Sharpe Security Blog

Citrix has released an update to fix a potentially serious remotely exploitable security issue in their Citrix XenApp and XenDesktop products. (This might be what you are using in your VDI environment). As of 25 Feb 2011, we are not aware of any publicly available exploit.

The following products are affected:
- XenApp 5.0 for Windows Server 2003 x64
- XenApp 5.0 for Windows Server 2003 x86
- XenApp 6.0 for Windows Server 2008 R2
- XenApp Fundamentals 3.0
- XenApp Fundamentals 6.0 for Windows Server 2008 R2
- XenDesktop 4 x32
- XenDesktop 4 x64
- Feature Pack 1 for Presentation Server 4.5

References:
http://support.citrix.com/article/CTX128169

email: david … Continue Reading

ISC has released a fix for a denial of service condition for certain versions of BIND.

Which versions are affected?
BIND 9.8 is not vulnerable.
BIND 9.7.1 and 9.7.2 are vulnerable (earlier versions are not vulnerable). 9.7.3 includes the fix and is not vulnerable.
BIND 9.6.x, 9.6-ESV-Rx, or 9.4-ESV-R4 are not vulnerable
BIND 9.5 is not under support.

References:
http://www.isc.org/software/bind/advisories/cve-2011-0414

email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity
Twitter: twitter.com/patchmanagement

Cisco has released a series of security updates for its Cisco ASA 5500 Series Adaptive Security Appliances. These updates address several security issues, including at east one that is reportedly remotely exploitable. Exploits exist for some of the vulnerabilities.

References:
http://www.cisco.com/en/US/products/products_security_advisory09186a0080b6e14d.shtml

email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity
Twitter: twitter.com/patchmanagement

WordPress version 3.1 contains mostly normal bugfixes and feature enhancements (over 800). I upgraded this blog already to the 3.1 release level and it seems to work fine.

References:
http://codex.wordpress.org/Version_3.1

email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity
Twitter: twitter.com/patchmanagement

Two security updates were released for Ruby on 18 Feb 2011. Please refer to the references link below for details on both.

References:
http://www.ruby-lang.org/en/security/

email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity
Twitter: twitter.com/patchmanagement

Microsoft has released blockers for both IE 9 and Windows 7 SP1. These are useful in environments where you need to control when these new releases start appearing in production.

IE 9 blocker:
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=a6169467-b793-4d17-837d-01776bf2bea4

Windows 7 Service Pack 1 blocker:
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=d7c9a07a-5267-4bd6-87d0-e2a72099edb7

email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity
Twitter: twitter.com/patchmanagement

Novell has provided patches for a remotely exploitable vulnerability in their ZENworks Configuration Management’s TFTPD service. The problem affects ZCM versions 10.3.1, 10.3.2, and 11.0. As of 17 Feb 2011, no public exploit code exists. Earlier versions of ZCM might need to be upgraded to a supported version to be patchable.

References:
http://www.novell.com/support/viewContent.do?externalId=7007896

email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity
Twitter: twitter.com/patchmanagement

Cisco/Linksys has released an update that fixes a remotely exploitable security issue in their Linksys WAP610N product. Exploit code exists (see reference link below). Unauthenticated access to port 1111 on units running affected firmware versions is enough to compromise the box. This is a device for the SMB and consumer market that your employees or customers might have in their homes or offices.

Linksys WAP610N firmware versions 1.0.01 and 1.0.00 are known vulnerable. It is possible other firmware versions are vulnerable as well.

References:
http://www.securenetwork.it/ricerca/advisory/download/SN-2010-08.txt

email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity
Twitter: twitter.com/patchmanagement

21 vulnerabilities fixed this time around. If for some reason you cannot patch some or all of you Sun Java JRE instances in your organization, please consider putting IPS blocks in place at your network edges and/or in your client host IPS as outlined at http://blog.sharpesecurity.com/2010/10/25/list-of-currently-exploited-sun-java-vulnerabilities/.

References:
http://www.oracle.com/technetwork/topics/security/javacpufeb2011-304611.html
http://blog.sharpesecurity.com/2010/10/25/list-of-currently-exploited-sun-java-vulnerabilities/

email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity
Twitter: twitter.com/patchmanagement

Cisco has released a patch for a remotely exploitable bug in their Cisco Security Agent software. As of 17 Feb 2011, no publicly available exploit code exists. There is a long list of affected versions listed in the reference article below.

References:
http://www.cisco.com/warp/public/707/cisco-sa-20110216-csa.shtml

email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity
Twitter: twitter.com/patchmanagement

IBM has released patches to address security bypass issues in their IBM FileNet P8 Content Manager and IBM FileNet P8 Business Process Manager software.

The following IBM FileNet P8 Content Manager and IBM FileNet P8 Business Process Manager versions are affected:
P8CE 5.0.0 at the GA base level
P8CE 4.5.1 at any level
P8CE 4.5.0 at any level
P8CE 4.0.1 at any level

References:
http://www-01.ibm.com/support/docview.wss?uid=swg21462438

email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity
Twitter: twitter.com/patchmanagement

If you are having trouble with machines bugchecking with stop codes 7F or 1000007F trap code 8 after applying the February 2011 Microsoft patches, then this article might be relevant.

Often 0x7F or 0x1000007F stop codes trap code 8 are due to overflowing a fixed size (12000 byte) kernel stack space resource. The lion’s share of variations of crashes related to MS11-011 (KB2393802) seem to fall in this bucket.

While you can measure total kernel stack space using MemInfo (http://www.winsiderss.com/tools/meminfo/meminfo.htm), to diagnose the problem to the root cause you need to break kernel stack space usage down by module. … Continue Reading

IBM has released a patch to plug a security bypass issue in their IBM FileNet Content Manager Rendition Engine software.

The following IBM FileNet P8 Rendition Engine versions are affected:
P8RE 4.5.1 at the GA base level
P8RE 4.5.0 at the GA base level
P8RE 4.0.1 at the GA base level, Interim Fix 001 level or Interim Fix 002 level

References:
http://www-01.ibm.com/support/docview.wss?uid=swg21462440

email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity
Twitter: twitter.com/patchmanagement

BACnet OPC Client version 1.0.25 fixes a remotely exploitable vulnreability in BACnet was reported back in September 2010. Exploit code is available for vulnerable versions. You might want to check with your building security people to see if you use BACnet in any of your facilities.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4740
http://www.us-cert.gov/control_systems/pdf/ICSA-10-264-01.pdf
http://www.scadaengine.com/software7.html

email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity
Twitter: twitter.com/patchmanagement

It looks like Symantec intends to force customers trying to stay on SAV10 past April 2012 to upgrade sooner than they might want to. Symantec today announced that a root certificate (SymRoot1) related to LiveUpdate will expire on 30 April 30 2011. If nothing was done SAV10 clients running SAV10 MR9 and lower would no longer be able to authenticate, download, or install new AV definitions or product updates.

To provide some relief, Symantec will make a change that will allow SAV10 MR9 and lower clients to continue to function properly with LiveUpdate through 04 July 2012. Note … Continue Reading

Interesting reading from recent Anonymous/HBGary Federal email dumps:

January 2009 question from a very senior leader from a known CIA front company directed to HBGary CEO:

Suppose someone wanted some expert, never-before-seen malware written as part of legitimate testing of a priority target, would you be someone to talk to?

Response from HBGary CEO:

Well, HBGary can write that kind of stuff – but I will be up front in saying that me personally would not be the one coding on it, although I might weigh in on a design. I’ve got my hands full w/ our product dev team so this kind of … Continue Reading

IBM has released a series of patches for their Lotus Notes and Domino products. Please note that one of the Domino vulnerabilities (Lotus Domino diiop overflow) is remotely exploitable and a commercial-grade exploit exists.

References:
http://www-01.ibm.com/support/docview.wss?uid=swg21461514

email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity
Twitter: twitter.com/patchmanagement

Xerox has released a fix for a remotely exploitable vulnerability in the 7655, 7665, and 7675 models of their Xerox WorkCentre product.

References:
http://www.xerox.com/downloads/usa/en/c/cert_XRX11-001_v1.0.pdf

email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity
Twitter: twitter.com/patchmanagement

Adobe has released a security update for their ColdFusion software. ColdFusion versions 8.0, 8.0.1, 9.0, and 9.0.1 for Windows, Macintosh and UNIX are affected according to Adobe.

References:
http://www.adobe.com/support/security/bulletins/apsb11-04.html

email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity
Twitter: twitter.com/patchmanagement

Security updates have been released for Ruby on Rails 2.3.x and 3.x. Please refer to the links below for details.

References:
http://groups.google.com/group/rubyonrails-security/browse_thread/thread/2d95a3cc23e03665
http://groups.google.com/group/rubyonrails-security/browse_thread/thread/f02a48ede8315f81
http://groups.google.com/group/rubyonrails-security/browse_thread/thread/362f1fbc1761b336
http://groups.google.com/group/rubyonrails-security/browse_thread/thread/b658902cf6bf4eed

email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity
Twitter: twitter.com/patchmanagement

7-Technologies has released a security patch for their Interactive Graphical SCADA System software. As of this writing (10 Feb 2011), no public exploit code exists.

References:
http://www.igss.com/download/licensed-versions.aspx
http://www.us-cert.gov/control_systems/pdf/ICSA-11-018-02.pdf

email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity
Twitter: twitter.com/patchmanagement

Adobe has released Shockwave Player version 11.5.10.620 for Windows. The version number for the corresponding update for Apple OS X is 11.5.9.20. This update contains several security updates as outlined in the link below.

References:
http://www.adobe.com/support/security/bulletins/apsb11-01.html

email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity
Twitter: twitter.com/patchmanagement

Adobe has released version 10.2.152.26 of their Flash player product for Windows, Apple Mac, Solaris, and Linux. This new version includes 9 fixes for vulnerabilities as outlined in the link below.

References:
http://www.adobe.com/support/security/bulletins/apsb11-02.html

email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity
Twitter: twitter.com/patchmanagement

Adobe has released versions 8.2.6, 9.4.2 and 10.0.1 of their Adobe Reader and Adobe Acrobat software for Windows and Apple Mac. There are security-related bugfixes in these releases.

References:
http://www.adobe.com/support/security/bulletins/apsb11-03.html

email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity
Twitter: twitter.com/patchmanagement

Microsoft has released their February 2011 security updates. There are 12 bulletins in this release. Exploits exist for some of the bugs fixed.

MS11-003 replaces MS10-090 (in case you use Microsoft SCCM and were having problems with MS10-090 being misreported as being needed on versions of Internet Explorer not present on your endpoints). Hopefully the detection for MS11-003 will work better.

Also please note the non-security update affecting Windows Autorun/Autoplay KB971029.

References:
http://isc.sans.edu/diary.html?storyid=10375
https://www.microsoft.com/technet/security/bulletin/ms11-feb.mspx

email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity
Twitter (free enterprise vulnerability alert feed): twitter.com/patchmanagement

Google Chrome 9.0.597.94 has been released for Windows, Mac, and Linux. The update includes fixes for 5 vulnerabilities, 3 of which are classified as high or critical.

References:
http://sites.google.com/a/chromium.org/dev/Home/chromium-security
http://www.google.com/chrome/index.html?hl=en&brand=CHMA&utm_campaign=en&utm_source=en-ha-na-us-bk&utm_medium=ha

email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity
Twitter (free enterprise vulnerability alert feed): twitter.com/patchmanagement

WordPress version 3.0.5 fixes several security issues. Exploit code is available for use against vulnerable WordPress installations. I upgraded this blog already to the 3.0.5 release level and it seems to work fine.

References:
http://codex.wordpress.org/Version_3.0.5

email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity
Twitter: twitter.com/patchmanagement

To ensure that you are running Apache Tomcat instances with all available security patches applied, you should be at either Apache Tomcast version 7.0.8, 6.0.32, or 5.5.32. There were some vulnerability alerts floating around this week from other vendors suggesting some slightly older versions lower versions were OK.

References:
[7.x] – http://tomcat.apache.org/security-7.html
[6.x] – http://tomcat.apache.org/security-6.html
[5.x] – http://tomcat.apache.org/security-5.html

email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity
Twitter (free enterprise vulnerability alert feed): twitter.com/patchmanagement

HP has released patches for a remotely exploitable security vulnerability in their HP OpenView Performance Insight Server software. Versions 5.2, 5.3, 5.31, 5.4, 5.41 for Windows, HP-UX, Linux, and Solaris are affected.

References:
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02695453

email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity
Twitter (free enterprise vulnerability alert feed): twitter.com/patchmanagement

Cisco TANDBERG C Series and E/EX Series units running TC4.0.0 or lower have a problem where the root admin account is enabled and set with a blank password.

References:
http://www.cisco.com/en/US/products/ps11422/products_security_advisory09186a0080b69541.shtml

email: david @ sharpesecurity.com
website: www.sharpesecurity.com
Twitter: twitter.com/sharpesecurity
Twitter (free enterprise vulnerability alert feed): twitter.com/patchmanagement