Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FW: @RISK: The Consensus Security Vulnerability Alert Vol. 4 No. 42



> 
> *****************************
> Widely Deployed Software
> *****************************
> 
> (1) CRITICAL: Snort Back Orifice Preprocessor Buffer Overflow
> Affected:
> Snort versions 2.4.x prior to 2.4.3
> 
> Description: Snort is a popular open-source intrusion detection and
> prevention system. Snort uses "preprocessors" to perform protocol
> decoding before the Snort detection engine is invoked. The preprocessor
> "bo" is used to detect traffic related to the Back Orifice backdoor.
> This preprocessor contains a stack-based buffer overflow that can be
> triggered by a specially crafted UDP packet (Back Orifice ping). The
> overflow can be exploited to execute arbitrary code on the Snort system
> with the same privileges used to run Snort, usually "root/SYSTEM".
> Injecting the malicious UDP packet in a network being protected by Snort
> is sufficient to exploit this overflow. Further, the UDP packet can be
> spoofed and have any source/destination ports, which may lead to
> bypassing firewalls. Exploit code has been posted.
> 
> Status: Vendor confirmed; version 2.4.3 has been released to address
> this issue. A workaround is to comment out the line "preprocessor bo"
> in snort.conf and restart snort. The workaround, however, will leave the
> network open to Back Orifice attacks, and should be used only if the
> fixed version cannot be installed. Please also check for updates for any
> third party products that use snort. The CERT Vulnerability Note can be
> used to track third party products that are vulnerable because they rely
> on Snort. At this time, Nortel Threat Protection System is reported to
> be vulnerable.
> 
> Council Site Actions:  Most of the reporting council sites are running
> the affected software and have already patched their systems.
> 
> References:
> ISS X-Force Advisory
> http://xforce.iss.net/xforce/alerts/id/207  
> Snort Advisory
> http://www.snort.org/pub-bin/snortnews.cgi#99  
> CERT Advisory and Vulnerability Note
> http://www.us-cert.gov/cas/techalerts/TA05-291A.html  
> http://www.kb.cert.org/vuls/id/175500  
> Exploit Code
> http://archives.neohapsis.com/archives/fulldisclosure/2005-10/att-0417/snort_bo_ping.pm
> Snort Preprocessors
> http://www.snort.org/docs/snort_htmanuals/htmanual_2.4/node11.html 
> SecurityFocus BID
> http://www.securityfocus.com/bid/15131  
> 
> ****************************************************************
> 
> (2) HIGH: Oracle Critical Patch Update October 2005
> Affected:
> Multiple Oracle Products (Refer to the Oracle Security Advisory)
> 
> Description: Oracle has released its critical patch update for multiple
> Oracle products including Database Server, application server,
> e-business suite, Collaboration Suite, Enterprise Manager and Peoplesoft
> products. The patch addresses more than 80 vulnerabilities ranging from
> PL/SQL injections to buffer overflows. According to NGSSoftware, one of
> the seven discoverers for the flaws patched in this update, some of the
> flaws can be exploited to completely compromise the database server. The
> technical details for the flaws have not been posted yet.
> 
> Council Site Actions: Many reporting council sites are using the
> affected software. Several of the sites are in the process of
> investigating the updates and doing regression testing. Others plan to
> patch during their next maintenance cycle.
> 
> References:
> Oracle Advisory
> http://www.oracle.com/technology/deploy/security/pdf/cpuoct2005.html  
> CERT Advisory
> http://www.us-cert.gov/cas/techalerts/TA05-292A.html 
> NGSSoftware Advisory
> http://archives.neohapsis.com/archives/bugtraq/2005-10/0217.html
> Posting by Alexander (Red Database Security)
> http://archives.neohapsis.com/archives/fulldisclosure/2005-10/0421.html
> http://archives.neohapsis.com/archives/fulldisclosure/2005-10/0420.html
> Integrigy Analysis
> http://www.integrigy.com/info/IntegrigySecurityAnalysis-CPU1005.pdf  
> SecurityFocus BID
> http://www.securityfocus.com/bid/15134 
> 
> ****************************************************************
> 
> ************************
> Other Software
> ************************
> 
> (3) HIGH: GFi MailSecurity Web Module Overflow
> Affected:
> GFi MailSecurity version 8.1
> 
> Description: GFi MailSecurity uses multiple virus scanning engines to
> scan emails for viruses, Trojans, spyware and malicious attachments. The
> product can be used as an SMTP gateway or integrates with Exchange
> 2000/2003 server. The product offers a web interface for configuration
> and managing quarantine emails. This web interface contains a buffer
> overflow that can be triggered by overlong HTTP headers. An
> unauthenticated attacker can exploit the overflow to execute arbitrary
> code on the mail server with SYSTEM privileges. Note that this product
> is likely to be deployed in an enterprise DMZ. Hence, successful
> exploitation grants an attacker a foothold in the DMZ for launching
> further attacks.
> 
> Status: Vendor confirmed; updates available.
> 
> Council Site Actions: The affected software and/or configuration are not
> in production or widespread use, or are not officially supported at any
> of the council sites. They reported that no action was necessary.
> 
> References:
> Sec-1 Advisory
> http://archives.neohapsis.com/archives/vuln-dev/2005-q4/0007.html  
> Product Homepage
> http://www.gfi.com/mailsecurity/ 
> SecurityFocus BID
> http://www.securityfocus.com/bid/15081 
> 
> ****************************************************************
> 
> ****************************************************************
> 
> *************
> Exploits
> *************
> 
> (8) RSA WebAgent Buffer Overflow 
> 
> Council Site Actions: The affected software and/or configuration are not
> in production or widespread use, or are not officially supported at any
> of the council sites. They reported that no action was necessary.
> 
> References:
> Exploit Code targeting IIS servers
> http://metasploit.com/projects/Framework/modules/exploits/rsa_iiswebagent_redirect.pm
> Previous @RISK Posting
> http://www.sans.org/newsletters/risk/display.php?v=4&i=19#other2 (Rating: HIGH)
> 
> ****************************************************************
> 
> (9) Computer Associates CAM Unicenter Overflow
> 
> Council Site Actions: Only one council site is using the affected
> software. They are currently investigating with their Windows support
> group on the appropriate action. The related traffic is blocked at their
> network perimeter points.
> 
> References:
> Exploit Code for Windows Platform
> http://metasploit.com/projects/Framework/modules/exploits/cacam_logsecurity_win32.pm
> Posting by Computer Associates
> http://archives.neohapsis.com/archives/bugtraq/2005-10/0225.html 
> Previous @RISK Newsletter Posting
> http://www.sans.org/newsletters/risk/display.php?v=4&i=34#widely1 (Rating: HIGH)
> 
> ****************************************************************
> 
> (10) Veritas NetBackup Format String Vulnerability
> 
> References:
> Exploit Code
> http://www.frsirt.com/exploits/20051020.VERITAS-Linux.pl.php 
> http://www.frsirt.com/exploits/20051020.VERITAS-WIN32.pl.php 
> http://www.frsirt.com/exploits/20051020.VERITAS-OSX.pl.php
> Previous @RISK Newsletter Posting
> http://www.sans.org/newsletters/risk/display.php?v=4&i=41#other3 (Rating: HIGH)
> 
> ******************************************************************
> 
> (11) MailEnable IMAP SELECT Request Overflow
> 
> Council Site Actions: The affected software and/or configuration are not
> in production or widespread use, or are not officially supported at any
> of the council sites. They reported that no action was necessary.
> 
> References:
> Exploit Code
> http://metasploit.com/projects/Framework/modules/exploits/mailenable_imap.pm
> Previous @RISK Newsletter Posting
> http://www.sans.org/newsletters/risk/display.php?v=4&i=28#other1 (Rating: MODERATE)
> 
> ****************************************************************
> 
> Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
> Week 42, 2005
> 
> This list is compiled by Qualys ( www.qualys.com ) as part of that
> company's ongoing effort to ensure its vulnerability management web
> service tests for all known vulnerabilities that can be scanned. As of
> this week Qualys scans for 4587 unique vulnerabilities. For this
> special SANS community listing, Qualys also includes vulnerabilities
> that cannot be scanned remotely.
> 
> ______________________________________________________________________
> 
> 05.42.1 CVE: Not Available
> Platform: Windows
> Title: Windows Unspecified Remote Code Execution
> Description: Microsoft Windows is vulnerable to an unspecified remote
> code execution in a default installation of Media Player and Internet
> Explorer. Windows NT, 2000, XP SP1, SP2 and Windows 2003 SP0 and SP1
> are reported to be vulnerable.
> Ref: http://www.eeye.com/html/research/upcoming/20051017.html 
> ______________________________________________________________________
> 
> 05.42.2 CVE: Not Available
> Platform: Third Party Windows Apps
> Title: WinRAR Command Line Buffer Overflow
> Description: RARLAB WinRAR is a compression application. It is
> vulnerable to a buffer overflow issue in the command line processing
> functionality when processing a long archive name parameter. RARLAB
> WinRAR versions 3.50 and earlier are vulnerable.
> Ref: http://www.rarlabs.com/rarnew.htm 
> ______________________________________________________________________
> 
> 
> 05.42.5 CVE: Not Available
> Platform: Third Party Windows Apps
> Title: Symantec Brightmail AntiSpam Malformed MIME Message Denial Of
> Service
> Description: Symantec Brightmail AntiSpam runs at the gateway. It is
> vulnerable to a denial of service issue due to a failure of the
> application to properly handle certain malformed MIME content. A
> remote attacker could crash the application by exploiting this issue.
> Symantec Brightmail AntiSpam version 6.0 builds 1 and 2 are vulnerable
> to this issue.
> Ref: http://www.symantec.com/avcenter/security/Content/2005.10.12d.html
> ______________________________________________________________________
> 
> 05.42.12 CVE: CAN-2005-3120
> Platform: Unix
> Title: Lynx NNTP Article Header Buffer Overflow
> Description: Lynx is affected by a buffer overflow issue when handling
> NNTP article headers. The issue exists in the "HTrjis()" function
> where data from NNTP article headers are copied into a finite
> stack-based buffer without sufficient bounds checking on the size of
> the source data.
> Ref: http://www.securityfocus.com/archive/1/413590 
> ______________________________________________________________________
> 
> 05.42.13 CVE: CAN-2005-3185
> Platform: Unix
> Title: Multiple Vendor WGet/Curl NTLM Username Buffer Overflow
> Vulnerability
> Description: GNU wget is a software package for retrieving files using
> HTTP, HTTPS and FTP. CURL is a command line tool for transferring
> files with URL syntax, supporting FTP, FTPS, HTTP, HTTPS, GOPHER,
> TELNET, DICT, FILE and LDAP. They are reported to be vulnerable to a
> buffer overflow issue due to improper boundary checking on user
> supplied data.
> Ref: http://www.securityfocus.com/bid/15102 
> ______________________________________________________________________
> 
> 05.42.14 CVE: Not Available
> Platform: Cross Platform
> Title: Oracle Workflow Multiple Unspecified Cross-Site Scripting
> Vulnerabilities
> Description: Oracle Workflow is a business process management solution
> embedded in the Oracle database. It is prone to multiple unspecified
> cross-site scripting vulnerabilities due to insufficient sanitization
> of user-supplied input. Oracle Workflow versions 11.5.9.5 and 11.5.1
> are reported to be affected.
> Ref: http://www.securityfocus.com/bid/15139 
> ______________________________________________________________________
> 
> 05.42.15 CVE: Not Available
> Platform: Cross Platform
> Title: Snort Back Orifice Preprocessor Remote Stack Buffer Overflow
> Description: Snort is an open source intrusion detection system. It is
> susceptible to a remote buffer overflow vulnerability due to a failure
> of the application to securely copy network-derived data into
> sensitive process buffers. This issue presents itself when the Back
> Orifice preprocessor attempts to determine the direction of network
> packets in relation to a server. A stack-based buffer overflow may be
> triggered. Snort versions 2.4.0 through 2.4.2 are affected by this
> issue.
> Ref: http://www.kb.cert.org/vuls/id/175500 
> ______________________________________________________________________
> 
> 05.42.16 CVE: Not Available
> Platform: Cross Platform
> Title: Opera Web Browser Multiple Denial of Service Vulnerabilities
> Description: Opera Web browser is vulnerable to multiple denial of
> service issues when the browser attempts to process malformed HTML
> content such as a "U" HTML tag with an overly long argument. Opera Web
> Browser versions 8.0 2 and earlier are reported to be vulnerable.
> Ref: http://www.securityfocus.com/bid/15124/info 
> ______________________________________________________________________
> 
> 05.42.18 CVE: Not Available
> Platform: Cross Platform
> Title: Mozilla Thunderbird Insecure SMTP Authentication
> Description: Thunderbird is a cross-platform mail client. It is prone
> to an insecure SMTP authentication protocol negotiation weakness. The
> PLAIN and CRAM-MD5 authentication combined with secure SMTP over TLS
> for encryption is exploitable when the application uses PLAIN
> authentication if CRAM-MD5 or STARTTLS between a client and a server
> cannot be established. Thunderbird does not warn users about the
> failure and sends authentication credentials to a server in an
> insecure manner. Mozilla Thunderbird versions 1.0.7 and 1.5 Beta 2 are
> reported to be vulnerable.
> Ref: http://www.henlich.de/moz-smtp/ 
> ______________________________________________________________________
> 
> 05.42.21 CVE: Not Available
> Platform: Cross Platform
> Title: Clam Anti-Virus File Handling Denial Of Service
> Description: ClamAV is an anti-virus application. It is vulnerable to
> a denial of service issue due to a failure in the application to
> handle malformed OLE2 files.
> The problem presents itself when malformed OLE2 files (DOC files) are
> being scanned. Clam Anti-Virus ClamAV 0.87-1 is vulnerable.
> Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=333566 
> ______________________________________________________________________
> 
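The Thunderbird item above (05.42.18) describes a mail client that silently sends PLAIN credentials when STARTTLS or CRAM-MD5 cannot be negotiated. As an added example, not part of the forwarded newsletter or of Thunderbird's own code, the following Python models the fail-closed mechanism selection a client should apply instead; the EHLO replies are constructed samples and the function names are hypothetical.

```python
"""Fail-closed SMTP AUTH mechanism selection (added example).

Policy: PLAIN is only acceptable once TLS is actually established on the
session; CRAM-MD5 is tolerated on cleartext because the password itself
never crosses the wire; anything else is refused rather than downgraded.
"""


class AuthDowngradeError(Exception):
    """Raised instead of silently sending credentials in the clear."""


def parse_ehlo(ehlo_reply: str) -> tuple[bool, set[str]]:
    """Return (starttls_offered, auth_mechanisms) from an EHLO reply.

    Reply lines look like '250-STARTTLS' or '250-AUTH PLAIN CRAM-MD5'.
    """
    starttls = False
    mechs: set[str] = set()
    for line in ehlo_reply.splitlines():
        body = line[4:].strip().upper()  # drop the '250-' / '250 ' prefix
        if body == "STARTTLS":
            starttls = True
        elif body.startswith("AUTH "):
            mechs.update(body.split()[1:])
    return starttls, mechs


def choose_auth(ehlo_reply: str, tls_established: bool) -> str:
    """Pick an AUTH mechanism, or raise rather than downgrade.

    tls_established must come from the session's real TLS state, never
    from the EHLO text: a server (or an intermediary) can advertise
    STARTTLS and still leave the session in cleartext.
    """
    starttls, mechs = parse_ehlo(ehlo_reply)
    if tls_established and "PLAIN" in mechs:
        return "PLAIN"
    if "CRAM-MD5" in mechs:
        return "CRAM-MD5"
    if "PLAIN" in mechs:
        hint = " (STARTTLS advertised but not established)" if starttls else ""
        raise AuthDowngradeError("only PLAIN offered on a cleartext session" + hint)
    raise AuthDowngradeError("no acceptable AUTH mechanism offered")


# Constructed sample EHLO replies (not captured from any real server).
EHLO_FULL = ("250-mail.example.invalid\r\n250-STARTTLS\r\n"
             "250-AUTH PLAIN CRAM-MD5\r\n250 8BITMIME")
# A degraded session in which only PLAIN remains on offer.
EHLO_STRIPPED = "250-mail.example.invalid\r\n250-AUTH PLAIN\r\n250 8BITMIME"
```

Calling `choose_auth(EHLO_STRIPPED, False)` raises `AuthDowngradeError`, which is the point at which a client should warn the user rather than proceed.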
Copyright © Lexa Software, 1996-2009.