Summary of Security Items from December 8 through December 14, 2005
Information in the US-CERT Cyber Security Bulletin is a compilation and includes information published by outside sources, therefore the information should not be considered the result of US-CERT analysis. Software vulnerabilities are categorized in the appropriate section reflecting the operating system on which the vulnerability was reported; however, this does not mean that the vulnerability only affects the operating system reported since this information is obtained from open-source information.
This bulletin provides a summary of new or updated vulnerabilities, exploits, trends, viruses, and trojans. Updates to vulnerabilities that appeared in previous bulletins are listed in bold text. The text in the Risk column appears in red for vulnerabilities ranking High. The risk levels applied to vulnerabilities in the Cyber Security Bulletin are based on how the "system" may be impacted. The Recent Exploit/Technique table contains a "Workaround or Patch Available" column that indicates whether a workaround or patch has been published for the vulnerability which the script exploits.
The table below summarizes vulnerabilities that have been identified, even if they are not being exploited. Complete details about patches or workarounds are available from the source of the information or from the URL provided in the section. CVE numbers are listed where applicable. Vulnerabilities that affect both Windows and Unix Operating Systems are included in the Multiple Operating Systems section.
Note: All the information included in the following tables has been discussed in newsgroups and on web sites.
The Risk levels defined below are based on how the system may be impacted:
Note: Even though a vulnerability may allow several malicious acts to be performed, only the highest level risk will be defined in the Risk column.
High - A high-risk vulnerability is defined as one that will allow an intruder to immediately gain privileged access (e.g., sysadmin or root) to the system or allow an intruder to execute code or alter arbitrary system files. An example of a high-risk vulnerability is one that allows an unauthorized user to send a sequence of instructions to a machine and the machine responds with a command prompt with administrator privileges.
Medium - A medium-risk vulnerability is defined as one that will allow an intruder immediate access to a system with less than privileged access. Such a vulnerability will allow the intruder the opportunity to continue the attempt to gain privileged access. An example of a medium-risk vulnerability is a server configuration error that allows an intruder to capture the password file.
Low - A low-risk vulnerability is defined as one that will provide information to an intruder that could lead to further compromise attempts or a Denial of Service (DoS) attack. It should be noted that while the DoS attack is deemed low from a threat potential, the frequency of this type of attack is very high. DoS attacks against mission-critical nodes are not included in this rating and any attack of this nature should instead be considered to be a "High" threat.
A directory traversal vulnerability has been reported in CF_Nuke that could let remote malicious users conduct Cross-Site Scripting or disclose information.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit has been published.
CF_Nuke Cross-Site Scripting or Information Disclosure
V1.3 Updated to note availability of Microsoft Knowledge Base Article 909596 and to clarify an issue affecting Windows 2000 SP4 customers, also updates of file versions.
V1.4 Updated to note complications of the DirectX 8.1 update on machines running DirectX 9.
V2.0 Updated to advise customers that a new version of the security update is available for select systems.
Currently we are not aware of any exploits for this vulnerability.
Microsoft DirectX DirectShow Arbitrary Code Execution
Security Tracker, Alert ID: 1015333, December 8, 2005
Microsoft
Internet Explorer
A vulnerability has been reported in Internet Explorer, caused by mismatched DOM objects, that could let remote malicious users obtain unauthorized access.
Microsoft, Security Bulletin MS05-055, December 13, 2005
Microsoft
Windows 2000 SP3 & SP4, Windows XP 64-Bit Edition SP1 (Itanium), Windows XP 64-Bit Edition Version 2003 (Itanium), Windows Server 2003, Windows Server 2003 for Itanium-based Systems
A buffer overflow vulnerability exists when handling Server Message Block (SMB) traffic, which could let a remote malicious user execute arbitrary code.
Microsoft Windows NT 4.0 has also been found vulnerable to the issue; however, this platform is no longer publicly supported by Microsoft. A patch is available for customers that have an active end-of-life support agreement including extended Windows NT 4.0 support. Information regarding the end-of-life support agreement can be found at the following location: http://www.microsoft.com/presspass/features/2004/dec04/12-03NTSupport.asp
V1.1 Revised to advise of Knowledge Base Article 896427, detailing a potential issue encountered after installing this update.
A vulnerability has been reported because a remote malicious user can hide a 'File Download' dialog box underneath a new browser window and entice a user into double clicking a specific area in the window, which could lead to remote arbitrary code execution.
A vulnerability has been reported due to insecure default directory ACLs set on the 'SunnComm Shared' directory, which could let a malicious user obtain elevated privileges.
A vulnerability has been reported in Perl due to a failure to correctly drop privileges, which could let a remote malicious user obtain elevated privileges. Note: The impact depends on how a Perl application is written to use the affected Perl functionality.
No workaround or patch available at time of publishing.
Currently we are not aware of any exploits for this vulnerability.
A Cross-Site Scripting vulnerability has been reported in 'search.php' due to insufficient sanitization of the 'keywords' parameter before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.
No workaround or patch available at time of publishing.
A buffer overflow vulnerability has been reported due to insufficient bounds checks on user-supplied data before it is used in a finite-sized buffer, which could let a local/remote malicious user execute arbitrary code.
Security Focus, Bugtraq ID: 15756, December 7, 2005
Mandriva Linux Security Advisory, MDKSA-2005:224, December 8, 2005
Fedora Update Notifications, FEDORA-2005-1129 & 1130, December 8, 2005
Debian Security Advisory, DSA 919-1, December 12, 2005
DRZES HMS
DRZES HMS 3.2
Several vulnerabilities have been reported: a Cross-Site Scripting vulnerability was reported in 'login.php' due to insufficient sanitization of user-supplied input before returning it to the user, which could let a remote malicious user execute arbitrary HTML and script code; and an SQL injection vulnerability was reported in the 'invoiceID' parameter due to insufficient sanitization, which could let a remote malicious user execute arbitrary SQL code.
No workaround or patch available at time of publishing.
There is no exploit code required; however, a Proof of Concept exploit script has been published.
Security Focus, Bugtraq ID: 15766, December 7, 2005
Horde Project
Mnemo 2.0.2
HTML injection vulnerabilities have been reported due to insufficient sanitization of the notepad name and other note data fields, which could let a remote malicious user execute arbitrary HTML and script code.
Security Focus, Bugtraq ID: 15803, December 12, 2005
Horde Project
Turba Contact Manager 2.0.4
HTML injection vulnerabilities have been reported due to insufficient sanitization of the address book name and certain contact data fields, which could let a remote malicious user execute arbitrary HTML and script code.
Security Focus, Bugtraq ID: 15802, December 12, 2005
Horde Project
Horde Application Framework 3.0-3.0.7
HTML injection vulnerabilities have been reported due to insufficient sanitization of unspecified input, which could let a remote malicious user execute arbitrary HTML and script code.
HTML injection vulnerabilities have been reported due to insufficient sanitization of the calendar name and certain event data fields, which could let a remote malicious user execute arbitrary HTML and script code.
HTML injection vulnerabilities have been reported due to insufficient sanitization of certain tasklist names and task data fields, which could let a remote malicious user execute arbitrary HTML and script code.
Security Focus, Bugtraq ID: 15523, November 22, 2005
Ubuntu Security Notice, USN-221-1, December 01, 2005
Gentoo Linux Security Advisory, GLSA 200512-04, December 12, 2005
Mike Neuman
osh 1.7
A buffer overflow vulnerability has been reported in 'main.c' due to an error when handling environment variable substitutions, which could let a remote malicious user execute arbitrary code with superuser privileges.
Debian Security Advisory, DSA 918-1, December 9, 2005
Mike Neuman
osh 1.7
A buffer overflow vulnerability exists in 'main.c' due to insufficient bounds checking in the 'iopen()' function, which could let a remote malicious user execute arbitrary code.
Debian Security Advisory, DSA 918-1, December 9, 2005
Mozilla.org
Firefox 0.x, 1.x
Multiple vulnerabilities have been reported: a vulnerability was reported due to an error because untrusted events generated by web content are delivered to the browser user interface; a vulnerability was reported because scripts in XBL controls can be executed even when JavaScript has been disabled; a vulnerability was reported because remote malicious users can execute arbitrary code by tricking the user into using the 'Set As Wallpaper' context menu on an image URL that is really a javascript: URL; a vulnerability was reported in the 'InstallTrigger.install()' function due to an error in the callback function, which could let a remote malicious user execute arbitrary code; a vulnerability was reported due to an error when handling a 'data:' URL that originates from the sidebar, which could let a remote malicious user execute arbitrary code; an input validation vulnerability was reported in the 'InstallVersion.compareTo()' function when handling unexpected JavaScript objects, which could let a remote malicious user execute arbitrary code; a vulnerability was reported because it is possible for a remote malicious user to steal information and possibly execute arbitrary code by using standalone applications such as Flash and QuickTime to open a javascript: URL; a vulnerability was reported due to an error when handling DOM node names with different namespaces, which could let a remote malicious user execute arbitrary code; and a vulnerability was reported due to insecure cloning of base objects, which could let a remote malicious user execute arbitrary code.
Ubuntu Security Notices, USN-157-1 & 157-2, August 1 & 2, 2005
SUSE Security Announcement, SUSE-SA:2005:045, August 11, 2005
Debian Security Advisory, DSA 775-1, August 15, 2005
SGI Security Advisory, 20050802-01-U, August 15, 2005
Debian Security Advisory, DSA 777-1, August 17, 2005
Debian Security Advisory, DSA 779-1, August 20, 2005
Debian Security Advisory, DSA 781-1, August 23, 2005
Gentoo Linux Security Advisory, GLSA 200507-24, August 26, 2005
Mandriva Linux Security Update Advisory, MDKSA-2005:127-1, August 26, 2005
Slackware Security Advisory, SSA:2005-085-01, August 28, 2005
Debian Security Advisory, DSA 779-2, September 1, 2005
Debian Security Advisory, DSA 810-1, September 13, 2005
Fedora Legacy Update Advisory, FLSA:160202, September 14, 2005
HP Security Bulletin, HPSBOV01229, September 19, 2005
HP Security Bulletin, HPSBUX01230, October 3, 2005
Ubuntu Security Notice, USN-155-3, October 04, 2005
Sun(sm) Alert Notification, Sun Alert ID: 101952, October 17, 2005
SUSE Security Summary Report, SUSE-SR:2005:028, December 2, 2005
Mandriva Linux Security Advisory, MDKSA-2005:226, December 12, 2005
Multiple Vendors
Xpdf 3.0 pl2 & pl3, 3.01, 3.00, 2.0-2.03, 1.00, 1.00a, 0.90-0.93; RedHat Fedora Core4, Core3, Enterprise Linux WS 4, WS 3, WS 2.1 IA64, WS 2.1, ES 4, ES 3, ES 2.1 IA64, 2.1, Enterprise Linux AS 4, AS 3, 2.1 IA64, 2.1, Desktop 4.0, 3.0, Advanced Workstation for the Itanium Processor 2.1 IA64, 2.1; teTeX 2.0.1, 2.0; Poppler poppler 0.4.2; KDE kpdf 0.5, KOffice 1.4.2; PDFTOHTML DFTOHTML 0.36
Multiple vulnerabilities have been reported: a heap-based buffer overflow vulnerability was reported in the 'DCTStream::readBaselineSOF()' function in 'xpdf/Stream.cc' when copying data from a PDF file, which could let a remote malicious user potentially execute arbitrary code; a buffer overflow vulnerability was reported in the 'DCTStream::readProgressiveSOF()' function in 'xpdf/Stream.cc' when copying data from a PDF file, which could let a remote malicious user potentially execute arbitrary code; a buffer overflow vulnerability was reported in the 'StreamPredictor::StreamPredictor()' function in 'xpdf/Stream.cc' when using the 'numComps' value to calculate the memory size, which could let a remote malicious user potentially execute arbitrary code; and a vulnerability was reported in the 'JPXStream::readCodestream()' function in 'xpdf/JPXStream.cc' when using the 'nXTiles' and 'nYTiles' values from a PDF file to copy data from the file into allocated memory, which could let a remote malicious user potentially execute arbitrary code.
Fedora Update Notifications, FEDORA-2005-1007 & 1013, October 20, 2005
Security Focus, Bugtraq ID: 15156, October 31, 2005
Ubuntu Security Notice, USN-219-1, November 22, 2005
SUSE Security Announcement, SUSE-SA:2005:067, December 6, 2005
SUSE Security Announcement, SUSE-SA:2005:068, December 14, 2005
Multiple Vendors
Linux kernel 2.6-2.6.15
An integer overflow vulnerability has been reported in 'INVALIDATE_INODE_PAGES2' which could lead to a Denial of Service and possibly execution of arbitrary code.
Cross-Site Scripting vulnerabilities have been reported in the 'HTTP_HOST' variable and certain scripts in the libraries directory due to insufficient sanitization before returning to the user, which could let a remote malicious user execute arbitrary HTML and script code.
phpMyAdmin security announcement PMASA-2005-8, December 5, 2005
Gentoo Linux Security Advisory, GLSA 200512-03, December 12, 2005
Multiple Vendors
RedHat Enterprise Linux WS 3, ES 3, AS 3, Desktop 3.0; Linux kernel 2.4-2.4.28
A Denial of Service vulnerability has been reported in the 'find_target' function due to a failure to properly handle unexpected conditions when attempting to handle a NULL return value from another function.
SUSE Security Announcement, SUSE-SA:2005:044, August 4, 2005
Ubuntu Security Notice, USN-187-1, September 25, 2005
RedHat Security Advisory, RHSA-2005:663-19, September 28, 2005
Debian Security Advisories, DSA 921-1 & 922-1, December 14, 2005
Multiple Vendors
SuSE Linux Professional 9.3, x86_64, 9.2, x86_64, Linux Personal 9.3, x86_64; Linux kernel 2.6-2.6.12
A buffer overflow vulnerability has been reported in the XFRM network architecture code due to insufficient validation of user-supplied input, which could let a malicious user execute arbitrary code.
Trustix Secure Linux Bugfix Advisory, 2005-0068, December 12, 2005
Multiple Vendors
Trustix Secure Linux 3.0, 2.2, Secure Enterprise Linux 2.0, SuSE Novell Linux Desktop 9.0, Linux Professional 9.3 x86_64, 9.3, 9.2 x86_64, 9.2, 9.1 x86_64, 9.1, Linux Personal 9.3 x86_64, 9.3, 9.2 x86_64, 9.2, 9.1 x86_64, 9.1, Linux Enterprise Server for S/390 9.0, Linux Enterprise Server 9; Linux kernel 2.6-2.6.12.4
A Denial of Service vulnerability has been reported due to a failure to handle malformed compressed files.
Security Focus, Bugtraq ID: 15536, November 22, 2005
Ubuntu Security Notice, USN-219-1, November 22, 2005
Debian Security Advisory, DSA 922-1, December 14, 2005
Multiple Vendors
Ubuntu Linux 5.04 powerpc, i386, amd64, 4.1 ppc, ia64, ia32; Linux kernel 2.6.10, 2.6.8
A vulnerability has been reported in the 'mmap()' function because memory maps can be created with a start address after the end address, which could let a malicious user cause a Denial of Service or potentially obtain elevated privileges.
A vulnerability has been reported in the authentication daemon because access is granted to accounts that are already deactivated, which could let a remote malicious user obtain unauthorized access.
A race condition vulnerability has been reported in ia32 emulation, that could let local malicious users obtain root privileges or create a buffer overflow.
Trustix Secure Linux Security Advisory, TSLSA-2005-0036, July 14, 2005
SUSE Security Announcement, SUSE-SA:2005:044, August 4, 2005
RedHat Security Advisory, RHSA-2005:663-19, September 28, 2005
Debian Security Advisory, DSA 921-1, December 14, 2005
Multiple Vendors
Linux kernel 2.6 prior to 2.6.12.1
A vulnerability has been reported in the 'restore_sigcontext()' function due to a failure to restrict access to the 'ar.rsc' register, which could let a malicious user cause a Denial of Service or obtain elevated privileges.
SUSE Security Announcement, SUSE-SA:2005:044, August 4, 2005
RedHat Security Advisory, RHSA-2005:663-19, September 28, 2005
RedHat Security Advisory, RHSA-2005:514-46, October 5, 2005
Debian Security Advisories, DSA 921-1 & 922-1, December 14, 2005
Multiple Vendors
Linux kernel 2.6-2.6.11
A vulnerability has been reported in the '/sys' file system due to a mismanagement of integer signedness, which could let a malicious user cause a Denial of Service and potentially execute arbitrary code.
RedHat Security Advisory, RHSA-2005:366-19, April 19, 2005
SUSE Security Announcement, SUSE-SA:2005:044, August 4, 2005
Mandriva Linux Security Advisory, MDKSA-2005:218, November 30, 2005
Debian Security Advisory, DSA 922-1, December 14, 2005
Multiple Vendors
Linux Kernel 2.4.x, 2.6 prior to 2.6.11.11
A vulnerability has been reported in the Linux kernel in the Radionet Open Source Environment (ROSE) implementation in the 'rose_rt_ioctl()' function due to insufficient validation of a new route's 'ndigis' argument. The impact was not specified.
Security Focus, Bugtraq ID: 14791, September 9, 2005
Ubuntu Security Notice, USN-178-1, September 09, 2005
Mandriva Linux Security Update Advisory, MDKSA-2005:171, October 3, 2005
RedHat Security Advisory, RHSA-2005:514-46, October 5, 2005
Mandriva Linux Security Advisories, MDKSA-2005:219 & 220, November 30, 2005
SUSE Security Announcement, SUSE-SA:2005:068, December 14, 2005
Multiple Vendors
Linux kernel 2.6.8-2.6.10, 2.4.21
Several vulnerabilities have been reported: a buffer overflow vulnerability was reported in 'msg_control' when copying 32-bit contents, which could let a malicious user obtain root privileges and execute arbitrary code; and a vulnerability was reported in the 'raw_sendmsg()' function, which could let a malicious user obtain sensitive information or cause a Denial of Service.
Ubuntu Security Notice, USN-219-1, November 22, 2005
Mandriva Linux Security Advisories, MDKSA-2005:218, 219 & 220, November 30, 2005
SUSE Security Announcement, SUSE-SA:2005:068, December 14, 2005
Multiple Vendors
Linux kernel 2.6-2.6.13.1
A Denial of Service vulnerability has been reported due to an omitted call to the 'sockfd_put()' function in the 32-bit compatible 'routing_ioctl()' function.
Security Tracker Alert ID: 1014944, September 21, 2005
Ubuntu Security Notice, USN-187-1, September 25, 2005
Mandriva Linux Security Advisories, MDKSA-2005:218, 219, 220, November 30, 2005
SUSE Security Announcement, SUSE-SA:2005:067, December 6, 2005
SUSE Security Announcement, SUSE-SA:2005:068, December 14, 2005
Multiple Vendors
Linux kernel 2.6-2.6.14
Several vulnerabilities have been reported: a Denial of Service vulnerability was reported due to a memory leak in '/security/keys/request_key_auth.c'; a Denial of Service vulnerability was reported due to a memory leak in '/fs/namei.c' when the 'CONFIG_AUDITSYSCALL' option is enabled; and a vulnerability was reported because the orinoco wireless driver fails to pad data packets with zeroes when increasing the length, which could let a malicious user obtain sensitive information.