[security bulletin] HPSBUX03159 SSRT101785 rev.1 - HP-UX kernel, Local Denial of Service (DoS)

Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/
docDisplay?docId=emr_na-c04491186

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04491186
Version: 1

HPSBUX03159 SSRT101785 rev.1 - HP-UX kernel, Local Denial of Service (DoS)

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2014-10-28
Last Updated: 2014-10-28

Potential Security Impact: Local Denial of Service (DoS)

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified in the HP-UX kernel.
This vulnerability could allow local users to create a Denial of Service
DoS).

[ MDVSA-2014:211 ] wpa_supplicant

 ____________________________________________________________
___________

 Mandriva Linux Security Advisory                         MDVSA-2014:211
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : wpa_supplicant
 Date    : October 29, 2014
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated wpa_supplicant packages fix security vulnerability:

 A vulnerability was found in the mechanism wpa_cli and hostapd_cli use
 for executing action scripts. An unsanitized string received from a
 remote device can be passed to a system() call resulting in arbitrary
 command execution under the privileges of the wpa_cli/hostapd_cli
 process (which may be root in common use cases) (CVE-2014-3686).

 Using the wpa_supplicant package, systems are exposed to the
 vulnerability if operating as a WPS registrar.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3686
 http://advisories.mageia.org/MGASA-2014-0429.html
 _______________________________________________________________________

[ MDVSA-2014:212 ] wget

 Mandriva Linux Security Advisory                         MDVSA-2014:212
 http://www.mandriva.com/en/support/security/
 ____________________________________________________________
___________

 Package : wget
 Date    : October 29, 2014
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated wget package fixes security vulnerability:

 Wget was susceptible to a symlink attack which could create arbitrary
 files, directories or symbolic links and set their permissions when
 retrieving a directory recursively through FTP (CVE-2014-4877).

 The default settings in wget have been changed such that wget no longer
 creates local symbolic links, but rather traverses them and retrieves
 the pointed-to file in such a retrieval. The old behaviour can be
 attained by passing the --retr-symlinks=no option to the wget command.
 _______________________________________________________________________

Multiple vulnerabilities in EspoCRM

Advisory ID: HTB23238
Product: EspoCRM
Vendor: http://www.espocrm.com
Vulnerable Version(s): 2.5.2 and probably prior
Tested Version: 2.5.2
Advisory Publication:  October 8, 2014  [without technical details]
Vendor Notification: October 8, 2014
Vendor Patch: October 10, 2014
Public Disclosure: October 29, 2014
Vulnerability Type: PHP File Inclusion [CWE-98], Improper Access Control [CWE-284], Cross-Site Scripting [CWE-79]
CVE References: CVE-2014-7985, CVE-2014-7986, CVE-2014-7987
Risk Level: High
CVSSv2 Base Scores: 7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C), 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P), 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab (https://www.htbridge.com/advisory/ )

------------------------------------------------------------
-----------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered multiple high-risk vulnerabilities in EspoCRM, which can be exploited by remote attacker to execute arbitrary PHP code on a vulnerable system, reinstall the application from scratch, and compromise the entire system as the result. EspoCRM is also vulnerable to less critical Cross-Site Scripting attacks.


1. PHP File Inclusion in EspoCRM: CVE-2014-7985

The vulnerability exists due to absence of sanitization of input data passed via the "action" HTTP GET parameter to "/install/index.php" script before using them in PHP "include()" function. A remote unauthenticated attacker can include and execute arbitrary local PHP files on the system with privileges of the web server.

Successful exploitation of the vulnerability may allow complete application and system compromise.

Below is a simple PoC (Proof-of-Concept) code that uses path traversal technique to include "/tmp/file.php" file (you can include any other file, content of which you control):

http://[host]/install/index.php?installProcess=1&action=../../../../../../../../ tmp/file

The installation script is not deleted after installation, and is accesible without any authentication by default.