All posts by 007admin

Nagios

CVE-2013-4214

rss-newsfeed.php in Nagios Core 3.4.4, 3.5.1, and earlier, when MAGPIE_CACHE_ON is set to 1, allows local users to overwrite arbitrary files via a symlink attack on /tmp/magpie_cache. (CVSS:6.3) (Last Update:2014-03-05)

Drupal

SA-CORE-2013-003 – Drupal core – Multiple vulnerabilities

  • Advisory ID: DRUPAL-SA-CORE-2013-003
  • Project: Drupal core
  • Version: 6.x, 7.x
  • Date: 2013-November-20
  • Security risk: Highly critical
  • Exploitable from: Remote
  • Vulnerability: Multiple vulnerabilities

Description

Multiple vulnerabilities were fixed in the supported Drupal core versions 6 and 7.

Multiple vulnerabilities due to optimistic cross-site request forgery protection (Form API validation – Drupal 6 and 7)

Drupal’s form API has built-in cross-site request forgery (CSRF) validation, and also allows any module to perform its own validation on the form. In certain common cases, form validation functions may execute unsafe operations. Given that the CSRF protection is an especially important validation, the Drupal core form API has been changed in this release so that it now skips subsequent validation if the CSRF validation fails.

This vulnerability is mitigated by the fact that a form validation callback with potentially unsafe side effects must be active on the site, and none exist in core. However, issues were discovered in several popular contributed modules which allowed remote code execution that made it worthwhile to fix this issue in core. Other similar issues with varying impacts are likely to have existed in other contributed modules and custom modules and therefore will also be fixed by this Drupal core release.

Multiple vulnerabilities due to weakness in pseudorandom number generation using mt_rand() (Form API, OpenID and random password generation – Drupal 6 and 7)

Drupal core directly used the mt_rand() pseudorandom number generator for generating security related strings used in several core modules. It was found that brute force tools could determine the seeds making these strings predictable under certain circumstances.

This vulnerability has no mitigation; all Drupal sites are affected until the security update has been applied.

Code execution prevention (Files directory .htaccess for Apache – Drupal 6 and 7)

Drupal core attempts to add a “defense in depth” protection to prevent script execution by placing a .htaccess file into the files directories that stops execution of PHP scripts on the Apache web server. This protection is only necessary if there is a vulnerability on the site or on a server that allows users to upload malicious files. The configuration in the .htaccess file did not prevent code execution on certain Apache web server configurations. This release includes new configuration to prevent PHP execution on several additional common Apache configurations. If you are upgrading a site and the site is run by Apache you must fix the file manually, as described in the “Solution” section below.

This vulnerability is mitigated by the fact that it only relates to a defense in depth mechanism, and sites would only be vulnerable if they are hosted on a server which contains code that does not use protections similar to those found in Drupal’s file API to manage uploads in a safe manner.

Access bypass (Security token validation – Drupal 6 and 7)

The function drupal_valid_token() can return TRUE for invalid tokens if the caller does not make sure that the token is a string.

This vulnerability is mitigated by the fact that a contributed or custom module must invoke drupal_validate_token() with an argument that can be manipulated to not be a string by an attacker. There is currently no known core or contributed module that would suffer from this vulnerability.

Cross-site scripting (Image module – Drupal 7)

Image field descriptions are not properly sanitized before they are printed to HTML, thereby exposing a cross-site scripting vulnerability.

This vulnerability is mitigated by the fact that an attacker must have a permission to administer field descriptions, for example the “administer taxonomy” permission to edit fields on taxonomy terms.

Cross-site scripting (Color module – Drupal 7)

A cross-site scripting vulnerability was found in the Color module. A malicious attacker could trick an authenticated administrative user into visiting a page containing specific JavaScript that could lead to a reflected cross-site scripting attack via JavaScript execution in CSS.

This vulnerability is mitigated by the fact that it can only take place in older browsers, and in a restricted set of modern browsers, namely Opera through user interaction, and Internet Explorer under certain conditions.

Open redirect (Overlay module – Drupal 7)

The Overlay module displays administrative pages as a layer over the current page (using JavaScript), rather than replacing the page in the browser window. The Overlay module did not sufficiently validate URLs prior to displaying their contents, leading to an open redirect vulnerability.

This vulnerability is mitigated by the fact that it can only be used against site users who have the “Access the administrative overlay” permission.

CVE identifier(s) issued

  • Multiple vulnerabilities due to optimistic cross-site request forgery protection (Form API validation): CVE-2013-6385
  • Multiple vulnerabilities due to weakness in pseudorandom number generation using mt_rand() (Form API, OpenID and random password generation – Drupal 6 and 7): CVE-2013-6386
  • Code execution prevention (Files directory .htaccess for Apache – Drupal 6 and 7): No CVE; considered remediated through “security hardening”
  • Access bypass (Security token validation – Drupal 6 and 7): No CVE; considered remediated through “security hardening.”
  • Cross-site scripting (Image module – Drupal 7): CVE-2013-6387
  • Cross-site scripting (Color module – Drupal 7): CVE-2013-6388
  • Open redirect (Overlay module – Drupal 7): CVE-2013-6389

Versions affected

  • Drupal core 6.x versions prior to 6.29.
  • Drupal core 7.x versions prior to 7.24.

Solution

Install the latest version:

Also see the Drupal core project page.

Warning: Fixing the code execution prevention may require server configuration; please read:

To fix the code execution prevention vulnerability on existing Apache installations also requires changes to your site’s .htaccess files in the files directories. Until you do this, your site’s status report page at admin/reports/status will display error messages about the problem. Please note that if you are using a different web server such as Nginx the .htaccess files have no effect and you need to configure PHP execution protection yourself in the respective server configuration files.

To fix this issue, you must edit or replace the old .htaccess files manually. Copies of the .htaccess files are found in the site’s files directory and temporary files directory, and (for Drupal 7 only) the separate private files directory if your site is configured to use one. To find the location of these directories, consult the error messages at admin/reports/status, or visit the file system configuration page at admin/settings/file-system (Drupal 6) or admin/config/media/file-system (Drupal 7). Note that you should only make changes to the .htaccess files that are found in the directories specified on that page. Do not change the top-level .htaccess file (at the root of your Drupal installation).

Go onto your server, navigate to each directory, and replace or create the .htaccess file in this directory with the contents described below. Alternatively, you can remove the .htaccess file from each directory using SFTP or SSH and then visit the file system configuration page (admin/settings/file-system in Drupal 6 or admin/config/media/file-system in Drupal 7) and click the save button to have Drupal create the file automatically.

The recommended .htaccess file contents are as follows.

For Drupal 6:

# Turn off all options we don't need.
Options None
Options +FollowSymLinks

# Set the catch-all handler to prevent scripts from being executed.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
<Files *>
  # Override the handler again if we're run later in the evaluation list.
  SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
</Files>

# If we know how to do it safely, disable the PHP engine entirely.
<IfModule mod_php5.c>
  php_flag engine off
</IfModule>
# PHP 4, Apache 1.
<IfModule mod_php4.c>
  php_flag engine off
</IfModule>
# PHP 4, Apache 2.
<IfModule sapi_apache2.c>
  php_flag engine off
</IfModule>

For Drupal 7:

# Turn off all options we don't need.
Options None
Options +FollowSymLinks

# Set the catch-all handler to prevent scripts from being executed.
SetHandler Drupal_Security_Do_Not_Remove_See_SA_2006_006
<Files *>
  # Override the handler again if we're run later in the evaluation list.
  SetHandler Drupal_Security_Do_Not_Remove_See_SA_2013_003
</Files>

# If we know how to do it safely, disable the PHP engine entirely.
<IfModule mod_php5.c>
  php_flag engine off
</IfModule>

Additionally, the .htaccess of the temporary files directory and private files directory (if used) should include this command:

Deny from all

Reported by

Fixed by

Coordinated by

Contact and More Information

The Drupal security team can be reached at security at drupal.org or via the contact form at http://drupal.org/contact.

Learn more about the Drupal Security team and their policies, writing secure code for Drupal, and securing your site.

Drupal version: 
Drupal 6.x
Drupal 7.x
Lighttpd

CVE-2013-4560

Use-after-free vulnerability in lighttpd before 1.4.33 allows remote attackers to cause a denial of service (segmentation fault and crash) via unspecified vectors that trigger FAMMonitorDirectory failures. (CVSS:2.6) (Last Update:2014-01-23)

Lighttpd

CVE-2013-4559

lighttpd before 1.4.33 does not check the return value of the (1) setuid, (2) setgid, or (3) setgroups functions, which might cause lighttpd to run as root if it is restarted and allows remote attackers to gain privileges, as demonstrated by multiple calls to the clone function that cause setuid to fail when the user process limit is reached. (CVSS:7.6) (Last Update:2014-01-23)

Apache

[ANNOUNCEMENT] Apache HTTP Server (httpd) 2.2.26 Released

                      Apache HTTP Server 2.2.26 Released

  The Apache Software Foundation and the Apache HTTP Server Project are
  pleased to announce the release of version 2.2.26 of the Apache HTTP
  Server ("Apache").  This version of Apache is principally a bug fix
  maintenance release.

  We consider the Apache HTTP Server 2.4 release to be the best version
  of Apache available, and encourage users of 2.2 and all prior versions
  to upgrade.  This 2.2 maintenance release is offered for those unable
  to upgrade at this time.  For further details, see:

    http://www.apache.org/dist/httpd/Announcement2.4.txt

  Apache HTTP Server 2.4 and 2.2.26 are available for download from:

    http://httpd.apache.org/download.cgi

  Please see the CHANGES_2.2 file, linked from the download page, for a
  full list of changes.  A condensed list, CHANGES_2.2.26 includes only
  those changes introduced since the prior 2.2 release.  A summary of all 
  of the security vulnerabilities addressed in this and earlier releases 
  is available:

    http://httpd.apache.org/security/vulnerabilities_22.html

  This release includes the Apache Portable Runtime (APR) version 1.4.8
  and APR Utility Library (APR-util) version 1.5.2, bundled with the tar
  and zip distributions.  The APR libraries libapr and libaprutil (and
  on Win32, libapriconv version 1.2.1) must all be updated to ensure
  binary compatibility and address many known security and platform bugs.
  APR-util version 1.5 represents a minor version upgrade from earlier
  httpd 2.2 source distributions.

  This release builds on and extends the Apache 2.0 API and is superceeded
  by the Apache 2.4 API.  Modules written for Apache 2.0 or 2.4 will need
  to be recompiled in order to run with Apache 2.2, and most will require
  minimal or no source code changes.

  When upgrading or installing this version of Apache, please bear in mind
  that if you intend to use Apache with one of the threaded MPMs (other
  than the Prefork MPM), you must ensure that any modules you will be
  using (and the libraries they depend on) are thread-safe.
US-CERT

TA13-317A: Microsoft Updates for Multiple Vulnerabilities

Original release date: November 13, 2013 | Last revised: November 16, 2013

Systems Affected

  • Windows Operating System and Components
  • Microsoft Office
  • Internet Explorer

Overview

Select Microsoft software products contain multiple vulnerabilities. Microsoft has released updates to address these vulnerabilities.

Description

The Microsoft Security Bulletin Summary for November 2013 describes multiple vulnerabilities in Microsoft software. Microsoft has released updates to address these vulnerabilities. The November Security Bulletin includes a patch for the new “watering hole” campaign which utilizes a US-based website that specializes in domestic and international security policy.

Impact

These vulnerabilities could allow remote code execution, elevation of privilege, information disclosure or denial of service.

Solution

Apply Updates

Microsoft has provided updates for these vulnerabilities in the Microsoft Security Bulletin Summary for November 2013, which describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. In addition, administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS). Home users are encouraged to enable automatic updates.

References

Revision History

  • November 13, 2013: Initial Release

This product is provided subject to this Notification and this Privacy & Use policy.

Debian

[BSA-086] Security update for strongswan

Updated strongswan packages for squeeze-backports and wheezy-backports
fix the following vulnerabilities:

- CVE-2013-2944: When using the openssl plugin for ECDSA based
  authentication, an empty, zeroed or otherwise invalid signature is
  handled as a legitimate one.

- CVE-2013-6075: DoS vulnerability and potential authorization bypass
  triggered by a crafted ID_DER_ASN1_DN ID payload.

- CVE-2013-6076: DoS vulnerability triggered by crafted IKEv1
  fragmentation payloads.

The squeeze-backports distribution was affected by CVE-2013-2944 and
CVE-2013-6075. These problems have been fixed in version
4.5.2-1.5+deb7u2~bpo60+1.

The wheezy-backports distribution was affected by CVE-2013-6075 and
CVE-2013-6076. These problems have been fixed in version
5.1.0-3~bpo70+1.
Debian

[BSA-085] Security Update for roundcube

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Package        : roundcube
Vulnerability  : design error
Problem type   : remote
Debian-specific: no
CVE ID         : CVE-2013-6172
Debian Bug     : 727668

It was discovered that roundcube, a skinnable AJAX based webmail
solution for IMAP servers, does not properly sanitize the _session
parameter in steps/utils/save_pref.inc during saving preferences. The
vulnerability can be exploited to overwrite configuration settings and
subsequently allowing random file access, manipulated SQL queries and
even code execution.

roundcube in the oldstable distribution (squeeze) is not affected by
this problem.

For backports for the oldstable distribution (squeeze-backports-sloppy),
this problem has been fixed in 0.9.5-1~bpo60+1.

For the stable distribution (wheezy), this problem has been fixed in
version 0.7.2-9+deb7u1.

For backports for the stable distribution (wheezy-backports),
this problem has been fixed in 0.9.5-1~bpo70+1.

For the unstable distribution (sid), this
Debian

[BSA-087] Security Update for openssh

Colin Watson uploaded new packages for openssh which fixed the following
security problems:

CVE-2013-4548
  A memory corruption vulnerability exists in the post-authentication
  sshd process when an AES-GCM cipher (aes128-gcm-ZT/51Pfwho1BDgjK7y7TUQ< at >public.gmane.org or
  aes256-gcm-ZT/51Pfwho1BDgjK7y7TUQ< at >public.gmane.org) is selected during kex exchange.

  If exploited, this vulnerability might permit code execution with the
  privileges of the authenticated user and may therefore allow bypassing
  restricted shell/command configurations.

  https://security-tracker.debian.org/tracker/CVE-2013-4548

For the wheezy-backports distribution, this problem has been fixed in
version 1:6.4p1-1~bpo70+1.

For the testing (jessie) and unstable (sid) distributions, this problem
has been fixed in version 1:6.4p1-1.

Other distributions are not vulnerable.
Lighttpd

CVE-2013-4508

lighttpd before 1.4.34, when SNI is enabled, configures weak SSL ciphers, which makes it easier for remote attackers to hijack sessions by inserting packets into the client-server data stream or obtain sensitive information by sniffing the network. (CVSS:5.8) (Last Update:2014-01-23)