CORE-2008-0125: CitectSCADA ODBC service vulnerability

*Vendor Information, Solutions and Workarounds*

In general process control networks should be physically isolated from
corporate or other publicly accessible data networks as such an isolated
network will limit the exposure of systems with network facing
vulnerabilities only to accidental disruption or potentially malicious
users or systems within the process control network itself.

However, if physical isolation of the process control network is not

KwsPHP (Upload) Remote Code Execution Exploit

/*
 * 
 * Copyright (C) darkfig
 * 
 * This program is free software; you can redistribute it and/or 
 * modify it under the terms of the GNU General Public License 
 * as published by the Free Software Foundation; either version 2 
 * of the License, or (at your option) any later version. 
 * 
 * This program is distributed in the hope that it will be useful, 
 * but WITHOUT ANY WARRANTY; without even the implied warranty of 

Cisco Security Advisory: Cisco IOS Software Data-Link Switching Vulnerability

Advisory ID: cisco-sa-20110928-dlsw

Revision 1.0

For Public Release 2011 September 28 1600 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

Cisco Security Advisory: Cisco IOS Software IPv6 Denial of Service Vulnerability

Advisory ID: cisco-sa-20110928-ipv6

Revision 1.0

For Public Release 2011 September 28 1600 UTC (GMT)

+--------------------------------------------------------------------

Summary
=======

Cisco Security Advisory: Cisco IOS Software IPv6 over MPLS Vulnerabilities

Advisory ID: cisco-sa-20110928-ipv6mpls

Revision 1.0

For Public Release 2011 September 28 1600 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

Cisco Security Advisory: Cisco IOS Software Network Address Translation Vulnerabilities

Advisory ID: cisco-sa-20110928-nat

Revision 1.0

For Public Release 2011 Sep 28 1600 UTC (GMT)

+--------------------------------------------------------------------

Summary
=======

Cisco Security Advisory: Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerabilities

Advisory ID: cisco-sa-20110928-sip

Revision 1.0

For Public Release 2011 September 28 1600 UTC (GMT)

+--------------------------------------------------------------------

Summary
=======

Cisco Security Advisory: Cisco IOS Software IPS and Zone-Based Firewall Vulnerabilities

Advisory ID: cisco-sa-20110928-zbfw

Revision 1.0

For Public Release 2011 September 28 1600 UTC (GMT)

+--------------------------------------------------------------------

Summary
=======

Cisco Security Advisory: Cisco IOS Software IP Service Level Agreement Vulnerability

Advisory ID: cisco-sa-20110928-ipsla

Revision 1.0

For Public Release 2011 September 28 1600 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

Cisco Security Advisory: Cisco IOS Software Smart Install Remote Code Execution Vulnerability

Advisory ID: cisco-sa-20110928-smart-install

Revision 1.0

For Public Release 2011 September 28 1600 UTC (GMT)

+--------------------------------------------------------------------

Summary
=======

Cisco Security Advisory: Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerabilities

Cisco Security Advisory: Cisco IOS Software Session Initiation
Protocol Denial of Service Vulnerabilities

Advisory ID: cisco-sa-20100922-sip

http://www.cisco.com/warp/public/707/cisco-sa-20100922-sip.shtml

Revision 1.0

For Public Release 2010 September 22 1600 UTC (GMT)


Cisco Security Advisory: Cisco IOS SSL VPN Vulnerability

Cisco IOS SSL VPN Vulnerability

Advisory ID: cisco-sa-20100922-sslvpn

http://www.cisco.com/warp/public/707/cisco-sa-20100922-sslvpn.shtml

Revision 1.0

For Public Release 2010 September 22 1600 UTC (GMT)


Cisco Security Advisory: Cisco IOS Software Internet Group Management Protocol Denial of Service Vulnerability

Cisco Security Advisory: Cisco IOS Software Internet Group Management
Protocol Denial of Service Vulnerability

Advisory ID: cisco-sa-20100922-igmp

http://www.cisco.com/warp/public/707/cisco-sa-20100922-igmp.shtml

Revision 1.0

For Public Release 2010 September 22 1600 UTC (GMT)


Cisco Security Advisory: Cisco IOS Software Network Address Translation Vulnerabilities

Cisco Security Advisory: Cisco IOS Software Network Address
Translation Vulnerabilities

Advisory ID: cisco-sa-20100922-nat

http://www.cisco.com/warp/public/707/cisco-sa-20100922-nat.shtml

Revision 1.0

For Public Release 2010 September 22 1600 UTC (GMT)


Cisco Security Advisory: Cisco 10000 Series Denial of Service Vulnerability

Advisory ID: cisco-sa-20110928-c10k

Revision 1.0

For Public Release 2011 September 28 1600 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

CORE-2009-0109 - Multiple XSS in Sun Communications Express

9. *Report Timeline*

. 2009-01-09:
Core Security Technologies notifies Sun Security Coordination Team of
the vulnerability, setting the estimated publication date of the
advisory to Feb 2nd. Technical details are sent to Communications
Express team.

. 2009-01-09:
The vendor acknowledges reception of the report and asks Core to

Cisco Security Advisory: Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerabilities

Advisory ID: cisco-sa-20100324-sip

Revision 1.0

For Public Release 2010 March 24 1600 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

CORE-2009-0803: Virtual PC Hypervisor Memory Protection Vulnerability

Vendor says that it is still investigating the bug and will have more
concrete details in a few days.

. 2009-09-14:
Core Security Technologies acknowledges receipt and says it will be in
touch to coordinate the publication date and the bug details.

. 2009-09-16:
Vendor says that they are still investigating the issue since it is a
very complex one with many dependencies. The vendor confirms the
vulnerability reproduction code is working and that they are assessing

Cisco Security Advisory: Cisco IOS Software NAT Skinny Call Control Protocol Vulnerability

Advisory ID: cisco-sa-20100324-sccp

Revision 1.0

For Public Release 2010 March 24 1600 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

Cisco Security Advisory: Cisco IOS Software IPsec Vulnerability

Advisory ID: cisco-sa-20100324-ipsec

Revision 1.0

For Public Release 2010 March 24 1600 UTC (GMT)

+---------------------------------------------------------------------

Summary
=======

CORE-2008-0129 - Wonderware SuiteLink Denial of Service vulnerability

*Report Timeline*

. 2008-01-30: Initial contact email sent by to Wonderware setting the
estimated publication date of the advisory to February 25th.
. 2008-01-30: Contact email re-sent to Wonderware asking for a software
security contact for Wonderware InTouch.
. 2008-02-06: New email sent to Wonderware asking for a response and for
a software security contact for Wonderware InTouch.
. 2008-02-28: Core makes direct phone calls to Wonderware headquarters

CORE-2008-0126: Multiple vulnerabilities in iCal

. 2008-02-19:
Core indicated that it will split the report in two security advisories.
CORE-2008-0123 will address the vulnerability in iCal server
(CVE-2008-1000) and will be published in coordination with the release
of the vendor's March software update. The publication date for the
second advisory, dealing with the three vulnerabilities in
the iCal client application, will be coordinated for a date after the
March update unless there are clear indications of the vulnerability
being exploited in the wild, in which case if Core considers that the
information provided in the advisory would help end users to decide how

CORE-2007-0817: Remote Command execution, HTML and JavaScript injection vulnerabilities in AOL's Instant Messaging software

is AOL's business-oriented version of AIM targeted for professional use
with an emphasis on "business-grade" security and integration with email
client and other productivity applications
(http://aimpro.premiumservices.aol.com/) AIM Lite, as defined in its
website (http://x.aim.com/laim/), is a reference application used to test
new technology also developed by AOL and available for the public in the
form of a "light IM client".

A vulnerability was discovered in these three popular versions of AOL
Instant Messaging software, AIM 6.1 (and 6.2 beta), AIM Pro and AIM Lite,
which expose workstations running the IM clients and their users to

RE: CORE-2007-0817: Remote Command execution, HTML and JavaScript injection vulnerabilities in AOL's Instant Messaging software

is AOL's business-oriented version of AIM targeted for professional use
with an emphasis on "business-grade" security and integration with email
client and other productivity applications
(http://aimpro.premiumservices.aol.com/) AIM Lite, as defined in its
website (http://x.aim.com/laim/), is a reference application used to test
new technology also developed by AOL and available for the public in the
form of a "light IM client".

A vulnerability was discovered in these three popular versions of AOL
Instant Messaging software, AIM 6.1 (and 6.2 beta), AIM Pro and AIM Lite,
which expose workstations running the IM clients and their users to

[CORE-2010-0825] Apple OS X ATSServer CFF CharStrings INDEX Sign Mismatch

This vulnerability was discovered and researched by Anibal Sacco
[http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=researcher&name=Anibal_Sacco]
and Matias Eissler
[http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=researcher&name=Matias_Eissler],
from Core Security Technologies. Publication was coordinated by Fernando
Russ and Pedro Varangot.


7. *Technical Description*


CORE-2010-1021: IBM WebSphere Application Server Cross-Site Request Forgery

7. *Credits*

This vulnerability was discovered and researched by Francisco Falcon
from Core Security Technologies during Bugweek 2010 [4]. Additional
research was performed by Alejandro Rodriguez. Publication was
coordinated by Carlos Sarraute.


8. *Technical Description / Proof of Concept Code*


CORE-2010-1118: Oracle GlassFish Server Administration Console Authentication Bypass

. 2010-12-06:
Initial notification sent to Oracle.

. 2010-12-07:
Oracle replies that the bug has been forwarded to the product engineers,
and requests Core to postpone the publication of the advisory.

. 2010-12-09:
Core replies that the publication of the advisory can be postponed as
long as Oracle provides a timeline for the release of fixes.


CORE-2011-0106: Microsoft Publisher 2007 Pubconv.dll Memory Corruption

6. *Vendor Information, Solutions and Workarounds*

Contact the vendor for information concerning a fix for this
vulnerability. As a generic mitigation, don't open or paste into the
Publisher program publications from untrusted sources.


7. *Credits*

This vulnerability was discovered and researched by Daniel Kazimirow

CORE-2009-0814: HP Openview NNM 7.53 Invalid DB Error Code vulnerability

and that the third-party vendor has been notified but there isn't a
schedule for fixes yet. HP SSRT indicates that it is sure HP will not
have a solution ready by September 7th.

. 2009-08-27:
Core informs the HP team that the publication was re-scheduled to
September 21st and requests an update to continue coordinating the
release of fixes and publication of the advisory as soon as possible.

. 2009-08-28:
The HP team informs Core that the third party is planning a release on

Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
