vulnerability remediation synopsis

Vulnerability Remediation Synopsis version 0.4, Russ Klanke

Upload: rklanke

Post on 07-Sep-2014



Extended information about remediation measures for vulnerabilities detected by QualysGuard


Contents

Qualys as a mitigation recommendation tool (Knowledge Base) ... 21

Adobe Flash Vulnerabilities ... 23
    Adobe Flash Player Multiple Vulnerabilities (QID 116536) ... 23

Adobe Reader Vulnerabilities ... 24
    Adobe Acrobat/Reader "util.printf()" Buffer Overflow Vulnerability (QID 116027) ... 24
    Sun Solaris Adobe Reader Multiple Vulnerabilities (QID 116386) ... 24
    Sun Solaris Adobe Reader Multiple Vulnerabilities (QID 116437) ... 25

Apache Vulnerabilities ... 27
    Discovery of Unix Account Names Vulnerability (QID 5001) ... 27
    "test-cgi" CGI Vulnerability (QID 10015) ... 27
    Apache HTTP Server Multiple Cross-Site Scripting Vulnerabilities (QID 12260) ... 28
    Apache Axis2/Java "modules" Cross-Site Scripting (XSS) Vulnerability (QID 12370) ... 29
    Apache Axis2 Default Administrative Access (QID 12499) ... 29
    Apache HTTP Server APR "apr_fnmatch()" Denial of Service Vulnerability (QID 12500) ... 30
    Apache HTTP Server Mod_Proxy Denial of Service Vulnerability (QID 62057) ... 30
    Apache CGI Source Code Viewing Vulnerability (QID 86054) ... 31
    Apache Webserver /server-status Information Disclosure Vulnerability (QID 86410) ... 31
    Apache 2.x HTTP Server Linefeed Memory Allocation Denial of Service Vulnerability (QID 86482) ... 32
    Apache 2.x Web Server File Descriptor Leakage Vulnerability (QID 86483) ... 32
    Apache Basic Authentication Module Valid User Login Denial of Service Vulnerability (QID 86532) ... 33
    Miscellaneous Apache Vulnerabilities (2.0.46 and earlier) (QID 86562) ... 33
    Apache HTTP Server Buffer Overflow Vulnerabilities In mod_alias And mod_rewrite (QID 86600) ... 34
    Apache2 MOD_CGI STDERR Denial of Service Vulnerability (QID 86636) ... 34
    Apache Web Server Type-Map Recursive Loop Denial of Service Vulnerability (QID 86637) ... 35
    Apache 2.0.49 And Earlier Miscellaneous Vulnerabilities (QID 86643) ... 35
    Multiple Apache Web Server Vulnerabilities prior to version 2.0.51 (QID 86678) ... 36
    Multiple Apache 1.3.32 and Earlier Web Server Local Buffer Overflow Vulnerabilities (QID 86680) ... 36
    Apache 2.0.35-2.0.52 Memory Consumption Denial of Service and mod_ssl SSLCipherSuite Bypass (QID 86683) ... 37
    Apache CGI Byterange Request Denial of Service Vulnerability (QID 86713) ... 37
    Apache Tomcat Simultaneous Directory Listing Denial of Service Vulnerability (QID 86724) ... 38
    Apache MPM Worker.C Denial of Service Vulnerability (QID 86726) ... 39
    Apache Mod_IMAP Referer Cross-Site Scripting Vulnerability (QID 86727) ... 40
    Apache Web Server fails to sanitize Escape Sequence Injection into its Access Logs (QID 86744) ... 41
    Apache Web Server fails to sanitize Escape Sequence Injection into its Error Logs (QID 86745) ... 41
    Apache Mod_Rewrite Off-By-One Buffer Overflow Vulnerability (QID 86746) ... 42
    Apache Tomcat JK Web Server Connector Security Bypass Vulnerability (QID 86764) ... 42
    Apache HTTP Server 413 Error HTTP Request Method Cross-Site Scripting (XSS) Weakness (QID 86771) ... 43
    Apache mod_ssl Denial of Service Vulnerability (QID 86773) ... 44
    Apache Tomcat Information Disclosure Vulnerability (QID 86775) ... 44
    Apache Tomcat Absolute Path Traversal Vulnerability (QID 86776) ... 45
    Apache Tomcat Accept-Language Cross-Site Scripting (XSS) Vulnerability (QID 86777) ... 46
    Apache Tomcat SingleSignOn Remote Information Disclosure Vulnerability (QID 86779) ... 47
    Apache Tomcat 4, 5 and 6 Examples Web Application Multiple Cross-Site Scripting (XSS) Vulnerabilities (QID 86781) ... 47
    Apache Tomcat Multiple Cross-Site Scripting (XSS) Vulnerabilities in Manager and Host Manager Web Applications (QID 86782) ... 48
    Apache Tomcat 4.1 Cross-Site Scripting (XSS) Vulnerability (QID 86783) ... 49
    Apache Tomcat 4 and 5 Cross-Site Scripting (XSS) Vulnerability in Calendar Application in JSP Examples (QID 86785) ... 49
    Apache Tomcat Servlet Host Manager Servlet Cross-Site Scripting (XSS) Vulnerability (QID 86786) ... 50
    Apache 2.2 Multiple Vulnerabilities (QID 86788) ... 51
    Apache Tomcat Multiple Content Length Headers Information Disclosure Vulnerability (QID 86789) ... 52
    Apache Tomcat 4 Denial of Service Vulnerability (QID 86790) ... 52
    Apache Tomcat 4 Information Disclosure Vulnerability (QID 86791) ... 52
    Apache Tomcat 6 Information Disclosure Vulnerability (QID 86792) ... 53
    Apache Tomcat Session Hi-jacking Vulnerability (QID 86794) ... 53
    Apache mod_ssl Certificate Revocation List Off-By-One Buffer Overflow Vulnerability (QID 86801) ... 54
    Apache Tomcat 5 and 6 Host Manager Web Application Cross-Site Scripting (XSS) Vulnerability (QID 86803) ... 54
    Apache Tomcat 4, 5 and 6 Multiple Vulnerabilities (QID 86804) ... 55
    Apache Tomcat RequestDispatcher Information Disclosure Vulnerability (QID 86808) ... 56
    Apache 1.3, 2.0 and 2.2 HTTP Server Multiple Vulnerabilities (QID 86809) ... 57
    Apache 2.0 HTTP Server PCRE Integer Overflow Vulnerability (QID 86812) ... 58
    Apache 2.0 HTTP Server mod_ssl Stack Buffer Overflow Vulnerability (QID 86814) ... 58
    Apache HTTP Server Expect Header Cross-Site Scripting (XSS) (QID 86821) ... 59
    Apache Tomcat "RemoteFilterValve" Security Bypass Vulnerability (QID 86823) ... 60
    Apache HTTP Server AllowOverride Options Security Bypass (QID 86840) ... 60
    Apache Tomcat Java AJP Connector Invalid Header Denial of Service Vulnerability (QID 86842) ... 61
    Apache Partial HTTP Request Denial of Service Vulnerability - Zero Day (QID 86847) ... 62
    Apache Tomcat Multiple Vulnerabilities (QID 86851) ... 63
    APR-util Library Integer Overflow Vulnerabilities (QID 86852) ... 64
    Apache mod_proxy_ftp FTP Command Injection Vulnerability (QID 86855) ... 65
    Apache Tomcat Installer Insecure Password Vulnerability (QID 86857) ... 66
    Apache Tomcat Directory Traversal Weaknesses and Security Issue (QID 86865) ... 66
    Apache 1.3 mod_proxy HTTP Chunked Encoding Integer Overflow Vulnerability (QID 86868) ... 68
    Apache HTTP Server Prior to 2.2.15 Multiple Vulnerabilities (QID 86873) ... 68
    Apache httpd "mod_proxy_http" Timeout Handling Information Disclosure Vulnerability (QID 86901) ... 69
    Apache HTTP Server 2.2.15 mod_cache and mod_dav Undisclosed DoS Vulnerability (QID 86908) ... 69
    Apache Tomcat SecurityManager Security Bypass Vulnerability (QID 86939) ... 70
    Apache Tomcat HTTP NIO / APR Connector sendfile Input Validation Error Information Disclosure Vulnerability (QID 86950) ... 70
    Apache 1.3 and 2.0 Web Server Multiple Vulnerabilities (QID 115731) ... 71
    Sun Solaris Cross-Site Scripting Issues in Apache 1.3 and 2.0 "mod_imap" and "mod_status" Modules (QID 115798) ... 72
    Red Hat Security Update for Apache (QID 116444) ... 73
    Sun Solaris Apache 1.3 "mod_jk" Module Unauthorized Access Vulnerability (QID 116491) ... 73
    Solaris Apache 1.3 "mod_perl" Module Component "Status.pm" Unauthorized Data Access Vulnerability (QID 116945) ... 74

ATT WinVNC Vulnerabilities ... 74
    ATT WinVNC Server Buffer Overflow and Weak Authentication Vulnerabilities (QID 38022) ... 74

AWStats Vulnerabilities ... 75
    AWStats Rawlog Plugin Logfile Parameter Input Validation Vulnerability (QID 12210) ... 75
    AWStats Referrer Arbitrary Command Execution Vulnerability (QID 12175) ... 76

BEA WebLogic Vulnerabilities ... 76
    BEA WebLogic Multiple Vulnerabilities (QID 86734) ... 76
    BEA WebLogic Multiple Vulnerabilities (2007) (QID 86766) ... 77

BIND Vulnerabilities ... 78
    ISC BIND Remote Cache Poisoning Vulnerability (QID 15053) ... 78
    Red Hat Bind Security Update (QID 115514) ... 79
    Red Hat Update for bind (QID 116124) ... 79
    ISC BIND Dynamic Update Denial of Service Vulnerability (QID 15055) ... 80

Caucho Resin Vulnerabilities ... 81
    Caucho Resin Data Handling Cross-Site Scripting (XSS) Vulnerability (QID 86890) ... 81

Cisco Vulnerabilities ... 82
    SSH1 Session Key Retrieval Vulnerability (QID 38029) ... 82
    Cisco Secure ACS Management Interface (QID 38192) ... 83
    Management Interfaces Accessible On Cisco Device Vulnerability (QID 38250) ... 84
    Cisco IOS Malformed SNMP Message-Handling Vulnerability (QID 38254) ... 84
    Multiple Vulnerabilities in Cisco Secure ACS (QID 38306) ... 85
    Cisco IOS Telnet Service Remote Denial of Service Vulnerability (QID 38308) ... 86
    Cisco IOS Firewall Authentication Proxy for FTP and Telnet Sessions Buffer Overflow (QID 38471) ... 87
    Cisco Secure ACS Authentication Bypass Vulnerability (QID 38550) ... 88
    Cisco IOS HTTP %% Vulnerability (QID 43003) ... 88
    Cisco Router Online Help Vulnerability (QID 43004) ... 89
    Cisco Router/Switch Default Password Vulnerability (QID 43021) ... 89
    Cisco IOS Malformed IPV4 Packet Denial of Service Vulnerability (QID 43051) ... 90
    Cisco IOS 2GB HTTP GET Buffer Overflow Vulnerability (QID 43054) ... 91
    Cisco Internet Operating System SNMP Message Processing Denial of Service Vulnerability (QID 43056) ... 91
    Cisco VPN 3000 Concentrator Denial of Service Vulnerability (QID 43077) ... 92
    Cisco IOS System Timers Heap Buffer Overflow Vulnerability (QID 43094) ... 92
    Cisco IOS Secure Shell Server Memory Leak Denial of Service Vulnerability (QID 43098) ... 93
    Cisco IOS EIGRP Announcement ARP Denial of Service Vulnerability (QID 43100) ... 94
    Cisco IOS ICMP Redirect Routing Table Modification Vulnerability (QID 43101) ... 95
    Cisco IOS Service Assurance Agent Malformed Packet Denial of Service Vulnerability (QID 43102) ... 95
    Cisco VPN 3000 Concentrator Malformed HTTP Packet Remote Denial of Service Vulnerability (QID 43106) ... 96
    Cisco Internet Key Exchange (IKE) Denial of Service Vulnerability (QID 43116) ... 96
    Multiple Cisco IOS TCP/IP Vulnerabilities (QID 43128) ... 97
    Cisco IOS and Unified Communications Manager Multiple Voice Vulnerabilities (QID 43131) ... 97
    Cisco IOS TCP Listener Memory Leak Can Cause Denial of Service (QID 43133) ... 97
    Cisco IOS Multicast Virtual Private Network (MVPN) Data Leak Vulnerability (QID 43135) ... 98
    Cisco IOS SSL Packets Multiple Vulnerabilities (QID 43139) ... 98
    Cisco IOS GRE Decapsulation Vulnerability (QID 43140) ... 98
    Cisco IOS Software Multiple Multicast Vulnerabilities (QID 43146) ... 99
    Cisco IOS MPLS VPN May Leak Information (QID 43150) ... 99
    Cisco IOS Multiple Cross-Site Scripting Vulnerabilities (QID 43151) ... 99
    Cisco IOS Software Multiple Features IP Sockets Vulnerability (QID 43153) ... 101
    Cisco IOS Software Multiple Features Crafted UDP Packet Vulnerability (QID 43155) ... 102
    Cisco IOS Software Multiple Features Crafted TCP Sequence Vulnerability (QID 43156) ... 103
    Cisco IOS Software Secure Copy Privilege Escalation Vulnerability (QID 43157) ... 104
    Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerability (QID 43158) ... 104
    Cisco IOS Software TCP State Manipulation Denial of Service Vulnerabilities (QID 43162) ... 105
    Cisco IOS Software Tunnels Vulnerability (QID 43172) ... 106
    Cisco IOS IPv6 Routing Header Vulnerability (QID 43173) ... 107
    Cisco IOS Software Multiprotocol Label Switching Packet Vulnerability (QID 43180) ... 108
    Cisco Industrial Ethernet 3000 Series Switches Hard Coded SNMP Community Names Vulnerability (QID 43187) ... 109
    Cisco IOS TCP State Manipulation Denial of Service Vulnerabilities (QID 43197) ... 110
    Cisco IOS VLAN Trunking Protocol Vulnerability (QID 43204) ... 110
    Cisco IOS Multiple Vulnerabilities (QID 43207) ... 111
    TCP Sequence Number Approximation Based Denial of Service (82054) ... 112
    Cisco IOS HTTP Service HTML Injection Vulnerability (QID 12220) ... 114

Common Desktop Environment (CDE) Vulnerabilities ... 115
    Common Desktop Environment Dtlogin Unspecified Remote Double Free Vulnerability (QID 38261) ... 115
    Multiple Vendor CDE ToolTalk Database Server Null Write Vulnerability (QID 68507) ... 115

CUPS Vulnerabilities ... 116
    CUPS UDP Packet Remote Denial of Service Vulnerability (QID 38405) ... 116
    CUPS IPP Tag Handling Remote Buffer Overflow Vulnerability (QID 38591) ... 116

CVS Vulnerabilities ... 117
    CVS Server Piped Checkout Access Validation Vulnerability (QID 38269) ... 117
    CVS Unspecified Buffer Overflow and Memory Access Vulnerabilities (QID 38481) ... 117

DameWare Vulnerabilities ... 118
    DameWare Mini Remote Control Server Detected (QID 38255) ... 118

DNS Vulnerabilities ... 119
    DNS Zone Transfer (QID 15018) ... 119

Finger Vulnerabilities ... 119
    "Finger 0@" Information about Logged Users Disclosure Vulnerability (QID 31000) ... 119
    Finger Daemon Accepts Forwarding of Requests (QID 31002) ... 120
    Finger Service Discloses Logged Users (QID 31003) ... 120

Firefox Vulnerabilities ... 120
    Mozilla Firefox Remote Code Execution by Overflowing CSS Reference Counter (QID 115836) ... 120
    Mozilla Firefox Unspecified Arbitrary File Access Weakness - Zero Day (QID 115841) ... 121
    Mozilla Firefox and SeaMonkey Multiple Vulnerabilities (QID 115851) ... 121
    Mozilla Firefox URI Splitting Security Bypass Vulnerability (QID 115860) ... 121
    Mozilla Firefox User Interface Dispatcher Null Pointer Dereference Denial of Service Vulnerability Zero Day (QID 115966) ... 122
    Mozilla Firefox, Seamonkey and Thunderbird Multiple Vulnerabilities (QID 116044) ... 122
    Mozilla Firefox/Thunderbird/SeaMonkey Multiple Remote Vulnerabilities (QID 116184) ... 123
    Mozilla Firefox Nested "window.print()" Denial of Service Vulnerability (QID 116262) ... 124
    Mozilla Firefox/Thunderbird/SeaMonkey Multiple Vulnerabilities (QID 116263) ... 125
    Mozilla Firefox Fix Two Vulnerabilities (QID 116328) ... 126
    Firefox Security Update (QID 116539) ... 127
    Sun Solaris Thunderbird Related to SSL Certificates Arbitrary Code Execution Vulnerabilities (QID 116836) ... 128
    Sun Solaris Thunderbird Multiple Vulnerabilities (QID 116428) ... 129

FTP Vulnerabilities ... 129
    World Readable and Writeable Directory on Anonymous FTP (QID 27005) ... 129
    FTP Generic ../ File Disclosure Vulnerability (QID 27166) ... 130
    FTP Backdoor Allows Administrator Privileges (QID 27279) ... 130

GoAhead Webserver Vulnerabilities ... 131
    GoAhead WebServer /aux Denial of Service Vulnerability (QID 86122) ... 131

Gnome Evolution iCalendar Multiple Buffer Overflow Vulnerabilities (QID 115818) ... 131

GnuPG Vulnerabilities ... 131
    GnuPG Parse_Comment Remote Buffer Overflow Vulnerability (QID 115432) ... 131
    GnuPG Parse_User_ID Remote Buffer Overflow Vulnerability (QID 115405) ... 132

ICMP Vulnerabilities ... 132
    Host Responds to One ICMP Request Multiple Times (Smurf Variant) (QID 82002) ... 132

HP HTTP Server Vulnerabilities ... 133
    HP HTTP Server Remote Unspecified Buffer Overflow Vulnerability (QID 86772) ... 133

HP System Management ... 133
    HP System Management Homepage Code Execution and Denial of Service (QID 86846) ... 133
    HP System Management Homepage Cross-Site Scripting and Denial of Service Vulnerabilities (QID 86880) ... 134
    HP System Management Homepage Cross-Site Scripting (XSS) Vulnerability (QID 86869) ... 134
    HP System Management Homepage Multiple Vulnerabilities (QID 86938) ... 135
    HP System Management Homepage Multiple Vulnerabilities (QID 86849) ... 135
    HP System Management Homepage Remote Cross-Site Scripting Vulnerability (QID 86951) ... 136
    HP System Management Homepage TLS/SSL Vulnerability (QID 86887) ... 136

HP Openview Vulnerabilities ... 137
    HP Openview NNM Embedded Database Present (QID 38210) ... 137

IBM DB2 Vulnerabilities ... 137
    IBM DB2 Universal Database Known Default Password Vulnerability (QID 19008) ... 137
    IBM DB2 Listener Detected (QID 19207) ... 138
    IBM DB2 Universal Database Multiple Denial of Service Vulnerabilities (QID 19209) ... 138

IBM HTTP Vulnerabilities ... 138
    IBM HTTP Server "apr_fnmatch()" Denial of Service Vulnerabilities (QID 86952) ... 138
    IBM HTTP Server Multiple Vulnerabilities (QID 86875) ... 139

IETF RADIUS Vulnerabilities ... 139
    IETF RADIUS Dictionary Attack Vulnerability (QID 38120) ... 139

IP Vulnerabilities ... 140
    IP Spoofing (QID 34009) ... 140
    IP Forwarding Enabled (QID 115284) ... 140

ISC BIND Vulnerabilities ... 141
    ISC BIND 9 Remote Denial of Service (DoS1 bug) Vulnerability (QID 15021) ... 141
    ISC BIND Pre 9.2.2 Multiple Possible Vulnerabilities (QID 15031) ... 141
    ISC BIND Multiple Remote Denial of Service Vulnerabilities (QID 15052) ... 142
    ISC BIND 9 Cache Poisoning Vulnerability (QID 15054) ... 142
    ISC BIND 9 DNSSEC Bogus NXDOMAIN Response Remote Cache Poisoning Vulnerability (QID 15057) ... 142

Java Vulnerabilities ... 143
    Java Runtime Environment Multiple Privilege Escalation Vulnerabilities (QID 115435) ... 143
    Red Hat IBMJava2 Security Update (QID 115846) ... 144
    Red Hat Update for IBMJava2 (QID 116314) ... 145
    Sun Java JDK JRE Multiple Vulnerabilities (QID 116345) ... 146
    Security Vulnerability in the JRE With Parsing XML Data May Allow a Remote Client to Create a Denial of Service (QID 116556) ... 148
    Sun Java Transport Layer and Secure Sockets Layer 3.0 Security Vulnerability (QID 116804) ... 149

JBoss Vulnerabilities ... 149
    JBoss HttpAdaptor JMXInvokerServlet is Accessible to Unauthenticated Remote Users (QID 12476) ... 149
    JBoss JMX Console is Accessible to Unauthenticated Remote Users (QID 12481) ... 149
    JBoss Web Console is Accessible to Unauthenticated Remote Users (QID 12482) ... 150
    JBoss EJBInvokerServlet is Accessible to Unauthenticated Remote Users (QID 12483) ... 150
    JBoss JMX Console and Web Console Unrestricted Access Vulnerability (QID 86768) ... 150
    JBoss Application Server Web Console and JMX Management Console Authentication Bypass Vulnerability (QID 86882) ... 150
    JBoss Enterprise Application Platform Status Servlet Request Remote Information Disclosure (QID 86883) ... 151

K Desktop Environment (KDE) Vulnerabilities ... 151
    kdelibs, kdebase Security Update (QID 115387) ... 151
    Red Hat kdelibs Security Update (QID 115437) ... 152

KCMS ... 153
    KCMS Directory Traversal Vulnerability (QID 68533) ... 153

Kerberos Vulnerabilities ... 153
    Red Hat krb5 Security Update (QID 115534) ... 153
    Red Hat krb5 Security Update (QID 115757) ... 154
    Solaris Kerberos PAM Module Privilege Escalation Vulnerability (QID 116327) ... 154
    Sun Solaris Kerberos "Mech" Libraries Denial of Service Vulnerability (QID 116475) ... 155

Linux ... 156
    Linux Kernel Multiple Memory Leak Local Denial of Service Vulnerabilities (QID 115292) ... 156

Macromedia JRun Vulnerabilities ... 156
    Privilege Escalation Vulnerability in Macromedia JRun and ColdFusion (QID 12226) ... 156
    Macromedia JRun Multiple Vulnerabilities (QID 86735) ... 157

Microsoft IIS ... 157
    Internet Information Services (IIS) Could Allow Elevation of Privilege (MS09-020) (QID 86837) ... 157

Microsoft SQL Server Vulnerabilities ...
158 Multiple MS-SQL-7 threats - (I) (QID 19058)..................................................................................... 158 Multiple MS-SQL-7 threats - (II) (QID 19059).................................................................................... 160 Microsoft SQL Server 2000 Latest Patch Not Installed (QID 19090) ................................................. 161 Microsoft SQL Server Query Method Enables Cached Administrator Connection to be Reused (MS01-032) (QID 19093) ................................................................................................................... 162 Microsoft SQL Server 2000 Service Pack 1 Not Installed (QID 19094).............................................. 162 Microsoft SQL Server 2000 Service Pack 2 Not Installed (QID 19096).............................................. 162 Microsoft SQL Server Cumulative Patch Not Installed (MS02-034) (QID 19097) ............................. 162 Microsoft SQL Server 2000 Service Pack 3 Not Installed (QID 19099).............................................. 163 Microsoft SQL Server 2000 Service Pack 4 Missing (QID 19124) ...................................................... 163 Microsoft SQL Server Multiple Vulnerabilities (MS03-031) (QID 90086) ......................................... 163 Microsoft Windows Platform Vulnerabilities ....................................................................................... 164 Lysias Lidik Webserver Directory Traversal Vulnerability (QID 10635) ............................................ 164 Microsoft Windows XP Remote Desktop Plaintext Username Vulnerability (QID 38094) ............... 165 Microsoft Remote Procedure Call Service Denial of Service Vulnerability (MS01-041) (QID 68500) .......................................................................................................................................................... 
165 Microsoft Windows 2000 RPC DCOM Interface Denial of Service Vulnerability (QID 68517) .......... 165 Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 9

Microsoft Windows DCOM RPCSS Service Vulnerabilities (QID 68522) ........................................... 166 Multiple Microsoft Windows RPC/DCOM Vulnerabilities (QID 68528) ............................................ 166 Microsoft Windows 9x/NT 4.0 NetBIOS over TCP/IP Resource Exhaustion Vulnerability (MS00-091) (QID 70012) ....................................................................................................................................... 167 Microsoft Windows 9x/NT/2000 MS-DOS Device Name DoS Vulnerability (QID 70020)................. 167 Microsoft Messenger Service Detected (QID 70027) ....................................................................... 168 Microsoft Messenger Service Buffer Overrun Vulnerability (MS03-043) (QID 70032) .................... 168 Enabled DCOM (QID 90042) ............................................................................................................. 169 Microsoft Windows NetBIOS Name Service Reply Information Leakage Weakness (QID 90067) ... 169 Microsoft Windows ASN.1 Library Integer Handling Vulnerability (QID 90103) .............................. 170 Multiple Microsoft Windows Vulnerabilities (MS04-011) (QID 90108)............................................ 170 Microsoft Windows Task Scheduler Code Execution (QID 90134) ................................................... 171 Windows TCP/IP Remote Code Execution and Denial of Service Vulnerabilities (QID 90244)......... 172 Microsoft Windows Remote Desktop Protocol Server Private Key Disclosure (QID 90250) ............ 173 Vulnerability in Server Service Could Allow Remote Code Execution (MS06-040) (QID 90336) ...... 173 Microsoft Windows Server Service Could Allow Remote Code Execution (MS08-067) (QID 90464) .......................................................................................................................................................... 
174 Microsoft SMB Remote Code Execution Vulnerability (MS09-001) (QID 90477) ............................. 174 Microsoft WINS Remote Code Execution Vulnerabilities (QID 90516) ............................................. 175 Microsoft Server Message Block (SMBv2) Remote Code Execution Vulnerability (QID 90527)....... 176 Built-in Guest Account Not Renamed at Windows Target System (QID 105228) ............................ 177 EOL/Obsolete Operating System: Microsoft Windows 2000 Detected (QID 105359) ..................... 177 Microsoft WINS Remote Code Execution Vulnerability (MS11-035) (QID 119248) ......................... 177 MySQL ................................................................................................................................................... 178 MySQL Security Invoker Privilege Escalation Vulnerability (QID 19217) .......................................... 178 MySQL Access Validation and Denial of Service Vulnerabilities (QID 19220)................................... 178 MySQL Server InnoDB CONVERT_SEARCH_MODE_TO_INNOBASE Function Denial of Service Vulnerability (QID 19224) ................................................................................................................. 179 MySQL yaSSL Multiple Vulnerabilities (QID 19228) .......................................................................... 180 MYSQL MyISAM Table Security Bypass Vulnerability (QID 19234)................................................... 180 MySQL Server RENAME TABLE System Table Overwrite Vulnerability (QID 19254) ........................ 181 MYSQL Multiple Vulnerabilities (5.0.51a) (QID 19255) .................................................................... 182 Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 10

MySQL IF Query Denial of Service Vulnerability (QID 19256)........................................................... 182 MySQL Empty Bit-String Literal Denial of Service Vulnerability (QID 19258) ................................... 183 MySQL Command Line Client HTML Special Characters HTML Injection Vulnerability (QID 19264) 184 MySQL Single-Row Subselect and INFORMATION_SCHEMA Denial of Service Vulnerability (QID 19265) ............................................................................................................................................... 184 MySQL Multiple Remote Denial of Service Vulnerabilities (QID 19508) .......................................... 185 MySQL "sql/sql_table.cc" CREATE TABLE Security Bypass Vulnerability (QID 19531)...................... 185 MySQL Multiple Vulnerabilities (QID 19560) .................................................................................... 186 MySQL BINLOG Filename Path Privilege Escalation Vulnerability (QID 19573)................................ 187 MySQL Prepared-Statement Mode "EXPLAIN" Denial of Service Vulnerability (QID 19600) ........... 187 NetScreen.............................................................................................................................................. 188 NetScreen ScreenOS Port Scan Denial of Service Vulnerability (QID 43082) ................................... 188 NFS Vulnerabilities ................................................................................................................................ 188 NFS Exported Filesystems List Vulnerability (QID 66002) ................................................................. 188 NFS Exported Directories Mountable by Unauthorized Users (QID 66003) ..................................... 189 NFS-Utils Xlog Remote Buffer Overrun Vulnerability (QID 68521) ................................................... 
189 OpenRadius Vulnerabilities ................................................................................................................... 190 OpenRADIUS Divide By Zero Denial of Service Vulnerability (QID 38122) ....................................... 190 OpenSSH Vulnerabilities ....................................................................................................................... 190 OpenSSH Channel Code Off-By-One Vulnerability (QID 38088) ....................................................... 190 OpenSSH Challenge-Response Authentication Integer Overflow Vulnerability (QID 38113)........... 191 OpenSSH UseLogin Environment Variable Passing Vulnerability (QID 38118) ................................. 192 OpenSSH Reverse DNS Lookup Access Control Bypass Vulnerability (QID 38198)........................... 192 OpenSSH PAMAuthenticationViaKbdInt Buffer Overflow Vulnerability (QID 38202) ...................... 193 OpenSSH Multiple Memory Management Vulnerabilities (QID 38217) ........................................... 194 OpenSSH Signal Handling Vulnerability (QID 38560) ........................................................................ 195 OpenSSH Plaintext Recovery Attack Against SSH Vulnerability (QID 42339) ................................... 195 OpenSSH X11 Hijacking Attack Vulnerability (QID 42340) ................................................................ 196 OpenSSH Local SCP Shell Command Execution Vulnerability (QID 115317) .................................... 197 OpenSSL Vulnerabilities ........................................................................................................................ 198 OpenSSL Denial of Service Vulnerabilities (QID 38257) .................................................................... 198 OpenSSL PKCS Padding RSA Signature Forgery Vulnerability (QID 38557)....................................... 200 Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 11

OpenSSL Multiple Vulnerabilities (QID 38561) ................................................................................. 200 OpenSSL "SSL_get_shared_ciphers()" Off-By-One Buffer Overflow (QID 38595) ............................ 201 OpenSSL TLS Connection Record Handling Denial of Service Vulnerability (QID 42032) ................. 201 OpenSSL Two Vulnerabilities (OpenSSL Advisory 1-June-2010) (QID 42335) ................................... 202 OpenSSL "ssl3_get_key_exchange()" Use-After-Free Vulnerability (QID 42345) ............................. 202 OpenSSL TLS Server Extension Parsing Race Condition Vulnerability (QID 42354) .......................... 203 OpenSSL ClientHello Handshake Messages Denial of Service Vulnerability (QID 42361) ................ 204 OpenSSL Ciphersuite Downgrade Security Vulnerability (QID 42362) ............................................. 204 Red Hat and Solaris Update for openssl Vulnerability (QID 116118) ............................................... 205 Sun Solaris OpenSSL Denial of Service Vulnerability (QID 116458) .................................................. 206 Operating System Detected .................................................................................................................. 207 Operating System Detected (45017) ................................................................................................ 207 Operating Systems Detected on Redirected TCP Open Ports (82038) ............................................. 208 Oracle Vulnerabilities ............................................................................................................................ 208 Oracle Listener Log File Can Be Renamed Without Authentication (QID 19005) ............................. 209 Oracle Database Link Buffer Overflow Vulnerability (QID 19076) .................................................... 
209 Oracle Database Server EXTPROC Buffer Overflow Vulnerability (QID 19080) ................................ 210 Multiple Oracle Database Parameter/Statement Buffer Overflow Vulnerabilities (QID 19084) ..... 210 Oracle Database Server April 2005 Critical Patch Update Missing (QID 19114) .............................. 211 Oracle Application Server HTTP Service Mod_Access Restriction Bypass Vulnerability (QID 19120) .......................................................................................................................................................... 212 Oracle Database Server October 2005 Critical Patch Update Missing (QID 19144) ......................... 212 Oracle Database Server January 2006 Security Update Missing (QID 19197) .................................. 212 Oracle Database Server April 2006 Critical Patch Update Missing (QID 19203) .............................. 213 Oracle Database Server July 2006 Critical Patch Update Missing (QID 19210) ................................ 213 Oracle Database Server October 2006 Security Update Missing (QID 19211) ................................. 213 Oracle Database Server January 2007 Security Update Missing (QID 19215) .................................. 214 Oracle Database Server April 2007 Security Update Missing (QID 19216)....................................... 214 Oracle Database Server July 2007 Security Update Missing (QID 19219) ........................................ 215 Oracle Database Server October 2007 Security Update Missing (QID 19223) ................................. 215 Oracle Database Server January 2008 Security Update Missing (QID 19227) .................................. 216 Oracle Database Server July 2005 Security Update Missing (QID 19230) ........................................ 216 Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 12

Oracle Database Server April 2008 Security Update Missing (QID 19232)....................................... 216 Oracle Database Server July 2008 Security Update Multiple Vulnerabilities (QID 19238)............... 217 Oracle Database Server October 2008 Security Update Missing (QID 19260) ................................. 218 Oracle Database Server January 2009 Security Update Missing (QID 19267) .................................. 218 Oracle Database Server April 2009 Security Update Missing (QID 19463)....................................... 219 Oracle Database Server July 2009 Security Update Missing (QID 19484) ........................................ 220 Oracle Database Server October 2009 Security Update Missing (QID 19498) ................................. 220 Oracle Database Server January 2010 Security Update Missing (QID 19524) .................................. 221 Oracle Database Server April 2010 Security Update Missing (QID 19548)....................................... 222 Oracle Database Server July 2010 Security Update Missing (QID 19565) ........................................ 222 Oracle Database Server October 2010 Security Update Missing (QID 19589) ................................. 223 EOL/Obsolete Software: Oracle Database 9i Detected (QID 19602) ................................................ 224 EOL/Obsolete Software: Oracle Database 10g Release 1 Detected (QID 19603) ............................. 224 EOL/Obsolete Software: Oracle Database 10.2.0.1 Detected (QID 19605) ...................................... 224 Oracle Database Server January 2011 Security Update Missing (QID 19608) .................................. 224 Oracle Database Server April 2011 Security Update Missing (QID 19616)....................................... 225 Oracle Database Server July 2011 Security Update Missing (QID 19633) ........................................ 
225 EOL/Obsolete Software : Oracle Database 11.1.0.6 Detected (QID 105362) ................................... 226 EOL/Obsolete Software : Oracle Database 10.2.0.3 Detected (QID 105363) ................................... 226 PHP Vulnerabilities................................................................................................................................ 227 PHP cURL Open_Basedir Restriction Bypass (QID 12188) ................................................................ 227 PHP Safedir Restriction Bypass Vulnerabilities (QID 12201)............................................................. 227 PHP Update 4.4.1 and 5.1.0 Not Installed (QID 12205) .................................................................... 227 PHP MB_Send_Mail TO Argument Header Injection Vulnerability (QID 12219) .............................. 228 PHP Multiple Buffer Overflow Vulnerabilities (QID 12233) .............................................................. 228 PHP Multiple Vulnerabilities May 2008 (QID 12249) ........................................................................ 229 PHP PHP_Binary Heap Information Leak Vulnerability (QID 12251) ................................................ 229 PHP msg_receive() Memory Allocation Integer Overflow Vulnerability (QID 12252) ...................... 230 PHP ext/filter Space Trimming Buffer Underflow Vulnerability (QID 12253) ................................... 230 PHP "rfc822_write_address()" Function Buffer Overflow Vulnerability (QID 12254) ...................... 230 PHP "safe_mode" Multiple Security Bypass Vulnerabilities (QID 12255)......................................... 230 PHP update 5.2.5 Not Installed (QID 12257) .................................................................................... 231 Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 13

PHP Update 5.2.6 Not Installed (QID 12258) .................................................................................... 231 PHP Multiple Vulnerabilities (QID 12259) ......................................................................................... 232 PHP ZipArchive::extractTo() ".zip" Files Directory Traversal Vulnerability (QID 12267)................... 232 PHP Python Extension "safe_mode" Restriction Bypass Vulnerability (QID 12269) ........................ 233 PHP "mbstring" Extension Buffer Overflow Vulnerability (QID 12270) ............................................ 233 PHP 'popen()' Function Buffer Overflow Vulnerability (QID 12271) ................................................. 234 PHP "dba_replace()" File Corruption Vulnerability (QID 12272) ...................................................... 234 PHP "mbstring.func_overload" Webserver Denial of Service Vulnerability (QID 12273) ................ 234 PHP 5.2.8 and Prior Versions Multiple Vulnerabilities (QID 12276) ................................................. 235 PHP cURL "safe_mode" and "open_basedir" Restriction Bypass Vulnerability (QID 12281) ........... 235 PHP Versions Prior to 5.2.12 Multiple Vulnerabilities (QID 12318) .................................................. 236 PHP "spl_object_storage_attach" Use-After-Free Vulnerability (QID 12378) .................................. 236 phpMyAdmin Backtrace Cross-Site Scripting Vulnerability (QID 12409) ......................................... 237 phpMyAdmin Database Search Cross-Site Scripting Vulnerability (QID 12456) .............................. 237 PhpMyAdmin Multiple Vulnerabilities (QID 12473) ......................................................................... 237 PHP Buffer Overflow Vulnerability (QID 12514) ............................................................................... 
238 PHP "proc_open()" Environment Parameter Safe Mode Restriction-Bypass Vulnerability (QID 116092) ............................................................................................................................................. 238 PHP Multiple Buffer Overflow Vulnerabilities (QID 116063) ............................................................ 239 POP3 Server Allows Plain Text Authentication Vulnerability (QID 74224) ........................................... 239 Ports ...................................................................................................................................................... 240 Hidden RPC Services (QID 11) ........................................................................................................... 240 Potential TCP Backdoor (QID 1004) .................................................................................................. 240 Ident Service (Potential Bot/Zombie) Detected (QID 1164) ............................................................. 241 FireWall-1 Administration Ports (34002) .......................................................................................... 241 UDP Test-Services (QID 38002) ......................................................................................................... 241 Python expat Module UTF-8 Denial of Service Vulnerability (QID 116581) ......................................... 242 Quate CMS Vulnerabilities .................................................................................................................... 242 Quate CMS Multiple Cross-Site Scripting (XSS) Vulnerabilities (QID 12262) .................................... 242 Radius Vulnerabilities............................................................................................................................ 243 Multiple Vendor Radius Short Vendor-Length Field Denial of Service Vulnerability (QID 38119) ... 
243 Red Hat Vulnerabilities ......................................................................................................................... 244 Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 14

Red Hat XFree86 Security Update (QID 115400) .............................................................................. 244 Red Hat XFree86 Security Update (QID 115411) .............................................................................. 244 Red Hat PHP Security Update (QID 115429) ..................................................................................... 245 Red Hat PHP Security Update (QID 115517) ..................................................................................... 245 Red Hat gnupg Security Update (QID 115524) ................................................................................. 246 Red Hat gzip Security Update (QID 115418) ..................................................................................... 246 Red Hat qt Security Update (QID 115450) ........................................................................................ 247 Red Hat texinfo Security Update (QID 115456) ................................................................................ 247 Red Hat tar Security Update Not Installed (QID 115482) ................................................................. 248 Red Hat unzip Security Update (QID 115759)................................................................................... 248 Red Hat libtiff Security Update (QID 115915) ................................................................................... 248 Red Hat Update for Lynx (QID 116015) ............................................................................................ 249 Red Hat and Solaris libxml2 Security Update (QID 116048) ............................................................. 249 Red Hat Update for gnome-vfs and gnome-vfs2 (QID 116135) ........................................................ 250 Red Hat cvs Security Update (QID 116352) ...................................................................................... 
251 Remote Vulnerabilities.......................................................................................................................... 251 Remote Login Service Open (QID 38019) ......................................................................................... 251 Remote Shell Service Open (QID 38020) .......................................................................................... 251 Remote Execution Service Open (QID 38021) .................................................................................. 252 Unauthenticated Root Access Allowed via rlogin (QID 38134)......................................................... 253 RPC Mountd Allows Remote Anonymous File System Root Mount (QID 68520)............................. 253 PAM r-commands Are Not Disabled (QID 105131)........................................................................... 253 Rex Deamon Vulnerabilities .................................................................................................................. 254 Checking Presence of the rpc rex deamon (QID 66031) ................................................................... 254 Routing Information Protocol Version 2 (RIPv2) Without Authentication (QID 38181) ....................... 254 Rsync Vulnerabilities ............................................................................................................................. 255 RSync Daemon Mode Undisclosed Remote Heap Overflow Vulnerability (QID 38237) .................. 255 Rsync Sanitize_path Function Module Path Escaping Vulnerability (QID 38303) ............................ 255 Samba Vulnerabilities ........................................................................................................................... 256 Remote User List Disclosure Using NetBIOS (QID 45003)................................................................. 
256 Samba "receive_smb_raw()" Buffer Overflow and Remote Code Execution (QID 115825) ............ 257 Samba Security Update (QID 115555) .............................................................................................. 258 Vulnerability Remediation Synopsis version 0.4Russ Klanke Page 15

Samba "domain logons" remote code execution (QID 115822) ....................................................... 259 NetBIOS Shared Folder List Available (QID 70001) ........................................................................... 259 Null Session/Password NetBIOS Access (QID 70003) ....................................................................... 260 Samba Remote Arbitrary File Access Vulnerability (QID 70040) ...................................................... 261 Samba Directory Access Control List Remote Integer Overflow Vulnerability (QID 70045)............. 262 Samba NMBD Logon Request Remote Buffer Overflow Vulnerability (QID 70046) ......................... 263 Samba Security Bypass and Format String Vulnerabilities (QID 70051) ........................................... 264 Samba "mount.cifs" Race Condition Security Issue (QID 70054) ..................................................... 264 Samba Multiple Remote Denial of Service Vulnerabilities (QID 70057) ........................................... 264 Samba chain_reply() Memory Corruption Vulnerability (QID 70058) .............................................. 265 Samba FD_SET Memory Corruption Vulnerability (QID 70061) ....................................................... 265 Samba "receive_smb_raw()" Buffer Overflow and Remote Code Execution (QID 115825) ............ 266 Sendmail Vulnerabilities ....................................................................................................................... 267 Sendmail Prescan() Variant Remote Buffer Overrun Vulnerability (QID 50080) .............................. 267 Sendmail ETRN Command Denial of Service Vulnerability (QID 74040)........................................... 267 Sendmail Debugger Arbitrary Code Execution Vulnerability (QID 74088) ....................................... 267 Sendmail Queue Processing Data Loss/Denial of Service Vulnerability (QID 74089) ....................... 
268
  Sendmail Unsafe Signal Handling Race Condition Vulnerability (QID 74091) .... 269
  Sendmail File Locking Denial of Service Vulnerability (QID 74108) .... 269
  Sendmail Header Processing Buffer Overflow Vulnerability (QID 74135) .... 269
  Sendmail Address Prescan Possible Memory Corruption Vulnerability (QID 74136) .... 270
  Sendmail check_relay Access Bypassing Vulnerability (QID 74141) .... 270
  Sendmail Asynchronous Signal Handling Remote Code Execution Vulnerability (QID 74212) .... 271
  Sendmail Malformed MIME Message Denial of Service (QID 74215) .... 271
  Sendmail Long Header Denial of Service Vulnerability (QID 74220) .... 272
  Sendmail SSL Certificate NULL Character Spoofing Vulnerability (QID 74240) .... 272
SMTP Vulnerabilities .... 272
  Mail Server Accepts Plaintext Credentials (QID 74147) .... 272
SNMP Vulnerabilities .... 273
  Possible Mail Relay (QID 74037) .... 273
  Readable SNMP Information (QID 78030) .... 273
  Writeable SNMP Information (QID 78031) .... 274
  Multiple Vendor SNMP Request and Trap Handling Vulnerabilities (QID 78035) .... 274
  SNMP Agent Stopped Responding (QID 78040) .... 275
  View-based Access Control MIB SNMP Walk Read-Write Password Revealing Vulnerability (QID 78042) .... 275
Source Port Pass Firewall Vulnerabilities .... 276
  TCP Source Port Pass Firewall (QID 34000) .... 276
  UDP Source Port Pass Firewall (QID 34020) .... 276
SSH Vulnerabilities .... 276
  SSH Protocol Version 1 Supported (QID 38304) .... 276
  SSH Weak Cipher Used (QID 38523) .... 277
SSL Server Vulnerabilities .... 277
  SSL Server Has SSLv2 Enabled Vulnerability (QID 38139) .... 277
  SSL Server Supports Weak Encryption Vulnerability (QID 38140) .... 279
  SSL Server May Be Forced to Use Weak Encryption Vulnerability (QID 38141) .... 281
  SSL Server Allows Anonymous Authentication Vulnerability (QID 38142) .... 282
  SSL Server Allows Cleartext Communication Vulnerability (QID 38143) .... 283
Squid Proxy Vulnerabilities .... 284
  Squid Proxy SSLConnectTimeout Remote Denial of Service Vulnerability (QID 62048) .... 284
  Squid Proxy Aborted Requests Remote Denial of Service Vulnerability (QID 62049) .... 284
  Squid Cache Update Denial of Service Vulnerability (QID 62056) .... 285
  Squid Proxy Header Parsing Remote Denial of Service (QID 62066) .... 285
statd .... 285
  statd and automountd RPC Service Remote Command Execution Vulnerability (QID 66011) .... 285
  Statd Format Bug Vulnerability (QID 66040) .... 286
Sudo Vulnerabilities .... 286
  Sudo Python Environment Variable Handling Security Bypass Vulnerability (QID 115313) .... 286
  Sudo Perl Environment Variable Handling Security Bypass Vulnerability (QID 115314) .... 287
Sun Java Web Console Vulnerabilities .... 287
  Sun Java Web Console Remote Information Disclosure Vulnerability (QID 86830) .... 287
  Sun Java Web Console May Allow Unauthorized Redirection (QID 86843) .... 288
  Sun Java Web Console helpwindow.jsp Cross-Site Scripting (XSS) (QID 86844) .... 288


  Sun Java Web Console navigator.jsp Cross-Site Scripting (XSS) (QID 86845) and Sun Java Web Console masthead.jsp Cross-Site Scripting (QID 86848) .... 289
Sun Solaris Vulnerabilities .... 290
  Sun Solaris FTPd glob() Expansion LIST Heap Overflow Vulnerability (QID 27068) .... 290
  Solaris 10 and Solaris 11 (SolarisExpress) Remote Access Telnet Daemon Flaw (QID 38574) .... 290
  ToolTalk Buffer Overflow Vulnerability (QID 66004) .... 291
  ypupdated RPC Daemon Remote Command Execution Vulnerability (QID 66015) .... 291
  cmsd RPC Daemon Over TCP Might Indicate a Break-in (QID 66037) .... 292
  Sun Solaris snmpXdmid Buffer Overflow Vulnerability (QID 66049) .... 292
  Sun Solaris RWall Daemon Syslog Format String Vulnerability (QID 66052) .... 293
  RWall Spoofing (QID 66017) .... 294
  Sun Solaris Tooltalk Database Server Multiple Vulnerabilities (QID 68510) .... 294
  Sun Solaris RPC AUTH_DES Privilege Escalation Vulnerability (QID 68514) .... 294
  Sun Solaris mibiisa Remote Buffer Overflow Vulnerability (QID 78038) .... 295
  Sun Solaris rpc.ypupdated May Allow Execution of Arbitrary Code Vulnerability (QID 116076) .... 295
  Sun Solaris SSH May Expose Some Plain Text from Encrypted Traffic (QID 116250) .... 295
  Solaris NFSv4 Server Kernel Module Denial of Service Vulnerability (QID 116272) .... 296
  Sun Solaris "keysock" Kernel Module Local Denial of Service Vulnerability (QID 116303) .... 296
  Sun Solaris Crypto Pseudo Device Driver Denial of Service Vulnerability (QID 116304) .... 297
  Sun Solaris dircmp Shell Script File Overwriting Vulnerability (QID 116340) .... 297
  Sun Solaris IPv6 Implementation Denial of Service Vulnerability (QID 116366) .... 298
  Solaris IKE Packet Handling may Lead to a Crash of in.iked Vulnerability (QID 116404) .... 298
  Sun Solaris GSS-API Library Code Execution Vulnerability (QID 116432) .... 299
  Sun Solaris libpng Multiple Vulnerabilities (QID 116448) .... 299
  Solaris DTrace Handlers Denial of Service Vulnerability (QID 116454) .... 300
  Sun Solaris Security Vulnerability in GnuTLS Library Certificate Chain Validation (QID 116460) .... 300
  Sun Solaris Ghostscript Multiple Vulnerabilities (QID 116480) .... 301
  Sun Solaris auditconfig Command Privilege Escalation Vulnerability (QID 116497) .... 302
  Sun Solaris Kernel Denial of Service Vulnerability (QID 116500) .... 302
  Sun Solaris Network File System Unauthorized Network Access Vulnerability (QID 116501) .... 302
  Sun Solaris NFSv4 Kernel Module Denial of Service Vulnerability (QID 116514) .... 303
  Sun Solaris SCTP Packet Processing Denial of Service Vulnerability (QID 116516) .... 303

  Sun Solaris Auditing Extended File Attributes Denial of Service Vulnerability (QID 116533) .... 304
  Sun Solaris and AIX BIND Dynamic Update Denial of Service Vulnerability (QID 116538) .... 304
  Sun Solaris "sockfs" Kernel Module Remote Denial of Service Vulnerability (QID 116587) .... 305
  Sun Solaris libtiff Image Conversion Tools Integer Overflow Vulnerability (QID 116591) .... 305
  Sun Solaris "w" Utility Privilege Escalation Vulnerability (QID 116610) .... 306
  Sun Solaris IP Module and STREAMS Framework Denial of Service Vulnerability (QID 116623) .... 306
  Sun Solaris Sockets Direct Protocol (SDP) Driver "sdp(7D)" Remote Denial of Service Vulnerability (QID 116675) .... 306
  Sun Solaris Trusted Extensions Missing Libraries Privilege Escalation Vulnerability (QID 116796) .... 307
  Solaris PostgreSQL Privilege Escalation or Man-in-the-Middle on SSL Connections (QID 116841) .... 307
  Solaris GNOME PDF Rendering Libraries Denial of Service or Arbitrary Code Execution Vulnerabilities (QID 117018) .... 308
Sun Solaris and Red Hat bzip2 Command May Lead to Denial of Service (QID 115953) .... 308
TFTP .... 309
  TFTP Daemon Theft of '/etc/passwd' file (QID 38064) .... 309
  TFTP Server Directory Traversal Vulnerability (QID 38065) .... 309
Veritas NetBackup Vulnerabilities .... 310
  Veritas NetBackup Java User-Interface Remote Format String Vulnerability (QID 38482) .... 310
VNC Vulnerabilities .... 310
  VNC Server Weak Password Encryption Vulnerability (QID 38023) .... 310
  Null Authentication VNC Server Access (QID 38161) .... 311
Web Server Vulnerabilities .... 311
  Web Server Vulnerable to Cross Site Scripting (XSS) (QID 10788) .... 311
  Session-Fixation Social Engineered Session Hijacking (QID 12074) .... 312
  CONNECT Method Allowed in HTTP Server Or HTTP Proxy Server Vulnerability (QID 62026) .... 313
  Web Server/ Web Application Vulnerable to Cross-Site Scripting (XSS) Attacks (QID 86175) .... 313
  Listing of Scripts in the scripts Directory (QID 86333) .... 314
  Generic Web Server Directory Traversal Vulnerability (QID 86375) .... 314
  Web Server Stopped Responding (QID 86476) .... 314
  Multiple Vendor Multiple HTTP Request Smuggling Vulnerabilities (QID 86705) .... 315
  Web Server Vulnerable to Redirection Page Cross-Site Scripting (XSS) Attacks (QID 86714) .... 316
  Web Server Uses Plain-Text Form Based Authentication (QID 86728) .... 317

Webmin / Usermin Vulnerabilities .... 317
  Webmin / Usermin Authentication Bypass Vulnerability (QID 10658) .... 317
  Webmin / Usermin Login Cross Site Scripting Vulnerability (QID 10659) .... 317
  Webmin Environment Variable Information Disclosure Vulnerability (QID 86156) .... 318
Wind River VxWorks WDB Debugging Service Security Bypass Vulnerability (QID 42346) .... 318
WINS Vulnerabilities .... 319
  WINS Domain Controller Spoofing Vulnerability - Zero Day (QID 70007) .... 319
  NetBIOS Name Conflict Vulnerability (QID 70008) .... 320
  NetBIOS Release Vulnerability (QID 70009) .... 321
WordPress Vulnerabilities .... 321
  WordPress Publish Posts Remote Security Bypass Vulnerability (QID 12497) .... 321
WU-FTPD Vulnerabilities .... 322
  WU-FTPD FB_RealPath Off-By-One Buffer Overflow Vulnerability (QID 27200) .... 322
  Unauthenticated Access to FTP Server Allowed (QID 27210) .... 322
  WU-FTPD Restricted-gid Unauthorized Access Vulnerability (QID 27274) .... 322
  WU-FTPD SockPrintf() Remote Stack-based Buffer Overrun Vulnerability (QID 27275) .... 323
  WU-FTPD S/Key Remote Buffer Overrun Vulnerability (QID 27276) .... 324
X Vulnerabilities .... 324
  X Display Manager Control Protocol (XDMCP) Detected (QID 38147) .... 324
  X-Window Sniffing (QID 95001) .... 325
Registration of Bogus RPC Programs (QID 66023) .... 326
Appendices .... 326
  Regarding Cross-Site Scripting (XSS) Vulnerability Detection .... 326
  Red Hat Updates .... 327
  Security Vulnerability Assessment minimum software versions .... 327


Qualys as a mitigation recommendation tool (Knowledge Base)

Many vendor and bugtraq references are missing. For example, "Apache Tomcat 5 and 6 Host Manager Web Application Cross-Site Scripting (XSS) Vulnerability (QID 86803)": CVE-2008-1947 lacks the vendor reference (http://tomcat.apache.org/security-5.html#Apache_Tomcat_5.x_vulnerabilities, fixed in 5.5.27) and the bugtraq IDs (29502, 31681). One, and sometimes two, security bulletins are mentioned when describing a Red Hat vulnerability, when four or more bulletins are necessary to describe the Red Hat response. This publication attempts to fill in those blanks.

Mitigation recommendations are not updated. For example, "Sun Java Web Console helpwindow.jsp Cross-Site Scripting (QID 86844)": Qualys reports that no vendor patch is available at this time, and offers no CVE to track. The CVE is CVE-2009-2283. The patch is Sun Solaris patch 136987-03. This suggests that once a vulnerability is added to the database, it is not reviewed again, so the mitigation measures suggested by the database will become obsolete.

Another example: notes about "Microsoft Windows Task Scheduler Code Execution (MS04-022) (QID 90134)" mention "This update resolves a newly-discovered, privately reported vulnerability." Other notes indicate that the vendor has made no patch available. These remarks should be ignored. The customer must determine whether a patch or other remediation measure is available.

Vulnerabilities in Open Source software are usually mitigated by the vendor by applying a code fix and recompiling, so the remediated build keeps the vendor's own (earlier) version number. This is "backporting" the patch. Detecting vulnerabilities in Open Source software (such as Apache and OpenSSH) by version number is therefore complicated. You should use the vendor-supplied patch (such as the Red Hat update that addresses the vulnerability) rather than install the generally available upgrade version, because vendors typically backport the software change.

For example, for "OpenSSH Multiple Memory Management Vulnerabilities (QID 38217)" Qualys recommends OpenSSH 3.7.1. This would not be possible when the platform is Cisco CatOS (CatOS 8.5(8) and 8.6(4) include the patch). When the platform is Red Hat Enterprise Linux 2.1, the patch is included in OpenSSH_3.1p1-14 (backported). When the platform is Red Hat EL 3, no released version is vulnerable (the patch was backported to OpenSSH_3.6.1p2). Checking for version OpenSSH 3.7.1 is insufficient to determine whether the system is vulnerable.

Another example, "Sendmail Long Header Denial of Service Vulnerability (QID 74220)": find CVE-2006-4434 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4434. For Red Hat information, start at https://www.redhat.com/security/data/cve/ and search for the CVE ID.

Red Hat EL 3
Red Hat EL 4
Red Hat EL 5


For Solaris information, start at http://blogs.oracle.com/sunsecurity/ and search for the CVE ID.

Solaris 5.10 Generic_141414-07
Solaris 8
Solaris 9
  o SPARC Platform
  o X86 Platform
Solaris 10
  o SPARC Platform
  o X86 Platform
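The OpenSSH case above, as an added example (not code from the synopsis, Red Hat or Qualys): a platform-aware version check that knows where each vendor backported the fix for QID 38217, next to the bare upstream "below 3.7.1" threshold. The platform keys, the banner and package-name formats it accepts, and the sample inputs are assumptions of this example, built only from the versions the synopsis states.

```python
import re
from typing import Optional, Tuple

# Added example, not code from the synopsis, Red Hat or Qualys. It contrasts a
# bare "is the version below 3.7.1?" test (the upstream fix for QID 38217) with
# a platform-aware test that knows where each vendor backported the fix.

Version = Tuple[int, int, int, int]  # (major, minor, patch, portable "p" level)

_VERSION_RE = re.compile(
    r"^(?:openssh[_-])?(?P<maj>\d+)\.(?P<min>\d+)(?:\.(?P<pat>\d+))?"
    r"(?:p(?P<port>\d+))?(?:-(?P<rel>\d+))?",
    re.IGNORECASE,
)


def parse_openssh(text: str) -> Tuple[Version, Optional[int]]:
    """Accept an SSH banner ("SSH-1.99-OpenSSH_3.1p1"), a package name
    ("openssh-3.1p1-14") or a bare version ("3.7.1").  Return the upstream
    version tuple and the vendor package release, or None for the release
    when the input (such as a network banner) does not carry one."""
    text = re.sub(r"^SSH-\d\.\d+-", "", text.strip())  # drop a banner's protocol prefix
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised OpenSSH version: {text!r}")
    version = (int(m["maj"]), int(m["min"]), int(m["pat"] or 0), int(m["port"] or 0))
    release = int(m["rel"]) if m["rel"] else None
    return version, release


# Where the fix for QID 38217 landed on each platform, as stated in the synopsis:
# upstream OpenSSH 3.7.1; Red Hat EL 2.1 in package openssh-3.1p1-14; Red Hat EL 3
# never shipped a vulnerable build (fix backported into 3.6.1p2).  The platform
# keys are this example's own naming.
NOT_AFFECTED = object()
FIX_BY_PLATFORM = {
    "upstream": ((3, 7, 1, 0), None),
    "rhel2.1": ((3, 1, 0, 1), 14),
    "rhel3": NOT_AFFECTED,
}


def naive_upstream_check(detected: str) -> bool:
    """Flag anything below 3.7.1 as vulnerable, ignoring backports (false positives on RHEL)."""
    version, _ = parse_openssh(detected)
    return version < FIX_BY_PLATFORM["upstream"][0]


def is_vulnerable(platform: str, detected: str) -> Optional[bool]:
    """Platform-aware check.  Returns None when the evidence (a banner without
    a package release) cannot settle the question for a backported build."""
    fix = FIX_BY_PLATFORM[platform]
    if fix is NOT_AFFECTED:
        return False
    fix_version, fix_release = fix
    version, release = parse_openssh(detected)
    if version != fix_version:
        return version < fix_version
    if fix_release is None:
        return False          # upstream: reaching the fixed version is enough
    if release is None:
        return None           # banner only: the package release is not visible
    return release < fix_release


if __name__ == "__main__":
    # Constructed inputs: a RHEL 3 banner the naive check wrongly flags, and
    # RHEL 2.1 package names on either side of the backported fix.
    print(naive_upstream_check("OpenSSH_3.6.1p2"), is_vulnerable("rhel3", "OpenSSH_3.6.1p2"))
    print(is_vulnerable("rhel2.1", "openssh-3.1p1-10"), is_vulnerable("rhel2.1", "openssh-3.1p1-14"))
    print(is_vulnerable("rhel2.1", "SSH-1.99-OpenSSH_3.1p1"))
```

A None result is the practical caveat: a remote banner cannot distinguish openssh-3.1p1-10 from openssh-3.1p1-14, so the package release must be read from the host.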

Solaris articles are available with an Oracle ID and a support account, or archived at download.oracle.com/sunalerts. For example, you may not be able to access Oracle ID 1000292.1 at https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&id=1000292.1, but you should be able to read it at http://download.oracle.com/sunalerts/1000292.1.html.

Linux 2.6, Linux 2.6.9 and other variants are not sufficiently specific to determine the vendor build. Qualys does detect some more granular Linux versions, but I have not yet learned the distribution that these versions map to. When Qualys detects Linux 2.6.9, can I assume that it is Red Hat EL 4? How about Linux 2.6.18-194; can I assume that this is Red Hat EL 5?

Qualys does not reuse some of its detection results. For example, Qualys may report the result:

Detected service telnet and os CISCO IOS 11.3-12.4

However, if the vulnerability "Cisco IOS Firewall Authentication Proxy for FTP and Telnet Sessions Buffer Overflow (QID 38471)" is detected, Qualys may detect the operating system as:

Cisco IOS Version 12.2(31)SGA4
Cisco IOS Version 12.2(40)SE2
Cisco IOS Version 12.2(53)SE2

This operating system information is sufficiently detailed to determine that other vulnerabilities have been mitigated. Qualys does not parse Cisco version numbers when determining whether a vulnerability has been mitigated. Although Cisco version numbers are complicated (such as "12.2(31)SGA4"), simplifying the version number to "12.2" is not accurate.
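An added example (not from the synopsis or from Qualys) of parsing Cisco IOS version strings so that a detected version can be compared with a first-fixed version inside its own release train rather than truncated to "12.2". The "first fixed" value 12.2(46)SE used in the demonstration is constructed for the example, not Cisco data.

```python
import re
from typing import NamedTuple, Optional

# Added example, not code from the synopsis or from Qualys. Splits Cisco IOS
# version strings such as "12.2(31)SGA4" into major.minor(maintenance)TRAIN
# rebuild so a detected version can be ordered against a "first fixed" version
# within the same train, instead of being collapsed to "12.2".

IOS_VERSION_RE = re.compile(
    r"^(?:Cisco IOS Version\s+)?"            # optional prefix as shown in scan results
    r"(?P<major>\d+)\.(?P<minor>\d+)"        # e.g. 12.2
    r"\((?P<maint>\d+)\)"                    # maintenance release in parentheses, e.g. (31)
    r"(?P<train>[A-Z]+)?"                    # train letters, e.g. SGA or SE (absent on mainline)
    r"(?P<rebuild>\d+)?(?P<suffix>[a-z])?$"  # rebuild number and optional letter, e.g. 4 or 3a
)


class IosVersion(NamedTuple):
    major: int
    minor: int
    maint: int
    train: str      # "" for a mainline release such as 12.2(31)
    rebuild: int    # 0 when no rebuild number is present
    suffix: str     # letter after the rebuild number, "" when absent


def parse_ios_version(text: str) -> IosVersion:
    """Split a Cisco IOS version string into comparable fields."""
    m = IOS_VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Cisco IOS version: {text!r}")
    return IosVersion(
        int(m["major"]), int(m["minor"]), int(m["maint"]),
        m["train"] or "", int(m["rebuild"] or 0), m["suffix"] or "",
    )


def truncated_version(text: str) -> str:
    """The lossy simplification the synopsis warns against: 12.2(31)SGA4 -> "12.2"."""
    v = parse_ios_version(text)
    return f"{v.major}.{v.minor}"


def is_fixed(detected: str, first_fixed: str) -> Optional[bool]:
    """True if `detected` is at or past `first_fixed` within the same release
    train, False if it is older, and None when the two versions belong to
    different trains and therefore cannot be ordered against each other."""
    d, f = parse_ios_version(detected), parse_ios_version(first_fixed)
    if (d.major, d.minor, d.train) != (f.major, f.minor, f.train):
        return None
    return (d.maint, d.rebuild, d.suffix) >= (f.maint, f.rebuild, f.suffix)


if __name__ == "__main__":
    # The three versions the synopsis shows for QID 38471, checked against a
    # constructed first-fixed version 12.2(46)SE (an example value, not Cisco data).
    for line in ["Cisco IOS Version 12.2(31)SGA4",
                 "Cisco IOS Version 12.2(40)SE2",
                 "Cisco IOS Version 12.2(53)SE2"]:
        print(f"{line}: truncated={truncated_version(line)} fixed={is_fixed(line, '12.2(46)SE')}")
```

Truncation makes all three look like "12.2", whereas the train-aware comparison separates the SE build that is older than the fix, the SE build that is newer, and the SGA build that cannot be judged against an SE fix at all.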


Adobe Flash Vulnerabilities

Adobe Flash Player Multiple Vulnerabilities (QID 116536)

CVE-2009-1862, CVE-2009-0901, CVE-2009-2395, CVE-2009-2493, CVE-2009-1863, CVE-2009-1864, CVE-2009-1865, CVE-2009-1866, CVE-2009-1867, CVE-2009-1868, CVE-2009-1869, CVE-2009-1870, APSB09-10, APSA09-04, APSA09-03, Oracle ID 1020856.1, MS09-034, 973882, MS09-035

Adobe reports multiple vulnerabilities in versions 9 and 10 of Flash Player for the Windows, Macintosh and Linux operating systems. A vulnerability exists in Flash Player on Windows operating systems for use with Internet Explorer. It leverages a vulnerable version of the Microsoft Active Template Library (ATL) described in Microsoft Security Advisory (973882). A vulnerability in Flash Player for Windows, Macintosh and Linux operating systems can be exploited by supplying a malicious Flash (".swf") file or by embedding a malicious Flash application in a PDF file.

Successful exploitation of this vulnerability could allow an attacker to take control of the affected system. Successful exploits may also allow an attacker to execute arbitrary code in the context of the user running the affected application.

Affected Versions:
Flash Player Version 9.0.159.0 and earlier
Flash Player Version 10.0.22.87 and earlier
Adobe AIR Version 1.5.1 and earlier

Install the vendor update or upgrade to Adobe Flash Player 9.0.246.0 or 10.0.32.18 (or later) or Adobe AIR 1.5.2 (or later). Refer to Adobe Security Advisories APSA09-04 and APSA09-03 and Adobe Security Bulletin APSB09-10 for additional details on the vulnerabilities and patch instructions for Flash Player. For Solaris, refer to security advisory Oracle ID 1020856.1 to obtain additional details about this vulnerability.

Workaround: Users should consider installing the Microsoft patches for Microsoft Security Bulletin MS09-034. As a defense-in-depth measure, this Internet Explorer security update helps mitigate known attack vectors within Internet Explorer for those components and controls, such as Flash Player, that have been developed with vulnerable versions of ATL as described in Microsoft Security Advisory (973882) and Microsoft Security Bulletin MS09-035.

This vulnerability is confirmed by detecting "SUNWflash-player-plugin is installed" and "125332-07 is missing".
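The "SUNWflash-player-plugin is installed" and "125332-07 is missing" conditions above (the Adobe Reader entries that follow use the same form with SUNWacroread and 121104-06), as an added example that is not code from the synopsis or from Qualys: it parses showrev -p style output and decides whether a required Solaris patch revision is present, including the case where a later patch obsoletes it. The sample host data, the 123456-01 patch ID and the SUNWexample package are constructed for the example; the other IDs are the ones the synopsis cites.

```python
import re
from typing import List, NamedTuple, Set

# Added example, not code from the synopsis or from Qualys. It evaluates the
# two conditions the synopsis quotes for Solaris findings, "<package> is
# installed" and "<patch> is missing", from pkginfo style package names and
# showrev -p style patch lines.  A Solaris patch ID is <base>-<revision>; a
# later revision of the same base, or a patch whose Obsoletes field names it,
# satisfies the requirement.


class Patch(NamedTuple):
    base: str   # six digit patch base, e.g. "125332"
    rev: int    # two digit revision, e.g. 7 for "-07"


class InstalledPatch(NamedTuple):
    patch: Patch
    obsoletes: List[Patch]
    packages: List[str]


_PATCH_ID_RE = re.compile(r"^(\d{6})-(\d{2})$")
_SHOWREV_RE = re.compile(
    r"^Patch:\s*(?P<id>\S+)\s+Obsoletes:(?P<obs>.*?)Requires:(?P<req>.*?)"
    r"Incompatibles:(?P<inc>.*?)Packages:(?P<pkgs>.*)$"
)


def parse_patch_id(text: str) -> Patch:
    m = _PATCH_ID_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a Solaris patch id: {text!r}")
    return Patch(m.group(1), int(m.group(2)))


def _id_list(field: str) -> List[Patch]:
    return [parse_patch_id(t) for t in re.split(r"[,\s]+", field.strip()) if t]


def parse_showrev(lines) -> List[InstalledPatch]:
    """Parse showrev -p output; lines that are not patch records are skipped."""
    found = []
    for line in lines:
        m = _SHOWREV_RE.match(line.strip())
        if m:
            pkgs = [p.strip() for p in m["pkgs"].split(",") if p.strip()]
            found.append(InstalledPatch(parse_patch_id(m["id"]), _id_list(m["obs"]), pkgs))
    return found


def patch_satisfied(installed: List[InstalledPatch], required: Patch) -> bool:
    """True when the required base is present at the required revision or later,
    either directly or through a patch that obsoletes it."""
    for ip in installed:
        for candidate in [ip.patch, *ip.obsoletes]:
            if candidate.base == required.base and candidate.rev >= required.rev:
                return True
    return False


def evaluate_finding(packages: Set[str], installed: List[InstalledPatch],
                     package: str, required_patch: str) -> str:
    """Mirror the synopsis condition: the finding applies only when the package
    is installed, and is remediated once the patch (or a superseding one) is on."""
    if package not in packages:
        return "not applicable"
    if patch_satisfied(installed, parse_patch_id(required_patch)):
        return "patched"
    return "vulnerable"


# Constructed sample host data (not captured from a real system).
SAMPLE_PACKAGES = {"SUNWflash-player-plugin", "SUNWacroread", "SUNWexample"}
SAMPLE_SHOWREV = """\
Patch: 125332-05 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWflash-player-plugin
Patch: 121104-07 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWacroread
Patch: 123456-01 Obsoletes: 136987-03 Requires:  Incompatibles:  Packages: SUNWexample
""".splitlines()
SAMPLE_PATCHES = parse_showrev(SAMPLE_SHOWREV)

if __name__ == "__main__":
    for pkg, patch in [("SUNWflash-player-plugin", "125332-07"),   # QID 116536
                       ("SUNWacroread", "121104-06"),              # QID 116027
                       ("SUNWexample", "136987-03")]:              # patch for QID 86844
        print(pkg, patch, evaluate_finding(SAMPLE_PACKAGES, SAMPLE_PATCHES, pkg, patch))
```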


Adobe Reader Vulnerabilities

Adobe Acrobat is a family of computer programs developed by Adobe Systems, designed to view, create, manipulate and manage files in Adobe's Portable Document Format (PDF).

Adobe Acrobat/Reader "util.printf()" Buffer Overflow Vulnerability (QID 116027)

CVE-2008-2992, CVE-2008-2549, CVE-2008-4812, CVE-2008-4813, CVE-2008-4817, CVE-2008-4816, CVE-2008-4814, CVE-2008-4815, APSB08-19, Oracle ID 1019937.1

The vulnerability is caused by a boundary error when parsing format strings containing a floating point specifier in the "util.printf()" JavaScript function and can be exploited to cause a stack-based buffer overflow via a specially crafted PDF. Successful exploitation may allow execution of arbitrary code when viewing a malicious PDF file. Adobe Reader, when used as a browser plugin, may give remote users the ability to execute arbitrary code within the browser with the permissions of the local user.

Install the vendor update or upgrade Adobe Acrobat or Reader to 8.1.3 or later. Refer to security bulletin APSB08-19 for additional information. For Sun Solaris, refer to Oracle ID 1019937.1 to obtain patch details.

This vulnerability is confirmed by detecting "SUNWacroread is installed" and "121104-06 is missing."

Sun Solaris Adobe Reader Multiple Vulnerabilities (QID 116386)

CVE-2009-0193, CVE-2009-0658, CVE-2009-0927, CVE-2009-0928, CVE-2009-1061, CVE-2009-1062, Sun Alert ID 256788, Oracle ID 1020358.1

The following security vulnerabilities have been identified in Adobe Reader and Acrobat 9 and earlier versions:

A buffer overflow flaw exists in Adobe Acrobat and Reader. A maliciously created PDF is used to exploit a vulnerability in a non-JavaScript function call; however, it also uses some JavaScript to implement a heap spray so that code execution succeeds. The specially crafted PDF contains JavaScript that fills the heap with shellcode, which allows arbitrary code to be executed with the privileges of the user running the application. (CVE-2009-0658)

A heap-based buffer overflow vulnerability allows remote attackers to execute arbitrary code via a PDF file containing a JBIG2 stream with a size inconsistency related to an unspecified table. (CVE-2009-0928)

A stack-based buffer overflow vulnerability is caused when processing a specially crafted argument passed to the JavaScript "getIcon()" method of a Collab object. This issue can be exploited by a remote attacker to execute arbitrary code by tricking a user into opening a specially crafted PDF file. (CVE-2009-0927)

Unspecified vulnerabilities in Acrobat Reader can be exploited by remote attackers to execute arbitrary code via attack vectors related to JBIG2 and input validation. (CVE-2009-0193, CVE-2009-1061, CVE-2009-1062)


Successful exploitation may allow remote unprivileged users to execute arbitrary code or crash the Adobe Reader application, thereby causing a denial of service. These vulnerabilities may be exploited via specially crafted PDF files. Solaris 10 on the SPARC platform is vulnerable to the above issues. Solaris 8, Solaris 9, Solaris 10 on the x86 platform and OpenSolaris do not ship with Adobe Reader and therefore are not affected by this issue. Refer to security advisory Oracle ID 1020358.1 to obtain additional details about this vulnerability.

Workaround: Disable JavaScript in Adobe Acrobat or Reader to prevent a potential exploit. JavaScript can be disabled as follows:
Launch Acrobat or Adobe Reader.
Select "Edit", "Preferences".
Select the JavaScript category.
Uncheck the "Enable Acrobat JavaScript" option and click OK.

Note: Disabling JavaScript prevents some exploits from resulting in code execution; however, exploitation is still possible with JavaScript disabled, and if successful it may crash the application.

Workaround: Prevent PDF documents from being opened automatically by the Web browser.
Open Adobe Acrobat Reader.
Open the Edit menu.
Choose the Preferences option.
Choose the Internet section.
Un-check the "Display PDF in browser" check box.

Workaround: Prevent the Web browser from opening PDF documents. Because web browsers differ, the way to change the default action for PDF documents varies, but it should be something like:
Open the Web browser.
Open the Tools menu.
Choose the Options option.
Select the Applications tab.
Select the PDF file type from the list and change its action from opening it in the browser to another option (save the file to the computer or open it in Adobe Reader).

This vulnerability is confirmed by detecting "8.1.2_SU1".

Sun Solaris Adobe Reader Multiple Vulnerabilities (QID 116437)

CVE-2008-5519, CVE-2009-1493, Sun Alert ID 259028, Oracle ID 1020468.1


The following security vulnerabilities exist in Adobe Reader Versions 9.1 and earlier for Solaris 10. These flaws can be exploited by enticing unsuspecting users into opening malicious PDF files to crash the application or execute arbitrary code. An error when processing calls to the "getAnnots()" JavaScript method can be exploited to corrupt memory via a specially crafted PDF file that contains an annotation and has an OpenAction entry with JavaScript code that calls this method with crafted integer arguments. (CVE-2009-1492) An error when processin