Security Appliances and Cisco PIX Security Appliances that may result
in a reload of the device or disclosure of confidential information.
This security advisory outlines details of the following
vulnerabilities:
* Erroneous SIP Processing Vulnerabilities
* IPSec Client Authentication Processing Vulnerability
* SSL VPN Memory Leak Vulnerability
* URI Processing Error Vulnerability in SSL VPNs
* Potential Information Disclosure in Clientless VPNs
Multiple vulnerabilities exist in the Session Initiation Protocol
(SIP) implementation in Cisco IOS Software and Cisco IOS XE Software
that could allow an unauthenticated, remote attacker to cause a
reload of an affected device or trigger memory leaks that may result
in system instabilities. Affected devices would need to be configured
to process SIP messages for these vulnerabilities to be exploitable.
Cisco has released free software updates that address these
vulnerabilities. There are no workarounds for devices that must run
SIP; however, mitigations are available to limit exposure to the
vulnerabilities.
Vulnerable Products
+------------------
Cisco devices running affected Cisco IOS Software versions that are
configured to process SIP messages are affected.
Recent versions of Cisco IOS Software do not process SIP messages by
default. Creating a dial peer by issuing the command "dial-peer voice"
will start the SIP processes, causing the Cisco IOS device to process
SIP messages. In addition, several features within Cisco Unified
Vulnerable Products
+------------------
Cisco devices running affected Cisco IOS Software versions that are
configured to process SIP messages with the Cisco Unified Border
Element feature are affected. Cisco IOS devices that are not
configured for SIP and Cisco Unified Border Element feature are not
affected by this vulnerability.
Note: Cisco Unified Border Element feature (previously known as the
Vulnerable Products
+------------------
Cisco devices running affected Cisco IOS versions that may
process SIP messages are affected. The only requirement for these
vulnerabilities is that the Cisco IOS device processes SIP messages
as part of configured voice over IP (VoIP) functionality (this does
not apply to processing of SIP messages as part of the NAT and
firewall feature sets). Recent versions of Cisco IOS do not process
SIP messages by default, but creating a "dial peer" via the command
Dan Yefimov wrote:
> > > The signal in question in the given situation is issued by PRIVILEGED process,
> > > no matter how.
> >
> > And that's the bug,
>
> The case we consider is of course a bug. But generally privileged process
> sending a signal to another privileged process is of course not a bug.
Vulnerable Products
+------------------
Cisco devices are affected when they are running affected Cisco IOS
Software versions that are configured to process SIP messages.
Recent versions of Cisco IOS Software do not process SIP messages by
default. Creating a dial peer by issuing the dial-peer voice command
will start the SIP processes, causing the Cisco IOS device to process
SIP messages. In addition, several features within Cisco Unified
VENDOR SOFTWARE DESCRIPTION:
---------------
SUPERAntiSpyware is the most thorough scanner on the market. Our
Multi-Dimensional Scanning and Process Interrogation Technology will
detect spyware that other products miss! SUPERAntiSpyware will remove
ALL the Spyware, NOT just the easy ones!
Super Ad Blocker™ is the first ad-blocker designed to block all new
forms of advertising! Blocks all Rich Media, Flash, pop-ups,
emulator based on the QEMU emulator [4]. Public reports as of February
27th, 2008 state that the Android SDK has been downloaded 750,000 times
since November 2007 [5].
Several vulnerabilities have been found in Android's core libraries for
processing graphic content in some of the most used image formats (PNG,
GIF and BMP). While some of these vulnerabilities stem from the use of
outdated and vulnerable open source image processing libraries, others
were introduced by native Android code that uses those libraries or
that implements new functionality.
On Tue, 14 Aug 2007, Wojciech Purczynski wrote:
>
> ===[ ABSTRACT ]=========================================================
>
> An unprivileged local user may send arbitrary signals to a child process
> despite security restrictions.
>
>
> ===[ AFFECTED SOFTWARE ]================================================
>
On Thu, 16 Aug 2007, Glynn Clements wrote:
> > The signal in question in the given situation is issued by PRIVILEGED process,
> > no matter how.
>
> And that's the bug,
The case we consider is of course a bug. But generally a privileged process
sending a signal to another privileged process is of course not a bug.
Yes, the user toggles a signal that a privileged process sends to another one,
Dan Yefimov wrote:
> > > If setuid program just
> > > trusts the environment in that it doesn't properly handle or block signals
> > > whose default action is terminating the process and doesn't perform its
> > > actions in a fail-safe manner, it is certainly broken. Setuid program must
> > > always be careful in signal handling and data processing.
> >
> > Ordinarily, a process can assume that certain signals (those which can
> > only be generated by kill()) can only be received as a result of an
applied or with any client-side bug for which a fix has not been
developed after dismissing the bug as not exploitable or of low
priority. The vulnerability does not seem usable to escape from a
virtualized OS (guest) to execute code in the context of the
non-virtualized OS (host). Use of the vulnerability to implement covert
inter-process communications within the virtualized OS, or to establish
inter-VM communication, has not been researched in full but is deemed
possible.
4. *Vulnerable packages*
denies access. It takes N + M milliseconds to realize the operation.
5. You got it. If you can measure the number of milliseconds it takes for the system to reply on a
real login you are aware of (Administrator, root, ...) then you can predict other real logins by
discarding all the attempts that ran only ~(N) milliseconds as you are only looking for attempts
that took ~(N + M) milliseconds to be processed.
There is a security advisory published in 2003 by Marco Ivaldi detailing exactly this kind of flaw
against SSH [1].
More recently, also about SSH, Dawn Xiaodong Song, David Wagner and Xuqing Tian wrote an interesting
advisory.
Details
=======
Cisco Unified Communications Manager is the call processing component
of the Cisco IP Telephony solution that extends enterprise telephony
features and functions to packet telephony network devices such as IP
phones, media processing devices, VoIP gateways, and multimedia
applications.
. Contact the vendor for fixed versions of the product.
*Vendor Information, Solutions and Workarounds*
In general, process control networks should be physically isolated from
corporate or other publicly accessible data networks. Such an isolated
network limits the exposure of systems with network-facing
vulnerabilities to accidental disruption, or to potentially malicious
users or systems, within the process control network itself.
===[ ABSTRACT ]=========================================================
An unprivileged local user may send arbitrary signals to a child process
despite security restrictions.
===[ AFFECTED SOFTWARE ]================================================
Linux 2.6
be affected by these vulnerabilities.
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01114023
Version: 1
HPSBMA02244 SSRT061260 rev.1 - HP OpenView Business Process Insight and Related Products Running Shared Trace Service, Remote Arbitrary Code Execution
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2007-08-07
Last Updated: 2007-08-07
are not correctly handled when applying file handling rules or access
restrictions. By abusing these flaws, an attacker can bypass security
options implemented in the web server. For instance, 'file.shtml' will
become 'FILE~1.SHT'. This causes the file to be handled as a '.sht'
file, not a '.shtml' file. As a result, instead of processing SSI
directives as would normally be the case with a '.shtml' file, the
file is served unprocessed. Additionally, Nginx does not correctly
handle extraneous spaces after file extensions when applying
preprocessing rules or access restrictions.
. Cherokee Web Server [2]. On Cherokee Web Server for Windows, short
A vulnerability exists in the Cisco IOS software implementation of
Layer 2 Tunneling Protocol (L2TP), which affects limited Cisco IOS
software releases.
Several features enable the L2TP mgmt daemon process within Cisco IOS
software, including but not limited to Layer 2 virtual private
networks (L2VPN), Layer 2 Tunnel Protocol Version 3 (L2TPv3), Stack
Group Bidding Protocol (SGBP) and Cisco Virtual Private Dial-Up
Networks (VPDN). Once this process is enabled the device is
vulnerable.
Summary
=======
Cisco Unified Communications Manager contains a memory leak
vulnerability that could be triggered through the processing of
malformed Session Initiation Protocol (SIP) messages. Exploitation of
this vulnerability could cause an interruption of voice services.
Cisco has released free software updates for supported Cisco Unified
Communications Manager versions to address the vulnerability. A
workaround exists for this SIP vulnerability.
Cisco IOS Software contains two vulnerabilities related to Cisco IOS
Intrusion Prevention System (IPS) and Cisco IOS Zone-Based Firewall
features. These vulnerabilities are:
* Memory leak in Cisco IOS Software
* Cisco IOS Software Denial of Service when processing specially
crafted HTTP packets
Cisco has released free software updates that address these
vulnerabilities.
* Cisco IOS User Datagram Protocol Delivery Issue For IPv4/IPv6
Dual-stack Routers
http://www.cisco.com/warp/public/707/cisco-sa-20080326-IPv4IPv6.shtml
* Vulnerability in Cisco IOS with OSPF, MPLS VPN, and Supervisor
32, Supervisor 720, or Route Switch Processor 720
http://www.cisco.com/warp/public/707/cisco-sa-20080326-queue.shtml
* Cisco IOS Multicast Virtual Private Network (MVPN) Data Leak
http://www.cisco.com/warp/public/707/cisco-sa-20080326-mvpn.shtml
------------------------------------------------------------------------
The following functions are affected by these issues:
Evolution plugin:
* processTnef()
* saveVCard()
* saveVCalendar()
* saveVTask()
yTNEF:
Details:
PHP uses the following macro on the first usage of rand() or
mt_rand() within a PHP process to seed the different random
number generators.
#ifdef PHP_WIN32
#define GENERATE_SEED() ((long) (time(0) * GetCurrentProcessId() \
* 1000000 * php_combined_lcg(TSRMLS_C)))
Summary
=======
Cisco Unified Communications Manager contains two denial of service
(DoS) vulnerabilities that affect the processing of Session
Initiation Protocol (SIP) messages. Exploitation of these
vulnerabilities could cause an interruption of voice services.
To address these vulnerabilities, Cisco has released free software
updates. There is a workaround for these vulnerabilities.
IMPACT
------
The vulnerability described in this document could hypothetically be
exploited by unprivileged code running in a VMware virtual machine
(guest) in order to execute code in the host VMX process, thereby
breaking out of the virtual machine; however, such exploitation has
not been proven. In the event that arbitrary code execution in the
VMX process is possible, kernel privileges can be obtained on a
Windows host by abusing the VMX process's special access to a VMware
driver, meaning the maximum possible impact of this vulnerability is
issues. Contact SAP for further information.
Martin Gallo proposed the following actions to mitigate the impact of
the vulnerabilities:
1. Disable work processes' Developer Traces for the 'Dialog
Processing' component (for the vulnerabilities [CVE-2011-1516],
[CVE-2011-1517], [CVE-2012-2511] and [CVE-2012-2512]).
2. Restrict access to the Dispatcher service's TCP ports (3200/3299)
(for all vulnerabilities).
3. Restrict access to the work process management transactions
Summary
=======
Cisco Media Experience Engine (MXE) 5600 devices that are running
Cisco Media Processing Software releases prior to 1.2 ship with a
root administrator account that is enabled by default with a default
password. An unauthorized user could use this account to modify the
software configuration and operating system settings or gain complete
administrative control of the device. A software upgrade is not
required to resolve this vulnerability. Customers can change the root