VULNERABILITIES \ FIXES - November 4, 2008

Nov 3, 2008 11:57PM PST

HP-UX Xserver Multiple Vulnerabilities

Release Date: 2008-11-04

Critical:
Moderately critical
Impact: Privilege escalation
DoS
System access

Where: From local network
Solution Status: Vendor Patch


OS: HP-UX 11.x

Description:
HP has acknowledged some vulnerabilities in HP-UX, which can be exploited by malicious, local users to disclose potentially sensitive information or gain escalated privileges, and by malicious people to compromise a vulnerable system.

Solution:
Apply patches.

Original Advisory:
HPSBUX02381 SSRT080083:
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01543321

Other References:
SA28532:
http://secunia.com/advisories/28532/

SA30627:
http://secunia.com/advisories/30627/

HP System Management Homepage Unspecified Privilege Escalati
Nov 3, 2008 11:58PM PST

Release Date: 2008-11-04

Critical:
Less critical
Impact: Privilege escalation

Where: Local system
Solution Status: Vendor Patch


Software: HP System Management Homepage 2.x



Description:
A vulnerability has been reported in HP System Management Homepage (SMH), which can be exploited by malicious, local users to perform certain actions with escalated privileges.

The vulnerability is caused due to an unspecified error, which can be exploited to e.g. create a local unauthorized access.

The vulnerability is reported in HP SMH version 2.2.6 and earlier running on HP-UX B.11.11 and B.11.23, and HP SMH version 2.2.6, 2.2.8, and earlier running on HP-UX B.11.23 and B.11.31.

Solution:
Apply updates.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
HPSBMA02380 SSRT080121:
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01586921

Red Hat update for net-snmp
Nov 3, 2008 11:59PM PST

Release Date: 2008-11-04

Critical:
Less critical
Impact: DoS

Where: From local network
Solution Status: Vendor Patch


OS: Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)
Red Hat Enterprise Linux Desktop Workstation (v. 5 client)
RedHat Enterprise Linux AS 3
RedHat Enterprise Linux AS 4
RedHat Enterprise Linux ES 3
RedHat Enterprise Linux ES 4
RedHat Enterprise Linux WS 3
RedHat Enterprise Linux WS 4

Description:
Red Hat has issued an update for net-snmp. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Solution:
Updated packages are available via Red Hat Network.
http://rhn.redhat.com

Original Advisory:
RHSA-2008-0971:
https://rhn.redhat.com/errata/RHSA-2008-0971.html

Other References:
SA32560:
http://secunia.com/advisories/32560/

Gentoo update for opera
Nov 4, 2008 12:01AM PST

Release Date: 2008-11-04

Critical:
Highly critical
Impact: Security Bypass
Cross Site Scripting
Spoofing
Exposure of system information
Exposure of sensitive information
DoS
System access

Where: From remote
Solution Status: Vendor Patch


OS: Gentoo Linux 1.x

Description:
Gentoo has issued an update for opera. This fixes some vulnerabilities, which can be exploited by malicious people to disclose system and potentially sensitive information, conduct spoofing and cross-site scripting attacks, bypass certain security restrictions, and potentially compromise a user's system.

Solution:
Update to "www-client/opera-9.62" or later.

Original Advisory:
GLSA-200811-01:
http://www.gentoo.org/security/en/glsa/glsa-200811-01.xml

Other References:
SA31549:
http://secunia.com/advisories/31549/

SA32177:
http://secunia.com/advisories/32177/

SA32299:
http://secunia.com/advisories/32299/

SA32452:
http://secunia.com/advisories/32452/

Ubuntu update for enscript
Nov 4, 2008 12:08AM PST

Release Date: 2008-11-04

Critical:
Moderately critical
Impact: System access

Where: From remote
Solution Status: Vendor Patch


OS: Ubuntu Linux 6.06
Ubuntu Linux 7.10
Ubuntu Linux 8.04
Ubuntu Linux 8.10

Description:
Ubuntu has issued an update for enscript. This fixes some vulnerabilities, which can be exploited by malicious people to compromise a vulnerable system.

Solution:
Apply updated packages.

Original Advisory:
USN-660-1:
https://lists.ubuntu.com/archives/ubu...ty-announce/2008-November/000769.html

Other References:
SA32137:
http://secunia.com/advisories/32137/

Acc Scripts Products "username_cookie" Cookie Security Bypas
Nov 4, 2008 12:09AM PST

Release Date: 2008-11-04

Critical:
Moderately critical
Impact: Security Bypass

Where: From remote
Solution Status: Unpatched


Software: Acc Autos 4.x
Acc Real Estate 4.x
Acc Statistics 1.x

Description:
Hakxer has reported a vulnerability in multiple Acc Scripts products, which can be exploited by malicious people to bypass certain security restrictions.

The vulnerability is caused due to the applications allowing access to the admin interface by checking if a certain cookie exists. This can be exploited to gain administrative access to the application by creating the cookie "username_cookie" and assigning it the value "admin".

This vulnerability is reported in Acc Real Estate and Autos version 4.0 and Acc Statistics version 1.1. Other versions may also be affected.

Solution:
Ensure that proper access restrictions are implemented.

Provided and/or discovered by:
Hakxer

Original Advisory:
http://milw0rm.com/exploits/6964
http://milw0rm.com/exploits/6965
http://milw0rm.com/exploits/6968

Chilkat Crypt ActiveX Component "WriteFile()" Insecure Metho
Nov 4, 2008 12:10AM PST

Release Date: 2008-11-04



Critical:
Highly critical
Impact: System access

Where: From remote
Solution Status: Unpatched


Software: Chilkat Crypt ActiveX Component 4.x

Description:
shinnai has discovered a vulnerability in Chilkat Crypt ActiveX Component, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to the ChilkatCrypt2.ChilkatCrypt2.1 (ChilkatCrypt2.dll) ActiveX control including the insecure "WriteFile()" method. This can be exploited to write arbitrary data to arbitrary files in the context of the currently logged-on user.

Successful exploitation allows execution of arbitrary code.

The vulnerability is confirmed in ChilkatCrypt2.dll version 4.3.2.1. Other versions may also be affected.

Solution:
Set the kill-bit for the affected ActiveX control.

Provided and/or discovered by:
shinnai

Original Advisory:
http://milw0rm.com/exploits/6963

Linux Kernel "hfsplus_find_cat()" and "hfsplus_block_alloca
Nov 4, 2008 12:11AM PST

Release Date: 2008-11-04

Critical:
Not critical
Impact: DoS

Where: Local system
Solution Status: Vendor Workaround


OS: Linux Kernel 2.6.x


Description:
Some vulnerabilities have been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

1) A vulnerability is caused due to the "hfsplus_find_cat()" function in fs/hfsplus/catalog.c not properly checking the catalog name length. This can be exploited to crash a system by e.g. mounting a specially crafted hfsplus file system.

2) A vulnerability is caused due to the "hfsplus_block_allocate()" function in fs/hfsplus/bitmap.c not properly checking the return values of "read_mapping_page()" function before using them. This can be exploited to crash a system by e.g. mounting a specially crafted hfsplus file system.

Solution:
Fixed in version 2.6.28-rc1.

Provided and/or discovered by:
Eris Sesterhenn

Original Advisory:
http://kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.28-rc1

Acc PHP eMail "NEWSLETTERLOGIN" Cookie Security Bypass Vulne
Nov 4, 2008 12:12AM PST

Release Date: 2008-11-04

Critical:
Moderately critical
Impact: Security Bypass

Where: From remote
Solution Status: Unpatched


Software: Acc PHP eMail 1.x



Description:
Hakxer has reported a vulnerability in Acc PHP eMail, which can be exploited by malicious people to bypass certain security restrictions.

The vulnerability is caused due to the application allowing access to the admin interface by checking if a certain cookie exists. This can be exploited to gain access to the administrative interface by creating the cookie "NEWSLETTERLOGIN" and assigning it the value "admin".

This vulnerability is reported in version 1.1. Other versions may also be affected.

Solution:
Ensure that proper access restrictions are implemented.

Provided and/or discovered by:
Hakxer

Original Advisory:
http://milw0rm.com/exploits/6966
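
Added example, not part of the original post and not code from the Acc Scripts products: the cookie-presence check described in the "username_cookie" and "NEWSLETTERLOGIN" advisories above, next to a check that reads the role from server-side session state. Function names, the user table and the sample password are hypothetical and constructed for the demo.

```php
<?php
// Weak pattern, reconstructed from the advisory text: the admin area is
// opened whenever the named cookie exists. Cookies are supplied by the
// client, so this proves nothing about who sent the request.
function is_admin_weak(array $cookies, string $cookieName): bool
{
    return isset($cookies[$cookieName]);
}

// Hardened pattern: the role is written to server-side session data only
// after the password has been verified, and is never read from the request.
function login(array &$session, string $user, string $password, array $userDb): bool
{
    if (!isset($userDb[$user]) || !password_verify($password, $userDb[$user]['hash'])) {
        return false;
    }
    // In a real handler, also call session_regenerate_id(true) at this point
    // so a pre-login session identifier cannot be reused.
    $session['user'] = $user;
    $session['role'] = $userDb[$user]['role'];
    return true;
}

function is_admin(array $session): bool
{
    return ($session['role'] ?? null) === 'admin';
}

// Constructed demo data (hypothetical account and password).
$userDb = [
    'admin' => ['hash' => password_hash('correct horse', PASSWORD_DEFAULT), 'role' => 'admin'],
];

// A request that only carries the cookies named in the two advisories.
$cookies = ['username_cookie' => 'admin', 'NEWSLETTERLOGIN' => 'admin'];
$session = []; // stands in for $_SESSION of a visitor who has not logged in

foreach (['username_cookie', 'NEWSLETTERLOGIN'] as $name) {
    echo "weak check on $name: ", var_export(is_admin_weak($cookies, $name), true), "\n";
}
echo 'session check before login: ', var_export(is_admin($session), true), "\n";
echo 'login with wrong password: ', var_export(login($session, 'admin', 'guess', $userDb), true), "\n";
echo 'session check after failed login: ', var_export(is_admin($session), true), "\n";
echo 'login with right password: ', var_export(login($session, 'admin', 'correct horse', $userDb), true), "\n";
echo 'session check after login: ', var_export(is_admin($session), true), "\n";
```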

Red Hat update for kernel
Nov 4, 2008 12:13AM PST

Release Date: 2008-11-04

Critical:
Less critical
Impact: DoS
Privilege escalation
Exposure of sensitive information

Where: Local system
Solution Status: Vendor Patch


OS: Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)

Description:
Red Hat has issued an update for the kernel. This fixes some vulnerabilities, which can be exploited by malicious, local users to cause a DoS (Denial of Service), to disclose potentially sensitive information, or to potentially gain escalated privileges.

Solution:
Updated packages are available via Red Hat Network.
http://rhn.redhat.com

Original Advisory:
https://rhn.redhat.com/errata/RHSA-2008-0957.html

Other References:
SA23073:
http://secunia.com/advisories/23073/

SA23361:
http://secunia.com/advisories/23361/

SA25895:
http://secunia.com/advisories/25895/

SA26389:
http://secunia.com/advisories/26389/

SA31509:
http://secunia.com/advisories/31509/

TBmnetCMS "content" Local File Inclusion Vulnerability
Nov 4, 2008 12:14AM PST

Release Date: 2008-11-04

Critical:
Moderately critical
Impact: Exposure of system information
Exposure of sensitive information

Where: From remote
Solution Status: Unpatched


Software: TBmnetCMS 1.x

Description:
d3v1l has discovered a vulnerability in TBmnetCMS, which can be exploited by malicious people to disclose sensitive information.

Input passed to the "content" parameter in index.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local resources via directory traversal attacks.

Successful exploitation requires that "magic_quotes_gpc" is disabled.

This vulnerability is confirmed in version 1.0. Other versions may also be affected.

Solution:
Edit the source to ensure that input is properly verified.

Provided and/or discovered by:
d3v1l

Original Advisory:
http://milw0rm.com/exploits/6973
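
Added example, not part of the original post and not TBmnetCMS code: one way to "ensure that input is properly verified" before a "content" style parameter reaches include. The resolver name, page names and directory layout are hypothetical; the demo builds its own throwaway directory.

```php
<?php
// Resolve a requested page name to a file without letting the request
// choose the path. Returns the canonical path, or null when rejected.
function resolve_content(string $requested, string $baseDir, array $allowedPages): ?string
{
    // 1. Accept only a short page name: no slashes, dots or NUL bytes.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $requested)) {
        return null;
    }
    // 2. The name must be one the application actually ships.
    if (!in_array($requested, $allowedPages, true)) {
        return null;
    }
    // 3. Defence in depth: the canonical path must stay inside the base directory.
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($base === false || $path === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($path, $prefix, strlen($prefix)) === 0 ? $path : null;
}

// Constructed demo: a temporary pages directory and a few request values,
// including a traversal string and a NUL-terminated name.
$baseDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_' . bin2hex(random_bytes(4));
mkdir($baseDir);
file_put_contents($baseDir . DIRECTORY_SEPARATOR . 'news.php', '<?php echo "news";');

$requests = ['news', '../../../../etc/passwd', "news\0.txt", 'admin', ''];
foreach ($requests as $value) {
    $resolved = resolve_content($value, $baseDir, ['news', 'about']);
    printf(
        "%-30s => %s\n",
        json_encode($value),
        $resolved === null ? 'rejected' : 'include ' . basename($resolved)
    );
}

// Clean up the demo directory.
unlink($baseDir . DIRECTORY_SEPARATOR . 'news.php');
rmdir($baseDir);
```

Because the decision is made against an allowlist and a canonical path, it does not depend on "magic_quotes_gpc" or any other input-escaping setting.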

cPanel Fantastico De Luxe Multiple Cross-Site Scripting Vuln
Nov 4, 2008 12:15AM PST

Release Date: 2008-11-04

Critical:
Less critical
Impact: Cross Site Scripting

Where: From remote
Solution Status: Unpatched


Software: Fantastico De Luxe 2.x (module for cPanel)



Description:
Khashayar Fereidani has reported some vulnerabilities in the Fantastico De Luxe module for cPanel, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed to the "$localapp", "$updatedir", "$scriptpath_show", "$domain_show", "$thispage", "$thisapp", and "$currentversion" parameters is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Solution:
Edit the source code to ensure that input is properly sanitised.

Do not follow untrusted links or browse untrusted web sites when being logged-in to the application.

Provided and/or discovered by:
Khashayar Fereidani

Original Advisory:
http://milw0rm.com/exploits/6897

Adobe Acrobat/Reader "util.printf()" Buffer Overflow
Nov 4, 2008 12:17AM PST

Release Date: 2008-11-04

Critical:
Highly critical
Impact: System access

Where: From remote
Solution Status: Unpatched


Software: Adobe Acrobat 8.x
Adobe Reader 8.x

Description:
Secunia Research has discovered a vulnerability in Adobe Reader/Acrobat, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to a boundary error when parsing format strings containing a floating point specifier in the "util.printf()" Javascript function and can be exploited to cause a stack-based buffer overflow via a specially crafted PDF.

Successful exploitation may allow execution of arbitrary code, but requires that the user is e.g. tricked into opening a malicious PDF file.

The vulnerability is confirmed in Adobe Reader version 8.1.2. Other versions may also be affected.

Solution:
The vendor will be releasing fixes later today.

NOTE: This was supposed to be a coordinated disclosure with Adobe, but a third party has leaked the information.

Provided and/or discovered by:
Dyon Balding, Secunia Research.

Original Advisory:
Secunia Research:
http://secunia.com/secunia_research/2008-14/

Adobe patches Reader flaw
Nov 4, 2008 1:06AM PST

PDF flaw affects older, infirm package

By John Leyden

4th November 2008

Security watchers are warning of a critical flaw affecting older versions of Adobe Reader.

Hackers might be able to exploit the bug using specially crafted pdf files with JavaScript content, Core Security warns. Ivan Arce, CTO at Core Security, said the security bug was discovered while investigating a previously disclosed problem in Foxit, an alternative pdf viewer package.

More: http://www.theregister.co.uk/2008/11/04/adobe_reader_flaw/

Adobe8
Nov 4, 2008 8:31AM PST

Published: 2008-11-04,
Last Updated: 2008-11-04 23:03:44 UTC
by donald smith (Version: 1)

Adobe released a security update for Adobe Reader 8 and Acrobat 8 that covers 8 different CVEs today.
http://www.adobe.com/support/security/bulletins/apsb08-19.html
This update covers these CVEs: CVE-2008-2992, CVE-2008-2549, CVE-2008-4812, CVE-2008-4813, CVE-2008-4817, CVE-2008-4816, CVE-2008-4814, CVE-2008-4815.

It affects Adobe Reader 8.1.2 and earlier and Acrobat Pro, 3d and Std 8.1.2 and earlier.
Adobe recommends you upgrade to Reader 9 or 8.1.3 or upgrade to Acrobat 8.1.3 depending on which product(s) you use.
This set of vulnerabilities can lead to Internet Security options being changed, privilege escalation, DOS or in the worst cases remote code execution.

http://isc.sans.org/

Sprint Nextel - Cogent Communications Depeering Issue
Nov 4, 2008 12:38AM PST

On October 30, 2008, Sprint Nextel severed its peering relationship with Cogent Communications due to a contractual dispute. A temporary repeering between the two providers occurred on November 2, 2008. Please note that this repeering is only temporary and outstanding issues between Sprint Nextel and Cogent Communications still need to be addressed.

As best practice, Internet Service Provider (ISP) diversity is recommended as stated in the NIST Special Publication 800-053A "Guide for Assessing the Security Controls in Federal Information Systems" Section CP-8. Organizations should ensure that critical mission/business functions are available through alternate telecommunications services if their primary service provider is unavailable.

More: http://www.us-cert.gov/current/current_activity.html#sprint_nextel_cogent_communications_depeering

Microsoft study: fewer vulnerabilities, but more are critica
Nov 4, 2008 12:52AM PST

Microsoft study: fewer vulnerabilities, but more are critical and more easily exploited

4 November 2008

The infection rate of Windows Vista (with SP1) is, at 4 per cent, just half that of Windows XP (with SP3), at 8 per cent. This is one of the results from Microsoft's six-monthly Security Intelligence Report. The report analyses the statistics provided by the Malicious Software Removal Tool (MSRT), which checks computers for infection. An updated version of MSRT is sent out each patch day. Microsoft also includes data from the vulnerability report produced by the National Institute of Standards (NIST).

More: http://www.heise-online.co.uk/security/Microsoft-study-fewer-vulnerabilities-but-more-are-critical-and-more-easily-exploited--/news/111867

Security update for tmail mail delivery agent
Nov 4, 2008 12:53AM PST

4 November 2008

The local mail delivery agent tmail is vulnerable to a buffer overflow which allows logged-in users to execute code at an elevated privilege level. In certain circumstances, tmail is installed with a set SUID bit, making it run in the root context. Code which has been injected and executed via the buffer overflow will then also run at this privilege level. According to an advisory, the overflow can be triggered by entering an overlong directory name when starting tmail.

More: http://www.heise-online.co.uk/security/Security-update-for-tmail-mail-delivery-agent--/news/111869

Windows RPC exploit spawns bots and worms
Nov 4, 2008 1:08AM PST

An evil spell

By John Leyden

4th November 2008

Miscreants are taking advantage of slowness in patching systems with an emergency Windows security fix issued late last month to spread malware.

Exploit toolkits for the MS08-067 are dropping bots that turn compromised machines into drones in a DDoS attack network, among other attacks. The attack code, thought to originate in China, takes advantage of a flaw in Windows RPC code to weave its evil spell.

Microsoft patched the vulnerability with an out-of-sequence patch on 23 October. Trojans exploiting the flaw were spotted the day afterwards. Analysis of these strains suggested they may have been in circulation before Microsoft issued its patch.

More: http://www.theregister.co.uk/2008/11/04/win_rpc_exploit/

Apache Struts Security Bypass and Directory Traversal
Nov 4, 2008 3:32AM PST

Release Date: 2008-11-04

Critical:
Moderately critical
Impact: Security Bypass
Exposure of system information
Exposure of sensitive information
Where: From remote
Solution Status: Vendor Patch

Software: Apache Struts 2.x

Description:
Some vulnerabilities have been reported in Apache Struts, which can be exploited by malicious people to bypass certain security restrictions or to disclose sensitive information.

Solution:
Update to version 2.0.12.

Provided and/or discovered by:
1) Reported in an XWork bug by Meder Kydyraliev, Google Security Team.
2) The vendor credits Csaba Barta and L

trouble downloading AVG Anti-Virus Free Edition 8.0.173
Nov 4, 2008 4:29AM PST

Every time I try to download the software I get thrown off line. I have tried it at home on dial up. I tried it 11 3 08 at work on T-1 high speed broadband as well. Something has gotten hold of my computer.

Please explain.
Nov 4, 2008 4:38AM PST

How does anything compromising your computer (if that's true) affect a download at work?
There's something not being told here.

Kees

Adobe Releases Security Bulletin
Nov 4, 2008 5:29AM PST

added November 4, 2008 at 02:03 pm

Adobe has released a Security Bulletin to address multiple vulnerabilities in Adobe Reader 8 and Acrobat 8. These vulnerabilities may allow an attacker to execute arbitrary code or cause a denial-of-service condition.

US-CERT encourages users and administrators to review Adobe Security Bulletin APSB08-19 and apply the solution provided in that document to help mitigate the risks.

Additional information and workarounds regarding these vulnerabilities can be found in the Vulnerability Notes Database.


http://www.us-cert.gov/current/current_activity.html#adobe_releases_security_bulletin1