[SECURITY] [DSA 4115-1] quagga security update

[Salvatore Bonaccorso]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

- -
Debian Security Advisory DSA-4115-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
February 15, 2018 https://www.debian.org/security/faq
- -

Package: quagga
CVE ID : CVE-2018-5378 CVE-2018-5379 CVE-2018-5380 CVE-2018-5381

Several vulnerabilities have been discovered in Quagga, a routing
daemon. The Common Vulnerabilities and Exposures project identifies the
following issues:

CVE-2018-5378

It was discovered that the Quagga BGP daemon, bgpd, does not
properly bounds check data sent with a NOTIFY to a peer, if an
attribute length is invalid. A configured BGP peer can take
advantage of this bug to read memory from the bgpd process or cause
a denial of service (daemon crash).

https://www.quagga.net/security/Quagga-2018-0543.txt

CVE-2018-5379

It was discovered that the Quagga BGP daemon, bgpd, can double-free
memory when processing certain forms of UPDATE message, containing
cluster-list and/or unknown attributes, resulting in a denial of
service (bgpd daemon crash).

https://www.quagga.net/security/Quagga-2018-1114.txt

CVE-2018-5380

It was discovered that the Quagga BGP daemon, bgpd, does not
properly handle internal BGP code-to-string conversion tables.

https://www.quagga.net/security/Quagga-2018-1550.txt

CVE-2018-5381

It was discovered that the Quagga BGP daemon, bgpd, can enter an
infinite loop if sent an invalid OPEN message by a configured peer.
A configured peer can take advantage of this flaw to cause a denial
of service (bgpd daemon not responding to any other events; BGP
sessions will drop and not be reestablished; unresponsive CLI
interface).

https://www.quagga.net/security/Quagga-2018-1975.txt

For the oldstable distribution (jessie), these problems have been fixed
in version 0.99.23.1-1+deb8u5.

For the stable distribution (stretch), these problems have been fixed in
version 1.1.1-3+deb9u2.

We recommend that you upgrade your quagga packages.

For the detailed security status of quagga please refer to its security
tracker page at: https://security-tracker.debian.org/tracker/quagga

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-BEGIN PGP SIGNATURE-

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlqGBaVfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0RpyRAAhVpntFw+LSUUzL2/cx7m+s4fHijhOkU/AjKKmW4a9rAi0iJYW4HNv5BU
cKfz6yhngFUzCa+Glhmiwzt77eAoeksJSvxkKio5CTqjV3OxCWbDPPz/iRRHcKvK
MGhnqyShMCF8boQU0plmqNbfhnSWNAObbaI2fPmjLOU4A4jPY1T/fbzu4Sd3k5qY
ETeHq9+HlVdGnyNEoYnoO0XQH56ueNHy3VlChJ0S2OPtFtoKXkjM/er+yG6413+G
3e90tcbm2xlitmrTyZm9K/Q08UWLJx510n1rxehaO1DTEz+bqSNezySOhyNb8sTA
fuadDpgs2ozwgSmxyuWFj0RL3fKvgycw1ZeNiS5nUmRJTobrPlnjyX+A8FEJhPuI
9xyVa8j6wUeBVZdgd9b/EWLQ1Z9oDRiXmHRJeVOtz4JRNPP1KLtBcsPxFW9eCp83
9gFMqk/vMYQSpRqtQdnl5OawEpeurMtusBsnlEV5y9afiHU9jKB8N7RPwxCJgtjP
/jmhS4lOvn3F5lNILahaL3lrk/b0EsECajBltbN9YVU0yabWWRWSMrJ3ujamhaXE
aUQKmVj1alwDyg90vToiUftdr3R0hPPFuzA0BAK55SJVzjwJ2XInzItr+2y1tMPn
dSpd32tzrxpDm86rvmRIiAJbj28n7QnX9I9BlKZqWq2fUUhTkNg=
=Gy8j
-END PGP SIGNATURE-

Re: [FD] Defense in depth -- the Microsoft way (part 51): Skype's home-grown updater allows escalation of privilege to SYSTEM

[Stefan Kanthak]

"Jeffrey Walton"  wrote:

> On Fri, Feb 9, 2018 at 1:01 PM, Stefan Kanthak  
> wrote:

[ http://seclists.org/fulldisclosure/2018/Feb/33 ]

> Not sure if this is related, but:
> https://winbuzzer.com/2018/02/14/microsoft-just-killed-skype-classic-response-unfixable-security-bug-xcxwbn/

This is of course related: after Zack Whittacker published

some hundred news outlets, bloggers etc. followed up.
Except Zack Whittacker nobody contacted me.
Many copied his article, some others added their own and wrong
interpretation, even pure fiction, like this "WinBuzz":

| Microsoft today squashed a bug that was found in Skype's updater
| process earlier this week.

Wrong. I reported the vulnerability 5 months ago.
And Microsoft WONTFIX this vulnerability in Skype 7.x

JFTR: 
  also WONTFIX

[ pure speculation removed ]

| It seems Microsoft found an alternative to rewriting code and fixing
| Skype. the company has decided to effectively kill off the classic
| app. The older version of Skype is no longer available anywhere as a
| download.

Really?

Microsoft Update still offers the "classic" Skype for Windows alias
Skype Desktop Client: on Windows 7 (which still has the largest
market share) open Windows' control panel, go to Windows Update,
switch to Microsoft Update (if not done before), and find KB2876229
"Skype for Windows (7.30.0.101)" beyond the optional updates.

For those who don't want to or can not start Microsoft Update:
the Microsoft Update Catalog offers this and two older versions too



In  Microsoft states:

| Skype releases new versions of Skype for Windows throughout the year.
| To help you stay current with new functionality| and features of the
| Skype experience, Skype is available through Microsoft Update.
...
| you will receive the latest version of Skype through Microsoft Update.

NO, you DON'T get the latest version of Skype there!
And Skype doesn't use Microsoft Update to deliver updates.
Microsoft had well over 100 days since they closed MSRC case 40550 to
fix this ...


stay tuned
Stefan Kanthak

Vulnerability Disclosure (Web Apps)-Bravo Tejari Web Portal-Unrestricted File Upload

[Arvind Vishwakarma]

--
Vulnerability Type: Unrestricted File Upload
Vendor of Product: Tejari
Affected Product Code Base: Bravo Solution
Affected Component: Web Interface Management.
Attack Type: Local - Authenticated
Impact: Malicous File Upload
-

Product description:
Brao Tejari is a strategic procurement platform that enables
organizations to generate more value, influence innovation and reduce
risk powered by a unique supplier-centered approach that integrates
supplier lifetime value throughout the entire procurement process

Attack Scenario:
The Web Interface of the Bravo Tejari procurement portal does not use
perform server-side check on uploaded files. An attacker who has
access to the application can bypass client-side checks and uploads
malicious executable, pdf's and web-shells on the web-server.

Affected Product Link:
https://xx..com/esop/evm/OPPreliminaryForms.do?formId=857

Impact:
The uploaded files are not properly validated by the application. An
attacker can take advantage of this vulnerability and upload malicious
executable files to compromise the application.

Recommendation:
All uploaded files must be validated on both the client and server
side before storing them on the server.


Credit: Arvind Vishwakarma
http://ultimateone1.blogspot.ae/

Vulnerability Timeline:

12th December 2017 – Vulnerability Discovered
23rd December 2017 – Contacted Vendor – No Response
7th January 2018 – Contacted Vendor again – No Response
15th February 2018 – Vulnerability Disclosed

Vulnerability Disclosure (Web Apps)-Bravo Tejari Web Portal-CSRF

[Arvind Vishwakarma]

-
Vulnerability Type: Cross Site Request Forgery (CSRF)
Vendor of Product: Tejari
Affected Product Code Base: Bravo Solution
Affected Component: Web Interface Management.
Attack Type: Local - Authenticated
Impact: Unauthorised Access
--

Product description:
Bravo Tejari is a strategic procurement platform that enables
organizations to generate more value, influence innovation and reduce
risk powered by a unique supplier-centered approach that integrates
supplier lifetime value throughout the entire procurement process

Attack Scenario:
The Web Interface of the Bravo Tejari procurement portal does not use
random tokens to block any kind of forged requests. An atacker can
take advantage of this scenario and create a forged request to edit
user account details like name, address of the company/individual,
email address etc. He then uses social engineering techniques to
target specific individuals whose account details he would like to
change. He simply sends the link and tricks the user into clicking the
forged http request. The request is executed and user account details
are changed without his knowledge.

Proof of Concept Code:
Forged HTTP Request used by the attacker:



https://..com/esop/toolkit/profile/regData.do";
method="POST">
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  
  

  



Impact:
The affected product is a procurement portal and so all communication
regarding the contract lifecycle process is sent to user details
provided on the portal. If this vulnerability is sucessfully
exploited, the attacker will be able to change these details which
will potentially affect the victim's business.

Recommendation:
Ensure that all sensitive CRUD Operations are appropriately protected
with random tokens. Alternatively, the sensitive operations should
also have an authentication layer to confirm user verification.


Credit: Arvind Vishwakarma
http://ultimateone1.blogspot.ae/



Vulnerability Timeline:
12th December 2017 – Vulnerability Discovered
23rd December 2017 – Contacted Vendor – No Response
7th January 2018 – Contacted Vendor again – No Response
15th February 2018 – Vulnerability Disclosed