===========================================================================
AUSCERT External Security Bulletin Redistribution

ESB-2014.1429
Security Bulletin: Network Intrusion Prevention System is affected by
curl and php5 vulnerabilities (CVE-2013-2174, CVE-2014-0015,
CVE-2014-0138, CVE-2014-0139, CVE-2013-4248, CVE-2013-6420,
CVE-2014-2497, CVE-2014-4049)
21 August 2014
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           IBM Security Network Intrusion Prevention System
Publisher:         IBM
Operating System:  Network Appliance
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Provide Misleading Information  -- Remote/Unauthenticated
                   Unauthorised Access             -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-4049 CVE-2014-2497 CVE-2014-0139
                   CVE-2014-0138 CVE-2014-0015 CVE-2013-6420
                   CVE-2013-4248 CVE-2013-2174

Reference:         ASB-2014.0083
                   ESB-2014.1331
                   ESB-2014.1327
                   ESB-2014.1057
                   ESB-2014.1008
                   ESB-2014.0991
                   ESB-2014.0889
                   ESB-2014.0835
                   ESB-2014.0495
                   ESB-2014.0244
                   ESB-2014.0129
                   ESB-2013.1788
                   ESB-2013.1784
                   ESB-2013.1672
                   ESB-2013.1359
                   ESB-2013.1156
                   ESB-2013.0982
                   ESB-2013.0887
                   ESB-2013.0878

Original Bulletin:
   http://www-01.ibm.com/support/docview.wss?uid=swg21680826

--------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Network Intrusion Prevention System is affected by curl
and php5 vulnerabilities (CVE-2013-2174, CVE-2014-0015, CVE-2014-0138,
CVE-2014-0139, CVE-2013-4248, CVE-2013-6420, CVE-2014-2497, CVE-2014-4049)

Security Bulletin

Document information

More support for: IBM Security Network Intrusion Prevention System
Software version: 4.3, 4.4, 4.5, 4.6, 4.6.1, 4.6.2
Operating system(s): Firmware
Reference #: 1680826
Modified date: 2014-08-15

Summary

Security vulnerabilities have been discovered in curl and php5 that
are used in IBM Security Network Intrusion Prevention System.

Vulnerability Details

CVE-ID: CVE-2013-2174

DESCRIPTION: cURL/libcURL is vulnerable to a heap-based buffer overflow,
caused by improper bounds checking by the curl_easy_unescape() function in
lib/escape.c. While decoding URL encoded strings to raw binary data, a
remote attacker could overflow a buffer and execute arbitrary code on the
system or cause the application to crash.

Affected Versions: cURL and libcurl 7.7 through 7.30.0

CVSS:
CVSS Base Score: 6.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85180 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVE-ID: CVE-2014-0015

DESCRIPTION: libcURL could allow a remote attacker from within the local
network to bypass security restrictions, caused by the re-use of recently
authenticated connections. By sending a new NTLM-authenticated request, an
attacker could exploit this vulnerability to perform unauthorized actions
with the privileges of the victim.

Affected Versions: cURL and libcurl 7.10.6 through 7.34.0

CVSS:
CVSS Base Score: 5.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90841 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVE-ID: CVE-2014-0138

DESCRIPTION: cURL/libcURL could allow a remote attacker to bypass security
restrictions, caused by the re-use of previously used connections when
processing new requests. An attacker could exploit this vulnerability to
hijack the privileges of a different user's session and launch further
attacks on the system.

Affected Versions: cURL and libcurl 7.10.6 before 7.36.0

CVSS:
CVSS Base Score: 6.4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92131 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:P)

CVE-ID: CVE-2014-0139

DESCRIPTION: cURL/libcURL could allow a remote attacker to bypass security
restrictions, caused by an error in the hostmatch() function when
validating certificates containing an IP address with a wildcard match
within the Common Name field. By sending a specially-crafted SSL
certificate containing wildcard characters, a remote attacker could exploit
this vulnerability to spoof the server and launch further attacks on the
system.

Affected Versions: cURL and libcurl 7.1 before 7.36.0

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92130 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVE-ID: CVE-2013-4248

DESCRIPTION: PHP could allow a remote attacker to conduct spoofing attacks,
caused by an error when handling certificates that contain hostnames with
NULL bytes. By persuading a victim to visit a Web site containing a
specially-crafted certificate, a remote attacker could exploit this
vulnerability using man-in-the-middle techniques to spoof SSL servers.

Affected Versions: OpenSSL module in PHP before 5.4.18 and 5.5.x before
5.5.2

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/86429 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVE-ID: CVE-2013-6420

DESCRIPTION: PHP could allow a remote attacker to execute arbitrary code on
the system, caused by an error in the asn1_time_to_time_t() function when
parsing X.509 certificates. An attacker could exploit this vulnerability
using a specially-crafted X.509 certificate to corrupt memory and execute
arbitrary code on the system.

Affected Versions: PHP before 5.3.28, 5.4.x before 5.4.23, and 5.5.x before
5.5.7

CVSS:
CVSS Base Score: 9.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/89602 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVE-ID: CVE-2014-2497

DESCRIPTION: LibGD is vulnerable to a denial of service, caused by a NULL
pointer dereference in the gdImageCreateFromXpm function. A remote attacker
could exploit this vulnerability to cause the application to crash.
Note: This vulnerability also affects PHP.

Affected Versions: PHP 5.4.26 and earlier

CVSS:
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/91917 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE-ID: CVE-2014-4049

DESCRIPTION: PHP is vulnerable to a heap-based buffer overflow, caused by
improper bounds checking when parsing a DNS TXT record. By sending an
overly long string, a remote attacker could overflow a buffer and execute
arbitrary code on the system or cause the application to crash.

Affected Versions: PHP 5.6.0beta4 and earlier

CVSS:
CVSS Base Score: 7.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/93769 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Affected Products and Versions

Products: GX3002, GX4002, GX4004, GX4004-v2, GX5008, GX5008-v2, GX5108,
GX5108-v2, GX5208, GX5208-v2, GX6116, GX7412, GX7412-10, GX7412-05, GX7800,
GV200, GV1000

Firmware versions: 4.6.2, 4.6.1, 4.6, 4.5, 4.4, and 4.3

Remediation/Fixes

The following IBM Threat Fixpacks have the fixes for these vulnerabilities:

IBM Security Network Intrusion Prevention System products at Firmware
version 4.6.2
    4.6.2.0-ISS-ProvG-AllModels-System-FP0001

IBM Security Network Intrusion Prevention System products at Firmware
version 4.6.1
    4.6.1.0-ISS-ProvG-AllModels-System-FP0005

IBM Security Network Intrusion Prevention System products at Firmware
version 4.6
    4.6.0.0-ISS-ProvG-AllModels-System-FP0003

IBM Security Network Intrusion Prevention System products at Firmware
version 4.5
    4.5.0.0-ISS-ProvG-AllModels-System-FP0005

IBM Security Network Intrusion Prevention System products at Firmware
version 4.4
    4.4.0.0-ISS-ProvG-AllModels-System-FP0005

IBM Security Network Intrusion Prevention System products at Firmware
version 4.3
    4.3.0.0-ISS-ProvG-AllModels-System-FP0003

References

Complete CVSS Guide
On-line Calculator V2

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT
WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR
ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.
If you have any questions or need further information, please contact
them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
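Two entries in the bulletin above, CVE-2014-0139 (wildcard matched against an IP address) and CVE-2013-4248 (hostnames containing NULL bytes), are failures of certificate name checking. The Python below is an added example of a name comparison that rejects both cases; it is not curl's or PHP's code, the function names are illustrative, and it assumes the caller passes one raw name from the certificate at a time.

```python
import ipaddress

def is_ip_literal(host):
    """True if host is an IPv4 or IPv6 address rather than a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def cert_name_matches(cert_name: bytes, host: str) -> bool:
    """Compare one raw certificate name against the host being contacted."""
    # CVE-2013-4248 class: an embedded NUL makes a C-string consumer see a
    # truncated name, so reject it before any decoding or comparison.
    if b"\x00" in cert_name:
        return False
    try:
        pattern = cert_name.decode("ascii").lower().rstrip(".")
    except UnicodeDecodeError:
        return False
    host = host.lower().rstrip(".")
    if not pattern or not host:
        return False
    # CVE-2014-0139 class: an IP address may only match exactly, never
    # through a wildcard.
    if is_ip_literal(host):
        return pattern == host
    if "*" not in pattern:
        return pattern == host
    p_labels, h_labels = pattern.split("."), host.split(".")
    # Accept a wildcard only as the whole leftmost label of a name with at
    # least three labels, so "*.com" and "w*.example.com" are refused.
    if p_labels[0] != "*" or "*" in "".join(p_labels[1:]) or len(p_labels) < 3:
        return False
    # The wildcard stands for exactly one non-empty label.
    return (len(h_labels) == len(p_labels) and h_labels[0] != ""
            and h_labels[1:] == p_labels[1:])

if __name__ == "__main__":
    # Constructed sample names, not taken from any real certificate.
    for name, host in [(b"*.example.com", "www.example.com"),
                       (b"*.168.0.1", "192.168.0.1"),
                       (b"www.example.com\x00.attacker.invalid", "www.example.com")]:
        print(name, host, cert_name_matches(name, host))
```
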