Spyware, viruses, & security forum: VULNERABILITIES / FIXES - August 31, 2012

Apache Struts Cross-Site Request Forgery and Denial of Service Vulnerabilities

Release Date : 2012-08-31

Criticality level : Moderately critical
Impact : Cross Site Scripting
DoS
Where : From remote
Solution Status : Vendor Patch

Software: Apache Struts 2.x

Description:
Two vulnerabilities have been reported in Apache Struts, which can be exploited by malicious people to conduct cross-site request forgery attacks and cause a DoS (Denial of Service).

1) An error within the token handling mechanism does not properly validate the token name configuration parameter, which can be exploited to conduct cross-site request forgery attacks by manipulating the token value parameter to the value of the session attribute.

2) An error when handling request parameters can be exploited to consume CPU resources and cause a DoS via a specially crafted parameter name containing an OGNL expression.

The vulnerabilities are reported in versions prior to 2.3.4.1.

Solution:
Update to version 2.3.4.1.

Provided and/or discovered by:1) The vendor credits James K. Williams
2) The vendor credits Johno Crawford

Original Advisory:
http://struts.apache.org/2.x/docs/s2-010.html
http://struts.apache.org/2.x/docs/s2-011.html

http://secunia.com/advisories/50420/

Release Date : 2012-08-31

Criticality level : Moderately critical
Impact : Cross Site Scripting
Exposure of sensitive information
System access
Where : From remote
Solution Status : Vendor Patch

Operating System: Debian GNU/Linux 6.0

Description:
Debian has issued an update for typo3-src. This fixes some vulnerabilities, which can be exploited by malicious users to conduct script insertion attacks, disclose sensitive information, and compromise a vulnerable system and by malicious people to conduct cross-site scripting attacks.

Solution:
Apply updated packages via the apt-get package manager.

Original Advisory:
DSA-2537-1:
http://www.us.debian.org/security/2012/dsa-2537

http://secunia.com/advisories/50455/

Release Date : 2012-08-31

Criticality level : Moderately critical
Impact : Cross Site Scripting
Where : From remote
Solution Status : Vendor Patch

Operating System: Debian GNU/Linux 6.0

Description:
Debian has issued an update for otrs2. This fixes a vulnerability, which can be exploited by malicious people to conduct script insertion attacks.

Solution:
Apply updated packages via the apt-get package manager.

Original Advisory:
DSA-2536-1:
http://www.debian.org/security/2012/dsa-2536

http://secunia.com/advisories/50454/

Release Date : 2012-08-31

Criticality level : Less critical
Impact : Privilege escalation
Where : Local system
Solution Status : Vendor Patch

Software: Magnum MNS-6K 14.x
Magnum MNS-6K 4.x

Description:
A security issue has been reported in Magnum MNS-6K, which can be exploited by malicious, local users to gain escalated privileges.

The security issue is caused due to the application using a hard-coded password, which may allow full administrative access to the system.

The security issue is reported in the following versions:
* Magnum MNS-6K version 4.1.14, and prior.
* Magnum MNS-6K version 14.1.14 SECURE and prior.

Solution:
Update to version 4.1.15 and 14.1.15.

Provided and/or discovered by:
ICS-CERT credits Justin W. Clarke, Cylance Inc.

Original Advisory:
GarretCom:
http://www.garrettcom.com/techsupport/6k_dl/6k14115a_rn.pdf

ICS-CERT:
http://www.us-cert.gov/control_systems/pdf/ICSA-12-243-01.pdf

http://secunia.com/advisories/50418/

Release Date : 2012-08-31

Criticality level : Moderately critical
Impact : Cross Site Scripting
Where : From remote
Solution Status : Vendor Patch

Software: OTRS (Open Ticket Request System) 2.x
OTRS Help Desk 3.x

Description:
A vulnerability has been reported in OTRS Help Desk, which can be exploited by malicious people to conduct script insertion attacks.

Input passed within HTML e-mail messages is not properly sanitised before being displayed to the user. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed.

Successful exploitation requires that the victim user is running Firefox or Opera.

The vulnerability is reported in versions prior to 2.4.14, 3.0.16, and 3.1.10.

Solution:
Update to version 2.4.14, 3.0.16, or 3.1.10.

Provided and/or discovered by:
Mike Eduard, Znuny via US-CERT

Original Advisory:
OTRS:
http://www.otrs.com/de/open-source/community-news/security-advisories/security-advisory-2012-02/

Znuny:
http://znuny.com/en/#!/advisory/ZSA-2012-02

US-CERT VU#511404
http://www.kb.cert.org/vuls/id/511404

http://secunia.com/advisories/50465/

Release Date : 2012-08-31

Criticality level : Moderately critical
Impact : System access
Where : From local network
Solution Status : Vendor Patch

Software: EMC NetWorker 7.x
EMC NetWorker 8.x

Description:
A vulnerability has been reported in EMC NetWorker, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to a format string error in librpc.dll within the nsrd RPC service when parsing RPC data. This can be exploited to corrupt memory via a specially crafted request sent to TCP port 9319.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is reported in versions prior to 7.6.4.1 and 8.0.0.1.

Solution:
Update to version 7.6.4.1 or 8.0.0.1.

Provided and/or discovered by:
Independently discovered by Aaron Portnoy, Exodus Intelligence and Luigi Auriemma.

Original Advisory:
Exodus Intelligence:
http://blog.exodusintel.com/2012/08/29/when-wrapping-it-up-goes-wrong/

EMC:
http://archives.neohapsis.com/archives/bugtraq/2012-08/att-0219/ESA-2012-038.txt

Luigi Auriemma:
http://aluigi.org/misc/aluigi0216_story.txt

http://secunia.com/advisories/50453/

Release Date : 2012-08-31

Criticality level : Moderately critical
Impact : Security Bypass
System access
Where : From remote
Solution Status : Vendor Patch

Software: Asterisk 1.x
Asterisk 10.x
Asterisk Business Edition 3.x

Description:
Two vulnerabilities have been reported in Asterisk, which can be exploited by malicious users to bypass certain security restrictions and compromise a vulnerable system.

1) An error within the Asterisk Manager Interface when handling "originate" actions does not properly restrict access and can be exploited to execute arbitrary shell commands via the "ExternalIVR" application action.

Successful exploitation of this vulnerability requires an attacker to have the ability to place calls.

2) An error when making IAX2 calls on behalf of a peer may result in certain ACL rules to be ignored for the call attempt.

Successful exploitation of this vulnerability requires an attacker to have credentials of a peer defined in a dynamic Asterisk Realtime Architecture (ARA) backend.

Please see the vendor's advisory for a list of affected versions.

Solution:
Apply patches (please see the vendor's advisory for details).

Provided and/or discovered by:
The vendor credits:
1) Zubair Ashraf, IBM X-Force Research.
2) Alan Frisch.

Original Advisory:
http://downloads.asterisk.org/pub/security/AST-2012-012.html
http://downloads.asterisk.org/pub/security/AST-2012-013.html

http://secunia.com/advisories/50456/

Release Date : 2012-08-31

Criticality level : Less critical
Impact : Cross Site Scripting
Manipulation of data
Exposure of system information
Exposure of sensitive information
Where : From local network
Solution Status : Vendor Patch

Software: SugarCRM 6.x

Description:
Brendan Coles has discovered a weakness and some vulnerabilities in SugarCRM, which can be exploited by malicious users to conduct script insertion attacks, disclose sensitive information, and conduct SQL injection attacks and by malicious people to disclose certain system information.

1) The application discloses the full installation path via the cache/include/externalAPI.cache.js file.

Successful exploitation requires the completion of the user wizard by any user.

2) Input passed via a file to index.php (when "module" is set to "Documents" and "action is set to "Save" or when when "module" is set to "Notes" and "action is set to "Save") is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site if malicious data is viewed.

3) The application discloses the password hashes of users via JSON queries to index.php (when "entryPoint" is set to "json_server").

4) Input passed via the "group" JSON parameter to index.php (when "entryPoint" is set to "json_server") is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The vulnerabilities are confirmed in version 6.5.2. Prior versions may also be affected.

Solution:
Update to version 6.5.3.

Provided and/or discovered by:
Brendan Coles, IT Security Solutions

Original Advisory:
http://itsecuritysolutions.org/2012-08-30-SugarCRM-Community-Edition-6.5.2-multiple-vulnerabilities/

http://secunia.com/advisories/50384/

Release Date : 2012-08-31

Criticality level : Less critical
Impact : Exposure of sensitive information
Where : From local network
Solution Status : Unpatched

Software: SugarCRM 6.x

Description:
Brendan Coles has discovered a weakness and a vulnerability, which can be exploited by malicious people to disclose sensitive information.

1) The application does not properly restrict access to certain functionality via the vcal_server.php script and can be exploited to enumerate user names or email addresses.

2) The application does not properly restrict access to certain functionality via the ical_server.php script and can be exploited to disclose potentially sensitive calendar information.

Successful exploitation requires that the "key" parameter for accessing the iCalendar is known (empty by default).

The weakness and the vulnerability are confirmed in version 6.5.4. Other versions may also be affected.

Solution:
No official solution is currently available.

Provided and/or discovered by:
Brendan Coles, IT Security Solutions

Original Advisory:
http://itsecuritysolutions.org/2012-08-30-SugarCRM-Community-Edition-6.5.2-multiple-vulnerabilities/

http://secunia.com/advisories/50388/

Release Date : 2012-08-31

Criticality level : Highly critical
Impact : Security Bypass
Cross Site Scripting
Exposure of system information
Exposure of sensitive information
Privilege escalation
DoS
System access
Where : From remote
Solution Status : Vendor Patch

Operating System: VMware ESX Server 4.x
VMware ESXi 4.x

Description:
VMware acknowledged multiple vulnerabilities in VMware ESX Server and VMware ESXi.

1) The application bundles a vulnerable version of the OpenSSL library.

This vulnerability is reported in ESXi version 4.1 and ESX version 4.1.

2) Some vulnerabilities exist in the Linux Kernel.

3) Some vulnerabilities exist in the bundled version of Perl.

4) An error exists in the bundled version of the XML2 library.

5) Some vulnerabilities exist in the bundled version of GNU C library

6) Some vulnerabilities exist in the bundled version of GNU TLS library.

7) Some vulnerabilities exist in the bundled version of the RPM packager.

The vulnerabilities are reported in ESX version 4.1.

Solution:
Apply updates (please see the vendor's advisory for details).

Original Advisory:
VMSA-2012-0013:
http://www.vmware.com/security/advisories/VMSA-2012-0013.html

http://secunia.com/advisories/50476/

Release Date : 2012-08-31

Criticality level : Moderately critical
Impact : Exposure of sensitive information
Security Bypass
Cross Site Scripting
Where : From remote
Solution Status : Vendor Patch

Software: MediaWiki 1.x

Description:
A weakness, two security issues and some vulnerabilities have been reported in MediaWiki, which can be exploited by malicious users to disclose potentially sensitive information and by malicious people to conduct cross-site scripting, script insertion, and cross-site request forgery attacks and bypass certain security restrictions.

1) Input passed via the comment of a "File:" tag to a non-existing file is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site if malicious data is viewed.

2) Input passed via the "uselang" parameter to index.php is not properly sanitised before being returned to the user via certain gadgets. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

3) The application allows users to perform certain actions HTTP requests without performing proper validity checks to verify the requests. This can be exploited to perform certain unspecified actions when a logged-in user visits a specially crafted web page.

4) An error when handling IP address blocking of the GlobalBlocking extension can be exploited to bypass the blocking mechanism and e.g. create an account from a blocked address.

5) The application stores user credentials used via external authentication plugins (e.g. LDAP extension) additionally in the local database and can potentially be exploited to bypass the strict function of an authentication plugin and log-in by using an old password.

6) An error when handling the blocking of users can be exploited to disclose the block reason via another block attempt.

Successful exploitation of this weakness requires administrative privileges.

The weakness, security issues, and vulnerabilities are reported in versions prior to 1.18.5 and prior to 1.19.2.

Solution:
Update to version 1.18.5 or 1.19.2 and apply the vendor workaround in case only external authentication is used (please see the vendor's advisory for details).

Provided and/or discovered by:
1) Writ Keeper in a MediaWiki bug report.
2) Fomafix in a MediaWiki bug report.
3, 4, 5, and 6) Reported by the vendor.

Original Advisory:
MediaWiki:
http://lists.wikimedia.org/pipermail/mediawiki-announce/2012-August/000119.html
https://www.mediawiki.org/wiki/Release_notes/1.18
https://www.mediawiki.org/wiki/Release_notes/1.19
https://bugzilla.wikimedia.org/show_bug.cgi?id=37587
https://bugzilla.wikimedia.org/show_bug.cgi?id=39180
https://bugzilla.wikimedia.org/show_bug.cgi?id=39184
https://bugzilla.wikimedia.org/show_bug.cgi?id=39700
https://bugzilla.wikimedia.org/show_bug.cgi?id=39823
https://bugzilla.wikimedia.org/show_bug.cgi?id=39824

http://secunia.com/advisories/50477/

Release Date : 2012-08-31

Criticality level : Not critical
Impact : Spoofing
Where : From remote
Solution Status : Vendor Workaround

Software: OpenStack Dashboard (Horizon) 2012.x

Description:
A weakness has been reported in OpenStack Dashboard (Horizon), which can be exploited by malicious people to conduct spoofing attacks.

Input passed via the "next" parameter to auth/login/ is not properly verified before being used to redirect users. This can be exploited to redirect a user to an arbitrary website e.g. when a user clicks a specially crafted link to the affected script hosted on a trusted domain.

The weakness is reported in version Essex (2012.1).

Solution:
Fixed in the GIT repository.

Provided and/or discovered by:
The vendor credits Thomas Biege, SUSE.

Original Advisory:
http://www.openwall.com/lists/oss-security/2012/08/30/4
https://bugs.launchpad.net/horizon/+bug/1039077

http://secunia.com/advisories/50480/