Technical advisories

Technical Advisory – Ollama DNS Rebinding Attack (CVE-2024-28224)

Ollama is an open-source system for running and managing large language models (LLMs). NCC Group identified a DNS rebinding vulnerability in Ollama that permits attackers to access its API without authorization, and perform various malicious activities, such as exfiltrating sensitive file data from vulnerable systems.


Technical Advisory – Multiple Vulnerabilities in PandoraFMS Enterprise

Introduction This is the third Technical Advisory post in a series wherein I audit the security of popular Remote Monitoring and Management (RMM) tools. The first post in the series can be found at Multiple Vulnerabilities in Faronics Insight, the second post can be found at Multiple Vulnerabilities in Nagios…


Technical Advisory – Multiple Vulnerabilities in Nagios XI

Introduction This is the second Technical Advisory post in a series wherein I audit the security of popular Remote Monitoring and Management (RMM) tools. (First: Multiple Vulnerabilities in Faronics Insight). I was joined in this security research by Colin Brum, Principal Security Consultant at NCC Group. In this post I…


Technical Advisory: Sonos Era 100 Secure Boot Bypass Through Unchecked setenv() call

Vendor: Sonos Vendor URL: https://www.sonos.com/ Versions affected: * Confirmed 73.0-42060 Systems Affected: Sonos Era 100 Author: Ilya Zhuravlev Advisory URL: Not provided by Sonos. Sonos state an update was released on 2023-11-15 which remediated the issue. CVE Identifier: N/A Risk: High Summary Sonos Era 100 is a smart speaker released…


Technical Advisory: Adobe ColdFusion WDDX Deserialization Gadgets

Multiple vulnerabilities identified in Adobe ColdFusion allow an unauthenticated attacker to obtain the service account NTLM password hash, verify the existence of a file or directory on the underlying operating system, and configure central config server settings.


Technical Advisory: Insufficient Proxyman HelperTool XPC Validation

Summary The com.proxyman.NSProxy.HelperTool application (version 1.4.0), a privileged helper tool distributed with the Proxyman application (up to and including version 4.10.1) for macOS 13 Ventura and earlier, allows a local attacker to use earlier versions of the Proxyman application to maliciously change the System Proxy settings and redirect traffic to…


Technical Advisory – Multiple Vulnerabilities in Connectize G6 AC2100 Dual Band Gigabit WiFi Router (CVE-2023-24046, CVE-2023-24047, CVE-2023-24048, CVE-2023-24049, CVE-2023-24050, CVE-2023-24051, CVE-2023-24052)

Connectize’s G6 WiFi router was found to have multiple vulnerabilities exposing its owners to potential intrusion in their local Wi-Fi network and browser. The Connectize G6 router is a general consumer Wi-Fi router with an integrated web admin interface for configuration, and is available for purchase by the general public.…


Technical Advisory – SonicWall Global Management System (GMS) & Analytics – Multiple Critical Vulnerabilities

Multiple Unauthenticated SQL Injection Issues Security Filter Bypass – CVE-2023-34133 Description The GMS web application was found to be vulnerable to numerous SQL injection issues. Additionally, security mechanisms that were in place to help prevent against SQL Injection attacks could be bypassed. Impact An unauthenticated attacker could exploit these issues…


LeaPFRogging PFR Implementations

Back in October of 2022, this announcement by AMI caught my eye. AMI has contributed a product named “Tektagon Open Edition” to the Open Compute Project (OCP). Tektagon OpenEdition is an open-source Platform Root of Trust (PRoT) solution with foundational firmware security features that detect platform firmware corruption, recover the…


Intel BIOS Advisory – Memory Corruption in HID Drivers

In this post, I will be focusing on two additional BIOS vulnerabilities. The first bug impacts the Bluetooth keyboard driver (HidKbDxe in BluetoothPkg) and the second bug impacts a touch panel driver (I2cTouchPanelDxe in AlderLakePlatSamplePkg).


Technical Advisory – Nullsoft Scriptable Installer System (NSIS) – Insecure Temporary Directory Usage

Description The NSIS uninstaller package did not enforce appropriate permissions on the temporary directory used during the uninstall process. Furthermore, it did not ensure that the temporary directory was removed before running executable content from it. This could potentially result in privilege escalation under certain scenarios. Impact A low-privileged, local…


Dynamic Linq Injection Remote Code Execution Vulnerability (CVE-2023-32571)

Product Details Name System.Linq.Dynamic.Core Affected versions 1.0.7.10 to 1.2.25 Fixed versions >= 1.3.0 URL https://www.dynamic-linq.net/ Vulnerability Summary CVE CVE-2023-32571 CWE CWE-184: Incomplete List of Disallowed Inputs CVSSv3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVSSv3.1 base score 9.1 Overview What is Dynamic Linq? Dynamic Linq is an open source .NET library that allows developers to…


Technical Advisory – Multiple Vulnerabilities in Faronics Insight (CVE-2023-28344, CVE-2023-28345, CVE-2023-28346, CVE-2023-28347, CVE-2023-28348, CVE-2023-28349, CVE-2023-28350, CVE-2023-28351, CVE-2023-28352, CVE-2023-28353)

Introduction Faronics Insight is a feature rich software platform which is deployed on premises in schools. The application enables teachers to administer, control and interact with student devices. The application contains numerous features, including allowing teachers to transfer files to/from students and remotely viewing the contents of student screens. Generally…


Stepping Insyde System Management Mode

In October of 2022, Intel’s Alder Lake BIOS source code was leaked online. The leaked code was comprised of firmware components that originated from three sources: I obtained a copy of the leaked code and began to hunt for vulnerabilities. This writeup focuses on the vulnerabilities that I found and…


Technical Advisory – U-Boot – Unchecked Download Size and Direction in USB DFU (CVE-2022-2347)

Summary U-Boot is a popular and feature-rich bootloader for embedded systems. It includes optional support for the USB Device Firmware Update (DFU) protocol, which can be used by devices to download new firmware, or upload their current firmware. The U-Boot DFU implementation does not bound the length field in USB…


Technical Advisory – Multiple Vulnerabilities in the Galaxy App Store (CVE-2023-21433, CVE-2023-21434)

The Galaxy App Store is an alternative application store that comes pre-installed on Samsung Android devices. Several Android applications are available on both the Galaxy App Store and Google App Store, and users have the option to use either store to install specific applications. Two vulnerabilities were uncovered with the…


Technical Advisory – NXP i.MX SDP_READ_DISABLE Fuse Bypass (CVE-2022-45163)

Summary NXP System-on-a-Chip (SoC) fuse configurations with the SDP READ_REGISTER operation disabled (SDP_READ_DISABLE=1) but other serial download functionality still enabled (SDP_DISABLE=0) can be abused to read memory contents in warm and cold boot attack scenarios. In lieu of an enabled SDP READ_REGISTER operation, an attacker can use a series of…


Technical Advisory – OpenJDK – Weak Parsing Logic in java.net.InetAddress and Related Classes

Vendor: OpenJDK Project Vendor URL: https://openjdk.java.net Versions affected: 8-17+ (and likely earlier versions) Systems Affected: All supported systems Author: Jeff Dileo <jeff.dileo[at]nccgroup[dot]com> Advisory URL / CVE Identifier: TBD Risk: Low (implicit data validation bypass) Summary The private static InetAddress::getAllByName(String,InetAddress) method is used internally and by the public static InetAddress::getAllByName(String) to…


Technical Advisory – Multiple Vulnerabilities in Juplink RX4-1800 WiFi Router (CVE-2022-37413, CVE-2022-37414)

Juplink’s RX4-1800 WiFi router was found to have multiple vulnerabilities exposing its owners to potential intrusion in their local WiFi network and complete takeover of the device. An attacker can remotely take over a device after using a targeted or phishing attack to change the router’s administrative password, effectively locking…


There’s Another Hole In Your SoC: Unisoc ROM Vulnerabilities

UNISOC (formerly Spreadtrum) is a rapidly growing semiconductor company that is nowadays focused on the Android entry-level smartphone market. While still a rare sight in the west, the company has nevertheless achieved impressive growth claiming 11% of the global smartphone application processor market, according to Counterpoint Research. Recently, it’s been…


Technical Advisory – Multiple vulnerabilities in Nuki smart locks (CVE-2022-32509, CVE-2022-32504, CVE-2022-32502, CVE-2022-32507, CVE-2022-32503, CVE-2022-32510, CVE-2022-32506, CVE-2022-32508, CVE-2022-32505)

The following vulnerabilities were found as part of a research project looking at the state of security of the different Nuki (smart lock) products. The main goal was to look for vulnerabilities which could affect the availability, integrity or confidentiality of the different devices, from hardware to software. Eleven…


Technical Advisory – ExpressLRS vulnerabilities allow for hijack of control link

Summary ExpressLRS is a high-performance open source radio control link. It aims to provide a low latency radio control link while also achieving maximum range. It runs on a wide variety of hardware in both the 900 MHz and 2.4 GHz frequency bands. ExpressLRS is very popular in FPV drone racing and…


Updated: Technical Advisory and Proofs of Concept – Multiple Vulnerabilities in U-Boot (CVE-2022-30790, CVE-2022-30552)

By Nicolas Bidron and Nicolas Guigo. [Editor’s note: This is an updated/expanded version of these advisories which we originally published on June 3 2022.] U-boot is a popular boot loader for embedded systems with implementations for a large number of architectures and prominent in most Linux-based embedded systems such…


Technical Advisory – Multiple Vulnerabilities in Trendnet TEW-831DR WiFi Router (CVE-2022-30325, CVE-2022-30326, CVE-2022-30327, CVE-2022-30328, CVE-2022-30329)

The Trendnet TEW-831DR WiFi Router was found to have multiple vulnerabilities exposing the owners of the router to potential intrusion of their local WiFi network and possible takeover of the device. Five vulnerabilities were discovered. Below are links to the associated technical advisories: Technical Advisory: Stored XSS in Web Interface…


Technical Advisory – Multiple Vulnerabilities in U-Boot (CVE-2022-30790, CVE-2022-30552)

By Nicolas Bidron and Nicolas Guigo. U-boot is a popular boot loader for embedded systems with implementations for a large number of architectures and prominent in most Linux-based embedded systems such as ChromeOS and Android devices. Two vulnerabilities were uncovered in the IP defragmentation algorithm implemented in U-Boot, with…


Technical Advisory – FUJITSU CentricStor Control Center <= V8.1 – Unauthenticated Command Injection (CVE-2022-31794 and CVE-2022-31795)

On the 6th of April 2022, NCC Group's Fox-IT discovered two separate flaws in FUJITSU CentricStor Control Center V8.1 which allow an attacker to gain remote code execution on the appliance without prior authentication or authorization.


Technical Advisory – SerComm h500s – Authenticated Remote Command Execution (CVE-2021-44080)

Current Vendor: SerComm Vendor URL: https://www.sercomm.com Systems Affected: SerComm h500s Versions affected: lowi-h500s-v3.4.22 Authors: Diego Gómez Marañón @rsrdesarrollo CVE Identifier: CVE-2021-44080 Risk: 6.6 (Medium) - AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H Summary The h500s is a router device manufactured by SerComm and packaged by a few telecoms providers in Spain (and possibly other regions) to provide CPE…


Technical Advisory – Kwikset/Weiser BLE Proximity Authentication in Kevo Smart Locks Vulnerable to Relay Attacks

Summary The Kwikset/Weiser Kevo line of smart locks support Bluetooth Low Energy (BLE) passive entry through their Touch-to-Open functionality. When a user touches the exterior portion of the lock, the lock checks that an authorized BLE device is exterior to and within a short distance of the smart lock, and…


Technical Advisory – Tesla BLE Phone-as-a-Key Passive Entry Vulnerable to Relay Attacks

Summary The Tesla Model 3 and Model Y employ a Bluetooth Low Energy (BLE) based passive entry system. This system allows users with an authorized mobile device or key fob within a short range of the vehicle to unlock and operate the vehicle, with no user interaction required on the…


Technical Advisory – BLE Proximity Authentication Vulnerable to Relay Attacks

Summary Many products implement Bluetooth Low Energy (BLE) based proximity authentication, where the product unlocks or remains unlocked when a trusted BLE device is determined to be nearby. Common examples of such products include automotive Phone-as-a-Key systems, residential smart locks, BLE-based commercial building access control systems, and smartphones and laptops…


Technical Advisory: Ruby on Rails – Possible XSS Vulnerability in ActionView tag helpers (CVE-2022-27777)

Summary Ruby on Rails is a web application framework that follows the Model-view-controller (MVC) pattern. It offers some protections against Cross-site scripting (XSS) attacks in its helpers for the views. Several tag helpers in ActionView::Helpers::FormTagHelper and ActionView::Helpers::TagHelper are vulnerable to XSS because their current protection does not properly restrict the…


Remote Code Execution on Western Digital PR4100 NAS (CVE-2022-23121)

This blog post describes an unchecked return value vulnerability found and exploited in September 2021 by Alex Plaskett, Cedric Halbronn and Aaron Adams working at the Exploit Development Group (EDG) of NCC Group. We successfully exploited it at the Pwn2Own 2021 competition in November 2021 when targeting the Western Digital PR4100.


Technical Advisory – Apple macOS XAR – Arbitrary File Write (CVE-2022-22582)

Summary In October 2021, Apple released a fix for CVE-2021-30833. This was an arbitrary file-write vulnerability in the xar utility and was due to improper handling of path separation (forward-slash) characters when processing files contained within directory symlinks. Whilst analysing the patch for CVE-2021-30833, an additional vulnerability was identified which…


Technical Advisory – Lenovo ImController Local Privilege Escalation (CVE-2021-3922, CVE-2021-3969)

Summary The ImController service comes installed on certain Lenovo devices, for example NCC found the service installed on a ThinkPad workstation. The service runs as the SYSTEM user and periodically executes child processes which perform system configuration and maintenance tasks. Impact Elevation of privilege. An attacker can elevate their privileges…


Technical Advisory – SonicWall SMA 100 Series – Unauthenticated Arbitrary File Deletion

Summary SonicWall SMA 100 Series appliances running firmware versions 10.2.0.8-37sv, 10.2.1.1-19sv and below suffer from an unauthenticated arbitrary file-delete vulnerability which can be exploited by a remote attacker to delete arbitrary files from the underlying Operating System. This vulnerability exists in the sonicfiles RAC_DOWNLOAD_TAR method, which allows users to download…


Technical Advisory – SonicWall SMA 100 Series – Unauthenticated Stored XSS

Summary SonicWall SMA 100 Series appliances running firmware versions 10.2.0.8-37sv, 10.2.1.1-19sv and below suffer from a Stored Cross-Site Scripting (XSS) vulnerability within the management interface. This vulnerability arises due to lack of sufficient output encoding when displaying postscript file names within the management interface. Due to CVE-2021-20040, this issue can…


Technical Advisory – SonicWall SMA 100 Series – Multiple Unauthenticated Heap-based and Stack-based Buffer Overflow (CVE-2021-20045)

Summary SonicWall SMA 100 Series appliances running firmware versions 10.2.0.8-37sv, 10.2.1.1-19sv and below are vulnerable to multiple stack-based and heap-based buffer overflows in the fileexplorer component, which can be reached by an unauthenticated attacker calling the sonicfiles RAC_COPY_TO method. These vulnerabilities arise due to the unchecked use of strcpy with…


Technical Advisory – SonicWall SMA 100 Series – Post-Authentication Remote Command Execution (CVE-2021-20044)

Summary SonicWall SMA 100 Series appliances running firmware versions 10.2.0.8-37sv, 10.2.1.1-19sv suffer from a post-authentication command injection vulnerability, which can be exploited to execute arbitrary commands with root privileges. The vulnerability exists in the Python management API, which is exposed remotely via HTTP, and is accessible to authenticated administrative users.…


Technical Advisory – SonicWall SMA 100 Series – Heap-Based Buffer Overflow (CVE-2021-20043)

Summary SonicWall SMA 100 Series appliances running firmware versions 10.2.0.8-37sv, 10.2.1.1-19sv and below suffer from a heap-based buffer overflow vulnerability in the sonicfiles RAC_GET_BOOKMARKS_HTML5 API. This vulnerability arises due to the unchecked use of the strcat function on a fixed size buffer, when displaying user bookmarks. This vulnerability requires authentication…


Technical Advisory – SonicWall SMA 100 Series – Unauthenticated File Upload Path Traversal (CVE-2021-20040)

Summary SonicWall SMA 100-series appliances running versions 10.2.0.8-37sv, 10.2.1.1-19sv and earlier, suffer from an unauthenticated file upload vulnerability. This could allow an unauthenticated remote attacker to use path traversal to upload files outside of the intended directory. Impact An unauthenticated attacker may be able to write files with controlled content…


Technical Advisory – Authenticated SQL Injection in SOAP Request in Broadcom CA Network Flow Analysis (CVE-2021-44050)

Summary The Network Flow Analysis software (formerly known as CA Network Flow Analysis) is a network traffic monitoring solution, which is used to monitor and optimize the performance of network infrastructures. The “Interfaces” Section of the Network Flow Analysis web application made use of a Flash application, which performed SOAP…


Technical Advisory – Multiple Vulnerabilities in Victure WR1200 WiFi Router (CVE-2021-43282, CVE-2021-43283, CVE-2021-43284)

Victure’s WR1200 WiFi router, also sometimes referred to as AC1200, was found to have multiple vulnerabilities exposing its owners to potential intrusion in their local WiFi network and complete takeover of the device. Three vulnerabilities were uncovered, with links to the associated technical advisories below: Technical Advisory – Default WiFi…


Technical Advisory – Arbitrary Signature Forgery in Stark Bank ECDSA Libraries (CVE-2021-43572, CVE-2021-43570, CVE-2021-43569, CVE-2021-43568, CVE-2021-43571)

Summary Stark Bank is a financial technology company that provides services to simplify and automate digital banking, by providing APIs to perform operations such as payments and transfers. In addition, Stark Bank maintains a number of cryptographic libraries to perform cryptographic signing and verification. These popular libraries are meant to…


Technical Advisory – Apple XAR – Arbitrary File Write (CVE-2021-30833)

Summary XAR is a file archive format used in macOS, and is part of various file formats, including .xar, .pkg, .safariextz, and .xip files. XAR archives are extracted using the xar command-line utility. XAR was initially developed under open source, however, the original project appears to be no longer maintained.…


Technical Advisory – Open5GS Stack Buffer Overflow During PFCP Session Establishment on UPF (CVE-2021-41794)

Summary Connecting to the UPF port for the PFCP protocol (8805) and sending an Association Setup Request followed by a Session Establishment Request with a PDI Network Instance set to ‘internet’ causes stack corruption. Impact Exploitation of this vulnerability would lead to denial of service…


Technical Advisory – NULL Pointer Dereference in McAfee Drive Encryption (CVE-2021-23893)

Summary McAfee’s Complete Data Protection package contained the Drive Encryption (DE) software. This software was used to transparently encrypt the drive contents. The versions prior to 7.3.0 HF1 had a vulnerability in the kernel driver MfeEpePC.sys that could be exploited on certain Windows systems for privilege escalation or DoS. Impact…


Technical Advisory – Garuda Linux Insecure User Creation (CVE-2021-3784)

Summary Garuda is a modern Linux distribution based on Arch Linux with nice blur effects and icons. Garuda Linux performs insecure user creation and authentication, which allows a local attacker to impersonate a user account while it is being created. The user is created in two steps: first the user is created without…


Technical Advisory: PDFTron JavaScript URLs Allowed in WebViewer UI (CVE-2021-39307)

Summary PDFTron’s WebViewer UI 8.0 or below renders dangerous URLs as hyperlinks in supported documents, including JavaScript URLs, allowing the execution of arbitrary JavaScript code. Impact An attacker could steal a victim’s session tokens, log their keystrokes, steal private data, or perform privileged actions in the context of a victim’s…


Technical Advisory – New York State Excelsior Pass Vaccine Passport Scanner App Sends Data to a Third Party not Specified in Privacy Policy

Summary The New York State (NYS) Excelsior scanner app is used by businesses or event venues to scan the QR codes contained in the NYS Excelsior wallet app to verify that an individual has either a negative COVID-19 test or their vaccination status. We have found that some data about the…


Technical Advisory – New York State Excelsior Pass Vaccine Passport Credential Forgery

Summary New York State developed an application called NYS Excelsior Pass Wallet that allows users to acquire and store a COVID-19 vaccine credential. During some research it was discovered that this application does not validate vaccine credentials added to it, allowing forged credentials to be stored by users. Impact This…


Technical Advisory: Pulse Connect Secure – RCE via Uncontrolled Archive Extraction – CVE-2021-22937 (Patch Bypass)

Summary The Pulse Connect Secure appliance suffers from an uncontrolled archive extraction vulnerability which allows an attacker to overwrite arbitrary files, resulting in Remote Code Execution as root. This vulnerability is a bypass of the patch for CVE-2020-8260. Impact Successful exploitation of this issue results in Remote Code Execution on…


Technical Advisory – Sunhillo SureLine Unauthenticated OS Command Injection (CVE-2021-36380)

Summary Sunhillo is an industry leader in surveillance data distribution. The Sunhillo SureLine application contained an unauthenticated operating system (OS) command injection vulnerability that allowed an attacker to execute arbitrary commands with root privileges. This would have allowed for a threat actor to establish an interactive channel, effectively taking control…


Technical Advisory – ICTFAX 7-4 – Indirect Object Reference

Summary ICTFax is fax to email software maintained by ICTInnovations. In version 7-4 of this product, available through the CentOS software repository, an indirect object reference allows a user of any privilege level to change the password of any other user within the application – including administrators. Impact Successful exploitation…


Technical Advisory: Stored and Reflected XSS Vulnerability in Nagios Log Server (CVE-2021-35478,CVE-2021-35479)

Summary Nagios Log Server is a Centralized Log Management, Monitoring, and Analysis software that allows organizations to monitor, manage, visualize, archive, analyse, and alert on all of their log data. Version 2.1.8 of the application was found to be vulnerable to Stored and Reflected XSS. This occurs when malicious JavaScript…


Technical Advisory – Arbitrary File Read in Dell Wyse Management Suite (CVE-2021-21586, CVE-2021-21587)

Summary Thin clients are often found in secure environments as their diskless operation reduces physical security risks. Wyse Management Suite (WMS) acts as a central hub for Dell’s thin client hardware, providing centralised provisioning and configuration. The Wyse Management Suite web interface and the configuration services used by the Thin Clients…


Technical Advisory – Shop app sends pasteboard data to Shopify’s servers

Summary In the Shop app when adding a package, any data that matches a specific format defined by Shopify that is contained on the global pasteboard (iOS) or clipboard (Android) is automatically sent without user interaction to Shopify’s servers. Impact Sensitive PII such as credit card numbers and passwords can…


Technical Advisory – ParcelTrack sends all pasteboard data to ParcelTrack’s servers on startup

Summary Upon start of the ParcelTrack application, any data contained on the global pasteboard (iOS) or clipboard (Android) will be sent to ParcelTrack’s servers. Impact Sensitive PII such as credit card numbers and passwords often live on the global pasteboard. If any sensitive data is contained on the pasteboard…


Technical Advisory: Dell SupportAssist Local Privilege Escalation (CVE-2021-21518)

Summary When running PC-Doctor modules, the Dell SupportAssist service attempted to load DLLs from a world-writable directory. Furthermore, it did not validate the signature of libraries loaded from this directory, leading to a “DLL Hijacking” vulnerability. Impact Successful exploitation of this issue would allow a low privileged user to execute…


Technical Advisory – Multiple Vulnerabilities in Netgear ProSAFE Plus JGS516PE / GS116Ev2 Switches

Multiple vulnerabilities were found in Netgear ProSafe Plus JGS516PE switches that may pose a serious risk to their users. The most critical vulnerability could allow unauthenticated users to gain arbitrary code execution. The following vulnerabilities were the most relevant identified during the internal research: Unauthenticated Remote Code Execution (CVE-2020-26919) NSDP…


Technical Advisory: Administrative Passcode Recovery and Authenticated Remote Buffer Overflow Vulnerabilities in Gigaset DX600A Handset (CVE-2021-25309, CVE-2021-25306)

Current Vendor: Gigaset Vendor URL: https://www.gigaset.com/es_es/gigaset-dx600a-isdn/ Versions affected: V41.00-175.00.00-SATURN-175.00 Systems Affected: DX600A Authors: Manuel Ginés - manuel.gines[at]nccgroup[dot]com Admin Service Weak Authentication CVE Identifier: CVE-2021-25309 Risk: 8.8 (High) - AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H AT Command Buffer Overflow CVE Identifier: CVE-2021-25306 Risk: 4.5 (Medium) - AV:A/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H Summary According to the official documentation, the Gigaset DX600A…


Technical Advisory – Linksys WRT160NL – Authenticated Command Injection (CVE-2021-25310)

Current Vendor: Belkin (Linksys) Vendor URL: https://www.linksys.com/sg/p/P-WRT160NL/ Versions affected: 1.0.04 build 2 (FW_WRT160NL_1.0.04.002_US_20130619_code.bin) Systems Affected: Linksys WRT160NL Authors: Manuel Ginés - Manuel.Gines[at]nccgroup[dot]com Diego Gómez Marañón – Diego.GomezMaranon[at]nccgroup[dot]com CVE Identifier: CVE-2021-25310 Risk: 8.8 (High) - AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Summary The Linksys WRT160NL is a switch device initially owned by Cisco and, after the…


Technical Advisory: OS Command Injection in Silver Peak EdgeConnect Appliances (CVE-2020-12148, CVE-2020-12149)

Summary Silver Peak’s Unity EdgeConnect offering enables customers to easily setup and manage virtual networks using SD-WAN (Software Defined Wide Area Networking). At a high level it consists of physical or virtual EdgeConnect appliances and the Orchestrator management platform. The EdgeConnect appliances are essentially network devices that are installed at…


Technical Advisory: SQL Injection and Reflected Cross-Site Scripting (XSS) Vulnerabilities in Oracle Communications Diameter Signaling Router (CVE-2020-14787, CVE-2020-14788)

Summary Based on the Oracle product documentation page, “Oracle Communications Diameter Signaling Router is a market-leading cloud-ready Diameter signaling controller solution that centralizes routing, traffic management and load balancing, creating an architecture that enables IMS and LTE networks to be truly elastic and adapt to increasing service and traffic demands…


Technical Advisory: Command Injection

Vendor: Kinetica Vendor URL: https://www.kinetica.com/ Versions affected: 7.0.9.2.20191118151947 Systems Affected: All Author: Gary Swales Gary.Swales@nccgroup.com Advisory URL / CVE Identifier: CVE-2020-8429 Risk: High (Command Injection on the underlying operating system) Summary The Kinetica Admin web application version 7.0.9.2.20191118151947 did not properly sanitise the input for the function getLogs. This lack of sanitisation could be exploited…


Technical Advisory: Pulse Connect Secure – Arbitrary File Read via Logon Message (CVE-2020-8255)

Summary Pulse Connect Secure suffers from an arbitrary file read vulnerability in the pre/post logon message component. An authenticated administrative user could exploit this issue to read arbitrary files from the underlying Operating System. Impact Successful exploitation of this issue could facilitate the attacker in extracting source code, credentials, or…


Technical Advisory: Pulse Connect Secure – RCE via Uncontrolled Gzip Extraction (CVE-2020-8260)

Summary The Pulse Connect Secure appliance suffers from an uncontrolled gzip extraction vulnerability which allows an attacker to overwrite arbitrary files, resulting in Remote Code Execution as root. Impact Successful exploitation by an authenticated administrator results in Remote Code Execution on the underlying Operating System with root privileges. An attacker…


Technical Advisory – Jitsi Meet Electron – Arbitrary Client Remote Code Execution (CVE-2020-27162)

Current Vendor: Jitsi Vendor URL: https://jitsi.org Versions affected: 1.x.x Systems Affected: Jitsi Meet Electron Authors: Robert Wessen robert[dot]wessen[at]nccgroup[dot]com CVE Identifier: CVE-2020-27162 Risk: 8.3 (High) – AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H Summary Jitsi is an open source online communication suite. It includes a variety of audio, video, text and screen sharing capabilities. Both server, client,…


Technical Advisory – Jitsi Meet Electron – Limited Certificate Validation Bypass (CVE-2020-27161)

Current Vendor: Jitsi Vendor URL: https://jitsi.org Versions affected: 1.x.x Systems Affected: Jitsi Meet Electron Authors: Robert Wessen robert[dot]wessen[at]nccgroup[dot]com CVE Identifier: CVE-2020-27161 Risk: 5.3 (Medium) AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N Summary Impact Jitsi Meet Electron includes apparent debugging code which ignores certificate validation errors, and therefore allows for man-in-the-middle attacks against limited, specially named Jitsi…


Technical Advisory – Linksys WRT160NL – Authenticated Remote Buffer Overflow (CVE-2020-26561)

Current Vendor: Belkin Vendor URL: https://www.linksys.com/sg/p/P-WRT160NL/ Versions affected: Latest FW version - 1.0.04 build 2 (FW_WRT160NL_1.0.04.002_US_20130619_code.bin) Systems Affected: Linksys WRT160NL (maybe others) Authors: Diego Gómez Marañón – Diego.GomezMaranon[at]nccgroup[dot]com CVE Identifier: CVE-2020-26561 Risk: 8.8 (High) – AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Summary The Linksys WRT160NL is a switch device initially owned by Cisco and, after…


There’s A Hole In Your SoC: Glitching The MediaTek BootROM

This research was conducted by our intern Ilya Zhuravlev, who has returned to school but will be rejoining our team after graduation, and was advised by Jeremy Boone of NCC Group’s Hardware Embedded Systems Practice. With the advent of affordable toolchains, such as ChipWhisperer, fault injection is no longer an…


Technical Advisory – Pulse Connect Secure – RCE via Template Injection (CVE-2020-8243)

Vendor: Pulse Secure Vendor URL: https://www.pulsesecure.net/ Versions affected: Pulse Connect Secure (PCS) 9.1Rx or below, Pulse Policy Secure (PPS) 9.1Rx or below Systems Affected: Pulse Connect Secure (PCS) Appliances Authors: Richard Warren - richard.warren[at]nccgroup[dot]com, David Cash – david.cash[at]nccgroup[dot]com CVE Identifier: CVE-2020-8243 Advisory URL: https://kb.pulsesecure.net/articles/Pulse_Security_Advisories/SA44588 Risk: 7.2 High CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Summary Pulse…


Technical Advisory – Lansweeper Privilege Escalation via CSRF Using HTTP Method Interchange (CVE-2020-13658)

Summary: Lansweeper is an application that gathers hardware and software information of computers and other devices on a computer network for management and compliance and audit purposes. The application also encompasses a ticket based help desk system and capabilities for software updates on target devices. Location: http://[LANSWEEPER_URL]/configuration/HelpdeskUsers/HelpdeskusersActions.aspx Impact: An attacker…


Technical Advisory – wolfSSL TLS 1.3 Client Man-in-the-Middle Attack (CVE-2020-24613)

wolfSSL is a C-language-based SSL/TLS library targeted at IoT, embedded, and RTOS environments. wolfSSL incorrectly implements the TLS 1.3 client state machine. This allows attackers in a privileged network position to completely impersonate any TLS 1.3 servers and read or modify potentially sensitive information between clients using the wolfSSL library…


Technical Advisory – Multiple HTML Injection Vulnerabilities in KaiOS Pre-installed Mobile Applications

Multiple HTML injection vulnerabilities were found in several KaiOS mobile applications that are pre-installed on KaiOS mobile devices. The following vulnerabilities affected multiple KaiOS mobile devices: KaiOS Email Application HTML Injection (CVE-2019-14756) KaiOS Contacts Application HTML Injection (CVE-2019-14757) KaiOS File Manager Application HTML Injection (CVE-2019-14758) KaiOS Recorder Application HTML Injection…


Technical Advisory – FreePBX – Multiple Authenticated SQL Injections in UCP application

Summary: The User Control Panel (UCP) application is vulnerable to multiple authenticated SQL Injection vulnerabilities which can result in the compromise of administrative accounts as well as the PBX appliance itself. FreePBX has a sizable install base, with Shodan showing over 32 thousand public results for the Sangoma Apache server…


Technical Advisory: Heartbleed chained with a Pass-the-Hash attack leads to device compromise on TP-Link C200 IP Camera

Vendor: TP-Link Vendor URL: https://www.tp-link.com/uk/ Versions affected: 1.7.0 Systems Affected: Tapo C200 Author: Dale Pavey Risk: High Summary: The device is vulnerable to the heartbleed vulnerability and a Pass-the-Hash attack. Impact: Successfully exploiting the Heartbleed vulnerability leads to the device being remotely taken over using the memory-leaked user hash and…


Technical Advisory – KwikTag Web Admin Authentication Bypass

Summary: KwikTag is a digital document management solution. KwikTag Web Admin is used to administrate accounts and permissions of the KwikTag instance. KwikTag Web Admin grants an active session without properly validating expired admin credentials. Location: ~/ktadmin/Default.aspx Impact: An attacker can gain administrative access to KwikTag Web Admin by logging…


Technical Advisory – macOS Installer Local Root Privilege Escalation (CVE-2020-9817)

A local macOS user or process may be able to modify or replace files executed by Installer. This could allow a low-privileged user or process to gain arbitrary code execution with root privileges, effectively leading to a full system compromise.


Technical Advisory – ARM MbedOS USB Mass Storage Driver Memory Corruption

Vendor: ARM Vendor URL: https://os.mbed.com/ Versions affected: Prior to 5.15.2 Systems Affected: ARM Mbed OS Author: Ilya Zhuravlev Risk: High Summary: The ARM Mbed operating system contains a USB Mass Storage driver (USBMD), which allows emulation of a mass storage device over USB. This driver contains three (3) memory…


Technical Advisory – playSMS Pre-Authentication Remote Code Execution (CVE-2020-8644)

Summary: PlaySMS is an open source SMS gateway, which has a web management portal written in PHP. PlaySMS supports a custom PHP templating system, called tpl (https://github.com/antonraharja/tpl). PlaySMS double processes a server-side template, resulting in unauthenticated user control of input to the PlaySMS template engine. The template engine’s implementation then…


Technical Advisory: Gaining root access on Sumpple S610 IP Camera via Telnet; and Unprotected client and server data transmission between Android and IOS clients

Vendor: Sumpple Vendor URL: http://www.sumpple.com Versions affected: S610 firmware 9063.SUMPPLE.7601 - 9067.SUMPPLE.7601 Sumpple IP Cam Android V1.1.33 – V1.11 IOS 1.51.5986 (Previous versions are also likely to be affected) Systems Affected: Sumpple S610 WiFi Wireless PTZ Outdoor Security Video Network IP Camera Sumpple IP Cam Android and IOS mobile application. Author: Sebastian Parker-Fitch (@scorpioitsec) Advisory…


Technical Advisory: CyberArk EPM Non-paged Pool Buffer Overflow

Vendor: CyberArk Vendor URL: https://www.cyberark.com Versions affected: CyberArk Endpoint Privilege Manager prior to version 10.7 Windows XP, Windows Vista, Windows 7, Windows 8, Windows 10, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016 Author: Jason Crowder Advisory URL / CVE Identifier: CVE-2019-9627 Risk:…


Technical Advisory: Unauthenticated SQL Injection in Lansweeper

Vendor: Lansweeper Vendor URL: https://www.lansweeper.com/ Versions affected: prior to 7.1.117.4 Systems Affected: Lansweeper application Author: Soroush Dalili (@irsdl) Advisory URL / CVE Identifier: https://www.lansweeper.com/changelog/ - CVE-2019-13462 Risk: Critical when MSSQL database is in use (not default) Summary The Lansweeper application is agentless network inventory software that can be used for IT asset management. It uses the…


Jenkins Plugins and Core Technical Summary Advisory

15 Security Advisories, 128 Jenkins Plugin Vulnerabilities and 1 Core Vulnerability; 118 CVEs, 1 CVE pending, 10 issues with no CVE requested About the Vulnerabilities NCC Group Security Consultant Viktor Gazdag has identified 128 security vulnerabilities across Jenkins plugins and one within the Jenkins core with the following distribution: Credentials stored…


Technical Advisory: Multiple Vulnerabilities in Ricoh Printers

Multiple vulnerabilities, ranging from information disclosure to remote code execution, were found in some Ricoh printers. The vulnerabilities listed below were found to affect some Ricoh printers: Multiple Buffer Overflows Parsing HTTP Cookie Headers (CVE-2019-14300) Multiple Buffer Overflows Parsing HTTP Parameters (CVE-2019-14305, CVE-2019-14307) Buffer Overflow Parsing LPD Packets (CVE-2019-14308) No…


Technical Advisory: Multiple Vulnerabilities in Brother Printers

Multiple vulnerabilities, ranging from information disclosure to remote code execution, were found in several Brother printers. The vulnerabilities listed below were found to affect several Brother printers: Stack Buffer Overflow in Cookie Values (CVE-2019-13193) Heap Overflow in IPP Attribute Name (CVE-2019-13192) Information Disclosure Vulnerability (CVE-2019-13194) Technical Advisories: Stack Buffer Overflow…


Technical Advisory: Multiple Vulnerabilities in Xerox Printers

Multiple vulnerabilities, ranging from information disclosure to remote code execution, were found in several Xerox printers. The vulnerabilities listed below were found to affect several Xerox printers: Buffer Overflow in Google Cloud Print Implementation (CVE-2019-13171) Multiple Buffer Overflows in IPP Service (CVE-2019-13165, CVE-2019-13168) Multiple Buffer Overflows in Web Server (CVE-2019-13169,…


Technical Advisory: Multiple Vulnerabilities in Kyocera Printers

Multiple vulnerabilities, ranging from information disclosure to remote code execution, were found in several Kyocera printers. The vulnerabilities listed below were found to affect several Kyocera printers: Multiple Buffer Overflows in Web Server (CVE-2019-13196, CVE-2019-13197, CVE-2019-13202, CVE-2019-13203, CVE-2019-13206) Multiple Buffer Overflows in IPP Service (CVE-2019-13204) Buffer Overflow in LPD Service…


Technical Advisory: Multiple Vulnerabilities in HP Printers

Multiple vulnerabilities, ranging from Cross-Site Scripting to buffer overflows, were found in several HP printers: Multiple Buffer Overflows in IPP Service (CVE-2019-6327) Buffer Overflow in Web Server (CVE-2019-6326) Multiple Cross-Site Scripting Vulnerabilities (CVE-2019-6323, CVE-2019-6324) Cross-Site Request Forgery Countermeasures Bypass (CVE-2019-6325) Technical Advisories: Multiple Buffer Overflows in IPP Service (CVE-2019-6327) Vendor:…


Technical Advisory – Authorization Bypass Allows for Pinboard Corruption

Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Advisory Name: ThoughtSpot - Authorization Bypass Allows for Pinboard Corruption Release Date: 2019-06-10 Application: ThoughtSpot Versions: 5.x before 5.1.2 4.4.1.x onwards Severity: Medium Author: Will Enright Vendor Status: Update Released [2] CVE Candidate: CVE-2019-12782 Reference: https://www.vsecurity.com/resources/advisory/201912782-1.txt =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Product Description ~-----------------~ From ThoughtSpot's…


Technical Advisory: Multiple Vulnerabilities in Lexmark Printers

Multiple vulnerabilities, ranging from information disclosure to remote code execution, were found in several Lexmark printers. The vulnerabilities listed below were found to affect several Lexmark printers: SNMP Denial of Service Vulnerability (CVE-2019-9931) Multiple Overflows in Lexmark Web Server (CVE-2019-9930, CVE-2019-9932, CVE-2019-9933) Information Disclosure Vulnerabilities (CVE-2019-9934, CVE-2019-9935) Information Disclosure Vulnerability…


Technical Advisory: Intel Driver Support & Assistance – Local Privilege Escalation

Vendor: Intel Vendor URL: http://www.intel.com/ Versions affected: Intel Driver Support Assistance prior to version 19.4.18 Systems Affected: Microsoft Windows Author: Richard Warren <richard.warren[at]nccgroup[dot]com> Advisory URL / CVE Identifier: CVE-2019-11114. Risk: Medium Summary This vulnerability allows a low privileged user to escalate their privileges to SYSTEM. Location Intel Driver Support Assistance – DSAService (DSACore.dll) Impact Upon successful…


Technical Advisory: Citrix Workspace / Receiver Remote Code Execution Vulnerability

Vendor: Citrix Vendor URL: http://www.citrix.com/ Versions affected: Citrix Workspace App versions prior to 1904 and Receiver for Windows versions prior to LTSR 4.9 CU6 version 4.9.6001 Systems Affected: Microsoft Windows Author: Ollie Whitehouse <ollie.whitehouse[at]nccgroup[dot]com> Richard Warren <richard.warren[at]nccgroup[dot]com> Martin Hill <martin.hill[at]nccgroup[dot]com> Advisory URL / CVE Identifier: CVE-2019-11634. Risk: Critical Summary The Citrix Workspace / Receiver client suffers…


Technical Advisory: Multiple Vulnerabilities in SmarterMail

Vendor: SmarterTools Vendor URL: https://www.smartertools.com/ Versions affected: prior to Build 6985 (CVE-2019-7214), prior to Build 7040 (CVE-2019-7211, CVE-2019-7212, CVE-2019-7213) Systems Affected: SmarterMail Author: Soroush Dalili (@irsdl) Advisory URL / CVE Identifier: CVE-2019-7214, CVE-2019-7213, CVE-2019-7212, CVE-2019-7211 https://www.smartertools.com/smartermail/release-notes/current Risk: Critical and High Summary The SmarterMail application is a popular mail server with rich features for normal…


Technical Advisory – DelTek Vision – Arbitrary SQL Execution (SQLi)

Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Advisory Name: Deltek Vision - Arbitrary SQL Execution Release Date: 2019-04-09 Application: Deltek Vision Versions: 7.x before 7.6 March 2019 CU (Cumulative Update) Severity: High Author: Robert Wessen Vendor Status: Updates available, see vendor for information. CVE Candidate: CVE-2018-18251 Reference: https://www.vsecurity.com/download/advisories/2018-18251.txt =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=…


Technical Advisory: Multiple Vulnerabilities in MailEnable

Vendor: MailEnable Vendor URL: https://www.mailenable.com/ Versions affected: versions before 10.24, 9.83, 8.64, 7.62, 6.90 (20th June 2019) Systems Affected: tested on Enterprise Premium but all versions have been patched Author: Soroush Dalili (@irsdl) Advisory URL / CVE Identifier: CVE-2019-12923, CVE-2019-12924, CVE-2019-12925, CVE-2019-12926, CVE-2019-12927 http://www.mailenable.com/Premium-ReleaseNotes.txt http://www.mailenable.com/Premium-ReleaseNotes9.txt http://www.mailenable.com/Premium-ReleaseNotes8.txt http://www.mailenable.com/Premium-ReleaseNotes7.txt http://www.mailenable.com/Premium-ReleaseNotes6.txt Risk: Critical, High, Medium Summary The MailEnable…


Technical Advisory: IP Office Stored Cross Site Scripting (XSS) Vulnerability

Vendor: Avaya Vendor URL: https://www.avaya.com/ Versions affected: 10.0 through 10.1 SP3, 11.0 Systems Affected: Avaya IP Office Author: Mattia Reggiani mattia.reggiani[at]nccgroup[dot]com Advisory URL: https://downloads.avaya.com/css/P8/documents/101054317 Advisory URL / CVE Identifier: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15614 Risk: Medium Summary The One-X Web Portal was vulnerable to multiple persistent or stored cross-site scripting (XSS) vulnerabilities. This occurs when JavaScript or HTML code entered as…


Technical Advisory: SMB Hash Hijacking and User Tracking in MS Outlook

Vendor: Microsoft Vendor URL: https://www.microsoft.com/ Systems Affected: Microsoft Outlook Author: Soroush Dalili CVE Identifiers: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8572, https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-11927 Risk: Medium – Possible SMB Hash Hijacking or User Tracking Summary Microsoft Outlook could be abused to send SMB handshakes externally after a victim opens or simply views an email. A WebDAV request was sent even when the SMB…


Technical Advisory: Authentication Bypass in libSSH

Vendor: libSSH Vendor URL: https://www.libssh.org/ Versions affected: Versions of libSSH 0.6 and above, prior to 0.7.6 or 0.8.4. Author: Peter Winter-Smith peter.winter-smith[at]nccgroup.com Advisory URL / CVE Identifier: CVE-2018-10933 - https://www.libssh.org/security/advisories/CVE-2018-10933.txt Risk: Critical – Authentication Bypass Summary libSSH is a library written in C which implements the SSH protocol and can be used to implement both…


Technical Advisory: Bypassing Workflows Protection Mechanisms – Remote Code Execution on SharePoint

Vendor: Microsoft Vendor URL: https://www.microsoft.com/ Versions affected: .NET Framework before July 2018 patch Systems Affected: .NET Framework Workflow library Author: Soroush Dalili (@irsdl) Advisory URL / CVE Identifier: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2018-8284 Risk: Critical Summary In the .NET Framework, workflows can be created by compiling an XOML file using the libraries within the System.Workflow namespace. The workflow compiler…


Technical Advisory: Mitel MiVoice 5330e Memory Corruption Flaw

Vendor: Mitel Vendor URL: https://www.mitel.com Versions affected: 5330e IP Phone Systems Affected: Mitel MiVoice Author: Mattia Reggiani mattia.reggiani[at]nccgroup[dot]trust Advisory URL: https://www.mitel.com/support/security-advisories/mitel-product-security-advisory-18-0009 CVE Identifier: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15497 Risk: Low-High (case dependent) – Denial of Service and possible Remote Code Execution Summary The Mitel MiVoice 5330e VoIP device is affected by a memory corruption…


Technical Advisory: Bypassing Microsoft XOML Workflows Protection Mechanisms using Deserialisation of Untrusted Data

Vendor: Microsoft Vendor URL: https://www.microsoft.com/ Versions affected: .NET Framework before September 2018 patch Systems Affected: .NET Framework Workflow library Author: Soroush Dalili (@irsdl) Advisory URL / CVE Identifier: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8421 Risk: Critical Summary In the .NET Framework, workflows can be created by compiling an XOML file using the libraries within the System.Workflow namespace. The workflow compiler…


Technical Advisory: Unauthenticated Remote Command Execution through Multiple Vulnerabilities in Virgin Media Hub 3.0

Vendor: Virgin Media Vendor URL: https://www.virginmedia.com/ Versions affected: products before Aug 2018 rollout / 9.1.116V and 9.1.885J Systems Affected: Hub 3.0 Author: Balazs Bucsay (@xoreipeip) Advisory URL / CVE Identifier: None Risk: Critical Summary Multiple security vulnerabilities were found in the device’s firmware which, when chained, led to unauthenticated remote command execution. Location Multiple…


Technical advisory: “ROHNP”- key extraction side channel in multiple crypto libraries

Vendors affected: Multiple Versions affected: Multiple Author: Keegan Ryan <keegan.ryan[at]nccgroup[dot]trust> <@inf_0_> Advisory URL / CVE Identifier: CVE-2018-0495 Risk: Medium (Key disclosure is possible, but only through certain side channels) Summary We have discovered an implementation flaw in multiple cryptographic libraries that allows a side-channel based attacker to recover ECDSA or…


Technical Advisory: Multiple Vulnerabilities in ManageEngine Desktop Central

Vendor: ManageEngine Vendor URL: https://www.manageengine.com/products/desktop-central/ Versions affected: 10.0.124 and 10.0.184 verified, all versions <= 10.0.184 suspected Systems Affected: All Author: Ben Lincoln <ben.lincoln[at]nccgroup[dot]trust> Advisory URLs: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5337, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5338, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5339, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5340, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5341, http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5342 Risk: Critical (unauthenticated remote code execution) Summary Desktop Central is integrated desktop and mobile device management software that helps in managing servers, laptops, desktops, smartphones,…


Technical Advisory: Code Execution by Unsafe Resource Handling in Multiple Microsoft Products

Vendor: Microsoft Vendor URL: https://www.microsoft.com/ Versions affected: products before July 2018 patch Systems Affected: Visual Studio, .NET Framework, SharePoint Author: Soroush Dalili (@irsdl) Advisory URL / CVE Identifier: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8172 https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8260 https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-8300 Risk: Medium to High Summary A number of deserialisation issues within the resource files (.resx and .resources) were reported to Microsoft in January 2018 by…


Technical Advisory: Code Execution by Viewing Resource Files in .NET Reflector

Vendor: Redgate Vendor URL: https://www.red-gate.com/ Versions affected: prior to 10.0.7.774 (24th July, 2018) Systems Affected: .NET Reflector Author: Soroush Dalili (@irsdl) Advisory URL / CVE Identifier: https://documentation.red-gate.com/ref10/release-notes-and-other-versions/net-reflector-10-0-release-notes (CVE-2018-14581) Risk: Critical Summary It was possible to execute code by decompiling a compiled .Net object (such as DLL or EXE) with an embedded resource file. An attacker could…


Technical Advisory: Reflected Cross-Site Scripting (XSS) vulnerability in Jenkins Delivery Pipeline plugin

Vendor: Jenkins Delivery Pipeline Plugin Vendor URL: https://plugins.jenkins.io/delivery-pipeline-plugin Versions affected: 1.0.7 (up to and including) Systems Affected: Jenkins Author: Viktor Gazdag viktor.gazdag[at]nccgroup[dot]trust Advisory URL / CVE Identifier: https://jenkins.io/security/advisory/2017-11-16/ Risk: Medium – 6.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) (Reflected Cross-Site Scripting) Summary The Delivery Pipeline Plugin is a Jenkins plugin that helps visualizing the delivery/build…


Technical Advisory – Bomgar Remote Support – Local Privilege Escalation

Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Advisory Name: Bomgar Remote Support - Local Privilege Escalation Release Date: 2017-10-26 Application: Bomgar Remote Support Versions: 15.2.x before 15.2.3 16.1.x before 16.1.5 16.2.x before 16.2.4 Severity: High/Medium Author: Robert Wessen Author: Mitch Kucia Vendor Status: Update Released [2] CVE Candidate: CVE-2017-5996…


Technical Advisory: Adobe ColdFusion RMI Registry.bind() Deserialisation RCE

Vendor: Adobe Vendor URL: https://www.adobe.com/uk/products/coldfusion-family.html Systems Affected: ColdFusion 2016 update 4 and below, ColdFusion 11 update 12 and below Author: Nick Bloor (@NickstaDB) / nick.bloor@nccgroup.com Advisory URL: https://helpx.adobe.com/security/products/coldfusion/apsb17-30.html CVE Identifier: CVE-2017-11284 Risk: Critical (unauthenticated remote code/command execution) Summary Adobe ColdFusion supports Flex integration to enable Flash applications to interact with ColdFusion components. This is achieved using…


Technical Advisory: Adobe ColdFusion Object Deserialisation RCE

Vendor: Adobe Vendor URL: https://www.adobe.com/uk/products/coldfusion-family.html Systems Affected: ColdFusion 2016 update 4 and below, ColdFusion 11 update 12 and below Author: Nick Bloor (@NickstaDB) / nick.bloor@nccgroup.com Advisory URL: https://helpx.adobe.com/security/products/coldfusion/apsb17-30.html CVE Identifier: CVE-2017-11283 Risk: Critical (unauthenticated remote code/command execution) Summary Adobe ColdFusion supports Flex integration to enable Flash applications to interact with ColdFusion components. This is achieved using…


Technical Advisory: Authentication rule bypass

Vendor: PAC4j Vendor URL: http://www.pac4j.org/ Versions affected: All versions through 3.0.0 (latest at time of writing) Author: James Chambers <james.chambers[at]nccgroup[dot]trust> Advisory URL / CVE Identifier: TBD Risk: High (an attacker can bypass path-based authentication rules) Summary Regular expressions used for path-based authentication by the play-pac4j library are evaluated against the…


Technical Advisory – play-pac4j Authentication rule bypass

Summary Regular expressions used for path-based authentication by the play-pac4j library are evaluated against the full URI provided in a user’s HTTP request. If a requested URI matches one of these expressions, the associated authentication rule will be applied. These rules are only intended to validate the path and query…


Technical advisory: Remote shell commands execution in ttyd

Vendor: tsl0922 Vendor URL: https://github.com/tsl0922/ttyd/ (https://tsl0922.github.io/ttyd/) Versions affected: 1.3.0 (<=) Author: Donato Ferrante <donato.ferrante[at]nccgroup[dot]trust> Patch URL: https://github.com/tsl0922/ttyd/commit/4d31e534c0ec20582d91210990969c19b68ab3b0 Risk: Critical Summary ttyd is a cross platform (e.g. macOS, Linux, FreeBSD, OpenWrt/LEDE, Windows) tool for sharing a terminal over the web, inspired by GoTTY. ttyd may allow remote attackers to execute shell commands on a victim’s system,…


Technical advisory: CVE-2017-8592 – XMLHttpRequest in IE followed 307 redirections with additional or customised headers

Vendor: Microsoft Vendor URL: https://www.microsoft.com/ Versions affected: IE 10, 11, and Edge prior to July 2017 patch Systems Affected: Windows with above versions affected Author: Soroush Dalili Advisory URL / CVE Identifier: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8592 Risk: Low Summary Internet Explorer (or Edge) could be used to send arbitrary messages to a target…


D-LINK DIR-850L web admin interface vulnerable to stack-based buffer overflow

Title: D-LINK DIR-850L web admin interface vulnerable to stack-based buffer overflow Reference: VT-95 Discoverer: …


Unauthenticated XML eXternal Entity (XXE) vulnerability

Vendor: Oracle Vendor URL: http://www.oracle.com/ Versions affected: 11.1.2.4 (previous versions may also be affected) Systems Affected: Oracle Hyperion Financial Reporting Web Studio Author: Mathew Nash Mathew.Nash[at]nccgroup[dot]trust, Fabio Pires Fabio.pires[at]nccgroup[dot]trust Advisory URL: http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html CVE Identifier: CVE-2017-10310 Risk: High (Unauthenticated local file read, server-side request forgery or denial of service) Summary The…


Technical Advisory: Shell Injection in MacVim mvim URI Handler

Vendor: macvim-dev Vendor URL: http://macvim.org Versions affected: snapshot-110 Author: Daniel Crowley <daniel.crowley[at]nccgroup[dot]trust> Bug discovery credit: Anonymous Advisory URL / CVE Identifier: TBD Risk: Critical Summary MacVim is a Mac OS port of Vim. MacVim is vulnerable to shell injection in mvim:// URIs through the column parameter, allowing attacks through a…


Technical Advisory: Shell Injection in SourceTree

Vendor: Atlassian Vendor URL: http://atlassian.com Versions affected: v1.9.8 known affected version, earlier versions possible Systems Affected: Mac OS X known affected, others possible Author: Daniel Crowley <daniel.crowley[at]nccgroup[dot]trust> Advisory URL / CVE Identifier: https://jira.atlassian.com/browse/SRCTREE-4481 Risk: Critical (reliable remote code execution) Summary SourceTree is a product for working with various types of…


Technical Advisory: Multiple Vulnerabilities in Accellion File Transfer Appliance

Vendor: Accellion, Inc. Vendor URL: http://www.accellion.com/ Versions affected: FTA_9_12_40, FTA_9_12_51, FTA_9_12_110, others likely Systems Affected: Accellion File Transfer Appliance Author: Daniel Crowley <daniel.crowley[at]nccgroup[dot]trust> Advisory URL / CVE Identifier: TBD Risk: Critical Summary The Accellion File Transfer Appliance (FTA) is an alternative to traditional email and FTP services for file transfers.…


Advisory-CraigSBlackie-CVE-2016-9795

Title: Privilege Escalation in CA Common Services casrvc due to Arbitrary Write Reference: VT-37 Discoverer: …


Technical Advisory: Nexpose Hard‐coded Java Key Store Passphrase Allows Decryption of Stored Credentials

Vendor: Rapid7, Inc. Vendor URL: http://rapid7.com Versions affected: 6.4.9 2016-11-30 and potentially all prior releases. Systems Affected: Nexpose Vulnerability Scanner Author: Noah Beddome, Justin Lemay, and Ben Lincoln Advisory URL / CVE Identifier: 2017-5230 Risk: Medium - Requires specific access criteria Summary The Nexpose vulnerability scanner by Rapid7 is widely used to identify network and application…


Java RMI Registry.bind() Unvalidated Deserialization

Title: Java RMI Registry.bind() Unvalidated Deserialization Reference: VT-87 Discoverer: Nick Bloor (@NickstaDB) Vendor: …


iOS MobileSlideShow USB Image Class arbitrary code execution.txt

Title: iOS MobileSlideShow USB Image Class arbitrary code execution Release Date: 15 December 2016 Reference: NCC00249 Discoverer: Andy Davis Vendor: …


Denial of Service in Parsing a URL by ierutil.dll

Title: Denial of Service in Parsing a URL by ierutil.dll Reference: VT-20 Discoverer: Soroush Dalili Vendor: …


Microsoft Office Memory Corruption Vulnerability

Vulnerability Summary Title: Microsoft Office Memory Corruption Vulnerability Release Date: 10 March 2016 Reference: NCC00886 Discoverer: Richard Warren Vendor: Microsoft Vendor Reference: MS16-029 Systems Affected: Tested on Microsoft Office 2010 on Windows 7 CVE Reference: CVE-2016-0021 Risk: Medium Status: Fixed Download technical advisory


Windows 10 USB Mass Storage driver arbitrary code execution in kernel mode

Vulnerability Summary Title: Windows 10 USB Mass Storage driver arbitrary code execution in kernel mode Release Date: 10 March 2016 Reference: …


Flash local-with-filesystem Bypass in navigateToURL

Title: Flash local-with-filesystem Bypass in navigateToURL Reference: VT-19 Discoverer: Soroush Dalili and Matthew Evans Vendor: …


D-Link routers vulnerable to Remote Code Execution (RCE)

Title: D-Link routers vulnerable to Remote Code Execution (RCE) Release Date: 11 Aug 2016 Reference: …


Potential false redirection of web site content in Internet in SAP NetWeaver web applications

Vulnerability Summary Title: Potential false redirection of web site content in Internet in SAP NetWeaver web applications Release Date: 8 March 2016 Reference: …


Multiple security vulnerabilities in SAP NetWeaver BSP Logon

Vulnerability Summary Title: Multiple security vulnerabilities in SAP NetWeaver BSP Logon Release Date: 8 March 2016 Reference: NCC00837 Discoverer: …


Xen HYPERVISOR_xen_version stack memory revelation

Vulnerability Summary Title: Xen HYPERVISOR_xen_version stack memory revelation Release Date: 6 March 2015 Reference: NCC00817 Discoverer: Aaron Adams Vendor: Xen Vendor Reference: XSA-122 Systems Affected: All CVE Reference: CVE-2015-2045 Risk: Low Status: Fixed Download our technical advisory


Windows Remote Desktop Memory Corruption Leading to RCE on XPSP3

Summary Name: Windows Remote Desktop Memory Corruption Leading to RCE on XPSP3 Release Date: 30 November 2012 Reference: NGS00288 Discoverer: Edward Torkington Vendor: Microsoft Vendor Reference: Systems Affected: Windows XP SP3 Risk: Critical Status: Published TimeLine Discovered: 2 April 2012 Released: 11 May 2012 Approved: 11 May 2012 Reported: 16 April 2012 Fixed: 14 August 2012 Published: 30 November 2012 Description Terminal Services…


SysAid Helpdesk Pro – Blind SQL Injection

Summary Name: SysAid Helpdesk Pro – Blind SQL Injection Release Date: 30 November 2012 Reference: NGS00241 Discoverer: Daniel Compton Vendor: SysAid Vendor Reference: Systems Affected: SysAid Helpdesk 8.5 Pro Risk: High Status: Published TimeLine Discovered: 12 March 2012 Released: 12 March 2012 Approved: 12 March 2012 Reported: 14 March 2012 Fixed: 1 August 2012 Published: 30 November 2012 Description SysAid Helpdesk V8.5.04 Pro…


Symantec Messaging Gateway SSH with backdoor user account + privilege escalation to root due to very old Kernel

Summary Name: Symantec Messaging Gateway – SSH with backdoor user account + privilege escalation to root due to very old Kernel Release Date: 30 November 2012 Reference: NGS00267 Discoverer: Ben Williams Vendor: Symantec Vendor Reference: Systems Affected: Symantec Messaging Gateway 9.5.3-3 Risk: High Status: Published TimeLine Discovered: 18 April 2012 Released: 18 April 2012 Approved: 29 April 2012 Reported: 30 April…


Symantec Messaging Gateway Easy CSRF to add a backdoor-administrator (for example)

Summary Name: Symantec Messaging Gateway – Easy CSRF to add a backdoor-administrator (for example) Release Date: 30 November 2012 Reference: NGS00263 Discoverer: Ben Williams Vendor: Symantec Vendor Reference: Systems Affected: Symantec Messaging Gateway 9.5.3-3 Risk: High Status: Published TimeLine Discovered: 16 April 2012 Released: 16 April 2012 Approved: 29 April 2012 Reported: 30 April 2012 Fixed: 27 August 2012 Published: 30 November 2012…


Symantec Backup Exec 2012 – Persistent XSS Vulnerability Affecting Custom Reports

Summary
Name: Symantec Backup Exec 2012 – Persistent XSS Vulnerability Affecting Custom Reports
Release Date: 2 October 2013
Reference: NGS00341
Discoverer: Daniele Costa
Vendor: Symantec
CVE Reference: CVE-2013-4676
Systems Affected: Symantec Backup Exec 2012
Risk: High
Status: Published
TimeLine
Discovered: 10 July 2012
Released: 10 July 2012
Approved: 10 July 2012
Reported: 10 July 2012
Fixed: 1 August 2013
Published: 30 September 2013…


Symantec Backup Exec 2012 – OS version and service pack information leak

Summary
Name: Symantec Backup Exec 2012 – OS version and service pack information leak
Release Date: 2 October 2013
Reference: NGS00344
Discoverer: Andy Davis
Vendor: Symantec
CVE Reference: CVE-2013-4678
Systems Affected: Symantec Backup Exec 2012
Risk: Medium
Status: Published
TimeLine
Discovered: 18 July 2012
Released: 18 July 2012
Approved: 18 July 2012
Reported: 18 July 2012
Fixed: 1 August 2013
Published: 30 September…


Symantec Backup Exec 2012 – Linux Backup Agent Heap Overflow

Summary
Name: Symantec Backup Exec 2012 – Linux Backup Agent Heap Overflow
Release Date: 10 August 2012
Reference: NGS00342
Discoverer: Perran Hill <perran.hill@nccgroup.com>
Vendor: Symantec
CVE Reference: CVE-2013-4575
Systems Affected: Symantec Backup Exec 2012
Risk: High
Status: Released
TimeLine
Discovered: 13 July 2012
Released: 13 July 2012
Approved: 13 July 2012
Reported: 13 July 2012
Fixed: 1 August 2013
Published: 30 September 2013…


Symantec Backup Exec 2012 Backup/Restore Data Traverses Memory with Weak ACLs

Summary
Name: Symantec Backup Exec 2012 Backup/Restore Data Traverses Memory with Weak ACLs (RW Everyone)
Release Date: 2 October 2013
Reference: NGS00347
Discoverer: Edward Torkington <edward.torkington@nccgroup.com>
Vendor: Symantec
CVE Reference: CVE-2013-4677
Systems Affected: Symantec Backup Exec 2012
Risk: Medium
Status: Published
TimeLine
Discovered: 24 July 2012
Released: 24 July 2012
Approved: 24 July 2012
Reported: 24 July 2012
Fixed: 1 August 2013
Published:…


Symantec Backup Exec 2012 – Backup Exec Utility Stored XSS when adding Groups, Servers and Computers

Summary
Name: Symantec Backup Exec 2012 – Backup Exec Utility Stored XSS when adding Groups, Servers and Computers
Release Date: 20 August 2012
Reference: NGS00340
Discoverer: Matt Lewis <matt.lewis@nccgroup.com>
Vendor: Symantec
CVE Reference: CVE-2013-4676
Systems Affected: Symantec Backup Exec 2012
Risk: High
Status: Released
TimeLine
Discovered: 6 July 2012
Released: 6 July 2012
Approved: 6 July 2012
Reported: 6 July 2012
Fixed:…


Squiz CMS File Path Traversal

Summary
Name: Squiz CMS – File Path Traversal
Release Date: 30 November 2012
Reference: NGS00330
Discoverer: Robert Ray
Vendor: Squiz
Vendor Reference: 11846
Systems Affected: Squiz CMS V11654
Risk: High
Status: Published
TimeLine
Discovered: 29 June 2012
Released: 29 June 2012
Approved: 2 July 2012
Reported: 9 July 2012
Fixed: 9 August 2012
Published: 30 November 2012
Description
Squiz CMS V11654 – File…


Solaris 11 USB Hub Class descriptor kernel stack overflow

Summary – 02.11.2011
Name: Solaris 11 USB Hub Class descriptor kernel stack overflow
Release Date: 2 November 2011
Reference: NGS00042
Discoverer: Andy Davis
Vendor: Oracle
Vendor Reference:
Systems Affected: Solaris 8, 9, 10, and 11 Express
Risk: High
Status: Published
TimeLine
Discovered: 27 January 2011
Released: 27 January 2011
Approved: 27 January 2011
Reported: 27 January 2011
Fixed: 19 July 2011
Published: 2 November…


SmarterMail – Stored XSS in emails

VULNERABILITY SUMMARY
Title: SmarterMail – Stored XSS in emails
Release Date: 6 March 2015
Reference: NCC00776
Discoverer: Soroush Dalili
Vendor: Smarter Tools
Systems Affected: v13.1.5451 and prior
CVE Reference: TBC
Risk: Medium
Status: Fixed


Remote code execution in ImpressPages CMS

Summary
Name: Remote code execution in ImpressPages CMS
Release Date: 5 January 2012
Reference: NGS00109
Discoverer: David Middlehurst
Vendor: ImpressPages
Vendor Reference:
Systems Affected: ImpressPages CMS 1.0.12
Risk: High
Status: Published
TimeLine
Discovered: 28 August 2011
Released: 28 August 2011
Approved: 28 August 2011
Reported: 5 September 2011
Fixed: 21 September 2011
Published: 5 January 2012
Description
ImpressPages CMS (1.0.12) is prone to…


OS X 10.6.6 Camera Raw Library Memory Corruption

Summary – 28.06.2011
Name: OS X 10.6.6 Camera Raw Library Memory Corruption
Reference: NGS00052
Discoverer: Paul Harrington
Vendor: Apple
Vendor Reference: 140299872
Systems Affected: OS X 10.6.6 with RawCamera.bundle < 3.6
Risk: High
Status: Published
TimeLine
Discovered: 22 February 2011
Released: 22 February 2011
Approved: 22 February 2011
Reported: 23 February 2011
Fixed: 21 March 2011
Published: 28 June 2011
Description
A corrupt…


Oracle Java Installer Adds a System Path Which is Writable by All

Vulnerability Summary
Title: Oracle Java Installer Adds a System Path Which is Writable by All Users
Release Date: 21 January 2015
Reference: NCC00767
Discoverer: Edd Torkington
Vendor: Oracle
Vendor Reference: S0514586
Systems Affected: Oracle Java 8 Version 25
CVE Reference:…


Oracle Hyperion 11 Directory Traversal

Summary
Name: Oracle Hyperion 11 – Directory Traversal
Release Date: 30 July 2013
Reference: NGS00434
Discoverer: Richard Warren <richard.warren@nccgroup.com>
Vendor: Oracle
Vendor Reference: S0318807
Systems Affected: Oracle Hyperion 11.1.1.3, 11.1.1.4.107 and earlier, 11.1.2.1.129 and earlier, and 11.1.2.2.305 and earlier
Risk: High
Status: Published
TimeLine
Discovered: 20 November 2012
Released: 20 November 2012
Approved: 20 November 2012
Reported: 20 November 2012
Fixed: 16…


Oracle E-Business Suite Pre-Auth SQLi with DBA Privileges

Vulnerability Summary
Title: Oracle E-Business Suite Pre-Auth SQLi with DBA Privileges
Release Date: 21 January 2015
Reference: NCC00774
Discoverer: Edd Torkington
Vendor: Oracle
Vendor Reference: S0524388
Systems Affected: 11.5.10.2, 12.0.4,…


Nessus Authenticated Scan – Local Privilege Escalation

Title: Nessus Authenticated Scan – Local Privilege Escalation
Release Date: 20 March 2014
Reference: NGS00643
Discoverer: Neil Jones
Vendor: Tenable
Vendor Reference: RWZ-21387-181
Systems Affected: Nessus appliance engine version 5.2.1, plugin set 201402092115
CVE Reference:
Risk: High
Status: Fixed


NCC Group Malware Technical Note

NCC Group’s Cyber Defence Operations team has released a technical note about the Derusbi Server variant, which we encountered on an engagement at the end of last year. You can download this using the link to the right.


Nagios XI Network Monitor – Stored and Reflective XSS

Summary
Name: Nagios XI Network Monitor – Stored and Reflective XSS
Release Date: 30 November 2012
Reference: NGS00195
Discoverer: Daniel Compton
Vendor: Nagios
Vendor Reference: 0000284
Systems Affected: 2011R1.9
Risk: High
Status: Published
TimeLine
Discovered: 30 January 2012
Released: 31 January 2012
Approved: 31 January 2012
Reported: 31 January 2012
Fixed: 4 June 2012
Published: 30 November 2012
Description
Nagios XI Network Monitor…


Multiple Vulnerabilities in MailEnable

Vulnerability Summary
Title: Multiple Vulnerabilities in MailEnable
Release Date: 10 March 2015
Reference: NCC00777, NCC00778, NCC00779, NCC00780
Discoverer: Soroush Dalili (@irsdl)
Vendor: MailEnable
Vendor Reference: http://www.mailenable.com/
Systems Affected: Tested on version 8.56 (versions prior to 8.60, 7.60, 6.88, and 5.62 should be vulnerable)
CVE Reference: TBC
Risk: High
Status: Fixed…


Microsoft Internet Explorer CMarkup Use-After-Free

Vulnerability Summary
Title: Microsoft Internet Explorer CMarkup Use-After-Free
Release Date: 6 October 2014
Reference: NGS00704
Discoverer: Edward Torkington
Vendor: Microsoft
Vendor Reference: 19160
Systems Affected: IE6-11
CVE Reference: CVE-2014-1799
Risk: High
Status: Fixed
Resolution Timeline
Discovered: 22 May 2014
Reported: 22 May 2014
Released: 22 May 2014
Fixed: 22 June 2014
Published: 6 October 2014
(The time between the bug being fixed and this advisory published…


McAfee Email and Web Security Appliance v5.6 – Session hijacking (and bypassing client-side session timeouts)

Summary
Name: McAfee Email and Web Security Appliance v5.6 – Session hijacking (and bypassing client-side session timeouts)
Release Date: 30 November 2012
Reference: NGS00154
Discoverer: Ben Williams
Vendor: McAfee
Vendor Reference:
Systems Affected:
Risk: Medium
Status: Published
TimeLine
Discovered: 7 November 2011
Released: 28 November 2011
Approved: 28 November 2011
Reported: 4 December 2011
Fixed: 13 March 2012
Published: 30 November 2012
Description
McAfee…


McAfee Email and Web Security Appliance v5.6 – Password hashes can be recovered from a system backup and easily cracked

Summary
Name: McAfee Email and Web Security Appliance v5.6 – Password hashes can be recovered from a system backup and easily cracked
Release Date: 30 November 2012
Reference: NGS00157
Discoverer: Ben Williams
Vendor: McAfee
Vendor Reference:
Systems Affected:
Risk: Medium
Status: Published
TimeLine
Discovered: 25 November 2011
Released: 29 November 2011
Approved: 29 November 2011
Reported: 4 December 2011
Fixed: 13 March 2012
Published:…


McAfee Email and Web Security Appliance v5.6 – Arbitrary file download is possible with a crafted URL, when logged in as any user

Summary
Name: McAfee Email and Web Security Appliance v5.6 – Arbitrary file download is possible with a crafted URL, when logged in as any user
Release Date: 30 November 2012
Reference: NGS00158
Discoverer: Ben Williams
Vendor: McAfee
Vendor Reference:
Systems Affected:
Risk: Medium
Status: Published
TimeLine
Discovered: 26 November 2011
Released: 29 November 2011
Approved: 29 November 2011
Reported: 4 December 2011
Fixed:…


McAfee Email and Web Security Appliance v5.6 – Any logged-in user can bypass controls to reset passwords of other administrators

Summary
Name: McAfee Email and Web Security Appliance v5.6 – Any logged-in user can bypass controls to reset passwords of other administrators
Release Date: 30 November 2012
Reference: NGS00155
Discoverer: Ben Williams
Vendor: McAfee
Vendor Reference:
Systems Affected:
Risk: High
Status: Published
TimeLine
Discovered: 7 November 2011
Released: 29 November 2011
Approved: 29 November 2011
Reported: 4 December 2011
Fixed: 13 March 2012
Published:…


McAfee Email and Web Security Appliance v5.6 – Active session tokens of other users are disclosed within the UI

Summary
Name: McAfee Email and Web Security Appliance v5.6 – Active session tokens of other users are disclosed within the UI
Release Date: 30 November 2012
Reference: NGS00156
Discoverer: Ben Williams
Vendor: McAfee
Vendor Reference:
Systems Affected:
Risk: Medium
Status: Published
TimeLine
Discovered: 8 November 2011
Released: 29 November 2011
Approved: 29 November 2011
Reported: 4 December 2011
Fixed: 13 March 2012
Published: 30…


iOS 7 arbitrary code execution in kernel mode

Title: iOS 7 arbitrary code execution in kernel mode
Release Date: 14 March 2014
Reference: NGS00596
Discoverer: Andy Davis
Vendor: Apple
Vendor Reference: 600217059
Systems Affected: iPhone 4 and later, iPod touch (5th generation) and later, iPad 2 and later
CVE Reference: CVE-2014-1287
Risk: High
Status: Fixed


Lumension Device Control (formerly Sanctuary) remote memory corruption

Summary – 24.08.2011
Name: Lumension Device Control (formerly Sanctuary) remote memory corruption
Release Date: 24 August 2011
Reference: NGS00054
Discoverer: Andy Davis <andy.davis@ngssecure.com>
Vendor: Lumension
Vendor Reference:
Systems Affected: Lumension Device Control v4.4 SR6
Risk: High
Status: Published
TimeLine
Discovered: 3 March 2011
Released: 3 March 2011
Approved: 3 March 2011
Reported: 3 March 2011
Fixed: 24 May 2011
Published: 24 August 2011
Description…


LibAVCodec AMV Out of Array Write

Summary – 31.07.2011
Name: LibAVCodec AMV Out of Array Write
Release Date: 31 July 2011
Reference: NGS00068
Discoverer: Dominic Chell
Vendor: VideoLAN
Vendor Reference: CVE-2011-1931
Systems Affected: VLC media player 1.1.9 and earlier releases
Risk: High
Status: Published
TimeLine
Discovered: 31 March 2011
Released: 31 March 2011
Approved: 31 March 2011
Reported: 21 April 2011
Fixed: 21 April 2011
Published: 31 July 2011
Description…


Increased exploitation of Oracle GlassFish Server Administration Console Remote Authentication Bypass

Summary
Name: Increased exploitation of Oracle GlassFish Server Administration Console Remote Authentication Bypass Vulnerability
Release Date: 5 January 2012
Reference: NGS00106
Discoverer: David Spencer
Vendor: Oracle
Vendor Reference:
Systems Affected: Oracle GlassFish Server 2.1 and 3
Risk: High
Status: Published
TimeLine
Discovered: 26 August 2011
Released: 26 August 2011
Approved: 26 August 2011
Reported: 26 August 2011
Fixed: July 2011
Published: 5 January…


Flash security restrictions bypass: File upload by URLRequest

Vulnerability Summary
Title: Flash security restrictions bypass: File upload by URLRequest
Release Date: 13 March 2015
Reference: NCC00765
Discoverer: Soroush Dalili
Vendor: Adobe
Vendor Reference: PSIRT-3146
Systems Affected: Adobe Flash Player <=16.0.0.305, <=13.0.0.269, 11.2.202.442
CVE Reference: CVE-2015-0340…


Immunity Debugger Buffer Overflow

Summary – 22.03.2011
Name: Immunity Debugger Buffer Overflow
Release Date: 22 March 2011
Reference: NGS00016
Discoverer: Paul Harrington
Vendor: Immunity Inc
Vendor Reference: Support #3171
Systems Affected: Windows
Risk: Low
Status: Fixed
TimeLine
Discovered: 28 October 2010
Released: 28 October 2010
Approved: 28 October 2010
Reported: 28 October 2010
Fixed: 6 December 2010
Published: 22 March 2011
Description
Immunity Debugger V1.73 contains a buffer…


DataArmor Full Disk Encryption 3.0.12c – Restricted Environment breakout, Privilege Escalation and Full Disk Decryption

Summary
Name: DataArmor Full Disk Encryption 3.0.12c – Restricted Environment breakout, Privilege Escalation and Full Disk Decryption
Release Date: 30 November 2012
Reference: NGS00193
Discoverer: Stuart Passe
Vendor: Mobile Armor
Vendor Reference: KB #1060043
Systems Affected: All versions of DataArmor and DriveArmor prior to v3.0.12.861
Risk: Critical
Status: Published
TimeLine
Discovered: 10 January 2012
Released: 17 January 2012
Approved: 17…


Cups-filters remote code execution

VULNERABILITY SUMMARY
Title: cups-filters remote code execution
Release Date: 6 March 2015
Reference: NCC00816
Discoverer: Paul Collett
Vendor: Linux Foundation
Systems Affected: All Linux
CVE Reference: CVE-2014-2707
Risk: High
Status: Published


Critical Risk Vulnerability in SAP Message Server (Heap Overflow)

Summary
Name: SAP Message Server Heap Overflow
Release Date: 5 July 2007
Reference: NGS00485
Discoverer: Mark Litchfield <mark@ngssoftware.com>
Vendor: SAP
Vendor Reference: SECRES-292
Systems Affected: All Versions
Risk: Critical
Status: Fixed
TimeLine
Discovered: 4 January 2007
Released: 19 January 2007
Approved: 29 January 2007
Reported: 11 January 2007
Fixed: 2 May 2007
Published:
Description
The Message Server is a service used by the different application servers to…


Critical Risk Vulnerability in SAP DB Web Server (Stack Overflow)

Summary
Name: SAP DB Web Server Stack Overflow
Release Date: 5 July 2007
Reference: NGS00486
Discoverer: Mark Litchfield <mark@ngssoftware.com>
Vendor: SAP
Vendor Reference: SECRES-291
Systems Affected: All Versions
Risk: Critical
Status: Fixed
TimeLine
Discovered: 3 January 2007
Released: 19 January 2007
Approved: 29 January 2007
Reported: 11 January 2007
Fixed: 27 March 2007
Published:
Description
SAP DB is an open source database server sponsored by SAP…


Critical Risk Vulnerability in Ingres (Pointer Overwrite 2)

Summary
Name: Ingres remote unauthenticated pointer overwrite 2
Release Date: 25 June 2007
Reference: NGS00392
Discoverer: Chris Anley <chris@ngssoftware.com>
Vendor: Ingres
Vendor Reference: [Ingres bug 115927, CVE-2007-3336, CAID 35450]
Systems Affected: Ingres 2006 9.0.4 and prior
Risk: Critical
Status: Published
TimeLine
Discovered: 29 March 2006
Released: 29 March 2006
Approved: 29 March 2006
Reported: 29 March 2006
Fixed: 21 June 2007
Published: 25 June 2007…


Critical Risk Vulnerability in Ingres (Pointer Overwrite 1)

Summary
Name: Ingres remote unauthenticated pointer overwrite 1
Release Date: 25 June 2007
Reference: NGS00391
Discoverer: Chris Anley <chris@ngssoftware.com>
Vendor: Ingres
Vendor Reference: Ingres bug 115927, CVE-2007-3336, CAID 35450
Systems Affected: Ingres 2006 9.0.4 and prior
Risk: Critical
Status: Published
TimeLine
Discovered: 29 March 2006
Released: 29 March 2006
Approved: 29 March 2006
Reported: 29 March 2006
Fixed: 21 June 2007
Published: 25 June 2007…


Cisco VPN Client Privilege Escalation

Summary – 28.06.2011
Name: Cisco VPN Client Privilege Escalation
Reference: NGS00051
Discoverer: Gavin Jones
Vendor: Cisco
Vendor Reference:
Systems Affected: Cisco VPN client (Windows 64 Bit)
Risk: High
Status: Fixed
TimeLine
Discovered: 15 February 2011
Released: 15 February 2011
Approved: 15 February 2011
Reported: 22 February 2011
Fixed: 24 March 2011
Published: 28 June 2011
Description
The 64 Bit Cisco VPN Client…


Cisco IPSec VPN Implementation Group Name Enumeration

Summary – 22.03.2011
Name: Cisco IPSec VPN Implementation Group Name Enumeration
Reference: NGS00014
Discoverer: Gavin Jones
Vendor: Cisco
Vendor Reference: CSCei51783, CSCtj96108
Systems Affected:
- Cisco ASA 5500 Series Adaptive Security Appliances
- Cisco PIX 500 Series Security Appliances
- Cisco VPN 3000 Series Concentrators (models 3005, 3015, 3020, 3030, 3060, and 3080)
Risk: Low
Status: Published
TimeLine
Discovered: 20…


Blue Coat BCAAA Remote Code Execution Vulnerability

Summary – 05.07.2011
Name: Blue Coat BCAAA Remote Code Execution Vulnerability
Release Date: 5 July 2011
Reference: NGS00060
Discoverer: Paul Harrington
Vendor: Blue Coat Systems Inc
Vendor Reference: 2-358686722
Systems Affected: All versions of BCAAA associated with ProxySG releases 4.2.3, 4.3, 5.2, 5.3, 5.4, 5.5, and 6.1 available prior to April 21, 2011 or with a build…


BlackBerry Link WebDav Server Bound to the BlackBerry VPN Adapter

Vulnerability Summary
Title: BlackBerry Link Installs A WebDAV Server Which Does not Require Authentication to Access
Release Date: 12 November 2013
Reference: NCC00622
Discoverer: Ollie Whitehouse
Vendor: BlackBerry (formerly Research In Motion)
Vendor Reference: BSRT-2013-012
Systems Affected: Microsoft Windows, Mac OS X
CVE Reference: CVE-2013-3694
CVSS: 6.8
Risk: High
Status: Published


Bit51 Better Security WP Security Plugin – Unauthenticated Stored XSS to RCE

Summary
Name: Bit51 Better WP Security Plugin – Unauthenticated Stored XSS to RCE
Release Date: 30 July 2013
Reference: NGS00500
Discoverer: Richard Warren <richard.warren@nccgroup.com>
Vendor: Bit51
Vendor Reference:
Systems Affected: Bit51 Better WP Security Plugin Version 3.4.8/3.4.9/3.4.10/3.5.2/3.5.3
Risk: High
Status: Published
TimeLine
Discovered: 1 April 2013
Released: 1 April 2013
Approved: 1 April 2013
Reported: 1 April 2013
Fixed: 21 July 2013
Published:…


Back Office Web Administration Authentication Bypass

NGSSoftware Insight Security Research Advisory
Name: Back Office Web Administration Authentication Bypass
Systems Affected: Microsoft’s Back Office Web Administrator 4.0, 4.5
Severity: Medium/High
Vendor URL: http://www.microsoft.com
Author: David Litchfield (david@ngssoftware.com)
Date: 17th April 2002
Advisory number: #NISR17042002A
Advisory URL: http://www.ngssoftware.com/advisories/boa.txt
Issue: Attackers can bypass the logon page and access the…


AtHoc Toolbar

Mark Litchfield and John Heasman of NGSSoftware have discovered two high risk vulnerabilities in the AtHoc Toolbar. The AtHoc toolbar is a plugin for Microsoft’s Internet Explorer. The toolbar is redistributed to users of eBay, Accenture, ThomasRegister, ThomasRegional, Juniper Networks, WiredNews, CarFax and Agile PLM. The flaws, that include a remotely exploitable buffer overflow and a format string bug, have been…


ASE 12.5.1 datatype overflow

NGSSoftware Insight Security Research Advisory
Name: Sybase ASE convert overflow
Systems Affected: Sybase Adaptive Server Enterprise 12.5.1 and lower
Severity: High
Vendor URL: http://www.sybase.com
Author: Sherief Hammad [ sherief@ngssoftware.com ]
Date of Technical Advisory: 25th June 2004
Details
There is an exploitable stack overflow in the Sybase…


Archived Technical Advisories

Look at our old advisories!
- Adobe Acrobat Reader XML Forms Data Format Buffer Overflow
- ASE 1251 Datatype Overflow
- Athoc Toolbar
- Back Office Web Administration Authentication Bypass
- Critical Vulnerability In Snmpc
- Critical Risk Vulnerability In Ingres Pointer Overwrite 1
- Critical Risk Vulnerability In Ingres Pointer Overwrite 2
- Critical Risk Vulnerability In…


Apple QuickTime Player m4a Processing Buffer Overflow

Vulnerability Summary
Title: Apple QuickTime Player m4a Processing Buffer Overflow
Release Date: 23 October 2014
Reference: NGS00677
Discoverer: Karl Smith
Vendor: Apple
Vendor Reference: 16247108
Systems Affected: Windows 7, XP
CVE Reference: CVE-2014-4351
Risk: High
Status: Fixed
Resolution Timeline
Discovered: 3 March 2014
Reported: 6 March 2014
Released: 6 March 2014
Fixed: 16 October 2014
Published: 23 October 2014
Vulnerability Description
QuickTime player on OS X and Windows…


Apple OSX/iPhone iOS ImageIO TIFF getBandProcTIFF TileWidth Heap Overflow

Summary – 10.10.2011
Name: Apple OSX / iPhone iOS ImageIO TIFF getBandProcTIFF TileWidth Heap Overflow
Reference: NGS00062
Discoverer: Dominic Chell
Vendor: Apple
Vendor Reference: 145575681
Systems Affected: Apple OSX / iPhone iOS / Possibly others using LibTiff
Risk: High
Status: Fixed
TimeLine
Discovered: 27 February 2011
Released: 27 February 2011
Approved: 29 March 2011
Reported: 29 March 2011
Fixed: 23 June 2011
Published:…


Apple Mac OS X ImageIO TIFF Integer Overflow

Summary – 28.06.2011
Name: Apple Mac OS X ImageIO TIFF Integer Overflow
Reference: NGS00057
Discoverer: Dominic Chell <dominic.chell@ngssecure.com>
Vendor: Apple
Vendor Reference: 142522746
Systems Affected: Mac OS X v10.6 through v10.6.6, Mac OS X Server v10.6 through v10.6.6. This issue does not affect systems prior to Mac OS X v10.6
Risk: High
Status: Published
TimeLine
Discovered: 8…


Apple CoreAnimation Heap Overflow

Title: Apple CoreAnimation Heap Overflow
Release Date: 3 March 2014
Reference: NGS00550
Discoverer: Karl Smith
Vendor: Apple
Vendor Reference: 15229587
Systems Affected: OS X Mountain Lion v10.8.5, OS X Mavericks 10.9 and 10.9.1
CVE Reference: CVE-2014-1258
Risk: High
Status: Fixed


Adobe flash sandbox bypass to navigate to local drives

Title: Adobe flash sandbox bypass to navigate to local drives
Release Date: 12 August 2014
Reference: NGS00711
Discoverer: Soroush Dalili
Vendor: Adobe
Vendor Reference: PSIRT-2823
Systems Affected: Flash Player 14.0.0.125 (tested with IE 11)
CVE Reference: CVE-2014-0541
Risk: Medium
Status: Fixed


Adobe Flash Player Cross Domain Policy Bypass

Vulnerability Summary
Title: Adobe Flash Player Cross Domain Policy Bypass
Release Date: 13 March 2015
Reference: NCC00761
Discoverer: Soroush Dalili
Vendor:…


Adobe Acrobat Reader XML Forms Data Format Buffer Overflow

NGSSoftware Insight Security Research Advisory
Name: Adobe Acrobat Reader XML Forms Data Format Buffer Overflow
Systems Affected: Adobe Acrobat Reader version 5.1
Severity: High Risk
Vendor URL: http://www.adobe.com/
Author: David Litchfield [ david@ngssoftware.com ]
Date Vendor Notified: 7th February 2004
Date of Public Advisory: 3rd March 2004
Advisory number: #NISR03022004
Advisory URL: http://www.ngssoftware.com/advisories/adobexfdf.txt
Description
Adobe Acrobat Reader is a…


Oracle Gridengine sgepasswd Buffer Overflow

Summary
Name: Oracle Gridengine sgepasswd Buffer Overflow
Release Date: 30 November 2012
Reference: NGS00107
Discoverer: Edward Torkington <edward.torkington@ngssecure.com>
Vendor: Oracle
Vendor Reference:
Systems Affected: Multiple packages – version 6_2u7
Risk: High
Status: Published
TimeLine
Discovered: 1 August 2011
Released: 1 August 2011
Approved: 1 August 2011
Reported: 3 August 2011
Fixed: 17 April 2012
Published: 30 November 2012
Description
http://www.oracle.com/us/products/tools/oracle-grid-engine-075549.html
“Oracle Grid Engine…


Nagios XI Network Monitor – OS Command Injection

Summary
Name: Nagios XI Network Monitor – OS Command Injection
Release Date: 30 November 2012
Reference: NGS00196
Discoverer: Daniel Compton <daniel.compton@ngssecure.com>
Vendor: Nagios
Vendor Reference: 0000283
Systems Affected: Nagios XI Network Monitor 2011R1.9
Risk: High
Status: Published
TimeLine
Discovered: 30 January 2012
Released: 31 January 2012
Approved: 31 January 2012
Reported: 31 January 2012
Fixed: 23 May 2012
Published: 30 November 2012
Description…


Nagios XI Network Monitor Blind SQL Injection

Summary
Name: Nagios XI Network Monitor – Blind SQL Injection
Release Date: 30 November 2012
Reference: NGS00194
Discoverer: Daniel Compton <daniel.compton@ngssecure.com>
Vendor: Nagios
Vendor Reference: 0000282
Systems Affected: Nagios XI Network Monitor 2011R1.9
Risk: High
Status: Published
TimeLine
Discovered: 30 January 2012
Released: 31 January 2012
Approved: 31 January 2012
Reported: 31 January 2012
Fixed: 7 June 2012
Published: 30 November 2012
Description…


OSX afpserver remote code execution

Vulnerability Summary
Title: OSX afpserver remote code execution
Release Date: 2 July 2015
Reference: NCC00836
Discoverer: Dean Jerkovich
Vendor: Apple
Vendor Reference: 2015-005
Systems Affected: OS X Yosemite
CVE Reference: CVE-2015-3674
Risk: High
Status: Published


Shellshock Advisory

This research was originally performed by researchers from iSec Partners (now NCC Group), and has been migrated to research.nccgroup.com for posterity.
Shellshock Advisory
25 Sep 2014 – iSEC Partners
Executive Summary
Immediate patches are required to fix a vulnerability in bash that allows arbitrary code execution from unauthenticated users. The…


Technical Advisory – Apple iOS / OSX: Foundation NSXMLParser XXE Vulnerability

Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory
Advisory Name: Apple Foundation NSXMLParser XML eXternal Entity (XXE) Flaw
Release Date: 2014-09-17
Application: Apple iOS Foundation Framework, Apple OS X Foundation Framework
Versions: iOS 7.0, 7.1, OS X 10.9 - 10.9.4
Severity: High
Author: George D. Gal
Vendor Status: Fix Available…


Heartbleed (CVE-2014-0160) Advisory

This research was originally performed by researchers from iSec Partners (now NCC Group), and has been migrated to research.nccgroup.com for posterity.
Heartbleed (CVE-2014-0160) Advisory
10 Apr 2014 – Andy Grant, Justin Engler, Aaron Grattafiori
News of a major widespread vulnerability discovered by Neel Mehta came out Monday, April 7 2014.…


Technical Advisory – IBM WebSphere Commerce: Encrypted URL Parameter Vulnerable to Padding Oracle Attacks

Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory
Advisory Name: Encrypted URL Parameter Vulnerable to Padding Oracle Attacks
Release Date: 2013-06-19
Application: IBM WebSphere Commerce
Versions: 5.6.X, 6.0.X, 7.0.X, possibly others
Credit: Timothy D. Morgan, George D. Gal
Vendor Status: Patch Available by Request [5]
CVE Candidate: CVE-2013-0523
Reference: http://www.vsecurity.com/resources/advisory/20130619-1/…


Technical Advisory – HTC IQRD Android Permission Leakage

Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory
Advisory Name: HTC IQRD Android Permission Leakage
Release Date: 2012-04-20
Application: IQRD on HTC Android Phones
Author: Dan Rosenberg
Vendor Status: Patch Released
CVE Candidate: CVE-2012-2217
Reference: http://www.vsecurity.com/resources/advisory/20120420-1/
Product Description
The IQRD service is HTC's implementation of a Carrier IQ…


Technical Advisory – libraptor – XXE in RDF/XML File Interpretation

Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory
Advisory Name: libraptor - XXE in RDF/XML File Interpretation
Release Date: 2012-03-24
Applications: libraptor / librdf (versions 1.x and 2.x)
Also Affected: OpenOffice 3.x, LibreOffice 3.x, AbiWord, KOffice
Author: tmorgan {a} vsecurity * com
Vendor Status: Patches available; major downstream vendors and…


Technical Advisory – VMware Tools Multiple Vulnerabilities

Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory
Advisory Name: VMware Tools Multiple Vulnerabilities
Release Date: 2011-06-03
Application: VMware Guest Tools
Severity: High
Author: Dan Rosenberg
Vendor Status: Patch Released [2]
CVE Candidate: CVE-2011-1787, CVE-2011-2145, CVE-2011-2146
Reference: http://www.vsecurity.com/resources/advisory/20110603-1/
Product Description
From [1]: "VMware Tools is a suite of…


Technical Advisory – Apple HFS+ Information Disclosure Vulnerability

Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory
Advisory Name: Apple HFS+ Information Disclosure Vulnerability
Release Date: 2011-03-22
Application: Apple OS X kernel (XNU)
Versions: All versions
fbt_offset + user_bootstrapp->fbt_length > 1024) return EINVAL;
If a user provides values for the fbt_offset and fbt_length members such that their sum overflows…


Technical Advisory – OpenOffice.org Multiple Memory Corruption Vulnerabilities

Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory
Advisory Name: OpenOffice.org Multiple Memory Corruption Vulnerabilities
Release Date: 2011-01-26
Application: Oracle OpenOffice.org
Versions: 3.2 and earlier
Severity: High
Author: Dan Rosenberg
Vendor Status: Patch Released
CVE Candidates: CVE-2010-3451, CVE-2010-3452, CVE-2010-3453, CVE-2010-3454
Reference: http://www.vsecurity.com/resources/advisory/20110126-1/
Product Description
From [1]: "OpenOffice.org 3…


Technical Advisory – Citrix Access Gateway Command Injection Vulnerability

Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory
Advisory Name: Citrix Access Gateway Command Injection Vulnerability
Release Date: 2010-12-21
Application: Citrix Access Gateway
Versions: Access Gateway Enterprise Edition (up to 9.2-49.8), Access Gateway Standard & Advanced Edition (prior to 5.0)
Severity: High
Author: George D. Gal
Vendor Status: Updated Software…


Technical Advisory – Linux RDS Protocol Local Privilege Escalation

Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Advisory Name: Linux RDS Protocol Local Privilege Escalation Release Date: 2010-10-19 Application: Linux Kernel Versions: 2.6.30 - 2.6.36-rc8 Severity: High Author: Dan Rosenberg < drosenberg (at) vsecurity (dot) com > Vendor Status: Patch Released [3] CVE Candidate: CVE-2010-3904 Reference: http://www.vsecurity.com/resources/advisory/20101019-1/ -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Product…


Technical Advisory – Coda Filesystem Kernel Memory Disclosure

Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Advisory Name: Coda Filesystem Kernel Memory Disclosure Release Date: 2010-08-16 Application: Coda kernel module for NetBSD and FreeBSD Versions: All known versions Severity: Medium Author: Dan Rosenberg < drosenberg (at) vsecurity (dot) com > Vendor Status: Patch Released [2][3] CVE Candidate: CVE-2010-3014…


WebLogic Plugin HTTP Injection via Encoded URLs

VSR Security Advisory http://www.vsecurity.com/ -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Advisory Name: WebLogic Plugin HTTP Injection via Encoded URLs Release Date: 2010-07-13 Application: WebLogic Plugin Versions: All known versions Severity: High Discovered by: Timothy D. Morgan < tmorgan (at) vsecurity {dot} com > Contributors: George D. Gal < ggal {at} vsecurity (dot) com > Vendor…


Multiple Cisco CSS / ACE Client Certificate and HTTP Header Manipulation Vulnerabilities

Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Advisory Name: Multiple Cisco CSS / ACE Client Certificate and HTTP Header Manipulation Vulnerabilities Release Date: 2010-07-02 Application: Cisco Content Services Switch (CSS) / ACE Products Versions: Cisco CSS 11500 - 08.20.1.01 Cisco ACE 4710 - Version A3(2.5) [build 3.0(0)A3(2.5) (Other versions…


TANDBERG Video Communication Server Authentication Bypass

Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Advisory Name: TANDBERG Video Communication Server Authentication Bypass Release Date: 2010-04-09 Application: Video Communication Server (VCS) Versions: x4.2.1 and possibly earlier Severity: Critical Discovered by: Jon Hart and Timothy D. Morgan Advisory by: Timothy D. Morgan <tmorgan (a) vsecurity . com> Vendor…


TANDBERG Video Communication Server Static SSH Host Keys

Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Advisory Name: TANDBERG Video Communication Server Static SSH Host Keys Release Date: 2010-04-09 Application: Video Communication Server (VCS) Versions: x4.3.0, x4.2.1, and possibly earlier Severity: High Discovered by: Jon Hart Advisory by: Timothy D. Morgan <tmorgan (a) vsecurity . com> Vendor Status:…


TANDBERG Video Communication Server Arbitrary File Retrieval

Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Advisory Name: TANDBERG Video Communication Server Arbitrary File Retrieval Release Date: 2010-04-09 Application: Video Communication Server (VCS) Versions: x4.3.0, x4.2.1, and possibly earlier Severity: Medium Discovered by: Jon Hart Advisory by: Timothy D. Morgan <tmorgan (a) vsecurity . com> Vendor Status: Firmware…


Chrome Password Manager Cross Origin Weakness

Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Advisory Name: Chrome Password Manager Cross Origin Weakness Release Date: 2010-02-15 Application: Google Chrome Web Browser Versions: 4.0.249.78, 3.0.195.38, and likely earlier Severity: Medium/Low Author: Timothy D. Morgan <tmorgan (a) vsecurity . com> Vendor Status: Update Released [2] CVE Candidate: CVE-2010-0556 Reference:…


Java Web Start File Inclusion via System Properties Override

Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Advisory Name: Java Web Start File Inclusion via System Properties Override Release Date: 2008-12-03 Application: Sun Java Runtime Environment / Java Web Start Versions: See below Severity: High Author: Timothy D. Morgan <tmorgan {a} vsecurity.com> Vendor Status: Patch Released [3] CVE Candidate:…


Multiple Format String Injections in AFFLIB

Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Advisory Name: Multiple Format String Injections in AFFLIB Release Date: 2007-04-27 Application: AFFLIB(TM) Versions: 2.2.0-2.2.5 and likely earlier. 2.2.6-2.2.8 contain a subset of these vulnerabilities. Severity: Low Author: Timothy D. Morgan <tmorgan {at} vsecurity {dot} com> Vendor Status: Vendor Notified, Limited Fixes…


Multiple Shell Metacharacter Injections in AFFLIB

Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Advisory Name: Multiple Shell Metacharacter Injections in AFFLIB Release Date: 2007-04-27 Application: AFFLIB(TM) Versions: 2.2.0-2.2.8 and likely earlier versions Severity: Low to Medium Author: Timothy D. Morgan <tmorgan {at} vsecurity {dot} com> Vendor Status: Vendor Notified CVE Candidate: CVE-2007-2055 Reference: http://www.vsecurity.com/bulletins/advisories/2007/afflib-shellinject.txt -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-…


Multiple Buffer Overflows Discovered in AFFLIB

Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Advisory Name: Multiple Buffer Overflows Discovered in AFFLIB Release Date: 2007-04-27 Application: AFFLIB(TM) Versions: 2.2.0 and likely earlier Severity: High Author: Timothy D. Morgan <tmorgan {at} vsecurity {dot} com> Vendor Status: Vendor Notified, Fix Available CVE Candidate: CVE-2007-2053 Reference: http://www.vsecurity.com/bulletins/advisories/2007/afflib-overflows.txt -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Product…


PDF Form Filling and Flattening Tool Buffer Overflow

Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Advisory Name: PDF Form Filling and Flattening Tool Buffer Overflow Release Date: 2006-05-23 Application: PDF Tools AG - PDF Form Filling and Flattening Tool Version: 3.0 (Windows) (other versions and platforms untested) Severity: High Author: George D. Gal <ggal_at_vsecurity.com> Vendor Status: Vendor…


WebSense content filter bypass when deployed in conjunction with Cisco filtering devices

Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Advisory Name: WebSense content filter bypass when deployed in conjunction with Cisco filtering devices Release Date: 2006-05-08 Application: Websense in Conjunction with Cisco PIX Version: Websense 5.5.2 Cisco PIX OS / ASA < 7.0.4.12 Cisco PIX OS < 6.3.5(112) FWSM 2.3.x FWSM…


Technical Advisory – IBM TAM: Remote Directory Traversal and File Retrieval via web server plug-in

Virtual Security Research, LLC. http://www.vsecurity.com/ Security Advisory -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Advisory Name: Remote Directory Traversal and File Retrieval Release Date: 2006-02-03 Application: IBM Tivoli Access Manager Version: 5.1.0.10 (other versions untested) Severity: High Author: Timothy D. Morgan <tmorgan (at) vsecurity (dot) com> Vendor Status: Vendor Notified, Fix Available CVE Candidate: CVE-2006-0513 Reference:…