Bulletin (SB17-135)

16/5/2017 Vulnerability Summary for the Week of May 8, 2017

Bulletin (SB17-135)
Vulnerability Summary for the Week of May 8, 2017
Original release date: May 15, 2017 | Last revised: May 16, 2017
https://www.us-cert.gov/ncas/bulletins/SB17-135

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

  • High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0
  • Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9
  • Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

High Vulnerabilities

| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| ibm -- websphere_cast_iron_solution | IBM WebSphere Cast Iron Solution 7.0.0 and 7.5.0.0 is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error when processing XML data. A remote attacker could exploit this vulnerability to expose highly sensitive information or consume all available memory resources. IBM X-Force ID: 119515. | 2017-05-05 | 9.0 | CVE-2016-9691 CONFIRM BID |
| ibm -- websphere_cast_iron_solution | IBM WebSphere Cast Iron Solution 7.0.0 and 7.5.0.0 is vulnerable to External Service Interaction attack, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to induce the application to perform server-side DNS lookups or HTTP requests to arbitrary domain names. By submitting suitable payloads, an attacker can cause the application server to attack other systems that it can interact with. IBM X-Force ID: 119516. | 2017-05-05 | 7.8 | CVE-2016-9692 CONFIRM BID |

Medium Vulnerabilities

| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| genixcms -- genixcms | forgotpassword.php in GeniXCMS 1.0.2 lacks a rate limit, which might allow remote attackers to cause a denial of service (login inability) or possibly conduct Arbitrary User Password Reset attacks via a series of requests. | 2017-05-08 | 6.4 | CVE-2017-8827 MISC |
| ibm -- marketing_platform | IBM Marketing Platform 9.1 and 10.0 is vulnerable to stored cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. IBM X-Force ID: 110564. | 2017-05-05 | 4.3 | CVE-2016-0255 CONFIRM BID |
| imagemagick -- imagemagick | In ImageMagick 7.0.5-6, the ReadBMPImage function in bmp.c:1379 allows attackers to cause a denial of service (memory leak) via a crafted file. | 2017-05-08 | 4.3 | CVE-2017-8830 CONFIRM |

Low Vulnerabilities

There were no low vulnerabilities recorded this week.

Severity Not Yet Assigned

| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
|---|---|---|---|---|
| adobe -- experience_manager_forms | Adobe Experience Manager Forms versions 6.2, 6.1, 6.0 have an information disclosure vulnerability resulting from abuse of the pre-population service in AEM Forms. | 2017-05-09 | not yet calculated | CVE-2017-3067 BID CONFIRM |
| adobe -- flash_player | Adobe Flash Player versions 25.0.0.148 and earlier have an exploitable memory corruption vulnerability in the ConvolutionFilter class. Successful exploitation could lead to arbitrary code execution. | 2017-05-09 | not yet calculated | CVE-2017-3070 BID CONFIRM |
| adobe -- flash_player | Adobe Flash Player versions 25.0.0.148 and earlier have an exploitable memory corruption vulnerability in the BlendMode class. Successful exploitation could lead to arbitrary code execution. | 2017-05-09 | not yet calculated | CVE-2017-3069 BID CONFIRM |
| adobe -- flash_player | Adobe Flash Player versions 25.0.0.148 and earlier have an exploitable memory corruption vulnerability in the BitmapData class. Successful exploitation could lead to arbitrary code execution. | 2017-05-09 | not yet calculated | CVE-2017-3072 BID CONFIRM |
| adobe -- flash_player | Adobe Flash Player versions 25.0.0.148 and earlier have an exploitable use after free vulnerability when masking display objects. Successful exploitation could lead to arbitrary code execution. | 2017-05-09 | not yet calculated | CVE-2017-3071 BID CONFIRM |
| adobe -- flash_player | Adobe Flash Player versions 25.0.0.148 and earlier have an exploitable memory corruption vulnerability in the Graphics class. Successful exploitation could lead to arbitrary code execution. | 2017-05-09 | not yet calculated | CVE-2017-3074 BID CONFIRM |
| adobe -- flash_player | Adobe Flash Player versions 25.0.0.148 and earlier have an exploitable use after free vulnerability when handling multiple mask properties of display objects, aka memory corruption. Successful exploitation could lead to arbitrary code execution. | 2017-05-09 | not yet calculated | CVE-2017-3073 BID CONFIRM |
| adobe -- flash_player | Adobe Flash Player versions 25.0.0.148 and earlier have an exploitable memory corruption vulnerability in the Advanced Video Coding engine. Successful exploitation could lead to arbitrary code execution. | 2017-05-09 | not yet calculated | CVE-2017-3068 BID CONFIRM |
| adodb -- adodb | Cross-site scripting vulnerability in ADOdb versions prior to 5.20.6 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 2017-05-12 | not yet calculated | CVE-2016-4855 JVN CONFIRM |
| advantech -- b+b_smartworx_mesr901 | A Use of Client-Side Authentication issue was discovered in Advantech B+B SmartWorx MESR901 firmware versions 1.5.2 and prior. The web interface uses JavaScript to check client authentication and redirect unauthorized users. Attackers may intercept requests and bypass authentication to access restricted web pages. | 2017-05-05 | not yet calculated | CVE-2017-7909 BID MISC |
| advantech -- webaccess | An Absolute Path Traversal issue was discovered in Advantech WebAccess Version 8.1 and prior. The absolute path traversal vulnerability has been identified, which may allow an attacker to traverse the file system to access restricted files or directories. | 2017-05-05 | not yet calculated | CVE-2017-7929 BID MISC |
| allendisk -- id_parameter | Allen Disk 1.6 has XSS in the id parameter to downfile.php. | 2017-05-08 | not yet calculated | CVE-2017-8832 CONFIRM |
| allendisk -- setpass.php | Allen Disk 1.6 has CSRF in setpass.php with an impact of changing a password. | 2017-05-08 | not yet calculated | CVE-2017-8848 MISC |
| ambari -- ambari | In Ambari 2.4.x (before 2.4.3) and Ambari 2.5.0, an authorized user of the Ambari Hive View may be able to gain unauthorized read access to files on the host where the Ambari server executes. | 2017-05-12 | not yet calculated | CVE-2017-5654 CONFIRM CONFIRM |
| artifexghostscript -- mark_line_tr | The mark_line_tr function in gxscanc.c in Artifex Ghostscript 9.21 allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted PostScript document. | 2017-05-12 | not yet calculated | CVE-2017-8908 MISC |
| asus_rt-ac_rt-n -- firmware | ASUS RT-AC* and RT-N* devices with firmware before 3.0.0.4.380.7378 allow JSONP Information Disclosure such as a network map. | 2017-05-10 | not yet calculated | CVE-2017-5892 MISC MISC |
| asus_rt-ac_rt-n -- firmware | ASUS RT-AC* and RT-N* devices with firmware before 3.0.0.4.380.7378 have Login Page CSRF and Save Settings CSRF. | 2017-05-10 | not yet calculated | CVE-2017-5891 MISC MISC |
| asus_rt-ac_rt-n -- asus_rt_ac_rt_n | ASUS RT-AC* and RT-N* devices with firmware before 3.0.0.4.380.7378 allow remote authenticated users to discover the Wi-Fi password via WPS_info.xml. | 2017-05-10 | not yet calculated | CVE-2017-8878 MISC |
| asus_rt-ac_rt-n -- asus_rt_ac_rt_n | ASUS RT-AC* and RT-N* devices with firmware through 3.0.0.4.380.7378 allow JSONP Information Disclosure such as the SSID. | 2017-05-10 | not yet calculated | CVE-2017-8877 MISC |
| atlassian -- hipchat | Acceptance of invalid/self-signed TLS certificates in Atlassian HipChat before 3.16.2 for iOS allows a man-in-the-middle and/or physically proximate attacker to silently intercept information sent during the login API call. | 2017-05-05 | not yet calculated | CVE-2017-8058 BID MISC |
| basercms -- basercms | Cross-site request forgery (CSRF) vulnerability in baserCMS version 3.0.10 and earlier allows remote attackers to hijack the authentication of administrators via unspecified vectors. | 2017-05-12 | not yet calculated | CVE-2016-4878 |
