Date: Thursday, 19 Nov 2009 20:07

Vulnerability Note VU#632633

Wyse Simple Imager (WSI) includes vulnerable versions of TFTPD32

Overview

Wyse Simple Imager (WSI) includes older versions of TFTPD32 that contain publicly known vulnerabilities. An attacker could exploit these vulnerabilities to execute arbitrary code on the system running WSI and TFTPD32.

I. Description

Wyse Simple Imager (WSI) is a component of Wyse Device Manager (WDM, formerly known as Wyse Rapport). WSI includes TFTPD32 as the TFTP service used to load firmware images onto client devices. The bundled versions of TFTPD32 contain several known vulnerabilities. The following list of TFTPD32 vulnerabilities is based on public information:
  1. CVE-2002-2226 Buffer overflow in tftpd of TFTP32 2.21 and earlier allows remote attackers to execute arbitrary code via a long filename argument.
  2. CVE-2002-2237 tftp32 TFTP server 2.21 and earlier allows remote attackers to cause a denial of service via a GET request with a DOS device name such as com1 or aux.
  3. CVE-2002-2353 tftpd32 2.50 and 2.50.2 allows remote attackers to read or write arbitrary files via a full pathname in GET and PUT requests.
  4. CVE-2006-0328 Format string vulnerability in Tftpd32 2.81 allows remote attackers to cause a denial of service via format string specifiers in a filename in a (1) GET or (2) SEND request.
  5. CVE-2006-6141 Buffer overflow in Tftpd32 3.01 allows remote attackers to cause a denial of service via a long GET or PUT request, which is not properly handled when the request is displayed in the title of the gauge window.
  6. OSVDB ID: 12898 Tftpd32 contains a flaw that may allow a remote denial of service. The issue is triggered when the server receives a TFTP request with a long filename, and will result in loss of availability for the service.
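As an added illustration (not TFTPD32 code, and not part of the original note), the following C program parses a TFTP read or write request (RFC 1350: a 2-byte opcode, a NUL-terminated filename, a NUL-terminated mode) and applies the checks that the bug classes above call for: a length bound on the filename, a NUL terminator located inside the packet rather than by strlen(), rejection of absolute paths and ".." components, rejection of DOS device names such as com1 or aux, and logging through a fixed format string so that a filename containing %n is treated as data. The 255-byte limit, the verdict codes, the helper names and the sample filenames are this example's own assumptions.

```c
/* Added example: TFTP request validation against the bug classes listed
 * above. Not TFTPD32 code; limits and names are this example's own. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define TFTP_RRQ 1
#define TFTP_WRQ 2
#define MAX_FILENAME 255   /* assumption: this example's own limit */

enum tftp_verdict {
    TFTP_OK = 0,
    TFTP_ERR_SHORT,        /* packet too short to hold opcode + names */
    TFTP_ERR_OPCODE,       /* not a read or write request */
    TFTP_ERR_UNTERMINATED, /* no NUL for the filename inside the packet */
    TFTP_ERR_TOOLONG,      /* filename empty or over MAX_FILENAME */
    TFTP_ERR_CHARS,        /* control characters in the filename */
    TFTP_ERR_ABSOLUTE,     /* leading separator or drive letter */
    TFTP_ERR_TRAVERSAL,    /* a ".." path component */
    TFTP_ERR_DEVICE        /* CON, PRN, AUX, NUL, COM1..9, LPT1..9 */
};

static int is_sep(char c) { return c == '/' || c == '\\'; }

/* DOS device names open the device even with an extension ("aux.txt"). */
static int is_dos_device(const char *name)
{
    const char *base = name;
    for (const char *p = name; *p; p++)
        if (is_sep(*p)) base = p + 1;
    size_t n = strcspn(base, ".");
    char stem[8] = {0};
    if (n == 0 || n >= sizeof stem) return 0;
    for (size_t i = 0; i < n; i++)
        stem[i] = (char)toupper((unsigned char)base[i]);
    if (!strcmp(stem, "CON") || !strcmp(stem, "PRN") ||
        !strcmp(stem, "AUX") || !strcmp(stem, "NUL")) return 1;
    return n == 4 && (!strncmp(stem, "COM", 3) || !strncmp(stem, "LPT", 3)) &&
           stem[3] >= '1' && stem[3] <= '9';
}

static int has_dotdot(const char *name)
{
    for (const char *p = name; *p; ) {
        const char *start = p;
        while (*p && !is_sep(*p)) p++;
        if (p - start == 2 && start[0] == '.' && start[1] == '.') return 1;
        if (*p) p++;
    }
    return 0;
}

/* Validate an RRQ/WRQ packet; on TFTP_OK the filename is copied to out. */
enum tftp_verdict tftp_check_request(const unsigned char *pkt, size_t len,
                                     char *out, size_t outsz)
{
    if (len < 4) return TFTP_ERR_SHORT;
    unsigned opcode = (unsigned)((pkt[0] << 8) | pkt[1]);
    if (opcode != TFTP_RRQ && opcode != TFTP_WRQ) return TFTP_ERR_OPCODE;

    /* Bound the scan by the packet length instead of trusting strlen(). */
    const unsigned char *fn = pkt + 2;
    const unsigned char *nul = (const unsigned char *)memchr(fn, 0, len - 2);
    if (!nul) return TFTP_ERR_UNTERMINATED;
    size_t fnlen = (size_t)(nul - fn);
    if (fnlen == 0 || fnlen > MAX_FILENAME || fnlen >= outsz)
        return TFTP_ERR_TOOLONG;
    memcpy(out, fn, fnlen);
    out[fnlen] = '\0';

    for (size_t i = 0; i < fnlen; i++)
        if (iscntrl((unsigned char)out[i])) return TFTP_ERR_CHARS;
    if (is_sep(out[0]) ||
        (fnlen >= 2 && isalpha((unsigned char)out[0]) && out[1] == ':'))
        return TFTP_ERR_ABSOLUTE;
    if (has_dotdot(out)) return TFTP_ERR_TRAVERSAL;
    if (is_dos_device(out)) return TFTP_ERR_DEVICE;

    /* Fixed format string: the filename is an argument, never the format. */
    fprintf(stderr, "tftp: request for \"%s\"\n", out);
    return TFTP_OK;
}

/* Build an RRQ for a filename (constructed input) and check it. */
enum tftp_verdict tftp_verdict_for(const char *name)
{
    unsigned char pkt[2 + 1024 + 1 + 6];
    size_t n = strlen(name);
    char out[MAX_FILENAME + 1];
    if (n > 1024) return TFTP_ERR_TOOLONG;
    pkt[0] = 0; pkt[1] = TFTP_RRQ;
    memcpy(pkt + 2, name, n + 1);
    memcpy(pkt + 2 + n + 1, "octet", 6);
    return tftp_check_request(pkt, 2 + n + 1 + 6, out, sizeof out);
}

int main(void)
{
    const char *samples[] = { "firmware.bin", "../../boot.ini",
        "C:\\windows\\win.ini", "com1", "aux.txt", "%s%s%n" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-22s -> verdict %d\n", samples[i], tftp_verdict_for(samples[i]));
    return 0;
}
```

The "%s%s%n" sample passes every check on purpose: a filename made of format specifiers is harmless as long as it is only ever passed as a %s argument, which is the whole of the CVE-2006-0328 fix. Relative subdirectories ("sub/image.bin") are still accepted; only absolute paths, drive letters and ".." components are refused.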

II. Impact

An attacker with network access to TFTPD32 could execute arbitrary code or cause a denial of service on a vulnerable system.

III. Solution

Use Wyse WDM and USB Imaging Tool


According to Wyse, WSI 1.3.x is a legacy product whose functionality is included in Wyse WDM 4.7.2 and the Wyse USB Imaging Tool. Customers are strongly advised to migrate to WDM and the USB Imaging Tool. Customers who are unable to migrate promptly can refer to Wyse Knowledge Base article 18555 for remedial action. The Wyse Knowledge Base is accessible through http://suppport.wyse.com/.

Upgrade TFTPD32

Upgrade TFTPD32 by downloading the latest version.

WSI 1.3.6 provides TFTPD32 version 2.0 in the directory ftproot\Rapport\Tools\sa\util\ and TFTPD32 version 2.80 in ftproot\Rapport\Tools\sa\util\TFTPD280\. Consider using TFTPD32 version 2.80 or downloading the most current version of TFTPD32. Note that, according to the table below, version 2.80 still predates the fixes for CVE-2006-0328 (fixed in 2.8.2) and CVE-2006-6141 (fixed in 3.10b), so the current release is the safer choice.

This table is based on public information, a brief exchange with the author of TFTPD32, and limited testing. This information may not be completely accurate; please send corrections to cert@cert.org.


Vulnerability | Fixed Version | Wyse Resolution
CVE-2002-2226 | 2.50.2 | Addressed by WSB09-01 (using TFTPD32 version 2.80).
CVE-2002-2237 | 2.51 | Addressed by WSB09-01 (using TFTPD32 version 2.80).
CVE-2002-2353 | 2.51 | Addressed by WSB09-01 (using TFTPD32 version 2.80).
CVE-2006-0328 | 2.8.2 | ?
CVE-2006-6141 | 3.10b | ?
OSVDB ID: 12898 | 2.80 | Addressed by WSB09-01 (using TFTPD32 version 2.80).

Restrict Access to WSI

To limit the exposure of TFTPD32, run WSI systems on a physically isolated network, such as a staging network where client devices are imaged before production deployment.

Systems Affected

Vendor | Status | Date Notified | Date Updated
TFTPD32 | Vulnerable | | 2009-11-11
Wyse | Vulnerable | 2009-07-04 | 2009-11-19

References


http://tftpd32.jounin.net/tftpd32_news.html
http://tftpd32.jounin.net/tftpd32.html
http://osvdb.org/show/osvdb/12898
http://secway.org/advisory/ad20050108.txt
http://www.wyse.com/serviceandsupport/support/WSB09-01.zip
http://www.wyse.com/serviceandsupport/Wyse%20Security%20Bulletin%20WSB09-01.pdf
http://www.theregister.co.uk/2009/07/10/wyse_remote_exploit_bugs/
http://archives.neohapsis.com/archives/fulldisclosure/2009-07/0101.html

Credit

These vulnerabilities were analyzed and reported by Kevin Finisterre of Netragard/SNOsoft and Art Manion.

This document was written by Art Manion.

Other Information

Date Public:2009-07-10
Date First Published:2009-11-19
Date Last Updated:2009-11-19
CERT Advisory: 
CVE-ID(s):CVE-2002-2226; CVE-2002-2237; CVE-2002-2353; CVE-2006-0328; CVE-2006-6141
NVD-ID(s):CVE-2002-2226 CVE-2002-2237 CVE-2002-2353 CVE-2006-0328 CVE-2006-6141
US-CERT Technical Alerts: 
Metric:13.51
Document Revision:54
Author: "US-CERT (cert@cert.org)" Tags: "wyse, wdm, hagent, tftp32d, tftp, rappor..."
Date: Thursday, 19 Nov 2009 15:31

Vulnerability Note VU#120541

SSL and TLS protocols renegotiation vulnerability

Overview

A vulnerability exists in the SSL and TLS protocols that may allow an attacker to execute an arbitrary HTTP transaction on behalf of a legitimate client.

I. Description

The Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols are commonly used to provide authentication, encryption, and integrity services to network applications such as HTTP, IMAP, POP3, and LDAP. A vulnerability in the way SSL and TLS handle renegotiation requests may allow an attacker to inject plaintext into an application protocol stream. As a result, the attacker may be able to issue commands to the server that appear to come from a legitimate source. According to the Network Working Group:

The server treats the client's initial TLS handshake as a renegotiation and thus believes that the initial data transmitted by the attacker is from the same entity as the subsequent client data.

This issue affects SSL version 3.0 and newer and TLS version 1.0 and newer.

II. Impact

A remote, unauthenticated attacker may be able to inject an arbitrary amount of chosen plaintext into the beginning of the application protocol stream. This could allow an attacker to issue HTTP requests or take actions impersonating the user, among other consequences.

III. Solution

Users should contact vendors for specific patch information. Several of the changes listed under References (for example the OpenSSL commit and the no-renegotiation patch) mitigate the issue by refusing renegotiation on the server side; disabling renegotiation is an interim workaround where client-initiated renegotiation is not required.

Systems Affected

Vendor | Status | Date Notified | Date Updated
3com Inc | Unknown | 2009-11-05 | 2009-11-05
ACCESS | Unknown | 2009-11-05 | 2009-11-05
Alcatel-Lucent | Unknown | 2009-11-05 | 2009-11-05
Apache-SSL | Unknown | 2009-11-05 | 2009-11-05
Apache HTTP Server Project | Unknown | 2009-11-05 | 2009-11-05
Apple Inc. | Unknown | 2009-11-05 | 2009-11-05
Aruba Networks, Inc. | Unknown | 2009-11-05 | 2009-11-05
Attachmate | Unknown | 2009-11-05 | 2009-11-05
AT&T | Unknown | 2009-11-05 | 2009-11-05
Avaya, Inc. | Unknown | 2009-11-05 | 2009-11-05
Barracuda Networks | Unknown | 2009-11-05 | 2009-11-05
Belkin, Inc. | Unknown | 2009-11-05 | 2009-11-05
Borderware Technologies | Unknown | 2009-11-05 | 2009-11-05
Certicom | Unknown | 2009-11-05 | 2009-11-05
Charlotte's Web Networks | Unknown | 2009-11-05 | 2009-11-05
Check Point Software Technologies | Unknown | 2009-11-05 | 2009-11-05
Cisco Systems, Inc. | Unknown | 2009-11-05 | 2009-11-05
Clavister | Unknown | 2009-11-05 | 2009-11-05
Computer Associates | Unknown | 2009-11-05 | 2009-11-05
Conectiva Inc. | Unknown | 2009-11-05 | 2009-11-05
Cray Inc. | Unknown | 2009-11-05 | 2009-11-05
Cryptlib | Not Vulnerable | 2009-11-05 | 2009-11-11
Crypto++ Library | Unknown | 2009-11-05 | 2009-11-05
D-Link Systems, Inc. | Unknown | 2009-11-05 | 2009-11-05
Debian GNU/Linux | Vulnerable | 2009-11-05 | 2009-11-11
DragonFly BSD Project | Unknown | 2009-11-05 | 2009-11-05
EMC Corporation | Unknown | 2009-11-05 | 2009-11-05
Engarde Secure Linux | Unknown | 2009-11-05 | 2009-11-05
Enterasys Networks | Unknown | 2009-11-05 | 2009-11-05
Ericsson | Unknown | 2009-11-05 | 2009-11-05
eSoft, Inc. | Unknown | 2009-11-05 | 2009-11-05
Extreme Networks | Unknown | 2009-11-05 | 2009-11-05
F5 Networks, Inc. | Unknown | 2009-11-05 | 2009-11-05
Fedora Project | Unknown | 2009-11-05 | 2009-11-05
Force10 Networks, Inc. | Unknown | 2009-11-05 | 2009-11-05
Fortinet, Inc. | Unknown | 2009-11-05 | 2009-11-05
Foundry Networks, Inc. | Unknown | 2009-11-05 | 2009-11-05
FreeBSD Project | Unknown | 2009-11-05 | 2009-11-05
Fujitsu | Unknown | 2009-11-05 | 2009-11-05
Gentoo Linux | Unknown | 2009-11-05 | 2009-11-05
Global Technology Associates, Inc. | Unknown | 2009-11-05 | 2009-11-05
GnuTLS | Vulnerable | 2009-11-05 | 2009-11-11
Hewlett-Packard Company | Unknown | 2009-11-05 | 2009-11-05
Hitachi | Unknown | 2009-11-05 | 2009-11-05
IBM Corporation | Vulnerable | 2009-11-05 | 2009-11-11
IBM eServer | Unknown | 2009-11-05 | 2009-11-05
Infoblox | Unknown | 2009-11-05 | 2009-11-05
Intel Corporation | Unknown | 2009-11-05 | 2009-11-05
Internet Security Systems, Inc. | Unknown | 2009-11-05 | 2009-11-05
Intoto | Unknown | 2009-11-05 | 2009-11-05
IP Filter | Unknown | 2009-11-05 | 2009-11-05
IP Infusion, Inc. | Unknown | 2009-11-05 | 2009-11-05
Juniper Networks, Inc. | Unknown | 2009-11-05 | 2009-11-05
libgcrypt | Not Vulnerable | 2009-11-05 | 2009-11-11
Lotus Software | Unknown | 2009-11-05 | 2009-11-05
Luminous Networks | Unknown | 2009-11-05 | 2009-11-05
m0n0wall | Unknown | 2009-11-05 | 2009-11-05
Mandriva S. A. | Unknown | 2009-11-05 | 2009-11-05
McAfee | Vulnerable | 2009-11-05 | 2009-11-11
Microsoft Corporation | Unknown | 2009-11-05 | 2009-11-05
Microsoft Internet Explorer | Unknown | 2009-11-05 | 2009-11-05
Mirapoint, Inc. | Unknown | 2009-11-05 | 2009-11-05
mod_ssl | Unknown | 2009-11-05 | 2009-11-05
MontaVista Software, Inc. | Unknown | 2009-11-05 | 2009-11-05
Mozilla - Network Security Services | Unknown | 2009-11-05 | 2009-11-05
Multitech, Inc. | Unknown | 2009-11-05 | 2009-11-05
National Center for Supercomputing Applications | Unknown | 2009-11-05 | 2009-11-05
NEC Corporation | Unknown | 2009-11-05 | 2009-11-05
NetApp | Unknown | 2009-11-05 | 2009-11-05
NetBSD | Unknown | 2009-11-05 | 2009-11-05
netfilter | Unknown | 2009-11-05 | 2009-11-05
Netscape NSS | Unknown | 2009-11-05 | 2009-11-05
Nokia | Unknown | 2009-11-05 | 2009-11-05
Nortel Networks, Inc. | Unknown | 2009-11-05 | 2009-11-05
Novell, Inc. | Unknown | 2009-11-05 | 2009-11-05
OpenBSD | Unknown | 2009-11-05 | 2009-11-05
OpenSSL | Unknown | 2009-11-05 | 2009-11-05
Openwall GNU/*/Linux | Unknown | 2009-11-05 | 2009-11-05
PePLink | Unknown | 2009-11-05 | 2009-11-05
Process Software | Unknown | 2009-11-05 | 2009-11-05
Q1 Labs | Unknown | 2009-11-05 | 2009-11-05
QNX Software Systems Inc. | Unknown | 2009-11-05 | 2009-11-05
Quagga | Unknown | 2009-11-05 | 2009-11-05
RadWare, Inc. | Unknown | 2009-11-05 | 2009-11-05
Red Hat, Inc. | Unknown | 2009-11-05 | 2009-11-05
Redback Networks, Inc. | Not Vulnerable | 2009-11-05 | 2009-11-11
SafeNet | Not Vulnerable | 2009-11-05 | 2009-11-19
Secureworx, Inc. | Unknown | 2009-11-05 | 2009-11-05
Silicon Graphics, Inc. | Unknown | 2009-11-05 | 2009-11-05
Slackware Linux Inc. | Unknown | 2009-11-05 | 2009-11-05
SmoothWall | Unknown | 2009-11-05 | 2009-11-05
Snort | Unknown | 2009-11-05 | 2009-11-05
Soapstone Networks | Unknown | 2009-11-05 | 2009-11-05
Sony Corporation | Unknown | 2009-11-05 | 2009-11-05
Sourcefire | Unknown | 2009-11-05 | 2009-11-05
Spyrus | Unknown | 2009-11-05 | 2009-11-05
Stonesoft | Unknown | 2009-11-05 | 2009-11-05
Stunnel | Unknown | 2009-11-05 | 2009-11-05
Sun Microsystems, Inc. | Vulnerable | 2009-11-05 | 2009-11-06
SUSE Linux | Unknown | 2009-11-05 | 2009-11-05
Symantec | Unknown | 2009-11-05 | 2009-11-05
The SCO Group | Unknown | 2009-11-05 | 2009-11-05
TippingPoint Technologies Inc. | Unknown | 2009-11-05 | 2009-11-05
Turbolinux | Unknown | 2009-11-05 | 2009-11-05
Ubuntu | Unknown | 2009-11-05 | 2009-11-05
Unisys | Unknown | 2009-11-05 | 2009-11-05
VMware | Unknown | 2009-11-05 | 2009-11-05
Vyatta | Unknown | 2009-11-05 | 2009-11-05
Watchguard Technologies, Inc. | Unknown | 2009-11-05 | 2009-11-05
Wind River Systems, Inc. | Unknown | 2009-11-05 | 2009-11-05
ZyXEL | Unknown | 2009-11-05 | 2009-11-05

References


http://extendedsubset.com/?p=8
http://www.links.org/?p=780
http://www.links.org/?p=786
http://www.links.org/?p=789
http://blogs.iss.net/archive/sslmitmiscsrf.html
http://www.ietf.org/mail-archive/web/tls/current/msg03948.html
https://bugzilla.redhat.com/show_bug.cgi?id=533125
http://lists.gnu.org/archive/html/gnutls-devel/2009-11/msg00014.html
http://cvs.openssl.org/chngview?cn=18790
http://www.links.org/files/no-renegotiation-2.patch
http://blog.zoller.lu/2009/11/new-sslv3-tls-vulnerability-mitm.html
https://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tls-renegotiate.txt
http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html

Credit

Thanks to Marsh Ray of PhoneFactor for reporting this vulnerability. This issue was also independently discovered and publicly disclosed by Martin Rex of SAP.

This document was written by Chris Taschner.

Other Information

Date Public:2009-11-05
Date First Published:2009-11-11
Date Last Updated:2009-11-19
CERT Advisory: 
CVE-ID(s):CVE-2009-3555
NVD-ID(s):CVE-2009-3555
US-CERT Technical Alerts: 
Metric:0.00
Document Revision:31
Author: "US-CERT (cert@cert.org)" Tags: "SSL, TLS, man-in-the-middle, MITM, https"
Date: Wednesday, 28 Oct 2009 19:42

Vulnerability Note VU#456745

ActiveX controls built with Microsoft ATL fail to properly handle initialization data

Overview

ActiveX controls that are built using a Microsoft ATL template may fail to properly handle initialization data, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

I. Description

The Microsoft Active Template Library (ATL) is a set of C++ classes designed to simplify the creation of COM objects and ActiveX controls. An ActiveX control can be designated as "safe for scripting," which means that it can be used by an untrusted caller such as JavaScript in a web page, and/or as "safe for initialization," which means that it can accept untrusted initialization data. ActiveX controls developed with ATL may fail to properly handle initialization data. The specific defects include the use of uninitialized objects, unsafe use of OleLoadFromStream, and failure to check for a terminating NULL character. These defects may result in memory corruption that can be leveraged to execute code, or may allow an attacker to bypass Internet Explorer kill bit restrictions on unsafe controls.

II. Impact

By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code.

III. Solution

Apply an update

This vulnerability has been addressed in the update for Internet Explorer provided in Microsoft Security Bulletin MS09-034. The update helps prevent ActiveX controls that were built with the vulnerable ATL versions from being initialized with unsafe data patterns in Internet Explorer, including the patterns used to bypass the kill bit. Note that it mitigates the problem at the browser; controls built with vulnerable ATL versions remain vulnerable until they are recompiled (see below).

Update and recompile ActiveX controls

Developers who have created ActiveX controls using Microsoft ATL should install the update for Microsoft Security Bulletin MS09-035 and recompile the ActiveX controls. This will cause the controls to use an updated ATL version that addresses these vulnerabilities.

Disable ActiveX

Disabling ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this and other ActiveX vulnerabilities. Instructions for disabling ActiveX in the Internet Zone can be found in the "Securing Your Web Browser" document.

Systems Affected

Vendor | Status | Date Notified | Date Updated
Adobe | Vulnerable | | 2009-07-30
Alcatel-Lucent | Unknown | 2009-07-28 | 2009-07-28
America Online, Inc. | Unknown | 2009-07-28 | 2009-07-28
Apple Inc. | Not Vulnerable | 2009-07-28 | 2009-07-31
Attachmate | Unknown | 2009-07-28 | 2009-07-28
Aurigma Inc. | Vulnerable | 2009-07-28 | 2009-07-29
Axis | Unknown | 2009-07-28 | 2009-07-28
BT | Unknown | 2009-07-28 | 2009-07-28
Business Objects | Unknown | 2009-07-28 | 2009-07-28
Callisto Corporation | Unknown | 2009-07-28 | 2009-07-28
Cisco Systems, Inc. | Vulnerable | 2009-07-28 | 2009-07-29
Computer Associates eTrust Security Management | Unknown | 2009-07-28 | 2009-07-28
Computer Emergency Response Team Brazil | Unknown | 2009-07-28 | 2009-07-28
Corel Corporation | Unknown | 2009-07-28 | 2009-07-28
E-Book Systems Inc. | Unknown | 2009-07-28 | 2009-07-28
eBay | Unknown | 2009-07-28 | 2009-07-28
Electronic Arts | Unknown | 2009-07-28 | 2009-07-28
ESET, LLC. | Unknown | 2009-07-28 | 2009-07-28
F5 Networks, Inc. | Vulnerable | 2009-07-28 | 2009-07-29
GameTap-Turner Broadcasting subsidiary | Unknown | 2009-07-28 | 2009-07-28
GOVCERT-NL | Unknown | 2009-07-28 | 2009-07-28
Gracenote | Unknown | 2009-07-28 | 2009-07-28
Hewlett-Packard Company | Unknown | 2009-07-28 | 2009-07-28
Husdawg | Unknown | 2009-07-28 | 2009-07-28
IBM Corporation | Not Vulnerable | 2009-07-28 | 2009-07-29
Iconics, Inc. | Unknown | 2009-07-28 | 2009-07-28
IncrediMail Ltd. | Unknown | 2009-07-28 | 2009-07-28
Infotriever, Inc. | Unknown | 2009-07-28 | 2009-07-28
InterActual Technologies, Inc. | Unknown | 2009-07-28 | 2009-07-28
Intuit, Inc. | Unknown | 2009-07-28 | 2009-07-28
Juniper Networks, Inc. | Unknown | 2009-07-28 | 2009-07-28
Kodak Easy Share Gallery | Unknown | 2009-07-28 | 2009-07-28
Lenovo | Unknown | 2009-07-28 | 2009-07-28
LizardTech, Inc | Unknown | 2009-07-28 | 2009-07-28
LogicNP | Not Vulnerable | 2009-07-28 | 2009-07-30
Lotus Software | Unknown | 2009-07-28 | 2009-07-28
Media Technology Group | Unknown | 2009-07-28 | 2009-07-28
Microsoft Corporation | Vulnerable | | 2009-07-28
Motive | Unknown | 2009-07-28 | 2009-07-28
Move Networks, Inc. | Unknown | 2009-07-28 | 2009-07-28
Namzak Labs Inc. | Unknown | 2009-07-28 | 2009-07-28
Nokia | Unknown | 2009-07-28 | 2009-07-28
Novell, Inc. | Unknown | 2009-07-28 | 2009-07-28
Oracle Corporation | Unknown | 2009-07-28 | 2009-07-28
OSISoft | Vulnerable | | 2009-08-04
Panda Software Ltd. | Unknown | 2009-07-28 | 2009-07-28
PNI Digital Media | Unknown | 2009-07-28 | 2009-07-28
Radiant Systems | Unknown | 2009-07-28 | 2009-07-28
RealNetworks, Inc. | Unknown | 2009-07-28 | 2009-07-28
Research in Motion (RIM) | Unknown | 2009-07-28 | 2009-07-28
SafeNet | Unknown | 2009-07-28 | 2009-07-28
SAP | Unknown | 2009-07-28 | 2009-07-28
ScriptLogic | Unknown | 2009-07-28 | 2009-07-28
Siemens | Unknown | 2009-07-28 | 2009-07-28
Simba Technologies | Unknown | 2009-07-28 | 2009-07-28
SoftArtisans, Inc | Unknown | 2009-07-28 | 2009-07-28
SonicWall | Vulnerable | 2009-07-28 | 2009-10-28
Sun Microsystems, Inc. | Vulnerable | | 2009-08-05
SupportSoft, Inc. | Unknown | 2009-07-28 | 2009-07-28
SwiftView | Unknown | 2009-07-28 | 2009-07-28
Symantec | Unknown | 2009-07-28 | 2009-07-28
Trend Micro | Unknown | 2009-07-28 | 2009-07-28
Unigraphics Solutions | Unknown | 2009-07-28 | 2009-07-28
VanDyke Software | Not Vulnerable | 2009-07-28 | 2009-08-04
View22 | Unknown | 2009-07-28 | 2009-07-28
WeOnlyDo! Software | Unknown | 2009-07-28 | 2009-07-28
WinZip Computing, Inc. | Unknown | 2009-07-28 | 2009-07-28
Worldspan | Unknown | 2009-07-28 | 2009-07-28
Xerox | Unknown | 2009-07-28 | 2009-07-28
Yahoo, Inc. | Unknown | 2009-07-28 | 2009-07-28

References

http://www.kb.cert.org/vuls/id/180513
http://www.microsoft.com/technet/security/bulletin/ms09-034.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx
http://www.microsoft.com/security/atl.aspx
http://blogs.technet.com/msrc/archive/2009/07/28/microsoft-security-advisory-973882-microsoft-security-bulletins-ms09-034-and-ms09-035-released.aspx
http://blogs.msdn.com/sdl/archive/2009/07/28/atl-ms09-035-and-the-sdl.aspx
http://blogs.technet.com/ecostrat/archive/2009/07/27/threat-complexity-requires-new-levels-of-collaboration.aspx
http://www.microsoft.com/technet/security/advisory/973882.mspx
http://msdn.microsoft.com/en-us/library/ms680103(VS.85).aspx
http://msdn.microsoft.com/en-us/library/aa751977(VS.85).aspx
http://msdn.microsoft.com/en-us/library/t9adwcde(VS.80).aspx
http://support.microsoft.com/kb/168371
http://support.microsoft.com/kb/240797
http://blogs.adobe.com/psirt/2009/07/impact_of_microsoft_atl_vulner.html
http://www.adobe.com/support/security/advisories/apsa09-04.html
http://www.adobe.com/support/security/bulletins/apsb09-10.html
http://www.adobe.com/support/security/bulletins/apsb09-11.html
http://addxorrol.blogspot.com/2009/07/poking-around-msvidctldll.html
http://blogs.technet.com/srd/archive/2009/07/28/msvidctl-ms09-032-and-the-atl-vulnerability.aspx
http://blogs.technet.com/srd/archive/2009/07/28/atl-vulnerability-developer-deep-dive.aspx
http://blogs.technet.com/srd/archive/2009/07/28/internet-explorer-mitigations-for-atl-data-stream-vulnerabilities.aspx
http://blogs.technet.com/srd/archive/2009/07/28/overview-of-the-out-of-band-release.aspx
http://blogs.technet.com/bluehat/archive/2009/07/27/black-hat-usa-atl-killbit-bypass.aspx

Credit

Thanks to Microsoft for reporting this vulnerability; Microsoft in turn credits David Dewey of IBM ISS X-Force and Ryan Smith of Verisign iDefense Labs.

This document was written by Will Dormann.

Other Information

Date Public:2009-07-09
Date First Published:2009-07-28
Date Last Updated:2009-10-28
CERT Advisory: 
CVE-ID(s):CVE-2009-0901; CVE-2009-2493; CVE-2009-2495
NVD-ID(s):CVE-2009-0901 CVE-2009-2493 CVE-2009-2495
US-CERT Technical Alerts:TA09-209A
Metric:47.08
Document Revision:41
Author: "US-CERT (cert@cert.org)" Tags: "Microsoft, Internet Explorer, IE, COM, k..."
Date: Tuesday, 27 Oct 2009 19:10

Vulnerability Note VU#257117

Adobe Acrobat and Reader contain vulnerabilities in multiple Document Object JavaScript methods

Overview

A vulnerability in the way Adobe Acrobat and Reader enforce privileges on JavaScript in PDF files could allow arbitrary files to be written to the local file system of an affected system.

I. Description

Adobe Reader and the Adobe Acrobat family of software are designed to create, view, and edit Portable Document Format (PDF) files. Adobe Reader is widely deployed, and the Acrobat Reader plug-in displays PDF files inside a web browser.

Adobe Reader and Acrobat support JavaScript. According to the JavaScript for Acrobat API reference, certain methods are designed to be unavailable or have security restrictions in a non-privileged context. As a result, it should not be possible to call these methods from non-privileged events, such as page open or mouse-up.

Adobe Acrobat and Reader fail to enforce the Privileged Context and Safe Path restrictions on certain JavaScript methods. As a result, methods that accept a cPath parameter can write to a file with an arbitrary extension at an arbitrary path, rather than being limited to the locations and extensions the Safe Path restriction is intended to allow.

II. Impact

By convincing a user to open a specially crafted PDF file, an attacker may be able to execute certain privileged JavaScript methods that can be used to create arbitrary files and folders on an affected system, subject to the normal permissions of the victim user.

III. Solution

Update

Adobe has released updates to address this issue. Users are encouraged to read Adobe Security Bulletin APSB09-15 and update vulnerable versions of Adobe Reader and Acrobat.

Enable Data Execution Prevention (DEP) in Microsoft Windows

Consider enabling Data Execution Prevention (DEP) in supported versions of Windows. DEP should not be treated as a complete workaround, but it can mitigate the execution of attacker-supplied code in some cases. Microsoft has published detailed technical information about DEP in Security Research & Defense blog posts "Understanding DEP as a mitigation technology" part 1 and part 2. Use of DEP should be considered in conjunction with the application of patches or other mitigations described in this document.

Disable JavaScript in Adobe Reader and Acrobat

Disabling JavaScript prevents these vulnerabilities from being exploited and reduces attack surface. If this workaround is applied to updated versions of Adobe Reader and Acrobat, it may protect against future vulnerabilities.

To disable JavaScript in Adobe Reader:

  1. Open Adobe Acrobat Reader.
  2. Open the Edit menu.
  3. Choose the Preferences... option.
  4. Choose the JavaScript section.
  5. Uncheck the Enable Acrobat JavaScript check box.
Disabling JavaScript does not resolve the vulnerabilities; it only disables the vulnerable JavaScript component. When JavaScript is disabled, Adobe Reader and Acrobat prompt to re-enable JavaScript when opening a PDF that contains JavaScript.

Prevent Internet Explorer from automatically opening PDF documents

The installer for Adobe Reader and Acrobat configures Internet Explorer to automatically open PDF files without any user interaction. This behavior can be reverted to the safer option of prompting the user by importing the following as a .REG file:

Windows Registry Editor Version 5.00

; Clearing EditFlags removes the "open is safe" flag the Reader installer
; sets, so Internet Explorer prompts before handing a PDF to Reader.
[HKEY_CLASSES_ROOT\AcroExch.Document.7]
"EditFlags"=hex:00,00,00,00

Disable the displaying of PDF documents in the web browser

Preventing PDF documents from opening inside a web browser reduces attack surface. If this workaround is applied to updated versions of Adobe Reader and Acrobat, it may protect against future vulnerabilities.

To prevent PDF documents from automatically being opened in a web browser with Adobe Reader:
  1. Open Adobe Acrobat Reader.
  2. Open the Edit menu.
  3. Choose the Preferences... option.
  4. Choose the Internet section.
  5. Uncheck the Display PDF in browser check box.

Systems Affected

Vendor | Status | Date Notified | Date Updated
Adobe | Vulnerable | 2009-09-04 | 2009-10-13

References


http://www.adobe.com/support/security/bulletins/apsb09-15.html

Credit

Thanks to Richard van Eeden of IOActive, for reporting this issue.

This document was written by Chad R Dougherty.

Other Information

Date Public:2009-09-01
Date First Published:2009-10-13
Date Last Updated:2009-10-27
CERT Advisory: 
CVE-ID(s):CVE-2009-2993
NVD-ID(s):CVE-2009-2993
US-CERT Technical Alerts: 
Metric:0.00
Document Revision:15
Author: "US-CERT (cert@cert.org)" Tags: "Adobe, JavaScript, safe path, privileged..."
Date: Friday, 16 Oct 2009 04:20

Vulnerability Note VU#654545

Wyse Device Manager (WDM) HServer and HAgent contain multiple vulnerabilities

Overview

Wyse Device Manager (WDM) HServer and HAgent contain several vulnerabilities. An attacker with network access to WDM components could execute arbitrary code on vulnerable systems.

I. Description

Wyse Device Manager (WDM, formerly known as Wyse Rapport) manages thin clients. Part of the server component (HServer) is implemented as an ISAPI filter on the Microsoft Windows Internet Information Server (IIS) platform. The client component (HAgent) runs as a service on Microsoft Windows systems.

WDM components contain several vulnerabilities:

  1. HServer (hserver.dll) User-Agent header stack buffer overflow (CVE-2009-0693)
  2. HAgent (hagent.exe) heap overflow (also CVE-2009-0693)
  3. HAgent does not authenticate commands (CVE-2009-0695)

The first two issues are implementation defects. The third issue is caused by the lack of adequate cryptographic authentication and authorization.

II. Impact

An attacker with network access to WDM components could execute arbitrary code on a vulnerable system. The attacker could also execute unauthenticated management commands on a system running HAgent.

III. Solution

Please see Wyse Security Bulletin WSB09-01.

Enable HTTPS

Enabling HTTPS provides authentication between HServer and HAgent nodes: HTTPS authenticates communication from an HServer host to an HAgent host. Depending on key distribution and PKI architecture, HTTPS should prevent an unauthenticated attacker from running management commands on an HAgent host. It does not address the two overflows, which require the WSB09-01 update.

Systems Affected

Vendor | Status | Date Notified | Date Updated
Wyse | Vulnerable | 2009-07-04 | 2009-07-23

References


http://osvdb.org/show/osvdb/55808
http://www.wyse.com/serviceandsupport/support/WSB09-01.zip
http://www.wyse.com/serviceandsupport/Wyse%20Security%20Bulletin%20WSB09-01.pdf
http://www.theregister.co.uk/2009/07/10/wyse_remote_exploit_bugs/
http://archives.neohapsis.com/archives/fulldisclosure/2009-07/0101.html

Credit

These vulnerabilities were analyzed and reported by Kevin Finisterre of Netragard/SNOsoft.

This document was written by Art Manion.

Other Information

Date Public:2009-07-10
Date First Published:2009-10-13
Date Last Updated:2009-10-16
CERT Advisory: 
CVE-ID(s):CVE-2009-0693; CVE-2009-0695
NVD-ID(s):CVE-2009-0693 CVE-2009-0695
US-CERT Technical Alerts: 
Metric:13.51
Document Revision:23
Author: "US-CERT (cert@cert.org)" Tags: "wyse, wdm, hagent, tftp32d, tftp, rappor..."
Date: Tuesday, 06 Oct 2009 14:21

Vulnerability Note VU#676492

Wireshark unsigned integer wrap vulnerability

Overview

Wireshark contains an unsigned integer wrap vulnerability that may be triggered when importing capture files.

I. Description

Wireshark is a protocol analyzer that can open or import previously saved capture files. When processing an .erf file, an unsigned integer wrap may cause Wireshark to allocate a very large buffer. To exploit this issue, an attacker would have to convince a user to open a crafted .erf file in Wireshark.

This issue also affects TShark, the console version of Wireshark.
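The following C program is an added illustration of the bug class (it is not Wireshark's erf.c, and the record layout is a simplified stand-in: a 16-byte header with a big-endian 16-bit record length at offset 10 that covers header and payload). It shows the unchecked subtraction that wraps to a value just under 2^32 when the file-supplied length is smaller than the header, and beside it a reader that validates the length before subtracting, as the referenced CERT rule INT30-C requires. Function names, the header layout and the sample records are this example's own assumptions.

```c
/* Added example: unsigned wrap when a record length read from a capture
 * file is used to size a buffer. Not Wireshark's erf.c; the header layout
 * is a simplified stand-in. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HDR_LEN  16u   /* assumed fixed header size */
#define RLEN_OFF 10u   /* assumed offset of the big-endian rlen field */

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Vulnerable pattern: rlen is attacker-controlled. For rlen < HDR_LEN the
 * subtraction wraps to a value just under 2^32, so the caller asks for a
 * ~4 GiB buffer (or, after narrowing, a tiny one it later overruns). */
uint32_t payload_len_unchecked(uint16_t rlen)
{
    return (uint32_t)rlen - HDR_LEN;
}

/* Hardened: establish rlen >= HDR_LEN before subtracting (INT30-C). */
bool payload_len_checked(uint16_t rlen, uint32_t *out)
{
    if (rlen < HDR_LEN) return false;
    *out = (uint32_t)rlen - HDR_LEN;
    return true;
}

/* Walk the records in an in-memory capture. Returns the record count, or
 * -1 for a record whose length is below the header size or runs past the
 * end of the input. Every allocation is sized from a validated length. */
int erf_count_records(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int count = 0;
    while (len - off >= HDR_LEN) {
        uint32_t plen;
        if (!payload_len_checked(be16(buf + off + RLEN_OFF), &plen))
            return -1;
        if (plen > len - off - HDR_LEN)    /* payload truncated by EOF */
            return -1;
        uint8_t *payload = malloc(plen ? plen : 1);
        if (!payload) return -1;
        memcpy(payload, buf + off + HDR_LEN, plen);
        free(payload);
        off += HDR_LEN + plen;             /* both terms bounded by len */
        count++;
    }
    return off == len ? count : -1;        /* trailing partial header */
}

/* Write one record (zeroed payload) with the given rlen; constructed data. */
size_t put_record(uint8_t *dst, size_t cap, uint16_t rlen, size_t payload)
{
    if (cap < HDR_LEN + payload) return 0;
    memset(dst, 0, HDR_LEN + payload);
    dst[RLEN_OFF] = (uint8_t)(rlen >> 8);
    dst[RLEN_OFF + 1] = (uint8_t)rlen;
    return HDR_LEN + payload;
}

/* One-record capture claiming rlen bytes while only `present` payload
 * bytes actually follow the header. */
int check_single(uint16_t rlen, size_t present)
{
    uint8_t cap[512];
    size_t n = put_record(cap, sizeof cap, rlen, present);
    return n ? erf_count_records(cap, n) : -1;
}

int main(void)
{
    printf("rlen=8, unchecked payload length: %u bytes\n",
           (unsigned)payload_len_unchecked(8));
    printf("rlen=8, checked reader: %d\n", check_single(8, 0));
    printf("rlen=48 with 32 payload bytes: %d\n", check_single(48, 32));
    printf("rlen=100 with 32 payload bytes: %d\n", check_single(100, 32));
    return 0;
}
```

The second bound in erf_count_records (payload against the bytes remaining in the input) matters as much as the first: a record length that is merely large, rather than wrapped, would otherwise drive a memcpy past the end of the file buffer.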

II. Impact

A remote attacker may be able to execute code or cause Wireshark to crash.

III. Solution

Update

Wireshark 1.2.2 has been released to address this and other issues.

Do not run Wireshark with root or administrator privileges

Running Wireshark with a limited user account will reduce the impact of this and other vulnerabilities.

Systems Affected

Vendor | Status | Date Notified | Date Updated
Wireshark | Vulnerable | | 2009-10-05

References


http://www.wireshark.org/docs/relnotes/wireshark-1.2.2.html
http://anonsvn.wireshark.org/viewvc/trunk/wiretap/erf.c?view=markup&pathrev=29364
https://www.securecoding.cert.org/confluence/display/cplusplus/INT30-CPP.+Ensure+that+unsigned+integer+operations+do+not+wrap
http://wiki.wireshark.org/Security#head-ac69042aeeb98cdaed2ec2ff1bd2c983fa03cffd

Credit

This issue was discovered and this document was written by Ryan Giobbi.

Other Information

Date Public:2009-09-15
Date First Published:2009-10-05
Date Last Updated:2009-10-06
CERT Advisory: 
CVE-ID(s): 
NVD-ID(s): 
US-CERT Technical Alerts: 
Metric:1.28
Document Revision:18
Author: "US-CERT (cert@cert.org)" Tags: "Wireshark, unsigned integer wrap, wiresh..."
Date: Tuesday, 15 Sep 2009 18:50

Vulnerability Note VU#180065

Nginx ngx_http_parse_complex_uri() buffer underflow vulnerability

Overview

A vulnerability in the nginx web server may allow remote attackers to execute arbitrary code on an affected system.

I. Description

nginx is an HTTP server and mail proxy server that is available for a number of platforms. A buffer underflow vulnerability exists in the ngx_http_parse_complex_uri() function when handling specially crafted URIs. Exploitation of this vulnerability causes the nginx server to write data contained in the URI to heap memory located before the allocated buffer.

II. Impact

As with a number of other web servers, nginx is designed to operate with a single privileged master process and multiple unprivileged worker processes handling specific requests. A remote, unauthenticated attacker may be able to execute arbitrary code in the context of the worker process or cause the worker process to crash, resulting in a denial of service.

III. Solution

Upgrade or apply a patch

Updated versions of the nginx package have been released to address this issue. Users should consult the Systems Affected section of this document for information about specific vendors.

Systems Affected

Vendor | Status | Date Notified | Date Updated
Apple Inc. | Unknown | 2009-09-05 | 2009-09-06
Conectiva Inc. | Unknown | 2009-09-05 | 2009-09-06
Cray Inc. | Unknown | 2009-09-05 | 2009-09-06
Debian GNU/Linux | Vulnerable | 2009-09-05 | 2009-09-14
DragonFly BSD Project | Unknown | 2009-09-05 | 2009-09-06
EMC Corporation | Unknown | 2009-09-05 | 2009-09-06
Engarde Secure Linux | Unknown | 2009-09-05 | 2009-09-06
F5 Networks, Inc. | Unknown | 2009-09-05 | 2009-09-06
Fedora Project | Unknown | 2009-09-05 | 2009-09-06
FreeBSD, Inc. | Unknown | 2009-09-05 | 2009-09-06
Fujitsu | Unknown | 2009-09-05 | 2009-09-06
Gentoo Linux | Unknown | 2009-09-05 | 2009-09-06
Hewlett-Packard Company | Unknown | 2009-09-05 | 2009-09-06
Hitachi | Unknown | 2009-09-05 | 2009-09-06
IBM Corporation | Unknown | 2009-09-05 | 2009-09-06
IBM eServer | Unknown | 2009-09-05 | 2009-09-06
Infoblox | Unknown | 2009-09-05 | 2009-09-06
Juniper Networks, Inc. | Unknown | 2009-09-05 | 2009-09-06
Mandriva S. A. | Unknown | 2009-09-05 | 2009-09-06
MontaVista Software, Inc. | Unknown | 2009-09-05 | 2009-09-06
NEC Corporation | Unknown | 2009-09-05 | 2009-09-06
NetBSD | Unknown | 2009-09-05 | 2009-09-06
nginx | Vulnerable | | 2009-09-15
Nokia | Unknown | 2009-09-05 | 2009-09-06
Novell, Inc. | Unknown | 2009-09-05 | 2009-09-06
OpenBSD | Unknown | 2009-09-05 | 2009-09-06
Openwall GNU/*/Linux | Unknown | 2009-09-05 | 2009-09-06
QNX Software Systems Inc. | Unknown | 2009-09-05 | 2009-09-06
Red Hat, Inc. | Unknown | 2009-09-05 | 2009-09-06
SafeNet | Unknown | 2009-09-05 | 2009-09-06
Silicon Graphics, Inc. | Unknown | 2009-09-05 | 2009-09-06
Slackware Linux Inc. | Unknown | 2009-09-05 | 2009-09-06
Sony Corporation | Unknown | 2009-09-05 | 2009-09-06
Sun Microsystems, Inc. | Not Vulnerable | 2009-09-05 | 2009-09-09
SUSE Linux | Not Vulnerable | 2009-09-05 | 2009-09-08
The SCO Group | Not Vulnerable | 2009-09-05 | 2009-09-08
Turbolinux | Unknown | 2009-09-05 | 2009-09-06
Ubuntu | Unknown | 2009-09-05 | 2009-09-06
Unisys | Unknown | 2009-09-05 | 2009-09-06
Wind River Systems, Inc. | Unknown | 2009-09-05 | 2009-09-06

References


Credit

Thanks to Chris Ries of the Carnegie Mellon University Information Security Office for reporting this vulnerability.

This document was written by Chad R Dougherty.

Other Information

Date Public:2009-09-14
Date First Published:2009-09-15
Date Last Updated:2009-09-15
CERT Advisory: 
CVE-ID(s):CVE-2009-2629
NVD-ID(s):CVE-2009-2629
US-CERT Technical Alerts: 
Metric:4.22
Document Revision:8
Author: "US-CERT (cert@cert.org)"
Date: Friday, 11 Sep 2009 13:31

Vulnerability Note VU#336053

Cyrus IMAPd buffer overflow vulnerability

Overview

The Cyrus IMAP server contains a vulnerability that may allow an authenticated attacker to execute code.

I. Description

The Cyrus IMAP mail server supports the SIEVE mail filtering language. Cyrus IMAP versions 2.2 through 2.3.14 contain a buffer overflow vulnerability that may be triggered by a specially crafted SIEVE script. To install this type of script, the attacker would need to have direct access to a mail account on the server.

II. Impact

An attacker with the ability to install SIEVE scripts may be able to gain elevated privileges and use the new permissions to execute code, read other users' mail, or send spoofed email messages.

III. Solution

Update

The Cyrus IMAP team has released an update to address this issue. See http://lists.andrew.cmu.edu/pipermail/cyrus-announce/2009-September/000068.html for more information.

Disable SIEVE

Administrators who compile Cyrus IMAP from source can use the --disable-sieve option to mitigate this issue.

Systems Affected

Vendor                    | Status         | Date Notified | Date Updated
Apple Inc.                | Unknown        | 2009-09-04    | 2009-09-05
Conectiva Inc.            | Unknown        | 2009-09-04    | 2009-09-05
Cray Inc.                 | Unknown        | 2009-09-04    | 2009-09-05
Debian GNU/Linux          | Vulnerable     | 2009-09-04    | 2009-09-10
DragonFly BSD Project     | Unknown        | 2009-09-04    | 2009-09-05
EMC Corporation           | Unknown        | 2009-09-04    | 2009-09-05
Engarde Secure Linux      | Unknown        | 2009-09-04    | 2009-09-05
F5 Networks, Inc.         | Unknown        | 2009-09-04    | 2009-09-05
Fedora Project            | Unknown        | 2009-09-04    | 2009-09-05
FreeBSD, Inc.             | Unknown        | 2009-09-04    | 2009-09-05
Fujitsu                   | Unknown        | 2009-09-04    | 2009-09-05
Gentoo Linux              | Unknown        | 2009-09-04    | 2009-09-05
Hewlett-Packard Company   | Unknown        | 2009-09-04    | 2009-09-05
Hitachi                   | Unknown        | 2009-09-04    | 2009-09-05
IBM Corporation           | Unknown        | 2009-09-04    | 2009-09-05
IBM eServer               | Unknown        | 2009-09-04    | 2009-09-05
Infoblox                  | Unknown        | 2009-09-04    | 2009-09-05
Juniper Networks, Inc.    | Unknown        | 2009-09-04    | 2009-09-05
Mandriva S. A.            | Unknown        | 2009-09-04    | 2009-09-05
Microsoft Corporation     | Unknown        | 2009-09-04    | 2009-09-05
MontaVista Software, Inc. | Unknown        | 2009-09-04    | 2009-09-05
NEC Corporation           | Unknown        | 2009-09-04    | 2009-09-05
NetBSD                    | Unknown        | 2009-09-04    | 2009-09-05
Nokia                     | Unknown        | 2009-09-04    | 2009-09-05
Novell, Inc.              | Unknown        | 2009-09-04    | 2009-09-05
OpenBSD                   | Unknown        | 2009-09-04    | 2009-09-05
Openwall GNU/*/Linux      | Unknown        | 2009-09-04    | 2009-09-10
QNX Software Systems Inc. | Unknown        | 2009-09-04    | 2009-09-05
Red Hat, Inc.             | Unknown        | 2009-09-04    | 2009-09-05
SafeNet                   | Unknown        | 2009-09-04    | 2009-09-05
Silicon Graphics, Inc.    | Unknown        | 2009-09-04    | 2009-09-05
Slackware Linux Inc.      | Not Vulnerable | 2009-09-04    | 2009-09-11
Sony Corporation          | Unknown        | 2009-09-04    | 2009-09-05
Sun Microsystems, Inc.    | Not Vulnerable | 2009-09-04    | 2009-09-10
SUSE Linux                | Vulnerable     | 2009-09-04    | 2009-09-10
The SCO Group             | Vulnerable     | 2009-09-04    | 2009-09-08
Turbolinux                | Unknown        | 2009-09-04    | 2009-09-05
Ubuntu                    | Unknown        | 2009-09-04    | 2009-09-05
Unisys                    | Unknown        | 2009-09-04    | 2009-09-05
Wind River Systems, Inc.  | Unknown        | 2009-09-04    | 2009-09-05

References


http://lists.andrew.cmu.edu/pipermail/cyrus-announce/2009-September/000068.html
http://cyrusimap.web.cmu.edu/imapd/install-compile.html
http://en.wikipedia.org/wiki/Sieve_(mail_filtering_language)

Credit

Thanks to the Cyrus IMAP development team and Bron Gondwana for information that was used in this report.

This document was written by Ryan Giobbi.

Other Information

Date Public:2009-09-07
Date First Published:2009-09-09
Date Last Updated:2009-09-11
CERT Advisory: 
CVE-ID(s):CVE-2009-2632
NVD-ID(s):CVE-2009-2632
US-CERT Technical Alerts: 
Metric:0.56
Document Revision:18
Author: "US-CERT (cert@cert.org)" Tags: "Cyrus, IMAPD"
Date: Thursday, 10 Sep 2009 15:35

Vulnerability Note VU#135940

Windows SMB version 2 vulnerability

Overview

Microsoft Windows Vista and Server 2008 do not correctly parse SMB version 2 messages. This vulnerability could allow an attacker to execute arbitrary code.

I. Description

The Server Message Block version 2 (SMBv2) protocol is the successor to the original SMB protocol. SMBv2 is available in Windows Vista, Server 2008 and Windows 7 release candidates.

Windows Vista and Server 2008 fail to properly parse the headers of the Negotiate Protocol Request portion of an SMBv2 message.

II. Impact

An attacker may be able to execute arbitrary code or cause a vulnerable system to crash.

III. Solution

There is currently no solution to this problem. Until patches are available, users and administrators are encouraged to review the below workarounds.


Restrict access

Blocking access to ports 139/tcp and 445/tcp on vulnerable systems will mitigate this vulnerability. Administrators can configure mobile systems that use the Windows Firewall to open these ports only when authenticated to a domain controller by using the firewall's "profile" feature.

Disable SMBv2

Disabling SMBv2 will mitigate this issue. The below steps to disable SMBv2 are provided in Microsoft Security Advisory 975497.

  1. Click Start, click Run, type Regedit in the Open box, and then click OK.
  2. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
  3. Click LanmanServer.
  4. Click Parameters.
  5. Right-click to add a new DWORD (32-bit) Value.
  6. Enter smb2 in the Name data field, and change the Value data field to 0.
  7. Exit.
  8. From a command prompt and with administrator privileges, type net stop server and then net start server.

Systems Affected

Vendor                | Status     | Date Notified | Date Updated
Microsoft Corporation | Vulnerable |               | 2009-09-10

References


http://www.microsoft.com/technet/security/advisory/975497.mspx
http://technet.microsoft.com/en-us/library/dd734783(WS.10).aspx
http://g-laurent.blogspot.com/2009/09/windows-vista7-smb20-negotiate-protocol.html

Credit

Thanks to Microsoft and Laurent Gaffié for information that was used in this report.

This document was written by Ryan Giobbi.

Other Information

Date Public:2009-09-07
Date First Published:2009-09-10
Date Last Updated:2009-09-10
CERT Advisory: 
CVE-ID(s):CVE-2009-3103
NVD-ID(s):CVE-2009-3103
US-CERT Technical Alerts: 
Metric:62.70
Document Revision:14
Author: "US-CERT (cert@cert.org)" Tags: "windows, vista, 7, sever message block, ..."
Date: Saturday, 05 Sep 2009 13:42

Vulnerability Note VU#444513

VMware VMnc AVI video codec image height heap overflow

Overview

The VMware VMnc video codec fails to properly handle the image height value in AVI files, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

I. Description

Several VMware products include the ability to create and play movies of running virtual machines. The codec used in these movies is called VMnc, which is based on the VNC RFB protocol. The VMnc decoder is provided by the file vmnc.dll. The VMnc codec fails to properly handle video content with a specified height of less than 8 pixels. This flaw can lead to heap memory corruption. The vulnerable code in vmnc.dll may be reached via Windows applications that support the DirectShow API.

II. Impact

By convincing a user to parse a specially crafted VMnc codec AVI file, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. This may occur as the result of several actions, including playing an AVI file with Windows Media Player, viewing a web page that uses the Windows Media Player ActiveX control or plug-in, or even simply by selecting an AVI file in Windows Explorer.

III. Solution

Apply an update

This issue is addressed in VMware Movie Decoder 6.5.3, Workstation 6.5.3, Player 6.5.3, and ACE 2.5.3. Details for obtaining these versions are available in VMware Security Advisory VMSA-2009-0012.

Remove the VMnc codec

If you are unable to apply an update, this vulnerability can be mitigated by removing the vmnc.dll file. Note that this will prevent a system from being able to play VMnc codec AVI files.

Systems Affected

Vendor | Status     | Date Notified | Date Updated
VMware | Vulnerable | 2009-06-22    | 2009-09-05

References


http://lists.vmware.com/pipermail/security-announce/2009/000065.html

Credit

This vulnerability was reported by Will Dormann of the CERT/CC.

This document was written by Will Dormann.

Other Information

Date Public:2009-09-04
Date First Published:2009-09-05
Date Last Updated:2009-09-05
CERT Advisory: 
CVE-ID(s):CVE-2009-2628
NVD-ID(s):CVE-2009-2628
US-CERT Technical Alerts: 
Metric:4.05
Document Revision:17
Author: "US-CERT (cert@cert.org)" Tags: "vmnc.dll, directshow, codec, video, vmwa..."
Date: Saturday, 05 Sep 2009 02:27

Vulnerability Note VU#970180

Adobe Reader and Acrobat customDictionaryOpen() and getAnnots() JavaScript vulnerabilities

Overview

Adobe Reader and Acrobat contain vulnerabilities in the customDictionaryOpen() and getAnnots() JavaScript methods.

I. Description

Adobe Reader and the Adobe Acrobat family of software are designed to create, view, and edit Portable Document Format (PDF) files. Adobe Reader is widely deployed, and the Acrobat Reader Plug-In displays PDF inside a web browser.

Adobe Reader and Acrobat support JavaScript. The JavaScript methods customDictionaryOpen() (CVE-2009-1493) and getAnnots() (CVE-2009-1492) do not safely handle specially crafted arguments and can be manipulated to execute arbitrary code. Publicly available exploit code claims to work on Adobe Reader 9.1 and 8.1.4 on GNU/Linux. Limited testing shows that Adobe Reader and Acrobat on Microsoft Windows platforms crash when parsing a PDF file that contains a specially crafted getAnnots() call. As of 2009-04-29 we have not confirmed the reported customDictionaryOpen() vulnerability.

Adobe Security Advisory APSA09-02 states that the getAnnots() vulnerability affects Adobe Reader and Acrobat for Microsoft Windows, Apple Mac OS X, and UNIX, while the customDictionaryOpen() vulnerability appears to only affect Adobe Reader for UNIX.

II. Impact

By convincing a user to open a specially crafted PDF file, an attacker may be able to execute arbitrary code.

III. Solution

Update

From Adobe Security Bulletin APSB09-06, update to version 9.1.1, 8.1.5, or 7.1.2 of Adobe Reader and Adobe Acrobat Standard, Pro and Pro Extended.

Disable JavaScript in Adobe Reader and Acrobat

Disabling JavaScript prevents these vulnerabilities from being exploited and reduces attack surface. If this workaround is applied to updated versions of Adobe Reader and Acrobat, it may protect against future vulnerabilities.

To disable JavaScript in Adobe Reader:

  1. Open Adobe Acrobat Reader.
  2. Open the Edit menu.
  3. Choose the Preferences... option.
  4. Choose the JavaScript section.
  5. Uncheck the Enable Acrobat JavaScript check box.

Disabling JavaScript will not resolve the vulnerabilities; it only disables the vulnerable JavaScript component. When JavaScript is disabled, Adobe Reader and Acrobat prompt to re-enable JavaScript when opening a PDF that contains JavaScript.

Some vendors ship JavaScript support in a separate package. Removing this package may remove JavaScript support.

Prevent Internet Explorer from automatically opening PDF documents

The installer for Adobe Reader and Acrobat configures Internet Explorer to automatically open PDF files without any user interaction. This behavior can be reverted to the safer option of prompting the user by importing the following as a .REG file:
    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\AcroExch.Document.7]
    "EditFlags"=hex:00,00,00,00

Disable the displaying of PDF documents in the web browser

Preventing PDF documents from opening inside a web browser reduces attack surface. If this workaround is applied to updated versions of Adobe Reader and Acrobat, it may protect against future vulnerabilities.

To prevent PDF documents from automatically being opened in a web browser with Adobe Reader:
  1. Open Adobe Acrobat Reader.
  2. Open the Edit menu.
  3. Choose the Preferences... option.
  4. Choose the Internet section.
  5. Uncheck the Display PDF in browser check box.

Rename or remove Annots.api

To disable the vulnerable getAnnots() method, rename or remove the Annots.api file. This will disable some Annotation functionality; however, annotations can still be viewed. This does not protect against the customDictionaryOpen() vulnerability.

On Windows, Annots.api is typically located here:
    "%ProgramFiles%\Adobe\Reader 9.0\Reader\plug_ins"
Example location on GNU/Linux:
    /opt/Adobe/Reader8/Reader/intellinux/plug_ins/Annots.api

Do not access PDF documents from untrusted sources

Do not open unfamiliar or unexpected PDF documents, particularly those hosted on web sites or delivered as email attachments. Please see Cyber Security Tip ST04-010.

Systems Affected

Vendor | Status     | Date Notified | Date Updated
Adobe  | Vulnerable | 2009-04-28    | 2009-05-13

References


http://www.adobe.com/support/security/bulletins/apsb09-06.html
http://www.adobe.com/support/security/advisories/apsa09-02.html
http://blogs.adobe.com/psirt/2009/04/potential_adobe_reader_issue.html
http://blogs.adobe.com/psirt/2009/04/update_on_adobe_reader_issue.html
http://blogs.adobe.com/psirt/2009/05/adobe_reader_issue_update.html
http://www.adobe.com/devnet/acrobat/pdfs/js_api_reference.pdf
http://www.securityfocus.com/bid/34736/
http://www.securityfocus.com/bid/34740/

Credit

These vulnerabilities were publicly reported by Arr1val.

This document was written by Art Manion.

Other Information

Date Public:2009-04-28
Date First Published:2009-04-29
Date Last Updated:2009-09-04
CERT Advisory: 
CVE-ID(s):CVE-2009-1492; CVE-2009-1493
NVD-ID(s):CVE-2009-1492 CVE-2009-1493
US-CERT Technical Alerts:TA09-133B
Metric:21.80
Document Revision:44
Author: "US-CERT (cert@cert.org)" Tags: "adobe, reader, acrobat, customdictionary..."
Date: Wednesday, 02 Sep 2009 12:57

Vulnerability Note VU#276653

Microsoft Internet Information Server (IIS) FTP server NLST stack buffer overflow

Overview

The Microsoft IIS FTP server contains a stack buffer overflow in the handling of directory names, which may allow a remote attacker to execute arbitrary code on a vulnerable system.

I. Description

IIS is a web server that comes with Microsoft Windows. IIS also includes FTP server functionality. The IIS FTP server fails to properly parse specially-crafted directory names. By issuing an FTP NLST (NAME LIST) command on a specially-named directory, an attacker may cause a stack buffer overflow. The attacker can create the specially-named directory if FTP is configured to allow write access using the Anonymous account or another account that is available to the attacker.

II. Impact

A remote attacker may be able to execute arbitrary code on a vulnerable server. For servers that allow anonymous file uploads, the attacker would typically be unauthenticated.

III. Solution

We are currently unaware of a practical solution to this problem. Please consider the workarounds listed in Microsoft Security Advisory (975191), which include:

Disable anonymous FTP write access

Configuring IIS to disallow write access to anonymous FTP users will limit the ability of the attacker to create a directory that can trigger this vulnerability.

Systems Affected

Vendor                | Status     | Date Notified | Date Updated
Microsoft Corporation | Vulnerable |               | 2009-09-02

References


http://www.microsoft.com/technet/security/advisory/975191.mspx
http://blog.g-sec.lu/2009/09/iis-5-iis-6-ftp-vulnerability.html
http://milw0rm.com/exploits/9541

Credit

This vulnerability was publicly disclosed by Kingcope.

This document was written by Will Dormann.

Other Information

Date Public:2009-08-31
Date First Published:2009-08-31
Date Last Updated:2009-09-02
CERT Advisory: 
CVE-ID(s): 
NVD-ID(s): 
US-CERT Technical Alerts: 
Metric:20.81
Document Revision:23
Author: "US-CERT (cert@cert.org)" Tags: "Microsoft, IIS, inetinfo.exe, NLST, dire..."
Date: Friday, 21 Aug 2009 19:06

Vulnerability Note VU#582244

Libpurple buffer overflow vulnerability

Overview

The Libpurple instant messenger library contains a vulnerability that may allow an attacker to execute arbitrary code.

I. Description

Libpurple is an instant messenger (IM) library that is used by various programs to connect to multiple networks. Libpurple contains a buffer overflow vulnerability that can be triggered by sending specially crafted MSNSLP messages to a program that is using an affected version of the library.

For more technical details, see CORE Advisory CORE-2009-0727.

II. Impact

An attacker may be able to execute arbitrary code or cause an IM program to crash.

III. Solution

Upgrade

Instant messenger programs may distribute Libpurple and will provide an updated version to their users as a security update. See the systems affected portion of this document for a partial list of affected IM clients. Users who compile Libpurple or IM programs should see the Libpurple site or their operating system vendor for updated software.

Restrict Access

The most likely attack vector for this issue would be via the MSN IM network. Administrators may be able to temporarily mitigate this issue by blocking access to the MSN IM network. This workaround is not likely to be totally effective.

Systems Affected

Vendor | Status     | Date Notified | Date Updated
Pidgin | Vulnerable |               | 2009-08-21

References


http://pidgin.im/news/security/?id=34
http://developer.pidgin.im/wiki/WhatIsLibpurple
http://www.coresecurity.com/content/libpurple-arbitrary-write#lref.4
http://msnpiki.msnfanatic.com/index.php/MSNC:MSNSLP
http://supportwiki.cisco.com/ViewWiki/index.php/How_to_configure_the_PIX_500_Series_Firewall_with_software_version_6.x_in_order_to_block_the_MSN_messenger_with_the_access-list_command

Credit

Information from CORE Advisory CORE-2009-0727 was used in this report.

This document was written by Ryan Giobbi.

Other Information

Date Public:2009-08-18
Date First Published:2009-08-21
Date Last Updated:2009-08-21
CERT Advisory: 
CVE-ID(s):CVE-2009-2694
NVD-ID(s):CVE-2009-2694
US-CERT Technical Alerts: 
Metric:10.19
Document Revision:12
Author: "US-CERT (cert@cert.org)" Tags: "Libpurple, msn_slplink_process_msg(), ar..."
Date: Tuesday, 18 Aug 2009 20:39

Vulnerability Note VU#485961

Acer AcerCtrls.APlunch ActiveX Control fails to properly restrict access to methods

Overview

The Acer AcerCtrls.APlunch ActiveX control contains methods that can allow a remote, unauthenticated attacker to run arbitrary commands on a vulnerable system.

I. Description

The Acer AcerCtrls.APlunch ActiveX control is provided by acerctrl.ocx. It contains a method called Run(), which takes two parameters: Drive and FileName. Although the control is not inherently marked as safe for scripting via the IObjectSafety interface, it may be distributed with the appropriate Implemented Categories registry key to make it safe for scripting. This means that a web page in Internet Explorer can call the Run() method of the control.

Note that this vulnerability is similar to but not the same issue as VU#221700. This control has different parameters and uses a different CLSID that is not included in the killbits provided with Microsoft Security Bulletin MS07-027.

II. Impact

By convincing a victim to view an HTML document (web page, HTML email, or email attachment), an attacker could run arbitrary commands with the privileges of the user running IE.

III. Solution

We are currently unaware of a practical solution to this problem. Please consider the following workarounds:


Disable the Acer AcerCtrls.APlunch ActiveX control in Internet Explorer

The Acer AcerCtrls.APlunch ActiveX control can be disabled in Internet Explorer by setting the kill bit for the following CLSID:

    {3895DD35-7573-11D2-8FED-00606730D3AA}
More information about how to set the kill bit is available in Microsoft Support Document 240797. Alternatively, the following text can be saved as a .REG file and imported to set the kill bit for this control:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{3895DD35-7573-11D2-8FED-00606730D3AA}]
    "Compatibility Flags"=dword:00000400
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{3895DD35-7573-11D2-8FED-00606730D3AA}]
    "Compatibility Flags"=dword:00000400

Disable ActiveX

Disabling ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this and other ActiveX vulnerabilities. Instructions for disabling ActiveX in the Internet Zone can be found in the "Securing Your Web Browser" document.

Systems Affected

Vendor | Status     | Date Notified | Date Updated
Acer   | Vulnerable | 2007-05-09    | 2009-08-17

References

http://www.kb.cert.org/vuls/id/221700
http://vuln.sg/acerlunchapp-en.html
http://support.microsoft.com/kb/240797

Credit

Thanks to Michael Costa of Crosshair Information Technology & Security LLC for reporting this vulnerability.

This document was written by Will Dormann.

Other Information

Date Public:2009-08-16
Date First Published:2009-08-18
Date Last Updated:2009-08-18
CERT Advisory: 
CVE-ID(s):CVE-2009-2627
NVD-ID(s):CVE-2009-2627
US-CERT Technical Alerts: 
Metric:5.06
Document Revision:13
Author: "US-CERT (cert@cert.org)" Tags: "Acer, AcerCtrls.APlunch, ActiveX Control..."
Date: Friday, 07 Aug 2009 14:54

Vulnerability Note VU#545228

Microsoft Office Web Components Spreadsheet ActiveX control vulnerability

Overview

The Microsoft Office Web Components Spreadsheet ActiveX controls (OWC10 and OWC11) contain a vulnerability that may allow an attacker to take control of a vulnerable system.

I. Description

The Office Web Components Spreadsheet ActiveX control contains a code execution vulnerability. Public reports indicate that this vulnerability is being actively exploited.

Per the MSRC blog, the following products may install the affected control on a system:

    Microsoft Office XP Service Pack 3, Microsoft Office 2003 Service Pack 3, Microsoft Office XP Web Components Service Pack 3, Microsoft Office Web Components 2003 Service Pack 3, Microsoft Office 2003 Web Components for the 2007 Microsoft Office system Service Pack 1, Microsoft Internet Security and Acceleration Server 2004 Standard Edition Service Pack 3, Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition Service Pack 3, Microsoft Internet Security and Acceleration Server 2006, Internet Security and Acceleration Server 2006 Supportability Update, Microsoft Internet Security and Acceleration Server 2006 Service Pack 1, Microsoft Office Small Business Accounting 2006.
Further details are available from the Microsoft Security Research & Defense blog.

II. Impact

A remote attacker may be able to take control of a vulnerable system.

III. Solution

Until updates are available, the below workaround will mitigate this vulnerability.

Disable the Office Web Components Spreadsheet ActiveX controls in Internet Explorer

The vulnerable controls can be disabled in Internet Explorer by setting the kill bit for the following CLSIDs:

    {0002E541-0000-0000-C000-000000000046} (OWC10)
    {0002E559-0000-0000-C000-000000000046} (OWC11)
More information about how to set the kill bit is available in Microsoft Support Document 240797. Alternatively, the following text can be saved as a .REG file and imported to set the kill bit for these controls:
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E541-0000-0000-C000-000000000046}]
    "Compatibility Flags"=dword:00000400
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E541-0000-0000-C000-000000000046}]
    "Compatibility Flags"=dword:00000400

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E559-0000-0000-C000-000000000046}]
    "Compatibility Flags"=dword:00000400
    [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E559-0000-0000-C000-000000000046}]
    "Compatibility Flags"=dword:00000400

Disable ActiveX

Disabling ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this and other ActiveX vulnerabilities. Instructions for disabling ActiveX in the Internet Zone can be found in the "Securing Your Web Browser" document.

Systems Affected

Vendor                | Status     | Date Notified | Date Updated
Microsoft Corporation | Vulnerable |               | 2009-07-15

References

http://www.cert.org/tech_tips/securing_browser/
http://www.microsoft.com/technet/security/advisory/973472.mspx
http://blogs.technet.com/msrc/archive/2009/07/13/microsoft-security-advisory-973472-released.aspx
http://blogs.technet.com/srd/archive/2009/07/13/more-information-about-the-office-web-components-activex-vulnerability.aspx
http://support.microsoft.com/kb/240797

Credit

Thanks to Microsoft for information that was used in this report.

This document was written by Ryan Giobbi.

Other Information

Date Public:2009-07-13
Date First Published:2009-07-15
Date Last Updated:2009-08-07
CERT Advisory: 
CVE-ID(s):CVE-2009-1136
NVD-ID(s):CVE-2009-1136
US-CERT Technical Alerts:TA09-195A
Metric:44.04
Document Revision:17
Author: "US-CERT (cert@cert.org)" Tags: "microsoft, security advisory, 973472, of..."
Date: Friday, 07 Aug 2009 14:54

Vulnerability Note VU#259425

Adobe Flash vulnerability affects Flash Player and other Adobe products

Overview

Adobe Flash contains a vulnerability that may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Adobe Flash Player, Reader, Acrobat, and other products that include Flash support are affected.

I. Description

Adobe Flash is a widely deployed multimedia platform typically used to provide content in web sites. Adobe Flash Player, Reader, Acrobat, and other Adobe products include Flash support.

Adobe Flash Player contains a code execution vulnerability. An attacker may be able to trigger this vulnerability by convincing a user to open a specially crafted Flash (SWF) file. The SWF file could be hosted or embedded in a web page or contained in a Portable Document Format (PDF) file. If an attacker can take control of a website or web server, trusted sites may exploit this vulnerability.

This vulnerability affects Adobe Flash versions 9.0.159.0 and 10.0.22.87 and earlier 9.x and 10.x versions. Adobe Reader 9, Acrobat 9, and other Adobe products (including Photoshop CS3, PhotoShop Lightroom, Freehand MX, Fireworks) provide Flash support independent of Flash Player. As of 2009-07-22, Adobe Reader 9.1.2 includes Flash 9.0.155.0, which is likely vulnerable to issues addressed by Flash 9.0.159.0 (APSB09-01).

This vulnerability is being actively exploited.

II. Impact

By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), PDF file, Microsoft Office document, or any other document that supports embedded SWF content, an attacker may be able to execute arbitrary code.

III. Solution

Apply an update

This issue is addressed in Flash Player 10.0.32.18. Please see Adobe Security Bulletin APSB09-10 for more details. Note that Microsoft Windows users should update both the ActiveX and Plug-in versions of Flash Player for increased protection.

Disable Flash in your web browser

Disable Flash or selectively enable Flash content as described in Securing Your Web Browser.

Disable Flash and 3D & Multimedia support in Adobe Reader 9

Flash and 3D & Multimedia support are implemented as plugin libraries in Adobe Reader. Disabling Flash in Adobe Reader will only mitigate attacks using a SWF embedded in a PDF file. Disabling 3D & Multimedia support does not directly address the vulnerability, but does provide additional mitigation and results in a more user-friendly error message instead of a crash.

To disable Flash and 3D & Multimedia support in Adobe Reader 9 on Microsoft Windows, delete or rename these files:

    "%ProgramFiles%\Adobe\Reader 9.0\Reader\authplay.dll"
    "%ProgramFiles%\Adobe\Reader 9.0\Reader\rt3d.dll"
For Apple Mac OS X, delete or rename these files:
    "/Applications/Adobe Reader 9/Adobe Reader.app/Contents/Frameworks/AuthPlayLib.bundle"
    "/Applications/Adobe Reader 9/Adobe Reader.app/Contents/Frameworks/Adobe3D.framework"
For GNU/Linux delete or rename these files (locations may vary among distributions):
    "/opt/Adobe/Reader9/Reader/intellinux/lib/libauthplay.so"
    "/opt/Adobe/Reader9/Reader/intellinux/lib/librt3d.so"
File locations may be different for Adobe Acrobat or other Adobe products that include Flash and 3D & Multimedia support. Disabling these plugins will reduce functionality, and will not protect against SWF files hosted on web sites. Depending on the update schedule for products other than Flash Player, consider leaving Flash and 3D & Multimedia support disabled unless they are absolutely required.

Remove Flash

Adobe has provided a TechNote with utilities for uninstalling the Flash Player plug-in and ActiveX control on Windows and Mac OS X systems. Removing these components can mitigate the web browser attack vector for this vulnerability. Note that this will not remove the instances of Flash Player that are installed with Adobe Reader 9 or other Adobe products.

Enable DEP in Microsoft Windows

Consider enabling Data Execution Prevention (DEP) in supported versions of Windows. DEP should not be treated as a complete workaround, but DEP can mitigate the execution of attacker-supplied code in some cases. Microsoft has published detailed technical information about DEP in Security Research & Defense blog posts "Understanding DEP as a mitigation technology" part 1 and part 2. Use of DEP should be considered in conjunction with the application of patches or other mitigations described in this document.

Systems Affected

Vendor | Status     | Date Notified | Date Updated
Adobe  | Vulnerable |               | 2009-07-23

References

http://www.us-cert.gov/reading_room/securing_browser/
http://www.adobe.com/support/security/bulletins/apsb09-10.html
http://blogs.adobe.com/psirt/2009/07/potential_adobe_reader_and_fla.html
http://blogs.adobe.com/psirt/2009/07/update_on_adobe_reader_acrobat.html
http://www.adobe.com/support/security/advisories/apsa09-03.html
http://bugs.adobe.com/jira/browse/FP-1265
http://www.symantec.com/connect/blogs/next-generation-flash-vulnerability
http://kb2.adobe.com/cps/141/tn_14157.html
http://blog.fireeye.com/research/2009/07/actionscript_heap_spray.html
http://blogs.technet.com/srd/archive/2009/06/05/understanding-dep-as-a-mitigation-technology-part-1.aspx
http://blogs.technet.com/srd/archive/2009/06/12/understanding-dep-as-a-mitigation-technology-part-2.aspx

Credit

This vulnerability was reported on the Adobe PSIRT blog. Thanks to Department of Defense Cyber Crime Center/DCISE for information used in this document.

This document was written by Chris Taschner, Will Dormann, Chad Dougherty, and Art Manion.

Other Information

Date Public: 2009-07-22
Date First Published: 2009-07-22
Date Last Updated: 2009-08-07
CERT Advisory:
CVE-ID(s): CVE-2009-1862
NVD-ID(s): CVE-2009-1862
US-CERT Technical Alerts: TA09-204A
Metric: 35.34
Document Revision: 48
Author: "US-CERT (cert@cert.org)" Tags: "adobe, flash, swf, pdf, portable documen..."
Date: Wednesday, 05 Aug 2009 19:26

Vulnerability Note VU#466161

XML signature HMAC truncation authentication bypass

Overview

The XML Signature specification allows for HMAC truncation, which may allow a remote attacker to bypass authentication.

I. Description

XML Signature Syntax and Processing (XMLDsig) is a W3C recommendation for providing integrity, message authentication, and/or signer authentication services for data. XMLDsig is commonly used by web service protocols such as SOAP. The XMLDsig recommendation includes support for HMAC truncation, as specified in RFC 2104. However, the XMLDsig specification does not follow the RFC 2104 recommendation that a MAC not be truncated to less than half the length of the hash output or to less than 80 bits. When the truncation length is under the control of an attacker, this can result in an effective authentication bypass. For example, by specifying an HMACOutputLength of 1, only one bit of the signature is verified. This can allow an attacker to forge an XML signature that will be accepted as valid.
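As an added example (not part of this note or any XMLDsig implementation), the check Erratum E03 asks a verifier to make, in Python: the pre-erratum verifier honours a document-supplied HMACOutputLength of 1 and accepts one of the two possible one-bit values for a tampered SignedInfo, while the hardened verifier rejects the length before comparing anything. The key and SignedInfo bytes are constructed, and canonicalization is assumed to have already happened.

```python
import hmac
import hashlib
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
HASH_BITS = 160  # HMAC-SHA1 output size, the HMAC algorithm XMLDsig 1.0 specifies

# Constructed sample: a SignatureMethod element that requests a one-bit MAC.
SAMPLE_SIGNATURE_METHOD = (
    '<SignatureMethod xmlns="http://www.w3.org/2000/09/xmldsig#" '
    'Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1">'
    "<HMACOutputLength>1</HMACOutputLength></SignatureMethod>"
)
# Constructed sample key and canonicalized SignedInfo bytes (C14N itself is out of scope here).
SAMPLE_KEY = b"constructed-shared-secret"
SAMPLE_SIGNED_INFO = b"<SignedInfo>constructed canonical bytes</SignedInfo>"


def minimum_output_length(hash_bits):
    """Erratum E03 floor (RFC 2104 section 5): at least half the hash output, never below 80 bits."""
    return max(80, hash_bits // 2)


def parse_hmac_output_length(signature_method_xml):
    """HMACOutputLength from a <SignatureMethod>, or None when absent (meaning a full-length MAC)."""
    root = ET.fromstring(signature_method_xml)
    node = root.find(f"{{{DSIG_NS}}}HMACOutputLength")
    return int(node.text.strip()) if node is not None else None


def truncated_mac(key, signed_info, out_bits):
    """The leading out_bits of HMAC-SHA1 over the canonicalized SignedInfo, as an integer."""
    digest = hmac.new(key, signed_info, hashlib.sha1).digest()
    return int.from_bytes(digest, "big") >> (HASH_BITS - out_bits)


def _same_mac(a, b):
    # Constant-time comparison of two MAC values via fixed-width encodings.
    width = HASH_BITS // 8
    return hmac.compare_digest(a.to_bytes(width, "big"), b.to_bytes(width, "big"))


def verify_naive(key, signed_info, signature_value, out_bits):
    """Pre-erratum behaviour: honour whatever HMACOutputLength the signed document asks for."""
    out_bits = HASH_BITS if out_bits is None else out_bits
    return _same_mac(truncated_mac(key, signed_info, out_bits), signature_value)


def verify_hardened(key, signed_info, signature_value, out_bits):
    """Erratum E03 behaviour: reject an out-of-range truncation before any MAC is compared."""
    out_bits = HASH_BITS if out_bits is None else out_bits
    if not minimum_output_length(HASH_BITS) <= out_bits <= HASH_BITS:
        return False  # a document-supplied length below the floor is itself the failure
    return _same_mac(truncated_mac(key, signed_info, out_bits), signature_value)


def forgery_demo():
    """Why HMACOutputLength=1 is a bypass: both possible 1-bit values are tried, one always verifies."""
    out_bits = parse_hmac_output_length(SAMPLE_SIGNATURE_METHOD)
    tampered = SAMPLE_SIGNED_INFO.replace(b"constructed", b"altered", 1)
    candidates = range(2 ** out_bits)  # two values; the key plays no part
    naive_accepts = any(verify_naive(SAMPLE_KEY, tampered, v, out_bits) for v in candidates)
    hardened_accepts = any(verify_hardened(SAMPLE_KEY, tampered, v, out_bits) for v in candidates)
    return naive_accepts, hardened_accepts
```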

II. Impact

This vulnerability can allow an attacker to bypass the authentication mechanism provided by the XML Signature specification.

III. Solution

Apply an update

Please check with your vendor for available updates. Erratum E03 for the XMLDsig recommendation has been added, which specifies minimum values for HMAC truncation.

Systems Affected

Vendor | Status | Date Notified | Date Updated
3com, Inc. | Unknown | 2009-07-09 | 2009-07-09
ACCESS | Unknown | 2009-07-09 | 2009-07-09
Alcatel-Lucent | Unknown | 2009-07-09 | 2009-07-09
Apache XML Security | Vulnerable | | 2009-07-14
Apple Inc. | Vulnerable | 2009-07-09 | 2009-07-10
AT&T | Unknown | 2009-07-09 | 2009-07-09
Avaya, Inc. | Unknown | 2009-07-09 | 2009-07-09
Barracuda Networks | Unknown | 2009-07-09 | 2009-07-09
Belkin, Inc. | Unknown | 2009-07-09 | 2009-07-09
Borderware Technologies | Unknown | 2009-07-09 | 2009-07-09
CERT-Bund | Unknown | 2009-06-22 | 2009-06-22
Certicom | Unknown | 2009-02-18 | 2009-02-18
Charlotte's Web Networks | Unknown | 2009-07-09 | 2009-07-09
Check Point Software Technologies | Unknown | 2009-07-09 | 2009-07-09
Cisco Systems, Inc. | Unknown | 2009-07-09 | 2009-07-09
Clavister | Unknown | 2009-07-09 | 2009-07-09
Computer Associates | Unknown | 2009-07-09 | 2009-07-09
Computer Associates eTrust Security Management | Unknown | 2009-07-09 | 2009-07-09
Conectiva Inc. | Unknown | 2009-07-09 | 2009-07-09
Cray Inc. | Unknown | 2009-07-09 | 2009-07-09
D-Link Systems, Inc. | Unknown | 2009-07-09 | 2009-07-09
Debian GNU/Linux | Vulnerable | 2009-07-09 | 2009-07-14
DragonFly BSD Project | Unknown | 2009-07-09 | 2009-07-09
EMC Corporation | Unknown | 2009-07-09 | 2009-07-09
Engarde Secure Linux | Unknown | 2009-07-09 | 2009-07-09
Enterasys Networks | Unknown | 2009-07-09 | 2009-07-09
Ericsson | Unknown | 2009-07-09 | 2009-07-09
eSoft, Inc. | Unknown | 2009-07-09 | 2009-07-09
Extreme Networks | Unknown | 2009-07-09 | 2009-07-09
F5 Networks, Inc. | Unknown | 2009-07-09 | 2009-07-09
Fedora Project | Unknown | 2009-07-09 | 2009-07-09
Force10 Networks, Inc. | Not Vulnerable | 2009-07-09 | 2009-07-14
Fortinet, Inc. | Unknown | 2009-07-09 | 2009-07-09
Foundry Networks, Inc. | Unknown | 2009-07-09 | 2009-07-09
FreeBSD, Inc. | Unknown | 2009-07-09 | 2009-07-09
Fujitsu | Unknown | 2009-07-09 | 2009-07-09
Gentoo Linux | Unknown | 2009-07-09 | 2009-07-09
Global Technology Associates | Unknown | 2009-07-09 | 2009-07-09
Hewlett-Packard Company | Unknown | 2009-07-09 | 2009-07-09
Hitachi | Unknown | 2009-07-09 | 2009-07-09
IBM Corporation | Vulnerable | 2009-07-09 | 2009-07-14
IBM eServer | Unknown | 2009-07-09 | 2009-07-09
Infoblox | Unknown | 2009-07-09 | 2009-07-09
Intel Corporation | Unknown | 2009-07-09 | 2009-07-09
Internet Security Systems, Inc. | Unknown | 2009-07-09 | 2009-07-09
Intoto | Unknown | 2009-07-09 | 2009-07-09
IP Filter | Unknown | 2009-07-09 | 2009-07-09
IP Infusion, Inc. | Unknown | 2009-07-09 | 2009-07-09
Juniper Networks, Inc. | Unknown | 2009-07-09 | 2009-07-09
Luminous Networks | Unknown | 2009-07-09 | 2009-07-09
m0n0wall | Not Vulnerable | 2009-07-09 | 2009-07-10
Mandriva S. A. | Unknown | 2009-07-09 | 2009-07-09
McAfee | Unknown | 2009-07-09 | 2009-07-09
Microsoft Corporation | Unknown | 2009-07-09 | 2009-07-09
Mono-Project | Vulnerable | | 2009-07-10
MontaVista Software, Inc. | Unknown | 2009-07-09 | 2009-07-09
Multitech, Inc. | Unknown | 2009-07-09 | 2009-07-09
NEC Corporation | Unknown | 2009-07-09 | 2009-07-09
NetApp | Unknown | 2009-07-09 | 2009-07-09
NetBSD | Unknown | 2009-07-09 | 2009-07-09
netfilter | Unknown | 2009-07-09 | 2009-07-09
Nokia | Unknown | 2009-07-09 | 2009-07-09
Nortel Networks, Inc. | Unknown | 2009-07-09 | 2009-07-09
Novell, Inc. | Unknown | 2009-07-09 | 2009-07-09
Openwall GNU/*/Linux | Unknown | 2009-07-09 | 2009-07-09
Oracle Corporation | Vulnerable | | 2009-07-13
PePLink | Not Vulnerable | 2009-07-09 | 2009-07-20
Process Software | Unknown | 2009-07-09 | 2009-07-09
Q1 Labs | Not Vulnerable | 2009-07-09 | 2009-07-10
QNX, Software Systems, Inc. | Unknown | 2009-07-09 | 2009-07-09
Quagga | Unknown | 2009-07-09 | 2009-07-09
RadWare, Inc. | Unknown | 2009-07-09 | 2009-07-09
Red Hat, Inc. | Unknown | 2009-07-09 | 2009-07-09
Redback Networks, Inc. | Unknown | 2009-07-09 | 2009-07-09
RSA Security, Inc. | Vulnerable | | 2009-07-14
SafeNet | Unknown | 2009-07-09 | 2009-07-09
Secureworx, Inc. | Unknown | 2009-07-09 | 2009-07-09
Silicon Graphics, Inc. | Unknown | 2009-07-09 | 2009-07-09
Slackware Linux Inc. | Unknown | 2009-07-09 | 2009-07-09
SmoothWall | Unknown | 2009-07-09 | 2009-07-09
Snort | Unknown | 2009-07-09 | 2009-07-09
Soapstone Networks | Unknown | 2009-07-09 | 2009-07-09
Sony Corporation | Unknown | 2009-07-09 | 2009-07-09
Sourcefire | Unknown | 2009-07-09 | 2009-07-09
Stonesoft | Unknown | 2009-07-09 | 2009-07-09
Sun Microsystems, Inc. | Vulnerable | 2009-07-09 | 2009-08-05
SUSE Linux | Unknown | 2009-07-09 | 2009-07-09
Symantec | Unknown | 2009-07-09 | 2009-07-09
The SCO Group | Not Vulnerable | 2009-07-09 | 2009-07-13
TippingPoint, Technologies, Inc. | Unknown | 2009-07-09 | 2009-07-09
Turbolinux | Unknown | 2009-07-09 | 2009-07-09
U4EA Technologies, Inc. | Unknown | 2009-07-09 | 2009-07-09
Ubuntu | Unknown | 2009-07-09 | 2009-07-09
Unisys | Unknown | 2009-07-09 | 2009-07-09
VMware | Not Vulnerable | 2009-07-09 | 2009-07-14
Vyatta | Unknown | 2009-07-09 | 2009-07-09
Watchguard Technologies, Inc. | Unknown | 2009-07-09 | 2009-07-09
Wind River Systems, Inc. | Not Vulnerable | 2009-07-09 | 2009-07-13
XML Security Library | Vulnerable | | 2009-07-10
ZyXEL | Unknown | 2009-07-09 | 2009-07-09

References


http://www.w3.org/2008/06/xmldsigcore-errata.html#e03
http://www.w3.org/QA/2009/07/hmac_truncation_in_xml_signatu.html
http://www.rsa.com/blog/blog_entry.aspx?id=1492
http://www.w3.org/TR/xmldsig-core/
http://www.w3.org/TR/xmldsig-core/#sec-HMAC
http://tools.ietf.org/html/rfc2104#section-5
http://www.oasis-open.org/specs/index.php#wss
http://www.w3.org/2000/xp/Group/
http://msdn.microsoft.com/en-us/library/ms996502.aspx
http://www.ibm.com/support/docview.wss?rs=180&uid=swg21384925
http://santuario.apache.org/download.html
http://www.mono-project.com/Vulnerabilities
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2009.html
http://www.aleksey.com/xmlsec/downloads.html
http://blogs.sun.com/security/entry/cert_vulnerability_note_vu_466161
http://rdist.root.org/2009/07/19/xmldsig-welcomes-all-signatures/

Credit

Thanks to Thomas Roessler of the W3C for reporting this vulnerability.

This document was written by Will Dormann.

Other Information

Date Public: 2009-07-14
Date First Published: 2009-07-14
Date Last Updated: 2009-08-05
CERT Advisory:
CVE-ID(s): CVE-2009-0217
NVD-ID(s): CVE-2009-0217
US-CERT Technical Alerts:
Metric: 8.16
Document Revision: 28
Author: "US-CERT (cert@cert.org)" Tags: "XML signature, XMLDsig, XML-DSig, XML-Si..."
Date: Friday, 31 Jul 2009 14:02

Vulnerability Note VU#853097

ntpd autokey stack buffer overflow

Overview

ntpd contains a stack buffer overflow, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system or create a denial of service.

I. Description

NTP (Network Time Protocol) is a method by which client machines can synchronize the local date and time with a reference server. ntpd, which is the NTP daemon, contains a stack buffer overflow when it is compiled with OpenSSL support. The vulnerability is caused by the use of sprintf() in the crypto_recv() function in ntpd/ntp_crypto.c. The vulnerable code is reachable if ntpd is configured to use autokey. This vulnerable configuration is indicated by a crypto pw password line in the ntp.conf file, where password is the password that has been configured.

II. Impact

A remote, unauthenticated attacker may be able to execute arbitrary code with the privileges of the ntpd daemon.

III. Solution

Apply an update

This issue is addressed in ntp 4.2.4p7 and 4.2.5p74.

Disable autokey

This vulnerability can be mitigated by removing the crypto pw password line from the ntp.conf file.
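An added audit helper in Python (not from the NTP project or this note) that checks the two conditions this note ties together: whether an ntp.conf has an effective crypto directive, and whether the running build is at or past the fixed patch level on its branch. The ntp.conf content is constructed, and the version check only knows the two branches named above; other branches are reported for manual review.

```python
import re

# First patch level on each branch that this note says contains the fix.
FIXED_PATCH_LEVEL = {(4, 2, 4): 7, (4, 2, 5): 74}

# Constructed sample ntp.conf with autokey turned on.
SAMPLE_CONF = """\
# constructed sample ntp.conf
driftfile /var/lib/ntp/ntp.drift
server time.example.net iburst
crypto pw constructed-password   # this line enables autokey
restrict default kod nomodify notrap nopeer noquery
"""


def autokey_directives(conf_text):
    """Return the effective 'crypto' lines of an ntp.conf (comments and blank lines ignored)."""
    found = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if line and line.split()[0] == "crypto":
            found.append(line)
    return found


def disable_autokey(conf_text):
    """The mitigation from this note: comment out every 'crypto' line so autokey is no longer configured."""
    out = []
    for raw in conf_text.splitlines():
        stripped = raw.split("#", 1)[0].strip()
        if stripped and stripped.split()[0] == "crypto":
            out.append("# " + raw + "  # disabled: VU#853097")
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


def has_fix(version_text):
    """True/False when the branch is one this note lists; None for a branch it does not mention."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", version_text)
    if not m:
        raise ValueError(f"no ntp version found in {version_text!r}")
    branch = tuple(int(x) for x in m.group(1, 2, 3))
    patch_level = int(m.group(4) or 0)
    if branch not in FIXED_PATCH_LEVEL:
        return None
    return patch_level >= FIXED_PATCH_LEVEL[branch]


def assess(conf_text, version_text):
    """Combine both checks: the overflow is reachable only when autokey is configured on an unfixed build."""
    autokey = bool(autokey_directives(conf_text))
    fixed = has_fix(version_text)
    return {
        "autokey_enabled": autokey,
        "has_fix": fixed,
        "exposed": autokey and fixed is False,
        "needs_manual_review": autokey and fixed is None,
    }
```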

Systems Affected

Vendor | Status | Date Notified | Date Updated
Apple Computer, Inc. | Unknown | 2009-05-06 | 2009-05-06
Conectiva Inc. | Unknown | 2009-05-06 | 2009-05-06
Cray Inc. | Not Vulnerable | 2009-05-06 | 2009-05-08
Debian GNU/Linux | Vulnerable | 2009-05-06 | 2009-05-11
DragonFly BSD Project | Not Vulnerable | 2009-05-06 | 2009-05-07
EMC Corporation | Unknown | 2009-05-06 | 2009-05-06
Engarde Secure Linux | Unknown | 2009-05-06 | 2009-05-06
F5 Networks, Inc. | Unknown | 2009-05-06 | 2009-05-06
Fedora Project | Unknown | 2009-05-06 | 2009-05-06
FreeBSD, Inc. | Vulnerable | 2009-05-06 | 2009-05-15
Fujitsu | Unknown | 2009-05-06 | 2009-05-06
Gentoo Linux | Vulnerable | 2009-05-07 | 2009-05-20
Hewlett-Packard Company | Unknown | 2009-05-06 | 2009-05-06
Hitachi | Unknown | 2009-05-06 | 2009-05-06
IBM Corporation | Unknown | 2009-05-06 | 2009-05-06
IBM Corporation (zseries) | Unknown | 2009-05-06 | 2009-05-06
IBM eServer | Unknown | 2009-05-06 | 2009-05-06
Ingrian Networks, Inc. | Unknown | 2009-05-06 | 2009-05-06
Juniper Networks, Inc. | Not Vulnerable | 2009-05-06 | 2009-05-15
Mandriva S. A. | Unknown | 2009-05-06 | 2009-05-06
Microsoft Corporation | Not Vulnerable | 2009-05-06 | 2009-05-07
MontaVista Software, Inc. | Unknown | 2009-05-06 | 2009-05-06
NEC Corporation | Unknown | 2009-05-06 | 2009-05-06
Nokia | Unknown | 2009-05-06 | 2009-05-06
Novell, Inc. | Unknown | 2009-05-06 | 2009-05-06
Openwall GNU/*/Linux | Unknown | 2009-05-06 | 2009-05-06
QNX, Software Systems, Inc. | Unknown | 2009-05-06 | 2009-05-06
Red Hat, Inc. | Vulnerable | 2009-05-06 | 2009-05-18
SafeNet | Not Vulnerable | 2009-05-12 | 2009-05-15
Silicon Graphics, Inc. | Unknown | 2009-05-06 | 2009-05-06
Slackware Linux Inc. | Unknown | 2009-05-06 | 2009-05-06
Sony Corporation | Unknown | 2009-05-06 | 2009-05-06
Sun Microsystems, Inc. | Unknown | 2009-05-06 | 2009-05-13
SUSE Linux | Vulnerable | 2009-05-06 | 2009-07-31
The SCO Group | Not Vulnerable | 2009-05-06 | 2009-05-12
Turbolinux | Unknown | 2009-05-06 | 2009-05-06
Ubuntu | Vulnerable | 2009-05-06 | 2009-05-20
Unisys | Unknown | 2009-05-06 | 2009-05-06
Wind River Systems, Inc. | Unknown | 2009-05-06 | 2009-05-06

References


http://www.ntp.org/downloads.html
https://rhn.redhat.com/errata/RHSA-2009-1039.html
http://www.ubuntu.com/usn/usn-777-1
http://bugs.gentoo.org/show_bug.cgi?id=268962
http://xorl.wordpress.com/2009/06/10/freebsd-sa-0911-ntpd-remote-stack-based-buffer-overflows/

Credit

This vulnerability was reported by Harlan Stenn of the NTP Forum at ISC (ntpforum.isc.org), who in turn credits Chris Ries of CMU.

This document was written by Will Dormann.

Other Information

Date Public: 2009-05-18
Date First Published: 2009-05-18
Date Last Updated: 2009-07-31
CERT Advisory:
CVE-ID(s): CVE-2009-1252
NVD-ID(s): CVE-2009-1252
US-CERT Technical Alerts:
Metric: 9.45
Document Revision: 31
Author: "US-CERT (cert@cert.org)" Tags: "ntpd, autokey, OpenSSL, sprintf, buffer ..."
Date: Thursday, 30 Jul 2009 12:28

Vulnerability Note VU#725188

ISC BIND 9 vulnerable to denial of service via dynamic update request

Overview

ISC BIND 9 contains a vulnerability that may allow a remote, unauthenticated attacker to create a denial-of-service condition.

I. Description

The Berkeley Internet Name Domain (BIND) is a popular Domain Name System (DNS) implementation from Internet Systems Consortium (ISC). It includes support for dynamic DNS updates as specified in IETF RFC 2136. BIND 9 can crash when processing a specially-crafted dynamic update packet.

ISC notes that this vulnerability affects all servers that are masters for one or more zones and is not limited to those that are configured to allow dynamic updates. ISC also indicates that the attack packet has to be constructed for a zone for which the target system is configured as a master; launching the attack against slave zones does not trigger the vulnerability.

II. Impact

By sending a specially-crafted dynamic update packet to a BIND 9 server, a remote, unauthenticated attacker can cause a denial of service by causing BIND to crash.

III. Solution

Apply an update

Users who obtain BIND from a third-party vendor, such as their operating system vendor, should see the systems affected portion of this document for a partial list of affected vendors.

This vulnerability is addressed in ISC BIND versions 9.4.3-P3, 9.5.1-P3, and 9.6.1-P1. Users of BIND from the original source distribution should upgrade to one of these versions, as appropriate.

See also https://www.isc.org/node/474.

Systems Affected

Vendor | Status | Date Notified | Date Updated
Alcatel-Lucent | Unknown | 2009-07-28 | 2009-07-28
Apple Inc. | Unknown | 2009-07-28 | 2009-07-28
BlueCat Networks, Inc. | Vulnerable | 2009-07-28 | 2009-07-29
Check Point Software Technologies | Unknown | 2009-07-28 | 2009-07-28
Conectiva Inc. | Unknown | 2009-07-28 | 2009-07-28
Cray Inc. | Unknown | 2009-07-28 | 2009-07-28
Debian GNU/Linux | Unknown | 2009-07-28 | 2009-07-28
DragonFly BSD Project | Unknown | 2009-07-28 | 2009-07-28
EMC Corporation | Unknown | 2009-07-28 | 2009-07-28
Engarde Secure Linux | Unknown | 2009-07-28 | 2009-07-28
Ericsson | Unknown | 2009-07-28 | 2009-07-28
F5 Networks, Inc. | Unknown | 2009-07-28 | 2009-07-28
Fedora Project | Unknown | 2009-07-28 | 2009-07-28
FreeBSD, Inc. | Vulnerable | 2009-07-28 | 2009-07-29
Fujitsu | Unknown | 2009-07-28 | 2009-07-28
Gentoo Linux | Unknown | 2009-07-28 | 2009-07-28
Gnu ADNS | Unknown | 2009-07-28 | 2009-07-28
GNU glibc | Unknown | 2009-07-28 | 2009-07-28
Hewlett-Packard Company | Unknown | 2009-07-28 | 2009-07-28
Hitachi | Unknown | 2009-07-28 | 2009-07-28
IBM Corporation | Unknown | 2009-07-28 | 2009-07-28
IBM eServer | Unknown | 2009-07-28 | 2009-07-28
Infoblox | Vulnerable | 2009-07-28 | 2009-07-29
Internet Systems Consortium | Vulnerable | 2009-07-28 | 2009-07-28
Juniper Networks, Inc. | Unknown | 2009-07-28 | 2009-07-28
Mandriva S. A. | Unknown | 2009-07-28 | 2009-07-28
McAfee | Unknown | 2009-07-28 | 2009-07-28
Men & Mice | Unknown | 2009-07-28 | 2009-07-28
Metasolv Software, Inc. | Unknown | 2009-07-28 | 2009-07-28
MontaVista Software, Inc. | Unknown | 2009-07-28 | 2009-07-28
NEC Corporation | Unknown | 2009-07-28 | 2009-07-28
NetBSD | Unknown | 2009-07-28 | 2009-07-28
Nixu | Vulnerable | 2009-07-28 | 2009-07-29
Nokia | Unknown | 2009-07-28 | 2009-07-28
Nominum | Not Vulnerable | 2009-07-28 | 2009-07-29
Nortel Networks, Inc. | Unknown | 2009-07-28 | 2009-07-28
Novell, Inc. | Unknown | 2009-07-28 | 2009-07-28
OpenBSD | Vulnerable | 2009-07-28 | 2009-07-29
Openwall GNU/*/Linux | Unknown | 2009-07-28 | 2009-07-28
QNX, Software Systems, Inc. | Unknown | 2009-07-28 | 2009-07-28
Red Hat, Inc. | Unknown | 2009-07-28 | 2009-07-28
SafeNet | Unknown | 2009-07-28 | 2009-07-28
Shadowsupport | Unknown | 2009-07-28 | 2009-07-28
Silicon Graphics, Inc. | Unknown | 2009-07-28 | 2009-07-28
Slackware Linux Inc. | Unknown | 2009-07-28 | 2009-07-28
Sony Corporation | Unknown | 2009-07-28 | 2009-07-28
Sun Microsystems, Inc. | Unknown | 2009-07-28 | 2009-07-28
SUSE Linux | Unknown | 2009-07-28 | 2009-07-28
The SCO Group | Unknown | 2009-07-28 | 2009-07-28
Turbolinux | Unknown | 2009-07-28 | 2009-07-28
Ubuntu | Vulnerable | 2009-07-28 | 2009-07-29
Unisys | Unknown | 2009-07-28 | 2009-07-28
Wind River Systems, Inc. | Unknown | 2009-07-28 | 2009-07-28

References


https://www.isc.org/node/474
http://tools.ietf.org/html/rfc2136
http://oldwww.isc.org/sw/bind/view?release=9.4.3-P3&noframes=1
http://oldwww.isc.org/sw/bind/view?release=9.5.1-P3&noframes=1
http://oldwww.isc.org/sw/bind/view?release=9.6.1-P1&noframes=1
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=538975

Credit

Thanks to ISC for reporting this vulnerability.

This document was written by Will Dormann and Chad Dougherty.

Other Information

Date Public: 2009-07-28
Date First Published: 2009-07-28
Date Last Updated: 2009-07-30
CERT Advisory:
CVE-ID(s): CVE-2009-0696
NVD-ID(s): CVE-2009-0696
US-CERT Technical Alerts:
Metric: 26.32
Document Revision: 32
Author: "US-CERT (cert@cert.org)" Tags: "BIND 9"
Date: Friday, 17 Jul 2009 12:09

Vulnerability Note VU#443060

Mozilla Firefox 3.5 TraceMonkey JavaScript engine uninitialized memory vulnerability

Overview

Mozilla Firefox's JavaScript engine contains a vulnerability that may allow an attacker to execute code.

I. Description

Mozilla Firefox version 3.5 contains a vulnerability in the TraceMonkey component of Firefox's JavaScript engine.

Per Mozilla Bug 503286:
"This is a JS engine bug dealing with deep bailing not properly restoring the return value from the result of the (fast native) escape function. We then try to do something with the uninitialized memory and crash in the interpreter."

Note that proof-of-concept code that demonstrates this issue is publicly available.

II. Impact

A remote, unauthenticated attacker may be able to execute arbitrary code or cause Firefox to crash.

III. Solution

Firefox 3.5.1 has been released to address this issue. See Mozilla Foundation Security Advisory 2009-41 for more information. Until updates can be applied, the workarounds below may mitigate this issue.

Disable TraceMonkey

To disable the vulnerable components, use the about:config interface to set javascript.options.jit.content and javascript.options.jit.chrome to false. This will still allow JavaScript to run, but it will disable the TraceMonkey performance enhancements.
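An added Python helper, not from Mozilla or this note, that audits a prefs.js (or user.js) for the two preferences above and emits the user.js lines still needed to force them to false. The prefs.js content is constructed; a preference that is absent from the file is reported as left at the browser default rather than assumed to be on or off.

```python
import re

# The two about:config settings this note says disable TraceMonkey while leaving JavaScript on.
JIT_PREFS = ("javascript.options.jit.content", "javascript.options.jit.chrome")
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(true|false|-?\d+|"[^"]*")\);')

# Constructed sample prefs.js: only the content JIT has been switched off so far.
SAMPLE_PREFS_JS = """\
// constructed sample prefs.js
user_pref("javascript.options.jit.content", false);
user_pref("browser.startup.homepage", "about:blank");
"""


def parse_prefs(text):
    """Parse user_pref(...) lines into a dict; booleans, integers and strings are converted."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments and anything that is not a user_pref line
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw)
    return prefs


def tracemonkey_status(text):
    """Per-pref view: 'disabled' only when explicitly false; an absent pref keeps the browser default."""
    prefs = parse_prefs(text)
    status = {}
    for name in JIT_PREFS:
        if name not in prefs:
            status[name] = "default"
        else:
            status[name] = "disabled" if prefs[name] is False else "enabled"
    return status


def workaround_applied(text):
    """True only when both JIT prefs are explicitly false, as the workaround requires."""
    return all(v == "disabled" for v in tracemonkey_status(text).values())


def user_js_workaround(text):
    """Emit the user.js lines that still need adding to force both prefs to false."""
    status = tracemonkey_status(text)
    return "".join(f'user_pref("{name}", false);\n' for name in JIT_PREFS if status[name] != "disabled")
```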

Use NoScript

Using the Mozilla Firefox NoScript extension to whitelist web sites that can run scripts will help to mitigate this vulnerability. Further details for configuring NoScript are available in the Securing Your Web Browser document.

Disable JavaScript

For instructions on how to disable JavaScript in Firefox, please refer to the Firefox section of the Securing Your Web Browser document.

Systems Affected

Vendor | Status | Date Notified | Date Updated
Mozilla | Vulnerable | | 2009-07-14

References


http://www.mozilla.org/security/announce/2009/mfsa2009-41.html
http://blog.mozilla.com/security/2009/07/14/critical-javascript-vulnerability-in-firefox-35/
https://bugzilla.mozilla.org/show_bug.cgi?id=503286
http://milw0rm.com/exploits/9137
http://kb.mozillazine.org/Firefox_:_FAQs_:_About:config_Entries
http://voices.washingtonpost.com/securityfix/2009/07/stopgap_fix_for_critical_firef.html?wprss=securityfix

Credit

Information from zbyte, Mozilla, and other sources was used in this report.

This document was written by Ryan Giobbi.

Other Information

Date Public: 2009-07-09
Date First Published: 2009-07-14
Date Last Updated: 2009-07-17
CERT Advisory:
CVE-ID(s):
NVD-ID(s):
US-CERT Technical Alerts:
Metric: 40.50
Document Revision: 21
Author: "US-CERT (cert@cert.org)" Tags: "mozilla, firefox, artbitrary code"