The FortiGuard Global Threat Research Team has released new security content to cover multiple vulnerabilities. The FortiGuard Team has observed 25 active exploitations of these vulnerabilities to date.
For more information, visit the FortiGuard Center at www.fortiguardcenter.com.
Fortinet provides coverage for the vulnerabilities described below as of the 2.688 IPS Definitions database update. A brief description of each vulnerability follows, in order of severity.

Critical (14)
FG-VD-09-007-Microsoft (Event ID: 17704)
Release Date: Sep 08, 2009 | IPS Definitions DB Version: 2.685
Description: This indicates an attack attempt against a Zero-Day vulnerability discovered by the FortiGuard Global Security Research Team. This signature should help mitigate the Zero-Day threat proactively, both before and after an official fix is available from the vendor. Once the official fix is available, further details about our discovery will be published in an advisory on our FortiGuard Center (http://www.fortiguard.com), and this signature and description will be updated at that time.
Affected Products: This is a Zero-Day (unpatched) vulnerability discovered by the FortiGuard Global Security Research Team.

FG-VD-09-011-Microsoft (Event ID: 17590)
Release Date: Sep 03, 2009 | IPS Definitions DB Version: 2.684
Description: This indicates an attack attempt against a Zero-Day vulnerability discovered by the FortiGuard Global Security Research Team. This signature should help mitigate the Zero-Day threat proactively, both before and after an official fix is available from the vendor. Once the official fix is available, further details about our discovery will be published in an advisory on our FortiGuard Center (http://www.fortiguard.com), and this signature and description will be updated at that time.
Affected Products: This is a Zero-Day (unpatched) vulnerability discovered by the FortiGuard Global Security Research Team.

FG-VD-09-020-Microsoft (Event ID: 17591)
Release Date: Sep 03, 2009 | IPS Definitions DB Version: 2.684
Description: This indicates an attack attempt against a Zero-Day vulnerability discovered by the FortiGuard Global Security Research Team. This signature should help mitigate the Zero-Day threat proactively, both before and after an official fix is available from the vendor. Once the official fix is available, further details about our discovery will be published in an advisory on our FortiGuard Center (http://www.fortiguard.com), and this signature and description will be updated at that time.
Affected Products: This is a Zero-Day (unpatched) vulnerability discovered by the FortiGuard Global Security Research Team.

FG-VD-09-024-Adobe (Event ID: 17705)
Release Date: Sep 08, 2009 | IPS Definitions DB Version: 2.685
Description: This indicates an attack attempt against a Zero-Day vulnerability discovered by the FortiGuard Global Security Research Team. This signature should help mitigate the Zero-Day threat proactively, both before and after an official fix is available from the vendor. Once the official fix is available, further details about our discovery will be published in an advisory on our FortiGuard Center (http://www.fortiguard.com), and this signature and description will be updated at that time.
Affected Products: This is a Zero-Day (unpatched) vulnerability discovered by the FortiGuard Global Security Research Team.

IBM.Tivoli.Storage.Manager.Client.Buffer.Overflow (Event ID: 17564)
Release Date: Sep 11, 2009 | IPS Definitions DB Version: 2.688
Description: This indicates an attack attempt against a buffer-overflow vulnerability in IBM Tivoli Storage Manager Client. The vulnerability is caused by an error when the vulnerable software handles a malicious request. It allows a remote attacker to execute arbitrary code by sending a crafted request.
Affected Products: IBM Tivoli Storage Manager (TSM) client 5.1.0.0 through 5.1.8.2, 5.2.0.0 through 5.2.5.3, 5.3.0.0 through 5.3.6.4, and 5.4.0.0 through 5.4.1.96, and the TSM Express client 5.3.3.0 through 5.3.6.4
Reference IDs:

Mozilla.Firefox.ConstructFrame.Memory.Corruption (Event ID: 17686)
Release Date: Sep 08, 2009 | IPS Definitions DB Version: 2.685
Description: This indicates an attack attempt against a memory corruption vulnerability in Mozilla Firefox. The vulnerability is caused by an error when the vulnerable software handles a specially crafted first-letter frame. It allows a remote attacker to execute arbitrary code.
Affected Products: Mozilla Firefox versions 3.5.0 and previous versions
Reference IDs:

Mozilla.Network.Security.Services.Regexp.Buffer.Overflow (Event ID: 17629)
Release Date: Sep 11, 2009 | IPS Definitions DB Version: 2.688
Description: This indicates an attack attempt against a buffer overflow vulnerability in Mozilla Network Security Services, a library used by applications such as Mozilla Firefox, Mozilla Thunderbird and others. The vulnerability is caused by an error when the vulnerable software handles a specially crafted X.509 certificate. It allows a remote attacker to execute arbitrary code.
Affected Products: Network Security Services (NSS) 3.12.2 and previous versions
Reference IDs:

MS.DHTML.Editing.Component.ActiveX.Control.Code.Execution (Event ID: 17711)
Release Date: Sep 09, 2009 | IPS Definitions DB Version: 2.686
Description: This indicates an attack attempt against a remote code execution vulnerability in the DHTML Editing Component ActiveX Control. The vulnerability is caused by an error when the vulnerable component handles a specially crafted Web page. It allows a remote attacker to execute arbitrary code.
Affected Products:
- Microsoft Windows XP Service Pack 2
- Microsoft Windows XP Service Pack 3
- Microsoft Windows XP Professional x64 Edition Service Pack 2
- Microsoft Windows Server 2003 Service Pack 2
- Microsoft Windows Server 2003 x64 Edition Service Pack 2
- Microsoft Windows Server 2003 with SP2 for Itanium-based Systems
Reference IDs:

MS.IIS.FTP.NLST.Remote.Code.Execution (Event ID: 17697)
Release Date: Sep 01, 2009 | IPS Definitions DB Version: 2.683
Description: This indicates an attack attempt to exploit a buffer-overflow vulnerability in Microsoft Windows IIS server. The Microsoft IIS FTP service contains a buffer overflow in its handling of the NLST command. Remote attackers could exploit this to cause a denial of service or execute arbitrary code on the IIS server.
Affected Products:
- Microsoft Internet Information Services 5.0
- Microsoft Internet Information Services 5.1
- Microsoft Internet Information Services 6.0
Reference IDs:

MS.JScript.Keyword.Override.Code.Execution (Event ID: 17709)
Release Date: Sep 09, 2009 | IPS Definitions DB Version: 2.686
Description: This indicates an attack attempt against a code execution vulnerability in Microsoft Windows. The vulnerability is caused by an error when the JScript engine handles an HTML page containing malicious JavaScript code that overrides keywords. It allows a remote attacker to execute arbitrary code by sending a crafted web page.
Affected Products:
- Microsoft Windows 2000 Service Pack 4
- Windows XP Service Pack 2 and Windows XP Service Pack 3
- Windows XP Professional x64 Edition Service Pack 2
- Windows Server 2003 Service Pack 2
- Windows Server 2003 x64 Edition Service Pack 2
- Windows Server 2003 with SP2 for Itanium-based Systems
- Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
- Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
- Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
- Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
- Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
Reference IDs:

MS.Media.MP3.Memory.Corruption (Event ID: 17716)
Release Date: Sep 09, 2009 | IPS Definitions DB Version: 2.686
Description: This indicates an attack attempt against a memory corruption vulnerability in Microsoft Windows Media components. The vulnerability is caused by an error when the vulnerable software handles a malicious .mp3 file. It allows a remote attacker to execute arbitrary code by sending a crafted .mp3 file.
Affected Products:
- Windows Media Format Runtime 9.0 when installed on Microsoft Windows 2000 Service Pack 4
- Windows Media Format Runtime 9.0 on Windows XP Service Pack 2 and Windows XP Service Pack 3
- Windows Media Format Runtime 9.5 and Windows Media Format Runtime 11 when installed on Windows XP Service Pack 2 and Windows XP Service Pack 3
- Windows Media Format Runtime 9.5 on Windows XP Professional x64 Edition Service Pack 2
- Windows Media Format Runtime 9.5 x64 Edition and Windows Media Format Runtime 11 when installed on Windows XP Professional x64 Edition Service Pack 2
- Windows Media Format Runtime 9.5 on Windows Server 2003 Service Pack 2
- Windows Media Format Runtime 9.5 on Windows Server 2003 x64 Edition Service Pack 2
- Windows Media Format Runtime 9.5 x64 Edition when installed on Windows Server 2003 x64 Edition Service Pack 2
- Windows Media Format Runtime 11 on Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
- Microsoft Media Foundation on Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
- Windows Media Format Runtime 11 on Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
- Microsoft Media Foundation on Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
- Windows Media Format Runtime 11 on Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
- Microsoft Media Foundation on Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
- Windows Media Format Runtime 11 on Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
- Microsoft Media Foundation on Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
Reference IDs:

MS.SMB2.Negotiation.Handler.Code.Execution (Event ID: 17717)
Release Date: Sep 10, 2009 | IPS Definitions DB Version: 2.687
Description: This indicates an attack attempt to exploit a memory corruption vulnerability in Microsoft Server Message Block (SMB). The vulnerability is caused by an error that occurs when Microsoft Server Message Block (SMB) Protocol 2.0 software handles a malformed NEGOTIATE PROTOCOL request. A remote attacker could exploit this vulnerability to execute arbitrary code.
Affected Products: Windows Vista and Server 2008
Reference IDs:

MS.Windows.ASF.Invalid.Free.Code.Execution (Event ID: 17715)
Release Date: Sep 09, 2009 | IPS Definitions DB Version: 2.686
Description: This indicates an attack attempt against a code execution vulnerability in Windows media file handling. The vulnerability is caused by an error when the vulnerable software handles a malicious .ASF file. It allows a remote attacker to execute arbitrary code by sending a crafted .ASF file.
Affected Products:
- Windows Media Format Runtime 9.0 when installed on Microsoft Windows 2000 Service Pack 4
- Windows Media Format Runtime 9.0 on Windows XP Service Pack 2 and Windows XP Service Pack 3
- Windows Media Format Runtime 9.5 and Windows Media Format Runtime 11 when installed on Windows XP Service Pack 2 and Windows XP Service Pack 3
- Windows Media Format Runtime 9.5 on Windows XP Professional x64 Edition Service Pack 2
- Windows Media Format Runtime 9.5 x64 Edition and Windows Media Format Runtime 11 when installed on Windows XP Professional x64 Edition Service Pack 2
- Windows Media Format Runtime 9.5 on Windows Server 2003 Service Pack 2
- Windows Media Format Runtime 9.5 on Windows Server 2003 x64 Edition Service Pack 2
- Windows Media Format Runtime 9.5 x64 Edition when installed on Windows Server 2003 x64 Edition Service Pack 2
- Windows Media Format Runtime 11 on Windows Vista, Windows Vista Service Pack 1, and Windows Vista Service Pack 2
- Windows Media Format Runtime 11 on Windows Vista x64 Edition, Windows Vista x64 Edition Service Pack 1, and Windows Vista x64 Edition Service Pack 2
- Windows Media Format Runtime 11 on Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
- Windows Media Format Runtime 11 on Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
- Windows Media Services 9.1 on Windows Server 2003 Service Pack 2
- Windows Media Services 9.1 on Windows Server 2003 x64 Edition Service Pack 2
- Windows Media Services 2008 on Windows Server 2008 for 32-bit Systems and Windows Server 2008 for 32-bit Systems Service Pack 2
- Windows Media Services 2008 on Windows Server 2008 for x64-based Systems and Windows Server 2008 for x64-based Systems Service Pack 2
Reference IDs:

Trend.ServerProtect.Agent.service.Buffer.Overflow (Event ID: 14938)
Release Date: Sep 08, 2009 | IPS Definitions DB Version: 2.685
Description: This indicates an attempt to exploit a vulnerability in Trend Micro ServerProtect for Windows. The vulnerability is caused by a bounds-checking error in the RPCFN_CopyAUSrc function in EarthAgent.exe. It allows remote attackers to execute arbitrary code by sending overly long strings within an RPC request.
Affected Products: Trend Micro ServerProtect 5.58 Build 1176 for Windows and prior.
Reference IDs:

High (15)
Adobe.Acrobat.Reader.EXE.Command.Execution (Event ID: 17692)
Release Date: Sep 11, 2009 | IPS Definitions DB Version: 2.688
Description: This indicates an attack attempt against a command execution vulnerability in Adobe Reader. The vulnerability is caused by an error when the vulnerable software handles a malicious PDF that embeds a JavaScript execution command. It allows a remote attacker to execute arbitrary code on the victim's host.
Affected Products: Adobe Reader 8.x, Adobe Reader 9.x

Adobe.Reader.Acrobat.TrueType.Font.Handling.Memory.Corruption (Event ID: 17454)
Release Date: Sep 03, 2009 | IPS Definitions DB Version: 2.684
Description: This indicates an attack attempt against a memory-corruption vulnerability in Adobe Reader and Acrobat. The vulnerability is caused by an error when the vulnerable software handles a specially crafted PDF file. It allows a remote attacker to execute arbitrary code.
Affected Products: Adobe Reader 9.1.0, Adobe Acrobat Pro 9.1.0
Reference IDs:

DDWRT.HTTP.Daemon.Arbitrary.Command.Execution (Event ID: 17600)
Release Date: Sep 01, 2009 | IPS Definitions DB Version: 2.683
Description: This indicates a possible attack against a remote command-injection vulnerability in the DD-WRT HTTP server. The vulnerability is due to the software's failure to adequately check user-supplied data in HTTP requests. Remote attackers may exploit this to execute arbitrary code.
Affected Products: DD-WRT v24.sp1, DD-WRT v24-sp1, DD-WRT v24
Reference IDs:

FG-VD-08-028-Microsoft (Event ID: 17593)
Release Date: Sep 03, 2009 | IPS Definitions DB Version: 2.684
Description: This indicates an attack attempt against a Zero-Day vulnerability discovered by the FortiGuard Global Security Research Team. This signature should help mitigate the Zero-Day threat proactively, both before and after an official fix is available from the vendor. Once the official fix is available, further details about our discovery will be published in an advisory on our FortiGuard Center (http://www.fortiguard.com), and this signature and description will be updated at that time.
Affected Products: This is a Zero-Day (unpatched) vulnerability discovered by the FortiGuard Global Security Research Team.

FG-VD-09-005-Microsoft (Event ID: 17592)
Release Date: Sep 03, 2009 | IPS Definitions DB Version: 2.684
Description: This indicates an attack attempt against a Zero-Day vulnerability discovered by the FortiGuard Global Security Research Team. This signature should help mitigate the Zero-Day threat proactively, both before and after an official fix is available from the vendor. Once the official fix is available, further details about our discovery will be published in an advisory on our FortiGuard Center (http://www.fortiguard.com), and this signature and description will be updated at that time.
Affected Products: This is a Zero-Day (unpatched) vulnerability discovered by the FortiGuard Global Security Research Team.

FG-VD-09-006-Microsoft (Event ID: 17597)
Release Date: Sep 03, 2009 | IPS Definitions DB Version: 2.684
Description: This indicates an attack attempt against a Zero-Day vulnerability discovered by the FortiGuard Global Security Research Team. This signature should help mitigate the Zero-Day threat proactively, both before and after an official fix is available from the vendor. Once the official fix is available, further details about our discovery will be published in an advisory on our FortiGuard Center (http://www.fortiguard.com), and this signature and description will be updated at that time.
Affected Products: This is a Zero-Day (unpatched) vulnerability discovered by the FortiGuard Global Security Research Team.

FG-VD-09-015-Adobe (Event ID: 17453)
Release Date: Sep 03, 2009 | IPS Definitions DB Version: 2.684
Description: This indicates an attack attempt against a Zero-Day vulnerability discovered by the FortiGuard Global Security Research Team. This signature should help mitigate the Zero-Day threat proactively, both before and after an official fix is available from the vendor. Once the official fix is available, further details about our discovery will be published in an advisory on our FortiGuard Center (http://www.fortiguard.com), and this signature and description will be updated at that time.
Affected Products: This is a Zero-Day (unpatched) vulnerability discovered by the FortiGuard Global Security Research Team.

FG-VD-09-021-Microsoft (Event ID: 17679)
Release Date: Sep 03, 2009 | IPS Definitions DB Version: 2.684
Description: This indicates an attack attempt against a Zero-Day vulnerability discovered by the FortiGuard Global Security Research Team. This signature should help mitigate the Zero-Day threat proactively, both before and after an official fix is available from the vendor. Once the official fix is available, further details about our discovery will be published in an advisory on our FortiGuard Center (http://www.fortiguard.com), and this signature and description will be updated at that time.
Affected Products: This is a Zero-Day (unpatched) vulnerability discovered by the FortiGuard Global Security Research Team.

FG-VD-09-022-Microsoft (Event ID: 17673)
Release Date: Sep 03, 2009 | IPS Definitions DB Version: 2.684
Description: This indicates an attack attempt against a Zero-Day vulnerability discovered by the FortiGuard Global Security Research Team. This signature should help mitigate the Zero-Day threat proactively, both before and after an official fix is available from the vendor. Once the official fix is available, further details about our discovery will be published in an advisory on our FortiGuard Center (http://www.fortiguard.com), and this signature and description will be updated at that time.
Affected Products: This is a Zero-Day (unpatched) vulnerability discovered by the FortiGuard Global Security Research Team.

Libpurple.MSNSLP.Buffer.Overflow (Event ID: 17683)
Release Date: Sep 08, 2009 | IPS Definitions DB Version: 2.685
Description: This indicates an attack attempt against a buffer overflow vulnerability in Pidgin. The vulnerability is caused by an error when the vulnerable software handles a malicious message. It allows a remote attacker to execute arbitrary code by sending a crafted MSN message.
Affected Products: Gaim >= 0.79; Libpurple <= 2.5.8 (Pidgin <= 2.5.8 and Adium <= 1.3.5). Other Libpurple frontends such as Finch might be vulnerable as well.
Reference IDs:

MS.IE.Javascript.SetAttribute.DoS (Event ID: 17680)
Release Date: Sep 08, 2009 | IPS Definitions DB Version: 2.685
Description: This indicates an attack attempt against a memory-corruption vulnerability in Microsoft Internet Explorer. The vulnerability is caused by an error when the vulnerable software handles a malicious HTML page that includes a misused SetAttribute function in JavaScript. It allows a remote attacker to crash the vulnerable software by sending a crafted web page.
Affected Products: Microsoft IE7, Microsoft IE6
Reference IDs:

MS.IIS.FTP.NLST.DoS (Event ID: 17706)
Release Date: Sep 09, 2009 | IPS Definitions DB Version: 2.686
Description: This indicates an attack attempt to exploit a DoS vulnerability in Microsoft Windows IIS server. The Microsoft IIS FTP service crashes due to stack exhaustion when handling a crafted NLST command. Remote attackers could exploit this to cause a denial of service on the IIS server.
Affected Products:
- Microsoft Internet Information Services 5.0
- Microsoft Internet Information Services 5.1
- Microsoft Internet Information Services 6.0
- Microsoft Internet Information Services 7.0
Reference IDs:

MS.Windows.DHCP.Client.Domain.Name.Too.Long (Event ID: 12044)
Release Date: Sep 03, 2009 | IPS Definitions DB Version: 2.684
Description: This indicates an attack attempt against a buffer-overflow vulnerability in certain versions of Microsoft Windows. The vulnerability lies in the DHCP Client Service and is caused by the software's failure to properly validate user-supplied input before processing it. A remote attacker may exploit this to execute arbitrary code with SYSTEM-level privileges.
Affected Products:
- Microsoft Windows 2000 Advanced Server, and SP1-SP4
- Microsoft Windows 2000 Server, and SP1-SP4
- Microsoft Windows 2000 Datacenter Server, and SP1-SP3
- Microsoft Windows Server 2003, and SP1-SP4
- Microsoft Windows Server 2003 Datacenter Edition
- Microsoft Windows Server 2003 Datacenter Edition 64-bit, and SP1
- Microsoft Windows Server 2003 Enterprise Edition, and SP1
- Microsoft Windows Server 2003 Enterprise Edition 64-bit, and SP1
- Microsoft Windows Server 2003 Enterprise x64 Edition
- Microsoft Windows Server 2003 Standard Edition, and SP1
- Microsoft Windows Server 2003 Standard x64 Edition
- Microsoft Windows Server 2003 Web Edition, and SP1
- Microsoft Windows XP Home, and SP1-SP2
- Microsoft Windows XP Professional, and SP1-SP2
- Microsoft Windows XP Tablet PC Edition, and SP1-SP2
- Microsoft Windows XP Media Center Edition, and SP1-SP2
Reference IDs:

Oracle.Database.Network.Foundation.Remote.Code.Execution (Event ID: 17589)
Release Date: Sep 11, 2009 | IPS Definitions DB Version: 2.688
Description: This indicates an attack attempt against a code execution vulnerability in Oracle Database. The vulnerability is caused by an error when the vulnerable software handles a malicious TNS packet. It allows a remote attacker to execute arbitrary code by sending a crafted request.
Affected Products: Oracle Database 9.2.0.8, 9.2.0.8DV, 10.1.0.5, 10.2.0.4, and 11.1.0.7
Reference IDs:

SAP.Business.One.License.Manager.Buffer.Overflow (Event ID: 17676)
Release Date: Sep 01, 2009 | IPS Definitions DB Version: 2.683
Description: This indicates an attack attempt against a buffer overflow vulnerability in SAP Business One License Manager. The vulnerability is caused by an error when the vulnerable software handles a malicious packet sent to TCP port 30000.
Affected Products: SAP Business One 2005 6.80.320 and later versions
Reference IDs:

Medium (11)
Adobe.JRun.Logviewer.Jsp.Directory.Traversal (Event ID: 17682)
Release Date: Sep 08, 2009 | IPS Definitions DB Version: 2.685
Description: This indicates an attack attempt against a directory traversal vulnerability in Adobe JRun. A vulnerability has been reported in Adobe JRun that may allow an attacker to gain knowledge of sensitive information on a vulnerable system. This is possible because the user input filters fail to properly sanitize the logfile parameter value that is passed to "logviewer.jsp". An attacker may read any file on the vulnerable server by sending a crafted HTTP request.
Affected Products: Adobe JRun version 4.0
Reference IDs:

FG-VD-08-022-Apple (Event ID: 15798)
Release Date: Sep 03, 2009 | IPS Definitions DB Version: 2.684
Description: This indicates an attack attempt against a Zero-Day vulnerability discovered by the FortiGuard Global Security Research Team. This signature should help mitigate the Zero-Day threat proactively, both before and after an official fix is available from the vendor. Once the official fix is available, further details about our discovery will be published in an advisory on our FortiGuard Center (http://www.fortiguard.com), and this signature and description will be updated at that time.
Affected Products: This is a Zero-Day (unpatched) vulnerability discovered by the FortiGuard Global Security Research Team.

FG-VD-08-023-Apple (Event ID: 15799)
Release Date: Sep 03, 2009 | IPS Definitions DB Version: 2.684
Description: This indicates an attack attempt against a Zero-Day vulnerability discovered by the FortiGuard Global Security Research Team. This signature should help mitigate the Zero-Day threat proactively, both before and after an official fix is available from the vendor. Once the official fix is available, further details about our discovery will be published in an advisory on our FortiGuard Center (http://www.fortiguard.com), and this signature and description will be updated at that time.
Affected Products: This is a Zero-Day (unpatched) vulnerability discovered by the FortiGuard Global Security Research Team.

Firebird.SQL.Op_connect_request.DoS (Event ID: 17690)
Release Date: Sep 11, 2009 | IPS Definitions DB Version: 2.688
Description: This indicates an attack attempt against a denial-of-service vulnerability in Firebird SQL. The vulnerability is caused by an error when the vulnerable software handles a specially crafted op_connect_request request. It allows a remote attacker to create a denial-of-service condition on the Firebird SQL service.
Affected Products: Firebird SQL v1.5.5, v2.0.1, v2.0.5, v2.1.1, v2.1.2, v2.1.3 RC1, v2.5.0 Beta 1
Reference IDs:

Grandstream.GXV-3000.Phone.Remote.DoS (Event ID: 17611)
Release Date: Sep 01, 2009 | IPS Definitions DB Version: 2.683
Description: This indicates an attack attempt against a denial-of-service vulnerability in the Grandstream GXV3000 IP Video Phone. The vulnerability is caused by an error when the vulnerable device handles a certain SIP message sequence. It allows a remote attacker to obtain sensitive information or cause a denial of service.
Affected Products: Grandstream GXV3000 IP Video Phone
Reference IDs:

Oracle.BEA.Weblogic.Server.Console-help.Portal.XSS (Event ID: 17687)
Release Date: Sep 11, 2009 | IPS Definitions DB Version: 2.688
Description: This indicates an attack attempt against a cross-site scripting (XSS) vulnerability in BEA WebLogic Server. The vulnerability is caused by an error when the vulnerable software handles a specially crafted console-help.portal page. It allows a remote attacker to inject arbitrary HTML and JavaScript code.
Affected Products: Oracle WebLogic Server 10.3
Reference IDs:

Oracle.Execute.Win32.OS.Commands (Event ID: 17644)
Release Date: Sep 03, 2009 | IPS Definitions DB Version: 2.684
Description: This indicates an attack attempt against an Oracle Database server that can allow attackers to execute Win32 OS commands by passing a Java class to a remote TNS service.
Affected Products: Oracle Database 10g, Oracle Database 9i
Reference IDs:

PostNuke.PNphpBB2.ModName.File.Inclusion (Event ID: 17572)
Release Date: Aug 31, 2009 | IPS Definitions DB Version: 2.682
Description: This indicates an attack attempt against a file inclusion vulnerability in PostNuke PNphpBB2. The vulnerability is caused by an error when the vulnerable software handles a malicious request. It allows a remote attacker to execute arbitrary code by sending a crafted web request.
Affected Products: PNphpBB2 1.2i and earlier
Reference IDs:

RTSP.SET_PARAMETERS.Request.DoS (Event ID: 17685)
Release Date: Sep 08, 2009 | IPS Definitions DB Version: 2.685
Description: This indicates an attack attempt against a denial of service (DoS) vulnerability in RealNetworks Helix Server. The vulnerability is caused by an error when the vulnerable software handles a specially crafted RTSP request. It allows a remote attacker to crash the affected server.
Affected Products:
- RealNetworks Helix Server 12.0.1.215, 12.0.1, 12.0, 11.1.8, 11.1.7, 11.1.6, 11.1.4, 11.1.2
- RealNetworks Helix Mobile Server 12.0.1.215, 12.0.1, 12.0, 11.1.8, 11.1.7, 11.1.6, 11.1.4, 11.1.2
Reference IDs:

RTSP.SETUP.Request.DoS (Event ID: 17689)
Release Date: Sep 11, 2009 | IPS Definitions DB Version: 2.688
Description: This indicates an attack attempt against a denial-of-service vulnerability in RealNetworks Helix Server. The vulnerability is caused by an error when the vulnerable software handles a specially crafted RTSP SETUP request. It allows a remote attacker to cause a denial of service.
Affected Products:
- RealNetworks Helix Server 12.0.1.215, 12.0.1, 12.0, 11.1.8, 11.1.7, 11.1.6, 11.1.4, 11.1.2
- RealNetworks Helix Mobile Server 12.0.1.215, 12.0.1, 12.0, 11.1.8, 11.1.7, 11.1.6, 11.1.4, 11.1.2
Reference IDs:

Safari.File.Stealing (Event ID: 17648)
Release Date: Sep 03, 2009 | IPS Definitions DB Version: 2.684
Description: This indicates an attack attempt against a file-stealing vulnerability in Safari. The vulnerability is caused by an error when the vulnerable software handles malicious local file URLs. It allows a remote attacker to steal files by sending a crafted web page.
Affected Products: Apple Safari prior to 3.2
Reference IDs:

Low (3)
Apache.Tomcat.Jsecurity.Check.Information.Disclosure (Event ID: 17481)
Release Date: Sep 08, 2009 | IPS Definitions DB Version: 2.685
Description: This indicates an attack attempt against an information disclosure vulnerability in Apache Tomcat. A vulnerability has been reported in Apache Tomcat that may allow an attacker to gain knowledge of sensitive information on a vulnerable system. This is possible because the user input filters fail to properly sanitize the j_password parameter value that is passed to "j_security_check". An attacker may read any file on the vulnerable server by sending a crafted HTTP request.
Affected Products (Apache Software Foundation Tomcat):
- 6.0.18, 6.0.16, 6.0.15, 6.0.14, 6.0.13, 6.0.12, 6.0.11, 6.0.10, 6.0.9, 6.0.8, 6.0.7, 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.1, 6.0
- 5.5.27, 5.5.26, 5.5.25, 5.5.24, 5.5.23, 5.5.22, 5.5.21, 5.5.20, 5.5.19, 5.5.18, 5.5.17, 5.5.16, 5.5.15, 5.5.14, 5.5.13, 5.5.12, 5.5.11, 5.5.10, 5.5.9, 5.5.8, 5.5.7, 5.5.6, 5.5.5, 5.5.4, 5.5.3, 5.5.2, 5.5.1, 5.5
- 4.1.39, 4.1.38, 4.1.37, 4.1.36, 4.1.35, 4.1.34, 4.1.32, 4.1.31, 4.1.30, 4.1.29, 4.1.28, 4.1.24, 4.1.12, 4.1.10, 4.1.9 beta, 4.1.3 beta, 4.1.3, 4.1
Reference IDs:

| ISC.DHCP.Server.Client.Identifier.DoS Event ID: 13274 |
Release Date: Sep 08, 2009 IPS Definitions DB Version: 2.685 |
|
Description: This indicates an attack attempt against a denial-of-service vulnerability in the ISC DHCP (dhcpd) server 2.0pl5. The vulnerability is due to the software's inability to properly handle DHCPDISCOVER packets with a 32-byte client-identifier, which it interprets as a corrupt UID. Remote attackers may exploit this to cause a denial of service. Affected Products: ISC DHCP version 2.0pl5 and prior Reference IDs: |
| TCP.Window.Size.Zero.DoS Event ID: 17714 |
Release Date: Sep 11, 2009 IPS Definitions DB Version: 2.688 |
|
Description: This indicates a possible attack against a Denial of Service (DoS) vulnerability in the Microsoft Windows TCP stack. Affected Products: Windows 2000 Service Pack 4; Windows Server 2003 Service Pack 2; Windows Server 2003 x64 Edition Service Pack 2; Windows Server 2003 with SP2 for Itanium-based Systems; Windows Vista, its SP1 and its SP2; Windows Vista x64 Edition, its SP1 and its SP2; Windows Server 2008 for 32-bit Systems and its Service Pack 2; Windows Server 2008 for x64-based Systems and its SP2; Windows Server 2008 for Itanium-based Systems and its SP2 Reference IDs: |
The FortiGuard Threat Research team updates security content as new vectors of exploitation are discovered. The table below details the security content enhanced with this release.
Critical ( 26 )
High ( 17 )
Medium ( 8 )
| Event Name | Revision Notes |
|---|---|
| Apache.Mod_include.Buffer.Overflow | Default_action updated to 'drop' |
| Apple.Safari.File.Stealing | Detection Enhanced; Previous name: "Safari.File.Stealing" |
| Apple.Safari.XSL.File.Stealing | Detection Enhanced; Previous name: "Safari.XSL.File.Stealing" |
| CA.ARCserve.Backup.Message.Engine.DoS | Detection Enhanced |
| FG-VD-08-003-HP | Status updated to 'enable'; Previous name: "HP.OpenView.Network.Node.Manager.o... |
| ISC.Bind.Remote.Dynamic.Update.Message.DoS | Detection Enhanced |
| Oracle.Database.PITRIG_DROPMETADATA.Procedure.Buffer.Overflow | Default_action updated to 'drop' |
| Oracle.Win32.OS.Command.Execution | Previous name: "Oracle.Execute.Win32.OS.Commands" |
Low ( 1 )
| Event Name | Revision Notes |
|---|---|
| Oracle.Database.APEX.Password.Hash.Disclosure | Default_action updated to 'drop' |
Info ( 1 )
| Event Name | Revision Notes |
|---|---|
| DNP3.Points.List.Scan | Detection Enhanced |
The FortiGuard Threat Research team uses globally distributed probes to monitor exploit activity. A vulnerability is classified as active when exploitation of it is observed, and it is then given a magnitude level. The magnitude level reflects the rate of activity across the probes and is set to low, medium or high.
The table below lists the vulnerabilities discussed in this bulletin (specifically new and enhanced detection) and their corresponding exploit activity magnitude. The data below is as of this writing.
Critical ( 8 of 25 )
High ( 12 of 28 )
Medium ( 2 of 15 )
| Event Name | Active Exploitation Observed | Magnitude |
|---|---|---|
| Adobe.JRun.Logviewer.Jsp.Directory.Traversal | No | n/a |
| Apple.Safari.File.Stealing | No | n/a |
| Apple.Safari.XSL.File.Stealing | No | n/a |
| CA.ARCserve.Backup.Message.Engine.DoS | No | n/a |
| FG-VD-08-022-Apple | Yes | Low |
| FG-VD-08-023-Apple | No | n/a |
| Firebird.SQL.Op_connect_request.DoS | No | n/a |
| Grandstream.GXV-3000.Phone.Remote.DoS | Yes | Low |
| ISC.Bind.Remote.Dynamic.Update.Message.DoS | No | n/a |
| Oracle.BEA.Weblogic.Server.Console-help.Portal.XSS | No | n/a |
| Oracle.Execute.Win32.OS.Commands | No | n/a |
| PostNuke.PNphpBB2.ModName.File.Inclusion | No | n/a |
| RTSP.SET_PARAMETERS.Request.DoS | No | n/a |
| RTSP.SETUP.Request.DoS | No | n/a |
| Safari.File.Stealing | No | n/a |
Low ( 1 of 3 )
| Event Name | Active Exploitation Observed | Magnitude |
|---|---|---|
| Apache.Tomcat.Jsecurity.Check.Information.Disclosure | No | n/a |
| ISC.DHCP.Server.Client.Identifier.DoS | Yes | Low |
| TCP.Window.Size.Zero.DoS | No | n/a |
| Revision Date | Version Number | Notes |
|---|---|---|
| Monday, September 14, 2009 | 1 | Initial Documentation. |
About Fortinet ( www.fortinet.com )
Fortinet is the pioneer and leading provider of ASIC-accelerated unified threat management, or UTM, security systems, which are used by enterprises and service providers to increase their security while reducing total operating costs. Fortinet solutions were built from the ground up to integrate multiple levels of security protection, including firewall, antivirus, intrusion prevention, VPN, spyware prevention and anti-spam, designed to help customers protect against network and content level threats. Leveraging a custom ASIC and unified interface, Fortinet solutions offer advanced security functionality that scales from remote office to chassis-based solutions with integrated management and reporting. Fortinet solutions have won multiple awards around the world and are the only security products that are certified in six programs by ICSA Labs (Firewall, Antivirus, IPSec, SSL, Network IPS, and Anti-Spyware). Fortinet is privately held and based in Sunnyvale, California.
Disclaimer
Although Fortinet has attempted to provide accurate information in these materials, Fortinet assumes no legal responsibility for the accuracy or completeness of the information. Please note that no Fortinet statements herein constitute or contain any guarantee, warranty or legally binding representation. All materials contained in this publication are subject to change without notice, and Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice.