VARIoT IoT vulnerabilities database
| VAR-200102-0116 | CVE-2001-1435 | Multiple Cisco products consume excessive CPU resources in response to large SSH packets |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
inetd in Compaq Tru64 UNIX 5.1 allows attackers to cause a denial of service (network connection loss) by causing one of the services handled by inetd to core dump during startup, which causes inetd to stop accepting connections to all of its services.

Multiple Cisco networking products contain a denial-of-service vulnerability. The inetd service on Compaq's Tru64 UNIX is vulnerable to a denial of service. There is an information integrity vulnerability in the SSH1 protocol that allows packets encrypted with a block cipher to be modified without notice. There is a remote integer overflow vulnerability in several implementations of the SSH1 protocol that allows an attacker to execute arbitrary code with the privileges of the SSH daemon, typically root. The program pgp4pine version 1.75.6 fails to properly identify expired keys when working with the Gnu Privacy Guard program (GnuPG). This failure may result in the clear-text transmission of sensitive information when used with the PINE mail reading package. The SEDUM web server permits intruders to access files outside the web root.

Secure Shell, or SSH, is an encrypted remote access protocol. SSH or code based on SSH is used by many systems all over the world and in a wide variety of commercial applications. An integer-overflow bug in the CRC32 compensation attack detection code may allow remote attackers to write values to arbitrary locations in memory.
This would occur in situations where large SSH packets are received by either a client or server, and a 32-bit representation of the SSH packet length is assigned to a 16-bit integer. The difference in data representation in these situations will cause the 16-bit variable to be assigned zero (or a very small value).
As a result, future calls to malloc() as well as an index used to reference locations in memory can be corrupted by an attacker. This could occur in a manner that can be exploited to write certain numerical values to almost arbitrary locations in memory.
**UPDATE**:
There have been reports suggesting that exploitation of this vulnerability may be widespread.
Since early September, independent, reliable sources have confirmed that this vulnerability is being exploited by attackers on the Internet. SecurityFocus does not currently have the exploit code being used; however, this record will be updated if and when it becomes available.
NOTE: Cisco 11000 Content Service Switch family is vulnerable to this issue. All WebNS releases prior, but excluding, versions: 4.01 B42s, 4.10 22s, 5.0 B11s, 5.01 B6s, are vulnerable.
Secure Computing SafeWord Agent for SSH is reportedly prone to this issue, as it is based on a vulnerable version of SSH.
NetScreen ScreenOS is not directly vulnerable to this issue; however, the referenced exploit will cause devices using vulnerable versions of the software to stop functioning properly. This will result in a denial-of-service condition for NetScreen devices. This issue is in the Secure Command Shell (SCS) administrative interface, which is an implementation of SSHv1. SCS is not enabled on NetScreen devices by default.
Cisco has reported that scanning for SSH vulnerabilities on affected devices will cause excessive CPU consumption. The condition is due to a failure of the Cisco SSH implementation to properly process large SSH packets. As many of these devices are critical infrastructure components, more serious network outages may occur.
Cisco has released upgrades that will eliminate this vulnerability.

An expired public key could cause GPG to fail the encryption of an outgoing message, without any error message or warning being delivered to the user. As a result, the user could transmit data, meant to be encrypted, as plaintext.
ISS X-Force has received reports that some individuals were unable to
verify the PGP signature on the Security Alert Summary distributed earlier
in the week. Due to this issue, X-Force is re-distributing the Security
Alert Summary. We apologize for any inconvenience this may have caused.
Internet Security Systems Security Alert Summary
March 5, 2001
Volume 6 Number 4
X-Force Vulnerability and Threat Database: http://xforce.iss.net/ To
receive these Alert Summaries as well as other Alerts and Advisories,
subscribe to the Internet Security Systems Alert mailing list at:
http://xforce.iss.net/maillists/index.php
This summary can be found at http://xforce.iss.net/alerts/vol-6_num-4.php
_____
Contents
90 Reported Vulnerabilities
Risk Factor Key
_____
Date Reported: 2/27/01
Vulnerability: a1-server-dos
Platforms Affected: A1 Server
Risk Factor: Medium
Attack Type: Network Based
Brief Description: A1 Server denial of service
X-Force URL: http://xforce.iss.net/static/6161.php
_____
Date Reported: 2/27/01
Vulnerability: a1-server-directory-traversal
Platforms Affected: A1 Server
Risk Factor: Medium
Attack Type: Network Based
Brief Description: A1 Server directory traversal
X-Force URL: http://xforce.iss.net/static/6162.php
_____
Date Reported: 2/27/01
Vulnerability: webreflex-web-server-dos
Platforms Affected: WebReflex
Risk Factor: Medium
Attack Type: Network Based
Brief Description: WebReflex Web server denial of service
X-Force URL: http://xforce.iss.net/static/6163.php
_____
Date Reported: 2/26/01
Vulnerability: sudo-bo-elevate-privileges
Platforms Affected: Sudo
Risk Factor: Medium
Attack Type: Host Based
Brief Description: Sudo buffer overflow could allow elevated user privileges
X-Force URL: http://xforce.iss.net/static/6153.php
_____
Date Reported: 2/26/01
Vulnerability: mygetright-skin-overwrite-file
Platforms Affected: My GetRight
Risk Factor: High
Attack Type: Network Based
Brief Description: My GetRight 'skin' allows remote attacker to overwrite existing files
X-Force URL: http://xforce.iss.net/static/6155.php
_____
Date Reported: 2/26/01
Vulnerability: mygetright-directory-traversal
Platforms Affected: My GetRight
Risk Factor: Medium
Attack Type: Network Based
Brief Description: My GetRight directory traversal
X-Force URL: http://xforce.iss.net/static/6156.php
_____
Date Reported: 2/26/01
Vulnerability: win2k-event-viewer-bo
Platforms Affected: Windows 2000
Risk Factor: once-only
Attack Type: Host Based
Brief Description: Windows 2000 event viewer buffer overflow
X-Force URL: http://xforce.iss.net/static/6160.php
_____
Date Reported: 2/26/01
Vulnerability: netscape-collabra-cpu-dos
Platforms Affected: Netscape
Risk Factor: Medium
Attack Type: Network Based
Brief Description: Netscape Collabra CPU denial of service
X-Force URL: http://xforce.iss.net/static/6159.php
_____
Date Reported: 2/26/01
Vulnerability: netscape-collabra-kernel-dos
Platforms Affected: Netscape
Risk Factor: Medium
Attack Type: Network Based
Brief Description: Netscape Collabra Server kernel denial of service
X-Force URL: http://xforce.iss.net/static/6158.php
_____
Date Reported: 2/23/01
Vulnerability: mercur-expn-bo
Platforms Affected: MERCUR
Risk Factor: High
Attack Type: Network Based
Brief Description: MERCUR Mailserver EXPN buffer overflow
X-Force URL: http://xforce.iss.net/static/6149.php
_____
Date Reported: 2/23/01
Vulnerability: sedum-http-dos
Platforms Affected: SEDUM
Risk Factor: Medium
Attack Type: Network Based
Brief Description: SEDUM HTTP server denial of service
X-Force URL: http://xforce.iss.net/static/6152.php
_____
Date Reported: 2/23/01
Vulnerability: tru64-inetd-dos
Platforms Affected: Tru64
Risk Factor: Medium
Attack Type: Host Based
Brief Description: Tru64 UNIX inetd denial of service
X-Force URL: http://xforce.iss.net/static/6157.php
_____
Date Reported: 2/22/01
Vulnerability: outlook-vcard-bo
Platforms Affected: Microsoft Outlook
Risk Factor: High
Attack Type: Host Based
Brief Description: Outlook and Outlook Express vCards buffer overflow
X-Force URL: http://xforce.iss.net/static/6145.php
_____
Date Reported: 2/22/01
Vulnerability: ultimatebb-cookie-member-number
Platforms Affected: Ultimate Bulletin Board
Risk Factor: High
Attack Type: Network Based
Brief Description: Ultimate Bulletin Board cookie allows attacker to change member number
X-Force URL: http://xforce.iss.net/static/6144.php
_____
Date Reported: 2/21/01
Vulnerability: ultimatebb-cookie-gain-privileges
Platforms Affected: Ultimate Bulletin Board
Risk Factor: Medium
Attack Type: Network Based
Brief Description: Ultimate Bulletin Board allows remote attacker to obtain cookie information
X-Force URL: http://xforce.iss.net/static/6142.php
_____
Date Reported: 2/21/01
Vulnerability: sendmail-elevate-privileges
Platforms Affected: Sendmail
Risk Factor: High
Attack Type: Host Based
Brief Description: Sendmail -bt command could allow the elevation of privileges
X-Force URL: http://xforce.iss.net/static/6147.php
_____
Date Reported: 2/21/01
Vulnerability: jre-jdk-execute-commands
Platforms Affected: JRE/JDK
Risk Factor: High
Attack Type: Host Based
Brief Description: JRE/JDK could allow unauthorized execution of commands
X-Force URL: http://xforce.iss.net/static/6143.php
_____
Date Reported: 2/20/01
Vulnerability: licq-remote-port-dos
Platforms Affected: LICQ
Risk Factor: Medium
Attack Type: Network Based
Brief Description: LICQ remote denial of service
X-Force URL: http://xforce.iss.net/static/6134.php
_____
Date Reported: 2/20/01
Vulnerability: pgp4pine-expired-keys
Platforms Affected: pgp4pine
Risk Factor: Medium
Attack Type: Host Based
Brief Description: pgp4pine may transmit messages using expired public keys
X-Force URL: http://xforce.iss.net/static/6135.php
_____
Date Reported: 2/20/01
Vulnerability: chilisoft-asp-view-files
Platforms Affected: Chili!Soft ASP
Risk Factor: High
Attack Type: Network Based
Brief Description: Chili!Soft ASP allows remote attackers to gain access to sensitive information
X-Force URL: http://xforce.iss.net/static/6137.php
_____
Date Reported: 2/20/01
Vulnerability: win2k-domain-controller-dos
Platforms Affected: Windows 2000
Risk Factor: once-only
Attack Type: Network/Host Based
Brief Description: Windows 2000 domain controller denial of service
X-Force URL: http://xforce.iss.net/static/6136.php
_____
Date Reported: 2/19/01
Vulnerability: asx-remote-dos
Platforms Affected: ASX Switches
Risk Factor: Medium
Attack Type: Network Based
Brief Description: ASX switches allow remote denial of service
X-Force URL: http://xforce.iss.net/static/6133.php
_____
Date Reported: 2/18/01
Vulnerability: http-cgi-mailnews-username
Platforms Affected: Mailnews.cgi
Risk Factor: High
Attack Type: Network Based
Brief Description: Mailnews.cgi allows remote attacker to execute shell commands using username
X-Force URL: http://xforce.iss.net/static/6139.php
_____
Date Reported: 2/17/01
Vulnerability: badblue-ext-reveal-path
Platforms Affected: BadBlue
Risk Factor: Low
Attack Type: Network Based
Brief Description: BadBlue ext.dll library reveals path
X-Force URL: http://xforce.iss.net/static/6130.php
_____
Date Reported: 2/17/01
Vulnerability: badblue-ext-dos
Platforms Affected: BadBlue
Risk Factor: Medium
Attack Type: Network Based
Brief Description: BadBlue ext.dll library denial of service
X-Force URL: http://xforce.iss.net/static/6131.php
_____
Date Reported: 2/17/01
Vulnerability: moby-netsuite-bo
Platforms Affected: Moby's NetSuite
Risk Factor: Medium
Attack Type: Network Based
Brief Description: Moby's NetSuite Web server buffer overflow
X-Force URL: http://xforce.iss.net/static/6132.php
_____
Date Reported: 2/16/01
Vulnerability: webactive-directory-traversal
Platforms Affected: WEBactive
Risk Factor: Medium
Attack Type: Network/Host Based
Brief Description: WEBactive HTTP Server directory traversal
X-Force URL: http://xforce.iss.net/static/6121.php
_____
Date Reported: 2/16/01
Vulnerability: esone-cgi-directory-traversal
Platforms Affected: ES.One store.cgi
Risk Factor: Medium
Attack Type: Network Based
Brief Description: Thinking Arts ES.One store.cgi directory traversal
X-Force URL: http://xforce.iss.net/static/6124.php
_____
Date Reported: 2/16/01
Vulnerability: vshell-username-bo
Platforms Affected: VShell
Risk Factor: High
Attack Type: Network Based
Brief Description: VShell username buffer overflow
X-Force URL: http://xforce.iss.net/static/6146.php
_____
Date Reported: 2/16/01
Vulnerability: vshell-port-forwarding-rule
Platforms Affected: VShell
Risk Factor: Medium
Attack Type: Network/Host Based
Brief Description: VShell uses weak port forwarding rule
X-Force URL: http://xforce.iss.net/static/6148.php
_____
Date Reported: 2/15/01
Vulnerability: pi3web-isapi-bo
Platforms Affected: Pi3Web
Risk Factor: Medium
Attack Type: Network/Host Based
Brief Description: Pi3Web ISAPI tstisapi.dll denial of service
X-Force URL: http://xforce.iss.net/static/6113.php
_____
Date Reported: 2/15/01
Vulnerability: pi3web-reveal-path
Platforms Affected: Pi3Web
Risk Factor: Low
Attack Type: Network Based
Brief Description: Pi3Web reveals physical path of server
X-Force URL: http://xforce.iss.net/static/6114.php
_____
Date Reported: 2/15/01
Vulnerability: bajie-execute-shell
Platforms Affected: Bajie HTTP JServer
Risk Factor: High
Attack Type: Network Based
Brief Description: Bajie HTTP JServer execute shell commands
X-Force URL: http://xforce.iss.net/static/6117.php
_____
Date Reported: 2/15/01
Vulnerability: bajie-directory-traversal
Platforms Affected: Bajie HTTP JServer
Risk Factor: High
Attack Type: Network Based
Brief Description: Bajie HTTP JServer directory traversal
X-Force URL: http://xforce.iss.net/static/6115.php
_____
Date Reported: 2/15/01
Vulnerability: resin-directory-traversal
Platforms Affected: Resin
Risk Factor: Medium
Attack Type: Network Based
Brief Description: Resin Web server directory traversal
X-Force URL: http://xforce.iss.net/static/6118.php
_____
Date Reported: 2/15/01
Vulnerability: netware-mitm-recover-passwords
Platforms Affected: Netware
Risk Factor: Low
Attack Type: Network Based
Brief Description: Netware "man in the middle" attack password recovery
X-Force URL: http://xforce.iss.net/static/6116.php
_____
Date Reported: 2/14/01
Vulnerability: firebox-pptp-dos
Platforms Affected: WatchGuard Firebox II
Risk Factor: High
Attack Type: Network Based
Brief Description: WatchGuard Firebox II PPTP denial of service
X-Force URL: http://xforce.iss.net/static/6109.php
_____
Date Reported: 2/14/01
Vulnerability: hp-virtualvault-iws-dos
Platforms Affected: HP VirtualVault
Risk Factor: Medium
Attack Type: Network/Host Based
Brief Description: HP VirtualVault iPlanet Web Server denial of service
X-Force URL: http://xforce.iss.net/static/6110.php
_____
Date Reported: 2/14/01
Vulnerability: kicq-execute-commands
Platforms Affected: KICQ
Risk Factor: High
Attack Type: Network Based
Brief Description: kicq could allow remote execution of commands
X-Force URL: http://xforce.iss.net/static/6112.php
_____
Date Reported: 2/14/01
Vulnerability: hp-text-editor-bo
Platforms Affected: HPUX
Risk Factor: Medium
Attack Type: Host Based
Brief Description: HP Text editors buffer overflow
X-Force URL: http://xforce.iss.net/static/6111.php
_____
Date Reported: 2/13/01
Vulnerability: sendtemp-pl-read-files
Platforms Affected: sendtemp.pl
Risk Factor: Medium
Attack Type: Network/Host Based
Brief Description: sendtemp.pl could allow an attacker to read files on the server
X-Force URL: http://xforce.iss.net/static/6104.php
_____
Date Reported: 2/13/01
Vulnerability: analog-alias-bo
Platforms Affected: Analog ALIAS
Risk Factor: Medium
Attack Type: Network/Host Based
Brief Description: Analog ALIAS command buffer overflow
X-Force URL: http://xforce.iss.net/static/6105.php
_____
Date Reported: 2/13/01
Vulnerability: elm-long-string-bo
Platforms Affected: Elm
Risk Factor: Medium
Attack Type: Host Based
Brief Description: ELM -f command long string buffer overflow
X-Force URL: http://xforce.iss.net/static/6151.php
_____
Date Reported: 2/13/01
Vulnerability: winnt-pptp-dos
Platforms Affected: Windows NT
Risk Factor: Medium
Attack Type: Network Based
Brief Description: Windows NT PPTP denial of service
X-Force URL: http://xforce.iss.net/static/6103.php
_____
Date Reported: 2/12/01
Vulnerability: startinnfeed-format-string
Platforms Affected: Inn
Risk Factor: High
Attack Type: Host Based
Brief Description: Inn 'startinnfeed' binary format string attack
X-Force URL: http://xforce.iss.net/static/6099.php
_____
Date Reported: 2/12/01
Vulnerability: his-auktion-cgi-url
Platforms Affected: HIS Auktion
Risk Factor: Medium
Attack Type: Network/Host Based
Brief Description: HIS Auktion CGI script could allow attackers to view unauthorized files or execute commands
X-Force URL: http://xforce.iss.net/static/6090.php
_____
Date Reported: 2/12/01
Vulnerability: wayboard-cgi-view-files
Platforms Affected: Way-BOARD
Risk Factor: Medium
Attack Type: Network Based
Brief Description: Way-BOARD CGI could allow attackers to view unauthorized files
X-Force URL: http://xforce.iss.net/static/6091.php
_____
Date Reported: 2/12/01
Vulnerability: muskat-empower-url-dir
Platforms Affected: Musket Empower
Risk Factor: Low
Attack Type: Network/Host Based
Brief Description: Musket Empower could allow attackers to gain access to the DB directory path
X-Force URL: http://xforce.iss.net/static/6093.php
_____
Date Reported: 2/12/01
Vulnerability: icq-icu-rtf-dos
Platforms Affected: LICQ
Gnome ICU
Risk Factor: Low
Attack Type: Network/Host Based
Brief Description: LICQ and Gnome ICU rtf file denial of service
X-Force URL: http://xforce.iss.net/static/6096.php
_____
Date Reported: 2/12/01
Vulnerability: commerce-cgi-view-files
Platforms Affected: Commerce.cgi
Risk Factor: Medium
Attack Type: Network Based
Brief Description: Commerce.cgi could allow attackers to view unauthorized files
X-Force URL: http://xforce.iss.net/static/6095.php
_____
Date Reported: 2/12/01
Vulnerability: roads-search-view-files
Platforms Affected: ROADS
Risk Factor: Medium
Attack Type: Network Based
Brief Description: ROADS could allow attackers to view unauthorized files using search.pl program
X-Force URL: http://xforce.iss.net/static/6097.php
_____
Date Reported: 2/12/01
Vulnerability: webpage-cgi-view-info
Platforms Affected: WebPage.cgi
Risk Factor: Low
Attack Type: Network Based
Brief Description: WebPage.cgi allows attackers to view sensitive information
X-Force URL: http://xforce.iss.net/static/6100.php
_____
Date Reported: 2/12/01
Vulnerability: webspirs-cgi-view-files
Platforms Affected: WebSPIRS
Risk Factor: Medium
Attack Type: Network Based
Brief Description: WebSPIRS CGI could allow an attacker to view unauthorized files
X-Force URL: http://xforce.iss.net/static/6101.php
_____
Date Reported: 2/12/01
Vulnerability: webpals-library-cgi-url
Platforms Affected: WebPALS
Risk Factor: Medium
Attack Type: Network Based
Brief Description: WebPALS Library System CGI script could allow attackers to view unauthorized files or execute commands
X-Force URL: http://xforce.iss.net/static/6102.php
_____
Date Reported: 2/11/01
Vulnerability: cobol-apptrack-nolicense-permissions
Platforms Affected: MicroFocus Cobol
Risk Factor: High
Attack Type: Host Based
Brief Description: MicroFocus Cobol with AppTrack enabled with nolicense permissions
X-Force URL: http://xforce.iss.net/static/6092.php
_____
Date Reported: 2/11/01
Vulnerability: cobol-apptrack-nolicense-symlink
Platforms Affected: MicroFocus Cobol
Risk Factor: High
Attack Type: Host Based
Brief Description: MicroFocus Cobol with AppTrack enabled allows symlink in nolicense
X-Force URL: http://xforce.iss.net/static/6094.php
_____
Date Reported: 2/10/01
Vulnerability: vixie-crontab-bo
Platforms Affected: Vixie crontab
Risk Factor: Medium
Attack Type: Host Based
Brief Description: Vixie crontab buffer overflow
X-Force URL: http://xforce.iss.net/static/6098.php
_____
Date Reported: 2/10/01
Vulnerability: novell-groupwise-bypass-policies
Platforms Affected: Novell GroupWise
Risk Factor: Medium
Attack Type: Network/Host Based
Brief Description: Novell Groupwise allows user to bypass policies and view files
X-Force URL: http://xforce.iss.net/static/6089.php
_____
Date Reported: 2/9/01
Vulnerability: infobot-calc-gain-access
Platforms Affected: Infobot
Risk Factor: High
Attack Type: Network Based
Brief Description: Infobot 'calc' command allows remote users to gain access
X-Force URL: http://xforce.iss.net/static/6078.php
_____
Date Reported: 2/8/01
Vulnerability: linux-sysctl-read-memory
Platforms Affected: Linux
Risk Factor: Medium
Attack Type: Host Based
Brief Description: Linux kernel sysctl() read memory
X-Force URL: http://xforce.iss.net/static/6079.php
_____
Date Reported: 2/8/01
Vulnerability: openssh-bypass-authentication
Platforms Affected: OpenSSH
Risk Factor: High
Attack Type: Network/Host Based
Brief Description: OpenSSH 2.3.1 allows remote users to bypass authentication
X-Force URL: http://xforce.iss.net/static/6084.php
_____
Date Reported: 2/8/01
Vulnerability: lotus-notes-stored-forms
Platforms Affected: Lotus Notes
Risk Factor: High
Attack Type: Network/Host Based
Brief Description: Lotus Notes stored forms
X-Force URL: http://xforce.iss.net/static/6087.php
_____
Date Reported: 2/8/01
Vulnerability: linux-ptrace-modify-process
Platforms Affected: Linux
Risk Factor: High
Attack Type: Host Based
Brief Description: Linux kernel ptrace modify process
X-Force URL: http://xforce.iss.net/static/6080.php
_____
Date Reported: 2/8/01
Vulnerability: ssh-deattack-overwrite-memory
Platforms Affected: SSH
Risk Factor: High
Attack Type: Network/Host Based
Brief Description: SSH protocol 1.5 deattack.c allows memory to be overwritten
X-Force URL: http://xforce.iss.net/static/6083.php
_____
Date Reported: 2/7/01
Vulnerability: dc20ctrl-port-bo
Platforms Affected: FreeBSD
Risk Factor: Medium
Attack Type: Host Based
Brief Description: FreeBSD dc20ctrl port buffer overflow
X-Force URL: http://xforce.iss.net/static/6077.php
_____
Date Reported: 2/7/01
Vulnerability: ja-xklock-bo
Platforms Affected: FreeBSD
Risk Factor: High
Attack Type: Host Based
Brief Description: ja-xklock buffer overflow
X-Force URL: http://xforce.iss.net/static/6073.php
_____
Date Reported: 2/7/01
Vulnerability: ja-elvis-elvrec-bo
Platforms Affected: FreeBSD
Risk Factor: High
Attack Type: Host Based
Brief Description: FreeBSD ja-elvis port buffer overflow
X-Force URL: http://xforce.iss.net/static/6074.php
_____
Date Reported: 2/7/01
Vulnerability: ko-helvis-elvrec-bo
Platforms Affected: FreeBSD
Risk Factor: High
Attack Type: Host Based
Brief Description: FreeBSD ko-helvis port buffer overflow
X-Force URL: http://xforce.iss.net/static/6075.php
_____
Date Reported: 2/7/01
Vulnerability: serverworx-directory-traversal
Platforms Affected: ServerWorx
Risk Factor: Medium
Attack Type: Network Based
Brief Description: ServerWorx directory traversal
X-Force URL: http://xforce.iss.net/static/6081.php
_____
Date Reported: 2/7/01
Vulnerability: ntlm-ssp-elevate-privileges
Platforms Affected: NTLM
Risk Factor: High
Attack Type: Host Based
Brief Description: NTLM Security Support Provider could allow elevation of privileges
X-Force URL: http://xforce.iss.net/static/6076.php
_____
Date Reported: 2/7/01
Vulnerability: ssh-session-key-recovery
Platforms Affected: SSH
Risk Factor: High
Attack Type: Network/Host Based
Brief Description: SSH protocol 1.5 session key recovery
X-Force URL: http://xforce.iss.net/static/6082.php
_____
Date Reported: 2/6/01
Vulnerability: aolserver-directory-traversal
Platforms Affected: AOLserver
Risk Factor: Medium
Attack Type: Network Based
Brief Description: AOLserver directory traversal
X-Force URL: http://xforce.iss.net/static/6069.php
_____
Date Reported: 2/6/01
Vulnerability: chilisoft-asp-elevate-privileges
Platforms Affected: Chili!Soft
Risk Factor: High
Attack Type: Network/Host Based
Brief Description: Chili!Soft ASP could allow elevated privileges
X-Force URL: http://xforce.iss.net/static/6072.php
_____
Date Reported: 2/6/01
Vulnerability: win-udp-dos
Platforms Affected: Windows
Risk Factor: Medium
Attack Type: Network/Host Based
Brief Description: Windows UDP socket denial of service
X-Force URL: http://xforce.iss.net/static/6070.php
_____
Date Reported: 2/5/01
Vulnerability: ssh-daemon-failed-login
Platforms Affected: SSH
Risk Factor: High
Attack Type: Network/Host Based
Brief Description: SSH daemon failed login attempts are not logged
X-Force URL: http://xforce.iss.net/static/6071.php
_____
Date Reported: 2/5/01
Vulnerability: picserver-directory-traversal
Platforms Affected: PicServer
Risk Factor: Medium
Attack Type: Network Based
Brief Description: PicServer directory traversal
X-Force URL: http://xforce.iss.net/static/6065.php
_____
Date Reported: 2/5/01
Vulnerability: biblioweb-directory-traversal
Platforms Affected: BiblioWeb
Risk Factor: Medium
Attack Type: Network Based
Brief Description: BiblioWeb Server directory traversal
X-Force URL: http://xforce.iss.net/static/6066.php
_____
Date Reported: 2/5/01
Vulnerability: biblioweb-get-dos
Platforms Affected: BiblioWeb
Risk Factor: Low
Attack Type: Network Based
Brief Description: BiblioWeb Server GET request denial of service
X-Force URL: http://xforce.iss.net/static/6068.php
_____
Date Reported: 2/5/01
Vulnerability: ibm-netcommerce-reveal-information
Platforms Affected: IBM
Risk Factor: Medium
Attack Type: Network/Host Based
Brief Description: IBM Net.Commerce could reveal sensitive information
X-Force URL: http://xforce.iss.net/static/6067.php
_____
Date Reported: 2/5/01
Vulnerability: win-dde-elevate-privileges
Platforms Affected: Windows DDE
Risk Factor: High
Attack Type: Host Based
Brief Description: Windows DDE can allow the elevation of privileges
X-Force URL: http://xforce.iss.net/static/6062.php
_____
Date Reported: 2/4/01
Vulnerability: hsweb-directory-browsing
Platforms Affected: HSWeb
Risk Factor: Low
Attack Type: Network Based
Brief Description: HSWeb Web Server allows attacker to browse directories
X-Force URL: http://xforce.iss.net/static/6061.php
_____
Date Reported: 2/4/01
Vulnerability: sedum-directory-traversal
Platforms Affected: SEDUM
Risk Factor: Medium
Attack Type: Network Based
Brief Description: SEDUM HTTP Server directory traversal
X-Force URL: http://xforce.iss.net/static/6063.php
_____
Date Reported: 2/4/01
Vulnerability: free-java-directory-traversal
Platforms Affected: Free Java
Risk Factor: Medium
Attack Type: Network Based
Brief Description: Free Java Web Server directory traversal
X-Force URL: http://xforce.iss.net/static/6064.php
_____
Date Reported: 2/2/01
Vulnerability: goahead-directory-traversal
Platforms Affected: GoAhead
Risk Factor: High
Attack Type: Network Based
Brief Description: GoAhead Web Server directory traversal
X-Force URL: http://xforce.iss.net/static/6046.php
_____
Date Reported: 2/2/01
Vulnerability: gnuserv-tcp-cookie-overflow
Platforms Affected: Gnuserv
Risk Factor: High
Attack Type: Network/Host Based
Brief Description: Gnuserv TCP enabled cookie buffer overflow
X-Force URL: http://xforce.iss.net/static/6056.php
_____
Date Reported: 2/2/01
Vulnerability: xmail-ctrlserver-bo
Platforms Affected: Xmail CTRLServer
Risk Factor: High
Attack Type: Network Based
Brief Description: XMail CTRLServer buffer overflow
X-Force URL: http://xforce.iss.net/static/6060.php
_____
Date Reported: 2/2/01
Vulnerability: netscape-webpublisher-acl-permissions
Platforms Affected: Netscape Web Publisher
Risk Factor: Medium
Attack Type: Network Based
Brief Description: Netscape Web Publisher poor ACL permissions
X-Force URL: http://xforce.iss.net/static/6058.php
_____
Date Reported: 2/1/01
Vulnerability: cups-httpgets-dos
Platforms Affected: CUPS
Risk Factor: High
Attack Type: Host Based
Brief Description: CUPS httpGets() function denial of service
X-Force URL: http://xforce.iss.net/static/6043.php
_____
Date Reported: 2/1/01
Vulnerability: prospero-get-pin
Platforms Affected: Prospero
Risk Factor: High
Attack Type: Network/Host Based
Brief Description: Prospero GET request reveals PIN information
X-Force URL: http://xforce.iss.net/static/6044.php
_____
Date Reported: 2/1/01
Vulnerability: prospero-weak-permissions
Platforms Affected: Prospero
Risk Factor: High
Attack Type: Network/Host Based
Brief Description: Prospero uses weak permissions
X-Force URL: http://xforce.iss.net/static/6045.php
_____
Risk Factor Key:
High: Any vulnerability that provides an attacker with immediate access into a machine, gains superuser access, or bypasses a firewall. Example: A vulnerable Sendmail 8.6.5 version that allows an intruder to execute commands on the mail server.
Medium: Any vulnerability that provides information that has a high potential of giving system access to an intruder. Example: A misconfigured TFTP or vulnerable NIS server that allows an intruder to get the password file that could contain an account with a guessable password.
Low: Any vulnerability that provides information that potentially could lead to a compromise. Example: A finger that allows an intruder to find out who is online and potential accounts to attempt to crack passwords via brute force methods.
________
ISS is a leading global provider of security management solutions for
e-business. By offering best-of-breed SAFEsuite(tm) security software,
comprehensive ePatrol(tm) monitoring services and industry-leading
expertise, ISS serves as its customers' trusted security provider
protecting digital assets and ensuring the availability, confidentiality and
integrity of computer systems and information critical to e-business
success. ISS' security management solutions protect more than 5,000
customers including 21 of the 25 largest U.S. commercial banks, 9 of the 10
largest telecommunications companies and over 35 government agencies.
Founded in 1994, ISS is headquartered in Atlanta, GA, with additional
offices throughout North America and international operations in Asia,
Australia, Europe and Latin America. For more information, visit the ISS Web
site at www.iss.net or call 800-776-2362.
Copyright (c) 2001 by Internet Security Systems, Inc.
Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express consent
of the X-Force. If you wish to reprint the whole or any part of this Alert
in any other medium excluding electronic medium, please e-mail
xforce@iss.net for permission.
Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.
X-Force PGP Key available at: http://xforce.iss.net/sensitive.php as
well as on MIT's PGP key server and PGP.com's key server.
Please send suggestions, updates, and comments to: X-Force xforce@iss.net
of Internet Security Systems, Inc.
| VAR-200102-0114 | CVE-2001-1439 | Hewlett Packard HP-UX text editors contain buffer overflow |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
Buffer overflow in the text editor functionality in HP-UX 10.01 through 11.04 on HP9000 Series 700 and Series 800 allows local users to cause a denial of service ("system availability") via text editors such as (1) e, (2) ex, (3) vi, (4) edit, (5) view, and (6) vedit. A buffer overflow in the text editor on certain Hewlett-Packard systems could compromise system availability.

Multiple Cisco networking products contain a denial-of-service vulnerability. There is an information integrity vulnerability in the SSH1 protocol that allows packets encrypted with a block cipher to be modified without notice. There is a remote integer overflow vulnerability in several implementations of the SSH1 protocol that allows an attacker to execute arbitrary code with the privileges of the SSH daemon, typically root. The program pgp4pine version 1.75.6 fails to properly identify expired keys when working with the Gnu Privacy Guard program (GnuPG). This failure may result in the clear-text transmission of sensitive information when used with the PINE mail reading package. The SEDUM web server permits intruders to access files outside the web root.

While addressing vulnerabilities described in http://www.cisco.com/warp/public/707/SSH-multiple-pub.html, a denial-of-service condition has been inadvertently introduced into firmware upgrades. Firmware for routers and switches (IOS), Catalyst 6000 switches running CatOS, Cisco PIX Firewall and Cisco 11000 Content Service Switch devices may be vulnerable.
Cisco has reported that scanning for SSH vulnerabilities on affected devices will cause excessive CPU consumption. The condition is due to a failure of the Cisco SSH implementation to properly process large SSH packets.
Repeated and concurrent attacks may result in a denial of device service. As many of these devices are critical infrastructure components, more serious network outages may occur.
Cisco has released upgrades that will eliminate this vulnerability. HP-UX is prone to a denial-of-service vulnerability.
| VAR-200101-0122 | CVE-2001-1470 | Multiple Cisco products consume excessive CPU resources in response to large SSH packets |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
The IDEA cipher as implemented by SSH1 does not protect the final block of a message against modification, which allows remote attackers to modify the block without detection by changing its cyclic redundancy check (CRC) to match the modifications to the message. Multiple Cisco networking products contain a denial-of-service vulnerability. There is an information integrity vulnerability in the SSH1 protocol that allows packets encrypted with a block cipher to be modified without notice. There is a remote integer overflow vulnerability in several implementations of the SSH1 protocol that allows an attacker to execute arbitrary code with the privileges of the SSH daemon, typically root. The program pgp4pine version 1.75.6 fails to properly identify expired keys when working with the Gnu Privacy Guard program (GnuPG). This failure may result in the clear-text transmission of sensitive information when used with the PINE mail reading package. The SEDUM web server permits intruders to access files outside the web root. Secure Shell, or SSH, is an encrypted remote access protocol. SSH or code based on SSH is used by many systems all over the world and in a wide variety of commercial applications. An integer-overflow bug in the CRC32 compensation attack detection code may allow remote attackers to write values to arbitrary locations in memory.
This would occur in situations where large SSH packets are received by either a client or server, and a 32-bit representation of the SSH packet length is assigned to a 16-bit integer. The difference in data representation in these situations will cause the 16-bit variable to be assigned zero (or a very low value).
As a result, future calls to malloc() as well as an index used to reference locations in memory can be corrupted by an attacker. This could occur in a manner that can be exploited to write certain numerical values to almost arbitrary locations in memory.
**UPDATE**:
There have been reports suggesting that exploitation of this vulnerability may be widespread.
Since early September, independent, reliable sources have confirmed that this vulnerability is being exploited by attackers on the Internet. Security Focus does not currently have the exploit code being used; however, this record will be updated if and when it becomes available.
NOTE: The Cisco 11000 Content Service Switch family is vulnerable to this issue. All WebNS releases prior to, but excluding, versions 4.01 B42s, 4.10 22s, 5.0 B11s and 5.01 B6s are vulnerable.
Secure Computing SafeWord Agent for SSH is reportedly prone to this issue, as it is based on a vulnerable version of SSH.
** NetScreen ScreenOS is not directly vulnerable to this issue, however the referenced exploit will cause devices using vulnerable versions of the software to stop functioning properly. This will result in a denial of service condition for NetScreen devices. This issue is in the Secure Command Shell (SCS) administrative interface, which is an implementation of SSHv1. SCS is not enabled on NetScreen devices by default.
Cisco has reported that scanning for SSH vulnerabilities on affected devices will cause excessive CPU consumption. The condition is due to a failure of the Cisco SSH implementation to properly process large SSH packets. As many of these devices are critical infrastructure components, more serious network outages may occur.
Cisco has released upgrades that will eliminate this vulnerability. An expired public key could cause GPG to fail the encryption of an outgoing message, without any error message or warning being delivered to the user. As a result, the user could transmit data, meant to be encrypted, as plaintext. SSH is prone to a denial-of-service vulnerability.
TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to
majordomo@iss.net Contact alert-owner@iss.net for help with any problems!
---------------------------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----
ISS X-Force has received reports that some individuals were unable to
verify the PGP signature on the Security Alert Summary distributed earlier
in the week. Due to this issue, X-Force is re-distributing the Security
Alert Summary. We apologize for any inconvenience this may have caused.
Internet Security Systems Security Alert Summary
March 5, 2001
Volume 6 Number 4
X-Force Vulnerability and Threat Database: http://xforce.iss.net/
To receive these Alert Summaries as well as other Alerts and Advisories,
subscribe to the Internet Security Systems Alert mailing list at:
http://xforce.iss.net/maillists/index.php
This summary can be found at http://xforce.iss.net/alerts/vol-6_num-4.php
_____
Contents
90 Reported Vulnerabilities
Risk Factor Key
_____
Date Reported: 2/27/01
Vulnerability: a1-server-dos
Platforms Affected: A1 Server
Risk Factor: Medium
Attack Type: Network Based
Brief Description: A1 Server denial of service
X-Force URL: http://xforce.iss.net/static/6161.php
_____
Date Reported: 2/27/01
Vulnerability: a1-server-directory-traversal
Platforms Affected: A1 Server
Risk Factor: Medium
Attack Type: Network Based
Brief Description: A1 Server directory traversal
X-Force URL: http://xforce.iss.net/static/6162.php
_____
Date Reported: 2/27/01
Vulnerability: webreflex-web-server-dos
Platforms Affected: WebReflex
Risk Factor: Medium
Attack Type: Network Based
Brief Description: WebReflex Web server denial of service
X-Force URL: http://xforce.iss.net/static/6163.php
_____
Date Reported: 2/26/01
Vulnerability: sudo-bo-elevate-privileges
Platforms Affected: Sudo
Risk Factor: Medium
Attack Type: Host Based
Brief Description: Sudo buffer overflow could allow elevated user privileges
X-Force URL: http://xforce.iss.net/static/6153.php
_____
Date Reported: 2/26/01
Vulnerability: mygetright-skin-overwrite-file
Platforms Affected: My GetRight
Risk Factor: High
Attack Type: Network Based
Brief Description: My GetRight 'skin' allows remote attacker to overwrite existing files
X-Force URL: http://xforce.iss.net/static/6155.php
_____
Date Reported: 2/26/01
Vulnerability: mygetright-directory-traversal
Platforms Affected: My GetRight
Risk Factor: Medium
Attack Type: Network Based
Brief Description: My GetRight directory traversal
X-Force URL: http://xforce.iss.net/static/6156.php
_____
Date Reported: 2/26/01
Vulnerability: win2k-event-viewer-bo
Platforms Affected: Windows 2000
Risk Factor: once-only
Attack Type: Host Based
Brief Description: Windows 2000 event viewer buffer overflow
X-Force URL: http://xforce.iss.net/static/6160.php
_____
Date Reported: 2/26/01
Vulnerability: netscape-collabra-cpu-dos
Platforms Affected: Netscape
Risk Factor: Medium
Attack Type: Network Based
Brief Description: Netscape Collabra CPU denial of service
X-Force URL: http://xforce.iss.net/static/6159.php
_____
Date Reported: 2/26/01
Vulnerability: netscape-collabra-kernel-dos
Platforms Affected: Netscape
Risk Factor: Medium
Attack Type: Network Based
Brief Description: Netscape Collabra Server kernel denial of service
X-Force URL: http://xforce.iss.net/static/6158.php
_____
Date Reported: 2/23/01
Vulnerability: mercur-expn-bo
Platforms Affected: MERCUR
Risk Factor: High
Attack Type: Network Based
Brief Description: MERCUR Mailserver EXPN buffer overflow
X-Force URL: http://xforce.iss.net/static/6149.php
_____
Date Reported: 2/23/01
Vulnerability: sedum-http-dos
Platforms Affected: SEDUM
Risk Factor: Medium
Attack Type: Network Based
Brief Description: SEDUM HTTP server denial of service
X-Force URL: http://xforce.iss.net/static/6152.php
_____
Date Reported: 2/23/01
Vulnerability: tru64-inetd-dos
Platforms Affected: Tru64
Risk Factor: Medium
Attack Type: Host Based
Brief Description: Tru64 UNIX inetd denial of service
X-Force URL: http://xforce.iss.net/static/6157.php
_____
Date Reported: 2/22/01
Vulnerability: outlook-vcard-bo
Platforms Affected: Microsoft Outlook
Risk Factor: High
Attack Type: Host Based
Brief Description: Outlook and Outlook Express vCards buffer overflow
X-Force URL: http://xforce.iss.net/static/6145.php
_____
Date Reported: 2/22/01
Vulnerability: ultimatebb-cookie-member-number
Platforms Affected: Ultimate Bulletin Board
Risk Factor: High
Attack Type: Network Based
Brief Description: Ultimate Bulletin Board cookie allows attacker to change member number
X-Force URL: http://xforce.iss.net/static/6144.php
_____
Date Reported: 2/21/01
Vulnerability: ultimatebb-cookie-gain-privileges
Platforms Affected: Ultimate Bulletin Board
Risk Factor: Medium
Attack Type: Network Based
Brief Description: Ultimate Bulletin Board allows remote attacker to obtain cookie information
X-Force URL: http://xforce.iss.net/static/6142.php
_____
Date Reported: 2/21/01
Vulnerability: sendmail-elevate-privileges
Platforms Affected: Sendmail
Risk Factor: High
Attack Type: Host Based
Brief Description: Sendmail -bt command could allow the elevation of privileges
X-Force URL: http://xforce.iss.net/static/6147.php
_____
Date Reported: 2/21/01
Vulnerability: jre-jdk-execute-commands
Platforms Affected: JRE/JDK
Risk Factor: High
Attack Type: Host Based
Brief Description: JRE/JDK could allow unauthorized execution of commands
X-Force URL: http://xforce.iss.net/static/6143.php
_____
Date Reported: 2/20/01
Vulnerability: licq-remote-port-dos
Platforms Affected: LICQ
Risk Factor: Medium
Attack Type: Network Based
Brief Description: LICQ remote denial of service
X-Force URL: http://xforce.iss.net/static/6134.php
_____
Date Reported: 2/20/01
Vulnerability: pgp4pine-expired-keys
Platforms Affected: pgp4pine
Risk Factor: Medium
Attack Type: Host Based
Brief Description: pgp4pine may transmit messages using expired public keys
X-Force URL: http://xforce.iss.net/static/6135.php
_____
Date Reported: 2/20/01
Vulnerability: chilisoft-asp-view-files
Platforms Affected: Chili!Soft ASP
Risk Factor: High
Attack Type: Network Based
Brief Description: Chili!Soft ASP allows remote attackers to gain access to sensitive information
X-Force URL: http://xforce.iss.net/static/6137.php
_____
Date Reported: 2/20/01
Vulnerability: win2k-domain-controller-dos
Platforms Affected: Windows 2000
Risk Factor: once-only
Attack Type: Network/Host Based
Brief Description: Windows 2000 domain controller denial of service
X-Force URL: http://xforce.iss.net/static/6136.php
_____
Date Reported: 2/19/01
Vulnerability: asx-remote-dos
Platforms Affected: ASX Switches
Risk Factor: Medium
Attack Type: Network Based
Brief Description: ASX switches allow remote denial of service
X-Force URL: http://xforce.iss.net/static/6133.php
_____
Date Reported: 2/18/01
Vulnerability: http-cgi-mailnews-username
Platforms Affected: Mailnews.cgi
Risk Factor: High
Attack Type: Network Based
Brief Description: Mailnews.cgi allows remote attacker to execute shell commands using username
X-Force URL: http://xforce.iss.net/static/6139.php
_____
Date Reported: 2/17/01
Vulnerability: badblue-ext-reveal-path
Platforms Affected: BadBlue
Risk Factor: Low
Attack Type: Network Based
Brief Description: BadBlue ext.dll library reveals path
X-Force URL: http://xforce.iss.net/static/6130.php
_____
Date Reported: 2/17/01
Vulnerability: badblue-ext-dos
Platforms Affected: BadBlue
Risk Factor: Medium
Attack Type: Network Based
Brief Description: BadBlue ext.dll library denial of service
X-Force URL: http://xforce.iss.net/static/6131.php
_____
Date Reported: 2/17/01
Vulnerability: moby-netsuite-bo
Platforms Affected: Moby's NetSuite
Risk Factor: Medium
Attack Type: Network Based
Brief Description: Moby's NetSuite Web server buffer overflow
X-Force URL: http://xforce.iss.net/static/6132.php
_____
Date Reported: 2/16/01
Vulnerability: webactive-directory-traversal
Platforms Affected: WEBactive
Risk Factor: Medium
Attack Type: Network/Host Based
Brief Description: WEBactive HTTP Server directory traversal
X-Force URL: http://xforce.iss.net/static/6121.php
_____
Date Reported: 2/16/01
Vulnerability: esone-cgi-directory-traversal
Platforms Affected: ES.One store.cgi
Risk Factor: Medium
Attack Type: Network Based
Brief Description: Thinking Arts ES.One store.cgi directory traversal
X-Force URL: http://xforce.iss.net/static/6124.php
_____
Date Reported: 2/16/01
Vulnerability: vshell-username-bo
Platforms Affected: VShell
Risk Factor: High
Attack Type: Network Based
Brief Description: VShell username buffer overflow
X-Force URL: http://xforce.iss.net/static/6146.php
_____
Date Reported: 2/16/01
Vulnerability: vshell-port-forwarding-rule
Platforms Affected: VShell
Risk Factor: Medium
Attack Type: Network/Host Based
Brief Description: VShell uses weak port forwarding rule
X-Force URL: http://xforce.iss.net/static/6148.php
_____
Date Reported: 2/15/01
Vulnerability: pi3web-isapi-bo
Platforms Affected: Pi3Web
Risk Factor: Medium
Attack Type: Network/Host Based
Brief Description: Pi3Web ISAPI tstisapi.dll denial of service
X-Force URL: http://xforce.iss.net/static/6113.php
_____
Date Reported: 2/15/01
Vulnerability: pi3web-reveal-path
Platforms Affected: Pi3Web
Risk Factor: Low
Attack Type: Network Based
Brief Description: Pi3Web reveals physical path of server
X-Force URL: http://xforce.iss.net/static/6114.php
_____
Date Reported: 2/15/01
Vulnerability: bajie-execute-shell
Platforms Affected: Bajie HTTP JServer
Risk Factor: High
Attack Type: Network Based
Brief Description: Bajie HTTP JServer execute shell commands
X-Force URL: http://xforce.iss.net/static/6117.php
_____
Date Reported: 2/15/01
Vulnerability: bajie-directory-traversal
Platforms Affected: Bajie HTTP JServer
Risk Factor: High
Attack Type: Network Based
Brief Description: Bajie HTTP JServer directory traversal
X-Force URL: http://xforce.iss.net/static/6115.php
_____
Date Reported: 2/15/01
Vulnerability: resin-directory-traversal
Platforms Affected: Resin
Risk Factor: Medium
Attack Type: Network Based
Brief Description: Resin Web server directory traversal
X-Force URL: http://xforce.iss.net/static/6118.php
_____
Date Reported: 2/15/01
Vulnerability: netware-mitm-recover-passwords
Platforms Affected: Netware
Risk Factor: Low
Attack Type: Network Based
Brief Description: Netware "man in the middle" attack password recovery
X-Force URL: http://xforce.iss.net/static/6116.php
_____
Date Reported: 2/14/01
Vulnerability: firebox-pptp-dos
Platforms Affected: WatchGuard Firebox II
Risk Factor: High
Attack Type: Network Based
Brief Description: WatchGuard Firebox II PPTP denial of service
X-Force URL: http://xforce.iss.net/static/6109.php
_____
Date Reported: 2/14/01
Vulnerability: hp-virtualvault-iws-dos
Platforms Affected: HP VirtualVault
Risk Factor: Medium
Attack Type: Network/Host Based
Brief Description: HP VirtualVault iPlanet Web Server denial of service
X-Force URL: http://xforce.iss.net/static/6110.php
_____
Date Reported: 2/14/01
Vulnerability: kicq-execute-commands
Platforms Affected: KICQ
Risk Factor: High
Attack Type: Network Based
Brief Description: kicq could allow remote execution of commands
X-Force URL: http://xforce.iss.net/static/6112.php
_____
Date Reported: 2/14/01
Vulnerability: hp-text-editor-bo
Platforms Affected: HPUX
Risk Factor: Medium
Attack Type: Host Based
Brief Description: HP Text editors buffer overflow
X-Force URL: http://xforce.iss.net/static/6111.php
_____
Date Reported: 2/13/01
Vulnerability: sendtemp-pl-read-files
Platforms Affected: sendtemp.pl
Risk Factor: Medium
Attack Type: Network/Host Based
Brief Description: sendtemp.pl could allow an attacker to read files on the server
X-Force URL: http://xforce.iss.net/static/6104.php
_____
Date Reported: 2/13/01
Vulnerability: analog-alias-bo
Platforms Affected: Analog ALIAS
Risk Factor: Medium
Attack Type: Network/Host Based
Brief Description: Analog ALIAS command buffer overflow
X-Force URL: http://xforce.iss.net/static/6105.php
_____
Date Reported: 2/13/01
Vulnerability: elm-long-string-bo
Platforms Affected: Elm
Risk Factor: Medium
Attack Type: Host Based
Brief Description: ELM -f command long string buffer overflow
X-Force URL: http://xforce.iss.net/static/6151.php
_____
Date Reported: 2/13/01
Vulnerability: winnt-pptp-dos
Platforms Affected: Windows NT
Risk Factor: Medium
Attack Type: Network Based
Brief Description: Windows NT PPTP denial of service
X-Force URL: http://xforce.iss.net/static/6103.php
_____
Date Reported: 2/12/01
Vulnerability: startinnfeed-format-string
Platforms Affected: Inn
Risk Factor: High
Attack Type: Host Based
Brief Description: Inn 'startinnfeed' binary format string attack
X-Force URL: http://xforce.iss.net/static/6099.php
_____
Date Reported: 2/12/01
Vulnerability: his-auktion-cgi-url
Platforms Affected: HIS Auktion
Risk Factor: Medium
Attack Type: Network/Host Based
Brief Description: HIS Auktion CGI script could allow attackers to view unauthorized files or execute commands
X-Force URL: http://xforce.iss.net/static/6090.php
_____
Date Reported: 2/12/01
Vulnerability: wayboard-cgi-view-files
Platforms Affected: Way-BOARD
Risk Factor: Medium
Attack Type: Network Based
Brief Description: Way-BOARD CGI could allow attackers to view unauthorized files
X-Force URL: http://xforce.iss.net/static/6091.php
_____
Date Reported: 2/12/01
Vulnerability: muskat-empower-url-dir
Platforms Affected: Musket Empower
Risk Factor: Low
Attack Type: Network/Host Based
Brief Description: Musket Empower could allow attackers to gain access to the DB directory path
X-Force URL: http://xforce.iss.net/static/6093.php
_____
Date Reported: 2/12/01
Vulnerability: icq-icu-rtf-dos
Platforms Affected: LICQ, Gnome ICU
Risk Factor: Low
Attack Type: Network/Host Based
Brief Description: LICQ and Gnome ICU rtf file denial of service
X-Force URL: http://xforce.iss.net/static/6096.php
_____
Date Reported: 2/12/01
Vulnerability: commerce-cgi-view-files
Platforms Affected: Commerce.cgi
Risk Factor: Medium
Attack Type: Network Based
Brief Description: Commerce.cgi could allow attackers to view unauthorized files
X-Force URL: http://xforce.iss.net/static/6095.php
_____
Date Reported: 2/12/01
Vulnerability: roads-search-view-files
Platforms Affected: ROADS
Risk Factor: Medium
Attack Type: Network Based
Brief Description: ROADS could allow attackers to view unauthorized files using search.pl program
X-Force URL: http://xforce.iss.net/static/6097.php
_____
Date Reported: 2/12/01
Vulnerability: webpage-cgi-view-info
Platforms Affected: WebPage.cgi
Risk Factor: Low
Attack Type: Network Based
Brief Description: WebPage.cgi allows attackers to view sensitive information
X-Force URL: http://xforce.iss.net/static/6100.php
_____
Date Reported: 2/12/01
Vulnerability: webspirs-cgi-view-files
Platforms Affected: WebSPIRS
Risk Factor: Medium
Attack Type: Network Based
Brief Description: WebSPIRS CGI could allow an attacker to view unauthorized files
X-Force URL: http://xforce.iss.net/static/6101.php
_____
Date Reported: 2/12/01
Vulnerability: webpals-library-cgi-url
Platforms Affected: WebPALS
Risk Factor: Medium
Attack Type: Network Based
Brief Description: WebPALS Library System CGI script could allow attackers to view unauthorized files or execute commands
X-Force URL: http://xforce.iss.net/static/6102.php
_____
Date Reported: 2/11/01
Vulnerability: cobol-apptrack-nolicense-permissions
Platforms Affected: MicroFocus Cobol
Risk Factor: High
Attack Type: Host Based
Brief Description: MicroFocus Cobol with AppTrack enabled with nolicense permissions
X-Force URL: http://xforce.iss.net/static/6092.php
_____
Date Reported: 2/11/01
Vulnerability: cobol-apptrack-nolicense-symlink
Platforms Affected: MicroFocus Cobol
Risk Factor: High
Attack Type: Host Based
Brief Description: MicroFocus Cobol with AppTrack enabled allows symlink in nolicense
X-Force URL: http://xforce.iss.net/static/6094.php
_____
Date Reported: 2/10/01
Vulnerability: vixie-crontab-bo
Platforms Affected: Vixie crontab
Risk Factor: Medium
Attack Type: Host Based
Brief Description: Vixie crontab buffer overflow
X-Force URL: http://xforce.iss.net/static/6098.php
_____
Date Reported: 2/10/01
Vulnerability: novell-groupwise-bypass-policies
Platforms Affected: Novell GroupWise
Risk Factor: Medium
Attack Type: Network/Host Based
Brief Description: Novell Groupwise allows user to bypass policies and view files
X-Force URL: http://xforce.iss.net/static/6089.php
_____
Date Reported: 2/9/01
Vulnerability: infobot-calc-gain-access
Platforms Affected: Infobot
Risk Factor: High
Attack Type: Network Based
Brief Description: Infobot 'calc' command allows remote users to gain access
X-Force URL: http://xforce.iss.net/static/6078.php
_____
Date Reported: 2/8/01
Vulnerability: linux-sysctl-read-memory
Platforms Affected: Linux
Risk Factor: Medium
Attack Type: Host Based
Brief Description: Linux kernel sysctl() read memory
X-Force URL: http://xforce.iss.net/static/6079.php
_____
Date Reported: 2/8/01
Vulnerability: openssh-bypass-authentication
Platforms Affected: OpenSSH
Risk Factor: High
Attack Type: Network/Host Based
Brief Description: OpenSSH 2.3.1 allows remote users to bypass authentication
X-Force URL: http://xforce.iss.net/static/6084.php
_____
Date Reported: 2/8/01
Vulnerability: lotus-notes-stored-forms
Platforms Affected: Lotus Notes
Risk Factor: High
Attack Type: Network/Host Based
Brief Description: Lotus Notes stored forms
X-Force URL: http://xforce.iss.net/static/6087.php
_____
Date Reported: 2/8/01
Vulnerability: linux-ptrace-modify-process
Platforms Affected: Linux
Risk Factor: High
Attack Type: Host Based
Brief Description: Linux kernel ptrace modify process
X-Force URL: http://xforce.iss.net/static/6080.php
_____
Date Reported: 2/8/01
Vulnerability: ssh-deattack-overwrite-memory
Platforms Affected: SSH
Risk Factor: High
Attack Type: Network/Host Based
Brief Description: SSH protocol 1.5 deattack.c allows memory to be overwritten
X-Force URL: http://xforce.iss.net/static/6083.php
_____
Date Reported: 2/7/01
Vulnerability: dc20ctrl-port-bo
Platforms Affected: FreeBSD
Risk Factor: Medium
Attack Type: Host Based
Brief Description: FreeBSD dc20ctrl port buffer overflow
X-Force URL: http://xforce.iss.net/static/6077.php
_____
Date Reported: 2/7/01
Vulnerability: ja-xklock-bo
Platforms Affected: FreeBSD
Risk Factor: High
Attack Type: Host Based
Brief Description: ja-xklock buffer overflow
X-Force URL: http://xforce.iss.net/static/6073.php
_____
Date Reported: 2/7/01
Vulnerability: ja-elvis-elvrec-bo
Platforms Affected: FreeBSD
Risk Factor: High
Attack Type: Host Based
Brief Description: FreeBSD ja-elvis port buffer overflow
X-Force URL: http://xforce.iss.net/static/6074.php
_____
Date Reported: 2/7/01
Vulnerability: ko-helvis-elvrec-bo
Platforms Affected: FreeBSD
Risk Factor: High
Attack Type: Host Based
Brief Description: FreeBSD ko-helvis port buffer overflow
X-Force URL: http://xforce.iss.net/static/6075.php
_____
Date Reported: 2/7/01
Vulnerability: serverworx-directory-traversal
Platforms Affected: ServerWorx
Risk Factor: Medium
Attack Type: Network Based
Brief Description: ServerWorx directory traversal
X-Force URL: http://xforce.iss.net/static/6081.php
_____
Date Reported: 2/7/01
Vulnerability: ntlm-ssp-elevate-privileges
Platforms Affected: NTLM
Risk Factor: High
Attack Type: Host Based
Brief Description: NTLM Security Support Provider could allow elevation of privileges
X-Force URL: http://xforce.iss.net/static/6076.php
_____
Date Reported: 2/7/01
Vulnerability: ssh-session-key-recovery
Platforms Affected: SSH
Risk Factor: High
Attack Type: Network/Host Based
Brief Description: SSH protocol 1.5 session key recovery
X-Force URL: http://xforce.iss.net/static/6082.php
_____
Date Reported: 2/6/01
Vulnerability: aolserver-directory-traversal
Platforms Affected: AOLserver
Risk Factor: Medium
Attack Type: Network Based
Brief Description: AOLserver directory traversal
X-Force URL: http://xforce.iss.net/static/6069.php
_____
Date Reported: 2/6/01
Vulnerability: chilisoft-asp-elevate-privileges
Platforms Affected: Chili!Soft
Risk Factor: High
Attack Type: Network/Host Based
Brief Description: Chili!Soft ASP could allow elevated privileges
X-Force URL: http://xforce.iss.net/static/6072.php
_____
Date Reported: 2/6/01
Vulnerability: win-udp-dos
Platforms Affected: Windows
Risk Factor: Medium
Attack Type: Network/Host Based
Brief Description: Windows UDP socket denial of service
X-Force URL: http://xforce.iss.net/static/6070.php
_____
Date Reported: 2/5/01
Vulnerability: ssh-daemon-failed-login
Platforms Affected: SSH
Risk Factor: High
Attack Type: Network/Host Based
Brief Description: SSH daemon failed login attempts are not logged
X-Force URL: http://xforce.iss.net/static/6071.php
_____
Date Reported: 2/5/01
Vulnerability: picserver-directory-traversal
Platforms Affected: PicServer
Risk Factor: Medium
Attack Type: Network Based
Brief Description: PicServer directory traversal
X-Force URL: http://xforce.iss.net/static/6065.php
_____
Date Reported: 2/5/01
Vulnerability: biblioweb-directory-traversal
Platforms Affected: BiblioWeb
Risk Factor: Medium
Attack Type: Network Based
Brief Description: BiblioWeb Server directory traversal
X-Force URL: http://xforce.iss.net/static/6066.php
_____
Date Reported: 2/5/01
Vulnerability: biblioweb-get-dos
Platforms Affected: BiblioWeb
Risk Factor: Low
Attack Type: Network Based
Brief Description: BiblioWeb Server GET request denial of service
X-Force URL: http://xforce.iss.net/static/6068.php
_____
Date Reported: 2/5/01
Vulnerability: ibm-netcommerce-reveal-information
Platforms Affected: IBM
Risk Factor: Medium
Attack Type: Network/Host Based
Brief Description: IBM Net.Commerce could reveal sensitive information
X-Force URL: http://xforce.iss.net/static/6067.php
_____
Date Reported: 2/5/01
Vulnerability: win-dde-elevate-privileges
Platforms Affected: Windows DDE
Risk Factor: High
Attack Type: Host Based
Brief Description: Windows DDE can allow the elevation of privileges
X-Force URL: http://xforce.iss.net/static/6062.php
_____
Date Reported: 2/4/01
Vulnerability: hsweb-directory-browsing
Platforms Affected: HSWeb
Risk Factor: Low
Attack Type: Network Based
Brief Description: HSWeb Web Server allows attacker to browse directories
X-Force URL: http://xforce.iss.net/static/6061.php
_____
Date Reported: 2/4/01
Vulnerability: sedum-directory-traversal
Platforms Affected: SEDUM
Risk Factor: Medium
Attack Type: Network Based
Brief Description: SEDUM HTTP Server directory traversal
X-Force URL: http://xforce.iss.net/static/6063.php
_____
Date Reported: 2/4/01
Vulnerability: free-java-directory-traversal
Platforms Affected: Free Java
Risk Factor: Medium
Attack Type: Network Based
Brief Description: Free Java Web Server directory traversal
X-Force URL: http://xforce.iss.net/static/6064.php
_____
Date Reported: 2/2/01
Vulnerability: goahead-directory-traversal
Platforms Affected: GoAhead
Risk Factor: High
Attack Type: Network Based
Brief Description: GoAhead Web Server directory traversal
X-Force URL: http://xforce.iss.net/static/6046.php
_____
Date Reported: 2/2/01
Vulnerability: gnuserv-tcp-cookie-overflow
Platforms Affected: Gnuserv
Risk Factor: High
Attack Type: Network/Host Based
Brief Description: Gnuserv TCP enabled cookie buffer overflow
X-Force URL: http://xforce.iss.net/static/6056.php
_____
Date Reported: 2/2/01
Vulnerability: xmail-ctrlserver-bo
Platforms Affected: Xmail CTRLServer
Risk Factor: High
Attack Type: Network Based
Brief Description: XMail CTRLServer buffer overflow
X-Force URL: http://xforce.iss.net/static/6060.php
_____
Date Reported: 2/2/01
Vulnerability: netscape-webpublisher-acl-permissions
Platforms Affected: Netscape Web Publisher
Risk Factor: Medium
Attack Type: Network Based
Brief Description: Netscape Web Publisher poor ACL permissions
X-Force URL: http://xforce.iss.net/static/6058.php
_____
Date Reported: 2/1/01
Vulnerability: cups-httpgets-dos
Platforms Affected: CUPS
Risk Factor: High
Attack Type: Host Based
Brief Description: CUPS httpGets() function denial of service
X-Force URL: http://xforce.iss.net/static/6043.php
_____
Date Reported: 2/1/01
Vulnerability: prospero-get-pin
Platforms Affected: Prospero
Risk Factor: High
Attack Type: Network/Host Based
Brief Description: Prospero GET request reveals PIN information
X-Force URL: http://xforce.iss.net/static/6044.php
_____
Date Reported: 2/1/01
Vulnerability: prospero-weak-permissions
Platforms Affected: Prospero
Risk Factor: High
Attack Type: Network/Host Based
Brief Description: Prospero uses weak permissions
X-Force URL: http://xforce.iss.net/static/6045.php
_____
Risk Factor Key:
High Any vulnerability that provides an attacker with immediate
access into a machine, gains superuser access, or bypasses
a firewall. Example: A vulnerable Sendmail 8.6.5 version
that allows an intruder to execute commands on mail
server.
Medium Any vulnerability that provides information that has a
high potential of giving system access to an intruder.
Example: A misconfigured TFTP or vulnerable NIS server
that allows an intruder to get the password file that
could contain an account with a guessable password.
Low Any vulnerability that provides information that
potentially could lead to a compromise. Example: A
finger that allows an intruder to find out who is online
and potential accounts to attempt to crack passwords
via brute force methods.
________
ISS is a leading global provider of security management solutions for
e-business. By offering best-of-breed SAFEsuite(tm) security software,
comprehensive ePatrol(tm) monitoring services and industry-leading
expertise, ISS serves as its customers' trusted security provider
protecting digital assets and ensuring the availability, confidentiality and
integrity of computer systems and information critical to e-business
success. ISS' security management solutions protect more than 5,000
customers including 21 of the 25 largest U.S. commercial banks, 9 of the 10
largest telecommunications companies and over 35 government agencies.
Founded in 1994, ISS is headquartered in Atlanta, GA, with additional
offices throughout North America and international operations in Asia,
Australia, Europe and Latin America. For more information, visit the ISS Web
site at www.iss.net or call 800-776-2362.
Copyright (c) 2001 by Internet Security Systems, Inc.
Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express consent
of the X-Force. If you wish to reprint the whole or any part of this Alert
in any other medium excluding electronic medium, please e-mail
xforce@iss.net for permission.
Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.
X-Force PGP Key available at: http://xforce.iss.net/sensitive.php as
well as on MIT's PGP key server and PGP.com's key server.
Please send suggestions, updates, and comments to: X-Force xforce@iss.net
of Internet Security Systems, Inc.
| VAR-200505-0778 | CVE-2005-1609 | Multiple Cisco products consume excessive CPU resources in response to large SSH packets |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Unknown vulnerability in Sun StorEdge 6130 Arrays (SE6130) with serial numbers between 0451AWF00G and 0513AWF00J allows local users and remote attackers to delete data. Multiple Cisco networking products contain a denial-of-service vulnerability. There is an information integrity vulnerability in the SSH1 protocol that allows packets encrypted with a block cipher to be modified without notice. There is a remote integer overflow vulnerability in several implementations of the SSH1 protocol that allows an attacker to execute arbitrary code with the privileges of the SSH daemon, typically root. The program pgp4pine version 1.75.6 fails to properly identify expired keys when working with the Gnu Privacy Guard program (GnuPG). This failure may result in the clear-text transmission of sensitive information when used with the PINE mail reading package. The SEDUM web server permits intruders to access files outside the web root. While addressing vulnerabilities described in http://www.cisco.com/warp/public/707/SSH-multiple-pub.html, a denial of service condition has been inadvertently introduced into firmware upgrades. Firmware for routers and switches (IOS), Catalyst 6000 switches running CatOS, Cisco PIX Firewall and Cisco 11000 Content Service Switch devices may be vulnerable.
Cisco has reported that scanning for SSH vulnerabilities on affected devices will cause excessive CPU consumption. The condition is due to a failure of the Cisco SSH implementation to properly process large SSH packets.
Repeated and concurrent attacks may result in a denial of service on the device. As many of these devices are critical infrastructure components, more serious network outages may occur.
Cisco has released upgrades that will eliminate this vulnerability.
| VAR-200012-0057 | CVE-2000-1054 | CiscoSecure ACS Server CSAdmin Module buffer overflow vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Buffer overflow in CSAdmin module in CiscoSecure ACS Server 2.4(2) and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a large packet. Depending on the data entered, CiscoSecure ACS for Windows NT can be made to crash, or arbitrary code execution can be made possible, if an unusually long packet is sent to port 2002.
If the application crashes due to an oversized packet, the CSAdmin module automatically restarts after one minute in versions 2.3x and higher. Existing sessions re-establish, although they need to be authenticated again. In prior versions, a restart is required in order to regain normal functionality.
| VAR-200012-0058 | CVE-2000-1055 | CiscoSecure ACS Server Denial of service vulnerability |
CVSS V2: 10.0 CVSS V3: - Severity: HIGH |
Buffer overflow in CiscoSecure ACS Server 2.4(2) and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a large TACACS+ packet. If a remote attacker is capable of sniffing or injecting traffic between a server running CiscoSecure ACS for Windows NT and a TACACS+ client, CiscoSecure ACS for Windows NT can be made to crash by sending it an oversized TACACS+ packet. CiscoSecure ACS Server 2.4(2) and earlier versions have a buffer overflow vulnerability.
| VAR-200012-0059 | CVE-2000-1056 | CiscoSecure ACS Server Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
CiscoSecure ACS Server 2.4(2) and earlier allows remote attackers to bypass LDAP authentication on the server if the LDAP server allows null passwords. Certain Lightweight Directory Access Protocol (LDAP) servers allow users to have undefined passwords. Vulnerabilities exist in CiscoSecure ACS Server 2.4(2) and earlier versions.
| VAR-200012-0083 | CVE-2000-1022 | Cisco Secure PIX Firewall Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
The mailguard feature in Cisco Secure PIX Firewall 5.2(2) and earlier does not properly restrict access to SMTP commands, which allows remote attackers to execute restricted commands by sending a DATA command before sending the restricted commands. Like other firewalls, the Cisco PIX Firewall implements technology that reads the contents of packets passing through it for application-level filtering. In the case of SMTP, it can be configured so that only certain SMTP commands are allowed through (for example, dropping extra functionality such as HELP, or commands that could be a security concern, like EXPN or VRFY). When receiving messages, it allows all text through between "data" and "<CR><LF><CR><LF>.<CR><LF>", as this is where the body of the message would normally go, and the body may legitimately contain words that are SMTP commands and should not be filtered. Due to the nature of SMTP and flaws in the exceptional-condition handling of the PIX, it is reportedly possible to evade the SMTP command restrictions by tricking the firewall into thinking the body of the message is being sent when it is not.
During communication with an SMTP server, if the "data" command is sent before the information that must precede it, such as "rcpt to", the SMTP server returns error 503, saying that rcpt is required. The firewall, however, assumes everything is in order and lets everything through until it receives "<CR><LF><CR><LF>.<CR><LF>". The attacker can then issue any command he wishes on the mail server. An old vulnerability that allowed bypassing of SMTP content filtering has been reintroduced into PIX firmware. This vulnerability is archived in the SecurityFocus vulnerability database as Bugtraq ID 1698.
| VAR-200011-0055 | CVE-2000-0839 | WinCOM LPD Denial of service vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
WinCOM LPD 1.00.90 allows remote attackers to cause a denial of service via a large number of LPD options to the LPD port (515). If a user sends continuous LPD requests to the service on default port 515, the program will consume all available CPU. A restart of the service is required in order to regain normal functionality. WinCOM LPD 1.00.90 is vulnerable.
| VAR-200009-0023 | CVE-2010-1141 | VMWare Tools Package Library Reference Code Execution Vulnerability |
CVSS V2: 8.5 CVSS V3: - Severity: HIGH |
VMware Tools in VMware Workstation 6.5.x before 6.5.4 build 246459; VMware Player 2.5.x before 2.5.4 build 246459; VMware ACE 2.5.x before 2.5.4 build 246459; VMware Server 2.x before 2.0.2 build 203138; VMware Fusion 2.x before 2.0.6 build 246742; VMware ESXi 3.5 and 4.0; and VMware ESX 2.5.5, 3.0.3, 3.5, and 4.0 does not properly access libraries, which allows user-assisted remote attackers to execute arbitrary code by tricking a Windows guest OS user into clicking on a file that is stored on a network share. Some applications for Microsoft Windows may use unsafe methods for determining how to load DLLs. As a result, these applications can be forced to load a DLL from an attacker-controlled source rather than a trusted location. Windows programs are vulnerable to attack when loading DLLs. A dynamic link library (DLL) is a software component that is loaded at run time rather than at compile time. Programs load DLLs with LoadLibrary() and LoadLibraryEx(). If the DLL is requested without a path, a fixed set of directories is searched in order and the first matching DLL found is loaded. Because this set of directories includes the current directory of the process, attack code may be executed if LoadLibrary() is called while a directory the attacker can manipulate is the current directory. This issue can occur when browsing files located in directories that an attacker can manipulate. The name of the DLL that is loaded depends on the program, and any Windows program that loads DLLs in this way may be affected. (Vulnerability information for "Opera Software" and "Adobe": Mr. Takashi Yoshikawa of Mitsui Bussan Secure Direction Co., Ltd.) A remote attacker could execute arbitrary code with the privileges of the user running the program. An attack may be carried out by placing a crafted DLL on a USB drive or a network drive. VMware is virtual PC software that allows two or more Windows, DOS, and Linux systems to run simultaneously on a single machine.
The VMWare Tools package used in VMWare products does not properly access the function library. When a program executes under Microsoft Windows, it may require additional code stored in DLL library files. A weakness exists in the algorithm used to locate these files.
The search algorithm used to locate DLL files specifies that the current working directory is checked before the System folders. If a trojaned DLL can be inserted into the system in an arbitrary location, and a predictable executable is called with the same current working directory, the trojaned DLL may be loaded and executed. This may occur when a data file is accessed through the 'Run' function, or double-clicked in Windows Explorer.
This has been reported to occur with the 'riched20.dll' and 'msi.dll' DLL files and some Microsoft Office applications, including WordPad.
This behavior has also been reported for files loaded from UNC shares, or directly from FTP servers.
An attacker can exploit this issue by enticing a user to open a malicious file from a network share. The issue can be exploited on Windows guest operating systems.
Successful exploits will allow attackers to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial-of-service condition.
This issue affects the following products:
Workstation
Player
ACE
Server
Fusion
ESX
ESXi
NOTE: This issue was previously covered in BID 39345 (VMware Hosted Products VMSA-2010-0007 Multiple Remote and Local Vulnerabilities), but has been given its own record to better document it.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
-------------------------------------------------------------------------
VMware Security Advisory
Advisory ID: VMSA-2010-0007
Synopsis: VMware hosted products, vCenter Server and ESX
patches resolve multiple security issues
Issue date: 2010-04-09
Updated on: 2010-04-09 (initial release of advisory)
CVE numbers: CVE-2010-1142 CVE-2010-1140 CVE-2009-2042
CVE-2009-1564 CVE-2009-1565 CVE-2009-3732
CVE-2009-3707 CVE-2010-1138 CVE-2010-1139
CVE-2010-1141
-------------------------------------------------------------------------
1.
2.
Notes:
Effective May 2010, VMware's patch and update release program during
Extended Support will be continued with the condition that all
subsequent patch and update releases will be based on the latest
baseline release version as of May 2010 (i.e. ESX 3.0.3 Update 1,
ESX 3.5 Update 5, and VirtualCenter 2.5 Update 6). Refer to section
"End of Product Availability FAQs" at
http://www.vmware.com/support/policies/lifecycle/vi/faq.html for
details.
Extended support for ESX 2.5.5 ends on 2010-06-15. Users should plan
to upgrade to at least ESX 3.0.3 and preferably to the newest
release available.
Extended support for ESX 3.0.3 ends on 2011-12-10. Users should plan
to upgrade to at least ESX 3.5 and preferably to the newest release
available.
End of General Support for VMware Workstation 6.x is 2011-04-27,
users should plan to upgrade to the newest release available.
End of General Support for VMware Server 2.0 is 2011-06-30, users
should plan to upgrade to the newest release of either ESXi or
VMware Player.
Extended support for Virtual Center 2.0.2 is 2011-12-10, users
should plan to upgrade to the newest release of vCenter Server.
3. Problem Description
a. This file could be in any file format.
VMware would like to thank Jure Skofic and Mitja Kolsek of ACROS
Security (http://www.acrossecurity.com) for reporting this issue
to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2010-1141 to this issue.
Steps needed to remediate this vulnerability:
Guest systems on VMware Workstation, Player, ACE, Server, Fusion
- Install the remediated version of Workstation, Player, ACE,
Server and Fusion.
- Upgrade tools in the virtual machine (virtual machine users
will be prompted to upgrade).
Guest systems on ESX 4.0, 3.5, 3.0.3, 2.5.5, ESXi 4.0, 3.5
- Install the relevant patches (see below for patch identifiers)
- Manually upgrade tools in the virtual machine (virtual machine
users will not be prompted to upgrade). Note that the VI Client will
not show that VMware Tools is out of date in the summary tab.
Please see http://tinyurl.com/27mpjo page 80 for details.
The following table lists what action remediates the vulnerability
(column 4) if a solution is available. See above for remediation
details.
On most recent versions of Windows (XP, Vista) the attacker would need
to have administrator privileges to plant the malicious executable in
the right location.
Steps needed to remediate this vulnerability: See section 3.a.
VMware would like to thank Mitja Kolsek of ACROS Security
(http://www.acrossecurity.com) for reporting this issue to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2010-1142 to this issue.
Refer to the previous table in section 3.a for what action
remediates the vulnerability (column 4) if a solution is
available. See above for remediation details.
c. Windows-based VMware Workstation and Player host privilege
escalation
A vulnerability in the USB service allows for a privilege
escalation. A local attacker on the host of a Windows-based
Operating System where VMware Workstation or VMware Player
is installed could plant a malicious executable on the host and
elevate their privileges.
In order for an attacker to exploit the vulnerability, the attacker
would need to be able to plant their malicious executable in a
certain location on the host machine. On most recent versions of
Windows (XP, Vista) the attacker would need to have administrator
privileges to plant the malicious executable in the right location.
VMware would like to thank Thierry Zoller for reporting this issue
to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2010-1140 to this issue.
The following table lists what action remediates the vulnerability
(column 4) if a solution is available.
VMware          Product   Running   Replace with/
Product         Version   on        Apply Patch
=============   ========  ========  =================
VirtualCenter   any       Windows   not affected
Workstation     7.0       Windows   7.0.1 build 227600 or later
Workstation     7.0       Linux     not affected
Workstation     6.5.x     any       not affected
Player          3.0       Windows   3.0.1 build 227600 or later
Player          3.0       Linux     not affected
Player          2.5.x     any       not affected
Ace             any       any       not affected
Server          2.x       any       not affected
Fusion          any       Mac OS/X  not affected
ESXi            any       ESXi      not affected
ESX             any       ESX       not affected
d. Third party library update for libpng to version 1.2.37
The libpng libraries through 1.2.35 contain an uninitialized-
memory-read bug that may have security implications.
Specifically, 1-bit (2-color) interlaced images whose widths are
not divisible by 8 may result in several uninitialized bits at the
end of certain rows in certain interlace passes being returned to
the user. An application that failed to mask these out-of-bounds
pixels might display or process them, albeit presumably with benign
results in most cases.
The Common Vulnerabilities and Exposures Project (cve.mitre.org)
has assigned the name CVE-2009-2042 to this issue.
The following table lists what action remediates the vulnerability
(column 4) if a solution is available.
e. VMware VMnc Codec heap overflow vulnerabilities
The VMware movie decoder contains the VMnc media codec that is
required to play back movies recorded with VMware Workstation,
VMware Player and VMware ACE, in any compatible media player. The
movie decoder is installed as part of VMware Workstation, VMware
Player and VMware ACE, or can be downloaded as a stand alone
package.
For an attack to be successful the user must be tricked into
visiting a malicious web page or opening a malicious video file on
a system that has the vulnerable version of the VMnc codec installed.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the names CVE-2009-1564 and CVE-2009-1565 to these
issues.
VMware would like to thank iDefense, Sebastien Renaud of VUPEN
Vulnerability Research Team (http://www.vupen.com) and Alin Rad Pop
of Secunia Research for reporting these issues to us.
To remediate the above issues either install the stand alone movie
decoder or update your product using the table below.
VMware          Product   Running   Replace with/
Product         Version   on        Apply Patch
=============   ========  ========  =================
VirtualCenter   any       Windows   not affected
Movie Decoder   any       Windows   6.5.4 Build 246459 or later
Workstation     7.x       any       not affected
Workstation     6.5.x     Windows   6.5.4 build 246459 or later
Workstation     6.5.x     Linux     not affected
Player          3.x       any       not affected
Player          2.5.x     Windows   2.5.4 build 246459 or later
Player          2.5.x     Linux     not affected
ACE             any       any       not affected
Server          2.x       Windows   not being addressed at this time
Server          2.x       Linux     not affected
Fusion          any       Mac OS/X  not affected
ESXi            any       ESXi      not affected
ESX             any       ESX       not affected
f.
Exploitation of this issue may lead to arbitrary code execution on
the system where VMrc is installed. Code execution would be at the
privilege level of the user.
VMrc is present on a system if the VMrc browser plug-in has been
installed. This plug-in is required when using the console feature in
WebAccess. Installation of the plug-in follows after visiting the
console tab in WebAccess and choosing "Install plug-in". The plug-
in can only be installed on Internet Explorer and Firefox.
Under the following two conditions your version of VMrc is likely
to be affected:
- the VMrc plug-in was obtained from vCenter 4.0 or from ESX 4.0
without patch ESX400-200911223-UG and
- VMrc is installed on a Windows-based system
The following steps allow you to determine if you have an affected
version of VMrc installed:
- Locate the VMrc executable vmware-vmrc.exe on your Windows-based
system
- Right click and go to Properties
- Go to the tab "Versions"
- Click "File Version" in the "Item Name" window
- If the "Value" window shows "e.x.p build-158248", the version of
VMrc is affected
Remediation of this issue on Windows-based systems requires the
following steps (Linux-based systems are not affected):
- Uninstall affected versions of VMrc from the systems where the
VMrc plug-in has been installed (use the Windows Add/Remove
Programs interface)
- Install vCenter 4.0 Update 1 or install the ESX 4.0 patch
ESX400-200911223-UG
- Login into vCenter 4.0 Update 1 or ESX 4.0 with patch
ESX400-200911223-UG using WebAccess on the system where the VMrc
needs to be re-installed
- Re-install VMrc by going to the console tab in WebAccess. The
Console tab is selectable after selecting a virtual machine.
Note: the VMrc plug-in for Firefox on Windows-based operating
systems is no longer compatible after the above remediation steps.
Users are advised to use the Internet Explorer VMrc plug-in.
VMware would like to thank Alexey Sintsov from Digital Security
Research Group for reporting this issue to us.
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2009-3732 to this issue.
g. Windows-based VMware authd remote denial of service
A vulnerability in vmware-authd could cause a denial of service
condition on Windows-based hosts. The denial of service is limited
to a crash of authd.
The Common Vulnerabilities and Exposures Project (cve.mitre.org)
has assigned the name CVE-2009-3707 to this issue.
The following table lists what action remediates the vulnerability
(column 4) if a solution is available.
h. Potential information leak via hosted networking stack
A vulnerability in the virtual networking stack of VMware hosted
products could allow host information disclosure.
A guest operating system could send memory from the host vmware-vmx
process to the virtual network adapter and potentially to the
host's physical Ethernet wire.
The Common Vulnerabilities and Exposures Project (cve.mitre.org)
has assigned the name CVE-2010-1138 to this issue.
VMware would like to thank Johann MacDonagh for reporting this
issue to us.
The following table lists what action remediates the vulnerability
(column 4) if a solution is available.
i. Linux-based vmrun format string vulnerability
A format string vulnerability in vmrun could allow arbitrary code
execution.
If a vmrun command is issued and processes are listed, code could
be executed in the context of the user listing the processes.
The Common Vulnerabilities and Exposures Project (cve.mitre.org)
has assigned the name CVE-2010-1139 to this issue.
VMware would like to thank Thomas Toth-Steiner for reporting this
issue to us.
The following table lists what action remediates the vulnerability
(column 4) if a solution is available.
VMware          Product   Running   Replace with/
Product         Version   on        Apply Patch
=============   ========  ========  =================
VirtualCenter   any       Windows   not affected
VIX API         any       Windows   not affected
VIX API         1.6.x     Linux     upgrade to VIX API 1.7 or later
VIX API         1.6.x     Linux64   upgrade to VIX API 1.7 or later
Workstation     7.x       any       not affected
Workstation     6.5.x     Windows   not affected
Workstation     6.5.x     Linux     6.5.4 build 246459 or later
Player          3.x       any       not affected
Player          2.5.x     Windows   not affected
Player          2.5.x     Linux     2.5.4 build 246459 or later
Ace             any       Windows   not affected
Server          2.x       Windows   not affected
Server          2.x       Linux     not being fixed at this time
Fusion          3.x       Mac OS/X  not affected
Fusion          2.x       Mac OS/X  2.0.7 build 246742 or later
ESXi            any       any       not affected
ESX             any       any       not affected
4. Solution
Please review the patch/release notes for your product and version
and verify the md5sum and/or the sha1sum of your downloaded file.
ESXi
----
ESXi 4.0 bulletin ESXi400-201002402-BG
https://hostupdate.vmware.com/software/VUM/OFFLINE/release-193-20100228-731251/ESXi400-201002001.zip
md5sum: e5aa2968d389594abdc59cbac7b0183d
sha1sum: bb50b3ad7934e3f9e24edc879b35e83b357343b2
http://kb.vmware.com/kb/1018404
ESXi 3.5
--------
ESXi 3.5 patch ESXe350-200912402-T-BG was first contained in
ESXe350-200912401-O-BG from December 2009.
The same patch, ESXe350-200912402-T-BG, is also contained in
ESXe350-201002401-O-SG, the February 2010 ESXi 3.5 security update.
In the latest non-security ESXi 3.5 update, ESXe350-201003402-T-BG is
also included in ESXe350-201003401-O-BG from March 2010.
ESXe350-201002401-O-SG (latest security update)
http://download3.vmware.com/software/vi/ESXe350-201002401-O-SG.zip
md5sum: 0c8d4d1c0e3c2aed9f785cf081225d83
http://kb.vmware.com/kb/1015047 (Vi Client)
http://kb.vmware.com/kb/1016665 (VM Tools)
http://kb.vmware.com/kb/1017685 (Firmware)
The three ESXi patches for Firmware "I", VMware Tools "T", and the
VI Client "C" are contained in a single offline "O" download file.
ESX
---
ESX 4.0 bulletin ESX400-201002401-BG
https://hostupdate.vmware.com/software/VUM/OFFLINE/release-192-20100228-732240/ESX400-201002001.zip
md5sum: de62cbccaffa4b2b6831617f18c1ccb4
sha1sum: 4083f191fa4acd6600c9a87e4852f9f5700e91ab
http://kb.vmware.com/kb/1018403
Note: ESX400-201002001 contains the bundle with the security fix,
ESX400-201002401-BG
To install an individual bulletin use esxupdate with the -b option.
esxupdate --bundle ESX400-201002001 -b ESX400-201002401-BG
ESX 4.0 bulletin ESX400-200911223-UG
https://hostupdate.vmware.com/software/VUM/OFFLINE/release-166-20091202-254879/ESX-4.0.0-update01a.zip
md5sum: 99c1fcafbf0ca105ce73840d686e9914
sha1sum: aa8a23416271bc28b6b8f6bdbe00045e36314ebb
http://kb.vmware.com/kb/1014842
Note: ESX-4.0.0-update01a contains the bundle with the security fix,
ESX400-200911223-UG
To install an individual bulletin use esxupdate with the -b option.
esxupdate --bundle ESX-4.0.0-update01a -b ESX400-200911223-UG
ESX 3.5 patch ESX350-200912401-BG
http://download3.vmware.com/software/vi/ESX350-200912401-BG.zip
md5sum: f1d3589745b4ae933554785aef22bacc
sha1sum: d1e5a9209b165d43d75f076e556fc028bec4cc47
http://kb.vmware.com/kb/1016657
ESX 3.0.3 patch ESX303-201002203-UG
http://download3.vmware.com/software/vi/ESX303-201002203-UG.zip
md5sum: 49ee56b687707cbe6999836c315f081a
http://kb.vmware.com/kb/1018030
ESX 2.5.5 Upgrade Patch 15
http://download3.vmware.com/software/esx/esx-2.5.5-191611-upgrade.tar.gz
md5sum: c346fe510b6e51145570e03083f77357
sha1sum: ef6b19247825fb3fe2c55f8fda3cdd05ac7bb1f4
http://www.vmware.com/support/esx25/doc/esx-255-200910-patch.html
5. References
http://www.acrossecurity.com/advisories.htm
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1564
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1565
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2042
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3707
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3732
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1138
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1139
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1140
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1142
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1141
6. Change log
2010-04-09 VMSA-2010-0007
Initial security advisory after release of Workstation 6.5.4 and Fusion
2.0.7 on 2010-04-08.
------------------------------------------------------------------------
7. Contact
E-mail list for product security notifications and announcements:
http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce
This Security Advisory is posted to the following lists:
* security-announce at lists.vmware.com
* bugtraq at securityfocus.com
* full-disclosure at lists.grok.org.uk
E-mail: security at vmware.com
PGP key at: http://kb.vmware.com/kb/1055
VMware Security Center
http://www.vmware.com/security
VMware security response policy
http://www.vmware.com/support/policies/security_response.html
General support life cycle policy
http://www.vmware.com/support/policies/eos.html
VMware Infrastructure support life cycle policy
http://www.vmware.com/support/policies/eos_vi.html
Copyright 2010 VMware Inc. All rights reserved.
Background
==========
VMware Player, Server, and Workstation allow emulation of a complete PC
on a PC without the usual performance overhead of most emulators.
Affected packages
=================
-------------------------------------------------------------------
Package / Vulnerable / Unaffected
-------------------------------------------------------------------
1 app-emulation/vmware-player <= 2.5.5.328052 Vulnerable!
2 app-emulation/vmware-workstation <= 6.5.5.328052 Vulnerable!
3 app-emulation/vmware-server <= 1.0.9.156507 Vulnerable!
-------------------------------------------------------------------
NOTE: Certain packages are still vulnerable. Users should migrate to
another package if one is available or wait for the existing packages
to be marked stable by their architecture maintainers. Please review
the CVE identifiers referenced below for details.
Impact
======
Local users may be able to gain escalated privileges, cause a Denial of
Service, or gain sensitive information.
A remote attacker could entice a user to open a specially crafted file,
possibly resulting in the remote execution of arbitrary code, or a
Denial of Service. Remote attackers also may be able to spoof DNS
traffic, read arbitrary files, or inject arbitrary web script to the
VMware Server Console.
Furthermore, guest OS users may be able to execute arbitrary code on
the host OS, gain escalated privileges on the guest OS, or cause a
Denial of Service (crash the host OS).
Workaround
==========
There is no known workaround at this time.
Gentoo discontinued support for VMware Workstation. We recommend that users
unmerge VMware Server:
# emerge --unmerge "app-emulation/vmware-server"
References
==========
[ 1 ] CVE-2007-5269
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5269
[ 2 ] CVE-2007-5503
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5503
[ 3 ] CVE-2007-5671
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5671
[ 4 ] CVE-2008-0967
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0967
[ 5 ] CVE-2008-1340
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1340
[ 6 ] CVE-2008-1361
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1361
[ 7 ] CVE-2008-1362
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1362
[ 8 ] CVE-2008-1363
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1363
[ 9 ] CVE-2008-1364
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1364
[ 10 ] CVE-2008-1392
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1392
[ 11 ] CVE-2008-1447
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1447
[ 12 ] CVE-2008-1806
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1806
[ 13 ] CVE-2008-1807
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1807
[ 14 ] CVE-2008-1808
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-1808
[ 15 ] CVE-2008-2098
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2098
[ 16 ] CVE-2008-2100
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2100
[ 17 ] CVE-2008-2101
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-2101
[ 18 ] CVE-2008-4915
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4915
[ 19 ] CVE-2008-4916
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4916
[ 20 ] CVE-2008-4917
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-4917
[ 21 ] CVE-2009-0040
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0040
[ 22 ] CVE-2009-0909
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0909
[ 23 ] CVE-2009-0910
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-0910
[ 24 ] CVE-2009-1244
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1244
[ 25 ] CVE-2009-2267
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2267
[ 26 ] CVE-2009-3707
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3707
[ 27 ] CVE-2009-3732
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3732
[ 28 ] CVE-2009-3733
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3733
[ 29 ] CVE-2009-4811
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4811
[ 30 ] CVE-2010-1137
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1137
[ 31 ] CVE-2010-1138
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1138
[ 32 ] CVE-2010-1139
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1139
[ 33 ] CVE-2010-1140
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1140
[ 34 ] CVE-2010-1141
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1141
[ 35 ] CVE-2010-1142
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1142
[ 36 ] CVE-2010-1143
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1143
[ 37 ] CVE-2011-3868
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3868
Availability
============
This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:
http://security.gentoo.org/glsa/glsa-201209-25.xml
Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
https://bugs.gentoo.org.
License
=======
Copyright 2012 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).
The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.
http://creativecommons.org/licenses/by-sa/2.5
| VAR-200011-0030 | CVE-2000-0882 | Intel Express Switch 500 Series Malformed ICMP Packet DoS Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Intel Express 500 series switches allow a remote attacker to cause a denial of service via a malformed ICMP packet, which causes the CPU to crash. The malformed packet can be sent locally or remotely and can be spoofed. In the event that the switch receives the malformed ICMP packet, it will continue to operate as a switch, however, it will lose all routing functionality and will not pick up on new connections
| VAR-200011-0006 | CVE-2000-0858 | Microsoft Windows "Invalid URL" Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Vulnerability in Microsoft Windows NT 4.0 allows remote attackers to cause a denial of service in IIS by sending it a series of malformed requests which cause INETINFO.EXE to fail, aka the "Invalid URL" vulnerability. IIS 4.0 is subject to a denial of service due to the mishandling of URL requests. This issue is a result of a flaw in Windows NT 4.0.
If a remote user requests a specifically malformed URL, an invalid memory request is made by inetinfo.exe. The end result is that all system resources are used until inetinfo.exe is eventually automatically shut down by NT. A restart of the service is required in order to gain normal functionality
| VAR-200010-0032 | CVE-2000-0780 | IPSWITCH IMail web Server vulnerability |
CVSS V2: 6.4 CVSS V3: - Severity: MEDIUM |
The web server in IPSWITCH IMail 6.04 and earlier allows remote attackers to read and delete arbitrary files via a .. (dot dot) attack. IPSWITCH ships a product titled IMail, an email server for use on NT servers that serves clients their mail via a web interface. To this end the IMail server provides a web server, typically running on port 8383, for its end users to access. Via this interface users may read and send mail, including mail with file attachments. Certain versions of IMail do not perform proper access validation, however, resulting in users being able to attach files resident on the server. The net result is that users may attach files on the server to which they should have no access. This access is limited to the privileges of the account the server runs as, typically SYSTEM.
It should be noted that once a user attaches the files in question, the server deletes them
| VAR-200010-0016 | CVE-2000-0764 | Intel Express Switch Service Rejection Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Intel Express 500 series switches allow a remote attacker to cause a denial of service via a malformed IP packet. In order to regain functionality, the power must be disconnected and reconnected; the reset switch will not be operational. Vulnerabilities exist in the Intel Express 500 series switch
| VAR-200010-0125 | CVE-2000-0745 | PHP-Nuke admin.php3 Privilege escalation vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
admin.php3 in PHP-Nuke does not properly verify the PHP-Nuke administrator password, which allows remote attackers to gain privileges by requesting a URL that does not specify the aid or pwd parameter. PHP-Nuke is a website creation/maintenance tool written in PHP3. It is possible to elevate privileges in this system from normal user to administrator due to a flaw in authentication code. The problem occurs here:
// $aid holds the author name, $pwd the author password supplied with the request
$result=mysql_query("select pwd from authors where aid='$aid'");
if(!$result) {
    echo "Selection from database failed!";
    exit;
} else {
    list($pass)=mysql_fetch_row($result);   // FALSE (so $pass stays NULL) when no row matches
    if($pass == $pwd) {                     // loose comparison: NULL == "" is TRUE
        $admintest = 1;
    }
}
First off, the code checks to make sure the query passed to mysql_query is legal. There are no checks to see whether any rows are returned (whether any authors match $aid). Then, the password given is compared to the result of the above query. If the author doesn't match, mysql_fetch_row returns FALSE. This is where the problem occurs. A NULL string is logically equal to FALSE, and thus if an empty string is supplied as the password, the condition tested for above (the if($pass == $pwd)) is met and admintest is set to 1 (TRUE). The user is then able to perform all administrative functions
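To see why the loose comparison lets an empty password through, here is an added example (not PHP-Nuke's code) that reproduces the check above against a constructed in-memory author table, next to a hardened version that fails closed when no author row matches and verifies against a password hash. The lookupAuthorPassword() helper is a stand-in for the mysql_query()/mysql_fetch_row() pair and, like mysql_fetch_row(), returns FALSE when nothing matches.

```php
<?php
// Added example, not PHP-Nuke code: the admin.php3 check described above,
// reproduced against a constructed in-memory author table, next to a
// hardened version of the same check.
declare(strict_types=1);

// Stand-in for mysql_query()/mysql_fetch_row(): returns the stored pwd
// column for $aid, or FALSE when no author row matches (as
// mysql_fetch_row() does on an empty result set). A NULL $aid models a
// request that omits the aid parameter entirely.
function lookupAuthorPassword(array $authors, ?string $aid)
{
    if ($aid === null || !isset($authors[$aid])) {
        return false;
    }
    return $authors[$aid];
}

// Same logic as the original snippet. list($pass) = FALSE leaves $pass
// NULL, and the loose == comparison treats NULL == "" as TRUE, so an
// unknown author with an empty (or absent) password passes.
function vulnerableAdminTest(array $authors, ?string $aid, ?string $pwd): bool
{
    $row  = lookupAuthorPassword($authors, $aid);
    $pass = ($row === false) ? null : $row;
    return $pass == $pwd;
}

// Hardened: fail closed when no row matched or no password was supplied,
// and verify against a stored password hash instead of comparing
// plaintext with ==.
function hardenedAdminTest(array $authors, ?string $aid, ?string $pwd): bool
{
    $row = lookupAuthorPassword($authors, $aid);
    if ($row === false || $pwd === null || $pwd === '') {
        return false;
    }
    return password_verify($pwd, $row);
}

// Constructed sample data: the original compared plaintext passwords;
// the hardened check stores a hash of the same password.
$plainAuthors  = ['admin' => 'correct horse'];
$hashedAuthors = ['admin' => password_hash('correct horse', PASSWORD_DEFAULT)];

$cases = [
    ['admin',  'correct horse', 'known author, correct password'],
    ['admin',  '',              'known author, empty password'],
    ['nobody', '',              'unknown author, empty password'],
    [null,     null,            'aid and pwd parameters omitted'],
];
foreach ($cases as [$aid, $pwd, $desc]) {
    printf("%-32s vulnerable=%-5s hardened=%s\n", $desc,
        vulnerableAdminTest($plainAuthors, $aid, $pwd) ? 'TRUE' : 'false',
        hardenedAdminTest($hashedAuthors, $aid, $pwd) ? 'TRUE' : 'false');
}
```

Only the first case passes the hardened check, while the vulnerable check also returns TRUE for the unknown-author and omitted-parameter cases, which is the bypass described in the entry.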
| VAR-200010-0126 | CVE-2000-0746 | Microsoft IIS In shtml Vulnerable to cross-site scripting using malformed requests |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Vulnerabilities in IIS 4.0 and 5.0 do not properly protect against cross-site scripting (CSS) attacks. They allow a malicious web site operator to embed scripts in a link to a trusted site, which are returned without quoting in an error message back to the client. The client then executes those scripts in the same context as the trusted site, aka the "IIS Cross-Site Scripting" vulnerabilities. Microsoft IIS has a vulnerability in which, when it receives a request for an shtml file with text appended, the resulting error message can include an executable script. An arbitrary script may be executed in the user's browser. If FrontPage Server Extensions 1.2 is installed on an IIS server, IIS may return content specified by a malicious third party back to a client through the use of specially formed links.
If additional text is appended to a request for shtml.dll, the server will generate an error including that text. This becomes an issue especially if the server specified in the hostile URL is a trusted site, as content from that site may then be granted a higher privilege level than usual.
For example, consider a link off of a page from a hostile website:
<a href="http://TrustedServer/_vti_bin/shtml.dll/<script>Hostile Code Here</script>">http://TrustedServer</a>.
If a user clicks on the link specified above, the script will get passed in the http request from the client to TrustedSite. TrustedSite will then return the script as part of the error message. The client, receiving the error page containing the script, will then execute it and assign to it all rights granted to content from TrustedSite.
Update (November 2, 2000): A new variant of this vulnerability has been discovered and is addressed in the re-release of patches described in Microsoft Security Bulletin (MS00-060). Please see 'Solution' for the patches
| VAR-200011-0041 | CVE-2000-0825 | Ipswitch IMail Web service "HOST" Denial of service vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Ipswitch Imail 6.0 allows remote attackers to cause a denial of service via a large number of connections in which a long Host: header is sent, which causes a thread to crash. IPSwitch IMail is an e-mail server which provides WWW (HTTP) E-mail services. By default this web service resides on port 8181 or 8383. Sending an HTTP request with an extremely long "HOST" field multiple times can cause the system hosting the service to become unresponsive. Each long request "kills" a thread without freeing up the memory used by it. By repeating this request, the system's resources can be used up completely. Ipswitch Imail 6.0 is vulnerable
| VAR-200012-0098 | CVE-2000-1037 | Check Point Firewall-1 Session Agent Directory attack vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Check Point Firewall-1 session agent 3.0 through 4.1 generates different error messages for invalid user names versus invalid passwords, which allows remote attackers to determine valid usernames and guess a password via a brute force attack. A vulnerability exists in all versions of the Check Point Session Agent, part of Firewall-1. Session Agent works in such a way that the firewall will establish a connection back to the client machine. Upon doing so, it will prompt for a username, and if the username exists, a password. Upon failure, it will reprompt indefinitely. This allows for a simple brute force attack against the username and password
| VAR-200010-0022 | CVE-2000-0770 | IIS Access restriction bypass vulnerability |
CVSS V2: 6.4 CVSS V3: - Severity: MEDIUM |
IIS 4.0 and 5.0 do not properly restrict access to certain types of files when their parent folders have less restrictive permissions, which could allow remote attackers to bypass access restrictions to some files, aka the "File Permission Canonicalization" vulnerability. Due to an error in canonicalization affecting CGI scripts and ISAPI extensions, incorrect permissions may be set for a given file on a web server following a malformed HTTP request. This will allow a user to perform actions on CGI or ISAPI-mapped files, including reading or executing, which would normally be denied. This does not apply to files in virtual folders. The correct file is located, but is concluded to be in a location different from its actual folder. Depending on the exact nature of the malformed URL, the file may inherit the permissions of any parent folder in the file's path
| VAR-200010-0080 | CVE-2000-0700 | Cisco Gigabit Switch Routers (GSR) Forward packet vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco Gigabit Switch Routers (GSR) with Fast Ethernet / Gigabit Ethernet cards, from IOS versions 11.2(15)GS1A up to 11.2(19)GS0.2 and some versions of 12.0, do not properly handle line card failures, which allows remote attackers to bypass ACLs or force the interface to stop forwarding packets. This could lead to exploitation of vulnerabilities that would normally have been protected by the access control lists. It may also be possible for an attacker to cause an interface on the target GSR to stop forwarding packets, resulting in a denial of service. The evasion of ACLs has to do with optimizations in handling of various packet types and occurs only on the affected interfaces. All versions of IOS greater than 11.2 on GSRs are assumed to be vulnerable