VULNERABILITIES \ FIXES - October 22, 2008

Oct 22, 2008 2:09AM PDT

Red Hat update for ruby

Release Date: 2008-10-22

Critical:
Moderately critical
Impact: Security Bypass
DoS

Where: From remote
Solution Status: Vendor Patch


OS: RedHat Enterprise Linux AS 2.1
RedHat Enterprise Linux ES 2.1
RedHat Enterprise Linux WS 2.1


Description:
Red Hat has issued an update for ruby. This fixes some vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions or cause a DoS (Denial of Service).

Solution:
Updated packages are available via Red Hat Network.
http://rhn.redhat.com

Original Advisory:
RHSA-2008-0895:
http://rhn.redhat.com/errata/RHSA-2008-0895.html

Other References:
SA31430:
http://secunia.com/advisories/31430/

Red Hat update for ruby
Oct 22, 2008 2:10AM PDT

Release Date: 2008-10-22

Critical:
Moderately critical
Impact: Security Bypass
Spoofing
DoS

Where: From remote
Solution Status: Vendor Patch


OS: Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)
Red Hat Enterprise Linux Desktop Workstation (v. 5 client)
RedHat Enterprise Linux AS 4
RedHat Enterprise Linux ES 4
RedHat Enterprise Linux WS 4

Description:
Red Hat has issued an update for ruby. This fixes some vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions, cause a DoS (Denial of Service), and conduct spoofing attacks.

Solution:
Updated packages are available via Red Hat Network.
http://rhn.redhat.com

Original Advisory:
RHSA-2008-0897:
https://rhn.redhat.com/errata/RHSA-2008-0897.html

Other References:
SA31430:
http://secunia.com/advisories/31430/

SA31602:
http://secunia.com/advisories/31602/

SUSE update for kernel
Oct 22, 2008 2:12AM PDT

Release Date: 2008-10-22

Critical:
Moderately critical
Impact: Exposure of sensitive information
Privilege escalation
DoS

Where: From local network
Solution Status: Vendor Patch


OS: openSUSE 10.3

Description:
SUSE has issued an update for the kernel. This fixes some vulnerabilities, which can be exploited by malicious, local users to cause a DoS (Denial of Service), disclose potentially sensitive information, and gain escalated privileges, and by malicious people to cause a DoS.

Solution:
Apply updated packages.

Original Advisory:
SUSE-SA:2008:052:
http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00008.html

Other References:
SA30580:
http://secunia.com/advisories/30580/

SA31048:
http://secunia.com/advisories/31048/

SA31366:
http://secunia.com/advisories/31366/

SA31509:
http://secunia.com/advisories/31509/

IBM DB2 Multiple Vulnerabilities
Oct 22, 2008 2:13AM PDT

Release Date: 2008-10-22

Critical:
Moderately critical
Impact: Unknown
Exposure of sensitive information
DoS

Where: From remote
Solution Status: Vendor Patch


Software: IBM DB2 9.x

Description:
Some vulnerabilities have been reported in IBM DB2, where some have an unknown impact and others can be exploited by malicious people to cause a DoS (Denial of Service) and disclose potentially sensitive information.

Solution:
Apply Fixpack 6.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://www-01.ibm.com/support/docview.wss?uid=swg27013892
ftp://ftp.software.ibm.com/ps/product...lish-us/aparlist/db2_v91/APARLIST.TXT

Fedora update for php-Smarty
Oct 22, 2008 2:16AM PDT

Release Date: 2008-10-22

Critical:
Less critical
Impact: Security Bypass

Where: From remote
Solution Status: Vendor Patch


OS: Fedora 8
Fedora 9

Description:
Fedora has issued an update for php-smarty. This fixes a vulnerability, which can be exploited by malicious people to bypass certain security restrictions.

Solution:
Apply updated packages via the yum utility ("yum update php-Smarty").

Original Advisory:
FEDORA-2008-8945:
https://www.redhat.com/archives/fedor...e-announce/2008-October/msg00522.html

FEDORA-2008-8956:
https://www.redhat.com/archives/fedor...e-announce/2008-October/msg00633.html

Other References:
SA32329:
http://secunia.com/advisories/32329/

Ubuntu update for amarok
Oct 22, 2008 2:18AM PDT

Release Date: 2008-10-22

Critical:
Less critical
Impact: Privilege escalation

Where: Local system
Solution Status: Vendor Patch


OS: Ubuntu Linux 7.10
Ubuntu Linux 8.04

Description:
Ubuntu has issued an update for amarok. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions with escalated privileges.

Solution:
Apply updated packages.

Original Advisory:
USN-657-1:
http://www.ubuntu.com/usn/usn-657-1

Other References:
SA31418:
http://secunia.com/advisories/31418/

Red Hat update for ruby
Oct 22, 2008 2:19AM PDT

Release Date: 2008-10-22

Critical:
Moderately critical
Impact: Security Bypass
Spoofing
DoS

Where: From remote
Solution Status: Vendor Patch


OS: RedHat Enterprise Linux AS 3
RedHat Enterprise Linux ES 3
RedHat Enterprise Linux WS 3

Description:
Red Hat has issued an update for ruby. This fixes some vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions, cause a DoS (Denial of Service), and conduct spoofing attacks.

Solution:
Updated packages are available via Red Hat Network.
http://rhn.redhat.com

Original Advisory:
RHSA-2008-0896:
http://rhn.redhat.com/errata/RHSA-2008-0896.html

Other References:
SA31430:
http://secunia.com/advisories/31430/

FlashChat "s" Security Bypass
Oct 22, 2008 2:20AM PDT

Release Date: 2008-10-22

Critical:
Less critical
Impact: Security Bypass

Where: From remote
Solution Status: Unpatched


Software: FlashChat 5.x

Description:
eLiSiA has discovered a vulnerability in FlashChat, which can be exploited by malicious users to bypass certain security restrictions.

The application allows access to administrative functionality by checking if a certain parameter is set. This can be exploited to perform administrative operations by setting the parameter "s" to the value "7".

This vulnerability is confirmed in version 5.0.8. Other versions may also be affected.

Solution:
Ensure that proper access restrictions are implemented.

Provided and/or discovered by:
eLiSiA

Original Advisory:
http://packetstorm.linuxsecurity.com/0810-exploits/flashchat-bypass.txt

Red Hat update for ed
Oct 22, 2008 2:22AM PDT

Release Date: 2008-10-22

Critical:
Not critical
Impact: System access

Where: From remote
Solution Status: Vendor Patch


OS: Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)
Red Hat Enterprise Linux Desktop Workstation (v. 5 client)
RedHat Enterprise Linux AS 2.1
RedHat Enterprise Linux AS 3
RedHat Enterprise Linux AS 4
RedHat Enterprise Linux ES 2.1
RedHat Enterprise Linux ES 3
RedHat Enterprise Linux ES 4
RedHat Enterprise Linux WS 2.1
RedHat Enterprise Linux WS 3
RedHat Enterprise Linux WS 4

Description:
Red Hat has issued an update for ed. This fixes a security issue, which can be exploited by malicious people to compromise a vulnerable system.

The security issue is caused due to an error within the "strip_escapes()" function in signal.c when processing overly long filenames. This can be exploited to cause a heap-based buffer overflow by passing a specially crafted filename to the application.

Solution:
Updated packages are available via Red Hat Network.
http://rhn.redhat.com

Provided and/or discovered by:
Alfredo Ortega, Core Security Technologies

Original Advisory:
RHSA-2008-0946:
https://rhn.redhat.com/errata/RHSA-2008-0946.html

LightBlog Two Local File Inclusion Vulnerabilities
Oct 22, 2008 2:23AM PDT

Release Date: 2008-10-22

Critical:
Moderately critical
Impact: Exposure of system information
Exposure of sensitive information

Where: From remote
Solution Status: Unpatched


Software: LightBlog 9.x

Description:
JosS has discovered two vulnerabilities in LightBlog, which can be exploited by malicious people to disclose sensitive information.

Input passed to the "username_post" parameter in login.php (when "password_post" is set) and the "Lightblog_username" cookie in check_user.php (when the "Lightblog_password" cookie is set) is not properly verified before being used to include files. This can be exploited to include arbitrary files from local resources via directory traversal attacks and URL-encoded NULL bytes.

Successful exploitation requires that "magic_quotes_gpc" is disabled.

The vulnerabilities are confirmed in version 9.8. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly verified.

Use another product.

Provided and/or discovered by:
JosS

Original Advisory:
http://milw0rm.com/exploits/6797

TikiWiki CMS/Groupware Two Unspecified Vulnerabilities
Oct 22, 2008 2:24AM PDT

Release Date: 2008-10-22

Critical:
Moderately critical
Impact: Unknown

Where: From remote
Solution Status: Vendor Patch


Software: TikiWiki CMS/Groupware 2.x

Description:
Two vulnerabilities with unknown impact have been reported in TikiWiki CMS/Groupware.

The vulnerabilities are caused due to unknown errors. No further information is currently available.

The vulnerabilities are reported in all 2.x versions prior to 2.2.

Solution:
Update to version 2.2.

Provided and/or discovered by:
Reported by the vendor, who credits Emanuele Gentili for one of the issues.

Original Advisory:
http://info.tikiwiki.org/tiki-read_article.php?articleId=41

WordPress Newsletter Plugin "newsletter" SQL Injection
Oct 22, 2008 2:25AM PDT

Release Date: 2008-10-22

Critical:
Moderately critical
Impact: Manipulation of data
Exposure of sensitive information

Where: From remote
Solution Status: Unpatched


Software: Newsletter 2.x (plugin for WordPress)

Description:
r45c4l has reported a vulnerability in the Newsletter plugin for WordPress, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "newsletter" parameter in stnl_iframe.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation allows e.g. retrieval of administrator usernames, password hashes, and e-mail addresses, but requires knowledge of the database table prefix.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
r45c4l

Original Advisory:
http://milw0rm.com/exploits/6777

Debian update for qemu
Oct 22, 2008 2:27AM PDT

Release Date: 2008-10-22

Critical:
Less critical
Impact: Privilege escalation

Where: Local system
Solution Status: Vendor Patch


OS: Debian GNU/Linux 4.0
Debian GNU/Linux unstable alias sid

Description:
Debian has issued an update for qemu. This fixes a vulnerability, which can be exploited by malicious, local users to perform certain actions with escalated privileges.

The vulnerability is caused due to temporary files being created insecurely and can be exploited to e.g. overwrite arbitrary files via symlink attacks.

Solution:
Apply updated packages.

Original Advisory:
DSA-1657-1:
http://www.us.debian.org/security/2008/dsa-1657

Smarty "_expand_quoted_text()" Security Bypass Vulnerability
Oct 22, 2008 2:28AM PDT

Release Date: 2008-10-22

Critical:
Less critical
Impact: Security Bypass

Where: From remote
Solution Status: Vendor Patch


Software: Smarty 2.x

Description:
A vulnerability has been reported in Smarty, which can be exploited by malicious people to bypass certain security restrictions.

The vulnerability is caused due to an error when processing data with embedded variables. This can be exploited to potentially execute arbitrary PHP code.

This vulnerability is reported in version 2.6.19.

Solution:
Update to version 2.6.20-1.

Provided and/or discovered by:
Reported by the vendor.

Sun Integrated Lights-Out Manager Web Interface Unauthorized
Oct 22, 2008 2:29AM PDT

Release Date: 2008-10-22

Critical:
Less critical
Impact: Security Bypass

Where: From local network
Solution Status: Vendor Patch


OS: Sun Integrated Lights-Out Manager 2.x
Sun Netra T5220 Server
Sun SPARC Enterprise T5140 Server
Sun SPARC Enterprise T5240 Server

Description:
A vulnerability has been reported in Sun Integrated Lights-Out Manager, which can be exploited by malicious users to bypass certain security restrictions.

The vulnerability is caused due to an unspecified error in the included web interface. This can be exploited to gain unauthorized access to the service processor (SP) or to the host system.

Solution:
Update to a fixed firmware version. Please see vendor's advisory for more information.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://sunsolve.sun.com/search/document.do?assetkey=1-66-243486-1

GNU Enscript "setfilename" Special Escape Buffer Overflow
Oct 22, 2008 2:30AM PDT

Release Date: 2008-10-22

Critical:
Moderately critical
Impact: System access

Where: From remote
Solution Status: Unpatched


Software: GNU Enscript 1.x

Description:
Secunia Research has discovered a vulnerability in GNU Enscript, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to a boundary error within the "read_special_escape()" function in src/psgen.c. This can be exploited to cause a stack-based buffer overflow by tricking the user into converting a malicious file.

Successful exploitation allows execution of arbitrary code, but requires that special escapes processing is enabled with the "-e" option.

The vulnerability is confirmed in versions 1.6.1 and 1.6.4 (beta). Other versions may also be affected.

Solution:
Do not convert untrusted files.

Various Linux vendors will issue patched versions soon.

Provided and/or discovered by:
Ulf Harnhammar, Secunia Research.

Original Advisory:
Secunia Research:
http://secunia.com/secunia_research/2008-41/

Trend Micro OfficeScan CGI Parsing Buffer Overflow
Oct 22, 2008 2:31AM PDT

Release Date: 2008-10-22

Critical:
Moderately critical
Impact: System access

Where: From local network
Solution Status: Vendor Patch


Software: Trend Micro OfficeScan Corporate Edition 7.x
Trend Micro OfficeScan Corporate Edition 8.x

Description:
Secunia Research has discovered a vulnerability in Trend Micro OfficeScan, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to a boundary error when parsing CGI requests and can be exploited to cause a stack-based buffer overflow via an HTTP request with specially crafted form data.

Successful exploitation allows execution of arbitrary code.

The vulnerability is confirmed in version 7.3 with Patch 4 build 1362 applied. Other versions may also be affected.

Solution:
Apply patches.

Trend Micro OfficeScan 8.0 SP1 Patch 1:
http://www.trendmicro.com/ftp/product...Patch1_Win_EN_CriticalPatch_B3110.exe

Trend Micro OfficeScan 7.3:
http://www.trendmicro.com/ftp/product...CE_7.3_Win_EN_CriticalPatch_B1374.exe

Provided and/or discovered by:
Dyon Balding, Secunia Research.

Original Advisory:
Secunia Research:
http://secunia.com/secunia_research/2008-40/

Trend Micro:
http://www.trendmicro.com/ftp/documen..._sp1p1_CriticalPatch_B3110_readme.txt
http://www.trendmicro.com/ftp/documen...CE_7.3_CriticalPatch_B1374_readme.txt

HP OpenView Products Shared Trace Service Denial of Service
Oct 22, 2008 2:33AM PDT

Release Date: 2008-10-22

Critical:
Less critical
Impact: DoS

Where: From local network
Solution Status: Unpatched


Software: HP OpenView Performance Agent 4.x
HP OpenView Reporter 3.x

Description:
Secunia Research has discovered a vulnerability in various HP products, which can be exploited by malicious people to cause a DoS (Denial of Service).

A specific sequence of RPC requests made to the OpenView Shared Trace Service causes incorrect usage of an object pointer. This results in an access violation or division by zero error terminating the process.

The vulnerability has been confirmed in HP OpenView Reporter 3.70 and HP Performance Agent 4.70. Other versions may also be affected.

Solution:
Restrict untrusted access to TCP ports 5051 and 5053.

Provided and/or discovered by:
Dyon Balding, Secunia Research.

Original Advisory:
Secunia Research:
http://secunia.com/secunia_research/2007-83/

Chrome sweeps carpet-bombing bug under the rug
Oct 22, 2008 3:04AM PDT

Second fix only for developers and still threadbare

By John Leyden

22nd October 2008

Google has issued a second partial fix to Chrome for an infamous carpet-bombing vulnerability that affected multiple browser packages, but it is only available via the developer version of its browser.

The patch has not been published as an automatic update to general users, though it is possible for the tech-savvy to get the security fix by changing default settings on the browser. Other lesser security updates are also developer-only.

The carpet-bombing bug is a blended threat that kicks in when Apple's Safari browser is installed on the same systems as other browser packages. The flaw means that (potentially) executable files might be automatically downloaded onto a user's desktop where they might be subsequently executed. The vulnerability was identified by independent security researcher Billy Rios in May and patched by Apple - after initial denials that the bug was a problem - in June.

More: http://www.theregister.co.uk/2008/10/22/chrome_carpet_bombing/

Security update for Wireshark
Oct 22, 2008 3:07AM PDT

22 October 2008

Version 1.0.4 of the free network analyser Wireshark eliminates five vulnerabilities that make the program crash when analysing certain packets. The errors are located in the dissectors, which are modules for processing Bluetooth ACLs, RFCOMM connections, and the Q.931 protocol.

The dissectors for the rarely encountered parallel redundancy protocol (PRP), MATE, and Tamos CommView capture files also contain similar errors. Versions 0.10.3 to 1.0.3 inclusive are affected.

More: http://www.heise-online.co.uk/security/Security-update-for-Wireshark--/news/111768

Security update for Opera
Oct 22, 2008 3:08AM PDT

22 October 2008

Opera has released security update 9.61 for its browser of the same name, resolving three vulnerabilities. Among them is the possibility of web sites extracting the browser history, as well as a cross site scripting hole when changing pages. In addition, the update fixes minor flaws in the user interface. The new version is available to download for Windows, Mac OS X, Linux, FreeBSD and Solaris.

More: http://www.heise-online.co.uk/security/Security-update-for-Opera--/news/111769

TikiWiki update eliminates several vulnerabilities
Oct 22, 2008 3:09AM PDT

Vulnerability in RealVNC's free viewer allows access to the
Oct 22, 2008 3:11AM PDT

Vulnerability in RealVNC's free viewer allows access to the client


22 October 2008

RealVNC's free VNC Viewer contains an error, which allows an attacker to execute code on a client machine. For this to take place, the victim has to be connected to a malicious server. The privileges of the remotely injected code are dependent on the rights that the user was working under at the time of the attack. The bug was found in version 4.1.2 and happens when specially crafted server packets are processed. Version 4.1.3 fixes the error.

More: http://www.heise-online.co.uk/security/Vulnerability-in-RealVNC-s-free-viewer-allows-access-to-the-client--/news/111773

Trend Micro OfficeScan Critical Patch Release
Oct 22, 2008 3:14AM PDT

added October 22, 2008 at 09:05 am

Trend Micro has released a Critical Patch to address a vulnerability in OfficeScan. This vulnerability is due to a stack-based buffer overflow condition. By sending a specially crafted HTTP request containing form data to the server CGI module, an attacker may be able to execute arbitrary code on the affected system.

US-CERT encourages users and administrators to review Trend Micro Critical Patch Release overview for Build 1374 and Build 3110 and apply any necessary updates to help mitigate the risks.


http://www.us-cert.gov/current/current_activity.html#trend_micro_officescan_critical_patch

Opera Stored Cross Site Scripting Vulnerability
Oct 22, 2008 4:53AM PDT

22 Oct. 2008

Summary
Opera browser is vulnerable to stored Cross Site Scripting. A malicious attacker is able to inject arbitrary browser content through the websites visited with the Opera browser. The code injection is rendered into the Opera History Search page which displays URL and a short description of the visited pages.

Credit:
The information has been provided by Roberto Suggi Liverani.
The original article can be found at: http://www.security-assessment.com/files/advisories/2008-10-22_Opera_Stored_Cross_Site_Scripting.pdf

http://www.securiteam.com/securitynews/6R00L0KMUG.html

Opera 9.6.1 Released
Oct 22, 2008 11:29AM PDT

Published: 2008-10-22,
Last Updated: 2008-10-22 20:38:22 UTC
by Mari Kirby Nichols (Version: 1)

One of our readers, David, wrote in to let us know that Opera has released version 9.6.1 for Windows, which is a recommended security upgrade. Some of the Opera rated "extremely and highly severe" issues fixed include revealing browser history and news feeds as well as a Fast Forward cross-site scripting vulnerability. You can view the changelog here: http://www.opera.com/docs/changelogs/windows/961/


http://isc.sans.org/