Spyware, viruses, & security forum: VULNERABILITIES / FIXES - February 22, 2013

Release Date : 2013-02-22

Criticality level : Less critical
Impact : DoS
Exposure of sensitive information
Where: From remote
Solution Status : Vendor Patch

Operating System :
Ubuntu Linux 10.04
Ubuntu Linux 11.10
Ubuntu Linux 12.04
Ubuntu Linux 8.04

Description:
Ubuntu has issued an update for openssl. This fixes multiple vulnerabilities, which can be exploited by malicious people to disclose potentially sensitive information and cause a DoS (Denial of Service) of the application using the library.

Solution:
Apply updated packages.

Original Advisory:
USN-1732-1:
http://www.ubuntu.com/usn/usn-1732-1

http://secunia.com/advisories/52352/

Release Date : 2013-02-22

Criticality level : Less critical
Impact : DoS
Where: From remote
Solution Status : Vendor Patch

Operating System :
Ubuntu Linux 11.10
Ubuntu Linux 12.04

Description:
Ubuntu has issued an update for nova. This fixes a vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service).

Solution:
Apply updated packages.

Original Advisory:
USN-1734-1:
http://www.ubuntu.com/usn/usn-1734-1

http://secunia.com/advisories/52338/

Release Date : 2013-02-22

Criticality level : Highly critical
Impact : System access
Where: From remote
Solution Status : Vendor Patch

Software:
Red Hat Enterprise Linux Desktop Supplementary (v. 6)
Red Hat Enterprise Linux Server Supplementary (v. 6)
Red Hat Enterprise Linux Workstation Supplementary (v. 6)
RHEL Desktop Supplementary (v. 5 client)
RHEL Supplementary (v. 5 server)

Description:
Red Hat has issued an update for acroread. This fixes two vulnerabilities, which can be exploited by malicious people to compromise a user's system.

Solution:
Updated packages are available via Red Hat Network.

Original Advisory:
RHSA-2013:0551-01:
https://rhn.redhat.com/errata/RHSA-2013-0551.html

http://secunia.com/advisories/52356/

Release Date : 2013-02-22

Criticality level : Highly critical
Impact : Exposure of sensitive information
Manipulation of data
System access
Where: From remote
Solution Status : Vendor Patch


Operating System :
Ubuntu Linux 10.04
Ubuntu Linux 11.10
Ubuntu Linux 12.04

Description:
Ubuntu has issued an update for openjdk-6. This fixes multiple vulnerabilities, which can be exploited by malicious people to disclose certain sensitive information, manipulate certain data, and compromise a user's system.

Solution:
Apply updated packages.

Original Advisory:
USN-1735-1:
http://www.ubuntu.com/usn/usn-1735-1

http://secunia.com/advisories/52355/

Release Date : 2013-02-22

Criticality level : Less critical
Impact : Cross Site Scripting
Where : From remote
Solution Status : Vendor Patch

Software: Geeklog 1.x

Description:
Two vulnerabilities have been discovered in geeklog, which can be exploited by malicious users to conduct script insertion attacks.

1) Input passed via the "Topic" or "Answer[][]" POST parameters to admin/plugins/polls/index.php is not properly sanitised before being stored and returned to the user. This can be exploited to insert arbitrary HTML and script code, which will execute in a user's browser session in context of an affected site when the malicious data is being viewed.

Successful exploitation of this vulnerability requires "Polls Admin" permissions.

2) Input passed via the "Topic" POST parameter to admin/topic.php is not properly sanitised before being stored and returned to the user. This can be exploited to insert arbitrary HTML and script code, which will execute in a user's browser session in context of an affected site when the malicious data is being viewed.

Successful exploitation of this vulnerability requires "Topic Admin" permissions.

The vulnerabilities are confirmed in version 1.8.2. Prior versions may also be affected.

Solution:
Update to version 1.8.2sr1.

Provided and/or discovered by:
The vendor credits Trustwave Spiderlabs.

Original Advisory:
Geeklog:
http://www.geeklog.net/article.php/geeklog-1.8.2sr1

http://secunia.com/advisories/52264/

Atlassian JIRA SOAP API Arbitrary File Overwrite Vulnerability

Release Date : 2013-02-22

Criticality level : Moderately critical
Impact : Manipulation of data
Where : From remote
Solution Status : Vendor Patch

Software: Atlassian JIRA 5.x

Description:
A vulnerability has been reported in Atlassian JIRA, which can be exploited by malicious users to manipulate certain data.

The vulnerability is caused due to an error within the SOAP API and can be exploited to e.g. overwrite arbitrary files and execute arbitrary JAVA code in the context of the JIRA server.

Successful exploitation requires the SOAP API to be enabled (disabled by default).

The vulnerability is reported in versions prior to 5.1.5.

Solution:
Upgrade to version 5.1.5 or later, or apply patches.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
Atlassian:
https://confluence.atlassian.com/display/JIRA/JIRA+Security+Advisory+2013-02-21

http://secunia.com/advisories/52341/

Release Date : 2013-02-22

Criticality level: Highly critical
Impact : Manipulation of data
DoS
Exposure of sensitive information
System access
Where: From remote
Solution Status : Vendor Patch

Operating System :
VMware ESX Server 3.x
VMware ESX Server 4.x
VMware ESXi 3.x
VMware ESXi 4.x
VMware ESXi 5.x

Software:
VMware vCenter Server 4.x
VMware vCenter Server 5.x
VMware VirtualCenter 2.x

Description:
VMware has acknowledged multiple vulnerabilities in multiple VMware products, which can be exploited by malicious people to disclose potentially sensitive information, manipulate certain data, cause a DoS (Denial of Service), and potentially compromise a vulnerable system.

1) An error in the handling of the NFC (Network File Copy) protocol can be exploited to corrupt memory.

Successful exploitation requires the ability to conduct a MitM (Man-in-the-Middle) attack against a vCenter Server or ESXi/ESX system and a client.

2) The products bundle a vulnerable version of OpenSSL.

3) The products bundle a vulnerable version of Oracle Java.

Please see the vendor's advisory for a list of affected products and versions.

Solution:
Apply patches (please see the vendor's advisory for details).

Provided and/or discovered by:
1) The vendor credits Alex Chapman, Context Information Security.

Original Advisory:
http://www.vmware.com/security/advisories/VMSA-2013-0003.html

http://secunia.com/advisories/52332/

SAP Xcelsius Dashboard Cross-Site Request Forgery Vulnerability

Release Date : 2013-02-22

Criticality level : Less critical
Impact : Cross Site Scripting
Where : From remote
Solution Status : Vendor Patch

Software: SAP Xcelsius Dashboard

Description:
ERPScan has reported a vulnerability in SAP Xcelsius Dashboard, which can be exploited by malicious people to conduct cross-site request forgery attacks.

The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain unspecified actions if a logged-in user visits a malicious web site.

Solution:
Apply SAP Note 1412864.

Provided and/or discovered by:
Alexey Tyurin, ERPScan

Original Advisory:
SAP:
https://service.sap.com/sap/support/notes/1412864

DSECRG-13-001:
http://erpscan.com/advisories/dsecrg-13-001-sap-xcelsius-insecure-crossdomain-policy/

http://secunia.com/advisories/52278/

Release Date : 2013-02-22

Criticality level : Moderately critical
Impact : Security Bypass
Cross Site Scripting
Exposure of sensitive information
System access
Where: From remote
Solution Status : Vendor Patch

Software: ownCloud 4.x

Description:
Multiple vulnerabilities have been reported in ownCloud, which can be exploited by malicious users to bypass certain security restrictions and compromise a vulnerable system and by malicious people to disclose potentially sensitive information and conduct cross-site scripting and request forgery attacks.

1) The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to e.g. change the LDAP authentication server or import a user account if a logged-in administrator visits a malicious web site.

2) Certain unspecified input passed via POST parameters to /core/ajax/translations.php is not properly sanitised before being used. This can be exploited to inject and execute arbitrary PHP code.

The vulnerabilities #1 and #2 are reported in versions prior to 4.0.12 and 4.5.7.

3) An error due to the application bundling the testing suite of Amazon SDK can be exploited to disclose certain sensitive information.

This vulnerability is reported in versions prior to 4.0.12.

4) Certain input when sharing an event via the calendar application is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed.

5) Input passed via the "dir" and "file" GET parameters to apps/files_pdfviewer/viewer.php is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed.

6) Input passed via the "mountpoint" POST parameter to apps/files_external/addMountPoint.php is not properly sanitised before being used. This can be exploited to insert arbitrary HTML and script code, which will be executed in a user's browser session in context of an affected site when the malicious data is being viewed.

Successful exploitation of this vulnerability requires the "files_external" app to be enabled (disabled by default).

7) Certain unspecified input passed via POST parameters to /core/settings.php is not properly sanitised before being used. This can be exploited to inject and execute arbitrary PHP code.

8) An error due to the application not properly restricting access to the calendar can be exploited to access the calender of other users.

The vulnerabilities #4 and #8 are reported in versions prior to 4.5.7.

Solution:
Update to version 4.0.12 or 4.5.7.

Provided and/or discovered by:
1-7) Reported by the vendor.
8) Romain Severin, Intrinsec.

Original Advisory:
oC-SA-2013-003:
http://owncloud.org/about/security/advisories/oC-SA-2013-003/

oC-SA-2013-004:
http://owncloud.org/about/security/advisories/oC-SA-2013-004/

oC-SA-2013-005:
http://owncloud.org/about/security/advisories/oC-SA-2013-005/

oC-SA-2013-006:
http://owncloud.org/about/security/advisories/oC-SA-2013-006/

oC-SA-2013-007:
http://owncloud.org/about/security/advisories/oC-SA-2013-007/

ISEC-V2013-01-v-1.0:
http://securite.intrinsec.com/wp-content/uploads/2013/02/ISEC-V2013-01-v-1.0-Owncloud-4.5.4-Arbitrary-calendar-export.pdf

http://secunia.com/advisories/52303/

Invensys Wonderware Intelligence Tableau Server Multiple Vulnerabilities

Release Date : 2013-02-22

Criticality level: Highly critical
Impact : System access
Where: From remote
Solution Status : Vendor Patch

Software: Invensys Wonderware Intelligence 2012

Description:
Two vulnerabilities have been reported in Invensys Wonderware Intelligence, which can be exploited by malicious people to compromise a vulnerable system.

The application bundles a vulnerable version of Tableau Server.

The vulnerabilities are reported in versions prior to 1.5 SP1.

Solution:
Update to version 1.5 SP1.

Original Advisory:
https://wonderwarepacwest.com/support/tech-news/security-release-tableau-713-intelligence-2012

ICSA-13-036-01:
http://ics-cert.us-cert.gov/pdf/ICSA-13-036-01A.pdf

http://secunia.com/advisories/52369/

Tableau Server Ruby on Rails XML Parameter Parsing Vulnerability

Release Date : 2013-02-22

Criticality level: Highly critical
Impact : System access
Where: From remote
Solution Status : Vendor Patch

Software: Tableau Server 6.x

Description:
A vulnerability has been reported in Tableau Server, which can be exploited by malicious people to compromise a vulnerable system.

The application bundles a vulnerable version of Ruby on Rails.

The vulnerability is reported in versions prior to 6.1.12.

Solution:
Update to version 6.1.12.

Original Advisory:
http://kb.tableausoftware.com/articles/knowledgebase/Ruby-on-Rails-Vulnerabililty

http://secunia.com/advisories/52367/

Release Date : 2013-02-22

Criticality level : Moderately critical
Impact : Manipulation of data
Exposure of sensitive information
DoS
Where: From remote
Solution Status : Vendor Patch

Software: Red Hat CloudForms

Description:
Red Hat has issued an update for Red Hat CloudForms. This fixes multiple security issues and vulnerabilities, which can be exploited by malicious, local users to manipulate certain data and disclose certain sensitive information, by malicious users to bypass certain security restrictions, and by malicious people to cause a DoS (Denial of Service).

1) The "aeolus-configserver-setup" script creates certain files within the "/tmp" directory with insecure world-readable permissions. This can be exploited to disclose authentication credentials.

2) The "katello-generate-passphrase" utility creates the "/etc/katello/secure/passphrase" file with insecure world-readable permissions. This can be exploited to disclose the passphrase for Katello.

3) The "katello-configure" utility generates a RPM file containing the pem file with embedded CA certificate with insecure world-readable and world-writable permissions. This can be exploited to install or remove software on Katello client systems via Man-in-the-Middle (MitM) attacks.

4) The Aeolus Configuration Server creates the "/var/log/aeolus-configserver/configserver.log" file with insecure world-readable permissions. This can be exploited to e.g. disclose administrative credentials for other services.

5) An error due to Conductor not properly restricting modifications of quota for number of instances can be exploited to manipulate the quota and e.g. monopolise resources.

Solution:
Updated packages are available via Red Hat Network.

Provided and/or discovered by:
The vendor credits:
1, 2) Aaron Weitekamp, Red Hat Cloud Quality Engineering team.
3) Dominic Cleal and James Laska, Red Hat.
4) James Laska, Red Hat.
5) Tomas Sedovic, Red Hat.

Original Advisory:
RHSA-2013:0545-01:
https://rhn.redhat.com/errata/RHSA-2013-0545.html

RHSA-2013:0547-01:
https://rhn.redhat.com/errata/RHSA-2013-0547.html

RHSA-2013:0548-01:
https://rhn.redhat.com/errata/RHSA-2013-0548.html

http://secunia.com/advisories/52359/

Release Date : 2013-02-22

Criticality level : Moderately critical
Impact : Security Bypass
Manipulation of data
Exposure of sensitive information
DoS
Where: From remote
Solution Status : Vendor Patch

Software: Red Hat Subscription Asset Manager 1.x

Description:
Red Hat has issued an update for Red Hat Subscription Asset Manager. This fixes a security issue and multiple vulnerabilities, which can be exploited by malicious users to disclose and manipulate certain data and by malicious people to conduct SQL injection attacks, bypass certain security restrictions, and cause a DoS (Denial of Service).

1) The security issue is caused due to an error in rubygem-ldap_fluff when handling "Active Directory" authentication and can be exploited to bypass the authentication.

Solution:
Updated packages are available via Red Hat Network.

Provided and/or discovered by:
1) The vendor credits Og Maciel, Red Hat.

Original Advisory:
RHSA-2013:0544-01:
https://rhn.redhat.com/errata/RHSA-2013-0544.html

http://secunia.com/advisories/52360/

Release Date : 2013-02-22

Criticality level : Less critical
Impact : Security Bypass
Where : From local network
Solution Status : Unpatched

Operating System :
RaidSonic ICY BOX NAS-4220-B
RaidSonic ICY BOX NAS-5220

Description:
Michael Messner has reported two security issues in Raidsonic ICY BOX NAS-4220-B and NAS-5220, which can be exploited by malicious people to bypass certain security restrictions.

1) An error when handling a HTTP request to nav.cgi (when "foldName" is set to "adm" and "localePreference" is set to "en") can be exploited to bypass the authentication.

2) The device does not properly restrict access to cgi/time/timeHandler.cgi, which can be exploited to conduct script insertion attacks and execute arbitrary shell commands.

The security issues are reported in firmware version 2.6.3.IB.1.RS.1 running on ICY BOX NAS-4220-B and in firmware version 2.6.3-20100206S running on ICY BOX NAS-5220.

Solution:
No official solution is currently available.

Provided and/or discovered by:
Michael Messner

Original Advisory:
http://www.s3cur1ty.de/m1adv2013-010

http://secunia.com/advisories/52216/