VULNERABILITIES \ FIXES - October 7, 2008

Oct 7, 2008 2:07AM PDT

SUSE update for mercurial

Release Date: 2008-10-07

Critical:
Less critical
Impact: Security Bypass

Where: From remote
Solution Status: Vendor Patch


OS: openSUSE 11.0

Description:
SUSE has issued an update for mercurial. This fixes a vulnerability, which can be exploited by malicious people to bypass certain security restrictions.

Solution:
Updated packages are available via YaST Online Update and the SUSE FTP server.

Original Advisory:
SUSE-SR:2008:020:
http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00004.html

Other References:
SA31108:
http://secunia.com/advisories/31108/

SUSE update for openssh
Oct 7, 2008 2:08AM PDT

Release Date: 2008-10-07

Critical:
Moderately critical
Impact: DoS

Where: From remote
Solution Status: Vendor Patch


OS: SUSE Linux Enterprise Server 10

Description:
SUSE has issued an update for openssh. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an incorrect patch for CVE-2006-5051.

Solution:
Updated packages are available via YaST Online Update and the SUSE FTP server.

Original Advisory:
SUSE-SR:2008:020:
http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00004.html

Other References:
SA22173:
http://secunia.com/advisories/22173/

CMME Information Disclosure Security Issues
Oct 7, 2008 2:09AM PDT

Release Date: 2008-10-07

Critical:
Moderately critical
Impact: Exposure of sensitive information

Where: From remote
Solution Status: Unpatched


Software: CMME 1.x

Description:
AmnPardaz Security Research & Penetration Testing Group has discovered some security issues in CMME, which can be exploited by malicious people to disclose sensitive information.

Solution:
Restrict web access to "data/admin/users" and "info.php" (e.g. with a .htaccess file).

Provided and/or discovered by:
AmnPardaz Security Research & Penetration Testing Group

Original Advisory:
http://www.bugreport.ir/index_55.htm

HP-UX NFS/ONCplus Denial of Service Vulnerability
Oct 7, 2008 2:10AM PDT

Release Date: 2008-10-07

Critical:
Less critical
Impact: DoS

Where: From local network
Solution Status: Vendor Patch


OS: HP-UX 11.x

Description:
A vulnerability has been reported in HP-UX, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an unspecified error in the NFS/ONCplus package and can be exploited to cause a DoS.

The vulnerability is reported in HP-UX B.11.31 running NFS/ONCplus version B.11.31_04 or prior.

Solution:
HP-UX B.11.31:
Install ONCplus_B.11.31.05.depot or later.
http://software.hp.com/portal/swdepot...yProductInfo.do?productNumber=ONCplus

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
HPSBUX02375 SSRT080122:
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01570585

SUSE update for dovecot and GraphicsMagick
Oct 7, 2008 2:11AM PDT

Release Date: 2008-10-07

Critical:
Moderately critical
Impact: Security Bypass
DoS

Where: From remote
Solution Status: Vendor Patch


OS: openSUSE 10.2
openSUSE 10.3
openSUSE 11.0


Description:
SUSE has issued an update for dovecot and GraphicsMagick. This fixes a security issue and some vulnerabilities, which can be exploited by malicious users to bypass certain security restrictions and by malicious people to bypass certain security restrictions and cause a DoS (Denial of Service).

Solution:
Updated packages are available via YaST Online Update or the SUSE FTP server.

Original Advisory:
SUSE-SR:2008:020:
http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00004.html

Other References:
SA28271:
http://secunia.com/advisories/28271/

SA29295:
http://secunia.com/advisories/29295/

SA30879:
http://secunia.com/advisories/30879/

Debian update for php5
Oct 7, 2008 2:13AM PDT

Release Date: 2008-10-07

Critical:
Moderately critical
Impact: DoS
System access

Where: From remote
Solution Status: Vendor Patch


OS: Debian GNU/Linux 4.0
Debian GNU/Linux unstable alias sid

Description:
Debian has issued an update for php5. This fixes some vulnerabilities, which can potentially be exploited by malicious people to cause a DoS (Denial of Service) or compromise a vulnerable system.

Solution:
Apply updated packages.

Original Advisory:
http://www.debian.org/security/2008/dsa-1647

Other References:
SA31409:
http://secunia.com/advisories/31409/

Kwalbum "UploaditemsPage.php" File Upload Vulnerability
Oct 7, 2008 2:14AM PDT

Release Date: 2008-10-07

Critical:
Moderately critical
Impact: System access

Where: From remote
Solution Status: Unpatched


Software: Kwalbum 2.x

Description:
A vulnerability has been discovered in Kwalbum, which can be exploited by malicious users to compromise a vulnerable system.

The vulnerability is caused due to improper restrictions in "ReplaceBadFilenameChars()" on what file types users are allowed to upload. This can be exploited to execute arbitrary PHP code.

Successful exploitation requires an account on the Kwalbum site with privileges to upload files and requires that PICS_PATH resides within the webroot.

This vulnerability is confirmed in versions 2.0.2 and 2.0.4. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
CWH Underground

Original Advisory:
http://milw0rm.com/exploits/6664

SUSE update for MozillaFirefox
Oct 7, 2008 2:15AM PDT

Release Date: 2008-10-07

Critical:
Highly critical
Impact: Security Bypass
Exposure of system information
Exposure of sensitive information
DoS
System access

Where: From remote
Solution Status: Vendor Patch


OS: SUSE Linux Enterprise Server 10

Description:
SUSE has issued an update for MozillaFirefox. This fixes some vulnerabilities, which can be exploited by malicious people to bypass certain security restrictions, to disclose sensitive information, or to potentially compromise a user's system.

Solution:
Updated packages are available via the SuSE Linux Maintenance Web.
http://support.novell.com/techcenter/psdb/39ddcb62480cca4cc1867664cac5707c.html

Original Advisory:
http://download.novell.com/Download?buildid=WZXONb-tqBw~

Other References:
SA31984:
http://secunia.com/advisories/31984/

iseemedia LPViewer ActiveX Control Multiple Buffer Overflow
Oct 7, 2008 2:16AM PDT

iseemedia LPViewer ActiveX Control Multiple Buffer Overflow Vulnerabilities

Release Date: 2008-10-07

Critical:
Highly critical
Impact: System access

Where: From remote
Solution Status: Unpatched


Software: iseemedia LPViewer ActiveX Control

Description:
Will Dormann has reported some vulnerabilities in the iseemedia LPViewer ActiveX control, which can be exploited by malicious people to compromise a user's system.

The vulnerabilities are caused due to boundary errors within the "url()", "toolbar()", and "enableZoomPastMax()" methods provided by the iseemedia LPViewer (LPControl.dll) ActiveX control. These can be exploited to cause stack-based buffer overflows when a user is tricked into visiting a malicious website.

Successful exploitation allows execution of arbitrary code.

Solution:
Set the kill-bit for the affected ActiveX control.

Provided and/or discovered by:
Will Dormann, CERT/CC

Original Advisory:
US-CERT VU#848873:
http://www.kb.cert.org/vuls/id/848873

Debian update for lighttpd
Oct 7, 2008 2:17AM PDT

Release Date: 2008-10-07

Critical:
Moderately critical
Impact: Security Bypass
Exposure of sensitive information
DoS

Where: From remote
Solution Status: Vendor Patch


OS: Debian GNU/Linux 4.0
Debian GNU/Linux unstable alias sid

Description:
Debian has issued an update for lighttpd. This fixes a weakness and some vulnerabilities, which can be exploited by malicious people to disclose potentially sensitive information, bypass certain security restrictions, and cause a DoS (Denial of Service).

Solution:
Apply updated packages.

Original Advisory:
DSA-1645-1:
http://lists.debian.org/debian-security-announce/2008/msg00236.html

Other References:
SA32069:
http://secunia.com/advisories/32069/

Fedora update for mediawiki
Oct 7, 2008 2:18AM PDT

Release Date: 2008-10-07

Critical:
Less critical
Impact: Cross Site Scripting

Where: From remote
Solution Status: Vendor Patch


OS: Fedora 8
Fedora 9

Description:
Fedora has issued an update for mediawiki. This fixes a vulnerability, which can be exploited by malicious people to conduct cross-site scripting attacks.

Solution:
Apply updated packages using the yum utility ("yum update mediawiki").

Original Advisory:
FEDORA-2008-8678:
https://www.redhat.com/archives/fedor...e-announce/2008-October/msg00220.html

FEDORA-2008-8639:
https://www.redhat.com/archives/fedor...e-announce/2008-October/msg00179.html

Other References:
SA32131:
http://secunia.com/advisories/32131/

D-Bus "_dbus_validate_signature_with_reason()" Denial of Ser
Oct 7, 2008 2:20AM PDT

Release Date: 2008-10-07

Critical:
Not critical
Impact: DoS

Where: Local system
Solution Status: Vendor Patch


Software: D-Bus 1.x

Description:
A weakness has been reported in D-Bus, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

The weakness is caused due to an error within the "_dbus_validate_signature_with_reason()" function when validating a malformed signature. This can be exploited to terminate applications using D-Bus by tricking them into validating a specially crafted signature.

The weakness is reported in versions prior to 1.2.4.

Solution:
Update to version 1.2.4.
http://www.freedesktop.org/wiki/Softw...0dab297a44f1d7a3b1259cfc06b583fd6a88a

Provided and/or discovered by:
Reported in a D-Bus bug by schelte at wanadoo dot nl.

Original Advisory:
D-Bus:
http://www.freedesktop.org/wiki/Softw...0dab297a44f1d7a3b1259cfc06b583fd6a88a

freedesktop.org bug #17803:
https://bugs.freedesktop.org/show_bug.cgi?id=17803

Juniper Products Neighbor Discovery Protocol Neighbor Solici
Oct 7, 2008 2:21AM PDT

Release Date: 2008-10-07

Critical:
Less critical
Impact: Manipulation of data

Where: From local network
Solution Status: Unpatched


OS: Juniper IVE OS Software 1.x
Juniper IVE OS Software 2.x
Juniper IVE OS Software 3.x
Juniper IVE OS Software 4.x
Juniper IVE OS Software 5.x
Juniper IVE OS Software 6.x
Juniper Networks DXOS 5.x
Juniper Networks IDP 4.x
Juniper Networks Infranet Controller 4000
Juniper Networks Infranet Controller 6000
Juniper Networks Secure Access 2000
Juniper Networks Secure Access 4000 (NetScreen-SA 3000 Series)
Juniper Networks Secure Access 6000 (NetScreen-SA 5000 Series)
Juniper Networks Secure Access 6000 SP
Juniper Networks Secure Access 700
Juniper Networks Session and Resource Control (SRC) 1.x
Juniper Networks Session and Resource Control (SRC) 2.x
Juniper Networks WX Series
Juniper Networks WXC Series

Description:
A vulnerability has been reported in multiple Juniper Networks products, which can be exploited by malicious people to manipulate the router's neighbor cache.

The vulnerability is caused due to an error in the implementation of the Neighbor Discovery protocol when processing neighbor solicitation requests. This can be exploited to add a fake entry to the router's neighbor cache via a neighbor solicitation request containing a spoofed IPv6 address.

Successful exploitation may allow the interception or disruption of network traffic, but requires that the IPv6 nodes involved in the attack are using the same router.

NOTE: The vendor has not published a publicly available advisory and has also refused to provide a list of the affected products or patches as information about vulnerabilities is provided to registered customers only. It is therefore unclear if only a subset of the products reported as vulnerable in this advisory are affected.

Solution:
It is currently unclear whether fixes are available.

Provided and/or discovered by:
US-CERT credits David Miles.

Original Advisory:
Juniper (login required):
https://www.juniper.net/alerts/viewal...ber=PSN-2008-09-036&viewMode=view

US-CERT:
http://www.kb.cert.org/vuls/id/MAPG-7H2RZU

Other References:
US-CERT VU#472363:
http://www.kb.cert.org/vuls/id/472363

Debian update for squid
Oct 7, 2008 2:22AM PDT

Release Date: 2008-10-07

Critical:
Moderately critical
Impact: DoS

Where: From remote
Solution Status: Vendor Patch


OS: Debian GNU/Linux 4.0

Description:
Debian has issued an update for squid. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Solution:
Apply updated packages.

Original Advisory:
http://www.debian.org/security/2008/dsa-1646

Other References:
SA27910:
http://secunia.com/advisories/27910/

Atarone CMS Multiple Vulnerabilities
Oct 7, 2008 2:23AM PDT

Release Date: 2008-10-07

Critical:
Moderately critical
Impact: Cross Site Scripting
Manipulation of data
Exposure of sensitive information

Where: From remote
Solution Status: Unpatched


Software: Atarone CMS 1.x



Description:
Some vulnerabilities have been discovered in Atarone CMS, which can be exploited by malicious users to conduct SQL injection attacks and disclose sensitive information, and by malicious people to conduct cross-site scripting attacks.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
Reported by an anonymous person.

IBM Lotus Quickr Security Issues and Denial of Service
Oct 7, 2008 2:25AM PDT

Release Date: 2008-10-07

Critical:
Moderately critical
Impact: DoS
Privilege escalation

Where: From remote
Solution Status: Vendor Patch


Software: IBM Lotus Quickr 8.x

Description:
Some security issues and a vulnerability have been reported in IBM Lotus Quickr, which can be exploited by malicious users to perform certain actions with escalated privileges and potentially by malicious people to cause a DoS (Denial of Service).

Solution:
Update to version 8.1.0.1.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
IBM (WBSI7GZAZ6, THES7BZM66, XFXF7HF5HB):
http://www-01.ibm.com/support/docview.wss?uid=swg27013341

MetaGauge Directory Traversal Vulnerability
Oct 7, 2008 2:26AM PDT

Release Date: 2008-10-07

Critical:
Less critical
Impact: Exposure of sensitive information

Where: From local network
Solution Status: Vendor Patch


Software: Hammer Software MetaGauge 1.x

Description:
Brad Antoniewicz has reported a vulnerability in MetaGauge, which can be exploited by malicious people to disclose potentially sensitive information.

The vulnerability is caused due to MetaGauge not properly sanitising HTTP requests before using them. This can be exploited to display arbitrary files via directory traversal attacks.

The vulnerability is reported in versions 1.0.0.17 and 1.0.1.20.

Solution:
Update to version 1.0.3.38.

Provided and/or discovered by:
Brad Antoniewicz

Original Advisory:
http://www.milw0rm.com/exploits/6686

H-Sphere webshell4 Cross-Site Scripting and Request Forgery
Oct 7, 2008 2:27AM PDT

Release Date: 2008-10-07

Critical:
Less critical
Impact: Cross Site Scripting
Manipulation of data

Where: From remote
Solution Status: Unpatched


Software: H-Sphere 3.x

Description:
C1c4Tr1Z has reported some vulnerabilities in H-Sphere, which can be exploited by malicious people to conduct cross-site scripting and cross-site request forgery attacks.

Solution:
Filter malicious characters and character sequences in a web proxy. Do not browse untrusted websites while logged on to the application.

Provided and/or discovered by:
C1c4Tr1Z

Original Advisory:
http://packetstorm.linuxsecurity.com/0810-exploits/webshell431-xssxsrf.txt

noName CMS "index.php" SQL Injection Vulnerabilities
Oct 7, 2008 2:28AM PDT

Release Date: 2008-10-07

Critical:
Moderately critical
Impact: Manipulation of data
Exposure of sensitive information

Where: From remote
Solution Status: Unpatched


Software: noName CMS 1.x



Description:
~!Dok_tOR!~ has reported two vulnerabilities in noName CMS, which can be exploited by malicious people to conduct SQL injection attacks.

Input passed to the "file_id" parameter in index.php (when "action" is set to "detailansicht") and "kategorie" in index.php (when "action" is set to "kategorien") is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation allows e.g. retrieval of usernames, passwords, and e-mail addresses, but requires that "magic_quotes_gpc" is disabled.

The vulnerabilities are reported in version 1.0. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
~!Dok_tOR!~

Original Advisory:
http://milw0rm.com/exploits/6644

Security update for Novell eDirectory
Oct 7, 2008 2:58AM PDT

7 October 2008

Novell has released a patch (8.7.3 SP10 FTF1) for its eDirectory network directory service, correcting several errors. Among these are two critical vulnerabilities which could allow a remote attacker to crash or take control of an affected system. The exploits are based on heap overflows during the execution of certain commands to the directory service. On its list of current security problems, the US Computer Emergency Readiness Team (US-CERT) recommends installing the updates as soon as possible.

More: http://www.heise-online.co.uk/security/Security-update-for-Novell-eDirectory--/news/111674

VMware patches holes
Oct 7, 2008 2:59AM PDT