Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04491186

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04491186
Version: 1

HPSBUX03159 SSRT101785 rev.1 - HP-UX kernel, Local Denial of Service (DoS)

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2014-10-28
Last Updated: 2014-10-28

Potential Security Impact: Local Denial of Service (DoS)

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified in the HP-UX kernel.
This vulnerability could allow local users to create a Denial of Service
(DoS).
 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2014:211
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : wpa_supplicant
 Date    : October 29, 2014
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated wpa_supplicant packages fix security vulnerability:

 A vulnerability was found in the mechanism wpa_cli and hostapd_cli use
 for executing action scripts. An unsanitized string received from a
 remote device can be passed to a system() call resulting in arbitrary
 command execution under the privileges of the wpa_cli/hostapd_cli
 process (which may be root in common use cases) (CVE-2014-3686).

 Using the wpa_supplicant package, systems are exposed to the
 vulnerability if operating as a WPS registrar.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3686
 http://advisories.mageia.org/MGASA-2014-0429.html
 _______________________________________________________________________
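The wpa_cli/hostapd_cli weakness above is the difference between interpolating remote-controlled data into a string that a shell will parse and passing it as one argv element. The following is an added example, not code from wpa_supplicant or the Mandriva package: it builds the command string a system()-style caller would produce beside a hardened launcher that executes the action script with an argument vector and no shell; the script path, interface name, event name and the remote string are constructed.

```python
import json
import subprocess
import sys

# Constructed sample: a string under a remote peer's control (for example a
# device attribute seen by a WPS registrar) that carries shell metacharacters.
REMOTE_DATA = "Printer; touch /tmp/owned"


def shell_command_for(script: str, iface: str, event: str, data: str) -> str:
    """Vulnerable shape: untrusted data interpolated into a single string.

    Anything that hands this string to system() lets /bin/sh tokenize it, so
    the ';' in REMOTE_DATA starts a second command. This function only builds
    the string for inspection; it never executes it.
    """
    return f"{script} {iface} {event} {data}"


def run_action_script(script_argv: list, iface: str, event: str, data: str) -> list:
    """Hardened shape: data travels as one argv element and no shell is involved.

    Returns the argument list the child actually observed, so a caller can
    confirm the untrusted string arrived intact as a single argument.
    """
    result = subprocess.run(
        [*script_argv, iface, event, data],
        shell=False,          # the kernel receives argv directly; nothing tokenizes it
        capture_output=True,
        text=True,
        check=True,
        timeout=5,
    )
    return json.loads(result.stdout)


# Stand-in for an administrator's action script (the one given to `wpa_cli -a`):
# it echoes its own argv as JSON so the demo can check what it received.
ECHO_ARGV_SCRIPT = [sys.executable, "-c",
                    "import json, sys; print(json.dumps(sys.argv[1:]))"]


def demo() -> tuple:
    # "/etc/wpa_action.sh" is a placeholder path, not a real file on this system.
    unsafe = shell_command_for("/etc/wpa_action.sh", "wlan0", "WPS-EVENT", REMOTE_DATA)
    safe = run_action_script(ECHO_ARGV_SCRIPT, "wlan0", "WPS-EVENT", REMOTE_DATA)
    return unsafe, safe


if __name__ == "__main__":
    unsafe, safe = demo()
    print("string a system() caller would hand to the shell:", unsafe)
    print("argv as seen by the action script:", safe)
```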
 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2014:212
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : wget
 Date    : October 29, 2014
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated wget package fixes security vulnerability:

 Wget was susceptible to a symlink attack which could create arbitrary
 files, directories or symbolic links and set their permissions when
 retrieving a directory recursively through FTP (CVE-2014-4877).

 The default settings in wget have been changed such that wget no longer
 creates local symbolic links, but rather traverses them and retrieves
 the pointed-to file in such a retrieval. The old behaviour can be
 attained by passing the --retr-symlinks=no option to the wget command.
 _______________________________________________________________________
Advisory ID: HTB23238
Product: EspoCRM
Vendor: http://www.espocrm.com
Vulnerable Version(s): 2.5.2 and probably prior
Tested Version: 2.5.2
Advisory Publication: October 8, 2014 [without technical details]
Vendor Notification: October 8, 2014
Vendor Patch: October 10, 2014
Public Disclosure: October 29, 2014
Vulnerability Type: PHP File Inclusion [CWE-98], Improper Access Control [CWE-284], Cross-Site Scripting [CWE-79]
CVE References: CVE-2014-7985, CVE-2014-7986, CVE-2014-7987
Risk Level: High
CVSSv2 Base Scores: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C), 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P), 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab (https://www.htbridge.com/advisory/ )

-----------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered multiple high-risk vulnerabilities in EspoCRM, which can be exploited by a remote attacker to execute arbitrary PHP code on a vulnerable system, reinstall the application from scratch, and compromise the entire system as a result. EspoCRM is also vulnerable to less critical Cross-Site Scripting attacks.

1. PHP File Inclusion in EspoCRM: CVE-2014-7985

The vulnerability exists because input data passed via the "action" HTTP GET parameter to the "/install/index.php" script is not sanitized before it is used in the PHP "include()" function. A remote unauthenticated attacker can include and execute arbitrary local PHP files on the system with the privileges of the web server.

Successful exploitation of the vulnerability may allow complete application and system compromise.

Below is a simple PoC (Proof-of-Concept) that uses a path traversal technique to include the "/tmp/file.php" file (any other file whose content the attacker controls could be included instead):

http://[host]/install/index.php?installProcess=1&action=../../../../../../../../tmp/file

The installation script is not deleted after installation, and is accessible without any authentication by default.