Affected software: Appweb Web Server
CVE ID: CVE-2014-9708
Description: An HTTP request with a Range header of the form "Range: x=," (i.e. with an empty range value) causes a null pointer dereference, leading to a remotely triggerable DoS.
Fixed versions: 4.6.6, 5.2.1
Bug entry: https://github.com/embedthis/appweb/issues/413
Fix: https://github.com/embedthis/appweb/commit/7e6a925f5e86a19a7934a94bbd6959101d0b84eb#diff-7ca4d62c70220e0e226e7beac90c95d9L17348
Reported by: Matthew Daley
Source: http://dl.packetstormsecurity.net/1503-exploits/appweb-dos.txt
Another security advisory covering Siemens industrial kit has reached the public, this time covering wireless industrial networking hardware. ICS-CERT advises that the Ruggedcom range of 802.16e (WiMAX, for those with long memories) switches from the company carries a range of vulnerabilities that let attackers grant themselves admin privileges. The vulnerabilities are:

CVE-2015-1448 – attackers can get administrative access to the kit over the network, without authentication;
CVE-2015-1449 – a buffer overflow in the integrated Web server means an attacker reaching port 443 might get remote code execution;
CVE-2015-1357 – a real treat: password hashes and other sensitive information “might” be stored in an insecure format and be accessible from local files or security logs.

Products impacted are in the company's WIN 51xx, WIN 52xx, WIN 70xx and WIN 72xx series. These are WiMAX base stations designed for harsh-environment deployments. The ICS-CERT note puts the kit in a wide range of industries worldwide, including chemical, communications, critical manufacturing, dams, defence, energy, food and agriculture, government facilities, transportation systems, and water and wastewater systems.

Siemens is asking customers to get in touch (via an online support request) to obtain a firmware update. In a separate advisory, the company also updated the firmware for its Scalance-X switches (which connect things like programmable logic controllers to the control interfaces) to block yet another authentication failure in the Web interface.