CERT Recently Published Vulnerability Notes

VU#628568: Sierra Wireless GX, ES, and LS gateways running ALEOS contains hard-coded credentials

2015-08-07T18:41:16-04:00

Vulnerability Note VU#628568

Sierra Wireless GX, ES, and LS gateways running ALEOS contains hard-coded credentials

Original Release date: 07 Aug 2015 | Last revised: 07 Aug 2015

Overview

Sierra Wireless GX, ES, and LS gateway devices running ALEOS versions 4.4.1 and earlier contain hard-coded credentials.

Description

CWE-259: Use of Hard-coded Password - CVE-2015-2897

Sierra Wireless devices running ALEOS, including AirLink GX, ES, and LS gateways, contain multiple hard-coded accounts with root privileges. These accounts are enabled by default and accessible by telnet or SSH in systems using ALEOS 4.3.4 or earlier. The accounts also exist and are enabled in versions 4.3.5 to 4.4.1, though remote access is disabled by default.

Impact

A remote, unauthenticated attacker may be able to gain full control of an affected device.

Solution

Apply an update

Sierra Wireless has released version 4.4.2 to address this issue by disabling access to the hard-coded accounts by default. Users unable or unwilling to update may also consider the following workaround.

Restrict access

As a general good security practice, only allow connections from trusted hosts and networks. Restricting access would prevent an attacker from using credentials from a blocked network location.

Vendor Information (Learn More)

Vendor	Status	Date Notified	Date Updated
Sierra Wireless	Affected	17 Jul 2015	03 Aug 2015

If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group	Score	Vector
Base	9.0	AV:N/AC:L/Au:S/C:C/I:C/A:C
Temporal	7.0	E:POC/RL:OF/RC:C
Environmental	6.2	CDP:MH/TD:M/CR:ND/IR:H/AR:ND

References

Credit

Thanks to the reporter who wishes to remain anonymous.

This document was written by Joel Land.

Other Information

CVE IDs: CVE-2015-2897
Date Public: 07 Aug 2015
Date First Published: 07 Aug 2015
Date Last Updated: 07 Aug 2015
Document Revision: 30

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

VU#360431: Chiyu Technology fingerprint access control contains multiple vulnerabilities

2015-07-31T14:29:16-04:00

Vulnerability Note VU#360431

Chiyu Technology fingerprint access control contains multiple vulnerabilities

Original Release date: 31 Jul 2015 | Last revised: 31 Jul 2015

Overview

Multiple models of Chiyu Technology fingerprint access control devices contain a cross-site scripting (XSS) vulnerability and an authentication bypass vulnerability.

Description

CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) - CVE-2015-2870

According to the reporter, <script> tags are not filtered out of a URL passed to the device, allowing an attacker to perform a reflected XSS attack.

CWE-288: Authentication Bypass Using an Alternate Path or Channel - CVE-2015-2871

According to the reporter, an attacker can view and modify the existing configuration of the device without authentication by directly accessing known paths. The path varies slightly depending on model and services available.

Model BF-660C:

http://<host>/net.htm - Communication settings

Model BF-630, BF-630W:

http://<host>/voice.htm - Voice Time Set
http://<host>/bf.htm - UniFinger Setup

The reporter has identified models BF-660C, BF-630, BF-630W as being vulnerable; other models may also be vulnerable.

The CERT/CC has been unable to verify this information with the vendor.

The CVSS score below is based on CVE-2015-2871.

Impact

An unauthenticated remote attacker may be able to view or modify device configuration, or obtain user credentials.

Solution

The CERT/CC is currently unaware of a practical solution to this problem.

Vendor Information (Learn More)

Vendor	Status	Date Notified	Date Updated
Chiyu Technologies	Affected	03 Jun 2015	07 Jul 2015

If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group	Score	Vector
Base	7.5	AV:N/AC:L/Au:N/C:P/I:P/A:P
Temporal	6.4	E:POC/RL:U/RC:UR
Environmental	4.8	CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Maxim Rupp for reporting this vulnerability to us.

This document was written by Garret Wassermann.

Other Information

CVE IDs: CVE-2015-2870 CVE-2015-2871
Date Public: 31 Jul 2015
Date First Published: 31 Jul 2015
Date Last Updated: 31 Jul 2015
Document Revision: 28

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

VU#577140: BIOS implementations fail to properly set UEFI write protections after waking from sleep mode

2015-07-30T16:03:19-04:00

Vulnerability Note VU#577140

BIOS implementations fail to properly set UEFI write protections after waking from sleep mode

Original Release date: 30 Jul 2015 | Last revised: 30 Jul 2015

Overview

Multiple BIOS implementations fail to properly set write protections after waking from sleep, leading to the possibility of an arbitrary BIOS image reflash.

Description

According to Cornwell, Butterworth, Kovah, and Kallenberg, who reported the issue affecting certain Dell client systems (CVE-2015-2890):

There are a number of chipset mechanisms on Intel x86-based computers that provide protection of the BIOS from arbitrary reflash with attacker-controlled data. One of these is the BIOSLE and BIOSWE pair of bits found in the BIOS_CNTL register in the chipset. When the BIOSLE bit is set, the protection mechanism is enabled. The BIOS_CNTL is reset to its default value after a system reset. By default, the BIOSLE bit of the BIOS_CNTL register is cleared (disabled). The BIOS is responsible for re-enabling it after a reset. When a system goes to sleep and then wakes up, this is considered a reset from the hardware's point of view.

Therefore, the BIOS_CNTL register must be reconfigured after waking from sleep. In a normal boot, the BIOS_CNTL is properly configured. However, in some instances BIOS makers do not properly re-set BIOS_CNTL bits upon wakeup. Therefore, an attacker is free to reflash the BIOS with an arbitrary image simply by forcing the system to go to sleep and wakes again. This bypasses the enforcement of signed updates or any other vendor mechanisms for protecting the BIOS from an arbitary reflash.

A similar issue affecting Apple systems (CVE-2015-3692) involves the FLOCKDN bit remaining unset after waking from sleep. For more information, refer to Pedro Vilaça's blog disclosure.

Impact

A privileged attacker with console access can reflash the BIOS of affected systems to an arbitrary image.

Solution

Apply an update

Refer to the Vendor Information section below for a list of affected Dell products, and visit their support page to download updates. Apple updates addressing this issue have been pushed via the App Store beginning June 30, 2015. We are continuing to communicate with vendors as they investigate this vulnerability.

Vendor Information (Learn More)

Vendor	Status	Date Notified	Date Updated
Apple	Affected	01 Jun 2015	30 Jul 2015
Dell Computer Corporation, Inc.	Affected	29 Jun 2015	30 Jul 2015
American Megatrends Incorporated (AMI)	Unknown	16 Jul 2015	16 Jul 2015
AsusTek Computer Inc.	Unknown	16 Jul 2015	16 Jul 2015
Hewlett-Packard Company	Unknown	16 Jul 2015	16 Jul 2015
IBM Corporation	Unknown	16 Jul 2015	16 Jul 2015
Insyde Software Corporation	Unknown	16 Jul 2015	16 Jul 2015
Intel Corporation	Unknown	16 Jul 2015	16 Jul 2015
Lenovo	Unknown	16 Jul 2015	16 Jul 2015
Phoenix Technologies Ltd.	Unknown	16 Jul 2015	16 Jul 2015
Sony Corporation	Unknown	16 Jul 2015	16 Jul 2015
Toshiba America Information Systems, Inc.	Unknown	16 Jul 2015	16 Jul 2015

If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group	Score	Vector
Base	6.8	AV:L/AC:L/Au:S/C:C/I:C/A:C
Temporal	5.3	E:POC/RL:OF/RC:C
Environmental	7.2	CDP:MH/TD:H/CR:ND/IR:H/AR:ND

References

Credit

Thanks to Sam Cornwell, John Butterworth, Xeno Kovah, and Corey Kallenberg for reporting this vulnerability in Dell products, and to Pedro Vilaça for disclosing the issue in Apple products.

This document was written by Joel Land.

Other Information

CVE IDs: CVE-2015-2890 CVE-2015-3692
Date Public: 30 Jul 2015
Date First Published: 30 Jul 2015
Date Last Updated: 30 Jul 2015
Document Revision: 29

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

VU#924951: Android Stagefright contains multiple vulnerabilities

2015-07-28T15:11:16-04:00

Vulnerability Note VU#924951

Android Stagefright contains multiple vulnerabilities

Original Release date: 28 Jul 2015 | Last revised: 07 Aug 2015

Overview

Stagefright is the media playback service for Android, introduced in Android 2.2 (Froyo). Stagefright in versions of Android prior to 5.1.1_r9 may contain multiple vulnerabilities, including several integer overflows, which may allow a remote attacker to execute code on the device.

Description

According to a Zimperium zLabs blog post, Android's Stagefright engine contains multiple vulnerabilities, including several integer overflows, allowing a remote attacker to access files or possibly execute code on the device. This vulnerability may at least partially affect all versions of Android starting from 2.2 (Froyo) and prior to 5.1.1_r9 (Lollipop).

An attacker with a victim's cell phone number may send maliciously crafted multimedia messages (MMS) which may be improperly parsed by the Stagefright tool. Other attack vectors may be possible.

According to Ars Technica, "successful exploits at the very least provide direct access to a phone's audio and camera feeds and to the external storage ... many older phones grant elevated system privileges to Stagefright code, a design that could allow attackers access to many more device resources."

Zimperium has released more information on these vulnerabilities, including a proof of concept code, patches, a video demoing the exploit and an Android app that detects the vulnerability.

The vulnerabilities include:
1. CVE-2015-1538, P0006, Google Stagefright ‘stsc’ MP4 Atom Integer Overflow Remote Code Execution
2. CVE-2015-1538, P0004, Google Stagefright ‘ctts’ MP4 Atom Integer Overflow Remote Code Execution
3. CVE-2015-1538, P0004, Google Stagefright ‘stts’ MP4 Atom Integer Overflow Remote Code Execution
4. CVE-2015-1538, P0004, Google Stagefright ‘stss’ MP4 Atom Integer Overflow Remote Code Execution
5. CVE-2015-1539, P0007, Google Stagefright ‘esds’ MP4 Atom Integer Underflow Remote Code Execution
6. CVE-2015-3827, P0008, Google Stagefright ‘covr’ MP4 Atom Integer Underflow Remote Code Execution
7. CVE-2015-3826, P0009, Google Stagefright 3GPP Metadata Buffer Overread
8. CVE-2015-3828, P0010, Google Stagefright 3GPP Integer Underflow Remote Code Execution
9. CVE-2015-3824, P0011, Google Stagefright ‘tx3g’ MP4 Atom Integer Overflow Remote Code Execution
10. CVE-2015-3829, P0012, Google Stagefright ‘covr’ MP4 Atom Integer Overflow Remote Code Execution

Since integer overflow is a type of memory error, Address Space Layout Randomization (ASLR) appears to partially mitigate this issue; Forbes reports that Android before 4.1 (Jelly Bean) have "inadequate exploit mitigations." ASLR was introduced in Android 4.0 and fully enabled in Android 4.1.

Impact

A remote attacker may be able to execute code on the Android device.

Solution

Apply an update

The Android Open Source Project (AOSP) has released Android 5.1.1_r9 to address this issue. Currently this update is only available for Nexus and Samsung phones.

In the US, cell phone carriers largely control the updating process. The update may or may not be available for your phone. Contact your cell phone carrier or manufacturer for update information.

Alternatively, the vulnerability may be mitigated by the following workarounds:

Block all text messages from unknown senders

Blocking all text messages from unknown senders in your default text message handling app may mitigate this issue.

Turn off "Auto Retrieve" for multimedia messages

If your default text messaging app does not allow blocking of senders, you may also disable the auto retrieve feature for multimedia messages. This may prevent the autoloading of MMS content into Stagefright.

Vendor Information (Learn More)

Vendor	Status	Date Notified	Date Updated
Amazon	Affected	-	28 Jul 2015
Barnes and Noble	Affected	-	28 Jul 2015
Google	Affected	-	28 Jul 2015
HTC	Affected	-	28 Jul 2015
Huawei Technologies	Affected	-	28 Jul 2015
Kyocera Communications	Affected	-	28 Jul 2015
LG Electronics	Affected	-	28 Jul 2015
Motorola, Inc.	Affected	-	28 Jul 2015
Samsung Mobile	Affected	-	07 Aug 2015
Sony Corporation	Affected	-	28 Jul 2015

If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group	Score	Vector
Base	5.8	AV:N/AC:M/Au:N/C:P/I:P/A:N
Temporal	4.7	E:POC/RL:W/RC:UR
Environmental	3.5	CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Joshua Drake at Zimperium’s zLabs for working with Google to develop patches and publicly disclose these vulnerabilities.

This document was written by Garret Wassermann.

Other Information

CVE IDs: CVE-2015-1538 CVE-2015-1539 CVE-2015-3824 CVE-2015-3826 CVE-2015-3827 CVE-2015-3828 CVE-2015-3829
Date Public: 21 Jul 2015
Date First Published: 28 Jul 2015
Date Last Updated: 07 Aug 2015
Document Revision: 90

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

VU#819439: Fiat Chrysler Automobiles UConnect allows a vehicle to be remotely controlled

2015-07-24T11:31:16-04:00

Vulnerability Note VU#819439

Fiat Chrysler Automobiles UConnect allows a vehicle to be remotely controlled

Original Release date: 24 Jul 2015 | Last revised: 27 Jul 2015

Overview

Fiat Chrysler Automobiles (FCA) UConnect may allow a remote attacker to control physical vehicle functions.

Description

According to a WIRED news article, an unknown vulnerability in FCA UConnect software allows some functions of recent models of Jeep Cherokee to be controlled by a remote attacker. Other FCA makes (including Chrysler, Dodge, and Ram) that use UConnect may also be vulnerable.

FCA with the National Highway and Transportation Safety Administration (NHTSA) has initiated a safety recall (NHTSA campaign 15V461000, "Radio Software Security Vulnerabilities") for all possibly affected makes and models:

2013-2015 Ram 1500 Pickup
2013-2015 Ram 3500 Cab Chassis
2013-2015 Ram 2500 Pickup
2013-2015 Ram 3500 Pickup
2013-2015 Ram 4500/5500 Cab Chassis
2013-2015 Dodge Viper
2014-2015 Jeep Cherokee
2014-2015 Jeep Grand Cherokee
2014-2015 Dodge Durango
2015 Chrysler 200s
2015 Chrysler 300s
2015 Dodge Challenger
2015 Dodge Charger

For more information, see NHTSA's report and the chronology of events leading to the recall.

It appears that some UConnect systems were configured with services listening on the Sprint mobile network. An attacker would have to have access to the Sprint mobile network.

FCA vehicles are designed with safety systems that mitigate, but do not completely prevent, this type of attack.

The paper Comprehensive Experimental Analyses of Automotive Attack Surfaces, published in 2011, documents similar research, including successful experiments gaining remote control of physical vehicle functions.

Impact

A remote attacker could control some physical functions of a vulnerable vehicle, potentially causing significant physical damage and serious or fatal injury.

The WIRED article states that the researchers were able to remotely disable the transmission, and that the car had to be stopped and restarted to restore normal operation. WIRED also reports:

Furthermore, an attacker could remotely control "...the air-conditioning, radio, and windshield wipers."

An FCA blog post states that the researchers could "...remotely controlled some functions..." but that "To FCA’s knowledge, there has not been a single real world incident of an unlawful or unauthorized remote hack into any FCA vehicle."

Solution

Apply an update

FCA has provided an update to address this vulnerabilities, and has initiated a safety recall (NHTSA campaign 15V461000). Owners of affected models are advised to update their vehicle's UConnect software immediately. Owners can perform the update themselves or take their vehicle to a dealer to perform the update free of charge. For more information on obtaining the update or finding out if your vehicle is affected, please see FCA's news release and the recall notice at safercar.gov.

Technical Service Bulletin (TSB) 08-072-15 includes a fix for "Improved Radio security protection to reduce the potential risk of unauthorized and unlawful access to vehicle systems." The UConnect update, among other things, changes the configuration to close the listening services.

For 2013-2014 model years, update to UConnect radio version 15.26.1 or higher. For 2015 model years, update to UConnect radio version 15.17.5 or higher.

Restrict network access

Additionally, FCA provided the following statement:

Threat modeling and secure architecture

Complex software systems contain latent vulnerabilities. Updating software to resolve vulnerabilities as they are discovered is a necessary but insufficient defensive activity. Complex, safety-critical software systems require resilient, secure design considerations.

Vehicle manufacturers should use threat models that consider skilled and potentially well-funded attackers and remote network communications. Manufacturers should also design vehicle networks to isolate or carefully limit access to safety critical systems from telematics, infotainment, diagnostic and remote communications systems.

Vendor Information (Learn More)

Vendor	Status	Date Notified	Date Updated
Fiat Chrysler Automobiles	Affected	-	27 Jul 2015

If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group	Score	Vector
Base	8.5	AV:N/AC:M/Au:S/C:C/I:C/A:C
Temporal	6.7	E:POC/RL:OF/RC:C
Environmental	6.2	CDP:H/TD:M/CR:M/IR:H/AR:H

References

Credit

This vulnerability was publicly demonstrated by Charlie Miller and Chris Valasek, and initially reported by WIRED magazine. Thanks to FCA for quickly working with us to issue this vulnerability note.

This document was written by Garret Wassermann and Art Manion.

Other Information

CVE IDs: Unknown
Date Public: 21 Jul 2015
Date First Published: 24 Jul 2015
Date Last Updated: 27 Jul 2015
Document Revision: 70

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

VU#857948: Honeywell Tuxedo Touch Controller contains multiple vulnerabilities

2015-07-24T14:17:17-04:00

Vulnerability Note VU#857948

Honeywell Tuxedo Touch Controller contains multiple vulnerabilities

Original Release date: 24 Jul 2015 | Last revised: 24 Jul 2015

Overview

All versions of Honeywell Tuxedo Touch Controller are vulnerable to authentication bypass and cross-site request forgery (CSRF).

Description

CWE-603: Use of Client-Side Authentication - CVE-2015-2847

The Honeywell Tuxedo Touch Controller web interface uses JavaScript to check for client authentication and redirect unauthorized users to a login page. By intercepting and dropping requests containing the string USERACCT=USERNAME:_,PASSWORD:_, an unauthenticated user may bypass authentication and access restricted pages.

CWE-353: Cross-Site Request Forgery (CSRF) - CVE-2015-2848

Honeywell Tuxedo Touch Controller contains a global cross-site request forgery (CSRF) vulnerability. An attacker can perform actions with the same permissions as a victim user, provided the victim has an active session and is induced to trigger the malicious request. Note that these actions may include issuing commands to home automation devices controlled by the Tuxedo Touch Controller, such as unlocking or locking doors.

The CVSS score reflects CVE-2015-2848.

Impact

A remote, unauthenticated attacker may be able to bypass authentication checks to view restricted pages, or trick an authenticated user into making an unintentional request to the web server which will be treated as an authentic request. Compromised Tuxedo Touch Controllers may be leveraged to operate home automation devices, such as unlocking or locking doors.

Solution

Apply an update

Honeywell has released firmware version TUXW_V5.2.19.0_VA to address these vulnerabilities. Since all prior firmware versions are affected, users are strongly encouraged to update their devices.

Vendor Information (Learn More)

Vendor	Status	Date Notified	Date Updated
Honeywell	Affected	15 May 2015	16 Jun 2015

If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group	Score	Vector
Base	6.8	AV:N/AC:M/Au:N/C:P/I:P/A:P
Temporal	5.3	E:POC/RL:OF/RC:C
Environmental	1.8	CDP:LM/TD:L/CR:ND/IR:H/AR:ND

References

Credit

Thanks to Maxim Rupp for reporting this vulnerability.

This document was written by Joel Land.

Other Information

CVE IDs: CVE-2015-2847 CVE-2015-2848
Date Public: 24 Jul 2015
Date First Published: 24 Jul 2015
Date Last Updated: 24 Jul 2015
Document Revision: 17

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

VU#912036: N-Able RSMWinService contains hard coded security constants allowing decryption of domain administrator password

2015-07-20T15:22:58-04:00

Vulnerability Note VU#912036

N-Able RSMWinService contains hard coded security constants allowing decryption of domain administrator password

Original Release date: 20 Jul 2015 | Last revised: 20 Jul 2015

Overview

SolarWinds N-Able N-Central is an agent-based enterprise support and management solution. N-Able N-Central contains several hard-coded encryption constants in the web interface that allow decryption of the password when combined.

Description

CWE-547: Use of Hard-coded, Security-relevant Constants

N-Able N-Central's RSM service stores the N-Able domain administrator account password in an encrypted (AES128) format. According to the reporter, however, the encrypted password is accessible by any authenticated local or remote user from within from the RSM web page source. The credentials are also available in an encrypted format via local RSM configuration files accessible by any local user with rights to browse program files. The encryption keys as well as other parameters needed for decryption are hard-coded and may be extracted from the N-Able RSM software stored on the local users system. An attacker can use this information to decrypt and obtain the domain administrator password used by the N-Able software.

The reporter states that N-Able N-Central version 9.5.0 is vulnerable to these problems, and version 9.0 through 9.4 may also be vulnerable.

The CERT/CC has been unable to confirm these vulnerabilities with SolarWinds.

Impact

According to the reporter, a remote attacker with domain user credentials or access to RSM files on an installed system can obtain domain administrator access.

Solution

Apply an Update

According to the reporter, N-Able Support Manager Build 178 and N-Able N-Central Agent version 9.5.1.4514 or above, or 10.0.0.1722 or above, have addressed remote access to this issue. Users are encouraged to update N-Able software as soon as possible.

The CERT/CC has been unable to confirm with SolarWinds that this update fully addresses these issues.

Vendor Information (Learn More)

Vendor	Status	Date Notified	Date Updated
SOLARWINDS	Affected	05 Jun 2015	01 Jul 2015

If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group	Score	Vector
Base	7.7	AV:A/AC:L/Au:S/C:C/I:C/A:C
Temporal	6.6	E:POC/RL:U/RC:UR
Environmental	4.9	CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

None

Credit

Thanks to Gary Blosser for reporting this vulnerability to us.

This document was written by Garret Wassermann.

Other Information

CVE IDs: Unknown
Date Public: 20 Jul 2015
Date First Published: 20 Jul 2015
Date Last Updated: 20 Jul 2015
Document Revision: 43

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

VU#813631: Total Commander File Info plugin vulnerable to denial of service via an out-of-bounds read

2015-07-20T10:18:59-04:00

Vulnerability Note VU#813631

Total Commander File Info plugin vulnerable to denial of service via an out-of-bounds read

Original Release date: 20 Jul 2015 | Last revised: 20 Jul 2015

Overview

Total Commander's File Info plugin version 2.21 attempts an out-of-bounds read when reading a file carefully crafted by an attacker.

Description

CWE-125: Out-of-bounds Read - CVE-2015-2869

An attacker that can control the contents of certain file types may be able to cause an out-of-bounds read error in Total Commander File Plugin version 2.21 by specifying overly large values of certain properties. An attacker who successfully exploits this vulnerability may cause the Total Commander application to unexpectedly terminate.

This attack has been noted in at least two different file types due to the software's improper use of the strncmp function.

COFF Archive Library (.lib) files may be used by specifying overly large values for the 'Size' field of the Archive Member Header or the "Number Of Symbols" field in the 1st Linker Member.

Linear Executable files may be used by specifying overly large values for the "Resource Table Count" field of the LE Header or the "Object" field at offset 0x8 from a "Resource Table Entry".

Out-of-bounds reads may allow remote code execution in some circumstances; the CERT/CC is currently unaware of such an attack on the Total Commander File Info plugin, however.

Impact

An attacker may be able to cause the application to terminate.

Solution

Apply an update

Total Commander File Info plugin has released version 2.22, which addresses this issue. Affected users are encouraged to update as soon as possible

Vendor Information (Learn More)

Vendor	Status	Date Notified	Date Updated
Total Commander File Info Plugin	Affected	-	16 Jul 2015

If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group	Score	Vector
Base	4.7	AV:L/AC:M/Au:N/C:N/I:N/A:C
Temporal	3.7	E:POC/RL:OF/RC:C
Environmental	0.9	CDP:ND/TD:L/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Cisco TALOS for reporting this vulnerability to us. Cisco Talos credits Marcin Noga for discovering this vulnerability.

This document was written by Garret Wassermann.

Other Information

CVE IDs: CVE-2015-2869
Date Public: 16 Jul 2015
Date First Published: 20 Jul 2015
Date Last Updated: 20 Jul 2015
Document Revision: 36

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

VU#919604: Kaseya Virtual System Administrator contains multiple vulnerabilities

2015-07-13T13:10:54-04:00

Vulnerability Note VU#919604

Kaseya Virtual System Administrator contains multiple vulnerabilities

Original Release date: 13 Jul 2015 | Last revised: 13 Jul 2015

Overview

Kaseya Virtual System Administrator (VSA), versions R9 and possibly earlier, contains arbitrary file download and open redirect vulnerabilities.

Description

CWE-22: Improper Limitation of Pathname to a Restricted Directory ('Path Traversal') - CVE-2015-2862

Kaseya VSA is an IT management platform with a help desk ticketing system. An authenticated attacker can traverse directories and download arbitrary files by submitting a specially crafted HTTP request to the server hosting the VSA software.

CWE-601: URL Redirection to Untrusted Site ('Open Redirect') - CVE-2015-2863

Kaseya VSA, versions V7.x, R8.x and R9.x, contain an open redirect vulnerability. An attacker may be able to leverage users' trust in the domain to induce them to visit a site with malicious content.

The CVSS score below refers to CVE-2015-2862.

Impact

A remote, authenticated attacker can download arbitrary files. A remote, unauthenticated attacker may be able to redirect users to arbitrary web sites.

Solution

Apply an update

The vendor has released the following patches to address these issues:

R9.1: install patch 9.1.0.4
R9.0: install patch 9.0.0.14
R8.0: install patch 8.0.0.18
V7.0: install patch 7.0.0.29

Vendor Information (Learn More)

Vendor	Status	Date Notified	Date Updated
Kaseya, Inc.	Unknown	27 Apr 2015	27 Apr 2015

If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group	Score	Vector
Base	4.3	AV:N/AC:M/Au:N/C:N/I:P/A:N
Temporal	3.4	E:POC/RL:OF/RC:C
Environmental	2.5	CDP:N/TD:M/CR:ND/IR:ND/AR:ND

References

Credit

Thanks to Pedro Ribeiro (pedrib@gmail.com) of Agile Information Security for reporting these vulnerabilities.

This document was written by Joel Land.

Other Information

CVE IDs: CVE-2015-2862 CVE-2015-2863
Date Public: 13 Jul 2015
Date First Published: 13 Jul 2015
Date Last Updated: 13 Jul 2015
Document Revision: 13

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

VU#918568: Adobe Flash ActionScript 3 BitmapData memory corruption vulnerability

2015-07-12T11:08:54-04:00

Vulnerability Note VU#918568

Adobe Flash ActionScript 3 BitmapData memory corruption vulnerability

Original Release date: 12 Jul 2015 | Last revised: 14 Jul 2015

Overview

Adobe Flash Player contains a vulnerability in the ActionScript 3 BitmapData object, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

Description

Adobe Flash Player versions 9.0 through version 18.0.0.204 contain amemory corruption vulnerability in the AS3 BitmapData class. Proof-of-concept exploit code for this vulnerability is publicly available.

Please see Adobe Security Bulletin APSA15-04 for more details about affected Flash versions.

Impact

An attacker may be able to execute arbitrary code in the context of the user running Flash Player. Attacks typically involve enticing a user to visit a web site containing specially-crafted Flash content, or to open a specially-crafted Microsoft Office document.

Solution

Apply an update

This issue is addressed in Flash Player Desktop 18.0.0.209. See Adobe Security Bulletin APSB15-18 for more details. Please also consider the following workarounds:

Do not run untrusted Flash content

To defend against this and other, as yet unknown vulnerabilities, disable Flash in your browser or enable Click-to-Play features. Adobe has also provided instructions for how to uninstall Flash on Windows and Mac platforms.

Use the Microsoft Enhanced Mitigation Experience Toolkit

The Microsoft Enhanced Mitigation Experience Toolkit (EMET) can be used to help prevent exploitation of this vulnerability. In particular, Attack Surface Reduction (ASR) can be configured to help restrict Microsoft Office and Internet Explorer from loading the Flash ActiveX control.

Vendor Information (Learn More)

Vendor	Status	Date Notified	Date Updated
Adobe	Affected	-	12 Jul 2015

If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group	Score	Vector
Base	7.5	AV:N/AC:L/Au:N/C:P/I:P/A:P
Temporal	6.8	E:POC/RL:U/RC:C
Environmental	6.7	CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

Credit

This vulnerability was reported by TrendMicro, based on the HackingTeam leak.

This document was written by Will Dormann.

Other Information

CVE IDs: CVE-2015-5123
Date Public: 05 Jul 2015
Date First Published: 12 Jul 2015
Date Last Updated: 14 Jul 2015
Document Revision: 19

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

VU#338736: Adobe Flash ActionScript 3 opaqueBackground use-after-free vulnerability

2015-07-11T10:58:53-04:00

Vulnerability Note VU#338736

Adobe Flash ActionScript 3 opaqueBackground use-after-free vulnerability

Original Release date: 11 Jul 2015 | Last revised: 14 Jul 2015

Overview

Adobe Flash Player contains a vulnerability in the ActionScript 3 opaqueBackground property, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

Description

Adobe Flash Player versions 9.0 through version 18.0.0.204 contain a use-after-free vulnerability in the AS3 opaqueBackground class. This can allow attacker-controlled memory corruption. Exploit code for this vulnerability is publicly available.

Please see Adobe Security Bulletin APSA15-04 for more details about affected Flash versions.

Impact

An attacker can execute arbitrary code in the context of the user running Flash Player. Attacks typically involve enticing a user to visit a web site containing specially-crafted Flash content, or to open a specially-crafted Microsoft Office document.

Solution

Apply an update

This issue is addressed in Flash Player Desktop 18.0.0.209. See Adobe Security Bulletin APSB15-18 for more details. Please also consider the following workarounds:

Vendor Information (Learn More)

Vendor	Status	Date Notified	Date Updated
Adobe	Affected	-	11 Jul 2015

If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group	Score	Vector
Base	7.5	AV:N/AC:L/Au:N/C:P/I:P/A:P
Temporal	7.5	E:H/RL:U/RC:C
Environmental	7.5	CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

Credit

This document was written by Will Dormann.

Other Information

CVE IDs: CVE-2015-5122
Date Public: 05 Jul 2015
Date First Published: 11 Jul 2015
Date Last Updated: 14 Jul 2015
Document Revision: 26

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

VU#103336: Windows Adobe Type Manager privilege escalation vulnerability

2015-07-08T15:20:54-04:00

Vulnerability Note VU#103336

Windows Adobe Type Manager privilege escalation vulnerability

Original Release date: 08 Jul 2015 | Last revised: 14 Jul 2015

Overview

The Adobe Type Manager module contains a memory corruption vulnerability, which can allow an attacker to obtain SYSTEM privileges on an affected Windows system.

Description

Adobe Type Manager, which is provided by atmfd.dll, is a kernel module that is provided by Windows and provides support for OpenType fonts. A memory-corruption flaw in Adobe Type Manager allows for manipulation of Windows kernel memory, which can result in a wide range of impacts. Although not related to this specific vulnerability, the j00ru//vx tech blog has details about the Adobe Type Manager Font Driver.

Note that exploit code for this vulnerability is publicly available, as part of the HackingTeam compromise. We have confirmed that the exploit code successfully obtains SYSTEM privileges on Windows XP through Windows 8.1 systems, both 32-bit and 64-bit.

Impact

This vulnerability can allow an attacker to gain SYSTEM privileges on an affected Windows system. This can be used to bypass web browser and other OS-level sandboxing and protections.

Solution

Apply an update

This issue is addressed in Microsoft Security Bulletin MS15-077. Please see this document for update and workaround information.

Vendor Information (Learn More)

Vendor	Status	Date Notified	Date Updated
Microsoft Corporation	Affected	08 Jul 2015	14 Jul 2015

If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group	Score	Vector
Base	6.8	AV:L/AC:L/Au:S/C:C/I:C/A:C
Temporal	6.8	E:H/RL:U/RC:C
Environmental	6.8	CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

Credit

This document was written by Will Dormann.

Other Information

CVE IDs: Unknown
Date Public: 05 Jul 2015
Date First Published: 08 Jul 2015
Date Last Updated: 14 Jul 2015
Document Revision: 18

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

VU#253708: Grandsteam GXV3611_HD camera is vulnerable to SQL injection

2015-07-07T14:44:26-04:00

Vulnerability Note VU#253708

Grandsteam GXV3611_HD camera is vulnerable to SQL injection

Original Release date: 07 Jul 2015 | Last revised: 07 Jul 2015

Overview

The Grandsteam GXV3611_HD is an IP network camera used for surveillance and security. The Grandsteam GXV3611_HD is vulnerable to a SQL injection attack.

Description

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - CVE-2015-2866

The Grandstream GXV3611_HD camera with firmware of 1.0.3.6 or before does not correctly perform input validation on the username field of the telnet login. An attacker may exploit this weakness to execute a SQL injection attack on the camera's configuration.

Impact

A remote unauthenticated attacker may be able to perform a SQL injection to view or modify the configuration of the device.

Solution

Update the firmware

Grandstream has released firmware 1.0.3.9 beta to address this issue. Consider updating your camera's firmware as soon as possible.

Vendor Information (Learn More)

Vendor	Status	Date Notified	Date Updated
Grandstream	Affected	-	30 Jun 2015

If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group	Score	Vector
Base	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:N
Temporal	5.0	E:POC/RL:OF/RC:C
Environmental	3.8	CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

http://www.grandstream.com/support/firmware

Credit

Thanks to the Living Lab at IUPUI for reporting this vulnerability to us.

This document was written by Garret Wassermann.

Other Information

CVE IDs: CVE-2015-2866
Date Public: 07 Jul 2015
Date First Published: 07 Jul 2015
Date Last Updated: 07 Jul 2015
Document Revision: 51

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

VU#561288: Adobe Flash ActionScript 3 ByteArray use-after-free vulnerability

2015-07-07T14:46:54-04:00

Vulnerability Note VU#561288

Adobe Flash ActionScript 3 ByteArray use-after-free vulnerability

Original Release date: 07 Jul 2015 | Last revised: 11 Jul 2015

Overview

Adobe Flash Player contains a vulnerability in the ActionScript 3 ByteArray class, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

Description

Adobe Flash Player versions 9.0 through version 18.0.0.194 contain a use-after-free vulnerability in the AS3 ByteArray class. This can allow attacker-controlled memory corruption. Exploit code for this vulnerability is publicly available.

Impact

Solution

Apply an update

This issue is addressed in Flash Player Desktop 18.0.0.203. Please see Adobe Security Bulletin APSB15-16 for more details and fix versions for other platforms.

Vendor Information (Learn More)

Vendor	Status	Date Notified	Date Updated
Adobe	Affected	06 Jul 2015	08 Jul 2015

If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group	Score	Vector
Base	7.5	AV:N/AC:L/Au:N/C:P/I:P/A:P
Temporal	7.1	E:H/RL:W/RC:C
Environmental	7.1	CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

Credit

This vulnerability was discovered by HackingTeam.

This document was written by Will Dormann.

Other Information

CVE IDs: CVE-2015-5119
Date Public: 05 Jul 2015
Date First Published: 07 Jul 2015
Date Last Updated: 11 Jul 2015
Document Revision: 37

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

VU#485324: ANTLabs InnGate gateway device contains SQL injection and reflected cross-site scripting vulnerabilities

2015-07-06T13:20:35-04:00

Vulnerability Note VU#485324

ANTLabs InnGate gateway device contains SQL injection and reflected cross-site scripting vulnerabilities

Original Release date: 06 Jul 2015 | Last revised: 06 Jul 2015

Overview

ANTlabs InnGate is a gateway device designed for operating corporate guest/visitor networks. Multiple InnGate models have been confirmed to be vulnerable to SQL injection and cross-site scripting attacks.

Description

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - CVE-2015-2849

The ppli URL parameter of the main.ant page is vulnerable to SQL injection. A remote attacker can perform arbitrary queries on the underlying database. According to ANTLabs, only https connections are vulnerable to this attack.

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CVE-2015-2850

A reflected cross-site scripting vulnerability also exists in the msg URL parameter of the index-login.ant page.

Affected models include the following:

InnGate 3.01 E-Series
InnGate 3.10 E-Series
InnGate 3.10 M-Series
IG3100
SG 4
SSG 4

The CVSS score below is based on CVE-2015-2849.

Impact

A remote attacker may be able exploit CVE-2015-2849 to execute arbitrary queries on the backend datastore.

A remote attacker may be able to exploit CVE-2015-2850 to obtain user credentials to the administrator panel if a user can be enticed to click an XSS-injected link.

Solution

Apply an update

ANTLabs has released a firmware update addressing these issues for affected models. All affected users are encouraged to update as soon as possible. The update is available on the ANTlabs customer portal or via the system update mechanism.

Vendor Information (Learn More)

Vendor	Status	Date Notified	Date Updated
ANTlabs	Affected	20 Apr 2015	06 Jul 2015

If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group	Score	Vector
Base	7.8	AV:A/AC:L/Au:N/C:C/I:C/A:N
Temporal	6.1	E:POC/RL:OF/RC:C
Environmental	4.6	CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

None

Credit

Thanks to Devesh Logendran for reporting these vulnerabilities.

This document was written by Garret Wassermann.

Other Information

CVE IDs: CVE-2015-2849 CVE-2015-2850
Date Public: 06 Jul 2015
Date First Published: 06 Jul 2015
Date Last Updated: 06 Jul 2015
Document Revision: 42

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.