October 03, 2007 - Current Activity

Axis IP Camera Vulnerabilities

US-CERT is aware of several publicly reported cross-site scripting and cross-site request forgery vulnerabilities in Axis IP cameras. Currently, these vulnerabilities have not been confirmed by US-CERT.

US-CERT encourages users to implement the following best-practice security policies to reduce the risk of cross-site scripting vulnerabilities:

• Do not save passwords for the affected devices.
  
• Use NoScript to allow only trusted sites to execute JavaScript.
• Restrict device access to only private, trusted networks.
• Do not navigate to other websites while logged into the device.
  
• Filter known cross-site scripting vulnerabilities with an application firewall, intrusion prevention system or reverse proxy.

Google's Gmail XSRF Vulnerability

US-CERT is aware of a publicly reported cross-site request forgery vulnerability in Google's Gmail. A cross-site request forgery vulnerability may allow a request from an attacker to be interpreted as originating from an authenticated user.  Public reports indicate that this vulnerability may allow an attacker to create arbitrary filters for a user's Gmail account.  

More information regarding this vulnerability can be found in Vulnerability Note VU#571584.

Apple Releases Update for iPhone

Apple has released an update to address several vulnerabilities in the iPhone. These vulnerabilities may allow an attacker to execute arbitrary code or commands, cause a denial-of-service condition, or conduct cross-site scripting attacks on an affected device.

More information about these vulnerabilities and the iPhone v1.1.1 update can be found in the Apple update advisory.

US-CERT strongly encourages users to review the advisory and follow best-practice security policies to determine what updates should be applied.

CA BrightStor Hierarchical Storage Manager Vulnerabilities

US-CERT is aware of several vulnerabilities that affect the CA BrightStor Hierarchical Storage Manager version r11.5.  These vulnerabilities may allow an attacker to execute arbitrary code or gain control of the system.

More information regarding these vulnerabilities can be found in the CA BrightStor Hierarchical Storage Manager CsAgent Security Notice.

US-CERT recommends that users upgrade to the latest version to help mitigate the security risks.

Cisco Products Loopback Vulnerability

Cisco has released a Security Response regarding a vulnerability in the way that Cisco Catalyst 6500 and Cisco 7600 series devices use addresses from the loopback range. Cisco reports that an attacker can exploit this to bypass access control lists.

US-CERT encourages users to apply the workarounds and software updates as listed in the Cisco Security Response.

US-CERT will provide additional information as it becomes available.

CA ARCserve Backup for Laptops and Desktops contains multiple vulnerabilities

US-CERT is aware of several vulnerabilities that affect the CA ARCserve Backup for Laptops and Desktops product. These vulnerabilities may allow an attacker to execute arbitrary code, bypass authentication, or cause a denial-of-service condition.

More information regarding these vulnerabilities and which applications are affected can be found in the CA Security Advisor "CA ARCserve Backup for Laptops and Desktops Multiple Server Vulnerabilities" document.

US-CERT recommends that users upgrade to the latest versions to help mitigate the security risks.

Google Search Appliance Vulnerability

US-CERT is aware of a publicly reported cross-site scripting (XSS) vulnerability in Google's search appliance. Cross-site scripting vulnerabilities may allow a remote, unauthenticated attacker to inject malicious script into a web page.

US-CERT encourages users to follow best-practice security policies as described in the Securing Your Web Browser document.

US-CERT will provide additional information as it becomes available.