[CORE-2017-0010] - Kaspersky Secure Mail Gateway Multiple Vulnerabilities

2018-02-05 Thread Core Security Advisories Team
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

Kaspersky Secure Mail Gateway Multiple Vulnerabilities

1. *Advisory Information*

Title: Kaspersky Secure Mail Gateway Multiple Vulnerabilities
Advisory ID: CORE-2017-0010
Advisory URL:
http://www.coresecurity.com/advisories/kaspersky-secure-mail-gateway-multiple-vulnerabilities
Date published: 2018-02-01
Date of last update: 2018-02-01
Vendors contacted: Kaspersky Lab
Release mode: Coordinated release

2. *Vulnerability Information*

Class: Cross-Site Request Forgery [CWE-352], Improper Neutralization of
Special Elements in Output Used by a Downstream Component [CWE-74], Improper
Privilege Management [CWE-269], Improper Neutralization of Input During Web
Page Generation [CWE-79]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-pending-assignment-1, CVE-pending-assignment-2,
CVE-pending-assignment-3, CVE-pending-assignment-4

3. *Vulnerability Description*

From Kaspersky Lab's website:

Kaspersky Secure Mail Gateway [1] gives you a fully integrated email
system; mail security solution - including anti-spam, anti-malware,
anti-phishing and more - in a single virtual appliance. It's easy to
install and manage - so you save time on day-to-day mail and mail
security tasks, while we deliver award-winning security that helps you
keep your business safe and boost user productivity.

Multiple vulnerabilities were found in the Kaspersky Mail Gateway Web
Management Console. It is possible for a remote attacker to abuse these
vulnerabilities and gain command execution as root.

4. *Vulnerable Packages*

Kaspersky Secure Mail Gateway 1.1.0.379
Other products and versions might be affected, but they were not tested.

5. *Vendor Information, Solutions and Workarounds*

Kaspersky Lab published the following advisory:
   https://support.kaspersky.com/vulnerability.aspx?el=12430#010218

6. *Credits*

These vulnerabilities were discovered and researched by Leandro Barragan
from Core Security Consulting Services. The publication of this advisory
was coordinated by Alberto Solino from Core Advisories Team.

7. *Technical Description / Proof of Concept Code*

Kaspersky Secure Mail Gateway is a virtual appliance designed to be
deployed inside the organization's network infrastructure. It comes
bundled with a Web Management Console to monitor the application status
and manage its operation.

This Management Console provides no cross-site request forgery
protection site-wide, which could result in administrative account
takeover as shown in 7.1.

In addition, an attacker who manages to get access to the Web Console
could gain command execution as root (7.2) by injecting arbitrary
content into the appliance's Postfix configuration.

It is also possible to elevate privileges from kluser to root (7.3) by
abusing a setuid binary shipped with the appliance, which executes a
script located on an attacker-controlled location with root privileges.

Apart from this, a reflected cross-site scripting vulnerability (7.4)
was found which affects the Management Console.

7.1. *Cross-site Request Forgery leading to Administrative account takeover*

[CVE-pending-assignment-1]
There are no Anti-CSRF tokens in any forms on the Web interface. This
would allow an attacker to submit authenticated requests when an
authenticated user browses an attacker-controlled domain.
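The control whose absence is described above is a synchronizer token bound to the authenticated session. The following is an added illustration written for this advisory, not code from the Kaspersky Web Management Console or from Core Security: the session ids, the server secret, the `csrf_token` form field and the request shape (a plain dict) are all assumptions made for the example.

```python
"""Synchronizer-token CSRF protection for a session-based admin console.

Added example, not the appliance's code. A token is derived per session with
an HMAC over a server-side secret, embedded in each form, and required on
every state-changing request (such as an importSettings action). A token
minted for one session does not verify for another, so a page on an
attacker-controlled domain cannot supply a usable value.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Assumption: a per-deployment secret that stays server-side. A real service
# would load it from protected configuration rather than generate it at start.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Return 'nonce.mac' where mac = HMAC-SHA256(secret, session_id:nonce)."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: Optional[str]) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, mac)


def is_state_changing_request_allowed(request: dict) -> bool:
    """Gate non-safe methods on a valid token from the form or a header.

    request is a constructed dict for the example:
    {"method", "session_id", "form": {...}, "headers": {...}}.
    """
    if request["method"] in ("GET", "HEAD", "OPTIONS"):
        return True  # safe methods must not change state, so no token needed
    token = (request.get("form", {}).get("csrf_token")
             or request.get("headers", {}).get("X-CSRF-Token"))
    return verify_csrf_token(request["session_id"], token)


if __name__ == "__main__":
    sid = "session-A"
    tok = issue_csrf_token(sid)
    print("same session:", verify_csrf_token(sid, tok))        # True
    print("other session:", verify_csrf_token("session-B", tok))  # False
```

The token is only as useful as the rule that every configuration change goes through a non-safe method: if an action can be triggered by a GET, the check above is bypassed by design, so that is the first thing to audit alongside adding the token.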

The "Import Application Settings" feature is particularly interesting
because it allows users to restore a backup file that overwrites the
appliance's configuration.

A settings backup file contains five zlib segments:

/-
$ binwalk KSMG_settings.kz

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------------------
16            0x10            Zlib compressed data, default compression
39            0x27            Zlib compressed data, default compression
2242          0x8C2           Zlib compressed data, default compression
2268          0x8DC           Zlib compressed data, default compression
3072          0xC00           Zlib compressed data, default compression

-/
The last segment is a compressed backup of /var/opt/kaspersky/klms/db
/passwd, which contains a list of usernames, passwords, and profiles,
for example:

/-
# cat /var/opt/kaspersky/klms/db/passwd
Administrator:7{E{I'}Ap{RpY~t/V28\lZ&,FM&97s5`6f5e51bd7ade638785f5e7476351839e:admin
-/
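To review what a settings backup would restore, an administrator needs the same information binwalk reports plus the inflated content of each segment. The scanner below is an added example, not a Core Security or Kaspersky tool: it locates zlib streams by their two-byte header and inflates each one. The sample blob it builds (a 16-byte header, five segments, a passwd record with placeholder salt and hash) is constructed for the example and only mirrors the layout reported above.

```python
"""Enumerate and inflate zlib streams embedded in a settings backup blob.

Added example, not code from the advisory or the appliance. It reproduces the
offsets binwalk reports and additionally returns the inflated bytes, so the
files a restore would overwrite (such as the passwd database) can be inspected.
"""
import zlib


def find_zlib_streams(blob: bytes):
    """Return [(offset, inflated_bytes)] for every complete zlib stream in blob.

    A zlib header is CMF (0x78 = deflate, 32K window) followed by FLG with
    (CMF*256 + FLG) % 31 == 0. A candidate only counts if inflation reaches
    end-of-stream with a valid Adler-32 trailer, which rules out false hits.
    """
    streams = []
    pos = 0
    while pos < len(blob) - 1:
        cmf, flg = blob[pos], blob[pos + 1]
        if cmf == 0x78 and (cmf * 256 + flg) % 31 == 0:
            d = zlib.decompressobj()
            try:
                data = d.decompress(blob[pos:])
                if d.eof:
                    streams.append((pos, data))
                    pos = len(blob) - len(d.unused_data)  # skip past this stream
                    continue
            except zlib.error:
                pass  # not a real stream, keep scanning byte by byte
        pos += 1
    return streams


def summarize(blob: bytes):
    """Describe each stream; flag records shaped like name:hash:profile."""
    report = []
    for offset, data in find_zlib_streams(blob):
        passwd_like = data.rstrip(b"\n").count(b":") >= 2
        report.append({"offset": offset, "size": len(data),
                       "passwd_like": passwd_like})
    return report


# Constructed sample record; the salt and hash are placeholders, not real data.
SAMPLE_PASSWD = b"Administrator:PLACEHOLDER-SALT`PLACEHOLDER-HASH:admin\n"


def build_sample_backup() -> bytes:
    """Constructed blob: 16 header bytes, then five zlib segments with filler."""
    segments = [b"settings-part-%d" % i for i in range(4)] + [SAMPLE_PASSWD]
    blob = b"KZ-HEADER-PAD\x00\x00\x00"  # exactly 16 bytes, first stream at 0x10
    for seg in segments:
        blob += zlib.compress(seg) + b"\x00" * 8
    return blob


if __name__ == "__main__":
    for entry in summarize(build_sample_backup()):
        print(f"{entry['offset']:<8}{hex(entry['offset']):<8}"
              f"{entry['size']:>6} bytes  passwd-like={entry['passwd_like']}")
```

Run against a real backup file, the same `find_zlib_streams` call lists every segment without assuming the five-segment layout; the `passwd_like` heuristic is only a hint for where to look, and the inflated bytes are what should be diffed against the live configuration before any import is trusted.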

An attacker can craft a backup file that contains its own passwd file,
and then submit it by abusing the CSRF vulnerability.

The appliance then overwrites the original passwd file, giving the
attacker access to the Administrator account.

The following proof-of-concept request restores only account information
in order to avoid changing the appliance's current configuration. Please
note that the file contents were removed to make it more readable.

/-
POST /ksmg/cgi-bin/klwi?action=importSettings=CC3262C5 HTTP/1.1
Host: server
User-Agent: Mozilla/5.0 (X11; 

[SECURITY] [DSA 4104-1] p7zip security update

2018-02-05 Thread Salvatore Bonaccorso
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -
Debian Security Advisory DSA-4104-1   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
February 04, 2018 https://www.debian.org/security/faq
- -

Package: p7zip
CVE ID : CVE-2017-17969
Debian Bug : 888297

'landave' discovered a heap-based buffer overflow vulnerability in the
NCompress::NShrink::CDecoder::CodeReal method in p7zip, a 7zr file
archiver with high compression ratio. A remote attacker can take
advantage of this flaw to cause a denial of service or, potentially, the
execution of arbitrary code with the privileges of the user running
p7zip, if a specially crafted shrinked ZIP archive is processed.

For the oldstable distribution (jessie), this problem has been fixed
in version 9.20.1~dfsg.1-4.1+deb8u3.

For the stable distribution (stretch), this problem has been fixed in
version 16.02+dfsg-3+deb9u1.

We recommend that you upgrade your p7zip packages.

For the detailed security status of p7zip please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/p7zip

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



[slackware-security] php (SSA:2018-034-01)

2018-02-05 Thread Slackware Security Team

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[slackware-security]  php (SSA:2018-034-01)

New php packages are available for Slackware 14.0, 14.1, 14.2, and -current to
fix security issues.


Here are the details from the Slackware 14.2 ChangeLog:
+--+
patches/packages/php-5.6.33-i586-1_slack14.2.txz:  Upgraded.
  This update fixes bugs and security issues, including:
  Potential infinite loop in gdImageCreateFromGifCtx.
  Reflected XSS in .phar 404 page.
  For more information, see:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5711
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5712
  (* Security fix *)
+--+


Where to find the new packages:
+-+

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project!  :-)

Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.

Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/php-5.6.33-i486-1_slack14.0.txz

Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/php-5.6.33-x86_64-1_slack14.0.txz

Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/php-5.6.33-i486-1_slack14.1.txz

Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/php-5.6.33-x86_64-1_slack14.1.txz

Updated package for Slackware 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/php-5.6.33-i586-1_slack14.2.txz

Updated package for Slackware x86_64 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/php-5.6.33-x86_64-1_slack14.2.txz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/php-7.2.2-i586-1.txz

Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/php-7.2.2-x86_64-1.txz


MD5 signatures:
+-+

Slackware 14.0 package:
fb0ddc5f3aac90db9c4955dd06ee648b  php-5.6.33-i486-1_slack14.0.txz

Slackware x86_64 14.0 package:
3d4c2a311034e6be99a83c0e23362417  php-5.6.33-x86_64-1_slack14.0.txz

Slackware 14.1 package:
084a921e451e5ed86a32fa40775521cb  php-5.6.33-i486-1_slack14.1.txz

Slackware x86_64 14.1 package:
ae8af5aea4e619ac247f27ba05538db7  php-5.6.33-x86_64-1_slack14.1.txz

Slackware 14.2 package:
1cede7e8a45f875e5bd7675ca0c4a2b1  php-5.6.33-i586-1_slack14.2.txz

Slackware x86_64 14.2 package:
d6c22d0f22118b23331b45866cf2da6c  php-5.6.33-x86_64-1_slack14.2.txz

Slackware -current package:
3bae03039f6c7b371da207719cb0e7bc  n/php-7.2.2-i586-1.txz

Slackware x86_64 -current package:
969ff7188ac0f3725514effdf6f3a2b4  n/php-7.2.2-x86_64-1.txz
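Before running upgradepkg, the downloaded package should be checked against the list above. The script below is an added example, not a Slackware tool: it parses lines in exactly the `<md5hex>  <filename>` form printed in this section (dropping the `n/` directory prefix used for -current) and compares them with the hash of the local file. The package bytes and the zero checksums it uses are constructed for the demonstration.

```python
"""Verify downloaded Slackware packages against an advisory's MD5 list.

Added example, not a Slackware tool. parse_md5_list() accepts the text of the
"MD5 signatures" section as-is; verify_packages() reports ok / mismatch /
missing for each listed package found (or not) in a directory.
"""
import hashlib
import os
import re
import tempfile

# One checksum line: 32 hex digits, whitespace, then a path or filename.
MD5_LINE = re.compile(r"^([0-9a-f]{32})\s+(\S+)$")


def parse_md5_list(text: str) -> dict:
    """Return {basename: md5hex}; lines that are not checksum lines are ignored."""
    wanted = {}
    for line in text.splitlines():
        m = MD5_LINE.match(line.strip())
        if m:
            digest, path = m.groups()
            wanted[os.path.basename(path)] = digest  # 'n/php-7.2.2-...' -> 'php-7.2.2-...'
    return wanted


def md5_of_file(path: str) -> str:
    """Hash the file in 1 MiB chunks so large packages do not load into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_packages(md5_text: str, directory: str) -> dict:
    """Map each listed package name to 'ok', 'mismatch' or 'missing'."""
    status = {}
    for name, expected in parse_md5_list(md5_text).items():
        path = os.path.join(directory, name)
        if not os.path.exists(path):
            status[name] = "missing"
        elif md5_of_file(path) == expected:
            status[name] = "ok"
        else:
            status[name] = "mismatch"
    return status


def demo() -> dict:
    """Constructed run: one good file, one altered file, one never downloaded."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "php-5.6.33-i586-1_slack14.2.txz")
        with open(good, "wb") as f:
            f.write(b"constructed package bytes, not a real .txz\n")
        bad = os.path.join(d, "php-5.6.33-x86_64-1_slack14.2.txz")
        with open(bad, "wb") as f:
            f.write(b"altered bytes\n")
        listing = (
            "Slackware 14.2 package:\n"
            f"{md5_of_file(good)}  php-5.6.33-i586-1_slack14.2.txz\n\n"
            "Slackware x86_64 14.2 package:\n"
            "00000000000000000000000000000000  php-5.6.33-x86_64-1_slack14.2.txz\n\n"
            "Slackware -current package:\n"
            "00000000000000000000000000000000  n/php-7.2.2-i586-1.txz\n"
        )
        return verify_packages(listing, d)


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{result:<9} {name}")
```

A matching MD5 shows the download was not corrupted or swapped in transit relative to the list in this mail; authenticity of the mail itself rests on the PGP signature below, checked against the team's key at the URL given in the signature block.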


Installation instructions:
++

Upgrade the package as root:
# upgradepkg php-5.6.33-i586-1_slack14.2.txz

Then, restart Apache httpd:
# /etc/rc.d/rc.httpd stop
# /etc/rc.d/rc.httpd start


+-+

Slackware Linux Security Team
http://slackware.com/gpg-key
secur...@slackware.com

++
| To leave the slackware-security mailing list:  |
++
| Send an email to majord...@slackware.com with this text in the body of |
| the email message: |
||
|   unsubscribe slackware-security   |
||
| You will get a confirmation message back containing instructions to|
| complete the process.  Please do not reply to this email address.  |
++
-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAlp2aP0ACgkQakRjwEAQIjNeNQCglA2PA8NyMQO7z9K5fPGmA5/o
iwIAn2vBrMbKnrhUrVsYema+eEsPjcrj
=GJn8
-----END PGP SIGNATURE-----