
VULNERABILITIES - March 2, 2007

Recent Threat/Vulnerability Developments

Published: 2007-03-02,
Last Updated: 2007-03-02 04:10:13 UTC
by Kevin Liston (Version: 1)
There have been a few recent minor developments that I think warrant a mention.

There have been a handful of viruses recently that specifically target USB removable media, Win32.Agent.wj and VBS.Solow.E just to mention two. This harks back to the old days of floppy-disk boot-sector viruses. This is not the only old-school re-visitation I've seen in malicious code trends; there have also been a few destructive viruses recently reported.

A vulnerability in Adobe Acrobat that allows a malicious PDF file to call arbitrary file:// URLs was announced last night.


Things to keep an eye on over the weekend:

This Year of MOXB continues with PHP. Something interesting is bound to turn up out of that.
The College Basketball championship begins in the US. I would be surprised to not see any "March Madness" related schemes develop.

http://isc.sans.org/

Comments

IBM Lenovo ThinkPad Security Update Fixes Ethernet Privilege Escalation Vulnerability

Advisory ID : FrSIRT/ADV-2007-0801
CVE ID : CVE-2006-6385
Rated as : Moderate Risk
Remotely Exploitable : No
Locally Exploitable : Yes
Release Date : 2007-03-02

Technical Description

A vulnerability has been identified in IBM Lenovo ThinkPad, which could be exploited by local attackers to obtain elevated privileges. This issue is due to an error in the Intel PRO/1000 LAN adapter software. For additional information, see : FrSIRT/ADV-2006-4871

Affected Products

IBM Lenovo ThinkPad T60
IBM Lenovo ThinkPad T60p
IBM Lenovo ThinkPad X60
IBM Lenovo ThinkPad X60s
IBM Lenovo ThinkPad X60 Tablet

Solution

Apply patch :
http://www-307.ibm.com/pc/support/site.wss/license.do?filename=mobiles/7ira09ww.exe

References

http://www.frsirt.com/english/advisories/2007/0801
http://www-307.ibm.com/pc/support/site.wss/document.do?lndocid=MIGR-67116


Novell Access Management SSLVPN Server Security Restrictions Bypass Vulnerability

Advisory ID : FrSIRT/ADV-2007-0800
CVE ID : GENERIC-MAP-NOMATCH
Rated as : Moderate Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-03-02

Technical Description

A vulnerability has been identified in Novell Access Manager, which could be exploited by malicious users to bypass security policies. This issue is due to a design within the "actX.ocx" ActiveX control that relies on the "policy.txt" file created by the application to grant access to network resources, which allows authenticated attackers to bypass the server's controls and gain unauthorized access to any resources on the LAN (that would normally be prohibited) by manipulating the affected file.

Affected Products

Novell Access Manager version 3.0 IR1

Solution

Apply patch :
http://download.novell.com/protected/Export.jsp?buildid=Siiw_-VRqLE~

References

http://www.frsirt.com/english/advisories/2007/0800
http://download.novell.com/Download?buildid=Siiw_-VRqLE~

Credits

Vulnerability reported by the vendor


Symantec Mail Security for SMTP Header Handling Remote Code Execution Vulnerability

Advisory ID : FrSIRT/ADV-2007-0799
CVE ID : GENERIC-MAP-NOMATCH
Rated as : Critical
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-03-02

Technical Description

A vulnerability has been identified in Symantec Mail Security for SMTP, which could be exploited by attackers or worms to take complete control of an affected system. This issue is due to a buffer overflow error when handling malformed email headers, which could be exploited by remote attackers or malware to execute arbitrary commands with SYSTEM privileges by sending a specially crafted email message through a vulnerable application.

Affected Products

Symantec Mail Security for SMTP version 5.0 and prior

Solution

Apply patch 175 :
ftp://ftp.symantec.com/public/english_us_canada/products/symantec_mail_security/5.0_smtp/updates/

References

http://www.frsirt.com/english/advisories/2007/0799
ftp://ftp.symantec.com/public/english_us_canada/products/symantec_mail_security/5.0_smtp/updates/release_notes_p175.txt
http://www.kb.cert.org/vuls/id/875633

Credits

Vulnerability reported by Steve Arvanitis


MPlayer "DMO_VideoDecoder()" File Handling Client-Side Buffer Overflow Vulnerability

Advisory ID : FrSIRT/ADV-2007-0794
CVE ID : GENERIC-MAP-NOMATCH
Rated as : High Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-03-01

Technical Description

A vulnerability has been identified in MPlayer, which could be exploited by remote attackers to execute arbitrary commands. This issue is due to a buffer overflow error within the "DMO_VideoDecoder()" [loader/dmo/DMO_VideoDecoder.c] function, which does not validate certain values before they are copied into an insufficiently sized buffer via a "memcpy()" call, which could be exploited by attackers to crash an affected application or compromise a vulnerable system by tricking a user into opening a specially crafted video file.

Affected Products

MPlayer version 1.0rc1 and prior

Solution

A fix is available via CVS :
http://svn.mplayerhq.hu/mplayer/trunk/loader/dmo/DMO_VideoDecoder.c

References

http://www.frsirt.com/english/advisories/2007/0794

Credits

Vulnerability reported by Moritz Jodeit


Tcpdump "parse_elements()" 802.11 Frame Parsing Remote Buffer Overflow Vulnerability

Advisory ID : FrSIRT/ADV-2007-0793
CVE ID : GENERIC-MAP-NOMATCH
Rated as : Moderate Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-03-01

Technical Description

A vulnerability has been identified in Tcpdump, which could be exploited by remote attackers to cause a denial of service or execute arbitrary commands. This issue is due to an off-by-one buffer overflow error within the "parse_elements()" [print-802_11.c] function when processing malformed 802.11 frames, which could be exploited by attackers to crash an affected application or potentially compromise a vulnerable system.

Affected Products

Tcpdump version 3.9.5 and prior

Solution

A fix is available via CVS :
http://cvs.tcpdump.org/cgi-bin/cvsweb/tcpdump/print-802_11.c

References

http://www.frsirt.com/english/advisories/2007/0793

Credits

Vulnerability reported by Moritz Jodeit
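The MPlayer and Tcpdump entries above describe the same two defects from the defender's side: a length taken from the input and handed to memcpy() without being checked against the destination, and an off-by-one in the bounds check itself. The C program below is an added example, not tcpdump's parse_elements() or MPlayer's DMO_VideoDecoder() code. It parses a constructed 802.11 information-element list (1-byte element ID, 1-byte length, data; the 32-byte SSID limit is the 802.11 standard's) and shows where each check belongs. The sample frames are constructed, not captured traffic.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* 802.11 information elements are a TLV list: 1-byte element ID, 1-byte
 * length, then `length` bytes of data.  Element ID 0 is the SSID, whose
 * payload is at most 32 bytes. */
#define IE_SSID      0
#define MAX_SSID_LEN 32

typedef struct {
    char   ssid[MAX_SSID_LEN + 1];  /* payload plus one byte for the NUL terminator */
    size_t ssid_len;
    int    have_ssid;
    size_t elements_seen;
} ie_result;

/* Parses the element list in p[0..len).  Returns 0 when every element is
 * well-formed and -1 as soon as one is not; nothing is copied for a
 * rejected element, so out->ssid can never be overrun. */
int parse_ies(const uint8_t *p, size_t len, ie_result *out)
{
    size_t off = 0;
    memset(out, 0, sizeof *out);
    while (off < len) {
        if (len - off < 2)
            return -1;                       /* truncated element header */
        uint8_t id   = p[off];
        uint8_t elen = p[off + 1];
        off += 2;
        if (elen > len - off)
            return -1;                       /* declared length runs past the frame */
        if (id == IE_SSID) {
            /* The copy below writes elen bytes and then a NUL, so elen must be
             * at most sizeof(ssid) - 1.  Comparing against sizeof(ssid) here
             * (or writing >= MAX_SSID_LEN + 1) is the classic off-by-one. */
            if (elen > MAX_SSID_LEN)
                return -1;
            memcpy(out->ssid, p + off, elen);
            out->ssid[elen] = '\0';
            out->ssid_len  = elen;
            out->have_ssid = 1;
        }
        off += elen;                         /* unknown IDs are skipped, not trusted */
        out->elements_seen++;
    }
    return 0;
}

/* Constructed sample frames (not captured traffic). */
/* SSID "example" followed by a 2-byte Supported Rates element (ID 1). */
const uint8_t FRAME_GOOD[] = { 0, 7, 'e','x','a','m','p','l','e', 1, 2, 0x82, 0x84 };
/* SSID element claiming 20 bytes when only 3 remain in the frame. */
const uint8_t FRAME_TRUNCATED[] = { 0, 20, 'a','b','c' };

int frame_accepted(const uint8_t *p, size_t len)
{
    ie_result r;
    return parse_ies(p, len, &r) == 0;
}

/* Returns the parsed SSID length, or -1 if the frame is rejected or has no SSID. */
int frame_ssid_len(const uint8_t *p, size_t len)
{
    ie_result r;
    if (parse_ies(p, len, &r) != 0 || !r.have_ssid)
        return -1;
    return (int)r.ssid_len;
}

/* Builds a frame holding one SSID element of n bytes and reports whether the
 * parser accepts it: n == 32 must be accepted, n == 33 must be rejected. */
int ssid_of_length_accepted(unsigned n)
{
    uint8_t frame[2 + 255];
    if (n > 255)
        return 0;
    frame[0] = IE_SSID;
    frame[1] = (uint8_t)n;
    memset(frame + 2, 'A', n);
    return frame_accepted(frame, 2 + n);
}

int main(void)
{
    ie_result r;
    if (parse_ies(FRAME_GOOD, sizeof FRAME_GOOD, &r) == 0)
        printf("good frame: %zu elements, SSID \"%s\"\n", r.elements_seen, r.ssid);
    printf("truncated frame accepted: %d\n",
           frame_accepted(FRAME_TRUNCATED, sizeof FRAME_TRUNCATED));
    printf("32-byte SSID accepted: %d, 33-byte SSID accepted: %d\n",
           ssid_of_length_accepted(32), ssid_of_length_accepted(33));
    return 0;
}
```

The point of ssid_of_length_accepted() is the boundary: the destination has room for 32 bytes plus a terminator, so 32 must pass and 33 must fail. A check written against the full buffer size instead of the size minus one admits 33 bytes, and the terminating NUL then lands one byte past the end of the buffer.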


Gentoo Security Update Fixes ClamAV Multiple Remote Denial of Service Vulnerabilities

Advisory ID : FrSIRT/ADV-2007-0797
CVE ID : CVE-2007-0897 - CVE-2007-0898
Rated as : Moderate Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-03-02

Technical Description

Gentoo has released security updates to address multiple vulnerabilities identified in ClamAV. These issues could be exploited by attackers to cause a denial of service. For additional information, see : FrSIRT/ADV-2007-0623

Affected Products

app-antivirus/clamav versions prior to 0.90

Solution

Upgrade the affected package :
# emerge --sync
# emerge --ask --oneshot --verbose ">=app-antivirus/clamav-0.90"

References

http://www.frsirt.com/english/advisories/2007/0797
http://www.gentoo.org/security/en/glsa/glsa-200703-03.xml


Gentoo Security Update Fixes SpamAssassin Remote Denial of Service Vulnerability

Advisory ID : FrSIRT/ADV-2007-0796
CVE ID : CVE-2007-0451
Rated as : Low Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-03-02

Technical Description

Gentoo has released security updates to address a vulnerability identified in SpamAssassin. This issue could be exploited by attackers to cause a denial of service. For additional information, see : FrSIRT/ADV-2007-0628

Affected Products

mail-filter/spamassassin versions prior to 3.1.8

Solution

Upgrade the affected package :
# emerge --sync
# emerge --ask --oneshot --verbose ">=mail-filter/spamassassin-3.1.8"

References

http://www.frsirt.com/english/advisories/2007/0796
http://www.gentoo.org/security/en/glsa/glsa-200703-02.xml


Gentoo Security Update Fixes Snort DCE/RPC Preprocessor Buffer Overflow Vulnerability

Advisory ID : FrSIRT/ADV-2007-0795
CVE ID : CVE-2006-5276
Rated as : Critical
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-03-02

Technical Description

Gentoo has released security updates to address a vulnerability identified in Snort. This issue could be exploited by attackers to execute arbitrary commands or cause a denial of service. For additional information, see : FrSIRT/ADV-2007-0656

Affected Products

net-analyzer/snort versions prior to 2.6.1.3

Solution

Upgrade the affected package :
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-analyzer/snort-2.6.1.3"

References

http://www.frsirt.com/english/advisories/2007/0795
http://www.gentoo.org/security/en/glsa/glsa-200703-01.xml

aWebNews listing.php File Inclusion Vulnerability

Secunia Advisory: SA24351
Release Date: 2007-03-02


Critical: Highly critical
Impact: System access

Where: From remote

Solution Status: Unpatched


Software: aWebNews 1.x

http://secunia.com/advisories/24351/

Contelligent "MoveSortedContentAction" Security Bypass

Secunia Advisory: SA24364
Release Date: 2007-03-02


Critical: Less critical
Impact: Security Bypass

Where: From remote

Solution Status: Vendor Patch


Software: Contelligent 9.x


Description:
A security issue has been reported in Contelligent, which can be exploited by malicious users to bypass certain security restrictions.

The security issue is caused due to the "MoveSortedContentAction" action not properly checking additional security configurations, which can be exploited to reorder components.

Successful exploitation requires that the attacker has write access to the location.

The security issue is reported in version 9.1.4. Prior versions may also be affected.

Solution:
Update to version 9.1.5.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://www.contelligent.com/contell/c...gent/changelog.html?fromRelease=9.1.4

Kaspersky AntiVirus UPX File Decompression DoS Vulnerability
DESCRIPTION

Remote exploitation of a denial of service (DoS) vulnerability in Kaspersky Lab's Antivirus could allow an attacker to conduct a DoS attack on a targeted host.

The antivirus engine is vulnerable to a DoS condition when processing an executable packed with UPX compression. Malformed compressed data causes the decompression routine to enter an infinite loop. Specifically, a negative data offset results in the same compressed data chunk being processed endlessly.

ANALYSIS

Exploitation allows an attacker to conduct a DoS attack.

If this attack is conducted against an e-mail gateway running Kaspersky, legitimate clients may be unable to send e-mail through the server.

The infinite loop being executed consists of a short sequence of instructions, which results in maximum CPU usage. On a client desktop, the infinite loop will render the machine nearly unusable. On a server, it severely degrades the quality of service of other applications running.

DETECTION

iDefense has confirmed the existence of this vulnerability in Kaspersky Labs Antivirus Engine version 6.0.1.411 for Windows and 5.5-10 for Linux. Previous versions may also be affected. Any products that use the scanning engine are also affected, which includes the Kaspersky e-mail gateway scanner.

WORKAROUND

iDefense is currently unaware of any workarounds for this issue.

VENDOR RESPONSE

Kaspersky Lab reports that it has fixed this vulnerability as of February 7th, 2007. In addition, they stated the following.

"There is no need to download any special patches. All installed Kaspersky Lab products are updated automatically through the regular signature-update functionality. There is no need to contact Kaspersky Lab to obtain this fix."

DISCLOSURE TIMELINE

01/24/2007 Initial vendor notification
03/01/2007 Initial vendor response
03/02/2007 Coordinated public disclosure

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=485
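The iDefense description above names the mechanism: a negative data offset sends the decompressor back to a chunk it has already processed, so the loop never reaches the end of the input. The C program below is an added example, not Kaspersky's engine or the UPX format. It defines a small constructed chunked format in which each chunk carries a signed offset to the next one, and places a naive decoder that follows the offset as given beside a hardened one that requires every iteration to move strictly forward through unread input, which bounds the number of iterations by the input size. The MAX_STEPS cap in the naive decoder exists only so the demonstration terminates; all three streams are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Toy chunked stream, constructed for this example (not the UPX format):
 *   chunk := int16_le next_delta | uint8 lit_len | lit_len literal bytes
 * next_delta is the distance from the start of this chunk to the start of
 * the next one; 0 marks the final chunk. */
#define MAX_STEPS 10000

static int16_t rd_i16le(const uint8_t *p)
{
    return (int16_t)(p[0] | (p[1] << 8));
}

/* Naive decoder: follows next_delta wherever it points.  MAX_STEPS stands in
 * for the wall clock; a real decoder without it never returns on a cyclic
 * stream.  Returns bytes produced, -1 for a malformed chunk, -2 at the cap. */
int decompress_naive(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap)
{
    long pos = 0;
    size_t out_len = 0;
    for (int steps = 0; steps < MAX_STEPS; steps++) {
        if (pos < 0 || (size_t)pos + 3 > in_len)
            return -1;
        int16_t delta = rd_i16le(in + pos);
        uint8_t lit   = in[pos + 2];
        if ((size_t)pos + 3 + lit > in_len || lit > out_cap - out_len)
            return -1;
        memcpy(out + out_len, in + pos + 3, lit);
        out_len += lit;
        if (delta == 0)
            return (int)out_len;
        pos += delta;                /* a negative delta walks back to an earlier chunk */
    }
    return -2;
}

/* Hardened decoder: every iteration must consume fresh input.  pos grows by
 * at least the size of the chunk just read and never exceeds in_len, so the
 * loop runs at most in_len / 3 times whatever the stream contains. */
int decompress_checked(const uint8_t *in, size_t in_len, uint8_t *out, size_t out_cap)
{
    size_t pos = 0, out_len = 0;
    for (;;) {
        if (in_len - pos < 3)
            return -1;                           /* truncated chunk header */
        int16_t delta = rd_i16le(in + pos);
        uint8_t lit   = in[pos + 2];
        size_t chunk_len = 3 + (size_t)lit;
        if (chunk_len > in_len - pos)
            return -1;                           /* literals run past the input */
        if (lit > out_cap - out_len)
            return -1;                           /* output buffer exhausted */
        memcpy(out + out_len, in + pos + 3, lit);
        out_len += lit;
        if (delta == 0)
            return (int)out_len;
        if (delta < 0 || (size_t)delta < chunk_len)
            return -1;                           /* no forward progress: reject, don't loop */
        pos += (size_t)delta;
    }
}

/* Constructed streams. */
/* "Hello" then "!" in two well-formed chunks. */
const uint8_t STREAM_GOOD[]    = { 8, 0, 5, 'H','e','l','l','o',  0, 0, 1, '!' };
/* Two empty chunks whose deltas point at each other: +3 then -3 (0xFFFD). */
const uint8_t STREAM_CYCLE[]   = { 3, 0, 0,  0xFD, 0xFF, 0 };
/* A chunk whose delta (2) lands inside its own literal bytes. */
const uint8_t STREAM_OVERLAP[] = { 2, 0, 4, 'a','b','c','d',  0, 0, 0 };

int run_naive(const uint8_t *in, size_t in_len)
{
    uint8_t out[64];
    return decompress_naive(in, in_len, out, sizeof out);
}

int run_checked(const uint8_t *in, size_t in_len)
{
    uint8_t out[64];
    return decompress_checked(in, in_len, out, sizeof out);
}

/* 1 if the hardened decoder reproduces `expected` exactly. */
int checked_output_is(const uint8_t *in, size_t in_len, const char *expected)
{
    uint8_t out[64];
    int n = decompress_checked(in, in_len, out, sizeof out);
    return n >= 0 && (size_t)n == strlen(expected) && memcmp(out, expected, (size_t)n) == 0;
}

int main(void)
{
    printf("good:  naive=%d checked=%d\n", run_naive(STREAM_GOOD, sizeof STREAM_GOOD),
           run_checked(STREAM_GOOD, sizeof STREAM_GOOD));
    printf("cycle: naive=%d (stopped by the %d-step cap) checked=%d\n",
           run_naive(STREAM_CYCLE, sizeof STREAM_CYCLE), MAX_STEPS,
           run_checked(STREAM_CYCLE, sizeof STREAM_CYCLE));
    return 0;
}
```

The termination argument is the part worth carrying over to a real decompressor: the hardened loop does not need a step cap because its position is a strictly increasing integer bounded by the input length, so the cyclic stream is rejected on its second chunk rather than spinning at full CPU as the advisory describes. For an e-mail gateway, that is the difference between one rejected attachment and a scanner that stops serving everyone.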
