Monthly archives "February 2012"

libpng security vulnerability allows execution of arbitrary code

The libpng packages contain a library of functions for creating and manipulating PNG (Portable Network Graphics) image format files. A flaw was discovered in libpng that could result in libpng trying to free() random memory if certain, unlikely error conditions occurred. If a carefully-crafted PNG file was loaded by an application linked against libpng, it could cause the application to crash or, potentially, execute arbitrary code with the privileges of the user running the application. A flaw was discovered in the way libpng handled PNG images containing “unknown” chunks. If an application linked against libpng attempted to process a malformed, unknown chunk in a malicious PNG image, it could cause the application to crash.

Jueri Aedla discovered this integer overflow in the popular libpng PNG library. This affects all software and applications that depend on libpng. This includes several web browsers and several server side applications. All running applications using libpng or libpng10 must be restarted for the update to take effect.

Debian Advisory

Package : libpng
Vulnerability : integer overflow
Problem type : remote
Debian-specific: no
CVE ID : CVE-2011-3026
Description : Heap-buffer-overflow in png_decompress_chunk (MFSA 2012-11)

Red Hat Advisory

Package: libpng*
Advisory: RHSA-2012:0317-1
Type: Security Advisory
Severity: Important
Issued on: 2012-02-20
Last updated on: 2012-02-20

Ubuntu Security Advisory USN-1361-1: Linux kernel vulnerabilities

Ubuntu Security Notice USN-1361-1

13th February, 2012

linux vulnerabilities

A security issue affects these releases of Ubuntu and its
derivatives:

  • Ubuntu 10.10

Summary

Several security issues were fixed in the kernel.

Software description

  • linux
    – Linux kernel

Details

Han-Wen Nienhuys reported a flaw in the FUSE kernel module. A local user
who can mount a FUSE file system could cause a denial of service.
(CVE-2011-3353)

A flaw was found in KVM's Programmable Interval Timer (PIT). When a virtual
interrupt control is not available a local user could use this to cause a
denial of service by starting a timer. (CVE-2011-4622)

A flaw was discovered in the XFS filesystem. If a local user mounts a
specially crafted XFS image it could potentially execute arbitrary code on
the system. (CVE-2012-0038)

Chen Haogang discovered an integer overflow that could result in memory
corruption. A local unprivileged user could use this to crash the system.
(CVE-2012-0044)

Update instructions

The problem can be corrected by updating your system to the following
package version:

Ubuntu 10.10:
linux-image-2.6.35-32-powerpc64-smp 2.6.35-32.65
linux-image-2.6.35-32-generic-pae 2.6.35-32.65
linux-image-2.6.35-32-versatile 2.6.35-32.65
linux-image-2.6.35-32-generic 2.6.35-32.65
linux-image-2.6.35-32-virtual 2.6.35-32.65
linux-image-2.6.35-32-powerpc-smp 2.6.35-32.65
linux-image-2.6.35-32-powerpc 2.6.35-32.65
linux-image-2.6.35-32-server 2.6.35-32.65
linux-image-2.6.35-32-omap 2.6.35-32.65

To update your system, please follow these instructions:
https://wiki.ubuntu.com/Security/Upgrades.

After a standard system update you need to reboot your computer to make
all the necessary changes.

References

CVE-2011-3353, CVE-2011-4622, CVE-2012-0038, CVE-2012-0044

Ubuntu Security Advisory: PHP / Upgrades available

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 11.10
- Ubuntu 11.04
- Ubuntu 10.10
- Ubuntu 10.04 LTS
- Ubuntu 8.04 LTS

Summary:

USN 1358-1 introduced a regression in PHP.

Software Description:
- php5: HTML-embedded scripting language interpreter

Details:

USN 1358-1 fixed multiple vulnerabilities in PHP. The fix for
CVE-2012-0831 introduced a regression where the state of the
magic_quotes_gpc setting was not correctly reflected when calling
the ini_get() function.

Original advisory details:

It was discovered that PHP computed hash values for form parameters
without restricting the ability to trigger hash collisions predictably.
This could allow a remote attacker to cause a denial of service by
sending many crafted parameters. (CVE-2011-4885)

ATTENTION: this update changes previous PHP behavior by
limiting the number of external input variables to 1000.
This may be increased by adding a “max_input_vars”
directive to the php.ini configuration file. See
http://www.php.net/manual/en/info.configuration.php#ini.max-input-vars
for more information.

Stefan Esser discovered that the fix to address the predictable hash
collision issue, CVE-2011-4885, did not properly handle the situation
where the limit was reached. This could allow a remote attacker to
cause a denial of service or execute arbitrary code via a request
containing a large number of variables. (CVE-2012-0830)

It was discovered that PHP did not always check the return value of
the zend_strndup function. This could allow a remote attacker to
cause a denial of service. (CVE-2011-4153)

It was discovered that PHP did not properly enforce libxslt security
settings. This could allow a remote attacker to create arbitrary
files via a crafted XSLT stylesheet that uses the libxslt output
extension. (CVE-2012-0057)

It was discovered that PHP did not properly enforce that PDORow
objects could not be serialized and not be saved in a session. A
remote attacker could use this to cause a denial of service via an
application crash. (CVE-2012-0788)

It was discovered that PHP allowed the magic_quotes_gpc setting to
be disabled remotely. This could allow a remote attacker to bypass
restrictions that could prevent an SQL injection. (CVE-2012-0831)

USN 1126-1 addressed an issue where the /etc/cron.d/php5 cron job
for PHP allowed local users to delete arbitrary files via a symlink
attack on a directory under /var/lib/php5/. Emese Revfy discovered
that the fix had not been applied to PHP for Ubuntu 10.04 LTS. This
update corrects the issue. We apologize for the error. (CVE-2011-0441)

Update instructions:

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 11.10:
libapache2-mod-php5 5.3.6-13ubuntu3.6
php5 5.3.6-13ubuntu3.6
php5-cgi 5.3.6-13ubuntu3.6
php5-cli 5.3.6-13ubuntu3.6

Ubuntu 11.04:
libapache2-mod-php5 5.3.5-1ubuntu7.7
php5 5.3.5-1ubuntu7.7
php5-cgi 5.3.5-1ubuntu7.7
php5-cli 5.3.5-1ubuntu7.7

Ubuntu 10.10:
libapache2-mod-php5 5.3.3-1ubuntu9.10
php5 5.3.3-1ubuntu9.10
php5-cgi 5.3.3-1ubuntu9.10
php5-cli 5.3.3-1ubuntu9.10

Ubuntu 10.04 LTS:
libapache2-mod-php5 5.3.2-1ubuntu4.14
php5 5.3.2-1ubuntu4.14
php5-cgi 5.3.2-1ubuntu4.14
php5-cli 5.3.2-1ubuntu4.14

Ubuntu 8.04 LTS:
libapache2-mod-php5 5.2.4-2ubuntu5.23
php5 5.2.4-2ubuntu5.23
php5-cgi 5.2.4-2ubuntu5.23
php5-cli 5.2.4-2ubuntu5.23

In general, a standard system update will make all the necessary changes.

References:
http://www.ubuntu.com/usn/usn-1358-2
http://www.ubuntu.com/usn/usn-1358-1
https://launchpad.net/bugs/930115

RedHat Security Advisory: RHSA-2012:0107-1 Important: kernel security and bug fix update

Advisory: RHSA-2012:0107-1
Type: Security Advisory
Severity: Important
Issued on: 2012-02-09
Last updated on: 2012-02-09
Affected Products: Red Hat Enterprise Linux (v. 5 server), Red Hat Enterprise Linux Desktop (v. 5 client)
CVEs (cve.mitre.org): CVE-2011-3638, CVE-2011-4086, CVE-2011-4127, CVE-2012-0028, CVE-2012-0207

Details

Updated kernel packages that fix multiple security issues and two bugs are
now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having
important security impact. Common Vulnerability Scoring System (CVSS) base
scores, which give detailed severity ratings, are available for each
vulnerability from the CVE links in the References section.

The kernel packages contain the Linux kernel, the core of any Linux
operating system.

This update fixes the following security issues:

* Using the SG_IO ioctl to issue SCSI requests to partitions or LVM volumes
resulted in the requests being passed to the underlying block device. If a
privileged user only had access to a single partition or LVM volume, they
could use this flaw to bypass those restrictions and gain read and write
access (and be able to issue other SCSI commands) to the entire block
device. Refer to Red Hat Knowledgebase article DOC-67874, linked to in the
References, for further details about this issue. (CVE-2011-4127,
Important)

* A flaw was found in the way the Linux kernel handled robust list pointers
of user-space held futexes across exec() calls. A local, unprivileged user
could use this flaw to cause a denial of service or, eventually, escalate
their privileges. (CVE-2012-0028, Important)

* A flaw was found in the Linux kernel in the way splitting two extents in
ext4_ext_convert_to_initialized() worked. A local, unprivileged user with
the ability to mount and unmount ext4 file systems could use this flaw to
cause a denial of service. (CVE-2011-3638, Moderate)

* A flaw was found in the way the Linux kernel's journal_unmap_buffer()
function handled buffer head states. On systems that have an ext4 file
system with a journal mounted, a local, unprivileged user could use this
flaw to cause a denial of service. (CVE-2011-4086, Moderate)

* A divide-by-zero flaw was found in the Linux kernel's igmp_heard_query()
function. An attacker able to send certain IGMP (Internet Group Management
Protocol) packets to a target system could use this flaw to cause a denial
of service. (CVE-2012-0207, Moderate)

Red Hat would like to thank Zheng Liu for reporting CVE-2011-3638, and
Simon McVittie for reporting CVE-2012-0207.

This update also fixes the following bugs:

* When a host was in recovery mode and a SCSI scan operation was initiated,
the scan operation failed and provided no error output. This bug has been
fixed and the SCSI layer now waits for recovery of the host to complete
scan operations for devices. (BZ#772162)

* SG_IO ioctls were not implemented correctly in the Red Hat Enterprise
Linux 5 virtio-blk driver. Sending an SG_IO ioctl request to a virtio-blk
disk caused the sending thread to enter an uninterruptible sleep state ("D"
state). With this update, SG_IO ioctls are rejected by the virtio-blk
driver: the ioctl system call will simply return an ENOTTY ("Inappropriate
ioctl for device") error and the thread will continue normally. (BZ#773322)

Users should upgrade to these updated packages, which contain backported
patches to correct these issues. The system must be rebooted for this
update to take effect.

Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/kb/docs/DOC-11259

To install kernel packages manually, use "rpm -ivh [package]". Do not
use "rpm -Uvh" as that will remove the running kernel binaries from
your system. You may use "rpm -e" to remove old kernels after
determining that the new kernel functions properly on your system.

References

New PHP5 Vulnerability in php_register_variable_ex() – affects versions <= 5.3.9

Vulnerability ID:
CVE-2012-0830

Description:
“php_register_variable_ex()” Code Execution Vulnerability

Details:
A vulnerability has been reported in PHP, which can be exploited by malicious people to compromise a vulnerable system. The irony here is this vulnerability was introduced in a “fix” for another vulnerability (CVE-2011-4885).

The vulnerability is caused due to a logic error within the “php_register_variable_ex()” function (php_variables.c) when hashing form posts and updating a hash table, which can be exploited to execute arbitrary code.

The vulnerability is reported in version 5.3.9.

Solution:
Upgrade to PHP 5.3.10. If you need assistance with this, please contact us for a consultation.

References:

http://www.php.net/archive/2012.php#id2012-02-02-1

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0830

Apache – Multiple Vulnerabilities – affects 2.0.x-2.0.64 and 2.2.x-2.2.21

Several vulnerabilities have been found in the Apache HTTPD Server:

CVE-2011-3607:
Integer overflow in the ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is enabled, allows local users to gain privileges via a .htaccess file with a crafted SetEnvIf directive, in conjunction with a crafted HTTP request header, leading to a heap-based buffer overflow.

CVE-2011-3368 CVE-2011-3639 CVE-2011-4317:
The Apache HTTP Server did not properly validate the request URI for proxied requests. In certain reverse proxy configurations using the ProxyPassMatch directive or using the RewriteRule directive with the [P] flag, a remote attacker could make the proxy connect to an arbitrary server. This could allow the attacker to access internal servers that are not otherwise accessible from the outside.

The three CVE ids denote slightly different variants of the same issue.

Note that, even with this issue fixed, it is the responsibility of the administrator to ensure that the regular expression replacement pattern for the target URI does not allow a client to append arbitrary strings to the host or port parts of the target URI. For example, the configuration

  ProxyPassMatch ^/mail(.*)  http://internal-host$1

is still insecure and should be replaced by one of the following configurations:

  ProxyPassMatch ^/mail(/.*)  http://internal-host$1
  ProxyPassMatch ^/mail/(.*)  http://internal-host/$1
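To check rules of this kind before deploying them, here is an added Python example (not from the advisory or from Apache) that models the ProxyPassMatch substitution and reports request paths for which the upstream host or port would no longer be the intended internal-host; `apply_proxypassmatch` is a simplified, hypothetical stand-in for mod_proxy's own PCRE-based substitution, and the probe paths are constructed.

```python
import re
from urllib.parse import urlsplit


# Hypothetical helper, not Apache code: a simplified model of how a
# ProxyPassMatch rule expands $1.. into the target URL. Sufficient for
# the patterns quoted in the advisory; real mod_proxy uses PCRE.
def apply_proxypassmatch(pattern, target, request_path):
    """Return the upstream URL the rule would produce, or None if it does not match."""
    m = re.match(pattern, request_path)
    if m is None:
        return None
    return re.sub(r"\$(\d)", lambda ref: m.group(int(ref.group(1))) or "", target)


def authority_leaks(pattern, target, expected_host, expected_port, probes):
    """Return (path, url) pairs whose proxied URL has an unexpected host or port."""
    leaks = []
    for path in probes:
        url = apply_proxypassmatch(pattern, target, path)
        if url is None:
            continue  # no match: the request is not proxied at all
        parts = urlsplit(url)
        try:
            port = parts.port
        except ValueError:  # unparsable port: treat as a mismatch
            port = -1
        if parts.hostname != expected_host or port != expected_port:
            leaks.append((path, url))
    return leaks


# Constructed request paths: one normal, two that append a port or a
# userinfo suffix directly after "/mail" (what the advisory warns about),
# and one where the same suffix sits safely inside the path.
PROBES = ["/mail/inbox", "/mail:8080/inbox", "/mail@other-host/inbox", "/mail/@other-host/inbox"]

RULES = {
    "insecure": (r"^/mail(.*)", "http://internal-host$1"),
    "fixed_slash_in_group": (r"^/mail(/.*)", "http://internal-host$1"),
    "fixed_slash_in_target": (r"^/mail/(.*)", "http://internal-host/$1"),
}


def audit():
    """Map each rule name to the list of probes for which the authority changes."""
    return {name: authority_leaks(p, t, "internal-host", None, PROBES)
            for name, (p, t) in RULES.items()}


if __name__ == "__main__":
    for name, leaks in audit().items():
        print(name, "OK" if not leaks else leaks)
```

Only the first rule reports leaks: the capture group there can extend the authority, while both corrected rules force a "/" before anything the client controls.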

CVE-2012-0031:
An apache2 child process could cause the parent process to crash during shutdown. This is a violation of the privilege separation between the apache2 processes and could potentially be used to worsen the impact of other vulnerabilities.

CVE-2012-0053:
The response message for error code 400 (bad request) could be used to expose “httpOnly” cookies. This could allow a remote attacker using cross site scripting to steal authentication cookies.

Read more:

DSA-2405 apache2 – http://goo.gl/WTSIu #debian

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3607

DSA-2384 cacti – multiple vulnerabilities

Several vulnerabilities have been discovered in Cacti, a graphing tool for monitoring data. Multiple cross site scripting issues allow remote attackers to inject arbitrary web script or HTML. An SQL injection vulnerability allows remote attackers to execute arbitrary SQL commands.

@debian_security:

DSA-2384 cacti – http://goo.gl/g86kW #debian

Potential Malicious Activity or DDoS with SSH – /bin/false is NOT security

Hacker Jordan Sissel wrote a very informative and interesting article about SSH security and the old-school practice of using /bin/false to restrict shell access. Many system administrators are under the incorrect assumption that simply changing an account’s shell to /bin/false renders the account unusable. This is a fallacy.

In addition, such a configuration could actually be exploited and used as a Denial of Service attack to crash your server.

“In summary: If you don’t want [hackers] to have access to your machines, then don’t allow [them] access — /bin/false is not security.”

Read Full Story Here

A known PHP Vulnerability which allows for file path injections getting more popular – affects PHP =<5.3.6

Vulnerability ID:
CVE-2011-2202

A known vulnerability discovered in 2011 affecting many PHP versions has been getting more use recently. As new variations of exploits emerge, even novice hackers are able to use it without much skill. The vulnerability itself is an input validation error which could allow anyone to remotely inject an arbitrary file into the filesystem which could then aid in further attack strategies.

Technical Details:
The rfc1867_post_handler function in main/rfc1867.c in PHP before 5.3.7 does not properly restrict filenames in multipart/form-data POST requests, which allows remote attackers to conduct absolute path traversal attacks, and possibly create or overwrite arbitrary files, via a crafted upload request, related to a “file path injection vulnerability.”

Vulnerable PHP Versions:
3.0, 3.0.1, 3.0.10, 3.0.11, 3.0.12, 3.0.13, 3.0.14, 3.0.15, 3.0.16, 3.0.17, 3.0.18, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6, 3.0.7, 3.0.8, 3.0.9, 4.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.0.7, 4.1, 4.1.1, 4.1.2, 4.2, 4.2.1, 4.2.2, 4.2.3, 4.3, 4.3.1, 4.3.10, 4.3.11, 4.3.2, 4.3.3, 4.3.4, 4.3.5, 4.3.6, 4.3.7, 4.3.8, 4.3.9, 4.4, 4.4.1, 4.4.2, 4.4.3, 4.4.4, 4.4.5, 4.4.6, 4.4.7, 4.4.8, 4.4.9, 5.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.1, 5.1.1, 5.1.2, 5.1.3, 5.1.4, 5.1.5, 5.1.6, 5.2, 5.2.1, 5.2.10, 5.2.11, 5.2.12, 5.2.13, 5.2.14, 5.2.15, 5.2.17, 5.2.2, 5.2.3, 5.2.4, 5.2.5, 5.2.6, 5.2.7, 5.2.8, 5.2.9, 5.3, 5.3.1, 5.3.2, 5.3.3, 5.3.4, 5.3.5, 5.3.6

Solution:
Updated versions that are not vulnerable are available. We strongly recommend upgrading to a version greater than 5.3.7 immediately. Please contact us for a consultation if you would like us to secure your web server from this vulnerability.

References: