Stefan Kanthak | 27 Nov 21:28 2014

Defense in depth -- the Microsoft way (part 22): no DEP in Windows' filesystem (and ASLR barely used)

Hi @ll,

more than 20 years ago Microsoft introduced the NTFS filesystem
(supporting ACLs) and "user profiles" to separate user data
(with emphasis on "data") from the OS and each other.

More than 13 years ago Microsoft introduced "software restriction
policies" alias SAFER (<https://support.microsoft.com/kb/310791>,
<https://support.microsoft.com/kb/324036>,
<https://technet.microsoft.com/library/bb457006.aspx>,
<https://technet.microsoft.com/library/cc786941.aspx>,
<https://technet.microsoft.com/library/cc507878.aspx>).

JFTR: <http://csrc.nist.gov/itsec/SP800-68r1.pdf>
      <http://books.google.de/books?isbn=1437914926>
      <http://www.nsa.gov/ia/_files/os/win2k/application_whitelisting_using_srp.pdf>

      <http://www.asd.gov.au/infosec/top35mitigationstrategies.htm>

      | At least 85% of the targeted cyber intrusions that the Australian
                            ~~~~~~~~
      | Signals Directorate (ASD) responds to could be prevented by
      | following the Top 4 mitigation strategies listed in our Strategies
      | to Mitigate Targeted Cyber Intrusions:
      | #1 use application whitelisting to help prevent malicious software
      |    and unapproved programs from running
      ...

More than 10 years ago Microsoft introduced "data execution prevention"
alias DEP (<https://support.microsoft.com/kb/875352>,

security-alert | 27 Nov 19:28 2014

[security bulletin] HPSBGN03209 rev.1 - HP Application Lifecycle Management running SSLv3, Remote Disclosure of Information


Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04509419

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04509419
Version: 1

HPSBGN03209 rev.1 - HP Application Lifecycle Management running SSLv3, Remote
Disclosure of Information

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2014-11-27
Last Updated: 2014-11-27

Potential Security Impact: Remote disclosure of information

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP Application
Lifecycle Management running SSLv3.

This is the SSLv3 vulnerability known as "Padding Oracle on Downgraded Legacy
Encryption" also known as "Poodle", which could be exploited remotely to
allow disclosure of information.

security | 27 Nov 18:52 2014

[ MDVSA-2014:233 ] wordpress


 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2014:233
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : wordpress
 Date    : November 27, 2014
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated wordpress package fixes security vulnerabilities:

 XSS in wptexturize() via comments or posts, exploitable for
 unauthenticated users (CVE-2014-9031).

 XSS in media playlists (CVE-2014-9032).

 CSRF in the password reset process (CVE-2014-9033).

 Denial of service for giant passwords. The phpass library by Solar
 Designer was used in both projects without setting a maximum password
 length, which can lead to CPU exhaustion upon hashing (CVE-2014-9034).

 XSS in Press This (CVE-2014-9035).

 XSS in HTML filtering of CSS in posts (CVE-2014-9036).

Salvatore Bonaccorso | 27 Nov 17:55 2014

[SECURITY] [DSA 3078-1] libksba security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-3078-1                     security@debian.org
http://www.debian.org/security/                      Salvatore Bonaccorso
November 27, 2014                      http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : libksba
CVE ID         : CVE-2014-9087
Debian Bug     : 770972

An integer underflow flaw, leading to a heap-based buffer overflow, was
found in the ksba_oid_to_str() function of libksba, an X.509 and CMS
(PKCS#7) library. By using specially crafted S/MIME messages or ECC based
OpenPGP data, it is possible to create a buffer overflow, which could
cause an application using libksba to crash (denial of service), or
potentially, execute arbitrary code.

For the stable distribution (wheezy), this problem has been fixed in
version 1.2.0-2+deb7u1.

For the upcoming stable distribution (jessie), this problem has been
fixed in version 1.3.2-1.

For the unstable distribution (sid), this problem has been fixed in
version 1.3.2-1.

We recommend that you upgrade your libksba packages.

Further information about Debian Security Advisories, how to apply

Egidio Romano | 27 Nov 14:51 2014

[KIS-2014-13] Tuleap <= 7.6-4 (register.php) PHP Object Injection Vulnerability


-----------------------------------------------------------------
Tuleap <= 7.6-4 (register.php) PHP Object Injection Vulnerability
-----------------------------------------------------------------

[-] Software Links:

https://www.tuleap.org/
https://www.enalean.com/

[-] Affected Versions:

Version 7.6-4 and prior versions.

[-] Vulnerability Description:

The vulnerable code is located in the /src/www/project/register.php script:

27.	$request = HTTPRequest::instance();
28.	
29.	if (Config::get('sys_create_project_in_one_step')) {
30.	    $router = new Project_OneStepCreation_OneStepCreationRouter(
31.	        ProjectManager::instance(),
32.	        new Project_CustomDescription_CustomDescriptionFactory(new Project_CustomDescription ...
33.	    );
34.	    $router->route($request);
35.	    exit;
36.	}
37.	
38.	$current_step = $request->exist('current_step') ? $request->get('current_step') : 0;

security | 27 Nov 12:05 2014

[ MDVSA-2014:232 ] glibc


 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2014:232
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : glibc
 Date    : November 27, 2014
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated glibc package fixes security vulnerability:

 The function wordexp() fails to properly handle the WRDE_NOCMD
 flag when processing arithmetic inputs in the form of $((... ``))
 where ... can be anything valid. The backticks in the arithmetic
 expression are evaluated in a shell even if WRDE_NOCMD forbade
 command substitution. This allows an attacker to attempt to pass
 dangerous commands via constructs of the above form, and bypass the
 WRDE_NOCMD flag. This update fixes the issue (CVE-2014-7817).
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7817
 http://advisories.mageia.org/MGASA-2014-0496.html
 _______________________________________________________________________

security | 27 Nov 11:59 2014

[ MDVSA-2014:231 ] icecast


 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2014:231
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : icecast
 Date    : November 27, 2014
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated icecast package fixes security vulnerability:

 Icecast did not properly handle the launching of scripts on connect
 or disconnect of sources. This could result in sensitive information
 from these scripts leaking to (external) clients (CVE-2014-9018).
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9018
 http://advisories.mageia.org/MGASA-2014-0494.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 1/X86_64:

security | 27 Nov 09:26 2014

[ MDVSA-2014:230 ] kernel


 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2014:230
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : kernel
 Date    : November 27, 2014
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Multiple vulnerabilities have been found and corrected in the Linux
 kernel:

 The WRMSR processing functionality in the KVM subsystem in the
 Linux kernel through 3.17.2 does not properly handle the writing of a
 non-canonical address to a model-specific register, which allows guest
 OS users to cause a denial of service (host OS crash) by leveraging
 guest OS privileges, related to the wrmsr_interception function in
 arch/x86/kvm/svm.c and the handle_wrmsr function in arch/x86/kvm/vmx.c
 (CVE-2014-3610).

 Race condition in the __kvm_migrate_pit_timer function in
 arch/x86/kvm/i8254.c in the KVM subsystem in the Linux kernel through
 3.17.2 allows guest OS users to cause a denial of service (host OS
 crash) by leveraging incorrect PIT emulation (CVE-2014-3611).


security-alert | 26 Nov 18:27 2014

[security bulletin] HPSBGN03202 rev.1 - HP CMS: Configuration Manager running OpenSSL, Remote Disclosure of Information


Note: the current version of the following document is available here:
https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04507568

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: c04507568
Version: 1

HPSBGN03202 rev.1 - HP CMS: Configuration Manager running OpenSSL, Remote
Disclosure of Information

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2014-11-26
Last Updated: 2014-11-26

Potential Security Impact: Remote disclosure of information

Source: Hewlett-Packard Company, HP Software Security Response Team

VULNERABILITY SUMMARY
A potential security vulnerability has been identified with HP CMS:
Configuration Manager running OpenSSL.

This is the SSLv3 vulnerability known as "Padding Oracle on Downgraded Legacy
Encryption" also known as "Poodle", which could be exploited remotely to
allow disclosure of information.

Moritz Muehlenhoff | 26 Nov 20:10 2014

[SECURITY] [DSA 3077-1] openjdk-6 security update


-------------------------------------------------------------------------
Debian Security Advisory DSA-3077-1                     security@debian.org
http://www.debian.org/security/                        Moritz Muehlenhoff
November 26, 2014                      http://www.debian.org/security/faq
-------------------------------------------------------------------------

Package        : openjdk-6
CVE ID         : CVE-2014-6457 CVE-2014-6502 CVE-2014-6504 CVE-2014-6506 
                 CVE-2014-6511 CVE-2014-6512 CVE-2014-6517 CVE-2014-6519
                 CVE-2014-6531 CVE-2014-6558

Several vulnerabilities have been discovered in OpenJDK, an 
implementation of the Oracle Java platform, resulting in the execution 
of arbitrary code, information disclosure or denial of service.

For the stable distribution (wheezy), these problems have been fixed in
version 6b33-1.13.5-2~deb7u1.

We recommend that you upgrade your openjdk-6 packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org

security | 26 Nov 17:02 2014

[ MDVSA-2014:229 ] libvncserver


 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2014:229
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : libvncserver
 Date    : November 26, 2014
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated libvncserver packages fix security vulnerabilities:

 A malicious VNC server can trigger incorrect memory management handling
 by advertising a large screen size parameter to the VNC client. This
 would result in multiple memory corruptions and could allow remote
 code execution on the VNC client (CVE-2014-6051, CVE-2014-6052).

 A malicious VNC client can trigger multiple DoS conditions on the VNC
 server by advertising a large screen size, ClientCutText message length
 and/or a zero scaling factor parameter (CVE-2014-6053, CVE-2014-6054).

 A malicious VNC client can trigger multiple stack-based buffer
 overflows by passing long file and directory names and/or
 attributes (FileTime) when using the file transfer message feature
 (CVE-2014-6055).

