Daily Archives: July 9, 2018

Patch Tuesday, July 2018

July's Patch Tuesday is here with patches for 53 CVEs and the standard roll-up of patches for critical remote code execution vulnerabilities in Adobe Flash. Of those 53 CVEs patched, 17 are rated "Critical", 34 are rated "Important" and...

CVE-2018-1000620 (cryptiles)

Eran Hammer's cryptiles, version 4.1.1 and earlier, contains a CWE-331 (Insufficient Entropy) vulnerability in the randomDigits() method: the digits it returns are less random than intended, so an attacker is more likely to be able to brute-force a value that was supposed to be unpredictable. Whether this is exploitable depends on the calling application and what it uses the digits for. This vulnerability appears to have been fixed in 4.1.2.

CVE-2018-1000619 (ovidentia)

Ovidentia version 8.4.3 and earlier contains an unsanitized user input vulnerability in utilit.php (bab_getAddonFilePathfromTg) that can result in authenticated remote code execution. To exploit it, the attacker must have permission to upload addons.

CVE-2018-1000613 (legion-of-the-bouncy-castle-java-crytography-api)

The Legion of the Bouncy Castle Java Cryptography APIs prior to version 1.60 contain a CWE-470 (Use of Externally-Controlled Input to Select Classes or Code, 'Unsafe Reflection') vulnerability in XMSS/XMSS^MT private key deserialization: deserializing such a key can result in the execution of unexpected code, because a handcrafted private key can include references to unexpected classes, which are picked up from the class path of the executing application. This vulnerability appears to have been fixed in 1.60 and later.

CVE-2018-1000622 (rust)

rustdoc, part of the Rust Programming Language, in versions from 0.8 through 1.27.0 contains a CWE-427 (Uncontrolled Search Path Element) vulnerability in rustdoc plugins that can result in local code execution as a different user. The issue is triggered by using the --plugin flag without the --plugin-path flag. This vulnerability appears to have been fixed in 1.27.1.

CVE-2018-1000623 (artifactory)

JFrog Artifactory, from version 4.0.0 up to but not including 6.0.3, contains a directory traversal vulnerability in the "Import Repository from Zip" feature (Admin menu -> Import & Export -> Repositories), which calls the vulnerable UI REST endpoint /ui/artifactimport/upload. It can result in directory traversal, file overwrite and remote code execution: an attacker with Admin privileges can upload an archive through that endpoint that exploits the publicly known "Zip Slip" vulnerability to add or overwrite files outside the target directory. This vulnerability appears to have been fixed in 6.0.3.

CVE-2018-1000618 (eos)

EOSIO/eos, in versions after commit f1545dd0ae2b77580c2236fdb70ae7138d2c7168, contains a stack overflow vulnerability in abi_serializer that can be used to attack an eos network node. The issue is exploitable via a network request. This vulnerability appears to have been fixed in commits after cf7209e703e6d3f7a5413e0cb1fe88a4d8e4b38d.

CVE-2018-1000621 (mycroft-core)

Mycroft AI mycroft-core version 18.2.8b and earlier contains an incorrect access control vulnerability in its websocket configuration that can result in code execution. This impacts ONLY the Mycroft for Linux and "non-enclosure" installs; Mark 1 and Picroft are unaffected. The issue is exploitable via remote access to the unsecured websocket server. No fix is currently available.

CVE-2018-4858 (digsi_4_firmware, digsi_5_firmware, ec_61850_system_configurator_firmware, sicam_pas/pqs_firmware, sicam_pq_analyzer_firmware, sicam_scc_firmware)

A vulnerability has been identified in IEC 61850 system configurator (All versions < V5.80), DIGSI 5 (affected as IEC 61850 system configurator is incorporated) (All versions < V7.80), DIGSI 4 (All versions), SICAM PAS/PQS (All versions < V8.11), SICAM PQ Analyzer (All versions < V3.11), SICAM SCC (All versions). A service of the affected products listening on all of the host's network interfaces on either port 4884/TCP, 5885/TCP, or port 5886/TCP could allow an attacker to either exfiltrate limited data from the system or to execute code with Microsoft Windows user permissions. Successful exploitation requires an attacker to be able to send a specially crafted network request to the vulnerable service and a user interacting with the service's client application on the host. In order to execute arbitrary code with Microsoft Windows user permissions, an attacker must be able to plant the code in advance on the host by other means. The vulnerability has limited impact to confidentiality and integrity of the affected system. At the time of advisory publication no public exploitation of this security vulnerability was known. Siemens confirms the security vulnerability and provides mitigations to resolve the security issue.

CVE-2018-13787 (a1sa_firmware, a1sai_firmware, a1sai1_firmware, a1sam_firmware, a1srm_firmware, a2san_firmware, a2sap_firmware, a2sav_firmware, b10drg_firmware, b10dri_firmware, b10drt_firmware, b1dri_firmware, b1sa4_firmware, b1sd2tf_firmware, c7b250_firmware, c7h270_firmware, c7q270_firmware, c7x99oc_firmware, c7z170_firmware, c7z170o_firmware, c7z170oce_firmware, c7z270c_firmware, c7z270cg_firmware, c7z270l_firmware, c7z270m_firmware, c7z270p_firmware, c7z370i_firmware, c7z370l_firmware, c7z87oc_firmware, c7z97mf_firmware, c7z97oc_firmware, c9x299_firmware, k1spes_firmware, k1spi_firmware, x10dai_firmware, x10dal_firmware, x10dali_firmware, x10dax_firmware, x10ddw3_firmware, x10ddw4_firmware, x10ddwi_firmware, x10ddwn_firmware, x10dgo_firmware, x10drc_firmware, x10drd_firmware, x10drdl_firmware, x10drff_firmware, x10drfg_firmware, x10drfr_firmware, x10drg_firmware, x10drgh_firmware, x10drgo_firmware, x10drh_firmware, x10drh4_firmware, x10dri1_firmware, x10drl_firmware, x10drlc_firmware, x10drln_firmware, x10drs_firmware, x10drt_firmware, x10drtb_firmware, x10drth_firmware, x10drtl_firmware, x10drtps_firmware, x10drts_firmware, x10dru_firmware, x10drul_firmware, x10drux_firmware, x10drw_firmware, x10drwn_firmware, x10drx_firmware, x10dsc_firmware, x10dscp_firmware, x10dsn_firmware, x10qrh_firmware, x10sba_firmware, x10sddf_firmware, x10sde_firmware, x10sdvf_firmware, x10sdvt_firmware, x10sra_firmware, x10srd_firmware, x10srg_firmware, x10srh_firmware, x10sri_firmware, x10srl_firmware, x10srm_firmware, x10srw_firmware, x11sae_firmware, x11sae_m_firmware, x11sat_firmware, x11sba_firmware, x11sra_firmware, x11srm_firmware, x11ssn_firmware, x11ssq_firmware, x11ssql_firmware, x11ssv_firmware, x11ssz_firmware, x8sia_firmware, x8sie_firmware, x8sil_firmware, x8sit_firmware, x8siu_firmware, x9dbl_firmware, x9drf_firmware, x9drffp_firmware, x9drgqf_firmware, x9drth_firmware, x9sae_firmware)

Certain Supermicro X11S, X10, X9, X8SI, K1SP, C9X299, C7, B1, A2, and A1 products have a misconfigured Descriptor Region, allowing OS programs to modify firmware.

CVE-2018-6831 (c1_firmware, c1_lite_firmware, c2_firmware, fi9800p_firmware, fi9803ep_firmware, fi9803p_firmware, fi9804p_firmware, fi9804w_firmware, fi9805e_firmware, fi9805p_firmware, fi9805w_firmware, fi9815p_firmware, fi9816p_firmware, fi9818w_firmware, fi9821ep_firmware, fi9821p_firmware, fi9821w_firmware, fi9826p_firmware, fi9826w_firmware, fi9828p_firmware, fi9828w_firmware, fi9831p_firmware, fi9831w_firmware, fi9851p_firmware, fi9853ep_firmware, fi9900ep_firmware, fi9900p_firmware, fi9901ep_firmware, fi9928p_firmware, fi9961ep_firmware, r2_firmware, r4_firmware)

The setSystemTime function in Foscam Cameras C1 Lite V3, and C1 V3 with firmware 2.82.2.33 and earlier, FI9800P V3, FI9803P V4, FI9851P V3, and FI9853EP V2 2.84.2.33 and earlier, FI9816P V3, FI9821EP V2, FI9821P V3, FI9826P V3, and FI9831P V3 2.81.2.33 and earlier, C1, C1 V2, C1 Lite, and C1 Lite V2 2.52.2.47 and earlier, FI9800P, FI9800P V2, FI9803P V2, FI9803P V3, and FI9851P V2 2.54.2.47 and earlier, FI9815P, FI9815P V2, FI9816P, and FI9816P V2, 2.51.2.47 and earlier, R2 and R4 2.71.1.59 and earlier, C2 and FI9961EP 2.72.1.59 and earlier, FI9900EP, FI9900P, and FI9901EP 2.74.1.59 and earlier, FI9928P 2.74.1.58 and earlier, FI9803EP and FI9853EP 2.22.2.31 and earlier, FI9803P and FI9851P 2.24.2.31 and earlier, FI9821P V2, FI9826P V2, FI9831P V2, and FI9821EP 2.21.2.31 and earlier, FI9821W V2, FI9831W, FI9826W, FI9821P, FI9831P, and FI9826P 2.11.1.120 and earlier, FI9818W V2 2.13.2.120 and earlier, FI9805W, FI9804W, FI9804P, FI9805E, and FI9805P 2.14.1.120 and earlier, FI9828P, and FI9828W 2.13.1.120 and earlier, and FI9828P V2 2.11.1.133 and earlier allows remote authenticated users to execute arbitrary commands via a ';' in the ntpServer argument. NOTE: this issue exists because of an incomplete fix for CVE-2017-2849.

CVE-2018-6830 (c1_firmware, c1_lite_firmware, c2_firmware, fi9800p_firmware, fi9803ep_firmware, fi9803p_firmware, fi9804p_firmware, fi9804w_firmware, fi9805e_firmware, fi9805p_firmware, fi9805w_firmware, fi9815p_firmware, fi9816p_firmware, fi9818w_firmware, fi9821ep_firmware, fi9821p_firmware, fi9821w_firmware, fi9826p_firmware, fi9826w_firmware, fi9828p_firmware, fi9828w_firmware, fi9831p_firmware, fi9831w_firmware, fi9851p_firmware, fi9853ep_firmware, fi9900ep_firmware, fi9900p_firmware, fi9901ep_firmware, fi9928p_firmware, fi9961ep_firmware, r2_firmware, r4_firmware)

Directory traversal vulnerability in Foscam Cameras C1 Lite V3, and C1 V3 with firmware 2.82.2.33 and earlier, FI9800P V3, FI9803P V4, FI9851P V3, and FI9853EP V2 2.84.2.33 and earlier, FI9816P V3, FI9821EP V2, FI9821P V3, FI9826P V3, and FI9831P V3 2.81.2.33 and earlier, C1, C1 V2, C1 Lite, and C1 Lite V2 2.52.2.47 and earlier, FI9800P, FI9800P V2, FI9803P V2, FI9803P V3, and FI9851P V2 2.54.2.47 and earlier, FI9815P, FI9815P V2, FI9816P, and FI9816P V2, 2.51.2.47 and earlier, R2 and R4 2.71.1.59 and earlier, C2 and FI9961EP 2.72.1.59 and earlier, FI9900EP, FI9900P, and FI9901EP 2.74.1.59 and earlier, FI9928P 2.74.1.58 and earlier, FI9803EP and FI9853EP 2.22.2.31 and earlier, FI9803P and FI9851P 2.24.2.31 and earlier, FI9821P V2, FI9826P V2, FI9831P V2, and FI9821EP 2.21.2.31 and earlier, FI9821W V2, FI9831W, FI9826W, FI9821P, FI9831P, and FI9826P 2.11.1.120 and earlier, FI9818W V2 2.13.2.120 and earlier, FI9805W, FI9804W, FI9804P, FI9805E, and FI9805P 2.14.1.120 and earlier, FI9828P, and FI9828W 2.13.1.120 and earlier, and FI9828P V2 2.11.1.133 and earlier allows remote attackers to delete arbitrary files via a .. (dot dot) in the URI path component.

CVE-2018-6832 (c1_firmware, c1_lite_firmware, c2_firmware, fi9800p_firmware, fi9803ep_firmware, fi9803p_firmware, fi9804p_firmware, fi9804w_firmware, fi9805e_firmware, fi9805p_firmware, fi9805w_firmware, fi9815p_firmware, fi9816p_firmware, fi9818w_firmware, fi9821ep_firmware, fi9821p_firmware, fi9821w_firmware, fi9826p_firmware, fi9826w_firmware, fi9828p_firmware, fi9828w_firmware, fi9831p_firmware, fi9831w_firmware, fi9851p_firmware, fi9853ep_firmware, fi9900ep_firmware, fi9900p_firmware, fi9901ep_firmware, fi9928p_firmware, fi9961ep_firmware, r2_firmware, r4_firmware)

Stack-based buffer overflow in the getSWFlag function in Foscam Cameras C1 Lite V3, and C1 V3 with firmware 2.82.2.33 and earlier, FI9800P V3, FI9803P V4, FI9851P V3, and FI9853EP V2 2.84.2.33 and earlier, FI9816P V3, FI9821EP V2, FI9821P V3, FI9826P V3, and FI9831P V3 2.81.2.33 and earlier, C1, C1 V2, C1 Lite, and C1 Lite V2 2.52.2.47 and earlier, FI9800P, FI9800P V2, FI9803P V2, FI9803P V3, and FI9851P V2 2.54.2.47 and earlier, FI9815P, FI9815P V2, FI9816P, and FI9816P V2, 2.51.2.47 and earlier, R2 and R4 2.71.1.59 and earlier, C2 and FI9961EP 2.72.1.59 and earlier, FI9900EP, FI9900P, and FI9901EP 2.74.1.59 and earlier, FI9928P 2.74.1.58 and earlier, FI9803EP and FI9853EP 2.22.2.31 and earlier, FI9803P and FI9851P 2.24.2.31 and earlier, FI9821P V2, FI9826P V2, FI9831P V2, and FI9821EP 2.21.2.31 and earlier, FI9821W V2, FI9831W, FI9826W, FI9821P, FI9831P, and FI9826P 2.11.1.120 and earlier, FI9818W V2 2.13.2.120 and earlier, FI9805W, FI9804W, FI9804P, FI9805E, and FI9805P 2.14.1.120 and earlier, FI9828P, and FI9828W 2.13.1.120 and earlier, and FI9828P V2 2.11.1.133 and earlier allows remote attackers to cause a denial of service (crash and reboot), via the callbackJson parameter.

Timehop admits attacker stole 21 million users’ data

Timehop, a popular app that reminds you of your social media posts from the same day in past years, is the latest service to suffer a data breach. The attacker struck on July 4th, and grabbed a database which included names and/or usernames along with email addresses for around 21 million users. About 4.7 million of those accounts had phone numbers linked to them, which some people use to log in with instead of a Facebook account.

Via: The Register

Source: Timehop

CVE-2018-1000404 (aws_codebuild)

Jenkins project Jenkins AWS CodeBuild Plugin version 0.26 and earlier contains an Insufficiently Protected Credentials vulnerability in AWSClientFactory.java and CodeBuilder.java that can result in credentials disclosure. The issue is exploitable via local file access. This vulnerability appears to have been fixed in 0.27 and later.

CVE-2018-1000401 (aws_codepipeline)

Jenkins project Jenkins AWS CodePipeline Plugin version 0.36 and earlier contains an Insufficiently Protected Credentials vulnerability in AWSCodePipelineSCM.java that can result in credentials disclosure. The issue is exploitable via local file access. This vulnerability appears to have been fixed in 0.37 and later.

CVE-2018-1000403 (aws_codedeploy)

Jenkins project Jenkins AWS CodeDeploy Plugin version 1.19 and earlier contains an Insufficiently Protected Credentials vulnerability in AWSCodeDeployPublisher.java that can result in credentials disclosure. The issue is exploitable via local file access. This vulnerability appears to have been fixed in 1.20 and later.

CVE-2018-1000402 (aws_codedeploy)

Jenkins project Jenkins AWS CodeDeploy Plugin version 1.19 and earlier contains a File and Directory Information Exposure vulnerability in AWSCodeDeployPublisher.java that can result in disclosure of environment variables. This vulnerability appears to have been fixed in 1.20 and later.

CVE-2018-11542 (sbc_swe_lite_firmware, sonus_sbc_1000_firmware, sonus_sbc_2000_firmware)

A Remote Command Execution (RCE) vulnerability in the Sonus SBC 1000 / SBC 2000 / SBC SWe Lite web interface allows for the execution of arbitrary commands via an unspecified vector. It affects the 1000 and 2000 devices 6.0.x up to Build 446, 6.1.x up to Build 492, and 7.0.x up to Build 485. It affects the SWe Lite devices 6.1.x up to Build 111 and 7.0.x up to Build 140.

CVE-2018-11543 (sbc_swe_lite_firmware, sonus_sbc_1000_firmware, sonus_sbc_2000_firmware)

A Local File Inclusion (LFI) vulnerability in the Sonus SBC 1000 / SBC 2000 / SBC SWe Lite web interface allows for the downloading of arbitrary files via an unspecified vector. It affects the 1000 and 2000 devices 6.0.x up to Build 446, 6.1.x up to Build 492, and 7.0.x up to Build 485. It affects the SWe Lite devices 6.1.x up to Build 111 and 7.0.x up to Build 140.