The FortiGuard Global Threat Research Team has released new security content to cover multiple vulnerabilities. The FortiGuard Team has observed 32 active exploitations of these vulnerabilities to date.
For more information, visit the FortiGuard Center at www.fortiguardcenter.com.
Fortinet provides coverage for the vulnerabilities described below as of the 2.671 IPS Definitions database update. A brief description of each vulnerability is provided as follows, in order of severity.

Critical (22)

Adobe.Products.SWF.Remote.Code.Execution
Event ID: 17606
Release Date: Jul 28, 2009
IPS Definitions DB Version: 2.669
Description: This indicates an attack attempt against a vulnerability in Adobe Reader, Acrobat and Flash Player. The vulnerability is caused by an error when the vulnerable software handles a specially crafted SWF file or PDF file, which could allow remote attackers to execute arbitrary code.
Affected Products: Reader and Acrobat 9.1.2; Flash Player 9 and 10
Reference IDs:

AOL.IWinAmpActiveX.Class.ConvertFile.Method.Access
Event ID: 17449
Release Date: Jul 30, 2009
IPS Definitions DB Version: 2.671
Description: This indicates an attempt to exploit a buffer-overflow vulnerability in the AOL IWinAmpActiveX Class. This vulnerability is caused by an error in the "AmpX.dll" ActiveX control when processing malformed arguments passed to the affected method. It allows a remote attacker to execute arbitrary code via a crafted web page.
Affected Products: AmpX.dll 2.4.0.6
Reference IDs:

CA.BrightStor.ARCserve.Backup.Message.Filedelete.RPC.Access
Event ID: 15068
Release Date: Jul 30, 2009
IPS Definitions DB Version: 2.671
Description: This indicates an attempt to exploit a remote code-execution vulnerability in CA BrightStor ARCServe BackUp. This vulnerability is a result of privileged functions being available to arbitrary RPC users in the Message Engine RPC service. It allows remote attackers to execute arbitrary code.
Affected Products: Computer Associates Server Protection Suite r2; Computer Associates Business Protection Suite for Microsoft SBS Std Ed r2; Computer Associates Business Protection Suite for Microsoft SBS Pre ed r2; Computer Associates Business Protection Suite r2; Computer Associates BrightStor Enterprise Backup 10.5; Computer Associates BrightStor ARCServe Backup for Windows 11.0; Computer Associates BrightStor ARCServe Backup 11.1; Computer Associates BrightStor ARCServe Backup 9.01; Computer Associates BrightStor ARCServe Backup 11.5
Reference IDs:

CA.BrightStor.ARCserve.Backup.RPC.Code.Execution
Event ID: 13784
Release Date: Jul 30, 2009
IPS Definitions DB Version: 2.671
Description: This indicates an attempt to exploit a buffer-overflow vulnerability in Computer Associates BrightStor ARCserve Backup. The vulnerability is caused by an error that occurs when the vulnerable software handles a specially crafted RPC request. It allows a remote attacker to execute arbitrary code.
Affected Products: CA BrightStor ARCserve Backup r11.5; CA BrightStor ARCserve Backup r11.1; CA BrightStor ARCserve Backup for Windows r11; CA BrightStor Enterprise Backup r10.5; CA BrightStor ARCserve Backup 9.01; CA Server Protection Suite r2; CA Business Protection Suite r2; CA Business Protection Suite for Microsoft Small Business Server Standard Edition r2; CA Business Protection Suite for Microsoft Small Business Server Premium Edition r2
Reference IDs:

CA.BrightStor.ARCserve.Backup.Tape.Engine.RPC.Code.Execution
Event ID: 13783
Release Date: Jul 30, 2009
IPS Definitions DB Version: 2.671
Description: This indicates an attack attempt against a buffer-overflow vulnerability in CA BrightStor ARCserve Backup. The vulnerability is caused by improper bounds checking in the function whose opnum is 0xBF. By sending a specially crafted RPC request to the Tape Engine service, a remote attacker could overflow a buffer and execute arbitrary code on a vulnerable system.
Affected Products: CA BrightStor ARCserve Backup r11.5; CA BrightStor ARCserve Backup r11.1; CA BrightStor ARCserve Backup for Windows r11; CA BrightStor Enterprise Backup r10.5; CA BrightStor ARCserve Backup 9.01; CA Server Protection Suite r2; CA Business Protection Suite r2; CA Business Protection Suite for Microsoft Small Business Server Standard Edition r2; CA Business Protection Suite for Microsoft Small Business Server Premium Edition r2
Reference IDs:

CA.BrightStor.ARCserve.Backup.Tape.Engine.RPC.Memory.Corruption
Event ID: 14569
Release Date: Jul 30, 2009
IPS Definitions DB Version: 2.671
Description: This indicates an attack attempt against a memory-corruption vulnerability in CA BrightStor ARCserve Backup. The vulnerability is caused by an error in tapeeng.dll while handling malicious stub data. By sending a specially crafted RPC request to the Tape Engine, a remote attacker may overflow a buffer and execute arbitrary code on a vulnerable system.
Affected Products: Computer Associates Server Protection Suite r2; Computer Associates Protection Suites r2 0; Computer Associates Business Protection Suite for Microsoft SBS Std Ed r2; Computer Associates Business Protection Suite for Microsoft SBS Pre ed r2; Computer Associates Business Protection Suite r2; Computer Associates BrightStor Enterprise Backup 10.5; Computer Associates BrightStor ARCserve Backup for Windows (All) 11.5; Computer Associates BrightStor ARCServe Backup 11.1; Computer Associates BrightStor ARCServe Backup 9.01; Computer Associates BrightStor ARCServe Backup 11.5
Reference IDs:

CA.DBASVR.RPC.Server.Crafted.Pointer.Buffer.Overflow
Event ID: 15251
Release Date: Jul 30, 2009
IPS Definitions DB Version: 2.671
Description: This indicates an attempt to exploit a buffer-overflow vulnerability in the dbasvr component of CA BrightStor ARCServe BackUp and Enterprise Backup. It may allow a remote attacker to gain control of vulnerable systems via specially crafted stub data.
Affected Products: Computer Associates Server Protection Suite r2; Computer Associates Business Protection Suite for Microsoft SBS Std Ed r2; Computer Associates Business Protection Suite for Microsoft SBS Pre ed r2; Computer Associates Business Protection Suite r2; Computer Associates BrightStor Enterprise Backup 10.5; Computer Associates BrightStor ARCServe Backup for Windows 11.0; Computer Associates BrightStor ARCServe Backup 11.1; Computer Associates BrightStor ARCServe Backup 9.01; Computer Associates BrightStor ARCServe Backup 11.5
Reference IDs:

Helix.DNA.Server.DESCRIBE.Request.Handle.Buffer.Overflow
Event ID: 14382
Release Date: Jul 30, 2009
IPS Definitions DB Version: 2.671
Description: This indicates an attack attempt against an integer-overflow vulnerability in Helix DNA Server. The vulnerability is caused by an error when the vulnerable software handles a DESCRIBE request. It allows a remote attacker to execute arbitrary code by sending a specially crafted DESCRIBE request with an overly long, invalid LoadTestPassword field.
Affected Products: Real Networks Helix DNA Server 11.1; Real Networks Helix DNA Server 11.0
Reference IDs:

MS.ATL.Uninitialized.Object.Code.Execution
Event ID: 17618
Release Date: Jul 30, 2009
IPS Definitions DB Version: 2.671
Description: This indicates an attack attempt against an ActiveX control built upon a vulnerable version of the Microsoft Active Template Library (ATL). The vulnerable version of the ATL shipped as the official ATL release with Visual Studio versions prior to VS2008 SP1.
Affected Products: Microsoft Visual Studio .NET 2003 Service Pack 1; Microsoft Visual Studio 2005 Service Pack 1; Microsoft Visual Studio 2005 Service Pack 1 64-bit Hosted Visual C++ Tools; Microsoft Visual Studio 2008; Microsoft Visual Studio 2008 Service Pack 1; Microsoft Visual C++ 2005 Service Pack 1 Redistributable Package; Microsoft Visual C++ 2008 Redistributable Package; Microsoft Visual C++ 2008 Service Pack 1 Redistributable Package
Reference IDs:

MS.IE.CSS.cssText.Memory.Corruption
Event ID: 17616
Release Date: Jul 29, 2009
IPS Definitions DB Version: 2.670
Description: This indicates an attack attempt against a memory-corruption vulnerability in Microsoft Internet Explorer. The vulnerability is caused by the software's inability to properly handle attempts to access an object that has been deleted. An attacker may exploit this to cause a denial of service or remote code execution.
Affected Products: Internet Explorer 5.01; Internet Explorer 6; Internet Explorer 7; Internet Explorer 8
Reference IDs:

MS.IE.outerHTML.Memory.Corruption
Event ID: 17614
Release Date: Jul 29, 2009
IPS Definitions DB Version: 2.670
Description: This indicates an attack attempt against a memory-corruption vulnerability in Microsoft Internet Explorer. The vulnerability is caused by the software's inability to properly handle attempts to access an object that has been deleted. An attacker may exploit this to cause a denial of service or remote code execution.
Affected Products: Internet Explorer 5.01; Internet Explorer 6; Internet Explorer 7; Internet Explorer 8
Reference IDs:

MS.IE.Table.Operation.Memory.Corruption
Event ID: 17615
Release Date: Jul 29, 2009
IPS Definitions DB Version: 2.670
Description: This indicates an attack attempt against a memory-corruption vulnerability in Microsoft Internet Explorer. The vulnerability exists in the way that Internet Explorer handles table operations in specific situations. An attacker may exploit this to cause a denial of service or remote code execution.
Affected Products: Internet Explorer 5.01; Internet Explorer 6; Internet Explorer 7; Internet Explorer 8
Reference IDs:

MS.NNTP.XPAT.Heap.Overflow
Event ID: 12802
Release Date: Jul 30, 2009
IPS Definitions DB Version: 2.671
Description: This indicates an attempt to exploit a heap-overflow vulnerability in the NNTP component of Microsoft Windows Server. The vulnerability is due to an unchecked buffer in the vulnerable software. A remote attacker may exploit this to execute arbitrary code.
Affected Products: The NNTP component of any unprotected Microsoft Windows NT Server 4.0, Microsoft Windows 2000 Server, or Microsoft Windows 2003 Server is vulnerable.
Reference IDs:

MS.Outlook.Express.NNTP.Buffer.Overflow
Event ID: 15051
Release Date: Jul 30, 2009
IPS Definitions DB Version: 2.671
Description: This indicates an attack attempt against a buffer-overflow vulnerability in Microsoft Outlook Express and Microsoft Windows Mail. The vulnerability is caused by an error when the vulnerable software handles a malformed NNTP response. It allows a remote attacker to execute arbitrary code by sending a specially crafted web page.
Affected Products: Microsoft Outlook Express 5.5 Service Pack 2; Microsoft Outlook Express 6; Microsoft Outlook Express 6 Service Pack 1; Microsoft Windows Mail; Microsoft Windows 2000 Service Pack 4; Microsoft Windows XP Service Pack 2; Microsoft Windows XP Professional x64 Edition Service Pack 2; Microsoft Windows Server 2003 Service Pack 1; Microsoft Windows Server 2003 Service Pack 2; Microsoft Windows Server 2003 x64 Edition; Microsoft Windows Server 2003 x64 Edition Service Pack 2; Microsoft Windows Server 2003 SP1 (Itanium); Microsoft Windows Server 2003 SP2 (Itanium); Microsoft Windows Vista; Microsoft Windows Vista x64 Edition; Microsoft Windows XP Professional x64 Edition
Reference IDs:

MS.Windows.DHCP.Server.Client.Identifier.Buffer.Overflow
Event ID: 13439
Release Date: Jul 30, 2009
IPS Definitions DB Version: 2.671
Description: This indicates a possible exploit of a buffer-overflow vulnerability in Microsoft Windows NT Server and Terminal Server. The DHCP Server service for Microsoft Windows NT 4.0 Server and Terminal Server Edition does not properly validate the length of certain messages. A remote attacker may send a malformed DHCP message to execute arbitrary code.
Affected Products: Microsoft Windows NT Terminal Server 4.0 SP6; Microsoft Windows NT Terminal Server 4.0 SP5; Microsoft Windows NT Terminal Server 4.0 SP4; Microsoft Windows NT Terminal Server 4.0 SP3; Microsoft Windows NT Terminal Server 4.0 SP2; Microsoft Windows NT Terminal Server 4.0 SP1; Microsoft Windows NT Terminal Server 4.0 alpha; Microsoft Windows NT Terminal Server 4.0; Microsoft Windows NT Server 4.0 SP6a; Microsoft Windows NT Server 4.0 SP6; Microsoft Windows NT Server 4.0 SP5; Microsoft Windows NT Server 4.0 SP4; Microsoft Windows NT Server 4.0 SP3; Microsoft Windows NT Server 4.0 SP2; Microsoft Windows NT Server 4.0 SP1; Microsoft Windows NT Server 4.0; Microsoft Windows NT Enterprise Server 4.0 SP6a; Microsoft Windows NT Enterprise Server 4.0 SP6; Microsoft Windows NT Enterprise Server 4.0 SP5; Microsoft Windows NT Enterprise Server 4.0 SP4; Microsoft Windows NT Enterprise Server 4.0 SP3; Microsoft Windows NT Enterprise Server 4.0 SP2; Microsoft Windows NT Enterprise Server 4.0 SP1; Microsoft Windows NT Enterprise Server 4.0; Microsoft Windows NT 4.0 SP6a alpha; Microsoft Windows NT 4.0 SP6a; Microsoft Windows NT 4.0 SP6 alpha; Microsoft Windows NT 4.0 SP6; Microsoft Windows NT 4.0 SP5 alpha; Microsoft Windows NT 4.0 SP5; Microsoft Windows NT 4.0 SP4 alpha; Microsoft Windows NT 4.0 SP4; Microsoft Windows NT 4.0 SP3 alpha; Microsoft Windows NT 4.0 SP3; Microsoft Windows NT 4.0 SP2 alpha; Microsoft Windows NT 4.0 SP2; Microsoft Windows NT 4.0 SP1 alpha; Microsoft Windows NT 4.0 SP1; Microsoft Windows NT 4.0 alpha; Microsoft Windows NT 4.0
Reference IDs:

MS.Windows.Message.Queuing.RPC.Service.Code.Execution
Event ID: 15936
Release Date: Jul 30, 2009
IPS Definitions DB Version: 2.671
Description: This indicates an attempt to exploit a remote, unauthenticated vulnerability in the Microsoft Message Queuing RPC service. The vulnerability is caused by an error that occurs when the vulnerable service handles a malicious RPC request. It allows a remote attacker to execute arbitrary code in the context of the service.
Affected Products: Microsoft Windows 2000 Service Pack 4
Reference IDs:

RTSP.Content-Type.Header.Buffer.Overflow
Event ID: 15163
Release Date: Jul 30, 2009
IPS Definitions DB Version: 2.671
Description: This indicates an attempt to exploit a buffer-overflow vulnerability in the Real Time Streaming Protocol (RTSP) implementation used by Apple's QuickTime Streaming Server and QuickTime Player. The vulnerability is caused by an error in the way that QuickTime handles the RTSP Content-Type header. It allows a remote attacker to execute arbitrary code via a crafted web page.
Affected Products: Apple QuickTime Player 7.3
Reference IDs:

Symantec.Veritas.Backup.Exec.RPC.Heap.Buffer.Overflow
Event ID: 14791
Release Date: Jul 30, 2009
IPS Definitions DB Version: 2.671
Description: This indicates an attack attempt against a vulnerability in Symantec Veritas Backup Exec for Windows Server. The vulnerability is caused by a heap-based buffer overflow that can occur when the vulnerable software handles input sent to an RPC interface. By sending a crafted ncacn_ip_tcp request to TCP port 6106, remote attackers may be able to cause a denial of service or execute arbitrary code.
Affected Products: Symantec Veritas Backup Exec for Windows Servers 11d; Symantec Veritas Backup Exec for Windows Servers 10d; Symantec Veritas Backup Exec for Windows Servers 10.0
Reference IDs:

Trend.ServerProtect.eng50.dll.Buffer.Overflow
Event ID: 14936
Release Date: Jul 30, 2009
IPS Definitions DB Version: 2.671
Description: This indicates a possible attempt to exploit one of two vulnerabilities in Trend Micro ServerProtect for Windows. These vulnerabilities are a result of bounds-checking errors in "RPCFN_ENG_AddTaskExportLogItem" and "RPCFN_ENG_TakeActionOnAFile" in eng50.dll. Successful exploitation may allow remote attackers to execute arbitrary code by sending excessively long strings in an RPC request.
Affected Products: Trend Micro ServerProtect 5.58 Build 1176 for Windows and prior versions
Reference IDs:

Trend.ServerProtect.Notification.dll.Buffer.Overflow
Event ID: 14912
Release Date: Jul 30, 2009
IPS Definitions DB Version: 2.671
Description: This indicates an attempt to exploit a boundary-checking error in "NTF_SetPagerNotifyConfig" in Notification.dll of Trend Micro ServerProtect for Windows. It may allow a remote attacker to execute arbitrary code via malformed RPC requests.
Affected Products: Trend Micro ServerProtect 5.58 Build 1176 for Windows and prior versions
Reference IDs:

Trend.ServerProtect.StRpcSrv.dll.Buffer.Overflow
Event ID: 14937
Release Date: Jul 30, 2009
IPS Definitions DB Version: 2.671
Description: This indicates an attempt to exploit one of three vulnerabilities in Trend Micro ServerProtect for Windows. These vulnerabilities are caused by boundary-check errors in "RPCFN_CMON_SetSvcImpersonateUser", "RPCFN_ENG_NewManualScan" and "RPCFN_SetComputerName" in StRpcSrv.dll. A remote attacker may exploit this to execute arbitrary code.
Affected Products: Trend Micro ServerProtect 5.58 Build 1176 for Windows and prior versions
Reference IDs:

TrendMicro.ServerProtect.RPC.Stcommon.dll.Buffer.Overflow
Event ID: 15085
Release Date: Jul 30, 2009
IPS Definitions DB Version: 2.671
Description: This indicates a possible exploit of a buffer-overflow vulnerability in Trend Micro ServerProtect. The vulnerability is caused by an error when the vulnerable software handles a crafted RPC request to the "spntSvc" service. It allows a remote attacker to execute arbitrary code.
Affected Products: Trend Micro ServerProtect for Windows 5.58
Reference IDs:

High (20)

Bopup.Communications.Server.Buffer.Overflow
Event ID: 17547
Release Date: Jul 23, 2009
IPS Definitions DB Version: 2.667
Description: This indicates an attack attempt against a buffer-overflow vulnerability in Bopup Communications Server 3.2.26.5460 which could lead to arbitrary code execution.
Affected Products: Bopup Communications Server 3.2.26.5460
Reference IDs:

CA.BrightStor.ARCserve.Backup.Message.0x2F.RPC.Code.Execution
Event ID: 13223
Release Date: Jul 30, 2009
IPS Definitions DB Version: 2.671
Description: This indicates an attack attempt against a heap-overflow vulnerability in multiple CA products. The vulnerability is caused by an error in ASCORE.dll when the vulnerable software handles a malicious request sent through RPC opcodes 43 and 45. It allows a remote attacker to execute arbitrary code by sending a crafted RPC packet.
Affected Products: Computer Associates Server Protection Suite r2; Computer Associates Business Protection Suite r2; Computer Associates BrightStor Enterprise Backup 10.5; Computer Associates BrightStor ARCServe Backup 11.5; Computer Associates BrightStor ARCServe Backup 9.01
Reference IDs:

CA.BrightStor.ARCServe.BackUp.Message.Engine.Command.Injection
Event ID: 15755
Release Date: Jul 30, 2009
IPS Definitions DB Version: 2.671
Description: This indicates an attempt to exploit a remote command-injection vulnerability in the CA BrightStor ARCServe BackUp Message Engine. By sending a specially crafted RPC request, a remote attacker could bypass the current directory execution path and execute arbitrary commands on a vulnerable system.
Affected Products: CA BrightStor ARCServe BackUp R11.5
Reference IDs:

CA.BrightStor.ARCServe.BackUp.Message.Stack.Overflow
Event ID: 14608
Release Date: Jul 30, 2009
IPS Definitions DB Version: 2.671
Description: This indicates an attempt to exploit a remote stack-based buffer-overflow vulnerability in the RPC interface of CA BrightStor ARCServe BackUp. The vulnerability is due to the software's inability to properly sanitize user-supplied input before processing it. A remote attacker can execute arbitrary code on an affected system by exploiting this vulnerability.
Affected Products: CA BrightStor ARCServe BackUp R11.5
Reference IDs:

CA.BrightStor.ARCserve.Tape.Engine.RPC.Buffer.Overflow
Event ID: 13587
Release Date: Jul 30, 2009
IPS Definitions DB Version: 2.671
Description: This indicates an attack attempt against a buffer-overflow vulnerability in Computer Associates BrightStor ARCserve Backup. The vulnerability is due to the software's inability to properly handle malformed data. A remote attacker could execute arbitrary code on the system with SYSTEM privileges via a specially crafted RPC request to the Tape Engine.
Affected Products: CA BrightStor ARCserve Backup r11.5; CA BrightStor ARCserve Backup r11.1; CA BrightStor ARCserve Backup for Windows r11; CA BrightStor Enterprise Backup r10.5; CA BrightStor ARCserve Backup 9.01
Reference IDs:

Cerulean.Studios.Trillian.AIM.URI.Handler.Code.Execution
Event ID: 15217
Release Date: Jul 30, 2009
IPS Definitions DB Version: 2.671
Description: This indicates a possible exploit of a buffer-overflow vulnerability in Cerulean Studios Trillian. This vulnerability is caused by a boundary error in the AOL Instant Messenger (AIM) protocol handler in AIM.DLL. It allows remote attackers to execute arbitrary code via a malformed AIM: URI.
Affected Products: Cerulean Studios Trillian 3.1.6.0
Reference IDs:

IBM.Tivoli.PMfOSD.HTTP.Request.Method.Buffer.Overflow
Event ID: 15356
Release Date: Jul 23, 2009
IPS Definitions DB Version: 2.667
Description: This indicates an attack attempt against a buffer-overflow vulnerability in IBM Tivoli Provisioning Manager for OS Deployment. The vulnerability is caused by an error when the vulnerable software handles a specially crafted HTTP request. It allows a remote attacker to cause a denial of service or execute arbitrary code.
Affected Products: IBM Tivoli Provisioning Manager for OS Deployment 5.1 3; IBM Tivoli Provisioning Manager for OS Deployment 5.1 .116; IBM Tivoli Provisioning Manager for OS Deployment 5.1 .116; IBM Tivoli Provisioning Manager for OS Deployment 5.1.0.2
Reference IDs:

InterNetNews.ARTpost.Control.Message.Buffer.Overflow
Event ID: 14785
Release Date: Jul 30, 2009
IPS Definitions DB Version: 2.671
Description: This indicates an attack attempt against a buffer-overflow vulnerability in ISC INN. The vulnerability is caused by an error when the "ARTpost" function handles a malicious control message. It allows a remote attacker to execute arbitrary code.
Affected Products: ISC INN version 2.4.0 and prior
Reference IDs:

Mozilla.NSS.SSLv2.Client.Integer.Underflow
Event ID: 14365
Release Date: Jul 30, 2009
IPS Definitions DB Version: 2.671
Description: This indicates a possible exploit of a buffer-underflow vulnerability in the SSLv2 support in Mozilla Network Security Services (NSS). This vulnerability is due to a buffer-underflow error in NSS when processing a certificate with a public key that is too small to encrypt the "Master Secret". The same error also occurs when handling invalid parameters while negotiating an SSLv2 session. A remote attacker may exploit this to execute arbitrary code.
Affected Products: Mozilla Thunderbird versions prior to 1.5.0.10
Reference IDs:

Mozilla.NSS.SSLv2.Server.Stack.Overflow
Event ID: 14369
Release Date: Jul 30, 2009
IPS Definitions DB Version: 2.671
Description: This indicates a possible exploit of a buffer-overflow vulnerability in the SSLv2 support in Mozilla Network Security Services (NSS). The vulnerability is caused by the software's inability to handle invalid parameters. A remote attacker may exploit this to execute arbitrary code.
Affected Products: Mozilla Firefox versions prior to 2.0.0.2; Mozilla Firefox versions prior to 1.5.0.10; Mozilla SeaMonkey versions prior to 1.0.8; Network Security Services (NSS) versions prior to 3.11.5
Reference IDs:

MS.Exchange.Server.MAPI.Bind
Event ID: 13229
Release Date: Jul 30, 2009
IPS Definitions DB Version: 2.671
Description: This indicates an attack attempt against a denial-of-service vulnerability in Microsoft Exchange Server. The vulnerability is due to the software's inability to properly handle malformed RPC request parameters. An attacker may exploit this to cause a denial of service.
Affected Products: Microsoft Exchange Server 2003 SP2; Microsoft Exchange Server 2003 SP1; Microsoft Exchange Server 2000 SP3

MS.Outlook.Express.NNTP.LIST.Buffer.Overflow
Event ID: 12072
Release Date: Jul 30, 2009
IPS Definitions DB Version: 2.671
Description: This indicates a possible attempt to exploit a stack-based buffer-overflow vulnerability in Microsoft Outlook Express. The vulnerability is due to the news reader's failure to validate "LIST" responses from NNTP servers. An attacker can convince a victim to visit a malicious web site and then exploit this vulnerability by sending a "LIST" response with a long string in the second field, causing a buffer overflow. As a result, the attacker can execute arbitrary code on the system with the currently logged-in user's permissions.
Affected Products: Microsoft Outlook Express 6.0 SP1; Microsoft Windows XP 64 bit Edition SP1; Microsoft Windows XP Home SP1; Microsoft Windows XP Professional SP1; Microsoft Outlook Express 6.0; Microsoft Windows Server 2003 Datacenter Edition; Microsoft Windows Server 2003 Datacenter Edition Itanium 0; Microsoft Windows Server 2003 Enterprise Edition; Microsoft Windows Server 2003 Enterprise Edition Itanium 0; Microsoft Windows Server 2003 Standard Edition; Microsoft Windows Server 2003 Web Edition; Microsoft Windows XP Home; Microsoft Windows XP Media Center Edition; Microsoft Windows XP Professional; Microsoft Windows XP Tablet PC Edition; Microsoft Outlook Express 5.5 SP2; Microsoft Windows 2000 Advanced Server SP4; Microsoft Windows 2000 Advanced Server SP3; Microsoft Windows 2000 Datacenter Server SP4; Microsoft Windows 2000 Datacenter Server SP3; Microsoft Windows 2000 Professional SP4; Microsoft Windows 2000 Professional SP3; Microsoft Windows 2000 Server SP4; Microsoft Windows 2000 Server SP3; Microsoft Windows ME; Microsoft Outlook Express 5.5 SP1; Microsoft Outlook Express 5.5; Microsoft Internet Explorer 5.5; Microsoft Internet Explorer 5.0.1 for Windows NT 4.0; Microsoft Internet Explorer 5.0.1 for Windows 98; Microsoft Internet Explorer 5.0.1 for Windows 95; Microsoft Internet Explorer 5.0.1 for Windows 2000; Microsoft Internet Explorer 5.0.1; Microsoft Windows 2000 Professional; Microsoft Windows 95; Microsoft Windows 98; Microsoft Windows 98SE; Microsoft Windows NT 4.0
Reference IDs:

MS.Windows.DHCP.Server.HostName.Buffer.Overflow
Event ID: 13438
Release Date: Jul 30, 2009
IPS Definitions DB Version: 2.671
Description: This indicates a possible exploit of a buffer-overflow vulnerability in Microsoft Windows NT Server and Terminal Server. The DHCP Server service for Microsoft Windows NT 4.0 Server and Terminal Server Edition, with DHCP logging enabled, does not properly validate the length of certain messages, which allows remote attackers to cause a denial of service.
Affected Products: Microsoft Windows NT Terminal Server 4.0 SP6; Microsoft Windows NT Terminal Server 4.0 SP5; Microsoft Windows NT Terminal Server 4.0 SP4; Microsoft Windows NT Terminal Server 4.0 SP3; Microsoft Windows NT Terminal Server 4.0 SP2; Microsoft Windows NT Terminal Server 4.0 SP1; Microsoft Windows NT Terminal Server 4.0 alpha; Microsoft Windows NT Terminal Server 4.0; Microsoft Windows NT Server 4.0 SP6a; Microsoft Windows NT Server 4.0 SP6; Microsoft Windows NT Server 4.0 SP5; Microsoft Windows NT Server 4.0 SP4; Microsoft Windows NT Server 4.0 SP3; Microsoft Windows NT Server 4.0 SP2; Microsoft Windows NT Server 4.0 SP1; Microsoft Windows NT Server 4.0; Microsoft Windows NT Enterprise Server 4.0 SP6a; Microsoft Windows NT Enterprise Server 4.0 SP6; Microsoft Windows NT Enterprise Server 4.0 SP5; Microsoft Windows NT Enterprise Server 4.0 SP4; Microsoft Windows NT Enterprise Server 4.0 SP3; Microsoft Windows NT Enterprise Server 4.0 SP2; Microsoft Windows NT Enterprise Server 4.0 SP1; Microsoft Windows NT Enterprise Server 4.0; Microsoft Windows NT 4.0 SP6a alpha; Microsoft Windows NT 4.0 SP6a; Microsoft Windows NT 4.0 SP6 alpha; Microsoft Windows NT 4.0 SP6; Microsoft Windows NT 4.0 SP5 alpha; Microsoft Windows NT 4.0 SP5; Microsoft Windows NT 4.0 SP4 alpha; Microsoft Windows NT 4.0 SP4; Microsoft Windows NT 4.0 SP3 alpha; Microsoft Windows NT 4.0 SP3; Microsoft Windows NT 4.0 SP2 alpha; Microsoft Windows NT 4.0 SP2; Microsoft Windows NT 4.0 SP1 alpha; Microsoft Windows NT 4.0 SP1; Microsoft Windows NT 4.0 alpha; Microsoft Windows NT 4.0
Reference IDs:

OpenBSD.DHCP.Remote.DoS
Event ID: 15066
Release Date: Jul 30, 2009
IPS Definitions DB Version: 2.671
Description: This indicates an attack attempt against a denial-of-service vulnerability in OpenBSD DHCP. The vulnerability is due to the software's inability to check the bounds of user-supplied input. A successful exploit corrupts a stack-based buffer and may allow remote attackers to cause a denial-of-service condition.
Affected Products: OpenBSD 3.x; OpenBSD 4.0; OpenBSD 4.1; OpenBSD 4.2
Reference IDs:

OpenSSL.ClientMasterkey.Overflow
Event ID: 12519
Release Date: Jul 30, 2009
IPS Definitions DB Version: 2.671
Description: This indicates an attempt to exploit a buffer-overflow vulnerability in OpenSSL. Due to poor handling of the client key value during negotiation of the SSLv2 protocol, a malicious client may be able to execute arbitrary code as the vulnerable server process, or possibly cause a denial of service (DoS).
Affected Products: OpenSSL 0.9.6d and earlier; OpenSSL 0.9.7-beta2 and earlier
Reference IDs:

Perdition.Imapd.str_vwrite.Format.String
Event ID: 15240
Release Date: Jul 30, 2009
IPS Definitions DB Version: 2.671
Description: This indicates an attempt to exploit a format-string vulnerability in the Perdition IMAP server. The vulnerability is due to the software's inability to properly sanitize user-supplied input. A remote attacker may exploit this to execute arbitrary code.
Affected Products: Perdition IMAP server versions prior to 1.17.1
Reference IDs:

Roxio.CinePlayer.ActiveX.Buffer.Overflow
Event ID: 17457
Release Date: Jul 23, 2009
IPS Definitions DB Version: 2.667
Description: This indicates an attack attempt against a stack-overflow vulnerability in the SonicPlayer ActiveX control, which is installed by Roxio CinePlayer. The vulnerability is due to the ActiveX control's inability to handle overly long arguments passed to the affected method. Remote attackers may exploit this to execute arbitrary code.
Affected Products: Roxio CinePlayer 3.2
Reference IDs:

Sun.Solaris.DHCP.Client.Remote.Code.Execution
Event ID: 14766
Release Date: Jul 30, 2009
IPS Definitions DB Version: 2.671
Description: This indicates an attack attempt against a vulnerability in the script '/lib/svc/method/net-svc' in Sun Solaris 10. It may allow remote attackers to execute arbitrary code via a DHCP response.
Affected Products: Sun Solaris 10.0_x86; Sun Solaris 10
Reference IDs:

Trend.Micro.ServerProtect.SPNTSVC.Buffer.Overflow
Event ID: 14364
Release Date: Jul 30, 2009
IPS Definitions DB Version: 2.671
Description: This indicates an attack attempt against multiple stack-based buffer-overflow vulnerabilities in Trend Micro ServerProtect. The vulnerabilities are caused by the application's failure to properly sanitize user input before copying it to a smaller buffer. Successful exploitation could allow remote attackers to execute arbitrary code on the system with SYSTEM privileges.
Affected Products: Trend Micro ServerProtect for Windows version 5.58; Trend Micro ServerProtect for EMC version 5.58; Trend Micro ServerProtect for Network Appliance Filer version 5.61; Trend Micro ServerProtect for Network Appliance Filer version 5.62
Reference IDs:

Trend.ServerProtect.CAgRpcClient.and.RpcServerDispatch.Overflow
Event ID: 14611
Release Date: Jul 30, 2009
IPS Definitions DB Version: 2.671
Description: This indicates an attack attempt against a stack-based buffer-overflow vulnerability in Trend Micro ServerProtect. The vulnerability is caused by improper bounds checking in TmRpcSrv.dll. By sending a specially crafted RPC request to the EarthAgent and SpntSvc daemons, a remote attacker could overflow a buffer and execute arbitrary code on a vulnerable system.
Affected Products: Trend Micro ServerProtect for Windows version 5.58 and prior
Reference IDs:

Medium ( 4 )
| InterNetNews.ARTpost.NULL.Path.DoS Event ID: 14786 |
Release Date: Jul 30, 2009 IPS Definitions DB Version: 2.671 |
|
Description: This indicates an attack attempt against a denial-of-service vulnerability in ISC INN. The vulnerability is caused by an error when the "ARTpost" function handles an NNTP article whose Path header (the list of Usenet servers the article has traversed) is malformed. It allows a remote attacker to crash the vulnerable software by posting a crafted NNTP message. Affected Products: ISC INN version 2.4.0 and prior. |
| MS.Windows.MSDTC.Heap.Overflow Event ID: 11896 |
Release Date: Jul 30, 2009 IPS Definitions DB Version: 2.671 |
|
Description: This indicates an attack attempt against a memory-corruption vulnerability in Microsoft Distributed Transaction Coordinator (MSDTC). The vulnerability is caused by an error when the vulnerable software handles parameters passed to vulnerable functions in MSDTCPRX.DLL. It allows a remote attacker to execute arbitrary code via sending a crafted RPC request. Affected Products: Windows 2000 Server SP0 - SP4 (Remote Execution) Windows XP SP1 (local privilege elevation only) Windows 2003 Server (local privilege elevation only) Reference IDs:
|
| Oracle.BEA.WebLogic.Server.SSL.DoS Event ID: 14728 |
Release Date: Jul 23, 2009 IPS Definitions DB Version: 2.667 |
|
Description: This indicates an attack attempt against a denial-of-service vulnerability in Oracle's BEA WebLogic products. The vulnerability is caused by an error when the vulnerable software handles a specially crafted SSL connection. It allows a remote attacker to cause a denial of service (network port consumption). Affected Products: BEA WebLogic Server for Win32 8.1, 8.1 SP1, 8.1 SP2, 8.1 SP3, 8.1 SP4; BEA WebLogic Server 8.1, 8.1 SP1, 8.1 SP2, 8.1 SP3, 8.1 SP4; BEA WebLogic Express for Win32 8.1, 8.1 SP1, 8.1 SP2, 8.1 SP3, 8.1 SP4; BEA WebLogic Express 8.1, 8.1 SP1, 8.1 SP2, 8.1 SP3, 8.1 SP4 Reference IDs: |
| SSLv2.Null.Pointer.Dereference.Client.DoS Event ID: 15244 |
Release Date: Jul 30, 2009 IPS Definitions DB Version: 2.671 |
|
Description: This indicates an attempt to exploit a null-pointer dereference vulnerability in OpenSSL. The vulnerability is caused by an error in the get_server_hello function in the SSLv2 client code. A malicious server can crash an SSL client that negotiates SSLv2 with it; servers are not affected, and clients that do not enable SSLv2 are not exposed. Affected Products: OpenSSL 0.9.8, 0.9.8a, 0.9.8b, 0.9.8c; OpenSSL 0.9.7 (including beta1, beta2, beta3) and 0.9.7a through 0.9.7k; OpenSSL 0.9.6 and 0.9.6a through 0.9.6m (including 0.9.6b-36.8); OpenSSL 0.9.5, 0.9.5a; OpenSSL 0.9.4; OpenSSL 0.9.3; OpenSSL 0.9.2b; OpenSSL 0.9.1c Reference IDs: |
Low ( 1 )
| DHCP.Discover.Flood Event ID: 14082 |
Release Date: Jul 30, 2009 IPS Definitions DB Version: 2.671 |
|
Description: This indicates detection of a flood of DHCP DISCOVER packets. This may be an attempt to cause a denial of service on the target DHCP server, for example by exhausting its address pool with DISCOVERs sent from many spoofed client hardware addresses. Affected Products: Any DHCP server |
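The detection logic behind a DISCOVER-flood signature, written out as an added example (this is not Fortinet's signature code). It builds constructed DHCP packets per the RFC 2131 layout, parses option 53 to pick out DISCOVERs, and keeps a sliding window per server. The window length, the packet threshold and the distinct-client threshold are assumptions for the demo; the one useful refinement over a plain rate counter is that it separates a starvation attack (many distinct spoofed chaddr values) from one broken client retransmitting.

```python
import struct
from collections import deque

DHCP_MAGIC = b"\x63\x82\x53\x63"       # RFC 2131 magic cookie after the BOOTP fixed fields
OPT_PAD, OPT_MSG_TYPE, OPT_END = 0, 53, 255
DHCPDISCOVER = 1


def build_discover(xid: int, mac: bytes) -> bytes:
    """Constructed sample: a minimal BOOTREQUEST carrying option 53 = DISCOVER."""
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        1, 1, 6, 0, xid, 0, 0x8000,                 # op, htype, hlen, hops, xid, secs, flags
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,  # ciaddr, yiaddr, siaddr, giaddr
                        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)  # chaddr, sname, file
    return fixed + DHCP_MAGIC + bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER, OPT_END])


def dhcp_message_type(pkt: bytes):
    """Return the option-53 message type, or None if the packet is not DHCP or the option is absent."""
    if len(pkt) < 240 or pkt[236:240] != DHCP_MAGIC:
        return None
    i = 240
    while i < len(pkt):
        tag = pkt[i]
        if tag == OPT_END:
            break
        if tag == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(pkt):
            break                                    # truncated option: stop, do not read past the end
        length = pkt[i + 1]
        if tag == OPT_MSG_TYPE and length == 1 and i + 2 < len(pkt):
            return pkt[i + 2]
        i += 2 + length
    return None


class DiscoverFloodDetector:
    """Sliding-window DISCOVER counter for one DHCP server (thresholds are demo assumptions).
    Many packets from many distinct chaddr values looks like pool starvation;
    the same chaddr hammering looks like a plain flood or a broken client."""

    def __init__(self, window_s: float = 10.0, max_discovers: int = 20, max_clients: int = 5):
        self.window_s, self.max_discovers, self.max_clients = window_s, max_discovers, max_clients
        self.events = deque()                        # (timestamp, chaddr) within the window

    def observe(self, ts: float, pkt: bytes):
        """Feed one packet with its capture time; return an alert label or None."""
        if dhcp_message_type(pkt) != DHCPDISCOVER:
            return None
        hlen = min(pkt[2], 16)
        chaddr = pkt[28:28 + hlen]                   # chaddr starts at BOOTP offset 28
        self.events.append((ts, chaddr))
        while self.events and ts - self.events[0][0] > self.window_s:
            self.events.popleft()
        if len(self.events) <= self.max_discovers:
            return None
        distinct = len({c for _, c in self.events})
        return "starvation" if distinct > self.max_clients else "flood"


def demo() -> dict:
    """Constructed traffic: one client retrying every 2 s, then 25 spoofed-MAC DISCOVERs in 0.25 s."""
    quiet = DiscoverFloodDetector()
    normal = [quiet.observe(2.0 * t, build_discover(0x1000 + t, b"\x00\x11\x22\x33\x44\x55"))
              for t in range(8)]
    noisy = DiscoverFloodDetector()
    spoofed = [noisy.observe(0.01 * n, build_discover(n, n.to_bytes(6, "big")))
               for n in range(25)]
    return {"normal": normal, "spoofed": spoofed}


if __name__ == "__main__":
    for name, verdicts in demo().items():
        print(name, [v for v in verdicts if v])
```

In a live sensor the timestamps come from the capture and the packets from the UDP/67 payload; the two thresholds should be tuned to the size of the subnet served, since a reboot of a large office segment can legitimately produce a burst of distinct DISCOVERs.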
Info ( 7 )
| DNP3.Broadcast.Request.Authorized.Client Event ID: 11509 |
Release Date: Jul 30, 2009 IPS Definitions DB Version: 2.671 |
|
Description: This indicates that a request packet was broadcast to all devices on the network. An attacker can issue a broadcast request to a network of PLCs or other DNP3 servers to learn which devices are present. The Distributed Network Protocol (DNP3) is an industry standard for interoperation between devices and is commonly found in SCADA systems. DNP3 enables data and command exchange between a client (the master station, such as an HMI) and a server (the outstation, such as a PLC); the client sends commands to, and controls the operation of, the server. Affected Products: DNP3 servers and clients |
| DNP3.Function.Code.Scan Event ID: 15282 |
Release Date: Jul 30, 2009 IPS Definitions DB Version: 2.671 |
|
Description: This indicates a possible attempt by an attacker to determine which DNP3 function codes an outstation supports, during the reconnaissance phase of an attack. DNP3 is a protocol commonly used in SCADA and DCS networks for process control. Each request carries a function code that determines the type of request, such as read, write, or an administrative operation. If the outstation does not support the function code, it rejects the request and sets bit 0 (NO_FUNC_CODE_SUPPORT) of the second Internal Indications (IIN) byte in its response. It would be unusual for an authorized HMI or master station to issue a function code the outstation does not support. Some vendors implement vendor-specific function codes, so the result of a function code scan can allow an attacker to identify the field equipment's vendor and model. Affected Products: DNP3 outstations, such as PLCs, RTUs and IEDs. |
| DNP3.Misc.Request.PLC Event ID: 11506 |
Release Date: Jul 30, 2009 IPS Definitions DB Version: 2.671 |
|
Description: This indicates that an unauthorized DNP3 client issued a request other than a read or write request to a PLC or other field device. The Distributed Network Protocol (DNP3) is an industry standard for interoperation between devices and is commonly found in SCADA systems. DNP3 enables data and command exchange between a client (the master station) and a server (the outstation); the client sends commands to, and controls the operation of, the server. Affected Products: DNP3 servers and clients |
| DNP3.Points.List.Scan Event ID: 15281 |
Release Date: Jul 30, 2009 IPS Definitions DB Version: 2.671 |
|
Description: This indicates a possible attempt by an attacker to determine which DNP3 data points are available, during the reconnaissance phase of an attack. DNP3 is a protocol commonly used in SCADA and DCS networks for process control. Read and write requests are issued to a DNP3 outstation to address points representing objects. The DNP3 application layer provides Internal Indications (IIN) bits for initiating error recovery, and this signature looks for specific IIN bits that could be the result of malicious activity. If a read or write request addresses an object or point that is not configured in the outstation, the outstation rejects it and sets the OBJECT_UNKNOWN or PARAMETER_ERROR bit (bits 1 and 2 of the second IIN byte) in its response. It would be an unlikely error for an authorized HMI or master station to issue a read or write request to an address that is not configured. Affected Products: DNP3 outstations, such as PLCs, RTUs and IEDs. |
| DNP3.Stop.Application Event ID: 11507 |
Release Date: Jul 30, 2009 IPS Definitions DB Version: 2.671 |
|
Description: This indicates a possible attempt by an attacker to shut down an application on a DNP3 server (outstation) by issuing a Stop Application request (function code 0x12) while spoofing the IP address of an authorized DNP3 client. The Distributed Network Protocol (DNP3) is an industry standard for interoperation between devices and is commonly found in SCADA systems. DNP3 enables data and command exchange between a client (the master station) and a server (the outstation); the client sends commands to, and controls the operation of, the server. Affected Products: DNP3 servers |
| DNP3.Warm.Restart Event ID: 11508 |
Release Date: Jul 30, 2009 IPS Definitions DB Version: 2.671 |
|
Description: This indicates an attack attempt against DNP3 SCADA system servers. SCADA systems are used to control public utilities and large-scale industrial processes. The weakness lies in the Warm Restart command (function code 0x0E) of the DNP3 protocol, which an outstation accepts from any master unless DNP3 Secure Authentication is in use. A remote attacker who can reach the outstation may send Warm Restart commands to force a PLC (Programmable Logic Controller) to restart repeatedly, creating a denial of service or causing loss of state information. Affected Products: PLCs and other DNP3 servers |
| DNP3.Write.Request.PLC Event ID: 11505 |
Release Date: Jul 30, 2009 IPS Definitions DB Version: 2.671 |
|
Description: This indicates that an unauthorized client attempted to write information to a PLC or other field device. The Distributed Network Protocol (DNP3) is an industry standard for interoperation between devices and is commonly found in SCADA systems. DNP3 enables data and command exchange between a client (the master station) and a server (the outstation). Attackers can use a write request to overwrite sensitive system information or insert incorrect data. Affected Products: DNP3 servers and clients |
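The seven DNP3 signatures above share one parser and two kinds of logic: an allowlist check on requests (broadcast, write, non-read, warm restart, stop application) and a count of outstation rejections in responses (function code scan, points list scan). The following is an added example that reproduces that logic end to end; it is not Fortinet's signature code. The link, transport and application layouts and the CRC follow IEEE 1815; the master allowlist, the rejection threshold, the alert labels and the sample traffic in `demo()` are assumptions for the demo. It keys on DNP3 link addresses, whereas a real sensor would also key on the IP source, since the spoofing case in the Stop Application entry is at the IP layer.

```python
import struct
from collections import Counter

START = b"\x05\x64"                                    # link-layer start bytes
BROADCAST_ADDRS = {0xFFFD, 0xFFFE, 0xFFFF}             # all-stations destination addresses

# Application-layer function codes (IEEE 1815)
FC_READ, FC_WRITE = 0x01, 0x02
FC_COLD_RESTART, FC_WARM_RESTART, FC_STOP_APPL = 0x0D, 0x0E, 0x12
FC_RESPONSE, FC_UNSOLICITED = 0x81, 0x82

# Bits of the second IIN byte an outstation sets when it rejects a request
IIN2_NO_FUNC_CODE_SUPPORT, IIN2_OBJECT_UNKNOWN, IIN2_PARAMETER_ERROR = 0x01, 0x02, 0x04


def dnp3_crc(data: bytes) -> int:
    """CRC-16/DNP: poly 0x3D65 (reflected 0xA6BC), init 0, final XOR 0xFFFF."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


def build_frame(src: int, dst: int, app: bytes, ctrl: int = 0xC4) -> bytes:
    """Wrap an application fragment in transport and link layers with CRCs.
    ctrl 0xC4 = DIR|PRM, unconfirmed user data (master -> outstation); 0x44 is the outstation side."""
    user = b"\xC0" + app                               # transport header: FIR|FIN, sequence 0
    header = START + bytes([5 + len(user), ctrl]) + struct.pack("<HH", dst, src)
    frame = header + struct.pack("<H", dnp3_crc(header))
    for i in range(0, len(user), 16):                  # user data in 16-byte blocks, each with a CRC
        block = user[i:i + 16]
        frame += block + struct.pack("<H", dnp3_crc(block))
    return frame


def parse_frame(frame: bytes) -> dict:
    """Verify CRCs and return link addresses, function code and IIN (responses only)."""
    if len(frame) < 10 or frame[:2] != START:
        raise ValueError("not a DNP3 frame")
    dst, src = struct.unpack("<HH", frame[4:8])
    if struct.unpack("<H", frame[8:10])[0] != dnp3_crc(frame[:8]):
        raise ValueError("link header CRC mismatch")
    user, pos, remaining = b"", 10, frame[2] - 5        # length counts ctrl+dst+src+user data, no CRCs
    while remaining > 0:
        n = min(16, remaining)
        block, crc = frame[pos:pos + n], frame[pos + n:pos + n + 2]
        if len(block) != n or len(crc) != 2 or struct.unpack("<H", crc)[0] != dnp3_crc(block):
            raise ValueError("user data CRC mismatch")
        user, pos, remaining = user + block, pos + n + 2, remaining - n
    if len(user) < 3:
        raise ValueError("truncated application header")
    fc = user[2]                                       # [transport][app control][function code]
    iin = None
    if fc in (FC_RESPONSE, FC_UNSOLICITED):
        if len(user) < 5:
            raise ValueError("response without IIN")
        iin = (user[3], user[4])
    return {"src": src, "dst": dst, "fc": fc, "iin": iin}


def is_valid_frame(frame: bytes) -> bool:
    try:
        parse_frame(frame)
        return True
    except ValueError:
        return False


class Dnp3Monitor:
    """Stateful inspector keyed on DNP3 link addresses (demo assumption: no IP layer)."""

    def __init__(self, authorized_masters, scan_threshold: int = 3):
        self.authorized = set(authorized_masters)
        self.scan_threshold = scan_threshold           # rejected replies per outstation before alerting
        self.rejects = Counter()                       # (outstation address, kind) -> count

    def inspect(self, frame: bytes) -> list:
        p, alerts = parse_frame(frame), []
        if p["iin"] is None:                           # request: master -> outstation
            if p["dst"] in BROADCAST_ADDRS:
                alerts.append("broadcast request")
            if p["src"] not in self.authorized and p["fc"] != FC_READ:   # reads are not flagged
                alerts.append("unauthorized write" if p["fc"] == FC_WRITE else "unauthorized non-read request")
            if p["fc"] in (FC_COLD_RESTART, FC_WARM_RESTART):
                alerts.append("restart request")
            if p["fc"] == FC_STOP_APPL:
                alerts.append("stop application request")
        else:                                          # response: outstation -> master, inspect IIN2
            iin2 = p["iin"][1]
            if iin2 & IIN2_NO_FUNC_CODE_SUPPORT:
                alerts += self._tally(p["src"], "function code scan")
            if iin2 & (IIN2_OBJECT_UNKNOWN | IIN2_PARAMETER_ERROR):
                alerts += self._tally(p["src"], "points list scan")
        return alerts

    def _tally(self, outstation: int, kind: str) -> list:
        self.rejects[(outstation, kind)] += 1
        return [kind] if self.rejects[(outstation, kind)] >= self.scan_threshold else []


def demo() -> dict:
    """Constructed traffic: master 1 is authorized, master 99 is rogue, 10 is an outstation."""
    mon = Dnp3Monitor(authorized_masters={1})
    read_class0 = bytes([0xC0, FC_READ, 0x3C, 0x01, 0x06])           # read group 60 var 1, qualifier 0x06
    rejected = bytes([0xC0, FC_RESPONSE, 0x00, IIN2_NO_FUNC_CODE_SUPPORT])
    return {
        "ok_read": mon.inspect(build_frame(1, 10, read_class0)),
        "rogue_write": mon.inspect(build_frame(99, 10, bytes([0xC0, FC_WRITE]))),
        "broadcast": mon.inspect(build_frame(1, 0xFFFF, read_class0)),
        "rogue_restart": mon.inspect(build_frame(99, 10, bytes([0xC0, FC_WARM_RESTART]))),
        "scan": [mon.inspect(build_frame(10, 1, rejected, ctrl=0x44)) for _ in range(3)],
    }


if __name__ == "__main__":
    for name, alerts in demo().items():
        print(f"{name}: {alerts}")
```

Frames that fail a CRC are dropped rather than inspected, which matters on serial-to-TCP gateways that forward line noise; and the scan counters are per outstation because a master probing several outstations in turn will trip each one separately, which is the pattern the two Info signatures are meant to surface.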
The FortiGuard Threat Research team updates security content as new vectors of exploitation are discovered. The table below details the security content enhanced with this release.
Critical ( 33 )
High ( 19 )
Medium ( 8 )
| Event Name | Revision Notes |
|---|---|
| CA.ARCserve.Backup.DB.Engine.DoS | Detection Enhanced |
| CA.ARCserve.Backup.Message.Engine.DoS | Detection Enhanced |
| CA.ARCserve.Backup.Tape.Engine.DoS | Detection Enhanced |
| ClamAV.Cli.Check.Jpeg.Exploit.Function.DoS | Status updated to 'enable'; Default_action updated to 'drop' |
| IBM.DB2.Database.Server.CONNECT.Request.DoS | Detection Enhanced |
| Jive.Openfire.Jabber.Server.Authentication.Bypass | Default_action updated to 'drop' |
| Pluck.Local.File.Inclusion | Detection Enhanced |
| Yahoo.Messenger.File.Transfer.Filename.Spoofing | Detection Enhanced |
Low ( 1 )
| Event Name | Revision Notes |
|---|---|
| MIT.Kerberos.V5.KDC.TCP.Handling.DoS | Status updated to 'enable'; Severity updated to 'medium'; Default_action updated to 'drop' |
Info ( 2 )
| Event Name | Revision Notes |
|---|---|
| MSN.Web.Messenger | Detection Enhanced |
| Stream.Media | Detection Enhanced |
The FortiGuard Threat Research team uses globally distributed probes to monitor exploit activity. A vulnerability for which the probes observe exploitation is classified as active and given a magnitude level. The magnitude level reflects the rate of exploit activity observed across the probes and is set to low, medium or high.
The table below lists the vulnerabilities discussed in this bulletin (specifically new and enhanced detection) and their corresponding exploit activity magnitude. The data below is as of this writing.
Critical ( 14 of 39 )
High ( 13 of 32 )
Medium ( 1 of 10 )
| Event Name | Active Exploitation Observed | Magnitude |
|---|---|---|
| CA.ARCserve.Backup.DB.Engine.DoS | No | n/a |
| CA.ARCserve.Backup.Message.Engine.DoS | No | n/a |
| CA.ARCserve.Backup.Tape.Engine.DoS | No | n/a |
| IBM.DB2.Database.Server.CONNECT.Request.DoS | No | n/a |
| InterNetNews.ARTpost.NULL.Path.DoS | No | n/a |
| MS.Windows.MSDTC.Heap.Overflow | Yes | High |
| Oracle.BEA.WebLogic.Server.SSL.DoS | No | n/a |
| Pluck.Local.File.Inclusion | No | n/a |
| SSLv2.Null.Pointer.Dereference.Client.DoS | No | n/a |
| Yahoo.Messenger.File.Transfer.Filename.Spoofing | No | n/a |
Low ( 1 of 1 )
| Event Name | Active Exploitation Observed | Magnitude |
|---|---|---|
| DHCP.Discover.Flood | Yes | Low |
| Revision Date | Version Number | Notes |
|---|---|---|
| Monday, August 03, 2009 | 1 | Initial Documentation. |
About Fortinet ( www.fortinet.com )
Fortinet is the pioneer and leading provider of ASIC-accelerated unified threat management, or UTM, security systems, which are used by enterprises and service providers to increase their security while reducing total operating costs. Fortinet solutions were built from the ground up to integrate multiple levels of security protection--including firewall, antivirus, intrusion prevention, VPN, spyware prevention and anti-spam -- designed to help customers protect against network and content level threats. Leveraging a custom ASIC and unified interface, Fortinet solutions offer advanced security functionality that scales from remote office to chassis-based solutions with integrated management and reporting. Fortinet solutions have won multiple awards around the world and are the only security products that are certified in six programs by ICSA Labs: (Firewall, Antivirus, IPSec, SSL, Network IPS, and Anti-Spyware). Fortinet is privately held and based in Sunnyvale, California.
Disclaimer
Although Fortinet has attempted to provide accurate information in these materials, Fortinet assumes no legal responsibility for the accuracy or completeness of the information. Please note that no Fortinet statements herein constitute or contain any guarantee, warranty or legally binding representation. All materials contained in this publication are subject to change without notice, and Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice.