===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.1095
          Novell File Reporter contains multiple vulnerabilities
                             19 November 2012
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Novell File Reporter
Publisher:         US-CERT
Operating System:  Windows
                   SUSE
                   Netware
Impact/Access:     Administrator Compromise        -- Remote/Unauthenticated
                   Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Create Arbitrary Files          -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Mitigation
CVE Names:         CVE-2012-4959 CVE-2012-4958 CVE-2012-4957
                   CVE-2012-4956

Original Bulletin:
   http://www.kb.cert.org/vuls/id/273371

Comment: Proof of concept is publicly available for this vulnerability and
         there is no known fix. This US-CERT bulletin contains a suggested
         workaround. In addition, NFRAgent.exe uses port 3037/TCP therefore
         blocking this port on the Enterprise border is recommended.

--------------------------BEGIN INCLUDED TEXT--------------------

Vulnerability Note VU#273371

Novell File Reporter contains multiple vulnerabilities

Original Release date: 16 Nov 2012 | Last revised: 16 Nov 2012

Overview

Novell File Reporter 1.0.2 contains multiple vulnerabilities including a
heap overflow, arbitrary file retrieval, and arbitrary file upload.

Description

The Rapid7 advisory states:

    CVE-2012-4956 - Heap Overflow

    When handling requests of name "SRS", the NFRAgent.exe fails to
    generate a response in a secure way, copying user controlled data into
    a fixed-length buffer in the heap without bounds checking. This
    vulnerability can result in remote code execution under the context of
    the SYSTEM account.

    CVE-2012-4957 - Arbitrary File Retrieval

    When handling requests on "/FSF/CMD" for records with NAME "SRS",
    OPERATION "4" and CMD "103" the NFRAgent.exe allows a remote
    unauthenticated user to retrieve arbitrary remote files, specified
    with the tag "PATH", with SYSTEM privileges.

    CVE-2012-4958 - Arbitrary File Retrieval

    When handling requests on "/FSF/CMD" for records with NAME "FSFUI" and
    UICMD "126" the NFRAgent.exe allows a remote unauthenticated user to
    retrieve arbitrary remote text files, specified with the tag "FILE",
    with SYSTEM privileges.

    CVE-2012-4959 - Arbitrary File Upload

    When handling requests on "/FSF/CMD" for records with NAME "FSFUI" and
    UICMD "130" the NFRAgent.exe allows a remote unauthenticated user to
    upload files to the host, specified with the tag "FILE", with SYSTEM
    privileges. This allows remote code execution with SYSTEM privileges.

Additional details may be found in the Rapid7 blog post entitled "New 0day
Exploits: Novell File Reporter Vulnerabilities".

Impact

A remote unauthenticated attacker may be able to execute code, retrieve
arbitrary files, and upload arbitrary files to the host.

Solution

We are currently unaware of a practical solution to this problem. Please
consider the following workaround.

Restrict Access

Deploy appropriate firewall rules so only trusted networks and hosts can
communicate with the Novell File Reporter agent.

Vendor Information

Vendor         Status     Date Notified   Date Updated
Novell, Inc.   Affected   -               16 Nov 2012

If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group           Score   Vector
Base            7.8     AV:N/AC:M/Au:N/C:C/I:P/A:N
Temporal        7.4     E:H/RL:W/RC:C
Environmental   5.6     CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

https://community.rapid7.com/community/metasploit/blog/2012/11/16/nfr-agent-buffer-vulnerabilites-cve-2012-4959

Credit

Thanks to Juan Vazquez for reporting this vulnerability.

This document was written by Jared Allar.

Other Information

CVE IDs:               CVE-2012-4956 CVE-2012-4957 CVE-2012-4958
                       CVE-2012-4959
Date Public:           16 Nov 2012
Date First Published:  16 Nov 2012
Date Last Updated:     16 Nov 2012
Document Revision:     14

Feedback

If you have feedback, comments, or additional information about this
vulnerability, please send us email.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
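
Added example (not part of the AusCERT or US-CERT text): one way to check that the "Restrict Access" workaround is holding is to audit sensor events for sources outside a trusted allow-list that reached 3037/TCP, and to label requests matching the field combinations the advisory lists. The event schema (src, dport, uri, and record fields already parsed by a sensor), the trusted networks and every sample value below are assumptions made for illustration.

```python
import ipaddress

AGENT_PORT = 3037  # NFRAgent.exe listener named in the bulletin
# Assumption: site-specific allow-list of hosts/networks that may reach the agent.
TRUSTED = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "192.0.2.10/32")]

# (required URI or None, required fields, CVE, tag naming the file) per the advisory.
# Most specific first; a bare SRS request still reaches the overflow-prone handler.
SIGNATURES = [
    ("/FSF/CMD", {"NAME": "SRS", "OPERATION": "4", "CMD": "103"}, "CVE-2012-4957", "PATH"),
    ("/FSF/CMD", {"NAME": "FSFUI", "UICMD": "126"}, "CVE-2012-4958", "FILE"),
    ("/FSF/CMD", {"NAME": "FSFUI", "UICMD": "130"}, "CVE-2012-4959", "FILE"),
    (None, {"NAME": "SRS"}, "CVE-2012-4956", None),
]

def is_trusted(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED)

def match_cve(uri, fields):
    """Return (cve, file_tag_value) for the first matching signature, else (None, None)."""
    for want_uri, required, cve, tag in SIGNATURES:
        if want_uri not in (None, uri):
            continue
        if all(fields.get(k) == v for k, v in required.items()):
            return cve, fields.get(tag) if tag else None
    return None, None

def audit(events):
    """Report each untrusted source that reached the agent port, with any CVE pattern."""
    findings = []
    for ev in events:
        if ev["dport"] != AGENT_PORT or is_trusted(ev["src"]):
            continue
        cve, target = match_cve(ev.get("uri"), ev.get("fields", {}))
        findings.append({"src": ev["src"], "cve": cve or "firewall-gap", "target": target})
    return findings

# Constructed sample events (documentation address ranges, placeholder file names).
SAMPLE_EVENTS = [
    {"src": "10.20.0.5", "dport": 3037, "uri": "/FSF/CMD",
     "fields": {"NAME": "SRS", "OPERATION": "4", "CMD": "103", "PATH": "report.tmp"}},
    {"src": "203.0.113.7", "dport": 3037, "uri": "/FSF/CMD",
     "fields": {"NAME": "FSFUI", "UICMD": "130", "FILE": "example.bin"}},
    {"src": "198.51.100.9", "dport": 3037, "uri": "/FSF/CMD",
     "fields": {"NAME": "FSFUI", "UICMD": "126", "FILE": "example.txt"}},
    {"src": "198.51.100.9", "dport": 3037},
    {"src": "203.0.113.7", "dport": 443, "uri": "/"},
]
```

A "firewall-gap" finding means an untrusted host reached the agent port without a recognised record; with no fix available, any such finding indicates the filtering rules need tightening.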