[Full-disclosure] [SECURITY] [DSA 2745-1] linux security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2745-1                     secur...@debian.org
http://www.debian.org/security/                             Dann Frazier
August 28, 2013                        http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : linux
Vulnerability  : privilege escalation/denial of service/information leak
Problem type   : local/remote
Debian-specific: no
CVE Id(s)      : CVE-2013-1059 CVE-2013-2148 CVE-2013-2164 CVE-2013-2232
                 CVE-2013-2234 CVE-2013-2237 CVE-2013-2851 CVE-2013-2852
                 CVE-2013-4162 CVE-2013-4163
Debian Bug     : 701744

Several vulnerabilities have been discovered in the Linux kernel that may
lead to a denial of service, information leak or privilege escalation. The
Common Vulnerabilities and Exposures project identifies the following
problems:

CVE-2013-1059

    Chanam Park reported an issue in the Ceph distributed storage system.
    Remote users can cause a denial of service by sending a specially
    crafted auth_reply message.

CVE-2013-2148

    Dan Carpenter reported an information leak in the filesystem wide
    access notification subsystem (fanotify). Local users could gain
    access to sensitive kernel memory.

CVE-2013-2164

    Jonathan Salwan reported an information leak in the CD-ROM driver.
    A local user on a system with a malfunctioning CD-ROM drive could
    gain access to sensitive memory.

CVE-2013-2232

    Dave Jones and Hannes Frederic Sowa resolved an issue in the IPv6
    subsystem. Local users could cause a denial of service by using an
    AF_INET6 socket to connect to an IPv4 destination.

CVE-2013-2234

    Mathias Krause reported a memory leak in the implementation of
    PF_KEYv2 sockets. Local users could gain access to sensitive kernel
    memory.

CVE-2013-2237

    Nicolas Dichtel reported a memory leak in the implementation of
    PF_KEYv2 sockets. Local users could gain access to sensitive kernel
    memory.

CVE-2013-2851

    Kees Cook reported an issue in the block subsystem. Local users with
    uid 0 could gain elevated ring 0 privileges. This is only a security
    issue for certain specially configured systems.

CVE-2013-2852

    Kees Cook reported an issue in the b43 network driver for certain
    Broadcom wireless devices. Local users with uid 0 could gain elevated
    ring 0 privileges. This is only a security issue for certain specially
    configured systems.

CVE-2013-4162

    Hannes Frederic Sowa reported an issue in the IPv6 networking
    subsystem. Local users can cause a denial of service (system crash).

CVE-2013-4163

    Dave Jones reported an issue in the IPv6 networking subsystem. Local
    users can cause a denial of service (system crash).

This update also includes a fix for a regression in the Xen subsystem.

For the stable distribution (wheezy), these problems have been fixed in
version 3.2.46-1+deb7u1.

The following matrix lists additional source packages that were rebuilt
for compatibility with or to take advantage of this update:

                        Debian 7.0 (wheezy)
user-mode-linux         3.2-2um-1+deb7u2

We recommend that you upgrade your linux and user-mode-linux packages.

Note: Debian carefully tracks all known security issues across every
linux kernel package in all releases under active security support.
However, given the high frequency at which low-severity security issues
are discovered in the kernel and the resource requirements of doing an
update, updates for lower priority issues will normally not be released
for all kernels at the same time. Rather, they will be released in a
staggered or "leap-frog" fashion.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iQIcBAEBAgAGBQJSHqwmAAoJEBv4PF5U/IZAeWAP/2JqPMgJJ57Jbl37/5K7OKUP
+aMeKi4Rg7lz1nEu+0L6g5+FI+bBH4QKvxQtVeODniUBbsMGeTqcJuYi1aRo7Dkk
7/eGLdwkqBoEQ3aezSTx9l09VWJVaTmVUoX3Zpp9A0Gqzgdf/DhiMC2os7bDKIVx
gMvG97jTnD5irwsur3w9r27e3VQTtL5PU5TtG9Wm4K8jaKMhphMSZ6UCJj2kcot6
fJ2jzNF9AE+mor8WHWWXllp+b/kqP1mb3w06qkb7vN46RhEoYqGB7ey3n82V62pl
/oArzFS9tO3YBewqoY/8TvLnIaefrJ4UhlO++icQxZ0yElrXdQYvLodS88MYOuXe
CrIeCBwAF8cE9rfXKlwejh4hB7aRTXeq4vcrk2gN5daYL1ks5qVfouo79RYlGavX
o1QZ0awt3qdv30O8dlyJt+MMVZ+W+plcoDbQ+h+YrOnblViZDXsxOVk1pwKvsxDy
DKW7OOobh7RqJIQVg6LVq5O3JSRmb8RIWcKf8IxcamgG4ZJTcBeh5Zhv7CvhcnEd
vC2qYxUypzxYyB3f4R6U9X/PbgjHJZcsD5XgAEPso8izv2qDp16RnDPFlFMpX4bA
tKDnRnV6luYNgJlJZ91v2b4wEOTVG+mfpQCQrRT3THoA7aOJs7N6Jy7V2BuwfLTY
ytYGfnxtbQQE3fQupyOy
=EtQ/
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in
[Full-disclosure] [SECURITY] [DSA 2746-1] icedove security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -------------------------------------------------------------------------
Debian Security Advisory DSA-2746-1                     secur...@debian.org
http://www.debian.org/security/                       Moritz Muehlenhoff
August 29, 2013                        http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : icedove
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-1701 CVE-2013-1709 CVE-2013-1710 CVE-2013-1713
                 CVE-2013-1714 CVE-2013-1717

Multiple security issues have been found in Icedove, Debian's version of
the Mozilla Thunderbird mail and news client. Multiple memory safety
errors, missing permission checks and other implementation errors may
lead to the execution of arbitrary code or cross-site scripting.

The Icedove version in the oldstable distribution (squeeze) is no longer
supported with full security updates. However, it should be noted that
almost all security issues in Icedove stem from the included browser
engine. These security problems only affect Icedove if scripting and
HTML mails are enabled. If there are security issues specific to Icedove
(e.g. a hypothetical buffer overflow in the IMAP implementation) we'll
make an effort to backport such fixes to oldstable.

For the stable distribution (wheezy), these problems have been fixed in
version 17.0.8-1~deb7u1.

For the unstable distribution (sid), these problems have been fixed in
version 17.0.8-1.

We recommend that you upgrade your icedove packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iEYEARECAAYFAlIfhf8ACgkQXm3vHE4uylqF2QCeK7C4vEufIlumHBA/ElEt8/DK
WW8An0Q0dB0o6Q9xLtdKeDzbg7RB/J6c
=VAfs
-----END PGP SIGNATURE-----
[Full-disclosure] UTA EDU University ENG - SQL Injection Vulnerability
Title:
======
UTA EDU University ENG - SQL Injection Vulnerability


Date:
=====
2013-08-28


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=256


VL-ID:
=====
256


Common Vulnerability Scoring System:
====================================
8.4


Introduction:
=============
The University of Texas at Arlington's College of Engineering provides one of the most comprehensive engineering
programs in North Texas and the nation, with eight baccalaureate programs, 13 master's and 9 doctorates. It is the
fourth largest engineering college in Texas, with about 3,900 students.

(Copy of the Homepage: http://www.uta.edu )


Abstract:
=========
The Vulnerability Laboratory Research Team discovered a SQL Injection web vulnerability in the famous Arlington
Engineering University in Texas.


Report-Timeline:
================
2011-12-26: Researcher Notification & Coordination (Chokri Ben Achour)
2012-11-27: Vendor Notification (Support Team)
2012-**-**: Vendor Response/Feedback (Support Team)
2013-08-22: Vendor Fix/Patch (No Response, verified by check)
2013-08-28: Public Disclosure (Vulnerability Laboratory)


Status:
========
Published


Exploitation-Technique:
=======================
Remote


Severity:
=========
Critical


Details:
========
A critical SQL Injection web vulnerability is detected in the famous Arlington Engineering University in Texas.
The vulnerability allows remote attackers to inject or execute own sql commands to compromise the web-application
or web-server dbms.

The vulnerability is located in the engineeringnews module when processing to request ID parameter with own SQL
commands. Remote attackers are able to inject the commands to compromise the web-application and affected database
management system. The flaw is result of the wrong validation of the id value when processing to load the
engineeringnews.php file.

Vulnerable Module(s):
                    [+] ../engineeringnews/

Vulnerable File(s):
                    [+] engineeringnews.php

Vulnerable Parameter(s):
                    [+] id


Proof of Concept:
=================
The remote sql injection vulnerability can be exploited by remote attackers without user interaction or privileged
user account. For demonstration or reproduce ...

PoC:
http://www.uta.edu/engineering/engineeringnews/engineeringnews.php?id=
-1337+union+select+1,2,3,concat_ws(0x3a3a,id,username,password),5,6,7,8,9,10,11,12,13,14,15,16,17,18,19+from+adlogin+limit+0,1--


Solution:
=========
2013-08-22: Vendor Fix/Patch (No Response, verified by check)


Risk:
=====
The security risk of the remote sql injection web vulnerability is estimated as critical.


Credits:
========
Vulnerability Laboratory [Research Team] - Chokri Ben Achour (cho...@evolution-sec.com)


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all
warranties, either expressed or implied, including the warranties of merchantability and capability for a particular
purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental,
consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised
of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential
or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any
vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   - www.vuln-lab.com                 - www.evolution-sec.com
Contact:    ad...@vulnerability-lab.com - resea...@vulnerability-lab.com  - ad...@evolution-sec.com
Section:    www.vulnerability-lab.com/dev - forum.vulnerability-db.com     - magazine.vulnerability-db.com
Social:     twitter.com/#!/vuln_lab     - facebook.com/VulnerabilityLab    - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability
Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights,
including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts,
advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the
specific authors or managers. To record, list (feed), modify, use or edit our material contact (ad...@vulnerability-l
[Full-disclosure] Department of Transport UK - SQL Injection Vulnerability
Title:
======
Department of Transport UK - SQL Injection Vulnerability


Date:
=====
2013-08-29


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=732


VL-ID:
=====
732


Common Vulnerability Scoring System:
====================================
8.6


Introduction:
=============
Our vision is for a transport system that is an engine for economic growth, but one that is also greener and safer
and improves quality of life in our communities. The Department provides leadership across the transport sector to
achieve its objectives, working with regional, local and private sector partners to deliver many of the services.
This section contains information on the Department's aims and objectives, its organisational structure, and the
responsibilities of the various affiliated agencies. The Freedom of Information Act 2000 (FOI Act) came into force
on 1 January 2005 and aims to make information held by public authorities more accessible to the public and allows
individuals and companies to request a wide variety of material. The Freedom of Information section summarises our
request handling procedures and information released in response to FOI requests.

(Copy of the Homepage: http://www.dft.gov.uk/about )


Abstract:
=========
The Vulnerability Laboratory Research Team discovered a critical remote SQL Injection vulnerability in the official
UK Department for Transport.


Report-Timeline:
================
2012-10-11: Researcher Notification & Coordination (Chokri Ben Achour)
2012-10-12: Vendor Notification (Support Team)
2012-**-**: Vendor Response/Feedback (Support Team)
2013-08-22: Vendor Fix/Patch (No Response, verified by check)
2013-08-28: Public Disclosure (Vulnerability Laboratory)


Status:
========
Published


Exploitation-Technique:
=======================
Remote


Severity:
=========
Critical


Details:
========
A blind SQL Injection Vulnerability is detected in the official UK Department for Transport Website Web Application.
The vulnerability allows remote attackers to unauthorized inject and execute own sql commands to compromise the
application or dbms.

The vulnerability is located in the imagelist.php file when processing to request via GET the vulnerable CATID
parameter. Remote attacker can inject own sql commands to compromise the department of transport website application
or web-server dbms. Exploitation of the sql injection web vulnerability requires no user interaction and no privileged
application user account. Successful exploitation of the vulnerability results in web-application compromise &
database management system compromise.

Vulnerable Module(s):
                    [+] Traffic signs and signals

Vulnerable File(s):
                    [+] imagelist.php

Vulnerable Parameter(s):
                    [+] CATID


Proof of Concept:
=================
The vulnerability can be exploited by remote attackers without privileged application or server user account
(pre-auth) and also without user interaction. For demonstration or reproduce ...

PoC:
http://www.dft.gov.uk/trafficsignsimages/imagelist.php?CATID=6'[SQL+Injection]--


Risk:
=====
The security risk of the remote sql injection vulnerability is estimated as critical.


Credits:
========
Vulnerability Laboratory [Research Team] - Chokri Ben Achour (cho...@evolution-sec.com)


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all
warranties, either expressed or implied, including the warranties of merchantability and capability for a particular
purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental,
consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised
of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential
or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any
vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   - www.vuln-lab.com                 - www.evolution-sec.com
Contact:    ad...@vulnerability-lab.com - resea...@vulnerability-lab.com  - ad...@evolution-sec.com
Section:    www.vulnerability-lab.com/dev - forum.vulnerability-db.com     - magazine.vulnerability-db.com
Social:     twitter.com/#!/vuln_lab     - facebook.com/VulnerabilityLab    - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires auth
[Full-disclosure] Microsoft MSRC RSS ASPX - CS Cross Site Web Vulnerability
Title:
======
Microsoft MSRC RSS ASPX - CS Cross Site Web Vulnerability


Date:
=====
2013-07-28


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=1026

Microsoft Security Response Center (MSRC) ID: 15180

Video: http://www.vulnerability-lab.com/get_content.php?id=1028
View:  http://www.youtube.com/watch?v=wcIIFB4Gx7g


VL-ID:
=====
1026


Common Vulnerability Scoring System:
====================================
1.6


Introduction:
=============
Microsoft Online Services is Microsoft's hosted-software offering and a component of their software plus services
strategy. Microsoft Online Services are hosted by Microsoft and sold `with` Microsoft partners. The suite includes
Exchange Online, SharePoint Online, Office Communications Online, Microsoft Forefront, and Microsoft Office Live
Meeting. For businesses, the Software-plus-Services approach enables organizations to access the capabilities of
enterprise software through on-premises servers, as online services, or a combination of both, depending on specific
business requirements. Services also provide the option to add complementary capabilities that enhance on-premises
server software and simplify system management and maintenance.

(Copy of the vendor Homepage: https://microsoftonline.com )


Abstract:
=========
An independent vulnerability laboratory researcher discovered a client-side cross site scripting vulnerability on
Microsoft Website Application.


Report-Timeline:
================
2013-07-18: Researcher Notification & Coordination (Muhammad A.S.)
2013-07-19: Vendor Notification (Microsoft Security Response Center - MSRC)
2013-07-20: Vendor Response/Feedback (Microsoft Security Response Center - MSRC)
2013-07-26: Vendor Fix/Patch (Microsoft Development Team)
2013-07-28: Public Disclosure (Vulnerability Laboratory)


Status:
========
Published


Affected Products:
==================
Microsoft Corporation
Product: Security Response Center (MSRC) - Blog aspx Web Application 2013 Q2


Exploitation-Technique:
=======================
Remote


Severity:
=========
Low


Details:
========
It has been discovered that the file `rssfeedgenerator.aspx` is not validating the input parameters and hence is
vulnerable to remote xss attacks. Since no validation is being performed, it is possible to include remote xml files
to be parsed and displayed on the main microsoft website. A remote attacker can include malicious xml files via URLS
variable which can lead to remote java-script execution on the client machine within the context of microsoft.com
website.

The vulnerability is located in the `rssfeedgenerator.aspx` file and the vulnerable parameter is `URLs` which can be
exploited via GET method to include remote (external) xml files.

Exploitation of the vulnerability requires no privilege application user account but low or medium user interaction.
Successful exploitation of the vulnerability results in session hijacking, non persistent phishing, non persistent
malware injects, external redirects and manipulation of affected module or application context.

Vulnerable Module(s):
                    [+] RSS Feeds

Vulnerable Path:
                    [+] /security/msrc/rssfeedgenerator.aspx

Vulnerable File(s):
                    [+] rssfeedgenerator.aspx

Vulnerable Parameter(s):
                    [+] URLs


Proof of Concept:
=================
[Full-disclosure] NEW VMSA-2013-0011 VMware ESXi and ESX address an NFC Protocol Unhandled Exception
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
                   VMware Security Advisory

Advisory ID: VMSA-2013-0011
Synopsis:    VMware ESXi and ESX address an NFC Protocol Unhandled
             Exception
Issue date:  2013-08-29
Updated on:  2013-08-29 (initial advisory)
CVE numbers: CVE-2013-1661
- ------------------------------------------------------------------------

1. Summary

   VMware has updated VMware ESXi and ESX to address a vulnerability in
   an unhandled exception in the NFC protocol handler.

2. Relevant releases

   VMware ESXi 5.1 without patch ESXi510-201307101
   VMware ESXi 5.0 without patch ESXi500-201308101
   VMware ESXi 4.1 without patch ESXi410-201304401
   VMware ESXi 4.0 without patch ESXi400-201305401
   VMware ESX 4.1 without patch ESX410-201304401
   VMware ESX 4.0 without patch ESX400-201305401

3. Problem Description

   a. VMware ESXi and ESX NFC Protocol Unhandled Exception

      VMware ESXi and ESX contain a vulnerability in the handling of the
      Network File Copy (NFC) protocol. To exploit this vulnerability, an
      attacker must intercept and modify the NFC traffic between ESXi/ESX
      and the client. Exploitation of the issue may lead to a Denial of
      Service.

      To reduce the likelihood of exploitation, vSphere components should
      be deployed on an isolated management network.

      VMware would like to thank Alex Chapman of Context Information
      Security for reporting this issue to us.

      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the name CVE-2013-1661 to this issue.

      Column 4 of the following table lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

      VMware         Product  Running  Replace with/
      Product        Version  on       Apply Patch
      =============  =======  =======  =====================
      vCenter Server any      any      not affected
      hosted*        any      any      not affected
      ESXi           5.1      ESXi     ESXi510-201307101-SG
      ESXi           5.0      ESXi     ESXi500-201308101-SG
      ESXi           4.1      ESXi     ESXi410-201304401-SG
      ESXi           4.0      ESXi     ESXi400-201305401-SG
      ESX            4.1      ESX      ESX410-201304401-SG
      ESX            4.0      ESX      ESX400-201305401-SG

      * hosted products are VMware Workstation, Player, ACE, Fusion.

4. Solution

   Please review the patch/release notes for your product and version
   and verify the checksum of your downloaded file.

   ESXi and ESX
   ------------
   https://www.vmware.com/patchmgr/download.portal

   ESXi 5.1
   --------
   File: ESXi510-201307001.zip
   md5sum: 24065646806665d176a373bf9a861f98
   sha1sum: c07a9361df8d9adcd2ff1f8e949d41fbeb091f0f
   http://kb.vmware.com/kb/2052151
   ESXi510-201307001 contains ESXi510-201307101-SG

   ESXi 5.0
   --------
   File: ESXi500-201308001.zip
   md5sum: 90d20a6921f35ededfc5021afeedc63f
   sha1sum: e739a671ab0bc9820fef90dc7ca4445eeb6a056d
   http://kb.vmware.com/kb/2053139
   ESXi500-201308001 contains ESXi500-201308101-SG

   ESXi 4.1
   --------
   File: ESXi410-201304001.zip
   md5sum: 9ce63bcacb3412fc1c8a6a8c47ac6af6
   sha1sum: 241603ef6b856e573a62fe27da039c8fffe54b1d
   http://kb.vmware.com/kb/2045255
   ESXi410-201304001 contains ESXi410-201304401-SG

   ESXi 4.0
   --------
   File: ESXi400-201305001.zip
   md5sum: 065d3fa4b0f52dd38c2bd92e5bfc5580
   sha1sum: 1f3cab25a144746372d86071a47e569c439e276a
   http://kb.vmware.com/kb/2044246
   ESXi400-201305001 contains ESXi400-201305401-SG

   ESX 4.1
   -------
   File: ESX410-201304001.zip
   md5sum: df9ef1d25f383a12d2fbc47cdc5f55d2
   sha1sum: e49068da7cf7e0ada57c4604cbc9ba253c03e3a0
   http://kb.vmware.com/kb/2045251
   ESX410-201304001 contains ESX410-201304401-SG

   ESX 4.0
   -------
   File: ESX400-201305001.zip
   md5sum: c9ac91d3d803c7b7cb9df401c20b91c0
   sha1sum: 7f5cef274c709248daa56d8c0e6fcc1ba86ae411
   http://kb.vmware.com/kb/2044242
   ESX400-201305001 contains ESX400-201305401-SG

5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1661

- ------------------------------------------------------------------------

6. Change log

   2013-08-29 VMSA-2013-0011
   Initial security advisory in conjunction with the release of ESX 5.0
   patches on 2013-08-29

- ------------------------------------------------------------------------

7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

     * security-announce at lists.vmware.com
     * bugtraq at securityfocus.com
     * full-disclosure at lists.grok.org.uk

   E-mail: security at vmware.