[Full-disclosure] SUSE Security Announcement: openSSL protocol downgrade attack (SUSE-SA:2005:061)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

______________________________________________________________________________

                        SUSE Security Announcement

        Package:                openssl
        Announcement ID:        SUSE-SA:2005:061
        Date:                   Wed, 19 Oct 2005 12:00:00 +
        Affected Products:      SUSE LINUX 10.0
                                SuSE Linux 9.0
                                SUSE LINUX 9.1
                                SUSE LINUX 9.2
                                SUSE LINUX 9.3
                                SuSE Linux Desktop 1.0
                                SuSE Linux Enterprise Server 8
                                SUSE Linux Enterprise Server 9
                                UnitedLinux 1.0
                                Novell Linux Desktop 9
                                Open Enterprise Server
        Vulnerability Type:     protocol downgrade attack
        Severity (1-10):        7
        SUSE Default Package:   yes
        Cross-References:       CAN-2005-2969

    Content of This Advisory:
        1) Security Vulnerability Resolved:
             openssl protocol downgrading attack
           Problem Description
        2) Solution or Work-Around
        3) Special Instructions and Notes
        4) Package Location and Checksums
        5) Pending Vulnerabilities, Solutions, and Work-Arounds:
           See SUSE Security Summary Report.
        6) Authenticity Verification and Additional Information

______________________________________________________________________________

1) Problem Description and Brief Discussion

   The openssl cryptographic libraries have been updated to fix a
   protocol downgrading attack which allows a man-in-the-middle attacker
   to force the usage of SSLv2. This happens due to the work-around code
   of SSL_OP_MSIE_SSLV2_RSA_PADDING which is included in SSL_OP_ALL
   (which is commonly used in applications). (CAN-2005-2969)

   Additionally this update adds GeoTrust's Equifax Root1 CA certificate
   to allow correct certification against Novell Inc. websites and
   services. The same CA is already included in Mozilla, KDE, and curl,
   which use separate certificate stores.

2) Solution or Work-Around

   Please install the updated packages. A work-around would be to
   disable SSL v2 support in the applications.

3) Special Instructions and Notes

   Restart all services using SSL communication.

4) Package Location and Checksums

   The preferred method for installing security updates is to use the
   YaST Online Update (YOU) tool. YOU detects which updates are required
   and automatically performs the necessary steps to verify and install
   them.

   Alternatively, download the update packages for your distribution
   manually and verify their integrity by the methods listed in Section
   6 of this announcement. Then install the packages using the command

     rpm -Fhv file.rpm

   to apply the update, replacing file.rpm with the filename of the
   downloaded RPM package.

   x86 Platform:

   SUSE LINUX 10.0:
     ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/openssl-0.9.7g-2.2.i586.rpm
       e3327b60cd67e05c69fbad39787dccc9
     ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/openssl-devel-0.9.7g-2.2.i586.rpm
       24865cb7cc369352f0be0f6681c0337e

   SUSE LINUX 9.3:
     ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/openssl-0.9.7e-3.2.i586.rpm
       83537e24205a2add698e1b3bdabd47da
     ftp://ftp.suse.com/pub/suse/i386/update/9.3/rpm/i586/openssl-devel-0.9.7e-3.2.i586.rpm
       24b05ddf75b1b1c1630f489c73009782

   SUSE LINUX 9.2:
     ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/openssl-0.9.7d-25.2.i586.rpm
       eb5845c52c418f6c4dd54922854f282f
     ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/openssl-devel-0.9.7d-25.2.i586.rpm
       3489d04736d818da68ef83d148aa

   SUSE LINUX 9.1:
     ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/openssl-0.9.7d-15.15.3.i586.rpm
       44fa57fcbdf8f3889bacb9cff6b1a09f
     ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/openssl-devel-0.9.7d-15.15.3.i586.rpm
       1faa73fc6dac13b05e40f5714f88b226
     ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/i586/openssl-32bit-9.1-200510151708.i586.rpm
       d4b72038c4552fcba9fa11b554af2eac
     ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/i586/openssl-devel-32bit-9.1-200510151708.i586.rpm
       6b4b1eeaa0592fd7a92816ceb4658494

   SuSE Linux 9.0:
     ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/openssl-0.9.7b-135.i586.rpm
       cf17f027255eabe00df743ead5052f1a
     ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/openssl-devel-0.9.7b-135.i586.rpm
       9ffd642f59150064dbb04644990d22b8
     ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/i586/openssl-32bit-9.0-5.i586.rpm
       b411a2e07c627174edf3e59c36e2afea
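To make the downgrade in section 1 concrete on the wire: the attacker's goal is that the server ends up in an SSLv2 session, and the first visible sign of that is the shape of the hello that reaches it. The following is an added example, not part of the SUSE advisory and not OpenSSL code, that tells an SSLv2-format CLIENT-HELLO apart from an SSLv3/TLS ClientHello record and lists the SSLv2 cipher kinds it offers. The three sample hellos are constructed by hand (not captured traffic); the cipher-kind names follow the SSLv2 specification. Note that the rollback check the SSL_OP_MSIE_SSLV2_RSA_PADDING work-around disables lives inside the RSA-encrypted key material, so it is not something this parser can observe; what it shows is the pure-SSLv2 hello a server configured with SSL_OP_ALL would accept.

```python
"""Added example (not part of SUSE-SA:2005:061 or of OpenSSL): tell an
SSLv2-format CLIENT-HELLO apart from an SSLv3/TLS ClientHello record and
list the cipher kinds it offers. The sample hellos are constructed by hand."""
import struct

# SSLv2 cipher-kind values are 3 bytes; a leading 0x00 byte means the entry
# is an SSLv3/TLS cipher suite carried inside a v2-compatible hello.
SSLV2_CIPHER_KINDS = {
    0x010080: "SSL2_RC4_128_WITH_MD5",
    0x020080: "SSL2_RC4_128_EXPORT40_WITH_MD5",
    0x030080: "SSL2_RC2_128_CBC_WITH_MD5",
    0x040080: "SSL2_RC2_128_CBC_EXPORT40_WITH_MD5",
    0x050080: "SSL2_IDEA_128_CBC_WITH_MD5",
    0x060040: "SSL2_DES_64_CBC_WITH_MD5",
    0x0700C0: "SSL2_DES_192_EDE3_CBC_WITH_MD5",
}


def parse_sslv2_hello(data):
    """Parse an unpadded SSLv2 record carrying a CLIENT-HELLO (msg type 1)."""
    if len(data) < 2 or not data[0] & 0x80:
        raise ValueError("not an unpadded SSLv2 record header")
    rec_len = ((data[0] & 0x7F) << 8) | data[1]
    body = data[2:2 + rec_len]
    if len(body) < 9 or body[0] != 0x01:
        raise ValueError("not an SSLv2 CLIENT-HELLO")
    version, cs_len, sid_len, chal_len = struct.unpack("!HHHH", body[1:9])
    if cs_len % 3 or len(body) < 9 + cs_len + sid_len + chal_len:
        raise ValueError("truncated or malformed SSLv2 CLIENT-HELLO")
    specs = body[9:9 + cs_len]
    kinds = [int.from_bytes(specs[i:i + 3], "big") for i in range(0, cs_len, 3)]
    return {
        "format": "sslv2",
        "version": version,
        "ciphers": kinds,
        # only entries whose first byte is non-zero are genuine SSLv2 kinds
        "sslv2_ciphers": [SSLV2_CIPHER_KINDS.get(k, "unknown-v2-%06x" % k)
                          for k in kinds if k >> 16],
    }


def parse_tls_hello(data):
    """Parse an SSLv3/TLS handshake record (type 0x16) carrying a ClientHello."""
    if len(data) < 5 or data[0] != 0x16:
        raise ValueError("not an SSLv3/TLS handshake record")
    rec_len = struct.unpack("!H", data[3:5])[0]
    body = data[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) < 35:
        raise ValueError("truncated ClientHello")
    client_version = struct.unpack("!H", hs[:2])[0]
    pos = 34                      # client_version (2) + random (32)
    pos += 1 + hs[pos]            # skip session_id
    cs_len = struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or len(hs) < pos + cs_len:
        raise ValueError("malformed cipher_suites vector")
    suites = [struct.unpack("!H", hs[pos + i:pos + i + 2])[0]
              for i in range(0, cs_len, 2)]
    return {"format": "tls", "version": client_version,
            "ciphers": suites, "sslv2_ciphers": []}


def classify_hello(data):
    """Dispatch on the first byte: 0x16 is a TLS record, high bit set is SSLv2."""
    if data[:1] == b"\x16":
        return parse_tls_hello(data)
    return parse_sslv2_hello(data)


def is_pure_sslv2(data):
    """True when the hello is SSLv2 format and announces version 0x0002, i.e.
    the peer can only ever end up in an SSLv2 session."""
    info = classify_hello(data)
    return info["format"] == "sslv2" and info["version"] == 0x0002


def offers_sslv2_ciphers(data):
    """True when any genuine SSLv2 cipher kind is offered (a v2-compatible
    hello from a TLS client can still do this)."""
    return bool(classify_hello(data)["sslv2_ciphers"])


# --- constructed samples (not captured traffic) ---------------------------
def _v2_record(version, kinds, challenge=b"\x00" * 16):
    specs = b"".join(k.to_bytes(3, "big") for k in kinds)
    body = (b"\x01" + struct.pack("!HHHH", version, len(specs), 0, len(challenge))
            + specs + challenge)
    return bytes([0x80 | (len(body) >> 8), len(body) & 0xFF]) + body

# what a server sees after being forced down to SSLv2: version 2, v2 kinds only
SAMPLE_SSLV2_HELLO = _v2_record(0x0002, [0x010080, 0x0700C0])
# v2-compatible hello from a TLS 1.0 client that still lists one v2 kind
SAMPLE_V2COMPAT_HELLO = _v2_record(0x0301, [0x00002F, 0x010080])
# plain TLS 1.0 ClientHello offering AES128-SHA and 3DES, null compression
_hs = (b"\x03\x01" + b"\x00" * 32 + b"\x00" + b"\x00\x04" + b"\x00\x2f\x00\x0a"
       + b"\x01\x00")
SAMPLE_TLS_HELLO = (b"\x16\x03\x01" + struct.pack("!H", len(_hs) + 4)
                    + b"\x01" + len(_hs).to_bytes(3, "big") + _hs)

if __name__ == "__main__":
    for name, h in [("sslv2", SAMPLE_SSLV2_HELLO),
                    ("v2compat", SAMPLE_V2COMPAT_HELLO), ("tls", SAMPLE_TLS_HELLO)]:
        print(name, classify_hello(h), "pure-v2:", is_pure_sslv2(h))
```

Run against the first bytes of a captured client-to-server stream, `is_pure_sslv2` is the condition worth alerting on: a modern client never sends version 0x0002 on its own, so seeing it at the server means either a genuinely ancient client or a downgrade in progress. The work-around in section 2 (disabling SSLv2, in OpenSSL terms `SSL_OP_NO_SSLv2`) makes the server reject exactly that hello.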
[Full-disclosure] paros proxy v3.2.5 and below blank sa password
Title: Paros proxy 3.2.5 and below blank sa database password

Summary:

Paros is an intercepting HTTP/HTTPS proxy for use in security testing
web applications. Paros version 3.2.5 and below may contain a flaw where
a remote attacker can connect to a database port opened on the machine
running Paros, without supplying any credentials. The problem stems from
use of a blank sa password on the open-source database (HSQLDB) which is
integrated with Paros. The database server (which is written in Java)
contains functionality for executing arbitrary Java statements. This is
how HSQLDB provides Stored Procedure functionality.

Impact of successful exploitation:

The issue may result in disclosure of confidential data, and possible
execution of commands on the victim machine. A remote attacker may find
credentials for web applications, valid session IDs, and confidential
data downloaded from the website being tested with Paros. This
information is present in the database. Additionally, the possibility of
executing Java statements on the database server may mean that an
attacker can gain access to files or execute commands at the OS level
(by performing the Java equivalent of a system() call). This has not
been investigated fully, but appears possible.

History:

The overall time-to-correction was EXCEEDINGLY fast:

  October 3rd 2005:  Problem discovered / reported
  October 7th 2005:  Issue re-reported via sourceforge, as mail appeared
                     lost in transit
  October 7th 2005:  Paros developer releases updated version where DB
                     listens on localhost only

Countermeasures:

Upgrade to version 3.2.6. Firewall the host running Paros.

Demonstration:

To demonstrate this, first start Paros on the victim host (here,
192.168.0.1). On the attacking host, ensure HSQLDB is installed, and add
the following lines to the file $HOME/sqltool.rc on the attacking host:

  # connect to victimhost as sa, victimhost has IP 192.168.0.1
  urlid victimhost-sa
  url: jdbc:hsqldb:hsql://192.168.0.1
  username sa
  password

To connect using the victimhost-sa block above run:

  java -jar $HSQLDB_HOME/jsqldb.jar victimhost-sa

At this point, it is possible to pull data from the tables in the
database (browsing state, history, credentials). The page at
http://hsqldb.org/doc/guide/ch09.html#call-section also states it is
possible to execute Java statements by writing them in the format
java.lang.Math.sqrt(2.0).

Andrew Christensen
FortConsult ApS
Tranevej 16-18
2400 København NV
tel. (+45) 7020 7525
www.fortconsult.net

FortConsult is the first in Scandinavia to have been certified by VISA
and MasterCard to perform security reviews of companies' critical
payment systems.
FortConsult is the only Scandinavian firm certified by VISA to perform
security audits on critical card-payment systems.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
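The fix the developer shipped (DB listens on localhost only) is easy to verify from the Paros host itself, and the same check catches any other embedded database a testing tool leaves exposed. The following is an added example, not part of the advisory and not Paros or HSQLDB code, that scans `ss -ltnp` output for LISTEN sockets bound to a wildcard or routable address on the ports of interest. The port 9001 is an assumption (HSQLDB's documented default server port; the advisory names no port), and the `ss` output below is constructed for the example, not captured from a real host.

```python
"""Added example (not from the Paros advisory or the Paros/HSQLDB projects):
flag listening sockets bound to non-loopback addresses in `ss -ltnp` output.
The sample output below is constructed, not captured."""
import ipaddress
import re
from typing import Tuple

# Assumption: HSQLDB's documented default server port, which is what Paros
# embeds; the advisory itself does not name a port number.
HSQLDB_DEFAULT_PORT = 9001
PAROS_PROXY_PORT = 8080   # assumption: the Paros proxy listener itself

_PROC_RE = re.compile(r'\(\("([^"]+)"')   # first process name in users:(("java",pid=...))


def split_local(local: str) -> Tuple[str, int]:
    """Split 'addr:port' as ss prints it, including '[::]:9001' and '*:9001'."""
    addr, _, port = local.rpartition(":")
    return addr.strip("[]"), int(port)


def is_exposed(addr: str) -> bool:
    """True for a wildcard or routable bind address, False for loopback."""
    if addr in ("*", "", "0.0.0.0", "::"):
        return True
    try:
        return not ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return True   # unparsable: treat as exposed so a human reviews it


def exposed_listeners(lines, ports=(HSQLDB_DEFAULT_PORT,)):
    """Return (addr, port, process) for LISTEN sockets on `ports` bound off loopback."""
    found = []
    for line in lines:
        cols = line.split()
        # ss -ltnp columns: State Recv-Q Send-Q Local:Port Peer:Port Process
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        addr, port = split_local(cols[3])
        if port not in ports or not is_exposed(addr):
            continue
        m = _PROC_RE.search(line)
        found.append((addr, port, m.group(1) if m else "?"))
    return found


# constructed `ss -ltnp` output for a host running an unpatched Paros
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      50     0.0.0.0:9001        0.0.0.0:*         users:(("java",pid=4242,fd=12))
LISTEN 0      50     [::]:9001           [::]:*            users:(("java",pid=4242,fd=13))
LISTEN 0      128    127.0.0.1:8080      0.0.0.0:*         users:(("java",pid=4242,fd=14))
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=811,fd=3))
""".splitlines()

if __name__ == "__main__":
    hits = exposed_listeners(SAMPLE_SS_OUTPUT, (HSQLDB_DEFAULT_PORT, PAROS_PROXY_PORT))
    for addr, port, proc in hits:
        print(f"exposed: {proc} listening on {addr}:{port}")
```

On a live host pipe `ss -ltnp` into `exposed_listeners(sys.stdin.read().splitlines())`; after upgrading to 3.2.6 the 9001 listener should only appear on 127.0.0.1 (or ::1), and the function should return nothing for that port. A host firewall, the advisory's other countermeasure, does not change what `ss` shows, so verify it separately.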
[Full-disclosure] Cisco Security Advisory:Cisco 11500 Content Services Switch SSL Malformed Client Certificate Vulnerability
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Cisco Security Advisory: Cisco 11500 Content Services Switch SSL
Malformed Client Certificate Vulnerability
====================================================================

Document ID: 67919
Revision 1.0
For Public Release 2005 October 19 1600 UTC (GMT)

Contents
========

    Summary
    Affected Products
    Details
    Impact
    Software Versions and Fixes
    Obtaining Fixed Software
    Workarounds
    Exploitation and Public Announcements
    Status of This Notice: FINAL
    Distribution
    Revision History
    Cisco Security Procedures

Summary
=======

Cisco CSS 11500 Series Content Services Switches (CSS) configured with
Secure Socket Layer (SSL) termination services are vulnerable to a
Denial of Service (DoS) attack when processing malformed client
certificates.

Cisco has made free software available to address this vulnerability.
There are workarounds available to mitigate the effects of the
vulnerability.

This advisory is posted at
http://www.cisco.com/warp/public/707/cisco-sa-20051019-css.shtml

Affected Products
=================

Vulnerable Products
+------------------

Cisco CSS 11500 Series Content Services Switches running the following
versions of the Cisco WebNS operating system:

  * 7.1
  * 7.2
  * 7.3
  * 7.4
  * 7.5

The version of Cisco WebNS running on a CSS can be determined by running
the following command:

  # show version

Products Confirmed Not Vulnerable
+--------------------------------

Cisco CSS 11000 Series Content Services Switches

No other Cisco products are currently known to be affected by these
vulnerabilities.

Details
=======

The Cisco CSS 11500 Content Service Switch is a load balancing device
designed to provide robust, scalable network services (Layer 4-7) for
data centers. The Cisco CSS 11500 performs an analysis of protocol
headers and directs requests to an appropriate resource based on
configurable policies. With integrated SSL modules, a Cisco CSS 11500
can simplify the management of digital certificates and provide SSL
acceleration services to optimize performance.

A Cisco CSS 11500 may reload due to a memory corruption issue when
presented with a malformed digital client certificate during the
negotiation of a SSL session. This condition is present even if the CSS
did not request a client certificate during SSL session negotiations.

This vulnerability is only present if a CSS is configured to support SSL
termination services. SSL termination services are not configured by
default. Users can determine if SSL termination services are configured
on a CSS by performing the following steps.

  * View the current running configuration:

      # show running-config

  * In the Services section of the configuration, users can find
    enabled SSL termination services. An example of an enabled SSL
    termination service called ssl-serv1 will look similar to the
    following. The type command with the option ssl-accel or
    ssl-accel-backend indicates that the service is associated with a
    SSL module, and the active command signifies that a SSL termination
    service is enabled.

      service ssl-serv1
        type ssl-accel
        slot 3
        keepalive type none
        add ssl-proxy-list ssl list1
        active

The vulnerability is documented in the following Cisco Bug ID:

  * CSCee64771 (registered customers only) -- CSS running SSL may crash
    with malformed client certificates

Impact
======

Successful exploitation of the vulnerability may result in the immediate
reload of the device. Repeated exploitation could result in a sustained
DoS attack.

Software Versions and Fixes
===========================

When considering software upgrades, consult
http://www.cisco.com/en/US/products/products_security_advisories_listing.html
and any subsequent advisories to determine exposure and a complete
upgrade solution.

In all cases, customers should exercise caution to be certain the
devices to be upgraded contain sufficient memory and that current
hardware and software configurations will continue to be supported
properly by the new release. If the information is not clear, contact
the Cisco Technical Assistance Center (TAC) for assistance.

  +-------+---------------------+
  | Train | Fixed Releases      |
  +-------+---------------------+
  | 7.3   | 7.30.4.02 and later |
  +-------+---------------------+
  | 7.4   | 7.40.2.02 and later |
  +-------+---------------------+
  | 7.5   | 7.50.1.03 and later |
  +-------+---------------------+

Customers running Cisco WebNS 7.10
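The two checks the advisory describes by hand (is any `ssl-accel`/`ssl-accel-backend` service `active`, and is the running WebNS release at or past the fixed one for its train) are easy to script across a fleet of `show running-config` dumps. The following is an added example, not Cisco code and not part of the advisory. The sample configuration is constructed for the example; the fixed-release table is copied from the advisory as printed here, which means trains 7.1 and 7.2 (whose entries are cut off on this page) deliberately return "unknown" rather than a guess. The mapping of a version string like 7.40.2.02 to train 7.4 is an assumption drawn from the advisory's own numbering.

```python
"""Added example (not part of the Cisco advisory): find active SSL termination
services in a CSS `show running-config` dump and check a WebNS version against
the fixed releases in the advisory's table. Sample config is constructed."""
import re
from typing import Dict, List, Optional, Tuple

# first fixed release per train, from the advisory table; 7.1/7.2 are cut
# off in this copy of the advisory, so they are deliberately absent
FIXED_RELEASES: Dict[str, str] = {
    "7.3": "7.30.4.02",
    "7.4": "7.40.2.02",
    "7.5": "7.50.1.03",
}
SSL_TYPES = ("ssl-accel", "ssl-accel-backend")


def parse_services(config: str) -> Dict[str, List[str]]:
    """Map each `service <name>` block to its indented body lines."""
    services: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                      # blank or comment banner
        if not raw.startswith((" ", "\t")):
            m = re.match(r"service\s+(\S+)$", raw.strip())
            current = m.group(1) if m else None
            if current:
                services[current] = []
            continue
        if current:
            services[current].append(raw.strip())
    return services


def ssl_termination_services(config: str) -> List[str]:
    """Names of services with `type ssl-accel[-backend]` that are `active`."""
    hits = []
    for name, body in parse_services(config).items():
        types = [ln.split()[1] for ln in body
                 if ln.startswith("type ") and len(ln.split()) > 1]
        if any(t in SSL_TYPES for t in types) and "active" in body:
            hits.append(name)
    return hits


def version_tuple(v: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))


def train_of(v: str) -> str:
    """'7.40.2.02' belongs to train 7.4 (assumed from the advisory's numbering)."""
    major, minor = version_tuple(v)[:2]
    return f"{major}.{minor // 10}"


def is_fixed(version: str) -> Optional[bool]:
    """True/False against the table; None when the train's fix is not listed."""
    fixed = FIXED_RELEASES.get(train_of(version))
    if fixed is None:
        return None
    return version_tuple(version) >= version_tuple(fixed)


# constructed `show running-config` excerpt: one active SSL service, one
# suspended backend SSL service, one plain HTTP service
SAMPLE_CONFIG = """\
!************************** SERVICE **************************
service ssl-serv1
  type ssl-accel
  slot 3
  keepalive type none
  add ssl-proxy-list ssl_list1
  active

service ssl-back1
  type ssl-accel-backend
  slot 4
  suspend

service web1
  ip address 10.1.1.10
  keepalive type http
  active
"""

if __name__ == "__main__":
    print("active SSL termination services:", ssl_termination_services(SAMPLE_CONFIG))
    for v in ("7.30.3.05", "7.30.4.02", "7.50.1.02", "7.10.3.06"):
        state = {True: "fixed", False: "vulnerable", None: "unknown train"}[is_fixed(v)]
        print(v, state)
```

A device is exposed only when `ssl_termination_services` returns something and `is_fixed` is False; a result of None means the page's copy of the table does not cover that train and the full advisory at the URL above has to be consulted.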
[Full-disclosure] Vulnerabilities in Oracle E-Business Suite 11i - Critical Patch Update October 2005
Integrigy Security Advisory
______________________________________________________________________

Vulnerabilities in Oracle E-Business Suite 11i
Oracle Critical Patch Update - October 2005

October 18, 2005
______________________________________________________________________

Summary:

Oracle today released its fourth Critical Patch Update (October 2005).
The patches contained in the Critical Patch Update will correct numerous
security bugs in the Oracle Database, Oracle Application Server, and
Oracle E-Business Suite. Some of the vulnerabilities in the Critical
Patch Update are high risk and a few can be exploited remotely using a
web browser.

Almost all the security bugs fixed in this Critical Patch Update are
exploitable in Oracle E-Business Suite environments and the appropriate
patches should be applied as soon as possible. Patches for the Oracle
Database, Oracle Application Server, Oracle Developer 6i, and Oracle
E-Business Suite 11i must be applied -- almost all implementations will
have to apply at least 12 patches. Customers with Internet-facing
implementations of the Oracle E-Business Suite are at most risk and
should consider applying these patches quickly.

The Oracle E-Business Suite patches involved with this Critical Patch
Update are much more complex as compared to the previous CPUs and will
require additional functional testing in our opinion. In addition, the
Oracle E-Business Suite security patches are not cumulative, therefore,
all the patches specified in this CPU and previous CPUs must be applied.

Integrigy has released additional guidance to help our clients in
determining the relevance and priority of these patches for their Oracle
E-Business Suite implementations. The Integrigy analysis for this
Critical Patch Update is available at --

  http://www.integrigy.com/analysis.htm
______________________________________________________________________

For more information or questions regarding this security advisory,
please contact us at [EMAIL PROTECTED]

Integrigy has included checks for these vulnerabilities in AppSentry, a
vulnerability scanner for Oracle Applications, and AppDefend, an
application intrusion prevention system for Oracle Applications.

Credit:

Some of the vulnerabilities fixed in the Critical Patch Update October
2005 were discovered and reported to Oracle by Stephen Kost of Integrigy
Corporation.
______________________________________________________________________

About Integrigy Corporation (www.integrigy.com)

Integrigy Corporation is a leader in application security for large
enterprise, mission critical applications. Our application vulnerability
assessment tool, AppSentry, assists companies in securing their largest
and most important applications. AppDefend is an intrusion prevention
system for Oracle Applications and blocks common types of attacks
against application servers. Integrigy Consulting offers security
assessment services for leading ERP and CRM applications. For more
information, visit www.integrigy.com.
[Full-disclosure] RE: CAID 33485 - Computer Associates iGateway debug mode HTTP GET request buffer overflow vulnerability
Advisory has been updated to announce availability of iGateway updates
for all platforms.

Title: Computer Associates iGateway debug mode HTTP GET request buffer
       overflow vulnerability (v1.1)

CA Vulnerability ID: 33485

Discovery Date: 2005-10-06
CA Advisory Date v1.0: 2005-10-14 (initial release)
CA Advisory Date v1.1: 2005-10-19 (iGateway updates available)

Discovered By: EMendoza

Impact: Remote attacker can execute arbitrary code with SYSTEM
privileges.

Summary: The Computer Associates iGateway common component, which is
included with several CA products for UNIX/Linux/Windows platforms,
contains a buffer overflow vulnerability that could allow remote
attackers to execute arbitrary code on Windows platforms, or cause
iGateway component failure (denial of service) on UNIX and Linux. The
vulnerability is due to improper bounds checking on HTTP GET requests by
the iGateway component when debug mode is enabled.

Mitigating Factors: The potential for exploitation of this vulnerability
is very low for the following reasons.

1) A non-standard install of the iGateway component is required to
   expose this vulnerability. Typically, the embedded iGateway component
   is part of a non-interactive installation process. Consequently, most
   systems (those that utilize the default installation procedure) are
   not at risk.

2) If a non-standard install WAS performed, the iGateway component is
   still unlikely to be vulnerable to this exploit, because the flaw is
   only exposed if the component has been manually configured to run
   with diagnostic debug tracing enabled. Configuring the component to
   run in debug mode requires administrative access to configuration
   files that reside on the machine, and also requires that the iGateway
   service be stopped and restarted by someone with administrative
   service privileges. Configuring the iGateway service to operate in
   debug mode is typically performed only at the direction of Computer
   Associates support personnel who are working with a customer to
   troubleshoot potential support issues.

Severity: Computer Associates has given this vulnerability a Medium risk
rating.

Affected Technologies: Please note that the iGateway component is not a
product, but rather a component that is included with multiple products.
The iGateway component is included in the following Computer Associates
products, which are consequently potentially vulnerable. Note that
iGateway component versions less than 4.0.050615 are vulnerable to this
issue.

Business Services Optimization (BSO) Products:
  Advantage Data Transformer (ADT) R2.2
  Harvest Change Manager R7.1

BrightStor Products:
  BrightStor ARCserve Backup r11.5
  BrightStor ARCserve Backup r11.1
  BrightStor ARCserve Backup for Windows r11
  BrightStor Enterprise Backup 10.5
  BrightStor ARCserve Backup v9.01
  BrightStor ARCserve Backup Laptop Desktop r11.1
  BrightStor ARCserve Backup Laptop Desktop r11
  BrightStor Process Automation Manager r11.1
  BrightStor SAN Manager r11.1
  BrightStor SAN Manager r11.5
  BrightStor Storage Resource Manager r11.5
  BrightStor Storage Resource Manager r11.1
  BrightStor Storage Resource Manager 6.4
  BrightStor Storage Resource Manager 6.3
  BrightStor Portal 11.1

  Note to BrightStor Storage Resource Manager and BrightStor Portal
  users: In addition to the application servers where these products are
  installed, all hosts that have iSponsors deployed to them for managing
  applications like Veritas Volume Manager and Tivoli TSM are also
  affected by this vulnerability.

eTrust Products:
  eTrust Audit 1.5 SP2 (iRecorders and ARIES)
  eTrust Audit 1.5 SP3 (iRecorders and ARIES)
  eTrust Audit 8.0 (iRecorders and ARIES)
  eTrust Admin 8.0
  eTrust Admin 8.1
  eTrust Identity Minder 8.0
  eTrust Secure Content Manager (SCM) R8
  eTrust Web Service Security R8
  eTrust Integrated Threat Management (ITM) R8

Unicenter Products:
  Unicenter CA Web Services Distributed Management R11
  Unicenter AutoSys JM R11
  Unicenter Management for WebLogic / Management for WebSphere R11
  Unicenter Service Delivery R11
  Unicenter Service Level Management (USLM) R11
  Unicenter Application Performance Monitor R11
  Unicenter Service Desk R11
  Unicenter Service Desk Knowledge Tools R11
  Unicenter Service Fulfillment 2.2
  Unicenter Service Fulfillment R11
  Unicenter Asset Portfolio Management R11
  Unicenter Service Matrix Analysis R11
  Unicenter Service Catalog/Fulfillment/Accounting R11
  Unicenter MQ Management R11
  Unicenter Application Server Management R11
  Unicenter Web Server Management R11
  Unicenter Exchange Management R11

Status and Recommendation: iGateway updates that address this
vulnerability are available for all affected platforms (Win32, Sun, AIX,
HP-UX, Linux). Download the appropriate update(s), dated 10/17/2005 or
later, at the link below.

  ftp://ftp.ca.com/pub/iTech/downloads/

If you cannot install the update at this time, then we strongly
recommend that you utilize the procedural solution below. As an
immediate and completely effective
[Full-disclosure] [SECURITY] [DSA 866-1] New Mozilla packages fix several vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 866-1                       [EMAIL PROTECTED]
http://www.debian.org/security/                             Martin Schulze
October 20th, 2005                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : mozilla
Vulnerability  : several
Problem type   : remote
Debian-specific: no
CVE IDs        : CAN-2005-2871 CAN-2005-2701 CAN-2005-2702 CAN-2005-2703
                 CAN-2005-2704 CAN-2005-2705 CAN-2005-2706 CAN-2005-2707
                 CAN-2005-2968
Debian Bug     : 327366 329778

Several security-related problems have been discovered in Mozilla and
derived programs. The Common Vulnerabilities and Exposures project
identifies the following problems:

CAN-2005-2871

    Tom Ferris discovered a bug in the IDN hostname handling of Mozilla
    that allows remote attackers to cause a denial of service and
    possibly execute arbitrary code via a hostname with dashes.

CAN-2005-2701

    A buffer overflow allows remote attackers to execute arbitrary code
    via an XBM image file that ends in a large number of spaces instead
    of the expected end tag.

CAN-2005-2702

    Mats Palmgren discovered a buffer overflow in the Unicode string
    parser that allows specially crafted unicode sequences to overflow
    a buffer and cause arbitrary code to be executed.

CAN-2005-2703

    Remote attackers could spoof HTTP headers of XML HTTP requests via
    XMLHttpRequest and possibly use the client to exploit
    vulnerabilities in servers or proxies.

CAN-2005-2704

    Remote attackers could spoof DOM objects via an XBL control that
    implements an internal XPCOM interface.

CAN-2005-2705

    Georgi Guninski discovered an integer overflow in the JavaScript
    engine that might allow remote attackers to execute arbitrary code.

CAN-2005-2706

    Remote attackers could execute Javascript code with chrome
    privileges via an about: page such as about:mozilla.

CAN-2005-2707

    Remote attackers could spawn windows without user interface
    components such as the address and status bar that could be used to
    conduct spoofing or phishing attacks.

CAN-2005-2968

    Peter Zelezny discovered that shell metacharacters are not properly
    escaped when they are passed to a shell script and allow the
    execution of arbitrary commands, e.g. when a malicious URL is
    automatically copied from another program into Mozilla as default
    browser.

For the stable distribution (sarge) these problems have been fixed in
version 1.7.8-1sarge3.

For the unstable distribution (sid) these problems have been fixed in
version 1.7.12-1.

We recommend that you upgrade your mozilla package.

Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge3.dsc
      Size/MD5 checksum:     1123 8bcf5da1d244d5793c6848126887cb6e
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge3.diff.gz
      Size/MD5 checksum:   410904 c6a4dc4aa262b71eb3e2f927ccba5be0
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8.orig.tar.gz
      Size/MD5 checksum: 30589520 13c0f0331617748426679e8f2e9f537a

  Alpha architecture:

    http://security.debian.org/pool/updates/main/m/mozilla/libnspr-dev_1.7.8-1sarge3_alpha.deb
      Size/MD5 checksum:   168068 0f0d0d688c3ab7cc560f8fd9d6c25d42
    http://security.debian.org/pool/updates/main/m/mozilla/libnspr4_1.7.8-1sarge3_alpha.deb
      Size/MD5 checksum:   141750 2ae997e1246b9b1622206b501bea6600
    http://security.debian.org/pool/updates/main/m/mozilla/libnss-dev_1.7.8-1sarge3_alpha.deb
      Size/MD5 checksum:   184954 4abf2c0225afacf0aa1e1ba3dd800f4b
    http://security.debian.org/pool/updates/main/m/mozilla/libnss3_1.7.8-1sarge3_alpha.deb
      Size/MD5 checksum:   851320 2322e9672808b8dbd61ce546c34ae48d
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge3_alpha.deb
      Size/MD5 checksum:     1034 ccbb5b52c82a76d6068fb1e566cfc0e8
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-browser_1.7.8-1sarge3_alpha.deb
      Size/MD5 checksum: 11473888 416d49672810722e9d6a4744ba720801
    http://security.debian.org/pool/updates/main/m/mozilla/mozilla-calendar_1.7.8-1sarge3_alpha.deb
      Size/MD5
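Both the SUSE advisory (section 4, "verify their integrity") and this Debian advisory publish a package list with MD5 digests for the manual-download path, in two slightly different layouts. The following is an added example, not part of either advisory and not SUSE, Debian or rpm/dpkg tooling, that parses both layouts into (filename, size, digest) entries and verifies downloaded files against them. The sample list is copied from the two advisories above (including SUSE's one truncated digest, which the parser skips rather than guesses); the file contents in the usage and test are constructed. The digest is what these 2005 advisories publish, so it only detects corruption or substitution of the file; what makes the list itself trustworthy is the PGP signature over the advisory, which is the check each advisory's authenticity section asks for.

```python
"""Added example (not from the SUSE or Debian advisories): parse the package
checksum lists both advisories publish and verify downloaded files against
them. SAMPLE_LIST is copied from the page; test file contents are constructed."""
import hashlib
import os
import re
from typing import List, NamedTuple, Optional, Tuple


class Entry(NamedTuple):
    filename: str
    size: Optional[int]   # Debian lists a size, SUSE does not
    md5: str


# SUSE form:   <url> <md5>
# Debian form: <url> Size/MD5 checksum: <size> <md5>
_ENTRY_RE = re.compile(
    r"(?P<url>(?:ftp|https?)://\S+)\s+"
    r"(?:Size/MD5 checksum:\s+(?P<size>\d+)\s+)?"
    r"(?P<md5>[0-9a-f]{32})\b")


def parse_checksum_list(text: str) -> List[Entry]:
    """Extract (filename, size, md5) triples; an entry whose digest is damaged
    (e.g. a truncated hex string) does not match and is skipped, never guessed."""
    out = []
    for m in _ENTRY_RE.finditer(text):
        size = int(m.group("size")) if m.group("size") else None
        out.append(Entry(m.group("url").rsplit("/", 1)[-1], size, m.group("md5")))
    return out


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def verify_bytes(data: bytes, size: Optional[int], md5: str) -> Tuple[bool, str]:
    """Check the size first (cheap, and catches truncated downloads), then the
    digest. MD5 is what these advisories publish; it detects corruption, while
    the PGP signature over the advisory is what authenticates the list."""
    if size is not None and len(data) != size:
        return False, f"size mismatch: expected {size}, got {len(data)}"
    actual = md5_hex(data)
    if actual != md5.lower():
        return False, f"md5 mismatch: expected {md5}, got {actual}"
    return True, "ok"


def verify_downloads(text: str, directory: str) -> List[Tuple[str, bool, str]]:
    """Verify every listed file against its copy in `directory`."""
    results = []
    for e in parse_checksum_list(text):
        path = os.path.join(directory, e.filename)
        if not os.path.isfile(path):
            results.append((e.filename, False, "missing"))
            continue
        with open(path, "rb") as fh:
            ok, why = verify_bytes(fh.read(), e.size, e.md5)
        results.append((e.filename, ok, why))
    return results


# entries taken from the two advisories above, in their original layouts;
# the second SUSE digest is the truncated one printed on the page
SAMPLE_LIST = """\
ftp://ftp.suse.com/pub/suse/i386/update/10.0/rpm/i586/openssl-0.9.7g-2.2.i586.rpm
  e3327b60cd67e05c69fbad39787dccc9
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/openssl-devel-0.9.7d-25.2.i586.rpm
  3489d04736d818da68ef83d148aa
http://security.debian.org/pool/updates/main/m/mozilla/mozilla_1.7.8-1sarge3.dsc
  Size/MD5 checksum:     1123 8bcf5da1d244d5793c6848126887cb6e
"""

if __name__ == "__main__":
    for e in parse_checksum_list(SAMPLE_LIST):
        print(e)
    # constructed content: the RFC 1321 test vector "abc"
    print(verify_bytes(b"abc", 3, md5_hex(b"abc")))
    print(verify_downloads(SAMPLE_LIST, "."))
```

Paste the whole advisory text in as `text` and point `directory` at the download location; anything reported as `missing` or with a mismatch should not be handed to `rpm -Fhv` or `dpkg -i`.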