Spyware, viruses, & security forum: VULNERABILITIES / FIXES - February 15, 2013

Release Date: 2013-02-15

Criticality level : Highly critical
Impact : Cross Site Scripting
Manipulation of data
System access
Where : From remote
Solution Status : Unpatched

Software: OpenEMR 4.x

Description:
Multiple vulnerabilities have been discovered in OpenEMR, which can be exploited by malicious users to conduct SQL injection attacks and by malicious people to conduct cross-site scripting attacks and compromise a vulnerable system.

1) The library/openflashchart/php-ofc-library/ofc_upload_image.php script allows the upload of files with arbitrary extensions to a folder inside the webroot. This can be exploited to execute arbitrary PHP code by uploading a malicious PHP script.

2) Input passed via the "provider_id" and "pc_category" GET parameters to interface/main/calendar/index.php (when "module" is set to "PostCalendar" and "func" is set to "search") is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

3) Input passed via the "form_patient_id" GET parameter to interface/reports/chart_location_activity.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

4) Input passed via the "tplview", "pc_category", and "pc_topic" GET parameters to interface/main/calendar/index.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

5) Input passed via the "noteid" POST parameter (when "task" is set to "add") to interface/main/messages/messages.php is not properly sanitised before being returned to the user within an error message. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

6) Input passed via the "sortby", "sortorder", and "begin" GET parameters to interface/main/messages/messages.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

7) Input passed via the "sortby", "sortorder", and "begin" GET parameters to interface/main/messages/messages.php is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The vulnerabilities are confirmed in version 4.1.1. Other versions may also be affected.

Solution:
No official solution is currently available.

Provided and/or discovered by:
1) Gjoko Krstic, Zero Science Lab.
2, 3) Mehdi Boukazoula and Houssam Sahli.
4 - 7) Houssam Sahli.

Original Advisory:
ZSL-2013-5126:
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5126.php

Houssam Sahli:
http://packetstormsecurity.org/files/view/103810/openemr-xss.txt

http://secunia.com/advisories/52145/

Release Date : 2013-02-15

Criticality level: Less critical
Impact : Security Bypass
Exposure of sensitive information
Where: From remote
Solution Status: Vendor Patch

Operating System :
Ubuntu Linux 10.04
Ubuntu Linux 11.10
Ubuntu Linux 12.04

Description:
Ubuntu has issued an update for Qt. This fixes a weakness and a vulnerability, which can be exploited by malicious, local users to bypass certain security restrictions and by malicious people to disclose potentially sensitive information.

Solution:
Apply updated packages.

Original Advisory:
USN-1723-1:
http://www.ubuntu.com/usn/usn-1723-1/

http://secunia.com/advisories/52217/

ArcSight Connectors / Logger Information Disclosure and Command Injection Vulnerabilities

Release Date : 2013-02-15

Criticality level: Less critical
Impact : Exposure of sensitive information
Privilege escalation
System access
Where: From local network
Solution Status: Vendor Patch

Operating System : ArcSight Connectors 6.x
ArcSight Logger

Software: ArcSight Logger 5.x

Description:
Multiple Vulnerabilities have been reported in ArcSight Connectors and ArcSight Logger, which can be exploited by malicious, local users to gain escalated privileges, by malicious users to compromise a vulnerable system, and by malicious people to disclose potentially sensitive information.

1) An unspecified error can be exploited to inject and execute arbitrary commands. No further information is currently available.

2) An unspecified error can be exploited to disclose certain data. No further information is currently available.

3) An unspecified error can be exploited by local users to inject and execute arbitrary commands. No further information is currently available.

The vulnerabilities are reported in ArcSight Connectors versions 6.3 and prior and Arcsight Logger versions 5.2 and prior.

Solution:
Update to a patched version.

Provided and/or discovered by:
The vendor credits Chris Botelho of Errord Security, Shawn Asmus of Fishnet Security, and TEB Quantum Technology (Malaysia) Professional Security Service Team.

Original Advisory:
HPSBMU02836 SSRT101056:
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03606700

http://secunia.com/advisories/52229/

Release Date : 2013-02-15

Criticality level : Less critical
Impact : Cross Site Scripting
Solution Status : Vendor Patch

Software: Mahara 1.x

Description:
A vulnerability has been reported in Mahara, which can be exploited by malicious people to conduct cross-site scripting attacks.

The application bundles a vulnerable version of Flowplayer.

The vulnerability is reported in versions prior to 1.5.8 and 1.6.3.

Solution:
Update to version 1.5.8 or 1.6.3.

Provided and/or discovered by:
Wan Ikram

Original Advisory:
https://mahara.org/interaction/forum/topic.php?id=5237

http://secunia.com/advisories/52074/

Release Date: 2013-02-14

Criticality level : Highly critical
Impact : System access
Where : From remote
Solution Status: Vendor Patch

Software: nori gem for Ruby 2.x

Description:
A vulnerability has been reported in the nori gem for Ruby, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to an error when parsing XML parameters, which allows symbol and yaml types to be a part of the request and can be exploited to execute arbitrary commands.

The vulnerability is reported in version 2.0.2. Prior versions may also be affected.

Solution:
Update to version 2.0.3.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
https://github.com/savonrb/nori/blob/master/CHANGELOG.md

http://secunia.com/advisories/52193/

Symantec Encryption Desktop Two Privilege Escalation Vulnerabilities

Release Date : 2013-02-14

Criticality level: Less critical
Impact : Privilege escalation
Where : Local system
Solution Status : Vendor Patch

Software: Symantec Encryption Desktop (formerly PGP Desktop) 10.x

Description:
Two vulnerabilities have been reported in Symantec Encryption Desktop, which can be exploited by malicious, local users to gain escalated privileges.

1) An integer overflow error in pgpwded.sys can be exploited to gain escalated privileges.

2) An unspecified error in pgpwded.sys can be exploited to cause a buffer overflow.

NOTE: This vulnerability affects Microsoft Windows XP and Windows Server 2003 platforms only.

Successful exploitation of the vulnerabilities may allow execution of arbitrary code with escalated privileges.

The vulnerabilities are reported in PGP Desktop versions 10.0.x, 10.1.x, and 10.2.x and in Symantec Encryption Desktop version 10.3.0.

Solution:
Apply update.

Provided and/or discovered by:
The vendor credits Nikita Tarakanov.

Original Advisory:
SYM13-001:
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&suid=20130213_00

http://secunia.com/advisories/52219/

Apple iOS for iPhone Emergency Call Sleep Button "Passcode Lock" Bypass Weakness

Release Date: 2013-02-15

Criticality level: Not critical
Impact : Cross Site Scripting
Where : Local system
Solution Status : Unpatched

Operating System : Apple iOS 6.x for iPhone 3GS and later

Description:
A weakness has been discovered in Apple iOS for iPhone, which can be exploited by malicious people with physical access to the device to bypass certain security restrictions.

The weakness is caused due to an error when handling emergency calls when the sleep button is pressed, which can be exploited to bypass the "Passcode Lock" feature and e.g. disclose contact information or conduct phone calls.

The weakness is confirmed in version 6.1 running on iPhone 4 and reported in versions 6.0.1 and 6.0.2. Other versions may also be affected.

Solution:
No official solution is currently available. Reportedly the vendor is planning to release an update.

Provided and/or discovered by:
videosdebarraquito within a YouTube video.

http://secunia.com/advisories/52173/

Pacemaker Authentication Request Processing Denial of Service Vulnerability

Release Date: 2013-02-15

Criticality level: Less critical
Impact : DoS
Where : From local network
Solution Status : Vendor Workaround

Software: Pacemaker 1.x

Description:
A vulnerability has been reported in Pacemaker, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an error when processing remote connections and performing authentication and can be exploited to block the application indefinitely.

Successful exploitation requires remote Cluster Information Base (CIB) cluster's configuration and cluster's resources management to be enabled.

The vulnerability is reported in version 1.2. Other versions may also be affected.

Solution:
Fixed in the GIT repository.

Provided and/or discovered by:
David Vossel, Red Hat.

Original Advisory:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-0281

http://secunia.com/advisories/52171/

Linux Kernel "__skb_recv_datagram()" Denial of Service Vulnerability

Release Date: 2013-02-15

Criticality level: Less critical
Impact : DoS
Where : Local system
Solution Status : Vendor Workaround

Operating System:
Linux Kernel 3.4.x

Description:
A vulnerability has been reported in the Linux Kernel, which can be exploited by malicious, local users to cause a DoS (Denial of Service).

The vulnerability is caused due to an error within the "__skb_recv_datagram()" function (net/core/datagram.c) when handling packets with no payload, which can be exploited to trigger an infinite loop and render the system unusable.

The vulnerability is reported in version 3.4.31. Other versions may also be affected.

Solution:
Fixed in the GIT repository.

Provided and/or discovered by:
Disclosed in a GIT commit.

Original Advisory:
http://www.openwall.com/lists/oss-security/2013/02/14/7

http://secunia.com/advisories/52170/

Release Date : 2013-02-14

Criticality level : Moderately critical
Impact : System access
Where : From local network
Solution Status : Vendor Patch

Software: SAP NetWeaver 7.x

Description:
Core Security has reported two vulnerabilities in SAP NetWeaver, which can be exploited by malicious people to compromise a vulnerable system.

1) An array indexing error exists within the "_MsJ2EE_AddStatistics()" function in Message Server (msg_server.exe) and can be exploited to cause a memory corruption via a specially crafted request.

2) An error within the "WRITE_C()" function in msg_server.exe when handling packets with opcode 0x15 can be exploited to cause a memory corruption.

Successful exploitation of the vulnerabilities may allow execution of arbitrary code.

The vulnerabilities are reported in the following versions:
* SAP NetWeaver 7.01 SR1 (msg_server.exe version v7010.29.15.58313)
* SAP NetWeaver 7.02 SP06 (msg_server.exe version v7200.70.18.23869)
* SAP NetWeaver 7.30 SP04 (msg_server.exe version v7200.201.0.0)

Solution:
Apply SAP security note 1800603.

Provided and/or discovered by:
1) Martin Gallo and Francisco Falcon, Core Security
2) Martin Gallo, Core Security

Original Advisory:
SAP:
https://service.sap.com/sap/support/notes/1800603

Core Security:
www.coresecurity.com/content/SAP-netweaver-msg-srv-multiple-vulnerabilities

http://secunia.com/advisories/52215/

Red Hat update for JBoss Enterprise Application Platform and JBoss Enterprise Web Platform

Release Date : 2013-02-14

Criticality level : Less critical
Impact : Security Bypass
Where : From remote
Solution Status : Vendor Patch

Software:
JBoss Enterprise Application Platform 5.x
JBoss Enterprise Web Platform 5.x

Description:
Red Hat has issued an update for JBoss Enterprise Application Platform and JBoss Enterprise Web Platform. This fixes a security issue and a vulnerability, which can be exploited by malicious people to bypass certain security restrictions.

Solution:
Updated packages are available via Red Hat Network.

Original Advisory:
RHSA-2013:0256-1:
https://rhn.redhat.com/errata/RHSA-2013-0256.html

RHSA-2013:0257-1:
https://rhn.redhat.com/errata/RHSA-2013-0257.html

RHSA-2013:0258-1:
https://rhn.redhat.com/errata/RHSA-2013-0258.html

RHSA-2013:0259-1:
https://rhn.redhat.com/errata/RHSA-2013-0259.html

http://secunia.com/advisories/52183/

Release Date: 2013-02-15

Criticality level: Less critical
Impact : Spoofing
Where : From remote
Solution Status : Vendor Patch

Operating System :
openSUSE 12.1
openSUSE 12.2

Description:
SUSE has issued an update for gnome-online-accounts. This fixes a security issue, which can be exploited by malicious people to conduct spoofing attacks.

Solution:
Apply updated packages via the zypper package manager.

Original Advisory:
openSUSE-SU-2013:0301-1:
http://lists.opensuse.org/opensuse-updates/2013-02/msg00046.html

http://secunia.com/advisories/52198/