@RISK: The Consensus Security Vulnerability Alert

As an MIT grad, I always took a little (unearned) pride in the fact that MIT created Kerberos - the powerful authentication systems used by many large organizations that really care about security. So this week's critical flaws found in Kerberos - and in numerous unnamed derivative products - was a bummer. An iTunes vulnerability was also discovered that affects both Widows and Mac implementations. Alan

Table Of Contents

Widely Deployed Software

• (1) CRITICAL: MIT Kerberos Multiple Vulnerabilities
• Affected:
  • MIT Kerberos versions prior to 1.6.3 and 1.5.5

• Description: MIT's implementation of the Kerberos authentication protocol contains multiple vulnerabilities in its "kadmind" administration daemon. This daemon runs on servers that act as Kerberos controllers. This server exports a Sun RPC (also called ONC RPC) interface that can be used to administer the service. The first vulnerability lies in the handling of RPCSEC_GSS authentication information and can be exploited by unauthenticated users. The second vulnerability stems from a failure to properly parse arguments to certain exported procedures, and requires authentication to exploit. An attacker who successfully exploited these vulnerabilities would be able to execute arbitrary code with the privileges of the vulnerable process (usually root). Note that the first vulnerability exists in the RPC library shipped with Kerberos; other products using this library may also be vulnerable. MIT Kerberos or products based thereupon are shipped by default with numerous Unix and Unix-like systems. Technical details for these vulnerabilities are available via source code analysis.

• Status: MIT confirmed, updates available.

• References:
  • MIT Advisory
  • http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-006.txt
  • Wikipedia Article on Kerberos
  • http://en.wikipedia.org/wiki/Kerberos_%28protocol%29
  • Wikipedia Article on Sun RPC
  • http://en.wikipedia.org/wiki/Sun_RPC
  • Kerberos Home Page
  • http://web.mit.edu/kerberos/www/index.html
  • SecurityFocus BIDs
  • http://www.securityfocus.com/bid/25533
  • http://www.securityfocus.com/bid/25534

• (2) HIGH: Apple iTunes Music File Buffer Overflow
• Affected:
  • Apple iTunes versions prior to 7.4

• Description: Apple iTunes contains a buffer overflow in its handling of album cover art. These images can be embedded in music files so that iTunes can display the cover art for that song. A specially crafted song file containing malicious cover art data could trigger this buffer overflow and execute arbitrary code with the privileges of the current user. Note that iTunes on both Apple Mac OS X and Microsoft Windows is vulnerable.

• Status: Apple confirmed, updates available.

• References:
  • Apple Security Advisory
  • http://docs.info.apple.com/article.html?artnum=306404
  • iTunes Home Page
  • http://www.apple.com/itunes
  • SecurityFocus BID
  • http://www.securityfocus.com/bid/25567

• (3) HIGH: Apache Struts/OpenSymphony WebWork OGNL Remote Code Execution
• Affected:
  • Apache Struts versions prior to 2.0.9
  • OpenSymphony WebWork versions prior to 2.0.4
  • OpenSymphony XWork versions prior to 2.0.4

• Description: Apache Struts and OpenSymphony WebWork provide a Java-based development environment for internet applications. A failure to properly handle invalid user form input could allow an attacker to execute arbitrary Open Graph Navigation Language (OGNL) code. OGNL is an expression language for Java that allows simpler interaction with JavaBeans. An attacker who submitted a specially crafted web form to a vulnerable system could cause the server to execute arbitrary OGNL code with the privileges of the vulnerable process. This could in turn lead to arbitrary Java code execution. Technical details are available for this vulnerability, both in the advisory and through source code analysis. A simple proof-of-concept is included in the advisory.

• Status: Apache and OpenSymphony confirmed, updates available.

• References:
  • Apache Security Advisory
  • http://struts.apache.org/ 2.x/docs/s2-001.html"> http://struts.apache.org/ 2.x/docs/s2-001.html
  • Wikipedia Article on OGNL
  • http://en.wikipedia.org/wiki/OGNL
  • Product Home Pages
  • http://www.opensymphony.com/webwork/wikidocs/OGNL.html
  • http://struts.apache.org/
  • SecurityFocus BID
  • http://www.securityfocus.com/bid/25524

• (4) MODERATE: Microsoft Visual FoxPro ActiveX Control Buffer Overflow
• Affected:
  • Microsoft Visual FoxPro version 6.0 and possibly prior

• Description: Microsoft Visual FoxPro is Microsoft's integrated development environment for the FoxPro programming language. It installs the "FPLOE.OCX" ActiveX control, which contains a buffer overflow in its "FoxDoCmd" method. A malicious web page that instantiated this control could exploit this buffer overflow to execute arbitrary code with the privileges of the current user. A proof-of-concept for this vulnerability is publicly available.

• Status: Microsoft has not confirmed, no updates available. Users can mitigate the impact of this vulnerability by disabling the control via Microsoft's "kill bit" mechanism for CLSID EF28418F-FFB2-11D0-861A-00A0C903A97F.

• References:
  • Proof-of-Concept
  • http://downloads.securityfocus.com/vulnerabilities/exploits/25571.html
  • Microsoft Knowledge Base Article (details the "kill bit" mechanism)
  • http://support.microsoft.com/kb/240797
  • Product Home Page
  • http://msdn2.microsoft.com/en-us/vfoxpro/default.aspx
  • SecurityFocus BID
  • http://www.securityfocus.com/bid/25571

• (5) MODERATE: Intuit QuickBooks Online Edition ActiveX Control Multiple Vulnerabilities
• Affected:
  • Intuit Quickbooks Online Edition ActiveX Control versions prior to 10

• Description: Intuit QuickBooks Online Edition is a version of Intuit's popular QuickBooks bookkeeping application implemented as an ActiveX control that can be run within Microsoft Internet Explorer. This ActiveX control contains multiple buffer overflows in several methods. Additionally, the "httpGETToFile" and "httpPOSTFromFile" methods can be used to overwrite or upload arbitrary files on the victim's system. Some technical details are available for these vulnerabilities.

• Status: Intuit confirmed, updates available. Users can mitigate the impact of this vulnerability by disabling the vulnerable control via Microsoft's "kill bit". Doing so will impact normal application functionality.

• References:
  • US-CERT Vulnerability Notes
  • http://www.kb.cert.org/vuls/id/979638
  • http://www.kb.cert.org/vuls/id/907481
  • Secunia Advisory
  • http://secunia.com/advisories/26659/
  • Product Home Page
  • http://oe.quickbooks.com/
  • SecurityFocus BID
  • http://www.securityfocus.com/bid/25544

• (6) LOW: Cisco Catalyst Content Switching Module Multiple Denials of Service
• Affected:
  • Cisco Catalyst Content Switching Modules versions prior to 4.2.3a
  • Cisco Catalyst Content Switching Modules with SSL versions prior to 2.1.2a

• Description: Cisco Catalyst switches can use Content Switching Modules (CSMs) to provide integrated load balancing. These modules contain two denial of service vulnerabilities. Failure to properly handle out-of-order TCP packets can lead to excessive CPU utilization on the CSM, leading to a general denial of service. Additionally, when the CSM is configured to perform service termination, high traffic loads can cause the CSM to reload. This can cause denials of service for hosts that depend on the CSM for load balancing.

• Status: Cisco confirmed, updates available.

• References:
  • Cisco Security Advisory
  • http://www.cisco.com/en/US/products/products_security_advisory09186a00808b4d3b.s
    html
  • Product Home Pages
  • http://www.cisco.com/en/US/products/hw/modules/ps2706/products_qanda_item0900aec
    d801cad00.shtml
  • http://www.cisco.com/en/US/products/hw/modules/ps2706/ps780/index.html
  • SecurityFocus BID
  • http://www.securityfocus.com/bid/25547

Other Software

• (7) HIGH: Lighttpd FastCGI Buffer Overflow
• Affected:
  • Lighttpd versions prior to 1.4.18

• Description: Lighttpd is an open source, cross platform, high performance web server. It contains a buffer overflow in its handling of overlong HTTP headers when interacting with FastCGI-based applications. FastCGI is a method of accelerating Common Gateway Interface (CGI) applications running on web servers. A specially crafted HTTP request containing an overlong header could trigger this vulnerability and allow arbitrary code to be executed with the privileges of the vulnerable process. Full technical details and a proof-of-concept are available for this vulnerability.

• Status: Lighttpd confirmed, updates available.

• References:
  • Lighttpd Security Advisory
  • http://www.lighttpd.net/ assets/2007/9/9/lighttpd_sa_2007_12.txt"> http://www.lighttpd.net/ assets/2007/9/9/lighttpd_sa_2007_12.txt
  • SECWEB Security Advisory
  • http://secweb.se/en/advisories/lighttpd-fastcgi-remote-vulnerability/
  • Proof-of-Concept
  • http://secweb.se/files/lighttpd-fastcgi-remote-vulnerability.c
  • Wikipedia Article on CGI
  • http://en.wikipedia.org/wiki/Common_Gateway_Interface
  • Product Home Page
  • http://www.lighttpd.net/
  • SecurityFocus BID
  • Not yet available.

• (8) MODERATE: Borderbund Expressit 3DGreetings Player ActiveX Control Multiple Vulnerabilities
• Affected:
  • Broderbund Expressit 3DGreetings Player ActiveX Control

• Description: The Broderbund Expressit 3DGreetings Plaer is an ActiveX player for 3D web-based greeting cards. Several buffer overflow vulnerabilities have been discovered in various exported methods of this control. A malicious web page that instantiated this control could exploit these vulnerabilities to execute arbitrary code with the privileges of the current user. Note that no technical details are currently available for these vulnerabilities, but that several tools exist that can automatically audit arbitrary ActiveX controls.

• Status: Broderbund has not confirmed, no updates available. Users can mitigate the impact of this vulnerability by disabling the vulnerable control via Microsoft's "kill bit" mechanism for CLSID 0C3F7D74-ADA5-4976-8908-A8189590DAFA. Note that disabling this control will impact normal application functionality.

• References:
  • US-CERT Vulnerability Note
  • http://www.kb.cert.org/vuls/id/574401
  • Microsoft Knowledge Base Article (details the "kill bit" mechanism)
  • http://support.microsoft.com/kb/240797
  • SecurityFocus BID
  • Not yet available.

• (9) MODERATE: Earth Resource Mapper JPEG2000 Plug-In ActiveX Control Multiple Buffer Overflows
• Affected:
  • Earth Resource Mapper ECW JPEG2000 Plug-In versions prior to 8.1

• Description: Earth Resource Mapper is a geospatial image processing application. Its ECW JPEG 2000 Plug-In package installs an ActiveX control that has been discovered to contain multiple buffer overflow vulnerabilities in exported methods. A malicious web page that instantiated this control could trigger one of these buffer overflows and execute arbitrary code with the privileges of the current user.

• Status: Vendor confirmed, updates available. Users can mitigate the impact of this vulnerability by disabling the vulnerable control via Microsoft's "kill bit" mechanism for CLSID 8EC18CE2-D7B4-11D2-88C8-006008A717FD.

• References:
  • US-CERT Vulnerability Note
  • http://www.kb.cert.org/vuls/id/589188
  • Microsoft Knowledge Base Article (details the "kill bit" mechanism)
  • http://support.microsoft.com/kb/240797
  • Product Home Page
  • http://www.ermapper.com/ProductView.aspx?t=27
  • SecurityFocus BID
  • http://www.securityfocus.com/bid/25584