SSD Advisory – Linux Kernel XFRM Privilege Escalation

Want to get paid for a vulnerability similar to this one?
Contact us at: sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom
See our full scope at: https://blogs.securiteam.com/index.php/product_scope

Vulnerability Summary
The following advisory describes a Use-after-free vulnerability found in Linux kernel that can lead to privilege escalation. The vulnerability found in Netlink socket subsystem – XFRM.

Netlink is used to transfer information between the kernel and user-space processes. It consists of a standard sockets-based interface for user space processes and an internal kernel API for kernel modules.

Credit
An independent security researcher, Mohamed Ghannam, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program

Vendor response
The vulnerability has been addressed as part of 1137b5e (“ipsec: Fix aborted xfrm policy dump crash”) patch: CVE-2017-16939

Continue reading SSD Advisory – Linux Kernel XFRM Privilege Escalation

SSD Advisory – Cambium Multiple Vulnerabilities

Want to get paid for a vulnerability similar to this one?
Contact us at: sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom
See our full scope at: https://blogs.securiteam.com/index.php/product_scope

Vulnerabilities Summary
The following advisory describes three (3) vulnerabilities found in Cambium Network Updater Tool and Networks Services Server.

The Network Updater Tool is “a free-of-charge tool that applies packages to upgrade the device types that the release notes for the release that you are using list as supported. Because this tool is available, an operator does not need to visit each module in the network or even each AP where they would otherwise use the SM Autoupdate capability of the radios”

The Cambium Networks Services (CNS) Server is “a network management application provided by Cambium Networks to manage ePMP devices.”

The vulnerabilities found in Cambium products are:

  • Cambium Network Updater Tool (CNUT) – Unauthenticated File Path Traversal
  • Cambium Networks Services Server (CNSS) – Unauthenticated Access Control Bypass
  • Cambium Networks Services Server (CNSS) – Capture credentials for Device Discovery

Credit
An independent security researcher, Karn Ganeshen, has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program

Vendor response
Cambium has released patches to address those vulnerabilities.

For more details: https://help.endian.com/hc/en-us/articles/115012996087 – Support Case 131840

Continue reading SSD Advisory – Cambium Multiple Vulnerabilities

SSD Advisory – DblTek Multiple Vulnerabilities

Want to get paid for a vulnerability similar to this one?
Contact us at: sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom
See our full scope at: https://blogs.securiteam.com/index.php/product_scope

Vulnerabilities summary
The following advisory describes 2 (two) vulnerabilities found in DblTek webserver.

DBL is “specialized in VoIP products, especially GoIPs. We design, develop, manufacture, and sell our products directly and via distributors to customers. Our GoIP models now cover 1, 4, 8, 16, and 32-channel in order to meet the wide range of market demands. All our products are priced very attractively and probably the lowest in the market. Because of the price and performance, GoIPs have been widely adopted by system integrators, VoIP service providers, and many other business and individual users.”

The vulnerabilities found are:

  • Pre-authentication Information Disclosure
  • Command Execution

It is possible to combine the 2 vulnerabilities and gain unauthenticated remote command execution.

Credit
An independent security researcher has reported this vulnerability to Beyond Security’s SecuriTeam Secure Disclosure program

Vendor response

DblTek has released patches to address those vulnerabilities.

CVE-2017-16934

Continue reading SSD Advisory – DblTek Multiple Vulnerabilities

SSD安全公告–GraphicsMagick多个漏洞

Want to get paid for a vulnerability similar to this one?
Contact us at: sxsxdx@xbxexyxoxnxdxsxexcxuxrxixtxy.xcom
See our full scope at: https://blogs.securiteam.com/index.php/product_scope

漏洞概要

以下安全公告描述了在GraphicsMagick中发现的两个漏洞。

GraphicsMagick是“图像处理方面的瑞士军刀。 基础包中的源码共有267K行(根据David A. Wheeler统计),它提供了强大而有效的工具和库,支持读,写超过88种主要图像处理格式,包括DPX,GIF,JPEG,JPEG-2000,PNG,PDF,PNM和TIFF等重要格式。

在GraphicsMagick中发现的两个漏洞是:

  • 内存信息泄露
  • 堆溢出

漏洞提交者
一位独立的安全研究人员Jeremy Heng(@nn_amon)和Terry Chia(Ayrx)向 Beyond Security 的 SSD 报告了该漏洞

厂商响应

厂商已经发布了这些漏洞的补丁(15237:e4e1c2a581d8 and 15238:7292230dd18)。获取更多信息: ftp://ftp.graphicsmagick.org/pub/GraphicsMagick/snapshots/ChangeLog.txt

Continue reading SSD安全公告–GraphicsMagick多个漏洞