> ********************************
> Widely Deployed Software
> ********************************
>
> **************************************************************
> ***********
>
> (2) CRITICAL: CA BrightStor ARCServe Backup Tape Engine and
> Portmapper Vulnerabilities
> Affected:
> BrightStor Products:
> BrightStor ARCserve Backup r11.5, r11.1, r11, r10.5, v9.01
> CA Protection Suites r2:
> CA Server and Business Protection Suites r2
> CA Business Protection Suite for Microsoft Small Business
> Server Standard Edition r2
> CA Business Protection Suite for Microsoft Small Business
> Server Premium Edition r2
>
> Description: Computer Associates BrightStor ARCserve Backup products
> provide backup services for Windows, NetWare, Linux and UNIX. The Tape
> Engine feature allows the backup products to use tape drives as a
> storage media. The Tape Engine process, which listens on port
> 6502/tcp,
> contains multiple vulnerabilities in the handling of RPC requests that
> can be exploited to either shut down the Tape Engine service
> or possibly
> execute arbitrary code with "SYSTEM" privileges. In addition, the
> portmapper service also contains a vulnerability that can be exploited
> to crash the service. The technical details have not yet been publicly
> posted.
>
> Status: CA has released patches for the affected products. A
> workaround
> is to block access to the port 6502/tcp and 111/udp at the network
> perimeter to prevent attacks originating from the Internet.
>
> Special Note: CA BrightStor products have been widely exploited during
> the past year. Hence, this patch should be applied on a
> priority basis.
>
> References:
> Computer Associates Advisory
>
d=101317
> SecurityFocus BID
>
>
> *******************************************************************
>
> (3) HIGH: McAfee ePolicy Orchestrator and ProtectionPilot
> Multiple Vulnerabilities
> Affected:
> McAfee ePolicy Orchestrator versions 3.5p6 and 3.6.1 and prior
> McAfee ProtectionPilot versions 1.1.1p3 and 1.5.0 and prior
>
> Description: McAfee ePolicy Orchestrator and ProtectionPilot contain
> multiple vulnerabilities in the "SiteManager" ActiveX component. A
> malicious web page that instantiates this component could
> exploit these
> vulnerabilities and execute arbitrary code with the privileges of the
> current user. Note that this component is generally only installed on
> the Orchestrator or ProtectionPilot server, or a system with the
> management console for one of these applications installed. Technical
> details for these vulnerabilities is publicly available, and reusable
> exploit code for ActiveX components could be easily adapted to target
> this component.
>
> Status: McAfee confirmed, updates available. Users can mitigate the
> impact of this vulnerability by disabling the vulnerable control via
> Microsoft's "kill bit" mechanism for CLSID
> "4124FDF6-B540-44C5-96B4-A380CEE9826A".
>
> Council Site Actions: Two of the reporting council sites are using the
> affected software. One site plans to deploy the patch during
> their next
> regularly scheduled maintenance cycle. The other site is still
> investigating their course of action. They may accept the risk due to
> the fact that their systems are in the process of being
> integrated into
> their parent company.
>
> References:
> McAfee Security Advisory
>
> Fortinet Security Research Team Posting
>
> 0162.html
> Microsoft Knowledge Base Article (details the "kill bit" mechanism")
>
> Product Home Pages
>
> anagement/epolicy_orchestrator.html
>
> tection_pilot.html
> SecurityFocus BIDs
>
>
> **************************************************************
> ***********
>
> (4) MODERATE: OpenBSD IPv6 Kernel Memory Corruption
> Affection:
> OpenBSD version 3.1 - 4.1, and possibly prior
>
> Description: OpenBSD, a derivative of the classical BSD
> operating system
> (itself descended from Unix) designed for high security, contains a
> kernel memory corruption vulnerability in its handling of
> IPv6 traffic.
> A specially-crafted IPv6 packet could exploit this memory corruption
> issue to execute arbitrary code with kernel privileges, effectively
> taking complete control of a vulnerable system. Note that, to
> successfully exploit this vulnerability, an attacker must be able to
> inject traffic onto the vulnerable system's local network. IPv6 is
> enabled by default in OpenBSD. Technical details and a working exploit
> are publicly available for this vulnerability.
>
> Status: OpenBSD confirmed, updates available.
>
> Council Site Actions: Two of the reporting council sites have
> responded
> to this item. One site has already patched their systems as part of
> their regular system maintenance. The other site has advised
> their users
> to update their systems on their own.
>
> References:
> OpenBSD Errata Entry (includes patch)
>
> Posting by Core Security Technologies (includes working exploit)
>
> SANS Internet Storm Center Handler's Diary Entry
>
> Slashdot Discussion
>
> Wikipedia Article on BSD
>
> Wikipedia Article on the term "Unix-Like"
>
> OpenBSD Home Page
>
> SecurityFocus BID
>
>
> **************************************************************
> ***********
>
> (5) LOW: Apache Tomcat Directory Traversal
> Affected:
> Apache Tomcat versions prior to 5.5.23 and 6.0.10
>
> Description: Apache Tomcat, a popular Java servlet container and
> application server, contains a directory traversal vulnerability. A
> specially-crafted request could allow an attacker to read arbitrary
> files below the configured document root of the Tomcat
> server. Note that
> the files must be readable by the Tomcat server process. A simple
> proof-of-concept is available.
>
> Status: Apache confirmed, updates available.
>
> Council Site Actions: Three of the reporting council sites are using
> the affect software and plan to respond on some level. The first site
> only has a few small installations of Tomcat and they have advised the
> developers to upgrade those systems manually.
>
> The second site has advised their user base to update. The third site
> is still investigating the best course of action - they have multiple
> Tomcat installations and a number of one-off solutions. They plan to
> research all Tomcat server locations.
>
> References:
> Posting by SEC Consult (includes proof-of-concept)
>
> 0167.html
> Product Home Page
>
> SecurityFocus BID
>
>
> **************************************************************
> *********
>
> Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
> Week 12 2007
>
> This list is compiled by Qualys ( www.qualys.com ) as part of that
> company's ongoing effort to ensure its vulnerability management web
> service tests for all known vulnerabilities that can be scanned. As of
> this week Qualys scans for 5402 unique vulnerabilities. For this
> special SANS community listing, Qualys also includes vulnerabilities
> that cannot be scanned remotely.
>
> 07.12.1 CVE: Not Available
> Platform: Other Microsoft Products
> Title: Microsoft Internet Explorer NavCancel.HTM Cross-Site Scripting
> Description: Microsoft Internet Explorer is exposed to a cross-site
> scripting issue because it fails to sufficiently sanitize
> user-supplied data. This issue arises when rendering the local
> "Navigation Canceled" resource page "res://ieframe.ddl/navcancel.htm".
> When page navigation is canceled, the intended URI path is appended to
> the local resource path following a "#" character. Microsoft Internet
> Explorer version 7.0 is affected.
> Ref:
> ______________________________________________________________________
>
> 07.12.5 CVE: Not Available
> Platform: Third Party Windows Apps
> Title: Orchestrator SiteManager.DLL ActiveX Control Remote Buffer
> Overflow Vulnerabilities
> Description: McAfee EPolicy Orchestrator is a suite of applications
> that provide anti-virus, anti-spyware, system firewalls, host IPS,
> content filtering and patch management.
> The application is exposed to multiple buffer overflow issues as
> software fails to perform sufficient bounds checking of user-supplied
> input before copying it to insufficiently sized memory buffers.
> McAfee ProtectionPilot versions 1.5 and earlier are affected.
> Ref:
>
KC&docType=kc&sliceId=SAL_Public&externalId=612496
> ______________________________________________________________________
>
> 07.12.12 CVE: Not Available
> Platform: Linux
> Title: Linux Kernel Netfilter NFNetLink_Log Multiple NULL Pointer
> Dereference Vulnerabilities
> Description: The Linux kernel is exposed to multiple NULL pointer
> dereference issues due to NULL pointer dereference problems in
> "nfnetlink_log". Linux kernel 2.6.20 and all earlier versions
> are affected.
> Ref:
> ______________________________________________________________________
>
> 07.12.17 CVE: CVE-2007-1365
> Platform: BSD
> Title: OpenBSD ICMP6 Packet MBuf Remote Denial of Service
> Description: OpenBSD is exposed to a remote denial of service issue
> when handling specially crafted ICMP6 packets. Specifically,
> this issue
> occurs in the "m_dup1()" function when copying the content from one
> "mbuf" structure to another "mbuf" structure.
> OpenBSD versions 3.9 and 4.0 are affected.
> Ref:
> ______________________________________________________________________
>
> 07.12.20 CVE: CVE-2007-1447, CVE-2007-1448
> Platform: Cross Platform
> Title: Computer Associates BrightStor ARCServe BackUp Tape Engine
> Multiple Vulnerabilities
> Description: Computer Associates BrightStor ARCserve Backup products
> provide backup and restore protection for various clients. The
> application is exposed to a memory corruption issue that
> arises when the
> application handles an RPC request containing specially crafted
> procedure arguments. A denial of service issue affecting the Tape
> Engine service presents itself due to an unspecified RPC function.
> See the reference below for a list of affected versions.
> Ref:
>
> ______________________________________________________________________
>
> 07.12.27 CVE: Not Available
> Platform: Cross Platform
> Title: PHP Session Identifier Rejection Double Free Memory Corruption
> Description: PHP is exposed to a double free memory corruption issue.
> When a session identifier is rejected, a flag is set which causes the
> application to free a pointer to the previous session identifier and
> create a new identifier. The issue arises as this operation is not
> atomic and can be interrupted by exceptional conditions. PHP versions
> 5.2.0 and 5.2.1 are affected.
> Ref:
> ______________________________________________________________________
> ______________________________________________________________________
>
> 07.12.29 CVE: Not Available
> Platform: Cross Platform
> Title: Trend Micro Scan Engine UPX File Parsing Remote Denial of
> Service
> Description: The Trend Micro Scan Engine is available on various
> products shipped by the vendor. The application is exposed to a denial
> of service issue because it fails to properly handle compressed UPX
> files. Various products using the Trend Micro Antivirus Scan Engine
> versions 8 and above are affected.
> Ref:
>
> ______________________________________________________________________
>
> 07.12.30 CVE: Not Available
> Platform: Cross Platform
> Title: PHP Session_Regenerate_ID Function Double Free Memory
> Corruption
> Description: PHP is exposed to a double free memory corruption issue
> which resides in the "session_regenerate_id()" function used to
> regenerate a new session identifier. The affected function fails to
> clear a previously freed pointer from the previous session before
> calling the session identifier generator. PHP versions 5 to 5.2.1 are
> affected. PHP version 4 is vulnerable only if successful remote
> exploits are proven.
> Ref:
> ______________________________________________________________________
>
> 07.12.31 CVE: Not Available
> Platform: Cross Platform
> Title: PHP Multiple Safe_Mode and Open_Basedir Restriction Bypass
> Vulnerabilities
> Description: PHP is a general purpose scripting language that is
> especially suited for web development and can be embedded into HTML.
> PHP versions 5.2.1 and prior are vulnerable to these issues. Please
> refer to the advisory for further details.
> Ref:
> ______________________________________________________________________
>
> 07.12.34 CVE: Not Available
> Platform: Cross Platform
> Title: Apache HTTP Server Tomcat Directory Traversal
> Description: Apache Tomcat is the servlet container used in the
> official Reference Implementation for the Java Servlet and JavaServer
> Pages technologies. The application is exposed to a directory
> traversal issue because it fails to sufficiently sanitize
> user-supplied input. Apache Tomcat versions in the 5.0 series
> prior to 5.5.22 and versions in the 6.0 series prior to 6.0.10 are
> affected.
> Ref:
> ______________________________________________________________________
>
> 07.12.36 CVE: Not Available
> Platform: Cross Platform
> Title: unrarlib URarLib_Get Function Buffer Overflow
> Description: unrarlib is a library for opening and reading RAR files.
> The library is exposed to a buffer overflow issue because it fails to
> perform proper bounds checking of user-supplied input before copying
> it to an insufficiently sized memory buffer. The problem occurs in the
> "urarlib_get()" function of "unrarlib.c". unrarlib version 0.4 is
> affected.
> Ref:
> ______________________________________________________________________
