Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2014.1429
Security Bulletin: Network Intrusion Prevention System is affected by curl
and php5 vulnerabilities (CVE-2013-2174, CVE-2014-0015, CVE-2014-0138,
CVE-2014-0139, CVE-2013-4248, CVE-2013-6420, CVE-2014-2497, CVE-2014-4049)
21 August 2014
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: IBM Security Network Intrusion Prevention System
Publisher: IBM
Operating System: Network Appliance
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Provide Misleading Information -- Remote/Unauthenticated
Unauthorised Access -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2014-4049 CVE-2014-2497 CVE-2014-0139
CVE-2014-0138 CVE-2014-0015 CVE-2013-6420
CVE-2013-4248 CVE-2013-2174
Reference: ASB-2014.0083
ESB-2014.1331
ESB-2014.1327
ESB-2014.1057
ESB-2014.1008
ESB-2014.0991
ESB-2014.0889
ESB-2014.0835
ESB-2014.0495
ESB-2014.0244
ESB-2014.0129
ESB-2013.1788
ESB-2013.1784
ESB-2013.1672
ESB-2013.1359
ESB-2013.1156
ESB-2013.0982
ESB-2013.0887
ESB-2013.0878
Original Bulletin:
http://www-01.ibm.com/support/docview.wss?uid=swg21680826
- --------------------------BEGIN INCLUDED TEXT--------------------
Security Bulletin: Network Intrusion Prevention System is affected by curl and
php5 vulnerabilities (CVE-2013-2174, CVE-2014-0015, CVE-2014-0138,
CVE-2014-0139, CVE-2013-4248, CVE-2013-6420, CVE-2014-2497, CVE-2014-4049)
Security Bulletin
Document information
More support for:
IBM Security Network Intrusion Prevention System
Software version:
4.3, 4.4, 4.5, 4.6, 4.6.1, 4.6.2
Operating system(s):
Firmware
Reference #:
1680826
Modified date:
2014-08-15
Summary
Security vulnerabilities have been discovered in curl and php5 that are used
in IBM Security Network Intrusion Prevention System.
Vulnerability Details
CVE-ID: CVE-2013-2174
DESCRIPTION: cURL/libcURL is vulnerable to a heap-based buffer overflow,
caused by improper bounds checking by the curl_easy_unescape() function in
lib/escape.c. While decoding URL encoded strings to raw binary data, a remote
attacker could overflow a buffer and execute arbitrary code on the system or
cause the application to crash.
Affected Versions: cURL and libcurl 7.7 through 7.30.0
CVSS:
CVSS Base Score: 6.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85180 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVE-ID: CVE-2014-0015
DESCRIPTION: libcURL could allow a remote attacker from within the local
network to bypass security restrictions, caused by the re-use of recently
authenticated connections. By sending a new NTLM-authenticated request, an
attacker could exploit this vulnerability to perform unauthorized actions with
the privileges of the victim.
Affected Versions: cURL and libcurl 7.10.6 through 7.34.0
CVSS:
CVSS Base Score: 5.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90841 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CVE-ID: CVE-2014-0138
DESCRIPTION: cURL/libcURL could allow a remote attacker to bypass security
restrictions, caused by the re-use of previously used connections when
processing new requests. An attacker could exploit this vulnerability to
hijack the privileges of a different user's session and launch further attacks
on the system.
Affected Versions: cURL and libcurl 7.10.6 before 7.36.0
CVSS:
CVSS Base Score: 6.4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92131 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:P)
CVE-ID: CVE-2014-0139
DESCRIPTION: cURL/libcURL could allow a remote attacker to bypass security
restrictions, caused by an error in the hostmatch() function when validating
certificates containing an IP address with a wildcard match within the Common
Name field. By sending a specially-crafted SSL certificate containing wildcard
characters, a remote attacker could exploit this vulnerability to spoof the
server and launch further attacks on the system.
Affected Versions: cURL and libcurl 7.1 before 7.36.0
CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92130 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVE-ID: CVE-2013-4248
DESCRIPTION: PHP could allow a remote attacker to conduct spoofing attacks,
caused by an error when handling certificates that contain hostnames with NULL
bytes. By persuading a victim to visit a Web site containing a
specially-crafted certificate, a remote attacker could exploit this
vulnerability using man-in-the-middle techniques to spoof SSL servers.
Affected Versions: OpenSSL module in PHP before 5.4.18 and 5.5.x before 5.5.2
CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/86429 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVE-ID: CVE-2013-6420
DESCRIPTION: PHP could allow a remote attacker to execute arbitrary code on
the system, caused by an error in the asn1_time_to_time_t() function when
parsing X.509 certificates. An attacker could exploit this vulnerability using
a specially-crafted X.509 certificate to corrupt memory and execute arbitrary
code on the system.
Affected Versions: PHP before 5.3.28, 5.4.x before 5.4.23, and 5.5.x before
5.5.7
CVSS:
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/89602 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVE-ID: CVE-2014-2497
DESCRIPTION: LibGD is vulnerable to a denial of service, caused by a NULL
pointer dereference in the gdImageCreateFromXpm function. A remote attacker
could exploit this vulnerability to cause the application to crash. Note: This
vulnerability also affects PHP.
Affected Versions: PHP 5.4.26 and earlier
CVSS:
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/91917 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVE-ID: CVE-2014-4049
DESCRIPTION: PHP is vulnerable to a heap-based buffer overflow, caused by
improper bounds checking by when parsing DNS TXT record. By sending an overly
long string, a remote attacker could overflow a buffer and execute arbitrary
code on the system or cause the application to crash.
Affected Versions: PHP 5.6.0beta4 and earlier
CVSS:
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93769 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Affected Products and Versions
Products: GX3002, GX4002, GX4004, GX4004-v2, GX5008, GX5008-v2, GX5108,
GX5108-v2, GX5208, GX5208-v2, GX6116, GX7412, GX7412-10, GX7412-05, GX7800,
GV200, GV1000
Firmware versions: 4.6.2, 4.6.1, 4.6, 4.5, 4.4, and 4.3
Remediation/Fixes
The following IBM Threat Fixpacks have the fixes for these vulnerabilities:
IBM Security Network Intrusion Prevention System products at Firmware
version 4.6.2
4.6.2.0-ISS-ProvG-AllModels-System-FP0001
IBM Security Network Intrusion Prevention System products at Firmware
version 4.6.1
4.6.1.0-ISS-ProvG-AllModels-System-FP0005
IBM Security Network Intrusion Prevention System products at Firmware
version 4.6
4.6.0.0-ISS-ProvG-AllModels-System-FP0003
IBM Security Network Intrusion Prevention System products at Firmware
version 4.5
4.5.0.0-ISS-ProvG-AllModels-System-FP0005
IBM Security Network Intrusion Prevention System products at Firmware
version 4.4
4.4.0.0-ISS-ProvG-AllModels-System-FP0005
IBM Security Network Intrusion Prevention System products at Firmware
version 4.3
4.3.0.0-ISS-ProvG-AllModels-System-FP0003
References
Complete CVSS Guide
On-line Calculator V2
Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin. Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBU/V7mBLndAQH1ShLAQLs2g//UxWE4Shl2yLCSKikuPQDKq2I0c1IR2SY
GIvvaWnmoxf2XtBES4EZjWB2jJqngpGlBlVu2rDkiFEd8kqsCUwWoXG2/0Fd9Nnn
K1rdQZM1wZxyPVrdH4Kdvcj2I/Z3Bfxk2yLJBmDyVAA0Pj+oDPnXQKiTezK2rpmA
njBNRQp1nqfsjQxD6tDDAjfGYfW4pEiqMfVSkJscyRxDSW3wkJNflbv9uEHPx6Ip
pYPfAHzcUP0AzVWJiDYXOEkkHf9jehvn9DhdkTnwOfiFnI7lXCev5GrYS93WTFS1
0f+Tv2ZY7k3RBm6oR79yiVQ/5qPE+RBJ7cZ3PksfmxBRP3u9mPuQmLu2obvQgn2q
F1ueIH7YcW42kr1/9lQE9mDl/SR+qC2tbfkHK1dLypTR7V0n0ddxF3nUJO73KPF3
3fBHMO5IiUG9L6RlfLXF/q+FKnpvvpf1sHgh56fj0U1Hg1rEhaNhhUdlvMHjWMfG
Wf6MudolkFs6L3ofGsTc03//3vNlMfky0baVwMDNpHLOsTErj1Q0taGyE4HO/lr2
/9jqCMOJNnk0mK0Z0eRsOcNVfLv5ZK/78vQ2TNFdZmXxdve/Bz/tHkr6B6tFqzmR
LMO3TEzIVkLP1qbPXM1p4vjXVZIPqhQY1PuWyPQ09n1+Y+tSDaDei75UIf2azq4d
zfZqMAtwWIk=
=JO0j
-----END PGP SIGNATURE-----