05.20.2009

VU#710316: NSD vulnerable to one-byte overflow

Vulnerability Note VU#710316

NSD vulnerable to one-byte overflow

Overview

A vulnerability exists in the way NSD processes certain types of packets that may lead to a one-byte buffer overflow.

I. Description

Name server daemon (NSD) is an open source name server developed by NLnet Labs. NSD contains an off-by-one error that can cause a one-byte buffer overflow when certain packets are processed. The vulnerability exits in the packet_read_query_section() function in packet.c in versions 3.x and in the process_query_section() function in query.c in versions 2.x.

Note that this issue affects NSD versions 2.0.0 through 3.2.1.

II. Impact

A remote, unauthenticated attacker may be able to cause the DNS software to crash resulting in a denial-of-service condition.

III. Solution

Apply patch



NLnet Labs has released NSD version 3.2.2 and patches for versions 3.2.1 and 2.3.7. More information and links to these patches can be found in NLnet Labs NSD Announcement.



Users are encouraged to check with their vendor to determine the appropriate patch or update to apply.


Systems Affected

VendorStatusDate NotifiedDate Updated
3com, Inc.Unknown2009-05-192009-05-19
ACCESSUnknown2009-05-192009-05-19
Alcatel-LucentUnknown2009-05-192009-05-19
Apple Computer, Inc.Not Vulnerable2009-05-192009-05-20
AT&TUnknown2009-05-192009-05-19
Avaya, Inc.Unknown2009-05-192009-05-19
Barracuda NetworksUnknown2009-05-192009-05-19
Belkin, Inc.Unknown2009-05-192009-05-19
Borderware TechnologiesUnknown2009-05-192009-05-19
BroUnknown2009-05-192009-05-19
Charlotte's Web NetworksUnknown2009-05-192009-05-19
Check Point Software TechnologiesUnknown2009-05-192009-05-19
Cisco Systems, Inc.Unknown2009-05-192009-05-19
ClavisterUnknown2009-05-192009-05-19
Computer AssociatesNot Vulnerable2009-05-192009-05-22
Computer Associates eTrust Security ManagementNot Vulnerable2009-05-192009-05-22
Conectiva Inc.Unknown2009-05-192009-05-19
Cray Inc.Not Vulnerable2009-05-192009-05-20
Debian GNU/LinuxVulnerable2009-05-192009-05-20
DragonFly BSD ProjectUnknown2009-05-192009-05-19
EMC CorporationUnknown2009-05-192009-05-19
Engarde Secure LinuxUnknown2009-05-192009-05-19
Enterasys NetworksUnknown2009-05-192009-05-19
EricssonNot Vulnerable2009-05-192009-05-20
eSoft, Inc.Unknown2009-05-192009-05-19
Extreme NetworksNot Vulnerable2009-05-192009-05-22
F5 Networks, Inc.Unknown2009-05-192009-05-19
Fedora ProjectUnknown2009-05-192009-05-19
Force10 Networks, Inc.Unknown2009-05-192009-05-19
Fortinet, Inc.Unknown2009-05-192009-05-19
Foundry Networks, Inc.Unknown2009-05-192009-05-19
FreeBSD, Inc.Unknown2009-05-192009-05-19
Gentoo LinuxNot Vulnerable2009-05-192009-05-22
Global Technology AssociatesUnknown2009-05-192009-05-19
Hewlett-Packard CompanyUnknown2009-05-192009-05-19
HitachiUnknown2009-05-192009-05-19
IBM CorporationUnknown2009-05-192009-05-19
IBM eServerUnknown2009-05-192009-05-19
Internet Security Systems, Inc.Unknown2009-05-192009-05-19
IntotoUnknown2009-05-192009-05-19
IP FilterUnknown2009-05-192009-05-19
Juniper Networks, Inc.Unknown2009-05-192009-05-19
Luminous NetworksUnknown2009-05-192009-05-19
m0n0wallUnknown2009-05-192009-05-19
Mandriva S. A.Unknown2009-05-192009-05-19
McAfeeUnknown2009-05-192009-05-19
MontaVista Software, Inc.Unknown2009-05-192009-05-19
Multitech, Inc.Unknown2009-05-192009-05-19
NEC CorporationUnknown2009-05-192009-05-19
NetAppUnknown2009-05-192009-05-19
NetBSDUnknown2009-05-192009-05-19
netfilterUnknown2009-05-192009-05-19
NLnet LabsUnknown2009-05-282009-05-28
NokiaUnknown2009-05-192009-05-19
Nortel Networks, Inc.Unknown2009-05-192009-05-19
Novell, Inc.Unknown2009-05-192009-05-19
OpenBSDUnknown2009-05-192009-05-19
Openwall GNU/*/LinuxUnknown2009-05-192009-05-19
PePLinkNot Vulnerable2009-05-192009-05-20
Process SoftwareUnknown2009-05-192009-05-19
Q1 LabsNot Vulnerable2009-05-192009-06-01
QNX, Software Systems, Inc.Unknown2009-05-192009-05-19
QuaggaUnknown2009-05-192009-05-19
RadWare, Inc.Unknown2009-05-192009-05-19
Red Hat, Inc.Not Vulnerable2009-05-192009-05-20
Redback Networks, Inc.Unknown2009-05-192009-05-19
SafeNetNot Vulnerable2009-05-192009-05-22
Secureworx, Inc.Unknown2009-05-192009-05-19
Silicon Graphics, Inc.Unknown2009-05-192009-05-19
Slackware Linux Inc.Unknown2009-05-192009-05-19
SmoothWallUnknown2009-05-192009-05-19
SnortUnknown2009-05-192009-05-19
Soapstone NetworksUnknown2009-05-192009-05-19
Sony CorporationUnknown2009-05-192009-05-19
SourcefireUnknown2009-05-192009-05-19
StonesoftUnknown2009-05-192009-05-19
Sun Microsystems, Inc.Not Vulnerable2009-05-192009-05-20
SUSE LinuxUnknown2009-05-192009-05-19
SymantecUnknown2009-05-192009-05-19
The SCO GroupNot Vulnerable2009-05-192009-05-20
TippingPoint, Technologies, Inc.Unknown2009-05-192009-05-19
TurbolinuxUnknown2009-05-192009-05-19
U4EA Technologies, Inc.Unknown2009-05-192009-05-19
UbuntuUnknown2009-05-192009-05-19
UnisysUnknown2009-05-192009-05-19
VyattaUnknown2009-05-192009-05-19
Watchguard Technologies, Inc.Unknown2009-05-192009-05-19
Wind River Systems, Inc.Unknown2009-05-192009-05-19
ZyXELUnknown2009-05-192009-05-19

References



http://www.nlnetlabs.nl/publications/NSD_vulnerability_announcement.html

Credit

This issue was reported in NLnet Labs NSD Announcement.

This document was written by Chris Taschner.

Other Information

Date Public:2009-05-18
Date First Published:2009-05-20
Date Last Updated:2009-06-01
CERT Advisory: 
CVE-ID(s): 
NVD-ID(s): 
US-CERT Technical Alerts: 
Metric:8.40
Document Revision:10
Tags: buffer overflow, nsd, one-byte, packet.c, packet_reqd_query_section, qname Categories: Forensics and Security
05.18.2009

VU#853097: ntpd autokey stack buffer overflow

Vulnerability Note VU#853097

ntpd autokey stack buffer overflow

Overview

ntpd contains a stack buffer overflow, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system or create a denial of service.

I. Description

NTP (Network Time Protocol) is a method by which client machines can synchronize the local date and time with a reference server. ntpd, which is the NTP daemon, contains a stack buffer overflow when it is compiled with OpenSSL support. The vulnerability is caused by the use of sprintf() in the crypto_recv() function in ntpd/ntp_crypto.c. The vulnerable code is reachable if ntpd is configured to use autokey. This vulnerable configuration is indicated by a crypto pw password line in the ntp.conf file, where password is the password that has been configured.

II. Impact

A remote, unauthenticated attacker may be able to execute arbitrary code with the privileges of the ntpd daemon.

III. Solution

Apply an update

This issue is addressed in ntp 4.2.4p7 and 4.2.5p74.





Disable autokey



This vulnerability can be mitigated by removing the crypto pw passwordline from the ntp.conf file.

Systems Affected

VendorStatusDate NotifiedDate Updated
Apple Computer, Inc.Unknown2009-05-062009-05-06
Conectiva Inc.Unknown2009-05-062009-05-06
Cray Inc.Not Vulnerable2009-05-062009-05-08
Debian GNU/LinuxVulnerable2009-05-062009-05-11
DragonFly BSD ProjectNot Vulnerable2009-05-062009-05-07
EMC CorporationUnknown2009-05-062009-05-06
Engarde Secure LinuxUnknown2009-05-062009-05-06
F5 Networks, Inc.Unknown2009-05-062009-05-06
Fedora ProjectUnknown2009-05-062009-05-06
FreeBSD, Inc.Vulnerable2009-05-062009-05-15
FujitsuUnknown2009-05-062009-05-06
Gentoo LinuxVulnerable2009-05-072009-05-20
Hewlett-Packard CompanyUnknown2009-05-062009-05-06
HitachiUnknown2009-05-062009-05-06
IBM CorporationUnknown2009-05-062009-05-06
IBM Corporation (zseries)Unknown2009-05-062009-05-06
IBM eServerUnknown2009-05-062009-05-06
Ingrian Networks, Inc.Unknown2009-05-062009-05-06
Juniper Networks, Inc.Not Vulnerable2009-05-062009-05-15
Mandriva S. A.Unknown2009-05-062009-05-06
Microsoft CorporationNot Vulnerable2009-05-062009-05-07
MontaVista Software, Inc.Unknown2009-05-062009-05-06
NEC CorporationUnknown2009-05-062009-05-06
NokiaUnknown2009-05-062009-05-06
Novell, Inc.Unknown2009-05-062009-05-06
Openwall GNU/*/LinuxUnknown2009-05-062009-05-06
QNX, Software Systems, Inc.Unknown2009-05-062009-05-06
Red Hat, Inc.Vulnerable2009-05-062009-05-18
SafeNetNot Vulnerable2009-05-122009-05-15
Silicon Graphics, Inc.Unknown2009-05-062009-05-06
Slackware Linux Inc.Unknown2009-05-062009-05-06
Sony CorporationUnknown2009-05-062009-05-06
Sun Microsystems, Inc.Unknown2009-05-062009-05-13
SUSE LinuxVulnerable2009-05-062009-07-31
The SCO GroupNot Vulnerable2009-05-062009-05-12
TurbolinuxUnknown2009-05-062009-05-06
UbuntuVulnerable2009-05-062009-05-20
UnisysUnknown2009-05-062009-05-06
Wind River Systems, Inc.Unknown2009-05-062009-05-06

References



http://www.ntp.org/downloads.html

https://rhn.redhat.com/errata/RHSA-2009-1039.html

http://www.ubuntu.com/usn/usn-777-1

http://bugs.gentoo.org/show_bug.cgi?id=268962

http://xorl.wordpress.com/2009/06/10/freebsd-sa-0911-ntpd-remote-stack-based-buffer-overflows/

Credit

This vulnerability was reported by Harlan Stenn of the NTP Forum at ISC (ntpforum.isc.org), who in turn credits Chris Ries of CMU.

This document was written by Will Dormann.

Other Information

Date Public:2009-05-18
Date First Published:2009-05-18
Date Last Updated:2009-07-31
CERT Advisory: 
CVE-ID(s):CVE-2009-1252
NVD-ID(s):CVE-2009-1252
US-CERT Technical Alerts: 
Metric:9.45
Document Revision:31
Tags: autokey, buffer overflow, ntpd, openssl, sprintf Categories: Forensics and Security
05.18.2009

VU#853097: ntpd autokey stack buffer overflow

Vulnerability Note VU#853097

ntpd autokey stack buffer overflow

Overview

ntpd contains a stack buffer overflow, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system or create a denial of service.

I. Description

NTP (Network Time Protocol) is a method by which client machines can synchronize the local date and time with a reference server. ntpd, which is the NTP daemon, contains a stack buffer overflow when it is compiled with OpenSSL support. The vulnerability is caused by the use of sprintf() in the crypto_recv() function in ntpd/ntp_crypto.c. The vulnerable code is reachable if ntpd is configured to use autokey. This vulnerable configuration is indicated by a crypto pw password line in the ntp.conf file, where password is the password that has been configured.

II. Impact

A remote, unauthenticated attacker may be able to execute arbitrary code with the privileges of the ntpd daemon.

III. Solution

Apply an update

This issue is addressed in ntp 4.2.4p7 and 4.2.5p74.





Disable autokey



This vulnerability can be mitigated by removing the crypto pw passwordline from the ntp.conf file.

Systems Affected

VendorStatusDate NotifiedDate Updated
Apple Computer, Inc.Unknown2009-05-062009-05-06
Conectiva Inc.Unknown2009-05-062009-05-06
Cray Inc.Not Vulnerable2009-05-062009-05-08
Debian GNU/LinuxVulnerable2009-05-062009-05-11
DragonFly BSD ProjectNot Vulnerable2009-05-062009-05-07
EMC CorporationUnknown2009-05-062009-05-06
Engarde Secure LinuxUnknown2009-05-062009-05-06
F5 Networks, Inc.Unknown2009-05-062009-05-06
Fedora ProjectUnknown2009-05-062009-05-06
FreeBSD, Inc.Vulnerable2009-05-062009-05-15
FujitsuUnknown2009-05-062009-05-06
Gentoo LinuxVulnerable2009-05-072009-05-20
Hewlett-Packard CompanyUnknown2009-05-062009-05-06
HitachiUnknown2009-05-062009-05-06
IBM CorporationUnknown2009-05-062009-05-06
IBM Corporation (zseries)Unknown2009-05-062009-05-06
IBM eServerUnknown2009-05-062009-05-06
Ingrian Networks, Inc.Unknown2009-05-062009-05-06
Juniper Networks, Inc.Not Vulnerable2009-05-062009-05-15
Mandriva S. A.Unknown2009-05-062009-05-06
Microsoft CorporationNot Vulnerable2009-05-062009-05-07
MontaVista Software, Inc.Unknown2009-05-062009-05-06
NEC CorporationUnknown2009-05-062009-05-06
NokiaUnknown2009-05-062009-05-06
Novell, Inc.Unknown2009-05-062009-05-06
Openwall GNU/*/LinuxUnknown2009-05-062009-05-06
QNX, Software Systems, Inc.Unknown2009-05-062009-05-06
Red Hat, Inc.Vulnerable2009-05-062009-05-18
SafeNetNot Vulnerable2009-05-122009-05-15
Silicon Graphics, Inc.Unknown2009-05-062009-05-06
Slackware Linux Inc.Unknown2009-05-062009-05-06
Sony CorporationUnknown2009-05-062009-05-06
Sun Microsystems, Inc.Unknown2009-05-062009-05-13
SUSE LinuxUnknown2009-05-062009-05-06
The SCO GroupNot Vulnerable2009-05-062009-05-12
TurbolinuxUnknown2009-05-062009-05-06
UbuntuVulnerable2009-05-062009-05-20
UnisysUnknown2009-05-062009-05-06
Wind River Systems, Inc.Unknown2009-05-062009-05-06

References



http://www.ntp.org/downloads.html

https://rhn.redhat.com/errata/RHSA-2009-1039.html

http://www.ubuntu.com/usn/usn-777-1

http://bugs.gentoo.org/show_bug.cgi?id=268962

http://xorl.wordpress.com/2009/06/10/freebsd-sa-0911-ntpd-remote-stack-based-buffer-overflows/

Credit

This vulnerability was reported by Harlan Stenn of the NTP Forum at ISC (ntpforum.isc.org), who in turn credits Chris Ries of CMU.

This document was written by Will Dormann.

Other Information

Date Public:2009-05-18
Date First Published:2009-05-18
Date Last Updated:2009-06-11
CERT Advisory: 
CVE-ID(s):CVE-2009-1252
NVD-ID(s):CVE-2009-1252
US-CERT Technical Alerts: 
Metric:9.45
Document Revision:30
Tags: autokey, buffer overflow, ntpd, openssl, sprintf Categories: Forensics and Security
03.19.2009

VU#276563: Autonomy KeyView SDK buffer overflow vulnerability

Vulnerability Note VU#276563

Autonomy KeyView SDK buffer overflow vulnerability

Overview

Autonomy KeyView SDK contains a buffer overflow vulnerability that may allow an attacker to execute arbitrary code.

I. Description

Autonomy KeyView SDK is a commercial software development kit (SDK) that includes file filtering libraries. A vulnerability exists in the way the SDK libraries process specially crafted WordPerfect documents. According to iDefense:

This vulnerability exists within the "wp6sr.dll," which implements the processing of WordPerfect documents. When processing certain records, data is copied from the file into a fixed-size stack buffer without ensuring that enough space is available. By overflowing the buffer, an attacker can overwrite control flow structures stored on the stack.



Note that this issue affects products that use Autonomy KeyView SDK. These include IBM Lotus Notes and Symantec products.

II. Impact

An unauthenticated attacker may be able to execute arbitrary code or cause a vulnerable system to crash.

III. Solution

Apply updates



Developers should contact Autonomy KeyView support for information on how to obtain updated software that addresses this issue.



IBM Lotus Notes has released an alert to address this issue.



Symantec has released SYM09-004 to address this issue.


Systems Affected

VendorStatusDate NotifiedDate Updated
AutonomyVulnerable2009-03-19
IBM CorporationVulnerable2009-03-19
SymantecVulnerable2009-03-19

References



http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=774

https://customers.autonomy.com/support/login.jsp?notLoggedIn=true&origURL=%2Fsecure%2Fdocs%2FUpdates%2FKeyview%2FFilter+SDK%2F10.4%2Fkv_update_nti40_10.4.zip.readme.html

http://www-01.ibm.com/support/docview.wss?uid=swg21377573

http://secunia.com/advisories/34307/

http://securityresponse.symantec.com/avcenter/security/Content/2009.03.17a.html

http://secunia.com/advisories/34318/

Credit

This issue was made public by iDefense.

This document was written by Chris Taschner.

Other Information

Date Public:2009-03-17
Date First Published:2009-03-19
Date Last Updated:2009-04-30
CERT Advisory: 
CVE-ID(s):CVE-2008-4564
NVD-ID(s):CVE-2008-4564
US-CERT Technical Alerts: 
Metric:6.00
Document Revision:9
Tags: buffer overflow, denial of service, dos, keyview module, symantec Categories: Forensics and Security
02.20.2009

VU#905281: Adobe Reader and Acrobat JBIG2 buffer overflow vulnerability

Vulnerability Note VU#905281

Adobe Reader and Acrobat JBIG2 buffer overflow vulnerability

Overview

Adobe Reader and Acrobat contain a buffer overflow vulnerability that may allow an attacker to execute arbitrary code.

I. Description

Adobe Acrobat Reader is software designed to view Portable Document Format (PDF) files. Adobe also distributes the Adobe Acrobat Plug-In to allow users to view PDF files inside of a web browser. Adobe Reader and Acrobat contain a buffer overflow vulnerability in the handling of JBIG2 streams.

Exploit code for this vulnerability is publicly available.

II. Impact

By convincing a user to open a malicious PDF file, an attacker may be able to execute code or cause a vulnerable PDF viewer to crash. The PDF could be emailed as an attachment or hosted on a website.

III. Solution

Apply an update

This issue is addressed in Adobe Reader and Acrobat versions 9.1, 8.1.4, and 7.1.1. More details are available in Adobe Security Bulletin APSB09-03 and APSB09-04.





Disable JavaScript in Adobe Reader and Acrobat



Disabling JavaScript may prevent this vulnerability from being exploited. Acrobat JavaScript can be disabled in the General preferences dialog (Edit -> Preferences -> JavaScript and un-check Enable Acrobat JavaScript). Note that this will not block the vulnerability. Adobe products still may crash when parsing specially crafted PDF documents. Disabling JavaScript will mitigate a common method used to achieve code execution with this vulnerability. Also note that when JavaScript is disabled in Adobe Reader, the software will prompt the user to enable JavaScript when it opens a document that uses the feature. So although JavaScript is a single click away, setting this preference can help mitigate exploits that use JavaScript. Some have reported that they have successfully achieved code execution without the use of JavaScript.



Some vendors ship JavaScript support in a separate package. Removing this package may remove JavaScript support in the Adobe PDF reader.



Prevent Internet Explorer from automatically opening PDF documents



The installer for Adobe Reader and Acrobat configures Internet Explorer to automatically open PDF files without any user interaction. This behavior can be reverted to the safer option of prompting the user by importing the following as a .REG file:
    Windows Registry Editor Version 5.00

    [HKEY_CLASSES_ROOT\AcroExch.Document.7]
    "EditFlags"=hex:00,00,00,00

Disable the displaying of PDF documents in the web browser



Preventing PDF documents from opening inside a web browser may mitigate this vulnerability. If this workaround is applied to updated versions of the Adobe reader, it may mitigate future vulnerabilities.



To prevent PDF documents from automatically being opened in a web browser:

  1. Open Adobe Acrobat Reader.
  2. Open the Edit menu.
  3. Choose the preferences option.
  4. Choose the Internet section.
  5. Un-check the "Display PDF in browser" check box.

Disable Adobe Acrobat Windows Shell integration



Adobe Acrobat and Reader integrates itself with the Windows shell. The file pdfshell.dll is used to configure Windows Explorer to launch Adobe components to render, preview, and obtain details from a PDF document, all without actually opening the PDF document itself. Windows Shell integration for Adobe Acrobat and Reader can be disabled by unregistering the pdfshell.dll by running the following command:

    regsvr32 /u "%CommonProgramFiles%\Adobe\Acrobat\ActiveX\pdfshell.dll"

Disable the Adobe Acrobat Indexing Service filter



Adobe Reader and Adobe Acrobat install an Indexing Service filter that is used to parse PDF files. These filters are provided by AcroRdIF.dll and AcroIF.dll, respectively. When an application that uses the Adobe IFilters indexes a malicious PDF document, the vulnerability may be triggered. This attack vector can be mitigated by unregistering the Adobe IFilter files.

Adobe Acrobat users should locate the Acrobat directory and run: regsvr32 /u AcroIF.dll

Adobe Reader users should locate the Adobe Reader directory and run: regsvr32 /u AcroRdIF.dll



Note: After disabling the Windows shell integration or the Indexing Service filter by unregistering the appropriate DLL, the Windows Installer MSI resiliency feature may trigger a "repair" of those features when an advertised shortcut for Adobe Reader is clicked. To prevent this from occurring, delete the Adobe Reader icon from the Windows start menu and then re-create a normal, non-advertised shortcut. More details are available in the CERT/CC Vulnerability Analysis Blog.



Do not access PDF documents from untrusted sources



Do not open unfamiliar or unexpected PDF documents, particularly those hosted on web sites or delivered as email attachments. Please see Cyber Security Tip ST04-010.

Systems Affected

VendorStatusDate NotifiedDate Updated
AdobeVulnerable2009-02-192009-03-11

References

http://www.us-cert.gov/cas/tips/ST04-010.html



http://www.cert.org/tech_tips/securing_browser/

http://www.cert.org/blogs/vuls/2009/03/windows_installer_application.html

http://www.adobe.com/support/security/advisories/apsa09-01.html

http://www.adobe.com/support/security/bulletins/apsb09-03.html

http://www.avertlabs.com/research/blog/index.php/2009/02/19/new-backdoor-attacks-using-pdf-documents/

http://jbig2.com/

http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090219

http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20090221

http://vrt-sourcefire.blogspot.com/2009/02/homebrew-patch-for-adobe-acroreader-9.html

http://secunia.com/blog/44/

http://www.milw0rm.com/exploits/8090

Credit

Thanks to Adobe for information that was used in this report.

This document was written by Will Dormann and Ryan Giobbi.

Other Information

Date Public:2009-02-19
Date First Published:2009-02-20
Date Last Updated:2009-03-18
CERT Advisory: 
CVE-ID(s):CVE-2009-0658
NVD-ID(s):CVE-2009-0658
US-CERT Technical Alerts: 
Metric:32.91
Document Revision:95
Tags: adobe, buffer overflow, pdf, vulnerability Categories: Forensics and Security

:: Next >>

free blog themes / templates