The FortiGuard Global Threat Research Team has released new security content to cover multiple vulnerabilities. The FortiGuard Team has observed 41 active exploitations of these vulnerabilities to date.
For more information, visit the FortiGuard Center at www.fortiguardcenter.com.
Fortinet provides coverage for the vulnerabilities described below as of the 2.816 IPS Definitions database update. A brief description of each vulnerability is provided as follows, in order of severity.
Critical ( 7 )
Event Name: Adobe.Photoshop.Style.Layer.Code.Execution
Event ID: 23036
Release Date: May 20, 2010
IPS Definitions DB Version: 2.812
Description: This indicates an attempt to exploit a remote code-execution vulnerability in Adobe Photoshop. The vulnerability is caused by an error that occurs when parsing a crafted .ASL, .ABR, or .GRD file. A remote attacker may exploit this to execute arbitrary code.
Affected Products: Adobe Photoshop CS4 version 11.0.1 and earlier for Windows and Macintosh
Reference IDs:
Event Name: Apple.Safari.HTML.Image.Element.Handling.Use.After.Free
Event ID: 22920
Release Date: May 20, 2010
IPS Definitions DB Version: 2.812
Description: This indicates an attack attempt against a memory-corruption vulnerability in Apple Safari. The vulnerability is caused by a use-after-free error when the vulnerable software handles a specially crafted HTML image element. It allows a remote attacker to execute arbitrary code.
Affected Products: Apple Safari 4.0.4 for Windows, Apple Safari 4.0.4, Apple Safari 4.0.3 for Windows, Apple Safari 4.0.3, Apple Safari 4.0.2 for Windows, Apple Safari 4.0.2, Apple Safari 4.0.1, Apple Safari 4 for Windows, Apple Safari 4 Beta, Apple Safari 4
Reference IDs:
Event Name: Apple.Safari.Parent.Close.Code.Execution
Event ID: 22936
Release Date: May 27, 2010
IPS Definitions DB Version: 2.814
Description: This indicates an attack attempt against a code-execution vulnerability in Apple Safari. The vulnerability is caused by an error when the vulnerable software handles malicious JavaScript. It allows a remote attacker to execute arbitrary code by sending a crafted web page that entices the user to close popup windows.
Affected Products: Apple Safari 4.x
Reference IDs:
Event Name: Apple.Safari.Right-to-Left.Text.Rendering.Use.After.Free
Event ID: 22919
Release Date: May 20, 2010
IPS Definitions DB Version: 2.812
Description: This indicates an attack attempt against a memory-corruption vulnerability in Apple Safari. The vulnerability is caused by a use-after-free error when the vulnerable software handles a specially crafted HTML element containing right-to-left displayed text. It allows a remote attacker to execute arbitrary code.
Affected Products: Apple Safari 4.0.4 for Windows, Apple Safari 4.0.4, Apple Safari 4.0.3 for Windows, Apple Safari 4.0.3, Apple Safari 4.0.2 for Windows, Apple Safari 4.0.2, Apple Safari 4.0.1, Apple Safari 4 for Windows, Apple Safari 4 Beta, Apple Safari 4
Reference IDs:
Event Name: Crystal.Reports.Path.Traversal
Event ID: 12741
Release Date: Jun 03, 2010
IPS Definitions DB Version: 2.816
Description: This indicates an attempt to exploit an input validation vulnerability in Business Objects' Crystal Reports. Crystal Reports is a reporting and data presentation solution from Business Objects. The web presentation component renders the requested report into HTML documents delivered to the end user through a web server. It is reported that a directory traversal vulnerability in the software allows an attacker to retrieve and delete files, allowing for information disclosure and denial of service attacks.
Affected Products: Crystal Reports and Enterprise versions 9 and 10 are vulnerable.
Reference IDs:
Event Name: MS.SMB.Client.Transaction.Code.Execution
Event ID: 20904
Release Date: May 25, 2010
IPS Definitions DB Version: 2.813
Description: This indicates an attack attempt against a code-execution vulnerability in the Microsoft SMB Client. The vulnerability is caused by an error when the vulnerable software handles a malicious SMB response. It allows a remote attacker to execute arbitrary code by sending a crafted SMB response.
Affected Products: Windows 7 for 32-bit Systems, Windows 7 for x64-based Systems, Windows Server 2008 R2 for x64-based Systems*, Windows Server 2008 R2 for Itanium-based Systems
Reference IDs:
Event Name: Novell.ZENworks.Server.UploadServlet.Code.Execution
Event ID: 21403
Release Date: May 27, 2010
IPS Definitions DB Version: 2.814
Description: This indicates an attempt to exploit a code-execution vulnerability in Novell ZENworks. The vulnerability is caused by an error when the ZENworks Server handles a malicious file upload request passed to UploadServlet. It allows a remote attacker to upload arbitrary files and execute arbitrary code by sending a crafted HTTP POST request.
Affected Products: Novell ZENworks 10
Reference IDs:
High ( 7 )
Event Name: Cisco.IOS.Firewall.Authentication.Proxy.Buffer.Overflow
Event ID: 23033
Release Date: Jun 03, 2010
IPS Definitions DB Version: 2.816
Description: This indicates an attack attempt against a buffer-overflow vulnerability in Cisco IOS Firewall Authentication Proxy. The vulnerability is caused by an error when the vulnerable software handles a specially crafted user authentication credential. It allows a remote attacker to cause a denial of service and possibly execute arbitrary code.
Affected Products: Cisco IOS 12.2ZH, Cisco IOS 12.2ZL, Cisco IOS 12.3, Cisco IOS 12.3T, Cisco IOS 12.4, Cisco IOS 12.4T
Reference IDs:
Event Name: Jboss.Java.Class.DeploymentFileRepository.Directory.Traversal
Event ID: 22981
Release Date: May 25, 2010
IPS Definitions DB Version: 2.813
Description: This indicates a possible attack against a directory-traversal vulnerability in the DeploymentFileRepository class in JBoss Application Server which, if successfully exploited, could allow remote authenticated users to read, modify, or delete arbitrary files.
Affected Products: JBoss Application Server 3.2.4 through 4.0.5
Reference IDs:
Event Name: Liquid.XML.Studio.LtXmlComHelp8.DLL.ActiveX.OpenFile.Access
Event ID: 22910
Release Date: May 27, 2010
IPS Definitions DB Version: 2.814
Description: This indicates an attack attempt against a buffer-overflow vulnerability in the Liquid XML Studio software. The vulnerability is caused by an error when the vulnerable software handles a specially crafted web page. It allows a remote attacker to execute arbitrary code.
Affected Products: Liquid Technologies LtXmlComHelp8 ActiveX Control 8.061970 and previous versions; Liquid XML Studio 8.061970 and previous versions
Reference IDs:
Event Name: MS.IE.AxDebugger.Document.1.ActiveX.Control.Access
Event ID: 23029
Release Date: Jun 03, 2010
IPS Definitions DB Version: 2.816
Description: This indicates an attempt to exploit a buffer-overflow vulnerability in Microsoft Internet Explorer. The vulnerability is caused by an error in the "AxDebugger.Document.1" ActiveX control. It may allow remote attackers to execute arbitrary code in the context of the application using the affected ActiveX control. Failed exploit attempts will likely cause the program to crash, resulting in a denial-of-service condition.
Affected Products: Microsoft Internet Explorer
Event Name: RealNetworks.AgentX.Stack.Overflow
Event ID: 22929
Release Date: May 25, 2010
IPS Definitions DB Version: 2.813
Description: This indicates an attack attempt against a stack-based buffer overflow vulnerability in AgentX++, which could allow remote attackers to execute arbitrary code.
Affected Products: RealNetworks Helix Server, Helix Mobile Server 11.x through 13.x
Reference IDs:
Event Name: Trojan.Downloading
Event ID: 22862
Release Date: May 25, 2010
IPS Definitions DB Version: 2.813
Description: This indicates detection of an attempt by an infected computer to download a trojan from certain web sites.
Affected Products: Any Windows platform
Event Name: ZipScan.Archive.Path.Buffer.Overflow
Event ID: 22983
Release Date: May 25, 2010
IPS Definitions DB Version: 2.813
Description: This indicates an attack attempt against a buffer-overflow vulnerability in ZipScan. The vulnerability is caused by an error when the vulnerable software handles a malicious .zip file. It allows a remote attacker to execute arbitrary code by sending a crafted .zip file.
Affected Products: ZipScan 2.x
Reference IDs:
Medium ( 11 )
Event Name: Cisco.Linksys.WRH54G.HTTP.Interface.DoS
Event ID: 23038
Release Date: Jun 03, 2010
IPS Definitions DB Version: 2.816
Description: This indicates an attack attempt against a denial-of-service vulnerability in the HTTP service on the Cisco Linksys WRH54G. The vulnerability is caused by an error when the vulnerable software handles a specially crafted URI. It allows a remote attacker to cause a denial of service.
Affected Products: Linksys WRH54G 1.01.03 and prior versions
Reference IDs:
Event Name: Colloquy.INVITE.Request.Remote.Format.String
Event ID: 23065
Release Date: Jun 03, 2010
IPS Definitions DB Version: 2.816
Description: This indicates an attack attempt against a format-string vulnerability in Colloquy. The vulnerability is caused by an error when the vulnerable software handles a specially crafted INVITE request. It allows a remote attacker to cause a denial of service.
Affected Products: Colloquy; Colloquy 2.1 (3545)
Reference IDs:
Event Name: Exim.Verification.Header.Buffer.Overflow
Event ID: 13335
Release Date: May 20, 2010
IPS Definitions DB Version: 2.812
Description: This indicates an attack attempt against a stack-based buffer overflow vulnerability in Exim. A remote attacker can execute arbitrary code on the system with the privileges of the Exim service by sending a malicious e-mail. Exploitation depends on the "verify = header_syntax" setting in the exim.conf configuration file, which is not the default setting.
Affected Products: Exim 3.35, and other versions before 4
Reference IDs:
Event Name: Linux.Kernel.Sctp_rcv_ootb.Remote.DoS
Event ID: 22915
Release Date: May 27, 2010
IPS Definitions DB Version: 2.814
Description: This indicates an attack attempt against a denial-of-service vulnerability in the Linux kernel. The vulnerability is caused by an error when the vulnerable software handles a specially crafted Stream Control Transmission Protocol (SCTP) request. It allows a remote attacker to cause an infinite loop, resulting in denial of service.
Affected Products: Linux kernel 2.6.23-rc2 and previous versions
Reference IDs:
Event Name: MS.IE.DirectAnimation.DAUserData.ActiveX.Control.Acess
Event ID: 23067
Release Date: Jun 03, 2010
IPS Definitions DB Version: 2.816
Description: This indicates an attempt to exploit a denial-of-service vulnerability in Microsoft Internet Explorer. The vulnerability is located in the "DirectAnimation.DAUserData" ActiveX control through misuse of the "Data" property. It may allow remote attackers to crash the application using the affected ActiveX control.
Affected Products: Microsoft Internet Explorer 6.0 SP1, Microsoft Internet Explorer 6.0
Reference IDs:
Event Name: MS.IE.HtmlDlgSafeHelper.ActiveX.Control.BlockFormats.Access
Event ID: 23066
Release Date: Jun 03, 2010
IPS Definitions DB Version: 2.816
Description: This indicates an attempt to exploit a denial-of-service vulnerability in Microsoft Internet Explorer. The vulnerability is located in the "HtmlDlgSafeHelper.HtmlDlgSafeHelper.1" ActiveX control through misuse of the "BlockFormats" property. It may allow remote attackers to crash the application using the affected ActiveX control.
Affected Products: Microsoft Internet Explorer 6.0 SP1, Microsoft Internet Explorer 6.0
Event Name: MS.IE.Internet.PopupMenu.RemoveItem.DoS
Event ID: 23030
Release Date: Jun 03, 2010
IPS Definitions DB Version: 2.816
Description: This indicates a possible attack against a denial-of-service vulnerability in Microsoft Internet Explorer, which could be exploited by downloading a malicious web page.
Affected Products: Microsoft Internet Explorer, versions unclear.
Event Name: MS.IE.Microsoft.ISCatAdm.ActiveX.Control.Access
Event ID: 23062
Release Date: Jun 03, 2010
IPS Definitions DB Version: 2.816
Description: This indicates an attempt to exploit a denial-of-service vulnerability in Microsoft Internet Explorer. The vulnerability is caused by an error in the "Microsoft.ISCatAdm" ActiveX control. It may allow remote attackers to crash the application using the affected ActiveX control.
Affected Products: Microsoft Internet Explorer 6.0
Reference IDs:
Event Name: MS.IE.TSUserEX.DLL.ActiveX.Control.Access
Event ID: 23068
Release Date: Jun 03, 2010
IPS Definitions DB Version: 2.816
Description: This indicates an attempt to exploit a denial-of-service vulnerability in Microsoft Internet Explorer. The vulnerability is caused by an error in the "tsuserex.dll" ActiveX control. It may allow remote attackers to crash the application using the affected ActiveX control.
Affected Products: Microsoft Internet Explorer 6.0 SP1
Reference IDs:
Event Name: MS.IE6.NMSA.ASFSourceMediaDescription.ActiveX.Control.Access
Event ID: 23059
Release Date: Jun 03, 2010
IPS Definitions DB Version: 2.816
Description: This indicates an attempt to exploit a denial-of-service vulnerability in Microsoft Internet Explorer. The vulnerability is located in the "NMSA.ASFSourceMediaDescription.1" ActiveX control through misuse of the "dispValue" property. It may allow remote attackers to crash the application using the affected ActiveX control.
Affected Products: Microsoft Internet Explorer 6.0 SP1, Microsoft Internet Explorer 6.0
Reference IDs:
Event Name: MS.Windows.Explorer.WMF.File.Handling.DoS
Event ID: 23032
Release Date: Jun 03, 2010
IPS Definitions DB Version: 2.816
Description: This indicates an attack attempt against a denial-of-service vulnerability in Microsoft Windows Explorer. The vulnerability is caused by an error when the vulnerable software handles a specially crafted WMF file. It allows a remote attacker to cause a denial of service (crash).
Affected Products: Microsoft Windows XP Tablet PC Edition SP2, Microsoft Windows XP Tablet PC Edition SP1, Microsoft Windows XP Tablet PC Edition, Microsoft Windows XP Professional SP2, Microsoft Windows XP Professional SP1, Microsoft Windows XP Professional, Microsoft Windows XP Media Center Edition SP2, Microsoft Windows XP Media Center Edition SP1, Microsoft Windows XP Media Center Edition, Microsoft Windows XP Home SP2, Microsoft Windows XP Home SP1, Microsoft Windows XP Home, Microsoft Windows Server 2003 Web Edition SP1, Microsoft Windows Server 2003 Web Edition, Microsoft Windows Server 2003 Standard Edition SP1, Microsoft Windows Server 2003 Standard Edition, Microsoft Windows Server 2003 Enterprise Edition SP1, Microsoft Windows Server 2003 Enterprise Edition, Microsoft Windows Server 2003 Datacenter Edition SP1, Microsoft Windows Server 2003 Datacenter Edition
Reference IDs:
Low ( 2 )
Event Name: Apple.Safari.File.URL.DoS
Event ID: 23034
Release Date: Jun 03, 2010
IPS Definitions DB Version: 2.816
Description: This indicates a possible attack against a NULL-pointer-dereference vulnerability in Apple Safari which could lead to a denial of service.
Affected Products: Apple Safari 3.1.1
Reference IDs:
Event Name: IMAP.APPEND.Command.Buffer.Overflow
Event ID: 23061
Release Date: Jun 03, 2010
IPS Definitions DB Version: 2.816
Description: This indicates an attack attempt against a buffer-overflow vulnerability in the IMAP service in NetWin SurgeMail. The vulnerability is caused by an error when the vulnerable software handles a specially crafted, overly long argument to the APPEND command. It allows a remote attacker to cause a denial of service (crash) and possibly execute arbitrary code.
Affected Products: NetWin SurgeMail 3.9e
Reference IDs:
The FortiGuard Threat Research team updates security content as new vectors of exploitation are discovered. The table below details the security content enhanced with this release.
Critical ( 28 )
High ( 22 )
| Event Name | Revision Notes |
|---|---|
| Adobe.Shockwave.Player.Parsing.Dir.File.Buffer.Overflow | Previous name: "Adobe.Shockware.Player.Parsing.Dir... |
| Cisco.WebEx.Atucfobj.NewObject.Method.ActiveX.Access | Previous name: "WebEx.Meeting.Manager.Atucfobj.New... |
| EbCrypt.ActiveX.Control.SaveToFile.Arbitrary.File.Overwrite | Detection Enhanced |
| FTP.Command.DELE.Overflow | Previous name: "Overflow.DELE" |
| FTP.User.ADMw0rm | Previous name: "ADMw0rm" |
| MS.IIS.Escape.Command | Previous name: "Escape.Command" |
| Novell.GroupWise.Accept.Language.Buffer.Overflow | Previous name: "Novell.Groupwise.Accept.Language.B... |
| Novell.GroupWise.WebAccess.Base64.Decoding.Buffer.Overflow | Previous name: "Novell.Groupwise.WebAccess.Base64.... |
| Novell.ZENworks.Management.Remote.Overflow | Previous name: "ZENworks.Management.Remote.Overflo... |
| Nullsoft.Winamp.MP4.File.Parsing.Buffer.Overflow | Previous name: "Winamp.MP4.File.Parsing.Buffer.Ove... |
| Oracle.Java.Soundbank.Resource.Name.Buffer.Overflow | Detection Enhanced |
| Oracle.Reports.Servlet.Command.Execution | Previous name: "Oracle.Reports.Servlet.Command.Exe... |
| Oracle9i.PLSQL.Buffer.Overflow | Previous name: "Oracle9i.PLSQL.BufferOverflow" |
| RealNetworks.AgentX.Stack.Overflow | Detection Enhanced |
| RealNetworks.RealPlayer.SMIL.Buffer.Overflow | Previous name: "RealPlayer.SMIL.BufferOverflow" |
| Skype.Buffer.Overflow | Previous name: "Skype.BufferOverflow" |
| Squid.Proxy.WCCP.RecvFrom.Buffer.Overflow | Detection Enhanced |
| Subversion.WebDAV.REPORT.Query.Buffer.Overflow | Previous name: "Subversion.WebDav.REPORT.Query.Buf... |
| Sun.Application.Server.Error.Message.XSS | Previous name: "SUN.Application.Server.Error.Messa... |
| Sun.Solaris.Print.Operand.Buffer.Overflow | Previous name: "SUN.Solaris.Print.Operand.Buffer.O... |
| Sun.Solaris.X86.NLPS.Buffer.Overflow | Previous name: "Solaris.X86.NLPS.Buffer.Overflow" |
| Veritas.Backup.Exec.Registry.Access | Previous name: "VERITAS.Backup.Exec.Registry.Acces... |
Medium ( 16 )
| Event Name | Revision Notes |
|---|---|
| FTP.Command.RETR.Conversion | Previous name: "RETR.Conversion" |
| FTP.GET.File.ID.DIZ | Previous name: "File.ID.DIZ" |
| FTP.ISS.Password | Previous name: "Pass.ISS" |
| IBM.Lotus.Domino.Web.Server.DoS | Default_action updated to 'pass'; Detection Enhanced |
| OpenX.PHP.Upload.Code.Execution | Group updated to 'applications3'; Detection Enhanced |
| RealNetworks.RealPlayer.ParseWallClockValue.Buffer.Overflow | Previous name: "RealPlayer.ParseWallClockValue.Fun... |
| RealNetworks.RealPlayer.RealMedia.Security.Bypass | Default_action updated to 'pass'; Previous name: "RealPlayer.RealMedia.Security.Bypa... |
| RealNetworks.RealPlayer.Remoc3260.dll.Insecure.Method.Access | Previous name: "RealPlayer.Remoc3260.dll.Insecure.... |
| Sun.Solaris.lpd.Remote.Command.Execution | Previous name: "Solaris.lpd.Remote.Command.Executi... |
| Telnet.Authentication.Bypass | Previous name: "TELNET.Authentication.Bypass" |
| TFTP.GET.Admin.Dll | Previous name: "GET.Admin.dll" |
| TFTP.GET.Passwd | Previous name: "TFPT.Command.GET.passwd.File.Trans... |
| TFTP.GET.Shadow | Previous name: "GET.shadow" |
| TrackerCam.PHP.Argument.Buffer.Overflow | Previous name: "TrackerCam.PHP.Argument.BufferOver... |
| Trend.Micro.OfficeScan.Unauthenticated.Usage | Previous name: "TrendMicro.OfficeScan.Unauthentica... |
| Trend.Micro.VirusWall.FtpSave.dll.Access | Previous name: "TrendMicro.VirusWall.FtpSave.dll.A... |
Low ( 11 )
| Event Name | Revision Notes |
|---|---|
| FTP.ADMhack.Password | Previous name: "Pass.ADM" |
| FTP.LIST.Directory.Traversal | Previous name: "LIST.DirectoryTraversal" |
| FTP.RETR.2xBSDot | Previous name: "RNFR.2xBSDot" |
| FTP.RETR.PASSWD | Previous name: "RETR.PASSWD" |
| IBM.WebSphere.Net.Commerce.DoS | Previous name: "IBM.Websphere.Net.Commerce.DoS" |
| McAfee.FreeScan.Info.Disclosure | Previous name: "Mcafee.FreeScan.Info.Disclosure" |
| MS.IE.CCRP.BrowseDialog.DoS | Detection Enhanced |
| Oracle.9i.Application.Server.Web.Cache.Administration.DoS | Detection Enhanced |
| SilverPlatter.WebSPIRS.Directory.Traversal | Previous name: "SilverPlatter.WebSPIRS.DirectoryTr... |
| Sun.Solaris.Kodak.KCMS.Directory.Traversal | Previous name: "SUN.Solaris.Kodak.KCMS.Directory.T... |
| Sun.Solaris.LPD.Arbitrary.File.Delete | Previous name: "SUN.Solaris.LPD.Arbitrary.File.Del... |
Info ( 4 )
| Event Name | Revision Notes |
|---|---|
| FTP.authorized_keys.File.Transfer | Previous name: "Command.AuthorizedKeys" |
| FTP.Command.CWD | Previous name: "WAREZ.CWD" |
| FTP.Command.MKD | Previous name: "WAREZ.MKD" |
| Oracle9i.PLSQL.Directory.Traversal | Previous name: "Oracle9i.PLSQL.DirectoryTraversal"; Severity updated to 'info'; Severity updated to 'medium' |
The FortiGuard Threat Research team uses globally distributed probes to monitor exploit activity. Vulnerabilities can be classified as active and given a magnitude level. The magnitude level is the rate of activity across the probes. The value of the magnitude is set to low, medium or high.
The table below lists the vulnerabilities discussed in this bulletin (specifically new and enhanced detection) and their corresponding exploit activity magnitude. The data below is as of this writing.
Critical ( 5 of 17 )
High ( 2 of 10 )
Medium ( 2 of 13 )
Low ( 0 of 4 )
| Event Name | Active Exploitation Observed | Magnitude |
|---|---|---|
| Apple.Safari.File.URL.DoS | No | n/a |
| IMAP.APPEND.Command.Buffer.Overflow | No | n/a |
| MS.IE.CCRP.BrowseDialog.DoS | No | n/a |
| Oracle.9i.Application.Server.Web.Cache.Administration.DoS | No | n/a |
| Revision Date | Version Number | Notes |
|---|---|---|
| Monday, June 07, 2010 | 1 | Initial Documentation. |
About Fortinet ( www.fortinet.com )
Fortinet is the pioneer and leading provider of ASIC-accelerated unified threat management, or UTM, security systems, which are used by enterprises and service providers to increase their security while reducing total operating costs. Fortinet solutions were built from the ground up to integrate multiple levels of security protection (including firewall, antivirus, intrusion prevention, VPN, spyware prevention and anti-spam) designed to help customers protect against network and content level threats. Leveraging a custom ASIC and unified interface, Fortinet solutions offer advanced security functionality that scales from remote office to chassis-based solutions with integrated management and reporting. Fortinet solutions have won multiple awards around the world and are the only security products that are certified in six programs by ICSA Labs (Firewall, Antivirus, IPSec, SSL, Network IPS, and Anti-Spyware). Fortinet is privately held and based in Sunnyvale, California.
Disclaimer
Although Fortinet has attempted to provide accurate information in these materials, Fortinet assumes no legal responsibility for the accuracy or completeness of the information. Please note that no Fortinet statements herein constitute or contain any guarantee, warranty or legally binding representation. All materials contained in this publication are subject to change without notice, and Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice.