
VU#346175: Imagely NextGen Gallery plugin for WordPress contains a local file...

The Imagely NextGen Gallery plugin for WordPress prior to version 2.1.57 may execute code from an uploaded malicious file.

VU#548487: BSD libc contains a buffer overflow vulnerability in link_ntoa()

The BSD libc library's link_ntoa() function may be vulnerable to a classic buffer overflow.
It is currently unclear if this issue is exploitable.

VU#480428: Juniper ScreenOS is vulnerable to a denial of service from...

Juniper ScreenOS 6.3, and possibly earlier versions, is vulnerable to a denial of service from malformed SSL packets.

VU#600724: ZTE F460/F660 cable modems contain an unauthenticated backdoor

ZTE F460/F660 cable modems contain an unauthenticated backdoor.

VU#797896: CGI web servers assign Proxy header values from client requests...

CGI web servers assign Proxy header values from client requests to internal HTTP_PROXY environment variables
Original Release date: 18 Jul 2016 | Last revised: 19 Jul 2016

Overview
Web servers running in a CGI or CGI-like context may assign client request Proxy header values to internal HTTP_PROXY environment variables. This vulnerability can be leveraged to conduct man-in-the-middle (MITM) attacks on internal subrequests or to direct the server to initiate connections to arbitrary hosts.

Description
CWE-807: Reliance on Untrusted Inputs in a Security Decision
CWE-454: External Initialization of Trusted Variables or Data Stores

Web servers running in a CGI or CGI-like context may assign client request Proxy header values to internal HTTP_PROXY environment variables. The vulnerable behavior is the result of a naming convention for meta-variables, defined in RFC 3876, which leads to a name collision: "The HTTP header field name is converted to upper case, has all occurrences of "-" replaced with "_" and has "HTTP_" prepended to give the meta-variable name."

According to the researchers, a web server is vulnerable if:

1. A web server, programming language or framework (and in some limited situations the application itself) sets the environment variable HTTP_PROXY from the user-supplied Proxy header in the web request, or sets a similarly used variable (essentially when the request header turns from harmless data into a potentially harmful environment variable).
2. A web application makes use of HTTP_PROXY or a similar variable unsafely (e.g. fails to check the request type), resulting in an attacker-controlled proxy being used (essentially when HTTP_PROXY is actually used unsafely).

By sending a specially crafted request to a vulnerable server, a remote, unauthenticated attacker may be able to conduct MITM attacks on internal server subrequests or direct the server to initiate connections to arbitrary hosts.

For more information, refer to httpoxy.org.

Impact
A remote, unauthenticated attacker may be able to conduct MITM attacks on internal server subrequests or direct the server to initiate connections to arbitrary hosts.

Solution
Apply an update
Where applicable, affected products and components should be updated to address this vulnerability. Check with vendors for information about patching. Where patches are unavailable or updating is not an option, consider the following workarounds.

Filter Proxy request headers
The researchers and community have identified several filtering strategies that are product-dependent:

Apache/CGI
In this configuration, any language may be vulnerable (the HTTP_PROXY env var is "real"). If you are using mod_headers, you can unset the "Proxy" header with this directive:

    RequestHeader unset Proxy

If you are using mod_security, you can use a rule like (vary the action to taste):

    SecRuleEngine On
    SecRule &REQUEST_HEADERS:Proxy "@gt 0" "id:1000005,log,deny,msg:'httpoxy denied'"

Refer to Apache's response for more information.

HAProxy

    http-request del-header Proxy

lighttpd <= 1.4.40 (reject requests containing "Proxy" header)
Create "/path/to/deny-proxy.lua", read-only to lighttpd, with content:

    if (lighty.request["Proxy"] == nil) then return 0 else return 403 end

Modify lighttpd.conf to load mod_magnet and run the Lua code:

    server.modules += ( "mod_magnet" )
    magnet.attract-raw-url-to = ( "/path/to/deny-proxy.lua" )

lighttpd2 (development) (strip "Proxy" header from request)
Add to lighttpd.conf:

    req_header.remove "Proxy";

Nginx/FastCGI
Use this to block the Proxy header from being passed on to PHP-FPM, PHP-PM, etc.:

    fastcgi_param HTTP_PROXY "";

Nginx with proxy_pass
The following setting should work for people who are using "proxy_pass" with nginx:

    proxy_set_header Proxy "";

Microsoft IIS
Microsoft has provided the following guidance for IIS servers utilizing affected third-party frameworks. Mitigation steps: update apphost.config with the following rule:

    <system.webServer>
      <rewrite>
        <rules>
          <rule name="Erase HTTP_PROXY" patternSyntax="Wildcard">
            <match url="*.*" />
            <serverVariables>
              <set name="HTTP_PROXY" value="" />
            </serverVariables>
            <action type="None" />
          </rule>
        </rules>
      </rewrite>
    </system.webServer>

Vendor Information
Vendor                      Status        Date Notified  Date Updated
Apache HTTP Server Project  Affected      12 Jul 2016    18 Jul 2016
Go Programming Language     Affected      -              18 Jul 2016
HAProxy                     Affected      -              13 Jul 2016
HHVM                        Affected      -              18 Jul 2016
lighttpd                    Affected      -              19 Jul 2016
Microsoft Corporation       Affected      12 Jul 2016    13 Jul 2016
nginx                       Affected      -              13 Jul 2016
Python                      Affected      -              18 Jul 2016
The PHP Group               Affected      -              18 Jul 2016
EfficientIP SAS             Not Affected  12 Jul 2016    12 Jul 2016
ACCESS                      Unknown       12 Jul 2016    12 Jul 2016
Alcatel-Lucent              Unknown       12 Jul 2016    12 Jul 2016
Apple                       Unknown       12 Jul 2016    12 Jul 2016
Arista Networks, Inc.       Unknown       12 Jul 2016    12 Jul 2016
ARRIS                       Unknown       12 Jul 2016    12 Jul 2016

CVSS Metrics
Group          Score  Vector
Base           5.1    AV:N/AC:H/Au:N/C:P/I:P/A:P
Temporal       4.6    E:POC/RL:ND/RC:C
Environmental  1.1    CDP:ND/TD:L/CR:ND/IR:ND/AR:ND

Credit
Thanks to Dominic Scheirlinck and Scott Geary of Vend for reporting this vulnerability. This document was written by Joel Land.
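The two halves of the note above, the meta-variable naming collision and the header-filtering workaround, can be seen end to end in a few lines. The following Python is an added example written for this page; it is not code from CERT/CC, from the httpoxy researchers, or from any of the vendors in the table. It assumes a constructed request (the header values and the 203.0.113.x / 198.51.100.x addresses are documentation-range samples) and a hypothetical BLOCKED_HEADERS set standing in for the server-side filter. The client-side check uses the real urllib.request.getproxies_environment(), which on a Python build that carries the fix listed in the vendor table ignores an upper-case HTTP_PROXY whenever REQUEST_METHOD is present in the environment.

```python
import os
import urllib.request
from typing import Dict, Iterable, Tuple
from unittest import mock

# Constructed sample request: an ordinary request that also carries a
# client-chosen "Proxy" header (addresses from the documentation ranges).
SAMPLE_HEADERS: Tuple[Tuple[str, str], ...] = (
    ("Host", "app.example"),
    ("User-Agent", "sample-client/1.0"),
    ("X-Forwarded-For", "198.51.100.20"),
    ("Proxy", "http://203.0.113.7:8080"),
)

# Request headers whose CGI meta-variable names collide with environment
# variables that HTTP client libraries read as configuration.  "Proxy" is
# the httpoxy case; the set itself is an assumption of this example, not
# part of any standard.
BLOCKED_HEADERS = frozenset({"proxy"})


def cgi_meta_variable(header_name: str) -> str:
    """Apply the CGI meta-variable naming rule quoted in the advisory:
    upper-case the header name, replace "-" with "_", prepend "HTTP_"."""
    return "HTTP_" + header_name.upper().replace("-", "_")


def build_cgi_environment(headers: Iterable[Tuple[str, str]],
                          method: str = "GET",
                          strip_blocked: bool = True) -> Dict[str, str]:
    """Build the environment a CGI gateway would hand to a script.

    With strip_blocked=False this reproduces the vulnerable behaviour
    (the Proxy header becomes HTTP_PROXY).  With the default, the
    colliding header is dropped before the mapping runs, which is what
    the RequestHeader / del-header / fastcgi_param workarounds achieve.
    """
    env = {"REQUEST_METHOD": method}
    for name, value in headers:
        if strip_blocked and name.lower() in BLOCKED_HEADERS:
            continue
        env[cgi_meta_variable(name)] = value
    return env


def proxies_seen_by_client(env: Dict[str, str]) -> Dict[str, str]:
    """Which proxies a urllib-based subrequest would use under `env`.

    The given environment is swapped in only for the duration of the
    call.  A patched urllib checks the request type (REQUEST_METHOD) and
    discards an upper-case HTTP_PROXY under CGI, so even the unsanitised
    environment yields no HTTP proxy; outside CGI, HTTP_PROXY is honoured
    as ordinary client configuration.
    """
    with mock.patch.dict(os.environ, env, clear=True):
        return urllib.request.getproxies_environment()


if __name__ == "__main__":
    unsafe = build_cgi_environment(SAMPLE_HEADERS, strip_blocked=False)
    safe = build_cgi_environment(SAMPLE_HEADERS)
    print("vulnerable gateway exports HTTP_PROXY =", unsafe.get("HTTP_PROXY"))
    print("filtering gateway exports HTTP_PROXY  =", safe.get("HTTP_PROXY"))
    print("urllib proxies, unsafe env:", proxies_seen_by_client(unsafe))
    print("urllib proxies, safe env:  ", proxies_seen_by_client(safe))
```

The server-side filter and the library-side request-type check are independent layers: the filter removes the header before it can become a variable (condition 1 in the note), while the library check refuses to act on the variable under CGI (condition 2). Deploying the filter is still worthwhile on a patched interpreter, because other code paths on the host (shell tools, other language runtimes spawned from the script) may read HTTP_PROXY without any such check.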

VU#582497: Multiple Android applications fail to properly validate SSL certificates

Multiple Android applications fail to properly validate SSL certificates provided by HTTPS connections, which may allow an attacker to perform a man-in-the-middle (MITM) attack.

VU#758382: Unauthorized modification of UEFI variables in UEFI systems

Certain firmware implementations may not correctly protect and validate information contained in certain UEFI variables. Exploitation of such vulnerabilities could potentially lead to bypass of security features and/or denial of service for the platform.

VU#143335: mDNSResponder contains multiple memory-based vulnerabilities

mDNSResponder contains multiple memory-based vulnerabilities
Original Release date: 20 Jun 2016 | Last revised: 20 Jun 2016

Overview
mDNSResponder provides unicast and multicast mDNS services on UNIX-like operating systems such as OS X. mDNSResponder version 379.27 and above prior to version 625.41.2 is vulnerable to several buffer overflow vulnerabilities, as well as a null pointer dereference.

Description
CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') - CVE-2015-7987
Improper bounds checking in the "GetValueForIPv4Addr()", "GetValueForMACAddr()", "rfc3110_import()", and "CopyNSEC3ResourceRecord()" functions may allow an attacker to read or write memory.

CWE-476: NULL Pointer Dereference - CVE-2015-7988
Improper input validation in "handle_regservice_request()" may allow an attacker to execute arbitrary code or cause a denial of service.

Apple has also issued a security advisory for these issues. mDNSResponder-379.27 and later before mDNSResponder-625.41.2 are vulnerable to both issues. The CVSS score below is based on CVE-2015-7987.

Impact
A remote attacker may be able to execute arbitrary code or cause a denial of service on the system running mDNSResponder.

Solution
Apply an update
mDNSResponder 625.41.2 has been released to address these issues. Affected users should update as soon as possible.

Vendor Information
Vendor                       Status        Date Notified  Date Updated
Android Open Source Project  Affected      03 Nov 2015    27 Jan 2016
Apple                        Affected      16 Oct 2015    23 Oct 2015
Arista Networks, Inc.        Not Affected  22 Jan 2016    15 Feb 2016
CoreOS                       Not Affected  22 Jan 2016    25 Jan 2016
Debian GNU/Linux             Not Affected  23 Oct 2015    23 Oct 2015
Fedora Project               Not Affected  23 Oct 2015    22 Jan 2016
Infoblox                     Not Affected  22 Jan 2016    25 Jan 2016
Intel Corporation            Not Affected  22 Jan 2016    25 Jan 2016
Red Hat, Inc.                Not Affected  23 Oct 2015    22 Jan 2016
ACCESS                       Unknown       21 Mar 2016    21 Mar 2016
Alcatel-Lucent               Unknown       21 Mar 2016    21 Mar 2016
Arch Linux                   Unknown       23 Oct 2015    23 Oct 2015
Aruba Networks               Unknown       21 Mar 2016    21 Mar 2016
AT&T                         Unknown       21 Mar 2016    21 Mar 2016
Avaya, Inc.                  Unknown       22 Jan 2016    22 Jan 2016

CVSS Metrics
Group          Score  Vector
Base           6.8    AV:N/AC:M/Au:N/C:P/I:P/A:P
Temporal       5.3    E:POC/RL:OF/RC:C
Environmental  4.0    CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

Credit
Thanks to Apple for reporting this issue to us and working with us to coordinate the fix with vendors. This document was written by Garret Wassermann.

Other Information
CVE IDs: CVE-2015-7987, CVE-2015-7988
Date Public: 20 Jun 2016
Date First Published: 20 Jun 2016
Date Last Updated: 20 Jun 2016
Document Revision: 82

VU#867968: Microsoft Windows SMB Tree Connect Response denial of service vulnerability

Microsoft Windows contains a memory corruption bug in the handling of SMB traffic, which may allow a remote, unauthenticated attacker to cause a denial of service on a vulnerable system.

VU#978508: OpenSSL is vulnerable to a man-in-the-middle attack

OpenSSL is vulnerable to a man-in-the-middle attack.

VU#338624: U by BB&T iOS banking application fails to properly validate...

U by BB&T iOS banking application fails to properly validate SSL certificates
Original Release date: 30 Sep 2016 | Last revised: 06 Oct 2016

Overview
U by BB&T for iOS, version 1.5.4 and earlier, fails to properly validate SSL certificate...

VU#712660: Raritan PX power distribution software is vulnerable to the cipher...

Raritan PX power distribution software version 01.05.08 and previous running on a model DPXR20A-16 device allows remote attackers to bypass authentication and execute arbitrary IPMI commands by using cipher suite 0 (aka cipher zero) and an arbitrary password.