[CORE-2017-0010] - Kaspersky Secure Mail Gateway Multiple Vulnerabilities
Core Security - Corelabs Advisory
http://corelabs.coresecurity.com/

Kaspersky Secure Mail Gateway Multiple Vulnerabilities

1. *Advisory Information*

Title: Kaspersky Secure Mail Gateway Multiple Vulnerabilities
Advisory ID: CORE-2017-0010
Advisory URL: http://www.coresecurity.com/advisories/kaspersky-secure-mail-gateway-multiple-vulnerabilities
Date published: 2018-02-01
Date of last update: 2018-02-01
Vendors contacted: Kaspersky Lab
Release mode: Coordinated release

2. *Vulnerability Information*

Class: Cross-Site Request Forgery [CWE-352], Improper Neutralization of Special Elements in Output Used by a Downstream Component [CWE-74], Improper Privilege Management [CWE-269], Improper Neutralization of Input During Web Page Generation [CWE-79]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-pending-assignment-1, CVE-pending-assignment-2, CVE-pending-assignment-3, CVE-pending-assignment-4

3. *Vulnerability Description*

From Kaspersky Labs website: Kaspersky Secure Mail Gateway [1] gives you a fully integrated email system; mail security solution - including anti-spam, anti-malware, anti-phishing and more - in a single virtual appliance. It's easy to install and manage - so you save time on day-to-day mail and mail security tasks, while we deliver award-winning security that helps you keep your business safe and boost user productivity.

Multiple vulnerabilities were found in the Kaspersky Mail Gateway Web Management Console. It is possible for a remote attacker to abuse these vulnerabilities and gain command execution as root.

4. *Vulnerable Packages*

Kaspersky Secure Mail Gateway 1.1.0.379
Other products and versions might be affected, but they were not tested.

5. *Vendor Information, Solutions and Workarounds*

Kaspersky Labs published the following advisory:
https://support.kaspersky.com/vulnerability.aspx?el=12430#010218

6. *Credits*

These vulnerabilities were discovered and researched by Leandro Barragan from Core Security Consulting Services. The publication of this advisory was coordinated by Alberto Solino from Core Advisories Team.

7. *Technical Description / Proof of Concept Code*

Kaspersky Secure Mail Gateway is a virtual appliance designed to be deployed inside the organization's network infrastructure. It comes bundled with a Web Management Console to monitor the application status and manage its operation.

This Management Console provides no cross-site request forgery protection site-wide, which could result in administrative account takeover as shown in 7.1. In addition, an attacker who manages to get access to the Web Console could gain command execution as root (7.2) by injecting arbitrary content into the appliance's Postfix configuration. It is also possible to elevate privileges from kluser to root (7.3) by abusing a setuid binary shipped with the appliance, which executes a script located in an attacker-controlled location with root privileges. Apart from this, a reflected cross-site scripting vulnerability (7.4) was found which affects the Management Console.

7.1. *Cross-site Request Forgery leading to Administrative account takeover*

[CVE-pending-assignment-1]

There are no Anti-CSRF tokens in any forms on the Web interface. This would allow an attacker to submit authenticated requests when an authenticated user browses an attacker-controlled domain. The "Import Application Settings" feature is particularly interesting because it allows users to restore a backup file that overwrites the appliance's configuration.
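The control whose absence section 7.1 describes, as an added example that is not code from the advisory or from the Kaspersky product: a session-bound synchronizer token checked in constant time, backed by an Origin/Referer check, in front of a stand-in "import settings" handler. The host name "server" is taken from the advisory's request; the session id, form field names and request shape are assumptions of this example.

```python
"""Synchronizer-token CSRF check for a state-changing form (added example)."""
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Per-deployment secret; a real server would load it from protected storage.
SERVER_SECRET = secrets.token_bytes(32)
ALLOWED_HOST = "server"  # the Host seen in the advisory's request


def csrf_token(session_id):
    """Token bound to the session: HMAC-SHA256(secret, session id).
    A page on another origin cannot compute it, and unlike the session
    cookie the browser never attaches it automatically."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def csrf_check(session_id, request):
    """Decide whether a POST may proceed.  request is a dict with "form" and
    "headers" (header names treated case-sensitively for simplicity).
    Returns (allowed, reason)."""
    submitted = request["form"].get("csrf_token")
    if not submitted or not hmac.compare_digest(csrf_token(session_id), submitted):
        return False, "missing or invalid csrf token"
    # Defence in depth: a browser POST carries Origin (or at least Referer).
    # For this sensitive endpoint both absence and mismatch are rejected.
    source = request["headers"].get("Origin") or request["headers"].get("Referer")
    if not source:
        return False, "no Origin/Referer on state-changing request"
    host = urlsplit(source).hostname
    if host != ALLOWED_HOST:
        return False, "cross-origin request from %s" % host
    return True, "ok"


def import_settings(session_id, request):
    """Guarded handler: reaches the restore step only when the check passes.
    The restore itself is a stand-in that just reports the file name."""
    allowed, reason = csrf_check(session_id, request)
    if not allowed:
        return {"status": 403, "reason": reason}
    return {"status": 200, "restored": request["form"].get("file", "<none>")}


if __name__ == "__main__":
    sid = "constructed-session-id"
    # Legitimate submission from the console's own page.
    good = {"form": {"csrf_token": csrf_token(sid), "file": "KSMG_settings.kz"},
            "headers": {"Origin": "https://server"}}
    # Cross-site submission: the victim's browser still presents the session
    # (sid is known to the server), but the page has no token and a foreign Origin.
    forged = {"form": {"file": "other-settings.kz"},
              "headers": {"Origin": "https://third-party.example"}}
    print(import_settings(sid, good))    # 200
    print(import_settings(sid, forged))  # 403
```

The token check alone is sufficient to stop the forged request; the Origin/Referer check is kept because it also catches a token that leaked through some other path, and it is cheap to log as a detection signal.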
A settings backup file contains five zlib segments:

/-
$ binwalk KSMG_settings.kz

DECIMAL       HEXADECIMAL     DESCRIPTION
--------------------------------------------------------------------
16            0x10            Zlib compressed data, default compression
39            0x27            Zlib compressed data, default compression
2242          0x8C2           Zlib compressed data, default compression
2268          0x8DC           Zlib compressed data, default compression
3072          0xC00           Zlib compressed data, default compression
-/

The last segment is a compressed backup of /var/opt/kaspersky/klms/db/passwd, which contains a list of usernames, passwords, and profiles, for example:

/-
# cat /var/opt/kaspersky/klms/db/passwd
Administrator:7{E{I'}Ap{RpY~t/V28\lZ&,FM&97s5`6f5e51bd7ade638785f5e7476351839e:admin
-/

An attacker can craft a backup file that contains their own passwd file, and then submit it by abusing the CSRF vulnerability. The appliance then overwrites the original passwd file, giving the attacker access to the Administrator account.

The following proof-of-concept request restores only account information in order to avoid changing the appliance's current configuration. Please note that the file contents were removed to make it more readable.

/-
POST /ksmg/cgi-bin/klwi?action=importSettings=CC3262C5 HTTP/1.1
Host: server
User-Agent: Mozilla/5.0 (X11;
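The binwalk listing above only tells you where the zlib streams start. As an added example, not code from the advisory or from Kaspersky, the following scanner does the same signature walk in Python and then inflates each stream, so that an administrator can see what a backup actually carries (and whether its last segment is an account file) before restoring it. The container layout used for the sample is constructed for the demonstration; the real KSMG_settings.kz format is not documented on the page beyond the five-segment listing, and the sample passwd line is a placeholder.

```python
"""Locate and inflate the zlib segments of a settings-backup blob (added example)."""
import zlib

# A zlib stream starts with CMF=0x78 (deflate, 32 KiB window) followed by a FLG
# byte whose FLEVEL bits record the compression level.  The FCHECK bits make the
# 16-bit header a multiple of 31, which is how a binwalk-style signature scan
# tells a real header from a stray 0x78 byte.
FLEVEL_NAMES = {
    0x01: "no/low compression",
    0x5E: "low compression",
    0x9C: "default compression",
    0xDA: "best compression",
}


def find_zlib_segments(blob):
    """Return [(offset, level_name, inflated_bytes), ...] for every complete
    zlib stream in blob.  A candidate header counts only if zlib inflates a
    whole stream from that offset and its Adler-32 trailer verifies
    (decompressobj.eof); truncated or corrupt streams are skipped."""
    segments = []
    i = 0
    while i < len(blob) - 1:
        cmf, flg = blob[i], blob[i + 1]
        if cmf == 0x78 and (cmf * 256 + flg) % 31 == 0:
            d = zlib.decompressobj()
            try:
                data = d.decompress(blob[i:])
            except zlib.error:
                data = None
            if data is not None and d.eof:
                segments.append((i, FLEVEL_NAMES.get(flg, "unknown level"), data))
                i = len(blob) - len(d.unused_data)  # resume after this stream's trailer
                continue
        i += 1
    return segments


# Constructed sample: a fake 16-byte container header followed by three zlib
# streams at different levels, the last standing in for the backed-up passwd
# file (format user:password:profile, values invented).
SAMPLE_PASSWD = b"Administrator:<salt-and-hash-placeholder>:admin\n"
SAMPLE_PAYLOADS = [
    (b"<settings><antispam enabled='1'/></settings>", 6),  # -> header 0x78 0x9C
    (b"relay_domains = example.internal\n", 1),            # -> header 0x78 0x01
    (SAMPLE_PASSWD, 9),                                    # -> header 0x78 0xDA
]


def build_sample_blob():
    """Return (blob, expected_offsets) for the constructed container."""
    parts = [b"KSMG-SETTINGS\x00\x00\x00"]  # 16 bytes, matching binwalk's first 0x10 offset
    offsets = []
    for payload, level in SAMPLE_PAYLOADS:
        offsets.append(sum(len(p) for p in parts))
        parts.append(zlib.compress(payload, level))
        parts.append(b"\x00" * 4)  # filler between segments
    return b"".join(parts), offsets


def report(blob):
    """binwalk-style listing, one line per segment, with the inflated size."""
    return ["%-8d 0x%-6X Zlib compressed data, %s (%d bytes inflated)"
            % (offset, offset, level, len(data))
            for offset, level, data in find_zlib_segments(blob)]


if __name__ == "__main__":
    blob, _ = build_sample_blob()
    for line in report(blob):
        print(line)
    print("last segment:", find_zlib_segments(blob)[-1][2].decode().rstrip())
```

Because a segment is only reported once its checksum verifies, the scanner does not emit false positives for 0x78 bytes inside other data, and a truncated final stream is simply absent from the listing rather than misreported.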
[SECURITY] [DSA 4104-1] p7zip security update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-4104-1                   secur...@debian.org
https://www.debian.org/security/                       Salvatore Bonaccorso
February 04, 2018                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : p7zip
CVE ID         : CVE-2017-17969
Debian Bug     : 888297

'landave' discovered a heap-based buffer overflow vulnerability in the
NCompress::NShrink::CDecoder::CodeReal method in p7zip, a 7zr file
archiver with high compression ratio. A remote attacker can take
advantage of this flaw to cause a denial-of-service or, potentially, the
execution of arbitrary code with the privileges of the user running
p7zip, if a specially crafted shrinked ZIP archive is processed.

For the oldstable distribution (jessie), this problem has been fixed
in version 9.20.1~dfsg.1-4.1+deb8u3.

For the stable distribution (stretch), this problem has been fixed in
version 16.02+dfsg-3+deb9u1.

We recommend that you upgrade your p7zip packages.

For the detailed security status of p7zip please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/p7zip

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlp3b2tfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xND
z0TrkA//VNLdog0TJNf4fHBagj2qd9UFUInov6I6r4Bc0nfuyL66LY57riC8yLnF
jiqq3+q86aXqokRO6/enP2v8d4OCS/jcZhMFmg86CE+1em+jBFdUcNijZUzIZjpA
pEEbfNCYZ+aOrhDHAZn4HvjCnxRk5zseGmvfCNPtbJOxbeUh5tVcbXy/2768t/v0
s9n9cAI1BsvE/4M6/6PH/HEemJbHQpYUi+cE2WR0GEAszQd4U988Vf4LG/1ZhuN9
/rpfbvDw/OwTYlWFQyvzPl+lnyWrUXgY5EYrhllNXBUFfIzQg+NqlapWj37AR54+
1UI4FVTjmcio6DYvtCfG704oL2yviKjxPddOSg+nJBuQTOcpskJtQPXHq3k0ELRE
vWRehSemSj+XhZI9NV7TQ0n2UQfUQTIK04l2LOxN7Uozf7S6rRe653TFnk4VGsLi
1CQr1ek7YwepfSuaLl2eyUZl6xe3tFIeDtDbTLU9g1Cv8RIlMOU1KiVaSPhfjO/3
Gnx29JzqwM216gQl/8N9SUA7vtZJDbwAwzo/bMDHEpvvoqR4jVEKK4pLRm9UsQyX
EKT26ZJqEuegV792xcowNpvn3s2H0TM+3u6DLGHUq2xC2TgsgHYy5zWeDnnx/5R2
yr0F9qPl9kefqabDCM4Tqvu32YYym5UUIqiq+iYQaDwDorDx7Bo=
=T7ze
-----END PGP SIGNATURE-----
[slackware-security] php (SSA:2018-034-01)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

[slackware-security]  php (SSA:2018-034-01)

New php packages are available for Slackware 14.0, 14.1, 14.2, and -current to
fix security issues.


Here are the details from the Slackware 14.2 ChangeLog:
+--------------------------+
patches/packages/php-5.6.33-i586-1_slack14.2.txz:  Upgraded.
  This update fixes bugs and security issues, including:
  Potential infinite loop in gdImageCreateFromGifCtx.
  Reflected XSS in .phar 404 page.
  For more information, see:
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5711
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5712
  (* Security fix *)
+--------------------------+


Where to find the new packages:
+-----------------------------+

Thanks to the friendly folks at the OSU Open Source Lab
(http://osuosl.org) for donating FTP and rsync hosting
to the Slackware project!  :-)

Also see the "Get Slack" section on http://slackware.com for
additional mirror sites near you.

Updated package for Slackware 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware-14.0/patches/packages/php-5.6.33-i486-1_slack14.0.txz

Updated package for Slackware x86_64 14.0:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.0/patches/packages/php-5.6.33-x86_64-1_slack14.0.txz

Updated package for Slackware 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware-14.1/patches/packages/php-5.6.33-i486-1_slack14.1.txz

Updated package for Slackware x86_64 14.1:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.1/patches/packages/php-5.6.33-x86_64-1_slack14.1.txz

Updated package for Slackware 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/php-5.6.33-i586-1_slack14.2.txz

Updated package for Slackware x86_64 14.2:
ftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/php-5.6.33-x86_64-1_slack14.2.txz

Updated package for Slackware -current:
ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/php-7.2.2-i586-1.txz

Updated package for Slackware x86_64 -current:
ftp://ftp.slackware.com/pub/slackware/slackware64-current/slackware64/n/php-7.2.2-x86_64-1.txz


MD5 signatures:
+-------------+

Slackware 14.0 package:
fb0ddc5f3aac90db9c4955dd06ee648b  php-5.6.33-i486-1_slack14.0.txz

Slackware x86_64 14.0 package:
3d4c2a311034e6be99a83c0e23362417  php-5.6.33-x86_64-1_slack14.0.txz

Slackware 14.1 package:
084a921e451e5ed86a32fa40775521cb  php-5.6.33-i486-1_slack14.1.txz

Slackware x86_64 14.1 package:
ae8af5aea4e619ac247f27ba05538db7  php-5.6.33-x86_64-1_slack14.1.txz

Slackware 14.2 package:
1cede7e8a45f875e5bd7675ca0c4a2b1  php-5.6.33-i586-1_slack14.2.txz

Slackware x86_64 14.2 package:
d6c22d0f22118b23331b45866cf2da6c  php-5.6.33-x86_64-1_slack14.2.txz

Slackware -current package:
3bae03039f6c7b371da207719cb0e7bc  n/php-7.2.2-i586-1.txz

Slackware x86_64 -current package:
969ff7188ac0f3725514effdf6f3a2b4  n/php-7.2.2-x86_64-1.txz


Installation instructions:
+------------------------+

Upgrade the package as root:
# upgradepkg php-5.6.33-i586-1_slack14.2.txz

Then, restart Apache httpd:
# /etc/rc.d/rc.httpd stop
# /etc/rc.d/rc.httpd start


+-----+

Slackware Linux Security Team
http://slackware.com/gpg-key
secur...@slackware.com

+------------------------------------------------------------------------+
| To leave the slackware-security mailing list:                          |
+------------------------------------------------------------------------+
| Send an email to majord...@slackware.com with this text in the body of |
| the email message:                                                     |
|                                                                        |
|   unsubscribe slackware-security                                       |
|                                                                        |
| You will get a confirmation message back containing instructions to    |
| complete the process.  Please do not reply to this email address.      |
+------------------------------------------------------------------------+
-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAlp2aP0ACgkQakRjwEAQIjNeNQCglA2PA8NyMQO7z9K5fPGmA5/o
iwIAn2vBrMbKnrhUrVsYema+eEsPjcrj
=GJn8
-----END PGP SIGNATURE-----