McAfee Foundstone Update

2006-NOV-14
MCAFEE FOUNDSTONE FSL UPDATE
To better protect your environment McAfee has created this FSL check update for the Foundstone
Product Suite. The following is a detailed summary of the new and updated checks included with this
release.

NEW CHECKS

4736 - Microsoft Kernel GDI Remap Vulnerability

Category: Windows Host Assessment -> Patches and Hotfixes
(CATEGORY REQUIRES CREDENTIALS)
Risk Level: High
Check Version: 1.1726
CVE: CVE-2006-5758

Description
A vulnerability is present in the Microsoft Windows Kernel that may allow for a privilege escalation
attack.

Observation
Microsoft Windows is an industry standard operating system. The Windows Kernel provides service
and driver support for applications running on the Windows operating system.

A vulnerability exists in the Windows Kernel that could allow a local attacker the ability to cause a
denial of service or execute arbitrary code. The local privilege escalation vulnerability is due to errors
in Kernel shared memory that could allow GDI object processes the ability to remap from read only to
writable. Successful exploitation could lead to complete compromise of the host.

4738 - (MS06-066) Microsoft Client Service for Netware Memory Corruption Vulnerability
(923980)

Risk Level: High
CVE: CVE-2006-4688

Description
A vulnerability exists in Microsoft Client Service for Netware that may allow for arbitrary code
execution.

Observation
Microsoft Client Services for Netware allows for communication with Netware network resources.

A vulnerability exists in Microsoft Client Service for Netware that may allow for code execution on a
vulnerable host. The flaw is due to an unchecked buffer within the client service. Successful
exploitation would necessitate that the attacker was authenticated with local access to the network.

4745 - (MS06-070) Microsoft Workstation Service Memory Corruption Vulnerability (924270)
Risk Level: High
CVE: CVE-2006-4691

Description
A vulnerability exists in Microsoft Windows that may allow for remote-code-execution attacks.

Observation
Microsoft Windows in an industry-standard operating system. The Workstation service locates and
routes remote access requests to the local filesystem or networking components.

A buffer-overflow vulnerability exists in Microsoft Windows that may allow for remote-code-execution
attacks. To exploit the vulnerability, a remote attacker would send a specially-crafted message to the
Workstation service. A successful attack would give the attacker full control of the vulnerable machine.

4734 - Cisco IOS Embedded Call Processing Solutions DoS Vulnerability
Category: General Vulnerability Assessment -> NonIntrusive -> Network
Risk Level: Medium

Description

A Denial-of-Service vulnerability exists in Cisco IOS which support ITS, CME or SRST.

Observation
Cisco's IOS Telephony Service (ITS), Cisco CallManager Express (CME) and Cisco's Survivable
Remote Site Telephony (SRST) are use to control IP Phones by using the Skinny Call Control
Protocol (SCCP).

Cisco IOS is vulnerable with these features enabled, and the device will be reloaded when processing
malformed SCCP packets. Repeated exploitation may cause a Denial-of-Service attack.

Vulnerable systems:

Cisco IOS 12.1Y base trains
Cisco IOS 12.2 - 12.3

For more information see:

Cisco Security Advisory:

http://www.cisco.com/warp/public/707/cisco-sa-20050119-itscme.shtml

4735 - Cisco IOS Malformed OSPF Packet Causes Reload Vulnerability
Category: General Vulnerability Assessment -> NonIntrusive -> Network
Risk Level: Medium

Description
A Denial-of-Service vulnerability is existed in Cisco IOS with OSPF protocol support enabled.

Observation
Open Shortest Path First (OSPF) routing protocol is used to manage IP routing inside an Autonomous
System (AS).

When processing malformed OSPF packets, the system will reload and freeze for some minutes.
Repeated exploitation will cause Denial-of-Service attack. Use OSPF Authentication can reduce the
attack influence.

Vulnerable systems:

Cisco IOS 12.0S, 12.2, 12.3 release trains

For more information see:

Cisco Security Advisory:

http://www.cisco.com/warp/public/707/cisco-sa-20040818-ospf.shtml

4731 - Mozilla Suite Multiple Vulnerabilities
Category: Windows Host Assessment -> Miscellaneous
Risk Level: Medium
CVE: CVE-2006-5464

Description
The Mozilla Foundation released version 1.5.0.8 of both their popular Firefox web browser and
Thunderbird email clients today, and version 1.0.6 of Seamonkey. These versions address some
security issues covered in MFSA2006-65, MFSA2006-66 and MFSA2006-67.

Observation
If you have not already upgraded to the new Firefox 2.0 web browser, you should be sure to update to
Firefox 1.5.0.8.

MFSA2006-65
MFSA2006-66
MFSA2006-67

Risk Level: Medium
CVE: CVE-2006-5464

Description

Observation

Firefox 1.5.0.8.

MFSA2006-65
MFSA2006-66
MFSA2006-67

Risk Level: Medium
CVE: CVE-2006-5464

Description

Observation
Firefox 1.5.0.8.

MFSA2006-65
MFSA2006-66
MFSA2006-67

4740 - (MS06-068) Microsoft Agent Memory Corruption Vulnerability (920213)
Risk Level: Medium
CVE: CVE-2006-3445

Description
A vulnerability exists in Microsoft Windows that may allow for remote-code-execution attacks.

Observation

Microsoft Windows in an industry-standard operating system.

A vulnerability exists in Microsoft Windows that may allow for remote-code-execution attacks. The
vulnerability lies in the way Microsoft Agent handles ACF files. A malicious, specially-crafted ACF file
could corrupt system memory. A user would have to visit a malicious website or open an HTML email
for an attack to be successful.

4663 - (MS06-067) Microsoft DirectAnimation ActiveX Controls Memory Corruption
Vulnerability II (922760)
Risk Level: Medium
CVE: CVE-2006-4446

Description
A vulnerability exists in a Microsoft Internet Explorer that may allow for arbitrary code execution or a
denial of service attack.

Observation
Microsoft Internet Explorer is an industry standard web browser.

Microsoft Internet Explorer contains a flaw when processing a specially crafted COM object. The flaw
lies specifically in processing of daxctle.ocx objects that contain 0xffffffff as the beginning parameter.
The resulting heap overflow could allow for a remote denial of service or arbitrary code execution.

4664 - (MS06-067) Microsoft HTML Rendering Memory Corruption Vulnerability (922760)
Risk Level: Medium
CVE: CVE-2006-4687

Description
A vulnerability is present in Microsoft Internet Explorer that may allow for arbitrary code execution.

Observation

Microsoft Internet Explorer is an industry standard web browser.

A vulnerability exists in Internet Explorer that may allow for the remote execution of arbitrary code.
The flaw lies in processing of malicious HTML in crafted layout combinations. Code execution is at
the rights level of the victim's user account rights level. Successful exploitation can be accomplished
by coercing a victim to a website hosting the malicious document or through an email attachment
containing it.

4741 - (MS060-069) Microsoft Excel Macromedia Flash ActiveX Object Code Execution
(923789)
Risk Level: Medium
CVE: CVE-2006-3014

Description
A vulnerability in the Microsoft Windows XP SP2 supplied Macromedia Flash Player could allow for
arbitrary code execution.

Observation
Microsoft Windows XP SP2 includes a distribution of the Macromedia Flash player that allows
dynamic web content to be displayed.

A vulnerability exists in this distribution of Macromedia Flash player that may allow for arbitrary code
execution. This could successfully be exploited remotely when visiting a malicious website or opening
an email attachment. The flaw is due to processing a specially crafted Excel document with an
embedded ActiveX Shockwave object.

4742 - (MS060-069) Microsoft Macromedia Flash Player Long String SWF Buffer Overflow
(923789)
Risk Level: Medium
CVE: CVE-2006-3311

Description

Observation

an email attachment. The flaw is due to processing a specially crafted SWF movie with an unusually
long string within it.

4743 - (MS060-069) Microsoft Macromedia Flash Player Malformed SWF Improper Memory
Access (923789)
Risk Level: Medium
CVE: CVE-2006-3587

Description

Observation

an email attachment. The memory access flaw is due to processing a specially crafted SWF file.

4744 - (MS060-069) Microsoft Macromedia Flash Player Compressed SWF Denial of Service
(923789)
Risk Level: Medium
CVE: CVE-2006-3588

Description
A vulnerability in the Microsoft Windows XP SP2 supplied Macromedia Flash Player could allow for a
denial of service attack.

Observation

A vulnerability exists in this distribution of Macromedia Flash player that may allow for a denial of
service attack. This could successfully be exploited remotely when visiting a malicious website or
opening an email attachment. The flaw is due to processing a specially crafted compressed SWF file.

4737 - (MS060-069) Microsoft Macromedia Flash Player Unspecified allowScriptAccess
Bypass (923789)
Risk Level: Medium
CVE: CVE-2006-4640

Description
A vulnerability in the Microsoft Windows XP SP2 supplied Macromedia Flash Player could allow for a
security bypass.

Observation

A vulnerability exists in this distribution of Macromedia Flash player that may allow for a security
bypass. This could successfully be exploited remotely when visiting a malicious website or opening
an email attachment. The flaw lies in the ability to bypass the allowScriptAccess control.

4739 - (MS06-066) Microsoft Windows Netware Driver Denial of Service Vulnerability (923980)
Risk Level: Medium
CVE: CVE-2006-4689

Description
A vulnerability exists in Microsoft Client Service for Netware that may allow for a denial of service
attack.

Observation
Microsoft Client Services for Netware allows for communication with Netware network resources.

A vulnerability exists in Microsoft Client Service for Netware that may allow for a denial of service
attack. The flaw is due to an unchecked buffer within the client service. Successful exploitation would
necessitate that the attacker was authenticated with local access to the network.

ENHANCED CHECKS
The following checks have been updated. Enhancements may include optimizations, changes that
reflect new information on a vulnerability and anything else that improves upon an existing FSL check.

4612 - Mozilla Firefox 1.5.0.7 fixed multiple vulnerabilities
Risk Level: High
CVE: CVE-2006-4253

4613 - Mozilla Thunderbird 1.5.0.7 fixed multiple vulnerabilities
Risk Level: High
CVE: CVE-2006-4253

4729 - (MS06-071) Microsoft XML Core Services Remote Code Execution Vulnerability
(928088)
Risk Level: High
CVE: CVE-2006-5745

4616 - (MS06-067) Microsoft DirectAnimation ActiveX Controls Memory Corruption
Vulnerability I (922760)

Risk Level: High
CVE: CVE-2006-4777

3915 - Apache SSLVerifyClient Bypass Restrictions
Category: General Vulnerability Assessment -> NonIntrusive -> Web
Risk Level: Medium
CVE: CVE-2005-2700

3916 - Apache HTTP Request Smuggling
Risk Level: Medium
CVE: CVE-2005-2088

1249 - Apache Scoreboard Memory Segment Overwriting Denial-of-Service
Risk Level: Medium
CVE: CVE-2002-0839
ARMY IAVA: 2002-A-0008

2168 - Apache mod_ssl Wildcard DNS Cross-Site Scripting

Risk Level: Low
CVE: CVE-2002-1157

2976 - OpenSSL Klima-Pokorny-Rosa Attack

Risk Level: Low
CVE: CVE-2003-0131

1849 - Microsoft Windows Maximum Application Log Size Policy Enumeration
Category: Windows Host Assessment -> Security Policy/Options
Risk Level: Low

1850 - Microsoft Windows Maximum Security Log Size Policy Enumeration
Risk Level: Low

1851 - Microsoft Windows Maximum System Log Size Policy Enumeration
Risk Level: Low

70002 - http-helpers.fasl3.inc
Category: General Vulnerability Assessment -> NonIntrusive -> Invalid Category
Risk Level: Informational

70014 - netbios-helpers.fasl3.inc
Category: General Vulnerability Assessment -> NonIntrusive -> Invalid Category

4024 - Microsoft Windows Directory Service Access Audit Policy


HOW TO UPDATE
FS1000 APPLIANCE customers should follow the instructions for Enterprise/Professional customers,
below. In addition, we strongly urge all appliance customers to authorize and install any Windows
Update critical patches. The appliance will auto-download any critical updates but will wait for your
explicit authorization before installing.

FOUNDSTONE ENTERPRISE and PROFESSIONAL customers may obtain these new scripts using
the FSUpdate Utility by selecting "FoundScan Update" on the help menu. Make sure that you have a
valid FSUpdate username and password. The new vulnerability scripts will be automatically included
in your scans if you have selected that option by right-clicking the selected vulnerability category and
checking the "Run New Checks" checkbox.

MANAGED SERVICE CUSTOMERS already have the newest update applied to their environment.
The new vulnerability scripts will be automatically included when your scans are next scheduled,
provided the Run New Scripts option has been turned on.

MCAFEE TECHNICAL SUPPORT
PrimeSupport ServicePortal: https://mysupport.nai.com/login.asp
Multi-National Phone Support available here:
http://www.mcafeesecurity.com/us/contact/home.htm
PGP Key: http://www.foundstone.com/pgpkeys/techsupport.asc

This email may contain confidential and privileged material for the sole use of the intended recipient.
Any review or distribution by others is strictly prohibited. If you are not the intended recipient please
contact the sender and delete all copies.

Copyright 2004-2007 McAfee, Inc.
McAfee is a registered trademark of McAfee, Inc. and/or its affiliates.

McAfee Foundstone Update

More Related Content

What's hot

Viewers also liked

Similar to McAfee Foundstone Update

More from webhostingguy

McAfee Foundstone Update