Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FW: @RISK: The Consensus Security Vulnerability Alert Vol. 6 No. 21



> 
> *****************************
> Widely Deployed Software
> *****************************
> 
> (1) CRITICAL: Samba Multiple Remote Code Execution Vulnerabilities
> Affected:
> Samba versions prior to 3.0.25
> 
> Description: Samba is an open source implementation of the Common
> Internet Filesystem (CIFS)/Server Message Block (SMB) protocol designed
> to facilitate interaction between Microsoft Windows and other operating
> systems. It is included by default in Mac OS X and many Unix, Unix-like,
> and Linux operating system distributions. It contains the following
> vulnerabilities:
> 
> (1) Samba exports Remote Procedure Call (RPC) interfaces to clients just
> like a Windows system. A specially-crafted MS-RPC call to some of these
> interfaces can trigger a memory corruption or buffer overflow that can
> be exploited to execute arbitrary code on the Samba server. In many
> installations, Samba is run with "root" privileges.
> 
> (2) If the "username map script" option is enabled in the Samba
> configuration (it is disabled by default), an attacker sending a
> specially-crafted password change request could execute arbitrary shell
> commands.
> 
> Note that, because Samba is open source, technical details may be gained
> via source code analysis. A working exploit is reported to be available
> for members of Immunity's partner program.
> 
> Status: Samba confirmed, updates available. A workaround is to block the
> ports 139/tcp and 445/tcp from the Internet.
> 
> Council Site Actions: Only one of the reporting council sites is
> responding at this time. They are waiting on the patches from some
> vendors. They plan to address it in their next regularly scheduled
> system maintenance cycle.
> 
> References:
> Samba Advisories
> http://www.securityfocus.com/archive/1/468565 
> http://www.securityfocus.com/archive/1/468542 
> Zero Day Initiative Advisories
> http://zerodayinitiative.com/advisories/ZDI-07-033.html 
> http://zerodayinitiative.com/advisories/ZDI-07-032.html 
> http://zerodayinitiative.com/advisories/ZDI-07-031.html 
> http://zerodayinitiative.com/advisories/ZDI-07-030.html 
> http://zerodayinitiative.com/advisories/ZDI-07-029.html 
> iDefense Advisory
> http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=534
> Samba Home Page
> http://www.samba.org
> SecurityFocus BIDs
> http://www.securityfocus.com/bid/23972 
> http://www.securityfocus.com/bid/23973 
> 
> *****************************************************************
> 
> (2) HIGH: Symantec Norton Internet Security and Personal Firewall
> ActiveX Control Vulnerabilities
> Affected:
> Symantec Norton Internet Security 2004
> Symantec Norton Personal Firewall 2004
> 
> Description: The Symantec Norton Internet Security and Personal Firewall
> products are shipped with an ActiveX control. This control is vulnerable
> to a buffer overflow that can be triggered by specially crafted
> parameters to its "Get" and "Set" methods. A malicious web page that
> instantiates this control can successfully exploit the buffer overflow
> to execute arbitrary code with the privileges of the current user.
> 
> Status: Symantec confirmed, updates available.
> 
> Council Site Actions: The affected software and/or configuration are not
> in production or widespread use, or are not officially supported at any
> of the responding council sites. They reported that no action was
> necessary.
> 
> References:
> Symantec Security Advisory
> http://www.symantec.com/avcenter/security/Content/2007.05.16.html 
> SecurityFocus BID
> http://www.securityfocus.com/bid/23936 
> 
> *****************************************************************
> 
> (4) HIGH: Sun Java Development Kit Image Processing Vulnerabilities
> Affected:
> Sun Java Development Kit versions prior to 1.6_01-b06
> Sun Java Development Kit versions prior to 1.5_11-b03
> It is believed that the Sun Java Runtime Environment may also be
> affected, but this is unconfirmed.
> 
> Description: The Sun Java Development Kit, used to develop applications
> that run on the Sun Java platform, contains multiple vulnerabilities in
> the way it handles BMP and JPEG images. A JPEG image containing
> specially-crafted ICC color correction data could trigger a buffer
> overflow in the Java virtual machine. Successfully exploiting this
> buffer overflow would allow an attacker to execute arbitrary code with
> the privileges of the vulnerable process. Additionally, a
> specially-crafted BMP image can result in a denial-of-service condition.
> 
> Status: Sun confirmed, updates available.
> 
> Council Site Actions: Two of the reporting council sites are responding
> to this item. The first site plans to deploy the patch during the next
> maintenance window. The second site is still investigating. They don't
> believe they have any internal applications using this kit; however,
> they are waiting on additional information for the various support
> teams.
> 
> References:
> Advisory by Chris Evans
> http://scary.beasts.org/security/CESA-2006-004.html 
> Wikipedia Article on ICC Color Correction Profiles
> http://en.wikipedia.org/wiki/ICC_Profile 
> Sun Java Home Page
> http://java.sun.com 
> SecurityFocus BID
> http://www.securityfocus.com/bid/24004   
> 
> *****************************************************************
> 
> (5) MODERATE: Multiple Vendor IPS/IDS Bypass Vulnerability
> Affected:
> IPS and/or IDS products from the following vendors:
> Checkpoint
> Cisco
> 3Com (TippingPoint)
> IBM ISS
> Snort
> Other vendors may be affected; users are advised to check with their
> vendor.
> 
> Description: Multiple Intrusion Prevention and Intrusion Detection
> Systems (IPS/IDS) fail to properly inspect HTTP requests when the
> requests are encoded with full-width or half-width Unicode characters.
> By sending a specially-crafted HTTP request an attacker could
> potentially bypass IPS/IDS inspection. This may result in the compromise
> of vulnerable systems behind the IPS/IDS.
> 
> Status: Some vendors have confirmed. Users are advised to check with
> their vendor or the CERT advisory.
> 
> Council Site Actions: Most of the reporting council sites are responding
> to this issue. They plan to distribute the patches as they become
> available for the different platforms. A few of the sites are working
> with the respective vendors on the appropriate response.
> 
> References:
> GamaSEC Advisory
> http://www.gamasec.net/english/gs07-01.html 
> CERT Advisory
> http://www.kb.cert.org/vuls/id/739224 
> ISC Handler's Diary Entry
> http://isc.sans.org/diary.html?storyid=2807 
> Cisco Security Advisory
> http://www.cisco.com/warp/public/707/cisco-sr-20070514-unicode.shtml 
> 3Com Security Advisory 
> http://www.3com.com/securityalert/alerts/3COM-07-001.html 
> SecurityFocus BID
> http://www.securityfocus.com/bid/23980 
> 
> Part II - Comprehensive List of Newly Discovered Vulnerabilities from
> Qualys (www.qualys.com)
> Week 21, 2007
> 
> 
> 07.21.7 CVE: CVE-2007-1689
> Platform: Third Party Windows Apps
> Title: Symantec Norton Personal Firewall 2004 ActiveX Control Buffer
> Overflow
> Description: Symantec Norton Personal Firewall ActiveX Control is
> exposed to a buffer overflow issue that occurs because the application
> fails to bounds check user-supplied data before copying it into an
> insufficiently sized buffer. Symantec Norton Personal Firewall 2004
> and Symantec Norton Internet Security 2004 are affected.
> Ref: http://www.kb.cert.org/vuls/id/983953
> ____________________________________________________________________
> 
> 
> 07.21.11 CVE: Not Available
> Platform: Third Party Windows Apps
> Title: Multiple Personal Firewall Products Local Protection Mechanism
> Bypass
> Description: Multiple personal firewall products are exposed to a
> protection mechanism bypass issue due to a failure of the applications
> to properly implement protection mechanisms based on valid
> process identifiers. Comodo Firewall Pro 2.4.18.184, Comodo Personal
> Firewall 2.3.6.81, and ZoneAlarm Pro 6.1.744.001 are affected.
> Ref: http://www.securityfocus.com/archive/1/468643
> ____________________________________________________________________
> 
> 07.21.25 CVE: CVE-2007-1497
> Platform: Linux
> Title: Linux Kernel Netfilter nf_conntrack IPv6 Packet Reassembly Rule
> Bypass
> Description: The Linux kernel is exposed to a firewall rule-bypass
> issue due to a failure of the Linux netfilter code to properly
> classify network packets. The "nf_conntrack" module in the Linux
> kernel fails to properly classify IPv6 fragments. During packet
> reassembly, the "nfctinfo" structure is left initialized as zero.
> Linux kernel versions in the 2.6 series prior to 2.6.20.3 are
> affected.
> Ref: http://rhn.redhat.com/errata/RHSA-2007-0347.html
> ____________________________________________________________________
> 
> 07.21.29 CVE: Not Available
> Platform: Linux
> Title: CommuniGate Pro Web Mail HTML Injection
> Description: CommuniGate Pro is a communication server application for
> multiple operating systems. The application is exposed to an
> HTML injection issue because it fails to properly sanitize
> user-supplied input passed to HTML email messages in the web mail
> portion of the application. CommuniGate Pro versions 5.1.8 and earlier
> are affected.
> Ref: http://seclists.org/fulldisclosure/2007/May/0187.html
> ____________________________________________________________________
> 
> 07.21.36 CVE: Not Available
> Platform: Solaris
> Title: Sun JDK JPG/BMP Parser Multiple Vulnerabilities
> Description: Sun JDK is exposed to multiple integer overflow issues that
> occur because the affected application fails to properly parse malicious
> ICC profiles when handling JPG images. It is also exposed to a denial
> of service issue that occurs when the BMP file parser tries to open and
> read from "/dev/tty". Sun JDK version 1.5.0_07-b03 is affected.
> Ref: http://www.securityfocus.com/bid/24004
> ____________________________________________________________________
> 
> 07.21.37 CVE: Not Available
> Platform: Unix
> Title: Exim SpamAssassin Reply Remote Buffer Overflow
> Description: Exim is a freely-available mail transfer agent available
> for multiple Unix and Unix-like platforms. The application is exposed
> to a remote buffer overflow issue when used in conjunction with remote
> SpamAssassin servers. This issue is due to a failure of the
> application to properly bounds check user-supplied input prior to
> copying it to an insufficiently-sized memory buffer. Exim version 4.66
> is affected.
> Ref: http://www.securityfocus.com/bid/23977
> ____________________________________________________________________
> 
> 07.21.38 CVE: Not Available
> Platform: Cross Platform
> Title: PHP Soap Engine Make_HTTP_Soap_Request Weak Nonce HTTP
> Authentication Weakness
> Description: PHP is a general purpose scripting language that is
> especially suited for web development and can be embedded into HTML.
> The application is exposed to an authentication weakness which arises
> from a design error in the "make_http_soap_request()" function.
> Ref: http://www.securityfocus.com/bid/24034
> ____________________________________________________________________
> 
> 07.21.42 CVE: CVE-2007-1375
> Platform: Cross Platform
> Title: PHP 5 Substr_Count Integer Overflow
> Description: PHP is a general purpose scripting language that is
> especially suited for web development and can be embedded into HTML.
> The PHP 5 "substr_count()" function is exposed to an integer overflow
> issue because it fails to ensure that integer values aren't overrun.
> Due to a lack of proper validation on integer values, attackers may
> cause the function to return data outside of an allocated buffer. PHP
> 5 versions 5.2.1 and earlier are affected.
> Ref: http://www.php-security.org/MOPB/MOPB-14-2007.html
> ____________________________________________________________________
> 
> 07.21.48 CVE: Not Available
> Platform: Cross Platform
> Title: PHP MCrypt_Create_IV Insecure Encryption Weakness
> Description: PHP is a general purpose scripting language that is
> especially suited for web development and can be embedded into HTML.
> PHP is exposed to an insecure encryption weakness due to a design
> error in the "mcrypt_create_iv()" function. It generates the
> initialization vector using the "php_rand_r()" function with an
> uninitialized seed. This results in weaker encryption of sensitive data.
> Ref: http://www.securityfocus.com/bid/23984
> ____________________________________________________________________
> 
> 07.21.51 CVE: Not Available
> Platform: Cross Platform
> Title: Cisco IPS Full/Half Width Unicode Detection Evasion
> Description: Cisco IPS is an intrusion detection and prevention
> system. The application is exposed to a Unicode detection evasion that
> arises due to a design error. The problem occurs when malicious HTTP
> traffic contains full-width and half-width Unicode characters.
> Ref: http://www.kb.cert.org/vuls/id/739224
> ____________________________________________________________________
> 
> 07.21.52 CVE: CVE-2007-2447
> Platform: Cross Platform
> Title: Samba MS-RPC Remote Shell Command Execution
> Description: Samba is a suite of software that provides file and print
> services for "SMB/CIFS" clients. It is available for multiple
> operating platforms. The application is exposed to an issue that
> allows arbitrary shell commands to run because the software fails to
> adequately escape user-supplied input through MS-RPC before using it
> as arguments to "bin/sh". Samba versions 3.0.0 to 3.0.25rc3 are
> affected.
> Ref:
> http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=534
> http://www.kb.cert.org/vuls/id/268336
> ____________________________________________________________________
> 
> 07.21.53 CVE: CVE-2007-2446
> Platform: Cross Platform
> Title: Samba NDR MS-RPC Request Heap-Based Buffer Overflow
> Description: Samba is a suite of software that provides file and print
> services for "SMB/CIFS" clients. It is available for multiple
> operating platforms. The application is exposed to multiple remote
> heap-based buffer overflow issues because it fails to properly
> bounds check user-supplied data before copying it to an insufficiently
> sized memory buffer.
> Ref: http://www.zerodayinitiative.com/advisories/ZDI-07-029.html
> ____________________________________________________________________
> 
> 07.21.59 CVE: CVE-2007-0754
> Platform: Cross Platform
> Title: Apple QuickTime MOV File STSD Heap Buffer Overflow
> Description: Apple QuickTime is a media player that supports multiple
> file formats. The application is exposed to a heap-based
> buffer overflow issue because it fails to properly check boundaries on
> user-supplied data before copying it into an insufficiently sized
> memory buffer. QuickTime 7 versions prior to 7.1.3 are affected.
> Ref: http://dvlabs.tippingpoint.com/advisory/TPTI-07-07
> ____________________________________________________________________

> (c) 2007.  All rights reserved.  The information contained in this
> newsletter, including any external links, is provided "AS IS," with no
> express or implied warranty, for informational purposes only.  In some
> cases, copyright for material in this newsletter may be held by a
> party other than Qualys (as indicated herein) and permission to use
> such material must be requested from the copyright owner.
> 
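Item (5) above (and Qualys entry 07.21.51) describes IPS/IDS signatures missing HTTP requests written with full-width or half-width Unicode. The following is an added example, not part of the forwarded newsletter or any vendor's product, showing the defender-side remedy: percent-decode and NFKC-normalize the request target before matching, so one ASCII signature covers every width form. The signature table and sample request targets are constructed for the demo.

```python
import unicodedata
from urllib.parse import unquote

# Constructed inspection rules (hypothetical, for the demo): plain-ASCII
# substrings a signature engine would look for in a decoded request target.
SIGNATURES = {
    "path-traversal": "../",
    "unix-passwd-file": "/etc/passwd",
}


def decode_target(raw_target: str) -> str:
    """Percent-decode the request target, then fold it with NFKC.

    NFKC replaces full-width ASCII variants (U+FF01..U+FF5E) with their
    ASCII equivalents and half-width katakana with their standard forms, so
    a signature written once in ASCII matches regardless of width form.
    """
    decoded = unquote(raw_target, encoding="utf-8", errors="replace")
    return unicodedata.normalize("NFKC", decoded)


def match_signatures(raw_target: str, normalize: bool = True) -> list:
    """Return the names of the signatures that match the request target.

    With normalize=False the engine sees only the percent-decoded bytes,
    which is the behaviour that lets width-encoded requests slip through.
    """
    if normalize:
        text = decode_target(raw_target)
    else:
        text = unquote(raw_target, encoding="utf-8", errors="replace")
    return [name for name, needle in SIGNATURES.items() if needle in text]


# Constructed samples: the same request target in plain ASCII, and with the
# traversal dots and slashes written as full-width U+FF0E / U+FF0F, UTF-8
# percent-encoded as a client would send them.
ASCII_TARGET = "/cgi-bin/../../etc/passwd"
FULLWIDTH_TARGET = (
    "/cgi-bin/%EF%BC%8E%EF%BC%8E%EF%BC%8F%EF%BC%8E%EF%BC%8E%EF%BC%8Fetc/passwd"
)

if __name__ == "__main__":
    for target in (ASCII_TARGET, FULLWIDTH_TARGET):
        print(target)
        print("  decoded only   :", match_signatures(target, normalize=False))
        print("  NFKC-normalized:", match_signatures(target))
```

The decoded-only pass matches nothing on the full-width target while the normalized pass reports both rules; the normalized text is byte-for-byte the ASCII target.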
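Item (4) and Qualys entry 07.21.36 describe integer overflows in the JDK's parsing of ICC profiles embedded in JPEG images. The block below is an added example, not Sun's code, showing how an ICC tag-table parser bounds-checks attacker-controlled offsets and sizes without ever forming a sum that can wrap; the `naive_check_u32` function (which emulates the unsafe 32-bit comparison), the `build_profile` helper and the sample profiles are constructed for the demo.

```python
import struct

ICC_HEADER_LEN = 128  # fixed header; the 'acsp' signature sits at bytes 36..39
TAG_ENTRY_LEN = 12    # tag table entry: 4-byte signature, u32 offset, u32 size

def naive_check_u32(offset: int, size: int, total: int) -> bool:
    """The unsafe test as uint32 C code computes it (True = accepted): a huge
    offset plus a small size wraps to a tiny sum and passes."""
    return ((offset + size) & 0xFFFFFFFF) <= total

def parse_tag_table(profile: bytes) -> dict:
    """Validate an ICC header and tag table; return each tag's bytes.
    Checks use `part > total - consumed`, never `consumed + part > total`,
    so no sum of attacker-chosen fields is formed."""
    total = len(profile)
    if total < ICC_HEADER_LEN + 4:
        raise ValueError("too short for header and tag count")
    if profile[36:40] != b"acsp":
        raise ValueError("missing 'acsp' header signature")
    if struct.unpack(">I", profile[0:4])[0] > total:
        raise ValueError("header declares more bytes than supplied")
    (count,) = struct.unpack(">I", profile[ICC_HEADER_LEN:ICC_HEADER_LEN + 4])
    table_start = ICC_HEADER_LEN + 4
    # count is attacker-controlled: bound it before any arithmetic or allocation
    if count > (total - table_start) // TAG_ENTRY_LEN:
        raise ValueError(f"tag count {count} exceeds remaining data")
    tags = {}
    for i in range(count):
        entry = table_start + i * TAG_ENTRY_LEN
        sig, offset, size = struct.unpack(">4sII", profile[entry:entry + TAG_ENTRY_LEN])
        if offset > total or size > total - offset:
            raise ValueError(f"tag {sig!r} points outside the profile")
        tags[sig.decode("ascii", "replace")] = profile[offset:offset + size]
    return tags

def build_profile(entries: list, body: bytes) -> bytes:
    """Constructed helper, not real ICC tooling: header + tag table + body.
    Entries are (signature, offset, size) written verbatim, so a test can
    point a tag outside the profile on purpose."""
    table = struct.pack(">I", len(entries))
    table += b"".join(struct.pack(">4sII", s, o, z) for s, o, z in entries)
    total = ICC_HEADER_LEN + len(table) + len(body)
    header = struct.pack(">I", total) + bytes(32) + b"acsp" + bytes(ICC_HEADER_LEN - 40)
    return header + table + body

# Constructed samples: a well-formed profile, and one whose only tag has an
# offset near 2**32 so that offset + size wraps in 32-bit arithmetic.
BODY = b"constructed tag payload"
GOOD_PROFILE = build_profile([(b"desc", ICC_HEADER_LEN + 4 + TAG_ENTRY_LEN, len(BODY))], BODY)
WRAPPING_PROFILE = build_profile([(b"desc", 0xFFFFFFF0, 0x20)], BODY)
```

`naive_check_u32` accepts the wrapping tag of `WRAPPING_PROFILE`, while `parse_tag_table` rejects it and returns the single "desc" tag of `GOOD_PROFILE`.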
Copyright © Lexa Software, 1996-2009.