Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] FW: @RISK: The Consensus Security Vulnerability Alert Vol. 4 No. 51



> 
> *************************
> Widely Deployed Software
> *************************
> 
> (1) HIGH: Symantec AntiVirus Products RAR Handling Buffer Overflow 
> Affected:
> Symantec Norton, Gateway Security, Client Security, Brightmail and
> Corporate Antivirus product lines Third-party products using version
> 3.2.14.3 or prior of the "Dec2Rar.DLL" library
> 
> Description: Symantec anti-virus products contain multiple heap-based
> buffer overflows in the "Dec2Rar.DLL" library that is responsible for
> scanning RAR archives to detect viruses. The overflows can be triggered
> by RAR archives with specially crafted "sub-block" headers, and
> exploited to execute arbitrary code. The technical details, including
> disassembler output, have been publicly posted. Note that for
> compromising gateway and server products, sending a malicious email is
> sufficient, i.e. no user interaction is required.
> 
> Status: Symantec is working on getting the patches ready. A workaround,
> in the meanwhile, is to disable RAR processing on the anti-virus
> products. Such a configuration, however, will also let RAR-compressed
> viruses go undetected.
> 
> Council Site Actions:  All reporting council sites are awaiting
> confirmation from the vendor. Some sites have notified their system
> support group of the issue.  One site commented that if a patch is not
> released before an exploit, they will disable RAR scanning.
> 
> References:
> Posting by Alex Wheeler
> http://www.rem0te.com/public/images/symc2.pdf 
> FrSIRT Advisory
> http://www.frsirt.com/english/advisories/2005/3003
> RAR File Format
> http://www.wotsit.org/search.asp?page=2&s=archive  
> SecurityFocus BID
> http://www.securityfocus.com/bid/15971 
> 
> **********************************************************************
> 
> (2) HIGH: Trend Micro ServerProtect Multiple Vulnerabilities
> Affected:
> Trend Micro ServerProtect for Windows and Netware version 5.58
> 
> Description: TrendMicro ServerProtect products are designed to provide
> real-time protection from viruses, Trojans and other malware for
> Microsoft, Linux or Novell-based servers. The Management Console, which
> allows remote web-based administration of these products, contains
> multiple buffer overflows. These flaws can be triggered by a
> "chunk-encoded" HTTP POST request to the "isaNVWRequest.DLL" and
> "relay.DLL" scripts, and exploited to execute arbitrary code with
> possibly "SYSTEM" privileges. Additionally, a flaw exists in the
> ServerProtect EarthAgent daemon that can be exploited to cause a
> denial-of-service. By sending a TCP packet containing the magic string
> "\x21\x43\x65\x87" to port 5005, an attacker can cause the ServerProtect
> process to consume 100% of the CPU time. The technical details have been
> publicly posted.
> 
> Status: Vendor has acknowledged all vulnerabilities. No patch available
> for the buffer overflows. A hotfix is available for the DoS issue.
> Workarounds are to prevent access to the ServerProtect Management Server
> as well as to the port 5005/tcp from the Internet.
> 
> Council Site Actions: Only one of the reporting council sites is using
> the affected software.  They have notified their system support group
> and are awaiting patches from the vendor.
> 
> References:
> iDefense Security Advisories
> http://archives.neohapsis.com/archives/vulnwatch/2005-q4/0066.html 
> http://archives.neohapsis.com/archives/vulnwatch/2005-q4/0067.html 
> http://archives.neohapsis.com/archives/vulnwatch/2005-q4/0068.html
> TrendMicro HotFix
> http://kb.trendmicro.com/solutions/search/main/search/solutionDetail.asp?solutionID=25254
> Product Homepage
> http://www.trendmicro.com/en/products/file-server/overview.htm  
> SecurityFocus BIDs
> http://www.securityfocus.com/bid/15865 
> http://www.securityfocus.com/bid/15866 
> http://www.securityfocus.com/bid/15868  
> 
> ****************************************************************
> 
> ***************
> Other Products
> ***************
> 
> (3) CRITICAL: Eudora Qualcomm WorldMail Buffer Overflows
> Affected:
> Eudora Qualcomm WorldMail 3.0 and prior
> 
> Description: Eudora Qualcomm's WorldMail is an enterprise-grade email
> and messaging server solution. This server contains buffer overflows in
> handling IMAP commands such as "AUTHENTICATE" and "LIST". An
> unauthenticated attacker can trigger these flaws by sending overlong
> command arguments ending with a string of "}" characters. The overflows
> can be leveraged to execute arbitrary code on the server with "SYSTEM"
> privileges. Exploit code has been publicly posted.
> 
> Status: Vendor has not confirmed, no patches available.
> 
> Council Site Actions: Only one of the reporting council sites is using
> the affected software.  They have notified their system support group
> and are awaiting patches from the vendor.
> 
> References:
> Posting by Tim Shelton
> http://archives.neohapsis.com/archives/fulldisclosure/2005-12/1014.html
> iDefense Advisory
> http://www.idefense.com/intelligence/vulnerabilities/display.php?type=vulnerabilities&id=359
> Exploit Code
> http://www.frsirt.com/exploits/20051220.worldmail.py.php 
> Product Homepage
> http://www.eudora.com/worldmail/ 
> SecurityFocus BID
> http://www.securityfocus.com/bid/15980 
> 
> ****************************************************************
> 
> 05.51.1 CVE: CVE-2005-4131
> Platform: Microsoft Office
> Title: Excel Unspecified Memory Corruption
> Description: Microsoft Excel is vulnerable to two unspecified memory
> corruption vulnerabilities when the application attempts to process
> malformed or corrupted XLS files. All versions of Microsoft Excel are
> vulnerable.
> Ref: http://www.securityfocus.com/bid/15926/info 
> ______________________________________________________________________
> 
> 05.51.2 CVE: Not Available
> Platform: Other Microsoft Products
> Title: Internet Information Server 5.1 DLL Request Denial of Service
> Description: Microsoft Internet Information Server 5.1 is affected by
> a denial of service condition which occurs when several requests are
> received for a DLL within a virtual directory causing the
> "inetinfo.exe" process to crash.
> Ref: http://ingehenriksen.blogspot.com/2005/12/microsoft-iis-remote-dos-dll-url.html
> ______________________________________________________________________
> 
> 05.51.4 CVE: CVE-2005-1928
> Platform: Third Party Windows Apps
> Title: Trend Micro ServerProtect EarthAgent Daemon Denial of Service
> Description: Trend Micro ServerProtect is an antivirus scanner. The
> EarthAgent Daemon is vulnerable to a denial of service issue when
> receiving a crafted packet on TCP port 5005. Trend Micro ServerProtect
> version 5.58 with Control Manager 2.5 or 3.0 and Damage Cleanup Server
> 1.1 is vulnerable.
> Ref: http://solutionfile.trendmicro.com/SolutionFile/25254/en/Hotfix_Readme_SPNT5_58_B1137.txt
> ______________________________________________________________________
> 
> 05.51.5 CVE: CVE-2005-1930
> Platform: Third Party Windows Apps
> Title: ServerProtect RPTServer.ASP Directory Traversal
> Description: Trend Micro Server Protect Management Console is
> vulnerable to a directory traversal issue in the Crystal Report
> component due to insufficient sanitization of user-supplied input to
> the "IMAGE" parameter of the "rptserver.asp" script. Trend Micro
> ServerProtect for Windows Management Console 5.58 running with Trend
> Micro Control Manager 2.5/3.0 and Trend Micro Damage Cleanup Server
> 1.1 is vulnerable.
> Ref: http://www.idefense.com/application/poi/display?id=352&type=vulnerabilities&flashstatus=true
> ______________________________________________________________________
> 
> 05.51.6 CVE: CVE-2005-1929
> Platform: Third Party Windows Apps
> Title: Trend Micro ServerProtect Relay Heap Overflow
> Description: Trend Micro ServerProtect is an antivirus scanner for
> servers that also offers a Windows-based administration console. A
> remotely exploitable heap-based buffer overflow vulnerability is
> present in the Trend Micro ServerProtect "relay.dll" component in the
> Management Console. This vulnerability may be triggered by an
> excessive HTTP POST request to the component that specifies a length
> value that will cause an integer wrap. Arbitrary code execution would
> occur in the context of the underlying Web server. This issue is
> reported to affect ServerProtect 5.58 for Windows running with Trend
> Micro Control Manager 2.5/3.0 and Trend Micro Damage Cleanup Server
> 1.1.
> Ref: http://www.idefense.com/intelligence/vulnerabilities/display.php?id=354
> ______________________________________________________________________
> 
> 05.51.12 CVE: CVE-2005-3657
> Platform: Third Party Windows Apps
> Title: McAfee VirusScan Security Center ActiveX Control Arbitrary File
> Overwrite
> Description: McAfee VirusScan is a commercially available virus
> scanning product for the Microsoft Windows platform. Security Center
> is a component that combines various security protection applications.
> It ships with McAfee VirusScan. McAfee VirusScan Security Center is
> prone to an arbitrary file overwrite vulnerability.  This issue arises
> due to an access validation error. The application ships with an
> ActiveX control that does not properly restrict access and the control
> may be loaded in arbitrary domains. Successful exploitation can lead
> to various attacks including potential arbitrary code execution and
> remote unauthorized access.
> Ref: http://www.securityfocus.com/archive/1/419896 
> ______________________________________________________________________
> 
> 05.51.16 CVE: Not Available
> Platform: Linux
> Title: Info-ZIP UnZip File Name Buffer Overflow
> Description: Info-ZIP unzip is a decompression utility. It is
> vulnerable to a filename buffer overflow issue due to insufficient
> sanitization of user-supplied input to the command line of the
> filename argument. Info-ZIP UnZip versions 5.52 and earlier are
> vulnerable.
> Ref: http://www.securityfocus.com/bid/15968 
> ______________________________________________________________________
> 
> 
> 05.51.28 CVE: CVE-2005-1929
> Platform: Cross Platform
> Title: Trend Micro ServerProtect ISANVWRequest Heap Overflow
> Description: Trend Micro ServerProtect is an antivirus scanner for
> servers. A remotely exploitable heap-based buffer overflow
> vulnerability is present in the Trend Micro ServerProtect
> "isaNVWRequest.dll" ISAPI component of the Management Console. Trend
> Micro ServerProtect version 5.58 for Windows running with
> Trend Micro Control Manager version 2.5/3.0 and Trend Micro Damage
> Cleanup Server version 1.1 is affected. Other versions and platforms
> may be affected as well.
> Ref: http://www.idefense.com/application/poi/display?id=353&type=vulnerabilities
> ______________________________________________________________________
> 
> 05.51.30 CVE: CVE-2005-3652
> Platform: Cross Platform
> Title: Citrix Program Neighborhood Application Enumeration Buffer
> Overflow
> Description: Citrix Program Neighborhood is a client for connecting to
> various Citrix server products. It fails to properly bounds check the
> application names returned from the server causing a buffer overflow
> condition. Citrix Program Neighborhood versions 9.1 and earlier are
> affected.
> Ref: http://support.citrix.com/article/CTX108354 
> ______________________________________________________________________
> 
> 05.51.39 CVE: Not Available
> Platform: Cross Platform
> Title: Symantec Antivirus Library RAR Decompression Heap Overflow
> Description: The Symantec antivirus library is vulnerable to multiple
> heap-based buffer overflow issues that could be exploited to
> compromise computers running applications that utilize the affected
> library. Please refer to the link below for a list of vulnerable
> systems.
> Ref: http://www.securityfocus.com/bid/15971/info 
> ______________________________________________________________________
> 
> 05.51.42 CVE: Not Available
> Platform: Cross Platform
> Title: Clearswift MIMEsweeper For Web Executable File Bypass
> Description: Clearswift MIMEsweeper For Web is a security product
> deployed on gateway systems. It is vulnerable to a file bypass issue
> due to a design error which fails to filter executable files that are
> named without the ".exe" file extension. All current versions of
> Clearswift MIMEsweeper For Web are considered to be vulnerable at the
> moment.
> Ref: http://www.securityfocus.com/archive/1/419904 
> ______________________________________________________________________
> 
> 05.51.44 CVE: CVE-2005-4267
> Platform: Cross Platform
> Title: Qualcomm WorldMail IMAPD Buffer Overflow
> Description: WorldMail is mail server software for the Microsoft
> Windows platform. The IMAPd service is a daemon process for accepting
> and handling IMAP requests. WorldMail IMAPd service is prone to a
> remote buffer overflow vulnerability. This issue occurs when multiple
> instances of the "}" character follow the following IMAP commands:
> LIST, LSUB, SEARCH TEXT, STATUS INBOX, AUTHENTICATE, FETCH, SELECT and
> COPY; other commands may also be affected. This issue is reported to
> affect IMAPd service version 6.1.19.0 of WorldMail 3.0; other versions
> may also be vulnerable.
> Ref: http://www.securityfocus.com/bid/15980/exploit 
> ______________________________________________________________________
> 
> 05.51.45 CVE: CVE-2005-4348
> Platform: Cross Platform
> Title: Fetchmail Missing Email Header Remote Denial of Service
> Description: Fetchmail is a mail retrieval utility. It is vulnerable
> to a remote denial of service issue due to insufficient handling of
> unexpected input when retrieving an email message without headers.
> Fetchmail versions 6.2.5.4 and 6.3.0 are vulnerable.
> Ref: http://fetchmail.berlios.de/fetchmail-SA-2005-03.txt 
> ______________________________________________________________________
> 
> 
> 05.51.47 CVE: Not Available
> Platform: Cross Platform
> Title: LiveJournal Cleanhtml.PL HTML Injection
> Description: LiveJournal is an online journal application. It is
> vulnerable to an HTML injection issue due to insufficient sanitization
> of user-supplied input to HTML attributes of the "cleanhtml.pl"
> script. All versions of LiveJournal are vulnerable.
> Ref: http://www.securityfocus.com/bid/15990/info 
> ______________________________________________________________________
> 
> 05.51.48 CVE: Not Available
> Platform: Cross Platform
> Title: Multiple Fortinet Products IKE Exchange Denial of Service
> Vulnerabilities
> Description: Fortinet FortiGate, FortiManager, and FortiClient
> products are commercial network security products. They are prone to
> denial of service vulnerabilities due to security flaws in Fortinet's
> IPSec implementation. FortiOS versions 3.0 and earlier, FortiManager
> versions 3.0 and earlier, and FortiClient version 2.0 are affected.
> Ref: http://www.niscc.gov.uk/niscc/docs/re-20051114-01014.pdf?lang=en 
> ______________________________________________________________________
> 
> 05.51.49 CVE: Not Available
> Platform: Cross Platform
> Title: VMWare Remote Arbitrary Code Execution
> Description: VMWare is virtualization software that allows multiple
> virtual machines to run on a single computer. It is affected by a code
> execution issue which arises in "vmnat.exe" on Windows and
> "vmnet-natd" on Linux when a malicious guest is using a NAT networking
> configuration. An attacker can exploit this issue by issuing specially
> crafted FTP "EPRT" and "PORT" commands. VMWare Workstation, VMWare GSX
> Server, VMWare ACE, and VMWare Player are affected. Please see
> attached link for a list of vulnerable versions.
> Ref: http://www.securityfocus.com/bid/15998/info 
> ______________________________________________________________________
> 
> 05.51.134 CVE: Not Available
> Platform: Network Device
> Title: Multiple Linksys Routers LanD Packet Denial Of Service
> Description: Multiple Linksys devices are prone to a denial of service
> vulnerability. These devices are susceptible to a remote denial of
> service vulnerability when handling TCP "LanD" packets containing the
> PUSH, ACK, SYN, and URG flags. Linksys BEFW11S4 and WRT54GS devices
> are affected by this issue.
> Ref: http://www.securityfocus.com/bid/15861/exploit 
> ______________________________________________________________________
> 
> 
> 05.51.137 CVE: CVE-2005-4332
> Platform: Network Device
> Title: Clean Access Multiple Access Validation Issues
> Description: Cisco Clean Access scans devices attempting to connect to
> a network. It allows remote attackers to bypass
> authentication through various Web server JSP pages such as
> admin/uploadclient.jsp and apply_firmware_action.jsp. Cisco Clean
> Access versions 3.5.5 and earlier are vulnerable.
> Ref: http://www.securityfocus.com/bid/15909 
> ______________________________________________________________________
> 
> 05.51.138 CVE: Not Available
> Platform: Network Device
> Title: Cisco EIGRP Protocol HELLO Packet Replay
> Description: EIGRP (Enhanced Interior Gateway Routing Protocol) is a
> proprietary protocol developed by Cisco. It supports using the MD5
> algorithm to authenticate router communications. The Cisco EIGRP
> protocol is susceptible to a vulnerability that allows HELLO packet
> replay attacks. The protocol uses the Opcode, AS number, Flags,
> Sequence Number, and Nexthop packet fields when creating the MD5
> message authentication code. By capturing a valid HELLO packet,
> attackers may utilize the included key digest to create their own
> EIGRP HELLO packets. This issue allows attackers to gain access to
> potentially sensitive network information in EIGRP UPDATE reply
> packets, or to cause a denial of service condition by flooding routers
> with HELLO packets.
> Ref: http://www.securityfocus.com/archive/1/419830 
> ______________________________________________________________________
> 
> 05.51.139 CVE: Not Available
> Platform: Network Device
> Title: Cisco EIGRP Protocol Unauthenticated Goodbye Packet Remote
> Denial of Service
> Description: EIGRP (Enhanced Interior Gateway Routing Protocol) is a
> proprietary protocol developed by Cisco. It is affected by a denial of
> service issue which can be triggered by sending spoofed EIGRP
> "Goodbye" packets or packets with mismatched "k" values set.
> Ref: http://www.cisco.com/en/US/tech/tk365/technologies_security_notice09186a008011c5e1.html
> ______________________________________________________________________
> 
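The relay.dll item above (05.51.6) describes a POST length value that wraps an integer before allocation. As an added illustration, not code from the advisory or from Trend Micro, the following C shows the unchecked size computation beside an overflow-guarded one; the 16-byte header size and the 1 MiB body cap are assumptions.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not the advisory's or Trend Micro's code. It models the
   bug class described for relay.dll: an attacker-supplied body length is
   added to a fixed header size before the buffer is allocated. If that sum
   wraps around a 32-bit unsigned value, a tiny buffer is allocated while a
   very large copy follows, overrunning the heap. Sizes are assumptions. */

#define HDR_SIZE 16u          /* hypothetical fixed header stored before the body */
#define MAX_BODY (1u << 20)   /* hypothetical policy cap: 1 MiB per request       */

/* Naive computation with no wrap check. With body_len = 0xFFFFFFF8,
   0xFFFFFFF8 + 16 wraps to 8, so only 8 bytes would be allocated. */
static uint32_t naive_alloc_size(uint32_t body_len) {
    return body_len + HDR_SIZE;
}

/* Did the naive sum wrap? True when the result is smaller than one operand. */
static bool naive_wraps(uint32_t body_len) {
    return naive_alloc_size(body_len) < body_len;
}

/* Hardened: bound the value by policy, then guard the addition so it cannot
   wrap. Writes *out and returns true only when the size is safe to use. */
static bool checked_alloc_size(uint32_t body_len, uint32_t *out) {
    if (body_len > MAX_BODY)               /* policy bound first */
        return false;
    if (body_len > UINT32_MAX - HDR_SIZE)  /* addition would wrap */
        return false;
    *out = body_len + HDR_SIZE;
    return true;
}

int main(void) {
    uint32_t lens[] = { 64u, MAX_BODY, MAX_BODY + 1u, 0xFFFFFFF8u };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        uint32_t sz = 0;
        bool ok = checked_alloc_size(lens[i], &sz);
        printf("len=%10u naive=%10u wraps=%d checked=%s\n",
               lens[i], naive_alloc_size(lens[i]), (int)naive_wraps(lens[i]),
               ok ? "accept" : "reject");
    }
    return 0;
}
```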


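The MIMEsweeper item above (05.51.42) describes executables passing a filter that keys on the ".exe" extension. As an added example, not the advisory's or Clearswift's code, this C checks the content for a Windows PE header instead of trusting the file name; the minimal header bytes are constructed for the demo.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Added example, not the advisory's or Clearswift's code. An extension-only
   filter is defeated by a rename; a content check is not. A Windows PE file
   begins with "MZ" and stores at offset 0x3C a little-endian 32-bit offset
   to the "PE\0\0" signature. */

/* The weak check: trusts the name the sender chose (case-sensitive for brevity). */
static bool has_exe_extension(const char *name) {
    size_t n = strlen(name);
    return n >= 4 && strcmp(name + n - 4, ".exe") == 0;
}

/* The content check: looks only at the bytes, never at the name. */
static bool looks_like_pe(const uint8_t *buf, size_t len) {
    if (len < 0x40 || buf[0] != 'M' || buf[1] != 'Z')
        return false;
    uint32_t pe_off = (uint32_t)buf[0x3C] | (uint32_t)buf[0x3D] << 8 |
                      (uint32_t)buf[0x3E] << 16 | (uint32_t)buf[0x3F] << 24;
    if (pe_off > len - 4)              /* signature must fit inside the buffer */
        return false;
    return memcmp(buf + pe_off, "PE\0\0", 4) == 0;
}

/* Constructed sample: a minimal 0x44-byte PE-like header with e_lfanew = 0x40. */
#define SAMPLE_LEN 0x44
static size_t build_sample_pe(uint8_t *buf) {
    memset(buf, 0, SAMPLE_LEN);
    buf[0] = 'M'; buf[1] = 'Z';
    buf[0x3C] = 0x40;                  /* offset of the "PE\0\0" signature */
    memcpy(buf + 0x40, "PE\0\0", 4);
    return SAMPLE_LEN;
}

/* Verdict a gateway should apply: block if either signal says executable. */
static bool should_block(const char *name, const uint8_t *buf, size_t len) {
    return has_exe_extension(name) || looks_like_pe(buf, len);
}

int main(void) {
    uint8_t buf[SAMPLE_LEN];
    size_t len = build_sample_pe(buf);
    const char *names[] = { "tool.exe", "tool.dat", "report" };
    for (size_t i = 0; i < 3; i++)
        printf("%-9s ext=%d content=%d block=%d\n", names[i],
               (int)has_exe_extension(names[i]), (int)looks_like_pe(buf, len),
               (int)should_block(names[i], buf, len));
    return 0;
}
```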


 




Copyright © Lexa Software, 1996-2009.