Spyware, viruses, & security forum: VULNERABILITIES \ FIXES - August 27, 2007

Sophos Anti-Virus UPX and BZIP Processing Denial of Service Vulnerabilities

Advisory ID : FrSIRT/ADV-2007-2972
CVE ID : GENERIC-MAP-NOMATCH
Rated as : Moderate Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-08-27
Technical Description

Two vulnerabilities have been identified in Sophos Anti-Virus products, which could be exploited by remote attackers or malware to cause a denial of service.

The first issue is caused by an error when processing malformed UPX files, which could be exploited by attackers to crash an affected application via a specially crafted file, creating a denial of service condition.

The second vulnerability is caused by an error when handling malformed BZIP archives, which could be exploited by attackers to cause a vulnerable gateway or endpoint to use up all of the available space on the disc volume used for Engine temporary files.

Affected Products

Sophos Anti-Virus engine versions prior to 2.48.0

Solution

Upgrade to virus engine version 2.48.0 :
http://www.sophos.com/support/updates/

References

http://www.frsirt.com/english/advisories/2007/2972
http://www.sophos.com/support/knowledgebase/article/28407.html

Credits

Vulnerabilities reported by Sergio shadown Alvarez (n.runs).

MapServer Buffer Overflow and Multiple Cross Site Scripting Vulnerabilities

Advisory ID : FrSIRT/ADV-2007-2974
CVE ID : GENERIC-MAP-NOMATCH
Rated as : Moderate Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-08-27
Technical Description

Multiple vulnerabilities have been identified in MapServer, which could be exploited by attackers to execute arbitrary scripting code, cause a denial of service, or potentially compromise an affected system.

The first issue is caused by input validation errors in the template processing code when processing and displaying user-supplied data, which could be exploited by attackers to cause arbitrary scripting code to be executed by the user's browser in the security context of an affected Web site.

The second vulnerability is caused by an unspecified buffer overflow error in the template processing code, which could be exploited by attackers to cause a denial of service or potentially execute arbitrary code.

Affected Products

MapServer version 4.10.2 and prior

Solution

Upgrade to MapServer version 4.10.3 :
http://mapserver.gis.umn.edu/download

References

http://www.frsirt.com/english/advisories/2007/2974
http://mapserver.gis.umn.edu/download/current/HISTORY.TXT/
http://trac.osgeo.org/mapserver/ticket/2256
http://trac.osgeo.org/mapserver/ticket/2252

Credits

Vulnerabilities reported by the vendor.

Alpha Centauri Software SIDVault Login Mechanism Buffer Overflow Vulnerability

Advisory ID : FrSIRT/ADV-2007-2976
CVE ID : GENERIC-MAP-NOMATCH
Rated as : Critical
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-08-27
Technical Description

A vulnerability has been identified in Alpha Centauri Software SIDVault, which could be exploited by remote attackers to cause a denial of service or take complete control of an affected system. This issue is caused by a buffer overflow error in the login mechanism when processing user-supplied requests, which could be exploited by remote unauthenticated attackers to crash an affected application or execute arbitrary code with elevated privileges.

Affected Products

Alpha Centauri Software SIDVault versions prior to 2.0f

Solution

Upgrade to Alpha Centauri Software SIDVault version 2.0f :
http://www.alphacentauri.co.nz/downloads.htm

References

http://www.frsirt.com/english/advisories/2007/2976

Credits

Vulnerability reported by Joxean Koret.

Asterisk IMAP Backend Storage for Voicemail Denial of Service Vulnerability

Advisory ID : FrSIRT/ADV-2007-2978
CVE ID : CVE-2007-4521
Rated as : Low Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-08-27
Technical Description

A vulnerability has been identified in Asterisk, which could be exploited by remote attackers to cause a denial of service. This issue is caused by an error when processing an email with a malformed MIME body while the application is configured to use IMAP as its backend storage for voicemail, which could be exploited by remote attackers to crash an affected application, leading to a denial of service condition.

Affected Products

Asterisk versions 1.4.5 through 1.4.11

Solution

Apply patch or upgrade to Asterisk version 1.4.12 :
http://svn.digium.com/view/asterisk?view=rev&rev=80750

References

http://www.frsirt.com/english/advisories/2007/2978
http://downloads.digium.com/pub/asa/AST-2007-021.pdf

Credits

Vulnerability reported by Kevin Stewart.

Fedora Security Update Fixes Bochs Floppy Disk Controller DoS Vulnerability

Advisory ID : FrSIRT/ADV-2007-2960
CVE ID : CVE-2007-2894
Rated as : Moderate Risk
Remotely Exploitable : No
Locally Exploitable : Yes
Release Date : 2007-08-27
Technical Description

A vulnerability has been identified in Fedora, which could be exploited by local attackers to cause a denial of service. This issue is caused by an error in Bochs. For additional information, see : FrSIRT/ADV-2007-1936

Affected Products

Fedora 7

Solution

Upgrade the affected packages

References

http://www.frsirt.com/english/advisories/2007/2960
https://www.redhat.com/archives/fedora-package-announce/2007-August/msg00362.html

Fedora Security Update Fixes pam_ssh "auth_via_key()" Security Bypass Issue

Advisory ID : FrSIRT/ADV-2007-2962
CVE ID : CVE-2007-0844
Rated as : Moderate Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-08-27
Technical Description

A vulnerability has been identified in Fedora, which could be exploited by attackers to bypass security restrictions. This issue is caused by an error in pam_ssh. For additional information, see : FrSIRT/ADV-2007-0524

Affected Products

Fedora 7

Solution

Upgrade the affected packages

References

http://www.frsirt.com/english/advisories/2007/2962
https://www.redhat.com/archives/fedora-package-announce/2007-August/msg00378.html

rPath Security Update Fixes Tar Archive Processing Directory Traversal Issue

Advisory ID : FrSIRT/ADV-2007-2964
CVE ID : CVE-2007-4131
Rated as : Low Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-08-27
Technical Description

A vulnerability has been identified in rPath, which could be exploited by attackers to bypass security restrictions. This issue is caused by an error in Tar. For additional information, see : FrSIRT/ADV-2007-2958

Affected Products

rPath Linux 1

Solution

Upgrade the affected packages :
tar=/conary.rpath.com at rpl:devel//1/1.15.1-7.2-1

References

http://www.frsirt.com/english/advisories/2007/2964
http://lists.rpath.com/pipermail/security-announce/2007-August/000231.html

Ubuntu Security Update Fixes Mozilla Thunderbird Code Execution Vulnerabilities

Advisory ID : FrSIRT/ADV-2007-2966
CVE ID : CVE-2007-3670 - CVE-2007-3734 - CVE-2007-3735 - CVE-2007-3844 - CVE-2007-3845
Rated as : Critical
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-08-27
Technical Description

Multiple vulnerabilities have been identified in Ubuntuproducts, which could be exploited by attackers to execute arbitrary code. These issues are caused by errors in Mozilla Thunderbird. For additional information, see : FrSIRT/ADV-2007-2564 - FrSIRT/ADV-2007-2667

Affected Products

Ubuntu 6.06 LTS
Ubuntu 6.10
Ubuntu 7.04

Solution

Ubuntu 6.06 LTS - Upgrade to mozilla-thunderbird 1.5.0.13-0ubuntu0.6.06
Ubuntu 6.10 - Upgrade to mozilla-thunderbird 1.5.0.13-0ubuntu0.6.10
Ubuntu 7.04 - Upgrade to mozilla-thunderbird 1.5.0.13-0ubuntu0.7.04

References

http://www.frsirt.com/english/advisories/2007/2966
http://www.ubuntu.com/usn/vulnerabilities

Avaya Products Apache Multi-Processing Module Denial of Service

Secunia Advisory: SA26611
Release Date: 2007-08-27


Critical:
Not critical
Impact: DoS

Where: Local system

Solution Status: Unpatched


OS: Avaya Converged Communications Server (CCS) 2.x
Avaya Converged Communications Server (CCS) 3.x
Avaya Intuity LX
Avaya Message Networking 2.x
Avaya Modular Messaging 2.x
Avaya Modular Messaging 3.x
Avaya SIP Enablement Services (SES) 3.x


Description:
Avaya has acknowledged a vulnerability in various Avaya products, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

For more information see vulnerability #2 in:
SA25827

The following products are affected:
* Avaya Communication Manager (CM 2.x, 3.x, 4.x)
* Avaya Intuity LX (all versions)
* Avaya EMMC (all versions)
* Avaya Messaging Storage Server (all versions)
* Avaya Message Networking (all versions)
* Avaya CCS/SES (SES 4.0 and earlier)
* Avaya AES (all versions)

Solution:
The vendor recommends that local and network access to the affected systems be restricted until an update is available.

Original Advisory:
http://support.avaya.com/elmodocs2/security/ASA-2007-363.htm

Other References:
SA25827:
http://secunia.com/advisories/25827/

TITLE:
PLANET VC-200M Denial of Service Vulnerability

SECUNIA ADVISORY ID:
SA26559

VERIFY ADVISORY:
http://secunia.com/advisories/26559/

CRITICAL:
Less critical

IMPACT:
DoS

WHERE:
From local network

OPERATING SYSTEM:
PLANET VC-200M VDSL2 Router
http://secunia.com/product/15502/

DESCRIPTION:
A vulnerability has been reported in the PLANET VC-200M VDSL2 router,
which can be exploited by malicious people to cause a DoS (Denial of
Service).

The vulnerability is caused due to an error in the handling of HTTP
requests within the built-in HTTP server and can be exploited to
disable the administration interface by sending an HTTP request
without an "Host:" field.

SOLUTION:
Use the device in a trusted network environment only.

PROVIDED AND/OR DISCOVERED BY:
Dmitry Zubov

ORIGINAL ADVISORY:
http://securityvulns.com/Rdocument847.html

TITLE:
ALPass "Import Site Information" Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA26616

VERIFY ADVISORY:
http://secunia.com/advisories/26616/

CRITICAL:
Moderately critical

IMPACT:
System access

WHERE:
From remote

SOFTWARE:
ALPass (Korean) 3.x
http://secunia.com/product/15495/
ALPass 2.x
http://secunia.com/product/15494/

DESCRIPTION:
Tan Chew Keong has reported some vulnerabilities in ALPass, which can
be exploited by malicious people to compromise a user's system.

1) A boundary error exists within the "Import Site Information"
feature when decrypting the file-key of an an ALPass DB File (APW)
file. This can be exploited to cause a stack-based buffer overflow by
e.g. tricking a user into importing information from a specially
crafted APW file.

Successful exploitation allows execution if arbitrary code.

2) A format-string error exists within the handling of path names
when importing information from an APW file. This can be exploited to
crash the application and may potentially allow the execution of
arbitrary code by e.g. tricking a user into importing information
from a specially crafted APW file.

3) An error exists within the handling of the size information of
encrypted records within an APW file. This can be exploited to cause
a heap-based buffer overflow by e.g. tricking a user into importing
information from a specially crafted APW file.

The vulnerabilities are reported in version 2.72 (English) and 3.02
(Korean).

SOLUTION:
Update to 2.74 (English).

Reportedly, an updated Korean version will be available soon.

PROVIDED AND/OR DISCOVERED BY:
Tan Chew Keong, vuln.sg

ORIGINAL ADVISORY:
http://vuln.sg/alpass27-en.html

TITLE:
Tikiwiki "username" Cross-Site Scripting

SECUNIA ADVISORY ID:
SA26618

VERIFY ADVISORY:
http://secunia.com/advisories/26618/

CRITICAL:
Less critical

IMPACT:
Cross Site Scripting

WHERE:
From remote

SOFTWARE:
Tikiwiki 1.x
http://secunia.com/product/3356/

DESCRIPTION:
A vulnerability has been discovered in Tikiwiki, which can be
exploited by malicious people to conduct cross-site scripting
attacks.

Input passed to the "username" parameter in tiki-remind_password.php
(when "remind" is set to "send me my password") is not properly
sanitised before being returned to the user. This can be exploited to
execute arbitrary HTML and script code (for example with meta
refreshes to a javascript: URL) in a user's browser session in
context of an affected site.

The vulnerability is confirmed in version 1.9.7 with the BasicEnabled
profile selected during installation. Other versions may also be
affected.

SOLUTION:
Edit the source code to ensure that input is properly sanitised.

PROVIDED AND/OR DISCOVERED BY:
morin.josh and an anonymous person

TITLE:
escafeWeb (Tuigwaa) Cross-Site Scripting Vulnerability

SECUNIA ADVISORY ID:
SA26577

VERIFY ADVISORY:
http://secunia.com/advisories/26577/

CRITICAL:
Less critical

IMPACT:
Cross Site Scripting

WHERE:
From remote

SOFTWARE:
escafeWeb (Tuigwaa) 1.x
http://secunia.com/product/15496/

DESCRIPTION:
A vulnerability has been reported in escafeWeb (Tuigwaa), which can
be exploited by malicious people to conduct cross-site scripting
attacks.

Input passed to unspecified parameters is not properly sanitised
before being returned to a user. This can be exploited to execute
arbitrary HTML and script code in a user's browser session in context
of an affected site.

The vulnerability is reported in versions prior to 1.0.5.

SOLUTION:
Update to version 1.0.5.

PROVIDED AND/OR DISCOVERED BY:
Fukumori

ORIGINAL ADVISORY:
escafeWeb:
http://www.escafe.org/main/Security

JVN:
http://jvn.jp/jp/JVN%2382276964/index.html

TITLE:
Mayaa Character Encoding Cross-Site Scripting Vulnerability

SECUNIA ADVISORY ID:
SA26597

VERIFY ADVISORY:
http://secunia.com/advisories/26597/

CRITICAL:
Less critical

IMPACT:
Cross Site Scripting

WHERE:
From remote

SOFTWARE:
Mayaa 1.x
http://secunia.com/product/15492/

DESCRIPTION:
A vulnerability has been reported in Mayaa, which can be exploited by
malicious people to conduct cross-site scripting attacks.

Input passed in certain character encodings (e.g. UTF-7) is not
properly sanitised before being returned to the user. This can be
exploited to execute arbitrary HTML and script code in a user's
browser session in context of an affected site.

The vulnerability is reported in versions prior to 1.1.12.

SOLUTION:
Update to version 1.1.12 or later.

PROVIDED AND/OR DISCOVERED BY:
Fukumori

ORIGINAL ADVISORY:
Seasar:
http://mayaa.seasar.org/news/vulnerability20070816.html

JVN:
http://jvn.jp/jp/JVN%2338199598/index.html