Sunday, September 27, 2009

CERT-In Advisory CIAD-2009-44

Multiple Vulnerabilities in PHP
http://www.cert-in.org.in/advisory/ciad-2009-44.htm
Original Issue Date: September 25, 2009

Severity Rating: High

System Affected

PHP versions prior to 5.2.11

Overview

Multiple vulnerabilities have been reported in PHP before 5.2.11, which
could allow a remote attacker to bypass certain security restrictions,
disclose potentially sensitive information, cause denial of service
conditions, conduct spoofing attacks, execute arbitrary code, or
potentially compromise an affected system.

Description

1. Certificate Validation Vulnerability (CVE-2009-3291)

This vulnerability is caused by improper certificate validation. A
remote attacker could exploit this vulnerability by spoofing certificates.
Successful exploitation of this vulnerability could allow a remote attacker
to execute arbitrary code.

2. 'exif' Input Validation Vulnerability (CVE-2009-3292)

This vulnerability is caused by missing sanity checks around exif
processing.

3. 'imagecolortransparent()' Input Validation Vulnerability
    (CVE-2009-3293)

This vulnerability is caused by an incorrect sanity check for the color
index in the imagecolortransparent() function.

4. tsrm_win32.c 'popen()' Denial of Service Vulnerability
    (CVE-2009-3294)

This vulnerability exists in the popen API function in TSRM/tsrm_win32.c in
PHP before 5.2.11, when running on certain Windows operating systems. A
context-dependent attacker could exploit this vulnerability to cause a
denial of service via a crafted (1) "e" or (2) "er" string in the second
argument (aka mode argument).

Solution

Upgrade to PHP Version 5.2.11 or later
http://www.php.net/releases/5_2_11.php

Vendor Information

PHP
http://www.php.net/releases/5_2_11.php

References

PHP
http://www.php.net/releases/5_2_11.php

Secunia
http://secunia.com/advisories/36791

ISS X Force
http://xforce.iss.net/xforce/xfdb/53334

SecurityLab
http://en.securitylab.ru/nvd/385738.php

CVE Name
CVE-2009-3291
CVE-2009-3292
CVE-2009-3293
CVE-2009-3294

CWE Name
CWE-20
CWE-134

Disclaimer

The information provided herein is on "as is" basis, without warranty of
any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003

 

Note: Please do not reply to this e-mail. For further queries contact
CERT-In Information Desk. Email: info@cert-in.org.in



Thursday, September 24, 2009

CVE Announce - September 24, 2009 (opt-in newsletter from the CVE Web site)

Welcome to the latest edition of the CVE-Announce e-newsletter.
This email newsletter is designed to bring recent news about CVE,
such as new versions, upcoming conferences, new Web site features,
etc. right to your emailbox. Common Vulnerabilities and Exposures
(CVE) is the standard for information security vulnerability
names. CVE content results from the collaborative efforts of the
CVE Editorial Board, which is comprised of leading representatives
from the information security community. Details on subscribing
(and unsubscribing) to the email newsletter are at the end. Please
feel free to pass this newsletter on to interested colleagues.

Comments: cve@mitre.org

-------------------------------------------------------
CVE-Announce e-newsletter/September 24, 2009
-------------------------------------------------------

Contents:

1. Feature Story
2. Compatible Product Updates
3. UPCOMING EVENT
4. Also in this Issue
5. Details/Credits + Subscribing and Unsubscribing

FEATURE STORY:


CVE Editorial Board Updates

The following new members have been added to the CVE Editorial
Board:

* Art Manion, CERT/CC (Software Engineering Institute, Carnegie
Mellon University)
* Brian Martin, Open Source Vulnerability Database (OSVDB)
* Tim Keanini, nCircle Network Security, Inc.
* Carsten Eiram, Secunia

LINKS:


CERT/CC - http://www.cert.org

OSVDB - http://www.osvdb.org

nCircle - http://www.ncircle.com

Secunia - http://www.secunia.com

CVE Editorial Board -
http://cve.mitre.org/community/board/index.html


---------------------------------------------------------------
COMPATIBLE PRODUCTS UPDATE:


Information-technology Promotion Agency, Japan (IPA) has achieved
the second phase of the CVE Compatibility Process for three
products by submitting a CVE Compatibility Questionnaire for JVN
Vulnerability Countermeasure Information Database (JVN iPedia),
and a CVE Compatibility Questionnaire for Filtered Vulnerability
Countermeasure Information Tool (MyJVN). In addition, Japan
Computer Emergency Response Team Coordination Center (JPCERT/CC)
has achieved the second phase of the CVE Compatibility Process by
submitting a CVE Compatibility Questionnaire for Japan
Vulnerability Notes (JVN).

In Phase 2 of the compatibility process the organization's
completed compatibility requirements evaluation questionnaire is
posted on the CVE Web site while it is evaluated by MITRE as the
final step towards the product or service being registered as
"Officially CVE-Compatible."

For additional information and to review the complete list of all
products and services participating in the compatibility program,
visit the CVE-Compatible Products and Services section.

LINKS:

CVE Compatibility Questionnaire for JVN iPedia -
http://cve.mitre.org/compatible/questionnaires/106.html

CVE Compatibility Questionnaire for MyJVN -
http://cve.mitre.org/compatible/questionnaires/105.html

CVE Compatibility Questionnaire for JVN -
http://cve.mitre.org/compatible/questionnaires/104.html

CVE-Compatible Products and Services section -
http://cve.mitre.org/compatible/


---------------------------------------------------------------
UPCOMING EVENT:


Making Security Measurable Briefing and Booth at "IT Security
Automation Conference 2009," October 26-29

MITRE is scheduled to present a briefing about Making Security
Measurable (MSM) and host an MSM booth at the U.S. National
Institute of Standards and Technology's (NIST) "5th Annual IT
Security Automation Conference" on October 26-29, 2009 in
Baltimore, Maryland, USA. The CVE Team is also scheduled to
contribute to the CVE-related workshops.

Visit the CVE Calendar for information on this and other events.


LINKS:

IT Security Automation Conference 2009 -
http://www.nist.gov/public_affairs/confpage/091026.htm

SCAP - http://nvd.nist.gov/scap.cfm

Making Security Measurable - http://measurablesecurity.mitre.org

CVE Calendar - http://cve.mitre.org/news/calendar.html


---------------------------------------------------------------
ALSO IN THIS ISSUE:


* Making Security Measurable Main Topic of Article in "CrossTalk,
The Journal of Defense Engineering"

Read these stories and more news at http://cve.mitre.org/news


---------------------------------------------------------------
Details/Credits + Subscribing and Unsubscribing

Managing Editor: David Mann, Information Security Technical
Center. Writer: Bob Roberge. The MITRE Corporation (www.mitre.org)
maintains CVE and provides impartial technical guidance to the CVE
Editorial Board on all matters related to ongoing development of
CVE.

To unsubscribe from the CVE-Announce e-newsletter, open a new
email message and copy the following text to the BODY of the
message "SIGNOFF CVE-Announce-list", then send the message to:
listserv@lists.mitre.org. To subscribe, send an email message to
listserv@lists.mitre.org with the following text in the BODY of
the message: "SUBSCRIBE CVE-Announce-List".

Copyright 2009, The MITRE Corporation. CVE and the CVE logo are
registered trademarks of The MITRE Corporation.

For more information about CVE, visit the CVE Web site at
http://cve.mitre.org or send an email to cve@mitre.org. Learn more
about Making Security Measurable at
http://measurablesecurity.mitre.org.

Wednesday, September 23, 2009

US-CERT Cyber Security Tip ST04-011 -- Using Instant Messaging and Chat Rooms Safely

Cyber Security Tip ST04-011
Using Instant Messaging and Chat Rooms Safely

Although they offer a convenient way to communicate with other people,
there are dangers associated with tools that allow real-time communication.

What are the differences between some of the tools used for real-time
communication?

* Instant messaging (IM) - Commonly used for recreation, instant messaging
  is also becoming more widely used within corporations for communication
  between employees. IM, regardless of the specific software you choose,
  provides an interface for individuals to communicate one-on-one.
* Chat rooms - Whether public or private, chat rooms are forums for
  particular groups of people to interact. Many chat rooms are based upon
  a shared characteristic; for example, there are chat rooms for people of
  particular age groups or interests. Although most IM clients support
  "chats" among multiple users, IM is traditionally one-to-one while chats
  are traditionally many-to-many.
* Bots - A "chat robot," or "bot," is software that can interact with
  users through chat mechanisms, whether in IM or chat rooms. In some
  cases, users may be able to obtain current weather reports, stock
  status, or movie listings. In these instances, users are often aware
  that they are not interacting with an actual human. However, some users
  may be fooled by more sophisticated bots into thinking the responses
  they are receiving are from another person.

There are many software packages that incorporate one or more of these
capabilities. A number of different technologies might be supported,
including IM, Internet Relay Chat (IRC), or Jabber.

What are the dangers?

* Identities can be elusive or ambiguous - Not only is it sometimes
  difficult to identify whether the "person" you are talking to is human,
  but human nature and behavior isn't predictable. People may lie about
  their identity, accounts may be compromised, users may forget to log
  out, or an account may be shared by multiple people. All of these things
  make it difficult to know who you're really talking to during a
  conversation.
* Users are especially susceptible to certain types of attack - Trying to
  convince someone to run a program or click on a link is a common attack
  method, but it can be especially effective through IM and chat rooms. In
  a setting where a user feels comfortable with the "person" he or she is
  talking to, a malicious piece of software or an attacker has a better
  chance of convincing someone to fall into the trap (see Avoiding Social
  Engineering and Phishing Attacks for more information).
* You don't know who else might be seeing the conversation - Online
  interactions are easily saved, and if you're using a free commercial
  service the exchanges may be archived on a server. You have no control
  over what happens to those logs. You also don't know if there's someone
  looking over the shoulder of the person you're talking to, or if an
  attacker might be "sniffing" your conversation.
* The software you're using may contain vulnerabilities - Like any other
  software, chat software may have vulnerabilities that attackers can
  exploit.
* Default security settings may be inappropriate - The default security
  settings in chat software tend to be relatively permissive to make it
  more open and "usable," and this can make you more susceptible to
  attacks.

How can you use these tools safely?

* Evaluate your security settings - Check the default settings in your
  software and adjust them if they are too permissive. Make sure to
  disable automatic downloads. Some chat software offers the ability to
  limit interactions to only certain users, and you may want to take
  advantage of these restrictions.
* Be conscious of what information you reveal - Be wary of revealing
  personal information unless you know who you are really talking to. You
  should also be careful about discussing anything you or your employer
  might consider sensitive business information over public IM or chat
  services (even if you are talking to someone you know in a one-to-one
  conversation).
* Try to verify the identity of the person you are talking to, if it
  matters - In some forums and situations, the identity of the "person"
  you are talking to may not matter. However, if you need to have a degree
  of trust in that person, either because you are sharing certain types of
  information or being asked to take some action like following a link or
  running a program, make sure the "person" you are talking to is actually
  that person.
* Don't believe everything you read - The information or advice you
  receive in a chat room or by IM may be false or, worse, malicious. Try
  to verify the information or instructions from outside sources before
  taking any action.
* Keep software up to date - This includes the chat software, your
  browser, your operating system, your mail client, and, especially, your
  anti-virus software (see Understanding Patches and Understanding
  Anti-Virus Software for more information).
_________________________________________________________________

Authors: Mindi McDowell, Allen Householder
_________________________________________________________________

Produced 2004 by US-CERT, a government organization.

Note: This tip was previously published and is being
re-distributed to increase awareness.

Terms of use

http://www.us-cert.gov/legal.html

This document can also be found at

http://www.us-cert.gov/cas/tips/ST04-011.html

For instructions on subscribing to or unsubscribing from this
mailing list, visit
http://www.us-cert.gov/cas/signup.html.


--
For More Security Related Stuff visit http://wiki.secureit.in. A Wiki
Website dedicated to Information Security.

Wednesday, September 16, 2009

US-CERT Cyber Security Bulletin SB09-257 -- Vulnerability Summary for the Week of September 7, 2009

Vulnerability Summary for the Week of September 7, 2009

This bulletin provides a summary of new vulnerabilities that have been
recorded by the National Institute of Standards and Technology (NIST)
National Vulnerability Database (NVD) the week of September 7, 2009. It is
available here:

http://www.us-cert.gov/cas/bulletins/SB09-257.html

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.

Tuesday, September 15, 2009

CERT-In Vulnerability Note CIVN-2009-115

Cisco Nexus 5000 Series Switches Remote TCP Denial of Service Vulnerability
http://www.cert-in.org.in/vulnerability/civn-2009-115.htm
Original Issue Date: September 15, 2009
Severity Rating: High

Systems Affected

Cisco Nexus 5000 Series Switches running Cisco NX-OS Software versions
prior to 4.0(1a)N2(1)

Overview

A vulnerability has been reported in Cisco NX-OS Software that could allow
an unauthenticated, remote attacker to cause a denial of service (DoS)
condition.

Description

The vulnerability is due to an error when the affected device processes
certain TCP packets. An unauthenticated, remote attacker could force the
TCP connection to remain in a long-lived state for an indefinite period. If
enough TCP connections are forced into a long-lived state, resources on a
system under attack may be consumed, preventing new TCP connections from
being accepted and resulting in denial of service (DoS) conditions.

Solution

Apply appropriate fixed versions as mentioned in CISCO Security Advisory.
http://www.cisco.com/warp/public/707/cisco-sa-20090908-tcp24.shtml

Vendor Information

CISCO
http://www.cisco.com/warp/public/707/cisco-sa-20090908-tcp24.shtml

References

CISCO
http://www.cisco.com/warp/public/707/cisco-sa-20090908-tcp24.shtml
http://tools.cisco.com/security/center/viewAlert.x?alertId=18800

SecurityTracker
http://www.securitytracker.com/alerts/2009/Sep/1022847.html

CVE Name
CVE-2009-0627


Monday, September 14, 2009

CERT-In Advisory CIAD-2009-43

Multiple Vulnerabilities in Mozilla Firefox
http://www.cert-in.org.in/advisory/ciad-2009-43.htm
Original Issue Date: September 14, 2009

Severity Rating: High

System Affected

Mozilla Firefox versions prior to 3.5.3
Mozilla Firefox versions prior to 3.0.14

Overview

Multiple vulnerabilities have been reported in Mozilla Firefox, which could
allow a remote attacker to bypass certain security restrictions, disclose
potentially sensitive information, cause denial of service conditions,
conduct spoofing attacks, execute arbitrary code, or potentially
compromise an affected system.

Description

1. Multiple Memory corruption vulnerabilities in the JavaScript engine
and Browser engine
    (CVE-2009-3069, CVE-2009-3070, CVE-2009-3071,
    CVE-2009-3072, CVE-2009-3073, CVE-2009-3074,
    CVE-2009-3075)

Multiple memory corruption vulnerabilities have been reported in Mozilla
Firefox due to improper handling of malformed data in the JavaScript and
Browser engines. A remote attacker could exploit these vulnerabilities via
a specially crafted HTML file to trigger a memory corruption error.
Successful exploitation of these vulnerabilities could allow a remote
attacker to cause a denial of service condition or execute arbitrary code.

Workarounds

Disable JavaScript until a version containing these fixes can be installed.

2. Insufficient warning for PKCS11 module installation and removal
vulnerability (CVE-2009-3076)

This vulnerability is caused by insufficient warning information
displayed in the dialog when adding or removing security modules via
pkcs11.addmodule or pkcs11.deletemodule in Mozilla Firefox. A remote
attacker could exploit this vulnerability by tricking a user into
installing a malicious PKCS11 module and affect the cryptographic integrity
of a vulnerable browser.

Note: Firefox 3.5 releases are not affected by this issue.

3. TreeColumns Dangling Pointer Vulnerability (CVE-2009-3077)

This vulnerability is caused by an error when processing operations
performed on the columns of a XUL tree element in Mozilla Firefox. A remote
attacker could exploit this vulnerability via a pointer owned by a column
of the XUL tree element to dereference the freed memory. Successful
exploitation of this vulnerability could allow a remote attacker to execute
arbitrary code.

4. Location bar spoofing Vulnerability (CVE-2009-3078)

This vulnerability is caused by an error when displaying certain
Unicode characters with a tall line-height in the location bar using the
default Windows font in Mozilla Firefox. A remote attacker could exploit
this vulnerability via Unicode characters having a tall line-height to
spoof the URL of a trusted site and also aid in other attacks.

5. Chrome privilege escalation with FeedWriter Vulnerability
(CVE-2009-3079)

This vulnerability is caused by an error in the implementation of the
"BrowserFeedWriter" object in Mozilla Firefox. A remote attacker could
exploit this vulnerability via specially crafted JavaScript to execute
arbitrary JavaScript code with chrome privileges.

Workaround

Disable JavaScript until a version containing this fix can be installed.

Solution

Upgrade to Mozilla Firefox version 3.5.3 or 3.0.14
http://www.mozilla.com/firefox/

Vendor Information

Mozilla
http://www.mozilla.com/en-US/

References

Mozilla
http://www.mozilla.org/security/announce/2009/mfsa2009-47.html
http://www.mozilla.org/security/announce/2009/mfsa2009-48.html
http://www.mozilla.org/security/announce/2009/mfsa2009-49.html
http://www.mozilla.org/security/announce/2009/mfsa2009-50.html
http://www.mozilla.org/security/announce/2009/mfsa2009-51.html

Bugzilla
https://bugzilla.mozilla.org/show_bug.cgi?id=453827
https://bugzilla.mozilla.org/show_bug.cgi?id=454363
https://bugzilla.mozilla.org/show_bug.cgi?id=506838
https://bugzilla.mozilla.org/buglist.cgi?bug_id=430569,437565,465651
https://bugzilla.mozilla.org/buglist.cgi?bug_id=493649,495444,490196,502017
https://bugzilla.mozilla.org/buglist.cgi?bug_id=501900,508074,494283
https://bugzilla.mozilla.org/show_bug.cgi?id=507292
https://bugzilla.mozilla.org/show_bug.cgi?id=467493
https://bugzilla.mozilla.org/buglist.cgi?bug_id=505305,441714
https://bugzilla.mozilla.org/buglist.cgi?bug_id=326628,509413
https://bugzilla.mozilla.org/show_bug.cgi?id=506871

ZDI
http://www.zerodayinitiative.com/advisories/ZDI-09-065/

Secunia
http://secunia.com/advisories/36671/

SecurityFocus
http://www.securityfocus.com/bid/36343/info

SecurityTracker
http://securitytracker.com/alerts/2009/Sep/1022876.html
http://securitytracker.com/alerts/2009/Sep/1022877.html
http://securitytracker.com/alerts/2009/Sep/1022873.html
http://securitytracker.com/alerts/2009/Sep/1022875.html
http://securitytracker.com/alerts/2009/Sep/1022874.html

VUPEN
http://www.vupen.com/english/advisories/2009/2585

Juniper
http://www.juniper.net/security/auto/vulnerabilities/vuln36343.html

CVE Name
CVE-2009-3069
CVE-2009-3070
CVE-2009-3071
CVE-2009-3072
CVE-2009-3073
CVE-2009-3074
CVE-2009-3075
CVE-2009-3076
CVE-2009-3077
CVE-2009-3078
CVE-2009-3079

CWE Name
CWE-119
CWE-265
CWE-357
CWE-451
CWE-465


CERT-In Advisory CIAD-2009-42

Multiple Vulnerabilities in Apple QuickTime
http://www.cert-in.org.in/advisory/ciad-2009-42.htm
Original Issue Date: September 14, 2009

Severity Rating: High

Software Affected

Apple QuickTime versions prior to 7.6.4

System Affected

Mac OS X v10.4.11
Mac OS X v10.5.8
Windows 7
Windows Vista and XP SP3

Overview

Multiple vulnerabilities have been reported in Apple QuickTime, which could
allow a remote attacker to execute arbitrary code, cause a denial of service
condition and potentially compromise a vulnerable system.

Description

1. Memory Corruption Vulnerability (CVE-2009-2202)

A memory corruption vulnerability has been reported due to an error in the
parsing of H.264 movie files in Apple QuickTime. A remote attacker could
exploit this vulnerability via a specially crafted H.264 media file to
trigger a memory corruption error.

2. Buffer Overflow Vulnerability (CVE-2009-2203)

A buffer overflow vulnerability has been reported due to an error in the
parsing of MPEG-4 video files in Apple QuickTime. A remote attacker could
exploit this vulnerability via a specially crafted MPEG-4 video file to
trigger a buffer overflow error.

3. FlashPix Sector Size Overflow Vulnerability (CVE-2009-2798)

A heap buffer overflow vulnerability has been reported due to an integer
overflow error when processing the "SectorShift" and "cSectFat" fields of a
FlashPix file header in Apple QuickTime. A remote attacker could exploit
this vulnerability via a specially crafted FlashPix (".fpx") file to trigger
a heap-based buffer overflow error.

4. H.264 codec Heap Overflow Vulnerability (CVE-2009-2799)

A heap buffer overflow vulnerability has been reported due to a boundary
checking error when processing samples from an H.264 encoded MOV file in
Apple QuickTime. A remote attacker could exploit this vulnerability via a
specially crafted H.264 MOV file to trigger a heap-based buffer overflow
error.

Successful exploitation of these vulnerabilities could allow a remote
attacker to execute arbitrary code with the privileges of the logged in
user or cause a denial of service condition.
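
The integer overflow class described in item 3 (CVE-2009-2798), shown as an added defensive example; it is not part of the advisory and is not QuickTime's code. It assumes FlashPix files carry the OLE compound-file header, with SectorShift at byte offset 30 and cSectFat at byte offset 44; the function names and the 64 MiB limit are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout: the 512-byte OLE compound-file header that .fpx files use. */
#define CFB_HEADER_LEN   512u
#define OFF_SECTOR_SHIFT 30u  /* 16-bit little-endian SectorShift */
#define OFF_CSECT_FAT    44u  /* 32-bit little-endian cSectFat    */

/* Hypothetical policy limit for this example: FAT tables above 64 MiB are refused. */
#define MAX_FAT_BYTES    (64u * 1024u * 1024u)

enum fpx_status {
    FPX_OK = 0, FPX_TRUNCATED, FPX_BAD_MAGIC,
    FPX_BAD_SHIFT, FPX_FAT_TOO_LARGE, FPX_FAT_PAST_EOF
};

static const uint8_t CFB_MAGIC[8] = {
    0xD0, 0xCF, 0x11, 0xE0, 0xA1, 0xB1, 0x1A, 0xE1
};

static uint16_t rd16le(const uint8_t *p)
{
    return (uint16_t)(p[0] | (p[1] << 8));
}

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Illustration of the bug class only: a 32-bit size that wraps modulo 2^32. */
uint32_t fat_bytes_unchecked(uint16_t sector_shift, uint32_t csect_fat)
{
    return csect_fat << (sector_shift & 31u);
}

/* Validate both header fields before any size derived from them is used. */
enum fpx_status fpx_check_header(const uint8_t *buf, size_t len,
                                 uint64_t *fat_bytes_out)
{
    if (len < CFB_HEADER_LEN)
        return FPX_TRUNCATED;
    if (memcmp(buf, CFB_MAGIC, sizeof CFB_MAGIC) != 0)
        return FPX_BAD_MAGIC;

    uint16_t shift = rd16le(buf + OFF_SECTOR_SHIFT);
    uint32_t csect = rd32le(buf + OFF_CSECT_FAT);

    /* The compound-file format defines only 512-byte (9) and 4096-byte (12) sectors. */
    if (shift != 9 && shift != 12)
        return FPX_BAD_SHIFT;

    /* Multiply in 64 bits so the product cannot wrap, then bound it. */
    uint64_t fat_bytes = (uint64_t)csect << shift;
    if (fat_bytes > MAX_FAT_BYTES)
        return FPX_FAT_TOO_LARGE;

    /* Loose necessary condition: the FAT sectors must fit in the file body. */
    if (fat_bytes > (uint64_t)len - CFB_HEADER_LEN)
        return FPX_FAT_PAST_EOF;

    *fat_bytes_out = fat_bytes;
    return FPX_OK;
}

/* Constructed sample input: a zeroed header carrying only the fields checked here.
   The caller must pass a buffer of at least 48 bytes. */
void make_header(uint8_t *buf, size_t len, uint16_t shift, uint32_t csect)
{
    memset(buf, 0, len);
    memcpy(buf, CFB_MAGIC, sizeof CFB_MAGIC);
    buf[OFF_SECTOR_SHIFT]     = (uint8_t)(shift & 0xFF);
    buf[OFF_SECTOR_SHIFT + 1] = (uint8_t)(shift >> 8);
    for (int i = 0; i < 4; i++)
        buf[OFF_CSECT_FAT + i] = (uint8_t)(csect >> (8 * i));
}

int main(void)
{
    uint8_t file[1024];
    uint64_t fat = 0;

    /* 0x00100001 sectors of 4096 bytes is just over 4 GiB: it wraps in 32 bits. */
    make_header(file, sizeof file, 12, 0x00100001u);
    printf("unchecked 32-bit size: %u bytes\n",
           (unsigned)fat_bytes_unchecked(12, 0x00100001u));
    printf("checked status: %d\n",
           (int)fpx_check_header(file, sizeof file, &fat));
    return 0;
}
```
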

Solution

Upgrade to Apple QuickTime version 7.6.4
http://www.apple.com/support/downloads/

Vendor Information

Apple
http://support.apple.com/kb/HT3859
http://www.apple.com/quicktime/

References

Secunia
http://secunia.com/advisories/36627/

SecurityFocus
http://www.securityfocus.com/bid/36328

SecurityTracker
http://www.securitytracker.com/alerts/2009/Sep/1022865.html

VUPEN
http://www.vupen.com/english/advisories/2009/2584

CVE-Name
CVE-2009-2202
CVE-2009-2203
CVE-2009-2798
CVE-2009-2799

CWE Name
CWE-119

CERT-In Monthly Security Bulletin August 2009

Security Bulletin

CERT-In regularly tracks various vulnerabilities in different
operating systems, application software and network devices, and information
related to widely circulating viruses/worms and exploit code.

This month CERT-In issued security advisories and vulnerability notes on
vulnerabilities in various Microsoft products, Oracle, Solaris and various
Adobe products. The bulletin also covers widely spreading malicious software
and the trends used for hacking/defacing web servers.


The Security Bulletin is available at CERT-In website
http://www.cert-in.org.in/knowledgebase/SecurityBulletin/cisb-Aug09.htm


Friday, September 11, 2009

US-CERT Cyber Security Tip ST04-010 -- Using Caution with Email Attachments

National Cyber Alert System
Cyber Security Tip ST04-010

Using Caution with Email Attachments

While email attachments are a popular and convenient way to send
documents,
they are also a common source of viruses. Use caution when opening
attachments, even if they appear to have been sent by someone you know.

Why can email attachments be dangerous?

Some of the characteristics that make email attachments convenient and
popular are also the ones that make them a common tool for attackers:
* Email is easily circulated - Forwarding email is so simple that
viruses
can quickly infect many machines. Most viruses don't even
require users
to forward the emailâ€"they scan a users' computer for email
addresses and
automatically send the infected message to all of the addresses they
find. Attackers take advantage of the reality that most users will
automatically trust and open any message that comes from someone
they
know.
* Email programs try to address all users' needs - Almost any type
of file
can be attached to an email message, so attackers have more
freedom with
the types of viruses they can send.
* Email programs offer many "user-friendly" features - Some email
programs
have the option to automatically download email attachments, which
immediately exposes your computer to any viruses within the
attachments.

What steps can you take to protect yourself and others in your address book?

* Be wary of unsolicited attachments, even from people you know - Just
  because an email message looks like it came from your mom, grandma, or
  boss doesn't mean that it did. Many viruses can "spoof" the return
  address, making it look like the message came from someone else. If you
  can, check with the person who supposedly sent the message to make sure
  it's legitimate before opening any attachments. This includes email
  messages that appear to be from your ISP or software vendor and claim to
  include patches or anti-virus software. ISPs and software vendors do not
  send patches or software in email.
* Keep software up to date - Install software patches so that attackers
  can't take advantage of known problems or vulnerabilities (see
  Understanding Patches for more information). Many operating systems
  offer automatic updates. If this option is available, you should enable
  it.
* Trust your instincts - If an email or email attachment seems suspicious,
  don't open it, even if your anti-virus software indicates that the
  message is clean. Attackers are constantly releasing new viruses, and
  the anti-virus software might not have the signature. At the very least,
  contact the person who supposedly sent the message to make sure it's
  legitimate before you open the attachment. However, especially in the
  case of forwards, even messages sent by a legitimate sender might
  contain a virus. If something about the email or the attachment makes
  you uncomfortable, there may be a good reason. Don't let your curiosity
  put your computer at risk.
* Save and scan any attachments before opening them - If you have to open
  an attachment before you can verify the source, take the following
  steps:
    1. Be sure the signatures in your anti-virus software are up to date
       (see Understanding Anti-Virus Software for more information).
    2. Save the file to your computer or a disk.
    3. Manually scan the file using your anti-virus software.
    4. If the file is clean and doesn't seem suspicious, go ahead and open
       it.
* Turn off the option to automatically download attachments - To simplify
  the process of reading email, many email programs offer the feature to
  automatically download attachments. Check your settings to see if your
  software offers the option, and make sure to disable it.
* Consider creating separate accounts on your computer - Most operating
  systems give you the option of creating multiple user accounts with
  different privileges. Consider reading your email on an account with
  restricted privileges. Some viruses need "administrator" privileges to
  infect a computer.
* Apply additional security practices - You may be able to filter certain
  types of attachments through your email software (see Reducing Spam) or
  a firewall (see Understanding Firewalls).
_________________________________________________________________

Both the National Cyber Security Alliance and US-CERT have identified this
topic as one of the top tips for home users.
_________________________________________________________________

Authors: Mindi McDowell, Allen Householder
_________________________________________________________________

Copyright 2004, 2009 Carnegie Mellon University. Terms of use
US-CERT


CERT-In Vulnerability Note CIVN-2009-114

Microsoft Windows SMB 2.0 "srv2.sys" remote code execution vulnerability
http://www.cert-in.org.in/vulnerability/civn-2009-114.htm
Original Issue Date: September 10, 2009

Severity Rating: High

System Affected

* Windows Vista SP 2 and prior
* Windows Vista x64 Edition SP 2 and prior
* Windows Server 2008 for 32-bit Systems SP2 and prior
* Windows Server 2008 for 64-bit Systems SP2 and prior
* Windows Server 2008 for Itanium-based Systems SP 2 and prior

Overview

A zero-day vulnerability has been reported in the Microsoft Server Message
Block (SMB) implementation. Successful exploitation allows an attacker,
without any authentication, to execute arbitrary code on affected systems
with full administrative rights, or causes the operating system to stop
responding (possibly with a Blue Screen of Death, BSOD) and restart.

Description

Microsoft Server Message Block (SMB) is a Microsoft network file sharing
protocol used in Microsoft Windows. SMB 2.0 has been available since
Windows Vista.

The vulnerability is due to an array index error in the kernel driver
srv2.sys, which allows remote attackers to cause a denial of service
(system crash) via an & (ampersand) character in a Process ID High header
field in a NEGOTIATE PROTOCOL REQUEST packet, which triggers an attempted
dereference of an out-of-bounds memory location. (The NEGOTIATE PROTOCOL
REQUEST is the first SMB query a client sends to an SMB server, and it is
used to identify the SMB dialect that will be used for further
communication.)

Successful exploitation leads to code execution with SYSTEM-level
privileges; failed exploit attempts lead to denial-of-service conditions.

NOTE:

* File sharing must be enabled to exploit this vulnerability.
* Windows 7 RTM, Windows Server 2008 R2, Windows XP, Windows 2000, and
  Windows Vista systems (if the network profile is set to "Public") are
  not affected.
* Proof-of-concept exploit code is publicly available.

Workaround

* Disable SMB v2
* Block TCP ports 139, 445 at the firewall
* For detailed steps and impact of applying these workarounds, refer to
  Microsoft Security Advisory 975497

Vendor Information

Microsoft
http://www.microsoft.com/technet/security/advisory/975497.mspx

References

Microsoft
http://www.microsoft.com/technet/security/advisory/975497.mspx
http://blogs.technet.com/msrc/archive/2009/09/08/microsoft-security-advisory-975497-released.aspx
http://msdn.microsoft.com/en-us/library/aa365233
http://www.microsoft.com/security/pypc.aspx

SecurityFocus
http://www.securityfocus.com/bid/36299

Secunia
http://secunia.com/advisories/36623

Security Tracker
http://securitytracker.com/alerts/2009/Sep/1022848.html

ISC SANS
http://isc.sans.org/diary.html?storyid=7093

CVE Name
CVE-2009-3103

Disclaimer

The information provided herein is on "as is" basis, without warranty of
any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003

Note: Please do not reply to this e-mail. For further queries contact
CERT-In Information Desk. Email: info@cert-in.org.in



CERT-In Advisory CIAD-2009-41


Multiple Vulnerabilities in Microsoft JScript Scripting Engine, DHTML
Editing Component ActiveX Control, Windows Media Format, Windows TCP/IP
Implementation, Windows Wireless LAN AutoConfig Service.
http://www.cert-in.org.in/advisory/ciad-2009-41.htm
Original issue date: September 10, 2009

Systems Affected

* Windows 2000 SP4
* Microsoft Windows XP
* Windows XP Professional x64 Edition
* Windows Server 2003
* Windows Server 2003 x64 Edition
* Windows Server 2003 for Itanium-based Systems
* Windows Vista
* Windows Vista x64 Edition
* Windows Server 2008
* Windows Server 2008 x64-based Systems
* Windows Server 2008 for Itanium-based Systems

Components affected

JScript 5.1, 5.6, 5.7, 5.8
Windows Media Format Runtime 9.0, 9.5, 11
Windows Media Services 9.1, 2008

Overview

Multiple vulnerabilities have been reported in various Microsoft products
and components such as Microsoft JScript Scripting Engine, DHTML Editing
Component ActiveX Control, Windows Media Format, Windows TCP/IP
Implementation, and Windows Wireless LAN AutoConfig Service.

Description

The vulnerability notes released by CERT-In with reference to Microsoft
Security Bulletins are available at:

http://www.cert-in.org.in/advisory/ciad-2009-41.htm

Solution

Apply appropriate patches as mentioned in Microsoft Security Bulletin
September 2009
http://www.microsoft.com/technet/security/bulletin/ms09-sep.mspx

Vendor Information

Microsoft Corporation
http://www.microsoft.com/technet/security/bulletin/ms09-sep.mspx


CERT-In Advisory CIAD-2009-40

Multiple Vulnerabilities in Opera
http://www.cert-in.org.in/advisory/ciad-2009-40.htm
Original Issue Date: September 07, 2009

Severity Rating: Medium

System Affected

Opera versions 9.x

Overview

Multiple vulnerabilities have been reported in Opera, which could be
exploited to bypass security restrictions and conduct spoofing attacks.

Description

1. Intermediate Certificate Spoofing Vulnerability
    (CVE-2009-3046)

This vulnerability exists because Opera fails to check the revocation
status for intermediate certificates not served by the server. This may
cause sites using revoked intermediate certificates to be shown as secure.

2. URL Spoofing Vulnerability (CVE-2009-3047)

This vulnerability is caused by improper updating of the domain name within
the collapsed address bar, which could cause the previous domain to be
shown instead of the domain of the present site. This could be exploited by
remote attackers to spoof URLs.

3. Limited Address Spoofing Vulnerability (CVE-2009-3049)

This vulnerability arises because certain Unicode characters are treated
incorrectly, which might cause International Domain Names (IDN) that use
them to be shown in the wrong format. Attackers could exploit this
vulnerability to perform limited address spoofing.

4. Security Bypass Vulnerability (CVE-2009-3044)

This vulnerability exists because the browser fails to properly validate
the domain name in a signed CA certificate. A remote attacker could exploit
this vulnerability by using a certificate that uses a wildcard immediately
before the top-level domain, or nulls in the domain name, causing it to be
incorrectly interpreted as secure.

Solution

Upgrade to Opera 10 or later
http://www.opera.com/download/

Vendor Information

Opera
http://www.opera.com/download/

References

Opera
http://www.opera.com/support/kb/view/929/
http://www.opera.com/support/kb/view/930/
http://www.opera.com/support/kb/view/932/
http://www.opera.com/support/kb/view/934/
http://www.opera.com/docs/changelogs/windows/1000/

ISS XFORCE
http://xforce.iss.net/xforce/xfdb/52965

VUPEN Security
http://www.vupen.com/english/advisories/2009/2500

SecurityFocus
http://www.securityfocus.com/bid/36202/

Secunia
http://secunia.com/advisories/36414/

SecurityTracker
http://www.securitytracker.com/alerts/2009/Sep/1022799.html

Juniper Networks
http://www.juniper.net/security/auto/vulnerabilities/vuln36202.html

CVE Name
CVE-2009-3044
CVE-2009-3046
CVE-2009-3047
CVE-2009-3049
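
The two name checks whose absence item 4 above (CVE-2009-3044) describes, a wildcard immediately before the top-level domain and NUL bytes in the name, written out as an added Python example. It is not Opera's code; the function names, the constructed names used with it, and the policy of refusing partial wildcards are assumptions made for illustration.

```python
"""Certificate-name sanity checks for the two cases named in CVE-2009-3044."""


def reject_reason(cert_name):
    """Return why a certificate DNS name must be refused, or None if usable."""
    if "\x00" in cert_name:
        # An embedded NUL makes a C-string comparison see only the prefix,
        # so "good.example\0.other.example" would read as "good.example".
        return "embedded NUL byte"
    labels = cert_name.lower().rstrip(".").split(".")
    if any(label == "" for label in labels):
        return "empty label"
    if "*" in "".join(labels[1:]):
        return "wildcard outside the left-most label"
    if "*" in labels[0]:
        if labels[0] != "*":
            # Assumption: this example refuses partial wildcards such as
            # "w*.example.com", which is stricter than some implementations.
            return "partial wildcard label"
        if len(labels) < 3:
            # "*.com": nothing but the top-level domain follows the wildcard.
            # Suffixes such as "co.uk" need a public-suffix list, which is
            # outside the scope of this example.
            return "wildcard immediately before the top-level domain"
    return None


def name_matches(cert_name, host):
    """True only if cert_name passes the checks above and covers host."""
    if reject_reason(cert_name) is not None or "\x00" in host:
        return False
    pattern = cert_name.lower().rstrip(".").split(".")
    target = host.lower().rstrip(".").split(".")
    if len(pattern) != len(target):
        return False  # a wildcard stands for exactly one label
    if pattern[0] != "*" and pattern[0] != target[0]:
        return False
    return pattern[1:] == target[1:]


if __name__ == "__main__":
    # Constructed sample names, not taken from any real certificate.
    for name in ("*.example.com", "*.com", "www.example.com\x00.other.example"):
        print(repr(name), "->", reject_reason(name) or "acceptable")
```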


CERT-In Vulnerability Note CIVN-2009-106

Cisco IOS XR Software Border Gateway Protocol Vulnerabilities
http://www.cert-in.org.in/vulnerability/civn-2009-106.htm
Original Issue Date: August 31, 2009

Severity Rating: High

System Affected

Cisco IOS XR Software versions 3.4.0 and later
Cisco IOS XR Software versions 3.2.0 and later

Overview

Multiple vulnerabilities have been reported in Cisco IOS XR Software that
could allow a remote attacker to cause a DoS condition. 

Description

1. Invalid BGP Update Remote Denial of Service Vulnerability
    (CVE-2009-2055)

The vulnerability is due to an unspecified error in the handling of Border
Gateway Protocol (BGP) updates. An unauthenticated, remote attacker who
can send BGP updates to an affected system could send a crafted update and
cause the affected device to reset the BGP peering session, resulting in a
DoS condition.

Workaround

It is advised to configure peering neighbors to filter the invalid updates
on their outbound path. For more details, refer to the Cisco Security
Advisory.

2. BGP Long Update Message Processing Denial of Service Vulnerability
    (CVE-2009-1154)

This vulnerability exists due to improper handling of overly long
parameters within BGP update messages. An unauthenticated, remote attacker
could exploit this vulnerability by sending a malicious network request to
the vulnerable system. If successful, the attacker could cause a DoS
condition.

Workaround

Consider limiting the number of Autonomous System (AS) numbers within the
AS Path Attribute as described in the Cisco advisory.

3. Border Gateway Protocol Configuration Denial of Service
    (CVE-2009-2056)

The issue is due to an error in the handling of certain configurations. If
an affected version of Cisco IOS XR Software is configured to prepend a
very large number of Autonomous System (AS) Numbers to the AS path, then
when the device constructs a Border Gateway Protocol (BGP) update, the BGP
process will crash, resulting in a DoS condition.

Workaround

Configure the number of AS Numbers allowed to prepend an AS path to a
reasonable number.

Solution

Apply appropriate fixed versions as mentioned in the Cisco Security Advisory.
http://www.cisco.com/warp/public/707/cisco-sa-20090818-bgp.shtml

Vendor Information

Cisco
http://www.cisco.com/warp/public/707/cisco-sa-20090818-bgp.shtml

References

Cisco
http://www.cisco.com/en/US/products/products_security_advisory09186a0080af150f.shtml
http://tools.cisco.com/security/center/viewAlert.x?alertId=18866
http://tools.cisco.com/security/center/viewAlert.x?alertId=18906
http://tools.cisco.com/security/center/viewAlert.x?alertId=18907

Security Tracker
http://securitytracker.com/alerts/2009/Aug/1022756.html
http://securitytracker.com/alerts/2009/Aug/1022739.html

CVE Name
CVE-2009-2055
CVE-2009-1154
CVE-2009-2056
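
To make the workaround of limiting the number of AS numbers in the AS Path Attribute concrete, the following added example (not Cisco's or CERT-In's code) parses a BGP UPDATE laid out per RFC 4271 and counts the AS numbers it carries, for use in a monitoring or lab pipeline. The limit of 50, the function names, and the sample messages produced by build_update are assumptions constructed for illustration.

```python
"""Count the AS numbers carried in the AS_PATH of a BGP UPDATE (RFC 4271)."""
import struct

MARKER = b"\xff" * 16   # fixed 16-byte header marker
TYPE_UPDATE = 2         # BGP message type code for UPDATE
ATTR_AS_PATH = 2        # path attribute type code for AS_PATH
FLAG_EXT_LEN = 0x10     # attribute length field is two bytes when set


def _count_segments(value, asn_size):
    """Sum the AS counts of every segment in an AS_PATH attribute value."""
    count, pos = 0, 0
    while pos < len(value):
        if pos + 2 > len(value):
            raise ValueError("truncated AS_PATH segment header")
        seg_count = value[pos + 1]          # value[pos] is the segment type
        pos += 2 + seg_count * asn_size
        if pos > len(value):
            raise ValueError("AS_PATH segment overruns the attribute")
        count += seg_count
    return count


def as_path_length(msg, asn_size=2):
    """Return how many AS numbers the UPDATE's AS_PATH carries.

    asn_size is 2, or 4 when the session negotiated 4-octet AS numbers.
    Raises ValueError for anything that is not a well-formed UPDATE.
    """
    if len(msg) < 23 or msg[:16] != MARKER:
        raise ValueError("not a BGP message")
    length, msg_type = struct.unpack("!HB", msg[16:19])
    if msg_type != TYPE_UPDATE or length != len(msg) or length > 4096:
        raise ValueError("not a complete UPDATE")
    (withdrawn_len,) = struct.unpack("!H", msg[19:21])
    pos = 21 + withdrawn_len
    if pos + 2 > len(msg):
        raise ValueError("withdrawn routes overrun the message")
    (attrs_len,) = struct.unpack("!H", msg[pos:pos + 2])
    pos += 2
    end = pos + attrs_len
    if end > len(msg):
        raise ValueError("path attributes overrun the message")
    total = 0
    while pos < end:
        if pos + 3 > end:
            raise ValueError("truncated attribute header")
        flags, code = msg[pos], msg[pos + 1]
        if flags & FLAG_EXT_LEN:
            if pos + 4 > end:
                raise ValueError("truncated attribute header")
            (attr_len,) = struct.unpack("!H", msg[pos + 2:pos + 4])
            pos += 4
        else:
            attr_len = msg[pos + 2]
            pos += 3
        if pos + attr_len > end:
            raise ValueError("attribute overruns the attribute block")
        if code == ATTR_AS_PATH:
            total += _count_segments(msg[pos:pos + attr_len], asn_size)
        pos += attr_len
    return total


def check_update(msg, max_asns=50, asn_size=2):
    """Return (ok, detail); max_asns=50 is an illustrative limit, not Cisco's."""
    try:
        count = as_path_length(msg, asn_size)
    except ValueError as exc:
        return False, f"malformed: {exc}"
    if count > max_asns:
        return False, f"AS_PATH carries {count} AS numbers (limit {max_asns})"
    return True, f"AS_PATH carries {count} AS numbers"


def build_update(asns, asn_size=2):
    """Build a constructed sample UPDATE whose only attribute is AS_PATH."""
    fmt = "!H" if asn_size == 2 else "!I"
    value = b""
    for start in range(0, len(asns), 255):      # a segment holds at most 255
        chunk = asns[start:start + 255]
        value += bytes([2, len(chunk)])         # type 2 = AS_SEQUENCE
        value += b"".join(struct.pack(fmt, asn) for asn in chunk)
    attr = bytes([0x40 | FLAG_EXT_LEN, ATTR_AS_PATH])
    attr += struct.pack("!H", len(value)) + value
    body = struct.pack("!HH", 0, len(attr)) + attr   # no withdrawn routes
    return MARKER + struct.pack("!HB", 19 + len(body), TYPE_UPDATE) + body


if __name__ == "__main__":
    print(check_update(build_update([65001, 65002, 65003])))
    print(check_update(build_update([64512] * 300)))
```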


Tuesday, September 8, 2009

CVE Announce - September 8, 2009 (opt-in newsletter from the CVE Web site)

Welcome to the latest edition of the CVE-Announce e-newsletter.
This email newsletter is designed to bring recent news about CVE,
such as new versions, upcoming conferences, new Web site features,
etc. right to your emailbox. Common Vulnerabilities and Exposures
(CVE) is the standard for information security vulnerability
names. CVE content results from the collaborative efforts of the
CVE Editorial Board, which is comprised of leading representatives
from the information security community. Details on subscribing
(and unsubscribing) to the email newsletter are at the end. Please
feel free to pass this newsletter on to interested colleagues.

Comments: cve@mitre.org

-------------------------------------------------------
CVE-Announce e-newsletter/September 8, 2009
-------------------------------------------------------

Contents:

1. Feature Story
2. Also in this Issue
3. Details/Credits + Subscribing and Unsubscribing

FEATURE STORY:


CVE Included as Topic at "IT Security Automation Conference 2009",
October 26-29

CVE will be included as a topic at the U.S. National Institute of
Standards and Technology's (NIST) "5th Annual IT Security
Automation Conference" on October 26-29, 2008 in Baltimore,
Maryland, USA. The CVE Team is also scheduled to contribute to the
CVE-related workshops.

NIST's Security Content Automation Protocol (SCAP) employs
existing community standards to enable "automated vulnerability
management, measurement, and policy compliance evaluation (e.g.,
FISMA compliance)," and CVE is one of the six open standards SCAP
uses for enumerating, evaluating, and measuring the impact of
software problems and reporting results. The other five standards
are Open Vulnerability and Assessment Language (OVAL), a standard
XML for security testing procedures and reporting; Common
Configuration Enumeration (CCE), standard identifiers and a
dictionary for system security configuration issues; Common
Platform Enumeration (CPE), standard identifiers and a dictionary
for platform and product naming; Extensible Configuration
Checklist Description Format (XCCDF), a standard for specifying
checklists and reporting results; and Common Vulnerability Scoring
System (CVSS), a standard for conveying and scoring the impact of
vulnerabilities.

Visit the CVE Calendar for information on this and other events.


LINKS:

IT Security Automation Conference 2009 -
http://www.nist.gov/public_affairs/confpage/091026.htm

SCAP - http://nvd.nist.gov/scap.cfm

CVE Calendar - http://cve.mitre.org/news/calendar.html


---------------------------------------------------------------
ALSO IN THIS ISSUE:


* MITRE Presents Making Security Measurable Briefing at "GFIRST5:
The 5 Pillars of Cyber Security"

Read these stories and more news at http://cve.mitre.org/news


---------------------------------------------------------------
Details/Credits + Subscribing and Unsubscribing

Managing Editor: David Mann, Information Security Technical
Center. Writer: Bob Roberge. The MITRE Corporation (www.mitre.org)
maintains CVE and provides impartial technical guidance to the CVE
Editorial Board on all matters related to ongoing development of
CVE.

To unsubscribe from the CVE-Announce e-newsletter, open a new
email message and copy the following text to the BODY of the
message "SIGNOFF CVE-Announce-list", then send the message to:
listserv@lists.mitre.org. To subscribe, send an email message to
listserv@lists.mitre.org with the following text in the BODY of
the message: "SUBSCRIBE CVE-Announce-List".

Copyright 2009, The MITRE Corporation. CVE and the CVE logo are
registered trademarks of The MITRE Corporation.

For more information about CVE, visit the CVE Web site at
http://cve.mitre.org or send an email to cve@mitre.org. Learn more
about Making Security Measurable at
http://measurablesecurity.mitre.org.

CERT-In Vulnerability Note CIVN-2009-108

Linux Kernel sock_sendpage() Local Privilege Escalation Vulnerability
http://www.cert-in.org.in/vulnerability/civn-2009-108.htm
Original Issue Date: September 07, 2009

Severity Rating: High

System Affected

Linux Kernel versions prior to 2.4.37.5
Linux Kernel versions prior to 2.6.30.5
Linux Kernel versions prior to 2.6.31-rc6

Overview

A vulnerability has been reported in the Linux kernel, which could be
exploited by local attackers to gain elevated privileges.

Description

This vulnerability is caused by a NULL pointer dereference error due to
improper initialization of all function pointers for socket operations in
"proto_ops" structures in the Linux kernel. A local attacker could exploit
this vulnerability by using the "sock_sendpage()" function to invoke a
vulnerable socket operation. Successful exploitation of this vulnerability
could allow a local attacker to execute arbitrary code with elevated kernel
privileges.

Solution

Upgrade to Linux Kernel version 2.4.37.5 or 2.6.30.5 or 2.6.31-rc6
http://www.kernel.org/

Vendor Information

kernel.org
http://www.kernel.org/

References

kernel.org
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.30.5
http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.31-rc6
http://www.kernel.org/pub/linux/kernel/v2.4/ChangeLog-2.4.37.5

GIT
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=e694958388c50148389b0e9b9e9e8945cf0f1b98

Secunia
http://secunia.com/advisories/36289/3/

SecurityFocus
http://www.securityfocus.com/bid/36038

SecurityTracker
http://securitytracker.com/alerts/2009/Aug/1022732.html

VUPEN
http://www.vupen.com/english/advisories/2009/2272

CVE Name
CVE-2009-2692

Wednesday, September 2, 2009

CERT-In Vulnerability Note CIVN-2009-107

Microsoft IIS FTP Buffer Overflow Vulnerability
http://172.17.10.50/vulnerability/civn-2009-107.htm

Original Issue Date: September 01, 2009

Severity Rating : Medium

System Affected

Microsoft Internet Information Server (IIS) 5.0
Microsoft Internet Information Server (IIS) 6.0

Overview

A vulnerability has been identified in Microsoft Internet Information
Server (IIS), which could be exploited by a remote, authenticated attacker
to execute arbitrary code on a vulnerable system.

Description

This issue is caused by a buffer overflow error in the FTP service when
processing an NLST (NAME LIST) command on a specially-named directory. This
could allow a remote, authenticated attacker with write access to crash an
affected server or execute arbitrary code with SYSTEM privileges by using
the Anonymous account or another account that is available to the attacker.

Workaround

Disable anonymous write access to IIS FTP server

References

US-CERT
http://www.kb.cert.org/vuls/id/276653

VUPEN Security
http://www.vupen.com/english/advisories/2009/2481

Tuesday, September 1, 2009

Virus Alert : Virus Induc

Virus Induc
http://172.17.10.50/virus/Virus_Induc.htm
Original issue date: August 31, 2009

It has been observed that a virus named Induc is spreading. It infects
software built with the Delphi programming language at compilation time.

The malware first checks to see if the Delphi version is between 4 and 7,
then replaces $DELPHI_DIR$\source\rtl\sys\SysConsts.pas with its own
malicious code. The malware then deletes the SysConsts.pas file.

The malware saves a clean copy of SysConsts.dcu as SysConst.bak and adds a
call to its own init function at the entry point of the SysConsts.dcu
library. Hence any Delphi program that is compiled by the infected Delphi
compiler will get infected. Each new build (using SysConst.dcu –
practically all) of any Delphi project on an infected machine produces an
infected file.

Software companies specializing in developing applications with Delphi are
at higher risk of infection.

[Figure: sample malicious code snippet after compiling a program with an
infected version of the SysConsts.dcu file. Source: F-Secure]

Upon execution the virus performs the following actions:

* Copies SysConst.pas to \Lib and writes its code to it.
* Creates a backup of SysConst.dcu, calling it SysConst.bak.
* Compiles \Lib\SysConst.pas, giving an infected version of SysConst.dcu.
* Deletes the modified .pas file.

Users are advised to implement the following countermeasures:

* Search for the malicious files created by the virus and delete them.
* Developers and vendors of software built with Delphi may check their
  compilers for infection to prevent the creation of more infected
  programs.
* Maintain up-to-date antivirus and antispyware software.
* Apply up-to-date patches and fixes to the operating system and
  application software.
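
One way to carry out the first two countermeasures, as an added example that is not part of the CERT-In alert: a Python scan for the file artefacts listed above (SysConst.bak beside SysConst.dcu, or a SysConst.pas left in Lib). The function names are hypothetical, and treating a SysConst.pas inside Lib as suspicious assumes a clean installation keeps that source only under source\rtl\sys.

```python
"""Scan Delphi Lib folders for the Induc file artefacts the alert lists."""
import hashlib
import os
import sys


def _sha256(path):
    """Hash a file in blocks so large .dcu files are not read at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(65536), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_for_induc_artifacts(root):
    """Walk root and return one finding per Lib directory with indicators.

    Indicators, taken from the alert text:
      - SysConst.bak present (backup made before SysConst.dcu is rebuilt)
      - SysConst.pas present in Lib (normally deleted after compilation)
    File names are compared case-insensitively, as Windows does.
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if os.path.basename(dirpath).lower() != "lib":
            continue
        by_lower = {name.lower(): name for name in filenames}
        bak = by_lower.get("sysconst.bak")
        dcu = by_lower.get("sysconst.dcu")
        pas = by_lower.get("sysconst.pas")
        if not bak and not pas:
            continue  # no indicator in this Lib directory
        finding = {
            "lib_dir": dirpath,
            "backup_present": bool(bak),
            "leftover_pas": bool(pas),
            # None means the comparison was not possible (a file is missing).
            "dcu_differs_from_backup": None,
        }
        if bak and dcu:
            finding["dcu_differs_from_backup"] = (
                _sha256(os.path.join(dirpath, bak))
                != _sha256(os.path.join(dirpath, dcu))
            )
        findings.append(finding)
    return findings


if __name__ == "__main__":
    # Usage: python scan_induc.py <Delphi installation or drive root>
    for item in scan_for_induc_artifacts(sys.argv[1]):
        print(item)
```

A finding with both backup_present and dcu_differs_from_backup set to True matches the sequence of actions described above and marks that compiler installation for closer inspection.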

References

http://www.viruslist.com/en/weblog?weblogid=208187826
http://www.f-secure.com/weblog/archives/00001752.html
http://blog.avast.com/2009/08/19/win32induc-new-concept-of-file-infector/
http://www.sophos.com/blogs/gc/g/2009/08/19/w32induca-spread-delphi-software-houses/
http://www.securityfocus.com/brief/999

