VU#702452: Qualcomm Android OS kernel privilege escalation and denial of service vulnerabilities

Vulnerability Note VU#702452
Qualcomm Android OS kernel privilege escalation and denial of service vulnerabilities

Original Release date: 07 Dec 2012 | Last revised: 07 Dec 2012

Overview

Android OS kernels running on certain Qualcomm devices contain multiple vulnerabilities which could allow an attacker to cause privilege escalation or Denial of Service (DoS).

Description

The Qualcomm Innovation Center, Inc. advisory states:

Summary:
A locally installed application can cause privilege escalation or Denial of Service (DoS) by passing a specially crafted input to the diagchar_ioctl call of the Diagnostics (DIAG) kernel mode driver for Android. The involved CVE IDs are CVE-2012-4220 (untrusted pointer dereference) and CVE-2012-4221 (integer overflow). A patch which can be applied to Gingerbread, Ice Cream Sandwich and Jelly Bean source is made available from the location below.

A locally installed application can cause DoS by passing a specially crafted input to the kgsl_ioctl call of the Graphics KGSL kernel mode driver for Android. The involved CVE ID is CVE-2012-4222 (null pointer dereference). A patch which can be applied to Gingerbread, Ice Cream Sandwich and Jelly Bean source is made available from the location below.

Affected version:
All Android releases from CAF prior to November 15, 2012 using Linux kernel from the following heads: msm-3.4, msm-3.0, jb_*, ics_*, gingerbread_*

Note: Permission changes in ICS and Jelly Bean that restrict /dev/diag access to qcom_diag group mitigate CVE-2012-4220 and CVE-2012-4221.

Impact

By convincing a user to install a specially crafted Android application, a remote attacker may be able to cause privilege escalation or Denial of Service (DoS), allowing them to gain control of the affected device.

Solution

Update

The vendor states that these vulnerabilities have been addressed in PATCH_17010_jweEF843feG. Users are advised to apply the patch to affected devices. The fix for CVE-2012-4220 and CVE-2012-4221 in msm-3.4, and the fix for CVE-2012-4222 in msm-3.4, are linked from the vendor advisory listed under References.

Vendor Information

Vendor                 Status    Date Notified  Date Updated
QUALCOMM Incorporated  Affected  01 Nov 2012    30 Nov 2012

CVSS Metrics

Group          Score  Vector
Base           6.0    AV:L/AC:H/Au:S/C:C/I:C/A:C
Temporal       4.7    E:POC/RL:OF/RC:C
Environmental  5.2    CDP:L/TD:H/CR:ND/IR:ND/AR:ND

References

https://www.codeaurora.org/participate/security-advisories/cve-2012-4220-cve-2012-4221-cve-2012-4222/
https://www.codeaurora.org/patches/quic/la/.PATCH_17010_jweEF843feG.tar.gz

Credit

Thanks to giantpune@gmail.com for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

CVE IDs:
CVE-2012-4220
CVE-2012-4221
CVE-2012-4222

Date Public:
15 Nov 2012

Date First Published:
07 Dec 2012

Date Last Updated:
07 Dec 2012

Document Revision:
14

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

VU#408099: CA ARCserve Backup authentication service denial-of-service vulnerability

Vulnerability Note VU#408099
CA ARCserve Backup authentication service denial-of-service vulnerability

Original Release date: 30 Oct 2012 | Last revised: 30 Oct 2012

Overview

The CA ARCserve Backup authentication service, caauthd.exe, is susceptible to a denial-of-service vulnerability. CA ARCserve Backup r16 SP1 was reported to be vulnerable.

Description

The Offensive Security advisory states:

By specifying an invalid field size for the encrypted username or password in a crafted RPC packet, the authentication service performs an invalid pointer dereference while trying to decrypt the character string. Authentication is not required to trigger the vulnerability and successful exploitation of this vulnerability for the caauthd.exe process will lead to a denial of service.

Additional details may be found in CA20121018-01: Security Notice for CA ARCserve Backup.

Impact

An unauthenticated remote attacker may be able to trigger a denial-of-service condition.

Solution

Apply a Patch

CA ARCserve Backup for Windows r12.5: apply patch RO49917
CA ARCserve Backup for Windows r15:   apply patch RO49916
CA ARCserve Backup for Windows r16:   apply patch RO49750

If you cannot patch for whatever reason, please consider the following workarounds.

Restrict access

As a general good security practice, only allow connections from trusted hosts and networks.

Vendor Information

Vendor           Status    Date Notified  Date Updated
CA Technologies  Affected  11 Jul 2012    31 Aug 2012

CVSS Metrics

Group          Score  Vector
Base           7.8    AV:N/AC:L/Au:N/C:N/I:N/A:C
Temporal       6.1    E:POC/RL:OF/RC:C
Environmental  6.1    CDP:ND/TD:ND/CR:ND/IR:ND/AR:ND

References

https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={F9EEA31E-8089-423E-B746-41B5C9DD2AC1}

Credit

Thanks to Matteo Memelli of Offensive Security for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

CVE IDs:
CVE-2012-2972

Date Public:
31 Aug 2012

Date First Published:
30 Oct 2012

Date Last Updated:
30 Oct 2012

Document Revision:
22

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.

VU#154307: Synel SY-780/A terminal denial-of-service vulnerability

Vulnerability Note VU#154307
Synel SY-780/A terminal denial-of-service vulnerability

Original Release date: 09 Jul 2012 | Last revised: 09 Jul 2012

Overview

Synel SY-780/A terminals contain a denial-of-service vulnerability when specific ports of the device are scanned.

Description

VU#149070: Symantec Endpoint Protection network threat protection module Microsoft IIS denial of service vulnerability

Vulnerability Note VU#149070
Symantec Endpoint Protection network threat protection module Microsoft IIS denial of service vulnerability

Original Release date: 05 Jun 2012 | Last revised: 05 Jun 2012

Overview

Symantec Endpoint Protection (SEP) Network Threat Protection module running on a Microsoft Internet Information Services (IIS) web…

VU#551715: Quagga contains multiple vulnerabilities