Weekly Vulnerabilities Reports > September 27 to October 3, 2010

Overview

29 new vulnerabilities were reported during this period, including 1 critical and 3 high severity vulnerabilities. This weekly summary reports vulnerabilities in 54 products from 27 vendors, including Canonical, Linux, Suse, Debian, and Opensuse. The most common categories are "Information Exposure", "Numeric Errors", "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Path Traversal", and "Improper Authentication".

  • 15 reported vulnerabilities are remotely exploitable.
  • 2 reported vulnerabilities have a public exploit available.
  • 8 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 28 reported vulnerabilities are exploitable by an anonymous user.
  • Canonical has the most reported vulnerabilities, with 11 reported vulnerabilities.
  • Clamav has the most reported critical vulnerabilities, with 1 reported vulnerability.

TOTAL VULNERABILITIES: 29
CRITICAL RISK VULNERABILITIES: 1
HIGH RISK VULNERABILITIES: 3
MEDIUM RISK VULNERABILITIES: 18
LOW RISK VULNERABILITIES: 7
REMOTELY EXPLOITABLE: 15
EXPLOIT AVAILABLE: 2
EXPLOITABLE ANONYMOUSLY: 28

Vulnerability Details

The following table lists the reported vulnerabilities for the period covered by this report:


1 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2010-09-30 CVE-2010-3434 Clamav Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Clamav

Buffer overflow in the find_stream_bounds function in pdf.c in libclamav in ClamAV before 0.96.3 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PDF document.

9.3

3 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2010-09-29 CVE-2010-3688 Netartmedia Path Traversal vulnerability in Netartmedia Websiteadmin

Directory traversal vulnerability in ADMIN/login.php in NetArtMEDIA WebSiteAdmin allows remote attackers to include and execute arbitrary local files via directory traversal sequences in the lng parameter.

7.5
2010-09-29 CVE-2010-3084 Linux/Canonical Buffer Errors vulnerability in Linux Kernel

Buffer overflow in the niu_get_ethtool_tcam_all function in drivers/net/niu.c in the Linux kernel before 2.6.36-rc4 allows local users to cause a denial of service or possibly have unspecified other impact via the ETHTOOL_GRXCLSRLALL ethtool command.

7.2
2010-09-29 CVE-2010-2478 Linux/Canonical/Suse Integer Overflow or Wraparound vulnerability in multiple products

Integer overflow in the ethtool_get_rxnfc function in net/core/ethtool.c in the Linux kernel before 2.6.33.7 on 32-bit platforms allows local users to cause a denial of service or possibly have unspecified other impact via an ETHTOOL_GRXCLSRLALL ethtool command with a large info.rule_cnt value that triggers a buffer overflow, a different vulnerability than CVE-2010-3084.

7.2
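The two ethtool entries above, CVE-2010-3084 and CVE-2010-2478, share one root cause: a rule count taken from the ETHTOOL_GRXCLSRLALL request drives a buffer size that is computed in 32-bit arithmetic without a wraparound check, so a huge count yields a tiny allocation that the driver then writes past. The C below is an added illustration written for this report; it is not kernel code and not the upstream patch. It models the vulnerable size computation, the bound check a fix needs before the multiplication, and the out-of-bounds write that follows from the wrapped size. All names (rule_buf_size_vulnerable, MODEL_KMALLOC_MAX and so on) are hypothetical, and the allocator limit is a stand-in value.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* On the 32-bit platforms the advisory names, size_t is 32 bits wide, so the
 * count * element-size multiplication wraps at 2^32.  The model uses uint32_t
 * for the size so the same wrap happens on any host. */
typedef uint32_t ksize_t;

/* Hypothetical allocator ceiling standing in for KMALLOC_MAX_SIZE. */
#define MODEL_KMALLOC_MAX 0x400000u /* 4 MiB */

/* Vulnerable pattern: the byte size is derived from the user-supplied count
 * with no wraparound check.  Returns the (possibly wrapped) size. */
ksize_t rule_buf_size_vulnerable(uint32_t rule_cnt)
{
    return (ksize_t)rule_cnt * (ksize_t)sizeof(uint32_t);
}

/* Hardened pattern: reject counts that cannot be represented or that exceed
 * the allocator limit BEFORE multiplying.  Returns 0 on rejection. */
ksize_t rule_buf_size_checked(uint32_t rule_cnt)
{
    if (rule_cnt == 0 || rule_cnt > MODEL_KMALLOC_MAX / sizeof(uint32_t))
        return 0;
    return (ksize_t)rule_cnt * (ksize_t)sizeof(uint32_t);
}

/* Models the driver loop that writes rule_cnt u32 entries into a buffer of
 * buf_size bytes.  Returns 1 if the writes would run past the allocation,
 * i.e. if the heap overflow the advisory describes would occur. */
int would_overflow(uint32_t rule_cnt, ksize_t buf_size)
{
    uint64_t needed = (uint64_t)rule_cnt * sizeof(uint32_t); /* true footprint */
    return needed > buf_size;
}

int main(void)
{
    /* Constructed attacker value: 0x40000001 * 4 == 0x1_0000_0004, which
     * wraps to 4 in 32-bit arithmetic, so only 4 bytes get allocated. */
    uint32_t evil = 0x40000001u;
    ksize_t sz = rule_buf_size_vulnerable(evil);

    printf("vulnerable: rule_cnt=0x%x -> alloc size %u bytes, overflow=%d\n",
           evil, sz, would_overflow(evil, sz));
    printf("checked:    rule_cnt=0x%x -> alloc size %u (0 = rejected)\n",
           evil, rule_buf_size_checked(evil));
    printf("checked:    rule_cnt=16 -> alloc size %u bytes\n",
           rule_buf_size_checked(16));
    return 0;
}
```

The point to carry over to code review: a bound check must compare the count against limit / element_size, never the product against the limit, because by the time the product exists it may already have wrapped.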

18 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2010-09-29 CVE-2010-3380 Llnl Local Privilege Escalation vulnerability in SLURM 'slurm' and 'slurmdbd'

The (1) init.d/slurm and (2) init.d/slurmdbd scripts in SLURM before 2.1.14 place the .

6.9
2010-09-30 CVE-2010-3429 Ffmpeg/Mplayerhq Code Injection vulnerability in multiple products

flicvideo.c in libavcodec 0.6 and earlier in FFmpeg, as used in MPlayer and other products, allows remote attackers to execute arbitrary code via a crafted flic file, related to an "arbitrary offset dereference vulnerability."

6.8
2010-09-28 CVE-2010-3087 Libtiff/Opensuse Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products

LibTIFF before 3.9.2-5.2.1 in SUSE openSUSE 11.3 allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted TIFF image.

6.8
2010-09-28 CVE-2010-2950 PHP Use of Externally-Controlled Format String vulnerability in PHP

Format string vulnerability in stream.c in the phar extension in PHP 5.3.x through 5.3.3 allows context-dependent attackers to obtain sensitive information (memory contents) and possibly execute arbitrary code via a crafted phar:// URI that is not properly handled by the phar_stream_flush function, leading to errors in the php_stream_wrapper_log_error function.

6.8
2010-09-30 CVE-2010-2537 Linux/Canonical/Suse

The btrfs_ioctl_clone function in fs/btrfs/ioctl.c in the Linux kernel before 2.6.35 allows local users to overwrite an append-only file via a (1) BTRFS_IOC_CLONE or (2) BTRFS_IOC_CLONE_RANGE ioctl call that specifies this file as a donor.

6.6
2010-09-28 CVE-2010-3490 Sangoma Path Traversal vulnerability in Sangoma Freepbx

Directory traversal vulnerability in page.recordings.php in the System Recordings component in the configuration interface in FreePBX 2.8.0 and earlier allows remote authenticated administrators to create arbitrary files via a ..

6.5
2010-09-30 CVE-2010-2943 Linux/Canonical/Vmware/Avaya Information Exposure vulnerability in multiple products

The xfs implementation in the Linux kernel before 2.6.35 does not look up inode allocation btrees before reading inode buffers, which allows remote authenticated users to read unlinked files, or read or overwrite disk blocks that are currently assigned to an active file but were previously assigned to an unlinked file, by accessing a stale NFS filehandle.

6.4
2010-09-28 CVE-2010-0405 Bzip/Libzip2 Numeric Errors vulnerability in multiple products

Integer overflow in the BZ2_decompress function in decompress.c in bzip2 and libbzip2 before 1.0.6 allows context-dependent attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted compressed file.

5.1
2010-09-29 CVE-2010-3687 Alex Kellner/Typo3 Security Bypass vulnerability in Powermail

Unspecified vulnerability in the powermail extension 1.5.3 and earlier for TYPO3 allows remote attackers to bypass validation and have an unspecified impact by "[injecting] arbitrary values into validated fields," as demonstrated using the (1) Email and (2) URL fields.

5.0
2010-09-29 CVE-2010-3686 Drupal/Peter Wolanin Improper Authentication vulnerability in multiple products

The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x before 5.x-1.4 for Drupal, violates the OpenID 2.0 protocol by not ensuring that fields are signed, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider.

5.0
2010-09-29 CVE-2010-3685 Drupal/Peter Wolanin Improper Authentication vulnerability in multiple products

The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x before 5.x-1.4 for Drupal, violates the OpenID 2.0 protocol by not checking for reuse of openid.response_nonce values, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider.

5.0
2010-09-29 CVE-2010-3468 Blueriver Path Traversal vulnerability in Blueriver Mura CMS and Sava CMS

Directory traversal vulnerability in fileManager.cfc in Mura CMS 5.1 before 5.1.498 and 5.2 before 5.2.2809, and Sava CMS 5 through 5.2, allows remote attackers to read arbitrary files via a ..

5.0
2010-09-29 CVE-2010-3091 Drupal/Peter Wolanin Improper Authentication vulnerability in multiple products

The OpenID module in Drupal 6.x before 6.18, and the OpenID module 5.x before 5.x-1.4 for Drupal, violates the OpenID 2.0 protocol by not verifying the openid.return_to value, which allows remote attackers to bypass authentication by leveraging an assertion from an OpenID provider.

5.0
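The three Drupal OpenID entries above (CVE-2010-3686, CVE-2010-3685 and CVE-2010-3091) are each one missing relying-party check from OpenID 2.0 section 10.1: that the fields the relying party acts on are covered by the signature, that the response_nonce has not been consumed before, and that return_to is the URL the relying party itself issued. Skipping any one of them lets an attacker who controls or can reach an OpenID provider mint an assertion the site accepts. The C below is an added example written for this report, not Drupal's code; it applies the three checks to constructed sample assertions, assumes the caller has already verified the signature bytes, and uses an in-memory array (seen_nonces) in place of the persistent nonce store a real relying party needs. The struct and function names are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* One key=value field of a positive assertion, "openid." prefix stripped. */
struct kv { const char *key; const char *value; };

#define MAX_NONCES 64
/* Stand-in for the relying party's persistent nonce store. */
static char seen_nonces[MAX_NONCES][128];
static int seen_count = 0;

static const char *lookup(const struct kv *a, int n, const char *key)
{
    for (int i = 0; i < n; i++)
        if (strcmp(a[i].key, key) == 0)
            return a[i].value;
    return NULL;
}

/* Exact-token search of the comma-separated "signed" list. */
static int is_signed(const char *signed_list, const char *field)
{
    size_t flen = strlen(field);
    const char *p = signed_list;
    for (;;) {
        const char *end = strchr(p, ',');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == flen && memcmp(p, field, flen) == 0)
            return 1;
        if (!end)
            return 0;
        p = end + 1;
    }
}

/* Validates an assertion whose signature the caller already verified.
 * Returns 0 on success, or:
 *   1  a field that must be signed is missing or not in "signed" (CVE-2010-3686 class)
 *   2  response_nonce was consumed before (CVE-2010-3685 class)
 *   3  return_to is not the URL this relying party issued (CVE-2010-3091 class)
 * The nonce is recorded only after every other check has passed. */
int check_assertion(const struct kv *a, int n, const char *expected_return_to)
{
    static const char *required[] = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"};
    static const char *if_present[] = {"claimed_id", "identity"};
    const char *signed_list = lookup(a, n, "signed");
    const char *nonce = lookup(a, n, "response_nonce");
    const char *return_to = lookup(a, n, "return_to");

    if (!signed_list || !nonce || !return_to)
        return 1;
    for (size_t i = 0; i < sizeof required / sizeof required[0]; i++)
        if (!lookup(a, n, required[i]) || !is_signed(signed_list, required[i]))
            return 1;
    for (size_t i = 0; i < sizeof if_present / sizeof if_present[0]; i++)
        if (lookup(a, n, if_present[i]) && !is_signed(signed_list, if_present[i]))
            return 1;
    if (strcmp(return_to, expected_return_to) != 0)
        return 3;
    for (int i = 0; i < seen_count; i++)
        if (strcmp(seen_nonces[i], nonce) == 0)
            return 2;
    if (seen_count >= MAX_NONCES || strlen(nonce) >= sizeof seen_nonces[0])
        return 2; /* cannot record it, so it cannot be accepted safely */
    strcpy(seen_nonces[seen_count++], nonce);
    return 0;
}

/* Constructed sample assertions: 0 = valid, 1 = replayed nonce,
 * 2 = "identity" left out of the signed list, 3 = return_to swapped. */
int demo_scenario(int which)
{
    struct kv a[] = {
        {"op_endpoint",    "https://op.example/server"},
        {"return_to",      "https://rp.example/openid/return"},
        {"response_nonce", "2010-09-29T12:00:00Zfresh"},
        {"assoc_handle",   "h1"},
        {"claimed_id",     "https://alice.example/"},
        {"identity",       "https://alice.example/"},
        {"signed", "op_endpoint,return_to,response_nonce,assoc_handle,claimed_id,identity"},
    };
    int n = (int)(sizeof a / sizeof a[0]);
    const char *expect = "https://rp.example/openid/return";

    switch (which) {
    case 1:
        a[2].value = "2010-09-29T12:00:00Zreplay";
        check_assertion(a, n, expect);        /* first use is accepted */
        return check_assertion(a, n, expect); /* second use must be refused */
    case 2:
        a[2].value = "2010-09-29T12:00:00Zunsigned";
        a[6].value = "op_endpoint,return_to,response_nonce,assoc_handle,claimed_id";
        return check_assertion(a, n, expect);
    case 3:
        a[2].value = "2010-09-29T12:00:00Zredirect";
        a[1].value = "https://evil.example/openid/return";
        return check_assertion(a, n, expect);
    default:
        return check_assertion(a, n, expect);
    }
}

int main(void)
{
    for (int i = 0; i < 4; i++)
        printf("scenario %d -> %d\n", i, demo_scenario(i));
    return 0;
}
```

Two design points carry over to a real relying party: the nonce must be stored somewhere shared by every process that handles logins (a database row keyed on provider endpoint plus nonce, pruned by the timestamp prefix), and it must be recorded only after the signature-coverage and return_to checks succeed, so a rejected assertion never consumes a nonce that a legitimate response might still present.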
2010-09-30 CVE-2010-3079 Linux/Canonical/Suse Null Pointer Dereference vulnerability in multiple products

kernel/trace/ftrace.c in the Linux kernel before 2.6.35.5, when debugfs is enabled, does not properly handle interaction between mutex possession and llseek operations, which allows local users to cause a denial of service (NULL pointer dereference and outage of all function tracing files) via an lseek call on a file descriptor associated with the set_ftrace_filter file.

4.9
2010-09-30 CVE-2010-2538 Linux/Canonical/Suse Information Exposure vulnerability in multiple products

Integer overflow in the btrfs_ioctl_clone function in fs/btrfs/ioctl.c in the Linux kernel before 2.6.35 might allow local users to obtain sensitive information via a BTRFS_IOC_CLONE_RANGE ioctl call.

4.9
2010-09-29 CVE-2010-2530 Netbsd/Apple/Freebsd Numeric Errors vulnerability in multiple products

Multiple integer signedness errors in smb_subr.c in the netsmb module in the kernel in NetBSD 5.0.2 and earlier, FreeBSD, and Apple Mac OS X allow local users to cause a denial of service (panic) via a negative size value in a /dev/nsmb ioctl operation, as demonstrated by a (1) SMBIOC_LOOKUP or (2) SMBIOC_OPENSESSION ioctl call.

4.9
2010-09-29 CVE-2010-2453 Synology Cross-Site Scripting vulnerability in Synology DSM

Multiple cross-site scripting (XSS) vulnerabilities in Synology Disk Station 2.x before DSM3.0-1337 allow remote attackers to inject arbitrary web script or HTML by connecting to the FTP server and providing a crafted (1) USER or (2) PASS command, which is written by the FTP logging module to a web-interface log window, related to a "web commands injection" issue.

4.3
2010-09-28 CVE-2010-3070 Dietrich Ayala Cross-Site Scripting vulnerability in Dietrich Ayala Nusoap 0.9.5

Cross-site scripting (XSS) vulnerability in NuSOAP 0.9.5, as used in MantisBT and other products, allows remote attackers to inject arbitrary web script or HTML via the PATH_INFO to an arbitrary PHP script that uses NuSOAP classes.

4.3

7 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2010-09-30 CVE-2010-3298 Linux/Opensuse/Suse/Debian/Canonical Information Exposure vulnerability in multiple products

The hso_get_count function in drivers/net/usb/hso.c in the Linux kernel before 2.6.36-rc5 does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via a TIOCGICOUNT ioctl call.

2.1
2010-09-30 CVE-2010-3297 Linux/Opensuse/Suse/Debian/Canonical Missing Initialization of Resource vulnerability in multiple products

The eql_g_master_cfg function in drivers/net/eql.c in the Linux kernel before 2.6.36-rc5 does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via an EQL_GETMASTRCFG ioctl call.

2.1
2010-09-30 CVE-2010-3296 Linux/Opensuse/Suse/Debian/Canonical Information Exposure vulnerability in multiple products

The cxgb_extension_ioctl function in drivers/net/cxgb3/cxgb3_main.c in the Linux kernel before 2.6.36-rc5 does not properly initialize a certain structure member, which allows local users to obtain potentially sensitive information from kernel stack memory via a CHELSIO_GET_QSET_NUM ioctl call.

2.1
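CVE-2010-3296, CVE-2010-3297 and CVE-2010-3298 above are the same bug three times over: an ioctl handler fills some members of a stack-allocated reply struct, leaves one untouched, and copies the whole struct to user space, so whatever an earlier kernel call left in that stack slot (pointers, key material) goes to the caller. The C below is an added model written for this report, not driver code and not the upstream patches; the struct layout, the handler names and the 0xAB stale-stack fill are constructed so the leak is deterministic, and model_copy_to_user stands in for copy_to_user. The remedy shown, zeroing the struct before filling it, is the generic fix for this class.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical ioctl reply struct: three members the handler fills in and
 * one it forgets, mirroring the "certain structure member" in the entries. */
struct model_counts {
    uint32_t rx;
    uint32_t tx;
    uint32_t frame;
    uint32_t reserved;   /* never written by the vulnerable handler */
};

/* Stand-in for copy_to_user(): copies the kernel struct to the caller. */
static void model_copy_to_user(void *dst, const void *src, size_t n)
{
    memcpy(dst, src, n);
}

/* Vulnerable handler.  `frame` is caller-provided memory standing in for
 * the handler's stack slot, so the stale bytes are deterministic here. */
void vuln_get_counts(struct model_counts *frame, void *user_out)
{
    frame->rx = 1;
    frame->tx = 2;
    frame->frame = 3;
    /* reserved is left as whatever the stack held */
    model_copy_to_user(user_out, frame, sizeof(*frame));
}

/* Fixed handler: zero the whole struct first, then fill the real fields. */
void fixed_get_counts(struct model_counts *frame, void *user_out)
{
    memset(frame, 0, sizeof(*frame));
    frame->rx = 1;
    frame->tx = 2;
    frame->frame = 3;
    model_copy_to_user(user_out, frame, sizeof(*frame));
}

/* Runs a handler against a stack slot pre-filled with a constructed stale
 * pattern and returns what user space sees in the forgotten member. */
uint32_t leaked_reserved(void (*handler)(struct model_counts *, void *))
{
    struct model_counts frame;
    struct model_counts out;
    memset(&frame, 0xAB, sizeof(frame));   /* leftovers from a prior call */
    memset(&out, 0, sizeof(out));
    handler(&frame, &out);
    return out.reserved;
}

int main(void)
{
    printf("vulnerable handler: reserved = 0x%08x\n", leaked_reserved(vuln_get_counts));
    printf("fixed handler:      reserved = 0x%08x\n", leaked_reserved(fixed_get_counts));
    return 0;
}
```

Compiler padding makes this worse than the forgotten member alone: any padding bytes between members are also copied out, which is why zeroing the whole struct (or using a designated initializer plus memset) is preferable to assigning the one missed field.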
2010-09-29 CVE-2010-3684 Synology Credentials Management vulnerability in Synology DSM

The FTP authentication module in Synology Disk Station 2.x logs passwords to the web application interface in cases of incorrect login attempts, which allows local users to obtain sensitive information by reading a log, a different vulnerability than CVE-2010-2453.

2.1
2010-09-29 CVE-2010-2946 Linux/Canonical Improper Input Validation vulnerability in Linux Kernel

fs/jfs/xattr.c in the Linux kernel before 2.6.35.2 does not properly handle a certain legacy format for storage of extended attributes, which might allow local users to bypass intended xattr namespace restrictions via an "os2." substring at the beginning of a name.

2.1
2010-09-28 CVE-2010-3277 Vmware Permissions, Privileges, and Access Controls vulnerability in VMWare Player and Workstation

The installer in VMware Workstation 7.x before 7.1.2 build 301548 and VMware Player 3.x before 3.1.2 build 301548 renders an index.htm file if present in the installation directory, which might allow local users to trigger unintended interpretation of web script or HTML by creating this file.

2.1
2010-09-29 CVE-2010-3310 Linux/Debian/Canonical Numeric Errors vulnerability in Linux Kernel

Multiple integer signedness errors in net/rose/af_rose.c in the Linux kernel before 2.6.36-rc5-next-20100923 allow local users to cause a denial of service (heap memory corruption) or possibly have unspecified other impact via a rose_getname function call, related to the rose_bind and rose_connect functions.

1.9