Vulnerability Summary for the Week of February 1, 2010

Released
Feb 09, 2010
Document ID
SB10-040

The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. NVD is sponsored by CISA. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.

Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division into high, medium, and low severities corresponds to the following scores:

  • High: vulnerabilities with a CVSS base score of 7.0–10.0
  • Medium: vulnerabilities with a CVSS base score of 4.0–6.9
  • Low: vulnerabilities with a CVSS base score of 0.0–3.9

Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis. 


High Vulnerabilities

Columns: Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info

debian -- lintian
  Multiple format string vulnerabilities in Lintian 1.23.x through 1.23.28, 1.24.x through 1.24.2.1, and 2.x before 2.3.2 allow remote attackers to have an unspecified impact via vectors involving (1) check scripts and (2) the Lintian::Schedule module.
  Published: 2010-02-02 | CVSS Score: 7.5 | CVE-2009-4014 | Source & Patch Info: BID

debian -- lintian
  Lintian 1.23.x through 1.23.28, 1.24.x through 1.24.2.1, and 2.x before 2.3.2 allows remote attackers to execute arbitrary commands via shell metacharacters in filename arguments.
  Published: 2010-02-02 | CVSS Score: 7.5 | CVE-2009-4015 | Source & Patch Info: BID
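
The second Lintian entry above (CVE-2009-4015) describes the classic shape of command injection: a filename taken from an untrusted package is handed to a shell, so metacharacters in the name become commands. The following Python block is an added example, not Lintian's code or the Debian fix. It creates a file with a constructed hostile name in a temporary directory and shows that the same `wc -c` call is hijacked when the name is spliced into a shell string, and is harmless when the name is passed as a separate argv element or quoted with shlex.quote().

```python
import os
import shlex
import subprocess
import tempfile

# Constructed hostile filename: an archive entry whose name contains shell
# metacharacters (";" ends the intended command, the rest is attacker input).
HOSTILE_NAME = "report.txt; echo INJECTED"


def make_sample_file(directory: str) -> str:
    """Create a 5-byte file carrying the hostile name inside `directory`."""
    path = os.path.join(directory, HOSTILE_NAME)
    with open(path, "wb") as fh:
        fh.write(b"hello")
    return path


def byte_count_unsafe(path: str) -> str:
    """Vulnerable pattern: the filename is spliced into a shell command string,
    so /bin/sh parses the ';' and runs the attacker's command."""
    result = subprocess.run("wc -c " + path, shell=True,
                            capture_output=True, text=True)
    return result.stdout


def byte_count_safe(path: str) -> str:
    """Fixed pattern: argv list and no shell. The whole filename is one literal
    argument to wc, whatever characters it contains."""
    result = subprocess.run(["wc", "-c", path], capture_output=True, text=True)
    return result.stdout


def byte_count_quoted(path: str) -> str:
    """When a shell is unavoidable, shlex.quote() turns the filename into a
    single quoted word that the shell will not interpret."""
    result = subprocess.run("wc -c " + shlex.quote(path), shell=True,
                            capture_output=True, text=True)
    return result.stdout


def demo() -> dict:
    """Run all three variants against the hostile filename; return their stdout."""
    with tempfile.TemporaryDirectory() as tmp:
        path = make_sample_file(tmp)
        return {
            "unsafe": byte_count_unsafe(path),   # only "INJECTED": wc never saw the file
            "safe": byte_count_safe(path),       # "5 <path>": the real byte count
            "quoted": byte_count_quoted(path),   # "5 <path>": quoting also works
        }


if __name__ == "__main__":
    for name, out in demo().items():
        print(f"{name:>6}: {out.strip()!r}")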

enanocms -- enanocms
  SQL injection vulnerability in the comment submission interface (includes/comment.php) in Enano CMS before 1.0.6pl1 allows remote attackers to execute arbitrary SQL commands via unspecified parameters.
  Published: 2010-02-02 | CVSS Score: 7.5 | CVE-2010-0471 | Source & Patch Info: CONFIRM

files2links -- f2l_3000_appliance
  SQL injection vulnerability in Files2Links F2L 3000 appliance 4.0.0, and possibly other versions and models, allows remote attackers to execute arbitrary SQL commands via unspecified parameters to the login page.
  Published: 2010-02-02 | CVSS Score: 7.5 | CVE-2010-0469 | Source & Patch Info: XF, SECUNIA, MISC, OSVDB, FULLDISC

geopp -- geo++_gncaster
  The HTTP Authentication implementation in Geo++ GNCASTER 1.4.0.7 and earlier uses the same nonce for all authentication, which allows remote attackers to hijack web sessions or bypass authentication via a replay attack.
  Published: 2010-02-04 | CVSS Score: 7.5 | CVE-2010-0554 | Source & Patch Info: XF, BUGTRAQ, MISC, SECUNIA, OSVDB

maildrop -- maildrop
  main.C in maildrop 2.3.0 and earlier, when run by root with the -d option, uses the gid of root for execution of the .mailfilter file in a user's home directory, which allows local users to gain privileges via a crafted file.
  Published: 2010-02-04 | CVSS Score: 7.2 | CVE-2010-0301 | Source & Patch Info: CONFIRM, XF, DEBIAN, CONFIRM, SECTRACK, SECUNIA, SECUNIA, MLIST, MLIST, MLIST, MLIST, CONFIRM

microsoft -- ie
microsoft -- windows_2000
microsoft -- windows_server_2003
microsoft -- windows_server_2008
microsoft -- windows_vista
microsoft -- windows_xp
  Microsoft Internet Explorer 5.01 SP4, 6, 6 SP1, 7, and 8 does not prevent rendering of non-HTML local files as HTML documents, which allows remote attackers to bypass intended access restrictions and read arbitrary files via vectors involving the product's use of text/html as the default content type for files that are encountered after a redirection, aka the URLMON sniffing vulnerability, a variant of CVE-2009-1140 and related to CVE-2008-1448.
  Published: 2010-02-04 | CVSS Score: 9.3 | CVE-2010-0555 | Source & Patch Info: BID, BID, BUGTRAQ, MISC, MISC, MISC, MISC

microsoft -- ie
microsoft -- windows_2000
microsoft -- windows_server_2003
microsoft -- windows_server_2008
microsoft -- windows_vista
microsoft -- windows_xp
  Microsoft Internet Explorer 5.01 SP4, 6, 6 SP1, 7, and 8 does not prevent rendering of non-HTML local files as HTML documents, which allows remote attackers to bypass intended access restrictions and read arbitrary files via vectors involving JavaScript exploit code that constructs a reference to a file://127.0.0.1 URL, aka the dynamic OBJECT tag vulnerability, as demonstrated by obtaining the data from an index.dat file, a variant of CVE-2009-1140 and related to CVE-2008-1448.
  Published: 2010-02-04 | CVSS Score: 9.3 | CVE-2010-0255 | Source & Patch Info: BID, BID, BUGTRAQ, CONFIRM, MISC, MISC, CONFIRM

viewvc -- viewvc
  query.py in the query interface in ViewVC before 1.1.3 does not reject configurations that specify an unsupported authorizer for a root, which might allow remote attackers to bypass intended access restrictions via a query.
  Published: 2010-01-29 | CVSS Score: 7.5 | CVE-2010-0005 | Source & Patch Info: CONFIRM

wireshark -- wireshark
  Multiple buffer overflows in the LWRES dissector in Wireshark 0.9.15 through 1.0.10 and 1.2.0 through 1.2.5 allow remote attackers to cause a denial of service (crash) via a malformed packet, as demonstrated using a stack-based buffer overflow to the dissect_getaddrsbyname_request function.
  Published: 2010-02-03 | CVSS Score: 7.5 | CVE-2010-0304 | Source & Patch Info: VUPEN

xerox -- workcentre_5632
xerox -- workcentre_5638
xerox -- workcentre_5645
xerox -- workcentre_5655
xerox -- workcentre_5665
xerox -- workcentre_5675
xerox -- workcentre_5687
  Multiple unspecified vulnerabilities in the Network Controller and Web Server in Xerox WorkCentre 5632, 5638, 5645, 5655, 5665, 5675, and 5687 allow remote attackers to (1) access mailboxes via unknown vectors that bypass Scan to Mailbox authorization or (2) read device configuration information via unknown vectors that bypass web server authorization.
  Published: 2010-02-04 | CVSS Score: 7.8 | CVE-2010-0548 | Source & Patch Info: CONFIRM

xerox -- workcentre_6400_net_controller
xerox -- workcentre_6400_system_software
  Unspecified vulnerability in the Network Controller in Xerox WorkCentre 6400 System Software 060.070.109.11407 through 060.070.109.29510, and Net Controller 060.079.11410 through 060.079.29310, allows remote attackers to access "directory structure" via a crafted PostScript file, aka "Unauthorized Directory Structure Access Vulnerability."
  Published: 2010-02-04 | CVSS Score: 7.8 | CVE-2010-0549 | Source & Patch Info: CONFIRM



Medium Vulnerabilities

Columns: Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info

adobe -- coldfusion
  The default configuration of Adobe ColdFusion 9.0 does not restrict access to collections that have been created by the Solr Service, which allows remote attackers to obtain collection metadata, search information, and index data via a request to an unspecified URL.
  Published: 2010-02-03 | CVSS Score: 5.0 | CVE-2010-0185 | Source & Patch Info: XF, VUPEN, SECTRACK, BID, CONFIRM, SECUNIA, OSVDB, CONFIRM

apache -- http_server
  Integer overflow in the ap_proxy_send_fb function in proxy/proxy_util.c in mod_proxy in the Apache HTTP Server before 1.3.42 on 64-bit platforms allows remote origin servers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a large chunk size that triggers a heap-based buffer overflow.
  Published: 2010-02-02 | CVSS Score: 6.8 | CVE-2010-0010 | Source & Patch Info: XF, VUPEN, BID, BUGTRAQ, MISC, SECUNIA, MISC, CONFIRM, MISC, FULLDISC

apple -- iphone_os
  Recovery Mode in Apple iPhone OS 1.0 through 3.1.2, and iPhone OS for iPod touch 1.1 through 3.1.2, allows physically proximate attackers to bypass device locking, and read or modify arbitrary data, via a USB control message that triggers memory corruption.
  Published: 2010-02-03 | CVSS Score: 4.6 | CVE-2010-0038 | Source & Patch Info: BID, CONFIRM, APPLE

asterisk -- asterisk
  Asterisk Open Source 1.6.0.x before 1.6.0.22, 1.6.1.x before 1.6.1.14, and 1.6.2.x before 1.6.2.2, and Business Edition C.3 before C.3.3.2, allows remote attackers to cause a denial of service (daemon crash) via an SIP T.38 negotiation with an SDP FaxMaxDatagram field that is (1) missing, (2) modified to contain a negative number, or (3) modified to contain a large number.
  Published: 2010-02-04 | CVSS Score: 5.0 | CVE-2010-0441 | Source & Patch Info: CONFIRM, CONFIRM

chillcreations -- com_ccnewsletter
  Directory traversal vulnerability in the ccNewsletter (com_ccnewsletter) component 1.0.5 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter in a ccnewsletter action to index.php.
  Published: 2010-02-02 | CVSS Score: 5.0 | CVE-2010-0467 | Source & Patch Info: XF, BID, MISC, MISC, CONFIRM, SECUNIA

cisco -- secure_desktop
  Cross-site scripting (XSS) vulnerability in +CSCOT+/translation in Cisco Secure Desktop 3.4.2048, and other versions before 3.5; as used in Cisco ASA appliance before 8.2(1), 8.1(2.7), and 8.0(5); allows remote attackers to inject arbitrary web script or HTML via a crafted POST parameter, which is not properly handled by an eval statement in binary/mainv.js that writes to start.html.
  Published: 2010-02-03 | CVSS Score: 4.3 | CVE-2010-0440 | Source & Patch Info: CONFIRM

comtrend -- ct-507it_adsl_router
  Cross-site scripting (XSS) vulnerability in scvrtsrv.cmd in Comtrend CT-507IT ADSL Router allows remote attackers to inject arbitrary web script or HTML via the srvName parameter.
  Published: 2010-02-02 | CVSS Score: 4.3 | CVE-2010-0470 | Source & Patch Info: BID, SECUNIA, MISC

debian -- lintian
  Multiple directory traversal vulnerabilities in Lintian 1.23.x through 1.23.28, 1.24.x through 1.24.2.1, and 2.x before 2.3.2 allow remote attackers to overwrite arbitrary files or obtain sensitive information via vectors involving (1) control field names, (2) control field values, and (3) control files of patch systems.
  Published: 2010-02-02 | CVSS Score: 6.4 | CVE-2009-4013 | Source & Patch Info: BID

dinko_korunic -- hybserv2
  mystring.c in hybserv in IRCD-Hybrid (aka Hybrid2 IRC Services) 1.9.2 through 1.9.4 allows remote attackers to cause a denial of service (daemon crash) via a ":help " private message to the MemoServ service.
  Published: 2010-02-04 | CVSS Score: 5.0 | CVE-2010-0303 | Source & Patch Info: CONFIRM

freebit -- serversman
  FreeBit ServersMan 3.1.5 on Apple iPhone OS 3.1.2, and iPhone OS for iPod touch, allows remote attackers to cause a denial of service (daemon crash) via a HEAD request for the / URI.
  Published: 2010-02-03 | CVSS Score: 5.0 | CVE-2010-0496 | Source & Patch Info: XF, SECUNIA, FULLDISC

geopp -- geo++_gncaster
  admin.htm in Geo++ GNCASTER 1.4.0.7 and earlier does not properly enforce HTTP Digest Authentication, which allows remote authenticated users to use HTTP Basic Authentication, bypassing intended server policy.
  Published: 2010-02-04 | CVSS Score: 4.0 | CVE-2010-0550 | Source & Patch Info: XF, BUGTRAQ, MISC, SECUNIA, OSVDB
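
The GNCASTER entries CVE-2010-0554 (one nonce reused for every authentication, so a captured Authorization header replays indefinitely) and CVE-2010-0550 (admin.htm accepting Basic credentials although Digest is the configured policy) are two ways an HTTP Digest implementation loses the properties Digest was meant to add over Basic. The Python block below is an added example, not GNCASTER's code or the vendor's fix: a minimal RFC 2617 Digest verifier (no qop, for brevity) whose nonces carry a timestamp and an HMAC under a server secret, expire, and are consumed on first use, and which refuses any scheme other than Digest. The realm, user and password are assumptions constructed for the example.

```python
import hashlib
import hmac
import os
import re
import time

# Hypothetical realm and per-process server secret for this example.
REALM = "example-caster"
SERVER_SECRET = os.urandom(32)


def _md5(s: str) -> str:
    # MD5 only because the Digest scheme of RFC 2617 is defined over it.
    return hashlib.md5(s.encode()).hexdigest()


def client_digest_header(username: str, password: str, method: str,
                         uri: str, nonce: str) -> str:
    """What a client answers to a Digest challenge (RFC 2617 without qop):
    response = MD5(MD5(user:realm:pass) ":" nonce ":" MD5(method:uri))."""
    ha1 = _md5(f"{username}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    response = _md5(f"{ha1}:{nonce}:{ha2}")
    return (f'Digest username="{username}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{uri}", response="{response}"')


def _parse_params(params: str) -> dict:
    return dict(re.findall(r'(\w+)="([^"]*)"', params))


class DigestVerifier:
    """Server side: every challenge gets its own nonce, bound to a timestamp
    by an HMAC, valid for `ttl` seconds and accepted exactly once."""

    def __init__(self, users: dict, ttl: int = 300, clock=time.time):
        self.users = users            # username -> password (plaintext for brevity)
        self.ttl = ttl
        self.clock = clock            # injectable so expiry can be tested
        self.used_nonces = set()

    def _mac(self, ts: str, salt: str) -> str:
        return hmac.new(SERVER_SECRET, f"{ts}:{salt}".encode(),
                        hashlib.sha256).hexdigest()[:32]

    def issue_nonce(self) -> str:
        ts, salt = str(int(self.clock())), os.urandom(8).hex()
        return f"{ts}:{salt}:{self._mac(ts, salt)}"

    def _nonce_is_fresh(self, nonce: str) -> bool:
        parts = nonce.split(":")
        if len(parts) != 3 or not parts[0].isdigit():
            return False
        ts, salt, mac = parts
        if not hmac.compare_digest(mac, self._mac(ts, salt)):
            return False              # not a nonce this server issued
        if self.clock() - int(ts) > self.ttl:
            return False              # expired
        return nonce not in self.used_nonces   # already consumed: a replay

    def verify(self, method: str, uri: str, authorization: str) -> bool:
        scheme, _, params = authorization.partition(" ")
        if scheme != "Digest":
            return False              # Digest is policy: Basic is never accepted
        p = _parse_params(params)
        if any(k not in p for k in ("username", "nonce", "uri", "response")):
            return False
        if p["uri"] != uri or not self._nonce_is_fresh(p["nonce"]):
            return False
        password = self.users.get(p["username"])
        if password is None:
            return False
        ha1 = _md5(f'{p["username"]}:{REALM}:{password}')
        ha2 = _md5(f"{method}:{uri}")
        expected = _md5(f'{ha1}:{p["nonce"]}:{ha2}')
        if not hmac.compare_digest(expected, p["response"]):
            return False
        self.used_nonces.add(p["nonce"])   # consume it: the same header cannot replay
        return True


def demo() -> dict:
    """A valid login, a replay of the captured header, a Basic downgrade,
    and a nonce presented after its lifetime. Only the first succeeds."""
    now = [1_000_000]
    server = DigestVerifier({"alice": "s3cret"}, clock=lambda: now[0])
    nonce = server.issue_nonce()
    header = client_digest_header("alice", "s3cret", "GET", "/admin.htm", nonce)
    first = server.verify("GET", "/admin.htm", header)
    replay = server.verify("GET", "/admin.htm", header)
    basic = server.verify("GET", "/admin.htm", "Basic YWxpY2U6czNjcmV0")  # alice:s3cret
    late_nonce = server.issue_nonce()
    now[0] += 600                     # past the 300 s ttl
    stale = server.verify("GET", "/admin.htm", client_digest_header(
        "alice", "s3cret", "GET", "/admin.htm", late_nonce))
    return {"first": first, "replay": replay, "basic": basic, "stale": stale}


if __name__ == "__main__":
    print(demo())
```

Consuming a nonce outright is the simplest replay defence; production servers usually keep the nonce for its lifetime and enforce a strictly increasing nonce-count (nc) with qop=auth instead, which is what lets a client reuse one challenge across several requests without a captured header being replayable.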

geopp -- geo++_gncaster
  HTTP authentication implementation in Geo++ GNCASTER 1.4.0.7 and earlier allows remote attackers to read authentication headers of other users via a large request with an incorrect authentication attempt, which includes sensitive memory in the response. NOTE: this is referred to as a "memory leak" by some sources, but is better characterized as "memory disclosure."
  Published: 2010-02-04 | CVSS Score: 5.0 | CVE-2010-0551 | Source & Patch Info: XF, BUGTRAQ, MISC, SECUNIA, OSVDB

geopp -- geo++_gncaster
  Geo++ GNCASTER 1.4.0.7 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via multiple requests for a non-existent file using a long URI.
  Published: 2010-02-04 | CVSS Score: 5.0 | CVE-2010-0552 | Source & Patch Info: XF, BUGTRAQ, MISC, SECUNIA, OSVDB

geopp -- geo++_gncaster
  Geo++ GNCASTER 1.4.0.7 and earlier allows remote authenticated users to cause a denial of service (application crash) and possibly execute arbitrary code via a long NMEA data sentence.
  Published: 2010-02-04 | CVSS Score: 6.5 | CVE-2010-0553 | Source & Patch Info: XF, BUGTRAQ, MISC, SECUNIA, OSVDB

gnu -- gzip
  The huft_build function in inflate.c in gzip before 1.3.13 creates a hufts (aka huffman) table that is too small, which allows remote attackers to cause a denial of service (application crash or infinite loop) or possibly execute arbitrary code via a crafted archive. NOTE: this issue is caused by a CVE-2006-4334 regression.
  Published: 2010-01-29 | CVSS Score: 6.8 | CVE-2009-2624 | Source & Patch Info: CONFIRM, VUPEN, UBUNTU, MANDRIVA, DEBIAN, SECUNIA, SECUNIA, SECUNIA, SUSE, CONFIRM, CONFIRM, MLIST

gnu -- gzip
  Integer underflow in the unlzw function in unlzw.c in gzip before 1.4 on 64-bit platforms allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted archive that uses LZW compression, leading to an array index error.
  Published: 2010-01-29 | CVSS Score: 6.8 | CVE-2010-0001 | Source & Patch Info: CONFIRM, VUPEN, UBUNTU, REDHAT, OSVDB, MANDRIVA, MANDRIVA, DEBIAN, SECTRACK, SECUNIA, SECUNIA, SECUNIA, SECUNIA, CONFIRM, SUSE, CONFIRM

horde -- imp
  Horde IMP 4.3.6 and earlier does not request that the web browser avoid DNS prefetching of domain names contained in e-mail messages, which makes it easier for remote attackers to determine the network location of the webmail user by logging DNS requests.
  Published: 2010-01-29 | CVSS Score: 5.0 | CVE-2010-0463 | Source & Patch Info: CONFIRM

hp -- enterprise_cluster_master_toolkit
  Unspecified vulnerability in HP Enterprise Cluster Master Toolkit (ECMT) B.05.00 on HP-UX B.11.23 (11i v2) and HP-UX B.11.31 (11i v3) allows local users to gain access to an Oracle or Sybase database via unknown vectors.
  Published: 2010-02-03 | CVSS Score: 6.2 | CVE-2009-4184 | Source & Patch Info: VUPEN, SECTRACK, BID, SECUNIA, HP, HP

hp -- openvms_rms
  Unspecified vulnerability in Record Management Services (RMS) before VMS83A_RMS-V1100 for HP OpenVMS on the Alpha platform allows local users to gain privileges via unknown vectors.
  Published: 2010-02-04 | CVSS Score: 6.8 | CVE-2010-0443 | Source & Patch Info: VUPEN, HP, HP

ibm -- db2
  kuddb2 in Tivoli Monitoring for DB2, as distributed in IBM DB2 9.7 FP1 on Linux, allows remote attackers to cause a denial of service (daemon crash) via a certain byte sequence.
  Published: 2010-02-02 | CVSS Score: 5.0 | CVE-2010-0472 | Source & Patch Info: BID, MISC

ibm -- websphere_service_registry_and_repository
  IBM WebSphere Service Registry and Repository (WSRR) 6.3.0 before FP2 does not have the intended configuration properties, which allows remote authenticated users to obtain unspecified data access via a property query.
  Published: 2010-02-04 | CVSS Score: 5.5 | CVE-2009-2750 | Source & Patch Info: CONFIRM

ircd-hybrid -- ircd-hybrid
ircd-ratbox -- ircd-ratbox
oftc -- oftc-hybrid
  Integer underflow in the clean_string function in irc_string.c in (1) IRCD-hybrid 7.2.2 and 7.2.3, (2) ircd-ratbox before 2.2.9, and (3) oftc-hybrid before 1.6.8, when flatten_links is disabled, allows remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via a LINKS command.
  Published: 2010-02-04 | CVSS Score: 6.8 | CVE-2009-4016 | Source & Patch Info: DEBIAN, CONFIRM

ircd-ratbox -- ircd-ratbox
  cache.c in ircd-ratbox before 2.2.9 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a HELP command.
  Published: 2010-02-04 | CVSS Score: 5.0 | CVE-2010-0300 | Source & Patch Info: DEBIAN, CONFIRM, SECUNIA, SECUNIA, MLIST

lighttpd -- lighttpd
  lighttpd before 1.4.26, and 1.5.x, allocates a buffer for each read operation that occurs for a request, which allows remote attackers to cause a denial of service (memory consumption) by breaking a request into small pieces that are sent at a slow rate.
  Published: 2010-02-03 | CVSS Score: 5.0 | CVE-2010-0295 | Source & Patch Info: BID, CONFIRM, CONFIRM, CONFIRM

mozilla -- seamonkey
mozilla -- thunderbird
  Mozilla Necko, as used in Thunderbird 3.0.1, SeaMonkey, and other applications, performs DNS prefetching even when the app type is APP_TYPE_MAIL or APP_TYPE_EDITOR, which makes it easier for remote attackers to determine the network location of the application's user by logging DNS requests, as demonstrated by DNS requests triggered by reading text/plain e-mail messages in Thunderbird.
  Published: 2010-01-29 | CVSS Score: 5.0 | CVE-2009-4629 | Source & Patch Info: MISC, CONFIRM

mozilla -- bugzilla
  Bugzilla 3.3.1 through 3.4.4, 3.5.1, and 3.5.2 does not allow group restrictions to be preserved throughout the process of moving a bug to a different product category, which allows remote attackers to obtain sensitive information via a request for a bug in opportunistic circumstances.
  Published: 2010-02-03 | CVSS Score: 5.0 | CVE-2009-3387 | Source & Patch Info: VUPEN

mozilla -- bugzilla
  Bugzilla before 3.0.11, 3.2.x before 3.2.6, 3.4.x before 3.4.5, and 3.5.x before 3.5.3 does not block access to files and directories that are used by custom installations, which allows remote attackers to obtain sensitive information via requests for (1) CVS/, (2) contrib/, (3) docs/en/xml/, (4) t/, or (5) old-params.txt.
  Published: 2010-02-03 | CVSS Score: 4.3 | CVE-2009-3989 | Source & Patch Info: CONFIRM, CONFIRM, VUPEN

paperthin -- commonspot_content_server
  Cross-site scripting (XSS) vulnerability in utilities/longproc.cfm in PaperThin CommonSpot Content Server allows remote attackers to inject arbitrary web script or HTML via the url parameter.
  Published: 2010-02-02 | CVSS Score: 4.3 | CVE-2010-0468 | Source & Patch Info: XF, BID, BUGTRAQ, FULLDISC

postgresql -- postgresql
  The bitsubstr function in backend/utils/adt/varbit.c in PostgreSQL 8.0.23, 8.1.11, and 8.3.8 allows remote authenticated users to cause a denial of service (daemon crash) or have unspecified other impact via vectors involving a negative integer in the third argument, as demonstrated by a SELECT statement that contains a call to the substring function for a bit string, related to an "overflow."
  Published: 2010-02-02 | CVSS Score: 6.5 | CVE-2010-0442 | Source & Patch Info: CONFIRM, CONFIRM, XF, BID, MLIST, SECTRACK, MISC, CONFIRM, CONFIRM, MISC, MLIST, MLIST

process-one -- ejabberd
  ejabberd_c2s.erl in ejabberd before 2.1.3 allows remote attackers to cause a denial of service (daemon crash) via a large number of c2s (aka client2server) messages that trigger a queue overload.
  Published: 2010-02-03 | CVSS Score: 5.0 | CVE-2010-0305 | Source & Patch Info: MLIST, MLIST

roundcube -- roundcube_webmail
  Roundcube 0.3.1 and earlier does not request that the web browser avoid DNS prefetching of domain names contained in e-mail messages, which makes it easier for remote attackers to determine the network location of the webmail user by logging DNS requests.
  Published: 2010-01-29 | CVSS Score: 5.0 | CVE-2010-0464 | Source & Patch Info: CONFIRM
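
The Horde IMP (CVE-2010-0463) and Roundcube (CVE-2010-0464) entries, and the Thunderbird one above (CVE-2009-4629), share one leak: a browser or mail client that speculatively resolves every hostname in a message tells whoever runs that DNS zone that the message was opened, and from which resolver. The mechanism a web application uses to opt out is the X-DNS-Prefetch-Control response header (or the equivalent http-equiv meta tag). The Python block below is an added example, not Horde's or Roundcube's code: it lists the hostnames in a constructed message that a prefetching browser would resolve, audits whether a response actually turns prefetching off, and wraps a message body so that both the header and the meta tag say off.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

PREFETCH_HEADER = "X-DNS-Prefetch-Control"


class _LinkAndMetaScanner(HTMLParser):
    """Collects anchor hostnames (what a prefetching browser would resolve
    before any click) and any x-dns-prefetch-control meta directive."""

    def __init__(self):
        super().__init__()
        self.hosts = set()
        self.meta_value = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "a" and "href" in a:
            host = urlsplit(a["href"]).hostname
            if host:
                self.hosts.add(host.lower())
        elif tag == "meta" and a.get("http-equiv", "").lower() == "x-dns-prefetch-control":
            self.meta_value = a.get("content", "").strip().lower()


def hosts_exposed_to_prefetch(message_html: str) -> set:
    """Hostnames a prefetching browser would look up just by rendering the message."""
    scanner = _LinkAndMetaScanner()
    scanner.feed(message_html)
    return scanner.hosts


def prefetch_disabled(headers: dict, html: str) -> bool:
    """Audit: is prefetching turned off by header or by meta tag?"""
    header_value = next((v for k, v in headers.items()
                         if k.lower() == PREFETCH_HEADER.lower()), None)
    if header_value is not None and header_value.strip().lower() == "off":
        return True
    scanner = _LinkAndMetaScanner()
    scanner.feed(html)
    return scanner.meta_value == "off"


def render_message_page(message_html: str, headers: dict) -> tuple:
    """Wrap an untrusted message body so prefetching is off both ways; returns
    (response_headers, page_html). The page skeleton is an assumption."""
    out = dict(headers)
    out[PREFETCH_HEADER] = "off"
    page = ('<html><head><meta http-equiv="x-dns-prefetch-control" content="off">'
            f"</head><body>{message_html}</body></html>")
    return out, page


# Constructed sample message: the first link's hostname is unique per recipient,
# so a lookup of it alone confirms the message was opened.
SAMPLE_MESSAGE = ('<p>Hello,</p><p><a href="http://r7f3k9.track.example/open">View offer</a> '
                  '<a href="https://www.example.org/">site</a></p>')


def demo() -> dict:
    before = {"Content-Type": "text/html"}
    exposed = hosts_exposed_to_prefetch(SAMPLE_MESSAGE)
    leaks_before = not prefetch_disabled(before, SAMPLE_MESSAGE)
    after, page = render_message_page(SAMPLE_MESSAGE, before)
    leaks_after = not prefetch_disabled(after, page)
    return {"hosts": exposed, "leaks_before": leaks_before, "leaks_after": leaks_after}


if __name__ == "__main__":
    print(demo())
```

The header only suppresses the browser's speculative lookups; anything the page actually loads (a remote image or stylesheet in the message) still resolves and still fetches, so a webmail client also needs its usual default of blocking remote content.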

squid-cache -- squid
  lib/rfc1035.c in Squid 2.x, 3.0 through 3.0.STABLE22, and 3.1 through 3.1.0.15 allows remote attackers to cause a denial of service (assertion failure) via a crafted DNS packet that only contains a header.
  Published: 2010-02-03 | CVSS Score: 4.0 | CVE-2010-0308 | Source & Patch Info: MISC

sun -- opensolaris
sun -- solaris
  The ucode_ioctl function in intel/io/ucode_drv.c in Sun Solaris 10 and OpenSolaris snv_69 through snv_133, when running on x86 architectures, allows local users to cause a denial of service (panic) via a request with a 0 size value to the UCODE_GET_VERSION IOCTL, which triggers a NULL pointer dereference in the ucode_get_rev function, related to retrieval of the microcode revision.
  Published: 2010-02-03 | CVSS Score: 4.9 | CVE-2010-0453 | Source & Patch Info: VUPEN, CONFIRM

symantec -- altiris_notification_server
  The web console in Symantec Altiris Notification Server 6.0.x before 6.0 SP3 R12 uses a hardcoded key that can decrypt SQL Server credentials and certain discovery credentials, and stores this key on the Notification Server machine, which allows local users to obtain sensitive information and possibly execute arbitrary code by decrypting and using these credentials.
  Published: 2010-02-02 | CVSS Score: 4.3 | CVE-2009-3035 | Source & Patch Info: CONFIRM

viewvc -- viewvc
  ViewVC before 1.1.3 composes the root listing view without using the authorizer for each root, which might allow remote attackers to discover private root names by reading this view.
  Published: 2010-01-29 | CVSS Score: 5.0 | CVE-2010-0004 | Source & Patch Info: FEDORA, FEDORA, MLIST, MLIST, MLIST, CONFIRM, CONFIRM, CONFIRM, SUSE



Low Vulnerabilities

Columns: Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info

samba -- samba
  client/mount.cifs.c in mount.cifs in smbfs in Samba 3.4.5 and earlier does not verify that the (1) device name and (2) mountpoint strings are composed of valid characters, which allows local users to cause a denial of service (mtab corruption) via a crafted string.
  Published: 2010-02-04 | CVSS Score: 2.1 | CVE-2010-0547 | Source & Patch Info: CONFIRM
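
The mount.cifs entry (CVE-2010-0547) is about a record format rather than memory: /etc/mtab holds one whitespace-separated line per mount, so a device name or mountpoint that a setuid helper writes verbatim can contain a newline that ends the real record and starts a forged one. The Python block below is an added example, not Samba's code or its fix. It shows the corruption, then a checked writer that rejects newlines and control characters and escapes the four characters that mount(8) and /proc/mounts encode as octal escapes, together with a parser that reverses the escaping. The acceptance policy in check_mtab_field is an illustrative one, not the upstream patch.

```python
# Escape convention used by mount(8), /etc/mtab and /proc/mounts: fields are
# whitespace-separated, so these four characters are written as octal escapes.
MTAB_ESCAPES = {" ": "\\040", "\t": "\\011", "\n": "\\012", "\\": "\\134"}
MTAB_UNESCAPES = {v: k for k, v in MTAB_ESCAPES.items()}


def check_mtab_field(value: str, what: str) -> str:
    """Illustrative policy for a device name or mountpoint: non-empty, no
    newline (it would terminate the record and start a forged one), and no
    other control character."""
    if not value:
        raise ValueError(f"{what}: empty")
    if "\n" in value:
        raise ValueError(f"{what}: newline would split the mtab record")
    if any(ord(c) < 0x20 and c != "\t" for c in value):
        raise ValueError(f"{what}: control character")
    return value


def escape_field(value: str) -> str:
    return "".join(MTAB_ESCAPES.get(c, c) for c in value)


def unescape_field(value: str) -> str:
    out, i = [], 0
    while i < len(value):
        chunk = value[i:i + 4]
        if chunk in MTAB_UNESCAPES:
            out.append(MTAB_UNESCAPES[chunk])
            i += 4
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def mtab_line_unchecked(device: str, mountpoint: str,
                        fstype: str = "cifs", opts: str = "rw") -> str:
    """The vulnerable shape: caller-controlled strings written verbatim."""
    return f"{device} {mountpoint} {fstype} {opts} 0 0\n"


def mtab_line(device: str, mountpoint: str,
              fstype: str = "cifs", opts: str = "rw") -> str:
    """Validated, escaped record: always exactly one line, six fields."""
    device = escape_field(check_mtab_field(device, "device"))
    mountpoint = escape_field(check_mtab_field(mountpoint, "mountpoint"))
    return f"{device} {mountpoint} {fstype} {opts} 0 0\n"


def parse_mtab(text: str) -> list:
    """Read records the way getmntent(3) would: split on whitespace, undo escapes.
    Short lines are padded so a truncated record is still visible as one."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        fields += [""] * (4 - len(fields))
        records.append((unescape_field(fields[0]), unescape_field(fields[1]),
                        fields[2], fields[3]))
    return records


# Constructed hostile device name: a newline followed by a forged root entry.
HOSTILE_DEVICE = "//srv/share\n/dev/sda1 / ext4 rw,suid 0 0"


def demo() -> dict:
    forged = parse_mtab(mtab_line_unchecked(HOSTILE_DEVICE, "/mnt/share"))
    try:
        mtab_line(HOSTILE_DEVICE, "/mnt/share")
        rejected = False
    except ValueError:
        rejected = True
    spaced = mtab_line("//srv/my share", "/mnt/my share")   # legitimate spaces
    return {"forged": forged, "rejected": rejected, "spaced": spaced,
            "roundtrip": parse_mtab(spaced)[0][:2]}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Rejecting the newline rather than escaping it as \012 is deliberate: the mountpoint is later compared against the table by umount, and a name that only round-trips through an escape layer is exactly the kind of string a setuid helper should refuse.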
