Category Archives: Vulnerability Management

Cisco September 2012 Security Advisory Bundle Review

Cisco released, on 26 September 2012, during its bi-annual Security Advisory Bundle, 9 security bulletins dealing with 8 vulnerabilities. Eight of the advisories address vulnerabilities in Cisco IOS Software, and one advisory addresses a vulnerability in Cisco Unified Communications Manager.

cisco-sa-20120926-bgp – Cisco IOS Software Malformed Border Gateway Protocol Attribute Vulnerability

cisco-sa-20120926-bgp concerns Cisco IOS, IOS XR and IOS XE Software, which contain a vulnerability in the Border Gateway Protocol (BGP) routing protocol feature. Repeated exploitation of the vulnerability could leave an affected device unable to route packets to its BGP neighbors during reconvergence.

The vulnerability is identified as CVE-2012-4617, with a CVSS base score of 7.1, and was discovered internally by Cisco during testing.

cisco-sa-20120926-ios-ips – Cisco IOS Software Intrusion Prevention System Denial of Service Vulnerability

cisco-sa-20120926-ios-ips concerns the Intrusion Prevention System (IPS) feature of Cisco IOS Software. An unauthenticated, remote attacker could cause a reload of an affected device.

The vulnerability is identified as CVE-2012-3950, with a CVSS base score of 7.8, and was discovered while handling customer support requests.

cisco-sa-20120926-nat – Cisco IOS Software Network Address Translation Vulnerabilities

cisco-sa-20120926-nat concerns Cisco IOS Software Network Address Translation (NAT), which contains two denial of service (DoS) vulnerabilities.

CVE-2012-4618 and CVE-2012-4619 both have a CVSS base score of 7.8 and were discovered during troubleshooting of TAC service requests.

cisco-sa-20120926-c10k-tunnels – Cisco IOS Software Tunneled Traffic Queue Wedge Vulnerability

cisco-sa-20120926-c10k-tunnels concerns Cisco IOS Software on Cisco 10000 Series routers, which contains a vulnerability in the processing of IP tunneled packets. This vulnerability could lead to a denial of service (DoS).

The vulnerability is identified as CVE-2012-4620, with a CVSS base score of 7.8, and was discovered during troubleshooting of a customer issue.

cisco-sa-20120926-dhcpv6 – Cisco IOS Software DHCP Version 6 Server Denial of Service Vulnerability

cisco-sa-20120926-dhcpv6 concerns Cisco IOS Software and Cisco IOS XE Software, which contain a vulnerability that could lead to a denial of service (DoS).

The vulnerability is identified as CVE-2012-4623, with a CVSS base score of 7.1, and was discovered by Cisco during internal testing.

cisco-sa-20120926-ecc – Cisco Catalyst 4500E Series Switch with Cisco Catalyst Supervisor Engine 7L-E Denial of Service Vulnerability

cisco-sa-20120926-ecc concerns the Catalyst 4500E series switch with Supervisor Engine 7L-E, which contains a vulnerability that could lead to a denial of service (DoS).

The vulnerability is identified as CVE-2012-4622, with a CVSS base score of 7.8, and was discovered while handling customer service requests.

cisco-sa-20120926-dhcp – Cisco IOS Software DHCP Denial of Service Vulnerability

cisco-sa-20120926-dhcp concerns Cisco IOS Software, which contains a vulnerability that could lead to a denial of service (DoS).

The vulnerability is identified as CVE-2012-4621, with a CVSS base score of 7.8, and was discovered during troubleshooting of customer service requests.

cisco-sa-20120926-cucm – Cisco Unified Communications Manager Session Initiation Protocol Denial of Service Vulnerability

cisco-sa-20120926-cucm concerns Cisco Unified Communications Manager, which contains a vulnerability in its Session Initiation Protocol (SIP) implementation. This vulnerability could lead to a denial of service (DoS).

The vulnerability is identified as CVE-2012-3949, with a CVSS base score of 7.8, and was discovered during troubleshooting of TAC service requests.

cisco-sa-20120926-sip – Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerability

cisco-sa-20120926-sip concerns Cisco IOS Software and Cisco IOS XE Software, which contain a vulnerability in their Session Initiation Protocol (SIP) implementation. This vulnerability could lead to a denial of service (DoS).

The vulnerability is identified as CVE-2012-3949, with a CVSS base score of 7.8, and was discovered during troubleshooting of TAC service requests.

MS12-063 Out-of-Band Microsoft Security Update for Internet Explorer Fix 0day

Microsoft released, on 21 September 2012, as planned in its “Microsoft Security Bulletin Advance Notification for September 2012”, one security bulletin, MS12-063, which fixes 5 security vulnerabilities, including the 0day vulnerability I discovered last weekend.

The MS12-063 bulletin is rated Critical for Internet Explorer 6, Internet Explorer 7, Internet Explorer 8 and Internet Explorer 9 on Windows clients, and Moderate for Internet Explorer 6, Internet Explorer 7, Internet Explorer 8 and Internet Explorer 9 on Windows servers.

CVE-2012-1529 has an unknown CVSS base score and was discovered and privately reported by an anonymous researcher working with VeriSign iDefense Labs. The CVE number was assigned on 2012-03-08.

CVE-2012-2546 has an unknown CVSS base score and was discovered and privately reported by Rosario Valotta. The CVE number was assigned on 2012-05-09.

CVE-2012-2548 has an unknown CVSS base score and was discovered and privately reported by Stephen Fewer of Harmony Security, working with TippingPoint’s Zero Day Initiative. The CVE number was assigned on 2012-05-09.

CVE-2012-2557 has an unknown CVSS base score and was discovered and privately reported by an anonymous researcher working with TippingPoint’s Zero Day Initiative. The CVE number was assigned on 2012-05-09.

CVE-2012-4969 has a CVSS base score of 9.3 and, according to Microsoft, was discovered and privately reported by an anonymous researcher working with TippingPoint’s Zero Day Initiative and by Mitre. The CVE number was assigned on 2012-09-18. Something is wrong with this credit; I will write another blog post about this story.

I advise you to update as soon as possible.

VMware Security Advisory VMSA-2012-0013 Review

VMware released, on 30 August 2012, one security advisory, VMSA-2012-0013, concerning VMware vSphere and vCOps updates to third-party libraries.

vCenter and ESX update to JRE 1.6.0 Update 31

The Oracle Java used in vCenter and ESX is updated to JRE 1.6.0 Update 31, which fixes multiple vulnerabilities patched in the Oracle Java SE CPU of February 2012. The fixes from the Oracle Java SE CPU of June 2012 have still not been pushed; that CPU covers 14 vulnerabilities, 9 of which have a CVSS base score above 7.0. A known exploit for CVE-2012-1723 is also still active. Likewise, CVE-2012-0547, fixed in the Oracle Security Alert of 30 August 2012, is not fixed, but the CVSS base score of this vulnerability is 0.0.

vCenter 4.1 and ESX 4.1 are covered by this update, but no patches are yet available for vCenter 5.0 and Update Manager 5.0; those patches are pending.

vCenter Update Manager update to JRE 1.5.0 Update 36

The Oracle Java used in vCenter and ESX is updated to JRE 1.5.0 Update 36, which fixes multiple vulnerabilities patched in the Oracle Java SE CPU of June 2012. Update Manager 4.1 is covered by this update, but no patches are yet available for vCenter 4.0, VirtualCenter 2.5, Update Manager 4.0, ESX 4.0 and ESX 3.5; those patches are pending.

Update to ESX/ESXi userworld OpenSSL library

The OpenSSL library used in ESX and ESXi is updated from version 0.9.8p to version 0.9.8t to resolve nine security issues. Two of these nine security issues have a CVSS base score above 7.0. ESXi 4.1 and ESX 4.1 are covered by this update, but no patches are yet available for ESXi 5.0, ESXi 4.0, ESXi 3.5, ESX 4.0 and ESX 3.5; those patches are pending.
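The practical work behind the JRE and OpenSSL items above is deciding, per host, whether the installed build is at or past the version that carries the fix. That is harder than it looks because the version strings differ in shape: JRE builds appear as "1.6.0_31", "1.6.0 Update 31" or "7u7", and OpenSSL 0.9.8 releases are ordered by a trailing letter ("0.9.8p" precedes "0.9.8t"). The following Python script is an added example, not code from the advisory or from VMware: it normalizes both formats, compares each installed version against a baseline, and lists outdated hosts first. The baselines are the fixed versions named on this page (JRE 1.5.0_36 and OpenSSL 0.9.8t from VMSA-2012-0013; JRE 6u35 and 7u7 from the Oracle out-of-band update covered further down), and the host inventory is constructed for the example.

```python
import re

# Baseline (fixed) versions taken from the advisory text on this page.
# JRE families are keyed by major version so 6u35 is never compared to 7u7.
JRE_BASELINE = {5: "1.5.0_36", 6: "1.6.0_35", 7: "1.7.0_07"}
# OpenSSL branches are keyed by the numeric part; the letter orders releases.
OPENSSL_BASELINE = {(0, 9, 8): "0.9.8t"}


def parse_jre(version):
    """Normalize a JRE version string to (family, update).

    Accepts '1.6.0_31', '1.7.0_07', '1.6.0 Update 31' and the short '7u7' form.
    """
    v = version.strip()
    m = re.fullmatch(r"1\.(\d+)\.0(?:_| Update )(\d+)", v)
    if m is None:
        m = re.fullmatch(r"(\d+)u(\d+)", v)
    if m is None:
        raise ValueError("unrecognized JRE version: %r" % version)
    return (int(m.group(1)), int(m.group(2)))


def parse_openssl(version):
    """Normalize '0.9.8p' to (0, 9, 8, 'p'); the suffix sorts lexically."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", version.strip())
    if m is None:
        raise ValueError("unrecognized OpenSSL version: %r" % version)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def jre_status(installed):
    """'ok', 'outdated', or 'unknown-family' for a JRE version string."""
    family, update = parse_jre(installed)
    if family not in JRE_BASELINE:
        return "unknown-family"
    return "ok" if (family, update) >= parse_jre(JRE_BASELINE[family]) else "outdated"


def openssl_status(installed):
    """'ok', 'outdated', or 'unknown-branch' for an OpenSSL version string."""
    parsed = parse_openssl(installed)
    branch = parsed[:3]
    if branch not in OPENSSL_BASELINE:
        return "unknown-branch"
    return "ok" if parsed >= parse_openssl(OPENSSL_BASELINE[branch]) else "outdated"


CHECKERS = {"jre": jre_status, "openssl": openssl_status}


def triage(inventory):
    """Return (host, component, installed, status) rows, outdated hosts first."""
    rows = [(host, comp, ver, CHECKERS[comp](ver)) for host, comp, ver in inventory]
    rows.sort(key=lambda r: (r[3] != "outdated", r[0]))
    return rows


# Constructed sample inventory (hypothetical hosts, not from the advisory).
SAMPLE_INVENTORY = [
    ("esx-01", "jre", "1.6.0_31"),      # the JRE level VMSA-2012-0013 ships
    ("esx-01", "openssl", "0.9.8p"),    # pre-update userworld OpenSSL
    ("vum-01", "jre", "1.5.0_36"),
    ("esxi-02", "openssl", "0.9.8t"),
    ("ws-03", "jre", "7u6"),
    ("ws-04", "jre", "7u7"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print("{:<8} {:<8} {:<10} {}".format(*row))
```

Run as-is, the script reports esx-01 as outdated on both counts: its JRE 1.6.0_31 is behind the 6u35 baseline, which is exactly the gap the advisory review points out, and its OpenSSL 0.9.8p precedes 0.9.8t. Feeding the same rows from a real inventory export only requires replacing SAMPLE_INVENTORY.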

Update to ESX service console OpenSSL RPM

The OpenSSL RPM used in ESX is updated to version 0.9.8e-22.el5_8.3 to resolve a security issue. This security issue, CVE-2012-2110, has a CVSS base score of 7.5. ESX 4.1 is covered by this update, but no patch is yet available for ESX 4.0; that patch is pending.

Update to ESX service console kernel

The kernel used in ESX is updated to resolve 14 security issues. 3 of these 14 security issues have a CVSS base score above 7.0, and CVE-2011-1833 and CVE-2011-3209 have an unknown CVSS base score. ESX 4.1 is covered by this update, but no patch is yet available for ESX 4.0; that patch is pending.

Update to ESX service console Perl RPM

The Perl RPM used by ESX is updated to perl-5.8.8.32.1.8999.vmw to resolve three security issues. 1 of these 3 security issues has a CVSS base score of 7.5. ESX 4.1 is covered by this update, but no patch is yet available for ESX 4.0; that patch is pending.

Update to ESX service console libxml2 RPM

The libxml2 RPM used by ESX is updated to libxml2-2.6.26-2.1.15.el5_8.2 and libxml2-python-2.6.26-2.1.15.el5_8.2 to resolve a security issue. This security issue, CVE-2012-0841, has an unknown CVSS base score. ESX 4.1 is covered by this update, but no patch is yet available for ESX 4.0; that patch is pending.

Update to ESX service console glibc RPM

The glibc RPM used by ESX is updated to version glibc-2.5-81.el5_8.1 to resolve six security issues. CVE-2009-5029, CVE-2011-4609 and CVE-2012-0864 have an unknown CVSS base score. ESX 4.1 is covered by this update, but no patch is yet available for ESX 4.0; that patch is pending.

Update to ESX service console GnuTLS RPM

The GnuTLS RPM used by ESX is updated to version 1.4.1-7.el5_8.2 to resolve three security issues. ESX 4.1 is covered by this update, but no patch is yet available for ESX 4.0; that patch is pending.

Update to ESX service console popt, rpm, rpm-libs, and rpm-python RPMS

The popt, rpm, rpm-libs and rpm-python RPMs used in ESX are updated to resolve three security issues. ESX 4.1 is covered by this update, but no patch is yet available for ESX 4.0; that patch is pending.

Vulnerability in third-party Apache Struts component

Apache Struts used in vCOps is updated to version 2.3.4 to resolve five security issues. 2 of these 5 security issues have a CVSS base score of 9.3, and active exploits exist for them. vCOps 5.0.x and 1.0.x are affected by this patch.

CVE-2012-4681 Vulnerability Patched in Out-of-Band Oracle Java Update

Oracle had been under pressure since 26 August, the release date of technical information and exploit code for the Oracle Java 0day, which consists of two highly critical vulnerabilities.

Four days later Oracle released an out-of-band security patch, Java SE versions 7u7 (1.7.0_07) and 6u35 (1.6.0_35).

This out-of-band update corrects 4 vulnerabilities; 3 of the 4 have a CVSS base score of 10.0.

CVE-2012-4681, with a CVSS base score of 10.0, is one of the well-known vulnerabilities of the Java 7 0day and was discovered by Adam Gowdiak of Security Explorations in April 2012. This vulnerability affected Java 7 Update 6 and earlier.

CVE-2012-1682 has a CVSS base score of 10.0. This vulnerability affected Java 7 Update 6 and earlier.

CVE-2012-3136 has a CVSS base score of 10.0. This vulnerability affected Java 7 Update 6 and earlier.

CVE-2012-0547 has a CVSS base score of 0.0. This vulnerability affected Java 7 Update 6 and earlier, and Java 6 Update 34 and earlier.

But according to Security Explorations, there are still around 26 reported vulnerabilities that remain open, with unknown impact.

By default, an installed Java is configured for automatic update notification, but this process is also configured by default to run only every Sunday at 9:00 PM. That delay gives the bad guys more time... We highly recommend that you update your Java installation as soon as possible!

Unfortunately, the new update, Java 7 Update 7, contains a critical flaw, discovered by Security Explorations 24 hours after the release of the patch. This newly discovered security flaw allows an attacker to bypass the Java security sandbox completely, making it possible to install malware or execute malicious code on affected systems. No details are public at present, and no known exploit of the new flaw has yet been found in the wild. We can hope that this new security flaw will not be discovered by bad guys and that Oracle will patch it in its next scheduled release, on October 16.