The Linux kernel, versions 3.9+, is vulnerable to a denial of service attack with low rates of specially modified packets targeting IP fragment re-assembly. An attacker may cause a denial of service condition by sending specially crafted IP fragments. Various vulnerabilities in IP fragmentation have been discovered and fixed over the years. The current vulnerability (CVE-2018-5391) became exploitable in the Linux kernel with the increase of the IP fragment reassembly queue size.

**Overview**

The Linux kernel, versions 3.9+, IP implementation is vulnerable to denial of service conditions with low rates of specially modified packets.

**Description**

**CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')** - CVE-2018-5391

The Linux kernel, versions 3.9+, is vulnerable to a denial of service attack with low rates of specially modified packets targeting IP fragment re-assembly.

An attacker may cause a denial of service condition by sending specially crafted IP fragments.

Various vulnerabilities in IP fragmentation have been discovered and fixed over the years. The current vulnerability (CVE-2018-5391) became exploitable in the Linux kernel with the increase of the IP fragment reassembly queue size.

**Impact**

An attacker may be able to trigger a denial-of-service condition against the system.

**Solution**

**Apply a patch**  
Patches are available from OS vendors to address the vulnerability.

If you are unable to apply a patch, see the following mitigations:

**Modify Default Configurations**  
Change the (default) values of

net.ipv4/ipv6.ipfrag\_high\_thresh

and

net.ipv4/ipv6.ipfrag\_low\_thresh

back to 256kB and 192 kB (respectively) or below.

Example:

sysctl -w net.ipv4.ipfrag\_low\_thresh=196608  
sysctl -w net.ipv4.ipfrag\_high\_thresh=262144  
sysctl -w net.ipv6.ip6frag\_low\_thresh=196608  
sysctl -w net.ipv6.ip6frag\_high\_thresh=262144

Update:  
Further testing shows that these mitigations are not a 100% fix. A significantly strong attack will still result in a denial of service condition.

**Revert Commit**  
Another sufficient mitigation is to revert the commit

 c2a936600f78aea00d3312ea4b66a79a4619f9b4

**Vendor Information**

Filter by content: Additional information available

 Sort by:

  
**CVSS Metrics**

Group

Score

Vector

Base

7.8

AV:N/AC:L/Au:N/C:N/I:N/A:C

Temporal

6.6

E:U/RL:ND/RC:ND

Environmental

6.6

CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

  
**References****Acknowledgements**

Thanks to Juha-Matti Tilli (Aalto University, Department of Communications and Networking / Nokia Bell Labs) for reporting this vulnerability.

This document was written by Trent Novelly.

**Other Information**

**CVE IDs:**

CVE-2018-5391

**Date Public:**

2018-08-14

**Date First Published:**

2018-08-14

**Date Last Updated:**

2018-10-12 12:31 UTC

**Document Revision:**

37

CVE-2018-5391: CERT/CC Vulnerability Note VU#641765

The mm subsystem in the Linux kernel through 3.2 does not properly enforce the CONFIG_STRICT_DEVMEM protection mechanism, which allows local users to read or write to kernel memory locations in the first megabyte (and bypass slab-allocation access restrictions) via an application that opens the /dev/mem file, related to arch/x86/mm/init.c and drivers/char/mem.c.

Permalink

Browse files

mm: Tighten x86 /dev/mem with zeroing reads

Under CONFIG\_STRICT\_DEVMEM, reading System RAM through /dev/mem is
disallowed. However, on x86, the first 1MB was always allowed for BIOS
and similar things, regardless of it actually being System RAM. It was
possible for heap to end up getting allocated in low 1MB RAM, and then
read by things like x86info or dd, which would trip hardened usercopy:

usercopy: kernel memory exposure attempt detected from ffff880000090000 (dma-kmalloc-256) (4096 bytes)

This changes the x86 exception for the low 1MB by reading back zeros for
System RAM areas instead of blindly allowing them. More work is needed to
extend this to mmap, but currently mmap doesn't go through usercopy, so
hardened usercopy won't Oops the kernel.

Reported-by: Tommi Rantala <tommi.t.rantala@nokia.com>
Tested-by: Tommi Rantala <tommi.t.rantala@nokia.com>
Signed-off-by: Kees Cook <keescook@chromium.org>

*   Loading branch information

CVE-2017-7889: mm: Tighten x86 /dev/mem with zeroing reads · torvalds/linux@a4866aa

It’s that time of year and BlueHat v14 is almost upon us. As always, BlueHat is an opportunity for us to bring the brightest minds in security together, both internal and external, to discuss and tackle some of the hardest problems facing the industry today. Through this conference, our engineering teams get deep technical information and education on the latest threats from proven industry experts.

/ By bluehat / October 06, 2014 / 7 min read

It’s that time of year and BlueHat v14 is almost upon us. As always, BlueHat is an opportunity for us to bring the brightest minds in security together, both internal and external, to discuss and tackle some of the hardest problems facing the industry today. Through this conference, our engineering teams get deep technical information and education on the latest threats from proven industry experts.

BlueHat kicks off on October 9th where we will spend the day focusing on researcher methodologies such as fuzzing, red team assessments, malware analysis and BIOS attacks. On the second day, we will have three tracks starting with Security & Identity, followed by State of the Hack (focusing on next generation of advanced persistent threats and web exploit detection) and then finally, we will end with Security in Deployed Environments.

We are very excited about interaction between Microsoft engineers and other top security experts who are coming to speak at the event. Here is a list of their talks:

\*Please note that this schedule is subject to change.

**October 9th, 2014**

**START**

**END**

**SPEAKER**

**TALK TITLE**

9:00 AM

9:40 AM

Chris Betz

**Keynote**

9:40 AM

10:20 AM

Stefano Zanero

**Botintime - Phoenix: DGA-based Botnet Tracking and Intelligence** Its common knowledge that a malicious domain automatically generated will not become popular and also an attacker will register a domain with a Top Level Domain that does not require clearance. Hence, we use phoenix which filters out domains likely to be generated by humans. The core of Phoenix is its ability to separate DGA from non-DGA domains, using linguistic features.

10:20 AM

10:35 AM

Break

10:35 AM

11:15 AM

Scott Longheyer

**Government Snooping Potentially Now Constitutes an Advance Persistent Threat** Security is the application of Privacy’s intentions, so open the pocketbook and check your ciphers. Gain a deeper understanding of Microsoft’s position on privacy and how online services intend to protect customer data.

11:15 AM

11:55 AM

Stefano Zanero

**Jackdaw talk - Automatic Malware Behavior Extraction and Tagging** This talk will focus on our approach for extracting (interesting) behavior specifications in an automatic way from a large collection of (untagged) malware. If you wonder why? It’s because we believe in giving support to the analyst by providing a list of important behaviors, with a rough explanation, to prioritize the analysis.

11:55 AM

12:55 PM

Lunch

12:55 PM

1:15 PM

Xeno Kovah

**UEFI - What would it take to enable global firmware vulnerability & integrity checking?** This talk will describe what actions are being taken to improve security for PC firmware, and what different groups in Microsoft can do to help.

1:15 PM

1:35 PM

Yuriy Bulygin

**UEFI - Summary of Attacks against BIOS and Secure Boot** A variety of attacks targeting platform firmware have been discussed publicly, drawing attention to the pre-boot and firmware components of the platform such as BIOS and SMM, UEFI secure boot and Full Disk Encryption solutions. This talk will detail and organize some of the attacks and how they work. We will cover attacks against BIOS write protection, attacks leveraging hardware configuration against SMM memory protections, attacks using vulnerabilities in SMI handlers, attacks against BIOS update implementations, attacks bypassing secure boot, and various other issues. We will describe underlying vulnerabilities and how to assess systems for these issues. After watching, you should understand how these attacks work, how they are mitigated, and how to verify if your system has any of these problems.

1:35 PM

2:15 PM

Josh Thomas

**Behind the NDA: How to attack a product under deadline** This talk will focus on a brief security assessment of the Windows Phone / Nokia Lumia platforms with the intent of exploring attack methodologies. This talk will focus on how we as consultants approach a new problem / technology and how we can quickly become productive on new and previously unknown / unexplored hardware and software components.

2:15 PM

2:35 PM

Sergey Bratus, Julian Bangert

**Defining and Enforcing Intent Semantics at ABI level** Dominant OS security policy designs treat a process as an opaque entity that has a “bag” of permissions to access some OS resources at any time, in any order. Now that the sensitive data that we most want to protect may never touch the filesystem or even cross a process boundary, these designs fail at their purpose. We introduce a design that has a much higher granularity of protection, yet is compatible with existing ABI, standard build chains, and binary utilities.

2:35 PM

2:50 PM

Break

2:50 PM

3:30 PM

Andrew Ruef

**Build It Break It Competition** We created a competition where students design and implement secure programs, and identify bugs in each other’s programs. We’ll talk about the design of the competition, the data we’ve gathered from executing the competition, our plans for future competitions, and what the data is telling us about software security, programming languages, education, and software development.

3:30 PM

4:10 PM

Ram Shankar Siva Kumar, John Walton

**Subverting machine learning detections for fun and profit** If you are using Machine learning in your feature, it can be attacked! This talk is a primer on Adversarial Machine learning wherein we show how attackers can manipulate machine learning systems to get the result they want you to see. You will learn how to protect yourself and detect such attacks. You don’t need to know about Machine learning to attend this talk – we’ve got you covered.

4:10 PM

4:40 PM

Lightning Talks

**October 10th, 2014**

9:00 AM

10:00 AM

Lightning Talks & Breakfast

10:00 AM

10:40 AM

Benjamin Delpy, Chris Campbell, Skip Duckwall

**The Attacker’s View of Windows Authentication and Post Exploitation part 1** This talk will focus on the how Windows authentication works in the real world and what are the popular attacks against it. You will learn the thought process of attackers in the real world and how it differs from a defender’s perspective. We’ll also cover post-exploitation tools and techniques such as Mimikatz. Finally, we’ll discuss next steps – How do you design services that are breach-resistant and make authentication harder to crack.

10:40 AM

11:20 AM

Benjamin Delpy, Chris Campbell, Skip Duckwall

**The Attacker’s View of Windows Authentication and Post Exploitation part 2**

11:20 AM

11:35 AM

Break

11:35 AM

12:15 PM

Ho John Lee

**Privacy and Security in a Personalized Services World** An introduction and discussion of current policy issues around personalized mobile and cloud-based knowledge services. In this talk you will learn about some of the privacy and policy issues associated with large scale, cloud based personalization that are different from those in web search, email, or social networks. I will also present some concepts and patterns for building mobile and personalized services that honor individual user data obligations while also enabling offline data analysis and global, low latency serving infrastructure.

12:15 PM

12:55 PM

Bo Qu

**The failure and success in IE fuzzing** The road to success is often paved with failure. In this presentation we will discuss the mistakes and challenges we overcame while developing our fuzzer that has successfully discovered over 100 vulnerabilities in Internet Explorer. Welcome to the school of hard knocks!

12:55 PM

1:55 PM

Lunch

1:55 PM

2:35 PM

John Walton

**Next Generation Advanced Persistent Threat™** What will tomorrow’s threat landscape, look like? How can attacks become even more advanced than we are observing today? What will the adversary’s arsenal contain? The Next Generation Advanced Persistent Threat™ talk will peer into the future and these exact questions. Come discover how we will continue to be outmaneuvered during every phase of the cyber kill chain

2:35 PM

2:55 PM

David Finn

**Fighting Cybercrime with Big Data** The Microsoft Digital Crimes Unit (“DCU”) is a team of about 100 people, including former prosecutors, law enforcement officials, security analysts, investigators, attorneys, and intelligence analysts, dedicated to the fight against global cybercrime. In this presentation about DCU’s CSI-like blend of crime fighting and technology, find out how Big Data and analytics is revolutionizing everything DCU does – helping protect internet users, and disrupting and dismantling criminal organizations all over the world.

2:55 PM

3:10 PM

Break

3:10 PM

3:30 PM

Alexandra Savelieva, Daniel Eshner, Nuwan Ginige, Mohammad Usman

**Data Isolation In Multitenant Cloud Environment** In our talk, you’ll learn about a new solution that we built to address the problem of managing access to data across various fabrics and processing environments to mitigate top security threats of a cloud-based distributed application platform shared by multiple partners, including isolation of mutually distrustful tenant applications running side-by-side on a commodity server.

3:30 PM

4:30 PM

Daniel Edwards

**Engineer’s guide to DDOS** Are you ready to discuss DDoS? Can your online service be weaponized to attack? It’s already happened to others. Is yours next?

**Related Posts**

*   Hey Yara, find some vulnerabilities
*   Microsoft Vulnerability Severity Classification for Online Services Publication
*   マイクロソフトのオンラインサービスにおける、脆弱性の深刻度分類の公開

BlueHat v14 is almost here

Heap-based buffer overflow in the read function in filters/words/msword-odf/wv2/src/styles.cpp in the Microsoft import filter in KOffice 2.3.3 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via a crafted ODF style in an ODF document. NOTE: this is the same vulnerability as CVE-2012-3456, but it was SPLIT by the CNA even though Calligra and KOffice share the same codebase.

*   Products
    *   Openwall GNU/\*/Linux   _server OS_
    *   Linux Kernel Runtime Guard
    *   John the Ripper   _password cracker_
        *   Free & Open Source for any platform
        *   in the cloud
        *   Pro for Linux
        *   Pro for macOS
    *   Wordlists   _for password cracking_
    *   passwdqc   _policy enforcement_
        *   Free & Open Source for Unix
        *   Pro for Windows (Active Directory)
    *   yescrypt   _KDF & password hashing_
    *   yespower   _Proof-of-Work (PoW)_
    *   crypt\_blowfish   _password hashing_
    *   phpass   _ditto in PHP_
    *   tcb   _better password shadowing_
    *   Pluggable Authentication Modules
    *   scanlogd   _port scan detector_
    *   popa3d   _tiny POP3 daemon_
    *   blists   _web interface to mailing lists_
    *   msulogin   _single user mode login_
    *   php\_mt\_seed   _mt\_rand() cracker_
*   Services
*   Publications
    *   Articles
    *   Presentations
*   Resources
    *   Mailing lists
    *   Community wiki
    *   Source code repositories (GitHub)
    *   Source code repositories (CVSweb)
    *   File archive & mirrors
    *   How to verify digital signatures
    *   OVE IDs
*   What's new

\[<prev\] \[next>\] \[<thread-prev\] \[thread-next>\] \[day\] \[month\] \[year\] \[list\]

Date: Mon, 06 Aug 2012 13:07:06 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Charlie Miller <charlie.miller@...uvant.com>,
        "Jorge Manuel B. S. Vicetto" <jmbsvicetto@...il.com>
Subject: Re: CVE request for Calligra

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/05/2012 05:27 PM, Charlie Miller wrote:
> Hi Kurt.
> 
> Yes, sorry I didn't report directly to the correct people.  I only
> knew that the vulnerability existed for sure in the Nokia Documents
> app and also in the version of Koffice I happen to have on my
> system.  I didn't know what library it was in (I'd never even heard
> of Calligra), if it was already known about upstream, what other
> software depend on this library, etc.  As you're probably aware, it
> can be a very time consuming process to try to get that stuff
> sorted out, so I just report it to the vendor and let them deal
> with these issues.  In that spirit, I reported to Nokia early last
> month.  As for your questions, I have not asked for CVE's for any
> of these vulnerabilities.  Feel free to request them yourselves.  I
> believe the only vulnerability I know enough details about to say
> is a security issue is the one in the document about parsing word
> documents.  I hope that clears up any questions you might have.
> Thanks!
> 
> Charlie
> 
> On Aug 5, 2012, at 3:25 PM, Kurt Seifried wrote:
> 
> On 08/05/2012 09:06 AM, Jorge Manuel B. S. Vicetto wrote:
>>>> Hi.
>>>> 
>>>> On Sat, Aug 4, 2012 at 4:58 PM, Jeff Mitchell
>>>> <mitchell@....org> wrote:
>>>>> On 08/04/2012 11:56 AM, Agostino Sarubbo wrote:
>>>>>> On Saturday 04 August 2012 11:44:33 Jeff Mitchell wrote:
>>>>>>> What commit code do you want?
>>>>>> Please post the diff between the vulnerable code and the
>>>>>> fix so we are sure that is a security issue.
>>>>>> 
>>>>> 
>>>>> Hi,
>>>>> 
>>>>> You can read all about the details of the vulnerability in
>>>>> the Black Hat 2012 presentation by Charlie Miller (c)
>>>>> 
>>>>> 
> -- details of the Calligra (and KOffice) exploit start at page 39.
>>>>> 
>>>>> Unfortunately, he did not notify us ahead of time of his
>>>>> intent to disclose, so it's already public.
> 
> I suspect he may not have known about it (this is the first time I
> can remember hearing of Calligra). Trying to keep track of all
> possible project forks is pretty much impossible in the modern Open
> Source world.
> 
> Charlie 1): have you requested CVE #'s for this issue for Koffice?
> 
> Charlie 2): it appears there are quite a few other security issues
> in the presentation, are they in open source components, if yes can
> you please send a CVE request(s) for the issue to oss-security@ so
> I can assign CVE's for them? Thanks.
> 
> Once Charlie replies (either way) I'll assign CVE's.
> 
>>>>> 
>>>>> Thanks, Jeff
>>>> 
>>>> 
>>>> As reported by Thorsten Zachmann to the kde-packagers ml,
>>>> here are the commit ids:
>>>> 
>>>> 
>>>> The commit IDs for master is 
>>>> 8652ab672eaaa145dfb3782f5011de58aa4cc046 c
>>>> 
>>>> The commit ID for calligra/2.5 is 
>>>> f04d585ca1d3ee27f125d0129a23ca7b7850902d 
>>>> https://projects.kde.org/projects/calligra/repository/diff?rev=f04d585ca1d3ee27f125d0129a23ca7b7850902d&rev\_to=b1bf5264e31cdab9e0b2fa74b7ae8393d6195af1
>>>>
>>>>
>>>> 
The commit ID for calligra/2.4 is
>>>> 7d72f7dd8d28d18c59a08a7d43bd4e0654043103 
>>>> https://projects.kde.org/projects/calligra/repository/diff?rev=7d72f7dd8d28d18c59a08a7d43bd4e0654043103&rev\_to=7a9fa21b1f812b74b3e1501480dd14d10aeb347b
>>>>
>>>>
>>>> 
Regards,
>>>> 
>>>> Jorge Manuel B. S. Vicetto
>>>> 

For this DOC rendering issue please use CVE-2012-3455 for KOffice and
please use 2012-3456 for Calligra.


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJQIBXaAAoJEBYNRVNeJnmTV/wQAI2BRqWGJwDMKoh2jUduowkU
xp+5Rf3dPJhI0o9FVaTkk7kWkmLnheecervdNwmthoL6l0D/yvl26gxcBaCr5CBq
JwQNsIeA4sNBJ4gDSCB7CQ1EpRJnCAar/M6wPAg9lUfwNqH+NKD4TJxvpELoOYiu
17Hgj36KnGn/hEmaq7ugIBpf0nY+PDjGwMI+SeCiLBMJU92y49MA6kjbZ5wZZcnA
91pedfhW1Ia1P/4HhTV/WfcepfyqYAld+QMPiq66JHPLxbXY4sZu3F8Ff9RfwBK7
an+auUf3ITng2CscSjjlRtabQdPismt1JS9eI/X6A+kjB3oE6tFOW5rM0DWitH+B
E7MvwJW9rV3VTleQlQgzQEJJrJWRdDpJrwmCAgYDD5OEdjmoXSJQD9/2oWJmcED0
pQC6jt3hOZAXsu2XO6Ib0QBKCSfgJ7gFT3u5YJbydAWLxN8B+P6H4fUupbVhcDCS
eN/WZRSdKzXICglriLM+CdG8r0tmQbC+76KwKtvtEYrQRJv/S8Hpc3RaRxWVcEpW
6JW0Hacol4xoZDPyl25VQlNqcaekXKUdFHYZJic0cv5OEeRnmYA6jcZEgDmvZWFo
HReRIsstQjWGsjli90U7EQQHt7ZwyaccXpOnIfPXw1I/31PBJViMBuL4Zuxuue4H
RQvuo6IFqkXGFCBNneK5
=S3Bf
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.

CVE-2012-3455: security - Re: CVE request for Calligra

The WDB target agent debug service in Wind River VxWorks 6.x, 5.x, and earlier, as used on the Rockwell Automation 1756-ENBT series A with firmware 3.2.6 and 3.6.1 and other products, allows remote attackers to read or modify arbitrary memory locations, perform function calls, or manage tasks via requests to UDP port 17185, a related issue to CVE-2005-3804.

**3com Inc. (Inactive) Affected**

Notified:  2010-06-14 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**ARRIS Affected**

Notified:  2010-06-18 Updated: 2020-08-31

**Statement Date:   January 20, 2011**

**Vendor Statement**

We have not received a statement from the vendor.

**CERT Addendum**

The following products have been reported to be affected: ARRIS C3™ Cable Modem Termination System Firmware Release <=4.4.4.13

**Actelis Networks Affected**

Notified:  2010-06-29 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Alcatel-Lucent Enterprise Affected**

Notified:  2010-06-14 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Allied Telesis Affected**

Notified:  2010-06-29 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Alvarion (Inactive) Affected**

Notified:  2010-06-29 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Aperto Networks Affected**

Notified:  2010-06-29 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Apple Affected**

Notified:  2010-06-14 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Avaya Inc. Affected**

Notified:  2010-06-14 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Broadcom Affected**

Notified:  2010-06-14 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Ceragon Networks Inc Affected**

Notified:  2010-06-29 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Cisco Affected**

**D-Link Systems Inc. Affected**

Notified:  2010-06-14 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Dell Affected**

Notified:  2010-06-14 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Dell EMC Affected**

Notified:  2010-06-14 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Digicom Affected**

Notified:  2010-06-29 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**DrayTek Corporation Affected**

Notified:  2010-06-29 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Enablence Affected**

Notified:  2010-06-29 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Enterasys Networks Affected**

Notified:  2010-06-18 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Ericsson Affected**

Notified:  2010-06-14 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Fluke Networks Affected**

Notified:  2010-06-14 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Foundry Brocade Affected**

Notified:  2010-06-14 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Gilat Network Systems Affected**

Notified:  2010-06-29 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Guangzhou Gaoke Communications Affected**

Notified:  2010-06-29 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Hewlett Packard Enterprise Affected**

Notified:  2010-06-14 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Huawei Affected**

Updated: 2020-08-31

**Statement Date:   June 18, 2010**

**Vendor Statement**

We have not received a statement from the vendor.

**IWATSU Voice Networks Affected**

Notified:  2010-06-29 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Keda Communications Affected**

Notified:  2010-06-29 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Knovative Inc Affected**

Notified:  2010-06-29 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Lenovo Affected**

Notified:  2010-06-14 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Lutron Electronics Affected**

Notified:  2010-06-29 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Maipu Communication Technology Affected**

Notified:  2010-06-29 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Mitel Networks Inc. Affected**

Notified:  2010-06-14 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Motorola Inc. Affected**

Notified:  2010-06-14 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Netgear Inc. Affected**

Notified:  2010-06-18 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Nokia Affected**

Notified:  2010-06-18 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Nortel Networks Inc. Affected**

Notified:  2010-06-14 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Polycom Affected**

Notified:  2010-06-14 Updated: 2020-08-31

**Statement Date:   December 07, 2010**

**Vendor Statement**

We have not received a statement from the vendor.

**CERT Addendum**

The release notes for SoundPoint IP/SoundStation IP SIP software states that version 3.1.2 has closed the debug port. "47450: Port 17185 is open, presenting a security risk" http://downloads.polycom.com/voice/voip/relnotes/spip\_ssip\_v3\_1\_6\_Legacy\_release\_notes.pdf

**Proxim Inc. Affected**

Notified:  2010-06-14 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Rad Vision Inc. Affected**

Notified:  2010-06-14 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Ricoh Company Ltd. Affected**

Notified:  2010-06-14 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**SEIKO EPSON Corp. / Epson America Inc. Affected**

Notified:  2010-06-18 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**SFR Affected**

Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**CERT Addendum**

newsoft reports that the SFR (formerly Neuf Cegetel and Neuf Telecom) Trio3C has the debug service enabled.

**SMC Networks Inc. Affected**

Notified:  2010-06-18 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Schneider Electric Affected**

Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**CERT Addendum**

The Modicon M340 with firmware version 2.5 was reported to run VxWorks 6.4 and have the debug port enabled.

**ShoreTel Inc. Affected**

Notified:  2010-06-14 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Siemens Affected**

Notified:  2010-06-14 Updated: 2020-08-31

**Vendor Statement**

Security Advisory Report - OBSO-1010-01 Enabled VxWorks debug service Creation Date: 2010-10-15 Last Update: 2010-10-15 Summary A security researcher has identified a large number of products based on the VxWorks platform provided by Wind River Systems with a debug service enabled by default at port 17185/udp. Vulnerability Details The debug service provides full access to the memory of an affected device and allows for memory to be written as well as functions to be called. Of the various products based on VxWorks, the following are not affected by this vulnerability: HiPath Wireless Convergence, RG 8700, optiPoint 410/420 SIP and HFA (V5). Affected Products HiPath 3000 (HG 1500 Gateway) HiPath 4000 (HG 35xx Gateway) optiPoint 410/420 HFA, versions before V5 optiPoint 600 office Recommended Actions In general, it is recommended not to attach the mentioned systems directly at the internet. Appropriate firewall rules should be implemented to restrict access to the debug service (17185/udp). The problem is solved in the following versions; an update to these or higher versions is highly recommended: HiPath 3000 V8: V8 R5.2.0 HiPath 4000 V4: V4 R4.1.12 HiPath 4000 V5: V5 R1.2.4 Please note: HiPath 3000 V7: You need to upgrade the HG 1500 gateway only. Please use V8 R5.2.0 for this. You may keep the system itself in V7. HiPath 3000 V6 and earlier have reached end of SW support; please consider an upgrade to V7 or V8 HiPath 4000 V3 and earlier have reached end of SW support; please consider an upgrade to V4 or higher. Some older, unsupported versions of optiPoint 410/420 HFA IP phones are also vulnerable. Please ensure, that V5 is installed on all phones. optiPoint 600 office has reached end of life since a few years already; an update is unfortunately not available References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2965 http://blog.metasploit.com/2010/08/vxworks-vulnerabilities.html http://www.kb.cert.org/vuls/id/362332 Revision History 2010-10-15 Initial release Contact and Disclaimer OpenScale Baseline Security Office obso@siemens-enterprise.com © Siemens Enterprise Communications GmbH & Co KG 2010 Siemens Enterprise Communications GmbH & Co. KG is a Trademark Licensee of Siemens AG The information provided in this document is subject to change without notice. Siemens Enterpise Communications GmbH & Co KG (SEN) assumes no responsibility for any errors that may appear in this document, and it does not affect your current support agreements with SEN. Any trademarks referenced in this document are the property of their respective owners. ---End Vendor Statement-------------------------------------------------------------------

**CERT Addendum**

The vendor provided the above advisory information for their affected products.

**TRENDnet Affected**

Notified:  2010-06-14 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Tut Systems Affected**

Notified:  2010-06-18 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Wind River Affected**

Notified:  2010-06-14 Updated: 2020-08-31

**Vendor Statement**

Wind River has analyzed VU#362332, and determined that all versions of VxWorks could be vulnerable if the WDB agent is left enabled in production systems and the system is network attached. VxWorks has a very strong track record of offering secure products and Wind River is committed to active threat monitoring, rapid assessment, threat prioritization, expedited remediation, response and proactive customer contact. Customers are encouraged to follow the remediation actions outlined in the SOLUTION section of the vulnerability post. Registered users can access Wind River's online support for more information by following this link: https://support.windriver.com/olsPortal/faces/maintenance/downloadDetails.jspx?contentId=033708 Or contact Wind River technical support for more information: http://windriver.com/support/

**CERT Addendum**

Within the VxWorks Kernel programmers guide it states: “For production systems, you will want to reconfigure VxWorks with only those components needed for deployed operation, and to build it as the appropriate type of system image. You will likely want to remove components required for host development support, such as the WDB target agent and debugging components (INCLUDE\_WDB and INCLUDE\_DEBUG), as well as to remove any other operating system components not required to support your application. Other considerations may include reducing the memory requirements of the system, speeding up boot time, and security issues.”

**Xerox Affected**

Notified:  2010-06-14 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**amx Affected**

Notified:  2010-06-29 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Canon Not Affected**

Notified:  2010-06-18 Updated: 2020-08-31

**CVE-2010-2965**

Not Affected

**Vendor Statement**

We have not received a statement from the vendor.

**Brocade Communication Systems Unknown**

Notified:  2010-08-03 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

**Intel Unknown**

Notified:  2010-07-02 Updated: 2020-08-31

**Vendor Statement**

We have not received a statement from the vendor.

Tag

#nokia