{"enchantments": {"score": {"value": 7.5, "vector": "NONE"}, "vulnersScore": 7.5}, "reporter": "Dennis Fisher", "id": "CRITICAL-REMOTELY-EXPLOITABLE-BUGS-FOUND-IN-SCHNEIDER-ELECTRIC-PROCLIMA-SOFTWARE/109961", "modified": "2014-12-18T15:58:29", "published": "2014-12-18T10:58:00", "threatPostCategory": "Critical Infrastructure", "history": [], "bulletinFamily": "info", "viewCount": 2, "cvelist": [], "type": "threatpost", "hash": "0b85c735b29d0f294969a0d56c5ec28ddc056c4eb53cda8292ca19f2b56cdcbf", "references": ["https://ics-cert.us-cert.gov/advisories/ICSA-14-350-01"], "description": "There are a number of critical, remotely exploitable command injection vulnerabilities in Schneider Electric\u2019s ProClima software, which is used in manufacturing and energy facilities.\n\nThe ProClima application is a utility that customers use to design control panel enclosures in industrial facilities to help manage the heat from enclosed electrical devices. The bugs affect ProClima versions 6.0.1 and earlier, according to an advisory released by ICS-CERT. The flaws exists in two separate components of the ProClia software, MDraw30.ocx and Atx45.ocx.\n\n\u201cMDraw30.ocx control can be initialized and called by malicious scripts potentially causing buffer overflows, which may allow an attacker to execute code remotely,\u201d the [advisory](<https://ics-cert.us-cert.gov/advisories/ICSA-14-350-01>) says.\n\nThe same scenario is true for the vulnerabilities in Atx45.ocx. All of the vulnerabilities can be exploited remotely, and ICS-CERT said that an attacker with relatively low skills would be able to exploit the bugs. There aren\u2019t any known exploits for the vulnerabilities at this point, however.\n\nThe vendor has pushed out a new version of the ProClima package that contains fixes for the vulnerabilities.\n\n\u201cSchneider Electric has released an updated version of the ProClima software, Version 6.1.7, which mitigates these vulnerabilities. Customers are encouraged to download the new version and update their installations. It is important that customers first uninstall the current version,\u201d the ICS-CERT advisory says.\n\nThe vulnerabilities were reported to Schneider Electric by Ariele Caltabiano, Andrea Micalizzi, and Brian Gorenc through the Zero Day Initiative.", "title": "Critical Remotely Exploitable Bugs Found in Schneider Electric ProClima Software", "href": "https://threatpost.com/critical-remotely-exploitable-bugs-found-in-schneider-electric-proclima-software/109961/", "lastseen": "2016-09-04T20:45:10", "edition": 1, "objectVersion": "1.2", "cvss": {"score": 0.0, "vector": "NONE"}}

{"hackread": [{"lastseen": "2018-09-22T00:00:37", "_object_types": ["robots.models.base.Bulletin", "robots.models.rss.RssBulletin"], "references": [], "description": "By [Waqas](<https://www.hackread.com/author/hackread/>)\n\nZaif is the 35th largest cryptocurrency exchange by turnover. Hackers have stolen a whopping $60 million (6.7 billion yen) worth of cryptocurrency from Zaif, the 35th largest cryptocurrency exchange dealing in Bitcoin, Bitcoin Cash, and Monacoin. The exchange is owned by Tech Bureau, Corp. based in Nishi-Ku, Osaka, Japan. The hack attack took place on September 14th after hackers gained [\u2026]\n\nThis is a post from HackRead.com Read the original post: [Hackers steal $60 million from Japan's Zaif cryptocurrency exchange](<https://www.hackread.com/hackers-steal-from-japan-zaif-cryptocurrency-exchange/>)", "reporter": "Waqas", "published": "2018-09-21T22:58:40", "type": "hackread", "title": "Hackers steal $60 million from\u00a0Japan\u2019s Zaif cryptocurrency\u00a0exchange", "enchantments": {}, "bulletinFamily": "blog", "cvelist": [], "_object_type": "robots.models.rss.RssBulletin", "modified": "2018-09-21T22:58:40", "id": "HACKREAD:A5AB726D9265EC18FC7D3DE48E7C4B5E", "href": "https://www.hackread.com/hackers-steal-from-japan-zaif-cryptocurrency-exchange/", "cvss": {"score": 0.0, "vector": "NONE"}}], "malwarebytes": [{"lastseen": "2018-09-22T00:00:42", "_object_types": ["robots.models.rss.RssBulletin", "robots.models.base.Bulletin"], "references": [], "description": "The threat landscape is changing once again, now that the ocean of cryptocurrency miners has shrunk to a small lake. Over the last couple months, we've seen cybercriminals lean back on tried and true methods of financial theft and extortion, with the rise of a familiar Banking Trojan: [Emotet](<https://blog.malwarebytes.com/detections/trojan-emotet/>).\n\nHowever, over the last few days, we've noticed a large increase in malicious spam spreading Emotet, as well as a higher number of detections from our customers. Looks like we're in the middle of an active Emotet campaign.\n\n### What is Emotet?\n\nFor those who are unfamiliar, Emotet is a nasty piece of malware that has had numerous purposes over the years, including stealing data and eavesdropping on network traffic. For its latest trick, Emotet is spreading other [banking Trojans](<https://blog.malwarebytes.com/glossary/banking-trojan/>), or malware that steals your financial information, bank logins, and in some cases, Bitcoin wallets.\n\nEmotet has the ability to propagate through a network by using the popular EternalBlue vulnerability, first seen in use in the famous [WannaCry ransomware outbreak](<https://blog.malwarebytes.com/cybercrime/2017/05/wanacrypt0r-ransomware-hits-it-big-just-before-the-weekend/>). This functionality makes the malware even more dangerous to businesses, which have numerous endpoints linked together.\n\nOnce a system is infected, Emotet can then spread itself outside the network via built-in spam module. Imagine an Emotet-infected endpoint as a flower. Emotet's spam module, then, would be the bees that spread pollen from flower to flower. The spam module sends new infections to other systems, which (if the users fall victim) creates even more new infections, which then blast spam to even more systems. And the process continues again.\n\nNow, accelerate our metaphorical pollination process by at least 1000x, and you can begin to see how Emotet is quickly making a lot of\u2026um, flowers\u2026for businesses.\n\n### Spam campaign\n\nRecently, the security community noticed an increase in malicious spam either spreading Emotet or coming from systems infected with Emotet. In addition to Emotet, this malspam campaign is also pushing [Trickbot](<https://blog.malwarebytes.com/detections/trojan-trickbot/>), a popular information-stealing malware that [we spoke about last year](<https://blog.malwarebytes.com/threat-analysis/2017/08/trickbot-comes-with-new-tricks-attacking-outlook-and-browsing-data/>) when unused code was discovered using the same exploit as WannaCry.\n\n> We're seeing a large [#Emotet](<https://twitter.com/hashtag/Emotet?src=hash&ref_src=twsrc%5Etfw>) spam campaign with maldocs, originally spewing malicious Word documents, but now sending out PDFs. At its peak, we blocked over 300k spam emails in 3 hrs. Detection name: TrojanDownloader:PDF/Domepidief.A <https://t.co/pWja45EInR> [pic.twitter.com/8uAdQ6d7v3](<https://t.co/8uAdQ6d7v3>)\n> \n> -- Windows Defender Security Intelligence (@WDSecurity) [September 18, 2018](<https://twitter.com/WDSecurity/status/1042198523867885568?ref_src=twsrc%5Etfw>)\n\nThis spam campaign is pushing malicious documents to users: first Microsoft Word documents with malicious macro scripts and then PDFs with built-in malicious scripts. This method of attack (malspam), using these specific file types (malicious documents), has become the de-facto default method of spreading malware today.\n\nMalicious spam emails that are spreading Emotet and Trickbot right now have similar subject lines. Below is a list of common subject lines for this campaign:\n \n \n Sales Invoice Account\n September Invoice **** from ****\n Statement 20/09/2018 for customer ****\n Your Invoice: **** - Our Ref: ****\n Account Alert - Your recent Wellsfargo payment notice\n Activity Alert: Money transfer details\n Activity Alert: Your recent payment notification\n Payment details\n Your recent payment notice\n August Invoice ****\n Invoice **** from ****\n Invoice for August\n Invoice **** - ****\n Invoice No - ****\n Invoice number ****\n Invoice **** from **** for Order : ****\n Invoices from ****\n INV-****\n **** Complete invoice ****\n **** report: Complete invoice Q7370 - 21 September 2018\n OVERDUE INVOICE\n Re: Your recent invoice request for your account\n Sales invoice from ****\n **** Invoice Ready To View\n September Invoice INV-B58986 from ****\n SERVICE INVOICE\n **** Invoice/Credit\n **** Statements/Invoices Ready To View\n Your **** Invoice for billing period 08/2018\n\n### Increase in stats\n\nIn addition to the increase of malspam spreading Emotet, we've also observed an increase in Emotet detections from our users. The chart below shows a five month period, from mid-April to mid-September 2018, broken down by the day. You can see a steady increase of Emotet through the end of the summer into September, with the largest spike in Emotet detections happening only a few days ago. While this is not a sign that it will rain Emotet, when you combine that spike with the known ability of Emotet to spread itself quickly and efficiently, we could be in for some nasty infections over the weekend.\n\n\n\nDespite its ups and downs\u2014Emotet has not seen a continuous rise over the past year, though there was a similar massive Emotet and Trickbot campaign earlier in 2018\u2014Emotet has been a bit of a thorn in the side of the security community for most of the year. That's because when it _is_ active, it has potential to do a lot of damage.\n\nHow much damage? Emotet is dangerous not only because of its capabilities to spread like wildfire and steal sensitive financial data, but also because it can download and install additional malware, which leaves the door open for anything coming through, from spyware to ransomware. Potential fallout could include:\n\n * Theft of Personally Identifiable Information (PII), which [could lead to identity theft ](<https://blog.malwarebytes.com/101/2017/09/equifax-aftermath-how-to-protect-against-identity-theft/>)\n * Stolen financial information, which can later lead to extortion\n * Stolen proprietary information, which can be held for [ransom](<https://blog.malwarebytes.com/101/2016/04/how-to-protect-your-business-from-ransomware/>)\n * Credential theft, which means other accounts and passwords are vulnerable\n * Theft of locally-stored cryptocurrency wallet\n * Protracted remediation times for network admins\n * Loss of productivity for workers whose endpoints must be taken off the network\n\n### Stay protected\n\nStaying safe from the current Emotet campaign is not particularly difficult, since it is spread through malicious spam. However, users who don't have a keen eye or little training in common phishing techniques might fall victim. One of the easiest ways to stay protected against Emotet is simply to keep a keen eye out for shady emails, especially if they have one of the subject lines mentioned above, include an Office document or PDF attachment, and come from unrecognizable email addresses. However, when it comes to [social engineering](<https://blog.malwarebytes.com/cybercrime/2018/08/social-engineering-attacks-what-makes-you-susceptible/>), there is no guarantee someone won't be fooled.\n\nThankfully, even if they open the email and download the document, Malwarebytes users (both those who purchased [Malwarebytes Premium](<http://www.malwarebytes.com/premium>) and [business customers](<http://www.malwarebytes.com/business>)) will be safe from the malicious code within the document, as our anti-exploit technology identifies the malicious script and puts a stop to it.\n\n\n\nAlso, users that have real-time protection enabled will have the malware itself blocked if it somehow manages to get through the anti-exploit defenses.\n\n\n\nAnother way to stay safe: Make sure systems are [patched for the EternalBlue vulnerability](<https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010>), which is still exploitable\u2014preferably _before_ encountering this threat.\n\nMalwarebytes has worked hard to keep an eye on this threat, and more importantly, how to stop it. Emotet is a mean adversary, and we expect to continue dealing with it through the rest of the year, as well as any future evolutions or copy cats.\n\nThat being said, making sure you, your family, and your employees know how to recognize emails attempting to deliver Emotet\u2014or any other threat\u2014is a key pillar in the fight against cybercrime, right alongside having a [strong security solution](<https://www.malwarebytes.com/business/solutions/>) and a \"worst case scenario\" plan to protect your data, users, and remediate your machines.\n\nThanks for reading, good luck out there, and safe surfing!\n\nThe post [Emotet on the rise with heavy spam campaign](<https://blog.malwarebytes.com/cybercrime/2018/09/emotet-rise-heavy-spam-campaign/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "reporter": "Adam Kujawa", "published": "2018-09-21T22:55:12", "type": "malwarebytes", "title": "Emotet on the rise with heavy spam campaign", "enchantments": {}, "bulletinFamily": "blog", "cvelist": [], "_object_type": "robots.models.rss.RssBulletin", "modified": "2018-09-21T22:55:12", "id": "MALWAREBYTES:63E5B693C4B12D99078E04508F0A331C", "href": "https://blog.malwarebytes.com/cybercrime/2018/09/emotet-rise-heavy-spam-campaign/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-09-21T15:59:35", "_object_types": ["robots.models.base.Bulletin", "robots.models.rss.RssBulletin"], "references": [], "description": "[Simple Authentication and Security Layer (SASL)](<https://docs.oracle.com/cd/E23824_01/html/819-2145/sasl.intro.20.html>) is an authentication layer used in Internet protocols. SASL is not a protocol, but rather a framework that provides developers of applications and shared libraries with mechanisms for authentication, data integrity\u2013checking, and encryption.\n\nWithin the framework and a few of its plugins, there are a couple of known vulnerabilities that we want to make you aware of. Although patches have been issued, not everyone has implemented them.\n\n### Why would I need to know about SASL?\n\nMost server administrators will recognize the acronym from this type of error message or report:\n\n\u201cSASL LOGIN authentication failed: authentication failure\u201d\n\nUsually the message will contain more details about the failure, depending on the specific software and plugins that you are using. While receiving such a message in itself is not a reason for alarm, if you see it repeatedly and originating from the same IP address, then there is reason to investigate further. Possibly someone is trying to gain access to your server and planning to use it as a spam-box. They might be looking for a way to use your server and your resources to send out a spam campaign.\n\n### Countermeasures against brute force attacks\n\nSASL attacks usually turn out to be [brute force attacks](<https://workaround.org/ispmail/stretch/fighting-brute-force-attacks/>), meaning an automated script or a bot is trying over and over to log into an existing email account on your server, trying many combinations of credentials to find a valid username and password pair. Thankfully, there are some countermeasures you can take against these attacks.\n\n * If you have the option to make your server listen on a different port, doing so might make you a less likely target for new attacks.\n * If the SASL message is from the same IP all the time, block that IP in your firewall.\n * If the attackers keep coming at you from different IPs, there are software solutions that use machine learning to automatically block any new assailant. One caveat to this solution: Be vigilant about false positives so that you don\u2019t shut out legitimate users, such as remote employees.\n\nIf you are seeing some of these attacks, there is no reason to feel singled out. There are [threat actors](<https://blog.malwarebytes.com/glossary/threat-actor/>) out there that constantly sweep the Internet for new servers listening on port 25.\n\n### SASL framework\n\nSASL is a framework for application protocols, such as SMTP or IMAP, that adds authentication support. It checks whether the user has the proper permissions to use the server in the way they request. It also offers a framework for data integrity\u2013checking and encryption.\n\nFor a better understanding of how the framework actually works and where the vulnerabilities throw a wrench in the process, we want to give you some background about the flow of information between server and clients.\n\nThe following figure shows the basic SASL architecture:\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/09/sasl-archit.png> \"\" )\n\nClient and server applications make calls to their local copies of the SASL library, or libsasl, through the SASL API. The libsasl then communicates with the SASL mechanisms through the SASL service provider interface (SPI).\n\nThe following diagram shows steps in the SASL life cycle. The client actions are shown on the left and the server actions on the right. The arrows in the middle show interactions between the client and server over an external connection.\n\n[](<https://blog.malwarebytes.com/wp-content/uploads/2018/09/sasl-flowchart-overview.png> \"\" )\n\n### Memcached vulnerability\n\n[Memcached](<https://thenewstack.io/70000-memcached-servers-can-hacked-using-eight-month-old-flaws/>) is a software package that implements a high-performance caching server for storing chunks of data obtained from database and API calls in RAM. This helps speed up dynamic web applications, making it well suited for large websites and big-data projects.\n\nIn 2016, security researchers from Cisco\u2019s Talos found three remote code execution vulnerabilities. All of these flaws affected memcached\u2019s binary protocol for storing and retrieving data, and [one of them](<https://www.talosintelligence.com/reports/TALOS-2016-0221/>) was in the Simple Authentication and Security Layer (SASL) implementation. These vulnerabilities were fixed by Memcached later that year, but there has been a bad adoption rate.\n\n### Dovecot server vulnerabilities\n\nA [Denial of Service vulnerability](<https://seclists.org/oss-sec/2016/q4/564>) was found in the SASL [authentication component](<https://fortiguard.com/encyclopedia/ips/43742>) of the Dovecot server. Remote attackers can crash vulnerable systems due to a validation error when the vulnerable software handles a crafted username when processing SASL authentication _if_ the auth-policy component has been activated. The vulnerable versions were 2.2.25 through 2.2.26.1, and unfortunately some of these are still in active use.\n\n[Another flaw](<https://access.redhat.com/security/cve/cve-2017-15132>) was found in Dovecot 2.0 up to 2.2.33 and 2.3.0. An abort of SASL authentication results in a memory leak in the Dovecot auth client used by login processes. The leak has an impact on high-performance configurations where the same login processes are reused and can cause the process to crash due to memory exhaustion.\n\n### More recent vulnerabilities\n\nA more recent vulnerability was found in Apache Qpid Broker. Both the Qpid broker and Qpid clients use the Cyrus SASL library, a full-featured authentication framework, which offers many configuration options. An authentication of incoming AMQP connections in Apache Qpid Broker-J is performed by special entities called \"Authentication Providers.\" Each Authentication Provider can support several SASL mechanisms, which are offered to the connecting clients as part of SASL negotiation process.\n\nThe vulnerability that was discovered is a [Denial of Service vulnerability](<https://qpid.apache.org/cves/CVE-2018-1298.html>), and it was found in Apache Qpid Broker-J 7.0.0 in the functionality for authentication of connections for AMQP protocols 0-8, 0-9, 0-91, and 0-10 when either PLAIN or XOAUTH2 SASL mechanism is used. The vulnerability allows an unauthenticated attacker to crash the Broker instance.\n\n### Update your software\n\nAs you can see, there are quite a few of these vulnerabilities still active, and I didn\u2019t even touch on the older ones. In fact, there are a lot more older vulnerabilities than new ones, and I\u2019m afraid that not all of them have been patched.\n\nSo we can\u2019t say this enough, and we won\u2019t stop telling you, either: Always make sure you are running the latest and patched version of the software you are using. This is especially true when talking about Internet-facing servers, and absolutely vital if one of their jobs is to keep your resources safe and secure. SASL is a vital authentication mechanism, in particular where many email servers are concerned.\n\nStay safe, everyone!\n\n \n\n_The figures in this article are courtesy of [Oracle](<https://docs.oracle.com/cd/E23824_01/html/819-2145/sasl.intro.20.html>)._\n\nThe post [Simple Authentication and Security Layer (SASL) vulnerabilities](<https://blog.malwarebytes.com/cybercrime/2018/09/simple-authentication-and-security-layer-sasl-vulnerabilities/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).", "reporter": "Pieter Arntz", "published": "2018-09-21T15:00:00", "type": "malwarebytes", "title": "Simple Authentication and Security Layer (SASL) vulnerabilities", "enchantments": {}, "bulletinFamily": "blog", "cvelist": ["CVE-2017-15132", "CVE-2018-1298"], "_object_type": "robots.models.rss.RssBulletin", "modified": "2018-09-21T15:00:00", "id": "MALWAREBYTES:E9C6FBB13C0612B24380EAB2014AE448", "href": "https://blog.malwarebytes.com/cybercrime/2018/09/simple-authentication-and-security-layer-sasl-vulnerabilities/", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}}], "suse": [{"lastseen": "2018-09-22T00:03:42", "references": ["https://bugzilla.suse.com/1108189"], "affectedPackage": [{"OS": "openSUSE Leap", "OSVersion": "42.3", "packageVersion": "0.3.9+git.1537184752.d624424-9.3.1", "arch": "noarch", "packageFilename": "obs-service-refresh_patches-0.3.9+git.1537184752.d624424-9.3.1.noarch.rpm", "packageName": "obs-service-refresh_patches", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "0.3.9+git.1537184752.d624424-lp150.2.3.1", "arch": "noarch", "packageFilename": "obs-service-refresh_patches-0.3.9+git.1537184752.d624424-lp150.2.3.1.noarch.rpm", "packageName": "obs-service-refresh_patches", "operator": "lt"}], "description": "This update for obs-service-refresh_patches fixes the following security\n issue:\n\n - An attacker creating a specially formated archive could have tricked the\n service in deleting directories that shouldn't be deleted (boo#1108189)\n\n", "edition": 1, "reporter": "Suse", "published": "2018-09-21T22:03:53", "title": "Security update for obs-service-refresh_patches (moderate)", "type": "suse", "enchantments": {}, "bulletinFamily": "unix", "cvelist": [], "modified": "2018-09-21T22:03:53", "id": "OPENSUSE-SU-2018:2801-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2018-09/msg00045.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-09-22T00:03:42", "references": ["https://bugzilla.suse.com/1109084"], "affectedPackage": [{"OS": "openSUSE Leap", "OSVersion": "42.3", "packageVersion": "5.6.1-15.1", "arch": "x86_64", "packageFilename": "hylafax+-debugsource-5.6.1-15.1.x86_64.rpm", "packageName": "hylafax+-debugsource", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.3", "packageVersion": "5.6.1-15.1", "arch": "i586", "packageFilename": "hylafax+-debuginfo-5.6.1-15.1.i586.rpm", "packageName": "hylafax+-debuginfo", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.3", "packageVersion": "5.6.1-15.1", "arch": "x86_64", "packageFilename": "libfaxutil5_6_1-debuginfo-5.6.1-15.1.x86_64.rpm", "packageName": "libfaxutil5_6_1-debuginfo", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "5.6.1-lp150.5.6.1", "arch": "x86_64", "packageFilename": "hylafax+-5.6.1-lp150.5.6.1.x86_64.rpm", "packageName": "hylafax+", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.3", "packageVersion": "5.6.1-15.1", "arch": "i586", "packageFilename": "hylafax+-debugsource-5.6.1-15.1.i586.rpm", "packageName": "hylafax+-debugsource", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.3", "packageVersion": "5.6.1-15.1", "arch": "i586", "packageFilename": "hylafax+-client-5.6.1-15.1.i586.rpm", "packageName": "hylafax+-client", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "5.6.1-lp150.5.6.1", "arch": "x86_64", "packageFilename": "hylafax+-client-debuginfo-5.6.1-lp150.5.6.1.x86_64.rpm", "packageName": "hylafax+-client-debuginfo", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.3", "packageVersion": "5.6.1-15.1", "arch": "i586", "packageFilename": "hylafax+-client-debuginfo-5.6.1-15.1.i586.rpm", "packageName": "hylafax+-client-debuginfo", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.3", "packageVersion": "5.6.1-15.1", "arch": "i586", "packageFilename": "libfaxutil5_6_1-5.6.1-15.1.i586.rpm", "packageName": "libfaxutil5_6_1", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "5.6.1-lp150.5.6.1", "arch": "x86_64", "packageFilename": "hylafax+-client-5.6.1-lp150.5.6.1.x86_64.rpm", "packageName": "hylafax+-client", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "5.6.1-lp150.5.6.1", "arch": "x86_64", "packageFilename": "hylafax+-debuginfo-5.6.1-lp150.5.6.1.x86_64.rpm", "packageName": "hylafax+-debuginfo", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "5.6.1-lp150.5.6.1", "arch": "x86_64", "packageFilename": "libfaxutil5_6_1-5.6.1-lp150.5.6.1.x86_64.rpm", "packageName": "libfaxutil5_6_1", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.3", "packageVersion": "5.6.1-15.1", "arch": "x86_64", "packageFilename": "hylafax+-5.6.1-15.1.x86_64.rpm", "packageName": "hylafax+", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.3", "packageVersion": "5.6.1-15.1", "arch": "x86_64", "packageFilename": "hylafax+-client-debuginfo-5.6.1-15.1.x86_64.rpm", "packageName": "hylafax+-client-debuginfo", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.3", "packageVersion": "5.6.1-15.1", "arch": "x86_64", "packageFilename": "hylafax+-client-5.6.1-15.1.x86_64.rpm", "packageName": "hylafax+-client", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.3", "packageVersion": "5.6.1-15.1", "arch": "x86_64", "packageFilename": "libfaxutil5_6_1-5.6.1-15.1.x86_64.rpm", "packageName": "libfaxutil5_6_1", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.3", "packageVersion": "5.6.1-15.1", "arch": "i586", "packageFilename": "libfaxutil5_6_1-debuginfo-5.6.1-15.1.i586.rpm", "packageName": "libfaxutil5_6_1-debuginfo", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.3", "packageVersion": "5.6.1-15.1", "arch": "i586", "packageFilename": "hylafax+-5.6.1-15.1.i586.rpm", "packageName": "hylafax+", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "5.6.1-lp150.5.6.1", "arch": "x86_64", "packageFilename": "libfaxutil5_6_1-debuginfo-5.6.1-lp150.5.6.1.x86_64.rpm", "packageName": "libfaxutil5_6_1-debuginfo", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "42.3", "packageVersion": "5.6.1-15.1", "arch": "x86_64", "packageFilename": "hylafax+-debuginfo-5.6.1-15.1.x86_64.rpm", "packageName": "hylafax+-debuginfo", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "5.6.1-lp150.5.6.1", "arch": "x86_64", "packageFilename": "hylafax+-debugsource-5.6.1-lp150.5.6.1.x86_64.rpm", "packageName": "hylafax+-debugsource", "operator": "lt"}], "description": "This update for hylafax+ fixes the following issues:\n\n Security issues fixed in 5.6.1:\n\n - CVE-2018-17141: multiple vulnerabilities affecting fax page reception in\n JPEG format Specially crafted input may have allowed remote execution of\n arbitrary code (boo#1109084)\n\n Additionally, this update also contains all upstream corrections and\n bugfixes in the 5.6.1 version, including:\n\n - fix RFC2047 encoding by notify\n - add jobcontrol PageSize feature\n - don't wait forever after +FRH:3\n - fix faxmail transition between a message and external types\n - avoid pagehandling from introducing some unnecessary EOM signals\n - improve proxy connection error handling and logging\n - add initial ModemGroup limits feature\n - pass the user's uid onto the session log file for sent faxes\n - improve job waits to minimize triggers\n - add ProxyTaglineFormat and ProxyTSI features\n\n", "edition": 1, "reporter": "Suse", "published": "2018-09-21T21:49:49", "title": "Security update for hylafax+ (critical)", "type": "suse", "enchantments": {}, "bulletinFamily": "unix", "cvelist": ["CVE-2018-17141"], "modified": "2018-09-21T21:49:49", "id": "OPENSUSE-SU-2018:2797-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2018-09/msg00044.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-09-21T18:03:12", "references": ["https://bugzilla.suse.com/1104169", "https://bugzilla.suse.com/1101999"], "affectedPackage": [{"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.5-lp150.2.6.1", "arch": "x86_64", "packageFilename": "webkit2gtk-4_0-injected-bundles-2.20.5-lp150.2.6.1.x86_64.rpm", "packageName": "webkit2gtk-4_0-injected-bundles", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.5-lp150.2.6.1", "arch": "i586", "packageFilename": "typelib-1_0-WebKit2-4_0-2.20.5-lp150.2.6.1.i586.rpm", "packageName": "typelib-1_0-WebKit2-4_0", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.5-lp150.2.6.1", "arch": "x86_64", "packageFilename": "webkit-jsc-4-debuginfo-2.20.5-lp150.2.6.1.x86_64.rpm", "packageName": "webkit-jsc-4-debuginfo", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.5-lp150.2.6.1", "arch": "i586", "packageFilename": "libjavascriptcoregtk-4_0-18-debuginfo-2.20.5-lp150.2.6.1.i586.rpm", "packageName": "libjavascriptcoregtk-4_0-18-debuginfo", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.5-lp150.2.6.1", "arch": "x86_64", "packageFilename": "libwebkit2gtk-4_0-37-2.20.5-lp150.2.6.1.x86_64.rpm", "packageName": "libwebkit2gtk-4_0-37", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.5-lp150.2.6.1", "arch": "i586", "packageFilename": "libwebkit2gtk-4_0-37-debuginfo-2.20.5-lp150.2.6.1.i586.rpm", "packageName": "libwebkit2gtk-4_0-37-debuginfo", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.5-lp150.2.6.1", "arch": "i586", "packageFilename": "webkit2gtk-4_0-injected-bundles-debuginfo-2.20.5-lp150.2.6.1.i586.rpm", "packageName": "webkit2gtk-4_0-injected-bundles-debuginfo", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.5-lp150.2.6.1", "arch": "noarch", "packageFilename": "libwebkit2gtk3-lang-2.20.5-lp150.2.6.1.noarch.rpm", "packageName": "libwebkit2gtk3-lang", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.5-lp150.2.6.1", "arch": "i586", "packageFilename": "webkit2gtk-4_0-injected-bundles-2.20.5-lp150.2.6.1.i586.rpm", "packageName": "webkit2gtk-4_0-injected-bundles", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.5-lp150.2.6.1", "arch": "i586", "packageFilename": "typelib-1_0-WebKit2WebExtension-4_0-2.20.5-lp150.2.6.1.i586.rpm", "packageName": "typelib-1_0-WebKit2WebExtension-4_0", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.5-lp150.2.6.1", "arch": "x86_64", "packageFilename": "libjavascriptcoregtk-4_0-18-2.20.5-lp150.2.6.1.x86_64.rpm", "packageName": "libjavascriptcoregtk-4_0-18", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.5-lp150.2.6.1", "arch": "x86_64", "packageFilename": "webkit2gtk3-debugsource-2.20.5-lp150.2.6.1.x86_64.rpm", "packageName": "webkit2gtk3-debugsource", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.5-lp150.2.6.1", "arch": "x86_64", "packageFilename": "libjavascriptcoregtk-4_0-18-32bit-debuginfo-2.20.5-lp150.2.6.1.x86_64.rpm", "packageName": "libjavascriptcoregtk-4_0-18-32bit-debuginfo", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.5-lp150.2.6.1", "arch": "i586", "packageFilename": "webkit2gtk3-debugsource-2.20.5-lp150.2.6.1.i586.rpm", "packageName": "webkit2gtk3-debugsource", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.5-lp150.2.6.1", "arch": "i586", "packageFilename": "webkit-jsc-4-2.20.5-lp150.2.6.1.i586.rpm", "packageName": "webkit-jsc-4", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.5-lp150.2.6.1", "arch": "i586", "packageFilename": "typelib-1_0-JavaScriptCore-4_0-2.20.5-lp150.2.6.1.i586.rpm", "packageName": "typelib-1_0-JavaScriptCore-4_0", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.5-lp150.2.6.1", "arch": "i586", "packageFilename": "webkit2gtk3-plugin-process-gtk2-2.20.5-lp150.2.6.1.i586.rpm", "packageName": "webkit2gtk3-plugin-process-gtk2", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.5-lp150.2.6.1", "arch": "i586", "packageFilename": "webkit2gtk3-devel-2.20.5-lp150.2.6.1.i586.rpm", "packageName": "webkit2gtk3-devel", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.5-lp150.2.6.1", "arch": "i586", "packageFilename": "libwebkit2gtk-4_0-37-2.20.5-lp150.2.6.1.i586.rpm", "packageName": "libwebkit2gtk-4_0-37", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.5-lp150.2.6.1", "arch": "x86_64", "packageFilename": "typelib-1_0-JavaScriptCore-4_0-2.20.5-lp150.2.6.1.x86_64.rpm", "packageName": "typelib-1_0-JavaScriptCore-4_0", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.5-lp150.2.6.1", "arch": "x86_64", "packageFilename": "libwebkit2gtk-4_0-37-32bit-debuginfo-2.20.5-lp150.2.6.1.x86_64.rpm", "packageName": "libwebkit2gtk-4_0-37-32bit-debuginfo", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.5-lp150.2.6.1", "arch": "x86_64", "packageFilename": "webkit2gtk3-devel-2.20.5-lp150.2.6.1.x86_64.rpm", "packageName": "webkit2gtk3-devel", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.5-lp150.2.6.1", "arch": "x86_64", "packageFilename": "libjavascriptcoregtk-4_0-18-debuginfo-2.20.5-lp150.2.6.1.x86_64.rpm", "packageName": "libjavascriptcoregtk-4_0-18-debuginfo", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.5-lp150.2.6.1", "arch": "x86_64", "packageFilename": "typelib-1_0-WebKit2-4_0-2.20.5-lp150.2.6.1.x86_64.rpm", "packageName": "typelib-1_0-WebKit2-4_0", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.5-lp150.2.6.1", "arch": "x86_64", "packageFilename": "typelib-1_0-WebKit2WebExtension-4_0-2.20.5-lp150.2.6.1.x86_64.rpm", "packageName": "typelib-1_0-WebKit2WebExtension-4_0", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.5-lp150.2.6.1", "arch": "x86_64", "packageFilename": "libwebkit2gtk-4_0-37-32bit-2.20.5-lp150.2.6.1.x86_64.rpm", "packageName": "libwebkit2gtk-4_0-37-32bit", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.5-lp150.2.6.1", "arch": "x86_64", "packageFilename": "libwebkit2gtk-4_0-37-debuginfo-2.20.5-lp150.2.6.1.x86_64.rpm", "packageName": "libwebkit2gtk-4_0-37-debuginfo", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.5-lp150.2.6.1", "arch": "i586", "packageFilename": "webkit2gtk3-plugin-process-gtk2-debuginfo-2.20.5-lp150.2.6.1.i586.rpm", "packageName": "webkit2gtk3-plugin-process-gtk2-debuginfo", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.5-lp150.2.6.1", "arch": "i586", "packageFilename": "webkit-jsc-4-debuginfo-2.20.5-lp150.2.6.1.i586.rpm", "packageName": "webkit-jsc-4-debuginfo", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.5-lp150.2.6.1", "arch": "x86_64", "packageFilename": "webkit-jsc-4-2.20.5-lp150.2.6.1.x86_64.rpm", "packageName": "webkit-jsc-4", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.5-lp150.2.6.1", "arch": "x86_64", "packageFilename": "webkit2gtk3-plugin-process-gtk2-debuginfo-2.20.5-lp150.2.6.1.x86_64.rpm", "packageName": "webkit2gtk3-plugin-process-gtk2-debuginfo", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.5-lp150.2.6.1", "arch": "x86_64", "packageFilename": "webkit2gtk3-plugin-process-gtk2-2.20.5-lp150.2.6.1.x86_64.rpm", "packageName": "webkit2gtk3-plugin-process-gtk2", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.5-lp150.2.6.1", "arch": "x86_64", "packageFilename": "webkit2gtk-4_0-injected-bundles-debuginfo-2.20.5-lp150.2.6.1.x86_64.rpm", "packageName": "webkit2gtk-4_0-injected-bundles-debuginfo", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.5-lp150.2.6.1", "arch": "x86_64", "packageFilename": "libjavascriptcoregtk-4_0-18-32bit-2.20.5-lp150.2.6.1.x86_64.rpm", "packageName": "libjavascriptcoregtk-4_0-18-32bit", "operator": "lt"}, {"OS": "openSUSE Leap", "OSVersion": "15.0", "packageVersion": "2.20.5-lp150.2.6.1", "arch": "i586", "packageFilename": "libjavascriptcoregtk-4_0-18-2.20.5-lp150.2.6.1.i586.rpm", "packageName": "libjavascriptcoregtk-4_0-18", "operator": "lt"}], "description": "This update for webkit2gtk3 to version 2.20.5 fixes the following issues:\n\n Security issue fixed:\n\n - CVE-2018-12911: Fix off-by-one in xdg_mime_get_simple_globs\n (bsc#1101999).\n - CVE-2018-4261, CVE-2018-4262, CVE-2018-4263, CVE-2018-4264,\n CVE-2018-4265, CVE-2018-4267, CVE-2018-4272, CVE-2018-4284: Processing\n maliciously crafted web content may lead to arbitrary code execution. A\n memory corruption issue was addressed with improved memory handling.\n - CVE-2018-4266: A malicious website may be able to cause a denial of\n service. A race condition was addressed with additional validation.\n - CVE-2018-4270, CVE-2018-4271, CVE-2018-4273: Processing maliciously\n crafted web content may lead to an unexpected application crash. A\n memory corruption issue was addressed with improved input validation.\n - CVE-2018-4278: A malicious website may exfiltrate audio data\n cross-origin. Sound fetched through audio elements may be exfiltrated\n cross-origin. This issue was addressed with improved audio taint\n tracking.\n\n Other bugs fixed:\n\n - Fix rendering artifacts in some web sites due to a bug introduced in\n 2.20.4.\n - Fix a crash when leaving accelerated compositing mode.\n - Fix non-deterministic build failure due to missing\n JavaScriptCore/JSContextRef.h.\n\n This update was imported from the SUSE:SLE-15:Update update project.\n\n", "edition": 1, "reporter": "Suse", "published": "2018-09-21T15:08:10", "title": "Security update for webkit2gtk3 (moderate)", "type": "suse", "enchantments": {}, "bulletinFamily": "unix", "cvelist": ["CVE-2018-4270", "CVE-2018-12911", "CVE-2018-4266", "CVE-2018-4272", "CVE-2018-4264", "CVE-2018-4261", "CVE-2018-4267", "CVE-2018-4273", "CVE-2018-4271", "CVE-2018-4278", "CVE-2018-4263", "CVE-2018-4284", "CVE-2018-4265", "CVE-2018-4262"], "modified": "2018-09-21T15:08:10", "id": "OPENSUSE-SU-2018:2781-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2018-09/msg00042.html", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "schneier": [{"lastseen": "2018-09-21T22:00:42", "_object_types": ["robots.models.rss.RssBulletin", "robots.models.base.Bulletin"], "references": [], "description": "On [James Island](<https://www.bclocalnews.com/news/rare-squid-influx-draws-crowds-to-central-saanich-dock/>).\n\nAs usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.\n\nRead my blog posting guidelines [here](<https://www.schneier.com/blog/archives/2017/03/commenting_poli.html>).", "reporter": "Bruce Schneier", "published": "2018-09-21T21:14:57", "type": "schneier", "title": "Friday Squid Blogging: British Columbia \"Squid Run\" Is a Tourist Attraction", "enchantments": {}, "bulletinFamily": "blog", "cvelist": [], "_object_type": "robots.models.rss.RssBulletin", "modified": "2018-09-21T21:14:57", "id": "SCHNEIER:79D0B619BC472DD6B4D4116488EB1C78", "href": "https://www.schneier.com/blog/archives/2018/09/friday_squid_bl_643.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-09-21T20:00:20", "_object_types": ["robots.models.base.Bulletin", "robots.models.rss.RssBulletin"], "references": [], "description": "Lots of people are e-mailing me about [this new result](<https://www.quantamagazine.org/a-chemist-shines-light-on-a-surprising-prime-number-pattern-20180514/>) on the distribution of prime numbers. While interesting, it has nothing to do with cryptography. Cryptographers aren't interested in how to find prime numbers, or even in the distribution of prime numbers. Public-key cryptography algorithms like RSA get their security from the difficulty of factoring large composite numbers that are the product of two prime numbers. That's completely different.", "reporter": "Bruce Schneier", "published": "2018-09-21T19:14:21", "type": "schneier", "title": "New Findings About Prime Number Distribution Almost Certainly Irrelevant to Cryptography", "enchantments": {}, "bulletinFamily": "blog", "cvelist": [], "_object_type": "robots.models.rss.RssBulletin", "modified": "2018-09-21T19:14:21", "id": "SCHNEIER:F916E1A90C8B0A9FAAA19C8A4D67674D", "href": "https://www.schneier.com/blog/archives/2018/09/new_findings_ab.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-09-21T16:01:25", "_object_types": ["robots.models.base.Bulletin", "robots.models.rss.RssBulletin"], "references": [], "description": "NIST has released a [new study](<https://nvlpubs.nist.gov/nistpubs/gcr/2018/NIST.GCR.18-017.pdf>) [concluding](<https://www.nist.gov/news-events/news/2018/09/nists-encryption-standard-has-minimum-250-billion-economic-benefit>) that the AES encryption standard has resulted in a $250-billion worldwide economic benefit over the past 20 years. I have no idea how to even begin to assess the quality of the study and its conclusions -- it's all in the 150-page report, though -- but I do like the pretty block diagram of AES on the report's cover.", "reporter": "Bruce Schneier", "published": "2018-09-21T11:37:20", "type": "schneier", "title": "AES Resulted in a $250-Billion Economic Benefit", "enchantments": {}, "bulletinFamily": "blog", "cvelist": [], "_object_type": "robots.models.rss.RssBulletin", "modified": "2018-09-21T11:37:20", "id": "SCHNEIER:53E672AAD674505EC8D3B85CAA24DB0F", "href": "https://www.schneier.com/blog/archives/2018/09/aes_resulted_in.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "thn": [{"lastseen": "2018-09-21T17:59:52", "_object_types": ["robots.models.thn.ThnBulletin", "robots.models.base.Bulletin"], "references": [], "description": "[](<https://1.bp.blogspot.com/-zWX2wVCXmLo/W6Up7zTgz_I/AAAAAAAAyLs/NzwuAevH1x4dFlJURseiz9N8rY7VvT9uwCLcBGAs/s728-e100/windows-zero-day-vulnerability.jpg>)\n\nA security researcher has publicly disclosed an unpatched zero-day vulnerability in all supported versions of Microsoft Windows operating system (including server editions) after the company failed to patch a responsibly disclosed bug within the 120-days deadline. \n \nDiscovered by** Lucas Leong** of the Trend Micro Security Research team, the zero-day vulnerability resides in Microsoft Jet Database Engine that could allow an attacker to remotely execute malicious code on any vulnerable Windows computer. \n \nThe Microsoft JET Database Engine, or simply JET (Joint Engine Technology), is a database engine integrated within several Microsoft products, including Microsoft Access and Visual Basic. \n\n\n \nAccording to the an [advisory](<https://www.zerodayinitiative.com/advisories/ZDI-18-1075/>) released by Zero Day Initiative (ZDI), the vulnerability is due to a problem with the management of indexes in the Jet database engine that, if exploited successfully, can cause an out-out-bounds memory write, leading to remote code execution. \n \nAn attacker must convince a targeted user into opening a specially crafted JET database file in order to exploit this vulnerability and remotely execute malicious code on a targeted vulnerable Windows computer. \n\n\n> \"Crafted data in a database file can trigger a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code under the context of the current process,\" Trend Micro's Zero Day Initiative wrote in its [blog post](<https://www.thezdi.com/blog/2018/9/20/zdi-can-6135-a-remote-code-execution-vulnerability-in-the-microsoft-windows-jet-database-engine>). \n \n\"Various applications use this database format. An attacker using this would be able to execute code at the level of the current process.\"\n\nAccording to the ZDI researchers, the vulnerability exists in all supported Windows versions, including Windows 10, Windows 8.1, Windows 7, and Windows Server Edition 2008 to 2016. \n\n\n \nZDI reported the vulnerability to Microsoft on May 8, and the tech giant confirmed the bug on 14 May, but failed to patch the vulnerability and release an update within a 120-day (4 months) deadline, making ZDI go public with the vulnerability details. \n \nProof-of-concept exploit code for the vulnerability has also been [published](<https://github.com/thezdi/PoC/tree/master/ZDI-18-1075>) by the Trend Micro its GitHub page. \n \nMicrosoft is working on a patch for the vulnerability, and since it was not included in September Patch Tuesday, you can expect the fix in Microsoft's October patch release. \n \nTrend Micro recommends all affected users to \"restrict interaction with the application to trusted files,\" as a mitigation until Microsoft comes up with a patch.\n", "reporter": "The Hacker News", "published": "2018-09-21T17:32:00", "type": "thn", "title": "Researcher Discloses New Zero-Day Affecting All Versions of Windows", "enchantments": {}, "bulletinFamily": "info", "cvelist": [], "_object_type": "robots.models.thn.ThnBulletin", "modified": "2018-09-21T17:36:27", "id": "THN:9E7307638026C7B186E9C54362E0B94C", "href": "https://thehackernews.com/2018/09/windows-zero-day-vulnerability.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-09-21T09:59:12", "_object_types": ["robots.models.base.Bulletin", "robots.models.thn.ThnBulletin"], "references": [], "description": "[](<https://1.bp.blogspot.com/-65YYEpMj4nY/W6SuDTxkjeI/AAAAAAAAyLY/s7ebAQDcL6QcUtm14o8DIXGozH00KxIGACLcBGAs/s728-e100/4g-ee-wifi-modem-hack.jpg>)\n\nA high-severity vulnerability has been discovered in 4G-based wireless 4GEE Mini modem sold by mobile operator EE that could allow an attacker to run a malicious program on a targeted computer with the highest level of privileges in the system. \n \nThe vulnerability\u2014discovered by 20-year-old **Osanda Malith**, a Sri Lankan security researcher at ZeroDayLab\u2014can be exploited by a low privileged user account to escalate privileges on any Windows computer that had once connected to the EE Mini modem via USB. \n \nThis, in turn, would allow an attacker to gain full system access to the targeted remote computer and thereby, perform any malicious actions, such as installing malware, rootkits, keylogger, or stealing personal information. \n\n\n \n4G Mini WiFi modem is manufactured by Alcatel and sold by EE, a mobile operator owned by BT Group\u2014 Britain's largest digital communications company that serves over 31 million connections across its mobile, fixed and wholesale networks. \n \n\n\n### How Does the Attack Work?\n\n \nThe local privilege escalation flaw, tracked as CVE-2018-14327, resides in the driver files installed by EE 4G Mini WiFi modem on a Windows system and originates because of folder permissions, allowing any low privileged user to \"read, write, execute, create, delete do anything inside that folder and it's subfolders.\" \n \nFor successful exploitation of the vulnerability, all an attacker or malware just needs to do is replace \"ServiceManager.exe\" file from the driver folder with a malicious file to trick the vulnerable driver into executing it with higher SYSTEM privileges after reboot. \n\n\nMalith also posted a video demonstration showing that how attackers can exploit this flaw to escalate their privileges on a Windows machine to gain a reverse shell. \n\n\n> \"An attacker can plant a reverse shell from a low privileged user account and by restarting the computer, the malicious service will be started as \"NT AUTHORITY\\SYSTEM\" by giving the attacker full system access to the remote PC,\" he [explains](<https://osandamalith.com/2018/09/17/ee-4gee-mini-local-privilege-escalation-vulnerability-cve-2018-14327/>) in his blog.\n\n \n\n\n### Patch Your 4G Wi-Fi Mini Modems\n\n \nThe researcher reported the vulnerability to EE and Alcatel in July, and the company acknowledged the issue and rolled out a firmware patch earlier this month to address the vulnerability. \n\n\n \nIf you own a G-based wireless 4GEE Mini modem from EE, you are advised to update the firmware modem to the latest \"EE40_00_02.00_45\" version and remove previous vulnerable versions. \n\n\n[](<https://1.bp.blogspot.com/-qqWBi9h-tdw/W6SvEHN04kI/AAAAAAAAyLg/AnPK13sfKMQxOQWQ0Cj9tdq_iKWeyjvGgCLcBGAs/s728-e100/4g-ee-wifi-modem-hack.jpg>)\n\nFollow these simple steps to update your 4GEE Mini modem to the latest patch update: \n\n\n * Go to your router's default gateway: http://192.168.1.1.\n * Click on the \"Check for Update\" to update your firmware.\n * Once updated to the patched software version EE40_00_02.00_45, remove the previously installed software version from your computer.\nFor more details on the vulnerability, you can head on to [Malith's blog](<https://osandamalith.com/2018/09/17/ee-4gee-mini-local-privilege-escalation-vulnerability-cve-2018-14327/>), and the detailed [advisory](<http://blog.zerodaylab.com/2018/09/zerodaylab-discovers-ee-unquoted.html>) released by ZeroDayLab.\n", "reporter": "The Hacker News", "published": "2018-09-21T08:45:00", "type": "thn", "title": "Flaw in 4GEE WiFi Modem Could Leave Your Computer Vulnerable", "enchantments": {}, "bulletinFamily": "info", "cvelist": ["CVE-2018-14327"], "_object_type": "robots.models.thn.ThnBulletin", "modified": "2018-09-21T08:45:25", "id": "THN:20C9FC0CFE440CBA16ACA69BAA89C8FF", "href": "https://thehackernews.com/2018/09/4g-ee-wifi-modem-hack.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "krebs": [{"lastseen": "2018-09-21T20:01:02", "_object_types": ["robots.models.base.Bulletin", "robots.models.rss.RssBulletin"], "references": [], "description": "It is now free in every U.S. state to freeze and unfreeze your credit file and that of your dependents, a process that blocks identity thieves and others from looking at private details in your consumer credit history. If you've been holding out because you're not particularly worried about ID theft, here's another reason to reconsider: The credit bureaus profit from selling copies of your file to others, so freezing your file also lets you deny these dinosaurs a valuable revenue stream.\n\n\n\nEnacted in May 2018, the [Economic Growth, Regulatory Relief and Consumer Protection Act](<https://www.congress.gov/bill/115th-congress/senate-bill/2155>) rolls back some of the restrictions placed on banks in the wake of the Great Recession of the last decade. But it also includes a silver lining. Previously, states allowed the bureaus to charge a confusing range of fees for placing, temporarily thawing or lifting a credit freeze. Today, those fees no longer exist.\n\nA security freeze essentially blocks any potential creditors from being able to view or \u201cpull\u201d your credit file, unless you affirmatively unfreeze or thaw your file beforehand. With a freeze in place on your credit file, ID thieves can apply for credit in your name all they want, but they will not succeed in getting new lines of credit in your name because few if any creditors will extend that credit without first being able to gauge how risky it is to loan to you (i.e., view your credit file).\n\nAnd because each credit inquiry caused by a creditor has the potential to lower your credit score, the freeze also helps protect your score, which is what most lenders use to decide whether to grant you credit when you truly do want it and apply for it.\n\nTo file a freeze, consumers must contact each of the three major credit bureaus online, by phone or by mail. Here's the updated contact information for the big three:\n\nOnline: [Equifax Freeze Page](<https://www.equifax.com/personal/credit-report-services/>) \nBy phone: 800-685-1111 \nBy Mail: Equifax Security Freeze \nP.O. Box 105788 \nAtlanta, Georgia 30348-5788\n\nOnline: [Experian](<https://www.experian.com/freeze/center.html#content-01>) \nBy phone: 888-397-3742 \nBy Mail: Experian Security Freeze \nP.O. Box 9554, Allen, TX 75013\n\nOnline: [TransUnion](<https://service.transunion.com/dss/orderStep1_form.page>) \nBy Phone: 888-909-8872 \nBy Mail: TransUnion LLC \nP.O. Box 2000 Chester, PA 19016\n\nSpouses may request freezes for each other by phone as long as they pass authentication.\n\nThe new law also makes it free to place, thaw and lift freezes for dependents under the age of 16, or for incapacitated adult family members. However, this process is not currently available online or by phone, as it requires parents/guardians to submit written documentation (\"sufficient proof of authority\"), such as a copy of a birth certificate and copy of a Social Security card issued by the Social Security Administration, or -- in the case of an incapacitated family member -- proof of power of attorney.\n\nIn addition, the law requires the big three bureaus to offer free electronic credit monitoring services to all active duty military personnel. It also changes the rules for \u201c**fraud alerts**,\u201d which currently are free but only last for 90 days. With a fraud alert on your credit file, lenders or service providers should not grant credit in your name without first contacting you to obtain your approval \u2014 by phone or whatever other method you specify when you apply for the fraud alert.\n\nAnother important change: Fraud alerts now last for one year (previously they lasted just 90 days) but consumers can renew them each year. Bear in mind, however, that while lenders and service providers are supposed to seek and obtain your approval before granting credit in your name if you have a fraud alert on your file, they\u2019re not legally required to do this.\n\n#### MANAGING EXPECTATIONS\n\nHaving a freeze in place does nothing to prevent you from using existing lines of credit you may already have, such as credit, mortgage and bank accounts. By the same token, freezes do nothing to prevent crooks from abusing unauthorized access to these existing accounts.\n\nAccording to experts, the bureaus make about $1 every time they sell access your credit file. However, a freeze on your file does nothing to prevent the bureaus from collecting information about you as a consumer \u2014 including your spending habits and preferences \u2014 and packaging, splicing and reselling that information to marketers.\n\nWhen you place a freeze, each credit bureau will assign you a personal identification number (PIN) that needs to be supplied if and when you ever wish to open a new line of credit. When that time comes, consumers can temporarily thaw a freeze for a specified duration either online or by phone (see above resources). Needless to say, it's a good idea to keep these PINs somewhere safe and reliable in the event you wish to unfreeze.\n\n\n\nOne important caveat: It's best not to wait until the last minute before starting the freeze thawing process, which can be instantaneous or can take a few days. The easiest way to unfreeze your file for the purposes of gaining new credit is to spend a few minutes on the phone with the company from which you hope to gain the line of credit (or research the matter online) to see which credit bureau they rely upon for credit checks. It will most likely be one of the major bureaus. Once you know which bureau the creditor uses, contact that bureau either via phone or online and supply the PIN they gave you when you froze your credit file with them. The thawing process should not take more than 24 hours, but hiccups in the thawing process sometimes make things take longer.\n\n#### CREDIT LOCKS AND CREDIT MONITORING\n\nAll three big bureaus tout their \"**credit lock\" **services as an easier and faster alternative to freezes -- mainly because these alternatives aren't as disruptive to their bottom lines. According to a recent post by [CreditKarma.com](<https://www.creditkarma.com/id-theft/i/lock-freeze-credit-file/>), consumers can use these services to quickly lock or unlock access to credit inquiries, although some bureaus can take up to 48 hours. In contrast, they can take up to five business days to act on a freeze request, although in my experience the automated freeze process via the bureaus\u2019 freeze sites has been more or less instantaneous (assuming the request actually goes through).\n\nTransUnion and Equifax both offer free credit lock services, while Experian\u2019s is free for 30 days and $19.99 for each additional month. However, TransUnion says those who take advantage of their free lock service agree to receive targeted marketing offers. What\u2019s more, TransUnion also pushes consumers who sign up for its free lock service to subscribe to its \u201cpremium\u201d lock services for a monthly fee with a perpetual auto-renewal.\n\nUnsurprisingly, the bureaus\u2019 use of the term credit lock has confused many consumers; this was almost certainly by design. But here\u2019s one basic fact consumers should keep in mind about these lock services: Unlike freezes, locks are not governed by any law, meaning that the credit bureaus can change the terms of these arrangements when and if it suits them to do so.\n\nIf you have already signed up for credit monitoring services, placing a freeze on your file should not impact those services. However, it is generally not possible to sign up for new credit monitoring services once a freeze is in place. So if you wish to avail yourself of credit monitoring, it's best to sign up _before_ placing a freeze.\n\nMany consumers erroneously believe that credit monitoring services will protect them from identity thieves. In truth, despite incessant marketing by the bureaus and others to the contrary, these services do not prevent thieves from using your identity to open new lines of credit, or from damaging your good name for years to come in the process. The most you can hope for is that credit monitoring services will alert you soon _after_ an ID thief does steal your identity.\n\nCredit monitoring services are principally useful in helping consumers _recover_ from identity theft. Doing so often requires dozens of hours writing and mailing letters, and spending time on the phone contacting creditors and credit bureaus to straighten out the mess. In cases where identity theft leads to prosecution for crimes committed in your name by an ID thief, you may incur legal costs as well. Most of these services offer to reimburse you up to a certain amount for out-of-pocket expenses related to those efforts. But a better solution is to prevent thieves from stealing your identity in the first place by placing a freeze.\n\n#### WHAT ELSE SHOULD YOU DO?\n\nFreezing your credit file at the big three bureaus is a great start, but ID thieves can and do abuse other parts of the credit system to wreak havoc on consumers. Beyond the big three bureaus, **Innovis** is a distant fourth bureau that some entities use to check consumer creditworthiness. Fortunately, [filing a freeze with Innovis also is free](<https://www.innovis.com/personal/securityFreeze>) and relatively painless.\n\nIn addition, many wireless phone companies currently check consumer credit using a little-known credit reporting bureau operated by Equifax called the **National Consumer Telecommunications and Utilities Exchange** (NCTUE). Freezing your credit with Equifax won't necessarily block inquiries to the NCTUE, but fortunately the NCTUE also offers a freeze process, [as detailed in this story](<https://krebsonsecurity.com/2018/05/another-credit-freeze-target-nctue-com/>).\n\nIt's a good idea to periodically order a free copy of your credit report. There are several forms of identity theft that probably will not be blocked by a freeze. But neither will they be blocked by a fraud alert or a credit lock. That\u2019s why it\u2019s so important to regularly review your credit file with the major bureaus for any signs of unauthorized activity.\n\nBy law, each of the three major credit reporting bureaus must provide a free copy of your credit report each year \u2014 but only if you request it via the government-mandated site [annualcreditreport.com](<http://annualcreditreport.com/>). The best way to take advantage of this right is to make a notation in your calendar to request a copy of your report every 120 days, to review the report and to report any inaccuracies or questionable entries when and if you spot them. Avoid other sites that offer \u201cfree\u201d credit reports and then try to trick you into signing up for something else.\n\nAccording to the **Federal Trade Commission**, having a freeze in place should not affect a consumer\u2019s ability to obtain copies of their credit report from annualcreditreport.com.\n\nIt\u2019s also a good idea to notify a company called **ChexSystems** to keep an eye out for fraud committed in your name. Thousands of banks rely on ChexSystems to verify customers that are requesting new checking and savings accounts, and ChexSystems lets consumers place a security alert on their credit data to make it more difficult for ID thieves to fraudulently obtain checking and savings accounts. For more information on doing that with ChexSystems, see [this link](<https://www.chexsystems.com/web/chexsystems/consumerdebit/page/securityfreeze/information/!ut/p/z1/04_Sj9CPykssy0xPLMnMz0vMAfIjo8ziDRxdHA1Ngg183AP83QwcXX39LIJDfYwMvM30w1EV-HuEGAEVuPq4Gxt5G7oHmuhHkaQfTYGBOWX6gQrA-nEARwN9L1QL0NzvaggKAaMiX2ffdP2ogsSSDN3MvLR8_QhPIFmUCw4loBOiCBmCXwEolPD6ExQMhDxSkBsaGlHlkxbsmekIAE6xunk!/dz/d5/L2dBISEvZ0FBIS9nQSEh/>).\n\nFinally, ID thieves like to intercept offers of new credit and insurance sent via postal mail, so it\u2019s a good idea to opt out of pre-approved credit offers. If you decide that you don\u2019t want to receive prescreened offers of credit and insurance, you have two choices: You can opt out of receiving them for five years or opt out of receiving them permanently.\n\nTo opt out for five years: Call toll-free 1-888-5-OPT-OUT (1-888-567-8688) or visit [optoutprescreen.com](<https://www.optoutprescreen.com>). The phone number and website are operated by the major consumer reporting companies. To complete your request for a permanent opt-out, you must return the signed Permanent Opt-Out Election form provided after you initiate your online request.", "reporter": "BrianKrebs", "published": "2018-09-21T16:31:43", "type": "krebs", "title": "Credit Freezes are Free: Let the Ice Age Begin", "enchantments": {}, "bulletinFamily": "blog", "cvelist": [], "_object_type": "robots.models.rss.RssBulletin", "modified": "2018-09-21T16:31:43", "id": "KREBS:BF5AB817A8E3E07B984D0B0B33E3BEBB", "href": "https://krebsonsecurity.com/2018/09/credit-freezes-are-free-let-the-ice-age-begin/", "cvss": {"score": 0.0, "vector": "NONE"}}], "cisco": [{"lastseen": "2018-09-21T17:03:24", "_object_types": ["robots.models.base.Bulletin", "robots.models.cisco.CiscoBulletin"], "references": ["https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180921-vsm"], "description": "A vulnerability in Cisco Video Surveillance Manager (VSM) Software running on certain Cisco Connected Safety and Security Unified Computing System (UCS) platforms could allow an unauthenticated, remote attacker to log in to an affected system by using the root account, which has default, static user credentials.\n\nThe vulnerability is due to the presence of undocumented, default, static user credentials for the root account of the affected software on certain systems. An attacker could exploit this vulnerability by using the account to log in to an affected system. A successful exploit could allow the attacker to log in to the affected system and execute arbitrary commands as the root user.\n\nCisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.\n\nThis advisory is available at the following link:\nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180921-vsm [\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180921-vsm\"]", "reporter": "Cisco", "published": "2018-09-21T16:00:00", "type": "cisco", "title": "Cisco Video Surveillance Manager Appliance Default Password Vulnerability", "enchantments": {}, "bulletinFamily": "software", "affectedSoftware": [{"name": "Cisco Video Surveillance Manager", "version": "any", "operator": "eq"}], "cvelist": ["CVE-2018-15427"], "_object_type": "robots.models.cisco.CiscoBulletin", "modified": "2018-09-21T16:00:02", "id": "CISCO-SA-20180921-VSM", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180921-vsm", "cvss": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "akamaiblog": [{"lastseen": "2018-09-21T15:59:34", "_object_types": ["robots.models.base.Bulletin", "robots.models.rss.RssBulletin"], "references": [], "description": "The rise of credential stuffing attacks globally is made possible by the tendency of customers' re-using the same credentials across different websites and attackers' easy access to stolen credential lists.\n\nCredential stuffing attacks is the result of attackers using stolen credentials (username and passwords), validating logins using botnets and taking over accounts to commit fraud.\n\nExamples of fraud can range from the purchase of goods, gift cards or voucher codes at e-commerce firms, to stealing points in loyalty programs of airlines and hotel chains. \n\nCompanies who have been the target of such attacks suffer from financial losses and increased rates of customer churn.\n\nIt is difficult for companies to differentiate between legitimate users from attackers as the stolen credentials may be valid. \n\nIn December 2017, security researchers found an interactive database on the Dark Web that contained over 1.4 billon clear text credentials, organized for easy search and retrieval. \n\nThe researchers validated that the credentials were valid by contacting a small subset of credential owners, many who were unaware that their credentials were exposed in past security breaches.\n\nTools such as Sentry MBA enables attackers to automate the validation process easily without the need to write their own scripts.\n\nAkamai commissioned the Ponemon Institute to survey companies in Asia Pacific on the impact of credential stuffing, to determine the scale and financial impact.\n\nHere are the key highlights from the research collated from 538 security professional who are familiar with credential stuffing and are responsible for the security of their companies' websites.\n\nCompanies experience an average of 12.2 credential stuffing attacks a month, with each attack impacting an average of 954 accounts.\n\n\u00b7 51% of respondents agree that moving applications to the cloud have increased the risk of credential stuffing.\n\n\u00b7 59% of respondents believe they have no visibility into credential stuffing attacks.\n\n\u00b7 Over 80% of respondents shared that it is difficult to detect and to remediate credential stuffing attacks.\n\n\u00b7 The average cost of credential stuffing excluding fraud is USD$3.85 million.\n\n\u00b7 The cost of fraud varies from USD $284,649 to USD$28.5 million.\n\nFor the full details of the research, you can download the[ report](<https://www.akamai.com/us/en/multimedia/documents/white-paper/the-cost-of-credential-stuffing-asia-pacific.pdf>).\n\n", "reporter": "Don Ng", "published": "2018-09-21T14:57:54", "type": "akamaiblog", "title": "Rise of Credential Stuffing in Asia Pacific and Japan.", "enchantments": {}, "bulletinFamily": "blog", "cvelist": [], "_object_type": "robots.models.rss.RssBulletin", "modified": "2018-09-21T15:00:04", "id": "AKAMAIBLOG:A73D0B6B63FA48F02C68A5D62FA7749A", "href": "http://feedproxy.google.com/~r/TheAkamaiBlog/~3/Fj5jzD68jz4/rise-of-credential-stuffing-in-asia-pacific-and-japan.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "slackware": [{"lastseen": "2018-09-21T23:17:59", "references": [], "affectedPackage": [{"OS": "Slackware", "OSVersion": "14.2", "packageVersion": "4.4.157_smp", "arch": "i686", "packageFilename": "kernel-modules-smp-4.4.157_smp-i686-1.txz", "packageName": "kernel-modules-smp", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.2", "packageVersion": "4.4.157", "arch": "x86_64", "packageFilename": "kernel-modules-4.4.157-x86_64-1.txz", "packageName": "kernel-modules", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.2", "packageVersion": "4.4.157_smp", "arch": "x86", "packageFilename": "kernel-headers-4.4.157_smp-x86-1.txz", "packageName": "kernel-headers", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.2", "packageVersion": "4.4.157", "arch": "i586", "packageFilename": "kernel-generic-4.4.157-i586-1.txz", "packageName": "kernel-generic", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.2", "packageVersion": "4.4.157", "arch": "i586", "packageFilename": "kernel-huge-4.4.157-i586-1.txz", "packageName": "kernel-huge", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.2", "packageVersion": "20180913_44d4fca", "arch": "noarch", "packageFilename": "kernel-firmware-20180913_44d4fca-noarch-1.txz", "packageName": "kernel-firmware", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.2", "packageVersion": "20180913_44d4fca", "arch": "noarch", "packageFilename": "kernel-firmware-20180913_44d4fca-noarch-1.txz", "packageName": "kernel-firmware", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.2", "packageVersion": "4.4.157_smp", "arch": "i686", "packageFilename": "kernel-generic-smp-4.4.157_smp-i686-1.txz", "packageName": "kernel-generic-smp", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.2", "packageVersion": "4.4.157", "arch": "noarch", "packageFilename": "kernel-source-4.4.157-noarch-1.txz", "packageName": "kernel-source", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.2", "packageVersion": "4.4.157", "arch": "x86_64", "packageFilename": "kernel-generic-4.4.157-x86_64-1.txz", "packageName": "kernel-generic", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.2", "packageVersion": "4.4.157_smp", "arch": "noarch", "packageFilename": "kernel-source-4.4.157_smp-noarch-1.txz", "packageName": "kernel-source", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.2", "packageVersion": "4.4.157", "arch": "x86", "packageFilename": "kernel-headers-4.4.157-x86-1.txz", "packageName": "kernel-headers", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.2", "packageVersion": "4.4.157", "arch": "x86_64", "packageFilename": "kernel-huge-4.4.157-x86_64-1.txz", "packageName": "kernel-huge", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.2", "packageVersion": "4.4.157_smp", "arch": "i686", "packageFilename": "kernel-huge-smp-4.4.157_smp-i686-1.txz", "packageName": "kernel-huge-smp", "operator": "lt"}, {"OS": "Slackware", "OSVersion": "14.2", "packageVersion": "4.4.157", "arch": "i586", "packageFilename": "kernel-modules-4.4.157-i586-1.txz", "packageName": "kernel-modules", "operator": "lt"}], "description": "New kernel packages are available for Slackware 14.2 to fix a security issue.\n\n\nHere are the details from the Slackware 14.2 ChangeLog:\n\npatches/packages/linux-4.4.157/*: Upgraded.\n This kernel removes the unnecessary vmacache_flush_all code which could have\n led to a use-after-free situation and potentially local privilege escalation.\n In addition, it fixes some regressions which may have led to diminished X\n performance.\n Be sure to upgrade your initrd after upgrading the kernel packages.\n If you use lilo to boot your machine, be sure lilo.conf points to the correct\n kernel and initrd and run lilo as root to update the bootloader.\n If you use elilo to boot your machine, you should run eliloconfig to copy the\n kernel and initrd to the EFI System Partition.\n For more information, see:\n https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17182\n (* Security fix *)\n\nWhere to find the new packages:\n\nThanks to the friendly folks at the OSU Open Source Lab\n(http://osuosl.org) for donating FTP and rsync hosting\nto the Slackware project! :-)\n\nAlso see the &quot;Get Slack&quot; section on http://slackware.com for\nadditional mirror sites near you.\n\nUpdated packages for Slackware 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/linux-4.4.157/kernel-firmware-20180913_44d4fca-noarch-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/linux-4.4.157/kernel-generic-4.4.157-i586-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/linux-4.4.157/kernel-generic-smp-4.4.157_smp-i686-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/linux-4.4.157/kernel-headers-4.4.157_smp-x86-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/linux-4.4.157/kernel-huge-4.4.157-i586-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/linux-4.4.157/kernel-huge-smp-4.4.157_smp-i686-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/linux-4.4.157/kernel-modules-4.4.157-i586-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/linux-4.4.157/kernel-modules-smp-4.4.157_smp-i686-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware-14.2/patches/packages/linux-4.4.157/kernel-source-4.4.157_smp-noarch-1.txz\n\nUpdated packages for Slackware x86_64 14.2:\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/linux-4.4.157/kernel-firmware-20180913_44d4fca-noarch-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/linux-4.4.157/kernel-generic-4.4.157-x86_64-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/linux-4.4.157/kernel-headers-4.4.157-x86-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/linux-4.4.157/kernel-huge-4.4.157-x86_64-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/linux-4.4.157/kernel-modules-4.4.157-x86_64-1.txz\nftp://ftp.slackware.com/pub/slackware/slackware64-14.2/patches/packages/linux-4.4.157/kernel-source-4.4.157-noarch-1.txz\n\n\nMD5 signatures:\n\nSlackware 14.2 packages:\n4cbc3917d30e3ec997f23aadfbb20d2f kernel-firmware-20180913_44d4fca-noarch-1.txz\ndf3e3e6e806a744b5c2a85ca9a581666 kernel-generic-4.4.157-i586-1.txz\n4786d7445be8ff55f83be49ac7762703 kernel-generic-smp-4.4.157_smp-i686-1.txz\nc1a300d12e24e2321e0b9b30cddbdf5f kernel-headers-4.4.157_smp-x86-1.txz\nb19ce77fa8dd71de87f79237619610bf kernel-huge-4.4.157-i586-1.txz\n0e3bfc4ca162f7e804f9503355d85bec kernel-huge-smp-4.4.157_smp-i686-1.txz\n8bf4a2236dae7c3c4bdbac5df2e4818e kernel-modules-4.4.157-i586-1.txz\nedaaa0d85fba3e7181f94ab8c3f21dfb kernel-modules-smp-4.4.157_smp-i686-1.txz\n0f67c5ebc78917d5e94bf07bcdefb8b6 kernel-source-4.4.157_smp-noarch-1.txz\n\nSlackware x86_64 14.2 packages:\n4cbc3917d30e3ec997f23aadfbb20d2f kernel-firmware-20180913_44d4fca-noarch-1.txz\n4e50bbe9a3b7232aeb0679eda5325f87 kernel-generic-4.4.157-x86_64-1.txz\nef8d303cfa4855d39a28f94181752936 kernel-headers-4.4.157-x86-1.txz\n9f531d40bd2151bc0276f8cb5342c38c kernel-huge-4.4.157-x86_64-1.txz\n9911b7530358ba7877eacc8bf1c7d215 kernel-modules-4.4.157-x86_64-1.txz\n91cfbd23a457cdf43ddcfd6b4ae567a5 kernel-source-4.4.157-noarch-1.txz\n\n\nInstallation instructions:\n\nUpgrade the packages as root:\n > upgradepkg kernel-*.txz\n\nIf you are using an initrd, you'll need to rebuild it.\n\nFor a 32-bit SMP machine, use this command (substitute the appropriate\nkernel version if you are not running Slackware 14.2):\n > /usr/share/mkinitrd/mkinitrd_command_generator.sh -k 4.4.157-smp | bash\n\nFor a 64-bit machine, or a 32-bit uniprocessor machine, use this command\n(substitute the appropriate kernel version if you are not running\nSlackware 14.2):\n > /usr/share/mkinitrd/mkinitrd_command_generator.sh -k 4.4.157 | bash\n\nPlease note that &quot;uniprocessor&quot; has to do with the kernel you are running,\nnot with the CPU. Most systems should run the SMP kernel (if they can)\nregardless of the number of cores the CPU has. If you aren't sure which\nkernel you are running, run &quot;uname -a&quot;. If you see SMP there, you are\nrunning the SMP kernel and should use the 4.4.157-smp version when running\nmkinitrd_command_generator. Note that this is only for 32-bit -- 64-bit\nsystems should always use 4.4.157 as the version.\n\nIf you are using lilo or elilo to boot the machine, you'll need to ensure\nthat the machine is properly prepared before rebooting.\n\nIf using LILO:\nBy default, lilo.conf contains an image= line that references a symlink\nthat always points to the correct kernel. No editing should be required\nunless your machine uses a custom lilo.conf. If that is the case, be sure\nthat the image= line references the correct kernel file. Either way,\nyou'll need to run &quot;lilo&quot; as root to reinstall the boot loader.\n\nIf using elilo:\nEnsure that the /boot/vmlinuz symlink is pointing to the kernel you wish\nto use, and then run eliloconfig to update the EFI System Partition.", "edition": 1, "reporter": "Slackware Linux Project", "published": "2018-09-21T12:47:55", "title": "Slackware 14.2 kernel", "type": "slackware", "enchantments": {}, "bulletinFamily": "unix", "cvelist": ["CVE-2018-17182"], "modified": "2018-09-21T12:47:55", "id": "SSA-2018-264-01", "href": "http://www.slackware.com/security/viewer.php?l=slackware-security&y=2018&m=slackware-security.693090", "cvss": {"score": 0.0, "vector": "NONE"}}], "atlassian": [{"lastseen": "2018-09-21T21:26:21", "references": [], "description": "Support for using os_username and os_password to authenticate when used as url query parameters has been deprecated in Jira 8.0.0. It is possible to disable support for os_username & os_password as url query parameters for authentication by setting allowUrlParameterValue to false in web.xml .", "edition": 1, "reporter": "dblack", "published": "2018-09-21T10:27:37", "title": "Deprecate support for authenticating using os_username, os_password as url query parameters", "type": "atlassian", "enchantments": {}, "bulletinFamily": "software", "affectedSoftware": [{"name": "JIRA Server (including JIRA Core)", "version": "8.0.0", "operator": "lt"}, {"name": "JIRA Server (including JIRA Core)", "version": "7.12.2", "operator": "le"}], "cvelist": [], "modified": "2018-09-21T10:31:03", "id": "ATLASSIAN:JRASERVER-67979", "href": "https://jira.atlassian.com/browse/JRASERVER-67979", "cvss": {"score": 0.0, "vector": "NONE"}}], "pentestpartners": [{"lastseen": "2018-09-21T16:43:55", "_object_types": ["robots.models.base.Bulletin", "robots.models.rss.RssBulletin"], "references": [], "description": "\n\nOne of the most interesting legal cases I\u2019ve read recently involves a theft of two containers of cobalt metal briquettes from a terminal at the port of Antwerp.\n\nOriginal judgment: <https://www.casemine.com/judgement/uk/5a8ff72360d03e7f57ea85a9>\n\nAppeal: <http://www.bailii.org/ew/cases/EWCA/Civ/2017/365.html>\n\nWhat drew me to this case was the amount of useful data that had entered the public domain concerning a crime involving containerised transport. Details of poor security practice had been disclosed in to the public domain as a result of the legal case.\n\nI believe the shipping industry can learn a great deal about basic security controls from this.\n\n### Container release\n\nIn many ports, containers are released to hauliers from a port on supply of a PIN code. The truck driver provides the PIN and will receive the appropriate container. This is known as an electronic release system or \u2018ERS\u2019 and was first implemented at Antwerp in 2011.\n\nThis PIN is communicated to the haulier in different ways depending on the port. This could involve email or a mobile application.\n\nIt didn\u2019t take long for criminals to realise that this single factor of authentication would be easy to exploit and use to steal containers: the crime took place in 2012.\n\nHowever, one also needs to know which container to target in order to maximise return on the theft: high value, easily tradable, untraceable commodities would be ideal.\n\nOne route to identify container contents would be to tap the EDIFACT messaging system, perhaps at a shipping agent. Agents also manage the process of issuing release codes from the port authority. An ideal candidate for the hacker to attack.\n\n### Improved release process\n\nThe judgements refer to an improved release process implemented after the original loss. Section 15 of the document discusses that containers will only be released to drivers from a specific transport company. ID would also be requested from the driver.\n\n * Clearly that isn\u2019t going to cause too much difficulty to a seasoned criminal intent on stealing high value container contents!\n\nSurely a better method would be to validate the driver via the transport company?\n\n### The hack\n\nForensic investigations carried out as part of criminal proceedings are referenced in the appeal documents.\n\nWhilst there is dispute whether the investigation ever occurred (clause 72), it suggests that PWC were engaged and discovered evidence of back doors or similar on the MSC agents (Steinweg) network. This may have led to container release codes being intercepted by hackers.\n\n**Clause 72:**\n\n\n\n_On 5 January 2017 Mr Duval was copied in on an email message from Glencore's solicitors \u2013 Gateley Plc - referring to an article in Bloomberg which suggested computer hacking at the offices of MSC Belgium. The article reported that technicians had found a bunch of surveillance devices on an MSC network and that MSC had hired a private investigator who had called PWC's digital forensics team which learned that computer hackers were intercepting network traffic to steal pin codes. Gateley on behalf of Glencore sought disclosure from MSC of documents in their control in respect of the matters referred to in the article. Mr Duval emailed later saying that he was instructed by MSC that there was not and never had been a PWC report._\n\n\n\nIt appears from clause 73 that two attempts were made via malicious PDF attachments to email, sent to a general mail account at Steinweg.\n\n**Clause 73:**\n\n\n\n_The material obtained from the criminal file included two statements which, Mr Duval suggested, revealed that the hacking had not been at MSC but at Steinweg. The first statement from Ms Sarah Ooms to the police dated 20 June 2012, two days before MSC Belgium sent the codes to Steinweg, stated that on 14 June 2012 her computer was hacked and that a second attempt was made on 19 June 2012 on both her computer and that of Charles Reynolds-Payne, Steinweg's commercial manager._\n\n\n\nClause 74 suggests that these were not in fact PDF attachments, but malicious files that would install rogue software. This is classic email-borne phishing activity.\n\nWhilst information in clause 74 indicates that no-one installed the rogue file, I find that hard to believe.\n\n**Clause 74:**\n\n\n\n_What the hacking consisted of was that an email of 14 June 2012 appeared to come from CSAV, another shipping line which makes use of the MSC Home Terminal, and was sent to what was a general email address for Steinweg so that everyone in the office received it. Attached to the email was a PDF file to which a CSAV bill of lading was attached. In the bill, Ms Ooms was mentioned in the box specifying Steinweg as the Notify Party as the person for whose attention any notification should be given. On opening the document she received an indication that she should execute an Acrobat Reader update from a specified website. She did not do so. Nor did she believe that any of her colleagues did so either. She contacted a man at CSAV in the Netherlands who said that he had not sent the email._\n\n\n\nSeveral individuals at different organisations involved in the PIN release system received similar emails, forged to appear to come from each other.\n\nThis shows knowledge of the release system and operational processes. Clearly, the hackers either knew the process from insider information or had worked it out from open source intelligence gathering.\n\nWhether or not this was the source of the back door is not clear, as there is also evidence of physical compromise of the agents offices:\n\n### Physical compromise\n\nClause 78 indicates that a physical implant was placed at the agents office. An unauthorised NAS was found on the network, an \u2018appliance which permits unlawful remote\u2019 access. Aside from the amusing misunderstanding of the function of a NAS, the agents IT department claimed that their firewall had blocked its access to the internet. I find it very hard to believe that a hacker prepared to take the risk of planting a physical back door would have any difficulty circumventing that firewall!\n\n**Clause 78:**\n\n\n\n_The second statement was from Mr Graziano Asnot, the Steinweg systems manager, and was dated 15 July 2014. He stated that an NAS appliance was found in the office next to the office of Steinweg's financial director. This is apparently an appliance which permits unlawful remote electronic eavesdropping and snooping. A check was made of log data which revealed that an active appliance had tried to make outside contact. This had been blocked by the fire wall so that, Mr Asnot suspected, no data had got out through the company network. There was no information as to when the appliance was placed and MSC submits that there was, therefore, no reason to think that it had not been in place for a long period and indeed as far back as June 2012, the time of the theft. On that evidence there is, in fact, no way of telling._\n\n\n\nThe agent IT systems manager stated that the firewall logs were checked. A skilled hacker would have little difficulty modifying the logs if any errors had been made with configuration of the firewall.\n\nPlanting of physical back doors indicates a well resourced criminal group that had detailed knowledge of port and agent systems.\n\n### Inconsistencies in the evidence\n\n\u201cconfirmation from the IT department that employees were not allowed to perform updates save onto laptops.\u201d\n\nThe email attachment was not an update. It was malware! That employees were not allowed to install updates probably didn\u2019t have much bearing on the success of the malware.\n\n\u201cunderstood from the police that it was thought that in some way the thieves were able to hack one or other of the parties involved in order to gain the containers but that, so far as he was aware, the police inquiries into the incident had not yet reached a conclusion.\u201d\n\nI believe this comment is from the initial trial in 2014. Two years after the incident and police authorities had still not concluded an investigation!\n\n### Wider issue at the Port of Antwerp?\n\nSteinweg apparently had another case of cobalt briquettes being stolen in November 2011, through a similar method.\n\nHowever \u2018_cyber-crime had been an issue in the port of Antwerp__\u2019 _Wow!\n\n### Conclusion and learnings\n\nCriminals clearly realised that the single-factor PIN release system at the port of Antwerp was vulnerable to compromise.\n\nThrough relatively simple phishing and then placement of physical back doors at shipping agent(s), the PIN release codes were compromised.\n\nHigh value, untraceable commodities were stolen in containers over a significant period of time.\n\nGiven the returns from the crimes, I would not be surprised to discover that inside information had been extracted from employees by the criminals.\n\nEven after the thefts were discovered, sufficiently robust controls were not immediately put in place to prevent future theft.\n\nThis incident is from 2012. It shows to me that, where security controls are weak, criminals will quickly take advantage.\n\nYet, even today, shipping lines, agents and ports do not put sufficient effort in to securing their systems from attack. The returns for criminals are significant, load theft will continue apace.", "reporter": "Ken Munro", "published": "2018-09-21T08:01:51", "type": "pentestpartners", "title": "Container theft, the legal system and poor maritime security", "enchantments": {"score": {"modified": "2018-09-21T16:43:55", "vector": "NONE", "value": 5.0}}, "bulletinFamily": "blog", "cvelist": [], "_object_type": "robots.models.rss.RssBulletin", "modified": "2018-09-21T08:01:51", "id": "PENTESTPARTNERS:5B46895B1C377A650C984B31AE71B072", "href": "https://www.pentestpartners.com/security-blog/container-theft-the-legal-system-and-poor-maritime-security/", "cvss": {"score": 0.0, "vector": "NONE"}}], "kitploit": [{"lastseen": "2018-09-21T10:59:42", "references": [], "description": "[  ](<https://3.bp.blogspot.com/-K50Pj5B5cf8/UrbxaO95lDI/AAAAAAAABao/4MCO0p2-Omk/s1600/find_alnum.png>)\n\n \n \n\n\nThe WinAppDbg python module allows developers to quickly code instrumentation scripts in Python under a Windows environment. \n\n \n\n\nIt uses ctypes to wrap many Win32 API calls related to debugging, and provides an object-oriented abstraction layer to manipulate threads, libraries and processes, attach your script as a debugger, trace execution, hook API calls, handle events in your debugee and set breakpoints of different kinds (code, hardware and memory). Additionally it has no native code at all, making it easier to maintain or modify than other debuggers on Windows. \n\n \n\n\nThe intended audience are QA engineers and software security auditors wishing to test / fuzz Windows applications with quickly coded Python scripts. Several ready to use utilities are shipped and can be used for this purposes. \n\n \n\n\nCurrent features also include disassembling x86/x64 native code, debugging multiple processes simultaneously and produce a detailed log of application crashes, useful for fuzzing and automated testing. \n\n \n\n\n** What\u2019s new in this version? **\n\n \n\n\nIn a nutshell\u2026 \n\n * full 64-bit support (including function hooks!) \n * added support for Windows Vista and above. \n * database code migrated to SQLAlchemy, tested on: \n\n * MySQL \n * SQLite 3 \n * Microsoft SQL Server \n\nshould work on other servers too (let me know if it doesn\u2019t!) \n\n * added integration with more disassemblers: \n\n * BeaEngine: [ http://www.beaengine.org/ ](<http://www.beaengine.org/>)\n * Capstone: [ http://capstone-engine.org/ ](<http://capstone-engine.org/>)\n * Libdisassemble: [ http://www.immunitysec.com/resources-freesoftware.shtml ](<https://www.immunitysec.com/resources-freesoftware.shtml>)\n * PyDasm: [ https://code.google.com/p/libdasm/ ](<https://code.google.com/p/libdasm/>)\n * added support for postmortem (just-in-time) debugging \n * added support for deferred breakpoints \n * now fully supports manipulating and debugging system services \n * the interactive command-line debugger is now launchable from your scripts (thanks Zen One for the idea!) \n * more UAC-friendly, only requests the privileges it needs before any action \n * added functions to work with UAC and different privilege levels, so it\u2019s now possible to run debugees with lower privileges than the debugger \n * added memory search and registry search support \n * added string extraction functionality \n * added functions to work with DEP settings \n * added a new event handler, EventSift, that can greatly simplify coding a debugger script to run multiple targets at the same time \n * added new utility functions to work with colored console output \n * several improvements to the Crash Logger tool \n * integration with already open debugging sessions from other libraries is now possible \n * improvements to the Process and GUI instrumentation functionality \n * implemented more anti-antidebug tricks \n * more tools and code examples, and improvements to the existing ones \n * more Win32 API wrappers \n * lots of miscellaneous improvements, more documentation and bugfixes as usual! \n \n\n\n** [ Download WinAppDbg 1.5 ](<http://winappdbg.sourceforge.net/#download>) **\n", "edition": 2, "reporter": "KitPloit", "published": "2018-09-21T04:16:40", "title": "[WinAppDbg 1.5] Python Debugger", "type": "kitploit", "enchantments": {"score": {"modified": "2018-09-21T10:59:42", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "tools", "cvelist": [], "modified": "2018-09-21T04:16:40", "toolHref": "http://winappdbg.sourceforge.net/#download", "id": "KITPLOIT:2859184193185447815", "href": "http://www.kitploit.com/2013/12/winappdbg-15-python-debugger.html", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-09-21T11:01:30", "references": ["https://github.com/fredericopissarra/t50"], "description": "[  ](<https://4.bp.blogspot.com/-o_Hx6Yydl1k/V3nJ2aWOmgI/AAAAAAAAF1E/0LLrkwJlQzgpfvebsNyvMhQLkuIyy2MywCLcB/s1600/t50.png>)\n\n \n\n\nT50 (f.k.a. F22 Raptor) is a tool designed to perform \"Stress Testing\". The concept started on 2001, right after release 'nb-isakmp.c', and the main goal was: \n\n * Having a tool to perform TCP/IP protocol fuzzer, covering common regular protocols, such as: ICMP, TCP and UDP. \n\n \n\n\nThings have changed, and the T50 became a good unique resource capable to perform \"Stress Testing\". And, after checking the \"/usr/include/linux\", some protocols were chosen to be part of its coverage: \n\n 1. ICMP - Internet Control Message Protocol \n 2. IGMP - Internet Group Management Protocol \n 3. TCP - Transmission Control Protocol \n 4. UDP - User Datagram Protocol \n\n \n\n\nWhy \"Stress Testing\"? Well, because when people are designing a new network infra-structure (eg. Datacenter serving to Cloud Computing) they think about: \n\n 1. High-Availability \n 2. Load Balancing \n 3. Backup Sites (Cold Sites, Hot Sites, and Warm Sites) \n 4. Disaster Recovery \n 5. Data Redundancy \n 6. Service Level Agreements \n 7. Etc... \n\n \n\n\nBut almost nobody thinks about \"Stress Testing\", or even performs any test to check how the networks infra-structure behaves under stress, under overload, and under attack. Even during a Penetration Test, people prefer not running any kind of Denial-of-Service testing. Even worse, those people are missing one of the three key concepts of security that are common to risk management: \n\n * Confidentiality \n * Integrity \n * AVAILABILITY \n\n \n\n\nT50 was designed to perform \u201cStress Testing\u201d on a variety of infra-structure network devices (Version 2.45), using widely implemented protocols, and after some requests it was was re-designed to extend the tests (as of Version 5.3), covering some regular protocols (ICMP, TCP and UDP), some infra-structure specific protocols (GRE, IPSec and RSVP), and some routing protocols (RIP, \n\nEIGRP and OSPF). \n\n \n\n\nThis new version (Version 5.3) is focused on internal infra-structure, which allows people to test the availability of its resources, and cobering: \n\n 1. Interior Gateway Protocols (Distance Vector Algorithm): \n 1. Routing Information Protocol (RIP) \n 2. Enhanced Interior Gateway Routing Protocol (EIGRP) \n 2. Interior Gateway Protocols (Link State Algorithm): \n 1. Open Shortest Path First (OSPF) \n 3. Quality-of-Service Protocols: \n 1. Resource ReSerVation Protocol (RSVP). \n 4. Tunneling/Encapsulation Protocols: \n 1. Generic Routing Encapsulation (GRE). \n\n \n\n\nT50 is a powerful and unique packet injector tool, which is capable to: \n\n 1. Send sequentially the following fifteen (15) protocols: \n 1. ICMP - Internet Control Message Protocol \n 2. IGMPv1 - Internet Group Management Protocol v1 \n 3. IGMPv3 - Internet Group Management Protocol v3 \n 4. TCP - Transmission Control Protocol \n 5. EGP - Exterior Gateway Protocol \n 6. UDP - User Datagram Protocol \n 7. RIPv1 - Routing Information Protocol v1 \n 8. RIPv2 - Routing Information Protocol v2 \n 9. DCCP - Datagram Congestion Control Protocol \n 10. RSVP - Resource ReSerVation Protocol \n 11. GRE - Generic Routing Encapsulation \n 12. IPSec - Internet Protocol Security (AH/ESP) \n 13. EIGRP - Enhanced Interior Gateway Routing Protocol \n 14. OSPF - Open Shortest Path First \n 2. It is the only tool capable to encapsulate the protocols (listed above) within Generic Routing Encapsulation (GRE). \n 3. Send an (quite) incredible amount of packets per second, making it a \"second to none\" tool: \n * More than 1,000,000 pps of SYN Flood (+50% of the network uplink) in a 1000BASE-T Network (Gigabit Ethernet). \n * More than 120,000 pps of SYN Flood (+60% of the network uplink) in a 100BASE-TX Network (Fast Ethernet). \n* Perform \"Stress Testing\" on a variety of network infrastructure, network devices and security solutions in place. \n* Simulate \"Distributed Denial-of-Service\" &amp; \"Denial-of-Service\" attacks, validating Firewall rules, Router ACLs, Intrusion Detection System and Intrusion Prevention System policies. \n\n \n\n\nThe main differentiator of the T50 is that it is able to send all protocols, sequentially, using one single SOCKET, besides it is capable to be used to modify network routes, letting IT Security Professionals performing advanced \"Penetration Test\". \n\n \n** Install ** \n\n \n \n sudo apt-get install build-essential\n git clone https://github.com/fredericopissarra/t50\n cd t50\n ./configure\n sudo make install\n\n \n** Usage ** \n\n \n \n $ t50 --help\n T50 Experimental Mixed Packet Injector Tool 5.6.3\n Originally created by Nelson Brito\n Previously maintained by Fernando Merc\u00eas\n Maintained by Frederico Lamberti Pissarra\n \n Usage: t50 host [options]\n Common Options:\n --threshold NUM Threshold of packets to send (default 1000)\n --flood This option supersedes the 'threshold'\n --encapsulated Encapsulated protocol (GRE) (default OFF)\n -B,--bogus-csum Bogus checksum (default OFF)\n --turbo Extend the performance (default OFF)\n -l,--list-protocols List all available protocols\n -v,--version Print version and exit\n -h,--help Display this help and exit\n \n GRE Options:\n --gre-seq-present GRE sequence # present (default OFF)\n --gre-key-present GRE key present (default OFF)\n --gre-sum-present GRE checksum present (default OFF)\n --gre-key NUM GRE key (default RANDOM)\n --gre-sequence NUM GRE sequence # (default RANDOM)\n --gre-saddr ADDR GRE IP source IP address (default RANDOM)\n --gre-daddr ADDR GRE IP destination IP address (default RANDOM)\n \n DCCP/TCP/UDP Options:\n --sport NUM DCCP|TCP|UDP source port (default RANDOM)\n --dport NUM DCCP|TCP|UDP destination port (default RANDOM)\n \n TCP Options:\n --acknowledge NUM TCP ACK sequence # (default RANDOM)\n --sequence NUM TCP SYN sequence # (default RANDOM)\n --data-offset NUM TCP data offset (default 5)\n -F,--fin TCP FIN flag (default OFF)\n -S,--syn TCP SYN flag (default OFF)\n -R,--rst TCP RST flag (default OFF)\n -P,--psh TCP PSH flag (default OFF)\n -A,--ack TCP ACK flag (default OFF)\n -U,--urg TCP URG flag (default OFF)\n -E,--ece TCP ECE flag (default OFF)\n -C,--cwr TCP CWR flag (default OFF)\n -W,--window NUM TCP Window size (default NONE)\n --urg-pointer NUM TCP URG pointer (default NONE)\n --mss NUM TCP Maximum Segment Size (default NONE)\n --wscale NUM TCP Window Scale (default NONE)\n --tstamp NUM:NUM TCP Timestamp (TSval:TSecr) (default NONE)\n --sack-ok TCP SACK-Permitted (default OFF)\n --ttcp-cc NUM T/TCP Connection Count (CC) (default NONE)\n --ccnew NUM T/TCP Connection Count (CC.NEW) (default NONE)\n --ccecho NUM T/TCP Connection Count (CC.ECHO) (default NONE)\n --sack NUM:NUM TCP SACK Edges (Left:Right) (default NONE)\n --md5-signature TCP MD5 signature included (default OFF)\n --authentication TCP-AO authentication included (default OFF)\n --auth-key-id NUM TCP-AO authentication key ID (default 1)\n --auth-next-key NUM TCP-AO authentication next key (default 1)\n --nop TCP No-Operation (default EOL)\n \n IP Options:\n -s,--saddr ADDR IP source IP address (default RANDOM)\n --tos NUM IP type of service (default 0x40)\n --id NUM IP identification (default RANDOM)\n --frag-offset NUM IP fragmentation offset (default 0)\n --ttl NUM IP time to live (default 255)\n --protocol PROTO IP protocol (default TCP)\n \n ICMP Options:\n --icmp-type NUM ICMP type (default 8)\n --icmp-code NUM ICMP code (default 0)\n --icmp-gateway ADDR ICMP redirect gateway (default RANDOM)\n --icmp-id NUM ICMP identification (default RANDOM)\n --icmp-sequence NUM ICMP sequence # (default RANDOM)\n \n EGP Options:\n --egp-type NUM EGP type (default 3)\n --egp-code NUM EGP code (default 3)\n --egp-status NUM EGP status (default 1)\n --egp-as NUM EGP autonomous system (default RANDOM)\n --egp-sequence NUM EGP sequence # (default RANDOM)\n --egp-hello NUM EGP hello interval (default RANDOM)\n --egp-poll NUM EGP poll interval (default RANDOM)\n \n RIP Options:\n --rip-command NUM RIPv1/v2 command (default 2)\n --rip-family NUM RIPv1/v2 address family (default 2)\n --rip-address ADDR RIPv1/v2 router address (default RANDOM)\n --rip-metric NUM RIPv1/v2 router metric (default RANDOM)\n --rip-domain NUM RIPv2 router domain (default RANDOM)\n --rip-tag NUM RIPv2 router tag (default RANDOM)\n --rip-netmask ADDR RIPv2 router subnet mask (default RANDOM)\n --rip-next-hop ADDR RIPv2 router next hop (default RANDOM)\n --rip-authentication RIPv2 authentication included (default OFF)\n --rip-auth-key-id NUM RIPv2 authentication key ID (default 1)\n --rip-auth-sequence NUM RIPv2 authentication sequence # (default RANDOM)\n \n DCCP Options:\n --dccp-data-offset NUM DCCP data offset (default VARY)\n --dccp-cscov NUM DCCP checksum coverage (default 0)\n --dccp-ccval NUM DCCP HC-Sender CCID (default RANDOM)\n --dccp-type NUM DCCP type (default 0)\n --dccp-extended DCCP extend for sequence # (default OFF)\n --dccp-sequence-1 NUM DCCP sequence # (default RANDOM)\n --dccp-sequence-2 NUM DCCP extended sequence # (default RANDOM)\n --dccp-sequence-3 NUM DCCP sequence # low (default RANDOM)\n --dccp-service NUM DCCP service code (default RANDOM)\n --dccp-acknowledge-1 NUM DCCP acknowledgment # high (default RANDOM)\n --dccp-acknowledge-2 NUM DCCP acknowledgment # low (default RANDOM)\n --dccp-reset-code NUM DCCP reset code (default RANDOM)\n \n RSVP Options:\n --rsvp-flags NUM RSVP flags (default 1)\n --rsvp-type NUM RSVP message type (default 1)\n --rsvp-ttl NUM RSVP time to live (default 254)\n --rsvp-session-addr ADDR RSVP SESSION destination address (default RANDOM)\n --rsvp-session-proto NUM RSVP SESSION protocol ID (default 1)\n --rsvp-session-flags NUM RSVP SESSION flags (default 1)\n --rsvp-session-port NUM RSVP SESSION destination port (default RANDOM)\n --rsvp-hop-addr ADDR RSVP HOP neighbor address (default RANDOM)\n --rsvp-hop-iface NUM RSVP HOP logical interface (default RANDOM)\n --rsvp-time-refresh NUM RSVP TIME refresh interval (default 360)\n --rsvp-error-addr ADDR RSVP ERROR node address (default RANDOM)\n --rsvp-error-flags NUM RSVP ERROR flags (default 2)\n --rsvp-error-code NUM RSVP ERROR code (default 2)\n --rsvp-error-value NUM RSVP ERROR value (default 8)\n --rsvp-scope NUM RSVP SCOPE # of address(es) (default 1)\n --rsvp-address ADDR,... RSVP SCOPE address(es) (default RANDOM)\n --rsvp-style-option NUM RSVP STYLE option vector (default 18)\n --rsvp-sender-addr ADDR RSVP SENDER TEMPLATE address (default RANDOM)\n --rsvp-sender-port NUM RSVP SENDER TEMPLATE port (default RANDOM)\n --rsvp-tspec-traffic RSVP TSPEC service traffic (default OFF)\n --rsvp-tspec-guaranteed RSVP TSPEC service guaranteed (default OFF)\n --rsvp-tspec-r NUM RSVP TSPEC token bucket rate (default RANDOM)\n --rsvp-tspec-b NUM RSVP TSPEC token bucket size (default RANDOM)\n --rsvp-tspec-p NUM RSVP TSPEC peak data rate (default RANDOM)\n --rsvp-tspec-m NUM RSVP TSPEC minimum policed unit (default RANDOM)\n --rsvp-tspec-M NUM RSVP TSPEC maximum packet size (default RANDOM)\n --rsvp-adspec-ishop NUM RSVP ADSPEC IS HOP count (default RANDOM)\n --rsvp-adspec-path NUM RSVP ADSPEC path b/w estimate (default RANDOM)\n --rsvp-adspec-m NUM RSVP ADSPEC minimum path latency (default RANDOM)\n --rsvp-adspec-mtu NUM RSVP ADSPEC composed MTU (default RANDOM)\n --rsvp-adspec-guaranteed RSVP ADSPEC service guaranteed (default OFF)\n --rsvp-adspec-Ctot NUM RSVP ADSPEC ETE composed value C (default RANDOM)\n --rsvp-adspec-Dtot NUM RSVP ADSPEC ETE composed value D (default RANDOM)\n --rsvp-adspec-Csum NUM RSVP ADSPEC SLR point composed C (default RANDOM)\n --rsvp-adspec-Dsum NUM RSVP ADSPEC SLR point composed D (default RANDOM)\n --rsvp-adspec-controlled RSVP ADSPEC service controlled (default OFF)\n --rsvp-confirm-addr ADDR RSVP CONFIRM receiver address (default RANDOM)\n \n IPSEC Options:\n --ipsec-ah-length NUM IPSec AH header length (default NONE)\n --ipsec-ah-spi NUM IPSec AH SPI (default RANDOM)\n --ipsec-ah-sequence NUM IPSec AH sequence # (default RANDOM)\n --ipsec-esp-spi NUM IPSec ESP SPI (default RANDOM)\n --ipsec-esp-sequence NUM IPSec ESP sequence # (default RANDOM)\n \n EIGRP Options:\n --eigrp-opcode NUM EIGRP opcode (default 1)\n --eigrp-flags NUM EIGRP flags (default RANDOM)\n --eigrp-sequence NUM EIGRP sequence # (default RANDOM)\n --eigrp-acknowledge NUM EIGRP acknowledgment # (default RANDOM)\n --eigrp-as NUM EIGRP autonomous system (default RANDOM)\n --eigrp-type NUM EIGRP type (default 258)\n --eigrp-length NUM EIGRP length (default NONE)\n --eigrp-k1 NUM EIGRP parameter K1 value (default 1)\n --eigrp-k2 NUM EIGRP parameter K2 value (default 0)\n --eigrp-k3 NUM EIGRP parameter K3 value (default 1)\n --eigrp-k4 NUM EIGRP parameter K4 value (default 0)\n --eigrp-k5 NUM EIGRP parameter K5 value (default 0)\n --eigrp-hold NUM EIGRP parameter hold time (default 360)\n --eigrp-ios-ver NUM.NUM EIGRP IOS release version (default 12.4)\n --eigrp-rel-ver NUM.NUM EIGRP PROTO release version (default 1.2)\n --eigrp-next-hop ADDR EIGRP [in|ex]ternal next-hop (default RANDOM)\n --eigrp-delay NUM EIGRP [in|ex]ternal delay (default RANDOM)\n --eigrp-bandwidth NUM EIGRP [in|ex]ternal bandwidth (default RANDOM)\n --eigrp-mtu NUM EIGRP [in|ex]ternal MTU (default 1500)\n --eigrp-hop-count NUM EIGRP [in|ex]ternal hop count (default RANDOM)\n --eigrp-load NUM EIGRP [in|ex]ternal load (default RANDOM)\n --eigrp-reliability NUM EIGRP [in|ex]ternal reliability (default RANDOM)\n --eigrp-daddr ADDR/CIDR EIGRP [in|ex]ternal address(es) (default RANDOM)\n --eigrp-src-router ADDR EIGRP external source router (default RANDOM)\n --eigrp-src-as NUM EIGRP external autonomous system (default RANDOM)\n --eigrp-tag NUM EIGRP external arbitrary tag (default RANDOM)\n --eigrp-proto-metric NUM EIGRP external protocol metric (default RANDOM)\n --eigrp-proto-id NUM EIGRP external protocol ID (default 2)\n --eigrp-ext-flags NUM EIGRP external flags (default RANDOM)\n --eigrp-address ADDR EIGRP multicast sequence address (default RANDOM)\n --eigrp-multicast NUM EIGRP multicast sequence # (default RANDOM)\n --eigrp-authentication EIGRP authentication included (default OFF)\n --eigrp-auth-key-id NUM EIGRP authentication key ID (default 1)\n \n OSPF Options:\n --ospf-type NUM OSPF type (default 1)\n --ospf-length NUM OSPF length (default NONE)\n --ospf-router-id ADDR OSPF router ID (default RANDOM)\n --ospf-area-id ADDR OSPF area ID (default 0.0.0.0)\n -1,--ospf-option-MT OSPF multi-topology / TOS-based (default RANDOM)\n -2,--ospf-option-E OSPF external routing capability (default RANDOM)\n -3,--ospf-option-MC OSPF multicast capable (default RANDOM)\n -4,--ospf-option-NP OSPF NSSA supported (default RANDOM)\n -5,--ospf-option-L OSPF LLS data block contained (default RANDOM)\n -6,--ospf-option-DC OSPF demand circuits supported (default RANDOM)\n -7,--ospf-option-O OSPF Opaque-LSA (default RANDOM)\n -8,--ospf-option-DN OSPF DOWN bit (default RANDOM)\n --ospf-netmask ADDR OSPF router subnet mask (default RANDOM)\n --ospf-hello-interval NUM OSPF HELLO interval (default RANDOM)\n --ospf-hello-priority NUM OSPF HELLO router priority (default 1)\n --ospf-hello-dead NUM OSPF HELLO router dead interval (default 360)\n --ospf-hello-design ADDR OSPF HELLO designated router (default RANDOM)\n --ospf-hello-backup ADDR OSPF HELLO backup designated (default RANDOM)\n --ospf-neighbor NUM OSPF HELLO # of neighbor(s) (default NONE)\n --ospf-address ADDR,... OSPF HELLO neighbor address(es) (default RANDOM)\n --ospf-dd-mtu NUM OSPF DD MTU (default 1500)\n --ospf-dd-dbdesc-MS OSPF DD master/slave bit option (default RANDOM)\n --ospf-dd-dbdesc-M OSPF DD more bit option (default RANDOM)\n --ospf-dd-dbdesc-I OSPF DD init bit option (default RANDOM)\n --ospf-dd-dbdesc-R OSPF DD out-of-band resync (default RANDOM)\n --ospf-dd-sequence NUM OSPF DD sequence # (default RANDOM)\n --ospf-dd-include-lsa OSPF DD include LSA header (default OFF)\n --ospf-lsa-age NUM OSPF LSA age (default 360)\n --ospf-lsa-do-not-age OSPF LSA do not age (default OFF)\n --ospf-lsa-type NUM OSPF LSA type (default 1)\n --ospf-lsa-id ADDR OSPF LSA ID address (default RANDOM)\n --ospf-lsa-router ADDR OSPF LSA advertising router (default RANDOM)\n --ospf-lsa-sequence NUM OSPF LSA sequence # (default RANDOM)\n --ospf-lsa-metric NUM OSPF LSA metric (default RANDOM)\n --ospf-lsa-flag-B OSPF Router-LSA border router (default RANDOM)\n --ospf-lsa-flag-E OSPF Router-LSA external router (default RANDOM)\n --ospf-lsa-flag-V OSPF Router-LSA virtual router (default RANDOM)\n --ospf-lsa-flag-W OSPF Router-LSA wild router (default RANDOM)\n --ospf-lsa-flag-NT OSPF Router-LSA NSSA translation (default RANDOM)\n --ospf-lsa-link-id ADDR OSPF Router-LSA link ID (default RANDOM)\n --ospf-lsa-link-data ADDR OSPF Router-LSA link data (default RANDOM)\n --ospf-lsa-link-type NUM OSPF Router-LSA link type (default 1)\n --ospf-lsa-attached ADDR OSPF Network-LSA attached router (default RANDOM)\n --ospf-lsa-larger OSPF ASBR/NSSA-LSA ext. larger (default OFF)\n --ospf-lsa-forward ADDR OSPF ASBR/NSSA-LSA forward (default RANDOM)\n --ospf-lsa-external ADDR OSPF ASBR/NSSA-LSA external (default RANDOM)\n --ospf-vertex-router OSPF Group-LSA type router (default RANDOM)\n --ospf-vertex-network OSPF Group-LSA type network (default RANDOM)\n --ospf-vertex-id ADDR OSPF Group-LSA vertex ID (default RANDOM)\n --ospf-lls-extended-LR OSPF LLS Extended option LR (default OFF)\n --ospf-lls-extended-RS OSPF LLS Extended option RS (default OFF)\n --ospf-authentication OSPF authentication included (default OFF)\n --ospf-auth-key-id NUM OSPF authentication key ID (default 1)\n --ospf-auth-sequence NUM OSPF authentication sequence # (default RANDOM)\n \n Some considerations while running this program:\n 1. There is no limitation of using as many options as possible.\n 2. Report t50 bugs at https://github.com/fredericopissarra/t50.git.\n 3. Some header fields with default values MUST be set to '0' for RANDOM.\n 4. Mandatory arguments to long options are mandatory for short options too.\n 5. Be nice when using t50, the author DENIES its use for DoS/DDoS purposes.\n 6. Running t50 with '--protocol T50' option sends ALL protocols sequentially.\n \n\n \n[ \n](<https://github.com/fredericopissarra/t50>) \n\n\n[ ** Download T50 ** ](<https://github.com/fredericopissarra/t50>)\n", "edition": 2, "reporter": "KitPloit", "published": "2018-09-21T02:20:53", "title": "T50 - The Fastest Packet Injector", "type": "kitploit", "enchantments": {"score": {"modified": "2018-09-21T11:01:30", "vector": "NONE", "value": 7.5}}, "bulletinFamily": "tools", "cvelist": [], "modified": "2018-09-21T02:20:53", "toolHref": "https://github.com/fredericopissarra/t50", "id": "KITPLOIT:296108905078973984", "href": "http://www.kitploit.com/2016/07/t50-fastest-packet-injector.html", "cvss": {"score": 0.0, "vector": "NONE"}}], "openvas": [{"lastseen": "2018-09-21T16:05:29", "references": ["https://lists.debian.org/debian-lts-announce/2018/09/msg00023.html"], "pluginID": "1361412562310891512", "description": "n Open Redirect vulnerability has been discovered in sympa. The\n", "edition": 1, "reporter": "Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net", "published": "2018-09-21T00:00:00", "title": "Debian LTS Advisory ([SECURITY] [DLA 1512-1] sympa security update)", "type": "openvas", "enchantments": {}, "naslFamily": "Debian Local Security Checks", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-1000671"], "modified": "2018-09-21T00:00:00", "id": "OPENVAS:1361412562310891512", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891512", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: deb_dla_1512.nasl 11515 2018-09-21 08:49:04Z cfischer $\n#\n# Auto-generated from advisory DLA 1512-1 using nvtgen 1.0\n# Script version: 1.0\n#\n# Author:\n# Greenbone Networks\n#\n# Copyright:\n# Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891512\");\n script_version(\"$Revision: 11515 $\");\n script_cve_id(\"CVE-2018-1000671\");\n script_name(\"Debian LTS Advisory ([SECURITY] [DLA 1512-1] sympa security update)\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-09-21 10:49:04 +0200 (Fri, 21 Sep 2018) $\");\n script_tag(name:\"creation_date\", value:\"2018-09-21 00:00:00 +0200 (Fri, 21 Sep 2018)\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2018/09/msg00023.html\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2018 Greenbone Networks GmbH http://greenbone.net\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\\.[0-9]+\");\n script_tag(name:\"affected\", value:\"sympa on Debian Linux\");\n script_tag(name:\"insight\", value:\"Sympa is a scalable and highly customizable modern mailing list manager\ncapable of handling big setups: 20.000 lists with 700,000 subscribers.\");\n script_tag(name:\"solution\", value:\"For Debian 8 'Jessie', this problem has been fixed in version\n6.1.23~dfsg-2+deb8u3.\n\nWe recommend that you upgrade your sympa packages.\");\n script_tag(name:\"summary\", value:\"n Open Redirect vulnerability has been discovered in sympa. The\n'referer' parameter of the wwsympa.fcgi login action can result in\nOpen redirection and potential Cross Site Scripting via data URIs.\nThis attack appear to be exploitable via Victim browser opening a\ncrafted URL supplied by the attacker.\");\n script_tag(name:\"vuldetect\", value:\"This check tests the installed software version using the apt package manager.\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"sympa\", ver:\"6.1.23~dfsg-2+deb8u3\", rls_regex:\"DEB8\\.[0-9]+\", remove_arch:TRUE )) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99);\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}]}