>
> *****************************
> Widely Deployed Software
> *****************************
>
> (1) CRITICAL: Snort Back Orifice Preprocessor Buffer Overflow
> Affected:
> Snort versions 2.4.x prior to 2.4.3
>
> Description: Snort is a popular open-source intrusion detection and
> prevention system. Snort uses "preprocessors" to perform protocol
> decoding before the Snort detection engine is invoked. The
> preprocessor
> "bo" is used to detect traffic related to the Back Orifice backdoor.
> This preprocessor contains a stack-based buffer overflow that can be
> triggered by a specially crafted UDP packet (Back Orifice ping). The
> overflow can be exploited to execute arbitrary code on the
> Snort system
> with the same privileges used to run Snort, usually "root/SYSTEM".
> Injecting the malicious UDP packet in a network being
> protected by Snort
> is sufficient to exploit this overflow. Further, the UDP packet can be
> spoofed and have any source/destination ports, which may lead to
> bypassing firewalls. Exploit code has been posted.
>
> Status: Vendor confirmed; version 2.4.3 has been released to address
> this issue. A workaround is to comment out the line "preprocessor bo"
> in snort.conf and restart snort. The workaround, however,
> will leave the
> network open to Back Orifice attacks, and should be used only if the
> fixed version cannot be installed. Please also check for
> updates for any
> third party products that use snort. The CERT Vulnerability
> Note can be
> used to track third party products that are vulnerable
> because they rely
> on Snort. At this time, Nortel Threat Protection System is reported to
> be vulnerable.
>
> Council Site Actions: Most of the reporting council sites are running
> the affected software and have already patched their systems.
>
> References:
> ISS X-Force Advisory
>
> Snort Advisory
>
> CERT Advisory and Vulnerability Note
>
>
> Exploit Code
>
> att-0417/snort_bo_ping.pm
> Snort Preprocessors
>
> SecurityFocus BID
>
>
> ****************************************************************
>
> (2) HIGH: Oracle Critical Patch Update October 2005
> Affected:
> Multiple Oracle Products (Refer to the Oracle Security Advisory)
>
> Description: Oracle has released its critical patch update
> for multiple
> Oracle products including Database Server, application server,
> e-business suite, Collaboration Suite, Enterprise Manager and
> Peoplesoft
> products. The patch addresses more than 80 vulnerabilities
> ranging from
> PL/SQL injections to buffer overflows. According to
> NGSSoftware, one of
> the seven discoverers for the flaws patched in this update, some the
> flaws can be exploited to completely compromise the database
> server. The
> technical details for the flaws have not been posted yet.
>
> Council Site Actions: Many reporting council sites are using the
> affected software. Several of the sites are in the process of
> investigating the updates and doing regression testing.
> Others plan to
> patch during their next maintenance cycle.
>
> References:
> Oracle Advisory
>
> CERT Advisory
>
> NGSSoftware Advisory
>
> Posting by Alexander (Red Database Security)
>
> 0421.html
>
> 0420.html
> Integrigy Analysis
>
> SecurityFocus BID
>
>
> ****************************************************************
>
> ************************
> Other Software
> ************************
>
> (3) HIGH: GFi MailSecurity Web Module Overflow
> Affected:
> GFi MailSecurity version 8.1
>
> Description: GFi MailSecurity uses multiple virus scanning engines to
> scan emails for viruses, Trojans, spyware and malicious
> attachments. The
> product can be used as an SMTP gateway or integrates with Exchange
> 2000/2003 server. The product offers a web interface for configuration
> and managing quarantine emails. This web interface contains a buffer
> overflow that can be triggered by overlong HTTP headers. An
> unauthenticated attacker can exploit the overflow to execute arbitrary
> code on the mail server with SYSTEM privileges. Note that this product
> is likely to be deployed in an enterprise DMZ. Hence, successful
> exploitation grants an attacker a foothold in the DMZ for launching
> further attacks.
>
> Status: Vendor confirmed; updates available.
>
> Council Site Actions: The affected software and/or
> configuration are not
> in production or widespread use, or are not officially
> supported at any
> of the council sites. They reported that no action was necessary.
>
> References:
> Sec-1 Advisory
>
> Product Homepage
>
> SecurityFocus BID
>
>
> ****************************************************************
>
> ****************************************************************
>
> *************
> Exploits
> *************
>
> (8) RSA WebAgent Buffer Overflow
>
> Council Site Actions: The affected software and/or
> configuration are not
> in production or widespread use, or are not officially
> supported at any
> of the council sites. They reported that no action was necessary.
>
> References:
> Exploit Code targeting IIS servers
>
> iiswebagent_redirect.pm
> Previous @RISK Posting
>
> r2 (Rating: HIGH)
>
> ****************************************************************
>
> (9) Computer Associates CAM Unicenter Overflow
>
> Council Site Actions: Only one council site is using the affected
> software. They are currently investigating with their Windows support
> group on the appropriate action. The related traffic is
> blocked at their
> network perimeter points.
>
> References:
> Exploit Code for Windows Platform
>
> m_logsecurity_win32.pm
> Posting by Computer Associates
>
> Previous @RISK Newsletter Posting
>
> ly1 (Rating: HIGH)
>
> ****************************************************************
>
> (10) Veritas NetBackup Format String Vulnerability
>
> References:
> Exploit Code
>
>
>
> Previous @RISK Newsletter Posting
>
> r3 (Rating: HIGH)
>
> ******************************************************************
>
> (11) MailEnable IMAP SELECT Request Overflow
>
> Council Site Actions: The affected software and/or
> configuration are not
> in production or widespread use, or are not officially
> supported at any
> of the council sites. They reported that no action was necessary.
>
> References:
> Exploit Code
>
> enable_imap.pm
> Previous @RISK Newsletter Posting
>
> r1 (Rating: MODERATE)
>
> ****************************************************************
>
> Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
> Week 42, 2005
>
> This list is compiled by Qualys ( www.qualys.com ) as part of that
> company's ongoing effort to ensure its vulnerability management web
> service tests for all known vulnerabilities that can be scanned. As of
> this week Qualys scans for 4587 unique vulnerabilities. For this
> special SANS community listing, Qualys also includes vulnerabilities
> that cannot be scanned remotely.
>
> ______________________________________________________________________
>
> 05.42.1 CVE: Not Available
> Platform: Windows
> Title: Windows Unspecified Remote Code Execution
> Description: Microsoft Windows is vulnerable to an unspecified remote
> code execution in a default installation of Media Player and Internet
> Explorer. Windows NT, 2000, XP SP1, SP2 and Windows 2003 SP0 and SP1
> are reported to be vulnerable.
> Ref:
> ______________________________________________________________________
>
> 05.42.2 CVE: Not Available
> Platform: Third Party Windows Apps
> Title: WinRAR Command Line Buffer Overflow
> Description: RARLAB WinRAR is a compression application. It is
> vulnerable to a buffer overflow issue in the command line processing
> functionality when processing long archive name parameter. RARLAB
> WinRar versions 3.50 and earlier are vulnerable.
> Ref:
> ______________________________________________________________________
>
>
> 05.42.5 CVE: Not Available
> Platform: Third Party Windows Apps
> Title: Symantec Brightmail AntiSpam Malformed MIME Message Denial Of
> Service
> Description: Symantec Brightmail AntiSpam runs at the gateway. It is
> vulenerable to a denial of service issue due to a failure of the
> application to properly handle certain malformed MIME content. A
> remote attacker could crash the application by exploiting this issue.
> Symantec Brightmail AntiSpam version 6.0 builds 1 and 2 are vulnerable
> to this issue.
> Ref:
>
> ______________________________________________________________________
> >
______________________________________________________________________
>
> 05.42.12 CVE: CAN-2005-3120
> Platform: Unix
> Title: Lynx NNTP Article Header Buffer Overflow
> Description: Lynx is affected by a buffer overflow issue when handling
> NNTP article headers. The issue exists in the "HTrjis()" function
> where data from NNTP article headers are copied into a finite
> stack-based buffer without sufficient bounds checking on the size of
> the source data.
> Ref:
> ______________________________________________________________________
>
> 05.42.13 CVE: CAN-2005-3185
> Platform: Unix
> Title: Multiple Vendor WGet/Curl NTLM Username Buffer Overflow
> Vulnerability
> Description: GNU wget is a software package for retrieving files using
> HTTP, HTTPS and FTP. CURL is a command line tool for transferring
> files with URL syntax, supporting FTP, FTPS, HTTP, HTTPS, GOPHER,
> TELNET, DICT, FILE and LDAP. They are reported to be vulnerable to a
> buffer overflow issue due to improper boundary checking on user
> supplied data.
> Ref:
> ______________________________________________________________________
>
> 05.42.14 CVE: Not Available
> Platform: Cross Platform
> Title: Oracle Workflow Multiple Unspecified Cross-Site Scripting
> Vulnerabilities
> Description: Oracle Workflow is a business process management solution
> embedded in the Oracle database. It is prone to multiple unspecified
> cross-site scripting vulnerabilities due to insuffiecient sanitization
> of user-supplied input. Oracle Workflow versions 11.5.9.5 and 11.5.1
> are reported to be affected.
> Ref:
> ______________________________________________________________________
>
> 05.42.15 CVE: Not Available
> Platform: Cross Platform
> Title: Snort Back Orifice Preprocessor Remote Stack Buffer Overflow
> Description: Snort is a open source intrusion detection system. It is
> susceptible to a remote buffer overflow vulnerability due to a failure
> of the application to securely copy network-derived data into
> sensitive process buffers. This issue presents itself when the Back
> Orifice preprocessor attempts to determine the direction of network
> packets in relation to a server. A stack-based buffer overflow may be
> triggered. Snort versions 2.4.0 through 2.4.2 are affected by this
> issue.
> Ref:
> ______________________________________________________________________
>
> 05.42.16 CVE: Not Available
> Platform: Cross Platform
> Title: Opera Web Browser Multiple Denial of Service Vulnerabilities
> Description: Opera Web browser is vulnerable to multiple denial of
> service issues when the browser attempts to process malformed HTML
> content such as a "U" HTML tag with an overly long argument. Opera Web
> Browser versions 8.0 2 and ealier are reported to be vulnerable.
> Ref:
> ______________________________________________________________________
>
> >
> 05.42.18 CVE: Not Available
> Platform: Cross Platform
> Title: Mozilla Thunderbird Insecure SMTP Authentication
> Description: Thunderbird is a cross-platform mail client. It is prone
> to an insecure SMTP authentication protocol negotiation weakness. The
> PLAIN and CRAM-MD5 authentication combined with secure SMTP over TLS
> for encryption is exploitable when the application uses PLAIN
> authentication if CRAM-MD5 or STARTTLS between a client and a server
> cannot be established. Thunderbird does not warn users about the
> failure and sends authentication credentials to a server in an
> insecure manner. Mozilla Thunderbird versions 1.0.7 and 1.5 Beta 2 are
> reported to be vulnerable.
> Ref:
> ______________________________________________________________________
>
> >
> 05.42.21 CVE: Not Available
> Platform: Cross Platform
> Title: Clam Anti-Virus File Handling Denial Of Service
> Description: ClamAV is an anti-virus application. It is vulnerable to
> a denial of service issue due to a failure in the application to
> handle malformed OLE2 files.
> The problem presents itself when malformed OLE2 files (DOC files) are
> being scanned. Clam Anti-Virus ClamAV 0.87 -1 is vulnerable.
> Ref:
> ______________________________________________________________________
>
