DLink DVGN5402SP File Path Traversal, Weak Credentials Management, and
Sensitive Info Leakage Vulnerabilities
*Timelines*
Reported to CERT + Vendor: August 2015
Dlink beta release: Oct 23, 2015
New fix release: MD5 (GRNV6.1U23J-83-DL-R1B114-SG_Normal.EN.img) =
04fd8b901e9f297a4cdbea803a9a43cb
No public disclosure to date – Dlink is waiting for service providers to ask
for the new release + CERT opted out
CVSS 10 – INSECURE CREDENTIAL STORAGE (Pass the Hash) CVE-2015-7914
CVSS 10 – INSECURE TRANSMISSION OF CREDENTIALS CVE-2015-7915
CVSS 7.4 – CROSS-SITE SCRIPTING CVE-2015-7916
Other risk exposures
—————
Undocumented default accounts
Note that default accounts with changeable passwords, even when those
are undocumented and do not look like user accounts in either the interface
or the documentation,…
Several vulnerabilities were discovered in krb5, the MIT implementation
of Kerberos. The Common Vulnerabilities and Exposures project identifies
the following problems:
Ubuntu Security Notice 2891-1 – Qinghao Tang discovered that QEMU incorrectly handled PCI MSI-X support. An attacker inside the guest could use this issue to cause QEMU to crash, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS and Ubuntu 15.10. Lian Yihan discovered that QEMU incorrectly handled the VNC server. A remote attacker could use this issue to cause QEMU to crash, resulting in a denial of service. Various other issues were also addressed.
Red Hat Security Advisory 2016-0118-01 – Red Hat JBoss Operations Network is a Middleware management solution that provides a single point of control to deploy, manage, and monitor JBoss Enterprise Middleware, applications, and services. This JBoss Operations Network 3.3.5 release serves as a replacement for JBoss Operations Network 3.3.4, and includes several bug fixes.
Debian Linux Security Advisory 3465-1 – Several vulnerabilities have been discovered in OpenJDK, an implementation of the Oracle Java platform, resulting in breakouts of the Java sandbox, information disclosure, denial of service and insecure cryptography.