[gull-annonces] Summary of SecurityFocus Newsletter #226

Marc SCHAEFER schaefer at alphanet.ch
Tue Dec 9 12:11:01 CET 2003


OpenCA Signature Verification Vulnerabilities
BugTraq ID: 9123
Remote: Yes
Date Published: Nov 28 2003
Relevant URL: http://www.securityfocus.com/bid/9123
Summary:
Multiple flaws have been reported in OpenCA which cumulatively could cause
a revoked or expired certificate to be accepted.  This could present a
serious security risk in situations where digital signatures are used to
verify the authenticity of content or in access validation.

The following specific flaws have been reported by the vendor:

A function in the crypto-utils.lib that is used to determine the serial
for a PKCS#7 signature uses the interface of the OpenCA::PKCS7 module in
an incorrect manner.

The crypto-utils.lib library also uses all of the certificates which are
included in a signature to create an X.509 object for the signer's
certificate.  This reportedly results in an object that was created from
one of the certificates in the certificate chain.

The OpenCA::PKCS7 module uses an incorrect regular expression to detect
lines which are not associated with the parsing of the certificate chain.

OpenCA::PKCS7 also used an incorrect regular expression to parse the
serial in the certificate chain, causing uppercase letters like A, B, C,
D, E, and F to be ignored.

The result of these issues is that a malicious party in possession of a
revoked or expired certificate could possibly sign something that may
verify, which can be abused to establish a false sense of trust, leading
to a variety of other attacks.
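As an added illustration of the last flaw above (not OpenCA code, and the regexes are a hypothetical reconstruction since the advisory does not quote the real ones), the snippet below shows how a serial-number pattern that only accepts lowercase hex digits silently truncates an uppercase serial, so a certificate that is on the CRL is no longer recognised as revoked. The certificate dump and CRL contents are constructed sample data.

```python
import re
from typing import Optional

# Constructed sample dump (not real OpenCA output): the serial is written in
# uppercase hex, as the advisory says the parsed chain data was.
SAMPLE_DUMP = """\
Certificate:
    Serial Number: 0x1A2F
    Issuer: CN=Example CA
    Subject: CN=revoked-signer
"""

# Constructed CRL: serials of revoked certificates, held as integers.
REVOKED_SERIALS = {0x1A2F, 0x00FF}

# Hypothetical reconstruction of the flawed pattern: only lowercase hex digits
# are accepted, so the match stops at the first uppercase letter and "0x1A2F"
# is read as "0x1".
BUGGY_SERIAL_RE = re.compile(r"Serial Number:\s*0x([0-9a-f]+)")

# Corrected pattern: hex digits in either case.
FIXED_SERIAL_RE = re.compile(r"Serial Number:\s*0x([0-9A-Fa-f]+)")


def parse_serial(dump: str, pattern: "re.Pattern[str]") -> Optional[int]:
    """Extract the signer's serial from a textual certificate dump."""
    match = pattern.search(dump)
    return int(match.group(1), 16) if match else None


def is_revoked(dump: str, pattern: "re.Pattern[str]",
               crl=REVOKED_SERIALS) -> bool:
    """Revocation check that fails closed: an unparseable serial counts as revoked."""
    serial = parse_serial(dump, pattern)
    return serial is None or serial in crl


if __name__ == "__main__":
    for name, pattern in (("buggy", BUGGY_SERIAL_RE), ("fixed", FIXED_SERIAL_RE)):
        serial = parse_serial(SAMPLE_DUMP, pattern)
        print(f"{name}: parsed serial 0x{serial:X}, revoked={is_revoked(SAMPLE_DUMP, pattern)}")
```

With the buggy pattern the revoked signer's serial parses as 0x1 and the check returns False, which is exactly the accepted-revoked-certificate outcome the advisory describes.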

Applied Watch Command Center Authentication Bypass Vulnerabi...
BugTraq ID: 9124
Remote: Yes
Date Published: Nov 28 2003
Relevant URL: http://www.securityfocus.com/bid/9124
Summary:
Applied Watch Command Center is an application used to command and control
Snort IDS.  The Command Center package is composed of an agent to grab
Snort logs, a server and a user console.

An access validation vulnerability has been identified in the system that
may allow an attacker to bypass authentication to add attacker-supplied
IDS alerts and add new user accounts.

It has been reported that this flaw may allow a remote attacker on a
network running the vulnerable software to bypass authentication on
Applied Watch Command Center console in order to add new user accounts.
Another consequence of this issue allows an attacker to add IDS alerts to
all sensors on a vulnerable network.  This attack may allow a malicious
person to confuse an administrator by generating false negatives,
therefore subverting identification.

Although it has not yet been confirmed, it has been speculated that the
problem lies in the protocol implementation. Specifically, a vulnerable
Command Center may erroneously assume that a remote host transmitting
specific protocol data has already been authenticated, and allow the host
to carry out various privileged actions.

Successful exploitation of these issues may allow an attacker to gain
unauthorized access to a vulnerable system or conceal intrusion attempts.
User accounts created by the attacker may be used to further compromise a
system.

Proof of concept exploits have been made available for this issue.

SuSE XScreenSaver Package Multiple Vulnerabilities
BugTraq ID: 9125
Remote: No
Date Published: Nov 28 2003
Relevant URL: http://www.securityfocus.com/bid/9125
Summary:
The xscreensaver program waits until the keyboard and mouse have been idle
for a configurable duration of time and then outputs graphics to the
screen. xscreensaver can be configured to lock the screen and will prompt
for authentication credentials to unlock the screen and peripherals.

SuSE has reported that xscreensaver packages shipped with SuSE Linux 9.0
are prone to multiple vulnerabilities. These issues include a crash when
xscreensaver is handling the verification of authentication credentials;
although unconfirmed, it has been conjectured that this crash is likely due
to a memory corruption condition. SuSE has also reported that xscreensaver
is prone to several insecure temporary file creation vulnerabilities; an
attacker may exploit these issues to potentially elevate system
privileges.

SuSE fixes are pending for these issues and it is likely that more
technical information will be made available with the release of an
official advisory.  This BID will be updated appropriately at that time.

Apache mod_python Module Malformed Query Denial of Service V...
BugTraq ID: 9129
Remote: Yes
Date Published: Nov 29 2003
Relevant URL: http://www.securityfocus.com/bid/9129
Summary:
Apache's mod_python is a module which allows the web server to interpret
Python scripts. mod_python supports Apache 1.3.x and 2.x, and is available
for Windows, Linux and most Unix systems.

Apache has reported that some versions of mod_python may be prone to
denial of service attacks when handling malformed queries. The details
regarding this vulnerability are currently unknown, however the vendor has
stated that a remote user may be capable of crashing a vulnerable Apache
server.

This issue has been addressed in the 3.0.4 and 2.7.9 releases of the
module.

When further information regarding the technical details of this issue is
made available, this BID will be updated accordingly.

Surfboard Web Server File Disclosure Vulnerability
BugTraq ID: 9132
Remote: Yes
Date Published: Dec 01 2003
Relevant URL: http://www.securityfocus.com/bid/9132
Summary:
Surfboard is a freely available web server implementation for Unix/Linux
variants.

Surfboard is reported to be prone to directory traversal attacks.  By
submitting directory traversal sequences in a web request, it is possible
to break out of the server root directory and browse the file system.  A
remote attacker may exploit this vulnerability to gain access to sensitive
server-readable files on the system hosting the software.

Successful exploitation could allow an attacker to gain access to
sensitive information that may be useful when launching further attacks
against a system hosting the vulnerable software.

MoinMoin Unspecified Cross-Site Scripting Vulnerability
BugTraq ID: 9135
Remote: Yes
Date Published: Dec 01 2003
Relevant URL: http://www.securityfocus.com/bid/9135
Summary:
MoinMoin is a Wiki-type program written in Python.  It is available for
the Unix and Linux platforms, and is freely-available and open source.

Problems have been identified in the handling of some types of input by
MoinMoin.  Because of this, an attacker may be able to execute code in the
browser of target victims.

Specific details concerning the issue are not available.  Like any
cross-site scripting attack, this issue is conjectured to require the
click of a malicious link by a target victim, which in turn executes
script code in the security context of the site hosting the vulnerable
software.  This Bugtraq ID will be updated if more information is made
available.

Linux Kernel do_brk Function Boundary Condition Vulnerabilit...
BugTraq ID: 9138
Remote: No
Date Published: Dec 01 2003
Relevant URL: http://www.securityfocus.com/bid/9138
Summary:
do_brk() is a function called indirectly by a number of kernel procedures,
including the brk() system call and the ELF and a.out loading mechanisms.
The do_brk() function is used to shrink and expand anonymous
(uninitialized) heap memory for a given process.

On Linux systems, each process is granted limited access to a specific
range of virtual memory, ranging from 0 to that defined by the TASK_SIZE
variable. This range is further subdivided into logical sections; these
sections may also be referred to as virtual memory areas. The contents of
memory outside of this range are deemed inaccessible to userland and are
used to store the kernel code and its various data structures; this region
of memory is protected with page protection mechanisms.

A flaw has been discovered in the do_brk() function when handling
user-supplied addresses. By passing a specially formatted address, it may
be possible to gain access to an anonymous map of memory exceeding the
TASK_SIZE limit and extending into a region of protected memory used by
the kernel. As a result, an attacker may be capable of ultimately reading
or writing to almost arbitrary kernel memory, allowing for reliable
attacks against vulnerable systems. It has been reported that it is also
possible to reliably exploit this issue on systems running memory
protection mechanisms such as grsecurity.

It should be noted that the impact of this type of vulnerability is
exaggerated by the fact that it can be coupled with less severe remote
vulnerabilities to allow for effective remote root exploits, including
chroot() breaking and other facilities.

This issue was addressed in release 2.4.23-pre7 and 2.6.0-test6 of the
Linux kernel. All prior versions are believed to be vulnerable.

Cisco Aironet Access Point Wired Equivalent Privacy Key Disc...
BugTraq ID: 9143
Remote: Yes
Date Published: Dec 02 2003
Relevant URL: http://www.securityfocus.com/bid/9143
Summary:
The Cisco Aironet appliance is a wireless LAN solution.

Cisco Aironet Access Points that are running Cisco IOS have been reported
prone to an information disclosure vulnerability that could lead to the
disclosure of wired equivalent privacy (WEP) keys.

The issue has been reported to exist if the 'snmp-server enable traps
wlan-wep' command has been set. The issue presents itself because when
this functionality is enabled the Cisco Aironet Access Point will send the
WEP key in a plain text format to the simple network management protocol
(SNMP) server. This will occur every time a WEP key is modified or the
Aironet Access Point is rebooted.

An attacker may exploit this issue by intercepting and disclosing wired
equivalent privacy keys that are in transit to the SNMP server.

It should be noted that dynamically configured WEP keys are not reported
to be affected by this vulnerability. The vendor has reported that a WEP
key is defined as dynamically configured if one of the supported
extensible authentication protocols (EAP) is used.

[ hardware, and in any case WEP ... ]

GnuPG External HKP Format String Vulnerability
BugTraq ID: 9144
Remote: Yes
Date Published: Dec 03 2003
Relevant URL: http://www.securityfocus.com/bid/9144
Summary:
GnuPG is prone to a remotely exploitable format string vulnerability in
the external HKP interface.  This is due to incorrect usage of fprintf()
in gpgkeys_hkp.c, allowing format specifiers to be supplied by an
external source.  Format string vulnerabilities typically allow
attacker-supplied data to be written to an arbitrary location in memory,
allowing for execution of arbitrary code.  This issue could be exploited
by a malicious HKP keyserver while the software is retrieving a key.

It should be noted that the external HKP interface is not enabled by
default in the GnuPG 1.2 stable branch but has been enabled in the 1.3
development branch.

Linux Kernel Concurrent Threaded Function Calls Local Denial...
BugTraq ID: 9148
Remote: No
Date Published: Dec 02 2003
Relevant URL: http://www.securityfocus.com/bid/9148
Summary:
A local denial of service vulnerability has been discovered in the Linux
kernel. The problem is said to occur due to an incorrect error return if a
fork() operation was carried out concurrently with a threaded exit() call.
Although unconfirmed, it is likely that the erroneous error value returned
might cause the kernel to believe that no error actually occurred and
subsequently carry out some operation that would cause it to panic.

Successful exploitation of this issue could result in a malicious
unprivileged userland application crashing a vulnerable system,
effectively denying service to all other users.

The precise technical details regarding this issue are currently unknown;
however, this BID will be updated as further analysis is carried out on
the problem.

The affected version information regarding this issue has not yet been
confirmed. Please see the Solutions information for further details.

Linksys WRT54G Router Blank HTTP GET Request Denial Of Servi...
BugTraq ID: 9152
Remote: Yes
Date Published: Dec 03 2003
Relevant URL: http://www.securityfocus.com/bid/9152
Summary:
The Linksys WRT54G is a wireless router appliance, developed to meet
upcoming 54Mbps wireless networking standards. The router provides a web
server that is normally used to manage the router.

The Linksys WRT54G router has been reported prone to a denial of service
vulnerability while handling blank HTTP GET requests received on either
port 80 or port 8080. It has been reported that when the affected
appliance handles a request of this type the embedded web server will
halt, requiring the appliance to be power cycled in order to regain normal
functionality.

An attacker may exploit this condition to deny service to the affected
router.

It should be noted that while this vulnerability has been reported to
affect Linksys WRT54G appliances with firmware version 1.42.3 installed,
other firmware versions might also be affected.

[ hardware ]

RSync Daemon Mode Undisclosed Remote Heap Overflow Vulnerabi...
BugTraq ID: 9153
Remote: Yes
Date Published: Dec 04 2003
Relevant URL: http://www.securityfocus.com/bid/9153
Summary:
The rsync program is used to synchronize files and directory structures
across a network. It is commonly used to maintain mirrors of ftp sites,
often through anonymous access to the rsync server. It is available for
Linux and other Unix operating systems.

rsync has been reported prone to an undisclosed heap overflow
vulnerability when running in daemon mode. The issue has been reported to
be remotely exploitable and will provide for an execution of arbitrary
code. It has been reported that exploitation of this issue is made easier
if the "use chroot = no" option is set in the rsyncd.conf configuration
file.

There have been reports that this issue is being exploited in conjunction
with the Linux Kernel do_brk function boundary condition vulnerability
described in BID 9138. Customers are advised to apply fixes that address
the issue described in BID 9138.

This BID will be updated as further information regarding this
vulnerability is disclosed.

This vulnerability has been reported to affect rsync version 2.5.6 and
earlier versions.

Linux Kernel 2.4 RTC Handling Routines Memory Disclosure Vul...
BugTraq ID: 9154
Remote: No
Date Published: Dec 04 2003
Relevant URL: http://www.securityfocus.com/bid/9154
Summary:
The Linux kernel 2.4 tree has been reported prone to a memory disclosure
vulnerability. The issue is reported to present itself in kernel real time
clock interface procedures, and may result in kernel memory stack data
being leaked into userland when the RTC is read.  It is likely that this
data will be random.

An attacker may exploit this condition to disclose potentially sensitive
data such as credentials that may aid in further attacks against the
affected system.

Few details regarding this vulnerability are currently known. This BID
will be updated as further details are disclosed.

It should be noted that although this vulnerability has been reported to
affect the 2.4 kernel tree, other versions might also be affected.
