APPLE-SA-2014-02-25-1 OS X Mavericks 10.9.2 and Security Update 2014-001
OS X Mavericks 10.9.2 and Security Update 2014-001 are now available and
address the following:

Apache
Available for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact:  Multiple vulnerabilities in Apache
Description:  Multiple vulnerabilities existed in Apache, the most
serious of which may lead to cross-site scripting. These issues were
addressed by updating Apache to version 2.2.26.
CVE-ID
CVE-2013-1862
CVE-2013-1896

App Sandbox
Available for:  OS X Mountain Lion v10.8.5
Impact:  The App Sandbox may be bypassed
Description:  The LaunchServices interface for launching an application
allowed sandboxed apps to specify the list of arguments passed to the
new process. A compromised sandboxed application could abuse this to
bypass the sandbox. This issue was addressed by preventing sandboxed
applications from specifying arguments. This issue does not affect
systems running OS X Mavericks 10.9 or later.
CVE-ID
CVE-2013-5179 : Friedrich Graeter of The Soulmen GbR

ATS
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact:  Viewing or downloading a document containing a maliciously
crafted embedded font may lead to arbitrary code execution
Description:  A memory corruption issue existed in the handling of
Type 1 fonts. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-1254 : Felix Groebert of the Google Security Team

ATS
Available for:  OS X Mavericks 10.9 and 10.9.1
Impact:  The App Sandbox may be bypassed
Description:  A memory corruption issue existed in the handling of Mach
messages passed to ATS. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2014-1262 : Meder Kydyraliev of the Google Security Team

ATS
Available for:  OS X Mavericks 10.9 and 10.9.1
Impact:  The App Sandbox may be bypassed
Description:  An arbitrary free issue existed in the handling of Mach
messages passed to ATS. This issue was addressed through additional
validation of Mach messages.
CVE-ID
CVE-2014-1255 : Meder Kydyraliev of the Google Security Team

ATS
Available for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact:  The App Sandbox may be bypassed
Description:  A buffer overflow issue existed in the handling of Mach
messages passed to ATS. This issue was addressed by additional bounds
checking.
CVE-ID
CVE-2014-1256 : Meder Kydyraliev of the Google Security Team

Certificate Trust Policy
Available for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact:  Root certificates have been updated
Description:  The set of system root certificates has been updated. The
complete list of recognized system roots may be viewed via the Keychain
Access application.

CFNetwork Cookies
Available for:  OS X Mountain Lion v10.8.5
Impact:  Session cookies may persist even after resetting Safari
Description:  Resetting Safari did not always delete session cookies
until Safari was closed. This issue was addressed through improved
handling of session cookies. This issue does not affect systems running
OS X Mavericks 10.9 or later.
CVE-ID
CVE-2014-1257 : Rob Ansaldo of Amherst College, Graham Bennett

CoreAnimation
Available for:  OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
Impact:  Visiting a maliciously crafted site may lead to an unexpected
application termination or arbitrary code execution
Description:  A heap buffer overflow existed in CoreAnimation's handling
of images. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-1258 : Karl Smith of NCC Group

CoreText
Available for:  OS X Mavericks 10.9 and 10.9.1
Impact:  Applications that use CoreText may be vulnerable to an
unexpected application termination or arbitrary code execution
Description:  A signedness issue existed in CoreText in the handling of
Unicode fonts. This issue is addressed through improved bounds checking.
CVE-ID
CVE-2014-1261 : Lucas Apa and Carlos Mario Penagos of IOActive Labs

curl
Available for:  OS X Mavericks 10.9 and 10.9.1
Impact:  An attacker with a privileged network position may intercept
user credentials or other sensitive information
Description:  When using curl to connect to an HTTPS URL containing an
IP address, the IP address was not validated against the certificate.
This issue does not affect systems prior to OS X Mavericks v10.9.
CVE-ID
CVE-2014-1263 : Roland Moriz of Moriz GmbH

Data Security
Available for:  OS X Mavericks 10.9 and 10.9.1
Impact:  An attacker with a privileged network position may capture or
modify data in sessions protected by SSL/TLS
Description:  Secure Transport failed to validate the authenticity of
the connection. This issue was addressed by restoring missing validation
steps.
CVE-ID
CVE-2014-1266

Date and
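The curl entry above (CVE-2014-1263) concerns an IP literal in the URL that was never compared with the server certificate. The following Python code is an added example, not Apple's or curl's, of the check that was missing: a DNS name is matched against dNSName entries only, and an IP literal against iPAddress entries only (never against a dNSName that happens to spell the same digits). The SAN list shape mirrors what ssl.getpeercert()["subjectAltName"] returns; the sample SAN values are constructed for the example.

```python
"""Match the host of an HTTPS URL against a certificate's subjectAltName.

Added example (not part of the Apple advisory).  SAN entries are pairs such
as ("DNS", "shop.example.com") or ("IP Address", "203.0.113.5").
"""
import ipaddress
from urllib.parse import urlsplit


def _dns_match(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive, a wildcard is allowed
    only as the whole left-most label, and it never spans a dot."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def host_matches_cert(host, san):
    """True when `host` (DNS name or IP literal) is covered by the SAN list."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        ip = None  # not an IP literal, so treat it as a DNS name
    for kind, value in san:
        if ip is not None:
            # An IP literal is compared only with iPAddress entries.  A
            # dNSName entry containing the same digits does not count.
            if kind == "IP Address":
                try:
                    if ipaddress.ip_address(value) == ip:
                        return True
                except ValueError:
                    continue  # malformed SAN value: ignore it
        elif kind == "DNS" and _dns_match(value, host):
            return True
    return False


def url_matches_cert(url, san):
    """Apply the check to the host component of an https:// URL."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("expected an https URL with a host component")
    # urlsplit strips the [] around an IPv6 literal and lowercases the host.
    return host_matches_cert(parts.hostname, san)


# Constructed SAN list standing in for a real server certificate.
SAN = (
    ("DNS", "shop.example.com"),
    ("DNS", "*.cdn.example.net"),
    ("IP Address", "203.0.113.5"),
)

if __name__ == "__main__":
    for url in ("https://203.0.113.5/api", "https://203.0.113.6/api",
                "https://shop.example.com/", "https://a.b.cdn.example.net/"):
        print(url, url_matches_cert(url, SAN))
```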
APPLE-SA-2014-02-25-2 Safari 6.1.2 and Safari 7.0.2
Safari 6.1.2 and Safari 7.0.2 are now available and address the
following:

WebKit
Available for:  OS X Lion v10.7.5, OS X Lion Server v10.7.5,
OS X Mountain Lion v10.8.5, OS X Mavericks v10.9.1
Impact:  Visiting a maliciously crafted website may lead to an
unexpected application termination or arbitrary code execution
Description:  Multiple memory corruption issues existed in WebKit.
These issues were addressed through improved memory handling.
CVE-ID
CVE-2013-6635 : cloudfuzzer
CVE-2014-1268 : Apple
CVE-2014-1269 : Apple
CVE-2014-1270 : Apple

For OS X Mavericks systems, Safari 7.0.2 will be included in OS X
Mavericks 10.9.2.

For OS X Mountain Lion systems, Safari 6.1.2 may be obtained from the
Mac App Store.

For OS X Lion systems, Safari 6.1.2 is available via the Apple Software
Update application.

Information will also be posted to the Apple Security Updates web site:
http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key, and
details are available at:
https://www.apple.com/support/security/pgp/
[security bulletin] HPSBPI02869 SSRT100936 rev.3 - HP LaserJet MFP Printers, HP Color LaserJet MFP Printers, Certain HP LaserJet Printers, Remote Unauthorized Access to Files
Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03744742

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c03744742
Version: 3

HPSBPI02869 SSRT100936 rev.3 - HP LaserJet MFP Printers, HP Color LaserJet MFP Printers, Certain HP LaserJet Printers, Remote Unauthorized Access to Files

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2013-04-25
Last Updated: 2014-02-20

Potential Security Impact: Remote unauthorized access to files

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP LaserJet MFP printers, HP Color LaserJet MFP printers, and certain HP LaserJet printers. The vulnerability could be exploited remotely to gain unauthorized access to files.

References: CVE-2012-5221, iDefense [V-bxys4j4rnm], SSRT100936

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
Please refer to the RESOLUTION below for a list of impacted products.

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2012-5221    (AV:N/AC:L/Au:N/C:C/I:N/A:N)       7.8
===========================================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

The Hewlett-Packard Company thanks Andrei Costin working with the iDefense Vulnerability Contributor Program for reporting this vulnerability to security-al...@hp.com.

RESOLUTION

HP recommends following the HP Imaging and Printing Security Best Practices available at http://h71028.www7.hp.com/enterprise/downloads/HP-Imaging10.pdf. Page 51 documents how to disable file access via PostScript.

In addition, HP has provided firmware updates that address this potential vulnerability. Please see the table below. To obtain the updated firmware, go to www.hp.com and follow the steps below.

Obtain the firmware update from www.hp.com:
  - Select Drivers & Software.
  - Enter the product name listed in the table below into the search field.
  - Click on Search.
  - Click on the appropriate product.
  - Under Select operating system, click on Cross operating system (BIOS, Firmware, Diagnostics, etc.)
    Note: If the Cross operating system ... link is not present, select any Windows operating system from the list.
  - Select the appropriate firmware update under Firmware.
    Note: use the firmware version listed or a more recent version, one that has a higher revision number.

Firmware Updates

Product Name                                      Model    Firmware Update Version
HP Color LaserJet 3000                            Q7534A   v 46.070.1 (or higher)
HP Color LaserJet 3800                            Q5981A   v 46.070.1 (or higher)
HP Color LaserJet 4700                            Q7492A   v 46.220.1 (or higher)
HP Color LaserJet 4730 Multifunction Printer      Q7517A   v 46.370.1 (or higher)
HP Color LaserJet CM4730 Multifunction Printer    CB480A   v 50.272.8 (or higher)
HP Color LaserJet 5550                            Q3714A   v 07.220.1 (or higher)
HP Color LaserJet 9500 Multifunction Printer      C8549A   v 08.280.1 (or higher)
HP Color LaserJet CM6030 Multifunction Printer    CE664A   v 52.243.0 (or higher)
HP Color LaserJet CM6040 Multifunction Printer    Q3939A   v 52.243.0 (or higher)
HP Color LaserJet CP3505                          CB442A   v 03.150.1 (or higher)
HP Color LaserJet CP3525                          CC469A   v 06.171.2 (or higher)
HP Color LaserJet CP4005                          CB503A   v 46.220.1 (or higher)
HP Color LaserJet CP6015                          Q3932A   v 04.191.2 (or higher)
HP Color LaserJet Enterprise CP4025               CC490A   v 07.151.3 (or higher)
HP Color LaserJet Enterprise CP4525               CC493A   v 07.151.3 (or higher)
HP LaserJet 4240                                  Q7785A   v 08.240.1 (or higher)
HP LaserJet 4250                                  Q5400A   v 08.240.1 (or higher)
HP LaserJet 4345 Multifunction Printer            Q3942A   v 09.290.1 (or higher)
HP LaserJet 4350                                  Q5407A   v 08.240.1 (or higher)
HP LaserJet 5200L                                 Q7543A   v 08.220.8 (or higher)
HP LaserJet 5200N                                 Q7543A   v 08.220.8 (or higher)
HP LaserJet 9040                                  Q7697A   v 08.240.2 (or higher)
HP LaserJet 9040 Multifunction Printer            Q3721A   v 08.280.1 (or higher)
HP LaserJet 9050                                  Q7697A   v 08.240.2 (or higher)
HP LaserJet 9050 Multifunction Printer            Q3721A   v 08.280.1 (or higher)
HP LaserJet Enterprise P3015                      CE526A   v 07.171.2 (or higher)
HP LaserJet M3027 Multifunction Printer           CB416A   v 48.292.8 (or higher)
HP LaserJet M3035 Multifunction Printer           CB414A   v 48.292.8 (or higher)
HP LaserJet CM3530 Multifunction Printer          CC519A   v 53.222.8 (or higher)
HP LaserJet M4345 Multifunction Printer           CB425A   v 48.292.8 (or higher)
HP LaserJet M5025 Multifunction Printer           Q7840A   v 48.292.8 (or higher)
HP LaserJet M5035 Multifunction Printer           Q7829A   v 48.292.8 (or higher)
HP LaserJet M9040 Multifunction Printer           CC394A   v 51.242.7 (or higher)
HP LaserJet M9050 Multifunction Printer           CC395A   v 51.242.7 (or higher)
[security bulletin] HPSBMU02966 rev.1 - HP Operations Orchestration, Unauthorized Access to Information
Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04125866

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04125866
Version: 1

HPSBMU02966 rev.1 - HP Operations Orchestration, Unauthorized Access to Information

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2014-02-24
Last Updated: 2014-02-24

Potential Security Impact: Unauthorized access to information

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP Operations Orchestration. The vulnerability could be exploited to gain unauthorized access to information.

References: CVE-2013-2071

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Operations Orchestration v10.00, v10.01, v10.01.0001 running on Windows and Linux

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2013-2071    (AV:N/AC:H/Au:N/C:P/I:N/A:N)       2.6
===========================================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has provided an update to resolve the vulnerability for HP Operations Orchestration.
HP Operations Orchestration v10.02 is available from HP Software Support Online: http://support.openview.hp.com

HISTORY
Version:1 (rev.1) - 24 February 2014 Initial release

Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HP Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-al...@hp.com.

Report: To report a potential security vulnerability with any HP supported product, send Email to: security-al...@hp.com

Subscribe: To initiate a subscription to receive future HP Security Bulletin alerts via Email: http://h41183.www4.hp.com/signup_alerts.php?jumpid=hpsc_secbulletins

Security Bulletin Archive: A list of recently released Security Bulletins is available here: https://h20564.www2.hp.com/portal/site/hpsc/public/kb/secBullArchive/

Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HP General Software
HF = HP Hardware and Firmware
MP = MPE/iX
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PI = Printing and Imaging
PV = ProCurve
ST = Storage Software
TU = Tru64 UNIX
UX = HP-UX

Copyright 2014 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided as is without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
[security bulletin] HPSBST02955 rev.1 - HP XP P9000 Performance Advisor Software, 3rd party Software Security - Apache Tomcat and Oracle Updates
Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04047415

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04047415
Version: 1

HPSBST02955 rev.1 - HP XP P9000 Performance Advisor Software, 3rd party Software Security - Apache Tomcat and Oracle Updates

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2014-02-24
Last Updated: 2014-02-24

Potential Security Impact: 3rd party Software Security - Apache Tomcat and Oracle Updates

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential security vulnerabilities have been identified in 3rd party software used in HP XP P9000 Performance Advisor running Oracle and Apache Tomcat Software. HP has updated the Apache Tomcat and Oracle database software to address vulnerabilities affecting confidentiality, availability, and integrity.

References: CVE-2013-0361 CVE-2013-0354 CVE-2013-0397 CVE-2012-3190 CVE-2013-0352 CVE-2012-3219 CVE-2013-0363 CVE-2013-0381 CVE-2011-5035 CVE-2013-0364 CVE-2013-0372 CVE-2013-0366 CVE-2009-2902 CVE-2009-2901 CVE-2009-2693 CVE-2009-3548 CVE-2010-2227 CVE-2010-1157 CVE-2010-3718 CVE-2011-0013 CVE-2010-4172 CVE-2011-3190 CVE-2011-1184 CVE-2011-5064 CVE-2011-5063 CVE-2011-5062 CVE-2007-5342 CVE-2007-6286 CVE-2007-5333 CVE-2008-0002 CVE-2007-5461 CVE-2011-2729 CVE-2011-2526 CVE-2011-2481 CVE-2011-2204 CVE-2012-2733 CVE-2012-4534 CVE-2012-4431 CVE-2012-3546 CVE-2011-0534 CVE-2008-2370 CVE-2008-1947 CVE-2008-1232, CPU-JAN-2013, SSRT101157

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP XP P9000 Performance Advisor Software v5.4.1 and earlier

BACKGROUND

CVSS 2.0 Base Metrics
===========================================================
  Reference              Base Vector             Base Score
CVE-2007-5333    (AV:N/AC:L/Au:N/C:P/I:N/A:N)       5.0
CVE-2007-5342    (AV:N/AC:L/Au:N/C:P/I:P/A:N)       6.4
CVE-2007-5461    (AV:N/AC:M/Au:S/C:P/I:N/A:N)       3.5
CVE-2007-6286    (AV:N/AC:M/Au:N/C:N/I:P/A:N)       4.3
CVE-2008-0002    (AV:N/AC:M/Au:N/C:P/I:P/A:N)       5.8
CVE-2008-1232    (AV:N/AC:M/Au:N/C:N/I:P/A:N)       4.3
CVE-2008-1947    (AV:N/AC:M/Au:N/C:N/I:P/A:N)       4.3
CVE-2008-2370    (AV:N/AC:L/Au:N/C:P/I:N/A:N)       5.0
CVE-2009-2693    (AV:N/AC:M/Au:N/C:N/I:P/A:P)       5.8
CVE-2009-2901    (AV:N/AC:M/Au:N/C:P/I:N/A:N)       4.3
CVE-2009-2902    (AV:N/AC:M/Au:N/C:N/I:P/A:N)       4.3
CVE-2009-3548    (AV:N/AC:L/Au:N/C:P/I:P/A:P)       7.5
CVE-2010-1157    (AV:N/AC:H/Au:N/C:P/I:N/A:N)       2.6
CVE-2010-2227    (AV:N/AC:L/Au:N/C:P/I:N/A:P)       6.4
CVE-2010-3718    (AV:L/AC:H/Au:N/C:N/I:P/A:N)       1.2
CVE-2010-4172    (AV:N/AC:M/Au:N/C:N/I:P/A:N)       4.3
CVE-2011-0013    (AV:N/AC:M/Au:N/C:N/I:P/A:N)       4.3
CVE-2011-0534    (AV:N/AC:L/Au:N/C:N/I:N/A:P)       5.0
CVE-2011-1184    (AV:N/AC:L/Au:N/C:P/I:N/A:N)       5.0
CVE-2011-2204    (AV:L/AC:M/Au:N/C:P/I:N/A:N)       1.9
CVE-2011-2481    (AV:L/AC:L/Au:N/C:P/I:P/A:P)       4.6
CVE-2011-2526    (AV:L/AC:M/Au:N/C:P/I:P/A:P)       4.4
CVE-2011-2729    (AV:N/AC:L/Au:N/C:P/I:N/A:N)       5.0
CVE-2011-3190    (AV:N/AC:L/Au:N/C:P/I:P/A:P)       7.5
CVE-2011-5035    (AV:N/AC:L/Au:N/C:N/I:N/A:P)       5.0
CVE-2011-5062    (AV:N/AC:L/Au:N/C:P/I:N/A:N)       5.0
CVE-2011-5063    (AV:N/AC:M/Au:N/C:P/I:N/A:N)       4.3
CVE-2011-5064    (AV:N/AC:M/Au:N/C:P/I:N/A:N)       4.3
CVE-2012-2733    (AV:N/AC:L/Au:N/C:N/I:N/A:P)       5.0
CVE-2012-3190    (AV:N/AC:L/Au:N/C:P/I:P/A:N)       6.4
CVE-2012-3219    (AV:N/AC:M/Au:N/C:N/I:P/A:N)       4.3
CVE-2012-3546    (AV:N/AC:M/Au:N/C:N/I:P/A:N)       4.3
CVE-2012-4431    (AV:N/AC:M/Au:N/C:N/I:P/A:N)       4.3
CVE-2012-4534    (AV:N/AC:H/Au:N/C:N/I:N/A:P)       2.6
CVE-2013-0352    (AV:N/AC:M/Au:N/C:N/I:P/A:N)       4.3
CVE-2013-0354    (AV:N/AC:M/Au:N/C:N/I:P/A:N)       4.3
CVE-2013-0361    (AV:N/AC:L/Au:N/C:C/I:C/A:C)      10.0
CVE-2013-0363    (AV:N/AC:L/Au:N/C:C/I:N/A:N)       7.8
CVE-2013-0364    (AV:N/AC:L/Au:N/C:C/I:N/A:N)       7.8
CVE-2013-0366    (AV:N/AC:L/Au:N/C:C/I:C/A:C)      10.0
CVE-2013-0372    (AV:N/AC:M/Au:N/C:N/I:P/A:N)       4.3
CVE-2013-0381    (AV:N/AC:L/Au:N/C:P/I:P/A:N)       6.4
CVE-2013-0397    (AV:N/AC:L/Au:N/C:P/I:P/A:N)       6.4
===========================================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002

RESOLUTION

HP has provided a software update, HP XP P9000 Performance Advisor Software v5.5.1, to resolve this issue.

To obtain the update, go to http://www.hp.com :
  - Select Support
  - Select Download Drivers
  - Search find by product for HP P9000 Performance Advisor Software
  - Select HP P9000 Performance Advisor Software and then choose the operating system
  - Download HP StorageWorks P9000 Performance Advisor Software v5.5.1
APPLE-SA-2014-02-25-3 QuickTime 7.7.5
QuickTime 7.7.5 is now available and addresses the following:

QuickTime
Available for:  Windows 7, Vista, XP SP2 or later
Impact:  Playing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description:  An uninitialized pointer issue existed in the handling
of track lists. This issue was addressed through improved error
checking.
CVE-ID
CVE-2014-1243 : Tom Gallagher (Microsoft) and Paul Bates (Microsoft)
working with HP's Zero Day Initiative

QuickTime
Available for:  Windows 7, Vista, XP SP2 or later
Impact:  Playing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description:  A buffer overflow existed in the handling of H.264
encoded movie files. This issue was addressed through improved bounds
checking.
CVE-ID
CVE-2014-1244 : Tom Gallagher and Paul Bates working with HP's Zero Day
Initiative

QuickTime
Available for:  Windows 7, Vista, XP SP2 or later
Impact:  Playing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description:  An out of bounds byte swapping issue existed in the
handling of QuickTime image descriptions. This issue was addressed
through improved bounds checking.
CVE-ID
CVE-2013-1032 : Jason Kratzer working with iDefense VCP

QuickTime
Available for:  Windows 7, Vista, XP SP2 or later
Impact:  Playing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description:  A signedness issue existed in the handling of 'stsz'
atoms. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-1245 : Tom Gallagher and Paul Bates working with HP's Zero Day
Initiative

QuickTime
Available for:  Windows 7, Vista, XP SP2 or later
Impact:  Playing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description:  A buffer overflow existed in the handling of 'ftab'
atoms. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-1246 : An anonymous researcher working with HP's Zero Day
Initiative

QuickTime
Available for:  Windows 7, Vista, XP SP2 or later
Impact:  Playing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description:  A memory corruption issue existed in the handling of
'dref' atoms. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-1247 : Tom Gallagher and Paul Bates working with HP's Zero Day
Initiative

QuickTime
Available for:  Windows 7, Vista, XP SP2 or later
Impact:  Playing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description:  A buffer overflow existed in the handling of 'ldat'
atoms. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-1248 : Jason Kratzer working with iDefense VCP

QuickTime
Available for:  Windows 7, Vista, XP SP2 or later
Impact:  Viewing a maliciously crafted PSD image may lead to an
unexpected application termination or arbitrary code execution
Description:  A buffer overflow existed in the handling of PSD images.
This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-1249 : dragonltx of Tencent Security Team

QuickTime
Available for:  Windows 7, Vista, XP SP2 or later
Impact:  Playing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description:  An out of bounds byte swapping issue existed in the
handling of 'ttfo' elements. This issue was addressed through improved
bounds checking.
CVE-ID
CVE-2014-1250 : Jason Kratzer working with iDefense VCP

QuickTime
Available for:  Windows 7, Vista, XP SP2 or later
Impact:  Playing a maliciously crafted movie file may lead to an
unexpected application termination or arbitrary code execution
Description:  A buffer overflow existed in the handling of 'clef'
atoms. This issue was addressed through improved bounds checking.
CVE-ID
CVE-2014-1251 : Aliz Hammond working with HP's Zero Day Initiative

QuickTime 7.7.5 may be obtained from the QuickTime Downloads site:
http://support.apple.com/downloads/

Information will also be posted to the Apple Security Updates web site:
http://support.apple.com/kb/HT1222

This message is signed with Apple's Product Security PGP key, and
details are available at:
https://www.apple.com/support/security/pgp/
Authentication-Bypass in CosmoShop ePRO V10.17.00 (and lower, maybe higher)
*) Issue: Authentication-Bypass in CosmoShop ePRO V10.17.00 (and lower, maybe higher)
*) Author: l0om ( http://l0om.org )
*) Date: 26.02.2013

*) Overview:
Cosmoshop provides an admin backup function which saves .htaccess-protected MySQL dump files in a backup directory. The .htaccess in this directory only blocks HTTP GET requests and lets POST requests through. This allows an attacker to download the backup file without authentication.

*) Details:
Cosmoshop is another webshop solution, written in Perl and developed for the German market. The backup.cgi script is buggy (tested in CosmoShop ePRO V10.17.00).

The backup.cgi script creates a MySQL backup of your shop. As the logged-in shop administrator you are allowed to execute it. If you decide to use this built-in backup function it will create a backup of your user and admin data (including passwords, email, ...). This file is saved as artikel_kunden_daten.sql.gz (German style) and gets protected by .htaccess. The .htaccess file built by the script includes something like:

<Limit GET>
...
</Limit>

As you can see, the file is only protected against HTTP GET requests but not against HTTP POST requests. The protected directory is located at domain.com/HTML-ROOT/admin/backup/artikel_kunden_daten.sql.gz, where the HTML root is sometimes /cosmoshop, sometimes /cosmoshop/default, sometimes none of them...

However, using curl with GET results in a 401 error:

badass@badhost:~ curl http://XXX.YYY.de/.../admin/backup/artikel_kunden_daten.sql.gz
-- 401 - Authorization Required

but the POST variant of the request gives you the file without authentication:

badass@badhost:~ curl --data fruit_0f_the=l0om http://XXX.YYY.de/.../admin/backup/artikel_kunden_daten.sql.gz > ur_login_data.gz
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed

Ouch.

*) Workaround:
+ Don't use the built-in backup function - simply use your own MySQL client tools to save your database (how about mysqldump?). Don't forget to delete the directory.
+ Edit the .htaccess file in the backup directory - simply delete the <Limit ..> and </Limit> lines so the authentication applies to every request method (yes, sometimes less is more).

*) Greetings: my beautiful lady, patze, jeff, molke, DocDohmen, Herr Lindner, evil_matt, john, I², takt, Maximilian, Big-Ben, Eulenspiegel
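As an added example (not part of l0om's advisory), the following Python script audits an .htaccess file for exactly the pattern described above: it parses <Limit>/<LimitExcept> scoping, reports which HTTP methods a scoped Require leaves unauthenticated, and applies the advisory's own fix of dropping the wrapper so the directives apply to every method. The sample .htaccess is constructed from the description (the real CosmoShop file is not reproduced on the page), and Apache's directive set is modelled only as far as <Limit>, <LimitExcept> and Require.

```python
"""Audit .htaccess auth directives that only cover some HTTP methods.

Added example, not code from the CosmoShop advisory.  Apache applies
directives inside <Limit GET> to GET (and HEAD, which it folds into GET)
and to no other method, so a POST for the same URL bypasses the Require.
"""
import re

# Methods a check must cover.  HEAD is folded into GET as Apache does.
COMMON_METHODS = {"GET", "POST", "PUT", "DELETE", "OPTIONS", "PATCH"}

LIMIT_OPEN = re.compile(r"^\s*<(Limit|LimitExcept)\s+([^>]+)>\s*$", re.I)
LIMIT_CLOSE = re.compile(r"^\s*</(Limit|LimitExcept)>\s*$", re.I)


def parse_htaccess(text):
    """Return a list of (methods_covered, directive_lines) sections.

    methods_covered is the set of methods the section's directives apply
    to, or None when they apply unconditionally (no <Limit> wrapper).
    """
    sections = []
    scope = None          # None means "every method"
    current = []
    for line in text.splitlines():
        m = LIMIT_OPEN.match(line)
        if m:
            if current:
                sections.append((scope, current))
            current = []
            methods = {w.upper() for w in m.group(2).split()}
            if m.group(1).lower() == "limit":
                scope = methods
            else:                      # LimitExcept: everything not listed
                scope = COMMON_METHODS - methods
            continue
        if LIMIT_CLOSE.match(line):
            sections.append((scope, current))
            scope, current = None, []
            continue
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            current.append(stripped)
    if current:
        sections.append((scope, current))
    return sections


def unprotected_methods(text):
    """Methods for which no Require directive is in effect."""
    protected = set()
    for scope, lines in parse_htaccess(text):
        if any(l.lower().startswith("require") for l in lines):
            protected |= COMMON_METHODS if scope is None else scope
    return COMMON_METHODS - protected


def harden(text):
    """Drop <Limit>/<LimitExcept> wrappers so the auth directives apply to
    every method (the workaround the advisory itself recommends)."""
    return "\n".join(
        line for line in text.splitlines()
        if not (LIMIT_OPEN.match(line) or LIMIT_CLOSE.match(line))
    )


# Constructed sample modelled on the advisory's description; the path to
# the htpasswd file is a placeholder.
WEAK = """\
AuthType Basic
AuthName "backup"
AuthUserFile /path/to/.htpasswd
<Limit GET>
Require valid-user
</Limit>
"""

if __name__ == "__main__":
    print("unauthenticated methods:", sorted(unprotected_methods(WEAK)))
    print("hardened .htaccess:\n" + harden(WEAK))
```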
Persistent XSS in Media File Renamer V1.7.0 wordpress plugin
Title: Persistent XSS in Media File Renamer V1.7.0 wordpress plugin
Date: 1/31/2014
Author: Larry W. Cashdollar, @_larry0
Vendor: Notified 2/4/2014
CVE: 2014-2040
Download: http://www.meow.fr/media-file-renamer/

Vulnerability:
The following functions do not sanitize input before it is echoed out. They are in file mfrh_class.settings-api.php. (The HTML markup inside the sprintf() format strings was lost when this advisory was archived and appears as ' ' below; what matters is that $key, $label and $args['desc'] are interpolated into the markup and echoed without escaping, e.g. without WordPress's esc_attr()/esc_html().)

Lines 166-178:

  function callback_multicheck( $args ) {
      $value = $this->get_option( $args['id'], $args['section'], $args['std'] );

      $html = '';
      foreach ( $args['options'] as $key => $label ) {
          $checked = isset( $value[$key] ) ? $value[$key] : '0';
          // checkbox markup: $key is interpolated without escaping
          $html .= sprintf( ' ', $args['section'], $args['id'], $key, checked( $checked, $key, false ) );
          // label markup: $label (%3$s) is interpolated without escaping
          $html .= sprintf( ' %3$s ', $args['section'], $args['id'], $label, $key );
      }
      // description markup: $args['desc'] is interpolated without escaping
      $html .= sprintf( ' %s', $args['desc'] );

      echo $html;
  }

Lines 186-197:

  function callback_radio( $args ) {

      $value = $this->get_option( $args['id'], $args['section'], $args['std'] );

      $html = '';
      foreach ( $args['options'] as $key => $label ) {
          // radio markup: $key is interpolated without escaping
          $html .= sprintf( ' ', $args['section'], $args['id'], $key, checked( $value, $key, false ) );
          // label markup: $label (%3$s) is interpolated without escaping
          $html .= sprintf( ' %3$s ', $args['section'], $args['id'], $label, $key );
      }
      // description markup: $args['desc'] is interpolated without escaping
      $html .= sprintf( ' %s', $args['desc'] );

      echo $html;
  }

Lines 250-261:

  function callback_wysiwyg( $args ) {

      $value = wpautop( $this->get_option( $args['id'], $args['section'], $args['std'] ) );
      $size = isset( $args['size'] ) && !is_null( $args['size'] ) ? $args['size'] : '500px';

      // opening wrapper markup (lost in archiving)
      echo ' ';

      wp_editor( $value, $args['section'] . '[' . $args['id'] . ']', array( 'teeny' => true, 'textarea_rows' => 10 ) );

      // closing wrapper markup (lost in archiving)
      echo ' ';

      // description markup: $args['desc'] is echoed without escaping
      echo sprintf( ' %s ', $args['desc'] );
  }

PoC:
If a user with permission to add media or edit media uploads a file with <script>alert(1)</script> as the title, they can XSS the site admin user.

Full Advisory: http://www.vapid.dhs.org/advisories/wordpress/plugins/MediaFileRenamer-1.7.0/index.html
Barracuda Networks Bug Bounty #31 Firewall - Persistent Access Policy Vulnerability
Document Title:
===============
Barracuda Networks Bug Bounty #31 Firewall - Persistent Access Policy Vulnerability

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1070

Barracuda Networks Security ID (BNSEC): BNSEC-2068

Release Date:
=============
2014-02-25

Vulnerability Laboratory ID (VL-ID):
====================================
1070

Common Vulnerability Scoring System:
====================================
3.5

Product & Service Introduction:
===============================
The Barracuda Firewall goes beyond traditional network firewalls and UTMs by providing powerful network security, granular layer 7 application controls, user awareness and secure VPN connectivity combined with cloud-based malware protection, content filtering and reporting. It alleviates the performance bottlenecks in Unified Threat Management (UTM) appliances through intelligent integration of on-premise and cloud-based technologies. While the powerful on-premises appliance is optimized for tasks like packet forwarding and routing, Intrusion Prevention (IPS), DNS/DHCP services and site-to-site connectivity, CPU-intensive tasks like virus scanning, content filtering and usage reporting benefit from the scalable performance and elasticity of the cloud.

(Copy of the Vendor Homepage: https://www.barracuda.com/products/firewall )

Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a persistent web vulnerability in the official Barracuda Networks Web Firewall appliance web application.

Vulnerability Disclosure Timeline:
==================================
2013-09-04: Researcher Notification & Coordination (Ateeq ur Rehman Khan)
2013-09-06: Vendor Notification (Barracuda Networks Security Team - Bug Bounty Program)
2013-10-03: Vendor Response/Feedback (Barracuda Networks Security Team - Bug Bounty Program)
2014-02-17: Vendor Fix/Patch (Barracuda Networks Developer Team) [Coordination: Eric ** ]
2014-02-25: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Barracuda Networks
Product: Web Firewall 6.1.0.016 - Models: X100; X200; X300; X400; X600

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Technical Details & Description:
================================
A persistent input validation web vulnerability has been discovered in the official Barracuda Networks Web Firewall appliance web application. The vulnerability allows remote attackers or low-privileged application user accounts to inject their own persistent malicious script code on the application side of the vulnerable online service module.

The vulnerability is located in the `Firewall > Captive Portal > Basic Configuration` module, and the vulnerable input field is `username` under `User Access Policy Exceptions`. Remote attackers are able to inject custom malicious script code via the `Username` input field. The attack vector is persistent and the injection request method is POST.

To bypass the filter and get the injected payload saved by the application, the attacker needs to create two entries: the first entry is the attacker's payload and the second entry is any dummy account user id. The application only validates the active field, i.e. the entry that has just been added, and ignores the earlier entries, which allows the script code to be stored in the application interface.

The security risk of the persistent validation vulnerability is estimated as high with a CVSS (Common Vulnerability Scoring System) count of 3.5(+)|(-)3.6.

Exploitation of the persistent input validation vulnerability requires a low-privileged application user account and low user interaction. Successful exploitation results in session hijacking, persistent phishing, persistent external redirects and persistent manipulation of affected or connected module context.

Vulnerable Application(s):
  [+] Firewall (WAF) Appliance Application (X300Vx v6.1.0.016)

Vulnerable Module(s):
  [+] Firewall > Captive Portal > Basic Configuration > User Access Policy Exceptions

Vulnerable Parameter(s):
  [+] username

Proof of Concept (PoC):
=======================
The persistent input validation web vulnerability can be exploited by remote attackers with a low-privileged web application user account and low user interaction. For security demonstration or to reproduce the vulnerability, follow the provided information and steps below.

Manual steps to reproduce the vulnerability:
1. Log in with the user account to the Barracuda Networks web firewall appliance application
2. Go to Firewall > Captive Portal > Basic Configuration > User Access Policy Exceptions
3. Inject the following Payload
Cisco Security Advisory: Cisco Prime Infrastructure Command Execution Vulnerability
Cisco Prime Infrastructure Command Execution Vulnerability

Advisory ID: cisco-sa-20140226-pi
Revision 1.0
For Public Release 2014 February 26 16:00 UTC (GMT)

Summary
=======
A vulnerability in Cisco Prime Infrastructure could allow an authenticated, remote attacker to execute arbitrary commands with root-level privileges.

The vulnerability is due to improper validation of URL requests. An attacker could exploit this vulnerability by requesting an unauthorized command via a specific URL. Successful exploitation could allow an authenticated attacker to execute system commands with root-level privileges.

Cisco has released free software updates that address this vulnerability. A software patch that addresses this vulnerability in all affected versions is also available. Workarounds that mitigate this vulnerability are not available.

This advisory is available at the following link:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140226-pi