ESB-2018.0219 - [Win][UNIX/Linux][Debian] openocd: Execute arbitrary code/commands - Remote with user interaction 2018-01-22


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0219
             openocd security update addresses a vulnerability
                              22 January 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           openocd
Publisher:         Debian
Operating System:  Debian GNU/Linux 8
                   Debian GNU/Linux 9
                   Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-5704  

Original Bulletin: 
   http://www.debian.org/security/2018/dsa-4093

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running openocd check for an updated version of the software for 
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-4093-1                   security@debian.org
https://www.debian.org/security/                                         
January 21, 2018                      https://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : openocd
CVE ID         : CVE-2018-5704
Debian Bug     : 887488

Josef Gajdusek discovered that OpenOCD, a JTAG debugger for ARM and MIPS,
was vulnerable to Cross Protocol Scripting attacks. An attacker could
craft an HTML page that, when visited by a victim running OpenOCD, could
execute arbitrary commands on the victim's host.

This fix also sets the OpenOCD default binding to localhost, instead of
every network interface. This can be changed with the added "bindto"
command argument.
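As an added example (not code from the Debian or AusCERT advisory): a small audit script that parses `ss -ltnp` output and flags any OpenOCD listener bound to a non-loopback address, which is the exposure that the new localhost default and the "bindto" command remove. The sample output is constructed, and the port numbers in it are OpenOCD's usual telnet/gdb/tcl defaults, assumed here rather than taken from the advisory.

```python
"""Audit a Linux host for OpenOCD listeners reachable from the network.

Added example, not part of either advisory. It parses `ss -ltnp` output and
reports every openocd socket that is not bound to a loopback address, i.e.
the pre-fix "all interfaces" behaviour. The sample below is constructed.
"""
import ipaddress
import re
import subprocess

# Constructed sample of `ss -ltnp` output. Ports 4444/3333/6666 are
# OpenOCD's usual telnet/gdb/tcl defaults (assumed, not from the advisory).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       1       0.0.0.0:4444         0.0.0.0:*          users:(("openocd",pid=1234,fd=5))
LISTEN  0       1       127.0.0.1:3333       0.0.0.0:*          users:(("openocd",pid=1234,fd=6))
LISTEN  0       1       [::]:6666            [::]:*             users:(("openocd",pid=1234,fd=7))
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=800,fd=3))
"""

# Extracts the process name from ss's users:(("name",pid=...,fd=...)) field.
PROCESS_RE = re.compile(r'users:\(\("([^"]+)"')


def split_host_port(local: str) -> tuple[str, int]:
    """Split ss's 'addr:port' field; IPv6 addresses arrive bracketed."""
    host, port = local.rsplit(":", 1)
    return host.strip("[]"), int(port)


def exposed_openocd_listeners(ss_output: str) -> list[tuple[str, int]]:
    """Return (address, port) for every openocd socket not bound to loopback."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "LISTEN":
            continue  # header row or non-listening socket
        match = PROCESS_RE.search(fields[5])
        if not match or match.group(1) != "openocd":
            continue
        host, port = split_host_port(fields[3])
        # "*" is ss's shorthand for the unspecified address: treat as exposed.
        if host != "*" and ipaddress.ip_address(host).is_loopback:
            continue
        exposed.append((host, port))
    return exposed


def audit_live_host() -> list[tuple[str, int]]:
    """Run ss on this machine and return its exposed OpenOCD listeners."""
    out = subprocess.run(["ss", "-ltnp"], capture_output=True, text=True, check=True).stdout
    return exposed_openocd_listeners(out)


if __name__ == "__main__":
    for host, port in exposed_openocd_listeners(SAMPLE_SS_OUTPUT):
        print(f"openocd listens on {host}:{port}; set 'bindto 127.0.0.1' in its config")
```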

For the oldstable distribution (jessie), this problem has been fixed
in version 0.8.0-4+deb7u1.

For the stable distribution (stretch), this problem has been fixed in
version 0.9.0-1+deb8u1.

We recommend that you upgrade your openocd packages.

For the detailed security status of openocd please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/openocd

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
