Vulnerabilities plague Sophos and McAfee products
Security holes have been found in products from Sophos and McAfee, the French Security Incident Response Team (FrSIRT) said in two advisories Wednesday.
The first advisory concerns a critical flaw in multiple Sophos Anti-Virus products, which attackers could exploit to launch malicious code. "This flaw is due to a heap overflow error when analyzing malformed files, which may be exploited by an unauthenticated remote attacker to execute arbitrary commands by sending an e-mail containing a specially crafted attachment to a vulnerable system," the advisory said.
This affects Sophos Anti-Virus versions prior to 3.96.0 on Windows, Unix, NetWare, OS/2 and OpenVMS; Sophos Anti-Virus versions prior to 4.5.4 on all platforms; and Sophos Anti-Virus Small Business Edition.
Users who upgrade to Sophos Anti-Virus versions 3.96.0 or 4.5.4 will be protected. Sophos is expected to have Anti-Virus Small Business Edition updated by Friday.
The second advisory concerns a vulnerability in the McAfee WebShield Appliance, which attackers could exploit to gain unauthorized access. "This flaw is due to a design error where it is possible to login to the user interface with a user name and default password which is not the 'Webshield' default," the advisory said. This affects McAfee WebShield e250 version 3.0. Users should upgrade to McAfee WebShield appliance version 3.0 HF244508, FrSIRT said.
Flaw found in Opera browser
Attackers could exploit a vulnerability in Opera to trick users into executing malicious files, Danish security firm Secunia said in an advisory.
"The vulnerability is caused due to an error in the handling of extended ASCII codes in the download dialog," the firm said. "This can be exploited to spoof the file extension in the file download dialog via a specially crafted 'Content-Disposition' HTTP header. Successful exploitation may result in users being tricked into executing a malicious file via the download dialog, but requires that the 'Arial Unicode MS' font (ARIALUNI.TTF) has been installed on the system."
Secunia noted that the "Arial Unicode MS" font is installed with various Microsoft Office distributions. The flaw was confirmed in version 8.01 and other versions may also be affected. Users are advised to upgrade to version 8.02.
Security hole in Lotus Domino
Attackers could obtain users' password hashes, change dates and other sensitive information by exploiting a security hole in IBM Lotus Domino. The problem, IBM said in an advisory, is that the Webmail component includes a user's password information in HTML hidden fields when the user's entry is viewed in the public address book. Attackers could access other users' password hashes, password change dates, and other sensitive information by viewing the HTML source code. This affects versions 5.0, 6.0, and 6.5. One solution is to reconfigure Domino so it will store users' passwords using salted hashes and not include users' password hashes in HTML hidden fields.
Vulnerability in SAP
Attackers can access sensitive information by exploiting a vulnerability in SAP, the British-based National Infrastructure Security Co-Ordination Centre [NISCC] warned in an advisory. SAP prior to version 6.40 Patch 11 is affected.
The vulnerability is related to how the Internet Graphics Server (IGS) validates document paths. The Internet Graphics Server (IGS) is a subcomponent of the SAP R/3 enterprise environment, which is also accessible over HTTP and contains minimal Web server functionality, the advisory said, adding, "By entering an HTTP document path that incorporates a directory traversal sequence to the IGS product, it is possible to access documents outside of the Web root with the privileges of the user that was used to start the IGS service." The solution is to update to version 6.40 Patch 11 or later.
Multiple flaws plague Ethereal
Attackers could exploit security holes in Ethereal open source network monitoring software to crash machines or run malicious code. An advisory on Ethereal.com said the flaws affect versions 0.8.5 up to and including 0.10.11.
"Several dissectors were susceptible to a format string overflow," the advisory said. Ethereal uses the zlib compression library and flaws have been discovered in zlib 1.2.1 and 1.2.2, the advisory noted. The Windows installer now ships with zlib 1.2.3, which fixes the vulnerabilities.
On vulnerable systems, the advisory said, "It may be possible to make Ethereal crash, use up available memory, or run arbitrary code by injecting a purposefully malformed packet onto the wire or by convincing someone to read a malformed packet trace file." Users are advised to upgrade to 0.10.12. "Due to the severity and scope of the defects that have been discovered, no workaround is available," the advisory said.
Programming error affects Ipsec
Attackers could exploit a flaw in IPsec to gain extra user privileges or access sensitive information, according to an advisory from The FreeBSD Project. FreeBSD 5.3 and 5.4 are affected.
"A programming error in the implementation of the AES-XCBC-MAC algorithm for authentication resulted in a constant key being used instead of the key specified by the system administrator," the advisory said. If the AES-XCBC-MAC algorithm is used for authentication in the absence of any encryption, an attacker may be able to forge packets that appear to originate from a different system and thereby succeed in establishing an IPsec session."
The advisory added, "If access to sensitive information or systems is controlled based on the identity of the source system, this may result in information disclosure or privilege escalation."
As a workaround, the advisory recommended the AES-XCBC-MAC algorithm not be used for authentication, or that it be used together with some form of IPsec encryption.
The advisory also outlines patches that are available.
Qualys offers free security scanning
Redwood Shores, Calif.-based security firm Qualys Inc. is offering a free network scanning service to help companies find and eliminate vulnerabilities listed in the SANS Top 20 second quarterly update.
"During the second quarter of 2005, more than 422 new security vulnerabilities were identified as targets for attack, an increase of 10.8% from the first quarter of 2005," the firm said in a statement. "Included in this list are new exposures in popular back-up products from Symantec/Veritas and Computer Associates as well as vulnerabilities in iTunes, RealPlayer, and Microsoft Internet Explorer." The full SANS report can be accessed here.