Scald File – Critical – Remote Code Execution – SA-CONTRIB-2016-015

Description

When a PDF is uploaded through Scald File, the module runs external tools, if they are installed on the server, to try to generate a thumbnail from that PDF.

This vulnerability is mitigated by the fact that an attacker must have sufficient permissions to upload a file in Scald, and at least one of the thumbnail creation tools (pdfdraw, convert or mudraw) must be installed on the server.
It is also partially mitigated by using the Transliteration module on uploaded files, because that module rewrites uploaded file names before they reach the rest of the system.
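The advisory does not spell out how the uploaded file reaches the thumbnail tools. The following is an added example, not Scald File's own code, written in Python rather than Drupal's PHP so that it runs stand-alone: it assumes, consistently with the Transliteration mitigation above, that the uploaded file name is spliced into a shell command line. `echo` stands in for `convert`, and the file names are constructed for the demonstration. It shows the vulnerable pattern, the argv-list form that does not involve a shell at all, and the quoted form (`shlex.quote()` here plays the role PHP's `escapeshellarg()` plays in a Drupal module).

```python
import shlex
import subprocess

# Constructed sample file names for the demonstration (not taken from the advisory).
BENIGN_NAME = "report.pdf"
MALICIOUS_NAME = "report.pdf'; echo INJECTED; echo '"


def unsafe_command(pdf_name):
    """Vulnerable pattern: the uploaded file name is spliced into a shell string.

    'echo' stands in for the real thumbnailer (convert/pdfdraw/mudraw) so the
    example runs on any host with /bin/sh and no imaging tools installed.
    """
    return "echo convert '%s[0]' thumb.png" % pdf_name


def run_unsafe(pdf_name):
    """Run the interpolated string through the shell, as a shell_exec() call would."""
    result = subprocess.run(unsafe_command(pdf_name), shell=True,
                            capture_output=True, text=True)
    return result.stdout


def run_safe(pdf_name):
    """Hardened: pass an argv list with no shell, so the name is exactly one argument."""
    result = subprocess.run(["echo", "convert", pdf_name + "[0]", "thumb.png"],
                            capture_output=True, text=True)
    return result.stdout


def run_quoted(pdf_name):
    """If a shell string is unavoidable, quote the argument before splicing it in.

    shlex.quote() is the Python equivalent of PHP's escapeshellarg().
    """
    cmd = "echo convert %s thumb.png" % shlex.quote(pdf_name + "[0]")
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return result.stdout


def injected(output):
    """True if the sample payload's extra command actually ran."""
    return "INJECTED" in output.splitlines()


if __name__ == "__main__":
    print("unsafe:", repr(run_unsafe(MALICIOUS_NAME)))   # the payload's echo runs
    print("safe:  ", repr(run_safe(MALICIOUS_NAME)))     # the name is printed literally
    print("quoted:", repr(run_quoted(MALICIOUS_NAME)))   # identical to the safe form
```

With the malicious name the unsafe form prints an extra `INJECTED` line, showing that a second command ran; both hardened forms print the file name as one literal argument. Note that renaming uploaded files (the Transliteration mitigation) removes the dangerous characters before the command is built, but quoting or an argv list is the actual fix.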

CVE identifier(s) issued

  • A CVE identifier will be requested, and added upon issuance, in accordance with Drupal Security Team processes.

Versions affected

  • Scald File module 7.x-1.x versions prior to 7.x-1.2.

Drupal core is not affected. If you do not use the contributed Scald File Provider module, there is nothing you need to do.

Solution

Install the latest version: if you use the Scald File module for Drupal 7.x, upgrade to Scald File 7.x-1.2 or later.

Also see the Scald File Provider project page.

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at https://www.drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Follow the Drupal Security Team on Twitter at https://twitter.com/drupalsecurity

[CORE-2016-0004] – SAP Download Manager Password Weak Encryption

Posted by CORE Advisories Team on Mar 09

1. Advisory Information

Title: SAP Download Manager Password Weak Encryption
Advisory ID: CORE-2016-0004
Advisory URL: http://www.coresecurity.com/advisories/sap-download-manager-password-weak-encryption
Date published: 2016-03-08
Date of last update: 2016-03-07
Vendors contacted: SAP
Release mode: Coordinated release

2. Vulnerability Information

Class: Storing Passwords in a Recoverable Format [CWE-257]
Impact: Information leak
Remotely…

[CORE-2016-0003] – Samsung SW Update Tool MiTM

Posted by CORE Advisories Team on Mar 09

1. Advisory Information

Title: Samsung SW Update Tool MiTM
Advisory ID: CORE-2016-0003
Advisory URL: http://www.coresecurity.com/advisories/samsung-sw-update-tool-mitm
Date published: 2016-03-07
Date of last update: 2016-03-04
Vendors contacted: Samsung
Release mode: Coordinated release

2. Vulnerability Information

Class: Cleartext Transmission of Sensitive Information [CWE-319], Insufficient Verification of Data Authenticity [CWE-345]…

Re: Windows Mail Find People DLL side loading vulnerability

Posted by Securify B.V. on Mar 09

Hi Stefan,

See below.

They still use LoadLibrary() to load wab32res.dll. Previously, they
fetched a path from HKLM\Software\Microsoft\WAB\DLLPath and appended
wab32res.dll to the result, which was fed into LoadLibrary().

With MS16-025 they sanitize DLLPath using PathRemoveFileSpec(). By
default DLLPath is set to %CommonProgramFiles%\System\wab32.dll, and
PathRemoveFileSpec() removes wab32.dll from the path. They also call…

Mandos Encrypted File System Unattended Reboot Utility 1.7.5

The Mandos system allows computers to have encrypted root file systems and at the same time be capable of remote or unattended reboots. The computers run a small client program in the initial RAM disk environment which will communicate with a server over a network. All network communication is encrypted using TLS. The clients are identified by the server using an OpenPGP key that is unique to each client. The server sends the clients an encrypted password. The encrypted password is decrypted by the clients using the same OpenPGP key, and the password is then used to unlock the root file system.

Ubuntu Security Notice USN-2917-1

Ubuntu Security Notice 2917-1 – Francis Gabriel discovered a buffer overflow during ASN.1 decoding in NSS. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit this to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. Bob Clary, Christoph Diehl, Christian Holler, Andrew McCreight, Daniel Holbert, Jesse Ruderman, Randell Jesup, Carsten Book, Gian-Carlo Pascutto, Tyson Smith, Andrea Marchesini, and Jukka Jylanki discovered multiple memory safety issues in Firefox. If a user were tricked into opening a specially crafted website, an attacker could potentially exploit these to cause a denial of service via application crash, or execute arbitrary code with the privileges of the user invoking Firefox. Various other issues were also addressed.
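The notice only says the overflow occurs during ASN.1 decoding, so the following is an added example of the class of check such decoders need, not NSS code and not a reproduction of the fixed bug. It is a minimal DER tag-length-value reader in Python that validates every length field against the bytes actually remaining before anything is sliced out, and rejects non-minimal and indefinite lengths as DER requires. The sample encodings are constructed for the example.

```python
# Constructed inputs (not from the NSS bug report or any real certificate):
GOOD = bytes.fromhex("30 07 02 01 05 04 02 61 62")     # SEQUENCE { INTEGER 5, OCTET STRING "ab" }
BAD_SHORT_FORM = bytes.fromhex("30 7f 02 01 05")       # claims 127 bytes, only 3 follow
BAD_LONG_FORM = bytes.fromhex("30 84 ff ff ff ff 02")  # long form claiming ~4 GiB
BAD_INNER = bytes.fromhex("30 03 04 05 61")            # outer length fine, inner overruns


class DerError(ValueError):
    """Raised for any malformed encoding; callers must treat the input as invalid."""


def read_tlv(buf, offset=0):
    """Decode one DER tag-length-value at buf[offset:].

    Returns (tag, value, next_offset). Every read is checked against len(buf)
    before it happens, and the declared length is checked against the bytes
    that actually remain before the value is sliced out.
    """
    if offset >= len(buf):
        raise DerError("missing tag byte")
    tag = buf[offset]
    offset += 1
    if offset >= len(buf):
        raise DerError("missing length byte")
    first = buf[offset]
    offset += 1
    if first < 0x80:
        length = first                                   # short form
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise DerError("indefinite or oversized length field")
        if offset + n > len(buf):
            raise DerError("length field truncated")
        if buf[offset] == 0 or (n == 1 and buf[offset] < 0x80):
            raise DerError("non-minimal length encoding")   # forbidden in DER
        length = int.from_bytes(buf[offset:offset + n], "big")
        offset += n
    # The check whose absence turns a crafted length into an over-read:
    # the declared length must fit in the input that remains.
    if length > len(buf) - offset:
        raise DerError("declared length %d exceeds %d remaining bytes"
                       % (length, len(buf) - offset))
    return tag, buf[offset:offset + length], offset + length


def parse_sequence(buf):
    """Parse a top-level SEQUENCE into a list of (tag, value) children."""
    tag, body, end = read_tlv(buf)
    if tag != 0x30:
        raise DerError("expected SEQUENCE tag 0x30, got 0x%02x" % tag)
    if end != len(buf):
        raise DerError("trailing bytes after SEQUENCE")
    children = []
    off = 0
    while off < len(body):
        # body is already bounded, so nested lengths are checked against it
        child_tag, value, off = read_tlv(body, off)
        children.append((child_tag, value))
    return children


def is_wellformed(buf):
    """Convenience wrapper: True only if the whole input decodes cleanly."""
    try:
        parse_sequence(buf)
        return True
    except DerError:
        return False


if __name__ == "__main__":
    print(parse_sequence(GOOD))
    for sample in (BAD_SHORT_FORM, BAD_LONG_FORM, BAD_INNER):
        print(sample.hex(), "wellformed:", is_wellformed(sample))
```

In a memory-unsafe decoder the same declared length would drive a copy or pointer advance, which is why the comparison against the remaining input has to happen before any access, not after; slicing a Python `bytes` object merely truncates, so the explicit check is what makes the malformed inputs fail loudly instead of silently.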