3695 matches found
Signed third party UEFI bootloaders are vulnerable to Secure Boot bypass
Overview A security feature bypass vulnerability exists in signed 3rd party UEFI bootloaders that allows bypass of the UEFI Secure Boot feature. An attacker who successfully exploits this vulnerability can bypass the UEFI Secure Boot feature and execute unsigned code during the boot process...
Portable SDK for UPnP Devices (libupnp) contains multiple buffer overflows in SSDP
Overview The Portable SDK for UPnP Devices (libupnp) library contains multiple buffer overflow vulnerabilities. Devices that use libupnp may also accept UPnP queries over the WAN interface, therefore exposing the vulnerabilities to the internet. Description Universal Plug and Play (UPnP) is a set of...
Apache Tomcat UTF8 Directory Traversal Vulnerability
Overview Apache Tomcat contains a vulnerability that may allow directory traversal. Description Apache Tomcat is an implementation of the Java Servlet and JavaServer Pages (JSP) technologies. Apache Tomcat contains a vulnerability in the way malformed requests are handled. According to the Apache...
Embedded TCP/IP stacks have memory corruption vulnerabilities
Overview Multiple open-source embedded TCP/IP stacks, commonly used in Internet of Things (IoT) and embedded devices, have several vulnerabilities stemming from improper memory management. These vulnerabilities are also tracked as ICS-VU-633937 and JVNVU96491057 as well as the name AMNESIA:33...
Multiple vulnerabilities in Quest Kace System Management Appliance
Overview The Quest Kace System Management K1000 Appliance contains multiple vulnerabilities, including a blind SQL injection vulnerability and a stored cross site scripting vulnerability. It also suffers from misconfigurations in the cross-origin resource sharing (CORS) mechanism and improperly...
NTP Project Network Time Protocol daemon (ntpd) contains multiple vulnerabilities (Updated)
Overview The NTP Project ntpd version 4.2.7 and previous versions contain several vulnerabilities. ntp-keygen prior to version 4.2.7p230 also uses a non-cryptographic random number generator when generating symmetric keys. These vulnerabilities may affect ntpd acting as a server or client...
CGI web servers assign Proxy header values from client requests to internal HTTP_PROXY environment variables
Overview Web servers running in a CGI or CGI-like context may assign client request Proxy header values to internal HTTP_PROXY environment variables. This vulnerability can be leveraged to conduct man-in-the-middle (MITM) attacks on internal subrequests or to direct the server to initiate connection...
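The mapping described in that overview, as an added example (this is not code from the CERT/CC note or from any web server; the request, the host names and the proxy address 203.0.113.5 are constructed). It shows the RFC 3875 header-to-environment rule that turns "Proxy:" into HTTP_PROXY, a client that honours it, and the two independent fixes: the gateway dropping the header, and the client ignoring upper-case HTTP_PROXY whenever REQUEST_METHOD shows it is running under CGI.

```python
"""
Added example (not from the CERT/CC note or any web server's code): how a CGI
gateway turns a client-supplied "Proxy" request header into the HTTP_PROXY
environment variable, and the two checks that close the hole. The request,
the host names and the proxy address (203.0.113.5) are constructed.
"""
from typing import Callable, Dict, Iterable, List, Optional, Tuple

Header = Tuple[str, str]
Env = Dict[str, str]

# Constructed attacker request. "Proxy" is not a standard request header, so
# nothing in front of the CGI script strips it.
ATTACKER_REQUEST: List[Header] = [
    ("Host", "app.example"),
    ("User-Agent", "curl/8.0"),
    ("Proxy", "http://203.0.113.5:8080"),   # listener the attacker controls
]


def cgi_meta_variables(headers: Iterable[Header]) -> Env:
    """RFC 3875 section 4.1.18: each request header becomes HTTP_<NAME>, with the
    name upper-cased and '-' replaced by '_'. The spec does not exempt 'Proxy',
    so 'Proxy: x' becomes HTTP_PROXY=x, which most HTTP client libraries read as
    'send outbound http:// requests through this proxy'."""
    env: Env = {}
    for name, value in headers:
        env["HTTP_" + name.upper().replace("-", "_")] = value.strip()
    return env


def cgi_meta_variables_hardened(headers: Iterable[Header]) -> Env:
    """Gateway-side fix: drop the client's Proxy header before it is mapped
    (what `RequestHeader unset Proxy early` does in Apache httpd)."""
    return cgi_meta_variables(h for h in headers if h[0].lower() != "proxy")


def naive_client_proxy(env: Env, url: str) -> Optional[str]:
    """An HTTP client that honours HTTP_PROXY unconditionally. Under CGI, the
    script's internal subrequest is routed to whatever the attacker named."""
    if not url.startswith("http://"):
        return None
    return env.get("HTTP_PROXY") or env.get("http_proxy")


def cgi_aware_client_proxy(env: Env, url: str) -> Optional[str]:
    """Client-side fix, modelled on the rule CPython's urllib adopted after
    httpoxy (re-implemented here, not imported): REQUEST_METHOD is only set by
    a CGI gateway, and a gateway only ever produces upper-case HTTP_* names, so
    inside CGI trust only the lower-case http_proxy an administrator would set."""
    if not url.startswith("http://"):
        return None
    if "REQUEST_METHOD" in env:
        return env.get("http_proxy")
    return env.get("HTTP_PROXY") or env.get("http_proxy")


def outbound_proxy(headers: Iterable[Header],
                   client: Callable[[Env, str], Optional[str]],
                   hardened_gateway: bool = False) -> Optional[str]:
    """Where a CGI script's internal subrequest to http://internal.example/api
    would be sent, for a given gateway and client combination."""
    build = cgi_meta_variables_hardened if hardened_gateway else cgi_meta_variables
    env = build(headers)
    env["REQUEST_METHOD"] = "GET"     # every CGI gateway sets this
    return client(env, "http://internal.example/api")


if __name__ == "__main__":
    print("vulnerable gateway + naive client:", outbound_proxy(ATTACKER_REQUEST, naive_client_proxy))
    print("hardened gateway + naive client:  ", outbound_proxy(ATTACKER_REQUEST, naive_client_proxy, True))
    print("vulnerable gateway + aware client:", outbound_proxy(ATTACKER_REQUEST, cgi_aware_client_proxy))
```

Either fix alone is sufficient for the combination it covers, but only the gateway-side fix protects every client library behind it, which is why the header is normally stripped at the front door as well.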
ImageMagick does not properly validate input before processing images using a delegate
Overview ImageMagick does not properly validate user input before processing it using a delegate, which may lead to arbitrary code execution. This issue is also known as "ImageTragick". Description CWE-20: Improper Input Validation - CVE-2016-3714 According to the researchers in a mailing list pos...
OpenSSL TLS heartbeat extension read overflow discloses sensitive information
Overview OpenSSL 1.0.1 and 1.0.2 beta contain a vulnerability that could disclose sensitive private information to an attacker. This vulnerability is commonly referred to as "heartbleed." Description OpenSSL versions 1.0.1 through 1.0.1f and 1.0.2 beta through 1.0.2-beta1 contain a flaw in its...
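The read overflow named in that overview, as an added example (this is a model written for this page, not OpenSSL's code): the RFC 6520 heartbeat message is echoed back using the 16-bit length the peer supplied, and the vulnerable responder never compares that length with the size of the record it actually received. Process memory is a constructed bytearray so the over-read is visible offline; the "secrets" placed after the record are made up. The fixed responder carries the two checks that OpenSSL 1.0.1g added.

```python
"""
Added example (not OpenSSL's code): a model of the TLS heartbeat responder
from RFC 6520 with and without the length check OpenSSL 1.0.1g added. Process
memory is a constructed bytearray, so the over-read is visible offline; the
"secrets" placed after the record are made up.
"""
import struct
from typing import Optional

HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16              # RFC 6520: at least 16 bytes of padding


def heartbeat_request(claimed_length: int, payload: bytes) -> bytes:
    """HeartbeatMessage: type(1) | payload_length(2) | payload | padding.
    A legitimate peer sets claimed_length == len(payload); the attack does not."""
    return struct.pack("!BH", HB_REQUEST, claimed_length) + payload + b"\x00" * PADDING


def respond_vulnerable(memory: bytearray, rec_off: int, rec_len: int) -> Optional[bytes]:
    """OpenSSL 1.0.1 through 1.0.1f: trust the 16-bit length inside the message
    and copy that many bytes from the payload pointer, never comparing it with
    rec_len, the size of the record actually received."""
    hbtype = memory[rec_off]
    (claimed,) = struct.unpack("!H", memory[rec_off + 1:rec_off + 3])
    if hbtype != HB_REQUEST:
        return None
    payload_ptr = rec_off + 3
    echoed = bytes(memory[payload_ptr:payload_ptr + claimed])    # runs past the record
    return struct.pack("!BH", HB_RESPONSE, claimed) + echoed + b"\x00" * PADDING


def respond_fixed(memory: bytearray, rec_off: int, rec_len: int) -> Optional[bytes]:
    """1.0.1g: the record must hold at least header + padding, and header +
    claimed payload + padding must fit inside rec_len; otherwise the message is
    discarded silently, which is what the fix does."""
    if rec_len < 1 + 2 + PADDING:
        return None
    hbtype = memory[rec_off]
    (claimed,) = struct.unpack("!H", memory[rec_off + 1:rec_off + 3])
    if hbtype != HB_REQUEST:
        return None
    if 1 + 2 + claimed + PADDING > rec_len:
        return None
    payload_ptr = rec_off + 3
    echoed = bytes(memory[payload_ptr:payload_ptr + claimed])
    return struct.pack("!BH", HB_RESPONSE, claimed) + echoed + b"\x00" * PADDING


# Constructed heap: the 21-byte attack record (2-byte payload, length field 64)
# sits directly in front of data belonging to other connections.
SECRET = b"session=3f9a71c2; user=admin"
ATTACK_RECORD = heartbeat_request(claimed_length=64, payload=b"hi")
MEMORY = bytearray(ATTACK_RECORD + SECRET + b"-----BEGIN RSA PRIVATE KEY-----\n" + b"\x00" * 64)

LEGIT_RECORD = heartbeat_request(claimed_length=2, payload=b"hi")


def leaked_bytes() -> bytes:
    """The part of the vulnerable response that lies beyond what the client sent."""
    resp = respond_vulnerable(MEMORY, 0, len(ATTACK_RECORD))
    (claimed,) = struct.unpack("!H", resp[1:3])
    echoed = resp[3:3 + claimed]
    sent = len(ATTACK_RECORD) - 3           # payload + padding actually received
    return echoed[sent:]


if __name__ == "__main__":
    print("leaked:", leaked_bytes())
    print("fixed responder on attack record:", respond_fixed(MEMORY, 0, len(ATTACK_RECORD)))
```

The check is on the relationship between the claimed length and the record length, not on the claimed length alone: a 16-bit field caps each request at 64 KiB, which is why the real attack simply repeats the request.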
Veritas Backup Exec is vulnerable to privilege escalation due to OPENSSLDIR location
Overview Veritas Backup Exec contains a privilege escalation vulnerability due to the use of an OPENSSLDIR variable that specifies a location where an unprivileged Windows user can create files. Description CVE-2019-1552 Veritas Backup Exec includes an OpenSSL component that specifies an OPENSSLD...
Microsoft Windows Object Linking and Embedding (OLE) OleAut32 library SafeArrayRedim function vulnerable to remote code execution via Internet Explorer
Overview A vulnerability in Microsoft Windows OLE could allow remote code execution if a user views a specially-crafted web page in Internet Explorer. Description The Microsoft Windows OLE OleAut32.dll library provides the SafeArrayRedim function that allows resizing of SAFEARRAY objects in memor...
CollabNet ScrumWorks Basic Server transmits credential information in plaintext
Overview Communication between the CollabNet ScrumWorks Basic Server and CollabNet ScrumWorks Desktop Client transmits credential information in plaintext. Description The communication between the CollabNet ScrumWorks Basic Server and CollabNet ScrumWorks Desktop Client is transmitting credentia...
Ruby on Rails 3.0 and 2.3 JSON Parser vulnerability
Overview The Ruby on Rails 3.0 and 2.3 JSON parser contains a vulnerability that may result in arbitrary code execution. Description The Ruby on Rails advisory states: There is a vulnerability in the JSON code for Ruby on Rails which allows attackers to bypass authentication systems, inject arbitra...
Datalex airline booking software allowed authorization bypass for arbitrary users
Overview Datalex provides a suite of software offerings for the airline industry that supports customizable flight browsing, booking, payment, and analytics. The Datalex airline booking software contained an error in its error handling routines that allowed authorization bypass and loss of...
NTP can be abused to amplify denial-of-service attack traffic
Overview UDP protocols such as NTP can be abused to amplify denial-of-service attack traffic. Servers running the network time protocol (NTP) based on implementations of ntpd prior to version 4.2.7p26 that use the default unrestricted query configuration are susceptible to a reflected...
Microsoft Windows animated cursor stack buffer overflow
Overview Microsoft Windows contains a stack buffer overflow in the handling of animated cursor files. This vulnerability may allow a remote attacker to execute arbitrary code or cause a denial-of-service condition. Description Animated cursor files (.ani) contain animated graphics for icons and...
NTP.org ntpd contains multiple denial of service vulnerabilities
Overview NTP.org ntpd versions ntp-4.2.7p385 up to but not including ntp-4.2.8p9 and ntp-4.3.0 up to but not including ntp-4.3.94 contain multiple denial of service vulnerabilities. Description NTP.org's ntpd, versions ntp-4.2.7p385 up to but not including ntp-4.2.8p9 and ntp-4.3.0 up to but not...
ntpd autokey stack buffer overflow
Overview ntpd contains a stack buffer overflow, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system or create a denial of service. Description NTP (Network Time Protocol) is a method by which client machines can synchronize the local date and time wit...
Adobe Reader and Acrobat util.printf() JavaScript function stack buffer overflow
Overview Adobe Reader and Acrobat contain a stack buffer overflow in the util.printf JavaScript function, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Description Adobe Reader is software designed to view Portable Document Format (PDF) files...
Various WiMAX routers contain an authentication bypass vulnerability in custom libmtk httpd plugin
Overview WiMAX routers from several vendors making use of a custom httpd plugin for libmtk are vulnerable to an authentication bypass allowing a remote, unauthenticated attacker to change the administrator password on the device. Description CWE-306: Missing Authentication for Critical Function -...
Oracle Java JRE 1.7 Expression.execute() and SunToolkit.getField() fail to restrict access to privileged code
Overview Oracle Java Runtime Environment (JRE) 1.7 contains a vulnerability that may allow an applet to call setSecurityManager in a way that allows setting of arbitrary permissions. Description The Oracle Java Runtime Environment (JRE) 1.7 allows users to run Java applications in a browser or as...
EMC Legato NetWorker portmapper allows remote calls to "pmap_set" and "pmap_unset"
Overview The EMC Legato NetWorker PortMapper allows remote access to pmap_set and pmap_unset. This could allow a remote attacker to cause a denial of service or potentially to eavesdrop on communications between NetWorker programs. Description EMC Legato NetWorker is a cross-platform backup and...
Multiple vulnerabilities in SNMPv1 trap handling
Overview Multiple vendor SNMPv1 Trap handling implementations contain vulnerabilities that may allow unauthorized privileged access, denial-of-service conditions, or unstable behavior. If your site uses SNMP in any capacity, the CERT/CC encourages you to read the information provided below...
Microsoft Windows SMB Tree Connect Response denial of service vulnerability
Overview Microsoft Windows contains a memory corruption bug in the handling of SMB traffic, which may allow a remote, unauthenticated attacker to cause a denial of service on a vulnerable system. Description Microsoft Windows fails to properly handle traffic from a malicious server. In particular...
Apache HTTPD 1.3/2.x Range header DoS vulnerability
Overview Apache HTTPD server contains a denial-of-service vulnerability in the way multiple overlapping ranges are handled. Both the 'Range' header and the 'Range-Request' header are vulnerable. An attack tool, commonly known as 'Apache Killer', has been released in the wild. The attack tool caus...
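The overlapping-range condition named in that overview, as an added example (this is not Apache httpd code; the attack header and the thresholds are this example's own, chosen to illustrate the checks rather than to reproduce any release's defaults): a Range header of the kind the attack tool sends, a parser that resolves the specs, and a handler that caps the number of specs on the raw string before doing any per-range work and merges whatever overlaps survive.

```python
"""
Added example (not Apache code): what an 'Apache Killer' style Range header
looks like and the cheap checks a range handler applies before allocating
anything per range. Thresholds are illustrative; the header is constructed.
"""
import re
from typing import List, Optional, Tuple

Range = Tuple[int, int]

# Constructed attack header: one request carrying ~1300 overlapping byte
# ranges. In the vulnerable server each range costs a separate copy of
# (part of) the response, so memory use scales with the count, not the file.
ATTACK_HEADER = "bytes=0-," + ",".join(f"5-{i}" for i in range(1, 1300))

RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")


def count_range_specs(header: str) -> int:
    """Number of comma-separated range specs, computed on the raw string so
    the cap is enforced before any per-range parsing or allocation."""
    return header.count(",") + 1


def parse_byte_ranges(header: str, size: int) -> Optional[List[Range]]:
    """Resolve 'bytes=a-b,a-,-n' into absolute, satisfiable (first, last)
    pairs. Returns None for a syntactically bad header, which the caller
    treats as 'no Range header'."""
    if not header.startswith("bytes="):
        return None
    ranges: List[Range] = []
    for spec in header[len("bytes="):].split(","):
        m = RANGE_SPEC.match(spec.strip())
        if not m or m.group(1) == m.group(2) == "":
            return None
        first_s, last_s = m.groups()
        if first_s == "":                        # suffix range: the last n bytes
            first, last = max(0, size - int(last_s)), size - 1
        else:
            first = int(first_s)
            last = size - 1 if last_s == "" else min(int(last_s), size - 1)
        if first <= last and first < size:       # drop unsatisfiable specs such as 5-1
            ranges.append((first, last))
    return ranges


def coalesce(ranges: List[Range]) -> List[Range]:
    """Merge overlapping and adjacent ranges, so the bytes sent are bounded by
    the resource size whatever the client asked for."""
    merged: List[Range] = []
    for first, last in sorted(ranges):
        if merged and first <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], last))
        else:
            merged.append((first, last))
    return merged


def plan_response(header: Optional[str], size: int, max_ranges: int = 200):
    """Return ('200', None) to ignore the Range header and send the whole
    resource, or ('206', ranges) for a bounded multipart response. A real
    handler also answers 416 when nothing is satisfiable; that is left out."""
    if header is None or count_range_specs(header) > max_ranges:
        return "200", None
    ranges = parse_byte_ranges(header, size)
    if not ranges:
        return "200", None
    return "206", coalesce(ranges)


if __name__ == "__main__":
    print(count_range_specs(ATTACK_HEADER), "specs ->", plan_response(ATTACK_HEADER, 10_000))
    print("legit ->", plan_response("bytes=0-99,200-299", 10_000))
```

Counting on the raw string matters: the resource cost the attack exploits is incurred per range spec, so a limit applied only after every spec has been parsed and buffered arrives too late.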
Oracle Weblogic Apache connector vulnerable to buffer overflow
Overview Oracle Weblogic (formerly BEA Weblogic) contains a vulnerability which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Description Oracle Weblogic Server and Weblogic Express application servers can be integrated with the Apache webserver usin...
Digital Alert Systems DASDEC and Monroe Electronics R189 One-Net firmware exposes private root SSH key
Overview Digital Alert Systems DASDEC and Monroe Electronics One-Net E189 Emergency Alert System (EAS) devices exposed a shared private root SSH key in publicly available firmware images. An attacker with SSH access to a device could use the key to log in with root privileges. Description The Digit...
ISC BIND named negative caching vulnerability
Overview ISC BIND contains a vulnerability in the processing of large RRSIG RRsets included in a negative cache response. Description According to ISC: DNS systems use negative caching to improve DNS response time. This will keep a DNS resolver from repeatedly looking up domains that do not exist...
Exim fails to properly handle trailing backslashes in string_interpret_escape()
Overview Exim versions up to and including 4.92.1 do not properly handle trailing backslash characters in the string_interpret_escape function. This function is used to handle peer distinguished names (DN) and Server Name Indication (SNI) during a TLS negotiation. This vulnerability could allow a local ...
D-Link DIR-850L web admin interface contains a stack-based buffer overflow vulnerability
Overview D-Link DIR-850L, firmware versions 1.14B07, 2.07.B05, and possibly others, contains a stack-based buffer overflow vulnerability in the web administration interface HNAP service. Other models may also be affected. Description CWE-121: Stack-based Buffer Overflow - CVE-2017-3193 D-Link...
Brocade Vyatta 5400 vRouter contains multiple vulnerabilities
Overview Brocade Vyatta 5400 vRouter versions 6.4Rx, 6.6Rx, and 6.7R1 contain multiple vulnerabilities. Description Brocade Vyatta 5400 vRouter versions 6.4Rx, 6.6Rx, and 6.7R1 contain the following vulnerabilities: CWE-78: Improper Neutralization of Special Elements used in an OS Command 'OS...
ISC BIND 9 named denial of service vulnerability
Overview ISC BIND 9 contains a remote packet denial of service vulnerability when running as an authoritative or recursive server. Description According to ISC: A defect in the affected BIND 9 versions allows an attacker to remotely cause the "named" process to exit using a specially crafted packe...
Postfix SMTP server Cyrus SASL support contains a memory corruption vulnerability
Overview The Postfix SMTP server has a memory corruption error when the Cyrus SASL library is used with authentication mechanisms other than PLAIN and LOGIN. Description The Postfix Advisory for CVE-2011-1720 states: "The Postfix SMTP server fails to create a new Cyrus SASL server handle after...
Sudo set_cmd() is vulnerable to heap-based buffer overflow
Overview A heap-based overflow has been discovered in the set_cmd function in sudo, which may allow a local attacker to execute commands with elevated administrator privileges. Description From the Sudo Main Page: Sudo (su "do") allows a system administrator to delegate authority to give certain use...
POODLE vulnerability in SSL 3.0
Overview Many modern TLS clients can fall back to version 3.0 of the SSL protocol, which is vulnerable to a padding-oracle attack when cipher-block chaining (CBC) mode is used. This is commonly referred to as the POODLE (Padding Oracle On Downgraded Legacy Encryption) attack. Description CWE-327: U...
Huawei networking equipment weak password cipher
Overview Huawei networking equipment uses the DES algorithm to encrypt passwords. DES is publicly known to be easily cracked. Description Huawei Security Advisory Huawei-SA-20120827-01-CX600 states: In multiple Huawei products, DES encryption algorithm is used for password and the...
Network traffic encrypted using RSA-based SSL certificates over SSLv2 may be decrypted by the DROWN attack
Overview Network traffic encrypted using an RSA-based SSL certificate may be decrypted if enough SSLv2 handshake data can be collected. This is known as the "DROWN" attack in the media. Description According to the researcher, "DROWN" is a new form of cross-protocol Bleichenbacher padding oracle...
McAfee ePolicy Orchestrator fails to properly validate SSL/TLS certificates
Overview McAfee ePolicy Orchestrator versions 4.6.8 and earlier and 5.1.1 and earlier fail to properly validate SSL/TLS certificates. Description CWE-295: Improper Certificate Validation - CVE-2015-2859 McAfee ePolicy Orchestrator (ePO) supports integration with external registered servers for a...
Microsoft DNS Client buffer overflow
Overview The Microsoft DNS Client service contains a remote code execution vulnerability that could allow a remote attacker to take complete control of the affected system. Description From Microsoft TechNet: The Domain Name System (DNS) client service resolves and caches DNS names. The DNS client...
Microsoft Server service RPC stack buffer overflow vulnerability
Overview A stack buffer overflow vulnerability in the Microsoft Windows Server service may allow a remote, unauthenticated attacker to execute arbitrary code with SYSTEM privileges. Description MS08-067 includes the following information about the Microsoft Server service: The Server service...
Microsoft Windows Network Connection Manager (NCM) handler routine may execute code with LocalSystem privileges
Overview A locally exploitable vulnerability exists in the Microsoft Windows 2000 Network Connection Manager (NCM). Exploitation of this vulnerability may permit a local user to gain full privileges on the system. Description Microsoft Windows 2000 Network Connection Manager (NCM) provides routines t...
HTTP/2 implementations do not robustly handle abnormal traffic and resource exhaustion
Overview Multiple HTTP/2 implementations are vulnerable to a variety of denial-of-service (DoS) attacks. Description The Security Considerations section of RFC7540 discusses some of the considerations needed for HTTP/2 connections as they demand more resources to operate than HTTP/1.1 connections...
The Border Gateway Protocol relies on persistent TCP sessions without specifying authentication requirements
Overview A vulnerability exists in the reliance of the Border Gateway Protocol (BGP) on the Transmission Control Protocol (TCP) to maintain persistent sessions. Sustained exploitation of this vulnerability could lead to a denial-of-service condition affecting a large segment of the Internet community...
Accellion Kiteworks contains multiple vulnerabilities
Overview The Accellion Kiteworks appliance prior to version kw2016.03.00 contains multiple vulnerabilities. Description CWE-276: Incorrect Default Permissions - CVE-2016-5662 The /opt/bin/cli script has setuid permissions by default, allowing authenticated Kiteworks users to escalate privilege...
Adobe Flash ActionScript AVM2 newfunction vulnerability
Overview Adobe Flash contains a vulnerability in the handling of the ActionScript newfunction instruction, which can allow a remote, unauthenticated attacker to execute arbitrary code. Description Adobe Flash 9 and later versions support ActionScript 3, which is executed by the ActionScript Virtu...
InsydeH2O UEFI software impacted by multiple vulnerabilities in SMM
Overview The InsydeH2O (Hardware-2-Operating System, H2O) UEFI firmware contains multiple vulnerabilities related to memory management in System Management Mode (SMM). Description UEFI software provides an extensible interface between an operating system and platform firmware. UEFI software uses a...
Linux kernel RDS protocol vulnerability
Overview The RDS protocol implementation of Linux kernels 2.6.30 through 2.6.38-rc8 contains a local privilege escalation vulnerability. Description Kernel functions fail to properly check if a user supplied address exists in the user segment of memory. By providing a kernel address to a socket ca...
Rockwell Automation Allen-Bradley MicroLogix PLC authentication and authorization vulnerabilities
Overview Rockwell Automation Allen-Bradley MicroLogix programmable logic controllers (PLCs) do not adequately authenticate or authorize remote connections or commands. An attacker with network access can obtain the management password or issue commands that bypass the authentication mechanism...
Universal Plug and Play (UPnP) SUBSCRIBE can be abused to send traffic to arbitrary destinations
Overview The Universal Plug and Play (UPnP) protocol in effect prior to April 17, 2020 can be abused to send traffic to arbitrary destinations using the SUBSCRIBE functionality. Description The UPnP protocol, as specified by the Open Connectivity Foundation (OCF), is designed to provide automatic...
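The SUBSCRIBE abuse named in that overview rests on the device accepting any CALLBACK URL and later delivering NOTIFY messages to it. The handler below is an added example (not from the CERT/CC note or from any UPnP stack) of the check a device can apply: parse the CALLBACK header's angle-bracketed URLs and refuse any whose host is not an IP literal on the subnet of the interface that received the request. The subnet-only policy, the request text, and the addresses are this example's own choices; the 412 status is the one the UPnP Device Architecture assigns to a missing or invalid CALLBACK header.

```python
"""
Added example (not from the CERT/CC note or any UPnP stack): a SUBSCRIBE
handler that refuses CALLBACK URLs pointing off the subnet of the interface
the request arrived on, so the device cannot be used to push NOTIFY traffic
at arbitrary hosts. The subnet-only policy, the request text and the
addresses are this example's own choices.
"""
import ipaddress
import re
from typing import Dict, List, Union
from urllib.parse import urlsplit

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

CALLBACK_URL = re.compile(r"<([^>]*)>")

# Constructed: the subnet of the LAN interface that received the request.
LOCAL_NET: Network = ipaddress.ip_network("192.168.1.0/24")


def subscribe_request(callback_header: str) -> str:
    """A new-subscription SUBSCRIBE (renewals, which carry SID instead of
    NT/CALLBACK, are not modelled). Event URL and host are constructed."""
    return ("SUBSCRIBE /upnp/event/wanipconn HTTP/1.1\r\n"
            "HOST: 192.168.1.1:49152\r\n"
            "NT: upnp:event\r\n"
            f"CALLBACK: {callback_header}\r\n"
            "TIMEOUT: Second-1800\r\n\r\n")


def parse_headers(request: str) -> Dict[str, str]:
    """Header names are case-insensitive; normalise them to upper case."""
    headers: Dict[str, str] = {}
    for line in request.split("\r\n")[1:]:
        if not line:                      # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().upper()] = value.strip()
    return headers


def callback_urls(headers: Dict[str, str]) -> List[str]:
    """CALLBACK holds one or more delivery URLs, each in angle brackets."""
    return CALLBACK_URL.findall(headers.get("CALLBACK", ""))


def callback_allowed(url: str, local_net: Network) -> bool:
    """Accept only http:// URLs whose host is an IP literal inside local_net.
    Host names are refused outright: resolving them would hand the decision
    to whoever answers the DNS query."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        return False
    try:
        host = ipaddress.ip_address(parts.hostname)
    except ValueError:
        return False
    return host in local_net


def handle_subscribe(request: str, local_net: Network) -> int:
    """HTTP status to answer with: 200 when every callback passes, otherwise
    412 Precondition Failed. One bad URL rejects the whole subscription, since
    NOTIFY would otherwise still be sent to the good ones and the bad one."""
    headers = parse_headers(request)
    urls = callback_urls(headers)
    if headers.get("NT") != "upnp:event" or not urls:
        return 412
    if not all(callback_allowed(u, local_net) for u in urls):
        return 412
    return 200


if __name__ == "__main__":
    for cb in ("<http://192.168.1.50:8080/events>", "<http://203.0.113.9:80/>", "<http://evil.example/>"):
        print(cb, "->", handle_subscribe(subscribe_request(cb), LOCAL_NET))
```

Limiting callbacks to the receiving interface's subnet is the narrowest rule that still lets ordinary control points on the LAN subscribe; a device that must also serve routed networks would widen local_net to the set of prefixes it is meant to reach, never to "anything".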
S2 NetBox allows unauthenticated HTTP access to node logs, backups, and employee photographs
Overview S2 NetBox and related products do not adequately restrict access to node logs, backups, and employee photographs. A remote, unauthenticated attacker could use information obtained from a vulnerable system to aid in further attacks. Description S2 NetBox is a line of "...open architecture...