obtained
authentication protocol causing the server to generate duplicate
challenges/nonces and an information leak allow an unauthenticated
remote attacker without any kind of credentials to access the SMB
service of the target system under the credentials of an authorized
user. Depending on the privileges of the user, the attacker will be able
to obtain and modify files on the target system and execute arbitrary code.
3. Vulnerable Systems
--------------------
This vulnerability was verified by the authors on the following platforms:
can cause an integer overflow resulting in a denial of service.
CVE-2010-3296
Dan Rosenberg discovered an issue in the cxgb network driver that allows
unprivileged users to obtain the contents of sensitive kernel memory.
CVE-2010-3297
Dan Rosenberg discovered an issue in the eql network driver that allows
local users to obtain the contents of sensitive kernel memory.
Exposures project identifies the following problems:
CVE-2010-3875
Vasiliy Kulikov discovered an issue in the Linux implementation of the
Amateur Radio AX.25 Level 2 protocol. Local users may obtain access to
sensitive kernel memory.
CVE-2011-0695
Jens Kuehnel reported an issue in the InfiniBand stack. Remote attackers can
malicious redirects.
CVE-2010-4075
Dan Rosenberg reported an issue in the tty layer that may allow local
Recommendation:
We strongly recommend that RSA customers should obtain the following hot fixes:
RSA AAOP 6.0.2.1 SP1 Patch 2 customers should obtain Hotfix 430 from SecurCare Online.
RSA AAOP 6.0.2.1 SP1 Patch 3 customers should obtain Hotfix 130 from SecurCare Online.
RSA AAOP 6.0.2.1 SP2 customers should obtain Hotfix 360 from SecurCare Online.
RSA AAOP 6.0.2.1 SP2 Patch 1 customers should obtain Hotfix 140 from SecurCare Online.
than CVE-2010-4164. (CVE-2010-3873)
The bcm_connect function in the Broadcast Manager in the Controller Area
Network (CAN) implementation in the Linux kernel creates a publicly accessible
file with a filename containing a kernel memory address, which allows
local users to obtain potentially sensitive information about kernel
memory use by listing this filename. (CVE-2010-4565)
The install_special_mapping function in mm/mmap.c does not make an
expected security_file_mmap function call, which allows local users
to bypass intended mmap_min_addr restrictions and possibly conduct
that specifies a small value, leading to a divide-by-zero error or
incorrect use of a signed integer. (CVE-2010-4165)
The copy_shmid_to_user function in ipc/shm.c in the Linux kernel
does not initialize a certain structure, which allows local users to
obtain potentially sensitive information from kernel stack memory
via vectors related to the shmctl system call and the old shm
interface. (CVE-2010-4072)
The ipc subsystem in the Linux kernel does not initialize certain
structures, which allows local users to obtain potentially sensitive
Unspecified vulnerability in the Java Runtime Environment (JRE)
in Oracle Java SE and Java for Business 6 Update 23 and earlier,
5.0 Update 27 and earlier, and 1.4.2_29 and earlier allows remote
untrusted Java Web Start applications and untrusted Java applets to
affect integrity via unknown vectors related to Networking. NOTE: the
previous information was obtained from the February 2011 CPU. Oracle
has not commented on claims from a downstream vendor that this issue
involves DNS cache poisoning by untrusted applets. (CVE-2010-4448)
Unspecified vulnerability in the Java Runtime Environment (JRE)
in Oracle Java SE and Java for Business 6 Update 23 and earlier for
file using a URI specified in UNC form and force the local content to
be rendered as an HTML document, which permits running scripting
commands and instantiating certain ActiveX controls.
As a result of a successful attack, security or privacy-sensitive
information can be obtained by an attacker including but not limited to
user authentication credentials for any web application domain, HTTP
cookies, session management data, cached content of web applications in
different domains and any files stored on local filesystems.
The bug is related to a lack of enforcement of security policies
Summary
=======
The Cisco Application Extension Platform contains a privilege escalation
vulnerability in the tech support diagnostic shell that may allow an
authenticated user to obtain administrative access to a vulnerable Cisco
Application Extension Platform module. Cisco has released free software updates
that address this vulnerability. There is no workaround for this vulnerability.
This advisory is posted at:
The Cisco IP Phone Personal Address Book (PAB) Synchronizer feature
of Cisco Unified Communications Manager allows users to keep their
Cisco Unified Communications Manager address book synchronized with
their Microsoft Windows address book. The IP Phone PAB Synchronizer
feature contains a privilege escalation vulnerability that may allow
an attacker to obtain complete administrative access to a vulnerable
Cisco Unified Communications Manager system. After an IP Phone PAB
Synchronizer client successfully authenticates to a Cisco Unified
Communications Manager device over an HTTPS connection, the Cisco
Unified Communications Manager returns credentials for a user account
that is used to manage the Cisco Unified Communications Manager
Recommendation:
We strongly recommend that all customers follow these remediation steps:
RSA AAOP 5.7.x customers should obtain hot fix 110 from RSA SecurCare® Online.
RSA AAOP 6.x customers should obtain hot fix 40 from RSA SecurCare® Online.
RSA AAOP customers who are still on 2.x versions should contact Support for remediation assistance.
WordPress 2+ version and PHP >= 5.0
III. DESCRIPTION
-------------------------
WP-Forum fails to sanitize user-supplied input and is vulnerable to
SQL Injection and Blind SQL Injection. An attacker can obtain any data
from the database, including user logins and passwords of the WordPress
installation, allowing him to obtain access to the application and
gain administration privileges.
For the SQL Injection vulnerability, it is possible to concatenate other
------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
While doing a quick sweep over the code base of FreeWebshop.org (FWS)
several vulnerabilities have been found in FWS. These vulnerabilities
allow attackers to obtain arbitrary information from the webserver and
database. It is even possible to execute arbitrary code with the
privileges of FWS. In some cases it may even be possible to fully
compromise the system on which FWS is installed. Most of these issues
are related to the fact that FWS fully trusts the content of the cookies
that it receives. These issues were discovered within a very small
execute arbitrary code via a crafted application, related to NetX
(CVE-2009-1896).
Some variables and data structures without the final
keyword definition allow context-dependent attackers to
obtain sensitive information. The target variables and
data structures are stated as follows: (1) LayoutQueue, (2)
Cursor.predefined, (3) AccessibleResourceBundle.getContents,
(4) ImageReaderSpi.STANDARD_INPUT_TYPE, (5)
ImageWriterSpi.STANDARD_OUTPUT_TYPE, (6) the imageio plugins, (7)
DnsContext.debug, (8) RmfFileReader/StandardMidiFileWriter.types,
for privileged or unprivileged access, the phone password
parameter must additionally be configured to permit telnet
access. By entering a specially crafted command on a phone
configured to permit unprivileged access, it may be possible for
an unprivileged-level, authenticated user to trigger a buffer
overflow and obtain privileged-level access to the phone. It is
possible to work around this issue by disabling the internal
telnet server on vulnerable phones. This vulnerability is
corrected in SIP firmware version 8.8(0). This vulnerability is
documented in CVE-2008-0529 and Cisco Bug ID
CSCsj78359.
Recommendation:
We strongly recommend that customers who have not already obtained the mentioned patch or a later patch (which contains the Flash Shockwave file) obtain the patch from RSA SecurCare® Online.
Obtaining The Patch:
Privilege Escalation Vulnerability
+---------------------------------
A vulnerability exists in Cisco DMM versions 5.0.x and 5.1.x that could
allow authenticated but unauthorized users to change the configuration
and obtain full access to the device.
This vulnerability is documented in Cisco Bug ID CSCtc46008 and has
been assigned Common Vulnerabilities and Exposures (CVE) identifier
CVE-2010-0571.
fix the CAPTCHA value to a specific value and send that value to the
server as part of every request and gain access to protected
resources.
The Formshield CAPTCHA uses a dynamic key stored in the __VIEWSTATE of
the request and sends encrypted text to the server for obtaining and
displaying new image text in the CAPTCHA on the page every time. There
are 2 problems with this approach:
The encrypted text for a specific image always remains the same
ip access-group 150 in
The white paper entitled "Protecting Your Core: Infrastructure
Protection Access Control Lists" presents guidelines and recommended
deployment techniques for infrastructure protection access lists.
This white paper can be obtained at the following link:
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml
Receive ACLs (rACL)
+------------------
CVSS Temporal Score - 6.4
Exploitability - Functional
Remediation Level - Official-Fix
Report Confidence - Confirmed
* Local Management Users may obtain full admin rights (CSCsv62283)
CVSS Base Score - 9.0
Access Vector - Network
Access Complexity - Low
Authentication - Single
Appliance is located on the About page of the IronPort Encryption
Appliance administration interface.
Note: Customers should contact IronPort support to determine which
software fixes are applicable for their environment. Please consult
the Obtaining Fixed Software section of this advisory for more
information.
Products Confirmed Not Vulnerable
+--------------------------------
to access kernel memory via an out-of-range offset. (CVE-2008-0007)
Integer overflow in the hrtimer_start function in kernel/hrtimer.c
in the Linux kernel before 2.6.23.10 allows local users to execute
arbitrary code or cause a denial of service (panic) via a large
relative timeout value. NOTE: some of these details are obtained from
third party information. (CVE-2007-5966)
The shmem_getpage function (mm/shmem.c) in Linux kernel 2.6.11
through 2.6.23 does not properly clear allocated memory in some
rare circumstances related to tmpfs, which might allow local
listens on, it may be possible to bypass authentication checks and
gain read-only access to information about a CUCM cluster. The
information available includes performance statistics, user names,
and configured IP phones. This information may be used to mount
further attacks. No passwords or other sensitive CUCM configuration
may be obtained via this vulnerability. No CUCM configuration changes
can be made.
There is no workaround for this vulnerability. This vulnerability is
fixed in CUCM versions 4.2(3)SR4, 4.3(2)SR1, 5.1(3), and 6.1(1). For
CUCM 4.x versions, this vulnerability is documented in Cisco Bug ID
* Copying a system backup to a remote, user-specified server
* Restoring a user-specified configuration from a remote server
* Executing arbitrary operating system commands
An attacker could exploit this vulnerability to cause a denial of
service condition, obtain sensitive configuration information,
overwrite configuration parameters, or execute arbitrary commands
with full administrative privileges.
This vulnerability is documented in CVE-2008-1154 and the following
Cisco Bug IDs:
Summary
=======
A vulnerability exists in the Cisco Network Admission Control (NAC)
Appliance that can allow an attacker to obtain the shared secret that
is used between the Cisco Clean Access Server (CAS) and the Cisco Clean
Access Manager (CAM).
Cisco has released free software updates that address this
vulnerability.
Background
Bytehoard is a web application written in PHP that serves as a file
storage and sharing system.
It has two levels of security, a user level and an admin level. Login is
required but it can be configured to allow anyone to obtain a user level
account if desired.
Summary
Refer to the Managing User Accounts chapter of the Cisco Wireless Control
System Configuration Guide for more information about changing administrative
accounts.
Obtaining Fixed Software
========================
Cisco will make free software available to address this vulnerability for
affected customers. This advisory will be updated as fixed software becomes
available. Prior to deploying software, customers should consult their
applications from your desktop to your device.
A vulnerability has been discovered in the mechanism that Microsoft
uses to obfuscate the password when it's sent over the USB network
interface between the device and the host machine. This enables malicious
software on the host to either impersonate a device in order to obtain
the current password or, if in a position to sniff network traffic, obtain
the password for trivial decoding.
Details: