>
> This is a week for security flaws in security vendors'
> software: McaFee,
> Symantec, Computer Associates and TrendMicro. If you thought you were
> seeing an increasing number of flaws in security vendor's
> products, you
> are correct. The flaws may have always been there, but the trend
> attacker community has targeted these products because they
> (and back-up
> products) are so often trusted and so rarely updated. They provide
> fertile territory for circumventing firewalls.
>
> One of the more interesting elements of this issue is the Xerox
> vulnerability and the lack of any way to fix them. Printers,
> especially
> dual-homed printers are one of the most effective attack vectors for
> penetrating sensitive areas of companies. Most printers with network
> interface cards have multiple vulnerabilities, but most sited
> don't even
> try to patch them.
> Alan
>
> *************************
> Widely Deployed Software
> *************************
>
> (1) CRITICAL: McAfee ePolicy Orchestrator/ProtectionPilot
> Remote Buffer Overflow
> Affected:
> McAfee ePolicy Orchestrator versions 3.0 SP2a and prior
> McAfee ProtectionPilot versions 1.1.1 patch 2 and prior
>
> Description: The web server component used in both McAfee ePolicy
> Orchestrator (used to monitor and maintain enterprise policy)
> and McAfee
> Protection Pilot (used to monitor and maintain threat protection
> software) contains an exploitable buffer overflow. By sending a
> specially-crafted request to this server component, an attacker could
> trigger this buffer overflow and execute arbitrary code with the
> privileges of the process - often SYSTEM. Note that multiple working
> exploits have been publicly posted for these vulnerabilities.
> Users are
> advised to block access to port 81/TCP at the network perimeter, if
> possible.
>
> Status: McAfee confirmed, updates available.
>
> Council Site Actions: Only one of the responding council
> sites is using
> the affected software and they plan to deploy the patch during their
> next regularly scheduled system maintenance cycle.
>
> Technical Explanation by BackTrack
>
> Proofs-of-Concept
>
>
> McAfee Home Page
>
> SecurityFocus BID
>
>
> ****************************************************************
>
> (2) HIGH: Computer Associates Multiple Products Multiple
> Vulnerabilities
> Affected:
> BrightStor ARCserve Backup R11.5 Client
> BrightStor ARCserve Backup R11.5 Server
> BrightStor Enterprise Backup 10.5
> BrightStor ARCserve Backup v9.01
> CA Server Protection Suite r2
> CA Business Protection Suite r2
>
> Description: Several Computer Associates products suffer from multiple
> vulnerabilities: (1) An exploitable heap overflow exists in
> the Message
> Engine RPC service. (2) An exploitable stack-based buffer overflow
> exists in the Discovery Service, running on ports 41524/UDP and
> 41523/TCP. By exploiting either or both of these vulnerabilities, an
> attacker could execute arbitrary code with the privileges of the
> vulnerable process - often SYSTEM. No authentication is required to
> exploit either of these vulnerabilities. Some technical
> details for both
> of these vulnerabilities have been publicly posted.
>
> Status: Computer Associates confirmed, updates available.
>
> References:
> Zero Day Initiative Advisories
>
>
> Computer Associates Security Notice
>
> cnotice.asp
> SecurityFocus BIDs
>
>
>
>
> ****************************************************************
>
> (3) HIGH: Symantec Automated Support Tool ActiveX Control
> Remote Buffer Overflow
> Affected:
> The following products are known to include a vulnerable
> version of the
> ActiveX control. Other products may also be vulnerable.
> Symantec Norton SystemWorks versions 2005/2006
> Symantec Norton Internet Security versions 2005/2006
> Symantec Norton AntiVirus versions 2005/2006
> Symantec Automated Support Assistant
>
> Description: The Symantec Automated Support Tool ActiveX control, used
> by multiple Symantec products to provide diagnostic information for
> problem resolution, contains an exploitable buffer overflow.
> A specially
> crafted web page that instantiates this control could exploit this
> buffer overflow and execute arbitrary code with the privileges of the
> current user. Note that re-usable exploit code to leverage these flaws
> is publicly available. Flaws similar to these have been
> widely exploited
> in the past.
>
> Status: Symantec confirmed, updates available.
>
> Council Site Actions: Two of the responding council sites
> are using the
> affected software. The first site is already in the process
> of patching
> their systems. The second site has a few hundred
> installations, but on
> systems that are not supported by their central IT
> department. They have
> no immediate plans to respond because they have no realistic way to
> identify the affected user population.
>
> References:
> Symantec Security Advisory
>
> /2006.10.05.html
> Symantec Home Page
>
> SecurityFocus BID
>
>
> ****************************************************************
>
> (5) MODERATE: Trend Micro OfficeScan ActiveX Format String
> Vulnerability
> Affected:
> The following products are known to include a vulnerable
> version of the
> ActiveX control. Other products may also be vulnerable.
> Trend Micro OfficeScan Corporate Edition version 7.3
>
> Description: Tend Micro OfficeScan Corporate Edition, a popular
> antivirus and anti-spyware suite, contains an exploitable
> format string
> vulnerability. By sending a specially-crafted string to the Remote
> Client Install search function of the ActiveX component, an attacker
> could exploit this vulnerability and potentially execute
> arbitrary code
> with the privileges of the OfficeScan process. Note that some
> technical
> details for this vulnerability have been publicly posted.
>
> Status: Trend Micro, confirmed, updates available.
>
> Council Site Actions: affected software and/or configuration
> are not in
> production or widespread use, or are not officially supported
> at any of
> the council sites. They reported that no action was necessary.
>
> Layered Defense Security Advisory
>
> Trend Micro Home Page
>
> SecurityFocus BID
>
>
> ****************************************************************
> ****************************************************************
>
> (7) LOW: Xerox Multiple Product Authentication Bypass and
> Code Injection
> Affected:
> Xerox WorkCentre and WorkCentre Pro models 232, 238, 245,
> 255, 265, and 275
>
> Description: Xerox WorkCentre and WorkCentre Pro multi-function
> copier/printers contain an exploitable authentication-bypass
> vulnerability. By sending a specially-crafted request to the
> administration web interface, an attacker could bypass the configured
> authentication systems and potentially gain complete control of the
> vulnerable system.
>
> Status: Xerox confirmed, updates available.
>
> Council Site Actions: Only one of the responding council
> sites is using
> the affected software/models. They sent the vulnerability information
> to their printer support group. They have a dozen or so
> Xerox systems,
> but they do not have accurate information about device ownership or
> location. They considered passing along the information by e-mail to
> departmental system administrators, but this is of limited
> value because
> many departments do not consider the device to be computing equipment,
> and the person who maintains the device does not maintain any
> (other)computer systems.
>
> References:
> Xerox Security Advisory
>
> SecurityFocus BID
>
>
> ****************************************************************
>
> CORRECTION: In the previous issue of @RISK, item 3 "OpenSSL
> ASN.1 Remote
> Buffer Overflow" was incorrect. The vulnerability described was not in
> the processing of ASN.1 data, but in the OpenSSL
> SSL_Get_Shared_Ciphers
> function. OpenSSL developers have stated that this function is not
> widely used.
>
> 06.40.1 CVE: Not Available
> Platform: Third Party Windows Apps
> Title: Trend Micro OfficeScan ATXCONSOLE.OCX ActiveX Control Format
> String
> Description: Trend Micro OfficeScan is an antivirus solution for
> Windows. It is prone to a remote format string vulnerability. This
> issue affects the "ATXCONSOLE.OCX" ActiveX control, which ships as
> part of the management console of OfficeScan. Trend Micro OfficeScan
> Corporate Edition version 7.3 is reported to be vulnerable.
> Ref:
> ______________________________________________________________________
>
> 06.40.6 CVE: Not Available
> Platform: Third Party Windows Apps
> Title: Trend Micro OfficeScan Client Removal and File Deletion
> Vulnerabilities
> Description: Trend Micro OfficeScan is prone to a denial of service
> via software removal, and arbitrary file deletion vulnerabilities. A
> successful exploit allows a remote attacker to forcibly remove the
> OfficeScan client or delete arbitrary files from an OfficeScan server.
> Trend Micro OfficeScan Corporate Edition version 7.3 and prior are
> reported vulnerable.
> Ref:
> ______________________________________________________________________
>
> 06.40.10 CVE: CVE-2006-2937
> Platform: Cross Platform
> Title: OpenSSL ASN.1 Structures Denial of Service
> Description: OpenSSL is prone to a denial of service vulnerability.
> This issue exists when the library parses certain unspecified "ASN.1"
> structures and fails to properly handle error conditions. This may
> result in an infinite loop consuming excessive systems resources.
> Ref:
> ______________________________________________________________________
>
> 06.40.11 CVE: Not Available
> Platform: Cross Platform
> Title: Mozilla Firefox Unspecified Javascript Remote Code Execution
> Description: Mozilla Firefox is prone to an unspecified remote denial
> of service vulnerability that was initially reported to be a remote
> code execution vulnerability. Little information is available at this
> time. All known versions are reported to be vulnerable.
> Ref:
> ______________________________________________________________________
>
> 06.40.12 CVE: Not Available
> Platform: Cross Platform
> Title: McAfee EPolicy Orchestrator and ProtectionPilot HTTP Server
> Remote Buffer Overflow Vulnerability
> Description: The HTTP server component of McAfee ePolicy Orchestrator
> and ProtectionPilot is exposed to a remote stack buffer overflow issue
> that can lead to complete system compromise. McAfee ePolicy
> Orchestrator version 3.5.0 and ProtectionPilot version 1.1.0 are
> affected.
> Ref:
>
> epolicy_source
> ______________________________________________________________________
>
> 06.40.13 CVE: Not Available
> Platform: Cross Platform
> Title: Mozilla Firefox Multiple Unspecified Javascript Vulnerabilities
> Description: Mozilla Firefox is prone to multiple unspecified
> Javascript issues due to failure of the application to properly
> sanitize user-supplied input. Please see the attached advisory for
> details.
> Ref:
> ______________________________________________________________________
>
> 06.40.71 CVE: Not Available
> Platform: Network Device
> Title: Xerox Multiple Product Arbitrary Command Execution
> Description: Multiple Xerox products are vulnerable to an arbitrary
> command issue. These include ESS/Network Controller and MicroServer
> Web Server. This occurs because the device allows an attacker to
> inject commands through the tcp/ip hostname resulting in the execution
> of arbitrary commands.
> Ref:
> ______________________________________________________________________
>
> 06.40.72 CVE: Not Available
> Platform: Network Device
> Title: Linksys SPA921 VoIP Phone HTTP Server Denial of Service
> Vulnerabilities
> Description: Linksys SPA921 VoIP phones are susceptible to a denial of
> service vulnerability because the devices fail to properly handle
> large user supplied input values in HTTP traffic. A long username or
> password in a basic HTTP authentication field will also crash and
> reboot the phone.
> Ref:
> ______________________________________________________________________
>
> 06.40.74 CVE: Not Available
> Platform: Hardware
> Title: PolyCom IP-301 VoIP Desktop Phone HTTP Server Denial of Service
> Description: PolyCom IP-301 is a voice over IP (VoIP) desktop
> telephone. It is affected by multiple denial of service issues. Please
> see the attached advisory for details.
> Ref:
> ______________________________________________________________________
>
> 06.40.75 CVE: Not Available
> Platform: Hardware
> Title: GrandStream GXP-2000 VoIP Phone Denial of Service
> Description: GrandStream GXP-2000 is a voice over IP (VoIP) desktop
> telephone. It is exposed to a denial of service issue because the
> device fails to properly handle excessive amounts of UDP traffic.
> Firmware 1.1.0.5 is affected.
> Ref:
> ______________________________________________________________________
