
SB14-216: Vulnerability Summary for the Week of July 28, 2014

Original release date: August 04, 2014

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division into high, medium, and low severities corresponds to the following scores:

  • High – Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 – 10.0

  • Medium – Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 – 6.9

  • Low – Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 – 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

High Vulnerabilities

| Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info |
| --- | --- | --- | --- | --- |
| apple — quicktime | Apple QuickTime allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a malformed version number and flags in an mvhd atom. | 2014-07-26 | 9.3 | CVE-2014-4979 MISC |
| codeaurora — android-msm | The kgsl graphics driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not properly prevent write access to IOMMU context registers, which allows local users to select a custom page table, and consequently write to arbitrary memory locations, by using a crafted GPU command stream to modify the contents of a certain register. | 2014-08-01 | 7.2 | CVE-2014-0972 |
| fonality — trixbox | SQL injection vulnerability in maint/modules/endpointcfg/endpoint_generic.php in Fonality trixbox allows remote attackers to execute arbitrary SQL commands via the mac parameter in a Submit action. | 2014-07-28 | 7.5 | CVE-2014-5109 XF MISC |
| fonality — trixbox | maint/modules/home/index.php in Fonality trixbox allows remote attackers to execute arbitrary commands via shell metacharacters in the lang parameter. | 2014-07-28 | 7.5 | CVE-2014-5112 MISC |
| h3c — secbladefw | Unspecified vulnerability in HP and H3C VPN Firewall Module products SECPATH1000FE before 5.20.R3177 and SECBLADEFW before 5.20.R3177 allows remote attackers to cause a denial of service via unknown vectors. | 2014-07-28 | 7.8 | CVE-2013-4840 |
| hp — network_virtualization | Directory traversal vulnerability in the storedNtxFile function in HP Network Virtualization 8.6 (aka Shunra Network Virtualization) allows remote attackers to read arbitrary files via crafted input, aka ZDI-CAN-2023. | 2014-07-26 | 8.5 | CVE-2014-2625 MISC |
| hp — network_virtualization | Directory traversal vulnerability in the toServerObject function in HP Network Virtualization 8.6 (aka Shunra Network Virtualization) allows remote attackers to create files, and consequently execute arbitrary code, via crafted input, aka ZDI-CAN-2024. | 2014-07-26 | 9.4 | CVE-2014-2626 MISC |
| ibm — websphere_portal | SQL injection vulnerability in the Unified Task List (UTL) Portlet for IBM WebSphere Portal 7.x and 8.x through 8.0.0.1 CF12 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | 2014-07-29 | 7.5 | CVE-2014-3055 XF AIXAPAR |
| linux — linux_kernel | arch/s390/kernel/ptrace.c in the Linux kernel before 3.15.8 on the s390 platform does not properly restrict address-space control operations in PTRACE_POKEUSR_AREA requests, which allows local users to obtain read and write access to kernel memory locations, and consequently gain privileges, via a crafted application that makes a ptrace system call. | 2014-08-01 | 7.2 | CVE-2014-3534 CONFIRM CONFIRM |
| mailpoet — mailpoet_newsletters | The MailPoet Newsletters (wysija-newsletters) plugin before 2.6.7 for WordPress allows remote attackers to bypass authentication and execute arbitrary PHP code by uploading a crafted theme using wp-admin/admin-post.php and accessing the theme in wp-content/uploads/wysija/themes/mailp/. | 2014-07-27 | 7.5 | CVE-2014-4725 MLIST MISC MISC MISC MISC |
| mailpoet — mailpoet_newsletters | Unspecified vulnerability in the MailPoet Newsletters (wysija-newsletters) plugin before 2.6.8 for WordPress has unspecified impact and attack vectors. | 2014-07-27 | 7.5 | CVE-2014-4726 MLIST |
| microsoft — windows_xp | Microsoft Windows XP SP3 does not validate addresses in certain IRP handler routines, which allows local users to write data to arbitrary memory locations, and consequently gain privileges, via a crafted address in an IOCTL call, related to (1) the MQAC.sys driver in the MQ Access Control subsystem and (2) the BthPan.sys driver in the Bluetooth Personal Area Networking subsystem. | 2014-07-26 | 7.2 | CVE-2014-4971 MISC MISC FULLDISC FULLDISC |
| moodle — moodle | The Repositories component in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to conduct PHP object injection attacks and execute arbitrary code via serialized data associated with an add-on. | 2014-07-29 | 7.5 | CVE-2014-3541 MLIST |
| morpho — itemiser_3 | Morpho Itemiser 3 8.17 has hardcoded administrative credentials, which makes it easier for remote attackers to obtain access via a login request. | 2014-07-26 | 10.0 | CVE-2014-2363 MISC |
| ol-commerce_project — ol-commerce | Multiple SQL injection vulnerabilities in ol-commerce 2.1.1 allow remote attackers to execute arbitrary SQL commands via the (1) a_country parameter in a process action to affiliate_signup.php, (2) affiliate_banner_id parameter to affiliate_show_banner.php, (3) country parameter in a process action to create_account.php, or (4) entry_country_id parameter in an edit action to admin/create_account.php. | 2014-07-28 | 7.5 | CVE-2014-5104 BID MISC |
| sabreairlinesolutions — crew_management | Multiple SQL injection vulnerabilities in CWPLogin.aspx in Sabre AirCentre Crew products 2010.2.12.20008 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) username or (2) password field. | 2014-07-26 | 7.5 | CVE-2014-4858 |
| sap — solution_manager | The License Measurement servlet in SAP Solution Manager 7.1 allows remote attackers to bypass authentication via unspecified vectors, related to a verb tampering attack and SAP_JTECHS. | 2014-07-31 | 7.5 | CVE-2014-5175 CONFIRM XF BID MISC FULLDISC CONFIRM |
| vbulletin — vbulletin | SQL injection vulnerability in vBulletin 5.0.4 through 5.1.3 Alpha 5 allows remote attackers to execute arbitrary SQL commands via the criteria[startswith] parameter to ajax/render/memberlist_items. | 2014-07-25 | 7.5 | CVE-2014-5102 MISC MISC |
| webidsupport — webid | WeBid 1.1.1 allows remote attackers to conduct an LDAP injection attack via the (1) js or (2) cat parameter. | 2014-07-29 | 7.5 | CVE-2014-5114 BID MISC |


Medium Vulnerabilities

| Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info |
| --- | --- | --- | --- | --- |
| aas9 — zerocms | Cross-site scripting (XSS) vulnerability in zero_user_account.php in ZeroCMS 1.0 allows remote attackers to inject arbitrary web script or HTML via the Full Name field. | 2014-07-29 | 4.3 | CVE-2014-4710 MISC EXPLOIT-DB |
| acmailer — acmailer | Multiple cross-site request forgery (CSRF) vulnerabilities in CGI programs in Seeds acmailer before 3.8.17 and 3.9.x before 3.9.10 Beta allow remote attackers to hijack the authentication of arbitrary users for requests that modify or delete data, as demonstrated by modifying data affecting authorization. | 2014-07-29 | 6.8 | CVE-2014-3896 CONFIRM JVNDB JVN |
| apple — cups | The web interface in CUPS before 2.0 does not check that files have world-readable permissions, which allows remote attackers to obtain sensitive information via unspecified vectors. | 2014-07-29 | 5.0 | CVE-2014-5031 MLIST MLIST DEBIAN SECUNIA |
| cairographics — cairo | The cairo_image_surface_get_data function in Cairo 1.10.2, as used in GTK+ and Wireshark, allows context-dependent attackers to cause a denial of service (NULL pointer dereference) via a large string. | 2014-07-29 | 5.0 | CVE-2014-5116 CONFIRM OSVDB EXPLOIT-DB |
| caucho — resin | The ISO-8859-1 encoder in Resin Pro before 4.0.40 does not properly perform Unicode transformations, which allows remote attackers to bypass intended text restrictions via crafted characters, as demonstrated by bypassing an XSS protection mechanism. | 2014-07-26 | 5.0 | CVE-2014-2966 |
| cisco — webex_meetings_server | The ProfileAction controller in Cisco WebEx Meetings Server (CWMS) 1.5(.1.131) and earlier allows remote attackers to obtain sensitive information by reading stack traces in returned messages, aka Bug ID CSCuj81700. | 2014-07-26 | 5.0 | CVE-2014-3301 |
| cisco — webex_meetings_server | user.php in Cisco WebEx Meetings Server 1.5(.1.131) and earlier does not properly implement the token timer for authenticated encryption, which allows remote attackers to obtain sensitive information via a crafted URL, aka Bug ID CSCuj81708. | 2014-08-01 | 5.8 | CVE-2014-3302 |
| cisco — webex_meetings_server | The web framework in Cisco WebEx Meetings Server does not properly restrict the content of query strings, which allows remote attackers to obtain sensitive information by reading (1) web-server access logs, (2) web-server Referer logs, or (3) the browser history, aka Bug ID CSCuj81713. | 2014-07-28 | 4.0 | CVE-2014-3303 |
| cisco — webex_meetings_server | The OutlookAction Class in Cisco WebEx Meetings Server allows remote attackers to enumerate user accounts by entering crafted URLs and examining the returned messages, aka Bug ID CSCuj81722. | 2014-07-28 | 5.0 | CVE-2014-3304 |
| cisco — webex_meetings_server | Cross-site request forgery (CSRF) vulnerability in the web framework in Cisco WebEx Meetings Server 1.5(.1.131) and earlier allows remote attackers to hijack the authentication of unspecified victims via unknown vectors, aka Bug ID CSCuj81735. | 2014-07-26 | 6.8 | CVE-2014-3305 |
| cisco — telepresence_server_software | Multiple cross-site scripting (XSS) vulnerabilities in the login page in the administrative web interface in Cisco TelePresence Server Software 4.0(2.8) allow remote attackers to inject arbitrary web script or HTML via a crafted parameter, aka Bug ID CSCup90060. | 2014-07-26 | 4.3 | CVE-2014-3324 |
| cisco — security_manager | SQL injection vulnerability in the web framework in Cisco Security Manager 4.5 and 4.6 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors, aka Bug ID CSCup26957. | 2014-07-26 | 6.5 | CVE-2014-3326 |
| cisco — unified_presence_server | The Intercluster Sync Agent Service in Cisco Unified Presence Server allows remote attackers to cause a denial of service via a TCP SYN flood, aka Bug ID CSCun34125. | 2014-07-26 | 5.0 | CVE-2014-3328 |
| cisco — prime_data_center_network_manager | Cross-site scripting (XSS) vulnerability in the web-server component in Cisco Prime Data Center Network Manager (DCNM) 6.3(2) and earlier allows remote attackers to inject arbitrary web script or HTML via a crafted URL, aka Bug ID CSCum86620. | 2014-07-29 | 4.3 | CVE-2014-3329 |
| concrete5 — concrete5 | concrete5 before 5.6.3 allows remote attackers to obtain the installation path via a direct request to (1) system/basics/editor.php, (2) system/view.php, (3) system/environment/file_storage_locations.php, (4) system/mail/importers.php, (5) system/mail/method.php, (6) system/permissions/file_types.php, (7) system/permissions/files.php, (8) system/permissions/tasks.php, (9) system/permissions/users.php, (10) system/seo/view.php, (11) view.php, (12) users/attributes.php, (13) scrapbook/view.php, (14) pages/attributes.php, (15) files/attributes.php, or (16) files/search.php in single_pages/dashboard/. | 2014-07-28 | 5.0 | CVE-2014-5107 BID MISC OSVDB |
| concrete5 — concrete5 | Cross-site scripting (XSS) vulnerability in single_pagesdownload_file.php in concrete5 before 5.6.3 allows remote attackers to inject arbitrary web script or HTML via the HTTP Referer header to index.php/download_file. | 2014-07-28 | 4.3 | CVE-2014-5108 BID MISC OSVDB |
| dirphp_project — dirphp | Absolute path traversal vulnerability in DirPHP 1.0 allows remote attackers to read arbitrary files via a full pathname in the phpfile parameter to index.php. | 2014-07-29 | 5.0 | CVE-2014-5115 EXPLOIT-DB |
| elasticsearch — elasticsearch | The default configuration in Elasticsearch before 1.2 enables dynamic scripting, which allows remote attackers to execute arbitrary MVEL expressions and Java code via the source parameter to _search. NOTE: this only violates the vendor's intended security policy if the user does not run Elasticsearch in its own independent virtual machine. | 2014-07-28 | 6.8 | CVE-2014-3120 MISC BID MISC OSVDB EXPLOIT-DB MISC |
| fonality — trixbox | Cross-site scripting (XSS) vulnerability in user/help/html/index.php in Fonality trixbox allows remote attackers to inject arbitrary web script or HTML via the id_nodo parameter. | 2014-07-28 | 4.3 | CVE-2014-5110 XF MISC |
| fonality — trixbox | Multiple directory traversal vulnerabilities in Fonality trixbox allow remote attackers to read arbitrary files via a .. (dot dot) in the lang parameter to (1) home/index.php, (2) asterisk_info/asterisk_info.php, (3) repo/repo.php, or (4) endpointcfg/endpointcfg.php in maint/modules/. | 2014-07-28 | 5.0 | CVE-2014-5111 MISC |
| gnu — glibc | Multiple directory traversal vulnerabilities in GNU C Library (aka glibc or libc6) before 2.20 allow context-dependent attackers to bypass ForceCommand restrictions and possibly have other unspecified impact via a .. (dot dot) in a (1) LC_*, (2) LANG, or other locale environment variable. | 2014-07-29 | 6.8 | CVE-2014-0475 CONFIRM SECTRACK MLIST MLIST DEBIAN |
| gurock — testrail | Cross-site scripting (XSS) vulnerability in Gurock TestRail before 3.1.3 allows remote attackers to inject arbitrary web script or HTML via the Created By field in a project activity. | 2014-07-26 | 4.3 | CVE-2014-4857 |
| homepage_decorator_perlmailer_project — homepage_decorator_perlmailer | Cross-site scripting (XSS) vulnerability in Homepage Decorator PerlMailer 3.10 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 2014-07-29 | 4.3 | CVE-2014-3897 JVNDB JVN |
| hp — nonstop_netbatch | Unspecified vulnerability in HP NonStop NetBatch G06.14 through G06.32.01, H06 through H06.28, and J06 through J06.17.01 allows remote authenticated users to gain privileges for NetBatch job execution via unknown vectors. | 2014-08-01 | 5.2 | CVE-2014-2627 |
| hp — data_protector | ** DISPUTED ** Multiple directory traversal vulnerabilities in crs.exe in the Cell Request Service in HP Data Protector allow remote attackers to create arbitrary files via an opcode-1091 request, or create or delete arbitrary files via an opcode-305 request. NOTE: the vendor reportedly asserts that this behavior is "by design." | 2014-08-01 | 6.4 | CVE-2014-5160 MISC MISC |
| ibm — atlas_ediscovery_process_management | Multiple cross-site scripting (XSS) vulnerabilities in IBM Atlas Suite (aka Atlas Policy Suite), as used in Atlas eDiscovery Process Management through 6.0.3, Disposal and Governance Management for IT through 6.0.3, and Global Retention Policy and Schedule Management through 6.0.3, allow remote attackers to inject arbitrary web script or HTML via unspecified parameters. | 2014-07-29 | 4.3 | CVE-2014-0889 XF CONFIRM |
| ibm — rational_software_architect_design_manager | Unspecified vulnerability in the server in IBM Rational Software Architect Design Manager 4.0.6 allows remote authenticated users to execute arbitrary code via a crafted update site. | 2014-07-30 | 6.5 | CVE-2014-0947 XF |
| ibm — rational_software_architect_design_manager | Unspecified vulnerability in IBM Rational Software Architect Design Manager and Rational Rhapsody Design Manager 3.x and 4.x before 4.0.7 allows remote authenticated users to execute arbitrary code via a crafted ZIP archive. | 2014-07-30 | 6.0 | CVE-2014-0948 XF |
| ibm — embedded_websphere_application_server | install.sh in the Embedded WebSphere Application Server (eWAS) 7.0 before FP33 in IBM Tivoli Integrated Portal (TIP) 2.1 and 2.2 sets world-writable permissions for the installRoot directory tree, which allows local users to gain privileges via a Trojan horse program. | 2014-07-29 | 6.9 | CVE-2014-3020 XF |
| ibm — websphere_portal | Multiple open redirect vulnerabilities in the Unified Task List (UTL) Portlet for IBM WebSphere Portal 7.x and 8.x through 8.0.0.1 CF12 allow remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors. | 2014-07-29 | 5.8 | CVE-2014-3054 XF AIXAPAR |
| ibm — websphere_portal | The Unified Task List (UTL) Portlet for IBM WebSphere Portal 7.x and 8.x through 8.0.0.1 CF12 allows remote attackers to obtain potentially sensitive information about environment variables and JAR versions via unspecified vectors. | 2014-07-29 | 5.0 | CVE-2014-3056 XF AIXAPAR |
| ibm — websphere_portal | Cross-site scripting (XSS) vulnerability in the Unified Task List (UTL) Portlet for IBM WebSphere Portal 7.x and 8.x through 8.0.0.1 CF12 allows remote attackers to inject arbitrary web script or HTML via a crafted URL. | 2014-07-29 | 4.3 | CVE-2014-3057 XF AIXAPAR |
| ibm — infosphere_information_server | Cross-site scripting (XSS) vulnerability in the Data Quality Console in IBM InfoSphere Information Server 11.3 allows remote attackers to inject arbitrary web script or HTML via a crafted URL for adding a project connection. | 2014-07-26 | 4.3 | CVE-2014-3071 XF |
| ibm — sametime | Cross-site scripting (XSS) vulnerability in the Classic Meeting Server in IBM Sametime 8.x through 8.5.2.1 allows remote attackers to inject arbitrary web script or HTML via a crafted URL. | 2014-07-26 | 4.3 | CVE-2014-4748 XF |
| innominate — mguard_firmware | Innominate mGuard before 7.6.4 and 8.x before 8.0.3 does not require authentication for snapshot downloads, which allows remote attackers to obtain sensitive information via a crafted HTTPS request. | 2014-07-30 | 5.0 | CVE-2014-2356 |
| invisionpower — invision_power_board | Cross-site scripting (XSS) vulnerability in Invision Power IP.Board (aka IPB or Power Board) 3.4.x through 3.4.6 allows remote attackers to inject arbitrary web script or HTML via the HTTP Referer header to admin/install/index.php. | 2014-07-28 | 4.3 | CVE-2014-5106 XF BID BUGTRAQ |
| iodata — ts-ptcam/poe_camera | The I-O DATA TS-WLCAM camera with firmware 1.06 and earlier, TS-WLCAM/V camera with firmware 1.06 and earlier, TS-WPTCAM camera with firmware 1.08 and earlier, TS-PTCAM camera with firmware 1.08 and earlier, TS-PTCAM/POE camera with firmware 1.08 and earlier, and TS-WLC2 camera with firmware 1.02 and earlier allow remote attackers to bypass authentication, and consequently obtain sensitive credential and configuration data, via unspecified vectors. | 2014-07-29 | 6.4 | CVE-2014-3895 JVNDB JVN |
| libndp — libndp | Buffer overflow in the ndp_msg_opt_dnssl_domain function in libndp allows remote routers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted DNS Search List (DNSSL) in an IPv6 router advertisement. | 2014-07-31 | 6.8 | CVE-2014-3554 CONFIRM XF MLIST |
| linux — linux_kernel | The mountpoint_last function in fs/namei.c in the Linux kernel before 3.15.8 does not properly maintain a certain reference count during attempts to use the umount system call in conjunction with a symlink, which allows local users to cause a denial of service (memory consumption or use-after-free) or possibly have unspecified other impact via the umount program. | 2014-08-01 | 6.2 | CVE-2014-5045 CONFIRM MLIST CONFIRM |
| linux — linux_kernel | The sctp_assoc_update function in net/sctp/associola.c in the Linux kernel through 3.15.8, when SCTP authentication is enabled, allows remote attackers to cause a denial of service (NULL pointer dereference and OOPS) by starting to establish an association between two endpoints immediately after an exchange of INIT and INIT ACK chunks to establish an earlier association between these endpoints in the opposite direction. | 2014-08-01 | 5.4 | CVE-2014-5077 MLIST |
| moodle — moodle | mod/lti/service.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to read arbitrary files via an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. | 2014-07-29 | 4.3 | CVE-2014-3542 MLIST |
| moodle — moodle | mod/imscp/locallib.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote attackers to read arbitrary files via a package with a manifest file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue affecting IMSCP resources and the IMSCC format. | 2014-07-29 | 4.3 | CVE-2014-3543 MLIST |
| moodle — moodle | Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote authenticated users to execute arbitrary code via a calculated question in a quiz. | 2014-07-29 | 6.0 | CVE-2014-3545 MLIST |
| moodle — moodle | Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 does not enforce certain capability requirements in (1) notes/index.php and (2) user/edit.php, which allows remote attackers to obtain potentially sensitive username and course information via a modified URL. | 2014-07-29 | 5.0 | CVE-2014-3546 MLIST |
| moodle — moodle | Multiple cross-site scripting (XSS) vulnerabilities in badges/renderer.php in Moodle 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allow remote attackers to inject arbitrary web script or HTML via an external badge. | 2014-07-29 | 4.3 | CVE-2014-3547 MLIST |
| moodle — moodle | Multiple cross-site scripting (XSS) vulnerabilities in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allow remote attackers to inject arbitrary web script or HTML via vectors that trigger an AJAX exception dialog. | 2014-07-29 | 4.3 | CVE-2014-3548 MLIST |
| moodle — moodle | Cross-site scripting (XSS) vulnerability in the get_description function in lib/classes/event/user_login_failed.php in Moodle 2.7.x before 2.7.1 allows remote attackers to inject arbitrary web script or HTML via a crafted username that is improperly handled during the logging of an invalid login attempt. | 2014-07-29 | 4.3 | CVE-2014-3549 MLIST |
| moodle — moodle | Multiple cross-site scripting (XSS) vulnerabilities in admin/tool/task/scheduledtasks.php in Moodle 2.7.x before 2.7.1 allow remote attackers to inject arbitrary web script or HTML via vectors that trigger a crafted (1) error or (2) success message for a scheduled task. | 2014-07-29 | 4.3 | CVE-2014-3550 MLIST |
| moodle — moodle | The Shibboleth authentication plugin in auth/shibboleth/index.php in Moodle through 2.3.11, 2.4.x before 2.4.11, and 2.5.x before 2.5.7 does not check whether a session ID is empty, which allows remote authenticated users to hijack sessions via crafted plugin interaction. | 2014-07-29 | 6.0 | CVE-2014-3552 MLIST |
| moodle — moodle | mod/forum/classes/post_form.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 does not enforce the moodle/site:accessallgroups capability requirement before proceeding with a post to all groups, which allows remote authenticated users to bypass intended access restrictions by leveraging two or more group memberships. | 2014-07-29 | 4.9 | CVE-2014-3553 MLIST |
| netty_project — netty | The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message. | 2014-07-31 | 5.0 | CVE-2014-3488 CONFIRM SECUNIA |
| ol-commerce_project — ol-commerce | Multiple cross-site scripting (XSS) vulnerabilities in ol-commerce 2.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) a_country parameter in a process action to affiliate_signup.php or (2) entry_country_id parameter in an edit action to admin/create_account.php. | 2014-07-28 | 4.3 | CVE-2014-5105 BID MISC |
| omeka — omeka | Multiple cross-site request forgery (CSRF) vulnerabilities in Omeka before 2.2.1 allow remote attackers to hijack the authentication of administrators for requests that (1) add a new super user account via a request to admin/users/add, (2) insert cross-site scripting (XSS) sequences via the api_key_label parameter to admin/users/api-keys/1, or (3) disable file validation via a request to admin/settings/edit-security. | 2014-07-25 | 6.8 | CVE-2014-5100 XF XF MISC MISC BID EXPLOIT-DB MISC |
| reviewboard — review_board | Cross-site scripting (XSS) vulnerability in Review Board 1.7.x before 1.7.27 and 2.0.x before 2.0.4 allows remote attackers to inject arbitrary web script or HTML via a query parameter to a diff fragment page. | 2014-07-25 | 4.3 | CVE-2014-5027 BID MLIST MLIST |
| sap — hana | Multiple cross-site scripting (XSS) vulnerabilities in the XS Administration Tools in SAP HANA allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 2014-07-31 | 4.3 | CVE-2014-5172 CONFIRM XF BID BUGTRAQ MISC FULLDISC CONFIRM MISC |
| sap — hana_extend_application_services | SAP HANA Extend Application Services (XS) allows remote attackers to bypass access restrictions via a request to a private IU5 SDK application that was once public. | 2014-07-31 | 5.0 | CVE-2014-5173 CONFIRM XF BUGTRAQ FULLDISC CONFIRM MISC |
| sap — fi_manager_self-service | SAP FI Manager Self-Service has a hard-coded user name, which makes it easier for remote attackers to obtain access via unspecified vectors. | 2014-07-31 | 6.0 | CVE-2014-5176 CONFIRM XF BID BUGTRAQ MISC FULLDISC CONFIRM MISC |
| silver-peak — vx | Cross-site request forgery (CSRF) vulnerability in php/user_account.php in Silver Peak VX through 6.2.4 allows remote attackers to hijack the authentication of administrators for requests that create administrative accounts. | 2014-07-28 | 6.8 | CVE-2014-2974 |
| silver-peak — vx | Cross-site scripting (XSS) vulnerability in php/user_account.php in Silver Peak VX before 6.2.4 allows remote attackers to inject arbitrary web script or HTML via the user_id parameter. | 2014-07-28 | 4.3 | CVE-2014-2975 |
| torproject — tor | Tor before 0.2.4.23 and 0.2.5 before 0.2.5.6-alpha maintains a circuit after an inbound RELAY_EARLY cell is received by a client, which makes it easier for remote attackers to conduct traffic-confirmation attacks by using the pattern of RELAY and RELAY_EARLY cells as a means of communicating information about hidden service names. | 2014-07-30 | 4.3 | CVE-2014-5117 CONFIRM MLIST MLIST MISC |
| transmissionbt — transmission | Integer overflow in the tr_bitfieldEnsureNthBitAlloced function in bitfield.c in Transmission before 2.84 allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted peer message, which triggers an out-of-bounds write. | 2014-07-29 | 6.8 | CVE-2014-4909 MISC CONFIRM CONFIRM UBUNTU BID OSVDB MLIST MLIST DEBIAN SECUNIA SECUNIA SECUNIA FEDORA MISC |
| ubnt — unifi_video | The default Flash cross-domain policy (crossdomain.xml) in Ubiquiti Networks UniFi Video (formerly AirVision aka AirVision Controller) before 3.0.1 does not restrict access to the application, which allows remote attackers to bypass the Same Origin Policy via a crafted SWF file. | 2014-07-25 | 6.0 | CVE-2014-2227 BID MISC FULLDISC |
| visualware — myconnection_server | Multiple cross-site scripting (XSS) vulnerabilities in test.php in Visualware MyConnection Server 9.7i allow remote attackers to inject arbitrary web script or HTML via the (1) testtype, (2) ver, (3) cm, (4) map, (5) lines, (6) pps, (7) bpp, (8) codec, (9) provtext, (10) provtextextra, (11) provlink, or (12) duration parameter. | 2014-07-28 | 4.3 | CVE-2014-5113 BID MISC MISC |
| vitamin_plugin_project — vitamin | Multiple directory traversal vulnerabilities in the Vitamin plugin before 1.1.0 for WordPress allow remote attackers to access arbitrary files via a .. (dot dot) in the path parameter to (1) add_headers.php or (2) minify.php. | 2014-07-31 | 5.0 | CVE-2012-6651 BID MLIST MLIST |
| webidsupport — webid | Multiple cross-site scripting (XSS) vulnerabilities in WeBid 1.1.1 allow remote attackers to inject arbitrary web script or HTML via the (1) TPL_name, (2) TPL_nick, (3) TPL_email, (4) TPL_year, (5) TPL_address, (6) TPL_city, (7) TPL_prov, (8) TPL_zip, (9) TPL_phone, (10) TPL_pp_email, (11) TPL_authnet_id, (12) TPL_authnet_pass, (13) TPL_worldpay_id, (14) TPL_toocheckout_id, or (15) TPL_moneybookers_email in a first action to register.php or the (16) username parameter in a login action to user_login.php. | 2014-07-25 | 4.3 | CVE-2014-5101 BID MISC |
| wireshark — wireshark | The dissect_log function in plugins/irda/packet-irda.c in the IrDA dissector in Wireshark 1.10.x before 1.10.9 does not properly strip '\n' characters, which allows remote attackers to cause a denial of service (buffer underflow and application crash) via a crafted packet. | 2014-08-01 | 5.0 | CVE-2014-5161 |
| wireshark — wireshark | The read_new_line function in wiretap/catapult_dct2000.c in the Catapult DCT2000 dissector in Wireshark 1.10.x before 1.10.9 does not properly strip '\n' and '\r' characters, which allows remote attackers to cause a denial of service (off-by-one buffer underflow and application crash) via a crafted packet. | 2014-08-01 | 5.0 | CVE-2014-5162 |
| wireshark — wireshark | The APN decode functionality in (1) epan/dissectors/packet-gtp.c and (2) epan/dissectors/packet-gsm_a_gm.c in the GTP and GSM Management dissectors in Wireshark 1.10.x before 1.10.9 does not completely initialize a certain buffer, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. | 2014-08-01 | 5.0 | CVE-2014-5163 CONFIRM |
| wireshark — wireshark | The rlc_decode_li function in epan/dissectors/packet-rlc.c in the RLC dissector in Wireshark 1.10.x before 1.10.9 initializes a certain structure member only after this member is used, which allows remote attackers to cause a denial of service (application crash) via a crafted packet. | 2014-08-01 | 5.0 | CVE-2014-5164 CONFIRM |
| wireshark — wireshark | The dissect_ber_constrained_bitstring function in epan/dissectors/packet-ber.c in the ASN.1 BER dissector in Wireshark 1.10.x before 1.10.9 does not properly validate padding values, which allows remote attackers to cause a denial of service (buffer underflow and application crash) via a crafted packet. | 2014-08-01 | 5.0 | CVE-2014-5165 CONFIRM CONFIRM |
| zohocorp — manageengine_eventlog_analyzer | Cross-site scripting (XSS) vulnerability in ZOHO ManageEngine EventLog Analyzer 9 build 9000 allows remote attackers to inject arbitrary web script or HTML via the j_username parameter to event/j_security_check. | 2014-07-25 | 4.3 | CVE-2014-5103 BUGTRAQ MISC |


Low Vulnerabilities

| Primary Vendor — Product | Description | Published | CVSS Score | Source & Patch Info |
| --- | --- | --- | --- | --- |
| apache — subversion | svnwcsub.py in Subversion 1.8.0 before 1.8.3, when using the --pidfile option and running in foreground mode, allows local users to gain privileges via a symlink attack on the pid file. NOTE: this issue was SPLIT due to different affected versions (ADT3). The irkerbridge.py issue is covered by CVE-2013-7393. | 2014-07-28 | 2.4 | CVE-2013-4262 |
| apache — subversion | The daemonize.py module in Subversion 1.8.0 before 1.8.2 allows local users to gain privileges via a symlink attack on the pid file created for (1) svnwcsub.py or (2) irkerbridge.py when the --pidfile option is used. NOTE: this issue was SPLIT from CVE-2013-4262 based on different affected versions (ADT3). | 2014-07-28 | 2.4 | CVE-2013-7393 |
| apple — cups | The web interface in CUPS 1.7.4 allows local users in the lp group to read arbitrary files via a symlink attack on a file in /var/cache/cups/rss/ and language[0] set to null. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-3537. | 2014-07-29 | 1.5 | CVE-2014-5029 MLIST MLIST DEBIAN SECUNIA |
| apple — cups | CUPS before 2.0 allows local users to read arbitrary files via a symlink attack on (1) index.html, (2) index.class, (3) index.pl, (4) index.php, (5) index.pyc, or (6) index.py. | 2014-07-29 | 1.9 | CVE-2014-5030 MLIST MLIST DEBIAN SECUNIA |
| ibm — maximo_asset_management | Cross-site scripting (XSS) vulnerability in IBM Maximo Asset Management 6.2 through 6.2.8 and 6.x and 7.x through 7.5.0.6, Maximo Asset Management 7.5 through 7.5.0.3 and 7.5.1 through 7.5.1.2 for SmartCloud Control Desk, and Maximo Asset Management 6.2 through 6.2.8 for Tivoli IT Asset Management for IT and Maximo Service Desk allows remote authenticated users to inject arbitrary web script or HTML via the Query Description Field. | 2014-07-30 | 3.5 | CVE-2014-0914 XF AIXAPAR |
| ibm — maximo_asset_management | Multiple cross-site scripting (XSS) vulnerabilities in IBM Maximo Asset Management 6.2 through 6.2.8, 6.x and 7.1 through 7.1.1.2, and 7.5 through 7.5.0.6; Maximo Asset Management 7.5 through 7.5.0.3 and 7.5.1 through 7.5.1.2 for SmartCloud Control Desk; and Maximo Asset Management 6.2 through 6.2.8, 7.1 through 7.1.1.2, and 7.2 for Tivoli Asset Management for IT and certain other products allow remote authenticated users to inject arbitrary web script or HTML via (1) the KPI display name field or (2) a portlet field. | 2014-07-30 | 3.5 | CVE-2014-0915 XF AIXAPAR |
| ibm — infosphere_master_data_management | The GDS component in IBM InfoSphere Master Data Management - Collaborative Edition 10.0 through 11.0 and InfoSphere Master Data Management Server for Product Information Management 9.0 and 9.1 does not properly handle FRAME elements, which makes it easier for remote authenticated users to conduct phishing attacks via a crafted web site. | 2014-08-01 | 3.5 | CVE-2014-3009 XF |
| ibm — maximo_asset_management | Multiple cross-site scripting (XSS) vulnerabilities in IBM Maximo Asset Management 6.2 through 6.2.8, 6.x and 7.1 through 7.1.1.2, and 7.5 through 7.5.0.6; Maximo Asset Management 7.5 through 7.5.0.3 and 7.5.1 through 7.5.1.2 for SmartCloud Control Desk; and Maximo Asset Management 6.2 through 6.2.8, 7.1 through 7.1.1.2, and 7.2 for Tivoli Asset Management for IT and certain other products allow remote authenticated users to inject arbitrary web script or HTML via unspecified input to a .jsp file under webclient/utility/. | 2014-07-30 | 3.5 | CVE-2014-3025 |
XF
AIXAPAR
ibm — maximo_asset_management CRLF injection vulnerability in IBM Maximo Asset Management 7.5 through 7.5.0.6, and 7.5 through 7.5.0.3 and 7.5.1 through 7.5.1.2 for SmartCloud Control Desk, allows remote authenticated users to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors. 2014-07-29 3.5 CVE-2014-3026
XF
ibm — rational_team_concert IBM Rational Team Concert (RTC) 3.x before 3.0.1.6 IF3 and 4.x before 4.0.7 does not properly integrate with build engines, which allows remote authenticated users to discover credentials via unspecified vectors. 2014-07-29 3.5 CVE-2014-3050
XF
ibm — sametime The Classic Meeting Server in IBM Sametime 8.x through 8.5.2.1 allows physically proximate attackers to discover a meeting password hash by leveraging access to an unattended workstation to read HTML source code within a victim’s browser. 2014-07-26 2.1 CVE-2014-4747
moodle — moodle Cross-site scripting (XSS) vulnerability in user/profile.php in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allows remote authenticated users to inject arbitrary web script or HTML via the Skype ID profile field. 2014-07-29 3.5 CVE-2014-3544
MISC
MLIST
moodle — moodle Multiple cross-site scripting (XSS) vulnerabilities in the advanced-grading implementation in Moodle through 2.3.11, 2.4.x before 2.4.11, 2.5.x before 2.5.7, 2.6.x before 2.6.4, and 2.7.x before 2.7.1 allow remote authenticated users to inject arbitrary web script or HTML via a crafted (1) qualification or (2) rating field in a rubric. 2014-07-29 3.5 CVE-2014-3551
MLIST
sap — hana_extend_application_services SAP HANA Extend Application Services (XS) does not encrypt transmissions for applications that enable form based authentication using SSL, which allows remote attackers to obtain credentials and other sensitive information by sniffing the network. 2014-07-31 2.9 CVE-2014-5171
CONFIRM
BUGTRAQ
MISC
FULLDISC
CONFIRM
MISC
sap — netweaver_business_warehouse The SAP Netweaver Business Warehouse component does not properly restrict access to the functions in the BW-SYS-DB-DB4 function group, which allows remote authenticated users to obtain sensitive information via unspecified vectors. 2014-07-31 3.5 CVE-2014-5174
CONFIRM
XF
BID
MISC
CONFIRM
MISC
ubnt — unifi_controller Ubiquiti UniFi Controller before 3.2.1 logs the administrative password hash in syslog messages, which allows man-in-the-middle attackers to obtain sensitive information via unspecified vectors. 2014-07-29 2.6 CVE-2014-2226
BID
MISC
FULLDISC
MISC
zarafa — webapp WebAccess in Zarafa before 7.1.10 and WebApp before 1.6 stores credentials in cleartext, which allows local Apache users to obtain sensitive information by reading the PHP session files. 2014-07-29 2.1 CVE-2014-0103
CONFIRM
BID
FEDORA
FEDORA

This product is provided subject to this Notification and this Privacy & Use policy.

TA14-212A: Backoff Point-of-Sale Malware

Original release date: July 31, 2014 | Last revised: August 27, 2014

Systems Affected

Point-of-Sale Systems

Overview

This advisory was prepared in collaboration with the National Cybersecurity and Communications Integration Center (NCCIC), United States Secret Service (USSS), Financial Sector Information Sharing and Analysis Center (FS-ISAC), and Trustwave Spiderlabs, a trusted partner under contract with the USSS. The purpose of this release is to provide relevant and actionable technical indicators for network defense against the PoS malware dubbed “Backoff”, which has been discovered exploiting businesses’ administrator accounts remotely and exfiltrating consumer payment data.

Over the past year, the Secret Service has responded to network intrusions at numerous businesses throughout the United States that have been impacted by the “Backoff” malware. Seven PoS system providers/vendors have confirmed that they have had multiple clients affected. Reporting continues on additional compromised locations, involving private sector entities of all sizes, and the Secret Service currently estimates that over 1,000 U.S. businesses are affected.

Recent investigations revealed that malicious actors are using publicly available tools to locate businesses that use remote desktop applications. Remote desktop solutions like Microsoft’s Remote Desktop [1], Apple Remote Desktop [2], Chrome Remote Desktop [3], Splashtop 2 [4], and LogMeIn [5] offer the convenience and efficiency of connecting to a computer from a remote location. Once these applications were located, the suspects attempted to brute-force the login feature of the remote desktop solution. After gaining access to what were often administrator or otherwise privileged accounts, the suspects were then able to deploy the point-of-sale (PoS) malware and subsequently exfiltrate consumer payment data via an encrypted POST request.

Organizations that believe they have been impacted should contact their local Secret Service field office and may contact the NCCIC for additional information.

Description

“Backoff” is a recently discovered family of PoS malware. The malware family has been witnessed in at least three separate forensic investigations. Researchers have identified three primary variants of the “Backoff” malware: 1.4, 1.55 (“backoff”, “goo”, “MAY”, “net”), and 1.56 (“LAST”).

These variants have been seen as far back as October 2013 and continue to operate as of July 2014. The malware typically consists of the following four capabilities. An exception is the earliest witnessed variant (1.4), which does not include keylogging functionality; additionally, 1.55 ‘net’ removed the explorer.exe injection component:

  • Scraping memory for track data
  • Logging keystrokes
  • Command & control (C2) communication
  • Injecting malicious stub into explorer.exe

The malicious stub that is injected into explorer.exe is responsible for persistence in the event the malicious executable crashes or is forcefully stopped. The malware is responsible for scraping memory from running processes on the victim machine and searching for track data. Keylogging functionality is also present in the most recent variants of “Backoff”. Additionally, the malware has a C2 component that is responsible for uploading discovered data, updating the malware, downloading/executing further malware, and uninstalling the malware.

Variants

Based on compile timestamps and versioning information witnessed in the C2 HTTP POST requests, “Backoff” variants were analyzed over a seven month period. The five variants witnessed in the “Backoff” malware family have notable modifications, including:

1.55 “backoff”

  • Added Local.dat temporary storage for discovered track data
  • Added keylogging functionality
  • Added “gr” POST parameter to include variant name
  • Added ability to exfiltrate keylog data
  • Supports multiple exfiltration domains
  • Changed install path
  • Changed User-Agent

1.55 “goo”

  • Attempts to remove prior version of malware
  • Uses 8.8.8.8 as resolver

1.55 “MAY”

  • No significant updates other than changes to the URI and version name

1.55 “net”

  • Removed the explorer.exe injection component

1.56 “LAST”

  • Re-added the explorer.exe injection component
  • Support for multiple domain/URI/port configurations
  • Modified code responsible for creating exfiltration thread(s)
  • Added persistence techniques

Command & Control Communication

All C2 communication for “Backoff” takes place via HTTP POST requests. A number of POST parameters are included when this malware makes a request to the C&C server.

  • op : Static value of ‘1’
  • id : randomly generated 7 character string
  • ui : Victim username/hostname
  • wv : Version of Microsoft Windows
  • gr (Not seen in version 1.4) : Malware-specific identifier
  • bv : Malware version
  • data (optional) : Base64-encoded/RC4-encrypted data

The ‘id’ parameter is stored in the following location, to ensure it is consistent across requests:

  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier

If this value doesn’t exist, the string is generated and stored. Data is encrypted using RC4 prior to being encoded with Base64. The RC4 password is generated from the ‘id’ parameter, a static string (‘jhgtsd7fjmytkr’ in this variant; the per-variant value is listed as the Static String under File Indicators below), and the ‘ui’ parameter. These values are concatenated in that order and then hashed using the MD5 algorithm to form the RC4 password. In the above example, the RC4 password would be ‘56E15A1B3CB7116CAB0268AC8A2CD943’ (the MD5 hash of ‘vxeyHkSjhgtsd7fjmytkrJosh @ PC123456’).
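
The key derivation and data encoding described above, written out as an added incident-response helper (this is not code from the advisory or from the malware): it parses a captured beacon body, derives the RC4 password as MD5(id + static string + ui), and decrypts the ‘data’ field. It assumes the 32 uppercase hex characters of the digest (the form the advisory quotes) are the RC4 key bytes, and it takes the variant’s static string as a parameter since that value differs between variants. The sample body it builds for itself is constructed, not real traffic.

```python
import base64
import hashlib
from urllib.parse import parse_qs, urlencode

# "Static String (POST Request)" values as listed per variant in the File
# Indicators section of this advisory; pass the right one for the variant in hand.
VARIANT_STATIC_STRINGS = {
    "1.4": "zXqW9JdWLM4urgjRkX",
    "1.55 backoff": "ihasd3jasdhkas",
    "1.55 goo": "jhgtsd7fjmytkr",
    "1.55 MAY": "jhgtsd7fjmytkr",
    "1.55 net": "ihasd3jasdhkas9",
    "1.56 LAST": "jhgtsd7fjmytkr",
}

# Parameters the advisory says every beacon carries ("gr" is absent in 1.4 and
# "data" is optional, so neither is required before a body is treated as Backoff).
REQUIRED_PARAMS = {"op", "id", "ui", "wv", "bv"}


def derive_rc4_key(id_param, ui_param, static_string):
    """MD5(id + static string + ui) as an uppercase hex string.

    This reproduces the concatenation order the advisory gives for its example
    ('vxeyHkS' + 'jhgtsd7fjmytkr' + 'Josh @ PC123456'). Assumption: the hex
    text, not the raw 16-byte digest, is what the malware feeds to RC4.
    """
    material = (id_param + static_string + ui_param).encode("utf-8")
    return hashlib.md5(material).hexdigest().upper()


def rc4(key, data):
    """Plain RC4 (KSA + PRGA). It is symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_data_param(post_body, static_string):
    """Parse a captured beacon body and decrypt its optional 'data' field.

    Returns the parsed parameters, the derived key and the recovered plaintext
    (None when no 'data' was sent). Raises ValueError when the body lacks the
    Backoff parameter set, so unrelated POSTs can be skipped by the caller.
    """
    parsed = parse_qs(post_body, keep_blank_values=True)
    params = {k: v[0] for k, v in parsed.items()}
    missing = REQUIRED_PARAMS - params.keys()
    if missing:
        raise ValueError(f"not a Backoff beacon, missing {sorted(missing)}")
    key = derive_rc4_key(params["id"], params["ui"], static_string)
    plaintext = None
    if "data" in params:
        plaintext = rc4(key.encode("ascii"), base64.b64decode(params["data"]))
    return {"params": params, "rc4_key": key, "plaintext": plaintext}


def make_sample_body(id_param, ui_param, static_string, payload):
    """Construct a beacon body the way the advisory describes, purely so the
    decoder can be exercised offline. The wv/gr values here are made up."""
    key = derive_rc4_key(id_param, ui_param, static_string)
    data = base64.b64encode(rc4(key.encode("ascii"), payload)).decode("ascii")
    return urlencode({"op": "1", "id": id_param, "ui": ui_param, "wv": "6.1",
                      "gr": "goo", "bv": "1.55", "data": data})


if __name__ == "__main__":
    body = make_sample_body("vxeyHkS", "Josh @ PC123456",
                            VARIANT_STATIC_STRINGS["1.55 goo"],
                            b"constructed sample, not real track data")
    print(decode_data_param(body, VARIANT_STATIC_STRINGS["1.55 goo"]))
```

Because the key depends on the victim’s ‘id’ and ‘ui’ values as well as the static string, a decoder run over proxy captures has to read those two parameters out of the same request; trying a wrong variant’s static string simply yields garbage, which the last assertion below relies on.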

File Indicators:

The following Indicators of Compromise (IOCs) should be added to network and host security tooling so that defenders can search their environment for signs of these variants.

1.4

Packed MD5: 927AE15DBF549BD60EDCDEAFB49B829E

Unpacked MD5: 6A0E49C5E332DF3AF78823CA4A655AE8

Install Path: %APPDATA%\AdobeFlashPlayer\mswinsvc.exe

Mutexes:

uhYtntr56uisGst

uyhnJmkuTgD

Files Written:

%APPDATA%\mskrnl

%APPDATA%\winserv.exe

%APPDATA%\AdobeFlashPlayer\mswinsvc.exe

Static String (POST Request): zXqW9JdWLM4urgjRkX

Registry Keys:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service

User-Agent: Mozilla/4.0

URI(s): /aircanada/dark.php

1.55 “backoff”

Packed MD5: F5B4786C28CCF43E569CB21A6122A97E

Unpacked MD5: CA4D58C61D463F35576C58F25916F258

Install Path: %APPDATA%\AdobeFlashPlayer\mswinhost.exe

Mutexes:

Undsa8301nskal

uyhnJmkuTgD

Files Written:

%APPDATA%\mskrnl

%APPDATA%\winserv.exe

%APPDATA%\AdobeFlashPlayer\mswinhost.exe

%APPDATA%\AdobeFlashPlayer\Local.dat

%APPDATA%\AdobeFlashPlayer\Log.txt

Static String (POST Request): ihasd3jasdhkas

Registry Keys:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service

User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0

URI(s): /aero2/fly.php

1.55 “goo”

Packed MD5: 17E1173F6FC7E920405F8DBDE8C9ECAC

Unpacked MD5: D397D2CC9DE41FB5B5D897D1E665C549

Install Path: %APPDATA%\OracleJava\javaw.exe

Mutexes:

nUndsa8301nskal

nuyhnJmkuTgD

Files Written:

%APPDATA%\nsskrnl

%APPDATA%\winserv.exe

%APPDATA%\OracleJava\javaw.exe

%APPDATA%\OracleJava\Local.dat

%APPDATA%\OracleJava\Log.txt

Static String (POST Request): jhgtsd7fjmytkr

Registry Keys:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service

User-Agent:

URI(s): /windows/updcheck.php

1.55 “MAY”

Packed MD5: 21E61EB9F5C1E1226F9D69CBFD1BF61B

Unpacked MD5: CA608E7996DED0E5009DB6CC54E08749

Install Path: %APPDATA%\OracleJava\javaw.exe

Mutexes:

nUndsa8301nskal

nuyhnJmkuTgD

Files Written:

%APPDATA%\nsskrnl

%APPDATA%\winserv.exe

%APPDATA%\OracleJava\javaw.exe

%APPDATA%\OracleJava\Local.dat

%APPDATA%\OracleJava\Log.txt

Static String (POST Request): jhgtsd7fjmytkr

Registry Keys:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service

User-Agent:

URI(s): /windowsxp/updcheck.php

1.55 “net”

Packed MD5: 0607CE9793EEA0A42819957528D92B02

Unpacked MD5: 5C1474EA275A05A2668B823D055858D9

Install Path: %APPDATA%\AdobeFlashPlayer\mswinhost.exe

Mutexes:

nUndsa8301nskal

Files Written:

%APPDATA%\AdobeFlashPlayer\mswinhost.exe

%APPDATA%\AdobeFlashPlayer\Local.dat

%APPDATA%\AdobeFlashPlayer\Log.txt

Static String (POST Request): ihasd3jasdhkas9

Registry Keys:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service

User-Agent:

URI(s): /windowsxp/updcheck.php

1.56 “LAST”

Packed MD5: 12C9C0BC18FDF98189457A9D112EEBFC

Unpacked MD5: 205947B57D41145B857DE18E43EFB794

Install Path: %APPDATA%\OracleJava\javaw.exe

Mutexes:

nUndsa8301nskal

nuyhnJmkuTgD

Files Written:

%APPDATA%\nsskrnl

%APPDATA%\winserv.exe

%APPDATA%\OracleJava\javaw.exe

%APPDATA%\OracleJava\Local.dat

%APPDATA%\OracleJava\Log.txt

Static String (POST Request): jhgtsd7fjmytkr

Registry Keys:

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\identifier

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows NT Service

HKCU\SOFTWARE\Microsoft\Active Setup\Installed Components\{B3DB0D62-B481-4929-888B-49F426C1A136}\StubPath

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{B3DB0D62-B481-4929-888B-49F426C1A136}\StubPath

User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0

URI(s): /windebug/updcheck.php
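
As an added example of putting the network indicators above to work (this is not code from the advisory), the following scanner runs the per-variant C2 URIs, the listed User-Agent strings and the beacon parameter set from the Command & Control section over proxy log lines. The log layout it parses is an assumed one constructed for the example, and the sample lines use documentation address ranges rather than real traffic. A URI or parameter-set hit is treated as specific to this family; a User-Agent hit alone is only a weak signal, since the Firefox 24 string is what a genuine Firefox 24 sends.

```python
import re
from urllib.parse import parse_qs, urlsplit

# C2 URIs and the variant each is listed under in the File Indicators above.
BACKOFF_URIS = {
    "/aircanada/dark.php": "1.4",
    "/aero2/fly.php": "1.55 backoff",
    "/windows/updcheck.php": "1.55 goo",
    "/windowsxp/updcheck.php": "1.55 MAY / 1.55 net",
    "/windebug/updcheck.php": "1.56 LAST",
}

# User-Agents listed above. The Firefox 24 string is also what a real Firefox 24
# sends, so a User-Agent match on its own is only a weak signal.
BACKOFF_USER_AGENTS = {
    "Mozilla/4.0",
    "Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0",
}

# Parameters present in every beacon per the Command & Control section
# ("gr" is absent in 1.4 and "data" is optional, so neither is required here).
BEACON_PARAMS = {"op", "id", "ui", "wv", "bv"}

# Assumed proxy log layout, constructed for this example (not a real product's format):
#   <timestamp> <client-ip> <method> <url> "<user-agent>" [<urlencoded-post-body>]
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) '
    r'"(?P<ua>[^"]*)"(?: (?P<body>\S+))?$'
)

# Constructed sample lines using documentation IP ranges; none are real traffic.
SAMPLE_LOG_LINES = [
    '2014-07-29T10:15:02Z 10.1.20.15 POST http://203.0.113.10/windebug/updcheck.php '
    '"Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0" '
    'op=1&id=vxeyHkS&ui=Josh+%40+PC123456&wv=6.1&gr=LAST&bv=1.56',
    '2014-07-29T10:16:44Z 10.1.20.22 GET http://www.example.com/news/index.html '
    '"Mozilla/5.0 (Windows NT 6.1; rv:24.0) Gecko/20100101 Firefox/24.0"',
    '2014-07-29T10:17:01Z 10.1.20.31 POST http://198.51.100.7/updates/updcheck.php '
    '"Mozilla/4.0" q=1',
    '2014-07-29T10:18:30Z 10.1.20.15 POST http://203.0.113.10/aero2/fly.php '
    '"Mozilla/4.0" op=1&id=abcdefg&ui=x&wv=5.1&bv=1.55',
    'this line is not in the expected format',
]


def looks_like_beacon(body):
    """True when a POST body carries the Backoff parameter set: all required
    names present, op fixed at '1' and id the 7-character string described."""
    if not body:
        return False
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return (BEACON_PARAMS <= params.keys()
            and params["op"] == "1"
            and len(params["id"]) == 7)


def classify(record):
    """Score one parsed log record; returns a finding dict or None."""
    reasons = []
    path = urlsplit(record["url"]).path          # exact path match, no substring guessing
    variant = BACKOFF_URIS.get(path)
    if variant:
        reasons.append("c2_uri")
    if record["method"] == "POST" and looks_like_beacon(record["body"]):
        reasons.append("beacon_params")
    if record["ua"] in BACKOFF_USER_AGENTS:
        reasons.append("user_agent")
    if not reasons:
        return None
    # A URI or parameter-set match is specific to this family; a User-Agent
    # match alone is only worth raising for POSTs, and then as low severity.
    if reasons == ["user_agent"]:
        if record["method"] != "POST":
            return None
        severity = "low"
    else:
        severity = "high"
    return {"timestamp": record["ts"], "source": record["src"], "path": path,
            "variant": variant, "severity": severity, "reasons": reasons}


def scan_log(lines):
    """Run every line through the parser and classifier; unparsable lines are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = classify(m.groupdict())
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG_LINES):
        print(f["severity"], f["source"], f["path"], f["variant"], f["reasons"])
```

Low-severity findings are meant to be corroborated against the host indicators above (install paths, mutexes, Run and Active Setup keys) on the source machine before anyone is paged; the high-severity ones point at a host and a C2 address that can be blocked at the egress firewall right away.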

Impact

The impact of a compromised PoS system can affect both businesses and consumers by exposing customer data such as names, mailing addresses, credit/debit card numbers, phone numbers, and e-mail addresses to criminal elements. These breaches can impact a business’ brand and reputation, while consumers’ information can be used to make fraudulent purchases or compromise bank accounts. It is critical to safeguard your corporate networks and web servers to prevent any unnecessary exposure to compromise or to mitigate any damage that could be occurring now.

Solution

At the time this advisory is released, the variants of the “Backoff” malware family are largely undetected by anti-virus (AV) vendors. However, shortly following the publication of this technical analysis, AV companies will quickly begin detecting the existing variants. It’s important to maintain up-to-date AV signatures and engines, as new threats such as this are continually being added to your AV solution. Pending AV detection of the malware variants, network defenders can apply indicators of compromise (IOC) to a variety of prevention and detection strategies [6], [7], [8]. IOCs can be found above.

The forensic investigations of compromises of retail IT/payment networks indicate that the network compromises allowed the introduction of memory scraping malware to the payment terminals. Information security professionals recommend a defense in depth approach to mitigating risk to retail payment systems. While some of the risk mitigation recommendations are general in nature, the following strategies provide an approach to minimize the possibility of an attack and mitigate the risk of data compromise:

Remote Desktop Access

  • Configure the account lockout settings to lock a user account after a period of time or a specified number of failed login attempts. This prevents unlimited unauthorized attempts to login whether from an unauthorized user or via automated attack types like brute force.[9]
  • Limit the number of users and workstations who can log in using Remote Desktop.
  • Use firewalls (both software and hardware where available) to restrict access to remote desktop listening ports (default is TCP 3389).[10]
  • Change the default Remote Desktop listening port.
  • Define complex password parameters. Configuring an expiration time and password length and complexity can decrease the amount of time in which a successful attack can occur.[11]
  • Require two-factor authentication (2FA) for remote desktop access.[12]
  • Install a Remote Desktop Gateway to restrict access.[13]
  • Add an extra layer of authentication and encryption by tunneling your Remote Desktop through IPSec, SSH or SSL.[14],[15]
  • Require 2FA when accessing payment processing networks. Even if a virtual private network is used, it is important that 2FA is implemented to help mitigate keylogger or credential dumping attacks.
  • Limit administrative privileges for users and applications.
  • Periodically review systems (local and domain controllers) for unknown and dormant users.

Network Security

  • Review firewall configurations and ensure that only allowed ports, services and Internet protocol (IP) addresses are communicating with your network. This is especially critical for outbound (egress) firewall rules, where compromised entities are allowed to communicate on any port to any IP address on the Internet. Hackers leverage this configuration to exfiltrate data to their IP addresses.
  • Segregate payment processing networks from other networks.
  • Apply access control lists (ACLs) on the router configuration to limit unauthorized traffic to payment processing networks.
  • Create strict ACLs segmenting public-facing systems and back-end database systems that house payment card data.
  • Implement data leakage prevention/detection tools to detect and help prevent data exfiltration.
  • Implement tools to detect anomalous network traffic and anomalous behavior by legitimate users (compromised credentials).

Cash Register and PoS Security

  • Implement hardware-based point-to-point encryption. It is recommended that EMV-enabled PIN entry devices or other credit-only accepting devices have Secure Reading and Exchange of Data (SRED) capabilities. SRED-approved devices can be found at the Payment Card Industry Security Standards website.
  • Install Payment Application Data Security Standard-compliant payment applications.
  • Deploy the latest version of an operating system and ensure it is up to date with security patches, anti-virus software, file integrity monitoring and a host-based intrusion-detection system.
  • Assign a strong password to security solutions to prevent application modification. Use two-factor authentication (2FA) where feasible.
  • Perform a binary or checksum comparison to ensure unauthorized files are not installed.
  • Ensure any automatic updates from third parties are validated. This means performing a checksum comparison on the updates prior to deploying them on PoS systems. It is recommended that merchants work with their PoS vendors to obtain signatures and hash values to perform this checksum validation.
  • Disable unnecessary ports and services, null sessions, default users and guests.
  • Enable logging of events and make sure there is a process to monitor logs on a daily basis.
  • Implement least privileges and ACLs on users and applications on the system.

References

Revision History

  • July 31, 2014 – Initial Release
  • August 18, 2014 – Minor revision to remote desktop solutions list
  • August 22, 2014 – Changes to the Overview section
  • August 26, 2014 – Minor revision to remote desktop solutions list

Controlling access to smart cards

Smart cards are increasingly used in workstations as an authentication method. They are mainly used to provide public key operations (e.g., digital signatures) using keys that cannot be exported from the card. They also serve as data storage, e.g., for the certificate corresponding to the key. In RHEL and Fedora systems, low-level access to smart cards is provided by the pcsc-lite daemon, an implementation of the PC/SC protocol defined by the PC/SC industry consortium. In brief, the PC/SC protocol allows the system to execute certain pre-defined commands on the card and obtain the result. The pcsc-lite implementation uses a privileged daemon process that handles direct communication with the card (e.g., using the CCID USB protocol), while applications communicate with the daemon using the SCard API. That API hides the underlying communication between the application and the pcsc-lite daemon, which is based on unix domain sockets.

However, there is a catch. As you may have noticed, there is no mention of access control in the communication between applications and the pcsc-lite daemon. That is because it is assumed that the access control built into smart cards, such as PINs, pinpads, and biometrics, is sufficient to counter most threats. That isn’t always the case. As smart cards contain embedded software in the form of firmware, there will be bugs that can be exploited by a malicious application, and these bugs, even when known, are neither easy nor practical to fix. Furthermore, there are often public files (i.e., files not protected by a PIN) on a smart card that are intended for the card’s user but should not necessarily be accessible to every user of the system. Even worse, certain smart cards allow any user of the system to erase all card data by re-initializing it. All of this led us to introduce additional access control for smart cards, on par with the access control used for external hard disks. The main idea is to provide fine-grained access control on the system and to specify policies such as “the user on the console should be able to fully access the smart card, but no other user”. For that we used polkit, a framework used by applications to grant access to privileged operations. The main reason for this decision is that polkit has already been used successfully to grant access to external hard disks, and, unsurprisingly, the access control requirements for smart cards share many similarities with those of removable devices such as hard disks.

The pcsc-lite access control framework is now part of pcsc-lite 1.8.11 and will be enabled by default in Fedora 21. The advantage it offers is that it can prevent unauthorized users from issuing commands to smart cards, and prevent unauthorized users from reading, writing or (in some cases) erasing any public data on a smart card. The access control is imposed during session initialization, keeping any potential overhead minimal. The default policy in Fedora 21 will treat any user on the console as authorized, as physical access to the console implies physical access to the card, but remote users (e.g., via ssh) and system daemons will be treated as unauthorized unless they have administrative rights.

Let’s now see how the smart card access control can be administered. The system-wide policy for the pcsc-lite daemon is available at /usr/share/polkit-1/actions/org.debian.pcsc-lite.policy. That file is a polkit XML file that contains the default rules needed to access the daemon. The default policy that will be shipped in Fedora 21 consists of the following.

  <action id="org.debian.pcsc-lite.access_pcsc">
    <description>Access to the PC/SC daemon</description>
    <message>Authentication is required to access the PC/SC daemon</message>
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>

  <action id="org.debian.pcsc-lite.access_card">
    <description>Access to the smart card</description>
    <message>Authentication is required to access the smart card</message>
    <defaults>
      <allow_any>auth_admin</allow_any>
      <allow_inactive>auth_admin</allow_inactive>
      <allow_active>yes</allow_active>
    </defaults>
  </action>

The syntax is explained in more detail in the polkit manual page. The parts relevant to pcsc-lite are the action IDs. The action with ID “org.debian.pcsc-lite.access_pcsc” contains the policy for accessing the pcsc-lite daemon and issuing commands to it, i.e., accessing the unix domain socket. The second action, with ID “org.debian.pcsc-lite.access_card”, contains the policy for issuing commands to the smart cards available to the pcsc-lite daemon. That distinction allows, for example, programs to query the number of readers and cards present without being able to issue any commands to them. Under both policies only active (console) processes are allowed to access the pcsc-lite daemon and smart cards, unless they are privileged processes.

Polkit is considerably more flexible, though. With it we can provide even more fine-grained access control, e.g., to specific card readers. For example, if we have a web server that utilizes a smart card, we can restrict it to using only the smart cards under a given reader. These rules are expressed in Javascript and can be added in a separate file under /usr/share/polkit-1/rules.d/. Let’s now see how the rules for our example would look.

polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
        subject.user == "apache") {
            return polkit.Result.YES;
    }
});

polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_card" &&
        action.lookup("reader") == 'name_of_reader' &&
        subject.user == "apache") {
            return polkit.Result.YES;
    }
});

Here we add two rules. The first one allows the user “apache”, which is the user the web server runs under, to access the pcsc-lite daemon. That rule explicitly allows access to the daemon because under our default policy only administrators and the console user can access it. The second rule allows the same user to access the smart card reader identified by “name_of_reader”. The name of the reader can be obtained using the commands pcsc_scan or opensc-tool -l.

With these changes to pcsc-lite we provide reasonable default settings for the users of smart cards that apply to most, if not all, typical uses. These default settings increase the overall security of the system by denying non-authorized users access to the smart card firmware, as well as to its data and operations.

MS14-037 – Critical: Cumulative Security Update for Internet Explorer (2975687) – Version: 1.1

Severity Rating: Critical
Revision Note: V1.1 (July 29, 2014): Corrected the severity table and vulnerability information to add CVE-2014-4066 as a vulnerability addressed by this update. This is an informational change only. Customers who have already successfully installed the update do not have to take any action.
Summary: This security update resolves one publicly disclosed vulnerability and twenty-four privately reported vulnerabilities in Internet Explorer. The most severe of these vulnerabilities could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

MS13-098 – Critical: Vulnerability in Windows Could Allow Remote Code Execution (2893294) – Version: 1.6

Severity Rating: Critical
Revision Note: V1.6 (July 29, 2014): Revised bulletin to announce that Microsoft no longer plans to enforce the stricter verification behavior as a default functionality on supported releases of Microsoft Windows. It remains available as an opt-in feature.
Summary: This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if a user or application runs or installs a specially crafted, signed portable executable (PE) file on an affected system.

2915720 – Changes in Windows Authenticode Signature Verification – Version: 1.4

Revision Note: V1.4 (July 29, 2014): Revised advisory to announce that Microsoft no longer plans to enforce the stricter verification behavior as a default functionality on supported releases of Microsoft Windows. It remains available as an opt-in feature. See the Advisory FAQ section for more information.
Summary: Microsoft is announcing the availability of an update for all supported releases of Microsoft Windows to change how signatures are verified for binaries signed with the Windows Authenticode signature format. The change is included with Security Bulletin MS13-098, but will only be enabled on an opt-in basis. When enabled, the new default behavior for Windows Authenticode signature verification will no longer allow extraneous information in the WIN_CERTIFICATE structure, and Windows will no longer recognize non-compliant binaries as signed.

UPDATED : VMSA-2014-0006.9 VMware product updates address OpenSSL security vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -----------------------------------------------------------------------
VMware Security Advisory

Advisory ID: VMSA-2014-0006.9
Synopsis:    VMware product updates address OpenSSL 
             security vulnerabilities
Issue date:  2014-06-10
Updated on:  2014-07-22
CVE numbers: CVE-2014-0224, CVE-2014-0198, CVE-2010-5298, and 
             CVE-2014-3470
- -----------------------------------------------------------------------

1. Summary

   VMware product updates address OpenSSL security vulnerabilities.

2. Relevant Releases

   Big Data Extensions prior to 2.0.0

   ESXi 5.5 without patch ESXi550-201406401-SG
   ESXi 5.1 without patch ESXi510-201406401-SG
   ESXi 5.0 without patch ESXi500-201407401-SG

   Workstation 10.x prior to 10.0.3 
   Workstation 9.x prior to 9.0.4 

   Player 6.x prior to 6.0.3
   Player 5.x prior to 5.0.4

   Fusion 6.x prior to 6.0.4
   Fusion 5.x prior to 5.0.5

   Horizon Mirage Edge Gateway prior to 4.4.3

   Horizon View prior to 5.3.2
   Horizon View 5.3 Feature Pack X prior to Feature Pack 3

   Horizon Workspace Server 1.5.x without patch horizon-nginx-rpm-
                                                1.5.0.0-1876270.
                                                x86_64.rpm

   Horizon Workspace Server 1.8.x without patch horizon-nginx-rpm-
                                                1.8.2.1820-1876338.
                                                x86_64.rpm

   Horizon View Clients prior to 3.0
      
   vCD 5.5.x prior to 5.5.1.2
   vCD 5.1.x prior to 5.1.3.1

   vCenter prior to 5.5u1b
   vCenter prior to 5.1 U2a
   vCenter prior to 5.0U3a

   vCenter Support Assistant prior to 5.5.1.1

   vCloud Automation Center prior to 6.0.1.2 

   vCenter Configuration Manager prior to 5.7.2

   vCenter Converter Standalone prior to 5.5.2
   Converter Standalone prior to 5.1.1

   vCenter Operations Manager prior to 5.8.2
   vCenter Operations Manager prior to 5.7.3 

   vCenter Chargeback Manager 2.6 prior to 2.6.0.1

   vCloud Networking and Security prior to 5.5.2.1
   vCloud Networking and Security prior to 5.1.4.1

   vSphere PowerCLI 5.x

   vCSA prior to 5.5u1b
   vCSA prior to 5.1u2a
   vCSA prior to 5.0u3a

   OVF Tool prior to 5.3.2

   Update Manager prior to 5.5u1b

   VDDK prior to 5.5.2
   VDDK prior to 5.1.3
   VDDK prior to 5.0.4

   NSX for Multi-Hypervisor 4.1.x prior to 4.1.3
   NSX for Multi-Hypervisor 4.0.x prior to 4.0.4
   NVP 3.0.x prior to 3.2.3
   NSX 6.0.x for vSphere prior to 6.0.5

   vFabric Web Server 5.x        
   Pivotal Web Server prior to 5.4.1 
 
   vCenter Site Recovery Manager prior to 5.5.1.1
   vCenter Site Recovery Manager  prior to 5.1.2.1
   vCenter Site Recovery Manager  prior to 5.0.3.2

   vSphere Replication prior to 5.5.1.1

3. Problem Description

   a. OpenSSL update for multiple products.

      OpenSSL libraries have been updated in multiple products to
      versions 0.9.8za and 1.0.1h in order to resolve multiple security
      issues.
 
      The Common Vulnerabilities and Exposures project (cve.mitre.org)
      has assigned the names CVE-2014-0224, CVE-2014-0198,
      CVE-2010-5298, CVE-2014-3470, CVE-2014-0221 and CVE-2014-0195 to
      these issues. The most important of these issues is
      CVE-2014-0224.

      CVE-2014-0198, CVE-2010-5298 and CVE-2014-3470 are considered to
      be of moderate severity. Exploitation is highly unlikely or is
      mitigated due to the application configuration.

      CVE-2014-0221 and CVE-2014-0195, which are listed in the OpenSSL 
      Security Advisory (see Reference section below), do not affect
      any VMware products.     

      CVE-2014-0224 may lead to a Man-in-the-Middle attack if a server
      is running a vulnerable version of OpenSSL 1.0.1 and clients are
      running a vulnerable version of OpenSSL 0.9.8 or 1.0.1. Updating
      the server will mitigate this issue for both the server and all
      affected clients.

      CVE-2014-0224 may affect products differently depending on
      whether the product is acting as a client or a server and on
      which version of OpenSSL the product is using. For readability
      the affected products have been split into 3 tables below,
      based on the different client-server configurations and
      deployment scenarios.
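      The client/server dependency above follows from what the bug is: a
      server that accepts a ChangeCipherSpec before the key exchange
      derives its session keys from an empty master secret, which an
      attacker in the path can then use against both ends. The probe
      below is an added example, not VMware's or OpenSSL's code. It
      builds both sides' messages of the usual test exchange (ClientHello,
      wait for ServerHelloDone, then inject CCS twice) and classifies the
      server's reply: a fatal unexpected_message alert is what the fixed
      0.9.8za/1.0.1h code sends for an early CCS, while bad_record_mac or
      decryption_failed on the second record indicates the first one was
      accepted. The cipher suite list, the two-CCS design and the verdict
      thresholds are my assumptions, and the replies checked in the usage
      note are constructed.

```python
"""Early-ChangeCipherSpec probe for CVE-2014-0224 (added example, not VMware's code)."""
import os
import socket
import struct
import sys

HANDSHAKE, CCS, ALERT = 0x16, 0x14, 0x15
TLS1_0 = b"\x03\x01"
SERVER_HELLO_DONE = 14
UNEXPECTED_MESSAGE, BAD_RECORD_MAC, DECRYPTION_FAILED = 10, 20, 21
# Assumed suite list: AES128-SHA, AES256-SHA, DES-CBC3-SHA, DHE-RSA-AES256-SHA, DHE-RSA-AES128-SHA.
CIPHER_SUITES = bytes.fromhex("002f0035000a00390033")


def tls_record(content_type: int, body: bytes, version: bytes = TLS1_0) -> bytes:
    """Wrap body in a TLS record: type(1) version(2) length(2) body."""
    return bytes([content_type]) + version + struct.pack("!H", len(body)) + body


def client_hello_record() -> bytes:
    """Plain TLS 1.0 ClientHello: empty session id, no extensions, null compression."""
    body = (TLS1_0 + os.urandom(32) + b"\x00"
            + struct.pack("!H", len(CIPHER_SUITES)) + CIPHER_SUITES
            + b"\x01\x00")
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type 1 = client_hello
    return tls_record(HANDSHAKE, handshake)


def early_ccs_record() -> bytes:
    """ChangeCipherSpec sent before any key exchange: the injected message."""
    return tls_record(CCS, b"\x01")


def parse_records(data: bytes) -> list:
    """Split a byte stream into (content_type, body) records; a trailing partial record is dropped."""
    records, i = [], 0
    while i + 5 <= len(data):
        length = struct.unpack("!H", data[i + 3:i + 5])[0]
        if i + 5 + length > len(data):
            break
        records.append((data[i], data[i + 5:i + 5 + length]))
        i += 5 + length
    return records


def handshake_types(body: bytes) -> list:
    """Message types of the (possibly coalesced) handshake messages in one record body."""
    types, i = [], 0
    while i + 4 <= len(body):
        types.append(body[i])
        i += 4 + int.from_bytes(body[i + 1:i + 4], "big")
    return types


def classify_ccs_reply(data: bytes) -> str:
    """Heuristic verdict from what the server sent after two early CCS records.

    Fixed OpenSSL answers the first early CCS with a fatal unexpected_message
    alert. A server that instead installed keys from the empty premaster
    secret cannot MAC-check or decrypt the second CCS and answers
    bad_record_mac or decryption_failed. Anything else is inconclusive
    (assumption: silence or other alerts do not decide the question).
    """
    for content_type, body in parse_records(data):
        if content_type != ALERT or len(body) < 2:
            continue
        if body[1] == UNEXPECTED_MESSAGE:
            return "not vulnerable: early CCS rejected with unexpected_message"
        if body[1] in (BAD_RECORD_MAC, DECRYPTION_FAILED):
            return "vulnerable: early CCS was accepted (alert %d on the next record)" % body[1]
        return "inconclusive: alert level=%d description=%d" % (body[0], body[1])
    return "inconclusive: no alert received (check the OpenSSL version directly)"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Live exchange: ClientHello, wait for ServerHelloDone, inject CCS twice, read the reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(client_hello_record())
            buf = b""
            while not any(SERVER_HELLO_DONE in handshake_types(b)
                          for t, b in parse_records(buf) if t == HANDSHAKE):
                chunk = sock.recv(4096)
                if not chunk:
                    return "inconclusive: server closed before ServerHelloDone"
                buf += chunk
            sock.sendall(early_ccs_record() + early_ccs_record())
            reply = b""
            try:
                while True:
                    chunk = sock.recv(4096)
                    if not chunk:
                        break
                    reply += chunk
            except socket.timeout:
                pass
    except socket.timeout:
        return "inconclusive: timed out during the handshake"
    return classify_ccs_reply(reply)


if __name__ == "__main__":
    print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
```

      Run it as `python ccs_probe.py host [port]` only against hosts you are
      authorised to test. Offline, `classify_ccs_reply(tls_record(ALERT,
      b"\x02\x0a"))` (a constructed fatal unexpected_message alert) returns
      the "not vulnerable" verdict, and a constructed `b"\x02\x14"` alert
      body returns the "vulnerable" one; an "inconclusive" result should
      send you to the product version tables rather than be read as safe.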

      MITIGATIONS

      Clients that communicate with a patched or non-vulnerable server
      are not vulnerable to CVE-2014-0224. Applying these patches to 
      affected servers will mitigate the affected clients (See Table 1
      below).

      Clients that communicate over untrusted networks such as public
      Wi-Fi with a server running a vulnerable version of OpenSSL 1.0.1
      can be mitigated by using a secure network such as a VPN (see
      Table 2 below).
      
      Clients and servers that are deployed on an isolated network are
      less exposed to CVE-2014-0224 (see Table 3 below). The affected
      products are typically deployed to communicate over the
      management network. 

      RECOMMENDATIONS

      VMware recommends customers evaluate and deploy patches for
      affected Servers in Table 1 below as these patches become
      available. Patching these servers will remove the ability to
      exploit the vulnerability described in CVE-2014-0224 on both
      clients and servers. 

      VMware recommends customers consider applying patches to products
      listed in Table 2 & 3 as required.

      Column 4 of the following tables lists the action required to
      remediate the vulnerability in each release, if a solution is
      available.

      Table 1
      =======
      Affected servers running a vulnerable version of OpenSSL 1.0.1. 

      VMware                          Product  Running  Replace with/
      Product                         Version  on       Apply Patch 
      ==============                  =======  =======  =============
      ESXi                            5.5      ESXi     ESXi550-201406401-SG

      Big Data Extensions             1.1               2.0.0 

      vCenter Chargeback Manager      2.6               2.6.0.1

      Horizon Workspace Server        1.5.x             horizon-nginx-rpm-1.5.0.0-1876270.x86_64.rpm
      Horizon Workspace Server        1.8.x             horizon-nginx-rpm-1.8.2.1820-1876338.x86_64.rpm

      Horizon Mirage Edge Gateway     4.4.x             4.4.3 

      Horizon View                    5.x               5.3.2 

      Horizon View Feature Pack       5.x               5.3 FP3 

      NSX for Multi-Hypervisor        4.1.2             4.1.3 
      NSX for Multi-Hypervisor        4.0.3             4.0.4 
      NSX for vSphere                 6.0.4             6.0.5
      NVP                             3.2.2             3.2.3 
      
      vCloud Networking and Security  5.5.2             5.5.2.1 
      vCloud Networking and Security  5.1.4             5.1.4.1 

      Pivotal Web Server              5.4               5.4.1
      vFabric Web Server              5.x               Pivotal Web 
                                                        Server 5.4.1 

      Table 2
      ========
      Affected clients running a vulnerable version of OpenSSL 0.9.8 
      or 1.0.1 and communicating over an untrusted network. 

      VMware                          Product  Running  Replace with/
      Product                         Version  on       Apply Patch 
      ==============                  =======  =======  =============
      vCSA                            5.5               5.5u1b
      vCSA                            5.1               5.1u2a 
      vCSA                            5.0               5.0u3a

      ESXi                            5.1      ESXi     ESXi510-201406401-SG
      ESXi                            5.0      ESXi     ESXi500-201407401-SG

      Workstation                     10.x     any      10.0.3 
      Workstation                     9.x      any      9.0.4 
      Fusion                          6.x      OSX      6.0.4
      Fusion                          5.x      OSX      5.0.5 
      Player                          6.x      any      6.0.3 
      Player                          5.x      any      5.0.4

      vCenter Chargeback Manager      2.5.x             2.6.0.1 

      Horizon Workspace Client        1.x      OSX      1.8.2
      Horizon Workspace Client        1.x      Windows  1.8.2 

      Horizon View Client             2.x      Android  3.0
      Horizon View Client             2.x      iOS      3.0
      Horizon View Client             2.x      OSX      3.0
      Horizon View Client             2.x      Windows  3.0
      Horizon View Client             2.x      WinStore 3.0

      OVF Tool                        3.5.1             3.5.2 
      OVF Tool                        3.0.1             3.5.2 

      vCenter Operations Manager      5.8.x             5.8.2
      vCenter Operations Manager      5.7.x             5.7.3

      vCenter Support Assistant       5.5.1             5.5.1.1 
          
      vCD                             5.5.1.x           5.5.1.2
      vCD                             5.1.x             5.1.3.1 

      vCenter Site Recovery Manager   5.5.x             5.5.1.1  
      vCenter Site Recovery Manager   5.1.x             5.1.2.1
      vCenter Site Recovery Manager   5.0.3.x           5.0.3.2

      vSphere Client                  5.5       Windows 5.5u1b
      vSphere Client                  5.1       Windows 5.1u2a
      vSphere Client                  5.0       Windows 5.0u3a

      Table 3
      =======
      The following table lists all affected clients running a
      vulnerable version of OpenSSL 0.9.8 or 1.0.1 and communicating 
      over a trusted or isolated network.

      VMware                          Product  Running  Replace with/
      Product                         Version  on       Apply Patch 
      ==============                  =======  =======  =============
      vCenter Server                  5.5      any      5.5u1b
      vCenter Server                  5.1      any      5.1u2a
      vCenter Server                  5.0      any      5.0u3a

      Update Manager                  5.5      Windows  5.5u1b

      vCenter Configuration
      Manager (VCM)                   5.6               5.7.2

 
      ITBM Standard                   1.0.1             patch pending 
      ITBM Standard                   1.0               patch pending 

      Studio                          2.6.0.0           patch pending 
    
      Usage Meter                     3.3               patch pending 
     
      vCenter Converter Standalone    5.5               5.5.2
      vCenter Converter Standalone    5.1               5.1.1 
  
      vCloud Application Director     6.0.x             patch pending 
      vFabric Application Director    5.2.0             patch pending 
      vFabric Application Director    5.0.0             patch pending 

      vCloud Automation Center        6.0.x             6.0.1.2

      VIX API                         1.12              patch pending 
      
      vMA (Management Assistant)      5.1.0.1           patch pending     
  
      vSphere PowerCLI                5.x               See VMware 
                                                        KB 2082132 
     
      vSphere Data Protection         5.5.6             patch pending
      vSphere Data Protection         5.1.11            patch pending

      vSphere Replication             5.5.1             5.5.1.1 
      vSphere Replication             5.6               patch pending
 
      vSphere SDK for Perl            5.5               patch pending
 
      VDDK                            5.5.x             5.5.2
      VDDK                            5.1.x             5.1.3
      VDDK                            5.0.x             5.0.4 

4. Solution

   Big Data Extensions 2.0.0
   ----------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-bde

   ESXi 5.5, 5.1 and 5.0
   ----------------------------
   Download:
   https://www.vmware.com/patchmgr/findPatch.portal

   Horizon Mirage Edge Gateway 4.4.3
   ---------------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-horizon-mirage

   vCD 5.5.1.2
   ----------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download/vcloud-director

   vCenter Server 5.5u1b, 5.1u2a, 5.0u3a
   ------------------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-vsphere

   vCSA 5.5u1b, 5.1u2a and 5.0u3a
   ----------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-vsphere

   Update Manager 5.5u1b
   ----------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-vsphere

   VDDK 5.x
   ----------------------------
   Downloads and Documentation:
   https://www.vmware.com/support/developer/vddk

   vCenter Configuration Manager (VCM) 5
   ----------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download_vcm

   vCenter Operations Manager 5.8 and 5.7.3
   ----------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-vsphere-ops-mgr

   OVF Tool 3.5.2 
   --------------
   Download: 
   https://www.vmware.com/support/developer/ovf/

   vCenter Converter Standalone 5.5.2
   -----------------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/download-converter

   Horizon View 5
   ----------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/downloadview

   Horizon View 5.3 Feature Pack 3
   -----------------------------------
   Downloads and Documentation:
   https://www.vmware.com/go/downloadview

   Horizon Workspace Server 1.5 and 1.8.x
   ----------------------------
   Release Notes and download: 
   http://kb.vmware.com/kb/2082181

   Workstation
   ---------------------- 
   https://www.vmware.com/go/downloadworkstation

   Fusion 
   ------------------ 
   https://www.vmware.com/go/downloadfusion

   VMware Player  
   ------------------ 
   https://www.vmware.com/go/downloadplayer 

   vCenter Server 5.1 Update 2a 
   ---------------------------------------------------- 
   Download link:
   https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/vmware_vsphere/5_1

   vCenter Server 5.0 Update 3a 
   ---------------------------------------------------- 
   Download link:
   https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/vmware_vsphere/5_0

   vCloud Networking and Security 5.5.2.1
   ------------------------------------
   Download:
   https://my.vmware.com/web/vmware/details?downloadGroup=VCNS552_GA&productId=353&rPId=5255

   vCloud Networking and Security 5.1.4.1
   ------------------------------------
   Download:
   https://my.vmware.com/web/vmware/details?downloadGroup=VCNS514_GA&productId=285&rPId=5131

   NSX for Multi-Hypervisor, NSX for vSphere and NVP
   -------------------------------------------------
   Remediation Instructions and Download, available under support:
   http://www.vmware.com/products/nsx

   vCD 5.5.1.2 and vCD 5.1.3.1
   ---------------------------
   Download link: 
   https://www.vmware.com/go/download-vcd-ns

   VMware vCenter Chargeback Manager 
   ---------------------------------
   Download link: 
   https://www.vmware.com/go/download-chargeback

   Converter Standalone 5.1.1
   ---------------------------
   Download link: 
   https://www.vmware.com/go/download-converter

   vCenter Support Assistant
   --------------------------
   Downloads:
   https://www.vmware.com/go/download-vsphere

   Pivotal Web Server 5.4.1
   ------------------------
   Download:
   https://my.vmware.com/web/vmware/details?downloadGroup=VF_530_PVTL_WSVR_541&productId=335&rPId=6214

   vCloud Automation Center
   --------------------------
   Downloads:
   https://www.vmware.com/go/download-vcac

   vCenter Site Recovery Manager 5.5.1.1 
   -------------------------------------
   Remediation Instructions and Download:
   http://kb.vmware.com/kb/2081861

   vCenter Site Recovery Manager 5.1.2.1 
   -------------------------------------
   Remediation Instructions and Download:
   http://kb.vmware.com/kb/2081860

   vCenter Site Recovery Manager 5.0.3.2 
   -------------------------------------
   Remediation Instructions and Download:
   http://kb.vmware.com/kb/2081859

   vSphere Replication 5.5.1.1
   ---------------------------
   Remediation Instructions and Download:
   http://kb.vmware.com/kb/2082666

5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0198
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5298
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3470
   
   https://www.openssl.org/news/secadv_20140605.txt
   http://www.gopivotal.com/security/cve-2014-0224

   VMware Knowledge Base Article 2082132
   http://kb.vmware.com/kb/2082132

- -----------------------------------------------------------------------

6. Change Log

   2014-06-10 VMSA-2014-0006
   Initial security advisory in conjunction with the release of
   ESXi 5.5 updates on 2014-06-10

   2014-06-12 VMSA-2014-0006.1
   Updated security advisory in conjunction with the release of
   Big Data Extensions 2.0.0, Horizon Mirage Edge Gateway 4.4.3, 
   vCD 5.5.1.2, vCenter Server 5.5u1b, vCSA 5.5u1b, and Update
   Manager 5.5u1b on 2014-06-12

   2014-06-17 VMSA-2014-0006.2
   Updated security advisory in conjunction with the release of
   ESXi 5.1 updates, VDDK 5.5.2, 5.1.3, and 5.0.4 on 2014-06-17

   2014-06-24 VMSA-2014-0006.3
   Updated security advisory in conjunction with the release of
   Horizon View 5.3.2, Horizon View 5.3 Feature Pack 3, 
   vCenter Configuration Manager 5.7.2, vCenter 
   Converter Standalone 5.5.2, vCenter Operations 
   Manager 5.8.2, OVF Tool 5.3.2 on 2014-06-24

   2014-07-01 VMSA-2014-0006.4
   Updated security advisory in conjunction with the release of
   ESX 5.0 patches, Workstation 10.0.3, Player 6.0.3, Fusion 6.0.4,
   Horizon Workspace Server 1.5.x and 1.8.x updates, vCD 
   5.1.3.1, vCenter Server 5.1 update 2a and 5.0 update 3a, 
   vCSA 5.1 update 2a and 5.0 update 3a, Converter Standalone 5.1.1,
   vCenter Chargeback Manager 2.6.0.1, 
   vCloud Networking and Security 5.5.2.1 and 5.1.4.1, 
   NSX for Multi-Hypervisor 4.1.3, 
   NSX for Multi-Hypervisor 4.0.4, NVP 3.2.3 and
   NSX 6.0.5 for vSphere on 2014-07-01

   2014-07-03 VMSA-2014-0006.5
   Updated security advisory in conjunction with the release of
   Workstation 9.0.4, Player 5.0.4, Fusion 5.0.5, vCenter Support 
   Assistant 5.5.1.1, on 2014-07-03

   2014-07-08 VMSA-2014-0006.6
   Updated security advisory in conjunction with the release of 
   vSphere PowerCLI 5.x on 2014-07-04 and Pivotal Web Server 5.4.1 
   on 2014-07-08

   2014-07-10 VMSA-2014-0006.7
   Updated security advisory in conjunction with the release of 
   vCloud Automation Center 6.0.1.2 and vCenter Operations Manager
   5.7.3 on 2014-07-10

   2014-07-18 VMSA-2014-0006.8
   Updated security advisory in conjunction with the release of 
   patches for vCenter Site Recovery Manager 5.5.1.1 and 
   vSphere Replication 5.5.1.1 on 2014-07-17


   2014-07-22 VMSA-2014-0006.9
   Updated security advisory in conjunction with the release of 
   patches for vCenter Site Recovery Manager 5.1.2.1 and 5.0.3.2 
   on 2014-07-22
- -----------------------------------------------------------------------
 
7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

    security-announce at lists.vmware.com
    bugtraq at securityfocus.com
    fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html
 
   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2014 VMware Inc.  All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.0 (Build 8741)
Charset: utf-8

wj8DBQFTzpZcDEcm8Vbi9kMRAga+AKCzEY/Ut+tN3qGTilKf5KslUPO6aQCfXuRp
/7HxhovpiO8xURBCf/uu8EI=
=YjIJ
-----END PGP SIGNATURE-----


   Workstation
   ---------------------- 
   https://www.vmware.com/go/downloadworkstation

   Fusion 
   ------------------ 
   https://www.vmware.com/go/downloadfusion

   VMware Player  
   ------------------ 
   https://www.vmware.com/go/downloadplayer 

   vCenter Server 5.1 Update 2a 
   ---------------------------------------------------- 
   Download link:
   https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/vmware_vsphere/5_1

   vCenter Server 5.0 Update 3a 
   ---------------------------------------------------- 
   Download link:
   https://my.vmware.com/web/vmware/info/slug/datacenter_cloud_infrastructure/vmware_vsphere/5_0

   vCloud Networking and Security 5.5.2.1
   ------------------------------------
   Download:
   https://my.vmware.com/web/vmware/details?downloadGroup=VCNS552_GA&productId=353&rPId=5255

   vCloud Networking and Security 5.1.4.1
   ------------------------------------
   Download:
   https://my.vmware.com/web/vmware/details?downloadGroup=VCNS514_GA&productId=285&rPId=5131

   NSX for Multi-Hypervisor, NSX for vSphere and NVP
   -------------------------------------------------
   Remediation Instructions and Download, available under support:
   http://www.vmware.com/products/nsx

   vCD 5.5.1.2 and vCD 5.1.3.1
   ---------------------------
   Download link: 
   https://www.vmware.com/go/download-vcd-ns

   VMware vCenter Chargeback Manager 
   ---------------------------------
   Download link: 
   https://www.vmware.com/go/download-chargeback

   Converter Standalone 5.1.1
   ---------------------------
   Download link: 
   https://www.vmware.com/go/download-converter

   vCenter Support Assistant
   --------------------------
   Downloads:
   https://www.vmware.com/go/download-vsphere

   Pivotal Web Server 5.4.1
   ------------------------
   https://my.vmware.com/web/vmware/details?downloadGroup=VF_530_PVTL_WSVR_541&productId=335&rPId=6214

   vCloud Automation Center
   --------------------------
   Downloads:
   https://www.vmware.com/go/download-vcac

   vCenter Site Recovery Manager 5.5.1.1 
   -------------------------------------
   Remediation Instructions and Download:
   http://kb.vmware.com/kb/2081861

   vCenter Site Recovery Manager 5.1.2.1 
   -------------------------------------
   Remediation Instructions and Download:
   http://kb.vmware.com/kb/2081860

   vCenter Site Recovery Manager 5.0.3.2 
   -------------------------------------
   Remediation Instructions and Download:
   http://kb.vmware.com/kb/2081859

   vSphere Replication 5.5.1.1
   ---------------------------
   Remediation Instructions and Download:
   http://kb.vmware.com/kb/2082666

5. References

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0198
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5298
   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3470
   
   https://www.openssl.org/news/secadv_20140605.txt
   http://www.gopivotal.com/security/cve-2014-0224

   VMware Knowledge Base Article 2082132
   http://kb.vmware.com/kb/2082132

- -----------------------------------------------------------------------

6. Change Log

   2014-06-10 VMSA-2014-0006
   Initial security advisory in conjunction with the release of
   ESXi 5.5 updates on 2014-06-10

   2014-06-12 VMSA-2014-0006.1
   Updated security advisory in conjunction with the release of
   Big Data Extensions 2.0.0, Horizon Mirage Edge Gateway 4.4.3, 
   vCD 5.5.1.2, vCenter Server 5.5u1b, vCSA 5.5u1b, and Update
   Manager 5.5u1b on 2014-06-12

   2014-06-17 VMSA-2014-0006.2
   Updated security advisory in conjunction with the release of
   ESXi 5.1 updates, VDDK 5.5.2, 5.1.3, and 5.0.4 on 2014-06-17

   2014-06-24 VMSA-2014-0006.3
   Updated security advisory in conjunction with the release of
   Horizon View 5.3.2, Horizon View 5.3 Feature Pack 3, 
   vCenter Configuration Manager 5.7.2, vCenter 
   Converter Standalone 5.5.2, vCenter Operations 
   Manager 5.8.2, OVF Tool 3.5.2 on 2014-06-24

   2014-07-01 VMSA-2014-0006.4
   Updated security advisory in conjunction with the release of
   ESX 5.0 patches, Workstation 10.0.3, Player 6.0.3, Fusion 6.0.4,
   Horizon Workspace Server 1.5.x and 1.8.x updates, vCD 
   5.1.3.1, vCenter Server 5.1 update 2a and 5.0 update 3a, 
   vCSA 5.1 update 2a and 5.0 update 3a, Converter Standalone 5.1.1,
   vCenter Chargeback Manager 2.6.0.1, 
   vCloud Networking and Security 5.5.2.1 and 5.1.4.1, 
   NSX for Multi-Hypervisor 4.1.3, 
   NSX for Multi-Hypervisor 4.0.4, NVP 3.2.3 and
   NSX 6.0.5 for vSphere on 2014-07-01

   2014-07-03 VMSA-2014-0006.5
   Updated security advisory in conjunction with the release of
   Workstation 9.0.4, Player 5.0.4, Fusion 5.0.5, vCenter Support 
   Assistant 5.5.1.1, on 2014-07-03

   2014-07-08 VMSA-2014-0006.6
   Updated security advisory in conjunction with the release of 
   vSphere PowerCLI 5.x on 2014-07-04 and Pivotal Web Server 5.4.1 
   on 2014-07-08

   2014-07-10 VMSA-2014-0006.7
   Updated security advisory in conjunction with the release of 
   vCloud Automation Center 6.0.1.2 and vCenter Operations Manager
   5.7.3 on 2014-07-10

   2014-07-18 VMSA-2014-0006.8
   Updated security advisory in conjunction with the release of 
   patches for vCenter Site Recovery Manager 5.5.1.1 and 
   vSphere Replication 5.5.1.1 on 2014-07-17

   2014-07-22 VMSA-2014-0006.9
   Updated security advisory in conjunction with the release of 
   patches for vCenter Site Recovery Manager 5.1.2.1 and 5.0.3.2 
   on 2014-07-22
- -----------------------------------------------------------------------
 
7. Contact

   E-mail list for product security notifications and announcements:
   http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce

   This Security Advisory is posted to the following lists:

    security-announce at lists.vmware.com
    bugtraq at securityfocus.com
    fulldisclosure at seclists.org

   E-mail: security at vmware.com
   PGP key at: http://kb.vmware.com/kb/1055

   VMware Security Advisories
   http://www.vmware.com/security/advisories

   VMware Security Response Policy
   https://www.vmware.com/support/policies/security_response.html

   VMware Lifecycle Support Phases
   https://www.vmware.com/support/policies/lifecycle.html
 
   Twitter
   https://twitter.com/VMwareSRC

   Copyright 2014 VMware Inc.  All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: Encryption Desktop 10.3.0 (Build 8741)
Charset: utf-8

wj8DBQFTzpZcDEcm8Vbi9kMRAga+AKCzEY/Ut+tN3qGTilKf5KslUPO6aQCfXuRp
/7HxhovpiO8xURBCf/uu8EI=
=YjIJ
-----END PGP SIGNATURE-----

[ANNOUNCEMENT] Apache HTTP Server 2.4.10 Released

           Apache HTTP Server 2.4.10 Released

The Apache Software Foundation and the Apache HTTP Server Project
are pleased to announce the release of version 2.4.10 of the Apache
HTTP Server ("Apache").  This version of Apache is our latest GA
release of the new generation 2.4.x branch of Apache HTTPD and
represents fifteen years of innovation by the project, and is
recommended over all previous releases. This release of Apache is
principally a security, feature and bug fix release.

CVE-2014-0117 (cve.mitre.org)
mod_proxy: Fix crash in Connection header handling which 
allowed a denial of service attack against a reverse proxy
with a threaded MPM.

CVE-2014-3523 (cve.mitre.org)
Fix a memory consumption denial of service in the WinNT MPM (used in all Windows
installations). Workaround: AcceptFilter <protocol> {none|connect}

CVE-2014-0226 (cve.mitre.org)
Fix a race condition in scoreboard handling, which could lead to
a heap buffer overflow.

CVE-2014-0118 (cve.mitre.org)
mod_deflate: The DEFLATE input filter (inflates request bodies) now
limits the length and compression ratio of inflated request bodies to avoid
denial of service via highly compressed bodies.  See directives
DeflateInflateLimitRequestBody, DeflateInflateRatioLimit,
and DeflateInflateRatioBurst.
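The three directives named above bound what the DEFLATE input filter will produce from a compressed request body: a hard cap on the inflated size, a per-chunk inflation ratio, and a burst allowance for a few chunks over that ratio. The Python below is an added example and not httpd's own code; it re-implements that bookkeeping so each limit can be exercised on a constructed body. The function names, the 8 KiB chunk size, the 1 MB size cap and the sample bodies are assumptions made for this example; the ratio and burst values (200 and 3) follow the documented httpd defaults.

```python
"""Decompression-bomb guard modelled on the mod_deflate inflate limits.

Added example, not httpd code.  It reproduces the bookkeeping behind
DeflateInflateLimitRequestBody, DeflateInflateRatioLimit and
DeflateInflateRatioBurst in Python so each limit can be exercised on a
constructed request body.  Function names, the chunk size, the 1 MB size
cap and the sample bodies are assumptions made for this example.
"""
import zlib


class InflateLimitExceeded(Exception):
    """The body tripped a limit; httpd would reject the request here."""


def inflate_bounded(compressed: bytes, *, limit_body: int = 1_000_000,
                    ratio_limit: int = 200, ratio_burst: int = 3,
                    chunk: int = 8192) -> bytes:
    """Inflate `compressed` while enforcing three mod_deflate-style limits.

    limit_body  -- cap on the total inflated size, in bytes
                   (DeflateInflateLimitRequestBody)
    ratio_limit -- largest inflated:compressed ratio tolerated for one input
                   chunk (DeflateInflateRatioLimit, httpd default 200)
    ratio_burst -- how many consecutive chunks may exceed ratio_limit before
                   the body is rejected (DeflateInflateRatioBurst, default 3)

    The ratio is checked per input chunk, as the filter checks it per
    bucket, so a short run of very compressible data passes while a
    sustained bomb does not; the size cap catches a bomb regardless.
    """
    inflater = zlib.decompressobj()
    out = bytearray()
    over_ratio = 0          # consecutive chunks above ratio_limit
    for offset in range(0, len(compressed), chunk):
        piece = compressed[offset:offset + chunk]
        produced = inflater.decompress(piece)
        out += produced
        if len(out) > limit_body:
            raise InflateLimitExceeded(
                f"inflated body exceeds {limit_body} bytes after only "
                f"{offset + len(piece)} compressed bytes")
        if len(produced) > ratio_limit * len(piece):
            over_ratio += 1
            if over_ratio > ratio_burst:
                raise InflateLimitExceeded(
                    f"ratio above {ratio_limit}:1 for more than "
                    f"{ratio_burst} consecutive chunks")
        else:
            over_ratio = 0
    out += inflater.flush()
    if not inflater.eof:
        raise ValueError("truncated deflate stream")
    if len(out) > limit_body:
        raise InflateLimitExceeded(f"inflated body exceeds {limit_body} bytes")
    return bytes(out)


def make_bomb(inflated_size: int) -> bytes:
    """Constructed attack body: a run of zeros, which zlib shrinks ~1000:1."""
    return zlib.compress(b"\0" * inflated_size)


# Constructed legitimate body: repetitive JSON that compresses well below
# the 200:1 ratio limit, and its compressed form as it would arrive on the wire.
LEGIT_BODY = b'{"user":"alice","items":[1,2,3],"note":"hello"}\n' * 50
LEGIT_REQUEST = zlib.compress(LEGIT_BODY)


def rejects(compressed: bytes, **limits) -> bool:
    """True if inflate_bounded refuses `compressed` under `limits`."""
    try:
        inflate_bounded(compressed, **limits)
    except InflateLimitExceeded:
        return True
    return False


if __name__ == "__main__":
    bomb = make_bomb(10_000_000)
    print("legit body accepted:", not rejects(LEGIT_REQUEST))
    print("bomb stopped by size cap:", rejects(bomb, limit_body=1_000_000))
    print("bomb stopped by ratio+burst alone:",
          rejects(bomb, limit_body=10**9, chunk=512))
```

The size cap alone would be enough to stop a bomb, but it has to be set low enough to matter; the ratio check is what lets an administrator leave a generous body limit in place for legitimate uploads while still refusing input that inflates by orders of magnitude chunk after chunk. In httpd the equivalent settings go next to the `SetInputFilter DEFLATE` directive that enables inflation of request bodies.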

CVE-2014-0231 (cve.mitre.org)
mod_cgid: Fix a denial of service against CGI scripts that do
not consume stdin that could lead to lingering HTTPD child processes
filling up the scoreboard and eventually hanging the server.  By
default, the client I/O timeout (Timeout directive) now applies to
communication with scripts.  The CGIDScriptTimeout directive can be
used to set a different timeout for communication with scripts.
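The mechanism behind CVE-2014-0231 is ordinary pipe back-pressure: the server process writes the request body to the script's stdin, and if the script never reads it the write blocks once the pipe buffer is full, leaving that server process stuck (and its scoreboard slot occupied) for as long as the script lives. The Python below is an added example, not httpd or mod_cgid code; the parent process stands in for the httpd child feeding a script, and the two one-line "scripts", the 4 MiB body and the timeout values are constructed for this example. It shows the hang with an unbounded write and the recovery that a timeout on script I/O provides.

```python
"""A CGI script that never reads its request body can pin the server
process feeding it; a timeout on script I/O is what frees that process.

Added example, not httpd or mod_cgid code.  The parent process stands in
for the httpd child that forwards the request body to the script; the two
one-line "scripts", the 4 MiB body and the timeout values are constructed
for this example.
"""
import subprocess
import sys
import time

# Constructed stand-ins for CGI scripts, run with the current interpreter.
SCRIPT_READS_BODY = "import sys; sys.stdin.buffer.read(); print('done')"
SCRIPT_IGNORES_BODY = "import time; time.sleep(60)"    # never touches stdin

# Larger than any pipe buffer (Linux defaults to 64 KiB), so whoever writes
# it must block until the script drains the pipe.
REQUEST_BODY = b"x" * (4 * 1024 * 1024)


def forward_body(script: str, body: bytes, timeout: float) -> dict:
    """Pipe `body` to `script` the way a CGI handler would, bounded by `timeout`.

    Without the bound, the ignoring script leaves this caller blocked on
    the write (in httpd: a child stuck in the scoreboard) until the script
    exits on its own.  With it, the caller gives up, kills the script and
    reaps it, which is the effect of the Timeout / CGIDScriptTimeout bound
    described in the announcement.
    """
    started = time.monotonic()
    proc = subprocess.Popen([sys.executable, "-c", script],
                            stdin=subprocess.PIPE, stdout=subprocess.PIPE)
    try:
        stdout, _ = proc.communicate(body, timeout=timeout)
        outcome = "completed"
    except subprocess.TimeoutExpired:
        proc.kill()
        stdout, _ = proc.communicate()   # collect output and reap the child
        outcome = "timed_out"
    return {
        "outcome": outcome,
        "elapsed_s": round(time.monotonic() - started, 1),
        "child_reaped": proc.returncode is not None,
        "stdout": stdout.strip(),
    }


if __name__ == "__main__":
    print(forward_body(SCRIPT_READS_BODY, REQUEST_BODY, timeout=30))
    print(forward_body(SCRIPT_IGNORES_BODY, REQUEST_BODY, timeout=2))
```

Run stand-alone, the first call returns promptly with `done` on the script's stdout, while the second returns only when the two-second bound fires, with the child killed and reaped rather than left lingering. Dropping the timeout argument reproduces the pre-2.4.10 behaviour: the caller sits in the blocked write until the script's own sleep ends.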

Also in this release are some exciting new features including:

*) Proxy FCGI and websockets improvements
*) Proxy capability via handler
*) Finer control over scoping of RewriteRules
*) Unix Domain Socket (UDS) support for mod_proxy backends.
*) Support for larger shared memory sizes for mod_socache_shmcb
*) mod_lua and mod_ssl enhancements
*) Support named groups and backreferences within the LocationMatch,
   DirectoryMatch, FilesMatch and ProxyMatch directives.

We consider this release to be the best version of Apache available, and
encourage users of all prior versions to upgrade.

Apache HTTP Server 2.4.10 is available for download from:

http://httpd.apache.org/download.cgi

Apache 2.4 offers numerous enhancements, improvements, and performance
boosts over the 2.2 codebase.  For an overview of new features
introduced since 2.4 please see:

http://httpd.apache.org/docs/trunk/new_features_2_4.html

Please see the CHANGES_2.4 file, linked from the download page, for a
full list of changes. A condensed list, CHANGES_2.4.10 includes only
those changes introduced since the prior 2.4 release.  A summary of all 
of the security vulnerabilities addressed in this and earlier releases 
is available:

http://httpd.apache.org/security/vulnerabilities_24.html

This release requires the Apache Portable Runtime (APR) version 1.5.x
and APR-Util version 1.5.x. The APR libraries must be upgraded for all
features of httpd to operate correctly.

This release builds on and extends the Apache 2.2 API.  Modules written
for Apache 2.2 will need to be recompiled in order to run with Apache
2.4, and require minimal or no source code changes.

http://svn.apache.org/repos/asf/httpd/httpd/trunk/VERSIONING

When upgrading or installing this version of Apache, please bear in mind
that if you intend to use Apache with one of the threaded MPMs (other
than the Prefork MPM), you must ensure that any modules you will be
using (and the libraries they depend on) are thread-safe.