Re: [Full-disclosure] How to lock up a VirtualBox host machine with a guest using tracepath over virtio-net network interface

2013-06-26 Thread Źmicier Januszkiewicz
Hi,

Tested this on Windows 7 x64 host instead (no Linux box available atm);
confirmed the issue (consumes CPU and kills the host network adapter).

Can someone assign a CVE for this? Looks like this can be exploited to at
least DoS other VMs on the same host.

2013/6/21 Thomas Dreibholz dre...@simula.no

 Hi,

 I have discovered a problem with the VirtualBox virtio-net network driver that
 leads to a lockup of the host machine's kernel and the need for a hard reset
 to make it working again. The bug had been reported to the VirtualBox bug
 tracker 8 days ago (https://www.virtualbox.org/ticket/11863), with the usual
 reaction from Oracle support (i.e. none).

 The bug can be reproduced easily as follows:

 - The host system is a 64-bit Linux (tested with Ubuntu 12.04 LTS and Kubuntu
 13.04). Did not try 32 bit.

 - VirtualBox is the latest version 4.2.12 (using Oracle's Ubuntu repository).

 - Create a new VM, use e.g. Kubuntu live CD image (32 or 64 bit, makes no
 difference). No disk needed.

 - Network adapter is: Bridged, Adapter Type: virtio-net.
 Boot the system, ensure that network is working.

 - tracepath 8.8.8.8
 Now, the virtual machine locks up and the host machine's kernel seems to have
 at least one core blocked. The host machine's console output is BUG: soft
 lockup - CPU #2 stuck for 22s  Also, the network on the host machine does
 not work any more. For example, ifconfig just hangs.

 - To recover the host machine, it needs a hard reset. sudo reboot, etc. will
 not work, since the kernel seems to hang.

 This bug is critical, since it makes the host machine's network unusable
 (particularly, if the host system is at a remote location), and it is very
 easy to trigger with just a simple, standard tracepath call inside a virtual
 machine. It is therefore trivial for a normal user in such a machine to
 trigger a denial of service. I did no further investigation of the problem
 yet, but if it is related to the path MTU discovery by tracepath, it might be
 possible to trigger it by a lot of other software as well.


 Best regards,

 Thomas

 ___
 Full-Disclosure - We believe in it.
 Charter: http://lists.grok.org.uk/full-disclosure-charter.html
 Hosted and sponsored by Secunia - http://secunia.com/


Re: [Full-disclosure] How to lock up a VirtualBox host machine with a guest using tracepath over virtio-net network interface

2013-06-26 Thread Agostino Sarubbo
On Wednesday 26 June 2013 09:09:52 Źmicier Januszkiewicz wrote:
 Can someone assign a CVE for this? Looks like this can be exploited to at
 least DoS other VMs on the same host.
Usually Oracle makes the requests if needed.
-- 
Agostino Sarubbo
Gentoo Linux Developer


[Full-disclosure] [SECURITY] [DSA 2716-1] iceweasel security update

2013-06-26 Thread Moritz Muehlenhoff
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- -
Debian Security Advisory DSA-2716-1                   secur...@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
June 26, 2013                          http://www.debian.org/security/faq
- -

Package: iceweasel
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-1682 CVE-2013-1684 CVE-2013-1685 CVE-2013-1686 
 CVE-2013-1687 CVE-2013-1690 CVE-2013-1692 CVE-2013-1693 
 CVE-2013-1694 CVE-2013-1697

Multiple security issues have been found in Iceweasel, Debian's version
of the Mozilla Firefox web browser: Multiple memory safety errors,
use-after-free vulnerabilities, missing permission checks, incorrect 
memory handling and other implementation errors may lead to the execution
of arbitrary code, privilege escalation, information disclosure or
cross-site request forgery.

The iceweasel version in the oldstable distribution (squeeze) is no
longer supported with security updates.

For the stable distribution (wheezy), these problems have been fixed in
version 17.0.7esr-1~deb7u1.

For the unstable distribution (sid), these problems have been fixed in
version 17.0.7esr-1.

We recommend that you upgrade your iceweasel packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org


-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlHK8xwACgkQXm3vHE4uylpwJACcC016haKkOmAV6qUhbcrwaE3r
+JkAn2WJZ7PBhyukQ6umlbTNN5GHPUBU
=FjcR
-END PGP SIGNATURE-



[Full-disclosure] Cisco Security Advisory: Multiple Vulnerabilities in Cisco Email Security Appliance

2013-06-26 Thread Cisco Systems Product Security Incident Response Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Cisco Security Advisory: Multiple Vulnerabilities in Cisco Email Security 
Appliance

Advisory ID: cisco-sa-20130626-esa

Revision 1.0

For Public Release 2013 June 26 16:00  UTC (GMT)

+--


Summary
===

Cisco IronPort AsyncOS Software for Cisco Email Security Appliance is affected
by the following vulnerabilities:

  * Web Framework Authenticated Command Injection Vulnerability
  * IronPort Spam Quarantine Denial of Service Vulnerability
  * Management GUI Denial of Service Vulnerability

Successful exploitation of the Web Framework Authenticated Command Injection
Vulnerability could allow an authenticated, remote attacker to execute
arbitrary commands on the underlying operating system with elevated privileges.
Successful exploitation of either of the two denial of service vulnerabilities
may cause several critical processes to become unresponsive and make the
affected system unstable.


Cisco has released free software updates that address these vulnerabilities.
Workarounds that mitigate these vulnerabilities are available. This advisory is
available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130626-esa

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iF4EAREIAAYFAlHKgZEACgkQUddfH3/BbTqmeQD+JNzRuCvE2SnGfq8D0zI3kTfY
WD4G+HaHcL9P0msOtyUA+wREdPv1NbnAU9ilnEbxKuYyOCwy43B49nb3tpSRl7ch
=QzPf
-END PGP SIGNATURE-



[Full-disclosure] Cisco Security Advisory: Multiple Vulnerabilities in Cisco Web Security Appliance

2013-06-26 Thread Cisco Systems Product Security Incident Response Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256


Cisco Security Advisory: Multiple Vulnerabilities in Cisco Web Security 
Appliance

Advisory ID: cisco-sa-20130626-wsa


Revision 1.0

For Public Release 2013 June 26 16:00  UTC (GMT)

- 
---

Summary
===

Cisco IronPort AsyncOS Software for Cisco Web Security Appliance is affected by
the following vulnerabilities:

  * Two authenticated command injection vulnerabilities
  * Management GUI Denial of Service Vulnerability


These vulnerabilities are independent of each other; a release that is affected
by one of the vulnerabilities may not be affected by the others.

Successful exploitation of any of the two command injection vulnerabilities
could allow an authenticated, remote attacker to execute arbitrary commands on
the underlying operating system with elevated privileges.
Successful exploitation of the Management GUI Denial of Service Vulnerability
could cause several critical processes to become unresponsive and make the
affected system unstable.


Cisco has released free software updates that address these vulnerabilities.
Workarounds that mitigate these vulnerabilities are available. This advisory is
available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130626-wsa

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iF4EAREIAAYFAlHKgbUACgkQUddfH3/BbTrL8AD/SoOUwRsvEtX3h5k1PZjlpyAZ
jvgRu3gHAB6cwf3mWJgA/1Z9L8jXLNqDr9duCISX8KldBUdTFCVAMSkg3jlBEALi
=fNt5
-END PGP SIGNATURE-



[Full-disclosure] Cisco Security Advisory: Multiple Vulnerabilities in Cisco Content Security Management Appliance

2013-06-26 Thread Cisco Systems Product Security Incident Response Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256


Cisco Security Advisory: Multiple Vulnerabilities in Cisco Content Security 
Management Appliance

Advisory ID: cisco-sa-20130626-sma


Revision 1.0

For Public Release 2013 June 26 16:00  UTC (GMT)

+---

Summary
===

Cisco IronPort AsyncOS Software for Cisco Content Security Management Appliance
is affected by the following vulnerabilities:

  * Web Framework Authenticated Command Injection Vulnerability
  * IronPort Spam Quarantine Denial of Service Vulnerability
  * Management GUI Denial of Service Vulnerability


These vulnerabilities are independent of each other; a release that is affected
by one of the vulnerabilities may not be affected by the others.

Successful exploitation of the Web Framework Authenticated Command Injection
Vulnerability could allow an authenticated, remote attacker to execute
arbitrary commands on the underlying operating system with elevated privileges.
Successful exploitation of either of the two denial of service vulnerabilities
could cause several critical processes to become unresponsive and make the
affected system unstable.

Cisco has released free software updates that address these vulnerabilities.
Workarounds that mitigate these vulnerabilities are available. This advisory is
available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130626-sma

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iF4EAREIAAYFAlHKga4ACgkQUddfH3/BbToSLQD/ZV7L00kmcc9b+fTio/NrkEp0
NFSZ9GTC2hKHJuXLZzIBAIozsy3V8lkJ5OAya1Qbyj0TqJsrUi0oTRbkt/hue5Nc
=IhXy
-END PGP SIGNATURE-



[Full-disclosure] Cisco Security Advisory: Cisco ASA Next-Generation Firewall Fragmented Traffic Denial of Service Vulnerability

2013-06-26 Thread Cisco Systems Product Security Incident Response Team
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Cisco Security Advisory: Cisco ASA Next-Generation Firewall Fragmented Traffic
Denial of Service Vulnerability

Advisory ID: cisco-sa-20130626-ngfw

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130626-ngfw

Revision 1.0

For Public Release 2013 June 26 16:00  UTC (GMT)

+--

Summary
===

Cisco ASA Next-Generation Firewall (NGFW) Services contains a Fragmented
Traffic Denial of Service (DoS) vulnerability. 

Successful exploitation of this vulnerability on the Cisco ASA NGFW could cause
the device to reload or stop processing user traffic that has been redirected
by the parent Cisco ASA to the ASA NGFW module for further inspection.

There are no workarounds for this vulnerability, but mitigations are available.

Cisco has released free software updates that address this vulnerability. This
advisory is available at the following link:

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20130626-ngfw

-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iF4EAREIAAYFAlHKgaUACgkQUddfH3/BbTp0ZgD+NDv7SbR9LIjMwPDqFmjfAjhY
OSKWBWlunt8SOhDUbogA/jY0n25CWcbqKDlkUrbBNDXhXirk5TljKifNi2zHWH47
=KSS3
-END PGP SIGNATURE-



[Full-disclosure] [ MDVSA-2013:179 ] firefox

2013-06-26 Thread security
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

 ___

 Mandriva Linux Security Advisory MDVSA-2013:179
 http://www.mandriva.com/en/support/security/
 ___

 Package : firefox
 Date: June 26, 2013
 Affected: Enterprise Server 5.0
 ___

 Problem Description:

 Multiple security issues were identified and fixed in mozilla firefox:
 
 Mozilla developers identified and fixed several memory safety
 bugs in the browser engine used in Firefox and other Mozilla-based
 products. Some of these bugs showed evidence of memory corruption under
 certain circumstances, and we presume that with enough effort at least
 some of these could be exploited to run arbitrary code (CVE-2013-1682).
 
 Security researcher Abhishek Arya (Inferno) of the Google Chrome
 Security Team used the Address Sanitizer tool to discover a series of
 use-after-free problems rated critical as security issues in shipped
 software. Some of these issues are potentially exploitable, allowing
 for remote code execution. We would also like to thank Abhishek for
 reporting additional use-after-free and buffer overflow flaws in
 code introduced during Firefox development. These were fixed before
 general release (CVE-2013-1684, CVE-2013-1685, CVE-2013-1686).
 
 Security researcher Mariusz Mlynski reported that it is possible to
 compile a user-defined function in the XBL scope of a specific element
 and then trigger an event within this scope to run code. In some
 circumstances, when this code is run, it can access content protected
 by System Only Wrappers (SOW) and chrome-privileged pages. This
 could potentially lead to arbitrary code execution. Additionally,
 Chrome Object Wrappers (COW) can be bypassed by web content to access
 privileged methods, leading to a cross-site scripting (XSS) attack
 from privileged pages (CVE-2013-1687).
 
 Security researcher Nils reported that specially crafted web content
 using the onreadystatechange event and reloading of pages could
 sometimes cause a crash when unmapped memory is executed. This crash
 is potentially exploitable (CVE-2013-1690).
 
 Security researcher Johnathan Kuskos reported that Firefox is sending
 data in the body of XMLHttpRequest (XHR) HEAD requests, which goes
 against the XHR specification. This can potentially be used for
 Cross-Site Request Forgery (CSRF) attacks against sites which do not
 distinguish between HEAD and POST requests (CVE-2013-1692).
 
 Security researcher Paul Stone of Context Information Security
 discovered that timing differences in the processing of SVG format
 images with filters could allow for pixel values to be read. This
 could potentially allow for text values to be read across domains,
 leading to information disclosure (CVE-2013-1693).
 
 Mozilla developer Boris Zbarsky found that when PreserveWrapper was
 used in cases where a wrapper is not set, the preserved-wrapper flag
 on the wrapper cache is cleared. This could potentially lead to an
 exploitable crash (CVE-2013-1694).
 
 Mozilla security researcher moz_bug_r_a4 reported that XrayWrappers
 can be bypassed to call content-defined toString and valueOf methods
 through DefaultValue. This can lead to unexpected behavior when
 privileged code acts on the incorrect values (CVE-2013-1697).
 
 The mozilla firefox packages have been upgraded to the latest ESR
 version (17.0.7) which is unaffected by these security flaws.
 ___

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1682
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1684
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1685
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1686
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1687
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1690
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1692
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1693
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1694
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1697
 http://www.mozilla.org/security/announce/2013/mfsa2013-49.html
 http://www.mozilla.org/security/announce/2013/mfsa2013-50.html
 http://www.mozilla.org/security/announce/2013/mfsa2013-51.html
 http://www.mozilla.org/security/announce/2013/mfsa2013-53.html
 http://www.mozilla.org/security/announce/2013/mfsa2013-54.html
 http://www.mozilla.org/security/announce/2013/mfsa2013-55.html
 http://www.mozilla.org/security/announce/2013/mfsa2013-56.html
 http://www.mozilla.org/security/announce/2013/mfsa2013-59.html
 ___

 Updated Packages:

 Mandriva Enterprise Server 5:
 f377616fa413576835d3fae079ff0aa5  

[Full-disclosure] [Security-news] SA-CONTRIB-2012-136 - Apache Solr Search Autocomplete - Cross Site Scripting (XSS)

2013-06-26 Thread security-news
View online: https://drupal.org/node/1762734

  * Advisory ID: DRUPAL-SA-CONTRIB-2012-136
  * Project: Apache Solr Autocomplete [1] (third-party module)
  * Version: 6.x, 7.x
  * Date: 2012-August-29
  * Security risk: Moderately critical [2]
  * Exploitable from: Remote
  * Vulnerability: Cross Site Scripting

 DESCRIPTION  
-

Apache Solr Search Autocomplete module enables you to add autocomplete
capabilities to the search text field for the Apache Solr Search Integration
module.

The module doesn't sufficiently filter the autocomplete results sent back
from the Drupal site, so under the scenario where someone provided a URL with
a specially-crafted search string embedded in it, the attacker could have a
user execute arbitrary Javascript when clicking or focusing on the
autocomplete text field.

This vulnerability is mitigated by the fact that the attacked user must click
or otherwise give focus to the text widget to have the Javascript activate.

CVE: CVE-2012-6573

 VERSIONS AFFECTED  
---

  * Apache Solr Autocomplete 6.x-1.x versions prior to 6.x-1.4.
  * Apache Solr Autocomplete 7.x-1.x versions prior to 7.x-1.3.

Drupal core is not affected. If you do not use the contributed Apache Solr
Autocomplete [3] module, there is nothing you need to do.

 SOLUTION  


Install the latest version.

  * If you use the Apache Solr Autocomplete module for Drupal 6.x, upgrade to
Apache Solr Autocomplete 6.x-1.4 [4]
  * If you use the Apache Solr Autocomplete module for Drupal 7.x, upgrade to
Apache Solr Autocomplete 7.x-1.3 [5]

Also see the Apache Solr Autocomplete [6] project page.

 REPORTED BY  
-

  * drupaledmonk [7]

 FIXED BY  


  * Alejandro Garza [8] the module maintainer

 COORDINATED BY  
--

  * Greg Knaddison [9] of the Drupal Security Team

 CONTACT AND MORE INFORMATION  


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [10].

Learn more about the Drupal Security team and their policies [11], writing
secure code for Drupal [12], and securing your site [13].


[1] http://drupal.org/project/apachesolr_autocomplete
[2] http://drupal.org/security-team/risk-levels
[3] http://drupal.org/project/apachesolr_autocomplete
[4] https://drupal.org/node/1762684
[5] https://drupal.org/node/1762686
[6] http://drupal.org/project/apachesolr_autocomplete
[7] http://drupal.org/user/263391
[8] http://drupal.org/user/153120
[9] http://drupal.org/user/36762
[10] http://drupal.org/contact
[11] http://drupal.org/security-team
[12] http://drupal.org/writing-secure-code
[13] http://drupal.org/security/secure-configuration

___
Security-news mailing list
security-n...@drupal.org
Unsubscribe at http://lists.drupal.org/mailman/listinfo/security-news



[Full-disclosure] [Security-news] SA-CONTRIB-2013-054 - Fast Permissions Administration - Access Bypass

2013-06-26 Thread security-news
View online: https://drupal.org/node/2028813

  * Advisory ID: DRUPAL-SA-CONTRIB-2013-054
  * Project: Fast Permissions Administration [1] (third-party module)
  * Version: 6.x, 7.x
  * Date: 2013-June-26
  * Security risk: Highly critical [2]
  * Exploitable from: Remote
  * Vulnerability: Access bypass

 DESCRIPTION  
-

The Fast Permissions Administration module enables you to use inline filters
on the permissions page, as well as loading the permissions form through a
modal dialog.

The module doesn't sufficiently check user access for the modal content
callback, allowing unauthorized access to the permissions edit form.


 CVE IDENTIFIER(S) ISSUED  


  * /A CVE identifier [3] will be requested, and added upon issuance, in
accordance with Drupal Security Team processes./

 VERSIONS AFFECTED  
---

  * Fast Permissions Administration 6.x-2.x versions prior to 6.x-2.5.
  * Fast Permissions Administration 7.x-2.x versions prior to 7.x-2.3.

Drupal core is not affected. If you do not use the contributed Fast
Permissions Administration [4] module, there is nothing you need to do.

 SOLUTION  


Install the latest version:

  * If you use the Fast Permissions Administration module for Drupal 6.x,
upgrade to Fast Permissions Administration 6.x-2.5 [5]
  * If you use the Fast Permissions Administration module for Drupal 7.x,
upgrade to Fast Permissions Administration 7.x-2.3 [6]

Also see the Fast Permissions Administration [7] project page.

 REPORTED BY  
-

  * Philip Boden [8]

 FIXED BY  


  * Corey Aufang [9] the module maintainer

 COORDINATED BY  
--

  * Klaus Purer [10] of the Drupal Security Team

 CONTACT AND MORE INFORMATION  


The Drupal security team can be reached at security at drupal.org or via the
contact form at http://drupal.org/contact [11].

Learn more about the Drupal Security team and their policies [12], writing
secure code for Drupal [13], and securing your site [14].


[1] http://drupal.org/project/fpa
[2] http://drupal.org/security-team/risk-levels
[3] http://cve.mitre.org/
[4] http://drupal.org/project/fpa
[5] https://drupal.org/node/2028417
[6] https://drupal.org/node/2028421
[7] http://drupal.org/project/fpa
[8] http://drupal.org/user/329794
[9] http://drupal.org/user/163737
[10] http://drupal.org/user/262198
[11] http://drupal.org/contact
[12] http://drupal.org/security-team
[13] http://drupal.org/writing-secure-code
[14] http://drupal.org/security/secure-configuration



Re: [Full-disclosure] How to lock up a VirtualBox host machine with a guest using tracepath over virtio-net network interface

2013-06-26 Thread Nick Boyce
On 6/21/13, Thomas Dreibholz dre...@simula.no wrote:

 I have discovered a problem with the VirtualBox virtio-net network driver
 that leads to a lockup of the host machine's kernel and the need for a
 hard reset to make it working again. The bug had been reported to the
 VirtualBox bug tracker 8 days ago
 (https://www.virtualbox.org/ticket/11863), with the usual reaction from
 Oracle support (i.e. none).

FWIW: *not* confirmed for :
64-bit Linux host = Debian Squeeze 6.0.7 amd64
32-bit Linux guest = Debian Squeeze 6.0.7 i386
VirtualBox = 4.1.26 (guest network adapter set to virtio for the test)

'$ tracepath 8.8.8.8' run in the guest works fine, and no unpleasant
effects are noticed on either host or guest.

I note that VirtualBox 4.1.26 (latest update to 4.1 series) was
released on the same day as 4.2.14 (latest update to 4.2 series) -
specifically 21st.June.2013 - which happens to be the same day you
reported the problem here after getting apparently zero response from
Oracle Support for 8 days.  Maybe they just silently fixed the bug
during those 8 days - in which case they should have had the manners
to let you know.

Cheers
Nick Boyce
-- 
I can't watch TV longer than five minutes without praying for nuclear
holocaust ~~ Bill Hicks
