You are on page 1of 329

Contents

Qualys as a mitigation recommendation tool (Knowledge Base) ........................................................... 21 Adobe Flash Vulnerabilities .................................................................................................................... 23 Adobe Flash Player Multiple Vulnerabilities (QID 116536) ................................................................ 23 Adobe Reader Vulnerabilities ................................................................................................................. 24 Adobe Acrobat/Reader "util.printf()" Buffer Overflow Vulnerability (QID 116027)........................... 24 Sun Solaris Adobe Reader Multiple Vulnerabilities (QID 116386) ...................................................... 24 Sun Solaris Adobe Reader Multiple Vulnerabilities (QID 116437) ...................................................... 25 Apache Vulnerabilities ............................................................................................................................ 27 Discovery of Unix Account Names Vulnerability (QID 5001) .............................................................. 27 "test-cgi" CGI Vulnerability (QID 10015) ............................................................................................. 27 Apache HTTP Server Multiple Cross-Site Scripting Vulnerabilities (QID 12260)................................. 28 Apache Axis2/Java "modules" Cross-Site Scripting (XSS) Vulnerability (QID 12370).......................... 29 Apache Axis2 Default Administrative Access (QID 12499) ................................................................. 29 Apache HTTP Server APR "apr_fnmatch()" Denial of Service Vulnerability (QID 12500) ................... 30 Apache HTTP Server Mod_Proxy Denial of Service Vulnerability (QID 62057) .................................. 30 Apache CGI Source Code Viewing Vulnerability (QID 86054) ............................................................. 31 Apache Webserver /server-status Information Disclosure Vulnerability (QID 86410) ...................... 31 Apache 2.x HTTP Server Linefeed Memory Allocation Denial of Service Vulnerability (QID 86482) . 32 Apache 2.x Web Server File Descriptor Leakage Vulnerability (QID 86483)....................................... 32 Apache Basic Authentication Module Valid User Login Denial of Service Vulnerability (QID 86532) 33 Miscellaneous Apache Vulnerabilities (2.0.46 and earlier) (QID 86562) ............................................ 33 Apache HTTP Server Buffer Overflow Vulnerabilities In mod_alias And mod_rewrite (QID 86600) . 34 Apache2 MOD_CGI STDERR Denial of Service Vulnerability (QID 86636) .......................................... 34 Apache Web Server Type-Map Recursive Loop Denial of Service Vulnerability (QID 86637) ............ 35 Apache 2.0.49 And Earlier Miscellaneous Vulnerabilities (QID 86643) .............................................. 35 Multiple Apache Web Server Vulnerabilities prior to version 2.0.51 (QID 86678)............................. 36 Multiple Apache 1.3.32 and Earlier Web Server Local Buffer Overflow Vulnerabilities (QID 86680) 36 Apache 2.0.35-2.0.52 Memory Consumption Denial of Service and mod_ssl SSLCipherSuite Bypass (QID 86683) ......................................................................................................................................... 37 Apache CGI Byterange Request Denial of Service Vulnerability (QID 86713) .................................... 37 Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 1

Apache Tomcat Simultaneous Directory Listing Denial of Service Vulnerability (QID 86724) ........... 38 Apache MPM Worker.C Denial of Service Vulnerability (QID 86726) ................................................ 39 Apache Mod_IMAP Referer Cross-Site Scripting Vulnerability (QID 86727) ...................................... 40 Apache Web Server fails to sanitize Escape Sequence Injection into its Access Logs (QID 86744) .... 41 Apache Web Server fails to sanitize Escape Sequence Injection into its Error Logs (QID 86745) ...... 41 Apache Mod_Rewrite Off-By-One Buffer Overflow Vulnerability (QID 86746) ................................. 42 Apache Tomcat JK Web Server Connector Security Bypass Vulnerability (QID 86764)...................... 42 Apache HTTP Server 413 Error HTTP Request Method Cross-Site Scripting (XSS) Weakness (QID 86771) ................................................................................................................................................. 43 Apache mod_ssl Denial of Service Vulnerability (QID 86773) ............................................................ 44 Apache Tomcat Information Disclosure Vulnerability (QID 86775).................................................... 44 Apache Tomcat Absolute Path Traversal Vulnerability (QID 86776) .................................................. 45 Apache Tomcat Accept-Language Cross-Site Scripting (XSS) Vulnerability (QID 86777) .................... 46 Apache Tomcat SingleSignOn Remote Information Disclosure Vulnerability (QID 86779) ................ 47 Apache Tomcat 4, 5 and 6 Examples Web Application Multiple Cross-Site Scripting (XSS) Vulnerabilities (QID 86781) ................................................................................................................. 47 Apache Tomcat Multiple Cross-Site Scripting (XSS) Vulnerabilities in Manager and Host Manager Web Applications (QID 86782)............................................................................................................ 48 Apache Tomcat 4.1 Cross-Site Scripting (XSS) Vulnerability (QID 86783) .......................................... 49 Apache Tomcat 4 and 5 Cross-Site Scripting (XSS) Vulnerability in Calendar Application in JSP Examples (QID 86785) ......................................................................................................................... 49 Apache Tomcat Servlet Host Manager Servlet Cross-Site Scripting (XSS) Vulnerability (QID 86786) 50 Apache 2.2 Multiple Vulnerabilities (QID 86788) ............................................................................... 51 Apache Tomcat Multiple Content Length Headers Information Disclosure Vulnerability (QID 86789) ............................................................................................................................................................ 52 Apache Tomcat 4 Denial of Service Vulnerability (QID 86790)........................................................... 52 Apache Tomcat 4 Information Disclosure Vulnerability (QID 86791) ................................................. 52 Apache Tomcat 6 Information Disclosure Vulnerability (QID 86792) ................................................. 53 Apache Tomcat Session Hi-jacking Vulnerability (QID 86794)............................................................ 53 Apache mod_ssl Certificate Revocation List Off-By-One Buffer Overflow Vulnerability (QID 86801) 54 Apache Tomcat 5 and 6 Host Manager Web Application Cross-Site Scripting (XSS) Vulnerability (QID 86803) ................................................................................................................................................. 54 Apache Tomcat 4, 5 and 6 Multiple Vulnerabilities (QID 86804) ....................................................... 55 Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 2

Apache Tomcat RequestDispatcher Information Disclosure Vulnerability (QID 86808) .................... 56 Apache 1.3, 2.0 and 2.2 HTTP Server Multiple Vulnerabilities (QID 86809) ....................................... 57 Apache 2.0 HTTP Server PCRE Integer Overflow Vulnerability (QID 86812) ...................................... 58 Apache 2.0 HTTP Server mod_ssl Stack Buffer Overflow Vulnerability (QID 86814) ......................... 58 Apache HTTP Server Expect Header Cross-Site Scripting (XSS) (QID 86821) ...................................... 59 Apache Tomcat "RemoteFilterValve" Security Bypass Vulnerability (QID 86823) ............................. 60 Apache HTTP Server AllowOverride Options Security Bypass (QID 86840)........................................ 60 Apache Tomcat Java AJP Connector Invalid Header Denial of Service Vulnerability (QID 86842) ..... 61 Apache Partial HTTP Request Denial of Service Vulnerability - Zero Day (QID 86847) ...................... 62 Apache Tomcat Multiple Vulnerabilities (QID 86851) ........................................................................ 63 APR-util Library Integer Overflow Vulnerabilities (QID 86852) .......................................................... 64 Apache mod_proxy_ftp FTP Command Injection Vulnerability (QID 86855) ..................................... 65 Apache Tomcat Installer Insecure Password Vulnerability (QID 86857) ............................................ 66 Apache Tomcat Directory Traversal Weaknesses and Security Issue (QID 86865) ............................ 66 Apache 1.3 mod_proxy HTTP Chunked Encoding Integer Overflow Vulnerability (QID 86868)......... 68 Apache HTTP Server Prior to 2.2.15 Multiple Vulnerabilities (QID 86873)......................................... 68 Apache httpd "mod_proxy_http" Timeout Handling Information Disclosure Vulnerability (QID 86901) ................................................................................................................................................. 69 Apache HTTP Server 2.2.15 mod_cache and mod_dav Undisclosed DoS Vulnerability (QID 86908) 69 Apache Tomcat SecurityManager Security Bypass Vulnerability (QID 86939) ................................... 70 Apache Tomcat HTTP NIO / APR Connector sendfile Input Validation Error Information Disclosure Vulnerability (QID 86950) ................................................................................................................... 70 Apache 1.3 and 2.0 Web Server Multiple Vulnerabilities (QID 115731) ............................................ 71 Sun Solaris Cross-Site Scripting Issues in Apache 1.3 and 2.0 "mod_imap" and "mod_status" Modules (QID 115798) ........................................................................................................................ 72 Red Hat Security Update for Apache (QID 116444) ............................................................................ 73 Sun Solaris Apache 1.3 "mod_jk" Module Unauthorized Access Vulnerability (QID 116491)............ 73 Solaris Apache 1.3 "mod_perl" Module Component "Status.pm" Unauthorized Data Access Vulnerability (QID 116945) ................................................................................................................. 74 ATT WinVNC Vulnerabilities .................................................................................................................... 74 ATT WinVNC Server Buffer Overflow and Weak Authentication Vulnerabilities (QID 38022) ........... 74 AWStats Vulnerabilities .......................................................................................................................... 75 AWStats Rawlog Plugin Logfile Parameter Input Validation Vulnerability (QID 12210)..................... 75 Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 3

AWStats Referrer Arbitrary Command Execution Vulnerability (QID 12175) .................................... 76 BEA WebLogic Vulnerabilities ................................................................................................................. 76 BEA WebLogic Multiple Vulnerabilities (QID 86734) .......................................................................... 76 BEA WebLogic Multiple Vulnerabilities (2007) (QID 86766) ............................................................... 77 BIND Vulnerabilities ................................................................................................................................ 78 ISC BIND Remote Cache Poisoning Vulnerability (QID 15053) ........................................................... 78 Red Hat Bind Security Update (QID 115514) ...................................................................................... 79 Red Hat Update for bind (QID 116124)............................................................................................... 79 ISC BIND Dynamic Update Denial of Service Vulnerability (QID 15055) ............................................. 80 Caucho Resin Vulnerabilities................................................................................................................... 81 Caucho Resin Data Handling Cross-Site Scripting (XSS) Vulnerability (QID 86890) ............................ 81 Cisco Vulnerabilities ................................................................................................................................ 82 SSH1 Session Key Retrieval Vulnerability (QID 38029) ....................................................................... 82 Cisco Secure ACS Management Interface (QID 38192) ...................................................................... 83 Management Interfaces Accessible On Cisco Device Vulnerability (QID 38250) ............................... 84 Cisco IOS Malformed SNMP Message-Handling Vulnerability (QID 38254) ....................................... 84 Multiple Vulnerabilities in Cisco Secure ACS (QID 38306) .................................................................. 85 Cisco IOS Telnet Service Remote Denial of Service Vulnerability (QID 38308)................................... 86 Cisco IOS Firewall Authentication Proxy for FTP and Telnet Sessions Buffer Overflow (QID 38471) . 87 Cisco Secure ACS Authentication Bypass Vulnerability (QID 38550) .................................................. 88 Cisco IOS HTTP %% Vulnerability (QID 43003) .................................................................................... 88 Cisco Router Online Help Vulnerability (QID 43004) .......................................................................... 89 Cisco Router/Switch Default Password Vulnerability (QID 43021) ..................................................... 89 Cisco IOS Malformed IPV4 Packet Denial of Service Vulnerability (QID 43051) ................................. 90 Cisco IOS 2GB HTTP GET Buffer Overflow Vulnerability (QID 43054) ................................................. 91 Cisco Internet Operating System SNMP Message Processing Denial of Service Vulnerability (QID 43056) ................................................................................................................................................. 91 Cisco VPN 3000 Concentrator Denial of Service Vulnerability (QID 43077) ....................................... 92 Cisco IOS System Timers Heap Buffer Overflow Vulnerability (QID 43094) ....................................... 92 Cisco IOS Secure Shell Server Memory Leak Denial of Service Vulnerability (QID 43098) ................. 93 Cisco IOS EIGRP Announcement ARP Denial of Service Vulnerability (QID 43100) ............................ 94 Cisco IOS ICMP Redirect Routing Table Modification Vulnerability (QID 43101) ............................... 95 Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 4

Cisco IOS Service Assurance Agent Malformed Packet Denial of Service Vulnerability (QID 43102). 95 Cisco VPN 3000 Concentrator Malformed HTTP Packet Remote Denial of Service Vulnerability (QID 43106) ................................................................................................................................................. 96 Cisco Internet Key Exchange (IKE) Denial of Service Vulnerability (QID 43116) ................................. 96 Multiple Cisco IOS TCP/IP Vulnerabilities (QID 43128) ....................................................................... 97 Cisco IOS and Unified Communications Manager Multiple Voice Vulnerabilities (QID 43131) ......... 97 Cisco IOS TCP Listener Memory Leak Can Cause Denial of Service (QID 43133) ................................ 97 Cisco IOS Multicast Virtual Private Network (MVPN) Data Leak Vulnerability (QID 43135) .............. 98 Cisco IOS SSL Packets Multiple Vulnerabilities (QID 43139) ............................................................... 98 Cisco IOS GRE Decapsulation Vulnerability (QID 43140) .................................................................... 98 Cisco IOS Software Multiple Multicast Vulnerabilities (QID 43146) ................................................... 99 Cisco IOS MPLS VPN May Leak Information (QID 43150) ................................................................... 99 Cisco IOS Multiple Cross-Site Scripting Vulnerabilities (QID 43151)................................................... 99 Cisco IOS Software Multiple Features IP Sockets Vulnerability (QID 43153) ................................... 101 Cisco IOS Software Multiple Features Crafted UDP Packet Vulnerability (QID 43155) .................... 102 Cisco IOS Software Multiple Features Crafted TCP Sequence Vulnerability (QID 43156) ................ 103 Cisco IOS Software Secure Copy Privilege Escalation Vulnerability (QID 43157) ............................. 104 Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerability (QID 43158) ........... 104 Cisco IOS Software TCP State Manipulation Denial of Service Vulnerabilities (QID 43162) ............. 105 Cisco IOS Software Tunnels Vulnerability (QID 43172)..................................................................... 106 Cisco IOS IPv6 Routing Header Vulnerability (QID 43173) ................................................................ 107 Cisco IOS Software Multiprotocol Label Switching Packet Vulnerability (QID 43180) ..................... 108 Cisco Industrial Ethernet 3000 Series Switches Hard Coded SNMP Community Names Vulnerability (QID 43187) ....................................................................................................................................... 109 Cisco IOS TCP State Manipulation Denial of Service Vulnerabilities (QID 43197) ............................ 110 Cisco IOS VLAN Trunking Protocol Vulnerability (QID 43204) .......................................................... 110 Cisco IOS Multiple Vulnerabilities (QID 43207)................................................................................. 111 TCP Sequence Number Approximation Based Denial of Service (82054) ........................................ 112 Cisco IOS HTTP Service HTML Injection Vulnerability (QID 12220) .................................................. 114 Common Desktop Environment (CDE) Vulnerabilities.......................................................................... 115 Common Desktop Environment Dtlogin Unspecified Remote Double Free Vulnerability (QID 38261) .......................................................................................................................................................... 115 Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 5

Multiple Vendor CDE ToolTalk Database Server Null Write Vulnerability (QID 68507) ................... 115 CUPS Vulnerabilities .............................................................................................................................. 116 CUPS UDP Packet Remote Denial of Service Vulnerability (QID 38405) ........................................... 116 CUPS IPP Tag Handling Remote Buffer Overflow Vulnerability (QID 38591).................................... 116 CVS Vulnerabilities ................................................................................................................................ 117 CVS Server Piped Checkout Access Validation Vulnerability (QID 38269) ........................................ 117 CVS Unspecified Buffer Overflow and Memory Access Vulnerabilities (QID 38481) ....................... 117 DameWare Vulnerabilities .................................................................................................................... 118 DameWare Mini Remote Control Server Detected (QID 38255) ...................................................... 118 DNS Vulnerabilities ............................................................................................................................... 119 DNS Zone Transfer (QID 15018) ........................................................................................................ 119 Finger Vulnerabilities ............................................................................................................................ 119 "Finger 0@" Information about Logged Users Disclosure Vulnerability (QID 31000) ...................... 119 Finger Daemon Accepts Forwarding of Requests (QID 31002)......................................................... 120 Finger Service Discloses Logged Users (QID 31003) ......................................................................... 120 Firefox Vulnerabilities ........................................................................................................................... 120 Mozilla Firefox Remote Code Execution by Overflowing CSS Reference Counter (QID 115836) ..... 120 Mozilla Firefox Unspecified Arbitrary File Access Weakness - Zero Day (QID 115841) .................... 121 Mozilla Firefox and SeaMonkey Multiple Vulnerabilities (QID 115851) ........................................... 121 Mozilla Firefox URI Splitting Security Bypass Vulnerability (QID 115860) ........................................ 121 Mozilla Firefox User Interface Dispatcher Null Pointer Dereference Denial of Service Vulnerability Zero Day (QID 115966)...................................................................................................................... 122 Mozilla Firefox, Seamonkey and Thunderbird Multiple Vulnerabilities (QID 116044) ..................... 122 Mozilla Firefox/Thunderbird/SeaMonkey Multiple Remote Vulnerabilities (QID 116184).............. 123 Mozilla Firefox Nested "window.print()" Denial of Service Vulnerability (QID 116262) .................. 124 Mozilla Firefox/Thunderbird/SeaMonkey Multiple Vulnerabilities (QID 116263) ........................... 125 Mozilla Firefox Fix Two Vulnerabilities (QID 116328) ....................................................................... 126 Firefox Security Update (QID 116539) .............................................................................................. 127 Sun Solaris Thunderbird Related to SSL Certificates Arbitrary Code Execution Vulnerabilities (QID 116836) ............................................................................................................................................. 128 Sun Solaris Thunderbird Multiple Vulnerabilities (QID 116428)....................................................... 129 FTP Vulnerabilities ................................................................................................................................ 129 Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 6

World Readable and Writeable Directory on Anonymous FTP (QID 27005) .................................... 129 FTP Generic ../ File Disclosure Vulnerability (QID 27166) ................................................................. 130 FTP Backdoor Allows Administrator Privileges (QID 27279) ............................................................. 130 GoAhead Webserver Vulnerabilities..................................................................................................... 131 GoAhead WebServer /aux Denial of Service Vulnerability (QID 86122)........................................... 131 Gnome Evolution iCalendar Multiple Buffer Overflow Vulnerabilities (QID 115818) .......................... 131 GnuPG Vulnerabilities ........................................................................................................................... 131 GnuPG Parse_Comment Remote Buffer Overflow Vulnerability (QID 115432) ............................... 131 GnuPG Parse_User_ID Remote Buffer Overflow Vulnerability (QID 115405) .................................. 132 ICMP Vulnerabilities.............................................................................................................................. 132 Host Responds to One ICMP Request Multiple Times (Smurf Variant) (QID 82002)........................ 132 HP HTTP Server Vulnerabilities ............................................................................................................. 133 HP HTTP Server Remote Unspecified Buffer Overflow Vulnerability (QID 86772) ........................... 133 HP System Management....................................................................................................................... 133 HP System Management Homepage Code Execution and Denial of Service (QID 86846) ............... 133 HP System Management Homepage Cross-Site Scripting and Denial of Service Vulnerabilities (QID 86880) ............................................................................................................................................... 134 HP System Management Homepage Cross-Site Scripting (XSS) Vulnerability (QID 86869) ............. 134 HP System Management Homepage Multiple Vulnerabilities (QID 86938) ..................................... 135 HP System Management Homepage Multiple Vulnerabilities (QID 86849) ..................................... 135 HP System Management Homepage Remote Cross-Site Scripting Vulnerability (QID 86951)......... 136 HP System Management Homepage TLS/SSL Vulnerability (QID 86887) ......................................... 136 HP Openview Vulnerabilities ................................................................................................................ 137 HP Openview NNM Embedded Database Present (QID 38210) ....................................................... 137 IBM DB2 Vulnerabilities ........................................................................................................................ 137 IBM DB2 Universal Database Known Default Password Vulnerability (QID 19008) ......................... 137 IBM DB2 Listener Detected (QID 19207) .......................................................................................... 138 IBM DB2 Universal Database Multiple Denial of Service Vulnerabilities (QID 19209) ..................... 138 IBM HTTP Vulnerabilities ...................................................................................................................... 138 IBM HTTP Server "apr_fnmatch()" Denial of Service Vulnerabilities (QID 86952) ........................... 138 IBM HTTP Server Multiple Vulnerabilities (QID 86875) .................................................................... 139 IETF RADIUS Vulnerabilities .................................................................................................................. 139 Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 7

IETF RADIUS Dictionary Attack Vulnerability (QID 38120) ................................................................ 139 IP Vulnerabilities ................................................................................................................................... 140 IP Spoofing (QID 34009) .................................................................................................................... 140 IP Forwarding Enabled (QID 115284) ................................................................................................ 140 ISC BIND Vulnerabilities ........................................................................................................................ 141 ISC BIND 9 Remote Denial of Service (DoS1 bug) Vulnerability (QID 15021) ................................... 141 ISC BIND Pre 9.2.2 Multiple Possible Vulnerabilities (QID 15031) .................................................... 141 ISC BIND Multiple Remote Denial of Service Vulnerabilities (QID 15052) ........................................ 142 ISC BIND 9 Cache Poisoning Vulnerability (QID 15054) .................................................................... 142 ISC BIND 9 DNSSEC Bogus NXDOMAIN Response Remote Cache Poisoning Vulnerability (QID 15057) .......................................................................................................................................................... 142 Java Vulnerabilities ............................................................................................................................... 143 Java Runtime Environment Multiple Privilege Escalation Vulnerabilities (QID 115435) .................. 143 Red Hat IBMJava2 Security Update (QID 115846) ............................................................................ 144 Red Hat Update for IBMJava2 (QID 116314) .................................................................................... 145 Sun Java JDK JRE Multiple Vulnerabilities (QID 116345) .................................................................. 146 Security Vulnerability in the JRE With Parsing XML Data May Allow a Remote Client to Create a Denial of Service (QID 116556) ......................................................................................................... 148 Sun Java Transport Layer and Secure Sockets Layer 3.0 Security Vulnerability (QID 116804) ......... 149 JBoss Vulnerabilities.............................................................................................................................. 149 JBoss HttpAdaptor JMXInvokerServlet is Accessible to Unauthenticated Remote Users (QID 12476) .......................................................................................................................................................... 149 JBoss JMX Console is Accessible to Unauthenticated Remote Users (QID 12481) ........................... 149 JBoss Web Console is Accessible to Unauthenticated Remote Users (QID 12482) .......................... 150 JBoss EJBInvokerServlet is Accessible to Unauthenticated Remote Users (QID 12483) .................. 150 JBoss JMX Console and Web Console Unrestricted Access Vulnerability (QID 86768) .................... 150 JBoss Application Server Web Console and JMX Management Console Authentication Bypass Vulnerability (QID 86882) ................................................................................................................. 150 JBoss Enterprise Application Platform Status Servlet Request Remote Information Disclosure (QID 86883) ............................................................................................................................................... 151 K Desktop Environment (KDE) Vulnerabilities ...................................................................................... 151 kdelibs, kdebase Security Update (QID 115387) .............................................................................. 151 Red Hat kdelibs Security Update (QID 115437) ................................................................................ 152 Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 8

KCMS ..................................................................................................................................................... 153 KCMS Directory Traversal Vulnerability (QID 68533) ....................................................................... 153 Kerberos Vulnerabilities ........................................................................................................................ 153 Red Hat krb5 Security Update (QID 115534) .................................................................................... 153 Red Hat krb5 Security Update (QID 115757) .................................................................................... 154 Solaris Kerberos PAM Module Privilege Escalation Vulnerability (QID 116327) .............................. 154 Sun Solaris Kerberos "Mech" Libraries Denial of Service Vulnerability (QID 116475)...................... 155 Linux ...................................................................................................................................................... 156 Linux Kernel Multiple Memory Leak Local Denial of Service Vulnerabilities (QID 115292) ............. 156 Macromedia JRun Vulnerabilities ......................................................................................................... 156 Privilege Escalation Vulnerability in Macromedia JRun and ColdFusion (QID 12226) ...................... 156 Macromedia JRun Multiple Vulnerabilities (QID 86735) .................................................................. 157 Microsoft IIS .......................................................................................................................................... 157 Internet Information Services (IIS) Could Allow Elevation of Privilege (MS09-020) (QID 86837) .... 157 Microsoft SQL Server Vulnerabilities .................................................................................................... 158 Multiple MS-SQL-7 threats - (I) (QID 19058)..................................................................................... 158 Multiple MS-SQL-7 threats - (II) (QID 19059).................................................................................... 160 Microsoft SQL Server 2000 Latest Patch Not Installed (QID 19090) ................................................. 161 Microsoft SQL Server Query Method Enables Cached Administrator Connection to be Reused (MS01-032) (QID 19093) ................................................................................................................... 162 Microsoft SQL Server 2000 Service Pack 1 Not Installed (QID 19094).............................................. 162 Microsoft SQL Server 2000 Service Pack 2 Not Installed (QID 19096).............................................. 162 Microsoft SQL Server Cumulative Patch Not Installed (MS02-034) (QID 19097) ............................. 162 Microsoft SQL Server 2000 Service Pack 3 Not Installed (QID 19099).............................................. 163 Microsoft SQL Server 2000 Service Pack 4 Missing (QID 19124) ...................................................... 163 Microsoft SQL Server Multiple Vulnerabilities (MS03-031) (QID 90086) ......................................... 163 Microsoft Windows Platform Vulnerabilities ....................................................................................... 164 Lysias Lidik Webserver Directory Traversal Vulnerability (QID 10635) ............................................ 164 Microsoft Windows XP Remote Desktop Plaintext Username Vulnerability (QID 38094) ............... 165 Microsoft Remote Procedure Call Service Denial of Service Vulnerability (MS01-041) (QID 68500) .......................................................................................................................................................... 165 Microsoft Windows 2000 RPC DCOM Interface Denial of Service Vulnerability (QID 68517) .......... 165 Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 9

Microsoft Windows DCOM RPCSS Service Vulnerabilities (QID 68522) ........................................... 166 Multiple Microsoft Windows RPC/DCOM Vulnerabilities (QID 68528) ............................................ 166 Microsoft Windows 9x/NT 4.0 NetBIOS over TCP/IP Resource Exhaustion Vulnerability (MS00-091) (QID 70012) ....................................................................................................................................... 167 Microsoft Windows 9x/NT/2000 MS-DOS Device Name DoS Vulnerability (QID 70020)................. 167 Microsoft Messenger Service Detected (QID 70027) ....................................................................... 168 Microsoft Messenger Service Buffer Overrun Vulnerability (MS03-043) (QID 70032) .................... 168 Enabled DCOM (QID 90042) ............................................................................................................. 169 Microsoft Windows NetBIOS Name Service Reply Information Leakage Weakness (QID 90067) ... 169 Microsoft Windows ASN.1 Library Integer Handling Vulnerability (QID 90103) .............................. 170 Multiple Microsoft Windows Vulnerabilities (MS04-011) (QID 90108)............................................ 170 Microsoft Windows Task Scheduler Code Execution (QID 90134) ................................................... 171 Windows TCP/IP Remote Code Execution and Denial of Service Vulnerabilities (QID 90244)......... 172 Microsoft Windows Remote Desktop Protocol Server Private Key Disclosure (QID 90250) ............ 173 Vulnerability in Server Service Could Allow Remote Code Execution (MS06-040) (QID 90336) ...... 173 Microsoft Windows Server Service Could Allow Remote Code Execution (MS08-067) (QID 90464) .......................................................................................................................................................... 174 Microsoft SMB Remote Code Execution Vulnerability (MS09-001) (QID 90477) ............................. 174 Microsoft WINS Remote Code Execution Vulnerabilities (QID 90516) ............................................. 175 Microsoft Server Message Block (SMBv2) Remote Code Execution Vulnerability (QID 90527)....... 176 Built-in Guest Account Not Renamed at Windows Target System (QID 105228) ............................ 177 EOL/Obsolete Operating System: Microsoft Windows 2000 Detected (QID 105359) ..................... 177 Microsoft WINS Remote Code Execution Vulnerability (MS11-035) (QID 119248) ......................... 177 MySQL ................................................................................................................................................... 178 MySQL Security Invoker Privilege Escalation Vulnerability (QID 19217) .......................................... 178 MySQL Access Validation and Denial of Service Vulnerabilities (QID 19220)................................... 178 MySQL Server InnoDB CONVERT_SEARCH_MODE_TO_INNOBASE Function Denial of Service Vulnerability (QID 19224) ................................................................................................................. 179 MySQL yaSSL Multiple Vulnerabilities (QID 19228) .......................................................................... 180 MYSQL MyISAM Table Security Bypass Vulnerability (QID 19234)................................................... 180 MySQL Server RENAME TABLE System Table Overwrite Vulnerability (QID 19254) ........................ 181 MYSQL Multiple Vulnerabilities (5.0.51a) (QID 19255) .................................................................... 182 Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 10

MySQL IF Query Denial of Service Vulnerability (QID 19256)........................................................... 182 MySQL Empty Bit-String Literal Denial of Service Vulnerability (QID 19258) ................................... 183 MySQL Command Line Client HTML Special Characters HTML Injection Vulnerability (QID 19264) 184 MySQL Single-Row Subselect and INFORMATION_SCHEMA Denial of Service Vulnerability (QID 19265) ............................................................................................................................................... 184 MySQL Multiple Remote Denial of Service Vulnerabilities (QID 19508) .......................................... 185 MySQL "sql/sql_table.cc" CREATE TABLE Security Bypass Vulnerability (QID 19531)...................... 185 MySQL Multiple Vulnerabilities (QID 19560) .................................................................................... 186 MySQL BINLOG Filename Path Privilege Escalation Vulnerability (QID 19573)................................ 187 MySQL Prepared-Statement Mode "EXPLAIN" Denial of Service Vulnerability (QID 19600) ........... 187 NetScreen.............................................................................................................................................. 188 NetScreen ScreenOS Port Scan Denial of Service Vulnerability (QID 43082) ................................... 188 NFS Vulnerabilities ................................................................................................................................ 188 NFS Exported Filesystems List Vulnerability (QID 66002) ................................................................. 188 NFS Exported Directories Mountable by Unauthorized Users (QID 66003) ..................................... 189 NFS-Utils Xlog Remote Buffer Overrun Vulnerability (QID 68521) ................................................... 189 OpenRadius Vulnerabilities ................................................................................................................... 190 OpenRADIUS Divide By Zero Denial of Service Vulnerability (QID 38122) ....................................... 190 OpenSSH Vulnerabilities ....................................................................................................................... 190 OpenSSH Channel Code Off-By-One Vulnerability (QID 38088) ....................................................... 190 OpenSSH Challenge-Response Authentication Integer Overflow Vulnerability (QID 38113)........... 191 OpenSSH UseLogin Environment Variable Passing Vulnerability (QID 38118) ................................. 192 OpenSSH Reverse DNS Lookup Access Control Bypass Vulnerability (QID 38198)........................... 192 OpenSSH PAMAuthenticationViaKbdInt Buffer Overflow Vulnerability (QID 38202) ...................... 193 OpenSSH Multiple Memory Management Vulnerabilities (QID 38217) ........................................... 194 OpenSSH Signal Handling Vulnerability (QID 38560) ........................................................................ 195 OpenSSH Plaintext Recovery Attack Against SSH Vulnerability (QID 42339) ................................... 195 OpenSSH X11 Hijacking Attack Vulnerability (QID 42340) ................................................................ 196 OpenSSH Local SCP Shell Command Execution Vulnerability (QID 115317) .................................... 197 OpenSSL Vulnerabilities ........................................................................................................................ 198 OpenSSL Denial of Service Vulnerabilities (QID 38257) .................................................................... 198 OpenSSL PKCS Padding RSA Signature Forgery Vulnerability (QID 38557)....................................... 200 Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 11

OpenSSL Multiple Vulnerabilities (QID 38561) ................................................................................. 200 OpenSSL "SSL_get_shared_ciphers()" Off-By-One Buffer Overflow (QID 38595) ............................ 201 OpenSSL TLS Connection Record Handling Denial of Service Vulnerability (QID 42032) ................. 201 OpenSSL Two Vulnerabilities (OpenSSL Advisory 1-June-2010) (QID 42335) ................................... 202 OpenSSL "ssl3_get_key_exchange()" Use-After-Free Vulnerability (QID 42345) ............................. 202 OpenSSL TLS Server Extension Parsing Race Condition Vulnerability (QID 42354) .......................... 203 OpenSSL ClientHello Handshake Messages Denial of Service Vulnerability (QID 42361) ................ 204 OpenSSL Ciphersuite Downgrade Security Vulnerability (QID 42362) ............................................. 204 Red Hat and Solaris Update for openssl Vulnerability (QID 116118) ............................................... 205 Sun Solaris OpenSSL Denial of Service Vulnerability (QID 116458) .................................................. 206 Operating System Detected .................................................................................................................. 207 Operating System Detected (45017) ................................................................................................ 207 Operating Systems Detected on Redirected TCP Open Ports (82038) ............................................. 208 Oracle Vulnerabilities ............................................................................................................................ 208 Oracle Listener Log File Can Be Renamed Without Authentication (QID 19005) ............................. 209 Oracle Database Link Buffer Overflow Vulnerability (QID 19076) .................................................... 209 Oracle Database Server EXTPROC Buffer Overflow Vulnerability (QID 19080) ................................ 210 Multiple Oracle Database Parameter/Statement Buffer Overflow Vulnerabilities (QID 19084) ..... 210 Oracle Database Server April 2005 Critical Patch Update Missing (QID 19114) .............................. 211 Oracle Application Server HTTP Service Mod_Access Restriction Bypass Vulnerability (QID 19120) .......................................................................................................................................................... 212 Oracle Database Server October 2005 Critical Patch Update Missing (QID 19144) ......................... 212 Oracle Database Server January 2006 Security Update Missing (QID 19197) .................................. 212 Oracle Database Server April 2006 Critical Patch Update Missing (QID 19203) .............................. 213 Oracle Database Server July 2006 Critical Patch Update Missing (QID 19210) ................................ 213 Oracle Database Server October 2006 Security Update Missing (QID 19211) ................................. 213 Oracle Database Server January 2007 Security Update Missing (QID 19215) .................................. 214 Oracle Database Server April 2007 Security Update Missing (QID 19216)....................................... 214 Oracle Database Server July 2007 Security Update Missing (QID 19219) ........................................ 215 Oracle Database Server October 2007 Security Update Missing (QID 19223) ................................. 215 Oracle Database Server January 2008 Security Update Missing (QID 19227) .................................. 216 Oracle Database Server July 2005 Security Update Missing (QID 19230) ........................................ 216 Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 12

Oracle Database Server April 2008 Security Update Missing (QID 19232)....................................... 216 Oracle Database Server July 2008 Security Update Multiple Vulnerabilities (QID 19238)............... 217 Oracle Database Server October 2008 Security Update Missing (QID 19260) ................................. 218 Oracle Database Server January 2009 Security Update Missing (QID 19267) .................................. 218 Oracle Database Server April 2009 Security Update Missing (QID 19463)....................................... 219 Oracle Database Server July 2009 Security Update Missing (QID 19484) ........................................ 220 Oracle Database Server October 2009 Security Update Missing (QID 19498) ................................. 220 Oracle Database Server January 2010 Security Update Missing (QID 19524) .................................. 221 Oracle Database Server April 2010 Security Update Missing (QID 19548)....................................... 222 Oracle Database Server July 2010 Security Update Missing (QID 19565) ........................................ 222 Oracle Database Server October 2010 Security Update Missing (QID 19589) ................................. 223 EOL/Obsolete Software: Oracle Database 9i Detected (QID 19602) ................................................ 224 EOL/Obsolete Software: Oracle Database 10g Release 1 Detected (QID 19603) ............................. 224 EOL/Obsolete Software: Oracle Database 10.2.0.1 Detected (QID 19605) ...................................... 224 Oracle Database Server January 2011 Security Update Missing (QID 19608) .................................. 224 Oracle Database Server April 2011 Security Update Missing (QID 19616)....................................... 225 Oracle Database Server July 2011 Security Update Missing (QID 19633) ........................................ 225 EOL/Obsolete Software : Oracle Database 11.1.0.6 Detected (QID 105362) ................................... 226 EOL/Obsolete Software : Oracle Database 10.2.0.3 Detected (QID 105363) ................................... 226 PHP Vulnerabilities................................................................................................................................ 227 PHP cURL Open_Basedir Restriction Bypass (QID 12188) ................................................................ 227 PHP Safedir Restriction Bypass Vulnerabilities (QID 12201)............................................................. 227 PHP Update 4.4.1 and 5.1.0 Not Installed (QID 12205) .................................................................... 227 PHP MB_Send_Mail TO Argument Header Injection Vulnerability (QID 12219) .............................. 228 PHP Multiple Buffer Overflow Vulnerabilities (QID 12233) .............................................................. 228 PHP Multiple Vulnerabilities May 2008 (QID 12249) ........................................................................ 229 PHP PHP_Binary Heap Information Leak Vulnerability (QID 12251) ................................................ 229 PHP msg_receive() Memory Allocation Integer Overflow Vulnerability (QID 12252) ...................... 230 PHP ext/filter Space Trimming Buffer Underflow Vulnerability (QID 12253) ................................... 230 PHP "rfc822_write_address()" Function Buffer Overflow Vulnerability (QID 12254) ...................... 230 PHP "safe_mode" Multiple Security Bypass Vulnerabilities (QID 12255)......................................... 230 PHP update 5.2.5 Not Installed (QID 12257) .................................................................................... 231 Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 13

PHP Update 5.2.6 Not Installed (QID 12258) .................................................................................... 231 PHP Multiple Vulnerabilities (QID 12259) ......................................................................................... 232 PHP ZipArchive::extractTo() ".zip" Files Directory Traversal Vulnerability (QID 12267)................... 232 PHP Python Extension "safe_mode" Restriction Bypass Vulnerability (QID 12269) ........................ 233 PHP "mbstring" Extension Buffer Overflow Vulnerability (QID 12270) ............................................ 233 PHP 'popen()' Function Buffer Overflow Vulnerability (QID 12271) ................................................. 234 PHP "dba_replace()" File Corruption Vulnerability (QID 12272) ...................................................... 234 PHP "mbstring.func_overload" Webserver Denial of Service Vulnerability (QID 12273) ................ 234 PHP 5.2.8 and Prior Versions Multiple Vulnerabilities (QID 12276) ................................................. 235 PHP cURL "safe_mode" and "open_basedir" Restriction Bypass Vulnerability (QID 12281) ........... 235 PHP Versions Prior to 5.2.12 Multiple Vulnerabilities (QID 12318) .................................................. 236 PHP "spl_object_storage_attach" Use-After-Free Vulnerability (QID 12378) .................................. 236 phpMyAdmin Backtrace Cross-Site Scripting Vulnerability (QID 12409) ......................................... 237 phpMyAdmin Database Search Cross-Site Scripting Vulnerability (QID 12456) .............................. 237 PhpMyAdmin Multiple Vulnerabilities (QID 12473) ......................................................................... 237 PHP Buffer Overflow Vulnerability (QID 12514) ............................................................................... 238 PHP "proc_open()" Environment Parameter Safe Mode Restriction-Bypass Vulnerability (QID 116092) ............................................................................................................................................. 238 PHP Multiple Buffer Overflow Vulnerabilities (QID 116063) ............................................................ 239 POP3 Server Allows Plain Text Authentication Vulnerability (QID 74224) ........................................... 239 Ports ...................................................................................................................................................... 240 Hidden RPC Services (QID 11) ........................................................................................................... 240 Potential TCP Backdoor (QID 1004) .................................................................................................. 240 Ident Service (Potential Bot/Zombie) Detected (QID 1164) ............................................................. 241 FireWall-1 Administration Ports (34002) .......................................................................................... 241 UDP Test-Services (QID 38002) ......................................................................................................... 241 Python expat Module UTF-8 Denial of Service Vulnerability (QID 116581) ......................................... 242 Quate CMS Vulnerabilities .................................................................................................................... 242 Quate CMS Multiple Cross-Site Scripting (XSS) Vulnerabilities (QID 12262) .................................... 242 Radius Vulnerabilities............................................................................................................................ 243 Multiple Vendor Radius Short Vendor-Length Field Denial of Service Vulnerability (QID 38119) ... 243 Red Hat Vulnerabilities ......................................................................................................................... 244 Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 14

Red Hat XFree86 Security Update (QID 115400) .............................................................................. 244 Red Hat XFree86 Security Update (QID 115411) .............................................................................. 244 Red Hat PHP Security Update (QID 115429) ..................................................................................... 245 Red Hat PHP Security Update (QID 115517) ..................................................................................... 245 Red Hat gnupg Security Update (QID 115524) ................................................................................. 246 Red Hat gzip Security Update (QID 115418) ..................................................................................... 246 Red Hat qt Security Update (QID 115450) ........................................................................................ 247 Red Hat texinfo Security Update (QID 115456) ................................................................................ 247 Red Hat tar Security Update Not Installed (QID 115482) ................................................................. 248 Red Hat unzip Security Update (QID 115759)................................................................................... 248 Red Hat libtiff Security Update (QID 115915) ................................................................................... 248 Red Hat Update for Lynx (QID 116015) ............................................................................................ 249 Red Hat and Solaris libxml2 Security Update (QID 116048) ............................................................. 249 Red Hat Update for gnome-vfs and gnome-vfs2 (QID 116135) ........................................................ 250 Red Hat cvs Security Update (QID 116352) ...................................................................................... 251 Remote Vulnerabilities.......................................................................................................................... 251 Remote Login Service Open (QID 38019) ......................................................................................... 251 Remote Shell Service Open (QID 38020) .......................................................................................... 251 Remote Execution Service Open (QID 38021) .................................................................................. 252 Unauthenticated Root Access Allowed via rlogin (QID 38134)......................................................... 253 RPC Mountd Allows Remote Anonymous File System Root Mount (QID 68520)............................. 253 PAM r-commands Are Not Disabled (QID 105131)........................................................................... 253 Rex Deamon Vulnerabilities .................................................................................................................. 254 Checking Presence of the rpc rex deamon (QID 66031) ................................................................... 254 Routing Information Protocol Version 2 (RIPv2) Without Authentication (QID 38181) ....................... 254 Rsync Vulnerabilities ............................................................................................................................. 255 RSync Daemon Mode Undisclosed Remote Heap Overflow Vulnerability (QID 38237) .................. 255 Rsync Sanitize_path Function Module Path Escaping Vulnerability (QID 38303) ............................ 255 Samba Vulnerabilities ........................................................................................................................... 256 Remote User List Disclosure Using NetBIOS (QID 45003)................................................................. 256 Samba "receive_smb_raw()" Buffer Overflow and Remote Code Execution (QID 115825) ............ 257 Samba Security Update (QID 115555) .............................................................................................. 258 Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 15

Samba "domain logons" remote code execution (QID 115822) ....................................................... 259 NetBIOS Shared Folder List Available (QID 70001) ........................................................................... 259 Null Session/Password NetBIOS Access (QID 70003) ....................................................................... 260 Samba Remote Arbitrary File Access Vulnerability (QID 70040) ...................................................... 261 Samba Directory Access Control List Remote Integer Overflow Vulnerability (QID 70045)............. 262 Samba NMBD Logon Request Remote Buffer Overflow Vulnerability (QID 70046) ......................... 263 Samba Security Bypass and Format String Vulnerabilities (QID 70051) ........................................... 264 Samba "mount.cifs" Race Condition Security Issue (QID 70054) ..................................................... 264 Samba Multiple Remote Denial of Service Vulnerabilities (QID 70057) ........................................... 264 Samba chain_reply() Memory Corruption Vulnerability (QID 70058) .............................................. 265 Samba FD_SET Memory Corruption Vulnerability (QID 70061) ....................................................... 265 Samba "receive_smb_raw()" Buffer Overflow and Remote Code Execution (QID 115825) ............ 266 Sendmail Vulnerabilities ....................................................................................................................... 267 Sendmail Prescan() Variant Remote Buffer Overrun Vulnerability (QID 50080) .............................. 267 Sendmail ETRN Command Denial of Service Vulnerability (QID 74040)........................................... 267 Sendmail Debugger Arbitrary Code Execution Vulnerability (QID 74088) ....................................... 267 Sendmail Queue Processing Data Loss/Denial of Service Vulnerability (QID 74089) ....................... 268 Sendmail Unsafe Signal Handling Race Condition Vulnerability (QID 74091) .................................. 269 Sendmail File Locking Denial of Service Vulnerability (QID 74108) .................................................. 269 Sendmail Header Processing Buffer Overflow Vulnerability (QID 74135) ........................................ 269 Sendmail Address Prescan Possible Memory Corruption Vulnerability (QID 74136) ....................... 270 Sendmail check_relay Access Bypassing Vulnerability (QID 74141) ................................................. 270 Sendmail Asynchronous Signal Handling Remote Code Execution Vulnerability (QID 74212) ........ 271 Sendmail Malformed MIME Message Denial of Service (QID 74215) .............................................. 271 Sendmail Long Header Denial of Service Vulnerability (QID 74220) ................................................ 272 Sendmail SSL Certificate NULL Character Spoofing Vulnerability (QID 74240) ................................ 272 SMTP Vulnerabilities ............................................................................................................................. 272 Mail Server Accepts Plaintext Credentials (QID 74147) .................................................................... 272 SNMP Vulnerabilities ............................................................................................................................ 273 Possible Mail Relay (QID 74037) ....................................................................................................... 273 Readable SNMP Information (QID 78030) ........................................................................................ 273 Writeable SNMP Information (QID 78031) ....................................................................................... 274 Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 16

Multiple Vendor SNMP Request and Trap Handling Vulnerabilities (QID 78035) ............................ 274 SNMP Agent Stopped Responding (QID 78040) ............................................................................... 275 View-based Access Control MIB SNMP Walk Read-Write Password Revealing Vulnerability (QID 78042) ............................................................................................................................................... 275 Source Port Pass Firewall Vulnerabilities .............................................................................................. 276 TCP Source Port Pass Firewall (QID 34000)....................................................................................... 276 UDP Source Port Pass Firewall (QID 34020)...................................................................................... 276 SSH Vulnerabilities ................................................................................................................................ 276 SSH Protocol Version 1 Supported (QID 38304) ............................................................................... 276 SSH Weak Cipher Used (QID 38523) ................................................................................................. 277 SSL Server Vulnerabilities...................................................................................................................... 277 SSL Server Has SSLv2 Enabled Vulnerability (QID 38139) ................................................................. 277 SSL Server Supports Weak Encryption Vulnerability (QID 38140) .................................................... 279 SSL Server May Be Forced to Use Weak Encryption Vulnerability (QID 38141) ............................... 281 SSL Server Allows Anonymous Authentication Vulnerability (QID 38142) ....................................... 282 SSL Server Allows Cleartext Communication Vulnerability (QID 38143) .......................................... 283 Squid Proxy Vulnerabilities ................................................................................................................... 284 Squid Proxy SSLConnectTimeout Remote Denial of Service Vulnerability (QID 62048) ................... 284 Squid Proxy Aborted Requests Remote Denial of Service Vulnerability (QID 62049) ...................... 284 Squid Cache Update Denial of Service Vulnerability (QID 62056) .................................................... 285 Squid Proxy Header Parsing Remote Denial of Service (QID 62066) ................................................ 285 statd ...................................................................................................................................................... 285 statd and automountd RPC Service Remote Command Execution Vulnerability (QID 66011) ........ 285 Statd Format Bug Vulnerability (QID 66040) .................................................................................... 286 Sudo Vulnerabilities .............................................................................................................................. 286 Sudo Python Environment Variable Handling Security Bypass Vulnerability (QID 115313) ............. 286 Sudo Perl Environment Variable Handling Security Bypass Vulnerability (QID 115314) .................. 287 Sun Java Web Console Vulnerabilities .................................................................................................. 287 Sun Java Web Console Remote Information Disclosure Vulnerability (QID 86830) ......................... 287 Sun Java Web Console May Allow Unauthorized Redirection (QID 86843) ..................................... 288 Sun Java Web Console helpwindow.jsp Cross-Site Scripting (XSS) (QID 86844) .............................. 288

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 17

Sun Java Web Console navigator.jsp Cross-Site Scripting (XSS) (QID 86845) and Sun Java Web Console masthead.jsp Cross-Site Scripting (QID 86848)................................................................... 289 Sun Solaris Vulnerabilities ..................................................................................................................... 290 Sun Solaris FTPd glob() Expansion LIST Heap Overflow Vulnerability (QID 27068) .......................... 290 Solaris 10 and Solaris 11 (SolarisExpress) Remote Access Telnet Daemon Flaw (QID 38574) ......... 290 ToolTalk Buffer Overflow Vulnerability (QID 66004) ........................................................................ 291 ypupdated RPC Daemon Remote Command Execution Vulnerability (QID 66015) ......................... 291 cmsd RPC Daemon Over TCP Might Indicate a Break-in (QID 66037) .............................................. 292 Sun Solaris snmpXdmid Buffer Overflow Vulnerability (QID 66049) ................................................ 292 Sun Solaris RWall Daemon Syslog Format String Vulnerability (QID 66052) .................................... 293 RWall Spoofing (QID 66017) ............................................................................................................. 294 Sun Solaris Tooltalk Database Server Multiple Vulnerabilities (QID 68510) .................................... 294 Sun Solaris RPC AUTH_DES Privilege Escalation Vulnerability (QID 68514) ..................................... 294 Sun Solaris mibiisa Remote Buffer Overflow Vulnerability (QID 78038) .......................................... 295 Sun Solaris rpc.ypupdated May Allow Execution of Arbitrary Code Vulnerability (QID 116076) ..... 295 Sun Solaris SSH May Expose Some Plain Text from Encrypted Traffic (QID 116250) ....................... 295 Solaris NFSv4 Server Kernel Module Denial of Service Vulnerability (QID 116272) ......................... 296 Sun Solaris "keysock" Kernel Module Local Denial of Service Vulnerability (QID 116303) .............. 296 Sun Solaris Crypto Pseudo Device Driver Denial of Service Vulnerability (QID 116304) .................. 297 Sun Solaris dircmp Shell Script File Overwriting Vulnerability (QID 116340) ................................... 297 Sun Solaris IPv6 Implementation Denial of Service Vulnerability (QID 116366) .............................. 298 Solaris IKE Packet Handling may Lead to a Crash of in.iked Vulnerability (QID 116404).................. 298 Sun Solaris GSS-API Library Code Execution Vulnerability (QID 116432) ......................................... 299 Sun Solaris libpng Multiple Vulnerabilities (QID 116448) ................................................................. 299 Solaris DTrace Handlers Denial of Service Vulnerability (QID 116454) ............................................ 300 Sun Solaris Security Vulnerability in GnuTLS Library Certificate Chain Validation (QID 116460) ..... 300 Sun Solaris Ghostscript Multiple Vulnerabilities (QID 116480) ........................................................ 301 Sun Solaris auditconfig Command Privilege Escalation Vulnerability (QID 116497) ........................ 302 Sun Solaris Kernel Denial of Service Vulnerability (QID 116500) ...................................................... 302 Sun Solaris Network File System Unauthorized Network Access Vulnerability (QID 116501) ......... 302 Sun Solaris NFSv4 Kernel Module Denial of Service Vulnerability (QID 116514) ............................. 303 Sun Solaris SCTP Packet Processing Denial of Service Vulnerability (QID 116516) .......................... 303 Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 18

Sun Solaris Auditing Extended File Attributes Denial of Service Vulnerability (QID 116533)........... 304 Sun Solaris and AIX BIND Dynamic Update Denial of Service Vulnerability (QID 116538) ............... 304 Sun Solaris "sockfs" Kernel Module Remote Denial of Service Vulnerability (QID 116587)............. 305 Sun Solaris libtiff Image Conversion Tools Integer Overflow Vulnerability (QID 116591) ................ 305 Sun Solaris "w" Utility Privilege escalation Vulnerability (QID 116610) ........................................... 306 Sun Solaris IP Module and STREAMS Framework Denial of Service Vulnerability (QID 116623) ..... 306 Sun Solaris Sockets Direct Protocol (SDP) Driver "sdp(7D)" Remote Denial of Service Vulnerability (QID 116675) ..................................................................................................................................... 306 Sun Solaris Trusted Extensions Missing Libraries Privilege Escalation Vulnerability (QID 116796) . 307 Solaris PostgreSQL Privilege Escalation or Man-in-the-Middle on SSL Connections (QID 116841) . 307 Solaris GNOME PDF Rendering Libraries Denial of Service or Arbitrary Code Execution Vulnerabilities (QID 117018) ............................................................................................................. 308 Sun Solaris and Red Hat bzip2 Command May Lead to Denial of Service (QID 115953)...................... 308 TFTP....................................................................................................................................................... 309 TFTP Daemon Theft of '/etc/passwd' file (QID 38064) ..................................................................... 309 TFTP Server Directory Traversal Vulnerability (QID 38065) .............................................................. 309 Veritas NetBackup Vulnerabilities ........................................................................................................ 310 Veritas NetBackup Java User-Interface Remote Format String Vulnerability (QID 38482) .............. 310 VNC Vulnerabilities ............................................................................................................................... 310 VNC Server Weak Password Encryption Vulnerability (QID 38023) ................................................. 310 Null Authentication VNC Server Access (QID 38161)........................................................................ 311 Web Server Vulnerabilities ................................................................................................................... 311 Web Server Vulnerable to Cross Site Scripting (XSS) (QID 10788).................................................... 311 Session-Fixation Social Engineered Session Hijacking (QID 12074) .................................................. 312 CONNECT Method Allowed in HTTP Server Or HTTP Proxy Server Vulnerability (QID 62026)......... 313 Web Server/ Web Application Vulnerable to Cross-Site Scripting (XSS) Attacks (QID 86175) ......... 313 Listing of Scripts in the scripts Directory (QID 86333) ...................................................................... 314 Generic Web Server Directory Traversal Vulnerability (QID 86375) ................................................ 314 Web Server Stopped Responding (QID 86476) ................................................................................. 314 Multiple Vendor Multiple HTTP Request Smuggling Vulnerabilities (QID 86705) ............................ 315 Web Server Vulnerable to Redirection Page Cross-Site Scripting (XSS) Attacks (QID 86714) .......... 316 Web Server Uses Plain-Text Form Based Authentication (QID 86728) ............................................ 317 Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 19

Webmin / Usermin Vulnerabilities ....................................................................................................... 317 Webmin / Usermin Authentication Bypass Vulnerability (QID 10658)............................................. 317 Webmin / Usermin Login Cross Site Scripting Vulnerability (QID 10659) ........................................ 317 Webmin Environment Variable Information Disclosure Vulnerability (QID 86156) ......................... 318 Wind River VxWorks WDB Debugging Service Security Bypass Vulnerability (QID 42346) .................. 318 WINS Vulnerabilities ............................................................................................................................. 319 WINS Domain Controller Spoofing Vulnerability - Zero Day (QID 70007) ........................................ 319 NetBIOS Name Conflict Vulnerability (QID 70008) ........................................................................... 320 NetBIOS Release Vulnerability (QID 70009)...................................................................................... 321 WordPress Vulnerabilities..................................................................................................................... 321 WordPress Publish Posts Remote Security Bypass Vulnerability (QID 12497) ................................. 321 WU-FTPD Vulnerabilities....................................................................................................................... 322 WU-FTPD FB_RealPath Off-By-One Buffer Overflow Vulnerability (QID 27200) .............................. 322 Unauthenticated Access to FTP Server Allowed (QID 27210)........................................................... 322 WU-FTPD Restricted-gid Unauthorized Access Vulnerability (QID 27274) ....................................... 322 WU-FTPD SockPrintf() Remote Stack-based Buffer Overrun Vulnerability (QID 27275) .................. 323 WU-FTPD S/Key Remote Buffer Overrun Vulnerability (QID 27276) ................................................ 324 X Vulnerabilities .................................................................................................................................... 324 X Display Manager Control Protocol (XDMCP) Detected (QID 38147) ............................................. 324 X-Window Sniffing (QID 95001) ........................................................................................................ 325 Registration of Bogus RPC Programs (QID 66023) ................................................................................ 326 Appendices................................................................................................................................................ 326 Regarding Cross-Site Scripting (XSS) Vulnerability Detection ............................................................... 326 Red Hat Updates ................................................................................................................................... 327 Security Vulnerability Assessment minimum software versions .......................................................... 327

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 20

Qualys as a mitigation recommendation tool (Knowledge Base)


Many vendor and bugtraq references are missing. For example, "Apache Tomcat 5 and 6 Host Manager Web Application Cross-Site Scripting (XSS) Vulnerability (QID 86803)": CVE-2008-1947 lacks the vendor reference (http://tomcat.apache.org/security-5.html#Apache_Tomcat_5.x_vulnerabilities, fixed in 5.5.27) and bugtraq ID (29502, 31681). One, and sometimes two, security bulletins are mentioned when describing a Red Hat vulnerability, when four or more bulletins are necessary to describe the Red Hat response. This is publication attempts to fill in those blanks. Mitigation recommendations are not updated. For example, "Sun Java Web Console helpwindow.jsp Cross-Site Scripting (QID 86844)": Qualys reports that no vendor patch is available at this time, and offers no CVE to track. The CVE is CVE-2009-2283. The patch is Sun Solaris patch 136987-03. This suggests that once the vulnerability is added to the database, it is not reviewed. Mitigation measures suggested by the database will become obsolete. Another example: Notes about "Microsoft Windows Task Scheduler Code Execution (MS04-022) (QID 90134)" mention "This update resolves a newly-discovered, privately reported vulnerability." Other notes indicate that the vendor has made no patch available. These remarks should be ignored. The customer must determine if a patch or other remediation measure is available. Vulnerabilities in Open Source software are usually mitigated by the vendor using a code fix and recompiling, producing their own (earlier) remediated version number. This is "backporting" the patch. Detecting vulnerabilities in Open Systems software (such as Apache and OpenSSH) by using version number is complicated. You should be advised to use the vendor-supplied patch (such as the Red Hat update to address the vulnerability) and not advised to the install the generally available upgrade version. Vendors will typically backport the software change. For example, "OpenSSH Multiple Memory Management Vulnerabilities (QID 38217)" Qualys recommends OpenSSH 3.7.1. This would not be possible when the platform is Cisco CatOS. (CatOS 8.5(8) and 8.6(4) include the patch.) When the platform is Red Hat Enterprise Linux 2.1, the patch is included in OpenSSH_3.1p1-14 (backported). When the platform is Red Hat EL 3, no released version is vulnerable (patch backported to OpenSSH_3.6.1p2). Checking for version OpenSSH 3.7.1 is insufficient to determine in the system is vulnerable. Another example, "Sendmail Long Header Denial of Service Vulnerability (QID 74220)": Find CVE-2006-4434 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4434 For Red Hat information, start at https://www.redhat.com/security/data/cve/ and search for the CVE ID. Red Hat EL 3 Red Hat EL 4 Red Hat EL 5 Page 21

Vulnerability Remediation Synopsis version 0.4Russ Klanke

For Solaris information, start at http://blogs.oracle.com/sunsecurity/ and search for the CVE ID. Solaris 5.10 Generic_141414-07 Solaris 8 Solaris 9 o SPARC Platform o X86 Platform Solaris 10 o SPARC Platform o X86 Platform

Solaris articles are available with an Oracle ID and support account or archived at download.oracle.com/sunalerts. For example, you may not be able to access Oracle ID 1000292.1 at https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1000292.1, but you should be able to read it at http://download.oracle.com/sunalerts/1000292.1.html. Linux 2.6, Linux 2.6.9 and other variants are not sufficiently specific to determine the vendor build. Qualys does detect some more granular Linux versions, but I have not yet learned the distribution that these versions map to. When Qualys detects Linux 2.6.9, can I assume that it is Red Hat EL 4? How about Linux 2.6.18-194; can I assume that this is Red Hat EL 5? Qualys does not reuse some of its detection results. For example, Qualys may report the result: Detected service telnet and os CISCO IOS 11.3-12.4

However, if the vulnerability "Cisco IOS Firewall Authentication Proxy for FTP and Telnet Sessions Buffer Overflow (QID 38471)" is detected, Qualys may detect the operating system as: Cisco IOS Version 12.2(31)SGA4 Cisco IOS Version 12.2(40)SE2 Cisco IOS Version 12.2(53)SE2

This operating system information is sufficiently detailed to determine that other vulnerabilities have been mitigated. Qualys does not parse Cisco version numbers when determining if a vulnerability has been mitigated. While their version numbers are complicated (such as "12.2(31)SGA4"), simplifying the version number as "12.2" is not accurate.

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 22

Adobe Flash Vulnerabilities


Adobe Flash Player Multiple Vulnerabilities (QID 116536) CVE-2009-1862, CVE-2009-0901, CVE-2009-2395, CVE-2009-2493, CVE-2009-1863, CVE-2009-1864, CVE2009-1865, CVE-2009-1866, CVE-2009-1867, CVE-2009-1868, CVE-2009-1869, CVE-2009-1870, APSB0910, APSA09-04, APSA09-03, Oracle ID 1020856.1, MS09-034, 973882, MS09-035 Adobe reports of multiple vulnerabilities that exist in versions 9 and 10 of Flash Player for Windows, Macintosh and Linux operating systems. A vulnerability exists in Flash Player on Windows operating systems for use with Internet Explorer. It leverages a vulnerable version of the Microsoft Active Template Library (ATL) described in Microsoft Security Advisory (973882). A vulnerability in Flash Player for Windows, Macintosh and Linux operating systems can be exploited by supplying a malicious Flash (".swf") file or by embedding a malicious Flash application in a PDF file.

Successful exploitation of this vulnerability could allow an attacker to take control of the affected system. Successful exploits may also allow an attacker to execute arbitrary code in the context of the user running the affected application. Affected Versions: Flash Player Version 9.0.159.0 and earlier Flash Player Version 10.0.22.87 and earlier Adobe AIR Version 1.5.1 and earlier

Install vendor update or upgrade to Adobe Flash Player 9.0.246.0 or 10.0.32.18 (or later) or Adobe AIR 1.5.2 (or later). Refer to Adobe Security Advisories APSA09-04 and APSA09-03 and Adobe Security Bulletin APSB09-10 for additional details on the vulnerabilities and patch instructions for Flash Player. For Solaris, refer to security advisory Oracle ID 1020856.1 to obtain additional details about this vulnerability. Workaround: Users should consider installing Microsoft patches for Microsoft Security Bulletin MS09034. As a defense-in-depth measure, this Internet Explorer security update helps mitigate known attack vectors within Internet Explorer for those components and controls, such as Flash Player, that have been developed with vulnerable versions of ATL as described in Microsoft Security Advisory (973882) and Microsoft Security Bulletin MS09-035. This vulnerability is confirmed by detecting "SUNWflash-player-plugin is installed" and "125332-07 is missing".

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 23

Adobe Reader Vulnerabilities


Adobe Acrobat is a family of computer programs developed by Adobe Systems, designed to view, create, manipulate and manage files in Adobe's Portable Document Format (PDF). Adobe Acrobat/Reader "util.printf()" Buffer Overflow Vulnerability (QID 116027) CVE-2008-2992, CVE-2008-2549, CVE-2008-4812, CVE-2008-4813, CVE-2008-4817, CVE-2008-4816, CVE2008-4814, CVE-2008-4815, APSB08-19, Oracle ID 1019937.1 The vulnerability is caused due to a boundary error when parsing format strings containing a floating point specifier in the "util.printf()" Javascript function and can be exploited to cause a stack-based buffer overflow via a specially crafted PDF. Successful exploitation may allow execution of arbitrary code when viewing a malicious PDF file. Adobe Reader, when used as a browser plugin, may give remote users the ability to execute arbitrary code within the browser with the permissions of the local user. Install vendor update or upgrade Adobe Acrobat or Reader to 8.1.3 or later. Refer to security bulletin APSB08-19 for additional information. For Sun Solaris, see to Oracle ID 1019937.1 to obtain patch details. This vulnerability is confirmed by detecting "SUNWacroread is installed" and "121104-06 is missing." Sun Solaris Adobe Reader Multiple Vulnerabilities (QID 116386) CVE-2009-0193, CVE-2009-0658, CVE-2009-0927, CVE-2009-0928, CVE-2009-1061, CVE-2009-1062, Sun Alert ID 256788, Oracle ID 1020358.1 The following security vulnerabilities have been identified in Adobe Reader and Acrobat 9 and earlier versions: A buffer overflow flaw exists in Adobe Acrobat and Reader. A maliciously created PDF is used to exploit a vulnerability in a non-JavaScript function call. However, it also uses some JavaScript to implement a heap spray to cause successful code execution. The specially crafted PDF contains JavaScript that is used to fill the heap with shell code which allows arbitrary code to be executed with the privileges of the user running the application. (CVE-2009-0658) A heap based buffer overflow vulnerability allows remote attackers to execute arbitrary code via a PDF file containing a JBIG2 stream with a size inconsistency related to an unspecified table. (CVE-2009-0928) A stack based buffer overflow vulnerability is caused when processing a specially crafted argument passed to the JavaScript "getIcon()" method of a Collab object. This issue can be exploited by a remote attacker to execute arbitrary code by tricking a user into opening a specially crafted PDF file. (CVE-2009-0927) Unspecified vulnerabilities in Acrobat Reader that can be exploited by remote attackers to execute arbitrary code via attack vectors related to JBIG2 and input validation. (CVE-2009-0193, CVE-2009-1061, CVE-2009-1062) Page 24

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Successful exploitation may allow remote unprivileged users to execute arbitrary code or crash the Adobe Reader application, thereby causing a denial of service. These vulnerabilities may be exploited via specially crafted PDF files. Solaris 10 on SPARC platform is vulnerable to the above issues. Solaris 8, Solaris 9, Solaris 10 on the x86 platform and OpenSolaris do not ship with Adobe Reader and therefore are not affected by this issue. Refer to security advisory Oracle ID 1020358.1 to obtain additional details about this vulnerability. Workaround: Disable JavaScript in Adobe Acrobat or Reader to prevent a potential exploit. JavaScript can be disabled as follows: Launch Acrobat or Adobe Reader. Select "Edit", "Preferences". Select the JavaScript Category. Uncheck the "Enable Acrobat JavaScript" option and click OK.

Note: Disabling JavaScript prevents some exploits from resulting in code execution; however disabling JavaScript still makes exploitation possible, and if successful this may result in crashing the application. Workaround: Prevent PDF documents from being opened automatically by the Web browser. Open Adobe Acrobat Reader. Open the Edit menu. Choose the preferences option. Choose the Internet section. Un-check the "Display PDF in browser" check box.

Workaround: Prevent the Web browser from opening PDF documents. Due to a variation in web browsers, changing the default action for PDF documents varies, but should be something like: Open Web browser. Open the Tools menu. Choose the Options option. Select Applications tab. Select the PDF file type from the list and change its action from opening it in the browser to another option (save them to the computer or open them in Adobe Reader).

This vulnerability is confirmed by detecting "8.1.2_SU1". Sun Solaris Adobe Reader Multiple Vulnerabilities (QID 116437) CVE-2008-5519, CVE-2009-1493, Sun Alert ID 259028, Oracle ID 1020468.1

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 25

The following security vulnerabilities exist in Adobe Reader Versions 9.1 and earlier for Solaris 10. These flaws can be exploited by enticing unsuspecting users into opening malicious PDF files to crash the application or execute arbitrary code. An error when processing calls to the "getAnnots()" JavaScript method can be exploited to corrupt memory via a specially crafted PDF file that contains an annotation and has an OpenAction entry with JavaScript code that calls this method with crafted integer arguments. (CVE-2009-1492) An error when processing calls to the "customDictionaryOpen()" JavaScript method can be exploited to corrupt memory via a specially crafted PDF file that triggers a call to this method with a long string in the second argument. (CVE-2009-1493) Successful exploitation may allow remote unprivileged users to execute arbitrary code or crash the Adobe Reader application, thereby causing a denial of service. These vulnerabilities may be exploited via specially crafted PDF files.

Solaris 10 on SPARC platform is vulnerable to the above issues. Solaris 8, Solaris 9, Solaris 10 on the x86 platform and OpenSolaris do not ship Adobe Reader and therefore are not affected by this issue. There are no vendor supplied patches available at this time; however IDR141813-01, an Interim Security Relief (ISR) for Solaris 10 is available. Refer to security advisory Oracle ID 1020468.1 to obtain additional details about this vulnerability. Workaround: Disable JavaScript in Adobe Acrobat or Reader to prevent a potential exploit. JavaScript can be disabled as follows: Launch Acrobat or Adobe Reader. Select "Edit", "Preferences". Select the JavaScript Category. Uncheck the "Enable Acrobat JavaScript" option and click OK.

Note: Disabling JavaScript prevents some exploits from resulting in code execution; however disabling JavaScript still makes exploitation possible, and if successful this may result in crashing the application. Workaround: Prevent PDF documents from being opened automatically by the Web browser. Open Adobe Acrobat Reader. Open the Edit menu. Choose the preferences option. Choose the Internet section. Un-check the "Display PDF in browser" check box.

Workaround: Prevent the Web browser from opening PDF documents. Due to a variation in web browsers, changing the default action for PDF documents varies, but should be something like: Open Web browser. Page 26

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Open the Tools menu. Choose the Options option. Select Applications tab. Select the PDF file type from the list and change its action from opening it in the browser to another option (save them to the computer or open them in Adobe Reader).

This vulnerability is confirmed by detecting "8.1.2_SU1".

Apache Vulnerabilities
The Apache HTTP Server is a freely available Web server. Discovery of Unix Account Names Vulnerability (QID 5001) CVE-2001-1013, ISS X-Force 7129, Bugtraq ID 3335 When a request for a user is made (http://ipaddress/~user), certain servers (such as Apache Versions 1.3.12 and 1.3.9) return a different reply depending on whether the account user exists on the host or not. If a request is made for an account that exists on the host, a 403 error is returned. If a request is made for a non-existent account, then a 404 error is returned. Unauthorized remote users can implement brute force attacks on the Web server to guess a valid account name on the server. Even though they may be successful in obtaining a valid account, they will still have to guess the password. However, if user passwords are weak, some services may also be brute forced. Resolution: Disable the default-enabled "UserDir" directive. To do so, add the following line to the httpd.conf file: UserDir Disabled Apache Versions 1.3.9 and 1.3.12 are vulnerable. Other Web servers may also be vulnerable. There are currently no patches available. (ISS X-Force 7129: "No remedy available as of July 9, 2011.") We strongly advise you to upgrade to a later version of Apache. No Red Hat version is vulnerable. This vulnerability is confirmed by exploiting the vulnerability (the existence of some standard account names was confirmed). "test-cgi" CGI Vulnerability (QID 10015) CVE-1999-0070, Bugtraq ID 2003 There is a vulnerability in the /cgi-bin/test-cgi CGI script. Unauthorized remote users can compromise the security of this Web server. They can also list CGIs present on the server, and then see if vulnerable CGIs were renamed instead of being removed. They can also see if there are custom made CGIs on this server. Updated versions of Apache correct bugs related to this CGI by quoting all star characters (*) with a backslash (\) before passing them to the CGI. Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 27

Install vendor update or upgrade to Apache 1.0.6 or later. No Red Hat version is vulnerable. Workaround: Delete this sample script. Removing the test.cgi scripts solves the problem with no loss of functionality of the server. The script is usually installed in the /cgi-bin/test-cgi file in the Web server main directory. Note: Some patched versions of this script trap users trying to exploit it, providing early attack warnings. Booby-trapped versions are hard to distinguish from vulnerable versions of test-cgi. This vulnerability is confirmed by exploiting the vulnerability (the CGI script was run). Note: Qualys sometimes reports this vulnerability when detecting the CGI script on Apache, even though the version of Apache is not vulnerable. Apache HTTP Server Multiple Cross-Site Scripting Vulnerabilities (QID 12260) CVE-2007-6388, CVE-2007-5000, CVE-2008-0005, RHSA-2008-0004, RHSA-2008-0005, RHSA-2008-0006, RHSA-2008-0007, RHSA-2008-0008 Apache HTTP Server modules "mod_status", "mod_imagemap", "mod_imap" and "mod_proxy_ftp" contain multiple cross-site scripting vulnerabilities. These vulnerabilities arise from the application failing to properly sanitize user input. Successful exploitation will allow an attacker to launch arbitrary code in a user's browser or steal cookie-based authentication credentials. Install vendor update or upgrade to the latest version of Apache. For Red Hat (CVE-2007-6388, CVE-2007-5000, CVE-2008-0005):

Red Hat Enterprise Linux 2.1 (apache) RHSA-2008:0004 1.3.27-14.ent Red Hat Enterprise Linux 3 (httpd) RHSA-2008:0005 httpd-2.0.46-70 (superseded by RHSA2009:1579 httpd-2.0.46-77) Red Hat Enterprise Linux 4 (httpd) RHSA-2008:0006 httpd-2.0.52-38.ent.2 (superseded by RHSA2011:1392 httpd-2.0.52-49)

For Sun Solaris see "Sun Solaris Cross-Site Scripting Issues in Apache 1.3 and 2.0 "mod_imap" and "mod_status" Modules (QID 115798)". This vulnerability is suggested when "Apache", "Apache/1.3.29 (Unix) JRun/4.0 mod_perl/1.25", "Apache/1.3.33 (Unix) mod_perl/1.29 PHP/4.3.10 mod_ssl/2.8.22 OpenSSL/0.9.7e", "Apache/1.3.33 (Unix) mod_ssl/2.8.22 OpenSSL/0.9.6m", "Apache/1.3.33 (Win32) mod_ssl/2.8.22 OpenSSL/0.9.7e", "Apache/1.3.34 (Unix) mod_perl/1.29 mod_ssl/2.8.25 OpenSSL/0.9.7h", "Apache/1.3.36 (Unix) mod_jk/1.2.15", "Apache/1.3.36 (Unix) mod_jk/1.2.18 mod_ssl/2.8.27 OpenSSL/0.9.7f", "Apache/1.3.36 (Unix) mod_perl/1.29 ApacheJserv/1.1.2", "Apache/1.3.37 (Unix) mod_ssl/2.8.28 OpenSSL/0.9.7l", "Apache/1.3.39 (Unix) mod_jk/1.2.15 mod_perl/1.29", "Apache/2.0.39 (Unix) mod_ssl/2.0.39 OpenSSL/0.9.7c", "Apache/2.0.52 (Fedora)", "Apache/2.0.52 (Unix) mod_ssl/2.0.52 OpenSSL/0.9.7b Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 28

mod_jk2/2.0.2", "Apache/2.0.54 (Unix) mod_ssl/2.0.54 OpenSSL/0.9.6m PHP/5.0.5", "Apache/2.0.58 (Unix) mod_ssl/2.0.58 OpenSSL/0.9.7d DAV/2", "Apache/2.0.59 HP-UX_Apache-based_Web_Server", "Apache/2.0.59 (Unix)", "Apache/2.0.59 (Unix) mod_jk/1.2.0", "Apache/2.0.59 (Unix) mod_ssl/2.0.59 OpenSSL/0.9.8d", "Apache/2.0.59 (Unix) PHP/5.2.6", "Apache/2.2.0 (Unix) DAV/2", "Apache/2.2.0 (Unix) mod_ssl/2.2.0 OpenSSL/0.9.8a DAV/2", "Apache/2.2.2 (Unix) mod_ssl/2.2.2 OpenSSL/0.9.8a DAV/2", "Apache/2.2.2 (Unix) mod_ssl/2.2.2 OpenSSL/0.9.8d DAV/2", "Apache/2.2.3 (CentOS)", "Apache/2.2.3 (Oracle)", "Apache/2.2.3 (Unix) PHP/5.1.6", "Apache/2.2.3 (Unix) PHP/5.2.0", "Apache/2.2.3 (Unix) PHP/5.2.5", "Apache/2.2.6 (Unix) mod_ssl/2.2.6 OpenSSL/0.9.8j DAV/2 PHP/5.2.5", "IBM_HTTP_SERVER/1.3.28.1 Apache/1.3.28 (Win32)",or "IBM_HTTP_Server/6.1.0.27 Apache/2.0.47 (Unix)" is detected, or when "Red Hat 2.4" is detected with: Package Installed version Required version apache 1.3.27-8.ent 1.3.27-14.ent apache-devel 1.3.27-8.ent 1.3.27-14.ent Apache Axis2/Java "modules" Cross-Site Scripting (XSS) Vulnerability (QID 12370) CVE-2010-2103 Apache Axis2 is a Web Services/SOAP/WSDL engine. A vulnerability has been discovered in Apache Axis2/Java, which can be exploited by malicious users to conduct cross-site scripting attacks. Input passed via the "modules" parameter in "axis2/axis2-admin/engagingglobally" is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a logged in administrator's browser session in the context of an affected site. The vulnerability is confirmed in Version 1.5.1. Other versions may also be affected. As of July 9, 2011 there were no vendor supplied patches available. Workaround: Filter malicious characters and character sequences in a proxy. This vulnerability is confirmed through the URL https://ipaddress:8443/axis2/ axis2admin/engagingglobally?submit=%2bEngage%2b&modules=<script>alert('qualysXSS')</script> using the "admin" username and "axis2" password. Apache Axis2 Default Administrative Access (QID 12499) Apache Axis2 is a Web Services/SOAP/WSDL engine. The instance of Axis2 on the target allows administrative access with default credentials of username "admin" and password as "axis2". A remote attacker could exploit this to take control of the Axis2 server. Change the password for the "admin" account. This can be done by changing parameters in axis2.xml as required. Refer to Apache Axis2 Web Administrator's Guide for further information. Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 29

This vulnerability is confirmed by logging into the Axis2 administration console (https://ipaddress:8443/axis2/) using the default password for the "admin" account, "axis2". Apache HTTP Server APR "apr_fnmatch()" Denial of Service Vulnerability (QID 12500) CVE-2011-0419, Apache2.2.18 The vulnerability is caused by an infinite recursion error within the "apr_fnmatch()" function when processing certain patterns. This can be exploited to cause a stack overflow via a specially crafted request containing wildcard characters (e.g. "*"). This vulnerability can be exploited by malicious people to cause a denial of service. Install vendor update or upgrade to Apache Version 2.2.18 (or later). For Red Hat (CVE-2011-0419): Red Hat Enterprise Linux version 4 (apr) RHSA-2011:0507 apr-0.9.4-25.el4 (superseded by RHSA2011:0844 apr-0.9.4-26.el4) Red Hat Enterprise Linux version 5 (apr) RHSA-2011:0507 apr-1.2.7-11.el5_6.4 (superseded by RHSA-2011:0844 apr-1.2.7-11.el5_6.5) Red Hat Enterprise Linux version 6 (apr) RHSA-2011:0507 apr-1.3.9-3.el6_0.1 (superseded by RHSA-2011:0844 apr-1.3.9-3.el6_1.2) JBoss Enterprise Web Server 1.0 RHSA-2011:0896 JBoss Enterprise Web Server 1.0 for RHEL 4 AS RHSA-2011:0897 JBoss Enterprise Web Server 1.0 for RHEL 5 Server RHSA-2011:0897 JBoss Enterprise Web Server 1.0 for RHEL 6 Server RHSA-2011:0897

This vulnerability is suggested by "Detected on port 443 - Apache/2.2.2 (Fedora)". Apache HTTP Server Mod_Proxy Denial of Service Vulnerability (QID 62057) CVE-2007-3847, Apache httpd 2.0 Vulnerabilities, Apache httpd 2.2 Vulnerabilities A flaw was found in the Apache HTTP Server mod_proxy module. This vulnerability may lead to a denial of service if using a threaded Multi-Processing Module. When a reverse proxy is configured, a remote attacker can send a carefully crafted request that would cause the Apache child process handling that request to crash. When a forward proxy is configured, a similar crash may result when a user visits a malicious site using the proxy. Affected Versions: Apache Versions 2.0.35 through 2.0.59 Apache Versions 2.2.0 through 2.2.4.

Install vendor update or upgrade to Apache Version 2.0.60 or 2.2.5 (or later). Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 30

For Red Hat (CVE-2007-3847): Red Hat Enterprise Linux version 3 (httpd) RHSA-2008:0005 httpd-2.0.46-70.ent (superseded by RHSA-2009:1579 httpd-2.0.46-77.ent) Red Hat Enterprise Linux version 4 (httpd) RHSA-2007:0747 httpd-2.0.52-38.ent (superseded by RHSA-2011:1392 httpd-2.0.52-49.ent) Red Hat Enterprise Linux version 5 (httpd) RHSA-2007:0746 httpd-2.2.3-11.el5 (superseded by RHSA-2011:1392 httpd-2.0.52-49.ent) Red Hat Application Stack v1 for Enterprise Linux AS (v.4) (httpd) RHSA-2007:0911 Red Hat Application Stack v2 for Enterprise Linux (v.5) (httpd) RHSA-2007:0911 Red Hat Certificate System 7.3 for 4AS RHSA-2010:0602

This vulnerability is suggested by "Detected on port 443 - Apache/2.2.2 (Fedora)". Apache CGI Source Code Viewing Vulnerability (QID 86054) CVE-2000-0868, Bugtraq ID 1658 If the Apache configuration file (/etc/httpd/httpd.conf) contains the following Alias entry, then all files in /cgi-bin/ can be accessed via URLs of the format http://target/cgi-bin-sdb: Alias /cgi-bin-sdb/ /usr/local/httpd/cgi-bin/ Because the path does not contain the string /cgi-bin/, improper permissions are assigned, and the file is sent to the client instead of being executed on the server. Basically, the existence of the cgi-bin-sdb alias makes it possible for malicious users to view the source code of CGI scripts stored in /cgi-bin/. SuSE Linux Versions 6.3 and 6.4 (prior versions may also be vulnerable) install Apache Web server (Version 1.3.12 in Version 6.4 of SuSE) with this kind of configuration file. If successfully exploited, malicious users can view the source code of CGI scripts stored in /cgi-bin/. Workaround: You can comment out the offending entry in the Apache configuration file (/etc/httpd/httpd.conf) with a pound sign (). See below: Alias /cgi-bin-sdb/ /usr/local/httpd/cgi-bin/ Alternatively, you can change this line so that CGI scripts can be executed, but not read. To do so, change the line to the following, and then stop and restart the server. ScriptAlias /cgi-bin-sdb/ /usr/local/httpd/cgi-bin/ Updates are available for SuSE Linux. Contact your vendor for upgrade or patch information. How this vulnerability is suggested is unknown. Apache Webserver /server-status Information Disclosure Vulnerability (QID 86410) OSVDB 561 Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 31

Requesting the URI /server-status discloses information about the status of your Apache Web server. A malicious user can gain access to sensitive status information about your Apache Web server. Workaround: If you need this feature, then limit access to the administrator's machine. Edit the <Location /server-status> in httpd.conf to only allow access from trusted IP addresses. Workaround: If you don't need this feature, comment out the following lines in your httpd.conf file: <Location /server-info> SetHandler server-status </Location> This vulnerability is confirmed by exploiting the vulnerability (GET /server-status was successful). Note: Qualys provides no reference to a vulnerability. Apache 2.x HTTP Server Linefeed Memory Allocation Denial of Service Vulnerability (QID 86482) CVE-2003-0132, RHSA-2003-139, Bugtraq ID 7254 Apache HTTP server, version 2.0 through 2.0.44, has a problem in handling large chunks of consecutive linefeed characters. The HTTP server allocates an eighty-byte buffer for each linefeed character without specifying an upper limit for allocation. An attacker can exploit this vulnerability to remotely exhaust system resources of the vulnerable Apache HTTP server thereby causing a Denial of Service Install vendor patch for CVE-2003-0132 or upgrade to Apache Version 2.0.45 (or later). For Red Hat (CVE-2003-0132): no Enterprise version is vulnerable. Apache 2.x Web Server File Descriptor Leakage Vulnerability (QID 86483) CVE-2003-0132, Bugtraq ID 7255, RHSA-2003:139, Apache 2.0.45 released with security fixes A vulnerability has been reported for Apache Web servers that could result in the disclosure of sensitive information. The vulnerability occurs due to file descriptors being improperly inherited by child processes. Specifically, the HTTPd service fails to properly close error logs when it forks to execute CGI scripts. The vulnerability exists in the 'mod_log_config.c' source file where the apr_file_inherit_set() function was being improperly called. Exploitation of this vulnerability may result in attackers being able to access sensitive log information. It may also be possible to exploit this issue to cause a denial of service. Install vendor update or upgrade Apache to 2.0.45 (or later). SECURITY: Eliminated leaks of several file descriptors to child processes, such as CGI scripts. This fix depends on the latest APR library release 0.9.2, which is distributed with the httpd source tarball for Apache 2.0.45. PR 17206 Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 32

For Red Hat (CVE-2003-0132): No Enterprise Linux version is vulnerable. This vulnerability is suggested by "Apache/2.0.39 (Unix) mod_ssl/2.0.39 OpenSSL/0.9.7c" or similar version information. Note: Qualys does not include a CVE ID or RHSA ID. Apache Basic Authentication Module Valid User Login Denial of Service Vulnerability (QID 86532) CVE-2003-0189, RHSA-2003:186, Bugtraq ID 7725 It has been reported that Apache Version 2.0 does not properly use specific thread-safe functions. Because of this, an attacker may be able to create a circumstance that prevents users from logging into restricted areas with valid user credentials. This issue is reported to affect Apache Versions 2.0.40 through 2.0.45. The problem is in the use of crypt and derivative functions. Platforms without a crypt_r function and without a thread-safe crypt function are vulnerable to an unspecified issue that can cause the failure of authentication credentials until the vulnerable server is restarted. An attacker may exploit this vulnerability to deny access to legitimate users. Install vendor update or upgrade to Apache Version 2.0.46 (or later). For Red Hat (CVE-2003-0189): No Enterprise Linux version is vulnerable. This vulnerability is suggested by "Detected on port 80 - Apache/2.0.39 (Unix) mod_ssl/2.0.39 OpenSSL/0.9.7c". Miscellaneous Apache Vulnerabilities (2.0.46 and earlier) (QID 86562) CVE-2003-0192, CVE-2003-0253, CVE-2003-0254 A number of vulnerabilities have been discovered in Apache Version 2.0.46 and earlier: Certain sequences of per-directory renegotiations and the SSLCipherSuite directive being used to upgrade from a weak ciphersuite to a strong one could result in the weak ciphersuite being used in place of the strong one. (CVE-2003-0192) Certain errors returned by accept() on rarely accessed ports could cause temporal denial of service, due to a bug in the prefork MPM. (CVE-2003-0253) Denial of service may occur when the target host is IPv6 and the FTP proxy server cannot create an IPv6 socket. (CVE-2003-0254)

Depending on the vulnerability exploited, an attacker may potentially cause a denial of service condition or reduce cipher strength.

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 33

Apache HTTP Server Buffer Overflow Vulnerabilities In mod_alias And mod_rewrite (QID 86600) CVE-2003-0542, CVE-2003-0789, Bugtraq ID 8911 Apache HTTP Server versions prior to 1.3.29 and 2.0.48 contain a vulnerability in certain modules, allowing a local attacker to trigger a buffer overflow on the system. The vulnerability exists in the modules "mod_alias" and "mod_rewrite". These modules improperly handle regular expressions containing more than nine capturing parentheses. A local attacker could create a specially-crafted configuration file with such expressions to be used by the modules. Buffer overflow conditions may be exploited to cause a denial of service (DoS) on the server. It is not known whether this vulnerability may be exploited to execute arbitrary code. Install vendor update or upgrade to Apache Version 1.3.29 or 2.0.48 (or later). For Red Hat (CVE-2003-0542, CVE-2003-0789): Red Hat Enterprise Linux 3 (httpd) RHSA-2004:015 httpd-2.0.46-26.ent (superseded by RHSA2009:1579 httpd-2.0.46-77.ent) Red Hat Linux 7.1 RHSA-2003:405 Red Hat Linux 7.2 RHSA-2003:405 Red Hat Linux 7.3 RHSA-2003:405 Red Hat Linux 8.0 RHSA-2003:320 Red Hat Linux 9 RHSA-2003:320 Red Hat Linux Advanced Workstation 2.1 RHSA-2003:360 Red Hat Stronghold 4 RHSA-2004:139 Stronghold 4 for Red Hat Enterprise Linux RHSA-2005:816

This vulnerability is suggested by "Detected on port 443 - Apache/2.0.46 (Red Hat)". Apache2 MOD_CGI STDERR Denial of Service Vulnerability (QID 86636) CVE-2002-1850, Bugtraq ID 8725 Apache2 MOD_CGI STDERR Denial Of Service Vulnerability: The vulnerability presents itself when a CGI script outputs excessive data to STDERR. If this condition occurs, the execution of the script will pause indefinitely due to a locked write() call in mod_cgi. The consequences of successful exploitation vary from information disclosure to a denial of service condition. Vulnerable Versions: Install vendor update or upgrade Apache to 1.3.31 (or later) or 2.0.48 (or later). For Red Hat (CVE-2002-1850): Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 34

This vulnerability is suggested by "Apache/2.0.46 (Red Hat)". Apache Web Server Type-Map Recursive Loop Denial of Service Vulnerability (QID 86637) Apache httpd Release 2.0 Changes, Bugtraq ID 8138 Apache content negotiation functionality has been reported prone to a denial of service vulnerability. The issue may present itself, if an attacker has the ability to create a malicious type-map file. The attacker may craft the type-map file in a manner sufficient to cause the vulnerable server to fall into an infinite loop. Successful exploitation of this issue causes the Apache server to exponentially consume resources, effectively denying service to other legitimate system users. Install vendor update or upgrade Apache to 1.3.28 (or later) or 2.0.47 (or later). For Red Hat (): This vulnerability is suggested by "Detected on port 80 - Apache/2.0.46 (Red Hat)". Apache 2.0.49 And Earlier Miscellaneous Vulnerabilities (QID 86643) CVE-2004-0174, CVE-2003-0020, CVE-2004-0113, CVE-2004-0493, Bugtraq ID 9921 A number of security issues exist in Apache versions 2.0.49 and earlier. The ap_get_mime_headers_core function in Apache httpd 2.0.49 allows remote attackers to cause a denial of service (memory exhaustion), and possibly an integer signedness error leading to a heap-based buffer overflow on 64 bit systems, via long header lines with large numbers of space or tab characters. (CVE-2004-0493) Fix starvation issue on listening sockets where a short-lived connection on a rarely-accessed listening socket will cause a child to hold the accept mutex and block out new connections until another connection arrives on that rarely-accessed listening socket. (CVE-2004-0174) A remote attacker may exploit this vulnerability to deny service to the affected Apache server. mod_ssl has been reported to be prone to a remote denial of service vulnerability. The issue is reported to exist in the ssl_io_filter_disable() function that is contained in the ssl_engine_io.c source file. It has been reported that the issue is as a result of a memory leak and will present itself when standard HTTP requests are handled on the SSL port of an Apache server that has mod_ssl installed. (CVE-2004-0113) A remote attacker may exploit this vulnerability to deny service to the affected Apache server. This issue is reported to affect mod_ssl that is shipped with Apache HTTPd Versions 2.0.35 to 2.0.48. Escape arbitrary data before writing into the errorlog. Apache does not filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences. (CVE-2003-0020) Install vendor update or upgrade Apache to 2.0.5 (or later).

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 35

For Red Hat (CVE-2004-0174, CVE-2003-0020, CVE-2004-0113, CVE-2004-0493): This vulnerability is suggested by "Detected on port 80 - Apache/2.0.46 (Red Hat)" or similar version information. Multiple Apache Web Server Vulnerabilities prior to version 2.0.51 (QID 86678) CVE-2004-0751, CVE-2004-0786, CVE-2004-0747, CVE-2004-0748, CVE-2004-0809, Bugtraq 11154 There is an input validation issue in IPv6 literal address parsing which can result in a negative length parameter being passed to memcpy. A buffer overflow in configuration file parsing makes it possible for a local user to gain the privileges of a httpd child, if the server can be forced to parse a carefully crafted ".htaccess" file. A segfault in "mod_ssl" can be triggered by a malicious remote server, if proxying to SSL servers has been configured. A potential infinite loop in "mod_ssl" can be triggered given particular timing of a connection abort. A segfault in "mod_dav_fs" can be remotely triggered by an indirect lock refresh request.

An attacker may get control of the server. Note: Qualys does not report the version of Apache Web Server found. Multiple Apache 1.3.32 and Earlier Web Server Local Buffer Overflow Vulnerabilities (QID 86680) CVE-2004-0940, CVE-2004-0492 Multiple local buffer overflow vulnerabilities have been reported for Apache Web Server. A potential buffer overflow with escaped characters in the SSI tag string is reported. The vulnerability is caused due to a boundary error in the "get_tag()" function of the "mod_include" module. This issue can be exploited to cause a buffer overflow when a specially crafted document with malformed server-side includes is requested through an HTTP session. Heap-based buffer overflow in "proxy_util.c" for "mod_proxy" in Apache allows remote attackers to cause a denial of service (process crash) and possibly execute arbitrary code via a negative Content-Length HTTP header field, which causes a large amount of data to be copied. A local attacker may control the process execution and may get unauthorized access.

Install vendor update for CVE-2004-0940 and CVE-2004-0492 or upgrade Apache Web Server to 1.3.33 (or later). For Red Hat (CVE-2004-0940): Red Hat Enterprise Linux 2.1 RHSA-2004:600 apache-1.3.27-9.ent (superseded by RHSA2008:0004 1.3.27-14.ent)

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 36

For Red Hat (CVE-2004-0492): Red Hat Enterprise Linux 3 (httpd) RHSA-2004:562 httpd-2.0.46-44.ent (superseded by RHSA2009:1579 httpd-2.0.46-77.ent)

Apache 2.0.35-2.0.52 Memory Consumption Denial of Service and mod_ssl SSLCipherSuite Bypass (QID 86683) CVE-2004-0942, CVE-2004-0885, CVE-2004-1834, RHSA-2004-562, Bugtraq ID 11360, 9933 Apache Web server is reported vulnerable to a memory consumption denial of service issue and a mod_ssl SSLCipherSuite bypass issue. The field length limit is not enforced for certain malicious requests. This issue allows a remote attacker, who is able to send large amounts of data to a server, to cause Apache children to consume proportional amounts of memory, leading to a denial of service. Another issue has been discovered in the mod_ssl module when configured with the "SSLCipherSuite" directive in directory or location context. If a particular location context has been configured to require a specific set of cipher suites, then a client will be able to access that location using any cipher suite allowed by the virtual host configuration. An attacker may crash or degrade the performance of the Apache Web server. Affected Versions: Apache Versions 2.0.35 to 2.0.52

Install vendor update or upgrade to Apache version 2.0.53 (or later). For Red Hat (CVE-2004-0942, CVE-2004-0885, CVE-2004-1834): Red Hat Enterprise Linux 2.1 RHSA-2004:600 apache-1.3.27-9.ent (superseded by RHSA2008:0004 apache-1.3.27-14.ent) Red Hat Enterprise Linux 3 (httpd) RHSA-2004:562 httpd-2.0.46-44.ent (superseded by RHSA2009:1579 httpd-2.0.46-77.ent) Red Hat Stronghold 4 RHSA-2004:653 Stronghold 4 for Red Hat Enterprise Linux RHSA-2005:816 Red Hat Network Satellite Server 5.0 (RHEL v.4 AS) RHSA-2008:0261 Red Hat Network Proxy v 4.2 (RHEL v.3 AS) RHSA-2008:0523 Red Hat Network Proxy v 4.2 (RHEL v.4 AS) RHSA-2008:0523 Red Hat Network Satellite Server v 4.2 (RHEL v.3 AS) RHSA-2008:0524 Red Hat Network Satellite Server v 4.2 (RHEL v.4 AS) RHSA-2008:0524

This vulnerability is suggested by "Detected on port 80 - Apache/2.0.52 (Fedora)" or similar version information. Apache CGI Byterange Request Denial of Service Vulnerability (QID 86713) CVE-2005-2728, CVE-2005-2700, RHSA-2005:608, Bugtraq ID 14660 Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 37

Apache is prone to a denial of service when handling large CGI byterange requests. This may also be triggered by ProxyRequests. The problem occurs because Apache does not free memory used in these requests, allowing multiple requests to consume all memory and swap space. Restarting the service would allow the server to resume normal operations. Attackers could cause a complete denial of service on the Apache Web server rendering it useless. Affected Versions: Apache Versions 2.0 through 2.0.54 Apache Versions 2.1 through 2.1.5

Install vendor update or upgrade Apache Version 2.0.x to 2.0.55 (or later) or upgrade Apache Version 2.1.x to 2.1.5 (or later). For Red Hat (CVE-2005-2728, CVE-2005-2700): Red Hat Enterprise Linux version 2.1 (mod_ssl) RHSA-2005:773 mod_ssl-2.8.12-8 Red Hat Enterprise Linux version 3 (httpd) RHSA-2005:608 httpd-2.0.46-46.3.ent (superseded by RHSA-2009:1579 httpd-2.0.46-77.ent) Red Hat Enterprise Linux version 4 (httpd) RHSA-2005:608 httpd-2.0.52-12.2.ent (superseded by RHSA-2011:1392 httpd-2.0.52-49.ent) Red Hat Stronghold 4 RHSA-2005:882 Stronghold 4 for Red Hat Enterprise Linux RHSA-2005:816

For other vendors, see Security Focus BID 14460 solution tab. Workaround: Disable range requests: Header unset Accept-Ranges RequestHeader unset Range This vulnerability is suggested by "Apache/2.0.52 (Fedora)". Apache Tomcat Simultaneous Directory Listing Denial of Service Vulnerability (QID 86724) CVE-2005-3510, Bugtraq ID 15325 A remote denial of service vulnerability affects Apache Tomcat. This issue is due to a failure of the application to efficiently handle multiple directory listing requests. The problem presents itself when an attacker submits multiple simultaneous HTTP requests to an affected server. If these requests result in a large directory listing being generated, excessive CPU and memory resources may be consumed. Reportedly, by sending approximately 100 simultaneous requests, attackers may cause the Java processes on the server to consume excessive CPU or memory resources. Once this issue has been triggered, the application fails to serve further requests to legitimate users until the Tomcat processes

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 38

have been restarted. An attacker may leverage this issue to trigger a denial of service condition in the affected software. Vulnerable Versions: Apache Tomcat 5.5.0 to 5.5.11

Install vendor update or upgrade Apache Tomcat to 5.5.12 (or later). For Red Hat (CVE-2005-3510): Red Hat Application Server v2 4AS RHSA-2006:0161 Red Hat Application Server 3AS (tomcat5) RHSA-2007:0340 Red Hat Network Satellite Server v 4.0 (RHEL v.3 AS) RHSA-2007:1069 Red Hat Network Satellite Server v 4.0 (RHEL v.4 AS) RHSA-2007:1069 Red Hat Network Satellite Server v 4.1 (RHEL v.3 AS) RHSA-2007:1069 Red Hat Network Satellite Server v 4.1 (RHEL v.4 AS) RHSA-2007:1069 Red Hat Network Satellite Server v 4.2 (RHEL v.3 AS) RHSA-2007:1069 Red Hat Network Satellite Server v 4.2 (RHEL v.4 AS) RHSA-2007:1069 Red Hat Network Satellite Server 5.0 (RHEL v.4 AS) RHSA-2007:1069 Red Hat Network Satellite Server 5.0 (RHEL v.4 AS) RHSA-2008:0261 Red Hat Network Satellite Server v 4.2 (RHEL v.3 AS) RHSA-2008:0524 Red Hat Network Satellite Server v 4.2 (RHEL v.4 AS) RHSA-2008:0524 Red Hat Certificate System 7.3 for 4AS RHSA-2010:0602

Workaround: Disable directory listing. Apache Tomcat 5.5.13 (or later), 5.0.31 (or later) and 4.1.32 (or later) have directory listing disabled by default. This vulnerability is suggested by "Apache Tomcat/5.5.16". This example indicates that the vulnerability has been mitigated. Apache MPM Worker.C Denial of Service Vulnerability (QID 86726) CVE-2005-2970, CVE-2005-3352, CVE-2005-3357, RHSA-2006-0159, Bugtraq ID 15762 Note: CVE-2005-3357 is also "Apache mod_ssl Denial of Service Vulnerability (QID 86773)." Apache is prone to a memory leak, causing a denial of service vulnerability. A flaw in the "worker.c" multi-processing module code may allow an attacker to consume excessive memory resources by issuing and aborting service requests. The Apache service will eventually fail, denying service to legitimate users. Install vendor update or upgrade Apache to 2.0.55 (or later). For Red Hat (CVE-2005-2970, CVE-2005-3352, CVE-2005-3357):

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 39

Red Hat Enterprise Linux version 2.1 (apache) RHSA-2006:0158 apache-1.3.27-10.ent (superseded by RHSA-2008:0004 apache-1.3.27-14.ent) Red Hat Enterprise Linux version 3 (httpd) RHSA-2006:0159 httpd-2.0.46-56.ent (superseded by RHSA-2009:1579 httpd-2.0.46-77.ent) Red Hat Enterprise Linux version 4 (httpd) RHSA-2006:0159 httpd-2.0.52-22.ent (superseded by RHSA-2011:1392 httpd-2.0.52-49.ent) Red Hat Stronghold 4 RHSA-2005:882 Stronghold 4 for Red Hat Enterprise Linux (stronghold-apache) RHSA-2006:0692 Red Hat Network Proxy v 4.2 (RHEL v.3 AS) RHSA-2008:0523 Red Hat Network Proxy v 4.2 (RHEL v.4 AS) RHSA-2008:0523

This vulnerability is suggested by "Apache/2.0.52 (Fedora)". Apache Mod_IMAP Referer Cross-Site Scripting Vulnerability (QID 86727) CVE-2005-3352, RHSA-2006:0158, Bugtraq ID 15834 mod_imap is an Apache module for server-side imagemap processing. mod_imap is prone to a cross-site scripting vulnerability. This issue is due to a failure in the module to properly sanitize user-supplied input. This issue occurs when using the "Referer" directive with image maps. An attacker may leverage this issue to have arbitrary script code executed in the browser of an unsuspecting user in the context of the affected site. This may facilitate the theft of cookie-based authentication credentials as well as other attacks. Install vendor update or upgrade to Apache version 1.3.35 (or later) or Apache version 2.0.56 (or later). For further information, please refer to the Apache httpd 1.3 Vulnerabilities list and the Apache httpd 2.0 Vulnerabilities list. For Red Hat (CVE-2005-3352): Red Hat Enterprise Linux version 2.1 (apache) RHSA-2006:0158 apache-1.3.27-10.ent (superseded by RHSA-2008:0004 apache-1.3.27-14) Red Hat Enterprise Linux version 3 (httpd) RHSA-2006:0159 httpd-2.0.46-56.ent (superseded by RHSA-2009:1579 httpd-2.0.46-77.ent) Red Hat Enterprise Linux version 4 (httpd) RHSA-2006:0159 httpd-2.0.52-22.ent (superseded by RHSA-2011:1392 httpd-2.0.52-49.ent) Red Hat Network Proxy v 4.2 (RHEL v.3 AS) RHSA-2008:0523 Red Hat Network Proxy v 4.2 (RHEL v.4 AS) RHSA-2008:0523 Red Hat Stronghold 4 RHSA-2005:882 Stronghold 4 for Red Hat Enterprise Linux (stronghold-apache) RHSA-2006:0692

This vulnerability is suggested by "Apache/1.3.29 (Unix) JRun/4.0 mod_perl/1.25".

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 40

Apache Web Server fails to sanitize Escape Sequence Injection into its Access Logs (QID 86744) CVE-2003-0083 Apache does not filter or correctly handle terminal escape sequence injection into its access logs. Apache 1.3 prior to Version 1.3.31 and Apache 2.0 prior to Version 2.0.48 are vulnerable. Attackers can insert escape sequences into Apache Access Log files. When viewed with certain vulnerable terminal emulators, these escape sequences could trick system administrators and other users into executing malicious commands. Vulnerable Versions: Apache 1.3 to 1.3.24 Apache 2.0 to 2.0.45

Install vendor update or upgrade Apache to 1.3.31 (or later) or 2.0.48 (or later). For Red Hat (CVE-2003-0083): Stronghold 4 for Red Hat Enterprise Linux RHSA-2003:083 Red Hat Stronghold 3 RHSA-2003:104 Red Hat Stronghold 4 RHSA-2003:116 Red Hat Linux 8.0 RHSA-2003:139 Red Hat Linux 9 RHSA-2003:139

This vulnerability is suggested by "Detected on port 80 - Apache/2.0.39 (Unix) mod_ssl/2.0.39 OpenSSL/0.9.7c". Apache Web Server fails to sanitize Escape Sequence Injection into its Error Logs (QID 86745) CVE-2003-0020, Bugtraq ID 9930 Apache does not filter or correctly handle terminal escape sequence injection into its error logs. Attackers can insert escape sequences into Apache Error Log files. When viewed with certain vulnerable terminal emulators, these escape sequences could trick system administrators and other users into executing malicious commands. Affected Versions: Install vendor update or upgrade Apache to 1.3.31 (or later) or 2.0.48 (or later). For Red Hat (CVE-2003-0020): Red Hat Stronghold 4 RHSA-2003:082 Page 41

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Stronghold 4 for Red Hat Enterprise Linux RHSA-2003:083 Red Hat Stronghold 3 RHSA-2003:104 Red Hat Linux 8.0 RHSA-2003:139 Red Hat Linux 9 RHSA-2003:139 Red Hat Linux 7.1 RHSA-2003:243 Red Hat Linux 7.2 RHSA-2003:243 Red Hat Linux 7.3 RHSA-2003:243 Red Hat Linux Advanced Workstation 2.1 RHSA-2003:244

This vulnerability is suggested by "Detected on port 80 - Apache/1.3.29 (Unix) JRun/4.0 mod_perl/1.25". Apache Mod_Rewrite Off-By-One Buffer Overflow Vulnerability (QID 86746) CVE-2006-3747, Apache 2.0, US-CERT Advisory, Bugtraq ID 19204 Apache's mod_rewrite is a rule-based rewriting engine which rewrites requested URLs for the Apache Web server. The mod_rewrite module is exposed to an off-by-one buffer-overflow condition. Specifically, this issue presents itself on a system with the active configuration "RewriteEngine on". However "RewriteEngine on" is typically not enabled by default in Apache HTTPD implementations. A remote attacker can exploit certain rewrite rules to crash the HTTPD server and potentially cause arbitrary code execution. Affected Versions: 1.3 branch from 1.3.28 to 1.3.36 2.0 branch from 2.0.46 to 2.0.59 2.2 branch from 2.2.0 to 2.2.3

Install vendor update or upgrade Apache. For Red Hat (CVE-2006-3747): "The Red Hat Security Response Team analyzed Red Hat Enterprise Linux 3 and Red Hat Enterprise Linux 4 binaries for all architectures as shipped by Red Hat and determined that these versions cannot be exploited. This issue does not affect the version of Apache httpd as supplied with Red Hat Enterprise Linux 2.1."

This vulnerability is suggested by "Detected on port 80 - Apache/2.2.2 (Fedora)". Apache Tomcat JK Web Server Connector Security Bypass Vulnerability (QID 86764) CVE-2007-1860, Apache Tomcat Connector News Apache Tomcat JK Web Server Connector is prone to a vulnerability which when exploited can bypass certain security restrictions. The security issue is caused due to an error within the handling of double encoded ".." in URLs. This vulnerability can be exploited to bypass certain restrictions and may allow access to pages on the AJP backend. Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 42

Affected Versions: Apache Tomcat JK Web Server Connector versions prior to 1.2.23

Install vendor update or upgrade to Apache Tomcat JK Web Server Connector Version 1.2.23 (or later). For Red Hat (CVE-2007-1860): Red Hat Application Stack v1 for Enterprise Linux AS (v.4) (mod_jk) RHSA-2007:0379 Red Hat Application Server v2 4AS (mod_jk) RHSA-2007:0380 Red Hat Network Satellite Server 5.0 (RHEL v.4 AS) RHSA-2008:0261 Red Hat Network Satellite Server v 4.2 (RHEL v.3 AS) RHSA-2008:0524 Red Hat Network Satellite Server v 4.2 (RHEL v.4 AS) RHSA-2008:0524

This vulnerability is suggested by "Apache/2.0.59 (Unix) mod_jk/1.2.0". Apache HTTP Server 413 Error HTTP Request Method Cross-Site Scripting (XSS) Weakness (QID 86771) CVE-2007-6203, RHBA-2009:0185, Bugtraq ID 26663 Apache HTTP servers are prone to a cross-site scripting weakness. The issue occurs when the application fails to sanitize a specially crafted HTTP request method that results in a 413 HTTP error. 413 errors occur when a request entity's data-stream is too large for the server to handle. When a 413 error is encountered, the server returns a page describing what happened. When the error page is displayed, attacker script code will be rendered on the Web page in the context of the application. An attacker may exploit this issue to steal cookie-based authentication credentials and launch other attacks. The link below has more information on the attack: http://www.securityfocus.com/archive/1/archive/1/484410/100/0/threaded Workaround: Disable Apache's default 413 error messages with the ErrorDocument directive. Changing the ErrorDocument directive solves the problem with no loss of functionality of the server. Workaround: Display a default error message returned to the client to one which does not call the procedure which is subject to the vulnerability. Edit the httpd.conf file and restart the Apache server. Uncomment the line: ErrorDocument 413 /error/HTTP_REQUEST_ENTITY_TOO_LARGE.html.var Modify to: ErrorDocument 413 "Error 413 - Request Entity Too Large" Use one of these mitigation methods or install vendor patch or upgrade to Apache 2.2.8 or later. Red Hat CVE-2007-6203: "Red Hat does not consider this issue to be a vulnerability. In order to exploit this for cross-site scripting, the attacker would have to get the victim to supply an arbitrary malformed Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 43

HTTP method to a target site. However, this has been fixed in Red Hat Enterprise Linux 5 via RHBA2009:0185 as a bug fix." Red Hat Enterprise Linux 5 RHBA-2009:0185 httpd-2.2.3-22.el5

This vulnerability is confirmed by exploiting the vulnerability (with the XSS detection caveat "Regarding Cross-Site Scripting Vulnerability Detection"). Apache mod_ssl Denial of Service Vulnerability (QID 86773) CVE-2005-3357, Bugtraq ID 16152 A NULL pointer dereference flaw in mod_ssl exists affects server configurations where an SSL virtual host is configured with access control and a custom 400 error document. A remote attacker can exploit this vulnerability by sending a carefully crafted request which would lead to a crash. Affected Versions: Apache Versions 2.0 thorough 2.0.55

Install vendor update or upgrade Apache to 2.0.56 (or later). For Red Hat (CVE-2005-3357): Red Hat Enterprise Linux version 3 (httpd) RHSA-2006:0159 httpd-2.0.46-56.ent (superseded by RHSA-2009:1579 httpd-2.0.46-77.ent) Red Hat Enterprise Linux version 4 (httpd) RHSA-2006:0159 httpd-2.0.52-22.ent (superseded by RHSA-2011:1392 httpd-2.0.52-49.ent)

This vulnerability is suggested by "Apache/2.0.52 (Fedora)". Apache Tomcat Information Disclosure Vulnerability (QID 86775) CVE-2007-3382, CVE-2007-3385, Apache Tomcat Security 4.x, Apache Tomcat Security 5.x, Apache Tomcat Security 6.x, Bugtraq ID 25316 Apache Tomcat is prone to multiple information disclosure vulnerabilities because it fails to adequately sanitize user-supplied data. Apache Tomcat treats single quotes as delimiters in cookies and does not handle the " sequence in a cookie value, which might cause sensitive session IDs to be leaked and allow remote attackers to conduct session hijacking attacks. Vulnerable Versions: Apache Tomcat versions 3.3 to 3.3.2 Apache Tomcat versions 4.1.0 to 4.1.36 Apache Tomcat versions 5.0.0 to 5.0.30 Apache Tomcat versions 5.5.0 to 5.5.24 Page 44

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Apache Tomcat versions 6.0.0 to 6.0.13

Install vendor update or upgrade Apache Tomcat. For Red Hat (CVE-2007-3382, CVE-2007-3385): Red Hat Enterprise Linux version 5 (tomcat5) RHSA-2007:0871 tomcat5-5.5.23-0jpp.3.0.2.el5 (superseded by RHSA-2011:1845 tomcat5-5.5.23-0jpp.22.el5_7) Red Hat Application Server v2 4AS (tomcat5) RHSA-2007:0876 Red Hat Application Stack v1 for Enterprise Linux AS (v.4) RHSA-2007:0950 Red Hat Application Stack v2 for Enterprise Linux (v.5) RHSA-2007:0950 Red Hat Certificate System 7.3 for 4AS RHSA-2010:0602 Red Hat Developer Suite v.3 (AS v.4) (tomcat5) RHSA-2008:0195 Red Hat Network Satellite Server 5.0 (RHEL v.4 AS) RHSA-2007:1069 Red Hat Network Satellite Server 5.0 (RHEL v.4 AS) RHSA-2008:0261 Red Hat Network Satellite Server v 4.0 (RHEL v.3 AS) RHSA-2007:1069 Red Hat Network Satellite Server v 4.0 (RHEL v.4 AS) RHSA-2007:1069 Red Hat Network Satellite Server v 4.1 (RHEL v.3 AS) RHSA-2007:1069 Red Hat Network Satellite Server v 4.1 (RHEL v.4 AS) RHSA-2007:1069 Red Hat Network Satellite Server v 4.2 (RHEL v.3 AS) RHSA-2007:1069 Red Hat Network Satellite Server v 4.2 (RHEL v.3 AS) RHSA-2007:1069 Red Hat Network Satellite Server v 4.2 (RHEL v.4 AS) RHSA-2007:1069 Red Hat Network Satellite Server v 4.2 (RHEL v.4 AS) RHSA-2008:0524

This vulnerability is suggested by "Apache Tomcat/5.5.7". Apache Tomcat Absolute Path Traversal Vulnerability (QID 86776) CVE-2007-5461, Apache Tomcat Security 4.x, Apache Tomcat Security 5.x, Apache Tomcat Security 6.x Absolute path traversal vulnerability exists in Apache Tomcat which results in information disclosure. This vulnerability allows remote authenticated users to read arbitrary files via a WebDAV write request that specifies an entity with a SYSTEM tag. Vulnerable Versions: Apache Tomcat Versions 4.0.0 through 4.0.6 Apache Tomcat Version 4.1.0 Apache Tomcat Version 5.0.0 Apache Tomcat Versions 5.5.0 through 5.5.25 Apache Tomcat Versions 6.0.0 through 6.0.14

Install vendor update or upgrade Apache Tomcat. For Red Hat (CVE-2007-5461): Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 45

Red Hat Enterprise Linux version 5 (tomcat5) RHSA-2008:0042 tomcat5-5.5.23-0jpp.3.0.3.el5_1 (superseded by RHSA-2011:1845 tomcat5-5.5.23-0jpp.22.el5_7) JBoss Enterprise Application Platform 4.2.0 for RHEL 4 AS RHSA-2008:0151 Red Hat Application Stack v1 for Enterprise Linux AS (v.4) RHSA-2008:0158 Red Hat Application Stack v2 for Enterprise Linux (v.5) RHSA-2008:0158 Red Hat Developer Suite v.3 (AS v.4) (tomcat5) RHSA-2008:0195 JBoss Enterprise Application Platform 4.2.0 for RHEL 5 Server RHSA-2008:0213 Red Hat Network Satellite Server 5.0 (RHEL v.4 AS) RHSA-2008:0261 Red Hat Network Satellite Server v 4.2 (RHEL v.3 AS) RHSA-2008:0524 Red Hat Network Satellite Server v 4.2 (RHEL v.4 AS) RHSA-2008:0524 Red Hat Network Satellite Server 5.1 (RHEL v.4 AS) RHSA-2008:0630 Red Hat Application Server v2 4AS (tomcat5) RHSA-2008:0862 Red Hat Certificate System 7.3 for 4AS RHSA-2010:0602

This vulnerability is suggested by "Apache Tomcat/5.5.7". Apache Tomcat Accept-Language Cross-Site Scripting (XSS) Vulnerability (QID 86777) CVE-2007-1358, Apache Tomcat 4, Apache Tomcat Security 5.x, Apache Tomcat Security 6.x A cross-site scripting vulnerability exists in Apache Tomcat. Specifically, Web pages that display the Accept-Language header value sent by the client are susceptible to a cross-site scripting attack if they assume the Accept-Language header value conforms to RFC 2616. This vulnerability allows remote attackers to inject arbitrary Web script or HTML via crafted "AcceptLanguage headers that do not conform to RFC 2616. Vulnerable Versions: Apache Tomcat Versions 4.0.0 through 4.0.6 Apache Tomcat Versions 4.1.0 through 4.1.34

Install vendor update or upgrade Apache Tomcat. For Red Hat (CVE-2007-1358): Red Hat Application Server v2 4AS RHSA-2007:0326 Red Hat Enterprise Linux version 5 RHSA-2007:0327 jakarta-commons-modeler-1.18jpp.1.0.2.el5 (superseded by RHBA-2007:0545 jakarta-commons-modeler-1.1-8jpp.3.el5) and tomcat5-5.5.23-0jpp.1.0.3.el5 (superseded by RHSA-2011:1845 tomcat5-5.5.23-0jpp.22.el5_7) Red Hat Developer Suite v.3 (AS v.4) RHSA-2007:0328 Red Hat Application Stack v1 for Enterprise Linux AS (v.4) RHSA-2007:0360 Red Hat Application Server v2 4AS (tomcat5) RHSA-2007:0876 Red Hat Network Satellite Server 5.0 (RHEL v.4 AS) RHSA-2008:0261 Page 46

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Red Hat Network Satellite Server v 4.2 (RHEL v.3 AS) RHSA-2008:0524 Red Hat Network Satellite Server v 4.2 (RHEL v.4 AS) RHSA-2008:0524 Red Hat Network Satellite Server 5.1 (RHEL v.4 AS) RHSA-2008:0630 Red Hat Certificate System 7.3 for 4AS RHSA-2010:0602

This vulnerability is suggested by "Apache Tomcat/5.5.7" (versions 4.0.5, 4.1.24, 4.1.27, 4.1.29, 5.0.30, 5.5.7, 5.5.9, 5.5.16, 5.5.20, 6.0.2). Unlike other cross-site scripting vulnerabilities, this vulnerability is not demonstrated. Note: Qualys does not provide information about vulnerable versions. The 5.x and 6.x versions are not vulnerable. Apache Tomcat SingleSignOn Remote Information Disclosure Vulnerability (QID 86779) CVE-2008-0128, Apache Tomcat Security 5.x, Bugtraq ID 27365 Apache Tomcat is prone to a remote information disclosure vulnerability because the application fails to properly restrict access to sensitive information. Remote attackers can exploit this issue to obtain confidential user-authentication credentials. The SingleSignOn Valve (org.apache.catalina.authenticator.SingleSignOn) in Apache Tomcat before 5.5.21 does not set the secure flag for the JSESSIONIDSSO cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie. Vulnerable Versions: Apache Tomcat 5.0.0 to 5.0.SVN Apache Tomcat 5.5.0 to 5.5.20

Install vendor update or upgrade Apache Tomcat to 5.5.21 (or later). For Red Hat (CVE-2008-0128): Red Hat Network Satellite Server 5.0 (RHEL v.4 AS) RHSA-2008:0261 Red Hat Network Satellite Server v 4.2 (RHEL v.3 AS) RHSA-2008:0524 Red Hat Network Satellite Server v 4.2 (RHEL v.4 AS) RHSA-2008:0524 Red Hat Network Satellite Server 5.1 (RHEL v.4 AS) RHSA-2008:0630 Red Hat Certificate System 7.3 for 4AS RHSA-2010:0602

This vulnerability is suggested by "Apache Tomcat/5.5.16". Note: Qualys provides no version information, and scant information about the threat. Apache Tomcat 4, 5 and 6 Examples Web Application Multiple Cross-Site Scripting (XSS) Vulnerabilities (QID 86781) CVE-2007-2449, Apache Tomcat 4, Apache Tomcat 5, Apache Tomcat 6 Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 47

A Cross-Site Scripting (XSS) vulnerability exists in the Examples Application of Apache Tomcat 4, 5 and 6 as the application did not escape user provided data before including it in the output. This may allow remote attackers to inject arbitrary web script or HTML resulting into arbitrary code execution. Workaround: Remove the Examples Application from Apache Tomcat. Removing the Examples Application solves the problem with no loss of functionality of the server. Install vendor update for CVE-2007-2449 or upgrade Apache Tomcat. For Red Hat (CVE-2007-2449): Red Hat Enterprise Linux 5 (tomcat5) RHSA-2007:0569 tomcat5-5.5.23-0jpp.1.0.4.el5 (superseded by RHSA-2011:1845 tomcat5-5.5.23-0jpp.22.el5_7) Application Server v2 4AS (tomcat5) RHSA-2007:0876 Network Satellite Server 5.0 (RHEL v.4 AS) RHSA-2008:0261 Network Satellite Server v 4.2 (RHEL v.3 AS) RHSA-2008:0524 Network Satellite Server v 4.2 (RHEL v.4 AS) RHSA-2008:0524 Network Satellite Server 5.1 (RHEL v.4 AS) RHSA-2008:0630

This vulnerability is confirmed by exploiting the vulnerability (with the XSS detection caveat "Regarding Cross-Site Scripting Vulnerability Detection"). Apache Tomcat Multiple Cross-Site Scripting (XSS) Vulnerabilities in Manager and Host Manager Web Applications (QID 86782) CVE-2007-2450, Apache Tomcat Security 4.x, Apache Tomcat Security 5.x, Apache Tomcat Security 6.x, Bugtraq ID 24475 Multiple cross-site scripting (XSS) vulnerabilities in the (1) Manager and (2) Host Manager web applications in Apache Tomcat 4.0.0 through 4.0.6, 4.1.0 through 4.1.36, 5.0.0 through 5.0.30, 5.5.0 through 5.5.24, and 6.0.0 through 6.0.13 allow remote authenticated users to inject arbitrary web script or HTML via a parameter name to manager/html/upload, and other unspecified vectors. Vulnerable Versions: Apache Tomcat versions 4.0.0 to 4.0.6. Apache Tomcat versions 4.1.0 to 4.1.36. Apache Tomcat versions 5.0.0 to 5.0.30. Apache Tomcat versions 5.5.0 to 5.5.24. Apache Tomcat versions 6.0.0 to 6.0.13.

Install vendor update or upgrade Apache Tomcat. For Red Hat (CVE-2007-2450):

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 48

Red Hat Enterprise Linux version 5 (tomcat5) RHSA-2007:0569 tomcat5-5.5.23-0jpp.1.0.4.el5 (superseded by RHSA-2011:1845 tomcat5-5.5.23-0jpp.22.el5_7) Red Hat Application Server v2 4AS (tomcat5) RHSA-2007:0876 Red Hat Network Satellite Server 5.0 (RHEL v.4 AS) RHSA-2008:0261 Red Hat Network Satellite Server v 4.2 (RHEL v.3 AS) RHSA-2008:0524 Red Hat Network Satellite Server v 4.2 (RHEL v.4 AS) RHSA-2008:0524

This vulnerability is suggested by "Apache Tomcat/5.5.7". Unlike other cross-site scripting vulnerabilities, this vulnerability is not demonstrated. Apache Tomcat 4.1 Cross-Site Scripting (XSS) Vulnerability (QID 86783) CVE-2002-1567, Apache Tomcat 4 A cross-site scripting vulnerability exists in Apache Tomcat Version 4.1. This vulnerability allows remote attackers to execute arbitrary web script and steal cookies via a URL with encoded newlines followed by a request to a .jsp file whose name contains the script. Install vendor update for CVE-2002-1567 or upgrade Apache Tomcat to 4.1.29 (or later). For Red Hat (CVE-2002-1567): Red Hat Enterprise Linux 2.1 RHSA-2002:167 glibc-2.2.4-29.1 (superseded by RHEA-2006:0279 glibc-2.2.4-32.25) Red Hat Enterprise Linux 2.1 RHSA-2002:173 krb5-1.2.2-14 (superseded by RHSA-2009:0410 krb5-1.2.2-49)

For Sun Solaris (account required). This vulnerability is confirmed by exploiting the vulnerability (with the XSS detection caveat "Regarding Cross-Site Scripting Vulnerability Detection"). A request for "http://ipaddress/<script>alert(document.domain)</script>test.jsp" returns "The requested resource (/&lt;script&gt;alert(document.domain)&lt;/script&gt;test.jsp) is not available." Similarly, "http://example.com:8080/666%0a%0a>alert("asdf");</script>666.jsp" runs the alert on the client machine. Apache Tomcat 4 and 5 Cross-Site Scripting (XSS) Vulnerability in Calendar Application in JSP Examples (QID 86785) CVE-2006-7196, Apache Tomcat Security 4.x, Apache Tomcat Security 5.x, Bugtraq ID 25531 The calendar application included as part of the JSP examples in Tomcat Versions 4 and 5 is susceptible to a cross-site scripting attack, as it does not sanitize user-provided data before including it in the returned page. This vulnerability allows remote attackers to inject arbitrary Web script or HTML using the time field (the time parameter of cal2.jsp). Vulnerable versions: Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 49

Apache Tomcat 4.0.0 through 4.0.6 Apache Tomcat 4.1.0 through 4.1.31 Apache Tomcat 5.0.0 through 5.0.30 Apache Tomcat 5.5.0 through 5.5.15

Workaround: Remove the JSP examples. Install vendor update or upgrade Apache Tomcat. For Red Hat (CVE-2006-7196): Red Hat Application Server v2 4AS RHSA-2007:0326 Red Hat Application Server 3AS (tomcat5) RHSA-2007:0340 Red Hat Network Satellite Server 5.0 (RHEL v.4 AS) RHSA-2008:0261 Red Hat Network Satellite Server v 4.2 (RHEL v.3 AS) RHSA-2008:0524 Red Hat Network Satellite Server v 4.2 (RHEL v.4 AS) RHSA-2008:0524

This vulnerability is demonstrated by exploiting the vulnerability. That is, an appointment for the current date, but time of "a<script>alert(document.domain)</script>" is created. This embedded script is an example of a cross-site scripting vulnerability. Note: Qualys provides no information about vulnerable versions. Apache Tomcat Servlet Host Manager Servlet Cross-Site Scripting (XSS) Vulnerability (QID 86786) CVE-2007-3386, Apache Tomcat Security 5.x, Apache Tomcat Security 6.x, Bugtraq ID 25314 Cross-site scripting vulnerability exists in the Host Manager Servlet for Apache Tomcat 6 and 5. This vulnerability allows remote attackers to inject arbitrary HTML and Web script using specially crafted requests, as shown using the aliases parameter to an add action in the Host Manager Servlet. Vulnerable Versions: Apache Tomcat versions 5.5.0 to 5.5.24. Apache Tomcat versions 6.0.0 to 6.0.13.

Install vendor update or upgrade Apache Tomcat. For Red Hat (CVE-2007-3386): Red Hat Enterprise Linux version 5 (tomcat5) RHSA-2007:0871 tomcat5-5.5.23-0jpp.3.0.2.el5 (superseded by RHSA-2011:1845 tomcat5-5.5.23-0jpp.22.el5_7) Red Hat Application Server v2 4AS (tomcat5) RHSA-2007:0876

This vulnerability is suggested by "Apache Tomcat/5.5.7". Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 50

Apache 2.2 Multiple Vulnerabilities (QID 86788) CVE-2007-6420, CVE-2008-2364, Apache httpd 2.2 Vulnerabilities, Bugtraq ID 29653 Two vulnerabilities have been reported in Apache versions prior to 2.2.9: The mod_proxy_balancer provides an administrative interface that could be vulnerable to CrossSite Request Forgery (CSRF) attacks. A flaw was found in the handling of excessive interim responses from an origin server when using mod_proxy_http.

A remote attacker could cause a denial of service (DoS) condition, high memory usage, and conduct Cross-Site Request Forgery (CSRF) attacks on a vulnerable system. Install vendor update or upgrade Apache to 2.2.9 (or later). For CentOS: Refer to CentOS Advisories CESA-2008:0967 for CentOS 3 x86_64 httpd, CentOS 5 i386 httpd and CentOS 5 x86_64 httpd to obtain additional information and patch details. For Red Hat (CVE-2007-6420, CVE-2008-2364): Red Hat Application Stack v2 for Enterprise Linux (v.5) RHSA-2008:0966 o httpd-2.2.10-1.el5s2 (superseded by RHSA-2011:1369 httpd-2.2.13-3.el5s2) o mysql-connector-odbc-3.51.26r1127-1.el5s2 (superseded by RHSA-2009:1067 mysqlconnector-odbc-3.51.27r695-1.el5s2) o perl-DBD-MySQL-4.008-2.el5s2 (superseded by RHSA-2009:1461 perl-DBD-MySQL4.012-1.el5s2) o perl-DBD-Pg-1.49-4.el5s2 (superseded by RHSA-2009:1067 perl-DBD-Pg-1.49-5.el5s2) o perl-DBI-1.607-3.el5s2 (superseded by RHSA-2009:1461 perl-DBI-1.609-1.el5s2) o php-pear-1.7.2-2.el5s2 (superseded by RHSA-2009:1461 php-pear-1.8.1-2.el5s2) o postgresql-8.2.11-1.el5s2 (superseded by RHSA-2009:1461 postgresql-jdbc-8.2.5101jpp.el5s2) o postgresqlclient81-8.1.14-1.el5s2 (superseded by RHSA-2009:1067 postgresqlclient818.1.17-1.el5s2) Red Hat Enterprise Linux version 3 (httpd) RHSA-2008:0967 httpd-2.0.46-71.ent (superseded by RHSA-2009:1579 httpd-2.0.46-77.ent) Red Hat Enterprise Linux version 4 (httpd) RHSA-2008:0967 httpd-2.0.52-41.ent.2 (superseded by RHSA-2011:1392 httpd-2.0.52-49.ent.src) Red Hat Enterprise Linux version 5 (httpd) RHSA-2008:0967 httpd-2.2.3-11.el5_2.4 (superseded by RHSA-2011:1392 httpd-2.2.3-53.el5_7.3) Red Hat Certificate System 7.3 for 4AS RHSA-2010:0602

This vulnerability is suggested by "Apache/2.2.2 (Fedora)" or similar version information.

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 51

Apache Tomcat Multiple Content Length Headers Information Disclosure Vulnerability (QID 86789) CVE-2005-2090, Bugtraq ID 13873 This vulnerability exists in Apache Tomcat Versions 4, 5 and 6 when the server doesn't reject multiple content length header requests. When these kinds of requests are processed by firewalls, caches, proxies and Tomcat, they may result in Web cache poisoning, XSS attack and information disclosure. Install vendor patch for CVE-2005-2090 or upgrade to Apache Tomcat 5.5.23 (or later). Red Hat (CVE-2005-2090): Red Hat Enterprise Linux 5 RHSA-2007:0327 tomcat5-5.5.23-0jpp.1.0.3.el5 (superseded by RHSA-2011:1845 tomcat5-5.5.23-0jpp.22.el5_7)

This vulnerability is confirmed by exploiting the vulnerability. Note: Qualys does not include the vendor (Red Hat) patch information. Apache Tomcat 4 Denial of Service Vulnerability (QID 86790) CVE-2003-0866, Apache Tomcat Security 4.x, Bugtraq ID 8824 A denial of service vulnerability exists in Apache Tomcat 4. This vulnerability occurs due to malformed HTTP requests. The request processing thread will become unresponsive. A sequence of such requests will cause all request processing threads, and Tomcat as a whole, to become unresponsive resulting in a denial of service condition. Install vendor update or upgrade Apache Tomcat. For Red Hat (CVE-2003-0866): No version of Red Hat Enterprise Linux is vulnerable.

This vulnerability is suggested by "Apache Tomcat/4.0.5". Apache Tomcat 4 Information Disclosure Vulnerability (QID 86791) CVE-2002-1394, Apache Tomcat Security 4.x, Bugtraq ID 6562 An information disclosure vulnerability exists in Apache Tomcat 4. This vulnerability can be exploited using a specially-crafted URL with the invoker servlet and the default servlet of Apache Tomcat 4. If successfully exploited, this can enable an attacker to obtain the source of JSP pages or bypass certain restrictions. Vulnerable versions: Apache Tomcat 4.0.5 and earlier. Install vendor update or upgrade Apache Tomcat. For Red Hat (CVE-2002-1394): Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 52

Stronghold 4 for Red Hat Enterprise Linux RHSA-2003:075 Red Hat Stronghold 4 RHSA-2003:082

This vulnerability is suggested by "Apache Tomcat/4.0.5". Apache Tomcat 6 Information Disclosure Vulnerability (QID 86792) CVE-2008-0002, Apache Tomcat Security 6.x, Bugtraq ID 27703 An information disclosure vulnerability exists in Apache Tomcat 6.0.0 through 6.0.15 as it processes parameters in the context of the wrong request. An exception may occur during parameter processing, which could allow remote attackers to obtain sensitive information. Vulnerable Versions: Apache Tomcat Versions 6.0.0 through 6.0.15

Install vendor update or upgrade Apache Tomcat. For Red Hat (CVE-2008-0002):

JBoss Enterprise Application Platform 4.2.0 for RHEL 4 AS RHSA-2008:0151 Red Hat Application Stack v1 for Enterprise Linux AS (v.4) RHSA-2008:0158 Red Hat Application Stack v2 for Enterprise Linux (v.5) RHSA-2008:0158 JBoss Enterprise Application Platform 4.2.0 for RHEL 5 Server RHSA-2008:0213

This vulnerability is suggested by "Apache Tomcat/6.0.14". Apache Tomcat Session Hi-jacking Vulnerability (QID 86794) CVE-2007-5333, Apache Tomcat Security 4.x, Apache Tomcat Security 5.x, Apache Tomcat Security 6.x, Bugtraq ID 27706 Apache Tomcat versions 4, 5 and 6 do not properly handle double quote characters and %5C (encoded backslash) sequences in cookie values. As a result, this might cause sensitive information, such as session IDs, to be leaked to remote attackers and enable session hijacking attacks. This vulnerability could result in leaking of sensitive information, such as session IDs. Vulnerable Versions: Apache Tomcat versions 4.1.0 to 4.1.36. Apache Tomcat versions 5.5.0 to 5.5.25. Apache Tomcat versions 6.0.0 to 6.0.14.

Install vendor update or upgrade Apache Tomcat. For Red Hat (CVE-2007-5333):

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 53

Red Hat Enterprise Linux version 5 (tomcat5) RHSA-2009:1164 tomcat5-5.5.23-0jpp.7.el5_3.2 (superseded by RHSA-2011:1845 tomcat5-5.5.23-0jpp.22.el5_7) JBoss Enterprise Web Server 1.0 for RHEL 4 AS (tomcat5) RHSA-2009:1454 JBoss Enterprise Web Server 1.0 for RHEL 5 Server (tomcat5) RHSA-2009:1454 Red Hat Application Server v2 4AS (tomcat5) RHSA-2009:1562 Red Hat Developer Suite v.3 (AS v.4) (tomcat5) RHSA-2009:1563 Red Hat Network Satellite Server 5.2 (RHEL v.4 AS) (tomcat5) RHSA-2009:1616 Red Hat Network Satellite Server 5.3 (RHEL v.4) (tomcat5) RHSA-2009:1616 Red Hat Certificate System 7.3 for 4AS RHSA-2010:0602

This vulnerability is suggested by "Apache Tomcat/5.5.7". Apache mod_ssl Certificate Revocation List Off-By-One Buffer Overflow Vulnerability (QID 86801) CVE-2005-1268, RHSA-2005:0582, Apache httpd2.0 The mod_ssl module provides strong cryptography for the Apache Web servers. There is a vulnerability in the mod_ssl Certificate Revocation List (CRL) verification callback that allows for potential memory corruption when a malicious CRL is handled. A remote attacker could cause a denial of service and arbitrary code execution may be possible. Affected Versions: Apache httpd 2.0 Versions 2.0.35 through 2.0.54

Install vendor update or upgrade Apache to 2.0.55 (or later). For Red Hat (CVE-2005-1268): Red Hat Enterprise Linux version 3 (httpd) RHSA-2005:582 httpd-2.0.46-46.2.ent (superseded by RHSA-2009:1579 httpd-2.0.46-77.ent) Red Hat Enterprise Linux version 4 (httpd) RHSA-2005:582 httpd-2.0.52-12.1.ent (superseded by RHSA-2011:1392 httpd-2.0.52-49.ent)

This vulnerability is suggested by "Apache/2.0.52 (Fedora)". Apache Tomcat 5 and 6 Host Manager Web Application Cross-Site Scripting (XSS) Vulnerability (QID 86803) CVE-2008-1947, Apache Tomcat Security 5.x, Apache Tomcat Security 6.x The Host Manager Web application does not escape user-provided data before including it in the output. This issue may be mitigated by logging out or closing the browser of the application. Successful exploitation results in cross-site scripting.

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 54

Vulnerable Versions: Apache Tomcat Versions 6.0.0 through 6.0.16 Apache Tomcat Versions 5.5.9 through 5.5.26

Install vendor update or upgrade Apache Tomcat. For Red Hat (CVE-2008-1947): Red Hat Enterprise Linux version 5 (tomcat5) RHSA-2008:0648 tomcat5-5.5.23-0jpp.7.el5_2.1 (superseded by RHSA-2011:1845 tomcat5-5.5.23-0jpp.22.el5_7) Red Hat Application Server v2 4AS (tomcat5) RHSA-2008:0862 Red Hat Developer Suite v.3 (AS v.4) (tomcat5) RHSA-2008:0864 Red Hat Network Satellite Server 5.0 (RHEL v.4 AS) (tomcat5) RHSA-2008:1007 Red Hat Network Satellite Server 5.1 (RHEL v.4 AS) (tomcat5) RHSA-2008:1007

This vulnerability is suggested by "Apache Tomcat/5.5.26" (versions 5.5.9, 5.5.16, 5.5.20, 5.5.23, 5.5.26, 6.0.2, and 6.0.14). Unlike other cross-site scripting vulnerabilities, this vulnerability is not demonstrated. Apache Tomcat 4, 5 and 6 Multiple Vulnerabilities (QID 86804) CVE-2008-1232, CVE-2008-2370, Apache Tomcat Security 4.x, Apache Tomcat Security 5.x, Apache Tomcat Security 6.x Two vulnerabilities exist in Apache Tomcat. This first issue allows remote attackers to inject arbitrary Web script or HTMLFirst due to an incorrect handling of HttpServletResponse.sendError method. The second issue can be exploited when a RequestDispatcher is used to perform path normalization before removing the query string from the URI.

These vulnerabilities result in cross-site scripting (XSS), directory traversal and information disclosure. Vulnerable Versions: Apache Tomcat Versions 4.1.0 through 4.1.37 Apache Tomcat Versions 5.5.0 through 5.5.26 Apache Tomcat Versions 6.0.0 through 6.0.16

Install vendor update or upgrade Apache Tomcat. For Red Hat (CVE-2008-1232, CVE-2008-2370): JBoss Enterprise Application Platform 4.2.0 for RHEL 4 AS (jbossweb) RHSA-2008:0877 JBoss Enterprise Application Platform 4.2.0 for RHEL 5 Server (jbossweb) RHSA-2008:0877 JBoss Enterprise Application Platform 4.3.0 for RHEL 4 AS (jbossweb) RHSA-2008:0877 JBoss Enterprise Application Platform 4.3.0 for RHEL 5 Server (jbossweb) RHSA-2008:0877 Page 55

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Red Hat Application Server v2 4AS (tomcat5) RHSA-2008:0862 Red Hat Certificate System 7.3 for 4AS RHSA-2010:0602 Red Hat Developer Suite v.3 (AS v.4) (tomcat5) RHSA-2008:0864 Red Hat Enterprise Linux version 5 (tomcat5) RHSA-2008:0648 tomcat5-5.5.23-0jpp.7.el5_2.1 (superseded by RHSA-2011:1845 tomcat5-5.5.23-0jpp.22.el5_7) Red Hat Network Satellite Server 5.0 (RHEL v.4 AS) (tomcat5) RHSA-2008:1007 Red Hat Network Satellite Server 5.1 (RHEL v.4 AS) (tomcat5) RHSA-2008:1007

This vulnerability is suggested by "Apache Tomcat/5.5.26". Apache Tomcat RequestDispatcher Information Disclosure Vulnerability (QID 86808) CVE-2008-2370, Apache Tomcat Security 4.x, Apache Tomcat Security 5.x, Apache Tomcat Security 6.x, Bugtraq ID 30494 Apache Tomcat is prone to a remote information disclosure vulnerability. When using a RequestDispatcher the target path was normalized before the query string was removed. A request that includes a specially-crafted request parameter could be used to access content that would otherwise be protected by a security constraint or by locating it in under the WEB-INF directory. Remote attackers can exploit this issue to obtain the contents of sensitive files stored on the server. The information obtained may lead to further attacks. Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when a RequestDispatcher is used, performs path normalization before removing the query string from the URI, which allows remote attackers to conduct directory traversal attacks and read arbitrary files via a .. (dot dot) in a request parameter. Vulnerable Versions: Apache Tomcat versions 4.1.0 to 4.1.37. Apache Tomcat versions 5.5.0 to 5.5.26. Apache Tomcat versions 6.0.0 to 6.0.16.

Install vendor update or upgrade Apache Tomcat to 4.1.40, Apache Tomcat 5.5.SVN or 6.0.18. For Red Hat (CVE-2008-2370): Red Hat Enterprise Linux version 5 (tomcat5) RHSA-2008:0648 tomcat5-5.5.23-0jpp.7.el5_2.1 (superseded by RHSA-2011:1845 tomcat5-5.5.23-0jpp.22.el5_7) Red Hat Application Server v2 4AS (tomcat5) RHSA-2008:0862 Red Hat Developer Suite v.3 (AS v.4) (tomcat5) RHSA-2008:0864 JBoss Enterprise Application Platform 4.2.0 for RHEL 4 AS (jbossweb) RHSA-2008:0877 JBoss Enterprise Application Platform 4.2.0 for RHEL 5 Server (jbossweb) RHSA-2008:0877 JBoss Enterprise Application Platform 4.3.0 for RHEL 4 AS (jbossweb) RHSA-2008:0877 JBoss Enterprise Application Platform 4.3.0 for RHEL 5 Server (jbossweb) RHSA-2008:0877 Page 56

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Red Hat Network Satellite Server 5.0 (RHEL v.4 AS) (tomcat5) RHSA-2008:1007 Red Hat Network Satellite Server 5.1 (RHEL v.4 AS) (tomcat5) RHSA-2008:1007 Red Hat Certificate System 7.3 for 4AS RHSA-2010:0602

This vulnerability is suggested by "Apache Tomcat/5.5.26". Apache 1.3, 2.0 and 2.2 HTTP Server Multiple Vulnerabilities (QID 86809) CVE-2006-5752, CVE-2007-1863, CVE-2007-3304, RHSA-2007-0556, RHSA-2007-0534, RHSA-2007-0533 Multiple vulnerabilities exist in Apache HTTP server exist: Allow remote attackers to inject arbitrary web script or HTML. This error exists in mod_status.c in the mod_status module when ExtendedStatus is enabled and a public server-status page is used. Allow service crash. This error exists in cache_util.c in the mod_cache module when caching is enabled and a threaded Multi-Processing Module is used. Child processing handler crash via a request with some Cache-Control headers without a value.

These errors may result in cross-site scripting and denial of service conditions. Affected Versions: Apache Versions 1.3 to 1.3.38 Apache Versions 2.0 to 2.0.61 Apache Versions 2.2 to 2.2.6

Install vendor update or upgrade Apache. For Red Hat (CVE-2006-5752, CVE-2007-1863, CVE-2007-3304): Application Stack v1 for Enterprise Linux AS (v.4) (httpd) RHSA-2007:0557 Certificate System 7.3 for 4AS RHSA-2010:0602 Red Hat Enterprise Linux 2.1 (apache) RHSA-2007:0532 apache-1.3.27-12.ent (superseded by RHSA-2008:0004 apache-1.3.27-14.ent) Red Hat Enterprise Linux 3 (httpd) RHSA-2007:0533 httpd-2.0.46-67.ent (superseded by RHSA2009:1579 httpd-2.0.46-77.ent) Red Hat Enterprise Linux 3 (httpd) RHSA-2007:0662 httpd-2.0.46-68.ent (superseded by RHSA2009:1579 httpd-2.0.46-77.ent) Red Hat Enterprise Linux 4 (httpd) RHSA-2007:0534 httpd-2.0.52-32.2.ent (superseded by RHSA2011:1392 httpd-2.0.52-49.ent) Red Hat Enterprise Linux 4 (httpd) RHSA-2007:0662 httpd-2.0.52-32.3.ent (superseded by RHSA2011:1392 httpd-2.0.52-49.ent) Red Hat Enterprise Linux 5 (httpd) RHSA-2007:0556 httpd-2.2.3-7.el5 (superseded by RHSA2011:1392 httpd-2.2.3-53.el5_7.3) Page 57

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Network Proxy v 4.2 (RHEL v.3 AS) RHSA-2008:0523 Network Proxy v 4.2 (RHEL v.4 AS) RHSA-2008:0523 Network Proxy v 5.0 (RHEL v.4 AS) RHSA-2008:0263 Network Satellite Server 5.0 (RHEL v.4 AS) RHSA-2008:0261 Network Satellite Server v 4.2 (RHEL v.3 AS) RHSA-2008:0524 Network Satellite Server v 4.2 (RHEL v.4 AS) RHSA-2008:0524

This vulnerability is suggested by "Detected on port 443 - Apache/2.2.2 (Fedora)" or similar version information. Apache 2.0 HTTP Server PCRE Integer Overflow Vulnerability (QID 86812) CVE-2005-2491, Apache httpd 2.0 Vulnerabilities, RHSA-2005-358, RHSA-2005-761, RHSA-2006-0197, Bugtraq ID 14620 An integer overflow flaw exists in PCRE which is a Perl-compatible regular expression library included within Apache httpd server. This allows attackers to execute arbitrary code using specially crafted regular expressions, which may result in a heap-based buffer overflow. Affected Versions: Apache 2.0.35 through 2.0.54

Install vendor update for (CVE-2005-2491) or upgrade to the latest version of Apache. For Red Hat (CVE-2005-2491): Red Hat Enterprise Linux 2.1 (pcre) RHSA-2005:761 pcre-3.4-2.2 (superseded by RHSA2007:1065 pcre-3.4-2.4) Red Hat Enterprise Linux 2.1 (python) RHSA-2006:0197 python-1.5.2-43.72.1 (superseded by RHSA-2007:1077 python-1.5.2-43.72.2) Red Hat Enterprise Linux 3 (pcre) RHSA-2005:761 pcre-3.9-10.2 (superseded by RHSA-2007:1063 pcre-3.9-10.4) Red Hat Enterprise Linux 3 (python) RHSA-2006:0197 python-2.2.3-6.2 (superseded by RHSA2009:1178 python-2.2.3-6.11) Red Hat Enterprise Linux 4 (pcre) RHSA-2005:761 pcre-4.5-3.2.RHEL4 (superseded by RHSA2007:1068 pcre-4.5-4.el4_6.6) Red Hat Enterprise Linux 4 (python) RHSA-2006:0197 python-2.3.4-14.2 (superseded by RHSA2011:0491 python-2.3.4-14.10.el4) Red Hat Enterprise Linux 4 RHSA-2005-358 exim-4.43-1.RHEL4.5 (superseded by RHSA2011:0153 exim-4.43-1.RHEL4.5.el4_8.3)

Apache 2.0 HTTP Server mod_ssl Stack Buffer Overflow Vulnerability (QID 86814) CVE-2004-0488, Apache httpd 2.0 Vulnerabilities, RHSA-2004-342, RHSA-2004-245

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 58

A stack-based buffer overflow exists in the ssl_util_uuencode_binary function in ssl_util.c of Apache mod_ssl. When mod_ssl is configured to trust the issuing CA, it may allow remote attackers to execute arbitrary code via a client certificate with a long subject DN field. Affected Versions: Apache HTTP Server Versions 1.3.0 to 1.3.31 Apache HTTP Server Versions 2.0.35 to 2.0.49

Install vendor update or upgrade Apache. For Red Hat (CVE-2004-0488): Red Hat Enterprise Linux 2.1 RHSA-2004:245 apache-1.3.27-8.ent (superseded by RHSA2008:0004 apache-1.3.27-14.ent) mod_ssl-2.8.12-4 (superseded by RHSA-2005:773 mod_ssl2.8.12-8) Red Hat Enterprise Linux 3 (httpd) RHSA-2004:342 httpd-2.0.46-32.ent.3 (superseded by RHSA2009:1579 httpd-2.0.46-77.ent) Stronghold 4 RHSA-2004:405 Stronghold 4 for Red Hat Enterprise Linux RHSA-2005:816 Network Proxy v 4.2 (RHEL v.3 AS) RHSA-2008:0523 Network Proxy v 4.2 (RHEL v.4 AS) RHSA-2008:0523

This vulnerability is suggested by "Detected on port 80 - Apache/2.0.39 (Unix) mod_ssl/2.0.39 OpenSSL/0.9.7c" or similar version information. Apache HTTP Server Expect Header Cross-Site Scripting (XSS) (QID 86821) CVE-2006-3918, Apache 1.3 A cross-site scripting vulnerability exists in Apache HTTP Server. This issue occurs because input passed to the "Expect:" header is not properly sanitized before being returned to the users. This flaw can be exploited to execute arbitrary HTML and script code via a specially crafted Flash file. An attacker can exploit this vulnerability to perform a cross-site scripting attack or steal cookie-based authentication credentials and launch other attacks. Affected Versions: Apache HTTP Server Versions 1.3 before 1.3.35 Apache HTTP Server Versions 2.0 before 2.0.58 Apache HTTP Server Versions 2.2 before 2.2.2

Install vendor patch for CVE-2006-3918 or upgrade to Apache 1.3.35, 2.0.58, or 2.2.2 or later. Red Hat (CVE-2006-3918):

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 59

Red Hat Enterprise Linux 2.1 RHSA-2006:0618 apache-1.3.27-11 (superseded by RHSA2008:0004 apache-1.3.27-14.ent) Red Hat Enterprise Linux 3 RHSA-2006:0619 httpd-2.0.46-61 (superseded by RHSA-2009:1579 httpd-2.0.46-77.ent) Red Hat Enterprise Linux 4 RHSA-2006:0619 httpd-2.0.52-28 (superseded by RHSA-2011:1392 httpd-2.0.52-49.ent)

This vulnerability might be confirmed by exploiting the vulnerability (with the XSS detection caveat "Regarding Cross-Site Scripting Vulnerability Detection"). In other cases the vulnerability is suspected due to the version of Apache that was detected. Many vendors implement patches for vulnerabilities, and on open systems software they will typically back-port the patch. This makes version numbering reliable only if you identify the vendor and compare the detected version with the vendors numbering scheme. In one case, the detected operating system was "Dell Remote Access Controller." This may not be accurate. Whichever operating system is involved, the vendor must be contacted to determine if they are vulnerable to CVE-2006-3918 (do they even support expect headers? the exploit is described at http://www.securityfocus.com/archive/1/433280) and learn if they have an upgrade or patch. Apache Tomcat "RemoteFilterValve" Security Bypass Vulnerability (QID 86823) CVE-2008-3271, Apache Tomcat Security 4.x, Apache Tomcat Security 5.x, Bugtraq ID 31698 Apache Tomcat is prone to a security bypass vulnerability related to extensions of "RemoteFilterValve". Tomcat uses Valve components to process remote requests. An issue exists with valves derived from the "RemoteFilterValve" class. Specifically, compiled regular expressions may be saved and shared between process threads. In particular this issue has been reported in the "RemoteAddrValve" extension; other valve extensions may also be vulnerable. Successful exploitation may allow attackers to bypass certain access filters based on these extensions. Affected Products: Tomcat 4.1.0 - 4.1.32 Tomcat 5.5.0

Install vendor update or upgrade Apache Tomcat. For Red Hat (CVE-2008-3271): Red Hat Network Satellite Server 5.0 (RHEL v.4 AS) (tomcat5) RHSA-2008:1007 Red Hat Network Satellite Server 5.1 (RHEL v.4 AS) (tomcat5) RHSA-2008:1007

This vulnerability is suggested by "Apache Tomcat/4.1.27". Apache HTTP Server AllowOverride Options Security Bypass (QID 86840) CVE-2009-1195, CVE-2008-1678, Apache Revision 772997, RHSA-2009:1075 Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 60

Apache HTTP Server is prone to a security issue that exists in the handling of the "Options" and "AllowOverride" directives. This flaw can be exploited by local users to execute commands from a Server-Side-Include script when processing "AllowOverride" directives and certain "Options" arguments in ".htaccess" files. (CVE-2009-1195) A denial of service vulnerability exists due to improper handling of compression structures between mod_ssl and OpenSSL. This can be exploited to cause a system crash if too many connections are opened in a short period of time, causing all system memory and swap space to be consumed by httpd. If this vulnerability is successfully exploited, it can allow malicious, local users to bypass certain security restrictions and cause denial of service conditions. Apache HTTP Server 2.2.11 and earlier 2.2 versions are affected. Apache SVN (CVE-2009-1195): This issue has been fixed in the SVN repository. Refer to Apache Revision 772997 to obtain additional details on this vulnerability. For Red Hat Linux (CVE-2009-1195, CVE-2008-1678): JBoss Enterprise Web Server 1.0 for RHEL 4 AS (httpd22) RHSA-2009:1160 JBoss Enterprise Web Server 1.0 for RHEL 5 Server (httpd) RHSA-2009:1155 Red Hat Application Stack v2 for Enterprise Linux (v.5) (httpd) RHSA-2009:1156 Red Hat Enterprise Linux version 5 (httpd) RHSA-2009:1075 httpd-2.2.3-22.el5_3.1 (superseded by RHSA-2011:1392)

This vulnerability is suggested by "Apache/2.2.2 (Fedora)". Apache Tomcat Java AJP Connector Invalid Header Denial of Service Vulnerability (QID 86842) CVE-2009-0033, Apache Tomcat Security 4.x, Apache Tomcat Security 5.x, Apache Tomcat Security 6.x, Bugtraq ID 35193 Tomcat is prone to a denial of service vulnerability because it fails to correctly process specially crafted requests with invalid headers. If Tomcat receives a request with invalid headers via the Java AJP connector, it does not return an error and instead closes the AJP connection. In case, this connector is member of a "mod_jk" load balancing worker, this member will be put into an error state and will be blocked from use for approximately one minute. Thus the behavior can be used for a denial of service attack using a carefully crafted request. Attackers can exploit this issue to deny service to legitimate users. Vulnerable Versions: Apache Tomcat versions 4.1.0 to 4.1.39. Apache Tomcat versions 5.5.0 to 5.5.27. Apache Tomcat versions 6.0.0 to 6.0.18. Page 61

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Install vendor update or upgrade Apache Tomcat to 5.5.29 (or later) or 6.0.20 (or later). For Red Hat (CVE-2009-0033): Red Hat Enterprise Linux version 5 (tomcat5) RHSA-2009:1164 tomcat5-5.5.23-0jpp.7.el5_3.2 (superseded by RHSA-2011:1845 tomcat5-5.5.23-0jpp.22.el5_7) JBoss Enterprise Web Server 1.0 for RHEL 4 AS (tomcat5) RHSA-2009:1454 JBoss Enterprise Web Server 1.0 for RHEL 5 Server (tomcat5) RHSA-2009:1454 JBoss Enterprise Web Server 1.0 for RHEL 4 AS (tomcat6) RHSA-2009:1506 JBoss Enterprise Web Server 1.0 for RHEL 5 Server (tomcat6) RHSA-2009:1506 Red Hat Application Server v2 4AS (tomcat5) RHSA-2009:1562 Red Hat Developer Suite v.3 (AS v.4) (tomcat5) RHSA-2009:1563 Red Hat Network Satellite Server 5.2 (RHEL v.4 AS) (tomcat5) RHSA-2009:1616 Red Hat Network Satellite Server 5.3 (RHEL v.4) (tomcat5) RHSA-2009:1616 Red Hat Network Satellite Server 5.1 (RHEL v.4 AS) (tomcat5) RHSA-2009:1617 Red Hat Certificate System 7.3 for 4AS RHSA-2010:0602

This vulnerability is suggested by "Apache Tomcat/5.5.26". Apache Partial HTTP Request Denial of Service Vulnerability - Zero Day (QID 86847) CVE-2007-6750 Apache is vulnerable to a denial of service due to holding a connection open for partial HTTP requests. A remote attacker can cause a denial of service against the Web server which would prevent legitimate users from accessing the site. Denial of service tools and scripts such as Slowloris takes advantage of this vulnerability. Apache Versions 1.x and 2.x are vulnerable. Workarounds: Reverse proxies, load balancers and iptables can help to prevent this attack from occurring. Adjusting the TimeOut Directive can prevent this attack from occurring. The mod_reqtimeout module was introduced in Apache 2.2.15 to provide tools for mitigation against these forms of attack.

Refer to Cert Blog and Slowloris and Mitigations for Apache for further information. Install vendor update or upgrade Apache to 2.2.15 (or later). For Red Hat (CVE-2007-6750): "This issue affects the version of httpd package as shipped with Red Hat Enterprise Linux 4. This issue is mitigated by the use of mod_reqtimeout module shipped with the http package in Red Hat Enterprise Linux 5 and 6." Page 62

Vulnerability Remediation Synopsis version 0.4Russ Klanke

This vulnerability is suggested by "Detected on port 80 - Apache/2.2.2 (Fedora)". Note: Qualys does not provide a CVE ID, and reports that there are no vendor-supplied patches available at this time. Apache Tomcat Multiple Vulnerabilities (QID 86851) CVE-2008-5515, CVE-2009-0033, CVE-2009-0580, CVE-2009-0783, CVE-2009-0781, Apache Tomcat Security 4.x, Apache Tomcat Security 5.x, Apache Tomcat Security 6.x Apache Tomcat is prone to the following vulnerabilities: When using a RequestDispatcher obtained from the Request, the target path is not normalized before the query string is removed. A request that included a specially crafted request parameter could be used to access content that would otherwise be protected by a security constraint or by locating it in under the WEB-INF directory. (CVE-2008-5515) A denial of service vulnerability exists because it fails to correctly process specially crafted requests with invalid headers. If Tomcat receives a request with invalid headers via the Java AJP connector, it does not return an error and instead closes the AJP connection. In case, this connector is member of a "mod_jk" load balancing worker, this member will be put into an error state and will be blocked from use for approximately one minute. Thus the behavior can be used for a denial of service attack using a carefully crafted request. (CVE-2009-0033) An error in certain authentication classes can be exploited to potentially enumerate existing usernames via specially crafted URL-encoded passwords and brute force attacks. (CVE-20090580) It is possible for a Web application to replace the XML parser used by Tomcat to process web.xml and tld files. In certain circumstances this may be exploited by a malicious Web application to view or alter the web.xml and tld files of other Web applications. (CVE-2009-0783) A cross-site scripting vulnerability exists in "jsp/cal/cal2.jsp" (calendar application) in the examples Web application due to invalid HTML which renders the XSS filtering protection ineffective. (CVE-2009-0781)

Successful exploitation can allow malicious users to disclose sensitive information, conduct cross-site scripting attacks or manipulate certain data to cause a denial of service. Affected Versions: Apache Tomcat versions 4.1.0 to 4.1.39. Apache Tomcat versions 5.5.0 to 5.5.27. Apache Tomcat versions 6.0.0 to 6.0.18.

Install vendor update or upgrade Apache Tomcat to 4.1.40, Apache Tomcat 5.5.SVN or 6.0.20. For Red Hat (CVE-2008-5515, CVE-2009-0033, CVE-2009-0580, CVE-2009-0783, CVE-2009-0781):

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 63

Red Hat Enterprise Linux version 5 (tomcat5) RHSA-2009:1164 tomcat5-5.5.23-0jpp.7.el5_3.2 (superseded by RHSA-2011:1845 tomcat5-5.5.23-0jpp.22.el5_7) Red Hat Developer Suite v.3 (AS v.4) (tomcat5) RHSA-2009:1563 JBoss Enterprise Application Platform 4.2.0 for RHEL 5 Server RHSA-2009:1143 JBoss Enterprise Application Platform 4.2.0 for RHEL 4 AS RHSA-2009:1144 JBoss Enterprise Application Platform 4.3.0 for RHEL 5 Server RHSA-2009:1145 JBoss Enterprise Application Platform 4.3.0 for RHEL 4 AS RHSA-2009:1146 JBoss Enterprise Web Server 1.0 for RHEL 4 AS (tomcat5) RHSA-2009:1454 JBoss Enterprise Web Server 1.0 for RHEL 5 Server (tomcat5) RHSA-2009:1454 JBoss Enterprise Web Server 1.0 for RHEL 4 AS (tomcat6) RHSA-2009:1506 JBoss Enterprise Web Server 1.0 for RHEL 5 Server (tomcat6) RHSA-2009:1506 Red Hat Network Satellite Server 5.1 (RHEL v.4 AS) (tomcat5) RHSA-2009:1617 Red Hat Network Satellite Server 5.2 (RHEL v.4 AS) (tomcat5) RHSA-2009:1616 Red Hat Network Satellite Server 5.3 (RHEL v.4) (tomcat5) RHSA-2009:1616 Red Hat Certificate System 7.3 for 4AS RHSA-2010:0602 Red Hat Application Server v2 4AS (tomcat5) RHSA-2009:1562

This vulnerability is suggested by "Apache Tomcat/5.5.26". APR-util Library Integer Overflow Vulnerabilities (QID 86852) CVE-2009-2412, FEDORA-2009-8360, FEDORA-2009-8336, FEDORA-2009-8318 and FEDORA-2009-8349 Apache 2.2.13 Apache APR (Apache Portable Runtime) are libraries for API development. "APR-util" is a library of utility functions used by several software applications, including the Apache HTTP server. Multiple integer overflows in the Apache Portable Runtime (APR) library and the Apache Portable Utility library (aka APR-util) 0.9.x and 1.3.x allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via vectors that trigger crafted calls to the 1) allocator_alloc or 2) apr_palloc function in memory/unix/apr_pools.c in APR; or crafted calls to the 3) apr_rmm_malloc, 4) apr_rmm_calloc, or 5) apr_rmm_realloc function in misc/apr_rmm.c in APR-util; leading to buffer overflows. Successful exploits may allow remote attackers to cause denial of service conditions and compromise a vulnerable system. The vulnerabilities are reported in Apache Versions prior to 2.2.13. Install vendor patch or update to Apache Version 2.2.13 to fix this issue. For Red Hat (CVE-2009-2412): Red Hat Enterprise Linux version 3 (httpd) RHSA-2009:1205 httpd-2.0.46-75.ent (superseded by RHSA-2009:1579 httpd-2.0.46-77.ent) Page 64

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Red Hat Enterprise Linux version 4 RHSA-2009:1204 apr-0.9.4-24.9.el4_8.2 (superseded by RHSA-2011:0844 apr-0.9.4-26.el4) apr-util-0.9.4-22.el4_8.2 (superseded by RHSA-2010:0950 apr-util-0.9.4-22.el4_8.3) Red Hat Enterprise Linux version 5 RHSA-2009:1204 apr-1.2.7-11.el5_3.1 (superseded by RHSA2011:0844 apr-1.2.7-11.el5_6.5) apr-util-1.2.7-7.el5_3.2 (superseded by RHSA-2010:0950 aprutil-1.2.7-11.el5_5.2) JBoss Enterprise Web Server 1.0 for RHEL 4 AS (httpd22) RHSA-2009:1462 Red Hat Certificate System 7.3 for 4AS RHSA-2010:0602

For Fedora, updates to fix this issue are available for Fedora Versions 10 and 11. See security advisories FEDORA-2009-8360, FEDORA-2009-8336, FEDORA-2009-8318 and FEDORA-2009-8349 to address the issue and obtain patch details. Fedora has issued updates for the "apr-util" package to fix this vulnerability. Updates can be installed using the yum utility which can be downloaded from the Fedora Web site. This vulnerability is suggested by results like "port 80 - Apache/2.2.2 (Fedora)". Apache mod_proxy_ftp FTP Command Injection Vulnerability (QID 86855) CVE-2009-3095, Apache Changes 2.2.14 Apache mod_proxy_ftp is a module for the Apache Web server to handle FTP proxy requests. A vulnerability exists in the Apache "mod_proxy_ftp" module, which is caused due to an input validation error in the module. This can be exploited to pass arbitrary FTP commands to the FTP server via a specially crafted "Authorization" header in a request to the Apache server. Successful exploitation of this vulnerability can allow an attacker to bypass certain security restrictions. Affected Versions: Apache Versions 1.3.0 through 1.3.41 Apache Versions 2.0.0 through 2.0.63 Apache Versions 2.2.0 through 2.2.13

Other versions may also be affected. Workaround: Restrict network access to the proxy server to trusted users only. Install vendor update or upgrade to Apache version 2.2.14 (or later). For Red Hat (CVE-2009-3095): Red Hat Enterprise Linux version 3 (httpd) RHSA-2009:1579 httpd-2.0.46-77.ent Red Hat Enterprise Linux version 4 (httpd) RHSA-2009:1580 httpd-2.0.52-41.ent.6 (superseded by RHSA-2011:1392 httpd-2.0.52-49.ent)

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 65

Red Hat Enterprise Linux version 5 (httpd) RHSA-2009:1579 httpd-2.2.3-31.el5_4.2 (superseded by RHSA-2011:1392 httpd-2.2.3-53.el5_7.3) Red Hat Application Stack v2 for Enterprise Linux (v.5) RHSA-2009:1461 JBoss Enterprise Web Server 1.0 for RHEL 4 AS (httpd22) RHSA-2010:0011 JBoss Enterprise Web Server 1.0 for RHEL 5 Server (httpd) RHSA-2010:0011 Red Hat Certificate System 7.3 for 4AS RHSA-2010:0602

This vulnerability is suggested by "Detected on port 80 - Apache/2.2.2 (Fedora)". Apache Tomcat Installer Insecure Password Vulnerability (QID 86857) CVE-2009-3548, Apache Tomcat Security 5.x, Apache Tomcat Security 6.x, Bugtraq ID 36954 Tomcat is prone to an insecure password vulnerability in the installer. The administrative password defaults to a blank password during the install process. Successfully exploiting this issue may allow attackers to obtain administrative access to the application. Workarounds: Install the application via the ".zip" or ".tar.gz" distributions instead of using the Windows installer method. Remove the "admin" user from "tomcat-users.xml" after the Windows installer has completed. Edit the "tomcat-users.xml" file to provide the "admin" user with a strong password after the Windows installer has completed.

Affected Versions: Unsupported versions in the 3.x, 4.x, 4.1.x, and 5.0.x branches may be affected. Apache Tomcat versions 5.5.0 to 5.5.28. Apache Tomcat versions 6.0.0 to 6.0.20.

Install vendor update or upgrade Apache Tomcat to 5.5.29 (or later) or 6.0.24 (or later). For Red Hat (CVE-2009-3548): No Red Hat Enterprise Linux version is vulnerable (the Windows installer method is not used).

This vulnerability is demonstrated using default username ("admin") and default password ("admin"). Apache Tomcat Directory Traversal Weaknesses and Security Issue (QID 86865) CVE-2009-2693, CVE-2009-2901, CVE-2009-2902, CVE-2009-3548, Apache Tomcat Security 5.x, Apache Tomcat Security 6.x Apache Tomcat is exposed to following issues:

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 66

In case of a failed undeploy, some auto-deployed files may remain with improper access restrictions, potentially leading to the disclosure of sensitive information. The application does not properly sanitize the file name of WAR files, which can be exploited to delete files within the host's work directory by deploying WAR files with directory traversal sequences in the file name. The application does not properly sanitize the file names of files contained in a WAR file, which can be exploited to create arbitrary files outside of the Web root via a specially crafted WAR file. The Windows installer defaults to a blank password for the administrative user. If this is not changed during the install process, then by default a user is created with the name admin, roles admin and manager and a blank password.

The issues can be exploited by malicious users to manipulate certain data and to gain access to potentially sensitive information. Apache 5.x workaround Vulnerable Versions: Apache Tomcat Versions 5.5.0 through 5.5.28 Apache Tomcat Versions 6.0.0 through 6.0.20

Install vendor update or upgrade Apache Tomcat to version 5.5.29 or 6.0.24. For Red Hat (CVE-2009-2693, CVE-2009-2902):

JBoss Enterprise Web Server 1.0 for RHEL 4 AS RHSA-2010:0119 JBoss Enterprise Web Server 1.0 for RHEL 5 Server RHSA-2010:0119 Red Hat Application Server v2 4AS (tomcat5) RHSA-2010:0582 Red Hat Certificate System 7.3 for 4AS (tomcat5) RHSA-2010:0693 Red Hat Enterprise Linux version 5 (tomcat5) RHSA-2010:0580

For Red Hat (CVE-2009-2901): Red Hat is aware of this issue and is tracking it via the following bug. This issue did not affect Tomcat versions running on Linux or Solaris systems. This issue is fixed in the tomcat5 and tomcat6 packages released with JBoss Enterprise Web Server 1.0.1 for Windows.

For Red Hat (CVE-2009-3548): This is a Windows Installer-related vulnerability.

This vulnerability is suggested by "Apache Tomcat/5.5.26".

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 67

Apache 1.3 mod_proxy HTTP Chunked Encoding Integer Overflow Vulnerability (QID 86868) CVE-2010-0010, Apache Changes 1.3.42, Bugtraq 37966 The Apache HTTP Server is a freely-available Web server. The Apache mod_proxy module implements an HTTP proxy and cache for the Apache Web server. The Apache mod_proxy module is prone to a remote integer-overflow vulnerability because it fails to properly handle type conversions on 64-bit platforms when processing chunk-encoded HTTP responses. This vulnerability is caused by an error in the "ap_proxy_send_fb()" function in the "modules/proxy/proxy_util.c" source file. This error can be triggered when processing chunk-encoded HTTP responses received from other Web servers; other vectors may also exist. An attacker can exploit this issue to execute arbitrary code. Successful exploits will compromise affected computers. Failed exploit attempts will result in a denial of service. Apache 1.3.41 on 64-bit platforms is affected. Other versions may also be affected. Install vendor update or upgrade to Apache 1.3.42 (or later). This vulnerability is suggested by "Detected on port 80 - Apache/1.3.41 (Unix) mod_jk/1.2.15 mod_perl/1.30" or similar version information. Apache HTTP Server Prior to 2.2.15 Multiple Vulnerabilities (QID 86873) CVE-2010-0408, CVE-2010-0425, CVE-2010-0434, Apache 2.2.15 Apache HTTP Server is exposed to following vulnerabilities: The "ap_proxy_ajp_request()" function in modules/proxy/mod_proxy_ajp.c of the mod_proxy_ajp module returns the "HTTP_INTERNAL_SERVER_ERROR" error code when processing certain malformed requests. This can be exploited to put the backend server into an error state until the retry timeout expired by sending specially crafted requests. When triggered, the mod_isapi module will unload the selected ISAPI module before the request processing is completed. This results in an orphaned callback pointer (also known as a dangling pointer). This vulnerability (CVE-2010-0425) affects Microsoft Windows based hosts only. An error exists within the header handling when processing subrequests, which can lead to sensitive information from a request being handled by the wrong thread if a multi-threaded Multi-Processing Module (MPM) is used.

Successfully exploiting these issues might allow a remote attacker exposure to sensitive information or cause denial of service. Install vendor patch or update to version 2.2.15 to resolve this issue. Refer to Apache Revisions 917870 and 917875 to obtain additional patch details.

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 68

For Red Hat (CVE-2010-0408, CVE-2010-0425, CVE-2010-0434): JBoss Enterprise Web Server 1.0 for RHEL 4 AS (httpd22) RHSA-2010:0396 JBoss Enterprise Web Server 1.0 for RHEL 5 Server (httpd) RHSA-2010:0396 Red Hat Certificate System 7.3 for 4AS RHSA-2010:0602 Red Hat Enterprise Linux version 4 (httpd) RHSA-2010:0175 httpd-2.0.52-41.ent.7 (superseded by RHSA-2011:1392 httpd-2.0.52-49.ent) Red Hat Enterprise Linux version 5 (httpd) RHSA-2010:0168 httpd-2.2.3-31.el5_4.4 (superseded by RHSA-2011:1392 httpd-2.2.3-53.el5_7.3)

This vulnerability is suggested by "Detected on port 443 - Apache/2.2.2 (Fedora)". Apache httpd "mod_proxy_http" Timeout Handling Information Disclosure Vulnerability (QID 86901) CVE-2010-1452 An undisclosed vulnerability exists in Apache mod_cache and mod_dav, which could allow an attacker to cause a denial of service. To exploit this issue, an attacker would need to locate an Apache Web server running mod_cache and mod_dav. Affected Versions: Apache 2.2.15 Install vendor update or upgrade to Apache Version 2.2.16 (or later). For Red Hat (CVE-2010-1452): Red Hat Enterprise Linux version 5 (httpd) RHSA-2010:0659 httpd-2.2.3-43.el5_5.3 (superseded by RHSA-2011:1392 httpd-2.2.3-53.el5_7.3) JBoss Enterprise Web Server 1.0 RHSA-2011:0896 JBoss Enterprise Web Server 1.0 for RHEL 4 AS RHSA-2011:0897 JBoss Enterprise Web Server 1.0 for RHEL 5 Server RHSA-2011:0897 JBoss Enterprise Web Server 1.0 for RHEL 6 Server RHSA-2011:0897

This vulnerability is suggested by "Detected on port 80 - Apache/2.2.15 (Fedora)". Apache HTTP Server 2.2.15 mod_cache and mod_dav Undisclosed DoS Vulnerability (QID 86908) CVE-2010-1452 An undisclosed vulnerability exists in Apache mod_cache and mod_dav, which could allow an attacker to cause a denial of service. To exploit this issue, an attacker would need to locate an Apache Web server running mod_cache and mod_dav. By exploiting this vulnerability, an attacker can cause a denial of service. Apache Version 2.2.15 is affected. Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 69

Install vendor update or upgrade to Apache Version 2.2.16 (or later). For Red Hat (CVE-2010-1452): Red Hat Enterprise Linux version 5 (httpd) RHSA-2010:0659 httpd-2.2.3-43.el5_5.3 (superseded by RHSA-2011:1392 httpd-2.2.3-53.el5_7.3) JBoss Enterprise Web Server 1.0 RHSA-2011:0896 JBoss Enterprise Web Server 1.0 for RHEL 4 AS RHSA-2011:0897 JBoss Enterprise Web Server 1.0 for RHEL 5 Server RHSA-2011:0897 JBoss Enterprise Web Server 1.0 for RHEL 6 Server RHSA-2011:0897

This vulnerability is suggested by "Apache/2.2.15 (Fedora)". Apache Tomcat SecurityManager Security Bypass Vulnerability (QID 86939) CVE-2010-3718, Apache Tomcat Security 5.x, Apache Tomcat Security 6.x, Apache Tomcat Security 7.x, Bugtraq ID 46177 Apache Tomcat is prone to a security bypass vulnerability. When Apache Tomcat is running within a SecurityManager, the ServletContext attribute is not set to read-only, which allows local web applications to read or write files outside of the intended working directory. Vulnerable Versions: Apache Tomcat versions 5.5.x, 6.0.x and 7.0.0 through 7.0.3.

Install vendor update or upgrade Apache Tomcat to 5.5.30, 6.0.30 or 7.0.4 (or later). For Red Hat (CVE-2010-3718): Red Hat Enterprise Linux version 5 (tomcat5) RHSA-2011:1845 tomcat5-5.5.23-0jpp.22.el5_7 Red Hat Enterprise Linux version 6 (tomcat6) RHSA-2011:0791 tomcat6-6.0.24-33.el6 (superseded by RHSA-2011:1780 tomcat6-6.0.24-35.el6_1) JBoss Enterprise Web Server 1.0 RHSA-2011:0896 JBoss Enterprise Web Server 1.0 for RHEL 4 AS RHSA-2011:0897 JBoss Enterprise Web Server 1.0 for RHEL 5 Server RHSA-2011:0897 JBoss Enterprise Web Server 1.0 for RHEL 6 Server RHSA-2011:0897

If this vulnerability is successfully exploited, attackers can bypass certain security restrictions and gain access to arbitrary files and directories in the context of the web server. This vulnerability is suggested by "Apache Tomcat/5.5.26". Apache Tomcat HTTP NIO / APR Connector sendfile Input Validation Error Information Disclosure Vulnerability (QID 86950) CVE-2011-2526, Apache Tomcat Security 5.x, Apache Tomcat Security 6.x, Apache Tomcat Security 7.x

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 70

An input validation error vulnerability exists in various versions of Tomcat. Specifically, when Tomcat is configured to use either the HTTP NIO or APR connectors and the security manager is running, certain setting request attributes are not validated and could enable untrusted applications to disclose normally restricted file system content. By exploiting this vulnerability, attackers can discover potentially sensitive information on the targeted host. Vulnerable Versions: Apache Tomcat versions 5.5.0 to 5.5.33 Apache Tomcat versions 6.0.0 to 6.0.32 Apache Tomcat versions 7.0.0 to 7.0.18

Install vendor update or upgrade Apache Tomcat to version 5.5.34, 6.0.33 or 7.0.19. For Red Hat (CVE-2011-2526): Red Hat Enterprise Linux version 6 (tomcat6) RHSA-2011:1780

Workarounds: Undeploy untrusted Web applications Switch to the HTTP BIO connector (which does not support sendfile) Disable sendfile by setting useSendfile="false" on the connector

This vulnerability is suggested by "Apache Tomcat/5.5.26". Apache 1.3 and 2.0 Web Server Multiple Vulnerabilities (QID 115731) CVE-2006-5752, CVE-2007-3304, RHSA-2007-0556, RHSA-2007-0534, RHSA-2007-0533, Apache1.3, Apache2.0, Apache2.2, RHSA-2007-0532, Bugtraq ID 24645, 24215 Apache Web Server is prone to the following vulnerabilities: Cross-site scripting (XSS) vulnerability in mod_status.c in the mod_status module in Apache HTTP Server (httpd), when ExtendedStatus is enabled and a public server-status page is used, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors involving charsets with browsers that perform "charset detection" when the content-type is not specified. This may allow a local or remote unprivileged user to inject arbitrary web script or HTML. This may allow an unprivileged user to bypass access control and gain access to unauthorized data. Apache httpd 1.3.37, 2.0.59, and 2.2.4 with the Prefork MPM module, allows local users to cause a denial of service by modifying the worker_score and process_score arrays to reference an arbitrary process ID, which is sent a SIGUSR1 signal from the master process, aka "SIGUSR1 killer." This may allow a local user to send signals to an arbitrary process resulting in a denial of service. Page 71

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Install the vendor updates for CVE-2007-3304 and CVE-2006-5752 or upgrade to the latest Apache version. For Solaris Apache packages: Sun has released patches to address this vulnerability in Apache bundled with Solaris Systems. Refer to Oracle ID 1000027.1 for patch details. For Red Hat (CVE-2006-5752, CVE-2007-3304): Red Hat Enterprise Linux 2.1 (apache) RHSA-2007:0532 apache-1.3.27-12.ent (superseded by RHSA-2008:0004 apache-1.3.27-14) Red Hat Enterprise Linux 3 (httpd) RHSA-2007:0533 httpd-2.0.46-67, RHSA-2007:0662 httpd2.0.46-68.ent (both superseded by RHSA-2009:1579 httpd-2.0.46-77.ent) Red Hat Enterprise Linux 4 (httpd) RHSA-2007:0534 httpd-2.0.52-32.2, RHSA-2007:0662 httpd2.0.52-32.3.ent (both superseded by RHSA-2011:1392 httpd-2.0.52-49.ent) Red Hat Enterprise Linux 5 (httpd) RHSA-2007:0556 httpd-2.2.3-7.el5 (superseded by RHSA2011:1392 httpd-2.2.3-53.el5_7.3) Network Proxy v 4.2 (RHEL v.3 AS) RHSA-2008:0523 Network Proxy v 4.2 (RHEL v.4 AS) RHSA-2008:0523 Network Proxy v 5.0 (RHEL v.4 AS) RHSA-2008:0263 Network Satellite Server v 4.2 (RHEL v.3 AS) RHSA-2008:0524 Network Satellite Server v 4.2 (RHEL v.4 AS) RHSA-2008:0524 Network Satellite Server v 5.0 (RHEL v.4 AS) RHSA-2008:0261 Application Stack v1 for Enterprise Linux AS (v.4) (httpd) RHSA-2007:0557 Certificate System 7.3 for 4AS RHSA-2010:0602

Sun Solaris Cross-Site Scripting Issues in Apache 1.3 and 2.0 "mod_imap" and "mod_status" Modules (QID 115798) CVE-2007-5000, CVE-2007-6388, Sun Alert ID 233623, Oracle ID 1019040.1 Two security issues exists in the Apache HTTP server which affect the Apache 2.0 Web server bundled with Solaris 10 and the Apache 1.3 Web server bundled with Solaris 8, Solaris 9 and Solaris 10. The first issue, a cross-site scripting issue, is found in the "mod_imap" Apache server module, and the second issue in the "mod_status" Apache server module. Exploitation may allow a local or remote unprivileged user to inject arbitrary Web script or HTML, allowing the unprivileged user to bypass access control and gain access to unauthorized data. Sun has released patches to address this issue. Refer to Oracle ID 1019040.1 for patch details. For Red Hat see "Apache HTTP Server Multiple Cross-Site Scripting Vulnerabilities (QID 12260)".

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 72

This vulnerability is confirmed by detecting Red Hat 2.4 with: Package Installed version Required version apache 1.3.27-8.ent 1.3.27-14.ent apache-devel 1.3.27-8.ent 1.3.27-14.ent Red Hat Security Update for Apache (QID 116444) CVE-2005-2970, CVE-2005-3352, CVE-2005-3357, RHSA-2006-0158, RHSA-2006-0159, Bugtraq ID 15762, 15834, 16152 The following vulnerabilities were identified in the Apache HTTP Server: A cross-site scripting vulnerability exists in the "mod_imap" module of Apache httpd when using the Referer directive with image maps. This can be exploited to inject arbitrary Web script or HTML via specially crafted image maps. (CVE-2005-3352) A denial of service vulnerability exists due to a memory leak in the worker MPM. This flaw could allow remote attackers to cause a memory consumption via aborted connections, which prevents the memory for the transaction pool from being reused for other connections. (CVE2005-2970) A denial of service vulnerability exists in "mod_ssl" in Apache, when configured with an SSL vhost with access control and a custom error 400 error page. This can be exploited to cause an application to crash via a non-SSL request to an SSL port, which triggers a NULL pointer dereference. (CVE-2005-3357)

If this vulnerability is successfully exploited, it will allow attackers to steal sensitive information and cause denial of service conditions. For Red Hat (CVE-2005-2970, CVE-2005-3352, CVE-2005-3357): Red Hat Enterprise Linux 2.1 (apache) RHSA-2006:0158 apache-1.3.27-10 (superseded by RHSA2008:0004 1.3.27-14.ent) Red Hat Enterprise Linux 3 (httpd) RHSA-2006:0159 httpd-2.0.46-56 (superseded by RHSA2009:1579 httpd-2.0.46-77) Red Hat Enterprise Linux 4 (httpd) RHSA-2006:0159 httpd-2.0.52-22 (superseded by RHSA2011:1392 httpd-2.0.52-49)

Sun Solaris Apache 1.3 "mod_jk" Module Unauthorized Access Vulnerability (QID 116491) CVE-2008-5519, Sun Alert ID 262468, Oracle ID 1020661.1 A vulnerability exists in the Tomcat Connector (mod_jk) module for Apache HTTP server. An attacker can exploit this flaw via an arbitrary request from an HTTP client that includes a Content-Length header but no POST data or a rapid series of requests, related to non-compliance with the AJP protocol's requirements for requests containing Content-Length headers. This issue may allow a remote unprivileged user to bypass access control and gain access to unauthorized data. Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 73

This issue affects the Apache 1.3 Web server bundled with Solaris 9 and 10. The vendor has released updates to resolve this issue. Refer to Oracle ID 1020661.1 to obtain patch information. This vulnerability is confirmed by detecting "122911-12 exists" And "SUNWapchr is installed" and "122911-16 is missing." Solaris Apache 1.3 "mod_perl" Module Component "Status.pm" Unauthorized Data Access Vulnerability (QID 116945) CVE-2009-0796, Solaris Alert ID 274110, Oracle ID 1021709.1 "mod_perl" is an optional module for Apache that embeds a Perl interpreter into the Apache Web Server. A cross-site scripting vulnerability in the Apache 1.3 HTTP server "mod_perl" module's perl status utility may allow an unprivileged remote user to inject arbitrary web script or HTML while accessing a crafted URL to perl status utility.

This can result in various impacts including the theft of sensitive information such as cookie information, access to user credentials or the hijacking of sessions. Solaris 8, 9 and 10 for the SPARC and x86 platforms are affected. Refer to Oracle ID 1021709.1 to address this issue and obtain patch information. Install patch 12291128. This vulnerability is confirmed by detecting "122911-18 is missing."

ATT WinVNC Vulnerabilities


ATT WinVNC Server Buffer Overflow and Weak Authentication Vulnerabilities (QID 38022) CVE-2001-0168, Bugtraq ID 2306, US-CERT Vulnerability Note VU#598581 WinVNC is a freely available software package designed to give remote desktop access to servers using the client/server. It is distributed and maintained by AT&T. The WinVNC server contains a problem that could allow remote users to arbitrarily execute code. The problem is due to the handling of HTTP requests when a non-zero debug level has been set. HTTP requests are placed into a buffer of 1024 bytes, and when the Windows registry key DebugLevel is set to a value greater than 0, the HTTP request is logged using the method ReallyPrint(), which contains a fixed buffer of 1024 bytes. It's possible to send a specially crafted HTTP request to the WinVNC server, which will overwrite variables on the stack, including the return address. A second problem with the software package may allow unauthorized access to machines using the service. It's possible for a system, which is in a position to control data between the client and the Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 74

server, to gain unauthorized access to a VNC connection. This is achieved by using means such as TCP session hijacking, which exploits a weakness in the challenge and response system between the client and the server. When a connection between a server and a client is negotiated, it's possible for an intermediate system to gain access to the session by intercepting and exchanging data necessary to authenticate with the VNC server. First, the intermediate system initiates a connection with the server, waits for the client to initiate a connection with the server, and by using techniques of intercepting and injecting data, forces the client to accept the key for the session between the server and the intermediate system. The client authenticates the key and attempts to return it to the server. The intermediate system will intercept the key on its return, and use it for its own session. This attack fulfills the authentication requirements of the server, and allows the connection from the intermediate system, denying the connection from the client. By exploiting this vulnerability, a malicious user can execute arbitrary code with privileges of the WinVNC server process, and potentially gain access to the local system. Vulnerable versions: AT&T WinVNC Server 3.3.3 r7 The newest version of VNC is available at http://www.realvnc.com/download.html. A workaround is to tunnel your VNC traffic. This vulnerability is suggested by detecting "RFB 003.003". RFC 6143 "The Remote Framebuffer Protocol" explains that the RFB protocol has evolved through three published versions: 3.3, 3.7, and 3.8. "RFB 003.003" is part of the handshake. The US-CERT Vulnerability Note VU#598581 shows how to patch the vulnerability, which would not change the version number.

AWStats Vulnerabilities
AWStats Rawlog Plugin Logfile Parameter Input Validation Vulnerability (QID 12210) AWStats Changelog, Bugtraq ID 10950 AWStats is a CGI log analyzer that generates statistical reports based on HTTP, SMTP and FTP logs. It is written in Perl and is freely available for Unix, Linux and Microsoft Windows. AWStats Versions 6.3 and earlier are affected by Rawlog Plugin input validation vulnerability. The issue is reported to exist because user-supplied "logfile" URI data passed to the "awstats.pl" script is not sanitized. An attacker may exploit this condition to execute commands remotely or disclose contents of Web server readable files. Install vendor update or upgrade to AWStats Version 6.4 (or later) from the AWStats' Web site. Not Vulnerable: AWStats 6.5.0 build 1.857 Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 75

Why the vulnerability was suggested is not indicated. AWStats Referrer Arbitrary Command Execution Vulnerability (QID 12175) CVE-2005-1527, AWStats Changelog, Bugtraq ID 14525 AWStats Versions 6.3 and earlier are affected by an arbitrary command execution vulnerability. The application stores the referrer of users visiting the Web site, however the application fails to sanitize the "url" parameter of "ShowInfoURL" before storing it. An attacker can exploit this vulnerability and supply malicious Perl code as the referrer value. That value is later used when generating a new report. When a user visits the generated referrer statistics report, the injected code will execute with the permissions of the Web server process. Note that this vulnerability is only possible if the affected application has at least one URLPlugin enabled. Successful exploitation of this vulnerability permits an attacker to execute arbitrary Perl code on the system hosting the affected application in the security context of the Web server process. This may aid in further attacks against the underlying system. Install vendor update or upgrade to AWStats Version 6.4 (or later) from the AWStats' Web site. Not Vulnerable: AWStats 6.5.0 build 1.857 Why the vulnerability was suggested is not indicated.

BEA WebLogic Vulnerabilities


BEA WebLogic Multiple Vulnerabilities (QID 86734) CVE-2006-0421, Bugtraq ID 16358 WebLogic Server, WebLogic Portal and WebLogic Express are enterprise application server products distributed by BEA Systems. By design, BEA WebLogic Server and WebLogic Express 7.0 and 6.1, when creating multiple domains from the same WebLogic instance on the same machine, allows administrators of any created domain to access other created domains, which could allow administrators to gain privileges that were not intended. BEA has released 10 advisories identifying various vulnerabilities affecting BEA WebLogic Server, WebLogic Portal and WebLogic Express. The following specific issues were disclosed: BEA06-119.00 - Console applies incorrect JNDI policies. BEA06-118.00 - Server's SSL identity not properly protected from applications. BEA06-117.00 - Using a connection filter can cause the server to slow down. BEA06-116.00 - Non-active security provider appears active. Page 76

Vulnerability Remediation Synopsis version 0.4Russ Klanke

BEA06-115.00 - A patch is available to enforce access to only specific resources. BEA06-114.00 - Application code installed on a server may be able to decrypt passwords. BEA06-113.00 - Changed passwords may show up in audit log. BEA06-112.00 - An application's deployment descriptor source is visible. BEA06-111.00 - The server log may be remotely viewable. BEA06-110.00 - Cleartext database password in the config.xml file. BEA06-109.00 - Multiple MBean vulnerabilities. BEA06-108.00 - Documentation is available describing securing multiple-domains managed from one instance of the WebLogic Server Administration Console.

These issues present remote and local threats and may facilitate attacks affecting the integrity, confidentiality, and availability of vulnerable computers. The vendor has released updates to address these issues. Consult the referenced advisories for details on obtaining the appropriate updates. BEA has replaced advisory BEA06-114.00 with BEA06-114.01 to report that Service Pack 5 is not vulnerable to the issue described in the advisory. Please see the references for more information. BEA has replaced advisory BEA06-110.00 with BEA08-110.01. BEA Systems Weblogic Server 9.0: BEA Systems CR241234_900.jar BEA Systems WebLogic Server for Win32 9.0 BEA Systems CR241234_900.jar BEA Systems WebLogic Express 6.1 SP 7 BEA Systems CR198548_61sp7-v2.jar BEA Systems WebLogic Server for Win32 6.1 SP 7 BEA Systems CR198548_61sp7-v2.jar BEA Systems Weblogic Server 6.1 SP 7 BEA Systems CR198548_61sp7-v2.jar BEA Systems Weblogic Server 7.0 SP 6 BEA Systems CR198548_70sp6-v2.jar BEA Systems CR241234_700sp6.jar BEA Systems WebLogic Express 7.0 SP 6 BEA Systems CR198548_70sp6-v2.jar BEA Systems CR241234_700sp6.jar BEA Systems WebLogic Server for Win32 7.0 SP 6 BEA Systems CR198548_70sp6-v2.jar BEA Systems CR241234_700sp6.jar BEA Systems Weblogic Server 8.1 SP 5 BEA Systems CR241234_810sp5.jar BEA Systems WebLogic Server for Win32 8.1 SP 5 BEA Systems CR241234_810sp5.jar

This vulnerability is suggested by detecting "WebLogic 9.x". BEA WebLogic Multiple Vulnerabilities (2007) (QID 86766) CVE-2007-0408, CVE-2007-0409, CVE-2007-0410, CVE-2007-0411, CVE-2007-0412, CVE-2007-0413, CVE2007-0414, CVE-2007-0415, CVE-2007-0416, CVE-2007-0417, CVE-2007-0418, CVE-2007-0419, CVE2007-0420, CVE-2007-0421, CVE-2007-0422, CVE-2007-0423, CVE-2007-0424, CVE-2007-0425, CVE2007-0426, CVE-2006-4339, CVE-2007-2694, CVE-2007-2695, CVE-2007-2696, CVE-2007-2697, CVE2007-2698, CVE-2007-2699, CVE-2007-2700, CVE-2007-2701, CVE-2007-2702, CVE-2007-2703, CVEVulnerability Remediation Synopsis version 0.4Russ Klanke Page 77

2007-2704, CVE-2007-2705, BEA07-166.00, BEA07-167.00, BEA07-168.00, BEA07-169.00, BEA08-80.04, BEA07-137.00, BEA07-138.00, BEA07-139.00, BEA07-147.00, BEA07-148.01, BEA07-150.00, BEA07155.00, BEA07-159.01, BEA07-160.00, BEA07-161.00, BEA07-163.00, BEA07-164.01, BEA07-165.00, BEA08-159.01 BEA has released updates for Weblogic Express and Weblogic Server. The updates address multiple vulnerabilities that can sacrifice availability, integrity and confidentiality of the vulnerable system. When these issues are exploited, the following consequences can occur: Passwords stored in the JDBCDataSourceFactory MBean Properties attribute are not encrypted. Denial of service due to an error in thread management. Denial of service due to error in handling socket connections. Information disclosure using specially crafted HTTP requests. Unauthorized access to certain resources due to an error in enforcing access controls.

Refer to security advisories BEA07-147.00, BEA07-148.01, BEA07-150.00, BEA07-155.00, BEA08-80.04, BEA08-159.01, BEA07-160.00, BEA07-161.00, BEA07-163.00, BEA07-164.01, BEA07-165.00, BEA07168.00, BEA07-169.00, BEA07-166.00, BEA07-167.00, BEA07-137.00, BEA07-138.00 and BEA07-139.00 to address the issues and obtain more information. Check BEA's Web site for updates. This issue is addressed in the following releases: SPARC o o o Intel o o o

Solaris 2.5.1 with patch 103640-41 or later Solaris 2.6 with patches 105401-38 and 105564-05 or later Solaris 7 with patch 106942-21 or later Solaris 2.5.1 with patch 103641-41 or later Solaris 2.6 with patches 105402-38 and 105565-05 or later Solaris 7 with patch 106943-21 or later

This vulnerability is suggested when "detected service rpc and os SOLARIS 7-10".

BIND Vulnerabilities
ISC BIND Remote Cache Poisoning Vulnerability (QID 15053) CVE-2007-2926, CVE-2007-2930, Bugtraq ID 25037 A remote DNS cache poisoning vulnerability affects BIND Version 9 because it fails to use secure DNS transaction IDs. Specifically, the transaction IDs for DNS requests are easily predictable. The internal state of the pseudo random number generator (PRNG) that the software utilizes to create transaction IDs can be determined by remote attackers. Exploitation of the vulnerability allows remote attackers to Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 78

spoof DNS server replies, poisoning the server's cache. An attacker may leverage this issue to manipulate cache data, potentially facilitating man-in-the-middle, site impersonation, and denial of service attacks. Install vendor update to upgrade to BIND Version BIND 8.4.7-P1, 9.2.8-P1, 9.3.4-P1, 9.4.1-P1 or 9.5.0a6. For Red Hat (CVE-2007-2926): Red Hat Enterprise Linux 2.1 (RHSA-2007:0740) bind-9.2.1-9.el2 (superseded by RHSA2009:0020 bind-9.2.1-11.el2) Red Hat Enterprise Linux 3 (RHSA-2007:0740) bind-9.2.4-21.el3 (superseded by RHSA-2009:1181 bind-9.2.4-25.el3) Red Hat Enterprise Linux 4 (RHSA-2007:0740) bind-9.2.4-27.0.1.el4 (superseded by RHSA2011:1496 bind-9.2.4-38.el4) Red Hat Enterprise Linux 5 (RHSA-2007:0740) bind-9.3.3-9.0.1.el5 (superseded by RHSA2011:1458 bind-9.3.6-16.P1.el5_7.1)

For Red Hat (CVE-2007-2930): Not Vulnerable: This issue did not affect the versions of bind as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5. Red Hat Bind Security Update (QID 115514) CVE-2007-0494, RHSA-2007:0044 ISC BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. A flaw was found in the way BIND processes certain DNS query responses. On servers that have enabled DNSSEC validation, this could allow a remote attacker to cause a denial of service. A remote attacker can cause denial of service attack on the vulnerable machine. For Red Hat (CVE-2007-0494): Red Hat Enterprise Linux 2.1 (bind) RHSA-2007:0044 bind-9.2.1-8.EL2 (superseded by RHSA2009:0020 bind-9.2.1-11.el2) Red Hat Enterprise Linux 3 (bind) RHSA-2007:0044 bind-9.2.4-20.EL3 (superseded by RHSA2009:1181 bind-9.2.4-25.el3) Red Hat Enterprise Linux 4 (bind) RHSA-2007:0044 bind-9.2.4-24.EL4 (superseded by RHSA2011:1496 bind-9.2.4-38.el4) Red Hat Enterprise Linux 5 (bind) RHSA-2007:0057 bind-9.3.3-8.el5 (superseded by RHSA2011:1458 bind-9.3.6-16.P1.el5_7.1)

Red Hat Update for bind (QID 116124) CVE-2009-0025, RHSA-2009-0020

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 79

BIND (Berkeley Internet Name Domain or named) is an implementation of the DNS (Domain Name System) server on the Internet, especially on Unix-like systems. A vulnerability exists in the way BIND checks the return value of the OpenSSL "DSA_do_verify" function when validating the signature using the DNSKEY algorithms DSA and NSEC3DSA. This can be exploited by attackers to send spoofed responses from malicious zones to bypass certificate validation. Updated BIND packages are available for Red Hat Enterprise Linux Versions 2.1, 3, 4, and 5. For Red Hat Enterprise Linux Version 3, the update fixes a flaw that caused BIND to exit with an assertion failure. Successful exploitation of this vulnerability allows remote attackers to bypass validation of the certificate chain by using malformed signatures and cause spoofing attacks. Workaround: Disable the affected algorithms in "named.conf" so that responses from malicious zones signed with only DSA and/or NSEC3DSA keys are treated as insecure. For BIND Versions 9.3, 9.4 and 9.5, disable the DSA algorithm. For BIND Version 9.6, disable the DSA and NSEC3DSA algorithms. For Red Hat (CVE-2009-0025): Red Hat Enterprise Linux 2.1 (bind) RHSA-2009:0020 bind-9.2.1-11.el2 Red Hat Enterprise Linux 3 (bind) RHSA-2009:0020 bind-9.2.4-23.el3 (superseded by RHSA2009:1181 bind-9.2.4-25.el3) Red Hat Enterprise Linux 4 (bind) RHSA-2009:0020 bind-9.2.4-30.el4_7.1 (superseded by RHSA2011:1496 bind-9.2.4-38.el4) Red Hat Enterprise Linux 5 (bind) RHSA-2009:0020 bind-9.3.4-6.0.3.P1.el5_2 (superseded by RHSA-2011:1458 bind-9.3.6-16.P1.el5_7.1)

ISC BIND Dynamic Update Denial of Service Vulnerability (QID 15055) CVE-2009-0696, BIND Dynamic Update DoS, Bugtraq ID 35848 The Berkeley Internet Name Domain (BIND) is a Domain Name System (DNS) implementation from Internet Systems Consortium (ISC). BIND is prone to a denial of service vulnerability which can cause it to crash when processing a specially-crafted dynamic update packet. Attackers require the RNDC (Remote Name Daemon Control) key to exploit this issue. Successful exploitation of this vulnerability allows a remote, unauthenticated attacker to launch a denial of service by causing BIND to crash. Versions prior to BIND 9.4.3-P3, 9.5.1-P3, and 9.6.1-P3 are vulnerable. Install vendor update or upgrade BIND to one of 9.4.3-P3, 9.5.1-P3 or 9.6.1-P1 to resolve this vulnerability. The updates are available at the ISC BIND Download site. For Red Hat (CVE-2009-0696): Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 80

Red Hat Enterprise Linux 3 RHSA-2009:1181 bind-9.2.4-25 Red Hat Enterprise Linux 4 RHSA-2009:1180 bind-9.2.4-30.el4_8.4 (superseded by RHSA2011:1496 bind-9.2.4-38.el4) Red Hat Enterprise Linux 5 RHSA-2009:1179 bind-9.3.4-10.P1.el5_3.3 (superseded by RHSA2011:1458 bind-9.3.6-16.P1.el5_7.1)

For Solaris (CVE-2009-0696): SUNALERT:264828, SUNALERT:1020788 Workaround: Some sites may have firewalls that can be configured with packet filtering techniques to prevent "nsupdate" messages from reaching their nameservers. This vulnerability is confirmed by "SUNWbind is installed, 119783-12 is missing." This is the correct patch number for SPARC Platform Solaris 10.

Caucho Resin Vulnerabilities


Caucho Resin Data Handling Cross-Site Scripting (XSS) Vulnerability (QID 86890) CVE-2010-2032, Bugtraq ID 40251 Caucho Resin is a software product is a Web server and Java application server from Caucho Technology. Multiple vulnerabilities have been identified in Caucho Resin, which could be exploited to conduct crosssite scripting attacks. These issues are caused by input validation errors in the administrative interface when processing the "digest_username" and "digest_realm" parameters. These issues could be exploited by attackers to cause arbitrary scripting code to be executed by the user's browser in the security context of an affected Web site. Affected Products: Caucho Resin Versions 3.x Caucho Resin Versions 4.x

Successfully attack can cause arbitrary scripting code to be executed by the user's browser in the security context of an affected Web site. Vulnerable Versions: Caucho Technology Resin Professional 3.1.5 Workaround: Edit the source code to ensure that input is properly sanitized. This vulnerability is suggested by detecting "Resin/3.1.9". Unlike other cross-site scripting vulnerabilities, the vulnerability is not confirmed by exploiting the vulnerability. See the Bugtraq posting for a sample exploit.

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 81

Cisco Vulnerabilities
In many cases, the Cisco IOS version is not accurate enough to know if the device is vulnerable. Therefore, the first task is to log in and run a "show version" command. Record the version number. Use the version number to determine if the device is vulnerable. It is possible to limit the exposure of Cisco devices using access control lists (ACLs) to permit only known, trusted hosts to connect to the device. Caveat: ACLs that permit communication to ports from trusted IP addresses do not protect against vulnerabilities which do not require a TCP three-way handshake, since it is possible to spoof the IP address of the sender. Cisco Infrastructure Access Lists (iACLs) may be deployed to block traffic destined to network infrastructure. See the white paper "Protecting Your Core: Infrastructure Protection Access Control Lists" (registration required). A brief example appears in cisco-sa-20090325-ip. Receive ACLs (rACL) protect a device from harmful traffic before the traffic can impact the route processor. See the white paper GSR: Receive Access Control Lists (registration required). A brief example appears in cisco-sa-20090325-ip. Control Plane Policing (CoPP) can be used to block the affected features TCP traffic access to the device. See the white papers "Control Plane Policing Implementation Best Practices" and "Cisco IOS Software Releases 12.2 S - Control Plane Policing". A brief example appears in cisco-sa-20090325-ip. Cisco Transit Access Control Lists (TACL) may be deployed to block SSH traffic destined to network infrastructure. Further information can be found at the following location: http://www.cisco.com/en/US/customer/tech/tk648/tk361/technologies_white_paper09186a00801afc7 6.shtml (registration required) Cisco has provided the following example for how to use access control lists to restrict access to the HTTP server: ip http access-class <ACCESS-list number> access-list <ACCESS-list number> permit host <AUTHORIZED host 1> access-list <ACCESS-list number> permit host <AUTHORIZED host 2> ..... access-list <ACCESS-list number> deny any Additional mitigations that can be deployed on Cisco devices within the network are described in "Cisco Applied Mitigation Bulletin". General hardening information is at "Cisco Guide to Harden Cisco IOS Devices". How Qualys scans Cisco IOS devices is described at Configuration Scanning of Cisco IOS. SSH1 Session Key Retrieval Vulnerability (QID 38029) CVE-2001-0361, cisco-sa-20010627-ssh, Bugtraq ID 2344 Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 82

SSH Version 1 is the original implementation of the IETF specified SSH protocol. There are various implementations of the protocol produced by SSH Communications, Cisco Systems, and the OpenSSH project. There are currently two versions of the SSH 1 protocol available, Version 1.3 and Version 1.5. The problems described in this vulnerability apply to Version 1.5. However, Version 1.3 should also be suspect. RSA-PKCS1_1.5 is the RSA Public Key Exchange algorithm used by SSH.com's SSH1 package. Public key encryption is used between the client and the server during the authentication phase while a symmetric key is being established. All traffic passing between the client and the server is encrypted. In some implementations, the key exchange protocol used in the SSH 1 server may enable a malicious user to recover the key used for the encryption. The design of the key exchange protocol dictates that a new RSA host key should be regenerated once every hour. It is possible for a malicious user to sniff the traffic between the client and the server. When an SSH connection starts, the user can begin logging the encrypted traffic. Upon logging the encrypted session key between the two hosts, it's possible to launch a Bleichenbacher attack in parallel to the current session. By logging the packets exchanged during the initial key negotiation of the server, it's possible to capture crucial parts of the session key, which would greatly enhance the chances of decrypting the session key as an SSH client. The design of the SSH server allows a user to launch multiple simultaneous client connections, which coupled with the gathered parts and guessed parts of the key, could be exploited to use the fatal() function of the ssh1 daemon as an oracle to verify the encrypted session key. This vulnerability makes it possible for a malicious user to obtain the session key, and potentially decrypt sensitive traffic between the client and the server. CatOS 6.1(2.13), 6.2(0.111) and 6.3(0.7)PAN are patched. David A. Dittrich's Analysis of SSH crc32 compensation attack detector exploit says SSH-1.5-1.2.26 is vulnerable. SSH.com recommends that all users of the SSH1 protocol package upgrade to a revision using the SSH2 protocol with version 1 compatibility. SSH2 is available from the SSH Secure Shell Download Page (http://www.ssh.com/products/ssh/download.html). This vulnerability is confirmed by detecting "SSH-1.5-1.2.26". Cisco Secure ACS Management Interface (QID 38192) CVE-2003-0210, Bugtraq ID 5026 Cisco Secure ACS is an authentication, authorization, and accounting software package distributed by Cisco Systems. It is available for multiple operating systems. Note: Qualys will often report that the operating system could not be determined and then report the operating system when this vulnerability is reported. For example, "Windows 2000 SP 3-4, Apache/1.3.33 (Win32) mod_ssl/2.8.22 OpenSSL/0.9.7e". Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 83

Management Interfaces Accessible On Cisco Device Vulnerability (QID 38250) The target is determined to be a Cisco device, which uses protocols such as HTTP, TELNET, rlogin, FTP, and SNMP for configuration management. These services can be accessed publicly, and are an invitation for malicious users to break in. Malicious users can exploit this vulnerability to deploy a range of known attacks against accessible services. Brute force attacks such as password guessing and Denial Of Service are also possible. Consider taking the following precautionary measures: Disable services that are not needed. Consider putting access controls on these services. Access controls can be put together using the features in the device (if available) or using an external firewall. Use secure services like (HTTPS, SSH ) instead of HTTP or TELNET if possible. Do not use default passwords and replace them with hard to guess passwords. Change passwords frequently.

The port string mentioned with this vulnerability should identify the service in question. Recommendation use ACLs to restrict the hosts that talk SNMP with your system to a defined list of IP addresses (such as the HP OVO servers). See "Readable SNMP Information (QID 78030)" and "Readable SNMP Information (QID 78031)". 80/tcp http require strong authentication to the web server and enforce a password change policy. 23/tcp telnet if SSH is an option, use it instead of telnet. Configuring Secure Shell If SSH is not an option, consider ACLs. 22/tcp ssh Why does Qualys consider SSH on a Cisco device a vulnerability? There can be poor implementations of SSH (such as SSH v1, no password required, and no encryption required), but these are separate vulnerabilities. It is a tempting target, but SSH on a Cisco device should not be considered a vulnerability. Since Qualys was able to identify the port, we can assume that the service is installed and ACLs which would prevent access are not in place. Note: Qualys will often report that the operating system could not be determined and then report the operating system when this vulnerability is reported. For example, "Detected service http and os CISCO IOS VERSION 12.2(53)SE2". Cisco IOS Malformed SNMP Message-Handling Vulnerability (QID 38254) CVE-2002-0012, CVE-2002-0013, cisco-sa-20020212-snmp-msgs IOS is the router operating system maintained and distributed by Cisco Systems. Simple Network Management Protocol (SNMP) defines a standard mechanism for remote management and monitoring of devices in an Internet Protocol (IP) network. Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 84 Port 161/udp Service snmp

There are three fundamental categories of SNMP messages: "get" requests to request information, "set" requests which modify the configuration of the remote device, and "trap" messages which provide a notification or monitoring function. SNMP requests and traps are transported over User Datagram Protocol (UDP) and are received at the assigned destination port numbers 161 and 162, respectively. This vulnerability is the result of insufficient checking of SNMP messages as they are received and processed by an affected system. Malformed SNMP messages received by affected systems can cause various parsing and processing functions to fail, which results in a system crash and reload (or reboot) in most circumstances." The exploitation of this vulnerability could cause the device to crash, resulting in a denial of service condition. Cisco IOS 12.2(25)SEB4 (not vulnerable) Cisco IOS 12.2(31)SGA4 (not vulnerable) Cisco IOS 12.2(40)SE2 (not vulnerable) Cisco IOS 12.2(53)SE2 (not vulnerable) Linux 2.4-2.6 / Embedded Device / F5 Networks Big-IP

Note: Qualys does not refer to the Cisco response. Multiple Vulnerabilities in Cisco Secure ACS (QID 38306) cisco-sa-20040825-acs Cisco Secure Access Control Server for Windows (ACS Windows) and Cisco Secure Access Control Server Solution Engine (ACS Solution Engine) provide authentication, authorization, and accounting (AAA) services to network devices such as a network access server, Cisco PIX and a router. Multiple vulnerabilities were reported by Cisco for these products. These products are vulnerable: Versions 3.2(3) and earlier are vulnerable to CSCef05950 (registered customers only) and CSCed81716 (registered customers only). Version 3.2(2) build 15 is vulnerable to CSCeb60017 (registered customers only). Version 3.2 is vulnerable to CSCec90317 (registered customers only) and CSCec66913 (registered customers only).

CSCed81716 is only applicable to the ACS Solution Engine. Successfully authenticate to your ACS box to determine your software revision. After you perform the authentication, the first screen displays the current ACS version in this formatCiscoSecure ACS Release 3.2(3) Build 11. ACS versions may also be displayed as 003.002(003.011), where "011" is the build number referenced on the ACS graphical user interface (GUI). Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 85

Cisco Secure ACS for UNIX is not affected by these vulnerabilities. No other Cisco products are currently known to be affected by these vulnerabilities. Cisco IOS Telnet Service Remote Denial of Service Vulnerability (QID 38308) CVE-2004-1464, cisco-sa-20040827-telnet, Bugtraq ID 11060 Cisco devices use Telnet, RSH, SSH, and HTTP for remote management. Reverse telnet allows users to establish connections to other devices after connecting to one device through an asynchronous serial connection. The Cisco IOS telnet service is prone to a remote denial of service vulnerability. A malicious user can trigger this vulnerability by sending a specially-crafted TCP packet to a telnet or reverse telnet port of a Cisco device running IOS. If successful, this could result in a denial of service condition affecting telnet, reverse telnet, Remote Shell (RSH), Secure Shell (SSH), and HTTP services on the device. Reportedly, the affected device stops responding to further connection attempts for the vulnerable services after processing the specially-crafted TCP packet sent by the malicious user. Services that were established before the attack as well as other functionality of the device are not affected by this issue. Device management may still be carried out through SNMP. The malicious user must complete a full 3-way TCP handshake to successfully carry out this attack. This requirement increases the complexity of using a spoofed IP address. Cisco devices running IOS with a telnet or reverse telnet service are affected by this vulnerability. The telnet service employs TCP port 23, and Cisco devices running a reverse telnet server may employ ports in the ranges of 2001 to 2999, 3001 to 3099, 6001 to 6999, and 7001 to 7099. If successfully exploited, this vulnerability could result in a denial of service condition affecting telnet, reverse telnet, Remote Shell (RSH), Secure Shell (SSH), and HTTP services on the device. The vulnerability matrix in the security advisory "Cisco Security Advisory: Cisco Telnet Denial of Service Vulnerability " (cisco-sa-20040827-telnet) explains which versions are vulnerable. When Qualys detects that the operating system is "Cisco IOS 11-15," it is reported as "confirmed vulnerable". However, this is too vague to be confirmed vulnerable; many Cisco IOS versions in this range are not vulnerable. It should be "potentially vulnerable" and more accurate version information will be required to determine if the system is vulnerable. When Qualys detects that the operating system is "Cisco IOS Version 12.2(25)SEB4", it is reported as "confirmed vulnerable." This is not correct. "12.2(25)SEB4" is a version with the fix. When Qualys does not report a detected operating system, this is reported as a "potential vulnerability."

As a workaround, Cisco recommends that users disable telnet in support of SSH. More information on enabling SSH in a Cisco device can be obtained from the following Cisco article: Configuring Secure Shell.

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 86

Telnet service may be disabled by configuring the following VTY lines on a device: Router(config) line vty 0 4 Router(config-line) transport input ssh Cisco also recommends creating a VTY access class to limit access to the device. More information can be obtained from the following location: VTY configuration page. Additionally, all telnet traffic may be blocked from entering the network by configuring Interface Access Lists. More information may be found in the referenced Cisco advisory. Cisco IOS 11-15 Cisco IOS 12.1-12.2 Cisco IOS 12.2(18)SXF6 (not vulnerable) Cisco IOS 12.2(25)SEB4 (not vulnerable) Cisco IOS 12.2(31)SGA4 (not vulnerable) Cisco IOS 12.3(20) (not vulnerable) Cisco IOS 12.4(25a) (not vulnerable)

Note: Qualys will often report that the operating system could not be determined and then report the operating system when this vulnerability is reported. For example, "Detected service telnet and os CISCO IOS VERSION 12.2(25)SEB4". Cisco IOS Firewall Authentication Proxy for FTP and Telnet Sessions Buffer Overflow (QID 38471) CVE-2005-2841, cisco-sa-20050907-auth_proxy, Bugtraq ID 14770 The Cisco IOS Firewall Authentication Proxy for FTP and/or Telnet Sessions feature in specific versions of Cisco IOS software is vulnerable to a remotely-exploitable buffer overflow condition. Devices that do not support or are not configured for Firewall Authentication Proxy for FTP and/or Telnet Services are not affected. Devices configured with only Authentication Proxy for HTTP and/or HTTPS are not affected. Devices that are running the following release trains of Cisco IOS are affected if Firewall Authentication Proxy for FTP and/or Telnet Sessions is configured and applied to an active interface. 12.2SG, 12.2SEC, 12.2SXF, 12.2SH, 12.2ZF and 12.2ZL based trains 12.3 based trains 12.3T based trains 12.4 based trains 12.4T based trains

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 87

This vulnerability may be exploited to cause a denial of service condition and/or to execute arbitrary code. Refer to this Cisco security advisory (document ID 66269) for more information on this vulnerability and the patch that addresses this issue. This vulnerability is suggested by "Detected service telnet and os CISCO IOS 12.1-12.2", "Detected service telnet and os CISCO IOS VERSION 12.2(31)SGA4", "Detected service telnet and os CISCO IOS VERSION 12.2(40)SE2" and "Detected service telnet and os CISCO IOS VERSION 12.2(53)SE2". Cisco IOS 12.2(31)SGA4 (not vulnerable) Cisco IOS 12.2(40)SE2 (not vulnerable) Cisco IOS 12.2(53)SE2 (not vulnerable)

Cisco Secure ACS Authentication Bypass Vulnerability (QID 38550) CVE-2006-3226, cisco-sr-20060623-acs, Bugtraq ID 18621 Cisco Secure ACS (Access Control Server) is an authentication, authorization, and accounting software package distributed by Cisco Systems. Cisco Secure ACS is exposed to an authentication bypass issue because it fails to authenticate Webbased users. This issue allows remote attackers to gain administrative access to the Web-based administrative interface of the affected application. See cisco-sr-20060623-acs for workarounds and upgrade information. Cisco Secure ACS for Unix (CSU) Version 2.3.6, Cisco Secure ACS for Windows (ACS) Versions 4.x, and Cisco Secure ACS Solution Engine (ACSE) Versions 4.x and are affected. Windows 2000 SP 3-4 Windows 2000 SP 3-4, Apache/1.3.33 (Win32) mod_ssl/2.8.22 OpenSSL/0.9.7e

Cisco IOS HTTP %% Vulnerability (QID 43003) CVE-2000-0380, ioshttpserverquery-pub, Bugtraq ID 1154 Cisco IOS Versions 11.3 and 12.0 contain a denial of service vulnerability on a variety of different router hardware. If the router is configured to have a Web server running (for configuration or other information) via an "ip http server" command, or in the configuration by requesting http://<ROUTER-ip>/%% , then a malicious user can cause the router to crash. Some routers will automatically reboot, while other routers will require a power cycling to start routing packets again.

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 88

Workaround: Disable the Web server on the router. The Web server can be disabled by running the following command while in global configuration mode: no ip http server Workaround: Add ACL's to prevent access to this port, except for specific hosts. This vulnerability is suggested by detecting "Cisco HTTP Server" or "cisco-IOS". Cisco IOS 11-15 Cisco IOS 12.1-12.2 Cisco IOS 12.2(25)SEB4 (not vulnerable) Cisco IOS 12.2(31)SGA4 (not vulnerable) Cisco IOS 12.2(40)SE2 (not vulnerable) Cisco IOS 12.2(53)SE2 (not vulnerable)

Cisco Router Online Help Vulnerability (QID 43004) CVE-2000-0345, Bugtraq ID 1161 It seems that you have hardware with Cisco IOS Versions 11.2 or 12.0. If this is not the case, then you can safely ignore this warning. Multiple Cisco routers (under certain revisions of IOS) leak privileged information through their online help systems. In essence, this vulnerability allows users with access to the router at a low privilege level (users without access to the 'enable' password) to be able to view information through the help system that should only be available to 'enabled' users. Among other things, the information leaked includes access lists. The help system does not list these items as being available via the 'show' commands; however, it still executes them. By exploiting this vulnerability, a malicious user can gather sensitive information about your network, which may assist in further attacks. Cisco IOS 11-15 Cisco IOS 12.2(25)SEB4 (not vulnerable) Cisco IOS 12.2(53)SE2 (not vulnerable)

Cisco Router/Switch Default Password Vulnerability (QID 43021) CVE-1999-0508 Some Cisco routers/switches come with a default NULL password or unset password. If the password is not changed, remote users can access sensitive information about the device. Also, it's possible for configuration changes to be made, leading to a full compromise. By exploiting this vulnerability, your device can be fully compromised and sensitive information can be obtained by a remote attacker Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 89

Please change your router/switch password immediately. Check Cisco's Web site (http://www.cisco.com) for further information. This vulnerability is confirmed using the Username <BLANK> and password "cisco" to run a "show version" command. Cisco Catalyst IOS 12.1(22)EA4 Cisco IOS 11-15 Cisco IOS 12.2(25)SEB4

Cisco IOS Malformed IPV4 Packet Denial of Service Vulnerability (QID 43051) CVE-2003-0567, cisco-sa-20030717-blocked, Bugtraq ID 8211 A denial of service vulnerability has been reported to exist in all hardware platforms that run Cisco IOS Versions 11.x through 12.2 in an IPV4 network environment. Appliances in an IPV6 only environment are reported to be not vulnerable. This issue may be triggered by IPV4 packets with specially crafted headers. The issue presents itself when the affected device handles a malicious sequence of IPV4 packets, which are designed in a manner sufficient to trigger the vulnerability. When the affected device handles this sequence, the device may incorrectly flag the input queue on an interface as full. This will have the effect of causing a denial of service, as the device is no longer able to service legitimate requests. It is reportedly possible to trigger this condition with a small number of spoofed packets. A power cycling of the affected device is required to regain normal functionality. As a result of this vulnerability being exploited, the device will not be able to service legitimate requests. A power cycling of the affected device is required to regain normal functionality. As a workaround, the vendor recommends that all IOS devices that process IPv4 traffic should be configured in a manner sufficient to block traffic directed to the router from all unauthorized sources. This may be achieved with the use of Access Control Lists (ACLs). Protocol Reference: Port Protocol 53 SWIPE 55 IP Mobility 77 Sun ND 103 Protocol Independent Multicast PIM Protocols supported: 53 55 77 The vulnerability matrix in the Cisco Security Advisory (cisco-sa-20030717-blocked) explains which versions are vulnerable. "Cisco IOS 11-15" is insufficient to determine if the device is vulnerable. Cisco IOS 11-15 Page 90

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Cisco Catalyst IOS 12.1(22)EA4 (not vulnerable) Cisco IOS 12.2(18)SXF6 (not vulnerable) Cisco IOS 12.2(25)SEB4 (not vulnerable) Cisco IOS 12.2(53)SE2 (not vulnerable)

Cisco IOS 2GB HTTP GET Buffer Overflow Vulnerability (QID 43054) CVE-2003-0647, cisco-030730-ios-2gb-get, Bugtraq ID 8373 The HTTP server on Cisco IOS devices is prone to a buffer overrun that can be triggered by sending 2GB of data. Such a request will cause memory on the device to be corrupted with data from the request. This issue may be exploited only if the HTTP server is enabled. This vulnerability may be exploited to execute arbitrary code on a vulnerable device or cause a denial of services. The vulnerability matrix in the Cisco Security Advisory (cisco-030730-ios-2gb-get) explains which versions are vulnerable. This vulnerability cannot be considered "confirmed" when the http service is detected and os is "CISCO IOS 11-15". 12.1(20)E (2003-Sep-29) and 12.2(19) (2003-Aug-25) or later are remediated. Cisco IOS 11-15 Cisco IOS 12.1-12.2 Cisco Catalyst IOS 12.1(22)EA4 (not vulnerable) Cisco IOS 12.2(25)SEB4 (not vulnerable) Cisco IOS 12.2(31)SGA4 (not vulnerable) Cisco IOS 12.2(40)SE2 (not vulnerable) Cisco IOS 12.2(53)SE2 (not vulnerable)

Cisco Internet Operating System SNMP Message Processing Denial of Service Vulnerability (QID 43056) CVE-2004-0714, cisco-sa-20040420-snmp, Bugtraq ID 10186 It has been reported that the Cisco Internet Operating System (IOS) is affected by a remote SNMP message processing denial of service vulnerability. This is caused by a design error that causes memory corruption in the affected system under certain circumstances. The problem presents itself when the affected system attempts to process solicited SNMP messages received on UDP port 161, 162 or a random port between 49152 and 59152 (and potentially greater than 59152). Under some circumstances, the affected device can experience memory corruption and reload, denying service to legitimate users. Though memory corruption is involved, it is not known whether code execution is possible. This issue may be leveraged to cause a denial of service condition on the affected device.

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 91

Messages using the SNMP version 1 and 2 protocols may mitigate this issue through the use of community strings and community string ACLs. For SNMP version 3, any solicited message will trigger the condition. Cisco Internetwork Operating System (IOS) Software release trains 12.0S, 12.1E, 12.2, 12.2S, 12.3, 12.3B and 12.3T may contain a vulnerability in processing SNMP requests which, if exploited, could cause the device to reload. Cisco has released upgraded software that corrects this issue. Check Cisco Security Advisory cisco-sa-20040420-snmp for details. The following workarounds have been suggested by the vendor. For more information and details on implementing the workarounds, please see the referenced advisory. 1. 2. 3. 4. 5. Disable SNMP on devices running the vulnerable operating system. Access control lists (ACLs) should be used to deny traffic to the vulnerable ports. Block individual ports on affected devices. Implement Receive ACLs (rACLs). Implement Infrastructure ACLs (iACLs).

Why this vulnerability is suggested was not disclosed. Cisco IOS 12.2(25)SEB4 (not vulnerable) Cisco IOS 12.2(31)SGA4 (not vulnerable) Cisco IOS 12.2(40)SE2 (not vulnerable) Cisco IOS 12.2(53)SE2 (not vulnerable)

Note: Qualys indicates "This has not been confirmed by Cisco", but offers the vendor's patch and workarounds. Qualys does not indicate which versions are affected. Cisco VPN 3000 Concentrator Denial of Service Vulnerability (QID 43077) CVE-2006-0483, cisco-sa-20060126-vpn, Bugtraq ID 16394 Cisco VPN 3000 Concentrator is vulnerable to a denial of service attack. When an unauthenticated remote user connects to the device's Web interface (TCP port 443 over SSL) and sends specially crafted HTTP requests, the device crashes with a loss of all established VPN connections. The device automatically restarts itself in approximately one minute. This vulnerability can be exploited by an unauthenticated remote attacker to cause a denial of service condition. Note: It appears that whenever Qualys detects "Cisco VPN 3000 Concentrator" it will report this potential vulnerability. Cisco IOS System Timers Heap Buffer Overflow Vulnerability (QID 43094) CVE-2005-3481, cisco-sa-20051102-timers, Bugtraq ID 15275

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 92

Cisco IOS is prone to heap-based buffer overflow exploitation. Cisco has released an advisory (cisco-sa20051102-timers) stating that IOS upgrades are available to address the possibility of exploitation of heap-based buffer overflow vulnerabilities. In the referenced advisory, Cisco describes countermeasures they have implemented in IOS. The specific countermeasures against heap-based buffer overflows include integrity checks for system timers. Successful exploitation of heap-based buffer overflow vulnerabilities could completely compromise devices running affected versions of Cisco IOS. The vulnerability matrix in the Cisco Security Advisory (cisco-sa-20051102-timers) explains which versions are vulnerable. The detected version (Cisco IOS Version 12.1(22)EA4) is the Rebuild version which includes this fix. Cisco Catalyst IOS 12.1(22)EA4 (not vulnerable)

Cisco IOS Secure Shell Server Memory Leak Denial of Service Vulnerability (QID 43098) CVE-2005-1021, cisco-sa-20050406-ssh, Bugtraq ID 13042 A denial of service vulnerability has been reported in the Cisco IOS Secure Shell Server implementation. This issue is exposed when the IOS device attempts to authenticate clients against a TACACS+ server through SSHv1/SSHv2. This condition is the result of a memory leak that may be triggered by remote clients under some circumstances. This condition occurs when a client attempts to authenticate with an invalid username/password. Cisco has indicated that with SSHv2 this could occur even if a client had already successfully authenticated with the username/password. This vulnerability could cause Transmission Control Blocks (TCBs) in the CLOSEWAIT state with foreign TCP port 49 (representing a connection to the TACACS+ server) to persist. Each of these connections is a memory leak. If the memory leak is triggered repeatedly, this could exhaust resources on the device, resulting in a reload of the device and persistent denial of service. This issue is not present when authentication is performed through a RADIUS server or local user database. The vulnerability matrix in the Cisco Security Advisory (cisco-sa-20050406-ssh) explains which versions are vulnerable. Cisco IOS Version 11-15 Cisco IOS Version 11.3-12.4 Cisco IOS Version 12.1-12.2 Cisco IOS Version 12.2(18)SXD (not vulnerable) Cisco IOS Version 12.2(18)SXF6 (not vulnerable) Cisco IOS Version 12.2(25)SE (not vulnerable). Cisco IOS Version 12.2(31)SGA4 (not vulnerable) Cisco IOS Version 12.3(20) (not vulnerable) Page 93

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Cisco IOS Version 12.4(25a) (not vulnerable)

Note: Qualys will often report that the operating system could not be determined and then report the operating system when this vulnerability is reported. For example, "Detected service ssh and os CISCO IOS 12.1-12.2". Cisco IOS EIGRP Announcement ARP Denial of Service Vulnerability (QID 43100) CVE-2002-2208, Cisco Response 29600, cisco-sr-20051220-eigrp, CSCsc15285, Bugtraq ID 6443 A problem in IOS may make it possible for users to deny service to legitimate users of network resources. A vulnerability has been reported in the handling of Enhanced Interior Gateway Routing Protocol (EIGRP), Cisco's proprietary version of IGRP. EIGRP works by routers announcing their presence via multicast. When router discovery occurs, routers exchange network information via unicast transfer. A system sending spoofed EIGRP announcements may cause a denial of service to all routers and systems on a given network segment. Due to improper limits in the attempt to discover routers, a neighbor announcement received by routers on a given network segment will result in an address resolution protocol (ARP) storm, filling network capacity while routers attempt to contact the announcing neighbor. Additionally, resources on the router such as CPU will also become bound while the router attempts to reach the announcing neighbor. It should be noted that it is also possible to exploit this vulnerability on systems that accept EIGRP announcements via unicast. This vulnerability can make it possible for an attacker on a network to deny service to the local network segment, as well as bordering network segments. Workaround: Apply MD5 authentication that will permit the receipt of EIGRP packets only from authorized hosts. You can find an example of how to configure MD5 authentication for EIGRP here. Workaround: If you are using EIGRP in the unicast mode then you can mitigate this issue by placing appropriate ACL which will block all EIGRP packets from illegitimate hosts. A later bulletin (cisco-sr-20051220-eigrp) suggests that that the workarounds are the only advice Cisco offers. This vulnerability is suggested by detecting "OS Version: Cisco IOS Version 12.2(25)SEB4", "OS Version: Cisco IOS Version 12.2(31)SGA4", "OS Version: Cisco IOS Version 12.2(40)SE2" or "OS Version: Cisco IOS Version 12.2(53)SE2". Cisco Catalyst IOS 12.1(22)EA4 Cisco IOS 12.2(25)SEB4 Cisco IOS 12.2(31)SGA4 Cisco IOS 12.2(40)SE2 Cisco IOS 12.2(53)SE2

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 94

Cisco IOS ICMP Redirect Routing Table Modification Vulnerability (QID 43101) CVE-2003-1398, 40720, Bugtraq ID 6823 It has been reported that it is possible to make arbitrary remote modifications to the Cisco IOS routing table. If IP routing is disabled on a vulnerable router, the router will accept malicious ICMP redirect packets and modify its routing table accordingly. ICMP redirect messages are normally sent to indicate inefficient routing, a new route or a routing change. This vulnerability requires that IP routing be explicitly disabled on the system using an affected version of Cisco IOS, thus making the router a host on the network. An attacker may specify a default gateway on the local network that does not exist, and this would effectively deny service to any destination that is outside the local subnet. An attacker may also intercept network data by making routing table modifications to redirect network communications through the attacker's machine. Cisco Catalyst IOS 12.1(22)EA4 (not vulnerable) Cisco IOS 12.2(25)SEB4 (not vulnerable) Cisco IOS 12.2(31)SGA4 (not vulnerable) Cisco IOS 12.2(40)SE2 (not vulnerable) Cisco IOS 12.2(53)SE2 (not vulnerable)

Cisco IOS Service Assurance Agent Malformed Packet Denial of Service Vulnerability (QID 43102) CVE-2003-0305, cisco-sa-20030515-saa, Bugtraq ID 7607 A problem in Cisco routers could lead to availability and reliability issues. It has been reported that Cisco IOS is vulnerable to an issue in handling Service Assurance Agent (SAA, previously called Response Time Reporter, or RTR) packets. Because of this, a remote user may be able to cause the router to become unstable and crash. The Service Assurance Agent (SAA) is a configurable network monitoring tool. It works by sending ICMP packets from one host to another, and recording the results in a Management Information Base (MIB) that is reachable via SNMP. It can also be configured to generate SNMP traps on specific events. When a malformed RTR packet is sent to a router using the service, the router becomes unstable. It has been reported that the malformed packet can reliably cause the router to crash. This could lead to a denial of service to legitimate users of network resources, and could potentially be prolonged to act as an extended denial of service. Due to the design of the ICMP protocol, this vulnerability could be exploited anonymously using forged packet headers. Note: The Service Assurance Agent feature is not enabled by default, and systems not using this feature are not vulnerable.

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 95

The vulnerability matrix in the Cisco Security Advisory (cisco-sa-20030515-saa) explains which versions are vulnerable. Cisco Catalyst IOS 12.1(22)EA4 (not vulnerable)

Cisco VPN 3000 Concentrator Malformed HTTP Packet Remote Denial of Service Vulnerability (QID 43106) CVE-2006-0483, cisco-sa-20060126-vpn, Bugtraq ID 16394 Cisco VPN 3000 Concentrator products provide Virtual Private Network (VPN) services to remote users. Cisco VPN 3000 Concentrator is prone to a remote denial of service vulnerability. This issue presents itself when a vulnerable device handles a specially-crafted HTTP packet. A successful attack can cause the device to restart. A persistent denial of service condition can be caused by repeated attacks. It should be noted that vulnerable devices are not affected by transit traffic. Affected Versions: Cisco VPN 3000 series concentrator software Versions 4.7.0 through 4.7.2.A

Cisco advisory 68869 (cisco-sa-20060126-vpn) provides a fix. Refer to this advisory for upgrades and further information. Cisco fixes may be obtained by customers through the regular update channels. Note: It appears that whenever Qualys detects "Cisco VPN 3000 Concentrator" it will report this potential vulnerability. Cisco Internet Key Exchange (IKE) Denial of Service Vulnerability (QID 43116) CVE-2006-3906, cisco-sr-20060726-ike, Bugtraq ID 19176 Cisco Internet Key Exchange (IKE) is exposed to a denial of service issue. This issue affects devices implementing IKE Version 1, and is due to resource exhaustion when handling a high rate of IKE requests. An attack of 10 packets per second at 122 bytes each is sufficient to cause denial of service conditions. Cisco is tracking these issues with the following Bug IDs: CSCse70811 for Cisco IOS software CSCse89808 for Cisco VPN 3000 Concentrators CSCsb51032 for Cisco PIX firewalls

A successful attack may lead to denial of service to legitimate users. Cisco IOS 11-15 Cisco IOS 12.4(25a) Page 96

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Multiple Cisco IOS TCP/IP Vulnerabilities (QID 43128) CVE-2007-0480, cisco-sa-20070124-crafted-ip-option, cisco-sa-20070124-crafted-tcp, Bugtraq ID 22211 Remotely exploitable TCP/IP vulnerabilities exist in Cisco routers and switches running Cisco IOS and Cisco IOS XR software of particular versions. The vulnerabilities may be exploited after processing specially crafted IP or TCP packets. Successful exploitation of these vulnerabilities could result in a denial of service condition, or allow for arbitrary code execution. Workaround: In networks where IPv4 is not needed but enabled, disabling IPv4 processing on an IOS device will eliminate exposure to these vulnerabilities. The vulnerability matrix in the Cisco Security Advisory (advisory) explains which versions are vulnerable. Cisco Catalyst IOS 12.1(22)EA4 (vulnerable) Cisco IOS Version 12.1(22)EA8 (or later) is required.

Cisco IOS and Unified Communications Manager Multiple Voice Vulnerabilities (QID 43131) CVE-2007-4294, cisco-sa-20070808-IOS-voice, Bugtraq ID 25239 Cisco IOS and Cisco Unified Communications Manager are vulnerable to multiple denial of service and code execution issues. These issues arise because the application fails to handle malformed SIP packets. These vulnerabilities affect devices running Cisco IOS that have voice services enabled. The successful exploitation of these vulnerabilities could lead to a denial of service condition or the execution of arbitrary code on a vulnerable device. The vulnerability matrix in the Cisco Security Advisory (cisco-sa-20070808-IOS-voice) explains which versions are vulnerable. Cisco Catalyst IOS 12.1(22)EA4 (vulnerable) Cisco IOS Version 12.1(22)EA10 (or later) is required.

Cisco IOS TCP Listener Memory Leak Can Cause Denial of Service (QID 43133) CVE-2007-0479, cisco-sa-20070124-crafted-tcp, Bugtraq ID 22208 Cisco IOS is vulnerable to a denial of service issue. The vulnerability exists in the Transmission Control Protocol (TCP) listener of the Cisco IOS. Successful exploitation of this vulnerability could result in a denial of service condition. The vulnerability matrix in the Cisco Security Advisory (cisco-sa-20070124-crafted-tcp) explains which versions are vulnerable. Cisco IOS Versions 12.1(22)EA8 (or later) and 12.2(25)SEE1 (or later) are not vulnerable. Cisco Catalyst IOS 12.1(22)EA4 (vulnerable) Cisco IOS 12.2(25)SEB4 (vulnerable)

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 97

Cisco IOS Multicast Virtual Private Network (MVPN) Data Leak Vulnerability (QID 43135) CVE-2008-1156, cisco-sa-20080326-mvpn MVPN architecture introduces an additional set of protocols and procedures that help enable a service provider to support multicast traffic in an MPLS VPN. A vulnerability exists in the implementation of MVPN. An attacker can exploit this issue by knowing or guessing the Border Gateway Protocol (BGP) peering IP address of a remote PE router and the address of the multicast group that is used in other MPLS VPNs. This vulnerability allows an attacker to send specially crafted Multicast Distribution Tree (MDT) Data Join messages which can be sent in unicast or multicast. These messages can cause the creation of extra multicast states on the core routers. The vulnerability can also allow leaking of multicast traffic from different MPLS VPNs. It is possible to receive multicast traffic from VPNs that are not connected to the same Provider Edge (PE) router. The vulnerability matrix in the Cisco Security Advisory (cisco-sa-20080326-mvpn) explains which versions are vulnerable. Cisco IOS Version 12.2SEE (or later) is not vulnerable. Cisco IOS 12.2(25)SEB4 (vulnerable)

Cisco IOS SSL Packets Multiple Vulnerabilities (QID 43139) CVE-2007-2813, cisco-sa-20070522-SSL, Bugtraq ID 24097 Multiple vulnerabilities exist in the implementation of SSL packets which lie in the processing of ClientHello, ChangeCipherSpec and Finished messages. In order to trigger these vulnerabilities, a malicious client must send malformed packets during the SSL protocol exchange with the vulnerable device. Successful exploitation of these vulnerabilities may lead to a sustained denial of service. The vulnerability matrix in the Cisco Security Advisory (cisco-sa-20070522-SSL) explains which versions are vulnerable. Cisco IOS Versions 12.1(22)EA9 (or later) and 12.2(25)SEE3 (or later) are not vulnerable. Cisco Catalyst IOS 12.1(22)EA4 (vulnerable) Cisco IOS 12.2(25)SEB4 (vulnerable)

Cisco IOS GRE Decapsulation Vulnerability (QID 43140) CVE-2006-4650, cisco-sr-20060906-gre Cisco IOS is exposed to a vulnerability which can be exploited by malicious people to bypass certain security restrictions. This vulnerability is due to an error within the handling of GRE packets with source routing information because the offset field is not verified before being used to decapsulate a packet. The vulnerability affects Cisco IOS 12.0, 12.1, and 12.2 based trains when configured with GRE IP or GRE IP multipoint tunnels.

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 98

This vulnerability can be exploited to bypass certain security restrictions. Cisco Catalyst IOS 12.1(22)EA4 Cisco IOS 12.2(25)SEB4 Cisco IOS 12.2(53)SE2

Cisco IOS Software Multiple Multicast Vulnerabilities (QID 43146) CVE-2008-3808, CVE-2008-3809, cisco-sa-20080924-multicast Two crafted Protocol Independent Multicast (PIM) packet vulnerabilities exist in Cisco IOS Software. Devices that run Cisco IOS Software and are configured for PIM are affected by these issues. Successful exploitation may cause a reload of the affected device. Repeated exploitation could result in a sustained denial of service condition. The vulnerability matrix in the Cisco Security Advisory (cisco-sa-20080924-multicast) explains which versions are vulnerable. Cisco IOS Versions 12.1(22)EA10 (or later) and 12.2SEE (or later) are not vulnerable. Cisco Catalyst IOS 12.1(22)EA4 (vulnerable) Cisco IOS 12.2(25)SEB4 (vulnerable)

Cisco IOS MPLS VPN May Leak Information (QID 43150) CVE-2008-3803, cisco-sa-20080924-vpn Devices running Cisco IOS versions 12.0S, 12.2, 12.3 or 12.4 and configured for Multiprotocol Label Switching (MPLS) Virtual Private Networks (VPNs) or VPN Routing and Forwarding Lite (VRF Lite) and using Border Gateway Protocol (BGP) between Customer Edge (CE) and Provider Edge (PE) devices may permit information to propagate between VPNs. This issue is triggered by a logic error when processing extended communities on the PE device and cannot be deterministically exploited by an attacker. The vulnerability matrix in the Cisco Security Advisory (cisco-sa-20080924-vpn) explains which versions are vulnerable. Cisco IOS Version 12.2(31)SGA8 (or later) is not vulnerable. Cisco IOS 12.2(31)SGA4 (vulnerable)

Cisco IOS Multiple Cross-Site Scripting Vulnerabilities (QID 43151) CVE-2008-3821, CVE-2009-0470, CVE-2009-0471, cisco-sr-20090114-http, Bugtraq IDs 33625, 33620 Cisco IOS (Internetwork Operating System) is the software used on Cisco Systems routers, firewall and switches. The Cisco IOS HTTP server is vulnerable to the following cross-site scripting issues and a cross-site request forgery (CSRF) issue:

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 99

The Cisco IOS HTTP server fails to sanitize special characters in the URL string sent to an unspecified parameter allowing an attacker to inject arbitrary web script or HTML (CVE-20083821). This vulnerability is documented in the Cisco bug IDs: CSCsi13344 and CSCsx49573. The Cisco IOS HTTP server fails to sanitize special characters in the URL string sent via the ping parameter allowing an attacker to inject arbitrary web script or HTML (CVE-2008-3821). This vulnerability is documented in the Cisco bug ID: CSCsr72301. A cross-site scripting vulnerability in the Cisco IOS HTTP server allows an attacker to inject arbitrary web script or HTML via the PATH_INFO to the default URI under "level/15/exec/-/" or "exec/" (CVE-2009-0470) This vulnerability is documented in the Cisco bug ID: CSCsv05154. The Cisco IOS HTTP server enabled with HTTP based IOS EXEC Server is vulnerable to cross-site request forgery attack that allows arbitrary code execution via the hostname command with a "level/15/configure/-/hostname" request (CVE-2009-0471). This vulnerability is documented in the Cisco bug ID: CSCsv05154.

Affected Systems: All Cisco products that run Cisco IOS Software Versions 11.0 through 12.4 with the HTTP server enabled for HTTP-based IOS EXEC Server. Successful exploitation of these vulnerabilities may allow malicious users to execute commands on the device through the Web interface under the privileges of an already logged-in user. An attacker can steal cookie-based authentication credentials which may aid in further attacks. Workarounds: If the device does not act as a web server, disable the HTTP Server. The server can be disabled by issuing the following commands in configure mode: no ip http server no ip http secure-server If an installation does not require the use of the HTTP WEB_EXEC Service, disable it via the following commands in configure mode: no ip http active-session-modules WEB_EXEC no ip http secure-active-session-modules WEB_EXEC Allow only trusted hosts to access the HTTP server by applying access lists to the server. Filter malicious characters and character sequences in a proxy.

There is no vendor supplied patch available at this time. However, Cisco is currently patching the Cisco bug IDs into Cisco IOS software. Information on the latest versions with fixed releases can be found at Cisco Bug Toolkit (account required). Refer to the vendor advisory Cisco IOS Cross-Site Scripting Vulnerabilities (cisco-sr-20090114-http) to obtain additional information. This vulnerability is "Detected on TCP port 80." Cisco IOS 11-15 Page 100

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Cisco IOS 12.1-12.2 Cisco IOS 12.2(25)SEB4 Cisco IOS 12.2(31)SGA4 Cisco IOS 12.2(40)SE2 Cisco IOS 12.2(53)SE2

Cisco IOS Software Multiple Features IP Sockets Vulnerability (QID 43153) CVE-2009-0630, cisco-sa-20090325-ip A vulnerability exists in the handling of IP sockets that can cause devices to be vulnerable to a denial of service attack when any of the following features of Cisco IOS Software and Cisco IOS XE Software are enabled: Cisco Unified Communications Manager Express SIP Gateway Signaling Support Over Transport Layer Security (TLS) Transport Secure Signaling and Media Encryption Blocks Extensible Exchange Protocol (BEEP) Network Admission Control HTTP Authentication Proxy Per-user URL Redirect for EAPoUDP, Dot1x, and MAC Authentication Bypass Distributed Director with HTTP Redirects DNS (TCP mode only)

This vulnerability can be exploited by a remote attacker by sending specially-crafted TCP/IP packets to multiple TCP ports to prevent accepting new connections or sessions, exhaust memory, cause high CPU load, or to cause a reload of an affected device. For successful exploitation of this vulnerability, the TCP three-way handshake must be completed to the associated TCP port number for any of the features listed above. Successful exploitation of the vulnerability may result in the any of the following occurring: The configured feature may stop accepting new connections or sessions. The memory of the device may be consumed. The device may experience prolonged high CPU utilization. The device may reload.

Workarounds: Use Infrastructure Access Control Lists (iACLs) to block traffic at the border of networks. Use Receive ACL (rACL) to protect the device from harmful traffic before the traffic can impact the route processor. Receive ACLs are designed to only protect the device on which it is configured. Control Plane Policing (CoPP) can be used to block the affected features TCP traffic access to the device. Page 101

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Further information and examples on configuring iACLs, rACLs and CoPP can be found at the advisory cisco-sa-20090325-ip. The vulnerability matrix in the Cisco Security Advisory (cisco-sa-20090325-ip) explains which versions are vulnerable. Cisco IOS Versions 12.1(22)EA13 (or later), 12.2SEE (or later) and 12.2(31)SGA9 (or later) are not vulnerable. Cisco Catalyst IOS 12.1(22)EA4 (vulnerable) Cisco IOS 12.2(25)SEB4 (vulnerable) Cisco IOS 12.2(31)SGA4 (vulnerable) Cisco IOS 12.2(40)SE2 (vulnerable)

Cisco IOS Software Multiple Features Crafted UDP Packet Vulnerability (QID 43155) CVE-2009-0631, cisco-sa-20090325-udp Cisco IOS Software is affected by a denial of service vulnerability when multiple features of Cisco IOS software are enabled. The vulnerability is caused due to an error in the way that Cisco IOS handles UDP packets, which can be exploited to block an interface of an affected device by sending a specially crafted UDP packets. Devices running Cisco IOS and Cisco IOS XE with any of the following features are affected: IP Service Level Agreements (SLA) Responder Session Initiation Protocol (SIP) Media Gateway Control Protocol (MGCP)

Successful exploitation of this vulnerability allows attackers to block an interface on the device, silently dropping any received traffic, which results in denial of service. Workarounds: 1. Disable affected listening ports. Once disabled, confirm that the listening UDP port has been closed by entering the CLI command "show udp" or "show ip socket". Note: When applying this workaround to devices that are processing MGCP or H.323 calls, the device will not allow stopping SIP processing while active calls are being processed. 2. Use Infrastructure Access Control Lists (iACLs) to block traffic at the border of networks. Note: Because the features in this vulnerability utilize UDP as a transport, it is possible to spoof the sender's IP address, which may defeat ACLs that permit communication to these ports from trusted IP addresses. 3. Control Plane Policing (CoPP) can be used to block the affected features TCP traffic access to the device. Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 102

Note: Because the features in this vulnerability utilize UDP as a transport, it is possible to spoof the sender's IP address, which may defeat ACLs that permit communication to these ports from trusted IP addresses. 4. Use Cisco IOS Embedded Event Manager (EEM) policy to detect blocked interface queues. EEM can alert administrators of blocked interfaces with email, a syslog message, or a Simple Network Management Protocol (SNMP) trap. The vulnerability matrix in the Cisco Security Advisory (cisco-sa-20090325-udp) explains which versions are vulnerable. Cisco IOS Versions 12.1(22)EA13 (or later), 12.2SEE (or later) and 12.2(31)SGA9 (or later) are not vulnerable. Cisco Catalyst IOS 12.1(22)EA4 (vulnerable) Cisco IOS 12.2(25)SEB4 (vulnerable) Cisco IOS 12.2(31)SGA4 (vulnerable) Cisco IOS 12.2(40)SE2 (vulnerable)

Cisco IOS Software Multiple Features Crafted TCP Sequence Vulnerability (QID 43156) CVE-2009-0629, cisco-sa-20090325-tcp Cisco IOS is prone to multiple denial of service vulnerabilities that are caused due to an error in the handling of TCP packets. These issues can be exploited by a remote attacker to reload an affected device via a sequence of specially crafted TCP packets. Cisco IOS and Cisco IOS XE devices configured to use any of the following features are affected: Airline Product Set (ALPS) Serial Tunnel Code (STUN) and Block Serial Tunnel Code (BSTUN) Native Client Interface Architecture support (NCIA) Data-link switching (DLSw) Remote Source-Route Bridging (RSRB) Point to Point Tunneling Protocol (PPTP) X.25 for Record Boundary Preservation (RBP) X.25 over TCP (XOT) X.25 Routing

For successful exploitation of this vulnerability, the TCP three-way handshake must be completed to the associated TCP port number for any of the features listed above. Successful exploitation of this vulnerability will cause the device to reload. Repeated attempts to exploit could result in a sustained denial of service condition. Workarounds:

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 103

1. Use Infrastructure Access Control Lists (iACLs) to block traffic at the border of networks. 2. Use Receive ACL (rACL) to protect the device from harmful traffic before the traffic can impact the route processor. Receive ACLs are designed to only protect the device on which it is configured. 3. Control Plane Policing (CoPP) can be used to block the affected features TCP traffic access to the device. Further information and examples on configuring iACLs, rACLs and CoPP can be found at the advisory cisco-sa-20090325-tcp. The vulnerability matrix in the Cisco Security Advisory (cisco-sa-20090325-tcp) explains which versions are vulnerable. Cisco IOS Versions 12.2SEE (or later) and 12.2(31)SGA9 (or later) are not vulnerable. Cisco IOS 12.2(25)SEB4 (vulnerable) Cisco IOS 12.2(31)SGA4 (vulnerable) Cisco IOS 12.2(40)SE2 (vulnerable)

Cisco IOS Software Secure Copy Privilege Escalation Vulnerability (QID 43157) CVE-2009-0637, cisco-sa-20090325-scp SCP (Secure Copy Protocol) allows the transfer of files between systems in an encrypted form. SCP relies on the Secure Shell (SSH) protocol. The server side of the SCP implementation in Cisco IOS software contains a vulnerability that allows authenticated users with an attached command-line interface (CLI) view to transfer files to and from a Cisco IOS device that is configured to be a SCP server, regardless of user permissions defined via the CLI view configuration. An attacker could exploit this vulnerability to view or modify any file on the device, and elevate privileges via crafted SCP commands to write to the device's configuration. (CVE-2009-0637) The vulnerability can only be exploited in the Secure Copy (SCP) implementation in Cisco IOS devices when the SCP server and Role-Based CLI Access features are enabled. Successful exploitation of the vulnerability may allow valid but unauthorized users to retrieve or write to any file on the device's file system, including the device's saved configuration and Cisco IOS image files. This configuration file may include passwords or other sensitive information. Cisco IOS 12.2(40)SE2 (vulnerable)

Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerability (QID 43158) CVE-2009-0636, cisco-sa-20090325-sip SIP (Session Initiation Protocol) is a signaling protocol that is used to manage voice and video calls across IP networks such as the Internet. SIP is responsible for handling all aspects of call setup and termination.

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 104

A denial of service vulnerability exists in the SIP implementation in Cisco IOS Software. This vulnerability is triggered by processing a specific and valid SIP message. A remote attacker can exploit this vulnerability to cause the device to crash. Successful exploitation of this vulnerability will result in a reload of the device. The issue could be repeatedly exploited to cause an extended denial of service condition. Cisco IOS devices with SIP voice services enabled are affected. Workarounds: 1. For devices that do not require SIP to be enabled, the simplest and most effective workaround is to disable SIP processing on the device. On some Cisco IOS software versions, SIP can be disabled using the following commands: sip-ua no transport udp no transport tcp Note: When applying this workaround to devices that are processing Media Gateway Control Protocol (MGCP) or H.323 calls, the device will not stop SIP processing while active calls are being processed. 2. For devices that need to offer SIP services it is possible to use Control Plane Policing (CoPP) to block SIP traffic to the device from untrusted sources. Note: Because SIP can use UDP as a transport protocol, it is possible to easily spoof the IP address of the sender, which may defeat access control lists that permit communication to these ports from trusted IP addresses. Further information and examples on disabling SIP and configuring CoPP to block SIP traffic can be found at the advisory cisco-sa-20090325-sip. The vulnerability matrix in the Cisco Security Advisory (cisco-sa-20090325-sip) explains which versions are vulnerable. Cisco IOS Versions 12.1(22)EA13 (or later), 12.2SEE (or later) and 12.2(31)SGA9 (or later) are not vulnerable. Cisco Catalyst IOS 12.1(22)EA4 (vulnerable) Cisco IOS 12.2(25)SEB4 (vulnerable) Cisco IOS 12.2(31)SGA4 (vulnerable) Cisco IOS 12.2(40)SE2 (vulnerable)

Cisco IOS Software TCP State Manipulation Denial of Service Vulnerabilities (QID 43162) CVE-2008-4609, CVE-2009-0627, cisco-sa-20090908-tcp24

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 105

Multiple Cisco products are affected by denial of service vulnerabilities that manipulate the state of Transmission Control Protocol (TCP) connections. By manipulating the state of a TCP connection, an attacker could force the TCP connection to remain in a long-lived state, possibly indefinitely. If enough TCP connections are forced into a long-lived or indefinite state, resources on a system under attack may be consumed, preventing new TCP connections from being accepted. In some cases, a system reboot may be necessary to recover normal system operation. To exploit these vulnerabilities, an attacker must be able to complete a TCP three-way handshake with a vulnerable system. Network devices are not directly impacted by TCP state manipulation denial of service attacks transiting a device; however, network devices that maintain the state of TCP connections may be impacted. Note: It is recommended to provide authentication credentials in order to run the scan. Successful exploitation of the TCP state manipulation vulnerabilities may result in a denial of service condition where new TCP connections are not accepted on an affected system. Repeated exploitation may result in a sustained denial of service condition. Cisco has guidelines for mitigation against the TCP state manipulation vulnerabilities for Cisco IOS Software, CatOS Software, ASA and PIX Software and Nexus Software. Please refer to Workaround Section at cisco-sa-20090908-tcp24 for detailed guidelines. The vulnerability matrix in the Cisco Security Advisory (cisco-sa-20090908-tcp24) explains which versions are vulnerable. Cisco IOS Versions 12.1(22)EA13 and 12.2(50)SE3 (or later) are not vulnerable. Cisco Catalyst IOS 12.1(22)EA4 (vulnerable) Cisco IOS 12.2(25)SEB4 (vulnerable) Cisco IOS 12.2(31)SGA4 (vulnerable) Cisco IOS 12.2(40)SE2 (vulnerable)

Cisco IOS Software Tunnels Vulnerability (QID 43172) CVE-2009-2872, CVE-2009-2873, cisco-sa-20090923-tunnels A tunnel protocol encapsulates a wide variety of protocol packet types inside IP tunnels, creating a virtual point-to-point link between internetworking devices over an IP network. Devices that are running Cisco IOS Software and configured for GRE, IPinIP, Generic Packet Tunneling in IPv6 or IPv6 over IP tunnels tunnels and Cisco Express Forwarding may reload upon switching a specially crafted malformed packets. The Cisco IOS Point to Point Tunneling Protocol (PPTP) feature creates GRE tunnels that are transparent to the user. Therefore systems configured for PPTP are also vulnerable. Successful exploitation of the vulnerability may result in the reload of an affected system, causing a denial of service.

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 106

Disabling Cisco Express Forwarding will mitigate this vulnerability. It can be disabled in the following two ways: 1. Disable Cisco Express Forwarding Globally by using the global configuration commands: no ip cef no ipv6 cef 2. Disable Cisco Express Forwarding on all Tunnel Interfaces configured on an affected device as shown in the following example: interface Tunnel [interface-ID] no ip route-cache cef Disabling Cisco Express Forwarding may have significant performance impact and is not recommended by Cisco. Refer to the advisory for additional details on the workarounds. The vulnerability matrix in the Cisco Security Advisory (cisco-sa-20090923-tunnels) explains which versions are vulnerable. Cisco IOS Versions up to and including 12.1(4)EA1c are not vulnerable. Cisco IOS Versions 12.1(22)EA11 and later are not vulnerable. Cisco IOS Version 12.2(31)SGA11 (or later) is not vulnerable. Cisco IOS Version 12.2(52)SE (or later) is not vulnerable. Cisco Catalyst IOS 12.1(22)EA4 (vulnerable) Cisco IOS 12.2(25)SEB4 (vulnerable) Cisco IOS 12.2(31)SGA4 (vulnerable) Cisco IOS 12.2(40)SE2 (vulnerable)

Cisco IOS IPv6 Routing Header Vulnerability (QID 43173) CVE-2007-0481, cisco-sa-20070124-IOS-IPv6, Bugtraq ID 22210 IPv6 is the "Internet Protocol Version 6", designed by the Internet Engineering Task Force (IETF) to replace Internet Protocol Version 4 (IPv4). A vulnerability exists in the processing of IPv6 packets. Processing a specially crafted IPv6 Type 0 Routing header can crash a device running Cisco IOS software. Successful exploitation of the vulnerability can corrupt some memory structures and cause the affected device to crash, and there is also the potential to execute an arbitrary code. In the event of a successful remote code execution, device integrity will be completely compromised. Note: This vulnerability does not affect IPv6 Type 2 Routing header which is used in mobile IPv6. Note: IPv6 is not enabled by default in Cisco IOS. The workaround consists of filtering packets that contain Type 0 Routing header(s). Special attention must be paid not to filter packets with Type 2 Routing headers as that would break Mobile IPv6 deployment.

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 107

For IOS releases before 12.3(4)T the workaround is to use ACLs to filter all packets that contain Routing headers. This method cannot distinguish between Type 0 and Type 2 Routing headers so it is not suitable if Mobile IPv6 is deployed. If Mobile IPv6 is deployed: There is no workaround if you are running a Cisco IOS release prior to 12.2(15)T. Starting from the IOS release 12.2(15)T a new command ipv6 source-route was introduced. If applied, it will block any IPv6 packet with Type 0 Routing Headers. The vulnerability matrix in the Cisco Security Advisory (cisco-sa-20070124-IOS-IPv6) explains which versions are vulnerable. Cisco IOS Version 12.2(25)SEE1 (or later) is not vulnerable. Cisco IOS 12.2(25)SEB4 (vulnerable)

If Mobile IPv6 is not deployed:

Cisco IOS Software Multiprotocol Label Switching Packet Vulnerability (QID 43180) CVE-2010-0576, cisco-sa-20100324-ldp, Bugtraq ID 38938 A device running Cisco IOS Software, Cisco IOS XE Software, or Cisco IOS XR Software is vulnerable to a remote denial of service condition if it is configured for Multiprotocol Label Switching (MPLS) and has support for Label Distribution Protocol (LDP). The vulnerability is caused due to an error when processing Label Distribution Protocol (LDP) UDP packets and can be exploited to cause a device reload or restart the "mpls_ldp" Cisco IOS XR process. A system is vulnerable if configured with either LDP or Tag Distribution Protocol (TDP). Successful exploitation of this vulnerability on a device running a vulnerable version of Cisco IOS Software or Cisco IOS XE Software will cause the affected device to reload. Exploitation on a router running a vulnerable version of Cisco IOS XR Software will result in a restart of the mpls_ldp process. The issue could be repeatedly exploited to cause an extended denial of service condition. Workarounds: Use Infrastructure Access Control Lists (iACLs) to block traffic at the border of networks. Use Receive ACL (rACL) to protect the device from harmful traffic before the traffic can impact the route processor. Receive ACLs are designed to only protect the device on which it is configured. Control Plane Policing (CoPP) can be used to block the affected features TCP traffic access to the device.

The vulnerability matrix in the Cisco Security Advisory (cisco-sa-20100324-ldp) explains which versions are vulnerable. Cisco IOS Versions 12.1(22)EA14, 12.2(50)SE4 and 12.2(53)SE2 are not vulnerable.

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 108

"Releases up to and including 12.1(6)EA2c are not vulnerable. Releases 12.1(8)EA1c and later are not vulnerable." Therefore Cisco IOS Versions 12.1(22)EA4 is not vulnerable. Cisco Catalyst IOS 12.1(22)EA4 (not vulnerable) Cisco IOS 12.2(40)SE2 (vulnerable) Cisco IOS 12.2(53)SE2 (not vulnerable)

Cisco Industrial Ethernet 3000 Series Switches Hard Coded SNMP Community Names Vulnerability (QID 43187) CVE-2010-1574, cisco-sa-20100707-snmp, Bugtraq ID 41436 The Cisco Industrial Ethernet 3000 Series is a family of switches that provide a rugged, easy to use, secure infrastructure for harsh environments. Cisco Industrial Ethernet 3000 Series switches running Cisco IOS Software releases 12.2(52)SE or 12.2(52)SE1, contain a vulnerability where well known SNMP community names are hard coded for both read and write access. The hard coded community names are "public" and "private". Successful exploitation of the vulnerability could result in an attacker obtaining full control of the device. Workaround, Manually Remove SNMP Community Names: Log in to the device, and enter configuration mode. Enter the following configuration commands: no snmp-server community public RO no snmp-server community private RW Workaround, Automatically Remove SNMP Community Names: By creating an Embedded Event Manager (EEM) policy, it is possible to automatically remove the hard coded SNMP community names each time the device is reloaded. The following example shows an EEM policy that runs each time the device is reloaded and removes the hard coded SNMP community names. event manager applet cisco-sa-20100707-snmp event timer countdown time 30 action 10 cli command "enable" action 20 cli command "configure terminal" action 30 cli command "no snmp-server community public RO" action 40 cli command "no snmp-server community private RW" action 50 cli command "end" action 60 cli command "disable" action 70 syslog msg "Hard-coded SNMP community names as per Cisco Security Advisory ciscosa-20100707-snmp removed"

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 109

Saving the configuration will update the start-up configuration files; however the hard-coded community names will be reinserted to the running configuration when the device reloads. This workaround must be applied each time the device is reloaded. Workaround: If SNMP management is not required on the Cisco Industrial Ethernet 3000, then dropping all SNMP traffic to the device is a sufficient workaround. Cisco has released an advisory detailing various solutions available to fix this issue. Refer to Cisco Security Advisory cisco-sa-20100707-snmp for additional information on obtaining the fixes. Cisco IOS Versions 12.2(52)SE and 12.2(52)SE1 are vulnerable. Cisco IOS 12.2(53)SE2 (not vulnerable)

Note: Qualys omits the Bugtraq ID. Cisco IOS TCP State Manipulation Denial of Service Vulnerabilities (QID 43197) CVE-2009-0627, CVE-2008-4609, cisco-sa-20090908-tcp24 Multiple Cisco products are affected by denial of service vulnerabilities in the TCP protocol. By manipulating the state of TCP connections, an attacker could force a system that is under attack to maintain TCP connections for long periods of time, or indefinitely in some cases. With a sufficient number of open TCP connections, the attacker may be able to cause a system to consume internal buffer and memory resources, resulting in new TCP connections being denied access to a targeted port or an entire system. Successful exploitation results in a denial of service. Network devices are not directly impacted by TCP state manipulation denial of service attacks transiting a device. However, network devices that maintain the state of TCP connections may be impacted. The vulnerability matrix in the Cisco Security Advisory (cisco-sa-20090908-tcp24) explains which versions are vulnerable. Cisco IOS Versions 12.1(22)EA13 and 12.2(50)SE3 (or later) are not vulnerable. Cisco Catalyst IOS 12.1(22)EA4 (vulnerable) Cisco IOS 12.2(25)SEB4 (vulnerable) Cisco IOS 12.2(31)SGA4 (vulnerable) Cisco IOS 12.2(40)SE2 (vulnerable)

Cisco IOS VLAN Trunking Protocol Vulnerability (QID 43204) CVE-2008-4963, cisco-sr-20081105-vtp The VLAN Trunking Protocol (VTP) is a Layer 2 messaging protocol that maintains VLAN configuration consistency by managing the addition deletion, and renaming of VLANs on a network wide basis. Cisco's VTP protocol implementation in some versions of Cisco IOS may be vulnerable to a denial of service attack via a specially crafted VTP packet sent from the local network segment when operating in

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 110

either server or client VTP mode. When the device receives the specially crafted VTP packet, the switch may crash. Successful exploitation results in a denial of service. Products affected by this vulnerability: Devices running affected versions of Cisco IOS or CatOS that have VTP Operating Mode as either "server" or "client". Devices running affected versions of Cisco IOS with Ethernet Switch Modules for Cisco 1800/2600/2800/3600/3700/3800 Series Routers that have VTP Operating Mode as either "server" or "client".

Products not affected by this vulnerability: Devices configured with VTP operating mode as "transparent". Devices configured with VTP version 3 (CatOS only) Devices configured with VTP operating mode as "off" (CatOS only)

Cisco has released an advisory detailing various solutions available to fix this issue. Refer to Cisco Security Advisory cisco-sr-20081105-vtp for additional information on obtaining the fixes. This vulnerability is suggested when any of the following are suggested: Cisco IOS 12.2(31)SGA4, Catalyst 4500 L3 Switch Software (cat4500-IPBASEK9-M), Version 12.2(31)SGA4, RELEASE SOFTWARE (fc1) Cisco IOS 12.2(25)SEB4, C3560 Software (C3560-IPBASE-M), Version 12.2(25)SEB4, RELEASE SOFTWARE (fc1) Cisco IOS 12.2(25)SEB4

Cisco IOS Multiple Vulnerabilities (QID 43207) CVE-2009-5038, CVE-2009-5040, CVE-2010-4671, CVE-2010-4683, CVE-2010-4685, CVE-2010-4686, Cisco 15_01_XA Release Notes, Bugtraq ID 45764 Cisco IOS is prone to the following vulnerabilities: An error when processing certain IRC traffic can be exploited to cause a device reload by accessing an IRC channel within 36 hours of a reload. An error in the Communication Manager Express (CME) component when handling an SNR number change menu from an extension mobility phone can be exploited to crash the device. A memory leak when processing UDP SIP REGISTER packets can be exploited to exhaust memory resources via a specially crafted SIP packet. An error in the PKI implementation does not clear the public key cache for the peers when the certificate map is changed. This can be exploited to reconnect and bypass the certificate ban.

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 111

A memory fragmentation error in the CME component when handling SIP TRUNK traffic can be exploited to exhaust memory resources via specially crafted SIP packets. An error when handling multiple IPv6 router advertisements can be exploited to cause a device to reload by flooding it with random IPv6 router advertisements.

Note: Successful exploitation of this vulnerability requires that the interface is configured with "ipv6 address autoconf" enabled and the attacker is directly connected to the device. Cisco IOS Versions prior to 15.0(1)XA5 are affected. This issue has been resolved in Cisco IOS Version 15.0(1)XA5. Refer to Cisco 15_01_XA Release Notes for additional information. Cisco Catalyst IOS 12.1(22)EA4 (vulnerable) Cisco IOS 12.2(25)SEB4 (vulnerable) Cisco IOS 12.2(31)SGA4 (vulnerable) Cisco IOS 12.2(40)SE2 (vulnerable) Cisco IOS 12.2(53)SE2 (vulnerable)

TCP Sequence Number Approximation Based Denial of Service (82054) CVE-2004-0230, Cisco CSCed32349, Fixed In - 6.4(13), 6.4(12.3), 7.6(8.6), 8.3(2.8), 8.3(3.4), 8.4(0.47COC, 8.4(0.91)COC, 8.4(1.2)GLX, 8.4(2.1)GLX, 8.6(0.1)TAL, 8.6(0.21)TAL, Bugtraq ID 10183 TCP provides stateful communications between hosts on a network. TCP sessions are established by a three-way handshake and use random 32-bit sequence and acknowledgement numbers to ensure the validity of traffic. A vulnerability was reported that may permit TCP sequence numbers to be more easily approximated by remote attackers. This issue affects products released by multiple vendors. The cause of the vulnerability is that affected implementations will accept TCP sequence numbers within a certain range, known as the acknowledgement range, of the expected sequence number for a packet in the session. This is determined by the TCP window size, which is negotiated during the three-way handshake for the session. Larger TCP window sizes may be set to allow for more throughput, but the larger the TCP window size, the more probable it is to guess a TCP sequence number that falls within an acceptable range. It was initially thought that guessing an acceptable sequence number was relatively difficult for most implementations given random distribution, making this type of attack impractical. However, some implementations may make it easier to successfully approximate an acceptable TCP sequence number, making these attacks possible with a number of protocols and implementations. This is further compounded by the fact that some implementations may support the use of the TCP Window Scale Option, as described in RFC 1323, to extend the TCP window size to a maximum value of 1 billion. This vulnerability will permit a remote attacker to inject a SYN or RST packet into the session, causing it to be reset and effectively allowing for denial of service attacks. An attacker would exploit this issue by sending a packet to a receiving implementation with an approximated sequence number and a forged source IP address and TCP port. Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 112

There are a few factors that may present viable target implementations, such as those which depend on long-lived TCP connections, those that have known or easily guessed IP address endpoints and those implementations with easily guessed TCP source ports. It has been noted that Border Gateway Protocol (BGP) is reported to be particularly vulnerable to this type of attack, due to the use of long-lived TCP sessions and the possibility that some implementations may use the TCP Window Scale Option. As a result, this issue is likely to affect a number of routing platforms. Another factor to consider is the relative difficulty of injecting packets into TCP sessions, as a number of receiving implementations will reassemble packets in order, dropping any duplicates. This may make some implementations more resistant to attacks than others. It should be noted that while a number of vendors have confirmed this issue in various products, investigations are ongoing and it is likely that many other vendors and products will turn out to be vulnerable as the issue is investigated further. Successful exploitation of this issue could lead to denial of service attacks on the TCP based services of target hosts. Other consequences may also result, such as man-in-the-middle attacks. The TCP Sequence Number DOS vulnerability is fixed in either the 8.5(8) code or the 8.6(4). Vendor Reference Cisco CSCed32349, Fixed In - 6.4(13), 6.4(12.3), 7.6(8.6), 8.3(2.8), 8.3(3.4), 8.4(0.47COC, 8.4(0.91)COC, 8.4(1.2)GLX, 8.4(2.1)GLX, 8.6(0.1)TAL, 8.6(0.21)TAL Please first check the results section below for the port number on which this vulnerability was detected. If that port number is known to be used for port-forwarding, then it is the backend host that is really vulnerable. Various implementations and products including Check Point, Cisco, Cray Inc, Hitachi, Internet Initiative Japan, Inc (IIJ), Juniper Networks, NEC, Polycom, and Yamaha are currently undergoing review. Contact the vendors to obtain more information about affected products and fixes. NISCC Advisory 236929 Vulnerability Issues in TCP details the vendor patch status as of the time of the advisory, and identifies resolutions and workarounds. Refer to US-CERT Vulnerability Note VU415294 and OSVDB Article 4030 to obtain a list of vendors affected by this issue and a note on resolutions (if any) provided by the vendor. For Microsoft: Refer to MS05-019 and MS06-064 for further details. For SGI IRIX: Refer to SGI Security Advisory 20040905-01-P. For SCO UnixWare 7.1.3 and 7.1.1: Refer to SCO Security Advisory SCOSA-2005.14. For Solaris (Sun Microsystems): The vendor has acknowledged the vulnerability; however a patch is not available. Refer to Sun Microsystems, Inc. Information for VU415294 to obtain additional details. Also, refer to TA04-111A for detailed mitigating strategies against these attacks.

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 113

For NetBSD: Refer to NetBSD-SA2004-006 For Cisco: Refer to cisco-sa-20040420-tcp-ios.shtml. For Red Hat Linux: CVE-2004-0230 There is no fix available. Red Hat does not have any plans for action regarding this issue. Workaround: The following BGP-specific workaround information has been provided. For BGP implementations that support it, the TCP MD5 Signature Option should be enabled. Passwords that the MD5 checksum is applied to should be set to strong values and changed on a regular basis. Secure BGP configuration instructions have been provided for Cisco and Juniper at these locations: Secure Cisco IOS BGP Template JUNOS Secure BGP Template

This vulnernability was confirmed by exploiting the vulnerability: Tested on port 111 with an injected SYN/RST offset by 16 bytes. Tested on port 22 with an injected SYN/RST offset by 16 bytes.

Cisco IOS HTTP Service HTML Injection Vulnerability (QID 12220) CVE-2005-3921, cisco-sa-20051201-http, Bugtraq ID 15602 Cisco IOS includes an HTTP service that provides router management services. This service was introduced in IOS releases 11.0 and later. The Cisco IOS HTTP service is reportedly prone to an HTML injection vulnerability. This issue arises due to insufficient sanitization of user-supplied data. Reports indicate that an attacker can submit malicious HTML and script code through the "dump" and "packet" fields of the scripts "/level/15/exec/-/buffers/assigned" and "/level/15/exec/-/buffers/all". This code may be executed in the browser of an administrator when they attempt to view the contents of memory buffers through the vulnerable scripts of the HTTP service. This issue may potentially allow for the theft of authentication credentials. An attacker could also exploit this issue to control how a site is rendered to the user or administrator. Other attacks are also possible. This vulnerability is suggested by "Detected on TCP port 80" or "Detected on TCP port 443." Cisco IOS 11-15 Cisco IOS 12.1-12.2 Cisco IOS 12.2(25)SEB4 (vulnerable) Cisco IOS 12.2(31)SGA4 (not vulnerable) Page 114

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Cisco IOS 12.2(40)SE2 (not vulnerable) Cisco IOS 12.2(53)SE2 (not vulnerable)

Common Desktop Environment (CDE) Vulnerabilities


Common Desktop Environment Dtlogin Unspecified Remote Double Free Vulnerability (QID 38261) CVE-2004-0368, HPSBUX01038, Sun Alert ID 57539, AIX Dtlogin Advisory, Bugtraq ID 9958 The dtlogin application is implemented with the Common Desktop Environment (CDE) that implements the X-Display Manager Control Protocol (XDMCP). The dtlogin process makes it possible for users to log into remote computers using a CDE graphical user interface. CDE is implemented on many Unix and Unix like systems and is a popular window manager. It has been reported that a double free vulnerability exists in the dtlogin process of CDE. This issue presents itself due to the free() function being called on the same allocated chunk of memory more than once. This problem occurs prior to any authorization. An attacker may be able to leverage this issue to gain unauthorized remote access on a system running the affected software. The attacker must be able to interact with the dtlogin process in such a way as to overwrite previously freed heap memory with malicious data prior to the second call to free(). Ultimately an attacker may be able to control the data handled by the free() function, which could lead to the corruption of an arbitrary location in memory. This may allow the attacker to control the execution flow of the affected process. OS-specific patch required. SPARC Platform o Solaris 7 without patch 107180-31 o Solaris 8 without patch 108919-21 o Solaris 9 without patch 112807-09 x86 Platform o Solaris 7 wthout patch 107181-31 o Solaris 8 without patch 108920-21 o Solaris 9 without patch 114210-08

This vulnerability is suspected when "service xdmcp and os Solaris 9-11" are reported. Note: Qualys will often report that the operating system could not be determined and then report the operating system when this vulnerability is reported. For example, "Solaris 9", "HP-UX 11". Multiple Vendor CDE ToolTalk Database Server Null Write Vulnerability (QID 68507) CVE-2002-0677, Bugtraq ID 5082

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 115

CDE ships with a daemon called the ToolTalk database server. The ToolTalk database server allows for programs designed for use in CDE to communicate with each other. It is enabled by default on most systems shipped with CDE. The ToolTalk database server is vulnerable to a condition that may allow NULL words to be written to arbitrary locations in memory. The vulnerability is due to an input validation error in the _TT_ISCLOSE procedure, used by ToolTalk clients to close open ToolTalk databases. The _TT_ISCLOSE RPC accepts a file descriptor as a parameter. This integer value is used as an index for writing to structures in server memory. There are no checks to restrict the range of the index value. Consequently, malicious file descriptor values supplied by remote clients may cause writes to occur far beyond the table in memory. The only value written is a NULL word, limiting the consequences. It should be noted that the only authentication required is client-supplied AUTH_UNIX credentials. AUTH_UNIX credentials may be trivially spoofed by attackers. Exploitation of this vulnerability could allow for complex attacks, potentially resulting in remote deletion and creation of arbitrary files, or code/command execution. Qualys reports TCP Port 32775 or 32776 or 61467. The "cmsd" RPC service is used for managing the calendar and schedule. Confirm that it is cmsd listening on port 61467/TCP. Disable the service if it is not used. If the service is necessary, install vendor patch for CVE-1999-0696, CVE-1999-0320. Please contact your vendor for patch information. This vulnerability is suggested by TCP Port 32795.

CUPS Vulnerabilities
CUPS UDP Packet Remote Denial of Service Vulnerability (QID 38405) CVE-2004-0558, RHSA-2004:449, Bugtraq 11183 CUPS is prone to an unspecified, remotely exploitable denial of service vulnerability. It is reported that this issue can be exploited by remote users to render a server unresponsive. Successful exploitation requires that the attacker can access port 631, which is used by the Internet Printing Protocol (IPP). This would deny access to the CUPS service by legitimate users. Additional reports indicate it's possible to trigger this issue with a UDP packet and thereby disrupt browsing through CUPS. This vulnerability is suspected by detecting service Internet Printing Protocol (IPP) on 631/udp. CUPS IPP Tag Handling Remote Buffer Overflow Vulnerability (QID 38591) CVE-2007-4351, Bugtraq 26268 CUPS, Common Unix Printing System, is a widely used set of printing utilities for Unix-based systems. Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 116

CUPS is prone to a remote buffer overflow vulnerability, because it fails to properly bounds check usersupplied data before copying it to an insufficiently sized memory buffer. Attackers can exploit this issue to execute arbitrary code within the context of the affected application. Failed exploit attempts will result in a denial of service. CUPS Version 1.3.3 is reported to be vulnerable. Other versions may be affected as well.

CVS Vulnerabilities
CVS Server Piped Checkout Access Validation Vulnerability (QID 38269) CVE-2004-0405, Bugtraq ID 10140 CVS is the Concurrent Versions System, which is a freely available, open-source, version management package. It is available for Unix and Linux systems. CVS server has been reported prone to an access validation vulnerability. Reportedly the CVS server does not sufficiently validate piped checkouts. The CVS server may honor a request for a piped checkout for a path that resides outside of the cvsroot ($CVSROOT). A remote attacker may then checkout contents of RCS archive files that exist anywhere on the CVS server. This may permit an attacker to gain access to potentially sensitive information contained in files that the attacker should not be privy to. Information harvested in this manner may be used to aid in further attacks against the target server. Qualys reports "Detected service cvspserver and os SOLARIS 10". Is CVS 1.11 or later installed? CVS Unspecified Buffer Overflow and Memory Access Vulnerabilities (QID 38481) CVE-2005-0753, Bugtraq ID 13217 CVS is the concurrent versions system. CVS is a freely available, open source software development package for Unix, Linux, and Microsoft Windows. CVS is prone to unspecified buffer overflow and memory access vulnerabilities. It is conjectured that the issues may be leveraged by a remote authenticated user to disclose regions of the CVS process memory, and to corrupt CVS process memory. The two issues combined may lead to a remote attacker reliably executing arbitrary code in the context of the vulnerable process, although this is not confirmed. A remote authenticated attacker may take control of the system. Install vendor update or upgrade to CVS Version 1.11.20 (or greater).

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 117

For Red Hat (CVE-2005-0753): Red Hat Enterprise Linux 2.1 (cvs) RHSA-2005:387 cvs-1.11.1p1-18 (superseded by RHSA2005:756 cvs-1.11.1p1-19) Red Hat Enterprise Linux 3 (cvs) RHSA-2005:387 cvs-1.11.2-27 (superseded by RHSA-2005:756 cvs-1.11.2-28) Red Hat Enterprise Linux 4 (cvs) RHSA-2005:387 cvs-1.11.17-7.RHEL4 (superseded by RHBA2009:0971 cvs-1.11.17-11.el4)

DameWare Vulnerabilities
DameWare Mini Remote Control Server Detected (QID 38255) CVE-2003-1030, Bugtraq 9213 DameWare Mini Remote Control Server is a remote administration tool distributed and maintained by DameWare Development. The host is running this server, and there are a number of issues related to the running of this service. First, the service allows remote users to control the host. Administrators should check that this service is legitimate and that strong authentication checks are in place to prevent the misuse of the service. Second, the service reveals the operating system version and service pack level to unauthenticated users. This information could be useful to an attacker in planning further attacks against the host. Versions of the server prior to 3.70 are vulnerable to a 'Shatter' attack which may be exploited by local users to gain elevated privileges on the system. Third, a problem has been identified in the handling of pre-authentication packets in versions of the server prior to 3.73.0.0. Exploitation of this issue may allow a remote attacker to gain unauthorized access to hosts using the vulnerable software. Specifically, the problem is in the handling of packets containing the pre-authentication information required by DameWare to authenticate remote administrators. The vulnerability exists when all this information is passed to a function containing a vulnerable strcpy-like routine. By placing custom, maliciously crafted data in these variables and sending them in a packet to the remote host, it's possible to trigger a potentially exploitable buffer overflow. Attackers may gather information on the host using this service, and may be able to control this host if they are able to acquire authentication credentials. If the server is running a version older than 3.73, attackers may be able to exploit the service to execute arbitrary code on the vulnerable system. Install vendor update or upgrade to DameWare Mini Remote Control Server 3.73.0.0 (or later). This vulnerability is reported when "SSH-2.0-3.2.0 SSH Secure Shell OpenVMS V5.5 VMS_sftp_version 3" is detected on "HP OpenVMS 8.x" (for example). Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 118

DNS Vulnerabilities
DNS Zone Transfer (QID 15018) CVE-1999-0532 The DNS server is a hierarchical database used to translate host names into IP addresses and IP addresses into host names. A domain is usually handled by a single DNS server. However, several servers can be installed for the purposes of load balancing or as backups. Where several servers are in use, one is called the "master" (or the primary server) and the others are called "slaves" (or secondary servers). The zone transfer feature is used to synchronize the domain (also called a zone) from the master server to the slaves. A zone transfer can be achieved by sending a single request to the name server. All information on the requested domain is then transferred, including host names, IP addresses, mail servers, etc. When implementing an attack, unauthorized users usually start by obtaining a company's domain name. Then, they try to gather a large number of IP addresses or host names. The more domain IP addresses they have, the better chance they have of compromising a host in your domain. The Zone transfer feature should be restricted so that DNS servers can only perform a zone transfer with other DNS servers in the same domain. If you use a single DNS server, simply disable zone transfer to prevent unauthorized users from exploiting this feature from a remote system. Microsoft DNS Service users should consult their manuals. BIND users should consult the Internet Software Consortium's Web site (http://www.isc.org/). This vulnerability is confirmed by exploiting the vulnerability (performing a zone transfer).

Finger Vulnerabilities
The finger service is present on these systems. The finger service discloses which users are logged on, and provides some information about those users. Remove this service from your system. On Unix systems, it is usually located in the /etc/inetd.conf configuration file. On other systems, check the inetd configuration file. "Finger 0@" Information about Logged Users Disclosure Vulnerability (QID 31000) CVE-1999-0197 The finger service discloses which users are logged on, and provides information about those users. On some Operating Systems, the "0" acts as a wildcard and provides logins for almost all accounts existing on the server. Aggressive intruders often exploit this service to get user login names on a system. This makes the system vulnerable to other attacks, especially if users have weak passwords. Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 119

This vulnerability is confirmed by enumerating accounts. Finger Daemon Accepts Forwarding of Requests (QID 31002) CVE-1999-0106 On older versions, the finger daemon accepts forwarding. This could allow unauthorized users to proxy "finger" requests to other servers via your server. Additionally, a denial of service can be implemented on networks using NIS (Network Information Service). This is done by executing a finger command containing hundreds of nested '@' characters. This generates a lot of traffic in the network and consumes a lot of the NIS master server's CPU. If successfully exploited, unauthorized users can use your finger service to anonymously scan other hosts that have finger enabled, or cause a denial of service on networks using NIS. This vulnerability is confirmed by detecting the finger service. Finger Service Discloses Logged Users (QID 31003) CVE-1999-0259, CVE-1999-0612 Unauthorized users often exploit the finger service to obtain the user's login name. This service potentially makes the system vulnerable, especially if some users have weak passwords. This vulnerability is confirmed by enumerating logged-on users.

Firefox Vulnerabilities
Mozilla Firefox Remote Code Execution by Overflowing CSS Reference Counter (QID 115836) CVE-2008-2785, MFSA 2008-34, Bugtraq ID 29802 Mozilla Firefox is prone to an unspecified remote code execution vulnerability caused by an Mozilla's internal CSSValue array data structure. The vulnerability is caused by an insufficiently sized variable being used as a reference counter for CSS objects. By creating a very large number of references to a common CSS object, this counter could be overflowed which could cause a crash when the browser attempts to free the CSS object while still in use. An attacker can exploit this issue to execute arbitrary code within the context of the affected application. Firefox versions earlier than 3.0.1 and 2.0.0.16 are affected by this issue. These vulnerabilities are fixed in Mozilla Firefox Version 3.0.1 and 2.0.0.16 or later. The vendor has released advisories for each of the vulnerabilities. Refer to the following Mozilla Foundation security advisories for further details: MFSA 2008-34. This vulnerability is confirmed by detecting "Mozilla Firefox 2.0.0.14, Copyright (c) 1998 - 2008 mozilla.org". Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 120

Mozilla Firefox Unspecified Arbitrary File Access Weakness - Zero Day (QID 115841) Bugtraq ID 29905 Mozilla Firefox is prone to a weakness that may allow attackers to gain access to arbitrary files. This vulnerability is related to Apple Safari and Microsoft Windows Client-side Code Execution Vulnerability (CVE-2008-2540) (QID 115816). An attacker can exploit this issue to gain access to arbitrary files on the affected computer. Successfully exploiting this issue may lead to other attacks. There were no vendor-supplied patches available when these notes were written. This vulnerability is confirmed by detecting "Mozilla Firefox 2.0.0.14, Copyright (c) 1998 - 2008 mozilla.org". Mozilla Firefox and SeaMonkey Multiple Vulnerabilities (QID 115851) CVE-2008-2798, CVE-2008-2799, CVE-2008-2800, CVE-2008-2801, CVE-2008-2802, CVE-2008-2803, CVE2008-2805, CVE-2008-2806, CVE-2008-2807, CVE-2008-2808, CVE-2008-2809, CVE-2008-2810, CVE2008-2811, Firefox Security Advisories, Bugtraq ID 30038 The Mozilla Foundation has released multiple security advisories specifying various vulnerabilities in Firefox versions prior to 2.0.0.15 and SeaMonkey versions prior to 1.1.10. Exploiting these issues can allow attackers to: steal authentication credentials obtain potentially sensitive information violate the same-origin policy execute scripts with elevated privileges upload arbitrary files to affected computers cause denial of service execute arbitrary code

Update to the latest version of Firefox or SeaMonkey. This vulnerability is confirmed by detecting "Mozilla Firefox 2.0.0.14, Copyright (c) 1998 - 2008 mozilla.org". Mozilla Firefox URI Splitting Security Bypass Vulnerability (QID 115860) CVE-2008-2933, Bugtraq ID 30242 A security bypass vulnerability exists in Mozilla Firefox due to a design error. Successful exploitation would enable a remote attacker to bypass certain security restrictions and launch restricted URIs. Upgrade to the latest version of Firefox. Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 121

This vulnerability is confirmed by detecting "Mozilla Firefox 2.0.0.14, Copyright (c) 1998 - 2008 mozilla.org". Mozilla Firefox User Interface Dispatcher Null Pointer Dereference Denial of Service Vulnerability - Zero Day (QID 115966) CVE-2008-4324, Bugtraq ID 31476 Mozilla Firefox is prone to a remote denial of service vulnerability. Successful exploitation may allow attackers to crash the affected browser, resulting in denial of service conditions. There are currently no vendor supplied patches available at this time. This vulnerability is confirmed by detecting "Mozilla Firefox 2.0.0.14, Copyright (c) 1998 - 2008 mozilla.org". Mozilla Firefox, Seamonkey and Thunderbird Multiple Vulnerabilities (QID 116044) CVE-2008-0017, CVE-2008-5015, CVE-2008-5016, CVE-2008-5017, CVE-2008-5018, CVE-2008-5019, CVE2008-5021, CVE-2008-5022, CVE-2008-5023, CVE-2008-5024, CVE-2008-5012, CVE-2008-5014, CVE2008-4582, CVE-2008-5013, MFSA2008-50, MFSA2008-51, MFSA2008-52, MFSA2008-53, MFSA2008-54, MFSA2008-55, MFSA2008-56, MFSA2008-57, MFSA2008-58, MFSA2008-47, MFSA2008-48, MFSA200849 Multiple vulnerabilities exist within Mozilla Firefox: An error when processing "file:" URIs can be exploited to execute arbitrary JavaScript code with chrome privileges by tricking a user into opening a malicious local file in a tab previously opened for a "chrome:" document or a privileged "about:" URI. Various errors in the layout engine can be exploited to cause memory corruption and potentially execute arbitrary code. An error in the browser engine can be exploited to cause a crash. An error in the JavaScript engine can be exploited to cause a memory corruption and potentially execute arbitrary code. An error in the browser's restore feature can be exploited to violate the same-origin policy. An error in the processing of the "http-index-format" MIME type can be exploited to execute arbitrary code. An error in the DOM constructing code can be exploited to dereference uninitialized memory and potentially execute arbitrary code. An error in "nsXMLHttpRequest::NotifyEventListeners()" can be exploited to bypass certain security restrictions. An error can be exploited to manipulate signed JAR files and execute arbitrary JavaScript code in the context of another site. An error exists when parsing E4X documents can be exploited to inject arbitrary XML code.

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 122

These vulnerabilities can be exploited by malicious people to disclose sensitive information, bypass certain security restrictions, or compromise a user's system. Upgrade to the latest version of Firefox or SeaMonkey. This vulnerability is confirmed by detecting "Mozilla Firefox 2.0.0.14, Copyright (c) 1998 - 2008 mozilla.org" and "Thunderbird 2.0.0.14, Copyright (c) 1998-2008 mozilla.org". Mozilla Firefox/Thunderbird/SeaMonkey Multiple Remote Vulnerabilities (QID 116184) CVE-2009-0352, CVE-2009-0353, CVE-2009-0354, CVE-2009-0355, CVE-2009-0356, CVE-2009-0357, CVE2009-0358, MFSA 2009-01, MFSA 2009-02, MFSA 2009-03, MFSA 2009-04, MFSA 2009-05, MFSA 200906, RHSA-2009-0256, RHSA-2009-0257, SUSE-SA:2009:009, Bugtraq ID 33598 Firefox is a Web browser application. Thunderbird is a standalone mail and newsgroup client. SeaMonkey is an open source Web browser, email and newsgroup client, IRC chat client, and HTML editor. The following security vulnerabilities have been reported in Mozilla Firefox, Thunderbird, and SeaMonkey: Multiple memory corruption vulnerabilities exist in the JavaScript engines and layout engines. These exploits can cause the application to crash or cause arbitrary code execution. These issues affect Firefox, Thunderbird, and SeaMonkey. (CVE-2009-0352 and CVE-2009-0353) A vulnerability in Firefox 3.x releases can be exploited to violate the same origin policy. The problem occurs in the chrome XBL method when used in conjunction with "window.eval". An attacker can exploit this issue to execute JavaScript in the context of another website. (CVE2009-0354) An information disclosure vulnerability in Firefox allows the form input control type of a closed tab to be changed when it is re-opened. An attacker can trick an unsuspecting user into reopening a specific closed-tab to change the input type to "file" and run scripts to steal the contents of the user's local file, which may help in further attacks. (CVE-2009-0355) A privilege escalation vulnerability exists due to a fix for an earlier vulnerability (MFSA 2008-47). If an attacker can trick a user into using a specific ".desktop" shortcut file to open a malicious HTML file locally, the attacker may be able to execute arbitrary code with chrome privileges. This issue affects Firefox and SeaMonkey. (CVE-2009-0356) A security bypass vulnerability occurs because cookies marked "HTTPOnly" are readable by JavaScript through the "XMLHttpRequest.getResponseHeader" and "XMLHttpRequest.getAllResponseHeaders" APIs. An attacker can exploit this vulnerability to bypass the "HTTPOnly" flag security restrictions to gain access to "document.cookie". This issue affects Firefox and SeaMonkey. (CVE-2009-0357) An information disclosure vulnerability occurs because the "Cache-Control: no-store" and "Cache-Control: no-cache" HTTP directives are being ignored by Firefox. This results in Page 123

Vulnerability Remediation Synopsis version 0.4Russ Klanke

potentially sensitive information being stored by the browser, allowing other local users access to the cached data. Information obtained may aid in further attacks. (CVE-2009-0358) If these vulnerabilities are successfully exploited, it can cause the application to crash or cause arbitrary code execution with elevated privileges. Successful exploitation may also allow unauthorized disclosure of information which can aid in further attacks. Workaround: CVE-2009-0352, CVE-2009-0353: Disable JavaScript until a version containing the fixes is installed. To resolve these vulnerabilities, upgrade to the latest supported version of Mozilla products (Thunderbird 2.0.0.21, SeaMonkey 1.1.15 and Firefox 3.0.6) in order to obtain patches. Refer to the following Mozilla Foundation security advisories for further details: MFSA 2009-01, MFSA 2009-02, MFSA 2009-03, MFSA 2009-04, MFSA 2009-05, MFSA 2009-06. Refer to the following SuSe security advisory SUSE-SA:2009:009. For Red Hat (CVE-2009-0352, CVE-2009-0353, CVE-2009-0354, CVE-2009-0355, CVE-2009-0356, CVE2009-0357, CVE-2009-0358): Red Hat Enterprise Linux 2.1 (seamonkey) RHSA-2009:0257 seamonkey-1.0.9-0.27.el2 (superseded by RHSA-2009:0437 seamonkey-1.0.9-0.33.el2) Red Hat Enterprise Linux 3 (seamonkey) RHSA-2009:0257 seamonkey-1.0.9-0.32.el3 (superseded by RHSA-2010:0810 seamonkey-1.0.9-0.62.el3) Red Hat Enterprise Linux 4 (firefox) RHSA-2009:0256 firefox-3.0.6-1.el4 and nss-3.12.2.0-3.el4 (superseded by RHSA-2011:1437 and RHSA-2011:1444 nss-3.12.10-6.el4) Red Hat Enterprise Linux 4 (seamonkey) RHSA-2009:0257 seamonkey-1.0.9-35.el4 (superseded by RHSA-2011:1440 seamonkey-1.0.9-77.el4) Red Hat Enterprise Linux 4 (thunderbird) RHSA-2009:0258 thunderbird-1.5.0.12-19.el4 (superseded by RHSA-2011:1438 thunderbird-1.5.0.12-45.el4) Red Hat Enterprise Linux 5 (firefox) RHSA-2009:0256 firefox-3.0.6-1.el5 and xulrunner-1.9.0.61.el5 (superseded by RHSA-2011:1437 firefox-3.6.24-3.el5_7 and xulrunner-1.9.2.24-2.el5_7) RHEL Optional Productivity Applications version 5 (thunderbird) RHSA-2009:0258 thunderbird2.0.0.21-1.el5 (superseded by RHSA-2011:1438 thunderbird-2.0.0.24-27.el5_7)

This vulnerability is confirmed by detecting "Mozilla Firefox 2.0.0.14, Copyright (c) 1998 - 2008 mozilla.org" and "Thunderbird 2.0.0.14, Copyright (c) 1998-2008 mozilla.org." Mozilla Firefox Nested "window.print()" Denial of Service Vulnerability (QID 116262) CVE-2009-0821, Bugtraq ID 33969 Mozilla Firefox is a browser available for multiple platforms.

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 124

The browser is prone to a remote denial of service vulnerability that occurs when the browser parses a malicious Web page containing nested "window.print()" JavaScript functions. An attacker can exploit this issue by enticing an unsuspecting user to visit a malicious site. If this vulnerability is successfully exploited, it allows attackers to cause the affected browser to crash denying service to legitimate users. Firefox Version 2.0.0.20 is vulnerable; other versions may also be affected. There are no vendor-supplied patches available at this time. This vulnerability is confirmed by detecting "Mozilla Firefox 2.0.0.14, Copyright (c) 1998 - 2008 mozilla.org". Mozilla Firefox/Thunderbird/SeaMonkey Multiple Vulnerabilities (QID 116263) CVE-2009-0771, CVE-2009-0772, CVE-2009-0773, CVE-2009-0774, CVE-2009-0775, CVE-2009-0776, CVE2009-0777, CVE-2009-0040, MFSA 2009-07, MFSA 2009-08, MFSA 2009-09, MFSA 2009-10, MFSA 200911, RHSA-2009-0315, Bugtraq ID 33990 Firefox is a Web browser application, Thunderbird is a standalone mail and newsgroup client and SeaMonkey is an open source Web browser, email and newsgroup client, IRC chat client, and HTML editor. The Mozilla Foundation has released multiple advisories regarding security vulnerabilities in Firefox, Thunderbird, and SeaMonkey. The following issues have been reported: Multiple memory corruption vulnerabilities affect the layout engine in Firefox, Thunderbird, and SeaMonkey. An attacker can exploit these issues to execute arbitrary code and cause the affected application to crash. (CVE-2009-0771, CVE-2009-0772, CVE-2009-0773, and CVE-20090774) A denial of service vulnerability affecting the garbage collection service is caused due to improper memory management of a set of cloned XUL DOM elements which were linked as a parent and child. This can be exploited to cause arbitrary code execution when the browser attempts to access a destroyed object.(CVE-2009-0775) A cross-domain information disclosure vulnerability affects the nsIRDFService. An attacker can exploit this issue to steal arbitrary XML data from another domain (CVE-2009-0776) A vulnerability allows an attacker to spoof the location bar. The problem occurs because certain invisible control characters are being decoded, resulting in fewer visible characters being displayed in the location bar. (CVE-2009-0777) Vulnerabilities in PNG libraries used by Mozilla can be exploited by to crash a browser and potentially execute arbitrary code on the user's computer via a crafted PNG file that free ups an uninitialized pointer in the "png_read_png" function, "pCAL" chunk handling, or setup of 16-bit gamma tables. (CVE-2009-0040)

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 125

If these vulnerabilities are successfully exploited, it allows attackers to execute arbitrary code in the context of the browser, cause denial of service, steal arbitrary XML data from another domain and spoof the location bar to conduct phishing attacks. Workaround: CVE-2009-0771, CVE-2009-0772, CVE-2009-0773, CVE-2009-0774, CVE-2009-0776: Disable JavaScript until a version containing the fixes is installed. The vendor has released advisories and updates to fix these vulnerabilities. Refer to the following Mozilla Foundation security advisories for further details: MFSA 2009-07, MFSA 2009-08, MFSA 2009-09, MFSA 2009-10, MFSA 2009-11. For Red Hat (CVE-2009-0771, CVE-2009-0772, CVE-2009-0773, CVE-2009-0774, CVE-2009-0775, CVE2009-0776, CVE-2009-0777, CVE-2009-0040): Red Hat Enterprise Linux 2.1 (libpng) RHSA-2009:0333 libpng-1.0.14-12 Red Hat Enterprise Linux 2.1 (seamonkey) RHSA-2009:0325 seamonkey-1.0.9-0.30.el2 (superseded by RHSA-2009:0437 seamonkey-1.0.9-0.33.el2) Red Hat Enterprise Linux 3 RHSA-2009:0340 libpng-1.2.2-29 (superseded by RHSA-2010:0534 libpng-1.2.2-30) Red Hat Enterprise Linux 3 (seamonkey) RHSA-2009:0325 seamonkey-1.0.9-0.34.el3 (superseded by RHSA-2010:0810 seamonkey-1.0.9-0.62.el3) Red Hat Enterprise Linux 4 RHSA-2009:0333 libpng-1.2.7-3.el4_7.2 and libpng10-1.0.163.el4_7.3 (superseded by RHSA-2011:1103 libpng-1.2.7-8.el4 and libpng10-1.0.16-9.el4) Red Hat Enterprise Linux 4 (firefox) RHSA-2009:0315 firefox-3.0.7-1.el4 (superseded by RHSA2011:1437 firefox-3.6.24-3.el4) Red Hat Enterprise Linux 4 (seamonkey) RHSA-2009:0325 seamonkey-1.0.9-38.el4 (superseded by RHSA-2011:1440 seamonkey-1.0.9-77.el4) Red Hat Enterprise Linux 4 (thunderbird) RHSA-2009:0258 thunderbird-1.5.0.12-19.el4 (superseded by RHSA-2011:1438 thunderbird-1.5.0.12-45.el4) Red Hat Enterprise Linux 5 (firefox) RHSA-2009:0315 firefox-3.0.7-1.el5 and xulrunner-1.9.0.71.el5 (superseded by RHSA-2011:1437 firefox-3.6.24-3.el5_7 and xulrunner-1.9.2.24-2.el5_7) Red Hat Enterprise Linux 5 (libpng) RHSA-2009:0333 libpng-1.2.10-7.1.el5_3.2 (superseded by RHSA-2011:1104 libpng-1.2.10-7.1.el5_7.5) RHEL Optional Productivity Applications version 5 (thunderbird) RHSA-2009:0258 thunderbird2.0.0.21-1.el5 (superseded by RHSA-2011:1438 thunderbird-2.0.0.24-27.el5_7) This vulnerability is confirmed by detecting "Mozilla Firefox 2.0.0.14, Copyright (c) 1998 - 2008 mozilla.org" and "Thunderbird 2.0.0.14, Copyright (c) 1998-2008 mozilla.org" Mozilla Firefox Fix Two Vulnerabilities (QID 116328) CVE-2009-1044, CVE-2009-1169, SUSE-SA:2009:022, RHSA-2009-0397, MFSA 2009-12, MFSA 2009-13 Firefox is a Web browser application. The following vulnerabilities exist in Mozilla Firefox: A memory corruption and denial of service vulnerability in the "txMozillaXSLTProcessor::TransformToDoc" function in Mozilla Firefox Version 3.0.7 is caused due to the improper handling of errors encountered when transforming an XML document. This Page 126

Vulnerability Remediation Synopsis version 0.4Russ Klanke

can be exploited to trigger the handling of a temporary, corrupted stack variable as an evaluation context object via specially crafted XSLT code. (CVE-2009-1169) An error in the processing of the XUL tree method "_moveToEdgeShift()" can be exploited to trigger garbage collection routines on objects, which are still in use. This can cause the browser to crash when attempting to access a previously destroyed object. (CVE-2009-1044)

If these vulnerabilities are successfully exploited, it allows attackers to crash the browser to cause a denial of service attack or compromise a user's system. Exploitation can also result in arbitrary code execution. Mozilla Firefox Versions 3.0.7 and earlier are vulnerable. The vendor has released advisories and updates to fix these vulnerabilities. Update to Firefox Version 3.0.8 (or later). Refer to the Mozilla Foundation security advisories MFSA 2009-12 and MFSA 2009-13 for additional information. For Red Hat (CVE-2009-1044, CVE-2009-1169): Red Hat Enterprise Linux 2.1 (seamonkey) RHSA-2009:0398 seamonkey-1.0.9-0.32.el2 (superseded by RHSA-2009:0437 seamonkey-1.0.9-0.33.el2) Red Hat Enterprise Linux 3 (seamonkey) RHSA-2009:0398 seamonkey-1.0.9-0.36.el3 (superseded by RHSA-2010:0810 seamonkey-1.0.9-0.62.el3) Red Hat Enterprise Linux 4 (seamonkey) RHSA-2009:0398 seamonkey-1.0.9-40.el4 (superseded by RHSA-2011:1440 seamonkey-1.0.9-77.el4) Red Hat Enterprise Linux 4 (firefox) RHSA-2009:0397 firefox-3.0.7-3.el4 (superseded by RHSA2011:1437 firefox-3.6.24-3.el4) Red Hat Enterprise Linux 5 (xulrunner) RHSA-2009:0397 xulrunner-1.9.0.7-3.el5 (superseded by RHSA-2011:1437 xulrunner-1.9.2.24-2.el5_7)

For Suse refer to security advisory SUSE-SA:2009:022. This vulnerability is confirmed by detecting "Mozilla Firefox 2.0.0.14, Copyright (c) 1998 - 2008 mozilla.org". Firefox Security Update (QID 116539) CVE-2009-2408, CVE-2009-2404, MFSA 2009-42, MFSA 2009-43 Firefox is a Web browser application. The following security vulnerabilities have been reported in Mozilla Firefox: Mozilla Firefox before 3.5 and NSS before 3.12.3 do not properly handle a 'DESCRIPTION' character in a domain name in the subject's Common Name (CN) field of an X.509 certificate,

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 127

which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. (CVE-2009-2408) A heap based buffer overflow vulnerability exists in the code that handles regular expressions in certificate names. This vulnerability could be used to compromise the browser and run arbitrary code by presenting a specially crafted certificate to the client. (CVE-2009-2404)

Versions prior to Mozilla Firefox 3.5 are vulnerable. If this vulnerability is successfully exploited, it could allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority or compromise the browser and run arbitrary code by presenting a specially crafted certificate to the client. These vulnerabilities are fixed in Mozilla Firefox Version 3.5 or later. The vendor has released advisories for each of the vulnerabilities. Refer to the following Mozilla Foundation security advisories for further details: MFSA 2009-42, MFSA 2009-43. This vulnerability is confirmed by detecting "Mozilla Firefox 2.0.0.14, Copyright (c) 1998 - 2008 mozilla.org". Sun Solaris Thunderbird Related to SSL Certificates Arbitrary Code Execution Vulnerabilities (QID 116836) CVE-2009-2408, CVE-2009-2404, Sun Alert ID 269468, Oracle ID 1021030.1 Firefox is a Web browser application. The following security vulnerabilities have been reported in Mozilla Firefox: Mozilla Firefox does not properly handle a "\ 0" character in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority. (CVE-2009-2408) A heap based buffer overflow vulnerability exists in the code that handles regular expressions in certificate names. This vulnerability could be used to compromise the browser and run arbitrary code by presenting a specially crafted certificate to the client. (CVE-2009-2404) This vulnerability could be exploited to gain complete access to sensitive information. Malicious users could also use this vulnerability to change all the contents or configuration on the system. Additionally this vulnerability can also be used to cause a complete denial of service and could render the resource completely unavailable.

Solaris 10 for the SPARC and x86 platforms is affected. Refer to Oracle ID 1021030.1 to address this issue and obtain patch information. This vulnerability is confirmed by detecting "SUNWthunderbird is installed" and "125541-06 is missing."

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 128

Sun Solaris Thunderbird Multiple Vulnerabilities (QID 116428) CVE-2008-5500, CVE-2008-5503, CVE-2008-5506, CVE-2008-5507, CVE-2008-5508, CVE-2008-5510, CVE2008-5511, CVE-2008-5512, Sun Alert ID 258748, Oracle ID 1020452.1 Thunderbird is a standalone mail and newsgroup client. The following vulnerabilities are reported in Mozilla Thunderbird versions prior to 2.0.0.19. Several exploits exist in the processing of malformed HTML mail content that could cause arbitrary code execution or result in a denial of service. (CVE-2008-5500, CVE-2008-5511, CVE2008-5512) If JavaScript is enabled, multiple errors can be exploited to trick a Thunderbird user into surrendering sensitive information, and executing arbitrary JavaScript code. (CVE-2008-5503, CVE-2008-5506, CVE-2008-5507) A flaw that does not properly parse URLs with leading whitespace or control characters allows remote attackers to misrepresent URLs and launch phishing attacks. (CVE-2008-5508) The CSS parser ignores the escaped null character (forward slash "\" followed by 0), which might allow remote attackers to bypass protection mechanisms such as sanitization routines. (CVE2008-5510)

The vulnerabilities can be exploited by malicious people to bypass certain security restrictions, disclose sensitive information, conduct cross-site scripting attacks, or potentially compromise a user's system. OpenSolaris and Solaris 10 for the SPARC and x86 platforms are vulnerable. Workaround: Disable JavaScript on affected systems. To disable JavaScript in Mozilla Thunderbird, the following steps may be used: Open the "Preferences" dialog from the Edit menu. Select the "Advanced" tab Select the "General" tab. Click on the "Config Editor" button. In the "about:config" dialog that opens up, there will be a Filter box. Type "javascript.allow.mailnews" in the Filter box. Double click the property and set its value to "false".

Sun has released updates to address this issue. Refer to Oracle ID 1020452.1 for patch details. This vulnerability is confirmed by detecting "SUNWthunderbird is installed" and "125541-04 is missing."

FTP Vulnerabilities
World Readable and Writeable Directory on Anonymous FTP (QID 27005) CVE-1999-0527

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 129

The FTP server contains a directory with dangerous permissions. This directory is world writeable and world readable. If this is an incoming directory, users should not be able to list its contents. Unauthorized users can write to your FTP server. This FTP directory can be used as a pirate software repository or for adult picture exchanges. You also run the risk of receiving virus or Trojan programs. Do not run unknown files from this area. Unless they are required, remove the directories. Otherwise, make sure that no hidden directories are used for illegal purposes. These hidden directories may be named with control characters or begin with a dot (.), making it harder to detect and remove them. Frequently monitor your FTP server directories. You can schedule a repetitive task with the cron command under Unix, which will execute the following command every week: <DL> <DD>find ~ftp/ -print</DD></DL> This will regularly inform you of all files in this area, and advise you whether or not they are writeable and readable. This vulnerability is confirmed by exploiting the vulnerability. Accounts "ftp" and "anonymous" are used without a password. FTP Generic ../ File Disclosure Vulnerability (QID 27166) This vulnerability allows remote FTP clients to read and possibly write any file on your system. The FTP client sends a malicious request with ../ characters, causing the FTP server to break from the FTP root directory allowing access to any file outside the FTP root directory. Malicious users can read and possibly write any file on your system. Upgrade or change your FTP server. This vulnerability is confirmed by exploiting the vulnerability (reading the hosts file). FTP Backdoor Allows Administrator Privileges (QID 27279) A hacker utility, backdoor or Trojan Horse is installed on a system which allows users to access the FTP server with administrator privileges. This backdoor changes the FTP server behavior. An FTP client connects to the FTP server as below: USER [username]\r\n PASS [password]\r\n The backdoor changes the behavior where [username] and [password] are not needed: USER \r\n PASS \r\n Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 130

Unauthorized users do not require a password, technical knowledge or specific attack programs to login to your FTP server with Administrator privileges. Any FTP client program can be used by unauthorized users to obtain access. Install an upgrade to your FTP service software. Or if the FTP service is not required on this host, shut it down. Then, test the host to verify that the vulnerability was eliminated. This vulnerability is confirmed by exploiting the vulnerability.

GoAhead Webserver Vulnerabilities


GoAhead WebServer /aux Denial of Service Vulnerability (QID 86122) CVE-2001-0385, Bugtraq ID 2607 GoAhead WebServer contains a problem that makes it possible for remote users to deny service to legitimate users of the service. Few details on the nature of this problem are available. Upon accessing the GoAhead WebServer remotely, it is possible for a user to crash the Web server process. After receiving a request for the /aux directory, the GoAhead WebServer becomes unstable. The Web server process dies, requiring a watchdog process or manual restart to resume normal operation.

Gnome Evolution iCalendar Multiple Buffer Overflow Vulnerabilities (QID 115818)


CVE-2008-1108, CVE-2008-1109, Solaris 10, Bugtraq ID 29527 Gnome Evolution is prone to multiple buffer overflow vulnerabilities because it fails to adequately bounds check user-supplied input before copying it to insufficiently sized buffers. The vulnerabilities arise when the application handles the iCalendar attachments. Successful exploitation of these issues will allow an attacker to execute arbitrary code in the context of the application. Failed exploit attempts will likely crash the application. Install vendor update or upgrade to the latest version of GNOME Evolution. For Solaris 10: CVE-2008-1108, CVE-2008-1109 vulnerabilities in Gnome Evolution This vulnerability is confirmed by detecting "Gnome evolution 1.4.6.301c", not by Solaris patch number (119117-52) for SPARC Solaris 10.

GnuPG Vulnerabilities
GnuPG Parse_Comment Remote Buffer Overflow Vulnerability (QID 115432) CVE-2006-3746, GnuPG 1.4.5, Bugtraq ID 19110 GnuPG is an implementation of the OpenPGP standard as defined by RFC2440. Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 131

The parse_comment code in GnuPG (gpg) Versions 1.44 and earlier is vulnerable to a denial of service. A remote attacker can exploit this issue to cause a denial of service condition and possibly overwrite memory. Install vendor update or upgrade GNuPG to version 1.4.5 or later. For Red Hat (CVE-2006-3746): Red Hat Enterprise Linux 2.1 (gnupg) RHSA-2006:0615 gnupg-1.0.7-18 (superseded by RHSA2007:0106 gnupg-1.0.7-21) Red Hat Enterprise Linux 3 (gnupg) RHSA-2006:0615 gnupg-1.2.1-17 (superseded by RHSA2007:0106 gnupg-1.2.1-20) El 4 (gnupg) RHSA-2006:0615 gnupg-1.2.6-6 (superseded by RHBA-2010:0447 gnupg-1.2.69.el4_8.1)

GnuPG Parse_User_ID Remote Buffer Overflow Vulnerability (QID 115405) CVE-2006-3082, Bugtraq ID 18554 GnuPG is an implementation of the OpenPGP standard as defined by RFC2440. The parse-packet.c code in GnuPG (gpg) Versions 1.43, 1.9.20 and earlier is vulnerable to a denial of service. A remote attacker can exploit this issue to cause denial of service conditions and possibly overwrite memory. Install vendor update or upgrade GNuPG to version 1.4.5 or later or 1.9.22 or later. For Red Hat (CVE-2006-3082): Red Hat Enterprise Linux 2.1 (gnupg) RHSA-2006:0571 gnupg-1.0.7-17 Red Hat Enterprise Linux 3 (gnupg) RHSA-2006:0571 gnupg-1.2.1-16 Red Hat Enterprise Linux 4 (gnupg) RHSA-2006:0571 gnupg-1.2.6-5

ICMP Vulnerabilities
Host Responds to One ICMP Request Multiple Times (Smurf Variant) (QID 82002) CVE-1999-0513, Bugtraq ID 147 We have detected that a host belonging to the same class C (whose IP address is given in the report) responds to an ICMP echo request with two or more replies. If a malicious user sends an ICMP echo-request packet to your network broadcast address, then numerous ICMP echo-reply packets will be generated (since all live hosts on the class C network will reply). By spoofing the source address of the ICMP packet (i.e., a victim IP), a malicious user can flood the victim IP without difficulty by using the network as an amplifier (the destination IP would be your broadcast address). Since the source IP address was spoofed, it's difficult to trace the malicious user.

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 132

Typically, the malicious user would retain a huge list of network amplifiers in order to flood a single server. This amount of traffic can cause a server to lose connectivity to the Internet or possibly crash. We strongly advise that you prevent unauthorized users from reaching broadcast address. To do so, filter these IP broadcast addresses on your router or firewall (IP layer protocol). Note, that there could be several broadcast addresses if you're using sub-netting on your network. This vulnerability is detected when the target IP responds to one ICMP echo request more than once. Note that there is no remediation step which can be applied to the device; no patch or configuration change. A mitigation measure (blocking the forwarding of ICMP broadcasts) should be applied at the gateway device (router).

HP HTTP Server Vulnerabilities


HP HTTP Server Remote Unspecified Buffer Overflow Vulnerability (QID 86772) CVE-2005-4823, Bugtraq ID 12566 HP HTTP Server is prone to a remote unspecified buffer overflow vulnerability. The vulnerability may be exploited by a remote attacker to corrupt process memory and ultimately have arbitrarily supplied code executed in the context of the vulnerable process. Upgrade to HP HTTP Server Version 5.96 or later. Refer to HP's Technical Support Web site for upgrade options. This vulnerability is suggested when "CompaqHTTPServer/5.5", "CompaqHTTPServer/5.7", "CompaqHTTPServer/5.91" or "CompaqHTTPServer/5.94" is detected.

HP System Management
HP System Management Homepage Code Execution and Denial of Service (QID 86846) CVE-2006-2937, CVE-2006-2940, CVE-2006-3738, CVE-2006-3747, CVE-2006-4339, CVE-2006-4343, SHM advisory c01118771 The HP System Management Homepage is a Web-based interface. The following security vulnerabilities have been identified for the HP System Management Homepage (SMH) for Linux and Windows: An error in the processing of certain invalid ASN.1 structures can be exploited to cause an infinite loop and consume system memory in an application using OpenSSL. (CVE-2006-2937) Certain types of public keys take overly long time to process when using RSA signature verification and can be exploited to cause a crash in an application using OpenSSL via parasitic public keys with large "public exponent" or "public modulus" values in X.509 certificates. (CVE2006-2940) Page 133

Vulnerability Remediation Synopsis version 0.4Russ Klanke

A buffer overflow in "SSL_get_shared_ciphers()" function can be exploited by sending a list of ciphers to an application using the vulnerable function. (CVE-2006-3738) An off-by-one error in the ldap scheme handling in the Rewrite module (mod_rewrite) can be exploited to crash the Web server via crafted URLs that are not properly handled using certain rewrite rules. (CVE-2006-3747) An error exists within the verification of certain signatures which can be exploited to forge a PKCS 1 signature signed by an RSA key if that key with exponent 3 is used. (CVE-2006-4339) An error in the "get_server_hello" function in the SSLv2 client code can be exploited to cause the client to crash via unknown vectors that trigger a null pointer dereference. (CVE-2006-4343)

This affects HP System Management Homepage (SMH) Versions prior to 2.1.7 running on Linux and Windows. If this vulnerability is successfully exploited, it can allow remote attackers to cause execution of arbitrary code and denial of service. HP System Management Homepage Cross-Site Scripting and Denial of Service Vulnerabilities (QID 86880) CVE-2010-1034, CVE-2008-1468, CVE-2008-4226, CVE-2008-5557, CVE-2008-5814, CVE-2009-1377, CVE2009-1378, CVE-2009-1379, CVE-2009-1386, CVE-2009-1387, c02029444, Bugtraq ID 39632 HP System Management Homepage is a Web-based application used to predict, diagnose, and respond to potential and actual system failures for a single server. Potential security vulnerabilities have been identified with HP System Management Homepage (SMH) for Linux and Windows. Affected Versions: HP System Management Homepage for Windows all versions prior to 6.0 HP System Management Homepage for Linux (x86) all versions prior to 6.0 HP System Management Homepage for Linux (AMD64/EM64T) all versions prior to 6.0

These vulnerabilities could be exploited remotely to allow cross-site scripting, denial of service, execution of arbitrary code, and unauthorized access. HP System Management Homepage Cross-Site Scripting (XSS) Vulnerability (QID 86869) 0586 HP System Management Homepage, also known as Systems Insight Manager, is a Web-based application for managing individual ProLiant and Integrity servers. The application is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize usersupplied input to the "servercert" parameter. Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 134

An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and to steal cookie-based authentication credentials. Authentication is required to exploit this vulnerability. Upgrade to version 6.0.0.96 (or later). This vulnerability is suggested when "CompaqHTTPServer/9.9 HP System Management Homepage/3.0.2.77 httpd/2.2.6+" is detected. Note: Qualys reports "There is no exploitability information for this vulnerability", even though they refer to 0586, which includes a proof of concept. Note: Qualys does not indicate what version is not vulnerable. HP System Management Homepage Multiple Vulnerabilities (QID 86938) CVE-2010-1917, CVE-2010-2531, CVE-2010-2939, CVE-2010-2950, CVE-2010-3709, CVE-2010-4008, CVE2010-4156, CVE-2011-1540, CVE-2011-1541, SHM advisory c02735910 A potential security vulnerability has been identified with HP System Management Homepage for Linux and Windows. Affected Versions: HP System Management Homepage for Linux (x86) prior to v6.3 HP System Management Homepage for Linux (AMD64/EM64T) prior to v6.3 HP System Management Homepage for Windows prior to v6.3

These vulnerabilities could be exploited remotely resulting in unauthorized access, execution of arbitrary code and denial of service. Upgrade to Version 6.3 (or later). This vulnerability is suggested when "CompaqHTTPServer/9.9 HP System Management Homepage/6.1.0.103" is detected. HP System Management Homepage Multiple Vulnerabilities (QID 86849) CVE-2008-5077, CVE-2008-5814, SHM advisory c01743291 The HP System Management Homepage is a Web-based interface. The following security vulnerabilities have been identified HP System Management Homepage (SMH) for Linux and Windows running PHP and OpenSSL: A flaw exists in the way OpenSSL checks for verification of certificates which allows spoofing attacks to be conducted. Several functions inside OpenSSL fail to properly check the return value from the EVP_VerifyFinal function when validating the signature of DSA and ECDSA keys. This Page 135

Vulnerability Remediation Synopsis version 0.4Russ Klanke

allows malicious users to bypass certificate validation using a malformed SSL/TLS signature. (CVE-2008-5077) A cross-site scripting flaw exists in OpenSSL in the way PHP reports errors for invalid cookies. If the PHP interpreter has "display_errors" enabled, a remote attacker can exploit this flaw by setting a specially-crafted cookie on a victim's system to inject arbitrary HTML into an error message generated by PHP. (CVE-2008-5814)

If this vulnerability is successfully exploited, it can allow remote attackers to conduct cross-site scripting and spoofing attacks. HP System Management Homepage (SMH) prior to Version 3.0.1.73 running on Linux, and Windows 2003 and 2008 are affected by these issues. Upgrade to HP System Management Homepage (SMH) 3.0.1.73 (or later). This vulnerability is reported when "CompaqHTTPServer/9.9 HP System Management Homepage/2.1.12.200" is detected. HP System Management Homepage Remote Cross-Site Scripting Vulnerability (QID 86951) CVE-2009-4185, SHM advisory c02000727 A potential security vulnerability has been identified with HP System Management Homepage for Linux and Windows. This vulnerability could be exploited remotely to allow cross-site scripting and unauthorized access. Affected Versions: HP System Management Homepage for Windows versions prior to 6.0.0.96 are affected. HP System Management Homepage for Linux versions prior to 6.0.0-95 are affected.

This vulnerability is reported when "CompaqHTTPServer/9.9 HP System Management Homepage/2.0.2.109" is detected. HP System Management Homepage TLS/SSL Vulnerability (QID 86887) CVE-2009-3555, SHM advisory c02171256 The HP System Management Homepage is a Web-based interface. The following TLS/SSL vulnerabilities have been identified in HP System Management Homepage for Linux and Windows: A vulnerability caused by an error in the TLS protocol while handling session re-negotiations, which can be exploited to insert arbitrary plaintext before data sent by a legitimate client in an existing TLS session via Man-in-the-Middle attacks. Page 136

Vulnerability Remediation Synopsis version 0.4Russ Klanke

A vulnerability caused by the library not properly verifying the return value of the "bn_wexpand()" function.

These vulnerabilities could be exploited remotely to allow unauthorized information disclosure, unauthorized data modification or cause a denial of service. Affected Versions: HP System Management Homepage for Windows all versions prior to 6.1 HP System Management Homepage for Linux (x86) all versions prior to 6.1 HP System Management Homepage for Linux (AMD64/EM64T) all versions prior to 6.1

Update to Version 6.1.0.102 for Windows and to Version 6.1.0-103 for Linux to resolve these vulnerabilities. This vulnerability is reported when "CompaqHTTPServer/9.9 HP System Management Homepage/2.0.2.109" is detected.

HP Openview Vulnerabilities
HP Openview NNM Embedded Database Present (QID 38210) The ovdbrun process for HP Openview Network Node Manager Embedded Database is running on the host. Note: Qualys will often report that the operating system could not be determined and then report the operating system when this vulnerability is reported. For example, "Detected service hpovdb and os SOLARIS 9-11".

IBM DB2 Vulnerabilities


IBM DB2 Universal Database Known Default Password Vulnerability (QID 19008) CVE-2001-0051, Bugtraq ID 2068 IBM DB2 Universal Database, a distributed database application, contains a default username and password, which enables unauthorized users to access the database. These are: DB2 Universal Database for Windows NT DB2 Universal Database for Linux Username db2admin db2inst1, db2as, db2fenc1 Password db2admin ibmdb2 During the installation of DB2, the administrator is not prompted to change the default passwords. Therefore, unauthorized users can access the database if they know the default username and password. Note: Qualys does not test the default password. Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 137

Note: Qualys will often report that the operating system could not be determined and then report the operating system when this vulnerability is reported. For example, "IBM_DB2_Universal_Database and os SOLARIS 10". IBM DB2 Listener Detected (QID 19207) IBM DB2 TCP listener was detected on the host. Note: Qualys will often report that the operating system could not be determined and then report the operating system when this vulnerability is reported. For example, "Detected service IBM_DB2_Universal_Database and os SOLARIS 9-11". IBM DB2 Universal Database Multiple Denial of Service Vulnerabilities (QID 19209) CVE-2006-3068, CVE-2006-3067, CVE-2006-3066, IBM IY76767, IBM IY79204, IBM IY82725, IBM IY84096, Bugtraq ID 18428 IBM DB2 Universal Database Server is vulnerable to multiple denial of service issues. The following specific issues were identified: A buffer overflow condition occurs because of bad connect requests. Specifically, a malicious "CONNECT" or "ATTACH" request sent to a DB2 server may cause the application to crash. A problem with the "column list" when an incorrect delimiter is used can cause the process stack to be overwritten with the column list. This immediately results in a crash. A corruption occurs on a downlevel client that can cause incorrect information to be sent to the server. The server fails to handle the information properly and memory can be overwritten, resulting in a crash. A malformed SQL statement with an excessively large value supplied as part of the "IN" clause may trigger a crash in the application. Attackers may exploit these vulnerabilities to cause a denial of service on the vulnerable host.

These issues affect DB2 versions prior to 8 FixPak 10 also known as Version 8.2 FixPak 3. This vulnerability is suggested when "IBM_DB2_Universal_Database and os SOLARIS 9-11" is detected. Note: Qualys will often report that the operating system could not be determined and then report the operating system when this vulnerability is reported. For example, "IBM_DB2_Universal_Database and os SOLARIS 9-11".

IBM HTTP Vulnerabilities


IBM HTTP Server "apr_fnmatch()" Denial of Service Vulnerabilities (QID 86952) CVE-2011-0419, CVE-2011-1928, swg1PM38826 IBM HTTP Server powered by Apache is based on the Apache HTTP Server available for multiple platforms. Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 138

IBM HTTP Server is prone to following vulnerabilities: A stack overflow vulnerability via a specially crafted request containing wildcard characters, is caused by an infinite recursion error within the "apr_fnmatch()" function when processing certain patterns. A denial of server vulnerability is caused by an error in the "apr_fnmatch()" function when processing certain patterns

Successfully exploiting these vulnerabilities might allow a remote attacker to cause a denial of service. Affected Versions: IBM HTTP Server versions prior to 6.1.0.39, 7.0.0.19 and 8.0.0.1

This vulnerability is suggested when "Detected on port 8008 - IBM_HTTP_Server/6.1.0.27 Apache/2.0.47 (Unix)". IBM HTTP Server Multiple Vulnerabilities (QID 86875) CVE-2010-0408, CVE-2010-0434, IBM HTTP Server Multiple vulnerabilities have been reported in IBM HTTP Server: The "ap_proxy_ajp_request()" function in modules/proxy/mod_proxy_ajp.c of the mod_proxy_ajp module returns the "HTTP_INTERNAL_SERVER_ERROR" error code when processing certain malformed requests. This can be exploited to put the back end server into an error state until the retry timeout expired by sending specially crafted requests. An error exists within the header handling when processing subrequests, which can lead to sensitive information from a request being handled by the wrong thread if a multi-threaded Multi-Processing Module is used.

These vulnerabilities have been reported in version 6.0, 6.1 and 7.0 running on WebSphere Application Server Community Edition. Successful exploitation allows malicious people to disclose potentially sensitive information and cause a denial of service.

IETF RADIUS Vulnerabilities


IETF RADIUS Dictionary Attack Vulnerability (QID 38120) Bugtraq ID 3532 The RADIUS Authentication protocol is a standard used for remote authentication of users. It is commonly used by ISPs to authenticate dial-up users, although it has wider applications. Communication with a RADIUS server is conducted through a pair of request/response UDP packets. Some level of authentication is provided by use of a shared secret between the RADIUS client and server, often implemented as a 16 character typable password. Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 139

When an authentication request packet is constructed, it must contain the authenticating user's account and password. Additionally, it contains a random 128-bit value called the 'Request Authenticator'. In order to avoid transmitting the user password in clear text, the password is encrypted with a block cipher. The block cipher is, in some sense, intialized with the value of the shared secret concatenated with the value of the Request Authenticator. The intial 16-byte block is encrypted through the following formula: BLOCK = MD5(Shared_Secret + Request_Authenticator) XOR Password As a result, any attacker able to watch network traffic for a request made with a known password may trivially isolate the result of the MD5 hash and the value of the Request Authenticator. At this point, a dictionary attack may be launched against the shared secret. An attacker with the ability to monitor network traffic may be able to launch dictionary attacks against user passwords.

IP Vulnerabilities
IP Spoofing (QID 34009) The filtering device doesn't block spoofed IP packets. Packets going to the external firewall interface with internal network IP addresses seem to be accepted. An attacker can send packets that appear to be coming from trusted internal IP addresses in order to fool some services based on UDP protocol, such as most RPC portmappers. Note that the detection of this vulnerability is based on the values of the "Identification" filed in the IP packets originated from the target host. The detection is therefore most reliable when the target host is not handling a lot of network traffic from sources other than the scanner. Combined with a TCP sequence prediction vulnerability, an attacker may be able to establish a blind TCP connection that seems to originate from a trusted internal IP address. An attacker can use this to bypass IP-based authentication, which is sometimes used in services like rlogin, bgp, cisco tftp, etc. Change your firewall policy to deny packets coming on the external interface with a source IP from the internal network. You should also deny packets on the external interface with a source IP that is nonroutable, such as 10.0.0.1 or 127.0.0.1. The vulnerability is confirmed by exploiting the vulnerability. IP Forwarding Enabled (QID 115284) CVE-1999-0511 If this machine is not a router or a firewall, then IP forwarding should not be activated. If this machine is not intended to be a router, then it may allow a malicious user to access your internal network. Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 140

Disable IP fowarding by following the appropriate instructions below: On Windows 2000 and Windows NT, set the value of the following registry key to zero: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter On Linux, insert this line in your startup script: sysctl -w net.ipv4.ip_forward=0 On Solaris, HP-UX B11.11 and B11.00, insert this line in your startup script: ndd -set /dev/ip ip_forwarding 0 On Mac OS X, insert this line in your startup script: sysctl -w net.inet.ip.forwarding=0

This vulnerability is determined by detecting that IP forwarding is enabled.

ISC BIND Vulnerabilities


ISC BIND 9 Remote Denial of Service (DoS1 bug) Vulnerability (QID 15021) CVE-2002-0400, Bugtrag ID 4936 BIND is a server program that implements the Domain Name Service (DNS) protocol. It is widely used on the Internet, and by most of the DNS servers. A vulnerability has been reported in some versions of BIND 9. Under some circumstances, the name server named may fail an internal consistency check. Once this occurs, the server will no longer respond to additional DNS requests. It is possible for a remote malicious user to reliably exploit this vulnerability. This may result in a denial of service attack against legitimate users of the service. A restart may be required in order to regain normal functionality. By exploiting this vulnerability, a malicious user can initiate a denial of service attack. ISC BIND Pre 9.2.2 Multiple Possible Vulnerabilities (QID 15031) ISC BIND is a server program that implements the Domain Name Service protocol. It is widely used on the Internet. ISC released BIND Version 9.2.2, which includes fixes for multiple security issues. It is not clear whether these are new issues or old issues. The following note appears on the BIND security Web page: ISC has discovered or has been notified of several bugs which can result in vulnerabilities of varying levels of severity in BIND as distributed by ISC. Upgrading to BIND version 9.2.2 is strongly recommended. If you cannot upgrade, BIND 8.3.4, 8.2.7, and 4.9.11 are also available. It is possible that this may only refer to known documented vulnerabilities. However, this release may also include fixes for new issues but this is not yet confirmed. The consequences were known when these notes were written. Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 141

ISC BIND Multiple Remote Denial of Service Vulnerabilities (QID 15052) CVE-2006-4095, CVE-2006-4096, BIND Vulnerability Matrix, RHBA-2006-0288, RHBA-2006-0287, Bugtraq ID 19859 ISC BIND is prone to multiple denial of service vulnerabilities. The following specific issues have been disclosed. A denial of service vulnerability affects the SIG query processing. For recursive servers, this issue triggers denial of service conditions when more than one Resource Record Set (RRset) is returned for a SIG record query. For authoritative servers serving a RFC 2535 DNS Security Extensions (DNSSEC) zone, this issue will cause a crash when the nameserver tries to construct a reponse to a SIG query where there is more than one RRset. This issue can be minimized for recursive servers by restricting which sources can ask for recursion. A denial of service vulnerability affects the ISC BIND recursive query handling code. An INSIST failure may occur when a response to multiple recursive queries fails to be delivered due to clients no longer being in the recursion queue. Exposure to this issue can be mitigated by restricting which sources can ask for recursion.

An attacker can exploit these issues to cause denial of service conditions, effectively denying service to legitimate users. ISC BIND 9 Cache Poisoning Vulnerability (QID 15054) CVE-2008-1447, RHSA-2008-0533, Sun Alert ID 239392, US-CERT VU800113, Bugtraq ID 30131 A remote DNS cache poisoning vulnerability affects BIND Version 9 due to properties inherent to the DNS protocol that lead to practical DNS cache poisoning attacks. Successful attacks can lead to misdirected Web traffic and email rerouting. ISC BIND 9 DNSSEC Bogus NXDOMAIN Response Remote Cache Poisoning Vulnerability (QID 15057) CVE-2010-0097, CVE-2009-4022, BIND 9 DNSSEC Validation Code Vulnerability, BIND 9 Cache Update from Additional Section (Updated), Bugtraq ID 37865 ISC BIND (Berkley Internet Domain Name) is an implementation of DNS protocols. It is prone to the following vulnerabilities: A remote DNS cache-poisoning vulnerability affects BIND 9. This issue occurs because the software may improperly cache "bogus" NXDOMAIN query responses for records proven by NSEC or NSEC3 to exist. These cached responses may then be returned in response to subsequent DNSSEC queries. (CVE-20100097) A vulnerability is caused due to BIND caching CNAME or DNAME records of a response without proper DNSSEC verification when processing recursive client requests with checking disabled (CD) or internally triggered queries for missing records for recursive name resolution. Successful exploitation requires that Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 142

recursive queries are enabled and that the nameserver performs DNSSEC validation for its clients. Authoritative-only nameservers are not affected. (CVE-2009-4022) Versions prior to the following are vulnerable: BIND 9.4.3-P5 BIND 9.5.2-P2 BIND 9.6.1-P3

An attacker may be able to add fake NXDOMAIN records to a resolver's cache. Attackers may also leverage this issue to manipulate cache data, potentially facilitating man-in-the-middle, siteimpersonation, or denial of service attacks.

Java Vulnerabilities
Java Runtime Environment Multiple Privilege Escalation Vulnerabilities (QID 115435) CVE-2005-3904, CVE-2005-3905, CVE-2005-3906, CVE-2006-0617, CVE-2006-0616, CVE-2006-0615, CVE2006-0614, Sun Alert ID 102171, Sun Alert ID 102050 (SunSolve ID 230789), Sun Alert ID 102017, Sun Alert ID 102003 (SunSolve ID 201372), Bugtraq ID 15615 The Java Runtime Environment (JRE) is the virtual Java platform on which all Java applications are run. JRE is susceptible to various privilege escalation vulnerabilities. These issues can allow remote Java applications to read/write local files and execute arbitrary applications in the context of an affected user. The target system is affected by one or more of the following issues: Three security vulnerabilities with the use of "reflection" APIs in the JRE may (independently) allow an untrusted applet to elevate its privileges. For example, an untrusted applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet. A vulnerability with the Java Management Extensions (JMX) implementation included with the JRE may allow an untrusted applet to elevate its privileges. For example an applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet. A vulnerability in the JRE may allow an untrusted applet to elevate its privileges. For example, an applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet. Seven vulnerabilities with the use of "reflection" APIs in the JRE may independently allow an untrusted applet to elevate its privileges. For example an applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet. Page 143

Vulnerability Remediation Synopsis version 0.4Russ Klanke

An untrusted applet may grant itself permissions to read and write local files or execute local applications that are accessible to the user running the untrusted applet. Sun has issued the following fixes: SDK and JRE 1.3.1_17 and later SDK and JRE 1.4.2_09 and later JDK and JRE 5.0 Update 4 and later

Note: Some of the vulnerabilities were fixed in earlier versions. Please refer to the following Sun advisories for additional details: Oracle ID 1001045.1 Oracle ID 1000822.1 Oracle ID 1018933.1 Oracle ID 1000543.1

IBM Patches: IBM has issued fixes to resolve this vulnerability. Please update to the following for AIX, Windows and Linux platforms: IBM SDK 1.4.2 Service Release 3 (SR3) and later IBM SDK 1.3.1 Service Release 9 (SR9) and later

Refer to IBM ADVISORY to obtain additional information on the vulnerability and patch details. java -fullversion java full version "J2RE 1.3.1 IBM build cxia32131-20031021" Red Hat IBMJava2 Security Update (QID 115846) CVE-2007-2788, CVE-2007-2789, CVE-2007-3004, CVE-2007-3005, CVE-2007-3922, RHSA-2008-0133 Note: CVE-2007-3004 should not be referred, as it is a rejected candidate and a duplicate of CVE-20072788. A buffer overflow issue exists in the Java Runtime Environment image-handling code. An untrusted applet or application could use this flaw to elevate its privileges and potentially execute arbitrary code as the user running the Java virtual machine. For Red Hat (CVE-2007-2788, CVE-2007-2789, CVE-2007-3004, CVE-2007-3005, CVE-2007-3922): Red Hat Enterprise Linux 2.1 RHSA-2008:0133 IBMJava2-JRE-1.3.1-17 Red Hat Enterprise Linux 3 Extras (java-1.4.2-bea) RHSA-2008:0100 java-1.4.2-bea-1.4.2.161jpp.1.el3 (superseded by RHSA-2008:0243 java-1.4.2-bea-1.4.2.16-1jpp.2.el3) Page 144

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Red Hat Enterprise Linux 3 Extras (java-1.4.2-ibm) RHSA-2007:0817 Red Hat Enterprise Linux 4 Extras RHSA-2007:1086 Red Hat Enterprise Linux 4 Extras (java-1.4.2-ibm) RHSA-2007:0817 Red Hat Enterprise Linux 4 Extras (java-1.5.0-ibm) RHSA-2007:0829 Red Hat Enterprise Linux 4 Extras (java-1.5.0-sun) RHSA-2007:0818 Red Hat Enterprise Linux Supplementary (v. 5) (java-1.4.2-bea) RHSA-2008:0100 Red Hat Enterprise Linux Supplementary (v. 5) (java-1.4.2-ibm) RHSA-2007:0817 Red Hat Enterprise Linux Supplementary (v. 5) (java-1.5.0-bea) RHSA-2007:0956 Red Hat Enterprise Linux Supplementary (v. 5) (java-1.5.0-ibm) RHSA-2007:0829 Satellite Server v 4.2 (RHEL v.3 AS) RHSA-2008:0524 Satellite Server v 4.2 (RHEL v.4 AS) RHSA-2008:0524 Satellite Server 5.0 (RHEL v.4 AS) RHSA-2008:0261

Red Hat Update for IBMJava2 (QID 116314) CVE-2006-4339, CVE-2006-6731, CVE-2006-6736, CVE-2006-6737, CVE-2007-0243, RHSA-2007-0072 The IBM Java Version 1.3.1 release includes the IBM Java 2 Runtime Environment and the IBM Java 2 Software Development Kit. The following vulnerabilities exist in Java Version 1.3.1: Multiple vulnerabilities the Java Runtime Environment (JRE) allows attackers to use untrusted applets to access data in other applets. (CVE-2006-6736, CVE-2006-6737) Buffer overflow vulnerabilities in Java Runtime Environment, Sun Java Development Kit (JDK) and Java System Development Kit (SDK) allow attackers to develop Java applets that read, write, or execute local files and applications via: (CVE-2006-6731) o integer overflows in the "Java_sun_awt_image_ImagingLib_convolveBI", "awt_parseRaster", and "awt_parseColorModel" functions; o stack overflow in the "Java_sun_awt_image_ImagingLib_lookupByteRaster" function; o certain negative values in the "Java_sun_font_SunLayoutEngine_nativeLayout" function. Buffer overflow in Sun JDK and Java Runtime Environment (JRE) 5.0 Update 9 and earlier, SDK and JRE 1.4.2_12 and earlier, and SDK and JRE 1.3.1_18 and earlier allows applets to gain privileges via a GIF image with a block with a 0 width field, which triggers memory corruption. (CVE-2007-0243) A signature forging attack on the PKCS 1 v1.5 signatures where an RSA key with exponent 3 is used, can be exploited by an attacker to forge a PKCS 1 v1.5 signature that would be incorrectly verified by implementations that do not check for excess data in the RSA exponentiation result of the signature. (CVE-2006-4339)

If this vulnerability is successfully exploited, it could allow an untrusted applet to elevate its privileges, possibly reading and writing local files or executing local applications.

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 145

IBMJava2-JRE and IBMJava2-SDK packages that fix these security issues are available for Red Hat Enterprise Linux Version 2.1. IBM's 1.3.1 SR10a Java release resolves this issue. Upgrade to the latest packages which contain a patch. For Red Hat (CVE-2006-4339, CVE-2006-6731, CVE-2006-6736, CVE-2006-6737, CVE-2007-0243): Red Hat Enterprise Linux 5 is not vulnerable to the CVE-2006-4339 issue as it contains a backported patch. Red Hat Enterprise Linux 2.1 RHSA-2006:0661 openssl-0.9.6b-43, RHSA-2007:0072 IBMJava2JRE-1.3.1-12 (superseded by RHSA-2008:0133 IBMJava2-JRE-1.3.1-17) Red Hat Enterprise Linux 3 RHSA-2006:0661 openssl-0.9.7a-33.18 and openssl096b-0.9.6b-16.43 (superseded by RHSA-2010:0163 openssl-0.9.7a-33.26 and RHSA-2010:0173-2 openssl096b0.9.6b-16.50) Red Hat Enterprise Linux 3 Extras (java-1.4.2-ibm) RHSA-2007:0062, RHSA-2007:0166 Red Hat Enterprise Linux 4 RHSA-2006:0661 Red Hat Enterprise Linux 4 Extras (java-1.4.2-ibm) RHSA-2007:0062, RHSA-2007:0166 Red Hat Enterprise Linux 4 Extras (java-1.5.0-ibm) RHSA-2007:0073, RHSA-2007:0167 Red Hat Enterprise Linux Server Supplementary (v. 5) (java-1.4.2-ibm) RHSA-2007:0166 Red Hat Enterprise Linux Server Supplementary (v. 5) (java-1.5.0-bea) RHSA-2007:0956 Red Hat Enterprise Linux Supplementary (v. 5) (java-1.5.0-ibm) RHSA-2007:0167 Network Satellite Server 5.0 (RHEL v.4 AS) RHSA-2008:0264, RHSA-2008:0261 Network Satellite Server 5.1 (RHEL v.4 AS) RHSA-2008:0629 Network Satellite Server v 4.2 (RHEL v.3 AS) RHSA-2008:0525, RHSA-2008:0524 Network Satellite Server v 4.2 (RHEL v.4 AS) RHSA-2008:0525, RHSA-2008:0524

Sun Java JDK JRE Multiple Vulnerabilities (QID 116345) CVE-2009-1093, CVE-2009-1094, CVE-2009-1095, CVE-2009-1096, CVE-2009-1097, CVE-2009-1098, CVE2009-1100, CVE-2009-1101, CVE-2009-1102, Sun Alert ID 254569, Sun Alert ID 254570, Sun Alert ID 254608, Sun Alert ID 254611, Sun Alert ID 254610, Sun Alert ID 254571, Sun Alert ID 254609, Oracle ID 1020224.1, Oracle ID 1020225.1, Oracle ID 1020228.1, Oracle ID 1020231.1, Oracle ID 1020230.1, Oracle ID 1020226.1, Oracle ID 1020229.1 The following vulnerabilities have been reported in Sun Java Runtime Environment (JRE) and Java Software Development Kit (JDK): A denial of service vulnerability in LdapCtx in the LDAP service in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) fails to close the connection when initialization fails, allowing remote attackers to cause the LDAP service to hang. (CVE-2009-1093) An unspecified vulnerability in the LDAP client implementation allows remote LDAP servers to execute arbitrary code on an LDAP client via unknown vectors related to serialized data. (CVE2009-1094)

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 146

Integer and buffer overflow vulnerabilities in the Java Runtime Environment (JRE) with unpacking applets and Java Web Start applications using the "unpack200" JAR unpacking utility allows remote attackers to access files or execute arbitrary code via a JAR file with crafted Pack200 headers. (CVE-2009-1095, CVE-2009-1096) Multiple buffer overflows in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) can trigger an integer overflow during memory allocation during display on the splash screen. This flaw can be exploited by remote attackers to access files or execute arbitrary code via a crafted PNG image and a crafted GIF image. (CVE-2009-1097) A buffer overflow vulnerability in the Java Runtime Environment with processing GIF images may allow an untrusted applet or Java Web Start application to escalate privileges. (CVE-20091098) Two security vulnerabilities in the Java Runtime Environment (JRE) with storing and processing temporary font files allow remote attackers to consume disk space via vectors related to temporary font files. (CVE-2009-1100) A security vulnerability in the lightweight HTTP server implementation in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) may allow a remote unprivileged user to create a denial of service condition on a JAX-WS service endpoint that runs on the JRE. (CVE-2009-1101) A vulnerability in the Virtual Machine in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) with code generation may allow an untrusted applet to elevate its privileges. (CVE-2009-1102)

If this vulnerability is successfully exploited, it allows attackers to bypass certain security restrictions, cause a denial of service or compromise a user's system. Platforms affected and links to updates: Versions prior to JDK and JRE 6 Update 13 Versions prior to JDK and JRE 5.0 Update 18 Versions prior to SDK and JRE 1.4.2_20 Versions prior to SDK and JRE 1.3.1_25 (for customers with Solaris 8 and Vintage Support Offering support contracts)

Please refer to the following Sun advisories for additional details: Oracle ID 1020224.1 Oracle ID 1020225.1 Oracle ID 1020228.1 Oracle ID 1020231.1 Oracle ID 1020230.1 Oracle ID 1020226.1 Oracle ID 1020229.1

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 147

This vulnerability is confirmed by detecting "java version java version "1.6.0_12" and "Java(TM) SE Runtime Environment (build 1.6.0_12-b04) Java HotSpot(TM) Server VM (build 11.2-b01, mixed mode)" Security Vulnerability in the JRE With Parsing XML Data May Allow a Remote Client to Create a Denial of Service (QID 116556) CVE-2009-2625, Sun Alert ID 263489, Oracle ID 1020713.1 The Java Runtime Environment is the virtual Java platform on which all Java applications are run. It is provided for a number of platforms, including Microsoft Windows, Unix and Unix variants. A security vulnerability exists in Apache Xerces2 Java, as used in Sun Java Runtime Environment, which allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input.

This issue can occur in the following Java SE and Java SE for Business releases for Windows, Solaris, and Linux: JDK and JRE 6 Update 14 and earlier JDK and JRE 5.0 Update 19 and earlier

Successful exploitation of this vulnerability may allow a remote client to create a denial of service on the system that the JRE runs on. This issue is addressed in the following Java SE and Java SE for Business releases for Windows, Solaris, and Linux: JDK and JRE 6 Update 15 or later JDK and JRE 5.0 Update 20 or later

JDK 6 Update 15 is available for Solaris in the following patches: Java SE 6 Update 15 (as delivered in patch 125136-16) Java SE 6 Update 15 (as delivered in patch 125137-16 (64bit)) Java SE 6_x86 Update 15 (as delivered in patch 125138-16) Java SE 6_x86 Update 15 (as delivered in patch 125139-16 (64bit))

JDK 5 Update 20 is available for Solaris in the following patches: J2SE 5.0 Update 18 (as delivered in patch 118666-21) J2SE 5.0 Update 18 (as delivered in patch 118667-21 (64bit)) J2SE 5.0_x86 Update 18 (as delivered in patch 118668-21) J2SE 5.0_x86 Update 18 (as delivered in patch 118669-21 (64bit))

Java SE for Business Releases is available at Java for Business. Refer to Oracle ID 1020713.1 to obtain additional details on this vulnerability. Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 148

This vulnerability is confirmed by detecting "java version java version "1.6.0_12" Java(TM) SE Runtime Environment (build 1.6.0_12-b04) Java HotSpot(TM) Server VM (build 11.2-b01, mixed mode)" Sun Java Transport Layer and Secure Sockets Layer 3.0 Security Vulnerability (QID 116804) CVE-2009-3555, Sun Alert ID 273350, Oracle ID 1021671.1 A security vulnerability exists in the Transport Layer Security (TLS) and Secure Sockets Layer 3.0 (SSLv3) protocols in the handling of session re-negotiations affects applications utilizing Network Security Services (NSS). This vulnerability does not allow one to decrypt the intercepted network communication. This issue may allow a remote unauthenticated user with the ability to intercept and control network traffic to perform a man-in-the-middle (MITM) attack to inject arbitrary plain text at the beginning of an application protocol stream, thus compromising the integrity of the communication. Refer to Oracle ID 1021671.1 to address this issue and obtain patch information. Patch 119213-27. This vulnerability is confirmed by detecting "SUNWjss is installed 119213-21 is missing."

JBoss Vulnerabilities
JBoss HttpAdaptor JMXInvokerServlet is Accessible to Unauthenticated Remote Users (QID 12476) JBoss allows for using adaptors for accessing MBean services over any supported protocols. For HTTP, the JBoss AS provides the HttpAdaptor. This Invoker accepts HTTP POST requests which contain a serialized JMX invocation in the data section (the objects belong to the JBoss AS Java class MarshalledInvocation). After deserialization the object is forwarded to the target MBean. Using this functionality an attacker can invoke the BSHDeployer MBean to create a local file and later call MainDeployer to deploy the locally created file. In a default installation, the HttpAdaptor is not activated. However, the HttpAdaptor's JMX Invoker is running and publicly available at the URL http://localhost:port/invoker/JMXInvokerServlet. Successfully exploiting this security issue might allow a remote attacker to access the HttpAdaptor JMXInvokerServlet and deploy WAR files. JBoss JMX Console is Accessible to Unauthenticated Remote Users (QID 12481) The JMX Console allows direct interaction with a JBoss Application Server (JBoss AS) components using a Web browser. It allows for easy administration of the JBoss AS, as it gives a complete overview of all MBeans registered with the MBean Server. MBean attributes and methods can be used directly, as long as no complex data types are necessary as parameter values.

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 149

In default installations, JMX Console is not secured and can give easy access to system critical JBoss AS components. Successfully exploiting this security issue might allow a remote attacker to gain sensitive information or deploy WAR files. JBoss Web Console is Accessible to Unauthenticated Remote Users (QID 12482) JBoss Web Console is like the JMX Console that allows direct interaction with a JBoss Application Server (JBoss AS) components using a Web browser. JBoss Web Console provides an extended view of the JBoss AS components showing the components in a tree structure. In default installations, Web Console is not secured and can give easy access to system critical JBoss AS components. Successfully exploiting this security issue might allow a remote attacker to gain sensitive information or deploy WAR files. Workaround: Restrict unauthenticated access to the Web Console. This vulnerability is confirmed by exploiting the vulnerability. JBoss EJBInvokerServlet is Accessible to Unauthenticated Remote Users (QID 12483) JBoss allows for using adapters for accessing MBean services over any supported protocols. For HTTP, the JBoss AS provides the HttpAdaptor. In default installations, EJBInvokerServlet is not secured and can give easy access to system critical JBoss AS components. The EBJInvokerServlet is publicly available at the URL http://localhost:port/invoker/EJBInvokerServlet Successfully exploiting this security issue might allow a remote attacker to access the EBJInvokerServlet and deploy WAR files. JBoss JMX Console and Web Console Unrestricted Access Vulnerability (QID 86768) CVE-2007-1036, SecureTheJmxConsole JBoss JMX Console and Web Console are vulnerable to information disclosure. JBoss may allow unauthenticated access to JMX Console and Web Console servlets. A remote attacker can exploit this vulnerability by gaining access to sensitive information. Refer to SecureTheJmxConsole for information on securing the JMX Console and Web Console. This vulnerability is confirmed by exploiting the vulnerability. JBoss Application Server Web Console and JMX Management Console Authentication Bypass Vulnerability (QID 86882) CVE-2010-1428, Bug 585899, Bugtraq ID 39710

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 150

JBoss Enterprise Application Platform is the market leading platform for innovative and scalable Java applications that integrate the JBoss Application Server, with JBoss Hibernate and JBoss Seam into a complete, simple enterprise solution. JBoss EAP is prone to the following vulnerability: Unauthenticated access to the JBoss Application Server Web Console(/web-console), JMX Console is blocked by default. However, it was found that this block was incomplete, and only blocked GET and POST HTTP verbs. A remote attacker could use this flaw to gain access to sensitive information. This release contains a Web Console with an updated configuration that now blocks all unauthenticated access to it by default. (CVE-2010-1428)

JBoss Enterprise Application Platform 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 are affected with this issue. Successful exploitation allows attackers to bypass the authentication and allows unauthorized disclosure of information. JBoss Enterprise Application Platform Status Servlet Request Remote Information Disclosure (QID 86883) CVE-2008-3273, CVE-2010-1429, Bug 585900, Bugtraq ID 39710 JBoss Enterprise Application Platform is a platform for Java applications, integrating the JBoss Application Server, with JBoss Hibernate and JBoss Seam into an enterprise solution. JBoss EAP is prone to the following vulnerability: The RHSA-2008:0827 update fixed an issue (CVE-2008-3273) where unauthenticated users were able to access the status servlet; however, a bug fix included in the RHSA-2009:0348 update re-introduced the issue. A remote attacker could use this flaw to acquire details about deployed Web contexts. (CVE-20101429) JBoss Enterprise Application Platform 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 are affected with this issue. Successful exploitation allows unauthorized disclosure of information. The vendor has released patches to resolve this issue. Refer to Red Hat security advisory Bug 585900 to address this issue and obtain further details.

K Desktop Environment (KDE) Vulnerabilities


kdelibs, kdebase Security Update (QID 115387) CVE-2004-0746, RHSA-2004-412, Bugtraq ID 11186

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 151

Konqueror is exposed to a cross-domain cookie injection vulnerability. The issue presents itself due to a design error in Konqueror browser that allows cookies to be incorrectly sent to other domains. It is reported that under normal circumstances cookies are only sent to the host that issued them, however an attacker can bypass this behavior by using the optional "domain" attribute. For example, if an attacker from www.example.co.uk sets a cookie with the "domain" attribute in the following manner: domain=.co.uk This will send the cookie to all computers in the following domain: .co.uk An attacker can entice a user to follow a link to the attacker's malicious site, and when the user visits the attacker's site followed by the legitimate site the attacker may hijack the user's session. For Red Hat (CVE-2004-0746): Red Hat Enterprise Linux 2.1 RHSA-2004:412 kdebase-2.2.2-12 and kdelibs-2.2.2-13 (superseded by RHSA-2005:009 kdebase-2.2.2-15 and RHSA-2006:0720 kdelibs-2.2.2-21.EL2) Red Hat Enterprise Linux 3 RHSA-2004:412 kdebase-3.1.3-5.4 and kdelibs-3.1.3-6.6 (superseded by RHSA-2007:0494 kdebase-3.1.3-5.16 and RHSA-2009:1128 kdelibs-3.1.3-6.13)

Note: Qualys includes CVE-2004-0867; however, this is a Firefox vulnerability. Red Hat kdelibs Security Update (QID 115437) CVE-2006-4811, RHSA-2006:0720, Bugtraq ID 20599 The kdelibs package provides libraries for the K Desktop Environment (KDE). Qt is a GUI software toolkit for the X Window System. kdelibs packages on Red Hat systems are exposed to an integer overflow flow issue. The KDE khtml library uses Qt in such a way that untrusted parameters could be passed to Qt, triggering the overflow. An attacker could for example create a malicious Web page that when viewed by an unsuspecting user in the Konqueror browser would cause Konqueror to crash or possibly execute arbitrary code with the privileges of the user. For Red Hat (CVE-2006-4811): Red Hat Enterprise Linux 2.1 (kdelibs) RHSA-2006:0720 kdelibs-2.2.2-21.EL2 Red Hat Enterprise Linux 2.1 (qt) RHSA-2006:0725 qt-2.3.1-12.EL2 Red Hat Enterprise Linux 3 (kdelibs) RHSA-2006:0720 kdelibs-3.1.3-6.12 (superseded by RHSA2009:1128 kdelibs-3.1.3-6.13)

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 152

Red Hat Enterprise Linux 3 (qt) RHSA-2006:0725 qt-3.1.2-14.RHEL3 (superseded by RHSA2007:0883 qt-3.1.2-17.RHEL3) Red Hat Enterprise Linux 4 (kdelibs) RHSA-2006:0720 kdelibs-3.3.1-6.RHEL4 (superseded by RHSA-2011:1385 kdelibs-3.3.1-18.el4) Red Hat Enterprise Linux 4 (qt) RHSA-2006:0725 qt-3.3.3-10.RHEL4 (superseded by RHBA2009:0026 qt-3.3.3-16.el4)

KCMS
KCMS Directory Traversal Vulnerability (QID 68533) CVE-2003-0027, Sun Alert ID 50104, Bugtraq ID 6665 The Kodak Color Management System (KCMS) is an image and video management Application Programming Interface (API) for Unix, Linux, and Windows. It is distributed and maintained by Kodak. A problem could make it possible for a remote user to gain unauthorized remote access to arbitrary files. It has been reported that a problem exists in the Kodak Color Management System (KCMS) due to the insecure handling of input. It may be possible for a remote user to gain access to arbitrary files on a vulnerable host. This could allow remote information gathering, leakage of sensitive information, and potentially privilege elevation. The problem occurs in the KCS_OPEN_PROFILE. By exploiting a vulnerable system running the kcms_server process, it's possible for a remote user to download any file for which the kcms_server has read access. As the kcms_server process is typically executed as root, this could be any file on the target system. Note that an attacker must use the TT_ISBUILD procedure call of ToolTalk to exploit this issue. This vulnerability can be exploited remotely to read arbitrary files on a vulnerable system. This vulnerability is suggested by detecting Solaris 9-11 and TCP Port 32772 (or 32782 or 32803 or 45275 or 64053).

Kerberos Vulnerabilities
Kerberos is a network authentication system which allows clients and servers to authenticate to each other. Red Hat krb5 Security Update (QID 115534) CVE-2007-0956, CVE-2007-0957, CVE-2007-1216, RHSA-2007:0095 A flaw was found in the username handling of the MIT krb5 telnet daemon. Kerberos KDC and the kadmin server daemon are vulnerable to buffer overflows. Also a double free flaw exists in the GSSAPI library used by the kadmin server daemon which could lead to denial of service. A remote attacker who can access the telnet port of a target machine could log in as root without requiring a password. Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 153

For Red Hat (CVE-2007-0956, CVE-2007-0957, CVE-2007-1216): Red Hat Enterprise Linux 2.1 (krb5) RHSA-2007:0095 krb5-1.2.2-44 (superseded by RHSA2009:0410 krb5-1.2.2-49) Red Hat Enterprise Linux 3 (krb5) RHSA-2007:0095 krb5-1.2.7-61 (superseded by RHSA2010:0423 krb5-1.2.7-72) Red Hat Enterprise Linux 4 (krb5) RHSA-2007:0095 krb5-1.3.4-46 (superseded by RHSA2011:1851 krb5-1.3.4-65.el4) Red Hat Enterprise Linux 5 (krb5) RHSA-2007:0095 krb5-1.5-23 (superseded by RHSA-2011:1851 krb5-1.6.1-63.el5_7)

Red Hat krb5 Security Update (QID 115757) CVE-2008-0062, CVE-2008-0063, CVE-2008-0948, CVE-2007-5971, RHSA-2008-0180, RHSA-2008-0181 Several security vulnerabilities exist in Red Hat Kerberos network authentication system. A flaw exists in the way the MIT Kerberos Authentication Service and Key Distribution Center server (krb5kdc) handle Kerberos v4 protocol packets. An error in the GSSAPI library used by MIT Kerberos could possibly cause a crash of the application using the GSSAPI library.

These security vulnerabilities could lead to denial of service conditions, information disclosure and arbitrary code execution. Red Hat (CVE-2008-0062, CVE-2008-0063, CVE-2008-0948, CVE-2007-5971): Red Hat Enterprise Linux 2.1 (krb5) RHSA-2008:0181 krb5-1.2.2-48 (superseded by RHSA2009:0410 krb5-1.2.2-49) Red Hat Enterprise Linux 3 (krb5) RHSA-2008:0181 krb5-1.2.7-68 (superseded by RHSA2010:0423 krb5-1.2.7-72) Red Hat Enterprise Linux 4 (krb5) RHSA-2008:0180 krb5-1.3.4-54.el4_6.1 (superseded by RHSA2011:1851 krb5-1.3.4-65.el4) Red Hat Enterprise Linux 5 (krb5) RHSA-2008:0164 krb5-1.6.1-17.el5_1.1 (superseded by RHSA2011:1851 krb5-1.6.1-63.el5_7)

Solaris Kerberos PAM Module Privilege Escalation Vulnerability (QID 116327) CVE-2009-0360, CVE-2009-0361, Sun Alert ID 252767, Oracle ID 1020129.1 The Kerberos V5 service module for PAM, /usr/lib/security/pam_krb5.so.1, provides functionality for all four PAM modules: authentication, account management, session management,and password management. The following vulnerabilities have been identified in the Solaris Kerberos PAM Module:

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 154

A privilege escalation vulnerability exists in "pam-krb5", when linked against MIT Kerberos because it fails to initialize Kerberos libraries for setuid use. This can be exploited to bypass authentication checks in setuid applications that use PAM for authentication by specifying the Kerberos configuration via environment variables. (CVE-2009-0360) A file overwrite vulnerability exists in "pam-krb5", as used by "libpam-heimdal" and su in Solaris 10 because it does not properly handle calls to "pam_setcred" when running setuid. This can be exploited by local users to overwrite and change the ownership of arbitrary files by setting the "KRB5CCNAME" environment variable, and then launching a setuid application that performs certain "pam_setcred" operations. (CVE-2009-0361)

Successful exploitation may allow a user supplied Kerberos configuration file to be used to specify realm and KDC server information, thereby allowing certain remote unprivileged users or applications to gain elevated privileges. OpenSolaris, Sun Solaris 9, 10 for SPARC and x86 platforms and Sun Enterprise Authentication Mechanism 1.0.1 for Solaris 8 are vulnerable. Sun has released patches to address this issue. Refer to Oracle ID 1020129.1 to obtain patch details. This vulnerability is confirmed by "SUNWcslr is installed 138371-06 is missing." Sun Solaris Kerberos "Mech" Libraries Denial of Service Vulnerability (QID 116475) CVE-2009-0844, CVE-2009-0845, CVE-2009-0846, CVE-2009-0847, Sun Alert ID 256728, Oracle ID 1020355.1 Kerberos is a network authentication system. The following security vulnerabilities exist in the Solaris Kerberos mech_krb5 library and the mech_spnego library. The asn1buf_imbed function in the ASN.1 decoder in MIT Kerberos 5, when PK-INIT is used, allows remote attackers to crash the application via a crafted length value that triggers an erroneous malloc call, related to incorrect calculations with pointer arithmetic. (CVE-2009-0847) An input validation flaw was found in the "asn1_decode_generaltime" function in ASN.1 (Abstract Syntax Notation One) decoder used by MIT Kerberos. A remote attacker could use this flaw to crash a network service using the MIT Kerberos library via vectors involving an invalid DER encoding that triggers a free of an uninitialized pointer. (CVE-2009-0846) A input validation flaw exists in the "spnego_gss_accept_sec_context" function in "lib/gssapi/spnego/spnego_mech.c". A remote attacker could use this flaw to crash any network service utilizing the MIT Kerberos GSS-API library via invalid ContextFlags data in the reqFlags field in a negTokenInit token. (CVE-2009-0845) An error in the "get_input_token" function in the MIT Kerberos GSS-API library's implementation of the SPNEGO mechanism allows remote attackers to cause a denial of service and possibly obtain sensitive information via a crafted length value that triggers a buffer overread. (CVE-2009-0844)

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 155

Successful exploitation may allow remote unprivileged users to cause certain Kerberos applications and daemons, including the Kerberos administration daemon to crash. Sun has released patches to address this issue for Solaris 10. Refer to Oracle ID 1020355.1 to obtain patch information. Interim Security Relief (ISR) is available for Solaris 8 and 9. Workaround: Disable Kerberos on the affected systems by moving the "/etc/krb5/krb5.conf" file as follows: mv /etc/krb5/krb5.conf /etc/krb5/krb5.conf.SAVE This vulnerability is confirmed by "SUNWcslr is installed 140074-08 is missing."

Linux
Linux Kernel Multiple Memory Leak Local Denial of Service Vulnerabilities (QID 115292) CVE-2005-3119, CVE-2005-3181, Bugtraq 15076 Two local denial of service vulnerabilities affect the Linux kernel. These issues are due to a design flaw that creates memory leaks. These vulnerabilities may be exploited by local users to consume excessive kernel resources, likely triggering a kernel crash and denying service to legitimate users. Memory leak in the request_key_auth_destroy function in request_key_auth in Linux kernel 2.6.10 up to 2.6.13 allows local users to cause a denial of service (memory consumption) via a large number of authorization token keys. (CVE-2005-3119) The audit system in Linux kernel 2.6.6, and other versions before 2.6.13.4, when CONFIG_AUDITSYSCALL is enabled, uses an incorrect function to free names_cache memory, which prevents the memory from being tracked by AUDITSYSCALL code and leads to a memory leak that allows attackers to cause a denial of service (memory consumption). (CVE-2005-3181)

For Lantronix SLC48 Console Server: For Red Hat (CVE-2005-3119, CVE-2005-3181): Red Hat Enterprise Linux version 4 RHSA-2005:808 kernel-2.6.9-22.0.1.EL (superseded by RHSARHBA-2011:1796 kernel-2.6.9-103.EL).

This vulnerability is detected through OS checks.

Macromedia JRun Vulnerabilities


Privilege Escalation Vulnerability in Macromedia JRun and ColdFusion (QID 12226) CVE-2005-2306, MPSB05-05 Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 156

Under high load, JRun may generate two sessions with the same authentication token. JRun Version 4.0 and ColdFusion Versions 6.1 and 7.0 are vulnerable. While this cannot be controlled by an attacker and it occurs very rarely, successful exploitation of this issue may cause two authenticated users to share information from a single user session. Macromedia JRun Multiple Vulnerabilities (QID 86735) CVE-2005-4473, Bugtraq ID 15905 Macromedia JRun is a J2EE application server that is available for Microsoft Windows, Unix, and Linux variants. Macromedia JRun is affected by multiple security vulnerabilities. The following issues were reported: Multiple vulnerabilities let remote users gain unauthorized access to Web application source code. A denial of service vulnerability in the JRun Web Server component.

Successful exploitation could potentially expose sensitive information embedded in application source code that may be useful to the attacker. Exploitation could be triggered if the attacker submits a malformed URI to the server. Also, a remote attacker could exploit these issues by submitting a long URI to the server.

Microsoft IIS
Internet Information Services (IIS) Could Allow Elevation of Privilege (MS09-020) (QID 86837) CVE-2009-1535, CVE-2009-1122, MS09-020, Bugtraq ID 34993 Internet Information Services (IIS) is a set of Internet-based services for servers created by Microsoft for use with Microsoft Windows. Web-based Distributed Authoring and Versioning (WebDAV) is a set of extensions to the Hypertext Transfer Protocol (HTTP) that allows users to edit and manage files on remote Web servers. IIS is prone to the following vulnerabilities: A security vulnerability exists within the WebDAV functionality of Internet Information Server (IIS) because the Web server fails to properly handle unicode tokens when parsing the URI and sending back data. An attacker can exploit this issue to access password protected resources via specially crafted HTTP GET or PROPFIND requests that contain Unicode-encoded characters with a "Translate: f" header. (CVE-2009-1535) An elevation of privilege vulnerability exists in the way that the WebDAV extension for IIS handles HTTP requests. An attacker could exploit this vulnerability by creating a specially crafted anonymous HTTP request to gain access to a location that should require authentication. (CVE2009-1122) Page 157

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Microsoft Internet Information Services (IIS) Version 5.0, 5.1, and 6.0 with WebDAV is vulnerable. Note: By default WebDAV is not enabled on Windows Server 2003 systems running IIS 6.0. Unless WebDAV has been enabled by an administrator on these systems, the vulnerability is not exposed. Windows XP Embedded Systems:- For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s): The June 2009 Security Updates Are Now Available on the ECE (KB970483) Successful exploitation of this vulnerability allows an attacker to bypass authentication of password protected folders. An attacker could list, download or upload any protected files on the target.

Microsoft SQL Server Vulnerabilities


Multiple MS-SQL-7 threats - (I) (QID 19058) CVE-2000-1081, CVE-2001-0542, CVE-2002-0056, CVE-2002-0154, MS00-092 We can remotely detect the presence of Microsoft's SQL Server, but cannot remotely detect if a patch or service pack has already been applied. Verify that you have applied the appropriate patch and/or service pack. The following threats are present in MS-SQL-7: Microsoft SQL Server/Data Engine various xp_ Buffer Overflow Vulnerabilities . The API Srv_paraminfo() function is implemented by Extended Stored Procedures (XPs). XPs are DLL files that perform high-level functions. When called, they invoke a function called Srv_paraminfo(), which parses the input parameters. Srv_paraminfo() does not check the length of the parameter string that an XP passes to it. The following XPs are affected: xp_displayparamstmt, xp_enumresultset, xp_showcolv, xp_updatecolvbm, xp_peekqueue, xp_printstatements, xp_proxiedmetadata and xp_SetSQLSecurity. This vulnerability can only be exploited by users who can successfully log on to the SQL server. By exploiting this vulnerability, it may be possible for malicious users to execute arbitrary code on the host running a vulnerable version of SQL Server. The malicious user would need to overwrite the return address of the calling function with the address of attacker-supplied shell code in memory. This shell code would be executed under the context of the account that the SQL Server service was configured to run under. The account must have a minimum of SYSTEM privileges. Microsoft SQL Server Multiple Overflow and Format String Vulnerabilities. SQL Server provides built-in functions for the formatting of error messages based on C-style format specifiers. These built-in functions are accessible to all users. Providing maliciously crafted input to these functions results in exploitable error conditions in the SQL Server process. To mount this attack, the malicious user must have permission to execute SQL queries either directly or by leveraging SQL Command Injection flaws. Page 158

Vulnerability Remediation Synopsis version 0.4Russ Klanke

By exploiting this vulnerability, it may be possible for malicious users to execute arbitrary code on a host running a vulnerable version of Microsoft's SQL Server. Microsoft SQL Server Provider Name Buffer Overflow Vulnerability. SQL Server does not perform proper bounds checking of the provider arguments to the OpenDataSource and OpenRowset functions. These functions may be used by an ordinary user to reference OLE DB data sources. As a result, it is possible to cause a buffer overflow condition to occur by providing an excessively long string as a provider name in a query. Successful exploitation of this vulnerability could allow a malicious user to execute arbitrary code with the privileges of the database. There is a possibility that this issue may be exploited remotely, either via distributed SQL queries or potentially via an SQL injection attack. Microsoft SQL Server xp_dirtree Buffer Overflow Vulnerability. A vulnerability has been reported in the xp_dirtree function. If an extremely large parameter is passed to the stored procedure xp_dirtree, a buffer overflow condition will occur. This issue may be related to an older known problem with unsafe usage of the Srv_paraminfo() function call. If an extremely large parameter is passed to a vulnerable stored procedure, a buffer overflow condition will occur. Depending on the data supplied, this may cause a denial of service condition, or result in the execution of arbitrary code as the SQL Server process. Microsoft SQL Server Administrator Cached Connection Vulnerability. Query methods are SQL Server commands used to request information from the database. A flaw exists in the handling of specially structured ad hoc queries, which could enable a normal user to gain administrative privileges. In order to gain access to information in the database, a user must make a connection to the server. Once access to the database is no longer required, the user logging off will terminate the connection. However, by design, SQL Server will store the connection used by the user in cache for a certain amount of time. This is done to improve the server's performance. Next time that particular user logs in, SQL Server can reinstate the cached connection rather than creating a new one. By exploiting this vulnerability, logged-in users can gain administrative privileges to the database. Microsoft SQL Server 7.0 NULL Data DoS Vulnerability . SQL Server will crash if it receives a TDS header with three or more NULL bytes as data. The crash will generate an event in the log with ID 17055 "fatal exception EXCEPTION_ACCESS VIOLATION". If this vulnerability is exploited, the SQL server will crash. Microsoft SQL Server 7.0 Stored Procedure Vulnerability . It is possible for users without the proper permissions to run stored procedure code. This includes a full range of tasks, such as modifying, viewing, or deleting entries in the database. This can be accomplished by executing a stored procedure owned by the SA account, which is referenced from a temporary stored Page 159

Vulnerability Remediation Synopsis version 0.4Russ Klanke

procedure. SQL Server does not properly check the execute permissions on stored procedures referenced by temporary stored procedures. Users must be authenticated on the SQL server and have access to the referring database in order to perform this exploit. By exploiting this vulnerability, it's possible for users without the proper permissions to run database stored procedure code. Note: This would appear as a potential vulnerability for MSSQL versions 8, 9 and above for an unauthenticated scan. MSSQL versions 8,9 and above are not vulnerable for these issues. Qualys reports "No results available". What version of SQL Server is installed? (8, 9 not vulnerable) Multiple MS-SQL-7 threats - (II) (QID 19059) CVE-2000-0202, CVE-2002-0643, CVE-2002-0721 We can remotely detect the presence of Microsoft's SQL Server, but cannot remotely detect if a patch or service pack has already been applied. Verify that you have applied the appropriate patch and/or service pack. The following threats are present in MS-SQL-7: Microsoft SQL Server Non-Validated Query Vulnerability. SQL Server 7.0 and Data Engine (SQLcompatible add-on for Access 2000 and Visual Studio 6.0) will accept SQL queries that can lead to a compromise of the database or the underlying operating system. It's possible for any SQLauthenticated user to pass commands through SQL SELECT statements, which will be run at the privilege level of the database owner or administrator. The successful exploitation of this vulnerability could lead to a compromise of the database or underlying operating system. Microsoft SQL Server Installation Password Caching Vulnerability . During the initial installation of Microsoft SQL Server 7 (including MSDE 1.0) or the installation of service packs, information is gathered and stored in a special file that can later be used to automate other MS-SQL Server installations. This file, setup.iss, may contain passwords supplied during the installation process. In addition, the log file documenting the installation process will also contain any passwords entered. The passwords are first encrypted and then stored. The Microsoft released bulletin notes that the encryption may potentially be weak. During the installation process, passwords may be stored in either of the following two cases: If the SQL Server is being set up in "Mixed Mode", a password for the SQL Server administrator (the "sa" account) must be supplied. o Whether in Mixed Mode or Windows Authentication Mode, a User ID and password can optionally be supplied for the purpose of starting up SQL Server service accounts.

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 160

Contributing to the vulnerability (in versions of SQL Server 7.0), this file is stored on the server in a location that can be viewed by anyone with rights to log on interactively.

If exploited by a malicious user, passwords stored in setup.iss, which are supplied during the installation process, may be stolen. Microsoft SQL Agent Jobs Privilege Elevation Vulnerability. SQL Server uses an Agent, which is responsible for restarting the SQL Server service, replication, and running scheduled jobs. Some of the jobs supplied by Microsoft as stored procedures on the SQL Server contain weak permissions. The following procedures are affected: sp_add_job, sp_add_jobstep, sp_add_jobserver, and sp_start_job. The Agent typically runs in the security context of the SQL Server Service Account. Under normal circumstances, when a T-SQL job is submitted to the Agent, it will drop its privilege level by performing the following command: SETUSER N'guest' WITH NORESET By exploiting this vulnerability, a malicious user would be able to execute other extended stored procedures, such as xp_cmdshell, on the SQL Server with the security context of the SQL Server Service Account. Microsoft SQL Server Extended Stored Procedure Privilege Elevation Vulnerability. Some of the extended stored procedures supplied by Microsoft contain weak permissions. The extended stored procedures typically connect to the database in the security context of the SQL Server Service Account. Users with low privileges could pass certain arguments to the vulnerable extended stored procedures, allowing them to perform actions on the database in the security context of the SQL Server Service Account. The vulnerability could also be exploited by an attacker visiting a Web site that uses one of these extended stored procedures as part of a search engine for the database. The database-driven Web application would need to be prone to existing input validation vulnerabilities for this type of exploitation to occur. If this vulnerability is exploited, a user with low privileges may perform actions on the database in the security context of the SQL Server Service Account. Note: This would appear as a potential for MSSQL versions 8, 9 and above for an unauthenticated scan. MSSQL versions 8,9 and above are not vulnerable for these issues. Qualys reports "No results available". What version of SQL Server is installed? (8, 9 not vulnerable) Microsoft SQL Server 2000 Latest Patch Not Installed (QID 19090) KB884525 Same as " Microsoft SQL Server 2000 Service Pack 4 Missing (QID 19124)".

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 161

The latest Microsoft SQL security hotfixes are not installed. This check makes sure that Service Pack 4 is installed. The version detected (such as 8.0.296 or 8.0.765) is shown in the result section of the vulnerability report. Apply the latest service packs and hotfixes available for download from the Microsoft SQL Server Support Center. Microsoft SQL Server Query Method Enables Cached Administrator Connection to be Reused (MS01-032) (QID 19093) CVE-2001-0344, MS01-032 When a client connection to a SQL Server is terminated, it remains cached for a short period of time for performance reasons. One SQL query method contains a flaw that has the effect of making it possible for one user's query to reuse a cached connection that belonged to the sa account. Successful exploitation of this vulnerability enables an attacker to execute the query using the administrator's security context. This would give the attacker the ability to take any desired action on the database. Also, it gives the attacker the ability to run extended stored procedures, with the opportunity to run code of their choice and assume de facto control of the server itself. Microsoft SQL Server 2000 Service Pack 1 Not Installed (QID 19094) The host is missing SQL Server 2000 Service Pack 1. Microsoft SQL Server Service Pack 1 contains several security fixes. Microsoft SQL Server 2000 Service Pack 2 Not Installed (QID 19096) Microsoft SQL Server 2000 Service Pack 2 not installed on the host. SQL Server 2000 Service Pack 2 fixes several security holes which can be exploited by malicious users. Microsoft SQL Server Cumulative Patch Not Installed (MS02-034) (QID 19097) CVE-2002-0624, CVE-2002-0641, CVE-2002-0642, MS02-034 This is a cumulative patch that includes the functionality of all previously released patches for SQL Server 2000. In addition, it eliminates three newly discovered vulnerabilities affecting SQL Server 2000 and MSDE 2000 (but not any previous versions of SQL Server or MSDE), which are described below. A buffer overrun vulnerability in a procedure used to encrypt SQL Server credential information. An attacker who was able to successfully exploit this vulnerability could gain significant control over the database and possibly the server itself depending on the account that the SQL Server runs as. A buffer overrun vulnerability in a procedure that relates to the bulk inserting of data in SQL Server tables. An attacker who is able to successfully exploit this vulnerability could gain significant control over the database and possibly the server itself.

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 162

A privilege elevation vulnerability that results because of incorrect permissions on the Registry key that stores the SQL Server service account information. An attacker who is able to successfully exploit this vulnerability could gain greater privileges on the system than had been granted by the system administrator - potentially even the same rights as the operating system. These vulnerabilities can be exploited by a malicious attacker to gain control over the database and possibly the server itself. Microsoft SQL Server 2000 Service Pack 3 Not Installed (QID 19099) Microsoft SQL Server 2000 Service Pack 3 is not installed on the host. Microsoft SQL Server 2000 Service Pack 3 fixes several security holes, which may be exploited by malicious users. Refer to the Microsoft Service Packs for SQL Server Downloads page for instructions on downloading and installing the service pack. Microsoft SQL Server 2000 Service Pack 4 Missing (QID 19124) KB884525 Same as "Microsoft SQL Server 2000 Latest Patch Not Installed (QID 19090)". The Microsoft SQL Server / MSDE 2000 host is missing Service Pack 4. SQL Server 2000 Service Pack 4 includes all security hotfixes released after the release of Service Pack 3. Read Microsoft article KB290211 for details on obtaining the latest service pack. Microsoft SQL Server Multiple Vulnerabilities (MS03-031) (QID 90086) CVE-2003-0230, CVE-2003-0231, CVE-2003-0232, MS03-031, Bugtraq ID 8275 Included in Microsoft SQL Server Service Pack 4. Multiple vulnerabilities are present on the Microsoft SQL Server installed on the target, including the following: LPC port request buffer overflow vulnerability, Named Pipe denial of service vulnerability, and Named Pipe hijacking vulnerability. Local Procedure Calls (LPC) provide a mechanism for interprocess communications on some Microsoft platforms. Each LPC utilizes a collection of communication ports to allow for information exchange between the client and the server. Microsoft SQL Server is prone to a buffer overflow in the mechanism that accepts LPC port requests. If a specifically malformed message is received by the LPC port, stack memory may be overwritten due to insufficient bounds checking. Microsoft SQL Server and the Microsoft Data Engine have been reported prone to a Named Pipe denial of service attack. Any local or remote user, who can authenticate and is part of the Everyone Group, may trigger a denial of service condition in an affected SQL Server. It has been reported that if a remote attacker sends an unusually large request to a named pipe, the SQL Server will become unresponsive. Microsoft SQL Server and the Microsoft Data Engine have been reported prone to a privilege escalation vulnerability via named pipes. A named pipe is a conduit for interprocess communication that is identified by a specific name; it is used to pass information between a pipe server and its clients. It has been reported that a named pipe, used to control certain connection attempts to the SQL server, is Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 163

prone to a vulnerability that may provide escalation of privileges. The issue presents itself within the checking routines for the affected pipe. Under certain circumstances, specifically during the authentication procedure, a local attacker may seize control of the named pipe. Successful exploitation of the LPC Port request buffer overrun vulnerability would allow an attacker to execute code with the privilege level of the SQL Server process. Under most conditions, exploitation would only allow an attacker to gain full access to the SQL database. However, if the SQL Server is running as Administrator or Local System, exploitation would allow for full system compromise. It's important to note that an attacker must be authenticated to the SQL Server in order to exploit this vulnerability. The impact of the denial of service vulnerability may vary between service packs and versions. It has been reported that on SQL Server 2000 without Service Pack 3 installed, the service will crash and must be restarted to restore normal operations. However, on SQL Server 2000 with Service Pack 3 applied, this is not the case. The service does not appear to crash but does not process requests received postattack. It has also been reported that it's not possible to stop the affected service, and the system will require a reboot to restore normal operations. If the Named Pipe hijacking vulnerability is successfully exploited, the attacker may thereby inherit the permissions of the user who is attempting to connect to the SQL server via the compromised pipe. Microsoft has released patches to address the issue. Check Microsoft Security Bulletin MS03-031 for the latest information on these vulnerabilities.

Microsoft Windows Platform Vulnerabilities


Lysias Lidik Webserver Directory Traversal Vulnerability (QID 10635) CVE-2002-0784, Bugtraq ID 4691 Lysias Lidik Webserver is a small Web server that is available for Microsoft Windows systems. The current version of Lidik is a beta version. The current version of Lysias Lidik Webserver has a vulnerability that allows for remote directory traversal. The Web server does not parse ".../" character sequences from the URL. By exploiting this issue, a remote attacker may be able to view and download any file on the Web server by entering a specially-crafted request. The attacker is not able to view directories with a space in the directory name by including the space in the URL. Such directories may be accessed by using the DOS 8.3 filename format. Entering http://localhost/.../...//Progra~1/ as the URL will allow the attacker to browse the "Program Files" directory. This vulnerability can be exploited to view the contents of arbitrary directories on the vulnerable Web server. This information can be used to mount further attacks on the vulnerable host. There are no solutions available at this time. This vulnerability is confirmed by exploiting the vulnerability (the "Axeda Agent Web Server/1.1" server is detected and the boot loader file is read).

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 164

Microsoft Windows XP Remote Desktop Plaintext Username Vulnerability (QID 38094) CVE-2001-1571, Bugtraq ID 3720 When a connection is initiated, Microsoft Windows XP Remote Desktop transmits user account names in plaintext over the network. The account name sent is not necessarily the user account name on the remote machine; it is the most recent user account used by the Remote Desktop client. A malicious user could use a sniffer to capture traffic over the network and discover the user account names, especially when repeated connections are being made to a particular machine from Remote Desktop clients. If this vulnerability is successfully exploited, a malicious user may be able to obtain user account names. Shutdown this service if you do not use it. Since no patch is available, block or restrict access to port 3389/tcp (used by Remote Desktop). Note: Qualys will often report that the operating system could not be determined and then report the operating system when this vulnerability is reported. For example, "Detected service win_remote_desktop and os WINDOWS XP SERVICE PACK 2-3". Microsoft Remote Procedure Call Service Denial of Service Vulnerability (MS01-041) (QID 68500) CVE-2001-0509, Bugtraq ID 3104 DCE/RPC is a proprietary protocol developed by Microsoft, and serves the same purpose as Unix RPC (Remote Procedure Call). It allows a computer to remotely call procedures on another machine. Like Unix RPC, Microsoft RPC makes use of an Interface Definition Language, which is used to generate a skeleton program (for the server side) and a stub program (for the client side). The skeleton program makes sure that procedure arguments are properly typed before passing them to the procedure implementation. The implementation checks that the argument values are correct (for example, an integer may have the right type but have a value outside the allowed range). Many RPC implementers fail to perform this check correctly. Therefore, an attacker that sends garbage (i.e. zero filled packets) to an RPC port, may cause unpredictable behavior of the associated RPC service. It seems that Windows RPC is enabled on this machine. By exploiting this vulnerability an attacker can either perform a Denial of Service attack by causing the system or key services to crash or may run arbitrary code on the compromised host. Microsoft Windows 2000 RPC DCOM Interface Denial of Service Vulnerability (QID 68517) CVE-2003-0605, MS03-039, Bugtraq ID 8234 Microsoft Windows uses Remote Procedure Calls (RPC) for client-server communications in a distributed computing environment (DCE). TCP Ports 135 and 445 are typically used for DCE endpoint resolution.

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 165

A vulnerability in the Windows DCE-RPC stack may allow a remote, malicious user to disable RPC services. If a specifically malformed packet is sent to the DCOM __RemoteGetClassObject interface on a vulnerable system, the RPC service may fail. Because other services may depend on the RPC service, the loss of this interface may impact other components on the system, possibly causing them to fail as well. Once RPC services are disabled, it may be possible for local users to gain elevated privileges by hijacking orphaned pipes left by the RPC process. If the system is configured to support DCOM over HTTP, this vulnerability may also be exploited through TCP port 593 or HTTP ports. This vulnerability may be exploited to cause a denial of service condition on the host. Privilege elevation is also a possibility. When Qualys reports "No results available" is MS03-039 patch installed? Microsoft Windows DCOM RPCSS Service Vulnerabilities (QID 68522) CVE-2003-0715, CVE-2003-0528, CVE-2003-0605, CVE-2003-0995, MS03-039 Microsoft Windows provides a DCOM (Distributed Component Object Model) interface to the RPC (Remote Procedure Call) protocol. Two buffer overrun vulnerabilities and a Denial of Service vulnerability were reported in the Microsoft Windows DCOM RPCSS service. This service is used for DCOM activation and listens on UDP ports 135, 137, 138, 445 and TCP ports 135, 139, 445, and 593. Additionally, it can listen on ports 80 and 443 if CIS or RPC over HTTP is enabled. These vulnerabilities result from incorrect handling of malformed messages. Note: this vulnerability differs from the vulnerability publicized in Microsoft Bulletin MS03-026. Exploitation of this vulnerability could result in the execution of malicious instructions with Local System privileges on an affected system. Also, an attacker could cause the RPCSS service to hang and become unresponsive. Multiple Microsoft Windows RPC/DCOM Vulnerabilities (QID 68528) CVE-2003-0813, CVE-2004-0116, CVE-2003-0807, CVE-2004-0124, MS04-012 A security update for multiple vulnerabilities on Microsoft Windows systems is available for download from Microsoft security bulletin MS04-012. The four vulnerabilities addressed in the security update include: RPC Runtime Library Remote Code Execution Vulnerability (CVE-2003-0813) (Windows 2000, XP, 2003 are affected) RPCSS Service Denial Of Service Vulnerability (CVE-2004-0116) (Windows 2000, XP, 2003 are affected)

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 166

COM Internet Services (CIS) RPC over HTTP Denial Of Service Vulnerability (CVE-2003-0807) (Windows NT, 2000, 2003 are affected) Object Identity Information Disclosure Vulnerability (CVE-2004-0124) (Windows NT, 2000, XP, 2003 are affected)

An attacker who successfully exploits the most severe of these vulnerabilities could take complete control of the affected system. An attacker could then take multiple actions on the affected system including installing programs, viewing data, changing data, deleting data, and creating new accounts that have full privileges. This vulnerability is determined by testing for the MS03-039 patch. Microsoft Windows 9x/NT 4.0 NetBIOS over TCP/IP Resource Exhaustion Vulnerability (MS00-091) (QID 70012) CVE-2000-1039, MS00-091, Bugtraq ID 2022 Microsoft's implementation NetBIOS is vulnerable to a remotely exploitable denial of service attack. A malicious user can carry out this attack by initiating several connections and then closing them. This leaves the target TCP sockets in a FINWAIT_1 state. Although the sockets will eventually time out and be freed, a malicious user can continuously initiate and close new connections, using up any freed network resources. The result may be a denial of useful NetBIOS services until the attack stops. This type of attack is well known as simple resource exhaustion, but has become an issue with new tools that enable attackers to launch more effective resource exhaustion attacks. Microsoft has released fixes to patch this vulnerability in NT Version 4.0sp6. This vulnerability affects many Operating Systems aside from Microsoft Windows; however, Microsoft is the only vendor so far to issue a patch and workaround. By exploiting this vulnerability, a malicious user, with access to the NBT port, can exhaust the system of network resources and cause it to cease functioning. When Qualys reports "No results available," is the MS00-091 patch installed? Microsoft Windows 9x/NT/2000 MS-DOS Device Name DoS Vulnerability (QID 70020) CVE-2000-0168, Bugtraq ID 1043 Due to an inherent fault within Microsoft Windows 9x/NT/2000, local and remote users can crash the system by simply requesting any permutation of a path and filename referring to a reserved DOS device name in the manner of device\device. The following device names have been known to render a system unstable (note, this is not a complete list): CON, NUL, AUX, PRN, CLOCK$, COMx, LPT1, and CONFIG$. This vulnerability is exploitable in a number of ways. Local users are able to crash the system by attempting to open a file of device\device. They could do this from within Microsoft Word, the Run dialog box, or at a command prompt.

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 167

Remote users can crash the system through any service where they must specify paths on the target, such as via FTP, Web services, NetBIOS shares, etc. Malicious Web masters may exploit this vulnerability by creating a link that will invoke devices locally on the Web user's machine. In addition, many archiving programs will allow special devices to be called out of context. Some archives have been known to drop device name files to an unspecified location on the disk. This issue does not affect the majority of virus scanners. As a result, malicious users are able to crash a Windows system locally or remotely. The host must be restarted to regain normal functionality. Some FTP servers running on a patched version of Windows 98 are still reported to be vulnerable. Note: Contrary to the Qualys remarks, Windows 2000 (or later) is not vulnerable. Microsoft Messenger Service Detected (QID 70027) Microsoft Messenger Service was detected on this host. Microsoft Messenger Service may allow attackers to pop up message windows on the host, which may result in workflow disruptions and may make it difficult for a user to access other windows on the host. Microsoft Messenger Service Buffer Overrun Vulnerability (MS03-043) (QID 70032) CVE-2003-0717, MS03-043, Bugtraq ID 8826 Microsoft Messenger Service is a Windows service that is responsible for sending and receiving "net send" messages. The service also handles any messages that are sent via the Alerter service between client and server systems. The Microsoft Messenger Service is not related to MSN Messenger. Microsoft Messenger Service is prone to a remotely exploitable buffer overrun vulnerability. The source of the vulnerability is insufficient bounds checking of messages before they are passed to an internal buffer. A message malformed in a particular way can potentially overrun adjacent regions of memory with attacker-supplied values. Exploitation of this vulnerability could result in a denial of service or in execution of malicious code in Local System context, potentially allowing for full system compromise. The Microsoft Messenger Service is exposed via NetBIOS (ports 137-139) and RPC (port 135). Microsoft has released patches to address this issue in Microsoft Security Bulletin MS03-043. There is no Windows XP version of the MS03-049 security update. The Windows XP security updates was released as part of the Security Bulletin MS03-043. Workaround: In Microsoft Security Bulletin MS03-043, Microsoft released instructions on how to disable the Windows Messenger Service. Note that disabling the service may have some side effects, such as the

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 168

system not being able to receive Alerter services messages or some services related to the Windows Messenger Service not starting. Workaround: Access to port 135 can be blocked using the Internet Connection Firewall (ICF) for Windows XP and Windows 2003 Server systems. The default settings for ICF block this traffic. Enabled DCOM (QID 90042) The Distributed Component Object Model (DCOM) is a protocol that enables software components to communicate directly over a network. The Distributed Component Object Model (DCOM) is enabled on this system. Buffer overflow vulnerabilities have been discovered previously in the DCOM implementation in most versions of Windows. Microsoft has issued several advisories and patches (MS03-026, MS03-039, MS08067 to address several DCOM and RPC vulnerabilities. Gimmiv.A malware has also been reported to exploit a vulnerability in RPC DCOM. DCOM enabled attracts Internet worms and permits your system to be remotely compromised by malicious hackers. Refer to Microsoft article Best Practices for Mitigating RPC and DCOM Vulnerabilities to obtain information on vulnerabilities in DCOM and ways to mitigate those vulnerabilities. Information on disabling DCOM can be found at the Microsoft Technet article called How to Disable DCOM Support in Windows. This vulnerability is detected through MSRPC. Microsoft Windows NetBIOS Name Service Reply Information Leakage Weakness (QID 90067) CVE-2003-0661, MS03-034, Bugtraq ID 8532 A weakness has been reported in NetBIOS on Microsoft Windows operating systems that may enable remote attackers to gain access to potentially sensitive information. In particular, the NetBIOS Name Service may leak random memory contents when replying to NetBT Name Service requests. The source of this issue is a flaw in how NetBT pads datagrams. A larger buffer is allocated than is needed when NetBIOS is generating a Name Service reply, and this buffer is not adequately initialized before the reply is generated. As a result, the reply may contain random fragments of system memory, some of which could potentially contain sensitive information. It is reported that the amount of padding that is required to cause minute amounts of memory to be disclosed will normally be 15 bytes or less. This amount will be derived from a previous memory operation. The expected behavior is for the datagram padding to be blank. This vulnerability may be exploited to obtain sensitive information about the host. Microsoft has released a patch to address this issue. The patch and current information on this vulnerability can be obtained from Microsoft Security Bulletin MS03-034. Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 169

If you do not want to apply the patch, a workaround is to restrict access to UDP port 137. Note: Qualys will often report that the operating system could not be determined and then report the operating system when this vulnerability is reported. For example, "Detected service netbios_ns and os Windows 2000 Service Pack 3-4". Microsoft Windows ASN.1 Library Integer Handling Vulnerability (QID 90103) CVE-2003-0818, MS04-007, Bugtraq ID 9626 Microsoft Windows Abstract Syntax Notation 1 (ASN.1) Library (MSASN1.dll) is shipped as a part of the Microsoft Windows Operating System. The MSASN1 library provides an application programmer's interface into Microsoft ASN.1 encoding/decoding and processing functions. The library MSASN1.dll has been reported to be prone to an integer handling vulnerability. The issue is reported to exist because an integer value that is contained as a part of ASN.1 based communications (certificates) is interpreted as an unsigned integer type. Therefore, potentially malicious values for this integer, for example a signed value of -1(0xffffffff), may trigger unexpected behavior. Because this integer value is trusted, assumed to be unsigned, and conjectured to be further employed in potentially sensitive computations (most likely boundary checking procedures), memory corruption may result. Note that because ASN.1 data will likely be encoded, for example Kerberos, SSL, IPSec or Base64 encoded, the malicious integer values may be obfuscated and as a result may not be easily detectable. An attacker may potentially leverage this condition to corrupt sensitive process memory with attackercontrolled addresses. This may ultimately result in the execution of arbitrary instructions. Code execution would occur in the context of the application that is linked to the vulnerable library. This vulnerability is detected through CIFS over TCP (CVE-2003-0818). Multiple Microsoft Windows Vulnerabilities (MS04-011) (QID 90108) CVE-2003-0533, CVE-2003-0663, CVE-2003-0719, CVE-2003-0806, CVE-2003-0906, CVE-2003-0907, CVE2003-0908, CVE-2003-0909, CVE-2003-0910, CVE-2004-0117, CVE-2004-0118, CVE-2004-0119, CVE2004-0120, CVE-2004-0123, MS04-011 A security update for multiple vulnerabilities on Microsoft Windows systems is available for download from Microsoft security bulletin MS04-011. The 14 vulnerabilities addressed in the security update include: LSASS Remote Code Execution Vulnerability (CVE-2003-0533, Windows 2000, XP, 2003 are affected) LDAP Denial Of Service Vulnerability (CVE-2003-0663, Windows NT, 2000, XP are affected) PCT Remote Code Execution Vulnerability (CVE-2003-0719, Windows NT, 2000, XP, 2003 are affected) Winlogon Remote Code Execution Vulnerability (CVE-2003-0806, Windows NT, 2000, XP are affected) Page 170

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Metafile Remote Code Execution Vulnerability (CVE-2003-0906, Windows NT, 2000, XP are affected) Help and Support Center Remote Code Execution Vulnerability (CVE-2003-0907, Windows XP, 2003 are affected) Utility Manager Privilege Elevation Vulnerability (CVE-2003-0908, Windows 2000 is affected) Windows Management Privilege Elevation Vulnerability (CVE-2003-0909, Windows XP is affected) Local Descriptor Table Privilege Elevation Vulnerability (CVE-2003-0910, Windows NT, 2000 are affected) H.323 Remote Code Execution Vulnerability (CVE-2004-0117, Windows 98, 98 SE, ME, 2000, XP, 2003 are affected) Virtual DOS Machine Privilege Elevation Vulnerability (CVE-2004-0118, Windows NT, 2000 are affected) Negotiate SSP Remote Code Execution Vulnerability (CVE-2004-0119, Windows 2000, XP, 2003 are affected) SSL Denial Of Service Vulnerability (CVE-2004-0120, Windows 2000, XP, 2003 are affected) ASN.1 Double Free Remote Code Execution Vulnerability (CVE-2004-0123, Windows NT, 2000, XP, 2003 are affected)

An attacker who successfully exploits the most severe of these vulnerabilities could take complete control of an affected system. The attacker may take many actions including installing programs, viewing data, changing data, deleting data, and creating new accounts that have full privileges. This vulnerability is confirmed by detection through CIFS over TCP (CVE-2003-0818) or through CIFS over TCP (CVE-2004-0123). Microsoft Windows Task Scheduler Code Execution (QID 90134) CVE-2004-0212, MS04-022 The security update for the Windows Task Scheduler code execution vulnerability (841873) as mentioned in the Microsoft Security Bulletin MS04-022 is not installed. This update resolves a newly-discovered, privately reported vulnerability. A remote code execution vulnerability exists in the Task Scheduler because of an unchecked buffer. The vulnerability is documented in the vulnerability details section of this bulletin. If a user is logged on with administrative privileges, a malicious user who successfully exploits this vulnerability could take complete control of an affected system, including installing programs, viewing, changing, or deleting data, or creating new accounts with full privileges. In most cases, the RPC scheduler runs on ports 1025 to 1050. It may run on higher ports in some cases. Malicious users who successfully exploit this vulnerability could take complete control of an affected system. Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 171

This vulnerability is confirmed when MS04-022 RPC Test Succeeded. Windows TCP/IP Remote Code Execution and Denial of Service Vulnerabilities (QID 90244) CVE-2005-0048, CVE-2004-0790, CVE-2004-1060, CVE-2004-0230, CVE-2005-0688, CVE-2004-0791, MS05-019 Microsoft Security Update MS05-019 was not found on the host. This update resolves the issues described below. IP Validation Vulnerability: A remote code execution vulnerability allows an attacker to send a specially crafted IP message to an affected system. An attacker who successfully exploits this vulnerability could cause the affected system to remotely execute code. However, attempts to exploit this vulnerability would most likely result in a denial of service. (CVE-2005-0048) ICMP Connection Reset Vulnerability: A denial of service vulnerability allows an attacker to send a specially crafted Internet Control Message Protocol (ICMP) message to an affected system. An attacker who successfully exploits this vulnerability could cause the affected system to reset existing TCP connections. (CVE-2004-0790) ICMP Path MTU Vulnerability: A denial of service vulnerability allows an attacker to send a specially crafted Internet Control Message Protocol (ICMP) message to an affected system, which could cause network performance to degrade and potentially stop the affected system from responding to requests. (CVE-2004-1060) TCP Connection Reset Vulnerability: A denial of service vulnerability allows an attacker to send a specially crafted TCP message to an affected system. An attacker who successfully exploits this vulnerability could cause the affected system to reset existing TCP connections. (CVE-20040230) Spoofed Connection Request Vulnerability: A denial of service vulnerability allows an attacker to send a specially crafted TCP/IP message to an affected system. An attacker who successfully exploited this vulnerability could cause the affected system to stop responding. (CVE-20050688)

An attacker who successfully exploits the most severe of these vulnerabilities could take complete control of an affected system. The attacker could then install programs, view/edit sensitive data, and create new accounts with full user rights. An attacker who successfully exploits the most severe of these vulnerabilities would most likely cause the affected system to stop responding. Windows XP Embedded Systems: For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s): June Security Updates for Embedded (KB893066) April Security Updates for Embedded (KB893066). This vulnerability is suspected by: Tested on port (22, 80, 111, 135, or 443) with ICMP Destination Unreachable Type 3, Codes 2, 3, & 4 Hard Errors (with a TCP Sequence Offset of 16 Bytes). Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 172

Microsoft Windows Remote Desktop Protocol Server Private Key Disclosure (QID 90250) CVE-2005-1794, Bugtraq ID 13818 Microsoft Windows Remote Desktop Protocol is affected by a private key disclosure vulnerability. When an RDP client initiates a session with an RDP server, the server responds with a server certificate containing an RSA public key and its digital signature. The client decrypts the signature using the server's public key and compares the result with the hash of the new public key received from the server to verify the identity of the server. The vulnerability presents itself because a private key that is used to sign the Terminal Server public key is hardcoded in "mstlsapi.dll". A subroutine of the "TLSInit" API dynamically creates, uses and deallocates this key. Successful exploitation can allow the attacker to disclose the key and calculate a valid signature to carry out man in the middle attacks. An attacker could therefore cause the client to connect to a server under their control and send the client a public key to which they possess the private key. There are no vendor-supplied solutions available at this time. Workarounds: As there is no patch, this vulnerability should be mitigated by using some semblance of network filtering (e.g., firewalling RDP off from the open Internet). For Windows Server 2003, the security of Terminal Server can be enhanced by configuring Terminal Services connections to use Transport Layer Security (TLS) 1.0 for server authentication, and to encrypt terminal server communications. Please refer to cc782610 to obtain additional details.

Note: Qualys will often report that the operating system could not be determined and then report the operating system when this vulnerability is reported. For example, "Detected service win_remote_desktop and os WINDOWS 2003". Vulnerability in Server Service Could Allow Remote Code Execution (MS06-040) (QID 90336) CVE-2006-3439, MS06-040, Bugtraq ID 19409 An unchecked buffer in the Server service is responsible for a remote code execution vulnerability. Any anonymous user who can deliver a specially crafted message to the affected system could try to exploit this vulnerability. The Server service provides RPC support, file print support and named pipe sharing over the network. The Server service allows the sharing of your local resources (such as disks and printers) so that other users on the network can access them. It also allows named pipe communication between applications running on other computers and your computer, which is used for RPC. Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 173

An attacker who successfully exploits this vulnerability could take complete control of the affected system. Detected through CIFS over TCP (CVE-2006-3439) (using browser pipe) Microsoft Windows Server Service Could Allow Remote Code Execution (MS08-067) (QID 90464) CVE-2008-4250, MS08-067, Bugtraq ID 31874 Same list as "Microsoft SMB Remote Code Execution Vulnerability (MS09-001) (QID 90477)". The Microsoft Windows Server service provides RPC support, file print support and named pipe sharing over the network. The Server service allows the sharing of local resources (such as disks and printers) so that other users on the network can access them. It also allows named pipe communication between applications running on other computers and your computer, which is used for RPC. The Server service is vulnerable to remote code execution issue, due to the service not properly handling specially-crafted RPC requests. Any anonymous user who can deliver a specially-crafted message to the affected system could try to exploit this vulnerability. An attacker who successfully exploits this vulnerability could take complete control of the affected system. Refer to Microsoft Security Bulletin MS08-067 for further details and patch download links. Windows XP Embedded Systems: For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s): December 2008 Updates are Available (including for XPe SP3 and Standard) (KB958644) October 2008 Security Updates Include a Bonus (KB958644). This vulnerability is detected through MSRPC. Microsoft SMB Remote Code Execution Vulnerability (MS09-001) (QID 90477) CVE-2008-4834, CVE-2008-4835, CVE-2008-4114, MS09-001 The Server Message Block (SMB) Protocol is a network file sharing protocol used to provide shared access to files, printers, serial ports, and miscellaneous communications between nodes on a network. It is a client-server implementation and consists of a set of data packets, each containing a request sent by the client or a response sent by the server. The following remote code execution and denial of service vulnerabilities have been identified in Microsoft SMB protocol which occur when processing specially crafted SMB packets. A vulnerability exists in the way SMB allocates space for a transaction structure and later tries to clear more memory than it should when a TRANS request is processed, allowing an attacker to take control of the system. (CVE-2008-4834) A flaw exists in the way SMB allocates and clears a data structure relating to the OPEN2 command. SMB protocol software insufficiently validates the buffer size before writing to it,

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 174

allowing attackers to take complete control of the system and allowing remote execution of code. (CVE-2008-4835) A denial of service vulnerability exists due to the way "srv.sys" handles malformed SMB WRITE_ANDX packets sent to an interface that uses a Named Pipe as endpoint. This flaw allows remote attackers to send a specially-crafted network message to a computer running the Server service causing it to stop responding. (CVE-2008-4114)

Attempts to exploit any of the above listed vulnerabilities do not require authentication. Microsoft has rated the issues as critical for Windows 2000, Windows XP, and Windows Server 2003, and moderate for Windows Vista, and Windows Server 2008. An attacker who successfully exploits this vulnerability could install programs; view, change, or delete data; or create new accounts with full user rights. Successful exploitation also results in denial of service which causes the affected system to crash and stop responding. Workaround: TCP ports 139 and 445 should be blocked at the firewall to protect systems behind the firewall from attempts to exploit this vulnerability. Note: Blocking the ports can cause several windows services or applications using those ports to stop functioning. Refer to Microsoft Security Bulletin MS09-001 for further details and patch download links. Windows XP Embedded Systems: For additional information regarding security updates for embedded systems, refer to the following MSDN blog(s): February Security Updates are Now Available (KB958687), January 2009 Security Updates for Runtimes Are Available (KB958687). Expect systems on which this vulnerability is detected to also report "Microsoft Windows Server Service Could Allow Remote Code Execution (QID 90464)". This vulnerability is detected through a null session. Microsoft WINS Remote Code Execution Vulnerabilities (QID 90516) CVE-2009-1923, CVE-2009-1924, MS09-039 Windows Internet Name Service (WINS) is a protocol designed specifically to support NetBIOS over TCP/IP (NetBT). A remote code execution vulnerability exists in the Windows Internet Name Service (WINS) due to a buffer overflow caused by incorrect calculation of buffer length when processing specially crafted WINS network packets. An attacker could exploit this vulnerability by sending a specially crafted WINS replication packet to an affected system running the WINS service. (CVE-20091923) A remote code execution vulnerability exists in the default configuration of the Windows Internet Name Service (WINS) due to insufficient validation of data structures within specially Page 175

Vulnerability Remediation Synopsis version 0.4Russ Klanke

crafted WINS network packets received from a trusted WINS replication partner. (CVE-20091924) Successful exploitation of this vulnerability allows remote code execution. An attacker could gain complete control over the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts. Microsoft has released a security update that addresses these vulnerabilities by correcting the manner in which the WINS service calculates buffer length and introducing proper data validations on received packets on the WINS server. Workaround: Block TCP port 42 and UDP port 42 at the firewall to prevent systems that are behind that firewall from being attacked by attempts to exploit this vulnerability. Note: Blocking the ports can cause several windows services or applications using those ports to stop functioning. Refer to Microsoft Security Bulletin MS09-039 for further details and links to patches. Expect systems on which this vulnerability is detected to also report "Microsoft WINS Remote Code Execution Vulnerability (QID 119248)". MS11-035 supersedes MS09-039. This vulnerability is confirmed by looking for the MS09-039 patch. Microsoft Server Message Block (SMBv2) Remote Code Execution Vulnerability (QID 90527) CVE-2009-2526, CVE-2009-2532, CVE-2009-3103, MS09-050 The Microsoft Server Message Block (SMBv2) Protocol is a network file sharing protocol used to provide shared access to files, printers, serial ports, and miscellaneous communications between nodes on a network. It is a client-server implementation and consists of a set of data packets, each containing a request sent by the client or a response sent by the server. A remote code execution and denial of service vulnerability has been identified in the Microsoft SMB implementation because it does not appropriately parse SMB negotiation requests. An attacker can exploit this issue by sending specially crafted SMB packets. Affected Software: Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2 Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2 Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2 Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 176

Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2

Successful exploitation of this vulnerability could allow an attacker to take complete control of an affected system. Most attempts to exploit this vulnerability will cause an affected system to stop responding and restart. Built-in Guest Account Not Renamed at Windows Target System (QID 105228) The built-in Guest account is not renamed at the target Microsoft Windows system. Knowing a valid username allows for substantially easier bruteforcing attacks. Rename the Guest account. This vulnerability is detected by finding the Guest account. EOL/Obsolete Operating System: Microsoft Windows 2000 Detected (QID 105359) Windows 2000 End of Life The host is running Windows 2000. Microsoft ended support for Windows Server 2000 on July 13, 2010 and provides no further support for this operating system. The system is at high risk of being exposed to security vulnerabilities. Since the vendor no longer provides updates, obsolete software is more vulnerable to viruses and other attacks. Upgrade to a vendor-supported version. Microsoft WINS Remote Code Execution Vulnerability (MS11-035) (QID 119248) CVE-2011-1248, MS11-035 Windows Internet Name Service (WINS) is a protocol designed specifically to support NetBIOS over TCP/IP (NetBT). A remote code execution vulnerability exists in WINS due to insufficient validations for the data structures within specially crafted WINS network packets sent to the WINS service. Successful exploitation of this vulnerability allows remote code execution. An attacker could gain complete control over the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts. Microsoft has released a security update to resolve the vulnerability by correcting a logic error that occurs when buffers are passed as parameters. This security update is rated Critical for servers running supported editions of Windows Server 2003, Windows Server 2008 (except Itanium), and Windows Server 2008 R2 (except Itanium), on which WINS is installed. Note: Non Local detection (Remote check) will work only on 2003 Operating systems.

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 177

Workaround: Block TCP port 42 and UDP port 42 at your firewall. Refer to Microsoft Security Bulletin MS11-035 for further details and links to patches. This vulnerability is confirmed as "Detected through WINS Service".

MySQL
MySQL Security Invoker Privilege Escalation Vulnerability (QID 19217) CVE-2007-2692, Bugtraq ID 24011 MySQL is an open-source relational database project. It is available for Microsoft Windows, Linux and Unix systems. MySQL is prone to a privilege escalation vulnerability because it fails to adequately restore database access privileges during certain routines. The mysql_change_db function in MySQL 5.0.x before 5.0.40 and 5.1.x before 5.1.18 does not restore THD::db_access privileges when returning from SQL SECURITY INVOKER stored routines, which allows remote authenticated users to gain privileges. A remote, authenticated attacker can exploit this issue to gain elevated privileges on an affected database. Install vendor update or upgrade to MySQL 5.1.18 (or later) or 5.0.40 (or later). Red Hat (CVE-2007-2692):

Red Hat Application Stack v1 for Enterprise Linux AS (v.4) (mysql) RHSA-2007:0894 mysql-5.0.441.el4s1.1 (superseded by RHEA-2008:0975 mysql-5.0.60sp1-1.el4s1.1) Red Hat Enterprise Linux version 5 (mysql) RHSA-2008:0364 mysql-5.0.45-7.el5 (superseded by RHSA-2012:0127 mysql-5.0.95-1.el5_7.1)

Note: Qualys does not indicate which versions are vulnerable. Note: Qualys does not provide details regarding Red Hat. MySQL Access Validation and Denial of Service Vulnerabilities (QID 19220) CVE-2007-3782, CVE-2007-3781, CVE-2007-3780, Bugtraq ID 25017 MySQL is an open source SQL database application available for multiple operating platforms. MySQL is prone to multiple remote vulnerabilities. These issues include: A denial of service vulnerability. This issue occurs in the connection protocol. Specifically, the application fails to handle specially crafted password packets.

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 178

An access validation vulnerability. Specifically, the "CREATE TABLE LIKE" statement does not require any privileges in order to be executed. This may allow an attacker to create arbitrary MySQL tables. An attacker can exploit these issues to crash the affected application denying service to legitimate users, and allows an unprivileged user to create arbitrary MySQL tables.

This issue affects MySQL 5 versions prior to 5.0.45. Install vendor update or upgrade to MySQL 5.0.45 (or later). Red Hat (CVE-2007-3782, CVE-2007-3781, CVE-2007-3780): Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=248553 Red Hat Application Stack v1 for Enterprise Linux AS (v.4) (mysql) RHSA-2007:0894 mysql-5.0.441.el4s1.1 (superseded by RHEA-2008:0975 mysql-5.0.60sp1-1.el4s1.1) Red Hat Enterprise Linux version 5 (mysql) RHSA-2008:0364 mysql-5.0.45-7.el5 (superseded by RHSA-2012:0127 mysql-5.0.95-1.el5_7.1)

Note: Qualys does not provide details regarding Red Hat. MySQL Server InnoDB CONVERT_SEARCH_MODE_TO_INNOBASE Function Denial of Service Vulnerability (QID 19224) CVE-2007-5925, Bugtraq ID 26353 MySQL is a freely available SQL database for multiple platforms. MySQL is prone to a remote denial of service vulnerability because it fails to properly handle unexpected conditions. The database server crashes when trying to process an SQL query using the "CONTAINS" argument along with the "FULLTEXT" index in the InnoDB engine. This issue allows remote attackers to crash affected database servers, denying service to legitimate users. This issue affects MySQL Versions 5.1.23 and prior. Install vendor update or upgrade to MySQL version 5.1.23 (or later). Red Hat (CVE-2007-5925):

Red Hat Enterprise Linux version 4 (mysql) RHSA-2007:1155 mysql-4.1.20-3.RHEL4.1.el4_6.1 (superseded by RHSA-2010:0824 mysql-4.1.22-2.el4_8.4) Red Hat Enterprise Linux version 5 (mysql) RHSA-2007:1155 mysql-5.0.22-2.2.el5_1.1 (superseded by RHSA-2012:0127 mysql-5.0.95-1.el5_7.1) Red Hat Application Stack v1 for Enterprise Linux AS (v.4) (mysql) RHSA-2007:1157 mysql-5.0.442.el4s1.1 (superseded by RHEA-2008:0975 mysql-5.0.60sp1-1.el4s1.1) Page 179

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Red Hat Application Stack v2 for Enterprise Linux (v.5) (mysql) RHSA-2007:1157 mysql-5.0.443.el5s2 (superseded by RHSA-2009:1461 mysql-5.0.84-2.el5s2)

Note: Qualys does not provide details regarding Red Hat. MySQL yaSSL Multiple Vulnerabilities (QID 19228) CVE-2008-0226, Bugtraq ID 27140 MySQL has a few vulnerabilities which can be exploited by malicious people to cause a denial of service and to compromise a vulnerable system. The vulnerabilities are caused due to the use of vulnerable yaSSL code. Multiple buffer overflows in yaSSL 1.7.5 and earlier, as used in MySQL and possibly other products, allow remote attackers to execute arbitrary code via (1) the ProcessOldClientHello function in handshake.cpp or (2) "input_buffer& operator>>" in yassl_imp.cpp. Successful exploitation of the vulnerabilities could lead to denial of service conditions. Red Hat (CVE-2008-0226): Not vulnerable. This issue did not affect versions of MySQL as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5, Red Hat Application Stack v1, and v2, as they are not built with yaSSL support.

Note: Qualys does not provide details regarding Red Hat. MYSQL MyISAM Table Security Bypass Vulnerability (QID 19234) CVE-2008-2079, MYSQL 6.0.5 ChangeLog, MYSQL 5.1.24 ChangeLog, MYSQL 5.0.60 ChangeLog, MYSQL 4.1.24 ChangeLog, Bugtraq ID 29106 A security bypass vulnerability exists in MYSQL versions 4.1.x before 4.1.24, versions 5.0.x before 5.0.60, versions 5.1.x before 5.1.24, and versions 6.0.x before 6.0.5. This issue is due to an error in the MyISAM table. This vulnerability allows local users to bypass certain privilege checks by calling CREATE TABLE on a MyISAM table with modified DATA DIRECTORY and INDEX DIRECTORY options to overwrite existing table files in the MySQL data directory. Install vendor update or upgrade to MySQL 6.0.5 (or later), 5.1.24 (or later), 5.0.60 (or later) or 4.1.24 (or later). Red Hat (CVE-2008-2079): This issue did not affect MySQL as supplied with Red Hat Enterprise Linux 3. Red Hat Application Stack v2 for Enterprise Linux (v.5) RHSA-2008:0505 mysql-5.0.50sp1a2.el5s2 (superseded by RHSA-2009:1461 mysql-5.0.84-2.el5s2)

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 180

Red Hat Application Stack v1 for Enterprise Linux AS (v.4) RHSA-2008:0510 mysql-5.0.50sp1a2.el4s1.1 (superseded by RHEA-2008:0975 mysql-5.0.60sp1-1.el4s1.1) Red Hat Enterprise Linux version 4 (mysql) RHSA-2008:0768 mysql-4.1.22-2.el4 (superseded by RHSA-2010:0824 mysql-4.1.22-2.el4_8.4) Red Hat Enterprise Linux version 5 (mysql) RHSA-2009:1289 mysql-5.0.77-3.el5 (superseded by RHSA-2012:0127 mysql-5.0.95-1.el5_7.1)

Note: Qualys does not provide details regarding Red Hat. MySQL Server RENAME TABLE System Table Overwrite Vulnerability (QID 19254) CVE-2007-5969, CVE-2007-5925, MySQL5-0-51 Changelog, RHSA-2007:1155, Bugtraq ID 26765 MySQL is a freely available SQL database for multiple platforms. MySQL is prone to a local denial of service vulnerability because the database server fails to properly handle unexpected symbolic links. This issue is exposed when tables are configured with explicit "DATA DIRECTORY" or "INDEX DIRECTORY" options. These options are used to specify paths for data and index files for tables. An attacker can replace the specified paths with symbolic links in order to cause the MySQL database to overwrite system table information. To exploit this issue, attackers require local access and filesystem privileges granting the ability to replace the specified paths with symbolic links. Exploiting this issue allows attackers with local access to affected computers to overwrite MySQL system tables. Further attacks against the MySQL database and potentially the underlying operating system may be possible. MySQL Community Server 5.0.x before 5.0.51, Enterprise Server 5.0.x before 5.0.52, Server 5.1.x before 5.1.23, and Server 6.0.x before 6.0.4, when a table relies on symlinks created through explicit DATA DIRECTORY and INDEX DIRECTORY options, allows remote authenticated users to overwrite system table information and gain privileges via a RENAME TABLE statement that changes the symlink to point to an existing file. Install vendor update or upgrade to MySQL Community Server 5.0.51 (or later), Enterprise Server 5.0.52 (or later), Server 5.1.23 (or later) or Server 6.0.4 (or later). Red Hat (CVE-2007-5969):

Red Hat Enterprise Linux version 4 (mysql) RHSA-2007:1155 mysql-4.1.20-3.RHEL4.1.el4_6.1 (superseded by RHSA-2010:0824 mysql-4.1.22-2.el4_8.4) Red Hat Enterprise Linux version 5 (mysql) RHSA-2007:1155 mysql-5.0.22-2.2.el5_1.1 (superseded by RHSA-2012:0127 mysql-5.0.95-1.el5_7.1) Red Hat Application Stack v1 for Enterprise Linux AS (v.4) (mysql) RHSA-2007:1157 mysql-4.1.203.RHEL4.1.el4_6.1 (superseded by RHSA-2010:0824 mysql-4.1.22-2.el4_8.4)

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 181

Red Hat Application Stack v2 for Enterprise Linux (v.5) (mysql) RHSA-2007:1157 mysql-5.0.222.2.el5_1.1 (superseded by RHSA-2012:0127 mysql-5.0.95-1.el5_7.1)

Note: Qualys does not provide details regarding Red Hat. Note: Qualys oversimplifies the vulnerable MySQL versions. MYSQL Multiple Vulnerabilities (5.0.51a) (QID 19255) CVE-2007-6303, CVE-2007-6304, CVE-2008-0226, CVE-2008-0227, RHSA-2007-1157, MySQL 5.0.51a Changelog MYSQL is exposed to a vulnerability which can be exploited to gain elevated privileges, cause denial of service conditions and potentially compromise a system. These vulnerabilities are caused due to the use of vulnerable yaSSL code. The exploit requires a server with yaSSL enabled and TCP/IP connections enabled but does not require valid MySQL account credentials. Malicious users can exploit these vulnerabilities to gain elevated privileges or to cause denial of service conditions. Install vendor update or upgrade to MySQL 5.0.51a (or later). Red Hat (CVE-2007-6303, CVE-2007-6304, CVE-2008-0226, CVE-2008-0227): CVE-2007-6303: (See QID 19560) This issue did not affect the MySQL packages as shipped in Red Hat Enterprise Linux 2.1, 3, 4, or 5. CVE-2007-6303: (See QID 19560) Red Hat Application Stack v1 for Enterprise Linux ES (v.4) mysql-5.0.44-2.el4s1.1 (superseded by RHEA-2008:0975 mysql-5.0.60sp1-1.el4s1.1) CVE-2007-6304: The MySQL versions as shipped in Red Hat Enterprise Linux 2.1, 3, and 4 do not support federated storage engine. The MySQL package as shipped in Red Hat Enterprise Linux 5, Red Hat Application Stack v1, and Red Hat Application Stack v2 are not compiled with support for federated storage engine. CVE-2008-0226: Not vulnerable. This issue did not affect versions of MySQL as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5, Red Hat Application Stack v1, and v2, as they are not built with yaSSL support. CVE-2008-0227: Not vulnerable. This issue did not affect versions of MySQL as shipped with Red Hat Enterprise Linux 2.1, 3, 4, 5, Red Hat Application Stack v1, and v2, as they are not built with yaSSL support.

Note: Qualys does not provide details regarding Red Hat. MySQL IF Query Denial of Service Vulnerability (QID 19256) CVE-2007-2583

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 182

MySQL is exposed to a vulnerability which can be exploited by malicious users to cause a denial of service condition. The vulnerability is caused due to an error when handling specially-crafted IF queries, which can be exploited to crash the server. Malicious users can exploit this vulnerability to cause denial of service conditions. This vulnerability is present in versions prior to 5.0.40. Install vendor update or upgrade to MySQL 5.0.40 (or later). Red Hat (CVE-2007-2583): This issue did not affect mysql packages as shipped in Red Hat Enterprise Linux 2.1, 3, and 4. Red Hat Enterprise Linux version 5 (mysql) RHSA-2008:0364 mysql-5.0.45-7.el5 (superseded by RHSA-2012:0127 mysql-5.0.95-1.el5_7.1)

Note: Qualys does not provide details regarding Red Hat. MySQL Empty Bit-String Literal Denial of Service Vulnerability (QID 19258) CVE-2008-3963, MySQL 5.0.66a Changelog, MySQL 5.1.26 Changelog, MySQL 6.0.6 Changelog A vulnerability has been reported in MySQL, which can be exploited by malicious users to cause denial of service. The vulnerability is caused due to an error when processing an empty bit-string literal and can be exploited to crash the server via a specially crafted SQL statement. These MySQL versions are vulnerable: Version 5.0 before 5.0.66 Version 5.1 before 5.1.26 Version 6.0 before 6.0.6

Attackers can cause a denial of service. Install vendor update or upgrade to MySQL 6.0.6 (or later) or MySQL 5.1.26 (or later), or 5.0.66 (or later). Red Hat (CVE-2008-3963): This issue did not affect MySQL as supplied with Red Hat Enterprise Linux 3 or 4. Red Hat Application Stack v2 for Enterprise Linux (v.5) RHSA-2009:1067 mysql-5.0.79-2.el5s2 (superseded by RHSA-2009:1461 mysql-5.0.84-2.el5s2) Red Hat Enterprise Linux version 5 (mysql) RHSA-2009:1289 mysql-5.0.77-3.el5 (superseded by RHSA-2012:0127 mysql-5.0.95-1.el5_7.1)

Note: Qualys does not provide details regarding Red Hat. Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 183

MySQL Command Line Client HTML Special Characters HTML Injection Vulnerability (QID 19264) CVE-2008-4456, MySQL Bug #27884, Bugtraq ID 31486 MySQL is prone to an HTML injection vulnerability because the application's command-line client fails to properly sanitize user-supplied input before using it in dynamically generated content. Attacker-supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible. Install vendor update or upgrade to MySQL 6.0.6 (or later) or MySQL 5.1.26 (or later), or 5.0.66 (or later). Red Hat (CVE-2008-4456): Red Hat is aware of this issue and is tracking it via the bug CVE-2008-4456. The Red Hat Security Response Team has rated this issue as having low security impact, future MySQL package updates may address this flaw for Red Hat Enterprise Linux 3, and Red Hat Application Stack 2. Red Hat Enterprise Linux version 4 (mysql) RHSA-2010:0110 mysql-4.1.22-2.el4_8.3 (superseded by RHSA-2010:0824 mysql-4.1.22-2.el4_8.4) Red Hat Application Stack v2 for Enterprise Linux (v.5) RHSA-2009:1461 mysql-5.0.84-2.el5s2 Red Hat Enterprise Linux version 5 (mysql) RHSA-2009:1289 mysql-5.0.77-3.el5 (superseded by RHSA-2012:0127 mysql-5.0.95-1.el5_7.1)

Qualys detects 5.1.31-lo. The patch may have been pushed into this version. Review the Vendor Reference for vulnerability demonstration. Note: Qualys does not provide details regarding Red Hat. MySQL Single-Row Subselect and INFORMATION_SCHEMA Denial of Service Vulnerability (QID 19265) CVE-2006-7232, CVE-2007-1420 MySQL is exposed to the following vulnerabilities: A vulnerability is caused due to a NULL-pointer dereference error within the " ilesort()" function when processing certain single-row subselect queries sorted using the "ORDER BY" clause. A vulnerability is caused due to a NULL-pointer dereference error when processing certain queries related to INFORMATION_SCHEMA and derived tables.

These vulnerabilities can be exploited by malicious users to crash the service via a specially crafted SQL query. Install vendor update or upgrade to MySQL version 5.0.37 (or later). Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 184

Red Hat (CVE-2006-7232, CVE-2007-1420): This issue did not affect the MySQL packages as shipped in Red Hat Enterprise Linux 2.1, 3, and 4 as they did not support INFORMATION_SCHEMA, introduced in MySQL version 5. Red Hat Enterprise Linux version 5 (mysql) RHSA-2008:0364 mysql-5.0.45-7.el5 (RHSA2012:0127 mysql-5.0.95-1.el5_7.1)

Note: Qualys does not provide details regarding Red Hat. MySQL Multiple Remote Denial of Service Vulnerabilities (QID 19508) CVE-2009-4019, MySQL 5.0.88 Changelog, MySQL 5.1.41 Changelog, Bugtraq ID 37297 MySQL is an open source SQL database available for multiple operating systems. MySQL is prone to the following remote denial of service vulnerabilities: An error related to the handling of certain SELECT statements containing subqueries. A failure to preserve unspecified "null_value" flags when executing statements that use the "GeomFromWKB" function. The attacker can exploit these issues to crash the application, denying access to legitimate users.

Versions prior to MySQL 5.0.88 and 5.1.41 are vulnerable. Install vendor update or upgrade to MySQL 5.1.41 (or later) or 5.0.88 (or later). Red Hat (CVE-2009-4019): Red Hat Enterprise Linux version 5 (mysql) RHSA-2010:0109 mysql-5.0.77-4.el5_4.2 (superseded by RHSA-2012:0127 mysql-5.0.95-1.el5_7.1)

Note: Qualys does not provide details regarding Red Hat. MySQL "sql/sql_table.cc" CREATE TABLE Security Bypass Vulnerability (QID 19531) CVE-2008-7247 MySQL is an open-source SQL database application available for multiple operating platforms. MySQL is prone to a security-bypass vulnerability because it allows attackers to bypass certain checks when creating a table with certain "DATA DIRECTORY" and "INDEX DIRECTORY" options that are within the MySQL home data directory. This issue occurs when the data home directory contains a symbolic link to a different filesystem. The following are vulnerable: MySQL 5.0.x through 5.0.88 MySQL 5.1.x through 5.1.41 MySQL 6.0 (prior to 6.0.9) Page 185

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Successful exploits will allow attackers to bypass certain security restrictions. Install vendor update or upgrade to MySQL 6.0.9 (or later) or 5.1.41 (or later) or 5.0.88 (or later). Red Hat (CVE-2008-7247): Not vulnerable. This issue did not affect the versions of mysql as shipped with Red Hat Enterprise Linux 3, 4, or 5.

Note: Qualys does not provide details regarding Red Hat. MySQL Multiple Vulnerabilities (QID 19560) CVE-2007-6303, CVE-2010-1849, CVE-2010-1850, MYSQL 5.1.47 ChangeLog MySQL is an open source SQL database application available for multiple operating platforms. MySQL is prone to the following vulnerabilities: An error occurs when processing the table name argument of a COM_FIELD_LIST command packet. This can be exploited to bypass privilege checks and read or delete content from a database table on the system by passing a specially crafted table name argument to COM_FIELD_LIST. An unspecified error in the processing of packets can be exploited to cause a locked server state if a packet larger than the maximum size of one packet is received. A boundary error when processing COM_FIELD_LIST command packets can be exploited to cause buffer overflow by passing an overly long table name argument to COM_FIELD_LIST.

Successful exploitation allows malicious users to bypass certain security restrictions or potentially compromise a vulnerable system and cause a denial of service. MySQL 5.1.x Versions prior to 5.1.47 are affected with this issue. Install vendor update or upgrade to MySQL 5.1.47 (or later). Red Hat (CVE-2007-6303, CVE-2010-1849, CVE-2010-1850): CVE-2007-6303: See QID 19255 CVE-2010-1849: The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw in mysql. CVE-2010-1850: These issues did not affect the versions of mysql as shipped with Red Hat Enterprise Linux 3, or 4. CVE-2010-1850: Red Hat Application Stack v1 for Enterprise Linux AS (v.4) (mysql) RHSA2007:1157 mysql-5.0.44-2.el4s1.1 (superseded by RHEA-2008:0975 mysql-5.0.60sp1-1.el4s1.1) CVE-2010-1850: Red Hat Application Stack v2 for Enterprise Linux (v.5) (mysql) RHSA-2007:1157 mysql-5.0.44-2.el4s1.1 (superseded by RHEA-2008:0975 mysql-5.0.60sp1-1.el4s1.1)

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 186

Note: Qualys does not provide details regarding Red Hat. MySQL BINLOG Filename Path Privilege Escalation Vulnerability (QID 19573) CVE-2007-6313, MySQL 5.1.23 Changelog MySQL is an open source SQL database application available for multiple operating platforms. A remote authenticated user can invoke the BINLOG statement with a specially crafted binlog filename to potentially gain elevated privileges. Successful exploitation allows remote authorized users to execute arbitrary BINLOG statements. MySQL Server 5.1.x before 5.1.23 and 6.0.x before 6.0.4 are affected. Install vendor update or upgrade to MySQL Server 6.0.4 (or later) or 5.1.23 (or later). Red Hat (CVE-2007-6313): Not vulnerable. This issue did not affect the versions of MySQL as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5.

Note: Qualys does not provide details regarding Red Hat. MySQL Prepared-Statement Mode "EXPLAIN" Denial of Service Vulnerability (QID 19600) MySQL 5.1.52 ChangeLog MySQL is an open source SQL database application available for multiple operating platforms. MySQL is prone to a vulnerability caused by an error in the prepared-statement mode when processing "EXPLAIN" for a "SELECT" from a derived table, which can be exploited to cause a crash. If this vulnerability is successfully exploited, an attacker can cause a denial of service. MySQL versions prior to 5.1.52 are affected. Install vendor update or upgrade to MySQL 5.1.52. Red Hat (no CVE): Red Hat is aware of this issue and is tracking it via the bug 717703. Red Hat Enterprise Linux 4 is affected. Red Hat Enterprise Linux 5 RHSA-2012:0127 mysql-5.0.95-1.el5_7.1 Red Hat Enterprise Linux 6 is not vulnerable.

Note: Qualys does not provide details regarding Red Hat.

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 187

NetScreen
NetScreen ScreenOS Port Scan Denial of Service Vulnerability (QID 43082) CVE-2002-0234, Bugtraq ID 4015 NetScreen is a line of Internet security appliances integrating firewall, VPN and traffic management features. ScreenOS is the software used to manage and configure the firewall. NetScreen supports Microsoft Windows 95, 98, ME, NT and 2000 clients. An issue has been reported in NetScreen ScreenOS which could cause the system to stop responding. If a user within the trusted network attempts to do a port scan on an external system, ScreenOS could fail. This is due to the number of concurrent sessions allowed per user. It is possible to exploit this issue with a port scanner that does not properly release sessions. A restart of the service may be required in order to gain normal functionality. Attackers can leverage this vulnerability to deny service to other legitimate users. The vendor recommends all customers to upgrade to the latest version of NetScreen ScreenOS supported by their hardware, and then to enable one or all of the following features to minimize the likelihood of being affected by this issue. 1. Use the feature called "Source IP Session Thresholding" which limits the concurrent number of sessions allowed per user. This feature was implemented as a CLI command in 2.6.1r2, and is incorporated into the WebUI of ScreenOS 3.0. The command is below: set firewall session-threshold source-ip-based [num] 2. In ScreenOS 3.0.0 and later, the administrator can manually clear all active sessions to destination IP addresses. This command can be used to recover from a port scan without waiting for all sessions to time out or without restarting the device. The command is below: clear session dst-ip [ip_address] 3. In ScreenOS 3.1.0, the administrator can enable firewall protection, including port scan protection. Check Juniper Networks' Web site for the latest updates. Note: Qualys will often report that the operating system could not be determined and then report the operating system when this vulnerability is reported. For example, "Detected service http and os NETSCREEN".

NFS Vulnerabilities
NFS Exported Filesystems List Vulnerability (QID 66002) This system is running a Network File System (NFS) server that enables a remote host to access and share files and directories. The current configuration of this system gives both authorized and unauthorized users the list of exported disks and authorized hosts.

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 188

This list discloses information about your internal organization and network architecture. It provides information about where data is stored, whether the server is heavily secured, and lists hosts that can be attacked. The list also contains a source of valuable information, which can be used in a spoofing attack. If the NFS server is not required on this system, then shutdown and disable the "mountd" and "nfsd" RPC services. If the NFS server is required on this system, then the solution is not as simple. Since the server's clients need to be able to access the export list, this service cannot be shutdown. Access can be restricted to hosts on the local network or hosts that are authorized clients of this server. Use either a packet filter at the system level (local packet filter) or a centralized packet filter on the firewall. Note, however, that using a firewall in front of your network will not secure the service itself, but will limit the risk to internal attacks. This vulnerability is confirmed by exploiting the vulnerability. NFS Exported Directories Mountable by Unauthorized Users (QID 66003) CVE-1999-0169 This system is running a Network File System (NFS) server that enables unauthorized users to access this host from a remote system to share files and directories. The current configuration does not use any access control when exporting files and directories. Unauthorized users can exploit this misconfiguration to access the shared filesystems outlined below. A remote attacker could read/write files to the system with root-level permissions on NFS servers that fail to properly check the UID. If unauthorized users can access sensitive files, such as "/etc/passwd" or "/.profile", then they may be able to compromise the system. With this said, some systems, such as Solaris systems, report filesystems as exported to "everyone", when they are in fact heavily restricted. NFS-Utils Xlog Remote Buffer Overrun Vulnerability (QID 68521) CVE-2003-0252, RHSA-2003-207, Bugtraq ID 8179 nfs-utils provides various NFS tools, including a daemon for handling RPC requests. It is available for Unix and Linux variants. A remote buffer overrun vulnerability has been reported in xlog, which is a logging facility for nfs-utils. It is possible to exploit this issue via mountd. This vulnerability is an off-by-one boundary condition error in the xlog.c source file, which contains code for handling logging of RPC requests. Specifically, the xlog() function is prone to this issue when a buffer equal to or longer than 1023 bytes is supplied, causing one byte of memory to be overrun with attackersupplied data. The issue could also occur in other nfs-utils components that call xlog with externally-supplied data. Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 189

It has been reported that successful exploitation of this issue will most likely result in a denial of service. There is a likelihood that this issue can be exploited to run arbitrary code in the context of mountd, which runs as root. Red Hat (CVE-2003-0252): Red Hat Enterprise Linux 2 RHSA-2003:207 nfs-utils-0.3.3-7.21AS (superseded by RHSA-2005:014 nfs-utils-0.3.3-11)

Note: Qualys does not report the version of nfs-utils found. nfs-utils 1.0.4 or later may be installed. Note: Qualys does not provide details regarding Red Hat.

OpenRadius Vulnerabilities
OpenRADIUS Divide By Zero Denial of Service Vulnerability (QID 38122) Bugtraq ID 5103 OpenRADIUS is a RADIUS server implementation for Linux and Unix based operating systems, distributed as an open-source project. A possible denial of service vulnerability has been announced in some versions of OpenRADIUS. Reportedly, it is possible for the OpenRADIUS server to crash when a divide by zero condition occurs processing a behavior rule. Division by zero is undefined, and generally results in an error condition. A remote attacker able to exploit this condition on a specific server may be able to create a denial of service condition, where normal users are denied access to the RADIUS server. A restart of the server will be required in order to regain normal functionality. Note: Qualys reports "Detected service radius and os Linux 2.4-2.6 / Embedded Device / F5 Networks Big-IP". What is the version of OpenRADIUS installed? 0.9.4 or later is required.

OpenSSH Vulnerabilities
OpenSSH Channel Code Off-By-One Vulnerability (QID 38088) CVE-2002-0083, RHSA-2002:043, Bugtraq ID 4241 OpenSSH is a freely available implementation of the SSH client-server protocol. It is distributed and maintained by the OpenSSH team. OpenSSH includes client and server software, and supports SSH and SFTP. It was initially developed for OpenBSD, but is also widely used for Linux, Solaris, and other Unix operating systems. A vulnerability has been announced in some versions of OpenSSH. An off-by-one error exists in the channel code. It has been reported that a local user can exploit this vulnerability by connecting to a vulnerable server (valid credentials are required). Additionally, a malicious server may attack a vulnerable OpenSSH client. Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 190

The successful exploitation of this vulnerability could allow a malicious user to execute arbitrary code on the vulnerable system. If a client program is exploited, this will result in code being executed as the vulnerable user, and may result in local access to the affected machine. If the server process is subverted, code will run as the root user. OpenSSH 3.1 introduced a patch. The operating system detected is "Linux 2.4-2.6 / Embedded Device / F5 Networks Big-IP", which could indicate Red Hat. RHSA-2002-043 predates Red Hat AS. A fix was introduced in Red Hat Linux 7.x in 2002. There is no indication that this fix did not migrate to the AS series. Note: Qualys does not provide details regarding Red Hat. OpenSSH Challenge-Response Authentication Integer Overflow Vulnerability (QID 38113) CVE-2002-0639, Bugtraq ID 5093 OpenSSH is a freely available implementation of the SSH client-server protocol. It is distributed and maintained by the OpenSSH team. OpenSSH includes client and server software, and supports SSH and SFTP. It was initially developed for OpenBSD, but is also widely used for Linux, Solaris, and other Unix operating systems. A vulnerability exists within the "challenge-response" authentication mechanism in the OpenSSH daemon (sshd). This mechanism, part of the SSH2 protocol, verifies a user's identity by generating a challenge and forcing the user to supply a number of responses. OpenSSH supports the SKEY and BSD_AUTH authentication options. These are compile-time options. At least one of these options must be enabled before the OpenSSH binaries are compiled for the vulnerable condition to be present. OpenBSD 3.0 and later is distributed with BSD_AUTH enabled. The SKEY and BSD_AUTH options are not enabled by default in many distributions. However, if these options are explicitly enabled, that build of OpenSSH may be vulnerable. Note: Systems running with "ChallengeResponseAuthentication no" are not affected. It is possible for a remote user to send a specially-crafted reply that triggers an overflow. This can result in a remote denial of service attack on the OpenSSH daemon or a complete compromise. The OpenSSH daemon runs with superuser privileges, so remote attackers can gain superuser access by exploiting this vulnerability. Install vendor update or upgrade to OpenSSH 3.4 (or later) and enable Privilege Separation in the SSHd daemon. Red Hat (CVE-2002-0639): Not vulnerable. This issue did not affect the versions of OpenSSH as shipped with Red Hat Enterprise Linux 3 or later. Page 191

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Note: Qualys does not provide details regarding Red Hat. OpenSSH UseLogin Environment Variable Passing Vulnerability (QID 38118) CVE-2001-0872, Bugtraq ID 3614 OpenSSH is a freely available implementation of the SSH client-server protocol. It is distributed and maintained by the OpenSSH team. OpenSSH includes client and server software, and supports SSH and SFTP. It was initially developed for OpenBSD, but is also widely used for Linux, Solaris, and other Unix operating systems. A problem has been discovered in OpenSSH that could allow local users to gain elevated privileges. OpenSSH allows for certain environment variables to be set when users log in with specific keys. When the server is configured to use 'login' via the 'UseLogin' config flag, these environment variables are set for the 'login' process. This behavior could be exploited by a local malicious user to load arbitrary shared libraries for 'login' via LD_PRELOAD, resulting in the execution of arbitrary code with elevated privileges. If the 'UseLogin' flag is set, local users can gain root privileges. UseLogin is not enabled by default. Install vendor update or upgrade to OpenSSH Version 3.0.2 (or later). Red Hat (CVE-2001-0872): No Enterprise edition is vulnerable.

This vulnerability is reported when "SSH-2.0-OpenSSH_2.9p2" is detected. Note: Qualys does not provide details regarding Red Hat. OpenSSH Reverse DNS Lookup Access Control Bypass Vulnerability (QID 38198) CVE-2003-0386, Bugtraq ID 7831 OpenSSH is a freely available implementation of the SSH client-server protocol. It is distributed and maintained by the OpenSSH team. A vulnerability has been reported for OpenSSH that may allow unauthorized access to an OpenSSH server's login mechanism. The vulnerability exists in the way OpenSSH restricts access. It's possible to configure OpenSSH to restrict access based on certain hostname or IP address patterns. When a connection is made to an OpenSSH server, a reverse DNS lookup is made to verify the hostname. Access to the login mechanism is then granted based on the lookup response. An attacker who controls a malicious DNS server may be capable of spoofing a PTR record to mimic the hostname of an authorized user. Furthermore, by using a record containing an IP address of a trusted host, it may also be possible to bypass the access control.

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 192

An attacker can exploit this vulnerability to access the login mechanism of a restricted OpenSSH server. Note that if a target OpenSSH server is configured to carry out key-based authentication, an attacker may be capable of gaining remote access. For this to occur, an attacker must possess a key (such as an RSA key) of a trusted OpenSSH user. Enable "VerifyReverseMapping" on the sshd server. Install vendor update or upgrade to OpenSSH 3.6.2 (or later). Red Hat (CVE-2003-0386):

Red Hat Enterprise Linux version 2.1 (openssh) RHSA-2006:0698 openssh-3.1p1-21 Red Hat Enterprise Linux version 3 (openssh) RHSA-2006:0298 openssh-3.6.1p2-33.30.9 (superseded by RHBA-2007:0462 openssh-3.6.1p2-33.30.14)

Note: Qualys does not provide details regarding Red Hat. OpenSSH PAMAuthenticationViaKbdInt Buffer Overflow Vulnerability (QID 38202) CVE-2002-0640, RHSA-2002:127, Bugtraq ID 5093 OpenSSH is a freely available implementation of the SSH client-server protocol. It is distributed and maintained by the OpenSSH team. OpenSSH includes client and server software, and supports SSH and SFTP. It was initially developed for OpenBSD, but is also widely used for Linux, Solaris, and other Unix operating systems. Buffer overflow in sshd in OpenSSH 2.3.1 through 3.3 may allow remote attackers to execute arbitrary code via a large number of responses during challenge response authentication when OpenBSD is using PAM modules with interactive keyboard authentication ("PAMAuthenticationViaKbdInt yes" in the sshd configuration file). OpenSSH has a buffer overflow vulnerability involving the number of responses received during challenge response authentication. Regardless of the setting of the challenge response configuration option, systems using PAM modules that use interactive keyboard authentication (PAMAuthenticationViaKbdInt), may be vulnerable to the remote execution of code. At this time, it is not known if this vulnerability is exploitable. This vulnerability may be exploited to execute arbitrary code on the vulnerable machine. Note: Systems running with "PAMAuthenticationViaKbdInt no" are not affected. Install vendor update or upgrade to OpenSSH Version 3.4 (or later) or disable PAMAuthenticationViaKbdInt. Red Hat (CVE-2002-0640): "PAMAuthenticationViaKbdInt" is not enabled by default. Page 193

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Red Hat Enterprise Linux AS (Advanced Server) version 2.1 RHSA-2002:131

Note: Qualys does not provide details regarding Red Hat. OpenSSH Multiple Memory Management Vulnerabilities (QID 38217) CVE-2003-0693, CVE-2003-0695, CVE-2003-0682, OpenSSH Advisory, Bugtraq ID 8628 Multiple memory management errors have been reported in OpenSSH. These issues exist in the "buffer.c" source file, and may potentially be exploited to execute arbitrary code with the privileges of OpenSSH. The problem appears to be buffer size accounting and related issues, and could result in corruption of heap memory with attacker-supplied values. An attacker could exploit this vulnerability to launch a denial of service attack on the SSH service, or to execute arbitrary privileged code on the target. Install vendor patch for CVE-2003-0693, CVE-2003-0695, CVE-2003-0682 or update to OpenSSH 3.7.1p1 or later. OpenSSH 5.2 or later is recommended. Cisco CatOS 8.5(8) or 8.6(4) code is patched Vendor Reference Cisco CSCec33092, Fixed-In , 6.4(6.5), 7.6(3.10), 8.1(2.1), 7.6(3a), 8.2(0.42)GLX, 8.2(0.56)DEL

Red Hat (CVE-2003-0693): Red Hat Enterprise Linux 2.1 RHSA-2003:280 openssh-3.1p1-14 (superseded by RHSA-2006:0698 openssh-3.1p1-21) Red Hat Enterprise Linux 3 fixed as a backported patch. The source RPM contains the patch openssh-3.6.1p2-owl-realloc.diff which resolved this flaw before Red Hat Enterprise Linux 3 GA. This flaw does not affect any subsequent versions of Red Hat Enterprise Linux.

Many vendors backport the patches to packages based on earlier versions of openssh. The following packages have been reported to address this issue: Solaris 9 SPARC: patch 113273-04 or later Solaris 9 x86: patch 114858-03 or later AIX-5.2 opensshi-aix52 3.6.1p2_52 AIX-5.1 opensshi-aix51 3.6.1p2_51 HP-UX B.11.22 T1471AA_A.03.61.002_HP-UX_B.11.22_IA.depot HP-UX B.11.11 T1471AA_A.03.61.002_HP-UX_B.11.11_32+64.depot HP-UX B.11.00 T1471AA_A.03.61.002_HP-UX_B.11.00_32+64.depot fedora: openssh-3.6.1p2-19 mandrake: openssh-3.6.1p2-1.1 debian: openssh-krb5_3.4p1 Page 194

Vulnerability Remediation Synopsis version 0.4Russ Klanke

suse-8.2: openssh-3.5p1-106 suse-8.1, 8-0: openssh-3.4p1-214 Mac OS X 10.2.8

Note: Qualys does not provide details regarding Red Hat. OpenSSH Signal Handling Vulnerability (QID 38560) CVE-2006-5051, CVE-2006-4924, Bugtraq ID 20241 OpenSSH is a set of computer programs providing encrypted communication sessions over a computer network using the SSH protocol. The following security vulnerabilities have been identified in OpenSSH: A signal handler race condition in OpenSSH before Version 4.4 can be exploited to cause a crash, and possibly execute arbitrary code if GSSAPI authentication is enabled, via unspecified vectors that lead to a double-free. (CVE-2006-5051) A denial of service vulnerability exists in sshd in OpenSSH before Version 4.4, when using the SSH protocol Version 1, because it does not properly handle duplicate incoming blocks. This can be exploited by a remote attacker to cause sshd to consume a large quantity of CPU resources. (CVE-2006-4924)

If this vulnerability is successfully exploited, it can crash the OpenSSH server and potentially allow execution of arbitrary code. Install vendor patches for CVE-2006-5051 and CVE-2006-4924 or update to OpenSSH 4.4 (or later). 5.2 or later is recommended. Red Hat (CVE-2006-5051, CVE-2006-4924): Red Hat Enterprise Linux version 2.1 (openssh) RHSA-2006:0698 openssh-3.1p1-21 Red Hat Enterprise Linux version 3 (openssh) RHSA-2006:0697 openssh-3.6.1p2-33.30.12 (superseded by RHBA-2007:0462 openssh-3.6.1p2-33.30.14) Red Hat Enterprise Linux version 4 (openssh) RHSA-2006:0697 openssh-3.9p1-8.RHEL4.17 (superseded by RHEA-2010:0511 openssh-3.9p1-11.el4_8.1) Red Hat Enterprise Linux version 5 is not vulnerable to this issue as it contains a backported patch.

Note: Qualys does not provide details regarding Red Hat. OpenSSH Plaintext Recovery Attack Against SSH Vulnerability (QID 42339) CVE-2008-5161, CPNI-957037, openssh-5.2 release note, OpenSSH Security Advisory: cbc.adv OpenSSH is a set of computer programs providing encrypted communication sessions over a computer network using the SSH protocol. Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 195

OpenSSH is prone to a plain text recovery attack. The issue is in the SSH protocol specification itself and exists in Secure Shell (SSH) software when used with CBC-mode ciphers. This issue can be exploited by a remote unprivileged user to gain access to some of the plain text information from intercepted SSH network traffic, which would otherwise be encrypted. Vulnerable versions: SSH Tectia Client and Server and Connector 4.0 through 4.4.11, 5.0 through 5.2.4, and 5.3 through 5.3.8; Client and Server and ConnectSecure 6.0 through 6.0.4; Server for Linux on IBM System z 6.0.4; Server for IBM z/OS 5.5.1 and earlier, 6.0.0, and 6.0.1; and Client 4.0-J through 4.3.3-J and 4.0-K through 4.3.10-K OpenSSH 4.7p1 and possibly other versions, when using a block cipher algorithm in Cipher Block Chaining (CBC) mode, makes it easier for remote attackers to recover certain plaintext data from an arbitrary block of ciphertext in an SSH session via unknown vectors.

OpenSSH 5.2: changes the default cipher order to prefer the AES CTR modes and the revised "arcfour256" mode to CBC mode ciphers that are susceptible to CPNI-957037 "Plaintext Recovery Attack Against SSH". adds countermeasures to mitigate CPNI-957037-style attacks against the SSH protocol's use of CBC-mode ciphers. Upon detection of an invalid packet length or Message Authentication Code, ssh/sshd will continue reading up to the maximum supported packet length rather than immediately terminating the connection. This eliminates most of the known differences in behaviour that leaked information about the plaintext of injected data which formed the basis of this attack. We believe that these attacks are rendered infeasible by these changes.

Install vendor update or upgrade to OpenSSH 5.2 (or later). Red Hat (CVE-2008-5161):

Red Hat Enterprise Linux version 5 (openssh) RHSA-2009:1287 openssh-4.3p2-36.el5 (superseded by RHBA-2012:0237 openssh-4.3p2-82.el5)

Note: Qualys does not provide details regarding Red Hat. OpenSSH X11 Hijacking Attack Vulnerability (QID 42340) CVE-2008-1483, openssh-5.0 release note OpenSSH is a set of computer programs providing encrypted communication sessions over a computer network using the SSH protocol. OpenSSH is prone to a vulnerability that allows attackers to hijack forwarded X connections. Successfully exploiting this issue may allow an attacker run arbitrary shell commands. Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 196

OpenSSH versions prior to 5.0 are vulnerable. Successfully exploiting this issue may allow an attacker run arbitrary shell commands with the privileges of the user running the affected application. Is GSSAPI authentication configured, and is GSSAPIDelegateCredentials enabled? If no, you are not vulnerable. Install vendor patch or update to OpenSSH 5.0 (or later). 5.2 or later is recommended. Red Hat (CVE-2008-1483, Red Hat Bugzilla CVE-2008-1483): Red Hat Enterprise Linux 3: no patch available. Red Hat Enterprise Linux 4: RHSA-2005:0527 openssh-3.9p1-8.RHEL4.9 (superseded by RHEA2010:0511 openssh-3.9p1-11.el4_8.1) Red Hat Enterprise Linux 5: no version is vulnerable.

Note: Qualys does not provide details regarding Red Hat. OpenSSH Local SCP Shell Command Execution Vulnerability (QID 115317) CVE-2006-0225, Vmware-9986131-Patch, Vmware-3069097-Patch, OpenSSH, FEDORA-2006-056, Bugtraq ID 16369 OpenSSH is a freely available, open source implementation of the Secure Shell protocol. It is available for multiple platforms, including Unix, Linux and Microsoft. SCP is a secure copy application that is a part of OpenSSH. It is used to copy files from one computer to another over an SSH connection. If SCP is given all-local paths to copy, it acts like the system "cp" command. OpenSSH is susceptible to a local SCP shell command execution vulnerability. This issue is due to a failure of the application to properly sanitize user-supplied input prior to utilizing it in a "system()" function call. If SCP is used in an all-local fashion, without any hostnames, it utilizes the "system()" function to execute a local copy operation. By utilizing the "system()" function, a shell is spawned to process the arguments. If filenames are created that contain shell metacharacters, they will be processed by the shell during the "system()" function call. Attackers can create files with names that contain shell metacharacters along with commands to be executed. If a local user then utilizes SCP to copy these files (likely during bulk copy operations involving wildcards), then the attacker-supplied commands will be executed with the privileges of the user running SCP. This issue reportedly affects OpenSSH Version 4.2. Other versions may also be affected. This issue can allow local attackers to execute arbitrary shell commands with the privileges of users executing a vulnerable version of SCP.

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 197

Install vendor patch for CVE-2006-0225 or update to OpenSSH 4.3 (or later). 5.2 or later is recommended. You can confirm if this vulnerability is present on your computer as follows. On a Unix prompt, type these commands: touch foo\ bar mkdir "any_directory" scp foo\ bar "any_directory" If the output is: cp: cannot stat `foo': No such file or directory cp: cannot stat `bar': No such file or directory then your OpenSSH is vulnerable. Red Hat (CVE-2006-0225):

Red Hat Enterprise Linux version 2.1 (openssh) RHSA-2006:0698 openssh-3.1p1-21 Red Hat Enterprise Linux version 3 (openssh) RHSA-2006:0298 3.6.1p2-33.30.9 (superseded by RHBA-2007:0462 openssh-3.6.1p2-33.30.14) Red Hat Enterprise Linux version 4 (openssh) RHSA-2006:0044 openssh-3.9p1-8.RHEL4.12 (superseded by RHEA-2010:0511 openssh-3.9p1-11.el4_8.1)

Vmware: ESX 3.0.1 9986131 ESX 3.0.0 3069097

Note: Qualys does not provide details regarding Red Hat.

OpenSSL Vulnerabilities
OpenSSL Denial of Service Vulnerabilities (QID 38257) CVE-2004-0079, CVE-2004-0112, CVE-2004-0081, RHSA-2004:120, Bugtraq ID 9899 Two security vulnerabilities have been reported to affect OpenSSL. The first vulnerability is a NULL pointer assignment that can be triggered by attackers during SSL/TSL handshake exchanges. The vulnerability is in the function do_change_cipher_spec(). It is possible for a malicious host to craft handshake messages to exploit this vulnerability and crash vulnerable systems. This may be due to an attempt by the target application to write to or read from a NULL pointer. OpenSSL Versions 0.9.6c to 0.9.6l and 0.9.7a to 0.9.7c are affected by this issue.

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 198

The second vulnerability is also exploited during the SSL/TLS handshake, though only when Kerberos ciphersuites are in use. Attackers exploiting this vulnerability could initiate a handshake exchange with the target designed to trigger this vulnerability. The consequence of doing so would be an out-of-bounds read (an attempt to read an invalid memory region), ultimately resulting in a crash. The vendor reported that this vulnerability may not be a threat to many as it is only present when Kerberos ciphersuites are in use, which is an uncommon configuration. OpenSSL Versions 0.9.7a, 0.9.7b and 0.9.7c are affected by this issue. Both of these remotely exploitable vulnerabilities could result in a denial of service condition in applications that use OpenSSL. Install vendor update or update to the OpenSSL 0.9.7d (or 0.9.6m) release. Any application dynamically linked to OpenSSL libraries should be restarted after applying fixes. Applications that are statically linked to OpenSSL libraries should be recompiled after upgrading OpenSSL. Cisco released an advisory detailing affected Cisco products. This advisory includes fix information and a release schedule for pending fixes. SuSE released advisory SuSE-SA:2004:007 to address these issues. Red Hat (CVE-2004-0079, CVE-2004-0112, CVE-2004-0081):

Red Hat Linux 9 (openssl) RHSA-2004:121 openssl-0.9.7a-20.2 Red Hat Stronghold 4 RHSA-2004:139 Red Hat Enterprise Linux version 2.1 RHSA-2005:829 openssl-0.9.6b-42.src (superseded by RHSA-2009:0004 openssl-0.9.6b-49) Red Hat Enterprise Linux version 3 RHSA-2004:120 openssl-0.9.7a-33.4 (superseded by RHSA2010:0163 openssl-0.9.7a-33.26) Red Hat Enterprise Linux version 3 (openssl096b) RHSA-2005:830 openssl096b-0.9.6b-16.42 (superseded by RHSA-2010:0173 openssl096b-0.9.6b-16.50) Red Hat Enterprise Linux version 4 (openssl096b) RHSA-2005:830 openssl096b-0.9.6b-22.42 (superseded by RHSA-2010:0173 openssl096b-0.9.6b-22.46.el4_8.1) Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Guardian Digital released advisory ESA-20040317-003 to address these issues. Sun Microsystems released Oracle ID 1001267 to announce that Solaris platforms are not affected by this issue. Note: Qualys states "Red Hat released advisory RHSA-2004:120-12 for Red Hat Linux Enterprise releases." This is a misleading oversimplification of the Red Hat response. Note: Qualys does not provide details regarding Red Hat. Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 199

OpenSSL PKCS Padding RSA Signature Forgery Vulnerability (QID 38557) CVE-2006-4339, Advisory, Oracle ID 1000472.1, Oracle ID 1000931.1, RHSA-2006-0661, Bugtraq ID 19849 OpenSSL is susceptible to a vulnerability that may allow an RSA signature to be forged. It is possible to forge a PKCS 1 v1.5 signature when an RSA key with exponent 3 is used. This issue presents itself when a Certificate Authority uses an RSA key with exponent 3 and X.509 certificates are in use. CAs may incorrectly verify certificates if they do not check for excess data in the RSA exponentiation signature results. All applications that depend on OpenSSL to verify X.509 certificates are potentially vulnerable. Alternative uses of PKCS 12 v1.5 are affected as well, including applications that depend on OpenSSL for SSL or TLS. The attacker may use this issue to forge a signature on a digital certificate signed by the RSA key and take advantage of trust relationships which depend on these credentials, possibly posing as a trusted party and signing a certificate or key. All versions of OpenSSL prior to and including Versions 0.9.7j and 0.9.8b are affected by this vulnerability. The vendor has released new versions of OpenSSL to address this issue. For Red Hat (CVE-2006-4339): Red Hat Enterprise Linux 2.1: RHSA-2006:0661 openssl-0.9.6b-43 (outdated by RHSA-2009:0004 openssl-0.9.6b-49)

Users of Red Hat Enterprise Linux 2.1 may need to use the command "up2date openssl openssl095a openssl096" to install these updated packages on their systems. This is due to a conflict between Galeon and the recent Seamonkey update. We will provide updated Galeon packages to fix this conflict in a future erratum. For Sun Solaris: Refer to Oracle ID 1000472.1 and Oracle ID 1000931.1. OpenSSL Multiple Vulnerabilities (QID 38561) CVE-2006-2937, CVE-2006-2940, CVE-2006-3738, CVE-2006-4343, SUSE-SA:2006:058, RHSA-2006:069512, FEDORA-2006-1004, FEDORA-2006-1373, OpenSSL Advisory, Bugtraq ID 20246 OpenSSL is known to have the following vulnerabilities: An error in the processing of certain invalid ASN.1 structures can be exploited to cause an infinite loop and consume system memory in an application using OpenSSL to process ASN.1 data from untrusted sources. Certain types of public keys take an overly long time to process in an application using OpenSSL to process ASN.1 data from untrusted sources. An error in the "SSL_get_shared_ciphers()" function can be exploited to cause a buffer overflow by sending a list of ciphers to an application using the vulnerable function.

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 200

An error in the SSLv2 client code can be exploited by a malicious server to crash a vulnerable client using OpenSSL to create an SSLv2 connection to the server.

Successful exploitation of these vulnerabilities could result in the execution of arbitrary code or a service crash. OpenSSL released an advisory to address these issues. Refer to SUSE advisory SUSE-SA:2006:058 for updates and patch information. Refer to Fedora advisory FEDORA-2006-1373 and FEDORA-2006-1004. Red Hat (CVE-2006-2937, CVE-2006-2940, CVE-2006-3738, CVE-2006-4343): Refer to Red Hat security advisory RHSA-2006:0695-12.

OpenSSL "SSL_get_shared_ciphers()" Off-By-One Buffer Overflow (QID 38595) CVE-2007-5135, CVE-2007-3108, RHSA-2007-0813, OpenSSL advisory, Solaris 10, Bugtraq ID 25831 OpenSSL is a widely-used open source implementation of the SSL v2/v3 and TLS v1 protocols. Off-by-one error in the SSL_get_shared_ciphers function may allow remote attackers to execute arbitrary code via a crafted packet that triggers a one-byte buffer underflow. Remote attackers could potentially execute arbitrary commands or cause a denial of service. The vendor released OpenSSL Version 0.9.8 f to address this issue. Update to the latest version of OpenSSL. Refer to this OpenSSL advisory for more information. Red Hat (CVE-2007-5135, CVE-2007-3108): For Red Hat advisory, please refer to this RHSA-2007:0813-2.

For Solaris advisory, please refer to Solaris 10. OpenSSL TLS Connection Record Handling Denial of Service Vulnerability (QID 42032) CVE-2010-0740, OpenSSL Advisory 24-March-2010 OpenSSL is an open source implementation of the SSL and TLS protocols. It is commonly found on Linux and Unix systems. A vulnerability has been identified in OpenSSL, which is caused by an error in the "ssl3_get_record()" [ssl/s3_pkt.c] function when processing malformed records during TLS connections. This vulnerability could be exploited by attackers to crash a vulnerable client or server. OpenSSL Versions 0.9.8f through 0.9.8m are affected by this issue.

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 201

Successful exploitation could allow remote attackers to cause a denial of service. Install vendor update or upgrade to OpenSSL 0.9.8n. Red Hat (CVE-2010-0740): Not vulnerable. This issue did not affect the versions of openssl as shipped with Red Hat Enterprise Linux 3, 4, or 5.

Qualys reports "Detected on port 443 - Apache/2.2.14 (Unix) mod_ssl/2.2.14 OpenSSL/0.9.8l mod_jk/1.2.26". OpenSSL Two Vulnerabilities (OpenSSL Advisory 1-June-2010) (QID 42335) CVE-2010-0742, CVE-2010-1633, OpenSSL Advisory 1-June-2010 OpenSSL is an open source implementation of the SSL and TLS protocols. It is commonly found on Linux and Unix systems. OpenSSL is prone to the following vulnerabilities: An error when handling Cryptographic Message Syntax structures can be exploited to potentially execute arbitrary code. An uninitialized buffer is returned instead of an error code when the verification recovery process fails. This can be exploited to potentially bypass key validation in applications using "EVP_PKEY_verify_recover()". This issue can be exploited to compromise an application using the library or to conduct spoofing attacks. OpenSSL Versions prior to 0.9.8o and 1.0.0a are vulnerable. Refer to OpenSSL Advisory 1-June-2010 to obtain additional details about the vulnerability. Install vendor update or upgrade to OpenSSL Version 0.9.8o or 1.0.0a to resolve these issues. Red Hat (CVE-2010-0742, CVE-2010-1633): Not vulnerable. These issues did not affect the versions of OpenSSL as shipped with Red Hat Enterprise Linux 3, 4, or 5.

Note: Qualys does not provide details regarding Red Hat. OpenSSL "ssl3_get_key_exchange()" Use-After-Free Vulnerability (QID 42345) CVE-2010-2939, OpenSSL, Bugtraq ID 42306 OpenSSL is an open source implementation of the SSL and TLS protocols. It is commonly found on Linux and Unix systems. Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 202

A vulnerability has been identified in OpenSSL, which could be exploited by attackers to cause a denial of service or compromise a vulnerable system. This issue is caused by a use-after-free error in the "ssl3_get_key_exchange()" [ssl\s3_clnt.c] function when processing malformed SSL data, which could be exploited by attackers to crash an affected application or execute arbitrary code by tricking a user into opening a specially crafted certificate or connecting to a malicious server. The vulnerability could be exploited by attackers to crash an affected application or execute arbitrary code. OpenSSL versions 1.0.0a and prior are affected. OpenSSL has fixed this issue in a development version, 0.9.8p. Red Hat (CVE-2010-2939): This issue did not affect the versions of openssl as shipped with Red Hat Enterprise Linux 3, 4, or 5 as they did not include support for ECDH.

No information found about CVE-2010-2939 and Solaris. Note: Qualys does not provide details regarding Red Hat. OpenSSL TLS Server Extension Parsing Race Condition Vulnerability (QID 42354) CVE-2010-3864, OpenSSL Security Advisory 20101116 OpenSSL is an open source implementation of the SSL and TLS protocols. It is commonly found on Linux and Unix systems. OpenSSL is prone to a vulnerability that is caused due to a race condition within the TLS extension parsing code, which can be exploited to cause a heap-based buffer overflow. Successful exploitation requires that the server is multi-threaded and uses the internal caching mechanism of OpenSSL. Multi-processed servers or servers with disabled internal caching session (Apache HTTP server, Stunnel) are not affected. Successful exploitation could lead to a denial of service and potentially compromise an application using the OpenSSL library. Affected Versions: OpenSSL Versions 0.9.8f through 0.9.8o OpenSSL Versions 1.0.0 OpenSSL Version 1.0.0a

Install vendor update or upgrade to OpenSSL 1.0.0c (or OpenSSL 0.9.8p). Red Hat (CVE-2010-3864):

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 203

This issue does not affect the versions of OpenSSL as shipped with Red Hat Enterprise Linux versions before Enterprise Linux 6. Red Hat Enterprise Linux version 6 (openssl) RHSA-2010:0888 openssl-1.0.0-4.el6_0.1 (superseded by RHSA-2012:0059 openssl-1.0.0-20.el6_2.1)

Note: Qualys does not provide details regarding Red Hat. OpenSSL ClientHello Handshake Messages Denial of Service Vulnerability (QID 42361) CVE-2011-0014, OpenSSL Security Advisory 20110208, Bugtraq ID 46264 OpenSSL is an open source implementation of the SSL and TLS protocols. It is commonly found on Linux and Unix systems. OpenSSL is prone to an issue that is caused by an error when a server calls "SSL_CTX_set_tlsext_status_cb()" on the server's SSL_CTX while handling malformed "ClientHello" handshake messages, which could be exploited by attackers to read the contents of memory or crash an affected server, creating a denial of service. Affected Versions: OpenSSL versions 0.9.8h through 0.9.8q OpenSSL versions 1.0.0 through 1.0.0c

Applications are only affected if they act as a server and call SSL_CTX_set_tlsext_status_cb on the server's SSL_CTX. This includes Apache httpd >= 2.3.3, if configured with "SSLUseStapling On". An attacker may be able to cause a crash (denial of service) by triggering invalid memory accesses. Install vendor update or update to the OpenSSL 1.0.0d (or 0.9.8r) or later release. Red Hat (CVE-2011-0014):

Red Hat Enterprise Linux version 6 (openssl) RHSA-2011:0677 openssl-1.0.0-10.el6 (superseded by RHSA-2012:0059 openssl-1.0.0-20.el6_2.1)

Note: Qualys does not provide details regarding Red Hat. OpenSSL Ciphersuite Downgrade Security Vulnerability (QID 42362) CVE-2010-4180, OpenSSL Security Advisory 20101202, cve_2010_4180_affects_openssl OpenSSL is an open source implementation of the SSL and TLS protocols. It is commonly found on Linux and Unix systems. OpenSSL when SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG is enabled, does not properly prevent modification of the ciphersuite in the session cache, which allows remote attackers to force the

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 204

downgrade to an unintended cipher via vectors involving sniffing network traffic to discover a session identifier. Exploitation allows remote attackers to force the downgrade to an unintended cipher. Affected Versions: OpenSSL versions 0.9.8h through 0.9.8p OpenSSL versions 1.0.0 through 1.0.0b

Install vendor update or OpenSSL 0.9.8 should update to OpenSSL 0.9.8q, OpenSSL 1.0.x should update to OpenSSL 1.0.0c. Red Hat (CVE-2010-4180):

Red Hat Enterprise Linux version 4 (openssl) RHSA-2010:0977 openssl-0.9.7a-43.17.el4_8.6 (superseded by RHSA-2012:0086 openssl-0.9.7a-43.18.el4) Red Hat Enterprise Linux version 5 (openssl) RHSA-2010:0978 openssl-0.9.8e-12.el5_5.7 (superseded by RHSA-2012:0060 openssl-0.9.8e-20.el5_7.1) Red Hat Enterprise Linux version 6 (openssl) RHSA-2010:0979 openssl-1.0.0-4.el6_0.2 (superseded by RHSA-2012:0059 openssl-1.0.0-20.el6_2.1) JBoss Enterprise Web Server 1.0 RHSA-2011:0896 JBoss Enterprise Web Server 1.0.2 update

Solaris 10: cve_2010_4180_affects_openssl SPARC: 146857-01 143559-07 X86: 146859-01

Note: Qualys does not provide details regarding Red Hat. Red Hat and Solaris Update for openssl Vulnerability (QID 116118) CVE-2008-5077, RHSA-2009-0004, Oracle ID 1020011.1 OpenSSL is an open source implementation of the SSL protocol which is used by a number of other projects, including but not restricted to Apache, Sendmail and Bind. It is commonly found on Linux and Unix systems. A flaw exists in the way OpenSSL checks for verification of certificates which allows spoofing attacks to be conducted. Several functions inside OpenSSL fail to properly check the return value from the EVP_VerifyFinal function when validating the signature of DSA and ECDSA keys. This allows malicious users to bypass certificate validation using a malformed SSL/TLS signature. An attacker with access to a malicious server can launch a "man in the middle" attack bypassing certificate validation and conduct phishing attacks or impersonate legitimate sites using the existing utilities.

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 205

This vulnerability may allow a remote user who is in control of a rogue server or who can use a "man-inthe-middle attack" to masquerade as a valid, legitimate server using malformed SSL certificates. Releases prior to OpenSSL Version 0.9.8j acting as an SSL/TLS client when connecting to a server whose certificate contains a DSA or ECDSA key are vulnerable. Workaround: Clients using OpenSSL to verify DSA or ECDSA certificates on the server should be upgraded or should stop using DSA/ECDSA certificates. Note: Unless existing certificates using DSA/ECDSA signatures are revoked and clients check for revocation, impersonation attacks are possible until the certificate expires. Install vendor update or upgrade OpenSSL. Note: For the update to take effect, all running OpenSSL client applications must be restarted, or the system rebooted. For Red Hat (CVE-2008-5077): Red Hat Enterprise Linux 2.1 RHSA-2009:0004 openssl-0.9.6b-49 Red Hat Enterprise Linux 3 RHSA-2009:0004 openssl-0.9.7a-33.25.src.rpm and openssl096b0.9.6b-16.49.src.rpm (superseded by RHSA-2010:0163 openssl-0.9.7a-33.26 and RHSA2010:0173 openssl096b-0.9.6b-16.50) Red Hat Enterprise Linux 4 RHSA-2009:0004 openssl-0.9.7a-43.17.el4_7.2.src.rpm and openssl096b-0.9.6b-22.46.el4_7.src.rpm (superseded by RHSA-2010:0977 openssl-0.9.7a43.17.el4_8.6 and RHSA-2010:0173 openssl096b-0.9.6b-22.46.el4_8.1) Red Hat Enterprise Linux 5 RHSA-2009:0004 openssl-0.9.8b-10.el5_2.1.src.rpm and openssl097a0.9.7a-9.el5_2.1.src.rpm (superseded by RHBA-2011:1010 openssl-0.9.8e-20.el5 and RHSA2010:0164 openssl097a-0.9.7a-9.el5_4.2)

For Solaris: Sun has released patches to address this issue. Refer to Oracle ID 1020011.1 to obtain patch details.

This vulnerability is confirmed by "139500-02 is missing." Sun Solaris OpenSSL Denial of Service Vulnerability (QID 116458) CVE-2009-0590, Sun Alert ID 258048, Oracle ID 1020423.1 OpenSSL is an open source implementation of the SSL protocol that is used by a number of other projects, including but not restricted to Apache, Sendmail, and Bind. It is commonly found on Linux and UNIX systems. OpenSSL is prone to a denial of service vulnerability that affects the "ASN1_STRING_print_ex()" function when used to print a "BMPString" or "UniversalString". An illegal encoded string length value can trigger

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 206

a crash by causing an invalid memory access. Successful exploitation may allow a local or remote unprivileged user to cause denial of service or bypass certain security checks. OpenSolaris based upon builds snv_01 through snv_112 and Solaris 10 are impacted by this issue. Sun has released patches to address this issue. Refer to Oracle ID 1020423.1 to obtain patch details. This vulnerability is confirmed by "SUNWcry is installed 141742-01 is missing. SUNWcry is installed 141742-04 is missing."

Operating System Detected


Operating System Detected (45017) Several different techniques can be used to identify the operating system (OS) running on a host. A short description of these techniques is provided below. The specific technique used to identify the OS on this host is included in the RESULTS section of your report. TCP/IP Fingerprint : The operating system of a host can be identified from a remote system using TCP/IP fingerprinting. All underlying operating system TCP/IP stacks have subtle differences that can be seen in their responses to specially-crafted TCP packets. According to the results of this "fingerprinting" technique, the OS version is among those listed below. Note that if one or more of these subtle differences are modified by a firewall or a packet filtering device between the scanner and the host, the fingerprinting technique may fail. Consequently, the version of the OS may not be detected correctly. If the host is behind a proxytype firewall, the version of the operating system detected may be that for the firewall instead of for the host being scanned. NetBIOS : Short for Network Basic Input Output System, an application programming interface (API) that augments the DOS BIOS by adding special functions for local-area networks (LANs). Almost all LANs for PCs are based on the NetBIOS. Some LAN manufacturers have even extended it, adding additional network capabilities. NetBIOS relies on a message format called Server Message Block (SMB). PHP Info : PHP is a hypertext pre-processor, an open-source, server-side, HTML-embedded scripting language used to create dynamic Web pages. Under some configurations it is possible to call PHP functions like phpinfo() and obtain operating system information. SNMP : The Simple Network Monitoring Protocol is used to monitor hosts, routers, and the networks to which they attach. The SNMP service maintains Management Information Base (MIB), a set of variables (database) that can be fetched by Managers. These include "MIB_II.system.sysDescr" for the operating system.

Minimize Fingerprinting by adding an ACL to define what devices have SNMP access to the device.

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 207

Note: Qualys may report this Informational Message ("Operating System Detected") and report that it was unable to detect an operating system. The information in the results section of the vulnerability report can be used to provide the missing operating system information. Operating Systems Detected on Redirected TCP Open Ports (82038) A redirected TCP open port is a port that is not native to the host scanned. It may belong to another host that is either closer to or further away from the scanner. The service detected one or more redirected TCP open ports and finger-printed the operating systems these ports belong to. When a redirected TCP open port is detected, it may be difficult for the service to determine whether the port is native to the host. Ports displayed as "redirected" may actually be native and vice versa. Qualys may report that the detected OS is: Solaris 10, and report Redirected Port 5634 with OS "Solaris 9-11". Solaris 10, and report Redirected Ports 395 and 389 with OS "Solaris 9-11". (not detected) and Redirected Ports 22, 443, 161 with OS "F5 Networks Big-IP". This appears to be a load balancer.

Oracle Vulnerabilities
Qualys reports results like: TNSLSNR for Solaris: Version 9.2.0.6.0 Production (and other 9.2.0.6.0 components)

Oracle9i Database Release 2, versions 9.2.0.6 and 9.2.0.7 are vulnerable. Critical Patch Update - January 2006 release notes (http://www.oracle.com/technetwork/topics/security/cpujan2006-082403.html) indicates a patch is available, but does not suggest how you could determine if the patch was applied. The scanner goes no further to determine if the software is vulnerable. The answer is to use opatch. $ cd $ORACLE_HOME/OPatch

$ opatch lsinventory Invoking OPatch 10.2.0.1.0

Oracle interim Patch Installer version 10.2.0.1.0 Copyright (c) 2005, Oracle Corporation. All rights reserved.. ... Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 208

Installed Top-level Products (1):

Oracle Database 10g

10.2.0.1.0

There are 1 products installed in this Oracle Home. Oracle Listener Log File Can Be Renamed Without Authentication (QID 19005) Oracle Enterprise Server ships with a server program called listener, which is used for remote database access. The default configuration of listener, which accepts remote commands from listener controllers, does not require a password for authentication of remote connections. Due to this condition, unauthorized clients can connect to the listener and send it certain commands. Two such commands are 'SET TRC_FILE' and 'SET LOG_FILE', which allows the connecting client to tell the listener server what log files to use. Unfortunately, the remote client can set these filenames to whatever the Oracle user account can write to (or create new files). When an existing file name is used, it will be corrupted with Oracle log messages. By exploiting this vulnerability, malicious users can rename the listener's log file to a new file or an existing file. In the latter case, the existing file will be corrupted. Note that the existing file name does not need to have the ".log" extension in order to be corrupted. Please set a password to the listener to prevent unauthorized remote access to it. Alternatively, you may completely disable the runtime modification of listeners configuration parameters by adding "ADMIN_RESTRICTIONS_[name of listener]=ON" in listener.ora (where listener is the name of the listener). Note that if you are running versions 7.3.4, 8.0.6, 8.1.6, you will first need to install a patch from http://metalink.oracle.com (generic bug number of 1361722) before doing this. Note: Changing any of the settings above require the listener to be restarted. This vulnerability is detected by exploiting the vulnerability. Oracle Database Link Buffer Overflow Vulnerability (QID 19076) CVE-2003-0222, Bugtraq ID 7453 Oracle is a commercial database product that is available for a number of platforms, including Microsoft Windows as well as Unix and Linux variants. A classic stack-based buffer overflow vulnerability in the Oracle database server can be set up for exploitation by providing an overly long parameter for a connect string with the "CREATE DATABASE LINK" query. Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 209

The overflow can be triggered, overwriting the saved return address on the stack. This allows an attacker to gain control of the Oracle process' path of execution, and permits the execution of arbitrary, user-supplied code in the security context of the account running the Oracle database server. On Unixbased systems, this account is typically the "oracle" user, which allows a full compromise of the data. And on Windows, this account is the local SYSTEM user, which allows a full compromise of the data and the operating system. Successful exploitation of this vulnerability allows a malicous user to gain control of the Oracle process' path of execution, and permits the execution of arbitrary, user-supplied code. Oracle Database Server EXTPROC Buffer Overflow Vulnerability (QID 19080) CVE-2003-0634, Bugtraq ID 8267 Oracle has announced the existence of a vulnerability in the Oracle Database Server. It has been reported that a buffer overflow condition may occur in the EXTPROC executable when run with specially-crafted input. It's possible to trigger memory corruption by passing excessive data to the executable. This issue likely occurs due to insufficient bounds checking of user-supplied input. Note: A malicious user must be authenticated to the Oracle Database server using an account with the "CREATE LIBRARY" or "CREATE ANY LIBRARY" privilege." Successful exploitation of this vulnerability may allow a malicous user to execute commands. By overwriting a stored return address or other sensitive values within the Oracle Database Server process, a malicious user may trick the program into running embedded instructions with the privileges of the target process. Multiple Oracle Database Parameter/Statement Buffer Overflow Vulnerabilities (QID 19084) CVE-2003-1208, 333953.1 (alternate source), Bugtraq ID 9587 Oracle is a commercial database product, which is available for a number of platforms including Microsoft Windows, as well as Unix and Linux variants. The host is running an Oracle database that is prone to multiple buffer overflow vulnerabilities when processing certain parameters and functions. Specifically the TIME_ZONE parameter lacks sufficient boundary checks. Therefore an excessive value assigned to TIME_ZONE may potentially overrun the bounds of a buffer in stack-based memory. This may result in the corruption of memory adjacent to the affected buffer, and ultimately may provide for arbitrary code execution. Additionally the NUMTOYMINTERVAL function has been reported prone to a buffer overflow vulnerability. The issue presents itself due to a lack of sufficient boundary checks performed on char_expr parameters passed as an argument to the function. Again this issue may be exploited by passing excessive data as the second argument to a NUMTOYMINTERVAL statement call. The NUMTODSINTERVAL function has also been reported prone to a buffer overflow vulnerability. The issue again presents itself due to a lack of sufficient boundary checks performed on char_expr Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 210

parameters passed as an argument to the function. This issue may be exploited in a similar manner to the NUMTOYMINTERVAL issue, by passing excessive data as the second argument to a NUMTODSINTERVAL statement call. Finally the FROM_TZ function has been reported prone to a buffer overflow vulnerability. The issue will present itself when excessive data is passed as the third parameter of a properly formatted FROM_TZ statement call. These vulnerabilities may be exploited to execute arbitrary code with elevated privileges. Affected Versions: Oracle 9 prior to Version 9.2.0.3

Qualys reports results like: TNSLSNR for Solaris: Version 9.2.0.1.0 Production

Access to support articles, such as http://metalink.oracle.com/metalink/plsql/showdoc?db=NOT&id=333953.1.html, requires an Oracle account and Customer Support Identifier (CSI) from the support contract. A public copy was found at http://www.novell.com/support/viewContent.do?externalId=3725334&sliceId=1. Use opatch to check for 2617419. Oracle Database Server April 2005 Critical Patch Update Missing (QID 19114) CPU Apr 2005, Bugtraq ID 13139 Oracle Database Server, Oracle Application Server, Oracle Collaboration Suite, Oracle E-Business and Applications, Oracle Enterprise Manager Grid Control, and Oracle PeopleSoft Applications are reported prone to multiple vulnerabilities. Oracle has released a Critical Patch Update (Aprl 2005) to address these issues in various supported applications and platforms. Other non-supported versions may be affected. The issues identified by the vendor affect all security properties of the Oracle products and present local and remote threats. Various levels of authorization are required to leverage some issues; however others do not require any authorization. The version of the Oracle server detected indicates that it is a candidate for applying the security update. The service was unable to confirm if the patch was applied. The consequences vary on the security threat which is addressed. For more information, refer to the Oracle documentation link in the solution field.

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 211

Oracle Application Server HTTP Service Mod_Access Restriction Bypass Vulnerability (QID 19120) CVE-2005-1383, Bugtraq ID 13418 Oracle HTTP Server (OHS) of Oracle Application Server is prone to an access restriction bypass vulnerability. It is possible to configure a list of forbidden URIs in OHS. This is accomplished using "mod_access". A URI that is listed is not supposed to be accessible to certain clients, depending on the configuration. However, reports indicate that the Oracle Webcache client may be used to access URIs regardless of the restrictions outlined in OHS "mod_access". A remote attacker that has access to the Oracle Webcache service may exploit this vulnerability to bypass OHS "mod_access" restrictions and access potentially sensitive URI's. Oracle Database Server October 2005 Critical Patch Update Missing (QID 19144) CVE-2005-0873, 333953.1, CPU Oct 2005 Oracle Critical Patch Update (October 2005) for Database Server is not installed. The consequences due to successful exploitation differ for each vulnerability addressed in the critical update. Please refer to the Oracle security bulletin CPU Oct 2005 for more details. Affected Versions: Oracle Database Server 10g Release 1, Versions 10.1.0.3, 10.1.0.4 Oracle9i Database Server Release 2, Versions 9.2.0.5, 9.2.0.6, 9.2.0.7 Oracle8i Database Server Release 3, Version 8.1.7.4

TNSLSNR version (for example) was found, but the patch status is unknown. What does "opatch lsinventory" report? Oracle Database Server January 2006 Security Update Missing (QID 19197) CVE-2006-0548, CVE-2006-0549, CVE-2006-0551, CVE-2006-0547, CVE-2006-0272, CVE-2006-0286, CVE2006-0285, CVE-2006-0284, CVE-2006-0283, CVE-2006-0282, CVE-2006-0271, CVE-2006-0270, CVE2006-0269, CVE-2006-0268, CVE-2006-0267, CVE-2006-0266, CVE-2006-0265, CVE-2006-0264, CVE2006-0263, CVE-2006-0262, CVE-2006-0261, CVE-2006-0260, CVE-2006-0259, CVE-2006-0258, CVE2006-0257, CVE-2006-0256, CVE-2006-0291, CVE-2006-0290, CVE-2006-0287, CVE-2006-0552, CVE2006-0586, 343382.1, Bugtraq ID 16287 Oracle released a critical patch update advisory for January 2006 to address multiple critical vulnerabilities for supported releases of Oracle Database server. Affected versions include the following: Oracle Database 10g Release 2, version 10.2.0.1 Oracle Database 10g Release 1, versions 10.1.0.3, 10.1.0.4, 10.1.0.4.2 and 10.1.0.5 Oracle9i Database Release 2, versions 9.2.0.6 and 9.2.0.7 Page 212

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Oracle9i Database Release 1, versions 9.0.1.4, 9.0.1.5 and 9.0.1.5 FIPS Oracle8i Database Release 3, version 8.1.7.4 Oracle 8 Database Release 8.0.6, version 8.0.6.3

TNSLSNR version (for example) was found, but the patch status is unknown. What does "opatch lsinventory" report? Oracle Database Server April 2006 Critical Patch Update Missing (QID 19203) CVE-2006-0435, CVE-2006-1874, CVE-2006-1868, CVE-2006-1871, CVE-2006-1872, CVE-2006-1873, CPU April 2006 Oracle released Critical Patch Update advisory for April 2006 to address multiple critical vulnerabilities for supported releases of Oracle Database server. Affected versions include the following: Oracle Database 10g Release 2, Versions 10.2.0.1, 10.2.0.2 Oracle Database 10g Release 1, Versions 10.1.0.4, 10.1.0.5, 10.1.0.4.2 Oracle9i Database Release 1, Versions 9.0.1.4, 9.0.1.5 Oracle9i Database Release 2, Versions 9.2.0.6, 9.2.0.7 Oracle8i Database Release 3, Version 8.1.7.4 Oracle 8 Database Release 8.0.6, Version 8.0.6.3

TNSLSNR version (for example) was found, but the patch status is unknown. What does "opatch lsinventory" report? Oracle Database Server July 2006 Critical Patch Update Missing (QID 19210) CVE-2006-3698, CPU July 2006, Bugtraq ID 19054 Oracle released a critical patch update advisory for July 2006 to address multiple critical vulnerabilities for supported releases of Oracle Database server. Affected versions include the following: Oracle Database 10g Release 2, Versions 10.2.0.1, 10.2.0.2 Oracle Database 10g Release 1, Versions 10.1.0.4, 10.1.0.5 Oracle9i Database Release 2, Versions 9.2.0.6, 9.2.0.7 Oracle8i Database Release 3, Version 8.1.7.4

TNSLSNR version (for example) was found, but the patch status is unknown. What does "opatch lsinventory" report? Oracle Database Server October 2006 Security Update Missing (QID 19211) CVE-2006-5332, CVE-2006-5333, CVE-2006-5334, CVE-2006-5335, CVE-2006-5336, CVE-2006-5339, CVE2006-5340, CVE-2006-5341, CVE-2006-5342, CVE-2006-5343, CVE-2006-5344, CVE-2006-5345, CPU Oct 2006, Bugtraq ID 20588

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 213

Oracle Database is affected by multiple vulnerabilities. Oracle has released a Critical Patch Update advisory for October 2006 to address these vulnerabilities. This Critical Patch Update addresses vulnerabilities for supported releases. The issues identified by the vendor affect all security properties of the Oracle products and present local and remote threats. Various levels of authorization are needed to leverage some of the issues, but other issues do not require any authorization. The most severe of the vulnerabilities could possibly expose affected computers to complete compromise. A remote attacker can gain complete control of the vulnerable machine. Affected Versions: TNSLSNR version (for example) was found, but the patch status is unknown. What does "opatch lsinventory" report? Oracle Database Server January 2007 Security Update Missing (QID 19215) CVE-2007-0272, CPU Jan 2007 Oracle Database is affected by multiple vulnerabilities. Oracle has released a Critical Patch Update advisory for January 2007 to address these vulnerabilities. This Critical Patch Update addresses vulnerabilities for supported releases. The issues identified by the vendor affect all security properties of the Oracle products, and present local and remote threats. Various levels of authorization are needed to leverage some of the issues, but other issues do not require any authorization. The most severe of the vulnerabilities could possibly expose affected computers to complete compromise. A remote attacker can gain complete control of the vulnerable machine. Affected Versions: TNSLSNR version (for example) was found, but the patch status is unknown. What does "opatch lsinventory" report? Oracle Database Server April 2007 Security Update Missing (QID 19216) CVE-2007-2113, CVE-2007-2118, CPU Apr 2007 Oracle has released Critical Patch Update advisory for April 2007 to address these vulnerabilities. This Critical Patch Update addresses vulnerabilities for supported releases. The issues identified by the vendor affect all security properties of the Oracle products, and present local and remote threats. Various levels of authorization are needed to leverage some of the issues, but Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 214

other issues do not require any authorization. The most severe of the vulnerabilities could possibly expose affected computers to complete compromise. A remote attacker can gain complete control of the vulnerable machine. Affected Versions: TNSLSNR version (for example) was found, but the patch status is unknown. What does "opatch lsinventory" report? Oracle Database Server July 2007 Security Update Missing (QID 19219) CVE-2007-3855, CVE-2007-3865, CVE-2007-3866, CVE-2007-3867, CPU Jul 2007, Bugtraq ID 24887 Oracle Database is affected by multiple vulnerabilities. Oracle has released a Critical Patch Update advisory for July 2007 to address these vulnerabilities. This Critical Patch Update addresses vulnerabilities for supported releases. The issues identified by the vendor affect all security properties of the Oracle products, and present local and remote threats. Various levels of authorization are needed to leverage some of the issues, but other issues do not require any authorization. The most severe of the vulnerabilities could possibly expose affected computers to complete compromise. A remote attacker could gain control of the host. Affected Versions: TNSLSNR version (for example) was found, but the patch status is unknown. What does "opatch lsinventory" report? Oracle Database Server October 2007 Security Update Missing (QID 19223) CVE-2007-5506, CPU Oct 2007, Bugtraq ID 26103, 26101, 26108 Oracle Database is affected by multiple vulnerabilities. Oracle has released a Critical Patch Update advisory for October 2007 to address these vulnerabilities. This Critical Patch Update addresses vulnerabilities for supported releases. The issues identified by the vendor affect all security properties of the Oracle products, and present local and remote threats. Various levels of authorization are needed to leverage some of the issues, but other issues do not require any authorization. The most severe of the vulnerabilities could possibly expose affected computers to complete compromise. A remote attacker could gain control of the host.

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 215

Affected Versions: TNSLSNR version (for example) was found, but the patch status is unknown. What does "opatch lsinventory" report? Oracle Database Server January 2008 Security Update Missing (QID 19227) CVE-2008-0339, CVE-2008-0340, CVE-2008-0341, CVE-2008-0342, CVE-2008-0343, CVE-2008-0344, CVE2008-0345, CVE-2008-0346, CVE-2008-0347, CVE-2008-0348, CVE-2008-0349, CPU Jan 2008 Oracle Database is affected by multiple vulnerabilities. Oracle has released a Critical Patch Update advisory for January 2008 to address these vulnerabilities. This Critical Patch Update addresses vulnerabilities for supported releases. Eight new security fixes for the Oracle Database are addressed. A remote attacker could gain control of the host. Affected Versions: TNSLSNR version (for example) was found, but the patch status is unknown. What does "opatch lsinventory" report? Oracle Database Server July 2005 Security Update Missing (QID 19230) CPU Jul 2005 Oracle Database is affected by multiple vulnerabilities. Oracle has released a Critical Patch Update advisory for July 2005 to address these vulnerabilities. This Critical Patch Update addresses vulnerabilities for supported releases. A remote attacker could affect the confidentiality, integrity and availability of data on the target system. Affected Versions: Oracle Database 10g Release 1, versions 10.1.0.2, 10.1.0.3, 10.1.0.4 Oracle9i Database Server Release 2, versions 9.2.0.5, 9.2.0.6 Oracle8i Database Server Release 3, version 8.1.7.4

TNSLSNR version (for example) was found, but the patch status is unknown. What does "opatch lsinventory" report? Oracle Database Server April 2008 Security Update Missing (QID 19232) CVE-2008-1811, CVE-2008-1812, CVE-2008-1813, CVE-2008-1814, CVE-2008-1815, CVE-2008-1816, CVE2008-1817, CVE-2008-1818, CVE-2008-1819, CVE-2008-1820, CVE-2008-1821, CVE-2008-1822, CVEVulnerability Remediation Synopsis version 0.4Russ Klanke Page 216

2008-1823, CVE-2008-1824, CVE-2008-1825, CVE-2008-1826, CVE-2008-1827, CVE-2008-1828, CVE2008-1829, CVE-2008-1830, CVE-2008-1831, CPU Apr 2008 Oracle released Critical Patch Update advisory for April 2008 to address 17 security vulnerabilities. Oracle Database components affected are: Advanced Queuing Audit Authentication Change Data Capture Core RDBMS Data Pump Export Oracle Application Express Oracle Net Services Oracle Secure Enterprise Search or Ultrsearch Oracle Spatial Query Optimizer

A remote attacker could gain control of the host. Affected Versions: TNSLSNR version (for example) was found, but the patch status is unknown. What does "opatch lsinventory" report? Oracle Database Server July 2008 Security Update Multiple Vulnerabilities (QID 19238) CVE-2008-2607, CVE-2008-2613, CVE-2008-2592, CVE-2008-2604, CVE-2008-2591, CVE-2008-2600, CVE2008-2602, CVE-2008-2605, CVE-2008-2611, CVE-2008-2608, CVE-2008-2590, CVE-2008-2603, CVE2008-2587, CPU Jul 2008 Oracle released a Critical Patch Update advisory for July 2008 to address 45 security vulnerabilities. These are the Oracle database components affected: Oracle Application Server Oracle Audit Vault Oracle Beehive Oracle Collaboration Suite Oracle Database Oracle Developer Suite Page 217

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Oracle Enterprise Manager Oracle HTTP Server Oracle Secure Enterprise Search Oracle Workflow Cartridge

A remote attacker could gain control of the host. Affected Versions: TNSLSNR version (for example) was found, but the patch status is unknown. What does "opatch lsinventory" report? Oracle Database Server October 2008 Security Update Missing (QID 19260) CVE-2008-3989, CVE-2008-2624, CVE-2008-3995, CVE-2008-3996, CVE-2008-3992, CVE-2008-3976, CVE2008-3982, CVE-2008-3983, CVE-2008-3984, CVE-2008-3994, CVE-2008-3980, CVE-2008-4005, CVE2008-2625, CVE-2008-3990, CVE-2008-3991, CPU Oct 2008 Oracle released a Critical Patch Update advisory for October 2008 to address 45 security vulnerabilities. These are the Oracle database components affected: Oracle Application Server Infrastructure Oracle Application Server Metadata Repository Oracle Audit Vault Embedded Database Oracle Beehive Oracle Collaboration Suite Information Store Oracle Database Oracle E-Business Suite Oracle Management Repository Oracle Secure Enterprise Search Embedded Database

A remote attacker could gain control of the host. Affected Versions: TNSLSNR version (for example) was found, but the patch status is unknown. What does "opatch lsinventory" report? Oracle Database Server January 2009 Security Update Missing (QID 19267) CVE-2008-2623, CVE-2008-4014, CVE-2008-4017, CVE-2008-5438, CVE-2008-5446, CVE-2008-5450, CVE2008-5454, CVE-2008-5458, CVE-2008-5457, CVE-2008-5459, CVE-2008-5460, CVE-2008-5461, CVE2008-5462, CVE-2008-3973, CVE-2008-3974, CVE-2008-3978, CVE-2008-3979, CVE-2008-3997, CVEVulnerability Remediation Synopsis version 0.4Russ Klanke Page 218

2008-3999, CVE-2008-4015, CVE-2008-5436, CVE-2008-5437, CVE-2008-5439, CVE-2008-5447, CVE2008-4016, CVE-2008-3981, CVE-2008-4006, CVE-2008-5441, CVE-2008-5442, CVE-2008-5443, CVE2008-5444, CVE-2008-5445, CVE-2008-5448, CVE-2008-5449, CVE-2008-4007, CVE-2008-5451, CPU Jan 2009 Oracle released a Critical Patch Update advisory for January 2009 that address 41 security vulnerabilities. These are the Oracle database components affected: Oracle Database Oracle Secure Backup Oracle TimesTen In-Memory Database Oracle Application Server Oracle Collaboration Suite Oracle E-Business Suite Release Oracle Enterprise Manager Grid Control PeopleSoft Enterprise HRMS JD Edwards Tools Oracle WebLogic Server (formerly BEA WebLogic Server) Oracle WebLogic Portal (formerly BEA WebLogic Portal)

These vulnerabilities can lead to escalation of privileges. Affected Versions: TNSLSNR version (for example) was found, but the patch status is unknown. What does "opatch lsinventory" report? Oracle Database Server April 2009 Security Update Missing (QID 19463) CVE-2009-0979, CVE-2009-0985, CVE-2009-0972, CVE-2009-0977, CVE-2009-0992, CVE-2009-0984, CVE2009-0980, CVE-2009-0975, CVE-2009-0978, CVE-2009-0986, CVE-2009-0973, CVE-2009-0991, CVE2009-0981, CVE-2009-0997, CVE-2009-0988, CPU Apr 2009, Bugtraq ID 34461 Oracle released Critical Patch Update advisory for April 2009 that addresses 16 security vulnerabilities. These are the Oracle database components affected: Resource Manager Core RDBMS Workspace Manager Advanced Queing Database Vault Page 219

Vulnerability Remediation Synopsis version 0.4Russ Klanke

SQLX Functions Cluster Ready Services Listener Application Express Password Policy

A remote attacker could affect the confidentiality and integrity of data on the target system. Affected Versions: TNSLSNR version (for example) was found, but the patch status is unknown. What does "opatch lsinventory" report? Oracle Database Server July 2009 Security Update Missing (QID 19484) CVE-2009-1020, CVE-2009-1019, CVE-2009-1963, CVE-2009-1021, CVE-2009-1966, CVE-2009-1967, CVE2009-0987, CVE-2009-1973, CVE-2009-1970, CVE-2009-1968, CVE-2009-1015, CVE-2009-1969, CPU Jul 2009 Oracle released a Critical Patch Update advisory for July 2009 that addresses 16 security vulnerabilities. These are the Oracle database components affected: Oracle Net HTTP

A remote attacker could affect the confidentiality and integrity of data on the target system. Affected Versions: TNSLSNR version (for example) was found, but the patch status is unknown. What does "opatch lsinventory" report? Oracle Database Server October 2009 Security Update Missing (QID 19498) CVE-2009-1972, CVE-2009-1971, CVE-2009-1991, CVE-2009-1995, CVE-2009-2000, CVE-2009-1997, CVE2009-1965, CVE-2009-1964, CVE-2009-1018, CVE-2009-1993, CVE-2009-2001, CVE-2009-1994, CVE2009-1007, CVE-2009-1985, CVE-2009-1979, CVE-2009-1992, CPU Oct 2009 Oracle released a Critical Patch Update advisory for October 2009 that addresses 16 security vulnerabilities. These are the Oracle database components affected: Advanced Queuing Page 220

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Application Express Authentication CORE RDBMS Data Mining Net Foundation Layer Network Authentication Oracle Spatial Oracle Text PL/SQL RDBMS Data Pump RDBMS Security Workspace Manager

A remote attacker could affect the confidentiality and integrity of data on the target system. Affected Versions: TNSLSNR version (for example) was found, but the patch status is unknown. What does "opatch lsinventory" report? Oracle Database Server January 2010 Security Update Missing (QID 19524) CVE-2010-0071, CVE-2009-3415, CVE-2010-0076, CVE-2009-3411, CVE-2009-3414, CVE-2009-1996, CVE2009-3410, CVE-2009-3413, CVE-2009-3412, CPU Jan 2010 Oracle released a Critical Patch Update advisory for January 2010 that addresses 9 security vulnerabilities. These are the Oracle database components affected: Listener Oracle OLAP Application Express, Application Builder Oracle Data Pump Oracle Spatial Logical Standby RDBMS Unzip

A remote attacker could affect the confidentiality, integrity and availability of data on the target system. Affected Versions: Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 221

TNSLSNR version (for example) was found, but the patch status is unknown. What does "opatch lsinventory" report? Oracle Database Server April 2010 Security Update Missing (QID 19548) CVE-2010-0853, CVE-2010-0860, CVE-2010-0866, CVE-2010-0852, CVE-2010-0867, CVE-2010-0851, CVE2010-0870, CVE-2010-0854, CPU Apr 2010 Oracle released Critical Patch Update advisory for April 2010 that addresses 7 security vulnerabilities. The following Oracle database components are affected: Oracle Internet Directory Core RDBMS JavaVM XML DB Change Data Capture Audit

Successful exploitation allows attackers to execute arbitrary code. None of these vulnerabilities may be remotely exploitable without authentication; that is, none may be exploited over a network without the need for a username and password. Affected Versions: TNSLSNR version (for example) was found, but the patch status is unknown. What does "opatch lsinventory" report? Oracle Database Server July 2010 Security Update Missing (QID 19565) CVE-2010-0911, CVE-2010-0903, CVE-2010-0902, CVE-2010-0892, CVE-2010-0900, CVE-2010-0901, CPU Jul 2010 Oracle released a Critical Patch Update advisory for July 2010 that addresses several security vulnerabilities. The following Oracle database components are affected: Application Express Export Listener Net Foundation Layer Network Layer Oracle OLAP

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 222

Successful exploitation allows an attacker to execute arbitrary code and conduct privilege escalation attacks. Affected Versions: TNSLSNR version (for example) was found, but the patch status is unknown. What does "opatch lsinventory" report? Oracle Database Server October 2010 Security Update Missing (QID 19589) CVE-2009-2949, CVE-2009-2950, CVE-2009-3301, CVE-2009-3302, CVE-2009-3555, CVE-2010-0395, CVE2010-1321, CVE-2010-2388, CVE-2010-2389, CVE-2010-2390, CVE-2010-2391, CVE-2010-2395, CVE2010-2396, CVE-2010-2404, CVE-2010-2405, CVE-2010-2406, CVE-2010-2407, CVE-2010-2408, CVE2010-2409, CVE-2010-2410, CVE-2010-2411, CVE-2010-2412, CVE-2010-2413, CVE-2010-2414, CVE2010-2415, CVE-2010-2416, CVE-2010-2417, CVE-2010-2418, CVE-2010-2419, CVE-2010-3500, CVE2010-3501, CVE-2010-3502, CVE-2010-3503, CVE-2010-3504, CVE-2010-3506, CVE-2010-3507, CVE2010-3508, CVE-2010-3509, CVE-2010-3511, CVE-2010-3512, CVE-2010-3513, CVE-2010-3514, CVE2010-3515, CVE-2010-3516, CVE-2010-3517, CVE-2010-3518, CVE-2010-3519, CVE-2010-3520, CVE2010-3521, CVE-2010-3522, CVE-2010-3523, CVE-2010-3524, CVE-2010-3525, CVE-2010-3526, CVE2010-3527, CVE-2010-3528, CVE-2010-3529, CVE-2010-3530, CVE-2010-3531, CVE-2010-3532, CVE2010-3533, CVE-2010-3534, CVE-2010-3535, CVE-2010-3536, CVE-2010-3537, CVE-2010-3538, CVE2010-3539, CVE-2010-3540, CVE-2010-3542, CVE-2010-3544, CVE-2010-3545, CVE-2010-3546, CVE2010-3547, CVE-2010-3564, CVE-2010-3575, CVE-2010-3576, CVE-2010-3577, CVE-2010-3578, CVE2010-3579, CVE-2010-3580, CVE-2010-3581, CVE-2010-3582, CVE-2010-3583, CVE-2010-3584, CVE2010-3585, CPU Oct 2010 Oracle released a Critical Patch Update advisory for October 2010 that addresses several security vulnerabilities. The following Oracle database components are affected: EM Console Java Virtual Machine Change Data Capture OLAP Change Data Capture Job Queue XDK Core RDBMS Perl

Successful exploitation allows an attacker to execute arbitrary code and conduct privilege escalation attacks. Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 223

Affected Versions: TNSLSNR version (for example) was found, but the patch status is unknown. What does "opatch lsinventory" report? EOL/Obsolete Software: Oracle Database 9i Detected (QID 19602) The host has Oracle Database 9i installed. Premier support for the 9i Database ended in July 2007; the extended support ended in July 2010. The system is at high risk of being exposed to security vulnerabilities. Since the vendor no longer provides updates, obsolete software is more vulnerable to viruses and other attacks. Upgrade to a vendor-supported version. EOL/Obsolete Software: Oracle Database 10g Release 1 Detected (QID 19603) The host has Oracle Database 10g Release 1 installed. Premier support for 10g Release 1 ended in January 2009. The system is at high risk of being exposed to security vulnerabilities. Since the vendor no longer provides updates, obsolete software is more vulnerable to viruses and other attacks. Upgrade to a vendor-supported version. EOL/Obsolete Software: Oracle Database 10.2.0.1 Detected (QID 19605) The host has Oracle Database 10.2.0.1 installed. Premier support for Database 10.2.0.1 ended in April 2007. The system is at high risk of being exposed to security vulnerabilities. Since the vendor no longer provides updates, obsolete software is more vulnerable to viruses and other attacks. Upgrade to a vendor-supported version. Oracle Database Server January 2011 Security Update Missing (QID 19608) CVE-2010-3600, CVE-2010-4421, CVE-2010-3590, CVE-2010-4413, CVE-2010-4420, CPU Jan 2011 Oracle released a Critical Patch Update advisory for January 2011 that addresses several security vulnerabilities. The following Oracle database components are affected: Client System Analyzer Database Vault Oracle Spatial Scheduler Agent

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 224

A remote attacker could affect the confidentiality, integrity and availability of data on the target system. Affected Versions: TNSLSNR version (for example) was found, but the patch status is unknown. What does "opatch lsinventory" report? Oracle Database Server April 2011 Security Update Missing (QID 19616) CVE-2011-0792, CVE-2011-0799, CVE-2009-3555, CVE-2011-0787, CVE-2011-0806, CVE-2011-0785, CVE2011-0805, CVE-2011-0793, CVE-2011-0804, CPU Apr 2011 Oracle released a Critical Patch Update advisory for April 2011 that addresses several security vulnerabilities. The following Oracle database components are affected: Oracle Warehouse Builder Database Vault Oracle Security Service Network Foundation Application Service Level Management Oracle Help UIX

A remote attacker could affect the confidentiality, integrity and availability of data on the target system. Affected Versions: TNSLSNR version (for example) was found, but the patch status is unknown. What does "opatch lsinventory" report? Oracle Database Server July 2011 Security Update Missing (QID 19633) CVE-2011-2239, CVE-2011-2253, CVE-2011-0882, CVE-2011-2257, CVE-2011-2248, CVE-2011-0870, CVE2011-0848, CVE-2011-0852, CVE-2011-0822, CVE-2011-0835, CVE-2011-0880, CVE-2011-0838, CVE2011-2244, CVE-2011-0832, CVE-2011-2232, CVE-2011-0816, CVE-2011-0875, CVE-2011-0831, CVE2011-2230, CVE-2011-0811, CVE-2011-0881, CVE-2011-0876, CVE-2011-0830, CVE-2011-0877, CVE2011-0879, CVE-2011-2231, CVE-2011-2238, CVE-2011-2243, CVE-2011-2240, CVE-2011-2242, CPU Jul 2011 Oracle released a Critical Patch Update advisory for July 2011 that addresses several security vulnerabilities.

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 225

The following Oracle database components are affected: Core RDBMS Content Management Database Target Type Menus SQL Performance Advisories/UIs Schema Management Security Framework Security Management Streams, AQ and Replication Mgmt XML Developer Kit CMDB Metadata and Instance APIs EMCTL Enterprise Config Management Enterprise Manager Console Event Management Instance Management XML Developer Kit Database Vault Oracle Universal Installer

A remote attacker could affect the confidentiality, integrity and availability of data on the target system. Affected Versions: TNSLSNR version (for example) was found, but the patch status is unknown. What does "opatch lsinventory" report? EOL/Obsolete Software : Oracle Database 11.1.0.6 Detected (QID 105362) The host has Oracle Database 11.1.0.6 installed. Oracle ended Critical Patch update for Oracle Database 11.1.0.6 on July 14, 2009. The system is at high risk of being exposed to security vulnerabilities. Since the vendor no longer provides updates, obsolete software is more vulnerable to viruses and other attacks. Upgrade to a vendor-supported version. EOL/Obsolete Software : Oracle Database 10.2.0.3 Detected (QID 105363) The host has Oracle Database 10.2.0.3 installed. Premier support for 10.2.0.3 Database ended in February 2009.

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 226

The last Critical Patch Update for 10.2.0.3 on HP Tru64 and Windows Itanium was CPU Apr 2009. Only Critical Patch Update for 10.2.0.3 on IBM z/OS continued. The system is at high risk of being exposed to security vulnerabilities. Since the vendor no longer provides updates, obsolete software is more vulnerable to viruses and other attacks. Upgrade to a vendor-supported version.

PHP Vulnerabilities
PHP cURL Open_Basedir Restriction Bypass (QID 12188) Bugtraq ID 11557 cURL is a non-interactive Web client. It is available for a number of operating systems, including Unix/Linux variants. PHP4 has a cURL module to allow its use in PHP scripts. It is reported that cURL allows malicious users to bypass "open_basedir" restrictions in PHP scripts. This issue is due to a failure of the cURL module to properly enforce PHP's "open_basedir" restriction. "open_basedir" is a configuration directive in PHP that is designed to enforce a restriction on the directory that PHP scripts are allowed to open, read, or write files from. For example, setting the "open_basedir" variable to "/var/www", then requesting PHP scripts to open files outside of "/var/www" results in an error. Users with the ability to create or modify PHP scripts on a server computer hosting the vulnerable software can reportedly exploit this vulnerability to bypass the "open_basedir" restriction, and access arbitrary files with the privileges of the Web server. This may aid them in further attacks. PHP Safedir Restriction Bypass Vulnerabilities (QID 12201) CVE-2005-3054, Bugtraq ID 15119 PHP is a general-purpose scripting language that is especially suited for Web development and can be embedded into HTML. The "safedir" directory restriction is a feature to limit access to a specific base directory. PHP is prone to multiple vulnerabilities that permit an attacker to bypass the "safedir" directory restriction. The "imagegif()", "imagepng()" and "imagejpeg()" functions, as part of the GD extension, permit an attacker to specify a full directory path to a local file. The "curl_init()" function is susceptible to directory traversal attacks. Information obtained may aid in further attacks against the affected system; other attacks are also possible. A local attacker can exploit this vulnerability to execute arbitrary files located on the vulnerable system and retrieve the contents of arbitrary files, all in the security context of the Web server process. PHP Update 4.4.1 and 5.1.0 Not Installed (QID 12205) CVE-2005-3388, PHP 4.4.1, PHP 5.1.0, Bugtraq ID 15248 Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 227

PHP is reported to be vulnerable to cross-site scripting attacks, bypass certain security restrictions, and potentially compromise a vulnerable system. An error where the "GLOBALS" array is not properly protected can be exploited to define global variables by sending a "multipart/form-data" POST request with a specially-crafted file upload field, or via a script calling the PHP function "extract()" or "import_request_variables()". An error in the handling of an unexpected termination in the "parse_str()" PHP function can be exploited to enable the "register_globals" directive for the current execution by, for example, triggering a memory_limit request shutdown in a script calling "parse_str()". Some unspecified input passed to the "phpinfo()" PHP function isn't properly sanitized before being returned to the user. This can be exploited via a script calling "phpinfo()" to execute arbitrary HTML and script code in a user's browser session in the context of an affected site. An integer overflow error in pcrelib may be exploited to cause memory corruption via a script calling a PHP function using the PCRE library where the regular expression can be controlled by the attacker.

Successful exploitation may allow execution of arbitrary code. Install vendor patch or upgrade PHP 4.x to version 4.4.1 (or later) or PHP 5.x to 5.1.0 (or later). For Red Hat (CVE-2005-3388): Red Hat Enterprise Linux 2.1: RHSA-2005:838 upgrades to version php-4.1.2-2.3 Red Hat Enterprise Linux 3: RHSA-2005:831 upgrades to version php-4.3.9-3.9 Red Hat Enterprise Linux 4: RHSA-2005:831 upgrades to version php-4.3.9-3.9

PHP MB_Send_Mail TO Argument Header Injection Vulnerability (QID 12219) CVE-2005-3883, Proposed 5.1 Release Announcement, Bugtraq ID 15571 PHP is susceptible to a header injection vulnerability when sending email. This issue is due to a failure of the application to properly sanitize user-supplied input of the "to" argument to the "mb_send_mail()" function. This argument may contain newline characters, allowing attackers to add arbitrary email headers to the resulting email message. The results of this vary depending on the meaning of the injected headers. This may allow attackers to utilize vulnerable Web applications as an anonymous email proxy. PHP Multiple Buffer Overflow Vulnerabilities (QID 12233) CVE-2006-5465, USN-375-1, Bugtraq ID 20879 Some vulnerabilities have been reported in PHP, which are caused due to boundary errors in the "htmlentities()" and "htmlspecialchars()" functions. A PHP application that uses these functions to process user-supplied input can be exploited to cause buffer overflows by passing specially-crafted data to the affected application.

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 228

These issues can be exploited by malicious people to cause a denial of service, or potentially compromise a vulnerable system. Install vendor patch or upgrade to PHP version 5.2.0 (or later). PHP Multiple Vulnerabilities May 2008 (QID 12249) CVE-2008-0599, CVE-2008-2050, CVE-2008-2051, RHSA-2008:0545, PHP 5.2.6, RHSA-2008-0544, RHSA2008-0546, Bugtraq ID 29009 PHP versions before 5.2.6 are prone to multiple security vulnerabilities, including: An unspecified error in the FastCGI SAPI An error in the processing of multibyte characters within the "escapeshellcmd()" and "escapeshellarg()" functions A vulnerability due to an error during path translation in cgi_main.c An error in cURL A boundary error in PCRE Successful exploits could allow an attacker to bypass security restrictions, cause a denial of service, and potentially execute code.

Install vendor update or upgrade to PHP Version 5.2.6 or greater. (Same recommendation as "PHP Update 5.2.6 Not Installed (QID 12258)".) For Red Hat: CVE-2008-0599, Not vulnerable. This issue did not affect the versions of PHP as shipped with Red Hat Enterprise Linux 2.1, 3, 4, or 5, and Red Hat Application Stack v1. For Red Hat Application Stack v2, issue was addressed via RHSA-2008-0505 (Red Hat Application Stack v2.1 security and enhancement update). CVE-2008-2050, Not Vulnerable: This issue does not affect the version of PHP shipped in Red Hat Enterprise Linux 2.1, 3, or 4. We do not consider this issue to be a security flaw for Red Hat Enterprise Linux 5 since no trust boundary is crossed. CVE-2008-2051: o Red Hat Enterprise Linux 2.1 RHSA-2008:0546 upgrades to version php-4.1.2-2.20 o Red Hat Enterprise Linux 3 RHSA-2008:0544 upgrades to php-4.3.9-3.22.12 o Red Hat Enterprise Linux 4 RHSA-2008:0545 upgrades to php-4.3.9-3.22.12 o Red Hat Enterprise Linux 5 RHSA-2008:0544 upgrades to php-4.3.9-3.22.12

PHP PHP_Binary Heap Information Leak Vulnerability (QID 12251) CVE-2007-1380, Bugtraq ID 22805 The PHP "php_binary" serialization handler is prone to a heap-information leak. A local attacker can exploit this issue to obtain sensitive information (such as heap offsets and canaries) that may aid in other attacks. Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 229

PHP msg_receive() Memory Allocation Integer Overflow Vulnerability (QID 12252) CVE-2007-1890, Bugtraq ID 23236 PHP is exposed to an integer overflow vulnerability because it fails to ensure that integer values aren't overrun. Attackers may exploit this issue to cause a buffer overflow and to corrupt process memory. PHP ext/filter Space Trimming Buffer Underflow Vulnerability (QID 12253) CVE-2007-1453, Bugtraq ID 22922 PHP is a computer scripting language, originally designed for producing dynamic Web pages. Attackers may exploit this issue to allow remote code execution. PHP Version 5.2.0 comes with a new memory manager which fails to perform boundary checks before copying user-supplied data to insufficiently sized memory buffers. PHP "rfc822_write_address()" Function Buffer Overflow Vulnerability (QID 12254) CVE-2008-2829, Php 5.2.7, Bugtraq ID 29829 PHP is prone to a buffer overflow vulnerability because it fails to perform boundary checks before copying user-supplied data to insufficiently sized memory buffers. php_imap.c in PHP 5.2.5, 5.2.6, 4.x, and other versions, uses obsolete API calls that allow contextdependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long IMAP request, which triggers an "rfc822.c legacy routine buffer overflow" error message, related to the rfc822_write_address function. (CVE-2008-2829). Exploitation of this issue may allow an attacker to execute arbitrary machine code in the context of the affected Web server. Failed attempts will likely cause a denial of service condition on the Web server. Affected Versions: PHP version 5.2.6 and earlier.

PHP "safe_mode" Multiple Security Bypass Vulnerabilities (QID 12255) CVE-2008-2666, CVE-2008-2665, Php 5.2.7, Bugtraq ID 29796, 29797 PHP is prone to multiple "safe_mode" restriction bypass vulnerabilities. Multiple directory traversal vulnerabilities in PHP 5.2.6 and earlier allow context-dependent attackers to bypass safe_mode restrictions by creating a subdirectory named http: and then placing ../ (dot dot slash) sequences in an http URL argument to the (1) chdir or (2) ftok function. (CVE-2008-2666). Directory traversal vulnerability in the posix_access function in PHP 5.2.6 and earlier allows remote attackers to bypass safe_mode restrictions via a .. (dot dot) in an http URL, which results in the URL Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 230

being canonicalized to a local filename after the safe_mode check has successfully run. (CVE-20082665). Successful exploitation would allow an attacker to determine the presence of files in unauthorized locations. Exploiting these issues allows attackers to obtain sensitive data that could be used in other attacks. Affected Versions: PHP version 5.2.6 and earlier.

PHP update 5.2.5 Not Installed (QID 12257) CVE-2007-4887, CVE-2007-4783, CVE-2007-4840, PHP 5.2.5 PHP is exposed to the following vulnerabilities. Various errors exist in the "htmlentities" and "htmlspecialchars" functions where partial multibyte sequences are not accepted. Various boundary errors exist in the "fnmatch()", "setlocale()", and "glob()" functions and can be exploited to cause buffer overflows. An error in the processing of the "mail.force_extra_parameters" directive within an ".htaccess" file which can be exploited to bypass the "safe_mode" directive. An error in the handling of variables can be exploited to overwrite values set in httpd.conf via the "ini_set()" function.

These vulnerabilities can be exploited by malicious people to bypass security restrictions. PHP Update 5.2.6 Not Installed (QID 12258) CVE-2008-0599*, CVE-2008-2050*, CVE-2008-2051*, CVE-2008-2107, CVE-2008-2108, PHP 5.2.6, Bugtraq ID 29009 * Discussed in "PHP Multiple Vulnerabilities May 2008 (QID 12249)" PHP is exposed to the following vulnerabilities. An unspecified error in the FastCGI SAPI can be exploited to cause a stack-based buffer overflow. An error in the processing of multibyte characters within the "escapeshellcmd()" and "escapeshellarg()" functions can be exploited to escape the inserted backslash or quote characters via certain multibyte characters. A vulnerability is caused due to an error during path translation in cgi_main.c. An error in cURL can be exploited to bypass the "safe_mode" directive. A boundary error in PCRE can potentially be exploited by malicious people to cause a denial of service or compromise a vulnerable system.

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 231

These vulnerabilities can be exploited by malicious users to bypass certain security restrictions, and potentially to cause a denial of service or to compromise a vulnerable system. Install vendor update or upgrade to PHP Version 5.2.6 or greater. This is the same recommendation as "PHP Multiple Vulnerabilities May 2008 (QID 12249).)". For Red Hat: CVE-2008-0599, CVE-2008-2050, and CVE-2008-2051 are discussed in "PHP Multiple Vulnerabilities May 2008 (QID 12249)." CVE-2008-2107: o Red Hat Enterprise Linux 2.1 RHSA-2008:0546 upgrades to version php-4.1.2-2.20 same as "PHP Multiple Vulnerabilities May 2008 (QID 12249)." CVE-2008-2108: o Red Hat Enterprise Linux 2.1 RHSA-2008:0546 upgrades to version php-4.1.2-2.20 same as "PHP Multiple Vulnerabilities May 2008 (QID 12249)."

PHP Multiple Vulnerabilities (QID 12259) CVE-2007-0905, CVE-2007-0906, CVE-2007-0907, CVE-2007-0908, CVE-2007-0909, CVE-2007-0910, CVE2007-0988, CVE-2007-1286, CVE-2007-1375, CVE-2007-1383, CVE-2007-1376, CVE-2007-1452, CVE2007-1454, CVE-2007-1824, CVE-2007-1825, CVE-2007-1884, CVE-2007-1887, CVE-2007-1888, CVE2007-1889, CVE-2007-1885, CVE-2007-1886, PHP 5.2.1, PHP 4.4.5, Bugtraq ID 23233 Several vulnerabilities have been reported in PHP. Affected Versions: PHP 5.2.0 and prior PHP 4.4.4 and prior

These vulnerabilities can be exploited by malicious people to disclose potentially sensitive information, bypass certain security restrictions, cause a denial of service, and potentially compromise a vulnerable system. PHP ZipArchive::extractTo() ".zip" Files Directory Traversal Vulnerability (QID 12267) CVE-2008-5658, Bugtraq ID 32625 PHP is an open-source scripting language used for Web development. The application is prone to a directory traversal vulnerability because the application fails to adequately sanitize user-supplied input. Specifically, the issue exists in the "ZipArchive::extractTo()" function when extracting a ".zip" archive file containing filenames with directory traversal strings. A successful attack may allow an attacker to create or overwrite arbitrary files on the system. This may allow execution of arbitrary script code in the context of the Web server. Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 232

Affected Versions: PHP Versions 5.2.6 and prior.

PHP Python Extension "safe_mode" Restriction Bypass Vulnerability (QID 12269) Bugtraq ID 32902 PHP is a general purpose scripting language that is especially suited for Web development and can be embedded into HTML. PHP is prone to a "safe_mode" restriction bypass vulnerability when the python extension in enabled. Specifically, this is caused by "safe_mode" failing to properly restrict python code embedded within PHP code. Successful exploits could allow an attacker to execute arbitrary code. Affected Versions: PHP "mbstring" Extension Buffer Overflow Vulnerability (QID 12270) CVE-2008-5557 PHP is a general purpose scripting language that is especially suited for Web development and can be embedded into HTML. The "mbstring" extension provides functions for the manipulation of Unicode strings. PHP is prone to a heap-based buffer overflow vulnerability because it fails to perform boundary checks before copying user-supplied data to insufficiently sized memory buffers. The vulnerability occurs in "mbstring" extension. Specifically, the issue presents itself when decoding strings that contain HTML entities into Unicode strings. It is possible to bypass bound-checking for the heap buffers due to a flaw in a way the decoder handles error conditions. This functionality is used in various "mbstring" functions. Some of the vectors to transfer malicious input include: "mb_convert_encoding()" "mb_check_encoding()" "mb_convert_variables()" "mb_parse_str()"

An attacker can exploit this issue to run arbitrary machine code in the context of the affected webserver. Failed exploit attempts will likely crash the Web server, denying service to legitimate users. Affected Versions: PHP Versions 4.3.0 through 5.2.6.

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 233

PHP 'popen()' Function Buffer Overflow Vulnerability (QID 12271) CVE-2009-3294, PHP 5.2.11 Release Notes, PHP 5.3.1 Release Notes, Bugtraq ID 33216 PHP is a general purpose scripting language that is especially suited for web development and can be embedded into HTML. The "popen" function opens a pipe to the program specified in the command parameter. PHP is prone to a buffer overflow vulnerability that occurs in the "popen" function because it fails to perform adequate boundary checks before copying user-supplied data to insufficiently sized memory buffers. This issue can be exploited by passing a large string to the "mode" argument of the function. If this vulnerability is successfully exploited, a malicious user can execute arbitrary machine code in the context of the affected Web server. Failed attempts cause denial of service attacks by crashing the Web server. Affected Versions: PHP Version 5.2.x prior to 5.2.11 PHP Version 5.3.x prior to 5.3.1

PHP "dba_replace()" File Corruption Vulnerability (QID 12272) CVE-2008-7068 PHP is a general-purpose scripting language that is especially suited for web development and can be embedded into HTML. The "dba_replace" function allows replacing or insertion of entries. PHP is prone to a database file corruption vulnerability that is caused due to improper input validation. The problem occurs when performing actions on a Berkely DB style database with the "dba_replace()" function. Specifically, the function does not filter strings keys and/or values failing to properly validate the "key" before performing actions on the database. An attacker that can control the "key" value can cause the database to be truncated or cause arbitrary destruction of files. If this vulnerability is successfully exploited, attackers can cause corruption of the database files resulting in loss of data. Successful attempts may also lead to denial of service for legitimate users. Affected Versions: PHP Version 5.2.6 and prior.

PHP "mbstring.func_overload" Webserver Denial of Service Vulnerability (QID 12273) Bugtraq ID 33542 The "mbstring.func_overload" PHP directive in php.ini is used to overload a set of single byte functions. A denial of service vulnerability exists in PHP because the global scope for "mbstring_func.overload" directive related to unicode text operations is not set appropriately when it is used in a virtual server. Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 234

When "mbstring.func_overload" is set to 7 in a .htaccess file, it causes the setting to be set globally for the Web server breaking most unicode text operations and hampering other sites hosted by the Web server. If this vulnerability is successfully exploited, it will allow malicious users to crash the affected Web server causing a denial of service. Affected Versions: PHP Version 5.2.5 and prior.

PHP 5.2.8 and Prior Versions Multiple Vulnerabilities (QID 12276) CVE-2009-1271, CVE-2009-1272, PHP 5.2.9 Release Notes, Bugtraq 33927 PHP is a general-purpose scripting language that is especially suited for Web development and can be embedded into HTML. The following security issues have been identified: A denial of service issue occurs when the application tries to extract zip archives that contain files or directory entry names with a relative path. An unspecified security issue affects the application when an empty string is parsed. A denial of service issue occurs in the application when a maliciously crafted string is provided as an input to the "json_decode()" function. A security issue occurs in the "imagerotate()" function because the background color is not validated correctly with a non truecolor image.

Exploiting some of these issues depends on the configuration of the application employing the vulnerable PHP version. To exploit some of these issues, an attacker may need to have local access; for other issues, the attacker can use a browser. Exploitation can lead to a denial of service condition. Affected Versions: PHP Version 5.2.8 and prior.

PHP cURL "safe_mode" and "open_basedir" Restriction Bypass Vulnerability (QID 12281) Bugtraq ID 34475 PHP is a scripting language that is suited for Web development and can be embedded into HTML. PHP is prone to a security vulnerability that allows an attacker to bypass restrictions because of improper checking of arguments to cURL functions "safe_mode" and "open_basedir". An attacker can exploit this flaw by prefixing a file location with "file:/" in combination with a specially crafted virtual tree to bypass access restrictions to view files without authorization.

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 235

This vulnerability would be an issue in shared-hosting configurations where multiple users can create and execute arbitrary PHP script code, with the "safe_mode" and "open_basedir" restrictions are used to isolate the users from each other. Successful exploitation of this vulnerability could allow disclosure of sensitive information by exposing files that are not normally accessible. Affected Versions: PHP Version 5.2.9 and prior.

PHP Versions Prior to 5.2.12 Multiple Vulnerabilities (QID 12318) CVE-2009-3557, CVE-2009-3558, CVE-2009-4017, CVE-2009-4142, CVE-2009-4143, PHP 5.2.12 Release Notes PHP is a general purpose scripting language that is especially suited for Web development and can be embedded into HTML. The following vulnerabilities exist in PHP: An error in "tempnam()" can be exploited to bypass the "safe_mode" feature. An error in "posix_mkfifo()" can be exploited to bypass the "open_basedir" feature. An error within the processing of form-based file uploads can be exploited to cause a DoS by sending specially crafted requests. Errors related to a insufficient protection of $_SESSION against interrupt corruption and a weak "session.save_path" check have unknown impacts. The "htmlspecialchars()" function does not properly sanitize certain input, which can be exploited to conduct cross-site scripting attacks.

Successfully exploiting these issue may allow remote attackers to bypass certain security restrictions or to conduct cross-site scripting attacks and cause a denial of service. Affected Versions: PHP version 5.2.x prior to 5.2.12 PHP version 5.3.x prior to 5.3.1

PHP "spl_object_storage_attach" Use-After-Free Vulnerability (QID 12378) CVE-2010-2225, PHP 5.3.3 Release Notes, PHP 5.2.14 Release Notes PHP is a general purpose scripting language that is especially suited for Web development and can be embedded in HTML. PHP is prone to a vulnerability that is caused by a use-after-free error within the "spl_object_storage_attach()" function, which can be exploited by inserting the same object twice.

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 236

If this vulnerability is successfully exploited, attackers can get potentially sensitive information and compromise a vulnerable system. Affected Versions: PHP version 5.2.x prior to 5.2.14 PHP version 5.3.x prior to 5.3.3

phpMyAdmin Backtrace Cross-Site Scripting Vulnerability (QID 12409) CVE-2010-3056, PMASA-2010-6 phpMyAdmin is a free software tool written in PHP intended to handle the administration of MySQL over the Internet. phpMyAdmin is prone to a cross-site scripting vulnerability because certain unspecified input is not properly sanitized before being returned to the user via debug messages in a backtrace. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site. Successful exploitation allows attackers to conduct cross-site scripting attacks. Affected Versions: phpMyAdmin 3.3.6 and prior.

phpMyAdmin Database Search Cross-Site Scripting Vulnerability (QID 12456) CVE-2010-4329, PMASA-2010-8 PhpMyAdmin is a free software tool written in PHP intended to handle the administration of MySQL over the Internet. PhpMyAdmin is prone to cross-site scripting vulnerability because certain input passed to the database search script is not properly sanitized before being returned to the user. Successful exploitation allows malicious people to conduct cross-site scripting attacks. Affected Versions: PhpMyAdmin Versions prior to 2.11.11.1 PhpMyAdmin Versions 3.x prior to 3.3.8.1

PhpMyAdmin Multiple Vulnerabilities (QID 12473) CVE-2010-4480, CVE-2010-4481, PMASA-2010-9, PMASA-2010-10 PhpMyAdmin is a free software tool written in PHP intended to handle the administration of MySQL over the Internet. PhpMyAdmin is prone to the following vulnerabilities:

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 237

phpMyAdmin fails to validate BBcode tags in user input of error.php (CVE-2010-4480) Unauthenticated user is able to display phpinfo output if phpMyAdmin was enabled to show it. (CVE-2010-4481)

The vulnerability allows remote attackers to conduct cross-site scripting attacks via a crafted BBcode tag containing @ characters and to bypass authentication and obtain sensitive information via a direct request to phpinfo.php, which calls the phpinfo function Affected Versions: phpMyAdmin prior to 3.4.0-beta1.

PHP Buffer Overflow Vulnerability (QID 12514) CVE-2011-1938 PHP is a general purpose scripting language that is especially suited for Web development and can be embedded in HTML. Stack-based buffer overflow in the socket_connect function in ext/sockets/sockets.c might allow context-dependent attackers to execute arbitrary code via a long pathname for a UNIX socket. By exploiting this vulnerability, context-dependent attackers can execute arbitrary code via a long pathname for a UNIX socket. Affected Versions: PHP 5.3.3 through 5.3.6.

PHP "proc_open()" Environment Parameter Safe Mode Restriction-Bypass Vulnerability (QID 116092) Bugtraq ID 32717 PHP is a general purpose scripting language that is especially suited for Web development and can be embedded into HTML. PHP is prone to a "safe_mode" restriction bypass vulnerability. Specifically, this issue is caused by the "env" parameter to the "proc_open()" function overriding the "safe_mode_exec_dir" directive. A malicious PHP script may exploit this issue to load arbitrary shared libraries via the "LD_PRELOAD" environment variable, bypassing "safe_mode_exec_dir" restrictions. An attacker able to place shared library code in a readable location may exploit this issue to execute this code through a malicious PHP script. This vulnerability would be an issue in shared-hosting configurations where multiple users can create and execute arbitrary PHP script code, with the "safe_mode" restrictions assumed to isolate the users from each other. Affected Versions: Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 238

PHP Version 5.2.8 on Linux.

PHP Multiple Buffer Overflow Vulnerabilities (QID 116063) CVE-2008-5624, CVE-2008-5625, CVE-2008-3658, CVE-2008-3659, CVE-2008-2666, CVE-2008-2665, CVE2008-3660, CVE-2008-2829, PHP 4.4.9, PHP 5.2.8, Bugtraq ID 30649 PHP is prone to multiple buffer overflow vulnerabilities. The system is vulnerable to the following issues: A buffer overflow in the imageloadfont function in ext/gd/gd.c (CVE-2008-3658) A buffer overflow inside memnstr function(CVE-2008-3659) Multiple directory traversal vulnerabilites(CVE-2008-2665,CVE-2008-2666) A denial of service when multiple dots preceding the extension (CVE-2008-3660) An IMAP toolkit crash: rfc822.c legacy routine buffer overflow (CVE-2008-2829) Allows attackers to bypass safe_mode restrictions (CVE-2008-5624) Allows attackers to write to arbitrary files by placing a 'php_value error_log' entry in a .htaccess file. (CVE-2008-5625)

Exploiting this vulnerability may result in a compromise of the underlying system. Failed attempts may lead to denial of service. Affected Versions: PHP Version 4.x prior to 4.4.9. PHP Version 5.x prior to 5.2.8.

POP3 Server Allows Plain Text Authentication Vulnerability (QID 74224)


Post Office Protocol version 3 (POP3) is an application layer internet standard protocol to retrieve e-mail from a remote server. Use of the PASS command sends passwords in the clear over the network. Also, servers that answer ERR to the User command are giving potential attackers clues about which names are valid. Malicious users could obtain mail server credentials by sniffing the traffic. This can allow unauthorized users to use the mail server as an open mail relay. POP3 supports several authentication methods to provide varying levels of protection. Contact your vendor for further configuration information. This vulnerability is confirmed by exploiting the vulnerability.

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 239

Ports
Hidden RPC Services (QID 11) The Portmapper/Rpcbind listens on port 111 and stores an updated list of registered RPC services running on the server (RPC name, version and port number). It acts as a "gateway" for clients wanting to connect to any RPC daemon. When the portmapper/rpcbind is removed or firewalled, standard RPC client programs fail to obtain the portmapper list. However, by sending carefully crafted packets, it's possible to determine which RPC programs are listening on which port. This technique is known as direct RPC scanning. It's used to bypass portmapper/rpcbind in order to find RPC programs running on a port (TCP or UDP ports). On Linux servers, RPC services are typically listening on privileged ports (below 1024), whereas on Solaris, RPC services are on temporary ports (starting with port 32700). Unauthorized users can build a list of RPC services running on the host. If they discover vulnerable RPC services on the host, they then can exploit them. Firewalling the portmapper port or removing the portmapper service is not sufficient to prevent unauthorized users from accessing the RPC daemons. You should remove all RPC services that are not strictly required on this host. This vulnerability is confirmed by enumerating RPC services remotely, for example: Name status ttdbserver portmap/rpcbind nlockmgr status rpc.cmsd Program 100024 100083 100000 100021 100024 100068 Version 1 1 2-4 1-4 1 2-5 Protocol tcp tcp tcp tcp udp udp Port 32779 32795 111 4045 32772 32783

Potential TCP Backdoor (QID 1004) There are known backdoors that use specific port numbers. At least one of these ports was found open on this host. This may indicate the presence of a backdoor; however, it's also possible that this port is being used by a legitimate service, such as a Unix or Windows RPC. If a backdoor is present on your system, then unauthorized users can log in to your system undetected, execute unauthorized commands, and leave the host vulnerable to other unauthorized users. Malicious users may also use your host to access other hosts and perform a coordinated Denial of Service attack. Some well-known backdoors are "BackOrifice", "Netbus" and "Netspy". You should be able to find more information on these backdoors on the CERT Coordination Center's Web site (www.cert.org) (http://www.cert.org). There is no exploitability information for this vulnerability.

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 240

If the tcp port 7000 is open, it may indicate the presence of a "VDO-Live" backdoor. If the tcp port 1045 is open, it may indicate the presence of a "Rasmin" backdoor. If the tcp port 33270 is open, it may indicate the presence of a "Trinity" backdoor.

The mitigation measure begins with explaining the ports. In fact, you should have all of your open ports documented. Investigate why the port is open. Ident Service (Potential Bot/Zombie) Detected (QID 1164) The host was found to have the ident service running on port 113. This service allows a remote server to connect back to the client's ident port and query for information about the ownership of the particular client port. Typically, the server uses this information for logging purposes. This service is commonly used by IRC servers to log clients while connecting to IRC channels. Further, attackers frequently use the concept of botnets connected to IRC channels to control a large number of compromised zombie hosts this way. To spoof bogus information to the IRC server, attackers typically install a fake ident service on the compromised host. The host could very well be such a compromised zombie, controlled by a remote attacker via an IRC botnet. Qualys reports "No results available" ident service running on port 113. Investigate why the port is open. Port 113 Service Ident

FireWall-1 Administration Ports (34002) Administration ports of "FireWall-1" were detected as "open" on this host. Unauthorized users can exploit this information to implement specific attacks against this machine. The presence of the firewall indicates that there is a network behind it. For this reason, unauthorized users will often start by checking for a firewall before implementing an attack. Contact your local vendor about silencing your firewall. A good solution would be to filter the TCP ports 257, 258, 259 and 900 on the external interface. This vulnerability is confirmed by detecting the following ports: Port 18183 18184 Service FireWall-1 Administration FireWall-1 Administration

UDP Test-Services (QID 38002) CVE-1999-0103 This system is running UDP services, which are generally used for networking testing purposes only. We recommend that no information be disclosed (even the current server time). Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 241

Moreover, on older Operating Systems, echo and chargen, or other combinations of UDP services, can be used in tandem to flood the server. This can be accomplished with attacks like UDP bombs or UDP packet storms. By exploiting this vulnerability, unauthorized users can gather information about the server or cause a Denial of Service, depending on the TCP/IP stack being run. Disable all UDP services that are not required on the server. Port Service 7 Echo 9 Discard 13 Daytime 17 Quote of the day 19 Chargen 37 Time Note: Qualys will often report that the operating system could not be determined and then report the operating system when this vulnerability is reported. For example, "Detected service chargen_udp and os Solaris 9-11".

Python expat Module UTF-8 Denial of Service Vulnerability (QID 116581)


CVE-2009-3720, CVE-2009-3560, Oracle ID 1021686.1, Bugtraq ID 35988 Python is a dynamic programming language. A vulnerability is reported in Python that is caused by the use of vulnerable expat code within the expat module. An error exists in the expat module when parsing certain UTF-8 sequences. An attacker can exploit this issue to crash an application using the library. Successful exploitation could allow an attacker to cause a denial of service. Affected Versions: Python Version 2.6.x series. Python Version 3.x series.

For Solaris, refer to Oracle ID 1021686.1 for further information. Install vendor update or upgrade to Python 3.1.1 or later to resolve this vulnerability. This vulnerability is confirmed by "2.4.4 (1, Jan 10 2007, 01:25:01) [C]".

Quate CMS Vulnerabilities


Quate CMS Multiple Cross-Site Scripting (XSS) Vulnerabilities (QID 12262) QuateCMS, Bugtraq 30570

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 242

Quate CMS is prone to multiple cross-site scripting vulnerabilities because it fails to adequately sanitize user-supplied input. An attacker may leverage these issues to have arbitrary script code execute in the browser of an unsuspecting user in the context of the affected site. This may help the attacker steal cookie-based authentication credentials and launch other attacks. Affected Versions: Quate CMS Version 0.3.4 is vulnerable. Other versions may also be affected.

This vulnerability is confirmed by exploiting the vulnerability. cms/admin/includes/themes/default/header.php?page_header=<script>alert(document.domai n)</script>

Radius Vulnerabilities
Multiple Vendor Radius Short Vendor-Length Field Denial of Service Vulnerability (QID 38119) CVE-2001-1377, Bugtraq ID 4230 RADIUS is the RFC 2865-specified Remote Authentication Dial In User Service. The protocol was developed and implemented by numerous vendors, and used on Microsoft Windows, Unix, and Linux operating systems. A problem with the protocol implementation could make it possible for remote users to deny service to legitimate users of the service. The problem is in the handling of short Vendor-Length fields. The specification of the RADIUS protocol allows for the use of vendor-specific options. These options may be designed for specific vendor implementations of the RADIUS protocol, and may not be compatible with implementations by other vendors. When a RADIUS packet is passed to a client or server, neither the client nor server validates the contents of the vendor-length field. When a RADIUS packet with a vendor-length specification of less than 2 is sent, the contents of the vendor-length field is interpreted as a negative number. This number may be passed to other functions of the RADIUS server or client, resulting in an unpredictable reaction, and a likely crash of the server or client. By exploiting this vulnerability, a remote user can supply a maliciously crafted RADIUS packet and deny service to legitimate users of the service. Affected Versions:

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 243

Red Hat Vulnerabilities


Red Hat XFree86 Security Update (QID 115400) CVE-2006-3467, RHSA-2006:0635 XFree86 is an implementation of the X Window System, which provides the core functionality for the Linux graphical desktop. It is exposed to a integer overflow issue. This is due to improper handling of PCF files. A malicious authorized client could exploit this issue to cause a denial of service (crash) or potentially execute arbitrary code with root privileges on the XFree86 server. Red Hat (CVE-2006-3467): Red Hat Enterprise Linux 2.1 (freetype) RHSA-2006:0500 freetype-2.0.3-8.rhel2_1.2 (superseded by RHSA-2009:1062 freetype-2.0.3-17.el21) Red Hat Enterprise Linux 2.1 (XFree86) RHSA-2006:0635 XFree86-4.1.0-76.EL (superseded by RHSA-2008:0512 XFree86-4.1.0-88.EL) Red Hat Enterprise Linux 3 (freetype) RHSA-2006:0500 freetype-2.1.4-4.0.rhel3.2 (superseded by RHSA-2010:0736 freetype-2.1.4-18.el3) Red Hat Enterprise Linux 3 (XFree86) RHSA-2006:0635 XFree86-4.3.0-111.EL (superseded by RHSA-2008:0502 XFree86-4.3.0-128.EL) Red Hat Enterprise Linux 4 (freetype) RHSA-2006:0500 freetype-2.1.9-1.rhel4.4 (superseded by RHSA-2011:1455 freetype-2.1.9-21.el4) Red Hat Enterprise Linux 4 (xorg-x11) RHSA-2006:0634 xorg-x11-6.8.2-1.EL.13.37 (superseded by RHSA-2011:1360 xorg-x11-6.8.2-1.EL.70)

Red Hat XFree86 Security Update (QID 115411) CVE-2006-3739, CVE-2006-3740, RHSA-2006:0666 XFree86 is an implementation of the X Window System, which provides the core functionality for the Linux graphical desktop. XFree86 server is exposed to a couple of integer overflows. A malicious authorized client could exploit this issue to cause a denial of service (crash) or potentially execute arbitrary code with root privileges on the vulnerable machine. Red Hat (CVE-2006-3739): Red Hat Enterprise Linux 2.1 RHSA-2006:0666 XFree86-4.1.0-77.EL (superseded by RHSA2008:0512 XFree86/4.1.0-88.EL) Red Hat Enterprise Linux 3 RHSA-2006:0666 XFree86-4.3.0-113.EL (superseded by RHSA2008:0502 XFree86/4.3.0-128.EL) Red Hat Enterprise Linux 4 RHSA-2006:0665 xorg-x11-6.8.2-1.EL.13.37.2 (superseded by RHSA2011:1360 xorg-x11-6.8.2-1.EL.70)

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 244

Red Hat PHP Security Update (QID 115429) CVE-2006-4812, RHSA-2006:0708, Bugtraq ID 20349 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. PHP on Red Hat systems is exposed to an integer overflow issue due to improper handling of malformed PHP files. The integer overflow was discovered in the PHP memory handling routines. By successfully exploiting this vulnerability, a remote attacker sending a carefully-crafted request could execute arbitrary code as the "apache" user. For Red Hat (CVE-2006-4812): Red Hat Enterprise Linux 2.1 (php) RHSA-2006:0708 php-4.1.2-2.12 (superseded by RHSA2008:0546 php-4.1.2-2.20) Red Hat Enterprise Linux 3 php is not vulnerable. Red Hat Enterprise Linux 4 php is not vulnerable. Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Red Hat PHP Security Update (QID 115517) CVE-2007-0906, CVE-2007-0907, CVE-2007-0908, CVE-2007-0909, CVE-2007-0910, CVE-2007-0988, CVE2007-1380, CVE-2007-1701, CVE-2007-1825, RHSA-2007:0081 PHP is an HTML-embedded scripting language commonly used with the Apache HTTP Web server. It is exposed to multiple security issues. A number of buffer overflow flaws were found in the PHP session extension, the str_replace() function, and the imap_mail_compose() function. If very long strings are passed to the str_replace() function, an integer overflow could occur in memory allocation. If a script uses the imap_mail_compose() function to create a new MIME message based on an input body from an untrusted source, it could result in a heap overflow. An attacker with access to a PHP application affected by any these issues could trigger the flaws and possibly execute arbitrary code as the "apache" user. (CVE-2007-0906) When unserializing untrusted data on 64-bit platforms, the zend_hash_init() function could be forced into an infinite loop, consuming CPU resources for a limited time, until the script timeout alarm aborts execution of the script. (CVE-2007-0988) If the wddx extension is used to import WDDX data from an untrusted source, certain WDDX input packets could expose a random portion of heap memory. (CVE-2007-0908) If the odbc_result_all() function is used to display data from a database, and the database table contents are under an attacker's control, a format string vulnerability is possible which could allow arbitrary code execution. (CVE-2007-0909) A one byte memory read always occurs before the beginning of a buffer. This could be triggered, for example, by any use of the header() function in a script. However it is unlikely that this would have any effect. (CVE-2007-0907)

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 245

Several flaws in PHP could allow attackers to "clobber" certain super global variables via unspecified vectors. (CVE-2007-0910)

A remote attacker can execute arbitrary code on the victim machine. For Red Hat (CVE-2007-0906, CVE-2007-0907, CVE-2007-0908, CVE-2007-0909, CVE-2007-0910, CVE2007-0988, CVE-2007-1380, CVE-2007-1701, CVE-2007-1825): Red Hat Enterprise Linux 2.1 (php) RHSA-2007:0081 php-4.1.2-2.14 (superseded by RHSA2008:0546 php-4.1.2-2.20) Red Hat Enterprise Linux 3 (php) RHSA-2007:0076 php-4.3.2-39.ent (superseded by RHSA2010:0040 php-4.3.2-54.ent) Red Hat Enterprise Linux 4 (php) RHSA-2007:0076 php-4.3.9-3.22.3 (superseded by RHSA2010:0919 php-4.3.9-3.31) Red Hat Enterprise Linux 5 (php) RHSA-2007:0082 php-5.1.6-7.el5 (superseded by RHSA2010:0919 php-5.1.6-27.el5_5.3)

Red Hat gnupg Security Update (QID 115524) CVE-2007-1263, RHSA-2007:0106 GnuPG is a utility for encrypting data and creating digital signatures. GnuPG is prone to a vulnerability involving incorrect verification of signatures and encryption. An attacker could add arbitrary content to a signed message in such a way that a receiver of the message would not be able to distinguish between the properly signed parts of a message and the forged, unsigned parts. For Red Hat (CVE-2007-1263): Red Hat Enterprise Linux 2.1 (gnupg) RHSA-2007:0106 gnupg-1.0.7-21 Red Hat Enterprise Linux 3 (gnupg) RHSA-2007:0106 gnupg-1.2.1-20 Red Hat Enterprise Linux 4 (gnupg) RHSA-2007:0106 gnupg-1.2.6-9 Red Hat Enterprise Linux 5 (gnupg) RHSA-2007:0107 gnupg-1.4.5-13

Red Hat gzip Security Update (QID 115418) CVE-2006-4334, CVE-2006-4335, CVE-2006-4336, CVE-2006-4337, CVE-2006-4338, RHSA-2006:0667 The gzip package contains the GNU gzip data compression program. gzip is exposed to a denial of service issue. This is due to improper handling of a malformed archive. By enticing an unsuspecting user into clicking a malicious link, an attacker is able to cause the gzip executable to hang or crash. For Red Hat (CVE-2006-4334, CVE-2006-4335, CVE-2006-4336, CVE-2006-4337, CVE-2006-4338): Red Hat Enterprise Linux 2.1 (gzip) RHSA-2006:0667 gzip-1.3-19.rhel2

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 246

Red Hat Enterprise Linux 3 (gzip) RHSA-2006:0667 gzip-1.3.3-13.rhel3 (superseded by RHSA2010:0061 gzip-1.3.3-15.rhel3) Red Hat Enterprise Linux 4 (gzip) RHSA-2006:0667 gzip-1.3.3-16.rhel4 (superseded by RHSA2010:0061 gzip-1.3.3-18.el4_8.1)

Red Hat qt Security Update (QID 115450) CVE-2006-4811, RHSA-2006:0725, Bugtraq ID 20599 Qt is a software toolkit that simplifies the task of writing and maintaining GUI (Graphical User Interface) applications for the X Window System. An integer overflow flaw was found in the way Qt handled certain pixmap images. If an application linked against Qt created a pixmap image in a certain way, it could lead to a denial of service or possibly allow the execution of arbitrary code. These issues may permit attackers to execute arbitrary code, which can facilitate the compromise of an affected computer, or cause a denial of service condition to legitimate users of the application. For Red Hat (CVE-2006-4811): Red Hat Enterprise Linux 2.1 (kdelibs) RHSA-2006:0720 kdelibs-2.2.2-21.EL2 Red Hat Enterprise Linux 2.1 (qt) RHSA-2006:0725 qt-2.3.1-12.EL2 (superseded by RHSA2007:0883 qt-2.3.1-14.EL2) Red Hat Enterprise Linux 3 (kdelibs) RHSA-2006:0720 kdelibs-3.1.3-6.12 (superseded by RHSA2009:1128 kdelibs-3.1.3-6.13) Red Hat Enterprise Linux 3 (qt) RHSA-2006:0725 qt-3.1.2-14.RHEL3 (superseded by RHSA2007:0883 qt-3.1.2-17.RHEL3) Red Hat Enterprise Linux 4 (kdelibs) RHSA-2006:0720 kdelibs-3.3.1-6.RHEL4 (superseded by RHSA-2011:1385 kdelibs-3.3.1-18.el4) Red Hat Enterprise Linux 4 (qt) RHSA-2006:0725 qt-3.3.3-10.RHEL4 (superseded by RHBA2009:0026 qt-3.3.3-16.el4) Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Red Hat texinfo Security Update (QID 115456) CVE-2005-3011, CVE-2006-4810, RHSA-2006:0727 Texinfo is a documentation system that can produce both online information and printed output from a single source file. A buffer overflow flaw was found in Texinfo's "texindex" command. An attacker could construct a carefully crafted Texinfo file that could cause "texindex" to crash or possibly execute arbitrary code when opened. (CVE-2006-4810) A flaw was found in the way Texinfo's "texindex" command creates temporary files. A local user could leverage this flaw to overwrite files the user executing "texindex" has write access to. (CVE-2005-3011)

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 247

A local attacker can execute arbitrary code on the vulnerable machine. For Red Hat (CVE-2005-3011): Red Hat Enterprise Linux 2.1 (texinfo) RHSA-2006:0727 texinfo-4.0b-3.el2.1 Red Hat Enterprise Linux 3 (texinfo) RHSA-2006:0727 texinfo-4.5-3.el3.1 Red Hat Enterprise Linux 4 (texinfo) RHSA-2006:0727 texinfo-4.7-5.el4.2

Red Hat tar Security Update Not Installed (QID 115482) CVE-2006-6097, RHSA-2006:0749 The GNU tar program saves many files together in one archive and can restore individual files (or all of the files) from that archive. A path traversal flaw exists in the way GNU tar extracts archives. A malicious user can create a tar archive that could write to arbitrary files, to which the user running GNU tar has write access. For Red Hat (CVE-2006-6097): Red Hat Enterprise Linux 2.1 (tar) RHSA-2006:0749 tar-1.13.25-6.AS21.1 Red Hat Enterprise Linux 3 (tar) RHSA-2006:0749 tar-1.13.25-15.RHEL3 (superseded by RHSA2010:0142 1.13.25-16.RHEL3) Red Hat Enterprise Linux 4 (tar) RHSA-2006:0749 tar-1.14-12.RHEL4 (superseded by RHSA2010:0141 tar-1.14-13.el4_8.1)

Red Hat unzip Security Update (QID 115759) CVE-2008-0888, RHSA-2008-0196 A security vulnerability exists in the unzip utility due to an invalid pointer error. This vulnerability could allow the attacker to execute arbitrary code when a user runs unzip on a specially-crafted file. For Red Hat (CVE-2008-0888): Red Hat Enterprise Linux 2.1 (unzip) RHSA-2008:0196 5.50-31.EL2.1 Red Hat Enterprise Linux 3 (unzip) RHSA-2008:0196 5.50-36.EL3

Red Hat libtiff Security Update (QID 115915) CVE-2008-2327, RHSA-2008-0863 Multiple uses of uninitialized values were discovered in libtiff's Lempel-Ziv-Welch (LZW) compression algorithm decoder. An attacker could create a carefully crafted LZW-encoded TIFF file that would cause an application linked with libtiff to crash, or possibly execute arbitrary code. For Red Hat (CVE-2008-2327): Red Hat Enterprise Linux 2.1 (libtiff) RHSA-2008:0863 libtiff-3.5.7-31.el2 Red Hat Enterprise Linux 3 (libtiff) RHSA-2008:0863 libtiff-3.5.7-31.el3 Page 248

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Red Hat Enterprise Linux 4 (libtiff) RHSA-2008:0848 libtiff-3.6.1-12.el4_7.2 (superseded by RHSA2011:0392 libtiff-3.6.1-18.el4) Red Hat Enterprise Linux 5 (libtiff) RHSA-2008:0847 libtiff-3.8.2-7.el5_2.2 (superseded by RHSA2011:0392 libtiff-3.8.2-7.el5_6.7)

Red Hat Update for Lynx (QID 116015) CVE-2006-7234, CVE-2008-4690, RHSA-2008-0965 Lynx is a text-based Web browser. An arbitrary command execution flaw was found in the Lynx "lynxcgi:" URI handler. It's possible for an attacker to create a Web page redirecting to a malicious URL which results in executing arbitrary code as the user running Lynx in the non-default "Advanced" user mode. (CVE-20084690) A flaw was found in a way Lynx handles ".mailcap" and ".mime.types" configuration files. Files in the browser's current working directory were opened before those in the user's home directory. A local attacker, able to convince a user to run Lynx in a directory under their control, could possibly execute arbitrary commands as the user running Lynx. (CVE-2006-7234)

These vulnerabilities can be exploited by malicious, local users to gain escalated privileges. For Red Hat (CVE-2006-7234, CVE-2008-4690): Red Hat Enterprise Linux 2.1 (lynx) RHSA-2008:0965 lynx-2.8.4-18.1.3 Red Hat Enterprise Linux 3 (lynx) RHSA-2008:0965 lynx-2.8.5-11.3 Red Hat Enterprise Linux 4 (lynx) RHSA-2008:0965 lynx-2.8.5-18.2.el4_7.1 Red Hat Enterprise Linux 5 (lynx) RHSA-2008:0965 lynx-2.8.5-28.1.el5_2.1

Red Hat and Solaris libxml2 Security Update (QID 116048) CVE-2008-4225, CVE-2008-4226, RHSA-2008-0988, Sun Alert ID 251406 (Oracle ID 1020044.1), Bugtraq ID 32331 libxml2 is a library for parsing and manipulating XML files. It includes support for reading, modifying, and writing XML and HTML files. An integer overflow flaw that can cause a heap-based buffer overflow exists in the libxml2 XML parser. Sun has acknowledged two vulnerabilities in libxml2 in Solaris: The first issue is an integer overflow in the xmlBufferResize() libxml2 function. The second issue is an integer overflow in the xmlSAX2Characters() libxml2 function.

Red Hat Advisory states: An integer overflow flaw causing a heap-based buffer overflow was found in the libxml2 XML parser. Page 249

Vulnerability Remediation Synopsis version 0.4Russ Klanke

A denial of service flaw was discovered in the libxml2 XML parser.

If an application links against libxml2 processes untrusted, malformed XML content, it could cause the application to crash or execute arbitrary code. If exploited by malicious people, it can cause a Denial of Service or potentially to compromise an application using the library. For Red Hat (CVE-2008-4225, CVE-2008-4226): Red Hat Enterprise Linux 2.1 (libxml2) RHSA-2008:0988 libxml2-2.4.19-12.ent Red Hat Enterprise Linux 3 (libxml2) RHSA-2008:0988 libxml2-2.5.10-14 (superseded by RHSA2009:1206 libxml2-2.5.10-15) Red Hat Enterprise Linux 4 (libxml2) RHSA-2008:0988 libxml2-2.6.16-12.6 (superseded by RHBA2010:0662 libxml2-2.6.16-12.8) Red Hat Enterprise Linux 5 (libxml2) RHSA-2008:0988 libxml2-2.6.26-2.1.2.7 (superseded by RHBA-2011:1416 libxml2-2.6.26-2.1.12.el5_7.1)

For Sun Solaris: To resolve this vulnerability, upgrade to the latest packages which contain a patch. Refer to Oracle ID 1020044.1 to address this issue and obtain patch details. Red Hat Update for gnome-vfs and gnome-vfs2 (QID 116135) CVE-2005-0706, RHSA-2009-0005 GNOME VFS is the GNOME virtual file system. It provides an abstraction layer for the reading, writing and execution of files. A buffer overflow vulnerability exists in GNOME VFS due to inadequate handling of data returned by CDDB servers. An attacker in control of a malicious CDDB server can influence the response to a CDDB query and cause the cddb lookup to return more matches than expected. A malicious user can then use this flaw to run arbitrary code. Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the victim's machine. This exploit can also cause a crash leading to denial of service. Updates to fix this issue are available for Red Hat Enterprise Linux 2.1, 3 and 4. For Red Hat (CVE-2005-0706): Red Hat Enterprise Linux 2.1 RHSA-2005:304 grip 2.96-1.3 RHSA-2009:0005 gnome-vfs-1.0.118.2 Red Hat Enterprise Linux 3 RHSA-2009:0005 gnome-vfs2-2.2.5-2E.3.3 Red Hat Enterprise Linux 4 RHSA-2009:0005 gnome-vfs2-2.8.2-8.7.el4_7.2 (superseded by RHBA2009:0982 gnome-vfs2-2.8.2-8.9.EL4)

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 250

Red Hat cvs Security Update (QID 116352) CVE-2005-2693, RHSA-2005-756 CVS (Concurrent Version System) is a version control system. A security vulnerability exists in CVS because the "cvsbug" application creates temporary files in an insecure manner when saving temporary output to "/tmp". A local user could leverage this issue via a symlink attack to execute arbitrary instructions and create or overwrite arbitrary files with the privileges of the user running cvsbug. Successful exploitation allows local users to overwrite arbitrary files and execute arbitrary code via a symlink attack. For Red Hat (CVE-2005-2693): Red Hat Enterprise Linux 2.1 (cvs) RHSA-2005:756 cvs-1.11.1p1-19 Red Hat Enterprise Linux 3 (cvs) RHSA-2005:756 cvs-1.11.2-28 Red Hat Enterprise Linux 4 (cvs) RHSA-2005:756 cvs-1.11.17-8.RHEL4 (superseded by RHBA2009:0971 cvs-1.11.17-11.el4) Red Hat Enterprise Linux 5 is not vulnerable to this issue as it contains a backported patch.

Remote Vulnerabilities
Remote Login Service Open (QID 38019) CVE-1999-0651 The rlogin service is open. It's possible that this service is wrapped on your host. Wrapping provides a first level of security. If the service is wrapped, check that all hosts authorized by the TCP wrapper to connect to the rlogin service are secure. The security of your host depends on the security of hosts connecting to it. This can lead to severe problems since the rlogin service is vulnerable to both brute force and spoofing attacks. Remove the rlogin service. If a remote connection is required on this host, install Secure Shell or France Secure Shell (fsh) in France. This is an appliance with crypto regulation. You can download Secure Shell from the SSH Web site (www.ssh.com) (http://www.ssh.com/). If you cannot install one of these programs, then you should ensure that a TCP Wrapper is installed to restrict the hosts that can connect to this service. Note: Qualys will often report that the operating system could not be determined and then report the operating system when this vulnerability is reported. For example, "Detected service rlogin and os LINUX 2.4-2.6 / EMBEDDED DEVICE / F5 NETWORKS BIG-IP". Remote Shell Service Open (QID 38020) CVE-1999-0651

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 251

The "Remote Shell" (RSH) service, which uses TCP port number 514, was detected on this host. If this service is accessible from remote hosts, then the server's host can be compromised because of a problem in the service's trust in IP addresses. Malicious users heavily exploit the RSH service to log onto hosts in trust relationships. Remote users do not need a password to log into accounts that the ".rhosts" file has authorized them for. This can be done for all users with a general file called "/etc/hosts.equiv". Two plus signs (+ +) in an ".rhosts" file translates to "anybody can log into my account without having to supply a password". A line with a single plus sign (+) in the "/etc/hosts.equiv" file translates to "any user on any system that can connect to this machine can log into the same user name on this machine provided it exists on the local host". By exploiting this vulnerability, unauthorized users can impersonate a trusted machine to log in without a password. To impersonate a host, the unauthorized user has to set up a TCP Sequencing attack against this host. Such attacks are not common, but are, nevertheless, extremely dangerous. HP-UX, Windows and Linux (versions prior to the 2.0.35 kernel) are extremely vulnerable. Since host-based access controls are not very secure, you should choose a more secure access protocol. Some systems prevent this kind of attack more effectively than others because they are not sensitive to Sequence prediction (the key to TCP Sequencing attacks). Linux systems Version 2.0.36 and later, and Solaris Version 2.x have built-in protection. Install an upgrade of your rlogind server. Be sure to use a secure replacement for rlogin, such as Secure Shell (http://www.ssh.com/), or France Secure Shell (FSH) in France in appliance with crypto regulations. Note: Qualys will often report that the operating system could not be determined and then report the operating system when this vulnerability is reported. For example, "Detected service rsh/rexec and os SOLARIS 9-11". Remote Execution Service Open (QID 38021) CVE-1999-0618 The "Remote Execution" (rexec) service, which uses TCP port number 512, was detected on this host. This service is based on a login/password authentication procedure and allows remote users to execute commands on the system. rexec uses a protocol similar to the rshd/rlogind apart from the .rhosts and /etc/host.equiv authentication (where no password is required) If unauthorized users manage to obtain information about the login names of the users on your system (by using "finger", for example), then they can try to brute force accounts by testing login/password combinations. Compared to many telnet daemons that deny login as root, rexec allows remote users with the correct password to execute commands as root. We strongly advise that you remove the "rexec" service from your system. If an alternative is required, we recommend installing Secure Shell (SSH) which has the same features as the "r* services" daemon, Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 252

but also adds an encryption layer on top of the protocol to prevent eavesdropping and provide better authentication. Note: Qualys will often report that the operating system could not be determined and then report the operating system when this vulnerability is reported. For example, "Detected service rsh/rexec and os SOLARIS 9-11". Unauthenticated Root Access Allowed via rlogin (QID 38134) CVE-1999-0502 rlogin is a Unix software utility that allows users to log in on another host via a network, communicating usually via TCP port 513. Logged-in users can act as if they were physically present at the computer. RFC 1258, in which rLogin is defined, states that: "rlogin facility provides a remote-echoed, locally flowcontrolled virtual terminal with proper flushing of output." rlogin communicates with a daemon, rlogind, on the remote host. The target host allows unauthenticated root access using rlogin. Any remote user may exploit this to completely compromise the system. Immediately disable the service on the port which listed this vulnerability to avoid unauthenticated root access to the host. This vulnerability is detected by exploiting the vulnerability. RPC Mountd Allows Remote Anonymous File System Root Mount (QID 68520) The host allows the file system root "/" to be remotely and anonymously mounted. Successful exploitation of this vulnerability can lead to heavy information disclosure, which consequently can easily lead to system compromise. Configure the host's "mount" daemon to disallow root and other mount points with sensitive content that should not be publically accessible. Typically, the configuration file for the "rpc.mountd" daemon is "/etc/exports". No information about how this vulnerability was reported is available. PAM r-commands Are Not Disabled (QID 105131) A number of commands may be executed on remote hosts: rlogin, rsh, rcp and rcmd. These commands all spawn a shell on the remote host and allow the user to execute commands. Of course, the client needs to have an account on the host where the command is to be executed. Thus all these commands perform an authorization procedure. Usually, the client tells the user's login name to the server, which in turn requests a password that is validated in the usual way. Some of these commands are configured to allow remote access based upon the remote user's IP address. This is a security issue, if an attacker may control the remote machine. An attacker may control the machine if this person controls the remote authorized machine. Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 253

Solaris: Remove the rhosts support from the /etc/pam.conf file. Linux: Remove the rhosts support from the /etc/pam.d/rlogin and /etc/pam.d/rsh files. This vulnerability is confirmed by exploiting the vulnerability. rlogin auth sufficient pam_rhosts_auth.so.1 rsh auth sufficient pam_rhosts_auth.so.1

Rex Deamon Vulnerabilities


Checking Presence of the rpc rex deamon (QID 66031) CVE-1999-0627, Bugtraq ID 37 The rex daemon is an RPC program that enables unauthorized remote users to execute commands without a password. Unauthorized users can execute commands as root from a remote system (no authentication is required). Running this RPC daemon on your server creates a severe vulnerability. Remove it from the list of RPC programs to be loaded at start up. On SunOS, this program is usually located in the "/etc/init.d/rpc" file. This vulnerability is suggested by detecting TCP Port 32776.

Routing Information Protocol Version 2 (RIPv2) Without Authentication (QID 38181)


RIP (Routing Information Protocol) is a widely-used protocol for managing router information within a self-contained network, such as a corporate local area network or an interconnected group of such LANs. RIP is classified by the Internet Engineering Task Force (IETF) as one of several internal gateway protocols (Interior Gateway Protocol). RIP is a distance vectors protocol to mathematically compare routes to identify the best path to any given destination address. RIP Version 2 (RIPv2) adds a "network mask" field and a "next hop address" field and "authentication" to the original RIP packet. Your RIP is not configured to use authentication. Routing information provided by RIP may be disclosed to any remote user who has access to this host/router. By exploiting this vulnerability, remote users with no authentication can retrieve routing information, break router connections to each other, cause route flapping and/or inject obsolete routes. Turn on MD5 based authentication in RIPv2 configuration. No information about how this vulnerability was reported is available.

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 254

Rsync Vulnerabilities
RSync Daemon Mode Undisclosed Remote Heap Overflow Vulnerability (QID 38237) CVE-2003-0962, RHSA-2003-398, Bugtraq ID 9153 The rsync program is used to synchronize files and directory structures across a network. It is commonly used to maintain mirrors of ftp sites, often through anonymous access to the rsync server. rsync is available for Linux and other Unix operating systems. rsync has been reported prone to an undisclosed heap overflow vulnerability when running in daemon mode. It has been reported that exploitation of this issue is easier if the "use chroot = no" option is set in the rsyncd.conf configuration file. There have been reports that this issue is being exploited in conjunction with the Linux Kernel do_brk function boundary condition vulnerability. Please note that the service does not report the software version in its banner, so a safe test that can reliably detect a vulnerable version from a non-vulnerable version was not possible. The scanner posts this detection based solely on the presence of the rsyncd service on the target box. This vulnerability has been reported to be remotely exploitable and will provide for execution of arbitrary code. Affected Versions: Rsync prior to 2.6.3.

Rsync Sanitize_path Function Module Path Escaping Vulnerability (QID 38303) CVE-2004-0426, Bugtraq ID 10938 The rsync program is used to synchronize files and directory structures across a network. It is commonly used to maintain mirrors of ftp sites, often through anonymous access to the rsync server. It is available for Linux and other Unix systems. If an rsync server is installed as a daemon with a read/write enabled module without using the "chroot" option, it's possible that a remote attacker could read/write files outside of the configured module path. Rsync does not properly sanitize the paths when not running with chroot. The problem exists in the "sanitize_path" function. A remote user can craft a path that causes the "sanitize_path" function to generate an absolute file name instead of a relative name. The attacker can then read or write files on a computer. This would occur in the context of the vulnerable process. This issue could be exploited to execute arbitrary code by corrupting or placing arbitrary files on the system. Destruction of data could also result, possibly causing a denial of service condition. Other attacks could also occur, depending on the attacker's motives. Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 255

Affected Versions: Rsync prior to 2.6.3.

Samba Vulnerabilities
Samba is a freely available file and printer sharing application, maintained and developed by the Samba Development Team. Samba supports file and printer sharing between Unix and Microsoft systems. Samba is a suite of software that provides file and print services for "SMB/CIFS" clients. It is available for multiple platforms. Remote User List Disclosure Using NetBIOS (QID 45003) CVE-2000-1200, Bugtraq ID 959 A null session connection to the IPC$ share was successful. NetBIOS access can be obtained with any authenticated account on this host. Therefore unauthorized users can steal the remote user list. This kind of attack is commonly exploited by users with weak passwords, such as the GUEST account. By exploiting this vulnerability, unauthorized users can launch brute force password attacks and other intrusive attacks based on collected information. Employee, customer, and partner information may be gathered. Spamming the user list is also possible. It is recommended that you disable null sessions. Before editing any configuration file in a production environment, the changes should be well tested in a rehearsal environment. Read the Microsoft documents called How to Use the RestrictAnonymous Registry Value kb246261 and Restricting Anonymous Access for more information. If this vulnerability was discovered on a domain controller, please note that some of the recommended settings may not have any effect. Read the Microsoft article Description of Dcpromo Permissions Choices (kb257988) for more information regarding Pre-Windows 2000 Compatible Access. For Windows NT, setting this registry value limits only certain interfaces to this data. It is not possible to completely eliminate this vulnerability through a registry setting. There is another interesting Microsoft document called Local Policies about Windows security policies settings for local policies. Windows XP onwards Microsoft has added more granular control to the anonymous user access by adding couple of more DWORD registry values in the same key location as RestrictAnonymous, RestrictAnonymousSAM and EveryoneIncludesAnonymous. Set RestrictAnonymous = 1 to restrict share information access, RestrictAnonymousSAM = 1 to prevent enumeration of SAM accounts (User Accounts) and EveryoneIncludesAnonymous = 0 to prevent null-sessions from having any rights. Setting the RestrictAnonymous value to 1 restricts null session access to unauthenticated users to all server pipes and shares except those listed in the NullSessionPipes and NullSessionShares entries. Additionally Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 256

set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters, NullSessionPipes and NullSessionShares, to a null string. Note: Changing the restrictanonymous setting to the highest security level for example restrictanonymous = 2 in Windows 2000 may disable older programs that make use of this account. It will also affect Windows NT 4.0 Domain Controllers from communicating with each other between trust relationships. For Samba servers there is no direct way of disabling null session access. A workaround is to specify a non exisiting UNIX account in global section of Samba config file. guest account = NON EXISTING USER. Adding the following setting ton smb.conf can help resolve the issue. restrict anonymous = 2 If possible, filter out Microsoft networking ports such as TCP ports 135, 137, 138, 139, and UDP ports 135, 137, 138. Note: This QID is posted when QualysGuard is able to enumerate the user-list of a target via the Net* API functions (in which case "Null Session/Password NetBIOS Access (QID 70003)" is posted as well), or when QualysGuard is able to "brute-force" known SIDs via LsarLookupSids (in which case only this vulnerability, "Remote User List Disclosure Using NetBIOS (QID 45003)," is posted). While both techniques use anonymous NetBIOS sessions, we are unaware of a system-level fix forLsarLookupSids, as Microsoft considers this to be requisite functionality. This vulnerability is confirmed by exploiting the vulnerability. Samba "receive_smb_raw()" Buffer Overflow and Remote Code Execution (QID 115825) CVE-2008-1105, Samba CVE-2008-1105, RHSA-2008-0288, ESX350-200806218-UG, HP-UX Doc c01475657 A heap-based buffer overflow flaw exists in the way Samba clients handle over-sized packets. If a client connects to a malicious Samba server, it is possible to execute arbitrary code as the Samba client user. It is also possible for a remote user to send a specially crafted print request to a Samba server. Successful exploitation could result in the server executing the vulnerable client code, causing arbitrary code execution with the permissions of the Samba server. Affected Versions: Samba Versions 3.0.0 through 3.0.29.

Install vendor update or upgrade Samba to 3.0.30 (or later). Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 257

For Red Hat (CVE-2008-1105): Red Hat Enterprise Linux 2.1 RHSA-2008-0288 updates to samba-2.2.12-1.21as.9.3

For VMWare ESX Server: Install VMWare ESX Server Version 3.5 Patch ESX350-200806218-UG.

For HP-UX: Refer to HP-UX advisory c01475657.

This vulnerability is confirmed by detecting "Samba 3.0.14a based HP CIFS Server A.02.02". Samba Security Update (QID 115555) CVE-2007-2446, Samba CVE-2007-2446, RHSA-2007:0354 Samba is susceptible to the following vulnerabilities: A heap overflow vulnerability because of bugs in NDR parsing, which are used to decode MSRPC requests. (CVE-2007-2446) A remote code execution vulnerability because user input parameters are being passed directly to /bin/sh. (CVE-2007-2446)

A malicious attacker can send carefully crafted packets to the server, causing a heap overflow leading to remote code execution. For Red Hat (CVE-2007-2446): Red Hat Enterprise Linux 2.1 RHSA-2007:0354 samba-2.2.12-1.21as.6 (superseded by RHSA2008:0288 samba-2.2.12-1.21as.9.3) Red Hat Enterprise Linux 3 RHSA-2007:0354 samba-3.0.9-1.3E.13.2 (superseded by RHSA2010:0697 samba-3.0.9-1.3E.18) Red Hat Enterprise Linux 4 RHSA-2007:0354 samba-3.0.10-1.4E.12.2 (superseded by RHSA2011:1219 samba-3.0.33-0.34.el4) Red Hat Enterprise Linux 5 RHSA-2007:0354 samba-3.0.23c-2.el5.2.0.2 (superseded by RHSA2011:1219 samba-3.0.33-3.29.el5_7.4)

For HP-UX see HPSBUX02218. HP CIFS Server A.02.03.02 (or later). This vulnerability is confirmed by detecting "Samba 3.0.14a based HP CIFS Server A.02.02" or if Red Hat 2.4 is detected with: Package samba samba-client samba-common Installed version 2.2.10-1.21as.1 2.2.10-1.21as.1 2.2.10-1.21as.1 Required version 2.2.12-1.21as.6 2.2.12-1.21as.6 2.2.12-1.21as.6 Page 258

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Samba "domain logons" remote code execution (QID 115822) CVE-2007-6015, RHSA-2007-1114, Sun Alert ID 238251 (Oracle ID 1019295.1), Samba CVE-2007-6015, HP-UX doc c01475657 A stack-based buffer overflow security issue exists in the send_mailslot function in nmbd(8) in Samba Versions 3.0.0 through 3.0.27a when the "domain logons" option is enabled. This vulnerability may allow a remote unprivileged user the ability to execute arbitrary code as "root" user via a GETDC mailslot request composed of a long GETDC string following an offset username in a SAMLOGON logon request. Install vendor update or upgrade Samba; see Samba CVE-2007-6015. For Solaris see Oracle ID 1019295.1. For Red Hat (CVE-2007-6015): Red Hat Enterprise Linux 2.1 RHSA-2007-1114 samba-2.2.12-1.21as.8.2 (superseded by RHSA2008:0288 samba-2.2.12-1.21as.9.3) Red Hat Enterprise Linux 3 RHSA-2007-1114 samba-3.0.9-1.3E.14.3 (superseded by RHSA2010:0697 samba-3.0.9-1.3E.18) Red Hat Enterprise Linux 4 RHSA-2007-1114 samba-3.0.25b-1.el4_6.4 (superseded by RHSA2011:1219 samba-3.0.33-0.34.el4) Red Hat Enterprise Linux 5 RHSA-2007-1114 samba-3.0.25b-1.el5_1.4 (superseded by RHSA2011:1219 samba-3.0.33-3.29.el5_7.4)

For HP-UX see HP-UX doc c01475657. HP CIFS Server (Samba) vA.02.03.04 for HP-UX B.11.11, B.11.23, B.11.31. This vulnerability is confirmed by detecting (HP-UX 11) "Samba 3.0.14a based HP CIFS Server A.02.02" or (Red Hat 2.4): Package samba samba-client samba-common Installed version 2.2.10-1.21as.1 2.2.10-1.21as.1 2.2.10-1.21as.1 Required version 2.2.12-1.21as.8.2 2.2.12-1.21as.8.2 2.2.12-1.21as.8.2

NetBIOS Shared Folder List Available (QID 70001) Unauthorized remote users can list all file systems on this host that are accessible from a remote system. If successfully exploited, unauthorized users can use this information to brute force attack the shared resources and initiate file transfers with this server. Use the Microsoft Computer Management MMC snap-in to connect and review the shares. By default C$, Admin$, and IPC$ are shared on all Windows machines.

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 259

Review the machine to ensure that users have not added any additional unauthorized shares, and that all exposed shares are valid. If no shares are needed, you can filter all Microsoft networking and Samba server ports (TCP ports 135, 137, 138, 139, 445 and UDP ports 135, 137, 138) at your firewall and disable null sessions to NetBIOS. Workaround: (Before editing any configuration file in a production environment, the changes should be well tested in a rehearsal environment.) Adding "restrict anonymous = 2" in smb.conf can help resolve the issue. This vulnerability is confirmed by enumerating exposed shares. Null Session/Password NetBIOS Access (QID 70003) CVE-1999-0519 Unauthorized users can connect to this NetBIOS service without a password. Unauthorized users may be able to exploit this vulnerability to obtain sensitive information about your system resources, such as a list of all accounts or shared resources on this host. For Windows hosts, unauthorized users may also be able to access the registry, and depending on the Windows version and registry permission settings, make modifications to the registry. Null NetBIOS sessions can be disabled using the following methods: For Windows NT, set the following registry key and restart your computer: HKLM\System\CurrentControlSet\Control\Lsa Name: RestrictAnonymous Type: REG_DWORD Value: 1 For Windows 2000, make the following change and restart your computer: 1. Start "Control Panel-->Administrative Tools-->Local Security Policy". 2. Open "Local Policies-->Security Options". 3. Make sure "Additional restrictions of anonymous connections" is set to "No access without explicit anonymous permissions". For Windows XP/2003, make the following change and restart your computer: 1. Start "Control Panel-->Administrative Tools-->Local Security Policy". 2. Open "Local Policies-->Security Options". 3. Make sure the following two policies are enabled: 1. Network Access: Do not allow anonymous enumeration of SAM accounts 2. Network Access: Do not allow anonymous enumeration of SAM accounts and shares 4. Disable Network Access: Let Everyone permissions apply to anonymous users.

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 260

The above settings have no impact on domain controllers. If this vulnerability was discovered on a domain controller, please note that some of the recommended settings may not have any effect. Read the Microsoft article Description of Dcpromo Permissions Choices (kb257988) for more information regarding Pre-Windows 2000 Compatible Access. Please read the Microsoft documents called How to Use the RestrictAnonymous Registry Value (kb246261) and Restricting Anonymous Access for more information. For Samba, make the following settings in smb.conf: set "security" to "user" or "domain" or "server" as per your requirements. set "map_to_guest" to "Never" SECURITY = USER

This is the default security setting in Samba 2.2. With user-level security a client must first "log=on" with a valid username and password (which can be mapped using the username map parameter). Encrypted passwords can also be used in this security mode. Parameters such as user and guest only if set are then applied and may change the UNIX user to use on this connection, but only after the user has been successfully authenticated. SECURITY = SERVER In this mode Samba will try to validate the username/password by passing it to another SMB server, such as an NT box. If this fails it will revert to security = user, but note that if encrypted passwords have been negotiated then Samba cannot revert back to checking the UNIX password file, it must have a valid smbpasswd file to check users against. See the documentation file in the docs/ directory ENCRYPTION.txt for details on how to set this up. SECURITY = DOMAIN This mode will only work correctly if smbpasswd(8) has been used to add this machine into a Windows NT Domain. It expects the encrypted passwords parameter to be set to true. In this mode Samba will try to validate the username/password by passing it to a Windows NT Primary or Backup Domain Controller, in exactly the same way that a Windows NT Server would do. Workaround: (Before editing any configuration file in a production environment, the changes should be well tested in a rehearsal environment.) For Samba, make the following settings in smb.conf: Add "restrict anonymous = 2" to help resolve the issue. For Samba 3.0 and Active Directory, make the following settings in smb.conf: security = ADS This vulnerability is confirmed by exploiting the vulnerability. Samba Remote Arbitrary File Access Vulnerability (QID 70040) CVE-2004-0815, Samba CVE-2004-0815, Bugtraq ID 11281 Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 261

Samba is affected by a remote arbitrary file access vulnerability. This issue is due to a failure of the application to properly validate user-supplied file names. The problem presents itself when Samba attempts to convert malformed DOS path names to path names of the Samba host's file system. Details are not available regarding the type of DOS path name that might leverage this issue, however it's likely that directory traversal sequences are at the root of this vulnerability. Note that this is not confirmed. An attacker may leverage this issue to gain access to files outside of a Samba share's path specified in the "smb.conf" file on a vulnerable computer. Information gained in this way may reveal sensitive information aiding in further attacks against the computer. Install vendor update or upgrade to the latest version of Samba. For Red Hat (CVE-2004-0815): Red Hat Enterprise Linux 2.1 RHSA-2004:498 updates to samba-2.2.12-1.21as

Workaround: Samba file shares with "wide links = no" (a non-default setting) in the service definition in "smb.conf" are not vulnerable to this attack. It is highly recommended that "wide links" be set to "no" if at all possible. This vulnerability is confirmed when Red Hat 2.4 is detected with: Package samba samba-client samba-common Installed version 2.2.10-1.21as.1 2.2.10-1.21as.1 2.2.10-1.21as.1 Required version 2.2.12-1.21as 2.2.12-1.21as 2.2.12-1.21as

Samba Directory Access Control List Remote Integer Overflow Vulnerability (QID 70045) CVE-2004-1154, Samba CVE-2007-4572, Bugtraq ID 11973 A remotely exploitable integer overflow vulnerability affects the directory access control list (DACL) processing functionality of Samba. This issue is due to a failure of the application to properly perform sanity checking on calculated data sizes prior to copying data into static process buffers. The problem presents itself while processing remote file requests. The Samba Daemon process (smbd) application requires various information on a file during a request, including the directory access control list (DACL). Specifically this issue arises when smbd attempts to process requests with excessively large DACLs. Apparently, the application multiplies the number of access control descriptors by the default size of each without performing any sanity checking. The default size of the access control descriptors is approximately 112 bytes. By providing more than 38347922 descriptors in the request and attacker can cause the multiplied size to overflow the designated integer variable, resulting in an insufficiently sized Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 262

buffer being created to store the excessive data. This facilitates attacker control of heap memory, and ultimately code execution with superuser privileges. An attacker with access to an SMB share may leverage this issue to overwrite the heap of the affected process, facilitating code execution with superuser privileges. Install vendor update for upgrade to the latest version of Samba. For Red Hat (CVE-2004-1154): Red Hat Enterprise Linux 2.1 RHSA-2004:681, RHSA-2005:020 updates to samba-2.2.12-1.21as.4 (superseded by RHSA-2008:0288 samba-2.2.12-1.21as.9.3)

This vulnerability is detected by (Red Hat 2.4): Package samba samba-client samba-common Installed version 2.2.10-1.21as.1 2.2.10-1.21as.1 2.2.10-1.21as.1 Required version 2.2.12-1.21as.4 2.2.12-1.21as.4 2.2.12-1.21as.4

Samba NMBD Logon Request Remote Buffer Overflow Vulnerability (QID 70046) CVE-2007-4572, Samba CVE-2007-4572, Bugtraq ID 26454 Samba is prone to a buffer overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data. Specifically, this issue affects "nmbd" when processing a specially crafted "GETDC" logon server request. Attackers can exploit this issue to cause denial of service conditions. Due to the nature of this issue, remote code execution may be possible. Workaround: The vendor states that disabling the "domain logons" and "domain master" options in the "smb.conf" file will negate this issue. However, this will also disable all domain controller features. Samba.org released an advisory and patch to address this issue. Affected Versions: Samba Versions 3.0.0 through 3.0.26a are vulnerable.

For Red Hat (CVE-2007-4572): Red Hat Enterprise Linux 2.1: RHSA-2007:1013 updates to samba-2.2.12-1.21as.8.1

HP has released a patch to address this issue. Refer to HP's technical support document HPSBUX02341 (registration required) for further details. This vulnerability is confirmed when Red Hat 2.4 is detected with: Package samba Installed version Required version 2.2.10-1.21as.1 2.2.12-1.21as.8.1 Page 263

Vulnerability Remediation Synopsis version 0.4Russ Klanke

samba-client 2.2.10-1.21as.1 samba-common 2.2.10-1.21as.1

2.2.12-1.21as.8.1 2.2.12-1.21as.8.1

Samba Security Bypass and Format String Vulnerabilities (QID 70051) CVE-2009-1886, CVE-2009-1888, Samba-CVE-2009-1886, Samba-CVE-2009-1888, Bugtraq ID 35472 Samba is a freely available file and printer sharing application that allows users to share files and printers between operating systems on Unix and Windows platforms. Samba is prone to the following vulnerabilities: An uninitialized memory access error exists in smbd when denying attempts to modify a restricted access control list (ACL). This can be exploited to potentially modify the ACL of an already writable file without required permissions. Samba Versions 3.0.31 through 3.3.5 are affected with this issue. (CVE-2009-1888)

Successful exploitation of this vulnerability requires that the server would have to be configured with "dos filemode = yes" in the smb.conf. A format string error exists in the "smbclient" utility when processing file names received as command arguments. This can be exploited to potentially execute arbitrary code by tricking a user into issuing a "put" command having a malicious file name argument in "smbclient". Samba Versions 3.2.0 through 3.2.12 are affected with this issue. (CVE-2009-1886)

If this vulnerability is successfully exploited, it will allow attackers to bypass certain security restrictions and potentially compromise a user's system. Samba "mount.cifs" Race Condition Security Issue (QID 70054) CVE-2010-0787, Bugtraq ID 37992 Samba is a file and printer-sharing application that allows users to share files and printers between operating systems on Unix and Windows platforms. Samba is prone to a local privilege-escalation vulnerability in the "mount.cifs" utility. Specifically, when the application is installed as a setuid program, a race condition occurs when verifying user permissions. This issue can be exploited by replacing mountpoints with symlinks. Successful privilege escalation may require that the "mount.cifs" utility is suid root. This may cause the application to mount filesystems in arbitrary locations. Local attackers can exploit this issue to gain elevated privileges on affected computers. Samba Multiple Remote Denial of Service Vulnerabilities (QID 70057) CVE-2010-1635, CVE-2010-1642, Samba 3.4.8 Release Notes, Samba 3.5.2 Release Notes, Bugtraq ID 40097

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 264

Samba is a freely available file and printer sharing application maintained and developed by the Samba Development Team. Samba allows users to share files and printers between operating systems on UNIX and Windows platforms. Samba is prone to multiple vulnerabilities that can cause smbd to crash. An attacker can exploit these issues to crash the application, denying service to legitimate users. Affected Versions: Versions prior to 3.4.8 and prior to 3.5.2 are vulnerable.

Samba chain_reply() Memory Corruption Vulnerability (QID 70058) CVE-2010-2063, Samba 3.3.13 Release Notes Samba is a freely available file and printer sharing application maintained and developed by the Samba Development Team. Samba allows users to share files and printers between operating systems on UNIX and Windows platforms. Samba is prone to a vulnerability in Samba's chain_reply() function, where an attacker could trigger a memory corruption by sending specially crafted SMB requests resulting in heap memory overwritten with attacker-supplied data, which can allow attackers to execute code remotely. An attacker can exploit these issues to execute arbitrary code with root privileges. Affected Versions: Samba Versions 3.0.0 through 3.3.12.

Note: Previously, this was an iDefense exclusive vulnerability with iDefense ID: 595299 Samba FD_SET Memory Corruption Vulnerability (QID 70061) CVE-2011-0719, Samba 3.5.7 Samba is a freely available file and printer sharing application. Samba allows users to share files and printers between operating systems on UNIX and Windows platforms. Samba is prone to a memory corruption vulnerability caused by missing range checks on file descriptors related to the "FD_SET" macro, which can be exploited to corrupt stack-based memory by performing a select on a specially crafted file descriptor set. Successful exploitation allows malicious local users to cause a denial of service and potentially gain escalated privileges. Affected Versions: Samba Versions 3.0.0 through 3.3.14. Samba Versions 3.4.0 through 3.4.11. Page 265

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Samba Versions 3.5.0 through 3.5.6.

Samba "receive_smb_raw()" Buffer Overflow and Remote Code Execution (QID 115825) CVE-2008-1105, SAMBA CVE-2008-1105, RHSA-2008:0288, RHSA-2008:0289, RHSA-2008:0290, HP-UX doc c01475657, ESX350-200806218-UG A heap-based buffer overflow flaw exists in the way Samba clients handle over-sized packets. If a client connects to a malicious Samba server, it is possible to execute arbitrary code as the Samba client user. It is also possible for a remote user to send a specially crafted print request to a Samba server. Successful exploitation could result in the server executing the vulnerable client code, causing arbitrary code execution with the permissions of the Samba server. Affected Versions: Samba Versions 3.0.0 through 3.0.29.

Install vendor update or upgrade Samba to 3.0.30 (or later). For Red Hat (CVE-2008-1105): Red Hat Enterprise Linux version 2.1 (samba) RHSA-2008:0288 updates to samba-2.2.121.21as.9.3 Red Hat Enterprise Linux version 3 (samba) RHSA-2008:0288 updates to samba-3.0.9-1.3E.15 (superseded by RHSA-2010:0697 samba-3.0.9-1.3E.18) Red Hat Enterprise Linux version 4 (samba) RHSA-2008:0288 updates to samba-3.0.25b1.el4_6.5 (superseded by RHSA-2011:1219 samba-3.0.33-0.34.el4) Red Hat Enterprise Linux ES EUS (v. 4.5) (samba) RHSA-2008:0289 updates to samba-3.0.102.el4_5.3 Red Hat Enterprise Linux version 5 (samba) RHSA-2008:0290 updates to samba-3.0.28-1.el5_2.1 (superseded by RHBA-2009:0251 samba-3.0.28-1.el5_2.3)

For VMWare ESX Server Version 3.5 Patch see ESX350-200806218-UG. For HP-UX see HP-UX doc c01475657. This vulnerability is confirmed by detecting (HP-UX 11) "Samba 3.0.14a based HP CIFS Server A.02.02" or (Red Hat 2.4): Package samba samba-client samba-common Installed version 2.2.10-1.21as.1 2.2.10-1.21as.1 2.2.10-1.21as.1 Required version 2.2.12-1.21as.9.3 2.2.12-1.21as.9.3 2.2.12-1.21as.9.3

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 266

Sendmail Vulnerabilities
Sendmail Prescan() Variant Remote Buffer Overrun Vulnerability (QID 50080) CVE-2003-0694, CVE-2003-0681, Sun Alert ID 56860, APAR IY48659, APAR IY48658, APAR IY48657, RHSA-2003-284, Bugtraq ID 8641 Sendmail is prone to a buffer overrun vulnerability in the prescan() function. The issue exists in the "parseaddr.c" source file, and could allow for corruption of stack or heap memory, depending on where in the code the function is called from. One possible attack vector is if the function is indirectly invoked via parseaddr(), although others may also exist. A "potential buffer overflow in ruleset parsing" for Sendmail 8.12.9, when using the nonstandard rulesets (1) recipient (2), final, or (3) mailer-specific envelope recipients, has unknown consequences. Successful exploitation of this vulnerability may permit remote attackers to execute arbitrary code via vulnerable versions of Sendmail. Code execution would occur with the privileges of the server. This can also cause a denial of service. Update to 8.12.10 or later or use (OS vendor) patch. Sendmail ETRN Command Denial of Service Vulnerability (QID 74040) CVE-1999-1109, Sendmail Security Advisory archive, Bugtraq ID 904 Sendmail is a widely used MTA, which is often shipped with Unix systems, and is maintained by the Sendmail Consortium. The sendmail SMTP server allows message queuing through the ETRN command. A low-bandwidth denial of service vulnerability exists in Sendmail. When a client connects to the sendmail smtpd and sends an ETRN command to the server, the server calls "fork()" and sleeps for 5 seconds. The parent process generates no output; only child-generated output is sent, so parent processes are not notified on send() or write() failures. This flaw can be exploited by a remote attacker by sending a long series of ETRN commands to the server, causing the parent process to hang since it repeats fork() and sleep(5) call sequences till end of ETRNs read into input buffer is reached. This causes memory and system resources to become completely exhausted and crashes the kernel. If successfully exploited, unauthorized users can implement a denial of service attack. Commands cannot be executed as a result of this vulnerability. It is possible to exhaust system resources and even cause a reboot of the server. Workaround: Set "MaxDaemonChildren" to a value around 15 in the sendmail.cf file. Install vendor update or upgrade to Sendmail Version 8.10.1 or later. Sendmail Debugger Arbitrary Code Execution Vulnerability (QID 74088) CVE-2001-0653, RHSA-2001-106, Bugtraq ID 3163

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 267

You are running a Sendmail version that contains the vulnerability described below, which is exploitable by a local user. If you have already installed a patch to remove this vulnerability, please ignore this warning. Sendmail is a widely used MTA, which is often shipped with Unix systems, and is maintained by the Sendmail Consortium. An input validation error exists in Sendmail's debugging functionality. The problem is the result of the use of signed integers in the program's tTflag() function, which is responsible for processing arguments supplied from the command line with the '-d' switch and writing the values to it's internal "trace vector". It's possible to cause a signed integer overflow by supplying a large numeric value for the 'category' part of the debugger arguments. The numeric value is used as an index for the trace vector. Before the vector is written to, a check is performed to ensure that the supplied index value is not greater than the size of the vector. However, because a signed integer comparison is used, it is possible to bypass the check by supplying the signed integer equivalent of a negative value. This may allow an attacker to write data to anywhere within a certain range of locations in process memory. Because the '-d' command line switch is processed before the program drops its elevated privileges, this could lead to a full system compromise. This vulnerability has been successfully exploited in a laboratory environment. If successfully exploited, a complete compromise of the system may occur. Install vendor update or upgrade to 8.11.6 (or later) or use patch (http://www.securityfocus.com/bid/3163/solution/). Sendmail Queue Processing Data Loss/Denial of Service Vulnerability (QID 74089) CVE-2001-0714, Bugtraq ID 3378 You are running a Sendmail version that contains the vulnerability described below, which is exploitable by a local user. If you have already applied the workaround to remove this vulnerability, please ignore this warning. Sendmail is a widely used MTA, which is often shipped with Unix systems, and is maintained by the Sendmail Consortium. A problem in the software has been discovered that could allow a malicious user to deny services to legitimate users of a Sendmail system. The problem is due to a programming error in the software. Sendmail allows regular users to force processing of the entire mail queue. When running 'sendmail', users can change key configuration variables, such as setting the message hop count to a value greater than the limit imposed by Sendmail. In doing so, mail in the queue will be dropped when it is processed. If this vulnerability is successfully exploited, a malicious user can cause a loss of data or a denial of service.

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 268

Sendmail Unsafe Signal Handling Race Condition Vulnerability (QID 74091) CVE-2001-1349, Bugtraq ID 2794 In a recent paper, Michal Zalewski presented several methods of causing undesired or unexpected behavior in programs that make use of non-atomic or non-reentrant operations in signal handling functions. Due to the implications of this paper, the Sendmail MTA has been found to be susceptible to several possible race condition vulnerabilities. The problems lie in the signal handlers used for dealing with specific signals, such as SIGTERM or SIGINT. By generating a signal while a signal handling operation is already in progress, an attacker could interrupt a non-reentrant libc function and enter it again from the handler. Precise timing in such an attack could possibly result in heap corruption or interruption during privilege lowering. This set of vulnerabilities exists because of reentrant library function calls from signal handlers (malloc, free, syslog, operations on global buffers, etc). Conditions where these types of attacks may be possible are known to exist in Sendmail, which is installed in set-uid root and locally executable. Attacks against Sendmail are still theoretical. The program maintains its root privileges during runtime almost all of the time; no exploitable problems have yet been found with user signal delivery. It is only remotely possible that an exploitable condition exists in Sendmail. Precise timing in such an attack could possibly result in heap corruption or interruption during privilege lowering. Attacks utilizing this vulnerability against Sendmail are still only theoretical. Sendmail File Locking Denial of Service Vulnerability (QID 74108) CVE-2002-1827, Bugtraq ID 4822 Sendmail is an MTA (Mail Transport Agent) for Unix and Linux variants. There is a vulnerability in Sendmail that may lead to a denial of service condition. The vulnerability occurs when a malicious user acquires an exclusive lock on files that Sendmail requires for operation. Sendmail uses file locking for a variety of files including aliases, maps, statistics, and the pid file. If a user has access to these files, the user may be able to obtain exclusive locks on these files. If Sendmail, or its associated programs, is unable to obtain access to any critical files, it will cease to function properly. A malicious user may exploit this vulnerability to cause Sendmail to stop functioning. Sendmail Header Processing Buffer Overflow Vulnerability (QID 74135) CVE-2002-1337, Sun Alert ID 51181, APAR IY40500, APAR IY40501, APAR IY40502, RHSA-2003-074, Bugtraq ID 6991 Sendmail is a widely used MTA for Unix and Microsoft Windows systems. A remotely exploitable vulnerability has been discovered in Sendmail. The vulnerability is due to a buffer overflow condition in the SMTP header parsing component. Remote attackers may exploit this vulnerability by connecting to target SMTP servers and transmitting malformed SMTP data to them. Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 269

The overflow condition occurs when Sendmail processes incoming e-mail messages with multiple addresses in a field such as "From:" or "CC:". One of the checks to ensure that the addresses are valid is flawed, resulting in a buffer overflow condition. This vulnerability may be exploited to gain root privileges on affected servers remotely. Affected Versions: Sendmail Versions 5.2 to 8.12.7.

Install vendor update or upgrade to 8.12.8 (or later) or apply available patches to prior versions of the 8.x tree. Sendmail Address Prescan Possible Memory Corruption Vulnerability (QID 74136) CVE-2003-0161, CA-2003-12, Bugtraq ID 7230 Sendmail is a freely available, open-source mail transport agent. It is maintained and distributed by the Sendmail Consortium. Sendmail is affected by a memory corruption condition that may or may not be remotely exploitable. The potentially exploitable flaw is present in the prescan() procedure, one that is used for processing email addresses in SMTP headers. This function is implemented in the source code file "parseaddr.c". This vulnerability is due to a logic error in the conversion of a char to an integer value. More information can be obtained from Cert Advisory CA-2003-12. This condition may be exploited by remote attackers to execute instructions on target systems. Install vendor update or upgrade to 8.12.9 (or later) or use patch CA-2003-12. Sendmail check_relay Access Bypassing Vulnerability (QID 74141) CVE-2002-2261, Bugtraq ID 6548 Sendmail is a freely available, open-source mail transport agent, which is maintained and distributed by the Sendmail Consortium. Sendmail is available for Unix and Linux systems. Sendmail uses a general map, which is activated by FEATURE(access_db). This is used by Sendmail to "accept", "reject" or "relay" mail from various hosts, among other actions. A vulnerability has been discovered in Sendmail that may allow attackers to bypass access restrictions for the check_relay ruleset. Due to this vulnerability, it's possible for atackers to use bogus DNS data to bypass the access restrictions imposed by the access_db FEATURE when used with the check_relay ruleset. An attacker may exploit this vulnerability to connect to a Sendmail server that would otherwise be inaccessible.

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 270

Affected Versions: 8.9.0, 8.9.1, 8.9.2, 8.9.3 8.12.1, 8.12.2, 8.12.3, 8.12.4, 8.12.5, 8.12.6

Sendmail Asynchronous Signal Handling Remote Code Execution Vulnerability (QID 74212) CVE-2006-0058, Sendmail Security Advisory archive, RHSA-2006-0265, Bugtraq ID 17192 Sendmail is a widely-used MTA for Unix and Microsoft Windows systems. Sendmail is prone to a remote code execution vulnerability because of an unspecified race condition error. The vulnerability arises in the "sm_syslog()" function due to improper handling of setjmp/longjmp set of macros with asynchronous signals. Specifically, the issue presents itself when Sendmail processes specially-crafted mail data from clients and employs a signal handler to handle timeouts. The signal handler causes certain data elements to reside in an inconsistent state and an attacker can use the elements to write to stack or heap memory. Successful exploitation could allow remote attackers to execute arbitrary code with the privileges of the application, which typically runs as superuser. Affected Versions: Sendmail version 8.13.5 and prior.

Install vendor update or upgrade to Sendmail Version 8.13.6. Windows: This issue does not exist in Windows.

Red Hat (CVE-2006-0058): Red Hat Enterprise Linux 2.1 (RHSA-2006:0265) sendmail-8.12.11-4.21AS.8

Sendmail Malformed MIME Message Denial of Service (QID 74215) CVE-2006-1173, Sendmail Security Advisory archive, Bugtraq ID 18433 Sendmail is vulnerable to a denial of service issue due to a failure in the application to properly handle malformed multi-part MIME messages. The problem occurs because a malformed MIME structure can trigger a stack overflow because the recursion is not restricted in the "mime8to7()" function. An attacker can exploit this issue to crash the Sendmail process during delivery. Install vendor update or upgrade to Sendmail Version 8.13.7. Red Hat (CVE-2006-1173): Red Hat Enterprise Linux 2.1 (RHSA-2006:0515) sendmail-8.12.11-4.21AS.10 Red Hat Enterprise Linux 3 (RHSA-2006:0515) sendmail-8.12.11-4.RHEL3.6 Page 271

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Red Hat Enterprise Linux 4 (RHSA-2006:0515) sendmail-8.13.1-3.RHEL4.5 (superseded by RHSA2011:0262 sendmail-8.13.1-6.el4)

Sendmail Long Header Denial of Service Vulnerability (QID 74220) CVE-2006-4434, Sun Alert ID 102664, Bugtraq ID 19714 Sendmail is a widely used MTA for UNIX and Microsoft Windows systems. Sendmail is prone to a denial of service vulnerability. This issue occurs when the application tries to handle excessively long header lines. This could trigger a user-after-free bug. This issue was reported in OpenBSD's version of Sendmail. An attacker can exploit this issue to crash Sendmail causing a denial of service. Affected Versions: Sendmail SSL Certificate NULL Character Spoofing Vulnerability (QID 74240) CVE-2009-4565, Sendmail - 8.14.4 Sendmail is prone to a SSL certificate NULL character spoofing vulnerability. Some certificate authorities do not properly check the requests they are signing and hence allow spoofing via an embedded NUL in the CN entry. Some checks have been added to deal with "bogus" CNs. A man-in-the-middle attacker may be able to spoof arbitrary SSL SMTP servers. A workaround for a Linux resolver problem has been added to avoid core dumps. Affected Versions: Sendmail prior to 8.14.4.

Install vendor update to upgrade to 8.14.4 (or later).

SMTP Vulnerabilities
Mail Server Accepts Plaintext Credentials (QID 74147) Your Mail Server responds to the EHLO command which implies that it uses the ESMTP protocol. ESMTP uses the AUTH command which indicates an authentication mechanism to the server. If the server supports the requested authentication mechanism, it performs an authentication protocol exchange to authenticate and identify the user. Optionally, it also negotiates a security layer for subsequent protocol interactions. Your server accepts PLAIN or LOGIN as one of the AUTH parameters. The authentication credentials are transmitted in plaintext over the network and no encryption is performed. Malicious users could obtain mail server credentials by sniffing the traffic. This can allow unauthorized users to use the mail server as Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 272

an open mail relay. It may also lead to compromise of account credentials that can be used to access other mail services like POP3 and IMAP. Disable the plaintext authentication methods on your SMTP server for unencrypted (non-SSL/TLS) sessions. You may consider using more advanced challenge-based authentication methods like CRAMMD5 or DIGEST-MD5. Please contact your vendor for configuration information. Also check RFC 2554 and RFC 2487 for more details. This vulnerability is confirmed by exploiting the vulnerability.

SNMP Vulnerabilities
Possible Mail Relay (QID 74037) CVE-1999-0512, CVE-2002-1278, CVE-2003-0285 The Internet Electronic Mail exchange protocol (SMTP) is designed to work with relays. These days, there is less of a need for relaying functions and, in fact, relaying functions are highly vulnerable to attacks because they allow unauthorized users to connect once to a mail server for a single message. Then, the relaying server distributes the message to thousands of recipients. It is possible that mail relaying is allowed by the mail server on the host. More details about the specific relaying addresses that are accepted by the mail server are given in the Results section. Since a mail server that accepts a relaying address may be configured not to actually deliver the mail to that address. If this is the case, you may safely ignore this report. If mail relaying is indeed allowed, unauthorized Internet users can exploit your Mail server to send anonymous e-mail messages, send massive advertisement messages to unwilling recipients consume bandwidth or cause denial of service on your servers. Readable SNMP Information (QID 78030) CVE-1999-0517, CVE-1999-0186, CVE-1999-0254, CVE-1999-0516, CVE-1999-0472, CVE-2001-0514, CVE2002-0109 Unauthorized users can read all SNMP information because the access password is not secure. Read-access to all SNMP information can give unauthorized users an incredible amount of valuable information about your network. There are different types of attacks an unauthorized user can implement to retrieve sensitive information contained in the MIB. You can protect yourself against any of these attacks. The following is a list of possible attacks and how you can protect yourself (from highest to lowest risk):

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 273

Brute force of community names: Replace the default password (often "public" or "private") with a secure one. The password should be hard to guess, and should not be derived from the hostname of the machine or from its model name (e.g., "sun" or "ibm"). Eavesdropping of community names: SNMP Version 3 agents, as well as some of the SNMP Version 2 agents (not those named SNMPv2c for "community based SNMP version 2") include authentication using hashing functions, such as MD5. Eavesdropping of information retrieved by authorized users: Use the privacy function, such as DES-encryption, of the protocols described above. Replay of legitimate SNMP message by unauthorized users: The protocols described above provide a simple replay protection using a timestamp and a message sequence number.

Use ACLs to restrict the hosts that can talk SNMP with your system to a defined list of IP addresses (such as the OVO servers). Switch to a harder-to-guess "community name". (These measures would not be performed by the application team, but by the hardware / operating system team.) This vulnerability is confirmed by exploiting the vulnerability. Writeable SNMP Information (QID 78031) CVE-1999-0792, CVE-2000-0147, CVE-2001-0380, CVE-2001-1210, CVE-2002-0478, CVE-2000-0515, Bugtraq ID 973, 1327, 3758, 4330 Unauthorized users can modify all SNMP information because the access password is not secure. The system can be attacked in a number of ways--by route redirection, denial of service, complete loss of network service, reboots or crashes, and traffic monitoring. If SNMP access is not required on this system, then disallow it. Otherwise, use a secure un-guessable "community name", and restrict the hosts that talk SNMP with your system to a defined list of IP addresses. Use ACLs to restrict the hosts that can talk SNMP with your system to a defined list of IP addresses (such as the OVO servers). Switch to a harder-to-guess "community name". (These measures would not be performed by the application team, but by the hardware / operating system team.) This vulnerability is confirmed by exploiting the vulnerability. Multiple Vendor SNMP Request and Trap Handling Vulnerabilities (QID 78035) CVE-2002-0012, CVE-2002-0013, MS02-006, Bugtraq ID 4088 SNMP requests are messages sent from manager to agent systems. They typically poll the agent for current performance or configuration information, ask for the next SNMP object in a Management Information Base (MIB), or modify the configuration settings of the agent. SNMP traps are messages sent from agent to manager systems. They typically notify the manager that some event has occurred or otherwise provide information about the status of the agent. Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 274

Multiple vulnerabilities have been discovered in the request and trap handling in a number of SNMP implementations. The vulnerabilities are known to exist in the process of decoding and interpreting SNMP request and trap messages. Possible consequences include causing a denial of service condition and allowing attackers to compromise target systems. These depend on the individual vulnerabilities in each affected product. No result returned. Do we see this potential vulnerability whenever SNMP is detected? SNMP Agent Stopped Responding (QID 78040) The SNMP agent has consistently stopped responding to SNMP requests, or is responding with malformed packets. This is not an expected behavior, and is an indication of either an error in configuration or a bug in the implementation of the SNMP agent. This condition prevents us from completing vulnerability assessment for the SNMP service. However, the vulnerabilities already found and the information already gathered will be reported. Has this been resolved since the scan was run? Check the status of the SNMP agent and take corrective actions. Check the status of the SNMP agent and take corrective actions. View-based Access Control MIB SNMP Walk Read-Write Password Revealing Vulnerability (QID 78042) CVE-2004-1775, ios-snmp-community-vulns-pub , Bugtraq ID 5030 By executing a viewing of parameters through a configuration variable enumeration, known commonly as a "walk," an attacker may recover the read-write password from the View Access Control MIB (VACM). The problem involves the design of the VACM. Cisco IOS and CatOS are known to be vulnerable to this issue. Cisco IOS and CatOS are network firmware developed and maintained by Cisco. Successful exploitation of this issue could allow a user with read-only access to the VACM to gain readwrite access. Cisco has provided a detailed workaround procedure as well as fixes for this and other related vulnerabilities in the ios-snmp-community-vulns-pub security advisory (document ID 13629). This vulnerability is confirmed by detecting: SNMPv1 SNMPv2 network-operator network-operator network-operator network-operator

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 275

Source Port Pass Firewall Vulnerabilities


TCP Source Port Pass Firewall (QID 34000) The firewall policy lets TCP packets with a specific source port (20/tcp) to pass through. Make sure that all your filtering rules are correct and strict enough. If the firewall intends to deny TCP connections to a specific port, it should be configured to block all TCP SYN packets going to this port, regardless of the source port. For each of these hosts, the host responded 4 times to 4 TCP SYN probes sent to destination port 1027 using source port 20. However, it did not respond at all to 4 TCP SYN probes sent to the same destination port using a random source port. UDP Source Port Pass Firewall (QID 34020) The firewall policy allow UDP packets with a specific source port (for example, port 53) to pass through while it blocks UDP packets to the same destination ports but with a random source port. This weakness may allow a malicious remote user to bypass the firewall policy and reach UDP ports that are supposed to be protected by the firewall. Make sure that all your filtering rules are correct and strict enough. If they are not, change the firewall rules to filter these requests with a particular source port. Qualys provides a list of up to 16 destination ports that can be reached by the UDP probes with a source port of 53. The UDP destination ports responded with either an ICMP (port closed) or a UDP (port open), but they did not respond when a random source port was used. In a default scan only port 53 is used as the source port. It is possible that the firewall also allows UDP packets with other well-known ports as source ports to go through.

SSH Vulnerabilities
SSH Protocol Version 1 Supported (QID 38304) CVE-2001-1473 SSH1 protocol was deprecated due to multiple vulnerabilities and design flaws. Among multiple vulnerabilities that exist in SSH protocol Version 1 are: a CRC32 compensation attack detector vulnerability (buffer overflow) an unauthorized session key recovery problem

Multiple vendors' implementations are vulnerable due to the fact that these are protocol design errors. Version 2 of the SSH protocol fixed these errors. Please refer to the following URLs for more information: http://www.ciac.org/ciac/bulletins/m-017.shtml Page 276

Vulnerability Remediation Synopsis version 0.4Russ Klanke

http://www.kb.cert.org/vuls/id/684820

The consequences of vulnerabilities present in SSH Version 1 include: SSH protected traffic compromise root shell access to the system running SSH server

Disable SSH1 support. See your vendor's Web site for information on how to disable SSH protocol Version 1 support. Some references are provided below: SSH Communications Security F-Secure OpenSSH

Note: Do not enable SSH Version 1 Fallback since systems with upgraded versions of SSH and with Fallback Version 1 enabled are still vulnerable. For Cisco, see Cisco IOS Security Configuration Guide, Release 12.2, Configuring Secure Shell. "Secure Shell (SSH) is an application and a protocol that provide a secure replacement to the Berkeley r-tools. The protocol secures the sessions using standard cryptographic mechanisms, and the application can be used similarly to the Berkeley rexec and rsh tools. There are currently two versions of SSH available: SSH Version 1 and SSH Version 2. Only SSH Version 1 is implemented in the Cisco IOS software." See also Secure Shell Version 2 Support: "Prior to configuring SSH, ensure that the required image is loaded on your router. The SSH server requires you to have a k9 (Triple Data Encryption Standard [3DES]) software image from Cisco IOS Release 12.3(4)T, 12.2(25)S, or 12.3(7)JA downloaded on to your router." This vulnerability is confirmed by asking the server if it supports SSH1. SSH Weak Cipher Used (QID 38523) SSH is used to secure communication between a user and a server. If weak ciphers are used by SSH to protect the session data, it is possible for a third party to record the network traffic, mount an offline bruteforcing attack, recover the session key and from there recover the content of the whole SSH session. It is perhaps also possible to recover usernames, passwords and other sensitive information. Where possible SSH should be configured to not use weak ciphers, such as DES. A more secure alternative is available in most cases e.g. 3DES, AES. This vulnerability is confirmed by detecting DES with a 64 bit key length.

SSL Server Vulnerabilities


SSL Server Has SSLv2 Enabled Vulnerability (QID 38139) The Secure Socket Layer (SSL) protocol allows for secure communication between a client and a server.

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 277

There are known flaws in the SSLv2 protocol. A man-in-the-middle attacker can force the communication to a less secure level and then attempt to break the weak encryption. The attacker can also truncate encrypted messages. These flaws have been fixed in SSLv3 (or TLSv1). Most servers (including all popular Web servers, mail servers, etc.) and clients (including Web-clients like IE, Netscape Navigator and Mozilla and mail clients) support both SSLv2 and SSLv3. However, SSLv2 is enabled by default for backward compatibility. The following link provides more information about this vulnerability: Analysis of the SSL 3.0 Protocol An attacker can exploit this vulnerability to read secure communications or maliciously modify messages. Disable SSLv2. Weblogic 10.3 I dont think Weblogic 10.3 is supposed to support SSLv2. It supports SSLv3 and TLSv1 only (by design). My first impression was that this is a false positive. But reviewing what Qualys provided, it reports "Established SSLv2 connection using RC4-MD5 cipher." Checking further, there appears to be a bug. The pertinent announcement is "Critical Patch Update Availability for WebLogic Server Plug-ins" (https://support.oracle.com/CSP/main/article?cmd=show&amp;type=NOT&amp;doctype=REFE RENCE&amp;id=1263333.1) I dont have an Oracle account. A copy of the announcement has been made available at http://robin4444.blogspot.com/2011/02/vulnerability.html An interesting test: Check sslv2 using the command utility s_client -connect ip:port -ssl2 Specifically: s_client -connect 5.198.29.110:443 ssl2 This is consistent with the article (https://forums.oracle.com/forums/thread.jspa?threadID=1981712) wherein the person reported that Weblogic was establishing an SSLv2 connection over any available cipher (including None and RC4-MD5). It is not supposed to work that way. To determine the actual list of ciphers available: $ openssl ciphers -v http://www.openssl.org/docs/apps/ciphers.html#COMMAND_OPTIONS Apache/mod_ssl, httpd.conf or ssl.conf should have the following lines: Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 278

SSLProtocol -ALL +SSLv3 +TLSv1 SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM Apache/apache_ssl, httpd.conf or ssl.conf should have the following line: SSLNoV2 IIS: 187498 How to disable SSLv2 on IIS 245030 How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll

This vulnerability is confirmed by establishing an SSLV2 connection. SSL Server Supports Weak Encryption Vulnerability (QID 38140) The Secure Socket Layer (SSL) protocol allows for secure communication between a client and a server. SSL encryption ciphers are classified based on encryption key length as follows: HIGH - key length larger than 128 bits MEDIUM - key length equal to 128 bits LOW - key length smaller than 128 bits

Messages encrypted with LOW encryption ciphers are easy to decrypt. Commercial SSL servers should only support MEDIUM or HIGH strength ciphers to guarantee transaction security. The following link provides more information about this vulnerability: Analysis of the SSL 3.0 protocol The key-exchange algorithm rollback attack serves to illustrate the dangers of a flexible ciphersuite negotiation algorithm. In the worst case it is possible to end up with "least common denominator security", where SSL is only as secure as the weakest key exchange algorithm (or weakest ciphersuite) supported. Note: This detection only checks for weak cipher support at the SSL layer. Some servers may implement additional protection at the data layer. For example, some SSL servers and SSL proxies (such as SSL accelerators) allow cipher negotiation to complete but send back an error message and abort further communication on the secure channel. This vulnerability may not be exploitable for such configurations. An attacker can exploit this vulnerability to decrypt secure communications without authorization. Disable support for LOW encryption ciphers. To determine the actual list of ciphers available: $ openssl ciphers -v

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 279

http://www.openssl.org/docs/apps/ciphers.html#COMMAND_OPTIONS Apache Typically, for Apache/mod_ssl, httpd.conf or ssl.conf should have the following lines: SSLProtocol -ALL +SSLv3 +TLSv1 SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM For Apache/apache_ssl include the following line in the configuration file (httpsd.conf): SSLRequireCipher ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM Tomcat sslProtocol="SSLv3" ciphers="SSL_RSA_WITH_RC4_128_MD5,SSL_RSA_WITH_RC4_128_SHA,SSL_DHE_RSA_W ITH_3DES_EDE_CBC_SHA" IIS 245030 How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll 187498 How to disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0 in Internet Information Services Security Guidance for IIS

Dell Remote Access Controller (DRAC) DRAC 4 [pdf] DRAC 5 [pdf] DRAC 6 [pdf]

Dell Remote Access Controller (DRAC): CIPHER SSLv3 WEAK CIPHERS EDH-RSA-DES-CBC-SHA EXP-EDH-RSA-DES-CBC-SHA DES-CBC-SHA EXP-DES-CBC-SHA EXP-RC2-CBC-MD5 EXP-RC4-MD5 Red Hat Enterprise Linux AS 3: CIPHER KEYAUTHENTICATION MAC EXCHANGE DH DH(512) RSA RSA(512) RSA(512) RSA(512) RSA RSA RSA RSA RSA RSA SHA1 SHA1 SHA1 SHA1 MD5 MD5 ENCRYPTION GRADE (KEY-STRENGTH) DES(56) DES(40) DES(56) DES(40) RC2(40) RC4(40) LOW LOW LOW LOW LOW LOW

KEYAUTHENTICATION MAC EXCHANGE

ENCRYPTION (KEYSTRENGTH)

GRADE

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 280

SSLv3 WEAK CIPHERS EDH-RSA-DES-CBC-SHA DH RSA DES-CBC-SHA RSA RSA ADH-DES-CBC-SHA DH None TLSv1 WEAK CIPHERS EDH-RSA-DES-CBC-SHA DH RSA DES-CBC-SHA RSA RSA ADH-DES-CBC-SHA DH None This vulnerability is detected by enumerating ciphers.

SHA1 DES(56) SHA1 DES(56) SHA1 DES(56) SHA1 DES(56) SHA1 DES(56) SHA1 DES(56)

LOW LOW LOW LOW LOW LOW

SSL Server May Be Forced to Use Weak Encryption Vulnerability (QID 38141) The Secure Socket Layer (SSL) protocol allows for secure communication between a client and a server. SSL encryption ciphers are classified based on the encryption key length as follows: HIGH - key length larger than 128 bits MEDIUM - key length equal to 128 bits LOW - key length smaller than 128 bits

During the SSL handshake, the SSL client and the SSL server negotiate which cipher to use for the session. The SSL server chooses a cipher from a list proposed by the SSL client. The list is sorted by preference with the first cipher in the list being the most preferred. This vulnerability is reported when the list of ciphers submitted by the client has a mixture of LOW, MEDIUM and HIGH ciphers with a LOW grade cipher listed first, and the SSL server chooses to use the LOW grade cipher even though it supports at least one MEDIUM or HIGH grade cipher in the list. Messages encrypted with LOW encryption ciphers are easy to decrypt. Commercial SSL servers should only support MEDIUM or HIGH strength ciphers to guarantee transaction security. SSL servers support a LOW grade cipher even though the client supports stronger ciphers. An attacker can exploit this vulnerability to decrypt secure communications without authorization. Disable support for LOW encryption ciphers. To determine the actual list of ciphers available: $ openssl ciphers -v http://www.openssl.org/docs/apps/ciphers.html#COMMAND_OPTIONS Typically, for Apache/mod_ssl, httpd.conf or ssl.conf should have the following lines: SSLProtocol -ALL +SSLv3 +TLSv1 SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 281

If for some reason LOW grade cipher is needed, then using the SSLHonorCipherOrder directive will enforce the server's preference on cipher selection and will guarantee that weak ciphers will be used only if nothing else is available. IIS: 245030 How to Control the Ciphers for SSL and TLS on IIS

This vulnerability is confirmed by enumerating the supported ciphers. SSL Server Allows Anonymous Authentication Vulnerability (QID 38142) The Secure Socket Layer (SSL) protocol allows for secure communication between a client and a server. The client usually authenticates the server using an algorithm like RSA or DSS. Some SSL ciphers allow SSL communication without authentication. Most common Web browsers like Microsoft Internet Explorer, Netscape and Mozilla do not use anonymous authentication ciphers by default. A vulnerability exists in SSL communications when clients are allowed to connect using no authentication algorithm. SSL client-server communication may use several different types of authentication: RSA, Diffie-Hellman, DSS or none. When 'none' is used, the communications are vulnerable to a man-in-the-middle attack. An attacker can exploit this vulnerability to impersonate your server to clients. Disable support for anonymous authentication. To determine the actual list of ciphers available: $ openssl ciphers -v http://www.openssl.org/docs/apps/ciphers.html#COMMAND_OPTIONS Apache/mod_ssl, httpd.conf or ssl.conf should have the following lines: SSLProtocol -ALL +SSLv3 +TLSv1 SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM Apache/apache_ssl include the following line in the configuration file (httpsd.conf): SSLRequireCipher ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM IIS: 187498 How to disable PCT 1.0, SSL 2.0, SSL 3.0, or TLS 1.0 in Internet Information Services 245030 How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll 299520 How to Determine the Cipher Suite for the Server and Client 241447 How to restrict the use of certain ciphers in Internet Information Services 5.0 Page 282

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Wu-FTP: For Wu-FTP which supports TLS, the ciphers parameter in TLS configuration file should be set to -ALL +SSLv3 +TLSv1 For more details please consult the docs/HOWTO/ssl_and_tls_ftpd.HOWTO file provided by wu-ftpd distribution.

Additional reading: http://www.cisco.com/web/about/ac123/ac147/archived_issues/ipj_1-1/ssl.html http://httpd.apache.org/docs/2.0/mod/mod_ssl.htmlsslciphersuite http://www.megasecurity.org/Info/ssl_servers.html

This vulnerability is confirmed by enumerating the available ciphers. SSL Server Allows Cleartext Communication Vulnerability (QID 38143) The Secure Socket Layer (SSL) protocol allows for secure communication between a client and a server. The client-server communication is general encrypted using a symmetric cipher like RC2, RC4, DES or 3DES. However, some SSL ciphers allow communication without encryption. This vulnerability allows anyone who can sniff the traffic between the client and the server to see the communication. Note: This detection only checks for weak cipher support at the SSL layer. Some servers may implement additional protection at the data layer. For example, some SSL servers and SSL proxies (such as SSL accelerators) allow cipher negotiation to complete but send back an error message and abort further communication on the secure channel. This vulnerability may not be exploitable for such configurations. An attacker can exploit this vulnerability to read apparently secure communication. Disable ciphers which support cleartext communication. To determine the actual list of ciphers available: $ openssl ciphers -v http://www.openssl.org/docs/apps/ciphers.html#COMMAND_OPTIONS Apache/mod_ssl, httpd.conf or ssl.conf should have the following lines: SSLProtocol -ALL +SSLv3 +TLSv1 SSLCipherSuite ALL:!ADH:!aNULL:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM Apache/apache_ssl include the following line in the configuration file (httpsd.conf): SSLRequireCipher ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM IIS: 245030 How to Control the Ciphers for SSL and TLS on IIS Page 283

Vulnerability Remediation Synopsis version 0.4Russ Klanke

This vulnerability is confirmed by enumerating the available ciphers.

Squid Proxy Vulnerabilities


Squid Proxy SSLConnectTimeout Remote Denial of Service Vulnerability (QID 62048) CVE-2005-2796, Bugtraq ID 14731 Squid Proxy is a freely available, open-source, web proxy software package. It is designed for use on Unix and Linux platforms. A remote denial of service vulnerability affects the Squid Proxy. This issue is due to a failure of the application to properly handle exceptional network requests. This issue is due to improper handling of unspecified malformed requests in the "sslConnectTimeout()" function. During the handling of unspecified requests, Squid may attempt to access unallocated memory, causing a segmentation fault and a crash. A remote attacker may leverage this issue to crash the affected Squid Proxy, denying service to legitimate users. Install vendor update or upgrade to Squid-2.5.STABLE10 (or later). For Red Hat (CVE-2005-2796): Red Hat Enterprise Linux 2.1: RHSA-2005:766 squid-2.4.STABLE7-1.21as.10 (outdated by RHSA2008:0214 squid-2.4.STABLE7-1.21as.12)

This vulnerability is reported when Red Hat 2.4 is detected with: Package Installed version Required version squid 2.4.STABLE7-0.21as 2.4.STABLE7-1.21as.10 Squid Proxy Aborted Requests Remote Denial of Service Vulnerability (QID 62049) CVE-2005-2794, Bugtraq ID 14761 Squid Proxy is a freely-available, open-source, Web proxy software package. It is designed for use on Unix and Linux platforms. A remote denial of service vulnerability affects the Squid Proxy. This issue is due to a failure of the application to properly handle exceptional network requests. The problem affects the "storeBuffer()" function. The problem arises under certain circumstances while handling aborted requests. A remote user may leverage this issue to crash the affected Squid Proxy, denying service to legitimate users. Install vendor update or upgrade to Squid-2.5.STABLE10 (same as "Squid Proxy SSLConnectTimeout Remote Denial of Service Vulnerability (QID 62048)") (or later). For Red Hat, see "Squid Proxy SSLConnectTimeout Remote Denial of Service Vulnerability (QID 62048)." This vulnerability is reported when Red Hat 2.4 is detected with:

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 284

Package Installed version Required version squid 2.4.STABLE7-0.21as 2.4.STABLE7-1.21as.10 Squid Cache Update Denial of Service Vulnerability (QID 62056) Squid Advisory A vulnerability has been reported in Squid, which can be exploited by malicious people to cause a denial of service. The vulnerability is caused due to a boundary error within the processing of cache update replies and can be exploited to crash an affected server. Malicious users can exploit this vulnerability and cause denial of service. Install vendor update or upgrade Squid. Squid 2.x versions prior to 2.6.STABLE17 are vulnerable. This vulnerability is confirmed by detecting the installed version. Squid Proxy Header Parsing Remote Denial of Service (QID 62066) CVE-2009-2855, 2541, Bugtraq ID 36091 Squid Proxy is a freely available, open source, Web proxy software package. It is designed for use on Unix and Linux platforms. A vulnerability exists in Squid's parsing of authentication headers such that a delimiter other than a comma could cause an infinite loop and consume all CPU cycles. (CVE-2009-2855) A successful exploit would result in a denial of service for Squid-proxied content. Affected Versions:

statd
statd and automountd RPC Service Remote Command Execution Vulnerability (QID 66011) CVE-1999-0493, HPSBUX9910-104, Bugtraq ID 450 The "statd" service is a common RPC service used as a Network status monitor. This service is not vulnerable in itself, but it can be used to relay requests to the "automount" program, which contains a vulnerability that enables unauthorized users to execute commands with Administrator privileges. Unauthorized users can exploit this vulnerability from a remote system and gain Administrator privileges on this host. Such attacks require specific attack programs, which are freely available on the Internet. Moreover, some attack scanners integrate this vulnerability. Unauthorized users can probably penetrate this host or crash the service quickly and repeatedly. Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 285

Affected Versions: Solaris 2.3 to 2.6 (with default installations) Linux RedHat Versions 5.2 and 6.0 (the RPC service is not a default installation) HP-UX releases 10.20 and 11.00

Statd Format Bug Vulnerability (QID 66040) CVE-2000-0666, CVE-2000-0800, RHSA-2000-043, Bugtraq ID 1480 The rpc.statd program, which is part of the nfs-utils packages, is distributed with a number of popular Linux distributions. The rpc.statd server is an RPC server that implements the Network Status and Monitor RPC protocol. It's a component of the Network File System (NFS) architecture. rpc.statd contains a format string vulnerability when calling the syslog() function. This vulnerability allows remote users to execute code as root. The logging code in rpc.statd uses the syslog() function to pass user-supplied data as the format string. A malicious user can construct a format string that injects executable code into the process address space and overwrites a function's return address, forcing the program to execute the code. rpc.statd requires root privileges for opening it's network socket, but fails to drop these privileges later on. Therefore, code injected by the malicious user will execute with root privileges. Debian, Red Hat and Connectiva have all released advisories on this matter. Presumably, any Linux distribution that runs the statd process is vulnerable, unless already patched for the problem. If successfully exploited, unauthorized users can execute remote commands as root. Install vendor update or upgrade to nfs-utils 0.1.9.1 (or later). Red Hat (CVE-2000-0666, CVE-2000-0800): Note: Qualys does not report the version of nfs-utils found. nfs-utils 0.1.9.1 or later may be installed. Contact vendor for patch (CVE-2000-0666, CVE-2000-0800).

Sudo Vulnerabilities
Sudo is a widely used Linux/Unix utility that allows users to securely run commands as the superuser or other users. Sudo Python Environment Variable Handling Security Bypass Vulnerability (QID 115313) CVE-2006-0151, Sudo, Bugtraq ID 16184 Sudo is prone to a security bypass vulnerability that could lead to arbitrary code execution. This issue is due to an error in the application when handling the "PYTHONINSPECT" environment variable.

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 286

A local attacker with the ability to run Python scripts can exploit this vulnerability to gain access to an interactive Python prompt. Attackers may then execute arbitrary code with elevated privileges, facilitating the complete compromise of affected computers. An attacker must have the ability to run Python scripts through Sudo to exploit this vulnerability. Sudo Perl Environment Variable Handling Security Bypass Vulnerability (QID 115314) CVE-2005-4158, Sudo, Bugtraq ID 15394 Sudo is prone to a security bypass vulnerability that could lead to arbitrary code execution. This issue is due to an error in the application when handling the "PERLLIB", "PERL5LIB" and "PERL5OPT" environment variables when tainting is ignored (-T flag). A local attacker with the ability to run Perl scripts can exploit this vulnerability to bypass the "PERLLIB" and "PERL5LIB" restrictions and specify arbitrary library files to be included and executed through manipulation of the "PERL5OPT" variable. An attacker must have the ability to run Perl scripts through Sudo to exploit this vulnerability.

Sun Java Web Console Vulnerabilities


Sun Java Web Console is a Web application which is used to administer Web-based Sun system management applications. To determine the version of Sun Java Web Console installed on a system, use either of the following measures: From the Web Console Login or Launch page, click the version link in the top left corner of the page. Run the command "smcwebserver -V".

Sun Java Web Console Remote Information Disclosure Vulnerability (QID 86830) CVE-2008-1286, Sun Alert ID 231526 (1018987.1), Bugtraq ID 28155 Sun Java Web Console is a Web application which is used to administer Web-based Sun system management applications. The application is prone to an information disclosure vulnerability that is caused due to an unspecified error in the Java Web Console. This issue allows a local or remote unprivileged user to determine whether files or directories exist access restricted directories on the target system. (CVE-2008-1286) If this vulnerability is successfully exploited, an attacker can read sensitive information in access restricted directories. Affected Versions:

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 287

Sun Java Web Console Versions 3.0.2, 3.0.3, and 3.0.4.

Install vendor update for CVE-2008-1286 or upgrade Sun Java Web Console. Sun Java Web Console May Allow Unauthorized Redirection (QID 86843) CVE-2008-5550, Sun Alert ID 243786 (1019686.1) Sun Java Web Console is a Web application which is used to administer Web-based Sun system management applications. The application is prone to an open redirect vulnerability in "console/faces/jsp/login/BeginLogin.jsp". This can be exploited using the "redirect_url" parameter in a specially-crafted URL to redirect a legitinate authenticated user to arbitrary Web sites. (CVE-2008-5550) Successful exploitation of this vulnerability allows a local or remote unprivileged user to redirect a properly authenticated user to arbitrary Web sites and conduct phishing attacks. Affected Versions: Sun Java Web Console Versions 3.0.2 through 3.0.5.

Install vendor update for CVE-2008-5550 or upgrade Sun Java Web Console. Sun Java Web Console helpwindow.jsp Cross-Site Scripting (XSS) (QID 86844) CVE-2009-2283, Advisory 1-66-262428-1 The application is prone to a cross-site scripting vulnerability due to an error in the "helpwindow.jsp" file. An attacker could exploit this issue to perform cross-site scripting attacks on unsuspecting users in the context of the affected application. This could allow an attacker to steal cookie-based authentication credentials, which could be used to launch other attacks. Affected Versions: SPARC Platform o Sun Java Web Console 3.0.2 (for Solaris 8) without patch 136987-03 o Sun Java Web Console 3.0.2, 3.0.3, 3.0.4, 3.0.5 (for Solaris 9) without patch 125950-19 o Solaris 10 without patch 125952-19 x86 Platform o Sun Java Web Console 3.0.2 (for Solaris 8) without patch 136986-03 o Sun Java Web Console 3.0.2, 3.0.3, 3.0.4, 3.0.5 (for Solaris 9) without patch 125951-19 o Solaris 10 without patch 125953-19 Linux o Sun Java Web Console 3.0.2, 3.0.3, 3.0.4, 3.0.5 without patch 125954-19 Windows o Sun Java Web Console 3.0.2, 3.0.3, 3.0.4, 3.0.5 bundled with JES without patch 12595519 Page 288

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Sun Java Web Console 3.0.2, 3.0.3, 3.0.4, 3.0.5 unbundled from JES without patch 127534-19

Install Sun Solaris patch indicated above. Advisory 1-66-262428-1 This vulnerability is confirmed by exploiting the vulnerability (with the XSS detection caveat "Regarding Cross-Site Scripting Vulnerability Detection"). URLs like these would run a script on the client machine: http://ipaddress/console/faces/com_sun_web_ui/help/helpwindow.jsp?helpFile=%22%20onloa d=%22alert('qualysxss');%22%3E&jspPath=/console/faces/com_sun_web_ui/help/&mastheadD escription=console&mastheadUrl=/com_sun_web_ui/images/SecondaryProductName.png&pag eTitle=Help&windowTitle=Help+-+Sun+Java(TM)+Web+Console Note: Qualys reports that no vendor patch is available at this time, and offers no CVE to track. The CVE is CVE-2009-2283. The patch is Sun Solaris patch 136987-03. This suggests that once the vulnerability is added to the database, Qualys does not review their recommendations for updates. In fact, mitigation measures suggested by the database will become obsolete. Sun Java Web Console navigator.jsp Cross-Site Scripting (XSS) (QID 86845) and Sun Java Web Console masthead.jsp Cross-Site Scripting (QID 86848) Patch-ID# 125952-20 Sun Java Web Console is prone to a cross-site scripting vulnerability due to an error in the "navigator.jsp" file and in the "masthead.jsp" file. An attacker could exploit these issues to perform cross-site scripting attacks on unsuspecting users in the context of the affected application. This could allow an attacker to steal cookie-based authentication credentials, which could be used to launch other attacks. Patch-ID# 125952-20 (May 14, 2010) announced a patch for Oracle Java Web Console 3.1 on Solaris SPARC as 136987, 125950, 125952, for Solaris x86 as 136986, 125951, 125953, for RHEL3.0, RHEL4.0 as 125954, for Windows Unbundled as 127534, Windows bundled with JES as 125955. This vulnerability is confirmed by exploiting the vulnerability (with the XSS detection caveat "Regarding Cross-Site Scripting Vulnerability Detection"). URLs like these would run a script on the client machine: http://ipaddress/console/cchelp2/Navigator?appName=<script>alert('qualysxss')</script>&first Load=true&helpFile=&pathPrefix=&windowTitle=Help+-+Sun+Java(TM)+Web+Console http://ipaddress/console/faces/com_sun_web_ui/help/masthead.jsp?closeButton=true&masth eadDescription=console&mastheadHeight=&mastheadUrl=/com_sun_web_ui/images/Secondar yProductName.png&mastheadWidth=&pageTitle=%22><script>alert(qualysxss)</script> Note: Qualys does not refer to the patch.

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 289

Sun Solaris Vulnerabilities


Sun Solaris FTPd glob() Expansion LIST Heap Overflow Vulnerability (QID 27068) CVE-2001-0249, Bugtraq ID 2550 A buffer overflow occurs when the LIST command is issued with an argument that expands into an oversized string after being processed by glob() functions. When processing user input, the FTP daemon uses 'glob()' functions to expand wildcards and metacharacters in file paths, just as shells do. A good example of this is use of the tilde (~) character. The glob() function replaces this character in the file path with the path to the user's home directory. The output, an expanded path, is then used by the FTP daemon to construct a command string for the execution of '/bin/ls'. If the source string is too long, then a buffer overflow condition occurs when constructing the command string. This buffer overflow occurs in memory that is dynamically allocated. It may be possible for attackers to exploit this vulnerability and execute arbitrary code on the affected host. This could be accomplished by overwriting pointers in neighboring malloc headers. If exploited successfully, malloc could be tricked into writing arbitrary values to attacker-supplied locations in memory when free() is called on the targeted chunk. By overwriting something, such as a PLT entry or function return address on the stack, an attacker may be able to execute arbitrary code. To exploit this, the attacker must be able to create directories on the target host. In most cases, this limits exploitability to local users. On systems where anonymous FTP users can write to a directory, such as 'incoming/', remote exploitation may be a threat. The Solaris FTP daemon contains a heap-based buffer overflow condition. If successfully exploited, an attacker may be able to execute arbitrary code on the affected host. Note: Qualys does not confirm that unauthenticated FTP access is available. Solaris 10 and Solaris 11 (SolarisExpress) Remote Access Telnet Daemon Flaw (QID 38574) CVE-2007-0882, Sun Alert ID 102802, Bugtraq ID 22512 Solaris 10 and 11 hosts are vulnerable to a telnet daemon flaw. The telnet daemon passes switches directly to the login process which looks for a switch that allows root to login to any account without a password. If your telnet daemon is running as root it allows unauthenticated remote logins. Telnet poses a risk because data transferred between clients may not be encrypted. Telnet is also a frequent target for port scanners. An attacker can login with any account without a password.

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 290

Note: Qualys reports telnet on Solaris, but does not indicate if a patched version was installed. Note: Qualys will often report that the operating system could not be determined and then report the operating system when this vulnerability is reported. For example, ". ToolTalk Buffer Overflow Vulnerability (QID 66004) CVE-1999-0003, CA-1999-11, Sun Security Bulletin #00192, Bugtraq ID 122 The "ttdbserver" RPC service seems vulnerable to a buffer overflow attack. See CERT Advisory CA-199911. This vulnerability is often due to a default installation of the Operating System. If successfully exploited, unauthorized remote users can gain Administrator privileges on this host. Such attacks require specific attack programs, which are freely available on the Internet. The following platforms are often vulnerable: Silicon Graphics running IRIX Versions 5.3, 5.4, 6.2, 6.3 and 6.4 Hewlett Packard running HP-UX Versions 10.10, 10.20, 10.30 and 11.00 Sun Microsystems running Solaris Versions 2.6, 2.6_x86, 2.5.1, 2.5.1_x86, 2.5, 2.5_x86, 5.4, 5.4_x86, 2.3 and Sun OS Versions 4.1 and 4.1.3_U1 IBM running AIX Versions 4.1.X, 4.2.X and 4.3.X

Qualys reports results like: TCP Port 32771 TCP Port 32775 TCP Port 49157

Qualys may detect the operating system as: SNMPv3 agent from SNMP Research, Inc. SunOS NSHHIS001 5.10 Generic 118833-36 sun4v HP-UX 11

For Solaris: Please see Sun Security Bulletin #00192: CDE and OpenWindows

For HP-UX: HP-9000 Series 700/800 HP-UX releases 10.X and 11.0 systems with CDE patches previously recommended in HP Security Bulletins are not vulnerable to vulnerabilities #2, #3, and #4. All HP-UX 10.X and 11.0 systems running CDE are vulnerable to vulnerability #1. Patches are in progress.

ypupdated RPC Daemon Remote Command Execution Vulnerability (QID 66015) CA-1995-17 Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 291

The RPC ypupdated daemon is a service used to modify NIS (Network Information Service) information from network-based clients using various authentication methods. Clients are able to modify NIS databases following valid authentication with rpc.ypupdated using Secure RPC. Even after an unsuccessful attempt, the rpc.ypupdated services execute the "make" command on the server. However, since the RPC ypupdated service does not perform a sanity check on arguments before executing this command, it's possible to execute arbitrary commands. If successfully exploited, unauthorized users can execute commands on the NIS master and slave servers from a remote system with privileges of the rpc.ypuypdated service (usually Administrator). Vulnerable platforms include: SunOS Version 4.1.x Irix Versions 3.x, 4.x, 5.0.x, 5.1.x and 5.2 (The RPC ypupdated daemon is not enabled by default on Irix Versions 5.3, 6.0.x and 6.1.) HP-UX Versions 10.01, 10.10 and 10.20 AIX Versions 3.2 and 4.1

Note: Qualys does not include the Cert vulnerability reference. cmsd RPC Daemon Over TCP Might Indicate a Break-in (QID 66037) CVE-1999-0696, CVE-1999-0320, Bugtraq 428 The "cmsd" RPC service is used for managing the calendar and schedule. It contains a widely exploited vulnerability that enables unauthorized users to gain access to servers. By default, "cmsd" listens on the UDP port, and rarely on the TCP port. Unauthorized users can force the "cmsd" service to bind to a TCP port by exploiting the "cmsd" buffer overflow. Then, they can try to exploit the RPC service listening on the TCP port to obtain a shell. Whether they obtain access or not, a new "cmsd" daemon will be listening on a TCP port (this new entry is registered in the portmapper list). If the "cmsd" RPC daemon is listening on a TCP port, then this could indicate that an unauthorized user attempted to exploit the buffer overflow vulnerability. If the attack was successful, then your system may have a trojan installed. If this service is not used, shut down the Calendar service of "cmsd". Otherwise, download a patch provided by your vendor (http://www.sun.com). You should verify that the host was not compromised. Note: Qualys reports a TCP port (such as 34730, 34953, 42532, 57458, 58308, 59560). Does Qualys detect the cmsd service? Sun Solaris snmpXdmid Buffer Overflow Vulnerability (QID 66049) CVE-2001-0236, Bugtraq ID 2417

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 292

Sun Microsystem's Solaris operating environment Versions 2.6, 7, and 8 ship with a service called 'snmpXdmid'. SNMP and DMI are commonly used remote network and system management protocols. They allow administrators to view and set the properties of network devices and hosts in a standardized manner. To bridge between the two different protocols, Sun Solaris ships with a daemon called 'snmpXdmid', the SNMP to DMI mapping daemon. This service is responsible for receiving DMI requests and translating them to SNMP and vice-versa. During its operation, snmpXdmid registers itself with RPC service 1000249, 'dmid'. Any received DMI events, or 'indications', are translated by snmpXdmid into SNMP traps. When a specific 'malformed' indication is received by the dmid service, a buffer overflow condition can be triggered. The specific details about how the 'indication' is malformed are not known at this time. The overflow occurs after snmpXdmid receives the indication and is translating it into an SNMP trap. It is likely that the overflow is stack-based and involves parts or all of a stack frame being overwritten with attacker-supplied data (from within the DMI request). Note: There are at least three exploits in active use on the Internet. It is likely possible to exploit this buffer overflow in a typical stack-overflow manner and execute arbitrary code on the target server. Since the service is initiated by root, any code executed by an attacker would run with super-user privileges. Qualys does not detect if the patch http://www.securityfocus.com/bid/2417/solution is installed. Sun Solaris RWall Daemon Syslog Format String Vulnerability (QID 66052) CVE-2002-0573, Bugtraq ID 4639 Solaris is the freely available, UNIX derivative operating system developed and distributed by Sun Microsystems. A problem with Solaris could allow a remote user to gain local access and elevated privileges. The problem is with the rwall daemon. The rwall daemon is a remote "wall" facility, designed to send system broadcast messages. It works by passing requests from system to system via RPC, and handling the starting of the rwall daemon with inetd. It should be noted that this vulnerability requires the functioning of inetd, as well as that of rwalld. Systems that have disabled rwalld from the inetd configuration, or have disabled inetd altogether, are not vulnerable to this issue. By exploiting this vulnerability, it's possible to execute arbitrary code on vulnerable systems. When malicious format strings are sent from one system to another, an insecure syslog call may make it possible for a remote attacker to exploit the call to execute arbitrary code. Additionally, the code may be executed as root. Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 293

"rwall" is a service that enables one single user to broadcast a message to all users of a Unix host. Determine if the rwall service is what is listening on the detected port. If the service is not required, disable it. (See also RWALL Spoofing (QID 66017).) Determine if the patch (see PDF) is installed. Install, if missing. Qualys does not detect if the patch (SunOS 8.0 - 112846-01, or SunOS 8.0_x86 - 112847-01) is installed. RWall Spoofing (QID 66017) "rwall" is a service that enables one single user to broadcast a message to all users of a Unix host. This service can be used to impersonate a user and compromise the security of the host running this service. The vulnerability is caused by poor user authentication. Rwall can be used in some situations (notably on SunOS) to directly write data to any file on the system. "rwall" is a service that enables one single user to broadcast a message to all users of a Unix host. Determine if the rwall service is what is listening on the detected port. If the service is not required, disable it. Sun Solaris Tooltalk Database Server Multiple Vulnerabilities (QID 68510) CVE-2002-0678, CVE-2002-0677, Sun Alert ID 46022, Bugtraq ID 5598, 5082, 5083 Multiple Vulnerabilities have been discovered in the in the Common Desktop Environment (CDE) ToolTalk RPC database server (rpc.ttdbserverd) for Solaris operating system. A local or remote user may be able to delete arbitrary files, cause a denial of service, or possibly execute arbitrary code or commands with root privileges. Sun Solaris RPC AUTH_DES Privilege Escalation Vulnerability (QID 68514) CVE-2002-1584, Bugtraq ID 6484 Sun has reported a privilege escalation vulnerability for some versions of Solaris. The vulnerability occurs when certain RPC requests are made. Specifically, the vulnerability exists for some RPC requests that involve AUTH_DES authentication. This vulnerability can be exploited by local or remote attackers to obtain access to systems with elevated privileges. In some cases, it is possible for attackers to obtain root privileges. This vulnerability is reported to affect Sun Solaris Versions 2.5.1 to 7. This issue is addressed in the following releases: SPARC Intel Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 294 Solaris 2.5.1 with patch 103640-41 or later Solaris 2.6 with patches 105401-38 and 105564-05 or later Solaris 7 with patch 106942-21 or later

Solaris 2.5.1 with patch 103641-41 or later Solaris 2.6 with patches 105402-38 and 105565-05 or later Solaris 7 with patch 106943-21 or later

Note: Qualys will often report that the operating system could not be determined and then report the operating system when this vulnerability is reported. For example, "Detected service rpc and os SOLARIS 7-10". Sun Solaris mibiisa Remote Buffer Overflow Vulnerability (QID 78038) CVE-2002-0797, Bugtraq ID 4933 The Solstice Enterprise Management subsystem includes an SNMP agent called mibiisa. Incoming SNMP messages appropriate for the agent based on system configuration are relayed by snmpdx to mibiisa. A buffer overflow vulnerability has been identified in mibiisa. The vulnerability is due to an unsafe memory copy operation. Packet fields of excessive length relayed to mibiisa may corrupt the process stack. An attacker may craft a request to overwrite the return address of the affected stack frame with an arbitrary value. This vulnerability may be exploited by local or remote attackers to execute instructions on the target host with root privileges. Successful compromise may result in attackers gaining complete control over the affected host. Disable the mibiisa service or install patch. The SMA (Systems Management Agent) is the default SNMP agent in Solaris. MIB-II subagent mibiisa does not run by default. Sun Solaris rpc.ypupdated May Allow Execution of Arbitrary Code Vulnerability (QID 116076) Sun Alert ID 238365, Oracle ID 1019305.1 A security vulnerability exists in the rpc.ypupdated(1M) daemon, when configured to run in the insecure mode via the "-i" option. Successful exploitation may allow local or remote unprivileged users to execute arbitrary code with root privileges. The vulnerability is reported in Sun Solaris 8, 9, 10 for both the SPARC and x86 platforms. Sun has released patches to address this issue. Refer to Oracle ID 1019305.1 for patch details. This vulnerability is confirmed by "SUNWypu is installed 139481-01 is missing." Sun Solaris SSH May Expose Some Plain Text from Encrypted Traffic (QID 116250) CVE-2008-5161, Sun Alert ID 247186, Oracle ID 1019833.1 The Secure Shell (SSH) is a network protocol that creates a secure channel between two networked devices in order to allow data to be exchanged. The secure channel can be created using Cipher Block Chaining (CBC) mode encryption. Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 295

A security vulnerability exists in Solaris Secure Shell (SSH) software when used with CBC-mode ciphers and SSH protocol Version 2. This can be exploited by a remote unprivileged user to gain access to some of the plain text information from intercepted SSH network traffic which would otherwise be encrypted. If this vulnerability is successfully exploited, it allows a remote attacker to recover up to 32 bits of plaintext from an arbitrary block of ciphertext from a connection secured using the SSH protocol in the standard configuration. OpenSolaris and Sun Solaris 9, 10 for the SPARC and x86 platforms that have SSH software using CBC mode cipher to encrypt the traffic are vulnerable. Solaris 8 does not include the SSH software and is not impacted by this issue. Workaround: Disable the use of CBC mode ciphers since the issue only occurs when CBC mode ciphers are used. SSH can be done using Counter (CTR) mode encryption. This mode generates the keystream by encrypting successive values of a "counter" function. A final resolution is pending completion for Solaris 9. Updates to fix this issue are available for Solaris 10 and OpenSolaris. Refer to Oracle ID 1019833.1 to obtain patch details. This vulnerability is confirmed by "SUNWsshcu is installed 140774-02 is missing." Solaris NFSv4 Server Kernel Module Denial of Service Vulnerability (QID 116272) CVE-2009-0870, Sun Alert ID 252469, Oracle ID 1020111.1 A denial of service vulnerability exists in the NFSv4 Server kernel module that is caused due to an error in the module's "rfs4_op_readdir()" function. This issue can be exploited to cause the server to enter an infinite loop and hang if the "hsfs(7FS)" file system (CD-ROM, DVD media) is being shared on the server. If this vulnerability is successfully exploited, it will allow local unprivileged users to crash the affected NFSv4 server, denying access to legitimate users. OpenSolaris and Sun Solaris 10 for the SPARC and x86 platforms are vulnerable. Workaround: If the hsfs(7FS) file system is shared, the NFS server system can be configured not to use NFSv4 by setting "NFS_SERVER_VERSMAX=3" in "/etc/default/nfs". Sun has released patches to address this issue. Refer to Oracle ID 1020111.1 to obtain patch details. This vulnerability is confirmed by "SUNWnfsskr is installed 139462-02 is missing." Sun Solaris "keysock" Kernel Module Local Denial of Service Vulnerability (QID 116303) CVE-2009-0913, Sun Alert ID 253568, Oracle ID 1020172.1 A vulnerability exists in the Solaris "keysock" kernel module. The issue is caused due to an unspecified error within the "keysock_get_opt()" function of the module. This issue can be exploited to cause a system panic via unknown vectors related to PF_KEY socket, probably related to setting socket options. Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 296

Successful exploitation requires privileges to create PF_KEY sockets. Successful exploitation may allow local users with sufficient privileges to create PF_KEY sockets to be able to cause a system panic thereby resulting in a denial of service to the system as a whole. The vulnerability is reported in OpenSolaris snv_01 through snv_108 and Sun Solaris 10 for both the SPARC and x86 platforms. Sun has released patches to address this issue. Refer to Oracle ID 1020172.1 to obtain patch details. This vulnerability is confirmed by "SUNWckr is installed 141008-01 is missing." Sun Solaris Crypto Pseudo Device Driver Denial of Service Vulnerability (QID 116304) CVE-2009-0838, Sun Alert ID 254088, Oracle ID 1020200.1 The Solaris crypto pseudo device driver is used for kernel-level cryptographic mechanisms. A denial of service vulnerability exists due to an unspecified error related to the "vmem_hash_delete()" function in the Solaris crypto pseudo device driver. The device driver does not properly free memory allowing local unprivileged users to cause a kernel panic via unspecified vectors. Successful exploitation may allow a local unprivileged user to panic the system causing a denial of service. The vulnerability is reported in OpenSolaris snv_88 through snv_102 and Sun Solaris 10 for both the SPARC and x86 platforms. Sun has released patches to address this issue. Refer to Oracle ID 1020200.1 to address this issue and obtain patch details. This vulnerability is confirmed by "SUNWckr is installed 139498-04 is missing." Sun Solaris dircmp Shell Script File Overwriting Vulnerability (QID 116340) CVE-2009-1207, Sun Alert ID 253468, Oracle ID 1020168.1 The "dircmp" command examines directories and generates various tabulated information about the contents of the directories. A race condition security vulnerability exists in the Solaris "/usr/bin/dircmp" command which can be exploited by malicious, local users to overwrite or create arbitrary files on the target system with the privileges of the user calling dircmp.

If this vulnerability is successfully exploited, it allows local users to overwrite arbitrary files by gaining privileges of the user calling the dircmp shell script and conduct privilege escalation attacks. OpenSolaris and Sun Solaris Versions 8, 9, 10 for the SPARC and x86 platforms are vulnerable. Sun has released patches to address this issue. Refer to Oracle ID 1020168.1 to obtain patch details. Patch 116340. Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 297

This vulnerability is confirmed by "SUNWesu is installed 141014-01 is missing." Sun Solaris IPv6 Implementation Denial of Service Vulnerability (QID 116366) CVE-2009-0304, Sun Alert ID 251006, Oracle ID 1020022.1 A denial of service vulnerability exists in the Solaris IPv6 implementation due to a kernel error which results from insufficient validation when processing IPv6 packets. Remote attackers can exploit this flaw via a crafted IPv6 packet to panic a vulnerable system and causing a crash. Successful exploitation may allow a remote privileged user to panic the system using a crafted packet resulting in a denial of service condition. OpenSolaris builds snv_01 through snv_107 and Solaris 10 for the SPARC and x86 platforms are vulnerable. Workaround: Block malformed packets by using Solaris IP Filter (ipfilter) with the following rule: block in quick all with short Workaround: If an IPv6 interface is configured but not being used, disable the IPv6 interface to prevent this issue from occurring. To disable all IPv6 interfaces on a system, run the following command as root: ifconfig -a6 down Sun has released patches to address this issue. Refer to Oracle ID 1020022.1 to obtain patch details. This vulnerability is confirmed by "FJSVhea is installed 138888-08 is missing." Solaris IKE Packet Handling may Lead to a Crash of in.iked Vulnerability (QID 116404) CVE-2009-0267, Sun Alert ID 247406, Oracle ID 1019843.1, Bugtraq ID 33407 "libike" is a library for managing Internet Key Exchange (IKE) negotiations. The "in.iked" daemon performs automated key management for IPsec using the Internet Key Exchange (IKE) protocol. A denial of service vulnerability exists due to improper IKE packet handling in the "libike" library. By sending a specially-crafted IKE packet, a remote attacker could cause the "in.iked" daemon to crash.

Successful exploitation may allow a remote unprivileged user to crash the in.iked daemon. Solaris Versions 9, 10 and Opensolaris based upon build snv_01 through snv_99 for the SPARC and x86 platforms are vulnerable to this issue. Sun has released updates to address this issue. Refer to Oracle ID 1019843.1 for patch details. This vulnerability is confirmed by "SUNWcsl is installed 140196-01 is missing."

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 298

Sun Solaris GSS-API Library Code Execution Vulnerability (QID 116432) CVE-2006-6144, Sun Alert ID 201294, Oracle ID 1000976.1 A security vulnerability exists in third-party applications which utilize GSS-API and link to the Generic Security Services library libgss (3LIB). An error in the "mechglue" abstraction interface of the GSS-API library for Kerberos causes mechglue to free uninitialized pointers allowing remote attackers to cause a denial of service.

Successful exploitation may allow a local or remote unauthenticated user the ability to execute arbitrary code with the privileges of the application. Updates to resolve this vulnerability are available for Solaris 8 and 9. Sun has released updates to address this issue. Refer to Oracle ID 1000976.1 for patch details. This vulnerability is confirmed by "SUNWgss is installed 141719-01 is missing." Sun Solaris libpng Multiple Vulnerabilities (QID 116448) CVE-2007-5267, CVE-2008-3964, CVE-2007-5266, CVE-2007-5268, CVE-2007-5269, CVE-2008-1382, CVE2009-0040, Sun Alert ID 259989, Oracle ID 1020521.1 libpng is a library for reading and writing PNG files. libpng is prone to multiple vulnerabilities: A denial of service vulnerability exists due to an off-by-one error within the ICC profile chunk handling in the "png_set_iCCP" function in "pngset.c". This can be exploited to cause an application using the library to crash via a crafted PNG image. (CVE-2007-5266, CVE-2007-5267) Multiple issues are caused by off-by-one overflow errors in the "png_convert_to_rfc1123()" and "png_push_read_zTXt()" functions, which could allow attackers to crash an affected application. (CVE-2008-3964) Multiple errors exist within libpng, including a logical NOT instead of a bitwise NOT in "pngtrtran.c", an error in the 16bit cheap transparency extension, and an incorrect use of sizeof(). These can be exploited to crash an application using the library. (CVE-2007-5268) Certain chunk handlers allow attackers to cause a denial of service (crash) via crafted pCAL, sCAL, tEXt, iTXt, and ztXT chunking in PNG images, which trigger out-of-bounds read operations. (CVE-2007-5269) libpng allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via a PNG file with zero length "unknown" chunks, which trigger an access of uninitialized memory. (CVE-2008-1382) libpng allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PNG file that triggers a free of an uninitialized pointer in the "png_read_png" function, "pCAL" chunk handling, or setup of 16-bit gamma tables. (CVE-2009-0040) Page 299

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Successful exploitation may allow a local or remote unprivileged user to cause a denial of service of applications linked to libpng or potentially to execute arbitrary code with the privileges of the user running the application, when a user has loaded a specially crafted .png format file supplied by an untrusted user. OpenSolaris and Solaris 8, 9 and 10 for SPARC as well as x86 platforms are affected. A final resolution is pending completion for Solaris 8. Sun has released patches to address this issue for Solaris 9, 10 and OpenSolaris. Refer to Oracle ID 1020521.1 for patch details. Patch 137080-06. This vulnerability is confirmed by "SUNWpng is installed 137080-03 is missing." Solaris DTrace Handlers Denial of Service Vulnerability (QID 116454) CVE-2009-3720, Sun Alert ID 257708, Bugtraq ID 36169 DTrace is a dynamic tracing facility that is built into Solaris. It can be used to examine the behavior of user programs and the operating system. A denial of service vulnerability is caused due to multiple errors in the DTrace ioctl handlers. This flaw can be exploited by local users to trigger a system panic.

Successful exploitation may allow a local unprivileged user to cause a system panic, thereby leading to a denial of service. OpenSolaris based upon builds snv_01 through snv_113 and Solaris 10 are vulnerable to this issue. Workaround: Preventing unprivileged users from accessing the vulnerable devices. This can done by running the following commands as the "root" user: chmod o-rw /dev/dtrace/helper chmod o-rw /dev/dtrace/provider/fasttrap Sun has released patches to address this issue. Refer to Oracle ID 1020403.1 for patch details. This vulnerability is confirmed by "SUNWdtrp is installed 141765-01 is missing." Sun Solaris Security Vulnerability in GnuTLS Library Certificate Chain Validation (QID 116460) CVE-2008-4989, Sun Alert ID 260528, Oracle ID 1020547.1 The GnuTLS library provides support for cryptographic algorithms and for protocols such as Transport Layer Security (TLS). A security bypass vulnerability exists in GnuTLS which is caused due to an error in X.509 certificate chain validation if a self-signed certificate is configured as a trusted certificate.

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 300

A malicious server could use this flaw to spoof its identity by tricking client applications using the GnuTLS library to trust certificate chains in which the last certificate is an arbitrary trusted, self-signed certificate. Successful exploitation may allow a remote unprivileged user to carry out man-in-the-middle type of attacks using forged serer certificates. OpenSolaris and Solaris 10 are vulnerable to this issue. Sun has released patches to address this issue. Refer to Oracle ID 1020547.1 to obtain patch details. This vulnerability is confirmed by "SUNWgnutls is installed 123938-02 is missing." Sun Solaris Ghostscript Multiple Vulnerabilities (QID 116480) CVE-2007-6725, CVE-2008-6679, CVE-2009-0196, CVE-2009-0583, CVE-2009-0584, CVE-2009-0792, Sun Alert ID 262288, Oracle ID 1020647.1 Ghostscript is a suite of software based on an interpreter for Adobe Systems' PostScript and Portable Document Format (PDF) page description languages. The following security vulnerabilities exist in Ghostscript bundled with Solaris 9 and 10: A buffer underflow vulnerability exists in the "cf_decode_2d" function of the CCITTFax decoding filter in Ghostscript. This flaw can be exploited to cause a crash or possibly execute arbitrary code via a crafted PDF file that would trigger the underflow. (CVE-2007-6725) A buffer overflow vulnerability in the "BaseFont writer" module in Ghostscript allows remote attacker to cause "ps2pdf" to crash and possibly execute arbitrary code via a crafted Postscript file. (CVE-2008-6679) A security vulnerability that is caused due to a boundary error in the "jbig2_decode_symbol_dict()" function in "jbig2dec" library while decoding JBIG2 symbol dictionary segments. This can be exploited to cause a heap-based buffer overflow via a specially crafted PDF file. (CVE-2009-0196) Multiple integer overflow flaws in Ghostscript's International Color Consortium Format library (icclib) can be exploited to cause an application crash or execute arbitrary code by tricking a user into processing specially crafted ICC data in an application using the library. (CVE-2009-0792) Multiple integer overflow flaws which could lead to heap-based buffer overflows, as well as multiple insufficient input validation flaws, were found in icclib. Using specially-crafted ICC profiles, an attacker could create a malicious PostScript or PDF file with embedded images which could cause Ghostscript to crash, or, execute arbitrary code when opened by an unsuspecting user. (CVE-2009-0583, CVE-2009-0584)

These issues may allow local or remote unprivileged users to cause denial of service conditions to applications using the Ghostscript interpreter, or lead to execution of arbitrary code with the privileges of the user running Ghostscript. The vendor has released patches to resolve this issue. Refer to Oracle ID 1020647.1 to obtain patch information. Patch 1222259-04. Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 301

This vulnerability is confirmed by "SUNWgscr is installed 122259-02 is missing." Sun Solaris auditconfig Command Privilege Escalation Vulnerability (QID 116497) CVE-2009-2430, Sun Alert ID 262088, Oracle ID 1020636.1 "auditconfig" provides a command line interface to get and set kernel audit parameters. A security vulnerability exists in the Solaris auditconfig command that may allow execution of arbitrary commands with escalated privileges if a user has an assigned RBAC execution profile on a system with Solaris Auditing enabled. Successful exploitation may allow a local user with an RBAC execution profile to execute arbitrary commands with the privileges specified in the RBAC profile. OpenSolaris and Solaris Versions 8, 9 and 10 for the SPARC and x86 platforms are affected by this issue. Workaround: Remove references to the "auditconfig" command from the "exec_attr" database. Note: Users who have been assigned the relevant execution profile will no longer be granted privileged access to the auditconfig command. The vendor has released a patch to fix this issue. Refer to Oracle ID 1020636.1 to obtain patch information and additional details on applying the workaround. This vulnerability is confirmed by "SUNWckr is installed 140921-01 is missing." Sun Solaris Kernel Denial of Service Vulnerability (QID 116500) CVE-2009-2297, Sun Alert ID 262048, Oracle ID 1020634.1 UDP is a simple datagram protocol which is layered directly above the Internet Protocol ("IP") or the Internet Protocol Version 6 ("IPv6"). A patch regression in Solaris kernel "udp" may cause a panic at boot time via unspecified vectors involving the crgetlabel function, related to a "TX panic" when Solaris Trusted Extensions is enabled. This can cause the system to be unavailable. This issue may allow remote or local unprivileged users to panic the system, thereby causing a denial of service to the system as a whole. OpenSolaris based upon builds snv_90 through snv_108 and Solaris 10 for the SPARC and x86 platforms are affected by this issue. The vendor has issued an update to resolve this issue. Refer to Oracle ID 1020634.1 to obtain patch information. This vulnerability is confirmed by "FJSVhea is installed 138888-03 exists. FJSVmdb is installed 141414-02 is missing." Sun Solaris Network File System Unauthorized Network Access Vulnerability (QID 116501) CVE-2009-2296, Sun Alert ID 262668, Oracle ID 1020673.1

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 302

A security vulnerability exists in the Solaris NFSv4 Server Kernel Module because it does not appropriately implement the "nfs_portmon" tunable. This allows remote attackers to access shares, and read, create, and modify arbitrary files, via unspecified vectors. Successful exploitation may allow certain remote unprivileged users to gain unauthorized network access to share resources, thereby allowing those users to access (read and write) arbitrary files. OpenSolaris based upon builds snv_01 through snv_118 and Solaris 10 for the SPARC and x86 platforms are affected by this issue. Workaround: Configure the NFS server system to not use NFSv4 by setting "NFS_SERVER_VERSMAX=3" in "/etc/default/nfs". The vendor has issued an update to resolve this issue. Refer to Oracle ID 1020673.1 to obtain patch information. This vulnerability is confirmed by "SUNWnfsskr is installed 139991-03 is missing." Sun Solaris NFSv4 Kernel Module Denial of Service Vulnerability (QID 116514) CVE-2009-2488, Sun Alert ID 262788, Oracle ID 1020679.1 A security vulnerability exists in the Solaris NFSv4 kernel module that may allow a local unprivileged user to panic an NFSv4 client system. Successful exploitation may lead to denial of service. OpenSolaris based upon builds snv_102 through snv_119 and Solaris 10 for the SPARC and x86 platforms are affected by this issue. The vendor has released an update to fix this issue. Refer to Oracle ID 1020679.1 to obtain patch information. Workaround: Use NFSv3 instead of NFSv4. The NFS client system can be configured not to use NFSv4 by setting NFS_CLIENT_VERSMAX=3 in /etc/default/nfs." This vulnerability is confirmed by "SUNWhea is installed 139466-02 exists. SUNWhea is installed 14173303 is missing." Sun Solaris SCTP Packet Processing Denial of Service Vulnerability (QID 116516) CVE-2009-2486, Sun Alert ID 253608, Oracle ID 1020175.1 SCTP is a transport protocol layered above the Internet Protocol (IP), or the Internet Protocol Version 6 (IPv6). SCTP provides a session oriented, flow-controlled, two-way transmission of data. A security vulnerability exists in Solaris 10 SCTP packet processing that may allow a privileged remote user to panic the system. Successful exploitation may lead to denial of service. OpenSolaris based upon builds snv_01 through snv_119 and Solaris 10 for the SPARC and x86 platforms are affected by this issue. Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 303

The vendor has released an update to resolve this issue. Refer to Oracle ID 1020175.1 to obtain patch information. This vulnerability is confirmed by "SUNWcslr is installed 141414-01 is missing." Sun Solaris Auditing Extended File Attributes Denial of Service Vulnerability (QID 116533) CVE-2009-2596, Sun Alert ID 264428, Oracle ID 1020765.1 A vulnerability exists in Solaris due to an unspecified error in Solaris Auditing when handling extended file attributes (fsattr). Successful exploitation requires that Solaris Auditing is enabled. Successful exploitation of this vulnerability may allow a local unprivileged user to be able to panic the system causing a denial of service. OpenSolaris based upon builds snv_01 through snv_120 and Solaris 9 and 10 for the SPARC and x86 platforms are affected by this issue. Refer to Oracle ID 1020765.1 to obtain patch information. This vulnerability is confirmed by "SUNWckr is installed 140921-01 is missing." Sun Solaris and AIX BIND Dynamic Update Denial of Service Vulnerability (QID 116538) CVE-2009-0696, BIND security advisory AIX, Sun Alert ID 264828, Oracle ID 1020788.1 The "named" utility is a Domain Name System (DNS) server, part of the BIND 9 (Berkeley Internet Name Domain) distribution from Internet Systems Consortium (ISC). AIX "named" is an implementation of BIND providing server functionality for the Domain Name System (DNS) Protocol. AIX currently ships and supports three versions of BIND: 4, 8, and 9. There is an error in the handling of dynamic update messages in BIND 9. "named" is prone to a denial of service vulnerability which can cause it to crash when processing a specially-crafted dynamic update packet. Successful exploitation may allow a remote unprivileged user to send a specially crafted dynamic update packet and crash the "named" daemon which is a type of denial of service. A crafted update packet from a remote user can cause a master server to assert and exit. OpenSolaris based upon builds snv_01 or later and Solaris Versions 8, 9 and 10 are affected by this issue. Refer to security advisory Oracle ID 1020788.1 to address this issue and obtain patch information. For AIX, Please refer to BIND security advisory AIX to obtain additional details about this vulnerability. This vulnerability is confirmed by "SUNWbind is installed 119783-12 is missing." Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 304

Sun Solaris "sockfs" Kernel Module Remote Denial of Service Vulnerability (QID 116587) Sun Alert ID 265888, Oracle ID 1020844.1, Bugtraq ID 36169 Solaris is a Unix-based operating system. Solaris is prone to a remote denial of service vulnerability because of an error in the 'sockfs' kernel module. A remote user can send a specially crafted HTTP request to exploit the flaw and trigger a system panic. For successful exploitation of this vulnerability, it is required that the system is configured to run as an HTTP server using the Solaris Network Cache Accelerator, with logging enabled. Successful exploitation of this vulnerability may allow attackers to cause a panic in a vulnerable Solaris Web server and the system as a whole, effectively denying service to legitimate users. The vulnerability is reported in Solaris 10 for both the SPARC and x86 platforms and OpenSolaris based upon builds snv_41 or later. The vendor has released patches to resolve this issue. Refer to security advisory Oracle ID 1020844.1 to obtain additional details about this vulnerability. Workaround: Disable logging of NCA by setting "status=disabled" in "/etc/nca/ncalogd.conf". A system reboot is required for the change to be effective. This vulnerability is confirmed by "118833-25 exists. SUNWckr is installed 141690-02 is missing." Sun Solaris libtiff Image Conversion Tools Integer Overflow Vulnerability (QID 116591) CVE-2009-2347, Sun Alert ID 265808, Oracle ID 1020841.1 The libtiff package contains a library of functions for manipulating TIFF (Tagged Image File Format) image format files. Multiple integer overflow vulnerabilities exist in the libtiff image conversion tools "tiff2rgba" and "rgb2ycbcr". An attacker can exploit this issue to execute arbitrary code via a TIFF image with large "width" and "height" values, which triggers a heap-based buffer overflow in the "cvt_whole_image" function in "tiff2rgba" and "tiffcvt" function in "rgb2ycbcr". Successful exploitation may allow a local or remote unprivileged user to execute arbitrary code via a TIFF image with large width and height values. OpenSolaris based upon builds snv_01 through snv_121 and GNOME 2.0 (for Solaris 8), Solaris 9 and Solaris 10 for the SPARC and x86 platforms are affected by this issue. A final resolution is pending completion for GNOME 2.0 (for Solaris 8) and Solaris 9. The vendor has released patches for Solaris 10 to resolve this issue. Refer to security advisory Oracle ID 1020841.1 to obtain additional details about this vulnerability. Patch 119900-13. This vulnerability is confirmed by "SUNWgnome-img-viewer-share is installed 119900-09 is missing." Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 305

Sun Solaris "w" Utility Privilege escalation Vulnerability (QID 116610) CVE-2009-3183, Sun Alert ID 266348, Oracle ID 1020866.1 The 'w' utility is a command-line tool that provides a summary of every currently logged-in user. The utility is exposed to a local privilege escalation vulnerability because it fails to properly boundscheck user-supplied data before copying it into an inadequately sized memory buffer. Successful exploitation may allow execution of arbitrary code with "root" privileges. The vulnerability is reported in OpenSolaris and Solaris 9 and 10 for both the SPARC and x86 platforms. A final resolution is pending completion for Solaris 8. The vendor has released patches for Solaris 9 and 10 to resolve this vulnerability. Refer to security advisory Oracle ID 1020866.1 to obtain additional details. Patch 142529-01. This vulnerability is confirmed by "SUNWcsu is installed 142286-01 is missing." Sun Solaris IP Module and STREAMS Framework Denial of Service Vulnerability (QID 116623) CVE-2009-3519, Sun Alert ID 263388, Oracle ID 1020706.1, Bugtraq ID 36562 IP is the internetwork datagram delivery protocol that is central to the Internet protocol family. The vulnerability exists in Solaris due to a memory leak in the Solaris IP module and STREAMS Framework, which can be exploited to cause the system to hang. The vulnerability can be exploited by malicious local users to cause a denial of service. The vulnerability is reported in OpenSolaris and Solaris 8, 9 and 10 for both the SPARC and x86 platforms. A final resolution is pending completion for Solaris 8. The vendor has released fixes for Solaris 9 and 10. Refer to security advisory Oracle ID 1020706.1 to obtain additional details. This vulnerability is confirmed by "FJSVmdb is installed 141414-09 is missing." Sun Solaris Sockets Direct Protocol (SDP) Driver "sdp(7D)" Remote Denial of Service Vulnerability (QID 116675) CVE-2009-3899, Sun Alert ID 264730, Oracle ID 1020780.1, Bugtraq ID 36904 A denial of service vulnerability exists in Solaris Sockets Direct Protocol (SDP) driver (sdp). This vulnerability may allow a local or remote unprivileged user to exhaust all kernel memory. Successful exploitation can allow an attacker to exhaust kernel memory, denying service to legitimate users. Note: No applications bundled with Solaris are affected by this issue however third-party applications which make use of SDP may be affected.

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 306

Solaris 10 for the SPARC and x86 platforms is affected by this vulnerability. Refer to Oracle ID 1020780.1 to address this issue and obtain patch information. This vulnerability is confirmed by "SUNWtnetc is installed 127127-11 exists. SUNWipoib is installed 141444-09 is missing." Sun Solaris Trusted Extensions Missing Libraries Privilege Escalation Vulnerability (QID 116796) CVE-2010-0310, Sun Alert ID 275410, Oracle ID 1021773.1, Bugtraq ID 37754 A security vulnerability exists in Solaris Trusted Extensions because libraries were not delivered with the Trusted Extensions. This may allow a local privileged user to run arbitrary code with elevated privileges. This issue affected Solaris 10 for SPARC and x86 platforms. Successful exploits may allow a local attacker to gain superuser privileges. Refer to Oracle ID 1021773.1 to address this issue and obtain patch information. This vulnerability is confirmed by "SUNWgnome-base-libs is installed 143502-01 is missing." Solaris PostgreSQL Privilege Escalation or Man-in-the-Middle on SSL Connections (QID 116841) CVE-2009-4136, CVE-2009-4034, Sun Alert ID 274870, Oracle ID 1021746.1 Multiple security vulnerabilities have been identified in the PostgreSQL software shipped with Solaris. These vulnerabilities may allow a remote authenticated user with certain privileges to gain extra privileges via a table with a crafted index function. Further vulnerabilities may allow man-in-the-middle attacks on SSL based PostgreSQL servers by substituting malicious SSL certificates for trusted ones. This vulnerability could be exploited to gain partial access to sensitive information. Malicious users could also use this vulnerability to change partial contents or configuration on the system. Additionally this vulnerability can also be used to cause a limited denial of service in the form of interruptions in resource availability. Solaris 10 with PostgreSQL 8.1, 8.2 and 8.3 is vulnerable. Refer to Oracle ID 1021746.1 to address this issue and obtain patch information. Patch 123590-12. Workaround: To prevent the issue described in CVE-2009-4136 from being exploited, the database administrator can revoke the "create" privilege from users by running the following commands: REVOKE CREATE ON SCHEMA <schema> FROM <user> or Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 307

REVOKE CREATE ON TABLESPACE <tablespace> FROM <user> This vulnerability is confirmed by "SUNWpostgr-contrib is installed 123590-12 is missing." Solaris GNOME PDF Rendering Libraries Denial of Service or Arbitrary Code Execution Vulnerabilities (QID 117018) CVE-2009-3603, CVE-2009-3604, CVE-2009-3605, CVE-2009-3606, CVE-2009-3607, CVE-2009-3608, CVE2009-3609, Solaris Alert ID 274030, Oracle ID 1021706.1 Multiple integer overflow and improper memory allocation vulnerabilities have been identified in the Solaris GNOME PDF rendering libraries. These vulnerabilities may allow a local or remote unprivileged user to cause the Solaris GNOME PDF viewers (OpenSolaris and gpdf for Solaris 10) which are linked to these libraries to crash, resulting in a denial of service or arbitrary code execution with the privileges of the user running the application. This vulnerability could be exploited to gain complete access to sensitive information. Malicious users could also use this vulnerability to change all the contents or configuration on the system. Additionally this vulnerability can be used to cause a complete denial of service and could render the resource completely unavailable. Solaris 10 for the SPARC and x86 platforms is affected. Refer to Oracle ID 1021706.1 to address this issue and obtain patch information. Install patch 12073908. This vulnerability is confirmed by "120739-06 is missing."

Sun Solaris and Red Hat bzip2 Command May Lead to Denial of Service (QID 115953)
CVE-2008-1372, Sun Alert ID 241786 (Oracle ID 1019589.1), RHSA-2008:0893 A security vulnerability exists in the bzip2 command and libbz2 library shipped with Solaris. A buffer over-read flaw exists in the bzip2 decompression routine for Red Hat. This issue could cause an application linked against the libbz2 library to crash when decompressing malformed archives. Successful exploitation may allow a local or remote unprivileged user who provides a specially crafted bzip2 archive to cause a program crash. Sun has released patches to address this issue. Refer to Oracle ID 1019589.1 for patch details. Red Hat (CVE-2008-1372): Red Hat Enterprise Linux 2.1 RHSA-2008:0893 bzip2-1.0.1-5.EL2.1 Red Hat Enterprise Linux 3 RHSA-2008:0893 bzip2-1.0.2-12.EL3 (superseded by RHSA-2010:0703 bzip2-1.0.2-14.EL3) Page 308

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Red Hat Enterprise Linux 4 RHSA-2008:0893 bzip2-1.0.2-14.el4_7 (superseded by RHSA2010:0703 bzip2-1.0.2-16.el4_8) Red Hat Enterprise Linux 5 RHSA-2008:0893 bzip2-1.0.3-4.el5_2 (superseded by RHSA2010:0703 bzip2-1.0.3-6.el5_5)

This vulnerability is reported when Red Hat 2.4 is detected with: Package bzip2 bzip2-devel bzip2-libs Installed version 1.0.1-4 1.0.1-4 1.0.1-4 Required version 1.0.1-5.EL2.1 1.0.1-5.EL2.1 1.0.1-5.EL2.1

TFTP
TFTP Daemon Theft of '/etc/passwd' file (QID 38064) CVE-1999-0183 TFTP (Trivial File Transfer Protocol) is generally used to load a boot file from a server when a client does not have a disk to boot from. The TFTP protocol does not have any access control. Therefore, unauthorized users can connect to this daemon from a remote system and download or upload files without a password. Some older versions of this FTP protocol contain vulnerabilities that give unauthorized users direct access to all files on your filesystem. If the default working directory of the TFTP daemon is '/tftpboot', then unauthorized users can request that the server transfer the '/etc/passwd' or '../etc/passwd' files. This could lead to further attacks against the host. Be sure to use the latest version of the TFTP daemon, which should deny transfer of files that are not in the working directory of the TFTP daemon (/tftpboot). We strongly advise that you only make files in the /tftpboot directory accessible. This can usually be done by modifying the /usr/sbin/in.tftpd entry in your /etc/inetd.conf file to include '/tftpboot' as the first argument. For more information, see the man pages of the tftpd daemon. This vulnerability is confirmed by transferring the etc/passwd file. TFTP Server Directory Traversal Vulnerability (QID 38065) A TFTP server gives remote systems the ability to get or put files via the Trivial File Transfer Protocol (TFTP). Some TFTP servers do not validate input. It is possible for a remote user to connect to the TFTPD, and upon connecting, request a file in the directory above the TFTP root directory using the dot-dot notation (..). Upon doing so, a remote user may traverse the entire directory structure, and potentially download any file contained within the directory tree of the drive hosting the TFTP root directory. Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 309

This problem is known for Cisco TFTP server and IBM Alphaworks TFTP server. By exploiting this vulnerability, a remote user may be able to traverse the entire directory structure, and potentially download any file contained within the directory tree of the drive hosting the TFTP root directory. Cisco TFTP server: Check Cisco's Software Download site for the latest updates.

Veritas NetBackup Vulnerabilities


Veritas NetBackup Java User-Interface Remote Format String Vulnerability (QID 38482) CVE-2005-2715, Veritas 279085, Bugtraq ID 15079 Veritas NetBackup is a network enabled backup solution from Symantec. It is available for various platforms. NetBackup Java user-interface is affected by a remote format string vulnerability. This issue presents itself because the application fails to properly sanitize user-supplied input prior to passing it as the format specifier to a formatted printing function. Specifically, the Java user-interface authentication service "bpjava-msvc" listening on port 13722, which runs on Veritas NetBackup servers and agents, is vulnerable to this issue. The vulnerability exists in the "COMMAND_LOGON_TO_MSERVER" command. An attacker can exploit this vulnerability by crafting a malicious request that contains format specifiers. A successful attack may result in crashing the server or lead to arbitrary code execution. This may facilitate unauthorized access or privilege escalation with SYSTEM or superuser privileges. Port Service 13722 bpjava-msvc Note: Perhaps port 13722 is open, and that was sufficient to determine that Veritas NetBackup is installed. There are patches for NetBackup DataCenter and NetBackup BusinessServer 4.5 and for NetBackup Enterprise Server and NetBackup Server 5.0, 5.1, and 6.0 are available from Veritas Support site (http://support.veritas.com/docs/279085), but Qualys provides no indication about the version installed.

VNC Vulnerabilities
VNC Server Weak Password Encryption Vulnerability (QID 38023) Bugtraq ID 854 VNC (Virtual network Computing) package is similar to XWindows in that it is a remote, graphical interface.

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 310

The authentication system implemented by VNC has a weak encryption algorithm, which can be bruteforced easily. A static key is used, and all passwords are truncated to 8 characters. If the encrypted passwords are obtained, then it would be easy to decrypt them. In the NT version of VNC, passwords are 3DES encrypted with the key 23 82 107 6 35 78 88 7, and they are kept in the following registry keys: \HKEY_CURRENT_USER\Software\ORL\WinVNC3 \HKEY_USERS\.DEFAULT\Software\ORL\WinVNC3 VNC Versions 3.3.x are vulnerable. If this vulnerability is successfully exploited, a malicious user could gain remote access to the host. Null Authentication VNC Server Access (QID 38161) CVE-2002-2088, Bugtraq 4581 VNC (Virtual Network Computing) is similar to Xwindows in that it is a remote, graphical interface. It is freely available from multiple vendors (for example AT&T Cambridge). To create a session with VNC server, a primitive sort of authentication is implemented. There is an option to not use authentication at all, in which case anyone is allowed to connect to the VNC server. ClumpOS is an example of an installation which uses no authentication by default. ClumpOS is a CDbased Linux and Mosix distribution that is maintained and distributed by the Mosix project. ClumpOS does not prompt a user to set a password for VNC when installed. Instead, ClumpOS leaves the default password for VNC blank, which allows remote root access to the system. By exploiting this vulnerability, an unauthenticated user can have the same privileges as the privileges of the user who launched a VNC server. As a possible workaround, manually set a VNC password or remove the VNC server (if not needed).

Web Server Vulnerabilities


Web Server Vulnerable to Cross Site Scripting (XSS) (QID 10788) The Web server contains a cross-site scripting vulnerability that can be exploited when it is sent a specially formed request. It is vulnerable because the responses contain unsanitized requested URLs. By exploiting this vulnerability, malicious users can obtain sensitive information from legitimate users of the server. Please check with the vendor of the Web server for a possible patch against this issue. As a workaround, configure the Web server to return a customized error or redirection page that properly sanitizes requested URLs included in the response.

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 311

This vulnerability is confirmed by exploiting the vulnerability, with attacks such as the following: http://ipaddress/PCI2/recipe_release/wwwroot/recipe/cat.php/>"><script>alert(document.do main)</script> http://ipaddress/PCI2/recipe_release/wwwroot/recipe/contact.php/>"><script>alert(document .domain)</script> http://ipaddress/PCI2/recipe_release/wwwroot/recipe/index.php/>"><script>alert(document.d omain)</script> http://ipaddress/PCI2/recipe_release/wwwroot/recipe/recipe_list.php/>"><script>alert(docum ent.domain)</script> http://ipaddress/PCI2/recipe_release/wwwroot/recipe/user_add.php/>"><script>alert(docume nt.domain)</script> http://ipaddress/recipe/cat.php/>"><script>alert(document.domain)</script> http://ipaddress /recipe/contact.php/>"><script>alert(document.domain)</script> http://ipaddress/recipe/index.php/>"><script>alert(document.domain)</script> http://ipaddress/recipe/recipe_list.php/>"><script>alert(document.domain)</script> http://ipaddress/recipe/user_add.php/>"><script>alert(document.domain)</script> http://ipaddress/recipe/recipe/cat.php/>"><script>alert(document.domain)</script> http://ipaddress/recipe/recipe/contact.php/>"><script>alert(document.domain)</script> http://ipaddress/recipe/recipe/index.php/>"><script>alert(document.domain)</script> http://ipaddress/recipe/recipe/recipe_list.php/>"><script>alert(document.domain)</script> http://ipaddress/recipe/recipe/user_add.php/>"><script>alert(document.domain)</script> Session-Fixation Social Engineered Session Hijacking (QID 12074) Session Fixation description The scanner found a Web application on the target that uses cookies. The application seems to use cookies (likely, session IDs) in an insecure way. Specifically, the scanner created a web session with the target using a session ID specified by the scanner itself. The target application simply started a new session with this specified session ID. This issue is generally called "session-fixation" and is vulnerable to session-hijacking attacks. One scenario where this could be used to hijack an unsuspecting user's Web session is as follows. Assuming an online store, www.examplestore.com, has this security issue. If an attacker uses social engineering techniques to make a target user click on a link (in an email or on a malicious Web site) like http://www.examplestore.com/?PHPSESSID=12345, where PHPSESSID is the cookie used for identifying the session, the store will start a new session for the unsuspecting user with the session ID 12345. Then, since the attacker knows the session ID already, the attacker can simply hijack the session moments after the user has visited the store. By exploiting this vulnerability, an attacker could use the hijacked session for information gathering, invasion of privacy, property theft, or credit-card theft.

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 312

For more information about the way session-fixation attacks can be performed and the possible consequences of such attacks, read this paper (http://www.acros.si/papers/session_fixation.pdf). CONNECT Method Allowed in HTTP Server Or HTTP Proxy Server Vulnerability (QID 62026) The HTTP server or the HTTP proxy server accepts the "CONNECT" method. By exploiting this vulnerability, unauthorized Internet users may be able to connect to your entire internal network using the "CONNECT" method. This can also be used by attackers to create tunnels through proxies which support this method since such hops are difficult to traceback. Reconfigure your server to disable this method or restrict its access. This vulnerability is confirmed by exploiting the vulnerability. Web Server/ Web Application Vulnerable to Cross-Site Scripting (XSS) Attacks (QID 86175) The Web server/application does not filter script embedding from links displayed on a server's Web site. A malicious user can exploit this vulnerability to cause JavaScript commands or embedded scripts to be executed by any user who clicks on the hyperlink. Upon clicking the hyperlink, your Web server will generate an error message including the specified or embedded script. The specified or embedded script is executed in the client's browser and treated as content originating from the target server returning the error message (even though the scripting may have originated from another site entirely). By exploiting this vulnerability, malicious scripts can be executed in the client's browser. Any Web application on the server may be affected by this vulnerability. To prevent cross-site scripting attacks from occurring, web developers should use static pages whenever possible and sanitize input / output. The following vendors provided patches at the web server level. See below for a list of patches for some specific Web servers. If this information does not apply to your Web server, contact your Web server vendor. If your web server does not support filtering please have your web developers resolve this issue at the application level. This issue is fixed in Sun ONE / iPlanet Web Server 4.1 Service Pack 12 and above. The latest service pack is available for download from Sun ONE Web Server Enterprise Edition 4.1 Service Pack 13. For Microsoft IIS 4/5/5.1, apply the cumulative patch described in Microsoft Security Bulletin MS02-018. No additional service packs are planned for Windows NT 4.0. IIS 5.0 fixes will be included in Windows 2000 Service Pack 3. IIS 5.1 fixes will be included in Windows XP Service Pack 1. Lotus Domino had this issue with Domino R5 Web server. Check the Lotus advisory SPR JCHN4V2HUY. For IBM Websphere, please refer to websphere-faultactor-xss (30055). For Web Applications: If your Web application is vulnerable, please check with the web application vendor for further details. Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 313

This vulnerability is confirmed by exploiting the vulnerability (with the XSS detection caveat "Regarding Cross-Site Scripting Vulnerability Detection"). URLs like these would run a script on the client machine: https://ipaddress/"><script>alert(document.domain)</script>:443/timeout.asp Listing of Scripts in the scripts Directory (QID 86333) The listing of files in your scripts directory is allowed. By browsing the scripts directory, unauthorized users can obtain a list of the CGI scripts present on your server. With this information, they can implement further attacks on vulnerable CGI scripts. Set a more restrictive rule on your server to prevent directory listing of the scripts directory. This vulnerability is detected by exploiting the vulnerability. Generic Web Server Directory Traversal Vulnerability (QID 86375) CVE-2003-0474, CVE-2000-0505, CVE-2003-0676 Using directory traversal techniques, a malicious user can access known files outside of the Web root. This is made possible through the use of "../", "..", "\../", ".../", or "..../", etc., sequences in an HTTP request. By exploiting this vulnerability, malicious users can retrieve any file on the filesystem, including system files. Check with the vendor of the Web server for a patch. This vulnerability is detected by exploiting the vulnerability. Web Server Stopped Responding (QID 86476) The Web server stopped responding to 3 consecutive connection attempts and/or more than 3 consecutive HTTP requests. Consequently, the service aborted testing for HTTP vulnerabilities. The vulnerabilities already detected are still posted. The service was unable to complete testing for HTTP vulnerabilities since the Web server stopped responding. Check the Web server status. If the Web server was crashed during the scan, please restart the server, report the incident to Customer Support and stop scanning the Web server until the issue is resolved. If the Web server is unable to process multiple concurrent HTTP requests, please lower the scan harshness level and launch another scan. If this vulnerability continues to be reported, please contact Customer Support. Has this been resolved since the scan was run? Check the status of the Web server and take corrective actions.

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 314

When this vulnerability is reported, it will be accompanied by one of the following explanations: The web server did not respond for 4 consecutive HTTP requests. After these, the service was still unable to connect to the web server 2 minutes later. The web server did not respond for 4 consecutive HTTP requests. After these, the service was able to connect to the web server 2 minutes later, but the web server still did not respond to a simple HTTP GET request.

Multiple Vendor Multiple HTTP Request Smuggling Vulnerabilities (QID 86705) CVE-2005-2090, Bugtraq ID 13873 Multiple vendors are prone to a new class of attack named "HTTP Request Smuggling". This class of attack basically revolves around piggybacking an HTTP request inside of another HTTP request. Five attack vectors are identified for this class of vulnerability. These attack vectors are present due to a failure to abide by the HTTP/1.1 RFC. Other attack vectors are also likely possible. The following specific issues are reported: The HTTP/1.1 RFC states that multiple Content-Length values are not permitted in a valid HTTP header. Several Web servers will serve a response to an invalid request that contains multiple Content-Length values in an invalid HTTP header. This exposes these servers to HTTP Request Smuggling attacks. The following servers are reported to be affected: Jakarta Tomcat version 5.0.19, Tomcat version 4.1.24, Sun Microsystems SunONE Web Server 6.1 Service Pack 1. The HTTP/1.1 RFC states that HTTP requests must not include both a Content-Length field and a non-identity transfer-encoding field. Apache Web Servers will serve a response to an invalid request that does not abide by the aforementioned RFC statement. This exposes these servers to HTTP Request Smuggling attacks. The following server is reported to be affected: Apache version 2.0.45. The HTTP/1.1 RFC states that a line that starts with a carriage return does not match the format of an HTTP header. When a request is handled by Microsoft IIS and the HTTP header contains two HTTP headers separated by a carriage return, under some circumstances, IIS will interpret the carriage return as the start of a new HTTP request. This exposes the server to HTTP Request Smuggling attacks. Reports indicate that the following version is affected: Microsoft IIS 5.0. The HTTP/1.1 RFC states that a server should read and forward a message-body on any request. If the request method does not include defined semantics for an entity-body, then the messagebody should be ignored when handling the request. Reports indicate that the DeleGate caching server does not comply with this RFC statement and is thus vulnerable to HTTP Request Smuggling attacks. DeleGate assumes that a GET request does not have an associated body. It forwards GET requests that it receives without the associated body to the corresponding web server. The body of the initial request is then sent as a second request to the corresponding Web server. Reports indicate that the following version is affected: DeleGate version 8.9.2. The HTTP/1.1 RFC states that a header field can be folded onto multiple lines if the continuation line begins with a space or horizontal tab character. Reports indicate that Microsoft IIS does not abide to this RFC statement, and instead treats the aforementioned pattern as an end of Page 315

Vulnerability Remediation Synopsis version 0.4Russ Klanke

headers mark. Because of this, Microsoft IIS is exposed to HTTP Request Smuggling attacks. Reports indicate that the following version is affected: Microsoft IIS 5.0. In addition to the aforementioned failure to comply to HTTP/1.1 RFC specifications, a problem with Microsoft IIS 5.0 may also expose the server to HTTP Request Smuggling attacks. Reports indicate that Microsoft IIS 5.0 truncates requests that contain a body of greater than 48 KB in length. After 49152 bytes of a request body are handled, IIS terminates the request and starts to parse a new request. Reports indicate that the following version is affected: Microsoft IIS 5.0.

By leveraging failures to implement the HTTP/1.1 RFC properly, it is demonstrated that this class of attack may result in cache poisoning, cross-site scripting, session hijacking and other attacks. Web Server Vulnerable to Redirection Page Cross-Site Scripting (XSS) Attacks (QID 86714) The Web server/application does not filter script embedding from links displayed on a server's Web site. A malicious user can exploit this vulnerability to cause JavaScript commands or embedded scripts to be executed by any user who clicks on the hyperlink. Upon clicking the hyperlink, your Web server will generate an error message including the specified or embedded script. This script is executed in the client's browser and treated as content originating from the target server returning the error message, even though the scripting may have originated from another site entirely. By exploiting this vulnerability, malicious scripts could be executed in the client's browser that processes the content of an HTTP redirection page. Any Web server may be affected by this vulnerability. See below for a list of patches for some specific Web servers. If this information doesn't apply to your Web server, contact your Web server vendor. This issue is fixed in Sun ONE/iPlanet Web Server 4.1 Service Pack 12 and above. The latest service pack is available for download from Sun ONE Web Server Enterprise Edition 4.1 Service Pack 13. For Microsoft IIS Web server, apply the cumulative patch described in Microsoft Security Bulletin MS02018. No additional service packs are planned for Windows NT 4.0. IIS 5.0 fixes will be included in Windows 2000 Service Pack 3. IIS 5.1 fixes will be included in Windows XP Service Pack 1. Lotus Domino had this issue with Domino R5 Web server. Check Lotus advisory SPR JCHN4V2HUY). It is advised that you to upgrade to the latest version. This vulnerability is confirmed by exploiting the vulnerability (with the XSS detection caveat "Regarding Cross-Site Scripting Vulnerability Detection"). Something like: https://ipAddress/en-US/"><script>alert(document.domain)</script>.html

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 316

Web Server Uses Plain-Text Form Based Authentication (QID 86728) The Web server uses plain-text form based authentication. A web page exists on the target host which uses an HTML login form. This data is sent from the client to the server in plain-text. An attacker with access to the network traffic to and from the target host may be able to obtain login credentials for other users by sniffing the network traffic. Please contact the vendor of the hardware/software for a possible fix for the issue. For custom applications, ensure that data sent via HTML login forms is encrypted before being sent from the client to the host. This vulnerability is confirmed by exploiting the vulnerability.

Webmin / Usermin Vulnerabilities


Webmin / Usermin Authentication Bypass Vulnerability (QID 10658) CVE-2002-0757, Bugtraq ID 4700 Webmin is a Web-based interface for system administration of Unix and Linux operating systems. Usermin is a related product designed for user level tasks. It is possible to bypass authentication for a known user account in some versions of Webmin and Usermin. A remote malicious user may gain access as any known username without requiring the password for that account. Reportedly, both scripts communicate with another process during the authentication process. It's possible to include control characters in the authentication information passed between the processes. Under some circumstances, this ability allows a malicious user to authenticate as any known username. By default, Webmin defines the user "admin" with administrative privileges, and gives this user access to a command shell. Note: This vulnerability requires that the password timeout configuration option be set. No further technical details were available when these comments were written. By exploiting this vulnerability, a remote malicious user may gain access as any known username without requiring the password for that account. Upgrade to the latest version, which is available for download from Webmin's Web site. Note: No information is included about how this vulnerability was detected. Webmin / Usermin Login Cross Site Scripting Vulnerability (QID 10659) CVE-2002-0756, Bugtraq ID 4694 Webmin is a Web-based interface for system administration of Unix and Linux operating systems. Usermin is a related product designed for user level tasks. Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 317

A cross-site scripting issue has been reported for the login process for both systems. Under some circumstances, user-supplied input is included in HTML content used to display an error message. If a malicious link to this page is constructed, JavaScript code may be injected into the page. The script will then execute within the context of the Webmin domain. Reportedly, this vulnerability can only be exploited if a user has not authenticated to the system. As a result, authentication data can not easily be acquired. However, information associated with other pages on the same domain may be freely accessed. If this vulnerability is successfully exploited, a malicious user could inject JavaScript code, which will execute within the context of the Webmin domain. Upgrade to Webmin 0.970 (or later) or Usermin 0.910 (or later), which is available for download from Webmin's Web site. Note: No information is included about how this vulnerability was detected. Webmin Environment Variable Information Disclosure Vulnerability (QID 86156) CVE-2001-1074, Bugtraq ID 2795 Note: If you have already patched Webmin, or if you don't have a version prior to 0.85, then you can safely ignore this warning. Webmin is a Web-based interface for system administration for Unix. Using any browser that supports tables and forms, you can setup user accounts, Apache, DNS, file sharing and so on. Webmin consists of a simple Web server, and a number of CGI programs which directly update system files like /etc/inetd.conf and /etc/passwd. The Web server and CGI programs are written in Perl Version 5, and use no external modules. This means that you only need a Perl binary to run Webmin. Versions of Webmin prior Version 0.85 fail to properly remove sensitive information from certain environment variables. One such environment variable, HTTP_AUTHORIZATION, contains Webmin's administrator login ID and password in MIME 64-encoded form. An attacker may trivially read and decode this information, and then exploit it (and other data, including host path and configuration information) to further compromise the host, potentially obtaining root privileges. Apply the following patch provided by the vendor: http://www.webmin.com/webmin/updates/ This vulnerability is assumed by detecting "Server: MiniServ/0.01".

Wind River VxWorks WDB Debugging Service Security Bypass Vulnerability (QID 42346)
CVE-2010-2965, Bugtraq ID 42158

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 318

VxWorks is a real-time operating system that can be used in embedded systems, including control system components. VxWorks WDB Debug Service(on port 17185) is enabled on by many embedded systems by default, which will provide full read and write access to the device's memory and allows functions to be called. An attacker could use this service to fully compromise the device. Embedded systems running VxWorks 5.x and 6.x are affected; other versions may also be affected. By exploiting this vulnerability, an attacker can use the debug service to fully compromise the device. There are no vendor-supplied patches available at this time. Workarounds: Disable debug agent. Vendors should remove the WDB target debug agent in their VxWorks based products by removing the INCLUDE_WDB and INCLUDE_DEBUG components from their VxWorks Image. Restrict access. Appropriate firewall rules should be implemented to restrict access to the debug service (17185/udp) to only trusted sources until vendors have released patches to disable it.

However these mitigations may differ for vendors utilizing VxWorks in their products, and the end-users of these products. Customers are suggested to query Wind River Support and refer to US-CERT Vulnerability Note (http://www.kb.cert.org/vuls/id/362332) This vulnerability is confirmed by exploiting the vulnerability. Port 17185 Service VxWorks WDB Debug Service

WINS Vulnerabilities
Disable the WINS Service. If this is not possible, block UDP ports 137 and 138 at the firewall. Port 137 138 Service WINS WINS

WINS Domain Controller Spoofing Vulnerability - Zero Day (QID 70007) CVE-1999-1593, Bugtraq ID 2221 Windows Internet Naming Service (WINS) ships with Microsoft Windows NT Server and is also supported by Samba server. WINS resolves IP addresses with network computer names in a client to server environment. A distributed database is updated with an IP address for every machine available on the network. Unfortunately, WINS does not properly verify the registration of Domain Controllers (DCs). It is possible for a user to modify the entries for a domain controller, causing the WINS service to redirect requests for the DC to another system. This can lead to a loss of network functionality for the Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 319

domain. The DC impersonator can also be set up to capture username and password hashes passed to it during login attempts. By exploiting this vulnerability, an unauthorized user can cause the WINS service to redirect requests for a domain controller to a different system, which could lead to a loss of network functionality. The user may also be able to retrieve username and password hashes. The following workaround was provided by David Byrne <dbyrne@tiaa-cref.org>: The best workaround I could think of is to use static entries for records that are sensitive (there are probably more besides 1Ch). Domain Controllers shouldn't be changed very often, so the management work would be minimal. The following workaround was provided by Paul L Schmehl <pauls@utdallas.edu>: MS's response was that because WINS uses NetBIOS, which has no security capabilities, there was no way to prevent that sort of hijacking. Their answer is Active Directory, Kerberos and DNS. This vulnerability is found through udp port 137. NetBIOS Name Conflict Vulnerability (QID 70008) CVE-2000-0673, MS00-047, Bugtraq ID 1514 A malicious user can send a NetBIOS Name Conflict message to the NetBIOS name service even when the receiving machine is not in the process of registering its NetBIOS name. As a result, the target will not attempt to use that name in any future network connection attempts, which could lead to intermittent connectivity problems, or the loss of all NetBIOS functionality. This is a design flaw problem in the NetBIOS protocol and the WINS dynamic name registration, which is present whenever WINS is supported. If successfully exploited, this vulnerability could lead to intermittent connectivity problems, or the loss of all NetBIOS functionality. The best workaround for Microsoft Windows and Samba Server is to block all incoming traffic from the Internet to UDP ports 137 and 138. For Windows platforms, Microsoft has released some patches to address this issue. Microsoft has released a patch (Hotfix 269239). After the patch is applied, conflict messages will only be responded to during the initial name registration process. For more information on this vulnerability and the patch, read Microsoft Security Bulletin (MS00-047). Hotfix 269239 mitigates the issue by generating log events for detected name conflicts. Note that while Hotfix 269239 provides notification when name conflicts occur, the system remains vulnerable. Microsoft acknowledges this problem in their documentation for Hotfix 269239. For Samba there were no vendor supplied patches available when these comments were written. Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 320

This vulnerability is found through udp port 137. NetBIOS Release Vulnerability (QID 70009) CVE-2000-0673, MS00-047, Bugtraq ID 1514, Nessus ID : 10482 A malicious user can send a NetBIOS Release message to a NetBIOS name service. This is the correct protocol behavior. If successfully exploited, the receiving machine is forced to place its name in conflict so that it will no longer be able to use it. Workaround: Microsoft Windows and Samba servers is should block all incoming traffic from the Internet to UDP ports 137 and 138. Microsoft has released a patch (Hotfix 269239), which adds a registry key that disables the NetBIOS name service from paying attention to these messages. For more information on this vulnerability and the patch, read Microsoft Security Bulletin (MS00-047). Hotfix 269239 mitigates the issue by generating log events for detected name conflicts. Note that while Hotfix 269239 provides notification when name conflicts occur, the system remains vulnerable. Microsoft acknowledges this problem in their documentation for Hotfix 269239. Windows 2003 inherently supports the registry value for ignoring Name release mentioned in the MS00047 document. Please refer the document MS00-047 for information on configuring this registry value. For Samba there are no vendor supplied patches available when these notes were written. This vulnerability is found through udp port 137.

WordPress Vulnerabilities
WordPress Publish Posts Remote Security Bypass Vulnerability (QID 12497) Wordpress 3.1.2 Release Notes A security issue has been reported in WordPress, caused by "wp-admin/press-this.php" script not properly checking a user's permissions before publishing posts, which can be exploited by users without the ""publish_posts"" permission. Successful exploitation requires "Contributor-level" privileges. The issue can be exploited by malicious users to bypass certain security restrictions. All WordPress versions prior to 3.1.2 are affected. This vulnerability is suspected when the following is detected: meta name='robots' content='noindex,nofollow' /

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 321

WU-FTPD Vulnerabilities
WU-FTPD FB_RealPath Off-By-One Buffer Overflow Vulnerability (QID 27200) CVE-2003-0466, Bugtraq ID 8315 wu-ftpd is an ftp server based on the BSD ftpd that is maintained by Washington University. wu-ftpd has been reported prone to an off-by-one buffer overflow vulnerability. The issue presents itself due to a lack of sufficient bounds checking performed by the "fb_realpath()" function on attackerinfluenced data. An attacker may exploit this condition when the length of data passed as an argument to an FTP command exceeds the assigned buffer size by one byte. The data is constructed from the current working directory and a supplied filename. This data may be passed via one of several FTP commands that harness the vulnerable function to the affected FTP server. Due to path length restrictions, this condition may be exploited only on wu-ftpd binaries that are compiled on the Version 2.0.x or 2.4.x kernel trees. Additionally, exploitability of this vulnerability will depend heavily on compiler optimizations, system architecture, and memory layout. If this vulnerability is successfully exploited, malicous users may corrupt one byte adjacent to reserved stack memory space. SuSE has released an advisory (SuSE-SA:2003:032) and fixes to address this issue. Instructions for obtaining and applying fixes can be found in the referenced advisory. Customers who are affected by this issue are advised to apply these fixes as soon as possible. Red Hat (CVE-2003-0466): (RHSA-2003:245) No enterprise version is vulnerable.

Note: I suspect that wu-2.6.2-5 indicates that the patches have been applied to WU-FTPD 2.6.2. Unauthenticated Access to FTP Server Allowed (QID 27210) Users can access the FTP server with any random user name and password. A remote user may exploit this vulnerability to obtain sensitive information. Restrict access to the FTP server by only granting authenticated users access. This vulnerability is confirmed by exploiting the vulnerability. WU-FTPD Restricted-gid Unauthorized Access Vulnerability (QID 27274) CVE-2004-0148, Bugtraq ID 9832 WU-FTPD is a widely used FTP server.

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 322

A vulnerability has been identified in WU-FTPD that may allow an attacker to gain unauthorized access to a vulnerable server and could possibly lead to root compromise. This issue is related to the "restricted-gid" feature supported by WU-FTPD. This feature allows for an administrator to restrict FTP user access to certain directories. The vulnerability reportedly allows users to bypass those restrictions through modifying the permissions on their home directory so that they themselves can no longer access it. Under such circumstances, the server may grant the user unauthorized access to the root directory. This vulnerability may be exploited to gain unauthorized access to the root directory. Debian released advisory DSA 457-1 to address this issue. See the referenced advisory for more information. Red Hat (CVE-2004-0148): Red Hat Enterprise Linux version 2.1 (wu-ftpd) (RHSA-2004:096) wu-ftpd-2.6.1-22 (superseded by RHBA-2004:238 wu-ftpd-2.6.1-24)

This vulnerability is suggested when the operating system is "Linux 2.4-2.6 / Embedded Device / F5 Networks Big-IP" and the banner is "220 cpu0 FTP server (Version wu-2.6.2(1) Wed Apr 4 15:47:55 CDT 2007) ready". WU-FTPD SockPrintf() Remote Stack-based Buffer Overrun Vulnerability (QID 27275) CVE-2003-1327, Bugtraq ID 8668 WU-FTPD is an FTP server based on the BSD ftpd that is maintained by Washington University. WU-FTPD includes an option "MAIL_ADMIN", which allows the administrator to be e-mailed when a specific event occurs on the server. One such event may be the uploading of a remote file. A remote vulnerability has been discovered in WU-FTPD, when configured using the "MAIL_ADMIN" option to report file uploads, that could allow for the execution of arbitrary code. It should be noted that WU-FTPD servers running the default configuration are not affected by this vulnerability. The problem is present within the SockPrintf() function, located within the ftpd.c source file, and occurs because of insufficient bounds checking. When SockPrintf() is called, a number of formatted arguments are passed to the svprintf() function and are stored within the local stack buffer. Due to insufficient bounds checking prior to calling svprintf(), an attacker capable of influencing data passed to SockPrintf() may be capable of overrunning the 32768 byte buffer with malicious data. This issue may be exploitable through the store() function defined in ftpd.c, which invokes the SockPrintf() function using an uploaded filename as the "name" argument. If an attacker was somehow capable of influencing the size of the path used to store the uploaded file, possibly by creating nested directories, it may be possible to construct a "name" argument greater than 32768 bytes. This would Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 323

effectively result in the allocated stack buffer being overrun, and could ultimately allow for the corruption of sensitive stack variables such as a saved frame pointer or a return address. It should be noted that specific operating systems place a limit on the available size of filenames. For instance, Linux limits the size to 4096 bytes. Due to this limit, this bug may not be exploitable on certain systems. However, if the aforementioned nested directory creation is possible, exploitation may still be possible on systems that set smaller size limits. Successful exploitation of this vulnerability could result in the execution of arbitrary code with the privileges of the WU-FTPD server, typically root. Red Hat: Not vulnerable. Note: I suspect that wu-2.6.2-5 indicates that the patches have been applied to WU-FTPD 2.6.2. WU-FTPD S/Key Remote Buffer Overrun Vulnerability (QID 27276) CVE-2004-0185, Bugtraq ID 8893 A remotely exploitable buffer overrun vulnerability has been reported in WU-FTPD if support for S/Key authentication is enabled. The issue exists in the skey_challenge function in the ftpd.c source file. External data may be passed to an internal buffer without sufficient bounds checking during a sprintf() operation. It appears that this vulnerability may be exploited prior to authentication. This vulnerability could potentially be exploited to execute arbitrary code in the context of the FTP server. Vulnerable if support for S/Key authentication is enabled Disable support for S/Key authentication if it is not required. For Debian GNU/Linux 3.0 (woody): Upgrade to the latest wu-ftpd package (2.6.2-3woody4 or later), as listed in DSA-457-1. Red Hat (CVE-2004-0185): Red Hat Enterprise Linux version 2.1 (wu-ftpd) (RHSA-2004:096) wu-ftpd-2.6.1-22 (superseded by RHBA-2004:238 wu-ftpd-2.6.1-24)

This vulnerability is suggested when the operating system is "Linux 2.4-2.6 / Embedded Device / F5 Networks Big-IP" and the banner is "220 cpu0 FTP server (Version wu-2.6.2(1) Wed Apr 4 15:47:55 CDT 2007) ready".

X Vulnerabilities
X Display Manager Control Protocol (XDMCP) Detected (QID 38147) X Display Manager Control Protocol (XDMCP) is used to provide X display connections for X terminals.

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 324

The host is running the XDMCP protocol. This protocol is insecure because the XDMCP data is not encrypted. By exploiting this vulnerability, an attacker with access to the XDMCP traffic can obtain the passwords of the XDMCP users. Disable the xdmcp service. If this is not possible, block UDP port 177 at the firewall. This vulnerability is discovered by detecting the xdmcp service. Note: Qualys will often report that the operating system could not be determined and then report the operating system when this vulnerability is reported. For example, "Detected service xdmcp and os Solaris 9-11". X-Window Sniffing (QID 95001) CVE-1999-0526, Vulnerability Note VU#704969 An X-Window server (also known as an "X11 server") was found on this host. This server is present on platforms with a Unix graphical user interface (GUI), such as X Terminals or graphical workstations. XWindow is known to be vulnerable. Unauthorized users can connect to the X-Window server from any address. Unauthorized users can connect to the X-Window server from a remote system and sniff a user's keystrokes. To do so, unauthorized users superimpose their screen image over the X-Window GUI. The commands entered by the unauthorized users are executed (instead of commands from the current users), which could lead to the X-Window server crashing. Execute the "xhost" command to ensure that the access list is valid. "xhost" limits access to authorized users. X-Window server access should be restricted to a short list of IP addresses. Note: Host-based access control is less restrictive than user-based access control. An even better solution would be to use "Magic Cookies" access control. With this, an administrator controls which users can connect to the X-Window server. Use the Xauthority facility X windows includes support for a security mechanism involving shared secrets between the X client and the X server. This mechanism usually involves storing the shared secret in a file named ".Xauthority" which needs to be accessible by both the client and server. In this configuration, the security of the X windows connection is equal to the file system security of the .Xauthority file. Xauthority secrets are, however, sent in plaintext, and may be sniffed by an attacker with access to the network. SSH users may enable host security for 127.0.0.1 For users tunneling X windows traffic over SSH, the allowed hosts list may contain 127.0.0.1 if the user is the only person using the computer where the X server resides. Since traffic over the network is encrypted, an attacker may not sniff or alter X windows connections.

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 325

Registration of Bogus RPC Programs (QID 66023)


Portmapper (Version 1) and rpcbind (Versions 3 and 4) keep a current list of RPC daemons running on the server. These programs listen on port 111 and provide information (such as the name, version and port number of RPC programs), so that remote clients can access these RPC services. Consequently, when an RPC program is launched, it registers itself in the portmapper list. By forging specially crafted RPC packets that appear to come from the "localhost" interface, unauthorized users can register or unregister RPC services on the server. This only adds an entry to the portmapper list but does not execute the corresponding RPC program on the server. If successfully exploited, a denial of service attack can be implemented on a client without too much difficulty, by removing entries of RPC programs in the portmapper list (e.g., by unregistering mountd or nfsd). If the server is running ypserv, and unauthorized users succeed in obtaining an account on the server, this vulnerability could lead to a root compromise on the ypbind clients. The nfsd service can be abused in a similar way. Some portmapper applications for Windows have also been found to be vulnerable to this issue. Note: Since the packet must be forged with a source address of 127.0.0.1 (localhost), you can eliminate this vulnerability by adding a new rule on your firewall (or router) that denies all spoofed packets with an internal source address. This vulnerability is confirmed by exploiting the vulnerability. Using a spoofed source IP address of 127.0.0.1, we have successfully registered and then unregistered a bogus RPC program (progid=123456 progver=666 port=666).

Appendices
Regarding Cross-Site Scripting (XSS) Vulnerability Detection
Cross-site scripting (XSS) vulnerabilites are detected based on expected response codes and pattern matching. For XSS tests, in some cases pattern matching can lead to false positives because they lack a proper context of the payload's relation to the DOM. The pattern matching confirms that the payload was reflected, but it doesn't mean the payload modified the DOM or escaped all enclosing characters in order to be an exploitable vulnerability. We have crafted the pattern matches to reduce as many false positives as possible. For manual verification: echo -e "<SCRIPT>alert(document.domain)</SCRIPT> / HTTP/1.1\r\nHost: qualys.com\r\nConnection: close\r\nContent-length: -1\r\n\r\n" | ...command... where the command is either of the following depending on whether you are connecting via HTTPS: nc -v host port Page 326

Vulnerability Remediation Synopsis version 0.4Russ Klanke

openssl s_client -connect host:port

For further information regarding Cross-Site Scripting, please refer to OWASP.

Red Hat Updates


Upgrade to the latest packages which contain a patch. These are available from the Red Hat Network (RHN). Steps on using the Red Hat Network (RHN) to apply packages are listed as follows: For Red Hat Enterprise Linux Versions 2.1, 3, and 4, the interactive Update Agent can be launched with the "up2date" command. For Red Hat Enterprise Linux Version 5, the graphical Update tool can be launched with the "pup" command. To install packages using the command-line interface, use the command "yum update". Install the latest php, Apache, bind (and so forth) updates from Red Hat.

Security Vulnerability Assessment minimum software versions


Where the vendor supplies an update instead of upgrading the software, use the vendor update. For example, Red Hat Linux includes many Open Systems software packages (such as Apache and OpenSSL). Red Hat will typically "backport" the software update (that is, apply the code correction to a previously released software version, recompile and release the result). It is not necessary (and you are discouraged from) acquiring the Open Systems package and installing it. Use the vendor-supplied update instead. The "minimum software version" listed here should be ignored. When you are installing a software package and multiple vulnerabilities are reported in a software package, each makes its own version recommendation. You want to know what the highest version number recommended is; that is, what is the minimum version number required for this project. What follows is a list of software versions that are minimum recommendations. You can assume "or higher" after each line. Note that in some cases I have left multiple minimum version numbers in place, reflecting multiple vendor support paths. I suspect this list can be simplified. This does not reflect patches to install for a specific vulnerability. This does not reflect configuration changes.

Minimum versions in the scope of this project, as well as current versions: Adobe AIR 1.5.2 current: 3.0 Adobe Flash Player 10.0.32.18 current: 11.0.1.152 Apache Tomcat 4.1.40, 5.5.34, 6.0.33, 7.0.19 current: 5.5.34, 6.0.33, 7.0.22 Apache Tomcat JK Web Server Connector 1.2.23 current: 1.2.32 Page 327

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Apache Web Server 1.3.42, 2.2.20 current: 2.2.21 AWStats 6.4 current: 6.9 BIND 8.4.7-P1, 9.4.3-P5, 9.5.2-P2, 9.6.1-P3, 9.7.0b3 current: 9.8.1 IBM HTTP Server 6.1.0.39, 7.0.0.19, 8.0.0.1 current: 6.1.0.39, 7.0.0.19, 8.0.0.1 Cistron RADIUS 1.6.6 current: 1.6.8 CVS 1.11.20 current: 1.11.23 DameWare 3.73 current: 7.5.9.0 GNuPG 1.4.5, 1.9.22 current: 1.4.11, 2.0.18 GoAhead WebServer 2.1.5 current: 2.5 HP HTTP Server 5.96 current: 5.96 HP System Management Homepage (SMH, Insight Manager) 6.3 (Linux or Windows, x86 or x64) current: 6.3.1 IBM Java SDK 1.3.1 SR11, 1.4.2 SR3 current: 1.6.1 Macromedia JRun 4.0 Updater 6 current: 4.0 Updater 6 Mediawiki 1.16.1 current: 1.17 Mozilla Firefox 3.5.1 current: 7.0.1 MySQL 6.0.9 current: perhaps 7.1.15a MySQL Community Server 5.0.51.a current: 5.5.16 nfs-utils 1.0.4 current: 1.2.5 OpenLDAP latest version current: 2.4.26 OpenRADIUS 0.9.4 current: 0.9.12c OpenSSH 5.2 current: 5.9 OpenSSL 0.9.8r, 1.0.0d current: OpenSSL 1.0.0e PHP 5.3.8 current: 5.3.8 Python 3.1.1 current: 3.2.2 rsync 2.6.3 current: 3.0.0 Samba 3.3.14, 3.4.9, 3.5.10 current: 3.6.0 Sendmail 8.14.4 current: 8.14.5 Squid 2.6.STABLE17, 3.0.STABLE24, 3.1.0.13 current: 2.7.STABLE9, 3.1.16 Sudo 1.6.8p12 current: 1.8.2 Sun ONE / iPlanet Web Server 4.1 Service Pack 12 current: 6.1 VMWare ESX Server 3.5 Patch ESX350-200806218-UG current: 4.1.0 Webmin 1.290, Usermin 1.220 current: Webmin 1.570, Usermin 1.490 WFTPD 2.4.1RC12 current: 3.3.0 Wordpress 3.1.2 current: 3.2.1

I suspect that any version information I suggest regarding Cisco, Oracle, Sun Java JRE and Solaris to be less than useful. Cisco IOS 12.2(12.05), 12.2(12.05)T, 12.2(12.05)S, 12.2(13.03)B, 15.0(1)XA5 current: 12.4(24)T Oracle 10.1.0.5, 10.2.0.4 Patch Set 1, 10.2.0.5 Page 328

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Oracle 9i Database Release 2 9.2.0.3 Oracle Database 11g Sun Java SDK and JRE 1.3.1_25 (Solaris 8 with Vintage Support Offering), Java SE for Business SDK and JRE 1.4.2_20, JDK and JRE 5.0 Update 20, JDK and JRE 6 Update 15 Sun Java Web Console 3.0.2 with patch 136986-02 (for Solaris 8, x86 Platform) Sun Java Web Console 3.0.2 with patch 136987-02 (for Solaris 8, SPARC Platform) Sun Java Web Console 3.0.2, 3.0.3, 3.0.4, 3.0.5 bundled with JES with patch 125955-18 (Windows platform) Sun Java Web Console 3.0.2, 3.0.3, 3.0.4, 3.0.5 unbundled from JES with patch 127534-18 (Windows platform) Sun Java Web Console 3.0.2, 3.0.3, 3.0.4, 3.0.5 with patch 125950-18 (for Solaris 9, SPARC platform) Sun Java Web Console 3.0.2, 3.0.3, 3.0.4, 3.0.5 with patch 125951-18 (for Solaris 9, x86 platform) Sun Java Web Console 3.0.2, 3.0.3, 3.0.4, 3.0.5 with patch 125954-18 (Linux) Solaris 2.5.1 with patch 103640-41 (SPARC platform) Solaris 2.5.1 with patch 103641-41 (x86 platform) Solaris 2.6 with patches 105401-38 and 105564-05 (SPARC platform) Solaris 2.6 with patches 105402-38 and 105565-05 (x86 platform) Solaris 7 with patch 106942-21 (SPARC platform) Solaris 7 with patch 106943-21 (x86 platform) Solaris 8 with patch 136987-01 (SPARC platform) or 136986-01 (x86 platform) Solaris 9 with patch 125950-07 (SPARC platform) or 125951-07 (x86 platform) Solaris 10 with patch 125952-18 (SPARC platform) or 125953-18 (x86 platform)

Vulnerability Remediation Synopsis version 0.4Russ Klanke

Page 329