Vulnerability Summary for the Week of February 1, 2010
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded in the past week. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores.
Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division into high, medium, and low severities corresponds to the following scores:
- High: vulnerabilities with a CVSS base score of 7.0–10.0
- Medium: vulnerabilities with a CVSS base score of 4.0–6.9
- Low: vulnerabilities with a CVSS base score of 0.0–3.9
Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis.
High Vulnerabilities
Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
---|---|---|---|---|
debian -- lintian | Multiple format string vulnerabilities in Lintian 1.23.x through 1.23.28, 1.24.x through 1.24.2.1, and 2.x before 2.3.2 allow remote attackers to have an unspecified impact via vectors involving (1) check scripts and (2) the Lintian::Schedule module. | 2010-02-02 | 7.5 | CVE-2009-4014 BID |
debian -- lintian | Lintian 1.23.x through 1.23.28, 1.24.x through 1.24.2.1, and 2.x before 2.3.2 allows remote attackers to execute arbitrary commands via shell metacharacters in filename arguments. | 2010-02-02 | 7.5 | CVE-2009-4015 BID |
enanocms -- enanocms | SQL injection vulnerability in the comment submission interface (includes/comment.php) in Enano CMS before 1.0.6pl1 allows remote attackers to execute arbitrary SQL commands via unspecified parameters. | 2010-02-02 | 7.5 | CVE-2010-0471 CONFIRM |
files2links -- f2l_3000_appliance | SQL injection vulnerability in Files2Links F2L 3000 appliance 4.0.0, and possibly other versions and models, allows remote attackers to execute arbitrary SQL commands via unspecified parameters to the login page. | 2010-02-02 | 7.5 | CVE-2010-0469 XF SECUNIA MISC OSVDB FULLDISC |
geopp -- geo++_gncaster | The HTTP Authentication implementation in Geo++ GNCASTER 1.4.0.7 and earlier uses the same nonce for all authentication, which allows remote attackers to hijack web sessions or bypass authentication via a replay attack. | 2010-02-04 | 7.5 | CVE-2010-0554 XF BUGTRAQ MISC SECUNIA OSVDB |
maildrop -- maildrop | main.C in maildrop 2.3.0 and earlier, when run by root with the -d option, uses the gid of root for execution of the .mailfilter file in a user's home directory, which allows local users to gain privileges via a crafted file. | 2010-02-04 | 7.2 | CVE-2010-0301 CONFIRM XF DEBIAN CONFIRM SECTRACK SECUNIA SECUNIA MLIST MLIST MLIST MLIST CONFIRM |
microsoft -- ie; microsoft -- windows_2000; microsoft -- windows_server_2003; microsoft -- windows_server_2008; microsoft -- windows_vista; microsoft -- windows_xp | Microsoft Internet Explorer 5.01 SP4, 6, 6 SP1, 7, and 8 does not prevent rendering of non-HTML local files as HTML documents, which allows remote attackers to bypass intended access restrictions and read arbitrary files via vectors involving the product's use of text/html as the default content type for files that are encountered after a redirection, aka the URLMON sniffing vulnerability, a variant of CVE-2009-1140 and related to CVE-2008-1448. | 2010-02-04 | 9.3 | CVE-2010-0555 BID BID BUGTRAQ MISC MISC MISC MISC |
microsoft -- ie; microsoft -- windows_2000; microsoft -- windows_server_2003; microsoft -- windows_server_2008; microsoft -- windows_vista; microsoft -- windows_xp | Microsoft Internet Explorer 5.01 SP4, 6, 6 SP1, 7, and 8 does not prevent rendering of non-HTML local files as HTML documents, which allows remote attackers to bypass intended access restrictions and read arbitrary files via vectors involving JavaScript exploit code that constructs a reference to a file://127.0.0.1 URL, aka the dynamic OBJECT tag vulnerability, as demonstrated by obtaining the data from an index.dat file, a variant of CVE-2009-1140 and related to CVE-2008-1448. | 2010-02-04 | 9.3 | CVE-2010-0255 BID BID BUGTRAQ CONFIRM MISC MISC CONFIRM |
viewvc -- viewvc | query.py in the query interface in ViewVC before 1.1.3 does not reject configurations that specify an unsupported authorizer for a root, which might allow remote attackers to bypass intended access restrictions via a query. | 2010-01-29 | 7.5 | CVE-2010-0005 CONFIRM |
wireshark -- wireshark | Multiple buffer overflows in the LWRES dissector in Wireshark 0.9.15 through 1.0.10 and 1.2.0 through 1.2.5 allow remote attackers to cause a denial of service (crash) via a malformed packet, as demonstrated using a stack-based buffer overflow to the dissect_getaddrsbyname_request function. | 2010-02-03 | 7.5 | CVE-2010-0304 VUPEN |
xerox -- workcentre_5632; xerox -- workcentre_5638; xerox -- workcentre_5645; xerox -- workcentre_5655; xerox -- workcentre_5665; xerox -- workcentre_5675; xerox -- workcentre_5687 | Multiple unspecified vulnerabilities in the Network Controller and Web Server in Xerox WorkCentre 5632, 5638, 5645, 5655, 5665, 5675, and 5687 allow remote attackers to (1) access mailboxes via unknown vectors that bypass Scan to Mailbox authorization or (2) read device configuration information via unknown vectors that bypass web server authorization. | 2010-02-04 | 7.8 | CVE-2010-0548 CONFIRM |
xerox -- workcentre_6400_net_controller; xerox -- workcentre_6400_system_software | Unspecified vulnerability in the Network Controller in Xerox WorkCentre 6400 System Software 060.070.109.11407 through 060.070.109.29510, and Net Controller 060.079.11410 through 060.079.29310, allows remote attackers to access "directory structure" via a crafted PostScript file, aka "Unauthorized Directory Structure Access Vulnerability." | 2010-02-04 | 7.8 | CVE-2010-0549 CONFIRM |
Medium Vulnerabilities
Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
---|---|---|---|---|
adobe -- coldfusion | The default configuration of Adobe ColdFusion 9.0 does not restrict access to collections that have been created by the Solr Service, which allows remote attackers to obtain collection metadata, search information, and index data via a request to an unspecified URL. | 2010-02-03 | 5.0 | CVE-2010-0185 XF VUPEN SECTRACK BID CONFIRM SECUNIA OSVDB CONFIRM |
apache -- http_server | Integer overflow in the ap_proxy_send_fb function in proxy/proxy_util.c in mod_proxy in the Apache HTTP Server before 1.3.42 on 64-bit platforms allows remote origin servers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a large chunk size that triggers a heap-based buffer overflow. | 2010-02-02 | 6.8 | CVE-2010-0010 XF VUPEN BID BUGTRAQ MISC SECUNIA MISC CONFIRM MISC FULLDISC |
apple -- iphone_os | Recovery Mode in Apple iPhone OS 1.0 through 3.1.2, and iPhone OS for iPod touch 1.1 through 3.1.2, allows physically proximate attackers to bypass device locking, and read or modify arbitrary data, via a USB control message that triggers memory corruption. | 2010-02-03 | 4.6 | CVE-2010-0038 BID CONFIRM APPLE |
asterisk -- asterisk | Asterisk Open Source 1.6.0.x before 1.6.0.22, 1.6.1.x before 1.6.1.14, and 1.6.2.x before 1.6.2.2, and Business Edition C.3 before C.3.3.2, allows remote attackers to cause a denial of service (daemon crash) via a SIP T.38 negotiation with an SDP FaxMaxDatagram field that is (1) missing, (2) modified to contain a negative number, or (3) modified to contain a large number. | 2010-02-04 | 5.0 | CVE-2010-0441 CONFIRM CONFIRM |
chillcreations -- com_ccnewsletter | Directory traversal vulnerability in the ccNewsletter (com_ccnewsletter) component 1.0.5 for Joomla! allows remote attackers to read arbitrary files via a .. (dot dot) in the controller parameter in a ccnewsletter action to index.php. | 2010-02-02 | 5.0 | CVE-2010-0467 XF BID MISC MISC CONFIRM SECUNIA |
cisco -- secure_desktop | Cross-site scripting (XSS) vulnerability in +CSCOT+/translation in Cisco Secure Desktop 3.4.2048, and other versions before 3.5; as used in Cisco ASA appliance before 8.2(1), 8.1(2.7), and 8.0(5); allows remote attackers to inject arbitrary web script or HTML via a crafted POST parameter, which is not properly handled by an eval statement in binary/mainv.js that writes to start.html. | 2010-02-03 | 4.3 | CVE-2010-0440 CONFIRM |
comtrend -- ct-507it_adsl_router | Cross-site scripting (XSS) vulnerability in scvrtsrv.cmd in Comtrend CT-507IT ADSL Router allows remote attackers to inject arbitrary web script or HTML via the srvName parameter. | 2010-02-02 | 4.3 | CVE-2010-0470 BID SECUNIA MISC |
debian -- lintian | Multiple directory traversal vulnerabilities in Lintian 1.23.x through 1.23.28, 1.24.x through 1.24.2.1, and 2.x before 2.3.2 allow remote attackers to overwrite arbitrary files or obtain sensitive information via vectors involving (1) control field names, (2) control field values, and (3) control files of patch systems. | 2010-02-02 | 6.4 | CVE-2009-4013 BID |
dinko_korunic -- hybserv2 | mystring.c in hybserv in IRCD-Hybrid (aka Hybrid2 IRC Services) 1.9.2 through 1.9.4 allows remote attackers to cause a denial of service (daemon crash) via a ":help " private message to the MemoServ service. | 2010-02-04 | 5.0 | CVE-2010-0303 CONFIRM |
freebit -- serversman | FreeBit ServersMan 3.1.5 on Apple iPhone OS 3.1.2, and iPhone OS for iPod touch, allows remote attackers to cause a denial of service (daemon crash) via a HEAD request for the / URI. | 2010-02-03 | 5.0 | CVE-2010-0496 XF SECUNIA FULLDISC |
geopp -- geo++_gncaster | admin.htm in Geo++ GNCASTER 1.4.0.7 and earlier does not properly enforce HTTP Digest Authentication, which allows remote authenticated users to use HTTP Basic Authentication, bypassing intended server policy. | 2010-02-04 | 4.0 | CVE-2010-0550 XF BUGTRAQ MISC SECUNIA OSVDB |
geopp -- geo++_gncaster | HTTP authentication implementation in Geo++ GNCASTER 1.4.0.7 and earlier allows remote attackers to read authentication headers of other users via a large request with an incorrect authentication attempt, which includes sensitive memory in the response. NOTE: this is referred to as a "memory leak" by some sources, but is better characterized as "memory disclosure." | 2010-02-04 | 5.0 | CVE-2010-0551 XF BUGTRAQ MISC SECUNIA OSVDB |
geopp -- geo++_gncaster | Geo++ GNCASTER 1.4.0.7 and earlier allows remote attackers to cause a denial of service (application crash) and possibly execute arbitrary code via multiple requests for a non-existent file using a long URI. | 2010-02-04 | 5.0 | CVE-2010-0552 XF BUGTRAQ MISC SECUNIA OSVDB |
geopp -- geo++_gncaster | Geo++ GNCASTER 1.4.0.7 and earlier allows remote authenticated users to cause a denial of service (application crash) and possibly execute arbitrary code via a long NMEA data sentence. | 2010-02-04 | 6.5 | CVE-2010-0553 XF BUGTRAQ MISC SECUNIA OSVDB |
gnu -- gzip | The huft_build function in inflate.c in gzip before 1.3.13 creates a hufts (aka huffman) table that is too small, which allows remote attackers to cause a denial of service (application crash or infinite loop) or possibly execute arbitrary code via a crafted archive. NOTE: this issue is caused by a CVE-2006-4334 regression. | 2010-01-29 | 6.8 | CVE-2009-2624 CONFIRM VUPEN UBUNTU MANDRIVA DEBIAN SECUNIA SECUNIA SECUNIA SUSE CONFIRM CONFIRM MLIST |
gnu -- gzip | Integer underflow in the unlzw function in unlzw.c in gzip before 1.4 on 64-bit platforms allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted archive that uses LZW compression, leading to an array index error. | 2010-01-29 | 6.8 | CVE-2010-0001 CONFIRM VUPEN UBUNTU REDHAT OSVDB MANDRIVA MANDRIVA DEBIAN SECTRACK SECUNIA SECUNIA SECUNIA SECUNIA CONFIRM SUSE CONFIRM |
horde -- imp | Horde IMP 4.3.6 and earlier does not request that the web browser avoid DNS prefetching of domain names contained in e-mail messages, which makes it easier for remote attackers to determine the network location of the webmail user by logging DNS requests. | 2010-01-29 | 5.0 | CVE-2010-0463 CONFIRM |
hp -- enterprise_cluster_master_toolkit | Unspecified vulnerability in HP Enterprise Cluster Master Toolkit (ECMT) B.05.00 on HP-UX B.11.23 (11i v2) and HP-UX B.11.31 (11i v3) allows local users to gain access to an Oracle or Sybase database via unknown vectors. | 2010-02-03 | 6.2 | CVE-2009-4184 VUPEN SECTRACK BID SECUNIA HP HP |
hp -- openvms_rms | Unspecified vulnerability in Record Management Services (RMS) before VMS83A_RMS-V1100 for HP OpenVMS on the Alpha platform allows local users to gain privileges via unknown vectors. | 2010-02-04 | 6.8 | CVE-2010-0443 VUPEN HP HP |
ibm -- db2 | kuddb2 in Tivoli Monitoring for DB2, as distributed in IBM DB2 9.7 FP1 on Linux, allows remote attackers to cause a denial of service (daemon crash) via a certain byte sequence. | 2010-02-02 | 5.0 | CVE-2010-0472 BID MISC |
ibm -- websphere_service_registry_and_repository | IBM WebSphere Service Registry and Repository (WSRR) 6.3.0 before FP2 does not have the intended configuration properties, which allows remote authenticated users to obtain unspecified data access via a property query. | 2010-02-04 | 5.5 | CVE-2009-2750 CONFIRM |
ircd-hybrid -- ircd-hybrid; ircd-ratbox -- ircd-ratbox; oftc -- oftc-hybrid | Integer underflow in the clean_string function in irc_string.c in (1) IRCD-hybrid 7.2.2 and 7.2.3, (2) ircd-ratbox before 2.2.9, and (3) oftc-hybrid before 1.6.8, when flatten_links is disabled, allows remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via a LINKS command. | 2010-02-04 | 6.8 | CVE-2009-4016 DEBIAN CONFIRM |
ircd-ratbox -- ircd-ratbox | cache.c in ircd-ratbox before 2.2.9 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a HELP command. | 2010-02-04 | 5.0 | CVE-2010-0300 DEBIAN CONFIRM SECUNIA SECUNIA MLIST |
lighttpd -- lighttpd | lighttpd before 1.4.26, and 1.5.x, allocates a buffer for each read operation that occurs for a request, which allows remote attackers to cause a denial of service (memory consumption) by breaking a request into small pieces that are sent at a slow rate. | 2010-02-03 | 5.0 | CVE-2010-0295 BID CONFIRM CONFIRM CONFIRM |
mozilla -- seamonkey; mozilla -- thunderbird | Mozilla Necko, as used in Thunderbird 3.0.1, SeaMonkey, and other applications, performs DNS prefetching even when the app type is APP_TYPE_MAIL or APP_TYPE_EDITOR, which makes it easier for remote attackers to determine the network location of the application's user by logging DNS requests, as demonstrated by DNS requests triggered by reading text/plain e-mail messages in Thunderbird. | 2010-01-29 | 5.0 | CVE-2009-4629 MISC CONFIRM |
mozilla -- bugzilla | Bugzilla 3.3.1 through 3.4.4, 3.5.1, and 3.5.2 does not allow group restrictions to be preserved throughout the process of moving a bug to a different product category, which allows remote attackers to obtain sensitive information via a request for a bug in opportunistic circumstances. | 2010-02-03 | 5.0 | CVE-2009-3387 VUPEN |
mozilla -- bugzilla | Bugzilla before 3.0.11, 3.2.x before 3.2.6, 3.4.x before 3.4.5, and 3.5.x before 3.5.3 does not block access to files and directories that are used by custom installations, which allows remote attackers to obtain sensitive information via requests for (1) CVS/, (2) contrib/, (3) docs/en/xml/, (4) t/, or (5) old-params.txt. | 2010-02-03 | 4.3 | CVE-2009-3989 CONFIRM CONFIRM VUPEN |
paperthin -- commonspot_content_server | Cross-site scripting (XSS) vulnerability in utilities/longproc.cfm in PaperThin CommonSpot Content Server allows remote attackers to inject arbitrary web script or HTML via the url parameter. | 2010-02-02 | 4.3 | CVE-2010-0468 XF BID BUGTRAQ FULLDISC |
postgresql -- postgresql | The bitsubstr function in backend/utils/adt/varbit.c in PostgreSQL 8.0.23, 8.1.11, and 8.3.8 allows remote authenticated users to cause a denial of service (daemon crash) or have unspecified other impact via vectors involving a negative integer in the third argument, as demonstrated by a SELECT statement that contains a call to the substring function for a bit string, related to an "overflow." | 2010-02-02 | 6.5 | CVE-2010-0442 CONFIRM CONFIRM XF BID MLIST SECTRACK MISC CONFIRM CONFIRM MISC MLIST MLIST |
process-one -- ejabberd | ejabberd_c2s.erl in ejabberd before 2.1.3 allows remote attackers to cause a denial of service (daemon crash) via a large number of c2s (aka client2server) messages that trigger a queue overload. | 2010-02-03 | 5.0 | CVE-2010-0305 MLIST MLIST |
roundcube -- roundcube_webmail | Roundcube 0.3.1 and earlier does not request that the web browser avoid DNS prefetching of domain names contained in e-mail messages, which makes it easier for remote attackers to determine the network location of the webmail user by logging DNS requests. | 2010-01-29 | 5.0 | CVE-2010-0464 CONFIRM |
squid-cache -- squid | lib/rfc1035.c in Squid 2.x, 3.0 through 3.0.STABLE22, and 3.1 through 3.1.0.15 allows remote attackers to cause a denial of service (assertion failure) via a crafted DNS packet that only contains a header. | 2010-02-03 | 4.0 | CVE-2010-0308 MISC |
sun -- opensolaris; sun -- solaris | The ucode_ioctl function in intel/io/ucode_drv.c in Sun Solaris 10 and OpenSolaris snv_69 through snv_133, when running on x86 architectures, allows local users to cause a denial of service (panic) via a request with a 0 size value to the UCODE_GET_VERSION IOCTL, which triggers a NULL pointer dereference in the ucode_get_rev function, related to retrieval of the microcode revision. | 2010-02-03 | 4.9 | CVE-2010-0453 VUPEN CONFIRM |
symantec -- altiris_notification_server | The web console in Symantec Altiris Notification Server 6.0.x before 6.0 SP3 R12 uses a hardcoded key that can decrypt SQL Server credentials and certain discovery credentials, and stores this key on the Notification Server machine, which allows local users to obtain sensitive information and possibly execute arbitrary code by decrypting and using these credentials. | 2010-02-02 | 4.3 | CVE-2009-3035 CONFIRM |
viewvc -- viewvc | ViewVC before 1.1.3 composes the root listing view without using the authorizer for each root, which might allow remote attackers to discover private root names by reading this view. | 2010-01-29 | 5.0 | CVE-2010-0004 FEDORA FEDORA MLIST MLIST MLIST CONFIRM CONFIRM CONFIRM SUSE |
Low Vulnerabilities
Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
---|---|---|---|---|
samba -- samba | client/mount.cifs.c in mount.cifs in smbfs in Samba 3.4.5 and earlier does not verify that the (1) device name and (2) mountpoint strings are composed of valid characters, which allows local users to cause a denial of service (mtab corruption) via a crafted string. | 2010-02-04 | 2.1 | CVE-2010-0547 CONFIRM |