U.S. Flag Official website of the Department of Homeland Security

Bulletin (SB13-322)

Vulnerability Summary for the Week of November 11, 2013

Original release date: November 18, 2013

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

  • High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0

  • Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9

  • Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

High Vulnerabilities

Primary
Vendor -- Product
DescriptionPublishedCVSS ScoreSource & Patch Info
adobe -- coldfusionAdobe ColdFusion 10 before Update 12 allows remote attackers to read arbitrary files via unspecified vectors.2013-11-127.8CVE-2013-5328
adobe -- adobe_airAdobe Flash Player before 11.7.700.252 and 11.8.x and 11.9.x before 11.9.900.152 on Windows and Mac OS X and before 11.2.202.327 on Linux, Adobe AIR before 3.9.0.1210, Adobe AIR SDK before 3.9.0.1210, and Adobe AIR SDK & Compiler before 3.9.0.1210 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-5330.2013-11-1210.0CVE-2013-5329
adobe -- adobe_airAdobe Flash Player before 11.7.700.252 and 11.8.x and 11.9.x before 11.9.900.152 on Windows and Mac OS X and before 11.2.202.327 on Linux, Adobe AIR before 3.9.0.1210, Adobe AIR SDK before 3.9.0.1210, and Adobe AIR SDK & Compiler before 3.9.0.1210 allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2013-5329.2013-11-1210.0CVE-2013-5330
cisco -- adaptive_security_appliance_softwareThe auto-update implementation in Cisco Adaptive Security Appliance (ASA) Software 9.0.3.6 and earlier allows remote attackers to cause a denial of service (device reload) via crafted update data, aka Bug ID CSCui33308.2013-11-137.1CVE-2013-5568
google -- chromeMultiple unspecified vulnerabilities in Google Chrome before 31.0.1650.48 allow attackers to execute arbitrary code or possibly have other impact via unknown vectors.2013-11-1310.0CVE-2013-2931
google -- chromeUse-after-free vulnerability in Google Chrome before 31.0.1650.48 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to the x-webkit-speech attribute in a text INPUT element.2013-11-137.5CVE-2013-6621
google -- chromeUse-after-free vulnerability in Google Chrome before 31.0.1650.48 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving the string values of id attributes.2013-11-137.5CVE-2013-6624
justsystems -- ichitaroUnspecified vulnerability in JustSystems Ichitaro 2006 through 2011; Ichitaro Government 6, 7, and 2006 through 2010; Ichitaro 2011 Sou; Ichitaro 2012 Shou; Ichitaro 2013 Gen and Gen Trial Edition; Ichitaro Pro; Ichitaro Pro 2 and Pro 2 Trial Edition; Ichitaro Viewer; and Ichitaro Portable with oreplug allows remote attackers to execute arbitrary code via a crafted document.2013-11-139.3CVE-2013-5990
microsoft -- officeMicrosoft Office 2003 SP3 and 2007 SP3 allows remote attackers to execute arbitrary code via a crafted WordPerfect document (.wpd) file, aka "WPD File Format Memory Corruption Vulnerability."2013-11-129.3CVE-2013-0082
microsoft -- officeStack-based buffer overflow in Microsoft Office 2003 SP3, 2007 SP3, 2010 SP1 and SP2, 2013, and 2013 RT allows remote attackers to execute arbitrary code via a crafted WordPerfect document (.wpd) file, aka "Word Stack Buffer Overwrite Vulnerability."2013-11-129.3CVE-2013-1324
microsoft -- officeHeap-based buffer overflow in Microsoft Office 2003 SP3 and 2007 SP3 allows remote attackers to execute arbitrary code via a crafted WordPerfect document (.wpd) file, aka "Word Heap Overwrite Vulnerability."2013-11-129.3CVE-2013-1325
microsoft -- windows_8Microsoft Windows 8 and Windows Server 2012, when Hyper-V is used, does not ensure memory-address validity, which allows guest OS users to execute arbitrary code in all guest OS instances, and allows guest OS users to cause a denial of service (host OS crash), via a guest-to-host hypercall with a crafted function parameter, aka "Address Corruption Vulnerability."2013-11-127.9CVE-2013-3898
microsoft -- internet_explorerMicrosoft Internet Explorer 6 through 9 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."2013-11-129.3CVE-2013-3910
microsoft -- internet_explorerMicrosoft Internet Explorer 9 and 10 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."2013-11-129.3CVE-2013-3911
microsoft -- internet_explorerMicrosoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3916.2013-11-129.3CVE-2013-3912
microsoft -- internet_explorerMicrosoft Internet Explorer 9 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability."2013-11-129.3CVE-2013-3914
microsoft -- internet_explorerMicrosoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3917.2013-11-129.3CVE-2013-3915
microsoft -- internet_explorerMicrosoft Internet Explorer 8 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3912.2013-11-129.3CVE-2013-3916
microsoft -- internet_explorerMicrosoft Internet Explorer 6 through 11 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted web site, aka "Internet Explorer Memory Corruption Vulnerability," a different vulnerability than CVE-2013-3915.2013-11-129.3CVE-2013-3917
microsoft -- internet_explorerThe InformationCardSigninHelper Class ActiveX control in icardie.dll in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code or cause a denial of service (out-of-bounds write) via a crafted web page that is accessed by Internet Explorer, as exploited in the wild in November 2013, aka "InformationCardSigninHelper Vulnerability."2013-11-129.3CVE-2013-3918
microsoft -- windows_2003_serverInteger overflow in the Graphics Device Interface (GDI) in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted image in a Windows Write (.wri) document, which is not properly handled in WordPad, aka "Graphics Device Interface Integer Overflow Vulnerability."2013-11-129.3CVE-2013-3940
Back to top

Medium Vulnerabilities

Primary
Vendor -- Product
DescriptionPublishedCVSS ScoreSource & Patch Info
apache -- tomcat** DISPUTED ** Cross-site request forgery (CSRF) vulnerability in the Manager application in Apache Tomcat 5.5.25 and earlier allows remote attackers to hijack the authentication of administrators for requests that manipulate application deployment via the POST method, as demonstrated by a /manager/html/undeploy?path= URI. NOTE: the vendor disputes the significance of this report, stating that "the Apache Tomcat Security team has not accepted any reports of CSRF attacks against the Manager application ... as they require a reckless system administrator."2013-11-136.8CVE-2013-6357
cisco -- content_services_gatewayCisco IOS 12.4(24)MDB9 and earlier on Content Services Gateway (CSG) devices does not properly implement the "parse error drop" feature, which allows remote attackers to bypass intended access restrictions via a crafted series of packets, aka Bug ID CSCug90143.2013-11-136.4CVE-2013-5552
cisco -- adaptive_security_appliance_softwareThe IPv6 implementation in Cisco Adaptive Security Appliance (ASA) Software 9.1.3 and earlier, when NAT64 or NAT66 is enabled, does not properly process NAT rules, which allows remote attackers to cause a denial of service (device reload) via crafted packets, aka Bug ID CSCue34342.2013-11-135.4CVE-2013-5560
cisco -- adaptive_security_appliance_softwareThe phone-proxy implementation in Cisco Adaptive Security Appliance (ASA) Software 9.0.3.6 and earlier does not properly validate X.509 certificates, which allows remote attackers to cause a denial of service (connection-database corruption) via an invalid entry, aka Bug ID CSCui33299.2013-11-136.4CVE-2013-6682
cisco -- nx-osThe IPv6 implementation in Cisco NX-OS does not properly handle neighbor-table adjacencies, which allows remote attackers to cause a denial of service (NS processing outage) via a series of malformed packets, aka Bug ID CSCtd15904.2013-11-136.1CVE-2013-6683
cisco -- wireless_lan_controllerThe web framework on Cisco Wireless LAN Controller (WLC) devices does not properly validate configuration parameters, which allows remote authenticated users to cause a denial of service via a crafted HTTP request, aka Bug ID CSCuh81011.2013-11-136.8CVE-2013-6684
cisco -- unified_ip_phone_8961The firmware on Cisco Unified IP phones 8961, 9951, and 9971 uses weak permissions for memory block devices, which allows local users to gain privileges by mounting a device with a setuid file in its filesystem, aka Bug ID CSCui04382.2013-11-136.6CVE-2013-6685
google -- chromeUse-after-free vulnerability in the HTMLMediaElement::didMoveToNewDocument function in core/html/HTMLMediaElement.cpp in Blink, as used in Google Chrome before 31.0.1650.48, allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors involving the movement of a media element between documents.2013-11-136.8CVE-2013-6622
google -- chromeThe SVG implementation in Blink, as used in Google Chrome before 31.0.1650.48, allows remote attackers to cause a denial of service (out-of-bounds read) by leveraging the use of tree order, rather than transitive dependency order, for layout.2013-11-134.3CVE-2013-6623
google -- chromeUse-after-free vulnerability in core/dom/ContainerNode.cpp in Blink, as used in Google Chrome before 31.0.1650.48, allows remote attackers to cause a denial of service or possibly have unspecified other impact by leveraging improper handling of DOM range objects in circumstances that require child node removal after a (1) mutation or (2) blur event.2013-11-136.8CVE-2013-6625
google -- chromeThe WebContentsImpl::AttachInterstitialPage function in content/browser/web_contents/web_contents_impl.cc in Google Chrome before 31.0.1650.48 does not cancel JavaScript dialogs upon generating an interstitial warning, which allows remote attackers to spoof the address bar via a crafted web site.2013-11-134.3CVE-2013-6626
google -- chromenet/http/http_stream_parser.cc in Google Chrome before 31.0.1650.48 does not properly process HTTP Informational (aka 1xx) status codes, which allows remote web servers to cause a denial of service (out-of-bounds read) via a crafted response.2013-11-135.0CVE-2013-6627
google -- chromenet/socket/ssl_client_socket_nss.cc in the TLS implementation in Google Chrome before 31.0.1650.48 does not ensure that a server's X.509 certificate is the same during renegotiation as it was before renegotiation, which might allow remote web servers to interfere with trust relationships by renegotiating a session.2013-11-134.3CVE-2013-6628
ibm -- lotus_sametimeIBM Lotus Sametime 8.5.2 and 8.5.2.1 allows remote attackers to cause a denial of service (WebPlayer Firefox extension crash) via a crafted Audio Visual (AV) session.2013-11-084.3CVE-2013-3986
ibm -- security_network_protection_xgs_5100Cross-site scripting (XSS) vulnerability in the Local Management Interface (LMI) in IBM Security Network Protection on XGS 5100 devices with firmware 5.1 before 5.1.0.6 and 5.1.1 before 5.1.1.1 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.2013-11-134.3CVE-2013-5442
ibm -- security_appscanIBM Security AppScan Enterprise 8.5 through 8.7.0.1, when Jazz authentication is enabled, allows man-in-the-middle attackers to obtain sensitive information or modify data by leveraging an improperly protected URL to obtain a session token.2013-11-134.0CVE-2013-5450
linux -- linux_kernelMultiple integer overflows in Alchemy LCD frame-buffer drivers in the Linux kernel before 3.12 allow local users to create a read-write memory mapping for the entirety of kernel memory, and consequently gain privileges, via crafted mmap operations, related to the (1) au1100fb_fb_mmap function in drivers/video/au1100fb.c and the (2) au1200fb_fb_mmap function in drivers/video/au1200fb.c.2013-11-126.9CVE-2013-4511
linux -- linux_kernelBuffer overflow in the exitcode_proc_write function in arch/um/kernel/exitcode.c in the Linux kernel before 3.12 allows local users to cause a denial of service or possibly have unspecified other impact by leveraging root privileges for a write operation.2013-11-124.7CVE-2013-4512
linux -- linux_kernelBuffer overflow in the oz_cdev_write function in drivers/staging/ozwpan/ozcdev.c in the Linux kernel before 3.12 allows local users to cause a denial of service or possibly have unspecified other impact via a crafted write operation.2013-11-124.9CVE-2013-4513
linux -- linux_kernelMultiple buffer overflows in drivers/staging/wlags49_h2/wl_priv.c in the Linux kernel before 3.12 allow local users to cause a denial of service or possibly have unspecified other impact by leveraging the CAP_NET_ADMIN capability and providing a long station-name string, related to the (1) wvlan_uil_put_info and (2) wvlan_set_station_nickname functions.2013-11-124.7CVE-2013-4514
linux -- linux_kernelThe bcm_char_ioctl function in drivers/staging/bcm/Bcmchar.c in the Linux kernel before 3.12 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel memory via an IOCTL_BCM_GET_DEVICE_DRIVER_INFO ioctl call.2013-11-124.9CVE-2013-4515
linux -- linux_kernelThe mp_get_count function in drivers/staging/sb105x/sb_pci_mp.c in the Linux kernel before 3.12 does not initialize a certain data structure, which allows local users to obtain sensitive information from kernel stack memory via a TIOCGICOUNT ioctl call.2013-11-124.9CVE-2013-4516
linux -- linux_kernelThe uio_mmap_physical function in drivers/uio/uio.c in the Linux kernel before 3.12 does not validate the size of a memory block, which allows local users to cause a denial of service (memory corruption) or possibly gain privileges via crafted mmap operations, a different vulnerability than CVE-2013-4511.2013-11-126.9CVE-2013-6763
microsoft -- windows_2003_serverMicrosoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allow remote attackers to cause a denial of service (daemon hang) via a web-service request containing a crafted X.509 certificate that is not properly handled during validation, aka "Digital Signatures Vulnerability."2013-11-125.0CVE-2013-3869
microsoft -- windows_7The Ancillary Function Driver (AFD) in afd.sys in the kernel-mode drivers in Microsoft Windows XP SP2, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, and Windows Server 2012 allows local users to obtain sensitive information from kernel memory by leveraging improper copy operations, aka "Ancillary Function Driver Information Disclosure Vulnerability."2013-11-124.9CVE-2013-3887
microsoft -- outlookMicrosoft Outlook 2007 SP3, 2010 SP1 and SP2, 2013, and 2013 RT does not properly expand metadata contained in S/MIME certificates, which allows remote attackers to obtain sensitive network configuration and state information via a crafted certificate in an e-mail message, aka "S/MIME AIA Vulnerability."2013-11-125.0CVE-2013-3905
microsoft -- internet_explorerMicrosoft Internet Explorer 6 through 10 allows user-assisted remote attackers to bypass the Same Origin Policy and obtain sensitive information from any visited document via a crafted web page that is not properly handled during a print-preview action, aka "Internet Explorer Information Disclosure Vulnerability."2013-11-124.3CVE-2013-3908
microsoft -- internet_explorerMicrosoft Internet Explorer 6 through 8 allows remote attackers to read content from a different (1) domain or (2) zone via crafted characters in Cascading Style Sheets (CSS) token sequences, aka "Internet Explorer Information Disclosure Vulnerability."2013-11-124.3CVE-2013-3909
openbsd -- opensshThe mm_newkeys_from_blob function in monitor_wrap.c in sshd in OpenSSH 6.2 and 6.3, when an AES-GCM cipher is used, does not properly initialize memory for a MAC context data structure, which allows remote authenticated users to bypass intended ForceCommand and login-shell restrictions via packet data that provides a crafted callback address.2013-11-086.0CVE-2013-4548
openvz -- vzkernelvzkernel before 042stab080.2 in the OpenVZ modification for the Linux kernel 2.6.32 does not initialize certain length variables, which allows local users to obtain sensitive information from kernel stack memory via (1) a crafted ploop driver ioctl call, related to the ploop_getdevice_ioc function in drivers/block/ploop/dev.c or (2) a crafted quotactl system call, related to the compat_quotactl function in fs/quota/quota.c.2013-11-124.7CVE-2013-2239
qualcomm -- quic_mobile_station_modem_kernelgoodix_tool.c in the Goodix gt915 touchscreen driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, relies on user-space length values for kernel-memory copies of procfs file content, which allows attackers to gain privileges or cause a denial of service (memory corruption) via an application that provides crafted values.2013-11-126.9CVE-2013-4740
qualcomm -- quic_mobile_station_modem_kernelgoodix_tool.c in the Goodix gt915 touchscreen driver for the Linux kernel 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, does not properly synchronize updates to a global variable, which allows local users to bypass intended access restrictions or cause a denial of service (memory corruption) via crafted arguments to the procfs write handler.2013-11-126.9CVE-2013-6122
samba -- sambaSamba 3.x before 3.6.20, 4.0.x before 4.0.11, and 4.1.x before 4.1.1, when vfs_streams_depot or vfs_streams_xattr is enabled, allows remote attackers to bypass intended file restrictions by leveraging ACL differences between a file and an associated alternate data stream (ADS).2013-11-134.0CVE-2013-4475
silverstripe -- silverstripesecurity/MemberLoginForm.php in SilverStripe 3.0.3 supports login using a GET request, which makes it easier for remote attackers to conduct phishing attacks without detection by the victim.2013-11-125.8CVE-2013-2653
silverstripe -- silverstripesecurity/MemberLoginForm.php in SilverStripe 3.0.3 supports credentials in a GET request, which allows remote or local attackers to obtain sensitive information by reading web-server access logs, web-server Referer logs, or the browser history, a similar vulnerability to CVE-2013-2653.2013-11-125.0CVE-2013-6789
tapbots -- tweetbotTweetbot 1.3.3 for Mac, and 2.8.5 for iPad and iPhone, does not require confirmation of (1) follow or (2) favorite actions, which allows remote attackers to automatically force the user to perform undesired actions, as demonstrated via the tweetbot:///follow/ URL.2013-11-126.8CVE-2013-5726
yahoo -- yuiCross-site scripting (XSS) vulnerability in uploader.swf in the Uploader component in Yahoo! YUI 2.5.0 through 2.9.0 allows remote attackers to inject arbitrary web script or HTML via the allowedDomain parameter.2013-11-134.3CVE-2013-6780
Back to top

Low Vulnerabilities

Primary
Vendor -- Product
DescriptionPublishedCVSS ScoreSource & Patch Info
adobe -- coldfusionCross-site scripting (XSS) vulnerability in Adobe ColdFusion 9.0 before Update 12, 9.0.1 before Update 11, 9.0.2 before Update 6, and 10 before Update 12, when the CFIDE directory is available, allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors.2013-11-123.5CVE-2013-5326
ibm -- lotus_sametimeThe Enterprise Meeting Server in IBM Lotus Sametime 8.5.2 and 8.5.2.1 allows remote authenticated users to spoof the origin of shared links by leveraging meeting-attendance privileges.2013-11-083.5CVE-2013-0537
ibm -- lotus_sametimeThe Enterprise Meeting Server in IBM Lotus Sametime 8.5.2 and 8.5.2.1 allows remote authenticated users to spoof the origin of chat messages, or compose anonymous chat messages, by leveraging meeting-attendance privileges.2013-11-083.5CVE-2013-3044
ibm -- lotus_sametimeThe Enterprise Meeting Server in IBM Lotus Sametime 8.5.2 and 8.5.2.1 allows remote authenticated users to share crafted links via the Library function.2013-11-083.5CVE-2013-3045
ibm -- lotus_sametimeThe Enterprise Meeting Server in IBM Lotus Sametime 8.5.2 and 8.5.2.1 does not properly restrict application cookies, which allows remote attackers to read session variables by leveraging a weak setting of the Domain variable.2013-11-082.9CVE-2013-3985
ibm -- websphere_portalCross-site scripting (XSS) vulnerability in IBM WebSphere Portal 8.x before 8.0.0.1 CF8 allows remote authenticated users to inject arbitrary web script or HTML by leveraging incorrect IBM Connections integration.2013-11-133.5CVE-2013-5378
ibm -- websphere_portalCross-site scripting (XSS) vulnerability in IBM WebSphere Portal 7.x before 7.0.0.2 CF25 and 8.x before 8.0.0.1 CF8 allows remote authenticated users to inject arbitrary web script or HTML by leveraging improper tagging functionality.2013-11-133.5CVE-2013-5379
ibm -- security_appscanIBM Security AppScan Enterprise 5.6 through 8.7.0.1 allows remote authenticated users to read arbitrary report files by leveraging knowledge of filenames that cannot be easily predicted.2013-11-133.5CVE-2013-5453
samba -- sambaSamba 4.0.x before 4.0.11 and 4.1.x before 4.1.1, when LDAP or HTTP is provided over SSL, uses world-readable permissions for a private key, which allows local users to obtain sensitive information by reading the key file, as demonstrated by access to the local filesystem on an AD domain controller.2013-11-131.2CVE-2013-4476
Back to top


This product is provided subject to this Notification and this Privacy & Use policy.

Was this document helpful?  Yes  |  Somewhat  |  No

Back to Top