Category Archives: Security

Security

Typo3

Captcha Bypass in extension "powermail" (powermail)

Release Date: April 10, 2014

Bulletin update: September 18, 2014 (added CVE)

Component Type: Third party extension. This extension is not a part of the TYPO3 default installation.

Affected Versions: powermail: Version 2.0.0 – 2.0.10

Vulnerability Type: Captcha Bypass

Severity: Low

Suggested CVSS v2.0: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:F/RL:O/RC:C (What’s that?)

CVE: CVE-2014-6288

Problem Description: The extension powermail offers the use of a captch validation to secure forms. It was possible to bypass the captcha validation and submit forms.

Important Note: Other field validators weren’t involved so any other validation worked as expected.

Solution: Updated version 2.0.11 is available from the TYPO3 extension manager and at http://typo3.org/extensions/repository/download/powermail/2.0.11/t3x/. Users of the extension are advised to update the extension as soon as possible as long as they use captchas in their forms.

Credits: Credits go to Jigal van Hemert who discovered and reported this issue.

General advice: Follow the recommendations that are given in the TYPO3 Security Guide. Please subscribe to the typo3-announce mailing list to receive future Security Bulletins via E-mail.

IBM

OpenSSL heartbeat information disclosure

A serious vulnerability in the popular open source cryptographic library OpenSSL has been disclosed and Proof-of-Concept (POC) exploit code is publicly available. This affects deployments using 1.0.1 and 1.0.2-beta releases with TLS heartbeat extension enabled. Successful exploitation allows an attacker to remotely read system memory contents without even needing to log on to the server. It is highly advised to update all the affected products as soon as a patch for the particular product is available and to proactively get updates from the affected vendors.

Wordpress

WordPress 3.8.2 Security Release

WordPress 3.8.2 is now available. This is an important security release for all previous versions and we strongly encourage you to update your sites immediately.

This releases fixes a weakness that could let an attacker force their way into your site by forging authentication cookies. This was discovered and fixed by Jon Cave of the WordPress security team.

It also contains a fix to prevent a user with the Contributor role from improperly publishing posts. Reported by edik.

This release also fixes nine bugs and contains three other security hardening changes:

  • Pass along additional information when processing pingbacks to help hosts identify potentially abusive requests.
  • Fix a low-impact SQL injection by trusted users. Reported by Tom Adams of dxw.
  • Prevent possible cross-domain scripting through Plupload, the third-party library WordPress uses for uploading files. Reported by Szymon Gruszecki.

We appreciated responsible disclosure of these security issues directly to our security team. For more information on all of the changes, see the release notes or consult the list of changes.

Download WordPress 3.8.2 or venture over to Dashboard → Updates and simply click “Update Now.”

Sites that support automatic background updates will be updated to WordPress 3.8.2 within 12 hours. If you are still on WordPress 3.7.1, you will be updated to 3.7.2, which contains the same security fixes as 3.8.2. We don’t support older versions, so please update to 3.8.2 for the latest and greatest.

Already testing WordPress 3.9? The first release candidate is now available (zip) and it contains these security fixes. Look for a full announcement later today; we expect to release 3.9 next week.

US-CERT

TA14-098A: OpenSSL 'Heartbleed' vulnerability (CVE-2014-0160)

Original release date: April 08, 2014

Systems Affected

  • OpenSSL 1.0.1 through 1.0.1f
  • OpenSSL 1.0.2-beta

Overview

A vulnerability in OpenSSL could allow a remote attacker to expose sensitive data, possibly including user authentication credentials and secret keys, through incorrect memory handling in the TLS heartbeat extension.

Description

OpenSSL versions 1.0.1 through 1.0.1f contain a flaw in its implementation of the TLS/DTLS heartbeat functionality. This flaw allows an attacker to retrieve private memory of an application that uses the vulnerable OpenSSL library in chunks of 64k at a time. Note that an attacker can repeatedly leverage the vulnerability to retrieve as many 64k chunks of memory as are necessary to retrieve the intended secrets. The sensitive information that may be retrieved using this vulnerability include:

  • Primary key material (secret keys)
  • Secondary key material (user names and passwords used by vulnerable services)
  • Protected content (sensitive data used by vulnerable services)
  • Collateral (memory addresses and content that can be leveraged to bypass exploit mitigations)

Exploit code is publicly available for this vulnerability.  Additional details may be found in CERT/CC Vulnerability Note VU#720951.

Impact

This flaw allows a remote attacker to retrieve private memory of an application that uses the vulnerable OpenSSL library in chunks of 64k at a time.

Solution

OpenSSL 1.0.1g has been released to address this vulnerability.  Any keys generated with a vulnerable version of OpenSSL should be considered compromised and regenerated and deployed after the patch has been applied.

US-CERT recommends system administrators consider implementing Perfect Forward Secrecy to mitigate the damage that may be caused by future private key disclosures.

References

Revision History

  • Initial Publication

This product is provided subject to this Notification and this Privacy & Use policy.

Microsft

MS14-020 – Important: Vulnerability in Microsoft Publisher Could Allow Remote Code Execution – Important (2950145) – Version: 1.0

Severity Rating: Important
Revision Note: V1.0 (April 8, 2014): Bulletin published.
Summary: This security update resolves a privately reported vulnerability in Microsoft Office. The vulnerability could allow remote code execution if a user opens a specially crafted file in an affected version of Microsoft Publisher. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Microsft

MS14-017 – Critical: Vulnerabilities in Microsoft Word and Office Web Apps Could Allow Remote Code Execution (2949660) – Version: 1.0

Severity Rating: Critical
Revision Note: V1.0 (April 8, 2014): Bulletin published.
Summary: This security update resolves one publicly disclosed vulnerability and two privately reported vulnerabilities in Microsoft Office. The most severe of these vulnerabilities could allow remote code execution if a specially crafted file is opened or previewed in an affected version of Microsoft Office software. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

IBM

Microsoft Word RTF code execution

A vulnerability in Microsoft Word 2010 can allow Remote Code Execution if a user opens a malicious RTF file or previews / opens a malicious RTF email message in Microsoft Outlook while utilizing Microsoft Word as the email viewer (default for Outlook 2007, 2010 and 2013). X-Force is aware of this vulnerability being exploited in targeted attacks. A common attack vector to exploit such vulnerabilities is to send spear-phishing emails with a malicious document attached that lures the receiver to view the document thereby making them think it is from a trusted correspondent and in regards to something that is urgent or of high interest.

Apache

[Announcment] Apache HTTP Server 2.2.27 Released

                       Apache HTTP Server 2.2.27 Released

   The Apache Software Foundation and the Apache HTTP Server Project are
   pleased to announce the release of version 2.2.27 of the Apache HTTP
   Server ("Apache").  This version of Apache is principally a security
   and bug fix maintenance release.

   CVE-2014-0098 (cve.mitre.org)
     Segfaults with truncated cookie logging.
     mod_log_config: Prevent segfaults when logging truncated
     cookies. Clean up the cookie logging parser to recognize
     only the cookie=value pairs, not valueless cookies.

   CVE-2013-6438 (cve.mitre.org)
     mod_dav: Keep track of length of cdata properly when removing
     leading spaces. Eliminates a potential denial of service from
     specifically crafted DAV WRITE requests

   We consider the Apache HTTP Server 2.4 release to be the best version
   of Apache available, and encourage users of 2.2 and all prior
   versions to upgrade.  This 2.2 maintenance release is offered for
   those unable to upgrade at this time.  For further details, see:

     http://www.apache.org/dist/httpd/Announcement2.4.txt

   Apache HTTP Server 2.4 and 2.2.27 are available for download from:

     http://httpd.apache.org/download.cgi

   Please see the CHANGES_2.2 file, linked from the download page, for a
   full list of changes.  A condensed list, CHANGES_2.2.27 includes only
   those changes introduced since the prior 2.2 release.  A summary of
   all of the security vulnerabilities addressed in this and earlier
   releases is available:

     http://httpd.apache.org/security/vulnerabilities_22.html

   This release includes the Apache Portable Runtime (APR) version 1.5.0
   and APR Utility Library (APR-util) version 1.5.3, bundled with the
   tar and zip distributions.  The APR libraries libapr and libaprutil
   (and on Win32, libapriconv version 1.2.1) must all be updated to
   ensure binary compatibility and address many known security and
   platform bugs. APR version 1.5 and APR-util version 1.5 represent
   minor version upgrades from earlier httpd 2.2 source distributions.

   This release builds on and extends the Apache 2.0 API and is
   superceeded by the Apache 2.4 API.  Modules written for Apache 2.0
   or 2.4 will need to be recompiled in order to run with Apache 2.2,
   and most will require minimal or no source code changes.

   When upgrading or installing this version of Apache, please bear in
   mind that if you intend to use Apache with one of the threaded MPMs
   (other than the Prefork MPM), you must ensure that any modules you
   will be using (and the libraries they depend on) are thread-safe.
Apache

CVE-2014-0098

The log_cookie function in mod_log_config.c in the mod_log_config module in the Apache HTTP Server before 2.4.8 allows remote attackers to cause a denial of service (segmentation fault and daemon crash) via a crafted cookie that is not properly handled during truncation. (CVSS:5.0) (Last Update:2014-09-04)