Summary of Security Items from June 1 through June 7, 2005
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded in the past week. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores.
Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities corresponds to the following scores:
- High: vulnerabilities with a CVSS base score of 7.0–10.0
- Medium: vulnerabilities with a CVSS base score of 4.0–6.9
- Low: vulnerabilities with a CVSS base score of 0.0–3.9
Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis.
Information in the US-CERT Cyber Security Bulletin is a compilation and includes information published by outside sources, so the information should not be considered the result of US-CERT analysis. Software vulnerabilities are categorized in the appropriate section reflecting the operating system on which the vulnerability was reported; however, this does not mean that the vulnerability only affects the operating system reported, since this information is obtained from open-source information.

This bulletin provides a summary of new or updated vulnerabilities, exploits, trends, viruses, and trojans. Updates to vulnerabilities that appeared in previous bulletins are listed in bold text. The text in the Risk column appears in red for vulnerabilities ranking High. The risk levels applied to vulnerabilities in the Cyber Security Bulletin are based on how the "system" may be impacted. The Recent Exploit/Technique table contains a "Workaround or Patch Available" column that indicates whether a workaround or patch has been published for the vulnerability which the script exploits.
Vulnerabilities

The table below summarizes vulnerabilities that have been identified, even if they are not being exploited. Complete details about patches or workarounds are available from the source of the information or from the URL provided in the section. CVE numbers are listed where applicable. Vulnerabilities that affect both Windows and Unix Operating Systems are included in the Multiple Operating Systems section.

Note: All the information included in the following tables has been discussed in newsgroups and on web sites.
The Risk levels defined below are based on how the system may be impacted:

Note: Even though a vulnerability may allow several malicious acts to be performed, only the highest level risk will be defined in the Risk column.

- High - A high-risk vulnerability is defined as one that will allow an intruder to immediately gain privileged access (e.g., sysadmin or root) to the system or allow an intruder to execute code or alter arbitrary system files. An example of a high-risk vulnerability is one that allows an unauthorized user to send a sequence of instructions to a machine and the machine responds with a command prompt with administrator privileges.
- Medium - A medium-risk vulnerability is defined as one that will allow an intruder immediate access to a system with less than privileged access. Such a vulnerability will allow the intruder the opportunity to continue the attempt to gain privileged access. An example of a medium-risk vulnerability is a server configuration error that allows an intruder to capture the password file.
- Low - A low-risk vulnerability is defined as one that will provide information to an intruder that could lead to further compromise attempts or a Denial of Service (DoS) attack. It should be noted that while the DoS attack is deemed low from a threat potential, the frequency of this type of attack is very high. DoS attacks against mission-critical nodes are not included in this rating and any attack of this nature should instead be considered to be a "High" threat.
UNIX / Linux Operating Systems Only

Vendor & Software Name | Vulnerability - Impact / Patches - Workarounds / Attack Scripts | Common Name / CVE Reference | Risk | Source |
--- | --- | --- | --- | --- |
GIPTables Firewall 1.0, 1.1 | A vulnerability has been reported due to the insecure creation of No workaround or patch available at time of publishing. There is no exploit code required. | | Medium | Securiteam, June 6, 2005 |
QuickTime Player 7.0 | A vulnerability has been reported in the QuickTime Web plugin because Quartz Composer compositions that are embedded in '.mov' files can access system information, which could let a remote malicious user obtain sensitive information. Upgrade available at: A Proof of Concept exploit has been published. | | Medium | Security Tracker Alert, 1013961, May 12, 2005; Apple Security Advisory, APPLE-SA-2005-05-31, May 31, 2005 |
bzip2 1.0.2 | A remote Denial of Service vulnerability has been reported when the Ubuntu: Mandriva: TurboLinux: Currently we are not aware of any exploits for this | | Low | Ubuntu Security Notice, USN-127-1, May 17, 2005; Mandriva Linux Security Update Advisory, MDKSA-2005:091, May 19; Turbolinux Security Advisory, TLSA-2005-60, June 1, 2005 |
bzip2 1.0.2 & prior | A vulnerability has been reported when an archive is extracted into a Ubuntu: Mandriva: Debian: TurboLinux: There is no exploit code required. | | Medium | Security Focus; Ubuntu Security Notice, USN-127-1, May 17, 2005; Mandriva Linux Security Update Advisory, MDKSA-2005:091, May 19; Debian Security Advisory, DSA 730-1, May 27, 2005; Turbolinux Security Advisory, TLSA-2005-60, June 1, 2005 |
Cyrus SASL 1.5.24, 1.5.27, 1.5.28, 2.1.9-2.1.18 | Several vulnerabilities exist: a buffer overflow vulnerability exists Fedora: Gentoo: http://security.gentoo.org/glsa/glsa-200410-05.xml Mandrake: http://www.mandrakesecure.net/en/ftp.php RedHat: http://rhn.redhat.com/errata/RHSA-2004-546.html Trustix: ftp://ftp.trustix.org/pub/trustix/updates/ Debian: http://security.debian.org/pool/updates/main/c/cyrus-sasl/ Conectiva: ftp://atualizacoes.conectiva.com.br/ OpenPKG: FedoraLegacy: SUSE: Apple: Conectiva: Currently we are not aware of any exploits for these vulnerabilities. | | High | Security Tracker Alert ID: 1011568, October 7, 2004; Debian Security Advisories DSA 563-2, 563-3, & 568-1, October 12; Conectiva Linux Security Announcement, CLA-2004:889, November 11, 2004; OpenPKG Security Advisory, January 28, 2005; Fedora Legacy Update Advisory, FLSA:2137, February 17, 2005; SUSE Security Summary Report, SUSE-SR:2005:006, February 25, 2005; SUSE Security Announcement, SUSE-SA:2005:013, March 3, 2005; Mandrakelinux Security Update Advisory, MDKSA-2005:054, March 16, 2005; Apple Security Update, APPLE-SA-2005-03-21, March 21, 2005; Conectiva Security Advisory, CLSA-2005:959, June 2, 2005 |
Ethereal 0.8.14, 0.8.15, 0.8.18, 0.8.19, 0.9-0.9.16, 0.10-0.10.9 | Multiple vulnerabilities were reported that affect more than 50 different Upgrades available at: Gentoo: http://security.gentoo.org/glsa/glsa-200505-03.xml Mandriva: RedHat: Conectiva: SuSE: An exploit script has been published. | Ethereal Multiple Remote Protocol Dissector Vulnerabilities, CAN-2005-1456 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1456) | High | Ethereal Security Advisory, enpa-sa-00019, May 4, 2005; Gentoo Linux Security Advisory, GLSA 200505-03, May 6, 2005; Mandriva Linux Security Update Advisory, MDKSA-2005:083, May 11, 2005; RedHat Security Advisory, RHSA-2005:427-05, May 24, 2005; Conectiva Security Advisory, CLSA-2005:963, June 6, 2005; SUSE Security Summary Report, SUSE-SR:2005:014, June 7, 2005 |
Everybuddy 0.4.3 & prior | A vulnerability has been reported because the No workaround or patch available at time of publishing. There is no exploit code required. | | Medium | Security Tracker Alert, 1014110, June 6, 2005 |
FreeRADIUS 1.0.2 | Two vulnerabilities have been reported: a vulnerability was reported in the 'radius_xlat()' function call due to insufficient validation, which could let a remote malicious user execute arbitrary SQL code; and a buffer overflow vulnerability was reported in the 'sql_escape_func()' function, which could let a remote malicious user execute arbitrary code. Gentoo: SuSE: There is no exploit code required. | | High | Security Tracker Alert ID: 1013909, May 6, 2005; Gentoo Linux Security Advisory, GLSA 200505-13, May 17, 2005; SUSE Security Summary Report, SUSE-SR:2005:014, June 7, 2005 |
FUSE 2.x | A vulnerability has been reported because certain memory is not correctly cleared before being returned to users, which could let a malicious user obtain sensitive information. Update available at: A Proof of Concept exploit script has been published. | | Medium | Secunia Advisory, SA15561, June 3, 2005 |
gFTP 0.1, 0.2, 0.21, 1.0, 1.1-1.13, 2.0-2.0.17 | A Directory Traversal vulnerability exists due to insufficient Upgrades available at: Debian: http://security.debian.org/pool/updates/main/g/gftp/ Gentoo: http://security.gentoo.org/glsa/glsa-200502-27.xml SUSE: Mandrake: http://www.mandrakesecure.net/en/ftp.php Conectiva: There is no exploit code required. | | Medium | Security Focus, February 14, 2005; Debian Security Advisory, DSA 686-1, February 17, 2005; SUSE Security Summary Report, SUSE-SR:2005:005, February 18, 2005; Gentoo Linux Security Advisory, GLSA 200502-27, February 19, 2005; Mandrakelinux Security Update Advisory, MDKSA-2005:050, March 4, 2005; Conectiva Security Advisory, CLSA-2005:957, May 31, 2005 |
gzip 1.2.4a, 1.2.4, 1.3.3-1.3.5 | A Directory Traversal vulnerability has been reported due to an input Ubuntu: Trustix: http://http.trustix.org/pub/trustix/updates/ Gentoo: http://security.gentoo.org/glsa/glsa-200505-05.xml IPCop: Mandriva: TurboLinux: Proof of Concept exploit has been published. | | Medium | Bugtraq, 396397, April 20, 2005; Ubuntu Security Notice, USN-116-1, May 4, 2005; Trustix Secure Linux Security Advisory, TSLSA-2005-0018, May 6; Gentoo Linux Security Advisory, GLSA 200505-05, May 9, 2005; Security Focus, 13290, May 11, 2005; Mandriva Linux Security Update Advisory, MDKSA-2005:092, May 19, 2005; Turbolinux Security Advisory, TLSA-2005-59, June 1 |
Mailutils 0.5, 0.6 | Multiple vulnerabilities have been reported that could let a remote A fixed version (0.6.90) is available at: ftp://alpha.gnu.org/gnu/mailutils/mailutils-0.6.90.tar.gz Gentoo: http://security.gentoo.org/glsa/glsa-200505-20.xml Debian: Proofs of Concept exploits have been published. | GNU Mailutils Buffer Overflow and Format String Bugs Let CAN-2005-1520 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1520) | High | iDEFENSE Security Advisory 05.25.05; Gentoo Linux Security Advisory, GLSA 200505-20, May 27, 2005; Debian Security Advisory, DSA 732-1, June 3, 2005 |
gzip 1.2.4, 1.3.3 | A vulnerability has been reported when an archive is extracted into a Ubuntu: Trustix: http://http.trustix.org/pub/trustix/updates/ Gentoo: http://security.gentoo.org/glsa/glsa-200505-05.xml Mandriva: TurboLinux: There is no exploit code required. | | Medium | Security Focus; Ubuntu Security Notice, USN-116-1, May 4, 2005; Trustix Secure Linux Security Advisory, TSLSA-2005-0018, May 6; Gentoo Linux Security Advisory, GLSA 200505-05, May 9, 2005; Mandriva Linux Security Update Advisory, MDKSA-2005:092, May 19, 2005; Turbolinux Security Advisory, TLSA-2005-59, June 1, 2005 |
GnuTLS 1.2 prior to 1.2.3; 1.0 prior to 1.0.25 | A remote Denial of Service vulnerability has been reported due to insufficient validation of padding bytes in 'lib/gnutls_cipher.c'. Updates available at: Fedora: Gentoo: http://security.gentoo.org/glsa/glsa-200505-04.xml Mandriva: Ubuntu: RedHat: Currently we are not aware of any exploits for this | | Low | Security Tracker Alert, 1013861, May 2, 2005; Fedora Update Notification; Gentoo Linux Security Advisory, GLSA 200505-04, May 9, 2005; Mandriva Linux Security Update Advisory, MDKSA-2005:084, May 12, 2005; Ubuntu Security Notice, USN-126-1, May 13, 2005; RedHat Security Advisory, RHSA-2005:430-05, June 1, 2005 |
zgrep 1.2.4 | A vulnerability has been reported in 'zgrep.in' due to insufficient A patch for 'zgrep.in' is available in the following bug report: Mandriva: TurboLinux: There is no exploit code required. | | High | Security Tracker Alert, 1013928, May 10, 2005; Mandriva Linux Security Update Advisory, MDKSA-2005:092, May 19, 2005; Turbolinux Security Advisory, TLSA-2005-59, June 1, 2005 |
HP-UX B.11.23, B.11.22, B.11.11, B.11.04, B.11.00 | A remote Denial of Service vulnerability has been reported in the Path Patches available at: http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=B6834AA Revision 2: The binary files of HPSBUX01164 will resolve the Currently we are not aware of any exploits for this | | Low | Hewlett Packard Company Security Advisory, HPSBUX01137, April 24, 2005; Hewlett Packard Company Security Advisory, HPSBUX01137: SSRT5954 rev.1; Hewlett Packard Company Security Advisory, HPSBUX01137: |
libexif 0.6.9, 0.6.11 | A vulnerability exists in the 'EXIF' library due to insufficient validation of 'EXIF' tag structure, which could let a remote malicious user execute arbitrary code. Ubuntu: Fedora: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/ Gentoo: http://security.gentoo.org/glsa/glsa-200503-17.xml RedHat: http://rhn.redhat.com/errata/RHSA-2005-300.html Mandrake: http://www.mandrakesecure.net/en/ftp.php Debian: SUSE: Peachtree: http://peachtree.burdell.org/updates/ Conectiva: Currently we are not aware of any exploits for this vulnerability. | | High | Ubuntu Security; Fedora Update Notifications; Gentoo Linux; RedHat Security Advisory; Mandrakelinux Security Update Advisory; Debian Security Advisory, DSA 709-1, April 15, 2005; SUSE Security Summary Report, SUSE-SR:2005:011, April 15, 2005; Peachtree Linux Security Notice, PLSN-0006, April 22, 2005; Conectiva Security Advisory, CLSA-2005:960, June 2, 2005 |
LibTIFF 3.4, 3.5.1-3.5.5, 3.5.7, 3.6.0, 3.6.1, 3.7, 3.7.1 | A buffer overflow vulnerability has been reported in the 'TIFFOpen()' Patches available at: Gentoo: http://security.gentoo.org/glsa/glsa-200505-07.xml Ubuntu: SuSE: Currently we are not aware of any exploits for this | | High | Gentoo Linux Security Advisory, GLSA 200505-07, May 10, 2005; Ubuntu Security Notice, USN-130-1, May 19, 2005; SUSE Security Summary Report, SUSE-SR:2005:014, June 7, 2005 |
Convert-UUlib 1.50 | A buffer overflow vulnerability has been reported in the Convert::UUlib module for Perl due to a boundary error, which could let a remote malicious user execute arbitrary code. Update available at: Gentoo: http://security.gentoo.org/glsa/glsa-200504-26.xml Debian: SuSE: Currently we are not aware of any exploits for this | | High | Gentoo Linux Security Advisory, GLSA 200504-26, April 26, 2005; Secunia Advisory, SA15130, April 27, 2005; Debian Security Advisory, DSA 727-1, May 20, 2005; SUSE Security Summary Report, SUSE-SR:2005:014, June 7, 2005 |
Mortiforo prior to 0.9.1 | A vulnerability has been reported because a remote malicious user can access private forums without permission. Update available at: There is no exploit code required. | | Medium | Security Tracker Alert, 1014120, June 7, 2005 |
FreeBSD 5.4 & prior | A vulnerability was reported in FreeBSD when using Hyper-Threading Technology due to a design error, which could let a malicious user obtain sensitive information and possibly elevated privileges. Patches and updates available at: SCO: Ubuntu: RedHat: Sun: Mandriva: Currently we are not aware of any exploits for this | | Medium | FreeBSD Security Advisory, FreeBSD-SA-05:09, May 13, 2005; SCO Security Advisory, SCOSA-2005.24, May 13, 2005; Ubuntu Security Notice, USN-131-1, May 23, 2005; RedHat Security Advisory, RHSA-2005:476-08, June 1, 2005; Sun(sm) Alert Notification, 101739, June 1, 2005; Mandriva Linux Security Update Advisory, MDKSA-2005:096, June |
GNU Binutils 2.14, 2.15; Gentoo Linux | A vulnerability was reported in the GNU Binutils Binary File Descriptor Gentoo: Currently we are not aware of any exploits for this | | High | Gentoo Linux Security Advisory, GLSA 200506-01, June 1, 2005 |
Linux kernel 2.4.0-test1-test12, 2.4-2.4.29, 2.6, 2.6-test1-test11, | Multiple vulnerabilities have been reported in the ISO9660 handling Fedora: Ubuntu: Fedora: RedHat: Conectiva: FedoraLegacy: Currently we are not aware of any exploits for these | | High | Security Focus; Fedora Security; Ubuntu Security Notice, USN-103-1, April 1, 2005; Fedora Update Notification; RedHat Security Advisory, RHSA-2005:366-19, April 19, 2005; Conectiva Linux Security Announcement, CLA-2005:952, May 2, 2005; Fedora Legacy Update Advisory, FLSA:152532, June 4 |
GNOME GdkPixbuf 0.22 | A remote Denial of Service vulnerability has been reported due to a Fedora: RedHat: http://rhn.redhat.com/errata/RHSA-2005-344.html http://rhn.redhat.com/errata/RHSA-2005-343.html Ubuntu: SGI: Mandrake: http://www.mandrakesecure.net/en/ftp.php SGI: TurboLinux: Conectiva: Currently we are not aware of any exploits for this | | Low | Fedora Update Notifications; RedHat Security Advisories; Ubuntu Security Notice, USN-108-1, April 05, 2005; SGI Security Advisory, 20050401-01-U, April 6, 2005; Mandrakelinux Security Update Advisory, MDKSA-2005:068 & 069, April; SGI Security Advisory, 20050403-01-U, April 15, 2005; Turbolinux Security Advisory, TLSA-2005-57, May 16, 2005; Conectiva Security Advisory, CLSA-2005:958, June 1, 2005 |
GNU Mailutils 0.6.90, 0.6, 0.5 | An SQL injection vulnerability has been reported due to insufficient Gentoo: There is no exploit code required. | | High | Gentoo Linux Security Advisory, GLSA 200506-02, June 6, 2005 |
GraphicsMagick 1.0, 1.0.6, 1.1, 1.1.3-1.1.6; ImageMagick | A remote Denial of Service vulnerability has been reported due to a Gentoo: http://security.gentoo.org/glsa/glsa-200505-16.xml Ubuntu: Fedora: RedHat: Currently we are not aware of any exploits for this | | Low | Gentoo Linux Security Advisory, GLSA 200505-16, May 21, 2005; Ubuntu Security Notice, USN-132-1, May 23, 2005; Fedora Update Notification; RedHat Security Advisory, RHSA-2005:480-03, June 2, 2005 |
Linux Kernel 2.2, 2.4, 2.6 | Several buffer overflow vulnerabilities exist in 'drivers/char/moxa.c' Ubuntu: SUSE: FedoraLegacy: Currently we are not aware of any exploits for these | | High | Security Tracker Alert, 1013273, February 23, 2005; SUSE Security Announcement, SUSE-SA:2005:018, March 24, 2005; Fedora Legacy Update Advisory, FLSA:152532, June 4, 2005 |
Linux kernel 2.2.x, 2.4.x, 2.6.x | A buffer overflow vulnerability has been reported in the 'elf_core_dump()' function due to a signedness error, which could let a malicious user execute arbitrary code with ROOT privileges. Update available at: http://kernel.org/ Trustix: Ubuntu: RedHat: Avaya: http://support.avaya.com/elmodocs2/security/ASA-2005-120_RHSA-2005-283_RHSA-2005-284_RHSA-2005-293_RHSA-2005-472.pdf An exploit script has been published. | | High | Secunia Advisory, SA15341, May 12, 2005; Trustix Secure Linux Security Advisory, 2005-0022, May 13, 2005; Ubuntu Security Notice, USN-131-1, May 23, 2005; RedHat Security Advisory, RHSA-2005:472-05, May 25, 2005; Avaya Security Advisory, ASA-2005-120, June 3, 2005 |
Linux Kernel 2.4.x, 2.6 prior to 2.6.11.11 | A vulnerability has been reported in the Linux kernel in the Radionet Updates available at: Currently we are not aware of any exploits for this | Linux Kernel Radionet Open Source Environment (ROSE) ndigis Input | Not Specified | Security Tracker Alert, 1014115, June 7, 2005 |
Linux kernel 2.4-2.4.29, 2.6.10, 2.6-2.6.11 | A vulnerability has been reported in the 'bluez_sock_create()' function Patches available at: Fedora: SUSE: Trustix: Fedora: RedHat: RedHat: http://rhn.redhat.com/errata/RHSA-2005-284.html Conectiva: FedoraLegacy: A Proof of Concept exploit script has been published. | | High | Security Tracker; SUSE Security Announcement, SUSE-SA:2005; Trustix Secure; Fedora Update Notification; RedHat Security Advisory, RHSA-2005:366-19, April 19, 2005; RedHat Security Advisories, RHSA-2005:283-15 & RHSA-2005:284-11; Conectiva Linux Security Announcement, CLA-2005:952, May 2, 2005; Fedora Legacy Update Advisory, FLSA:152532, June 4, 2005 |
Linux Kernel 2.6 - 2.6.10 rc2 | The Linux kernel /proc filesystem is susceptible to an information disclosure vulnerability. This issue is due to a race condition allowing unauthorized access to potentially sensitive process information. This vulnerability may allow malicious local users to gain access to potentially sensitive environment variables in other users' processes. Ubuntu: http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-doc-2.6.8.1_2.6.8.1-16.3_all.deb Mandrake: http://www.mandrakesecure.net/en/ftp.php TurboLinux: ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ RedHat: Avaya: http://support.avaya.com/elmodocs2/security/ASA-2005-120_RHSA-2005-283_RHSA-2005-284_RHSA-2005-293_RHSA-2005-472.pdf FedoraLegacy: Currently we are not aware of any exploits for this | Multiple Vendors Linux Kernel PROC Filesystem Local CAN-2004-1058 (http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CAN-2004-1058) | Medium | Ubuntu Security Notice, USN-38-1, December 14, 2004; Mandrake Security Advisory, MDKSA-2005:022, January 26, 2005; Turbolinux Security Announcement, February 28, 2005; Avaya Security Advisory, ASA-2005-120, June 3, 2005; Fedora Legacy Update Advisory, FLSA:152532, June 4, 2005 |
Linux Kernel 2.6.10, 2.6-test1-test11, 2.6-2.6.11 | A Denial of Service vulnerability has been reported in the Patches available at: Fedora: Trustix: Fedora: RedHat: Conectiva: FedoraLegacy: Currently we are not aware of any exploits for this | | Low | Fedora Security; Trustix Secure; Fedora Update Notification; RedHat Security Advisory, RHSA-2005:366-19, April 19, 2005; Conectiva Linux Security Announcement, CLA-2005:952, May 2, 2005; Fedora Legacy Update Advisory, FLSA:152532, June 4, 2005 |
Linux kernel 2.6.10, 2.6-test9-CVS, 2.6-test1-test11, 2.6, 2.6.1 | A remote Denial of Service vulnerability has been reported in the Ubuntu: Trustix: http://http.trustix.org/pub/trustix/updates SUSE: Fedora: ALTLinux: Fedora: RedHat: RedHat: http://rhn.redhat.com/errata/RHSA-2005-284.html Conectiva: Avaya: http://support.avaya.com/elmodocs2/security/ASA-2005-120_RHSA-2005-283_RHSA-2005-284_RHSA-2005-293_RHSA-2005-472.pdf FedoraLegacy: Currently we are not aware of any exploits for this vulnerability. | | Low | Ubuntu Security Notice, USN-95-1, March 15, 2005; Trustix Secure Linux Security Advisory, TSL-2005-0009, March 21, 2005; SUSE Security Announcement, SUSE-SA:2005:018, March 24, 2005; Fedora Security Update Notification; ALTLinux Security Advisory, March 29, 2005; Fedora Update Notification; RedHat Security Advisory, RHSA-2005:366-19, April 19, 2005; RedHat Security Advisories, RHSA-2005:283-15 & RHSA-2005:284-11; Conectiva Linux Security Announcement, CLA-2005:952, May 2, 2005; Avaya Security Advisory, ASA-2005-120, June 3, 2005; Fedora Legacy Update Advisory, FLSA:152532, June 4, 2005 |
Linux kernel 2.6.10, 2.6-test9-CVS, 2.6-test1-test11, 2.6, | Multiple vulnerabilities exist: a vulnerability exists in the 'shmctl' RedHat: https://rhn.redhat.com/errata/RHSA-2005-092.html Ubuntu: http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/ Conectiva: ftp://atualizacoes.conectiva.com.br/1 SUSE: Fedora: Conectiva: Fedora: RedHat: RedHat: http://rhn.redhat.com/errata/RHSA-2005-284.html RedHat: Avaya: http://support.avaya.com/elmodocs2/security/ASA-2005-120_RHSA-2005-283_RHSA-2005-284_RHSA-2005-293_RHSA-2005-472.pdf FedoraLegacy: Currently we are not aware of any exploits for these | Linux Kernel CAN-2005-0177 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0177), CAN-2005-0176 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0176) | Medium | Ubuntu Security; RedHat Security Advisory; SUSE Security Announcement; Fedora Security; Conectiva Linux Security Announcement; Fedora Update Notification; RedHat Security Advisory, RHSA-2005:366-19, April 19, 2005; RedHat Security Advisories, RHSA-2005:283-15 & RHSA-2005:284-11; RedHat Security Advisory, RHSA-2005:472-05, May 25, 2005; Avaya Security Advisory, ASA-2005-120, June 3, 2005; FedoraLegacy: FLSA:152532, June 4, 2005 |
Linux kernel 2.6.10, 2.6-test1-test11, 2.6.1-2.6.11; | A vulnerability has been reported in the EXT2 filesystem handling code, which could let a malicious user obtain sensitive information. Patches available at: Fedora: Trustix: Fedora: RedHat: Conectiva: FedoraLegacy: Currently we are not aware of any exploits for this | | Medium | Security Focus; Trustix Secure; Fedora Update Notification; RedHat Security Advisory, RHSA-2005:366-19, April 19, 2005; Conectiva Linux Security Announcement, CLA-2005:952, May 2, 2005; Fedora Legacy Update Advisory, FLSA:152532, June 4, 2005 |
Linux Kernel versions except 2.6.9 | A race condition vulnerability exists in the Linux Kernel terminal This issue has been addressed in version 2.6.9 of Ubuntu: http://security.ubuntu.com/ubuntu/pool/main/l/linux-source-2.6.8.1/linux-doc-2.6.8.1_2.6.8.1-16.3_all.deb Mandrake: http://www.mandrakesecure.net/en/ftp.php FedoraLegacy: http://download.fedoralegacy.org/redhat/ TurboLinux: ftp://ftp.turbolinux.co.jp/pub/TurboLinux/TurboLinux/ SUSE: Avaya: http://support.avaya.com/elmodocs2/security/ASA-2005-120_RHSA-2005-283_RHSA-2005-284_RHSA-2005-293_RHSA-2005-472.pdf Currently we are not aware of any exploits for this | Multiple Vendors Linux Kernel CAN-2004-0814 (http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=CAN-2004-0814) | Low | Security Focus, December 14, 2004; Mandrake Security Advisory, MDKSA-2005:022, January 26, 2005; Fedora Legacy Update Advisory, FLSA:2336, February 24, 2005; Turbolinux Security Announcement, February 28, 2005; SUSE Security Announcement, SUSE-SA:2005:018, March 24, 2005; Avaya Security Advisory, ASA-2005-120, June 3, 2005 |
NASM 0.98.35, 0.98.38; RedHat Advanced Workstation for the Itanium | A buffer overflow vulnerability has been reported in the RedHat: http://rhn.redhat.com/errata/RHSA-2005-381.html Ubuntu: SGI: Mandriva: TurboLinux: Currently we are not aware of any exploits for this | | High | RedHat Security Advisory, RHSA-2005:381-06, May 4, 2005; Ubuntu Security Notice, USN-128-1, May 17, 2005; Turbolinux Security Advisory, TLSA-2005-61, June 1, 2005 |
Qpopper 4.x; Gentoo Linux | Several vulnerabilities have been reported: a vulnerability was reported because user supplied config and trace files are processed with elevated privileges, which could let a malicious user create/overwrite arbitrary files; and a vulnerability was reported due to an unspecified error which could let a malicious user create group or world-writable files. Upgrades available at: Gentoo: http://security.gentoo.org/glsa/glsa-200505-17.xml Debian: SuSE: There is no exploit code required. | | Medium | Gentoo Linux Security Advisory GLSA 200505-17, May 23, 2005; Secunia Advisory, SA15475, May 24, 2005; Debian Security Advisories, DSA 728-1 & 728-2, May 25 & 26; SUSE Security Summary Report, SUSE-SR:2005:014, June 7, 2005 |
PostgreSQL 7.3 through 8.0.2 | Two vulnerabilities have been reported: a vulnerability was reported because a remote authenticated malicious user can invoke some client-to-server character set conversion functions and supply specially crafted argument values to potentially execute arbitrary commands; and a remote Denial of Service vulnerability was reported because the 'contrib/tsearch2' module incorrectly declares several functions as returning type 'internal.' Fix available at: Trustix: http://http.trustix.org/pub/trustix/updates/ Gentoo: Trustix: TurboLinux: RedHat: Currently we are not aware of any exploits for these | | Low/High (High if arbitrary code can be executed) | Security Tracker Alert, 1013868, May 3, 2005; Ubuntu Security Notice, USN-118-1, May 04, 2005; Trustix Secure Linux Security Advisory, TSLSA-2005-0018, May 6, 2005; Gentoo Linux Security Advisory, GLSA 200505-12, May 16, 2005; Trustix Secure Linux Bugfix Advisory, TSL-2005-0023, May 16, 2005; Turbolinux Security Advisory, TLSA-2005-62, June 1, 2005; RedHat Security Advisory, RHSA-2005:433-17, June 1, 2005 |
Solaris 10.0 | A vulnerability has been reported in the C Library ('libc' and 'libproject') due to an unspecified error, which could let a malicious user obtain elevated privileges. Patch available at: Currently we are not aware of any exploits for this | | Medium | Sun(sm) Alert Notification, 101740, June 3, 2005 |
LutelWall 0.97 & prior | A vulnerability has been reported in the 'new_version_check()' function No workaround or patch available at time of publishing. There is no exploit code required. | | High | Security Tracker Alert, 1014112, June 6, 2005 |
Yapig 0.92b, 0.93u, 0.94u | Several vulnerabilities have been reported: a vulnerability was No workaround or patch available at time of publishing. Proofs of Concept exploits have been published. | YaPiG Multiple Vulnerabilities, CAN-2005-1881 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1881) | High | SecWatch Advisory, June 4, 2005 |
Wireless

The section below contains wireless vulnerabilities, articles, and viruses/trojans identified during this reporting period.

- Bluetooth Security Review, Part 2: Article that looks at Bluetooth viruses, several unpublished vulnerabilities in Symbian based phones, and then discusses "Blue tag" tracking, positioning, and privacy issues. Source: http://www.securityfocus.com/infocus/1836.
- Bluetooth Security Review, Part 1: An introduction to Bluetooth and some of its security and privacy issues, including how it is detected and some implementation issues from various mobile phone vendors. Source: http://www.securityfocus.com/infocus/1830

Wireless Vulnerabilities

- New hack cracks 'secure' Bluetooth devices: A paper that describes a vulnerability that exists in the device pairing process has been published. It describes a passive attack which could let a remote malicious user find the PIN used during the pairing process. Source: http://www.eng.tau.ac.il/~yash/shaked-wool-mobisys05/.
- Linux Kernel Bluetooth Signed Buffer Index vulnerability (For more information, see entry in the Multiple Operating Systems Table)
- Yamaha MusicCAST MCX-1000 wireless network interface: The Yamaha MusicCAST MCX-1000 server wireless networking interface is enabled by default, cannot be disabled, and operates in Access Point mode, which could let a remote malicious user access the MusicCAST wireless network and potentially any other network connected to the MusicCAST. Source: US-CERT VU#758582.
Recent Exploit Scripts/Techniques

The table below contains a sample of exploit scripts and "how to" guides identified during this period. The "Workaround or Patch Available" column indicates if vendors, security vulnerability listservs, or Computer Emergency Response Teams (CERTs) have published workarounds or patches.

Note: At times, scripts/techniques may contain names or content that may be considered offensive.
Date of Script | Script name | Workaround or Patch Available | Script Description |
June 7, 2005 | portailphp-sql-inj.pl | No | Exploit for the PortailPHP ID Parameter SQL Injection vulnerability. |
June 7, 2005 | wordpress-sql-inj.pl | Yes | Exploit for the Wordpress Cat_ID Parameter SQL Injection vulnerability. |
June 6, 2005 | memfs.c | Yes | Proof of Concept exploit for the FUSE Information Disclosure vulnerability. |
June 6, 2005 | rakzero.zip | Yes | Exploit for the Rakkarsoft RakNet Remote Denial of Service vulnerability. |
June 6, 2005 | webapp-poc.sh.txt | Yes | Proof of Concept exploit for the Gentoo webapp-config Insecure Temporary File vulnerability. |
June 3, 2005 | crob_RMD_overflow.c | No | Proof of Concept exploit for the Crob FTP Server Remote RMD Command Stack Buffer Overflow vulnerability. |
June 2, 2005 | globalscapeftp_user_input.pm | Yes | Proof of Concept exploit for the GlobalSCAPE Secure FTP Server Remote Buffer Overflow vulnerability. |
June 2, 2005 | Mezcal | N/A | An HTTP/HTTPS brute forcing tool that allows the crafting of requests and insertion of dynamic variables on-the-fly. |
June 1, 2005 | ettercap-NG-0.7.3.tar.gz | N/A | A network sniffer/interceptor/logger for switched LANs that uses ARP poisoning and the man-in-the-middle technique to sniff all the connections between two hosts. |
June 1, 2005 | framework-2.4.tar.gz | N/A | The Metasploit Framework is an advanced open-source platform for developing, testing, and using exploit code. |
June 1, 2005 | MS05-021-PoC.pl | Yes | Exploit for the Microsoft Exchange Server Remote Code Execution Vulnerability. |
June 1, 2005 | ret-onto-ret_en.txt | N/A | Whitepaper that discusses how Linux 2.6.x vsyscalls may be used as powerful attack vectors. |
June 1, 2005 | spapromailExp.cpp | Yes | Proof of Concept exploit for the SPA-PRO Mail @Solomon IMAP Server Buffer Overflow Vulnerability. |
June 1, 2005 | vr-9.3c.tar.gz | N/A | A traceroute tool that displays a map of the path to the destination server by looking up the geographical location of each traceroute hop. |
June 1, 2005 | yersinia-0.5.4.tar.gz | N/A | Yersinia implements several attacks for the following protocols: Spanning Tree (STP), Cisco Discovery (CDP), Dynamic Host Configuration (DHCP), Hot Standby Router (HSRP), Dynamic Trunking (DTP), 802.1q and VLAN Trunking (VTP), helping a pen-tester with different tasks. |
Trends
- Pharming for profits: According to a workshop at the InBox e-mail security conference, an increase in pharming attacks has produced a steep rise in cybercrime statistics. Hackers today are committing fraud at alarming rates, using sophisticated, multilayered "pharming" botnets that point to the need for new forms of authentication to secure e-mail originators as well as Web site destinations. Analysis shows that 54% of all malware is designed to harvest confidential information from users, up from 44% in the second half of 2004 and 36% in the first half. Source: http://www.computerworld.com/securitytopics/security/cybercrime/story/0,10801,102179,00.html.
- Custom worms built for industrial espionage: The industrial espionage ring broken by Israeli police last week, where private investigators hired a programmer to custom-create a Trojan horse that was then planted on rivals' PCs, is only the most recent evidence of a trend towards smart targeting by hackers. Source: http://www.securitypipeline.com/news/163702820.
- "Remarkably sophisticated" web attack detailed: A new "remarkably sophisticated" attack that uses three pieces of malware to turn PCs into zombies that can be sold to criminal groups appeared on the Internet this week, security vendor Computer Associates International Inc. said yesterday. A version of the Bagle worm downloader that the company has dubbed Glieder is serving as a "beachhead" to install more serious malware on computers, CA said. Demonstrating a new level of coordination between Glieder and other attacks, infected computers can have their antivirus and firewall software disabled and can be turned into remotely controlled zombies used to mount large cyberattacks, CA said. Source: http://www.computerworld.com/securitytopics/security/story/0,10801,102214,00.html.
Viruses/Trojans
Recent Threats
- Bagle: At least three new versions of the Bagle e-mail worm are spreading quickly on the Internet, according to several Internet security firms. About 80 variants of the original Bagle worm, which first appeared in January 2004, have been released on the Internet. Damage from the new Bagle variants should be minor as antivirus vendors are reacting quickly to the attacks. The first two variants were tentatively dubbed Bagle.CA and Bagle.CB, which would make them the 79th and 80th Bagle variants. Source: http://www.computerworld.com/securitytopics/security/virus/story/0,10801,102143,00.html
- Mytob: Dubbed "Mytob.bi," this variant of Mytob scans the hard drive of an infected machine and sends copies of itself to email addresses it finds in the Windows Address Book. The worm poses as a message from an IT administrator, warning recipients that their email account is about to be suspended, Trend Micro said. Source: http://www.techworld.com/security/news/index.cfm?NewsID=3772
  Virus writers responsible for the recent rash of Mytob worm variants could be working on creating a superworm, a security researcher also warned. The HellBot group behind the Mytob worms writes programming instructions in its code that mirror the way developers work, said Sophos PLC security consultant Carole Theriault. "The only conclusion we can come up with is that they are working on a big superworm," she said. Source: http://www.computerworld.com/securitytopics/security/virus/story/0,10801,102220,00.html
Top Ten Virus Threats
A list of high threat
viruses, as reported to various anti-virus vendors and virus incident reporting
organizations, has been ranked and categorized in the table below. For the
purposes of collecting and collating data, infections involving multiple systems
at a single location are considered a single infection. It is therefore possible
that a virus has infected hundreds of machines but has only been counted once.
With the number of viruses that appear each month, it is possible that a new
virus will become widely distributed before the next edition of this
publication. To limit the possibility of infection, readers are reminded to
update their anti-virus packages as soon as updates become available. The table
lists the viruses by ranking (number of sites affected), common virus name, type
of virus code (i.e., boot, file, macro, multi-partite, script), trends (based on
number of infections reported since last week), and approximate date first
found.
Rank | Common Name | Type of Code | Trend | Date | Description |
1 | Mytob.C | Win32 Worm | Increase | March 2005 | A mass-mailing worm with IRC backdoor functionality which can also infect computers vulnerable to the Windows LSASS (MS04-011) exploit. The worm will attempt to harvest email addresses from the local hard disk by scanning files. |
2 | Netsky-P | Win32 Worm | Slight Decrease | March 2004 | A mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning the hard drives and mapped drives. The worm also tries to spread through various file-sharing programs by copying itself into various shared folders. |
3 | Netsky-Q | Win32 Worm | Slight Decrease | March 2004 | A mass-mailing worm that attempts to launch Denial of Service attacks against several web pages, deletes the entries belonging to several worms, and emits a sound through the internal speaker. |
4 | Zafi-D | Win32 Worm | Stable | December 2004 | A mass-mailing worm that sends itself to email addresses gathered from the infected computer. The worm may also attempt to lower security settings, terminate processes, and open a back door on the compromised computer. |
5 | Netsky-D | Win32 Worm | Stable | March 2004 | A simplified variant of the Netsky mass-mailing worm in that it does not contain many of the text strings that were present in NetSky.C and it does not copy itself to shared folders. Netsky.D spreads itself in e-mails as an executable attachment only. |
6 | Lovgate.w | Win32 Worm | Stable | April 2004 | A mass-mailing worm that propagates by using MAPI to reply to messages, by using an internal SMTP engine, by dropping copies of itself on network shares, and through peer-to-peer networks. Attempts to access all machines in the local area network. |
7 | Zafi-B | Win32 Worm | Stable | June 2004 | A mass-mailing worm that spreads via e-mail using several different languages, including English, Hungarian and Russian. When executed, the worm makes two copies of itself in the %System% directory with randomly generated file names. |
8 | Netsky-Z | Win32 Worm | Slight Decrease | April 2004 | A mass-mailing worm that is very close to previous variants. The worm spreads in e-mails, but does not spread to local network and P2P and does not uninstall Bagle worm. The worm has a backdoor that listens on port 665. |
9 | Netsky-B | Win32 Worm | Stable | February 2004 | A mass-mailing worm that uses its own SMTP engine to send itself to the email addresses it finds when scanning the hard drives and mapped drives. Also searches drives for certain folder names and then copies itself to those folders. |
10 | MyDoom-O | Win32 Worm | Stable | July 2004 | A mass-mailing worm that uses its own SMTP engine to generate email messages. It gathers its target email addresses from files with certain extension names. It also avoids sending email messages to email addresses that contain certain strings. |
Table Updated June 7, 2005