Spyware, viruses, & security forum: VULNERABILITIES / FIXES - December 04, 2012

Release Date: 2012-12-04

Criticality level : Less critical
Impact Privilege escalation
DoS
Where : Local system
Solution Status : Vendor Patch

Software: Xen 3.x
Xen 4.x

Description:
Multiple vulnerabilities have been reported in Xen, which can be exploited by malicious, local users in a guest virtual machine to cause a DoS (Denial of Service) and potentially gain escalated privileges.

1) An error when downgrading a grant table version of a guest can be exploited to cause a hypervisor crash.

2) An error when handling certain HVM control operations can be exploited to consume physical CPU resources.

3) An array-indexing error in the "HVMOP_set_mem_access" operation handler can be exploited to cause a crash.

4) An error in the "XENMEM_exchange" handler may result in guest provided addresses to be included in the hypervisor's reserved range.

5) An error in the "guest_physmap_mark_populate_on_demand()" function when checking subject GFNs can be exploited to cause a hang.

6) An error when handling "extent_order" values for "XENMEM_decrease_reservation", "XENMEM_populate_physmap", and "XENMEM_exchange" can be exploited to cause a hang.

7) An error in the "get_page_from_gfn()" function when handling an input GFN can be exploited to reference memory outside of the frame table.

Please see the vendor's advisory for a list of affected versions.

Solution:
Apply patches (please see the vendor's advisory for details).

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
Xen (XSA-26, XSA-27, XSA-28, XSA-29, XSA-30, XSA-31, XSA-32):
http://lists.xen.org/archives/html/xen-announce/2012-12/msg00000.html
http://seclists.org/oss-sec/2012/q4/401
http://lists.xen.org/archives/html/xen-announce/2012-12/msg00003.html
http://lists.xen.org/archives/html/xen-announce/2012-12/msg00004.html
http://lists.xen.org/archives/html/xen-announce/2012-12/msg00005.html
http://lists.xen.org/archives/html/xen-announce/2012-12/msg00001.html
http://lists.xen.org/archives/html/xen-announce/2012-12/msg00002.html

http://secunia.com/advisories/51397/

Release Date : 2012-12-04

Criticality level : Moderately critical
Impact : Exposure of sensitive information
DoS
System access
Where : From local network
Solution Status : Vendor Patch

Operating System : Debian GNU/Linux 6.0

Description:
Debian has issued an update for mysql-5.1. This fixes multiple vulnerabilities, which can be exploited by malicious, local users to disclose potentially sensitive information, by malicious users to cause a DoS (Denial of Service) and potentially execute arbitrary code, and by malicious people to potentially compromise a vulnerable system.

Solution:
Apply updated packages via the apt-get package manager.

Original Advisory:
DSA-2581-1:
http://lists.debian.org/debian-security-announce/2012/msg00225.html

http://secunia.com/advisories/51416/

ConcourseConnect Script Insertion and Cross-Site Request Forgery Vulnerabilities

Release Date : 2012-12-04

Criticality level : Moderately critical
Impact : Cross Site Scripting
Where : From remote
Solution Status: Vendor Patch

Software: ConcourseConnect 2.x
ConcourseConnect 4.x

Description:
Matthew Joyce has discovered multiple vulnerabilities in ConcourseConnect, which can be exploited by malicious people to conduct script insertion and cross-site request forgery attacks.

1) The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to e.g. to assign a user administrative privileges if a logged-in user visits a malicious web site.

2) Input passed via the "City" and "State/Province" fields when creating a user profile is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code when viewing a user profile, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed.

The vulnerabilities are confirmed in version 2.0.2. Other versions may also be affected.

Solution:
Update to the fixed version.

Provided and/or discovered by:
Matthew Joyce via Secunia.

Original Advisory:
SA-CORE-2012-001:
http://www.concursive.com/show/concourseconnect-support/wiki/SA-CORE-2012-001

http://secunia.com/advisories/51142/

Release Date : 2012-12-04

Criticality level : Not critical
Impact : Security Bypass
Where : From remote
Solution Status : Unpatched

Software: The Sleuth Kit 4.x

Description:
A weakness has been reported in The Sleuth Kit, which can be exploited by malicious people to hide certain data.

The weakness is caused due to an error within the FAT filesystem handling code when processing special file names and can be exploited to hide a file by renaming it to "." (dot-file).

The weakness is reported in version 4.0.1. Other versions may also be affected.

Solution:
No official solution is currently available.

Provided and/or discovered by:
Reported by Wim Bertels via a mailing list.

Original Advisory:
Wim Bertels:
http://sourceforge.net/mailarchive/forum.php?thread_name=1305739444.2355.35.camel%40zwerfkat&forum_name=sleuthkit-users

http://secunia.com/advisories/51399/