[Full-disclosure] [USN-1079-2] OpenJDK 6 vulnerabilities
===========================================================
Ubuntu Security Notice USN-1079-2           March 15, 2011
openjdk-6b18 vulnerabilities
CVE-2010-4448, CVE-2010-4450, CVE-2010-4465, CVE-2010-4469,
CVE-2010-4470, CVE-2010-4471, CVE-2010-4472, CVE-2010-4476,
CVE-2011-0706
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 9.10
Ubuntu 10.04 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 9.10:
  icedtea6-plugin                 6b18-1.8.7-0ubuntu1~9.10.1
  openjdk-6-jre                   6b18-1.8.7-0ubuntu1~9.10.1
  openjdk-6-jre-headless          6b18-1.8.7-0ubuntu1~9.10.1

Ubuntu 10.04 LTS:
  icedtea6-plugin                 6b18-1.8.7-0ubuntu1~10.04.2
  openjdk-6-jre                   6b18-1.8.7-0ubuntu1~10.04.2
  openjdk-6-jre-headless          6b18-1.8.7-0ubuntu1~10.04.2

After a standard system update you need to restart any Java services,
applications or applets to make all the necessary changes.

Details follow:

USN-1079-1 fixed vulnerabilities in OpenJDK 6 for non-armel (ARM)
architectures. This update provides the corresponding updates for
OpenJDK 6 for use with the armel (ARM) architectures. In order to build
the armel (ARM) OpenJDK 6 update for Ubuntu 10.04 LTS, it was necessary
to rebuild binutils and gcj-4.4 from Ubuntu 10.04 LTS updates.

Original advisory details:

 It was discovered that untrusted Java applets could create domain name
 resolution cache entries, allowing an attacker to manipulate name
 resolution within the JVM. (CVE-2010-4448)

 It was discovered that the Java launcher did not properly set up the
 LD_LIBRARY_PATH environment variable. A local attacker could exploit
 this to execute arbitrary code as the user invoking the program.
 (CVE-2010-4450)

 It was discovered that within the Swing library, forged timer events
 could allow bypass of SecurityManager checks. This could allow an
 attacker to access restricted resources. (CVE-2010-4465)

 It was discovered that certain bytecode combinations confused memory
 management within the HotSpot JVM. This could allow an attacker to
 cause a denial of service through an application crash or possibly
 inject code. (CVE-2010-4469)

 It was discovered that the way JAXP components were handled allowed
 them to be manipulated by untrusted applets. An attacker could use this
 to bypass XML processing restrictions and elevate privileges.
 (CVE-2010-4470)

 It was discovered that the Java2D subcomponent, when processing broken
 CFF fonts, could leak system properties. (CVE-2010-4471)

 It was discovered that a flaw in the XML Digital Signature component
 could allow an attacker to cause untrusted code to replace the XML
 Digital Signature Transform or C14N algorithm implementations.
 (CVE-2010-4472)

 Konstantin Preißer and others discovered that specific double literals
 were improperly handled, allowing a remote attacker to cause a denial
 of service. (CVE-2010-4476)

 It was discovered that the JNLPClassLoader class when handling multiple
 signatures allowed remote attackers to gain privileges due to the
 assignment of an inappropriate security descriptor. (CVE-2011-0706)

Updated packages for Ubuntu 9.10:
[Full-disclosure] [USN-1085-2] tiff regression
===========================================================
Ubuntu Security Notice USN-1085-2           March 15, 2011
tiff regression
https://launchpad.net/bugs/731540
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 8.04 LTS
Ubuntu 9.10
Ubuntu 10.04 LTS
Ubuntu 10.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  libtiff4                        3.7.4-1ubuntu3.10

Ubuntu 8.04 LTS:
  libtiff4                        3.8.2-7ubuntu3.8

Ubuntu 9.10:
  libtiff4                        3.8.2-13ubuntu0.5

Ubuntu 10.04 LTS:
  libtiff4                        3.9.2-2ubuntu0.5

Ubuntu 10.10:
  libtiff4                        3.9.4-2ubuntu0.2

After a standard system update you need to restart your session to make
all the necessary changes.

Details follow:

USN-1085-1 fixed vulnerabilities in the system TIFF library. The upstream
fixes were incomplete and created problems for certain CCITTFAX4 files.
This update fixes the problem.

We apologize for the inconvenience.

Original advisory details:

 Sauli Pahlman discovered that the TIFF library incorrectly handled
 invalid td_stripbytecount fields. If a user or automated system were
 tricked into opening a specially crafted TIFF image, a remote attacker
 could crash the application, leading to a denial of service. This issue
 only affected Ubuntu 10.04 LTS and 10.10. (CVE-2010-2482)

 Sauli Pahlman discovered that the TIFF library incorrectly handled TIFF
 files with an invalid combination of SamplesPerPixel and Photometric
 values. If a user or automated system were tricked into opening a
 specially crafted TIFF image, a remote attacker could crash the
 application, leading to a denial of service. This issue only affected
 Ubuntu 10.10. (CVE-2010-2482)

 Nicolae Ghimbovschi discovered that the TIFF library incorrectly handled
 invalid ReferenceBlackWhite values. If a user or automated system were
 tricked into opening a specially crafted TIFF image, a remote attacker
 could crash the application, leading to a denial of service.
 (CVE-2010-2595)

 Sauli Pahlman discovered that the TIFF library incorrectly handled
 certain default fields. If a user or automated system were tricked into
 opening a specially crafted TIFF image, a remote attacker could crash
 the application, leading to a denial of service. (CVE-2010-2597,
 CVE-2010-2598)

 It was discovered that the TIFF library incorrectly validated certain
 data types. If a user or automated system were tricked into opening a
 specially crafted TIFF image, a remote attacker could crash the
 application, leading to a denial of service. (CVE-2010-2630)

 It was discovered that the TIFF library incorrectly handled downsampled
 JPEG data. If a user or automated system were tricked into opening a
 specially crafted TIFF image, a remote attacker could execute arbitrary
 code with user privileges, or crash the application, leading to a
 denial of service. This issue only affected Ubuntu 10.04 LTS and 10.10.
 (CVE-2010-3087)

 It was discovered that the TIFF library incorrectly handled certain JPEG
 data. If a user or automated system were tricked into opening a
 specially crafted TIFF image, a remote attacker could execute arbitrary
 code with user privileges, or crash the application, leading to a
 denial of service. This issue only affected Ubuntu 6.06 LTS, 8.04 LTS
 and 9.10. (CVE-2011-0191)

 It was discovered that the TIFF library incorrectly handled certain TIFF
 FAX images. If a user or automated system were tricked into opening a
 specially crafted TIFF FAX image, a remote attacker could execute
 arbitrary code with user privileges, or crash the application, leading
 to a denial of service. (CVE-2011-0191)

Updated packages for Ubuntu 6.06 LTS:
Re: [Full-disclosure] Materials regarding Cyber-war
2011/3/14 john s :
> ...
> details seem murky, but operation orchard might be a candidate:
> http://en.wikipedia.org/wiki/Operation_Orchard

Big Safari subset, before eaten by 9ec4c12949a4f31474f299058ce2b22a

i'd say that qualifies...

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Materials regarding Cyber-war
2011/3/13 김동욱 :
>
> First thing comes to mind is Russia vs Georgia case. Any other cyberwar
> and/or suspected cyberwar case you would recommend?

details seem murky, but operation orchard might be a candidate:
http://en.wikipedia.org/wiki/Operation_Orchard
[Full-disclosure] VMSA-2011-0005 VMware vCenter Orchestrator remote code execution vulnerability
VMware Security Advisory

Advisory ID:       VMSA-2011-0005
Synopsis:          VMware vCenter Orchestrator remote code execution
                   vulnerability
Issue date:        2011-03-14
Updated on:        2011-03-14 (initial release of advisory)
CVE numbers:       CVE-2010-1870

1. Summary

   A vulnerability in VMware vCenter Orchestrator (vCO) could allow
   remote execution.

2. Relevant releases

   VMware vCenter Orchestrator 4.1
   VMware vCenter Orchestrator 4.0

3. Problem Description

   VMware vCenter Orchestrator is an application to automate management
   tasks. It embeds Apache Struts (version 2.0.11) which is a third
   party component.

   The following vulnerability has been reported in Apache Struts 2.0.11
   or earlier.

   A remote execution of code vulnerability could allow malicious users
   to bypass the '#'-usage protection built into the
   ParametersInterceptor, which could allow server side context objects
   to be manipulated.

   The Common Vulnerabilities and Exposures project (cve.mitre.org) has
   assigned the name CVE-2010-1870 to this vulnerability.

   VMware would like to thank the Vulnerability Research Team of Digital
   Defense, Inc. for reporting this issue to us.

   Apache Struts version 2.0.11 and earlier also contain vulnerabilities
   which have not been assigned CVE names. This advisory also addresses
   these vulnerabilities described at the following URLs:

   * http://struts.apache.org/2.2.1/docs/s2-002.html
   * http://struts.apache.org/2.2.1/docs/s2-003.html
   * http://struts.apache.org/2.2.1/docs/s2-004.html

   Column 4 of the following table lists the action required to
   remediate the vulnerability in each release, if a solution is
   available.

   VMware          Product   Running   Replace with/
   Product         Version   on        Apply Patch
   =============   =======   =======   ===========================
   vCO             4.1       Windows   vCO fix for Apache Struts *
   vCO             4.0       Windows   vCO fix for Apache Struts *

   * Refer to VMware Knowledge Base article 1034175 for a workaround.

4. Solution

   VMware vCenter Orchestrator
   ---------------------------
   vCenter Orchestrator workaround for Apache Struts
   http://kb.vmware.com/kb/1034175

5. References

   CVE numbers
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1870

6. Change log

   2011-03-14 VMSA-2011-0005
   Initial security advisory in conjunction with the release of an
   Apache Struts workaround for VMware vCenter Orchestrator on
   2011-03-14.

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

   * security-announce at lists.vmware.com
   * bugtraq at securityfocus.com
   * full-disclosure at lists.grok.org.uk

   E-mail: security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   VMware security response policy
   http://www.vmware.com/support/policies/security_response.html

   General support life cycle policy
   http://www.vmware.com/support/policies/eos.html

   VMware Infrastructure support life cycle policy
   http://www.vmware.com/support/policies/eos_vi.html

   Copyright 2011 VMware Inc. All rights reserved.
[Full-disclosure] old kvirc exploit
That old kvirc exploit (affecting versions 4.0.1 and below) has been
abused on freenode a lot lately. For more on the exploit, read
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2785

Cheers,
Leon
Re: [Full-disclosure] Materials regarding Cyber-war
I mean the Nimda was one cyberwar between USA and China.

On 3/13/2011 10:13 PM, 김동욱 wrote:
>
> Dear Lists,
>
> I'm looking for information or materials about cyberwar between
> nations for research purpose.
>
> First thing comes to mind is Russia vs Georgia case. Any other
> cyberwar and/or suspected cyberwar case you would recommend?
>
> Suggestion on any materials, documents, movie clip would be appreciated.
>
> Thanks,
>
> Dongwook Kim
> Infosec Technology.
>
> 82-2-6003-0958

--
Blog: http://hamgaalalt.blogspot.com
[Full-disclosure] [SECURITY] [DSA 2191-1] proftpd security update
Debian Security Advisory DSA-2191-1                  secur...@debian.org
http://www.debian.org/security/                       Moritz Muehlenhoff
March 14, 2011                         http://www.debian.org/security/faq

Package        : proftpd-dfsg
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2008-7265 CVE-2010-3867 CVE-2010-4652

Several vulnerabilities have been discovered in ProFTPD, a versatile,
virtual-hosting FTP daemon:

CVE-2008-7265

   Incorrect handling of the ABOR command could lead to denial of
   service through elevated CPU consumption.

CVE-2010-3867

   Several directory traversal vulnerabilities have been discovered in
   the mod_site_misc module.

CVE-2010-4562

   A SQL injection vulnerability was discovered in the mod_sql module.

For the oldstable distribution (lenny), this problem has been fixed in
version 1.3.1-17lenny6.

The stable distribution (squeeze) and the unstable distribution (sid)
are not affected; these vulnerabilities were fixed prior to the release
of Debian 6.0 (squeeze).

We recommend that you upgrade your proftpd-dfsg packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
Re: [Full-disclosure] Materials regarding Cyber-war
On Mar 14, 2011, at 10:04 AM, imipak wrote:

> On 14/03/11 16:51, bk wrote:
>
>>> The point you missed is that almost all the examples we've seen so far have
>>> been closer to espionage than to actual warfare.
>
> [...]
>
>> Despite that, I agree. Espionage != War. People hyping "cyberwar" are
>> either trying to increase their sales, budget, or jurisdiction.
>
> "Report: Iran's paramilitary launches cyber attack"
> http://www.google.com/hostednews/ap/article/ALeqM5jlwiVKEhlj8CjRz6dzR-McTlnRHw
>
> -i

Yes, let's put a lot of stock in propaganda that amounts to "we're in ur
hostin providerz, defacin ur websitez." This is from the same regime that
photoshopped in extra missiles to make their capabilities look stronger.

Grow up.

--
chort
Re: [Full-disclosure] Materials regarding Cyber-war
On 14/03/11 16:51, bk wrote:
>> The point you missed is that almost all the examples we've seen so far have
>> been closer to espionage than to actual warfare.

[...]

> Despite that, I agree. Espionage != War. People hyping "cyberwar" are
> either trying to increase their sales, budget, or jurisdiction.

"Report: Iran's paramilitary launches cyber attack"
http://www.google.com/hostednews/ap/article/ALeqM5jlwiVKEhlj8CjRz6dzR-McTlnRHw

-i
Re: [Full-disclosure] Materials regarding Cyber-war
On Mar 14, 2011, at 8:19 AM, valdis.kletni...@vt.edu wrote:

> On Sun, 13 Mar 2011 22:24:41 PDT, bk said:
>> On Mar 13, 2011, at 8:26 PM, leo.gra...@gmail.com wrote:
>>
>>> I think operation aurora, night dragon, stuxnet.and others
>>
>> Aurora and Night Dragon are espionage, not warfare. Stop conflating the
>> issues.
>
> The point you missed is that almost all the examples we've seen so far have
> been closer to espionage than to actual warfare.

That was your point, but I wasn't replying to your message.

Despite that, I agree. Espionage != War. People hyping "cyberwar" are
either trying to increase their sales, budget, or jurisdiction.

On the other hand, as you alluded to in your first post, electronic
espionage is far more widespread than the public knows. It's very likely
that any company with strategic access to supply chain, intellectual
property, or financial systems has already been breached, possibly by
multiple nation-state sponsored actors. This is not just Fortune 50 type
companies. Even small companies that are subcontractors, or play a
similarly small role in important industry sectors, are at risk. If you
own 15 small mining interests, that's pretty valuable in aggregate.

TL;DR: It's not war. It's not just China. If you think they aren't after
you, that just means they have free rein on your systems.

--
chort
Re: [Full-disclosure] Materials regarding Cyber-war
On Sun, 13 Mar 2011 22:24:41 PDT, bk said:
> On Mar 13, 2011, at 8:26 PM, leo.gra...@gmail.com wrote:
>
>> I think operation aurora, night dragon, stuxnet.and others
>
> Aurora and Night Dragon are espionage, not warfare. Stop conflating the
> issues.

The point you missed is that almost all the examples we've seen so far
have been closer to espionage than to actual warfare.
Re: [Full-disclosure] TLS servers with overbroad certificates may mishandle diverted connections
On Mon, Mar 14, 2011 at 6:43 AM, coderman wrote:
> On Sun, Mar 13, 2011 at 7:31 PM, Matt McCutchen wrote:
>> If I make a TLS connection to example.com, a MITM attacker can divert
>> the connection to any server that bears a certificate valid for
>> example.com, ... especially likely to arise with wildcard certificates.
>> ...
>> I plan to release an automated testing
>> tool, but I decided to go ahead and publicize the issue first.
>
> ...
>
> p.s. marsh ray: wildcard certs are a useful tool when properly applied.
> (though i admit most won't use them properly. par for the crypto course...)

It's always nice when the reception's machine in the lobby is trusted to
act as a web server and serve content.
Re: [Full-disclosure] Materials regarding Cyber-war
2011/3/13 김동욱 :
>
> Dear Lists,
> I'm looking for information or materials about cyberwar between nations...

between nations? i guess i'll bin these excerpts of my favorites...

(no one mentioned the classic siberian pipeline explosion yet:
 http://en.wikipedia.org/wiki/Siberian_pipeline_sabotage )

---

... [massive silicon valley] Phone and Internet outage that has left
thousands of customers in the San Jose, Calif., area without phone or
broadband Internet service was caused by vandals who had cut fiber-optic
cables.

Police told the newspaper that four AT&T fiber-optic cables were severed
shortly before 1:30 a.m. PDT along Monterey Highway north of Blossom
Hill Road in South San Jose. A cable in San Carlos, Calif., owned by
Sprint Nextel was also cut about two hours later, Crystal Davis, a
Sprint spokeswoman confirmed. Davis said that a manhole cover had been
lifted, and the fiber underground had been cut. She confirmed that the
Sprint fiber that was cut also appeared to be the work of vandals.

---

KANSAS CITY, Missouri - Vandals cut fiber from a pole Tuesday night,
cutting Time Warner Cable service to business and residential customers
for about 12 hours.

Time Warner spokesman Matt Derrick says the vandals hit several
locations between 8:30 and 9 p.m. Tuesday.

---

BELLINGHAM, Wash. (AP) A fiber optic cable failure that disrupted
telephone service to more than 60,000 customers was caused by at least
one of the lines being severed.

"We conducted a preliminary investigation and it's been determined that
someone cut this cable intentionally," Qwest spokesman Michael Dunne
said Thursday.

...

The Wednesday morning failure most affected Qwest customers in
Bellingham, with scattered outages reported by Verizon customers
elsewhere in Whatcom County before service was restored about five
hours later.

A system of cables along the Interstate 5 corridor links Bellingham's
long-distance lines to a switch in Seattle. During the outage, "the vast
majority of Qwest customers in Bellingham could not call outside their
local calling area," Dunne said. "They could call their neighbors, but
they could not call Seattle, for example, or 911."

Police officers were asked to report for duty and police vehicles were
stationed at major intersections. Firefighters across the county were
asked to relay emergency needs to county dispatchers. There were at
least two calls to dispatch that originated from citizens going to fire
halls for help, county emergency officials told The Bellingham Herald.

Service in the rest of the county was intermittent, said Melissa Barran,
spokesperson for Verizon, which provides much of the phone service in
the county outside of Bellingham.

Cellular phone service was disrupted throughout Whatcom County and in
the San Juan Islands, said Georgia Taylor, a Verizon Wireless
spokesperson.

Fiber optic phone lines in Snohomish County were severed for unexplained
reasons twice in two days in September 2001. Those outages, limited to
Whatcom County, caused phone blackouts that underscored the
vulnerability of the county's 911 dispatch system.

When asked whether the latest outage was related to the disruption two
years earlier, Jim Powers, an FBI agent in Bellingham, replied, "That is
of the utmost concern to us."
Re: [Full-disclosure] TLS servers with overbroad certificates may mishandle diverted connections
On Sun, Mar 13, 2011 at 7:31 PM, Matt McCutchen wrote:
> If I make a TLS connection to example.com, a MITM attacker can divert
> the connection to any server that bears a certificate valid for
> example.com, ... especially likely to arise with wildcard certificates.
> ...
> I plan to release an automated testing
> tool, but I decided to go ahead and publicize the issue first.

i can has code?

p.s. marsh ray: wildcard certs are a useful tool when properly applied.
(though i admit most won't use them properly. par for the crypto course...)
[Full-disclosure] TLS servers with overbroad certificates may mishandle diverted connections
If I make a TLS connection to example.com, a MITM attacker can divert
the connection to any server that bears a certificate valid for
example.com, regardless of the data in DNS. If such a server is not
intended to handle requests for example.com and responds in an improper
way, the attacker will have broken the integrity of TLS. This situation
is especially likely to arise with wildcard certificates. The impact may
range from a mere nuisance to JavaScript injection or worse depending on
the application and how the server responds.

To test a server, simply view its certificate, choose a DNS name for
which the certificate is valid but for which the server is not listed in
DNS, and map that name to the server in your hosts file. Point your
favorite client to that DNS name and see how the server responds. For
SNI clients, a TLS failure (preferably an "unrecognized_name" fatal
alert) is ideal; the client is already obliged not to rely on anything
it sees before a successful TLS handshake. An application-level error
such as HTTP 400 or 403 is probably harmless in real-world scenarios. An
HTTP redirect to a non-TLS site is bad: if it happens on a request for a
JavaScript file, the attacker can now inject malicious code.

In October, I manually tested a selection of about 20 of my favorite web
sites with multiple subdomains; most were affected, though only one
admitted JavaScript injection. I plan to release an automated testing
tool, but I decided to go ahead and publicize the issue first.

Previous discussion on the IETF TLS list:
http://www.ietf.org/mail-archive/web/tls/current/msg07133.html

--
Matt
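An audit helper for the test Matt describes, added here as an example; it is neither part of his post nor his planned tool. It assumes you run it against a server you administer, giving the server's IP and a name the certificate covers but DNS does not point at; it presents that name in SNI (doing in code what the hosts-file step does), verifies the certificate against it, sends one request with a matching Host header, and sorts the outcome into the post's categories (TLS alert ideal, 4xx harmless, redirect to http:// bad). The names `classify`, `parse_http_head` and `probe` are mine.

```python
import socket
import ssl
from urllib.parse import urlsplit

# Verdicts follow the categories in the post above.
IDEAL = "ideal: handshake refused with a fatal TLS alert"
HARMLESS = "harmless: application-level error, nothing served for the diverted name"
BAD = "bad: redirect to a non-TLS URL, script injection possible if a script is fetched"
REVIEW = "review: content or a TLS redirect served for a name the server is not listed under"
NOT_COVERED = "not applicable: certificate is not valid for the probe name"


def classify(tls_reason, status=None, location=None):
    """Map one probe outcome to a verdict string.

    tls_reason: ssl.SSLError.reason (e.g. 'TLSV1_UNRECOGNIZED_NAME') when the
                handshake failed, None when it succeeded
    status:     HTTP status code of the response, if a request was answered
    location:   value of the Location header, if any
    """
    if tls_reason is not None:
        return IDEAL
    if status is not None and 300 <= status < 400 and location:
        # A redirect off TLS is the case the post singles out as dangerous.
        if urlsplit(location).scheme.lower() == "http":
            return BAD
        return REVIEW
    if status is not None and 400 <= status < 500:
        return HARMLESS
    return REVIEW


def parse_http_head(raw):
    """Return (status_code, location) from the head of an HTTP/1.x response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1", "replace")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    location = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            location = value.strip()
    return status, location


def probe(server_ip, probe_name, port=443, timeout=5.0):
    """Connect to server_ip, present probe_name in SNI and verify the
    certificate against it (same effect as the hosts-file step in the post),
    then request / with a matching Host header and classify the answer."""
    ctx = ssl.create_default_context()  # chain and hostname verification on
    try:
        with socket.create_connection((server_ip, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=probe_name) as tls:
                tls.sendall(b"GET / HTTP/1.1\r\nHost: " + probe_name.encode()
                            + b"\r\nConnection: close\r\n\r\n")
                raw = b""
                while b"\r\n\r\n" not in raw and len(raw) < 65536:
                    chunk = tls.recv(4096)
                    if not chunk:
                        break
                    raw += chunk
    except ssl.SSLCertVerificationError:
        # The cert does not cover this name, so no client would accept the
        # diversion in the first place; nothing to assess.
        return NOT_COVERED
    except ssl.SSLError as e:
        return classify(e.reason or "TLS handshake failure")
    status, location = parse_http_head(raw)
    return classify(None, status, location)


if __name__ == "__main__":
    import sys
    # Usage: python3 probe.py <server-ip> <name-covered-by-cert>
    print(probe(sys.argv[1], sys.argv[2]))
```

On the server side, nginx 1.19.4 and later can produce exactly the "unrecognized_name" alert the post calls ideal with a catch-all `server` block that has `listen 443 ssl default_server;` and `ssl_reject_handshake on;`.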