Spyware, viruses, & security forum: VULNERABILITIES / FIXES - April 24, 2012

Release Date : 2012-04-24

Criticality level : Highly critical
Impact : System access
DoS
Where : From remote
Solution Status : Vendor Patch

Operating System: SUSE Linux Enterprise Server (SLES) 10

Description:
SUSE has issued an update for freetype2. This fixes some vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) or compromise an application using the library.

Solution:
Apply updated packages via the zypper package manager.

Original Advisory:
SUSE-SU-2012:0553-1:
http://lists.opensuse.org/opensuse-security-announce/2012-04/msg00020.html

http://secunia.com/advisories/48951/

NET-i viewer ActiveX Controls "ConnectDDNS()" Code Execution Vulnerabilities

Release Date : 2012-04-24

Criticality level : Highly critical
Impact : System access
Where : From remote
Solution Status : Unpatched

Software: NET-i viewer 1.x
STWConfig ActiveX Control 1.x
STWConfigNVR ActiveX Control 1.x

Description:
Luigi Auriemma has discovered two vulnerabilities in NET-i viewer, which can be exploited by malicious people to compromise a user's system.

The vulnerabilities are caused due to an error in the STWConfigNVR and STWConfig ActiveX controls when handling the "ConnectDDNS()" method. This can be exploited to perform a virtual function call into an arbitrary memory location.

Successful exploitation allows execution of arbitrary code.

The vulnerabilities are confirmed in version 1.37.120316 within the following ActiveX controls:
* STWConfigNVR ActiveX Control version 1.1.13.15.
* STWConfig ActiveX Control version 1.1.14.13.

Solution:
Set the kill-bit for the affected ActiveX controls.

Provided and/or discovered by:
Luigi Auriemma

Original Advisory:
http://aluigi.altervista.org/adv/netiware_1-adv.txt

http://secunia.com/advisories/48965/

Release Date : 2012-04-24

Criticality level : Moderately critical
Impact : Security Bypass
DoS
System access
Where : From remote
Solution Status : Vendor Patch

Software: Asterisk 1.x
Asterisk 10.x
Asterisk Business Edition 3.x

Description:
Multiple vulnerabilities have been reported in Asterisk and Asterisk Business Edition, which can be exploited by malicious users to cause a DoS (Denial of Service), bypass certain security restrictions, and compromise a vulnerable system.

1) An error within the Asterisk Manager Interface when handling "originate" actions in the MixMonitor application or the "GetVar" or "Status" manager actions with the "SHELL" and "EVAL" functions does not properly restrict access and can be exploited to execute arbitrary shell commands.

This vulnerability is reported in Asterisk versions 1.6.2.x prior to 1.6.2.24, 1.8.x prior to 1.8.11.1, and 10.x prior to 10.3.1 and Asterisk Business Edition versions 3.x prior to 3.7.4.

2) A boundary error within the Skinny channel driver when handling KEYPAD_BUTTON_MESSAGE events can be exploited to cause a heap-based buffer overflow via specially crafted KEYPAD_BUTTON_MESSAGE events.

Successful exploitation of this vulnerability may allow execution of code.

This vulnerability is reported in Asterisk versions 1.6.2.x prior to 1.6.2.24, 1.8.x prior to 1.8.11.1, and 10.x prior to 10.3.1.

3) An error within the SIP channel driver can be exploited to cause a crash via specially crafted SIP UPDATE requests.

Successful exploitation of this vulnerability requires that the "trustrpid" setting is set to "True".

This vulnerability is reported in Asterisk versions 1.8.x prior to 1.8.11.1 and 10.x prior to 10.3.1 and Asterisk Business Edition versions 3.x prior to 3.7.4.

Solution:
Update to a fixed version.

Provided and/or discovered by:
The vendor credits:
1) David Woolley.
2) Russell Bryant.
3) Thomas Arimont.

Original Advisory:
http://downloads.asterisk.org/pub/security/AST-2012-004.html
http://downloads.asterisk.org/pub/security/AST-2012-005.html
http://downloads.asterisk.org/pub/security/AST-2012-006.html

http://secunia.com/advisories/48891/

Release Date : 2012-04-24

Criticality level : Less critical
Impact : Cross Site Scripting
Where : From remote
Solution Status : Unpatched

Software: Exponent CMS 2.x

Description:
Mavituna Security has discovered a vulnerability in Exponent CMS, which can be exploited by malicious people to conduct cross-site scripting attacks.

Input passed via the "src" parameter to index.php (when "controller" is set to "expTag" and "action" is set to "show") is not properly sanitised framework/modules/core/views/expTag/show.tpl before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

The vulnerability is confirmed in version 2.0.6. Prior versions may also be affected.

Solution:
Edit the source code to ensure that input is properly sanitised.

Provided and/or discovered by:
Onur Yilmaz, Mavituna Security.

Original Advisory:
Mavituna Security:
http://www.mavitunasecurity.com/blog/xss-and-blind-sql-injection-vulnerabilities-in-exponentcms/

http://secunia.com/advisories/48911/

Liferay Portal "addUser" Method Security Bypass Vulnerability

Release Date : 2012-04-24

Criticality level : Moderately critical
Impact : Security Bypass
Where : From remote
Solution Status : Unpatched

Software: Liferay Portal 6.x

Description:
Jelmer Kuperus has discovered a vulnerability in Liferay Portal, which can be exploited by malicious people to bypass certain security restrictions.

The vulnerability is caused due to the "addUser" method in UserServiceUtil class accepting the "roleId" parameter while registering a new user, which can be exploited to register a new user with administrative privileges.

The vulnerability is confirmed in version 6.1 GA 1. Other versions may also be affected.

Solution:
Restrict access to the add-user service to trusted hosts only.

Provided and/or discovered by:
Jelmer Kuperus

Original Advisory:
http://archives.neohapsis.com/archives/bugtraq/2012-04/0152.html

http://secunia.com/advisories/43687/

Release Date : 2012-04-24

Criticality level : Highly critical
Impact : System access
DoS
Where : From remote
Solution Status : Vendor Patch

Operating System: Red Hat Enterprise Linux Desktop 6
Red Hat Enterprise Linux Server 6
Red Hat Enterprise Linux Workstation 6

Description:
Red Hat has issued an update for wireshark. This fixes multiple vulnerabilities, which can be exploited by malicious people to cause a DoS (Denial of Service) and compromise a user's system.

Solution:
Updated packages are available via Red Hat Network.

Original Advisory:
RHSA-2012:0509-01:
https://rhn.redhat.com/errata/RHSA-2012-0509.html

http://secunia.com/advisories/48947/

Release Date : 2012-04-24

Criticality level : Less critical
Impact : System access
Where : From local network
Solution Status : Vendor Patch

Software: SUSE Manager 1.x

Description:
SUSE has issued an update for SUSE Manager. This fixes a vulnerability, which can be exploited by malicious users to compromise a vulnerable system.

Solution:
Apply updated packages via the zypper package manager.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
SUSE-SU-2012:0552-1:
http://lists.opensuse.org/opensuse-security-announce/2012-04/msg00019.html

http://secunia.com/advisories/48953/

Release Date : 2012-04-24

Criticality level : Less critical
Impact : Exposure of sensitive information
Where : From remote
Solution Status : Vendor Patch

Software: WebCalendar 1.x

Description:
Egidio Romano has discovered a vulnerability in WebCalendar, which can be exploited by malicious users to disclose sensitive information.

Input passed via the "pref_THEME" parameter to pref.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local resources via directory traversal attacks and URL-encoded NULL bytes.

Successful exploitation requires that "magic_quotes_gpc" is disabled.

The vulnerability is confirmed in version 1.2.4. Prior versions may also be affected.

Solution:
Update to version 1.2.5.

Provided and/or discovered by:
Egidio Romano.

Original Advisory:
WebCalendar:
http://webcalendar.cvs.sourceforge.net/viewvc/webcalendar/webcalendar/ChangeLog?pathrev=REL_1_2

Egidio Romano:
http://archives.neohapsis.com/archives/bugtraq/2012-04/0182.html

http://secunia.com/advisories/48906/

Release Date : 2012-04-24

Criticality level : Moderately critical
Impact : Unknown
Where : From remote
Solution Status : Vendor Patch

Software: MAPI 1.x (plugin for vBulletin)
vBulletin 4.x

Description:
A vulnerability with an unknown impact has been reported in vBulletin Suite, vBulletin Forum, and the MAPI plugin for vBulletin.

The vulnerability is caused due to an error within the MAPI functionality. No further information is currently available.

The vulnerability is reported in the following products and versions:
* vBulletin Suite versions 4.1.2 through 4.1.12.
* vBulletin Forum versions 4.1.2 through 4.1.12.
* vBulletin 3.x MAPI plugin prior to 1.4.3.

Solution:
Apply patch or update (please see the vendor's advisories for details).

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
vBulletin Suite and Forum:
https://www.vbulletin.com/forum/showthread.php/400165-vBulletin-Security-Patch-for-vBulletin-4-1-12-for-Suite-amp-Forum-04-23-2012
https://www.vbulletin.com/forum/showthread.php/400164-vBulletin-Security-Patch-for-vBulletin-4-1-2-4-1-11-for-Suite-amp-Forum-04-23-2012

vBulletin 3.x MAPI Plugin:
https://www.vbulletin.com/forum/showthread.php/400162-vBulletin-3-x-MAPI-Plugin-1-4-3-released-with-security-patch-04-23-2012

http://secunia.com/advisories/48917/