The popular Sourceforge site has announced that their servers have been breached. Until we learn more about the specifics, we should probably consider anything recently downloaded from Sourceforge as possibly compromised or tampered with.
* You are viewing the archive for January, 2011
If you run or participate in such a project, you might want to give the Fedora team’s writeup of a recent intrusion a read. Kudos to the Fedora team for their resilient process, their advanced preparation for such an event, and their willingness to share their experiences publicly. The link is below.
Citrix has released hotfixes for their Citrix Provisioning Services product to fix a possible remotely exploitable security issue.
UPDATE 22 Feb 2011 – There is a commercial-grade exploit available for this now (in the Core Impact pentest product).
[version 5.6] http://support.citrix.com/article/CTX127149
[version 5.1 SP2] http://support.citrix.com/article/CTX127164
[version 5.1 SP1] http://support.citrix.com/article/CTX127155
[version 5.1] http://support.citrix.com/article/CTX127175
Oracle has released its January 2011 Critical Patch Update. The security patches affect the following products:
Oracle Database 11g Release 2, version 18.104.22.168
Oracle Database 11g Release 1, version 22.214.171.124
Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4, 10.2.0.5
Oracle Database 10g Release 1, version 10.1.0.5
Oracle Audit Vault 10g Release 2, version 10.2.3.2
Oracle Secure Backup 10g Release 3, version 10.3.0.2
Oracle Fusion Middleware, 11g Release 1, versions 126.96.36.199.0, 188.8.131.52.0
Oracle Application Server 10g Release 2, version 10.1.2.3.0
Oracle Beehive, versions 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124.1, 126.96.36.199
Oracle BI Publisher, versions 10.1.3.3.2, 10.1.3.4.0, 10.1.3.4.1, 188.8.131.52
Oracle Document Capture, versions 10.1.3.4, 10.1.3.5
Oracle GoldenGate Veridata, version 184.108.40.206
Oracle JRockit versions, R27.6.7 and earlier …
Avaya has reported that a security bypass vulnerability exists in the 4.x versions of their Avaya Aura Application Enablement Services. No 5.x version is reported as affected. The fix, according to Avaya, is to upgrade to the latest 5.x version.
Sielco Sistemi Winlog version 2.07.01A fixes an important security issue. The underlying bug is present in all versions of Sielco Sistemi WinLog Lite and WinLog Pro up to and including version 2.07.00.
UPDATE 24 Jan 2011 – A reliable exploit is now available in the White Phosphorus (commercial) add-on for Immunity CANVAS.
[Updated Lite version] http://www.sielcosistemi.com/download/WinlogLite_Setup.exe
[Updated Pro version] http://www.sielcosistemi.com/download/Winlog_Setup_SF.exe
Virginia HB 2271 is a proposal to exempt computer and digital forensic services from the private investigator (PI) license requirement. This legislation might be of interest if you or your organization provide (or want to provide) computer or digital forensic services in the State of Virginia (USA).
Update 21 Mar 2011 – The governor of Virginia signed this into law. The change goes into effect 01 July 2011.
IBM has released a fix for a potentially remotely exploitable buffer overflow bug in their IBM WebSphere MQ software. No exploit is publicly available as of this writing (13 Jan 2011).
The fixed versions are 220.127.116.11 WebSphere MQ 7.x and version 18.104.22.168 for WebSphere MQ 6.x.
IBM WebSphere Application Server versions 22.214.171.124 and 126.96.36.199 fix a cross site scripting vulnerability. An exploit is available.
Google Chrome 8.0.552.237 has been released for Windows, Mac, and Linux. The update includes fixes for 5 vulnerabilities, 2 of which are classified as high or critical.
Symantec has released a security update to fix a SQL injection vulnerability in their Symantec Web Gateway product. The bug is in the management interface GUI. An exploit is available. Symantec Web Gateway 188.8.131.526 is not vulnerable.
Red Hat has released fixes for several security issues in their server and desktop OS products. Details are at the link below.
A remotely exploitable vulnerability has been reported in the Wellintech KingView SCADA system. At least Wellintech KingView version 6.5.3 is affected. Exploit code is available (first link below). As of this writing, no patch has been released.
UPDATE 19 Jan 2011 – Wellintech has released a patched library to address the problem.
Atlassian Crucible 2.4.4 and Fisheye 2.4.4 fix several vulnerabilities, including some that allow remote code execution. Exploits are available.
The following versions are vulnerable:
Atlassian Crucible 2.2.3
Atlassian Crucible 2.3.2
Atlassian Crucible 2.3.3
Atlassian Crucible 2.4.3
Atlassian Fisheye 2.2.3
Atlassian Fisheye 2.3.0
Atlassian Fisheye 2.3.1
Atlassian Fisheye 2.3.2
Atlassian Fisheye 2.3.3
Atlassian Fisheye 2.3.4
Atlassian Fisheye 2.3.5
Atlassian Fisheye 2.3.6
Atlassian Fisheye 2.3.7
Atlassian Fisheye 2.4.3
HP has released patches for several remote code execution issues affecting certain versions of their HP OpenView Network Node Manager software. OpenView Network Node Manager 7.51 and unpatched instances of 7.53 are vulnerable.
According to HP, you should upgrade to 7.53 and apply the following patches as applicable:
HP-UX (IA) – PHSS_41607 or subsequent
HP-UX (PA) – PHSS_41606 or subsequent
Linux RedHatAS2.1 – LXOV_00113 or subsequent
Linux RedHat4AS-x86_64 – LXOV_00114 or subsequent
Solaris – PSOV_03531 or subsequent
Windows – NNM_01208 or subsequent
HP Security Bulletin: HPSBMA02621 SSRT100352 rev.1
Cisco ASA 5500 Series Adaptive Security Appliance version 8.3(2) includes fixes for several security issues. Details are in the link below. Exploits are available.
Vulnerable versions include:
Cisco ASA 5500 Series Adaptive Security Appliance 7.0
Cisco ASA 5500 Series Adaptive Security Appliance 7.0.0
Cisco ASA 5500 Series Adaptive Security Appliance 7.0.4
Cisco ASA 5500 Series Adaptive Security Appliance 184.108.40.206
Cisco ASA 5500 Series Adaptive Security Appliance 7.0(8.10)
Cisco ASA 5500 Series Adaptive Security Appliance 7.0(8.11)
Cisco ASA 5500 Series Adaptive Security Appliance 7.1
Cisco ASA 5500 Series Adaptive Security Appliance 7.2
Cisco ASA 5500 Series Adaptive Security Appliance 7.2(4.44)
Cisco ASA 5500 Series Adaptive Security Appliance 7.2(4.45)
Cisco ASA 5500 …
Cisco ASA 5500 Series Adaptive Security Appliance version 8.2(3) includes fixes for several security issues. Details are in the link below. Exploits are available.
Cisco’s new IOS 15.0(1)XA1 release contains patches for a set of denial of service and security bypass vulnerabilities. Details are in the link below.
The following IOS versions are vulnerable:
Cisco IOS 15.0 M
Cisco IOS 15.0(1)M1
Cisco IOS 15.0(1)M2
Cisco IOS 15.0(1)M3
Cisco IOS 15.0(1)XA
Microsoft has released their January 2011 security updates. There are only two bulletins in this release.
It is important to bear in mind what is NOT in this January 2011 release. Microsoft has elected not to provide patches for two known vulnerabilities in Internet Explorer that are being exploited in the wild right now. One is CVE-2010-3971 (http://www.microsoft.com/technet/security/advisory/2490606.mspx) and the other is CVE-2010-3970 (http://www.microsoft.com/technet/security/advisory/2488013.mspx). If your IPS vendor provides detection for these, consider getting the associated filters in place in the meantime.
One final thought: please consider whether it is safe to deploy Outlook …
RIM has announced that a remote buffer overflow vulnerability exists in the PDF Distiller component of their BlackBerry Attachment Service. You should upgrade to one of the fixed versions listed in the references link below.
The following BES and BPS versions are affected:
BlackBerry Enterprise Server Express version 5.0.1 and 5.0.2 for Microsoft Exchange
BlackBerry Enterprise Server Express version 5.0.2 for IBM Lotus Domino
BlackBerry Enterprise Server versions 4.1.3 through 5.0.2 for Microsoft Exchange and IBM Lotus Domino
BlackBerry Enterprise Server versions 4.1.3 through 5.0.1 for Novell GroupWise
BlackBerry® Professional Software version 4.1.4 for Microsoft Exchange and IBM Lotus Domino
Separately, RIM reports a vulnerability that affects only BlackBerry handsets, not BES servers or BlackBerry Desktop Software. BlackBerry device software versions below 6.0.0 are affected. Affected handsets should be upgraded to a fixed version (listed in the link below).
SAP has released fixes for security vulnerabilities for certain versions of their SAP Management Console software. The bugs fixed are one information disclosure problem and one vulnerability that leads to a denial of service condition.
The following SAP Management Console versions are vulnerable:
SAP KERNEL RELEASE 6.40
SAP KERNEL RELEASE 7.00
SAP KERNEL RELEASE 7.01
SAP KERNEL RELEASE 7.10
SAP KERNEL RELEASE 7.11
SAP KERNEL RELEASE 7.20
TIBCO has released fixes for vulnerabilities in their ActiveCatalog and Collaborative Information Manager products. TIBCO ActiveCatalog 1.0.0 and TIBCO Collaborative Information Manager 8.0.0 are vulnerable. TIBCO ActiveCatalog 1.0.1 and TIBCO Collaborative Information Manager 8.1.0 are not vulnerable. Most of the issues are related to insufficiently sanitized user input.
Next week’s January 2011 Microsoft patches will NOT include a fix for two of the known, currently exploited vulnerabilities in Internet Explorer. One is CVE-2010-3971 and the other is described at http://www.microsoft.com/technet/security/advisory/2488013.mspx. If your IPS vendor provides detection for these, consider getting the associated filters in place in the meantime.
From time to time the question comes up from law enforcement and other investigators: Can Blackberry passwords be bypassed or cracked? To the best of my knowledge the answer is yes, but only by certain authorized entities. Currently the process takes about a year (backlog) and there is a cost associated with doing so.
Who is authorized? As far as I know, in the United States federal-level law enforcement and the intelligence services can: CIA, NSA, and the FBI. There may be elements of the US Department of Defense and the US military, but I …
Apple Mac OS X version 10.6.6 has been released. It includes a fix for one security issue. The majority of the changes center on support for the new Apple App Store.
VMware has published one new security advisory and updated two prior ones. The details of each are at the links below. No remotely exploitable issues have been reported; the fixed issues are either denial of service conditions or escalation of privilege.
I think the nightly 5 hours of training (OR 5 hours of Bsides content) is an attractive feature. This might end up better than Shmoocon. It seems to be priced similarly.
CA has confirmed that a remotely exploitable security issue exists in the Axis2 components of their ARCserve D2D product. CA ARCserve D2D r15 has been confirmed vulnerable.
Exploit code (instructions) exists for this. CA hasn’t provided a patch. The fix is to change the userName and password properties from the Axis2 defaults (admin/axis2) to something secure in the file “c:\program files\CA\ARCserve\D2D\TOMCAT\webapps\WebServiceImpl\WEB-INF\conf\axis2.xml”.
If you are thinking this sounds similar to the Axis2 vulnerability in SAP BusinessObjects described here, you are right – it is the same component in both products. If you have other systems that use Axis2, please review …
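The check a practitioner would want after reading the ARCserve D2D and SAP BusinessObjects items above is a quick way to audit every axis2.xml on an estate for the shipped admin/axis2 login. The following is an added example (not CA’s, SAP’s, or Apache Axis2’s own code): it parses the top-level `<parameter>` elements of an axis2.xml and reports whether the default administration credentials are still in place. The sample configurations are constructed here for illustration, and the 12-character minimum password length is this example’s own assumption, not anything the vendors specify.

```python
"""Audit an Apache Axis2 axis2.xml for the well-known default admin login.

Added example, not vendor code. Axis2 ships its administration console
login as two top-level parameters in axis2.xml:

    <parameter name="userName">admin</parameter>
    <parameter name="password">axis2</parameter>

Any product that bundles Axis2 inherits those defaults unless the
deployer changes them, which is the ARCserve D2D mitigation above.
"""
import xml.etree.ElementTree as ET

DEFAULT_USER = "admin"
DEFAULT_PASSWORD = "axis2"
MIN_PASSWORD_LENGTH = 12  # assumption for this example, not a vendor value


def axis2_admin_credentials(xml_text):
    """Return (userName, password) from the direct <parameter> children of
    <axisconfig>. Only top-level parameters are consulted so that unrelated
    transport or module parameters are not mistaken for the admin login.
    A value that is not present is returned as None."""
    root = ET.fromstring(xml_text)
    found = {"userName": None, "password": None}
    for param in root.findall("parameter"):
        name = param.get("name")
        if name in found and found[name] is None:
            found[name] = (param.text or "").strip()
    return found["userName"], found["password"]


def audit_axis2_config(xml_text):
    """Return a list of findings for one axis2.xml document.
    An empty list means no default-credential problem was detected."""
    user, password = axis2_admin_credentials(xml_text)
    findings = []
    if user is None or password is None:
        findings.append("no top-level userName/password parameters: "
                        "admin login is not configured in this file")
        return findings
    if (user, password) == (DEFAULT_USER, DEFAULT_PASSWORD):
        findings.append("default Axis2 admin credentials admin/axis2 are in use")
    elif password == DEFAULT_PASSWORD:
        findings.append("admin password is still the Axis2 default 'axis2'")
    elif len(password) < MIN_PASSWORD_LENGTH:
        findings.append("admin password is shorter than %d characters"
                        % MIN_PASSWORD_LENGTH)
    return findings


def audit_axis2_file(path):
    """Convenience wrapper: audit an axis2.xml on disk, e.g. the ARCserve D2D
    path quoted in the post above."""
    with open(path, "r", encoding="utf-8") as fh:
        return audit_axis2_config(fh.read())


# Constructed sample: what a freshly installed Axis2 configuration looks like.
VULNERABLE_AXIS2_XML = """
<axisconfig name="AxisJava2.0">
    <parameter name="hotdeployment">true</parameter>
    <parameter name="hotupdate">false</parameter>
    <!-- administration console login, as shipped -->
    <parameter name="userName">admin</parameter>
    <parameter name="password">axis2</parameter>
    <transportReceiver name="http" class="org.apache.axis2.transport.http.SimpleHTTPServer">
        <parameter name="port">8080</parameter>
    </transportReceiver>
</axisconfig>
"""

# Constructed sample: the same file after the mitigation has been applied.
HARDENED_AXIS2_XML = """
<axisconfig name="AxisJava2.0">
    <parameter name="hotdeployment">true</parameter>
    <parameter name="userName">d2d-axis-admin</parameter>
    <parameter name="password">vJ8qLm2xR7pZ4wK9</parameter>
</axisconfig>
"""

if __name__ == "__main__":
    for label, doc in (("shipped", VULNERABLE_AXIS2_XML),
                       ("hardened", HARDENED_AXIS2_XML)):
        print(label, audit_axis2_config(doc) or ["ok"])
```

Point `audit_axis2_file()` at each axis2.xml you find under a product’s Tomcat `webapps/*/WEB-INF/conf` directory; any non-empty result for a host that exposes the Axis2 admin console is worth treating as the same exposure described above, regardless of which product bundled the component.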