[gull-annonces] Summary of SecurityFocus Newsletter #306

Marc SCHAEFER schaefer at alphanet.ch
Sun Jul 24 09:40:53 CEST 2005


Clam Anti-Virus clamav Cabinet File Parsing Remote Denial Of Service 
Vulnerability
BugTraq ID: 14089
Remote: Yes
Date Published: 2005-06-29
Relevant URL: http://www.securityfocus.com/bid/14089
Summary:
A remote denial of service vulnerability affects clamav.  This issue is due 
to a failure of the application to properly handle malicious Cab file 
content.

An attacker may leverage this issue to crash the Clam Anti-Virus daemon, 
potentially leaving an affected computer open to infection by malicious code.

Clam Anti-Virus clamav MS-Expand File Parsing Remote Denial Of Service 
Vulnerability
BugTraq ID: 14090
Remote: Yes
Date Published: 2005-06-29
Relevant URL: http://www.securityfocus.com/bid/14090
Summary:
A remote denial of service vulnerability affects clamav.  This issue is due 
to a failure of the application to properly handle MS-Expand files.

An attacker may leverage this issue to cause the Clam Anti-Virus daemon to 
cease functioning correctly, leaving an affected computer open to infection 
by malicious code.

Cisco IOS AAA RADIUS Authentication Bypass Vulnerability
BugTraq ID: 14092
Remote: Yes
Date Published: 2005-06-29
Relevant URL: http://www.securityfocus.com/bid/14092
Summary:
Cisco IOS Remote Authentication Dial In User Service (RADIUS) is prone to a 
remote authentication bypass vulnerability.

The issue manifests when Cisco IOS is configured to employ AAA RADIUS 
authentication and is configured to use 'none' as a fallback method.

A remote attacker may exploit this issue to bypass authentication and gain 
unauthorized access to the affected service.

[ firmware ]
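
A configuration audit for the condition described in the Cisco IOS entry above, as an added example that is not part of the original newsletter or Cisco's tooling. It flags AAA authentication method lists that use a RADIUS group and later fall back to 'none'; the sample configuration, group name and address are constructed.

```python
import re

# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = """\
aaa new-model
aaa group server radius CORP-RADIUS
 server 192.0.2.10
aaa authentication login default group radius none
aaa authentication login VTY group CORP-RADIUS local
aaa authentication ppp default group CORP-RADIUS none
aaa authentication login CONSOLE local
"""


def radius_groups(config):
    """Names that denote RADIUS server groups, including the built-in 'radius'."""
    names = {"radius"}
    names.update(re.findall(r"^aaa group server radius (\S+)", config, re.M))
    return names


def find_none_fallback(config):
    """Return (service, list_name) for lists where 'none' follows a RADIUS group."""
    groups = radius_groups(config)
    findings = []
    for m in re.finditer(r"^aaa authentication (\S+) (\S+) (.+)$", config, re.M):
        service, list_name = m.group(1), m.group(2)
        methods = m.group(3).split()
        for i in range(len(methods) - 1):
            # A RADIUS method is written as the keyword 'group' plus a group name.
            if methods[i] == "group" and methods[i + 1] in groups:
                if "none" in methods[i + 2:]:
                    findings.append((service, list_name))
                break
    return findings


if __name__ == "__main__":
    for service, list_name in find_none_fallback(SAMPLE_CONFIG):
        print(f"{service} list '{list_name}': RADIUS with 'none' fallback")
```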

FreeBSD IPFW Address Table Lookup Atomicity Error Firewall Rule Bypass 
Vulnerability
BugTraq ID: 14102
Remote: Yes
Date Published: 2005-06-29
Relevant URL: http://www.securityfocus.com/bid/14102
Summary:
FreeBSD IPFW is prone to an atomicity error that might result in erroneous 
lookup table matching under certain circumstances. Reports indicate the 
issue exists on SMP (Symmetric Multi-Processor) based platforms, or on UP 
(Uni Processor) platforms that have a system kernel configured with 
'PREEMPTION' functionality enabled. (Note: This is not a default 
configuration).

This issue may be leveraged to aid in attacks launched against target 
computers that are protected by the affected firewall.

FreeBSD TCP Stack Established Connection Denial of Service Vulnerability
BugTraq ID: 14104
Remote: Yes
Date Published: 2005-06-29
Relevant URL: http://www.securityfocus.com/bid/14104
Summary:
FreeBSD TCP stack is affected by a remote denial of service vulnerability.

This issue arises when an affected computer with an established connection 
receives a TCP packet with the SYN flag set and accepts it.

A successful attack can deny service for a target connection. 

All FreeBSD releases are vulnerable to this issue.

Apache HTTP Request Smuggling Vulnerability
BugTraq ID: 14106
Remote: Yes
Date Published: 2005-06-30
Relevant URL: http://www.securityfocus.com/bid/14106
Summary:
Apache is prone to an HTTP request smuggling attack.

A specially crafted request with a 'Transfer-Encoding: chunked' header and a 
'Content-Length' can cause the server to forward a reassembled request with 
the original 'Content-Length' header.  Due to this, the malicious request 
may piggyback with the valid HTTP request.

It is possible that this attack may result in cache poisoning, cross-site 
scripting, session hijacking and other attacks.

This issue was originally described in BID 13873 (Multiple Vendor Multiple 
HTTP Request Smuggling Vulnerabilities).  Due to the availability of more 
details and vendor confirmation, it is being assigned a new BID.
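
How an intermediary can detect and neutralise the header conflict described in the Apache entry above, as an added example that is not part of the original newsletter or Apache's code. It follows the rule in RFC 7230 section 3.3.3 that chunked framing overrides 'Content-Length' and that the forwarded request must carry a recomputed length; the sample request and function names are constructed.

```python
# Added example; the request below is constructed, not captured traffic.
SAMPLE = (b"POST /form HTTP/1.1\r\nHost: example.test\r\n"
          b"Content-Length: 3\r\nTransfer-Encoding: chunked\r\n\r\n"
          b"5\r\nhello\r\n0\r\n\r\n")

def parse_request(raw):
    """Split a raw HTTP/1.1 request into (request_line, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body

def dechunk(body):
    """Decode a chunked body; ValueError on malformed or truncated framing."""
    out, pos = b"", 0
    while True:
        eol = body.index(b"\r\n", pos)  # raises ValueError if no size line
        size = int(body[pos:eol].split(b";")[0], 16)
        if size == 0:
            return out
        chunk = body[eol + 2:eol + 2 + size]
        if size < 0 or len(chunk) != size or body[eol + 2 + size:eol + 4 + size] != b"\r\n":
            raise ValueError("malformed chunk")
        out += chunk
        pos = eol + 4 + size

def has_length_conflict(raw):
    """True when a request carries both Transfer-Encoding and Content-Length."""
    names = {n for n, _ in parse_request(raw)[1]}
    return {"transfer-encoding", "content-length"} <= names

def reframe_for_backend(raw):
    """Rebuild the request so exactly one, recomputed, length header remains."""
    request_line, headers, body = parse_request(raw)
    te = [v.lower() for n, v in headers if n == "transfer-encoding"]
    cl = {v for n, v in headers if n == "content-length"}
    if len(cl) > 1 or (te and te != ["chunked"]):
        raise ValueError("ambiguous message framing")
    if te:
        body = dechunk(body)  # chunked framing wins; client Content-Length is dropped
    else:
        body = body[:int(cl.pop())] if cl else b""
    kept = [(n, v) for n, v in headers if n not in ("transfer-encoding", "content-length")]
    kept.append(("content-length", str(len(body))))
    head = "\r\n".join([request_line] + [f"{n}: {v}" for n, v in kept])
    return head.encode("latin-1") + b"\r\n\r\n" + body
```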

NetBSD CLCS / EMUXKI Audio Driver Local Denial of Service Vulnerability
BugTraq ID: 14122
Remote: No
Date Published: 2005-06-30
Relevant URL: http://www.securityfocus.com/bid/14122
Summary:
NetBSD has reported a local denial of service condition due to a 
kernel-level bug in the clcs and emuxki audio drivers.  NetBSD versions 1.6 
to 2.0.2 are affected.

Local users with access to the audio device can cause a kernel failure on 
systems with specific hardware.  The devices associated with the drivers are:

CS4280/4281, SB Live, or SB PC 512 

This is a vulnerability on multi-user systems where local users have access 
to the audio device.  In anticipation of systems where users do not, 
multimedia applications may be installed with setuid permissions.  These may 
provide channels of attack if they themselves have vulnerabilities of their 
own.

OpenLDAP TLS Plaintext Password Vulnerability
BugTraq ID: 14125
Remote: Yes
Date Published: 2005-07-01
Relevant URL: http://www.securityfocus.com/bid/14125
Summary:
OpenLDAP is affected by a password disclosure vulnerability when used with 
TLS.

This issue arises when a connection to a slave is established using TLS and 
the client is referred to a master.  TLS is not used with this connection, 
which can allow an attacker to sniff network traffic and obtain user 
credentials.

OpenLDAP 2.1.25 is known to be vulnerable at the moment.  Other versions may 
be affected as well.

PADL Software PAM_LDAP TLS Plaintext Password Vulnerability
BugTraq ID: 14126
Remote: Yes
Date Published: 2005-07-01
Relevant URL: http://www.securityfocus.com/bid/14126
Summary:
PAM_LDAP is affected by a password disclosure vulnerability when used with 
TLS.

This issue arises when a connection to a slave is established using TLS and 
the client is referred to a master.  TLS is not used with this connection, 
which can allow an attacker to sniff network traffic and obtain user 
credentials.

PAM_LDAP build 166 is known to be vulnerable at the moment. Other versions 
may be affected as well.

osTicket Multiple Input Validation Vulnerabilities
BugTraq ID: 14127
Remote: Yes
Date Published: 2005-07-01
Relevant URL: http://www.securityfocus.com/bid/14127
Summary:
osTicket is affected by multiple input validation vulnerabilities.  These 
issues arise due to insufficient sanitization of user-supplied data.

The following specific issues were identified:

The application is prone to an SQL injection vulnerability.  Successful 
exploitation could result in a compromise of the application, disclosure or 
modification of data, or may permit an attacker to exploit vulnerabilities 
in the underlying database implementation.

osTicket is also prone to a local file include vulnerability.  An attacker 
may leverage this issue to execute arbitrary server-side script code that 
resides on an affected computer with the privileges of the Web server 
process. This may potentially facilitate unauthorized access.

osTicket 1.3.1 beta and prior versions are affected.



