>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> CA BrightStor ARCserve is in the penalty box again this week. The
> number of critical vulnerabilities in CA's back-up products is deeply
> troubling because many organizations using CA software do not patch
> their back-up products and many more do not even know about the
> vulnerabilities in CA backup products. Yet organizations put
> their most
> sensitive data on their back-ups.
>
>
> *****************************
> Widely-Deployed Software
> *****************************
>
> (1) CRITICAL: Computer Associates BrightStor ARCserve
> Multiple Buffer Overflows
> Affected:
> Computer Associates BrightStor ARCserve Backup versions 9.01,
> r11, r11.1, r11.5, r11.5 SP2
> Computer Associates Enterprise Backup version r10.5
> Computer Associates Server Protection Suite r2
> Computer Associates Business Protection Suite r2
>
> Description: Computer Associates BrightStor ARCserve Backup contains
> multiple buffer overflows in its handling of Sun RPC requests. Sun RPC
> is an Internet-standard remote procedure call (RPC) mechanism. By
> sending an RPC request to the affected system containing
> specially-crafted strings, an attacker can trigger any of these buffer
> overflows. Successfully exploiting these buffer overflows
> will allow an
> attacker to execute arbitrary code with the privileges of the
> vulnerable
> process. The affected process runs on an arbitrary TCP port; this port
> can be discovered via the Sun RPC "portmap" mechanism.
>
> Status: Computer Associates confirmed, updates available.
>
> Council Site Actions:
>
> References:
> Computer Associates Advisory
> http://archives.neohapsis.com/archives/bugtraq/2007-04/0456.html
> Zero Day Initiative Advisory
> http://zerodayinitiative.com/advisories/ZDI-07-022.html
> Wikipedia Article on Sun RPC
> http://en.wikipedia.org/wiki/ONC_RPC
> SecurityFocus BID
> http://www.securityfocus.com/bid/23635
>
> *********************************************************************
>
> (2) HIGH: QuickTime Java Remote Code Execution Vulnerability
> Affected:
> QuickTime on Mac and Windows systems
>
> Description: QuickTime player, a very widely used multimedia player,
> installs its own Java libraries. The Java library installed
> by QuickTime
> contains a vulnerability that can be exploited to execute
> arbitrary code
> on a Windows or Mac system. The exploitation can occur when a user
> visits a malicious webpage with a Java-enabled web browser. Note that
> QuickTime must be installed to use an Apple iPod; therefore
> the install
> base of QuickTime is in the millions of users. Most web browsers are
> Java-enabled by default. Hence, this flaw can be exploited to
> compromise
> millions of computer systems. The vulnerability was demonstrated to
> conduct a successful 0-day attack against a fully patched Mac OS X
> system at the CanSecWest security conference. The technical details of
> the vulnerability are not publicly available. Blog and other postings
> indicate that researchers are working towards uncovering the flaw.
>
> Status: Apple has been provided with the vulnerability details. A
> workaround is to disable the Java support for web browsers.
>
> Council Site Actions:
>
> References:
> ZDNet Article
> http://blogs.zdnet.com/security/?p=177
> ZDNet Blog Posting
> http://blogs.zdnet.com/security/?p=174
> SecurityFocus BID
> http://www.securityfocus.com/bid/23608
>
> **************************************************************
> *****************
>
> (3) HIGH: Asterisk SIP Processing Multiple Vulnerabilities
> Affected:
> Asterisk versions prior to 1.2.18
> Asterisk versions prior to 1.4.3
>
> Description: Asterisk, a popular open source Voice-over-IP (VoIP)
> telephony platform, contains multiple vulnerabilities:
>
> (1) Two stack-based buffer overflows exist in the handling of
> "T38FaxRateManagement" and "T38FaxUdpEC" SDP parameters. A
> specially-crafted SDP packet containing one of these parameters can
> trigger a buffer overflow. Successfully exploiting any of these buffer
> overflows will allow an attacker to execute arbitrary code with the
> privileges of the Asterisk process. Note that T38 fax
> functionality must
> be enabled on the Asterisk system for the system to be vulnerable.
>
> (2) Asterisk fails to properly handle certain malformed responses from
> remote SIP endpoints. A malicious endpoint sending an invalid UDP
> response could cause an Asterisk process to die. This could prevent
> further telephony service. Note that, because Asterisk is
> open source,
> technical details for these vulnerabilities are available via source
> code analysis. Additionally, proofs-of-concept and technical
> details are
> publicly available for some of these vulnerabilities.
>
> Status: Asterisk confirmed, updates available.
>
> Council Site Actions:
>
> References:
> Asterisk Security Advisories
> http://archives.neohapsis.com/archives/bugtraq/2007-04/0443.html
> http://archives.neohapsis.com/archives/bugtraq/2007-04/0442.html
> http://www.securityfocus.com/archive/1/466911
> Proofs of Concept
> http://downloads.securityfocus.com/vulnerabilities/exploits/23
> 648-1.txt
> http://downloads.securityfocus.com/vulnerabilities/exploits/23
> 648-2.txt
> Asterisk Home Page
> http://www.asterisk.org
> SecurityFocus BIDs
> http://www.securityfocus.com/bid/23649
> http://www.securityfocus.com/bid/23648
> http://www.securityfocus.com/bid/23093
>
> **************************************************************
> *****************
>
> (4) MODERATE: Courier IMAP Server Remote Command Execution
> Affected:
> Courier IMAP Server versions prior to 4.0.6-r2
>
> Description: The Courier IMAP server, a popular open source
> mail server,
> contains a remote command execution vulnerability. Several
> scripts used
> by the IMAP server fail to properly sanitize the "XMAILDIR" variable.
> By sending a specially-crafted request, it is suspected that
> an attacker
> could execute arbitrary shell commands with root privileges. However,
> it has not been confirmed that this vulnerability is
> exploitable without
> authenticated access.
>
> Status: The latest version of Courier IMAP is confirmed to not be
> vulnerable. However, there is not been an official
> confirmation of this
> vulnerability in the Courier IMAP change log.
>
> Council Site Actions:
>
> References:
> Gentoo Security Advisory
> http://www.gentoo.org/security/en/glsa/glsa-200704-18.xml
> Gentoo Bug Tracking
> http://bugs.gentoo.org/show_bug.cgi?id=168196
> SecurityFocus BID
> http://www.securityfocus.com/bid/23589
>
> **************************************************************
> *****************
>
> ****************
> Other Software
> ****************
>
> (5) HIGH: 3proxy Buffer Overflow
> Affected:
> 3proxy versions prior to 0.5.3h
>
> Status: 3proxy is a popular cross-platform web proxy, supporting
> multiple platforms and operating systems. 3proxy fails to properly
> handle certain overly-long requests. A specially-crafted
> request to the
> proxy could trigger a buffer overflow, and allow arbitrary code
> execution with the privileges of the 3proxy process. Note
> that, because
> 3proxy is open source, technical details for this vulnerability are
> available via source code analysis.
>
> Status: 3proxy confirmed, updates available.
>
> Council Site Actions:
>
> References:
> Posting by Vladimir Dubrovin
> http://archives.neohapsis.com/archives/bugtraq/2007-04/0394.html
> 3proxy Change Log
> http://3proxy.ru/0.5.3i/Changelog.txt
> 3proxy Home Page
> http://3proxy.ru
> SecurityFocus BID
> http://www.securityfocus.com/bid/23545
>
> **************************************************************
> *****************
>
> (6) MODERATE: Multiple Cisco Products PHP Buffer Overflow
> Affected:
> Cisco Network Analysis Modules for Cisco 6500 switches and
> 7600 routers
> Cisco CiscoWorks Wireless LAN Solution Engine and Engine Express
> Cisco Unified Application Environment
> Cisco Hosting Solution Engine
>
> Description: The version of PHP included with certain Cisco products
> contains a well-known vulnerability that has been patched in
> more recent
> versions of PHP. A specially-crafted request to the portion of the
> system utilizing PHP could result in a buffer overflow. Successfully
> exploiting this buffer overflow could lead to arbitrary code execution
> with the privileges of the PHP process.
>
> Status: Cisco confirmed, updates available.
>
> Council Site Actions:
>
> References:
> Cisco Security Advisory
> http://www.cisco.com/warp/public/707/cisco-sr-20070425-http.shtml
> Cisco Applied Intelligence Document
> http://www.cisco.com/warp/public/707/cisco-air-20070425-http.shtml
> Hardened PHP Advisory
> http://www.hardened-php.net/advisory_132006.138.html
> Previous @RISK Entry (details a similarly affected product)
> http://www.sans.org/newsletters/risk/display.php?v=5&i=48#widely4
> SecurityFocus BID
> http://www.securityfocus.com/bid/20879
>
> **************************************************************
> *****************
>
> Part II - Comprehensive List of Newly Discovered Vulnerabilities from
> Qualys (www.qualys.com)
> Week 18, 2007
>
> This list is compiled by Qualys ( www.qualys.com ) as part of that
> company's ongoing effort to ensure its vulnerability management web
> service tests for all known vulnerabilities that can be scanned. As of
> this week Qualys scans for 5436 unique vulnerabilities. For this
> special SANS community listing, Qualys also includes vulnerabilities
> that cannot be scanned remotely.
>
>
> 07.18.9 CVE: Not Available
> Platform: Third Party Windows Apps
> Title: Adobe Photoshop Multiple File Format Buffer Overflow
> Description: Adobe Photoshop is an application that allows users to
> view and edit various graphic formats. The application is exposed to a
> buffer overflow issue because it fails to bounds check user-supplied
> data before copying it into an insufficiently sized buffer. Adobe
> Photoshop versions CS2 and CS3 are affected.
> Ref: http://www.securityfocus.com/bid/23621
> ______________________________________________________________________
>
> 07.18.10 CVE: Not Available
> Platform: Third Party Windows Apps
> Title: Corel Paint Shop Pro Photo Malformed CLP File Buffer Overflow
> Description: Corel Paint Shop Pro Photo is an application that allows
> users to view and edit various graphic formats. The application is
> exposed to a buffer overflow issue because it fails to bounds check
> user-supplied data before copying it into an insufficiently sized
> buffer. Corel Paint Shop Pro Photo version 11.20 is affected.
> Ref: http://www.securityfocus.com/bid/23604
> ______________________________________________________________________
>
> 07.18.11 CVE: Not Available
> Platform: Third Party Windows Apps
> Title: WSFTP Null Pointer Dereference Remote Denial of Service
> Description: WSFTP is a file transfer protocol application available
> for multiple Microsoft Windows platforms. The application is exposed
> to a remote denial of service issue because the application fails to
> handle exceptional conditions. Ipswitch WS_FTP Home 2007 and Server
> Professional 2007 are affected.
> Ref: http://www.securityfocus.com/archive/1/466576
> ______________________________________________________________________
>
>
> 07.18.17 CVE: Not Available
> Platform: Unix
> Title: Courier-IMAP XMAILDIR Shell Command Injection
> Description: Courier-IMAP is an IMAP daemon for Linux and UNIX
> systems. The application is exposed to a shell command injection issue
> because it fails to properly sanitize user-supplied input to the
> "XMAILDIR" variable. Courier-IMAP versions for Gentoo prior to
> 4.0.6-r2 are affected.
> Ref: http://bugs.gentoo.org/show_bug.cgi?id=168196
> ______________________________________________________________________
>
> 07.18.18 CVE: Not Available
> Platform: Unix
> Title: FreePBX SIP Packet Multiple HTML Injection Vulnerabilities
> Description: FreePBX is a web-based configuration tool for the open
> source Asterisk PBX. The application is exposed to multiple HTML
> injection issues because it fails to properly sanitize user-supplied
> input from Asterisk's log files before using it in dynamically
> generated content. The FreePBX 2.2 series is affected.
> Ref: http://www.securityfocus.com/bid/23575
> ______________________________________________________________________
>
> 07.18.20 CVE: Not Available
> Platform: Cross Platform
> Title: Multiple Web Browsers Digest Authentication HTTP Response
> Splitting
> Description: Multiple web browsers are prone to an HTTP response
> splitting vulnerability. This issue is caused by a failure to properly
> sanitize user-supplied input before using it to create dynamic
> content. Microsoft Internet Explorer version 7.0.5730.11 and Mozilla
> Firefox version 2.0.0.3 are affected.
> Ref: http://www.securityfocus.com/bid/23668
> ______________________________________________________________________
>
>
> 07.18.22 CVE: Not Available
> Platform: Cross Platform
> Title: Apple QuickTime MP4 FlipFileTypeAtom_BtoN Integer Overflow
> Description: Apple QuickTime is a media player that supports multiple
> file formats. The application is exposed to an integer overflow issue
> because it fails to properly verify user-supplied input in the
> "FlipFileTypeAtom_BtoN()" function when the application processes
> malicious MP4 files. Apple QuickTime Player versions 7.1.5 and earlier
> are affected.
> Ref: http://security-protocols.com/sp-x46-advisory.php
> ______________________________________________________________________
>
> 07.18.23 CVE: CVE-2007-2029
> Platform: Cross Platform
> Title: Clam AntiVirus ClamAV PDF Handling Remote Denial of Service
> Description: ClamAV is an antivirus application for Microsoft Windows
> and UNIX like operating systems. The application is exposed to a
> remote denial of service issue because of a file descriptor leakage
> when handling malicious PDF files.
> Ref: http://www.securityfocus.com/bid/23656
> ______________________________________________________________________
>
> 07.18.25 CVE: Not Available
> Platform: Cross Platform
> Title: Apple QuickTime MOV File JVTCompEncodeFrame Heap Overflow
> Description: Apple QuickTime is a media player that supports multiple
> file formats. The application is exposed to a heap overflow issue
> because it fails to properly bounds check user-supplied input. Apple
> QuickTime Player versions 7.1.5 and earlier are affected.
> Ref: http://security-protocols.com/sp-x45-advisory.php
> ______________________________________________________________________
>
> 07.18.26 CVE: CVE-2007-2139
> Platform: Cross Platform
> Title: Computer Associates BrightStor ArcServe Media Server Multiple
> Remote Buffer Overflow Vulnerabilities
> Description: Computer Associates BrightStor ARCserve Backup products
> provide backup and restore protection. The application is exposed to
> multiple remote buffer overflow issues because it fails to properly
> bounds check user-supplied data before copying it into an
> insufficiently sized memory buffer.
> Ref: http://www.zerodayinitiative.com/advisories/ZDI-07-022.html
> http://www.kb.cert.org/vuls/id/979825
> ______________________________________________________________________
>
> 07.18.28 CVE: Not Available
> Platform: Cross Platform
> Title: ACDSee XPMHeaders Buffer Overflow
> Description: ACDSee is a photo viewer available for multiple
> platforms. The application is exposed to a buffer overflow issue
> because it fails to bounds check user-supplied input before copying it
> into an insufficiently sized buffer. ACDSee version 9.0 is affected.
> Ref: http://www.securityfocus.com/bid/23620
> ______________________________________________________________________
>
> 07.18.29 CVE: Not Available
> Platform: Cross Platform
> Title: XnView XPMHeaders Buffer Overflow
> Description: XnView is a photo viewer application available for
> multiple platforms. The application is exposed to a buffer overflow
> issue because it fails to bounds check user-supplied input before
> copying it into an insufficiently sized buffer. XnView version
> 1.90.3 is affected.
> Ref: http://www.securityfocus.com/bid/23625
> ______________________________________________________________________
>
> 07.18.89 CVE: Not Available
> Platform: Network Device
> Title: Asterisk SIP T.38 SDP Parsing Remote Stack Buffer Overflow
> Vulnerabilities
> Description: Asterisk is a private branch exchange (PBX) application
> available for Linux, BSD and Mac OS X platforms. The application is
> exposed to multiple remote buffer overflow issues because it fails to
> perform adequate boundary checks on user-supplied data before copying
> it to insufficiently sized buffers. Asterisk versions prior
> to Asterisk
> Open Source version 1.4.3, AsteriskNOW Beta 6, and Asterisk Appliance
> Developer Kit version 0.4.0 are affected.
> Ref: http://www.securityfocus.com/archive/1/466883
> ______________________________________________________________________
>
> 07.18.90 CVE: Not Available
> Platform: Network Device
> Title: Asterisk ManagerInterface Manager.Conf Remote Denial of Service
> Description: Asterisk is a private branch exchange (PBX) application
> available for Linux, BSD and Mac OS X platforms. The application is
> exposed to a remote denial of service issue because it fails to handle
> exceptional conditions. Asterisk versions prior to Business Edition
> B.1.3.3 are affected.
> Ref: http://www.securityfocus.com/archive/1/466911
> ______________________________________________________________________
>
> 07.18.92 CVE: Not Available
> Platform: Network Device
> Title: Linksys SPA941 7 Character Denial of Service
> Description: Linksys SPA941 phones are VOIP enabled telephony
> products. Linksys SPA941 phones are exposed to a remote denial of
> service issue when handling SIP messages containing the character "7".
> Linksys SPA941 with firmware version 5.1.5 is affected.
> Ref: http://www.securityfocus.com/bid/23619
> ______________________________________________________________________
>
> 07.18.93 CVE: Not Available
> Platform: Network Device
> Title: IPv6 Protocol Type 0 Route Header Denial of Service
> Description: IPv6 protocol implementations are prone to a denial of
> service issue due to a design error. The issue exists in the IPv6 type
> 0 route headers of vulnerable protocol implementations.
> Ref:
> http://www.cisco.com/warp/public/707/cisco-sa-20070124-IOS-IPv6.shtml
> ______________________________________________________________________
>
> (c) 2007. All rights reserved. The information contained in this
> newsletter, including any external links, is provided "AS IS," with no
> express or implied warranty, for informational purposes only. In some
> cases, copyright for material in this newsletter may be held
> by a party
> other than Qualys (as indicated herein) and permission to use such
> material must be requested from the copyright owner.
>
>