Spyware, viruses, & security forum: VULNERABILITIES / FIXES - March 17, 2011

Release Date : 2011-03-17

Criticality level : Moderately critical
Impact : DoS
Where : From remote
Solution Status : Vendor Patch

Software: Asterisk 1.x

Description:
Two vulnerabilities have been reported in Asterisk, which can be exploited by malicious people to cause a DoS (Denial of Service).

1) The Asterisk Manager Interface does not properly handle failed writes to manager clients, which can be exploited to cause a CPU and memory exhaustion by opening, sending invalid data, and closing multiple connections in a short period of time.

Successful exploitation requires that the manager interface is enabled (disabled by default).

2) A NULL pointer dereference error within the "handle_tcptls_connection()" function in main/tcptls.c can be exploited to cause a crash by opening multiple connections to services using the "ast_tcptls_*" API (e.g. chan_sip, manager, and res_phoneprov) in a short period of time.

The vulnerabilities are reported in Asterisk Open Source versions 1.6.1.x prior to 1.6.1.23, 1.6.2.x prior to 1.6.2.17.1, and 1.8.x prior to 1.8.3.1.

Solution:
Update to versions 1.6.1.23, 1.6.2.17.1, or 1.8.3.1 or apply patches.
Provided and/or discovered by:
The vendor credits:
1) Blake Cornell
2) Blake Cornell and Chris Maj

Original Advisory:
1) http://downloads.asterisk.org/pub/security/AST-2011-003.html
2) http://downloads.asterisk.org/pub/security/AST-2011-004.html

http://secunia.com/advisories/43722/

Release Date : 2011-03-17

Criticality level : Not critical
Impact : DoS
Where : Local system
Solution Status: Vendor Workaround

Software: Xen 3.x

Description:
A vulnerability has been reported in Xen, which can be exploited by malicious, local users in a guest virtual machine to cause a DoS (Denial of Service).

The vulnerability is caused due to an error within the "arch_set_info_guest()" function in xen/arch/x86/domain.c.

Solution:
Fixed in the Mercurial repository.

Provided and/or discovered by:
Reported in a SUSE bug by Jan Beulich.

Original Advisory:
SUSE Bug #679344:
https://bugzilla.novell.com/show_bug.cgi?id=679344

Xen commit:
http://xenbits.xen.org/hg/staging/xen-unstable.hg/rev/c79aae866ad8

http://secunia.com/advisories/43803/

Release Date : 2011-03-17

Criticality level : Less critical
Impact : Security Bypass
Privilege escalation
Where : Local system
Solution Status: Vendor Patch

Operating System: Debian GNU/Linux 6.0

Description:
Debian has issued an update for libcgroup. This fixes a weakness and a vulnerability, which can be exploited by malicious, local users to bypass certain security restrictions and gain escalated privileges.

Solution:
Apply updated packages via the apt-get package manager.

Original Advisory:
DSA-2193-1:
http://www.debian.org/security/2011/dsa-2193

http://secunia.com/advisories/43758/

Pointter PHP Content Management System Multiple Vulnerabilities

Release Date : 2011-03-17

Criticality level : Moderately critical
Impact : Cross Site Scripting
Manipulation of data
Where : From remote
Solution Status : Unpatched

Software: Pointter PHP Content Management System 1.x

Description:
Gjoko Krstic has discovered multiple vulnerabilities in Pointter PHP Content Management System, which can be exploited by malicious people to conduct script insertion and SQL injection attacks.

1) Input passed via the "category" parameter to admin/functions/createcategory.php is not properly sanitised before being displayed to the user. This can be exploited to insert HTML and script code, which will be executed in a user's browser session in context of the affected site when the malicious data is viewed.

2) Input passed via the "onoff", "pos", "count", "boxname", "tonoff", "tpos", "tname", "monoff", "mpos", "mname", "nonoff", "npos", "nname", "memonoff", "mempos", "memname", "searchonoff", "searchname", and "mail" parameters to admin/functions/editsettings.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation of this vulnerability requires that "magic_quotes_gpc" is disabled.

NOTE: Some issues, which can overwrite arbitrary files within the webroot and render the application unusable have also been reported.

The vulnerabilities are confirmed in version 1.2. Other versions may also be affected.

Solution:
Edit the source code to ensure that input is properly verified and sanitised.

Provided and/or discovered by:
Gjoko 'LiquidWorm' Krstic

Original Advisory:
Zero Science Lab:
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5002.php

http://secunia.com/advisories/43778/

OneBridge Mobile Groupware Server and DMZ Proxy Unspecified Vulnerability

Release Date : 2011-03-17

Criticality level : Moderately critical
Impact : Unknown
Where : From remote
Solution Status : Unpatched

Software: OneBridge Mobile Groupware 5.x

Description:
A vulnerability with an unknown impact has been reported in OneBridge Mobile Groupware.

The vulnerability is caused due to an unspecified error in the iMailGateway service within the OneBridge Server and DMZ Proxy. No further information is currently available.

The vulnerability is reported in versions 5.5.2008.0312, 5.6.2008.0312, and later.

Solution:
The vendor recommends to disable the iMailGateway service.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://www.sybase.com/detail?id=1092074

http://secunia.com/advisories/43781/

Release Date : 2011-03-17

Criticality level : Moderately critical
Impact : Unknown
Where : From remote
Solution Status : Vendor Patch

Software: IBM Lotus Quickr 8.x

Description:
A vulnerability with an unknown impact has been reported in IBM Lotus Quickr.

The vulnerability is caused due to an unspecified error. No further information is currently available.

The vulnerability is reported in IBM Lotus Quickr for Domino versions 8.1.

Solution:
Apply APAR LO58209 or update to version 8.1 Fix pack 27 (8.1.0.27).

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
IBM (LO58209):
http://www.ibm.com/support/docview.wss?uid=swg27013341

http://secunia.com/advisories/43689/

IBM AIX 'FC SCSI' Protocol Driver Denial of Service Vulnerability

Bugtraq ID: 45931
Class: Design Error
Remote: No
Local: Yes
Published: Jan 20 2011 12:00AM
Updated: Mar 17 2011 01:27PM

IBM AIX is prone to a denial-of-service vulnerability.

Exploits will cause the system to crash, denying service to legitimate users.

IBM AIX 6.1 and 7.1 are vulnerable; other versions may also be affected.

Solution:
Vendor updates are available.
http://www.securityfocus.com/bid/45931/references

http://www.securityfocus.com/bid/45931/discuss

WordPress SodaHead Polls Plugin Two Cross-Site Scripting Vulnerabilities

Release Date : 2011-03-17

Criticality level : Less critical
Impact : Cross Site Scripting
Where : From remote
Solution Status: Vendor Patch

Software: WordPress SodaHead Polls Plugin 2.x

Description:
High-Tech Bridge SA has reported two vulnerabilities in the SodaHead Polls plugin for WordPress, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed to the "customize" parameter in wp-content/plugins/sodahead-polls/poll.php and "poll_id" parameter in wp-content/plugins/sodahead-polls/customizer.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerabilities are reported in version 2.0.2. Other versions may also be affected.

Solution:
Update to version 2.0.4.

Provided and/or discovered by:
High-Tech Bridge SA

Original Advisory:
SodaHead Polls:
http://wordpress.org/extend/plugins/sodahead-polls/changelog/

High-Tech Bridge SA (HTB22893):
http://www.htbridge.ch/advisory/xss_in_sodahead_polls_wordpress_plugin.html

High-Tech Bridge SA (HTB22894):
http://www.htbridge.ch/advisory/xss_in_sodahead_polls_wordpress_plugin_1.html

http://secunia.com/advisories/43786/

Release Date : 2011-03-17

Criticality level : Not critical
Impact : Exposure of sensitive information
Where : From local network
Solution Status: Unpatched

Software: Microsiga Protheus 10.x
Microsiga Protheus 8.x

Description:
Flavio do Carmo Junior has reported a weakness in Microsiga Protheus, which can be exploited by malicious people to disclose sensitive information.

The authentication procedure returns different messages depending on the existence of the provided username. This can be exploited to enumerate valid usernames.

The weakness is reported in versions 8 and 10. Other versions may also be affected.

Solution:
Restrict access to trusted users only.

Provided and/or discovered by:
Flavio do Carmo Junior (waKKu), DcLabs Security Research Group

Original Advisory:
http://archives.neohapsis.com/archives/bugtraq/2011-03/0062.html

http://secunia.com/advisories/43654/

Progea Movicon "TCPUploadServer.exe" Unrestricted Access Vulnerability

VUPEN ID : VUPEN/ADV-2011-0690
CVE ID : GENERIC-MAP-NOMATCH
Rated as : Critical
Release Date : 2011-03-17

Technical Description:
A vulnerability has been identified in Progea Movicon, which could be exploited by remote attackers to cause a denial of service or compromise a vulnerable system. This issue is caused by an access validation error within the "TCPUploadServer.exe" component that does not restrict access to administrative functions available via port 10651/TCP, which could allow remote unauthenticated attackers to obtain sensitive information, delete arbitrary files, or execute a program with arbitrary arguments.

Affected Products:
Progea Movicon versions prior to 11.2 Build 1084

Solution :
Upgrade to the latest version :
http://support.progea.com/download/Mov11.2_Setup.zip

References:
http://www.us-cert.gov/control_systems/pdf/ICSA-11-056-01.pdf

http://www.vupen.com/english/advisories/2011/0690