Weekly Vulnerabilities Reports > July 5 to 11, 2004

Overview

36 new vulnerabilities were reported during this period, including 5 critical and 10 high severity vulnerabilities. This weekly summary reports vulnerabilities in 47 products from 33 vendors, including Microsoft, Apple, SGI, Linux, and OpenBSD. Notable vulnerability categories are "Resource Management Errors", "Out-of-bounds Write", "Improper Input Validation", and "Argument Injection or Modification".

  • 28 reported vulnerabilities are remotely exploitable.
  • 1 reported vulnerability is related to weaknesses in the OWASP Top Ten.
  • 36 reported vulnerabilities are exploitable by an anonymous user.
  • Microsoft has the most reported vulnerabilities, with 5.
  • Debian has the most reported critical vulnerabilities, with 1.

Summary counters: total vulnerabilities, critical risk vulnerabilities, high risk vulnerabilities, medium risk vulnerabilities, low risk vulnerabilities, remotely exploitable, locally exploitable, exploit available, exploitable anonymously, affecting web application.

Vulnerability Details

The following tables list the reported vulnerabilities for the period covered by this report:

5 Critical Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS

2004-07-07 | CVE-2004-0469 | Check Point | Remote Buffer Overflow vulnerability in Check Point VPN-1 ISAKMP | 10.0
    Buffer overflow in the ISAKMP functionality for Check Point VPN-1 and FireWall-1 NG products, before VPN-1/FireWall-1 R55 HFA-03, R54 HFA-410 and NG FP3 HFA-325, or VPN-1 SecuRemote/SecureClient R56, may allow remote attackers to execute arbitrary code during VPN tunnel negotiation.

2004-07-07 | CVE-2004-0444 | Symantec | Buffer Overflow vulnerability in Symantec Client Firewall NetBIOS Name Service Response | 10.0
    Multiple vulnerabilities in SYMDNS.SYS for Symantec Norton Internet Security and Professional 2002 through 2004, Norton Personal Firewall 2002 through 2004, Norton AntiSpam 2004, Client Firewall 5.01 and 5.1.1, and Client Security 1.0 through 2.0 allow remote attackers to cause a denial of service or execute arbitrary code via (1) a manipulated length byte in the first-level decoding routine for NetBIOS Name Service (NBNS) that modifies an index variable and leads to a stack-based buffer overflow, (2) a heap-based corruption problem in an NBNS response that is missing certain RR fields, and (3) a stack-based buffer overflow in the DNS component via a Resource Record (RR) with a long canonical name (CNAME) field composed of many smaller components.

2004-07-07 | CVE-2004-0434 | Heimdal Project, Debian | Out-Of-Bounds Write vulnerability in multiple products | 10.0
    k5admind (kadmind) for Heimdal allows remote attackers to execute arbitrary code via a Kerberos 4 compatibility administration request whose framing length is less than 2, which leads to a heap-based buffer overflow.

2004-07-07 | CVE-2004-0420 | Microsoft | Unspecified vulnerability in Microsoft IE and Internet Explorer | 10.0
    The Windows Shell application in Windows 98, Windows ME, Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 allows remote attackers to execute arbitrary code by spoofing the type of a file via a CLSID specifier in the filename, as demonstrated using Internet Explorer 6.0.2800.1106 on Windows XP.

2004-07-07 | CVE-2004-0401 | Free Software Foundation Inc. | Unspecified vulnerability in Free Software Foundation Inc. Libtasn1 | 10.0
    Unknown vulnerability in libtasn1 0.1.x before 0.1.2, and 0.2.x before 0.2.7, related to the DER parsing functions.

10 High Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS

2004-07-07 | CVE-2004-0489 | Apple | Remote Security vulnerability in Apple Mac OS X 10.3.3 | 7.6
    Argument injection vulnerability in the SSH URI handler for Safari on Mac OS 10.3.3 and earlier allows remote attackers to (1) execute arbitrary code via the ProxyCommand option or (2) conduct port forwarding via the -R option.

2004-07-07 | CVE-2004-0486 | Apple | Remote Code Execution vulnerability in Apple Mac OS X Help Protocol | 7.6
    HelpViewer in Mac OS X 10.3.3 and 10.2.8 processes scripts that it did not initiate, which can allow attackers to execute arbitrary code, an issue that was originally reported as a directory traversal vulnerability in the Safari web browser using the runscript parameter in a help: URI handler.

2004-07-07 | CVE-2004-0488 | Apache, mod_ssl, Mandrakesoft, Tinysofa, SGI, OpenBSD, Trustix, Gentoo | | 7.5
    Stack-based buffer overflow in the ssl_util_uuencode_binary function in ssl_util.c for Apache mod_ssl, when mod_ssl is configured to trust the issuing CA, may allow remote attackers to execute arbitrary code via a client certificate with a long subject DN.

2004-07-07 | CVE-2004-0470 | BEA | Unspecified vulnerability in BEA WebLogic Server 7.0/8.1 | 7.5
    BEA WebLogic Server and WebLogic Express 7.0 through SP5 and 8.1 through SP2, when editing weblogic.xml using WebLogic Builder or the SecurityRoleAssignmentMBean.toXML method, inadvertently remove security-role-assignment tags when weblogic.xml does not have a principal-name tag, which can remove intended access restrictions for the associated web application.

2004-07-07 | CVE-2004-0411 | KDE | Improper Input Validation vulnerability in KDE Konqueror | 7.5
    The URI handlers in Konqueror for KDE 3.2.2 and earlier do not properly filter "-" characters that begin a hostname in a (1) telnet, (2) rlogin, (3) ssh, or (4) mailto URI, which allows remote attackers to manipulate the options that are passed to the associated programs, possibly to read arbitrary files or execute arbitrary code.

2004-07-07 | CVE-2004-0400 | University of Cambridge | Unspecified vulnerability in University of Cambridge Exim | 7.5
    Stack-based buffer overflow in Exim 4 before 4.33, when the headers_check_syntax option is enabled, allows remote attackers to cause a denial of service and possibly execute arbitrary code during the header check.

2004-07-07 | CVE-2004-0399 | University of Cambridge | Unspecified vulnerability in University of Cambridge Exim 3.35 | 7.5
    Stack-based buffer overflow in Exim 3.35, and other versions before 4, when the sender_verify option is true, allows remote attackers to cause a denial of service and possibly execute arbitrary code during sender verification.

2004-07-07 | CVE-2004-0398 | Cadaver, Neon, OpenOffice, Subversion | Heap Overflow vulnerability in Neon WebDAV Client Library ne_rfc1036_parse Function | 7.5
    Heap-based buffer overflow in the ne_rfc1036_parse date parsing function for the neon library (libneon) 0.24.5 and earlier, as used by cadaver before 0.22, allows remote WebDAV servers to execute arbitrary code on the client.

2004-07-07 | CVE-2004-0397 | Subversion | Buffer Overflow vulnerability in Subversion 1.0/1.0.1/1.0.2 | 7.5
    Stack-based buffer overflow during the apr_time_t data conversion in Subversion 1.0.2 and earlier allows remote attackers to execute arbitrary code via a (1) DAV2 REPORT query or (2) get-dated-rev svn-protocol command.

2004-07-07 | CVE-2004-0424 | SGI, Linux, Slackware | Integer Overflow vulnerability in Linux Kernel Setsockopt MCAST_MSFILTER | 7.2
    Integer overflow in the ip_setsockopt function in Linux kernel 2.4.22 through 2.4.25 and 2.6.1 through 2.6.3 allows local users to cause a denial of service (crash) or execute arbitrary code via the MCAST_MSFILTER socket option.

12 Medium Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS

2004-07-07 | CVE-2004-0475 | Microsoft | Unspecified vulnerability in Microsoft IE 6.0 | 5.1
    The showHelp function in Internet Explorer 6 on Windows XP Pro allows remote attackers to execute arbitrary local .CHM files via a double backward slash ("\\") before the target CHM file, as demonstrated using an "ms-its" URL to ntshared.chm.

2004-07-07 | CVE-2004-0474 | Microsoft | Unspecified vulnerability in Microsoft Windows XP | 5.1
    Help Center (HelpCtr.exe) may allow remote attackers to read or execute arbitrary files via an "http://" or "file://" argument to the topic parameter in an hcp:// URL.

2004-07-07 | CVE-2004-0431 | Apple | Unspecified vulnerability in Apple QuickTime | 5.1
    Integer overflow in Apple QuickTime (QuickTime.qts) before 6.5.1 allows attackers to execute arbitrary code via a large "number of entries" field in the sample-to-chunk table data for a .mov movie file, which leads to a heap-based buffer overflow.

2004-07-07 | CVE-2004-0430 | Apple | Unspecified vulnerability in Apple Mac OS X and Mac OS X Server | 5.1
    Stack-based buffer overflow in AppleFileServer for Mac OS X 10.3.3 and earlier allows remote attackers to execute arbitrary code via a LoginExt packet for a Cleartext Password User Authentication Method (UAM) request with a PathName argument that includes an AFPName type string that is longer than the associated length field.

2004-07-07 | CVE-2004-0485 | Apple | Unspecified vulnerability in Apple Mac OS X 10.2.8/10.3.3 | 5.0
    The default protocol helper for the disk: URI on Mac OS X 10.3.3 and 10.2.8 allows remote attackers to write arbitrary files by causing a disk image file (.dmg) to be mounted as a disk volume.

2004-07-07 | CVE-2004-0483 | SGI | Remote Denial of Service vulnerability in SGI IRIX 6.5.24 | 5.0
    Unknown vulnerability in rpc.mountd for SGI IRIX 6.5.24 allows remote attackers to cause a denial of service (infinite loop) via certain RPC requests.

2004-07-07 | CVE-2004-0479 | Microsoft | Unspecified vulnerability in Microsoft IE 6 | 5.0
    Internet Explorer 6 allows remote attackers to cause a denial of service (crash) via JavaScript that creates a new popup window and disables the imagetoolbar functionality with a META tag, which triggers a null dereference.

2004-07-07 | CVE-2004-0459 | IEEE | Remote Denial of Service vulnerability in Multiple Vendor IEEE 802.11 Protocol | 5.0
    The Clear Channel Assessment (CCA) algorithm in the IEEE 802.11 wireless protocol, when using DSSS transmission encoding, allows remote attackers to cause a denial of service via a certain RF signal that causes a channel to appear busy (aka "jabber"), which prevents devices from transmitting data.

2004-07-07 | CVE-2004-0437 | South River Technologies | Denial-of-Service vulnerability in South River Technologies Titan FTP Server 3.01 Build 163 | 5.0
    Titan FTP Server version 3.01 build 163, and possibly other versions before build 169, allows remote authenticated users to cause a denial of service (crash) by disconnecting from the system during a "LIST -L" command, which causes Titan to access an invalid socket.

2004-07-07 | CVE-2004-0426 | Andrew Tridgell | Unspecified vulnerability in Andrew Tridgell Rsync | 5.0
    rsync before 2.6.1 does not properly sanitize paths when running a read/write daemon without using chroot, which allows remote attackers to write files outside of the module's path.

2004-07-07 | CVE-2004-0482 | OpenBSD | Integer Overflow vulnerability in OpenBSD 3.4/3.5 | 4.6
    Multiple integer overflows in (1) procfs_cmdline.c, (2) procfs_fpregs.c, (3) procfs_linux.c, (4) procfs_regs.c, (5) procfs_status.c, and (6) procfs_subr.c in procfs for OpenBSD 3.5 and earlier allow local users to read sensitive kernel memory and possibly perform other unauthorized activities.

2004-07-07 | CVE-2004-0402 | xpcd, Mandrakesoft | Buffer Overflow vulnerability in XPCD XPCD-SVGA | 4.6
    Buffer overflow in xpcd-svga in xpcd before 2.08, and possibly other versions, may allow local users to execute arbitrary code.

9 Low Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS

2004-07-07 | CVE-2004-0484 | Microsoft | Unspecified vulnerability in Microsoft Internet Explorer 6.0.2900 | 2.6
    mshtml.dll in Microsoft Internet Explorer 6.0.2800 allows remote attackers to cause a denial of service (crash) via a table containing a form that crosses multiple td elements, and whose "float: left" class is defined in a link to a CSS stylesheet after the end of the table, which may trigger a null dereference.

2004-07-07 | CVE-2004-0478 | Mozilla | Resource Management Errors vulnerability in Mozilla | 2.6
    Unknown versions of Mozilla allow remote attackers to cause a denial of service (high CPU/RAM consumption) using JavaScript with an infinite loop that continues to add input to a form, possibly as the result of inserting control characters, as demonstrated using an embedded ctrl-U.

2004-07-07 | CVE-2004-0473 | Opera | Argument Injection or Modification vulnerability in Opera Browser | 2.6
    Argument injection vulnerability in Opera before 7.50 does not properly filter "-" characters that begin a hostname in a telnet URI, which allows remote attackers to insert options into the resulting command line and overwrite arbitrary files via (1) the "-f" option on Windows XP or (2) the "-n" option on Linux.

2004-07-07 | CVE-2004-0445 | Symantec | Remote DNS Response Denial of Service vulnerability in Symantec Client Firewall | 2.6
    The SYMDNS.SYS driver in Symantec Norton Internet Security and Professional 2002 through 2004, Norton Personal Firewall 2002 through 2004, Norton AntiSpam 2004, Client Firewall 5.01 and 5.1.1, and Client Security 1.0 through 2.0 allows remote attackers to cause a denial of service (CPU consumption from infinite loop) via a DNS response with a compressed name pointer that points to itself.

2004-07-07 | CVE-2004-0471 | BEA | Denial of Service vulnerability in BEA WebLogic Server 7.0/8.1 | 2.1
    BEA WebLogic Server and WebLogic Express 7.0 through SP5 and 8.1 through SP2 do not enforce site restrictions for starting and stopping servers for users in the Admin and Operator security roles, which allows unauthorized users to cause a denial of service (service shutdown).

2004-07-07 | CVE-2004-0427 | Linux | Unspecified vulnerability in Linux Kernel 2.4.0/2.6.0 | 2.1
    The do_fork function in Linux 2.4.x before 2.4.26, and 2.6.x before 2.6.6, does not properly decrement the mm_count counter when an error occurs after the mm_struct for a child process has been activated, which triggers a memory leak that allows local users to cause a denial of service (memory exhaustion) via the clone (CLONE_VM) system call.

2004-07-07 | CVE-2004-0423 | ssmtp | Local Security vulnerability in ssmtp | 2.1
    The log_event function in ssmtp 2.50.6 and earlier allows local users to overwrite arbitrary files via a symlink attack on the ssmtp.log temporary log file.

2004-07-07 | CVE-2004-0422 | GNU | Unspecified vulnerability in GNU Flim 1.14.2 | 2.1
    flim before 1.14.3 creates temporary files insecurely, which allows local users to overwrite arbitrary files of the Emacs user via a symlink attack.

2004-07-07 | CVE-2004-0404 | Psionic | Unspecified vulnerability in Psionic Logcheck | 1.2
    logcheck before 1.1.1 allows local users to overwrite arbitrary files via a symlink attack on a temporary directory in /var/tmp.