
@RISK: The Consensus Security Vulnerability Alert

Volume: III, Issue: 38
September 27, 2004

Last week's Windows Office JPEG vulnerability is now being exploited (see Number 2 below). If you haven't repaired your systems, do so soon.

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                    # of Updates & Vulnerabilities
    Windows                     0 (#1, #2)
    Third Party Windows Apps    6 (#4)
    Linux                       1
    BSD                         1
    Unix                        3 (#5)
    Cross Platform              7
    Web Application             9 (#6)
    Network Device              2
    Hardware                    2 (#3)

**************** Sponsored This Week by Radware *************************

Radware Intrusion Prevention Switch protects against worms, viruses, malicious intrusions, Denial of Service attacks and Trojans - securing networked applications at 3-Gbps. Featuring inline security switching and accelerated, stateful and deep-packet inspection, DefensePro isolates attacks and dynamically moderates bandwidth to stop propagation across the network.

http://www.radware.com/content/products/dp/whtpaper/_download-20040204b/form.asp

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Third Party Windows Apps
Linux
BSD
Unix
Cross Platform
Web Application
Network Device
Hardware

************************** SPONSORED LINKS ******************************

Privacy notice: Sponsored links redirect to non-SANS web pages.

Online threat worries? Download white papers on McAfee(r) intrusion prevention solutions now. http://www.sans.org/info.php?id=596

********************** Security Training Update *************************

Featured Training program of the Week: SANS Cyber Defense Initiative CDI is in two parts: CDI South in New Orleans November 1-4 ( http://www.sans.org/cdisouth04) and CDI East in Washington, DC, December 7-14 ( http://www.sans.org/cdieast04)

New Orleans offers a whole new type of program that many people have asked us to provide: 18 one- and two-day courses on issues shaping the future of information security, from the newest hacker tools to changes in legal issues surrounding security. Perfect for people who have taken SANS courses and want updates, and for people who just don't have time to attend a full class. On the other hand, Washington offers 13 full-length immersion courses and a few short courses.

**************************************************************************

PART I Critical Vulnerabilities

Part I is compiled by the security team at TippingPoint (www.tippingpoint.com) as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) LOW: Windows XP SP2 Firewall Configuration Error
  • Affected:
    • Windows XP SP2
  • Description: Under certain conditions, the firewall configuration of a Windows XP system after the XP SP2 upgrade contains a flaw. The flaw may be exploited by any remote attacker to access the shared folders and printers on the system. An attacker can also leverage the flaw to launch a brute-force password-guessing attack against the "Administrator" account, which may result in a complete compromise of the system. The flaw affects a number of broadband users who rely on the Windows firewall feature to keep hackers at bay.

  • Status: Microsoft has not confirmed the flaw. Please refer to the posted advisories for the steps to correct the firewall configuration. A workaround for the enterprises is to block ports 139 and 445 at the network perimeter.

  • Council Site Actions: Most of the sites are either testing SP2 or have not yet rolled it out. One site is blocking and monitoring ports 139 and 445. Another site is waiting for confirmation from Microsoft before deciding what action to take. They have notified the Windows administrators. The final site has approximately 7,000 XP SP2 machines. They said that the Windows Firewall special cases for ports 137, 138, 139, and 445 are not well suited to their site, although not for the same reasons that are stated in the PC.Welt article. They plan to advise their system owners to turn off file and printer sharing when not required.

  • References:
  • (2) UPDATE: Microsoft JPEG Image Processing Overflow (MS04-028)
  • Description: Multiple exploits and a toolkit (posted on the th-research mailing list) that create specially crafted JPEG files are now available. Viewing such JPEG files using Internet Explorer, Outlook, Word etc., results in the execution of arbitrary code. Some security analysts predict the outbreak of an email virus exploiting the JPEG vulnerability by the end of this month.

  • Council Site Actions: All of the council sites have either patched the systems, are in the process of patching the systems (or testing the patches) or plan to patch in the near future. In addition, one site is working with their network staff to enable appropriate IPS-like filters at the network perimeter. Another site reported they were hit with this attack and have taken steps to block it (details not provided).

  • References:
Other Software
  • (3) CRITICAL: Symantec Firewall/VPN Default SNMP Community String
  • Affected:
    • Symantec Firewall/VPN Appliance 100, 200/200R (firmware builds prior to build 1.63)
    • Symantec Gateway Security 320, 360/360R (firmware builds prior to build 622)
  • Description: The Symantec Firewall/VPN and the Gateway Security appliances are designed to protect small business networks. These appliances use "public" as the default read/write community string for the SNMP service. In addition, the appliances do not perform sufficient checks on UDP packets with the source port set to 53, i.e. packets that look like DNS responses. An attacker can exploit these flaws in tandem via specially crafted SNMP "GET" or "SET" requests with a source port of 53. Such crafted requests may permit the attacker to make arbitrary changes to the firewall configuration, thereby putting the entire network protected by the firewall at risk. Note that the firewall administrator can neither disable the SNMP service nor change the default SNMP community string.

  • Status: Symantec confirmed. Firmware updates are available for all the affected products. The updates also fix a denial of service attack vulnerability that can be triggered by performing a UDP scan on the firewall appliances.

  • Council Site Actions: The affected software is not in production or widespread use at any of the council sites. They reported that no action was necessary.

  • References:
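Because the affected appliances cannot have SNMP disabled or the community string changed, the practical defence is at the perimeter and in monitoring. The following is an added example, not code from SANS, TippingPoint or Symantec: it runs simple detection logic over a few constructed packet-summary lines (the line format is invented for this example, not any vendor's real log format) and flags the two conditions the item describes, SNMP requests arriving with UDP source port 53 and use of a well-known default community string.

```python
"""
Flag the pattern described for the Symantec appliances: SNMP traffic
(UDP/161 or 162) whose UDP source port is 53, which the device treated as
a DNS reply, together with any use of a default community string.

Added example for this newsletter item.  The packet-summary format below
is constructed for illustration and is not a real device or tool format.
"""
import re
from dataclasses import dataclass

# Constructed sample of perimeter packet-summary lines (hypothetical format).
SAMPLE_LOG = """\
2004-09-22 10:01:03 ALLOW UDP 192.0.2.10:53 -> 198.51.100.1:161 community=public
2004-09-22 10:01:04 ALLOW UDP 192.0.2.10:53 -> 198.51.100.1:161 community=public
2004-09-22 10:02:17 ALLOW UDP 198.51.100.7:1025 -> 198.51.100.53:53
2004-09-22 10:03:40 ALLOW UDP 192.0.2.44:40123 -> 198.51.100.1:161 community=s3cret-ro
2004-09-22 10:04:02 DENY  UDP 192.0.2.99:53 -> 198.51.100.1:161 community=public
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<action>ALLOW|DENY)\s+UDP\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
    r"(?:\s+community=(?P<community>\S+))?\s*$"
)

# Community strings that ship as defaults on many devices ("public" is the
# one named in the advisory; "private" is the usual read/write default).
DEFAULT_COMMUNITIES = {"public", "private"}
SNMP_PORTS = {161, 162}


@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    reasons: tuple


def parse_line(line):
    """Parse one summary line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def analyze(log_text):
    """Return a Finding for every ALLOWed packet that matches the pattern.
    DENY lines are skipped: the perimeter already stopped them."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "ALLOW":
            continue
        reasons = []
        if rec["dport"] in SNMP_PORTS and rec["sport"] == 53:
            reasons.append("snmp-from-source-port-53")
        if rec["community"] in DEFAULT_COMMUNITIES:
            reasons.append("default-community")
        if reasons:
            findings.append(Finding(rec["ts"], rec["src"], rec["dst"], tuple(reasons)))
    return findings


def summarize(findings):
    """Count findings per source address for a quick triage view."""
    counts = {}
    for f in findings:
        counts[f.src] = counts.get(f.src, 0) + 1
    return counts


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f.ts, f.src, "->", f.dst, ", ".join(f.reasons))
    print(summarize(analyze(SAMPLE_LOG)))
```

On the constructed sample the two allowed requests from 192.0.2.10 are flagged for both reasons; the legitimate DNS query and the non-default-community poll are not. A rule like the first check maps directly onto a perimeter filter: inbound UDP to 161/162 with source port 53 has no legitimate reason to exist and can be dropped outright, which is the same idea as the IPS-like filters mentioned under the council site actions.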
Patches
  • (6) MODERATE: HP Web Jetadmin Multiple Vulnerabilities
  • Council Site Actions: Three of the reporting council sites are responding to this item. One site is currently testing the patch compatibility. The second site plans to let attrition deal with the problem since they don't have the Jetadmin port exposed to the Internet. The third site has a small number of machines that are directly exposed to the Internet. They will recommend Web Jetadmin version 7.6 on the affected hosts.

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 38, 2004

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 3729 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 04.38.1 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Lords of the Realm III Nickname Denial of Service
  • Description: Lords of the Realm III is a windows-based game. It is reported to be vulnerable to a denial of service issue due to improper handling of "nicknames" of excessive length.
  • Ref: http://aluigi.altervista.org/adv/lotr3boom-adv.txt

  • 04.38.2 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: EmuLive Server4 Authentication Bypass and Denial of Service
  • Description: EmuLive Server4 is a web and media-streaming server. It is reported to be vulnerable to an authentication bypass and denial of service issues. These problems exist due to improper access validation and failure to handle exceptional conditions.
  • Ref: http://www.securityfocus.com/archive/1/375842

  • 04.38.3 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Pop Messenger Illegal Character Denial of Service
  • Description: LeadMind Pop Messenger is an instant messenger application. Pop Messenger is vulnerable to a remote denial of service due to a failure to handle certain characters that are received. After 15 errors, the software will crash. Pop Messenger versions 1.60 and earlier are known to be vulnerable.
  • Ref: http://aluigi.altervista.org/adv/popmsgboom-adv.txt

  • 04.38.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: ActivePost Messenger Multiple Remote Vulnerabilities
  • Description: ActivePost Messenger is an instant messenger suite that includes a server and a client. ActivePost Messenger is affected by multiple remote vulnerabilities. These issues are due to a failure of the application to validate user-supplied input, a failure of the application to handle exceptional conditions, and a design error that fails to properly secure forum passwords. ActivePost Standard 3.x and earlier are affected.
  • Ref: http://aluigi.altervista.org/adv/actp-adv.txt

  • 04.38.5 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Google Toolbar About.HTML HTML Injection
  • Description: Google Toolbar is reported to be vulnerable to an HTML injection issue. The issue exists in the "ABOUT.HTML" page, which allows the injection of HTML and JavaScript code. This vulnerability is reported to affect Google Toolbar version 2.0.114.1; other versions might also be affected.
  • Ref: http://www.securityfocus.com/archive/1/375538

  • 04.38.6 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: DNS4Me Denial of Service and Cross-Site Scripting
  • Description: DNS4Me allows users to run servers without the requirement of having static IP addresses. The first vulnerability presents itself when the built-in web server receives a large amount of data resulting in consuming all CPU resources. The second vulnerability is due to a failure of the application to properly sanitize user-supplied URI input exposing itself to a cross-site scripting type of attack. DNS4Me versions 3.0.0.4 and earlier are affected.
  • Ref: http://www.gulftech.org/?node=research&article_id=00049-09162004

  • 04.38.7 - CVE: CAN-2004-0750
  • Platform: Linux
  • Title: Red Hat redhat-config-nfs Exported Shares Configuration Vulnerability
  • Description: The Red Hat redhat-config-nfs is a graphical user interface for creating, modifying, and deleting network file system (NFS) shares. There is an issue in redhat-config-nfs that could lead to incorrect permissions on exported shares when exporting to multiple hosts. This could cause an option such as "all_squash" to not be applied to all of the listed hosts. Red Hat released the security advisory RHSA-2004:434-06 to fix this issue.
  • Ref: http://rhn.redhat.com/errata/RHSA-2004-434.html

  • 04.38.8 - CVE: Not Available
  • Platform: BSD
  • Title: OpenBSD Radius Authentication Bypass Vulnerability
  • Description: OpenBSD is reportedly vulnerable to an authentication bypass issue when using Radius authentication. This issue can be leveraged by spoofing traffic on a vulnerable network and carrying out a man-in-the-middle attack to gain unauthorized access to an OpenBSD host. This was reported for OpenBSD versions 3.2 and 3.5.
  • Ref: http://www.reseau.nl/advisories/0400-openbsd-radius.txt

  • 04.38.9 - CVE: Not Available
  • Platform: Unix
  • Title: Jabber Studio JabberD Remote Denial of Service
  • Description: The "jabberd" instant messaging daemon is reportedly vulnerable to a remote denial of service issue. The application fails to handle malformed network messages properly and crashes, denying service to legitimate users. All current versions are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/375955

  • 04.38.10 - CVE: Not Available
  • Platform: Unix
  • Title: Xine-lib DVD Subpicture Decoder Heap Overflow
  • Description: Xine is a multimedia player designed for Unix/Linux variants. Xine-lib is a C library that may be used to develop other applications. It is reported to be vulnerable to a buffer overflow in the DVD subpicture component. The issue exists due to improper sanitization of MPEG data. The issue has been fixed in xine 1-rc6a and xine-lib 1-rc6a.
  • Ref: http://www.securityfocus.com/archive/1/375482

  • 04.38.11 - CVE: Not Available
  • Platform: Unix
  • Title: FreeRADIUS Access-Request Denial of Service
  • Description: FreeRADIUS is an implementation of the RADIUS protocol. Insufficient sanitization of the "Tunnel-Password" attribute in the "Access-Request" packet causes the server to crash. FreeRADIUS versions 1.0 and earlier are affected.
  • Ref: http://www.gentoo.org/security/en/glsa/glsa-200409-29.xml

  • 04.38.12 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Symantec ON Command CCM Default Password
  • Description: Symantec ON Command is a software package designed to facilitate central management of network-based computers. Four default username/password pairs are present in the Sybase database backend used by ON Command CCM 5.x servers. CCM versions 5.x are known to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/375760

  • 04.38.13 - CVE: Not Available
  • Platform: Cross Platform
  • Title: LaTeX2rtf Buffer Overflow
  • Description: LaTeX2rtf is a translator program designed to translate LaTeX source files to RTF formatted files. Insufficient boundary checks of the buffer passed to the "strcpy()" function in the "expandmacro()" routine expose a buffer overflow issue. LaTeX2rtf version 1.9.15 is affected.
  • Ref: http://www.securitytracker.com/alerts/2004/Sep/1011367.html

  • 04.38.14 - CVE: CAN-2004-0746, CAN-2004-0866, CAN-2004-0867
  • Platform: Cross Platform
  • Title: Multiple Browser Cross-Domain Cookie Injection Vulnerabilities
  • Description: Web browsers from multiple vendors are reportedly vulnerable to a cross-domain cookie injection issue. Malicious web sites could use this to hijack arbitrary web browser sessions. Microsoft Internet Explorer, KDE Konqueror, and Mozilla were reported to be vulnerable.
  • Ref: http://www.securityfocus.com/advisories/7181

  • 04.38.15 - CVE: CAN-2004-0811
  • Platform: Cross Platform
  • Title: Apache Satisfy Directive Access Control Bypass Vulnerability
  • Description: Apache Web Server is vulnerable to an access control bypass issue due to an error in the merging of the "Satisfy" directive. This is used to specify several criteria when granting access to resources. Apache version 2.0.51 is affected.
  • Ref: http://issues.apache.org/bugzilla/show_bug.cgi?id=31315

  • 04.38.16 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Macromedia JRun Multiple Remote Vulnerabilities
  • Description: Macromedia JRun is a J2EE application server. JRun is vulnerable to multiple security issues that include session hijacking, authentication bypass, source code disclosure and denial of service. JRun versions 3.0, 3.1, and 4.0 are known to be vulnerable.
  • Ref: http://www.macromedia.com/devnet/security/security_zone/mpsb04-08.html

  • 04.38.17 - CVE: CAN-2004-0749
  • Platform: Cross Platform
  • Title: Subversion Mod_Authz_Svn Metadata Information Disclosure
  • Description: Subversion is a software version control system. It is reported that Subversion's mod_authz_svn module is susceptible to an information disclosure vulnerability. The issue presents itself when paths that are marked as unreadable are accessed by particular Subversion client commands. Subversion versions 1.0.8, 1.1.0-rc4 and earlier are affected.
  • Ref: http://subversion.tigris.org/security/CAN-2004-0749-advisory.txt

  • 04.38.18 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Tutos Multiple Remote Input Validation Vulnerabilities
  • Description: Tutos is team organization software. Insufficient sanitization of the "t" parameter in the "app_new.php" script exposes a cross-site scripting issue. An SQL injection issue is exposed due to insufficient sanitization of the "link_id" parameter in the "file_overview.php" script. Tutos versions 1.1.2004-04-14 and earlier are affected.
  • Ref: http://www.securityfocus.com/archive/1/375757

  • 04.38.19 - CVE: Not Available
  • Platform: Web Application
  • Title: YaBB Multiple Input Validation Vulnerabilities
  • Description: YaBB (Yet Another Bulletin Board) is web forum software. YaBB 1 Gold is affected by two input validation vulnerabilities due to insufficient sanitization of user supplied data in the "settings.pl" script and an input validation error in the handling of the "subject" variable. YaBB version 1 GOLD SP 1.3.2 was released to fix these issues.
  • Ref: http://secunia.com/advisories/12609/

  • 04.38.20 - CVE: Not Available
  • Platform: Web Application
  • Title: AllWebScripts MySQLGuest HTML Injection Vulnerability
  • Description: AllWebScripts MySQLGuest is a collection of PHP scripts that enable guest book functionality. It is reported to be vulnerable to HTML injection problems. The issue exists due to improper sanitization of "Name", "Email", "Homepage" and "Comments" fields of the "AWSguest.php" script.
  • Ref: http://www.securitytracker.com/alerts/2004/Sep/1011376.html

  • 04.38.21 - CVE: Not Available
  • Platform: Web Application
  • Title: Virtual Programming VP-ASP Denial of Service
  • Description: VP-ASP is a shopping cart system designed for online retailers. The "shoprestoreorder.asp" script fails to close the database connection allowing attackers to possibly cause further database connections to fail. VP-ASP versions 5.0 and earlier are affected.
  • Ref: http://www.vpasp.com/virtprog/info/faq_securityfixes.htm

  • 04.38.22 - CVE: Not Available
  • Platform: Web Application
  • Title: Computer Associates Unicenter Management Username Disclosure
  • Description: Computer Associates Unicenter Management Portal is a Web-based enterprise management system. The "Forgot your Password?" link on the portal produces different messages depending on whether the submitted username is valid or not. This may allow attackers to brute force usernames. Unicenter Management Portal versions 2.0 and 3.1 are affected.
  • Ref: http://www.securityfocus.com/archive/1/375913
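The flaw above is a general one: any "forgot password" page that answers differently for valid and invalid usernames lets an outsider confirm account names. The following is an added example, not code from Computer Associates or from the newsletter: a hypothetical in-memory user store and a password-reset handler written first the leaky way the item describes and then the uniform way, plus the check a reviewer would run to tell the two apart.

```python
"""
Uniform-response password reset, as an added example for the username
disclosure item.  USERS and the handlers are hypothetical, not the
product's code.
"""
import secrets

# Constructed user directory standing in for the portal's backend.
USERS = {"alice": "alice@example.org", "bob": "bob@example.org"}


def forgot_password_leaky(username, send_mail):
    """'Before' behaviour matching the reported flaw: the visible reply
    tells the caller whether the username exists."""
    if username not in USERS:
        return "Unknown username."
    send_mail(USERS[username], secrets.token_urlsafe(24))
    return "A reset link has been sent to your address."


UNIFORM_REPLY = "If that account exists, a reset link has been sent to its address."


def forgot_password_uniform(username, send_mail):
    """Hardened: identical reply and the same work on both paths, so neither
    the message nor the obvious timing difference reveals account validity.
    Mail is only actually delivered for real accounts."""
    token = secrets.token_urlsafe(24)  # generated whether or not the user exists
    addr = USERS.get(username)
    if addr is not None:
        send_mail(addr, token)
    return UNIFORM_REPLY


def enumerates_users(handler, known_user, unknown_user):
    """Review check: True if the handler's reply depends on whether the
    username is valid, i.e. if it allows username enumeration."""
    delivered = []
    probe = lambda addr, token: delivered.append(addr)  # captures instead of sending
    return handler(known_user, probe) != handler(unknown_user, probe)


if __name__ == "__main__":
    print("leaky handler enumerates users:",
          enumerates_users(forgot_password_leaky, "alice", "mallory"))
    print("uniform handler enumerates users:",
          enumerates_users(forgot_password_uniform, "alice", "mallory"))
```

The `enumerates_users` check only compares the returned text; a thorough review would also compare response timing and any difference in HTTP status or headers, and rate-limit the endpoint so that even a residual difference cannot be harvested at scale.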

  • 04.38.23 - CVE: Not Available
  • Platform: Web Application
  • Title: YaBB Administrator Command Execution Vulnerability
  • Description: YaBB (Yet Another Bulletin Board) web-based bulletin board is reportedly vulnerable to an arbitrary command execution issue due to insufficient sanitization of the "IMG" HTML tags. All current versions of YaBB are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/375537

  • 04.38.24 - CVE: Not Available
  • Platform: Web Application
  • Title: YaBB.pl IMSend Cross-Site Scripting
  • Description: YaBB (Yet Another Bulletin Board) is a web-based bulletin board application. Insufficient sanitization of the "imsend" parameter of the "YaBB.pl" script exposes a cross-site scripting issue. YaBB 1 Gold SP versions 1.3.1 and earlier are affected.
  • Ref: http://www.securityfocus.com/archive/1/375537

  • 04.38.25 - CVE: Not Available
  • Platform: Web Application
  • Title: PHP Memory Information Disclosure
  • Description: PHP is vulnerable to random memory information disclosure due to improper array parsing in the "php_variables.c" file. This condition can be exposed when specially crafted variables are sent to a PHP script and it attempts to display them. PHP has released a patch for this.
  • Ref: http://www.securityfocus.com/archive/1/375294/2004-09-14/2004-09-20/0

  • 04.38.26 - CVE: Not Available
  • Platform: Web Application
  • Title: Mambo Remository Module SQL Injection
  • Description: Mambo web-based content management system's "ReMOSitory" module is vulnerable to a SQL injection issue. This is due to insufficient sanitization of the "com_repository" option in the "index.php" script. This could allow the remote backend database to be compromised. This issue was reported for version 4.5.1 (1.09) of ReMOSitory.
  • Ref: http://www.securityfocus.com/archive/1/375609

  • 04.38.27 - CVE: Not Available
  • Platform: Web Application
  • Title: Mambo Multiple Input Validation Vulnerabilities
  • Description: Mambo web-based content management system is vulnerable to multiple input-validation issues. These include cross-site scripting, SQL injection and remote code execution. Mambo version 4.5.1 (1.0.9) is affected.
  • Ref: http://www.securityfocus.com/archive/1/375771

  • 04.38.28 - CVE: Not Available
  • Platform: Network Device
  • Title: Motorola WR850G Wireless Router Remote Authentication Bypass
  • Description: The Motorola WR850G wireless router is vulnerable to remote authentication bypass and administrator session hijacking issues that may allow an attacker to take complete control of the device. The Motorola WR850G wireless router running firmware version 4.03 is known to be vulnerable.
  • Ref: http://secunia.com/product/3942/

  • 04.38.29 - CVE: Not Available
  • Platform: Network Device
  • Title: Inkra Router Remote Denial of Service
  • Description: The Inkra 1504GX router is reportedly vulnerable to a remote denial of service issue. The router fails to handle certain malformed network packets properly and its "Service Processing Module" eventually crashes. Attackers could thereby deny service to legitimate network users.
  • Ref: http://secunia.com/advisories/12538/

  • 04.38.30 - CVE: Not Available
  • Platform: Hardware
  • Title: Symantec Enterprise Firewall/VPN Appliance Multiple Vulnerabilities
  • Description: Symantec Enterprise Firewall/VPN Appliance is vulnerable to multiple issues. A UDP port scan on the WAN interface causes the device to lock up and requires a reboot to restore normal operation. A filter bypass issue exists that exposes tftpd, snmpd, and isakmp services. Finally the SNMP community strings are by default globally readable and writable, which could aid an attacker in carrying out further attacks. Symantec Firewall/VPN Appliance 100,200/200R with firmware builds earlier than 1.63 and Symantec Gateway Security 320, 360/360R with firmware builds earlier than 622 are affected.
  • Ref: http://www.sarc.com/avcenter/security/Content/2004.09.22.html

  • 04.38.31 - CVE: Not Available
  • Platform: Hardware
  • Title: Pinnacle ShowCenter Denial of Service
  • Description: Pinnacle Systems ShowCenter is an appliance that allows users to play multimedia movies on a television. Insufficient sanitization of the "Skin" URL parameter in the "SettingsBase.php" script exposes a denial of service issue. Pinnacle Systems ShowCenter version 1.51 is affected.
  • Ref: http://www.securityfocus.com/archive/1/375995

(c) 2004. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.

To subscribe, at no cost, go to https://portal.sans.org where you may also request subscriptions to any of SANS other free newsletters.

To change your subscription, address, or other information, visit http://portal.sans.org

Copyright 2004. All rights reserved. No posting or reuse allowed, other than listed above, without prior written permission.