The Patriot Files Forums  

Posted by The Patriot, 08-01-2017, 09:07 PM

SB17-212: Vulnerability Summary for the Week of July 24, 2017

07-31-2017 08:12 AM

Original release date: July 31, 2017
The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities corresponds to the following scores:
  • High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0
  • Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9
  • Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9
Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.


High Vulnerabilities

| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| appsec-labs -- appsec_labs | AppUse 4.0 allows shell command injection via a proxy field. | 2017-07-25 | 7.2 | CVE-2017-11566 MISC |
| buffalo -- wapm-1166d_firmware | WAPM-1166D firmware Ver.1.2.7 and earlier, WAPM-APG600H firmware Ver.1.16.1 and earlier allows remote attackers to bypass authentication and access the configuration interface via unspecified vectors. | 2017-07-21 | 10.0 | CVE-2017-2126 CONFIRM JVN |
| finecms -- finecms | dayrui FineCms 5.0.9 has SQL Injection via the num parameter in an action=related or action=tags request to libraries/Template.php. | 2017-07-23 | 7.5 | CVE-2017-11582 MISC |
| finecms -- finecms | dayrui FineCms 5.0.9 has SQL Injection via the catid parameter in an action=related request to libraries/Template.php. | 2017-07-23 | 7.5 | CVE-2017-11583 MISC |
| finecms -- finecms | dayrui FineCms 5.0.9 has SQL Injection via the field parameter in an action=module, action=member, action=form, or action=related request to libraries/Template.php. | 2017-07-23 | 7.5 | CVE-2017-11584 MISC |
| finecms -- finecms | dayrui FineCms 5.0.9 has remote PHP code execution via the param parameter in an action=cache request to libraries/Template.php, aka Eval Injection. | 2017-07-23 | 7.5 | CVE-2017-11585 MISC |
| fortinet -- fortiwlm | A hard-coded account named 'upgrade' in Fortinet FortiWLM 8.3.0 and lower versions allows a remote attacker to log-in and execute commands with 'upgrade' account privileges. | 2017-07-22 | 7.5 | CVE-2017-7336 BID CONFIRM |
| geutebrueck -- gcore | Stack-based buffer overflow in GCoreServer.exe in the server in Geutebrueck Gcore 1.3.8.42 and 1.4.2.37 allows remote attackers to execute arbitrary code via a long URI in a GET request. | 2017-07-21 | 7.5 | CVE-2017-11517 EXPLOIT-DB |
| greenpacket -- dx-350_firmware | Green Packet DX-350 Firmware version v2.8.9.5-g1.4.8-atheeb has a default password of admin for the admin account. | 2017-07-21 | 7.5 | CVE-2017-9932 MISC |
| greenpacket -- dx-350_firmware | In Green Packet DX-350 Firmware version v2.8.9.5-g1.4.8-atheeb, the "PING" (aka tag_ipPing) feature within the web interface allows performing command injection, via the "pip" parameter. | 2017-07-21 | 7.5 | CVE-2017-9980 MISC |
| imagemagick -- imagemagick | Memory leak in AcquireVirtualMemory in ImageMagick before 7 allows remote attackers to cause a denial of service (memory consumption) via unspecified vectors. | 2017-07-25 | 7.8 | CVE-2016-7539 CONFIRM MLIST BID CONFIRM CONFIRM CONFIRM |
| imagemagick -- imagemagick | The ReadOneJNGImage function in coders/png.c in ImageMagick through 6.9.9-0 and 7.x through 7.0.6-1 allows remote attackers to cause a denial of service (large loop and CPU consumption) via a malformed JNG file. | 2017-07-21 | 7.1 | CVE-2017-11505 CONFIRM CONFIRM |
| imagemagick -- imagemagick | The ReadTXTImage function in coders/txt.c in ImageMagick through 6.9.9-0 and 7.x through 7.0.6-1 allows remote attackers to cause a denial of service (infinite loop) via a crafted file, because the end-of-file condition is not considered. | 2017-07-22 | 7.1 | CVE-2017-11523 CONFIRM CONFIRM CONFIRM CONFIRM |
| imagemagick -- imagemagick | The ReadCINImage function in coders/cin.c in ImageMagick before 6.9.9-0 and 7.x before 7.0.6-1 allows remote attackers to cause a denial of service (memory consumption) via a crafted file. | 2017-07-22 | 7.1 | CVE-2017-11525 BID CONFIRM CONFIRM |
| imagemagick -- imagemagick | The ReadOneMNGImage function in coders/png.c in ImageMagick before 6.9.9-0 and 7.x before 7.0.6-1 allows remote attackers to cause a denial of service (large loop and CPU consumption) via a crafted file. | 2017-07-22 | 7.1 | CVE-2017-11526 BID CONFIRM CONFIRM |
| imagemagick -- imagemagick | The ReadDPXImage function in coders/dpx.c in ImageMagick before 6.9.9-0 and 7.x before 7.0.6-1 allows remote attackers to cause a denial of service (memory consumption) via a crafted file. | 2017-07-22 | 7.1 | CVE-2017-11527 CONFIRM CONFIRM |
| imagemagick -- imagemagick | The ReadEPTImage function in coders/ept.c in ImageMagick before 6.9.9-0 and 7.x before 7.0.6-1 allows remote attackers to cause a denial of service (memory consumption) via a crafted file. | 2017-07-22 | 7.1 | CVE-2017-11530 CONFIRM CONFIRM |
| inmarsat -- amosconnect_8 | Hard-coded credentials in AmosConnect 8 allow remote attackers to gain full administrative privileges, including the ability to execute commands on the Microsoft Windows host platform with SYSTEM privileges by abusing AmosConnect Task Manager. | 2017-07-22 | 10.0 | CVE-2017-3222 BID CERT-VN |
| libinfinity_project -- libinfinity | libinfinity before 0.6.6-1 does not validate expired SSL certificates, which allows remote attackers to have unspecified impact via unknown vectors. | 2017-07-21 | 7.5 | CVE-2015-3886 MLIST CONFIRM CONFIRM CONFIRM CONFIRM |
| rootkit_hunter_project -- rkhunter | rkhunter versions before 1.4.4 are vulnerable to file download over insecure channel when doing mirror update resulting into potential remote code execution. | 2017-07-21 | 7.5 | CVE-2017-7480 MLIST |
| sony -- wg-c10_firmware | WG-C10 v3.0.79 and earlier allows an attacker to execute arbitrary OS commands via unspecified vectors. | 2017-07-21 | 9.0 | CVE-2017-2275 MISC JVN |
| sony -- wg-c10_firmware | Buffer overflow in WG-C10 v3.0.79 and earlier allows an attacker to execute arbitrary commands via unspecified vectors. | 2017-07-21 | 9.0 | CVE-2017-2276 MISC JVN |
| tcpdump -- tcpdump | tcpdump 4.9.0 has a heap-based buffer over-read in the lldp_print function in print-lldp.c, related to util-print.c. | 2017-07-22 | 7.5 | CVE-2017-11541 BID MISC |
| tcpdump -- tcpdump | tcpdump 4.9.0 has a heap-based buffer over-read in the pimv1_print function in print-pim.c. | 2017-07-22 | 7.5 | CVE-2017-11542 BID MISC |
| tcpdump -- tcpdump | tcpdump 4.9.0 has a buffer overflow in the sliplink_print function in print-sl.c. | 2017-07-22 | 7.5 | CVE-2017-11543 BID MISC |
| tilde_cms_project -- tilde_cms | An issue was discovered in Tilde CMS 1.0.1. Due to missing escaping of the backtick character, a SELECT query in class.SystemAction.php is vulnerable to SQL Injection. The vulnerability can be triggered via a POST request to /actionphp/action.input.php with the id parameter. | 2017-07-24 | 7.5 | CVE-2017-11324 MISC |

Medium Vulnerabilities

| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| ansible -- ansible | Ansible versions 2.2.3 and earlier are vulnerable to an information disclosure flaw due to the interaction of call back plugins and the no_log directive where the information may not be sanitized properly. | 2017-07-21 | 5.0 | CVE-2017-7473 MISC |
| atmail -- atmail | Cross-site scripting (XSS) vulnerability in atmail prior to version 7.8.0.2 allows remote attackers to inject arbitrary web script or HTML within the body of an email via an IMG element with both single quotes and double quotes. | 2017-07-25 | 4.3 | CVE-2017-11617 MISC MISC |
| atutor -- atutor | Directory Traversal exists in ATutor before 2.2.2 via the icon parameter to /mods/_core/courses/users/create_course.php. The attacker can read an arbitrary file by visiting get_course_icon.php?id= after the traversal attack. | 2017-07-22 | 5.0 | CVE-2016-10400 MISC MISC |
| buffalotech -- wmr-433w_firmware | Cross-site scripting vulnerability in WMR-433 firmware Ver.1.02 and earlier, WMR-433W firmware Ver.1.40 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 2017-07-21 | 4.3 | CVE-2017-2274 CONFIRM JVN |
| canonical -- ubuntu_linux | The simulate dbus method in aptdaemon before 1.1.1+bzr982-0ubuntu3.1 as packaged in Ubuntu 15.04, before 1.1.1+bzr980-0ubuntu1.1 as packaged in Ubuntu 14.10, before 1.1.1-1ubuntu5.2 as packaged in Ubuntu 14.04 LTS, before 0.43+bzr805-0ubuntu10 as packaged in Ubuntu 12.04 LTS allows local users to obtain sensitive information, or access files with root permissions. | 2017-07-21 | 4.9 | CVE-2015-1323 BID UBUNTU |
| cisco -- prime_collaboration_provisioning | A vulnerability in the web portal of the Cisco Prime Collaboration Provisioning (PCP) Tool could allow an unauthenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web interface of an affected system. More Information: CSCvc90312. Known Affected Releases: 12.1. | 2017-07-25 | 4.3 | CVE-2017-6755 BID SECTRACK CONFIRM |
| contao -- contao_cms | Contao before 3.5.28 and 4.x before 4.4.1 allows remote attackers to include and execute arbitrary local PHP files via a crafted parameter in a URL, aka Directory Traversal. | 2017-07-21 | 6.5 | CVE-2017-10993 CONFIRM |
| cygwin -- cygwin | Cygwin versions 1.7.2 up to and including 1.8.0 are vulnerable to buffer overflow vulnerability in wcsxfrm/wcsxfrm_l functions resulting into denial-of-service by crashing the process or potential hijack of the process running with administrative privileges triggered by specially crafted input string. | 2017-07-21 | 5.0 | CVE-2017-7523 MISC |
| ektron -- ektron_content_management_system | Cross-site scripting (XSS) vulnerability in Ektron Content Management System before 9.1.0.184SP3(9.1.0.184.3.127) allows remote attackers to inject arbitrary web script or HTML via the rptStatus parameter in a Report action to WorkArea/SelectUserGroup.aspx. | 2017-07-25 | 4.3 | CVE-2016-6133 BUGTRAQ |
| eshop_project -- eshop | The eshop_checkout function in checkout.php in the Wordpress Eshop plugin 6.3.11 and earlier does not validate variables in the "eshopcart" HTTP cookie, which allows remote attackers to perform cross-site scripting (XSS) attacks, or a path disclosure attack via crafted variables named after target PHP variables. | 2017-07-21 | 4.3 | CVE-2015-3421 BID MISC |
| exiv2 -- exiv2 | There is an illegal address access in the extend_alias_table function in localealias.c of Exiv2 0.26. A crafted input will lead to remote denial of service. | 2017-07-22 | 5.0 | CVE-2017-11553 MISC |
| exiv2 -- exiv2 | There is a Floating point exception in the Exiv2::ValueType function in Exiv2 0.26 that will lead to a remote denial of service attack via crafted input. | 2017-07-23 | 5.0 | CVE-2017-11591 MISC |
| exiv2 -- exiv2 | There is a Mismatched Memory Management Routines vulnerability in the Exiv2::FileIo::seek function of Exiv2 0.26 that will lead to a remote denial of service attack (heap memory corruption) via crafted input. | 2017-07-23 | 5.0 | CVE-2017-11592 MISC |
| fedoraproject -- fedora | The log_config_command function in ntp_parser.y in ntpd in NTP before 4.2.7p42 allows remote attackers to cause a denial of service (ntpd crash) via crafted logconfig commands. | 2017-07-21 | 5.0 | CVE-2015-5194 CONFIRM FEDORA FEDORA SUSE SUSE SUSE REDHAT REDHAT DEBIAN MLIST BID UBUNTU CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM |
| fedoraproject -- fedora | ntp_openssl.m4 in ntpd in NTP before 4.2.7p112 allows remote attackers to cause a denial of service (segmentation fault) via a crafted statistics or filegen configuration command that is not enabled during compilation. | 2017-07-21 | 5.0 | CVE-2015-5195 FEDORA FEDORA FEDORA REDHAT REDHAT DEBIAN MLIST BID UBUNTU CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM |
| fedoraproject -- fedora | The ULOGTOD function in ntp.d in SNTP before 4.2.7p366 does not properly perform type conversions from a precision value to a double, which allows remote attackers to cause a denial of service (infinite loop) via a crafted NTP packet. | 2017-07-21 | 5.0 | CVE-2015-5219 CONFIRM CONFIRM FEDORA FEDORA FEDORA SUSE SUSE REDHAT REDHAT DEBIAN MLIST BID UBUNTU CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM CONFIRM |
| fedoraproject -- fedora | Use-after-free vulnerability in the mif_process_cmpt function in libjasper/mif/mif_cod.c in the JasPer JPEG-2000 library before 1.900.2 allows remote attackers to cause a denial of service (crash) via a crafted JPEG 2000 image file. | 2017-07-25 | 4.3 | CVE-2015-5221 SUSE SUSE SUSE MLIST REDHAT CONFIRM CONFIRM FEDORA FEDORA FEDORA |
| finecms -- finecms | dayrui FineCms 5.0.9 has Cross Site Scripting (XSS) in admin/Login.php via a payload in the username field that does not begin with a ' | | | |