Weekly Vulnerabilities Reports > May 31 to June 6, 2004

Overview

40 new vulnerabilities reported during this period, including 2 critical vulnerabilities and 16 high severity vulnerabilities. This weekly summary report vulnerabilities in 36 products from 21 vendors including Microsoft, Linux, Oracle, Realnetworks, and CVS. Vulnerabilities are notably categorized as "NULL Pointer Dereference", and "Improper Restriction of Operations within the Bounds of a Memory Buffer".

  • 30 reported vulnerabilities are remotely exploitables.
  • 40 reported vulnerabilities are exploitable by an anonymous user.
  • Microsoft has the most reported vulnerabilities, with 18 reported vulnerabilities.
  • Oracle has the most reported critical vulnerabilities, with 1 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

2 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2004-06-01 CVE-2004-0391 Cisco Unspecified vulnerability in Cisco products

Cisco Wireless LAN Solution Engine (WLSE) 2.0 through 2.5 and Hosting Solution Engine (HSE) 1.7 through 1.7.3 have a hardcoded username and password, which allows remote attackers to add new users, modify existing users, and change configuration.

10.0
2004-06-01 CVE-2004-0385 Oracle Unspecified vulnerability in Oracle Application Server web Cache and E-Business Suite

Heap-based buffer overflow in Oracle 9i Application Server Web Cache 9.0.4.0.0, 9.0.3.1.0, 9.0.2.3.0, and 9.0.0.4.0 allows remote attackers to execute arbitrary code via a long HTTP request method header to the Web Cache listener.

10.0

16 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2004-06-01 CVE-2004-0389 Realnetworks Denial of Service vulnerability in Realnetworks Helix Universal Server 9.0.1/9.0.2

RealNetworks Helix Universal Server 9.0.1 and 9.0.2 allows remote attackers to cause a denial of service (crash) via malformed requests that trigger a null dereference, as demonstrated using (1) GET_PARAMETER or (2) DESCRIBE requests.

7.8
2004-06-01 CVE-2003-0906 Microsoft Remote Buffer Overflow vulnerability in Microsoft Windows 2000, Windows NT and Windows XP

Buffer overflow in the rendering for (1) Windows Metafile (WMF) or (2) Enhanced Metafile (EMF) image formats in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, and XP SP1 allows remote attackers to execute arbitrary code via a malformed WMF or EMF image.

7.6
2004-06-01 CVE-2004-2044 Francisco Burzi
Oscommerce
Paul Laudanski
Trustix
PHP-Nuke 7.3, and other products that use the PHP-Nuke codebase such as the Nuke Cops betaNC PHP-Nuke Bundle, OSCNukeLite 3.1, and OSC2Nuke 7x do not properly use the eregi() PHP function with $_SERVER['PHP_SELF'] to identify the calling script, which allows remote attackers to directly access scripts, obtain path information via a PHP error message, and possibly gain access, as demonstrated using an HTTP request that contains the "admin.php" string.
7.5
2004-06-01 CVE-2004-0409 Xchat Unspecified vulnerability in Xchat

Stack-based buffer overflow in the Socks-5 proxy code for XChat 1.8.0 to 2.0.8, with socks5 traversal enabled, allows remote attackers to execute arbitrary code.

7.5
2004-06-01 CVE-2004-0197 Microsoft Remote Code Execution vulnerability in Microsoft JET 4.0

Buffer overflow in Microsoft Jet Database Engine 4.0 allows remote attackers to execute arbitrary code via a specially-crafted database query.

7.5
2004-06-01 CVE-2004-0155 Kame Unspecified vulnerability in Kame Racoon

The KAME IKE Daemon Racoon, when authenticating a peer during Phase 1, validates the X.509 certificate but does not verify the RSA signature authentication, which allows remote attackers to establish unauthorized IP connections or conduct man-in-the-middle attacks using a valid, trusted X.509 certificate.

7.5
2004-06-01 CVE-2004-0123 Microsoft Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Microsoft products

Double free vulnerability in the ASN.1 library as used in Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service and possibly execute arbitrary code.

7.5
2004-06-01 CVE-2004-0119 Microsoft Null Pointer Dereference vulnerability in Microsoft Windows 2000, Windows Server 2003 and Windows XP

The Negotiate Security Software Provider (SSP) interface in Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service (crash from null dereference) or execute arbitrary code via a crafted SPNEGO NegTokenInit request during authentication protocol selection.

7.5
2004-06-01 CVE-2004-0117 Microsoft Unspecified vulnerability in Microsoft products

Unknown vulnerability in the H.323 protocol implementation in Windows 98, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code.

7.5
2004-06-01 CVE-2003-0806 Microsoft Remote Buffer Overflow vulnerability in Microsoft Windows 2000, Windows NT and Windows XP

Buffer overflow in the Windows logon process (winlogon) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, and XP SP1, when a member of a domain, allows remote attackers to execute arbitrary code.

7.5
2004-06-01 CVE-2003-0719 Microsoft Unspecified vulnerability in Microsoft products

Buffer overflow in the Private Communications Transport (PCT) protocol implementation in the Microsoft SSL library, as used in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via PCT 1.0 handshake packets.

7.5
2004-06-01 CVE-2003-0533 Microsoft Buffer Overrun vulnerability in Microsoft Windows LSASS

Stack-based buffer overflow in certain Active Directory service functions in LSASRV.DLL of the Local Security Authority Subsystem Service (LSASS) in Microsoft Windows NT 4.0 SP6a, 2000 SP2 through SP4, XP SP1, Server 2003, NetMeeting, Windows 98, and Windows ME, allows remote attackers to execute arbitrary code via a packet that causes the DsRolerUpgradeDownlevelServer function to create long debug entries for the DCPROMO.LOG log file, as exploited by the Sasser worm.

7.5
2004-06-01 CVE-2004-0118 Microsoft Local Privilege Escalation vulnerability in Microsoft Windows 2000 and Windows NT

The component for the Virtual DOS Machine (VDM) subsystem in Windows NT 4.0 and Windows 2000 does not properly validate system structures, which allows local users to access protected kernel memory and execute arbitrary code.

7.2
2004-06-01 CVE-2003-0910 Microsoft Local Descriptor Table Local Privilege Escalation vulnerability in Microsoft Windows 2000 and Windows NT

The NtSetLdtEntries function in the programming interface for the Local Descriptor Table (LDT) in Windows NT 4.0 and Windows 2000 allows local attackers to gain access to kernel memory and execute arbitrary code via an expand-down data segment descriptor descriptor that points to protected memory.

7.2
2004-06-01 CVE-2003-0909 Microsoft Local Privilege Escalation vulnerability in Microsoft Windows Management

Windows XP allows local users to execute arbitrary programs by creating a task at an elevated privilege level through the eventtriggers.exe command-line tool or the Task Scheduler service, aka "Windows Management Vulnerability."

7.2
2004-06-01 CVE-2003-0908 Microsoft Local Privilege Escalation vulnerability in Microsoft Windows Utility Manager

The Utility Manager in Microsoft Windows 2000 executes winhlp32.exe with system privileges, which allows local users to execute arbitrary code via a "Shatter" style attack using a Windows message that accesses the context sensitive help button in the GUI, as demonstrated using the File Open dialog in the Help window, a different vulnerability than CVE-2004-0213.

7.2

15 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2004-06-01 CVE-2004-0387 Realnetworks Remote R3T File Stack Buffer Overflow vulnerability in RealNetworks RealOne Player/RealPlayer

Stack-based buffer overflow in the RT3 plugin, as used in RealPlayer 8, RealOne Player, RealOne Player 10 beta, and RealOne Player Enterprise, allows remote attackers to execute arbitrary code via a malformed .R3T file.

5.1
2004-06-01 CVE-2004-0179 Cadaver
Neon
Openoffice
Subversion
Multiple format string vulnerabilities in (1) neon 0.24.4 and earlier, and other products that use neon including (2) Cadaver, (3) Subversion, and (4) OpenOffice, allow remote malicious WebDAV servers to execute arbitrary code.
5.1
2004-06-01 CVE-2003-0907 Microsoft Unspecified vulnerability in Microsoft Windows 2003 Server and Windows XP

Help and Support Center in Microsoft Windows XP SP1 does not properly validate HCP URLs, which allows remote attackers to execute arbitrary code via quotation marks in an hcp:// URL, which are not quoted when constructing the argument list to HelpCtr.exe.

5.1
2004-06-01 CVE-2004-0405 CVS Unspecified vulnerability in CVS

CVS before 1.11 allows CVS clients to read arbitrary files via ..

5.0
2004-06-01 CVE-2004-0403 Kame Denial of Service vulnerability in KAME Racoon Malformed ISAKMP Packet

Racoon before 20040408a allows remote attackers to cause a denial of service (memory consumption) via an ISAKMP packet with a large length field.

5.0
2004-06-01 CVE-2004-0182 GNU Unspecified vulnerability in GNU Mailman

Mailman before 2.0.13 allows remote attackers to cause a denial of service (crash) via an email message with an empty subject field.

5.0
2004-06-01 CVE-2004-0177 Linux Unspecified vulnerability in Linux Kernel 2.4.0

The ext3 code in Linux 2.4.x before 2.4.26 does not properly initialize journal descriptor blocks, which causes an information leak in which in-memory data is written to the device for the ext3 file system, which allows privileged users to obtain portions of kernel memory by reading the raw device.

5.0
2004-06-01 CVE-2004-0156 Ssmtp Format String vulnerability in SSMTP Mail Transfer Agent

Format string vulnerabilities in the (1) die or (2) log_event functions for ssmtp before 2.50.6 allow remote mail relays to cause a denial of service and possibly execute arbitrary code.

5.0
2004-06-01 CVE-2004-0120 Microsoft Denial of Service vulnerability in Microsoft Windows 2000, Windows 2003 Server and Windows XP

The Microsoft Secure Sockets Layer (SSL) library, as used in Windows 2000, Windows XP, and Windows Server 2003, allows remote attackers to cause a denial of service via malformed SSL messages.

5.0
2004-06-01 CVE-2004-0116 Microsoft Remote Denial Of Service vulnerability in Microsoft Windows 2000, Windows 2003 Server and Windows XP

An Activation function in the RPCSS Service involved with DCOM activation for Microsoft Windows 2000, XP, and 2003 allows remote attackers to cause a denial of service (memory consumption) via an activation request with a large length field.

5.0
2004-06-01 CVE-2003-0807 Microsoft Remote Denial Of Service vulnerability in Microsoft Windows COM Internet Service/RPC Over HTTP

Buffer overflow in the COM Internet Services and in the RPC over HTTP Proxy components for Microsoft Windows NT Server 4.0, NT 4.0 Terminal Server Edition, 2000, XP, and Server 2003 allows remote attackers to cause a denial of service via a crafted request.

5.0
2004-06-01 CVE-2003-0663 Microsoft Denial Of Service vulnerability in Microsoft Windows 2000 Domain Controller LDAP

Unknown vulnerability in the Local Security Authority Subsystem Service (LSASS) in Windows 2000 domain controllers allows remote attackers to cause a denial of service via a crafted LDAP message.

5.0
2004-06-01 CVE-2002-0385 Vignette Information Disclosure vulnerability in Vignette Storyserver and Vignette

Vignette Story Server 4.1 and 6.0 allows remote attackers to obtain sensitive information via a request that contains a large number of '"' (double quote) and and '>' characters, which causes the TCL interpreter to crash and include stack data in the output.

5.0
2004-06-01 CVE-2004-0157 Xonix Unspecified vulnerability in Xonix

x11.c in xonix 1.4 and earlier uses the current working directory to find and execute the rmail program, which allows local users to execute arbitrary code by modifying the path to point to a malicious rmail program.

4.6
2004-06-01 CVE-2004-0109 Linux Buffer Overflow vulnerability in Linux Kernel 2.4.0/2.5.0/2.6.0

Buffer overflow in the ISO9660 file system component for Linux kernel 2.4.x, 2.5.x and 2.6.x, allows local users with physical access to overflow kernel memory and execute arbitrary code via a malformed CD containing a long symbolic link entry.

4.6

7 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2004-06-01 CVE-2004-0407 Macromedia Denial Of Service vulnerability in Macromedia Coldfusion 6.1

The HTML form upload capability in ColdFusion MX 6.1 does not reclaim disk space if an upload is interrupted, which allows remote attackers to cause a denial of service (disk consumption) by repeatedly uploading files and interrupting the uploads before they finish.

2.6
2004-06-01 CVE-2004-0180 CVS Unspecified vulnerability in CVS

The client for CVS before 1.11 allows a remote malicious CVS server to create arbitrary files using certain RCS diff files that use absolute pathnames during checkouts or updates, a different vulnerability than CVE-2004-0405.

2.6
2004-06-01 CVE-2004-0124 Microsoft Unspecified vulnerability in Microsoft products

The DCOM RPC interface for Microsoft Windows NT 4.0, 2000, XP, and Server 2003 allows remote attackers to cause network communications via an "alter context" call that contains additional data, aka the "Object Identity Vulnerability."

2.6
2004-06-01 CVE-2004-0388 Oracle Unspecified vulnerability in Oracle Mysql 5.0.33

The mysqld_multi script in MySQL allows local users to overwrite arbitrary files via a symlink attack.

2.1
2004-06-01 CVE-2004-0181 Linux Unspecified vulnerability in Linux Kernel 2.4.0

The JFS file system code in Linux 2.4.x has an information leak in which in-memory data is written to the device for the JFS file system, which allows local users to obtain sensitive information by reading the raw device.

2.1
2004-06-01 CVE-2004-0178 Linux Unspecified vulnerability in Linux Kernel 2.4.0

The OSS code for the Sound Blaster (sb16) driver in Linux 2.4.x before 2.4.26, when operating in 16 bit mode, does not properly handle certain sample sizes, which allows local users to cause a denial of service (crash) via a sample with an odd number of bytes.

2.1
2004-06-01 CVE-2004-0133 Linux Unspecified vulnerability in Linux Kernel 2.4.0

The XFS file system code in Linux 2.4.x has an information leak in which in-memory data is written to the device for the XFS file system, which allows local users to obtain sensitive information by reading the raw device.

2.1