Source: Hewlett Packard Enterprise, Product Security Response Team
VULNERABILITY SUMMARY
A potential security vulnerability has been identified in HPE Integrated Lights-out (iLO 4). The vulnerability could be exploited remotely to allow authentication bypass and execution of code.
References:
- CVE-2017-12542
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
- HP Integrated Lights-Out 4 (iLO 4), Prior to 2.53
Hewlett Packard Enterprise would like to thank Fabien Perigaud of Airbus Defense and Space CyberSecurity for reporting this vulnerability.
RESOLUTION
HPE has provided software updates to resolve the vulnerability in HPE Integrated Lights-out 4 (iLO 4). Please upgrade to HPE Integrated Lights-out 4 (iLO 4) firmware version 2.53 or newer.
HISTORY
Version:1 (rev.1) - 24 August 2017 Initial release
Third Party Security Patches: Third party security patches that are to be installed on systems running Hewlett Packard Enterprise (HPE) software products should be applied in accordance with the customer's patch management policy.
Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HPE Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hpe.com.
Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB.
- 3C = 3COM
- 3P = 3rd Party Software
- GN = HPE General Software
- HF = HPE Hardware and Firmware
- MU = Multi-Platform Software
- NS = NonStop Servers
- OV = OpenVMS
- PV = ProCurve
- ST = Storage Software
- UX = HP-UX
Copyright 2016 Hewlett Packard Enterprise
Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett Packard Enterprise and the names of Hewlett Packard Enterprise products referenced herein are trademarks of Hewlett Packard Enterprise in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
A read buffer overflow was discovered in the idtech3 (Quake III Arena) family of game engines. This allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted packet.
For the oldstable distribution (jessie), this problem has been fixed in version 1.36+u20140802+gca9eebb-2+deb8u2.
For the stable distribution (stretch), this problem has been fixed in version 1.36+u20161101+dfsg1-2+deb9u1.
We recommend that you upgrade your ioquake3 packages.
Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
Hossein Lotfi and Jakub Jirasek from Secunia Research have discovered multiple vulnerabilities in LibRaw, a library for reading RAW images. An attacker could cause memory corruption leading to a DoS (Denial of Service) with a crafted KDC or TIFF file.
For the oldstable distribution (jessie), these problems have been fixed in version 0.16.0-9+deb8u3.
For the stable distribution (stretch), these problems have been fixed in version 0.17.2-6+deb9u1.
We recommend that you upgrade your libraw packages.
Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/
Advisory: WebClientPrint Processor 2.0: No Validation of TLS Certificates
RedTeam Pentesting discovered that WebClientPrint Processor (WCPP) does not validate TLS certificates when initiating HTTPS connections. Thus, a man-in-the-middle attacker may intercept and/or modify HTTPS traffic in transit. This may result in a disclosure of sensitive information and the integrity of printed documents cannot be guaranteed.
Neodynamic's WebClientPrint Processor is a client-side application which allows server-side applications to print documents on a client's printer without user interaction, bypassing the browser's print functionality. The server-side application may be written in ASP.NET or PHP, while on the client side multiple platforms and browsers are supported.
"Send raw data, text and native commands to client printers without showing or displaying any print dialog box!" (Neodynamic's website)
More Details
============
Upon installation under Microsoft Windows, WCPP registers itself as a handler for the "webclientprint" URL scheme. Thus, any URL starting with "webclientprint:" is handled by WCPP. For example, entering
webclientprint:-about
in the URL bar of a browser opens the about box of WCPP.
Neodynamic provides an online demo for test printing at the following URL:
On the host 10.0.2.2, a self-signed certificate can be generated and afterwards socat[1] can be used to intercept and display the encrypted HTTP traffic as follows:
Any modern browser displays a warning due to the invalid TLS certificate presented by socat.
In contrast, WCPP simply accepts any certificate it is presented with, for example when printing a demo TXT file. Such a request is given in the listing below. The output has been shortened and wrapped manually for better readability.
------------------------------------------------------------------------
GET /DemoPrintFile.ashx?clientPrint&useDefaultPrinter=undefined&
    printerName=null&filetype=TXT HTTP/1.0\r
Host: webclientprint.azurewebsites.net\r
User-Agent: WCPP/2.0.15.109(Windows; 6.1)\r
Accept-Encoding: gzip, deflate\r
\r
< 2015/09/07 10:29:27.478913 length=3538 from=0 to=3537
HTTP/1.1 200 OK\r
Cache-Control: private\r
Content-Length: 3180\r
Content-Type: application/octet-stream\r
Server: Microsoft-IIS/8.0\r
X-AspNet-Version: 4.0.30319\r
X-Powered-By: ASP.NET\r
Set-Cookie: ARRAffinity=23c01e1a9de38f884445e396de9940aef5941b9af3f6d9
    cfa57066fe4d5fcb16;Path=/;Domain=webclientprint.azurewebsites.net\r
Date: Mon, 07 Sep 2015 08:29:27 GMT\r
Connection: close\r
\r
cpj..\v...\v..wcpPF:9c8d5316ffeb403d8be09565c2391f92.TXT|Printed By WebClientPrint\r
=========================\r
\r
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Fusce urna massa,
eleifend non posuere quis, iaculis et libero. Curabitur lacinia dolor non
nisl pharetra tempus.
[...]
Etiam nisl nisi, eleifend vel molestie tincidunt, porttitor ac nunc.
Vestibulum vulputate magna gravida neque imperdiet ac viverra nulla
suscipit..Acopian Technical Company - 1 WebApp Lic - 2 WebServer Lic|xxxxxxxxxxxxxxxxxxxxx
------------------------------------------------------------------------
This shows that WCPP does not verify TLS certificates when establishing HTTPS connections.
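The difference between a client that behaves like WCPP and one that verifies certificates is easy to make concrete. The following Go program is an added example for this advisory; it is not code from RedTeam Pentesting or from Neodynamic's product. It uses only the standard library: a local httptest HTTPS server with a self-signed certificate stands in for the print server (the response body "Printed By WebClientPrint" is constructed to echo the listing above), and three clients fetch from it. The strict client rejects the unknown certificate, the insecure client (the WCPP-like configuration, InsecureSkipVerify) accepts anything, and the pinned client trusts only the certificate an operator has provisioned, which is the behaviour a fixed client should have.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// startDemoServer starts a loopback HTTPS server with a self-signed certificate
// (generated by httptest). It stands in for the print server; the body is constructed.
func startDemoServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Content-Type", "application/octet-stream")
		fmt.Fprint(w, "Printed By WebClientPrint\r\n")
	}))
}

// fetch issues a GET with the given client and returns the body, or the transport error.
func fetch(c *http.Client, url string) (string, error) {
	resp, err := c.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", err
	}
	return string(b), nil
}

// strictClient verifies the server certificate against the system roots (Go's default).
func strictClient() *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{MinVersion: tls.VersionTLS12},
	}}
}

// insecureClient reproduces the WCPP defect: any certificate is accepted, so a
// man-in-the-middle with a self-signed certificate is indistinguishable from the real server.
func insecureClient() *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // the weak setting
	}}
}

// pinnedClient trusts exactly one certificate, e.g. an operator-provisioned CA or
// the print server's own certificate, and still checks the hostname/IP SANs.
func pinnedClient(trusted *x509.Certificate) *http.Client {
	pool := x509.NewCertPool()
	pool.AddCert(trusted)
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12},
	}}
}

// isCertError reports whether err is a certificate verification failure
// (unknown issuer, name mismatch, or no usable root store).
func isCertError(err error) bool {
	var unknownCA x509.UnknownAuthorityError
	var badHost x509.HostnameError
	var noRoots x509.SystemRootsError
	return errors.As(err, &unknownCA) || errors.As(err, &badHost) || errors.As(err, &noRoots)
}

func main() {
	srv := startDemoServer()
	defer srv.Close()

	clients := []struct {
		name   string
		client *http.Client
	}{
		{"strict (system roots)", strictClient()},
		{"insecure (WCPP-like)", insecureClient()},
		{"pinned (operator CA)", pinnedClient(srv.Certificate())},
	}
	for _, c := range clients {
		body, err := fetch(c.client, srv.URL)
		switch {
		case isCertError(err):
			fmt.Printf("%-22s rejected: %v\n", c.name, err)
		case err != nil:
			fmt.Printf("%-22s error: %v\n", c.name, err)
		default:
			fmt.Printf("%-22s accepted: %q\n", c.name, body)
		}
	}
}
```

Running it shows the strict client failing with an unknown-authority error while the other two receive the document; only the pinned client does so for the right reason. A client audit for a deployed WCPP-style tool is the same check from the outside: point it at a server presenting a self-signed certificate and confirm that the request is refused.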
Workaround
==========
Affected users should disable the WCPP handler and upgrade to a fixed version as soon as possible.
Fix
===
Install a WCPP version greater than or equal to 2.0.15.910[0].
Security Risk
=============
WCPP does not verify TLS certificates when establishing HTTPS connections. Man-in-the-middle attackers can therefore intercept those connections with little effort. This may lead to a disclosure of confidential information if sensitive documents are printed via WCPP. Furthermore, the integrity of the printed documents cannot be guaranteed as attackers are able to modify the documents in transit.
The described attack requires a man-in-the-middle position, which is a rather strong prerequisite. It is therefore estimated that the vulnerability poses a medium risk.
Timeline
========
2015-08-24 Vulnerability identified
2015-09-03 Customer approved disclosure to vendor
2015-09-04 Asked vendor for security contact
2015-09-04 CVE number requested
2015-09-04 Vendor responded with security contact
2015-09-07 Vendor notified
2015-09-07 Vendor acknowledged receipt of advisory
2015-09-15 Vendor released fixed version
2015-09-16 Customer asked to wait with advisory release until all their clients are updated
2017-07-31 Customer approved advisory release
2017-08-22 Advisory released
RedTeam Pentesting offers individual penetration tests performed by a team of specialised IT-security experts. In this way, security weaknesses in company networks or products are uncovered and can be fixed immediately.
As there are only a few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories.
Working at RedTeam Pentesting
=============================
RedTeam Pentesting is looking for penetration testers to join our team in Aachen, Germany. If you are interested please visit: https://www.redteam-pentesting.de/jobs/