Security news roundup: February 17

Here's a collection of recent security vulnerabilities and alerts, which covers a serious vulnerability fixed in ClamAV, FreeBSD closing a couple of vulnerabilities, additional flaws discovered in Cisco IP telephony products, critical vulnerabilities found in Adobe Flash Media Server, and how Vista SP1 proves to be a low hurdle to pirates.

  • Serious vulnerability fixed in ClamAV

An integer overflow vulnerability has been found in the popular open source ClamAV antivirus engine. The flaw sits in the code that parses and scans Windows PE executables, and it can produce an exploitable heap corruption, reachable remotely by anyone who can get a crafted file scanned.

The flaw was reported by iDefense Labs. The following is an excerpt from the public advisory:

The vulnerability exists within the code responsible for parsing and scanning PE files. While iterating through all sections contained in the PE file, several attacker controlled values are extracted from the file. On each iteration, arithmetic operations are performed without taking into consideration 32-bit integer wrap.

... Since insufficient integer overflow checks are present, an attacker can cause a heap overflow by causing a specially crafted Petite packed PE binary to be scanned.

The vulnerability exists in ClamAV 0.92 and is fixed in version 0.92.1. According to the ClamAV team, the vulnerable module had already been disabled remotely through a virus database update on January 11, within days of the initial notification, so installations that keep their signatures current were shielded before the release. Fixing the code itself still requires the upgrade.
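To make the mechanism in the advisory concrete, here is an added illustration in C, written for this roundup and not ClamAV's code: a bounds check and a buffer-size calculation over a PE-style section table, each in the naive 32-bit form that wraps and in a hardened form that refuses. The section layout, the sample values and the file size are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Added illustration of the bug class (not ClamAV's code): a PE section
 * table supplies a 32-bit raw offset and raw size per section, both
 * attacker-controlled.  Checks done in 32-bit arithmetic silently wrap.
 */
struct section {
    uint32_t raw_offset;   /* PointerToRawData in the PE section header */
    uint32_t raw_size;     /* SizeOfRawData */
};

/* Naive check: offset + size wraps modulo 2^32, so a huge size passes. */
int section_in_bounds_naive(const struct section *s, uint32_t file_size)
{
    uint32_t end = s->raw_offset + s->raw_size;   /* may wrap */
    return end <= file_size;
}

/* Hardened check: compare the size against the remaining space instead
 * of forming a sum that can wrap. */
int section_in_bounds_safe(const struct section *s, uint32_t file_size)
{
    if (s->raw_offset > file_size)
        return 0;
    return s->raw_size <= file_size - s->raw_offset;
}

/* Naive running total, as used to size an unpacking buffer: two large
 * sizes wrap to a small total, so the buffer allocated from it is far
 * smaller than the data later copied into it (a heap overflow). */
uint32_t total_size_naive(const struct section *secs, size_t n)
{
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += secs[i].raw_size;
    return total;
}

/* Safe running total: detect wrap on every addition.  Returns 1 and
 * stores the total on success, 0 (with *out untouched) on overflow. */
int total_size_safe(const struct section *secs, size_t n, uint32_t *out)
{
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++) {
        if (secs[i].raw_size > UINT32_MAX - total)
            return 0;                      /* would wrap */
        total += secs[i].raw_size;
    }
    *out = total;
    return 1;
}

/* Constructed sample: a 64 KiB file whose second section claims a raw
 * size close to 4 GiB.  Returns 1 if the naive code is fooled while the
 * hardened code rejects, i.e. the example behaves as described. */
int demo_wrapped_section(void)
{
    const uint32_t file_size = 0x10000;
    struct section secs[2] = {
        { 0x0400, 0x0C00 },        /* benign: ends at 0x1000 */
        { 0x1000, 0xFFFFF800u },   /* 0x1000 + 0xFFFFF800 wraps to 0x800 */
    };
    uint32_t safe_total = 0;

    int naive_ok = section_in_bounds_naive(&secs[1], file_size); /* 1: fooled */
    int safe_ok  = section_in_bounds_safe(&secs[1], file_size);  /* 0: rejected */
    uint32_t nt  = total_size_naive(secs, 2);   /* 0x0C00 + 0xFFFFF800 wraps to 0x400 */
    int safe_sum = total_size_safe(secs, 2, &safe_total);        /* 0: overflow caught */

    return naive_ok == 1 && safe_ok == 0 && nt == 0x400 && safe_sum == 0;
}

int main(void)
{
    printf("naive checks fooled, hardened checks reject: %s\n",
           demo_wrapped_section() ? "yes" : "no");
    return 0;
}
```

The point to carry away is that `offset + size <= file_size` is only sound when the sum cannot wrap; comparing `size` against `file_size - offset` (after confirming `offset <= file_size`) avoids the intermediate sum entirely, and the same pattern applies to any running total built from attacker-supplied lengths.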

If there are reasons that prevent an upgrade to version 0.92.1, you can disable the scanning of PE files as a workaround (keeping in mind that packed Windows executables then go unscanned, so this is a stopgap, not a fix):

  • If using clamscan: run clamscan with the '--no-pe' option.
  • If using clamdscan: set the 'ScanPE' option in clamd.conf to 'no' and restart clamd.

You can visit the ClamAV download site here.

  • FreeBSD closes vulnerabilities

A network flaw that let a specially crafted packet crash a FreeBSD system, and an information disclosure flaw in sendfile(2), have been fixed.

The crash results from an improper reference to a data structure used in IPsec packet processing, which leads to a NULL pointer dereference. Receipt of a specially crafted packet causes a kernel panic if IPsec is compiled into the kernel, whether or not it is configured.

There is no workaround other than upgrading your system to 5-STABLE or to 5.5-RELEASE-p19. Alternatively, you can apply the patch and recompile the kernel. Instructions can be found here.

The second vulnerability allows a user process to send the contents of a local file over a socket as long as the user has write, but not read, access to the file. The sendfile(2) system call did not check the file descriptor's access flags before sending data from it, so a descriptor opened write-only was accepted as the source.

Again, there is no workaround other than updating. This bug affects FreeBSD 5 through 7.0. Instructions to resolve this flaw can be found here.
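As an added illustration of the check that was missing (not FreeBSD's kernel code), the C program below contrasts the ordinary read(2) path, which refuses a write-only descriptor with EBADF, with a guard that asks the descriptor for its access mode the way a sendfile-style "stream this file out" path must before touching the data. It creates a scratch file under /tmp, assumed writable, and the file contents are constructed for the example.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/*
 * Added illustration (not FreeBSD's code): the access-mode check a
 * sendfile-style path must make.  fcntl(F_GETFL) masked with O_ACCMODE
 * yields O_RDONLY, O_WRONLY or O_RDWR; only the first and last may be
 * read from.  This is the same property the kernel's read(2) path
 * already enforces, which is why skipping it in sendfile(2) was a bypass.
 */
int fd_is_readable(int fd)
{
    int flags = fcntl(fd, F_GETFL);
    if (flags == -1)
        return 0;                        /* bad descriptor: refuse */
    int mode = flags & O_ACCMODE;
    return mode == O_RDONLY || mode == O_RDWR;
}

/* Create a scratch file with constructed contents; returns the path in
 * buf (must hold the template) and 0 on success, -1 on failure. */
static int make_scratch(char *buf)
{
    int fd = mkstemp(buf);
    if (fd == -1)
        return -1;
    int ok = write(fd, "secret\n", 7) == 7;
    close(fd);
    if (!ok)
        unlink(buf);
    return ok ? 0 : -1;
}

/* Reopen the scratch file with open_flags and report whether the guard
 * would let a sendfile-style call read it: 1 allowed, 0 rejected,
 * -1 setup failure. */
int guard_allows_open_mode(int open_flags)
{
    char path[] = "/tmp/sendfile_guard_XXXXXX";   /* /tmp assumed writable */
    if (make_scratch(path) == -1)
        return -1;
    int fd = open(path, open_flags);
    int verdict = (fd == -1) ? -1 : fd_is_readable(fd);
    if (fd != -1)
        close(fd);
    unlink(path);
    return verdict;
}

/* The ordinary path for comparison: does read(2) succeed on a descriptor
 * opened with open_flags?  1 yes, 0 refused with EBADF, -1 setup failure. */
int plain_read_succeeds(int open_flags)
{
    char path[] = "/tmp/sendfile_read_XXXXXX";
    if (make_scratch(path) == -1)
        return -1;
    int fd = open(path, open_flags);
    int verdict = -1;
    if (fd != -1) {
        char c;
        ssize_t n = read(fd, &c, 1);
        verdict = (n == 1) ? 1 : (errno == EBADF ? 0 : -1);
        close(fd);
    }
    unlink(path);
    return verdict;
}

int main(void)
{
    printf("read(2) on O_WRONLY fd succeeds:  %d (expect 0)\n", plain_read_succeeds(O_WRONLY));
    printf("guard allows O_WRONLY fd:         %d (expect 0)\n", guard_allows_open_mode(O_WRONLY));
    printf("guard allows O_RDONLY fd:         %d (expect 1)\n", guard_allows_open_mode(O_RDONLY));
    printf("guard allows O_RDWR fd:           %d (expect 1)\n", guard_allows_open_mode(O_RDWR));
    return 0;
}
```

Any path that copies file data on a user's behalf without going through read(2) needs this check itself; a descriptor obtained with write-only access is proof of permission to write, never of permission to read.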

  • Vulnerabilities in Cisco IP telephony products

Cisco has published two security advisories covering additional vulnerabilities in its IP Phone and Unified Communications Manager products. The impact ranges from arbitrary code execution to denial of service and information disclosure.

heise Security has a summary of the issues:

[In some phones with SCCP and SIP support] a buffer overflow can occur when handling specially crafted DNS replies, allowing code to be injected. IP Phones that only use the Skinny Client Control Protocol (SCCP) might be able to execute arbitrary code if attackers send manipulated packets to the internal SSH server. Furthermore, the telephones may crash and reboot if they receive large ping packets, or while handling manipulated HTTP queries to the HTTP server integrated in the telephones.

Three flaws in the routines that handle the Session Initiation Protocol (SIP) can be exploited to execute arbitrary code. The IP Phones trip up when decoding manipulated IP messages with MIME-encoded content. Malicious code can also be executed when handling specially crafted packets containing a challenge/response message from a SIP proxy. If the preinstalled telnet server is enabled, registered users can escalate their privileges and execute arbitrary code by using commands of which no further details are provided.

If you use the Unified Messaging Server, know that there is a flaw that allows registered users to extract usernames and password hashes from the database. Registered users will have no problem downloading the latest firmware and updated versions of software from Cisco's Web site.

As usual, administrators are urged to update as soon as possible.

  • Critical vulnerabilities discovered in Adobe Flash Media Server

Vulnerabilities have been identified in Adobe Flash Media Server that could allow an attacker to take control of the affected system.

The attack vector is TCP port 1935 or TCP port 19350 and the flaws are remotely exploitable, so exposure of those ports to untrusted networks is the first thing to check while the update is rolled out. The vulnerabilities exist in the code that parses Real Time Messaging Protocol (RTMP) messages, a proprietary binary protocol developed by Adobe.

Adobe rates this as critical, the most severe tier of its four-level scale. Adobe's definition of that tier: "A vulnerability, which, if exploited would allow malicious native-code to execute, potentially without a user being aware."

The flaw affects Adobe Flash Media Server 2.0.4 and earlier. System administrators are urged to install the Flash Media Server 2.0.5 update as soon as possible. You can read the original bulletin from Adobe here.

  • Vista SP1 poses low hurdle to pirates

Microsoft had earlier indicated that SP1 would offer better protection against pirates, as well as disable some of the current activation hacks circulating on the Internet.

However, according to this report from heise Security, a hole in Vista's OEM activation scheme can still be exploited to activate systems without ever contacting Microsoft's activation servers.

In fact, one of the existing cracks still works with SP1:

... the crack installs a boot loader containing a few kilobytes on the system drive, and it runs before Vista's own one gets a chance. The loading program adds a PC manufacturer's licence information to the BIOS. Since this method doesn't use manipulated drivers, even Vista's x64 version, which accepts only signed drivers, can be fooled.

Once the manufacturer's data are in the BIOS, the cracker script can activate Vista with its own on-board resources by installing the appropriate manufacturer's certificate and the general code. These certificate files are openly available on the recovery media supplied with PCs that have Windows Vista preinstalled.

SP1 does disable some other Vista cracks, but the one above, in circulation since mid-2007, still works. Microsoft could presumably shut it down later, if it chooses to, through a Windows update.