Summary of Security Items from November 17 through November 23, 2005
Information in the US-CERT Cyber Security Bulletin is a compilation and includes information published by outside sources, therefore the information should not be considered the result of US-CERT analysis. Software vulnerabilities are categorized in the appropriate section reflecting the operating system on which the vulnerability was reported; however, this does not mean that the vulnerability only affects the operating system reported since this information is obtained from open-source information.
This bulletin provides a summary of new or updated vulnerabilities, exploits, trends, viruses, and trojans. Updates to vulnerabilities that appeared in previous bulletins are listed in bold text. The text in the Risk column appears in red for vulnerabilities ranking High. The risk levels applied to vulnerabilities in the Cyber Security Bulletin are based on how the "system" may be impacted. The Recent Exploit/Technique table contains a "Workaround or Patch Available" column that indicates whether a workaround or patch has been published for the vulnerability which the script exploits.
The table below summarizes vulnerabilities that have been identified, even if they are not being exploited. Complete details about patches or workarounds are available from the source of the information or from the URL provided in the section. CVE numbers are listed where applicable. Vulnerabilities that affect both Windows and Unix Operating Systems are included in the Multiple Operating Systems section.
Note: All the information included in the following tables has been discussed in newsgroups and on web sites.
The Risk levels defined below are based on how the system may be impacted:
Note: Even though a vulnerability may allow several malicious acts to be performed, only the highest level risk will be defined in the Risk column.
High - A high-risk vulnerability is defined as one that will allow an intruder to immediately gain privileged access (e.g., sysadmin or root) to the system or allow an intruder to execute code or alter arbitrary system files. An example of a high-risk vulnerability is one that allows an unauthorized user to send a sequence of instructions to a machine and the machine responds with a command prompt with administrator privileges.
Medium - A medium-risk vulnerability is defined as one that will allow an intruder immediate access to a system with less than privileged access. Such a vulnerability will allow the intruder the opportunity to continue the attempt to gain privileged access. An example of a medium-risk vulnerability is a server configuration error that allows an intruder to capture the password file.
Low - A low-risk vulnerability is defined as one that will provide information to an intruder that could lead to further compromise attempts or a Denial of Service (DoS) attack. It should be noted that while the DoS attack is deemed low from a threat potential, the frequency of this type of attack is very high. DoS attacks against mission-critical nodes are not included in this rating and any attack of this nature should instead be considered to be a "High" threat.
Multiple vulnerabilities have been reported in Winmail Server that could let remote malicious users conduct Cross-Site Scripting and arbitrarily manipulate files.
No workaround or patch available at time of publishing.
Currently we are not aware of any exploits for this vulnerability.
Cerberus FTP Server Denial of Service
Low
Secunia Advisory: SA17650, November 23, 2005
Costal Data Management
e-Quick Cart
An input validation vulnerability has been reported in e-Quick Cart that could let a remote malicious user conduct Cross-Site Scripting, perform SQL injection, or execute arbitrary code.
No workaround or patch available at time of publishing.
Security Tracker, Alert ID: 1015236, November 17, 2005
Hitachi
Cosminexus Collaboration, Groupmax Collaboration
A vulnerability has been reported in Cosminexus Collaboration and Groupmax Collaboration that could let remote malicious users conduct Cross-Site Scripting or cause a Denial of Service.
Cosminexus Collaboration and Groupmax Collaboration Cross-Site Scripting or Denial of Service
Medium
Hitachi, Software Vulnerability Information HS05-023, November 18, 2005
MailEnable Professional 1.6, Enterprise 1.1
A buffer overflow vulnerability has been reported in MailEnable that could let remote malicious users execute arbitrary code or cause a Denial of Service.
A vulnerability has been reported when validating the ownership of the cache directory, which could let a remote malicious user obtain elevated privileges.
Debian Security Advisory, DSA 811-1, September 14, 2005
Debian Security Advisory, DSA 811-2, November 21, 2005
Eric S Raymond
Fetchmail 6.x
A vulnerability has been reported in the 'fetchmailconf' configuration utility due to a race condition, which could let a malicious user obtain sensitive information.
A vulnerability has been reported due to a security weakness when extracting an archive to a world- or group-writable directory, which could let a malicious user modify file permissions.
Security Focus, Bugtraq ID: 15523, November 22, 2005
libpng
pnmtopng 2.38, 2.37.3-2.37.6
A buffer overflow vulnerability has been reported in 'Alphas_Of_Color' due to insufficient bounds checking of user-supplied data prior to copying it to an insufficiently sized memory buffer, which could let a remote malicious user execute arbitrary code.
Security Focus, Bugtraq ID: 15427, November 15, 2005
Debian Security Advisory, DSA 904-1, November 21, 2005
Ubuntu Security Notice, USN-218-1, November 21, 2005
Lite Speed Technologies
LiteSpeed Web Server 2.1.5
A Cross-Site Scripting vulnerability has been reported in 'admin/config/confMgr.php' due to insufficient sanitization of the 'm' parameter, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
Several vulnerabilities have been reported: a vulnerability was reported in the 'index.lok' lock file when indexing music files due to the insecure creation of temporary files, which could let a remote malicious user overwrite arbitrary files; and a Directory Traversal vulnerability was reported when processing certain CGI parameters and cookie values due to an input validation error, which could let a remote malicious user obtain sensitive information.
Ubuntu Security Notice, USN-192-1, September 30, 2005
Debian Security Advisory, DSA 828-1, September 30, 2005
Mandriva Linux Security Update Advisory, MDKSA-2005:181, October 11, 2005
SCO Security Advisory, SCOSA-2005.44, November 1, 2005
SUSE Security Summary Report, SUSE-SR:2005:025, November 4, 2005
SUSE Security Summary Report, SUSE-SR:2005:027, November 18, 2005
Multiple Vendors
Ubuntu Linux 5.10 powerpc, i386, amd64, 5.04 powerpc, i386, amd64, 4.1 ppc, ia64, ia32;
TouchTunes Rhapsody,
TouchTunes Maestro;
SuSE UnitedLinux 1.0, Novell Linux Desktop 9.0, Linux Professional 10.0 OSS, 10.0, 9.3 x86_64, 9.3, 9.2 x86_64, 9.2, 9.1 x86_64, 9.1, 9.0 x86_64, 9.0, Linux Personal 10.0 OSS, 9.3 x86_64, 9.3, 9.2 x86_64, 9.2, 9.1 x86_64, 9.1, 9.0 x86_64, 9.0, Linux Enterprise Server 9, 8, Linux Desktop 1.0;
RedHat Fedora Core4, Core3, Enterprise Linux WS 4, WS 3, WS 2.1 IA64, WS 2.1, ES 4, ES 3, 2.1 IA64, 2.1, AS 4, AS 3, AS 2.1 IA64, 2.1, Desktop 4.0, 3.0, Advanced Workstation for the Itanium Processor 2.1 IA64, 2.1; GTK+ 2.8.6, 2.6.4, 2.4.14, 2.4.13, 2.4.10, 2.4.9, 2.4.1, 2.2.4, 2.2.3;
GNOME GdkPixbuf 0.22;
Gentoo Linux; Ardour 0.99
Multiple vulnerabilities have been reported: an integer overflow vulnerability was reported in '/gtk+/gdk-pixbuf/io-xpm.c' due to insufficient validation of the 'n_col' value before using it to allocate memory, which could let a remote malicious user execute arbitrary code; a remote Denial of Service vulnerability was reported in '/gtk+/gdk-pixbuf/io-xpm.c' when processing an XPM file that contains a large number of colors; and an integer overflow vulnerability was reported in '/gtk+/gdk-pixbuf/io-xpm.c' when performing calculations using the height, width, and colors of an XPM file, which could let a remote malicious user execute arbitrary code or cause a Denial of Service.
Format string vulnerabilities have been reported in 'gda-log.c' due to format string errors in the 'gda_log_error()' and 'gda_log_message()' functions, which could let a remote malicious user execute arbitrary code.
Security Focus Bugtraq IDs: 15226 & 15228, October 28, 2005
Debian Security Advisory DSA 877-1, October 28, 2005
SUSE Security Summary Report, SUSE-SR:2005:025, November 4, 2005
Gentoo Linux Security Advisory, GLSA 200511-05, November 6, 2005
SUSE Security Summary Report, SUSE-SR:2005:027, November 18, 2005
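The gdk-pixbuf XPM entry above describes a colour count ('n_col') and image dimensions being multiplied into an allocation size without validation. The following added example is not gdk-pixbuf code; the limits, entry sizes and function names are hypothetical. It shows how a crafted header makes the 32-bit size computation wrap to a tiny allocation that the colour-parsing loop then overruns, and the overflow-checked version of the same arithmetic that rejects the file instead.

```c
#include <stdint.h>
#include <inttypes.h>
#include <stdio.h>

/* Illustrative limits; the decoder's real policy is not given on this page. */
#define MAX_DIMENSION   32768u   /* hypothetical cap on width and height */
#define BYTES_PER_PIXEL 4u       /* RGBA output buffer */
#define BYTES_PER_COLOR 8u       /* hypothetical size of one palette entry */

/* Vulnerable pattern: the palette size comes straight from the
 * attacker-controlled colour count in 32-bit arithmetic, so it wraps. */
uint32_t palette_bytes_unchecked(uint32_t n_col)
{
    return n_col * BYTES_PER_COLOR;
}

/* 1 if the colour-parsing loop would write past the wrapped allocation. */
int palette_overflows(uint32_t n_col)
{
    uint64_t needed = (uint64_t)n_col * BYTES_PER_COLOR;
    return needed > palette_bytes_unchecked(n_col);
}

/* Multiply two 32-bit values, refusing to wrap. Returns 0 on success. */
static int mul_u32_checked(uint32_t a, uint32_t b, uint32_t *out)
{
    if (a != 0 && b > UINT32_MAX / a)
        return -1;
    *out = a * b;
    return 0;
}

/* Hardened pattern: validate the header, then build the allocation size in
 * overflow-checked steps. Returns the byte count, or -1 to reject the file. */
int64_t image_bytes_checked(uint32_t width, uint32_t height, uint32_t n_col)
{
    uint32_t pixels, pixel_bytes, palette;

    if (width == 0 || height == 0 || n_col == 0)
        return -1;
    if (width > MAX_DIMENSION || height > MAX_DIMENSION)
        return -1;
    if (mul_u32_checked(width, height, &pixels))
        return -1;
    if (mul_u32_checked(pixels, BYTES_PER_PIXEL, &pixel_bytes))
        return -1;
    if (mul_u32_checked(n_col, BYTES_PER_COLOR, &palette))
        return -1;
    if (pixel_bytes > UINT32_MAX - palette)
        return -1;
    return (int64_t)pixel_bytes + palette;
}

int main(void)
{
    /* Constructed header: a 1x1 image claiming 0x20000001 colours. */
    uint32_t n_col = 0x20000001u;
    printf("unchecked palette allocation: %" PRIu32 " bytes (overflows: %d)\n",
           palette_bytes_unchecked(n_col), palette_overflows(n_col));
    printf("checked 1x1 header: %" PRId64 "\n", image_bytes_checked(1, 1, n_col));
    printf("checked 16x16, 4 colours: %" PRId64 "\n", image_bytes_checked(16, 16, 4));
    return 0;
}
```

With n_col = 0x20000001 the unchecked product is 0x100000008, which a 32-bit size_t stores as 8: the decoder allocates 8 bytes and then writes more than half a billion entries into it. The checked version fails the multiplication before any allocation, and the dimension cap means even values that pass every multiplication cannot demand an unbounded buffer.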
Multiple Vendors
GNU gnump3d 2.9-2.9.5;
Gentoo Linux
A Cross-Site Scripting vulnerability has been reported due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary HTML and script code.
Gentoo Linux Security Advisory GLSA 200511-05, November 7, 2005
SUSE Security Summary Report, SUSE-SR:2005:027, November 18, 2005
Multiple Vendors
Linux Kernel 2.4.x, 2.6 prior to 2.6.11.11
A vulnerability has been reported in the Linux kernel in the Radionet Open Source Environment (ROSE) implementation in the 'rose_rt_ioctl()' function due to insufficient validation of a new route's 'ndigis' argument. The impact was not specified.
Security Focus, Bugtraq ID: 15528, November 22, 2005
Ubuntu Security Notice, USN-219-1, November 22, 2005
Multiple Vendors
Linux kernel 2.6-2.6.14
Several vulnerabilities have been reported: a Denial of Service vulnerability was reported due to a memory leak in '/security/keys/request_key_auth.c;' a Denial of Service vulnerability was reported due to a memory leak in '/fs/namei.c' when the 'CONFIG_AUDITSYSCALL' option is enabled; and a vulnerability was reported because the orinoco wireless driver fails to pad data packets with zeroes when increasing the length, which could let a malicious user obtain sensitive information.
Trustix Secure Linux Security Advisory, TSLSA-2005-0057, October 14, 2005
Fedora Update Notifications,
FEDORA-2005-1013, October 20, 2005
RedHat Security Advisory, RHSA-2005:808-14, October 27, 2005
Ubuntu Security Notice, USN-219-1, November 22, 2005
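The orinoco item in the entry above is an information leak caused by extending a frame's length without writing the bytes that fill the gap. The following added example is not orinoco driver code; the buffer, minimum length and function names are hypothetical. It reuses one transmit buffer, leaves a previous frame's bytes in it, and counts how many of them survive into the padding of a shorter frame under the vulnerable and the zero-padding variants.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MIN_FRAME_LEN 64u   /* hypothetical minimum on-air frame length */

/* One transmit buffer reused for every frame, standing in for the stale
 * memory a driver hands to the hardware. */
static uint8_t tx_buf[MIN_FRAME_LEN];

/* Vulnerable pattern: the length is raised to the minimum, but the bytes
 * between the payload end and the new length are never written. */
size_t build_frame_unpadded(const uint8_t *payload, size_t len)
{
    if (len > sizeof tx_buf)
        return 0;
    memcpy(tx_buf, payload, len);
    return len < MIN_FRAME_LEN ? MIN_FRAME_LEN : len;
}

/* Hardened pattern: the padding region is zeroed before transmission. */
size_t build_frame_padded(const uint8_t *payload, size_t len)
{
    if (len > sizeof tx_buf)
        return 0;
    memcpy(tx_buf, payload, len);
    if (len < MIN_FRAME_LEN) {
        memset(tx_buf + len, 0, MIN_FRAME_LEN - len);
        return MIN_FRAME_LEN;
    }
    return len;
}

/* Fills the buffer with an earlier frame, builds a short frame on top of it,
 * and returns the number of stale bytes left in the padding (0 = no leak). */
size_t padding_leak(int hardened)
{
    static const uint8_t payload[12] = "GET /status";   /* constructed payload */
    size_t len = sizeof payload;
    size_t frame_len, i, leaked = 0;

    memset(tx_buf, 'S', sizeof tx_buf);   /* "secret" bytes of an earlier frame */
    frame_len = hardened ? build_frame_padded(payload, len)
                         : build_frame_unpadded(payload, len);
    for (i = len; i < frame_len; i++)
        if (tx_buf[i] != 0)
            leaked++;
    return leaked;
}

int main(void)
{
    printf("stale bytes on the wire, no padding:   %zu\n", padding_leak(0));
    printf("stale bytes on the wire, zero padding: %zu\n", padding_leak(1));
    return 0;
}
```

Every byte the unpadded path transmits beyond the 12-byte payload is whatever the buffer held before; on real hardware that is the previous frame, heap contents, or kernel memory, visible to anyone capturing on the channel. The fix is a single memset over exactly the range the length was extended by.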
Multiple Vendors
Linux kernel 2.6-2.6.14
A Denial of Service vulnerability has been reported in 'sysctl.c' due to an error when handling the un-registration of interfaces in '/proc/sys/net/ipv4/conf/.'
Ubuntu Security Notice, USN-219-1, November 22, 2005
Multiple Vendors
Linux kernel 2.6-2.6.14
Several vulnerabilities have been reported: a Denial of Service vulnerability was reported when handling asynchronous USB access via usbdevio; and a Denial of Service vulnerability was reported in the 'ipt_recent.c' netfilter module due to an error in jiffies comparison.
A vulnerability has been reported because fusermount fails to securely handle special characters specified in mount points, which could let a malicious user cause a Denial of Service or add arbitrary mount points.
Gentoo Linux Security Advisory, GLSA 200511-17, November 22, 2005
Multiple Vendors
RedHat Enterprise Linux WS 4, WS 3, 2.1, IA64, ES 4, ES 3, 2.1, IA64, AS 4, AS 3, AS 2.1, IA64, Desktop 4.0, 3.0, Advanced Workstation for the Itanium Processor 2.1, IA64; OpenSSL Project OpenSSL 0.9.3-0.9.8, 0.9.2 b, 0.9.1 c; FreeBSD 6.0 -STABLE, -RELEASE, 5.4 -RELENG, -RELEASE, 5.3 -STABLE, -RELENG, -RELEASE, 5.3, 5.2.1 -RELEASE, -RELENG, 5.2 -RELEASE, 5.2, 5.1 -RELENG, -RELEASE/Alpha, 5.1 -RELEASE-p5, -RELEASE, 5.1, 5.0 -RELENG, 5.0, 4.11 -STABLE, -RELENG, 4.10 -RELENG, -RELEASE, 4.10
A vulnerability has been reported due to the implementation of the 'SSL_OP_MSIE_SSLV2_RSA_PADDING' option that maintains compatibility with third party software, which could let a remote malicious user bypass security.
A buffer overflow vulnerability has been reported due to insufficient bounds checking of user-supplied data prior to copying it to an insufficiently sized memory buffer, which could let a remote malicious user execute arbitrary code.
Trustix Secure Linux Security Advisory, TSLSA-2005-0034, July 8, 2005
Fedora Update Notifications, FEDORA-2005-561 & 562, July 13, 2005
RedHat Security Advisory, RHSA-2005:720-04, August 9, 2005
Mandriva Linux Security Update Advisory, MDKSA-2005:137, August 11, 2005
Ubuntu Security Notice, USN-190-1, September 29, 2005
RedHat Security Advisory, RHSA-2005:395-18, October 5, 2005
Conectiva Linux Announcement, CLSA-2005:1032, October 13, 2005
Avaya Security Advisory, ASA-2005-225, October 18, 2005
SUSE Security Summary Report, Announcement ID: SUSE-SR:2005:024, October 21, 2005
Debian Security Advisory, DSA 873-1, October 26, 2005
Ubuntu Security Notice, USN-190-2, November 21, 2005
Openswan
Openswan 2.2-2.4, 2.1.4-2.1.6, 2.1.2, 2.1.1
Several vulnerabilities have been reported: a remote Denial of Service vulnerability was reported when handling IKE packets that have an invalid 3DES key length; and a remote Denial of Service vulnerability was reported when handling certain specially crafted IKE packets.
CERT-FI & NISCC Joint Vulnerability Advisory, November 15, 2005
Astaro Security Linux Update, November 16, 2005
Fedora Update Notifications,
FEDORA-2005-1092 & 1093, November 21, 2005
Opera Software
Opera Web Browser 8.5, 8.0-8.02
A vulnerability has been reported due to insufficient sanitization of user-supplied data passed through a URI, which could let a remote malicious user execute arbitrary code.
A vulnerability has been reported in 'pcre_compile.c' due to an integer overflow, which could let a remote/local malicious user potentially execute arbitrary code.
Several vulnerabilities have been reported: a Cross-Site Scripting vulnerability has been reported in 'libraries/auth/cookie.auth.lib.php' due to insufficient sanitization, which could let a remote malicious user execute arbitrary HTML and script code; and a Cross-Site Scripting vulnerability has been reported in 'error.php' due to insufficient sanitization of the 'error' parameter, which could let a remote malicious user execute arbitrary HTML and script code.
Debian Security Advisory, DSA 880-1, November 2, 2005
SUSE Security Summary Report, SUSE-SR:2005:025, November 4, 2005
SUSE Security Announcement, SUSE-SA:2005:066, November 18, 2005
phpMyAdmin
phpMyAdmin 2.x
Several vulnerabilities have been reported: a vulnerability was reported due to insufficient verification of certain configuration parameters, which could let a remote malicious user include arbitrary files; and a Cross-Site Scripting vulnerability was reported in 'left.php,' 'queryframe.php,' and 'server_databases.php' due to insufficient sanitization of unspecified input, which could let a remote malicious user execute arbitrary HTML and script code.
Fedora Update Notifications,
FEDORA-2005-1009 & 1010, October 20, 2005
Mandriva Linux Security Advisory, MDKSA-2005:195, October 26, 2005
SCO Security Advisory, SCOSA-2005.44, November 1, 2005
SUSE Security Summary Report, SUSE-SR:2005:025, November 4, 2005
Security Focus, Bugtraq ID: 15157, November 10, 2005
SUSE Security Summary Report, SUSE-SR:2005:027, November 18, 2005
Sylpheed
Sylpheed 2.0-2.0.3, 1.0.0-1.0.5
A buffer overflow vulnerability has been reported in 'ldif.c' due to a boundary error in the 'ldif_get_line()' function when importing a LDIF file into the address book, which could let a remote malicious user obtain unauthorized access.
Fedora Update Notification,
FEDORA-2005-1063, November 9, 2005
Gentoo Linux Security Advisory, GLSA 200511-13, November 15, 2005
Debian Security Advisory, DSA 906-1, November 22, 2005
Todd Miller
Sudo 1.x
A vulnerability has been reported in the environment cleaning due to insufficient sanitization, which could let a malicious user obtain elevated privileges.
A vulnerability has been reported due to a failure to ensure that cancellation requests from users are performed only by authorized users, which could let a remote malicious user issue cancel requests and potentially cause a Denial of Service.
No workaround or patch available at time of publishing.
Security Focus, Bugtraq ID: 15483, November 17, 2005
Zope
Zope 2.6-2.8.1
A vulnerability has been reported in 'docutils' due to an unspecified error; it affects all instances that expose 'RestructuredText' functionality via the web. The impact was not specified.
A Cross-Site Scripting vulnerability has been reported in 'popup.php' due to insufficient sanitization of the 'poll_ident' parameter, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, Proof of Concept exploits have been published.
Security Focus, Bugtraq ID: 15506, November 21, 2005
Almond Soft.Com
Almond Classifieds
A vulnerability has been reported due to a failure to verify that the password supplied matches the given entry, which could let a remote malicious user obtain unauthorized access.
No workaround or patch available at time of publishing.
Security Focus, Bugtraq ID: 15505, November 21, 2005
Apache Software Foundation
Struts 1.2.7
A Cross-Site Scripting vulnerability has been reported in the error response due to insufficient sanitization of user-supplied input, which could let a remote malicious user execute arbitrary HTML and script code.
Security Focus, Bugtraq ID: 15512, November 21, 2005
APBoard
APBoard
An SQL injection vulnerability was reported in 'thread.php' due to insufficient sanitization of user-supplied input before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
Security Focus, Bugtraq ID: 15513, November 21, 2005
Arki-DB
Arki-DB 2.0, 1.0
An SQL injection vulnerability has been reported in 'index.php' due to insufficient sanitization of user-supplied input before using in an SQL query, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
Security Focus, Bugtraq ID: 15467, November 16, 2005
Check Point Software
VPN-1/Firewall-1 NG with AI R55W, VPN-1/Firewall-1 NG with AI R55P, VPN-1/Firewall-1 NG with AI R55, VPN-1/Firewall-1 NG with AI R54, VPN-1 Pro NGX R60, FireWall-1 GX 3.0, Express CI R57
A remote Denial of Service vulnerability has been reported due to unspecified vulnerabilities in the IPSec implementation.
Check Point has addressed these issues in the latest Hotfix Accumulators.
Vulnerability can be reproduced with the PROTOS IPSec Test Suite.
Check Point Firewall-1 & VPN-1 ISAKMP IKE Remote Denial of Service
Arhont Ltd.- Information Security Advisory, November 22, 2005
Digital Dominion
PHP-Fusion 6.00.206 & prior
Several vulnerabilities have been reported: an SQL injection vulnerability was reported in 'options.php' due to insufficient sanitization of the 'forum_id' and 'thread_id' parameters and in 'viewforum.php' and 'index.php' due to insufficient sanitization of the 'lastvisite' parameter, which could let a remote malicious user execute arbitrary SQL code; and a path disclosure vulnerability was reported in 'subheader.php.'
Exponent Content Management System 0.96.4, 0.96.1, 0.95, 0.94
Several vulnerabilities have been reported because file permissions on user files are incorrectly set, which could let a remote malicious user obtain sensitive information or execute arbitrary script code.
No workaround or patch available at time of publishing.
There is no exploit code required.
Exponent Content Management System Multiple Improper File Permission
Security Focus, Bugtraq ID: 15503, November 19, 2005
Google
Google Search Appliance, Mini Search Appliance
Several vulnerabilities have been reported: a vulnerability was reported in the 'proxystylesheet' parameter due to insufficient sanitization before it is returned to the user in an error message, which could let a remote malicious user execute arbitrary HTML and script code; a vulnerability was reported in XSLT style sheets due to insufficient sanitization of the 'proxystylesheet' parameter, which could let a remote malicious user execute arbitrary Java class methods; and a vulnerability was reported because it is possible to enumerate open ports on other systems by providing the full URL containing hostname and port number.
A patch is reportedly available from the vendor.
There is no exploit code required; however, Proof of Concept exploits and an exploit script have been published.
Google Mini Search Appliance Multiple Vulnerabilities
Multiple vulnerabilities have been reported: a vulnerability was reported because the SNMP service allows read-write access using any credentials, which could let a remote/local malicious user retrieve and modify the device configuration; a vulnerability was reported due to an undocumented open port 3390/tcp that allows access to the Unidata Shell upon connection, which could let a remote/local malicious user obtain sensitive information and cause a Denial of Service; a vulnerability was reported due to a hardcoded administrative password, which could let a remote/local malicious user obtain unauthorized access; and a vulnerability was reported because the default index page of the phone's HTTP server (8080/tcp) discloses sensitive information.
Users are advised to contact the vendor for details on obtaining the appropriate updates.
There is no exploit code required.
Hitachi WirelessIP5000 IP Phone Multiple Vulnerabilities