Next Page >>
accesses
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02544568
Version: 1
HPSBGN02589 SSRT100296 rev.1 - HP ProCurve Access Points, Access Controllers, and Mobility Controllers, Privilege Escalation
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2010-10-13
Last Updated: 2010-10-13
versions 7.1.x, 7.2.x, 8.0.x, 8.1.x, and 8.2.x are affected when they
are configured for any of the following features:
* SSL VPNs
* Cisco Adaptive Security Device Manager (ASDM) Administrative
Access
* Telnet Access
* SSH Access
* Virtual Telnet
* Virtual HTTP
* Transport Layer Security (TLS) Proxy for Encrypted Voice
* Crafted H.323 packet DoS vulnerability
* SQL*Net packet DoS vulnerability
* Access control list (ACL) bypass vulnerability
Workarounds are available for some of the vulnerabilities.
This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20090408-asa.shtml.
+-------
IronPort C-Series, X-Series, and M-Series appliances utilize code
covered by this advisory, but are not susceptible to any security
risk. IronPort C-Series, X-Series, and M-Series incorporate the
libraries under the advisory to provide anonymous read-only access to
system health data. There is no risk of escalated authorization
privileges allowing a 3rd party to make any configuration changes to
the IronPort devices. IronPort S-Series and Encryption Appliances are
not affected by this advisory. This announcement has also been posted
on the IronPort Support Portal, available to IronPort customers:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Remote Access VPN and SIP Vulnerabilities in
Cisco PIX and Cisco ASA
Advisory ID: cisco-sa-20080903-asa
Revision 1.0
Cisco Unified IP Phone 7940, 7940G, 7960 and 7960G devices
running SIP firmware contain a buffer overflow vulnerability in
their internal telnet server. The telnet server is disabled by
default and can be configured to allow either privileged or
unprivileged user-level access. If the telnet server is enabled
for privileged or unprivileged access, the phone password
parameter must additionally be configured to permit telnet
access. By entering a specially crafted command on a phone
configured to permit unprivileged access, it may be possible for
an unprivileged-level, authenticated user to trigger a buffer
* Crafted TCP ACK Packet Vulnerability
* Crafted TLS Packet Vulnerability
* Instant Messenger Inspection Vulnerability
* Vulnerability Scan Denial of Service
* Control-plane Access Control List Vulnerability
The first four vulnerabilities may lead to a denial of service (DoS)
condition and the fifth vulnerability may allow an attacker to bypass
control-plane access control lists (ACL).
The Cisco ACE Application Control Engine Module and Cisco ACE 4710
Application Control Engine Cisco ACE Module and Cisco ACE 4710
Application Control Engine contain multiple vulnerabilities that, if
exploited, can could result in any of the following impacts:
* Administrative level access via default user names and passwords
* Privilege escalation
* A denial of service (DoS) condition
Cisco has released free software updates available for affected
customers. Workarounds that mitigate some of the vulnerabilities are
details of the following vulnerabilities:
* Default credentials
* Privilege escalation
* Unauthorized information interception
* Unauthorized information access
Cisco has released free software updates that address these
vulnerabilities. Workarounds that mitigate some of the listed
vulnerabilities are available.
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCsj80609 - Memory Leak Due to TCPFUZZ on Port 2444 (CTLProvider)
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
http://intellishield.cisco.com/security/alertmanager/cvss
* CSCsj80609 - Memory Leak Due to TCPFUZZ on Port 2444 (CTLProvider)
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
Summary
=======
The Secure Shell server (SSH) implementation in Cisco IOS contains
multiple vulnerabilities that allow unauthenticated users the ability
to generate a spurious memory access error or, in certain cases,
reload the device.
The IOS SSH server is an optional service that is disabled by
default, but its use is highly recommended as a security best
practice for management of Cisco IOS devices. SSH can be configured
* This function is called by the
* get()/post()/formdata() functions.
* You don't have to call it, this is
* the main function.
*
* @access private
* @return string $this->recv ServerResponse
*
*/
function sock()
{
Multiple vulnerabilities exist in the Cisco Application Networking
Manager (ANM) and Cisco Application Control Engine (ACE) Device
Manager applications. These vulnerabilities are independent of each
other. Successful exploitation of these vulnerabilities may result in
unauthorized system or host operating system access.
This security advisory identifies the following vulnerabilities:
* ACE Device Manager and ANM invalid directory permissions
vulnerability
The Cisco Wireless LAN Controller (WLC) product family is affected by
these vulnerabilities:
* Two denial of service (DoS) vulnerabilities
* Three privilege escalation vulnerabilities
* Two access control list (ACL) bypass vulnerabilities
Note: These vulnerabilities are independent of one another. A device
may be affected by one vulnerability and not affected by another.
Cisco has released free software updates that address these
===============
II. The Finding
===============
Three separate issues have been identified:
1. Unauthenticated Guest Access
-------------------------------
It is possible for unauthenticated users to access certain pages with guest
privileges (according to Oracle's security representative - this is a
standard functionality of this component). While some pages may not be
directly accessible as a guest in this manner, this can be bypassed by
service (DoS) vulnerability during the TCP establishment phase. The
vulnerability could cause embryonic TCP connections to remain in a
SYNRCVD or SYNSENT state. Enough embryonic TCP connections in these
states could consume system resources and prevent an affected device
from accepting or initiating new TCP connections, including any
TCP-based remote management access to the device.
No authentication is required to exploit this vulnerability. An attacker
does not need to complete a three-way handshake to trigger this
vulnerability; therefore, this this vunerability can be exploited using
spoofed packets. This vulnerability may be triggered by normal network
1.Vulnerability information
---------------------------
Impact: An unauthenticated remote attacker without any kind of
credentials can access the SMB service under the credentials of an
authorized user. Depending on the privileges of the authorized user, and
the configuration of the remote system, an attacker can gain read/write
access to the remote file system and execute arbitrary code by using
DCE/RPC over SMB.
Remotely Exploitable: Yes
I actually DID try to access the .sdb in Ubuntu but that was before I identified the file format of the db as myDB as noted. I do not know of a 'nix based tool for access to the db. If you just want to verify, you can open the .sdb with a text/hex editor and parse out a filename for yourself - it's pretty straight forward. If you want to script the download of all files on a vulnerable server (for testing, of course) then you'll probably need to go ahead and set up a VM.
t
From: Rohit Patnaik [mailto:quanticle@gmail.com]
Sent: Tuesday, December 15, 2009 6:29 PM
To: Thor (Hammer of God)
Cc: bugtraq@securityfocus.com; full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] File Access Vulnerability in Easy File Sharing Web Server
"AMG-2000 is an AP Management Gateway dedicatedly designed for small to
medium-sized network deployment and management, making it an ideal solution
for easily creating and extending WLANs in SMB offices. With its user
management features, administrators will be able to manage the whole process
of wireless network access. In addition, Access Point (AP) management
functions allow administrators to discover, configure, update, and monitor all
managed APs from a single secured interface, and from there, gain full control
of entire wireless network."
=======
Cisco Unified Communications Manager, formerly CallManager, contains
a privilege escalation vulnerability in the IP Phone Personal Address
Book (PAB) Synchronizer feature that may allow an attacker to gain
complete administrative access to a vulnerable Cisco Unified
Communications Manager system. If Cisco Unified Communications
Manager is integrated with an external directory service, it may be
possible for an attacker to leverage the privilege escalation
vulnerability to gain access to additional systems configured to use
the directory service for authentication.
Advisory:
/////////
Multiple Hewlett-Packard notebook series are prone to a remote code execution attack.
The manufacturer's preinstalled software contains a critical flaw within the software
built to support one-touch button quick feature access.
Summary
=======
Cisco IronPort Encryption Appliance devices contain two
vulnerabilities that allow remote, unauthenticated access to any file
on the device and one vulnerability that allows remote,
unauthenticated users to execute arbitrary code with elevated
privileges. There are workarounds available to mitigate these
vulnerabilities.
> > IMHO; no bug or security issue, just a misunderstanding of the
> > mechanism...
Correct. It is a completely flawed assumption.
In Unix, an open() of a file checks access permissions as
specified in the files inode. If someone wants access control
applied to a file, then he MUST do so using the permission in
the file inode.
Making assumptions about directory search and acces permissions
+----------------------------------------------------
Because of a Microsoft Windows NT Domain authentication issue the Cisco
ASA and Cisco PIX devices may be susceptible to a VPN authentication
bypass vulnerability. Cisco ASA or Cisco PIX security appliances that
are configured for IPSec or SSL-based remote access VPN using Microsoft
Windows NT Domain authentication may be vulnerable. Devices that are
using any other type of external authentication (that is, LDAP, RADIUS,
TACACS+, SDI, or local database) are not affected by this vulnerability.
The following example demonstrates how Windows NT domain authentication
The PIX and ASA security appliances are also affected by a crafted TLS
packet vulnerability that affects devices running certain 7.x software
versions if the software has one or more features configured that cause
TLS sessions to terminate on the PIX or ASA security appliance. These
functions include, but are not limited to, clientless WebVPN, HTTPS
management, cut-through proxy for network access, and TLS proxy for
encrypted voice inspection. Version 6.3.x is not affected. Features that
cause TLS sessions to terminate on the PIX and ASA security appliances
are not enabled by default. For specific affected versions, please refer
to the "Software Versions and Fixes" section.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
ESA-2010-014: RSA, The Security Division of EMC, releases security hot fixes for potential vulnerability in RSA® Access Manager Server under certain conditions.
Security Advisory
Updated August 31, 2010
* Secure Socket Layer Virtual Private Network (SSL VPN)
* When the affected device is configured to accept Cisco Adaptive
Security Device Manager (ASDM) connections
* TLS Proxy for Encrypted Voice Inspection
* Cut-Through Proxy for Network Access when using HTTPS
SSL VPN (or WebVPN) is enabled with the "enable <interface name>"
command in "webvpn" configuration mode. SSL VPN is disabled by default.
The following configuration snippet provides an example of a SSL VPN
configuration.
CSCtc38985 - CCM Coredump on SCCP StationCapabilitiesRes Message with MaxCap Exceeded
CVSS Base Score - 7.8
Access Vector - Network
Access Complexity - Low
Authentication - None
Confidentiality Impact - None
Integrity Impact - None
Availability Impact - Complete
> If the file owner in fact allows writing to it, why should Linux
> prevent that from happening?
Because securing a file by securing directories that lead to it is a
valid and important (and expected) feature of file access semantics.
That said, the user in the example already has access to the file (in
a running process), and would be able to do so again, *if he had
access to a directory where the file was hard-linked*. Pavel
described that the sysadmin checked for that, but even if this worked
Next Page>>
|
