[gull-annonces] Résumé: SecurityFocus Newsletter #218

Marc SCHAEFER schaefer at alphanet.ch
Wed Oct 15 09:11:02 CEST 2003


OpenSSL ASN.1 Parsing Vulnerabilities
BugTraq ID: 8732
Remote: Yes
Date Published: Sep 30 2003
Relevant URL: http://www.securityfocus.com/bid/8732
Summary:
Multiple vulnerabilities were reported in the ASN.1 parsing code in
OpenSSL.  OpenSSL does not directly implement ASN.1 but does use ASN.1
objects in X.509 certificates and various other cryptographic elements.
The following issues were reported:

Two flaws in the ASN.1 parser could lead to denial of service attacks.

The first bug may be exploited to cause an out of bounds read operation to
occur, most likely resulting in a denial of service.  This can be
triggered by a malformed or unusual ASN.1 tag value.  The second of the
described bugs occurs if an application is configured to ignore public key
decode errors (specifically the
X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY error).  This is reportedly
not a common configuration in production setups but some applications may
ignore decode errors for debugging reasons.  As a result, the impact and
exposure will vary depending on the targeted application and some
applications may be more vulnerable to attacks than others.  Remote
attackers can exploit this issue with a maliciously crafted SSL client
certificate.  CAN-2003-0543 and CAN-2003-0544 correspond to these two
denial of service issues.  The issues are reported to exist in SSLeay and
OpenSSL versions prior to 0.9.7c or 0.9.6k.

Another vulnerability related to ASN.1 parsing was reported in OpenSSL
0.9.7.  ASN.1 encodings that are rejected by the parser due to being
invalid may potentially trigger a memory management error.  In particular,
a double free may result due to an ASN.1 structure (ASN1_TYPE) being
deallocated incorrectly.  This reportedly could be leveraged to corrupt
stack memory.  In this manner, sensitive stack variables such as
instruction pointers could be overwritten with attacker-supplied values.
The issue could be exploited by remote attackers via a maliciously crafted
SSL client certificate.  This issue has been assigned CVE name
CAN-2003-0545.

An additional weakness was reported that may aid in exploitation of these
issues.  In some circumstances, a client may force a server to parse a
client certificate when one has not been specifically requested.  This
could even occur with server implementations that don't enable client
authentication.

Any applications which use the OpenSSL ASN.1 library to handle external
data may present an attack vector for these vulnerabilities.

These issues are pending further analysis and will be separated into
individual BIDs when analysis is complete.

It should be noted that only the k8, k9, and k91 images for Catalyst 6500
series switches and 7200 series Routers of the 12.2SX and 12.2SY release
trains are affected.
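The out-of-bounds read described above is the failure mode of an ASN.1 parser that trusts tag or length octets before checking them against the buffer it was given. The following is an added example, not OpenSSL's code, of a DER tag-length header decoder written with the bounds checks such a parser needs; the type and function names are hypothetical.

```c
/* Added example (not OpenSSL code): decoding a DER tag-length header with
 * explicit bounds checks, so an unusual tag value or an over-long length
 * is rejected instead of driving a read past the end of the buffer. */
#include <stddef.h>
#include <stdint.h>

typedef struct {
    uint32_t tag;        /* tag number, high-tag-number form decoded */
    int constructed;     /* 1 if the constructed bit (0x20) was set */
    size_t length;       /* declared content length */
    size_t header_len;   /* octets consumed by the tag and length fields */
} der_header;

/* Returns 0 on success, -1 if the header is malformed, non-minimal, or
 * describes content that does not fit inside the 'len' bytes at 'buf'. */
int der_parse_header(const uint8_t *buf, size_t len, der_header *out)
{
    size_t pos = 0;
    if (len == 0) return -1;

    uint8_t first = buf[pos++];
    out->constructed = (first & 0x20) != 0;
    uint32_t tag = first & 0x1f;
    if (tag == 0x1f) {                 /* high-tag-number form: base-128 */
        int octets = 0;
        tag = 0;
        for (;;) {
            if (pos >= len) return -1;     /* tag runs off the buffer */
            if (++octets > 4) return -1;   /* cap at 28 bits: no overflow */
            uint8_t b = buf[pos++];
            tag = (tag << 7) | (b & 0x7f);
            if (!(b & 0x80)) break;
        }
        if (tag < 0x1f) return -1;         /* DER requires minimal form */
    }
    out->tag = tag;

    if (pos >= len) return -1;             /* no length octet at all */
    uint8_t lb = buf[pos++];
    size_t length;
    if (lb < 0x80) {
        length = lb;                       /* short form */
    } else {
        size_t n = lb & 0x7f;              /* number of length octets */
        if (n == 0 || n > sizeof(size_t)) return -1;  /* indefinite / too wide */
        if (n > len - pos) return -1;      /* length octets truncated */
        length = 0;
        for (size_t i = 0; i < n; i++) length = (length << 8) | buf[pos++];
        if (length < 0x80) return -1;      /* long form used needlessly */
    }
    if (length > len - pos) return -1;     /* content would overrun buffer */
    out->length = length;
    out->header_len = pos;
    return 0;
}

/* Convenience wrapper: the decoded tag number, or -1 if rejected. */
long der_header_tag(const uint8_t *buf, size_t len)
{
    der_header h;
    return der_parse_header(buf, len, &h) == 0 ? (long)h.tag : -1;
}
```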

OpenSSL SSLv2 Client_Master_Key Remote Denial Of Service Vul...
BugTraq ID: 8746
Remote: Yes
Date Published: Oct 02 2003
Relevant URL: http://www.securityfocus.com/bid/8746
Summary:
OpenSSL is an open source implementation of the SSL protocol.

OpenSSL SSLv2 has been reported prone to a remotely triggered denial of
service when processing a specially crafted malicious CLIENT_MASTER_KEY
message.

It has been reported that a remote attacker may use a maliciously crafted
CLIENT_MASTER_KEY message to influence the execution flow of a vulnerable
service implementing SSLv2 into a die() procedure. This will effectively
cause the affected process to abort, denying service to legitimate users.

An attacker may flood an affected service with malicious CLIENT_MASTER_KEY
messages, persistently denying service for legitimate users. Other attacks
may also be possible. The impact and exposure may vary depending on the
particular applications that use vulnerable OpenSSL libraries.

This vulnerability is not reported to be present in OpenSSL versions
greater than 0.9.6f of the 0.9.6 series of releases, because the use of
the die() procedure is no longer implemented.  It is not known whether the
0.9.7 series is also affected.

FreeBSD Kernel ProcFS Handler UIO_Offset Integer Overflow Vu...
BugTraq ID: 8748
Remote: No
Date Published: Oct 02 2003
Relevant URL: http://www.securityfocus.com/bid/8748
Summary:
All versions of the FreeBSD kernel have been reported prone to an integer
overflow vulnerability. The issue presents itself in the procfs handling
procedures, and has been reported to be due to a lack of sufficient sanity
checks performed on 'uio' offset parameters.

It has been reported that a local attacker may exploit this condition
because it is possible to indirectly influence the value for the 'uio'
offset. Ultimately an attacker may trigger an integer overflow or
underflow condition. This may result in a read attempt from non-resident
kernel memory, triggering a kernel panic and effectively denying service
to legitimate users. A local attacker may also exploit this issue to
disclose potentially sensitive data stored in regions of memory that would
otherwise be restricted.

This issue has been reported to be exploitable on systems that have procfs
enabled.

FreeBSD Kernel Readv() Integer Overflow Vulnerability
BugTraq ID: 8749
Remote: No
Date Published: Oct 02 2003
Relevant URL: http://www.securityfocus.com/bid/8749
Summary:
A local vulnerability has been discovered within the FreeBSD kernel. The
problem occurs within the readv() system call, which is used to read data
and scatter it into an arbitrary number of buffers specified by an
argument.

When a file is accessed by a system call in FreeBSD, such as open() or
dup2(), the reference counter (f_count) for that file is incremented using
the fhold() function and when access is complete the counter is
decremented by fdrop().

It has been discovered that the readv() system call fails to call the
fdrop() function after a specific procedure had previously triggered a
call to fhold(). As a result, by triggering a large number of calls to
fhold() in a call to readv(), it may be possible to cause the f_count
integer value to wrap.

It has been reported that this integer overflow can be triggered by
supplying an overly large iovcnt variable in a call to readv(). As a
result, an attacker may potentially be capable of triggering kernel memory
corruption. This could ultimately result in a system panic or could
possibly be leveraged to elevate local privileges to that of the root
user.

FortiGate Firewall Web Filter Logs HTML Injection Vulnerabil...
BugTraq ID: 8750
Remote: Yes
Date Published: Oct 02 2003
Relevant URL: http://www.securityfocus.com/bid/8750
Summary:
FortiGate are a series of commercial firewall appliances which run an
embedded operating system entitled FortiOS.

The FortiGate web interface is prone to an HTML injection vulnerability.
Denied requests are logged into a web filter log which is viewable through
the web administrative interface.  HTML and script code will not be
sanitized when these requests are logged.  To exploit this issue, the
attacker must construct a request for a resource that will be denied by the
firewall, based on the defined policies of the targeted firewall.
Malicious code could then be embedded in the request, which will be logged
as part of the request.

An attacker could exploit this to cause hostile code to be rendered in the
browser of an administrative user who views the logs.  This could result
in theft of cookie-based authentication credentials from the firewall
administrator, potentially allowing for firewall compromise.  Since the
attacker can control how the logs will be rendered to the administrator,
it is also possible to spoof or conceal log entries.

This issue reportedly exists in FortiOS releases prior to 2.50MR4.

[ hardware ]

Inter7 VPopMail Configuration File Insecure Default Permissi...
BugTraq ID: 8751
Remote: No
Date Published: Oct 02 2003
Relevant URL: http://www.securityfocus.com/bid/8751
Summary:
vpopmail is a freely available, open source virtual domain handling
software package.  It is available for the Unix and Linux operating
systems.

A problem has been identified in the default configuration of vpopmail.
Because of this, an attacker may be able to gain access to potentially
sensitive information.

The problem is in the creation of the configuration file.  When vpopmail
is compiled with MySQL support, authentication data is stored in the
/etc/vpopmail.conf file.  This file is created with world-readable
permissions, which may reveal sensitive information such as authentication
credentials for the database.  An attacker could use these credentials to
potentially gain access to the database as the vpopmail database user.

This problem has been reported on Gentoo Linux, but may affect other
operating systems.

Cisco CatOS Password Prompt Unauthorized Remote Command Exec...
BugTraq ID: 8752
Remote: Yes
Date Published: Oct 03 2003
Relevant URL: http://www.securityfocus.com/bid/8752
Summary:
It has been alleged that it is possible for remote attackers to execute
arbitrary commands without proper authorization.  Reportedly it is
possible to execute shell commands from the password prompt on a device
running a vulnerable version of CatOS.  The attacker must be able to
connect to a vulnerable device via telnet, though it has not been ruled
out that other remote administrative services such as SSH also present
attack vectors.

The discoverer of this vulnerability has stated that it is possible to
exploit this issue by submitting a shell command to the password prompt,
followed by a space and a question mark.

Symantec has not been able to confirm the existence of the vulnerability,
which is of a very serious nature.  However, the author of the report
insists that the issue is legitimate.  This BID will be updated or retired
based on any follow-up information that becomes available.

This issue has been reported in CatOS versions 5.4(2) and 5.5(2) on Cisco
Catalyst 6509 switches.  Other devices and CatOS versions may also be
similarly affected.

Cisco has replied to this issue stating that it cannot be used to execute
commands, retrieve information from the device, or reveal information
about traffic processed by the device.  Details are available to
registered Cisco users at:
http://www.cisco.com/pcgi-bin/Support/Bugtool/onebug.pl?bugid=CSCdr87435

Since this issue cannot be exploited to compromise any security properties
on the device, this BID will be retired.

[ hardware ]

Cisco PIX ICMP Echo Request Network Address Translation Pool...
BugTraq ID: 8754
Remote: Yes
Date Published: Oct 03 2003
Relevant URL: http://www.securityfocus.com/bid/8754
Summary:
A problem has been reported in Cisco PIX network firewalls when global IP
address pools are exposed to ICMP traffic.  This may result in a denial of
service to network resources.

The problem is in the handling of ICMP echo requests.  When a pool of
addresses is dedicated to the task of network address translation, the
Cisco PIX behavior dictates that traffic received for a specific address
means that the address is in use.

However, ICMP echo traffic floods for addresses in the Network Address
Translation (NAT) pool keep the addresses in an active state, whether or
not the addresses are actually in use.  Because of this, it is possible
for a remote system to flood the host with requests for addresses in the
pool, exhausting the pool of NAT addresses, and preventing traffic from
crossing the PIX to external points.

[ hardware ]

Cisco LEAP Password Disclosure Weakness
BugTraq ID: 8755
Remote: Yes
Date Published: Oct 03 2003
Relevant URL: http://www.securityfocus.com/bid/8755
Summary:
Cisco LEAP is a mutual authentication algorithm based on the Extensible
Authentication Protocol (EAP).  LEAP is used with wireless networks and
relies on the user's logon password for authentication.

Weaknesses in the Cisco LEAP protocol have been reported to exist in the
software that may allow a remote attacker to gain access to user passwords
shared by the client and the network.  This problem may allow an attacker
to brute force user passwords by employing dictionary attacks.

Successful exploitation of this weakness may allow a remote attacker to
steal authentication information, potentially allowing for unauthorized
network access.

[ hardware ]

Sun Cobalt RaQ Message.CGI Cross-Site Scripting Vulnerabilit...
BugTraq ID: 8757
Remote: Yes
Date Published: Oct 03 2003
Relevant URL: http://www.securityfocus.com/bid/8757
Summary:
RaQ is a server appliance originally developed by Cobalt. It is now
distributed and maintained by Sun Microsystems.

A problem with message.cgi script used by Cobalt RaQ appliances could lead
to cross-site scripting.  This could result in attacks attempting to steal
authentication information.

The problem is in the handling of input by the message.cgi script.  Due to
insufficient sanitizing of input, it is possible to render arbitrary
script code through the vulnerable script on Cobalt RaQ systems.  The
attacker must pass the malicious input through the info variable.

[ hardware ]

Conectiva Vixie-Cron Package Potential Denial Of Service Vul...
BugTraq ID: 8759
Remote: No
Date Published: Oct 03 2003
Relevant URL: http://www.securityfocus.com/bid/8759
Summary:
Vixie cron is an implementation of the popular UNIX program that runs
user-specified programs at periodic scheduled times.

The Conectiva Vixie-Cron package has been reported prone to a potential
denial of service vulnerability. The issue was introduced in a previous
Vixie-Cron package update that was designed to address the vulnerability
described in BID 2687. This package was found to introduce a problem
whilst using cron.allow and cron.deny, to control access to the crontab
application. It has been reported that if these files contain more than
one user the crontab program will fail.

A local attacker, who has the ability to write data into cron.allow and
cron.deny files, may instigate an efficient denial of service against the
crontab program.

Conectiva has addressed this issue by releasing an updated package; all
users are advised to apply the applicable packages as soon as possible.

Netscreen ScreenOS DHCP Packet Buffer Padding Information Le...
BugTraq ID: 8762
Remote: Yes
Date Published: Oct 03 2003
Relevant URL: http://www.securityfocus.com/bid/8762
Summary:
NetScreen is a line of Internet security appliances integrating firewall,
VPN and traffic management features. ScreenOS is the software used to
manage and configure the firewall. NetScreen supports Microsoft Windows
95, 98, ME, NT and 2000 clients.

A vulnerability has been discovered in Netscreen ScreenOS when the
associated device is acting as a DHCP server. Appliances that are not
hosting DHCP services are not affected by this issue.

The problem specifically lies in the fact that the application fails to
re-initialize or zero out a specific memory buffer prior to using the
memory to generate DHCP response packets. It has been discovered that this
buffer may have previously been used to store HTTP management session
information.

An attacker could exploit this issue by making a DHCP request and
recording the sensitive data located within the packet. This could
ultimately expose encoded authentication credentials to the attacker that
could be used to launch further attacks against the appliance.

[ hardware ]

Conexant AccessRunner DSL Console Authentication Bypass Vuln...
BugTraq ID: 8765
Remote: Unknown
Date Published: Oct 04 2003
Relevant URL: http://www.securityfocus.com/bid/8765
Summary:
The Conexant AccessRunner DSL Console is the interface for administering
and configuring the DSL device.

The Conexant AccessRunner DSL Console is vulnerable to an authentication
bypass issue.

Reportedly, when the device prompts a user for a password, an attacker can
bypass the authentication by simply entering an invalid password.  When
the screen displaying the incorrect password message is displayed, the
attacker simply has to press the 'Enter' key to gain access to the
console.

** The discoverer of this issue has reported that it may not be present in
some devices.  There is currently no known reason for why some devices are
vulnerable while others are not.  This record will be updated if and when
further details become available.

[ hardware ]

JBoss HSQLDB Remote Command Injection Vulnerability
BugTraq ID: 8773
Remote: Yes
Date Published: Oct 06 2003
Relevant URL: http://www.securityfocus.com/bid/8773
Summary:
JBoss is a freely available, open source Java Application server. It is
distributed and maintained by JBoss Group and is available for a number of
platforms including Microsoft Windows and Unix/Linux variants.

A remote command injection vulnerability has been reported in JBoss.  The
issue is reportedly exposed via the HSQLDB component, which is a SQL
database server that manages JMS connections.  A number of unspecified
flaws cause this condition, including programming errors in the sun.*
classes, logic errors in the org.apache.* classes of the JDK and the
default configuration settings.  As a result, it is possible to pass
commands to the HSQLDB component via the port it listens on.  It should be
noted that the port may vary between versions, by default it is 1701/TCP
for version 3.2.1 and 1476/TCP for 3.0.8.

It has been reported that this issue could be exploited to mount a number
of attacks, including execution of database commands, denial of service
attacks, log manipulation, information disclosure and execution of
operating system commands on some supported platforms.

This issue is reported to exist with JBoss 3.2.1/3.0.8 on any Java
1.4.x-enabled platforms.  Other versions may be similarly affected.

The consequences may vary depending on the capabilities of the underlying
operating system, but it is believed that this could be exploited to
execute arbitrary operating system commands on Windows 2000 and XP
systems.

SuSE Linux SuSEWM Configuration File Insecure Temporary File...
BugTraq ID: 8778
Remote: No
Date Published: Oct 06 2003
Relevant URL: http://www.securityfocus.com/bid/8778
Summary:
SuSEConfig is a component of the SuSE Linux operating system.  It is
designed to be a standardized configuration tool to SuSE operating
systems.

A problem exists in the SuSEWM configuration file used by SuSEConfig.
Because of this, it may be possible for a local attacker to gain elevated
privileges.

The problem is in the handling of temporary files.  When the configuration
file is executed by SuSEConfig, the predictable temporary file
/tmp/susewm.$$ is created, where $$ signifies an arbitrary value.
Improper file creation checks make it possible for an attacker to
symbolically link a predicted file name to a sensitive system file.  Upon
execution of SuSEConfig, the contents of the file at the end of the
symbolic link will be modified.

The reported impact is privilege escalation, though the method through
which this is gained is unclear.  This BID will be further updated as more
information becomes available.

SuSE Linux JavaRunt Configuration File Insecure Temporary Fi...
BugTraq ID: 8779
Remote: No
Date Published: Oct 06 2003
Relevant URL: http://www.securityfocus.com/bid/8779
Summary:
SuSEConfig is a component of the SuSE Linux operating system.  It is
designed to be a standardized configuration tool to SuSE operating
systems.

A problem exists in the JavaRunt configuration file used by SuSEConfig.
Because of this, it may be possible for a local attacker to gain elevated
privileges.

The problem is in the handling of temporary files.  When the configuration
file is executed by SuSEConfig, the predictable temporary file
/tmp/.java_wrapper is created.  Improper file creation checks make it
possible for an attacker to symbolically link the predicted file name to a
sensitive system file.  Upon execution of SuSEConfig, the contents of the
file at the end of the symbolic link will be corrupted, potentially with
attacker-supplied data.  Exploitation could permit privilege escalation.

The reported impact is privilege escalation, though the method through
which this is gained is unclear.  This BID will be further updated as more
information becomes available.

SLocate User-Supplied Database Heap Overflow Vulnerability
BugTraq ID: 8780
Remote: No
Date Published: Oct 06 2003
Relevant URL: http://www.securityfocus.com/bid/8780
Summary:
slocate is the Secure Locate program. It is available for various UNIX and
Linux operating systems, and is maintained by public domain.

It has been reported that a vulnerability exists in the handling of
user-supplied databases by slocate.  Because of this, an attacker may be
able to gain elevated privileges.

The problem is a heap-based off-by-one condition.  Because of this, it is
possible for an attacker to potentially overwrite memory management
structures with attacker-supplied values.  This could allow an attacker to
execute code with the privileges of the slocate program, typically
installed with setgid privileges of the slocate group.

This problem may be related to the issue identified in Bugtraq ID 7629.
