[gull-annonces] Summary of SecurityFocus Newsletter #301

Marc SCHAEFER schaefer at alphanet.ch
Fri May 27 10:52:02 CEST 2005


Mozilla Firefox Install Method Remote Arbitrary Code Executi...
BugTraq ID: 13544
Remote: Yes
Date Published: May 07 2005
Relevant URL: http://www.securityfocus.com/bid/13544
Summary:
Mozilla Firefox is prone to a security vulnerability that could result
in the execution of arbitrary code without requiring user interaction.

Initial analysis of the vulnerability reveals that it relies on a
three-stage attack that may lead to an arbitrary script gaining
'UniversalXPConnect' privileges.

It was observed that this issue might be exploited remotely to take
arbitrary actions on the vulnerable computer in the context of the
user that is running the affected browser.

This vulnerability is reported in all versions of Mozilla Firefox
browsers up to 1.0.3.

To be exploitable, a Web site listed in a victim user's configuration
to allow extension installation must be susceptible to a cross-site
scripting vulnerability. By default, 'update.mozilla.org' and
'addon.mozilla.org' are both listed as trusted Web sites for extension
installation.

*Update: The cross-site scripting vulnerability that the publicly
available exploit relied on in the mozilla.org domain has been
fixed. This issue is no longer exploitable through this public attack
vector.

IETF IPSEC Protocol Encapsulating Security Payload Vulnerabi...
BugTraq ID: 13562
Remote: Yes
Date Published: May 09 2005
Relevant URL: http://www.securityfocus.com/bid/13562
Summary:
A vulnerability affects certain configurations of IPSec.

When IPSec is configured to employ Encapsulating Security Payload
(ESP) in tunnel mode with confidentiality only, where Authentication
Header (AH) is not being used to provide packet integrity protection,
certain attacks against the IPSec protocol are possible.

Reports indicate that these attacks may also potentially be possible
against IPSec when AH is in use, but only under certain unspecified
configurations.

The reported attacks take advantage of the fact that no ESP packet
payload integrity checks exist when ESP is configured in the
aforementioned vulnerable manner.

This issue may be leveraged by an attacker to reveal plaintext IP
datagrams and potentially sensitive information. Information harvested
in this manner may be used to aid in further attacks.

This BID will be updated as further information is made available.

Ethereal DISTCC Dissection Stack Buffer Overflow Vulnerabili...
BugTraq ID: 13567
Remote: Yes
Date Published: May 10 2005
Relevant URL: http://www.securityfocus.com/bid/13567
Summary:
A remote buffer overflow vulnerability affects Ethereal. This issue is
due to a failure of the application to securely copy network-derived
data into sensitive process buffers.  The specific issue exists in the
DISTCC protocol dissector.

An attacker may exploit this issue to execute arbitrary code with the
privileges of the user that activated the vulnerable application. This
may facilitate unauthorized access or privilege escalation.

This vulnerability affects Ethereal versions 0.8.13 through to
0.10.10.

Note that this issue was originally disclosed in BID 13504.

gzip zgrep Arbitrary Command Execution Vulnerability
BugTraq ID: 13582
Remote: Yes
Date Published: May 10 2005
Relevant URL: http://www.securityfocus.com/bid/13582
Summary:
zgrep is reportedly affected by an arbitrary command execution vulnerability.

An attacker may execute arbitrary commands through zgrep command arguments to potentially gain unauthorized access to the affected computer.  It should be noted that this issue only poses a security threat if the arguments originate from a malicious source.

zgrep 1.2.4 was reported vulnerable.  Other versions may be affected as well.

LibTIFF TIFFOpen Buffer Overflow Vulnerability
BugTraq ID: 13585
Remote: Yes
Date Published: May 10 2005
Relevant URL: http://www.securityfocus.com/bid/13585
Summary:
LibTIFF is prone to a buffer overflow vulnerability.  The issue occurs in the
TIFFOpen() function when malformed TIFF files are opened.  Successful
exploitation could lead to arbitrary code execution.

Linux Kernel ELF Core Dump Local Buffer Overflow Vulnerabili...
BugTraq ID: 13589
Remote: No
Date Published: May 11 2005
Relevant URL: http://www.securityfocus.com/bid/13589
Summary:
The Linux kernel is susceptible to a local buffer overflow vulnerability
when attempting to create ELF core dumps. This issue is due to an integer
overflow flaw that results in a kernel buffer overflow during a
copy_from_user() call.

To exploit this vulnerability, a malicious user creates a malicious ELF
executable designed to create a negative 'len' variable in elf_core_dump().

This vulnerability may be exploited by local users to execute arbitrary machine
code in the context of the kernel, facilitating privilege escalation.
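As an added illustration, not the kernel code referenced by this BID, the C below shows how a length computed from attacker-controlled ELF header fields can wrap to a negative or small value and slip past a naive bound check, and how an overflow-checked computation rejects it before any copy takes place. The field names, KBUF_SIZE and all function names are hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>

#define KBUF_SIZE 4096  /* hypothetical fixed-size kernel buffer */

/* Unsafe pattern: two untrusted 32-bit header fields are added in 32 bits
 * and stored in a plain int.  The sum can wrap to a small value, or land
 * above INT_MAX and become negative once stored. */
int unsafe_len(uint32_t name_sz, uint32_t desc_sz)
{
    return (int)(name_sz + desc_sz);
}

/* A naive "fits in the buffer?" test on that int passes for negative
 * values; a later copy would then use (size_t)len, a huge length. */
bool naive_check_passes(uint32_t name_sz, uint32_t desc_sz)
{
    return unsafe_len(name_sz, desc_sz) <= KBUF_SIZE;
}

/* Hardened: widen before adding so the sum cannot wrap, compare as
 * unsigned, and enforce the bound before any copy happens. */
bool checked_len(uint32_t name_sz, uint32_t desc_sz, size_t *out)
{
    uint64_t total = (uint64_t)name_sz + (uint64_t)desc_sz;
    if (total > KBUF_SIZE)
        return false;
    *out = (size_t)total;
    return true;
}

/* Copy only once the checked length is known to fit both the destination
 * and the bytes actually available.  Returns bytes copied, or -1. */
long copy_checked(uint32_t name_sz, uint32_t desc_sz,
                  const uint8_t *src, size_t src_len, uint8_t *kbuf)
{
    size_t len;
    if (!checked_len(name_sz, desc_sz, &len) || len > src_len)
        return -1;
    memcpy(kbuf, src, len);
    return (long)len;
}
```

The two constructed header pairs in the test cover both failure modes: one sum exceeds INT_MAX and becomes negative, the other wraps in 32 bits to 256; both pass the naive check and both are rejected by the checked version.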

Gaim Remote URI Handling Buffer Overflow Vulnerability
BugTraq ID: 13590
Remote: Yes
Date Published: May 11 2005
Relevant URL: http://www.securityfocus.com/bid/13590
Summary:
Gaim is susceptible to a remote buffer overflow vulnerability when handling
long URIs. This issue is due to a failure of the application to properly
bounds check user-supplied input data prior to copying it to a fixed-size
stack buffer.

Because Gaim supports multiple IM protocols, and those protocols impose
different message length limits, only some of the IM networks are reported
vulnerable. Currently, the Jabber and SILC IM network protocols are known
to be vulnerable. Other protocols may also be affected.

This vulnerability allows remote attackers to execute arbitrary machine code in the context of the affected application.

Gaim versions prior to 1.3.0 are vulnerable to this issue.

Gaim Remote MSN Empty SLP Message Denial Of Service Vulnerab...
BugTraq ID: 13591
Remote: Yes
Date Published: May 11 2005
Relevant URL: http://www.securityfocus.com/bid/13591
Summary:
Gaim is susceptible to a remote denial of service vulnerability in its MSN
protocol handling code.

This vulnerability allows remote attackers to crash affected clients,
denying service to them.

Gaim versions prior to 1.3.0 are vulnerable to this issue.

Squid Proxy Unspecified DNS Spoofing Vulnerability
BugTraq ID: 13592
Remote: Yes
Date Published: May 11 2005
Relevant URL: http://www.securityfocus.com/bid/13592
Summary:
Squid Proxy is prone to an unspecified DNS spoofing vulnerability.  This
could allow malicious users to perform DNS spoofing attacks on Squid Proxy
clients on unprotected networks.

This issue affects Squid Proxy versions 2.5 and earlier.

Cisco Catalyst 6500/7600 Series Firewall Services Module ACL...
BugTraq ID: 13595
Remote: Yes
Date Published: May 11 2005
Relevant URL: http://www.securityfocus.com/bid/13595
Summary:
Cisco FWSM (Firewall Services Module) is prone to a vulnerability that
may allow traffic that is explicitly filtered to bypass ACLs.  As a
result, unauthorized TCP traffic may bypass the firewall.

This issue only affects Cisco Catalyst 6500 Series Switches and Cisco
7600 series routers running FWSM version 2.3.1 or earlier when using
content filtering exceptions.

[ firmware ]

Neteyes NexusWay Border Gateway Multiple Remote Vulnerabilit...
BugTraq ID: 13596
Remote: Yes
Date Published: May 11 2005
Relevant URL: http://www.securityfocus.com/bid/13596
Summary:
NexusWay is reportedly affected by multiple remote vulnerabilities.
These issues can allow an unauthorized attacker to execute arbitrary
commands and gain administrative access to an affected device.

All versions of NexusWay are considered vulnerable at the moment.

Bugzilla Authentication Information Disclosure Vulnerability
BugTraq ID: 13605
Remote: Yes
Date Published: May 12 2005
Relevant URL: http://www.securityfocus.com/bid/13605
Summary:
Bugzilla is prone to a vulnerability that could allow username and password
information to be disclosed in generated links.  Any user with access to the
server's Web logs could potentially gain access to the user's
authentication information.

Bugzilla Hidden Product Information Disclosure Vulnerability
BugTraq ID: 13606
Remote: Yes
Date Published: May 12 2005
Relevant URL: http://www.securityfocus.com/bid/13606
Summary:
Bugzilla is prone to an information disclosure vulnerability due to
improper access validation.  This could allow a user to determine the
existence of a product in the Bugzilla database even if it should not be
visible to them.

Acrowave AAP-3100AR Wireless Router Authentication Bypass Vu...
BugTraq ID: 13613
Remote: Yes
Date Published: May 12 2005
Relevant URL: http://www.securityfocus.com/bid/13613
Summary:
Acrowave AAP-3100AR routers are susceptible to an authentication
bypass vulnerability.

This vulnerability allows remote attackers to gain administrative
access to affected devices.

Due to code reuse, it is likely that other devices are also vulnerable
to this issue.

[ firmware ]
