Newsflash: Multiple vulnerabilities in CTP platforms

 
Introduction
 
CVE-2010-1168, CVE-2011-3597, CVE-2012-5195, CVE-2012-6329, CVE-2008-5302, CVE-2008-5303, CVE-2010-0212, CVE-2012-5526, CVE-2015-3183, CVE-2011-1024, CVE-2010-2761, CVE-2010-4410, CVE-2013-4449: 2016-04 Security Bulletin: CTP Series: Multiple vulnerabilities in CTP Series. These issues can affect any CTP Series device running CTPOS 7.1R1 or earlier.
 
Explanation
 
CVE-2010-1168: The Safe (aka Safe.pm) module before 2.25 for Perl allows context-dependent attackers to bypass intended (1) Safe::reval and (2) Safe::rdo access restrictions, and inject and execute arbitrary code, via vectors involving implicitly called methods and implicitly blessed objects, as demonstrated by the (a) DESTROY and (b) AUTOLOAD methods, related to "automagic methods."
 
CVE-2011-3597: Eval injection vulnerability in the Digest module before 1.17 for Perl allows context-dependent attackers to execute arbitrary commands via the new constructor.
 
CVE-2012-5195: Heap-based buffer overflow in the Perl_repeatcpy function in util.c in Perl 5.12.x before 5.12.5, 5.14.x before 5.14.3, and 5.15.x before 5.15.5 allows context-dependent attackers to cause a denial of service (memory consumption and crash) or possibly execute arbitrary code via the 'x' string repeat operator.
 
CVE-2012-6329: The _compile function in Maketext.pm in the Locale::Maketext implementation in Perl before 5.17.7 does not properly handle backslashes and fully qualified method names during compilation of bracket notation, which allows context-dependent attackers to execute arbitrary commands via crafted input to an application that accepts translation strings from users, as demonstrated by the TWiki application before 5.1.3, and the Foswiki application 1.0.x through 1.0.10 and 1.1.x through 1.1.6.
 
CVE-2013-1667: The rehash mechanism in Perl 5.8.2 through 5.16.x allows context-dependent attackers to cause a denial of service (memory consumption and crash) via a crafted hash key.
 
CVE-2008-5302: Race condition in the rmtree function in File::Path 1.08 and 2.07 (lib/File/Path.pm) in Perl 5.8.8 and 5.10.0 allows local users to create arbitrary setuid binaries via a symlink attack, a different vulnerability than CVE-2005-0448, CVE-2004-0452, and CVE-2008-2827. NOTE: this is a regression error related to CVE-2005-0448. It is different from CVE-2008-5303 due to affected versions.
 
CVE-2008-5303: Race condition in the rmtree function in File::Path 1.08 (lib/File/Path.pm) in Perl 5.8.8 allows local users to delete arbitrary files via a symlink attack, a different vulnerability than CVE-2005-0448, CVE-2004-0452, and CVE-2008-2827. NOTE: this is a regression error related to CVE-2005-0448. It is different from CVE-2008-5302 due to affected versions.
 
CVE-2010-0212: OpenLDAP 2.4.22 allows remote attackers to cause a denial of service (crash) via a modrdn call with a zero-length RDN destination string, which is not properly handled by the smr_normalize function and triggers a NULL pointer dereference in the IA5StringNormalize function in schema_init.c, as demonstrated using the Codenomicon LDAPv3 test suite.
 
CVE-2012-5526: CGI.pm module before 3.63 for Perl does not properly escape newlines in (1) Set-Cookie or (2) P3P headers, which might allow remote attackers to inject arbitrary headers into responses from applications that use CGI.pm.
 
CVE-2015-3183: The chunked transfer coding implementation in the Apache HTTP Server before 2.4.14 does not properly parse chunk headers, which allows remote attackers to conduct HTTP request smuggling attacks via a crafted request, related to mishandling of large chunk-size values and invalid chunk-extension characters in modules/http/http_filters.c.
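As an added illustration of the strict chunk-header parsing that CVE-2015-3183 concerns (example code written for this newsflash, not taken from the Apache HTTP Server): the parser below accepts only RFC 7230 chunk-size lines, bounds the number of hex digits (an assumed limit of 8, since the page gives no figure) and refuses invalid chunk-extension characters instead of guessing at them.

```python
import re

# Assumed upper bound on hex digits in a chunk-size (8 digits keeps sizes
# below 2**32); the exact limit Apache applies is not given on this page.
MAX_HEX_DIGITS = 8

# RFC 7230: chunk-ext = *( BWS ";" BWS chunk-ext-name [ BWS "=" BWS chunk-ext-val ] )
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"      # token
_QUOTED = r'"(?:[\t !#-\[\]-~]|\\[\t -~])*"'  # quoted-string
_BWS = r"[ \t]*"                              # optional ("bad") whitespace
_CHUNK_EXT = re.compile(
    rf"(?:{_BWS};{_BWS}{_TOKEN}(?:{_BWS}={_BWS}(?:{_TOKEN}|{_QUOTED}))?)*"
)

class ChunkHeaderError(ValueError):
    """Raised for any chunk-size line a strict parser must refuse."""

def parse_chunk_size_line(line: bytes) -> int:
    """Parse one `chunk-size [chunk-ext] CRLF` line strictly and return the
    size; refuse a missing CRLF, a non-hex or oversized size, and any
    extension byte outside the RFC 7230 grammar rather than guessing."""
    if not line.endswith(b"\r\n"):
        raise ChunkHeaderError("chunk-size line must end with CRLF")
    body = line[:-2]
    # Count hex digits by hand: int(x, 16) would also accept "0x", "+", "_"
    # and surrounding whitespace, exactly the leniency to avoid here.
    n = 0
    while n < len(body) and chr(body[n]) in "0123456789abcdefABCDEF":
        n += 1
    if n == 0:
        raise ChunkHeaderError("chunk-size must start with a hex digit")
    if n > MAX_HEX_DIGITS:  # leading zeros count as well; stay conservative
        raise ChunkHeaderError("chunk-size has too many hex digits")
    size = int(body[:n], 16)
    try:
        ext = body[n:].decode("ascii")
    except UnicodeDecodeError:
        raise ChunkHeaderError("non-ASCII byte in chunk extension") from None
    if not _CHUNK_EXT.fullmatch(ext):  # also catches CR or LF inside the line
        raise ChunkHeaderError("malformed chunk extension")
    return size

def rejected(line: bytes) -> bool:
    """True when the strict parser refuses the (constructed) sample line."""
    try:
        parse_chunk_size_line(line)
    except ChunkHeaderError:
        return True
    return False
```

Feeding it constructed lines such as `b"1a;name=value\r\n"` (accepted, size 26) and `b"ffffffffff\r\n"` or `b"0x1a\r\n"` (both refused) shows the difference between a strict and a lenient chunk-size parser.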
 
CVE-2011-1024: chain.c in back-ldap in OpenLDAP 2.4.x before 2.4.24, when a master-slave configuration with a chain overlay and ppolicy_forward_updates (aka authentication-failure forwarding) is used, allows remote authenticated users to bypass external-program authentication by sending an invalid password to a slave server.
 
CVE-2010-2761: The multipart_init function in (1) CGI.pm before 3.50 and (2) Simple.pm in CGI::Simple 1.112 and earlier uses a hardcoded value of the MIME boundary string in multipart/x-mixed-replace content, which allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via crafted input that contains this value, a different vulnerability than CVE-2010-3172.
 
CVE-2010-4410: CRLF injection vulnerability in the header function in (1) CGI.pm before 3.50 and (2) Simple.pm in CGI::Simple 1.112 and earlier allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via vectors related to non-whitespace characters preceded by newline characters, a different vulnerability than CVE-2010-2761 and CVE-2010-3172.
 
CVE-2013-4449: The rwm overlay in OpenLDAP 2.4.23, 2.4.36, and earlier does not properly count references, which allows remote attackers to cause a denial of service (slapd crash) by unbinding immediately after a search request, which triggers rwm_conn_destroy to free the session context while it is being used by rwm_op_search.
 
Workaround
 
CVE-2010-1168, CVE-2011-3597, CVE-2012-5195, CVE-2012-6329, CVE-2008-5302, CVE-2008-5303, CVE-2010-0212, CVE-2012-5526, CVE-2015-3183, CVE-2011-1024, CVE-2010-2761, CVE-2010-4410, CVE-2013-4449: Use access lists or firewalls to limit access to the device only from trusted hosts.
 
Conclusion
 
CVE-2010-1168, CVE-2011-3597, CVE-2012-5195, CVE-2012-6329, CVE-2008-5302, CVE-2008-5303, CVE-2010-0212, CVE-2012-5526, CVE-2015-3183, CVE-2011-1024, CVE-2010-2761, CVE-2010-4410, CVE-2013-4449: These vulnerabilities are resolved in CTPOS 7.1R2, 7.2R1, and all subsequent releases.
 
Priority
 
CVE-2010-1168, CVE-2011-3597, CVE-2012-5195, CVE-2012-6329, CVE-2008-5302, CVE-2008-5303, CVE-2010-0212, CVE-2012-5526, CVE-2015-3183, CVE-2011-1024, CVE-2010-2761, CVE-2010-4410, CVE-2013-4449: High
 
For more information and assistance please contact Infradata by phone +31 (0)71 750 15 25 or by e-mail at support@infradata.nl.