Security and Firewalls
Written by Administrator   
Tuesday, April 26 2011 09:15

In today's internet, intrusion detection is a must to ensure data reliability for all parties. Nexus offers a state-of-the-art security solution to combat unauthorized access to your network. Firewalls are monitored constantly, 24x7, by a trained staff, with failsafe backup servers at every turn. Whether wireline or wireless, Nexus has the manpower and resources to protect your data.


Last Updated on Wednesday, March 27 2013 08:26

CERT Cyber Security Bulletins

US-CERT Bulletins
Alerts warn about vulnerabilities, incidents, and other security issues that pose a significant risk.
  • SB15-082: Vulnerability Summary for the Week of March 16, 2015
    Original release date: March 23, 2015

    The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

    The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division into high, medium, and low severities corresponds to the following scores:

    • High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0

    • Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9

    • Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9

    Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

    High Vulnerabilities

    | Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
    |---|---|---|---|---|
    | adobe -- flash_player | Adobe Flash Player before 13.0.0.277 and 14.x through 17.x before 17.0.0.134 on Windows and OS X and before 11.2.202.451 on Linux allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-0333, CVE-2015-0335, and CVE-2015-0339. | 2015-03-13 | 10.0 | CVE-2015-0332 (CONFIRM, SECTRACK, SUSE, SUSE, SUSE, SUSE) |
    | adobe -- flash_player | Adobe Flash Player before 13.0.0.277 and 14.x through 17.x before 17.0.0.134 on Windows and OS X and before 11.2.202.451 on Linux allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-0332, CVE-2015-0335, and CVE-2015-0339. | 2015-03-13 | 10.0 | CVE-2015-0333 (CONFIRM, SECTRACK, SUSE, SUSE, SUSE, SUSE) |
    | adobe -- flash_player | Adobe Flash Player before 13.0.0.277 and 14.x through 17.x before 17.0.0.134 on Windows and OS X and before 11.2.202.451 on Linux allows attackers to execute arbitrary code by leveraging an unspecified "type confusion," a different vulnerability than CVE-2015-0336. | 2015-03-13 | 9.3 | CVE-2015-0334 (CONFIRM, SECTRACK, SUSE, SUSE, SUSE, SUSE) |
    | adobe -- flash_player | Adobe Flash Player before 13.0.0.277 and 14.x through 17.x before 17.0.0.134 on Windows and OS X and before 11.2.202.451 on Linux allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-0332, CVE-2015-0333, and CVE-2015-0339. | 2015-03-13 | 10.0 | CVE-2015-0335 (CONFIRM, SECTRACK, SUSE, SUSE, SUSE, SUSE) |
    | adobe -- flash_player | Adobe Flash Player before 13.0.0.277 and 14.x through 17.x before 17.0.0.134 on Windows and OS X and before 11.2.202.451 on Linux allows attackers to execute arbitrary code by leveraging an unspecified "type confusion," a different vulnerability than CVE-2015-0334. | 2015-03-13 | 9.3 | CVE-2015-0336 (CONFIRM, SECTRACK, SUSE, SUSE, SUSE, SUSE) |
    | adobe -- flash_player | Integer overflow in Adobe Flash Player before 13.0.0.277 and 14.x through 17.x before 17.0.0.134 on Windows and OS X and before 11.2.202.451 on Linux allows attackers to execute arbitrary code via unspecified vectors. | 2015-03-13 | 10.0 | CVE-2015-0338 (CONFIRM, SECTRACK, SUSE, SUSE, SUSE, SUSE) |
    | adobe -- flash_player | Adobe Flash Player before 13.0.0.277 and 14.x through 17.x before 17.0.0.134 on Windows and OS X and before 11.2.202.451 on Linux allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2015-0332, CVE-2015-0333, and CVE-2015-0335. | 2015-03-13 | 10.0 | CVE-2015-0339 (CONFIRM, SECTRACK, SUSE, SUSE, SUSE, SUSE) |
    | adobe -- flash_player | Use-after-free vulnerability in Adobe Flash Player before 13.0.0.277 and 14.x through 17.x before 17.0.0.134 on Windows and OS X and before 11.2.202.451 on Linux allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-0342. | 2015-03-13 | 10.0 | CVE-2015-0341 (CONFIRM, SECTRACK, SUSE, SUSE, SUSE, SUSE) |
    | adobe -- flash_player | Use-after-free vulnerability in Adobe Flash Player before 13.0.0.277 and 14.x through 17.x before 17.0.0.134 on Windows and OS X and before 11.2.202.451 on Linux allows attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2015-0341. | 2015-03-13 | 10.0 | CVE-2015-0342 (CONFIRM, SECTRACK, SUSE, SUSE, SUSE, SUSE) |
    | cisco -- telepresence_server_software | Cisco Virtual TelePresence Server Software does not properly restrict use of the serial port, which allows local users to execute arbitrary OS commands as root by leveraging vSphere controller administrative privileges, aka Bug ID CSCus61123. | 2015-03-13 | 7.2 | CVE-2015-0660 (SECTRACK, CISCO) |
    | cisco -- anyconnect_secure_mobility_client | Cisco AnyConnect Secure Mobility Client 4.0(.00051) and earlier allows local users to gain privileges via crafted IPC messages that trigger use of root privileges for a software-package installation, aka Bug ID CSCus79385. | 2015-03-16 | 7.2 | CVE-2015-0662 (CISCO) |
    | hp -- arcsight_logger | Multiple unspecified vulnerabilities in HP ArcSight Logger before 6.0P1 have unknown impact and remote authenticated attack vectors. | 2015-03-13 | 9.0 | CVE-2014-7884 (CERT-VN, HP, SECTRACK) |
    | hp -- arcsight_enterprise_security_manager | Multiple unspecified vulnerabilities in HP ArcSight Enterprise Security Manager (ESM) before 6.8c have unknown impact and remote attack vectors. | 2015-03-13 | 10.0 | CVE-2014-7885 (CERT-VN, HP, SECTRACK) |
    | ibm -- rational_doors_next_generation | The XML parser in IBM Rational DOORS Next Generation 4.x before 4.0.7 iFix3 and 5.x before 5.0.2 and Rational Requirements Composer 2.x and 3.x before 3.0.1.6 iFix5 and 4.x before 4.0.7 iFix3 does not properly detect recursion during entity expansion, which allows remote attackers to cause a denial of service (memory consumption) via a crafted XML document containing a large number of nested entity references, a similar issue to CVE-2003-1564. | 2015-03-18 | 7.8 | CVE-2015-0132 (CONFIRM) |
    | linux -- linux_kernel | The implementation of certain splice_write file operations in the Linux kernel before 3.16 does not enforce a restriction on the maximum size of a single file, which allows local users to cause a denial of service (system crash) or possibly have unspecified other impact via a crafted splice system call, as demonstrated by use of a file descriptor associated with an ext4 filesystem. | 2015-03-16 | 7.2 | CVE-2014-7822 (CONFIRM, CONFIRM, DEBIAN, REDHAT, REDHAT, REDHAT, CONFIRM) |
    | linux -- linux_kernel | The pmd_none_or_trans_huge_or_clear_bad function in include/asm-generic/pgtable.h in the Linux kernel before 3.13 on NUMA systems does not properly determine whether a Page Middle Directory (PMD) entry is a transparent huge-table entry, which allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact via a crafted MADV_WILLNEED madvise system call that leverages the absence of a page-table lock. | 2015-03-16 | 7.2 | CVE-2014-8173 (CONFIRM, CONFIRM, REDHAT, CONFIRM) |
    | linux -- linux_kernel | The XFS implementation in the Linux kernel before 3.15 improperly uses an old size value during remote attribute replacement, which allows local users to cause a denial of service (transaction overrun and data corruption) or possibly gain privileges by leveraging XFS filesystem access. | 2015-03-16 | 7.2 | CVE-2015-0274 (CONFIRM, CONFIRM, SECTRACK, REDHAT, CONFIRM) |
    | linux -- linux_kernel | Use-after-free vulnerability in the sctp_assoc_update function in net/sctp/associola.c in the Linux kernel before 3.18.8 allows remote attackers to cause a denial of service (slab corruption and panic) or possibly have unspecified other impact by triggering an INIT collision that leads to improper handling of shared-key data. | 2015-03-16 | 10.0 | CVE-2015-1421 (CONFIRM, CONFIRM, MLIST, CONFIRM, DEBIAN, CONFIRM) |
    | mybb -- mybb | The cache handler in MyBB (aka MyBulletinBoard) before 1.8.4 does not properly check the encoding of input to the var_export function, which allows attackers to have an unspecified impact via unknown vectors. | 2015-03-19 | 7.5 | CVE-2015-2352 (CONFIRM) |
    | openssl -- openssl | Integer underflow in the EVP_DecodeUpdate function in crypto/evp/encode.c in the base64-decoding implementation in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted base64 data that triggers a buffer overflow. | 2015-03-19 | 7.5 | CVE-2015-0292 (CONFIRM, CONFIRM, CONFIRM, CONFIRM) |
    | scadaengine -- bacnet_opc_server | Heap-based buffer overflow in the SOAP web interface in SCADA Engine BACnet OPC Server before 2.1.371.24 allows remote attackers to execute arbitrary code via a crafted packet. | 2015-03-13 | 9.0 | CVE-2015-0979 (MISC) |
    | scadaengine -- bacnet_opc_server | Format string vulnerability in BACnOPCServer.exe in the SOAP web interface in SCADA Engine BACnet OPC Server before 2.1.371.24 allows remote attackers to execute arbitrary code via format string specifiers in a request. | 2015-03-13 | 9.0 | CVE-2015-0980 (MISC) |
    | scadaengine -- bacnet_opc_server | The SOAP web interface in SCADA Engine BACnet OPC Server before 2.1.371.24 allows remote attackers to bypass authentication and read or write to arbitrary database fields via unspecified vectors. | 2015-03-13 | 7.5 | CVE-2015-0981 (MISC) |
    | schneider_electric -- pelco_ds-nv | Buffer overflow in an unspecified DLL in Schneider Electric Pelco DS-NVs before 7.8.90 allows remote attackers to execute arbitrary code via unspecified vectors. | 2015-03-13 | 7.5 | CVE-2015-0982 (MISC, CONFIRM) |
    | suse -- opensuse_osc | osc before 0.151.0 allows remote attackers to execute arbitrary commands via shell metacharacters in a _service file. | 2015-03-16 | 7.5 | CVE-2015-0778 (CONFIRM, SUSE, SUSE) |
    | wpml -- wpml | SQL injection vulnerability in the WPML plugin before 3.1.9 for WordPress allows remote attackers to execute arbitrary SQL commands via the lang parameter in the HTTP Referer header in a wp-link-ajax action to comments/feed. | 2015-03-17 | 7.5 | CVE-2015-2314 (BUGTRAQ, CONFIRM, FULLDISC, MISC, MISC) |

    Medium Vulnerabilities

    | Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
    |---|---|---|---|---|
    | adobe -- flash_player | Adobe Flash Player before 13.0.0.277 and 14.x through 17.x before 17.0.0.134 on Windows and OS X and before 11.2.202.451 on Linux allows remote attackers to bypass the Same Origin Policy via unspecified vectors. | 2015-03-13 | 5.0 | CVE-2015-0337 (CONFIRM, SECTRACK, SUSE, SUSE, SUSE, SUSE) |
    | adobe -- flash_player | Adobe Flash Player before 13.0.0.277 and 14.x through 17.x before 17.0.0.134 on Windows and OS X and before 11.2.202.451 on Linux allows remote attackers to bypass intended file-upload restrictions via unspecified vectors. | 2015-03-13 | 5.0 | CVE-2015-0340 (CONFIRM, SECTRACK, SUSE, SUSE, SUSE, SUSE) |
    | apple -- safari | WebKit, as used in Apple Safari before 6.2.4, 7.x before 7.1.4, and 8.x before 8.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other CVEs listed in APPLE-SA-2015-03-17-1. | 2015-03-18 | 6.8 | CVE-2015-1068 (CONFIRM, APPLE) |
    | apple -- safari | WebKit, as used in Apple Safari before 6.2.4, 7.x before 7.1.4, and 8.x before 8.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other CVEs listed in APPLE-SA-2015-03-17-1. | 2015-03-18 | 6.8 | CVE-2015-1069 (CONFIRM, APPLE) |
    | apple -- safari | WebKit, as used in Apple Safari before 6.2.4, 7.x before 7.1.4, and 8.x before 8.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other CVEs listed in APPLE-SA-2015-03-17-1. | 2015-03-18 | 6.8 | CVE-2015-1070 (CONFIRM, APPLE) |
    | apple -- safari | WebKit, as used in Apple Safari before 6.2.4, 7.x before 7.1.4, and 8.x before 8.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other CVEs listed in APPLE-SA-2015-03-17-1. | 2015-03-18 | 6.8 | CVE-2015-1071 (CONFIRM, APPLE) |
    | apple -- safari | WebKit, as used in Apple Safari before 6.2.4, 7.x before 7.1.4, and 8.x before 8.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other CVEs listed in APPLE-SA-2015-03-17-1. | 2015-03-18 | 6.8 | CVE-2015-1072 (CONFIRM, APPLE) |
    | apple -- safari | WebKit, as used in Apple Safari before 6.2.4, 7.x before 7.1.4, and 8.x before 8.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other CVEs listed in APPLE-SA-2015-03-17-1. | 2015-03-18 | 6.8 | CVE-2015-1073 (CONFIRM, APPLE) |
    | apple -- safari | WebKit, as used in Apple Safari before 6.2.4, 7.x before 7.1.4, and 8.x before 8.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other CVEs listed in APPLE-SA-2015-03-17-1. | 2015-03-18 | 6.8 | CVE-2015-1074 (CONFIRM, APPLE) |
    | apple -- safari | WebKit, as used in Apple Safari before 6.2.4, 7.x before 7.1.4, and 8.x before 8.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other CVEs listed in APPLE-SA-2015-03-17-1. | 2015-03-18 | 6.8 | CVE-2015-1075 (CONFIRM, APPLE) |
    | apple -- safari | WebKit, as used in Apple Safari before 6.2.4, 7.x before 7.1.4, and 8.x before 8.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other CVEs listed in APPLE-SA-2015-03-17-1. | 2015-03-18 | 6.8 | CVE-2015-1076 (CONFIRM, APPLE) |
    | apple -- safari | WebKit, as used in Apple Safari before 6.2.4, 7.x before 7.1.4, and 8.x before 8.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other CVEs listed in APPLE-SA-2015-03-17-1. | 2015-03-18 | 6.8 | CVE-2015-1077 (CONFIRM, APPLE) |
    | apple -- safari | WebKit, as used in Apple Safari before 6.2.4, 7.x before 7.1.4, and 8.x before 8.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other CVEs listed in APPLE-SA-2015-03-17-1. | 2015-03-18 | 6.8 | CVE-2015-1078 (CONFIRM, APPLE) |
    | apple -- safari | WebKit, as used in Apple Safari before 6.2.4, 7.x before 7.1.4, and 8.x before 8.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other CVEs listed in APPLE-SA-2015-03-17-1. | 2015-03-18 | 6.8 | CVE-2015-1079 (CONFIRM, APPLE) |
    | apple -- safari | WebKit, as used in Apple Safari before 6.2.4, 7.x before 7.1.4, and 8.x before 8.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other CVEs listed in APPLE-SA-2015-03-17-1. | 2015-03-18 | 6.8 | CVE-2015-1080 (CONFIRM, APPLE) |
    | apple -- safari | WebKit, as used in Apple Safari before 6.2.4, 7.x before 7.1.4, and 8.x before 8.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other CVEs listed in APPLE-SA-2015-03-17-1. | 2015-03-18 | 6.8 | CVE-2015-1081 (CONFIRM, APPLE) |
    | apple -- safari | WebKit, as used in Apple Safari before 6.2.4, 7.x before 7.1.4, and 8.x before 8.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other CVEs listed in APPLE-SA-2015-03-17-1. | 2015-03-18 | 6.8 | CVE-2015-1082 (CONFIRM, APPLE) |
    | apple -- safari | WebKit, as used in Apple Safari before 6.2.4, 7.x before 7.1.4, and 8.x before 8.0.4, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted web site, a different vulnerability than other CVEs listed in APPLE-SA-2015-03-17-1. | 2015-03-18 | 6.8 | CVE-2015-1083 (CONFIRM, APPLE) |
    | apple -- safari | The user interface in WebKit, as used in Apple Safari before 6.2.4, 7.x before 7.1.4, and 8.x before 8.0.4, does not display URLs consistently, which makes it easier for remote attackers to conduct phishing attacks via a crafted URL. | 2015-03-18 | 5.0 | CVE-2015-1084 (CONFIRM, APPLE) |
    | automount_project -- automount | automount 5.0.8, when a program map uses certain interpreted languages, uses the calling user's USER and HOME environment variable values instead of the values for the user used to run the mapped program, which allows local users to gain privileges via a Trojan horse program in the user home directory. | 2015-03-18 | 4.4 | CVE-2014-8169 (CONFIRM, CONFIRM, SUSE) |
    | cimon -- cmnview | Untrusted search path vulnerability in CmnView.exe in CIMON CmnView 2.14.0.1 and 3.x before UltimateAccess 3.02 allows local users to gain privileges via a Trojan horse DLL in the current working directory. | 2015-03-13 | 6.9 | CVE-2014-9207 (MISC) |
    | cisco -- anyconnect_secure_mobility_client | Cisco AnyConnect Secure Mobility Client 4.0(.00051) and earlier does not properly implement access control for IPC messages, which allows local users to write to arbitrary files via crafted messages, aka Bug ID CSCus79392. | 2015-03-16 | 6.6 | CVE-2015-0663 (CISCO) |
    | cisco -- anyconnect_secure_mobility_client | The IPC channel in Cisco AnyConnect Secure Mobility Client 4.0(.00051) and earlier allows local users to write to arbitrary userspace memory locations, and consequently gain privileges, via crafted messages, aka Bug ID CSCus79195. | 2015-03-18 | 4.3 | CVE-2015-0664 (CISCO) |
    | cisco -- anyconnect_secure_mobility_client | The Hostscan module in Cisco AnyConnect Secure Mobility Client 4.0(.00051) and earlier allows local users to write to arbitrary files via crafted IPC messages, aka Bug ID CSCus79173. | 2015-03-16 | 6.6 | CVE-2015-0665 (CISCO) |
    | cisco -- content_services_switch_11500_firmware | The Management Interface on Cisco Content Services Switch (CSS) 11500 devices 8.20.4.02 and earlier allows remote attackers to bypass intended restrictions on local-network device access via crafted SSH packets, aka Bug ID CSCut14855. | 2015-03-18 | 5.0 | CVE-2015-0667 (CISCO) |
    | cisco -- webex_meetings_server | Cross-site scripting (XSS) vulnerability in the administration portal in Cisco WebEx Meetings Server 2.5 and 2.5.99.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka Bug ID CSCuq66737. | 2015-03-19 | 4.3 | CVE-2015-0668 (CISCO) |
    | cisco -- videoscape_delivery_system_for_internet_streamer | The DNS implementation in Cisco Videoscape Distribution Suite for Internet Streaming (VDS-IS) 3.2(1) allows remote attackers to cause a denial of service (CPU consumption and network-resource consumption) via crafted packets, aka Bug ID CSCun15911. | 2015-03-19 | 5.0 | CVE-2015-0671 (CISCO) |
    | ecryptfs -- ecryptfs-utils | eCryptfs 104 and earlier uses a default salt to encrypt the mount passphrase, which makes it easier for attackers to obtain user passwords via a brute force attack. | 2015-03-16 | 5.0 | CVE-2014-9687 (MISC, UBUNTU, MLIST, MLIST, MLIST) |
    | elipse -- e3 | Multiple untrusted search path vulnerabilities in (1) EQATEC.Analytics.Monitor.Win32_vc100.dll and (2) EQATEC.Analytics.Monitor.Win32_vc100-x64.dll in Elipse E3 4.5.232 through 4.6.161 allow local users to gain privileges via a Trojan horse DLL in an unspecified directory. NOTE: this may overlap CVE-2015-2264. | 2015-03-13 | 6.9 | CVE-2015-0978 (MISC) |
    | extplorer -- extplorer | Multiple cross-site scripting (XSS) vulnerabilities in eXtplorer before 2.1.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 2015-03-18 | 4.3 | CVE-2015-0896 (CONFIRM, JVNDB, JVN) |
    | ge -- hydran_m2 | The 17046 Ethernet card before 94450214LFMT100SEM-L.R3-CL for the GE Digital Energy Hydran M2 does not properly generate random values for TCP Initial Sequence Numbers (ISNs), which makes it easier for remote attackers to spoof packets by predicting these values. | 2015-03-13 | 5.0 | CVE-2014-5409 (MISC, MISC) |
    | hp -- operations_manager_i_management_pack | HP Operations Manager i Management Pack 1.x before 1.01 for SAP allows local users to execute OS commands by leveraging SAP administrative privileges. | 2015-03-13 | 6.8 | CVE-2015-2107 (SECTRACK, HP) |
    | ibm -- rational_collaborative_lifecycle_management | IBM Rational Jazz Team Server (JTS), as used in Rational Collaborative Lifecycle Management 3.x and 4.x before 4.0.7 iFix4 and 5.x before 5.0.2 iFix2; Rational Quality Manager 2.x and 3.x before 3.0.1.6 iFix5, 4.x before 4.0.7 iFix4, and 5.x before 5.0.2 iFix2; Rational Team Concert 2.x and 3.x before 3.0.1.6 iFix5, 4.x before 4.0.7 iFix4, and 5.x before 5.0.2 iFix2; Rational DOORS Next Generation 4.x before 4.0.7 iFix4 and 5.x before 5.0.2 iFix2; Rational Requirements Composer 2.x and 3.x before 3.0.1.6 iFix5; and other products, allows remote authenticated users to delete the dashboards of arbitrary users via unspecified vectors. | 2015-03-18 | 5.5 | CVE-2014-6129 (CONFIRM) |
    | ibm -- rational_collaborative_lifecycle_management | IBM Rational Jazz Team Server (JTS), as used in Rational Collaborative Lifecycle Management 3.x and 4.x before 4.0.7 iFix4 and 5.x before 5.0.2 iFix2; Rational Quality Manager 2.x and 3.x before 3.0.1.6 iFix5, 4.x before 4.0.7 iFix4, and 5.x before 5.0.2 iFix2; Rational Team Concert 2.x and 3.x before 3.0.1.6 iFix5, 4.x before 4.0.7 iFix4, and 5.x before 5.0.2 iFix2; Rational DOORS Next Generation 4.x before 4.0.7 iFix4 and 5.x before 5.0.2 iFix2; Rational Requirements Composer 2.x and 3.x before 3.0.1.6 iFix5; and other products, allows remote authenticated users to read the dashboards of arbitrary users via unspecified vectors. | 2015-03-18 | 4.0 | CVE-2014-6131 (CONFIRM) |
    | ibm -- api_management | The developer portal in IBM API Management 3.0 before 3.0.4.1 does not properly restrict access to the public and private APIs, which allows remote authenticated users to obtain sensitive information or modify data via unspecified API calls. | 2015-03-18 | 5.5 | CVE-2015-0149 (CONFIRM, AIXAPAR) |
    | ibm -- liberty | The Java overlay feature in IBM Bluemix Liberty before 1.13-20150209-1122 for Java does not properly support WAR applications, which allows remote attackers to obtain sensitive information via unspecified vectors. | 2015-03-18 | 4.3 | CVE-2015-0178 (CONFIRM) |
    | libarchive -- libarchive | Absolute path traversal vulnerability in bsdcpio in libarchive 3.1.2 and earlier allows remote attackers to write to arbitrary files via a full pathname in an archive. | 2015-03-15 | 6.4 | CVE-2015-2304 (CONFIRM, CONFIRM, CONFIRM, MLIST, MLIST, DEBIAN) |
    | linux -- linux_kernel | The InfiniBand (IB) implementation in the Linux kernel package before 2.6.32-504.12.2 on Red Hat Enterprise Linux (RHEL) 6 does not properly restrict use of User Verbs for registration of memory regions, which allows local users to access arbitrary physical memory locations, and consequently cause a denial of service (system crash) or gain privileges, by leveraging permissions on a uverbs device under /dev/infiniband/. | 2015-03-16 | 6.9 | CVE-2014-8159 (CONFIRM, UBUNTU, UBUNTU, UBUNTU, UBUNTU, UBUNTU, UBUNTU, REDHAT) |
    | linux -- linux_kernel | The filesystem implementation in the Linux kernel before 3.13 performs certain operations on lists of files with an inappropriate locking approach, which allows local users to cause a denial of service (soft lockup or system crash) via unspecified use of Asynchronous I/O (AIO) operations. | 2015-03-16 | 4.9 | CVE-2014-8172 (CONFIRM, CONFIRM, MLIST, REDHAT, CONFIRM) |
    | linux -- linux_kernel | The stack randomization feature in the Linux kernel before 3.19.1 on 64-bit platforms uses incorrect data types for the results of bitwise left-shift operations, which makes it easier for attackers to bypass the ASLR protection mechanism by predicting the address of the top of the stack, related to the randomize_stack_top function in fs/binfmt_elf.c and the stack_maxrandom_size function in arch/x86/mm/mmap.c. | 2015-03-16 | 5.0 | CVE-2015-1593 (MLIST, CONFIRM, CONFIRM, MLIST, CONFIRM, DEBIAN, MISC, CONFIRM) |
    | mybb -- mybb | Cross-site scripting (XSS) vulnerability in member.php in MyBB (aka MyBulletinBoard) before 1.8.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 2015-03-18 | 4.3 | CVE-2015-2332 (CONFIRM) |
    | mybb -- mybb | Cross-site scripting (XSS) vulnerability in the MyCode editor in MyBB (aka MyBulletinBoard) before 1.8.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 2015-03-18 | 4.3 | CVE-2015-2333 (CONFIRM) |
    | mybb -- mybb | Cross-site request forgery (CSRF) vulnerability in the Admin Control Panel (ACP) login in MyBB (aka MyBulletinBoard) before 1.8.4 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors. | 2015-03-18 | 6.8 | CVE-2015-2334 (CONFIRM) |
    | mybb -- mybb | A JSON library in MyBB (aka MyBulletinBoard) before 1.8.4 allows remote attackers to obtain the installation path via unknown vectors. | 2015-03-18 | 5.0 | CVE-2015-2335 (CONFIRM) |
    | openssl -- openssl | The dtls1_listen function in d1_lib.c in OpenSSL 1.0.2 before 1.0.2a does not properly isolate the state information of independent data streams, which allows remote attackers to cause a denial of service (application crash) via crafted DTLS traffic, as demonstrated by DTLS 1.0 traffic to a DTLS 1.2 server. | 2015-03-19 | 5.0 | CVE-2015-0207 (CONFIRM, CONFIRM, CONFIRM) |
    | openssl -- openssl | The ASN.1 signature-verification implementation in the rsa_item_verify function in crypto/rsa/rsa_ameth.c in OpenSSL 1.0.2 before 1.0.2a allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via crafted RSA PSS parameters to an endpoint that uses the certificate-verification feature. | 2015-03-19 | 4.3 | CVE-2015-0208 (CONFIRM, CONFIRM, CONFIRM) |
    | openssl -- openssl | Use-after-free vulnerability in the d2i_ECPrivateKey function in crypto/ec/ec_asn1.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a might allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a malformed Elliptic Curve (EC) private-key file that is improperly handled during import. | 2015-03-19 | 6.8 | CVE-2015-0209 (CONFIRM, CONFIRM, CONFIRM) |
    | openssl -- openssl | The ssl3_client_hello function in s3_clnt.c in OpenSSL 1.0.2 before 1.0.2a does not ensure that the PRNG is seeded before proceeding with a handshake, which makes it easier for remote attackers to defeat cryptographic protection mechanisms by sniffing the network and then conducting a brute-force attack. | 2015-03-19 | 4.3 | CVE-2015-0285 (CONFIRM, CONFIRM, CONFIRM) |
    | openssl -- openssl | The ASN1_TYPE_cmp function in crypto/asn1/a_type.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not properly perform boolean-type comparisons, which allows remote attackers to cause a denial of service (invalid read operation and application crash) via a crafted X.509 certificate to an endpoint that uses the certificate-verification feature. | 2015-03-19 | 5.0 | CVE-2015-0286 (CONFIRM, CONFIRM, CONFIRM) |
    | openssl -- openssl | The ASN1_item_ex_d2i function in crypto/asn1/tasn_dec.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not reinitialize CHOICE and ADB data structures, which might allow attackers to cause a denial of service (invalid write operation and memory corruption) by leveraging an application that relies on ASN.1 structure reuse. | 2015-03-19 | 5.0 | CVE-2015-0287 (CONFIRM, CONFIRM, CONFIRM) |
    | openssl -- openssl | The X509_to_X509_REQ function in crypto/x509/x509_req.c in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a might allow attackers to cause a denial of service (NULL pointer dereference and application crash) via an invalid certificate key. | 2015-03-19 | 5.0 | CVE-2015-0288 (CONFIRM, CONFIRM, CONFIRM, CONFIRM) |
    | openssl -- openssl | The PKCS#7 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a does not properly handle a lack of outer ContentInfo, which allows attackers to cause a denial of service (NULL pointer dereference and application crash) by leveraging an application that processes arbitrary PKCS#7 data and providing malformed data with ASN.1 encoding, related to crypto/pkcs7/pk7_doit.c and crypto/pkcs7/pk7_lib.c. | 2015-03-19 | 5.0 | CVE-2015-0289 (CONFIRM, CONFIRM, CONFIRM) |
    | openssl -- openssl | The multi-block feature in the ssl3_write_bytes function in s3_pkt.c in OpenSSL 1.0.2 before 1.0.2a on 64-bit x86 platforms with AES NI support does not properly handle certain non-blocking I/O cases, which allows remote attackers to cause a denial of service (pointer corruption and application crash) via unspecified vectors. | 2015-03-19 | 5.0 | CVE-2015-0290 (CONFIRM, CONFIRM, CONFIRM) |
    | openssl -- openssl | The sigalgs implementation in t1_lib.c in OpenSSL 1.0.2 before 1.0.2a allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) by using an invalid signature_algorithms extension in the ClientHello message during a renegotiation. | 2015-03-19 | 5.0 | CVE-2015-0291 (CONFIRM, CONFIRM, CONFIRM) |
    | openssl -- openssl | The SSLv2 implementation in OpenSSL before 0.9.8zf, 1.0.0 before 1.0.0r, 1.0.1 before 1.0.1m, and 1.0.2 before 1.0.2a allows remote attackers to cause a denial of service (s2_lib.c assertion failure and daemon exit) via a crafted CLIENT-MASTER-KEY message. | 2015-03-19 | 5.0 | CVE-2015-0293 (CONFIRM, CONFIRM, CONFIRM) |
    | python-requests -- requests | The resolve_redirects function in sessions.py in requests 2.1.0 through 2.5.3 allows remote attackers to conduct session fixation attacks via a cookie without a host value in a redirect. | 2015-03-18 | 6.8 | CVE-2015-2296 (CONFIRM, CONFIRM, UBUNTU, MLIST, MLIST) |
    | schneider-electric -- device_type_manager | Stack-based buffer overflow in Device Type Manager (DTM) 3.1.6 and earlier for Schneider Electric Invensys SRD Control Valve Positioner devices 960 and 991 allows local users to gain privileges via a malformed DLL file. | 2015-03-13 | 6.9 | CVE-2014-9206 (MISC, CONFIRM) |
    | wpml -- wpml | Cross-site scripting (XSS) vulnerability in the WPML plugin before 3.1.9 for WordPress allows remote attackers to inject arbitrary web script or HTML via the target parameter in a reminder_popup action to the default URI. | 2015-03-17 | 4.3 | CVE-2015-2315 (BUGTRAQ, CONFIRM, FULLDISC, MISC, MISC) |
    | yoast -- wordpress_seo | Multiple SQL injection vulnerabilities in admin/class-bulk-editor-list-table.php in the WordPress SEO by Yoast plugin before 1.5.7, 1.6.x before 1.6.4, and 1.7.x before 1.7.4 for WordPress allow remote authenticated users to execute arbitrary SQL commands via the (1) order_by or (2) order parameter in the wpseo_bulk-editor page to wp-admin/admin.php. NOTE: this can be leveraged using CSRF to allow remote attackers to execute arbitrary SQL commands. | 2015-03-17 | 6.5 | CVE-2015-2292 (CONFIRM, MISC, CONFIRM, SECTRACK, FULLDISC, MISC) |
    | yoast -- wordpress_seo | Multiple cross-site request forgery (CSRF) vulnerabilities in admin/class-bulk-editor-list-table.php in the WordPress SEO by Yoast plugin before 1.5.7, 1.6.x before 1.6.4, and 1.7.x before 1.7.4 for WordPress allow remote attackers to hijack the authentication of certain users for requests that conduct SQL injection attacks via the (1) order_by or (2) order parameter in the wpseo_bulk-editor page. | 2015-03-17 | 6.8 | CVE-2015-2293 |
    CONFIRM
    MISC
    CONFIRM
    SECTRACK
    FULLDISC
    MISC

    Low Vulnerabilities

    Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info
    ibm -- rational_quality_manager | Cross-site scripting (XSS) vulnerability in IBM Rational Quality Manager 2.x and 3.x before 3.0.1.6 iFix4, 4.x before 4.0.7 iFix3, and 5.x before 5.0.2 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL. | 2015-03-18 | 3.5 | CVE-2015-0124 (CONFIRM)
    ibm -- rational_doors_next_generation | Cross-site scripting (XSS) vulnerability in IBM Rational DOORS Next Generation 4.x before 4.0.7 iFix3 and 5.x before 5.0.2 and Rational Requirements Composer 4.x before 4.0.7 iFix3 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL. | 2015-03-18 | 3.5 | CVE-2015-0125 (CONFIRM)
    ibm -- rational_quality_manager | Cross-site scripting (XSS) vulnerability in IBM Rational Quality Manager 2.x and 3.x before 3.0.1.6 iFix4, 4.x before 4.0.7 iFix3, and 5.x before 5.0.2 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL. | 2015-03-18 | 3.5 | CVE-2015-0128 (CONFIRM)
    ibm -- content_collector | IBM Content Collector for Email 3.0 before 3.0.0.6-IBM-ICC-Server-IF001 and 4.0 before 4.0.0.3-IBM-ICC-Server-IF001 does not properly handle an unspecified query operator during searches of IBM FileNet P8 systems with IBM Content Search Services, which allows local users to bypass intended document-access restrictions and obtain sensitive information via a crafted search query. | 2015-03-18 | 2.1 | CVE-2015-0146 (CONFIRM)
    linux -- linux_kernel | Race condition in the handle_to_path function in fs/fhandle.c in the Linux kernel through 3.19.1 allows local users to bypass intended size restrictions and trigger read operations on additional memory locations by changing the handle_bytes value of a file handle during the execution of this function. | 2015-03-16 | 2.1 | CVE-2015-1420 (CONFIRM, MLIST, DEBIAN, MLIST)
    mybb -- mybb | Multiple cross-site scripting (XSS) vulnerabilities in the administrative backend in MyBB (aka MyBulletinBoard) before 1.8.4 allow remote authenticated users to inject arbitrary web script or HTML via the (1) MIME-type field in an add action in the config-attachment_types module to admin/index.php; (2) title or (3) short description field in an add action in the (a) config-mycode or (b) user-groups module to admin/index.php; (4) title field in an add action in the (c) forum-management or (d) tool-tasks module to admin/index.php; (5) name field in an add_set action in the style-templates module to admin/index.php; (6) title field in an add_template_group action in the style-templates module to admin/index.php; (7) name field in an add action in the config-post_icons module to admin/index.php; (8) "title to assign" field in an add action in the user-titles module to admin/index.php; or (9) username field in the config-banning module to admin/index.php. | 2015-03-18 | 3.5 | CVE-2015-2149 (CONFIRM, MISC, MLIST ×2, FULLDISC)
    openssl -- openssl | The ssl3_get_client_key_exchange function in s3_srvr.c in OpenSSL 1.0.2 before 1.0.2a, when client authentication and an ephemeral Diffie-Hellman ciphersuite are enabled, allows remote attackers to cause a denial of service (daemon crash) via a ClientKeyExchange message with a length of zero. | 2015-03-19 | 2.6 | CVE-2015-1787 (CONFIRM ×3)
    xen -- xen | Xen 4.5.x and earlier enables certain default backends when emulating a VGA device for an x86 HVM guest qemu even when the configuration disables them, which allows local guest users to obtain access to the VGA console by (1) setting the DISPLAY environment variable, when compiled with SDL support, or connecting to the VNC server on (2) ::1 or (3) 127.0.0.1, when not compiled with SDL support. | 2015-03-18 | 1.9 | CVE-2015-2152 (CONFIRM, SECTRACK)


  • SB15-075: Vulnerability Summary for the Week of March 9, 2015
    Original release date: March 16, 2015


    High Vulnerabilities

    Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info
    agilent_technologies -- feature_extraction | The AnnotationX.AnnList.1 ActiveX control in Agilent Technologies Feature Extraction allows remote attackers to execute arbitrary code via a crafted object parameter in the Insert function, related to "Index Out-Of-Bounds." | 2015-03-09 | 7.5 | CVE-2015-2092 (MISC)
    ajsquare -- zeuscart | Multiple SQL injection vulnerabilities in the administrative backend in ZeusCart 4 allow remote administrators to execute arbitrary SQL commands via the id parameter in a (1) disporders detail or (2) subadminmgt edit action or (3) cid parameter in an editcurrency action to admin/. | 2015-03-10 | 7.5 | CVE-2015-2183 (MISC, BID, EXPLOIT-DB, MISC, MLIST ×2, FULLDISC, MISC)
    apache -- standard_taglibs | Apache Standard Taglibs before 1.2.3 allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a (1) <x:parse> or (2) <x:transform> JSTL XML tag. | 2015-03-09 | 7.5 | CVE-2015-0254 (BID, MISC, MLIST)
    apple -- apple_tv | IOSurface in Apple iOS before 8.2, Apple OS X through 10.10.2, and Apple TV before 7.1 allows attackers to execute arbitrary code in a privileged context via a crafted app that leverages "type confusion" during serialized-object handling. | 2015-03-12 | 9.3 | CVE-2015-1061 (CONFIRM ×3, APPLE ×3)
    apple -- iphone_os | CoreTelephony in Apple iOS before 8.2 allows remote attackers to cause a denial of service (NULL pointer dereference and device restart) via a Class 0 SMS message. | 2015-03-12 | 7.8 | CVE-2015-1063 (CONFIRM, APPLE)
    apple -- mac_os_x | Off-by-one error in IOAcceleratorFamily in Apple OS X through 10.10.2 allows attackers to execute arbitrary code in a privileged context via a crafted app. | 2015-03-12 | 10.0 | CVE-2015-1066 (CONFIRM, APPLE)
    avinu -- phpmoadmin | The saveObject function in moadmin.php in phpMoAdmin 1.1.2 allows remote attackers to execute arbitrary commands via shell metacharacters in the object parameter. | 2015-03-12 | 7.5 | CVE-2015-2208 (MLIST ×2, EXPLOIT-DB, FULLDISC, MISC)
    bestpractical -- request_tracker | The email gateway in RT (aka Request Tracker) 3.0.0 through 4.x before 4.0.23 and 4.2.x before 4.2.10 allows remote attackers to cause a denial of service (CPU and disk consumption) via a crafted email. | 2015-03-09 | 7.1 | CVE-2014-9472 (DEBIAN, CONFIRM)
    betster_project -- betster | Multiple SQL injection vulnerabilities in Betster (aka PHP Betoffice) 1.0.4 allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) showprofile.php or (2) categoryedit.php or (3) username parameter in a login to index.php. | 2015-03-12 | 7.5 | CVE-2015-2237 (BUGTRAQ, MISC)
    cisco -- expressway_software | The Session Description Protocol (SDP) implementation in Cisco TelePresence Video Communication Server (VCS) and Cisco Expressway before X8.2 and Cisco TelePresence Conductor before XC2.4 allows remote attackers to cause a denial of service (mishandled exception and device reload) via a crafted media description, aka Bug IDs CSCus96593 and CSCun73192. | 2015-03-12 | 7.8 | CVE-2015-0652 (CISCO)
    cisco -- expressway_software | The management interface in Cisco TelePresence Video Communication Server (VCS) and Cisco Expressway before X7.2.4, X8 before X8.1.2, and X8.2 before X8.2.2 and Cisco TelePresence Conductor before X2.3.1 and XC2.4 before XC2.4.1 allows remote attackers to bypass authentication via crafted login parameters, aka Bug IDs CSCur02680 and CSCur05556. | 2015-03-12 | 10.0 | CVE-2015-0653 (CISCO)
    cisco -- intrusion_prevention_system | Race condition in the TLS implementation in MainApp in the management interface in Cisco Intrusion Prevention System (IPS) Software before 7.3(3)E4 allows remote attackers to cause a denial of service (process hang) by establishing many HTTPS sessions, aka Bug ID CSCuq40652. | 2015-03-12 | 7.1 | CVE-2015-0654 (CISCO)
    emc -- rsa_certificate_manager | EMC RSA Certificate Manager (RCM) before 6.9 build 558 and RSA Registration Manager (RRM) before 6.9 build 558 allow remote attackers to cause an Administration Server denial of service via an invalid MIME e-mail message with a multipart/* Content-Type header. | 2015-03-12 | 7.8 | CVE-2015-0523 (BUGTRAQ)
    emc -- secure_remote_services | SQL injection vulnerability in the Gateway Provisioning service in EMC Secure Remote Services Virtual Edition (ESRS VE) 3.02 and 3.03 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | 2015-03-12 | 7.5 | CVE-2015-0524 (BUGTRAQ)
    emc -- secure_remote_services | The Gateway Provisioning service in EMC Secure Remote Services Virtual Edition (ESRS VE) 3.02 and 3.03 allows remote attackers to execute arbitrary OS commands via unspecified vectors. | 2015-03-12 | 7.5 | CVE-2015-0525 (BUGTRAQ)
    google -- chrome | The SkBitmap::ReadRawPixels function in core/SkBitmap.cpp in the filters implementation in Skia, as used in Google Chrome before 41.0.2272.76, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger an out-of-bounds write operation. | 2015-03-08 | 7.5 | CVE-2015-1213 (CONFIRM ×2, BID, REDHAT, CONFIRM)
    google -- chrome | Integer overflow in the SkAutoSTArray implementation in include/core/SkTemplates.h in the filters implementation in Skia, as used in Google Chrome before 41.0.2272.76, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a reset action with a large count value, leading to an out-of-bounds write operation. | 2015-03-08 | 7.5 | CVE-2015-1214 (CONFIRM ×2, BID, REDHAT, CONFIRM)
    google -- chrome | The filters implementation in Skia, as used in Google Chrome before 41.0.2272.76, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger an out-of-bounds write operation. | 2015-03-08 | 7.5 | CVE-2015-1215 (CONFIRM, BID, REDHAT, CONFIRM)
    google -- chrome | Use-after-free vulnerability in the V8Window::namedPropertyGetterCustom function in bindings/core/v8/custom/V8WindowCustom.cpp in the V8 bindings in Blink, as used in Google Chrome before 41.0.2272.76, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a frame detachment. | 2015-03-08 | 7.5 | CVE-2015-1216 (CONFIRM ×2, BID, REDHAT, CONFIRM)
    google -- chrome | The V8LazyEventListener::prepareListenerObject function in bindings/core/v8/V8LazyEventListener.cpp in the V8 bindings in Blink, as used in Google Chrome before 41.0.2272.76, does not properly compile listeners, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that leverage "type confusion." | 2015-03-08 | 7.5 | CVE-2015-1217 (CONFIRM ×4, BID, REDHAT, CONFIRM)
    google -- chrome | Multiple use-after-free vulnerabilities in the DOM implementation in Blink, as used in Google Chrome before 41.0.2272.76, allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger movement of a SCRIPT element to different documents, related to (1) the HTMLScriptElement::didMoveToNewDocument function in core/html/HTMLScriptElement.cpp and (2) the SVGScriptElement::didMoveToNewDocument function in core/svg/SVGScriptElement.cpp. | 2015-03-08 | 7.5 | CVE-2015-1218 (CONFIRM ×2, BID, REDHAT, CONFIRM)
    google -- chrome | Integer overflow in the SkMallocPixelRef::NewAllocate function in core/SkMallocPixelRef.cpp in Skia, as used in Google Chrome before 41.0.2272.76, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger an attempted allocation of a large amount of memory during WebGL rendering. | 2015-03-08 | 7.5 | CVE-2015-1219 (CONFIRM ×2, BID, REDHAT, CONFIRM)
    google -- chrome | Use-after-free vulnerability in Blink, as used in Google Chrome before 41.0.2272.76, allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging incorrect ordering of operations in the Web SQL Database thread relative to Blink's main thread, related to the shutdown function in web/WebKit.cpp. | 2015-03-08 | 7.5 | CVE-2015-1221 (CONFIRM ×3, BID, REDHAT, CONFIRM)
    google -- chrome | Multiple use-after-free vulnerabilities in the ServiceWorkerScriptCacheMap implementation in content/browser/service_worker/service_worker_script_cache_map.cc in Google Chrome before 41.0.2272.76 allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger a ServiceWorkerContextWrapper::DeleteAndStartOver call, related to the NotifyStartedCaching and NotifyFinishedCaching functions. | 2015-03-08 | 7.5 | CVE-2015-1222 (CONFIRM ×2, BID, REDHAT, CONFIRM)
    google -- chrome | Multiple use-after-free vulnerabilities in core/html/HTMLInputElement.cpp in the DOM implementation in Blink, as used in Google Chrome before 41.0.2272.76, allow remote attackers to cause a denial of service or possibly have unspecified other impact via vectors that trigger extraneous change events, as demonstrated by events for invalid input or input to read-only fields, related to the initializeTypeInParsing and updateType functions. | 2015-03-08 | 7.5 | CVE-2015-1223 (CONFIRM ×2, BID, REDHAT, CONFIRM)
    google -- chrome | The DragImage::create function in platform/DragImage.cpp in Blink, as used in Google Chrome before 41.0.2272.76, does not initialize memory for image drawing, which allows remote attackers to have an unspecified impact by triggering a failed image decoding, as demonstrated by an image for which the default orientation cannot be used. | 2015-03-08 | 7.5 | CVE-2015-1227 (CONFIRM ×3, BID, REDHAT, CONFIRM)
    google -- chrome | The RenderCounter::updateCounter function in core/rendering/RenderCounter.cpp in Blink, as used in Google Chrome before 41.0.2272.76, does not force a relayout operation and consequently does not initialize memory for a data structure, which allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a crafted Cascading Style Sheets (CSS) token sequence. | 2015-03-08 | 7.5 | CVE-2015-1228 (CONFIRM ×2, BID, REDHAT, CONFIRM)
    google -- chrome | The getHiddenProperty function in bindings/core/v8/V8EventListenerList.h in Blink, as used in Google Chrome before 41.0.2272.76, has a name conflict with the AudioContext class, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via JavaScript code that adds an AudioContext event listener and triggers "type confusion." | 2015-03-08 | 7.5 | CVE-2015-1230 (CONFIRM ×2, BID, REDHAT, CONFIRM)
    google -- chrome | Multiple unspecified vulnerabilities in Google Chrome before 41.0.2272.76 allow attackers to cause a denial of service or possibly have other impact via unknown vectors. | 2015-03-08 | 7.5 | CVE-2015-1231 (CONFIRM ×31, REDHAT, CONFIRM)
    google -- chrome | Array index error in the MidiManagerUsb::DispatchSendMidiData function in media/midi/midi_manager_usb.cc in Google Chrome before 41.0.2272.76 allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging renderer access to provide an invalid port index that triggers an out-of-bounds write operation, a different vulnerability than CVE-2015-1212. | 2015-03-08 | 7.5 | CVE-2015-1232 (CONFIRM ×3)
    google -- chrome | Multiple unspecified vulnerabilities in Google V8 before 4.1.0.21, as used in Google Chrome before 41.0.2272.76, allow attackers to cause a denial of service or possibly have other impact via unknown vectors. | 2015-03-08 | 7.5 | CVE-2015-2238 (CONFIRM)
    hp -- ole_point_of_sale_driver | The OLE Point of Sale (OPOS) drivers before 1.13.003 on HP Point of Sale Windows PCs allow remote attackers to execute arbitrary code via vectors involving OPOSMICR.ocx for PUSB Thermal Receipt printers, SerialUSB Thermal Receipt printers, Hybrid POS printers with MICR, Value PUSB Receipt printers, and Value Serial/USB Receipt printers, aka ZDI-CAN-2512. | 2015-03-09 | 10.0 | CVE-2014-7888 (HP, SECTRACK)
    hp -- ole_point_of_sale_driver | The OLE Point of Sale (OPOS) drivers before 1.13.003 on HP Point of Sale Windows PCs allow remote attackers to execute arbitrary code via vectors involving OPOSLineDisplay.ocx for Retail RP7 VFD Customer Display monitors, Retail Integrated 2x20 Display monitors, Retail Integrated 2x20 Complex monitors, POS Pole Display monitors, Graphical POS Pole Display monitors, and LCD Pole Display monitors, aka ZDI-CAN-2511. | 2015-03-09 | 10.0 | CVE-2014-7889 (HP, SECTRACK)
    hp -- ole_point_of_sale_driver | The OLE Point of Sale (OPOS) drivers before 1.13.003 on HP Point of Sale Windows PCs allow remote attackers to execute arbitrary code via vectors involving OPOSToneIndicator.ocx for POS keyboards and POS keyboards with MSR, aka ZDI-CAN-2510. | 2015-03-09 | 10.0 | CVE-2014-7890 (HP, SECTRACK)
    hp -- ole_point_of_sale_driver | The OLE Point of Sale (OPOS) drivers before 1.13.003 on HP Point of Sale Windows PCs allow remote attackers to execute arbitrary code via vectors involving OPOSPOSKeyboard.ocx for POS keyboards and POS keyboards with MSR, aka ZDI-CAN-2509. | 2015-03-09 | 10.0 | CVE-2014-7891 (HP, SECTRACK)
    hp -- ole_point_of_sale_driver | The OLE Point of Sale (OPOS) drivers before 1.13.003 on HP Point of Sale Windows PCs allow remote attackers to execute arbitrary code via vectors involving OPOSMSR.ocx for Mini MSR magnetic stripe readers, Retail Integrated Dual-Head MSR magnetic stripe readers, Integrated Single Head MSR w/o SRED magnetic stripe readers, Integrated Single Head w/o MSR SRED magnetic stripe readers, RP7 Single Head MSR w/o SRED magnetic stripe readers, POS keyboards, and POS keyboards with MSR, aka ZDI-CAN-2508. | 2015-03-09 | 10.0 | CVE-2014-7892 (HP, SECTRACK)
    hp -- ole_point_of_sale_driver | The OLE Point of Sale (OPOS) drivers before 1.13.003 on HP Point of Sale Windows PCs allow remote attackers to execute arbitrary code via vectors involving OPOSCheckScanner.ocx for PUSB Thermal Receipt printers, SerialUSB Thermal Receipt printers, Hybrid POS printers with MICR, Value PUSB Receipt printers, and Value Serial/USB Receipt printers, aka ZDI-CAN-2507. | 2015-03-09 | 10.0 | CVE-2014-7893 (HP, SECTRACK)
    hp -- ole_point_of_sale_driver | The OLE Point of Sale (OPOS) drivers before 1.13.003 on HP Point of Sale Windows PCs allow remote attackers to execute arbitrary code via vectors involving OPOSPOSPrinter.ocx for PUSB Thermal Receipt printers, SerialUSB Thermal Receipt printers, Hybrid POS printers with MICR, Value PUSB Receipt printers, and Value Serial/USB Receipt printers, aka ZDI-CAN-2506. | 2015-03-09 | 10.0 | CVE-2014-7894 (HP, SECTRACK)
    hp -- ole_point_of_sale_driver | The OLE Point of Sale (OPOS) drivers before 1.13.003 on HP Point of Sale Windows PCs allow remote attackers to execute arbitrary code via vectors involving OPOSCashDrawer.ocx for PUSB Thermal Receipt printers, SerialUSB Thermal Receipt printers, Hybrid POS printers with MICR, Value PUSB Receipt printers, Value Serial/USB Receipt printers, and USB Standard Duty cash drawers, aka ZDI-CAN-2505. | 2015-03-09 | 10.0 | CVE-2014-7895 (HP, SECTRACK)
    hp -- ole_point_of_sale_driver | The OLE Point of Sale (OPOS) drivers before 1.13.003 on HP Point of Sale Windows PCs allow remote attackers to execute arbitrary code via vectors involving OPOSScanner.ocx for Imaging Barcode scanners, Linear Barcode scanners, Presentation Barcode scanners, Retail Integrated Barcode scanners, Wireless Barcode scanners, and 2D Value Wireless scanners. | 2015-03-09 | 10.0 | CVE-2014-7897 (HP, SECTRACK)
    hp -- ole_point_of_sale_driver | The OLE Point of Sale (OPOS) drivers before 1.13.003 on HP Point of Sale Windows PCs allow remote attackers to execute arbitrary code via unspecified vectors. | 2015-03-09 | 10.0 | CVE-2014-7898 (HP, SECTRACK)
    ibm -- java_sdk | Unspecified vulnerability in the Java Virtual Machine (JVM) in IBM SDK, Java Technology Edition 5.0 before SR16-FP9, 6 before SR16-FP3, 6R1 before SR8-FP3, 7 before SR8-FP10, and 7R1 before SR2-FP10 allows remote attackers to escape the Java sandbox and execute arbitrary code via unspecified vectors related to the security manager. | 2015-03-06 | 10.0 | CVE-2014-8891 (CONFIRM ×3, SUSE ×3)
    ibm -- java_sdk | Unspecified vulnerability in the Java Virtual Machine (JVM) in IBM SDK, Java Technology Edition 5.0 before SR16-FP9, 6 before SR16-FP3, 6R1 before SR8-FP3, 7 before SR8-FP10, and 7R1 before SR2-FP10 allows remote attackers to bypass intended access permissions and obtain sensitive information via unspecified vectors related to the security manager. | 2015-03-06 | 7.8 | CVE-2014-8892 (CONFIRM ×3, SUSE ×3)
    microsoft -- internet_explorer | vbscript.dll in Microsoft VBScript 5.6 through 5.8, as used with Internet Explorer 8 through 11 and other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "VBScript Memory Corruption Vulnerability." | 2015-03-11 | 9.3 | CVE-2015-0032 (MS ×2)
    microsoft -- internet_explorer | Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2015-1623 and CVE-2015-1626. | 2015-03-11 | 9.3 | CVE-2015-0056 (MS)
    microsoft -- windows_7 | The Windows Registry Virtualization feature in the kernel in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly restrict changes to virtual stores, which allows local users to gain privileges via a crafted application, aka "Registry Virtualization Elevation of Privilege Vulnerability." | 2015-03-11 | 7.2 | CVE-2015-0073 (MS)
    microsoft -- windows_2003_server | The kernel in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, and Windows 7 SP1 does not properly constrain impersonation levels, which allows local users to gain privileges via a crafted application, aka "Impersonation Level Check Elevation of Privilege Vulnerability." | 2015-03-11 | 7.2 | CVE-2015-0075 (MS)
    microsoft -- windows_8 | win32k.sys in the kernel-mode drivers in Microsoft Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly validate the token of a calling thread, which allows local users to gain privileges via a crafted application, aka "Win32k Elevation of Privilege Vulnerability." | 2015-03-11 | 7.2 | CVE-2015-0078 (MS)
    microsoft -- windows_7 | The Remote Desktop Protocol (RDP) implementation in Microsoft Windows 7 SP1, Windows 8, Windows 8.1, and Windows Server 2012 Gold and R2 allows remote attackers to cause a denial of service (memory consumption and RDP outage) by establishing many RDP sessions that do not properly free allocated memory, aka "Remote Desktop Protocol (RDP) Denial of Service Vulnerability." | 2015-03-11 | 7.8 | CVE-2015-0079 (MS)
    microsoft -- windows_2003_server | Windows Text Services (WTS) in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via a crafted (1) web site or (2) file, aka "WTS Remote Code Execution Vulnerability." | 2015-03-11 | 9.3 | CVE-2015-0081 (MS)
    microsoft -- excel | Use-after-free vulnerability in Microsoft Office 2007 SP3, Excel 2007 SP3, PowerPoint 2007 SP3, Word 2007 SP3, Office 2010 SP2, Excel 2010 SP2, PowerPoint 2010 SP2, Word 2010 SP2, Office 2013 Gold and SP1, Word 2013 Gold and SP1, Office 2013 RT Gold and SP1, Word 2013 RT Gold and SP1, Excel Viewer, Office Compatibility Pack SP3, Word Automation Services on SharePoint Server 2010 SP2, Excel Services on SharePoint Server 2013 Gold and SP1, Word Automation Services on SharePoint Server 2013 Gold and SP1, Web Applications 2010 SP2, Office Web Apps Server 2010 SP2, Web Apps Server 2013 Gold and SP1, SharePoint Server 2007 SP3, Windows SharePoint Services 3.0 SP3, SharePoint Foundation 2010 SP2, SharePoint Server 2010 SP2, SharePoint Foundation 2013 Gold and SP1, and SharePoint Server 2013 Gold and SP1 allows remote attackers to execute arbitrary code via a crafted Office document, aka "Microsoft Office Component Use After Free Vulnerability." | 2015-03-11 | 9.3 | CVE-2015-0085 (MS)
    microsoft -- office | Microsoft Word 2007 SP3, Office 2010 SP2, Word 2010 SP2, Word 2013 Gold and SP1, Word 2013 RT Gold and SP1, Word Viewer, Office Compatibility Pack SP3, Word Automation Services on SharePoint Server 2010 SP2, Word Automation Services on SharePoint Server 2013 Gold and SP1, Web Applications 2010 SP2, and Web Apps Server 2013 Gold and SP1 allow remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted RTF document, aka "Microsoft Office Memory Corruption Vulnerability." | 2015-03-11 | 9.3 | CVE-2015-0086 (MS)
    microsoft -- windows_7 | Adobe Font Driver in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via a crafted (1) web site or (2) file, aka "Adobe Font Driver Remote Code Execution Vulnerability," a different vulnerability than CVE-2015-0090, CVE-2015-0091, CVE-2015-0092, and CVE-2015-0093. | 2015-03-11 | 9.3 | CVE-2015-0088 (MS)
    microsoft -- windows_7 | Adobe Font Driver in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via a crafted (1) web site or (2) file, aka "Adobe Font Driver Remote Code Execution Vulnerability," a different vulnerability than CVE-2015-0088, CVE-2015-0091, CVE-2015-0092, and CVE-2015-0093. | 2015-03-11 | 9.3 | CVE-2015-0090 (MS)
    microsoft -- windows_7 | Adobe Font Driver in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via a crafted (1) web site or (2) file, aka "Adobe Font Driver Remote Code Execution Vulnerability," a different vulnerability than CVE-2015-0088, CVE-2015-0090, CVE-2015-0092, and CVE-2015-0093. | 2015-03-11 | 9.3 | CVE-2015-0091 (MS)
    microsoft -- windows_7 | Adobe Font Driver in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via a crafted (1) web site or (2) file, aka "Adobe Font Driver Remote Code Execution Vulnerability," a different vulnerability than CVE-2015-0088, CVE-2015-0090, CVE-2015-0091, and CVE-2015-0093. | 2015-03-11 | 9.3 | CVE-2015-0092 (MS)
    microsoft -- windows_7 | Adobe Font Driver in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code via a crafted (1) web site or (2) file, aka "Adobe Font Driver Remote Code Execution Vulnerability," a different vulnerability than CVE-2015-0088, CVE-2015-0090, CVE-2015-0091, and CVE-2015-0092. | 2015-03-11 | 9.3 | CVE-2015-0093 (MS)
    microsoft -- windows_7 | Untrusted search path vulnerability in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges via a Trojan horse DLL in the current working directory, leading to DLL loading during Windows Explorer access to the icon of a crafted shortcut, aka "DLL Planting Remote Code Execution Vulnerability." | 2015-03-11 | 9.3 | CVE-2015-0096 (MS)
    microsoft -- excel | Microsoft Excel 2007 SP3, PowerPoint 2007 SP3, Word 2007 SP3, Excel 2010 SP2, PowerPoint 2010 SP2, and Word 2010 SP2 allow remote attackers to execute arbitrary code via a crafted Office document, aka "Microsoft Word Local Zone Remote Code Execution Vulnerability." | 2015-03-11 | 9.3 | CVE-2015-0097 (MS)
    microsoft -- internet_explorer | Microsoft Internet Explorer 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." | 2015-03-11 | 9.3 | CVE-2015-0099 (MS)
    microsoft -- internet_explorer | Microsoft Internet Explorer 8 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." | 2015-03-11 | 9.3 | CVE-2015-0100 (MS)
    microsoft -- internet_explorer | Microsoft Internet Explorer 10 and 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability." | 2015-03-11 | 9.3 | CVE-2015-1622 (MS)
    microsoft -- internet_explorer | Microsoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2015-0056 and CVE-2015-1626. | 2015-03-11 | 9.3 | CVE-2015-1623 (MS)
    MS
    microsoft -- internet_explorerMicrosoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."2015-03-119.3CVE-2015-1624
    MS
    microsoft -- internet_explorerMicrosoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2015-1634.2015-03-119.3CVE-2015-1625
    MS
    microsoft -- internet_explorerMicrosoft Internet Explorer 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2015-0056 and CVE-2015-1623.2015-03-119.3CVE-2015-1626
    MS
    microsoft -- internet_explorerMicrosoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2015-1625.2015-03-119.3CVE-2015-1634
    MS
    nvidia -- gpu_driver_r304The NVIDIA Display Driver R304 before 309.08, R340 before 341.44, R343 before 345.20, and R346 before 347.52 does not properly validate local client impersonation levels when performing a "kernel administrator check," which allows local users to gain administrator privileges via unspecified API calls.2015-03-067.2CVE-2015-1170
    CONFIRM
    palosanto -- elastixSQL injection vulnerability in a2billing/customer/iridium_threed.php in Elastix 2.5.0 and earlier allows remote attackers to execute arbitrary SQL commands via the transactionID parameter.2015-03-117.5CVE-2015-1875
    MISC
    ptc -- creo_viewHeap-based buffer overflow in the browser plugin for PTC Creo View allows remote attackers to execute arbitrary code via vectors involving setting a large buffer to an unspecified attribute.2015-03-097.5CVE-2015-2061
    MISC
    MISC
    siemens -- spc4000_firmwareSiemens SPC controllers SPC4000, SPC5000, and SPC6000 before 3.6.0 allow remote attackers to cause a denial of service (device restart) via crafted packets.2015-03-067.8CVE-2014-9369
    CONFIRM
    siemens -- simatic_s7-300_cpuSiemens SIMATIC S7-300 CPU devices allow remote attackers to cause a denial of service (defect-mode transition) via crafted packets on (1) TCP port 102 or (2) Profibus.2015-03-067.8CVE-2015-2177
    CONFIRM
    solarwinds -- orion_ip_address_managerMultiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwinds Orion Platform 2015.1, as used in Network Performance Monitor (NPM) before 11.5, NetFlow Traffic Analyzer (NTA) before 4.1, Network Configuration Manager (NCM) before 7.3.2, IP Address Manager (IPAM) before 4.3, User Device Tracker (UDT) before 3.2, VoIP & Network Quality Manager (VNQM) before 4.2, Server & Application Manager (SAM) before 6.2, Web Performance Monitor (WPM) before 2.2, and possibly other Solarwinds products, allow remote authenticated users to execute arbitrary SQL commands via the (1) dir or (2) sort parameter to the (a) GetAccounts or (b) GetAccountGroups endpoint.2015-03-107.5CVE-2014-9566
    MISC
    CONFIRM
    EXPLOIT-DB
    MISC
    FULLDISC
    MISC
    OSVDB
    theforeman -- foremanSmart Proxy (aka Smart-Proxy and foreman-proxy) in Foreman before 1.5.4 and 1.6.x before 1.6.2 does not validate SSL certificates, which allows remote attackers to bypass intended authentication and execute arbitrary API request via a request without a certificate.2015-03-097.5CVE-2014-3691
    CONFIRM
    CONFIRM
    REDHAT
    REDHAT
    CONFIRM
    ubuntu -- upstartThe logrotation script (/etc/cron.daily/upstart) in the Ubuntu Upstart package before 1.13.2-0ubuntu9, as used in Ubuntu Vivid 15.04, allows local users to execute arbitrary commands and gain privileges via a crafted file in /run/user/*/upstart/sessions/.2015-03-127.2CVE-2015-2285
    CONFIRM
    MISC
    FULLDISC
    MISC
    webgate -- webgate_embedded_standard_protocol_sdkMultiple buffer overflows in WebGate Embedded Standard Protocol (WESP) SDK allow remote attackers to execute arbitrary code via unspecified vectors to the (1) LoadImage or (2) LoadImageEx function in the WESPMonitor.WESPMonitorCtrl.1 control, (3) ChangePassword function in the WESPCONFIGLib.UserItem control, Connect function in the (4) WESPSerialPort.WESPSerialPortCtrl.1 or (5) WESPPLAYBACKLib.WESPPlaybackCtrl control, or (6) AddID function in the WESPCONFIGLib.IDList control or a (7) long string to the second argument to the ConnectEx3 function in the WESPPLAYBACKLib.WESPPlaybackCtrl control.2015-03-097.5CVE-2015-2097
    MISC
    MISC
    MISC
    FULLDISC
    webgateinc -- winrdsStack-based buffer overflow in the WESPPlayback.WESPPlaybackCtrl.1 control in WebGate WinRDS allows remote attackers to execute arbitrary code via unspecified vectors to the (1) PrintSiteImage, (2) PlaySiteAllChannel, (3) StopSiteAllChannel, or (4) SaveSiteImage function.2015-03-097.5CVE-2015-2094
    MISC
    MISC
    MISC
    MISC
    webshophun -- webshop_hunMultiple SQL injection vulnerabilities in Webshop hun 1.062S allow remote attackers to execute arbitrary SQL commands via the (1) termid or (2) nyelv_id parameter to index.php.2015-03-097.5CVE-2015-2242
    MISC
    FULLDISC
    MISC
    webshophun -- webshop_hunDirectory traversal vulnerability in Webshop hun 1.062S allows remote attackers to have unspecified impact via directory traversal sequences in the mappa parameter to index.php.2015-03-097.5CVE-2015-2243
    MISC
    FULLDISC
    MISC
    xen -- xenThe x86 emulator in Xen 3.2.x through 4.5.x does not properly ignore segment overrides for instructions with register operands, which allows local guest users to obtain sensitive information, cause a denial of service (memory corruption), or possibly execute arbitrary code via unspecified vectors.2015-03-127.2CVE-2015-2151
    CONFIRM
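In the text extraction of this bulletin each table row arrives as a single line with the Published date, CVSS score and CVE id fused onto the end of the description, and the Source & Patch Info tags (MS, CONFIRM, EXPLOIT-DB, ...) on the lines that follow. The script below is an added example, not part of the US-CERT bulletin, that parses rows in that form and orders them for patch triage: rows carrying an EXPLOIT-DB reference (a public exploit exists) first, then by CVSS base score, with the NVD CVSS v2 buckets (High 7.0-10.0, Medium 4.0-6.9, Low 0.0-3.9) that the section headings use. Its sample input is five rows copied from this bulletin with their reference tags trimmed to the first few; which tags count as a vendor or distributor advisory (CONFIRM, MS, REDHAT, DEBIAN, APPLE, AIXAPAR) is an assumption based on the usual CVE reference-source conventions, and the product name stays fused with the description because extraction removed that cell boundary.

```python
"""Triage helper for a flattened US-CERT weekly vulnerability bulletin.

Added example (not part of the bulletin).  After HTML-to-text extraction
each table row survives as one line with the cell boundaries lost:

    vendor -- product<description><YYYY-MM-DD><CVSS score><CVE-ID>

followed by one line per tag from the "Source & Patch Info" column.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List

# A row line: vendor, then product fused with the description, then the
# publication date, CVSS v2 base score and CVE id run together at the end.
# The product/description boundary is not recoverable in general (some
# descriptions start with a lowercase file path), so it is kept as one field.
ROW_RE = re.compile(
    r"^(?P<vendor>\S+) -- (?P<text>.+?)"
    r"(?P<published>\d{4}-\d{2}-\d{2})"
    r"(?P<score>10\.0|\d\.\d)"
    r"(?P<cve>CVE-\d{4}-\d{4,})$"
)
# Reference tags are short upper-case tokens on their own line.
REF_RE = re.compile(r"^[A-Z][A-Z0-9-]*$")
# Tags treated as a vendor/distributor advisory, i.e. a fix or official
# guidance exists.  Assumption: CVE reference-source conventions (AIXAPAR
# is an IBM APAR); adjust for the tags your own feed uses.
VENDOR_ADVISORY = {"CONFIRM", "MS", "REDHAT", "DEBIAN", "APPLE", "AIXAPAR"}


@dataclass
class Entry:
    vendor: str
    text: str            # product token fused with the NVD description
    published: str
    score: float
    cve: str
    refs: List[str] = field(default_factory=list)

    @property
    def severity(self) -> str:
        # NVD CVSS v2 buckets, the same ones the bulletin's section headings use.
        if self.score >= 7.0:
            return "High"
        if self.score >= 4.0:
            return "Medium"
        return "Low"

    @property
    def public_exploit(self) -> bool:
        return "EXPLOIT-DB" in self.refs

    @property
    def vendor_advisory(self) -> bool:
        return bool(VENDOR_ADVISORY & set(self.refs))


def parse_bulletin(lines: Iterable[str]) -> List[Entry]:
    """Turn flattened bulletin lines into Entry records, attaching each
    reference tag to the row that precedes it.  Section headings and
    navigation text match neither pattern and are skipped."""
    entries: List[Entry] = []
    for raw in lines:
        line = raw.strip()
        m = ROW_RE.match(line)
        if m:
            entries.append(Entry(m["vendor"], m["text"], m["published"],
                                 float(m["score"]), m["cve"]))
        elif entries and REF_RE.match(line):
            entries[-1].refs.append(line)
    return entries


def prioritize(entries: List[Entry]) -> List[Entry]:
    """Patch order: public exploit first, then highest score, then CVE id."""
    return sorted(entries, key=lambda e: (not e.public_exploit, -e.score, e.cve))


def severity_counts(entries: List[Entry]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.severity] = counts.get(e.severity, 0) + 1
    return counts


# Constructed sample: five rows copied from this bulletin, reference tags
# trimmed to the first few, plus two non-row lines to show they are ignored.
SAMPLE = """\
palosanto -- elastixSQL injection vulnerability in a2billing/customer/iridium_threed.php in Elastix 2.5.0 and earlier allows remote attackers to execute arbitrary SQL commands via the transactionID parameter.2015-03-117.5CVE-2015-1875
MISC
Back to top
Medium Vulnerabilities
ajsquare -- zeuscartCross-site scripting (XSS) vulnerability in ZeusCart 4.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the search parameter in a search action to index.php.2015-03-114.3CVE-2010-5322
MISC
BID
EXPLOIT-DB
apache -- mod-gnutlsThe authentication hook (mgs_hook_authz) in mod-gnutls 0.5.10 and earlier does not validate client certificates when "GnuTLSClientVerify require" is set, which allows remote attackers to spoof clients via a crafted certificate.2015-03-135.0CVE-2015-2091
CONFIRM
DEBIAN
MISC
wotlab -- community_galleryCross-site scripting (XSS) vulnerability in WoltLab Community Gallery 2.0 before 2014-12-26 allows remote attackers to inject arbitrary web script or HTML via the parameters[data][7][title] parameter in a saveImageData action to index.php/AJAXProxy.2015-03-124.3CVE-2015-2275
BUGTRAQ
MISC
apple -- iphone_osSpringboard in Apple iOS before 8.2 allows physically proximate attackers to bypass an intended activation requirement and read the home screen by leveraging an application crash during the activation process.2015-03-121.9CVE-2015-1064
CONFIRM
APPLE
"""

if __name__ == "__main__":
    for e in prioritize(parse_bulletin(SAMPLE.splitlines())):
        flags = ("exploit " if e.public_exploit else "") + ("advisory" if e.vendor_advisory else "")
        print(f"{e.cve:15} {e.score:4} {e.severity:6} {e.vendor:12} {flags}")
```

The regex is anchored at the end of the line so that a date inside the description (the WoltLab row's "before 2014-12-26") cannot be mistaken for the Published column; the lazy description match backtracks until date, score and CVE id all fit. For the sample the ranking puts the ZeusCart row (4.3, but with a public exploit) ahead of the Elastix SQL injection (7.5, no vendor fix referenced), which is the point: severity alone is not the patch order.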

    Medium Vulnerabilities

    Primary
    Vendor -- Product
    DescriptionPublishedCVSS ScoreSource & Patch Info
    ajsquare -- zeuscartCross-site scripting (XSS) vulnerability in ZeusCart 4.0 and earlier allows remote attackers to inject arbitrary web script or HTML via the search parameter in a search action to index.php.2015-03-114.3CVE-2010-5322
    MISC
    BID
    EXPLOIT-DB
    MISC
    MISC
    MISC
    MLIST
    FULLDISC
    MISC
    OSVDB
    ajsquare -- zeuscartMultiple cross-site scripting (XSS) vulnerabilities in ZeusCart 4 allow remote attackers to inject arbitrary web script or HTML via the (1) schltr parameter in a brands action or (2) brand parameter in a viewbrands action to index.php. NOTE: The search parameter vector is already covered by CVE-2010-5322.2015-03-114.3CVE-2015-2182
    MISC
    BID
    EXPLOIT-DB
    MISC
    MISC
    MISC
    MLIST
    MLIST
    FULLDISC
    MISC
    OSVDB
    ajsquare -- zeuscartZeusCart 4 allows remote attackers to obtain configuration information via a getphpinfo action to admin/, which calls the phpinfo function.2015-03-105.0CVE-2015-2184
    MISC
    BID
    EXPLOIT-DB
    MISC
    MLIST
    MLIST
    FULLDISC
    MISC
    apache -- http_serverThe lua_websocket_read function in lua_request.c in the mod_lua module in the Apache HTTP Server through 2.4.12 allows remote attackers to cause a denial of service (child-process crash) by sending a crafted WebSocket Ping frame after a Lua script has called the wsupgrade function.2015-03-075.0CVE-2015-0228
    CONFIRM
    CONFIRM
    apache -- mod-gnutlsThe authentication hook (mgs_hook_authz) in mod-gnutls 0.5.10 and earlier does not validate client certificates when "GnuTLSClientVerify require" is set, which allows remote attackers to spoof clients via a crafted certificate.2015-03-135.0CVE-2015-2091
    CONFIRM
    DEBIAN
    MISC
    apple -- apple_tvMobileStorageMounter in Apple iOS before 8.2 and Apple TV before 7.1 does not delete invalid disk-image folders, which allows attackers to create folders in arbitrary filesystem locations via a crafted app.2015-03-125.0CVE-2015-1062
    CONFIRM
    CONFIRM
    APPLE
    APPLE
    apple -- iphone_osMultiple buffer overflows in iCloud Keychain in Apple iOS before 8.2 and Apple OS X through 10.10.2 allow man-in-the-middle attackers to execute arbitrary code by modifying the client-server data stream during keychain recovery.2015-03-125.4CVE-2015-1065
    CONFIRM
    CONFIRM
    APPLE
    APPLE
    apple -- apple_tvSecure Transport in Apple iOS before 8.2, Apple OS X through 10.10.2, and Apple TV before 7.1 does not properly restrict TLS state transitions, which makes it easier for remote attackers to conduct cipher-downgrade attacks to EXPORT_RSA ciphers via crafted TLS traffic, related to the "FREAK" issue, a different vulnerability than CVE-2015-0204 and CVE-2015-1637.2015-03-105.0CVE-2015-1067
    CONFIRM
    CONFIRM
    CONFIRM
    MISC
    APPLE
    APPLE
    APPLE
    bestpractical -- request_trackerRT (aka Request Tracker) 3.8.8 through 4.x before 4.0.23 and 4.2.x before 4.2.10 allows remote attackers to obtain sensitive RSS feed URLs and ticket data via unspecified vectors.2015-03-095.0CVE-2015-1165
    DEBIAN
    CONFIRM
    bestpractical -- request_trackerRT (aka Request Tracker) before 4.0.23 and 4.2.x before 4.2.10 allows remote attackers to hijack sessions via an RSS feed URL.2015-03-096.4CVE-2015-1464
    DEBIAN
    CONFIRM
    cfdbplugin -- contact_form_dbCross-site request forgery (CSRF) vulnerability in the Contact Form DB (aka CFDB and contact-form-7-to-database-extension) plugin before 2.8.32 for WordPress allows remote attackers to hijack the authentication of administrators for requests that delete all plugin records via a request in the CF7DBPluginSubmissions page to wp-admin/admin.php.2015-03-096.8CVE-2015-1874
    CONFIRM
    MISC
    FULLDISC
    MISC
    djangoproject -- djangoCross-site scripting (XSS) vulnerability in the contents function in admin/helpers.py in Django before 1.7.6 and 1.8 before 1.8b2 allows remote attackers to inject arbitrary web script or HTML via a model attribute in ModelAdmin.readonly_fields, as demonstrated by a @property.2015-03-124.3CVE-2015-2241
    CONFIRM
    CONFIRM
    emc -- rsa_certificate_managerCross-site scripting (XSS) vulnerability in EMC RSA Certificate Manager (RCM) before 6.9 build 558 and RSA Registration Manager (RRM) before 6.9 build 558 allows remote attackers to inject arbitrary web script or HTML via vectors related to the email address parameter.2015-03-124.3CVE-2015-0522
    BUGTRAQ
    fedoraproject -- 389_directory_server389 Directory Server before 1.3.2.27 and 1.3.3.x before 1.3.3.9 does not properly restrict access to the "cn=changelog" LDAP sub-tree, which allows remote attackers to obtain sensitive information from the changelog via unspecified vectors.2015-03-105.0CVE-2014-8105
    REDHAT
    REDHAT
    CONFIRM
    CONFIRM
    fedoraproject -- 389_directory_server389 Directory Server 1.3.1.x, 1.3.2.x before 1.3.2.27, and 1.3.3.x before 1.3.3.9 stores "unhashed" passwords even when the nsslapd-unhashed-pw-switch option is set to off, which allows remote authenticated users to obtain sensitive information by reading the Changelog.2015-03-104.0CVE-2014-8112
    CONFIRM
    REDHAT
    CONFIRM
    CONFIRM
    google -- chromecontent/renderer/device_sensors/device_motion_event_pump.cc in Google Chrome before 41.0.2272.76 does not properly restrict access to high-rate accelerometer data, which makes it easier for remote attackers to capture keystrokes via a crafted web site that listens for ondevicemotion events, a different vulnerability than CVE-2015-1231.2015-03-085.0CVE-2011-5319
    CONFIRM
    CONFIRM
    MISC
    CONFIRM
    MISC
    google -- chromecontent/renderer/device_sensors/device_orientation_event_pump.cc in Google Chrome before 41.0.2272.76 does not properly restrict access to high-rate gyroscope data, which makes it easier for remote attackers to obtain speech signals from a device's physical environment via a crafted web site that listens for ondeviceorientation events, a different vulnerability than CVE-2015-1231.2015-03-085.0CVE-2014-9689
    MISC
    MISC
    CONFIRM
    CONFIRM
    CONFIRM
    google -- chromeUse-after-free vulnerability in the GIFImageReader::parseData function in platform/image-decoders/gif/GIFImageReader.cpp in Blink, as used in Google Chrome before 41.0.2272.76, allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted frame size in a GIF image.2015-03-086.8CVE-2015-1220
    CONFIRM
    CONFIRM
    BID
    REDHAT
    CONFIRM
    google -- chromeThe VpxVideoDecoder::VpxDecode function in media/filters/vpx_video_decoder.cc in the vpxdecoder implementation in Google Chrome before 41.0.2272.76 does not ensure that alpha-plane dimensions are identical to image dimensions, which allows remote attackers to cause a denial of service (out-of-bounds read) via crafted VPx video data.2015-03-085.0CVE-2015-1224
    CONFIRM
    CONFIRM
    BID
    REDHAT
    CONFIRM
    google -- chromePDFium, as used in Google Chrome before 41.0.2272.76, allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors.2015-03-085.0CVE-2015-1225
    CONFIRM
    BID
    REDHAT
    CONFIRM
    google -- chromeThe DebuggerFunction::InitAgentHost function in browser/extensions/api/debugger/debugger_api.cc in Google Chrome before 41.0.2272.76 does not properly restrict what URLs are available as debugger targets, which allows remote attackers to bypass intended access restrictions via a crafted extension.2015-03-085.0CVE-2015-1226
    CONFIRM
    CONFIRM
    BID
    REDHAT
    CONFIRM
    google -- chromenet/http/proxy_client_socket.cc in Google Chrome before 41.0.2272.76 does not properly handle a 407 (aka Proxy Authentication Required) HTTP status code accompanied by a Set-Cookie header, which allows remote proxy servers to conduct cookie-injection attacks via a crafted response.2015-03-085.0CVE-2015-1229
    CONFIRM
    CONFIRM
    BID
    REDHAT
    CONFIRM
    google -- chromeGoogle Chrome before 41.0.2272.76, when Instant Extended mode is used, does not properly consider the interaction between the "1993 search" features and restore-from-disk RELOAD transitions, which makes it easier for remote attackers to spoof the address bar for a search-results page by leveraging (1) a compromised search engine or (2) an XSS vulnerability in a search engine, a different vulnerability than CVE-2015-1231.2015-03-084.3CVE-2015-2239
    CONFIRM
    CONFIRM
    CONFIRM
    ibm -- websphere_portalCross-site request forgery (CSRF) vulnerability in IBM WebSphere Portal 8.0.0 through 8.0.0.1 CF15 and 8.5.0 before CF05 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences.2015-03-126.8CVE-2014-6214
    CONFIRM
    AIXAPAR
    ibm -- websphere_commerceIBM WebSphere Commerce 7.0 Feature Pack 4 through 8 allows remote attackers to read arbitrary files and possibly obtain administrative privileges via an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.2015-03-125.0CVE-2015-0133
    CONFIRM
    AIXAPAR
    libssh2 -- libssh2The kex_agree_methods function in libssh2 before 1.5.0 allows remote servers to cause a denial of service (crash) or have other unspecified impact via crafted length values in an SSH_MSG_KEXINIT packet.2015-03-136.8CVE-2015-1782
    CONFIRM
    DEBIAN
    microsoft -- windows_2003_serverThe NETLOGON service in Microsoft Windows Server 2003 SP2, Windows Server 2008 SP2 and R2 SP1, and Windows Server 2012 Gold and R2, when a Domain Controller is configured, allows remote attackers to spoof the computer name of a secure channel's endpoint, and obtain sensitive session information, by running a crafted application and leveraging the ability to sniff network traffic, aka "NETLOGON Spoofing Vulnerability."2015-03-114.3CVE-2015-0005
    MS
    microsoft -- windows_2003_serverAdobe Font Driver in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly allocate memory, which allows remote attackers to cause a denial of service via a crafted (1) web site or (2) file, aka "Adobe Font Driver Denial of Service Vulnerability."2015-03-114.3CVE-2015-0074
    MS
    microsoft -- windows_2003_serverThe photo-decoder implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly initialize memory for rendering of JXR images, which allows remote attackers to obtain sensitive information from process memory via a crafted web site, aka "JPEG XR Parser Information Disclosure Vulnerability."2015-03-114.3CVE-2015-0076
    MS
    microsoft -- windows_2003_serverMicrosoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 do not properly initialize memory for rendering of malformed PNG images, which allows remote attackers to obtain sensitive information from process memory via a crafted web site, aka "Malformed PNG Parsing Information Disclosure Vulnerability."2015-03-114.3CVE-2015-0080
    MS
    microsoft -- windows_7Adobe Font Driver in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to obtain sensitive information from kernel memory, and possibly bypass the KASLR protection mechanism, via a crafted font, aka "Adobe Font Driver Information Disclosure Vulnerability," a different vulnerability than CVE-2015-0089.2015-03-115.0CVE-2015-0087
    MS
    microsoft -- windows_7Adobe Font Driver in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to obtain sensitive information from kernel memory, and possibly bypass the KASLR protection mechanism, via a crafted font, aka "Adobe Font Driver Information Disclosure Vulnerability," a different vulnerability than CVE-2015-0087.2015-03-115.0CVE-2015-0089
    MS
    microsoft -- windows_7The kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow local users to cause a denial of service (NULL pointer dereference and blue screen), or obtain sensitive information from kernel memory and possibly bypass the ASLR protection mechanism, via a crafted application, aka "Microsoft Windows Kernel Memory Disclosure Vulnerability."2015-03-115.6CVE-2015-0095
    MS
    microsoft -- internet_explorerMicrosoft Internet Explorer 7 through 11 allows remote attackers to gain privileges via a crafted web site, aka "Internet Explorer Elevation of Privilege Vulnerability."2015-03-114.3CVE-2015-1627
    MS
    microsoft -- exchange_serverCross-site scripting (XSS) vulnerability in Outlook Web App (OWA) in Microsoft Exchange Server 2013 SP1 and Cumulative Update 7 allows remote attackers to inject arbitrary web script or HTML via a crafted X-OWA-Canary cookie in an AD.RecipientType.User action, aka "OWA Modified Canary Parameter Cross Site Scripting Vulnerability."2015-03-114.3CVE-2015-1628
    MS
    microsoft -- exchange_serverCross-site scripting (XSS) vulnerability in Outlook Web App (OWA) in Microsoft Exchange Server 2013 SP1 and Cumulative Update 7 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka "ExchangeDLP Cross Site Scripting Vulnerability."2015-03-114.3CVE-2015-1629
    MS
    microsoft -- exchange_serverCross-site scripting (XSS) vulnerability in Outlook Web App (OWA) in Microsoft Exchange Server 2013 SP1 and Cumulative Update 7 allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka "Audit Report Cross Site Scripting Vulnerability."2015-03-114.3CVE-2015-1630
    MS
    microsoft -- exchange_serverMicrosoft Exchange Server 2013 SP1 and Cumulative Update 7 allows remote attackers to spoof meeting organizers via unspecified vectors, aka "Exchange Forged Meeting Request Spoofing Vulnerability."2015-03-115.0CVE-2015-1631
    MS
    microsoft -- exchange_serverCross-site scripting (XSS) vulnerability in errorfe.aspx in Outlook Web App (OWA) in Microsoft Exchange Server 2013 SP1 and Cumulative Update 7 allows remote attackers to inject arbitrary web script or HTML via the msgParam parameter in an authError action, aka "Exchange Error Message Cross Site Scripting Vulnerability."2015-03-114.3CVE-2015-1632
    MS
    microsoft -- windows_2003_serverSchannel (aka Secure Channel) in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly restrict TLS state transitions, which makes it easier for remote attackers to conduct cipher-downgrade attacks to EXPORT_RSA ciphers via crafted TLS traffic, related to the "FREAK" issue, a different vulnerability than CVE-2015-0204 and CVE-2015-1067.2015-03-065.0CVE-2015-1637
    CONFIRM
    MISC
    MS
    myupb -- ultimate_php_boardMultiple cross-site scripting (XSS) vulnerabilities in Ultimate PHP Board (aka myUPB) 2.2.7 allow remote attackers to inject arbitrary web script or HTML via the (1) q parameter to search.php or (2) avatar parameter to profile.php.2015-03-104.3CVE-2015-2217
    BUGTRAQ
    MISC
    phpmyadmin -- phpmyadminlibraries/select_lang.lib.php in phpMyAdmin 4.0.x before 4.0.10.9, 4.2.x before 4.2.13.2, and 4.3.x before 4.3.11.1 includes invalid language values in unknown-language error responses that contain a CSRF token and may be sent with HTTP compression, which makes it easier for remote attackers to conduct a BREACH attack and determine this token via a series of crafted requests.2015-03-095.0CVE-2015-2206
    CONFIRM
    CONFIRM
    pivotal_software -- spring_frameworkThe Java SockJS client in Pivotal Spring Framework 4.1.x before 4.1.5 generates predictable session ids, which allows remote attackers to send messages to other sessions via unspecified vectors.2015-03-105.0CVE-2015-0201
    CONFIRM
    redhat -- openstackThe log-viewing function in the Red Hat redhat-access-plugin before 6.0.3 for OpenStack Dashboard (horizon) allows remote attackers to read arbitrary files via a crafted path.2015-03-104.0CVE-2015-0271
    REDHAT
    siemens -- simatic_cfcUntrusted search path vulnerability in Siemens SIMATIC ProSave before 13 SP1; SIMATIC CFC before 8.0 SP4 Upd9 and 8.1 before Upd1; SIMATIC STEP 7 before 5.5 SP1 HF2, 5.5 SP2 before HF7, 5.5 SP3, and 5.5 SP4 before HF4; SIMOTION Scout before 4.4; and STARTER before 4.4 HF3 allows local users to gain privileges via a Trojan horse application file.2015-03-066.9CVE-2015-1594
    CONFIRM
    siemens -- spcanywhereThe Siemens SPCanywhere application for Android and iOS does not use encryption during lookups of system ID to IP address mappings, which allows man-in-the-middle attackers to discover alarm IP addresses and spoof servers by intercepting the client-server data stream.2015-03-064.3CVE-2015-1595
    CONFIRM
    siemens -- spcanywhereThe Siemens SPCanywhere application for Android and iOS does not properly verify X.509 certificates from SSL servers, which allows man-in-the-middle attackers to spoof servers and obtain sensitive information via a crafted certificate.2015-03-065.8CVE-2015-1596
    CONFIRM
    siemens -- spcanywhereThe Siemens SPCanywhere application for Android does not use encryption during the loading of code, which allows man-in-the-middle attackers to execute arbitrary code by modifying the client-server data stream.2015-03-066.8CVE-2015-1597
    CONFIRM
    telerik -- analytics_monitor_libraryMultiple untrusted search path vulnerabilities in (1) EQATEC.Analytics.Monitor.Win32_vc100.dll and (2) EQATEC.Analytics.Monitor.Win32_vc100-x64.dll in Telerik Analytics Monitor Library before 3.2.125 allow local users to gain privileges via a Trojan horse (a) csunsapi.dll, (b) swift.dll, (c) nfhwcrhk.dll, or (d) surewarehook.dll file in an unspecified directory.2015-03-126.9CVE-2015-2264
    CERT-VN
    tips_and_tricks_hq -- all_in_one_wordpress_security_and_firewallSQL injection vulnerability in the All In One WP Security & Firewall plugin before 3.8.8 for WordPress allows remote attackers to execute arbitrary SQL commands via unspecified vectors.2015-03-066.0CVE-2015-0894
    CONFIRM
    JVNDB
    JVN
    tips_and_tricks_hq -- all_in_one_wordpress_security_and_firewallCross-site request forgery (CSRF) vulnerability in the All In One WP Security & Firewall plugin before 3.9.0 for WordPress allows remote attackers to hijack the authentication of administrators for requests that delete logs of 404 (aka Not Found) HTTP status codes.2015-03-066.8CVE-2015-0895
    CONFIRM
    JVNDB
    JVN
    unace_project -- unaceInteger overflow in unace 1.2b allows remote attackers to cause a denial of service (crash) via a small file header in an ace archive, which triggers a buffer overflow.2015-03-094.3CVE-2015-2063
    CONFIRM
    MLIST
    DEBIAN
    webgateinc -- webeyeaudioStack-based buffer overflow in the Connect function in the WebGate WebEyeAudio ActiveX control allows remote attackers to execute arbitrary code via a crafted value.2015-03-096.8CVE-2015-2093
    MISC
    webgateinc -- edvr_managerHeap-based buffer overflow in the SetConnectInfo function in the WESPPTZ.WESPPTZCtrl.1 ActiveX control in WebGate eDVR Manager allows remote attackers to execute arbitrary code via crafted arguments.2015-03-096.8CVE-2015-2095
    MISC
    webgateinc -- edvr_managerUse-after-free vulnerability in the Connect function in the WESPMonitor.WESPMonitorCtrl.1 ActiveX control in WebGate eDVR Manager allows remote attackers to execute arbitrary code via an invalid IP address and a page reload.2015-03-096.8CVE-2015-2096
    MISC
    webshophun -- webshop_hunMultiple cross-site scripting (XSS) vulnerabilities in Webshop hun 1.062S allow remote attackers to inject arbitrary web script or HTML via the (1) param, (2) center, (3) lap, (4) termid, or (5) nyelv_id parameter to index.php.2015-03-094.3CVE-2015-2244
    MISC
    FULLDISC
    MISC
    wireshark -- wiresharkThe dissect_atn_cpdlc_heur function in asn1/atn-cpdlc/packet-atn-cpdlc-template.c in the ATN-CPDLC dissector in Wireshark 1.12.x before 1.12.4 does not properly follow the TRY/ENDTRY code requirements, which allows remote attackers to cause a denial of service (stack memory corruption and application crash) via a crafted packet.2015-03-075.0CVE-2015-2187
    CONFIRM
    CONFIRM
    CONFIRM
    wireshark -- wiresharkepan/dissectors/packet-wcp.c in the WCP dissector in Wireshark 1.10.x before 1.10.13 and 1.12.x before 1.12.4 does not properly initialize a data structure, which allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via a crafted packet that is improperly handled during decompression.2015-03-075.0CVE-2015-2188
    CONFIRM
    CONFIRM
    CONFIRM
    wireshark -- wiresharkOff-by-one error in the pcapng_read function in wiretap/pcapng.c in the pcapng file parser in Wireshark 1.10.x before 1.10.13 and 1.12.x before 1.12.4 allows remote attackers to cause a denial of service (out-of-bounds read and application crash) via an invalid Interface Statistics Block (ISB) interface ID in a crafted packet.2015-03-075.0CVE-2015-2189
    CONFIRM
    CONFIRM
    CONFIRM
    wireshark -- wiresharkepan/proto.c in Wireshark 1.12.x before 1.12.4 does not properly handle integer data types greater than 32 bits in size, which allows remote attackers to cause a denial of service (assertion failure and application exit) via a crafted packet that is improperly handled by the LLDP dissector.2015-03-075.0CVE-2015-2190
    CONFIRM
    CONFIRM
    CONFIRM
    wireshark -- wiresharkInteger overflow in the dissect_tnef function in epan/dissectors/packet-tnef.c in the TNEF dissector in Wireshark 1.10.x before 1.10.13 and 1.12.x before 1.12.4 allows remote attackers to cause a denial of service (infinite loop) via a crafted length field in a packet.2015-03-075.0CVE-2015-2191
    CONFIRM
    CONFIRM
    CONFIRM
    wireshark -- wiresharkInteger overflow in the dissect_osd2_cdb_continuation function in epan/dissectors/packet-scsi-osd.c in the SCSI OSD dissector in Wireshark 1.12.x before 1.12.4 allows remote attackers to cause a denial of service (infinite loop) via a crafted length field in a packet.2015-03-075.0CVE-2015-2192
    CONFIRM
    CONFIRM
    CONFIRM
    wotlab -- community_galleryCross-site scripting (XSS) vulnerability in WoltLab Community Gallery 2.0 before 2014-12-26 allows remote attackers to inject arbitrary web script or HTML via the parameters[data][7][title] parameter in a saveImageData action to index.php/AJAXProxy.2015-03-124.3CVE-2015-2275
    BUGTRAQ
    MISC
    FULLDISC
    MISC
    xen -- xenXen 3.3.x through 4.5.x does not properly restrict access to PCI command registers, which might allow local guest users to cause a denial of service (non-maskable interrupt and host crash) by disabling the (1) memory or (2) I/O decoding for a PCI Express device and then accessing the device, which triggers an Unsupported Request (UR) response.2015-03-124.9CVE-2015-2150
    CONFIRM
    zohocorp -- manageengine_admanager_plus
    Multiple cross-site scripting (XSS) vulnerabilities in ZOHO ManageEngine ADManager Plus before 6.2 Build 6270 allow remote attackers to inject arbitrary web script or HTML via the (1) technicianSearchText parameter to the Help Desk Technician page or (2) rolesSearchText parameter to the Help Desk Roles. 2015-03-11 4.3 CVE-2015-1026
    BUGTRAQ

    Low Vulnerabilities

    Primary
    Vendor -- Product
    Description Published CVSS Score Source & Patch Info
    apple -- iphone_os
    Springboard in Apple iOS before 8.2 allows physically proximate attackers to bypass an intended activation requirement and read the home screen by leveraging an application crash during the activation process. 2015-03-12 1.9 CVE-2015-1064
    CONFIRM
    APPLE
    emc -- rsa_certificate_manager
    Cross-site scripting (XSS) vulnerability in EMC RSA Certificate Manager (RCM) before 6.9 build 558 and RSA Registration Manager (RRM) before 6.9 build 558 allows remote authenticated users to inject arbitrary web script or HTML via vectors related to the CMP shared secret parameter. 2015-03-12 3.5 CVE-2015-0521
    BUGTRAQ
    ibm -- rational_quality_manager
    Cross-site scripting (XSS) vulnerability in IBM Rational Quality Manager (RQM) 2.x and 3.x before 3.0.1.6 iFix 5, 4.x before 4.0.7 iFix3, and 5.x before 5.0.2 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL. 2015-03-12 3.5 CVE-2014-6144
    CONFIRM
    ibm -- rational_team_concert
    Cross-site scripting (XSS) vulnerability in IBM Rational Team Concert 2.x and 3.x before 3.0.1.6 iFix 5, 4.x before 4.0.7 iFix3, and 5.x before 5.0.2 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL, a different vulnerability than CVE-2015-0123. 2015-03-12 3.5 CVE-2015-0122
    CONFIRM
    ibm -- rational_team_concert
    Cross-site scripting (XSS) vulnerability in IBM Rational Team Concert 2.x and 3.x before 3.0.1.6 iFix 5, 4.x before 4.0.7 iFix3, and 5.x before 5.0.2 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL, a different vulnerability than CVE-2015-0122. 2015-03-12 3.5 CVE-2015-0123
    CONFIRM
    ibm -- rational_quality_manager
    Cross-site scripting (XSS) vulnerability in IBM Rational Quality Manager (RQM) 4.x before 4.0.7 iFix3 and 5.x before 5.0.2 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL. 2015-03-12 3.5 CVE-2015-0129
    CONFIRM
    ibm -- websphere_portal
    Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 8.0.0 through 8.0.0.1 CF15 and 8.5.0 before CF05 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL. 2015-03-12 3.5 CVE-2015-0139
    CONFIRM
    AIXAPAR
    ibm -- websphere_portal
    Cross-site scripting (XSS) vulnerability in IBM WebSphere Portal 8.5.0 before CF05 allows remote authenticated users to inject arbitrary web script or HTML via a crafted URL. 2015-03-12 3.5 CVE-2015-0177
    CONFIRM
    AIXAPAR
    microsoft -- windows_2003_server
    The kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 do not properly initialize function buffers, which allows local users to obtain sensitive information from kernel memory, and possibly bypass the ASLR protection mechanism, via a crafted application, aka "Microsoft Windows Kernel Memory Disclosure Vulnerability." 2015-03-11 2.1 CVE-2015-0077
    MS
    microsoft -- windows_7
    The Task Scheduler in Microsoft Windows 7 SP1, Windows Server 2008 R2 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly constrain impersonation levels, which allows local users to bypass intended restrictions on launching executable files via a crafted task, aka "Task Scheduler Security Feature Bypass Vulnerability." 2015-03-11 2.1 CVE-2015-0084
    MS
    microsoft -- windows_7
    The kernel-mode drivers in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 do not properly restrict the availability of address information during a function call, which makes it easier for local users to bypass the ASLR protection mechanism via a crafted application, aka "Microsoft Windows Kernel Memory Disclosure Vulnerability." 2015-03-11 2.1 CVE-2015-0094
    MS
    microsoft -- sharepoint_foundation
    Cross-site scripting (XSS) vulnerability in Microsoft SharePoint Foundation 2010 SP2, SharePoint Server 2010 SP2, SharePoint Foundation 2013 Gold and SP1, and SharePoint Server 2013 Gold and SP1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted request, aka "Microsoft SharePoint XSS Vulnerability." 2015-03-11 3.5 CVE-2015-1633
    MS
    microsoft -- sharepoint_foundation
    Cross-site scripting (XSS) vulnerability in Microsoft SharePoint Foundation 2013 Gold and SP1 and SharePoint Server 2013 Gold and SP1 allows remote authenticated users to inject arbitrary web script or HTML via a crafted request, aka "Microsoft SharePoint XSS Vulnerability." 2015-03-11 3.5 CVE-2015-1636
    MS
    openkm -- openkm
    Cross-site scripting (XSS) vulnerability in OpenKM before 6.4.19 (build 23338) allows remote authenticated users to inject arbitrary web script or HTML via the Subject field in a Task to frontend/index.jsp. 2015-03-11 3.5 CVE-2014-9017
    MISC
    FULLDISC
    FULLDISC
    MISC
    siemens -- spcanywhere
    The Siemens SPCanywhere application for Android does not properly store application passwords, which allows physically proximate attackers to obtain sensitive information by examining the device filesystem. 2015-03-06 2.1 CVE-2015-1598
    CONFIRM
    siemens -- spcanywhere
    The Siemens SPCanywhere application for iOS allows physically proximate attackers to bypass intended access restrictions by leveraging a filesystem architectural error. 2015-03-06 2.1 CVE-2015-1599
    CONFIRM
    xen -- xen
    The emulation routines for unspecified X86 devices in Xen 3.2.x through 4.5.x do not properly initialize data, which allows local HVM guest users to obtain sensitive information via vectors involving an unsupported access size. 2015-03-12 2.1 CVE-2015-2044
    CONFIRM
    SECTRACK
    xen -- xen
    The HYPERVISOR_xen_version hypercall in Xen 3.2.x through 4.5.x does not properly initialize data structures, which allows local guest users to obtain sensitive information via unspecified vectors. 2015-03-12 2.1 CVE-2015-2045
    CONFIRM
    SECTRACK

    This product is provided subject to this Notification and this Privacy & Use policy.


  • SB15-069: Vulnerability Summary for the Week of March 2, 2015
    Original release date: March 10, 2015


    High Vulnerabilities

    Primary
    Vendor -- Product
    Description Published CVSS Score Source & Patch Info
    clip-bucket -- clipbucket
    SQL injection vulnerability in view_item.php in ClipBucket 2.7 RC3 (2.7.0.4.v2929-rc3) allows remote attackers to execute arbitrary SQL commands via the item parameter. 2015-02-27 7.5 CVE-2015-2102
    EXPLOIT-DB
    MISC
    OSVDB
    dns-sync_project -- dns-sync
    The dns-sync module before 0.1.1 for node.js allows context-dependent attackers to execute arbitrary commands via shell metacharacters in the first argument to the resolve API function. 2015-02-27 10.0 CVE-2014-9682
    CONFIRM
    CONFIRM
    MLIST
    freebsd -- freebsd
    Integer overflow in FreeBSD before 8.4 p24, 9.x before 9.3 p10, 10.0 before p18, and 10.1 before p6 allows remote attackers to cause a denial of service (crash) via a crafted IGMP packet, which triggers an incorrect size calculation and allocation of insufficient memory. 2015-02-27 7.8 CVE-2015-1414
    FREEBSD
    DEBIAN
    iij -- seil/b1
    npppd in the PPP Access Concentrator (PPPAC) on SEIL SEIL/x86 Fuji routers 1.00 through 3.30, SEIL/X1 routers 3.50 through 4.70, SEIL/X2 routers 3.50 through 4.70, and SEIL/B1 routers 3.50 through 4.70 allows remote attackers to cause a denial of service (infinite loop and device hang) via a crafted SSTP packet. 2015-02-27 7.1 CVE-2015-0887
    CONFIRM
    JVNDB
    JVN
    kent-web -- joyful_note
    KENT-WEB Joyful Note before 5.3 allows remote attackers to delete files or write to files, and consequently execute arbitrary code, via vectors involving an article. 2015-02-27 7.5 CVE-2015-0889
    CONFIRM
    JVNDB
    JVN
    ninjaforms -- ninja_forms
    Unspecified vulnerability in the Ninja Forms plugin before 2.8.10 for WordPress has unknown impact and remote attack vectors related to admin users. 2015-03-05 7.5 CVE-2014-9688
    CONFIRM
    photocati_media -- photocrati
    SQL injection vulnerability in ecomm-sizes.php in the Photocrati theme 4.x for WordPress allows remote attackers to execute arbitrary SQL commands via the prod_id parameter. 2015-03-05 7.5 CVE-2015-2216
    MISC
    symantec -- netbackup_opscenter
    Symantec NetBackup OpsCenter 7.6.0.2 through 7.6.1 on Linux and UNIX allows remote attackers to execute arbitrary JavaScript code via unspecified vectors. 2015-03-05 10.0 CVE-2015-1483
    CONFIRM
    BID
    web-dorado -- spider_calendar
    SQL injection vulnerability in Spider Event Calendar 1.4.9 for WordPress allows remote attackers to execute arbitrary SQL commands via the cat_id parameter in a spiderbigcalendar_month action to wp-admin/admin-ajax.php. 2015-03-03 7.5 CVE-2015-2196
    EXPLOIT-DB

    Medium Vulnerabilities

    Primary
    Vendor -- Product
    Description Published CVSS Score Source & Patch Info
    beehive_forum -- beehive_forum
    Multiple cross-site scripting (XSS) vulnerabilities in edit_prefs.php in Beehive Forum 1.4.4 allow remote attackers to inject arbitrary web script or HTML via the (1) homepage_url, (2) pic_url, or (3) avatar_url parameter, which are not properly handled in an error message. 2015-03-03 4.3 CVE-2015-2198
    EXPLOIT-DB
    CONFIRM
    bestwebsoft -- captcha
    The BestWebSoft Captcha plugin before 4.0.7 for WordPress allows remote attackers to bypass the CAPTCHA protection mechanism and obtain administrative access via unspecified vectors. 2015-03-03 5.0 CVE-2014-9283
    CONFIRM
    JVNDB
    JVN
    bestwebsoft -- google_captcha
    The BestWebSoft Google Captcha (aka reCAPTCHA) plugin before 1.13 for WordPress allows remote attackers to bypass the CAPTCHA protection mechanism and obtain administrative access via unspecified vectors. 2015-03-03 5.0 CVE-2015-0890
    CONFIRM
    JVNDB
    JVN
    canonical -- ubuntu_linux
    The em_sysenter function in arch/x86/kvm/emulate.c in the Linux kernel before 3.18.5, when the guest OS lacks SYSENTER MSR initialization, allows guest OS users to gain guest OS privileges or cause a denial of service (guest OS crash) by triggering use of a 16-bit code segment for emulation of a SYSENTER instruction. 2015-03-02 4.7 CVE-2015-0239
    CONFIRM
    CONFIRM
    UBUNTU
    UBUNTU
    UBUNTU
    UBUNTU
    MLIST
    CONFIRM
    MLIST
    CONFIRM
    checkpw_project -- checkpw
    checkpw 1.02 and earlier allows remote attackers to cause a denial of service (infinite loop) via a -- (dash dash) in a username. 2015-02-27 5.0 CVE-2015-0885
    JVNDB
    JVN
    CONFIRM
    CONFIRM
    cisco -- secure_access_control_system
    Cisco Secure Access Control Server (ACS) provides an unintentional administration web interface based on Apache Tomcat, which allows remote authenticated users to modify application files and configuration files, and consequently execute arbitrary code, by leveraging administrative privileges, aka Bug ID CSCuj83189. 2015-03-05 6.5 CVE-2014-2130
    CISCO
    cisco -- ios
    The RADIUS implementation in Cisco IOS and IOS XE allows remote attackers to cause a denial of service (device reload) via crafted IPv6 Attributes in Access-Accept packets, aka Bug IDs CSCur84322 and CSCur27693. 2015-03-05 6.8 CVE-2015-0598
    CISCO
    cisco -- ios
    The Authentication Proxy feature in Cisco IOS does not properly handle invalid AAA return codes from RADIUS and TACACS+ servers, which allows remote attackers to bypass authentication in opportunistic circumstances via a connection attempt that triggers an invalid code, as demonstrated by a connection attempt with a blank password, aka Bug IDs CSCuo09400 and CSCun16016. 2015-03-05 4.3 CVE-2015-0607
    SECTRACK
    BID
    CONFIRM
    CISCO
    cisco -- unified_web_and_e-mail_interaction_manager
    Cross-site scripting (XSS) vulnerability in Unified Web Interaction Manager in Cisco Unified Web and E-Mail Interaction Manager allows remote attackers to inject arbitrary web script or HTML via vectors related to a POST request, aka Bug ID CSCus74184. 2015-02-27 4.3 CVE-2015-0655
    CISCO
    cisco -- network_analysis_module_firmware
    Cross-site scripting (XSS) vulnerability in the login page in Cisco Network Analysis Module (NAM) allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, aka Bug ID CSCum81269. 2015-03-03 4.3 CVE-2015-0656
    CISCO
    cisco -- ios_xr
    Cisco IOS XR allows remote attackers to cause a denial of service (RSVP process reload) via a malformed RSVP packet, aka Bug ID CSCur69192. 2015-03-05 5.0 CVE-2015-0657
    CISCO
    cisco -- ios
    The Autonomic Networking Infrastructure (ANI) implementation in Cisco IOS allows remote attackers to trigger self-referential adjacencies via a crafted Autonomic Networking (AN) message, aka Bug ID CSCup62157. 2015-03-05 5.0 CVE-2015-0659
    CISCO
    cisco -- ios_xr
    The SNMPv2 implementation in Cisco IOS XR allows remote authenticated users to cause a denial of service (snmpd daemon reload) via a malformed SNMP packet, aka Bug ID CSCur25858. 2015-03-05 4.0 CVE-2015-0661
    CISCO
    cosmoshop -- cosmoshop
    Cross-site scripting (XSS) vulnerability in the admin-login panel (admin/index.cgi) in Cosmoshop allows remote attackers to inject arbitrary web script or HTML via the username field (u_name parameter). 2015-02-27 4.3 CVE-2015-2103
    BUGTRAQ
    MISC
    dlguard -- dlguard
    DLGuard 4.5 allows remote attackers to obtain the installation path via the c parameter to index.php. 2015-03-04 5.0 CVE-2015-2209
    MISC
    FULLDISC
    ffmpeg -- ffmpeg
    The seg_write_packet function in libavformat/segment.c in ffmpeg 2.1.4 and earlier does not free the correct memory location, which allows remote attackers to cause a denial of service ("invalid memory handler") and possibly execute arbitrary code via a crafted video that triggers a use after free. 2015-02-27 6.8 CVE-2014-9676
    MLIST
    fortinet -- fortimail
    Cross-site scripting (XSS) vulnerability in the Web Action Quarantine Release feature in the WebGUI in Fortinet FortiMail before 4.3.9, 5.0.x before 5.0.8, 5.1.x before 5.1.5, and 5.2.x before 5.2.3 allows remote attackers to inject arbitrary web script or HTML via the release parameter to module/releasecontrol. 2015-03-04 4.3 CVE-2014-8617
    CONFIRM
    FULLDISC
    fusion_project -- fusion
    Unrestricted file upload vulnerability in the fusion_options function in functions.php in the Fusion theme 3.1 for WordPress allows remote authenticated users to execute arbitrary code by uploading a file with an executable extension in a fusion_save action, then accessing it via unspecified vectors. 2015-03-03 6.5 CVE-2015-2194
    MISC
    hp -- xp7_global_link_manager_software
    Multiple cross-site scripting (XSS) vulnerabilities in HP XP P9000 Command View Advanced Edition Software Online Help, as used in HP Device Manager 6.x through 8.x before 8.1.2-00, HP XP P9000 Tiered Storage Manager 6.x through 8.x before 8.1.2-00, HP XP P9000 Replication Manager 6.x and 7.x before 7.6.1-06, and HP XP7 Global Link Manager Software (aka HGLM) 6.x through 8.x before 8.1.2-00, allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. 2015-03-03 4.3 CVE-2014-7896
    HP
    ibm -- notes_traveler_companion
    The IBM Notes Traveler Companion application 1.0 and 1.1 before 201411010515 for Windows Phone, as distributed in IBM Notes Traveler 9.0.1, does not properly restrict the number of executions of the automatic configuration option, which makes it easier for remote attackers to capture credentials by conducting a phishing attack involving an encrypted e-mail message. 2015-03-01 4.3 CVE-2014-8921
    CONFIRM
    impliedbydesign -- navigate
    Cross-site scripting (XSS) vulnerability in the Navigate bar in the Navigate module before 6.x-1.1 and 7.x-1.x before 7.x-1.1 for Drupal allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. 2015-02-27 4.3 CVE-2015-2101
    MISC
    CONFIRM
    CONFIRM
    BID
    kent-web -- clip_board
    KENT-WEB Clip Board before 4.1 allows remote attackers to delete arbitrary files via unspecified vectors. 2015-02-27 6.4 CVE-2015-0888
    CONFIRM
    JVNDB
    JVN
    linux -- linux_kernel
    net/netfilter/nf_conntrack_proto_generic.c in the Linux kernel before 3.18 generates incorrect conntrack entries during handling of certain iptables rule sets for the SCTP, DCCP, GRE, and UDP-Lite protocols, which allows remote attackers to bypass intended access restrictions via packets with disallowed port numbers. 2015-03-02 5.0 CVE-2014-8160
    CONFIRM
    CONFIRM
    UBUNTU
    UBUNTU
    UBUNTU
    UBUNTU
    MLIST
    MLIST
    CONFIRM
    magic_hills -- wonderplugin_audio_player
    Multiple cross-site scripting (XSS) vulnerabilities in the wp_ajax_save_item function in wonderpluginaudio.php in the WonderPlugin Audio Player plugin before 2.1 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) item[name] or (2) item[customcss] parameter in a wonderplugin_audio_save_item action to wp-admin/admin-ajax.php or the itemid parameter in the (3) wonderplugin_audio_show_item or (4) wonderplugin_audio_edit_item page to wp-admin/admin.php. 2015-03-05 4.3 CVE-2015-2218
    MISC
    EXPLOIT-DB
    MISC
    OSVDB
    OSVDB
    microsoft -- windows_2003_server
    Schannel (aka Secure Channel) in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly restrict TLS state transitions, which makes it easier for remote attackers to conduct cipher-downgrade attacks to EXPORT_RSA ciphers via crafted TLS traffic, related to the "FREAK" issue. 2015-03-06 5.0 CVE-2015-1637
    CONFIRM
    mindrot -- jbcrypt
    Integer overflow in the crypt_raw method in the key-stretching implementation in jBCrypt before 0.4 makes it easier for remote attackers to determine cleartext values of password hashes via a brute-force attack against hashes associated with the maximum exponent. 2015-02-27 5.0 CVE-2015-0886
    CONFIRM
    CONFIRM
    JVNDB
    JVN
    netcat -- netcat
    NetCat 5.01 and earlier allows remote attackers to obtain the installation path via the redirect_url parameter to netshop/post.php. 2015-03-05 5.0 CVE-2015-2214
    MISC
    FULLDISC
    MISC
    ninjaforms -- ninja_forms
    Multiple cross-site scripting (XSS) vulnerabilities in the Ninja Forms plugin before 2.8.9 for WordPress allow (1) remote attackers to inject arbitrary web script or HTML via the ninja_forms_field_1 parameter in a ninja_forms_ajax_submit action to wp-admin/admin-ajax.php or (2) remote administrators to inject arbitrary web script or HTML via the fields[1] parameter to wp-admin/post.php. 2015-03-05 4.3 CVE-2015-2220
    MISC
    BUGTRAQ
    MISC
    sap -- hana
    Multiple cross-site scripting (XSS) vulnerabilities in SAP HANA 73 (1.00.73.00.389160) and HANA Developer Edition 80 (1.00.80.00.391861) allow remote attackers to inject arbitrary web script or HTML via unspecified vectors to (1) ide/core/plugins/editor/templates/trace/hanaTraceDetailService.xsjs or (2) xs/ide/editor/templates/trace/hanaTraceDetailService.xsjs, aka SAP Note 2069676. 2015-02-27 4.3 CVE-2015-2072
    BID
    BUGTRAQ
    FULLDISC
    MISC
    sap -- businessobjects_edge
    SAP BusinessObjects Edge 4.0 allows remote attackers to delete audit events from the auditee queue via a clearData CORBA operation, aka SAP Note 2011396. 2015-02-27 5.0 CVE-2015-2075
    BID
    BUGTRAQ
    FULLDISC
    MISC
    sap -- businessobjects_edge
    The Auditing service in SAP BusinessObjects Edge 4.0 allows remote attackers to obtain sensitive information by reading an audit event, aka SAP Note 2011395. 2015-02-27 5.0 CVE-2015-2076
    BID
    BUGTRAQ
    FULLDISC
    MISC
    services_single_sign-on_server_helper_project -- services_single_sign-on_server_helper
    Open redirect vulnerability in the Services single sign-on server helper (services_sso_server_helper) module for Drupal allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified parameters. 2015-03-05 5.8 CVE-2015-2215
    MISC
    BID
    sharelatex -- sharelatex
    Common LaTeX Service Interface (CLSI) before 0.1.3, as used in ShareLaTeX before 0.1.3, allows remote authenticated users to execute arbitrary code via ` (backtick) characters in a filename. 2015-03-03 6.5 CVE-2015-0934
    CERT-VN
    tips_and_tricks_hq -- all_in_one_wordpress_security_and_firewall
    SQL injection vulnerability in the All In One WP Security & Firewall plugin before 3.8.8 for WordPress allows remote attackers to execute arbitrary SQL commands via unspecified vectors. 2015-03-06 6.0 CVE-2015-0894
    CONFIRM
    JVNDB
    JVN
    tisa -- maroyaka_simple_board
    Cross-site scripting (XSS) vulnerability in Maroyaka CGI Maroyaka Simple Board allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. 2015-03-04 4.3 CVE-2015-0891
    JVNDB
    JVN
    MISC
    tisa -- maroyaka_image_album
    Cross-site scripting (XSS) vulnerability in Maroyaka CGI Maroyaka Image Album allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. 2015-03-04 4.3 CVE-2015-0892
    JVNDB
    JVN
    MISC
    tisa -- maroyaka_relay_novel
    Cross-site scripting (XSS) vulnerability in Maroyaka CGI Maroyaka Relay Novel allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. 2015-03-04 4.3 CVE-2015-0893
    JVNDB
    JVN
    MISC
    toshiba -- bluetooth_stack
    Unquoted Windows search path vulnerability in Toshiba Bluetooth Stack for Windows before 9.10.32(T) and Service Station before 2.2.14 allows local users to gain privileges via a Trojan horse application with a name composed of an initial substring of a path that contains a space character. 2015-02-27 6.9 CVE-2015-0884
    CERT-VN
    CONFIRM
    CONFIRM
    MISC
    wonderplugin -- audio_player
    Multiple SQL injection vulnerabilities in the WonderPlugin Audio Player plugin before 2.1 for WordPress allow (1) remote authenticated users to execute arbitrary SQL commands via the item[id] parameter in a wonderplugin_audio_save_item action to wp-admin/admin-ajax.php or remote administrators to execute arbitrary SQL commands via the itemid parameter in the (2) wonderplugin_audio_show_item, (3) wonderplugin_audio_show_items, or (4) wonderplugin_audio_edit_item page to wp-admin/admin.php. 2015-03-03 6.5 CVE-2015-2199
    MISC
    EXPLOIT-DB
    MISC
    OSVDB
    OSVDB
    wp_media_cleaner_project -- wp_media_cleaner
    Multiple cross-site scripting (XSS) vulnerabilities in the WP Media Cleaner plugin 2.2.6 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) view, (2) paged, or (3) s parameter in the wp-media-cleaner page to wp-admin/upload.php. 2015-03-03 4.3 CVE-2015-2195
    BUGTRAQ

    Low Vulnerabilities

    Primary
    Vendor -- Product
    Description Published CVSS Score Source & Patch Info
    canonical -- ubuntu_linux
    Off-by-one error in the ecryptfs_decode_from_filename function in fs/ecryptfs/crypto.c in the eCryptfs subsystem in the Linux kernel before 3.18.2 allows local users to cause a denial of service (buffer overflow and system crash) or possibly gain privileges via a crafted filename. 2015-03-03 3.6 CVE-2014-9683
    CONFIRM
    CONFIRM
    UBUNTU
    UBUNTU
    UBUNTU
    UBUNTU
    MLIST
    CONFIRM
    CONFIRM
    entity_api_project -- entity_api
    Cross-site scripting (XSS) vulnerability in the Entity API module before 7.x-1.6 for Drupal allows remote authenticated users to inject arbitrary web script or HTML via a field label in the Token API. 2015-03-03 3.5 CVE-2015-2197
    MISC
    CONFIRM
    BID
    linux -- linux_kernel
    The Crypto API in the Linux kernel before 3.18.5 allows local users to load arbitrary kernel modules via a bind system call for an AF_ALG socket with a module name in the salg_name field, a different vulnerability than CVE-2014-9644. 2015-03-02 2.1 CVE-2013-7421
    MISC
    MLIST
    CONFIRM
    CONFIRM
    MLIST
    CONFIRM
    CONFIRM
    linux -- linux_kernel
    The Crypto API in the Linux kernel before 3.18.5 allows local users to load arbitrary kernel modules via a bind system call for an AF_ALG socket with a parenthesized module template expression in the salg_name field, as demonstrated by the vfat(aes) expression, a different vulnerability than CVE-2013-7421. 2015-03-02 2.1 CVE-2014-9644
    MISC
    CONFIRM
    CONFIRM
    MLIST
    CONFIRM
    CONFIRM
    sharelatex -- sharelatex
    Absolute path traversal vulnerability in ShareLaTeX 0.1.3 and earlier, when the paranoid openin_any setting is omitted, allows remote authenticated users to read arbitrary files via a \include command. 2015-03-03 3.5 CVE-2015-0933
    CERT-VN



CERT Technical Feed

US-CERT Alerts
Alerts warn about vulnerabilities, incidents, and other security issues that pose a significant risk.
  • TA15-051A: Lenovo Superfish Adware Vulnerable to HTTPS Spoofing
    Original release date: February 20, 2015 | Last revised: February 24, 2015

    Systems Affected

    Lenovo consumer PCs that have Superfish VisualDiscovery installed.

    Overview

    Superfish adware installed on some Lenovo PCs installs a non-unique trusted root certification authority (CA) certificate, allowing an attacker to spoof HTTPS traffic.

    Description

    Starting in September 2014, Lenovo pre-installed Superfish VisualDiscovery spyware on some of their PCs. This software intercepts users’ web traffic to provide targeted advertisements. In order to intercept encrypted connections (those using HTTPS), the software installs a trusted root CA certificate for Superfish. All browser-based encrypted traffic to the Internet is intercepted, decrypted, and re-encrypted to the user’s browser by the application, a classic man-in-the-middle attack. Because the certificates used by Superfish are signed by the CA installed by the software, the browser will not display any warnings that the traffic is being tampered with. Since the private key can easily be recovered from the Superfish software, an attacker can generate a certificate for any website that will be trusted by a system with the Superfish software installed. This means websites, such as banking and email, can be spoofed without a warning from the browser.

    Although Lenovo has stated they have discontinued the practice of pre-installing Superfish VisualDiscovery, the systems that came with the software already installed will continue to be vulnerable until corrective actions have been taken.

    To detect a system with Superfish installed, look for an HTTP GET request to:

    superfish.aistcdn.com

    The full request will look like:

    http://superfish.aistcdn.com/set.php?ID=[GUID]&Action=[ACTION]

    where [ACTION] takes the value 1, 2, or 3 (at least these values have been observed): 1 and then 2 are sent when the computer is turned on, and 3 is sent when it is turned off.
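The beacon pattern above, turned into a log scan as an added example (this is not US-CERT's or Lenovo's code). It assumes a constructed "timestamp client_ip method url" line format, and the GUIDs and addresses in the sample are made up.

```python
"""Find the Superfish VisualDiscovery beacon described in TA15-051A in proxy logs.

Added example, not US-CERT's or Lenovo's code. Assumed log format (constructed):
one request per line as "timestamp client_ip method url"; adapt the split for
your proxy's real format.
"""
import re
from typing import Dict, List, Optional

# Beacon URL quoted in the advisory: set.php?ID=[GUID]&Action=[ACTION].
# GUID and Action are captured so an analyst can pivot on them.
BEACON_RE = re.compile(
    r"^http://superfish\.aistcdn\.com/set\.php\?ID=(?P<guid>[^&]+)&Action=(?P<action>\d+)$",
    re.IGNORECASE,
)

# Meaning of the Action values as stated in the advisory.
ACTION_MEANING = {
    "1": "power-on (first beacon)",
    "2": "power-on (second beacon)",
    "3": "power-off",
}


def match_beacon(url: str) -> Optional[Dict[str, str]]:
    """Return the GUID and Action of a Superfish beacon URL, or None if it is not one."""
    m = BEACON_RE.match(url.strip())
    if m is None:
        return None
    action = m.group("action")
    return {
        "guid": m.group("guid"),
        "action": action,
        "meaning": ACTION_MEANING.get(action, "undocumented action value"),
    }


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Return one finding per log line whose URL is the Superfish beacon."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed or empty line: skip it instead of aborting the scan
        timestamp, client, method, url = parts[:4]
        hit = match_beacon(url)
        if hit is None:
            continue
        findings.append({"time": timestamp, "host": client, "method": method, **hit})
    return findings


def affected_hosts(findings: List[Dict[str, str]]) -> List[str]:
    """Distinct clients that beaconed; each needs the uninstall and root CA removal from the Solution section."""
    return sorted({f["host"] for f in findings})


# Constructed sample log lines (not real traffic; GUIDs and addresses are made up).
SAMPLE_LOG = [
    "2015-02-20T08:01:02Z 10.0.0.15 GET http://superfish.aistcdn.com/set.php?ID=0f3c9a2e-5b1d-4c7e-9a8f-1234567890ab&Action=1",
    "2015-02-20T08:01:07Z 10.0.0.15 GET http://superfish.aistcdn.com/set.php?ID=0f3c9a2e-5b1d-4c7e-9a8f-1234567890ab&Action=2",
    "2015-02-20T08:02:11Z 10.0.0.7 GET http://www.example.com/index.html",
    "2015-02-20T17:45:30Z 10.0.0.42 GET http://superfish.aistcdn.com/set.php?ID=9b7e4d1c-2a6f-4e8b-b3c5-0987654321fe&Action=3",
    "",
]

if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f"{h['time']} {h['host']} Action={h['action']} ({h['meaning']}) GUID={h['guid']}")
    print("hosts to remediate:", affected_hosts(hits))
```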

    Superfish uses a vulnerable SSL decryption library by Komodia. Other applications that use the library may be similarly affected. Please refer to CERT Vulnerability Note VU#529496 for more details and updates.

    Impact

    A machine with Superfish VisualDiscovery installed will be vulnerable to SSL spoofing attacks without a warning from the browser.

    Solution

    Uninstall Superfish VisualDiscovery and associated root CA certificate

    Users should uninstall Superfish VisualDiscovery. Lenovo has provided a tool to uninstall Superfish and remove all associated certificates.

    It is also necessary to remove affected root CA certificates. Simply uninstalling the software does not remove the certificate. Microsoft provides guidance on deleting and managing certificates in the Windows certificate store. In the case of Superfish VisualDiscovery, the offending trusted root certification authority certificate is issued to “Superfish, Inc.”

    Mozilla provides similar guidance for their software, including the Firefox and Thunderbird certificate stores.

    Revision History

    • February 20, 2015: Initial release
    • February 20, 2015: Clarified software release dates
    • February 24, 2015: Updated description and solution details



  • TA14-353A: Targeted Destructive Malware
    Original release date: December 19, 2014 | Last revised: December 25, 2014

    Systems Affected

    Microsoft Windows

    Overview

    US-CERT was recently notified by a trusted third party of cyber threat actors using a Server Message Block (SMB) Worm Tool to conduct cyber exploitation activities recently targeting a major entertainment company. This SMB Worm Tool is equipped with a Listening Implant, Lightweight Backdoor, Proxy Tool, Destructive Hard Drive Tool, and Destructive Target Cleaning Tool.

    SMB Worm Tool: This worm uses a brute force authentication attack to propagate via Windows SMB shares. It connects home every five minutes to send log data back to command and control (C2) infrastructure if it has successfully spread to other Windows hosts via SMB port 445. The tool also accepts new scan tasking when it connects to C2. There are two main threads: the first thread calls home and sends back logs (a list of successful SMB exploitations), and the second thread attempts to guess passwords for SMB connections. If the password is correctly guessed, a file share is established and a file is copied and run on the newly-infected host.

    Listening Implant: During installation of this tool, a portion of the binaries is decrypted using AES, with a key derived from the phrase "National Football League." Additionally, this implant listens for connections on TCP port 195 (for "sensvc.exe" and "msensvc.exe") and TCP port 444 (for "netcfg.dll"). Each message sent to and from this implant is preceded with its length, then XOR encoded with the byte 0x1F. Upon initial connection, the victim sends the string, "HTTP/1.1 GET /dns?\x00." The controller then responds with the string "200 www.yahoo.com!\x00" (for "sensvc.exe" and "msensvc.exe") or with the string "RESPONSE 200 OK!!" (for "netcfg.dll"). The controller sends the byte "!" (0x21) to end the network connection. This special message is not preceded with a length or XOR encoded.
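The framing described above, as an added example that is not code from the alert: a Python model of the 0x1F variant (a length field, then the body, all XORed with 0x1F). It assumes the length is a 4-byte little-endian integer; that assumption and the handshake strings can be checked against the page's own "Listening Implant 1" and "Listening Implant 12" Snort rules, whose content bytes the code regenerates and decodes (they decode to "RESPONSE 200 OK!!!" with three exclamation marks, and "POST HTTP REQUEST?"). The purpose is decoding captured traffic and validating detection content, nothing is sent anywhere.

```python
import struct

XOR_KEY = 0x1F   # every framed byte is XORed with this (from the alert)
EOC = b"!"       # bare 0x21 the controller sends to end the connection (not framed, not XORed)

# Handshake strings quoted in the alert; the trailing NUL is part of the message.
VICTIM_HELLO = b"HTTP/1.1 GET /dns?\x00"
REPLY_SENSVC = b"200 www.yahoo.com!\x00"
# "RESPONSE 200 OK!!!" is what the 'Listening Implant 1' Snort content decodes to
# (the prose writes it with two '!'); the bytes in the published rule are authoritative.
REPLY_NETCFG = b"RESPONSE 200 OK!!!\x00"


def xor1f(data: bytes) -> bytes:
    """XOR every byte with 0x1F; the operation is its own inverse."""
    return bytes(b ^ XOR_KEY for b in data)


def frame(message: bytes) -> bytes:
    """Wire form of one message: 4-byte little-endian length, then body, all XOR 0x1F.

    The 4-byte little-endian length is an assumption; it is confirmed by
    regenerating the published Snort content bytes (see snort_content below).
    """
    return xor1f(struct.pack("<I", len(message)) + message)


def unframe(stream: bytes) -> list:
    """Decode a captured stream into [('msg', body), ...] plus a final ('eoc', b'!').

    The bare '!' is only recognised as the last byte of the stream: a framed
    message whose XORed length byte happens to be 0x21 would otherwise be
    misread. A truncated trailing frame ends parsing instead of raising.
    """
    out, pos = [], 0
    while pos < len(stream):
        if stream[pos:] == EOC:
            out.append(("eoc", EOC))
            break
        if pos + 4 > len(stream):
            break
        length = struct.unpack("<I", xor1f(stream[pos:pos + 4]))[0]
        body = stream[pos + 4:pos + 4 + length]
        if len(body) < length:
            break
        out.append(("msg", xor1f(body)))
        pos += 4 + length
    return out


def snort_content(message: bytes, depth: int) -> str:
    """Render the first `depth` wire bytes of a message as a Snort |hex| content string."""
    return "|" + " ".join(f"{b:02x}" for b in frame(message)[:depth]) + "|"


def decode_snort_content(hex_content: str) -> tuple:
    """Inverse view: take the |hex| content of one of the rules on this page and
    return (declared body length, the decoded body bytes the content covers)."""
    raw = xor1f(bytes.fromhex(hex_content.strip("|")))
    return struct.unpack("<I", raw[:4])[0], raw[4:]


if __name__ == "__main__":
    print(snort_content(REPLY_NETCFG, 22))
    print(decode_snort_content("|0c 1f 1f 1f 4f 50 4c 4b 3f 57 4b 4b 4f 3f 4d 5a 4e 4a 5a 4c 4b 20|"))
```

Note that `depth:22` in the rule covers the 4-byte length field plus 18 body bytes, so the terminating NUL (0x00 XOR 0x1F = 0x1F) is not part of the content match; the decoded length field (19) is what tells you the NUL is there.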

    Lightweight Backdoor: This is a backdoor listener that is designed as a service DLL. It includes functionality such as file transfer, system survey, process manipulation, file time matching, and proxy capability. The listener can also perform arbitrary code execution and execute commands on the command line. This tool includes functionality to open ports in a victim host's firewall and take advantage of Universal Plug and Play (UPnP) mechanisms to discover routers and gateway devices and add port mappings, allowing inbound connections to victim hosts on Network Address Translation (NAT) private networks. There are no callback domains associated with this malware, since connections are inbound only, on a specified port number.

    Proxy Tool: Implants in this malware family are typically loaded via a dropper installed as a service, then configured to listen on TCP port 443. The implant may have an associated configuration file which can contain a configurable port. This proxy tool has basic backdoor functionality, including the ability to fingerprint the victim machine, run remote commands, perform directory listings, perform process listings, and transfer files.

    Destructive Hard Drive Tool: This tool is a tailored hard-drive wiping tool that is intended to destroy data past the point of recovery and to complicate the victim machine's recovery. If the CNE operator has administrator-level privileges on the host, the program overwrites portions of up to the first four physical drives attached, and overwrites the master boot record (MBR) with a program designed to cause further damage when the machine is rebooted. This leaves the victim machine non-operational with irrecoverable data. (There is a caveat for machines running Windows 7: those machines continue to operate in a degraded state, with the targeted files destroyed, until the next reboot, at which point the infected MBR wipes the drive.) If the actor has only user-level access, the result is that specific files are deleted and practically irrecoverable, but the victim machine remains usable.

    Destructive Target Cleaning Tool: This tool renders victim machines inoperable by overwriting the Master Boot Record. The tool is dropped and installed by another executable and consists of three parts: an executable and a dll which contain the destructive components, and an encoded command file that contains the actual destruction commands to be executed.

    Network Propagation Wiper: The malware has the ability to propagate throughout the target network via built-in Windows shares. Based on the username/password provided in the configuration file and the hostname/IP address of target systems, the malware accesses remote network shares in order to upload a copy of the wiper and begin the wiping process on these remote systems. The malware uses several methods to access shares on the remote systems to begin wiping files: it checks for existing shares via “\\hostname\admin$\system32” and “\\hostname\shared$\system32”, or creates a new share with “cmd.exe /q /c net share shared$=%SystemRoot% /GRANT:everyone, FULL”. Once successful, the malware uploads a copy of the wiper file “taskhostXX.exe”, changes the file time to match that of the built-in file “calc.exe”, and starts the remote process. The remote process is started via the command “cmd.exe /c wmic.exe /node:hostname /user:username /password:pass PROCESS CALL CREATE”; the hostname, username, and password are obtained from the configuration file. Afterwards, the remote network share is removed via “cmd.exe /q /c net share shared$ /delete”. Once the wiper has been uploaded, the malware reports its status back to one of the four C2 IP addresses.
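A detection view of the propagation sequence above, as an added example that is not part of the alert: Python that scans process-creation command lines for the share creation, remote process start, share deletion, UNC admin-share access and "taskhostXX.exe" copy the text describes, plus the "net stop MSExchangeIS" command from the igfxtrayex.exe analysis further down. The regular expressions, field layout and log lines are my own constructions; only the command strings come from the alert. One caveat a practitioner would want: "taskhost" followed by exactly two characters also matches the legitimate Windows 8 host process taskhostex.exe, so known system binaries are excluded before a hit is raised.

```python
import re

# Regexes (assumptions) built from the command lines quoted in the alert.
INDICATORS = {
    "share_create":    re.compile(r"\bnet\s+share\s+shared\$=", re.I),
    "share_delete":    re.compile(r"\bnet\s+share\s+shared\$\s+/delete\b", re.I),
    "wmic_remote":     re.compile(r"\bwmic(?:\.exe)?\s+/node:\S+.*\bprocess\s+call\s+create\b", re.I),
    "unc_admin_share": re.compile(r"\\\\[^\\\s]+\\(?:admin|shared)\$\\system32", re.I),
    "exchange_stop":   re.compile(r"\bnet\s+stop\s+MSExchangeIS\b", re.I),
    "wiper_copy":      re.compile(r"\btaskhost..\.exe\b", re.I),   # taskhostXX.exe, X = random ASCII
}

# Legitimate Windows binaries the two-character pattern would otherwise flag.
LEGIT_TASKHOST = {"taskhost.exe", "taskhostex.exe", "taskhostw.exe"}


def match_line(cmdline: str) -> list:
    """Return the indicator names that fire on one command line (empty list = clean)."""
    hits = []
    for name, rx in INDICATORS.items():
        m = rx.search(cmdline)
        if not m:
            continue
        if name == "wiper_copy" and m.group(0).lower() in LEGIT_TASKHOST:
            continue
        hits.append(name)
    return hits


def scan_log(lines) -> list:
    """Return [(line_index, [indicator, ...])] for every line with at least one hit."""
    results = []
    for i, line in enumerate(lines):
        hits = match_line(line)
        if hits:
            results.append((i, hits))
    return results


# Constructed process-creation records (not from the alert); the field layout is an assumption.
SAMPLE_LOG = [
    '2014-11-24T04:15:01Z host=FS01 user=svc_backup cmd="cmd.exe /q /c net share shared$=%SystemRoot% /GRANT:everyone, FULL"',
    '2014-11-24T04:15:02Z host=FS01 user=svc_backup cmd="\\\\FS01\\shared$\\system32\\taskhostQz.exe -w"',
    '2014-11-24T04:15:03Z host=FS01 user=svc_backup cmd="cmd.exe /c wmic.exe /node:FS02 /user:svc_backup /password:pass PROCESS CALL CREATE taskhostQz.exe"',
    '2014-11-24T04:15:04Z host=FS01 user=svc_backup cmd="cmd.exe /q /c net share shared$ /delete"',
    '2014-11-24T04:16:10Z host=WS07 user=alice cmd="C:\\Windows\\System32\\taskhostex.exe"',
    '2014-11-24T04:17:00Z host=MX01 user=SYSTEM cmd="cmd.exe /c net stop MSExchangeIS /y"',
]

if __name__ == "__main__":
    for idx, hits in scan_log(SAMPLE_LOG):
        print(idx, hits, SAMPLE_LOG[idx])
```

The share creation, upload and deletion happen within seconds of each other on the same source host, so correlating these hits by host and time window is a stronger signal than any single pattern; the `net share shared$` strings in particular are specific enough to alert on alone.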

    Technical and strategic mitigation recommendations are included in the Solution section below.

    US-CERT recommends reviewing the Security Tip Handling Destructive Malware #ST13-003.

    Description

    Cyber threat actors are using an SMB worm to conduct cyber exploitation activities.  This tool contains five components – a listening implant, lightweight backdoor, proxy tool, destructive hard drive tool, and destructive target cleaning tool.

    The SMB worm propagates throughout an infected network via brute-force authentication attacks, and connects to a C2 infrastructure.

    Impact

    Due to the highly destructive functionality of this malware, an organization infected could experience operational impacts including loss of intellectual property and disruption of critical systems.

    Solution

    Users and administrators are recommended to take the following preventive measures to protect their computer networks:

    • Use and maintain anti-virus software – Anti-virus software recognizes and protects your computer against most known viruses. It is important to keep your anti-virus software up-to-date (see Understanding Anti-Virus Software for more information).
    • Keep your operating system and application software up-to-date – Install software patches so that attackers can't take advantage of known problems or vulnerabilities. Many operating systems offer automatic updates. If this option is available, you should enable it (see Understanding Patches for more information).
    • Review Security Tip Handling Destructive Malware #ST13-003 and evaluate your organization's capabilities for planning, preparation, detection, and response to such an event.
    • Review Recommended Practices for Control Systems, and Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies (pdf).

    The following is a list of the Indicators of Compromise (IOCs) that can be added to network security solutions to determine whether they are present on a network.

    Import Hashes:

    SMB worm tool:

    Import hash: f6f48551d7723d87daeef2e840ae008f
    Characterization: File Hash Watchlist
    Notes: "SMB worm tool"
    Earliest PE compile time: 20141001T072107Z
    Latest PE compile time: 20141001T072107Z

    Import hash: 194ae075bf53aa4c83e175d4fa1b9d89
    Characterization: File Hash Watchlist
    Notes: "SMB worm tool"
    Earliest PE compile time: 20141001T120954Z
    Latest PE compile time: 20141001T142138Z

    Lightweight backdoor:

    Import hash: f57e6156907dc0f6f4c9e2c5a792df48
    Characterization: File Hash Watchlist
    Notes: "Lightweight backdoor"
    Earliest PE compile time: 20110411T225224Z
    Latest PE compile time: 20110411T225224Z

    Import hash: 838e57492f632da79dcd5aa47b23f8a9
    Characterization: File Hash Watchlist
    Notes: "Lightweight backdoor"
    Earliest PE compile time: 20110517T050015Z
    Latest PE compile time: 20110605T204508Z

    Import hash: 11c9374cea03c3b2ca190b9a0fd2816b
    Characterization: File Hash Watchlist
    Notes: "Lightweight backdoor"
    Earliest PE compile time: 20110729T062417Z
    Latest PE compile time: 20110729T062958Z

    Import hash: 7fb0441a08690d4530d2275d4d7eb351
    Characterization: File Hash Watchlist
    Notes: "Lightweight backdoor"
    Earliest PE compile time: 20120128T071327Z
    Latest PE compile time: 20120128T071327Z

    Import hash: 7759c7d2c6d49c8b0591a3a7270a44da
    Characterization: File Hash Watchlist
    Notes: "Lightweight backdoor"
    Earliest PE compile time: 20120309T105837Z
    Latest PE compile time: 20120309T105837Z

    Import hash: 7e48d5ba6e6314c46550ad226f2b3c67
    Characterization: File Hash Watchlist
    Notes: "Lightweight backdoor"
    Earliest PE compile time: 20120311T090329Z
    Latest PE compile time: 20120311T090329Z

    Import hash: 0a87c6f29f34a09acecce7f516cc7fdb
    Characterization: File Hash Watchlist
    Notes: "Lightweight backdoor"
    Earliest PE compile time: 20120325T053138Z
    Latest PE compile time: 20130513T090422Z

    Import hash: 25fb1e131f282fa25a4b0dec6007a0ce
    Characterization: File Hash Watchlist
    Notes: "Lightweight backdoor"
    Earliest PE compile time: 20130802T054822Z
    Latest PE compile time: 20130802T054822Z

    Import hash: 9761dd113e7e6673b94ab4b3ad552086
    Characterization: File Hash Watchlist
    Notes: "Lightweight backdoor"
    Earliest PE compile time: 20130913T013016Z
    Latest PE compile time: 20130913T013016Z

    Import hash: c905a30badb458655009799b1274205c
    Characterization: File Hash Watchlist
    Notes: "Lightweight backdoor"
    Earliest PE compile time: 20140205T090906Z
    Latest PE compile time: 20140205T090906Z

    Import hash: 40adcd738c5bdc5e1cc3ab9a48b3df39
    Characterization: File Hash Watchlist
    Notes: "Lightweight backdoor"
    Earliest PE compile time: 20140320T152637Z
    Latest PE compile time: 20140402T023748Z

    Import hash: 68a26b8eaf2011f16a58e4554ea576a1
    Characterization: File Hash Watchlist
    Notes: "Lightweight backdoor"
    Earliest PE compile time: 20140321T014949Z
    Latest PE compile time: 20140321T014949Z

    Import hash: 74982cd1f3be3d0acfb0e6df22dbcd67
    Characterization: File Hash Watchlist
    Notes: "Lightweight backdoor"
    Earliest PE compile time: 20140506T020330Z
    Latest PE compile time: 20140506T020330Z

    Proxy tool:

    Import hash: 734740b16053ccc555686814a93dfbeb
    Characterization: File Hash Watchlist
    Notes: "Proxy tool"
    Earliest PE compile time: 20140611T064905Z
    Latest PE compile time: 20140611T064905Z

    Import hash: 3b9da603992d8001c1322474aac25f87
    Characterization: File Hash Watchlist
    Notes: "Proxy tool"
    Earliest PE compile time: 20140617T035143Z
    Latest PE compile time: 20140617T035143Z

    Import hash: e509881b34a86a4e2b24449cf386af6a
    Characterization: File Hash Watchlist
    Notes: "Proxy tool"
    Earliest PE compile time: 20140618T064527Z
    Latest PE compile time: 20140618T064527Z

    Import hash: 9ab7f2bf638c9d911c2c742a574db89e
    Characterization: File Hash Watchlist
    Notes: "Proxy tool"
    Earliest PE compile time: 20140724T011233Z
    Latest PE compile time: 20140724T011233Z

    Import hash: a565e8c853b8325ad98f1fac9c40fb88
    Characterization: File Hash Watchlist
    Notes: "Proxy tool"
    Earliest PE compile time: 20140724T065031Z
    Latest PE compile time: 20140902T135050Z

    Import hash: 0bb82def661dd013a1866f779b455cf3
    Characterization: File Hash Watchlist
    Notes: "Proxy tool"
    Earliest PE compile time: 20140819T024812Z
    Latest PE compile time: 20140819T024812Z

    Import hash: b8ffff8b57586d24e1e65cd0b0ad9173
    Characterization: File Hash Watchlist
    Notes: "Proxy tool"
    Earliest PE compile time: 20140902T172442Z
    Latest PE compile time: 20140902T172442Z

    Import hash: 4ef0ad7ad4fe3ef4fb3db02cd82bface
    Characterization: File Hash Watchlist
    Notes: "Proxy tool"
    Earliest PE compile time: 20141024T134136Z
    Latest PE compile time: 20141024T134136Z

    Import hash: eb435e86604abced7c4a2b11c4637a52
    Characterization: File Hash Watchlist
    Notes: "Proxy tool"
    Earliest PE compile time: 20140526T010925Z
    Latest PE compile time: 20140526T010925Z

    Import hash: ed7a9c6d9fc664afe2de2dd165a9338c
    Characterization: File Hash Watchlist
    Notes: "Proxy tool"
    Earliest PE compile time: 20140611T064904Z

    Destructive hard drive tool:

    Import hash: 8dec36d7f5e6cbd5e06775771351c54e
    Characterization: File Hash Watchlist
    Notes: "Destructive hard drive tool"
    Earliest PE compile time: 20120507T151820Z
    Latest PE compile time: 20120507T151820Z

    Import hash: a385900a36cad1c6a2022f31e8aca9f7
    Characterization: File Hash Watchlist
    Notes: "Destructive target cleaning tool"
    Earliest PE compile time: 20130318T003315Z
    Latest PE compile time: 20130318T003315Z

    Import hash: 7bea4323807f7e8cf53776e24cbd71f1
    Characterization: File Hash Watchlist
    Notes: "Destructive target cleaning tool"
    Earliest PE compile time: 20130318T003319Z
    Latest PE compile time: 20130318T003319Z

    Name: d1c27ee7ce18675974edf42d4eea25c6.bin
    Size: 268579 bytes (268.6 KB)
    MD5: D1C27EE7CE18675974EDF42D4EEA25C6
    PE Compile Time: 2014-11-22 00:06:54

    The malware has the following characteristics:

    While the original filename of this file is unknown, it was likely “diskpartmg16.exe”. This file serves as a dropper: it drops the destructive malware “igfxtrayex.exe”. When the dropper file was executed, it started a second instance of itself with “-i” as an argument and then terminated. The second instance of the dropper installed itself as the “WinsSchMgmt” service with “-k” as a command-line argument, started the service, and then terminated. The “WinsSchMgmt” service executed the file with “-k” as an argument, which started another instance of the file using “-s” as an argument. The “-s” instance dropped and executed “igfxtrayex.exe”, created “net_ver.dat”, and began generating network traffic over TCP ports 445 and 139 to victim IP addresses.

    Name: net_ver.dat
    Size: 4572 bytes (4.6 KB) (size will vary)
    MD5: 93BC819011B2B3DA8487F964F29EB934 (hash will vary)

    This is a log file created by the dropper and appended to as the scans progress. It contains what appear to be hostnames, IP addresses, and the number 2. Entries in the file have the structure “HOSTNAME | IP Address | 2”.

    Name: igfxtrayex.exe
    Size: 249856 bytes (249.9 KB)
    MD5: 760C35A80D758F032D02CF4DB12D3E55
    PE Compile Time: 2014-11-24 04:11:08

    This file is destructive malware: a disk wiper with network beacon capabilities. If “igfxtrayex.exe” is run with no parameters, it creates and starts a copy of itself with the “-i” argument. After 10 minutes, “igfxtrayex.exe” makes three copies of itself and places them in the same directory from which it was executed. These copies are named according to the format “taskhostXX.exe” (where X is a randomly generated ASCII character). These copies are then executed, each with a different argument (one with “-m”, one with “-d”, and the other with “-w”). Network connection attempts are made to one of three hard-coded IP addresses in a random order, to port 8080 or 8000. If a connection to the IP address cannot be made, it attempts to connect to another of the three IP addresses, until connections to all three IP addresses have been attempted. The following command-line string is then executed: “cmd.exe /c net stop MSExchangeIS /y”. A 120-minute (2 hour) sleep command is issued, after which the computer is shut down and rebooted.

    Name: iissvr.exe
    Size: 114688 bytes (114.7 KB)
    MD5: E1864A55D5CCB76AF4BF7A0AE16279BA
    PE Compile Time: 2014-11-13 02:05:35

    This file, when executed, starts a listener on localhost port 80. It has three files contained in its resource section, all XORed with 0x63.

    Name: usbdrv3_32bit.sys
    Size: 24280 bytes (24.3 KB)
    MD5: 6AEAC618E29980B69721158044C2E544
    PE Compile Time: 2009-08-21 06:05:32

    This SYS file is a commercially available tool that allows read/write access to files and raw disk sectors for user-mode applications in Windows 2000, XP, 2003, Vista, and 2008 (32-bit). It is dropped from resource ID 0x81 of “igfxtrayex.exe”.

    Name: usbdrv3_64bit.sys
    Size: 28120 bytes (28.1 KB)
    MD5: 86E212B7FC20FC406C692400294073FF
    PE Compile Time: 2009-08-21 06:05:35

    This SYS file is also a commercially available tool that allows read/write access to files and raw disk sectors for user-mode applications in Windows 2000, XP, 2003, Vista, and 2008 (64-bit). It is dropped from resource ID 0x83 of “igfxtrayex.exe”.

    Name: igfxtpers.exe
    Size: 91888 bytes (91.9 KB)
    MD5: e904bf93403c0fb08b9683a9e858c73e
    PE Compile Time: 2014-07-07 08:01:09

    A summary of the C2 IP addresses:

    IP Address      | Country       | Port | Filename
    203.131.222.102 | Thailand      | 8080 | Diskpartmg16.exe, igfxtrayex.exe, igfxtpers.exe
    217.96.33.164   | Poland        | 8000 | Diskpartmg16.exe, igfxtrayex.exe
    88.53.215.64    | Italy         | 8000 | Diskpartmg16.exe, igfxtrayex.exe
    200.87.126.116  | Bolivia       | 8000 | --
    58.185.154.99   | Singapore     | 8080 | --
    212.31.102.100  | Cyprus        | 8080 | --
    208.105.226.235 | United States | --   | igfxtpers.exe

    Snort signatures:

    SMB Worm Tool (not necessarily the tool itself):

    alert tcp any any -> any any (msg:"Wiper 1"; sid:42000001; rev:1; flow:established; content:"|be 64 ba f2 a8 64|"; depth:6; offset:16; classtype:bad-unknown;)

    alert tcp any any -> any any (msg:"Wiper 2"; sid:42000002; rev:1; flow:established; content:"|c9 06 d9 96 fc 37 23 5a fe f9 40 ba 4c 94 14 98|"; depth:16; classtype:bad-unknown;)

    alert tcp any any -> any any (msg:"Wiper 3"; sid:42000003; rev:1; flow:established; content:"|aa 64 ba f2 56|"; depth:50; classtype:bad-unknown;)

    alert ip any any -> any any (msg:"Wiper 4"; sid:42000004; rev:1; content:"|aa 74 ba f2 b9 75|"; depth:74; classtype:bad-unknown;)

    alert tcp any any -> any [8000,8080] (msg:"Wiper 5"; sid:42000005; rev:1; flow:established,to_server; dsize:42; byte_test:2,=,40,0,little; content:"|04 00 00 00|"; depth:4; offset:38; classtype:bad-unknown;)

    Listening Implant:

    alert tcp any any -> any any (msg:"Listening Implant 1"; sid:42000006; rev:1; flow:established; content:"|0c 1f 1f 1f 4d 5a 4c 4f 50 51 4c 5a 3f 2d 2f 2f 3f 50 54 3e 3e 3e|"; depth:22; classtype:bad-unknown;)

    alert tcp any any -> any any (msg:"Listening Implant 2"; sid:42000007; rev:1; flow:established; content:"|d3 c4 d2 d1 ce cf d2 c4 a1 b3 b1 b1 a1 ce ca a0 a0 a0|"; depth:18; classtype:bad-unknown;)

    alert ip any any -> any any (msg:"Listening Implant 3"; sid:42000008; rev:1; content:"|17 08 14 13 67 0f 13 13 17 67 15 02 16 12 02 14 13 78 47 47|"; depth:24; classtype:bad-unknown;)

    alert ip any any -> any any (msg:"Listening Implant 4"; sid:42000009; rev:1; content:"|4f 50 4c 4b 3f 57 4b 4b 4f 3f 4d 5a 4e 4a 5a 4c 4b 20 1f|"; depth:23; classtype:bad-unknown;)

    alert ip any any -> any any (msg:"Listening Implant 5"; sid:42000010; rev:1; content:"|15 02 14 17 08 09 14 02 67 75 77 77 67 08 0c 66 66 66|"; depth:22; classtype:bad-unknown;)

    alert tcp any any -> any any (msg:"Listening Implant 6"; sid:42000011; rev:1; flow:established; content:"|09 22 33 30 28 35 2c|"; fast_pattern:only; classtype:bad-unknown;)

    alert tcp any any -> any any (msg:"Listening Implant 7"; sid:42000012; rev:1; flow:established; content:"|13 2f 22 35 22 67 26 35 22 29 27 33 67 28 37 22 29 67 37 28 35 33 34 69|"; fast_pattern:only; classtype:bad-unknown;)

    alert tcp any any -> any any (msg:"Listening Implant 8"; sid:42000013; rev:1; flow:established; content:"|43 47 47 47 45 67 47 47 43 47 47 47 44 67 47 47|"; classtype:bad-unknown;)

    alert tcp any any -> any any (msg:"Listening Implant 9"; sid:42000014; rev:1; flow:established; content:"|43 47 47 47 42 67 47 47 43 47 47 47 4f 67 47 47 43 47 47 47 43 67 47 47 43 47 47 47 4e 67 47 47|"; classtype:bad-unknown;)

    alert tcp any any -> any any (msg:"Listening Implant 10"; sid:42000015; rev:1; flow:established; content:"|d1 ce d2 d5 a1 c9 d5 d5 d1 a1 d3 c4 d0 d4 c4 d2 d5 be|"; depth:18; classtype:bad-unknown;)

    alert tcp any any -> any any (msg:"Listening Implant 11"; sid:42000016; rev:1; flow:established; content:"|17 08 14 13 67 0f 13 13 17 67 15 02 16 12 02 14 13 78|"; depth:18; classtype:bad-unknown;)

    alert tcp any any -> any any (msg:"Listening Implant 12"; sid:42000017; rev:1; flow:established; content:"|0c 1f 1f 1f 4f 50 4c 4b 3f 57 4b 4b 4f 3f 4d 5a 4e 4a 5a 4c 4b 20|"; classtype:bad-unknown;)

    Lightweight Backdoor:

    alert tcp any 488 -> any any (msg:"Lightweight Backdoor 1"; sid:42000018; rev:1; flow:established,from_server; content:"|60 db 37 37 37 37 37 37|"; fast_pattern:only; classtype:bad-unknown;)

    alert tcp any any -> any 488 (msg:"Lightweight Backdoor 2"; sid:42000019; rev:1; flow:established,to_server; content:"|60 db 37 37 37 37 37 37|"; fast_pattern:only; classtype:bad-unknown;)

    alert tcp any any -> any any (msg:"Lightweight Backdoor 3"; sid:42000020; rev:1; flow:established; content:"|4c 4c|"; depth:2; offset:16; content:"|75 14 2a 2a|"; distance:4; within:4; classtype:bad-unknown;)

    alert tcp any any -> any any (msg:"Lightweight Backdoor 4"; sid:42000021; rev:1; flow:established; content:"|8a 10 80 c2 67 80 f2 24 88 10|"; fast_pattern:only; content:"|8a 10 80 f2 24 80 ea 67 88 10|"; classtype:bad-unknown;)

    alert tcp any 488 -> any any (msg:"Lightweight Backdoor 5"; sid:42000022; rev:1; flow:established,from_server; content:"|65 db 37 37 37 37 37 37|"; fast_pattern:only; classtype:bad-unknown;)

    alert tcp any any -> any 488 (msg:"Lightweight Backdoor 6"; sid:42000023; rev:1; flow:established,to_server; content:"|65 db 37 37 37 37 37 37|"; fast_pattern:only; classtype:bad-unknown;)

    alert tcp any [547,8080,133,117,189,159] -> any any (msg:"Lightweight Backdoor 7"; sid:42000024; rev:1; flow:established,from_server; content:"|7b 08 2a 2a|"; offset:17; content:"|08 2a 2a 01 00|"; distance:0; classtype:bad-unknown;)

    alert tcp any any -> any any (msg:"Lightweight Backdoor 8"; sid:42000025; rev:1; flow:established; content:"|8a 10 80 ea 62 80 f2 b4 88 10|"; fast_pattern:only; content:"|8a 10 80 f2 b4 80 c2 62 88 10|"; classtype:bad-unknown;)

    alert tcp any any -> any any (msg:"Lightweight Backdoor 9"; sid:42000026; rev:1; flow:established; content:"|8a 10 80 c2 4e 80 f2 79 88 10|"; fast_pattern:only; content:"|8a 10 80 f2 79 80 ea 4e 88 10|"; classtype:bad-unknown;)

    alert tcp any any -> any any (msg:"Lightweight Backdoor 10"; sid:42000027; rev:1; flow:established; content:"Sleepy!@#qaz13402scvsde890"; fast_pattern:only; content:"BC435@PRO62384923412!@3!"; nocase; classtype:bad-unknown;)

    Proxy Tool:

    alert tcp any any -> any any (msg:"Proxy Tool 1"; sid:42000028; rev:1; flow:established; content:"|8a 10 80 c2 3a 80 f2 73 88 10|"; fast_pattern:only; content:"|8a 10 80 f2 73 80 ea 3a 88 10|"; classtype:bad-unknown;)

    alert tcp any any -> any any (msg:"Proxy Tool 2"; sid:42000029; rev:1; flow:established; content:!"HTTP/1"; content:"|e2 1d 49 49|"; depth:4; fast_pattern; content:"|49 49 49 49|"; distance:4; within:4; classtype:bad-unknown;)

    alert tcp any any -> any any (msg:"Proxy Tool 3"; sid:42000030; rev:1; flow:established; content:"|82 f4 de d4 d3 c2 ca f5 c8 c8 d3 82 fb f4 de d4 d3 c2 ca 94 95 fb d4 d1 c4 cf c8 d4 d3 89 c2 df c2 87 8a cc 87 00|"; fast_pattern:only; classtype:bad-unknown;)

    Malware associated with the cyber threat actor:

    alert tcp any any -> any [8000,8080] (msg:"WIPER4";flow: established, to_server;dsize:42;content:"|28 00|";depth:2;content:"|04 00 00 00|";offset:38;depth:4;sid:123;)
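The "Wiper 5" and "WIPER4" rules express the same beacon shape two ways (`byte_test:2,=,40,0,little` is the same test as `content:"|28 00|";depth:2`). As an added example that is not part of the alert, the Python below reimplements that test on a raw payload and combines it with a lookup against the C2 table earlier in the alert, so the two data sets can be applied to flow records outside Snort. The flow records and the record layout are constructed for the example; only the IP table and the rule conditions come from the page.

```python
import struct

# C2 summary table from the alert: (ip, country, port, filenames); "--" became None / ().
C2_TABLE = [
    ("203.131.222.102", "Thailand",      8080, ("Diskpartmg16.exe", "igfxtrayex.exe", "igfxtpers.exe")),
    ("217.96.33.164",   "Poland",        8000, ("Diskpartmg16.exe", "igfxtrayex.exe")),
    ("88.53.215.64",    "Italy",         8000, ("Diskpartmg16.exe", "igfxtrayex.exe")),
    ("200.87.126.116",  "Bolivia",       8000, ()),
    ("58.185.154.99",   "Singapore",     8080, ()),
    ("212.31.102.100",  "Cyprus",        8080, ()),
    ("208.105.226.235", "United States", None, ("igfxtpers.exe",)),
]
C2_BY_IP = {row[0]: row[1:] for row in C2_TABLE}
BEACON_PORTS = {8000, 8080}   # the "any [8000,8080]" destination in both rules


def is_wiper_beacon(payload: bytes) -> bool:
    """The payload conditions shared by 'Wiper 5' and 'WIPER4'."""
    if len(payload) != 42:                                # dsize:42
        return False
    if struct.unpack_from("<H", payload, 0)[0] != 40:     # byte_test:2,=,40,0,little == "|28 00|" at offset 0
        return False
    return payload[38:42] == b"\x04\x00\x00\x00"          # content:"|04 00 00 00|"; offset:38; depth:4


def classify_flow(dst_ip: str, dst_port: int, payload: bytes) -> list:
    """Return the reasons a flow is suspicious; an empty list means nothing matched."""
    reasons = []
    c2 = C2_BY_IP.get(dst_ip)
    if c2 is not None:
        country, port, _files = c2
        if port is None or port == dst_port:
            reasons.append(f"destination {dst_ip}:{dst_port} is a listed C2 ({country})")
        else:
            reasons.append(f"destination {dst_ip} is a listed C2 ({country}), unlisted port {dst_port}")
    if dst_port in BEACON_PORTS and is_wiper_beacon(payload):
        reasons.append("payload matches the 42-byte wiper beacon ('Wiper 5' / 'WIPER4')")
    return reasons


def scan_flows(flows) -> list:
    """Return (src, dst, port, reasons) for every flow record that matched something."""
    out = []
    for src, dst, port, payload in flows:
        reasons = classify_flow(dst, port, payload)
        if reasons:
            out.append((src, dst, port, reasons))
    return out


# Constructed records, not from the alert: (src, dst_ip, dst_port, first client payload).
BEACON = b"\x28\x00" + b"\x00" * 36 + b"\x04\x00\x00\x00"   # 42 bytes satisfying both rules
SAMPLE_FLOWS = [
    ("10.1.1.20", "203.131.222.102", 8080, BEACON),           # listed C2 and beacon shape
    ("10.1.1.20", "198.51.100.7",    8080, BEACON),           # beacon shape to an unlisted host
    ("10.1.1.21", "208.105.226.235", 443,  b"\x16\x03\x01"),  # listed C2 with no listed port
    ("10.1.1.22", "198.51.100.7",    8080, b"GET / HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for hit in scan_flows(SAMPLE_FLOWS):
        print(hit)
```

The beacon test on its own is weak (any 42-byte payload starting with 40 and carrying 04 00 00 00 at offset 38 fires), which is why both rules pin the destination ports; pairing it with the address list, as above, is how it earns a higher-severity alert.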


    Host Based Indicators

    Below are potential YARA signatures to detect malware binaries on host machines:

     

    SMB Worm Tool:

    strings:

    $STR1 = "Global\\FwtSqmSession106829323_S-1-5-19"

    $STR2 ="EVERYONE"

    $STR3 = "y0uar3@s!llyid!07,ou74n60u7f001"

    $STR4 = "\\KB25468.dat" condition:

    (uintl6(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) ==0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them

     

    Lightweight Backdoor:

    strings:

    $STR1 = ''NetMgStart"

    $STR2 = ''Netmgmt.srg"

    condition:

    (uint16(0) == 0x5A4D) and all of them

     

    Lightweight Backdoor:

    strings:

    $STR1 = "prxTroy" ascii wide nocase

    condition:

    (uintl6(0) == 0x5A4D or uint16(0) == 0xCFD0 or uintl6(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them

     

    Lightweight Backdoor:

    strings:

    $strl  = { C6 45 E8 64 C6 45 E9 61 C6 45 EA 79 C6 45 EB 69 C6 45 EC 70 C6 45 ED 6D C6 45 EE 72 C6 45 EF 2E C6 45 F0 74 C6 45 F1  62 C6 45 F2 6C } // 'dayipmr.tbl' being moved to ebp

    condition:

    (uintl6(0) == 0x5A4D or uintl6(0) == 0xCFD0 or uint16(0) == 0xC3D4 or

    uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them

     

    Lightweight Backdoor:

    strings:

    $strl  = { C6 45 F4 61 C6 45 F5 6E C6 45 F6 73 C6 45 F7 69 C6 45 F8 2E C6 45 F9 6E C6 45 FA 6C C6 45 FB 73 } // 'ansi.nls' being moved to ebp

    condition:

    (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uintl6(0) == 0xC3D4 or

    uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them

     

    Lightweight Backdoor:

    strings:

    $strl  = { C6 45 F4 74 C6 45 F5 6C C6 45 F6 76 C6 45 F7 63 C6 45 F8 2E C6 45 F9 6E C6 45 FA 6C C6 45 FB 73 } // 'tlvc.nls' being moved to ebp

    condition:

    (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them

     

    Lightweight Backdoor:

    strings:

    $STR1 = { 8A 10 80 ?? 4E 80 ?? 79 88 10}

    $STR2 = {SA 10 80?? 79 80 ?? 4E 88 10}

    condition:

    (uintl6(0) == 0x5A4D or uintl6(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them

     

    Proxy Tool:

    strings:

    $STR1 = "pmsconfig.msi" wide

    $STR2 = "pmslog.msi" wide

    condition:

    (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uintl6(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and any of them

     

    Proxy Tool:

    strings:

    $STR1 = { 82 F4 DE D4 D3 C2 CA F5 C8 C8 D3 82 FB F4 DE D4 D3 C2 CA 94 95 FB D4 Dl  C4 CF C8 D4 D3 89 C2 DF C2 87 8A CC 87 00 } // '%SystemRoot%\System32\svchost.exe -k' xor A7

    condition:

    (uint16(0) == 0x5A4D or uintl6(0) == 0xCFD0 or uint16(0) == 0xC3D4 or

    uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them

     

    Proxy Tool:

    strings:

    $STR2 = {8A 04 17 8B FB 34 A7 46 88 02 83 C9 FF}

    condition:

    (uintl6(0) == 0x5A4D or uint16(0) == 0xCFD0 or uintl6(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and $STR2

     

    Destructive Hard Drive Tool:

    strings:

    $str0= "MZ"

    $str1 = {c6 84 24 ?? ( 00 | 01 ) 00 00 }

    $xorInLoop = { 83 EC 20 B9 08 00 00 00 33 D2 56 8B 74 24 30 57 8D 7C 24 08

    F3 A5 8B 7C 24 30 85 FF 7E 3A 8B 74 24 2C 8A 44 24 08 53 8A 4C 24 21 8A 5C 24 2B 32 C1 8A 0C 32 32 C3 32 C8 88 0C 32 B9 1E 00 00 00 8A 5C 0C 0C 88 5C 0C 0D 49 83 F9 FF 7F F2 42 88 44 24 0C 3B D7 7C D0 5B 5F 5E 83 C4 20 C3 }

    condition:

    $str0 at 0 and $xorInLoop and #str1 > 300

     

    Destructive Target Cleaning Tool:

    strings:

    $s1  = {d3000000 [4] 2c000000 [12] 95000000 [4] 6a000000 [8] 07000000}

    condition:

    (uintl6(0) == 0x5A4D and uintl6(uint32(0x3c)) == 0x4550) and all of them

     

    Destructive Target Cleaning Tool:

    strings:

    $secureWipe= { 83 EC 34 53 55 8B 6C 24 40 56 57 83 CE FF 55 C7 44 24 2C D3 00 00 00 C7 44 24 30 2C 00 00 00 89 74 24 34 89 74 24 38 C7 44 24 3C 95 00 00 00 C7 44 24 40 6A 00 00 00 89 74 24 44 C7 44 24 14 07 00 00 00 FF 15 ?? ?? ?? ?? 3B C6 89 44 24 1C 0F 84 (D8 | d9) 01 00 00 33 FF 68 00 00 01 00 57 FF 15 ?? ?? ?? ?? 8B D8 3B DF 89 5C 24 14 0F 84 (BC | BD) 01 00 00 8B 44 24 1C A8 01 74 0A 24 FE 50 55 FF 15 ?? ?? ?? ?? 8B 44 24 4C 2B C7 74 20 48 74 0F 83 E8 02 75 1C C7 44 24 10 03 00 00 00 EB 12 C7 44 24 10 01 00 00 00 89 74 24 28 EB 04 89 7C 24 10 8B 44 24 10 89 7C 24 1C 3B C7 0F 8E ( 5C | 5d ) 01 00 00 8D 44 24 28 89 44 24 4C EB 03 83 CE FF 8B 4C 24 4C 8B 01 3B C6 74 17 8A D0 B9 00 40 00 00 8A F2 8B FB 8B C2 C1 E0 10 66 8B C2 F3 AB EB ( 13 | 14) 33 F6 (E8 | ff 15) ?? ?? ?? ?? 88 04 1E 46 81 FE 00 00 01 00 7C ( EF | ee) 6A 00 6A 00 6A 03 6A 00 6A 03 68 00 00 00 C0 55 FF 15 ?? ?? ?? ?? 8B F0 83 FE FF 0F 84 FA 00 00 00 8D 44 24 20 50 56 FF 15 ?? ?? ?? ?? 8B 2D ?? ?? ?? ?? 6A 02 6A 00 6A FF 56 FF D5 8D 4C 24 18 6A 00 51 6A 01 53 56 FF 15 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 6A 00 6A 00 6A 00 56 FF D5 8B 44 24 24 8B 54 24 20 33 FF 33 DB 85 CO 7C 5A 7F 0A 85 D2 76 54 EB 04 8B 54 24 20 8B CA BD 00 00 01 00 2B CF 1B C3 85 C0 7F 0A 7C 04 3B CD 73 04 2B D7 8B EA 8B 44 24 14 8D 54 24 18 6A 00 52 55 50 56 FF 15 ?? ?? ?? ?? 8B 6C 24 18 8B 44 24 24 03 FD 83 D3 00 3B D8 7C BE 7F 08 8B 54 24 20 3B FA 72 B8 8B 2D ?? ?? ?? ?? 8B 5C 24 10 8B 7C 24 1C 8D 4B FF 3B F9 75 17 56 FF 15 ?? ?? ?? ?? 6A 00 6A 00 6A 00 56 FF D5 56 FF 15 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 56 FF 15 ?? ?? ?? ?? 8B 4C 24 4C 8B 6C 24 48 47 83 C1 04 3B FB 8B 5C 24 14 89 7C 24 1C 89 4C 24 4C 0F 8C ( AE | AD) FE FF FF 6A 00 55 E8 ?? ?? ?? ?? 83 C4 08 53 FF 15 ?? ?? ?? ?? 5F 5E 5D 5B 83 C4 34 C3}

    condition:

    $secureWipe

     

    Destructive Target Cleaning Tool:

    strings:

    $S1_CMD_Arg = ""/install'"' fullword

    $S2_CMD_Parse= ""\""%s'"'  /install \""%s\""'"' fullword

    $S3_CMD_Builder= ""\'"'%s\""  \""%s\'"' \""%s\'"' %s'"' fullword

    condition:

    all of them

     

    Destructive Target Cleaning Tool:

    strings:

    $BATCH_SCRIPT_LN1_0 = ""goto x"" fullword

    $BATCH_SCRIPT_LN1_1 = '"'del"" fullword

    $BATCH_SCRIPT_LN2_0 = ""if exist"" fullword

    $BATCH_SCRIPT_LN3_0 = "":x'"' fullword

    $BATCH_SCRIPT_LN4_0 = ""zz%d.bat"'' fullword

    condition:

    (#BATCH_SCRIPT_LNl_l == 2) and all of them"

     

    Destructive Target Cleaning Tool:

    strings:

    $MCU_DLL_ZLIB_COMPRESSED2=

    {5CECABAE813CC9BCD5A542F454910428343479806F71D5521E2AOD}

    condition:

    $MCU_DLL_ZLIB_COMPRESSED2"

     

    Destructive Target Cleaning Tool:

    strings:

    $MCU_INF_StartHexDec =

    {010346080A30D63633000B6263750A5052322A00103D1B570A30E67F2A00130952690A50 3A0D2A000E00A26El5104556766572636C7669642E657865}

    $MCU_INF_StartHexEnc =

    {6C3272386958BF075230780A0A54676166024968790C7A6779588F5E47312739310163615B3D59686721CF5F2120263ElF5413531FlE004543544C55}

    condition:

    $MCU_INF_StartHexEnc or

    $MCU_INF_StartHexDec

    Destructive Target Cleaning Tool:

    strings:

    $ = "SetFilePointer"

    $ = "SetEndOfFile"

    $ = {75 17 56 ff 15 ?? ?? ?? ?? 6a 00 6a 00 6a 00 56 ffD5 56 ff 15?? ?? ??

    ?? 56}

    condition:

    (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and all of them

     

    Destructive Target Cleaning Tool:

    strings:

    $license=

    {E903FFFF820050006F007200740069006F006E007300200063006F007000790072006900670068007400200052006F006200650072007400200064006500200042006100740068002C0020004A006F007200690073002000760061006E002000520061006E007400770069006A006B002C002000440065006C00690061006E000000000000000250000000000A002200CE000800EA03FFFF8200}

    $PuTTY= {50007500540054005900}

    condition:

    (uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550) and $license and not $PuTTY

     

    Malware used by cyber threat actor:

    strings:

    $heapCreateFunction_0 = {33C06A003944240868001000000F94C050FF15????????85C0A3???????07436E893FEFFFF83F803A3???????0750D68F8030000E8??00000059EB0A83F8027518E8????000085C0750FFF35???????0FF15???????033C0C36A0158C3}

    $heapCreateFunction =

    {558BECB82C120000E8????FFFF8D8568FFFFFF5350C78568FFFFFF94000000FF1????????085C0741A83BD78FFFFFF02751183BD6CFFFFFF0572086A0158E9020100008D85D4EDFFF68901000005068???????0FF15???????085C00F84D000000033DB8D8DD4EDFFFF389DD4EDFFFF74138A013C617C083C7A7F042C20880141381975ED8D85D4EDFFFF6A165068???????0E8????000083C40C85C075088D85D4EDFFFFEB498D8564FEFFFF68040100005053FF15???????0389D64FEFFFF8D8D64FEFFFF74138A013C617C083C7A7F042C20880141381975ED8D8564FEFFFF508D85D4EDFFFF50E8????????59593BC3743E6A2C50E8????????593BC3597430408BC83818740E80393B75048819EB0141381975F26A0A5350E8????000083C40C83F802741D83F803741883F80174138D45FC50E898FEFFFF807DFC06591BC083C0035BC9C3}

    $getMajorMinorLinker =

    {568B7424086A00832600FF15???????06681384D5A75148B483C85C9740D03C18A481A880E8A401B8846015EC3}

    $openServiceManager =

    {FF15???0?0?08B?885??74????????????????5?FF15???0?0?08B?????0?0?08BF?85F?74}

    condition:

    all of them

     

    Malware used by cyber threat actor:

    strings:

    $str1 = "_quit"

    $str2 = "_exe"

    $str3 = "_put"

    $str4 = "_got"

    $str5 = "_get"

    $str6 = "_del"

    $str7 = "_dir"

    $str8 = { C7 44 24 18 1F F7}

    condition:

    (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them

     

    Malware used by cyber threat actor:

    strings:

    $STR1 = { 50 68 80 00 00 00 68 FF FF 00 00 51 C7 44 24 1C 3a 8b 00 00 }

    condition:

    (uint16(0) == 0x5A4D or uint16(0) == 0xCFD0 or uint16(0) == 0xC3D4 or uint32(0) == 0x46445025 or uint32(1) == 0x6674725C) and all of them
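The file-header gate shared by the last two rules (and the MZ/PE check in the earlier ones), evaluated outside YARA as an added example; this is not code from the alert, and uint16, uint32, is_pe, matching_types and the sample buffers are constructed here to make the magic values readable:

```python
"""Added example (not part of the US-CERT alert): the header checks from the
YARA conditions above, in plain Python. uint16()/uint32() mirror YARA's
little-endian accessors, so each constant reads exactly as it does in the rule."""
import struct


def uint16(data: bytes, offset: int) -> int:
    """Little-endian unsigned 16-bit read at offset, as YARA's uint16()."""
    return struct.unpack_from("<H", data, offset)[0]


def uint32(data: bytes, offset: int) -> int:
    """Little-endian unsigned 32-bit read at offset, as YARA's uint32()."""
    return struct.unpack_from("<I", data, offset)[0]


def is_pe(data: bytes) -> bool:
    """uint16(0) == 0x5A4D and uint16(uint32(0x3c)) == 0x4550:
    an 'MZ' DOS stub whose e_lfanew field (offset 0x3C) points at 'PE'."""
    if len(data) < 0x40 or uint16(data, 0) != 0x5A4D:
        return False
    e_lfanew = uint32(data, 0x3C)
    if e_lfanew + 2 > len(data):  # pointer outside the buffer: cannot be PE
        return False
    return uint16(data, e_lfanew) == 0x4550


# The wider gate of the last two rules: (label, offset, width, expected value).
FILE_TYPE_GATE = [
    ("MZ executable", 0, 2, 0x5A4D),          # b"MZ"
    ("OLE compound document", 0, 2, 0xCFD0),  # D0 CF 11 E0 (Office 97-2003)
    ("pcap capture", 0, 2, 0xC3D4),           # D4 C3 B2 A1
    ("PDF", 0, 4, 0x46445025),                # b"%PDF"
    ("RTF", 1, 4, 0x6674725C),                # b"\\rtf" at offset 1, i.e. "{\\rtf"
]


def matching_types(data: bytes) -> list:
    """Labels of every gate entry the buffer satisfies (normally one or none)."""
    hits = []
    for label, offset, width, expected in FILE_TYPE_GATE:
        if len(data) < offset + width:
            continue
        reader = uint16 if width == 2 else uint32
        if reader(data, offset) == expected:
            hits.append(label)
    return hits


# Constructed sample buffers (not real samples): a minimal MZ stub whose
# e_lfanew points at a PE signature, an MZ stub without one, and two documents.
SAMPLE_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00"
SAMPLE_MZ_ONLY = b"MZ" + b"\x00" * 0x3E  # e_lfanew == 0, so no PE signature
SAMPLE_RTF = b"{\\rtf1\\ansi"
SAMPLE_PDF = b"%PDF-1.4\n"
```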

     

    Recommended Security Practices

    Because of the highly destructive functionality of the malware, an organization infected with the malware could experience operational impacts including loss of intellectual property (IP) and disruption of critical systems. Actual impact to organizations may vary depending on the type and number of systems impacted.

    Tactical Mitigations

    • Implement the indicators of compromise within your systems for detection and mitigation purposes.
    • Encourage users to transfer critical files to network shares, to allow for central backup.
    • Execute daily backups of all critical systems.
    • Periodically execute an “offline” backup of critical files to removable media.
    • Establish emergency communications plans should network resources become unavailable.
    • Isolate any critical networks (including operations networks) from business systems.
    • Identify critical systems and evaluate the need for having on-hand spares to quickly restore service.
    • Ensure antivirus is up to date.
    • Disable credential caching for all desktop devices, with particular importance on critical systems such as servers, and restrict the number of cached credentials for all portable devices to no more than three if possible. This can be accomplished through a Group Policy Object (GPO).
    • Disable AutoRun and Autoplay for any removable media device.
    • Prevent or limit the use of all removable media devices on systems to limit the spread or introduction of malicious software and possible data exfiltration, except where there is a valid business case for use. This business case must be approved by the organization's Chief IT Security Officer, with policy/guidance on how such media should be used.
    • Consider restricting account privileges. It is our recommendation that all daily operations should be executed using standard user accounts unless administrative privileges are required for that specific function. Configure all standard user accounts to prevent the execution and installation of any unknown or unauthorized software. Both standard and administrative accounts should have access only to services required for nominal daily duties, enforcing the concept of separation of duties. Lastly, disable Web and email capabilities on administrative accounts. Compromise of admin accounts is one vector that allows malicious activity to become truly persistent in a network environment.
    • Ensure that password policy rules are enforced and Admin password values are changed periodically.
    • Consider prohibiting hosts within the production environment or DMZ from sharing an Active Directory enterprise with hosts on other networks. Each environment should have separate forests within Active Directory, with no trust relationships allowed between the forests if at all possible. If necessary, the trust relationships should be one-way with the low integrity environment trusting the higher integrity environment.
    • Consider deployment of a coaching page with click-through acceptance; these are traditionally deployed in an environment to log the acceptance of a network acceptable use policy or to notify users of monitoring. Coaching pages also provide some measure of protection from automated malicious activity, because automated malware is normally incapable of physically clicking an acceptance radio button. Automated malware is traditionally hardcoded to execute, then retrieve commands or additional executables from the Internet. If the malware is unable to initiate an active connection, the full train of infection is potentially halted. The danger still exists that the physical user will authorize access, but through the use of coaching pages, infections can be limited or at least the rate of infection reduced.
    • Monitor logs -- Maintain and actively monitor a centralized logging solution that keeps track of all anomalous and potentially malicious activity.
    • Ensure that all network operating systems, web browsers, and other related network hardware and software remain updated with all current patches and fixes.

    Strategic Mitigations

    • Organizations should review Security Tip ST13-003, Handling Destructive Malware, and evaluate their capabilities encompassing planning, preparation, detection, and response for such an event.
    • Always keep your patch levels up to date, especially on computers that host public services accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
    • Build host systems, especially critical systems such as servers, with only essential applications and components required to perform the intended function. Any unused applications or functions should be removed or disabled, if possible, to limit the attack surface of the host.
    • Implement network segmentation through V-LANs to limit the spread of malware.
    • Consider the deployment of a Software Restriction Policy set to only allow the execution of approved software (application whitelisting).
    • Whitelist legitimate executable directories to prevent the execution of potentially malicious binaries.
    • Consider the use of two-factor authentication methods for accessing privileged root level accounts or systems.
    • Consider deploying a two-factor authentication through a hardened IPsec/VPN gateway with split-tunneling prohibited for secure remote access.
    • Deny direct Internet access, except through the use of proxies for Enterprise servers and workstations. Perform regular content filtering at the proxies or external firewall points of presence. Also consider the deployment of an explicit versus transparent proxy policy.
    • Implement a Secure Socket Layer (SSL) inspection capability to inspect both ingress and egress encrypted network traffic for potential malicious activity.
    • Isolate network services, such as email and Web application servers by utilizing a secure multi-tenant virtualization technology. This will limit the damage sustained from a compromise or attack of a single network component.
    • Implement best practice guidance and policy to restrict the use of non-Foundation assets for processing or accessing Foundation-controlled data or systems (e.g., working from home, or using a personal device while at the office). It is difficult to enforce corporate policies, detect intrusions, and conduct forensic analysis or remediate compromises on non-corporate owned devices.
    • Minimize network exposure for all control system devices. Control system devices should not directly face the Internet.
    • Place control system networks behind firewalls, and isolate or air gap them from the business network.
    • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPN is only as secure as the connected devices.
    • Industrial Control System (ICS)-CERT and US-CERT remind organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.

    References

    Revision History

    • December 19, 2014: Initial Release
    • December 24, 2014: Updates to information in the Solutions section.

    This product is provided subject to this Notification and this Privacy & Use policy.


  • TA14-329A: Regin Malware
    Original release date: November 25, 2014

    Systems Affected

    Microsoft Windows NT, 2000, XP, Vista, and 7

    Overview

    On November 24, 2014, Symantec released a report on Regin, a sophisticated backdoor Trojan used to conduct intelligence-gathering campaigns. At this time, the Regin campaign has not been identified targeting any organizations within the United States.

    Description

    Regin is a multi-staged, modular threat—meaning it has a number of components, each dependent on others to perform an attack. Each of the five stages is hidden and encrypted, with the exception of the first stage. The modular design poses difficulties to analysis, as all components must be available in order to fully understand the Trojan.  

    Impact

    Regin is a remote access Trojan (RAT), able to take control of input devices, capture credentials, monitor network traffic, and gather information on processes and memory utilization. The complex design provides flexibility to actors, as they can load custom features tailored to individual targets. [1]

    Solution

    Users and administrators are recommended to take the following preventive measures to protect their computer networks:

    • Use and maintain anti-virus software – Anti-virus software recognizes and protects your computer against most known viruses. It is important to keep your anti-virus software up-to-date (see Understanding Anti-Virus Software for more information). [2]
    • Keep your operating system and application software up-to-date – Install software patches so that attackers can't take advantage of known problems or vulnerabilities. Many operating systems offer automatic updates. If this option is available, you should enable it (see Understanding Patches for more information).

    The following is a list of the Indicators of Compromise (IOCs) that can be added to network security solutions to determine whether they are present on a network.

    MD5s: [1]


    Note: Stages 2, 3, and 4 do not appear on infected systems as real files on disk. Hashes are provided for research purposes only.

    Registry branches used to store malware stages 2 and 3:

    \REGISTRY\Machine\System\CurrentControlSet\Control\RestoreList

    \REGISTRY\Machine\System\CurrentControlSet\Control\Class\{39399744-44FC-AD65-474B-E4DDF-8C7FB97}

    \REGISTRY\Machine\System\CurrentControlSet\Control\Class\{3F90B1B4-58E2-251E-6FFE-4D38C5631A04}

    \REGISTRY\Machine\System\CurrentControlSet\Control\Class\{4F20E605-9452-4787-B793-D0204917CA58}

    \REGISTRY\Machine\System\CurrentControlSet\Control\Class\{9B9A8ADB-8864-4BC4-8AD5-B17DFDBB9F58}

    IP IOCs [3]:


    References

    Revision History

    • November 25, 2014: Initial Release
