Category Archives: Security Focus


Oracle E-Business Suite CVE-2017-10416 Remote Security Vulnerability


Bugtraq ID: 101303
Class: Unknown
CVE:

CVE-2017-10416

Remote: Yes
Local: No
Published: Oct 17 2017 12:00AM
Updated: Oct 19 2017 10:03AM
Credit: Vahagn Vardanyan of ERPScan
Vulnerable:

Oracle E-Business Suite 12.2.7
Oracle E-Business Suite 12.2.6
Oracle E-Business Suite 12.2.3
Oracle E-Business Suite 12.2.5
Oracle E-Business Suite 12.2.4

Not Vulnerable:

lcms2 CVE-2016-10165 Out-of-Bounds Read Denial of Service Vulnerability

Vulnerable:

Oracle JRockit R28.3.15
Oracle JRE(Windows Production Release) 1.9
Oracle JRE(Windows Production Release) 1.8 Update 144
Oracle JRE(Windows Production Release) 1.7 Update 151
Oracle JRE(Solaris Production Release) 1.9
Oracle JRE(Solaris Production Release) 1.8 Update 144
Oracle JRE(Solaris Production Release) 1.7 Update 151
Oracle JRE(Linux Production Release) 1.9
Oracle JRE(Linux Production Release) 1.8 Update 144
Oracle JRE(Linux Production Release) 1.7 Update 151
Oracle JDK(Windows Production Release) 1.9
Oracle JDK(Windows Production Release) 1.8 Update 144
Oracle JDK(Windows Production Release) 1.7 Update 151
Oracle JDK(Solaris Production Release) 1.9
Oracle JDK(Solaris Production Release) 1.8 Update 144
Oracle JDK(Solaris Production Release) 1.7 Update 151
Oracle JDK(Linux Production Release) 1.9
Oracle JDK(Linux Production Release) 1.8 Update 144
Oracle JDK(Linux Production Release) 1.7 Update 151
lcms2 lcms2 0
Debian Linux 6.0 sparc
Debian Linux 6.0 s/390
Debian Linux 6.0 powerpc
Debian Linux 6.0 mips
Debian Linux 6.0 ia-64
Debian Linux 6.0 ia-32
Debian Linux 6.0 arm
Debian Linux 6.0 amd64

Oracle E-Business Suite CVE-2017-10417 Remote Security Vulnerability


Bugtraq ID: 101308
Class: Unknown
CVE:

CVE-2017-10417

Remote: Yes
Local: No
Published: Oct 17 2017 12:00AM
Updated: Oct 17 2017 10:03PM
Credit: Vahagn Vardanyan of ERPScan
Vulnerable:

Oracle E-Business Suite 12.2.7
Oracle E-Business Suite 12.2.6
Oracle E-Business Suite 12.2.3
Oracle E-Business Suite 12.2.5
Oracle E-Business Suite 12.2.4

Not Vulnerable:


Oracle E-Business Suite CVE-2017-10329 Remote Security Vulnerability


Bugtraq ID: 101300
Class: Unknown
CVE:

CVE-2017-10329

Remote: Yes
Local: No
Published: Oct 17 2017 12:00AM
Updated: Oct 17 2017 10:03PM
Credit: Juan Pablo Perez Etchegoyen of Onapsis
Vulnerable:

Oracle E-Business Suite 12.2.7
Oracle E-Business Suite 12.2.6
Oracle E-Business Suite 12.2.3
Oracle E-Business Suite 12.1.2
Oracle E-Business Suite 12.1.1
Oracle E-Business Suite 12.2.5
Oracle E-Business Suite 12.2.4
Oracle E-Business Suite 12.1.3

Not Vulnerable:


SecurityFocus

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- -------------------------------------------------------------------------
Debian Security Advisory DSA-3999-1      security (at) debian (dot) org [email concealed]
https://www.debian.org/security/                         Yves-Alexis Perez
October 16, 2017                      https://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package : wpa
CVE ID : CVE-2017-13077 CVE-2017-13078 CVE-2017-13079 CVE-2017-13080
CVE-2017-13081 CVE-2017-13082 CVE-2017-13086 CVE-2017-13087
CVE-2017-13088

Mathy Vanhoef of the imec-DistriNet research group of KU Leuven discovered
multiple vulnerabilities in the WPA protocol, used for authentication in
wireless networks. These vulnerabilities apply to both the access point
(implemented in hostapd) and the station (implemented in wpa_supplicant).

An attacker exploiting the vulnerabilities could force the vulnerable system to
reuse cryptographic session keys, enabling a range of cryptographic attacks
against the ciphers used in WPA1 and WPA2.

More information can be found in the researchers' paper, Key Reinstallation
Attacks: Forcing Nonce Reuse in WPA2.

CVE-2017-13077: reinstallation of the pairwise key in the Four-way handshake
CVE-2017-13078: reinstallation of the group key in the Four-way handshake
CVE-2017-13079: reinstallation of the integrity group key in the Four-way
handshake
CVE-2017-13080: reinstallation of the group key in the Group Key handshake
CVE-2017-13081: reinstallation of the integrity group key in the Group Key
handshake
CVE-2017-13082: accepting a retransmitted Fast BSS Transition Reassociation
Request and reinstalling the pairwise key while processing it
CVE-2017-13086: reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey
(TPK) key in the TDLS handshake
CVE-2017-13087: reinstallation of the group key (GTK) when processing a
Wireless Network Management (WNM) Sleep Mode Response frame
CVE-2017-13088: reinstallation of the integrity group key (IGTK) when
processing a Wireless Network Management (WNM) Sleep Mode
Response frame
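The common thread of the CVEs listed above is that a key which is already in use gets installed a second time, which resets the per-packet counters that CCMP uses as its nonce. The following C model, written for this page and not taken from hostapd or wpa_supplicant, shows the counter reset that a naive installation causes, the one-line state check that prevents it, and a monitoring-side check for a repeated packet number. The key bytes and packet-number sequences are constructed test data.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model written for this page (not hostapd/wpa_supplicant code) of what a
   key *reinstallation* does to a station's per-packet counters. CCMP uses
   the transmit packet number as its nonce, so a reset means nonce reuse. */
#define KEY_LEN 16

typedef struct {
    uint8_t  ptk[KEY_LEN];
    int      installed;
    uint64_t tx_pn;      /* next transmit packet number (the CCMP nonce) */
    uint64_t rx_replay;  /* highest packet number accepted so far */
} sta_keys;

/* Vulnerable behaviour: every installation, including one triggered by a
   retransmitted handshake message carrying the same PTK, zeroes the counters. */
static void install_ptk_naive(sta_keys *s, const uint8_t *ptk) {
    memcpy(s->ptk, ptk, KEY_LEN);
    s->installed = 1;
    s->tx_pn = 0;
    s->rx_replay = 0;
}

/* Mitigated behaviour: a key that is already in use is not installed again,
   so the counters keep advancing. Returns 1 if installed, 0 if ignored. */
static int install_ptk_once(sta_keys *s, const uint8_t *ptk) {
    if (s->installed && memcmp(s->ptk, ptk, KEY_LEN) == 0)
        return 0;
    install_ptk_naive(s, ptk);  /* a genuinely new key starts fresh */
    return 1;
}

/* Hand out the nonce for the next frame. */
static uint64_t next_tx_pn(sta_keys *s) { return s->tx_pn++; }

/* Simulate: the handshake completes, the station sends frames_sent frames,
   then the same message 3 arrives again. Returns the nonce used for the next
   frame; 0 means a nonce already used under this key is reused. */
static uint64_t nonce_after_retransmit(int mitigated, int frames_sent) {
    static const uint8_t ptk[KEY_LEN] = {  /* constructed test key */
        0x10,0x11,0x12,0x13,0x14,0x15,0x16,0x17,
        0x18,0x19,0x1a,0x1b,0x1c,0x1d,0x1e,0x1f };
    sta_keys s;
    memset(&s, 0, sizeof s);
    install_ptk_once(&s, ptk);            /* first install, both variants alike */
    for (int i = 0; i < frames_sent; i++)
        next_tx_pn(&s);
    if (mitigated)
        install_ptk_once(&s, ptk);        /* ignored: same key already installed */
    else
        install_ptk_naive(&s, ptk);       /* counters reset to zero */
    return next_tx_pn(&s);
}

/* Monitoring-side check: given the packet numbers seen under one key, return
   the index of the first repeat, or -1 if every nonce was fresh. */
static int first_reused_pn(const uint64_t *pns, size_t n) {
    for (size_t i = 1; i < n; i++)
        for (size_t j = 0; j < i; j++)
            if (pns[i] == pns[j]) return (int)i;
    return -1;
}

int main(void) {
    printf("naive: next nonce after retransmit = %llu\n",
           (unsigned long long)nonce_after_retransmit(0, 5));
    printf("mitigated: next nonce after retransmit = %llu\n",
           (unsigned long long)nonce_after_retransmit(1, 5));
    return 0;
}
```

The naive variant hands out nonce 0 a second time after five frames have already been sent under the key; the mitigated variant continues at 5. A capture that shows the same packet number twice under one key is the observable symptom on the wire.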

For the oldstable distribution (jessie), these problems have been fixed
in version 2.3-1+deb8u5.

For the stable distribution (stretch), these problems have been fixed in
version 2:2.4-1+deb9u1.

For the testing distribution (buster), these problems have been fixed
in version 2:2.4-1.1.

For the unstable distribution (sid), these problems have been fixed in
version 2:2.4-1.1.

We recommend that you upgrade your wpa packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce (at) lists.debian (dot) org [email concealed]
-----BEGIN PGP SIGNATURE-----

iQEzBAEBCgAdFiEE8vi34Qgfo83x35gF3rYcyPpXRFsFAlnkeBwACgkQ3rYcyPpX
RFtQLAgAv5ntBMhlw9vrNGPxIrnFZiqI6rOCeiu9fw1ijrGKDmuIdewuIO8IY+KA
lYbxd5f+4X6nV2kwG6NwLzxV/Tl16hs8vRC9OGWEPPn9eW8XJE8jNU/m4Ca9cBGF
JaNT2ntdCHrSlORaMf2wv8AaV799Dh3ZRiO0+IyAtQQucfEndwmUHEGO+igTElJ3
aBrfRRs+SFjYsSSw+JOM7jwk9XPX/0Isg05JNMYYUbo5vjidjiCLkSIYQp7ssMlj
8ObfHdQzxGiyDHCeA0SJv34X4LYEOs2PT7krRCaFms+6A3o8AJx9Tw6K8iO24cYs
ttgxTMQRvkOyYBaV4h2rI7IOW2ViAA==
=/khK
-----END PGP SIGNATURE-----



SecurityFocus

SEC Consult Vulnerability Lab Security Advisory
=======================================================================
title: Multiple vulnerabilities
product: Micro Focus VisiBroker C++
vulnerable version: 8.5 SP2
fixed version: 8.5 SP4 HF3
CVE number: CVE-2017-9281, CVE-2017-9282, CVE-2017-9283
impact: High
homepage: https://www.microfocus.com/products/corba/visibroker/
found: 2017-04
by: W. Ettlinger (Office Vienna)
SEC Consult Vulnerability Lab

An integrated part of SEC Consult
Bangkok – Berlin – Linz – Luxembourg – Montreal – Moscow
Kuala Lumpur – Singapore – Vienna (HQ) – Vilnius – Zurich

https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"VisiBroker(TM) is a comprehensive CORBA environment for developing, deploying,
and managing distributed applications. Built on open industry standards and a
high-performance architecture, VisiBroker is especially suited to low-latency,
complex, data-oriented, transaction-intensive, mission-critical environments.
Using VisiBroker(R), organizations can develop, connect, and deploy complex
distributed applications that have to meet very high performance and reliability
standards. With more than 30 million licenses in use, VisiBroker is the world's
most widely deployed CORBA Object Request Broker (ORB) infrastructure."

URL: https://www.microfocus.com/products/corba/visibroker/

Business recommendation:
------------------------
During a superficial fuzzing test, SEC Consult found several memory corruption
vulnerabilities that allow denial of service attacks or potentially arbitrary
code execution. Although the fuzzing test had only very limited coverage,
several vulnerabilities were identified. Assuming the code quality is
homogeneous, it is possible that other parts of the application exhibit similar
issues.

SEC Consult did not attempt to fully evaluate the potential impact of the
identified vulnerabilities.

SEC Consult recommends decommissioning any VisiBroker C++ component that
communicates with untrusted entities until a full security audit has been
performed. Moreover, SEC Consult recommends restricting network access to all
CORBA services that utilize the VisiBroker C++ environment.

Vulnerability overview/description:
-----------------------------------
1) Integer Overflow / Out of Bounds Read (Denial of Service) [CVE-2017-9281]
By specifying a large value for a length field, an integer overflow occurs.
As a result, the application reads memory until a non-mapped memory region
is reached. This causes the application to encounter a segmentation fault.

2) Integer Overflow (Heap Overwrite) [CVE-2017-9282]
By specifying a manipulated value for a length field an attacker can cause an
integer overflow. This causes the application to allocate too little memory.
When the application attempts to write to this memory buffer, heap memory is
overwritten leading to denial of service or potentially arbitrary code
execution.

3) Out of Bounds Read [CVE-2017-9283]
By specifying a manipulated value for a length field, an attacker can cause
the application to read past an allocated memory region.

4) Use after Free
SEC Consult found that the application under certain circumstances tries to
access a memory region that has been deallocated before.

It is unclear whether Micro Focus fixed the root cause of this behaviour. As
the vendor was unable to reproduce the vulnerability in the current version,
Micro Focus believes that the vulnerability was fixed with a previous update.

Since SEC Consult is unsure whether Micro Focus found the root cause of the
vulnerability, we refrain from releasing proof of concept code.

Proof of concept:
-----------------
A service implementing the following IDL was used to identify the
vulnerabilities listed here:

    module Bank {
        interface Account {
            float balance(in string test);
        };
        interface AccountManager {
            Account open(in string name);
        };
    };

The implemented service was based on the Visibroker example project
“bank_agent”.

1) Integer Overflow / Out of Bounds Read (Denial of Service)
The method

    CORBA_MarshalOutBuffer *__cdecl CORBA_MarshalOutBuffer::put(
        CORBA_MarshalOutBuffer *this,
        const char *src,
        unsigned int size)

is used to copy/append a char[] into a buffer. If the size of the data that is
stored in the buffer plus the size of the char[] to be appended exceeds the
allocated size, the method reallocates the buffer. By choosing the
size of the char[] as e.g. 0xffffffff (on 32 bit systems) an integer overflow
can be caused. The method then continues without allocating additional memory.

However, the application then expects that the source buffer contains 0xffffffff
bytes of memory. Since this would exceed the available process memory on 32 bit
systems, the application’s attempt to copy data to the destination buffer fails
with an out of bounds read.

The following binary request demonstrates this issue for the IDL above:
47494f5001020000000000860000000203000000000000000000002b00504d4300000004
00000010
2f62616e6b5f6167656e745f706f610000ffffff42616e6b4d616e616765720000000005
6f70656e
0000000000000002000000010000000c0000000000010001000101095649530600000005
00070801
83000000000000000000000e4a61636b20422e20517569636b00

2) Integer Overflow (Heap Overwrite)
The method

    int __cdecl CORBA::string_alloc(unsigned int size)

is used to allocate buffers for strings. Since it allocates size + 1 bytes of
heap memory, specifying 0xffffffff causes an integer overflow leading to the
allocation of 0 bytes. This causes heap memory to be overwritten.

SEC Consult was able to use the following request to cause corruption of heap
structures:
47494f5001020000000000860000000203000000000000000000002b00504d4300000004
00000010
2f62616e6b5f6167656e745f706f61000000000b42616e6b4d616e616765720000000005
6f70656e
0000000000000002000000010000000c0000000000010001000101095649530600000005
00070801
8300000000000000ffffffff4a61636b20422e20517569636b00

3) Out of Bounds Read
The constructor

    int __cdecl VISServiceId::VISServiceId(
        VISServiceId *this,
        CORBA_MarshalInBuffer *a2,
        unsigned __int32 a3,
        unsigned __int8 *a4)

parses the GIOP key address. The VisiBroker key address consists of two strings.
Before each string, a long (32 bit) value specifies the length of the
string. To calculate the offset of the second string, the size of the first
string is used. If this value is chosen so that the offset of the second string
is outside of the GIOP message, an out of bounds read occurs.

The following binary request demonstrates this issue for the IDL above:
47494f5001020000000000860000000203000000000000000000002b00504d4300000004
80000000
2f62616e6b5f6167656e745f706f61000000000b42616e6b4d616e616765720000000005
6f70656e
0000000000000002000000010000000c0000000000010001000101095649530600000005
00070801
83000000000000000000000e4a61636b20422e20517569636b00
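Issues 1 to 3 are all the same defect: a 32-bit length taken from the message is added to something, or used as an offset, before anyone checks that the arithmetic cannot wrap and that the bytes it claims actually exist. The C below is an illustration written for this page, not VisiBroker's or SEC Consult's code; it uses simplified stand-ins for the three described functions (a growable marshal buffer, a string allocator, and a two-string key-address parser), assumes big-endian length fields, and embeds two constructed key-address samples built from the object names in the IDL above.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Illustration written for this page, not VisiBroker's code: the bounds
   checks that issues 1-3 above lack, on simplified stand-ins for the
   functions described. */

typedef struct {
    unsigned char *data;
    uint32_t used;
    uint32_t cap;
} marshal_buf;

/* Issue 1, vulnerable shape: "does the appended data still fit?" written as
   used + size > cap wraps when size is close to UINT32_MAX, so the buffer is
   never grown. Returns what that test decides, to make the wrap visible. */
static int naive_needs_growth(uint32_t used, uint32_t size, uint32_t cap) {
    return (uint32_t)(used + size) > cap;
}

/* Issue 1, hardened: the claimed size may not exceed the input actually
   present, and the overflow test happens before the addition. */
static int buf_put(marshal_buf *b, const unsigned char *src,
                   uint32_t src_avail, uint32_t size) {
    if (size > src_avail) return -1;             /* claims more than present */
    if (size > UINT32_MAX - b->used) return -1;  /* used + size would wrap */
    if (b->used + size > b->cap) {
        uint32_t ncap = b->used + size;
        unsigned char *n = realloc(b->data, ncap);
        if (n == NULL) return -1;
        b->data = n;
        b->cap = ncap;
    }
    memcpy(b->data + b->used, src, size);
    b->used += size;
    return 0;
}

/* Issue 2, hardened: size + 1 for the terminator must not wrap to 0. */
static char *string_alloc_checked(uint32_t size) {
    if (size == UINT32_MAX) return NULL;
    return malloc((size_t)size + 1);
}

/* Issue 3: key address = [len1][str1][len2][str2]. Lengths are read as
   big-endian here (an assumption of this example; real GIOP carries a
   byte-order flag), and each length is checked against the bytes that
   remain in the message before it is used as an offset. */
typedef struct {
    const unsigned char *s1; uint32_t len1;
    const unsigned char *s2; uint32_t len2;
} key_address;

static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static int parse_key_address(const unsigned char *msg, uint32_t msg_len,
                             key_address *out) {
    uint32_t off = 0;
    if (msg_len - off < 4) return -1;
    out->len1 = be32(msg + off); off += 4;
    if (out->len1 > msg_len - off) return -1;  /* first string must fit */
    out->s1 = msg + off; off += out->len1;
    if (msg_len - off < 4) return -1;
    out->len2 = be32(msg + off); off += 4;
    if (out->len2 > msg_len - off) return -1;  /* second string must fit */
    out->s2 = msg + off;
    return 0;
}

/* Constructed samples using the object names from the IDL above. */
static const unsigned char sample_good[] = {
    0x00,0x00,0x00,0x10,
    '/','b','a','n','k','_','a','g','e','n','t','_','p','o','a',0x00,
    0x00,0x00,0x00,0x0b,
    'B','a','n','k','M','a','n','a','g','e','r'
};
/* The same message with the first length replaced by 0x80000000. */
static const unsigned char sample_bad[] = {
    0x80,0x00,0x00,0x00,
    '/','b','a','n','k','_','a','g','e','n','t','_','p','o','a',0x00,
    0x00,0x00,0x00,0x0b,
    'B','a','n','k','M','a','n','a','g','e','r'
};

int main(void) {
    key_address ka;
    printf("naive growth test, size 0xffffffff: %d\n",
           naive_needs_growth(0x20, 0xffffffffu, 0x100));
    printf("good sample: %d, bad sample: %d\n",
           parse_key_address(sample_good, sizeof sample_good, &ka),
           parse_key_address(sample_bad, sizeof sample_bad, &ka));
    return 0;
}
```

The order of the checks in buf_put matters: comparing size against the bytes still available in the input rejects the 0xffffffff case before any arithmetic, and the subtraction-based test (size > UINT32_MAX - used) cannot itself wrap, which is what makes it safe on a 32-bit build.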

4) Use after Free / Denial of Service
Micro Focus did not clearly state that the root cause of the vulnerability has
been fixed. As a precaution we refrain from releasing proof of concept code.

Vulnerable / tested versions:
-----------------------------
At least VisiBroker C++ 8.5 SP2 has been found to be vulnerable. According to
the vendor, versions of VisiBroker 8.5 prior to SP4 HF3 are vulnerable to
issues #1 - #3.

Vendor contact timeline:
------------------------
2017-05-03: Contacting vendor through security (at) microfocus (dot) com [email concealed], attaching
            encrypted security advisory
2017-05-03: Vendor: will inform us about the timeframe once the findings
            have been reproduced
2017-05-26: Vendor: were able to reproduce first 3 issues; requested
            further information for vulnerability #4
2017-05-30: Providing further information for vulnerability #4
2017-06-21: Requesting status update
2017-06-28: Vendor: First three issues have been fixed by the development team,
            "They have reproduced the fourth and are working on it now."
2017-06-30: Vendor: Patch will be available in a few weeks
2017-07-28: Requesting status update
2017-08-02: Vendor: There is no fixed release date for the patch yet
2017-08-28: Vendor: Initial test run found an issue that has been fixed
2017-09-15: Requesting status update
2017-09-15: Vendor: "The patches were just released on the 12th and 13th"
2017-09-18: Asking for further information about CVEs, affected versions
2017-09-21: Vendor: Issue #4 has not been fixed since the team was unable to
            reproduce it (the vendor stated that the issue has been reproduced,
            see 2017-06-26). "They [the team] believe it was already fixed by
            an earlier modification."
2017-09-27: Requesting clarification for issue #4
2017-09-27: Vendor: The team initially thought they had reproduced the issue;
            this was an unrelated issue that was fixed as well.
2017-10-16: Public release of the advisory

Solution:
---------
Upgrade to version 8.5 Service Pack 4 Hotfix 3. The release notes with
information on how to obtain this hotfix can be obtained here:
https://community.microfocus.com/microfocus/corba/visibroker_-_world_class_middleware/w/knowledge_base/29171/visibroker-8-5-service-pack-4-hotfix-3-security-fixes

Workaround:
-----------
None

Advisory URL:
-------------
https://www.sec-consult.com/en/vulnerability-lab/advisories/index.html

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult
Bangkok – Berlin – Linz – Luxembourg – Montreal – Moscow
Kuala Lumpur – Singapore – Vienna (HQ) – Vilnius – Zurich

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult. It
ensures the continued knowledge gain of SEC Consult in the field of network
and application security to stay ahead of the attacker. The SEC Consult
Vulnerability Lab supports high-quality penetration testing and the evaluation
of new offensive and defensive technologies for our customers. Hence our
customers obtain the most current information about vulnerabilities and valid
recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://www.sec-consult.com/en/career/index.html

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://www.sec-consult.com/en/contact/index.html
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF W. Ettlinger / @2017




SecurityFocus

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Note: the current version of the following document is available here:

https://softwaresupport.hpe.com/km/KM02987868

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: KM02987868
Version: 1

MFSBGN03786 rev.1 - HPE Connected Backup, Local Escalation of Privilege

NOTICE: The information in this Security Bulletin should be acted upon as
soon as possible.

Release Date: 2017-10-13
Last Updated: 2017-10-13

Potential Security Impact: Local: Elevation of Privilege

Source: Micro Focus, Product Security Response Team

VULNERABILITY SUMMARY

A potential security vulnerability has been identified in the HPE Connected
Backup agent. This vulnerability could be exploited locally to allow
escalation of privilege.

References:

- CVE-2017-14355 - Local Escalation of Privilege

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.

- Connected Backup - v8.6, v8.8.6

BACKGROUND

CVSS Base Metrics
=================

Reference, CVSS V3 Score/Vector, CVSS V2 Score/Vector

Micro Focus would like to thank Peter Lapp (lappsec) for reporting this issue
to security-alert (at) hpe (dot) com [email concealed]

RESOLUTION

Micro Focus has made the following mitigation steps available to resolve the
vulnerability in the impacted versions of Connected Backup.

* **SaaS customers** - Connected Backup agent version 8.8.7.1 is available
via your Support Center

* **On-prem/licensed customers** - Connected Backup agent version 8.8.7.1 is
available at

HISTORY

Version:1 (rev.1) - 13 October 2017 Initial release

Third Party Security Patches: Third party security patches that are to be installed on
systems running Micro Focus products should be applied in accordance with the customer's
patch management policy.

Support: For issues about implementing the recommendations of this Security Bulletin, contact normal Micro Focus services support channel.

For other issues about the content of this Security Bulletin, send e-mail to cyber-psrt (at) hpe (dot) com. [email concealed]

Report: To report a potential security vulnerability for any supported product:

Web form: https://www.microfocus.com/support-and-services/report-security

Email: cyber-psrt (at) hpe (dot) com [email concealed]

Software Product Category: The Software Product Category is represented in
the title by the two characters following Micro Focus Security Bulletin.

3P = 3rd Party Software
GN = Micro Focus General Software
MU = Multi-Platform Software

System management and security procedures must be reviewed frequently to maintain system integrity.
Micro Focus is continually reviewing and enhancing the security features of software products to provide
customers with current secure solutions.

"Micro Focus is broadly distributing this Security Bulletin in order to bring to the attention of users of the
affected Micro Focus products the important security information contained in this Bulletin. Micro Focus recommends
that all users determine the applicability of this information to their individual situations and take appropriate action.
Micro Focus does not warrant that this information is necessarily accurate or complete for all user situations and, consequently,
Micro Focus will not be responsible for any damages resulting from user's use or disregard of the information provided in
this Security Bulletin. To the extent permitted by law, Micro Focus disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement."

Copyright 2017 EntIT Software LLC

Micro Focus shall not be liable for technical or editorial errors or omissions contained herein.
The information provided is provided "as is" without warranty of any kind. To the extent permitted by law,
neither Micro Focus nor its affiliates, subcontractors or suppliers will be liable for incidental, special
or consequential damages including downtime cost; lost profits; damages relating to the procurement of
substitute products or services; or damages for loss of data, or software restoration.
The information in this document is subject to change without notice. Micro Focus and the names of
Micro Focus products referenced herein are trademarks of Micro Focus in the United States and other countries.
Other product and company names mentioned herein may be trademarks of their respective owners.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJZ4SE6AAoJEHfErXedNUNK/moH/2FLMQWcsZbe5Y131SjWKPa2
+ZYN2qhXJXK638+k2HjfeLn0rdTpNgStthx9NNZOQONH3PtDjZr0TRBQsy9BgH5f
cdlhdVbXdcx9IcozalYOzcDSkeeGCROUrA6NVIsQZeESCMJ2xwFdXjNk1o+s9qZz
nEqIMaMtIcX+KC511vnb3fXkBbQZpebXRSIsX6NS10G2GfUSZA0jkDCRIH3YB6ED
juWXdRfHExA8QXxIveXDLkoNMkTGSsInELLyrVVUUuxdSi0olWRbWh+7lJSG9A2S
QBrHJGdjQ2F7kuN3UtULs2ERrk15vtDzz58pvN14m9A5+b2VJzKQG4situ52odY=
=QfZo
-----END PGP SIGNATURE-----



SecurityFocus

X41 D-Sec GmbH Security Advisory: X41-2017-010

Command Execution in Shadowsocks-libev
======================================

Overview
——–
Severity Rating: High
Confirmed Affected Versions: 3.1.0
Confirmed Patched Versions: N/A
Vendor: Shadowsocks
Vendor URL: https://github.com/shadowsocks/shadowsocks-libev
Vector: Local
Credit: X41 D-Sec GmbH, Niklas Abel
Status: Public
CVE: not yet assigned
Advisory-URL:
https://www.x41-dsec.de/lab/advisories/x41-2017-010-shadowsocks-libev/

Summary and Impact
------------------
Shadowsocks-libev offers local command execution via the configuration file
and/or, additionally, code execution via a UDP request on 127.0.0.1.

The configuration file on the file system or the JSON configuration
received via UDP request is parsed and the arguments are passed to the
"add_server" function.
The function calls "construct_command_line(manager, server);", which
returns a string built from the parsed configuration.
The string gets executed at line 486, "if (system(cmd) == -1) {", so if a
configuration parameter contains "||evil command&&" within the "method"
parameter, the evil command will get executed.

The ss-manager uses UDP port 8830 to get control commands on 127.0.0.1.
By default no authentication is required, although a password can be set
with the '-k' parameter.

Product Description
-------------------
Shadowsocks-libev is a lightweight secured SOCKS5 proxy for embedded
devices and low-end boxes. The ss-manager is meant to control
Shadowsocks servers for multiple users; it spawns new servers if needed.

It is a port of Shadowsocks created by @clowwindy, and maintained by
@madeye and @linusyang.

Proof of Concept
----------------
As passed configuration requests get executed, the following command
will create the file "evil" in /tmp/ on the server:

    nc -u 127.0.0.1 8839
    add: {"server_port":8003, "password":"test", "method":"||touch /tmp/evil||"}

The code is executed through shadowsocks-libev/src/manager.c.
If the configuration file on the file system is manipulated, the code
would get executed as soon as a Shadowsocks instance is started from
ss-manager, as long as the malicious part of the configuration has not
been overwritten.
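The root cause above is that configuration values are concatenated into one string and handed to system(), which runs a shell, so any metacharacter in the "method" field becomes a command. The following C is an illustration written for this page, not shadowsocks-libev's code: it validates the received fields against a narrow character set and launches the child through an argv vector with execvp(), where no shell ever sees the values. The binary name "ss-server" and the flags -p, -k and -m are assumptions of this example, and the configurations used in the test are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/types.h>

/* Illustration written for this page, not shadowsocks-libev code: validate
   what a manager receives and spawn the server without a shell. */

typedef struct {
    int  port;
    char password[64];
    char method[32];
} server_cfg;

/* A cipher name is letters, digits and '-' only (e.g. "aes-256-gcm");
   anything a shell could interpret ('|', '&', ';', '$', space, ...) fails. */
static int method_is_valid(const char *m) {
    size_t n = strlen(m);
    if (n == 0 || n > 31) return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)m[i];
        if (!(isalnum(c) || c == '-')) return 0;
    }
    return 1;
}

/* The password travels as its own argv element, so shell metacharacters are
   harmless there; only length and control characters are restricted. */
static int password_is_valid(const char *p) {
    size_t n = strlen(p);
    if (n == 0 || n > 63) return 0;
    for (size_t i = 0; i < n; i++)
        if (iscntrl((unsigned char)p[i])) return 0;
    return 1;
}

static int cfg_is_valid(const server_cfg *c) {
    return c->port > 0 && c->port < 65536 &&
           password_is_valid(c->password) && method_is_valid(c->method);
}

/* Build the argv vector for the child. Flag names and argv[0] are an
   assumption of this example. Returns -1 and builds nothing on bad input. */
#define ARGV_MAX 8
static int build_argv(const server_cfg *c, char *port_buf, size_t port_buf_len,
                      char *argv[ARGV_MAX]) {
    if (!cfg_is_valid(c)) return -1;
    snprintf(port_buf, port_buf_len, "%d", c->port);
    argv[0] = "ss-server";
    argv[1] = "-p"; argv[2] = port_buf;
    argv[3] = "-k"; argv[4] = (char *)c->password;
    argv[5] = "-m"; argv[6] = (char *)c->method;
    argv[7] = NULL;
    return 0;
}

/* Launch without a shell: fork + execvp on the vector. Each value reaches
   the child as exactly one argument. Returns the child pid or -1. */
static pid_t spawn_server(const server_cfg *c) {
    char port_buf[16];
    char *argv[ARGV_MAX];
    if (build_argv(c, port_buf, sizeof port_buf, argv) != 0) return -1;
    pid_t pid = fork();
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);           /* exec failed; never fall back to a shell */
    }
    return pid;
}

int main(void) {
    /* Constructed configurations: one sane, one carrying the injected method. */
    server_cfg good = { 8003, "test", "aes-256-gcm" };
    server_cfg bad  = { 8003, "test", "||touch /tmp/evil||" };
    printf("good config valid: %d\n", cfg_is_valid(&good));
    printf("bad config valid:  %d\n", cfg_is_valid(&bad));
    (void)spawn_server;      /* not launched here; the binary is assumed */
    return 0;
}
```

Validation is the second line of defence; the first is that execvp() takes a vector, so even a value that slipped past the check would arrive at ss-server as a single argument rather than as shell syntax.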

Workarounds
-----------
There is no workaround available; do not use ss-manager until a patch is
released.

About X41 D-Sec GmbH
--------------------
X41 D-Sec is a provider of application security services. We focus on
application code reviews, design review and security testing. X41 D-Sec
GmbH was founded in 2015 by Markus Vervier. We support customers in
various industries such as finance, software development and public
institutions.

Timeline
--------
2017-09-28 Issues found
2017-10-05 Vendor contacted
2017-10-09 Vendor contacted, replied to use GitHub for a full disclosure
2017-10-11 Vendor contacted, asked if the vendor is sure to want a full
           disclosure
2017-10-12 Vendor contacted, replied to create a public issue on GitHub
2017-10-13 Created public issue on GitHub
2017-10-13 Advisory release




Oracle E-Business Suite CVE-2017-10416 Remote Security Vulnerability


Bugtraq ID: 101303
Class: Unknown
CVE:

CVE-2017-10416

Remote: Yes
Local: No
Published: Oct 18 2017 12:00AM
Updated: Oct 18 2017 12:00AM
Credit: Vahagn Vardanyan of ERPScan
Vulnerable:

Oracle E-Business Suite 12.2.7
Oracle E-Business Suite 12.2.6
Oracle E-Business Suite 12.2.3
Oracle E-Business Suite 12.2.5
Oracle E-Business Suite 12.2.4

Not Vulnerable:
