CVE-2017-6627 Cisco IOS and IOS XE Software UDP Packet Processing Denial of Service Vulnerability (cisco-sa-20170906-ios-udp)

Vulnerability category: Cisco

Vulnerability severity:

Vulnerability information

A vulnerability in the UDP processing code of Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause the input queue of an affected system to hold UDP packets, causing an interface queue wedge and a denial of service condition.
The vulnerability is due to Cisco IOS Software application changes that create UDP sockets and leave the sockets idle without closing them.

Vulnerability impact

An attacker could exploit this vulnerability by sending UDP packets with a destination port of 0 to an affected device. A successful exploit could allow the attacker to cause UDP packets to be held in the input interface queue, resulting in a DoS condition. The input interface queue will stop holding UDP packets when it receives 250 packets.

Solution

Refer to Cisco advisory cisco-sa-20170906-ios-udp for updates and patch information.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

cisco-sa-20170906-snmp: CISCO IOS

0daybank

CVE-2017-12611 Apache Struts Freemarker Tag Remote Code Execution Vulnerability (S2-053)

Vulnerability category: Local

Vulnerability severity:

Vulnerability information

Apache Struts is an open-source Model-View-Controller (MVC) framework for creating elegant, modern Java web applications.

An RCE attack is possible when a developer uses the wrong construction in Freemarker tags (CVE-2017-12611). Affected software:
Struts 2.0.1 – Struts 2.3.33, Struts 2.5 – Struts 2.5.10

QID detection logic (Authenticated):
Detection looks for "struts core" jar files in the deployed web application directories and the lib folder of the Tomcat server. Once it finds the jar file, version information is extracted from that jar file and compared against the affected range.
Please note: Our detection does not support applications deployed with the server configuration unpackWARs=false.

Vulnerability impact

A remote attacker could exploit this vulnerability to execute arbitrary code.

Solution

The vendor has released advisories and updates to fix these vulnerabilities.
Refer to the following link for further details: Apache Struts Announcements 07 September 2017

Patch:
Following are links for downloading patches to fix the vulnerabilities:

S2-053 (Apache Struts )

CVE-2017-3142 IBM AIX BIND Security Bypass Vulnerability (bind_advisory16)

Vulnerability category: AIX

Vulnerability severity:

Vulnerability information

ISC BIND could allow a remote attacker to bypass security restrictions, caused by an error when an attacker can send and receive messages to an authoritative DNS server and has knowledge of a valid TSIG key name.

Affected Versions:
AIX 6.1, 7.1
APAR versions:
IV98826m9a, IV98827m3a

Note: The detection requires root privileges to run "emgr -c" to check for patches. Without such privileges, the detection may not output actual results.

Vulnerability impact

By sending a specially crafted request packet, an attacker could exploit this vulnerability to bypass TSIG authentication on AXFR requests and transfer the target zone.

Solution

The vendor has released fixes to resolve this vulnerability. Refer to AIX bind_advisory16 to obtain more information.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

bind_advisory16

CVE-2017-10108 IBM AIX Java Multiple Vulnerabilities (java_july2017_advisory)

Vulnerability category: AIX

Vulnerability severity:

Vulnerability information

There are multiple vulnerabilities in IBM SDK Java Technology Edition Versions 6, 7, 7.1, 8 that are used by AIX. These issues were disclosed as part of the IBM Java SDK updates in July 2017.

Affected Versions:
AIX 5.3, 6.1, 7.1, 7.2

Vulnerability impact

Successful exploitation allows remote attackers to affect confidentiality, integrity, and availability.

Solution

The vendor has released fixes to resolve this vulnerability. Refer to AIX java_july2017_advisory to obtain more information.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

java_july2017_advisory: AIX

CVE-2017-11283 Adobe Security Hotfix for ColdFusion (APSB17-30)

Vulnerability category: Local

Vulnerability severity:

Vulnerability information

Adobe ColdFusion is an application for developing Web sites.

Adobe has released security hotfixes for ColdFusion version 11 and the 2016 release. These hotfixes resolve an input validation issue that could be used in reflected XSS (cross-site scripting), External XML Entity (XXE) Reference and Deserialization of untrusted data.

Affected Versions:
ColdFusion (2016 release) Update 4 and earlier versions
ColdFusion 11 Update 12 and earlier versions

Vulnerability impact

Depending on the vulnerability being exploited, an unauthenticated, remote attacker could execute arbitrary Java or JavaScript code or exploit XXE.

Solution

The vendor has released a hotfix to patch this vulnerability. Please refer to APSB17-30 for detailed information.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

APSB17-30

CVE-2017-11281 Adobe Flash Player Remote Code Execution Vulnerability (APSB17-28)

Vulnerability category: Local

Vulnerability severity:

Vulnerability information

Adobe Flash Player is a cross-platform plugin that plays animations, videos and sound files in .SWF format.

These vulnerabilities could potentially allow an attacker to take control of the affected system. (CVE-2017-11281, CVE-2017-11282)

Affected Versions:
Adobe Flash Player 26.0.0.151 and earlier.

Vulnerability impact

Successful exploitation allows a remote, unauthenticated attacker to execute arbitrary code on a targeted system.

Solution

Customers are advised to refer to APSB17-28 for updates pertaining to this vulnerability.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

APSB17-28: Windows

APSB17-28: MAC OS X

CVE-2017-8676 Microsoft Lync and Skype for Business Security Update for September 2017

Vulnerability category: Office Application

Vulnerability severity:

Vulnerability information

Microsoft released security updates that resolve vulnerabilities in Microsoft Office that could allow remote code execution if a user opens a specially crafted Office file. The following updates were released in September 2017:
CVE-2017-8676: An information disclosure vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in memory, allowing an attacker to retrieve information from a targeted system.
CVE-2017-8695: An information disclosure vulnerability exists when Windows Uniscribe improperly discloses the contents of its memory. An attacker who successfully exploited the vulnerability could obtain information to further compromise the user's system.
CVE-2017-8696: A remote code execution vulnerability exists due to the way Windows Uniscribe handles objects in memory. An attacker who successfully exploited this vulnerability could take control of the affected system.

KB Articles associated with this update:
3213568, 4011040, 4011107, 4025865, 4025866, 4025867

Vulnerability impact

Successful exploitation allows an attacker to execute arbitrary code and bypass security restrictions to gain access to sensitive information.

Solution

Customers are advised to refer to Microsoft Security Guidance for more details pertaining to this vulnerability.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

KB4011107

KB4025865

KB4025866

KB4025867

KB3213568

KB4011040

CVE-2017-1000250 Red Hat Update for bluez (RHSA-2017:2685) (Blueborne)

Vulnerability category: RedHat

Vulnerability severity:

Vulnerability information

The bluez packages contain the following utilities for use in Bluetooth applications: hcitool, hciattach, hciconfig, bluetoothd, l2ping, start scripts (Red Hat), and pcmcia configuration files.

An information-disclosure flaw was found in the bluetoothd implementation of the Service Discovery Protocol (SDP). A specially crafted Bluetooth device could, without prior pairing or user interaction, retrieve portions of the bluetoothd process memory, including potentially sensitive information such as Bluetooth encryption keys. (CVE-2017-1000250)

Affected Products:
Red Hat Enterprise Linux Server 7 x86_64
Red Hat Enterprise Linux Server 6 x86_64
Red Hat Enterprise Linux Server 6 i386
Red Hat Enterprise Linux Server – Extended Update Support 7.4 x86_64
Red Hat Enterprise Linux Server – AUS 7.4 x86_64
Red Hat Enterprise Linux Workstation 7 x86_64
Red Hat Enterprise Linux Workstation 6 x86_64
Red Hat Enterprise Linux Workstation 6 i386
Red Hat Enterprise Linux Desktop 7 x86_64
Red Hat Enterprise Linux Desktop 6 x86_64
Red Hat Enterprise Linux Desktop 6 i386
Red Hat Enterprise Linux for IBM z Systems 7 s390x
Red Hat Enterprise Linux for IBM z Systems – Extended Update Support 7.4 s390x
Red Hat Enterprise Linux for Power, big endian 7 ppc64
Red Hat Enterprise Linux for Power, big endian 6 ppc64
Red Hat Enterprise Linux for Power, big endian – Extended Update Support 7.4 ppc64
Red Hat Enterprise Linux for Scientific Computing 7 x86_64
Red Hat Enterprise Linux for Scientific Computing 6 x86_64
Red Hat Enterprise Linux EUS Compute Node 7.4 x86_64
Red Hat Enterprise Linux for Power, little endian 7 ppc64le
Red Hat Enterprise Linux for Power, little endian – Extended Update Support 7.4 ppc64le
Red Hat Enterprise Linux Server for ARM 7 aarch64
Red Hat Enterprise Linux Server (for IBM Power LE) – 4 Year Extended Update Support 7.4 ppc64le
Red Hat Enterprise Linux Server – 4 Year Extended Update Support 7.4 x86_64

Vulnerability impact

A specially crafted Bluetooth device could, without prior pairing or user interaction, retrieve portions of the bluetoothd process memory, including potentially sensitive information such as Bluetooth encryption keys.

Solution

Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

Refer to Red Hat security advisory RHSA-2017:2685 to address this issue and obtain more information.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

RHSA-2017:2685: Red Hat Enterprise Linux

CVE-2017-1000251 Red Hat Update for kernel (RHSA-2017:2682) (Blueborne)

Vulnerability category: RedHat

Vulnerability severity:

Vulnerability information

The kernel packages contain the Linux kernel, the core of any Linux operating system.

A stack buffer overflow flaw was found in the way the Bluetooth subsystem of the Linux kernel processed pending L2CAP configuration responses from a client. On systems with the stack protection feature enabled in the kernel (CONFIG_CC_STACKPROTECTOR=y, which is enabled on all architectures other than s390x and ppc64[le]), an unauthenticated attacker able to initiate a connection to a system via Bluetooth could use this flaw to crash the system. Due to the nature of the stack protection feature, code execution cannot be fully ruled out, although we believe it is unlikely. On systems without the stack protection feature (ppc64[le]; the Bluetooth modules are not built on s390x), an unauthenticated attacker able to initiate a connection to a system via Bluetooth could use this flaw to remotely execute arbitrary code on the system with ring 0 (kernel) privileges. (CVE-2017-1000251, Important)

Affected Products:
Red Hat Enterprise Linux Server – Extended Update Support 6.7 x86_64
Red Hat Enterprise Linux Server – Extended Update Support 6.7 i386
Red Hat Enterprise Linux for IBM z Systems – Extended Update Support 6.7 s390x
Red Hat Enterprise Linux for Power, big endian – Extended Update Support 6.7 ppc64
Red Hat Enterprise Linux EUS Compute Node 6.7 x86_64

Vulnerability impact

An unauthenticated attacker able to initiate a connection to a system via Bluetooth could use this flaw to remotely execute arbitrary code on the system with ring 0 (kernel) privileges.

Solution

Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

Refer to Red Hat security advisory RHSA-2017:2682 to address this issue and obtain more information.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

RHSA-2017:2682: Red Hat Enterprise Linux

CVE-2017-1000251 Red Hat Update for kernel (RHSA-2017:2680) (Blueborne)

Vulnerability category: RedHat

Vulnerability severity:

Vulnerability information

The kernel packages contain the Linux kernel, the core of any Linux operating system.

A stack buffer overflow flaw was found in the way the Bluetooth subsystem of the Linux kernel processed pending L2CAP configuration responses from a client. On systems with the stack protection feature enabled in the kernel (CONFIG_CC_STACKPROTECTOR=y, which is enabled on all architectures other than s390x and ppc64[le]), an unauthenticated attacker able to initiate a connection to a system via Bluetooth could use this flaw to crash the system. Due to the nature of the stack protection feature, code execution cannot be fully ruled out, although we believe it is unlikely. On systems without the stack protection feature (ppc64[le]; the Bluetooth modules are not built on s390x), an unauthenticated attacker able to initiate a connection to a system via Bluetooth could use this flaw to remotely execute arbitrary code on the system with ring 0 (kernel) privileges. (CVE-2017-1000251, Important)

Affected Products:
Red Hat Enterprise Linux Server – Extended Update Support 7.3 x86_64
Red Hat Enterprise Linux for IBM z Systems – Extended Update Support 7.3 s390x
Red Hat Enterprise Linux for Power, big endian – Extended Update Support 7.3 ppc64
Red Hat Enterprise Linux EUS Compute Node 7.3 x86_64
Red Hat Enterprise Linux for Power, little endian – Extended Update Support 7.3 ppc64le
Red Hat Enterprise Linux Server (for IBM Power LE) – 4 Year Extended Update Support 7.3 ppc64le
Red Hat Enterprise Linux Server – 4 Year Extended Update Support 7.3 x86_64

Vulnerability impact

An unauthenticated attacker able to initiate a connection to a system via Bluetooth could use this flaw to remotely execute arbitrary code on the system with ring 0 (kernel) privileges.

Solution

Upgrade to the latest packages which contain a patch. Refer to Applying Package Updates to RHEL system for details.

Refer to Red Hat security advisory RHSA-2017:2680 to address this issue and obtain more information.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

RHSA-2017:2680: Red Hat Enterprise Linux