cyber security - U.S. CERT

VU#515749: Microsoft Internet Explorer CSS style element vulnerability

US-CERT — Tue, 24 Nov 2009 06:09:31 -0800

2009-11-24T14:09:31-04:00

Vulnerability Note VU#515749

Microsoft Internet Explorer CSS style element vulnerability

Overview

Microsoft Internet Explorer (IE) does not safely reference CSS style elements. Using a specially crafted HTML page, an attacker can cause IE to crash and potentially execute arbitrary code.

I. Description

IE contains a vulnerability in the way it references CSS style elements. Processing a specially crafted HTML page could cause IE to access an invalid memory location and crash. Using heap-spraying techniques, an attacker could leverage the crash to execute arbitrary code.

Please see Microsoft Security Advisory (977981).

II. Impact

By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message), an attacker could execute arbitrary code with the privileges of the user.

III. Solution

A complete solution is not available.

Disable Active scripting

As noted in Microsoft Security Advisory (977981), consider disabling Active Scripting. Instructions for disabling Active scripting can be found in Microsoft Security Advisory (977981 and "Securing Your Web Browser."

Enable DEP

As noted in Microsoft Security Advisory (977981), consider enabling Data Execution Prevention (DEP).

Disabling scripting and enabling DEP do not resolve the vulnerability, but they greatly lower the chances of an attacker being able to execute arbitrary code.

Use Internet Explorer 8

According to Microsoft Security Advisory (977981), Internet Explorer 8 is not affected.

Systems Affected

Vendor	Status	Date Notified	Date Updated
Microsoft Corporation	Vulnerable	2009-11-23	2009-11-24

References

http://www.microsoft.com/technet/security/advisory/977981.mspx
http://www.securityfocus.com/archive/1/507984/30/0/threaded
http://www.symantec.com/connect/blogs/zero-day-internet-explorer-exploit-published
http://www.computerworld.com/s/article/9141278/New_attack_fells_Internet_Explorer
http://seclists.org/bugtraq/2009/Nov/148
http://blogs.msdn.com/ie/archive/2008/04/08/ie8-security-part-I_3A00_-dep-nx-memory-protection.aspx

Credit

This vulnerability was publicly disclosed by info@securitylab.ir and/or K4mr4n_st@yahoo.com.

This document was written by Art Manion.

Other Information

Date Public:	2009-11-20
Date First Published:	2009-11-24
Date Last Updated:	2009-11-27
CERT Advisory:
CVE-ID(s):	CVE-2009-3672
NVD-ID(s):	CVE-2009-3672
US-CERT Technical Alerts:
Metric:	29.25
Document Revision:	15

VU#723308: TCP may keep its offered receive window closed indefinitely (RFC 1122)

US-CERT — Mon, 23 Nov 2009 07:43:31 -0800

Vulnerability Note VU#723308

TCP may keep its offered receive window closed indefinitely (RFC 1122)

Overview

Part of the Transmission Control Protocol (TCP) specification (RFC 1122) allows a receiver to advertise a zero byte window, instructing the sender to maintain the connection but not send additional TCP payload data. The sender should then probe the receiver to check if the receiver is ready to accept data. Narrow interpretation of this part of the specification can create a denial-of-service vulnerability. By advertising a zero receive window and acknowledging probes, a malicious receiver can cause a sender to consume resources (TCP state, buffers, and application memory), preventing the targeted service or system from handling legitimate connections.

I. Description

TCP implementations from multiple vendors are vulnerable to malicious or misbehaving connections that indefinitely advertize a zero receive window. RFC 1122 section 4.2.2.17 states that "A TCP MAY keep its offered receive window closed indefinitely. As long as the receiving TCP continues to send acknowledgments in response to the probe segments, the sending TCP MUST allow the connection to stay open." The TCP connection is open however no data is being transmitted. This "stalled" state is generally referred to as the TCP persist condition.

The intent of RFC 1122 section 4.2.2.17 is that TCP must not terminate connections in the persist condition under normal operating conditions. It is possible to interpret the language narrowly to mean that TCP must not terminate connections in the persist condition under any circumstances, and this interpretation is likely to cause denial-of-services vulnerabilities. An attacker can asymmetrically consume server resources by making TCP connections, optionally requesting data, then setting the receive window to zero and repeatedly acknowledging window probes from the server.

General consensus of the IETF TCP Maintenance and Minor Extensions (TCPM) working group is that an operating system or application can abort TCP connections for any reason, including resource exhaustion. TCP itself cannot reliably decide to abort connections, and doing so would violate protocol standards, however there is no guidance against an operating system or application from aborting connections to recover memory resources.

This vulnerability, one specific attack (section 3), and a proposed defense (section 7) are further described in the individual IETF Internet-Draft "Clarification of sender behaviour in persist condition." A more comprehensive review of TCP state vulnerabilities is presented in CPNI Technical Note 3/2009: Security Assessment of the Transmission Control Protocol (TCP). The CPNI document describes the persist condition in section 3.7.2 and suggests countermeasures in section 7.1.2.

Persist condition attacks are implemented in the sockstress and Nkiller2 tools. Typically, these tools leverage a lightweight userland connection framework to generate many attacking connections without the overhead of full TCP state. There are different variants of attacks that exploit the persist condition, and some attack tools exploit other timers and states in TCP. Please see the CERT-FI Advisory on the Outpost24 TCP Issues for further information about sockstress including vendor responses.

The security aspects of the TCP persist condition has been discussed on the TCPM working group mailing list since at least 2006.

II. Impact

A remote, unauthenticated attacker can cause a denial of service. The attacker may be able to cause the operating system or network application to be unresponsive for the duration of the attack.

III. Solution

Modifications can be made to TCP implementations, interfaces, operating systems, and network applications, however any changes should consider the balance between improved resiliency and decreased interoperability. The IETF TCPM is considering the problem and any potential changes to TCP or guidance to implementors. As of the publication of this vulnerability note, the IETF has not yet decided whether additional clarifications of the TCP specifications are necessary. Some vendors have implemented changes to improve resiliency against zero window and other TCP state attacks.

Consider the analysis and advice provided in the CPNI assessment.

Abort misbehaving TCP connections under resource exhaustion conditions

The consensus of the TCPM discussion seems to be that an operating system or application that faces resource exhaustion can selectively abort TCP connections that appear to be malicious (i.e., in persist condition and consuming relatively large amounts of memory). TCP must implement the persist behavior in RFC 1122, but a higher protocol layer can decide to abort a connection for any reason, including resource exhaustion. How and when to abort connections are open questions, and beyond the scope of the TCP protocol specification.

Section 7 of the "Clarification..." I-D describes an approach in which an application can limit how long the underlying TCP socket should tolerate connections in the persist condition. However, section 7.1.2 of the CPNI assessment warns that "...an attacker could simply open the window (i.e., advertise a TCP window larger than zero) from time to time to prevent this enforced limit from causing his malicious connections to be aborted."

A system that aborts TCP connections too aggressively is likely to drop legitimate connections. Carefully consider the likelihood of attack, the cost of dropping legitimate connections, and the benefit of dropping malicious connections before making design or configuration changes to TCP components of operating systems and applications. It is unlikely that one setting will work well for every TCP system.

Restrict Access

Restricting access or limiting connections to TCP services using firewalls can mitigate zero window attacks, at the cost of potentially blocking legitimate connections.

Systems Affected

Generally, any system or product that implements or uses TCP could be affected by this vulnerability, depending on how the product handles resource exhaustion and TCP connections in persist. By design, TCP does not inherently defend against denial-of-service attacks based on resource exhaustion. Decisions about how to detect and respond to such attacks are the responsibility of individual systems or products.

Please see the CERT-FI Advisory on the Outpost24 TCP Issues for further vendor information.

Vendor	Status	Date Notified	Date Updated
3com, Inc.	Unknown	2009-06-26	2009-06-26
ACCESS	Unknown	2009-06-26	2009-06-26
Alcatel-Lucent	Unknown	2009-06-26	2009-06-26
Apple Inc.	Unknown	2009-06-26	2009-06-26
AT&T	Unknown	2009-06-26	2009-06-26
Avaya, Inc.	Unknown	2009-06-26	2009-06-26
Barracuda Networks	Unknown	2009-06-26	2009-06-26
Belkin, Inc.	Unknown	2009-06-26	2009-06-26
Borderware Technologies	Unknown	2009-06-26	2009-06-26
Charlotte's Web Networks	Unknown	2009-06-26	2009-06-26
Check Point Software Technologies	Vulnerable	2009-06-26	2009-11-05
Cisco Systems, Inc.	Vulnerable	2009-06-26	2009-11-18
Clavister	Unknown	2009-06-26	2009-06-26
Computer Associates	Unknown	2009-06-26	2009-06-26
Computer Associates eTrust Security Management	Unknown	2009-06-26	2009-06-26
Conectiva Inc.	Unknown	2009-06-26	2009-06-26
Cray Inc.	Unknown	2009-06-26	2009-06-26
D-Link Systems, Inc.	Unknown	2009-06-26	2009-06-26
Debian GNU/Linux	Unknown	2009-06-26	2009-06-26
DragonFly BSD Project	Unknown	2009-06-26	2009-06-26
EMC Corporation	Unknown	2009-06-26	2009-06-26
Engarde Secure Linux	Unknown	2009-06-26	2009-06-26
Enterasys Networks	Unknown	2009-06-26	2009-06-26
Ericsson	Unknown	2009-06-26	2009-06-26
eSoft, Inc.	Unknown	2009-06-26	2009-06-26
Extreme Networks	Vulnerable	2009-06-26	2009-10-14
F5 Networks, Inc.	Unknown	2009-06-26	2009-06-26
Fedora Project	Unknown	2009-06-26	2009-06-26
Force10 Networks, Inc.	Unknown	2009-06-26	2009-06-26
Fortinet, Inc.	Unknown	2009-06-26	2009-06-26
Foundry Networks, Inc.	Unknown	2009-06-26	2009-06-26
FreeBSD, Inc.	Unknown	2009-06-26	2009-06-26
Fujitsu	Unknown	2009-06-26	2009-06-26
Gentoo Linux	Unknown	2009-06-26	2009-06-26
Global Technology Associates	Unknown	2009-06-26	2009-06-26
Hewlett-Packard Company	Vulnerable	2009-06-26	2009-11-18
Hitachi	Unknown	2009-06-26	2009-06-26
IBM Corporation	Unknown	2009-06-26	2009-06-26
IBM Corporation (zseries)	Unknown	2009-11-23	2009-11-23
IBM eServer	Unknown	2009-06-26	2009-06-26
Infoblox	Unknown	2009-06-26	2009-06-26
Intel Corporation	Unknown	2009-06-26	2009-06-26
Internet Security Systems, Inc.	Unknown	2009-06-26	2009-06-26
Intoto	Unknown	2009-06-26	2009-06-26
IP Filter	Unknown	2009-06-26	2009-06-26
IP Infusion, Inc.	Unknown	2009-10-14	2009-10-14
Juniper Networks, Inc.	Unknown	2009-06-26	2009-06-26
Linux Kernel Archives	Vulnerable		2009-11-18
Luminous Networks	Unknown	2009-06-26	2009-06-26
m0n0wall	Unknown	2009-06-26	2009-06-26
Mandriva S. A.	Unknown	2009-06-26	2009-06-26
McAfee	Unknown	2009-06-26	2009-06-26
Microsoft Corporation	Vulnerable	2009-06-26	2009-11-23
MontaVista Software, Inc.	Unknown	2009-06-26	2009-06-26
Multitech, Inc.	Unknown	2009-06-26	2009-06-26
NEC Corporation	Unknown	2009-06-26	2009-06-26
NetApp	Not Vulnerable	2009-06-26	2009-10-14
NetBSD	Unknown	2009-06-26	2009-06-26
netfilter	Unknown	2009-06-26	2009-06-26
Nokia	Unknown	2009-06-26	2009-06-26
Nortel Networks, Inc.	Unknown	2009-06-26	2009-06-26
Novell, Inc.	Unknown	2009-06-26	2009-06-26
OpenBSD	Unknown	2009-06-26	2009-06-26
Openwall GNU/*/Linux	Unknown	2009-06-26	2009-06-26
PePLink	Unknown	2009-06-26	2009-06-26
Process Software	Unknown	2009-06-26	2009-06-26
Q1 Labs	Unknown	2009-06-26	2009-06-26
QNX, Software Systems, Inc.	Unknown	2009-06-26	2009-06-26
Quagga	Unknown	2009-06-26	2009-06-26
RadWare, Inc.	Unknown	2009-06-26	2009-06-26
Red Hat, Inc.	Unknown	2009-06-26	2009-06-26
Redback Networks, Inc.	Unknown	2009-06-26	2009-06-26
SafeNet	Unknown	2009-06-26	2009-06-26
Secureworx, Inc.	Unknown	2009-06-26	2009-06-26
Silicon Graphics, Inc.	Unknown	2009-06-26	2009-06-26
Slackware Linux Inc.	Unknown	2009-06-26	2009-06-26
SmoothWall	Unknown	2009-06-26	2009-06-26
Snort	Unknown	2009-06-26	2009-06-26
Soapstone Networks	Unknown	2009-06-26	2009-06-26
Sony Corporation	Unknown	2009-06-26	2009-06-26
Sourcefire	Unknown	2009-06-26	2009-06-26
Stonesoft	Unknown	2009-06-26	2009-06-26
Sun Microsystems, Inc.	Vulnerable	2009-06-26	2009-11-05
SUSE Linux	Unknown	2009-06-26	2009-06-26
Symantec	Unknown	2009-06-26	2009-06-26
The SCO Group	Unknown	2009-06-26	2009-06-26
TippingPoint, Technologies, Inc.	Unknown	2009-06-26	2009-06-26
Turbolinux	Unknown	2009-06-26	2009-06-26
U4EA Technologies, Inc.	Unknown	2009-06-26	2009-06-26
Ubuntu	Unknown	2009-06-26	2009-06-26
Unisys	Unknown	2009-06-26	2009-06-26
VMware	Not Vulnerable	2009-09-04	2009-10-14
Vyatta	Unknown	2009-06-26	2009-06-26
Watchguard Technologies, Inc.	Unknown	2009-06-26	2009-06-26
Wind River Systems, Inc.	Unknown	2009-06-26	2009-06-26
ZyXEL	Unknown	2009-06-26	2009-06-26

References

http://tools.ietf.org/html/rfc1122#page-92
http://tools.ietf.org/html/draft-ananth-tcpm-persist-01
http://tools.ietf.org/html/draft-mahesh-persist-timeout-02
http://www.cpni.gov.uk/Docs/tn-03-09-security-assessment-TCP.pdf
https://www.cert.fi/haavoittuvuudet/2008/tcp-vulnerabilities.html
http://shlang.com/netkill/
http://www.phrack.org/issues.html?issue=66&id=9#article
http://isc.sans.org/diary.html?storyid=5104
http://www.t2.fi/2008/08/27/jack-c-louis-and-robert-e-lee-to-talk-about-new-dos-attack-vectors/
http://www.darkreading.com/blog.asp?blog_sectionid=403&doc_id=164939&WT.svl=tease2_2
http://www.ietf.org/mail-archive/web/tcpm/current/msg04040.html
http://www.ietf.org/mail-archive/web/tcpm/current/msg03826.html
http://www.ietf.org/mail-archive/web/tcpm/current/msg03503.html
http://www.ietf.org/mail-archive/web/tcpm/current/msg02870.html
http://www.ietf.org/mail-archive/web/tcpm/current/msg02557.html
http://www.ietf.org/mail-archive/web/tcpm/current/msg02189.html
http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.31.y.git;a=blob;f=net/ipv4/tcp_timer.c;h=b144a26359bcf34a4b0606e171f97dc709afdfbb;hb=120f68c426e746771e8c09736c0f753822ff3f52#l233
http://sla.ckers.org/forum/read.php?14,27324
http://www.checkpoint.com/defense/advisories/public/announcement/090809-tcpip-dos-sockstress.html
http://www.securityfocus.com/archive/1/archive/1/506331/100/0/

Credit

Thanks to Mahesh Jethanandani and CERT-FI for their efforts researching and coordinating vendor responses to this vulnerability. Thanks also to Barry Greene, Lars Eggert, Wesley Eddy, and David Borman for their review and comments.

This document was written by David Warren and Art Manion.

Other Information

Date Public:	2006-07-20
Date First Published:	2009-11-23
Date Last Updated:	2009-11-25
CERT Advisory:
CVE-ID(s):	CVE-2009-1926; CVE-2008-4609
NVD-ID(s):	CVE-2009-1926 CVE-2008-4609
US-CERT Technical Alerts:
Metric:	15.59
Document Revision:	116

VU#632633: Wyse Simple Imager (WSI) includes vulnerable versions of TFTPD32

US-CERT — Thu, 19 Nov 2009 07:07:10 -0800

2009-11-19T15:07:10-04:00

Vulnerability Note VU#632633

Wyse Simple Imager (WSI) includes vulnerable versions of TFTPD32

Overview

Wyse Simple Imager (WSI) includes older versions version of TFTPD32 that contains publicly known vulnerabilities. An attacker could exploit these vulnerabilities to potentially execute arbitrary code on the system running WSI and TFTPD32.

I. Description

Wyse Simple Imager (WSI) is a component of Wyse Device Manager (WDM, formerly known as Wyse Rapport). WSI includes TFTPD32 as the TFTP service to load firmware images on client devices. The versions of TFTPD32 contains several known vulnerabilities. The following list of TFTPD32 vulnerabilities is based on public information:

CVE-2002-2226 Buffer overflow in tftpd of TFTP32 2.21 and earlier allows remote attackers to execute arbitrary code via a long filename argument.
CVE-2002-2237 tftp32 TFTP server 2.21 and earlier allows remote attackers to cause a denial of service via a GET request with a DOS device name such as com1 or aux.
CVE-2002-2353 tftpd32 2.50 and 2.50.2 allows remote attackers to read or write arbitrary files via a full pathname in GET and PUT requests.
CVE-2006-0328 Format string vulnerability in Tftpd32 2.81 allows remote attackers to cause a denial of service via format string specifiers in a filename in a (1) GET or (2) SEND request.
CVE-2006-6141 Buffer overflow in Tftpd32 3.01 allows remote attackers to cause a denial of service via a long GET or PUT request, which is not properly handled when the request is displayed in the title of the gauge window.
OSVDB ID: 12898 Tftpd32 contains a flaw that may allow a remote denial of service. The issue is triggered when the server receives a TFTP request with a long filename, and will result in loss of availability for the service.

II. Impact

An attacker with network access to TFTPD32 could execute arbitrary code or cause a denial of service on a vulnerable system.

III. Solution

Use Wyse WDM and USB Imaging Tool

According to Wyse, WSI 1.3.x is a legacy product and its functionality is included in Wyse WDM 4.7.2 and Wyse USB Imaging Tool. Customers are strongly advised to migrate to WDM and USB Imaging Tool. Customers who are unable to migrate promptly, can refer to Wyse Knowledge Base article 18555 for remedial action. Wyse Knowledge Base is accessible through http://suppport.wyse.com/.

Upgrade TFTPD32

Upgrade TFTPD32 by downloading the latest version.

WSI 1.3.6 provides TFTPD32 version 2.0 in the directory ftproot\Rapport\Tools\saTil\ and TFTPD32 version 2.80 in ftproot\Rapport\Tools\saTil\TFTPD280\. Consider using TFTPD32 version 2.80 or downloading the most current version of TFTPD32.

This table is based on public information, a brief exchange with the author of TFTPD32, and limited testing. This information may not be completely accurate, please send corrections to cert@cert.org.

Vulnerability	Fixed Version	Wyse Resolution
CVE-2002-2226	2.50.2	Addressed by WSB09-01 (using TFTPD32 version 2.80).
CVE-2002-2237	2.51	Addressed by WSB09-01 (using TFTPD32 version 2.80).
CVE-2002-2353	2.51	Addressed by WSB09-01 (using TFTPD32 version 2.80).
CVE-2006-0328	2.8.2	?
CVE-2006-6141	3.10b	?
OSVDB ID: 12898	2.80	Addressed by WSB09-01 (using TFTPD32 version 2.80).

Restrict Access to WSI

To limit the exposure of TFTPD32, run WSI systems on a physically isolated network, such as a staging network where client devices are imaged before production deployment..

Systems Affected

Vendor	Status	Date Notified	Date Updated
TFTPD32	Vulnerable		2009-11-11
Wyse	Vulnerable	2009-07-04	2009-11-19

References

http://tftpd32.jounin.net/tftpd32_news.html
http://tftpd32.jounin.net/tftpd32.html
http://osvdb.org/show/osvdb/12898
http://secway.org/advisory/ad20050108.txt
http://www.wyse.com/serviceandsupport/support/WSB09-01.zip
http://www.wyse.com/serviceandsupport/Wyse%20Security%20Bulletin%20WSB09-01.pdf
http://www.theregister.co.uk/2009/07/10/wyse_remote_exploit_bugs/
http://archives.neohapsis.com/archives/fulldisclosure/2009-07/0101.html

Credit

These vulnerabilities were analyzed and reported by Kevin Finisterre of Netragard/SNOsoft and Art Manion.

This document was written by Art Manion.

Other Information

Date Public:	2009-07-10
Date First Published:	2009-11-19
Date Last Updated:	2009-11-19
CERT Advisory:
CVE-ID(s):	CVE-2002-2226; CVE-2002-2237; CVE-2002-2353; CVE-2006-0328; CVE-2003-6141
NVD-ID(s):	CVE-2002-2226 CVE-2002-2237 CVE-2002-2353 CVE-2006-0328 CVE-2003-6141
US-CERT Technical Alerts:
Metric:	13.51
Document Revision:	54

VU#120541: SSL and TLS protocols renegotiation vulnerability

US-CERT — Wed, 11 Nov 2009 02:31:10 -0800

2009-11-11T10:31:10-04:00

Vulnerability Note VU#120541

SSL and TLS protocols renegotiation vulnerability

Overview

A vulnerability exists in SSL and TLS protocols that may allow attackers to execute an arbitrary HTTP transaction.

I. Description

The Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols are commonly used to provide authentication, encryption, integrity, and non-repudiation services to network applications such as HTTP, IMAP, POP3, LDAP. A vulnerability in the way SSL and TLS protocols allow renegotiation requests may allow an attacker to inject plaintext into an application protocol stream. This could result in a situation where the attacker may be able to issue commands to the server that appear to be coming from a legitimate source. According to the Network Working Group:

The server treats the client's initial TLS handshake as a renegotiation and thus believes that the initial data transmitted by the attacker is from the same entity as the subsequent client data.

This issue affects SSL version 3.0 and newer and TLS version 1.0 and newer.

II. Impact

A remote, unauthenticated attacker may be able to inject an arbitrary amount of chosen plaintext into the beginning of the application protocol stream. This could allow and attacker to issue HTTP requests, or take action impersonating the user, among other consequences.

III. Solution

Users should contact vendors for specific patch information.

Systems Affected

Vendor	Status	Date Notified	Date Updated
3com Inc	Unknown	2009-11-05	2009-11-05
ACCESS	Unknown	2009-11-05	2009-11-05
Alcatel-Lucent	Unknown	2009-11-05	2009-11-05
Apache-SSL	Unknown	2009-11-05	2009-11-05
Apache HTTP Server Project	Unknown	2009-11-05	2009-11-05
Apple Inc.	Unknown	2009-11-05	2009-11-05
Aruba Networks, Inc.	Unknown	2009-11-05	2009-11-05
Attachmate	Unknown	2009-11-05	2009-11-05
AT&T	Unknown	2009-11-05	2009-11-05
Avaya, Inc.	Unknown	2009-11-05	2009-11-05
Barracuda Networks	Unknown	2009-11-05	2009-11-05
Belkin, Inc.	Unknown	2009-11-05	2009-11-05
Borderware Technologies	Unknown	2009-11-05	2009-11-05
Certicom	Unknown	2009-11-05	2009-11-05
Charlotte's Web Networks	Unknown	2009-11-05	2009-11-05
Check Point Software Technologies	Unknown	2009-11-05	2009-11-05
Cisco Systems, Inc.	Unknown	2009-11-05	2009-11-05
Clavister	Unknown	2009-11-05	2009-11-05
Computer Associates	Unknown	2009-11-05	2009-11-05
Conectiva Inc.	Unknown	2009-11-05	2009-11-05
Cray Inc.	Unknown	2009-11-05	2009-11-05
Cryptlib	Not Vulnerable	2009-11-05	2009-11-11
Crypto++ Library	Unknown	2009-11-05	2009-11-05
D-Link Systems, Inc.	Unknown	2009-11-05	2009-11-05
Debian GNU/Linux	Vulnerable	2009-11-05	2009-11-11
DragonFly BSD Project	Unknown	2009-11-05	2009-11-05
EMC Corporation	Unknown	2009-11-05	2009-11-05
Engarde Secure Linux	Unknown	2009-11-05	2009-11-05
Enterasys Networks	Unknown	2009-11-05	2009-11-05
Ericsson	Unknown	2009-11-05	2009-11-05
eSoft, Inc.	Unknown	2009-11-05	2009-11-05
Extreme Networks	Unknown	2009-11-05	2009-11-05
F5 Networks, Inc.	Unknown	2009-11-05	2009-11-05
Fedora Project	Unknown	2009-11-05	2009-11-05
Force10 Networks, Inc.	Unknown	2009-11-05	2009-11-05
Fortinet, Inc.	Unknown	2009-11-05	2009-11-05
Foundry Networks, Inc.	Unknown	2009-11-05	2009-11-05
FreeBSD Project	Unknown	2009-11-05	2009-11-05
Fujitsu	Unknown	2009-11-05	2009-11-05
Gentoo Linux	Unknown	2009-11-05	2009-11-05
Global Technology Associates, Inc.	Unknown	2009-11-05	2009-11-05
GnuTLS	Vulnerable	2009-11-05	2009-11-11
Hewlett-Packard Company	Unknown	2009-11-05	2009-11-05
Hitachi	Unknown	2009-11-05	2009-11-05
IBM Corporation	Vulnerable	2009-11-05	2009-11-11
IBM eServer	Unknown	2009-11-05	2009-11-05
Infoblox	Unknown	2009-11-05	2009-11-05
Intel Corporation	Unknown	2009-11-05	2009-11-05
Internet Security Systems, Inc.	Unknown	2009-11-05	2009-11-05
Intoto	Unknown	2009-11-05	2009-11-05
IP Filter	Unknown	2009-11-05	2009-11-05
IP Infusion, Inc.	Unknown	2009-11-05	2009-11-05
Juniper Networks, Inc.	Unknown	2009-11-05	2009-11-05
libgcrypt	Not Vulnerable	2009-11-05	2009-11-11
Lotus Software	Unknown	2009-11-05	2009-11-05
Luminous Networks	Unknown	2009-11-05	2009-11-05
m0n0wall	Unknown	2009-11-05	2009-11-05
Mandriva S. A.	Unknown	2009-11-05	2009-11-05
McAfee	Vulnerable	2009-11-05	2009-11-11
Microsoft Corporation	Unknown	2009-11-05	2009-11-05
Microsoft Internet Explorer	Unknown	2009-11-05	2009-11-05
Mirapoint, Inc.	Unknown	2009-11-05	2009-11-05
mod_ssl	Unknown	2009-11-05	2009-11-05
MontaVista Software, Inc.	Unknown	2009-11-05	2009-11-05
Mozilla - Network Security Services	Unknown	2009-11-05	2009-11-05
Multitech, Inc.	Unknown	2009-11-05	2009-11-05
National Center for Supercomputing Applications	Unknown	2009-11-05	2009-11-05
NEC Corporation	Unknown	2009-11-05	2009-11-05
NetApp	Unknown	2009-11-05	2009-11-05
NetBSD	Unknown	2009-11-05	2009-11-05
netfilter	Unknown	2009-11-05	2009-11-05
Netscape NSS	Unknown	2009-11-05	2009-11-05
Nokia	Unknown	2009-11-05	2009-11-05
Nortel Networks, Inc.	Unknown	2009-11-05	2009-11-05
Novell, Inc.	Unknown	2009-11-05	2009-11-05
OpenBSD	Unknown	2009-11-05	2009-11-05
OpenSSL	Unknown	2009-11-05	2009-11-05
Openwall GNU/*/Linux	Unknown	2009-11-05	2009-11-05
PePLink	Unknown	2009-11-05	2009-11-05
Process Software	Unknown	2009-11-05	2009-11-05
Q1 Labs	Unknown	2009-11-05	2009-11-05
QNX Software Systems Inc.	Unknown	2009-11-05	2009-11-05
Quagga	Unknown	2009-11-05	2009-11-05
RadWare, Inc.	Unknown	2009-11-05	2009-11-05
Red Hat, Inc.	Unknown	2009-11-05	2009-11-05
Redback Networks, Inc.	Not Vulnerable	2009-11-05	2009-11-11
SafeNet	Not Vulnerable	2009-11-05	2009-11-19
Secureworx, Inc.	Unknown	2009-11-05	2009-11-05
Silicon Graphics, Inc.	Unknown	2009-11-05	2009-11-05
Slackware Linux Inc.	Unknown	2009-11-05	2009-11-05
SmoothWall	Unknown	2009-11-05	2009-11-05
Snort	Unknown	2009-11-05	2009-11-05
Soapstone Networks	Unknown	2009-11-05	2009-11-05
Sony Corporation	Unknown	2009-11-05	2009-11-05
Sourcefire	Unknown	2009-11-05	2009-11-05
Spyrus	Unknown	2009-11-05	2009-11-05
Stonesoft	Unknown	2009-11-05	2009-11-05
Stunnel	Unknown	2009-11-05	2009-11-05
Sun Microsystems, Inc.	Vulnerable	2009-11-05	2009-11-06
SUSE Linux	Unknown	2009-11-05	2009-11-05
Symantec	Unknown	2009-11-05	2009-11-05
The SCO Group	Unknown	2009-11-05	2009-11-05
TippingPoint Technologies Inc.	Unknown	2009-11-05	2009-11-05
Turbolinux	Unknown	2009-11-05	2009-11-05
Ubuntu	Unknown	2009-11-05	2009-11-05
Unisys	Unknown	2009-11-05	2009-11-05
VMware	Unknown	2009-11-05	2009-11-05
Vyatta	Unknown	2009-11-05	2009-11-05
Watchguard Technologies, Inc.	Unknown	2009-11-05	2009-11-05
Wind River Systems, Inc.	Unknown	2009-11-05	2009-11-05
ZyXEL	Unknown	2009-11-05	2009-11-05

References

http://extendedsubset.com/?p=8
http://www.links.org/?p=780
http://www.links.org/?p=786
http://www.links.org/?p=789
http://blogs.iss.net/archive/sslmitmiscsrf.html
http://www.ietf.org/mail-archive/web/tls/current/msg03948.html
https://bugzilla.redhat.com/show_bug.cgi?id=533125
http://lists.gnu.org/archive/html/gnutls-devel/2009-11/msg00014.html
http://cvs.openssl.org/chngview?cn=18790
http://www.links.org/files/no-renegotiation-2.patch
http://blog.zoller.lu/2009/11/new-sslv3-tls-vulnerability-mitm.html
https://svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tls-renegotiate.txt
http://www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html

Credit

Thanks to Marsh Ray of PhoneFactor for reporting this vulnerability. This issue was also independently discovered and publicly disclosed by Martin Rex of SAP.

This document was written by Chris Taschner.

Other Information

Date Public:	2009-11-05
Date First Published:	2009-11-11
Date Last Updated:	2009-11-19
CERT Advisory:
CVE-ID(s):	CVE-2009-3555
NVD-ID(s):	CVE-2009-3555
US-CERT Technical Alerts:
Metric:	0.00
Document Revision:	31

VU#257117: Adobe Acrobat and Reader contain vulnerabilities in multiple Document Object JavaScript methods

US-CERT — Tue, 13 Oct 2009 08:10:22 -0700

2009-10-13T15:10:22-04:00

Vulnerability Note VU#257117

Adobe Acrobat and Reader contain vulnerabilities in multiple Document Object JavaScript methods

Overview

A vulnerability in the way Adobe Acrobat and Reader enforce privileges on JavaScript in PDF files could allow arbitrary files to be written to the local file system of an affected system.

I. Description

Adobe Reader and the Adobe Acrobat family of software are designed to create, view, and edit Portable Document Format (PDF) files. Adobe Reader is widely deployed, and the Acrobat Reader Plug-In displays PDF inside a web browser.

Adobe Reader and Acrobat support JavaScript. According to the JavaScript for Acrobat API reference, certain methods are designed to be unavailable or have security restrictions in a non-privileged context. As a result, it should not be possible to call these methods from non-privileged events, such as page open or mouse-up.

Adobe Acrobat and Reader fail to enforce the Privileged Context and Safe Path restrictions on certain JavaScript methods. This failure results in a vulnerability that allows methods that accept a cPath parameter to write to an arbitrary file extension and arbitrary path rather than those intended to be limited by the Safe Path restriction.

II. Impact

By convincing a user to open a specially crafted PDF file, an attacker may be able to execute certain privileged JavaScript methods that can be used to create arbitrary files and folders on an affected system, subject to the normal permissions of the victim user.

III. Solution

Update

Adobe has released updates to address this issue. Users are encouraged to read Adobe Security Bulletin APSB09-15 and update vulnerable versions of Adobe Reader and Acrobat.

Enable Data Execution Prevention (DEP) in Microsoft Windows

Consider enabling Data Execution Prevention (DEP) in supported versions of Windows. DEP should not be treated as a complete workaround, but it can mitigate the execution of attacker-supplied code in some cases. Microsoft has published detailed technical information about DEP in Security Research & Defense blog posts "Understanding DEP as a mitigation technology" part 1 and part 2. Use of DEP should be considered in conjunction with the application of patches or other mitigations described in this document.

Disable JavaScript in Adobe Reader and Acrobat

Disabling JavaScript prevents these vulnerabilities from being exploited and reduces attack surface. If this workaround is applied to updated versions of Adobe Reader and Acrobat, it may protect against future vulnerabilities.

To disable JavaScript in Adobe Reader:

Open Adobe Acrobat Reader.
Open the Edit menu.
Choose the Preferences... option.
Choose the JavaScript section.
Uncheck the Enable Acrobat JavaScript check box.

Disabling JavaScript will not resolve the vulnerabilities, it will only disable the vulnerable JavaScript component. When JavaScript is disabled, Adobe Reader and Acrobat prompt to re-enable JavaScript when opening a PDF that contains JavaScript.

Prevent Internet Explorer from automatically opening PDF documents

The installer for Adobe Reader and Acrobat configures Internet Explorer to automatically open PDF files without any user interaction. This behavior can be reverted to the safer option of prompting the user by importing the following as a .REG file:

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\AcroExch.Document.7]
"EditFlags"=hex:00,00,00,00

Disable the displaying of PDF documents in the web browser

Preventing PDF documents from opening inside a web browser reduces attack surface. If this workaround is applied to updated versions of Adobe Reader and Acrobat, it may protect against future vulnerabilities.

To prevent PDF documents from automatically being opened in a web browser with Adobe Reader:

Open Adobe Acrobat Reader.
Open the Edit menu.
Choose the Preferences... option.
Choose the Internet section.
Uncheck the Display PDF in browser check box.

Systems Affected

Vendor	Status	Date Notified	Date Updated
Adobe	Vulnerable	2009-09-04	2009-10-13

References

http://www.adobe.com/support/security/bulletins/apsb09-15.html

Credit

Thanks to Richard van Eeden of IOActive, for reporting this issue.

This document was written by Chad R Dougherty.

Other Information

Date Public:	2009-09-01
Date First Published:	2009-10-13
Date Last Updated:	2009-10-27
CERT Advisory:
CVE-ID(s):	CVE-2009-2993
NVD-ID(s):	CVE-2009-2993
US-CERT Technical Alerts:
Metric:	0.00
Document Revision:	15

VU#654545: Wyse Device Manager (WDM) HServer and HAgent contain multiple vulnerabilities

US-CERT — Mon, 12 Oct 2009 17:20:50 -0700

2009-10-13T00:20:50-04:00

Vulnerability Note VU#654545

Wyse Device Manager (WDM) HServer and HAgent contain multiple vulnerabilities

Overview

Wyse Device Manager (WDM) Server and HAgent contain several vulnerabilities. An attacker with network access to WDM components could execute arbitrary code on vulnerable systems.

I. Description

Wyse Device Manager (WDM, formerly known as Wyse Rapport) manages thin clients. Part of the server component (HServer) is implemented as an ISAPI filter on the Microsoft Windows Internet Information Server (IIS) platform. The client component (HAgent) runs as a service on Microsoft Windows systems.

WDM components contain several vulnerabilities:

HServer (hserver.dll) User-Agent header stack buffer overflow and
HAgent (hagent.exe) heap overflow (both overflows are CVE-2009-0693)
HAgent does not authenticate commands (CVE-2009-0695)

The first two issues are implementation defects. The third issue is caused by the lack of adequate cryptographic authentication and authorization.

II. Impact

An attacker with network access to WDM components could execute arbitrary code on a vulnerable system. The attacker could also execute unauthenticated management commands on a system running HAgent.

III. Solution

Please see Wyse Security Bulletin WSB09-01.

Enable HTTPS

Enabling HTTPS provides authentication between Hserver and HAgent nodes. HTTPS authenticates communication from an HServer host to an HAgent host. Depending on key distribution and PKI architecture, HTTPS should prevent an unauthenticated attacker from running management commands on an HAgent host.

Systems Affected

Vendor	Status	Date Notified	Date Updated
Wyse	Vulnerable	2009-07-04	2009-07-23

References

http://osvdb.org/show/osvdb/55808
http://www.wyse.com/serviceandsupport/support/WSB09-01.zip
http://www.wyse.com/serviceandsupport/Wyse%20Security%20Bulletin%20WSB09-01.pdf
http://www.theregister.co.uk/2009/07/10/wyse_remote_exploit_bugs/
http://archives.neohapsis.com/archives/fulldisclosure/2009-07/0101.html

Credit

These vulnerabilities were analyzed and reported by Kevin Finisterre of Netragard/SNOsoft.

This document was written by Art Manion.

Other Information

Date Public:	2009-07-10
Date First Published:	2009-10-13
Date Last Updated:	2009-10-16
CERT Advisory:
CVE-ID(s):	CVE-2009-0693; CVE-2009-0695
NVD-ID(s):	CVE-2009-0693 CVE-2009-0695
US-CERT Technical Alerts:
Metric:	13.51
Document Revision:	23

VU#676492: Wireshark Endace ERF unsigned integer wrap vulnerability

US-CERT — Mon, 05 Oct 2009 12:16:44 -0700

2009-10-05T19:16:44-04:00

Vulnerability Note VU#676492

Wireshark Endace ERF unsigned integer wrap vulnerability

Overview

Wireshark contains an unsigned integer wrap vulnerability that may occur when parsing Endace Extensible Record Format (ERF) files.

I. Description

Wireshark is a protocol analyzer that can open or import previously saved files. When processing an Endace ERF file an unsigned integer wrap vulnerability may cause Wireshark to allocate a very large buffer. To exploit this issue, an attacker would have to convince a user to open a crafted ERF file using Wireshark.

This issue also affects Tshark, the console version of Wireshark.

II. Impact

A remote attacker can cause Wireshark to crash. It may be possible, although unlikely, for an attacker to execute arbitrary code. Exploiting the vulnerability could result in a NULL pointer dereference, which can lead to code execution on certain platforms.

III. Solution

Update

Wireshark 1.2.2 has been released to address this and other issues.

Do not run Wireshark with root or administrator privileges

Running Wireshark with a limited user account will reduce the impact of this and other vulnerabilities.

Systems Affected

Vendor	Status	Date Notified	Date Updated
Wireshark	Vulnerable		2009-10-05

References

http://www.wireshark.org/docs/relnotes/wireshark-1.2.2.html
http://anonsvn.wireshark.org/viewvc/trunk/wiretap/erf.c?view=markup&pathrev=29364
https://www.securecoding.cert.org/confluence/display/cplusplus/INT30-CPP.+Ensure+that+unsigned+integer+operations+do+not+wrap
http://wiki.wireshark.org/Security#head-ac69042aeeb98cdaed2ec2ff1bd2c983fa03cffd
http://xorl.wordpress.com/2009/11/10/cve-2009-3829-wireshark-endace-erf-protocol-integer-underflow/
http://www.juniper.net/solutions/literature/white_papers/Vector-Rewrite-Attack.pdf

Credit

This issue was discovered by Ryan Giobbi.

This document was written by Ryan Giobbi and Art Manion.

Other Information

Date Public:	2009-09-15
Date First Published:	2009-10-05
Date Last Updated:	2009-11-24
CERT Advisory:
CVE-ID(s):
NVD-ID(s):
US-CERT Technical Alerts:
Metric:	1.28
Document Revision:	27

VU#180065: Nginx ngx_http_parse_complex_uri() buffer underflow vulnerability

US-CERT — Tue, 15 Sep 2009 07:50:49 -0700

2009-09-15T14:50:49-04:00

Vulnerability Note VU#180065

Nginx ngx_http_parse_complex_uri() buffer underflow vulnerability

Overview

A vulnerability in the nginx web server may allow remote attackers to execute arbitrary code on an affected system.

I. Description

nginx is an HTTP server and mail proxy server that is available for a number of different platforms. A buffer underflow vulnerability exists in the ngx_http_parse_complex_uri() function when handling specially crafted URIs. Exploitation of this vulnerability would cause the nginx server to write data contained in the URI to heap memory before the allocated buffer.

II. Impact

As with a number of other web servers, nginx is designed to operate with a single privileged master process and multiple unprivileged worker processes handling specific requests. A remote, unauthenticated attacker may be able to execute arbitrary code in the context of the worker process or cause the worker process to crash, resulting in a denial of service.

III. Solution

Upgrade or apply a patch

Updated versions of the nginx package have been released to address this issue. Users should consult the Systems Affected section of this document for information about specific vendors.

Systems Affected

Vendor	Status	Date Notified	Date Updated
Apple Inc.	Unknown	2009-09-05	2009-09-06
Conectiva Inc.	Unknown	2009-09-05	2009-09-06
Cray Inc.	Unknown	2009-09-05	2009-09-06
Debian GNU/Linux	Vulnerable	2009-09-05	2009-09-14
DragonFly BSD Project	Unknown	2009-09-05	2009-09-06
EMC Corporation	Unknown	2009-09-05	2009-09-06
Engarde Secure Linux	Unknown	2009-09-05	2009-09-06
F5 Networks, Inc.	Unknown	2009-09-05	2009-09-06
Fedora Project	Unknown	2009-09-05	2009-09-06
FreeBSD, Inc.	Unknown	2009-09-05	2009-09-06
Fujitsu	Unknown	2009-09-05	2009-09-06
Gentoo Linux	Unknown	2009-09-05	2009-09-06
Hewlett-Packard Company	Unknown	2009-09-05	2009-09-06
Hitachi	Unknown	2009-09-05	2009-09-06
IBM Corporation	Unknown	2009-09-05	2009-09-06
IBM eServer	Unknown	2009-09-05	2009-09-06
Infoblox	Unknown	2009-09-05	2009-09-06
Juniper Networks, Inc.	Unknown	2009-09-05	2009-09-06
Mandriva S. A.	Unknown	2009-09-05	2009-09-06
MontaVista Software, Inc.	Unknown	2009-09-05	2009-09-06
NEC Corporation	Unknown	2009-09-05	2009-09-06
NetBSD	Unknown	2009-09-05	2009-09-06
nginx	Vulnerable		2009-09-15
Nokia	Unknown	2009-09-05	2009-09-06
Novell, Inc.	Unknown	2009-09-05	2009-09-06
OpenBSD	Unknown	2009-09-05	2009-09-06
Openwall GNU/*/Linux	Unknown	2009-09-05	2009-09-06
QNX Software Systems Inc.	Unknown	2009-09-05	2009-09-06
Red Hat, Inc.	Unknown	2009-09-05	2009-09-06
SafeNet	Unknown	2009-09-05	2009-09-06
Silicon Graphics, Inc.	Unknown	2009-09-05	2009-09-06
Slackware Linux Inc.	Unknown	2009-09-05	2009-09-06
Sony Corporation	Unknown	2009-09-05	2009-09-06
Sun Microsystems, Inc.	Not Vulnerable	2009-09-05	2009-09-09
SUSE Linux	Not Vulnerable	2009-09-05	2009-09-08
The SCO Group	Not Vulnerable	2009-09-05	2009-09-08
Turbolinux	Unknown	2009-09-05	2009-09-06
Ubuntu	Unknown	2009-09-05	2009-09-06
Unisys	Unknown	2009-09-05	2009-09-06
Wind River Systems, Inc.	Unknown	2009-09-05	2009-09-06

References

Credit

Thanks to Chris Ries of the Carnegie Mellon University Information Security Office for reporting this vulnerability.

This document was written by Chad R Dougherty.

Other Information

Date Public:	2009-09-14
Date First Published:	2009-09-15
Date Last Updated:	2009-09-15
CERT Advisory:
CVE-ID(s):	CVE-2009-2629
NVD-ID(s):	CVE-2009-2629
US-CERT Technical Alerts:
Metric:	4.22
Document Revision:	8

VU#135940: Windows SMB version 2 vulnerability

US-CERT — Thu, 10 Sep 2009 04:35:30 -0700

2009-09-10T11:35:30-04:00

Vulnerability Note VU#135940

Windows SMB version 2 vulnerability

Overview

Microsoft Windows Vista and Server 2008 do not correctly parse SMB version 2 messages.This vulnerability could allow an attacker to execute arbitrary code.

I. Description

The Server Message Block version 2 (SMBv2) protocol is the successor to the original SMB protocol. SMBv2 is available in Windows Vista, Server 2008 and Windows 7 release candidates.

Windows Vista and Server 2008 fail to properly process fails to properly parse the headers for the Negotiate Protocol Request portion of an SMBv2 message.

II. Impact

An attacker may be able to execute arbitrary code or cause a vulnerable system to crash.

III. Solution

There is currently no solution to this problem. Until patches are available, users and administrators are encouraged to review the below workarounds.

Restrict access

Blocking access to ports 139/tcp and 445/tcp on vulnerable systems will mitigate this vulnerability. Administrators can configure mobile systems that use the Windows Firewall to open these ports when only when authenticated to a domain controller by using the firewall's "profile" feature.

Disable SMBv2

Disabling SMBv2 will mitigate this issue. The below steps to disable SMBv2 are provided in Microsoft Security Advisory 975497.

Click Start, click Run, type Regedit in the Open box, and then click OK.
Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
Click LanmanServer.
Click Parameters.
Right-click to add a new DWORD (32 bit) Value.
Enter smb2 in the Name data field, and change the Value data field to 0.
Exit.
From a command prompt and with administrator privileges, type net stop server and then net start server.

Systems Affected

Vendor	Status	Date Notified	Date Updated
Microsoft Corporation	Vulnerable		2009-09-10

References

http://www.microsoft.com/technet/security/advisory/975497.mspx
http://technet.microsoft.com/en-us/library/dd734783(WS.10).aspx
http://g-laurent.blogspot.com/2009/09/windows-vista7-smb20-negotiate-protocol.html

Credit

Thanks to Microsoft and Laurent Gaffié for information that was used in this report.

This document was written by Ryan Giobbi.

Other Information

Date Public:	2009-09-07
Date First Published:	2009-09-10
Date Last Updated:	2009-09-10
CERT Advisory:
CVE-ID(s):	CVE-2009-3103
NVD-ID(s):	CVE-2009-3103
US-CERT Technical Alerts:
Metric:	62.70
Document Revision:	14

VU#336053: Cyrus IMAPd buffer overflow vulnerability

US-CERT — Wed, 09 Sep 2009 02:31:30 -0700

2009-09-09T09:31:30-04:00

Vulnerability Note VU#336053

Cyrus IMAPd buffer overflow vulnerability

Overview

The Cyrus IMAP server contains a vulnerability that may allow an authenticated attacker to execute code.

I. Description

The Cyrus IMAP mail server supports the SIEVE mail filtering language. Cyrus IMAP versions 2.2 through 2.3.14 contain a buffer overflow vulnerability that may be triggered by a specially crafted SIEVE script. To install this type of script, the attacker would need to have direct access to a mail account on the server.

II. Impact

An attacker with the ability to install SIEVE scripts may be able to gain elevated privileges and use the new permissions to execute code, read other user's mail, or send spoofed email messages.

III. Solution

Update

The Cyrus IMAP team has released an update to address this issue. See http://lists.andrew.cmu.edu/pipermail/cyrus-announce/2009-September/000068.html for more information.

Disable SIEVE

Administrators who compile Cyrus IMAP from source can use the --disable-sieve option to mitigate this issue.

Systems Affected

Vendor	Status	Date Notified	Date Updated
Apple Inc.	Unknown	2009-09-04	2009-09-05
Conectiva Inc.	Unknown	2009-09-04	2009-09-05
Cray Inc.	Unknown	2009-09-04	2009-09-05
Debian GNU/Linux	Vulnerable	2009-09-04	2009-09-10
DragonFly BSD Project	Unknown	2009-09-04	2009-09-05
EMC Corporation	Unknown	2009-09-04	2009-09-05
Engarde Secure Linux	Unknown	2009-09-04	2009-09-05
F5 Networks, Inc.	Unknown	2009-09-04	2009-09-05
Fedora Project	Unknown	2009-09-04	2009-09-05
FreeBSD, Inc.	Unknown	2009-09-04	2009-09-05
Fujitsu	Unknown	2009-09-04	2009-09-05
Gentoo Linux	Unknown	2009-09-04	2009-09-05
Hewlett-Packard Company	Unknown	2009-09-04	2009-09-05
Hitachi	Unknown	2009-09-04	2009-09-05
IBM Corporation	Unknown	2009-09-04	2009-09-05
IBM eServer	Unknown	2009-09-04	2009-09-05
Infoblox	Unknown	2009-09-04	2009-09-05
Juniper Networks, Inc.	Unknown	2009-09-04	2009-09-05
Mandriva S. A.	Unknown	2009-09-04	2009-09-05
Microsoft Corporation	Unknown	2009-09-04	2009-09-05
MontaVista Software, Inc.	Unknown	2009-09-04	2009-09-05
NEC Corporation	Unknown	2009-09-04	2009-09-05
NetBSD	Unknown	2009-09-04	2009-09-05
Nokia	Unknown	2009-09-04	2009-09-05
Novell, Inc.	Unknown	2009-09-04	2009-09-05
OpenBSD	Unknown	2009-09-04	2009-09-05
Openwall GNU/*/Linux	Unknown	2009-09-04	2009-09-10
QNX Software Systems Inc.	Unknown	2009-09-04	2009-09-05
Red Hat, Inc.	Unknown	2009-09-04	2009-09-05
SafeNet	Unknown	2009-09-04	2009-09-05
Silicon Graphics, Inc.	Unknown	2009-09-04	2009-09-05
Slackware Linux Inc.	Not Vulnerable	2009-09-04	2009-09-11
Sony Corporation	Unknown	2009-09-04	2009-09-05
Sun Microsystems, Inc.	Not Vulnerable	2009-09-04	2009-09-10
SUSE Linux	Vulnerable	2009-09-04	2009-09-10
The SCO Group	Vulnerable	2009-09-04	2009-09-08
Turbolinux	Unknown	2009-09-04	2009-09-05
Ubuntu	Unknown	2009-09-04	2009-09-05
Unisys	Unknown	2009-09-04	2009-09-05
Wind River Systems, Inc.	Unknown	2009-09-04	2009-09-05

References

http://lists.andrew.cmu.edu/pipermail/cyrus-announce/2009-September/000068.html
http://cyrusimap.web.cmu.edu/imapd/install-compile.html
http://en.wikipedia.org/wiki/Sieve_(mail_filtering_language)

Credit

Thanks to the Cyrus IMAP development team and Bron Gondwana for information that was used in this report.

This document was written by Ryan Giobbi.

Other Information

Date Public:	2009-09-07
Date First Published:	2009-09-09
Date Last Updated:	2009-09-11
CERT Advisory:
CVE-ID(s):	CVE-2009-2632
NVD-ID(s):	CVE-2009-2632
US-CERT Technical Alerts:
Metric:	0.56
Document Revision:	18

VU#444513: VMware VMnc AVI video codec image height heap overflow

US-CERT — Sat, 05 Sep 2009 02:42:30 -0700

2009-09-05T09:42:30-04:00

Vulnerability Note VU#444513

VMware VMnc AVI video codec image height heap overflow

Overview

The VMware VMnc video codec fails to properly handle the image height value in AVI files, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

I. Description

Several VMware products include the ability to create and play movies of running virtual machines. The codec used in these movies is called VMnc, which is based on the VNC RFB protocol. The VMnc decoder is provided by the file vmnc.dll. The VMnc codec fails to properly handle video content with a specified height of less than 8 pixels. This flaw can lead to heap memory corruption. The vulnerable code in vmnc.dll may be reached via Windows applications that supports the DirectShow API.

II. Impact

By convincing a user to parse a specially crafted VMnc codec AVI file, a remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system. This may occur as the result of several actions, including playing an AVI file with Windows Media Player, viewing a web page that uses the Windows Media Player ActiveX control or plug-in, or even simply by selecting an AVI file in Windows Explorer.

III. Solution

Apply an update

This issue is addressed in VMware Movie Decoder 6.5.3, Workstation 6.5.3, Player 6.5.3, and ACE 2.5.3. Details for obtaining these versions are available in VMware Security Advisory VMSA-2009-0012.

Remove the VMnc codec

If you are unable to apply an update, this vulnerability can be mitigated by removing the vmnc.dll file. Note that this will prevent a system from being able to play VMnc codec AVI files.

Systems Affected

Vendor	Status	Date Notified	Date Updated
VMware	Vulnerable	2009-06-22	2009-09-05

References

http://lists.vmware.com/pipermail/security-announce/2009/000065.html

Credit

This vulnerability was reported by Will Dormann of the CERT/CC.

This document was written by Will Dormann.

Other Information

Date Public:	2009-09-04
Date First Published:	2009-09-05
Date Last Updated:	2009-09-05
CERT Advisory:
CVE-ID(s):	CVE-2009-2628
NVD-ID(s):	CVE-2009-2628
US-CERT Technical Alerts:
Metric:	4.05
Document Revision:	17

VU#276653: Microsoft Internet Information Server (IIS) FTP server NLST stack buffer overflow

US-CERT — Mon, 31 Aug 2009 01:57:19 -0700

2009-08-31T08:57:19-04:00

Vulnerability Note VU#276653

Microsoft Internet Information Server (IIS) FTP server NLST stack buffer overflow

Overview

The Microsoft IIS FTP server contains a stack buffer overflow in the handling of directory names, which may allow a remote attacker to execute arbitrary code on a vulnerable system.

I. Description

IIS is a web server that comes with Microsoft Windows. IIS also includes FTP server functionality. The IIS FTP server fails to properly parse specially-crafted directory names. By issuing an FTP NLST (NAME LIST) command on a specially-named directory, an attacker may cause a stack buffer overflow. The attacker can create the specially-named directory if FTP is configured to allow write access using Anonymous account or another account that is available to the attacker.

II. Impact

A remote attacker may be able to execute arbitrary code on a vulnerable server. For servers that allow anonymous file uploads, the attacker would typically be unauthenticated.

III. Solution

We are currently unaware of a practical solution to this problem. Please consider the workarounds listed in Microsoft Security Advisory (975191), which include:

Disable anonymous FTP write access

Configuring IIS to disallow write access to anonymous FTP users will limit the ability of the attacker to create a directory that can trigger this vulnerability.

Systems Affected

Vendor	Status	Date Notified	Date Updated
Microsoft Corporation	Vulnerable		2009-09-02

References

http://www.microsoft.com/technet/security/advisory/975191.mspx
http://blog.g-sec.lu/2009/09/iis-5-iis-6-ftp-vulnerability.html
http://milw0rm.com/exploits/9541

Credit

This vulnerability was publicly disclosed by Kingcope.

This document was written by Will Dormann.

Other Information

Date Public:	2009-08-31
Date First Published:	2009-08-31
Date Last Updated:	2009-09-02
CERT Advisory:
CVE-ID(s):
NVD-ID(s):
US-CERT Technical Alerts:
Metric:	20.81
Document Revision:	23

VU#582244: Libpurple buffer overflow vulnerability

US-CERT — Fri, 21 Aug 2009 08:06:32 -0700

2009-08-21T15:06:32-04:00

Vulnerability Note VU#582244

Libpurple buffer overflow vulnerability

Overview

The Libpurple instant messenger library contains a vulnerability that may allow an attacker to execute arbitrary code.

I. Description

Libpurple is an instant messenger (IM) library that is used by various programs to connect to multiple networks. Libpurple contains a buffer overflow vulnerability that can be triggered by sending specially crafted MSNSLP messages to a program that is using an affected version of the library.

For more technical details, see CORE Advisory CORE-2009-0727.

II. Impact

An attacker may be able to execute arbitrary code or cause an IM program to crash.

III. Solution

Upgrade

Instant messenger programs may distribute Libpurple and will provide an updated version to their users as a security update. See the systems affected portion of this document for a partial list of affected IM clients. Users who compile Libpurple or IM programs should see the Libpurple site or their operating system vendor for updated software.

Restrict Access

The most likely attack vector for this issue would be via the MSN IM network. Administrators may be able to temporarily mitigate this issue by blocking access to the MSN IM network. This workaround is not likely to be totally effective.

Systems Affected

Vendor	Status	Date Notified	Date Updated
Pidgin	Vulnerable		2009-08-21

References

http://pidgin.im/news/security/?id=34
http://developer.pidgin.im/wiki/WhatIsLibpurple
http://www.coresecurity.com/content/libpurple-arbitrary-write#lref.4
http://msnpiki.msnfanatic.com/index.php/MSNC:MSNSLP
http://supportwiki.cisco.com/ViewWiki/index.php/How_to_configure_the_PIX_500_Series_Firewall_with_software_version_6.x_in_order_to_block_the_MSN_messenger_with_the_access-list_command

Credit

Information from CORE Advisory CORE-2009-0727 was used in this report.

This document was written by Ryan Giobbi.

Other Information

Date Public:	2009-08-18
Date First Published:	2009-08-21
Date Last Updated:	2009-08-21
CERT Advisory:
CVE-ID(s):	CVE-2009-2694
NVD-ID(s):	CVE-2009-2694
US-CERT Technical Alerts:
Metric:	10.19
Document Revision:	12

VU#485961: Acer AcerCtrls.APlunch ActiveX Control fails to properly restrict access to methods

US-CERT — Tue, 18 Aug 2009 09:39:05 -0700

2009-08-18T16:39:05-04:00

Vulnerability Note VU#485961

Acer AcerCtrls.APlunch ActiveX Control fails to properly restrict access to methods

Overview

The Acer AcerCtrls.APlunch ActiveX control contains methods that can allow a remote, unauthenticated attacker to run arbitrary commands on a vulnerable system.

I. Description

The Acer AcerCtrls.APlunch ActiveX control is provided by acerctrl.ocx. It contains a method called Run(), which takes two parameters: Drive and FileName. Although the control is not inherently marked as safe for scripting via the IObjectSafety interface, it may be distributed with the appropriate Implemented Categories registry key to make it safe for scripting. This means that a web page in Internet Explorer can call the Run() method of the control.

Note that this vulnerability is similar to but not the same issue as VU#221700. This control has different parameters and uses a different CLSID that is not included in the killbits provided with Microsoft Security Bulletin MS07-027.

II. Impact

By convincing a victim to view an HTML document (web page, HTML email, or email attachment), an attacker could run arbitrary commands with the privileges of the user running IE.

III. Solution

We are currently unaware of a practical solution to this problem. Please consider the following workarounds:

Disable the Acer AcerCtrls.APlunch ActiveX control in Internet Explorer

The Acer AcerCtrls.APlunch ActiveX control can be disabled in Internet Explorer by setting the kill bit for the following CLSID:

{

3895DD35-7573-11D2-8FED-00606730D3AA

}

More information about how to set the kill bit is available in Microsoft Support Document 240797. Alternatively, the following text can be saved as a .REG file and imported to set the kill bit for this control:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{

3895DD35-7573-11D2-8FED-00606730D3AA

}]

"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE

\Wow6432Node

\Microsoft\Internet Explorer\ActiveX Compatibility\{

3895DD35-7573-11D2-8FED-00606730D3AA

}]

"Compatibility Flags"=dword:00000400

Disable ActiveX

Disabling ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this and other ActiveX vulnerabilities. Instructions for disabling ActiveX in the Internet Zone can be found in the "Securing Your Web Browser" document.

Systems Affected

Vendor	Status	Date Notified	Date Updated
Acer	Vulnerable	2007-05-09	2009-08-17

References

http://www.kb.cert.org/vuls/id/221700
http://vuln.sg/acerlunchapp-en.html
http://support.microsoft.com/kb/240797

Credit

Thanks to Michael Costa of Crosshair Information Technology & Security LLC for reporting this vulnerability.

This document was written by Will Dormann.

Other Information

Date Public:	2009-08-16
Date First Published:	2009-08-18
Date Last Updated:	2009-08-18
CERT Advisory:
CVE-ID(s):	CVE-2009-2627
NVD-ID(s):	CVE-2009-2627
US-CERT Technical Alerts:
Metric:	5.06
Document Revision:	13

VU#456745: ActiveX controls built with Microsoft ATL fail to properly handle initialization data

US-CERT — Tue, 28 Jul 2009 08:42:54 -0700

2009-07-28T15:42:54-04:00

Vulnerability Note VU#456745

ActiveX controls built with Microsoft ATL fail to properly handle initialization data

Overview

ActiveX controls that are built using a Microsoft ATL template may fail to properly handle initialization data, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

I. Description

Microsoft Active Template Library (ATL) is a set of C++ classes that are designed to simplify the creation of COM objects and ActiveX controls. An ActiveX control can be designated as "safe for scripting," which means that it can be used by an untrusted caller such as JavaScript in a web page, and/or it may be designated as "safe for initialization," which means that it can accept untrusted initialization data. ActiveX controls that are developed using the Microsoft ATL technology may fail to properly handle initialization data. The specific vulnerabilities include the use of uninitialized objects, unsafe usage of OleLoadFromStream, and the failure to check for a terminating NULL character. This may result in memory corruption that can be leveraged to execute code, or it may bypass Internet Explorer kill bit restrictions on unsafe controls.

II. Impact

By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code.

III. Solution

Apply an update

This vulnerability has been addressed in the update for Internet Explorer provided in Microsoft Security Bulletin MS09-034. This update helps prevent ActiveX controls that were built with the vulnerable ATL versions from being initialized with unsafe data patterns in Internet Explorer. This also includes techniques that can be used to bypass the kill bit in Internet Explorer.

Update and recompile ActiveX controls

Developers who have created ActiveX controls using Microsoft ATL should install the update for Microsoft Security Bulletin MS09-035 and recompile the ActiveX controls. This will cause the controls to use an updated ATL version that addresses these vulnerabilities.

Disable ActiveX

Disabling ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this and other ActiveX vulnerabilities. Instructions for disabling ActiveX in the Internet Zone can be found in the "Securing Your Web Browser" document.

Systems Affected

Vendor	Status	Date Notified	Date Updated
Adobe	Vulnerable		2009-07-30
Alcatel-Lucent	Unknown	2009-07-28	2009-07-28
America Online, Inc.	Unknown	2009-07-28	2009-07-28
Apple Inc.	Not Vulnerable	2009-07-28	2009-07-31
Attachmate	Unknown	2009-07-28	2009-07-28
Aurigma Inc.	Vulnerable	2009-07-28	2009-07-29
Axis	Unknown	2009-07-28	2009-07-28
BT	Unknown	2009-07-28	2009-07-28
Business Objects	Unknown	2009-07-28	2009-07-28
Callisto Corporation	Unknown	2009-07-28	2009-07-28
Cisco Systems, Inc.	Vulnerable	2009-07-28	2009-07-29
Computer Associates eTrust Security Management	Unknown	2009-07-28	2009-07-28
Computer Emergency Response Team Brazil	Unknown	2009-07-28	2009-07-28
Corel Corporation	Unknown	2009-07-28	2009-07-28
E-Book Systems Inc.	Unknown	2009-07-28	2009-07-28
eBay	Unknown	2009-07-28	2009-07-28
Electronic Arts	Unknown	2009-07-28	2009-07-28
ESET, LLC.	Unknown	2009-07-28	2009-07-28
F5 Networks, Inc.	Vulnerable	2009-07-28	2009-07-29
GameTap-Turner Broadcasting subsidiary	Unknown	2009-07-28	2009-07-28
GOVCERT-NL	Unknown	2009-07-28	2009-07-28
Gracenote	Unknown	2009-07-28	2009-07-28
Hewlett-Packard Company	Unknown	2009-07-28	2009-07-28
Husdawg	Unknown	2009-07-28	2009-07-28
IBM Corporation	Not Vulnerable	2009-07-28	2009-07-29
Iconics, Inc.	Unknown	2009-07-28	2009-07-28
IncrediMail Ltd.	Unknown	2009-07-28	2009-07-28
Infotriever, Inc.	Unknown	2009-07-28	2009-07-28
InterActual Technologies, Inc.	Unknown	2009-07-28	2009-07-28
Intuit, Inc.	Unknown	2009-07-28	2009-07-28
Juniper Networks, Inc.	Unknown	2009-07-28	2009-07-28
Kodak Easy Share Gallery	Unknown	2009-07-28	2009-07-28
Lenovo	Unknown	2009-07-28	2009-07-28
LizardTech, Inc	Unknown	2009-07-28	2009-07-28
LogicNP	Not Vulnerable	2009-07-28	2009-07-30
Lotus Software	Unknown	2009-07-28	2009-07-28
Media Technology Group	Unknown	2009-07-28	2009-07-28
Microsoft Corporation	Vulnerable		2009-07-28
Motive	Unknown	2009-07-28	2009-07-28
Move Networks, Inc.	Unknown	2009-07-28	2009-07-28
Namzak Labs Inc.	Unknown	2009-07-28	2009-07-28
Nokia	Unknown	2009-07-28	2009-07-28
Novell, Inc.	Unknown	2009-07-28	2009-07-28
Oracle Corporation	Unknown	2009-07-28	2009-07-28
OSISoft	Vulnerable		2009-08-04
Panda Software Ltd.	Unknown	2009-07-28	2009-07-28
PNI Digital Media	Unknown	2009-07-28	2009-07-28
Radiant Systems	Unknown	2009-07-28	2009-07-28
RealNetworks, Inc.	Unknown	2009-07-28	2009-07-28
Research in Motion (RIM)	Unknown	2009-07-28	2009-07-28
SafeNet	Unknown	2009-07-28	2009-07-28
SAP	Unknown	2009-07-28	2009-07-28
ScriptLogic	Unknown	2009-07-28	2009-07-28
Siemens	Unknown	2009-07-28	2009-07-28
Simba Technologies	Unknown	2009-07-28	2009-07-28
SoftArtisans, Inc	Unknown	2009-07-28	2009-07-28
SonicWall	Vulnerable	2009-07-28	2009-10-28
Sun Microsystems, Inc.	Vulnerable		2009-08-05
SupportSoft, Inc.	Unknown	2009-07-28	2009-07-28
SwiftView	Unknown	2009-07-28	2009-07-28
Symantec	Unknown	2009-07-28	2009-07-28
Trend Micro	Unknown	2009-07-28	2009-07-28
Unigraphics Solutions	Unknown	2009-07-28	2009-07-28
VanDyke Software	Not Vulnerable	2009-07-28	2009-08-04
View22	Unknown	2009-07-28	2009-07-28
WeOnlyDo! Software	Unknown	2009-07-28	2009-07-28
WinZip Computing, Inc.	Unknown	2009-07-28	2009-07-28
Worldspan	Unknown	2009-07-28	2009-07-28
Xerox	Unknown	2009-07-28	2009-07-28
Yahoo, Inc.	Unknown	2009-07-28	2009-07-28

References

http://www.kb.cert.org/vuls/id/180513
http://www.microsoft.com/technet/security/bulletin/ms09-034.mspx
http://www.microsoft.com/technet/security/bulletin/ms09-035.mspx
http://www.microsoft.com/security/atl.aspx
http://blogs.technet.com/msrc/archive/2009/07/28/microsoft-security-advisory-973882-microsoft-security-bulletins-ms09-034-and-ms09-035-released.aspx
http://blogs.msdn.com/sdl/archive/2009/07/28/atl-ms09-035-and-the-sdl.aspx
http://blogs.technet.com/ecostrat/archive/2009/07/27/threat-complexity-requires-new-levels-of-collaboration.aspx
http://www.microsoft.com/technet/security/advisory/973882.mspx
http://msdn.microsoft.com/en-us/library/ms680103(VS.85).aspx
http://msdn.microsoft.com/en-us/library/aa751977(VS.85).aspx
http://msdn.microsoft.com/en-us/library/t9adwcde(VS.80).aspx
http://support.microsoft.com/kb/168371
http://support.microsoft.com/kb/240797
http://blogs.adobe.com/psirt/2009/07/impact_of_microsoft_atl_vulner.html
http://www.adobe.com/support/security/advisories/apsa09-04.html
http://www.adobe.com/support/security/bulletins/apsb09-10.html
http://www.adobe.com/support/security/bulletins/apsb09-11.html
http://addxorrol.blogspot.com/2009/07/poking-around-msvidctldll.html
http://blogs.technet.com/srd/archive/2009/07/28/msvidctl-ms09-032-and-the-atl-vulnerability.aspx
http://blogs.technet.com/srd/archive/2009/07/28/atl-vulnerability-developer-deep-dive.aspx
http://blogs.technet.com/srd/archive/2009/07/28/internet-explorer-mitigations-for-atl-data-stream-vulnerabilities.aspx
http://blogs.technet.com/srd/archive/2009/07/28/overview-of-the-out-of-band-release.aspx
http://blogs.technet.com/bluehat/archive/2009/07/27/black-hat-usa-atl-killbit-bypass.aspx

Credit

Thanks to Microsoft for reporting this vulnerability, who in turn credit David Dewey of IBM ISS X-Force and Ryan Smith of Verisign iDefense labs.

This document was written by Will Dormann.

Other Information

Date Public:	2009-07-09
Date First Published:	2009-07-28
Date Last Updated:	2009-10-28
CERT Advisory:
CVE-ID(s):	CVE-2009-0901; CVE-2009-2493; CVE-2009-2495
NVD-ID(s):	CVE-2009-0901 CVE-2009-2493 CVE-2009-2495
US-CERT Technical Alerts:	TA09-209A
Metric:	47.08
Document Revision:	41

VU#725188: ISC BIND 9 vulnerable to denial of service via dynamic update request

US-CERT — Tue, 28 Jul 2009 01:28:08 -0700

2009-07-28T08:28:08-04:00

Vulnerability Note VU#725188

ISC BIND 9 vulnerable to denial of service via dynamic update request

Overview

ISC BIND 9 contains a vulnerability that may allow a remote, unauthenticated attacker to create a denial-of-service condition.

I. Description

The Berkeley Internet Name Domain (BIND) is a popular Domain Name System (DNS) implementation from Internet Systems Consortium (ISC). It includes support for dynamic DNS updates as specified in IETF RFC 2136. BIND 9 can crash when processing a specially-crafted dynamic update packet.

ISC notes that this vulnerability affects all servers that are masters for one or more zones and is not limited to those that are configured to allow dynamic updates. ISC also indicates that the attack packet has to be constructed for a zone for which the target system is configured as a master; launching the attack against slave zones does not trigger the vulnerability.

II. Impact

By sending a specially-crafted dynamic update packet to a BIND 9 server, a remote, unauthenticated attacker can cause a denial of service by causing BIND to crash.

III. Solution

Apply an update

Users who obtain BIND from a third-party vendor, such as their operating system vendor, should see the systems affected portion of this document for a partial list of affected vendors.

This vulnerability is addressed in ISC BIND versions 9.4.3-P3, 9.5.1-P3, and BIND 9.6.1-P1. Users of BIND from the original source distribution should upgrade to one of these versions, as appropriate.

See also https://www.isc.org/node/474.

Systems Affected

Vendor	Status	Date Notified	Date Updated
Alcatel-Lucent	Unknown	2009-07-28	2009-07-28
Apple Inc.	Unknown	2009-07-28	2009-07-28
BlueCat Networks, Inc.	Vulnerable	2009-07-28	2009-07-29
Check Point Software Technologies	Unknown	2009-07-28	2009-07-28
Conectiva Inc.	Unknown	2009-07-28	2009-07-28
Cray Inc.	Unknown	2009-07-28	2009-07-28
Debian GNU/Linux	Unknown	2009-07-28	2009-07-28
DragonFly BSD Project	Unknown	2009-07-28	2009-07-28
EMC Corporation	Unknown	2009-07-28	2009-07-28
Engarde Secure Linux	Unknown	2009-07-28	2009-07-28
Ericsson	Unknown	2009-07-28	2009-07-28
F5 Networks, Inc.	Unknown	2009-07-28	2009-07-28
Fedora Project	Unknown	2009-07-28	2009-07-28
FreeBSD, Inc.	Vulnerable	2009-07-28	2009-07-29
Fujitsu	Unknown	2009-07-28	2009-07-28
Gentoo Linux	Unknown	2009-07-28	2009-07-28
Gnu ADNS	Unknown	2009-07-28	2009-07-28
GNU glibc	Unknown	2009-07-28	2009-07-28
Hewlett-Packard Company	Unknown	2009-07-28	2009-07-28
Hitachi	Unknown	2009-07-28	2009-07-28
IBM Corporation	Unknown	2009-07-28	2009-07-28
IBM eServer	Unknown	2009-07-28	2009-07-28
Infoblox	Vulnerable	2009-07-28	2009-07-29
Internet Systems Consortium	Vulnerable	2009-07-28	2009-07-28
Juniper Networks, Inc.	Unknown	2009-07-28	2009-07-28
Mandriva S. A.	Unknown	2009-07-28	2009-07-28
McAfee	Unknown	2009-07-28	2009-07-28
Men & Mice	Unknown	2009-07-28	2009-07-28
Metasolv Software, Inc.	Unknown	2009-07-28	2009-07-28
MontaVista Software, Inc.	Unknown	2009-07-28	2009-07-28
NEC Corporation	Unknown	2009-07-28	2009-07-28
NetBSD	Unknown	2009-07-28	2009-07-28
Nixu	Vulnerable	2009-07-28	2009-07-29
Nokia	Unknown	2009-07-28	2009-07-28
Nominum	Not Vulnerable	2009-07-28	2009-07-29
Nortel Networks, Inc.	Unknown	2009-07-28	2009-07-28
Novell, Inc.	Unknown	2009-07-28	2009-07-28
OpenBSD	Vulnerable	2009-07-28	2009-07-29
Openwall GNU/*/Linux	Unknown	2009-07-28	2009-07-28
QNX, Software Systems, Inc.	Unknown	2009-07-28	2009-07-28
Red Hat, Inc.	Unknown	2009-07-28	2009-07-28
SafeNet	Unknown	2009-07-28	2009-07-28
Shadowsupport	Unknown	2009-07-28	2009-07-28
Silicon Graphics, Inc.	Unknown	2009-07-28	2009-07-28
Slackware Linux Inc.	Unknown	2009-07-28	2009-07-28
Sony Corporation	Unknown	2009-07-28	2009-07-28
Sun Microsystems, Inc.	Unknown	2009-07-28	2009-07-28
SUSE Linux	Unknown	2009-07-28	2009-07-28
The SCO Group	Unknown	2009-07-28	2009-07-28
Turbolinux	Unknown	2009-07-28	2009-07-28
Ubuntu	Vulnerable	2009-07-28	2009-07-29
Unisys	Unknown	2009-07-28	2009-07-28
Wind River Systems, Inc.	Unknown	2009-07-28	2009-07-28

References

https://www.isc.org/node/474
http://tools.ietf.org/html/rfc2136
http://oldwww.isc.org/sw/bind/view?release=9.4.3-P3&noframes=1
http://oldwww.isc.org/sw/bind/view?release=9.5.1-P3&noframes=1
http://oldwww.isc.org/sw/bind/view?release=9.6.1-P1&noframes=1
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=538975

Credit

Thanks to ISC for reporting this vulnerability.

This document was written by Will Dormann and Chad Dougherty.

Other Information

Date Public:	2009-07-28
Date First Published:	2009-07-28
Date Last Updated:	2009-07-30
CERT Advisory:
CVE-ID(s):	CVE-2009-0696
NVD-ID(s):	CVE-2009-0696
US-CERT Technical Alerts:
Metric:	26.32
Document Revision:	32

VU#259425: Adobe Flash vulnerability affects Flash Player and other Adobe products

US-CERT — Wed, 22 Jul 2009 03:54:34 -0700

2009-07-22T10:54:34-04:00

Vulnerability Note VU#259425

Adobe Flash vulnerability affects Flash Player and other Adobe products

Overview

Adobe Flash contains a vulnerability that may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system. Adobe Flash Player, Reader, Acrobat, and other products that include Flash support are affected.

I. Description

Adobe Flash is a widely deployed multimedia platform typically used to provide content in web sites. Adobe Flash Player, Reader, Acrobat, and other Adobe products include Flash support.

Adobe Flash Player contains a code execution vulnerability. An attacker may be able to trigger this vulnerability by convincing a user to open a specially crafted Flash (SWF) file. The SWF file could be hosted or embedded in a web page or contained in a Portable Document Format (PDF) file. If an attacker can take control of a website or web server, trusted sites may exploit this vulnerability.

This vulnerability affects Adobe Flash versions 9.0.159.0 and 10.0.22.87 and earlier 9.x and 10.x versions. Adobe Reader 9, Acrobat 9, and other Adobe products (including Photoshop CS3, PhotoShop Lightroom, Freehand MX, Fireworks) provide Flash support independent of Flash Player. As of 2009-07-22, Adobe Reader 9.1.2 includes Flash 9.0.155.0, which is likely vulnerable to issues addressed by Flash 9.0.159.0 (APSB09-01).

This vulnerability is being actively exploited.

II. Impact

By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), PDF file, Microsoft Office document, or any other document that supports embedded SWF content, an attacker may be able to execute arbitrary code.

III. Solution

Apply an update

This issue is addressed in Flash Player 10.0.32.18. Please see Adobe Security Bulletin APSB09-10 for more details. Note that Microsoft Windows users should update both the ActiveX and Plug-in versions of Flash Player for increased protection.

Disable Flash in your web browser

Disable Flash or selectively enable Flash content as described in Securing Your Web Browser.

Disable Flash and 3D & Multimedia support in Adobe Reader 9

Flash and 3D & Multmedia support are implemented as plugin libraries in Adobe Reader. Disabling Flash in Adobe Reader will only mitigate attacks using a SWF embedded in a PDF file. Disabling 3D & Multimedia support does not directly address the vulnerability, but does provide additional mitigation and results in a more user-friendly error message instead of a crash.

To disable Flash and 3D & Multimedia support in Adobe Reader 9 on Microsoft Windows, delete or rename these files:

"%ProgramFiles%\Adobe\Reader 9.0\Reader\authplay.dll"

"%ProgramFiles%\Adobe\Reader 9.0\Reader\rt3d.dll"

For Apple Mac OS X, delete or rename these files:

"/Applications/Adobe Reader 9/Adobe Reader.app/Contents/Frameworks/AuthPlayLib.bundle"

"/Applications/Adobe Reader 9/Adobe Reader.app/Contents/Frameworks/Adobe3D.framework"

For GNU/Linux delete or rename these files (locations may vary among distributions):

"/opt/Adobe/Reader9/Reader/intellinux/lib/libauthplay.so"

"/opt/Adobe/Reader9/Reader/intellinux/lib/librt3d.so"

File locations may be different for Adobe Acrobat or other Adobe products that include Flash and 3D & Multimedia support. Disabling these plugins will reduce functionality, and will not protect against SWF files hosted on web sites. Depending on the update schedule for products other than Flash Player, consider leaving Flash and 3D & Multimedia support disabled unless they are absolutely required.

Remove Flash

Adobe has provided a TechNote with utilities for uninstalling the Flash Player plug-in and ActiveX control on Windows and Mac OS X systems. Removing these components can mitigate the web browser attack vector for this vulnerability. Note that this will not remove the instances of Flash Player that is installed with Adobe Reader 9 or other Adobe products.

Enable DEP in Microsoft Windows

Consider enabling Data Execution Prevention (DEP) in supported versions of Windows. DEP should not be treated as a complete workaround, but DEP can mitigate the execution of attacker-supplied code in some cases. Microsoft has published detailed technical information about DEP in Security Research & Defense blog posts "Understanding DEP as a mitigation technology" part 1 and part 2. Use of DEP should be considered in conjunction with the application of patches or other mitigations described in this document.

Systems Affected

Vendor	Status	Date Notified	Date Updated
Adobe	Vulnerable		2009-07-23

References

http://www.us-cert.gov/reading_room/securing_browser/
http://www.adobe.com/support/security/bulletins/apsb09-10.html
http://blogs.adobe.com/psirt/2009/07/potential_adobe_reader_and_fla.html
http://blogs.adobe.com/psirt/2009/07/update_on_adobe_reader_acrobat.html
http://www.adobe.com/support/security/advisories/apsa09-03.html
http://bugs.adobe.com/jira/browse/FP-1265
http://www.symantec.com/connect/blogs/next-generation-flash-vulnerability
http://kb2.adobe.com/cps/141/tn_14157.html
http://blog.fireeye.com/research/2009/07/actionscript_heap_spray.html
http://blogs.technet.com/srd/archive/2009/06/05/understanding-dep-as-a-mitigation-technology-part-1.aspx
http://blogs.technet.com/srd/archive/2009/06/12/understanding-dep-as-a-mitigation-technology-part-2.aspx

Credit

This vulnerability was reported on the Adobe PSIRT blog. Thanks to Department of Defense Cyber Crime Center/DCISE for information used in this document.

This document was written by Chris Taschner, Will Dormann, Chad Dougherty, and Art Manion.

Other Information

Date Public:	2009-07-22
Date First Published:	2009-07-22
Date Last Updated:	2009-08-07
CERT Advisory:
CVE-ID(s):	CVE-2009-1862
NVD-ID(s):	CVE-2009-1862
US-CERT Technical Alerts:	TA09-204A
Metric:	35.34
Document Revision:	48

VU#545228: Microsoft Office Web Components Spreadsheet ActiveX control vulnerability

US-CERT — Wed, 15 Jul 2009 03:54:34 -0700

2009-07-15T10:54:34-04:00

Vulnerability Note VU#545228

Microsoft Office Web Components Spreadsheet ActiveX control vulnerability

Overview

The Microsoft Office Web Components Spreadsheet ActiveX controls (OWC10 and OWC11) contain a vulnerability that may allow an attacker to take control of a vulnerable system.

I. Description

The Office Web Components Spreadsheet ActiveX control contains a code execution vulnerability. Public reports indicate that this vulnerability is being actively exploited.

Per the MSRC blog, the following products may install the affected control on a system:

Microsoft Office XP Service Pack 3, Microsoft Office 2003 Service Pack 3, Microsoft Office XP Web Components Service Pack 3, Microsoft Office Web Components 2003 Service Pack 3, Microsoft Office 2003 Web Components for the 2007 Microsoft Office system Service Pack 1, Microsoft Internet Security and Acceleration Server 2004 Standard Edition Service Pack 3, Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition Service Pack 3, Microsoft Internet Security and Acceleration Server 2006, Internet Security and Acceleration Server 2006 Supportability Update, Microsoft Internet Security and Acceleration Server 2006 Service Pack 1, Microsoft Office Small Business Accounting 2006.

Further details are available from the Microsoft Security Research & Defense blog.

II. Impact

A remote attacker may be able to take control of a vulnerable system.

III. Solution

Until updates are available, the below workaround will mitigate this vulnerability.

Disable the Office Web Components Spreadsheet ActiveX controls in Internet Explorer

The vulnerable controls can be disabled in Internet Explorer by setting the kill bit for the following CLSIDs:

{0002E541-0000-0000-C000-000000000046}

{0002E559-0000-0000-C000-000000000046}

More information about how to set the kill bit is available in Microsoft Support Document 240797. Alternatively, the following text can be saved as a .REG file and imported to set the kill bit for these controls:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E541-0000-0000-C000-000000000046}]

"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\

Wow6432Node\

Microsoft\Internet Explorer\ActiveX Compatibility\{0002E541-0000-0000-C000-000000000046}]

"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0002E559-0000-0000-C000-000000000046}]

"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\

Wow6432Node\

Microsoft\Internet Explorer\ActiveX Compatibility\{0002E559-0000-0000-C000-000000000046}]

"Compatibility Flags"=dword:00000400

Systems Affected

Vendor	Status	Date Notified	Date Updated
Microsoft Corporation	Vulnerable		2009-07-15

References

http://www.cert.org/tech_tips/securing_browser/
http://www.microsoft.com/technet/security/advisory/973472.mspx
http://blogs.technet.com/msrc/archive/2009/07/13/microsoft-security-advisory-973472-released.aspx
http://blogs.technet.com/srd/archive/2009/07/13/more-information-about-the-office-web-components-activex-vulnerability.aspx
http://support.microsoft.com/kb/240797

Credit

Thanks to Microsoft for information that was used in this report.

This document was written by Ryan Giobbi.

Other Information

Date Public:	2009-07-13
Date First Published:	2009-07-15
Date Last Updated:	2009-08-07
CERT Advisory:
CVE-ID(s):	CVE-2009-1136
NVD-ID(s):	CVE-2009-1136
US-CERT Technical Alerts:	TA09-195A
Metric:	44.04
Document Revision:	17

VU#466161: XML signature HMAC truncation authentication bypass

US-CERT — Tue, 14 Jul 2009 08:26:34 -0700

2009-07-14T15:26:34-04:00

Vulnerability Note VU#466161

XML signature HMAC truncation authentication bypass

Overview

The XML Signature specification allows for HMAC truncation, which may allow a remote attacker to bypass authentication.

I. Description

XML Signature Syntax and Processing (XMLDsig) is a W3C recommendation for providing integrity, message authentication, and/or signer authentication services for data. XMLDsig is commonly used by web services such as SOAP. The XMLDsig recommendation includes support for HMAC truncation, as specified in RFC2104. However, the XMLDsig specification does not follow the RFC2104 recommendation to not allow truncation to less than half of the length of the hash output or less than 80 bits. When HMAC truncation is under the control of an attacker this can result in an effective authentication bypass. For example, by specifying an HMACOutputLength of 1, only one bit of the signature is verified. This can allow an attacker to forge an XML signature that will be accepted as valid.

II. Impact

This vulnerability can allow an attacker to bypass the authentication mechanism provided by the XML Signature specification.

III. Solution

Apply an update

Please check with your vendor for available updates. Erratum E03 for the XMLDsig recommendation has been added, which specifies minimum values for HMAC truncation.

Systems Affected

Vendor	Status	Date Notified	Date Updated
3com, Inc.	Unknown	2009-07-09	2009-07-09
ACCESS	Unknown	2009-07-09	2009-07-09
Alcatel-Lucent	Unknown	2009-07-09	2009-07-09
Apache XML Security	Vulnerable		2009-07-14
Apple Inc.	Vulnerable	2009-07-09	2009-07-10
AT&T	Unknown	2009-07-09	2009-07-09
Avaya, Inc.	Unknown	2009-07-09	2009-07-09
Barracuda Networks	Unknown	2009-07-09	2009-07-09
Belkin, Inc.	Unknown	2009-07-09	2009-07-09
Borderware Technologies	Unknown	2009-07-09	2009-07-09
CERT-Bund	Unknown	2009-06-22	2009-06-22
Certicom	Unknown	2009-02-18	2009-02-18
Charlotte's Web Networks	Unknown	2009-07-09	2009-07-09
Check Point Software Technologies	Unknown	2009-07-09	2009-07-09
Cisco Systems, Inc.	Unknown	2009-07-09	2009-07-09
Clavister	Unknown	2009-07-09	2009-07-09
Computer Associates	Unknown	2009-07-09	2009-07-09
Computer Associates eTrust Security Management	Unknown	2009-07-09	2009-07-09
Conectiva Inc.	Unknown	2009-07-09	2009-07-09
Cray Inc.	Unknown	2009-07-09	2009-07-09
D-Link Systems, Inc.	Unknown	2009-07-09	2009-07-09
Debian GNU/Linux	Vulnerable	2009-07-09	2009-07-14
DragonFly BSD Project	Unknown	2009-07-09	2009-07-09
EMC Corporation	Unknown	2009-07-09	2009-07-09
Engarde Secure Linux	Unknown	2009-07-09	2009-07-09
Enterasys Networks	Unknown	2009-07-09	2009-07-09
Ericsson	Unknown	2009-07-09	2009-07-09
eSoft, Inc.	Unknown	2009-07-09	2009-07-09
Extreme Networks	Unknown	2009-07-09	2009-07-09
F5 Networks, Inc.	Unknown	2009-07-09	2009-07-09
Fedora Project	Unknown	2009-07-09	2009-07-09
Force10 Networks, Inc.	Not Vulnerable	2009-07-09	2009-07-14
Fortinet, Inc.	Unknown	2009-07-09	2009-07-09
Foundry Networks, Inc.	Unknown	2009-07-09	2009-07-09
FreeBSD, Inc.	Unknown	2009-07-09	2009-07-09
Fujitsu	Unknown	2009-07-09	2009-07-09
Gentoo Linux	Unknown	2009-07-09	2009-07-09
Global Technology Associates	Unknown	2009-07-09	2009-07-09
Hewlett-Packard Company	Unknown	2009-07-09	2009-07-09
Hitachi	Unknown	2009-07-09	2009-07-09
IBM Corporation	Vulnerable	2009-07-09	2009-07-14
IBM eServer	Unknown	2009-07-09	2009-07-09
Infoblox	Unknown	2009-07-09	2009-07-09
Intel Corporation	Unknown	2009-07-09	2009-07-09
Internet Security Systems, Inc.	Unknown	2009-07-09	2009-07-09
Intoto	Unknown	2009-07-09	2009-07-09
IP Filter	Unknown	2009-07-09	2009-07-09
IP Infusion, Inc.	Unknown	2009-07-09	2009-07-09
Juniper Networks, Inc.	Unknown	2009-07-09	2009-07-09
Luminous Networks	Unknown	2009-07-09	2009-07-09
m0n0wall	Not Vulnerable	2009-07-09	2009-07-10
Mandriva S. A.	Unknown	2009-07-09	2009-07-09
McAfee	Unknown	2009-07-09	2009-07-09
Microsoft Corporation	Unknown	2009-07-09	2009-07-09
Mono-Project	Vulnerable		2009-07-10
MontaVista Software, Inc.	Unknown	2009-07-09	2009-07-09
Multitech, Inc.	Unknown	2009-07-09	2009-07-09
NEC Corporation	Unknown	2009-07-09	2009-07-09
NetApp	Unknown	2009-07-09	2009-07-09
NetBSD	Unknown	2009-07-09	2009-07-09
netfilter	Unknown	2009-07-09	2009-07-09
Nokia	Unknown	2009-07-09	2009-07-09
Nortel Networks, Inc.	Unknown	2009-07-09	2009-07-09
Novell, Inc.	Unknown	2009-07-09	2009-07-09
Openwall GNU/*/Linux	Unknown	2009-07-09	2009-07-09
Oracle Corporation	Vulnerable		2009-07-13
PePLink	Not Vulnerable	2009-07-09	2009-07-20
Process Software	Unknown	2009-07-09	2009-07-09
Q1 Labs	Not Vulnerable	2009-07-09	2009-07-10
QNX, Software Systems, Inc.	Unknown	2009-07-09	2009-07-09
Quagga	Unknown	2009-07-09	2009-07-09
RadWare, Inc.	Unknown	2009-07-09	2009-07-09
Red Hat, Inc.	Unknown	2009-07-09	2009-07-09
Redback Networks, Inc.	Unknown	2009-07-09	2009-07-09
RSA Security, Inc.	Vulnerable		2009-07-14
SafeNet	Unknown	2009-07-09	2009-07-09
Secureworx, Inc.	Unknown	2009-07-09	2009-07-09
Silicon Graphics, Inc.	Unknown	2009-07-09	2009-07-09
Slackware Linux Inc.	Unknown	2009-07-09	2009-07-09
SmoothWall	Unknown	2009-07-09	2009-07-09
Snort	Unknown	2009-07-09	2009-07-09
Soapstone Networks	Unknown	2009-07-09	2009-07-09
Sony Corporation	Unknown	2009-07-09	2009-07-09
Sourcefire	Unknown	2009-07-09	2009-07-09
Stonesoft	Unknown	2009-07-09	2009-07-09
Sun Microsystems, Inc.	Vulnerable	2009-07-09	2009-08-05
SUSE Linux	Unknown	2009-07-09	2009-07-09
Symantec	Unknown	2009-07-09	2009-07-09
The SCO Group	Not Vulnerable	2009-07-09	2009-07-13
TippingPoint, Technologies, Inc.	Unknown	2009-07-09	2009-07-09
Turbolinux	Unknown	2009-07-09	2009-07-09
U4EA Technologies, Inc.	Unknown	2009-07-09	2009-07-09
Ubuntu	Unknown	2009-07-09	2009-07-09
Unisys	Unknown	2009-07-09	2009-07-09
VMware	Not Vulnerable	2009-07-09	2009-07-14
Vyatta	Unknown	2009-07-09	2009-07-09
Watchguard Technologies, Inc.	Unknown	2009-07-09	2009-07-09
Wind River Systems, Inc.	Not Vulnerable	2009-07-09	2009-07-13
XML Security Library	Vulnerable		2009-07-10
ZyXEL	Unknown	2009-07-09	2009-07-09

References

http://www.w3.org/2008/06/xmldsigcore-errata.html#e03
http://www.w3.org/QA/2009/07/hmac_truncation_in_xml_signatu.html
http://www.rsa.com/blog/blog_entry.aspx?id=1492
http://www.w3.org/TR/xmldsig-core/
http://www.w3.org/TR/xmldsig-core/#sec-HMAC
http://tools.ietf.org/html/rfc2104#section-5
http://www.oasis-open.org/specs/index.php#wss
http://www.w3.org/2000/xp/Group/
http://msdn.microsoft.com/en-us/library/ms996502.aspx
http://www.ibm.com/support/docview.wss?rs=180&uid=swg21384925
http://santuario.apache.org/download.html
http://www.mono-project.com/Vulnerabilities
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2009.html
http://www.aleksey.com/xmlsec/downloads.html
http://blogs.sun.com/security/entry/cert_vulnerability_note_vu_466161
http://rdist.root.org/2009/07/19/xmldsig-welcomes-all-signatures/

Credit

Thanks to Thomas Roessler of the W3C for reporting this vulnerability.

This document was written by Will Dormann.

Other Information

Date Public:	2009-07-14
Date First Published:	2009-07-14
Date Last Updated:	2009-08-05
CERT Advisory:
CVE-ID(s):	CVE-2009-0217
NVD-ID(s):	CVE-2009-0217
US-CERT Technical Alerts:
Metric:	8.16
Document Revision:	28

VU#410676: ISC DHCP dhclient stack buffer overflow

US-CERT — Tue, 14 Jul 2009 04:10:50 -0700

2009-07-14T11:10:50-04:00

Vulnerability Note VU#410676

ISC DHCP dhclient stack buffer overflow

Overview

The ISC DHCP dhclient application contains a stack buffer overflow, which may allow a remote, unauthenticated attacker to execute arbitrary code with root privileges.

I. Description

As described in RFC 2131, "The Dynamic Host Configuration Protocol (DHCP) provides a framework for passing configuration information to hosts on a TCP/IP network." ISC DHCP is a reference implementation of the DHCP protocol, including a DHCP server, client, and relay agent.

The ISC DHCP client code (dhclient) contains a stack buffer overflow in the script_write_params() method. dhclient fails to check the length of the server-supplied subnet-mask option before copying it into a buffer. According to ISC, the following versions are affected:

II. Impact

A rogue DHCP server may be able to execute arbitrary code with root privileges on a vulnerable client system.

III. Solution

Apply a patch or update from your vendor

For vendor-specific information regarding vulnerable status and patch availability, please see the Systems Affected section of this document.

Upgrade your version of DHCP

Upgrade your system as specified by your vendor. If you need to upgrade DHCP manually, according to ISC:

Systems Affected

Vendor	Status	Date Notified	Date Updated
3com, Inc.	Unknown	2009-06-23	2009-06-23
ACCESS	Unknown	2009-06-23	2009-06-23
Alcatel-Lucent	Unknown	2009-06-23	2009-06-23
Apple Inc.	Not Vulnerable	2009-06-23	2009-06-24
AT&T	Unknown	2009-06-23	2009-06-23
Avaya, Inc.	Unknown	2009-06-23	2009-06-23
Barracuda Networks	Unknown	2009-06-23	2009-06-23
Belkin, Inc.	Unknown	2009-06-23	2009-06-23
Borderware Technologies	Unknown	2009-06-23	2009-06-23
Bro	Unknown	2009-06-23	2009-06-23
Charlotte's Web Networks	Unknown	2009-06-23	2009-06-23
Check Point Software Technologies	Unknown	2009-06-23	2009-06-23
Cisco Systems, Inc.	Unknown	2009-06-23	2009-06-23
Clavister	Unknown	2009-06-23	2009-06-23
Computer Associates	Unknown	2009-06-23	2009-06-23
Computer Associates eTrust Security Management	Not Vulnerable	2009-06-23	2009-06-25
Conectiva Inc.	Unknown	2009-06-23	2009-06-23
Cray Inc.	Unknown	2009-06-23	2009-06-23
D-Link Systems, Inc.	Unknown	2009-06-26	2009-06-26
Debian GNU/Linux	Unknown	2009-06-23	2009-06-23
DragonFly BSD Project	Unknown	2009-06-23	2009-06-23
EMC Corporation	Unknown	2009-06-23	2009-06-23
Engarde Secure Linux	Unknown	2009-06-23	2009-06-23
Enterasys Networks	Unknown	2009-06-23	2009-06-23
Ericsson	Unknown	2009-06-23	2009-06-23
eSoft, Inc.	Unknown	2009-06-23	2009-06-23
Extreme Networks	Unknown	2009-06-23	2009-06-23
F5 Networks, Inc.	Unknown	2009-06-23	2009-06-23
Fedora Project	Unknown	2009-06-23	2009-06-23
Force10 Networks, Inc.	Not Vulnerable	2009-06-23	2009-07-14
Fortinet, Inc.	Unknown	2009-06-23	2009-06-23
Foundry Networks, Inc.	Unknown	2009-06-23	2009-06-23
FreeBSD, Inc.	Unknown	2009-06-23	2009-06-23
Fujitsu	Unknown	2009-06-23	2009-06-23
Gentoo Linux	Vulnerable	2009-06-23	2009-07-14
Global Technology Associates	Unknown	2009-06-23	2009-06-23
Hewlett-Packard Company	Unknown	2009-06-23	2009-06-23
Hitachi	Unknown	2009-06-23	2009-06-23
IBM Corporation	Unknown	2009-06-24	2009-06-24
IBM eServer	Unknown	2009-06-23	2009-06-23
Infoblox	Unknown	2009-06-23	2009-06-23
Intel Corporation	Unknown	2009-06-23	2009-06-23
Internet Security Systems, Inc.	Vulnerable	2009-06-23	2009-07-15
Internet Systems Consortium	Unknown	2009-06-24	2009-06-24
Internet Systems Consortium - DHCP	Unknown	2009-06-24	2009-06-24
Intoto	Unknown	2009-06-23	2009-06-23
IP Filter	Unknown	2009-06-23	2009-06-23
Juniper Networks, Inc.	Unknown	2009-06-23	2009-06-23
Luminous Networks	Unknown	2009-06-23	2009-06-23
m0n0wall	Unknown	2009-06-23	2009-06-23
Mandriva S. A.	Unknown	2009-06-23	2009-06-23
McAfee	Unknown	2009-06-23	2009-06-23
Microsoft Corporation	Not Vulnerable	2009-06-23	2009-06-24
MontaVista Software, Inc.	Unknown	2009-06-23	2009-06-23
Multitech, Inc.	Unknown	2009-06-23	2009-06-23
NEC Corporation	Unknown	2009-06-23	2009-06-23
NetApp	Unknown	2009-06-23	2009-06-23
NetBSD	Vulnerable	2009-06-23	2009-07-15
netfilter	Unknown	2009-06-23	2009-06-23
Nokia	Unknown	2009-06-25	2009-06-25
Nortel Networks, Inc.	Unknown	2009-06-23	2009-06-23
Novell, Inc.	Unknown	2009-06-23	2009-06-23
Openwall GNU/*/Linux	Unknown	2009-06-23	2009-06-23
PePLink	Vulnerable	2009-06-23	2009-06-24
Process Software	Unknown	2009-06-23	2009-06-23
Q1 Labs	Unknown	2009-06-23	2009-06-23
QNX, Software Systems, Inc.	Not Vulnerable	2009-06-23	2009-07-07
Quagga	Unknown	2009-06-23	2009-06-23
RadWare, Inc.	Unknown	2009-06-23	2009-06-23
Red Hat, Inc.	Vulnerable	2009-06-23	2009-07-16
Redback Networks, Inc.	Unknown	2009-06-23	2009-06-23
SafeNet	Not Vulnerable	2009-06-23	2009-07-03
Secureworx, Inc.	Unknown	2009-06-23	2009-06-23
Silicon Graphics, Inc.	Unknown	2009-06-23	2009-06-23
Slackware Linux Inc.	Unknown	2009-06-23	2009-06-23
SmoothWall	Not Vulnerable	2009-06-23	2009-06-25
Snort	Unknown	2009-06-23	2009-06-23
Soapstone Networks	Unknown	2009-06-23	2009-06-23
Sony Corporation	Unknown	2009-06-23	2009-06-23
Sourcefire	Unknown	2009-06-23	2009-06-23
Stonesoft	Unknown	2009-06-23	2009-06-23
Sun Microsystems, Inc.	Not Vulnerable	2009-06-23	2009-06-26
SUSE Linux	Unknown	2009-06-23	2009-06-23
Symantec	Unknown	2009-06-23	2009-06-23
The SCO Group	Not Vulnerable	2009-06-23	2009-06-30
TippingPoint, Technologies, Inc.	Unknown	2009-06-23	2009-06-23
Turbolinux	Unknown	2009-06-23	2009-06-23
U4EA Technologies, Inc.	Unknown	2009-06-23	2009-06-23
Ubuntu	Vulnerable	2009-06-23	2009-07-14
Unisys	Unknown	2009-06-23	2009-06-23
VMware	Unknown	2009-06-29	2009-06-29
Vyatta	Unknown	2009-06-23	2009-06-23
Watchguard Technologies, Inc.	Unknown	2009-06-23	2009-06-23
Wind River Systems, Inc.	Not Vulnerable	2009-06-23	2009-06-29
ZyXEL	Unknown	2009-06-23	2009-06-23

References

https://www.isc.org/node/468

Credit

This vulnerability was reported by ISC, who in turn credit the Mandriva Linux Engineering Team with discovering and reporting the vulnerability.

This document was written by Will Dormann.

Other Information

Date Public:	2009-07-14
Date First Published:	2009-07-14
Date Last Updated:	2009-07-16
CERT Advisory:
CVE-ID(s):	CVE-2009-0692
NVD-ID(s):	CVE-2009-0692
US-CERT Technical Alerts:
Metric:	19.95
Document Revision:	27

VU#443060: Mozilla Firefox 3.5 TraceMonkey JavaScript engine uninitialized memory vulnerability

US-CERT — Tue, 14 Jul 2009 01:09:51 -0700

2009-07-14T08:09:51-04:00

Vulnerability Note VU#443060

Mozilla Firefox 3.5 TraceMonkey JavaScript engine uninitialized memory vulnerability

Overview

Mozilla Firefox's javascript engine contains a vulnerability that may allow an attacker to execute code.

I. Description

Mozilla Firefox version 3.5 contains a vulnerability in the TraceMonkey components of Firefox's JavaScript engine.

Per Mozilla Bug Bug 503286:
"This is a JS engine bug dealing with deep bailing not properly restoring the return value from the result of the (fast native) escape function. We then try to do something with the uninitialized memory and crash in the interpreter."

Note that proof of concept code that demonstrates issue this is publicly available.

II. Impact

A remote, unauthenticated attacker may be able to execute arbitrary code or cause Firefox to crash.

III. Solution

Firefox 3.5.1 has been released to address this issue. See Mozilla Foundation Security Advisory 2009-41 for more information. Until updates can be applied, the below workarounds may mitigate this issue.

Disable TraceMonkey

To disable the vulnerable components, use the about:config interface to set javascript.options.jit.content and javascript.options.jit.chrome to false. This will still allow JavaScript to run, but it will disable the TraceMonkey performance enhancements.

Use NoScript

Using the Mozilla Firefox NoScript extension to whitelist web sites that can run scripts will help to mitigate this vulnerability. Further details for configuring NoScript are available in the Securing Your Web Browser document.

Disable JavaScript

For instructions on how to disable JavaScript in Firefox, please refer to the Firefox section of the Securing Your Web Browser document.

Systems Affected

Vendor	Status	Date Notified	Date Updated
Mozilla	Vulnerable		2009-07-14

References

http://www.mozilla.org/security/announce/2009/mfsa2009-41.html
http://blog.mozilla.com/security/2009/07/14/critical-javascript-vulnerability-in-firefox-35/
https://bugzilla.mozilla.org/show_bug.cgi?id=503286
http://milw0rm.com/exploits/9137
http://kb.mozillazine.org/Firefox_:_FAQs_:_About:config_Entries
http://voices.washingtonpost.com/securityfix/2009/07/stopgap_fix_for_critical_firef.html?wprss=securityfix

Credit

Information from zbyte, Mozilla, and other sources was used in this report.

This document was written by Ryan Giobbi.

Other Information

Date Public:	2009-07-09
Date First Published:	2009-07-14
Date Last Updated:	2009-07-17
CERT Advisory:
CVE-ID(s):
NVD-ID(s):
US-CERT Technical Alerts:
Metric:	40.50
Document Revision:	21

VU#180513: Microsoft Video ActiveX control stack buffer overflow

US-CERT — Mon, 06 Jul 2009 10:16:50 -0700

2009-07-06T17:16:50-04:00

Vulnerability Note VU#180513

Microsoft Video ActiveX control stack buffer overflow

Overview

The Microsoft Video ActiveX control contains a stack buffer overflow vulnerability, which can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

I. Description

Microsoft Windows comes with an ActiveX component called "ActiveX control for streaming video," which is provided by msvidctl.dll. This component provides a number of Class Identifiers (CLSIDs) that are marked as Safe for Scripting and Safe for Initialization, which means that they can be used by Internet Explorer. The ActiveX controls provided by msvidctl.dll fail to properly handle file input, which can result in stack memory corruption. This can allow the Structured Exception Handler (SEH) to be overwritten, thus allowing subversion of the program execution flow.

II. Impact

By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary code with the privileges of the user.

III. Solution

Microsoft has released an update to address this issue. See Microsoft Security Bulletin MS09-032 for more information.

Disable the vulnerable ActiveX controls

Microsoft Security Advisory (972890) explains how to disable the 45 ActiveX controls provided by msvidctl.dll to mitigate this vulnerability. A Microsoft Fix it application is provided in Microsoft Knowledgebase article 972890 to disable these controls.

Disable ActiveX

Disabling ActiveX controls in the Internet Zone (or any zone used by an attacker) appears to prevent exploitation of this and other ActiveX vulnerabilities. Instructions for disabling ActiveX in the Internet Zone can be found in the "Securing Your Web Browser" document.

Systems Affected

Vendor	Status	Date Notified	Date Updated
Microsoft Corporation	Vulnerable		2009-07-15

References

http://www.cert.org/tech_tips/securing_browser/
http://www.microsoft.com/technet/security/advisory/972890.mspx
http://support.microsoft.com/kb/972890
http://dvlabs.tippingpoint.com/blog/2009/07/09/microsoft-video-activex-control-0day-technical-details
http://addxorrol.blogspot.com/2009/07/poking-around-msvidctldll.html
http://isc.sans.org/diary.html?storyid=6733
http://www.csis.dk/dk/nyheder/nyheder.asp?tekstID=799
http://blogs.technet.com/srd/archive/2009/07/06/new-vulnerability-in-mpeg2tunerequest-activex-control-object-in-msvidctl-dll.aspx
http://www.us-cert.gov/cas/techalerts/TA09-187A.html
http://www.us-cert.gov/cas/techalerts/TA09-195A.html
http://www.microsoft.com/technet/security/bulletin/ms09-032.mspx

Credit

This document was written by Will Dormann.

Other Information

Date Public:	2009-07-04
Date First Published:	2009-07-06
Date Last Updated:	2009-07-15
CERT Advisory:
CVE-ID(s):	CVE-2008-0015
NVD-ID(s):	CVE-2008-0015
US-CERT Technical Alerts:	TA09-187A; TA09-195A
Metric:	65.31
Document Revision:	24

VU#251793: Foxit Reader contains multiple vulnerabilities in the processing of JPX data

US-CERT — Fri, 19 Jun 2009 03:12:47 -0700

2009-06-19T10:12:47-04:00

Vulnerability Note VU#251793

Foxit Reader contains multiple vulnerabilities in the processing of JPX data

Overview

Foxit Reader contains multiple vulnerabilities that may allow an attacker to execute arbitrary code.

I. Description

Foxit Reader is software designed to view Portable Document Format (PDF) files. Adobe also distributes the Adobe Acrobat Plug-In to allow users to view PDF files inside of a web browser. Foxit Reader contains multiple vulnerabilities in the handling of JPX (JPEG2000) streams. These vulnerabilities may result in memory corruption.

Note: Foxit Reader does not contain the ability to decode JPEG2000 data by default. The JPEG2000 / JBIG Decoder add-on must be installed for Foxit Reader to be vulnerable. When Foxit Reader encounters a PDF document that has JPEG2000 or JBIG data, the user will automatically be prompted to install the add-on, however.

II. Impact

By convincing a user to open a malicious PDF file, an attacker may be able to execute code or cause a vulnerable PDF viewer to crash. The PDF could be emailed as an attachment or hosted on a website.

III. Solution

Apply an update

This issue is addressed in Foxit Reader 3.0 Build 1817. Updating to this version should trigger the process to upgrade the JPEG2000 / JBIG Decoder component to be updated to version 2.0.2009.616 if a vulnerable version is already installed. Additional details are available in the Foxit Reader security advisory.

Disable JavaScript in Foxit Reader

Disabling JavaScript may help prevent this and other vulnerabilities from being exploited. Foxit Reader JavaScript can be disabled in the preferences dialog (Edit -> Preferences -> JavaScript and uncheck Enable JavaScript Actions). Note that this will not block the vulnerability. Foxit Reader still may crash when parsing specially crafted PDF documents.

Prevent Internet Explorer from automatically opening PDF documents

The installer for Foxit Reader configures Internet Explorer to automatically open PDF files without any user interaction. This behavior can be reverted to the safer option of prompting the user by importing the following as a .REG file:

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\FoxitReader.Document]

"EditFlags"=hex:00,00,00,00

Disable the displaying of PDF documents in the web browser

Preventing PDF documents from opening inside a web browser may help mitigate this vulnerability. If this workaround is applied to updated versions of the Foxit reader, it may help mitigate future vulnerabilities.

To prevent PDF documents from automatically being opened in a web browser:

Open Foxit Reader.
Open the Edit menu.
Choose the Preferences option.
Choose the Internet section.
Uncheck the "Display PDF in browser" check box.

Do not access PDF documents from untrusted sources

Do not open unfamiliar or unexpected PDF documents, particularly those hosted on web sites or delivered as email attachments. Please see Cyber Security Tip ST04-010.

Systems Affected

Vendor	Status	Date Notified	Date Updated
Foxit Software Company	Vulnerable	2009-06-02	2009-06-19

References

http://www.foxitsoftware.com/pdf/reader/
http://www.foxitsoftware.com/pdf/reader/security.htm#0602
http://www.foxitsoftware.com/downloads/addons/jpg_decoder2.0.20096.html

Credit

This vulnerability was reported by Will Dormann of the CERT/CC.

This document was written by Will Dormann.

Other Information

Date Public:	2009-06-19
Date First Published:	2009-06-19
Date Last Updated:	2009-06-19
CERT Advisory:
CVE-ID(s):	CVE-2009-0690; CVE-2009-0691
NVD-ID(s):	CVE-2009-0690 CVE-2009-0691
US-CERT Technical Alerts:
Metric:	1.02
Document Revision:	10

VU#568153: Adobe Reader contains multiple vulnerabilities in the processing of JPX data

US-CERT — Tue, 09 Jun 2009 09:18:46 -0700

2009-06-09T16:18:46-04:00

Vulnerability Note VU#568153

Adobe Reader contains multiple vulnerabilities in the processing of JPX data

Overview

Adobe Reader and Acrobat contain multiple vulnerabilities that may allow an attacker to execute arbitrary code.

I. Description

Adobe Acrobat Reader is software designed to view Portable Document Format (PDF) files. Adobe also distributes the Adobe Acrobat Plug-In to allow users to view PDF files inside of a web browser. Adobe Reader and Acrobat contain multiple vulnerabilities in the handling of JPX (JPEG2000) streams. These vulnerabilities may result in heap memory corruption.

II. Impact

By convincing a user to open a malicious PDF file, an attacker may be able to execute code or cause a vulnerable PDF viewer to crash. The PDF could be emailed as an attachment or hosted on a website.

III. Solution

Apply an update

This issue is addressed in Adobe Reader and Acrobat versions 9.1.2, 8.1.6, and 7.1.3. More details are available in Adobe Security Bulletin APSB09-07 .

Disable JavaScript in Adobe Reader and Acrobat

Disabling JavaScript may prevent this vulnerability from being exploited. Acrobat JavaScript can be disabled in the preferences dialog (Edit -> Preferences -> JavaScript and uncheck Enable Acrobat JavaScript). Note that this will not block the vulnerability. Adobe products still may crash when parsing specially crafted PDF documents. Disabling JavaScript will mitigate a common method used to achieve code execution with this vulnerability. Also note that when JavaScript is disabled in Adobe Reader, the software will prompt the user to enable JavaScript when it opens a document that uses the feature. So although JavaScript is a single click away, setting this preference can help mitigate exploits that use JavaScript.

Some vendors ship JavaScript support in a separate package. Removing this package may remove JavaScript support in the Adobe PDF reader.

Prevent Internet Explorer from automatically opening PDF documents

The installer for Adobe Reader and Acrobat configures Internet Explorer to automatically open PDF files without any user interaction. This behavior can be reverted to the safer option of prompting the user by importing the following as a .REG file:

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\AcroExch.Document.7]

"EditFlags"=hex:00,00,00,00

Disable the displaying of PDF documents in the web browser

Preventing PDF documents from opening inside a web browser may mitigate this vulnerability. If this workaround is applied to updated versions of the Adobe reader, it may mitigate future vulnerabilities.

To prevent PDF documents from automatically being opened in a web browser:

Open Adobe Acrobat Reader.
Open the Edit menu.
Choose the Preferences option.
Choose the Internet section.
Uncheck the "Display PDF in browser" check box.

Disable Adobe Acrobat Windows Shell integration

Adobe Acrobat and Reader integrate themselves with the Windows shell. The file pdfshell.dll is used to configure Windows Explorer to launch Adobe components to render, preview, and obtain details from a PDF document, all without actually opening the PDF document itself. Windows shell integration for Adobe Acrobat and Reader can be disabled by unregistering the pdfshell.dll by running the following command:

regsvr32 /u "%CommonProgramFiles%\Adobe\Acrobat\ActiveX\pdfshell.dll"

Disable the Adobe Acrobat Indexing Service filter

Adobe Reader and Adobe Acrobat install an Indexing Service filter that is used to parse PDF files. These filters are provided by AcroRdIF.dll and AcroIF.dll, respectively. When an application that uses the Adobe IFilters indexes a malicious PDF document, the vulnerability may be triggered. This attack vector can be mitigated by unregistering the Adobe IFilter files.
Adobe Acrobat users should locate the Acrobat directory and run: regsvr32 /u AcroIF.dll
Adobe Reader users should locate the Adobe Reader directory and run: regsvr32 /u AcroRdIF.dll

Note: After disabling the Windows shell integration or the Indexing Service filter by unregistering the appropriate DLL, the Windows Installer MSI resiliency feature may trigger a "repair" of those features when an advertised shortcut for Adobe Reader is clicked. To prevent this from occurring, delete the Adobe Reader icon from the Windows start menu and then re-create a normal, non-advertised shortcut. More details are available in the CERT/CC Vulnerability Analysis Blog.

Do not access PDF documents from untrusted sources

Do not open unfamiliar or unexpected PDF documents, particularly those hosted on web sites or delivered as email attachments. Please see Cyber Security Tip ST04-010.

Systems Affected

Vendor	Status	Date Notified	Date Updated
Adobe	Vulnerable	2009-05-08	2009-06-09

References

http://www.us-cert.gov/cas/tips/ST04-010.html
http://www.cert.org/tech_tips/securing_browser/
http://www.cert.org/blogs/vuls/2009/03/windows_installer_application.html
http://www.adobe.com/support/security/bulletins/apsb09-07.html

Credit

This vulnerability was reported by Will Dormann of the CERT/CC.

This document was written by Will Dormann.

Other Information

Date Public:	2009-06-09
Date First Published:	2009-06-09
Date Last Updated:	2009-06-17
CERT Advisory:
CVE-ID(s):	CVE-2009-1861
NVD-ID(s):	CVE-2009-1861
US-CERT Technical Alerts:
Metric:	2.89
Document Revision:	13

VU#983731: eBay Enhanced Picture Uploader ActiveX control vulnerable to arbitrary command execution

US-CERT — Tue, 09 Jun 2009 07:01:52 -0700

2009-06-09T14:01:52-04:00

Vulnerability Note VU#983731

eBay Enhanced Picture Uploader ActiveX control vulnerable to arbitrary command execution

Overview

The eBay Enhanced Picture Uploader ActiveX control allows arbitrary commands to be executed.

I. Description

The eBay Enhanced Picture Uploader ActiveX control is used by the eBay web site to give Internet Explorer users additional functionality when uploading pictures to an auction. This ActiveX control is provided by the file EPUWALcontrol.dll. If an attacker provides a specially-crafted PictureUrls property or initialization parameter, the ActiveX control will execute the commands that are specified.

II. Impact

By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML email message or attachment), an attacker may be able to execute arbitrary commands with the privileges of the user.

III. Solution

Apply an update

This update is addressed in version 1.0.27 of the Ebay Enhanced Picture Control software. This update can be obtained by visiting the eBay web site, creating a new auction and uploading images with the Internet Explorer web browser. This control is also disabled in Internet Explorer with the update for Microsoft Security Advisory (969898). Please see the eBay security center announcement for additional details.

Please also consider the following workarounds:

Disable the eBay Enhanced Picture Uploader ActiveX control in Internet Explorer

The vulnerable ActiveX control can be disabled in Internet Explorer by setting the kill bit for the following CLSIDs:

{4C39376E-FA9D-4349-BACC-D305C1750EF3}

{C3EB1670-84E0-4EDA-B570-0B51AAE81679}

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\

{4C39376E-FA9D-4349-BACC-D305C1750EF3}

]

"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\

{C3EB1670-84E0-4EDA-B570-0B51AAE81679}

]

"Compatibility Flags"=dword:00000400

Systems Affected

Vendor	Status	Date Notified	Date Updated
eBay	Vulnerable	2008-08-27	2009-06-09

References

http://www.cert.org/tech_tips/securing_browser/#Internet_Explorer
http://pages.ebay.com/securitycenter/activex/index.html
http://www.microsoft.com/technet/security/advisory/969898.mspx
http://support.microsoft.com/kb/240797

Credit

Thanks to Chris Weber of Casaba Security for reporting this vulnerability.

This document was written by Will Dormann.

Other Information

Date Public:	2009-06-09
Date First Published:	2009-06-09
Date Last Updated:	2009-06-09
CERT Advisory:
CVE-ID(s):	CVE-2008-2475
NVD-ID(s):	CVE-2008-2475
US-CERT Technical Alerts:
Metric:	7.36
Document Revision:	9

VU#710316: NSD vulnerable to one-byte overflow

US-CERT — Wed, 20 May 2009 09:06:16 -0700

2009-05-20T16:06:16-04:00

Vulnerability Note VU#710316

NSD vulnerable to one-byte overflow

Overview

A vulnerability exists in the way NSD processes certain types of packets that may lead to a one-byte buffer overflow.

I. Description

Name server daemon (NSD) is an open source name server developed by NLnet Labs. NSD contains an off-by-one error that can cause a one-byte buffer overflow when certain packets are processed. The vulnerability exits in the packet_read_query_section() function in packet.c in versions 3.x and in the process_query_section() function in query.c in versions 2.x.

Note that this issue affects NSD versions 2.0.0 through 3.2.1.

II. Impact

A remote, unauthenticated attacker may be able to cause the DNS software to crash resulting in a denial-of-service condition.

III. Solution

Apply patch

NLnet Labs has released NSD version 3.2.2 and patches for versions 3.2.1 and 2.3.7. More information and links to these patches can be found in NLnet Labs NSD Announcement.

Users are encouraged to check with their vendor to determine the appropriate patch or update to apply.

Systems Affected

Vendor	Status	Date Notified	Date Updated
3com, Inc.	Unknown	2009-05-19	2009-05-19
ACCESS	Unknown	2009-05-19	2009-05-19
Alcatel-Lucent	Unknown	2009-05-19	2009-05-19
Apple Computer, Inc.	Not Vulnerable	2009-05-19	2009-05-20
AT&T	Unknown	2009-05-19	2009-05-19
Avaya, Inc.	Unknown	2009-05-19	2009-05-19
Barracuda Networks	Unknown	2009-05-19	2009-05-19
Belkin, Inc.	Unknown	2009-05-19	2009-05-19
Borderware Technologies	Unknown	2009-05-19	2009-05-19
Bro	Unknown	2009-05-19	2009-05-19
Charlotte's Web Networks	Unknown	2009-05-19	2009-05-19
Check Point Software Technologies	Unknown	2009-05-19	2009-05-19
Cisco Systems, Inc.	Unknown	2009-05-19	2009-05-19
Clavister	Unknown	2009-05-19	2009-05-19
Computer Associates	Not Vulnerable	2009-05-19	2009-05-22
Computer Associates eTrust Security Management	Not Vulnerable	2009-05-19	2009-05-22
Conectiva Inc.	Unknown	2009-05-19	2009-05-19
Cray Inc.	Not Vulnerable	2009-05-19	2009-05-20
Debian GNU/Linux	Vulnerable	2009-05-19	2009-05-20
DragonFly BSD Project	Unknown	2009-05-19	2009-05-19
EMC Corporation	Unknown	2009-05-19	2009-05-19
Engarde Secure Linux	Unknown	2009-05-19	2009-05-19
Enterasys Networks	Unknown	2009-05-19	2009-05-19
Ericsson	Not Vulnerable	2009-05-19	2009-05-20
eSoft, Inc.	Unknown	2009-05-19	2009-05-19
Extreme Networks	Not Vulnerable	2009-05-19	2009-05-22
F5 Networks, Inc.	Unknown	2009-05-19	2009-05-19
Fedora Project	Unknown	2009-05-19	2009-05-19
Force10 Networks, Inc.	Unknown	2009-05-19	2009-05-19
Fortinet, Inc.	Unknown	2009-05-19	2009-05-19
Foundry Networks, Inc.	Unknown	2009-05-19	2009-05-19
FreeBSD, Inc.	Unknown	2009-05-19	2009-05-19
Gentoo Linux	Not Vulnerable	2009-05-19	2009-05-22
Global Technology Associates	Unknown	2009-05-19	2009-05-19
Hewlett-Packard Company	Unknown	2009-05-19	2009-05-19
Hitachi	Unknown	2009-05-19	2009-05-19
IBM Corporation	Unknown	2009-05-19	2009-05-19
IBM eServer	Unknown	2009-05-19	2009-05-19
Internet Security Systems, Inc.	Unknown	2009-05-19	2009-05-19
Intoto	Unknown	2009-05-19	2009-05-19
IP Filter	Unknown	2009-05-19	2009-05-19
Juniper Networks, Inc.	Unknown	2009-05-19	2009-05-19
Luminous Networks	Unknown	2009-05-19	2009-05-19
m0n0wall	Unknown	2009-05-19	2009-05-19
Mandriva S. A.	Unknown	2009-05-19	2009-05-19
McAfee	Unknown	2009-05-19	2009-05-19
MontaVista Software, Inc.	Unknown	2009-05-19	2009-05-19
Multitech, Inc.	Unknown	2009-05-19	2009-05-19
NEC Corporation	Unknown	2009-05-19	2009-05-19
NetApp	Unknown	2009-05-19	2009-05-19
NetBSD	Unknown	2009-05-19	2009-05-19
netfilter	Unknown	2009-05-19	2009-05-19
NLnet Labs	Unknown	2009-05-28	2009-05-28
Nokia	Unknown	2009-05-19	2009-05-19
Nortel Networks, Inc.	Unknown	2009-05-19	2009-05-19
Novell, Inc.	Unknown	2009-05-19	2009-05-19
OpenBSD	Unknown	2009-05-19	2009-05-19
Openwall GNU/*/Linux	Unknown	2009-05-19	2009-05-19
PePLink	Not Vulnerable	2009-05-19	2009-05-20
Process Software	Unknown	2009-05-19	2009-05-19
Q1 Labs	Not Vulnerable	2009-05-19	2009-06-01
QNX, Software Systems, Inc.	Unknown	2009-05-19	2009-05-19
Quagga	Unknown	2009-05-19	2009-05-19
RadWare, Inc.	Unknown	2009-05-19	2009-05-19
Red Hat, Inc.	Not Vulnerable	2009-05-19	2009-05-20
Redback Networks, Inc.	Unknown	2009-05-19	2009-05-19
SafeNet	Not Vulnerable	2009-05-19	2009-05-22
Secureworx, Inc.	Unknown	2009-05-19	2009-05-19
Silicon Graphics, Inc.	Unknown	2009-05-19	2009-05-19
Slackware Linux Inc.	Unknown	2009-05-19	2009-05-19
SmoothWall	Unknown	2009-05-19	2009-05-19
Snort	Unknown	2009-05-19	2009-05-19
Soapstone Networks	Unknown	2009-05-19	2009-05-19
Sony Corporation	Unknown	2009-05-19	2009-05-19
Sourcefire	Unknown	2009-05-19	2009-05-19
Stonesoft	Unknown	2009-05-19	2009-05-19
Sun Microsystems, Inc.	Not Vulnerable	2009-05-19	2009-05-20
SUSE Linux	Unknown	2009-05-19	2009-05-19
Symantec	Unknown	2009-05-19	2009-05-19
The SCO Group	Not Vulnerable	2009-05-19	2009-05-20
TippingPoint, Technologies, Inc.	Unknown	2009-05-19	2009-05-19
Turbolinux	Unknown	2009-05-19	2009-05-19
U4EA Technologies, Inc.	Unknown	2009-05-19	2009-05-19
Ubuntu	Unknown	2009-05-19	2009-05-19
Unisys	Unknown	2009-05-19	2009-05-19
Vyatta	Unknown	2009-05-19	2009-05-19
Watchguard Technologies, Inc.	Unknown	2009-05-19	2009-05-19
Wind River Systems, Inc.	Unknown	2009-05-19	2009-05-19
ZyXEL	Unknown	2009-05-19	2009-05-19

References

http://www.nlnetlabs.nl/publications/NSD_vulnerability_announcement.html

Credit

This issue was reported in NLnet Labs NSD Announcement.

This document was written by Chris Taschner.

Other Information

Date Public:	2009-05-18
Date First Published:	2009-05-20
Date Last Updated:	2009-06-01
CERT Advisory:
CVE-ID(s):
NVD-ID(s):
US-CERT Technical Alerts:
Metric:	8.40
Document Revision:	10

VU#787932: Microsoft IIS WebDAV Remote Authentication Bypass

US-CERT — Tue, 19 May 2009 10:00:53 -0700

2009-05-19T17:00:53-04:00

Vulnerability Note VU#787932

Microsoft IIS WebDAV Remote Authentication Bypass

Overview

A vulnerability exists in the way Microsoft Internet Information Server (IIS) handles unicode tokens that may allow authentication bypass.

I. Description

Web-based Distributed Authoring and Versioning (WebDAV) is a set of HTTP extensions that allow collaborative management and editing of files collected on remote servers. The way that Microsoft IIS's implementation of WebDAV handles unicode tokens may allow authentication bypass. According to Nikolaos Rangos:

The specific flaw exists within the WebDAV functionality of IIS 6.0. The Web Server fails to properly handle unicode tokens when parsing the URI and sending back data.

According to Thierry Zoller:
The bug discovered by Rangos seems to suffer from a similar logic mistake when requesting source (translate:f) that has been introduced in the Webdav component. It appears that unicode characters are removed after the security checks.

Note that this issue affects IIS versions prior to 7.0

II. Impact

A remote attacker may be able to bypass the access restrictions and list, download, upload and modify protected files.

III. Solution

We are currently unaware of a practical solution to this problem. Please consider the following workarounds:

Disable WebDAV
Disabling WebDAV prevents this vulnerability from being exploited and reduces attack surface. WebDAV functionality is disabled by default in IIS version 6.0 on systems that have not had services that utilize WebDAV installed.

Please note that disabling WebDAV may affect the functionality of other applications such as SharePoint.

Filter external HTTP requests
Administrators who are unable to disable WebDAV may be able to mitigate some risk by configuring their IDS to refuse external HTTP requests containing "Translate: f" HTTP headers.

Please see Microsoft Security Advisory 971492 for further mitigation information.

Systems Affected

Vendor	Status	Date Notified	Date Updated
Microsoft Corporation	Vulnerable		2009-05-19

References

http://seclists.org/fulldisclosure/2009/May/0134.html
http://blog.zoller.lu/2009/05/iis-6-webdac-auth-bypass-and-data.html
http://milw0rm.com/exploits/8704
http://www.microsoft.com/technet/security/advisory/971492.mspx

Credit

This vulnerability was publicly disclosed by Nikolaos Rangos.

This document was written by Chris Taschner.

Other Information

Date Public:	2009-03-12
Date First Published:	2009-05-19
Date Last Updated:	2009-05-20
CERT Advisory:
CVE-ID(s):	CVE-2009-1535
NVD-ID(s):	CVE-2009-1535
US-CERT Technical Alerts:
Metric:	0.00
Document Revision:	17

VU#853097: ntpd autokey stack buffer overflow

US-CERT — Mon, 18 May 2009 03:02:07 -0700

2009-05-18T10:02:07-04:00

Vulnerability Note VU#853097

ntpd autokey stack buffer overflow

Overview

ntpd contains a stack buffer overflow, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system or create a denial of service.

I. Description

NTP (Network Time Protocol) is a method by which client machines can synchronize the local date and time with a reference server. ntpd, which is the NTP daemon, contains a stack buffer overflow when it is compiled with OpenSSL support. The vulnerability is caused by the use of sprintf() in the crypto_recv() function in ntpd/ntp_crypto.c. The vulnerable code is reachable if ntpd is configured to use autokey. This vulnerable configuration is indicated by a crypto pw password line in the ntp.conf file, where password is the password that has been configured.

II. Impact

A remote, unauthenticated attacker may be able to execute arbitrary code with the privileges of the ntpd daemon.

III. Solution

Apply an update

This issue is addressed in ntp 4.2.4p7 and 4.2.5p74.

Disable autokey

This vulnerability can be mitigated by removing the crypto pw passwordline from the ntp.conf file.

Systems Affected

Vendor	Status	Date Notified	Date Updated
Apple Computer, Inc.	Unknown	2009-05-06	2009-05-06
Conectiva Inc.	Unknown	2009-05-06	2009-05-06
Cray Inc.	Not Vulnerable	2009-05-06	2009-05-08
Debian GNU/Linux	Vulnerable	2009-05-06	2009-05-11
DragonFly BSD Project	Not Vulnerable	2009-05-06	2009-05-07
EMC Corporation	Unknown	2009-05-06	2009-05-06
Engarde Secure Linux	Unknown	2009-05-06	2009-05-06
F5 Networks, Inc.	Unknown	2009-05-06	2009-05-06
Fedora Project	Unknown	2009-05-06	2009-05-06
FreeBSD, Inc.	Vulnerable	2009-05-06	2009-05-15
Fujitsu	Unknown	2009-05-06	2009-05-06
Gentoo Linux	Vulnerable	2009-05-07	2009-05-20
Hewlett-Packard Company	Unknown	2009-05-06	2009-05-06
Hitachi	Unknown	2009-05-06	2009-05-06
IBM Corporation	Unknown	2009-05-06	2009-05-06
IBM Corporation (zseries)	Unknown	2009-05-06	2009-05-06
IBM eServer	Unknown	2009-05-06	2009-05-06
Ingrian Networks, Inc.	Unknown	2009-05-06	2009-05-06
Juniper Networks, Inc.	Not Vulnerable	2009-05-06	2009-05-15
Mandriva S. A.	Unknown	2009-05-06	2009-05-06
Microsoft Corporation	Not Vulnerable	2009-05-06	2009-05-07
MontaVista Software, Inc.	Unknown	2009-05-06	2009-05-06
NEC Corporation	Unknown	2009-05-06	2009-05-06
Nokia	Unknown	2009-05-06	2009-05-06
Novell, Inc.	Unknown	2009-05-06	2009-05-06
Openwall GNU/*/Linux	Unknown	2009-05-06	2009-05-06
QNX, Software Systems, Inc.	Unknown	2009-05-06	2009-05-06
Red Hat, Inc.	Vulnerable	2009-05-06	2009-05-18
SafeNet	Not Vulnerable	2009-05-12	2009-05-15
Silicon Graphics, Inc.	Unknown	2009-05-06	2009-05-06
Slackware Linux Inc.	Unknown	2009-05-06	2009-05-06
Sony Corporation	Unknown	2009-05-06	2009-05-06
Sun Microsystems, Inc.	Unknown	2009-05-06	2009-05-13
SUSE Linux	Vulnerable	2009-05-06	2009-07-31
The SCO Group	Not Vulnerable	2009-05-06	2009-05-12
Turbolinux	Unknown	2009-05-06	2009-05-06
Ubuntu	Vulnerable	2009-05-06	2009-05-20
Unisys	Unknown	2009-05-06	2009-05-06
Wind River Systems, Inc.	Unknown	2009-05-06	2009-05-06

References

http://www.ntp.org/downloads.html
https://rhn.redhat.com/errata/RHSA-2009-1039.html
http://www.ubuntu.com/usn/usn-777-1
http://bugs.gentoo.org/show_bug.cgi?id=268962
http://xorl.wordpress.com/2009/06/10/freebsd-sa-0911-ntpd-remote-stack-based-buffer-overflows/

Credit

This vulnerability was reported by Harlan Stenn of the NTP Forum at ISC (ntpforum.isc.org), who in turn credits Chris Ries of CMU.

This document was written by Will Dormann.

Other Information

Date Public:	2009-05-18
Date First Published:	2009-05-18
Date Last Updated:	2009-07-31
CERT Advisory:
CVE-ID(s):	CVE-2009-1252
NVD-ID(s):	CVE-2009-1252
US-CERT Technical Alerts:
Metric:	9.45
Document Revision:	31

VU#238019: Cyrus SASL library buffer overflow vulnerability

US-CERT — Thu, 14 May 2009 08:16:00 -0700

2009-05-14T15:16:00-04:00

Vulnerability Note VU#238019

Cyrus SASL library buffer overflow vulnerability

Overview

The Cyrus SASL library contains a buffer overflow vulnerability that could allow an attacker to execute code or cause a vulnerable program to crash.

I. Description

SASL (Simple Authentication and Security Layer) is a method for adding authentication support to various protocols. SASL is commonly used by mail servers to request authentication from clients and by clients to authenticate to servers.

The sasl_encode64() function converts a string into base64. The Cyrus SASL library contains buffer overflows that occur because of unsafe use of the sasl_encode64() function.

II. Impact

A remote attacker might be able to execute code, or cause any programs relying on SASL to crash or be unavailable.

III. Solution

Upgrade

Cyrus SASL 2.1.23 has been released to address this issue. Before releasing fixed binaries, maintainers are encouraged to review the Cyrus vendor statement associated with this note.

Systems Affected

Vendor	Status	Date Notified	Date Updated
Conectiva Inc.	Unknown	2009-04-28	2009-04-28
Cray Inc.	Unknown	2009-04-28	2009-04-28
Cyrus-IMAP	Vulnerable		2009-05-13
Debian GNU/Linux	Unknown	2009-04-28	2009-04-28
Engarde Secure Linux	Unknown	2009-04-28	2009-04-28
Fedora Project	Unknown	2009-04-28	2009-04-28
Gentoo Linux	Vulnerable	2009-04-28	2009-05-20
Hewlett-Packard Company	Unknown	2009-04-28	2009-04-28
IBM Corporation (zseries)	Unknown	2009-04-28	2009-04-28
IBM eServer	Unknown	2009-04-28	2009-04-28
Ingrian Networks, Inc.	Unknown	2009-04-28	2009-04-28
Juniper Networks, Inc.	Unknown	2009-05-18	2009-05-18
Mandriva S. A.	Unknown	2009-04-28	2009-04-28
MontaVista Software, Inc.	Unknown	2009-04-28	2009-04-28
Novell, Inc.	Unknown	2009-04-28	2009-04-28
Openwall GNU/*/Linux	Unknown	2009-04-28	2009-04-28
Red Hat, Inc.	Vulnerable	2009-04-28	2009-05-14
SafeNet	Not Vulnerable	2009-05-13	2009-06-15
Slackware Linux Inc.	Unknown	2009-04-28	2009-04-28
Sun Microsystems, Inc.	Vulnerable	2009-04-28	2009-05-14
SUSE Linux	Unknown	2009-04-28	2009-04-28
The SCO Group	Vulnerable	2009-04-28	2009-05-15
Turbolinux	Unknown	2009-04-28	2009-04-28
Ubuntu	Unknown	2009-04-28	2009-04-28

References

ftp://ftp.andrew.cmu.edu/pub/cyrus-mail/cyrus-sasl-2.1.23.tar.gz
http://xorl.wordpress.com/2009/05/18/cve-2009-0688-cmu-cyrus-sasl-off-by-one-overflow/
http://en.wikipedia.org/w/index.php?title=Base64&oldid=285664115

Credit

Thanks to James Ralston for reporting this issue and providing technical information.

This document was written by Ryan Giobbi.

Other Information

Date Public:	2009-04-08
Date First Published:	2009-05-14
Date Last Updated:	2009-06-15
CERT Advisory:
CVE-ID(s):	CVE-2009-0688
NVD-ID(s):	CVE-2009-0688
US-CERT Technical Alerts:
Metric:	4.04
Document Revision:	24

VU#576996: NuPoint Messenger server transmits authentication credentials in plain text

US-CERT — Tue, 05 May 2009 23:31:31 -0700

2009-05-06T06:31:31-04:00

Vulnerability Note VU#576996

NuPoint Messenger server transmits authentication credentials in plain text

Overview

NuPoint Messenger is a unified communications product that connects to a Microsoft Exchange server. When communicating with the mail server the NuPoint Messenger server transmits Exchange usernames and passwords in cleartext.

I. Description

The NuPoint Messenger server can connect to a Microsoft Exchange server via the IMAP or MAPI protocols. During the authentication process, the NuPoint server will send user domain authentication credentials in cleartext to the Exchange server. Older versions of the NuPoint Messenger product may transmit the NuPoint server's root password without encryption instead of individual usernames and passwords. Administrators are encouraged review the "NuPoint communication with MS Exchange" document for more information.

II. Impact

An attacker with access to network data may be able to obtain domain (Exchange) usernames and passwords.

III. Solution

There is no solution to this issue. Administrators are encourgaed to review the below workarounds to mitigate the impact of this vulnerability.

Encrypt connections between NuPoint and Exchange Servers

If the MAPI protocol is enabled, connections from the NuPoint server will be encrypted.
Using IPSec or some other VPN technology to encrypt the connection between the NuPoint and Exchange server will mitigate this vulnerability.

Restrict access

The NuPoint Messenger server should not use IMAP to connect to remote Exchange servers. If IMAP is enabled, the NuPoint server should be directly connected to the same isolated network as the Exchange server that it is communicating with.

Systems Affected

Vendor	Status	Date Notified	Date Updated
Mitel Networks, Inc.	Vulnerable	2009-04-30	2009-05-05

References

http://www.mitel.com/resources/NuPoint_and_Exchange.pdf
http://en.wikipedia.org/w/index.php?title=Messaging_Application_Programming_Interface&oldid=276195526

Credit

Simon Laurin of Simon Laurin Services-Conseils inc. reported this issue and provided valuable feedback. Mitel provided technical information that was used in this report.

This document was written by Ryan Giobbi.

Other Information

Date Public:	2008-12-04
Date First Published:	2009-05-06
Date Last Updated:	2009-05-06
CERT Advisory:
CVE-ID(s):
NVD-ID(s):
US-CERT Technical Alerts:
Metric:	1.80
Document Revision:	23

TA09-195A: Microsoft Updates for Multiple Vulnerabilities

Microsoft Updates for Multiple Vulnerabilities

TA09-204A: Adobe Flash Vulnerability Affects Flash Player and Other Adobe Products

Adobe Flash Vulnerability Affects Flash Player and Other Adobe Products

TA09-209A: Microsoft Windows, Internet Explorer, and Active Template Library (ATL) Vulnerabilities

Microsoft Windows, Internet Explorer, and Active Template Library (ATL) Vulnerabilities

TA09-218A: Apple Updates for Multiple Vulnerabilities

Apple Updates for Multiple Vulnerabilities

TA09-223A: Microsoft Updates for Multiple Vulnerabilities

Microsoft Updates for Multiple Vulnerabilities

TA09-251A: Microsoft Updates for Multiple Vulnerabilities

Microsoft Updates for Multiple Vulnerabilities

TA09-286A: Microsoft Updates for Multiple Vulnerabilities

Microsoft Updates for Multiple Vulnerabilities

TA09-286B: Adobe Reader and Acrobat Vulnerabilities

Adobe Reader and Acrobat Vulnerabilities

TA09-294A: Oracle Updates for Multiple Vulnerabilities

Oracle Updates for Multiple Vulnerabilities

TA09-314A: Microsoft Updates for Multiple Vulnerabilities

Microsoft Updates for Multiple Vulnerabilities

SA09-160A: Microsoft Updates for Multiple Vulnerabilities

Microsoft Updates for Multiple Vulnerabilities

SA09-187A: Microsoft Video ActiveX Control Vulnerability

Microsoft Video ActiveX Control Vulnerability

SA09-195A: Microsoft Updates for Multiple Vulnerabilities

Microsoft Updates for Multiple Vulnerabilities

SA09-209A: Microsoft Windows and Internet Explorer Vulnerabilities

Microsoft Windows and Internet Explorer Vulnerabilities

SA09-218A: Apple Updates for Multiple Vulnerabilities

Apple Updates for Multiple Vulnerabilities

SA09-223A: Microsoft Updates for Multiple Vulnerabilities

Microsoft Updates for Multiple Vulnerabilities

SA09-251A: Microsoft Updates for Multiple Vulnerabilities

Microsoft Updates for Multiple Vulnerabilities

SA09-286A: Microsoft Updates for Multiple Vulnerabilities

Microsoft Updates for Multiple Vulnerabilities

SA09-286B: Multiple Vulnerabilities Affect Adobe Reader and Acrobat

Multiple Vulnerabilities Affect Adobe Reader and Acrobat

SA09-314A: Microsoft Updates for Multiple Vulnerabilities

Microsoft Updates for Multiple Vulnerabilities

SB09-264: Vulnerability Summary for the Week of September 14, 2009

Vulnerability Summary for the Week of September 14, 2009

SB09-271: Vulnerability Summary for the Week of September 21, 2009

Vulnerability Summary for the Week of September 21, 2009

SB09-278: Vulnerability Summary for the Week of September 28, 2009

Vulnerability Summary for the Week of September 28, 2009

SB09-285: Vulnerability Summary for the Week of October 5, 2009

Vulnerability Summary for the Week of October 5, 2009

SB09-292: Vulnerability Summary for the Week of October 12, 2009

Vulnerability Summary for the Week of October 12, 2009

SB09-299: Vulnerability Summary for the Week of October 19, 2009

Vulnerability Summary for the Week of October 19, 2009

SB09-306: Vulnerability Summary for the Week of October 26, 2009

Vulnerability Summary for the Week of October 26, 2009

SB09-313: Vulnerability Summary for the Week of November 2, 2009

Vulnerability Summary for the Week of November 2, 2009

SB09-320: Vulnerability Summary for the Week of November 9, 2009

Vulnerability Summary for the Week of November 9, 2009

SB09-327: Vulnerability Summary for the Week of November 16, 2009

Vulnerability Summary for the Week of November 16, 2009