USN-2949-1: Linux kernel (Vivid HWE) vulnerabilities

Ubuntu Security Notice USN-2949-1

6th April, 2016

linux-lts-vivid vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 14.04 LTS

Summary

Several security issues were fixed in the kernel.

Software description

  • linux-lts-vivid
    – Linux hardware enablement kernel from Vivid for Trusty

Details

Venkatesh Pottem discovered a use-after-free vulnerability in the Linux
kernel’s CXGB3 driver. A local attacker could use this to cause a denial of
service (system crash) or possibly execute arbitrary code. (CVE-2015-8812)

Xiaofei Rex Guo discovered a timing side channel vulnerability in the Linux
Extended Verification Module (EVM). An attacker could use this to affect
system integrity. (CVE-2016-2085)

David Herrmann discovered that the Linux kernel incorrectly accounted file
descriptors to the original opener for in-flight file descriptors sent over
a unix domain socket. A local attacker could use this to cause a denial of
service (resource exhaustion). (CVE-2016-2550)

It was discovered that the Linux kernel did not enforce limits on the
amount of data allocated to buffer pipes. A local attacker could use this
to cause a denial of service (resource exhaustion). (CVE-2016-2847)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 14.04 LTS:
  linux-image-3.19.0-58-powerpc64-smp     3.19.0-58.64~14.04.1
  linux-image-3.19.0-58-lowlatency        3.19.0-58.64~14.04.1
  linux-image-3.19.0-58-generic           3.19.0-58.64~14.04.1
  linux-image-3.19.0-58-generic-lpae      3.19.0-58.64~14.04.1
  linux-image-3.19.0-58-powerpc-e500mc    3.19.0-58.64~14.04.1
  linux-image-3.19.0-58-powerpc64-emb     3.19.0-58.64~14.04.1
  linux-image-3.19.0-58-powerpc-smp       3.19.0-58.64~14.04.1

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

ATTENTION: Due to an unavoidable ABI change the kernel updates have
been given a new version number, which requires you to recompile and
reinstall all third party kernel modules you might have installed.
Unless you manually uninstalled the standard kernel metapackages
(e.g. linux-generic, linux-generic-lts-RELEASE, linux-virtual,
linux-powerpc), a standard system upgrade will automatically perform
this as well.
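A practical way to verify that a Trusty host actually carries the fixed linux-lts-vivid packages is to compare the installed package version against the version in the notice using dpkg's own ordering rules (the "~" in "3.19.0-58.64~14.04.1" sorts before anything, including the end of the string, so a naive string comparison gets it wrong) and to confirm that the running kernel's ABI matches after the reboot the notice requires. The script below is an added example, not part of the Ubuntu notice: it re-implements the dpkg version comparison in Python, takes the fixed version and flavour names from the notice, and runs on constructed `dpkg-query`-style lines rather than a live system.

```python
import re

# Fixed version and kernel flavours taken from USN-2949-1 (Ubuntu 14.04 LTS).
FIXED_VERSION = "3.19.0-58.64~14.04.1"
FIXED_FLAVOURS = ("generic", "generic-lpae", "lowlatency", "powerpc-smp",
                  "powerpc-e500mc", "powerpc64-smp", "powerpc64-emb")


def _order(c):
    """Character weight as in dpkg: '~' sorts before everything (even the end
    of the string), letters sort before non-letters, digits are handled
    separately by the caller."""
    if c == "~":
        return -1
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare one upstream or revision component the way dpkg does:
    alternate between non-digit runs (by character weight) and digit runs
    (numerically, leading zeros ignored)."""
    while a or b:
        first_diff = 0
        while (a and not a[0].isdigit()) or (b and not b[0].isdigit()):
            ac = _order(a[0]) if a else 0
            bc = _order(b[0]) if b else 0
            if ac != bc:
                return ac - bc
            a, b = a[1:], b[1:]
        a, b = a.lstrip("0"), b.lstrip("0")
        while a and a[0].isdigit() and b and b[0].isdigit():
            if not first_diff:
                first_diff = ord(a[0]) - ord(b[0])
            a, b = a[1:], b[1:]
        if a and a[0].isdigit():
            return 1          # longer digit run is the larger number
        if b and b[0].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version):
    """Split '[epoch:]upstream[-revision]' into its three parts."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def compare_versions(v1, v2):
    """Return <0, 0 or >0, like `dpkg --compare-versions`."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return e1 - e2
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)


def package_is_fixed(installed_version, fixed_version=FIXED_VERSION):
    return compare_versions(installed_version, fixed_version) >= 0


def running_kernel_is_fixed(uname_r, fixed_version=FIXED_VERSION):
    """`uname -r` carries only the ABI (e.g. 3.19.0-58-generic), so after the
    reboot we can only confirm that the running ABI is the fixed one."""
    m = re.match(r"^(\d+\.\d+\.\d+-\d+)-(.+)$", uname_r)
    if not m:
        return False
    abi, flavour = m.groups()
    _, upstream, revision = _split(fixed_version)
    fixed_abi = upstream + "-" + revision.split(".")[0]
    return abi == fixed_abi and flavour in FIXED_FLAVOURS


def audit_dpkg_lines(lines):
    """Take 'package<TAB>version' lines (the shape of
    `dpkg-query -W -f '${Package}\\t${Version}\\n' 'linux-image-3.19*'`)
    and report which linux-image packages are at or past the fixed version."""
    result = {}
    for line in lines:
        name, _, version = line.strip().partition("\t")
        if name.startswith("linux-image-3.19") and version:
            result[name] = package_is_fixed(version)
    return result


if __name__ == "__main__":
    # Constructed sample: one stale kernel still installed beside the fixed one.
    sample = ["linux-image-3.19.0-56-generic\t3.19.0-56.62~14.04.1",
              "linux-image-3.19.0-58-generic\t3.19.0-58.64~14.04.1"]
    for pkg, ok in audit_dpkg_lines(sample).items():
        print(pkg, "fixed" if ok else "VULNERABLE")
    print("running kernel fixed:", running_kernel_is_fixed("3.19.0-58-generic"))
```

The tilde rule matters here: a locally built "3.19.0-58.64" without the "~14.04.1" suffix compares as newer than the notice's version, which is correct Debian semantics, while "3.19.0-56.62~14.04.1" correctly compares as older.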

References

CVE-2015-8812, CVE-2016-2085, CVE-2016-2550, CVE-2016-2847

Drupal Commerce – Less Critical – Information disclosure – SA-CONTRIB-2016-019

Description

This module enables you to build an online store that uses nodes to display products through the use of product reference fields. The default widget for those fields is an autocomplete textfield similar to the taxonomy term reference field’s autocomplete widget. As you type in the textfield, the Commerce Product module returns a JSON array of matching product SKUs / titles for you to select.

The module doesn’t sufficiently restrict access to the autocomplete path under the default configuration of the field. A visitor to the website could browse directly to the autocomplete path to see a list of products that would ordinarily be returned to the autocomplete JavaScript to populate the autocomplete dropdown. Default parameters on the function used to generate this list cause it to bypass the product access control check that would ordinarily restrict product visibility to end users based on your site’s permissions.

This vulnerability is mitigated by the fact that an attacker must know what the autocomplete path is and what arguments to include in it to generate a valid response based on your site’s architecture. Additionally, in most eCommerce sites, product SKUs and titles are not by themselves considered private information.
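The root cause described above is an access check that is opt-in through a parameter whose default is "off", so an endpoint that can be reached directly serves the unfiltered list. The following is an added, constructed illustration in Python, not Drupal Commerce code: a product-matching helper with exactly that defect beside a hardened form in which the caller cannot skip the access filter. The product records, roles and the `product_access_view` rule are invented for the example.

```python
import json

# Constructed catalogue standing in for Commerce product entities.
# "status" models the published flag; "roles" the roles allowed to view it.
PRODUCTS = [
    {"sku": "TEE-RED", "title": "Red T-shirt", "status": 1,
     "roles": {"anonymous", "authenticated"}},
    {"sku": "TEE-BLU", "title": "Blue T-shirt", "status": 1,
     "roles": {"anonymous", "authenticated"}},
    {"sku": "TEE-PRE", "title": "Preview T-shirt", "status": 0,
     "roles": {"administrator"}},
    {"sku": "TEE-WHL", "title": "Wholesale T-shirt", "status": 1,
     "roles": {"wholesale"}},
]


def product_access_view(user, product):
    """Hypothetical per-product view check (administrators see everything,
    others only published products granted to one of their roles)."""
    if "administrator" in user["roles"]:
        return True
    return product["status"] == 1 and bool(product["roles"] & user["roles"])


def _matches(string):
    needle = string.lower()
    return [p for p in PRODUCTS
            if needle in p["sku"].lower() or needle in p["title"].lower()]


def match_products_vulnerable(string, user, check_access=False):
    """Flawed shape: the access filter is a parameter that defaults to off,
    so any caller that forgets it (here, the autocomplete path) leaks."""
    found = _matches(string)
    if check_access:
        found = [p for p in found if product_access_view(user, p)]
    return found


def match_products_fixed(string, user):
    """Hardened shape: the filter is unconditional; there is no way to
    request an unfiltered list from a web-reachable code path."""
    return [p for p in _matches(string) if product_access_view(user, p)]


def autocomplete_vulnerable(string, user):
    """Models the autocomplete callback: note it never passes check_access."""
    return json.dumps({f'{p["title"]} [{p["sku"]}]': p["sku"]
                       for p in match_products_vulnerable(string, user)})


def autocomplete_fixed(string, user):
    return json.dumps({f'{p["title"]} [{p["sku"]}]': p["sku"]
                       for p in match_products_fixed(string, user)})


def visible_skus(autocomplete_json):
    """Helper for inspecting what a given caller was actually served."""
    return sorted(json.loads(autocomplete_json).values())


if __name__ == "__main__":
    anonymous = {"roles": {"anonymous"}}
    print("vulnerable:", visible_skus(autocomplete_vulnerable("tee", anonymous)))
    print("fixed:     ", visible_skus(autocomplete_fixed("tee", anonymous)))
```

The defensive lesson generalises beyond this module: an access check that callers must remember to enable is a check that will eventually be skipped, so it belongs inside the function that produces the data, or in a wrapper that every web-reachable path must go through.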

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • Drupal Commerce 7.x-1.x versions prior to 7.x-1.13.

Drupal core is not affected. If you do not use the contributed Drupal Commerce module, there is nothing you need to do.

Solution

Install the latest version:

Also see the Drupal Commerce project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity


What WhatsApp’s new end-to-end encryption means for you

WhatsApp’s new end-to-end encryption means that the only people who can read your messages are you and the person that you’re chatting with.

Last night, I was chatting with a friend from home via WhatsApp, when a message appeared within my chat informing me that my messages and calls in WhatsApp were now secured with end-to-end encryption.


What is end-to-end encryption?

Think of encryption as a high-tech form of scrambled eggs — when you send messages, make a call, or send photos or videos with the latest version of WhatsApp, your messages are randomly mixed and secured. Only the person receiving your message has the key to unscramble your message so that it can be read. This makes it impossible for hackers, governments and even WhatsApp itself to access any of your messages. In the case that messages are intercepted by criminals or authorities, encryption renders messages unreadable to the unauthorized viewers.

Check out faraday v1.0.18! New CLI mode, Jira support & bug fixes!

Posted by Francisco Amato on Apr 06

Today we are happy to announce that Faraday v1.0.18 is ready!

A short iteration, filled with small powerups – brand new CLI mode
allows you to process reports in batch, new helpers and plugin fixes.

We know that our users rely on a lot of different systems and
solutions and we want to integrate Faraday in that workflow. In that
order we added the ability to easily export data into a JIRA
installation, allowing users to share the findings…

MeshCMS 3.6 – Multiple vulnerabilities

Posted by xiong piaox on Apr 06

Exploit Title: MeshCMS 3.6 – Multiple vulnerabilities

Date: 2016-04-03

Exploit Author: piaox xiong(xiongyaofu351 () pingan com cn)

Vendor Homepage: http://www.cromoteca.com/en/meshcms/

Software Link: http://www.cromoteca.com/en/meshcms/download/

Version: 3.6

Tested on: Windows OS

#############

Application Description:

MeshCMS is an online editing system written in Java. It provides a set of
features usually included in a CMS, but it…

Fireware XTM Web UI – Open Redirect

Posted by Manuel Mancera on Apr 06

================================================================
Fireware XTM Web UI – Open Redirect
================================================================

Information
--------------------
Name: Fireware XTM Web UI – Open Redirect
Affected Software : Fireware XTM Web UI
Affected Versions: < 11.10.7
Vendor Homepage : http://www.watchguard.com/
Vulnerability Type : Open Redirect
Severity : Low
CVE: n/a

Product
--------------------…

hardwear.io CFP 2016 – Hardware Security Conference Call for Papers

Posted by Hardwear Team on Apr 06

Dear Hackers and Security Gurus,

hardwear.io is seeking innovative research on hardware security. If you
have done interesting research on attacks or mitigation on any
Hardware and want to showcase it to the security community, just
submit your research paper. Please find all the relevant details for
the submission below.

About hardwear.io
----------------------------
hardwear.io Security Conference is a platform for hardware and
security…

Panda Security Multiple Business Products – Privilege Escalation

Posted by Kyriakos Economou on Apr 06

* CVE: CVE-2016-3943
* Vendor: Panda Security
* Reported by: Kyriakos Economou
* Date of Release: 05/04/2016
* Affected Products: Multiple
* Affected Version: Panda Endpoint Administration Agent < v7.50.00
* Fixed Version: Panda Endpoint Administration Agent v7.50.00

Description:
Panda Endpoint Administration Agent v7.30.2 allows a local attacker to elevate his privileges from any account type
(Guest included) and execute code as SYSTEM,…

Panda Security 2016 Home User Products – Privilege Escalation

Posted by Kyriakos Economou on Apr 06

* CVE: CVE-2015-7378
* Vendor: Panda Security
* Reported by: Kyriakos Economou
* Date of Release: 05/04/2016
* Affected Products: Multiple
* Affected Version: Panda Security URL Filtering < v4.3.1.9
* Fixed Version: Panda Security URL Filtering v4.3.1.9

Description:
All Panda Security 2016 Home User products for Windows are vulnerable to privilege escalation, which allows a local
attacker to execute code as SYSTEM from any account (Guest…

CVE-2016-3672 – Unlimiting the stack no longer disables ASLR

Posted by Hector Marco-Gisbert on Apr 06

Hi everyone,

We have fixed an old and very known weakness in the Linux ASLR implementation.

The weakness allowed any user able to run 32-bit applications on an x86
machine to disable ASLR by setting the RLIMIT_STACK resource to unlimited.

This is a very old trick to disable ASLR, but unfortunately it was still present
in current Linux systems.

Details at:…
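On a kernel without the fix described in the post, a process started with an unlimited stack resource limit is the condition that defeats the randomisation, so an inventory of which processes run with `RLIMIT_STACK` set to unlimited, together with the `kernel.randomize_va_space` sysctl, is a useful check while hosts are still being patched. The script below is an added example and not part of the post: it parses the `/proc/<pid>/limits` table format and the sysctl value, and runs here on constructed sample text rather than a live `/proc`.

```python
import re

# Constructed /proc/<pid>/limits excerpts: pid 1234 was started with
# `ulimit -s unlimited`, pid 5678 has the usual 8 MiB soft stack limit.
SAMPLE_LIMITS = {
    1234: (
        "Limit                     Soft Limit           Hard Limit           Units     \n"
        "Max cpu time              unlimited            unlimited            seconds   \n"
        "Max stack size            unlimited            unlimited            bytes     \n"
        "Max open files            1024                 4096                 files     \n"
        "Max nice priority         0                    0                    \n"
    ),
    5678: (
        "Limit                     Soft Limit           Hard Limit           Units     \n"
        "Max stack size            8388608              unlimited            bytes     \n"
        "Max open files            1024                 4096                 files     \n"
    ),
}


def parse_proc_limits(text):
    """Parse the /proc/<pid>/limits table into {resource: (soft, hard)}.
    Columns are separated by runs of two or more spaces; resource names
    themselves contain single spaces ("Max stack size")."""
    limits = {}
    for line in text.splitlines():
        parts = re.split(r"\s{2,}", line.strip())
        if len(parts) >= 3 and parts[0].startswith("Max "):
            limits[parts[0]] = (parts[1], parts[2])
    return limits


def stack_is_unlimited(limits):
    """True when the effective (soft) stack limit is unlimited; the soft
    limit is the one a process, or its parent shell, can raise freely up to
    the hard limit."""
    soft, _hard = limits.get("Max stack size", ("", ""))
    return soft == "unlimited"


def find_unlimited_stack(limits_by_pid):
    """Return the sorted pids whose soft stack limit is unlimited."""
    return sorted(pid for pid, text in limits_by_pid.items()
                  if stack_is_unlimited(parse_proc_limits(text)))


def aslr_enabled(randomize_va_space):
    """Interpret /proc/sys/kernel/randomize_va_space: 0 disables ASLR,
    1 randomises stack, mmap base and vDSO, 2 additionally randomises brk."""
    return randomize_va_space.strip() in ("1", "2")


def read_live_limits():
    """Collect /proc/<pid>/limits for every readable process on a real host
    (only used when run directly; the assertions use SAMPLE_LIMITS)."""
    import os
    out = {}
    for entry in os.listdir("/proc"):
        if entry.isdigit():
            try:
                with open(f"/proc/{entry}/limits") as fh:
                    out[int(entry)] = fh.read()
            except OSError:
                continue            # process exited or not readable
    return out


if __name__ == "__main__":
    print("unlimited-stack pids in sample:", find_unlimited_stack(SAMPLE_LIMITS))
    try:
        with open("/proc/sys/kernel/randomize_va_space") as fh:
            print("ASLR enabled:", aslr_enabled(fh.read()))
        print("unlimited-stack pids on this host:",
              find_unlimited_stack(read_live_limits()))
    except OSError:
        print("no /proc on this host; sample data only")
```

The soft limit is the relevant one because that is what `ulimit -s unlimited` in a parent shell sets; a process whose soft limit is unlimited but whose hard limit is not is still flagged, which is the right conservative choice for an inventory.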