AusCERT - Security Bulletins

Latest published security bulletins. See https://www.auscert.org.au/rss/ for feed information.
14 April 2022

ESB-2022.1614 - [Cisco] Cisco IOS XR Software: CVSS (Max): 6.8

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.1614
   Cisco IOS XR Software Border Gateway Protocol Ethernet VPN Denial of
                          Service Vulnerability
                               14 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco IOS XR Software
Publisher:         Cisco Systems
Operating System:  Cisco
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-20758
Original Bulletin:
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-bgpevpn-zWTRtPBb

Comment: CVSS (Max):  6.8 CVE-2022-20758 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H)
         CVSS Source: Cisco Systems
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco IOS XR Software Border Gateway Protocol Ethernet VPN Denial of Service
Vulnerability

Priority:        Medium
Advisory ID:     cisco-sa-bgpevpn-zWTRtPBb
First Published: 2022 April 13 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvz26082
CVE Names:       CVE-2022-20758
CWEs:            CWE-399

Summary

  o A vulnerability in the implementation of the Border Gateway Protocol (BGP)
    Ethernet VPN (EVPN) functionality in Cisco IOS XR Software could allow an
    unauthenticated, remote attacker to cause a denial of service (DoS)
    condition.

    This vulnerability is due to the incorrect processing of a BGP update
    message that contains specific EVPN attributes. An attacker could exploit
    this vulnerability by sending a BGP update message that contains specific
    EVPN attributes. To exploit this vulnerability, an attacker must control
    a BGP speaker that has an established trusted peer connection to an
    affected device that is configured with the address family L2VPN EVPN to
    receive and process the update message. This vulnerability cannot be
    exploited by any data that is initiated by clients on the Layer 2 network
    or by peers that are not configured to accept the L2VPN EVPN address
    family. A successful exploit could allow the attacker to cause the BGP
    process to restart unexpectedly, resulting in a DoS condition.

    The Cisco implementation of BGP accepts incoming BGP updates only from
    explicitly defined peers. For this vulnerability to be exploited, the
    malicious BGP update message must either come from a configured, valid
    BGP peer or be injected by the attacker into the affected BGP network on
    an existing, valid TCP connection to a BGP peer.

    Cisco has released software updates that address this vulnerability.
    There are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-bgpevpn-zWTRtPBb

    This advisory is part of the April 2022 release of the Cisco IOS XR
    Software Security Advisory Bundled Publication. For a complete list of
    the advisories and links to them, see Cisco Event Response: April 2022
    Cisco IOS XR Software Security Advisory Bundled Publication.

Affected Products

  o Vulnerable Products

    At the time of publication, this vulnerability affected Cisco devices if
    they were running a vulnerable release of Cisco IOS XR Software and had
    BGP configured with at least one peer that was configured with the
    address family L2VPN EVPN.

    For information about which Cisco software releases were vulnerable at
    the time of publication, see the Fixed Software section of this
    advisory. See the Details section in the bug ID(s) at the top of this
    advisory for the most complete and current information.

    Determine Whether the Device is Configured for BGP

    To determine whether the device is configured for BGP, use the
    show running-config router bgp EXEC CLI command. If the router is
    configured for BGP, this command will return output, as shown in the
    following example:

        # show running-config router bgp
        router bgp 65536
        ...

    Determine Whether the Device has L2VPN EVPN Neighbors Configured

    To determine whether the device has any neighbors that are configured
    for the L2VPN EVPN address family, use the
    show running-config router bgp AS-number EXEC CLI command. The following
    example shows the partial output of the
    show running-config router bgp AS-number command on a device that has
    the L2VPN EVPN address family configured:

        # show running-config router bgp 65536
        router bgp 65536
         address-family l2vpn evpn
         .
         .
         neighbor-group example
          address-family l2vpn evpn
         .
         neighbor 2001:DB8::1
          use neighbor-group example
        !

  o Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the
    following Cisco products:

      - IOS Software
      - IOS XE Software
      - NX-OS Software

Details

  o EVPN is a next-generation solution that provides Ethernet multipoint
    services over MPLS networks. Customers can learn more about EVPN and
    configuration options in guides, such as L2VPN and Ethernet Services
    Configuration Guide for Cisco ASR 9000 Series Routers, and in guides for
    other platforms that support this feature.

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page, to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new
    release. If the information is not clear, customers are advised to
    contact the Cisco Technical Assistance Center (TAC) or their contracted
    maintenance providers.

    Fixed Releases

    At the time of publication, the release information in the following
    table(s) was accurate. See the Details section in the bug ID(s) at the
    top of this advisory for the most complete and current information.

    The left column lists Cisco software releases, and the right column
    indicates whether a release was affected by the vulnerability described
    in this advisory and which release included the fix for this
    vulnerability.

        Cisco IOS XR Software Release   First Fixed Release
        6.5 and earlier                 Not vulnerable.
        6.6                             Vulnerable; migrate to a fixed release.
        6.7                             Vulnerable; migrate to a fixed release.
        6.8                             Vulnerable; migrate to a fixed release.
        7.0                             Vulnerable; migrate to a fixed release.
        7.1                             Vulnerable; migrate to a fixed release.
        7.2                             Vulnerable; migrate to a fixed release.
        7.3                             7.3.2
        7.4                             7.4.2
        7.5 and later                   Not affected.

    At the time of publication, Cisco had released the following SMUs to
    address this vulnerability. See the Details section in the bug ID(s) at
    the top of this advisory for the most complete and current information,
    including SMU availability. Customers who require SMUs for platforms or
    releases that are not listed are advised to contact their support
    organization.

        Cisco IOS XR Software Release   Platform   SMU Name
        7.1.2                           NCS5500    ncs5500-7.1.2.CSCvz26082
        7.4.15                          IOSXRWBD   iosxrwbd-7.4.15.CSCvz26082
        7.4.16                          IOSXRWBD   iosxrwbd-7.4.16.CSCvz26082

    The Cisco Product Security Incident Response Team (PSIRT) validates only
    the affected and fixed release information that is documented in this
    advisory.

Exploitation and Public Announcements

  o The Cisco PSIRT is not aware of any public announcements or malicious
    use of the vulnerability that is described in this advisory.

Source

  o This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving
    security vulnerability information from Cisco.

Related to This Advisory

  o Cisco Event Response: April 2022 Cisco IOS XR Software Security Advisory
    Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-bgpevpn-zWTRtPBb

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  | Description               | Section  | Status | Date         |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2022-APR-13  |
    +----------+---------------------------+----------+--------+--------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no responsibility
for consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYldiWONLKJtyKPYoAQg8YBAAhF1FjbtezyXACWoWYi5ZImuwvM+/HY7F
I9BXxhCrroudWobjji9u2eF9nkEMi5N3mnMWhmk6eDAB3/xYyUOAcCYZc3nub+/k
o0s4rocRTvjQkEopB49xR0CYV2wlnICVe3CFVn+tUjpRi2A6r5KLIYbbdWksmTPA
qn8MXUpacaiBPXn5OdEnM2kn7lAO81gNeCt0Vz40YxJaec5UYgZRbYLeM8gfvSzD
yE6OFMAder5tQ9Ub1pkvAW3m2SYf80hgrh+Gk++mlw7dB/S1zAS4K+oBjUnAgPHc
9BSoZHYk3DEoVb+g/01uxGvaF7dCodBKCjej4dh0jScLiuRQwpulySRVwx8nTHGb
IlBsL1ElN8UxkDb0zgJwYOMiOLSYcj2UiopLhUhj9VITm4mX2aaA56wPlGvUVL3G
5DD6YYIvt2gw0VKYsMydBja43WzjtoqpKt/nBxgE0y2ofuGdXsG+W8bTro6CV1jx
kJL4To2huS4J5OjpzMErC9cAWYt+GsggueXY7s2IlMa0/aNF4NJRQOZusFbO5nGj
EaOWOCOa3NFkt7jQirnSzCLpkh0RXBUpdwtY1lvV672JP+DvADkkzawb8zgR0bqK
7sbjnChm+kfQA55a9aEzk+76OCz9wpRMTPyvy1vl7V8N7h0mmzcaFA/rdoicq+FX
ZTo/YrTUAuo=
=WePK
-----END PGP SIGNATURE-----
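The bulletin above gives two determination steps (is a peer configured with address-family l2vpn evpn, and is the running release in a vulnerable train) plus a fixed-release and SMU table. The following script, an added example that is not part of the AusCERT bulletin or Cisco's advisory, turns those steps into a repeatable audit over saved CLI output. The release and SMU tables are copied from the advisory; the sample BGP configuration is constructed for the example and modelled on the advisory's partial output, with an extra IPv4-only peer to show the negative case.

```python
import re

# Release guidance copied from the advisory's "Fixed Releases" tables.
MIGRATE_TRAINS = {"6.6", "6.7", "6.8", "7.0", "7.1", "7.2"}
FIRST_FIXED = {"7.3": "7.3.2", "7.4": "7.4.2"}
SMUS = {  # exact release -> (platform, SMU name), as listed in the advisory
    "7.1.2": ("NCS5500", "ncs5500-7.1.2.CSCvz26082"),
    "7.4.15": ("IOSXRWBD", "iosxrwbd-7.4.15.CSCvz26082"),
    "7.4.16": ("IOSXRWBD", "iosxrwbd-7.4.16.CSCvz26082"),
}


def _ver(release):
    """Turn '7.3.2' into (7, 3, 2) for ordering comparisons."""
    return tuple(int(p) for p in re.findall(r"\d+", release))


def release_status(release):
    """Map an IOS XR release string to the advisory's guidance.

    An SMU listed for the exact release is checked first: the advisory
    lists an SMU for 7.4.15 even though it sorts after the 7.4.2 first
    fixed release, so the SMU table must override the numeric comparison.
    """
    if release in SMUS:
        platform, smu = SMUS[release]
        return f"vulnerable; SMU available for {platform}: {smu}"
    v = _ver(release)
    if v[:2] <= (6, 5):
        return "not vulnerable"
    if v[:2] >= (7, 5):
        return "not affected"
    train = f"{v[0]}.{v[1]}"
    if train in MIGRATE_TRAINS:
        return "vulnerable; migrate to a fixed release"
    fix = FIRST_FIXED.get(train)
    if fix is None:
        return "not listed in the advisory; check the bug ID"
    if v >= _ver(fix):
        return f"fixed (first fixed release {fix})"
    return f"vulnerable; upgrade to {fix}"


def evpn_neighbors(bgp_config):
    """Return neighbours whose configuration activates address-family
    l2vpn evpn, directly or through a neighbor-group they use.

    Input is the text of 'show running-config router bgp'. IOS XR nests by
    indentation: neighbor and neighbor-group blocks sit one space under
    'router bgp', their contents two spaces or deeper.
    """
    groups, neighbors, block = {}, {}, None
    for raw in bgp_config.splitlines():
        line = raw.strip()
        if not line or set(line) <= {"!", "."}:  # separators / elision dots
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        words = line.split()
        if indent == 1 and words[0] == "neighbor-group" and len(words) > 1:
            block = groups.setdefault(words[1], [])
        elif indent == 1 and words[0] == "neighbor" and len(words) > 1:
            block = neighbors.setdefault(words[1], [])
        elif indent >= 2 and block is not None:
            block.append(line)
        else:
            block = None  # any other top-level statement closes the block

    def activates_evpn(lines, seen=()):
        for entry in lines:
            if entry == "address-family l2vpn evpn":
                return True
            if entry.startswith("use neighbor-group "):
                group = entry.split()[-1]
                if group not in seen and activates_evpn(groups.get(group, []), seen + (group,)):
                    return True
        return False

    return sorted(addr for addr, lines in neighbors.items() if activates_evpn(lines))


def assess(release, bgp_config):
    """Both advisory conditions: vulnerable release AND an EVPN peer."""
    status = release_status(release)
    peers = evpn_neighbors(bgp_config)
    return {"release_status": status, "evpn_neighbors": peers,
            "exposed": status.startswith("vulnerable") and bool(peers)}


# Constructed sample modelled on the advisory's partial output.
SAMPLE_BGP_CONFIG = """\
router bgp 65536
 address-family l2vpn evpn
 !
 neighbor-group example
  address-family l2vpn evpn
 !
 neighbor 2001:DB8::1
  use neighbor-group example
 !
 neighbor 192.0.2.2
  address-family ipv4 unicast
 !
!
"""
```

Feed it the release string from `show version` and the saved output of `show running-config router bgp`; `assess()` reports exposure only when both conditions hold, which is the advisory's own rule.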
14 April 2022

ESB-2022.1613 - [Cisco] Cisco IOS XE Wireless Controller Software: CVSS (Max): 7.4

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.1613
  Cisco IOS XE Wireless Controller Software for the Catalyst 9000 Family
                  SNMP Trap Denial of Service Vulnerability
                               14 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco IOS XE Wireless Controller Software
Publisher:         Cisco Systems
Operating System:  Cisco
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-20684
Original Bulletin:
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-c9800-snmp-trap-dos-mjent3Ey

Comment: CVSS (Max):  7.4 CVE-2022-20684 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
         CVSS Source: Cisco Systems
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco IOS XE Wireless Controller Software for the Catalyst 9000 Family SNMP
Trap Denial of Service Vulnerability

Priority:        High
Advisory ID:     cisco-sa-c9800-snmp-trap-dos-mjent3Ey
First Published: 2022 April 13 16:00 GMT
Version 1.0:     Final
Workarounds:     Yes
Cisco Bug IDs:   CSCvs71784
CVE Names:       CVE-2022-20684
CWEs:            CWE-190

Summary

  o A vulnerability in Simple Network Management Protocol (SNMP) trap
    generation for wireless clients of Cisco IOS XE Wireless Controller
    Software for the Catalyst 9000 Family could allow an unauthenticated,
    adjacent attacker to cause an affected device to unexpectedly reload,
    resulting in a denial of service (DoS) condition on the device.

    This vulnerability is due to a lack of input validation of the
    information used to generate an SNMP trap related to a wireless client
    connection event. An attacker could exploit this vulnerability by
    sending an 802.1x packet with crafted parameters during the wireless
    authentication setup phase of a connection. A successful exploit could
    allow the attacker to cause the device to reload, resulting in a DoS
    condition.

    Cisco has released software updates that address this vulnerability.
    There are workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-c9800-snmp-trap-dos-mjent3Ey

    This advisory is part of the April 2022 release of the Cisco IOS and
    IOS XE Software Security Advisory Bundled Publication. For a complete
    list of the advisories and links to them, see Cisco Event Response:
    April 2022 Semiannual Cisco IOS and IOS XE Software Security Advisory
    Bundled Publication.

Affected Products

  o Vulnerable Products

    This vulnerability affects the following Cisco devices if they are
    running a vulnerable release of Cisco IOS XE Wireless Controller
    Software for the Catalyst 9000 Family and are configured to send SNMP
    traps for wireless client exclusion events (disabled by default):

      - Catalyst 9800 Embedded Wireless Controllers for Catalyst 9300, 9400,
        and 9500 Series Switches
      - Catalyst 9800 Series Wireless Controllers
      - Catalyst 9800-CL Wireless Controllers for Cloud
      - Embedded Wireless Controllers on Catalyst Access Points

    For information about which Cisco software releases are vulnerable, see
    the Fixed Software section of this advisory.

    Determine the Device Configuration

    To determine whether any SNMP trapflags for client exclusion events are
    enabled on a device, log in to the device and run the
    show running-config | include trapflags client excluded command on the
    CLI to check for the presence of the trapflags client excluded command
    in the global configuration. If any output is returned, then the device
    is considered vulnerable.

    The following example shows the output of the
    show running-config | include trapflags client excluded command for a
    device that has SNMP client event trapflags configured:

        Router# show running-config | include trapflags client excluded
        trapflags client excluded

  o Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the
    following Cisco products:

      - IOS Software
      - IOS XR Software
      - Meraki products
      - NX-OS Software
      - Wireless LAN Controller (WLC) AireOS Software

Workarounds

  o Customers who do not require SNMP traps for wireless-excluded clients
    can disable them from the CLI with the global configuration command, as
    shown in the following example:

        WLC(config)#no trapflags client excluded

    While this workaround has been deployed and was proven successful in a
    test environment, customers should determine the applicability and
    effectiveness in their own environment and under their own use
    conditions. Customers should be aware that any workaround or mitigation
    that is implemented may negatively impact the functionality or
    performance of their network based on intrinsic customer deployment
    scenarios and limitations. Customers should not deploy any workarounds
    or mitigations before first evaluating the applicability to their own
    environment and any impact to such environment.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory. Customers with service contracts that
    entitle them to regular software updates should obtain security fixes
    through their usual update channels.

    Customers may only install and expect support for software versions and
    feature sets for which they have purchased a license. By installing,
    downloading, accessing, or otherwise using such software upgrades,
    customers agree to follow the terms of the Cisco software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have
    a valid license, procured from Cisco directly, or through a Cisco
    authorized reseller or partner. In most cases this will be a maintenance
    upgrade to software that was previously purchased. Free security
    software updates do not entitle customers to a new software license,
    additional software feature sets, or major revision upgrades.

    The Cisco Support and Downloads page on Cisco.com provides information
    about licensing and downloads. This page can also display customer
    device support coverage for customers who use the My Devices tool.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page, to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new
    release. If the information is not clear, customers are advised to
    contact the Cisco Technical Assistance Center (TAC) or their contracted
    maintenance providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco
    service contract and customers who make purchases through third-party
    vendors but are unsuccessful in obtaining fixed software through their
    point of sale should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be
    prepared to provide the URL of this advisory as evidence of entitlement
    to a free upgrade.

    Cisco IOS and IOS XE Software

    To help customers determine their exposure to vulnerabilities in Cisco
    IOS and IOS XE Software, Cisco provides the Cisco Software Checker to
    identify any Cisco Security Advisories that impact a specific software
    release and the earliest release that fixes the vulnerabilities
    described in each advisory ("First Fixed"). If applicable, the tool also
    returns the earliest release that fixes all the vulnerabilities
    described in all the advisories identified ("Combined First Fixed").

    Customers can use the Cisco Software Checker to search advisories in the
    following ways:

      - Choose the software and one or more releases
      - Upload a .txt file that includes a list of specific releases
      - Enter the output of the show version command

    After initiating a search, customers can customize the search to include
    all Cisco Security Advisories, a specific advisory, or all advisories in
    the most recent bundled publication.

    By default, the Cisco Software Checker includes results only for
    vulnerabilities that have a Critical or High Security Impact Rating
    (SIR). To include results for Medium SIR vulnerabilities, customers can
    use the Cisco Software Checker on Cisco.com and check the Medium check
    box in the drop-down list under Impact Rating when customizing a search.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware
    of any public announcements or malicious use of the vulnerability that
    is described in this advisory.

Source

  o This vulnerability was found during internal security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving
    security vulnerability information from Cisco.

Related to This Advisory

  o Cisco Event Response: April 2022 Semiannual Cisco IOS and IOS XE
    Software Security Advisory Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-c9800-snmp-trap-dos-mjent3Ey

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  | Description               | Section  | Status | Date         |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2022-APR-13  |
    +----------+---------------------------+----------+--------+--------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au and
we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no responsibility
for consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYldiS+NLKJtyKPYoAQiyaQ//ZBLp9yyHI5RKZJqTBsnAixuIYNsC2UBL
nzhMTgB3zr8ip2mPG5pQMWPGQ4UgnHfqUG2D8IdiesyMeLhB3Mw4P6rrVZ8yVOch
IwbNLCRqcGJkqgnVBHUeJ6oPIbGIoLpkpyIpemjfSQE18DB5JGIQyo1A3XtrKA7a
PSdeowN2tuJM63AXuBcbFRDpoDdOpV1WNGHC1pOtJzApZB6W9/ZtvI8g7ES9/Uwe
MFd2Pm8+pq4U8dHSDGVdkKX3fwkdyZ7fGyDf7d5QJSqH0GkqUe7RDX20GuhLlxf2
W5jvsHcc27F+52tMKJwWYQJQhKOzuz5bKnz5u8PHVnhCHVWK6sJwX/yJo1xkRhBL
5hWNaosMqfmU2QUuUmhFMCPpE66yXYhcZWti6K0Qhi7IcF4kI/yVg2gwqM8CDK7X
Qu2o6pH5i1F3SLPWILJhKD2oIeylOFIUSMQTdnHGnRxz3FfFpjaL3RWHGONs49ol
mNnvoD+6MB6CwZCo1miaqww4wJzxkstHoX8/V20YzFEyrCqbPEddbNfJlyPlstFA
GTwMN6IS8OqNL9DwKQiS21KEta2YihFqOwAg0gLNB1X+LXQh77CXHaAubBUMk6kx
Wj3apxU0rRSEIa6f7Rd93MMnghZafgV4WTC619Km34O7MIsJrtsSR/0nLLmTvLLm
7zQPDjQ8waI=
=2qLW
-----END PGP SIGNATURE-----
14 April 2022

ESB-2022.1612 - [Cisco] Cisco IOS XE Wireless Controller Software: CVSS (Max): 8.6

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2022.1612 Cisco IOS XE Wireless Controller Software for the Catalyst 9000 Family CAPWAP Denial of Service Vulnerability 14 April 2022 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Cisco IOS XE Wireless Controller Software Publisher: Cisco Systems Operating System: Cisco Resolution: Patch/Upgrade CVE Names: CVE-2022-20682 Original Bulletin: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-c9800-capwap-mdns-6PSn7gKU Comment: CVSS (Max): 8.6 CVE-2022-20682 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H) CVSS Source: Cisco Systems Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H - --------------------------BEGIN INCLUDED TEXT-------------------- Cisco IOS XE Wireless Controller Software for the Catalyst 9000 Family CAPWAP Denial of Service Vulnerability Priority: High Advisory ID: cisco-sa-c9800-capwap-mdns-6PSn7gKU First Published: 2022 April 13 16:00 GMT Version 1.0: Final Workarounds: No workarounds available Cisco Bug IDs: CSCvy07717 CVE Names: CVE-2022-20682 CWEs: CWE-690 Summary o A vulnerability in the Control and Provisioning of Wireless Access Points (CAPWAP) protocol processing of Cisco IOS XE Wireless Controller Software for the Catalyst 9000 Family could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to inadequate input validation of incoming CAPWAP packets encapsulating multicast DNS (mDNS) queries. An attacker could exploit this vulnerability by connecting to a wireless network and sending a crafted mDNS query, which would flow through and be processed by the wireless controller. 
A successful exploit could allow the attacker to cause the affected device to crash and reload, resulting in a DoS condition. Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability. This advisory is available at the following link: https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-c9800-capwap-mdns-6PSn7gKU This advisory is part of the April 2022 release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: April 2022 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication. Affected Products o Vulnerable Products This vulnerability affects the following Cisco devices if they are running a vulnerable release of Cisco IOS XE Wireless Controller Software for the Catalyst 9000 Family and have the mDNS gateway feature enabled (disabled by default): Catalyst 9800 Embedded Wireless Controllers for Catalyst 9300, 9400, and 9500 Series Switches Catalyst 9800 Series Wireless Controllers Catalyst 9800-CL Wireless Controllers for Cloud Embedded Wireless Controllers on Catalyst Access Points For information about which Cisco software releases are vulnerable, see the Fixed Software section of this advisory. Determine the Device Configuration To determine whether the mDNS gateway feature is enabled on a device, log in to the device CLI and issue the command show mdns-sd summary . If the mDNS gateway feature is enabled, then issue the command show run | section wlan to verify whether any WLANs are configured to use the mDNS gateway. If both conditions are true, the device is vulnerable. 
The following example shows the output of the commands listed above for a device that has the mDNS gateway feature globally enabled and active on a WLAN: WLC#show mdns-sd summary mDNS Gateway: Enabled Mode: Default Active Query Periodicity (in minutes): 30 Transport Type: IPv4 mDNS AP service policy: default-mdns-service-policy WLC#show run | section wlan aaa attribute list wlan_lobby_access wlan ssidname policy default-policy-profile wlan ssidname 1 ssidname mdns-sd-interface gateway no shutdown Products Confirmed Not Vulnerable Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability. Cisco has confirmed that this vulnerability does not affect the following Cisco products: IOS Software IOS XR Software Meraki products NX-OS Software Wireless LAN Controller (WLC) AireOS Software Workarounds o There are no workarounds that address this vulnerability. Fixed Software o Cisco has released free software updates that address the vulnerability described in this advisory. Customers with service contracts that entitle them to regular software updates should obtain security fixes through their usual update channels. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license: https://www.cisco.com/c/en/us/products/end-user-license-agreement.html Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades. 
The Cisco Support and Downloads page on Cisco.com provides information about licensing and downloads. This page can also display customer device support coverage for customers who use the My Devices tool. When considering software upgrades , customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page , to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Customers Without Service Contracts Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC: https://www.cisco.com/c /en/us/support/web/tsd-cisco-worldwide-contacts.html Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade. Cisco IOS and IOS XE Software To help customers determine their exposure to vulnerabilities in Cisco IOS and IOS XE Software, Cisco provides the Cisco Software Checker to identify any Cisco Security Advisories that impact a specific software release and the earliest release that fixes the vulnerabilities described in each advisory ("First Fixed"). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities described in all the advisories identified ("Combined First Fixed"). 
    Customers can use the Cisco Software Checker to search advisories in the following ways:

      o Choose the software and one or more releases
      o Upload a .txt file that includes a list of specific releases
      o Enter the output of the show version command

    After initiating a search, customers can customize the search to include all Cisco Security Advisories, a specific advisory, or all advisories in the most recent bundled publication.

    By default, the Cisco Software Checker includes results only for vulnerabilities that have a Critical or High Security Impact Rating (SIR). To include results for Medium SIR vulnerabilities, customers can use the Cisco Software Checker on Cisco.com and check the Medium check box in the drop-down list under Impact Rating when customizing a search.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

Source

  o This vulnerability was found during the resolution of a Cisco TAC support case.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

Related to This Advisory

  o Cisco Event Response: April 2022 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-c9800-capwap-mdns-6PSn7gKU

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  | Description               | Section  | Status | Date         |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2022-APR-13  |
    +----------+---------------------------+----------+--------+--------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
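The configuration check from the bulletin above (show mdns-sd summary plus show run | section wlan), automated as an added example; this is my own code, not part of Cisco's advisory or AusCERT's bulletin, and the sample outputs and function names are constructed:

```python
"""mDNS gateway exposure triage for the configuration check in the advisory.

Added example, not Cisco's or AusCERT's code. It parses operator-captured
output of 'show mdns-sd summary' and 'show run | section wlan' and reports
the condition the advisory's example illustrates: the mDNS gateway is
globally enabled and active on at least one WLAN. Sample outputs are
constructed, modelled on the advisory's example.
"""
import re

WLAN_DEF = re.compile(r"^wlan\s+(\S+)\s+\d+\s+\S+\s*$")  # 'wlan <profile> <id> <ssid>'


def mdns_gateway_enabled(summary: str) -> bool:
    """True when 'show mdns-sd summary' reports 'mDNS Gateway: Enabled'."""
    m = re.search(r"^mDNS Gateway:\s*(\S+)", summary, re.MULTILINE)
    return m is not None and m.group(1).lower() == "enabled"


def parse_wlan_blocks(run_section: str) -> dict[str, list[str]]:
    """Map each WLAN profile name to its indented sub-commands.

    '| section wlan' also returns lines that merely mention 'wlan' (aaa
    attribute lists, policy-tag mappings); only a WLAN definition line opens
    a block, and any other top-level line closes the current one.
    """
    blocks: dict[str, list[str]] = {}
    current = None
    for line in run_section.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            if current is not None:
                blocks[current].append(line.strip())
            continue
        m = WLAN_DEF.match(line)
        if m:
            current = m.group(1)
            blocks[current] = []
        else:
            current = None
    return blocks


def wlans_with_active_mdns_gateway(run_section: str) -> list[str]:
    """WLANs that carry 'mdns-sd-interface gateway' and are 'no shutdown'."""
    exposed = []
    for name, cmds in parse_wlan_blocks(run_section).items():
        has_gateway = any(c.startswith("mdns-sd-interface gateway") for c in cmds)
        # A WLAN counts as active only when it is explicitly 'no shutdown'.
        if has_gateway and "no shutdown" in cmds:
            exposed.append(name)
    return exposed


def mdns_exposure(summary: str, run_section: str) -> dict:
    """Combine both checks into the advisory's vulnerable-configuration test."""
    enabled = mdns_gateway_enabled(summary)
    active = wlans_with_active_mdns_gateway(run_section)
    return {
        "gateway_globally_enabled": enabled,
        "wlans_with_active_gateway": active,
        "vulnerable_configuration": enabled and bool(active),
    }


# Constructed outputs (not captured from a real controller).
SUMMARY_ENABLED = """\
mDNS Gateway: Enabled
Mode: Default
Active Query Periodicity (in minutes): 30
Transport Type: IPv4
mDNS AP service policy: default-mdns-service-policy
"""

RUN_SECTION_WLAN = """\
aaa attribute list wlan_lobby_access
wlan lobby policy default-policy-profile
wlan lobby 1 lobby
 mdns-sd-interface gateway
 no shutdown
wlan guest 2 guest
 mdns-sd-interface gateway
wlan corp 3 corp
 no shutdown
"""

if __name__ == "__main__":
    print(mdns_exposure(SUMMARY_ENABLED, RUN_SECTION_WLAN))
```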
14 April 2022

ESB-2022.1611 - [Cisco] Cisco IOS XE Software: CVSS (Max): 7.8

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.1611
   Cisco IOS XE Software for Cisco Catalyst 9000 Family Switches and Catalyst 9000 Family Wireless Controllers Privilege Escalation Vulnerability
                               14 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco IOS XE Software
Publisher:         Cisco Systems
Operating System:  Cisco
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-20681
Original Bulletin:
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ewlc-priv-esc-ybvHKO5

Comment: CVSS (Max):  7.8 CVE-2022-20681 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: Cisco Systems
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco IOS XE Software for Cisco Catalyst 9000 Family Switches and Catalyst 9000 Family Wireless Controllers Privilege Escalation Vulnerability

Priority:        High
Advisory ID:     cisco-sa-ewlc-priv-esc-ybvHKO5
First Published: 2022 April 13 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvz37647
CVE Names:       CVE-2022-20681
CWEs:            CWE-266

Summary

  o A vulnerability in the CLI of Cisco IOS XE Software for Cisco Catalyst 9000 Family Switches and Cisco Catalyst 9000 Family Wireless Controllers could allow an authenticated, local attacker to elevate privileges to level 15 on an affected device.

    This vulnerability is due to insufficient validation of user privileges after the user executes certain CLI commands. An attacker could exploit this vulnerability by logging in to an affected device as a low-privileged user and then executing certain CLI commands.
    A successful exploit could allow the attacker to execute arbitrary commands with level 15 privileges on the affected device.

    Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ewlc-priv-esc-ybvHKO5

    This advisory is part of the April 2022 release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: April 2022 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication.

Affected Products

  o Vulnerable Products

    This vulnerability affects the following Cisco products if they are running a vulnerable release of Cisco IOS XE Software for Cisco Catalyst 9000 Family Switches or Cisco Catalyst 9000 Family Wireless Controllers:

      o Catalyst 9300 Series Switches
      o Catalyst 9400 Series Switches
      o Catalyst 9500 Series Switches
      o Catalyst 9800 Embedded Wireless Controllers for Catalyst 9300, 9400, and 9500 Series Switches
      o Catalyst 9800 Series Wireless Controllers
      o Catalyst 9800-CL Wireless Controllers for Cloud
      o Embedded Wireless Controllers on Catalyst Access Points

    For information about which Cisco software releases are vulnerable, see the Fixed Software section of this advisory.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following Cisco software:

      o IOS Software
      o IOS XR Software
      o Meraki products
      o NX-OS Software
      o Wireless LAN Controller (WLC) AireOS Software

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability described in this advisory.
    Customers with service contracts that entitle them to regular software updates should obtain security fixes through their usual update channels. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.

    The Cisco Support and Downloads page on Cisco.com provides information about licensing and downloads. This page can also display customer device support coverage for customers who use the My Devices tool.

    When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.

    Cisco IOS and IOS XE Software

    To help customers determine their exposure to vulnerabilities in Cisco IOS and IOS XE Software, Cisco provides the Cisco Software Checker to identify any Cisco Security Advisories that impact a specific software release and the earliest release that fixes the vulnerabilities described in each advisory ("First Fixed"). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities described in all the advisories identified ("Combined First Fixed").

    Customers can use the Cisco Software Checker to search advisories in the following ways:

      o Choose the software and one or more releases
      o Upload a .txt file that includes a list of specific releases
      o Enter the output of the show version command

    After initiating a search, customers can customize the search to include all Cisco Security Advisories, a specific advisory, or all advisories in the most recent bundled publication.

    By default, the Cisco Software Checker includes results only for vulnerabilities that have a Critical or High Security Impact Rating (SIR). To include results for Medium SIR vulnerabilities, customers can use the Cisco Software Checker on Cisco.com and check the Medium check box in the drop-down list under Impact Rating when customizing a search.
Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

Source

  o This vulnerability was found during the resolution of a Cisco TAC support case.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

Related to This Advisory

  o Cisco Event Response: April 2022 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ewlc-priv-esc-ybvHKO5

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  | Description               | Section  | Status | Date         |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2022-APR-13  |
    +----------+---------------------------+----------+--------+--------------+

- --------------------------END INCLUDED TEXT--------------------
14 April 2022

ESB-2022.1610 - [Cisco] Cisco IOS XE Software: CVSS (Max): 8.6

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.1610
   Cisco IOS XE Software for Catalyst 9800 Series Wireless Controllers Application Visibility and Control Denial of Service Vulnerability
                               14 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco IOS XE Software
Publisher:         Cisco Systems
Operating System:  Cisco
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-20683
Original Bulletin:
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-c9800-fnf-dos-bOL5vLge

Comment: CVSS (Max):  8.6 CVE-2022-20683 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
         CVSS Source: Cisco Systems
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco IOS XE Software for Catalyst 9800 Series Wireless Controllers Application Visibility and Control Denial of Service Vulnerability

Priority:        High
Advisory ID:     cisco-sa-c9800-fnf-dos-bOL5vLge
First Published: 2022 April 13 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvx21714
CVE Names:       CVE-2022-20683
CWEs:            CWE-124

Summary

  o A vulnerability in the Application Visibility and Control (AVC-FNF) feature of Cisco IOS XE Software for Cisco Catalyst 9800 Series Wireless Controllers could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device.

    This vulnerability is due to insufficient packet verification for traffic inspected by the AVC feature. An attacker could exploit this vulnerability by sending crafted packets from the wired network to a wireless client, resulting in the crafted packets being processed by the wireless controller.
    A successful exploit could allow the attacker to cause a crash and reload of the affected device, resulting in a DoS condition.

    Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-c9800-fnf-dos-bOL5vLge

    This advisory is part of the April 2022 release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: April 2022 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication.

Affected Products

  o Vulnerable Products

    This vulnerability affects the following Cisco devices if they are running a vulnerable release of Cisco IOS XE Software for Cisco Catalyst 9800 Series Wireless Controllers, have the AVC-FNF feature enabled for wireless networks (disabled by default), and have any access points (APs) in an operating mode other than FlexConnect Local Switching or fabric:

      o Catalyst 9800 Series Wireless Controllers
      o Catalyst 9800-CL Wireless Controllers for Cloud

    Note: Certain AP modes are not affected by this vulnerability. Wireless deployments that wholly consist of APs in either FlexConnect Local Switching or fabric mode are not vulnerable.

    For information about which Cisco software releases are vulnerable, see the Fixed Software section of this advisory.

    Determine the Device Configuration

    To determine if a device is affected, verify whether the AVC-FNF feature is enabled for wireless networks. Log in to the web UI of the wireless controller with Administrator privileges and navigate to Configuration > Services > Application Visibility. If the counter under Enable AVC shows zero enabled networks, then AVC-FNF is disabled and the device is not considered vulnerable.
    If the counter under Enable AVC shows more than zero enabled networks and there are wireless APs in local, bridge, or FlexConnect Central Switching operating mode broadcasting any AVC-FNF-enabled wireless networks, then the device is considered vulnerable.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following Cisco products:

      o Catalyst 9800 Embedded Wireless Controllers for Catalyst 9300, 9400, and 9500 Series Switches
      o Embedded Wireless Controllers on Catalyst Access Points
      o IOS Software
      o IOS XR Software
      o Meraki products
      o NX-OS Software
      o Wireless LAN Controller (WLC) AireOS Software

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability described in this advisory. Customers with service contracts that entitle them to regular software updates should obtain security fixes through their usual update channels. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.

    The Cisco Support and Downloads page on Cisco.com provides information about licensing and downloads.
    This page can also display customer device support coverage for customers who use the My Devices tool.

    When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.

    Cisco IOS and IOS XE Software

    To help customers determine their exposure to vulnerabilities in Cisco IOS and IOS XE Software, Cisco provides the Cisco Software Checker to identify any Cisco Security Advisories that impact a specific software release and the earliest release that fixes the vulnerabilities described in each advisory ("First Fixed"). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities described in all the advisories identified ("Combined First Fixed").
    Customers can use the Cisco Software Checker to search advisories in the following ways:

      o Choose the software and one or more releases
      o Upload a .txt file that includes a list of specific releases
      o Enter the output of the show version command

    After initiating a search, customers can customize the search to include all Cisco Security Advisories, a specific advisory, or all advisories in the most recent bundled publication.

    By default, the Cisco Software Checker includes results only for vulnerabilities that have a Critical or High Security Impact Rating (SIR). To include results for Medium SIR vulnerabilities, customers can use the Cisco Software Checker on Cisco.com and check the Medium check box in the drop-down list under Impact Rating when customizing a search.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

Source

  o This vulnerability was found during the resolution of a Cisco TAC support case.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

Related to This Advisory

  o Cisco Event Response: April 2022 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-c9800-fnf-dos-bOL5vLge

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  | Description               | Section  | Status | Date         |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2022-APR-13  |
    +----------+---------------------------+----------+--------+--------------+

- --------------------------END INCLUDED TEXT--------------------
14 April 2022

ESB-2022.1609 - [Cisco] Cisco IOS XE Software: CVSS (Max): 4.7

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.1609
            Cisco IOS XE Software Web UI API Injection Vulnerability
                               14 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco IOS XE Software
Publisher:         Cisco Systems
Operating System:  Cisco
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-20693
Original Bulletin:
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webuiapi-inj-Nyrq92Od

Comment: CVSS (Max):  4.7 CVE-2022-20693 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L)
         CVSS Source: Cisco Systems
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco IOS XE Software Web UI API Injection Vulnerability

Priority:        Medium
Advisory ID:     cisco-sa-webuiapi-inj-Nyrq92Od
First Published: 2022 April 13 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvy95612
CVE Names:       CVE-2022-20693
CWEs:            CWE-74

Summary

  o A vulnerability in the web UI feature of Cisco IOS XE Software could allow an authenticated, remote attacker to perform an injection attack against an affected device.

    This vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by sending crafted input to the web UI API. A successful exploit could allow the attacker to inject commands to the underlying operating system with root privileges.

    Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.
    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webuiapi-inj-Nyrq92Od

    This advisory is part of the April 2022 release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: April 2022 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication.

Affected Products

  o Vulnerable Products

    At the time of publication, this vulnerability affected Cisco products if they were running a vulnerable release of Cisco IOS XE Software and had the web UI feature enabled.

    For information about which Cisco software releases are vulnerable, see the Fixed Software section of this advisory.

    Determine the HTTP Server Configuration

    To determine whether the HTTP Server feature is enabled for a device, log in to the device and use the show running-config | include ip http server|secure|active command in the CLI to check for the presence of the ip http server command or the ip http secure-server command in the global configuration. If either command is present, the HTTP Server feature is enabled for the device.

    The following example shows the output of the show running-config | include ip http server|secure|active command for a device that has the HTTP Server feature enabled:

        Router# show running-config | include ip http server|secure|active
        ip http server
        ip http secure-server

    Note: The presence of either command or both commands in the device configuration indicates that the web UI feature is enabled.

    If the ip http server command is present and the configuration also contains ip http active-session-modules none, the vulnerability is not exploitable over HTTP.

    If the ip http secure-server command is present and the configuration also contains ip http secure-active-session-modules none, the vulnerability is not exploitable over HTTPS.
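The HTTP Server determination above, together with the disable commands from the advisory's Workarounds section, as an added example applied to a saved running configuration; this is my own code, not Cisco's or AusCERT's, and the sample configurations and function names are constructed:

```python
"""Web UI exposure triage for the HTTP Server check in this advisory.

Added example, not Cisco's or AusCERT's code. Given the text of a device's
running configuration (captured by an operator), it applies the advisory's
rules: the web UI is enabled when 'ip http server' or 'ip http secure-server'
is present; exposure over HTTP (HTTPS) is excluded when
'ip http active-session-modules none' ('ip http secure-active-session-modules
none') is also configured. It also lists the disable commands the advisory's
Workarounds section gives. All sample configurations are constructed.
"""
import re

# Same alternation the advisory passes to 'show running-config | include'.
INCLUDE_FILTER = re.compile(r"ip http server|secure|active")


def http_config_lines(running_config: str) -> list[str]:
    """Mimic '| include ip http server|secure|active' over a config dump.

    The filter is a regex alternation, so it also returns lines such as
    'no ip http server' or unrelated lines containing 'secure'/'active';
    the exposure logic below therefore matches whole commands exactly.
    """
    return [ln.strip() for ln in running_config.splitlines() if INCLUDE_FILTER.search(ln)]


def web_ui_exposure(running_config: str) -> dict:
    """Classify a running configuration per the advisory's decision rules."""
    cmds = set(http_config_lines(running_config))
    http_on = "ip http server" in cmds            # 'no ip http server' does not count
    https_on = "ip http secure-server" in cmds
    http_sessions_off = "ip http active-session-modules none" in cmds
    https_sessions_off = "ip http secure-active-session-modules none" in cmds

    mitigation = []                               # global configuration mode commands
    if http_on:
        mitigation.append("no ip http server")
    if https_on:
        mitigation.append("no ip http secure-server")

    return {
        "web_ui_enabled": http_on or https_on,
        "exploitable_over_http": http_on and not http_sessions_off,
        "exploitable_over_https": https_on and not https_sessions_off,
        "mitigation_commands": mitigation,
    }


# Constructed running-config fragments (not captured from a real device).
CONFIG_BOTH_ENABLED = """\
hostname edge-rtr
ip http server
ip http secure-server
ip http authentication local
"""

CONFIG_HTTPS_HARDENED = """\
hostname edge-rtr
no ip http server
ip http secure-server
ip http secure-active-session-modules none
"""

CONFIG_WEBUI_DISABLED = """\
hostname edge-rtr
no ip http server
no ip http secure-server
"""

if __name__ == "__main__":
    for label, cfg in [("both enabled", CONFIG_BOTH_ENABLED),
                       ("https hardened", CONFIG_HTTPS_HARDENED),
                       ("web ui disabled", CONFIG_WEBUI_DISABLED)]:
        print(label, web_ui_exposure(cfg))
```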
    Products Confirmed Not Vulnerable

    Cisco has confirmed that this vulnerability does not affect the
    following Cisco products:

      o IOS Software
      o IOS XR Software
      o Meraki products
      o NX-OS Software

Workarounds

  o There are no workarounds that address this vulnerability.

    Disabling the HTTP Server feature eliminates the attack vector for this
    vulnerability and may be a suitable mitigation until affected devices
    can be upgraded. To disable the HTTP Server feature, use the
    no ip http server or no ip http secure-server command in global
    configuration mode. If both the HTTP server and HTTPS server are in
    use, both commands are required to disable the HTTP Server feature.

    While this mitigation has been deployed and was proven successful in a
    test environment, customers should determine the applicability and
    effectiveness in their own environment and under their own use
    conditions. Customers should be aware that any workaround or mitigation
    that is implemented may negatively impact the functionality or
    performance of their network based on intrinsic customer deployment
    scenarios and limitations. Customers should not deploy any workarounds
    or mitigations before first evaluating the applicability to their own
    environment and any impact to such environment.

Fixed Software

  o When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page, to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new
    release. If the information is not clear, customers are advised to
    contact the Cisco Technical Assistance Center (TAC) or their contracted
    maintenance providers.
    Cisco IOS and IOS XE Software

    To help customers determine their exposure to vulnerabilities in Cisco
    IOS and IOS XE Software, Cisco provides the Cisco Software Checker to
    identify any Cisco Security Advisories that impact a specific software
    release and the earliest release that fixes the vulnerabilities
    described in each advisory ("First Fixed"). If applicable, the tool
    also returns the earliest release that fixes all the vulnerabilities
    described in all the advisories identified ("Combined First Fixed").

    Customers can use the Cisco Software Checker to search advisories in
    the following ways:

      o Choose the software and one or more releases
      o Upload a .txt file that includes a list of specific releases
      o Enter the output of the show version command

    After initiating a search, customers can customize the search to
    include all Cisco Security Advisories, a specific advisory, or all
    advisories in the most recent bundled publication.

    By default, the Cisco Software Checker includes results only for
    vulnerabilities that have a Critical or High Security Impact Rating
    (SIR). To include results for Medium SIR vulnerabilities, customers can
    use the Cisco Software Checker on Cisco.com and check the Medium check
    box in the drop-down list under Impact Rating when customizing a search.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware
    of any public announcements or malicious use of the vulnerability that
    is described in this advisory.

Source

  o Cisco would like to thank the National Security Agency (NSA) for
    reporting this vulnerability.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving
    security vulnerability information from Cisco.
Related to This Advisory

  o Cisco Event Response: April 2022 Semiannual Cisco IOS and IOS XE
    Software Security Advisory Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-webuiapi-inj-Nyrq92Od

Revision History

  o +---------+-------------------------+---------+--------+-------------+
    | Version | Description             | Section | Status | Date        |
    +---------+-------------------------+---------+--------+-------------+
    | 1.0     | Initial public release. | -       | Final  | 2022-APR-13 |
    +---------+-------------------------+---------+--------+-------------+

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the appropriate
person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
14 April 2022

ESB-2022.1608 - [Cisco] Cisco IOS XE Software: CVSS (Max): 5.1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.1608
   Cisco IOS XE Software Tool Command Language Privilege Escalation Vulnerability
                               14 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco IOS XE Software
Publisher:         Cisco Systems
Operating System:  Cisco
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-20676
Original Bulletin:
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-priv-esc-grbtubU

Comment: CVSS (Max):  5.1 CVE-2022-20676 (CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N)
         CVSS Source: Cisco Systems
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:N

--------------------------BEGIN INCLUDED TEXT--------------------

Cisco IOS XE Software Tool Command Language Privilege Escalation Vulnerability

Priority:        Medium
Advisory ID:     cisco-sa-iosxe-priv-esc-grbtubU
First Published: 2022 April 13 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvy35833
CVE Names:       CVE-2022-20676
CWEs:            CWE-250

Summary

  o A vulnerability in the Tool Command Language (Tcl) interpreter of Cisco
    IOS XE Software could allow an authenticated, local attacker to escalate
    from privilege level 15 to root-level privileges.

    This vulnerability is due to insufficient input validation of data that
    is passed into the Tcl interpreter. An attacker could exploit this
    vulnerability by loading malicious Tcl code on an affected device. A
    successful exploit could allow the attacker to execute arbitrary
    commands as root. By default, Tcl shell access requires privilege
    level 15.

    Cisco has released software updates that address this vulnerability.
    There are no workarounds that address this vulnerability.
    This advisory is part of the April 2022 release of the Cisco IOS and
    IOS XE Software Security Advisory Bundled Publication. For a complete
    list of the advisories and links to them, see Cisco Event Response:
    April 2022 Semiannual Cisco IOS and IOS XE Software Security Advisory
    Bundled Publication.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-priv-esc-grbtubU

Affected Products

  o Vulnerable Products

    At the time of publication, this vulnerability affected Cisco devices
    if they were running a vulnerable release of Cisco IOS XE Software and
    supported the tclsh command.

    Note: Devices are not considered vulnerable if they do not support the
    command or if the command returns an error.

    For information about which Cisco software releases are vulnerable, see
    the Fixed Software section of this advisory.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this
    advisory are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the
    following Cisco products:

      o IOS Software
      o IOS XR Software
      o Meraki products
      o NX-OS Software

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page, to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new
    release. If the information is not clear, customers are advised to
    contact the Cisco Technical Assistance Center (TAC) or their contracted
    maintenance providers.
    Cisco IOS and IOS XE Software

    To help customers determine their exposure to vulnerabilities in Cisco
    IOS and IOS XE Software, Cisco provides the Cisco Software Checker to
    identify any Cisco Security Advisories that impact a specific software
    release and the earliest release that fixes the vulnerabilities
    described in each advisory ("First Fixed"). If applicable, the tool
    also returns the earliest release that fixes all the vulnerabilities
    described in all the advisories identified ("Combined First Fixed").

    Customers can use the Cisco Software Checker to search advisories in
    the following ways:

      o Choose the software and one or more releases
      o Upload a .txt file that includes a list of specific releases
      o Enter the output of the show version command

    After initiating a search, customers can customize the search to
    include all Cisco Security Advisories, a specific advisory, or all
    advisories in the most recent bundled publication.

    By default, the Cisco Software Checker includes results only for
    vulnerabilities that have a Critical or High Security Impact Rating
    (SIR). To include results for Medium SIR vulnerabilities, customers can
    use the Cisco Software Checker on Cisco.com and check the Medium check
    box in the drop-down list under Impact Rating when customizing a search.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware
    of any public announcements or malicious use of the vulnerability that
    is described in this advisory.

Source

  o This vulnerability was found during internal security testing by X.B.
    of the Cisco Advanced Security Initiatives Group (ASIG).

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving
    security vulnerability information from Cisco.
Related to This Advisory

  o Cisco Event Response: April 2022 Semiannual Cisco IOS and IOS XE
    Software Security Advisory Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-priv-esc-grbtubU

Revision History

  o +---------+-------------------------+---------+--------+-------------+
    | Version | Description             | Section | Status | Date        |
    +---------+-------------------------+---------+--------+-------------+
    | 1.0     | Initial public release. | -       | Final  | 2022-APR-13 |
    +---------+-------------------------+---------+--------+-------------+

--------------------------END INCLUDED TEXT--------------------
14 April 2022

ESB-2022.1607 - [Cisco] Cisco IOS XE Software: CVSS (Max): 7.7

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.1607
      Cisco IOS XE Software NETCONF Over SSH Denial of Service Vulnerability
                               14 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco IOS XE Software
Publisher:         Cisco Systems
Operating System:  Cisco
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-20692
Original Bulletin:
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ncossh-dos-ZAkfOdq8

Comment: CVSS (Max):  7.7 CVE-2022-20692 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H)
         CVSS Source: Cisco Systems
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

--------------------------BEGIN INCLUDED TEXT--------------------

Cisco IOS XE Software NETCONF Over SSH Denial of Service Vulnerability

Priority:        High
Advisory ID:     cisco-sa-ncossh-dos-ZAkfOdq8
First Published: 2022 April 13 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvy95621
CVE Names:       CVE-2022-20692
CWEs:            CWE-400

Summary

  o A vulnerability in the NETCONF over SSH feature of Cisco IOS XE Software
    could allow a low-privileged, authenticated, remote attacker to cause a
    denial of service (DoS) condition on an affected device.

    This vulnerability is due to insufficient resource management. An
    attacker could exploit this vulnerability by initiating a large number
    of NETCONF over SSH connections. A successful exploit could allow the
    attacker to exhaust resources, causing the device to reload and
    resulting in a DoS condition on an affected device.

    Cisco has released software updates that address this vulnerability.
    There are no workarounds that address this vulnerability.
    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ncossh-dos-ZAkfOdq8

    This advisory is part of the April 2022 release of the Cisco IOS and
    IOS XE Software Security Advisory Bundled Publication. For a complete
    list of the advisories and links to them, see Cisco Event Response:
    April 2022 Semiannual Cisco IOS and IOS XE Software Security Advisory
    Bundled Publication.

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco products if they are running a
    vulnerable release of Cisco IOS XE Software and have the NETCONF over
    SSH feature enabled.

    Note: NETCONF over SSH is not enabled by default.

    Note: Releases 17.3.1 and later are not affected.

    For information about which Cisco software releases are vulnerable, see
    the Fixed Software section of this advisory.

    Determine if NETCONF over SSH is Enabled

    To determine whether NETCONF over SSH is enabled, administrators can
    issue the show running-config | include netconf-yang command. The
    following output shows a device with NETCONF over SSH enabled.

        Router# show running-config | include netconf-yang
        netconf-yang
        Router#

    If the command returns no output, the device is not affected.

    Products Confirmed Not Vulnerable

    Cisco has confirmed that this vulnerability does not affect the
    following Cisco products:

      o IOS Software
      o IOS XR Software
      o Meraki products
      o NX-OS Software

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the
    vulnerability described in this advisory. Customers with service
    contracts that entitle them to regular software updates should obtain
    security fixes through their usual update channels.

    Customers may only install and expect support for software versions and
    feature sets for which they have purchased a license.
    By installing, downloading, accessing, or otherwise using such software
    upgrades, customers agree to follow the terms of the Cisco software
    license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco
    authorized reseller or partner. In most cases this will be a maintenance
    upgrade to software that was previously purchased. Free security
    software updates do not entitle customers to a new software license,
    additional software feature sets, or major revision upgrades.

    The Cisco Support and Downloads page on Cisco.com provides information
    about licensing and downloads. This page can also display customer
    device support coverage for customers who use the My Devices tool.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page, to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new
    release. If the information is not clear, customers are advised to
    contact the Cisco Technical Assistance Center (TAC) or their contracted
    maintenance providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco
    service contract and customers who make purchases through third-party
    vendors but are unsuccessful in obtaining fixed software through their
    point of sale should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be
    prepared to provide the URL of this advisory as evidence of entitlement
    to a free upgrade.
    Cisco IOS and IOS XE Software

    To help customers determine their exposure to vulnerabilities in Cisco
    IOS and IOS XE Software, Cisco provides the Cisco Software Checker to
    identify any Cisco Security Advisories that impact a specific software
    release and the earliest release that fixes the vulnerabilities
    described in each advisory ("First Fixed"). If applicable, the tool
    also returns the earliest release that fixes all the vulnerabilities
    described in all the advisories identified ("Combined First Fixed").

    Customers can use the Cisco Software Checker to search advisories in
    the following ways:

      o Choose the software and one or more releases
      o Upload a .txt file that includes a list of specific releases
      o Enter the output of the show version command

    After initiating a search, customers can customize the search to
    include all Cisco Security Advisories, a specific advisory, or all
    advisories in the most recent bundled publication.

    By default, the Cisco Software Checker includes results only for
    vulnerabilities that have a Critical or High Security Impact Rating
    (SIR). To include results for Medium SIR vulnerabilities, customers can
    use the Cisco Software Checker on Cisco.com and check the Medium check
    box in the drop-down list under Impact Rating when customizing a search.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware
    of any public announcements or malicious use of the vulnerability that
    is described in this advisory.

Source

  o Cisco would like to thank the National Security Agency (NSA) who
    reported this vulnerability.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving
    security vulnerability information from Cisco.
Related to This Advisory

  o Cisco Event Response: April 2022 Semiannual Cisco IOS and IOS XE
    Software Security Advisory Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ncossh-dos-ZAkfOdq8

Revision History

  o +---------+-------------------------+---------+--------+-------------+
    | Version | Description             | Section | Status | Date        |
    +---------+-------------------------+---------+--------+-------------+
    | 1.0     | Initial public release. | -       | Final  | 2022-APR-13 |
    +---------+-------------------------+---------+--------+-------------+

--------------------------END INCLUDED TEXT--------------------
14 April 2022

ESB-2022.1606 - [Cisco] Cisco IOS XE Software: CVSS (Max): 6.8

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.1606
            Cisco IOS XE Software IPSec Denial of Service Vulnerability
                               14 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco IOS XE Software
Publisher:         Cisco Systems
Operating System:  Cisco
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-20679
Original Bulletin:
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-qfp-ipsec-GQmqvtqV

Comment: CVSS (Max):  6.8 CVE-2022-20679 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H)
         CVSS Source: Cisco Systems
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H

--------------------------BEGIN INCLUDED TEXT--------------------

Cisco IOS XE Software IPSec Denial of Service Vulnerability

Priority:        Medium
Advisory ID:     cisco-sa-qfp-ipsec-GQmqvtqV
First Published: 2022 April 13 16:00 GMT
Version 1.0:     Final
Workarounds:     Yes
Cisco Bug IDs:   CSCvz55575
CVE Names:       CVE-2022-20679
CWEs:            CWE-20

Summary

  o A vulnerability in the IPSec decryption routine of Cisco IOS XE Software
    could allow an unauthenticated, remote attacker to cause an affected
    device to reload, resulting in a denial of service (DoS) condition.

    This vulnerability is due to buffer exhaustion that occurs while traffic
    on a configured IPsec tunnel is being processed. An attacker could
    exploit this vulnerability by sending traffic to an affected device that
    has a maximum transmission unit (MTU) of 1800 bytes or greater. A
    successful exploit could allow the attacker to cause the device to
    reload.

    To exploit this vulnerability, the attacker may need access to the
    trusted network where the affected device is in order to send specific
    packets to be processed by the device.
    All network devices between the attacker and the affected device must
    support an MTU of 1800 bytes or greater. This access requirement could
    limit the possibility of a successful exploit.

    Cisco has released software updates that address this vulnerability.
    There are workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-qfp-ipsec-GQmqvtqV

    This advisory is part of the April 2022 release of the Cisco IOS and
    IOS XE Software Security Advisory Bundled Publication. For a complete
    list of the advisories and links to them, see Cisco Event Response:
    April 2022 Semiannual Cisco IOS and IOS XE Software Security Advisory
    Bundled Publication.

Affected Products

  o Vulnerable Products

    At the time of publication, this vulnerability affected the following
    Cisco products if they were configured to terminate IPsec VPN
    connections and were running a vulnerable release of Cisco IOS XE
    Software that was running in autonomous or controller mode:

      o 1000 Series Integrated Services Routers
      o 4221 Integrated Services Routers
      o 4321 Integrated Services Routers
      o 4331 Integrated Services Routers
      o 4351 Integrated Services Routers
      o Catalyst 8200 Series Edge Platform
      o Catalyst 8300 Series Edge Platform

    For information about which Cisco software releases are vulnerable, see
    the Fixed Software section of this advisory.

    Determine the Device Configuration

    A device that is running Cisco IOS XE Software is configured to
    terminate IPsec VPN connections, and is therefore affected, if one of
    the following conditions matches:

      o A crypto map is configured for at least one interface
      o The device is configured with IPsec virtual tunnel interfaces (VTIs)

    In addition, the MTU of the interface that is used for encryption must
    have been increased to 1800 bytes or greater.

    To determine whether a crypto map is configured for at least one
    interface, use the
    show running-config | include ^interface|^ crypto map |^ mtu command.
The following example shows a crypto map named map-group1 and increased MTU configured on the GigabitEthernet 0/0/0 interface: Router# show running-config | include ^interface|^ crypto map |^ mtu interface GigabitEthernet0/0/0 mtu 1800 crypto map map-group1 To determine whether the device is configured with IPsec VTIs, use the show running-config | include ^interface|^ tunnel protection ipsec profile |^ mtu command and verify that the returned output contains tunnel protection ipsec profile configured under at least one tunnel interface and that the MTU has been increased on the physical interface associated to the tunnel. The following example shows VTI interface Tunnel1 and increased MTU on GigabitEthernet0/0/0: Router# show running-config | include ^interface|^ tunnel protection ipsec profile |^ mtu interface Tunnel1 tunnel protection ipsec profile vti-1 interface GigabitEthernet0/0/0 mtu 1800 Note : IPsec VPN is not configured by default. Products Confirmed Not Vulnerable Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability. Cisco has confirmed that this vulnerability does not affect the following Cisco products: IOS Software IOS XR Software Meraki products NX-OS Software Workarounds o There is a workaround that addresses this vulnerability. Lower the MTU to less than 1800 bytes on all IPsec-enabled interfaces on affected devices by using the following command: Router(config-if)#mtu 1750 Note: This will require changing the MTU on all peers of the IPsec connection. While this workaround has been deployed and proven successful in a test environment, customers should determine the applicability and effectiveness in their own environment and under their own use conditions. Customers should be aware that any workaround or mitigation that is implemented may negatively impact the functionality or performance of their network based on intrinsic customer deployment scenarios and limitations. 
Customers should not deploy any workarounds or mitigations before first evaluating the applicability to their own environment and any impact to such environment. Fixed Software o When considering software upgrades , customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page , to determine exposure and a complete upgrade solution. In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers. Cisco IOS and IOS XE Software To help customers determine their exposure to vulnerabilities in Cisco IOS and IOS XE Software, Cisco provides the Cisco Software Checker to identify any Cisco Security Advisories that impact a specific software release and the earliest release that fixes the vulnerabilities described in each advisory ("First Fixed"). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities described in all the advisories identified ("Combined First Fixed"). Customers can use the Cisco Software Checker to search advisories in the following ways: Choose the software and one or more releases Upload a .txt file that includes a list of specific releases Enter the output of the show version command After initiating a search, customers can customize the search to include all Cisco Security Advisories, a specific advisory, or all advisories in the most recent bundled publication. By default, the Cisco Software Checker includes results only for vulnerabilities that have a Critical or High Security Impact Rating (SIR). 
To include results for Medium SIR vulnerabilities, customers can use the Cisco Software Checker on Cisco.com and check the Medium check box in the drop-down list under Impact Rating when customizing a search. Exploitation and Public Announcements o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory. Source o This vulnerability was found during the resolution of a Cisco TAC support case. Cisco Security Vulnerability Policy o To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy . This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco. Related to This Advisory o Cisco Event Response: April 2022 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication URL o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-qfp-ipsec-GQmqvtqV Revision History o +----------+---------------------------+----------+--------+--------------+ | Version | Description | Section | Status | Date | +----------+---------------------------+----------+--------+--------------+ | 1.0 | Initial public release. | - | Final | 2022-APR-13 | +----------+---------------------------+----------+--------+--------------+ - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. 
As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. 
=========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBYldh+ONLKJtyKPYoAQjH5g//Sl2Zj4rBSzOlRiBt127CXDTh6FBsNb5e 9EIN7Ieap/LCtHx4U9DNd9gMTWb81Mdi9mNrb9kofh/5ChS+Air7WTtKHL0R7zO7 O6y0K5GCyOy6g4aM5qtohElQygSZtKs10bVXcekinYnbVUs+KhGdkYVDmNi9cSER vtvxpGeg529HZRpeZOz5KoBu8rAN8zunK/d8BC/4QnGO+Kx7xFl1BVb15Z0JmV9b SiDQKT0kEA4YLlL2CNmj0i8wjuYYDjvzPPAjKa9FeWP9HgVqxz3pUWEVW47L3xrm WDCm9Q94ggkUIRAQvoQeoRYjtTORn9U5l3VkKTpTW0Mr3YP18vCBn1yOicAideUa SOeSWo3hMxKlCAOcjFe1V+E/w20Pz3fLl4DTpfenhri21JKATT3lQxxyTdEdS5i3 QRNCrG7DBOhPD/T4iLZo3ZawoPUDl3Uh5ge6A2xeY2aF4BZ4RDE2AT6Toua/U2up P3FN/jQu/aya5kKaxr/vRElMO4SZrcvba/qFtizhVMGN6QRPioQCRkfaiShzv4VD 5H4/gz9adRSm/CRDkM5YtwhyiI/CvbPTEsfkSqeQa8E+2a9//4ruQYrvpb8pZJnm B9I/yR2ERlKBR4PVxpGtsJtbnKKg9mriEV3xwmiMUoFEfkmLKvDFVn5JOO2jlaKu IplCA3OsbDs= =vbWM -----END PGP SIGNATURE-----
14 April 2022

ESB-2022.1605 - [Cisco] Cisco IOS XE Software: CVSS (Max): 6.8

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.1605
   Cisco IOS XE Software Border Gateway Protocol Resource Public Key
              Infrastructure Denial of Service Vulnerability
                               14 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco IOS XE Software
Publisher:         Cisco Systems
Operating System:  Cisco
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-20694
Original Bulletin:
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-rpki-dos-2EgCNeKE

Comment: CVSS (Max):  6.8 CVE-2022-20694 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H)
         CVSS Source: Cisco Systems
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco IOS XE Software Border Gateway Protocol Resource Public Key
Infrastructure Denial of Service Vulnerability

Priority:        Medium
Advisory ID:     cisco-sa-iosxe-rpki-dos-2EgCNeKE
First Published: 2022 April 13 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvz55292
CVE Names:       CVE-2022-20694
CWEs:            CWE-617

Summary

  o A vulnerability in the implementation of the Resource Public Key
    Infrastructure (RPKI) feature of Cisco IOS XE Software could allow an
    unauthenticated, remote attacker to cause the Border Gateway Protocol
    (BGP) process to crash, resulting in a denial of service (DoS) condition.

    This vulnerability is due to the incorrect handling of a specific RPKI to
    Router (RTR) Protocol packet header. An attacker could exploit this
    vulnerability by compromising the RPKI validator server and sending a
    specifically crafted RTR packet to an affected device. Alternatively, the
    attacker could use man-in-the-middle techniques to impersonate the RPKI
    validator server and send a crafted RTR response packet over the
    established RTR TCP connection to the affected device. A successful
    exploit could allow the attacker to cause a DoS condition because the BGP
    process could constantly restart and BGP routing could become unstable.

    Cisco has released software updates that address this vulnerability.
    There are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-rpki-dos-2EgCNeKE

    This advisory is part of the April 2022 release of the Cisco IOS and IOS
    XE Software Security Advisory Bundled Publication. For a complete list of
    the advisories and links to them, see Cisco Event Response: April 2022
    Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled
    Publication.

Affected Products

  o Vulnerable Products

    At the time of publication, this vulnerability affected Cisco devices if
    they were running a vulnerable release of IOS XE Software and had the
    RPKI feature configured and in use.

    For information about which Cisco software releases are vulnerable, see
    the Fixed Software section of this advisory.

    Determine Whether RPKI is Enabled

    To determine whether RPKI is enabled, issue the show bgp rpki servers
    command. If the command returns output, RPKI is enabled and the device is
    vulnerable. The following example shows the output of a device with RPKI
    configured with a server at the IP address 10.10.10.10 on port 10000:

      Router# show bgp rpki servers
      % Command accepted but obsolete, unreleased or unsupported; see documentation.
      BGP SOVC neighbor is 10.10.10.10/10000 connected to port 10000
      Flags 0, Refresh time is 600, Serial number is 0, Session ID is 0
      InQ has 0 messages, OutQ has 0 messages, formatted msg 0
      Session IO flags 0, Session flags 4000
       Neighbor Statistics:
       . . .
      Router#

    Note: The IP addresses displayed for configured neighbors depend on the
    device configuration.

    If the command returns no output, the device is not affected.

  o Products Confirmed Not Vulnerable

    Cisco has confirmed that this vulnerability does not affect the following
    Cisco products:

      - IOS Software
      - IOS XR Software
      - Meraki products
      - NX-OS Software

Workarounds

  o There are no workarounds that address this vulnerability. However,
    administrators can remove the RPKI configuration as a mitigation. If RPKI
    servers are either not in use or removed from the configuration, the
    device is considered not vulnerable. The decision to remove the RPKI
    configuration needs careful consideration.

    While this mitigation has been deployed and was proven successful in a
    test environment, customers should determine the applicability and
    effectiveness in their own environment and under their own use
    conditions. Customers should be aware that any workaround or mitigation
    that is implemented may negatively impact the functionality or
    performance of their network based on intrinsic customer deployment
    scenarios and limitations. Customers should not deploy any workarounds or
    mitigations before first evaluating the applicability to their own
    environment and any impact to such environment.

Fixed Software

  o When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page, to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new
    release. If the information is not clear, customers are advised to
    contact the Cisco Technical Assistance Center (TAC) or their contracted
    maintenance providers.
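The advisory attributes the BGP crash to incorrect handling of a single RTR packet header (CWE-617, a reachable assertion) from a compromised or impersonated validator. The following added Python example, which is not Cisco's or AusCERT's code, shows the defensive pattern an RTR client on the router side should follow: validate the 8-byte header (protocol version, PDU type, session-ID/zero field and length, as laid out in RFC 6810 and RFC 8210) against the lengths the protocol defines before any body field is read, and turn every inconsistency into a rejected PDU rather than an assertion that takes the process down. The sample PDUs are constructed for the example, and the 64 KiB cap on the 32-bit length field is an assumption of the example, not something the advisory states.

```python
"""Added example (not Cisco's or AusCERT's code): strict RTR PDU header
validation, the pattern that avoids a crash on a malformed header."""
import struct

RTR_HEADER = struct.Struct("!BBHI")  # version, PDU type, session id / zero / error code, length

PDU_NAMES = {0: "Serial Notify", 1: "Serial Query", 2: "Reset Query",
             3: "Cache Response", 4: "IPv4 Prefix", 6: "IPv6 Prefix",
             7: "End of Data", 8: "Cache Reset", 10: "Error Report"}

# Total PDU length (header + body) for fixed-size PDU types, per RFC 6810 / RFC 8210.
FIXED_PDU_LENGTH = {0: 12, 1: 12, 2: 8, 3: 8, 4: 20, 6: 32, 8: 8}
MAX_PDU_LENGTH = 65536  # assumption: sanity cap on the 32-bit length field


class RtrHeaderError(ValueError):
    """A header that must be rejected. The caller answers with an RTR Error
    Report and drops the session; it never asserts or crashes on it."""


def expected_length_bounds(version, pdu_type):
    """(min_len, max_len) for a PDU type under the given protocol version,
    or None if the type is not defined for that version."""
    if pdu_type in FIXED_PDU_LENGTH:
        n = FIXED_PDU_LENGTH[pdu_type]
        return n, n
    if pdu_type == 7:                  # End of Data gained three timer fields in version 1
        return (12, 12) if version == 0 else (24, 24)
    if pdu_type == 10:                 # Error Report carries an encapsulated PDU and text
        return 16, MAX_PDU_LENGTH
    return None


def parse_rtr_header(data):
    """Validate the first 8 bytes of an RTR PDU and return
    (version, pdu_type, session_or_zero, length). Every inconsistency is
    reported as RtrHeaderError before any body field is touched."""
    if len(data) < RTR_HEADER.size:
        raise RtrHeaderError("short header: %d bytes" % len(data))
    version, pdu_type, session, length = RTR_HEADER.unpack_from(data)
    if version not in (0, 1):
        raise RtrHeaderError("unsupported protocol version %d" % version)
    bounds = expected_length_bounds(version, pdu_type)
    if bounds is None:
        raise RtrHeaderError("unknown PDU type %d for version %d" % (pdu_type, version))
    low, high = bounds
    if not low <= length <= high:
        raise RtrHeaderError("%s: length %d outside [%d, %d]"
                             % (PDU_NAMES[pdu_type], length, low, high))
    return version, pdu_type, session, length


def check_pdu(data):
    """Return (accepted, message) for one PDU read from the RTR TCP stream,
    also rejecting a body shorter than the header promises."""
    try:
        version, pdu_type, _, length = parse_rtr_header(data)
    except RtrHeaderError as exc:
        return False, "reject: %s" % exc
    if len(data) < length:
        return False, "reject: %s truncated (%d of %d bytes)" % (
            PDU_NAMES[pdu_type], len(data), length)
    return True, "accept: v%d %s" % (version, PDU_NAMES[pdu_type])


# Constructed sample PDUs (not captured traffic).
RESET_QUERY_V1 = struct.pack("!BBHI", 1, 2, 0, 8)
END_OF_DATA_V1 = struct.pack("!BBHI", 1, 7, 0x1234, 24) + struct.pack("!IIII", 42, 3600, 600, 7200)
BAD_PREFIX_LENGTH = struct.pack("!BBHI", 1, 4, 0, 8)           # IPv4 Prefix must be 20 bytes
BAD_TYPE = struct.pack("!BBHI", 1, 5, 0, 8)                    # PDU type 5 is not assigned
BAD_ERROR_REPORT = struct.pack("!BBHI", 0, 10, 2, 0xFFFFFFFF)  # length far beyond the cap
BAD_EOD_V0 = struct.pack("!BBHI", 0, 7, 0x1234, 24)            # version 0 End of Data is 12 bytes
TRUNCATED_EOD = END_OF_DATA_V1[:16]                            # header ok, body cut short

if __name__ == "__main__":
    for label, pdu in [("reset query", RESET_QUERY_V1), ("end of data", END_OF_DATA_V1),
                       ("bad prefix length", BAD_PREFIX_LENGTH), ("bad type", BAD_TYPE),
                       ("bad error report", BAD_ERROR_REPORT), ("bad v0 eod", BAD_EOD_V0),
                       ("truncated eod", TRUNCATED_EOD)]:
        print("%-18s %s" % (label, check_pdu(pdu)[1]))
```

The point of the split between `parse_rtr_header` and `check_pdu` is that the length claimed by the peer is never trusted: it is first checked against what the PDU type allows and then against what was actually received, so neither an oversized length (which would make a naive reader allocate or wait for gigabytes) nor an undersized one (which would make it index past a body that is not there) reaches the parsing code.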
    Cisco IOS and IOS XE Software

    To help customers determine their exposure to vulnerabilities in Cisco
    IOS and IOS XE Software, Cisco provides the Cisco Software Checker to
    identify any Cisco Security Advisories that impact a specific software
    release and the earliest release that fixes the vulnerabilities
    described in each advisory ("First Fixed"). If applicable, the tool also
    returns the earliest release that fixes all the vulnerabilities
    described in all the advisories identified ("Combined First Fixed").

    Customers can use the Cisco Software Checker to search advisories in the
    following ways:

      - Choose the software and one or more releases
      - Upload a .txt file that includes a list of specific releases
      - Enter the output of the show version command

    After initiating a search, customers can customize the search to include
    all Cisco Security Advisories, a specific advisory, or all advisories in
    the most recent bundled publication.

    By default, the Cisco Software Checker includes results only for
    vulnerabilities that have a Critical or High Security Impact Rating
    (SIR). To include results for Medium SIR vulnerabilities, customers can
    use the Cisco Software Checker on Cisco.com and check the Medium check
    box in the drop-down list under Impact Rating when customizing a search.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was reported to the Cisco PSIRT for resolution by the
    U.S. National Security Agency (NSA).

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving
    security vulnerability information from Cisco.

Related to This Advisory

  o Cisco Event Response: April 2022 Semiannual Cisco IOS and IOS XE Software
    Security Advisory Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-iosxe-rpki-dos-2EgCNeKE

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  | Description               | Section  | Status | Date         |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2022-APR-13  |
    +----------+---------------------------+----------+--------+--------------+

- --------------------------END INCLUDED TEXT--------------------

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYldh7ONLKJtyKPYoAQgp1g/8DIsSZtlkyzckFPDW4WJtiUHLxz7/pNeF
08tRDQ9k0CEGfXBPBqfVt/40mK9UIsALovsEtFuK8Dul7wWxpeXkw/KHMXqLGkQB
HRmD0DG51I7F5J22l6NB/GSsF5sNgxR/QZaZBZHTVIYEyYlGBbzc/sZBSmSN35BW
+YJU+asPEJcg5d5ShUNomNZq9Nla9kILbrhrQR954aprtlj4Ajzmh830rYojBRqB
jqt/t4CRCH2CwtJ+IQKhfeAMwaLrSVs/Uc6iHqVt3psQ5DraD0Vs2jRi2y9hIV8j
+YD72GKIScmDpqEAiUQ1PXC/2fHMMmQSZ5Rvu7nX5Btkr41oEqjyrnp9MPxFwlsq
Yk9XKDVtWuJdiUsuktWTKkVdJHAzaILHek5BVMEgjN/Qr/PU9BhqNXr5R8rsMQkk
6Rag9PHeo3PYj5B+T24j6FGgRcifieaSHSCDbSKaoM+qwZ/zpHZCHCvionAZfQPi
TTCMyeqoWpmBEpUPt5dkaL3JO3DqW43jQCiXxJ5jByjG+dQOB4jVNFy4B5r2sGRw
Ayp1n7R6LaabvlGtYeB6QvadpIvLhoEDxSckwcQRHfJLG4fG7wHuXu+wrycQSSR0
cftAwgbX9wuKALd0nQqq34Iz/wU/YGwlRbdksNNiO6AbXi/gpSZagRqfscDQYh7k
I7gjACiw/hs=
=ym5B
-----END PGP SIGNATURE-----
14 April 2022

ESB-2022.1604 - [Cisco] Cisco IOS XE Software: CVSS (Max): 8.6

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.1604
       Cisco IOS XE Software AppNav-XE Denial of Service Vulnerability
                               14 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco IOS XE Software
Publisher:         Cisco Systems
Operating System:  Cisco
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-20678
Original Bulletin:
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-appnav-xe-dos-j5MXTR4

Comment: CVSS (Max):  8.6 CVE-2022-20678 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
         CVSS Source: Cisco Systems
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco IOS XE Software AppNav-XE Denial of Service Vulnerability

Priority:        High
Advisory ID:     cisco-sa-appnav-xe-dos-j5MXTR4
First Published: 2022 April 13 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvx26652
CVE Names:       CVE-2022-20678
CWEs:            CWE-413

Summary

  o A vulnerability in the AppNav-XE feature of Cisco IOS XE Software could
    allow an unauthenticated, remote attacker to cause an affected device to
    reload, resulting in a denial of service (DoS) condition.

    This vulnerability is due to the incorrect handling of certain TCP
    segments. An attacker could exploit this vulnerability by sending a
    stream of crafted TCP traffic at a high rate through an interface of an
    affected device. That interface would need to have AppNav interception
    enabled. A successful exploit could allow the attacker to cause the
    device to reload.

    Cisco has released software updates that address this vulnerability.
    There are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-appnav-xe-dos-j5MXTR4

    This advisory is part of the April 2022 release of the Cisco IOS and IOS
    XE Software Security Advisory Bundled Publication. For a complete list of
    the advisories and links to them, see Cisco Event Response: April 2022
    Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled
    Publication.

Affected Products

  o Vulnerable Products

    This vulnerability affects the following Cisco products if they are
    running a vulnerable release of Cisco IOS XE Software and have the
    AppNav-XE feature enabled:

      - 1000 Series Integrated Services Routers
      - 4000 Series Integrated Services Routers
      - ASR 1001-X Routers
      - ASR 1002-X Routers
      - Catalyst 8300 Series Routers
      - Catalyst 8500 Series Routers
      - Catalyst 8000V Edge Software
      - Cloud Services Router 1000V Series

    Note: The AppNav-XE feature is disabled by default in Cisco IOS XE
    Software.

    For information about which Cisco software releases are vulnerable, see
    the Fixed Software section of this advisory.

    Determine the AppNav-XE Configuration

    To determine the AppNav-XE configuration, first verify that all of the
    following are true:

      - AppNav interception is enabled on at least one interface
      - An AppNav Controller group is configured and has at least one AppNav
        Controller member
      - A service node group is configured and has at least one service node
        member
      - A service context of type waas is configured, enabled, and links to
        an AppNav Controller group, a service node group, and a service
        policy

    To determine whether AppNav interception is enabled on at least one
    interface, use either of the following options:

      - Use the show running-config | include ^interface|service-insertion
        waas CLI command and confirm that service-insertion waas is
        configured under at least one interface. The following example shows
        the output on a device that has AppNav interception enabled on
        interface GigabitEthernet1:

          Router#show running-config | include ^interface|service-insertion waas
          interface VirtualPortGroup0
          interface GigabitEthernet1
           service-insertion waas
          interface GigabitEthernet2
          Router#

      - Use the show service-insertion status | begin AppNav Enabled
        Interfaces CLI command and confirm that at least one interface is
        listed in the resulting output. The following example shows the
        output on a device that has the AppNav-XE feature enabled on
        interface GigabitEthernet1:

          Router#show service-insertion status | begin AppNav Enabled Interfaces
          AppNav Enabled Interfaces:
          GigabitEthernet1
          Router#

    To determine whether an AppNav Controller group, a service node group,
    and a service context of type waas are configured and enabled, use the
    show running-config | section service-insertion CLI command. The
    following example shows the output on a device that fulfills all of the
    requirements:

      Router#show running-config | section service-insertion
      service-insertion service-node-group WNG-Default-1
       service-node 192.168.100.102
       service-node 192.168.100.2
      service-insertion appnav-controller-group scg
       appnav-controller 192.168.10.10
      service-insertion service-context waas/1
       appnav-controller-group scg
       service-node-group WNG-Default-1
       service-policy APPNAV-1-PMAP
       vrf default
       enable
       service-insertion waas
      Router#

  o Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory
    are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following
    Cisco products:

      - AppNav Controllers running Cisco Wide Area Application Services
        (WAAS) Software
      - IOS Software
      - IOS XR Software
      - Meraki products
      - NX-OS Software

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability
    described in this advisory.
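Both of the configuration checks in this bundle that are expressed as `show running-config` inspections, the IPsec termination plus MTU check of ESB-2022.1606 above and the four AppNav-XE conditions in this advisory, can be run over a saved copy of the running configuration rather than by eye. The following Python example does that; it is added here and is not Cisco's or AusCERT's code. The sample configurations are constructed (interface names, group names and addresses are adapted from the advisories' own example output), the 1500-byte default for an interface without an `mtu` line is an assumption, and resolving a VTI to its physical interface through the `tunnel source` line is this example's approach, not something the advisory specifies.

```python
"""Added example (not Cisco's or AusCERT's code): evaluate the ESB-2022.1606
(IPsec on an interface with MTU >= 1800) and ESB-2022.1604 (AppNav-XE fully
configured) checks against saved `show running-config` text."""
import re

MTU_THRESHOLD = 1800  # from the advisory: 1800 bytes or greater is affected
DEFAULT_MTU = 1500    # assumption: an interface without an "mtu" line uses 1500


def parse_blocks(config):
    """Split IOS-style config into [(header, [sub-lines])]: a block is one
    non-indented line plus the indented lines that follow it."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw.startswith(" "):
            blocks.append((raw.strip(), []))
        elif blocks:
            blocks[-1][1].append(raw.strip())
    return blocks


def interfaces_of(blocks):
    """Map interface name -> its sub-lines."""
    return {h.split(None, 1)[1]: lines for h, lines in blocks if h.startswith("interface ")}


def ipsec_mtu_findings(config):
    """ESB-2022.1606: return [(interface, reason)] for every crypto-map
    interface or IPsec VTI whose encrypting interface has MTU >= 1800."""
    ifaces = interfaces_of(parse_blocks(config))

    def mtu_of(name):
        for line in ifaces.get(name, []):
            m = re.fullmatch(r"mtu (\d+)", line)
            if m:
                return int(m.group(1))
        return DEFAULT_MTU

    def iface_for_ip(addr):  # resolve "tunnel source <ip>" to the interface owning it
        return next((n for n, ls in ifaces.items()
                     if any(l.startswith("ip address %s " % addr) for l in ls)), None)

    findings = []
    for name, lines in ifaces.items():
        if any(l.startswith("crypto map ") for l in lines) and mtu_of(name) >= MTU_THRESHOLD:
            findings.append((name, "crypto map on interface with mtu %d" % mtu_of(name)))
        if any(l.startswith("tunnel protection ipsec profile ") for l in lines):
            src = next((l.split(None, 2)[2] for l in lines if l.startswith("tunnel source ")), None)
            phys = src if src in ifaces else (iface_for_ip(src) if src else None)
            if phys and mtu_of(phys) >= MTU_THRESHOLD:
                findings.append((name, "IPsec VTI over %s with mtu %d" % (phys, mtu_of(phys))))
    return findings


def appnav_xe_enabled(config):
    """ESB-2022.1604: True only when all four conditions hold: interception on
    an interface, an AppNav Controller group and a service node group each
    with a member, and an enabled waas service context that links both plus
    a service policy."""
    blocks = parse_blocks(config)
    intercept = any("service-insertion waas" in lines
                    for h, lines in blocks if h.startswith("interface "))
    acgs = {h.split()[2] for h, lines in blocks
            if h.startswith("service-insertion appnav-controller-group ")
            and any(l.startswith("appnav-controller ") for l in lines)}
    sngs = {h.split()[2] for h, lines in blocks
            if h.startswith("service-insertion service-node-group ")
            and any(l.startswith("service-node ") for l in lines)}
    for h, lines in blocks:
        if not h.startswith("service-insertion service-context waas/"):
            continue
        links = dict(l.split(None, 1) for l in lines if " " in l)
        if (intercept and "enable" in lines
                and links.get("appnav-controller-group") in acgs
                and links.get("service-node-group") in sngs
                and "service-policy" in links):
            return True
    return False


# Constructed sample configs (names and addresses adapted from the advisories' examples).
IPSEC_CONFIG = """\
interface GigabitEthernet0/0/0
 ip address 192.0.2.1 255.255.255.0
 mtu 1800
 crypto map map-group1
interface Tunnel1
 tunnel source GigabitEthernet0/0/0
 tunnel protection ipsec profile vti-1
interface GigabitEthernet0/0/1
 mtu 9000
"""
IPSEC_CONFIG_WORKAROUND = IPSEC_CONFIG.replace("mtu 1800", "mtu 1750")  # the advisory's workaround

APPNAV_CONFIG = """\
interface GigabitEthernet1
 service-insertion waas
interface GigabitEthernet2
service-insertion service-node-group WNG-Default-1
 service-node 192.168.100.102
 service-node 192.168.100.2
service-insertion appnav-controller-group scg
 appnav-controller 192.168.10.10
service-insertion service-context waas/1
 appnav-controller-group scg
 service-node-group WNG-Default-1
 service-policy APPNAV-1-PMAP
 vrf default
 enable
"""
APPNAV_CONFIG_NO_INTERCEPT = APPNAV_CONFIG.replace(" service-insertion waas\n", "")

if __name__ == "__main__":
    print(ipsec_mtu_findings(IPSEC_CONFIG))             # two findings: crypto map and VTI
    print(ipsec_mtu_findings(IPSEC_CONFIG_WORKAROUND))  # [] once the MTU is below 1800
    print(appnav_xe_enabled(APPNAV_CONFIG))             # True
    print(appnav_xe_enabled(APPNAV_CONFIG_NO_INTERCEPT))  # False: no interception interface
```

The second IPsec sample shows why the advisory's workaround is sufficient on its own: with the encrypting interface back at 1750 bytes, neither the crypto-map interface nor the VTI riding on it is reported, while the 9000-byte interface that carries no IPsec configuration is never a finding in the first place. For AppNav-XE, dropping any one of the four conditions (the interception line, the `enable`, or a group member) makes the check return False, which mirrors the advisory's requirement that all of them be true.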
    Customers with service contracts that entitle them to regular software
    updates should obtain security fixes through their usual update
    channels.

    Customers may only install and expect support for software versions and
    feature sets for which they have purchased a license. By installing,
    downloading, accessing, or otherwise using such software upgrades,
    customers agree to follow the terms of the Cisco software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a
    valid license, procured from Cisco directly, or through a Cisco
    authorized reseller or partner. In most cases this will be a maintenance
    upgrade to software that was previously purchased. Free security software
    updates do not entitle customers to a new software license, additional
    software feature sets, or major revision upgrades.

    The Cisco Support and Downloads page on Cisco.com provides information
    about licensing and downloads. This page can also display customer device
    support coverage for customers who use the My Devices tool.

    When considering software upgrades, customers are advised to regularly
    consult the advisories for Cisco products, which are available from the
    Cisco Security Advisories page, to determine exposure and a complete
    upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded
    contain sufficient memory and confirm that current hardware and software
    configurations will continue to be supported properly by the new
    release. If the information is not clear, customers are advised to
    contact the Cisco Technical Assistance Center (TAC) or their contracted
    maintenance providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco
    service contract and customers who make purchases through third-party
    vendors but are unsuccessful in obtaining fixed software through their
    point of sale should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be
    prepared to provide the URL of this advisory as evidence of entitlement
    to a free upgrade.

    Cisco IOS and IOS XE Software

    To help customers determine their exposure to vulnerabilities in Cisco
    IOS and IOS XE Software, Cisco provides the Cisco Software Checker to
    identify any Cisco Security Advisories that impact a specific software
    release and the earliest release that fixes the vulnerabilities
    described in each advisory ("First Fixed"). If applicable, the tool also
    returns the earliest release that fixes all the vulnerabilities
    described in all the advisories identified ("Combined First Fixed").

    Customers can use the Cisco Software Checker to search advisories in the
    following ways:

      - Choose the software and one or more releases
      - Upload a .txt file that includes a list of specific releases
      - Enter the output of the show version command

    After initiating a search, customers can customize the search to include
    all Cisco Security Advisories, a specific advisory, or all advisories in
    the most recent bundled publication.

    By default, the Cisco Software Checker includes results only for
    vulnerabilities that have a Critical or High Security Impact Rating
    (SIR). To include results for Medium SIR vulnerabilities, customers can
    use the Cisco Software Checker on Cisco.com and check the Medium check
    box in the drop-down list under Impact Rating when customizing a search.

Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of
    any public announcements or malicious use of the vulnerability that is
    described in this advisory.

Source

  o This vulnerability was found during the resolution of a Cisco TAC support
    case.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and
    publications, see the Security Vulnerability Policy. This document also
    contains instructions for obtaining fixed software and receiving
    security vulnerability information from Cisco.

Related to This Advisory

  o Cisco Event Response: April 2022 Semiannual Cisco IOS and IOS XE Software
    Security Advisory Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-appnav-xe-dos-j5MXTR4

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  | Description               | Section  | Status | Date         |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2022-APR-13  |
    +----------+---------------------------+----------+--------+--------------+

- --------------------------END INCLUDED TEXT--------------------

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBYldh4uNLKJtyKPYoAQizIw//SsUnvnwAyaqnWiA/2LY3rjJT6cwiQrcy
KIrNeFDoggp5NUH2NVuF3GbKXi8OiJFHIO80kCIwU2EmeIX0QFXBzojmkDleTOj8
rm6q+eG5ueonQlgyXgatoRnHmvUCR17I7tiH6UJvooXSHng+U3wVcv+7IJR1pvOo
eaHwFchh7zLpb3GV205NxXlzBMdDvvibTDPu6H81du32zNLjOFmlAJVdm9tpTBUU
FRphoCiMUyAP9WiFucOu1UiMCyMeAIAjfZOxZ5vQs6HideVS4VG60uTw/7QmK6kO
CLfYdTFkId2eKzMsdCI8XNPgajtbaAPuqTHjKZXIALSYGkFpglDPEsgupCWHRdjR
21xHTzMu5ymZ7RKACXIRGlNTz0al0sGZn+zx5xzCXM4wIijtwTUN7zIjlbnmT002
873wrOyf6rUQ50tvJdutkwYdnXp7Lzgn7xyqOh2fpON3attYqAn+GIN2HvcgcaLC
Bjn+OR2qfHwsMIX5a57gAF25NAEWgINZAjSHseg0yqp50yh3AURCjh9GCeMX+Onc
RUM5h7kLsbW1n14gAvM5DW6mHtQRYmZNLJO0f8Xz4/KOgQc70sV/Q6HXzut3QW9c
mh8TB6S/4nMQgEV2KEJWnxqbLWMnYG0VkeCnAlm3MnY16LUPV3c2Abc40RmIZffh
LXO02Pqeft8=
=E4+n
-----END PGP SIGNATURE-----
14 April 2022

ESB-2022.1603 - [Cisco] Cisco Embedded Wireless Controller: CVSS (Max): 8.6

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.1603
   Cisco Embedded Wireless Controller with Catalyst Access Points IP Flood
                     Denial of Service Vulnerability
                               14 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Embedded Wireless Controller
Publisher:         Cisco Systems
Operating System:  Cisco
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-20622

Original Bulletin:
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ap-ip-flood-dos-6hxxENVQ

Comment: CVSS (Max):  8.6 CVE-2022-20622 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
         CVSS Source: Cisco Systems
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco Embedded Wireless Controller with Catalyst Access Points IP Flood Denial of Service Vulnerability

Priority:        High
Advisory ID:     cisco-sa-ap-ip-flood-dos-6hxxENVQ
First Published: 2022 April 13 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvx88847
CVE Names:       CVE-2022-20622
CWEs:            CWE-770

Summary

  o A vulnerability in IP ingress packet processing of the Cisco Embedded Wireless Controller with Catalyst Access Points Software could allow an unauthenticated, remote attacker to cause the device to reload unexpectedly, causing a denial of service (DoS) condition. The device may experience a performance degradation in traffic processing or high CPU usage prior to the unexpected reload.

    This vulnerability is due to improper rate limiting of IP packets to the management interface. An attacker could exploit this vulnerability by sending a steady stream of IP traffic at a high rate to the management interface of the affected device.
    A successful exploit could allow the attacker to cause the device to reload.

    Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ap-ip-flood-dos-6hxxENVQ

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco devices if they are running a vulnerable release of Cisco Embedded Wireless Controller with Catalyst Access Points Software.

    Note: To be vulnerable, devices must have the default configuration.

    For information about which Cisco software releases are vulnerable, see the Fixed Software section of this advisory.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory are known to be affected by this vulnerability.

    Cisco has confirmed that this vulnerability does not affect the following Cisco products:

      - Catalyst 9800 Embedded Wireless Controller for Catalyst 9300, 9400, and 9500 Series Switches
      - IOS Software
      - IOS XE Software
      - IOS XR Software
      - Meraki products
      - NX-OS Software
      - Wireless LAN Controller (WLC) AireOS Software

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability described in this advisory. Customers with service contracts that entitle them to regular software updates should obtain security fixes through their usual update channels.

    Customers may only install and expect support for software versions and feature sets for which they have purchased a license.
    By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.

    The Cisco Support and Downloads page on Cisco.com provides information about licensing and downloads. This page can also display customer device support coverage for customers who use the My Devices tool.

    When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.
    Fixed Releases

    The process to upgrade an access point (AP) requires administrators to upgrade the wireless controller to which the AP is registered. Customers are advised to upgrade to an appropriate fixed software release as indicated in the following table(s):

      Cisco Embedded Wireless Controller with Catalyst
      Access Points Software Release                    First Fixed Release
      ------------------------------------------------  ---------------------------
      16.12 and earlier                                 Not affected.
      17.2                                              Not affected.
      17.3                                              17.3.4
      17.4                                              Migrate to a fixed release.
      17.5                                              Migrate to a fixed release.
      17.6                                              17.6.1

    The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory.

Exploitation and Public Announcements

  o The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

Source

  o This vulnerability was found by Miroslav Popovic of Cisco during internal security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-ap-ip-flood-dos-6hxxENVQ

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  | Description               | Section  | Status | Date         |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2022-APR-13  |
    +----------+---------------------------+----------+--------+--------------+

- --------------------------END INCLUDED TEXT--------------------
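The fixed-release table for CVE-2022-20622 above is only useful once it is applied to the releases actually running in a fleet, and Cisco release strings do not sort as plain text (17.3.10 is newer than 17.3.4, and 17.3.4a is a rebuild of 17.3.4). The following is an added example, not Cisco's code or the Cisco Software Checker: it encodes the advisory's table for Cisco Embedded Wireless Controller with Catalyst Access Points Software and judges a running release against it. The release-string format it parses ("17.3.2", "17.3.4a") is an assumption about how an operator records versions, not something the advisory specifies.

```python
"""Exposure check for CVE-2022-20622 against the advisory's fixed-release table.

Added example, not Cisco tooling. FIXED_RELEASES is the table from the
advisory; the release-string format accepted by parse_release() is an
assumption of this example.
"""
import re
from typing import Tuple

NOT_AFFECTED = "Not affected."
MIGRATE = "Migrate to a fixed release."

# Release train -> first fixed release, or the advisory's verbatim advice.
FIXED_RELEASES = {
    "16.12": NOT_AFFECTED,  # "16.12 and earlier"; older trains handled in exposure()
    "17.2": NOT_AFFECTED,
    "17.3": "17.3.4",
    "17.4": MIGRATE,
    "17.5": MIGRATE,
    "17.6": "17.6.1",
}

# major.minor[.maintenance][rebuild letter], e.g. 17.3.4a (assumed input format)
_RELEASE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?([a-z])?$")


def parse_release(rel: str) -> Tuple[int, int, int, str]:
    """Split a release string into a tuple that sorts in release order."""
    m = _RELEASE.match(rel.strip())
    if not m:
        raise ValueError(f"unrecognised release string: {rel!r}")
    major, minor, maint, rebuild = m.groups()
    # A missing rebuild letter ("") sorts before "a", so 17.3.4 < 17.3.4a.
    return int(major), int(minor), int(maint or 0), rebuild or ""


def exposure(rel: str) -> Tuple[str, str]:
    """Return (status, advice) for a running release.

    status is one of 'not_affected', 'affected', 'fixed', 'unknown'.
    """
    parsed = parse_release(rel)
    train = f"{parsed[0]}.{parsed[1]}"
    entry = FIXED_RELEASES.get(train)
    if entry is None:
        # Trains below 16.12 fall under "16.12 and earlier"; trains the table
        # does not list at all cannot be judged from this advisory alone.
        if parsed[:2] < (16, 12):
            return "not_affected", NOT_AFFECTED
        return "unknown", "Train not listed in the advisory; use the Cisco Software Checker."
    if entry == NOT_AFFECTED:
        return "not_affected", entry
    if entry == MIGRATE:
        return "affected", entry
    # Within a listed train, anything at or above the first fixed release is fixed.
    if parsed >= parse_release(entry):
        return "fixed", f"At or above first fixed release {entry}."
    return "affected", f"Upgrade to {entry} or later."


if __name__ == "__main__":
    for rel in ("16.12.4", "17.3.2", "17.3.4a", "17.4.1", "17.6.1", "17.7.1"):
        print(rel, *exposure(rel))
```

The 'unknown' result is deliberate: the table says nothing about trains after 17.6, and the advisory itself directs customers to the Cisco Software Checker for releases it does not enumerate, so the script refuses to guess rather than silently marking them safe.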
=========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBYldh1uNLKJtyKPYoAQjj7A/9EpVRy8zOcc4xauJykUTN2JTSwg3JmGAf n6h1eECsrWf7Q2z8k5EAw0cx6WldZpeizMQ9ZX4M5Mu5LdlmPyYX9Hl7uyOSbLbd pMkL0Qi5yJXhD5TnnCrBNkSWaX9nwOFRZ+eXhGJRQSiF2SeOccGui5Iml9CecCfw ves3mTDzv4gz9r7plLz8lSUVHZrR313iu5x5ibfnfVr4+mLXjRmF2Z5+krVz4For 6fdFPinX9/WNU6j8XwL2KEQNyho9xnWu4SoqwZfnoXcvYpmQ7tZqa0e0BdZrQOro TCAHygacC2GrAJavDDZXlhOlC4NqoTrrBlpV5dZrJPWVmA8iY0fLYRcQYBcHdOfn kC8Dn1wt4t9MRVAFJCdLy2njqVNf4Fi87KCWt3kEmj6bUAvW5mHOhIGg6tVU6O/P jftVwbGhyWqpyQNTmyR7Refooc6+Q8UczBKhgCZAvBSSG38yEvvPJPvUwO7ze4lP M7BUciLK88GJUMMeyqcAAcHx7jtZsOGeU6oxmazsWajD0h4F0kr9U0o6bfbBOdya lcR8jVfUcogI8ODA5gNZDktsmaZTOJHEXX+/c3rsF6ID8pRhAdoBH5nl1gU5LWFG 2CFofJ5NsTynsPMBlz3cXB9D9EwymWsQCTO/FpD80Ux3l02O1OjPAP3KSl38eeGv 0Ryvb5Gg84s= =0D2H -----END PGP SIGNATURE-----
14 April 2022

ESB-2022.1602 - [Cisco] Cisco Catalyst products: CVSS (Max): 6.8

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.1602
     Cisco Catalyst Digital Building Series Switches and Cisco Catalyst
                        Micro Switches Vulnerabilities
                               14 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco Catalyst Digital Building Series Switches
                   Cisco Catalyst Micro Switches
Publisher:         Cisco Systems
Operating System:  Cisco
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-20731 CVE-2022-20661

Original Bulletin:
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cdb-cmicr-vulns-KJjFtNb

Comment: CVSS (Max):  6.8 CVE-2022-20731 (CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: Cisco Systems
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco Catalyst Digital Building Series Switches and Cisco Catalyst Micro Switches Vulnerabilities

Priority:        High
Advisory ID:     cisco-sa-cdb-cmicr-vulns-KJjFtNb
First Published: 2022 April 13 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvz02634 CSCvz30892 CSCvz34674 CSCvz42624 CSCvz57636
CVE Names:       CVE-2022-20661 CVE-2022-20731
CWEs:            CWE-1221 CWE-489

Summary

  o Multiple vulnerabilities that affect Cisco Catalyst Digital Building Series Switches and Cisco Catalyst Micro Switches could allow an attacker to execute persistent code at boot time or to permanently prevent the device from booting, resulting in a permanent denial of service (DoS) condition.

    For more information about these vulnerabilities, see the Details section of this advisory.

    Cisco has released software updates that address these vulnerabilities. There are no workarounds that address these vulnerabilities.
    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cdb-cmicr-vulns-KJjFtNb

Affected Products

  o Vulnerable Products

    These vulnerabilities affect the following Cisco products if they are running a release of Cisco IOS Software that contains Cisco Boot Loader Version 15.2(7r)E2:

      - Catalyst Digital Building Series Switches with product identifiers (PIDs) CDB-8P and CDB-8U (CVE-2022-20661 and CVE-2022-20731)
      - Catalyst Micro Switches with PIDs CMICR-4PS and CMICR-4PC (CVE-2022-20661)

    For information about which Cisco IOS Software releases contain the fixed boot loader, see the Fixed Software section of this advisory.

    Determine the Boot Loader Version

    To determine the boot loader version, use the show version | include BOOTLDR command on the device CLI.

    Cisco Catalyst Digital Building Series Switches

    The following example shows the output of the show version | include BOOTLDR command on a Cisco Catalyst Digital Building Series Switch that is running Cisco Boot Loader Version 15.2(7r)E2:

      cdb> show version | include BOOTLDR
      BOOTLDR: CDB Boot Loader (CDB-HBOOT-M) Version 15.2(7r)E2, RELEASE SOFTWARE (fc2)

    Any other output indicates that the device is not affected by these vulnerabilities.

    Cisco Catalyst Micro Switches

    The following example shows the output of the show version | include BOOTLDR command on a Cisco Catalyst Micro Switch that is running Cisco Boot Loader Version 15.2(7r)E2:

      cmicr> show version | include BOOTLDR
      BOOTLDR: CMICR Boot Loader (CMICR-HBOOT-M) Version 15.2(7r)E2, RELEASE SOFTWARE (fc2)

    Any other output indicates that the device is not affected by these vulnerabilities.

    Products Confirmed Not Vulnerable

    Only products listed in the Vulnerable Products section of this advisory are known to be affected by these vulnerabilities.
    Cisco has confirmed that these vulnerabilities do not affect the following Cisco products:

      - Catalyst Micro Switch with PID CMICR-4PT
      - IOS XE Software
      - IOS XR Software
      - Meraki products
      - NX-OS Software

Details

  o The vulnerabilities are not dependent on one another. Exploitation of one of the vulnerabilities is not required to exploit the other vulnerability. In addition, a software release that is affected by one of the vulnerabilities may not be affected by the other vulnerability.

    Details about the vulnerabilities are as follows:

    CVE-2022-20731: Cisco Catalyst Digital Building Series Switches Boot Loader Arbitrary Code Execution Vulnerability

    A vulnerability in the boot loader of Cisco Catalyst Digital Building Series Switches could allow an authenticated, local attacker with level 15 privileges or an unauthenticated attacker with physical access to an affected device to execute persistent code at boot time and break the chain of trust.

    This vulnerability exists because Secure Boot is not properly enabled. An attacker could exploit this vulnerability by loading unsigned code. A successful exploit could allow the attacker to execute persistent code on the underlying operating system.

    Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

    Bug ID(s): CSCvz34674
    CVE ID: CVE-2022-20731
    Security Impact Rating (SIR): High
    CVSS Base Score: 6.8
    CVSS Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

    CVE-2022-20661: Cisco Catalyst Digital Building Series Switches and Cisco Catalyst Micro Switches Permanent Denial of Service Vulnerability

    A vulnerability in the boot loader of Cisco Catalyst Digital Building Series Switches and Cisco Catalyst Micro Switches could allow an unauthenticated attacker with physical access to an affected device to permanently prevent the device from booting, resulting in a permanent denial of service (DoS) condition.
    This vulnerability exists because the affected devices have an internal Cisco development boot loader that includes capabilities beyond those present in a normal boot loader. An attacker with physical access to an affected device could exploit this vulnerability by causing the device to reboot, breaking into the ROM monitor (ROMMON) during the boot cycle, and then executing specific commands at the ROMMON prompt. A successful exploit could allow the attacker to irrecoverably corrupt the boot ROM in such a way that the device will be unable to boot correctly during the next boot cycle. The device will continue to operate normally until it is reloaded or power-cycled.

    Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

    Bug ID(s): CSCvz02634, CSCvz30892, CSCvz42624, CSCvz57636
    CVE ID: CVE-2022-20661
    Security Impact Rating (SIR): Medium
    CVSS Base Score: 4.6
    CVSS Vector: CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Workarounds

  o There are no workarounds that address these vulnerabilities.

Fixed Software

  o Cisco has released free software updates that address the vulnerabilities described in this advisory. Customers with service contracts that entitle them to regular software updates should obtain security fixes through their usual update channels.

    Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased.
    Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.

    The Cisco Support and Downloads page on Cisco.com provides information about licensing and downloads. This page can also display customer device support coverage for customers who use the My Devices tool.

    When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.

    Fixed Releases

    In the following table(s), the left column lists Cisco software releases. The right column indicates whether a release is affected by the vulnerabilities described in this advisory and the first release that includes the fix for these vulnerabilities. Customers are advised to upgrade to an appropriate fixed software release as indicated in this section.
    Catalyst Digital Building Series Switches (CVE-2022-20661 and CVE-2022-20731)

      Cisco IOS Software Release    First Fixed Release
      ----------------------------  ---------------------------
      15.2(5)EX                     Migrate to a fixed release.
      15.2(7)E and earlier          15.2(7)E5

    Catalyst Micro Switches (CVE-2022-20661)

      Cisco IOS Software Release    First Fixed Release
      ----------------------------  ---------------------------
      15.2(7)E and earlier          15.2(7)E5
      15.2(8)E                      15.2(8)E1

    The Cisco Product Security Incident Response Team (PSIRT) validates only the affected and fixed release information that is documented in this advisory.

Exploitation and Public Announcements

  o The Cisco PSIRT is not aware of any public announcements or malicious use of the vulnerabilities that are described in this advisory.

Source

  o These vulnerabilities were found during internal security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cdb-cmicr-vulns-KJjFtNb

Revision History

  o +----------+---------------------------+----------+--------+--------------+
    | Version  | Description               | Section  | Status | Date         |
    +----------+---------------------------+----------+--------+--------------+
    | 1.0      | Initial public release.   | -        | Final  | 2022-APR-13  |
    +----------+---------------------------+----------+--------+--------------+

- --------------------------END INCLUDED TEXT--------------------
=========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBYldhyeNLKJtyKPYoAQg4Cw//Wnl8EeNCdwmLO2AWdQt+Te7FcVN2y3Ek tVubgXe27fu65y9R1neCaj8Da14M3FSZIktKTSrHnyKd2tap7zETv/f9BEDXokfa PhMA9U8nyCmpHhjY/Bx/N+TFtgEKEuT6A0QyNzO1XCuENE5cV/5vDlV3UfArMkO5 cs/4jkrGyGATHJ5DnJTy68Pkckrd1jw2S4Gs/ulpxWBs2+MASRzF7yWayP3MsVuU AucGzfsKP2UDzHVndafntm5BWAR971nl21di/pHaSm/LUmt9e/zo8dPRDM7Qxdxp ZfWDZYlLIllO8UT1uLPSB+3xcc31eDwc3lL8c1R4dKeVwEOgf7nJ0CldOGblGNYi JG+wza2QmYAdcCJ6hNPLCPGANLE7USjleb5DINIhN26tIzv59y1HY8ncjPqXck63 4N8QGya50J0GZhlDDobWyxd5OSr6a67qgl9obwknkuYv4sVRFanZLhsKnX48HTWE sIWyK9MOwEDRHQ1x2Xks6xOsoXA30iqBUAw0ZPllBinnMqomut1JeMFio1aefiHP ydS6Fb66ezIiGjekgIhVocd3uQ6u4o51jNe06UxGjDrlm7HhF8eHqtOV/lhxWb7X 5K+w+V3oOGqbd6d8yc6fq0nCP4wI/AmukQWIL+C/yW/VDCCgmbTmhGcS0v4DIYOO 7fYGbaIPPYY= =aWEK -----END PGP SIGNATURE-----
14 April 2022

ESB-2022.1601 - [Cisco] Cisco 1000 Series Connected Grid Router: CVSS (Max): 7.4

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.1601
      Cisco 1000 Series Connected Grid Router Integrated Wireless Access
                   Point Denial of Service Vulnerability
                               14 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Cisco 1000 Series Connected Grid Router
Publisher:         Cisco Systems
Operating System:  Cisco
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-20761

Original Bulletin:
   https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cgr1k-ap-dos-mSZR4QVh

Comment: CVSS (Max):  7.4 CVE-2022-20761 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
         CVSS Source: Cisco Systems
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

Cisco 1000 Series Connected Grid Router Integrated Wireless Access Point Denial of Service Vulnerability

Priority:        High
Advisory ID:     cisco-sa-cgr1k-ap-dos-mSZR4QVh
First Published: 2022 April 13 16:00 GMT
Version 1.0:     Final
Workarounds:     No workarounds available
Cisco Bug IDs:   CSCvy41951
CVE Names:       CVE-2022-20761
CWEs:            CWE-248

Summary

  o A vulnerability in the integrated wireless access point (AP) packet processing of the Cisco 1000 Series Connected Grid Router (CGR1K) could allow an unauthenticated, adjacent attacker to cause a denial of service condition on an affected device.

    This vulnerability is due to insufficient input validation of received traffic. An attacker could exploit this vulnerability by sending crafted traffic to an affected device. A successful exploit could allow the attacker to cause the integrated AP to stop processing traffic, resulting in a DoS condition. It may be necessary to manually reload the CGR1K to restore AP operation.
    Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cgr1k-ap-dos-mSZR4QVh

    This advisory is part of the April 2022 release of the Cisco IOS and IOS XE Software Security Advisory Bundled Publication. For a complete list of the advisories and links to them, see Cisco Event Response: April 2022 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication.

Affected Products

  o Vulnerable Products

    This vulnerability affects Cisco 1000 Series Connected Grid Routers if they are running a vulnerable release of Cisco IOS Software and have the integrated wireless access point enabled.

    For information about which Cisco software releases are vulnerable, see the Fixed Software section of this advisory.

    Determine Whether the Wireless Access Point is Enabled

    To determine whether the integrated wireless access point is enabled, use the show interface | include Dot11Radio command and check the output. The following output shows the integrated wireless access point as enabled (up):

      Router> show interface | include Dot11Radio
      Dot11Radio2/1 is up, line protocol is up
      Router>

    If the output indicates administratively down, the integrated wireless access point is disabled.

    Products Confirmed Not Vulnerable

    Cisco has confirmed that this vulnerability does not affect the following Cisco products:

      - IOS Software on non-CGR1K platforms
      - IOS XE Software
      - IOS XR Software
      - NX-OS Software

Workarounds

  o There are no workarounds that address this vulnerability.

Fixed Software

  o Cisco has released free software updates that address the vulnerability described in this advisory. Customers with service contracts that entitle them to regular software updates should obtain security fixes through their usual update channels.
    Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:
    https://www.cisco.com/c/en/us/products/end-user-license-agreement.html

    Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.

    The Cisco Support and Downloads page on Cisco.com provides information about licensing and downloads. This page can also display customer device support coverage for customers who use the My Devices tool.

    When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories page, to determine exposure and a complete upgrade solution.

    In all cases, customers should ensure that the devices to be upgraded contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.
    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC:
    https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html

    Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.

    Cisco IOS and IOS XE Software

    To help customers determine their exposure to vulnerabilities in Cisco IOS and IOS XE Software, Cisco provides the Cisco Software Checker to identify any Cisco Security Advisories that impact a specific software release and the earliest release that fixes the vulnerabilities described in each advisory ("First Fixed"). If applicable, the tool also returns the earliest release that fixes all the vulnerabilities described in all the advisories identified ("Combined First Fixed").

    Customers can use the Cisco Software Checker to search advisories in the following ways:

      - Choose the software and one or more releases
      - Upload a .txt file that includes a list of specific releases
      - Enter the output of the show version command

    After initiating a search, customers can customize the search to include all Cisco Security Advisories, a specific advisory, or all advisories in the most recent bundled publication.

    By default, the Cisco Software Checker includes results only for vulnerabilities that have a Critical or High Security Impact Rating (SIR). To include results for Medium SIR vulnerabilities, customers can use the Cisco Software Checker on Cisco.com and check the Medium check box in the drop-down list under Impact Rating when customizing a search.
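Two of the advisories above give a CLI check that decides exposure from one line of output: the boot loader check for the Catalyst Digital Building and Catalyst Micro switches (show version | include BOOTLDR, affected only at Boot Loader Version 15.2(7r)E2 on the listed PIDs) and the integrated-AP check for the CGR1K (show interface | include Dot11Radio, disabled only when the radio is administratively down). When such output is collected from many devices, the decision is worth making in code rather than by eye. The following is an added example, not Cisco tooling: it parses the output formats quoted in the advisories. The sample outputs are constructed from the lines the advisories show, and passing the product ID (taken from show inventory) as a separate argument is an assumption of this example, needed because CMICR-4PT is confirmed not vulnerable even though it is a Catalyst Micro switch.

```python
"""Exposure checks from captured CLI output for CVE-2022-20661 / CVE-2022-20731
(CDB and CMICR boot loader) and CVE-2022-20761 (CGR1K integrated AP).

Added example, not Cisco tooling. Output formats are taken from the lines
quoted in the advisories; sample strings below are constructed.
"""
import re
from typing import Optional, Tuple

AFFECTED_BOOTLDR = "15.2(7r)E2"
# Boot loader image name (as shown in the BOOTLDR line) -> affected PIDs.
# CMICR-4PT is explicitly confirmed not vulnerable, so it is not listed.
AFFECTED_PIDS = {
    "CDB-HBOOT-M": {"CDB-8P", "CDB-8U"},
    "CMICR-HBOOT-M": {"CMICR-4PS", "CMICR-4PC"},
}

# "BOOTLDR: CDB Boot Loader (CDB-HBOOT-M) Version 15.2(7r)E2, RELEASE SOFTWARE (fc2)"
_BOOTLDR = re.compile(
    r"^BOOTLDR:\s+.*?\((?P<image>[A-Z0-9-]+)\)\s+Version\s+(?P<version>[^,\s]+)",
    re.M,
)
# "Dot11Radio2/1 is up, line protocol is up"
_DOT11 = re.compile(
    r"^(?P<ifname>Dot11Radio\S+) is (?P<state>administratively down|up|down)",
    re.M,
)


def bootldr_exposure(show_version: str, pid: str) -> Tuple[bool, str]:
    """Return (affected, reason) from 'show version | include BOOTLDR' output
    plus the device PID. Per the advisory, anything other than the affected
    boot loader version on a listed PID is not affected."""
    m = _BOOTLDR.search(show_version)
    if not m:
        return False, "no BOOTLDR line found; not affected per advisory"
    image, version = m.group("image"), m.group("version")
    if version != AFFECTED_BOOTLDR:
        return False, f"boot loader {version} is not {AFFECTED_BOOTLDR}"
    if pid not in AFFECTED_PIDS.get(image, set()):
        return False, f"PID {pid} with image {image} is not listed as affected"
    return True, f"{pid} runs boot loader {AFFECTED_BOOTLDR}; upgrade per fixed-release table"


def ap_enabled(show_interface: str) -> Optional[bool]:
    """From 'show interface | include Dot11Radio' output, return True if any
    integrated AP radio is enabled (any state other than administratively
    down), False if every radio is administratively down, and None if no
    Dot11Radio interface appears at all."""
    states = [m.group("state") for m in _DOT11.finditer(show_interface)]
    if not states:
        return None
    return any(s != "administratively down" for s in states)


# Constructed samples, built from the output lines quoted in the advisories.
SAMPLE_CDB = (
    "cdb> show version | include BOOTLDR\n"
    "BOOTLDR: CDB Boot Loader (CDB-HBOOT-M) Version 15.2(7r)E2, RELEASE SOFTWARE (fc2)\n"
)
SAMPLE_CMICR = (
    "cmicr> show version | include BOOTLDR\n"
    "BOOTLDR: CMICR Boot Loader (CMICR-HBOOT-M) Version 15.2(7r)E2, RELEASE SOFTWARE (fc2)\n"
)
SAMPLE_AP_UP = (
    "Router> show interface | include Dot11Radio\n"
    "Dot11Radio2/1 is up, line protocol is up\n"
)
SAMPLE_AP_DISABLED = "Dot11Radio2/1 is administratively down, line protocol is down\n"

if __name__ == "__main__":
    print(bootldr_exposure(SAMPLE_CDB, "CDB-8P"))
    print(bootldr_exposure(SAMPLE_CMICR, "CMICR-4PT"))
    print(ap_enabled(SAMPLE_AP_UP), ap_enabled(SAMPLE_AP_DISABLED))
```

Note that a radio reported as plain "down" (not "administratively down") is still treated as enabled: the advisory ties exposure to the AP being enabled in configuration, and only "administratively down" indicates that it is disabled.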
Exploitation and Public Announcements

  o The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements or malicious use of the vulnerability that is described in this advisory.

Source

  o This vulnerability was found by Burt Welsh of Cisco during internal security testing.

Cisco Security Vulnerability Policy

  o To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

Related to This Advisory

  o Cisco Event Response: April 2022 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication

URL

  o https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cgr1k-ap-dos-mSZR4QVh

Revision History

  +----------+---------------------------+----------+--------+--------------+
  | Version  | Description               | Section  | Status | Date         |
  +----------+---------------------------+----------+--------+--------------+
  | 1.0      | Initial public release.   | -        | Final  | 2022-APR-13  |
  +----------+---------------------------+----------+--------+--------------+

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content.
The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. 
=========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBYldhtuNLKJtyKPYoAQhwiw//R9PgN+mBSCMZ1I80mc8mUsyOUuPCkY5s 4MrnuNH1ZTBX4+RcaAT+40rwrSRcA4k27kMmCTfgDwFB06u63XZan8Jt7mB3HYMq ijmqF9DTXckjHjb4nzG5jS1ZAPr6GonK2LVaaatSbfkdJlEqy9M83nmvphUh3C8a c4mKnqmpqj11M3xiiXLNsCW02FSx+0/Zo9KaKZsvmSSDJtpRhZdWCeerOiS+McK6 Z9wTEHsOrGnfPlJfFoCsAJTBaUAZ5basyaz2OIAnua8qgjy7KnxqC/giPTO6qFqc iTf5PkmXZ6jasa+Nfj9XREI2x+iFXV+U0vvPAyW9rc88mKNi1/5YmVbO5ofQHmZO i4gdI084PnyliYap7DZN5zpMCIX0qwFCAZU7oIXR1T5CJQMR0iIUW36LLc3Yq9gW K+CDJQYkqHYDFoKHY7uY/MeZ/3jMLn45gQ3tka7+o5uVOT123ZGuO/u5whmrIOVO SdO+s4V9TV3s8Szkd5ljQ4fC8cKOw0cfGQ0oUONf6A1Pw0/JmXCIJ9qoR4IOCGxl qpDAevLLblGp37oBxSlfnfTrka1Iv27eNJ6O/XGgBIfvunVIB06zFhrlITcXLyCY JRULVPoLKAAv4t47ncZnfCgfJ7K9CjwfpOwpi3rPmNcvuhBbR+JJAkCUl6+OwdVP mGnr1y9ak1M= =5h4T -----END PGP SIGNATURE-----
14 April 2022

ASB-2022.0086.3 - UPDATE [Win][UNIX/Linux] Nginx Zero-Day:

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
===========================================================================
AUSCERT Security Bulletin ASB-2022.0086.3
NGINX Zero-Day
14 April 2022
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------
Product: Nginx Zero-Day
Operating System: UNIX variants (UNIX, Linux, OSX), Windows
Resolution: Mitigation
Revision History:
  April 14 2022: Re-formatting
  April 13 2022: Formatting
  April 13 2022: Initial Release

OVERVIEW

A zero-day vulnerability in the Nginx web server, said to allow remote code execution on a vulnerable system, has been claimed by a hacktivist group called "Against the West".[3] NGINX confirmed security vulnerabilities in the NGINX LDAP reference implementation only: "NGINX Open Source and NGINX Plus are not themselves affected, and no corrective action is necessary if you do not use the reference implementation."[1]

NGINX noted in its advisory that the code is published as a reference implementation and is not a production-grade LDAP solution. "For example, there is no encryption of the username and password used for the sample login page, and security notices call this out."[3]

The group says it has reported its findings to the NGINX team and is seeking a reward, but also claims to have been offered significant sums for the exploit by other interested parties.[4]

IMPACT

NGINX determined that only the reference implementation is affected, and only under specific conditions. "When configuration parameters are specified on the command line, an attacker can override some or all of them by passing specially crafted HTTP request headers."[1]

The conditions for exploitation are[1]:

  1. Command-line parameters are used to configure the Python daemon
  2. There are unused, optional configuration parameters
  3. LDAP authentication depends on specific group membership

MITIGATION

NGINX suggested the following mitigations:

Mitigating Condition 1: Command-Line Parameters Are Used to Configure the Python Daemon

When configuration parameters are specified on the command line, an attacker can override some or all of them by passing specially crafted HTTP request headers. To protect against this, ensure that the corresponding configuration parameters have an empty value in the location = /auth-proxy block in the NGINX configuration (nginx-ldap-auth.conf in the repo).[1]

Mitigating Condition 2: Unused, Optional Configuration Parameters

As in Condition 1, an attacker can pass specially crafted HTTP request headers to override certain configuration parameters, depending on the configuration used for the LDAP search template. To protect against this, ensure that any unused, optional parameters have an empty value in the location = /auth-proxy block in the NGINX configuration.[1]

Mitigating Condition 3: LDAP Group Membership Is Required

The Python daemon does not sanitize its inputs. To mitigate this, ensure that the backend daemon that presents the login form strips any special characters from the username field. In particular, it must remove the opening and closing parenthesis characters, ( and ), and the equal sign (=), which all have special meaning for LDAP servers. The backend daemon in the LDAP reference implementation will be updated in this way in due course.[1]

REFERENCES

[1] Addressing Security Weaknesses in the NGINX LDAP Reference Implementation
    https://www.nginx.com/blog/addressing-security-weaknesses-nginx-ldap-reference-implementation/
[2] Nginx Zero-Day RCE Vulnerability Alert
    https://securityonline.info/nginx-zero-day-rce-vulnerability-alert/
[3] Is there a 0day in NGINX? F5 investigates claims, finds LDAP issues
    https://thestack.technology/nginx0-day-claims/
[4] NginxDay
    https://github.com/AgainstTheWest/NginxDay
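The header override and the three mitigations above, as an added example that is not part of this bulletin or of NGINX's reference implementation: a small Python model of how the daemon lets an X-Ldap-* request header override a value given on its command line, how nginx's proxy_set_header either pins or drops such a header before it reaches the daemon, and what stripping versus RFC 4515 escaping does to the LDAP filter built from a username. The header names and default template follow the reference configuration but are treated as assumptions here, and every request, command line and location block below is constructed for the example. The escaping function goes beyond the bulletin's strip-three-characters advice on purpose: a bare '*' left behind by stripping is still an LDAP wildcard.

```python
# Daemon parameter -> request header nginx is expected to set for it (names as
# in the reference configuration; treated as assumptions of this example).
PARAMS = {
    "url": "X-Ldap-URL",
    "basedn": "X-Ldap-BaseDN",
    "template": "X-Ldap-Template",
    "binddn": "X-Ldap-BindDN",
    "bindpass": "X-Ldap-BindPass",
}

# Constructed search template that enforces group membership (condition 3);
# the daemon fills its template with Python %-formatting.
GROUP_TEMPLATE = ("(&(cn=%(username)s)"
                  "(memberOf=cn=nginx-users,ou=groups,dc=example,dc=com))")

# Constructed values given on the daemon's command line (condition 1).
CLI_ARGS = {"url": "ldap://ldap.example.internal", "basedn": "dc=example,dc=com",
            "template": GROUP_TEMPLATE, "binddn": "", "bindpass": ""}

# What an attacker adds to the HTTP request: a template without the group check.
ATTACK_HEADERS = {"X-Ldap-Template": "(cn=%(username)s)"}

# Two location = /auth-proxy blocks reduced to their proxy_set_header directives.
# The weak block leaves X-Ldap-Template and the unused bind parameters
# (condition 2) unset; the hardened block gives every parameter header either a
# value or "" so that nothing from the client reaches the daemon.
WEAK_LOCATION = {"X-Ldap-URL": "ldap://ldap.example.internal",
                 "X-Ldap-BaseDN": "dc=example,dc=com"}
HARDENED_LOCATION = dict(WEAK_LOCATION, **{"X-Ldap-Template": "",
                                           "X-Ldap-BindDN": "",
                                           "X-Ldap-BindPass": ""})


def nginx_forward(client_headers, proxy_set_header):
    """Model of proxy_set_header: a directive with a value replaces the client's
    header, a directive with an empty value drops the header, and a header with
    no directive is passed upstream unchanged. Names are matched exactly here;
    real HTTP header names are case-insensitive."""
    forwarded = dict(client_headers)
    for name, value in proxy_set_header.items():
        if value == "":
            forwarded.pop(name, None)
        else:
            forwarded[name] = value
    return forwarded


def resolve_params(cli_args, forwarded_headers):
    """Model of the daemon's parameter lookup: a non-empty X-Ldap-* header wins
    over the command-line value, which is the override the bulletin describes."""
    resolved = dict(cli_args)
    for key, header in PARAMS.items():
        if forwarded_headers.get(header):
            resolved[key] = forwarded_headers[header]
    return resolved


def effective_config(proxy_set_header, client_headers=ATTACK_HEADERS, cli_args=CLI_ARGS):
    """Configuration the daemon ends up with for one request."""
    return resolve_params(cli_args, nginx_forward(client_headers, proxy_set_header))


def unpinned_headers(proxy_set_header):
    """Audit check for a location block: parameter headers it neither sets nor
    clears, each of which a client can supply (conditions 1 and 2)."""
    return sorted(h for h in PARAMS.values() if h not in proxy_set_header)


def strip_special(username):
    """The bulletin's mitigation for condition 3: drop '(', ')' and '='."""
    return "".join(ch for ch in username if ch not in "()=")


def ldap_filter_escape(value):
    """RFC 4515 escaping of a filter assertion value: backslash, '*', '(', ')'
    and NUL become backslash-hex. Unlike stripping, this also neutralises '*'."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_filter(template, username, sanitizer=lambda u: u):
    """Fill the search template the way the daemon does, after sanitising."""
    return template % {"username": sanitizer(username)}


if __name__ == "__main__":
    print("weak block, template used:    ", effective_config(WEAK_LOCATION)["template"])
    print("hardened block, template used:", effective_config(HARDENED_LOCATION)["template"])
    print("unpinned in weak block:       ", unpinned_headers(WEAK_LOCATION))
    hostile = "alice)(objectClass=*"
    for label, fn in (("raw", lambda u: u), ("stripped", strip_special),
                      ("escaped", ldap_filter_escape)):
        print("%-9s%s" % (label, build_filter(GROUP_TEMPLATE, hostile, fn)))
```

In nginx terms, pinning a header means a directive such as proxy_set_header X-Ldap-Template ""; inside the location = /auth-proxy block, which is the empty value the mitigations for conditions 1 and 2 call for: nginx does not pass a header whose value is an empty string, so the daemon falls back to its command-line value. unpinned_headers() is the check to run against your own block's directives; the filter output shows why escaping, not just stripping, is the safer reading of mitigation 3.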
13 April 2022

ESB-2022.1600 - [Win][UNIX/Linux] Jenkins Plugins: CVSS (Max): 8.0

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2022.1600
Jenkins plugins security advisory
13 April 2022
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------
Product: Jenkins Plugins
Publisher: Jenkins
Operating System: Windows, UNIX variants (UNIX, Linux, OSX)
Resolution: Patch/Upgrade
CVE Names: CVE-2022-29052 CVE-2022-29051 CVE-2022-29050 CVE-2022-29049 CVE-2022-29048 CVE-2022-29047 CVE-2022-29046 CVE-2022-29045 CVE-2022-29044 CVE-2022-29043 CVE-2022-29042 CVE-2022-29041 CVE-2022-29040 CVE-2022-29039 CVE-2022-29038 CVE-2022-29037 CVE-2022-29036 CVE-2017-2601
Original Bulletin: https://www.jenkins.io/security/advisory/2022-04-12/
Comment: CVSS (Max): 8.0 CVE-2022-29049 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
CVSS Source: Jenkins
Calculator: https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

Jenkins Security Advisory 2022-04-12

This advisory announces vulnerabilities in the following Jenkins deliverables:

  o Credentials Plugin
  o CVS Plugin
  o Extended Choice Parameter Plugin
  o Gerrit Trigger Plugin
  o Git Parameter Plugin
  o Google Compute Engine Plugin
  o Jira Plugin
  o Job Generator Plugin
  o Mask Passwords Plugin
  o Node and Label parameter Plugin
  o Pipeline: Shared Groovy Libraries Plugin
  o promoted builds Plugin
  o Publish Over FTP Plugin
  o Subversion Plugin

Descriptions

Stored XSS vulnerabilities in multiple plugins providing additional parameter types
SECURITY-2617 / CVE-2022-29036 (Credentials), CVE-2022-29037 (CVS), CVE-2022-29038 (Extended Choice Parameter), CVE-2022-29039 (Gerrit Trigger), CVE-2022-29040 (Git Parameter), CVE-2022-29041 (Jira), CVE-2022-29042 (Job Generator), CVE-2022-29043 (Mask Passwords), CVE-2022-29044 (Node and Label Parameter), CVE-2022-29045 (promoted builds), CVE-2022-29046 (Subversion)

Multiple plugins do not escape the name and description of the parameter types they provide:

  o Credentials Plugin 1111.v35a_307992395 and earlier (SECURITY-2690 / CVE-2022-29036)
  o CVS Plugin 2.19 and earlier (SECURITY-2700 / CVE-2022-29037)
  o Extended Choice Parameter Plugin 346.vd87693c5a_86c and earlier (SECURITY-2704 / CVE-2022-29038)
  o Gerrit Trigger Plugin 2.35.2 and earlier (SECURITY-2703 / CVE-2022-29039)
  o Git Parameter Plugin 0.9.15 and earlier (SECURITY-2699 / CVE-2022-29040)
  o Jira Plugin 3.7 and earlier (SECURITY-2691 / CVE-2022-29041)
  o Job Generator 1.22 and earlier (SECURITY-2263 / CVE-2022-29042)
  o Mask Passwords Plugin 3.0 and earlier (SECURITY-2701 / CVE-2022-29043)
  o Node and Label parameter Plugin 1.10.3 and earlier (SECURITY-2702 / CVE-2022-29044)
  o promoted builds Plugin 873.v6149db_d64130 and earlier (SECURITY-2692 / CVE-2022-29045)
  o Subversion Plugin 2.15.3 and earlier (SECURITY-2698 / CVE-2022-29046)

This results in stored cross-site scripting (XSS) vulnerabilities exploitable by attackers with Item/Configure permission.

Exploitation of these vulnerabilities requires that parameters are listed on another page, like the "Build With Parameters" and "Parameters" pages provided by Jenkins (core), and that those pages are not hardened to prevent exploitation. Jenkins (core) has prevented exploitation of vulnerabilities of this kind on the "Build With Parameters" and "Parameters" pages since 2.44 and LTS 2.32.2 as part of the SECURITY-353 / CVE-2017-2601 fix. Additionally, the following plugins have been updated to list parameters in a way that prevents exploitation by default:

  o Maven Release Plugin 0.16.3 (SECURITY-2669)
  o Pipeline: Build Step Plugin 2.17 and 2.15.2 (SECURITY-2611)
  o Pipeline: Input Step Plugin 447.v95e5a_6e3502a_ and 2.12.1 (SECURITY-2674)
  o promoted builds Plugin 876.v99d29788b_36b_ and 3.10.1 (SECURITY-2670)
  o Rebuilder Plugin 1.33.1 (SECURITY-2671)
  o Release Plugin 2.14 (SECURITY-2672)

Older releases of these plugins allow exploitation of the vulnerabilities listed above.

As of publication of this advisory, the following plugins have not yet been updated to list parameters in a way that prevents exploitation of these vulnerabilities:

  o Coordinator Plugin (SECURITY-2668)
  o Show Build Parameters Plugin (SECURITY-2325)
  o Unleash Maven Plugin (SECURITY-2673)

These are not vulnerabilities in these plugins. Only plugins defining parameter types can be considered to be vulnerable to this issue.

Note: Some plugins both define parameter types and implement a page listing parameters, so they can appear in multiple lists and may have both a security fix and a security hardening applied.

The following plugins have been updated to escape the name and description of the parameter types they provide in the versions specified:

  o Credentials Plugin 1112.vc87b_7a_3597f6, 1087.1089.v2f1b_9a_b_040e4, 1074.1076.v39c30cecb_0e2, and 2.6.1.1
  o CVS Plugin 2.19.1
  o Gerrit Trigger Plugin 2.35.3
  o Git Parameter Plugin 0.9.16
  o Jira Plugin 3.7.1 and 3.6.1
  o Mask Passwords Plugin 3.1
  o Node and Label parameter Plugin 1.10.3.1
  o promoted builds Plugin 876.v99d29788b_36b_ and 3.10.1
  o Subversion Plugin 2.15.4

As of publication of this advisory, there is no fix available for the following plugins:

  o Extended Choice Parameter Plugin (SECURITY-2704 / CVE-2022-29038)
  o Job Generator (SECURITY-2263 / CVE-2022-29042)

Untrusted users can modify some Pipeline libraries in Pipeline: Shared Groovy Libraries Plugin
SECURITY-1951 / CVE-2022-29047

Multibranch Pipelines by default limit who can change the Pipeline definition from the Jenkinsfile. This is useful for SCMs like GitHub: Jenkins can build content from users without commit access, but who can submit pull requests, without granting them the ability to modify the Pipeline definition. In that case, Jenkins will just use the Pipeline definition in the pull request's destination branch instead.

In Pipeline: Shared Groovy Libraries Plugin 564.ve62a_4eb_b_e039 and earlier the same protection does not apply to uses of the library step with a retriever argument pointing to a library in the current build's repository and branch (e.g., library(..., retriever: legacySCM(scm))). This allows attackers able to submit pull requests (or equivalent), but not able to commit directly to the configured SCM, to effectively change the Pipeline behavior by changing the library behavior in their pull request, even if the Pipeline is configured to not trust them.

Pipeline: Shared Groovy Libraries Plugin 566.vd0a_a_3334a_555 and 2.21.3 aborts library retrieval if the library would be retrieved from the same repository and revision as the current build, and the revision being built is untrusted.

CSRF vulnerability in Subversion Plugin
SECURITY-2075 / CVE-2022-29048

Subversion Plugin 2.15.3 and earlier does not require POST requests for several form validation methods, resulting in cross-site request forgery (CSRF) vulnerabilities. These vulnerabilities allow attackers to connect to an attacker-specified URL.

Subversion Plugin 2.15.4 requires POST requests for the affected form validation methods.

Promotion names in promoted builds Plugin are not validated when using Job DSL
SECURITY-2655 / CVE-2022-29049

promoted builds Plugin provides dedicated support for defining promotions using Job DSL Plugin. promoted builds Plugin 873.v6149db_d64130 and earlier does not validate the names of promotions defined in Job DSL. This allows attackers with Job/Configure permission to create a promotion with an unsafe name. As a result, the promotion name could be used for cross-site scripting (XSS) or to replace other config.xml files.

promoted builds Plugin 876.v99d29788b_36b_ and 3.10.1 validates the name of promotions.

CSRF vulnerability and missing permission checks in Publish Over FTP Plugin
SECURITY-2321 / CVE-2022-29050 (CSRF), CVE-2022-29051 (missing permission check)

Publish Over FTP Plugin 1.16 and earlier does not perform permission checks in methods implementing form validation. This allows attackers with Overall/Read permission to connect to an FTP server using attacker-specified credentials. Additionally, these form validation methods do not require POST requests, resulting in a cross-site request forgery (CSRF) vulnerability.

Publish Over FTP Plugin 1.17 requires POST requests and appropriate permissions for the affected form validation methods.

Private key stored in plain text by Google Compute Engine Plugin
SECURITY-2045 / CVE-2022-29052

Google Compute Engine Plugin 4.3.8 and earlier stores private keys unencrypted in cloud agent config.xml files on the Jenkins controller as part of its configuration. These private keys can be viewed by users with Agent/Extended Read permission or access to the Jenkins controller file system.

Google Compute Engine Plugin 4.3.9 stores private keys encrypted.

Severity

  o SECURITY-1951: High
  o SECURITY-2045: Medium
  o SECURITY-2075: Medium
  o SECURITY-2321: Medium
  o SECURITY-2617: High
  o SECURITY-2655: High

Affected Versions

  o Credentials Plugin up to and including 1111.v35a_307992395
  o CVS Plugin up to and including 2.19
  o Extended Choice Parameter Plugin up to and including 346.vd87693c5a_86c
  o Gerrit Trigger Plugin up to and including 2.35.2
  o Git Parameter Plugin up to and including 0.9.15
  o Google Compute Engine Plugin up to and including 4.3.8
  o Jira Plugin up to and including 3.7
  o Job Generator Plugin up to and including 1.22
  o Mask Passwords Plugin up to and including 3.0
  o Node and Label parameter Plugin up to and including 1.10.3
  o Pipeline: Shared Groovy Libraries Plugin up to and including 564.ve62a_4eb_b_e039
  o promoted builds Plugin up to and including 873.v6149db_d64130
  o Publish Over FTP Plugin up to and including 1.16
  o Subversion Plugin up to and including 2.15.3

Fix

  o Credentials Plugin should be updated to version 1112.vc87b_7a_3597f6, 1087.1089.v2f1b_9a_b_040e4, 1074.1076.v39c30cecb_0e2, or 2.6.1.1
  o CVS Plugin should be updated to version 2.19.1
  o Gerrit Trigger Plugin should be updated to version 2.35.3
  o Git Parameter Plugin should be updated to version 0.9.16
  o Google Compute Engine Plugin should be updated to version 4.3.9
  o Jira Plugin should be updated to version 3.7.1 or 3.6.1
  o Mask Passwords Plugin should be updated to version 3.1
  o Node and Label parameter Plugin should be updated to version 1.10.3.1
  o Pipeline: Shared Groovy Libraries Plugin should be updated to version 566.vd0a_a_3334a_555 or 2.21.3
  o promoted builds Plugin should be updated to version 876.v99d29788b_36b_ or 3.10.1
  o Publish Over FTP Plugin should be updated to version 1.17
  o Subversion Plugin should be updated to version 2.15.4

These versions include fixes to the vulnerabilities described above. All prior versions are considered to be affected by these vulnerabilities unless otherwise indicated.
As of publication of this advisory, no fixes are available for the following plugins:

  o Extended Choice Parameter Plugin
  o Job Generator Plugin

Credit

The Jenkins project would like to thank the reporters for discovering and reporting these vulnerabilities:

  o Daniel Beck, CloudBees, Inc. for SECURITY-2045
  o James Nord, CloudBees, Inc. and Daniel Beck, CloudBees, Inc. for SECURITY-2075
  o James Nord, CloudBees, Inc. and Jesse Glick, CloudBees, Inc. for SECURITY-1951
  o Kevin Guerroudj, CloudBees, Inc. and Wadeck Follonier, CloudBees, Inc. for SECURITY-2655
  o Kevin Guerroudj, CloudBees, Inc., Wadeck Follonier, CloudBees, Inc., and Daniel Beck, CloudBees, Inc. for SECURITY-2617
  o Kevin Guerroudj, Justin Philip, Marc Heyries for SECURITY-2321

- --------------------------END INCLUDED TEXT--------------------
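Version strings in this advisory come in two shapes, and the Credentials Plugin entry shows why a naive comparison misleads: the fixed backport line 1087.1089.v2f1b_9a_b_040e4 is numerically below the affected maximum 1111.v35a_307992395, so "installed version is at or below the affected maximum" would flag a patched controller. As an added example, not Jenkins project code, the Python below transcribes a subset of the Affected Versions and Fix lists above and assesses installed versions against the fix lines rather than the affected maximum. Plugin names are the advisory's display names; the "Name:version" inventory format and the inventory itself are constructed for the example.

```python
# Affected maximum ("up to and including") and fixed releases, transcribed from
# the advisory for a subset of the plugins it lists. An empty fix list records
# that no fixed release was available at publication.
AFFECTED_MAX = {
    "Credentials Plugin": "1111.v35a_307992395",
    "Extended Choice Parameter Plugin": "346.vd87693c5a_86c",
    "Google Compute Engine Plugin": "4.3.8",
    "Pipeline: Shared Groovy Libraries Plugin": "564.ve62a_4eb_b_e039",
    "promoted builds Plugin": "873.v6149db_d64130",
    "Subversion Plugin": "2.15.3",
}
FIXED = {
    "Credentials Plugin": ["1112.vc87b_7a_3597f6", "1087.1089.v2f1b_9a_b_040e4",
                           "1074.1076.v39c30cecb_0e2", "2.6.1.1"],
    "Extended Choice Parameter Plugin": [],
    "Google Compute Engine Plugin": ["4.3.9"],
    "Pipeline: Shared Groovy Libraries Plugin": ["566.vd0a_a_3334a_555", "2.21.3"],
    "promoted builds Plugin": ["876.v99d29788b_36b_", "3.10.1"],
    "Subversion Plugin": ["2.15.4"],
}


def version_key(version):
    """Comparable key for both version styles in the advisory. "2.15.3" gives
    (2, 15, 3); "1087.1089.v2f1b_9a_b_040e4" gives (1087, 1089): the ordered part
    is the leading run of numeric segments, the ".vHASH" tail carries no order."""
    key = []
    for segment in version.split("."):
        if not segment.isdigit():
            break
        key.append(int(segment))
    if not key:
        raise ValueError("unrecognised plugin version: %r" % version)
    return tuple(key)


def assess(plugin, installed):
    """Return 'not listed', 'fixed' or 'vulnerable' for one installed plugin.

    The advisory treats every version up to the affected maximum as vulnerable
    and may list several fix lines (the current line plus backports). A backport
    such as Credentials 1087.1089.v... sorts below the affected maximum
    1111.v..., so a version counts as fixed when it is at or above the newest
    fix line, or at or above a backport line whose leading segment it shares."""
    if plugin not in AFFECTED_MAX:
        return "not listed"
    key = version_key(installed)
    fixes = sorted((version_key(v) for v in FIXED[plugin]), reverse=True)
    if fixes and key >= fixes[0]:
        return "fixed"
    if any(key[0] == fix[0] and key >= fix for fix in fixes[1:]):
        return "fixed"
    return "vulnerable"


def scan(inventory_lines):
    """Assess 'Display Name:version' lines (a format assumed for this example).
    The split is on the last colon because names such as
    'Pipeline: Shared Groovy Libraries Plugin' contain one themselves."""
    findings = []
    for line in inventory_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.rpartition(":")
        findings.append((name, version, assess(name, version)))
    return findings


def needs_action(inventory_lines):
    """(name, version) pairs the advisory says are vulnerable."""
    return [(n, v) for n, v, state in scan(inventory_lines) if state == "vulnerable"]


# Constructed inventory, not taken from a real controller.
SAMPLE_INVENTORY = """
# name:version
Credentials Plugin:1087.1089.v2f1b_9a_b_040e4
Credentials Plugin:1111.v35a_307992395
Pipeline: Shared Groovy Libraries Plugin:2.21.2
Subversion Plugin:2.15.4
Extended Choice Parameter Plugin:346.vd87693c5a_86c
Example Unrelated Plugin:1.0
""".splitlines()


if __name__ == "__main__":
    for name, version, state in scan(SAMPLE_INVENTORY):
        print("%-42s %-30s %s" % (name, version, state))
```

A plugin with an empty fix list, such as Extended Choice Parameter above, is reported vulnerable at every version, which matches the advisory's "no fix available" entries; the remaining plugins in the advisory can be added to the two tables in the same way.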
13 April 2022

ESB-2022.1599 - [Win][UNIX/Linux] Apache Struts: CVSS (Max): None

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2022.1599 CVE-2021-31805: Apache Struts: Forced OGNL evaluation, when evaluated on raw not validated user input in tag attributes, may lead to RCE 13 April 2022 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Apache Struts Publisher: Apache Operating System: Windows UNIX variants (UNIX, Linux, OSX) Resolution: Patch/Upgrade CVE Names: CVE-2021-31805 Original Bulletin: https://cwiki.apache.org/confluence/display/WW/S2-062 Comment: CVSS (Max): None available when published - --------------------------BEGIN INCLUDED TEXT-------------------- Summary Forced OGNL evaluation, when evaluated on raw not validated user input in tag attributes, may lead to remote code execution - same as S2-061. Who should read this All Struts 2 developers and users Impact of vulnerability Possible Remote Code Execution vulnerability Maximum security rating Important Recommendation Upgrade to Struts 2.5.30 or greater Affected Software Struts 2.0.0 - Struts 2.5.29 Reporters Chris McCown CVE Identifier CVE-2021-31805 Problem The fix issued for CVE-2020-17530 (S2-061) was incomplete. Still some of the tag's attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation. Solution Avoid using forced OGNL evaluation on untrusted user input, and/or upgrade to Struts 2.5.30 or greater which checks if expression evaluation won't lead to the double evaluation. DISCLAIMER Struts won't accept double evaluation issues caused by not validated end-user input (owing to developer error) anymore as vulnerability. 
We accepted this one as a vulnerability because it concerns an error in the
fix for a previously accepted vulnerability. We nevertheless welcome and
appreciate reports of this kind, to minimize the effect of developer error.

Backward compatibility

No issues expected when upgrading to Struts 2.5.30

Workaround

Do not use forced OGNL evaluation in the tag attributes based on untrusted/
unvalidated user input; please follow our recommendations from the Security
Guide.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is maintained
within your organisation, so if you do not wish to continue receiving these
bulletins you should contact your local IT manager. If you do not know who that
is, please send an email to auscert@auscert.org.au and we will forward your
request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be
updated when updates to the original are made. If downloading at a later date,
it is recommended that the bulletin is retrieved directly from the author's
website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
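As an added, defender-side example (not part of the AusCERT bulletin or the Apache advisory), the following Python audit reads a Maven pom.xml, resolves ${property} versions, and flags struts2-core declarations that fall in the affected range stated above (2.0.0 through 2.5.29, fixed in 2.5.30); the POM it runs against is a constructed sample.

```python
# Added example for ESB-2022.1599 / S2-062: audit a Maven POM for struts2-core
# versions in the affected range. Version bounds come from the advisory text.
import re
import xml.etree.ElementTree as ET

AFFECTED_MIN = (2, 0, 0)   # "Affected Software: Struts 2.0.0 - Struts 2.5.29"
FIXED_IN = (2, 5, 30)      # "Upgrade to Struts 2.5.30 or greater"


def parse_version(text):
    """Split '2.5.30-SNAPSHOT' into ((2, 5, 30), 'SNAPSHOT').

    Only leading numeric dot-separated parts enter the tuple, padded to three
    places so that '2.5' compares like '2.5.0'."""
    core, _, qualifier = text.strip().partition("-")
    nums = []
    for piece in core.split("."):
        if not piece.isdigit():
            break
        nums.append(int(piece))
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums), qualifier


def is_affected(version):
    """True when 2.0.0 <= version < 2.5.30.

    A pre-release of 2.5.30 itself (e.g. 2.5.30-SNAPSHOT) is flagged as well,
    since it may predate the fix; this errs on the conservative side."""
    nums, qualifier = parse_version(version)
    if nums < AFFECTED_MIN:
        return False          # Struts 1.x is a different code base, out of scope
    if nums < FIXED_IN:
        return True
    return nums == FIXED_IN and bool(qualifier)


def struts_versions_in_pom(pom_xml):
    """Return the version strings declared for org.apache.struts:struts2-core.

    Works with or without the Maven POM namespace and resolves ${property}
    references against <properties>. A version that cannot be resolved here
    (inherited from a parent POM or a BOM) is returned unchanged."""
    root = ET.fromstring(pom_xml)
    ns = root.tag[:root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    props = {}
    for props_el in root.iter(f"{ns}properties"):
        for prop in props_el:
            props[prop.tag[len(ns):]] = (prop.text or "").strip()
    found = []
    for dep in root.iter(f"{ns}dependency"):   # also covers <dependencyManagement>
        if (dep.findtext(f"{ns}groupId", "").strip() != "org.apache.struts"
                or dep.findtext(f"{ns}artifactId", "").strip() != "struts2-core"):
            continue
        version = dep.findtext(f"{ns}version", "").strip()
        ref = re.fullmatch(r"\$\{([^}]+)\}", version)
        if ref:
            version = props.get(ref.group(1), version)
        found.append(version)
    return found


def audit_pom(pom_xml):
    """[(declared version, verdict)] for each struts2-core dependency.

    verdict is True (affected), False (not affected) or None (the version
    could not be resolved from this file alone)."""
    return [(v, None if (not v or v.startswith("${")) else is_affected(v))
            for v in struts_versions_in_pom(pom_xml)]


# Constructed sample POM: a vulnerable struts2-core version pulled from a property.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>webapp</artifactId>
  <version>1.0.0</version>
  <properties>
    <struts.version>2.5.29</struts.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-convention-plugin</artifactId>
      <version>${struts.version}</version>
    </dependency>
  </dependencies>
</project>
"""

if __name__ == "__main__":
    labels = {True: "AFFECTED (upgrade to 2.5.30+)", False: "ok", None: "unresolved"}
    for version, verdict in audit_pom(SAMPLE_POM):
        print(f"struts2-core {version}: {labels[verdict]}")
```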
13 April 2022

ESB-2022.1598 - [Win][UNIX/Linux] Google Chrome: CVSS (Max): None

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.1598
                     Stable Channel Update for Desktop
                               13 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Google Chrome
Publisher:         Google
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-1314 CVE-2022-1313 CVE-2022-1312 CVE-2022-1311
                   CVE-2022-1310 CVE-2022-1309 CVE-2022-1308 CVE-2022-1307
                   CVE-2022-1306 CVE-2022-1305
Original Bulletin: 
   http://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_11.html

Comment: CVSS (Max):  None available when published

- --------------------------BEGIN INCLUDED TEXT--------------------

The Stable channel has been updated to 100.0.4896.88 for Windows, Mac and Linux
which will roll out over the coming days/weeks.

A full list of changes in this build is available in the log. Interested in
switching release channels? Find out how here. If you find a new issue, please
let us know by filing a bug. The community help forum is also a great place to
reach out for help or learn about common issues.

Security Fixes and Rewards

Note: Access to bug details and links may be kept restricted until a majority
of users are updated with a fix. We will also retain restrictions if the bug
exists in a third party library that other projects similarly depend on, but
haven't yet fixed.

This update includes 11 security fixes. Below, we highlight fixes that were
contributed by external researchers. Please see the Chrome Security Page for
more information.

[$6000][1285234] High CVE-2022-1305: Use after free in storage. Reported by
Anonymous on 2022-01-07
[$3000][1299287] High CVE-2022-1306: Inappropriate implementation in
compositing. Reported by Sven Dysthe on 2022-02-21
[$3000][1301873] High CVE-2022-1307: Inappropriate implementation in full
screen. Reported by Irvan Kurniawan (sourc7) on 2022-03-01
[$1000][1283050] High CVE-2022-1308: Use after free in BFCache. Reported by
Samet Bekmezci @sametbekmezci on 2021-12-28
[$TBD][1106456] High CVE-2022-1309: Insufficient policy enforcement in
developer tools. Reported by David Erceg on 2020-07-17
[$TBD][1307610] High CVE-2022-1310: Use after free in regular expressions.
Reported by Brendon Tiszka on 2022-03-18
[$TBD][1310717] High CVE-2022-1311: Use after free in Chrome OS shell. Reported
by Nan Wang(@eternalsakura13) and Guang Gong of 360 Alpha Lab on 2022-03-28
[$TBD][1311701] High CVE-2022-1312: Use after free in storage. Reported by
Leecraso and Guang Gong of 360 Vulnerability Research Institute on 2022-03-30
[$TBD][1270539] Medium CVE-2022-1313: Use after free in tab groups. Reported by
Thomas Orlita on 2021-11-16
[$TBD][1304658] Medium CVE-2022-1314: Type Confusion in V8. Reported by Bohan
Liu (@P4nda20371774) of Tencent Security Xuanwu Lab on 2022-03-09

We would also like to thank all security researchers that worked with us during
the development cycle to prevent security bugs from ever reaching the stable
channel.

As usual, our ongoing internal security work was responsible for a wide range
of fixes:

[1315276] Various fixes from internal audits, fuzzing and other initiatives

Many of our security bugs are detected using AddressSanitizer, MemorySanitizer,
UndefinedBehaviorSanitizer, Control Flow Integrity, libFuzzer, or AFL.

PrudhviKumar Bommana
Google Chrome

- --------------------------END INCLUDED TEXT--------------------

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
13 April 2022

ESB-2022.1597 - [Win][Mac] Adobe Acrobat and Acrobat Reader: CVSS (Max): 7.8

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.1597
      APSB22-16 : Security update available for Adobe Acrobat and Reader
                               13 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Adobe Acrobat
                   Acrobat Reader
Publisher:         Adobe
Operating System:  Windows
                   macOS
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-28269 CVE-2022-28268 CVE-2022-28267 CVE-2022-28266
                   CVE-2022-28265 CVE-2022-28264 CVE-2022-28263 CVE-2022-28262
                   CVE-2022-28261 CVE-2022-28260 CVE-2022-28259 CVE-2022-28258
                   CVE-2022-28257 CVE-2022-28256 CVE-2022-28255 CVE-2022-28254
                   CVE-2022-28253 CVE-2022-28252 CVE-2022-28251 CVE-2022-28250
                   CVE-2022-28249 CVE-2022-28248 CVE-2022-28247 CVE-2022-28246
                   CVE-2022-28245 CVE-2022-28244 CVE-2022-28243 CVE-2022-28242
                   CVE-2022-28241 CVE-2022-28240 CVE-2022-28239 CVE-2022-28238
                   CVE-2022-28237 CVE-2022-28236 CVE-2022-28235 CVE-2022-28234
                   CVE-2022-28233 CVE-2022-28232 CVE-2022-28231 CVE-2022-28230
                   CVE-2022-27802 CVE-2022-27801 CVE-2022-27800 CVE-2022-27799
                   CVE-2022-27798 CVE-2022-27797 CVE-2022-27796 CVE-2022-27795
                   CVE-2022-27794 CVE-2022-27793 CVE-2022-27792 CVE-2022-27791
                   CVE-2022-27790 CVE-2022-27789 CVE-2022-27788 CVE-2022-27787
                   CVE-2022-27786 CVE-2022-27785 CVE-2022-24104 CVE-2022-24103
                   CVE-2022-24102 CVE-2022-24101 CVE-2022-24092 CVE-2022-24091
                   CVE-2021-45067 CVE-2021-45064 CVE-2021-44739 CVE-2021-44706
                   CVE-2021-44702
Original Bulletin: 
   https://helpx.adobe.com/security/products/acrobat/apsb22-16.html

Comment: CVSS (Max):  7.8 CVE-2022-28233 (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
         CVSS Source: Adobe
         Calculator:
         https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

Security update available for Adobe Acrobat and Reader | APSB22-16

Bulletin ID    Date Published    Priority
APSB22-16      April 12, 2022    2

Summary

Adobe has released security updates for Adobe Acrobat and Reader for Windows
and macOS. These updates address multiple critical, important and moderate
vulnerabilities. Successful exploitation could lead to arbitrary code
execution, memory leak, security feature bypass and privilege escalation.

Affected Versions

Product           | Track        | Affected Versions                                                                    | Platform
Acrobat DC        | Continuous   | 22.001.20085 and earlier versions                                                    | Windows & macOS
Acrobat Reader DC | Continuous   | 22.001.20085 and earlier versions                                                    | Windows & macOS
Acrobat 2020      | Classic 2020 | 20.005.30314 and earlier versions (Windows); 20.005.30311 and earlier versions (macOS) | Windows & macOS
Acrobat Reader 2020 | Classic 2020 | 20.005.30314 and earlier versions (Windows); 20.005.30311 and earlier versions (macOS) | Windows & macOS
Acrobat 2017      | Classic 2017 | 17.012.30205 and earlier versions                                                    | Windows & macOS
Acrobat Reader 2017 | Classic 2017 | 17.012.30205 and earlier versions                                                  | Windows & macOS

For questions regarding Acrobat DC, please visit the Acrobat DC FAQ page.
For questions regarding Acrobat Reader DC, please visit the Acrobat Reader DC
FAQ page.

Solution

Adobe recommends users update their software installations to the latest
versions by following the instructions below.

The latest product versions are available to end users via one of the following
methods:

  o Users can update their product installations manually by choosing
    Help > Check for Updates.
  o The products will update automatically, without requiring user
    intervention, when updates are detected.
  o The full Acrobat Reader installer can be downloaded from the Acrobat Reader
    Download Center.

For IT administrators (managed environments):

  o Refer to the specific release note version for links to installers.
  o Install updates via your preferred methodology, such as AIP-GPO,
    bootstrapper, SCUP/SCCM (Windows), or on macOS, Apple Remote Desktop and
    SSH.

Adobe categorizes these updates with the following priority ratings and
recommends users update their installation to the newest version:

Product           | Track        | Updated Versions                        | Platform          | Priority Rating | Availability
Acrobat DC        | Continuous   | 22.001.20117 (Win), 22.001.20112 (Mac)  | Windows and macOS | 2               | Release Notes
Acrobat Reader DC | Continuous   | 22.001.20117 (Win), 22.001.20112 (Mac)  | Windows and macOS | 2               | Release Notes
Acrobat 2020      | Classic 2020 | 20.005.30334 (Win), 20.005.30331 (Mac)  | Windows and macOS | 2               | Release Notes
Acrobat Reader 2020 | Classic 2020 | 20.005.30334 (Win), 20.005.30331 (Mac) | Windows and macOS | 2              | Release Notes
Acrobat 2017      | Classic 2017 | 17.012.30229 (Win), 17.012.30227 (Mac)  | Windows and macOS | 2               | Release Notes
Acrobat Reader 2017 | Classic 2017 | 17.012.30229 (Win), 17.012.30227 (Mac) | Windows and macOS | 2              | Release Notes

Vulnerability Details

Vulnerability Category | Vulnerability Impact | Severity | CVSS base score | CVSS vector | CVE Number
Use After Free (CWE-416) | Memory Leak | Moderate | 3.3 | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N | CVE-2022-24101
Use After Free (CWE-416) | Arbitrary code execution | Critical | 7.8 | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2022-24103
Use After Free (CWE-416) | Arbitrary code execution | Critical | 7.8 | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2022-24104
Use After Free (CWE-416) | Arbitrary code execution | Critical | 7.8 | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2022-27785
Use After Free (CWE-416) | Arbitrary code execution | Critical | 7.8 | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2022-24102
Use After Free (CWE-416) | Arbitrary code execution | Critical | 7.8 | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2022-27786
Out-of-bounds Write (CWE-787) | Arbitrary code execution | Critical | 7.8 | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2022-27787
Out-of-bounds Write (CWE-787) | Arbitrary code execution | Critical | 7.8 | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2022-27788
Use After Free (CWE-416) | Arbitrary code execution | Critical | 7.8 | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2022-27789
Use After Free (CWE-416) | Arbitrary code execution | Critical | 7.8 | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2022-27790
Stack-based Buffer Overflow (CWE-121) | Arbitrary code execution | Critical | 7.8 | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2022-27791
Out-of-bounds Write (CWE-787) | Arbitrary code execution | Critical | 7.8 | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2022-27792
Out-of-bounds Write (CWE-787) | Arbitrary code execution | Critical | 7.8 | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2022-27793
Access of Uninitialized Pointer (CWE-824) | Arbitrary code execution | Critical | 7.8 | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2022-27794
Use After Free (CWE-416) | Arbitrary code execution | Critical | 7.8 | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2022-27795
Use After Free (CWE-416) | Arbitrary code execution | Critical | 7.8 | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2022-27796
Use After Free (CWE-416) | Arbitrary code execution | Critical | 7.8 | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2022-27797
Out-of-bounds Write (CWE-787) | Arbitrary code execution | Critical | 7.8 | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2022-27798
Use After Free (CWE-416) | Arbitrary code execution | Critical | 7.8 | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2022-27799
Use After Free (CWE-416) | Arbitrary code execution | Critical | 7.8 | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2022-27800
Use After Free (CWE-416) | Arbitrary code execution | Critical | 7.8 | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2022-27801
Use After Free (CWE-416) | Arbitrary code execution | Critical | 7.8 | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2022-27802
Use After Free (CWE-416) | Arbitrary code execution | Critical | 7.8 | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2022-28230
Out-of-bounds Read (CWE-125) | Arbitrary code execution | Critical | 7.8 | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2022-28231
Use After Free (CWE-416) | Arbitrary code execution | Critical | 7.8 | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2022-28232
Use After Free (CWE-416) | Arbitrary code execution | Critical | 7.8 | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2022-28233
Heap-based Buffer Overflow (CWE-122) | Arbitrary code execution | Critical | 7.8 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2022-28234
Use After Free (CWE-416) | Arbitrary code execution | Critical | 7.8 | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2022-28235
Out-of-bounds Write (CWE-787) | Arbitrary code execution | Critical | 7.8 | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2022-28236
Use After Free (CWE-416) | Arbitrary code execution | Critical | 7.8 | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2022-28237
Use After Free (CWE-416) | Arbitrary code execution | Critical | 7.8 | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2022-28238
Out-of-bounds Read (CWE-125) | Arbitrary code execution | Critical | 7.8 | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2022-28239
Use After Free (CWE-416) | Arbitrary code execution | Critical | 7.8 | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2022-28240
Out-of-bounds Read (CWE-125) | Arbitrary code execution | Critical | 7.8 | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2022-28241
Use After Free (CWE-416) | Arbitrary code execution | Critical | 7.8 | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2022-28242
Out-of-bounds Read (CWE-125) | Arbitrary code execution | Critical | 7.8 | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | CVE-2022-28243
Violation of Secure Design Principles (CWE-657) | Arbitrary code execution | Important | 6.3 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N | CVE-2022-28244
Out-of-bounds Read (CWE-125) | Memory Leak | Important | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2022-28245
Out-of-bounds Read (CWE-125) | Memory Leak | Important | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2022-28246
Missing Support for Integrity Check (CWE-353) | Privilege escalation | Important | 6.7 | CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H | CVE-2022-28247
Out-of-bounds Read (CWE-125) | Memory Leak | Important | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2022-28248
Out-of-bounds Read (CWE-125) | Memory Leak | Important | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2022-28249
Use After Free (CWE-416) | Memory Leak | Important | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2022-28250
Out-of-bounds Read (CWE-125) | Memory Leak | Important | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2022-28251
Out-of-bounds Read (CWE-125) | Memory Leak | Important | 5.5 | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N | CVE-2022-28252
Out-of-bounds Read (CWE-125) | Memory Leak | Important | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2022-28253
Out-of-bounds Read (CWE-125) | Memory Leak | Important | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2022-28254
Out-of-bounds Read (CWE-125) | Memory Leak | Important | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2022-28255
Use After Free (CWE-416) | Memory Leak | Important | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2022-28256
Out-of-bounds Read (CWE-125) | Memory Leak | Important | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2022-28257
Out-of-bounds Read (CWE-125) | Memory Leak | Important | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2022-28258
Out-of-bounds Read (CWE-125) | Memory Leak | Important | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2022-28259
Out-of-bounds Read (CWE-125) | Memory Leak | Important | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2022-28260
Out-of-bounds Read (CWE-125) | Memory Leak | Important | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2022-28261
Out-of-bounds Read (CWE-125) | Memory Leak | Important | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2022-28262
Out-of-bounds Read (CWE-125) | Memory Leak | Important | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2022-28263
Out-of-bounds Read (CWE-125) | Memory Leak | Important | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2022-28264
Out-of-bounds Read (CWE-125) | Memory Leak | Important | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2022-28265
Out-of-bounds Read (CWE-125) | Memory Leak | Important | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2022-28266
Out-of-bounds Read (CWE-125) | Memory Leak | Important | 5.5 | CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N | CVE-2022-28267
Out-of-bounds Read (CWE-125) | Memory Leak | Moderate | 3.3 | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N | CVE-2022-28268
Use After Free (CWE-416) | Memory Leak | Moderate | 3.3 | CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N | CVE-2022-28269

Acknowledgements

Adobe would like to thank the following for reporting these issues and for
working with Adobe to help protect our customers:

  o Mat Powell of Trend Micro Zero Day Initiative - CVE-2022-28250,
    CVE-2022-28251, CVE-2022-28252, CVE-2022-28253, CVE-2022-28254,
    CVE-2022-28255, CVE-2022-28256, CVE-2022-28257, CVE-2022-28258,
    CVE-2022-28259, CVE-2022-28260, CVE-2022-28261, CVE-2022-28262,
    CVE-2022-28263, CVE-2022-28264, CVE-2022-28265, CVE-2022-28266,
    CVE-2022-28267, CVE-2022-28268, CVE-2022-28239, CVE-2022-28240,
    CVE-2022-28241, CVE-2022-28242, CVE-2022-28243, CVE-2022-27800,
    CVE-2022-27802, CVE-2022-24101
  o Anonymous working with Trend Micro Zero Day Initiative - CVE-2022-27785,
    CVE-2022-27786, CVE-2022-27787, CVE-2022-27788, CVE-2022-27790,
    CVE-2022-27791, CVE-2022-27792, CVE-2022-27793, CVE-2022-27794,
    CVE-2022-27797, CVE-2022-27798, CVE-2022-27801, CVE-2022-28231,
    CVE-2022-28232, CVE-2022-28233, CVE-2022-28236, CVE-2022-28237,
    CVE-2022-28238, CVE-2022-28245, CVE-2022-28246, CVE-2022-28248,
    CVE-2022-28269
  o Rich working with Trend Micro Zero Day Initiative - CVE-2022-24102,
    CVE-2022-24103, CVE-2022-24104
  o Mark Vincent Yason (@MarkYason) working with Trend Micro Zero Day
    Initiative - CVE-2022-27795, CVE-2022-27796, CVE-2022-27799,
    CVE-2022-28230, CVE-2022-28235
  o Krishnakant Patil and Ashfaq Ansari - HackSys Inc working with Trend Micro
    Zero Day Initiative - CVE-2022-28249, CVE-2022-27789
  o HackAndPwn (hackandpwn) - CVE-2022-28247
  o Gehirn Inc. - Maru Asahina, Ren Hirasawa, Tatsuki Maekawa(@mtk0308),
    Tsubasa Iinuma, Hikaru Ida(@howmuch515) - CVE-2022-28244
  o RUC_SE_SEC (ruc_se_sec) - CVE-2022-28234

- --------------------------END INCLUDED TEXT--------------------

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----