Apr 25, 2017

CVEs for the week of 4/10 ... High Vulnerabilities

Phew, the week of 4/17 is out as well, but I haven't caught up.

Primary Vendor -- Product
Description
Published
CVSS Score
Source & Patch Info
amazon -- fire_os
Stack-based buffer overflow in the havok_write function in drivers/staging/havok/havok.c in Amazon Fire OS before 2016-01-15 allows attackers to cause a denial of service (panic) or possibly have unspecified other impact via a long string to /dev/hv.

2017-04-09
atlassian -- jira
The JIRA Workflow Designer Plugin in Atlassian JIRA Server before 6.3.0 improperly uses an XML parser and deserializer, which allows remote attackers to execute arbitrary code, read arbitrary files, or cause a denial of service via a crafted serialized Java object.

2017-04-10
axis -- axis_communications_firmware
AXIS Communications products with firmware through 5.80.x allow remote attackers to modify arbitrary files as root via vectors involving Open Script Editor, aka a "resource injection vulnerability."

2017-04-09
botan_project -- botan
botan before 1.11.22 improperly validates certificate paths, which allows remote attackers to cause a denial of service (infinite loop and memory consumption) via a certificate with a loop in the certificate chain.
2017-04-10
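The path-validation bug above is a walk that never terminates when the chain loops back on itself. The following is an added example, not Botan's code: certificates are reduced to (subject, issuer) name pairs, signatures and validity periods are out of scope, and MAX_PATH_LEN is an assumed bound. It shows the two checks a path builder needs so that a peer-supplied chain with a cycle is rejected instead of spinning.

```python
"""Certificate path building that refuses a looped chain.

Added example, not Botan's code. Certificates are modelled as (subject,
issuer) name pairs only; signature and validity checks are out of scope.
MAX_PATH_LEN is an assumed limit.
"""
from __future__ import annotations

from dataclasses import dataclass

MAX_PATH_LEN = 8  # assumed bound on path length; real validators make this configurable


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


class PathError(Exception):
    """Raised when no valid path to a trust anchor can be built."""


def build_path(leaf: Cert, pool: dict[str, Cert], trusted: set[str]) -> list[Cert]:
    """Follow issuer links from `leaf` until a certificate issued by a trust anchor is reached.

    `pool` maps subject name -> certificate sent by the peer (untrusted input).
    `trusted` holds the subject names of the local trust anchors.
    Every subject already on the path is remembered, so a chain whose issuer
    points back at an earlier certificate fails instead of looping; the length
    bound catches the remaining degenerate case of a long chain of distinct
    names that never reaches an anchor.
    """
    path = [leaf]
    seen = {leaf.subject}
    cur = leaf
    while cur.issuer not in trusted:
        if cur.self_signed:
            raise PathError(f"untrusted self-signed certificate {cur.subject!r}")
        if len(path) >= MAX_PATH_LEN:
            raise PathError("path length limit exceeded")
        nxt = pool.get(cur.issuer)
        if nxt is None:
            raise PathError(f"issuer {cur.issuer!r} not found")
        if nxt.subject in seen:
            raise PathError(f"loop in certificate chain at {nxt.subject!r}")
        seen.add(nxt.subject)
        path.append(nxt)
        cur = nxt
    return path


# Constructed inputs: a normal chain, and a chain whose two intermediates issue each other.
GOOD_POOL = {
    "www.example.test": Cert("www.example.test", "Intermediate CA"),
    "Intermediate CA": Cert("Intermediate CA", "Root CA"),
}
LOOPED_POOL = {
    "www.example.test": Cert("www.example.test", "CA A"),
    "CA A": Cert("CA A", "CA B"),
    "CA B": Cert("CA B", "CA A"),
}
TRUST_ANCHORS = {"Root CA"}

if __name__ == "__main__":
    print([c.subject for c in build_path(GOOD_POOL["www.example.test"], GOOD_POOL, TRUST_ANCHORS)])
    try:
        build_path(LOOPED_POOL["www.example.test"], LOOPED_POOL, TRUST_ANCHORS)
    except PathError as err:
        print("rejected:", err)
```

The `seen` set is what turns the infinite loop into an error; the length bound alone would also terminate, but only after burning the full allowance, and it says nothing useful about why the chain failed.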
botan_project -- botan
botan 1.11.x before 1.11.22 improperly handles wildcard matching against hostnames, which might allow remote attackers to have unspecified impact via a valid X.509 certificate, as demonstrated by accepting *.example.com as a match for bar.foo.example.com.
2017-04-10
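The wildcard bug above is a suffix match where a single-label match was required. As an added example, not Botan's code, here is the over-permissive check next to one that follows the RFC 6125 rules: the wildcard must be the entire left-most label, it matches exactly one label, and at least two labels must follow it.

```python
"""Wildcard hostname matching: the over-permissive check beside the RFC 6125 one.

Added example, not Botan's code. It models the bug class only: a wildcard in
the left-most label must match exactly one DNS label, never a dotted suffix.
"""


def match_wildcard_loose(pattern: str, hostname: str) -> bool:
    """Over-permissive: '*.example.com' is treated as a suffix match, so
    'bar.foo.example.com' is accepted. This is the behaviour to avoid."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # ".example.com"
    return hostname.endswith(suffix) and len(hostname) > len(suffix)


def match_wildcard_strict(pattern: str, hostname: str) -> bool:
    """RFC 6125 section 6.4.3 style matching:
    - the wildcard must be the whole left-most label ('*.example.com');
    - it matches exactly one label, so 'bar.foo.example.com' does not match;
    - at least two labels must follow the wildcard ('*.com' is rejected);
    - a wildcard anywhere else ('f*.example.com') is rejected.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]):
        return False  # wildcard must be the entire first label and nowhere else
    if len(p_labels) < 3:
        return False  # '*.com' would cover a whole TLD
    if len(h_labels) != len(p_labels):
        return False  # one label per wildcard, never a dotted prefix
    if not h_labels[0]:
        return False  # empty leading label
    return h_labels[1:] == p_labels[1:]


if __name__ == "__main__":
    for fn in (match_wildcard_loose, match_wildcard_strict):
        print(fn.__name__, fn("*.example.com", "bar.foo.example.com"))
```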
botan_project -- botan
The Curve25519 code in botan before 1.11.31, on systems without a native 128-bit integer type, might allow attackers to have unspecified impact via vectors related to undefined behavior, as demonstrated on 32-bit ARM systems compiled by Clang.

2017-04-10
cisco -- aironet_access_point
A vulnerability in login authentication management in Cisco Aironet 1800, 2800, and 3800 Series Access Point platforms could allow an authenticated, local attacker to gain unrestricted root access to the underlying Linux operating system. The root Linux shell is provided for advanced troubleshooting and should not be available to individual users, even those with root privileges. The attacker must have the root password to exploit this vulnerability. More Information: CSCvb13893. Known Affected Releases: 8.2(121.0) 8.3(102.0). Known Fixed Releases: 8.4(1.53) 8.4(1.52) 8.3(111.0) 8.3(104.23) 8.2(130.0) 8.2(124.1).

"Even though the root Linux shell is provided for troubleshooting, it should not be made available to individual users, even those with root privileges. (To exploit this) the attacker must know the root password."
Enforce ID management within one's own organization; where operations are outsourced, monitor root work, I suppose.
According to BID there is an update, so applying it should do.

2017-04-07
cisco -- firepower_extensible_operating_system
A vulnerability in the local-mgmt CLI command of the Cisco Unified Computing System (UCS) Manager, Cisco Firepower 4100 Series Next-Generation Firewall (NGFW), and Cisco Firepower 9300 Security Appliance could allow an authenticated, local attacker to perform a command injection attack. More Information: CSCvb61394 CSCvb86816. Known Affected Releases: 2.0(1.68) 3.1(1k)A. Known Fixed Releases: 92.2(1.101) 92.1(1.1658) 2.0(1.115).
2017-04-07
cisco -- firepower_extensible_operating_system
A vulnerability in the debug plug-in functionality of the Cisco Unified Computing System (UCS) Manager, Cisco Firepower 4100 Series Next-Generation Firewall (NGFW), and Cisco Firepower 9300 Security Appliance could allow an authenticated, local attacker to execute arbitrary commands, aka Privilege Escalation. More Information: CSCvb86725 CSCvb86797. Known Affected Releases: 2.0(1.68) 3.1(1k)A. Known Fixed Releases: 92.2(1.105) 92.1(1.1733) 2.1(1.69).
2017-04-07
cisco -- firepower_extensible_operating_system
A vulnerability in the CLI of the Cisco Unified Computing System (UCS) Manager, Cisco Firepower 4100 Series Next-Generation Firewall (NGFW), and Cisco Firepower 9300 Security Appliance could allow an authenticated, local attacker to perform a command injection attack. More Information: CSCvb61351 CSCvb61637. Known Affected Releases: 2.0(1.68) 3.1(1k)A. Known Fixed Releases: 92.2(1.101) 92.1(1.1645) 2.0(1.82) 1.1(4.136).
2017-04-07
cisco -- firepower_management_center
A vulnerability in the detection engine reassembly of Secure Sockets Layer (SSL) packets for Cisco Firepower System Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition because the Snort process consumes a high level of CPU resources. Affected Products: This vulnerability affects Cisco Firepower System Software running software releases 6.0.0, 6.1.0, 6.2.0, or 6.2.1 when the device is configured with an SSL policy that has at least one rule specifying traffic decryption. More Information: CSCvc58563. Known Affected Releases: 6.0.0 6.1.0 6.2.0 6.2.1.
2017-04-07
cisco -- mobility_services_engine
A vulnerability in the CLI command parser of the Cisco Mobility Express 2800 and 3800 Series Wireless LAN Controllers could allow an authenticated, local attacker to obtain access to the underlying operating system shell with root-level privileges. More Information: CSCvb70351. Known Affected Releases: 8.3(102.0).
2017-04-07
cloudviewnms -- cloudview_nms
CloudView NMS before 2.10a has a format string issue exploitable over SNMP.

Ref.
  CloudView NMS: Network Management, Monitoring and SCADA Solution
2017-04-09
dataprobe -- ibootbar_firmware
Dataprobe iBootBar (with 2007-09-20 and possibly later released firmware) allows remote attackers to bypass authentication, and conduct power-cycle attacks on connected devices, via a DCRABBIT cookie.

2017-04-07
dataprobe -- ibootbar_firmware
Dataprobe iBootBar (with 2007-09-20 and possibly later beta firmware) allows remote attackers to bypass authentication, and conduct power-cycle attacks on connected devices, via a DCCOOKIE cookie.
2017-04-07
dell -- integrated_remote_access_controller_firmware
Dell Integrated Remote Access Controller (iDRAC) 7/8 before 2.21.21.21 has a format string issue in racadm getsystinfo.

There is an update, so just apply it.
As a fallback, the ID management and work monitoring mentioned above, I suppose.
2017-04-09
dell -- integrated_remote_access_controller_firmware
Dell Integrated Remote Access Controller (iDRAC) 6 before 2.80 and 7/8 before 2.21.21.21 allows attackers to cause a denial of service (buffer overflow) or possibly have unspecified other impact via a long SSH username or input.
2017-04-09
dell -- integrated_remote_access_controller_firmware
Dell Integrated Remote Access Controller (iDRAC) 7/8 before 2.21.21.21 has XXE.
2017-04-09
gnu -- binutils
elflink.c in the Binary File Descriptor (BFD) library (aka libbfd), as distributed in GNU Binutils 2.28, has a "member access within null pointer" undefined behavior issue, which might allow remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via an "int main() {return 0;}" program.
2017-04-09
google -- android
A remote code execution vulnerability in libavc in Mediaserver could enable an attacker using a specially crafted file to cause memory corruption during media file and data processing. This issue is rated as Critical due to the possibility of remote code execution within the context of the Mediaserver process. Product: Android. Versions: 6.0, 6.0.1, 7.0, 7.1.1. Android ID: A-33641588.
2017-04-07
google -- android
Other code execution with the privileges of the Mediaserver process as well.
CVSS Score is 9.3 for all of them.
Affected Android versions: 4.4.4, 5.0.2, 5.1.1, 6.0, 6.0.1, 7.0, 7.1.1 (individual CVEs are in some cases limited to a subset of these versions).
2017-04-07
google -- android
Also arbitrary code execution in CameraBase (CVE-2017-0544), Audioserver (CVE-2017-0545), SurfaceFlinger (CVE-2017-0546), etc.; details omitted.
2017-04-07
google -- android
Remote DoS in libskia (CVE-2017-0548) and libavc (CVE-2017-0549, CVE-2017-0550, CVE-2017-0551, CVE-2017-0552) in Mediaserver
2017-04-07

gynoii -- gcw-1010
Gynoii has a password of guest for the backdoor guest account and a password of 12345 for the backdoor admin account.
2017-04-09
ibaby -- m3s_baby_monitor_firmware
iBaby M3S has a password of admin for the backdoor admin account.
2017-04-09
lens_laboratories -- peek-a-view_firmware
Lens Peek-a-View has a password of 2601hx for the backdoor admin account, a password of user for the backdoor user account, and a password of guest for the backdoor guest account.
2017-04-09
linux -- linux_kernel
An elevation of privilege vulnerability in the Qualcomm audio driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-33353700. References: QC-CR#1104067.
2017-04-07
linux -- linux_kernel
An elevation of privilege vulnerability in the Qualcomm Seemp driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as High because it first requires compromising a privileged process. Product: Android. Versions: Kernel-3.18. Android ID: A-33353601. References: QC-CR#1102288.
2017-04-07
linux -- linux_kernel
A remote code execution vulnerability in the Broadcom Wi-Fi firmware could enable a remote attacker to execute arbitrary code within the context of the Wi-Fi SoC. This issue is rated as Critical due to the possibility of remote code execution in the context of the Wi-Fi SoC. Product: Android. Versions: Kernel-3.10, Kernel-3.18. Android ID: A-34199105. References: B-RB#110814.

There is also a High-rated vulnerability, score 7.6, concerning the Broadcom Wi-Fi driver.
2017-04-07
linux -- linux_kernel
An elevation of privilege vulnerability in the HTC touchscreen driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device. Product: Android. Versions: Kernel-3.10. Android ID: A-32089409.

Another permanent device compromise, CVE-2017-0564, also scores 9.3.
2017-04-07
linux -- linux_kernel
Plenty more besides. A partial excerpt:
An elevation of privilege vulnerability
in the Qualcomm Wi-Fi driver (CVE-2017-0575)
in the Qualcomm crypto engine driver (CVE-2017-0576)
in the HTC touchscreen driver (CVE-2017-0577)
in the Qualcomm video driver (CVE-2017-0579)
in the Synaptics Touchscreen driver (CVE-2017-0580)
in the Synaptics Touchscreen driver (CVE-2017-0581)
in the HTC OEM fastboot command (CVE-2017-0582)
in the Qualcomm CP access driver (CVE-2017-0583)
...
crypto/ahash.c in the Linux kernel through 4.10.9 allows attackers to cause a DoS (CVE-2017-7618)
2017-04-07
news_system_project -- news_system
SQL injection vulnerability in NewsController.php in the News module 5.3.2 and earlier for TYPO3 allows unauthenticated users to execute arbitrary SQL commands via vectors involving overwriteDemand for order and OrderByAllowed.
2017-04-07
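The vector above (request-controlled ordering text ending up in the query) is the classic ORDER BY injection: the ordering position cannot be bound as a parameter, so the only safe approach is an allowlist. The following is an added example, not the TYPO3 News extension's code; the table, column names and the shape of the order parameter are assumptions, and sqlite3 stands in for the real database. It shows the concatenating builder next to the allowlisting one, and a blind probe that the unsafe builder lets through.

```python
"""ORDER BY built from request input: the concatenation beside an allowlist.

Added example, not the TYPO3 News extension's code. Table, column names and
the order-parameter shape are assumptions used to show the bug class; sqlite3
stands in for the real database.
"""
from __future__ import annotations

import sqlite3

ALLOWED_ORDER_FIELDS = {"uid", "title", "datetime"}  # assumed allowlist
ALLOWED_DIRECTIONS = {"asc", "desc"}


def order_clause_unsafe(order: str) -> str:
    """Vulnerable: request-controlled text pasted straight into the SQL."""
    return "ORDER BY " + order


def order_clause_safe(order: str) -> str:
    """Accept only '<field>' or '<field> <asc|desc>' from a fixed allowlist.
    Expressions, sub-selects and unknown columns are all rejected."""
    parts = order.strip().split()
    if not 1 <= len(parts) <= 2:
        raise ValueError("bad order specification")
    field = parts[0].lower()
    direction = parts[1].lower() if len(parts) == 2 else "asc"
    if field not in ALLOWED_ORDER_FIELDS or direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"order field/direction not allowed: {order!r}")
    return f"ORDER BY {field} {direction.upper()}"


def list_news_uids(conn: sqlite3.Connection, order: str, clause_builder) -> list[int]:
    """Public listing: only non-hidden records, ordered as the request asks."""
    sql = "SELECT uid FROM news WHERE hidden = 0 " + clause_builder(order)
    return [row[0] for row in conn.execute(sql)]


def make_db() -> sqlite3.Connection:
    """Constructed data: two visible records and one hidden draft."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE news (uid INTEGER PRIMARY KEY, title TEXT, datetime INTEGER, hidden INTEGER);
        INSERT INTO news VALUES (1, 'first public', 100, 0);
        INSERT INTO news VALUES (2, 'secret draft', 200, 1);
        INSERT INTO news VALUES (3, 'second public', 300, 0);
        """
    )
    return conn


# Blind probe: the sort order leaks whether a hidden record exists.
# Condition true -> rows come back as [3, 1]; false -> [1, 3].
PROBE = ("(CASE WHEN (SELECT count(*) FROM news WHERE hidden = 1) > 0 "
         "THEN uid ELSE -uid END) DESC")

if __name__ == "__main__":
    db = make_db()
    print("unsafe:", list_news_uids(db, PROBE, order_clause_unsafe))
    try:
        list_news_uids(db, PROBE, order_clause_safe)
    except ValueError as err:
        print("safe:", err)
```

Quoting or escaping does not help here, since the injected text is an SQL expression, not a string literal; mapping the request value onto a fixed set of column names is the fix.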
ninka_project -- ninka
Ninka before 1.3.2 might allow remote attackers to obtain sensitive information, manipulate license compliance scan results, or cause a denial of service (process hang) via a crafted filename.
2017-04-10
osram -- lightify_home
OSRAM SYLVANIA Osram Lightify Home before 2016-07-26 allows remote attackers to execute arbitrary commands via TCP port 4000.

Apparently the app lets you choose the brightness and color you like. Besides a wake-up alarm, the feature that "turns the lights on and off while you are away, as if the owner were home" is unique.
2017-04-09
philips -- in.sight_b120/37
Philips In.Sight B120/37 has a password of b120root for the backdoor root account, a password of /ADMIN/ for the backdoor admin account, a password of merlin for the backdoor mg3500 account, a password of M100-4674448 for the backdoor user account, and a password of M100-4674448 for the backdoor admin account.

2017-04-09
proxygen_project -- proxygen
The SPDY/2 codec in Facebook Proxygen before 2015-11-09 truncates a certain field to two bytes, which allows hijacking and injection attacks.

2017-04-09
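A length that is silently truncated to two bytes means the decoder and encoder disagree about where a field ends, and the remainder of an attacker-controlled field gets parsed as new fields. The following is an added example, not Proxygen's code, and the framing is a simplified stand-in for SPDY/2's 16-bit name/value lengths rather than the real wire format. It shows the wrapping encoder, the checked encoder, and a constructed header value whose tail is read back as an injected header.

```python
"""Length-field truncation in a length-prefixed header block.

Added example, not Proxygen's code; the framing is a simplified stand-in for
SPDY/2's 16-bit name/value lengths, not the real wire format. It shows the
bug class: when an encoder writes a length that does not fit the field, the
decoder re-synchronises inside the value and reads attacker-controlled bytes
as extra headers.
"""
import struct

U16 = struct.Struct(">H")


def encode_block_truncating(headers):
    """Buggy encoder: every length is masked to 16 bits. A 65536-byte value is
    announced with length 0 and its bytes follow the length unannounced."""
    out = [U16.pack(len(headers) & 0xFFFF)]
    for name, value in headers:
        for field in (name, value):
            out.append(U16.pack(len(field) & 0xFFFF))
            out.append(field)
    return b"".join(out)


def encode_block_checked(headers):
    """Fixed encoder: refuse anything that does not fit the length field."""
    if len(headers) > 0xFFFF:
        raise ValueError("too many headers for a 16-bit count")
    out = [U16.pack(len(headers))]
    for name, value in headers:
        for field in (name, value):
            if len(field) > 0xFFFF:
                raise ValueError("header field exceeds 16-bit length")
            out.append(U16.pack(len(field)))
            out.append(field)
    return b"".join(out)


def decode_block(buf):
    """Straightforward decoder that trusts the length prefixes.
    Returns (list of (name, value) byte pairs, bytes consumed)."""
    pos = 0
    (count,) = U16.unpack_from(buf, pos)
    pos += 2
    headers = []
    for _ in range(count):
        fields = []
        for _ in range(2):
            (n,) = U16.unpack_from(buf, pos)
            pos += 2
            if pos + n > len(buf):
                raise ValueError("truncated header block")
            fields.append(buf[pos:pos + n])
            pos += n
        headers.append((fields[0], fields[1]))
    return headers, pos


def smuggled_value():
    """Constructed attacker-controlled value, exactly 65536 bytes, whose first
    bytes spell out a complete extra name/value pair."""
    inj = U16.pack(10) + b"x-injected" + U16.pack(4) + b"evil"
    return inj + b"A" * (65536 - len(inj))


def demo():
    """Two legitimate headers go in; the decoder sees the injected one instead
    of 'user-agent', because the 0-length 'cookie' value left the decoder
    positioned at the start of the oversized value."""
    headers = [(b"cookie", smuggled_value()), (b"user-agent", b"legit")]
    seen, _ = decode_block(encode_block_truncating(headers))
    return seen


if __name__ == "__main__":
    print(demo())
```

The decoder is not at fault here; it does exactly what the bytes say. The checked encoder fails closed instead of emitting a block that a correct decoder will misread.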
schneider-electric -- conext_combox_865-1058_firmware
An issue was discovered in Schneider Electric Conext ComBox, model 865-1058, all firmware versions prior to V3.03 BN 830. A series of rapid requests to the device may cause it to reboot.
2017-04-07
sierrawireless -- aleos_firmware
Sierra Wireless GX 440 devices with ALEOS firmware 4.3.2 have weak passwords for admin, rauser, sconsole, and user.
2017-04-09
sierrawireless -- aleos_firmware
Sierra Wireless GX 440 devices with ALEOS firmware 4.3.2 allow Hayes AT command injection.

2017-04-09
sierrawireless -- aleos_firmware
Sierra Wireless GX 440 devices with ALEOS firmware 4.3.2 execute the management web application as root.
2017-04-09
sophos -- cyberoam_cr25ing_utm_firmware
Sophos Cyberoam UTM CR25iNG 10.6.3 MR-5 allows remote authenticated users to bypass intended access restrictions via direct object reference, as demonstrated by a request for Licenseinformation.jsp. This is fixed in 10.6.5.
2017-04-07
summer_infant -- baby_zoom_wifi_monitor_firmware
Summer Baby Zoom Wifi Monitor & Internet Viewing System allows remote attackers to bypass authentication, related to the MySnapCam web service.

2017-04-09
trendnet -- tv-ip743sic
TRENDnet WiFi Baby Cam TV-IP743SIC has a password of admin for the backdoor root account.

2017-04-09
vertivco -- liebert_multilink_automated_shutdown
Liebert MultiLink Automated Shutdown v4.2.4 allows local users to gain privileges by replacing the LiebertM executable file.

2017-04-09
