The FortiGuard Global Threat Research Team has released new security content to cover multiple vulnerabilities. The FortiGuard Team has observed 13 active exploitations of these vulnerabilities to date.
For more information, visit the FortiGuard Center at www.fortiguardcenter.com.
Fortinet provides coverage for the vulnerabilities described below as of the 2.775 IPS Definitions database update. A brief description of each vulnerability is provided as follows, in order of severity.
Critical (9)
Bredolab.Botnet (Event ID: 18179)
Release Date: Mar 24, 2010; IPS Definitions DB Version: 2.774
Description: This indicates that the system might be infected by the Bredolab trojan.
Affected Products: Any unprotected Windows system is vulnerable to the attack.
Energizer.DUO.USB.Charger.Backdoor.Unauthorized.Access (Event ID: 18280)
Release Date: Mar 23, 2010; IPS Definitions DB Version: 2.773
Description: This indicates that the system might be infected by the Energizer DUO USB Charger backdoor.
Affected Products: Any unprotected Windows system is vulnerable to the attack.
FG-VD-10-005-Adobe (Event ID: 19360)
Release Date: Mar 25, 2010; IPS Definitions DB Version: 2.775
Description: This indicates an attack attempt against a Zero-Day vulnerability discovered by Fortinet's FortiGuard Labs. This signature should help mitigate the Zero-Day threat proactively, both before and after an official fix is available from the vendor. Once the official fix is available, further details about our discovery will be made available in an advisory on our FortiGuard Center (http://www.fortiguard.com), and this signature and description will be updated at that time.
Affected Products: This is a Zero-Day (unpatched) vulnerability that has been discovered by Fortinet's FortiGuard Labs.
HP.OpenView.Storage.Data.Protector.Cell.Manager.Buffer.Overflow (Event ID: 18251)
Release Date: Mar 16, 2010; IPS Definitions DB Version: 2.771
Description: This indicates an attack attempt against a buffer overflow vulnerability in HP OpenView Data Protector Cell Manager. The vulnerability is caused by an error when the vulnerable software handles a specially crafted packet received on port 1530/TCP. It allows a remote attacker to execute arbitrary code.
Affected Products: HP OpenView Storage Data Protector 5.5; HP OpenView Storage Data Protector 6.0; HP OpenView Storage Data Protector 5.1
HP.Power.Manager.FormExportDataLogs.Buffer.Overflow (Event ID: 18221)
Release Date: Mar 23, 2010; IPS Definitions DB Version: 2.773
Description: This indicates an attack attempt against a buffer overflow vulnerability in HP Power Manager. The vulnerability is caused by an error when the vulnerable software handles a specially crafted HTTP request. It allows a remote attacker to inject and execute arbitrary code.
Affected Products: HP Power Manager 4.2.9; HP Power Manager 4.2.7; HP Power Manager 4.0Build11; HP Power Manager 4.0Build10; HP Power Manager 0
IBM.Lotus.Domino.LDAP.Heap.Buffer.Overflow (Event ID: 18253)
Release Date: Mar 23, 2010; IPS Definitions DB Version: 2.773
Description: This indicates an attack attempt against a buffer overflow vulnerability in IBM Lotus Domino Server. The vulnerability is caused by an error when the vulnerable software handles a specially crafted LDAP message. It allows a remote attacker to cause a denial of service or other impact.
Affected Products: IBM Lotus Domino 7.0; IBM Lotus Domino 8.0
Novell.EDirectory.NDS.Verb.0x01.Integer.Overflow (Event ID: 18245)
Release Date: Mar 25, 2010; IPS Definitions DB Version: 2.775
Description: This indicates an attack attempt against an integer overflow vulnerability in Novell eDirectory. The vulnerability is caused by an error when the vulnerable software handles a specially crafted service request (NDS Verb 0x1) with an overly large integer value that would be used in memory allocation. It allows a remote attacker to execute arbitrary code.
Affected Products: Novell eDirectory version 8.7.3.10 ftf1 and previous versions; Novell eDirectory version 8.8.5 ftf1 and previous versions
RedHat.Piranha.Command.Execution (Event ID: 12947)
Release Date: Mar 25, 2010; IPS Definitions DB Version: 2.775
Description: This indicates an attack attempt against a remote command execution vulnerability in Red Hat Piranha Virtual Server Package. A vulnerability has been reported in Piranha that may allow an attacker to execute shell commands on a vulnerable system. This is possible because the user input filters fail to properly sanitize the password field that is passed to the "passwd.php3" CGI script. An attacker may include shell commands by supplying an injection string through the URL.
Affected Products: RedHat piranha-gui-0.4.12-1.i386.rpm; RedHat Linux 6.2 sparc; RedHat Linux 6.2 i386; RedHat Linux 6.2 alpha
Sun.Java.System.Web.Server.WEBDAV.Stack.Buffer.Overflow (Event ID: 18249)
Release Date: Mar 16, 2010; IPS Definitions DB Version: 2.771
Description: This indicates an attack attempt against a buffer overflow vulnerability in Sun Java System Web Server. The vulnerability is caused by an error when the vulnerable software handles a specially crafted HTTP request. It allows a remote attacker to execute arbitrary code.
Affected Products: Sun Java System Web Server 7.0 Update 7; Sun Java System Web Server 7.0 Update 6; Sun Java System Web Server 7.0 Update 3; Sun Java System Web Server 7.0 Update 2; Sun Java System Web Server 7.0 Update 1
High (14)
HP.Power.Manager.FormExportDataLogs.Directory.Traversal (Event ID: 18222)
Release Date: Mar 16, 2010; IPS Definitions DB Version: 2.771
Description: This indicates an attack attempt against a directory traversal vulnerability in HP Power Manager. The vulnerability is caused by an error when the vulnerable software handles a specially crafted HTTP request. It allows a remote attacker to inject and execute arbitrary code.
Affected Products: HP Power Manager 4.2.9; HP Power Manager 4.2.7; HP Power Manager 4.0Build11; HP Power Manager 4.0Build10; HP Power Manager 0
IBM.Informix.librpc.DLL.Remote.Code.Execution (Event ID: 18254)
Release Date: Mar 18, 2010; IPS Definitions DB Version: 2.772
Description: This indicates an attack attempt against a buffer overflow vulnerability in IBM Informix. This issue is caused by an error when "librpc.dll" is parsing a malicious request packet from the client. It may allow remote attackers to execute arbitrary code on the vulnerable system.
Affected Products: IBM Informix
IBM.Portmapper.Service.librpc.DLL.Code.Execution (Event ID: 18255)
Release Date: Mar 18, 2010; IPS Definitions DB Version: 2.772
Description: This indicates an attack attempt against a buffer overflow vulnerability in IBM Informix and EMC NetWorker. This issue is caused by an error when "librpc.dll" is parsing a malicious request packet from the client. It may allow remote attackers to execute arbitrary code on the vulnerable system.
Affected Products: IBM Informix; EMC NetWorker
Jboss.Application.Server.Admin.Interface.Unauthorized.Access (Event ID: 18235)
Release Date: Mar 23, 2010; IPS Definitions DB Version: 2.773
Description: This indicates a possible attack against an unauthorized access vulnerability in JBoss Application Server, whose default configuration would allow access to the administrative interface.
Affected Products: JBoss Application Server
Kerberos.KDC.Cross.Realm.Referral.DoS (Event ID: 18089)
Release Date: Mar 25, 2010; IPS Definitions DB Version: 2.775
Description: This indicates an attack attempt against a denial of service vulnerability in MIT's Kerberos. The vulnerability is caused by a NULL pointer dereference error when the vulnerable software handles a specially crafted TGS request. It allows a remote attacker to cause a denial of service.
Affected Products: MIT Kerberos 5 1.7
Linux.Kernel.NFS.MKNOD.Request.Security.Bypass (Event ID: 18283)
Release Date: Mar 25, 2010; IPS Definitions DB Version: 2.775
Description: This indicates an attack attempt against a security bypass vulnerability in the Linux kernel. The vulnerability is caused by an error when the Linux kernel handles a specially crafted NFS request, MKNOD.
Affected Products: Linux kernel 2.6.28 8 and previous versions
MS.Office.PowerPoint.File.Path.Handling.Buffer.Overflow (Event ID: 18187)
Release Date: Mar 16, 2010; IPS Definitions DB Version: 2.771
Description: This indicates an attack attempt against a buffer overflow vulnerability in Microsoft Office PowerPoint. The vulnerability is caused by an error when the vulnerable software is handling a malformed ".ppt" file name. It may allow remote attackers to execute arbitrary code by sending a crafted PPT (.ppt) file.
Affected Products: Microsoft Office PowerPoint 2002 Service Pack 3
Novell.iManager.eDirectory.Plugin.Remote.Code.Execution (Event ID: 18107)
Release Date: Mar 25, 2010; IPS Definitions DB Version: 2.775
Description: This indicates an attack attempt against a buffer overflow vulnerability in the Novell iManager eDirectory plugin. The vulnerability is caused by an error when the vulnerable software handles specially crafted parameters. It allows a remote attacker to execute arbitrary code.
Affected Products: Novell iManager 2.7.2; Novell iManager 2.7.1; Novell iManager 2.5; Novell iManager 2.0.2; Novell iManager 2.0; Novell iManager 1.5; Novell iManager 2.7.0; Novell iManager 2.6.0
Novell.NetStorage.xsrvd.Long.Pathname.Code.Execution (Event ID: 18241)
Release Date: Mar 16, 2010; IPS Definitions DB Version: 2.771
Description: This indicates an attack attempt against a code execution vulnerability in Novell NetStorage xsrvd. The vulnerability is caused by an error when the vulnerable software handles a malicious long URI. It allows a remote attacker to execute arbitrary code by sending a crafted HTTP request.
Affected Products: Novell NetStorage; Novell NetWare 6.5 Support Pack 8; Novell Open Enterprise Server 2 (OES 2) Linux Support Pack 1; Novell Open Enterprise Server 2 (OES 2) Linux Support Pack 2
Opera.Content.Length.Header.Buffer.Overflow (Event ID: 18266)
Release Date: Mar 18, 2010; IPS Definitions DB Version: 2.772
Description: This indicates an attack attempt against an integer overflow vulnerability in Opera Web Browser. The vulnerability is caused by an error when the vulnerable software handles a malicious header property. It allows a remote attacker to execute arbitrary code by sending a crafted web request.
Affected Products: Opera Web Browser 10.50 and older versions
Orbital.Viewer.ORB.Buffer.Overflow (Event ID: 18271)
Release Date: Mar 25, 2010; IPS Definitions DB Version: 2.775
Description: This indicates an attack attempt against a buffer overflow vulnerability in Orbital Viewer. The vulnerability is caused by an error when the vulnerable software handles a malicious .orb file. It allows a remote attacker to execute arbitrary code by sending a crafted .orb file.
Affected Products: Orbital Viewer 1.04; other versions may also be affected.
ReGet.Deluxe.WJR.File.Buffer.Overflow (Event ID: 18284)
Release Date: Mar 25, 2010; IPS Definitions DB Version: 2.775
Description: This indicates an attack attempt against a buffer overflow vulnerability in ReGet Deluxe. The vulnerability is caused by an error when the vulnerable software handles a malicious .WJR file. It allows a remote attacker to execute arbitrary code by sending a crafted .WJR file.
Affected Products: ReGet Deluxe 5.2 build 330 and other versions
SIP.IRC.Bot.Detection (Event ID: 18262)
Release Date: Mar 18, 2010; IPS Definitions DB Version: 2.772
Description: This indicates detection of a SIP VoIP-IRC bot.
Affected Products: N/A
TippingPoint.IPS.Reverse.DNS.Lookup.Format.String (Event ID: 18259)
Release Date: Mar 18, 2010; IPS Definitions DB Version: 2.772
Description: This indicates an attack attempt against a format string vulnerability in TippingPoint IPS. This issue is caused by an error when the vulnerable device is parsing the "Domain name" field of the "Answers" part of the DNS response packet. It may allow remote attackers to execute arbitrary code on the vulnerable system.
Affected Products: TippingPoint IPS
Medium (9)
ActSoft.DVD.Tools.Buffer.Overflow (Event ID: 14387)
Release Date: Mar 25, 2010; IPS Definitions DB Version: 2.775
Description: This indicates a possible exploit of a buffer overflow vulnerability in the ActSoft DVD-Tools ActiveX control (dvdtools.ocx). This flaw is due to the application's failure to properly bounds-check user supplied data before copying it into an insufficiently sized memory buffer.
Affected Products: ActiveX Soft ActSoft DVD Tools 3.8.5
Asterisk.Remote.Unauthenticated.Heap.Overflow (Event ID: 18238)
Release Date: Mar 16, 2010; IPS Definitions DB Version: 2.771
Description: This indicates an attack attempt against a buffer overflow vulnerability in Asterisk. The vulnerability is caused by an error when the vulnerable software handles a malicious string. It allows a remote attacker to execute arbitrary code by sending a malicious request.
Affected Products: Asterisk 1.2.11 and earlier versions
Axigen.POP3.Service.Remote.Format.String (Event ID: 18239)
Release Date: Mar 16, 2010; IPS Definitions DB Version: 2.771
Description: This indicates an attack attempt against a remote format string vulnerability in the Axigen POP3 Service. The vulnerability is caused by an error when the vulnerable software handles malicious strings. It allows a remote attacker to execute arbitrary code by sending a malicious request.
Affected Products: Gecad Technologies Axigen Mail Server 2.0-beta1
CGI.Webmail.Headers.Buffer.Overflow (Event ID: 15481)
Release Date: Mar 23, 2010; IPS Definitions DB Version: 2.773
Description: This indicates an attack attempt against a buffer overflow vulnerability in NetWin SurgeMail. The vulnerability is caused by an error when the vulnerable software handles a specially crafted HTTP request with multiple long headers to webmail.exe. It allows a remote attacker to cause a denial of service and possibly execute arbitrary code.
Affected Products: NetWin SurgeMail 3.0 c2; NetWin SurgeMail 3.0 a; NetWin SurgeMail 2.2 g3; NetWin SurgeMail 2.2 g2; NetWin SurgeMail 2.2 c9; NetWin SurgeMail 2.2 c10; NetWin SurgeMail 2.2 a6; NetWin SurgeMail 2.1 c7; NetWin SurgeMail 2.1 a; NetWin SurgeMail 2.0 g2; NetWin SurgeMail 2.0 e; NetWin SurgeMail 2.0 c; NetWin SurgeMail 2.0 a2; NetWin SurgeMail 1.9 b2; NetWin SurgeMail 1.9; NetWin SurgeMail 1.8 g3; NetWin SurgeMail 1.8 e; NetWin SurgeMail 1.8 d; NetWin SurgeMail 1.8 b3; NetWin SurgeMail 1.8 a; NetWin SurgeMail 38k4; NetWin SurgeMail 3.8k; NetWin SurgeMail 3.8i3; NetWin SurgeMail 3.8i2; NetWin SurgeMail 3.8i; NetWin SurgeMail 3.8f3; NetWin SurgeMail 3.1s
Coppermine.Photo.Gallery.ThumbNails.PHP.SQL.Injection (Event ID: 18261)
Release Date: Mar 18, 2010; IPS Definitions DB Version: 2.772
Description: This indicates an attack attempt to exploit a SQL injection vulnerability in Coppermine Photo Gallery. The vulnerability is a result of the application's failure to properly sanitize user input before using it in a SQL query. As a result, a remote attacker can send a crafted query to execute SQL commands on a vulnerable server.
Affected Products: Coppermine Photo Gallery 1.3.1
IBM.DB2.Database.Server.SQL.REPEAT.Buffer.Overflow (Event ID: 18250)
Release Date: Mar 16, 2010; IPS Definitions DB Version: 2.771
Description: This indicates an attack attempt against a buffer overflow vulnerability in IBM DB2 Database Server. The vulnerability is caused by an error when the REPEAT function handles a specially crafted SQL query. It allows a remote attacker to execute arbitrary code.
Affected Products: IBM DB2 Universal Database 9.7.1; IBM DB2 Universal Database 9.7
MS.IIS.File.Fragment.Disclosure (Event ID: 18265)
Release Date: Mar 18, 2010; IPS Definitions DB Version: 2.772
Description: This indicates an attack attempt against a fragment disclosure vulnerability in IIS. The vulnerability is caused by an error when the vulnerable software handles a specially crafted URL. It allows a remote attacker to read the source code of executable web server programs by appending "%3F+.htr" to the requested URL.
Affected Products: Microsoft IIS 5.0; Microsoft IIS 4.0
Rdesktop.Remote.Memory.Corruption (Event ID: 18256)
Release Date: Mar 18, 2010; IPS Definitions DB Version: 2.772
Description: This indicates an attack attempt against a buffer overflow vulnerability in Rdesktop. The vulnerability is caused by an error when the vulnerable client handles a malicious request. It allows a remote attacker to execute arbitrary code by sending a crafted request.
Affected Products: Rdesktop 1.5.0 and earlier versions
TippingPoint.Web.Interface.Reverse.DNS.Lookup.XSS (Event ID: 18258)
Release Date: Mar 18, 2010; IPS Definitions DB Version: 2.772
Description: This indicates an attack attempt against a Cross Site Scripting vulnerability in the TippingPoint Web Interface. This issue is caused by an error when the vulnerable device is parsing the "Domain name" field of the "Answers" part of the DNS response packet. It may allow remote attackers to inject arbitrary script code into the vulnerable system.
Affected Products: TippingPoint Web Interface
Low (1)
CGI.CHETCPASSWD.Shadow.File.Disclosure (Event ID: 10825)
Release Date: Mar 24, 2010; IPS Definitions DB Version: 2.774
Description: This indicates that a malicious attacker tried to gain information through a vulnerability in chetcpasswd.cgi. If a malicious user sends an overly long URI string to chetcpasswd.cgi, it is possible that the tail end of the local shadow file may be exposed.
Affected Products: CHETCPASSWD 1.12
The FortiGuard Threat Research team updates security content as new vectors of exploitation are discovered. The table below details the security content enhanced with this release.
Critical (47)
High (43)
Medium (21)
Low (2)
| Event Name | Revision Notes |
|---|---|
| Golden.FTPD.APPE.Stack.Overflow | Default_action updated to 'drop' |
| IBM.Tivoli.Directory.Server.LDAP.DoS | Default_action updated to 'drop' |
The FortiGuard Threat Research team uses globally distributed probes to monitor exploit activity. Vulnerabilities can be classified as active and given a magnitude level. The magnitude level is the rate of activity across the probes. The value of the magnitude is set to low, medium or high.
The table below lists the vulnerabilities discussed in this bulletin (specifically new and enhanced detection) and their corresponding exploit activity magnitude. The data below is as of this writing.
Critical (5 of 25)
High (2 of 30)
Medium (4 of 13)
| Event Name | Active Exploitation Observed | Magnitude |
|---|---|---|
| ActSoft.DVD.Tools.Buffer.Overflow | No | n/a |
| Asterisk.Remote.Unauthenticated.Heap.Overflow | No | n/a |
| Axigen.POP3.Service.Remote.Format.String | No | n/a |
| CA.License.GETCONFIG.Buffer.Overflow | Yes | Low |
| CGI.Webmail.Headers.Buffer.Overflow | No | n/a |
| Coppermine.Photo.Gallery.ThumbNails.PHP.SQL.Injection | No | n/a |
| IBM.DB2.Database.Server.SQL.REPEAT.Buffer.Overflow | No | n/a |
| McAfee.NeoTrace.ActiveX.Control.Buffer.Overflow | No | n/a |
| MS.IIS.File.Fragment.Disclosure | No | n/a |
| MS.SMB.Server.servername.DoS | Yes | Medium |
| Novell.NetMail.WebAdmin.Username.Buffer.Overflow | Yes | Low |
| Rdesktop.Remote.Memory.Corruption | No | n/a |
| TippingPoint.Web.Interface.Reverse.DNS.Lookup.XSS | Yes | Low |
Low (1 of 1)
| Event Name | Active Exploitation Observed | Magnitude |
|---|---|---|
| CGI.CHETCPASSWD.Shadow.File.Disclosure | Yes | Low |
| Revision Date | Version Number | Notes |
|---|---|---|
| Monday, March 29, 2010 | 1 | Initial Documentation. |
About Fortinet (www.fortinet.com)
Fortinet is the pioneer and leading provider of ASIC-accelerated unified threat management, or UTM, security systems, which are used by enterprises and service providers to increase their security while reducing total operating costs. Fortinet solutions were built from the ground up to integrate multiple levels of security protection (including firewall, antivirus, intrusion prevention, VPN, spyware prevention and anti-spam) designed to help customers protect against network and content level threats. Leveraging a custom ASIC and unified interface, Fortinet solutions offer advanced security functionality that scales from remote office to chassis-based solutions with integrated management and reporting. Fortinet solutions have won multiple awards around the world and are the only security products that are certified in six programs by ICSA Labs (Firewall, Antivirus, IPSec, SSL, Network IPS, and Anti-Spyware). Fortinet is privately held and based in Sunnyvale, California.
Disclaimer
Although Fortinet has attempted to provide accurate information in these materials, Fortinet assumes no legal responsibility for the accuracy or completeness of the information. Please note that no Fortinet statements herein constitute or contain any guarantee, warranty or legally binding representation. All materials contained in this publication are subject to change without notice, and Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice.