-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.1601
  Security Bulletin: Vulnerabilities in Sametime Enterprise Meeting Server
     (CVE-2013-3044, CVE-2013-3045, CVE-2013-0537, CVE-2013-3985) and
       IBM Lotus Sametime WebPlayer Denial-of-Service (CVE-2013-3986)
                              11 November 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Sametime Enterprise Meeting Server
                   IBM Sametime WebPlayer
Publisher:         IBM
Operating System:  Linux variants
                   AIX
                   Windows
                   OS X
Impact/Access:     Access Privileged Data         -- Remote/Unauthenticated
                   Denial of Service              -- Remote/Unauthenticated
                   Provide Misleading Information -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-3986 CVE-2013-3985 CVE-2013-3045
                   CVE-2013-3044 CVE-2013-0537

Original Bulletin:
  http://www-01.ibm.com/support/docview.wss?uid=swg21654355
  http://www-01.ibm.com/support/docview.wss?uid=swg21654041

Comment: This bulletin contains two (2) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Vulnerabilities in Sametime Enterprise Meeting Server
(CVE-2013-3044, CVE-2013-3045, CVE-2013-0537, CVE-2013-3985)

Flash (Alert)

Document information

IBM Sametime Enterprise Meeting Server
Software version: 8.5.2, 8.5.2.1
Operating system(s): AIX, Linux, Mac OS X, Windows
Reference #: 1654355
Modified date: 2013-11-08

Abstract

The security bulletin addresses various vulnerabilities found in the Sametime
Enterprise Meeting Server regarding spoofing and domain cookies.

Content

VULNERABILITY DETAILS

CVE ID: CVE-2013-3044

DESCRIPTION
A user with permission to join a Sametime meeting can spoof messages from a
user or post anonymous messages into the chat session.
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84815
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVE ID: CVE-2013-3045

DESCRIPTION
A malicious user may use this ability to share a malicious link with other
users through the Library function.

CVSS Base Score: 2.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84816
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)

CVE ID: CVE-2013-0537

DESCRIPTION
A user with permission to join a Sametime meeting can send spoofed links from
any user to all members of the current meeting.

CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84840
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVE ID: CVE-2013-3985

DESCRIPTION
The Domain variable used to restrict application cookies is not tightly set
and may result in exposed session variables.

CVSS Base Score: 2.9
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84968
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:A/AC:M/Au:N/C:P/I:N/A:N)

AFFECTED PRODUCTS
IBM Lotus Sametime Enterprise Meeting Server versions 8.5.2 and 8.5.2.1

FIX
The fix for CVE-2013-3044, CVE-2013-3045 and CVE-2013-0537 is provided at
this Fix Central link: 8521-ST-Meetings-IF-RHOK-9D2NLF

CVE-2013-3985 can be addressed via the configuration instructions in this
document: "Implementing single sign-on to minimize web user authentications."

INSTALLATION INSTRUCTIONS
This fix should be installed by following the same documented instructions
that apply to installing the Sametime 8.5.2 IFR1 Hotfix:

  "Installing a meeting server on AIX, Linux, Solaris, or Windows"
  "Updating Sametime 8.5.2 on AIX, Linux, Solaris, or Windows"
  "Installing Sametime 8.5.2 Interim Feature Release 1"
  "Installing Sametime 8.5.2 Interim Feature Release 1 on servers running on
   WebSphere Application Server"

WORKAROUND(S) & MITIGATION(S)
None available.
Please apply the fix.

REFERENCES
CVE-2013-3044 http://xforce.iss.net/xforce/xfdb/84815
CVE-2013-3045 http://xforce.iss.net/xforce/xfdb/84816
CVE-2013-0537 http://xforce.iss.net/xforce/xfdb/84840
CVE-2013-3985 http://xforce.iss.net/xforce/xfdb/84968

RELATED INFORMATION
Complete CVSS Guide
CVSS Online Calculator V2
IBM Product Security Incident Response Program
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

ACKNOWLEDGEMENT
The vulnerability was reported to IBM by Chris John Riley - R-IT CERT.

CHANGE HISTORY:
7 November 2013: Original Copy Published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST),
the Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Copyright and trademark information
IBM, the IBM logo and ibm.com are trademarks of International Business
Machines Corp., registered in many jurisdictions worldwide. Other product and
service names might be trademarks of IBM or other companies. A current list of
IBM trademarks is available on the Web at "Copyright and trademark
information" at www.ibm.com/legal/copytrade.shtml.
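Added here as an illustration of the cookie-scoping issue behind CVE-2013-3985 (not code from IBM or from this bulletin): a small audit that classifies how widely each session cookie a server sets will be shared by the browser, and flags a Domain attribute that is a parent of the issuing host. The hostnames, cookie values and the session-cookie names JSESSIONID and LtpaToken2 (WebSphere defaults, assumed here) are constructed for the demo.

```python
# Added example, not from the bulletin: classify how widely a server's session
# cookies are shared, to catch the loosely-set Domain attribute described for
# CVE-2013-3985. Session-cookie names are WebSphere defaults assumed here; the
# hosts and header values in the demo are constructed.
SESSION_COOKIES = {"JSESSIONID", "LtpaToken2"}

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, attrs); attribute keys lower-cased."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs

def domain_scope(host, domain):
    """Where a browser will send the cookie, given the issuing host and Domain attr.
    host-only: no Domain attribute, returned only to `host` (the tight setting)
    exact:     Domain equals host; still shared with every subdomain of host
    parent:    Domain is an ancestor of host; every sibling host under it gets it
    invalid:   Domain does not cover host; browsers discard the cookie"""
    if not domain:
        return "host-only"
    dom, hst = domain.lstrip(".").lower(), host.lower()
    if dom == hst:
        return "exact"
    if hst.endswith("." + dom):
        return "parent"
    return "invalid"

def audit_cookies(host, headers):
    """Return [(name, scope, note)] for session cookies that sibling hosts could read."""
    findings = []
    for header in headers:
        name, attrs = parse_set_cookie(header)
        if name not in SESSION_COOKIES:
            continue
        scope = domain_scope(host, attrs.get("domain"))
        if scope == "parent":
            findings.append((name, scope, f"Domain={attrs['domain']} shares {name} "
                             f"with every host under {attrs['domain'].lstrip('.')}"))
    return findings

if __name__ == "__main__":
    host = "meetings.sametime.example.com"           # constructed meeting server
    loose = ["JSESSIONID=0000abc; Domain=.example.com; Path=/; HttpOnly"]
    tight = ["JSESSIONID=0000abc; Path=/; Secure; HttpOnly"]
    print(audit_cookies(host, loose))   # one finding: JSESSIONID scoped to .example.com
    print(audit_cookies(host, tight))   # []
```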
- ------------------------------------------------------------------------------

Security Bulletin: IBM Lotus Sametime WebPlayer Denial-of-Service
(CVE-2013-3986)

Flash (Alert)

Document information

IBM Sametime Audio/Voice chat
Software version: 8.5.2, 8.5.2.1
Operating system(s): Mac OS X, Windows
Reference #: 1654041
Modified date: 2013-11-07

Abstract

An attacker participating in a Sametime Audio Visual (AV) session may be able
to crash the IBM Sametime WebPlayer extension (Firefox extension) session of
other users.

Content

VULNERABILITY DETAILS

CVE ID: CVE-2013-3986

DESCRIPTION
An attacker participating in a Sametime Audio Visual (AV) session may be able
to crash the IBM Sametime WebPlayer extension (Firefox extension) session of
other users.

CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84969
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

AFFECTED PRODUCTS
IBM Lotus Sametime WebPlayer versions 8.5.2 and 8.5.2.1

FIX
The fix can be downloaded from here: 8521-ST-Meida-IF-AUDT-9D6GKQ

INSTALLATION INSTRUCTIONS

Server side instructions:

1. Log in to the machine where the Sametime Proxy Server is installed.
2. Navigate to the path
   $WAS_INSTALL_PATH\profiles\<Proxy Server Profile Name>\installedApps\<Cell Name>\SametimeProxy.ear\stwebav.war
3. Back up the original "stwebsoftphone.CAB" and "stwebsoftphone.zip" by
   copying them to some other location.
4. Copy the two new files from Fix Central (link above in the "Fix" section
   of this document) to the location mentioned above in these steps.
   (Note that "stwebsoftphone.CAB" is for Windows and "stwebsoftphone.zip"
   is for Mac.)
5. Open VersionInfo.properties and set "Softphone=8.5.2.19".
6. Restart the Sametime Proxy Server.

Client side instructions:

Uninstalling the plugin

Follow the instructions that apply to your operating system and browser to
uninstall the Sametime web audio-visual plugin.
Internet Explorer on Microsoft Windows

Internet Explorer 6:
1. Open Explorer and navigate to the folder %WINDIR%\Downloaded Program Files.
2. Remove the entry "IBM Lotus Sametime WebPlayer" Control.

Internet Explorer 7 and 8:
1. Launch Internet Explorer and navigate to Tools -> Manage Add-ons.
2. Select Show All Add-ons.
3. Double-click IBM Lotus Sametime WebPlayer and click Remove.

Mozilla Firefox on Microsoft Windows and Mac OSX
1. Launch Firefox and navigate to Tools -> Add-ons.
2. Open the Extensions tab.
3. Select IBM Lotus Sametime WebPlayer.
4. Click Uninstall.

Clean up folders that are no longer needed:

Windows XP: Delete the folders
  %PROGRAMFILES%\IBM\Lotus\Sametime WebPlayer\ and
  %APPDATA%\IBM\Lotus\Sametime WebPlayer\

Windows 7: Delete the folder
  %USERPROFILE%\AppData\LocalLow\IBM\Lotus\Sametime WebPlayer\

Mac OSX: Delete the folder
  $HOME/Library/ApplicationSupport/IBM/Lotus/Sametime WebPlayer/

After uninstalling, click the Meeting Server URL, install the web AV plug-in
and proceed with the call.

For more details refer to: "Installing and uninstalling the Sametime web
audio-visual plugin automatically from a browser"

WORKAROUND(S) & MITIGATION(S)
None available. Please apply the fix.

REFERENCES
CVE-2013-3986 http://xforce.iss.net/xforce/xfdb/84969

RELATED INFORMATION
Complete CVSS Guide
CVSS Online Calculator V2
IBM Product Security Incident Response Program
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

ACKNOWLEDGEMENT
The vulnerability was reported to IBM by Chris John Riley - R-IT CERT.

CHANGE HISTORY
- 7 November 2013: Original Copy Published
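Added example of the server-side steps 3 to 5 above as a repeatable script (not IBM's tooling): it backs up the two plugin bundles, copies in the Fix Central files, sets Softphone=8.5.2.19 and reports whether the directory is patched, comparing the version numerically so 8.5.2.9 is not mistaken for a later build. It assumes VersionInfo.properties lives in the same stwebav.war directory, which the bulletin does not state; the paths and property contents used in the demo are constructed.

```python
# Added example, not IBM's tooling: steps 3-5 of the bulletin's server-side fix on a
# Sametime Proxy Server's stwebav.war directory, plus a check that the fix is in place.
# Assumes VersionInfo.properties is in that directory (the bulletin does not say where).
import shutil
from pathlib import Path

FIXED_FILES = ("stwebsoftphone.CAB", "stwebsoftphone.zip")  # Windows / Mac bundles
TARGET_VERSION = "8.5.2.19"                                 # value named in step 5

def version_tuple(text):
    """'8.5.2.19' -> (8, 5, 2, 19): compare numerically, not as strings."""
    return tuple(int(part) for part in text.strip().split("."))

def softphone_version(props_text):
    """Softphone= value from VersionInfo.properties text, or None if absent."""
    for line in props_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "Softphone":
            return value.strip()
    return None

def is_patched(props_text):
    """True once the properties record Softphone >= 8.5.2.19."""
    current = softphone_version(props_text)
    return current is not None and version_tuple(current) >= version_tuple(TARGET_VERSION)

def update_properties(props_text, version=TARGET_VERSION):
    """Rewrite (or append) the Softphone= line; every other key is left untouched."""
    out, done = [], False
    for line in props_text.splitlines():
        if line.partition("=")[0].strip() == "Softphone":
            out.append(f"Softphone={version}")
            done = True
        else:
            out.append(line)
    if not done:
        out.append(f"Softphone={version}")
    return "\n".join(out) + "\n"

def apply_fix(war_dir, new_files_dir, backup_dir):
    """Back up the originals, copy in the Fix Central files, set the version.
    Re-running on an already patched directory changes nothing."""
    war, new, bak = Path(war_dir), Path(new_files_dir), Path(backup_dir)
    props = war / "VersionInfo.properties"
    if is_patched(props.read_text()):
        return True
    bak.mkdir(parents=True, exist_ok=True)
    for name in FIXED_FILES:
        shutil.copy2(war / name, bak / name)   # step 3: keep the originals
        shutil.copy2(new / name, war / name)   # step 4: install the fixed files
    props.write_text(update_properties(props.read_text()))  # step 5
    return is_patched(props.read_text())       # restart the proxy server afterwards (step 6)
```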
- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----