-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.1601
 Security Bulletin: Vulnerabilities in Sametime Enterprise Meeting Server
(CVE-2013-3044, CVE-2013-3045, CVE-2013-0537, CVE-2013-3985) and IBM Lotus
           Sametime WebPlayer Denial-of-Service (CVE-2013-3986)
                             11 November 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Sametime Enterprise Meeting Server
                   IBM Sametime WebPlayer
Publisher:         IBM
Operating System:  Linux variants
                   AIX
                   Windows
                   OS X
Impact/Access:     Access Privileged Data         -- Remote/Unauthenticated
                   Denial of Service              -- Remote/Unauthenticated
                   Provide Misleading Information -- Existing Account      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-3986 CVE-2013-3985 CVE-2013-3045
                   CVE-2013-3044 CVE-2013-0537 

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21654355
   http://www-01.ibm.com/support/docview.wss?uid=swg21654041

Comment: This bulletin contains two (2) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Vulnerabilities in Sametime Enterprise Meeting Server 
(CVE-2013-3044, CVE-2013-3045, CVE-2013-0537, CVE-2013-3985)

Flash (Alert)

Document information

IBM Sametime

Enterprise Meeting Server

Software version:
8.5.2, 8.5.2.1

Operating system(s):
AIX, Linux, Mac OS X, Windows

Reference #:
1654355

Modified date:
2013-11-08

Abstract

The security bulletin addresses various vulnerabilities found in the Sametime 
Enterprise Meeting Server regarding spoofing and domain cookies.

Content

VULNERABILITY DETAILS

CVE ID: CVE-2013-3044

DESCRIPTION
A user with permission to join a Sametime meeting can spoof messages from a 
user or post anonymous messages into the chat session.

CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84815 
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)


CVE ID: CVE-2013-3045

DESCRIPTION
A malicious user may use this ability to share a malicious link with other 
users through the Library function.

CVSS Base Score: 2.6
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84816 
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:N/I:P/A:N)


CVE ID: CVE-2013-0537

DESCRIPTION
A user with permission to join a Sametime meeting can send spoofed links from 
any user to all members of the current meeting.

CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84840 
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)


CVE ID: CVE-2013-3985

DESCRIPTION
The Domain variable used to restrict application cookies is not tightly set 
and may result in exposed session variables.

CVSS Base Score: 2.9
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84968 
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:A/AC:M/Au:N/C:P/I:N/A:N)
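CVE-2013-3985 comes down to how tightly the Domain attribute on the server's cookies is scoped: a cookie with no Domain attribute is host-only, while a Domain naming a parent of the host is sent to every host under that parent. The script below is an added example for this bulletin, not code from IBM or AusCERT; it parses Set-Cookie headers and flags any cookie whose Domain is wider than the issuing host. The host name and the headers it checks are constructed sample data, not values captured from a Sametime server, and the public-suffix check is a label count only.

```python
"""Flag Set-Cookie headers whose Domain attribute is wider than the host that
issued them (the cookie-scoping weakness described for CVE-2013-3985).

Added example, not IBM's or AusCERT's code. SAMPLE_HOST and SAMPLE_HEADERS are
constructed sample data.
"""


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def domain_scope_issue(host, domain):
    """Return a short reason if `domain` is wider than `host`, else None.

    A leading dot is ignored, as browsers do. The public-suffix test is a
    crude label count; a production audit would use the Public Suffix List.
    """
    dom = domain.lstrip(".").lower()
    hst = host.lower()
    if dom == hst:
        return None                            # scoped exactly to the host
    if not hst.endswith("." + dom):
        return "domain does not match host"    # browsers reject this cookie
    if len(dom.split(".")) < 2:
        return "domain is a public suffix / TLD"
    return "cookie shared with every host under " + dom


def audit_cookies(host, set_cookie_headers):
    """Return [(cookie_name, reason)] for every cookie scoped too widely."""
    findings = []
    for header in set_cookie_headers:
        name, _value, attrs = parse_set_cookie(header)
        if "domain" not in attrs:
            continue                           # host-only cookie: tightest scope
        reason = domain_scope_issue(host, attrs["domain"])
        if reason:
            findings.append((name, reason))
    return findings


# Constructed sample: headers a meeting server on this host might send back.
SAMPLE_HOST = "meetings.example.com"
SAMPLE_HEADERS = [
    "LtpaToken=AAAA; Domain=.example.com; Path=/; HttpOnly",
    "JSESSIONID=BBBB; Path=/; HttpOnly",
    "stmeeting=CCCC; Domain=meetings.example.com; Path=/",
    "tracking=DDDD; Domain=.com; Path=/",
]

if __name__ == "__main__":
    for cookie, why in audit_cookies(SAMPLE_HOST, SAMPLE_HEADERS):
        print(f"{cookie}: {why}")
```

Run it against the Set-Cookie headers of a real login response (for example, copied from the browser's network panel) with the meeting server's host name; the SSO configuration document the FIX section cites is where the cookie domain for the server is set.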


AFFECTED PRODUCTS

IBM Lotus Sametime Enterprise Meeting server versions 8.5.2 and 8.5.2.1


FIX
The fix for CVEs CVE-2013-3044, CVE-2013-3045 and CVE-2013-0537 is provided at 
this Fix Central link: 8521-ST-Meetings-IF-RHOK-9D2NLF

CVE-2013-3985 can be addressed via the configuration instructions in this 
document: "Implementing single sign-on to minimize web user authentications."


INSTALLATION INSTRUCTIONS

This fix should be installed by following the same documented instructions 
that apply to installing the Sametime 8.5.2 IFR1 Hotfix:

    "Installing a meeting server on AIX, Linux, Solaris, or Windows"
    "Updating Sametime 8.5.2 on AIX, Linux, Solaris, or Windows"
    "Installing Sametime 8.5.2 Interim Feature Release 1"
    "Installing Sametime 8.5.2 Interim Feature Release 1 on servers running 
    on WebSphere Application Server"


WORKAROUND(S) & MITIGATION(S)
None available. Please apply the fix.


REFERENCES

    CVE-2013-3044
        http://xforce.iss.net/xforce/xfdb/84815
    CVE-2013-3045
        http://xforce.iss.net/xforce/xfdb/84816
    CVE-2013-0537
        http://xforce.iss.net/xforce/xfdb/84840
    CVE-2013-3985
        http://xforce.iss.net/xforce/xfdb/84968


RELATED INFORMATION

    Complete CVSS Guide
    CVSS Online Calculator V2
    IBM Product Security Incident Response Program
    IBM Secure Engineering Web Portal
    IBM Product Security Incident Response Blog


ACKNOWLEDGEMENT
The vulnerability was reported to IBM by Chris John Riley - R-IT CERT.


CHANGE HISTORY: 7 November 2013: Original Copy Published

*The CVSS Environment Score is customer environment specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of 
this vulnerability in their environments by accessing the links in the 
Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST), 
the Common Vulnerability Scoring System (CVSS) is an "industry open standard 
designed to convey vulnerability severity and help to determine urgency and 
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY 
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT 
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Copyright and trademark information

IBM, the IBM logo and ibm.com are trademarks of International Business 
Machines Corp., registered in many jurisdictions worldwide. Other product and 
service names might be trademarks of IBM or other companies. A current list of 
IBM trademarks is available on the Web at "Copyright and trademark 
information" at www.ibm.com/legal/copytrade.shtml.

- ------------------------------------------------------------------------------

Security Bulletin: IBM Lotus Sametime WebPlayer Denial-of-Service 
(CVE-2013-3986)

Flash (Alert)

Document information

IBM Sametime

Audio/Voice chat

Software version:
8.5.2, 8.5.2.1

Operating system(s):
Mac OS X, Windows

Reference #:
1654041

Modified date:
2013-11-07

Abstract

An attacker participating in a Sametime Audio Visual (AV) session may be able 
to crash the IBM Sametime WebPlayer extension (Firefox extension) session of 
other users.

Content

VULNERABILITY DETAILS
CVE ID: CVE-2013-3986

DESCRIPTION
An attacker participating in a Sametime Audio Visual (AV) session may be able 
to crash the IBM Sametime WebPlayer extension (Firefox extension) session of 
other users.


CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84969 
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)


AFFECTED PRODUCTS

IBM Lotus Sametime WebPlayer versions 8.5.2 and 8.5.2.1


FIX
The fix can be downloaded from here: 8521-ST-Meida-IF-AUDT-9D6GKQ


INSTALLATION INSTRUCTIONS

Server side instructions:

1. Login to the machine where the Sametime Proxy Server is installed.

2. Navigate to the path --> $WAS_INSTALL_PATH\profiles\<Proxy Server Profile 
Name>\installedApps\<Cell Name>\SametimeProxy.ear\stwebav.war.

3. Back up the original "stwebsoftphone.CAB" and "stwebsoftphone.zip" by 
copying them to some other location.

4. Copy the two new files from Fix Central (link above in the "Fix" section of 
this document) to the location mentioned above in these steps. (Note: 
"stwebsoftphone.CAB" is for Windows and "stwebsoftphone.zip" is for Mac.)

5. Open VersionInfo.properties and set "Softphone=8.5.2.19".

6. Restart the Sametime Proxy Server.
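The server-side steps above (back up the two softphone packages, copy in the new ones, set Softphone in VersionInfo.properties, restart) are easy to get half-done on a busy WebSphere host, so a scripted apply-and-verify pass is worth having. The Python below is an added example for this bulletin, not IBM's tooling: it performs steps 3 and 5 against a stwebav.war directory and reports whether the result matches the bulletin, including the case where the new Fix Central files were never copied in (step 4). The version string is the one step 5 gives; the directory layout the self-test builds is a constructed stand-in for the real WAR, and step 6 (the restart) is left to the operator.

```python
"""Apply and verify the server-side WebPlayer fix steps 3 to 5 in a
SametimeProxy stwebav.war directory.

Added example, not IBM's code. FIXED_SOFTPHONE_VERSION is the value from
step 5 of the bulletin; the WAR layout run_demo() builds is constructed.
"""
import filecmp
import shutil
import tempfile
from datetime import datetime
from pathlib import Path

FIXED_SOFTPHONE_VERSION = "8.5.2.19"                    # bulletin, step 5
PATCHED_FILES = ("stwebsoftphone.CAB", "stwebsoftphone.zip")
PROPERTIES_FILE = "VersionInfo.properties"


def backup_originals(war_dir, backup_dir):
    """Step 3: copy the original packages aside; returns the backup paths."""
    war_dir, backup_dir = Path(war_dir), Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now().strftime("%Y%m%d-%H%M%S")
    created = []
    for name in PATCHED_FILES:
        src = war_dir / name
        if src.is_file():                               # absent: nothing to save
            dst = backup_dir / f"{name}.{stamp}.bak"
            shutil.copy2(src, dst)
            created.append(dst)
    return created


def _entries(path):
    """Yield (key, value, raw_line) from a Java .properties file (ISO-8859-1)."""
    for line in Path(path).read_text(encoding="latin-1").splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("#", "!")):
            yield None, None, line                      # blank/comment: keep
            continue
        key, sep, value = stripped.partition("=")
        yield (key.strip() if sep else None), value.strip(), line


def read_property(props_path, key):
    """Return the value of `key`, or None if the file or key is absent."""
    if not Path(props_path).is_file():
        return None
    return next((v for k, v, _ in _entries(props_path) if k == key), None)


def set_property(props_path, key, value):
    """Step 5: set key=value, keeping comments and other keys. Returns the
    previous value (None if the key had to be appended)."""
    path = Path(props_path)
    previous, found, out = None, False, []
    for k, v, line in (_entries(path) if path.is_file() else []):
        if k == key:
            previous, found = v, True
            out.append(f"{key}={value}")
        else:
            out.append(line)
    if not found:
        out.append(f"{key}={value}")
    path.write_text("\n".join(out) + "\n", encoding="latin-1")
    return previous


def verify_fix(war_dir, backup_dir=None):
    """Return a list of problems; empty means steps 3 to 5 look complete.
    With backup_dir given, a package still byte-identical to its backup
    means step 4 (copying in the Fix Central files) was skipped."""
    war_dir, problems = Path(war_dir), []
    for name in PATCHED_FILES:
        current = war_dir / name
        if not current.is_file():
            problems.append(f"missing {name}")
            continue
        if backup_dir is not None:
            for bak in sorted(Path(backup_dir).glob(f"{name}.*.bak")):
                if filecmp.cmp(current, bak, shallow=False):
                    problems.append(f"{name} unchanged since backup (step 4 not done)")
                    break
    version = read_property(war_dir / PROPERTIES_FILE, "Softphone")
    if version != FIXED_SOFTPHONE_VERSION:
        problems.append(f"Softphone is {version!r}, expected {FIXED_SOFTPHONE_VERSION!r}")
    return problems


def run_demo():
    """Walk the steps on a constructed WAR layout in a temp dir; returns
    (problems_before, problems_with_step4_skipped, previous_version, problems_after)."""
    with tempfile.TemporaryDirectory() as tmp:
        war, bak = Path(tmp) / "stwebav.war", Path(tmp) / "backup"
        war.mkdir()
        for name in PATCHED_FILES:
            (war / name).write_bytes(b"original package")       # constructed
        (war / PROPERTIES_FILE).write_text(
            "# constructed sample\nSoftphone=8.5.2.1\nBuild=1\n", encoding="latin-1")
        before = verify_fix(war)
        backup_originals(war, bak)                              # step 3
        skipped_step4 = verify_fix(war, bak)
        for name in PATCHED_FILES:
            (war / name).write_bytes(b"fix central package")    # stands in for step 4
        previous = set_property(war / PROPERTIES_FILE, "Softphone", FIXED_SOFTPHONE_VERSION)
        return before, skipped_step4, previous, verify_fix(war, bak)
```

On a live host, point backup_originals and set_property at the stwebav.war path from step 2 and a backup directory outside the profile, then run verify_fix with that backup directory after copying the Fix Central files in; an empty list is the signal to proceed to the restart in step 6.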


Client side instructions:

Uninstalling the plugin

Follow the instructions that apply to your operating system and browser to 
uninstall the Sametime web audio-visual plugin.

Internet Explorer on Microsoft™ Windows™ 

 Internet Explorer 6: 
  1. Open Explorer and navigate to the folder %WINDIR%\Downloaded Program Files.
  2. Remove the entry “IBM Lotus® Sametime WebPlayer” Control.

 Internet Explorer 7 and 8: 
  1. Launch Internet Explorer and navigate to Tools -> Manage Add-ons.
  2. Select Show All Add-ons.
  3. Double-click IBM Lotus Sametime WebPlayer and click Remove.
  
Mozilla Firefox on Microsoft Windows and Mac OSX
  1. Launch Firefox and navigate to Tools -> Add-ons.
  2. Open the Extensions Tab
  3. Select IBM Lotus Sametime WebPlayer.
  4. Click Uninstall.

Clean up folders that are no longer needed:
 Windows XP: Delete the folders:
  %PROGRAMFILES%\IBM\Lotus\Sametime WebPlayer\ and %APPDATA%\IBM\Lotus\Sametime WebPlayer\.

 Windows 7: Delete the folder:
  %USERPROFILE%\AppData\LocalLow\IBM\Lotus\Sametime WebPlayer\.

 Mac OSX: Delete the folder:
  $HOME/Library/ApplicationSupport/IBM/Lotus/Sametime WebPlayer/.


After uninstall, click the Meeting Server URL and install the web AV plug-in 
and proceed with the call.

For more details refer to: "Installing and uninstalling the Sametime web 
audio-visual plugin automatically from a browser"

WORKAROUND(S) & MITIGATION(S)
None available. Please apply the fix.

REFERENCES

        CVE-2013-3986
        http://xforce.iss.net/xforce/xfdb/84969

RELATED INFORMATION

        Complete CVSS Guide
        CVSS Online Calculator V2
        IBM Product Security Incident Response Program
        IBM Secure Engineering Web Portal
        IBM Product Security Incident Response Blog

ACKNOWLEDGEMENT

The vulnerability was reported to IBM by Chris John Riley - R-IT CERT.

CHANGE HISTORY - 7 November 2013: Original Copy Published

*The CVSS Environment Score is customer environment specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of 
this vulnerability in their environments by accessing the links in the 
Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST), 
the Common Vulnerability Scoring System (CVSS) is an "industry open standard 
designed to convey vulnerability severity and help to determine urgency and 
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY 
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT 
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Copyright and trademark information

IBM, the IBM logo and ibm.com are trademarks of International Business 
Machines Corp., registered in many jurisdictions worldwide. Other product and 
service names might be trademarks of IBM or other companies. A current list of 
IBM trademarks is available on the Web at "Copyright and trademark 
information" at www.ibm.com/legal/copytrade.shtml.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----