Weekly Vulnerabilities Reports > September 21 to 27, 2009

Overview

3 new vulnerabilities reported during this period, including 1 critical vulnerabilities and 1 high severity vulnerabilities. This weekly summary report vulnerabilities in 6 products from 5 vendors including Opensuse, Suse, Gnome, Qnap, and Zenas. Vulnerabilities are notably categorized as "Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)", "Incorrect Permission Assignment for Critical Resource", and "Improper Authentication".

  • 1 reported vulnerabilities are remotely exploitables.
  • 2 reported vulnerabilities have public exploit available.
  • 1 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 1 reported vulnerabilities are exploitable by an anonymous user.
  • Opensuse has the most reported vulnerabilities, with 1 reported vulnerabilities.
  • Zenas has the most reported critical vulnerabilities, with 1 reported vulnerabilities.

TOTAL
VULNERABILITIES
CRITICAL RISK
VULNERABILITIES
HIGH RISK
VULNERABILITIES
MEDIUM RISK
VULNERABILITIES
LOW RISK
VULNERABILITIES
REMOTELY
EXPLOITABLE
LOCALLY
EXPLOITABLE
EXPLOIT
AVAILABLE
EXPLOITABLE
ANONYMOUSLY
AFFECTING
WEB APPLICATION

Vulnerability Details

The following table list reported vulnerabilities for the period covered by this report:

Expand/Hide

1 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2009-09-25 CVE-2009-3421 Zenas Improper Authentication vulnerability in Zenas Pao-Bacheca Guestbook 2.1

login.php in Zenas PaoBacheca Guestbook 2.1, when register_globals is enabled, allows remote attackers to bypass authentication and gain administrative access by setting the login_ok parameter to 1.

9.8

1 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2009-09-22 CVE-2009-3289 Gnome
Opensuse
Suse
Incorrect Permission Assignment for Critical Resource vulnerability in multiple products

The g_file_copy function in glib 2.0 sets the permissions of a target file to the permissions of a symbolic link (777), which allows user-assisted local users to modify files of other users, as demonstrated by using Nautilus to modify the permissions of the user home directory.

7.8

1 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2009-09-21 CVE-2009-3278 Qnap Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) vulnerability in Qnap Ts-239 PRO Firmware and Ts-639 PRO Firmware

The QNAP TS-239 Pro and TS-639 Pro with firmware 2.1.7 0613, 3.1.0 0627, and 3.1.1 0815 use the rand library function to generate a certain recovery key, which makes it easier for local users to determine this key via a brute-force attack.

5.5

0 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS