Red Hat Enterprise Linux 5 Information Assurance Vulnerabilities

Version: 1

Release: 3

26 Apr 2013



_____________________________________________________________
Group ID (Vulid): V-5751
Group Title: 1999-0003
Rule ID: SV-5751r1_rule
Severity: CAT I
Rule Version (STIG-ID): 1999-0003
Rule Title: Remote FTP Vulnerability


Vulnerability Discussion: Refer to the NetDefense website

Responsibility: System Administrator
IAControls: VIVM-1

Check Content: 
To determine the version of ftpd, issue the following command:

# strings /usr/sbin/in.ftpd | grep -i version

The version must be 2.6.0, or later, or this is a finding.


Fix Text: Apply fix as specified on the JTF-GNO NETDefense web site (www.cert.mil)
  _____________________________________________________________

Group ID (Vulid): V-5753
Group Title: 1999-A-0006
Rule ID: SV-5753r1_rule
Severity: CAT I
Rule Version (STIG-ID): 1999-A-0006
Rule Title: Statd and Automountd Vulnerabilities


Vulnerability Discussion: Refer to the NetDefense website

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Fix Text: Apply fix as specified on the JTF-GNO NETDefense web site (www.cert.mil)
  _____________________________________________________________

Group ID (Vulid): V-5777
Group Title: 2000-A-0001
Rule ID: SV-5777r1_rule
Severity: CAT I
Rule Version (STIG-ID): 2000-A-0001
Rule Title: Cross-Site Scripting Vulnerability


Vulnerability Discussion: Refer to the NetDefense website

Responsibility: System Administrator
IAControls: VIVM-1

Check Content: 
Windows 2000 - Verify that Windows 2000 Service Pack 2 or greater has been installed:
(Using START -> Run, execute “winver.exe”.)

Check Content: 
Windows XP - Verify that ISM.DLL is at version 5.0.2195.2363

Check Content: 
Cisco - Cisco PIX running versions up to and including 4.2(5), 4.4(4), 5.0(3), and 5.1(1) that provide access to FTP services.


Check Content: 
UNIX - If a web browser is installed, view the advanced options and ensure that any scripting, such as JavaScript, is disabled. Web server software such as Apache and the Sun Java web server, and the associated web pages, should be reviewed by the web server administrator and web site developers for dynamic content that may become vulnerable to malicious scripting.

Fix Text: Apply fix as specified on the JTF-GNO NETDefense web site (www.cert.mil)
Fix Text: 4.4(4.201), 5.1(0.210), 5.0(3.201), 4.4(4.202), 5.1(1.208)
If you permit internal clients to make arbitrary FTP connections outbound, you may be vulnerable to this IAVA. See the Cisco Advisory "Cisco Secure PIX Firewall FTP Vulnerabilities"; Reference: CERT Advisory CA-2000-02
  _____________________________________________________________

Group ID (Vulid): V-5780
Group Title: 2000-B-0001
Rule ID: SV-5780r1_rule
Severity: CAT I
Rule Version (STIG-ID): 2000-B-0001
Rule Title: Bind NXT Buffer Overflow


Vulnerability Discussion: Refer to the NetDefense website

Responsibility: System Administrator
IAControls: VIVM-1

Check Content: 
Not applicable to CISCO IOS, CATOS, PIX, SN5420 - request sent to JTF to have removed in VMS


Check Content: 
After determining the binary is not a trojan, perform the following as a non-privileged user to determine the version of BIND.
      # named -v
Or
      # /usr/sbin/named -v

If the version of BIND is not greater than 8.2.1, this is a finding.


Fix Text: Apply fix as specified on the JTF-GNO NETDefense web site (www.cert.mil)
Fix Text: Downgraded
Fix Text: Not applicable to CISCO IOS, CATOS, PIX, SN5420 - request sent to JTF to have removed in VMS
  _____________________________________________________________

Group ID (Vulid): V-5782
Group Title: 2000-B-0003
Rule ID: SV-5782r1_rule
Severity: CAT I
Rule Version (STIG-ID): 2000-B-0003
Rule Title: Multiple Buffer Overflows in Kerberos Authenticated Services


Vulnerability Discussion: Refer to the NetDefense website

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
Use the command:
      # find /etc -name krb5.conf

to look for the presence of a Kerberos 5 configuration file on the system. If the file is found, look for the presence of the default domain and v4_instance_convert configuration variables in the [realms] section of the file. If these two variables are present and configured then this is a finding as Kerberos is working in Version IV compatibility mode. If /etc/krb4.conf exists this is also a finding without the applied patches. Upgrade to version 5-1.0.X and apply the patch provided by MIT. Only the patches for the krb_rd_req() vulnerability need to be applied to version 4 to address the issues described in this advisory.


Check Content: 
Not applicable to CISCO IOS, CATOS, PIX, SN5420 - request sent to JTF to have removed in VMS


Fix Text: Apply fix as specified on the JTF-GNO NETDefense web site (www.cert.mil)
Fix Text: Disable
Fix Text: Not applicable to CISCO IOS, CATOS, PIX, SN5420 - request sent to JTF to have removed in VMS

Fix Text: (Manual) Obtain the latest Kerberos distribution from the Kerberos information site at http://web.mit.edu/network/kerberos-form.html.

  _____________________________________________________________

Group ID (Vulid): V-5784
Group Title: 2000-B-0005
Rule ID: SV-5784r1_rule
Severity: CAT I
Rule Version (STIG-ID): 2000-B-0005
Rule Title: Input Validation Problem in rpc.statd


Vulnerability Discussion: Refer to the NetDefense website

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 

Perform procedures in Appendix F, Patch Control, to check for the following patches:

Debian                   nfs-common_0.1.9.1-1.deb

Redhat                   nfs-utils-0.1.9.1-1.i386.rpm


Fix Text: Apply fix as specified on the JTF-GNO NETDefense web site (www.cert.mil)
Fix Text: (Manual) Affected Systems: Redhat Linux systems running the rpc.statd service. Do one or more of the following:
(1) Install the appropriate vendor patches;
(2) Upgrade to the newest version of rpc.statd (OS dependent);
(3) Disable the rpc.statd daemon. Proceed with caution--disabling this process will interfere with NFS file sharing functions.
(4) Block unneeded ports at your firewall. This will not remedy the rpc.statd vulnerability but prevents outsiders from exploiting it. Recommend blocking port 111 and the port that rpc.statd is running on, which varies by OS.
Vendor patch information is provided below in the attached CERT/CC advisory. If neither an upgrade nor a patch can be applied, the DOD CERT recommends disabling all vulnerable rpc.statd services. While disabling rpc.statd functionality or blocking the associated ports minimizes exposure to the vulnerability, neither is a complete solution and may not mitigate the risks involved with exposure to the rpc.statd vulnerability. An intruder or untrained user could re-enable the rpc.statd daemon later. Maintain contact with your Linux vendor and update patches as required. Adequate defense in depth strategies will mitigate risk further--block port 111 with a router or firewall in addition to patching vulnerable systems. Monitor port 111 network traffic very closely. Add host monitoring software on critical systems. Report unusual activity through your CND Service Provider.
Affected Operating Systems and Patch Information:
Debian: http://www.debian.org/security/2000/20000719a
RedHat: http://www.redhat.com/support/errata/RHSA-2000-043-03.html
  _____________________________________________________________

Group ID (Vulid): V-5791
Group Title: 2000-T-0006
Rule ID: SV-5791r1_rule
Severity: CAT II
Rule Version (STIG-ID): 2000-T-0006
Rule Title: Frame Domain Verification, Unauthorized Cookie Access and Malformed Component Attribute Vulnerabilities


Vulnerability Discussion: Refer to the NetDefense website

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
Check that IE has been upgraded to IE v 6.0, SP1

Check Content: 
Ensure that IE v5.5, SP2 has been applied by checking in the IE Help-About function.

Fix Text: Apply fix as specified on the JTF-GNO NETDefense web site (www.cert.mil)
  _____________________________________________________________

Group ID (Vulid): V-5799
Group Title: 2001-A-0001
Rule ID: SV-5799r1_rule
Severity: CAT I
Rule Version (STIG-ID): 2001-A-0001
Rule Title: Multiple Vulnerabilities in BIND


Vulnerability Discussion: Refer to the NetDefense website

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
To examine the version number of named perform the following command:
      # find / -name named
      # find / -name in.named

After determining the binary is not a trojan, perform the following as a non-privileged user:
      # what in.named/named | grep -i version
      # strings in.named/named | grep -i version
      # named -v
      # named -d0

Users of BIND 4.9.x or 8.2.2 must upgrade to BIND 8.2.3 or later, or BIND 9.1 or later.
Because BIND 4 is no longer actively maintained, users must upgrade to either BIND 8.2.3 or later, or BIND 9.1 or later


Check Content: 
Upgrade to ISC BIND version 8.2.3
ftp://ftp.isc.org/isc/bind/src/


Check Content: 
Not applicable to CISCO IOS, CATOS, PIX, SN5420 - request sent to JTF to have removed in VMS


Fix Text: Apply fix as specified on the JTF-GNO NETDefense web site (www.cert.mil)
Fix Text: -       Upgrade to, at the least, the required software release or remove the binary/application to remediate this finding.
-       Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding, for example a CAT I finding may be downgraded to a CAT II.

Fix Text: Not applicable to CISCO IOS, CATOS, PIX, SN5420 - request sent to JTF to have removed in VMS
  _____________________________________________________________

Group ID (Vulid): V-5803
Group Title: 2001-A-0007
Rule ID: SV-5803r1_rule
Severity: CAT I
Rule Version (STIG-ID): 2001-A-0007
Rule Title: iPlanet Web Servers Expose Sensitive Data via Buffer Overflow.


Vulnerability Discussion: Refer to the NetDefense website

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
Use the following steps to determine the version number:

1. Navigate to the following directory:
server-root/bin/https/bin

2. After determining the binary is not a trojan, run the ns-httpd program as a non-privileged user with the "-v" parameter.
      # ./ns-httpd -v


Check Content: 
Ensure the iPlanet Web Server has been upgraded to version 4.1sp7 or later.

Fix Text: Apply fix as specified on the JTF-GNO NETDefense web site (www.cert.mil)
Fix Text: -       Upgrade to, at the least, the required software release or remove the binary/application to remediate this finding.
-       Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding, for example a CAT I finding may be downgraded to a CAT II.
  _____________________________________________________________

Group ID (Vulid): V-5804
Group Title: 2001-A-0009
Rule ID: SV-5804r1_rule
Severity: CAT I
Rule Version (STIG-ID): 2001-A-0009
Rule Title: Gauntlet Firewall for Unix and WebShield CSMAP and smap/smapd Buffer Overflow Vulnerability


Vulnerability Discussion: Refer to the NetDefense website

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Fix Text: Apply fix as specified on the JTF-GNO NETDefense web site (www.cert.mil)
  _____________________________________________________________

Group ID (Vulid): V-5805
Group Title: 2001-A-0011
Rule ID: SV-5805r1_rule
Severity: CAT I
Rule Version (STIG-ID): 2001-A-0011
Rule Title: Format String Vulnerability in CDE ToolTalk


Vulnerability Discussion: Refer to the NetDefense website

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
Perform procedures in Appendix F, Patch Control, to check if the following patches or package versions have been loaded:

Solaris    2.5.1            104489-15
Solaris    2.5.1_x86        105496-12
Solaris    2.6              105802-19
Solaris    2.6x86           105803-21
Solaris    2.7              107893-21
Solaris    2.7x86           107894-20
Solaris    2.8              110286-14
Solaris    2.8x86           110287-14

HP-UX      10.10            PHSS_26488
HP-UX      10.20            PHSS_29201
HP-UX      10.24            PHSS_29201
HP-UX      10.30            PHSS_16151
HP-UX      11.00            PHSS_32539
HP-UX      11.11            PHSS_33325

IRIX       6.5 and above    SG0004416

AIX        4.3              IY24387
AIX        5.1              IY23846


Fix Text: Apply fix as specified on the JTF-GNO NETDefense web site (www.cert.mil)
Fix Text: (Manual) The following information is for IAVA 2001-A-0011 down to the line of asterisks. Apply the Sun Patches listed below (no other vendor has yet submitted patch information):

SunOS SYSTEM     PATCHID
SunOS 5.8        110284-04
5.8_x86          110287-04
5.7              107893-15
5.7_x86          107894-14
5.6              105802-16
5.6_x86          105803-18
5.5.1            104489-14
5.5.1_x86        105496-12
5.5              104428-12
5.5_x86          105495-10

End of latest information for Sun.
******************************************************
The following vendors have supplied patch information for CA-98-08a:

Vendor             OS Version                        Patch ID
Sun                Solaris 2.5                       104428-07
                   Solaris 2.5_x86                   105495-05
                   Solaris 2.5.1                     104489-08
                   Solaris 2.5.1_x86                 105496-06
                   Solaris 2.6                       105802-07
                   Solaris 2.6x86                    105803-09
Silicon Graphics   SGI 5.3                           3510
                   SGI 6.2 - 6.5.2                   3511
                   SGI 6.5.3                         Not Vulnerable
Hewlett Packard    All for the HP 9000 Series 7/800
                   HP-UX 10.10                       PHSS_16150
                   HP-UX 10.20                       PHSS_16147
                   HP-UX 10.24                       PHSS_16197
                   HP-UX 10.30                       PHSS_16151
                   HP-UX 11.0                        PHSS_16148
IBM                AIX APAR 4.1.X                    IX81440
                   APAR 4.2.X                        IX81441
                   APAR 4.3.X                        IX81442
TriTeal            Upgrade to TED 4.4
Xi Graphics        ftp://ftp.xig.com/pub/updates/cde/1.2.3/C1203.002.tar.gz
                   ftp://ftp.xig.com/pub/updates/cde/1.2.3/C1203.002.txt
                   Users of Maximum CDE v1.2.3 are urged to install this update.
  _____________________________________________________________

Group ID (Vulid): V-5807
Group Title: 2001-A-0013
Rule ID: SV-5807r1_rule
Severity: CAT I
Rule Version (STIG-ID): 2001-A-0013
Rule Title: SSH CRC32 Remote Integer Overflow Vulnerability


Vulnerability Discussion: Refer to the NetDefense website

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
To get the version, perform the following command(s):

      # telnet localhost 22
Or
      # strings (ssh or sshd) | grep -i version
Or, after determining the binary is not a trojan, perform the following as a non-privileged user:
      # ssh -V

-       OpenSSH 3.4 (required by IAVA0080)
-       SSH Communications Security SSH       3.0.1 (required by IAVA0125)
-       SOLARIS 9 Integrated OpenSSH                   113273-11
-       SOLARIS 9_x86 Integrated OpenSSH       114858-08


Fix Text: Apply fix as specified on the JTF-GNO NETDefense web site (www.cert.mil)
  _____________________________________________________________

Group ID (Vulid): V-5811
Group Title: 2001-B-0003
Rule ID: SV-5811r1_rule
Severity: CAT I
Rule Version (STIG-ID): 2001-B-0003
Rule Title: %U Encoding Intrusion Detection System Bypass Vulnerability


Vulnerability Discussion: Refer to the NetDefense website

Responsibility: System Administrator
IAControls: VIVM-1

Check Content: 
Verify that RealSecure X-Press update (XPU) 3.2 has been installed on Network Sensor.

For Server Sensor 5.5, ensure that RealSecure X-Press update (XPU) 3.2 has been installed.

For Server Sensor 6.0, ensure that version 6.0.1 or later has been installed.

Check Content: 
Cisco Secure Intrusion Detection System, formerly known as NetRanger, Sensor component & Cisco Catalyst 6000 Intrusion Detection System Module


Check Content: 
To determine the version of snort, after determining the binary is not a trojan, issue the following command as a non-privileged user:

# snort -V

If the version of snort is not at least 1.8.1, this is a finding.


Fix Text: Apply fix as specified on the JTF-GNO NETDefense web site (www.cert.mil)
Fix Text: NetRanger replaced with Cisco Secure IDS (upgrade to new hardware and software) & Cisco Catalyst 6000 IDS Is EOL (end of life as of 2003)
  _____________________________________________________________

Group ID (Vulid): V-5812
Group Title: 2001-B-0004
Rule ID: SV-5812r1_rule
Severity: CAT I
Rule Version (STIG-ID): 2001-B-0004
Rule Title: WU-FTPd Remote Code Execution Vulnerability


Vulnerability Discussion: Refer to the NetDefense website

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
Vulnerable systems are: Caldera thru 3.1, Cobalt QUBE 1.0, Connectiva thru 7.0, Debian thru 2.2, Mandrake thru 8.1, Red Hat thru 7.2, SuSE thru 7.3, Immunix thru 7.0, and any other system using WU-FTPD or derivatives of it. To correct the vulnerability, upgrade to the latest version from the vendor or from Washington University. Version 2.6.2 will be the target version.

To find the version of the installed daemon, perform:

# strings /usr/sbin/in.ftpd | grep -i version

or log into the server using the ftp command and, when connected, use the ver command to elicit the version from the daemon. If the version displayed shows something similar to the following: Version 2.6.0per2(1) followed by a date, it is wu-ftpd. The version must be 2.6.2, or greater, or this is a finding. Wu-ftpd is found, primarily, on Linux systems and the IAVA is specific to Linux.

Fix Text: Apply fix as specified on the JTF-GNO NETDefense web site (www.cert.mil)
Fix Text: -       Upgrade to, at the least, the required software release or remove the binary/application to remediate this finding.
-       Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding, for example a CAT I finding may be downgraded to a CAT II.
  _____________________________________________________________

Group ID (Vulid): V-5816
Group Title: 2001-T-0004
Rule ID: SV-5816r1_rule
Severity: CAT II
Rule Version (STIG-ID): 2001-T-0004
Rule Title: MySQLd Vulnerability


Vulnerability Discussion: Refer to the NetDefense website

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
After determining the binary is not a trojan, perform the following command as a non-privileged user to determine the version:

      # mysql -V

The version should be at least 3.23.38.



Fix Text: Apply fix as specified on the JTF-GNO NETDefense web site (www.cert.mil)
  _____________________________________________________________

Group ID (Vulid): V-5820
Group Title: 2001-T-0008
Rule ID: SV-5820r1_rule
Severity: CAT II
Rule Version (STIG-ID): 2001-T-0008
Rule Title: Buffer Overflow in telnetd


Vulnerability Discussion: Refer to the NetDefense website

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
Perform procedures in Appendix F, Patch Control, to check for the following patches:

Solaris    2.6              106049-05
Solaris    2.6x86           106050-05
Solaris    2.7              107475-05
Solaris    2.7x86           107476-05
Solaris    2.8              110668-05
Solaris    2.8x86           110669-05

HP-UX      10.01            PHNE_24820
HP-UX      10.10            PHNE_24820
HP-UX      10.20            PHNE_24821
HP-UX      SIS 10.20        PHNE_24822
HP-UX      10.24            PHNE_25217

AIX        4.3.3            IY22029
AIX        5.1              IY22021

IRIX       6.5              SG0004354



Check Content: 
The following Cisco Catalyst Switches and software versions are vulnerable:
• Catalyst 6000 series; 5.5(13), 6.3(4), 7.1(2)
• Catalyst 5000 series; 5.5(13), 6.3(4), 7.1(2)
• Catalyst 4000 series; 5.5(13), 6.3(4), 7.1(2)
• Catalyst 2948G, 2980G, 2980G-A, 4912G - use Catalyst 4000 series code base
• Catalyst 2901, 2902, 2926[T,F,GS,GL], 2948 - use Catalyst 5000 series code base


Fix Text: Apply fix as specified on the JTF-GNO NETDefense web site (www.cert.mil)
Fix Text: -       Apply the applicable patch or remove the binary/application to remediate this finding.
-       Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding, for example a CAT I finding may be downgraded to a CAT II.

Fix Text:
• Catalyst 6000 series; 5.5(13), 6.3(4), 7.1(2)
• Catalyst 5000 series; 4.5(13a), 5.5(13), 6.3(4)
• Catalyst 4000 series; 5.5(13), 6.3(4), 7.1(2)

The following Cisco Catalyst switches are not vulnerable:
• Catalyst 8500 series
• Catalyst 4800 series
• Catalyst 4200 series
• Catalyst 3900 series
• Catalyst 3550 series
• Catalyst 3500 XL series
• Catalyst 4840G
• Catalyst 4908G-l3
• Catalyst 2948G-l3
• Catalyst 2950
• Catalyst 2900 XL
• Catalyst 2900 LRE XL
• Catalyst 2820
• Catalyst 1900
No other Cisco product is currently known to be affected by this vulnerability.
  _____________________________________________________________

Group ID (Vulid): V-5825
Group Title: 2001-T-0015
Rule ID: SV-5825r1_rule
Severity: CAT II
Rule Version (STIG-ID): 2001-T-0015
Rule Title: Multiple Vulnerabilities in lpd Daemon


Vulnerability Discussion: Refer to the NetDefense website

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
Perform procedures in Appendix F, Patch Control, to check for the following patches:

Solaris    2.6              106235-10
Solaris    2.6x86           106236-10
Solaris    2.7              107115-10
Solaris    2.7x86           107116-10
Solaris    2.8              109320-05
Solaris    2.8x86           109321-05

HP-UX      10.01            PHCO_25107
HP-UX      10.10            PHCO_25108
HP-UX      10.20            PHCO_25109
HP-UX      11.00            PHCO_25110
HP-UX      11.11            PHCO_25111
HP-UX      11.20            PHCO_24868

IRIX       6.2 - 6.5.2      Patch not available
IRIX       6.5.3.1.1        Patch not available

AIX        4.3              IY23037
AIX        5.1              IY23041

Linux      ALL              lpr package of version 0.48 or greater


Fix Text: Apply fix as specified on the JTF-GNO NETDefense web site (www.cert.mil)
Fix Text: -       Apply the applicable patch or remove the binary/application to remediate this finding.
-       Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding, for example a CAT II finding may be downgraded to a CAT III.
  _____________________________________________________________

Group ID (Vulid): V-5826
Group Title: 2001-T-0017
Rule ID: SV-5826r1_rule
Severity: CAT II
Rule Version (STIG-ID): 2001-T-0017
Rule Title: OpenSSH UseLogin Multiple Vulnerabilities


Vulnerability Discussion: Refer to the NetDefense website

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 

To get the version, perform the following command(s):

      # telnet localhost 22
Or
      # strings (ssh or sshd) | grep -i version
Or, after determining the binary is not a trojan, perform the following as a non-privileged user:
      # ssh -V

Upgrade to OpenSSH 3.0.2 or later.


Fix Text: Apply fix as specified on the JTF-GNO NETDefense web site (www.cert.mil)
Fix Text: -       Upgrade to, at the least, the required software release or remove the binary/application to remediate this finding.
-       Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding, for example a CAT I finding may be downgraded to a CAT II.
  _____________________________________________________________

Group ID (Vulid): V-5827
Group Title: 2001-T-0018
Rule ID: SV-5827r1_rule
Severity: CAT II
Rule Version (STIG-ID): 2001-T-0018
Rule Title: Short Password Vulnerability in SSH Communications Security


Vulnerability Discussion: Refer to the NetDefense website

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
This check only applies to SSH from SSH Communications Security.
To get the version, perform the following command:

      # telnet localhost 22
Or
      # strings (ssh or sshd) | grep -i version
Or

Upgrade to SSH Secure Shell 3.0.1 or later.


Check Content: 
Not applicable to CISCO IOS, CATOS, PIX, SN5420 - request sent to JTF to have removed in VMS


Fix Text: Apply fix as specified on the JTF-GNO NETDefense web site (www.cert.mil)
Fix Text: -       Upgrade to, at the least, the required software release or remove the binary/application to remediate this finding.
-       Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding, for example a CAT II finding may be downgraded to a CAT III.

Fix Text: Not applicable to CISCO IOS, CATOS, PIX, SN5420 - request sent to JTF to have removed in VMS
  _____________________________________________________________

Group ID (Vulid): V-5863
Group Title: 2002-T-0016
Rule ID: SV-5863r1_rule
Severity: CAT II
Rule Version (STIG-ID): 2002-T-0016
Rule Title: Multiple Vendor kadmind Remote Buffer Overflow Vulnerability


Vulnerability Discussion: Refer to the NetDefense website

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
The version for Kerberos can be checked with:

      # strings libkrb5.so | grep -i brand

The version must be 1.2.5-7 or higher.


Fix Text: Apply fix as specified on the JTF-GNO NETDefense web site (www.cert.mil)
Fix Text: -       Upgrade to, at the least, the required software release or remove the binary/application to remediate this finding.
-       Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding, for example a CAT I finding may be downgraded to a CAT II.
  _____________________________________________________________

Group ID (Vulid): V-5877
Group Title: 2003-B-0001
Rule ID: SV-5877r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2003-B-0001
Rule Title: Multiple Buffer Overflow Vulnerabilities in Various DNS Resolver Libraries


Vulnerability Discussion: Refer to the NetDefense website

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
To examine the version number of named perform the following command(s):

# find / -name named
# find / -name in.named
# what in.named/named | grep -i version
# strings in.named/named | grep -i version
Or after determining the binary is not a trojan, perform the following as a non-privileged user:
# /usr/sbin/named -v

Verify the following patches are installed:

Solaris

Solaris 2.5.1 103663-19
Solaris 2.5.1_x86 103664-19
Solaris 2.6 105755-12
Solaris 2.6_x86 105756-12
Solaris 7 106938-06
Solaris 7_x86 106939-06
Solaris 8 109326-09
Solaris 8_x86 109327-09
Solaris 9 112970-02

HP-UX

HP-UX 10.10 PHNE_27792
HP-UX 10.20 PHNE_27792
HP-UX 11.0 PHNE_27793
HP-UX 11.04 PHNE_28415
HP-UX 11.11 PHNE_27794

AIX

AIX 4.3 ISC BIND 8.2.2 p5 glibc 2.1.1-2.1.6
AIX 4.3.1 ISC BIND 8.2.2 p5
AIX 4.3.2 ISC BIND 8.2.2 p5
AIX 4.3.3 ISC BIND 8.2.2 p5
AIX 5.1 glibc 2.1.1-2.1.6

Red Hat glibc-2.1.3-24.rpm bind-9.2.1-0.6x.3.rpm

Fix Text: Apply fix as specified on the JTF-GNO NETDefense web site (www.cert.mil)
Fix Text: -       Apply the applicable patch, upgrade to, at the least, the required software release, or remove the binary to remediate this finding.
-       Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding, for example a CAT I finding may be downgraded to a CAT II.
  _____________________________________________________________

Group ID (Vulid): V-5879
Group Title: 2003-B-0003
Rule ID: SV-5879r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2003-B-0003
Rule Title: Sendmail Memory Corruption Vulnerability


Vulnerability Discussion: Refer to the NetDefense website

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
To determine the version of sendmail, use the following command:

# grep ^DZ /etc/mail/sendmail.cf

Systems using sendmail below version 8.12.9, or that are not patched, are affected.
Upgrade to 8.12.9 or verify the following patches are installed:

Solaris

Solaris 2.6 105395-09
Solaris 2.6_x86 105396-09
Solaris 7 107684-09
Solaris 7_x86 107685-09
Solaris 8 110615-09
Solaris 8_x86 110616-09
Solaris 9 113575-04
Solaris 9_x86 114137-03

HP-UX

If a fix has been installed, the following command will list a 'version.c' line:

# what /usr/sbin/sendmail | grep JAGae58098

Install HPSecurityBul246.depot with swinstall for all versions.

Red Hat

Red Hat Linux 6.2 sendmail-8.11.6-1.62.3.i386.rpm
Red Hat Linux 7.0 sendmail-8.11.6-25.70.i386.rpm
Red Hat Linux 7.1 sendmail-8.11.6-25.71.i386.rpm
Red Hat Linux 7.2 sendmail-8.11.6-25.72.i386.rpm
Red Hat Linux 7.3 sendmail-8.11.6-25.73.i386.rpm
Red Hat Linux 8.0 sendmail-8.12.8-5.80.i386.rpm
Red Hat Linux 9 sendmail-8.12.8-5.90.i386.rpm

AIX

AIX 4.3.3 IY42629
AIX 5.1.0 IY42630
AIX 5.2.0 IY42631

SuSE

SuSE-7.1 sendmail-8.11.2-45.i386.rpm
SuSE-7.2 sendmail-8.11.3-108.i386.rpm
SuSE-7.3 sendmail-8.11.6-164.i386.rpm
SuSE-8.0 sendmail-8.12.3-75.i386.rpm
SuSE-8.1 sendmail-8.12.6-109.i586.rpm

IRIX

All Version patch #5045
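Several checks in this document (the in.ftpd check in V-5751, the wu-ftpd check in V-5812 and the sendmail check above) reduce to the same operation: pull a dotted version number out of `strings` output or a configuration line and compare it against the minimum the rule requires. The following POSIX sh script is an added example, not part of the STIG or of any vendor tool; the `strings` line and the sendmail.cf fragment it runs against are constructed, and the function names are the example's own. It compares versions component by component so that 2.6.10 is correctly ranked above 2.6.2 (a plain string comparison would get that wrong) and treats a missing banner as a finding rather than a pass.

```sh
#!/bin/sh
# Added example (not from the STIG): turn the manual "version must be at least X"
# checks into a repeatable script. Function names and sample data are constructed.

# version_at_least ACTUAL MINIMUM
# Returns 0 when ACTUAL >= MINIMUM, comparing dotted versions component by
# component as integers (so 2.6.10 > 2.6.2, and "8.12" is read as 8.12.0).
version_at_least() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0   # "+ 0" drops trailing text such as "0per2(1)"
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Extract the first dotted version following the word "Version" from stdin,
# the shape of the line produced by: strings /usr/sbin/in.ftpd | grep -i version
extract_ftpd_version() {
    sed -n 's/.*[Vv]ersion \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Extract the version from a sendmail.cf "DZ" line, the shape of the line
# produced by: grep ^DZ /etc/mail/sendmail.cf
extract_sendmail_version() {
    sed -n 's/^DZ\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# check_minimum NAME ACTUAL MINIMUM
# Prints a PASS/FINDING line; returns 0 for PASS, 1 for a finding.
# An empty ACTUAL is treated as a finding so a missing banner never passes silently.
check_minimum() {
    name=$1; actual=$2; minimum=$3
    if [ -z "$actual" ]; then
        echo "$name: version not found - FINDING (verify manually)"
        return 1
    fi
    if version_at_least "$actual" "$minimum"; then
        echo "$name: $actual >= $minimum - PASS"
        return 0
    fi
    echo "$name: $actual < $minimum - FINDING"
    return 1
}

# Constructed sample input (not captured from a real host).
SAMPLE_FTPD_STRINGS='Version 2.6.0per2(1) Thu Jun 22 2000'
SAMPLE_SENDMAIL_CF='# constructed sendmail.cf fragment
DZ8.12.9
Dj$w.example.com'

# Demonstration run: the ftpd sample is below 2.6.2 (finding); sendmail is at 8.12.9 (pass).
ftpd_ver=$(printf '%s\n' "$SAMPLE_FTPD_STRINGS" | extract_ftpd_version)
sendmail_ver=$(printf '%s\n' "$SAMPLE_SENDMAIL_CF" | extract_sendmail_version)
check_minimum "wu-ftpd (V-5812)" "$ftpd_ver" "2.6.2" || :
check_minimum "sendmail (V-5879)" "$sendmail_ver" "8.12.9" || :
```

On a real host the two `printf` lines would be replaced by the commands the checks name, for example `strings /usr/sbin/in.ftpd | grep -i version | extract_ftpd_version` and `grep ^DZ /etc/mail/sendmail.cf | extract_sendmail_version`; the page's own caveat still applies, so confirm the binary is not trojaned and run it as a non-privileged user before trusting its banner.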

Fix Text: Apply fix as specified on the JTF-GNO NETDefense web site (www.cert.mil)
Fix Text: (Manual) Upgrade to version 8.12.9 or obtain vendor patches that address the vulnerability.
  _____________________________________________________________

Group ID (Vulid): V-5886
Group Title: 2003-T-0007
Rule ID: SV-5886r1_rule
Severity: CAT II
Rule Version (STIG-ID): 2003-T-0007
Rule Title: Sun RPC XDR Library Integer Overflow Vulnerability


Vulnerability Discussion: Refer to the NetDefense website

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
Use the procedures in Appendix F, Patch Control, to check if the following patches have been loaded:

Solaris
5.6           105401-44
5.6_x86       105402-44
5.7           106942-27
5.7_x86       106943-27
5.8           108993-18
5.8_x86       108994-18
5.9           113319-11
5.9_x86       113719-04

HP-UX
B.10.20       PHCO_26158 or PHCO_31920
B.10.24       PHCO_27882 or PHNE_30377 or PHNE_30660 or PHNE_31096
B.11.00P      PHNE_28567 or PHNE_28982 or PHNE_29210 or PHNE_29785 or PHNE_29882 or PHNE_30377 or PHNE_30660 or PHNE_31096
B.11.11       PHNE_28568 or PHNE_28983 or PHNE_29211 or PHNE_29783 or PHNE_29883 or PHNE_30378 or PHNE_30380 or PHNE_30661

Red Hat
6.2           glibc-2.1.3-29.i386.rpm
7.0           glibc-2.2.4-18.7.0.9.i386.rpm
7.1           glibc-2.2.4-32.i386.rpm
7.2           glibc-2.2.4-32.i386.rpm
7.3           glibc-2.2.5-43.i386.rpm
8.0           glibc-2.3.2-4.80.i386.rpm
9.0           krb5-libs-1.2.7-14.i386.rpm

SuSE
7.1           glibc-2.2-26.i386.rpm
7.2           glibc-2.2.2-68.i386.rpm
7.3           glibc-2.2.4-78.i386.rpm
8.0           glibc-2.2.5-177.i386.rpm
8.1           glibc-2.2.5-177.i686.rpm

IRIX
6.5.15m       4986
6.5.15f       4987
6.5.16m       4988
6.5.16f       4989
6.5.17m       4990
6.5.17f       4991
6.5.18m       5014
6.5.18f       5015
6.5.19m       4992
6.5.19f       4993


Fix Text: Apply fix as specified on the JTF-GNO NETDefense web site (www.cert.mil)
Fix Text:
- Apply the applicable patch or remove the binary/application to remediate this finding.
- Or, the vulnerable binary may be renamed and the permissions modified to 000 to downgrade the finding, for example a CAT II finding may be downgraded to a CAT III.
  _____________________________________________________________

Group ID (Vulid): V-5896
Group Title: 2003-T-0015
Rule ID: SV-5896r1_rule
Severity: CAT II
Rule Version (STIG-ID): 2003-T-0015
Rule Title: Multiple Vendor PDF Hyperlinks Arbitrary Command Execution Vulnerability


Vulnerability Discussion: Refer to the NetDefense website

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 

- Solaris
The dhcpd binary should be: /usr/lib/inet/in.dhcpd
# strings <dhcpd_binary> | grep "Internet Software Consortium"

- HP-UX
The dhcpd binary should be: /usr/lbin/dhcpserverd
# strings <dhcpd_binary> | grep "Internet Software Consortium"

- AIX
The dhcpd binary should be: /usr/sbin/dhcpsd
# strings <dhcpd_binary> | grep "Internet Software Consortium"

- IRIX
The dhcpd binary should be: /usr/sbin/dhcpd
# strings <dhcpd_binary> | grep "Internet Software Consortium"

- Linux
The dhcpd binary should be: /usr/sbin/dhcpd
# strings <dhcpd_binary> | grep "Internet Software Consortium"

If the string "Internet Software Consortium" is found, confirm the version is 3.0.1 rc14 or later.

# <dhcpd_binary> | more


Fix Text: Apply fix as specified on the JTF-GNO NETDefense web site (www.cert.mil)
Fix Text: (Manual) - Apply vendor patches. Upgrade to DHCPD 3.0.1rc14.

  _____________________________________________________________

Group ID (Vulid): V-5904
Group Title: 2003-T-0020
Rule ID: SV-5904r2_rule
Severity: CAT II
Rule Version (STIG-ID): 2003-T-0020
Rule Title: OpenSSH Buffer Mismanagement and Multiple Portable OpenSSH PAM Vulnerabilities


Vulnerability Discussion: Refer to the NetDefense website

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
If Secure Shell is running, verify it is OpenSSH. If it is OpenSSH, check the version by locating the ssh command and, after determining the binary is not a trojan, perform the following command as a non-privileged user:

    # ./ssh -V

Sun versions:    OpenSSH:
    1.0          3.1.6
    1.0.1        3.7.1
    1.0.2        3.9p1

The command will return the version. If it is less than 3.7.1, this is a finding.
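As an added illustration that is not part of the IAVA checklist, the following POSIX shell script parses the banner that ssh -V prints and compares it against the 3.7.1 minimum above. It handles the portable-release suffix (for example 3.9p1, which the table lists) and a banner with only two version components. The banner strings inside it are constructed samples, and the function names are the example's own; on a real host the same function would be fed the output of ./ssh -V 2>&1, since ssh writes its banner to stderr.

```shell
#!/bin/sh
# Added example (not from the IAVA checklist): compare the OpenSSH version
# reported by "ssh -V" against the 3.7.1 minimum of 2003-T-0020.
# Function names are this example's own; banner strings are constructed.

MIN_OPENSSH="3.7.1"

# Prints the numeric version (major.minor.patch) from an "ssh -V" banner such
# as "OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090701f".
# The portable-release suffix (p1, p2) is dropped and a missing third
# component is treated as 0. Prints nothing if the banner is not OpenSSH.
openssh_version_from_banner() {
    printf '%s\n' "$1" | awk '
        /^OpenSSH_[0-9]/ {
            v = substr($1, 9)            # strip the "OpenSSH_" prefix
            sub(/[^0-9.].*$/, "", v)     # drop "p2," and anything after it
            n = split(v, f, ".")
            if (n < 2) f[2] = 0
            if (n < 3) f[3] = 0
            printf "%d.%d.%d\n", f[1], f[2], f[3]
        }'
}

# Returns 0 if dotted version $1 is greater than or equal to $2, else 1.
# Components are compared numerically so that 3.10 sorts after 3.9.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# Evaluates one banner. Prints "pass", "finding" or "not-openssh" and
# returns 0 only for "pass" (a non-OpenSSH banner needs a manual review).
check_openssh_banner() {
    ver=$(openssh_version_from_banner "$1")
    if [ -z "$ver" ]; then
        echo "not-openssh"
        return 2
    fi
    if version_ge "$ver" "$MIN_OPENSSH"; then
        echo "pass"
        return 0
    fi
    echo "finding"
    return 1
}

# Constructed sample banners (not captured from a real system).
SAMPLE_OLD="OpenSSH_3.6.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090701f"
SAMPLE_OK="OpenSSH_3.9p1, OpenSSL 0.9.7e 25 Oct 2004"
SAMPLE_OTHER="ssh: SSH Secure Shell 3.2.9 (non-commercial version) on i686-pc-linux-gnu"

for b in "$SAMPLE_OLD" "$SAMPLE_OK" "$SAMPLE_OTHER"; do
    printf '%-72s %s\n' "$b" "$(check_openssh_banner "$b")"
done

# On a real host (after confirming the binary is not a trojan):
#   check_openssh_banner "$(./ssh -V 2>&1)"
```

The numeric comparison matters because a plain string comparison would rank 3.10 below 3.7; the "not-openssh" verdict is deliberate, since the check text only defines a finding for OpenSSH and another SSH implementation has to be reviewed by hand.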


Check Content: 
• Cisco Catalyst Switching Software (CatOS)
All K9 (crypto) images in 6.x, 7.x, and 8.x release trains are affected by these vulnerabilities.
The following Cisco Catalyst Switches are vulnerable:
Catalyst 6000 series
Catalyst 5000 series
Catalyst 4000 series
Catalyst 2948G, 2980G, 2980G-A, 4912G - use Catalyst 4000 series code base
• Cisco Secure Intrusion Detection System (NetRanger) devices running 3.0(1) through 4.1(1):
IDS-42xx appliances
NM-CIDS
WS-SVS-IDSM2
• Cisco Network Analysis Modules (NAM) for the Cisco Catalyst 6000 and 6500 Series switches and Cisco 7600 Series routers. The following devices that have applied the K9 crypto patch and have SSH enabled are vulnerable:
WS-X6380-NAM, running software version 2.1(2) or 3.1(1a)
WS-SVC-NAM-1, running software version 2.2(1a) or 3.1(1a)
WS-SVC-NAM-2, running software version 2.2(1a) or 3.1(1a)
• CiscoWorks 1105 Hosting Solution Engine (HSE)
• CiscoWorks 1105 Wireless LAN Solution Engine (WLSE)
• Cisco Content Service CSS 11000 Switch series
• Cisco Application & Content Networking Software (ACNS)
• BTS 10200 Softswitch
• Cisco GSS 4480 Global Site Selector
• Cisco SN 5428 Storage Router
• Cisco PGW 2200 Softswitch (formerly known as Cisco VSC 3000 and as Cisco SC 2200)
• Cisco has not released code with SSH for the SN5420 storage router.


Fix Text: Apply fix as specified on the JTF-GNO NETDefense web site (www.cert.mil)
Fix Text:
• CatOS:
Catalyst 4000/5000/6000 series switches 6.4(7) 7.6(3a) for Catalyst 4000 series switches due out on September 30, 2003
Catalyst 6000 series switches 7.6(3a)
Catalyst 6000 series switches 8.1(3)
Catalyst 4000 series switches 8.2(1)GLX
Catalyst 6000 series switches 8.2(1)
• Cisco Secure Intrusion Detection System (NetRanger) appliance; 3.1(5), 4.1(2
• Cisco Network Analysis Modules (NAM); Patch required, contact Cisco.
• CiscoWorks 1105 Hosting Solution Engine (HSE); 1.7.2
• CiscoWorks 1105 Wireless LAN Solution Engine (WLSE); Contact Cisco.
• Cisco Content Service CSS11000 Switch series; 5.0.3.10s, 6.10.1.8s, 7.10.3.11s and 7.20.1.10s.
• Cisco Application & Content Networking Software (ACNS)- 5.1, 5.0.7
• BTS 10200 Softswitch; Contact Cisco.
• Cisco GSS 4480 Global Site Selector; 1.1(0) code.
• Cisco SN 5428 Storage Router; 3.4.1.
• Cisco PGW 2200 Softswitch; 1.0(2).
• The following products, which incorporate a SSH server, have been confirmed to be not vulnerable:
Cisco IOS, both SSH version 1.5 and SSH version 2.0
Cisco Secure Intrusion Detection System Catalyst Module (IDSM), model number WS-X6381-IDS
Cisco PIX Firewall
Cisco Catalyst 6000 Firewall Service Module (FWSM)
Cisco VPN 3000 Concentrators and Cisco VPN 5000 Concentrators
Cisco MDS 9000 Series Multilayer Switches
CatOS releases 2.x, 3.x, 4.x and 5.x are not vulnerable as they do not have SSH support.
• Cisco has not released code with SSH for the SN5420 storage router.


Fix Text: (Manual) - Upgrade to OpenSSH version 3.7.1, at a minimum, or install patches furnished by OpenSSH.org.
  _____________________________________________________________

Group ID (Vulid): V-5906
Group Title: 2003-B-0005
Rule ID: SV-5906r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2003-B-0005
Rule Title: Sendmail Prescan Variant Remote Buffer Overrun Vulnerability


Vulnerability Discussion: Refer to the NetDefense website

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
Verify the following patches are installed:

Solaris 7.0 107684-11 or later
Solaris 7.0_x86 107685-11 or later
Solaris 8.0 110615-11 or later
Solaris 8.0_x86 110616-11 or later
Solaris 9.0 113575-05 or later
Solaris 9.0_x86 114137-04 or later

HPUX:

# /usr/sbin/sendmail -d0.1 < /dev/null | grep -i version

The display will show the sendmail version number.

Download and install the appropriate file for the operating system revision and sendmail version.

HP-UX B.11.00:
SMAIL-811.INETSVCS-SMAIL Install sendmail.811.11.00.r4 file
InternetSrvcs.INETSVCS-RUN Install sendmail.893.11.00.r4 file

HP-UX B.11.04:
InternetSrvcs.INETSVCS-RUN Install sendmail.893.11.00.r4 file


HP-UX B.11.11:
SMAIL-811.INETSVCS-SMAIL Install sendmail.811.11.11.r4 file
InternetSrvcs.INETSVCS-RUN Install sendmail.893.11.11.r4 file

HP-UX B.11.22:

Install sendmail.811.11.22.r5 file


AIX 4.3.3 IY48659
AIX 5.1.0 IY48658
AIX 5.2.0 IY48657

Linux
ftp://updates.redhat.com/7.1/en/os/i386/sendmail-8.11.6-27.71.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/sendmail-8.11.6-27.72.i386.rpm
ftp://updates.redhat.com/7.3/en/os/i386/sendmail-8.11.6-27.73.i386.rpm
ftp://updates.redhat.com/8.0/en/os/i386/sendmail-8.12.8-9.80.i386.rpm
ftp://updates.redhat.com/9/en/os/i386/sendmail-8.12.8-9.90.i386.rpm

Fix Text: Apply fix as specified on the JTF-GNO NETDefense web site (www.cert.mil)
Fix Text: (Manual) - Apply vendor patches.
  _____________________________________________________________

Group ID (Vulid): V-5916
Group Title: 2003-T-0024
Rule ID: SV-5916r1_rule
Severity: CAT II
Rule Version (STIG-ID): 2003-T-0024
Rule Title: RSync Daemon Mode Undisclosed Remote Heap Overflow Vulnerability


Vulnerability Discussion: Refer to the NetDefense website

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
First, determine if the system is running rsyncd (which listens on TCP port 873) by performing:

    # netstat -a | egrep "873|rsync"

If rsync is running on the system then:

    # grep chroot /etc/rsyncd.conf

If it is not there, or it is set to no, this is a finding. Obtain patches from the vendor in accordance with the IAVA.
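An added example, not part of the checklist: a shell check that evaluates an rsyncd.conf file the way the step above describes, reporting a finding when "use chroot" is absent or set to a false value. It goes slightly beyond the single grep by ignoring comment lines, tolerating case and whitespace variations, and treating a [module] section that overrides the global setting with "no" as a finding (rsyncd.conf allows the directive in either place). The configuration text and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the IAVA checklist): evaluate rsyncd.conf against the
# "use chroot" requirement of 2003-T-0024. Function names are this example's
# own; the configuration samples below are constructed.

# Reads rsyncd.conf text on stdin and prints "pass" or "finding".
# A finding is raised when no "use chroot" directive exists at all, or when
# any section (global or [module]) sets it to no/false/0.
rsync_chroot_status() {
    awk '
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }          # comments and blank lines
        {
            line = tolower($0)
            if (line ~ /^[ \t]*use[ \t]+chroot[ \t]*=/) {
                seen = 1
                val = line
                sub(/^[^=]*=[ \t]*/, "", val)           # keep the value only
                sub(/[ \t]*$/, "", val)                 # trim trailing blanks
                if (val == "no" || val == "false" || val == "0") bad = 1
            }
        }
        END { if (!seen || bad) print "finding"; else print "pass" }'
}

# File-path wrapper, as an auditor would run it on a host where rsyncd is
# listening. A missing or unreadable file is reported as a finding because
# the directive cannot have been set.
rsync_chroot_check_file() {
    if [ ! -r "$1" ]; then
        echo "finding"
        return 1
    fi
    rsync_chroot_status < "$1"
}

# Constructed sample configurations.
CONF_GOOD='# constructed sample: chroot enabled globally
use chroot = yes
[backup]
    path = /srv/backup
    read only = yes'

CONF_BAD='use chroot = yes
[scratch]
    path = /tmp/scratch
    use chroot = no'

CONF_MISSING='[backup]
    path = /srv/backup'

# Prints one verdict per sample, in the order good, bad, missing.
rsync_chroot_demo() {
    printf '%s\n' "$CONF_GOOD" | rsync_chroot_status
    printf '%s\n' "$CONF_BAD" | rsync_chroot_status
    printf '%s\n' "$CONF_MISSING" | rsync_chroot_status
}

rsync_chroot_demo

# On a real host:
#   rsync_chroot_check_file /etc/rsyncd.conf
```

Note that a global "use chroot = yes" does not protect a module that sets it back to "no", which is why the check walks every section rather than stopping at the first match.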


Fix Text: Apply fix as specified on the JTF-GNO NETDefense web site (www.cert.mil)
Fix Text: (Manual) - Do not use unnecessary network services. If rsync must be used, ensure the latest vendor patches have been applied. If the rsync daemon is used, in addition to installing the latest vendor patches, ensure it is run in a chrooted environment by including the entry "use chroot = yes" in the rsyncd.conf file.
  _____________________________________________________________

Group ID (Vulid): V-5923
Group Title: 2004-A-0002
Rule ID: SV-5923r1_rule
Severity: CAT I
Rule Version (STIG-ID): 2004-A-0002
Rule Title: Multiple Vulnerabilities in Check Point Firewall


Vulnerability Discussion: Refer to the NetDefense website

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 

To determine the version number of the Check Point software that you are running, after determining the binary is not a trojan, use the following command as a non-privileged user:

    # $FWDIR/bin/fw ver

where $FWDIR is the directory where Check Point is installed.

System Administrators who use the HTTP Security Servers of Check Point Firewall-1 must download and apply the following update:

http://www.checkpoint.com/techsupport/downloads/bin/firewall1/security_server_hotfix_cpsc.zip

System Administrators who use VPN capabilities on VPN-1/FireWall-1 4.1 SP5a and prior, Next Generation FP0 and FP1 must upgrade to the latest non-vulnerable version provided below:
http://www.checkpoint.com/techsupport/ng_application_intelligence/r55_updates.html


Check Content: 
N/A - Checkpoint - request sent to JTF to have removed in VMS


Fix Text: Apply fix as specified on the JTF-GNO NETDefense web site (www.cert.mil)
Fix Text: VPN-1: Upgrade to the latest non-vulnerable version.


Fix Text: N/A - Checkpoint - request sent to JTF to have removed in VMS

Fix Text: (Manual) - HTTP: System Administrators who use the HTTP Security Servers of Check Point Firewall-1 must download and apply the following update:
http://www.checkpoint.com/techsupport/downloads/bin/firewall1/security_server_hotfix_cpsc.zip

VPN-1: System Administrators who use VPN capabilities on VPN-1/FireWall-1 4.1 SP5a and prior, Next Generation FP0 and FP1 must upgrade to the latest non-vulnerable version provided below:
http://www.checkpoint.com/techsupport/ng_application_intelligence/r55_updates.html
  _____________________________________________________________

Group ID (Vulid): V-5925
Group Title: 2004-T-0003
Rule ID: SV-5925r2_rule
Severity: CAT II
Rule Version (STIG-ID): 2004-T-0003
Rule Title: Apache-SSL Client Certificate Forging Vulnerability


Vulnerability Discussion: Refer to the NetDefense website

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
After determining the binary is not a trojan, check the version as a non-privileged user:

    # httpd -v

The version should be at least 1.3.29+1.53.


Fix Text: Apply fix as specified on the JTF-GNO NETDefense web site (www.cert.mil)
Fix Text: (Manual) - Upgrade to Apache-SSL apache_1.3.29+ssl_1.53 at URL: www.apache-ssl.org/#Download
  _____________________________________________________________

Group ID (Vulid): V-5928
Group Title: 2004-T-0005
Rule ID: SV-5928r2_rule
Severity: CAT II
Rule Version (STIG-ID): 2004-T-0005
Rule Title: Oracle9i Lite Mobile Server Multiple Vulnerabilities


Vulnerability Discussion: Refer to the NetDefense website

Responsibility: System Administrator
IAControls: VIVM-1

Check Content: 
Check that Oracle9i Lite has been updated to version 5.0.2.10.0 or higher.

Check Content: 
Use the Oracle opatch utility to list the installed patches with the command "opatch lsinventory -detail". Patch 3369291 must be installed. If the patch is not installed, then this is a finding.

Fix Text: Apply fix as specified on the JTF-GNO NETDefense web site (www.cert.mil)   _____________________________________________________________

Group ID (Vulid): V-6015
Group Title: 2005-B-0007
Rule ID: SV-6015r1_rule
Severity: CAT I
Rule Version (STIG-ID): 2005-B-0007
Rule Title: Symantec UPX Parsing Engine Remote Heap Overflow Vulnerability


Vulnerability Discussion: Refer to the NetDefense website

Responsibility: System Administrator
IAControls: VIVM-1

Check Content: 
Verify that Symantec AntiVirus Corporate Edition v 8.0 is at version 8.0.1.501 or above.
Verify that Symantec AntiVirus Corporate Edition v 8.1 is at version 8.1.1.366 or above.

Check Content: 
Ask the system administrator if any of the products listed in the vulnerable systems are installed on the system. Ask the administrator if the most current product update which is available from https://www.jtfgno.mil has been installed. This is a finding if the most recent software has not been installed.

Fix Text: Apply fix as specified on the JTF-GNO NETDefense web site (www.cert.mil)   _____________________________________________________________

Group ID (Vulid): V-6016
Group Title: 2005-B-0008
Rule ID: SV-6016r1_rule
Severity: CAT I
Rule Version (STIG-ID): 2005-B-0008
Rule Title: Trend Micro VSAPI ARJ Handling Heap Overflow Vulnerability


Vulnerability Discussion: Refer to the NetDefense website

Responsibility: System Administrator
IAControls: VIVM-1

Check Content: 
Verify that the VSAPI scan engine "VsapiNT.sys" is at version 7.501 or higher.

Check Content: 
Ask the system administrator if any of the Trend Micro security products are installed on the machine. If any of the products are installed, ask the system administrator if an appropriate vendor patch has been installed as identified at https://www.jtfgno.mil. If the specific patch listed in the IAVA has not been installed, then this is a finding.

Fix Text: Apply fix as specified on the JTF-GNO NETDefense web site (www.cert.mil)   _____________________________________________________________

Group ID (Vulid): V-6018
Group Title: 2005-T-0007
Rule ID: SV-6018r1_rule
Severity: CAT II
Rule Version (STIG-ID): 2005-T-0007
Rule Title: Multiple Vulnerabilities in Computer Associates Products


Vulnerability Discussion: Refer to the NetDefense website

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
To verify that the patch has been installed, check that the lic98rmt.exe file version is greater than 1.4.6.

Note the following default license install directories: C:\CA_LIC or C:\Program Files\CA\SharedComponents\CA_LIC

Check Content: 
(Unix-Manual) The default installation directories are /opt/CA/ca_lic or /opt/CA/SharedComponents/ca_lic. Run lic98version from a command prompt to print out the version number and/or write it to lic98version.log.

Or

Run "strings licrmt | grep BUILD" from a command prompt. The following string format will be returned: "LICAGENT BUILD INFO = /x.x.x/Apr 16 2003/17:13:35", where x.x.x is the file version. The vulnerability exists if this file version is from v1.0.15 through v1.4.6.


Fix Text: Apply fix as specified on the JTF-GNO NETDefense web site (www.cert.mil)   _____________________________________________________________

Group ID (Vulid): V-6021
Group Title: 2005-T-0010
Rule ID: SV-6021r1_rule
Severity: CAT II
Rule Version (STIG-ID): 2005-T-0010
Rule Title: Multiple Vulnerabilities in Sybase Software


Vulnerability Discussion: Refer to the NetDefense website

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
Upgrade or apply a patch as specified by the vendor.

Vulnerable Software
Sybase Adaptive Server Enterprise 11.5.0, 11.5.1, 11.9.2, 12.0.0, 12.0.1, 12.5.0, 12.5.2, 12.5.3

The vendor has released ASE 12.5.3 ESD#1 to address these issues.
Sybase Upgrade ASE 12.5.3 ESD#1
http://downloads.sybase.com/


Fix Text: Apply fix as specified on the JTF-GNO NETDefense web site (www.cert.mil)   _____________________________________________________________

Group ID (Vulid): V-11646
Group Title: 2005-T-0013
Rule ID: SV-12143r1_rule
Severity: CAT II
Rule Version (STIG-ID): 2005-T-0013
Rule Title: Computer Associates BrightStor ARCserve Backup UniversalAgent Remote Buffer Overflow Vulnerability


Vulnerability Discussion: Refer to the NetDefense website

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
Verify that the software has been upgraded or patched.

No information is available on checking for patches. Interview the SA to determine if patches have been applied.

Fix Text: Apply fix as specified on the JTF-GNO NETDefense web site (www.cert.mil)   _____________________________________________________________

Group ID (Vulid): V-11680
Group Title: 2005-T-0031
Rule ID: SV-12177r1_rule
Severity: CAT II
Rule Version (STIG-ID): 2005-T-0031
Rule Title: Multiple Vulnerabilities in Computer Associates Message Queuing (CAM/CAFT)


Vulnerability Discussion: Refer to the NetDefense website

Responsibility: System Administrator
IAControls: VIVM-1

Check Content: 
Simply running camstat will return the version information in the top line of the output on any platform. The camstat command is located in the bin subfolder of the installation directory.
The /etc/catngcampath text file holds the CAM install location.
The version should be at least CAM 1.07 Build 220_13 or CAM 1.11 Build 29_13, depending on the installation's major release number.


Fix Text: Apply fix as specified on the JTF-GNO NETDefense web site (www.cert.mil)   _____________________________________________________________

Group ID (Vulid): V-11684
Group Title: 2005-T-0035
Rule ID: SV-12181r1_rule
Severity: CAT II
Rule Version (STIG-ID): 2005-T-0035
Rule Title: Check Point SecurePlatform NGX Firewall Rules Bypass Vulnerability


Vulnerability Discussion: Refer to the NetDefense website

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Fix Text: Apply fix as specified on the JTF-GNO NETDefense web site (www.cert.mil)   _____________________________________________________________

Group ID (Vulid): V-11703
Group Title: 2005-A-0037
Rule ID: SV-12200r1_rule
Severity: CAT I
Rule Version (STIG-ID): 2005-A-0037
Rule Title: VERITAS NetBackup Java User-Interface Remote Format String Vulnerability


Vulnerability Discussion: 
VERITAS NetBackup is a network enabled, high performance network backup and restore application designed for workgroup environments. VERITAS NetBackup is used within the DoD to back up servers and workstations. There is a new vulnerability in VERITAS NetBackup. The severity of this vulnerability ranges from Denial of Service (DoS) to complete system compromise. Successful exploit of this vulnerability would allow the intruder to execute arbitrary code on a vulnerable system, potentially leading to a complete system compromise. VERITAS has released several patches for different versions of the affected software.

The JTF-GNO has received reports of increased scanning on TCP port 13772 in regards to this vulnerability. An exploit has been released and is known to be circulating in the wild, but there have been no reported system compromises within DoD. Situation Awareness Report (SAR) 2005-SA-0023 has been released on the SIPRNet in regard to this vulnerability. This SAR contains details on additional DoD wide mitigation actions and recommendations.


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
While the only way to fully mitigate this security vulnerability is to properly patch NetBackup, there are temporary mitigations.

It is strongly recommended that System Administrators review their requirements for the use of port 13772 across their network and enclave boundaries. If the use of this port is not operationally essential, serious consideration should be given to blocking this port, on a temporary or permanent basis, at firewalls and/or routers. This will limit potential intruders' opportunities to exploit vulnerable systems running VERITAS software. However, port blocking should only be considered an additional mitigating factor and is not a permanent substitute for the correct patching of vulnerable systems.

If the following temporary mitigations are used, they need to be WELL DOCUMENTED internally to ensure all operators and administrators involved with the NetBackup systems are aware of why the workaround is in place. This is to prevent any administrators from inadvertently reversing the changes, leaving the unpatched machine again exposed to attack.

How to disable Java:
Edit the services file (and the inetd.conf file on UNIX machines) and rename bpjava-msvc on all affected machines until change control is available and the machine can be patched.

For UNIX:
- Comment out the bpjava-msvc line in the /etc/services file
    # bpjava-msvc     13722/tcp       bpjava-msvc
- Comment out the bpjava-msvc line in the /etc/inetd.conf file
    # bpjava-msvc     stream  tcp     nowait  root   /usr/openv/netbackup/bin/bpjava-msvc bpjava-msvc -transient
- Rename bpjava-msvc to bpjava-msvc.vulnerable or delete bpjava-msvc.
- Finally, restart the inetd daemon

For Windows:
- Rename bpjava-msvc.exe to bpjava-msvc.exe.vulnerable or delete bpjava-msvc.exe.
- If the Remote Java Console was installed, uninstall it until such time as the machine can be patched.
- Comment out bpjava-msvc in the <%SystemRoot%>\system32\drivers\etc\services file
    # bpjava-msvc 13722/tcp
- Restart the NetBackup services.

PLEASE NOTE -- On both Windows and UNIX servers, after disabling Java and restarting the daemons/services, confirm there are no Java sessions running, and if there are, terminate them.

After implementing the above workaround, attempts to execute NetBackup Java functions on a machine utilizing this workaround will result in the following error: "NetBackup Status Code: 505
Message: Can not connect to the NB-Java authentication service on (host) on the configured port - (port_number).."

Alternative Management Utilities:
- Install the NetBackup server software on Windows and administer NetBackup using the Windows Administrative Console. Attempts to launch the Java GUI will result in the same error message shown in workaround 2.
- Use the bpadm utility. This utility has a menu interface that an administrator can use to configure NetBackup and monitor its operations. bpadm requires root privileges. This interface can be used from any character-based terminal (or terminal emulation window) for which the administrator has a termcap or terminfo definition. Refer to the VERITAS NetBackup (tm) Commands for UNIX or Windows manuals for more information concerning this option.
- For customers still using releases prior to NetBackup 4.5, use the Motif administrative GUI to administer NetBackup (found in the bin directory: /usr/openv/netbackup/bin). This GUI was retired in NetBackup 4.5.
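Added example, not from the IAVA or from VERITAS: a shell check for a UNIX NetBackup host that confirms the workaround above is actually in effect, that is, no active (uncommented) bpjava-msvc entry remains in the services or inetd.conf file and the bpjava-msvc binary is no longer present under its original path. Such a check is what keeps the "well documented" workaround verifiable after a later configuration change. The file contents in the sample are constructed, the placeholder binary path is deliberately non-existent, and the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the IAVA checklist or from VERITAS): verify that the
# bpjava-msvc workaround is in effect on a UNIX NetBackup host. Function names
# are this example's own; file contents below are constructed samples.

# Counts active (non-comment) lines that name bpjava-msvc as a whole word in
# the text read from stdin. Zero means the entry is commented out or absent.
active_bpjava_entries() {
    awk '
        /^[ \t]*#/ { next }                         # commented-out entry
        /(^|[ \t])bpjava-msvc([ \t]|$)/ { n++ }     # live services/inetd entry
        END { print n + 0 }'
}

# Verdict for one host. Arguments: services file text, inetd.conf text, and
# the path where the bpjava-msvc binary would normally live. Prints "disabled"
# when every part of the workaround is in place, otherwise "finding".
bpjava_workaround_status() {
    services_text=$1
    inetd_text=$2
    binary_path=$3
    s=$(printf '%s\n' "$services_text" | active_bpjava_entries)
    i=$(printf '%s\n' "$inetd_text" | active_bpjava_entries)
    if [ "$s" -eq 0 ] && [ "$i" -eq 0 ] && [ ! -x "$binary_path" ]; then
        echo "disabled"
        return 0
    fi
    echo "finding"
    return 1
}

# Constructed samples: the state before and after applying the workaround.
SERVICES_BEFORE='ssh             22/tcp
bpjava-msvc     13722/tcp       bpjava-msvc'
SERVICES_AFTER='ssh             22/tcp
# bpjava-msvc     13722/tcp       bpjava-msvc'
INETD_BEFORE='bpjava-msvc stream tcp nowait root /usr/openv/netbackup/bin/bpjava-msvc bpjava-msvc -transient'
INETD_AFTER='# bpjava-msvc stream tcp nowait root /usr/openv/netbackup/bin/bpjava-msvc bpjava-msvc -transient'
# Placeholder path: nothing exists there, standing in for a renamed or deleted binary.
BINARY_PLACEHOLDER=/nonexistent/bpjava-msvc

printf 'before workaround: %s\n' "$(bpjava_workaround_status "$SERVICES_BEFORE" "$INETD_BEFORE" "$BINARY_PLACEHOLDER")"
printf 'after workaround:  %s\n' "$(bpjava_workaround_status "$SERVICES_AFTER" "$INETD_AFTER" "$BINARY_PLACEHOLDER")"

# On a real host:
#   bpjava_workaround_status "$(cat /etc/services)" "$(cat /etc/inetd.conf)" \
#       /usr/openv/netbackup/bin/bpjava-msvc
```

All three conditions have to hold for a "disabled" verdict: re-enabling a single services line, or restoring the binary under its original name, is enough to undo the workaround, which is exactly the inadvertent reversal the mitigation text warns about. The Windows variant of the workaround is not covered by this script.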


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Fix Text: Apply fix as specified on the JTF-GNO NETDefense web site (www.cert.mil)   _____________________________________________________________

Group ID (Vulid): V-11709
Group Title: 2005-A-0041
Rule ID: SV-12206r1_rule
Severity: CAT I
Rule Version (STIG-ID): 2005-A-0041
Rule Title: VERITAS NetBackup Volume Manager Daemon Buffer Overflow Vulnerability


Vulnerability Discussion: Refer to the NetDefense website

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
Check that each product has been updated to version indicated or higher.

NetBackup Enterprise Server/Server 5.0 Maintenance Pack 6 (MP6)
NetBackup Enterprise Server/Server 5.1 Maintenance Pack 4 (MP4)


Fix Text: Apply fix as specified on the JTF-GNO NETDefense web site (www.cert.mil)   _____________________________________________________________

Group ID (Vulid): V-11724
Group Title: 2006-A-0008
Rule ID: SV-12221r1_rule
Severity: CAT I
Rule Version (STIG-ID): 2006-A-0008
Rule Title: Computer Associates (CA) iTechnology iGateway Service Vulnerability


Vulnerability Discussion: 
A new vulnerability has been discovered in the Computer Associates (CA) iTechnology iGateway component. The CA iTechnology iGateway component is present in multiple Computer Associates products including BrightStor, eTrust, and Unicenter. iTechnology is an integration technology, which provides standard web service interfaces to third-party products. The CA iTechnology iGateway component contains a heap overflow condition, which may allow a remote intruder to execute arbitrary code with elevated privileges. This vulnerability exists due to the application's improper handling of boundary checks. This vulnerability affects IBM AIX, HP-UX, Linux, Solaris, and Windows platforms. If successfully exploited, an intruder would be able to execute remote code on Windows platforms or cause a DoS condition against other platforms. The JTF-GNO has not received any reported DoD incidents in regard to this vulnerability. JTF-GNO blocks TCP port 5250.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Fix Text: Apply fix as specified on the JTF-GNO NETDefense web site (www.cert.mil)   _____________________________________________________________

Group ID (Vulid): V-11750
Group Title: 2006-T-0008
Rule ID: SV-12247r1_rule
Severity: CAT II
Rule Version (STIG-ID): 2006-T-0008
Rule Title: HP Color LaserJet 2500/4600 Toolbox Directory Traversal Vulnerability


Vulnerability Discussion: Refer to the NetDefense website


Check Content: 
Verify that the patch has been installed by questioning the SA responsible for the system.

No other information is available.


Fix Text: Apply fix as specified on the JTF-GNO NETDefense web site (www.cert.mil)   _____________________________________________________________

Group ID (Vulid): V-11756
Group Title: 2006-A-0023
Rule ID: SV-12253r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2006-A-0023
Rule Title: Multiple Vulnerabilities in Macromedia Flash


Vulnerability Discussion: Two new vulnerabilities have been identified affecting Adobe Macromedia Flash. Macromedia Flash is a widely distributed application used to create simple motion graphics, video and animation for interactive websites. This application uses plug-in technology which adds a specific feature or service to a larger system such as Macromedia Flash. There are two buffer overflow vulnerabilities that could potentially allow an intruder to execute remote code or cause a Denial of Service (DoS) condition. If remote code execution were successful, the intruder could gain full system access. These vulnerabilities require user interaction.

The JTF-GNO has not received any reports of DoD incidents in regard to these vulnerabilities. However, a public exploit is currently available.

Flash Player Vulnerability CVE-2006-0024
Macromedia Flash versions 8.0.22.0 and earlier are susceptible to multiple unspecified vulnerabilities. The most likely attack vector would be via a website. An intruder would have to create a malicious SWF file that includes executable machine code and replacement memory addresses. The intruder could host this malicious file on a webserver, or send the file to a vulnerable user via email. The Flash Player would likely play the malicious SWF file automatically when the vulnerable system either opens the email or visits the website, depending on file-type associations. If successful, the intruder-supplied executable code would run in the security context of the currently logged in user. If the execution of arbitrary code was unsuccessful, a denial of service condition could occur.

Flash Player Vulnerability CVE-2005-2628
A Flash plug-in is vulnerable to an input-validation error for a critical array index value that can be exploited to execute arbitrary code. Because the application fails to accurately validate the input on this index value (computed using fields from the SWF file), an intruder could specify a function pointer beyond the array bounds. Even though the application code places limits on the value of the index field, these limits are ineffective because the index can be offset beyond the array boundary regardless of the limit already set. An intruder would have to create a malicious SWF file with specific data fields that would result in a correct index value that masks the malicious code. The intruder would have to place shellcode and a pointer to the shellcode in a location that would appear at the correct offset from the array, in the heap memory space of the targeted process. The vulnerable system would then have to download and execute the SWF file. This process could happen automatically on many systems if users visit a website hosting the SWF file. If successful, the intruder could take complete control of the affected system.

In both vulnerabilities, the intruder would have to entice the user to visit the malicious website, click on the link provided in an email, or open the attachment in an email to attempt to compromise a system.


Mitigations: 
Temporary Mitigation

Mitigation Control: 
Temporary Mitigation for CVE-2006-0024 and CVE-2005-2628

Temporarily prevent the Flash Player ActiveX control from running in Internet Explorer for Windows XP SP2

You can help protect against this vulnerability by temporarily preventing the Flash Player ActiveX control from running in Internet Explorer. On Windows XP SP2 use the Internet Explorer Manage Add-ons feature to disable the ActiveX control.

1. Start Internet Explorer.

2. On the Tools menu, click Manage Add-ons.

3. Locate and click on “Shockwave Flash Object”.

4. To disable the add-on, click Disable, and then click OK.

Note: If you cannot locate the ActiveX control then use the drop-down box to switch from “Add-ons currently being used in Internet Explorer” to “Add-ons that have been used by Internet Explorer” and follow steps 3 and 4. If the ActiveX control is not present in this list you either have not used the ActiveX control before or it is not present on your system. See the workaround “Temporarily prevent the Flash Player ActiveX control from running in Internet Explorer” for additional information.

For more information on the Internet Explorer Manage Add-ons feature in Windows XP SP2, see Microsoft Knowledge Base Article 883256.

Impact: Applications and Web sites that require the Flash Player ActiveX control may no longer function correctly. If you implement this workaround it would affect any Flash Player ActiveX control you have installed on your system.

To regain functionality you need to use the Internet Explorer Manage Add-ons feature to enable the ActiveX control.

Temporarily prevent the Flash Player ActiveX control from running in Internet Explorer

Temporarily prevent attempts to instantiate the Flash Player ActiveX control in Internet Explorer by setting the kill bit for the control.

Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

We recommend that you back up the registry before you edit it.

Use the following text to create a .reg file that temporarily prevents attempts to instantiate the Flash Player ActiveX control in Internet Explorer. You can copy the following text, paste it into a text editor such as Notepad, and then save the file with the .reg file name extension. Run the .reg file on the vulnerable client.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags"=dword:00000400

Close Internet Explorer, and reopen it for the changes to take effect.

For detailed steps about stopping a control from running in Internet Explorer, see Microsoft Knowledge Base Article 240797. Follow these steps and create a Compatibility Flags value in the registry to prevent the Flash Player ActiveX control from running in Internet Explorer.

Impact: Applications and Web sites that require the Flash Player ActiveX control may no longer function correctly. If you implement this workaround it would affect any Flash Player ActiveX control you have installed on your system.

To regain functionality, undo the kill bits for the Flash Player ActiveX control by removing the registry keys added to temporarily prevent attempts to instantiate the Flash Player ActiveX control in Internet Explorer.

Modify the Access Control List on the Flash Player ActiveX control to temporarily prevent it from running in Internet Explorer

To modify the Access Control List (ACL) on the Flash Player ActiveX control to be more restrictive, follow these steps:

1. Click Start, click Run, type "cmd" (without the quotation marks), and then click OK.

2. Type the following commands at a command prompt. Make a note of the current file ACLs, including inheritance settings. You may need this list if you have to undo these modifications:

cacls %windir%\system32\Macromed\Flash\flash.ocx
cacls %windir%\system32\Macromed\Flash\swflash.ocx

3. Type the following command at a command prompt to deny the ‘everyone’ group access to this file:

echo y|cacls %windir%\system32\Macromed\Flash\flash.ocx /d everyone
echo y|cacls %windir%\system32\Macromed\Flash\swflash.ocx /d everyone

4. Close Internet Explorer, and reopen it for the changes to take effect.

Impact: Applications and Web sites that require the Flash Player ActiveX control may no longer function correctly. If you implement this workaround it would affect any Flash Player ActiveX control you have installed on your system.

To regain functionality you need to undo the modifications to the Access Control List on the ActiveX control you have on your system.

Un-register the Flash Player ActiveX Control

To un-register the Flash Player ActiveX control, follow these steps:

1. Click Start, click Run, type "regsvr32.exe /u %windir%\system32\Macromed\Flash\flash.ocx" (without the quotation marks), and then click OK.

2. A dialog box confirms that the un-registration process has succeeded. Click OK to close the dialog box.

3. Click Start, click Run, type "regsvr32.exe /u %windir%\system32\Macromed\Flash\swflash.ocx" (without the quotation marks), and then click OK.

4. A dialog box confirms that the unregistration process has succeeded. Click OK to close the dialog box.

5. Close Internet Explorer, and reopen it for the changes to take effect.

Impact: Applications and Web sites that require the Flash Player ActiveX control may no longer function correctly. If you implement this workaround it would affect any Flash Player ActiveX control you have installed on your system.

To reregister the Flash Player ActiveX control, follow these steps:

1. Click Start, click Run, type "regsvr32.exe %windir%\system32\Macromed\Flash\flash.ocx" (without the quotation marks), and then click OK.

2. A dialog box confirms that the registration process has succeeded. Click OK to close the dialog box.

3. Click Start, click Run, type "regsvr32.exe %windir%\system32\Macromed\Flash\swflash.ocx" (without the quotation marks), and then click OK.

4. A dialog box confirms that the registration process has succeeded. Click OK to close the dialog box.

5. Close Internet Explorer, and reopen it for the changes to take effect.

Restrict access to the Macromedia Flash folder by using a Software Restriction Policy

To restrict access to the Macromedia Flash folder (%windir%\system32\Macromed\Flash\) on Windows XP and later versions you can create a Software Restriction Policy. To create this policy, use a registry script or create a Group Policy setting to block the loading of the Flash Player ActiveX control.

For more information about Group Policy, visit the following Microsoft Web sites:

• Step-by-Step Guide to Understanding the Group Policy Feature Set

• Windows 2000 Group Policy

• Group Policy in Windows Server 2003

Note: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Change Keys and Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

We recommend that you back up the registry before you edit it.

Use the following text to create a .reg file to restrict access to the Macromedia Flash folder. You can copy the following text, paste it into a text editor such as Notepad, and then save the file with the .reg file name extension. Run the .reg file on the vulnerable client.

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
"TransparentEnabled"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{2742f840-c2d8-4eb3-a486-0a9d0879f29f}]
"LastModified"=hex(b):10,c3,8a,19,c6,e3,c5,01
"Description"="Block Macromedia Flash"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,77,00,69,00,6e,00,64,00,69,00,72,00,25,00,5c,00,73,00,\
79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6d,00,61,00,63,00,72,00,6f,\
00,6d,00,65,00,64,00,5c,00,66,00,6c,00,61,00,73,00,68,00,5c,00,2a,00,00,00
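To see exactly what the two .reg fragments in this entry enforce (the kill-bit fragment earlier and the Software Restriction Policy fragment just above), here is an added Python helper written for this page; it is example code, not DISA, Microsoft or Adobe code. It parses regedit text, reports any of the three Flash CLSIDs whose Compatibility Flags lack the 0x400 kill bit, and decodes the hex(2) ItemData so the blocked path is readable instead of a run of bytes. The sample text is the page's own .reg content with the "Windows Registry Editor Version 5.00" header that regedit requires; the function names are my own.

```python
"""Audit the kill-bit and Software Restriction Policy .reg fragments.
Added example for this page, not DISA, Microsoft or Adobe code."""
import re

# CLSIDs exactly as they appear in the kill-bit .reg text above.
FLASH_CLSIDS = (
    "{1171A62F-05D2-11D1-83FC-00A0C9089C5A}",
    "{D27CDB6E-AE6D-11cf-96B8-444553540000}",
    "{D27CDB70-AE6D-11cf-96B8-444553540000}",
)
KILL_BIT = 0x400  # bit in "Compatibility Flags" that stops instantiation in IE
ACTIVEX_COMPAT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
SAFER_BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers"

# The page's own .reg text, with the header regedit requires added.
KILL_BIT_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{1171A62F-05D2-11D1-83FC-00A0C9089C5A}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags"=dword:00000400
"""

SRP_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers]
"TransparentEnabled"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers\0\Paths\{2742f840-c2d8-4eb3-a486-0a9d0879f29f}]
"LastModified"=hex(b):10,c3,8a,19,c6,e3,c5,01
"Description"="Block Macromedia Flash"
"SaferFlags"=dword:00000000
"ItemData"=hex(2):25,00,77,00,69,00,6e,00,64,00,69,00,72,00,25,00,5c,00,73,00,\
79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6d,00,61,00,63,00,72,00,6f,\
00,6d,00,65,00,64,00,5c,00,66,00,6c,00,61,00,73,00,68,00,5c,00,2a,00,00,00
"""


def parse_reg(text):
    """Return {key_path_lowercased: {value_name: value}} for regedit 5.00 text.
    Handles dword:, hex(2): (REG_EXPAND_SZ as NUL-terminated UTF-16LE), other
    hex(...) binary values and quoted strings. Key paths are lowercased because
    the registry is case-insensitive."""
    # Fold backslash-continued hex lines back into one logical line.
    text = re.sub(r",\\\s*\r?\n\s*", ",", text)
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            reg.setdefault(current, {})
            continue
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if not m or current is None:
            continue
        name, data = m.group(1), m.group(2)
        if data.startswith("dword:"):
            reg[current][name] = int(data[len("dword:"):], 16)
        elif data.startswith("hex("):
            raw_bytes = bytes(int(b, 16) for b in data.split(":", 1)[1].split(",") if b)
            if data.startswith("hex(2):"):
                reg[current][name] = raw_bytes.decode("utf-16-le").rstrip("\x00")
            else:
                reg[current][name] = raw_bytes
        elif len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            reg[current][name] = data[1:-1]
    return reg


def kill_bit_findings(reg):
    """CLSIDs whose Compatibility Flags do NOT carry the kill bit; each is a finding."""
    missing = []
    for clsid in FLASH_CLSIDS:
        key = (ACTIVEX_COMPAT + "\\" + clsid).lower()
        flags = reg.get(key, {}).get("Compatibility Flags", 0)
        if not flags & KILL_BIT:
            missing.append(clsid)
    return missing


def srp_rules(reg):
    """Return (transparent_enabled, [(description, decoded_path)]).
    The '0' in CodeIdentifiers\\0\\Paths is the Disallowed security level, so each
    path rule under it blocks loading. TransparentEnabled must be 2 for the policy
    to cover DLL/OCX loads (1 checks executables only), which matters here because
    flash.ocx is loaded by Internet Explorer as a library, not run as a program."""
    enabled = reg.get(SAFER_BASE.lower(), {}).get("TransparentEnabled", 0)
    prefix = SAFER_BASE.lower() + "\\0\\paths\\"
    rules = [(v.get("Description", ""), v["ItemData"])
             for k, v in reg.items() if k.startswith(prefix) and "ItemData" in v]
    return enabled, rules


if __name__ == "__main__":
    print("kill bit missing for:", kill_bit_findings(parse_reg(KILL_BIT_REG)) or "none")
    enabled, rules = srp_rules(parse_reg(SRP_REG))
    print("TransparentEnabled =", enabled, "(2 = DLLs covered)")
    for desc, path in rules:
        print("SRP disallow rule:", desc, "->", path)
```

On a live system the same functions can be pointed at `reg export` output for the ActiveX Compatibility and Safer\CodeIdentifiers keys; note that regedit 5.00 exports are UTF-16 text files, so read them with `encoding="utf-16"` before passing them to `parse_reg`.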

Change your Internet Explorer settings to prompt before running ActiveX controls or disable ActiveX controls in the Internet security zone and in the Local intranet security zone

You can help protect against this vulnerability by changing your Internet Explorer settings to prompt before running ActiveX controls. To do this, follow these steps:

1. In Internet Explorer, click Internet Options on the Tools menu.

2. Click the Security tab.

3. Click Internet, and then click Custom Level.

4. Under Settings, in the ActiveX controls and plug-ins section, under Run ActiveX controls and plug-ins, click Prompt or Disable, and then click OK.

5. Click Local intranet, and then click Custom Level.

6. Under Settings, in the ActiveX controls and plug-ins section, under Run ActiveX controls and plug-ins, click Prompt or Disable, and then click OK.

7. Click OK two times to return to Internet Explorer.

Impact: There are side effects to prompting before running ActiveX controls. Many Web sites that are on the Internet or on an intranet use ActiveX to provide additional functionality. For example, an online e-commerce site or banking site may use ActiveX controls to provide menus, ordering forms, or even account statements. Prompting before running ActiveX controls is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run ActiveX controls. If you do not want to be prompted for all these sites, use the following method:

Restrict Web sites to only your trusted Web sites.

After you set Internet Explorer to require a prompt before it runs ActiveX controls and Active Scripting in the Internet zone and in the Local intranet zone, you can add sites that you trust to Internet Explorer's Trusted sites zone. This will allow you to continue to use trusted Web sites exactly as you do today, while helping to protect you from this attack on untrusted sites. We recommend that you add only sites that you trust to the Trusted sites zone.

To do this, follow these steps:

1. In Internet Explorer, click Tools, click Internet Options, and then click the Security tab.

2. In the Select a Web content zone to specify its current security settings box, click Trusted Sites, and then click Sites.

3. If you want to add sites that do not require an encrypted channel, click to clear the Require server verification (https:) for all sites in this zone check box.

4. In the Add this Web site to the zone box, type the URL of a site that you trust, and then click Add.

5. Repeat these steps for each site that you want to add to the zone.

6. Click OK two times to accept the changes and return to Internet Explorer.

Add any sites that you trust not to take malicious action on your computer. Two in particular that you may want to add are "*.windowsupdate.microsoft.com" and "*.update.microsoft.com" (without the quotation marks). These are the sites that host the update, and they require an ActiveX control to install it.

Set Internet and Local intranet security zone settings to “High” to prompt before running ActiveX controls in these zones

You can help protect against this vulnerability by changing your settings for the Internet security zone to prompt before running ActiveX controls. You can do this by setting your browser security to High.

To raise the browsing security level in Microsoft Internet Explorer, follow these steps:

1. On the Internet Explorer Tools menu, click Internet Options.

2. In the Internet Options dialog box, click the Security tab, and then click the Internet icon.

3. Under Security level for this zone, move the slider to High. This sets the security level for all Web sites you visit to High.

Note: If no slider is visible, click Default Level, and then move the slider to High.

Note: Setting the level to High may cause some Web sites to work incorrectly. If you have difficulty using a Web site after you change this setting, and you are sure the site is safe to use, you can add that site to your list of trusted sites. This will allow the site to work correctly even with the security setting set to High.

Impact: There are side effects to prompting before running ActiveX controls. Many Web sites that are on the Internet or on an intranet use ActiveX to provide additional functionality. For example, an online e-commerce site or banking site may use ActiveX controls to provide menus, ordering forms, or even account statements. Prompting before running ActiveX controls is a global setting that affects all Internet and intranet sites. You will be prompted frequently when you enable this workaround. For each prompt, if you feel you trust the site that you are visiting, click Yes to run ActiveX controls. If you do not want to be prompted for all these sites, use the following method:

Remove the Flash Player from your system

If you want to remove Flash Player, refer to the Adobe Flash Player Support FAQ for instructions.

To regain functionality you need to install the Flash Player ActiveX control from the Adobe Web site.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
Upgrade or apply a patch as specified by the vendor.
Upgrade Flash Player to version 8.0.24.0 or 7.0.63.0

Verify that Flash Player has been updated to the appropriate version by checking the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Macromedia\Flashplayer\CurrentVersion

Windows XP has a Microsoft Patch that can be verified by checking that the following file is at the version indicated or later:
Geninst.exe - 6.0.2800.1544


Fix Text: Apply appropriate vendor patch or upgrade.   _____________________________________________________________

Group ID (Vulid): V-11805
Group Title: 2006-T-0013
Rule ID: SV-12303r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2006-T-0013
Rule Title: RealVNC Remote Authentication Bypass Vulnerability


Vulnerability Discussion: A new vulnerability exists in RealVNC (Virtual Network Computing). RealVNC is an application that allows users to access computers remotely. This vulnerability exists due to the application's failure to validate the proper requested authentication method provided by a remote user. This vulnerability could allow a remote intruder to gain full control of the VNC server session.

Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
Windows

Verify that the VNC 4.1.x has been upgraded to version 4.1.2
Verify that the VNC 4.2 has been upgraded to version 4.2.3

Search for the following file and check the version number:

Winvnc4.exe





Check Content: 
To determine if the VNC software is installed on a UNIX system, perform the following command:

# find / -name vncserver -print

If the software is found, after determining the binary is not a trojan, perform the following as a non-privileged user to retrieve the version information:

# vncserver -help

This will display the version on the first line returned. If the version is not at least 4.2.3, this is a finding.
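Both the Flash Player check above (fixed in 8.0.24.0 or 7.0.63.0, one floor per branch) and the two RealVNC checks (4.1.x fixed in 4.1.2 and 4.2 in 4.2.3 on Windows, at least 4.2.3 on UNIX) reduce to comparing an installed version against a branch-specific floor. The following is an added Python example written for this page, not DISA's or either vendor's code; it compares versions field by field rather than as strings, picks the floor by branch, and applies the UNIX check to a constructed `vncserver -help` banner (the real wording may differ; the page only says the version is on the first line). Function names and the sample banner are my own.

```python
"""Branch-aware numeric version-floor checks for the Flash Player and RealVNC
entries. Added example for this page, not DISA's or any vendor's code."""
import re

# Floors taken from the check content: {branch prefix: minimum fixed version}.
FLASH_FLOORS = {"8": "8.0.24.0", "7": "7.0.63.0"}
VNC_WINDOWS_FLOORS = {"4.1": "4.1.2", "4.2": "4.2.3"}
VNC_UNIX_MIN = "4.2.3"  # the UNIX check states a single floor

# Constructed sample of "vncserver -help" output (assumption: wording is illustrative).
SAMPLE_VNCSERVER_HELP = """VNC Server 4.1.1 (constructed sample banner)
usage: vncserver [:<number>] [-name <desktop-name>] [-geometry <width>x<height>]
"""


def parse_version(s):
    """'8.0.24.0' -> (8, 0, 24, 0). Also accepts '8,0,24,0'; letters are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", s))


def version_at_least(installed, minimum):
    """Field-by-field comparison, zero-padded so that 4.2 == 4.2.0.
    String comparison gets this wrong: '8.0.9.0' > '8.0.24.0' is True as text."""
    a, b = parse_version(installed), parse_version(minimum)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) >= b + (0,) * (n - len(b))


def branch_finding(installed, floors):
    """Return None when compliant, otherwise a finding string.
    The floor applied is the longest branch prefix that matches the installed
    version. Assumption: a version on a branch with no listed fix is returned
    for manual review rather than silently passed."""
    iv = parse_version(installed)
    match = None
    for branch, minimum in floors.items():
        bv = parse_version(branch)
        if iv[:len(bv)] == bv and (match is None or len(bv) > len(parse_version(match[0]))):
            match = (branch, minimum)
    if match is None:
        return f"{installed}: no fixed release listed for this branch, review manually"
    if not version_at_least(installed, match[1]):
        return f"{installed}: below required {match[1]}"
    return None


def version_from_first_line(output):
    """First dotted version number on the first line of a tool's output."""
    first = output.splitlines()[0] if output.strip() else ""
    m = re.search(r"\d+(?:\.\d+)+", first)
    return m.group(0) if m else None


def vnc_unix_finding(help_output):
    """Apply the UNIX check: read the version from 'vncserver -help', require >= 4.2.3."""
    ver = version_from_first_line(help_output)
    if ver is None:
        return "could not read a version from the first line of output"
    if not version_at_least(ver, VNC_UNIX_MIN):
        return f"{ver}: below required {VNC_UNIX_MIN}"
    return None


if __name__ == "__main__":
    for v in ("7.0.61.0", "7.0.63.0", "8.0.22.0", "8.0.24.0"):
        print("Flash", v, "->", branch_finding(v, FLASH_FLOORS) or "compliant")
    for v in ("4.1.1", "4.1.2", "4.2.2", "4.2.3"):
        print("WinVNC", v, "->", branch_finding(v, VNC_WINDOWS_FLOORS) or "compliant")
    print("VNC UNIX sample ->", vnc_unix_finding(SAMPLE_VNCSERVER_HELP) or "compliant")
```

The Flash CurrentVersion registry value and the Winvnc4.exe file version can be fed to `branch_finding` as read; `parse_version` tolerates comma or dot separators and trailing letters, which is what makes the comparison safe across the different ways these products report their version.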

  _____________________________________________________________

Group ID (Vulid): V-13605
Group Title: 2007-A-0013
Rule ID: SV-14179r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2007-A-0013
Rule Title: Trend Micro Antivirus UPX Compressed PE File Buffer Overflow Vulnerability


Vulnerability Discussion: A new vulnerability has been discovered in several Trend Micro AntiVirus products. The Trend Micro AntiVirus suite is widely used to provide antivirus capabilities to desktop, server, and gateway systems. This vulnerability exists due to the scan engine failing to properly validate data. This could allow an attacker to execute malicious code with elevated privileges, which could result in complete compromise of the affected system. Failed exploitation attempts could result in a Denial of Service condition. This vulnerability affects all Trend Micro products and versions utilizing the Scan Engine and Pattern File technology.

Client software is not provided as part of the Trend Micro DoD Enterprise Solution.

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
Windows - Upgrade to pattern file 4.245.00 or later.


Check Content: 
Unix - Solaris

Determine the version of the Trend Micro software

# /opt/trend/imss/script/vscan.sh /opt/trend/imss/temp anyexistfile | grep VSAP

Upgrade to non-vulnerable version of affected product.
  _____________________________________________________________

Group ID (Vulid): V-14480
Group Title: 2007-A-0038
Rule ID: SV-15098r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2007-A-0038
Rule Title: Symantec AntiVirus Malformed CAB and RAR Compression Remote Vulnerabilities


Vulnerability Discussion: Symantec has reported two vulnerabilities associated with the Symantec Antivirus Engine's Decomposer component. This component is used to decompose certain types of archive content while scanning for malicious code. The Symantec AntiVirus scan engine is implemented in numerous antivirus products from Symantec including Norton AntiVirus, Mail Security, Web Security and others. To exploit these vulnerabilities, the attacker could create a maliciously-crafted file, then have a vulnerable system scan the file. In order to have an affected system scan the malicious file, the attacker could email the file to an email gateway or specific email addresses, or host the malicious file on a web site and entice a user to open the file. Exploitation of these vulnerabilities may occur without user interaction on systems configured to automatically scan email content, such as email gateways. The successful exploitation of these vulnerabilities would result in the execution of arbitrary code with full administrative rights or a denial of service of the system.

The JTF-GNO has not received any reports of DoD incidents related to these vulnerabilities. At this time, there are no known exploits publicly or privately available.
CAB Parsing Heap Overflow Vulnerability (CVE-2007-0447):
This vulnerability exists due to a boundary error within Symantec Decomposer component while handling/scanning multiple maliciously formatted CAB archives. The vulnerability exists because the parsing routine implicitly trusts certain user-supplied values that can result in an exploitable heap corruption. A malicious .CAB file could be crafted to exploit the vulnerability and may consist of arbitrary code, replacement memory addresses, and possibly NOP instructions.

RAR File Parsing DoS Vulnerability (CVE-2007-3699):
This vulnerability is due to an input validation error within the Symantec Decomposer component while handling RAR archives. The specific vulnerability resides in a forged PACK_SIZE field of a RAR file header. By setting this field to a specific value an infinite loop denial of service condition will occur when the scanner processes the file. When the affected applications process a malicious .RAR file, the system either crashes or enters into an infinite loop, denying service to legitimate users.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
Verify that the vendor upgrade has been applied. Versions should be updated as specified below:

Symantec AntiVirus Corporate Edition - Version 10.x TO 10.1 MR5 MP1 (build 10.1.5.5010)


Symantec AntiVirus Corporate Edition - Version 8.x, 9.x TO 9.0 MR6-MP1 (build 9.0.6.1100)


Symantec Client Security - Version 3.x TO 3.1 MR5 MP1 (build 3.1.5.5010)


Symantec Client Security - Version 1.x, 2.x TO 2.0 MR6-MP1 (build 2.0.6.1100)


Symantec Mail Security - Version 8200 TO 5.0.0.24


Symantec Mail Security for Microsoft Exchange - Version 4.6.7 and earlier TO 4.6.8.120


Symantec Mail Security for Microsoft Exchange - Version 5.0.4 and earlier TO 5.0.5 and higher


Symantec Mail Security for Microsoft Exchange - Version 6.0.0 TO 6.0.1 or later


Symantec Scan Engine - Version 5.0.1 and earlier TO 5.1.4.24


Symantec Antivirus Scan Engine - Version 4.1.8 and earlier TO 4.3.18.43


Symantec Antivirus Scan Engine - Version 4.3.12 and earlier TO 4.3.17 or later


Symantec Web Security - Version 3.0.1.76 and earlier TO 3.0.1.85


Symantec Web Security for Microsoft ISA 2004 - Version 5.0 TO 5.0.3


Symantec Mail Security for SMTP - Version 5.0.0 Windows - apply patch 179


Symantec Mail Security for SMTP - Version 5.0.1 - apply patch 181


Symantec Mail Security for SMTP - Version 4.1.15 and earlier TO 4.1.16


Symantec Brightmail AntiSpam - Version 4.x, 5.5, 6.0.x TO 6.0.5


Symantec Mail Security for Domino NT - Version 4.1.5 and earlier TO 4.1.9.37


Symantec Mail Security for Domino NT - Version 5.1.2.28 and earlier TO 5.1.4.32


Symantec Gateway Security 1600 Series - Version 3.0.1 TO Update F


Symantec Gateway Security 5000 Series - Version 3.0.1 TO Update F


Symantec Gateway Security 5400 Series - Version 2.0.1 TO 3.0.1 Update F


Check Content: 
Determine the version of the Symantec software
Review content here:
http://www.symantec.com/avcenter/security/Content/2007.07.11f.html

[editor's note: there is a large list of impacted products and their associated version numbers, this did not format well to this spreadsheet, instead please review the content listed at the URL above]

Upgrade or patch to non-vulnerable version of affected product.
  _____________________________________________________________

Group ID (Vulid): V-14842
Group Title: 2007-T-0033
Rule ID: SV-15610r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2007-T-0033
Rule Title: Hewlett-Packard Openview Multiple Remote Buffer Overflow Vulnerabilities


Vulnerability Discussion: Hewlett-Packard (HP) has reported a new vulnerability affecting multiple HP Openview products. HP Openview is a suite of software applications which allow large-scale system and network management of an organization's IT assets. Successful exploitation of this vulnerability would allow an attacker to execute remote code with administrative rights. To exploit this vulnerability, an attacker would have to send specific maliciously-crafted packets to an affected system.

At this time, there are no known exploits available; JTF-GNO is not aware of any DoD incidents related to this vulnerability.
HP OpenView is a network-management application available for multiple operating platforms. OVTrace Shared Trace Service is used to log the actions of OpenView components for debugging potential problems. HP OpenView applications are prone to a remote stack-based buffer-overflow vulnerability because they fail to perform adequate boundary checks on user-supplied input. The 'ovtrcsvc.exe' service on TCP port 5053 and the 'OVTrace.exe' service on TCP port 5051 are affected by this vulnerability. The vulnerability may be triggered by sending malformed data to various opcode handlers, including 0x1a and 0x0f. Attackers can exploit this vulnerability to execute arbitrary code with superuser privileges.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
Windows - Apply appropriate hotfix or upgrade to a non-vulnerable version. See vendor bulletins for details. Interview the SA to determine if affected products are installed and have been patched.

Affected Products:
HP OpenView Internet Service (OVIS) v6.00, v6.10, v6.11 (Japanese), v6.20
running HP OpenView Cross Platform Component (XPL) vB.60.81.00, vB.60.90.00,
and vB.61.90.000 on Windows

HP OpenView Performance Manager (OVPM) 5.x and 6.x running on Windows (2000, 2003 and Windows XP).

HP OpenView Performance Agent (OVPA) 4.5 and 4.6 running on Windows (2000, 2003 and XP).

HP OpenView Reporter 3.7 running on Windows (2000, 2003, XP).

HP OpenView OVO Agents OVO8.x HTTPS agents on Windows.

HP OpenView Operations Manager for Windows (OVOW) v7.5 with the OpenView
Operations (OVO) add on module for OpenView Operations-Business Availability
Center (OVO-BAC) integration running Shared Trace Service.

HP OpenView Quality Manager (OV SQM) v1.2 SP1, v1.3, v1.40 running HP
OpenView Cross Platform Component (XPL) 2.60.041, 2.61.060 and 2.61.110 on
Windows

HP OpenView Network Node Manager (OV NNM) v6.41, v7.01, v7.50, v7.51 running
XPL earlier than 03.10.040 on Windows NT, Windows 2000, Windows XP

HP OpenView Business Process Insight (OVBPI), HP Business Process Insight
(HPBPI), HP OpenView Service Desk Process Insight (SDPI), and HP Service
Desk Process Insight (HPSDPI) versions 1.0, 1.1x, 2.0x and 2.10x on Windows
running Shared Trace Service from the HP OpenView Cross Platform Component
prior to v3.10.040.

HP OpenView Dashboard v2.01 running HP OpenView Cross Platform Component
(XPL) vB.60.90.00 and vB.61.90.000 on Windows.

HP OpenView Performance Insight (OVPI) v5.0, v5.1, v5.1.1, v5.1.2, v5.2
running HP OpenView Cross Platform Component (XPL) earlier than v3.10.040 on
Windows

HP Security Advisories

HP OpenView Internet Service (OVIS) Running Share (HP) HP
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01106515

HP OpenView Performance Manager (OVPM) Running Sh (HP) HP
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01109171

HP OpenView Performance Agent (OVPA) Running Shar (HP) HP
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01109584

HP OpenView Reporter Running Shared Trace Service (HP) HP
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01109617

HP OpenView Operations (OVO) Agents Running Share (HP) HP
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01110576

HP OpenView Operations Manager for Windows (OVOW) (HP) HP
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01110627

HP OpenView Service Quality Manager (OV SQM) Runn (HP) HP
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01111851

HP OpenView Network Node Manager (OV NNM) Running (HP) HP
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01112038

HP OpenView Business Process Insight and Related (HP) HP
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01114023

HP OpenView Dashboard Running Shared Trace Servic (HP) HP
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01114156

HP OpenView Performance Insight (OVPI) Running Sh (HP) HP
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01115068



Check Content: 
Download and apply the appropriate patches from the vendor. See the IAVM notice and vendor bulletin for additional information.

Vulnerable Applications/Systems:
HP OpenView Internet Service (OVIS) v6.00, v6.10, v6.11 (Japanese), v6.20 running HP OpenView Cross Platform Component (XPL) vB.60.81.00, vB.60.90.00, and vB.61.90.000 on HP-UX, Linux, Solaris, and Windows

HP OpenView Performance Manager (OVPM) 5.x and 6.x running on HP-UX PA-RISC and IPF (B.11.11,B.11.23), Solaris (5.7, 5.8, 5.9), Windows (2000, 2003 and Windows XP).

HP OpenView Performance Agent (OVPA) 4.5 and 4.6 running on AIX (5L,5.1,5.2(Power3,4),5.3), HP Tru64 UNIX (5.1A,5.1B), HP-UX (B.11.11,B.11.23), Linux: Debian Linux (3.0 and later), Redhat Linux (AS/ES/WS 2.1 and later), SuSE (9.0 and later), Turbo Linux (8.x and later), Solaris (5.7, 5.8, 5.9,10), Windows (2000,2003 and XP).

HP OpenView Reporter 3.7 running on Windows (2000, 2003, XP).

HP OpenView OVO Agents OVO8.x HTTPS agents on AIX, HP-UX (IA and PA), Solaris, and Windows.

HP OpenView Operations Manager for Windows (OVOW) v7.5 with the OpenView Operations (OVO) add on module for OpenView Operations-Business Availability Center (OVO-BAC) integration running Shared Trace Service.

HP OpenView Quality Manager (OV SQM) v1.2 SP1, v1.3, v1.40 running HP OpenView Cross Platform Component (XPL) 2.60.041, 2.61.060 and 2.61.110 on HP-UX and Windows

HP OpenView Network Node Manager (OV NNM) v6.41, v7.01, v7.50, v7.51 running XPL earlier than 03.10.040 on HP-UX, Solaris, Windows NT, Windows 2000, Windows XP, and Linux

HP OpenView Business Process Insight (OVBPI), HP Business Process Insight (HPBPI), HP OpenView Service Desk Process Insight (SDPI), and HP Service Desk Process Insight (HPSDPI) versions 1.0, 1.1x, 2.0x and 2.10x on Windows running Shared Trace Service from the HP OpenView Cross Platform Component prior to v3.10.040.

HP OpenView Dashboard v2.01 running HP OpenView Cross Platform Component (XPL) vB.60.90.00 and vB.61.90.000 on Windows, Solaris and HP-UX.

HP OpenView Performance Insight (OVPI) v5.0, v5.1, v5.1.1, v5.1.2, v5.2 running HP OpenView Cross Platform Component (XPL) earlier than v3.10.040 on HP-UX Precision Architecture (PA), HP-UX Itanium (IA), Linux, Solaris, and Windows


Interview the SA to determine if patch has been installed.
  _____________________________________________________________

Group ID (Vulid): V-15376
Group Title: 2007-B-0035
Rule ID: SV-16196r1_rule
Severity: CAT II
Rule Version (STIG-ID): 2007-B-0035
Rule Title: Multiple RealPlayer Remote Code Execution Vulnerabilities


Vulnerability Discussion: Real Networks has reported multiple vulnerabilities affecting RealPlayer and HelixPlayer, which are applications that allow users to play various media formats on Linux, Mac, and Windows platforms. Successfully exploiting any of these vulnerabilities will allow an attacker to execute arbitrary code within the context of the application; for some of them, that is the application that invoked the ActiveX control (typically Microsoft Internet Explorer). Failed exploit attempts will result in a denial-of-service condition. To exploit these vulnerabilities, an attacker would have to entice a user of an affected system to view a webpage which hosts a maliciously crafted file.
At this time, there is a proof of concept for one of these vulnerabilities; JTF-GNO is not aware of any DoD incidents related to these vulnerabilities.
RealPlayer File Parsing Routines Multiple Vulnerabilities (CVE-2007-5080, CVE-2007-5081, CVE-2007-2264, CVE-2007-4599):
RealPlayer is prone to multiple memory-corruption vulnerabilities caused by errors in the file-parsing functions. To exploit these vulnerabilities, a remote attacker would create a maliciously crafted MOV, MP3, RM, RAM, or PLS file, and then entice an unsuspecting user to open the malicious file using a vulnerable application. When the application processes the data, the attacker-supplied code runs within the affected application or causes a denial of service situation.

RealPlayer SWF File Processing Remote Code Execution Vulnerability (CVE-2007-2263):
RealPlayer is prone to a buffer-overflow vulnerability because it fails to perform adequate boundary checks on user-supplied data. This particular problem occurs in the SWF rendering ActiveX control, because the ActiveX control fails to handle malformed record headers. The ActiveX control for this vulnerability is identified by the following CLSID {CFCDAA03-8BE4-11cf-B84B-0020AFBBCCFA}. To exploit this vulnerability, an attacker would create a maliciously crafted file and host it on a webpage. The attacker would then entice an unsuspecting victim to visit this webpage using the affected ActiveX control. When the page is processed, memory becomes corrupted and the attacker-supplied code runs in the context of the application. The successful exploitation of this vulnerability would allow an attacker to execute arbitrary code within the context of the application that invoked the ActiveX control (typically Internet Explorer). Failed exploit attempts will result in a denial-of-service condition.

RealPlayer/HelixPlayer ParseWallClockValue Function Buffer Overflow Vulnerability (CVE-2007-3410):
RealPlayer and HelixPlayer are prone to a buffer-overflow vulnerability because the applications fail to bounds-check user-supplied data before copying it into an insufficiently sized buffer. This problem occurs in the 'parseWallClockValue()' function when parsing 'HH:mm:ss.f' time format. The ActiveX control associated with RealPlayer is identified with the following CLSID:{CFCDAA03-8BE4-11cf-B84B-0020AFBBCCFA}. To exploit this vulnerability, an attacker would construct a maliciously crafted SMIL file, which can be hosted on a webpage. The attacker would then entice an unsuspecting user to visit a webpage with an application using the affected ActiveX control. When the page is processed, memory becomes corrupted and the attacker-supplied code runs in the context of the application using the ActiveX control (typically Internet Explorer). Failed exploit attempts likely result in denial-of-service conditions. A proof-of-concept exists for this vulnerability.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
Windows - Download and apply the appropriate patches from the vendor.

Check the application's version number using the Help, About menu.

Vulnerable versions:

RealOne Player v1, v2
RealPlayer 8
RealPlayer 10
RealPlayer 10.5 (6.0.12.1040-6.0.12.1578, 6.0.12.1698, 6.0.12.1741)
RealPlayer Enterprise


Check Content: 
Linux only:
Linux RealPlayer 10 (10.0.5 - 10.0.8)
Helix Player (10.0.5 - 10.0.8)

Ask the SA if RealPlayer or Helix is installed and if so, verify the Player version.
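A way to perform the Linux check above against the system's package database, as an added example that is not part of this IAVM record or of RealNetworks' guidance. It assumes the players were installed from RPM under the package names RealPlayer and HelixPlayer (adjust for local package names) and compares the RPM version field against the 10.0.5 - 10.0.8 range numerically, field by field, so that a release such as 10.0.10 is not mistaken for a vulnerable one by a plain string comparison.

```shell
#!/bin/sh
# Added example, not from the IAVM record: flag RealPlayer or Helix Player RPMs
# whose version lies in the vulnerable 10.0.5 - 10.0.8 range.
# Assumption: package names RealPlayer and HelixPlayer (adjust for local RPMs).

VULN_LOW=10.0.5
VULN_HIGH=10.0.8

# vercmp A B: print -1, 0 or 1 for A < B, A = B, A > B, comparing each
# dot-separated field as a number (so 10.0.10 sorts after 10.0.8).
vercmp() {
    printf '%s %s\n' "$1" "$2" | awk '{
        n1 = split($1, a, "."); n2 = split($2, b, ".")
        n = (n1 > n2) ? n1 : n2
        for (i = 1; i <= n; i++) {
            x = (i <= n1) ? a[i] + 0 : 0
            y = (i <= n2) ? b[i] + 0 : 0
            if (x < y) { print "-1"; exit }
            if (x > y) { print "1"; exit }
        }
        print "0"
    }'
}

# version_vulnerable V: succeed (exit 0) when VULN_LOW <= V <= VULN_HIGH.
version_vulnerable() {
    [ "$(vercmp "$1" "$VULN_LOW")" -ge 0 ] && [ "$(vercmp "$1" "$VULN_HIGH")" -le 0 ]
}

# check_players: query RPM for each player and report; exit 0 when a finding
# exists, 1 when neither package is installed at a vulnerable version.
check_players() {
    finding=1
    for pkg in RealPlayer HelixPlayer; do
        # rpm exits non-zero (and prints to stderr) when the package is absent
        ver=$(rpm -q --qf '%{VERSION}\n' "$pkg" 2>/dev/null) || continue
        if version_vulnerable "$ver"; then
            echo "FINDING: $pkg $ver is within $VULN_LOW - $VULN_HIGH"
            finding=0
        else
            echo "OK: $pkg $ver is outside $VULN_LOW - $VULN_HIGH"
        fi
    done
    return "$finding"
}

if [ "${1:-}" = "--run" ]; then
    check_players
fi
```

Run it as `sh check_player.sh --run` on the host being reviewed; a non-zero exit with no FINDING lines means neither package is installed at a vulnerable version. Players installed from a tarball rather than RPM are not seen by this check and still need the manual version review.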

  _____________________________________________________________

Group ID (Vulid): V-15755
Group Title: 2008-B-0020
Rule ID: SV-16694r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2008-B-0020
Rule Title: Multiple Symantec Decomposer Denial of Service Vulnerabilities


Vulnerability Discussion: Symantec has reported one denial-of-service vulnerability and one buffer overflow vulnerability that could allow arbitrary code execution in the Decomposer component of the Symantec AntiVirus engine. This component unpacks certain types of archive content while scanning for malicious code. The Symantec AntiVirus scan engine is implemented in numerous Symantec products, including Norton AntiVirus, Mail Security, Web Security and others. To exploit these vulnerabilities, an attacker would send a maliciously crafted file to an affected system and entice an unsuspecting user to open it. When the affected application scans the file, memory is corrupted and the attacker's code is executed. Exploitation may occur without user interaction on systems configured to automatically scan email content, such as email gateways. Successful exploitation results in the execution of arbitrary code in the context of the current user; failed exploits could result in a denial of service.

The JTF-GNO has not received any reports of DoD incidents related to these vulnerabilities. At this time, there are no known exploits available.
Symantec Scan Engine 5.1.2 RAR File Denial of Service Vulnerability (CVE-2008-0308)
Remote exploitation of a Denial of Service vulnerability in Symantec Scan Engine version 5.1.2 could allow an unauthenticated attacker to create a denial of service (DoS) condition. Symantec Scan Engine listens on TCP port 1344 to accept files for scanning using the Internet Content Adaptation Protocol (ICAP). If the service is sent a malformed RAR file, the service will consume massive amounts of memory. This can result in a denial of service condition for the application and operating system.

Symantec Scan Engine 5.1.2 RAR File Buffer Overflow Vulnerability (CVE-2008-0309)
Remote exploitation of a stack-based buffer overflow vulnerability in Symantec Scan Engine version 5.1.2 could allow an unauthenticated attacker to execute arbitrary code with the privileges of the scan engine process. Symantec Scan Engine listens on TCP port 1344 to accept files for scanning using the Internet Content Adaptation Protocol (ICAP). If the service is sent a specially malformed RAR file, a stack-based buffer overflow occurs; a successful attack runs attacker-supplied code with the scan engine's privileges, and a failed attempt crashes the service, causing a denial-of-service condition.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
Apply Symantec patch or upgrade to a non-vulnerable version.

Download and apply the appropriate patches from the JTF-GNO AntiVirus website:
https://www.jtfgno.mil/antivirus/symantec.htm

Affected Products

Symantec AntiVirus for Network Attached Storage
Versions 4.3.16.39 and earlier - All Builds - Update to 4.3.18.43

Symantec AntiVirus Scan Engine
Versions 4.3.16.39 and earlier - All Builds - Update to 4.3.18.43

Symantec AntiVirus Scan Engine for Caching
Versions 4.3.16.39 and earlier - All Builds - Update to 4.3.18.43

Symantec AntiVirus Scan Engine for Clearswift
Versions 4.3.16.39 and earlier - All Builds - Update to 4.3.18.43

Symantec AntiVirus Scan Engine for Messaging
Versions 4.3.16.39 and earlier - All Builds - Update to 4.3.18.43

Symantec AntiVirus Scan Engine for MS ISA
Versions 4.3.16.39 and earlier - All Builds - Update to 4.3.18.43

Symantec AntiVirus Scan Engine for MS SharePoint
Versions 4.3.16.39 and earlier - All Builds - Update to 4.3.18.43

Symantec Mail Security for Microsoft Exchange
Versions 4.6.5.12 and earlier - All Builds - Update to 4.6.8.120
Versions 5.0.4.363 and earlier - All Builds - Update to 5.0.6.368

Symantec Scan Engine
Versions 5.1.4.24 and earlier - All Builds - Update to 5.1.6.31

Note: Only currently supported Symantec Products are being updated.
Customers using unsupported versions are encouraged to upgrade to a supported version.


Check Content: 
Determine the version of the Symantec software

Affected Products:
Symantec AntiVirus for Network Attached Storage 4.3.16.39 and earlier
Symantec AntiVirus Scan Engine 4.3.16.39 and earlier
Symantec AntiVirus Scan Engine for Caching 4.3.16.39 and earlier
Symantec AntiVirus Scan Engine for Clearswift 4.3.16.39 and earlier
Symantec AntiVirus Scan Engine for Messaging 4.3.16.39 and earlier
Symantec AntiVirus Scan Engine for MS ISA 4.3.16.39 and earlier
Symantec AntiVirus Scan Engine for MS SharePoint 4.3.16.39 and earlier
Symantec AntiVirus/Filtering for Domino MPE (AIX, Linux, Solaris) below 3.2.2
Symantec Mail Security for Microsoft Exchange 4.6.5.12 and earlier
Symantec Mail Security for Microsoft Exchange 5.0.4.363 and earlier
Symantec Scan Engine 5.1.4.24 and earlier

Upgrade or patch to non-vulnerable version of affected product.
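An interim control this record does not mention, added here as an example and not taken from Symantec's guidance: until the Decomposer fix is applied, hold RAR archives back from the scan engine, recognising them by the RAR marker block in their first bytes rather than by file extension, because a renamed .rar would otherwise still reach the decomposer. It assumes the files to inspect sit in a directory (for example a mail gateway's attachment spool, a constructed scenario for the example) and that QUARANTINE is a placeholder path to adjust locally.

```shell
#!/bin/sh
# Added example, not from the IAVM record or from Symantec: identify RAR
# archives by signature and move them aside before the unpatched Decomposer
# sees them. QUARANTINE is a placeholder; the spool directory is passed as $1.

QUARANTINE=${QUARANTINE:-/var/spool/quarantine}

# is_rar FILE: succeed when FILE starts with a RAR marker block.
#   RAR 1.5 - 4.x: 52 61 72 21 1A 07 00      ("Rar!" 0x1A 0x07 0x00)
#   RAR 5.0:       52 61 72 21 1A 07 01 00
# The file name is deliberately ignored; only the bytes decide.
is_rar() {
    sig=$(head -c 8 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')
    case "$sig" in
        526172211a0700*)  return 0 ;;
        526172211a070100) return 0 ;;
        *)                return 1 ;;
    esac
}

# count_rars DIR: print how many regular files in DIR carry a RAR marker.
count_rars() {
    n=0
    for f in "$1"/*; do
        [ -f "$f" ] && is_rar "$f" && n=$((n + 1))
    done
    echo "$n"
}

# quarantine_rars DIR: move every RAR-signature file in DIR to $QUARANTINE,
# printing each path moved; succeed when at least one file was moved.
quarantine_rars() {
    moved=1
    mkdir -p "$QUARANTINE" || return 1
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if is_rar "$f"; then
            mv -- "$f" "$QUARANTINE"/ && { echo "quarantined: $f"; moved=0; }
        fi
    done
    return "$moved"
}

if [ -d "${1:-}" ]; then
    quarantine_rars "$1"
fi
```

Files held this way still need a decision (release after patching, or deletion), so the quarantine directory should be reviewed as part of the patch rollout rather than left to grow. The signature check only covers RAR archives delivered as-is; a RAR nested inside another container the Decomposer unpacks first is not caught at this layer.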
  _____________________________________________________________

Group ID (Vulid): V-15935
Group Title: 2008-T-0010
Rule ID: SV-16877r1_rule
Severity: CAT II
Rule Version (STIG-ID): 2008-T-0010
Rule Title: CA BrightStor ARCserve Backup ListCtrl ActiveX Control Buffer Overflow Vulnerability


Vulnerability Discussion: Computer Associates has reported an ActiveX control vulnerability affecting BrightStor ARCserve Backup for Laptops and Desktops. BrightStor ARCserve is a backup and data retention tool that integrates with other BrightStor Data Availability and BrightStor Storage Management solutions. The products provide backup and restore protection for multiple operating systems and applications. To exploit this vulnerability, an attacker would host a website and entice an unsuspecting user to visit the malicious HTML page that triggers the buffer overflow. The successful exploitation of this vulnerability would allow an unauthenticated remote attacker to execute arbitrary code on an affected system with the privileges of the current user.

At this time, there are known exploits associated with this vulnerability circulating in the wild, but the JTF-GNO is not aware of any DoD related incidents. A stack-based buffer overflow vulnerability exists in the ListCtrl ActiveX Control (ListCtrl.ocx), as used in multiple CA products including BrightStor ARCserve Backup R11.5, Desktop Management Suite r11.1 through r11.2, and Unicenter products r11.1 through r11.2. The vendor has recommended the following steps to determine if the user's system (Windows) is affected:
1. Using Windows Explorer, locate the file "ListCtrl.ocx". By default, the file is in the "C:\Program Files\CA\DSM\bin\" directory.
2. Right click on the file and select Properties.
3. Select the Version tab.
4. If the file version is earlier than indicated in the security notes table, the installation is vulnerable.

This vulnerability allows a remote attacker to execute arbitrary code or cause a denial of service (crash) via a long argument to the AddColumn method.


Mitigations: 
CA BrightStor workaround

Mitigation Control: 
Computer Associates has tested the following temporary mitigating strategy. While this strategy will not permanently correct the underlying vulnerability, it may be used to help block known attack vectors until fix actions can be completed.

As a temporary workaround solution, disable the ListCtrl ActiveX control in the registry by setting the kill bit on CLSID {BF6EFFF3-4558-4C4C-ADAF-A87891C5F3A3}. Disabling the control may prevent the GUI from functioning correctly. Refer to Microsoft KB article 240797 (http://support.microsoft.com/kb/240797) for information on how to disable an ActiveX control.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
Windows - Download and apply the appropriate patches from the vendor.

1. Using Windows Explorer, locate the file "ListCtrl.ocx". By default, the file is in the "C:\Program Files\CA\DSM\bin\" directory.

2. Right click on the file and select Properties.

3. Select the Version tab.

4. If the file version is earlier than indicated below, the installation is vulnerable.

Product:
CA Desktop Management Suite for Windows r11.1 (GA, a, C1),
Unicenter Desktop Management Bundle r11.1 (GA, a, C1),
Unicenter Asset Management r11.1 (GA, a, C1),
Unicenter Software Delivery r11.1 (GA, a, C1),
Unicenter Remote Control r11.1 (GA, a, C1)
File Name: ListCtrl.ocx
File Version: 11.1.8124.0

Product:
CA Desktop Management Suite for Windows r11.2,
Unicenter Desktop Management Bundle r11.2,
Unicenter Asset Management r11.2,
Unicenter Software Delivery r11.2,
Unicenter Remote Control r11.2
File Name: ListCtrl.ocx
File Version: 11.2.1000.16

Product:
CA Desktop Management Suite for Windows r11.2a,
Unicenter Desktop Management Bundle r11.2a,
Unicenter Asset Management r11.2a,
Unicenter Software Delivery r11.2a,
Unicenter Remote Control r11.2a
File Name: ListCtrl.ocx
File Version: 11.2.1000.16

Product:
CA Desktop Management Suite for Windows r11.2 C1,
Unicenter Desktop Management Bundle r11.2 C1,
Unicenter Asset Management r11.2 C1,
Unicenter Software Delivery r11.2 C1,
Unicenter Remote Control r11.2 C1,
BrightStor ARCserve Backup for Laptops and Desktops r11.5
File Name: ListCtrl.ocx
File Version: 11.2.1000.16


Check Content: 
Vulnerable Systems:
BrightStor ARCServe Backup for Laptops and Desktops r11.5
CA Desktop Management Suite r11.2 C1
CA Desktop Management Suite r11.2a
CA Desktop Management Suite r11.2
CA Desktop Management Suite r11.1 (GA, a, C1)
Unicenter Desktop Management Bundle r11.2 C1
Unicenter Desktop Management Bundle r11.2a
Unicenter Desktop Management Bundle r11.2
Unicenter Desktop Management Bundle r11.1 (GA, a, C1)
Unicenter Asset Management r11.2 C1
Unicenter Asset Management r11.2a
Unicenter Asset Management r11.2
Unicenter Asset Management r11.1 (GA, a, C1)
Unicenter Software Delivery r11.2 C1
Unicenter Software Delivery r11.2a
Unicenter Software Delivery r11.2
Unicenter Software Delivery r11.1 (GA, a, C1)
Unicenter Remote Control r11.2 C1
Unicenter Remote Control r11.2a
Unicenter Remote Control r11.2
Unicenter Remote Control r11.1 (GA, a, C1)

Remediation Guidelines:

-Apply the following (or greater) vendor patch/hotfix:

BrightStor ARCserve Backup for Laptops and Desktops r11.5
QO96102

CA Desktop Management Suite for Windows r11.1 (GA, a, C1)
Unicenter Desktop Management Bundle r11.1 (GA, a, C1)
Unicenter Asset Management r11.1 (GA, a, C1)
Unicenter Software Delivery r11.1 (GA, a, C1)
Unicenter Remote Control r11.1 (GA, a, C1)
QO96088

CA Desktop Management Suite for Windows r11.2a
Unicenter Desktop Management Bundle r11.2a
Unicenter Asset Management r11.2a
Unicenter Software Delivery r11.2a
Unicenter Remote Control r11.2a
QO96092

CA Desktop Management Suite for Windows r11.2
Unicenter Desktop Management Bundle r11.2
Unicenter Asset Management r11.2
Unicenter Software Delivery r11.2
Unicenter Remote Control r11.2
QO96091

CA Desktop Management Suite for Windows r11.2 C1
Unicenter Desktop Management Bundle r11.2 C1
Unicenter Asset Management r11.2 C1
Unicenter Software Delivery r11.2 C1
Unicenter Remote Control r11.2 C1
QO96090

-OR Upgrade to non-vulnerable release if/when available.

-Or, the vulnerable binary may be renamed and its permissions removed (mode 000) to downgrade the finding; for example, a CAT II finding may be downgraded to a CAT III.



  _____________________________________________________________

Group ID (Vulid): V-15964
Group Title: 2008-B-0039
Rule ID: SV-16906r1_rule
Severity: CAT I
Rule Version (STIG-ID): 2008-B-0039
Rule Title: Symantec Mail Security Buffer Overflow Vulnerabilities


Vulnerability Discussion: Multiple vulnerabilities have been discovered in the Autonomy KeyView module shipped with the Symantec Mail Security products. Autonomy KeyView is a component used in multiple applications; it adds high-speed filtering, the ability to export documents to web-ready HTML or valid XML, and high-fidelity viewing capabilities. To exploit these vulnerabilities, an attacker constructs a malicious file attachment designed to trigger one of them and sends it by email to a user of an affected system. If successfully exploited, the attacker could cause a denial-of-service condition or compromise the affected system.

At this time, there are no known exploits available for these vulnerabilities and JTF-GNO is not aware of any DoD incidents related to them.

Multiple heap-based buffer overflow vulnerabilities (CVE-2007-5399) - Multiple heap-based buffer overflows in emlsr.dll in the EML reader in Autonomy (formerly Verity) KeyView 10.3.0.0, as used by IBM Lotus Notes, allow remote attackers to execute arbitrary code via a long (1) To, (2) Cc, (3) Bcc, (4) From, (5) Date, (6) Subject, (7) Priority, (8) Importance, or (9) X-MSMail-Priority header; (10) a long string at the beginning of an RFC 2047 encoded-word in a header; (11) a long text string in an RFC 2047 encoded-word in a header; or (12) a long Subject header, related to creation of an associated filename.

Multiple buffer overflow vulnerabilities in kpagrdr.dll (CVE-2007-5405) - Multiple buffer overflows in kpagrdr.dll 2.0.0.2 and 10.3.0.0 in the Applix Presents reader in Autonomy (formerly Verity) KeyView, as used by IBM Lotus Notes, Symantec Mail Security, and activePDF DocConverter, allow remote attackers to execute arbitrary code via a .ag file with (1) a long ENCODING attribute in a *BEGIN tag, (2) a long token, or (3) the initial *BEGIN tag.

Applix Presents reader vulnerability (CVE-2007-5406) - kpagrdr.dll 2.0.0.2 and 10.3.0.0 in the Applix Presents reader in Autonomy (formerly Verity) KeyView, as used by IBM Lotus Notes, Symantec Mail Security, and activePDF DocConverter, does not properly parse long tokens, which allows remote attackers to cause a denial of service (CPU and memory consumption) via a crafted .ag file.

Multiple stack-based buffer overflow vulnerabilities in foliosr.dll (CVE-2007-6020) - Multiple stack-based buffer overflows in foliosr.dll in the Folio Flat File speed reader in Autonomy (formerly Verity) KeyView 10.3.0.0, as used by IBM Lotus Notes, Symantec Mail Security, and activePDF DocConverter, allow remote attackers to execute arbitrary code via a long attribute value in a (1) DI, (2) FD, (3) FT, (4) JD, (5) JL, (6) LE, (7) OB, (8) OD, (9) OL, (10) PN, (11) PS, (12) PW, (13) RD, (14) QL, or (15) TS tag in a .fff file.

Multiple buffer overflow vulnerabilities in htmsr.dll (CVE-2008-0066) - Multiple buffer overflows in htmsr.dll in the HTML speed reader in Autonomy (formerly Verity) KeyView, as used by IBM Lotus Notes 7.0.2 and 7.0.3, allow remote attackers to execute arbitrary code via an HTML document with (1) "large chunks of data," or a long URL in the (2) BACKGROUND attribute of a BODY element or (3) SRC attribute of an IMG element.

Buffer overflow vulnerability in kvdocve.dll (CVE-2008-1101) - Buffer overflow in kvdocve.dll in the KeyView document viewing engine in Autonomy (formerly Verity) KeyView, as used by IBM Lotus Notes 7.0.2 and 7.0.3, allows remote attackers to execute arbitrary code via a long pathname, as demonstrated by a long SRC attribute of an IMG element in an HTML document.


Mitigations: 
Symantec Workarounds

Mitigation Control: 
Symantec has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.
Workaround for Symantec Mail Security for Domino
Installations of SMS for Domino 7.5 that are not utilizing the Content Filtering capabilities of the product are not susceptible. SMS for Domino 7.5 would be susceptible only if the attachment content scanning option is enabled.

Administrators unable to upgrade to the recommended solution may disable content filtering rules that contain parameters that specify scanning of attachment content. The rules do not need to be deleted, only disabled until the updated release is installed.

To disable the content filtering rules for Symantec Mail Security for Domino

1. Select the Content Filtering tab to display the list of currently enabled rules.
2. Click the checkmark to the left of any rule that uses attachment content filtering, changing it to a red X and disabling the rule.

Workaround for Symantec Mail Security for SMTP and Symantec Mail Security Appliance
Installations of SMS for SMTP and SMS Appliance that are not utilizing the Content Filtering capabilities of the product are not susceptible to this issue. SMS for SMTP and Appliance would be susceptible only if the attachment content scanning option is enabled.

Administrators unable to upgrade to the recommended solution may disable content filtering rules that contain parameters that specify scanning of attachment content. The rules do not need to be deleted, only disabled until the updated release is installed.

To disable the content filtering rules for SMS for SMTP and SMS Appliance:

1. Log into the Management Console and select the Settings tab.
2. Select Scanning from the Email Scanning group in the Navigation List.
3. To disable, uncheck the option "Enable searching of non-plain text attachments for words in dictionaries".

Workaround for Symantec Mail Security for Microsoft Exchange
Installations of SMS for Microsoft Exchange 5.x that are not utilizing the Content Filtering capabilities of the product are not susceptible. SMS for Microsoft Exchange 5.x is susceptible only if the attachment content scanning option is enabled.

Administrators unable to upgrade to the recommended solution may disable content filtering rules that contain parameters that specify scanning of attachment content. The rules do not need to be deleted, only disabled until the updated release is installed.

To disable the content filtering rules for SMS for Microsoft Exchange:
1. Select the Policies tab and then choose Content Filtering to display the list of currently enabled rules.
2. Ensure that all rules using attachment content are disabled.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
Windows - Download and apply the appropriate patches from the vendor.

Apply appropriate vendor patch or upgrade to non-vulnerable version
Symantec Mail Security for Domino 7.5 - Upgrade to 7.5.3.25

Symantec Mail Security for SMTP 5.0.0 - Upgrade to 5.0.1 patch level 189

Symantec Mail Security for SMTP 5.0.1 - Patch level 189

Symantec Mail Security for Microsoft Exchange 5.0 - Customers currently running SMSMSE 5.x builds should either disable content filtering until the 5.0.10 build is released and then apply it, or upgrade to SMSMSE version 6.0.5.

Symantec Mail Security Appliance 5.0.x - Update to 5.0.0-36 or later

Note: Symantec Mail Security Appliance 5.0.x is not covered under the DoD-wide contract

JTF-GNO Antivirus Patch Repository
Symantec Software Updates
https://www.jtfgno.mil/antivirus/symantec.htm

  _____________________________________________________________

Group ID (Vulid): V-15995
Group Title: 2008-T-0017
Rule ID: SV-16939r1_rule
Severity: CAT II
Rule Version (STIG-ID): 2008-T-0017
Rule Title: CA Products DSM gui_cm_ctrls ActiveX Control Code Execution


Vulnerability Discussion: Computer Associates has reported a remote code execution vulnerability affecting various CA products that implement the distributed systems management (DSM) gui_cm_ctrls ActiveX control. The products provide backup and restore protection for multiple operating systems and applications. To exploit this vulnerability, an attacker would create and distribute a malicious webpage either by hosting it on a website or by sending it via email. Once an unsuspecting user is enticed to visit the malicious site, the attacker's code is run in the context of the user running the affected application. The successful exploitation of this vulnerability could lead to the compromise of the application and possibly the underlying computer and failed attacks will result in a denial-of-service condition.

At this time, there are no known exploits associated with this vulnerability, and the JTF-GNO is not aware of any DoD related incidents.
This remote code-execution vulnerability is due to an input validation error in the distributed systems management (DSM) "gui_cm_ctrls" ActiveX control (gui_cm_ctrls.ocx). Specifically, the control does not sufficiently validate the arguments passed to its methods. Successful exploitation would allow an unauthenticated remote attacker to compromise the application, and possibly the underlying computer, by executing arbitrary code in the context of the user running the affected application.


Mitigations: 
CA workaround

Mitigation Control: 
Computer Associates has tested the following temporary mitigating strategy. While this strategy will not permanently correct the underlying vulnerability, it may be used to help block known attack vectors until fix actions can be completed.

As a temporary workaround solution, disable the gui_cm_ctrls ActiveX control in the registry by setting the kill bit on CLSID {E6239EB3-E0B0-46DA-A215-CFA9B3B740C5}. Disabling the control may prevent the GUI from functioning correctly.

Refer to Microsoft KB article 240797 (http://support.microsoft.com/kb/240797) for information on how to disable an ActiveX control.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
Download and apply the appropriate patches from the vendor.

See the vendor bulletin for additional information.

1. Using Windows Explorer, locate the file "gui_cm_ctrls.ocx". By default, the file is in the "C:\Program Files\CA\DSM\bin\" directory.

2. Right click on the file and select Properties.

3. Select the Version tab.

4. If the file version is earlier than indicated below, the installation is vulnerable.

Product:
CA Desktop Management Suite for Windows r11.1 (GA, a, C1),
Unicenter Desktop Management Bundle r11.1 (GA, a, C1),
Unicenter Asset Management r11.1 (GA, a, C1),
Unicenter Software Delivery r11.1 (GA, a, C1),
Unicenter Remote Control r11.1 (GA, a, C1),
CA Desktop and Server Management r11.1 (GA, a, C1)
File Name: gui_cm_ctrls.ocx
File Version: 11.1.8124.2517

Product:
CA Desktop Management Suite for Windows r11.2,
Unicenter Desktop Management Bundle r11.2,
Unicenter Asset Management r11.2,
Unicenter Software Delivery r11.2,
Unicenter Remote Control r11.2,
CA Desktop and Server Management r11.2
File Name: gui_cm_ctrls.ocx
File Version: 11.2.2.4332

Product:
CA Desktop Management Suite for Windows r11.2a,
Unicenter Desktop Management Bundle r11.2a,
Unicenter Asset Management r11.2a,
Unicenter Software Delivery r11.2a,
Unicenter Remote Control r11.2a,
CA Desktop and Server Management r11.2a
File Name: gui_cm_ctrls.ocx
File Version: 11.2.3.1896

Product:
CA Desktop Management Suite for Windows r11.2 C1,
Unicenter Desktop Management Bundle r11.2 C1,
Unicenter Asset Management r11.2 C1,
Unicenter Software Delivery r11.2 C1,
Unicenter Remote Control r11.2 C1,
BrightStor ARCserve Backup for Laptops and Desktops r11.5,
CA Desktop and Server Management r11.2 C1
File Name: gui_cm_ctrls.ocx
File Version: 11.2.1000.17

Product:
CA Desktop Management Suite for Windows r11.2 C2,
Unicenter Desktop Management Bundle r11.2 C2,
Unicenter Asset Management r11.2 C2,
Unicenter Software Delivery r11.2 C2,
Unicenter Remote Control r11.2 C2,
CA Desktop and Server Management r11.2 C2
File Name: gui_cm_ctrls.ocx
File Version: 11.2.2000.4


Check Content: 
Vulnerable Systems:
BrightStor ARCServe Backup for Laptops and Desktops r11.5
CA Desktop Management Suite r11.2 C2
CA Desktop Management Suite r11.2 C1
CA Desktop Management Suite r11.2a
CA Desktop Management Suite r11.2
CA Desktop Management Suite r11.1 (GA, a, C1)
Unicenter Desktop Management Bundle r11.2 C2
Unicenter Desktop Management Bundle r11.2 C1
Unicenter Desktop Management Bundle r11.2a
Unicenter Desktop Management Bundle r11.2
Unicenter Desktop Management Bundle r11.1 (GA, a, C1)
Unicenter Asset Management r11.2 C2
Unicenter Asset Management r11.2 C1
Unicenter Asset Management r11.2a
Unicenter Asset Management r11.2
Unicenter Asset Management r11.1 (GA, a, C1)
Unicenter Software Delivery r11.2 C2
Unicenter Software Delivery r11.2 C1
Unicenter Software Delivery r11.2a
Unicenter Software Delivery r11.2
Unicenter Software Delivery r11.1 (GA, a, C1)
Unicenter Remote Control r11.2 C2
Unicenter Remote Control r11.2 C1
Unicenter Remote Control r11.2a
Unicenter Remote Control r11.2
Unicenter Remote Control r11.1 (GA, a, C1)
CA Desktop and Server Management r11.2 C2
CA Desktop and Server Management r11.2 C1
CA Desktop and Server Management r11.2a
CA Desktop and Server Management r11.2
CA Desktop and Server Management r11.1 (GA, a, C1)

Note: For BrightStor ARCserve Backup for Laptops & Desktops, only the server installation is affected; client installations are not affected. For CA Desktop Management Suite, Unicenter Desktop Management Bundle, Unicenter Asset Management, Unicenter Software Delivery and Unicenter Remote Control, only the Managers and DSM Explorers are affected; Scalability Servers and Agents are not affected.

Remediation Guidelines:

-Apply the following (or greater) vendor patch/hotfix:

Vendor Patch Repository
BrightStor ARCserve Backup for Laptops and Desktops r11.5
QI96333

CA Desktop Management Suite for Windows r11.1 (GA, a, C1)
Unicenter Desktop Management Bundle r11.1 (GA, a, C1)
Unicenter Asset Management r11.1 (GA, a, C1)
Unicenter Software Delivery r11.1 (GA, a, C1)
Unicenter Remote Control r11.1 (GA, a, C1)
QO96283

CA Desktop Management Suite for Windows r11.2a
Unicenter Desktop Management Bundle r11.2a
Unicenter Asset Management r11.2a
Unicenter Software Delivery r11.2a
Unicenter Remote Control r11.2a
QO96286

CA Desktop Management Suite for Windows r11.2
Unicenter Desktop Management Bundle r11.2
Unicenter Asset Management r11.2
Unicenter Software Delivery r11.2
Unicenter Remote Control r11.2
QO96285

CA Desktop Management Suite for Windows r11.2 C1
Unicenter Desktop Management Bundle r11.2 C1
Unicenter Asset Management r11.2 C1
Unicenter Software Delivery r11.2 C1
Unicenter Remote Control r11.2 C1
QO96284

CA Desktop Management Suite for Windows r11.2 C2
Unicenter Desktop Management Bundle r11.2 C2
Unicenter Asset Management r11.2 C2
Unicenter Software Delivery r11.2 C2
Unicenter Remote Control r11.2 C2
QO99084

CA Desktop and Server Management r11.2 C2
QO99080

CA Desktop and Server Management r11.2 C1
QO96288

CA Desktop and Server Management r11.2a
QO96290

CA Desktop and Server Management r11.2
QO96289

CA Desktop and Server Management r11.1 (GA, a, C1)
QO96287

-OR Upgrade to non-vulnerable release if/when available.

-Or, the vulnerable binary may be renamed and its permissions removed (mode 000) to downgrade the finding; for example, a CAT II finding may be downgraded to a CAT III.


  _____________________________________________________________

Group ID (Vulid): V-16022
Group Title: 2008-B-0043
Rule ID: SV-16978r1_rule
Severity: CAT I
Rule Version (STIG-ID): 2008-B-0043
Rule Title: Multiple CA ARCserve Backup Remote Vulnerabilities


Vulnerability Discussion: Computer Associates has addressed vulnerabilities affecting BrightStor ARCserve Backup on various platforms, including Windows, Linux and Solaris. BrightStor ARCserve is a backup and data retention tool that integrates with other BrightStor Data Availability and BrightStor Storage Management solutions. The products provide backup and restore protection for multiple operating systems and applications. To exploit these vulnerabilities, an attacker would create and send maliciously crafted data to an affected system. Successful exploitation of the most serious of these vulnerabilities would allow an unauthenticated remote attacker to gain system-level privileges, resulting in the compromise of the vulnerable system. Failed attempts would cause a denial-of-service condition.

At this time, there are no known exploits associated with these vulnerabilities and the JTF-GNO is not aware of any DoD related incidents.

"caloggerd" Directory Traversal Vulnerability (CVE-2008-2241):
Directory traversal vulnerability in caloggerd in CA BrightStor ARCServe Backup 11.0, 11.1, and 11.5 allows an unauthenticated remote attacker to append arbitrary data to arbitrary files via directory traversal sequences in unspecified input fields that are used in log messages. The vulnerability is due to insufficient path verification by the logging service, caloggerd.
Note: This vulnerability can be leveraged for code execution in many installation environments by writing to a startup file or configuration file.

"xdr" Function Buffer Overflow Vulnerabilities (CVE-2008-2242):
Multiple buffer overflows in xdr functions in the server in CA BrightStor ARCServe Backup 11.0, 11.1, and 11.5 allow remote attackers to execute arbitrary code. This is due to insufficient bounds checking by multiple xdr functions.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
Windows - Download and apply the appropriate patches from the vendor.
See the IAVM notice and vendor bulletin for additional information.

Affected Products:
CA ARCserve Backup r11.5 (formerly BrightStor ARCserve Backup r11.5)
CA ARCserve Backup r11.1 (formerly BrightStor ARCserve Backup r11.1)
CA ARCserve Backup r11.0 (formerly BrightStor ARCserve Backup r11.0)
CA Server Protection Suite r2
CA Business Protection Suite r2
CA Business Protection Suite for Microsoft Small Business Server Standard Edition r2
CA Business Protection Suite for Microsoft Small Business Server Premium Edition r2

1. Locate the file "caloggerd.exe". By default, it is in the "C:\Program Files\CA\BrightStor ARCserve Backup" directory.
2. Right click on the file and select Properties.
3. Select the General tab.
4. If the file's modification timestamp is earlier than the one indicated in the table below, the installation is vulnerable.

caloggerd.exe
Version 11.5 - 05/18/2007 10:55:48 / 299008 bytes
Version 11.1 - 05/18/2007 11:30:52 / 286720 bytes


  _____________________________________________________________

Group ID (Vulid): V-16023
Group Title: 2008-A-0034
Rule ID: SV-16979r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2008-A-0034
Rule Title: IBM Lotus Sametime Multiplexer Buffer Overflow Vulnerability


Vulnerability Discussion: IBM has addressed a remote buffer overflow vulnerability affecting IBM Lotus Sametime. IBM Lotus Sametime is a platform for Unified Communications and Collaboration (UC) which offers integrated enterprise instant messaging, VoIP, video chat and Web conferencing capabilities with security features. Both the client and server applications can be used on Linux, AIX, Solaris, and Windows operating systems. To exploit this vulnerability, a remote attacker would send a maliciously crafted HTTP request to a vulnerable system, triggering a stack-based buffer overflow in the multiplexer. Successful exploitation would allow the remote attacker to execute arbitrary code in the context of the affected system. Failed exploit attempts would likely result in a denial of service condition.

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
Windows - See the IAVM notice and vendor bulletin for additional information.

Vulnerable Applications/Systems:
IBM Lotus Sametime 7.5.1
IBM Lotus Sametime 8.0

Note: System administrators should refer to the Detailed System Requirements for Sametime 8.0.1 to determine which software versions are affected by this vulnerability:
http://www-1.ibm.com/support/docview.wss?rs=477&uid=swg27012109

See Fixes section for appropriate actions.

Check Content: 
Unix

Determine the version of the Sametime software

#/unisphere/srx3000/srx/version/pkgversion -ps

Upgrade to non-vulnerable version of affected product.
  _____________________________________________________________

Group ID (Vulid): V-16025
Group Title: 2008-B-0045
Rule ID: SV-16981r1_rule
Severity: CAT II
Rule Version (STIG-ID): 2008-B-0045
Rule Title: Multiple Sun Java System Application Server and Web Server Vulnerabilities


Vulnerability Discussion: Sun Microsystems has identified vulnerabilities affecting Sun Java System Web Server and Sun Java System Web Proxy Server. These servers run on Solaris, Linux, Windows, HP-UX and AIX. The Sun Java Web Server is an enterprise-level web server. The Sun Java Application Server is an enterprise-level application server and is hosted by the Sun Java Web Server. To exploit these vulnerabilities, an attacker would bypass access validation on an affected page or entice a user to follow a maliciously crafted URI link hosted on a website or sent via email. If successfully exploited, these vulnerabilities would allow an unauthenticated remote attacker to gain unauthorized access to sensitive information or to execute arbitrary script in the context of the affected site and steal cookie-based authentication credentials, hijack sessions or cause a loss of data privacy.

At this time, there are no known exploits available and the JTF-GNO is not aware of any DoD incidents related to these vulnerabilities.

JSP Information Disclosure (CVE-2008-2120):
Unspecified vulnerability in Sun Java System Application Server 7 2004Q2 before Update 6, Web Server 6.1 before SP8, and Web Server 7.0 before Update 1 allows remote attackers to obtain source code of JSP files via unknown vectors.

To determine the version of Sun Java System Application Server on a system, the following command can be run:
$ <AS-install>/bin/asadmin version --verbose
(Where <AS-install> is the installation directory of the Application Server).

To determine the version of Sun Java System Web Server 6.1 on a system, the following command can be run:
$ <WS-install>/https-<host>/start -version
(Where <WS-install> is the installation directory of the Web Server and <host> should be the actual host name on which the Web Server is installed).

To determine the version of Sun Java System Web Server 7.0 on a system, the following command can be run:
$ <WS-install>/bin/wadm --version
(Where <WS-install> is the installation directory of the Web Server).


Search Module Cross-site Scripting (XSS) Vulnerability (CVE-2008-2166):
Cross-site scripting (XSS) vulnerability in the search module in Sun Java System Web Server 6.1 before SP9 and 7.0 before Update 2 allows remote attackers to inject arbitrary web script or HTML via unknown parameters in index.jsp.

Advanced Search Mechanism Cross-Site Scripting (CSS or XSS) Vulnerability:
A Cross-Site Scripting (CSS or XSS) vulnerability in the Sun Java System Web Server's advanced search mechanism may allow an unprivileged remote user to execute arbitrary JavaScript in a client user's web browser. This may allow the remote user to steal cookie information, hijack sessions, or cause a loss of data privacy.


Mitigations: 
Sun Java Workaround

Mitigation Control: 
Sun has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.

Sun Advisory 1-66-231467-1
To work around the described issue, edit the default search web application file index.jsp, located at /lib/webapps/search/index.jsp, and remove the line containing the text out.println(s);.

Sun Advisory 1-66-236481-1
The following file can be edited to work around this issue:

<install root>/bin/https/webapps/search/advanced.jsp

by removing the following lines:

<input type=hidden name=next value=<%=request.getParameter("next")%>>
out.println(s);


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
Windows - Download and apply the appropriate patches from the vendor.
See the IAVM notice and vendor bulletin for additional information.

Note: System administrators should refer to the appropriate Sun Microsystems Alert to determine which software versions are affected by these vulnerabilities.

To determine the version of Sun Java System Application Server on a system, the following command can be run:
$ <AS-install>/bin/asadmin version --verbose (Where <AS-install> is the installation directory of the Application Server).

To determine the version of Sun Java System Web Server 6.1 on a system, the following command can be run:
$ <WS-install>/https-<host>/start -version (Where <WS-install> is the installation directory of the Web Server and <host> should be the actual host name on which the Web Server is installed).

To determine the version of Sun Java System Web Server 7.0 on a system, the following command can be run:
$ <WS-install>/bin/wadm --version (Where <WS-install> is the installation directory of the Web Server).

Upgrade to the following versions or later:
Sun Java System Application Server 7 2004Q2 with Update 6 or later
Sun Java System Web Server 6.1 with Service Pack 9 or later
Sun Java System Web Server 6.1 with patch 121524-05 or later
Sun Java System Web Server 7.0 with Update 3 or later
Sun Java System Web Server 7.0 with patch 125441-12 or later


Check Content: 
After verifying that the binary has not been trojaned, determine the version of Sun Java System Application Server by running the following command as a non-privileged user:
$ <AS-install>/bin/asadmin version --verbose
(Where <AS-install> is the installation directory of the Application Server).

After verifying that the binary has not been trojaned, determine the version of Sun Java System Web Server 6.1 by running the following command as a non-privileged user:
$ <WS-install>/https-<host>/start -version
(Where <WS-install> is the installation directory of the Web Server and <host> is the host name on which the Web Server is installed).

After verifying that the binary has not been trojaned, determine the version of Sun Java System Web Server 7.0 by running the following command as a non-privileged user:
$ <WS-install>/bin/wadm --version
(Where <WS-install> is the installation directory of the Web Server).

  _____________________________________________________________

Group ID (Vulid): V-16039
Group Title: 2008-A-0038
Rule ID: SV-16996r1_rule
Severity: CAT I
Rule Version (STIG-ID): 2008-A-0038
Rule Title: Multiple Security Vulnerabilities in Sun Java ASP


Vulnerability Discussion: Sun Microsystems has addressed multiple security vulnerabilities in the Sun Java Active Server Pages (ASP) Server. ASP is a server-side script engine that is used for dynamically-generated web pages. To exploit these vulnerabilities, a remote attacker would create and send malicious requests to a vulnerable server. The successful exploitation of these vulnerabilities would allow a local or remote unprivileged user to execute arbitrary code with the privileges of the root user or with the privileges of the user running the Sun Java ASP Server. These vulnerabilities may also allow a remote unprivileged user to gain unauthorized access to data, create arbitrary files on an affected system and bypass authentication mechanisms on the ASP application server.

At this time, there are no known exploits associated with these vulnerabilities and the JTF-GNO is not aware of any DoD related incidents.

Sun Java System Active Server Pages File Creation Vulnerability - CVE-2008-2401: The Admin Server in Sun Java Active Server Pages (ASP) Server before 4.0.3 allows remote attackers to append to arbitrary new or existing files via the first argument to a certain file that is included by multiple unspecified ASP applications. To exploit this vulnerability, a remote attacker would create and send a malicious request to an affected application via TCP port 5100. When the application processes the request, an arbitrary file is created or arbitrary data is appended to the file. The successful exploitation of this vulnerability would allow an unauthenticated remote attacker to execute arbitrary code with superuser privileges. Note: Port 5100 is not blocked.

Sun Java System Active Server Pages Information Disclosure Vulnerability - CVE-2008-2402: The Admin Server in Sun Java Active Server Pages (ASP) Server before 4.0.3 stores sensitive information under the web root with insufficient access control, which allows remote attackers to read password hashes and configuration data via direct requests for unspecified documents. To exploit this vulnerability, a remote attacker would create and submit a malicious request to TCP port 5100 of a vulnerable server. When the server processes the request, the requested file is returned to the attacker. The successful exploitation of this vulnerability would enable an unauthenticated remote attacker to gain access to sensitive information that could be used in further attacks. Note: Port 5100 is not blocked.

Sun Java System Active Server Pages Multiple Directory Traversal Vulnerabilities - CVE-2008-2403: Multiple directory traversal vulnerabilities in unspecified ASP applications in Sun Java Active Server Pages (ASP) Server before 4.0.3 allow remote attackers to read or delete arbitrary files via a .. (dot dot) in the Path parameter to the MapPath method. To exploit this vulnerability, a remote attacker would create and send a malicious HTTP GET request via TCP port 5100 to a vulnerable application through the vulnerable parameter. The requested file is returned to the attacker if the webserver process has read access to the file. The successful exploitation of this vulnerability would enable an unauthenticated remote attacker to access files that may contain sensitive information. Note: Port 5100 is not blocked.

Sun Java System Active Server Pages Buffer Overflow Vulnerability - CVE-2008-2404: Stack-based buffer overflow in the request handling implementation in Sun Java Active Server Pages (ASP) Server before 4.0.3 allows remote attackers to execute arbitrary code via an unspecified string field. To exploit this vulnerability, an attacker would create and submit a malicious request to an affected server. The attacker's code is executed when the server processes the request. The successful exploitation of this vulnerability would enable an unauthenticated remote attacker to cause the complete compromise of the affected server and possibly the underlying computer. Failed attacks will likely cause denial-of-service conditions.

Sun Java System Active Server Pages Multiple Command Injection Vulnerabilities - CVE-2008-2405: Sun Java Active Server Pages (ASP) Server before 4.0.3 allows remote attackers to execute arbitrary commands via shell metacharacters in HTTP requests to unspecified ASP applications. To exploit this vulnerability, a remote attacker would create and send a malicious HTTP request to an affected application. The successful exploitation would enable an unauthenticated remote attacker to cause a complete remote compromise as the attacker-specified commands will run with superuser privileges when the application processes the input.

Sun Java System Active Server Pages Authorization Bypass Vulnerability - CVE-2008-2406: The administration application server in Sun Java Active Server Pages (ASP) Server before 4.0.3 allows remote attackers to bypass authentication via direct requests on TCP port 5102. To exploit this vulnerability, an unauthenticated remote attacker would connect to and send a malicious request to an affected server via TCP port 5102. The successful exploitation of this vulnerability would allow an unauthenticated remote attacker to gain unauthorized access to the affected application. Note: Port 5102 is not blocked.


Mitigations: 
Sun Java Workaround

Mitigation Control: 
Sun Microsystems has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POAM to help block known attack vectors until required compliance actions can be completed.

Workaround

To work around the issues described in CVE-2008-2401, CVE-2008-2402, CVE-2008-2403 and CVE-2008-2406 on the SPARC, Linux, HP-UX and AIX platforms, disable the Admin Server on the Sun Java ASP Server. Sun Java ASP Server on the Windows platform is not affected by the issues described in these CVEs.

The Admin Server may be disabled as the root user by using the following command:
# /opt/casp/admtool -e
There is no workaround to the issues described in CVE-2008-2404 and CVE-2008-2405.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
Download and apply the appropriate patches from the vendor.

Vulnerable Applications
Sun Java ASP Server 4.0.2 or earlier

The installed version of Sun Java ASP Server may be determined from the following value in the Windows system registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\ChiliSoft\ChiliAsp\Install]
"CaspVersion"="4.0.3"

If CaspVersion is earlier than 4.0.3, this is a finding.

Vendor Patch Repository (requires account)
Sun Java ASP Server 4.0.3

https://cds.sun.com/is-bin/INTERSHOP.enfinity/WFS/CDS-CDS_SMI-Site/en_US/-/USD/ViewProductDetail-Start?ProductRef=SJASP-4.0.3-OTH-G-TP@CDS-CDS_SMI

  _____________________________________________________________

Group ID (Vulid): V-16046
Group Title: 2008-T-0026
Rule ID: SV-17025r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2008-T-0026
Rule Title: SNMP Remote Authentication Bypass Vulnerability


Vulnerability Discussion: Net-SNMP has addressed a remote authentication bypass vulnerability in the way Simple Network Management Protocol version 3 (SNMPv3) handles specially crafted packets. SNMP is a standardized protocol used for remotely monitoring and managing network devices. To exploit this vulnerability, a remote attacker who knows a valid SNMPv3 username, but not its authentication key, would send malicious SNMPv3 packets carrying a 1-byte Hash Message Authentication Code (HMAC) to an affected system. Because the agent fails to check that the HMAC has the configured length and instead compares only as many bytes as the packet supplies, a 1-byte HMAC matches with probability 1 in 256, so the attacker is validated after a small number of attempts. The successful exploitation of this vulnerability would allow an unauthenticated remote attacker to read sensitive information from a device or, depending on the SNMP configuration, to make configuration changes to it.

At this time, exploit code for this vulnerability is publicly available; the JTF-GNO is not aware of any DoD related incidents. System administrators must refer to the appropriate security advisory or third-party vendor security notice to determine whether their systems are vulnerable.

SNMPv3 HMAC Verification Vulnerability (CVE-2008-0960):
SNMP can be configured to utilize version 3, which is the current standard version of SNMP. SNMPv3 incorporates security features such as authentication and privacy control among other features. Authentication for SNMPv3 is done using keyed-Hash Message Authentication Code (HMAC), a message authentication code calculated using a cryptographic hash function in combination with a secret key. Implementations of SNMPv3 may allow a shortened HMAC code in the authenticator field to authenticate to an agent or a trap daemon using a minimum HMAC of 1 byte.

Note: The Cisco Advisory notes that SNMP requests and traps are transported over User Datagram Protocol (UDP) and are received at the assigned destination port numbers 161 and 162, respectively. These ports are blocked.


Mitigations: 
SNMP mitigation

Mitigation Control: 
Net-SNMP has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.

1) Install one of the updated packages immediately; this fixes the problem, and none of the other steps below are then needed.

If you are using Net-SNMP through a third-party distribution such as your operating system vendor, they should be releasing updates for their systems as soon as possible as well (likely today for most of them).

2) If this is impossible to do quickly and immediately you can do any of the following to help:

a) Put firewalls in front of your SNMP ports. This is generally recommended anyway, since blocking external access to any server that does not need to be reachable from the entire Internet is always good practice.

b) Use encryption in addition to authentication. Turning on *and requiring* DES or AES support for your SNMPv3 users will at least make attacking a system more difficult. Cryptographically speaking, encryption is not a form of authentication, but in this case a forged HMAC only gets the attacker a packet whose encrypted payload the agent cannot decrypt without the privacy key, so requiring it is better than not using it even if you do not need to protect your SNMPv3 packets from disclosure. Make sure you change your VACM authorization settings to require that encryption be used: in the rwuser or rouser config tokens, add priv to the end. For example:

Change from:
rwuser wes
rouser joe

Change to:
rwuser wes priv
rouser joe priv

c) Decrease what an authenticated packet can do. If you do not need SNMP SETs to be supported on your network, you can turn them off by disallowing them. For example:

Change from:
rwuser wes priv

Change to (rwuser becomes rouser):
rouser wes priv

d) Detect illegal authentication attempts by turning on authentication notifications. If you are using SNMP notifications (traps and informs) in your network of SNMP agents, adding the following line to your snmpd.conf file will make the agent send a trap or inform when someone fails to authenticate properly to the agent. Because an attacker trying to exploit this issue will not succeed every time, you should get notifications that devices are being targeted:

authtrapenable 1

(You will also need to define trap destinations if you have not already)
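The following script is an added example, not part of the IAVM notice or the Net-SNMP advisory. It applies steps 2b through 2d to an snmpd.conf: it lists rwuser/rouser entries that do not require the priv security level, reports whether authtrapenable is set, and prints a hardened copy with priv enforced, rwuser downgraded to rouser unless the second argument to snmpd_harden is 1, and authtrapenable 1 appended. The default path /etc/snmp/snmpd.conf and the sample configuration it writes when no readable file is given are assumptions, not taken from the notice or from any real host.

```sh
#!/bin/sh
# Added example: audit and harden a Net-SNMP snmpd.conf against the SNMPv3
# HMAC truncation issue (CVE-2008-0960), following steps 2b-2d above.
# Usage: sh snmpd_audit.sh [/path/to/snmpd.conf]
# The default path /etc/snmp/snmpd.conf is an assumption (Net-SNMP's usual
# location); when no readable file is given, a constructed sample is audited.

# Print "user level" for each rwuser/rouser entry whose minimum security level
# is below priv. Syntax: rwuser|rouser USER [noauth|auth|priv [OID]].
# An omitted level means auth, which the forged-HMAC attack defeats; priv forces
# the attacker to also produce a payload that decrypts under the privacy key.
snmpd_weak_users() {
    awk '$1 == "rwuser" || $1 == "rouser" {
             level = (NF >= 3) ? $3 : "auth"
             if (level != "priv") print $2, level
         }' "$1"
}

# Exit 0 if authentication-failure notifications are enabled (step 2d).
snmpd_authtrap_enabled() {
    awk 'tolower($1) == "authtrapenable" && $2 == "1" { found = 1 }
         END { exit found ? 0 : 1 }' "$1"
}

# Print a hardened copy of the file: every rwuser/rouser entry is forced to
# priv (step 2b), rwuser is downgraded to rouser unless the second argument is
# 1 (step 2c), and "authtrapenable 1" is appended when absent (step 2d).
snmpd_harden() {
    awk -v keep_rw="${2:-0}" '
        $1 == "rwuser" || $1 == "rouser" {
            if ($1 == "rwuser" && keep_rw != "1") $1 = "rouser"
            if (NF < 3) { print $1, $2, "priv"; next }
            if ($3 != "priv") $3 = "priv"
            print; next
        }
        tolower($1) == "authtrapenable" { seen = 1 }
        { print }
        END { if (!seen) print "authtrapenable 1" }' "$1"
}

# Write a constructed sample configuration (not taken from any real host).
write_sample_snmpd_conf() {
    printf '%s\n' \
        '# constructed sample snmpd.conf' \
        'rwuser wes' \
        'rouser joe priv' \
        'rouser mon auth .1.3.6.1.2.1' \
        'trap2sink 192.0.2.10 public' > "$1"
}

main() {
    conf=${1:-/etc/snmp/snmpd.conf}
    if [ ! -r "$conf" ]; then
        conf=$(mktemp) && write_sample_snmpd_conf "$conf"
        echo "no readable snmpd.conf given; auditing constructed sample $conf"
    fi
    echo "== SNMPv3 users that do not require priv (finding) =="
    snmpd_weak_users "$conf"
    snmpd_authtrap_enabled "$conf" || echo "== authtrapenable is not set to 1 (finding) =="
    echo "== hardened configuration =="
    snmpd_harden "$conf"
}

main "$@"
```

The hardened output is printed rather than written back, so it can be diffed against the live file before it is installed and snmpd restarted; users whose managers genuinely need SETs keep their rwuser line by passing 1 as the second argument.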


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
Unix

Determine the location of the snmpget binary:

# find / -name snmpget

Determine the version of the SNMP software by running the binary found by the find command with the --version option, for example:

# /usr/local/bin/snmpget --version

Upgrade to non-vulnerable version of affected product.
  _____________________________________________________________

Group ID (Vulid): V-16170
Group Title: 2008-A-0045
Rule ID: SV-17159r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2008-A-0045
Rule Title: DNS Protocol Cache Poisoning Vulnerability


Vulnerability Discussion: A Domain Name System (DNS) Protocol cache poisoning vulnerability has been identified affecting various applications and platforms (i.e., ISC BIND, Cisco, Juniper, Linux). The DNS is responsible for translating host names to IP addresses (and vice versa) and is critical for the normal operation of internet-connected systems. DNS cache poisoning (sometimes referred to as cache pollution) is an attack technique that allows an attacker to introduce forged DNS information into the cache of a caching nameserver. To exploit this vulnerability, a remote attacker would capture DNS requests and collect the transaction IDs from a vulnerable system. Ultimately, this collected information would enable the attacker to predict further transaction IDs and UDP source ports which would be used for spoofing DNS replies to queries sent by the vulnerable system. The successful exploitation of this vulnerability would enable an unauthenticated remote attacker to redirect network traffic to arbitrary IP addresses specified by the attacker.

At this time, there are no known exploits available; JTF-GNO is not aware of any DoD incidents related to this vulnerability.

DNS Spoofing Vulnerability - CVE-2008-1447: The DNS protocol, as implemented in (1) BIND 8 and 9 before 9.5.0-P1, 9.4.2-P1, and 9.3.5-P1; (2) Microsoft DNS in Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP1 and SP2; and other implementations allow remote attackers to spoof DNS traffic via certain cache poisoning techniques against recursive resolvers, related to insufficient randomness of DNS transaction IDs and source ports, aka "DNS Insufficient Socket Entropy Vulnerability."


Mitigations: 
US-CERT Mitigation for DNS

Mitigation Control: 
US-CERT (http://www.kb.cert.org/vuls/id/800113) has recommended the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POAM to help block known attack vectors until required compliance actions can be completed.

Restrict access:
Administrators, particularly those who are unable to apply a patch, can limit exposure to this vulnerability by restricting sources that can ask for recursion. Note that restricting access will still allow attackers with access to authorized hosts to exploit this vulnerability. Securing an Internet Name Server (http://www.cert.org/archive/pdf/dns.pdf) contains instructions for restricting recursion in ISC BIND.

Filter traffic at network perimeters:
Because the ability to spoof IP addresses is necessary to conduct these attacks, administrators should filter spoofed addresses at the network perimeter. IETF Request for Comments (RFC) documents RFC 2827 (http://tools.ietf.org/html/rfc2827), RFC 3704 (http://tools.ietf.org/html/rfc3704), and RFC 3013 (http://tools.ietf.org/html/rfc3013) describe best current practices (BCPs) for implementing this defense. It is important to understand your network's configuration and service requirements before deciding what changes are appropriate.

Run a local DNS cache:
In lieu of strong port randomization characteristics in a stub resolver, administrators can protect their systems by using local caching full-service resolvers, both on the client systems and on servers that are topologically close on the network to the client systems, in conjunction with the network segmentation and filtering strategies mentioned above.

Disable recursion:
Disable recursion on any nameserver responding to DNS requests made by untrusted systems. Securing an Internet Name Server contains instructions for disabling recursion in various versions of ISC's BIND.

Implement source port randomization:
Vendors that implement DNS software are encouraged to review IETF Internet Draft, Measures for making DNS more resilient against forged answers, (http://tools.ietf.org/html/draft-ietf-dnsext-forgery-resilience) for additional information about implementing mitigations in their products. This document is a work in progress and may change prior to its publication as an RFC, if it is approved.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
Windows - Download and apply the appropriate patches from the vendor. See the IAVM notice and vendor bulletin for additional information.

Vulnerable Applications
ISC BIND 8 (all versions)
ISC BIND 9 (all versions)

Verify that ISC BIND has been upgraded to 9.3.5-P1 or higher on the 9.3 branch, 9.4.2-P1 or higher on the 9.4 branch, or 9.5.0-P1 or higher.

ISC BIND should appear as a Service if installed.

Open a command prompt.
Change directory to %systemroot%\system32\dns\bin
Enter "named -f -v"
The BIND version number will be displayed.


HP Storage Management Appliance 2.1
HP Storage Management Appliance I
HP Storage Management Appliance II
HP Storage Management Appliance III
HP recommends that customers install the security update as provided via Microsoft Windows update MS08-037 IAVM 2008-A-0044.


Cisco products:
- Cisco Network Registrar
All Cisco Network Registrar versions are affected, and DNS services are enabled by default. The DNS server on CNR is enabled via the command-line interface (CLI) commands server dns enable start-on-reboot or dns enable start-on-reboot or via the web management interface in the Servers page by selecting the appropriate "Start," "Stop," or "Reload" button.
- Cisco Global Site Selector Used in Combination with Cisco Network Registrar
The Cisco Global Site Selector (GSS) is affected when it is used in combination with Cisco Network Registrar software to provide a more complete DNS solution. Fixed software would come in the form of an update of the Cisco Network Registrar software rather than an update of the GSS software.

Avaya Messaging Application Server (all versions)
Avaya recommends that customers install the security update as provided via Microsoft Windows update MS08-037 IAVM 2008-A-0044.



Check Content: 
After verifying that the binary has not been trojaned, execute the following command as a non-privileged user to check the version of BIND:

$ /usr/sbin/named -v
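Two checks a practitioner would script for the Unix case, as an added example that is not part of the IAVM notice or of ISC's advisory: parse the version printed by named -v against the fixed releases listed above, and look in named.conf for a query-source statement that pins the source port, because a fixed port (for example port 53) disables the per-query source port randomization that the fixed releases depend on, leaving a patched binary still exposed. The named -v banner and the named.conf fragment below are constructed samples; the named.conf location /etc/named.conf is an assumption (a chrooted RHEL5 named keeps it under /var/named/chroot/etc).

```sh
#!/bin/sh
# Added example: BIND checks for the DNS cache poisoning issue (CVE-2008-1447).
# Usage: sh bind_check.sh [/path/to/named.conf]
# Assumptions: named is on PATH and prints "BIND <version>" for -v; named.conf
# is at /etc/named.conf. When either is missing, constructed samples are used.

# Pull "9.4.2-P1" out of a banner such as "BIND 9.4.2-P1".
bind_version_from_banner() {
    printf '%s\n' "$1" | awk '$1 == "BIND" { print $2; exit }'
}

# Exit 0 if VERSION carries the fix: 9.3.5-P1 or later on 9.3, 9.4.2-P1 or
# later on 9.4, 9.5.0-P1 or later on 9.5, or any later branch. BIND 8 and
# 9.0 through 9.2 never received a fix and are always a finding.
bind_has_fix() {
    case $1 in
        9.3.5-P[1-9]*|9.3.[6-9]*|9.3.[1-9][0-9]*) return 0 ;;
        9.4.2-P[1-9]*|9.4.[3-9]*|9.4.[1-9][0-9]*) return 0 ;;
        9.5.0-P[1-9]*|9.5.[1-9]*)                return 0 ;;
        9.[6-9].*|9.[1-9][0-9].*)                return 0 ;;
        *)                                       return 1 ;;
    esac
}

# Print each query-source / query-source-v6 statement that pins the source
# port to a number. A fixed port ("port 53") disables the per-query source
# port randomization the fixed releases depend on, so a patched binary with
# such a statement is still exposed. "port *" is the randomized default.
named_conf_pinned_ports() {
    awk '/^[ \t]*(\/\/|#)/ { next }
         /query-source(-v6)?[ \t]/ {
             for (i = 1; i <= NF; i++)
                 if ($i == "port" && i < NF && $(i + 1) !~ /^\*;?$/) {
                     sub(/^[ \t]+/, ""); print; break
                 }
         }' "$1"
}

# Write a constructed sample named.conf (not taken from any real host).
write_sample_named_conf() {
    printf '%s\n' \
        'options {' \
        '    directory "/var/named";' \
        '    // the next line pins the port and must be removed or set to *' \
        '    query-source address * port 53;' \
        '    query-source-v6 port *;' \
        '    recursion yes;' \
        '};' > "$1"
}

main() {
    banner=$(named -v 2>/dev/null) || banner='BIND 9.4.2'   # constructed fallback
    ver=$(bind_version_from_banner "$banner")
    if bind_has_fix "$ver"; then
        echo "named $ver: contains the fix"
    else
        echo "named $ver: FINDING, upgrade to a fixed release"
    fi
    conf=${1:-/etc/named.conf}
    if [ ! -r "$conf" ]; then
        conf=$(mktemp) && write_sample_named_conf "$conf"
        echo "no readable named.conf given; checking constructed sample $conf"
    fi
    pinned=$(named_conf_pinned_ports "$conf")
    [ -z "$pinned" ] || printf 'FINDING: pinned source port defeats randomization:\n%s\n' "$pinned"
}

main "$@"
```

The version test is deliberately written as shell patterns over the three fixed branches rather than a general comparison, so it reads directly against the upgrade list above; any statement it flags should be changed to port * (or removed) and the firewall opened for the high UDP source ports the randomized resolver will then use.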


  _____________________________________________________________

Group ID (Vulid): V-17144
Group Title: 2008-T-0046
Rule ID: SV-18148r2_rule
Severity: CAT II
Rule Version (STIG-ID): 2008-T-0046
Rule Title: Red Hat OpenSSH Vulnerability


Vulnerability Discussion: Red Hat has identified a vulnerability affecting OpenSSH running on Red Hat operating systems. OpenSSH is a free implementation of the Secure Shell protocol suite. To exploit this vulnerability, a remote attacker would entice an unsuspecting victim to download and install a maliciously crafted OpenSSH package from a compromised Red Hat repository server. Successful exploitation would allow the attacker to gain superuser privileges and take complete control of the affected system. At this time, there are known exploits available for these vulnerabilities; JTF-GNO is not aware of any DoD related incidents.

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
Vulnerable Systems:
Red Hat Desktop (v. 4)
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux AS (v. 4)
Red Hat Enterprise Linux AS (v. 4.5.z)
Red Hat Enterprise Linux Desktop (v. 5 client)
Red Hat Enterprise Linux ES (v. 4)
Red Hat Enterprise Linux ES (v. 4.5.z)
Red Hat Enterprise Linux WS (v. 4)

Compliance Checking:
Determine if openssh is installed:

      # rpm -qa |grep openssh

For RHEL5 systems, the affected versions are earlier than 4.3p2-26.el5_2.1.
For RHEL4 systems, the affected versions are earlier than 3.9p1-11.el4_7.

If the preceding command shows openssh installed, check the key that signed the package:
      # rpm -qi openssh-clients |grep -i key

Verify the Key ID is 5326810137017186 (the Red Hat release signing key).
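The compliance check above can be scripted. This is an added example, not part of the IAVM notice or of Red Hat's advisory: it reimplements rpm's version ordering (digit runs numerically, letter runs lexically, version before release) so the installed version-release can be compared against the floor for each release, and it pulls the signing Key ID out of rpm -qi output. The rpm -qa and rpm -qi outputs embedded in it are constructed samples; on a Red Hat host it reads /etc/redhat-release for the major release (an assumption about that file's wording) and runs rpm itself. Note that rpm -qi only reports the key ID recorded in the package header; rpm --checksig on the package file is what actually verifies the signature.

```sh
#!/bin/sh
# Added example: check installed openssh packages against the fixed builds
# named above (RHEL5 4.3p2-26.el5_2.1, RHEL4 3.9p1-11.el4_7) and confirm the
# Red Hat release signing key ID. Assumes /etc/redhat-release names the major
# release and rpm is on PATH; elsewhere, constructed sample output is audited.
REDHAT_KEY_ID=5326810137017186

# rpm_vercmp A B: print -1, 0 or 1 as A is older than, equal to or newer than
# B, following rpmvercmp(): split into runs of digits and letters; digit runs
# compare numerically, letter runs lexically, a digit run beats a letter run,
# and the string with segments left over is newer. "." "_" "-" only delimit.
rpm_vercmp() {
    a=$1; b=$2
    while :; do
        a=${a#"${a%%[A-Za-z0-9]*}"}      # drop leading separators
        b=${b#"${b%%[A-Za-z0-9]*}"}
        [ -z "$a" ] && [ -z "$b" ] && { echo 0; return; }
        [ -z "$a" ] && { printf '%s\n' -1; return; }
        [ -z "$b" ] && { echo 1; return; }
        case $a in
            [0-9]*)
                case $b in [0-9]*) ;; *) echo 1; return ;; esac
                sa=${a%%[!0-9]*}; sb=${b%%[!0-9]*}
                [ "$sa" -gt "$sb" ] && { echo 1; return; }
                [ "$sa" -lt "$sb" ] && { printf '%s\n' -1; return; } ;;
            *)
                case $b in [0-9]*) printf '%s\n' -1; return ;; esac
                sa=${a%%[!A-Za-z]*}; sb=${b%%[!A-Za-z]*}
                if [ "$sa" != "$sb" ]; then
                    first=$(printf '%s\n%s\n' "$sa" "$sb" | LC_ALL=C sort | sed 1q)
                    [ "$first" = "$sa" ] && printf '%s\n' -1 || echo 1
                    return
                fi ;;
        esac
        a=${a#"$sa"}; b=${b#"$sb"}
    done
}
# rpm_evr_cmp A B: compare "version-release" as rpm does, version first and
# release only on a tie (so 1.0-2 is older than 1.0.1-1).
rpm_evr_cmp() {
    c=$(rpm_vercmp "${1%-*}" "${2%-*}")
    [ "$c" -ne 0 ] && { printf '%s\n' "$c"; return; }
    rpm_vercmp "${1##*-}" "${2##*-}"
}
# Floor for each release, taken from the check above.
openssh_floor_for() {
    case $1 in
        5) echo 4.3p2-26.el5_2.1 ;;
        4) echo 3.9p1-11.el4_7 ;;
        *) return 1 ;;
    esac
}
# openssh_compliant RELEASE VERSION-RELEASE: exit 0 when at or above the floor.
openssh_compliant() {
    floor=$(openssh_floor_for "$1") || return 2
    [ "$(rpm_evr_cmp "$2" "$floor")" -ge 0 ]
}
# nvr_to_vr openssh-clients-4.3p2-26.el5_2.1 -> 4.3p2-26.el5_2.1
nvr_to_vr() { printf '%s\n' "$1" | sed 's/.*-\([^-]*-[^-]*\)$/\1/'; }
# Read "rpm -qi" output on stdin and print the Key ID from its Signature line
# (the key recorded in the header; "rpm --checksig" does the real verification).
rpm_qi_key_id() { sed -n 's/^Signature.*Key ID \([0-9A-Fa-f]*\).*/\1/p'; }

# audit_openssh RELEASE "rpm -qa output" "rpm -qi output": one line per package;
# exit 0 only when every package meets the floor and the key ID matches.
audit_openssh() {
    rel=$1; rc=0
    for nvr in $2; do
        if openssh_compliant "$rel" "$(nvr_to_vr "$nvr")"; then
            echo "ok       $nvr"
        else
            echo "FINDING  $nvr is below $(openssh_floor_for "$rel")"; rc=1
        fi
    done
    key=$(printf '%s\n' "$3" | rpm_qi_key_id)
    [ "$key" = "$REDHAT_KEY_ID" ] || { echo "FINDING  signing key id '$key' is not $REDHAT_KEY_ID"; rc=1; }
    return $rc
}

# Constructed sample output (not from a real host): one package below the floor.
SAMPLE_RPM_QA='openssh-4.3p2-26.el5_2.1
openssh-clients-4.3p2-26.el5_2.1
openssh-server-4.3p2-24.el5'
SAMPLE_RPM_QI='Name        : openssh-clients
Version     : 4.3p2
Release     : 26.el5_2.1
Signature   : DSA/SHA1, Tue 12 Aug 2008 10:11:12 AM EDT, Key ID 5326810137017186'

main() {
    rel=$(sed -n 's/.*release \([0-9]*\).*/\1/p' /etc/redhat-release 2>/dev/null)
    if [ -n "$rel" ] && command -v rpm >/dev/null 2>&1; then
        audit_openssh "$rel" "$(rpm -qa 'openssh*')" "$(rpm -qi openssh-clients)"
    else
        echo "not a Red Hat host; auditing the constructed RHEL5 sample"
        audit_openssh 5 "$SAMPLE_RPM_QA" "$SAMPLE_RPM_QI"
    fi && echo "openssh audit: no findings" || echo "openssh audit: see findings above"
}
main
```

The version floor is the control that matters here: a package at or above the advisory's build postdates the incident, whereas the key ID alone only shows which key the header names.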
  _____________________________________________________________

Group ID (Vulid): V-17350
Group Title: 2008-T-0049
Rule ID: SV-18400r1_rule
Severity: CAT I
Rule Version (STIG-ID): 2008-T-0049
Rule Title: Multiple Vulnerabilities in RedHat Fedora Directory Server


Vulnerability Discussion: Red Hat has reported multiple vulnerabilities in Red Hat Fedora Directory Server. Red Hat Directory Server is a Lightweight Directory Access Protocol (LDAP)-based server that centralizes application settings, user profiles, group data, policies, and access control information into an operating system-independent and network-based registry. To exploit these vulnerabilities, a remote attacker would send a malicious request to a vulnerable system. If successfully exploited, these vulnerabilities would allow a remote attacker to execute arbitrary code and compromise an affected system or cause a denial of service condition.

At this time, there are no known exploits available; JTF-GNO is not aware of any DoD incidents related to these vulnerabilities.

Directory Server: adminutil / CGI heap overflow vulnerability - CVE-2008-2932:
Heap-based buffer overflow in Red Hat adminutil 1.1.6 allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via % (percent) encoded HTTP input to unspecified CGI scripts in Fedora Directory Server. NOTE: this vulnerability exists because of an incorrect fix for CVE-2008-2929.

Cross-site scripting (XSS) vulnerabilities - CVE-2008-2929:
Multiple cross-site scripting (XSS) vulnerabilities in the adminutil library in the Directory Server Administration Express and Directory Server Gateway (DSGW) web interface in Red Hat Directory Server 7.1 before SP7 and 8 EL4 and EL5, and Fedora Directory Server, allow remote attackers to inject arbitrary web script or HTML via input values that use % (percent) escaping.

Buffer overflows vulnerabilities - CVE-2008-2928:
Multiple buffer overflows in the adminutil library in CGI applications in Red Hat Directory Server 7.1 before SP7 allow remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a crafted Accept-Language HTTP header.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
# rpm -q --changelog adminutil | grep -E '2928|2929|2932'

If the changelog does not reference the fixes for these CVEs, this is a finding. Note that a build which mentions only CVE-2008-2928 and CVE-2008-2929 may still carry the incomplete fix described under CVE-2008-2932.

Fix Text: Update adminutil to the most recent stable version.   _____________________________________________________________

Group ID (Vulid): V-17737
Group Title: 2008-T-0054
Rule ID: SV-18915r1_rule
Severity: CAT I
Rule Version (STIG-ID): 2008-T-0054
Rule Title: Cisco Unity Remote Administration Authentication Bypass Vulnerability


Vulnerability Discussion: Cisco has addressed a vulnerability affecting Cisco Unity servers. Cisco Unity is a voice and unified messaging platform. Cisco Unity can be configured to interoperate with Microsoft Exchange or IBM Lotus Domino, enabling users to access e-mail, voice, and fax messages from a single inbox. To exploit this vulnerability, an unauthenticated remote attacker would bypass the authentication page of a vulnerable device. If successfully exploited, this vulnerability would allow an unauthenticated remote attacker to gain administrative access to the affected system.

At this time, there are no known exploits associated with this vulnerability; JTF-GNO is not aware of any DoD incidents related to this vulnerability.
Authentication Bypass Vulnerability - (CVE-2008-3814):
An unspecified vulnerability exists in Cisco Unity 4.x before 4.0ES161, 5.x before 5.0ES53, and 7.x before 7.0ES8, when using anonymous authentication. The successful exploitation of this vulnerability would allow an unauthenticated remote attacker to bypass authentication and read or modify system configuration parameters via unknown vectors.

Note: Per DoD APL, DoD implementations should be using Windows Authentication, not Anonymous Authentication.

This vulnerability is documented in Cisco Bug ID CSCsr86943 (registered customers only)


Mitigations: 
Cisco Unity

Mitigation Control: 
Temporary Mitigation Strategies
Cisco has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.
Integrated Windows authentication is not affected by this vulnerability and may be used as an alternative to Anonymous Authentication.

Details on authentication mechanisms and how to configure them can be found in the Installation Guide for Cisco Unity in the Setting Up Authentication for the Cisco Unity Administrator section.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
Download and apply the appropriate patches from the vendor. See the IAVM notice and vendor bulletin for additional information.

Affected Cisco Products
Cisco Unity versions, 4.x, 5.x and 7.x

Upgrade to the following:      
Cisco Unity software version 4.0ES161 for the 4.2(1) ES release
Cisco Unity software version 5.0ES53 for the 5.0(1) ES release
Cisco Unity software version 7.0ES8 for the 7.0(2) ES release

Interview the SA as to whether any of these products are installed.

  _____________________________________________________________

Group ID (Vulid): V-17978
Group Title: 2009-B-0001
Rule ID: SV-19499r1_rule
Severity: CAT II
Rule Version (STIG-ID): 2009-B-0001
Rule Title: Adobe Flash Player for Linux Remote Code Execution Vulnerability


Vulnerability Discussion: Adobe has addressed a vulnerability associated with Flash Player which affects Linux platforms only. Adobe Flash Player is a multimedia application for Microsoft Windows, Mac, and Linux Operating Systems. To exploit this vulnerability, a remote attacker would entice a user to view/access a maliciously crafted Flash/SWF file hosted on a web site or sent via email. If successfully exploited, this vulnerability would allow an unauthenticated remote attacker to execute arbitrary code and compromise an affected system.

At this time, there is exploit code available for this vulnerability; JTF-GNO is not aware of any DoD related incidents.
Malicious SWF file vulnerability - (CVE-2008-5499):
A critical vulnerability has been identified in Adobe Flash Player for Linux 10.0.12.36, Adobe Flash Player for Linux 9.0.151.0 and earlier that could allow an attacker who successfully exploits this potential vulnerability to take control of the affected system. A specially formed SWF must be loaded in Flash Player for Linux by the user for an attacker to exploit this potential vulnerability.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
Determine if Flash Player is installed by searching for the following files:

/usr/lib/firefox/plugins/libflashplayer.so
/usr/lib/mozilla/plugins/libflashplayer.so
/opt/Netscape/plugins/libflashplayer.so
$HOME/.netscape/plugins/libflashplayer.so
/opt/mozilla/plugins/libflashplayer.so
$HOME/.konqplugs/libflashplayer.so

If any of the files above are found, open a browser to determine the version. Enter about:plugins in the address bar to display the version information. If the version is not greater than 10.0.15.3, this is a finding.

  _____________________________________________________________

Group ID (Vulid): V-18223
Group Title: 2009-T-0007
Rule ID: SV-19758r2_rule
Severity: CAT II
Rule Version (STIG-ID): 2009-T-0007
Rule Title: Multiple Sun Java System Access Manager Vulnerabilities


Vulnerability Discussion: Sun Microsystems has addressed two security vulnerabilities affecting the Sun Java System Access Manager, formerly known as the Sun Java System Identity Server. The Access Manager is used to manage secure access to web applications on many OS platforms (e.g., Solaris, Windows, Linux, and HP-UX). To exploit these vulnerabilities, a remote attacker (one having either the privileges needed to access the administration console, or 'sub-realm' administrator access) would locate a vulnerable system and exploit the respective security vulnerability. If successfully exploited, the most serious of these vulnerabilities would allow an authenticated remote attacker to elevate their privileges and completely compromise a vulnerable system.

At this time, there are no known exploits available for these vulnerabilities; JTF-GNO is not aware of any DoD related incidents.
Sub-Realm Administrators Privilege Escalation Security Vulnerability (CVE-2009-0169):
Sun Java System Access Manager 7.1 allows remote authenticated sub-realm administrators to gain privileges, as demonstrated by creating the amadmin account in the sub-realm, and then logging in as amadmin in the root realm.

Password Revelation Security Vulnerability (CVE-2009-0170):
Sun Java System Access Manager 6.3 2005Q1, 7 2005Q4, and 7.1 allows remote authenticated users with console privileges to discover passwords, and obtain unspecified other "access to resources," by visiting the Configuration Items component in the console.

"guessed" Username Security Vulnerability:
Sun Java System Access Manager 6.3 2005Q1, 7 2005Q4, and 7.1 allows a remote unprivileged user to determine the existence of "guessed" usernames, which could be used for additional brute force attacks.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
Windows - Download and apply the appropriate patches from the vendor. See the IAVM notice and vendor bulletin for additional information.

Vulnerable Applications:
Sun Java System Access Manager 7.1 without patch 126359-02
Sun Java System Access Manager 7 2005Q4 without patch 124296-08

To determine the version of Sun Java System Access Manager, the following command can be run:

$ <access-manager-install-dir>/bin/amadmin --version
Sun Java System Access Manager 7.1

(where <access-manager-install-dir> is the installation directory of the Sun Java System Access Manager).


Check Content: 
To determine if Sun Java System Access Manager is installed, the following command can be run on a Solaris system:

# pkginfo -l SUNWamsvc

To determine the version of Access Manager on a Solaris system, the following command can be run:
# pkgparam SUNWamsvc VERSION

After determining the binary is not a trojan, determine the version of Sun Java System Access Manager on other systems by running the following command as a non-privileged user:
$ <access-manager-install-dir>/bin/amadmin -version

Verify the patches listed under Vulnerable Applications above are installed.
  _____________________________________________________________

Group ID (Vulid): V-18273
Group Title: 2009-T-0009
Rule ID: SV-19808r2_rule
Severity: CAT II
Rule Version (STIG-ID): 2009-T-0009
Rule Title: Sun Java System Application Server Information Disclosure Vulnerability


Vulnerability Discussion: Sun Microsystems has addressed an information disclosure vulnerability within the Sun Java System Application Server's WEB-INF and META-INF directories. The Sun Java System Application Server is a platform for delivering server-side Java applications and Web services on various operating system platforms (Windows, Sun, Linux). To exploit this vulnerability, a remote attacker would create and submit a request for a targeted system's WEB-INF and META-INF directories. If successfully exploited, this vulnerability would allow a remote attacker to read the Web Application configuration files in the WEB-INF and META-INF directories, resulting in the disclosure of sensitive information.

At this time, there are no known exploits available for this vulnerability; JTF-GNO is not aware of any DoD related incidents.
Sun Java Application Server Information Disclosure Vulnerability (CVE-2009-0278):
A vulnerability exists in Sun Java System Application Server (AS) 8.1 and 8.2 which enables a remote attacker to read the Web Application configuration files in the WEB-INF or META-INF directory via a malformed request. The remote attacker could use this information disclosure for additional attacks.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
Download and apply the appropriate patches from the vendor. See the IAVM notice and vendor bulletin for additional information.

To determine the version of Sun Java System Application Server on a system, the following command can be run:

$ <AS_install>/bin/asadmin -version
(where <AS_install> is the installation directory of the Application Server).

Vulnerable Applications:
Sun Java System Application Server 8.1
Sun Java System Application Server 8.1 without patch 119172-28 (Enterprise Ed. file-based)
Sun Java System Application Server 8.1 without patch 119176-28 (Platform Ed. file-based)
Sun Java System Application Server 8.1 without patch 122848-20 (Enterprise Ed. package-based)

Sun Java System Application Server 8.2
Sun Java System Application Server 8.2 without patch 124678-08 (Enterprise Ed. file-based)
Sun Java System Application Server 8.2 without patch 124682-08 (Platform Ed. file-based)
Sun Java System Application Server 8.2 without patch 124684-10 (Enterprise Ed. package-based)

Note: Application Server versions prior to 8.1 or later than 8.2 are not affected by this issue.



Check Content: 
After determining the binary is not a trojan, determine the version of Sun Java System Application Server by running the following command as a non-privileged user:
$ <AS_INSTALL>/bin/asadmin version --verbose

where <AS_INSTALL> is the installation directory of the Application Server.

Verify one of the patches listed under Vulnerable Applications above has been installed.
  _____________________________________________________________

Group ID (Vulid): V-18393
Group Title: 2009-T-0010
Rule ID: SV-19928r1_rule
Severity: CAT II
Rule Version (STIG-ID): 2009-T-0010
Rule Title: HP LaserJet Printers Directory Traversal Vulnerability


Vulnerability Discussion: Hewlett Packard (HP) has reported a security vulnerability with certain HP LaserJet printers. To exploit this vulnerability a remote attacker would send a specially crafted URI that contains directory-traversal strings to an affected device. If successfully exploited, this vulnerability would allow a remote attacker to gain unauthorized access to sensitive information.

At this time, there are known exploits associated with this vulnerability; JTF-GNO is not aware of any DoD related incidents.
Directory traversal vulnerability (CVE-2008-4419):
Directory traversal vulnerability in the HP JetDirect web administration interface in the HP-ChaiSOE 1.0 embedded web server on the LaserJet 9040mfp, LaserJet 9050mfp, and Color LaserJet 9500mfp before firmware 08.110.9; LaserJet 4345mfp and 9200C Digital Sender before firmware 09.120.9; Color LaserJet 4730mfp before firmware 46.200.9; LaserJet 2410, LaserJet 2420, and LaserJet 2430 before firmware 20080819 SPCL112A; LaserJet 4250 and LaserJet 4350 before firmware 20080819 SPCL015A; and LaserJet 9040 and LaserJet 9050 before firmware 20080819 SPCL110A allows remote attackers to read arbitrary files via directory traversal sequences in the URI.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
Download and apply the appropriate patches from the vendor. See IAVM notice and vendor bulletin for additional information.

Vulnerable Systems:
HP LaserJet 2410 with firmware prior to 20080819 SPCL112A
HP LaserJet 2420 with firmware prior to 20080819 SPCL112A
HP LaserJet 2430 with firmware prior to 20080819 SPCL112A
HP LaserJet 4250 with firmware prior to 20080819 SPCL015A
HP LaserJet 4350 with firmware prior to 20080819 SPCL015A
HP LaserJet 9040 with firmware prior to 20080819 SPCL110A
HP LaserJet 9050 with firmware prior to 20080819 SPCL110A
HP LaserJet 4345mfp with firmware prior to 09.120.9
HP Color LaserJet 4730mfp with firmware prior to 46.200.9
HP LaserJet 9040mfp with firmware prior to 08.110.9
HP LaserJet 9050mfp with firmware prior to 08.110.9
HP 9200C Digital Sender with firmware prior to 09.120.9
HP Color LaserJet 9500mfp with firmware prior to 08.110.9

Print a configuration page from the printer to determine firmware version. See printer documentation for instructions.


Check Content: 
This is not a Linux vulnerability directly. Check the list of affected HP LaserJet printers and print out a test page to obtain the firmware version.

Fix Text: Upgrade the firmware on the affected printer.   _____________________________________________________________

Group ID (Vulid): V-18499
Group Title: 2009-A-0017
Rule ID: SV-20034r1_rule
Severity: CAT II
Rule Version (STIG-ID): 2009-A-0017
Rule Title: Multiple Vulnerabilities in Adobe Flash Player


Vulnerability Discussion: Adobe has addressed multiple vulnerabilities associated with Flash Player. Adobe Flash Player is a multimedia application for Microsoft Windows, Mac, and Linux Operating Systems. To exploit these vulnerabilities, a remote attacker would entice a user to view/access a maliciously crafted Flash/SWF file hosted on a web site or sent via email. If successfully exploited, these vulnerabilities would allow an unauthenticated remote attacker to compromise the affected application.

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
Windows - Download and apply the appropriate patches from the vendor. See the IAVM notice and vendor bulletin for additional information.

Vulnerable Applications:
Flash Player 10.0.12.36 and earlier
Flash Player 10.0.12.36 and earlier - network distribution
Flash Player 10.0.15.3 and earlier for Linux
Flash Player 9 prior to 9.0.159.0
AIR 1.5 (upgrade to 1.5.1)
Flash CS4 Professional
Flash CS3 Professional
Flex 3

Note: Adobe recommends users upgrade to the latest version of Flash Player 10. For users who cannot update to Flash Player 10, Adobe has developed a patched version of Flash Player 9, Flash Player 9.0.159.0.

Check the following registry key to determine the version of Flashplayer:
HKLM\Software\Macromedia\Flashplayer
Value: CurrentVersion

Alternately, check the version through the Support Information link for the program in Add or Remove Programs, or in Programs and Features (Vista/2008): expose the Version column by right-clicking the column headers, selecting More..., and selecting Version.

  _____________________________________________________________

Group ID (Vulid): V-18500
Group Title: 2009-T-0014
Rule ID: SV-20035r1_rule
Severity: CAT I
Rule Version (STIG-ID): 2009-T-0014
Rule Title: Symantec Veritas NetBackup Communication Setup Remote Privilege Escalation Vulnerability


Vulnerability Discussion: Symantec has reported a vulnerability affecting Symantec Veritas Netbackup. Symantec Veritas Netbackup is an enterprise level backup and recovery suite available for various operating systems. To exploit this vulnerability, an attacker would create and send malicious code to a vulnerable application. If successfully exploited, this vulnerability would allow an attacker to execute arbitrary code in the context of the vulnerable application. Failed attempts may result in memory corruption or a denial-of-service condition.

Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
Symantec has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.

Mitigations/Workarounds
Symantec Security Response has released an IPS/IDS signature, Signature ID 23283, to detect and block attempts to exploit this issue. The signature is available through normal update channels.

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-18637
Group Title: 2009-T-0019
Rule ID: SV-20203r1_rule
Severity: CAT II
Rule Version (STIG-ID): 2009-T-0019
Rule Title: IBM DB2 Content Manager eClient Unspecified Security Vulnerability


Vulnerability Discussion: IBM has reported a vulnerability in DB2 Content Manager. DB2 is a relational database management system produced by IBM capable of running on various platforms, including AIX, HP-UX, Linux, Solaris and Windows. Because only limited information was available when this notice was released, exploit information is not available. This notice will be modified if additional information related to this vulnerability becomes available.

At this time, there are no known exploits associated with this vulnerability; the JTF-GNO is not aware of any DoD related incidents.
IBM DB2 Content Manager eClient Vulnerability - (CVE-2009-1231)
Unspecified vulnerability in the eClient in IBM DB2 Content Manager 8.4.1 before 8.4.1.1 has unknown impact and attack vectors.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
Windows - Download and apply the appropriate patches from the vendor. See IAVM notice and vendor bulletin for additional information.

Vulnerable Applications:
IBM DB2 Content Manager 8.4.1

To determine the Content Manager version:
1. Open a command prompt.
2. Enter %IBMCMROOT%/bin/cmlevel


Check Content: 
Determine the installed DB2 version and fix pack by viewing the output from:
# db2level
The version should display 8.4.1.1.


  _____________________________________________________________

Group ID (Vulid): V-18638
Group Title: 2009-B-0015
Rule ID: SV-20204r1_rule
Severity: CAT I
Rule Version (STIG-ID): 2009-B-0015
Rule Title: Multiple Vulnerabilities in VMware


Vulnerability Discussion: VMware has reported multiple vulnerabilities in various VMware products. VMware products provide enterprise level virtualization. Attack vectors vary depending on the specific vulnerability being leveraged. If successfully exploited, these vulnerabilities would allow an attacker to execute arbitrary code, exfiltrate sensitive data, gain elevated privileges and/or cause a denial of service condition on an affected system.

At this time, there are no known exploits available for these vulnerabilities; JTF-GNO is not aware of any DoD incidents related to these vulnerabilities.
VMware-authd Denial of Service Vulnerability (CVE-2009-0177):
vmwarebase.dll, as used in the vmware-authd service (aka vmware-authd.exe), in VMware Workstation 6.5.1 build 126130, 6.5.1 and earlier; VMware Player 2.5.1 build 126130, 2.5.1 and earlier; VMware ACE 2.5.1 and earlier; VMware Server 2.0.x before 2.0.1 build 156745; and VMware Fusion before 2.0.2 build 147997 allows remote attackers to cause a denial of service (daemon crash) via a long (1) USER or (2) PASS command.

VI Client Password Exfiltration Vulnerability (CVE-2009-0518):
VI Client in VMware VirtualCenter before 2.5 Update 4, VMware ESXi 3.5 before Update 4, and VMware ESX 3.5 before Update 4 retains the VirtualCenter Server password in process memory, which might allow local users to obtain this password.

ACE Shared Folders Vulnerability (CVE-2009-0908):
Unspecified vulnerability in the ACE shared folders implementation in the VMware Host Guest File System (HGFS) shared folders feature in VMware ACE 2.5.1 and earlier allows attackers to enable a disabled shared folder.

VNnc Codec Buffer Overflow Vulnerability (CVE-2009-0909):
Heap-based buffer overflow in the VNnc Codec in VMware Workstation 6.5.x before 6.5.2 build 156735, VMware Player 2.5.x before 2.5.2 build 156735, VMware ACE 2.5.x before 2.5.2 build 156735, and VMware Server 2.0.x before 2.0.1 build 156745 allows remote attackers to execute arbitrary code via a crafted web page or video file, aka ZDI-CVE-435.

VNnc Codec Buffer Overflow Vulnerability (CVE-2009-0910):
Heap-based buffer overflow in the VNnc Codec in VMware Workstation 6.5.x before 6.5.2 build 156735, VMware Player 2.5.x before 2.5.2 build 156735, VMware ACE 2.5.x before 2.5.2 build 156735, and VMware Server 2.0.x before 2.0.1 build 156745 allows remote attackers to execute arbitrary code via a crafted web page or video file, aka ZDI-CVE-436.

ioctl Denial of Service Vulnerability (CVE-2009-1146):
Unspecified vulnerability in an ioctl in hcmon.sys in VMware Workstation 6.5.1 and earlier, VMware Player 2.5.1 and earlier, VMware ACE 2.5.1 and earlier, and VMware Server 1.0.x before 1.0.9 build 156507 and 2.0.x before 2.0.1 build 156745 allows local users to cause a denial of service via unknown vectors, a different vulnerability than CVE-2008-3761.

vmci.sys Privilege Escalation Vulnerability (CVE-2009-1147):
Unspecified vulnerability in vmci.sys in the Virtual Machine Communication Interface (VMCI) in VMware Workstation 6.5.1 and earlier, VMware Player 2.5.1 and earlier, VMware ACE 2.5.1 and earlier, and VMware Server 2.0.x before 2.0.1 build 156745 allows local users to gain privileges via unknown vectors.

hcmon.sys Denial of Service Vulnerability (CVE-2008-3761):
hcmon.sys in VMware Workstation 6.5.1 and earlier, VMware Player 2.5.1 and earlier, VMware ACE 2.5.1 and earlier, and VMware Server 1.0.x before 1.0.9 build 156507 and 2.0.x before 2.0.1 build 156745 uses the METHOD_NEITHER communication method for IOCTLs, which allows local users to cause a denial of service via a crafted IOCTL request.

Guest Virtual Device Driver Denial of Service Vulnerability (CVE-2008-4916):
Unspecified vulnerability in a guest virtual device driver in VMware Workstation before 5.5.9 build 126128, and 6.5.1 and earlier 6.x versions; VMware Player before 1.0.9 build 126128, and 2.5.1 and earlier 2.x versions; VMware ACE before 1.0.8 build 125922, and 2.5.1 and earlier 2.x versions; VMware Server 1.x before 1.0.8 build 126538 and 2.0.x before 2.0.1 build 156745; VMware Fusion before 2.0.1; VMware ESXi 3.5; and VMware ESX 3.0.2, 3.0.3, and 3.5 allows guest OS users to cause a denial of service (host OS crash) via unknown vectors.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
Windows - Download and apply the appropriate patches from the vendor. See IAVM notice and vendor bulletin for additional information.
     
VMWare Vulnerable Applications:
Workstation 6.5.x before 6.5.2 build 156735
Workstation 6.0.x
Workstation 5.5.x
Player 2.5.x before 2.5.2 build 156735
Player 2.0.x
Player 1.0.x before 1.0.9 build 126128
ACE 2.5.x before 2.5.2 build 156735
ACE 2.0.x upgrade to at least 2.5.1
ACE 1.x before 1.0.8 build 125922
Server 2.x before 2.0.1 build 156745
Server 1.x before 1.0.9 build 156507

Note: General Support for Workstation version 5.x ended on 2009-03-19. Users should plan to upgrade to the latest Workstation version 6.x release.

View the About “Product” from the menu to view version and build numbers.


Check Content: 
ESX 3.5 without patch ESX350-200811401-SG and ESX350-200903201-UG (these patches are included in ESX 3.5 Update 4)
ESX 3.0.3 without patch ESX303-200811401-BG
ESX 3.0.2 without patch ESX-1006980

To check for the patches:

# esxupdate query <patch_name>

  _____________________________________________________________

Group ID (Vulid): V-18969
Group Title: 2009-B-0018
Rule ID: SV-20775r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2009-B-0018
Rule Title: Multiple Vulnerabilities in HP OpenView Network Node Manager


Vulnerability Discussion: Hewlett-Packard (HP) has addressed multiple vulnerabilities affecting HP OpenView Network Node Manager (OV NNM). HP OpenView is a suite of software applications which allow large-scale system and network management of an organization's IT assets. To exploit these vulnerabilities, a remote attacker would create and send a malicious request to a vulnerable system. If successfully exploited, these vulnerabilities would allow a remote attacker to execute arbitrary code and compromise the affected system.

At this time, there are no known exploits associated with these vulnerabilities, and the JTF-GNO is not aware of any DoD related incidents.
HP Network Node Manager Vulnerability - (CVE-2009-0720):
Unspecified vulnerability in HP OpenView Network Node Manager (OV NNM) 7.01, 7.51, and 7.53 allows remote attackers to execute arbitrary code via unknown vectors.

HP Network Node Manager ovalarmsrv Integer overflow Vulnerability - (CVE-2008-2438):
A potential vulnerability has been identified with HP OpenView Network Node Manager. The vulnerability could be exploited remotely to execute arbitrary code. Ovalarmsrv integer overflow in HP OpenView Network Node Manager 7.01, 7.51, and 7.53 allows remote attackers to execute arbitrary code via a specially crafted command sent to port 2954/TCP.

Note: At the time of this release, technical details related to this vulnerability were limited and the CVE identified above has not been addressed.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
Windows - Download and apply the appropriate patches from the vendor. See the IAVM notice and vendor bulletin for additional information.

Affected Products:
HP OpenView Network Node Manager 7.01
HP OpenView Network Node Manager 7.51
HP OpenView Network Node Manager 7.53

OV NNM 7.01 is resolved with Intermediate Patch 12
OV NNM 7.51 upgrade to 7.53 and install patches
OV NNM 7.53 is resolved with patch NNM_01197 or subsequent

Interview the SA to determine if patch has been installed.


Check Content: 
Download and apply the appropriate patches from the vendor. See the IAVM notice and vendor bulletin for additional information.

Vulnerable Applications/Systems:

HP-UX, Linux, Solaris, Windows:
HP OpenView Network Node Manager 7.01
HP OpenView Network Node Manager 7.51
HP OpenView Network Node Manager 7.53

Interview the SA to determine if patch has been installed.
  _____________________________________________________________

Group ID (Vulid): V-18983
Group Title: 2009-T-0024
Rule ID: SV-20789r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2009-T-0024
Rule Title: Multiple Vulnerabilities in Linux Kernel


Vulnerability Discussion: The Linux kernel project has addressed multiple vulnerabilities affecting the Linux kernel. To exploit these vulnerabilities, an attacker would craft and send malicious network data to an affected system. If successfully exploited, these vulnerabilities would result in the complete compromise of an affected system. Failed exploit attempts will result in a denial-of-service condition.

At this time, at least one of these vulnerabilities can be exploited using readily available tools; the JTF-GNO is not aware of any DoD related incidents.
Linux Kernel Integer Overflow Vulnerability - (CVE-2009-1265):
Integer overflow in rose_sendmsg (sys/net/af_rose.c) in the Linux kernel 2.6.24.4, and other versions before 2.6.30-rc1, might allow remote attackers to obtain sensitive information via a large length value, which causes "garbage" memory to be sent.

Linux Kernel CIFS 'decode_unicode_ssetup()' Remote Buffer Overflow Vulnerability:
The Linux Kernel is prone to a remote buffer-overflow vulnerability because the software fails to perform adequate boundary checks on user-supplied data.

Linux Kernel 'CAP_FS_SET' Incomplete Capabilities List Access Validation Vulnerability:
The Linux Kernel is prone to an unauthorized-access vulnerability because of an error in the definition of the 'CAP_FS_SET' capabilities mask. This issue has been demonstrated to impact the NFS and VFS filesystems.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
Red Hat Enterprise Linux 3 is vulnerable to CVE-2009-1265; RHEL 4 and 5 are not. However, this IAVA covers more than one CVE. A response from the Red Hat Knowledge Base indicates RHEL 3 will not be patched, so this will always be a finding on RHEL 3 systems. RHEL 4 does not appear to have any fixes, so this is a finding on RHEL 4. RHEL 5 does have a kernel update for the CIFS vulnerability. Execute uname -a to determine the kernel version. If the kernel version is less than 0:2.6.18-128.1.14.el5, this is a finding.
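The RHEL 5 kernel version comparison in the check above, as an added example that is not part of the STIG: a POSIX sh script (assuming only the sh and awk present on RHEL 5) that compares a kernel version string against the fixed version 0:2.6.18-128.1.14.el5 using RPM epoch:version-release ordering, so that a release such as 128.el5 correctly sorts below 128.1.14.el5 instead of being compared as plain text.

```shell
#!/bin/sh
# Added example, not part of the STIG text: evaluates the RHEL 5 kernel check
# by comparing a kernel version string against the fixed version
# 0:2.6.18-128.1.14.el5 with RPM-style epoch:version-release ordering.
# Assumes a POSIX sh and awk (both present on RHEL 5).

FIXED_KERNEL_EVR="0:2.6.18-128.1.14.el5"

# kernel_evr_cmp A B: prints -1, 0 or 1 as A is older than, equal to, or
# newer than B. A missing epoch is treated as 0, the same way rpm does.
# Segment comparison is a simplified rpmvercmp: strings are split into runs
# of digits and runs of letters, digit runs compare numerically, letter runs
# compare lexically, and a digit run sorts above a letter run.
kernel_evr_cmp() {
  awk -v a="$1" -v b="$2" '
    function segs(s, arr,    n, i, c, t, cur, type) {
      n = 0; cur = ""; type = ""
      for (i = 1; i <= length(s); i++) {
        c = substr(s, i, 1)
        if (c ~ /[0-9]/) t = "n"
        else if (c ~ /[A-Za-z]/) t = "a"
        else t = ""
        if (cur != "" && (t == "" || t != type)) { arr[++n] = cur; cur = "" }
        if (t != "") { cur = cur c; type = t }
      }
      if (cur != "") arr[++n] = cur
      return n
    }
    function cmp(x, y,    xs, ys, nx, ny, i, xn, yn) {
      nx = segs(x, xs); ny = segs(y, ys)
      for (i = 1; i <= nx && i <= ny; i++) {
        xn = (xs[i] ~ /^[0-9]+$/); yn = (ys[i] ~ /^[0-9]+$/)
        if (xn && yn) {
          if (xs[i] + 0 < ys[i] + 0) return -1
          if (xs[i] + 0 > ys[i] + 0) return 1
        } else if (xn != yn) {
          return xn ? 1 : -1
        } else {
          if (xs[i] < ys[i]) return -1
          if (xs[i] > ys[i]) return 1
        }
      }
      if (nx == ny) return 0
      return nx > ny ? 1 : -1   # the string with segments left over is newer
    }
    function split_evr(s, out,    p, rest) {
      p = index(s, ":")
      if (p) { out["e"] = substr(s, 1, p - 1); rest = substr(s, p + 1) }
      else   { out["e"] = "0"; rest = s }
      p = index(rest, "-")
      if (p) { out["v"] = substr(rest, 1, p - 1); out["r"] = substr(rest, p + 1) }
      else   { out["v"] = rest; out["r"] = "" }
    }
    BEGIN {
      split_evr(a, A); split_evr(b, B)
      r = 0
      if (A["e"] + 0 < B["e"] + 0) r = -1
      else if (A["e"] + 0 > B["e"] + 0) r = 1
      if (r == 0) r = cmp(A["v"], B["v"])
      if (r == 0) r = cmp(A["r"], B["r"])
      print r
    }'
}

# kernel_is_finding EVR: succeeds (exit 0) when EVR is older than the fixed
# kernel, i.e. the system is a finding under this IAVA.
kernel_is_finding() {
  [ "$(kernel_evr_cmp "$1" "$FIXED_KERNEL_EVR")" -lt 0 ]
}

# check_running_kernel: applies the check to the running kernel. uname -r
# reports version-release without the epoch, which kernel_evr_cmp defaults to 0.
check_running_kernel() {
  running=$(uname -r)
  if kernel_is_finding "$running"; then
    echo "FINDING: running kernel $running is older than $FIXED_KERNEL_EVR"
    return 1
  fi
  echo "OK: running kernel $running is at or above $FIXED_KERNEL_EVR"
}

# Usage: sh kernel_check.sh --live          (check the running kernel)
#        sh kernel_check.sh 2.6.18-92.el5   (evaluate a given version string)
case "${1:-}" in
  --live) check_running_kernel ;;
  "")     ;;   # no argument: only define the functions
  *)      if kernel_is_finding "$1"; then
            echo "FINDING: $1 is older than $FIXED_KERNEL_EVR"
          else
            echo "OK: $1 is at or above $FIXED_KERNEL_EVR"
          fi ;;
esac
```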
  _____________________________________________________________

Group ID (Vulid): V-19156
Group Title: 2009-T-0025
Rule ID: SV-20969r1_rule
Severity: CAT II
Rule Version (STIG-ID): 2009-T-0025
Rule Title: McAfee Products Archive Files Scan Evasion Vulnerability


Vulnerability Discussion: McAfee has released a security bulletin addressing a vulnerability in McAfee products. To exploit this vulnerability, an attacker would create a malicious archive file to bypass the scanner on a gateway. If successfully exploited, this vulnerability would allow an attacker to send a malicious archive file via email which the vulnerable application would fail to detect.

At this time, a proof of concept exists for this vulnerability but the exploits are not publicly available; JTF-GNO is not aware of any DoD incidents related to this vulnerability.
Archive Handling Security Bypass Vulnerability - (CVE-2009-1348):
The AV engine before DAT 5600 in McAfee VirusScan, Total Protection, Internet Security, SecurityShield for Microsoft ISA Server, Security for Microsoft Sharepoint, Security for Email Servers, Email Gateway, and Active Virus Defense allows remote attackers to bypass virus detection via an invalid Headflags field in a malformed RAR archive, an invalid Packsize field in a malformed RAR archive, or an invalid Filelength field in a malformed ZIP archive. This could allow malware to bypass a scanner on a gateway.

Note: Users utilizing on-access scanning on endpoint devices should not be affected, as the scanner will see the files after the archive is opened. An attack, even if it is successful at bypassing the gateway, will have no lasting effect on the endpoint running an on-access scanner. The Windows Desktop Application STIG VR31 requires every machine to have an updated anti-virus program installed and active for on-access and on-demand virus detection.


Mitigations: 
McAfee workaround

Mitigation Control: 
McAfee has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.

Workaround for McAfee Products:
All users should enable On-Access-Scanning on all endpoint devices. This is the default setting after installation. By using On-Access-Scanning, endpoints will catch any threats that may pass on gateway devices. McAfee has long supported a defense-in-depth strategy that includes running antivirus software on multiple points of your network, including gateways, file servers, and especially endpoints.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
Apply McAfee patch or upgrade to a non-vulnerable version.

Vulnerable applications
All McAfee software that uses DATs

Fix Action: Update .DAT files to DAT 5600 or later.

Note: System administrators should review the McAfee Security Advisory to determine affected applications/systems and appropriate fix actions.

  _____________________________________________________________

Group ID (Vulid): V-19888
Group Title: 2009-B-0038
Rule ID: SV-22051r2_rule
Severity: CAT II
Rule Version (STIG-ID): 2009-B-0038
Rule Title: Multiple Vulnerabilities in Adobe JRun


Vulnerability Discussion: Adobe has released a security bulletin addressing multiple vulnerabilities in Adobe JRun. JRun is a Java 2 Platform Enterprise Edition application server. To exploit these vulnerabilities, a remote attacker would create a malicious URI and entice a user to follow the link or submit the URI to an affected system. Successful exploitation of these vulnerabilities would facilitate unauthorized information disclosure and remote code execution resulting in the compromise of an affected system.

At this time, there are known exploits available for these vulnerabilities; JTF-GNO is not aware of any DOD incidents related to these vulnerabilities.

Directory Traversal Vulnerability - (CVE-2009-1873):
An update for JRun resolves a management console directory traversal vulnerability that could potentially lead to information disclosure.

Cross-Site Scripting Vulnerability - (CVE-2009-1874):
An update for JRun resolves multiple management console cross-site scripting vulnerabilities that could potentially lead to code execution.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
Download and apply the appropriate patches from the vendor. See IAVM notice and vendor bulletin for additional information.

Vulnerable Applications/Systems:
JRun 4.0

Perform the following to determine the JRun version:
Open a command prompt
Change to the Jrun bin directory, typically at \JRun\bin on Windows
Type one of the commands below:
Jrun -info
Jrun -version


Check Content: 
To check the version, after determining the binary is not a trojan, as a non-privileged user:

# jrun -version

Ask the SA or web server administrator if the hotfix for CVE-2009-1874 has been applied.

  _____________________________________________________________

Group ID (Vulid): V-19906
Group Title: 2009-B-0042
Rule ID: SV-22076r2_rule
Severity: CAT II
Rule Version (STIG-ID): 2009-B-0042
Rule Title: Autonomy KeyView Buffer Overflow Vulnerability in Symantec Mail Security and IBM Lotus Notes


Vulnerability Discussion: Symantec and IBM released security advisories addressing a vulnerability in the Autonomy KeyView module. Autonomy KeyView is a commercial Software Development Kit (SDK) that provides file format parsing libraries. Autonomy KeyView is utilized in third-party vendors' products and is shipped with the vulnerable Symantec and IBM products addressed in this notice. To exploit this vulnerability, an attacker would entice a user of an affected system to view a maliciously crafted Excel document sent via email. Successful exploitation would result in execution of arbitrary code in the context of the affected application. Failed exploit attempts would result in a denial of service condition. At this time, there are known exploits available for this vulnerability; JTF-GNO is not aware of any DoD incidents related to this vulnerability.

Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
The vendors have tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.

Symantec Temporary Mitigation:
Symantec Security Response has released a Bloodhound detection, Bloodhound.Exploit.243, to detect and block attempts to exploit this issue. Detections are available through LiveUpdate or from the Symantec Security Response download site, http://www.symantec.com/business/security_response/definitions.jsp.

Temporary Workaround for Symantec Mail Security for Domino:
Installations of SMS for Domino 7.5 and 8.0 that do not utilize the Content Filtering capabilities of the product are not susceptible to this issue. SMS for Domino 7.5 and 8.0 would be susceptible only if the attachment content scanning option is enabled.

As an interim workaround, administrators unable to upgrade to the recommended solution may disable content filtering rules that contain parameters that specify scanning of attachment content. The rules do not need to be deleted, only disabled until the updated release is installed.

To disable the content filtering rules for Symantec Mail Security for Domino:
- Select the "Content Filtering" tab to display the list of currently enabled rules
- Click on the checkmark to the left of any rules that utilize attachment content filtering, changing it to a red "X" and disabling the rule

Temporary Workaround for Symantec Mail Security for Microsoft Exchange:
Installations of SMS for Microsoft Exchange 5.x that do not utilize the Content Filtering capabilities of the product are not susceptible. SMS for Microsoft Exchange 5.x is susceptible only if the attachment content scanning option is enabled.

As an interim workaround, administrators unable to upgrade to the recommended solution may disable content filtering rules that contain parameters that specify scanning of attachment content. The rules do not need to be deleted, only disabled until the updated release is installed.

To disable the content filtering rules for SMS for Microsoft Exchange:
- Select the "Policies" tab and then choose "Content Filtering" to display the list of currently enabled rules
- Ensure that all rules using attachment content are "disabled"

Temporary Workaround for Symantec Mail Security for SMTP and Symantec Mail Security/Brightmail Gateway Appliance:
Risk from this vulnerability is limited to installations of SMS for SMTP and SMS Appliance in which the attachment content scanning option is enabled; installations that do not utilize the Content Filtering capabilities of the product are not susceptible to this issue.

As an interim workaround, administrators unable to upgrade to the recommended solution may disable content filtering rules that contain parameters that specify scanning of attachment content. The rules do not need to be deleted, only disabled until the updated release is installed.

To disable the content filtering rules for SMS for SMTP and SMS Appliance 5.x:
Log into the management console and navigate to:
- Settings >> Email Scanning >> Scanning
- Disable the item "Enable searching of non-plain text attachments for words in dictionaries" by deselecting the checkbox, and save
- Disable any Compliance policies with a condition "If the Attachment content . . ."

To disable the content filtering rules for SMS/SBM Gateway Appliance after 5.x:
- Log into the management console and navigate to the SMTP Scanning Settings screen
- Disable the item "Enable searching of non-plain text attachments for words in dictionaries" by deselecting the checkbox, and save
- Disable any Compliance policies with a condition:
      "If any part of the message matches" (or "does not match") a regular expression, pattern or Record Resource.
      "If text in Attachment content part of the message . . . "

IBM Temporary Mitigation For Notes 8.5.x, 8.0x, and 7.x:
Disable the affected file viewer by following one of the options below:

Delete the keyview.ini file in the Notes program directory:
This disables ALL viewers. When a user clicks View (for any file attachment), a dialog box will display with the message "Unable to locate the viewer configuration file."

Delete or rename the affected DLL file:
In this case the affected DLL file is xlssr.dll. When a user tries to view a Microsoft Excel file, a dialog box will display with the message "The viewer display window could not be initialized." All other file types work without returning the error message.

Comment out lines in keyview.ini that reference the affected DLL file:
To comment out a line, precede it with a semi-colon (;). When a user tries to view the specific file type, a dialog box will display with the message "The viewer display window could not be initialized."

Example:
[KVWKBVE] --> this is the section of the keyview.ini
;188=xlssr.dll --> this would be the result of the Excel dll commented out

IBM Mitigation For Notes 5.x and 6.x:
Disable the affected file viewer by following one of the options below:

Delete the keyview.ini file in the Notes program directory:
This disables ALL viewers. When a user clicks View (for any file attachment), a dialog box will display with the message "Unable to locate the viewer configuration file."

Delete or rename the affected DLL file:
In this case the affected DLL file is xlssr.dll. When a user tries to view a Microsoft Excel file, a dialog box will display with the message "The viewer display window could not be initialized." All other file types work without returning the error message.

Comment out lines in keyview.ini that reference the affected DLL file:
To comment out a line, precede it with a semi-colon (;). When a user tries to view the specific file type, a dialog box will display with the message "The viewer display window could not be initialized."

Example:
[KVWKBVE] --> this is the section of the keyview.ini
;188=xlssr.dll --> this would be the result of the Excel dll commented out


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
Download and apply the appropriate patches from the vendor. See the IAVM notice and vendor bulletin for additional information.

Vulnerable applications/systems:
Symantec Mail Security for Domino 7.5.6
Symantec Mail Security for Domino 7.5.5.32
Symantec Mail Security for Domino 7.5.4.29
Symantec Mail Security for Domino 8.0
Symantec Mail Security for Domino 7.5.3.25
Symantec Mail Security for Microsoft Exchange 6.0.8
Symantec Mail Security for Microsoft Exchange 6.0.7
Symantec Mail Security for Microsoft Exchange 6.0.6
Symantec Mail Security for Microsoft Exchange 5.0.12
Symantec Mail Security for Microsoft Exchange 5.0.11
Symantec Mail Security for Microsoft Exchange 5.0.10
Symantec Mail Security for SMTP 5.0.X
Symantec BrightMail Appliance 5.0.X
Symantec BrightMail Appliance 8.0
Symantec BrightMail Appliance 8.0.1
Symantec Mail Security Appliance 5.0.X
Symantec Data Loss Prevention Enforce/Detection Servers 7.2
Symantec Data Loss Prevention Enforce/Detection Servers for Windows 8.1.1
Symantec Data Loss Prevention Enforce/Detection Servers for Windows 9.0.1
Symantec Data Loss Prevention Enforce/Detection Servers for Linux 8.1.1
Symantec Data Loss Prevention Enforce/Detection Servers for Linux 9.0.1
Symantec Data Loss Prevention Endpoint Agents 8.1.1
Symantec Data Loss Prevention Endpoint Agents 9.0.1
IBM Lotus Notes 6.5
IBM Lotus Notes 7.0
IBM Lotus Notes 8.0
IBM Lotus Notes 8.5
Autonomy Keyview Viewer SDK 10.4
Autonomy Keyview Viewer SDK 10.3
Autonomy Keyview Viewer SDK 9
Autonomy Keyview Viewer SDK 8
Autonomy Keyview Viewer SDK 7
Autonomy Keyview Viewer SDK 10
Autonomy Keyview Filter SDK 10.4
Autonomy Keyview Filter SDK 10.3
Autonomy Keyview Filter SDK 9
Autonomy Keyview Filter SDK 8
Autonomy Keyview Filter SDK 7
Autonomy Keyview Filter SDK 10
Autonomy Keyview Export SDK 10.4
Autonomy Keyview Export SDK 10.3
Autonomy Keyview Export SDK 9
Autonomy Keyview Export SDK 8
Autonomy Keyview Export SDK 7
Autonomy Keyview Export SDK 10

Note: For affected IBM products, this issue was determined to impact Windows-based Notes clients; it does not impact Lotus Domino servers.

Additional information is not available to determine vulnerability status. System administrators should review the appropriate vendor security advisory (see references/vendor patch repository section) to determine affected applications/systems and appropriate fix actions.

Vendor Patch Repository

Symantec Security Advisory (SYM09-010)
http://www.symantec.com/business/security_response/securityupdates

IBM Security Alert
http://www-01.ibm.com/support/docview.wss?uid=swg21396492

Autonomy Customer Support (requires account)
https://customers.autonomy.com/


Check Content: 
To determine the version of Lotus Domino perform the following command:

# /opt/lotus/bin/server -v

  _____________________________________________________________

Group ID (Vulid): V-19911
Group Title: 2009-T-0049
Rule ID: SV-22082r1_rule
Severity: CAT I
Rule Version (STIG-ID): 2009-T-0049
Rule Title: Multiple Vulnerabilities in libxml2


Vulnerability Discussion: Multiple vulnerabilities have been reported in libxml2. Libxml2 is free open-source software that provides XML parsing functions that are incorporated into various vendors' products. To exploit these vulnerabilities, a remote attacker would create a malicious XML file and entice a user of an affected system to process the file. If successfully exploited, these vulnerabilities would allow an attacker to cause a denial of service condition on the affected system.

At this time, there are no known exploits associated with these vulnerabilities; JTF-GNO is not aware of any DoD related incidents.
Stack Consumption Denial of Service Vulnerability - (CVE-2009-2414):
Stack consumption vulnerability in libxml2 2.5.10, 2.6.16, 2.6.26, 2.6.27, and 2.6.32, and libxml 1.8.17, allows context-dependent attackers to cause a denial of service (application crash) via a large depth of element declarations in a DTD, related to a function recursion, as demonstrated by the Codenomicon XML fuzzing framework.

Use-After-Free Denial of Service Vulnerability - (CVE-2009-2416):
Multiple use-after-free vulnerabilities in libxml2 2.5.10, 2.6.16, 2.6.26, 2.6.27, and 2.6.32, and libxml 1.8.17, allow context-dependent attackers to cause a denial of service (application crash) via crafted Notation or Enumeration attribute types in an XML file, as demonstrated by the Codenomicon XML fuzzing framework.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
Windows - Download and apply the appropriate patches from the vendor. See the IAVM notice and vendor bulletin for additional information.

Vulnerable applications/systems:
libxml 1.8.17
libxml2 2.5.10
libxml2 2.6.16
libxml2 2.6.26
libxml2 2.6.27
libxml2 2.6.32

Note: Due to the large number of third party products affected by these vulnerabilities, systems administrators should validate their affected systems through the appropriate third party vendors.

Locate the libxml2 installation directory. Open the “readme.txt” file in a text editor to view the version number.


Check Content: 
For Redhat systems:
# rpm -q --changelog libxml2 | egrep "2414|2416"

If the above command does not produce any output, the rpm package has not been updated.

  _____________________________________________________________

Group ID (Vulid): V-21867
Group Title: 2009-A-0105
Rule ID: SV-24586r1_rule
Severity: CAT I
Rule Version (STIG-ID): 2009-A-0105
Rule Title: Multiple Vulnerabilities in VMware Products


Vulnerability Discussion: VMware has reported multiple vulnerabilities in various VMware products. VMware products provide enterprise level virtualization. To exploit these vulnerabilities, an attacker would create a malicious symbolic link in the temporary directory that points to an arbitrary file on the affected system. If successfully exploited, these vulnerabilities would allow an attacker to cause a denial of service on an affected system, gain escalated privileges, bypass certain security restrictions, disclose sensitive information, or possibly execute arbitrary code in the context of the user. At this time, there are no known exploits associated with these vulnerabilities; JTF-GNO is not aware of any DoD related incidents.

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-21885
Group Title: 2009-A-0109
Rule ID: SV-24708r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2009-A-0109
Rule Title: Snort 2.8.5 Remote Denial Of Service Vulnerability


Vulnerability Discussion: A design error vulnerability has been reported affecting Snort. Snort is an open source network Intrusion Detection System (IDS) written for Linux, Unix and Microsoft Windows platforms. To exploit this vulnerability, a remote attacker would send a maliciously crafted IPv6 packet to an affected system. If successfully exploited, the malicious IPv6 packet would be processed by the affected system resulting in a denial of service condition.

At this time, there are known exploits associated with this vulnerability; JTF-GNO is not aware of any DoD related incidents.
Snort IPv6 packets Denial of Service Vulnerability - (CVE-2009-3641):
Snort before 2.8.5.1, when the -v option is enabled, allows remote attackers to cause a denial of service (application crash) via a crafted IPv6 packet that uses the (1) TCP or (2) ICMP protocol.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
Windows - Download and apply the appropriate patches from the vendor. See IAVM notice and vendor bulletin for additional information.

Vulnerable Applications/Systems:
Snort 2.8.5 and earlier

Open a command prompt
Change to the directory where “Snort.exe” is located (default is C:\Snort\Bin)
Enter “snort -V” (Capital “V”, this is case sensitive - do not use a lower case “v”)


Check Content: 
Vulnerable Versions:
Snort Project Snort 2.8.5

Check Content:
# snort -V

Update to Snort 2.8.5.1 or later
  _____________________________________________________________

Group ID (Vulid): V-22104
Group Title: 2009-A-0135
Rule ID: SV-25549r2_rule
Severity: CAT II
Rule Version (STIG-ID): 2009-A-0135
Rule Title: Red Hat Local Privilege Escalation Vulnerability


Vulnerability Discussion: Red Hat has addressed a vulnerability affecting the acpid daemon on various Red Hat platforms. The 'acpid' daemon is an ACPI (Advanced Configuration and Power Interface) policy daemon for Linux. To exploit this vulnerability, an attacker would leverage weak permissions in the /var/log/acpid log file. If successfully exploited, this vulnerability would allow an attacker to elevate their privileges and compromise the affected system.

At this time, there are no known exploits associated with this vulnerability; JTF-GNO is not aware of any DoD related incidents.

acpid daemon Vulnerability - (CVE-2009-4033):
A certain Red Hat patch for acpid 1.0.4 effectively triggers a call to the open function with insufficient arguments, which might allow local users to leverage weak permissions on /var/log/acpid, and obtain sensitive information by reading this file, cause a denial of service by overwriting this file, or gain privileges by executing this file.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
# rpm -qa | grep acpid | xargs rpm -q --changelog | grep 4033
  _____________________________________________________________

Group ID (Vulid): V-22105
Group Title: 2009-B-0065
Rule ID: SV-25550r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2009-B-0065
Rule Title: Multiple Vulnerabilities in HP OpenView Network Node Manager


Vulnerability Discussion: HP has addressed multiple vulnerabilities affecting HP OpenView Network Node Manager. HP OpenView Network Node Manager (NNM) is a fault-management application for IP networks. To exploit these vulnerabilities, an attacker would create and send malicious data to a vulnerable system. If successfully exploited, these vulnerabilities would allow a remote attacker to take complete control of the affected system. Failed attempts will result in a denial-of-service condition.

At this time, there are known exploits associated with some of these vulnerabilities; JTF-GNO is not aware of any DoD related incidents.
HP OpenView Network Node Manager Perl CGI Executables Remote Code Execution Vulnerability - (CVE-2009-3845):
The port-3443 HTTP server in HP OpenView Network Node Manager (OV NNM) 7.01, 7.51, and 7.53 allows remote attackers to execute arbitrary commands via shell metacharacters in the hostname parameter to unspecified Perl scripts.

HP OpenView Network Node Manager 'ovlogin.exe' Multiple Remote Code Execution Vulnerabilities - (CVE-2009-3846):
Multiple heap-based buffer overflows in ovlogin.exe in HP OpenView Network Node Manager (OV NNM) 7.01, 7.51, and 7.53 allow remote attackers to execute arbitrary code via a long (1) userid or (2) passwd parameter.

HP OpenView Network Node Manager Remote Code Execution Vulnerability - (CVE-2009-3847):
Unspecified vulnerability in HP OpenView Network Node Manager (OV NNM) 7.01, 7.51, and 7.53 allows remote attackers to execute arbitrary code via unknown vectors.

HP OpenView Network Node Manager 'nnmRptConfig.exe' Remote Code Execution Vulnerability - (CVE-2009-3848):
Stack-based buffer overflow in nnmRptConfig.exe in HP OpenView Network Node Manager (OV NNM) 7.01, 7.51, and 7.53 allows remote attackers to execute arbitrary code via a long Template parameter, related to the vsprintf function.

Hewlett-Packard OpenView Network Node Manager nnmRptConfig.exe Buffer Overflow Vulnerability - (CVE-2009-3849):
Multiple stack-based buffer overflows in HP OpenView Network Node Manager (OV NNM) 7.01, 7.51, and 7.53 allow remote attackers to execute arbitrary code via (1) a long Template parameter to nnmRptConfig.exe, related to the strcat function; or (2) a long Oid parameter to snmp.exe.

HP OpenView Network Node Manager 'ovsessionmgr.exe ' Remote Heap Buffer Overflow Vulnerability - (CVE-2009-4176):
Multiple heap-based buffer overflows in ovsessionmgr.exe in HP OpenView Network Node Manager (OV NNM) 7.01, 7.51, and 7.53 allow remote attackers to execute arbitrary code via a long (1) userid or (2) passwd parameter to ovlogin.exe.

HP OpenView Network Node Manager webappmon.exe CGI Host Header Buffer Overflow Vulnerability - (CVE-2009-4177):
Buffer overflow in webappmon.exe in HP OpenView Network Node Manager (OV NNM) 7.01, 7.51, and 7.53 allows remote attackers to execute arbitrary code via a long HTTP Host header.

HP OpenView Network Node Manager OvWebHelp.exe CGI Topic Heap Overflow Vulnerability - (CVE-2009-4178):
Heap-based buffer overflow in OvWebHelp.exe in HP OpenView Network Node Manager (OV NNM) 7.01, 7.51, and 7.53 allows remote attackers to execute arbitrary code via a long Topic parameter.

HP OpenView Network Node Manager ovalarm.exe CGI Accept-Language Stack Overflow Vulnerability - (CVE-2009-4179):
Stack-based buffer overflow in ovalarm.exe in HP OpenView Network Node Manager (OV NNM) 7.01, 7.51, and 7.53 allows remote attackers to execute arbitrary code via a long HTTP Accept-Language header in an OVABverbose action.

HP OpenView Network Node Manager snmpviewer.exe CGI Host Header Stack Overflow Vulnerability - (CVE-2009-4180):
Stack-based buffer overflow in snmpviewer.exe in HP OpenView Network Node Manager (OV NNM) 7.01, 7.51, and 7.53 allows remote attackers to execute arbitrary code via a long HTTP Host header.

HP OpenView Network Node Manager 'ovwebsnmpsrv.exe' Remote Stack Buffer Overflow Vulnerability - (CVE-2009-4181):
Stack-based buffer overflow in ovwebsnmpsrv.exe in HP OpenView Network Node Manager (OV NNM) 7.01, 7.51, and 7.53 allows remote attackers to execute arbitrary code via vectors involving the sel and arg parameters to jovgraph.exe.

HP OpenView Network Node Manager Unspecified Stack Buffer Overflow Vulnerability - (CVE-2009-0898):
Stack-based buffer overflow in HP OpenView Network Node Manager (OV NNM) 7.01, 7.51, and 7.53 allows remote attackers to execute arbitrary code via a crafted HTTP request.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
Download and apply the appropriate patches from the vendor. See the IAVM notice and vendor bulletin for additional information.

Vulnerable Applications/Systems:
HP OpenView Network Node Manager (OV NNM) v7.01
HP OpenView Network Node Manager (OV NNM) v7.51
HP OpenView Network Node Manager (OV NNM) v7.53
     
OV NNM 7.03 is resolved with patch NNM_01159 or subsequent
OV NNM 7.51 upgrade to 7.53 and install patches
OV NNM 7.53 is resolved with patch NNM_01201 or subsequent

Interview the SA to determine if patch has been installed.


Check Content: 
Verify the following patches have been loaded for OpenView:

OV NNM v7.53

Operating System           Patch
HP-UX (IA)                 PHSS_40375 or subsequent
HP-UX (PA)                 PHSS_40374 or subsequent
Linux RedHatAS2.1          LXOV_00101 or subsequent
Linux RedHat4AS-x86_64     LXOV_00102 or subsequent
Solaris                    PSOV_03525 or subsequent

All other versions should upgrade to 7.53 and apply the patches listed above.
  _____________________________________________________________

Group ID (Vulid): V-22162
Group Title: 2009-A-0136
Rule ID: SV-25728r2_rule
Severity: CAT II
Rule Version (STIG-ID): 2009-A-0136
Rule Title: DISA UNIX Security Readiness Review (SRR) Scripts Local Privilege Escalation Vulnerability


Vulnerability Discussion: A vulnerability has been identified in certain versions of the DISA UNIX Security Readiness Review (SRR) script. DISA SRR scripts are used to test products for Security Technical Implementation Guide (STIG) compliance. To exploit this vulnerability, an attacker would place a specially named malicious executable file on a UNIX asset. When the vulnerable SRR script is run on that UNIX asset, the malicious file will be executed with root level privileges resulting in the complete compromise of the affected system.

Running the vulnerable UNIX SRR script will result in exploitation if a malicious file sufficient to exploit this vulnerability is present; JTF-GNO is not aware of any DoD related incidents.

Security Readiness Review (SRR) script Vulnerability - (CVE-2009-4211):
The U.S. Defense Information Systems Agency (DISA) Security Readiness Review (SRR) script for the Solaris x86 platform executes files in arbitrary directories as root for filenames equal to (1) java, (2) openssl, (3) php, (4) snort, (5) tshark, (6) vncserver, or (7) wireshark, which allows local users to gain privileges via a Trojan horse program.


Mitigations: 
DISA mitigation

Mitigation Control: 
Do NOT run any UNIX SRR script prior to the December 18, 2009 release.

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
# find / -depth -name Start-SRR -print

Verify the SRR scripts' parent directory contains no scripts older than February of 2010.

  _____________________________________________________________

Group ID (Vulid): V-22180
Group Title: 2010-A-0001
Rule ID: SV-25821r1_rule
Severity: CAT I
Rule Version (STIG-ID): 2010-A-0001
Rule Title: Multiple Vulnerabilities in Linux Kernel


Vulnerability Discussion: Linux has addressed multiple vulnerabilities affecting the Linux kernel. To exploit these vulnerabilities, an attacker would interact with the vulnerable environment in a manner sufficient to escalate privileges or send malicious packets to the affected system. If successfully exploited, these vulnerabilities would lead to elevation of privileges or cause a denial of service condition resulting in the compromise of an affected system.

At this time, there are no known exploits associated with this vulnerability; JTF-GNO is not aware of any DoD related incidents.

Linux Kernel Local Privilege Escalation Vulnerability - (CVE-2009-3080):
Array index error in the gdth_read_event function in drivers/scsi/gdth.c in the Linux kernel before 2.6.32-rc8 allows local users to cause a denial of service or possibly gain privileges via a negative event index in an IOCTL request.

Linux Kernel Local Privilege Escalation Vulnerability - (CVE-2009-4131):
The EXT4_IOC_MOVE_EXT (aka move extents) ioctl implementation in the ext4 filesystem in the Linux kernel before 2.6.32-git6 allows local users to overwrite arbitrary files via a crafted request, related to insufficient checks for file permissions.

Linux Kernel Integer Overflow Vulnerability - (CVE-2009-4307):
The ext4_fill_flex_info function in fs/ext4/super.c in the Linux kernel before 2.6.32-git6 allows user-assisted remote attackers to cause a denial of service (divide-by-zero error and panic) via a malformed ext4 filesystem containing a super block with a large FLEX_BG group size (aka s_log_groups_per_flex value).

Linux Kernel Denial of Service Vulnerability - (CVE-2009-4308):
The ext4_decode_error function in fs/ext4/super.c in the ext4 filesystem in the Linux kernel before 2.6.32 allows user-assisted remote attackers to cause a denial of service (NULL pointer dereference), and possibly have unspecified other impact, via a crafted read-only filesystem that lacks a journal.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-22181
Group Title: 2010-B-0002
Rule ID: SV-25822r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2010-B-0002
Rule Title: Multiple Remote Vulnerabilities in Sun Java System Directory Server


Vulnerability Discussion: Sun Microsystems has reported multiple vulnerabilities affecting Sun Java System Directory Server. The Sun Java System Directory Server is an LDAP (Lightweight Directory Access Protocol) protocol-level gateway server distributed with Sun Directory Server Enterprise Edition. These servers support Solaris 8, 9, and 10 SPARC and x86 platforms, Linux, Windows, and HP-UX operating systems. To exploit these vulnerabilities, a remote attacker would submit maliciously crafted scripts or data to the affected server. If successfully exploited, these vulnerabilities would allow a remote attacker to gain unauthorized administrative access to the affected server.

At this time, there are no known exploits associated with these vulnerabilities; JTF-GNO is not aware of any DoD incidents related to these vulnerabilities.

Sun Java System Directory Server Enterprise Edition improper handling of client connection Vulnerability - (CVE-2009-4440):
A vulnerability in Directory Proxy Server (DPS) in Sun Java System Directory Server Enterprise Edition 6.0 through 6.3.1 does not properly handle multiple client connections within a short time window, which allows remote attackers to hijack the backend connection of an authenticated user, and obtain the privileges of this user, by making a client connection in opportunistic circumstances, related to "long binds," aka Bug Ids 6828462 and 6823593.

Sun Java System Directory Server Enterprise Edition Denial of Service Vulnerability - (CVE-2009-4441):
A vulnerability in Directory Proxy Server (DPS) in Sun Java System Directory Server Enterprise Edition 6.0 through 6.3.1 does not enable the SO_KEEPALIVE socket option, which makes it easier for remote attackers to cause a denial of service (connection slot exhaustion) via multiple connections, aka Bug Id 6782659.

Sun Java System Directory Server Enterprise Edition max-client-connections Vulnerability - (CVE-2009-4442):
Directory Proxy Server (DPS) in Sun Java System Directory Server Enterprise Edition 6.0 through 6.3.1 does not properly implement the max-client-connections configuration setting, which allows remote attackers to cause a denial of service (connection slot exhaustion) by making multiple connections and performing no operations on these connections, aka Bug Id 6648665.

Sun Java System Directory Server Enterprise Edition persistent search Vulnerability - (CVE-2009-4443):
Unspecified vulnerability in the psearch (aka persistent search) functionality in Directory Proxy Server (DPS) in Sun Java System Directory Server Enterprise Edition 6.0 through 6.3.1 allows remote attackers to cause a denial of service (psearch outage) by using a crafted psearch client to send requests that trigger a psearch thread loop, aka Bug Id 6855978.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
Windows - See IAVM notice and vendor bulletin for additional information.

Vulnerable Applications/Systems:
Directory Server Enterprise Edition 6.0
Directory Server Enterprise Edition 6.1
Directory Server Enterprise Edition 6.2
Directory Server Enterprise Edition 6.3
Directory Server Enterprise Edition 6.3.1 without patch 141958-01

Search for the file dpadm.exe.
Navigate to its location and type 'dpadm -V' at a command prompt.

Upgrade to Sun Java Directory Server Enterprise Edition 6.3.1 and apply the appropriate patch.


Check Content: 
Vulnerable Systems:

Directory Server Enterprise Edition 6.0
Directory Server Enterprise Edition 6.1
Directory Server Enterprise Edition 6.2
Directory Server Enterprise Edition 6.3
Directory Server Enterprise Edition 6.3.1 without patch 141958-01

Check Content:

To determine the version of Sun Java System Directory Server, issue the following command:

# dpadm -V

If the version number returned is not an approved version this is a finding.
  _____________________________________________________________

Group ID (Vulid): V-22182
Group Title: 2010-A-0002
Rule ID: SV-25823r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2010-A-0002
Rule Title: Sendmail SSL Certificate Validation Vulnerability


Vulnerability Discussion: The Sendmail Consortium has released an update to address a vulnerability affecting Sendmail. Sendmail is the most commonly used Simple Mail Transfer Protocol (SMTP) server in Unix environments and is packaged with many Unix implementations including Sun Solaris, Hewlett-Packard HP-UX, IBM AIX and Red Hat Linux. To exploit this vulnerability, an attacker would present a maliciously crafted certificate to a vulnerable system. If successfully exploited, this vulnerability would allow an attacker to perform man-in-the-middle attacks or impersonate trusted servers, resulting in the compromise of affected systems.

At this time, there are known exploits associated with this vulnerability; JTF-GNO is not aware of any DoD related incidents.

Null Character Certificate Validation Vulnerability (CVE-2009-4565):
Sendmail before 8.14.4 does not properly handle a '\0' character in a Common Name (CN) field of an X.509 certificate, which (1) allows man-in-the-middle attackers to spoof arbitrary SSL-based SMTP servers via a crafted server certificate issued by a legitimate Certification Authority, and (2) allows remote attackers to bypass intended access restrictions via a crafted client certificate issued by a legitimate Certification Authority.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
Unix - Solaris

Determine the version of the Sendmail software:

# telnet localhost 25

Sendmail should greet you with its welcome message and tell you the version of its binary and config file. Enter QUIT to leave this mode. If this command does not return any version information, then

# sendmail -d0.4 -bv root

should tell you its version and some basic settings.

Upgrade to non-vulnerable version of affected product.
  _____________________________________________________________

Group ID (Vulid): V-22631
Group Title: 2010-A-0015
Rule ID: SV-26341r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2010-A-0015
Rule Title: Multiple Vulnerabilities in Red Hat Linux Kernel


Vulnerability Discussion: Red Hat has addressed multiple vulnerabilities affecting the Linux kernel. Red Hat Network is a complete systems management platform for Linux that's built on open standards and uses a simple, Internet-based graphical interface. To exploit these vulnerabilities, an attacker would send malicious packets to the affected system or interact with the vulnerable environment in a manner sufficient to escalate privileges. If successfully exploited, these vulnerabilities would lead to elevation of privileges or cause a denial of service condition resulting in the compromise of an affected system.

At this time, there are no known exploits associated with this vulnerability; JTF-GNO is not aware of any DoD related incidents.

Rewrite Attack Vulnerability - (CVE-2006-6304):
The RHSA-2009:0225 update introduced a rewrite attack flaw in the do_coredump() function. A local attacker able to guess the file name a process is going to dump its core to, prior to the process crashing, could use this flaw to append data to the dumped core file. This issue only affects systems that have "/proc/sys/fs/suid_dumpable" set to 2 (the default value is 0).

Information Disclosure Vulnerability - (CVE-2009-2910)
An information leak was found in the Linux kernel. On AMD64 systems, 32-bit processes could access and read certain 64-bit registers by temporarily switching themselves to 64-bit mode.

Array Index Error Vulnerability (CVE-2009-3080)
An array index error was found in the gdth driver. A local user could send a specially-crafted IOCTL request that would cause a denial of service or, possibly, privilege escalation.

N-Port Virtualization Vulnerability - (CVE-2009-3556)
The RHBA-2008:0314 update introduced N_Port ID Virtualization (NPIV) support in the qla2xxx driver, resulting in two new sysfs pseudo files, "/sys/class/scsi_host/[a qla2xxx host]/vport_create" and "vport_delete". These two files were world-writable by default, allowing a local user to change SCSI host attributes. This flaw only affects systems using the qla2xxx driver and NPIV capable hardware.

megaraid_sas Driver Permissions Vulnerability - (CVE-2009-3889, CVE-2009-3939)
Permission issues were found in the megaraid_sas driver. The "dbg_lvl" and "poll_mode_io" files on the sysfs file system ("/sys/") had world-writable permissions. This could allow local, unprivileged users to change the behavior of the driver.

Buffer Overflow Vulnerability - (CVE-2009-4020):
A buffer overflow flaw was found in the hfs_bnode_read() function in the HFS file system implementation. This could lead to a denial of service if a user browsed a specially-crafted HFS file system, for example, by running "ls".

FUSE implementation Vulnerability - (CVE-2009-4021):
A flaw was found in the FUSE implementation. When a system is low on memory, fuse_put_request() could dereference an invalid pointer, possibly leading to a local denial of service or privilege escalation.

NULL pointer dereference Vulnerability - (CVE-2009-4138):
A NULL pointer dereference flaw was found in the firewire-ohci driver used for OHCI compliant IEEE 1394 controllers. A local, unprivileged user with access to /dev/fw* files could issue certain IOCTL calls, causing a denial of service or privilege escalation. The FireWire modules are blacklisted by default, and if enabled, only root has access to the files noted above by default.

fasync_helper() Implementation Vulnerability - (CVE-2009-4141):
A deficiency issue was discovered in the fasync_helper() implementation. This could allow a local, unprivileged user to leverage a use-after-free of locked, asynchronous file descriptors to cause a denial of service or privilege escalation.

Multiple Routing Implementation Vulnerabilities - (CVE-2009-4272)
The RHSA-2009:1243 update introduced two flaws in the routing implementation. If an attacker was able to cause a large enough number of collisions in the routing hash table (via specially-crafted packets) for the emergency route flush to trigger, a deadlock could occur. Secondly, if the kernel routing cache was disabled, an uninitialized pointer would be left behind after a route lookup, leading to a kernel panic.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
To determine if the kernel patch has been applied, perform the following command:

# rpm -qa | grep kernel | xargs rpm -q --changelog | grep 4272

4272 is the last four digits of the CVE identifier (CVE-2009-4272); a matching changelog line shows this vulnerability has been addressed.

  _____________________________________________________________

Group ID (Vulid): V-22670
Group Title: 2010-A-0022
Rule ID: SV-26982r2_rule
Severity: CAT II
Rule Version (STIG-ID): 2010-A-0022
Rule Title: Multiple HelixPlayer Vulnerabilities in Red Hat Enterprise Linux 4


Vulnerability Discussion: Red Hat has released a security advisory addressing multiple vulnerabilities affecting the Red Hat implementation of HelixPlayer. HelixPlayer is a media player available for Linux, BSD, and Solaris platforms. To exploit these vulnerabilities, a remote attacker would leverage various tactics, techniques and procedures (TTP) against affected systems. If successfully exploited, these vulnerabilities would result in the compromise of affected systems.

At this time, there are known exploits associated with at least one of these vulnerabilities; the JTF-GNO is not aware of any DoD related incidents.

HelixPlayer Heap Overflow Vulnerability - (CVE-2009-4242 / CVE-2009-4245):
Multiple buffer and integer overflow flaws were found in the way HelixPlayer processed Graphics Interchange Format (GIF) files. An attacker could create a specially-crafted GIF file which would cause HelixPlayer to crash or, potentially, execute arbitrary code when opened.

HelixPlayer ASM RuleBook Array Overflow Vulnerability - (CVE-2009-4247 / CVE-2010-0417):
Multiple buffer overflow flaws were discovered in the way HelixPlayer handled RuleBook structures in media files and RTSP streams. Specially-crafted input could cause HelixPlayer to crash or, potentially, execute arbitrary code.

HelixPlayer rtsp set_parameter buffer overflow Vulnerability - (CVE-2009-4248):
A buffer overflow flaw was found in the way HelixPlayer handled the Real Time Streaming Protocol (RTSP) SET_PARAMETER directive. A malicious RTSP server could use this flaw to crash HelixPlayer or, potentially, execute arbitrary code.

HelixPlayer SMIL Parsing Heap Overflow Vulnerability - (CVE-2009-4257):
A buffer overflow flaw was found in the way HelixPlayer processed Synchronized Multimedia Integration Language (SMIL) files. An attacker could create a specially-crafted SMIL file which would cause HelixPlayer to crash or, potentially, execute arbitrary code when opened.

HelixPlayer URL Un-escaping Vulnerability - (CVE-2010-0416):
A buffer overflow flaw was found in the way HelixPlayer performed URL un-escaping. A specially-crafted URL string could cause HelixPlayer to crash or, potentially, execute arbitrary code.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
To determine if the patch has been applied, perform the following command:

# rpm -qa | grep helixplayer | xargs rpm -q --changelog | grep 0417

0417 is the last four digits of the CVE identifier (CVE-2010-0417); a matching changelog line shows this vulnerability has been addressed.

  _____________________________________________________________

Group ID (Vulid): V-22671
Group Title: 2010-B-0009
Rule ID: SV-26983r1_rule
Severity: CAT I
Rule Version (STIG-ID): 2010-B-0009
Rule Title: Adobe Products XML Processing Information Disclosure Vulnerability


Vulnerability Discussion: Adobe has released a security bulletin addressing a vulnerability in multiple Adobe products. To exploit this vulnerability, a remote attacker would create and send a malicious request to the affected application. If successfully exploited, this vulnerability would allow an unauthenticated remote attacker to obtain sensitive information and compromise the affected application.

At this time, there are no known exploits associated with this vulnerability; JTF-GNO is not aware of any DoD related incidents.

Adobe Products XML Processing Vulnerability - (CVE-2009-3960):
The vulnerability is caused due to an error when processing incoming requests and can be exploited to disclose files via XML external entity references and injected tags.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
See IAVM notice and vendor bulletin for additional information.

Vulnerable Applications/Systems:
Adobe BlazeDS version 3.2 and prior
Adobe LiveCycle versions 9.0, 8.2.1, and 8.0.1
Adobe LiveCycle Data Services versions 3.0, 2.6.1, and 2.5.1
Adobe Flex Data Services version 2.0.1
Adobe ColdFusion versions 9.0, 8.0.1, 8.0, and 7.0.2

View installed programs or the applications Help/About feature for versions.


Check Content: 
Refer to the Adobe Products Security Advisory APSB10-05 for details.
  _____________________________________________________________

Group ID (Vulid): V-22672
Group Title: 2010-B-0010
Rule ID: SV-27002r2_rule
Severity: CAT II
Rule Version (STIG-ID): 2010-B-0010
Rule Title: HP Network Node Manager Arbitrary Command Execution Vulnerability


Vulnerability Discussion: HP has addressed a vulnerability affecting HP OpenView Network Node Manager. HP OpenView Network Node Manager (NNM) is a fault-management application for IP networks. To exploit this vulnerability, an attacker would create and send malicious data to a vulnerable system. If successfully exploited, this vulnerability would allow a remote attacker to compromise the affected system.

At this time, there are no known exploits associated with this vulnerability; JTF-GNO is not aware of any DoD related incidents.
HP OpenView Network Node Manager Remote Execution of Arbitrary Commands Vulnerability - (CVE-2010-0445):
Unspecified vulnerability in HP Network Node Manager (NNM) 8.10, 8.11, 8.12, and 8.13 allows remote attackers to execute arbitrary commands via unknown vectors.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
See the IAVM notice and vendor bulletin for additional information.

Affected Products:
HP OpenView Network Node Manager 8.10
HP OpenView Network Node Manager 8.11
HP OpenView Network Node Manager 8.12
HP OpenView Network Node Manager 8.13

Required patch - NNM810W_00006 or subsequent

Interview the SA to determine if patch has been installed.


Check Content: 
Verify the following patches have been loaded for OpenView:

HP-UX: PHSS_40368 or subsequent
Linux RedHat4AS: NNM810L_00006 or subsequent
Solaris: NNM810S_00006 or subsequent

  _____________________________________________________________

Group ID (Vulid): V-22697
Group Title: 2010-B-0016
Rule ID: SV-27230r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2010-B-0016
Rule Title: Multiple Vulnerabilities in Cisco Security Agent


Vulnerability Discussion: Cisco has released an advisory addressing multiple vulnerabilities in Cisco Security Agent. Cisco Security Agent is a security software agent that provides threat protection for server and desktop computing systems and comes pre-installed in various Cisco products. To exploit these vulnerabilities, an attacker would interact with a vulnerable system in a malicious manner. Successful exploitation of these vulnerabilities would result in the compromise of affected systems.

At this time, there are no known exploits associated with these vulnerabilities; JTF-GNO is not aware of any DoD related incidents.
Management Center for Cisco Security Agents Directory Traversal Vulnerability - (CVE-2010-0146):
The Management Center for Cisco Security Agents is affected by a directory traversal vulnerability that may allow an authenticated attacker to view and download arbitrary files from the server that is hosting the Management Center for Cisco Security Agents. Cisco Security Agent release 6.0 is affected by the directory traversal vulnerability.
This vulnerability is documented in Cisco Bug ID CSCtd73275 (registered customers only).

Management Center for Cisco Security Agents SQL Injection Vulnerability - (CVE-2010-0147):
The Management Center for Cisco Security Agents is also affected by a SQL injection vulnerability that may allow an authenticated attacker to execute SQL statements that can cause the Management Center for Cisco Security Agents to become unstable or modify its configuration. These configuration changes may result in modifications to the security policies of the endpoints. Additionally, an attacker may create, delete, or modify management user accounts that are found in the Management Center for Cisco Security Agents. Cisco Security Agent releases 5.1, 5.2 and 6.0 are affected by the SQL injection vulnerability.

This vulnerability is documented in Cisco Bug ID CSCtd73290 (registered customers only).

Cisco Security Agent Denial of service vulnerability - (CVE-2010-0148):
Cisco Security Agent is affected by a DoS vulnerability that could allow an unauthenticated attacker to cause a system to crash by sending a series of TCP packets. Cisco Security Agent release 5.2 is affected by the DoS vulnerability.

This vulnerability is documented in Cisco Bug ID CSCtb89870 (registered customers only).

Note: The Windows and Sun Solaris versions of the Cisco Security Agent are not affected by the DoS vulnerability.



Mitigations: 
Cisco mitigations

Mitigation Control: 
Cisco has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.

Additional mitigations that can be deployed on Cisco devices within the network are available in the Cisco Applied Intelligence companion document for this Advisory:
http://www.cisco.com/warp/public/707/cisco-amb-20100217-csa.shtml


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
Vulnerable Systems:

Cisco Security Agent 5.1 prior to 5.1.0.117
Cisco Security Agent 5.2 prior to 5.2.0.296
Cisco Security Agent 6.0 prior to 6.0.1.132

Note: The Sun Solaris versions of the Cisco Security Agent are not affected by the DoS vulnerability.

Determine if the CSA agent is installed via an rpm or tar file by:

# rpm -qa | grep -i "^CSAagent"

OR

# find / -depth -print | grep -i CSAagent

If found, determine the CSAagent version via the rpm or strings command, and if it is not greater than or equal to the above listed versions, this is a finding.

  _____________________________________________________________

Group ID (Vulid): V-22704
Group Title: 2010-A-0037
Rule ID: SV-27405r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2010-A-0037
Rule Title: Multiple Vulnerabilities in Linux Kernel


Vulnerability Discussion: Multiple vulnerabilities have been identified that affect the Linux kernel. The Linux kernel is an operating system kernel used by Linux based operating systems. To exploit these vulnerabilities, an attacker would send malicious data to an affected system or interact with a vulnerable system in a malicious manner. If successfully exploited, these vulnerabilities would lead to elevation of privileges or cause a denial of service condition resulting in the compromise of an affected system.

At this time, there are known exploits associated with at least one of these vulnerabilities; JTF-GNO is not aware of any DoD related incidents.

Linux Kernel Buffer Overflow Vulnerability - (CVE-2010-0297):
Buffer overflow in the usb_host_handle_control function in the USB passthrough handling implementation in usb-linux.c in QEMU before 0.11.1 allows guest OS users to cause a denial of service (guest OS crash or hang) or possibly execute arbitrary code on the host OS via a crafted USB packet.

Linux Kernel x86 emulator Vulnerability - (CVE-2010-0298):
The x86 emulator in KVM 83 does not use the Current Privilege Level (CPL) and I/O Privilege Level (IOPL) in determining the memory access available to CPL3 code, which allows guest OS users to cause a denial of service (guest OS crash) or gain privileges on the guest OS by leveraging access to a (1) IO port or (2) MMIO region, a related issue to CVE-2010-0306.

Linux Kernel x86 emulator SMP Vulnerability - (CVE-2010-0306):
The x86 emulator in KVM 83, when a guest is configured for Symmetric Multiprocessing (SMP), does not use the Current Privilege Level (CPL) and I/O Privilege Level (IOPL) to restrict instruction execution, which allows guest OS users to cause a denial of service (guest OS crash) or gain privileges on the guest OS by leveraging access to a (1) IO port or (2) MMIO region, and replacing an instruction in between emulator entry and instruction fetch, a related issue to CVE-2010-0298.

Linux Kernel PIT Denial of Service Vulnerability - (CVE-2006-0309):
The pit_ioport_read function in the Programmable Interval Timer (PIT) emulation in i8254.c in KVM 83 does not properly use the pit_state data structure, which allows guest OS users to cause a denial of service (host OS crash or hang) by attempting to read the /dev/port file.

Linux Kernel 'devtmpfs' Insecure Root Directory Permission Vulnerability - (CVE-2010-0299):
openSUSE 11.2 installs the devtmpfs root directory with insecure permissions (1777), which allows local users to gain privileges via unspecified vectors.

Note: The Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 and Red Hat Enterprise MRG did not include support for devtmpfs, and therefore are not affected by CVE-2010-0299. See the CVE-2010-0299 Red Hat Bugzilla entry for more information.

Linux Kernel x86 emulator loaded segment selector Vulnerability - (CVE-2010-0419):
A flaw was found in the way the x86 emulator loaded segment selectors (used for memory segmentation and protection) into segment registers. In some guest system configurations, an unprivileged guest user could leverage this flaw to crash the guest or possibly escalate their privileges within the guest.




Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
Check the kernel version with:

# uname -a

Using the kernel version from above, view CVE compliance with:

# rpm -q --changelog kernel-<kernel version> | grep <see CVE List below>

CVE List: CVE-2010-0297, CVE-2010-0298, CVE-2010-0306, CVE-2010-0309, CVE-2010-0299, CVE-2010-0419

Note: The Linux kernel as shipped with Red Hat Enterprise Linux 3, 4, 5 and Red Hat Enterprise MRG did not include support for devtmpfs, and therefore are not affected by CVE-2010-0299.

If the version is not at least 2.6.30.4 or the applicable corrected version of the operating system vendor’s kernel then this is a finding.
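The kernel and HelixPlayer checks above all grep an RPM changelog for a CVE, and the kernel check here has a whole list to cover. The following is an added example (not part of the IAVM listing) that wraps those checks in a reusable script: it matches the full CVE identifier as a whole token rather than only its last four digits (which can match unrelated bug numbers), runs a constructed sample changelog against the 2010-A-0015 CVE list, and includes a live function for the host's installed kernel packages. The sample changelog text and the maintainer address in it are constructed, not real package data.

```shell
#!/bin/sh
# Added example: check RPM changelog text for a list of CVE identifiers.
# Matching the full identifier avoids false positives from the four-digit grep.

# Constructed sample standing in for the output of `rpm -q --changelog kernel-<version>`.
# The entry date, maintainer address and package release are invented.
SAMPLE_CHANGELOG='* Tue Feb 02 2010 Example Maintainer <maint@example.invalid> [2.6.18-164.11.1.el5]
- [fs] fix rewrite attack in do_coredump (CVE-2006-6304)
- [net] routing: fix hash collision deadlock (CVE-2009-4272)
- [scsi] gdth: add array index check (CVE-2009-3080)'

# changelog_has_cve CHANGELOG CVE-ID
# Returns 0 if CVE-ID appears as a whole token in CHANGELOG (so CVE-2009-4272
# does not match CVE-2009-42720), 1 otherwise.
changelog_has_cve() {
    printf '%s\n' "$1" | grep -q -E "(^|[^0-9])$2([^0-9]|$)"
}

# missing_cves CHANGELOG CVE...
# Prints, space-separated, every CVE from the list that is NOT in CHANGELOG.
# Empty output means every listed CVE is addressed.
missing_cves() {
    changelog=$1
    shift
    missing=""
    for cve in "$@"; do
        if ! changelog_has_cve "$changelog" "$cve"; then
            missing="$missing $cve"
        fi
    done
    printf '%s' "${missing# }"
}

# check_installed_kernels CVE...
# Live check: runs the listing's rpm query for each installed kernel package and
# reports a finding when a changelog lacks any of the CVEs. Needs rpm on the host,
# so it is not exercised in the sample run below.
check_installed_kernels() {
    for pkg in $(rpm -qa 'kernel*'); do
        log=$(rpm -q --changelog "$pkg")
        miss=$(missing_cves "$log" "$@")
        if [ -z "$miss" ]; then
            printf '%s: all CVEs addressed\n' "$pkg"
        else
            printf '%s: FINDING, changelog lacks: %s\n' "$pkg" "$miss"
        fi
    done
}

# Sample run: the constructed changelog against the 2010-A-0015 CVE list.
# Only CVE-2009-2910 is absent from the sample, so that is what gets printed.
missing_cves "$SAMPLE_CHANGELOG" CVE-2006-6304 CVE-2009-2910 CVE-2009-3080 CVE-2009-4272
printf '\n'
```

On a host, `check_installed_kernels` takes the same CVE list and prints one line per installed kernel package.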

  _____________________________________________________________

Group ID (Vulid): V-23715
Group Title: 2010-A-0040
Rule ID: SV-28573r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2010-A-0040
Rule Title: McAfee LinuxShield Vulnerability


Vulnerability Discussion: McAfee has released a security bulletin addressing a vulnerability in McAfee products. McAfee LinuxShield is an antivirus application available for the Linux platforms. To exploit this vulnerability, an attacker with access to the LinuxShield client system would be able to log into the statistics server and execute commands as the LinuxShield Admin. If successfully exploited, this vulnerability would allow an attacker to compromise the affected system.

At this time, there are no known exploits associated with this vulnerability; JTF-GNO is not aware of any DoD related incidents.

McAfee LinuxShield "nailsd" Authentication Vulnerability:
This issue involves improper authentication from a LinuxShield client to the LinuxShield statistics server. Current editions allow any user locally on the LinuxShield client system to log into the statistics server and execute commands as the LinuxShield Admin user. The potential results include disabling of the LinuxShield service and potential code execution.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
Check for the installed application and its version with:

# rpm -qa | grep "LinuxShield-"

If installed, it must be at least version 1.5.1 with hotfix HF550192 applied.

  _____________________________________________________________

Group ID (Vulid): V-23855
Group Title: 2010-B-0026
Rule ID: SV-28809r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2010-B-0026
Rule Title: HP-UX Configuration Security Bypass Vulnerability


Vulnerability Discussion: Hewlett-Packard has reported a security vulnerability affecting HP-UX running Network File System (NFS). NFS allows a user on a client computer to access files over a network in a manner similar to how local storage is accessed. This vulnerability can be exploited by a remote attacker via unknown vectors. If successfully exploited, this vulnerability would allow an unauthenticated remote attacker to bypass security restrictions and compromise an affected system.

Vulnerability (CVE-2010-0145):

A potential security vulnerability has been identified with NFS/ONCplus running on HP-UX. The vulnerability could result in the inadvertent enabling of NFS.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
HP-UX B.11.31 without ONCplus_B.11.31.09.depot or later.

Compliance Checking:
Determine the HP-UX OS revision:

# uname -r

If the version is listed in the preceding vulnerable systems, this is a finding.


  _____________________________________________________________

Group ID (Vulid): V-23906
Group Title: 2010-B-0028
Rule ID: SV-28862r1_rule
Severity: CAT II
Rule Version (STIG-ID): 2010-B-0028
Rule Title: Multiple Vulnerabilities in VMware WebAccess


Vulnerability Discussion: VMware has reported multiple vulnerabilities in various VMware products. VMware products provide enterprise level virtualization. To exploit these vulnerabilities, an attacker would send malicious requests to an affected system or interact with the interactive access on a virtual machine in a malicious manner. If successfully exploited, these vulnerabilities would allow an attacker to compromise the affected system.

At this time, there are no known exploits associated with these vulnerabilities; JTF-GNO is not aware of any DoD related incidents.

WebAccess Context Data Cross-site Scripting Vulnerability - (CVE-2009-2277):
A cross-site scripting vulnerability in WebAccess allows for disclosure of sensitive information. The flaw is due to insufficient verification of certain parameters which may lead to redirection of a user's requests. This vulnerability can only be exploited if the attacker tricks the WebAccess user into clicking a malicious link and the attacker has control of a server on the same network as the system where WebAccess is being used.

WebAccess URL Forwarding Vulnerability - (CVE-2010-0686):
The WebAccess component doesn't sufficiently validate user supplied input and allows for forwarding of an incoming request to another destination. The destination will not be able to see the true origin of the request URL but instead will see the address of the machine that runs WebAccess. An attacker could use the forwarding vulnerability to direct traffic at servers while disguising the source location. The security issue is limited to URL forwarding. This vulnerability doesn't allow for a so-called cross-site scripting attack and doesn't allow for stealing of the user cookies.

WebAccess Virtual Machine Name Cross-site Scripting Vulnerability - (CVE-2010-1137):
A cross-site scripting vulnerability allows for execution of JavaScript in the Web browser's security context for WebAccess. The flaw is due to insufficient checking on the names of virtual machines. In order to exploit the issue, the attacker must have control over the naming of a virtual machine and must have the user list this Virtual Machine in WebAccess.

WebAccess JSON Cross-site Scripting Vulnerability - (CVE-2010-1193):
A cross-site scripting vulnerability allows for execution of JavaScript in the Web browser's security context for WebAccess. The flaw is due to incorrect parsing of JSON error messages. This vulnerability can only be exploited if the attacker tricks the WebAccess user into clicking a malicious link.


Mitigations: 
VMware Temporary Mitigation

Mitigation Control: 
Workarounds
The system administrator should review the VMware Security Advisory to determine the appropriate workaround.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
See IAVM notice and vendor bulletin for additional information.
     
Vulnerable Applications/Systems:
Virtual Center 2.0.2 with WebAccess
Virtual Center 2.5 with WebAccess
VMware Server 1.0.10
VMware Server 2.0.2 with WebAccess

View the About “Product” from the menu to view version numbers.

  _____________________________________________________________

Group ID (Vulid): V-23997
Group Title: 2010-A-0066
Rule ID: SV-28953r1_rule
Severity: CAT I
Rule Version (STIG-ID): 2010-A-0066
Rule Title: Multiple Vulnerabilities in VMware Products


Vulnerability Discussion: VMware has released a security advisory addressing multiple vulnerabilities in various VMware products. VMware products provide enterprise level virtualization. To exploit these vulnerabilities, an attacker would send malicious requests to an affected system or interact with the interactive access on a virtual machine in a malicious manner. If successfully exploited, these vulnerabilities would allow an attacker to execute arbitrary code or compromise the affected system.

At this time, there are no known exploits associated with these vulnerabilities; JTF-GNO is not aware of any DoD related incidents.

VMware VMnc Codec Heap Overflow Vulnerabilities - (CVE-2009-1564 and CVE-2009-1565):
Vulnerabilities in the decoder allow for execution of arbitrary code with the privileges of the user running an application utilizing the vulnerable codec.

Libpng 1-bit Interlaced Images Information Disclosure Vulnerability - (CVE-2009-2042):
The libpng libraries through 1.2.35 contain an uninitialized-memory-read bug that may have security implications.

VMware Player and Workstation 'vmware-authd' Remote Denial of Service Vulnerability - (CVE-2009-3707):
A vulnerability in vmware-authd could cause a denial of service condition on Windows-based hosts. The denial of service is limited to a crash of authd.

VMware Remote Console 'connect' Method Remote Format String Vulnerability - (CVE-2009-3732):
VMware Remote Console (VMrc) contains a format string vulnerability. Exploitation of this issue may lead to arbitrary code execution on the system where VMrc is installed.

VMware Hosted Products 'vmware-vmx' Virtual Network Stack Information Disclosure Vulnerability - (CVE-2010-1138):
A vulnerability in the virtual networking stack of VMware hosted products could allow host information disclosure. A guest operating system could send memory from the host vmware-vmx process to the virtual network adapter and potentially to the host's physical Ethernet wire.

VMware 'vmrun' Local Privilege Escalation Vulnerability - (CVE-2010-1139):
A format string vulnerability in vmrun could allow arbitrary code execution. If a vmrun command is issued and processes are listed, code could be executed in the context of the user listing the processes.

VMware Hosted Products USB Service Local Privilege Escalation Vulnerability - (CVE-2010-1140):
A vulnerability in the USB service allows for a privilege escalation. A local attacker on the host of a Windows-based Operating System where VMware Workstation or VMware Player is installed could plant a malicious executable on the host and elevate their privileges.

VMware Hosted Products VMware Tools Library Reference Remote Code Execution Vulnerability - (CVE-2010-1141):
A vulnerability in the way VMware libraries are referenced allows for arbitrary code execution in the context of the logged on user. This vulnerability is present only on Windows Guest Operating Systems.

VMware Hosted Products VMware Tools Local Privilege Escalation Vulnerability - (CVE-2010-1142):
A vulnerability in the way VMware executables are loaded allows for arbitrary code execution in the context of the logged on user. This vulnerability is present only on Windows Guest Operating Systems.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
See IAVM notice and vendor bulletin for additional information.
     
Vulnerable Applications/Systems:
VMware Workstation 7.0
VMware Workstation 6.5.3 and earlier
VMware Player 3.0
VMware Player 2.5.3 and earlier
VMware ACE 2.6
VMware ACE 2.5.3 and earlier
VMware Server 2.0.2 and earlier
VMware Fusion 3.0
VMware Fusion 2.0.6 and earlier
VMware VIX API for Windows 1.6.x

Select the About “Product” entry from the application menu to view the version and build numbers.

  _____________________________________________________________

Group ID (Vulid): V-24008
Group Title: 2010-A-0067
Rule ID: SV-29061r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2010-A-0067
Rule Title: Multiple TANDBERG Video Communication Server Vulnerabilities


Vulnerability Discussion: TANDBERG has released a security bulletin addressing multiple vulnerabilities in Video Communication Server (VCS). The Video Communication Server (VCS) is an integral part of the TANDBERG Total Solution video communications network. To exploit these vulnerabilities, an attacker would interact with an affected system in a malicious manner. If successfully exploited, these vulnerabilities would allow an attacker to execute arbitrary code, gain access to sensitive information and conduct man-in-the-middle attacks. At this time, there are no known exploits associated with these vulnerabilities; JTF-GNO is not aware of any DoD related incidents.

CVE-2009-4509:
The administrative web console on the TANDBERG Video Communication Server (VCS) before X4.3 uses predictable session cookies in (1) tandberg/web/lib/secure.php and (2) tandberg/web/user/lib/secure.php, which makes it easier for remote attackers to bypass authentication, and execute arbitrary code by loading a custom software update, via a crafted "Cookie: tandberg_login=" HTTP header.


CVE-2009-4510:
The SSH service on the TANDBERG Video Communication Server (VCS) before X5.1 uses a fixed DSA key, which makes it easier for remote attackers to conduct man-in-the-middle attacks and spoof arbitrary servers via crafted SSH packets.


CVE-2009-4511:
Multiple directory traversal vulnerabilities in the web administration interface on the TANDBERG Video Communication Server (VCS) before X5.1 allow remote authenticated users to read arbitrary files via a .. (dot dot) in the page parameter to (1) helppage.php or (2) user/helppage.php.



Mitigations: 
TANDBERG mitigations

Mitigation Control: 
Mitigation (CVE-2009-4509)
Upgrade to firmware version X4.3.0 (or newer) as soon as possible. If this is not immediately possible, temporary mitigation could be achieved by changing the $this->secret constant in the following files to something unpredictable:
/tandberg/web/lib/secure.php
/tandberg/web/user/lib/secure.php

Mitigation (CVE-2009-4510)
Immediately replace the current SSH host key with a new one. This may be accomplished through one of several methods. One approach is to simply log in to the device locally and use the ssh-keygen utility to replace the keys stored in /tandberg/sshkeys/. Consult TANDBERG documentation for other methods.

After replacing the SSH host keys, it is recommended that the VCS firmware be upgraded to X5.1.1 as soon as possible. NOTE: Upgrading or downgrading to versions prior to X5.1.1 will cause any custom SSH host keys to be overwritten. Version X5.1.1 and later should preserve any custom host keys previously installed. As a precaution, after upgrading or downgrading VCS firmware, verify that the host key has not changed back to the publicly known one with fingerprint:
49:53:bf:94:2a:d7:0c:3f:48:29:f7:5b:5d:de:89:b8


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
Vulnerable Systems:
Tandberg Video Communication Server 4.2.1
Tandberg Video Communication Server 4.3.0

Targeted to LINUX-only. Determine the version if the SA confirms that it is installed. If the version is listed in the preceding vulnerable systems, this is a finding.
  _____________________________________________________________

Group ID (Vulid): V-24163
Group Title: 2010-B-0037
Rule ID: SV-29801r1_rule
Severity: CAT I
Rule Version (STIG-ID): 2010-B-0037
Rule Title: Multiple Vulnerabilities in HP OpenView Network Node Manager


Vulnerability Discussion: HP has addressed multiple vulnerabilities affecting HP OpenView Network Node Manager. HP OpenView Network Node Manager (OV NNM) is a fault-management application for IP networks. To exploit these vulnerabilities, an attacker would create and send malicious data to a vulnerable system. If successfully exploited, these vulnerabilities would allow a remote attacker to execute arbitrary code and compromise the affected system.

At this time, there are no known exploits associated with these vulnerabilities; JTF-GNO is not aware of any DoD related incidents.

HP OpenView Network Node Manager Remote Execution Vulnerability - (CVE-2010-1550):
The specific flaw exists within the ovet_demandpoll.exe process. This process can be started by invoking the webappmon.exe CGI application through the webserver. The process calls vsnprintf() directly with the contents of the 'sel' POST variable. By providing a malicious value, this format string vulnerability can be leveraged by remote attackers to execute arbitrary code under the context of the ovet_demandpoll.exe process.

HP OpenView Network Node Manager Remote Execution Vulnerability - (CVE-2010-1551):
The specific flaw exists within the Network Monitor (netmon.exe) daemon. This process can be started by invoking the webappmon.exe CGI application through the webserver. When the _OVParseLLA function defined within ov.dll is called from netmon.exe it directly copies the value of the 'sel' POST variable into a fixed-length stack buffer with a call to strcpy(). This can be leveraged by remote attackers to execute arbitrary code under the context of the webserver process.

HP OpenView Network Node Manager Remote Execution Vulnerability - (CVE-2010-1552):
The specific flaw exists within the snmpviewer.exe CGI. The doLoad function in this process calls sprintf() with a %s format specifier and unsanitized user input retrieved from two separate POST variables (act and app). By providing large enough strings a remote attacker can cause a stack-based buffer overflow and eventually execute arbitrary code under the context of the webserver process.

HP OpenView Network Node Manager Remote Execution Vulnerability - (CVE-2010-1553):
The specific flaw exists within the getnnmdata.exe CGI. If this CGI is requested with an invalid MaxAge parameter, a sprintf() call is made to log the error. However, no length check is performed on the variable contents before copying into a fixed-length stack buffer. This can be leveraged by remote attackers to execute arbitrary code under the context of the webserver process.

HP OpenView Network Node Manager Remote Execution Vulnerability - (CVE-2010-1554):
The specific flaw exists within the getnnmdata.exe CGI. If this CGI is requested with an invalid iCount POST parameter, a sprintf() call is made to log the error. However, no length check is performed on the variable contents before copying into a fixed-length stack buffer. This can be leveraged by remote attackers to execute arbitrary code under the context of the webserver process.

HP OpenView Network Node Manager Remote Execution Vulnerability - (CVE-2010-1555):
The specific flaw exists within the getnnmdata.exe CGI. If this CGI is requested with an invalid Hostname parameter, a sprintf() call is made to log the error. However, no length check is performed on the variable contents before copying into a fixed-length stack buffer. This can be leveraged by remote attackers to execute arbitrary code under the context of the webserver process.



Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
See the IAVM notice and vendor bulletin for additional information.

Affected Products:
HP OpenView Network Node Manager (OV NNM) v7.01
HP OpenView Network Node Manager (OV NNM) v7.51
HP OpenView Network Node Manager (OV NNM) v7.53

OV NNM v7.01 – Windows patch NNM_1202 or subsequent
OV NNM v7.53 – Windows patch NNM_1203 or subsequent
OV NNM v7.51 – upgrade to v7.53 and apply patch

Interview the SA to determine if patch has been installed.


Check Content: 
Vulnerable Systems:

HP OpenView Network Node Manager (OV NNM) v7.01 running on HP-UX, Linux, Solaris.
HP OpenView Network Node Manager (OV NNM) v7.51 running on HP-UX, Linux, Solaris.
HP OpenView Network Node Manager (OV NNM) v7.53 running on HP-UX, Linux, Solaris.

If the HP OpenView Network Node Manager is installed, determine the version with the rpm (LINUX), swlist (HP) or strings (Solaris) command(s) and if the version is not greater than the above listed version(s), this is a finding.

  _____________________________________________________________

Group ID (Vulid): V-24203
Group Title: 2010-B-0042
Rule ID: SV-29845r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2010-B-0042
Rule Title: Multiple Vulnerabilities in JBoss Enterprise Application Platform


Vulnerability Discussion: Red Hat has addressed multiple vulnerabilities affecting the JBoss Enterprise Application Platform. To exploit these vulnerabilities, an attacker would send malicious packets to the affected system or interact with the vulnerable environment in a malicious manner. If successfully exploited, these vulnerabilities would allow a remote attacker to bypass security restrictions and gain unauthorized access to sensitive information.

At this time, there are no known exploits associated with these vulnerabilities; JTF-GNO is not aware of any DoD related incidents.

JMX-Console Web Application Vulnerability - (CVE-2010-0738):
The JMX-Console web application in JBossAs in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 performs access control only for the GET and POST methods, which allows remote attackers to send requests to this application's GET handler by using a different method.


Web Console Information Disclosure Vulnerability - (CVE-2010-1428):
The Web Console (aka web-console) in JBossAs in Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 performs access control only for the GET and POST methods, which allows remote attackers to obtain sensitive information via an unspecified request that uses a different method.


Information Disclosure Vulnerability - (CVE-2010-1429):
Red Hat JBoss Enterprise Application Platform (aka JBoss EAP or JBEAP) 4.2 before 4.2.0.CP09 and 4.3 before 4.3.0.CP08 allows remote attackers to obtain sensitive information about "deployed web contexts" via a request to the status servlet, as demonstrated by a full=true query string. NOTE: this issue exists because of a CVE-2008-3273 regression.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
Vulnerable Systems:

Red Hat JBoss Enterprise Application Platform 4.2.0 EL4
Red Hat JBoss Enterprise Application Platform 4.2.0 EL5
Red Hat JBoss Enterprise Application Platform 4.3.0 EL4
Red Hat JBoss Enterprise Application Platform 4.3.0 EL5

Determine if jboss is installed via:

      # rpm -qa | grep "^jboss"

      Note: This vulnerability applies only to RedHat.

If found, determine the version via use of the rpm and/or strings command and if it is not greater than the above listed versions, this is a finding.


  _____________________________________________________________

Group ID (Vulid): V-24858
Group Title: 2010-B-0054
Rule ID: SV-30585r1_rule
Severity: CAT II
Rule Version (STIG-ID): 2010-B-0054
Rule Title: Multiple Vulnerabilities in VMware Studio


Vulnerability Discussion: VMware has released a security advisory addressing multiple vulnerabilities in VMware Studio. VMware Studio is an application that allows users to create, configure, and deploy VMware virtual applications and appliances. To exploit these vulnerabilities, an attacker would send malicious requests to an affected system or, having interactive access to a virtual machine, interact with it in a malicious manner. If successfully exploited, these vulnerabilities would allow an attacker to execute arbitrary code and compromise the affected system.

At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.

VMware Studio 2.0 Remote Command Execution Vulnerability - (CVE-2010-2667):
VMware Studio is a development tool to create and manage virtual appliances. VMware Studio itself is a virtual appliance. A vulnerability in the Virtual Appliance Management Infrastructure (VAMI) allows for remote command execution in Studio 2.0 or in virtual appliances created with Studio 2.0. Exploitation of the issue requires authentication to Studio or to the virtual appliance. Studio is by default shipped with the root user account and no other user accounts. For this reason, exploitation of the vulnerability would not yield any gain for an attacker since the attacker would need to know the credentials of the root user account in order to launch an attack. If an attacker knows the credentials of the root user, the attacker will have other avenues to compromise Studio. In case another user account with limited privileges has been added to Studio, the exploitation of the issue may lead to remote command execution by the attacker. The attacker would still need to know the credentials of the additional user account in order to launch an attack.

VMware Studio 2.0 local privilege escalation vulnerability - (CVE-2010-2427):
VMware Studio is a development tool to create and manage virtual appliances. VMware Studio itself is a virtual appliance. A vulnerability in the way temporary files are written may lead to a privilege escalation in Studio 2.0. Exploitation of the issue requires authentication to the system running Studio. Virtual appliances created with Studio 2.0 are not affected. Studio is by default shipped with the root user account and no other user accounts. For this reason, exploitation of the vulnerability would not yield any gain for an attacker since the attacker would need to know the credentials of the root user account in order to launch an attack. If an attacker knows the credentials of the root user, the attacker will have other avenues to compromise Studio.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
See IAVM notice and vendor bulletin for additional information.
     
Vulnerable Applications/Systems:
VMware Studio 2.0

Select the About “Product” entry from the application menu to view the version and build numbers.

  _____________________________________________________________

Group ID (Vulid): V-25026
Group Title: 2010-B-0057
Rule ID: SV-30805r1_rule
Severity: CAT II
Rule Version (STIG-ID): 2010-B-0057
Rule Title: Citrix Online Plug-in and ICA Client Remote Code Execution Vulnerabilities


Vulnerability Discussion: Citrix has released two security bulletins addressing vulnerabilities in Citrix Online Plug-Ins and ICA Clients. Citrix Online Plug-Ins and ICA Clients provide users with access to Citrix products like XenApp and XenDesktop servers. To exploit these vulnerabilities, an attacker would entice a user to access a malicious or compromised website. If successfully exploited, these vulnerabilities would allow an attacker to execute arbitrary code on the client device in the context of the logged in user.

At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-25098
Group Title: 2010-B-0067
Rule ID: SV-31007r1_rule
Severity: CAT I
Rule Version (STIG-ID): 2010-B-0067
Rule Title: Cisco Wireless Control System (WCS) SQL Injection Vulnerability


Vulnerability Discussion: Cisco has released an advisory addressing a vulnerability affecting the Cisco Wireless Control System (WCS). Cisco WCS enables an administrator to configure and monitor one or more Wireless LAN Controllers (WLC) and associated access points. To exploit this vulnerability, a remote attacker would execute a SQL injection attack. If successfully exploited, this vulnerability would allow an authenticated remote attacker to modify the system configuration, create, modify or delete users, or modify the configuration of wireless devices managed by WCS.

At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.
SQL Injection Vulnerability - (CVE-2010-2826):
A SQL injection vulnerability in Cisco Wireless Control System (WCS) 6.0.x before 6.0.196.0 allows remote authenticated users to execute arbitrary SQL commands via vectors related to the ORDER BY clause of the Client List screens.

This vulnerability is documented in Cisco bug ID CSCtf37019 (registered customers only).


Mitigations: 
Cisco Temporary Mitigation Strategies

Mitigation Control: 
Cisco has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POAM to help block known attack vectors until required compliance actions can be completed.

Mitigation techniques that can be deployed on Cisco devices within the network are available in the Cisco Applied Mitigation Bulletin companion document for this advisory: http://www.cisco.com/warp/public/707/cisco-amb-20100811-wcs.shtml.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
Vulnerable Systems:
Cisco WCS 6.0.x prior to 6.0.196.0
Note: Cisco WCS software release 7.0 is not affected by this vulnerability. Cisco WCS version 7.0.164.0 (which is the first 7.0 version) already contains the fix for this vulnerability. Cisco WCS software releases prior to 6.0 are not affected by this vulnerability.

The version of WCS software installed on a particular device can be found via the Cisco WCS HTTP management interface. Choose Help > About the Software to obtain the software version. If the installed version does not meet the criteria of the “Vulnerable Systems” section above, this is a finding.


  _____________________________________________________________

Group ID (Vulid): V-25184
Group Title: 2010-B-0075
Rule ID: SV-31201r1_rule
Severity: CAT I
Rule Version (STIG-ID): 2010-B-0075
Rule Title: Multiple Vulnerabilities in VxWorks


Vulnerability Discussion: Multiple vulnerabilities have been reported in VxWorks. VxWorks is a real-time operating system that can be used in embedded systems. These vulnerabilities can be exploited by remote attackers utilizing various tactics, techniques and procedures (TTP). If successfully exploited, attackers may leverage these issues to bypass system security and compromise the affected system.

At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.
VxWorks Security-Bypass Vulnerability - (CVE-2010-2965):
VxWorks is vulnerable to a security-bypass vulnerability because it runs a system-level debugger (WDB agent) on UDP port 17185 without any requirement for authentication. A remote attacker can exploit this vulnerability to read/write memory, call functions, and manage tasks. The VxWorks WDB target agent is a target-resident, run-time facility that is required for connecting host tools to a VxWorks target system during development. WDB is a selectable component in the VxWorks configuration and is enabled by default. The WDB debug agent access is not secured and does provide a security hole in a deployed system.

VxWorks Password Hashing Algorithm Vulnerabilities - (CVE-2010-2966, CVE-2010-2967, CVE-2010-2968):
The hashing algorithm that is used in the standard authentication API for VxWorks is susceptible to collisions. An attacker can brute force a password by guessing a string that produces the same hash as a legitimate password. An attacker with a known username and access to a service (telnet, rlogin or FTP) that uses the standard authentication API (loginDefaultEncrypt (), part of loginLib) can brute force the password in a relatively short period of time. Since the hashing algorithm is susceptible to collisions, the actual password does not have to be found, just a string that produces the same hash.


Mitigations: 
VxWorks workarounds

Mitigation Control: 
Wind River has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.

VxWorks Security-Bypass Vulnerability
Disable debug agent

Vendors should remove the WDB target debug agent from their VxWorks based products by removing the INCLUDE_WDB and INCLUDE_DEBUG components from their VxWorks image.
Restrict access
Appropriate firewall rules should be implemented to restrict access to the debug service (17185/udp) to only trusted sources until vendors have released patches to disable it.

VxWorks Password Hashing Algorithm Vulnerability
Vendors which use VxWorks in their products should not use the default hashing algorithm in standard authentication API (loginDefaultEncrypt()). A trusted authentication API should be used instead. It can be installed by means of the loginEncryptInstall() loginLib hook.

In addition, and so as to avoid registration of the default target/password credentials at init time, the LOGIN_USER_NAME and LOGIN_USER_PASSWORD project parameters/#defines should be set to empty strings (so that no user is registered using the default encryption routine). Only after the new encryption routine is registered should new users be added to the system.

loginEncryptInstall() allows the user to install a custom encryption routine. The custom routine rtn must be of the following form:

STATUS encryptRoutine
    (
    char *password,          /* string to encrypt */
    char *encryptedPassword  /* resulting encryption */
    )

The encryptedPassword string length should be no more than:
+ VxWorks 6.4 and below: 80 characters
+ VxWorks 6.5 and above: 128 characters

When a custom encryption routine is installed, a host version of this routine must be written to replace the tool vxencrypt in host/hostOs/bin.

Appendix #1 shows example code making use of loginEncryptInstall() to set a custom encryption routine. Depending on the VxWorks version used, either SHA-512 or SHA-256 is used.

DISCLAIMER: The following example code was provided by Wind River Systems. It is for demonstration purposes only and should not be used as is.

APPENDIX #1
/* Sample loginEncryptInstallCode() */

/* includes */

#include <vxWorks.h>
#include <errnoLib.h>   /* for errnoGet API */
#include <fcntl.h>      /* for open API */
#include <stdio.h>      /* for sprintf API */
#include <string.h>     /* for string handling */
#include <unistd.h>     /* for close API */
#include <loginLib.h>   /* library under test */
#include <sysSymTbl.h>  /* for sysSymTbl variable */

/* globals */
/*
 * SHA-512 and SHA-256 digests corresponding to the "vincent" string.
 * VxWorks 6.4 and below use SHA-256 because of the 80 chars
 * loginEncryptInstall() digest limit, while 6.5 and later versions use SHA-512.
 */

#if ((_WRS_VXWORKS_MAJOR == 6) && (_WRS_VXWORKS_MINOR > 4))
char * cryptSha = "38256fbe4e80d9ffd355409f36238ae18e62c668208c259e60"
                  "ca323ab47cf55b8656e88e56593d531b250aae2c35376b387d"
                  "83ade5e3e8b6c042133b97030fa4";
char * shaIdent = "SHA-512";
#else
char * cryptSha = "65c3f75641b22925c737ca657b126cd68c39e423349d43031c"
                  "f9a3b9a18cee1f";
char * shaIdent = "SHA-256";
#endif

/* locals */

LOCAL STATUS fixed_sha (char * password, char * encryptedpassword);

/*******************************************************************************
*
* loginEncryptInstallExample - register and use a custom encryption routine
*
* RETURNS: OK on success, ERROR otherwise
*/

STATUS loginEncryptInstallExample (void)
    {
    char * name   = "vincent";
    char * passwd = "vincent";
    STATUS status = ERROR;

    /* Register our new encryption routine */

    loginEncryptInstall ((FUNCPTR) fixed_sha, 0);
    printf ("Registered %s encryption routine.\n", shaIdent);

    /* Add a new user using this encryption routine (loginUserAdd expects the
     * already-encrypted password) */

    if (loginUserAdd (name, cryptSha) != OK)
        {
        printf ("Unable to add new user to system using %s encryption "
                "routine [errno = %#x].\n", shaIdent, errnoGet ());

        return ERROR;
        }
    else
        {
        /* Launch the verification process */

        if (loginUserVerify (name, passwd) != OK)
            {
            printf ("Successfully registered and added a new user "
                    "with custom encryption routine but password "
                    "check failed [errno = %#x].\n", errnoGet ());

            goto cleanup;
            }
        else
            {
            printf ("Successfully used custom encryption routine "
                    "(routine registration, user creation and "
                    "verification).\n");
            }
        }

    status = OK;

cleanup:

    /* Remove user; restore the default routine */

    if (loginUserDelete (name, passwd) != OK)
        {
        printf ("There was a problem while trying to delete the "
                "newly added user during cleanup [errno = %#x].\n",
                errnoGet ());
        status = ERROR;
        }

    loginEncryptInstall ((FUNCPTR) loginDefaultEncrypt, 0);
    return status;
    }

/******************************************************************************
* fixed_sha - returns a fixed SHA digest
*
* RETURNS: Always OK
*/

LOCAL STATUS fixed_sha
    (
    char * password,          /* ignored by this demonstration routine */
    char * encryptedpassword  /* receives the fixed digest */
    )
    {
    /*
     * IMPORTANT : This test routine should be replaced by a real SHA
     * generator. Because of the fixed digest, the current version does not
     * perform actual user validation (i.e. all passwords are accepted for user
     * vincent).
     */

    strcpy (encryptedpassword, cryptSha);
    return OK;
    }
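
The stub above accepts every password because its digest is fixed. The following is an added example (not Wind River's code) of a routine with the same (password, encryptedPassword) form that a loginEncryptInstall() hook requires, producing a real SHA-256 digest that stays inside the 80-character limit of VxWorks 6.4 and below; because it has no VxWorks dependencies it also serves as the host-side counterpart that replaces vxencrypt. The STATUS/OK/ERROR stand-ins, the LOGIN_DIGEST_MAX name, the sha256EncryptRoutine name and the 119-byte input cap are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the vxWorks.h definitions so the block also builds on a host (assumption). */
#ifndef OK
typedef int STATUS;
#define OK     0
#define ERROR (-1)
#endif

/* Smallest digest-string limit quoted in the advisory (VxWorks 6.4 and below, 80 chars);
 * the macro name is hypothetical, loginLib does not export it. */
#define LOGIN_DIGEST_MAX 80

#define ROTR(x, n) (((x) >> (n)) | ((x) << (32 - (n))))

static const uint32_t K[64] = {
    0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
    0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
    0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
    0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
    0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
    0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
    0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
    0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2
};

/* SHA-256 of a NUL-terminated string, written as 64 lowercase hex digits plus NUL.
 * Inputs up to 119 bytes pad into at most two 64-byte blocks; longer inputs are
 * rejected so the fixed buffer can never overflow (assumed cap for this example). */
static STATUS sha256Hex(const char *msg, char *hexOut)
{
    uint32_t h[8] = { 0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
                      0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19 };
    uint32_t w[64];
    uint8_t buf[128];
    size_t len = strlen(msg), total, off, i;
    uint64_t bits = (uint64_t)len * 8;

    if (len > 119)
        return ERROR;
    memcpy(buf, msg, len);
    buf[len] = 0x80;                              /* mandatory 1 bit after the message */
    total = (len + 1 + 8 <= 64) ? 64 : 128;       /* one or two blocks */
    memset(buf + len + 1, 0, total - len - 1);
    for (i = 0; i < 8; i++)                       /* big-endian 64-bit bit length */
        buf[total - 1 - i] = (uint8_t)(bits >> (8 * i));
    for (off = 0; off < total; off += 64) {
        uint32_t a = h[0], b = h[1], c = h[2], d = h[3];
        uint32_t e = h[4], f = h[5], g = h[6], hh = h[7];
        for (i = 0; i < 16; i++)
            w[i] = ((uint32_t)buf[off + 4*i] << 24) | ((uint32_t)buf[off + 4*i + 1] << 16) |
                   ((uint32_t)buf[off + 4*i + 2] << 8) | buf[off + 4*i + 3];
        for (i = 16; i < 64; i++) {
            uint32_t s0 = ROTR(w[i-15], 7) ^ ROTR(w[i-15], 18) ^ (w[i-15] >> 3);
            uint32_t s1 = ROTR(w[i-2], 17) ^ ROTR(w[i-2], 19) ^ (w[i-2] >> 10);
            w[i] = w[i-16] + s0 + w[i-7] + s1;
        }
        for (i = 0; i < 64; i++) {               /* compression rounds */
            uint32_t t1 = hh + (ROTR(e, 6) ^ ROTR(e, 11) ^ ROTR(e, 25)) + ((e & f) ^ (~e & g)) + K[i] + w[i];
            uint32_t t2 = (ROTR(a, 2) ^ ROTR(a, 13) ^ ROTR(a, 22)) + ((a & b) ^ (a & c) ^ (b & c));
            hh = g; g = f; f = e; e = d + t1; d = c; c = b; b = a; a = t1 + t2;
        }
        h[0] += a; h[1] += b; h[2] += c; h[3] += d; h[4] += e; h[5] += f; h[6] += g; h[7] += hh;
    }
    for (i = 0; i < 8; i++)
        sprintf(hexOut + 8 * i, "%08x", (unsigned)h[i]);
    return OK;
}

/* Drop-in replacement for fixed_sha(): the form loginEncryptInstall() expects, but the
 * digest now depends on the password, so loginUserVerify() rejects wrong passwords.
 * On the target it is registered with: loginEncryptInstall ((FUNCPTR) sha256EncryptRoutine, 0); */
STATUS sha256EncryptRoutine(char *password, char *encryptedPassword)
{
    char hex[65];

    if (password == NULL || encryptedPassword == NULL)
        return ERROR;
    if (sha256Hex(password, hex) != OK)
        return ERROR;
    if (strlen(hex) + 1 > LOGIN_DIGEST_MAX)       /* 65 bytes fits both the 80 and 128 limits */
        return ERROR;
    strcpy(encryptedPassword, hex);
    return OK;
}

int main(void)
{
    char out[LOGIN_DIGEST_MAX];
    /* Same role as the host-side vxencrypt tool: print the digest to store for a user. */
    if (sha256EncryptRoutine("vincent", out) == OK)
        printf("%s\n", out);
    return 0;
}
```

The digest is unsalted, as in the vendor example; with SHA-256 the 80-character budget leaves room to prepend a per-user salt if the deployment's loginLib policy allows it.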

Restrict access
Appropriate firewall rules should be implemented to restrict access to any services that use the standard authentication API.

Disable services
Services such as FTP or telnet should be disabled if not needed.

Monitor access
IDS signatures should be implemented to detect brute force attacks to services that use the standard authentication API.



Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
See the IAVM notice and vendor bulletin for additional information.

Vulnerable Applications/Systems:
All versions of VxWorks

Note: System administrators should refer to the Vendor Security Advisory to determine affected applications/system and appropriate fix actions.

  _____________________________________________________________

Group ID (Vulid): V-25410
Group Title: 2010-B-0085
Rule ID: SV-31595r1_rule
Severity: CAT I
Rule Version (STIG-ID): 2010-B-0085
Rule Title: Linux Kernel Privilege Escalation Vulnerability


Vulnerability Discussion: A privilege escalation vulnerability has been identified in the Linux kernel. The Linux kernel is the operating system kernel used by Linux based operating systems. To exploit this vulnerability, an attacker would interact with an affected system in a malicious manner. If successfully exploited, this vulnerability would allow escalation of privileges, resulting in the compromise of the affected system.

At this time, there are known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.

64-bit Compatibility Mode Stack Pointer Underflow - (CVE-2010-3081):
The compat_alloc_user_space() function in the Linux kernel 32/64-bit compatibility layer implementation was missing sanity checks. This function could be abused in other areas of the Linux kernel if its length argument can be controlled from user-space. On 64-bit systems, a local, unprivileged user could use this flaw to escalate their privileges.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
Vulnerable Systems:

Linux Kernel 2.6.X releases prior to 20 September 2010
Red Hat Enterprise Linux (v. 5 server)
Red Hat Enterprise Linux Desktop (v. 5 client)
Red Hat Enterprise Linux EUS (v. 5.4.z server)

Per Mitre.org, note that CVE-2010-3081 covers the following: Linux kernels before 2.6.36-rc4-git2 on 64-bit platforms do not properly allocate the userspace memory required for the 32-bit compatibility layer.

Compliance Checking:

Check the 64-bit platform kernel version with:
      # uname -a

Find kernel packages with:
      # rpm -qa | grep kernel
Then check the changelog for the CVE via:
      # rpm -q --changelog <package(s) from the above command>

Also, the version of the currently executing kernel should be available in the file “/proc/version”.

If the version is not at least the applicable corrected version of the operating system vendor’s kernel then this is a finding.
  _____________________________________________________________

Group ID (Vulid): V-25411
Group Title: 2010-B-0083
Rule ID: SV-31596r1_rule
Severity: CAT II
Rule Version (STIG-ID): 2010-B-0083
Rule Title: Bzip2 Remote Integer Overflow Vulnerability


Vulnerability Discussion: The Bzip organization has addressed a vulnerability affecting the bzip2 application. bzip2 is a free open source data compressor commonly used in Linux and Unix operating systems. To exploit this vulnerability, a remote attacker would send a malicious request to a vulnerable application. If successfully exploited, this vulnerability would allow an unauthenticated remote attacker to execute arbitrary code in the context of the current user or cause a denial-of-service condition.

At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.
bzip2 "BZ_decompress" Integer Overflow Vulnerability - (CVE-2010-0405):
The vulnerability is caused due to an integer overflow in the "BZ2_decompress()" function in decompress.c and can be exploited to cause a crash or potentially execute arbitrary code.



Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
Vulnerable Systems:

bzip2 1.0.5 and earlier

Linux ONLY:

# rpm -q --changelog bzip2 | grep CVE-2010-0405

  _____________________________________________________________

Group ID (Vulid): V-25412
Group Title: 2010-B-0086
Rule ID: SV-31597r2_rule
Severity: CAT II
Rule Version (STIG-ID): 2010-B-0086
Rule Title: Tandberg MXP Series Remote Denial of Service Vulnerability


Vulnerability Discussion: TANDBERG has addressed a vulnerability in the MXP series Video Conferencing Device. The Video Conferencing Device is a set of interactive telecommunication technologies that allow two or more locations to interact using video and audio transmissions simultaneously. To exploit this vulnerability, an attacker would send malicious SNMP packets with spoofed source IP addresses to the affected system. If successfully exploited, this vulnerability would allow an attacker to deny service to legitimate users, resulting in a denial of service condition.

At this time, there are known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.
TANDBERG MXP Series Endpoint SNMP Denial of Service Vulnerability:
The vulnerability exists due to improper packet handling in the implementation of SNMP by the software. If the source IP of the requestor is spoofed, the affected firmware erroneously sends an SNMP packet response to itself. An unauthenticated, remote attacker could exploit this vulnerability by submitting crafted SNMP packets with spoofed source IP addresses to the affected device. Processing such packets could result in a loop within the software until the memory resources are consumed. A successful exploit could cause the affected device to stop responding, resulting in a DoS condition.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
Vulnerable Systems:
TANDBERG MXP endpoints running software versions prior to 9.0

Applies only to endpoints running Linux. Ask the SA to determine whether this product is installed and, if so, which version. If the version is not greater than or equal to the version listed in the preceding Vulnerable Systems section, this is a finding.
  _____________________________________________________________

Group ID (Vulid): V-25529
Group Title: 2010-A-0151
Rule ID: SV-31737r1_rule
Severity: CAT II
Rule Version (STIG-ID): 2010-A-0151
Rule Title: Multiple vulnerabilities in Oracle VM


Vulnerability Discussion: Oracle has released their quarterly Critical Patch Update Advisory for October 2010 addressing multiple vulnerabilities in Oracle VM. These vulnerabilities are not remotely exploitable without authentication. If successfully exploited, these vulnerabilities would allow a remote attacker to completely compromise the affected system.
At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-25619
Group Title: 2010-B-0098
Rule ID: SV-31851r2_rule
Severity: CAT II
Rule Version (STIG-ID): 2010-B-0098
Rule Title: Intel Xeon Baseboard Management Component (BMC) Privilege Escalation Vulnerability


Vulnerability Discussion: Intel has released a security advisory addressing a privilege escalation vulnerability in Intel Xeon Baseboard Management Component (BMC) firmware. To exploit this vulnerability, a remote attacker would utilize various tactics, techniques and procedures (TTP). If successfully exploited, this vulnerability would allow a remote attacker the ability to deny service to legitimate users, escalate privileges and compromise the affected system.

At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.
Baseboard Management Component Privilege Escalation Vulnerability:
Under certain circumstances a privilege escalation issue is present in the Baseboard Management Component (BMC) firmware for Intel Xeon 5500, 5600 Series products. A knowledgeable remote malicious attacker could leverage this issue to deny service to legitimate users. This issue was found during internal validation testing and Intel has not received any reports of it being exploited externally.



Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
See the IAVM notice and vendor bulletin for additional information.

Vulnerable Applications/Systems:
Intel Xeon 5500 Series BMC Firmware
Intel Xeon 5600 Series BMC Firmware

There are multiple ways to determine the current version of the BMC firmware. Use any one of the following methods:

Reboot or power cycle the system. During POST after video comes up press F2 to go into Setup. After you are in setup use the right or left arrow keys to select the Server Management tab. Then use the down arrow to highlight System Information and then press enter.

Use the sysconfig utility that comes with the Intel® Deployment Assistant CD that came with your system. Command to run: sysconfig /i

BMC                                   Fix included in this version or higher
Intel Xeon 5500 Series BMC Firmware   00.53 or higher
Intel Xeon 5600 Series BMC Firmware   00.53 or higher


Check Content: 
Vulnerable Systems:
Intel Xeon 5500 Series BMC Firmware before 00.53
Intel Xeon 5600 Series BMC Firmware before 00.53

The lshw command is a tool to extract detailed information on the hardware configuration of the machine running Linux. It can report exact memory configuration, firmware version, main board configuration, CPU version and speed, cache configuration, bus speed, etc. For Solaris, prtdiag or psrinfo should provide similarly formatted information.

Check the Xeon BMC version by performing the following:

# lshw | more

OR for Solaris:

# prtdiag -v
# psrinfo -v

If applicable (i.e., a Xeon BMC is present) and the firmware version is earlier than the fixed version(s) listed in the "Vulnerable Systems" section, this is a finding.
  _____________________________________________________________

Group ID (Vulid): V-25835
Group Title: 2010-A-0168
Rule ID: SV-32170r1_rule
Severity: CAT II
Rule Version (STIG-ID): 2010-A-0168
Rule Title: Multiple Vulnerabilities in VMware Products


Vulnerability Discussion: VMware has released a security advisory addressing multiple vulnerabilities in various VMware products. VMware products provide enterprise level virtualization. To exploit these vulnerabilities, an attacker would utilize various TTPs (Tactics, Techniques and Procedures). If successfully exploited, these vulnerabilities would allow an attacker to execute arbitrary code or elevate privileges from a host OS.

At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.
VMware VMnc Codec frame decompression Remote Code Execution Vulnerability - (CVE-2010-4294):
A function in the decoder frame decompression routine implicitly trusts a size value. An attacker can utilize this to miscalculate a destination pointer, leading to the corruption of a heap buffer, and could allow for execution of arbitrary code with the privileges of the user running an application utilizing the vulnerable codec. For an attack to be successful the user must be tricked into visiting a malicious web page or opening a malicious video file on a system that has the vulnerable version of the VMnc codec installed.

VMware Workstation, Player and Fusion vmware-mount Race Condition Vulnerability - (CVE-2010-4295):
Race condition in the mounting process in vmware-mount in VMware Workstation 7.x before 7.1.2 build 301548 on Linux, VMware Player 3.1.x before 3.1.2 build 301548 on Linux, VMware Server 2.0.2 on Linux, and VMware Fusion 3.1.x before 3.1.2 build 332101 allows host OS users to gain privileges via vectors involving temporary files.
Note: VMware Workstation and Player running on Microsoft Windows are not affected.

VMware Workstation, Player and Fusion vmware-mount Privilege Escalation Vulnerability - (CVE-2010-4296):
vmware-mount in VMware Workstation 7.x before 7.1.2 build 301548 on Linux, VMware Player 3.1.x before 3.1.2 build 301548 on Linux, VMware Server 2.0.2 on Linux, and VMware Fusion 3.1.x before 3.1.2 build 332101 does not properly load libraries, which allows host OS users to gain privileges via vectors involving shared object files.
Note: VMware Workstation and Player running on Microsoft Windows are not affected.

VMware Tools Command Injection Vulnerability - (CVE-2010-4297):
The VMware Tools update functionality in VMware Workstation 6.5.x before 6.5.5 build 328052 and 7.x before 7.1.2 build 301548; VMware Player 2.5.x before 2.5.5 build 328052 and 3.1.x before 3.1.2 build 301548; VMware Server 2.0.2; VMware Fusion 2.x before 2.0.8 build 328035 and 3.1.x before 3.1.2 build 332101; VMware ESXi 3.5, 4.0, and 4.1; and VMware ESX 3.0.3, 3.5, 4.0, and 4.1 allows host OS users to gain privileges on the guest OS via unspecified vectors, related to a "command injection" issue.
Note: The issue can only be exploited if VMware Tools is not fully up-to-date. Windows-based virtual machines are not affected.



Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
Windows - See the IAVM notice and vendor bulletin for additional information.

Vulnerable Applications/Systems:
VMware Workstation 7.1.1 and earlier
VMware Workstation 6.5.4 and earlier
VMware Player 3.1.1 and earlier
VMware Player 2.5.4 and earlier

View the About “Product” from the menu to view version and build numbers.

Alternately, check the version through the Support information link for the program in Add or Remove Programs or in Programs and Features (Vista and later). To expose the version column in Programs and Features right click somewhere in the column headers, select More and select Version.

  _____________________________________________________________

Group ID (Vulid): V-25839
Group Title: 2010-B-0105
Rule ID: SV-32174r1_rule
Severity: CAT II
Rule Version (STIG-ID): 2010-B-0105
Rule Title: Multiple Vulnerabilities in JBoss Enterprise Application Platform


Vulnerability Discussion: Red Hat has addressed multiple vulnerabilities affecting the JBoss Enterprise Application Platform. To exploit these vulnerabilities, an attacker would send malicious packets to the affected system or interact with the vulnerable environment in a malicious manner. If successfully exploited, these vulnerabilities would allow a remote attacker to execute arbitrary code on the affected system and cause denial of service conditions.

At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.
JBoss Drools Input Sanitization Vulnerability - (CVE-2010-3708):
An input sanitization vulnerability was found in the way JBoss Drools implemented certain rule base serialization. If a remote attacker supplied specially-crafted input to a JBoss Seam based application that accepts serialized input, it could lead to arbitrary code execution with the privileges of the JBoss server process.

JMX-Console Cross-Site Request Forgery (CSRF) Vulnerability - (CVE-2010-3878):
A Cross-Site Request Forgery (CSRF) vulnerability was found in the JMX Console. A remote attacker could use this vulnerability to deploy a WAR file of their choosing on the target server, if they are able to trick a user, who is logged into the JMX Console as the admin user, into visiting a specially-crafted web page.

JBoss Remoting Denial of Service Vulnerability - (CVE-2010-3862):
A vulnerability was found in the JBoss Remoting component. A remote attacker could use specially-crafted input to cause the JBoss Remoting listeners to become unresponsive, resulting in a denial of service condition for services communicating via JBoss Remoting sockets.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
See the IAVM notice and vendor bulletin for additional information.

Vulnerable Applications/Systems:
JBoss Enterprise Application Platform 4.3.0 EL4
JBoss Enterprise Application Platform 4.3.0 EL5

Interview the SA to determine version.


Check Content: 
Vulnerable Systems:

JBoss Enterprise Application Platform 4.3.0 EL4
JBoss Enterprise Application Platform 4.3.0 EL5


Compliance Checking:

Determine if jboss is installed via:

      # rpm -qa | grep "^jboss"

OR

      # pkginfo

  _____________________________________________________________

Group ID (Vulid): V-25856
Group Title: 2010-B-0112
Rule ID: SV-32196r2_rule
Severity: CAT II
Rule Version (STIG-ID): 2010-B-0112
Rule Title: Citrix Web Interface Cross-Site Scripting Vulnerability


Vulnerability Discussion: Citrix has reported a cross-site scripting vulnerability affecting certain versions of Citrix Web Interface. The Web Interface is an application deployment system that provides users with access to applications through a standard Web browser. To exploit this vulnerability, an attacker would entice a user to follow a malicious URI sent via email or hosted on a webpage. If successfully exploited, this vulnerability would allow a remote attacker to execute arbitrary code in the user's browser in the context of the affected system and gain access to sensitive information.
At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
See the IAVM notice and vendor bulletin for additional information.

Vulnerable Applications/Systems:
Citrix Web Interface, all 5.x versions up to and including version 5.3.

The version can be checked by looking at the folder name: \Program Files\Citrix\Web Interface\<Version Number>

Note: System administrators should refer to the Citrix Security Advisory to determine affected applications/system and appropriate fix actions.


Check Content: 
Vulnerable Systems:

Citrix Web Interface, all 5.x versions up to and including version 5.3


Compliance Checking:

Determine if any Citrix users have been placed in the /etc/passwd file:
      # grep "^ctx" /etc/passwd

And

Search the system for a web interface configuration file WebInterface.conf, Webinterface.conf or webinterface.conf.

      # find / -type f -name <web interface configuration file>

If the configuration file is found, examine the Version Key:
      # grep -i "Version=" <configuration

  _____________________________________________________________

Group ID (Vulid): V-25866
Group Title: 2010-B-0118
Rule ID: SV-32213r1_rule
Severity: CAT I
Rule Version (STIG-ID): 2010-B-0118
Rule Title: HP StorageWorks Unauthorized Access Vulnerability


Vulnerability Discussion: Hewlett Packard has released a customer advisory addressing a vulnerability in HP StorageWorks Systems. HP StorageWorks is a storage array solution. To exploit this vulnerability, an attacker would take advantage of a hidden default administrator account for malicious purposes. Successful exploitation of this vulnerability would result in the complete compromise of affected systems.
At this time, the default admin account name and password are publicly disclosed; USCYBERCOM is not aware of any DoD related incidents.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-25868
Group Title: 2011-B-0001
Rule ID: SV-32223r1_rule
Severity: CAT I
Rule Version (STIG-ID): 2011-B-0001
Rule Title: HP Multiple LaserJet Printers Information Disclosure Vulnerability


Vulnerability Discussion: Hewlett-Packard has released a security bulletin addressing a vulnerability affecting various HP LaserJet printers. To exploit this vulnerability, an attacker would send a malicious URI request to an affected system. If successfully exploited, this vulnerability would allow an attacker to gain access to sensitive information.

At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.
HP LaserJet Printers PJL Directory Traversal Vulnerability - (CVE-2010-4107):
A potential security vulnerability has been identified with HP LaserJet MFP printers, HP Color LaserJet MFP printers, and certain HP LaserJet printers. The vulnerability could be exploited remotely to gain unauthorized access to files.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
See the IAVM notice and vendor bulletin for additional information.

Vulnerable Applications/Systems:
HP LaserJet MFP printers (all models with Printer Job Language (PJL) support)
HP Color LaserJet MFP printers (all models with Printer Job Language (PJL) support)
HP LaserJet 4100 series
HP LaserJet 4200 series
HP LaserJet 4300 series
HP LaserJet 5100 series
HP LaserJet 8150 series
HP LaserJet 9000 series

Note: System administrators should refer to the HP Security Bulletin to determine affected applications/system and appropriate fix actions. Implementation of the recommended mitigation will constitute compliance with this IAVB.

Vendor Recommended Mitigation
Files within the printer can be accessed using the Printer Job Language (PJL) interface to exploit a directory traversal vulnerability.
The vulnerability can be avoided by either one of the following actions:
- disable file system access via the PJL interface
- set a PJL password


Check Content: 
Vulnerable Systems:

HP LaserJet MFP printers (all models with Printer Job Language (PJL) support)
HP Color LaserJet MFP printers (all models with Printer Job Language (PJL) support)
HP LaserJet 4100 series
HP LaserJet 4200 series
HP LaserJet 4300 series
HP LaserJet 5100 series
HP LaserJet 8150 series
HP LaserJet 9000 series


Compliance Checking:

This is not currently an HP-UX/UNIX vulnerability; it is an HP printer vulnerability. For HP-UX, this is not applicable. However, which printers, if any, are enabled or spooled can be determined using HP SMH or the command-line command:

      # lpstat


  _____________________________________________________________

Group ID (Vulid): V-25869
Group Title: 2011-B-0002
Rule ID: SV-32224r1_rule
Severity: CAT II
Rule Version (STIG-ID): 2011-B-0002
Rule Title: IBM WebSphere Service Registry and Repository Vulnerability


Vulnerability Discussion: IBM has addressed a vulnerability affecting IBM WebSphere Service Registry and Repository. The IBM WebSphere Service Registry and Repository is a platform that can communicate with IBM Rational Asset Manager on any of its supported platforms, including Sun Solaris, HP-UX, Linux, Microsoft, and IBM AIX. To exploit this vulnerability, a remote attacker would use various tactics, techniques and procedures to compromise the affected system. If successfully exploited, this vulnerability would allow a remote attacker to compromise the confidentiality, integrity and/or availability of affected systems.

At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.
IBM WebSphere Service Registry and Repository Vulnerability - (CVE-2011-2644):
WebSphere Service Registry and Repository could allow a remote attacker to bypass authentication restrictions, caused by improper validation in the EJB access control. By using the API, an attacker could exploit this vulnerability to bypass authentication and gain access to governance activities on the vulnerable governance EJB.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
See the IAVM notice and vendor bulletin for additional information.

Vulnerable Applications/Systems:
IBM WebSphere Service Registry and Repository 7.0

Fix Action: Apply the latest Fix Pack (7.0.0.1 or later) or APAR IZ72563 (when available)

Note: System administrators should refer to the IBM Internet Security Systems Advisory in the "References section" above to determine affected applications/system and appropriate fix actions.

Check installed applications for affected products.



Check Content: 
Vulnerable Systems:

IBM WebSphere Service Registry and Repository 7.0


Compliance Checking:

After determining the binary is not a Trojan, determine the version of IBM WebSphere Application Server with one of the following commands:

      # versionInfo
Or
      # genVersionReport

Generates the versionReport.html report file in the bin directory on Linux and UNIX-based platforms. The report includes the list of components, fixes, and fix packs.

If the application version is not later than the vulnerable version(s) listed in the "Vulnerable Systems" section, this is a finding.



  _____________________________________________________________

Group ID (Vulid): V-26050
Group Title: 2011-B-0013
Rule ID: SV-32702r1_rule
Severity: CAT I
Rule Version (STIG-ID): 2011-B-0013
Rule Title: Multiple Vulnerabilities in IBM DB2


Vulnerability Discussion: IBM has addressed multiple vulnerabilities in IBM DB2. IBM DB2 is a relational database management system produced by IBM capable of running on various platforms, including AIX, HP-UX, Linux, Solaris and Windows. To exploit these vulnerabilities, an attacker would send malicious data to an affected system. If successfully exploited, these vulnerabilities would allow an attacker to execute arbitrary code, cause a denial of service condition or escalate privileges on the affected system.

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-26076
Group Title: 2011-B-0022
Rule ID: SV-32732r2_rule
Severity: CAT II
Rule Version (STIG-ID): 2011-B-0022
Rule Title: Multiple Vulnerabilities in IDA Pro


Vulnerability Discussion: IDA Pro has addressed multiple vulnerabilities affecting IDA Pro. IDA Pro is a debugger and disassembler available for multiple operating platforms. To exploit these vulnerabilities, the attacker would send a malicious Mach-O file to an affected system and entice a user to open the file. If successfully exploited, these vulnerabilities would allow an attacker to execute arbitrary code in the context of the affected application.

At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.

Mach-O input file loader Vulnerability
A specially crafted Mach-O file could cause a buffer overflow, resulting in a crash or potential code execution.

Conversion of string encodings Vulnerability
The bug could be triggered because of inconsistencies in the handling of UTF8 sequences by the user interface (idag/idaq; discovered in-house).

COFF/EPOC/EXPLOAD input file loaders Vulnerability
Memory allocation was subject to an integer overflow bug. Also, PSX/GEOS loaders had the same bug (discovered in-house).

An 'out-of-memory' exception in the Mach-O input file loader Vulnerability
We do not think that it is exploitable but added more checks to avoid it.

Potential vulnerability in the PEF input file loader


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
See IAVM notice and vendor bulletin for additional information.

Vulnerable Applications/Systems:
IDA Pro versions 5.7
IDA Pro versions 6.0

-If applicable, view Help, About from the application's menu to determine the version

OR

-Ask the SA if the application is installed and if so, have the SA verify the full version information.

OR

-After determining the binary is not a Trojan, perform the following as a non-privileged user to determine the version:

      # idag -v             OR
      # idag -V             OR
      # idag -version       OR
      # idag -VERSION

Check Content: 
Vulnerable Systems:

IDA Pro versions 5.7
IDA Pro versions 6.0


Compliance Checking:

After determining the binary is not a trojan, perform the following as a non-privileged user to determine the version:

      # idag -v             OR
      # idag -V             OR
      # idag -version       OR
      # idag -VERSION


  _____________________________________________________________

Group ID (Vulid): V-26077
Group Title: 2011-B-0021
Rule ID: SV-32733r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2011-B-0021
Rule Title: Multiple Vulnerabilities in IBM Tivoli Access Manager


Vulnerability Discussion: IBM has reported multiple vulnerabilities in IBM Tivoli Access Manager. IBM Tivoli Access Manager is an authentication and authorization solution for corporate web services, operating systems, and existing applications. Tivoli Access Manager runs on various operating system platforms such as Unix (AIX, Solaris, HP-UX), Linux and Microsoft Windows. To exploit these vulnerabilities, an attacker would submit a URI that contains directory-traversal characters to point to an arbitrary file on the web server, which would return unauthorized sensitive information to the attacker. If successfully exploited, these vulnerabilities would allow an attacker to deny service to legitimate users, gain unauthorized access to sensitive information and execute arbitrary code, resulting in the compromise of the affected systems.

At this time, there are known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.
Directory traversal vulnerability (CVE-2011-0494):
Directory traversal vulnerability in WebSEAL in IBM Tivoli Access Manager for e-business 5.1 before 5.1.0.39-TIV-AWS-IF0040, 6.0 before 6.0.0.25-TIV-AWS-IF0026, 6.1.0 before 6.1.0.5-TIV-AWS-IF0006, and 6.1.1 before 6.1.1-TIV-AWS-FP0001 has unspecified impact and attack vectors. NOTE: this might overlap CVE-2010-4622.

Directory traversal vulnerability (CVE-2011-4622):
Directory traversal vulnerability in WebSEAL in IBM Tivoli Access Manager for e-business 6.1.1 before 6.1.1-TIV-AWS-FP0001 on AIX allows remote attackers to read arbitrary files via a %uff0e%uff0e (encoded dot dot) in a URI.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
See IAVM notice and vendor bulletin for additional information.

Vulnerable Applications/Systems:
Access Manager 5.1
Access Manager 6.0
Access Manager 6.1
Access Manager 6.1.1

Note: System administrators should refer to the IBM Advisories to determine affected applications/system and appropriate fix actions.

Check Content: 
Vulnerable Systems:
Access Manager 5.1
Access Manager 6.0
Access Manager 6.1
Access Manager 6.1.1


Compliance Checking:

List the current version of Tivoli Access Manager components installed on the system. This command is located in the /opt/PolicyDirector/sbin/ (default installation) directory on UNIX systems. See example output directly below:


      # pdversion

IBM Tivoli Access Manager Runtime 5.1.0.0
IBM Tivoli Access Manager Policy Server 5.1.0.0
IBM Tivoli Access Manager Web Portal Manager Not Installed
IBM Tivoli Access Manager Application Developer Kit 5.1.0.0
IBM Tivoli Access Manager Authorization Server 5.1.0.0
IBM Tivoli Access Manager Java Runtime Environment Not Installed

  _____________________________________________________________

Group ID (Vulid): V-27639
Group Title: 2011-B-0060
Rule ID: SV-35278r1_rule
Severity: CAT II
Rule Version (STIG-ID): 2011-B-0060
Rule Title: Apache Portable Runtime Denial of Service Vulnerability


Vulnerability Discussion: Apache has addressed a denial of service vulnerability in Apache Portable Runtime (APR) and Apache Portable Runtime Utility. Apache APR is a library of utility functions used by several applications, including the Apache HTTP server. To exploit this vulnerability, a remote attacker would submit a malicious request in the form of a crafted URI. Successful exploitation of this vulnerability would result in a denial of service condition on affected systems.

At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.
Apache Denial of Service Vulnerability - (CVE-2011-1928):
The fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime (APR) library 1.4.3 and 1.4.4, and the Apache HTTP Server 2.2.18, allows remote attackers to cause a denial of service (infinite loop) via a URI that does not match unspecified types of wildcard patterns, as demonstrated by attacks against mod_autoindex in httpd when a /*/WEB-INF/ configuration pattern is used.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
See IAVM notice and vendor bulletin for additional information.

Vulnerable Applications/Systems:
Apache Portable Runtime (APR) prior to 1.4.5
Apache Portable Runtime Utility (APR-util) prior to 1.3.12

Upgrade to non-vulnerable version of affected product.

Note: System administrators should refer to the Apache Release Announcement to determine affected applications/system and appropriate fix actions.
  _____________________________________________________________

Group ID (Vulid): V-28308
Group Title: 2011-A-0072
Rule ID: SV-36036r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2011-A-0072
Rule Title: IBM Tivoli Management Framework Remote Code Execution Vulnerability


Vulnerability Discussion: IBM has addressed a remote code execution vulnerability in the IBM Tivoli Management Framework. IBM Tivoli Management Framework is the foundation for a suite of management applications that facilitates enterprise network and system management. To exploit this vulnerability, a remote attacker would send a malicious request to a vulnerable IBM Tivoli Endpoint. If successfully exploited, this vulnerability would allow an attacker to compromise affected systems.

At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.
IBM Tivoli Endpoint Buffer Overflow Vulnerability - (CVE-2011-1220):
Stack-based buffer overflow in lcfd.exe in Tivoli Endpoint in IBM Tivoli Management Framework 3.7.1, 4.1, 4.1.1, and 4.3.1 allows remote authenticated users to execute arbitrary code via a long opts field. The specific flaw exists within the lcfd.exe process which listens by default on TCP port 9495. To reach this page remotely authentication is required. However, by abusing a built-in account an attacker can access the restricted pages. While parsing requests to one of these, the process blindly copies the contents of a POST variable to a 256 byte stack buffer. This can be leveraged by a remote attacker to execute arbitrary code under the context of the SYSTEM user.


Mitigations: 
IBM workaround

Mitigation Control: 
IBM has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POAM to help block known attack vectors until required compliance actions can be completed.

Workaround
In case it is not possible to apply the patch quickly, you can work around the issue by disabling the function to change the configuration from a web browser. Use either of the following values for the http_disable configuration option on the endpoint:

1 Anyone can use a browser to view the configuration data, but no one can use a browser to reconfigure the endpoint.
2 No one can use a browser to view or reconfigure the endpoint.

Follow these steps to change the http_disable configuration option on the endpoint:

1. Run the wep command:
wep endpoint_label set_config http_disable=1 (or 2)

2. Restart the endpoint


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
See IAVM notice and vendor bulletin for additional information.

Vulnerable Applications/Systems:
IBM Tivoli Management Framework 3.7.1
IBM Tivoli Management Framework 4.1
IBM Tivoli Management Framework 4.1.1
IBM Tivoli Management Framework 4.3.1

Check the application's version number using either of the following commands:

wep

or

wepstatus

Update to a supported version of IBM Tivoli Management Framework and apply the appropriate patches.

Note: System administrators should refer to the IBM Security Advisory to determine affected applications/system and appropriate fix actions.

Check Content: 
See the IAVM notice and vendor bulletin for additional information.

Note: System administrators should refer to the IBM Advisories to determine affected applications/system and appropriate fix actions.

Vulnerable Systems:

IBM Tivoli Management Framework 3.7.1
IBM Tivoli Management Framework 4.1
IBM Tivoli Management Framework 4.1.1
IBM Tivoli Management Framework 4.3.1

Check Content:

To determine the version of Tivoli Storage Manager using the graphical user interface, click on Help and choose About TSM.

In case it is not possible to apply the patch quickly, you can work around the issue by disabling the function to change the configuration from a web browser. Use either of the following values for the http_disable configuration option on the endpoint:

"1" Anyone can use a browser to view the configuration data, but no one can use a browser to reconfigure the endpoint.
"2" No one can use a browser to view or reconfigure the endpoint.

Follow these steps to change the http_disable configuration option on the endpoint:

1. Run the wep command:
wep endpoint_label set_config http_disable=1 (or 2)

2. Restart the endpoint
  _____________________________________________________________

Group ID (Vulid): V-28311
Group Title: 2011-A-0075
Rule ID: SV-36039r1_rule
Severity: CAT I
Rule Version (STIG-ID): 2011-A-0075
Rule Title: Multiple Vulnerabilities in VMware Products


Vulnerability Discussion: VMware has released a security advisory addressing multiple vulnerabilities affecting various VMware products. To exploit these vulnerabilities, attackers would utilize various TTPs (Tactics, Techniques and Procedures). Successful exploitation of the most serious of these vulnerabilities would result in the complete compromise of affected systems.

At this time, there are known exploits associated with some of the identified vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.

e1000 Driver Packet Filter Bypass Vulnerability - (CVE-2009-4536):
There is an issue in the Service Console e1000 Linux driver for Intel PRO/1000 adapters that allows a remote attacker to bypass packet filters.

SCSI Driver Denial of Service / Possible Privilege Escalation Vulnerability - (CVE-2009-3080):
A local attacker can achieve a denial of service and possibly a privilege escalation via a vulnerability in the Linux SCSI drivers.

IPv4 Remote Denial of Service Vulnerability - (CVE-2010-1188):
A remote attacker can achieve a denial of service via an issue in the kernel IPv4 code.

Kernel Memory Management Arbitrary Code Execution Vulnerability - (CVE-2010-2240):
A context-dependent attacker can execute arbitrary code via a vulnerability in a kernel memory handling function.

Mount.vmhgfs Privilege Escalation Vulnerability - (CVE-2011-2145):
Privilege escalation via a procedural error that allows an attacker with access to the guest operating system to gain write access to an arbitrary file in the Guest filesystem. This issue only affects Solaris and FreeBSD Guest Operating Systems.

Mount.vmhgfs Information Disclosure Vulnerability - (CVE-2011-2146):
Information disclosure via a vulnerability that allows an attacker with access to the Guest to determine if a path exists in the Host filesystem and whether it is a file or directory regardless of permissions.

Mount.vmhgfs Privilege Escalation Vulnerability - (CVE-2011-1787):
Privilege escalation via a race condition that allows an attacker with access to the guest to mount on arbitrary directories in the Guest filesystem and achieve privilege escalation if they can control the contents of the mounted directory.

VI Client Memory Corruption Vulnerability - (CVE-2011-2217):
VI Client COM objects can be instantiated in Internet Explorer which may cause memory corruption. An attacker who succeeded in making the VI Client user visit a malicious Web site could execute code on the user's system within the security context of that user.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
See IAVM notice 2011-A-0075 or VMware Security Advisory for additional information.

Vulnerable Applications/Systems:
VMware Workstation prior to 7.1.4
VMware Player prior to 3.1.4
VMware Fusion prior to 3.1.3

ESXi 4.1 without patch ESXi410-201104001
ESXi 4.0 without patch ESXi400-201104001
ESX 4.1 without patch ESXi410-201104001
ESX 4.0 without patch ESX400-201104001
ESXi 3.5 without patch ESXe350-201105401-O-SG

ESX 3.5 without the following patches:
ESX350-201105401-SG
ESX350-201105404-SG
ESX350-201105406-SG

VI Clients bundled with VMware Infrastructure 3:
VI Client 2.0.2 prior to Build 230598
VI Client 2.5 prior to Build 204931
  _____________________________________________________________

Group ID (Vulid): V-28599
Group Title: 2011-B-0069
Rule ID: SV-36383r1_rule
Severity: CAT I
Rule Version (STIG-ID): 2011-B-0069
Rule Title: HP OpenView Storage Data Protector Remote Code Execution Vulnerability


Vulnerability Discussion: Hewlett Packard has addressed a vulnerability affecting HP OpenView Storage Data Protector. HP OpenView Storage Data Protector is a commercial data-management product for backup and recovery operations. To exploit this vulnerability, a remote attacker would utilize various tactics, techniques and procedures (TTP). If successfully exploited, this vulnerability would allow a remote attacker to execute arbitrary code and compromise the affected system.

At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.

HP OpenView Storage Data Protector Unspecified Code Execution Vulnerability - (CVE-2011-1864):
An unspecified vulnerability in HP OpenView Storage Data Protector 6.0, 6.10, and 6.11 allows remote attackers to execute arbitrary code via unknown vectors.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
See IAVM notice and vendor bulletin for additional information.

Vulnerable Applications/Systems:
HP-UX, Solaris, Linux and Windows Platforms:
HP OpenView Storage Data Protector 6.0
HP OpenView Storage Data Protector 6.10
HP OpenView Storage Data Protector 6.11

Note: System administrators should refer to the HP Security Bulletin to determine affected applications/systems and appropriate fix actions.
  _____________________________________________________________

Group ID (Vulid): V-28950
Group Title: 2011-B-0071
Rule ID: SV-36941r1_rule
Severity: CAT I
Rule Version (STIG-ID): 2011-B-0071
Rule Title: Multiple Vulnerabilities in Adobe LiveCycle and BlazeDS


Vulnerability Discussion: Adobe has released a security bulletin addressing multiple vulnerabilities in LiveCycle and BlazeDS. To exploit these vulnerabilities, a remote attacker would create a malicious document and entice a user of an affected system to access the document. If successfully exploited, these vulnerabilities would allow a remote attacker to compromise an affected system.

At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.

Adobe LiveCycle and BlazeDS Deserialization Vulnerability - (CVE-2011-2092):
Adobe LiveCycle Data Services 3.1 and earlier, LiveCycle 9.0.0.2 and earlier, and BlazeDS 4.0.1 and earlier do not properly restrict creation of classes during deserialization of (1) AMF and (2) AMFX data, which allows attackers to have an unspecified impact via unknown vectors, related to a "deserialization vulnerability."

Adobe LiveCycle and BlazeDS Denial of Service Vulnerability - (CVE-2011-2093):
Adobe LiveCycle Data Services 3.1 and earlier, LiveCycle 9.0.0.2 and earlier, and BlazeDS 4.0.1 and earlier do not properly handle object graphs, which allows attackers to cause a denial of service via unspecified vectors, related to a "complex object graph vulnerability."


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
See the IAVM notice and vendor bulletin for additional information.

Vulnerable Applications/Systems:
LiveCycle Data Services 3.1 and earlier versions for Windows, Macintosh and UNIX
LiveCycle Data Services 2.6.1 and earlier versions for Windows, Macintosh and UNIX
LiveCycle Data Services 2.5.1 and earlier versions for Windows, Macintosh and UNIX
LiveCycle 9.0.0.2 and earlier versions for Windows, Linux and UNIX
LiveCycle 8.2.1.3 and earlier versions for Windows, Linux and UNIX
LiveCycle 8.0.1.3 and earlier versions for Windows, Linux and UNIX
BlazeDS 4.0.1 and earlier versions

Check the application’s version number by using the Help, About menu.

Alternately, check the version through the Support information link for the program in Add or Remove Programs or in Programs and Features (Vista/2008/Win 7). To expose the version column in Programs and Features right click somewhere in the column headers, select More and select Version.
  _____________________________________________________________

Group ID (Vulid): V-29345
Group Title: 2011-B-0077
Rule ID: SV-38008r1_rule
Severity: CAT II
Rule Version (STIG-ID): 2011-B-0077
Rule Title: MIT Kerberos Remote Privilege Escalation Vulnerability


Vulnerability Discussion: Massachusetts Institute of Technology (MIT) has addressed a vulnerability affecting MIT Kerberos 5 (krb5) in the FTP daemon. Kerberos is a network authentication protocol designed to provide strong authentication for client/server applications by using secret-key cryptography. An authenticated remote user can gain unauthorized read or write access to files whose group owner is the initial effective group ID of the FTP daemon process. If successfully exploited, this vulnerability would allow an attacker to gain unauthorized access to the affected system.

At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.

MIT Kerberos krb5-appl FTP Daemon EGID Remote Privilege Escalation Vulnerability - (CVE-2011-1526):
The vulnerability results from two interacting flaws: omission of required autoconf tests, causing krb5_setegid() to always fail, and the FTP daemon's failure to check for the successful execution of krb5_setegid().

The FTP daemon calls the portability macro krb5_setegid() from k5-util.h, which is intended to wrap or emulate the POSIX interface setegid(). The definition of the macro depends on macros that the autoconf configure script defines (based on tests of the target platform environment) when it runs. When the krb5 application programs moved out of the main krb5 source tree, the new configure script inadvertently omitted the necessary autoconf tests for setegid() and related legacy interfaces. If no setegid() equivalent appears to exist on the system, k5-util.h defines krb5_setegid() to always fail with errno EPERM. Since the relevant autoconf tests never execute, k5-util.h will always define krb5_setegid() to fail.

The FTP daemon does not check the return value of krb5_setegid(), so it silently fails to set its effective GID, allowing users to gain unauthorized access using the effective GID that the daemon process started with.
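The two interacting flaws described above, shown as an added C illustration that is not MIT's code: a constructed stand-in for the always-failing fallback macro, the daemon's unchecked call beside a version that checks the result and verifies the effective GID before continuing. The names fallback_setegid, change_group_unchecked and change_group_checked are inventions of this example.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Redeclared explicitly so the block also builds under a strict -std= mode
 * where glibc hides the prototype. */
int setegid(gid_t gid);

/* Constructed stand-in for the k5-util.h fallback the advisory describes:
 * with the autoconf tests never run, krb5_setegid() was defined to always
 * fail with errno EPERM. This models that macro; it is not MIT's code. */
static int fallback_setegid(gid_t gid)
{
    (void)gid;
    errno = EPERM;
    return -1;
}

/* Flawed pattern (mirrors the daemon): the return value is discarded, so
 * the process silently keeps the EGID it started with while the caller
 * believes it has switched. Returns the EGID actually in effect afterwards. */
static gid_t change_group_unchecked(int (*setegid_fn)(gid_t), gid_t target)
{
    setegid_fn(target);           /* failure goes unnoticed here */
    return getegid();
}

/* Hardened pattern: fail closed. Returns 0 only when the call reports
 * success AND the effective GID really is the requested one; otherwise
 * -1 with errno set, so the caller can refuse to serve the request. */
static int change_group_checked(int (*setegid_fn)(gid_t), gid_t target)
{
    if (setegid_fn(target) != 0)
        return -1;                /* errno left as set by setegid_fn */
    if (getegid() != target) {
        errno = EPERM;            /* "succeeded" but had no effect */
        return -1;
    }
    return 0;
}

int main(void)
{
    gid_t start = getegid();
    gid_t target = start + 1;     /* constructed: a group we do not hold */

    gid_t after = change_group_unchecked(fallback_setegid, target);
    printf("unchecked: wanted EGID %u, still running as %u\n",
           (unsigned)target, (unsigned)after);

    if (change_group_checked(fallback_setegid, target) != 0)
        perror("checked: refusing to continue, setegid failed");

    /* Re-setting the EGID a process already holds is always permitted,
     * so this exercises the real setegid() without needing privileges. */
    if (change_group_checked(setegid, start) == 0)
        printf("checked: real setegid() to current EGID %u OK\n",
               (unsigned)start);
    return 0;
}
```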


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-29528
Group Title: 2011-B-0086
Rule ID: SV-38762r1_rule
Severity: CAT II
Rule Version (STIG-ID): 2011-B-0086
Rule Title: Multiple Vulnerabilities in Red Hat JBoss Products


Vulnerability Discussion: Red Hat has addressed multiple vulnerabilities affecting JBoss products that use JBoss Seam 2 framework. The JBoss Seam 2 framework is an application framework for building web applications in Java. To exploit these vulnerabilities, an attacker would send a malicious web link to an affected application that uses the JBoss Seam framework. If successfully exploited, these vulnerabilities would allow a remote attacker to execute arbitrary code resulting in the complete compromise of affected systems.

At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.

JBoss Seam Expression Language (EL) Remote Code Execution Vulnerability - (CVE-2011-2196):
JBoss Seam 2 did not block access to all malicious JBoss Expression Language (EL) constructs in page exception handling, allowing arbitrary Java methods to be executed. A remote attacker could use this vulnerability to execute arbitrary code via a specially-crafted URL provided to certain applications based on the JBoss Seam 2 framework. Note: this vulnerability exists because of an incomplete fix for CVE-2011-1484.

JBoss Seam Expression Language (EL) Remote Code Execution Vulnerability - (CVE-2011-1484):
It was found that JBoss Seam 2 did not properly block access to JBoss Expression Language (EL) constructs in page exception handling, allowing arbitrary Java methods to be executed. A remote attacker could use this vulnerability to execute arbitrary code via a specially-crafted URL provided to certain applications based on the JBoss Seam 2 framework.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-29565
Group Title: 2011-B-0089
Rule ID: SV-39057r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2011-B-0089
Rule Title: Multiple Vulnerabilities in Sybase Products


Vulnerability Discussion: Sybase has addressed multiple vulnerabilities affecting Sybase products. To exploit these vulnerabilities, an attacker would utilize various tactics, techniques and procedures. If successfully exploited, these vulnerabilities would allow an attacker to compromise the affected system.

At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.

Sybase Malformed TDS Vulnerability:
An array indexing vulnerability within Sybase Backup and Monitor Server when handling certain login packets can be exploited to corrupt memory. The specific flaw exists within the way Sybase Backup and Monitor servers handle certain data in the login packets. Malformed packets can cause the service in question to look up a function pointer outside a predefined function pointer array. It is possible to set this function pointer to an address where user controlled data exists, and this will result in code execution under the rights of the user running the Monitor Server.

Sybase Login Packet Vulnerability:
A vulnerability within Sybase Backup and Monitor Server when handling certain login packets can be exploited to write a NULL byte to an arbitrary memory location on the stack. The specific flaw exists within the way Sybase Backup and Monitor servers handle certain data in the login packets. Malformed packets can cause the service in question to write a NULL byte on the stack, which can be leveraged by a remote attacker to execute code under the context of the running service.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
See IAVM notice or vendor bulletin for additional information.

Vulnerable Applications/Systems:
Open Server 15.5 and earlier
Adaptive Server Enterprise (ASE) prior to 15.0.3 ESD#4 ONE-Off
Adaptive Server Enterprise (ASE) prior to 15.0.3 CE ONE-Off
Adaptive Server Enterprise (ASE) prior to 15.5 ESD#4
Adaptive Server Enterprise (ASE) prior to 15.5 CE ESD#4
Replication Server prior to 15.1-15.5 ESD#2 ONE-Off
Replication Server prior to 15.6 ESD#1
ECDA prior to 15.0 ESD#6
MFC/DC prior to 15.0 ESD#6
RAP - The Trading Edition prior to R4.1
OpenSwitch prior to 15.1 ESD#5
EAServer prior to 6.3.1 ESD#3

Note: System administrators should refer to the Sybase Security Advisory to determine affected applications/systems and appropriate fix actions.

Check Content: 
Vulnerable Versions:
Open Server 15.5 and earlier
Adaptive Server Enterprise (ASE) prior to 15.0.3 ESD#4 ONE-Off
Adaptive Server Enterprise (ASE) prior to 15.0.3 CE ONE-Off
Adaptive Server Enterprise (ASE) prior to 15.5 ESD#4
Adaptive Server Enterprise (ASE) prior to 15.5 CE ESD#4
Replication Server prior to 15.1 ESD#2 ONE-Off
Replication Server prior to 15.2 ESD#3 ONE-Off
Replication Server prior to 15.5 ESD#1 ONE-Off
Replication Server prior to 15.6 ESD#1
ECDA prior to 15.0 ESD#6
MFC/DC prior to 15.0 ESD#6
RAP - The Trading Edition prior to R4.1
OpenSwitch prior to 15.1 ESD#5
EAServer prior to 6.3.1 ESD#3

Note: Within the ASE Bundle, only the supplemental servers are affected. That is Backup Server, Monitor Server, Historical Server, XP Server, and Job Scheduler. The ASE Server itself is not affected by this issue.

Fix Action: Update to the non-vulnerable versions.
  _____________________________________________________________

Group ID (Vulid): V-29566
Group Title: 2011-B-0090
Rule ID: SV-39058r1_rule
Severity: CAT II
Rule Version (STIG-ID): 2011-B-0090
Rule Title: Multiple Vulnerabilities in HP Network Automation


Vulnerability Discussion: Hewlett-Packard (HP) has addressed multiple vulnerabilities affecting HP Network Automation running on Linux, Solaris, and Windows Platforms. HP Network Automation is an application for managing network data. To exploit these vulnerabilities, an attacker would send malicious requests to an affected application or entice a user to view malicious data sent via email or hosted on a website. If successfully exploited, these vulnerabilities would allow an attacker to execute arbitrary code resulting in the compromise of affected systems.

At this time, there are known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.
HP Network Automation Unspecified Cross Site Scripting Vulnerability - (CVE-2011-2402):
Certain unspecified input is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

HP Network Automation SQL Injection Vulnerability - (CVE-2011-2403):
Certain unspecified input is not properly sanitized before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.



Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
See IAVM notice 2011-B-0090 or vendor bulletin for additional information.

Vulnerable Applications/Systems:
HP Network Automation v7.2x
HP Network Automation v7.5x
HP Network Automation v7.6x
HP Network Automation v9.0
HP Network Automation v9.10

Apply HP patches and hotfix.

System administrators should refer to the HP Security Bulletin to determine affected applications/systems and appropriate fix actions.
  _____________________________________________________________

Group ID (Vulid): V-29567
Group Title: 2011-B-0091
Rule ID: SV-39059r1_rule
Severity: CAT I
Rule Version (STIG-ID): 2011-B-0091
Rule Title: HP Operations Manager Arbitrary File Deletion Vulnerability


Vulnerability Discussion: Hewlett-Packard (HP) has addressed a vulnerability affecting HP OpenView Operations Manager. HP Operations Manager is an application for managing IT infrastructure. To exploit this vulnerability, an attacker would send malicious requests to an affected system. If successfully exploited, this vulnerability would allow a remote unauthenticated attacker to delete arbitrary files on the affected system.

At this time, there are known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.

HP Performance Agent and HP Operations Agent, Remote Arbitrary File Deletion - (CVE-2011-2608):
A potential security vulnerability has been identified in HP Performance Agent and HP Operations Agent. The vulnerability can be exploited by remote unauthenticated users to delete arbitrary files.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
See the IAVM notice and vendor bulletin for additional information.

Vulnerable Applications/Systems:
HP Performance Agent v5.0, and v4.70
HP Operations Agent v11.0, v8.60.0xx, v8.60.5xx

Apply HP patches and hotfix.

System administrators should refer to the HP Security Bulletin to determine affected applications/systems and appropriate fix actions.
  _____________________________________________________________

Group ID (Vulid): V-29569
Group Title: 2011-B-0092
Rule ID: SV-39061r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2011-B-0092
Rule Title: HP OpenView Data Protector Denial of Service Vulnerability


Vulnerability Discussion: Hewlett Packard has addressed a vulnerability affecting HP OpenView Data Protector in the media management daemon (mmd). HP OpenView Data Protector is a commercial data-management product for backup and recovery operations. To exploit this vulnerability, an attacker would send a malicious request to the affected application. If successfully exploited, this vulnerability would allow a remote attacker to cause a denial of service condition.

At this time, there are known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.

HP Data Protector Media Management Daemon (mmd) Denial of Service Vulnerability - (CVE-2011-2399):
A potential security vulnerability has been identified with HP Data Protector's Media Management Daemon (mmd). The vulnerability could be remotely exploited to create a Denial of Service (DoS).


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
See the IAVM notice and vendor bulletin for additional information.

Vulnerable Applications/Systems:
Media Management Daemon (mmd) running on HP-UX, Linux, Solaris and 32-bit Windows platforms.
HP Data Protector v6.0
HP Data Protector v6.10
HP Data Protector v6.11

Apply HP patches and hotfix.

System administrators should refer to the HP Security Bulletin to determine affected applications/systems and appropriate fix actions.

Check Content: 
Download and apply the appropriate patches from the vendor. See the IAVM notice and vendor bulletin for additional information.

Vulnerable Applications/Systems:
Media Management Daemon (mmd) running on HP-UX, Linux, Solaris and 32-bit Windows platforms.
HP Data Protector v6.0
HP Data Protector v6.10
HP Data Protector v6.11


Interview the SA to determine if patch has been installed.
  _____________________________________________________________

Group ID (Vulid): V-29572
Group Title: 2011-B-0093
Rule ID: SV-39064r1_rule
Severity: CAT II
Rule Version (STIG-ID): 2011-B-0093
Rule Title: Multiple Vulnerabilities in HP SiteScope


Vulnerability Discussion: Hewlett-Packard (HP) has addressed multiple vulnerabilities affecting HP SiteScope. HP SiteScope is an agentless monitoring application for IT infrastructures. To exploit these vulnerabilities, an attacker would entice a user to view a malicious HTML file sent via email or hosted on a website. If successfully exploited, these vulnerabilities would allow an attacker to execute arbitrary code resulting in the compromise of an affected system.

At this time, there are known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.

HP SiteScope Unspecified Cross Site Scripting Vulnerability - (CVE-2011-2400):
Certain unspecified input is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

HP SiteScope Unspecified Session Fixation Vulnerability - (CVE-2011-2401):
A vulnerability in the handling of sessions can be exploited to hijack another user's session by tricking the user into logging in after following a specially crafted link.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
See the IAVM notice and vendor bulletin for additional information.

Vulnerable Applications/Systems:
Linux, Solaris, and Windows Platforms:
HP SiteScope v9.x and earlier
HP SiteScope v10.x and earlier
HP SiteScope v11.x and earlier

Apply HP patches and hotfix.

System administrators should refer to the HP Security Bulletin to determine affected applications/systems and appropriate fix actions.
  _____________________________________________________________

Group ID (Vulid): V-29735
Group Title: 2011-A-0109
Rule ID: SV-39268r1_rule
Severity: CAT I
Rule Version (STIG-ID): 2011-A-0109
Rule Title: Adobe Flash Media Server Memory Corruption Remote Denial of Service Vulnerability


Vulnerability Discussion: Adobe has released a security bulletin addressing a vulnerability in Adobe Flash Media Server. To exploit this vulnerability, a remote attacker would send malicious data to an affected system. If successfully exploited, this vulnerability would allow an attacker to cause a denial of service condition and compromise the affected systems.

At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.
Adobe Flash Media Server Memory Corruption Remote Denial of Service Vulnerability - (CVE-2011-2132):
A critical vulnerability has been identified in Adobe Flash Media Server (FMS) 4.0.2 and earlier versions, and Adobe Flash Media Server (FMS) 3.5.6 and earlier versions for Windows and Linux. The vulnerability could allow an attacker, who successfully exploits the vulnerability, to cause a denial of service on the affected system.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
Windows – Download and apply the appropriate patches from the vendor. See IAVM notice and vendor bulletin for additional information.

Vulnerable Applications/Systems:
Adobe Flash Media Server 4.0.2 and earlier versions for Windows and Linux
Adobe Flash Media Server 3.5.6 and earlier versions for Windows and Linux

Check the application’s version number:
Windows - Open "Flash Media Administration Console" from Start -> All Programs -> Adobe -> Flash Media Server. Click on Flash Media Server and log in using your credentials. After login, click on "Manage Servers" and then on "License"; the version and edition of Flash Media Server installed will be displayed.

Alternately, check the version through the Support information link for the program in Add or Remove Programs or in Programs and Features (Vista/2008/Win 7). To expose the version column in Programs and Features right click somewhere in the column headers, select More and select Version.
  _____________________________________________________________

Group ID (Vulid): V-29948
Group Title: 2011-B-0108
Rule ID: SV-39513r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2011-B-0108
Rule Title: Multiple Buffer Overflow Vulnerabilities in Symantec Veritas Enterprise Administrator Service


Vulnerability Discussion: Symantec has released a security advisory addressing buffer overflow vulnerabilities in various Symantec products. To exploit these vulnerabilities, an attacker would create and send a malicious request to an affected system. If successfully exploited, these vulnerabilities would allow the remote attacker to execute arbitrary code with system level privileges resulting in the compromise of affected systems.

At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 

Symantec workaround
Symantec has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.

WORKAROUND:
Until patches are available and/or applied, customers are advised to implement the following workaround to protect their installations:

Disable Veritas Enterprise Administrator (vxsvc) service via the following commands:

UNIX Platform
HP-UX
/sbin/init.d/isisd stop
mv /opt/VRTSob/bin/vxsvc /opt/VRTSob/bin/vxsvc.do_not_start

Solaris
/etc/init.d/isisd stop
mv /opt/VRTSob/bin/vxsvc /opt/VRTSob/bin/vxsvc.do_not_start

For startup scripts in Solaris Management Framework (SMF):

svcadm disable svc:/system/vxsvc
mv /opt/VRTSob/bin/vxsvc /opt/VRTSob/bin/vxsvc.do_not_start

AIX
/etc/rc.d/rc2.d/isisd stop
mv /opt/VRTSob/bin/vxsvc /opt/VRTSob/bin/vxsvc.do_not_start

Linux
/etc/init.d/isisd stop
mv /opt/VRTSob/bin/vxsvc /opt/VRTSob/bin/vxsvc.do_not_start


Windows platform

net stop vxob
sc config vxob start= disable


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
Download and apply the appropriate patches from the vendor. See IAVM notice and vendor bulletin for additional information.

Vulnerable Applications/Systems:
Veritas Storage Foundation for Windows
Version: 5.0, 5.0RP1, 5.0RP2, 5.1, 5.1SP1, 5.1SP2
Platform: Windows 2000, Windows 2003, Windows 2008

Veritas Storage Foundation for Windows High Availability (SFWHA)
Version: 5.0, 5.0RP1, 5.0RP2, 5.1, 5.1SP1, 5.1SP2
Platform: Windows 2000, Windows 2003, Windows 2008

Veritas Storage Foundation (SF)
Version: 3.5 (HP-UX only), 4.1 (HP-UX only), 5.0, 5.0.1, 5.0MP1, 5.0MP2, 5.0MP3, 5.1, 5.1SP1
Platform: All supported platforms

Veritas Storage Foundation for High Availability (SFHA)
Version: 5.0, 5.0.1, 5.0MP1, 5.0MP2, 5.0MP3, 5.1, 5.1SP1
Platform: All supported platforms

Veritas Storage Foundation for Oracle (SFO)
Version: 5.0, 5.0.1, 5.0MP1, 5.0MP2, 5.0MP3, 5.1, 5.1SP1
Platform: All supported platforms

Veritas Storage Foundation for DB2
Version: 5.0, 5.0.1, 5.0MP1, 5.0MP2, 5.0MP3, 5.1, 5.1SP1
Platform: All supported platforms

Veritas Storage Foundation for Sybase
Version: 5.0, 5.0.1, 5.0MP1, 5.0MP2, 5.0MP3, 5.1, 5.1SP1
Platform: Solaris

Veritas Storage Foundation for Real Application Cluster (SFRAC)
Version: 5.0, 5.0.1, 5.0MP1, 5.0MP2, 5.0MP3, 5.1, 5.1SP1
Platform: All supported platforms

Veritas Storage Foundation Cluster File System (SFCFS)
Version: 5.0, 5.0.1, 5.0MP1, 5.0MP2, 5.0MP3, 5.1, 5.1SP1
Platform: All supported platforms

Veritas Storage Foundation Cluster File System Enterprise for Oracle RAC (SFCFSORAC)
Version: 5.0 MP2, 5.0 MP3, 5.0 MP4, 5.0 RU3, 5.0 RU4, 5.1, 5.1 SP1 RP1, 5.1 SP1 RP2
Platform: Linux

Veritas Dynamic Multi-Pathing (DMP)
Version: 5.1
Platform: Windows

Symantec NetBackup PureDisk
Version: 6.5.x, 6.6, 6.6.0.x, 6.6.1, 6.6.1.x
Platform: Linux

Note: Product versions prior to those listed above are NOT supported. Customers running legacy product versions should upgrade and apply available updates. Symantec FileStore (SFS) is not affected in the default configuration.

Check the application’s version number by using the Help & Support, About menu.

Alternately, check the version through the Support information link for the program in Add or Remove Programs or in Programs and Features (Vista/2008/Win 7). To expose the version column in Programs and Features right click somewhere in the column headers, select More and select Version.

Note: System administrators should refer to the Symantec Security Advisory to determine affected applications/systems and appropriate fix actions.

Check Content: 
Download and apply the appropriate patches from the vendor. See the IAVM notice and vendor bulletin for additional information.

Vulnerable Applications/Systems:

Veritas Storage Foundation for Windows
Version: 5.0, 5.0RP1, 5.0RP2, 5.1, 5.1SP1, 5.1SP2
Platform: Windows 2000, Windows 2003, Windows 2008

Veritas Storage Foundation for Windows High Availability (SFWHA)
Version: 5.0, 5.0RP1, 5.0RP2, 5.1, 5.1SP1, 5.1SP2
Platform: Windows 2000, Windows 2003, Windows 2008

Veritas Storage Foundation (SF)
Version: 3.5 (HP-UX only), 4.1 (HP-UX only), 5.0, 5.0.1, 5.0MP1, 5.0MP2, 5.0MP3, 5.1, 5.1SP1
Platform: All supported platforms

Veritas Storage Foundation for High Availability (SFHA)
Version: 5.0, 5.0.1, 5.0MP1, 5.0MP2, 5.0MP3, 5.1, 5.1SP1
Platform: All supported platforms

Veritas Storage Foundation for Oracle (SFO)
Version: 5.0, 5.0.1, 5.0MP1, 5.0MP2, 5.0MP3, 5.1, 5.1SP1
Platform: All supported platforms

Veritas Storage Foundation for DB2
Version: 5.0, 5.0.1, 5.0MP1, 5.0MP2, 5.0MP3, 5.1, 5.1SP1
Platform: All supported platforms

Veritas Storage Foundation for Sybase
Version: 5.0, 5.0.1, 5.0MP1, 5.0MP2, 5.0MP3, 5.1, 5.1SP1
Platform: Solaris

Veritas Storage Foundation for Real Application Cluster (SFRAC)
Version: 5.0, 5.0.1, 5.0MP1, 5.0MP2, 5.0MP3, 5.1, 5.1SP1
Platform: All supported platforms

Veritas Storage Foundation Cluster File System (SFCFS)
Version: 5.0, 5.0.1, 5.0MP1, 5.0MP2, 5.0MP3, 5.1, 5.1SP1
Platform: All supported platforms

Veritas Storage Foundation Cluster File System Enterprise for Oracle RAC (SFCFSORAC)
Version: 5.0 MP2, 5.0 MP3, 5.0 MP4, 5.0 RU3, 5.0 RU4, 5.1, 5.1 SP1 RP1, 5.1 SP1 RP2
Platform: Linux

Veritas Dynamic Multi-Pathing (DMP)
Version: 5.1
Platform: Windows

Symantec NetBackup PureDisk
Version: 6.5.x, 6.6, 6.6.0.x, 6.6.1, 6.6.1.x
Platform: Linux

Check Content:

Temporary Mitigation Strategies
Symantec has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.

WORKAROUND:
Until patches are available and/or applied, customers are advised to implement the following workaround to protect their installations:

Disable Veritas Enterprise Administrator (vxsvc) service via the following commands:

UNIX Platform
HP-UX
/sbin/init.d/isisd stop
mv /opt/VRTSob/bin/vxsvc /opt/VRTSob/bin/vxsvc.do_not_start

Solaris
/etc/init.d/isisd stop
mv /opt/VRTSob/bin/vxsvc /opt/VRTSob/bin/vxsvc.do_not_start

For startup scripts in Solaris Management Framework (SMF):

svcadm disable svc:/system/vxsvc
mv /opt/VRTSob/bin/vxsvc /opt/VRTSob/bin/vxsvc.do_not_start

AIX
/etc/rc.d/rc2.d/isisd stop
mv /opt/VRTSob/bin/vxsvc /opt/VRTSob/bin/vxsvc.do_not_start

Linux
/etc/init.d/isisd stop
mv /opt/VRTSob/bin/vxsvc /opt/VRTSob/bin/vxsvc.do_not_start
  _____________________________________________________________

Group ID (Vulid): V-30272
Group Title: 2011-B-0119
Rule ID: SV-39924r2_rule
Severity: CAT II
Rule Version (STIG-ID): 2011-B-0119
Rule Title: Multiple Red Hat JBoss Products Remote Denial of Service Vulnerability


Vulnerability Discussion: Red Hat has addressed a vulnerability in various JBoss products that use the JBoss Web Services Native component. JBoss Web Services Native is a web service framework included as part of JBoss Enterprise Application Platform. It implements the JAX-WS specification. To exploit this vulnerability, an attacker would send a malicious request to an affected web service that uses the JBoss Web Services Native component. If successfully exploited, this vulnerability would allow an attacker to consume excessive CPU and memory resources on the affected system, denying service to legitimate users.

At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.
JBossWS Native Remote Denial of Service Vulnerability - (CVE-2011-1483):
It was found that JBoss Web Services Native did not properly protect against recursive entity resolution when processing Document Type Definitions (DTDs). A remote attacker could exploit this vulnerability by sending a specially-crafted HTTP POST request to a deployed web service, causing excessive CPU and memory consumption on the system hosting that service. If the attack is repeated to consume all available network sockets, the server will become unavailable. This vulnerability did not affect systems using JBoss Web Services CXF.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
See the IAVM notice and vendor bulletin for additional information.

Vulnerable Applications/Systems:
JBoss Enterprise Application Platform 4.2.0.CP09
JBoss Enterprise Application Platform 4.2 for Red Hat Enterprise Linux 4
JBoss Enterprise Application Platform 4.2 for Red Hat Enterprise Linux 5

JBoss Enterprise Application Platform 4.3.0
JBoss Enterprise Application Platform 4.3 for Red Hat Enterprise Linux 4
JBoss Enterprise Application Platform 4.3 for Red Hat Enterprise Linux 5

JBoss Enterprise Application Platform 5.1.1
JBoss Enterprise Application Platform 5 for Red Hat Enterprise Linux 4
JBoss Enterprise Application Platform 5 for Red Hat Enterprise Linux 5
JBoss Enterprise Application Platform 5 for Red Hat Enterprise Linux 6

JBoss Enterprise Web Platform 5.1.1
JBoss Enterprise Web Platform 5 for Red Hat Enterprise Linux 4
JBoss Enterprise Web Platform 5 for Red Hat Enterprise Linux 5
JBoss Enterprise Web Platform 5 for Red Hat Enterprise Linux 6

JBoss Enterprise SOA Platform 4.2.CP05
JBoss Enterprise SOA Platform 4.3.CP05
JBoss Enterprise SOA Platform 5.1.0
JBoss Communications Platform 1.2.11
JBoss Communications Platform 5.1.1
JBoss Enterprise Portal Platform 4.3.CP06
JBoss Enterprise Portal Platform 5.1.1
JBoss Enterprise BRMS Platform 5.1.0

Interview the SA to determine version.

Check Content:

Compliance Checking:

Determine if jboss is installed via:

# rpm -qa | grep "^jboss"

OR

# pkginfo

This must return an approved version or this is a finding.

Note: Due to the number of platforms affected by this vulnerability, system administrators should refer to the Red Hat security advisories in the reference section above to determine affected applications/systems and appropriate fix actions. Before applying any update, make sure all previously-released errata relevant to your system have been applied.
  _____________________________________________________________

Group ID (Vulid): V-30423
Group Title: 2011-A-0143
Rule ID: SV-40132r1_rule
Severity: CAT II
Rule Version (STIG-ID): 2011-A-0143
Rule Title: Oracle Linux Security Vulnerability


Vulnerability Discussion: Oracle has released their quarterly Critical Patch Update Advisory for October 2011 addressing multiple vulnerabilities in Oracle Linux. This Critical Patch Update contains one new security fix for Oracle Linux. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without the need for a username and password.

At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents. This risk matrix only includes fixes for Oracle proprietary components of Oracle Linux. All other Oracle Linux fixes are announced in the El-errata Archives.



Oracle Linux Risk Matrix
CVE#: CVE-2011-2306
Component: Oracle Linux
Protocol: None
Sub-component: Oracle validated
Remote Exploit without Auth.?: No
CVSS Version 2.0 Risk (see Risk Matrix Definitions):
  Base Score: 5.5
  Access Vector: Network
  Access Complexity: Low
  Authentication: Single
  Confidentiality: Partial
  Integrity: Partial
  Availability: None
Supported Versions Affected: 4, 5
Notes:


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-30588
Group Title: 2011-A-0149
Rule ID: SV-40330r1_rule
Severity: CAT I
Rule Version (STIG-ID): 2011-A-0149
Rule Title: Multiple Vulnerabilities in VMware vCenter Server 4.1 and vCenter Update Manager 4.1


Vulnerability Discussion: VMware has released a security advisory addressing multiple vulnerabilities affecting VMware vCenter Server 4.1 and vCenter Update Manager 4.1. To exploit these vulnerabilities, an attacker would utilize various TTPs (Tactics, Techniques and Procedures). Successful exploitation of the most serious of these vulnerabilities would result in the complete compromise of affected systems.

At this time, there are known exploits associated with at least one of these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-30610
Group Title: 2011-B-0138
Rule ID: SV-40374r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2011-B-0138
Rule Title: Multiple Vulnerabilities in HP OpenView Network Node Manager


Vulnerability Discussion: Hewlett Packard has addressed multiple vulnerabilities affecting HP OpenView Network Node Manager (OV NNM). HP OpenView Network Node Manager is a fault-management application for IP networks. To exploit these vulnerabilities, a remote attacker would send a malicious HTTP request to an affected system. If successfully exploited, these vulnerabilities would allow a remote attacker to execute arbitrary code in the context of the affected application.

At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents. Hewlett-Packard OpenView Network Node Manager Unspecified Vulnerability - (CVE-2011-3165):
Unspecified vulnerability in HP OpenView Network Node Manager (OV NNM) 7.51 and 7.53 allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-1208.

Hewlett-Packard OpenView Network Node Manager Unspecified Vulnerability - (CVE-2011-3166):
Unspecified vulnerability in HP OpenView Network Node Manager (OV NNM) 7.51 and 7.53 allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-1209.

Hewlett-Packard OpenView Network Node Manager Unspecified Vulnerability - (CVE-2011-3167):
Unspecified vulnerability in HP OpenView Network Node Manager (OV NNM) 7.51 and 7.53 allows remote attackers to execute arbitrary code via unknown vectors, aka ZDI-CAN-1210.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
See IAVM notice and vendor bulletin for additional information.

Vulnerable Applications/Systems:
HP OpenView Network Node Manager 7.51
HP OpenView Network Node Manager 7.53

Note: System administrators should refer to the HP Security Bulletin in the reference section above to determine affected applications/system and appropriate fix actions. Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Check Content: 
Download and apply the appropriate patches from the vendor. See the IAVM notice and vendor bulletin for additional information.

Vulnerable Applications/Systems:
HP-UX, Linux, Solaris, and Windows Platforms:
HP OpenView Network Node Manager 7.51
HP OpenView Network Node Manager 7.53

Interview the SA to determine if patch has been installed.
  _____________________________________________________________

Group ID (Vulid): V-30773
Group Title: 2011-B-0144
Rule ID: SV-40675r1_rule
Severity: CAT II
Rule Version (STIG-ID): 2011-B-0144
Rule Title: Adobe Flex Cross Site Scripting Vulnerability


Vulnerability Discussion: Adobe has addressed a vulnerability in various versions of Adobe Flex SDK. Adobe Flex is a software development kit enabling development and deployment of cross-platform applications based on the Adobe Flash platform. To exploit this vulnerability, an attacker would entice a user to follow a malicious URI. If successfully exploited, this vulnerability would allow an attacker to execute arbitrary code in the context of the affected site.

At this time, there are known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents. Adobe Flex SDK Cross Site Scripting Vulnerability - (CVE-2011-2461):
An important vulnerability has been identified in the Adobe Flex SDK 4.5.1 and earlier 4.x versions and 3.x versions on the Windows, Macintosh and Linux operating systems:

All Web-based (not AIR-based) Flex applications built using any release of Flex 3.x (including 3.0, 3.0.1, 3.1, 3.2, 3.3, 3.4, 3.4.1, 3.5, 3.5A and 3.6) may be vulnerable.

Web-based (not AIR-based) Flex applications built using any release of Flex 4.x (including 4.0, 4.1, 4.5 and 4.5.1) that were compiled using static linkage of the Flex libraries rather than RSL (runtime shared library) linkage are vulnerable.

Most Flex 4.x applications that were compiled in the default way (specifically, using RSL linkage) are not vulnerable; however, there are rare cases in which they may be vulnerable. To determine whether an application is vulnerable, customers should use the SWF patching tool described in the Adobe Technote.

This vulnerability could lead to cross-site scripting issues in Flex applications. Adobe recommends users of the Adobe Flex SDK 4.5.1 and earlier 4.x versions and 3.x versions update their software, verify whether any SWF files in their applications are vulnerable, and update any vulnerable SWF files using the instructions and tools provided in the Adobe Technote in the "Reference" section above.





Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
Download and apply the appropriate patches from the vendor. See IAVM notice and vendor bulletin for additional information.

Applications/Systems:
Adobe Flex SDK 4.5.1 and earlier 4.x versions for Windows, Macintosh and Linux
Adobe Flex SDK 3.6 and earlier 3.x versions for Windows, Macintosh and Linux

Search for the file "Flex-sdk-description.xml".
Open the file in a text editor such as Notepad to view the version information.
  _____________________________________________________________

Group ID (Vulid): V-31005
Group Title: 2012-B-0005
Rule ID: SV-41052r1_rule
Severity: CAT I
Rule Version (STIG-ID): 2012-B-0005
Rule Title: HP Printers and Digital Senders Remote Firmware Update (RFU) Vulnerability


Vulnerability Discussion: Hewlett-Packard has addressed a vulnerability affecting various HP LaserJet printers and Digital Senders. To exploit this vulnerability, a remote attacker would send a malicious request to TCP port 9100 to update the HP device with malicious firmware. If successfully exploited, this vulnerability would allow a remote attacker to bypass security restrictions.

At this time, there are known exploit vectors associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.
HP Printers and Digital Senders Remote Firmware Update Security Bypass Vulnerability - (CVE-2011-4161):
The default configuration of the HP CM8060 Color MFP with Edgeline; Color LaserJet 3xxx, 4xxx, 5550, 9500, CMxxxx, CPxxxx, and Enterprise CPxxxx; Digital Sender 9200c and 9250c; LaserJet 4xxx, 5200, 90xx, Mxxxx, and Pxxxx; and LaserJet Enterprise 500 color M551, 600, M4555 MFP, and P3015 enables the Remote Firmware Update (RFU) setting, which allows remote attackers to execute arbitrary code by using a session on TCP port 9100 to upload a crafted firmware update.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
See IAVM notice and vendor bulletin for additional information.

Vulnerable Applications/Systems:
HP LaserJet Enterprise 500 color M551
HP LaserJet Enterprise 600 M601
HP LaserJet Enterprise 600 M602
HP LaserJet Enterprise 600 M603
HP Color LaserJet CM1312 Multifunction Printer
HP LaserJet Pro CM1415 Color Multifunction Printer
HP Color LaserJet CP1510
HP LaserJet M1522 Multifunction Printer
HP LaserJet Pro CP1525 Color Printer
HP LaserJet Pro M1536 Multifunction Printer
HP Color LaserJet CP2025
HP LaserJet P2035
HP LaserJet P2055
HP Color LaserJet CM2320 Multifunction Printer
HP LaserJet M2727 Multifunction Printer
HP Color LaserJet 3000
HP LaserJet P3005
HP LaserJet Enterprise P3015
HP LaserJet M3027 Multifunction Printer
HP LaserJet M3035
HP Color LaserJet CP3505
HP Color LaserJet CP3525
HP Color LaserJet CM3530
HP Color LaserJet 3800
HP Color LaserJet CP4005
HP LaserJet P4014
HP LaserJet P4015
HP LaserJet 4240
HP LaserJet 4250
HP LaserJet 4345 Multifunction Printer
HP LaserJet 4350
HP LaserJet P4515
HP Color LaserJet Enterprise CP4520
HP Color LaserJet Enterprise CP4525
HP Color LaserJet Enterprise CM4540 Multifunction Printer
HP LaserJet Enterprise M4555 Multifunction Printer
HP Color LaserJet 4700
HP Color LaserJet 4730 Multifunction Printer
HP Color LaserJet CM4730 Multifunction Printer
HP LaserJet M5025 Multifunction Printer
HP LaserJet M5035
HP LaserJet 5200n
HP Color LaserJet Professional CP5225 Printer
HP Color LaserJet CP5525
HP Color LaserJet 5550
HP Color LaserJet CP6015
HP Color LaserJet CM6030
HP Color LaserJet CM6040
HP CM8060 Color Multifunction Printer with Edgeline
HP LaserJet 9040
HP LaserJet M9040 Multifunction Printer
HP LaserJet 9050
HP LaserJet M9050 Multifunction Printer
HP 9200c Digital Sender
HP 9250c Digital Sender
HP Color LaserJet 9500

Check the application’s version number by using the Help, About menu.

Alternately, check the version through the Support information link for the program in Add or Remove Programs or in Programs and Features (Vista forward). To expose the version column in Programs and Features right click somewhere in the column headers, select More and select Version.
  _____________________________________________________________

Group ID (Vulid): V-31141
Group Title: 2012-B-0011
Rule ID: SV-41314r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2012-B-0011
Rule Title: Red Hat JBoss Security Bypass Vulnerability


Vulnerability Discussion: Red Hat has addressed a vulnerability in various JBoss products. To exploit this vulnerability, an attacker would utilize various tactics, techniques, and procedures to compromise an affected system. If successfully exploited, this vulnerability would allow an attacker to bypass security restrictions and compromise the affected system.

At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.
JBoss 'mod_cluster' Security Bypass Vulnerability - (CVE-2011-4608):
Part of the Native components for JBoss Enterprise Web Platform is mod_cluster, an Apache HTTP Server (httpd) based load balancer. Like mod_jk, it uses a communication channel to forward requests from httpd to an application server node. The mod_cluster allowed worker nodes to register on any virtual host (vhost), regardless of the security constraints applied to other vhosts. In a typical environment, there will be one vhost configured internally for worker nodes, and another configured externally for serving content. A remote attacker could use this flaw to register an attacker-controlled worker node via an external vhost that is not configured to apply security constraints, then use that worker node to serve malicious content, intercept credentials, and hijack user sessions.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
See IAVM notice and vendor bulletin for additional information.

Vulnerable Applications/Systems:
JBoss Enterprise Web Server 1.0 for RHEL 4 AS
JBoss Enterprise Web Server 1.0 for RHEL 5 Server
JBoss Enterprise Web Server 1.0 for RHEL 6 Server
JBoss Enterprise Web Server 1.0
JBoss Enterprise Application Platform 5 for RHEL 4 AS (mod_cluster-native)
JBoss Enterprise Application Platform 5 for RHEL 5 Server (mod_cluster-native)
JBoss Enterprise Application Platform 5 for RHEL 6 Server (mod_cluster-native)
JBoss Enterprise Application Platform 5.1
JBoss Enterprise Web Platform 5 for RHEL 4 AS (mod_cluster-native)
JBoss Enterprise Web Platform 5 for RHEL 5 Server (mod_cluster-native)
JBoss Enterprise Web Platform 5 for RHEL 6 Server (mod_cluster-native)
JBoss Enterprise Web Platform 5.1

Check the application’s version number by using the Help, About menu.

Alternately, check the version through the Support information link for the program in Add or Remove Programs or in Programs and Features (Vista Forward). To expose the version column in Programs and Features right click somewhere in the column headers, select More and select Version.

Check Content: 
Unix - Solaris

Determine the version of the adobe acrobat software

#java -version

If the jboss version is not the vendor's latest version, this is a finding.
  _____________________________________________________________

Group ID (Vulid): V-31244
Group Title: 2012-B-0012
Rule ID: SV-41469r1_rule
Severity: CAT I
Rule Version (STIG-ID): 2012-B-0012
Rule Title: HP Network Automation Remote Unauthorized Access Vulnerability


Vulnerability Discussion: Hewlett-Packard (HP) has addressed a vulnerability affecting HP Network Automation running on Linux, Solaris, and Windows platforms. HP Network Automation is an application for managing network data. To exploit this vulnerability, an attacker would utilize various tactics, techniques, and procedures to compromise an affected system. If successfully exploited, this vulnerability would allow an attacker to gain unauthorized access and compromise the affected application.

At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.
HP Network Automation Running on Linux, Solaris, and Windows, Remote Unauthorized Access - (CVE-2011-4790):
A potential security vulnerability has been identified with HP Network Automation running on Linux, Solaris, and Windows. The vulnerability could be exploited remotely to gain unauthorized access.



Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
See the IAVM notice and vendor bulletin for additional information.

Vulnerable Applications/Systems:
HP Network Automation v7.5x
HP Network Automation v7.6x
HP Network Automation v9.0
HP Network Automation v9.10

Note: System administrators should refer to the HP Security Bulletin to determine affected applications/system and appropriate fix actions.
  _____________________________________________________________

Group ID (Vulid): V-31830
Group Title: 2012-A-0034
Rule ID: SV-42119r1_rule
Severity: CAT I
Rule Version (STIG-ID): 2012-A-0034
Rule Title: Multiple Vulnerabilities in Cisco Unity Connection


Vulnerability Discussion: Cisco has released a security advisory addressing multiple vulnerabilities in Cisco Unity Connection. Cisco Unity Connection is a feature-rich voice messaging platform that runs on the same Linux-based Cisco Unified Communications Operating System that is used by Cisco Unified Communications Manager. To exploit these vulnerabilities, an attacker would send a sequence of TCP segments to an affected system or interact with an affected application. If successfully exploited, these vulnerabilities would allow an attacker to gain elevated privileges or cause a denial-of-service condition. At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-31831
Group Title: 2012-B-0027
Rule ID: SV-42120r2_rule
Severity: CAT II
Rule Version (STIG-ID): 2012-B-0027
Rule Title: RSA SecurID Software Token Converter Buffer Overflow Vulnerability


Vulnerability Discussion: RSA has addressed a buffer overflow vulnerability in the RSA SecurID Software Token Converter. RSA SecurID Software Token Converter is a command line utility that converts a software token file (SDTID file) from XML format to a Compressed Token Format. To exploit this vulnerability, an attacker would entice a user to open a malicious file sent via email or hosted on a website. If successfully exploited, this vulnerability would allow an attacker to execute arbitrary code, resulting in a denial of service condition. At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
See IAVM notice and vendor bulletin for additional information.

Vulnerable Applications/Systems:
RSA SecurID Software Token Converter prior to 2.6.1

Check the application’s version number by using the Help, About menu.

Alternately, check the version through the Support information link for the program in Add or Remove Programs or in Programs and Features (Vista Forward). To expose the version column in Programs and Features right click somewhere in the column headers, select More and select Version.
  _____________________________________________________________

Group ID (Vulid): V-31892
Group Title: 2012-B-0030
Rule ID: SV-42181r1_rule
Severity: CAT I
Rule Version (STIG-ID): 2012-B-0030
Rule Title: Multiple Security Vulnerabilities in IBM DB2


Vulnerability Discussion: IBM has addressed multiple vulnerabilities in IBM DB2. IBM DB2 is a relational database management system produced by IBM capable of running on various platforms to include: AIX, HP-UX, Linux, Solaris and Windows. To exploit these vulnerabilities, an attacker would send a malicious request to an affected system. If successfully exploited, these vulnerabilities would allow an attacker to bypass security restrictions, cause a denial of service condition or escalate privileges on the affected system.

At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-31906
Group Title: 2012-B-0036
Rule ID: SV-42203r1_rule
Severity: CAT II
Rule Version (STIG-ID): 2012-B-0036
Rule Title: VMware vShield Manager Cross-site Request Forgery Vulnerability


Vulnerability Discussion: VMware has released a Security Advisory addressing a cross-site request forgery vulnerability in VMware vShield. VMware vShield is a single management framework for securing virtual datacenters and cloud environments at all levels. To exploit this vulnerability, an attacker would entice a user of an affected system to access a malicious link. If successfully exploited, this vulnerability would allow an attacker to hijack the authentication of arbitrary users and compromise affected systems. At this time, there are known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-31972
Group Title: 2012-B-0038
Rule ID: SV-42269r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2012-B-0038
Rule Title: Multiple Vulnerabilities in HP Onboard Administrator


Vulnerability Discussion: Hewlett Packard has released a security bulletin addressing multiple vulnerabilities in HP Onboard Administrator. HP Onboard Administrator is an application used for remote and local administration of HP BladeSystem infrastructures. To exploit these vulnerabilities, an attacker would utilize various TTPs (Tactics, Techniques and Procedures). If successfully exploited, these vulnerabilities would allow the attacker to gain access to sensitive data, bypass security restrictions, cause a denial of service condition, or redirect a user to a malicious site. At this time, there are known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
See IAVM notice and vendor bulletin for additional information.

Vulnerable Applications/Systems:

HP Onboard Administrator (OA) v3.32 and earlier

Verify the application's version number by using Help, About or similar menu selections. Ensure the Application/System version is at least the version listed below.

HP Onboard Administrator (OA) v3.50 or later

Windows - Alternately, verify the version through the Support information link for the program in Add or Remove Programs or Programs and Features (Vista Forward). To expose the version column in Programs and Features right click somewhere in the column headers, select More and select Version.
  _____________________________________________________________

Group ID (Vulid): V-32005
Group Title: 2012-B-0043
Rule ID: SV-42305r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2012-B-0043
Rule Title: Multiple Vulnerabilities in RealNetworks Helix Server and Helix Mobile Server


Vulnerability Discussion: RealNetworks has addressed multiple vulnerabilities affecting the RealNetworks Helix Server and Helix Mobile Server. Helix Server is a multiformat, cross-platform streaming server. To exploit these vulnerabilities, an attacker would utilize various Tactics, Techniques and Procedures (TTPs). If successfully exploited, these vulnerabilities would allow an attacker to execute arbitrary code, gain access to sensitive information, conduct cross-site scripting attacks, cause a denial of service condition, and compromise the affected system. At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.

Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
RealNetworks has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.

CVE-2012-1923 - Part 1, clear text passwords: The workaround is to initially change the permissions of the folder that contains authentication databases to be restricted to only administrators. This will encrypt the password for all newly stored passwords. Existing accounts must be updated with a new password to encrypt the password using Digest.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
See IAVM notice and vendor bulletin for additional information.

Vulnerable Applications/Systems:

RealNetworks Helix Server / Helix Mobile Version 14.x
     
Verify the application's version number by using Help, About or similar menu selections. Ensure the Application/System version is at least the version listed below.

Helix Server / Helix Mobile Server version 14.3 or later

Windows - Alternately, verify the version through the Support information link for the program in Add or Remove Programs or Programs and Features (Vista Forward). To expose the version column in Programs and Features right click somewhere in the column headers, select More and select Version.
  _____________________________________________________________

Group ID (Vulid): V-32041
Group Title: 2012-A-0070
Rule ID: SV-42357r3_rule
Severity: CAT I
Rule Version (STIG-ID): 2012-A-0070
Rule Title: Multiple Remote Memory Corruption Vulnerabilities in OpenSSL


Vulnerability Discussion: OpenSSL has addressed multiple vulnerabilities affecting various versions of OpenSSL. OpenSSL is an open-source implementation of SSL and TLS protocols used to encrypt transmission of data between web browsers and web servers. OpenSSL is designed to enable secure communications over an insecure network such as the Internet. To exploit these vulnerabilities, an attacker would establish a malicious server and entice the user to open the vulnerable application or use a man-in-the-middle attack to intercept traffic to a legitimate server. If successfully exploited, these vulnerabilities would allow an attacker to execute arbitrary code in the context of the application using the vulnerable library. At this time, there is a proof-of-concept exploit associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
Unix

Determine the version of the OpenSSL software.

Procedure:

#openssl version

If the OpenSSL version is not at least 1.0.1a or the vendor's latest version, this is a finding.

Check Content: 
Windows

See IAVM notice and vendor bulletin for additional information.

Vulnerable Applications/Systems:

OpenSSL 1.0.1 prior to 1.0.1a
OpenSSL 1.0.0 prior to 1.0.0i
OpenSSL 0.9.8 prior to 0.9.8v

Verify the application's version number by using Help, About or similar menu selections. Ensure the Application/System version is at least the version listed below.

OpenSSL 1.0.1a or later
OpenSSL 1.0.0i or later
OpenSSL 0.9.8w or later

Windows - Alternately, verify the version through the Support information link for the program in Add or Remove Programs or Programs and Features (Vista Forward). To expose the version column in Programs and Features right click somewhere in the column headers, select More and select Version.
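As an added compliance-check example (not part of this STIG or of any vendor tool), the following Python parses the banner printed by "openssl version" and applies the per-branch minimums from the "at least" list above; the page gives 0.9.8v as the vulnerable cutoff but 0.9.8w as the required minimum for the 0.9.8 branch, and the stricter value is used here.

```python
import re
import subprocess

# Minimum fixed release per OpenSSL branch, taken from the "at least" list in
# the check above. The page lists 0.9.8v as the vulnerable cutoff for the
# 0.9.8 branch but 0.9.8w as the required minimum; the stricter value is used.
MINIMUM_BY_BRANCH = {
    (1, 0, 1): "1.0.1a",
    (1, 0, 0): "1.0.0i",
    (0, 9, 8): "0.9.8w",
}

# `openssl version` prints e.g. "OpenSSL 1.0.0g 18 Jan 2012"; pre-1.1 OpenSSL
# releases are major.minor.fix plus an optional lowercase letter suffix that
# marks patch releases (1.0.1 < 1.0.1a < 1.0.1b ...).
_BANNER_RE = re.compile(r"^OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Turn an `openssl version` banner into a comparable tuple.

    Returns (major, minor, fix, letters) where letters is a tuple of character
    ordinals, so a missing suffix sorts before "a" and "z" sorts before "za".
    Raises ValueError when the banner is not an OpenSSL version line.
    """
    m = _BANNER_RE.match(banner.strip())
    if not m:
        raise ValueError("unrecognised openssl version banner: %r" % banner)
    major, minor, fix = (int(m.group(i)) for i in (1, 2, 3))
    letters = tuple(ord(c) for c in m.group(4))
    return (major, minor, fix, letters)


def openssl_version_finding(banner):
    """Evaluate one banner against the per-branch minimums.

    Returns (is_finding, reason). Anything that cannot be positively cleared
    (unparseable banner, branch not covered by the check) is reported as a
    finding for manual review rather than silently passed.
    """
    try:
        installed = parse_openssl_version(banner)
    except ValueError as exc:
        return True, str(exc)
    branch = installed[:3]
    minimum = MINIMUM_BY_BRANCH.get(branch)
    if minimum is None:
        return True, ("branch %d.%d.%d is not covered by this check; "
                      "review against the vendor bulletin" % branch)
    installed_str = banner.split()[1]
    if installed < parse_openssl_version("OpenSSL " + minimum):
        return True, "installed %s is below the required minimum %s" % (installed_str, minimum)
    return False, "installed %s meets the required minimum %s" % (installed_str, minimum)


def check_local_openssl():
    """Run `openssl version` on this host and evaluate its first output line."""
    try:
        proc = subprocess.run(["openssl", "version"], capture_output=True, text=True)
    except OSError as exc:
        return True, "openssl could not be executed: %s" % exc
    if proc.returncode != 0 or not proc.stdout.strip():
        return True, "openssl version failed: %s" % proc.stderr.strip()
    return openssl_version_finding(proc.stdout.splitlines()[0])


if __name__ == "__main__":
    finding, reason = check_local_openssl()
    print(("FINDING: " if finding else "PASS: ") + reason)
```

On Red Hat Enterprise Linux 5 the banner stays at 0.9.8e because Red Hat backports fixes into the distribution package, so this string comparison reports a finding there and the RPM's errata level, not the banner, has to be checked against the Red Hat advisory.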
  _____________________________________________________________

Group ID (Vulid): V-32042
Group Title: 2012-B-0046
Rule ID: SV-42358r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2012-B-0046
Rule Title: Multiple Security Vulnerabilities in Sourcefire Defense Center


Vulnerability Discussion: Sourcefire has released a security bulletin addressing multiple security vulnerabilities in Defense Center. Sourcefire Defense Center is an interface for categorizing events, generating recurring reports, scheduling automated Snort rule updates, configuring policies, and displaying customizable dashboards. To exploit these vulnerabilities, an attacker would craft a malicious HTTP/HTML request or script code and send it to the target device. If exploited, the attacker could download configuration information, download arbitrary files, or gain excess database permissions and compromise the system.

At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.

Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
Sourcefire has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed. -

Mitigation: Customers who do not already restrict administrative access to the Defense Center or sensor UI and management ports through the built-in access lists should restrict access to port 443 to only administrative users from trusted networks.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
See IAVM notice and vendor bulletin for additional information.

Vulnerable Applications/Systems:

Sourcefire 3D System Version 4.9.X / 4.10.X / 5.0.X

Verify the application's version number by using Help, About or similar menu selections. Ensure the Application/System version is at least the version listed below.

Sourcefire Defense Center 4.9.1.9
Sourcefire Defense Center 4.10.1.5
Sourcefire Defense Center 4.10.2.3
Sourcefire Defense Center 5.0.1.1

Windows - Alternately, verify the version through the Support information link for the program in Add or Remove Programs or Programs and Features (Vista Forward). To expose the version column in Programs and Features right click somewhere in the column headers, select More and select Version.
  _____________________________________________________________

Group ID (Vulid): V-32178
Group Title: 2012-B-0048
Rule ID: SV-42495r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2012-B-0048
Rule Title: Multiple Vulnerabilities in HP Systems Insight Manager


Vulnerability Discussion: Hewlett Packard has released a security bulletin regarding multiple vulnerabilities in HP Insight Manager. HP Insight Manager is a tool which assists administrators in managing HP servers. To exploit these vulnerabilities, an attacker would craft a malicious URI or webpage and entice a user to access the page. If successfully exploited, the attacker would gain unauthorized access, escalated privileges, or access to privileged information, bypass security restrictions, or redirect the user to a malicious site to aid in phishing attacks and compromise the affected system. At this time, there are known exploits associated with some of these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
See IAVM notice and vendor bulletin for additional information.

Vulnerable Applications/Systems:

HP System Insight Manager prior to v7.0      

Verify the application's version number by using Help, About or similar menu selections. Ensure the Application/System version is at least the version listed below.

HP System Insight Manager v7.0 or later

Windows - Alternately, verify the version through the Support information link for the program in Add or Remove Programs or Programs and Features (Vista Forward). To expose the version column in Programs and Features right click somewhere in the column headers, select More and select Version.
  _____________________________________________________________

Group ID (Vulid): V-32453
Group Title: 2012-B-0056
Rule ID: SV-42790r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2012-B-0056
Rule Title: Multiple Vulnerabilities in HP System Management Homepage (SMH)


Vulnerability Discussion: Hewlett Packard (HP) has addressed multiple vulnerabilities affecting HP System Management Homepage (SMH). To exploit these vulnerabilities, an attacker would utilize various Tactics, Techniques and Procedures (TTPs). If successfully exploited, these vulnerabilities would allow an attacker to execute arbitrary code, gain access to sensitive information, bypass security restrictions and/or cause a denial of service condition on affected systems. At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
See IAVM notice and vendor bulletin for additional information.

Vulnerable Applications/Systems:

HP System Management Homepage (SMH) prior to version v7.0

Verify the application's version number by using Help, About or similar menu selections. Ensure the Application/System version is at least the version listed below.

HP SMH v7.0 or later

Windows - Alternately, verify the version through the Support information link for the program in Add or Remove Programs or Programs and Features (Vista Forward). To expose the version column in Programs and Features right click somewhere in the column headers, select More and select Version.
  _____________________________________________________________

Group ID (Vulid): V-33046
Group Title: 2012-A-0104
Rule ID: SV-43444r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2012-A-0104
Rule Title: Multiple Vulnerabilities in Cisco AnyConnect Secure Mobility Client


Vulnerability Discussion: Cisco has identified multiple vulnerabilities associated with Cisco AnyConnect. Cisco AnyConnect Secure Mobility Client (previously known as the Cisco AnyConnect VPN Client) is a Virtual Private Network (VPN) client that can be installed and launched from within a web browser. To exploit these vulnerabilities, an attacker would utilize various TTPs (Tactics, Techniques and Procedures). Successful exploitation of the most serious of these vulnerabilities would result in the complete compromise of affected systems.
At this time, there is a known exploit associated with at least one of these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.


IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-33047
Group Title: 2012-B-0062
Rule ID: SV-43445r1_rule
Severity: CAT I
Rule Version (STIG-ID): 2012-B-0062
Rule Title: Cisco Application Control Engine (ACE) Security Bypass Vulnerability


Vulnerability Discussion: Cisco has addressed a security bypass vulnerability affecting the Cisco Application Control Engine (ACE). The Cisco ACE is a load-balancing and application-delivery solution for data centers. To exploit this vulnerability, an attacker would create and send malicious packets to an affected system. If successfully exploited, this vulnerability would allow a remote attacker to compromise the affected system and change user security settings in a virtual instance on the ACE.

At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.

Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
Cisco has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed. - Configure a unique management IP address for each context on the Cisco ACE. A configuration reference is available at: https://sso.cisco.com/autho/forms/CDClogin.html (Login required)

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-33048
Group Title: 2012-B-0063
Rule ID: SV-43446r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2012-B-0063
Rule Title: Multiple Security Vulnerabilities in IBM DB2


Vulnerability Discussion: IBM has addressed multiple vulnerabilities in IBM DB2. IBM DB2 is a relational database management system capable of running on various platforms to include: AIX, HP-UX, Linux, Solaris and Windows. To exploit these vulnerabilities, an attacker would send malicious data to an affected system. If successfully exploited, these vulnerabilities would allow an attacker to disclose sensitive information, gain elevated privileges, bypass security restrictions, or deny service to legitimate users.

At this time, there are known exploits associated with at least one of these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
IBM has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed. - To exploit the vulnerability, the user would need to be able to connect to the database and execute an SQL statement. The exposure can be reduced by revoking CONNECT privilege from PUBLIC. Use the following command to revoke CONNECT privilege from PUBLIC:

REVOKE CONNECT ON DATABASE FROM PUBLIC

To obtain more information on the REVOKE database authority command, see the following:

DB2 V9.8:
http://publib.boulder.ibm.com/infocenter/db2luw/v9r8/topic/com.ibm.db2.luw.sql.ref.doc/doc/r0000981.html

DB2 V9.7:
http://publib.boulder.ibm.com/infocenter/db2luw/v9r7/topic/com.ibm.db2.luw.sql.ref.doc/doc/r0000981.html

DB2 V9.5:
http://publib.boulder.ibm.com/infocenter/db2luw/v9r5/topic/com.ibm.db2.luw.sql.ref.doc/doc/r0000981.html

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
See IAVM notice and vendor bulletin for additional information.

Vulnerable Applications/Systems:

IBM DB2 versions prior to 9.8 Fix Pack 5
IBM DB2 versions prior to 9.7 Fix Pack 6

Verify the application's version number by using Help, About or similar menu selections. Ensure the Application/System version is at least the version listed below.

DB2 V9.8 Fix Pack 5
DB2 V9.7 Fix Pack 6

Windows - Alternately, verify the version through the Support information link for the program in Add or Remove Programs or Programs and Features (Vista Forward). To expose the version column in Programs and Features right click somewhere in the column headers, select More and select Version.
  _____________________________________________________________

Group ID (Vulid): V-33316
Group Title: 2012-B-0068
Rule ID: SV-43735r2_rule
Severity: CAT II
Rule Version (STIG-ID): 2012-B-0068
Rule Title: Multiple Vulnerabilities in Symantec Message Filter


Vulnerability Discussion: Symantec has released a security advisory addressing multiple vulnerabilities in Symantec's Message Filter management interface, the Brightmail Control Center. Symantec Message Filter is a security application deployed at the email gateway to help defend against spam, phishing, viruses and unwanted email. To exploit these vulnerabilities, an attacker would utilize various Tactics, Techniques and Procedures (TTPs). Successful exploitation would result in the complete compromise of affected systems.

At this time, there are known exploits associated with at least one of these vulnerabilities. USCYBERCOM is not aware of any DoD related incidents.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
See IAVM notice and vendor bulletin for additional information.

Vulnerable Applications/Systems:

Symantec Message Filter 6.3 and prior

Verify the application's version number by using Help, About or similar menu selections. Ensure the Application/System version is at least the version listed below.

Upgrade to latest 6.3 release and apply smf_630_p231 patch or migrate to Symantec Messaging Gateway

Windows - Alternately, verify the version through the Support information link for the program in Add or Remove Programs or Programs and Features (Vista Forward). To expose the version column in Programs and Features right click somewhere in the column headers, select More and select Version.
  _____________________________________________________________

Group ID (Vulid): V-33398
Group Title: 2012-A-0124
Rule ID: SV-43817r2_rule
Severity: CAT II
Rule Version (STIG-ID): 2012-A-0124
Rule Title: Symantec Backup Exec Arbitrary Code Execution Vulnerability


Vulnerability Discussion: Symantec has released a security advisory addressing a vulnerability affecting Symantec Backup Exec. Symantec Backup Exec provides disk backup, tape backup and recovery support for Windows-based environments. To exploit this vulnerability, an attacker would place specifically-crafted files into a susceptible directory of the Granular Restore Library and entice a user to load a specifically formatted file from an alternate file location or network share. If successfully exploited, this vulnerability would allow an attacker to execute unauthorized arbitrary code with user permissions and compromise the system.

At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
Symantec has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed. - As a part of normal best practices, Symantec strongly recommends:

- Restrict access to administration or management systems to privileged users.
- Restrict remote access, if required, to trusted/authorized systems only.
- Run under the principle of least privilege where possible to limit the impact of exploit by threats.
- Keep all operating systems and applications updated with the latest vendor patches.
- Follow a multi-layered approach to security. Run both firewall and anti-malware applications, at a minimum, to provide multiple points of detection and protection to both inbound and outbound threats.
- Deploy network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in detection of attacks or malicious activity related to exploitation of latent vulnerabilities.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
See IAVM notice and vendor bulletin for additional information.

Vulnerable Applications/Systems:

Backup Exec System Recovery 2010 (all builds)

Verify the application's version number by using Help, About or similar menu selections. Ensure the Application/System version is at least the version listed below.

Backup Exec System Recovery 2010 SP5

Windows - Alternately, verify the version through the Support information link for the program in Add or Remove Programs or Programs and Features (Vista Forward). To expose the version column in Programs and Features right click somewhere in the column headers, select More and select Version.
  _____________________________________________________________

Group ID (Vulid): V-33399
Group Title: 2012-B-0073
Rule ID: SV-43818r1_rule
Severity: CAT I
Rule Version (STIG-ID): 2012-B-0073
Rule Title: Multiple Vulnerabilities in Symantec Web Gateway


Vulnerability Discussion: Symantec has released a security advisory addressing multiple vulnerabilities in Symantec Web Gateway. Symantec Web Gateway is an antivirus and web content filtering suite. To exploit these vulnerabilities, an attacker would use various tactics, techniques and procedures (TTPs). If successfully exploited, the attacker would gain the ability to remotely execute arbitrary code, bypass authentication services, change user passwords, execute arbitrary SQL commands, or gain access to the system from external connections and completely compromise the affected system.

At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
Symantec has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed. - Symantec Security Response has released IPS signatures for web attacks against Symantec Web Gateway to help detect and block remote exploit attempts. Signatures are available through normal Symantec security updates.

As a part of normal best practices, Symantec strongly recommends:

- Restrict access to administration or management systems to privileged users.
- Disable remote access if not required or restrict it to trusted/authorized systems only.
- Where possible, limit exposure of application and web interfaces to trusted/internal networks only.
- Keep all operating systems and applications updated with the latest vendor patches.
  * The Symantec Web Gateway software and any applications that are installed on the Symantec Web Gateway can ONLY be updated with authorized and tested versions distributed by Symantec.
- Follow a multi-layered approach to security. Run both firewall and anti-malware applications, at a minimum, to provide multiple points of detection and protection to both inbound and outbound threats.
- Deploy network and host-based intrusion detection systems to monitor network traffic for signs of anomalous or suspicious activity. This may aid in detection of attacks or malicious activity related to exploitation of latent vulnerabilities.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-33555
Group Title: 2012-B-0074
Rule ID: SV-43975r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2012-B-0074
Rule Title: Multiple Cross-Site Scripting Vulnerabilities in HP Network Node Manager i (NNMi)


Vulnerability Discussion: Hewlett Packard has addressed multiple vulnerabilities affecting HP Network Node Manager i (NNMi). HP Network Node Manager i is a fault-management application for IP networks. To exploit these vulnerabilities, a remote attacker would create a malicious URI and send an email to potential victims. If successfully exploited, these vulnerabilities would allow a remote attacker to perform a cross-site scripting attack and compromise the system.

At this time, there are known exploits associated with at least one of these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
Hewlett Packard has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed. - None

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
See IAVM notice and vendor bulletin for additional information.

Vulnerable Applications/Systems:

HP-UX / Linux / Solaris / Windows
HP Network Node Manager i (NNMi) v8.x
HP Network Node Manager i (NNMi) v9.0x
HP Network Node Manager i (NNMi) v9.1x
HP Network Node Manager i (NNMi) v9.20

Verify the application's version number by using Help, About or similar menu selections. Ensure the Application/System version is at least the version listed below.

For NNMi v8.x, upgrade to v9.0x, v9.1x, or v9.20 and apply the required patch and the hotfix listed in the table below.

NNMi Version   Required Patch       Hotfix
9.0x           Patch 5              Hotfix-NNMi-9.0xP5-UI-Security-20120801
9.1x           Patch 3 or 4         Hotfix-NNMi-9.1xP4-UI-Security-20120801
9.20           No Patch Required    Hotfix-NNMi-9.20-NmsAsShared-20120801

Windows - Alternately, verify the version through the Support information link for the program in Add or Remove Programs or Programs and Features (Vista Forward). To expose the version column in Programs and Features right click somewhere in the column headers, select More and select Version.
  _____________________________________________________________

Group ID (Vulid): V-33689
Group Title: 2012-B-0081
Rule ID: SV-44114r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2012-B-0081
Rule Title: Multiple Vulnerabilities in Symantec Messaging Gateway


Vulnerability Discussion: Symantec has released a security advisory addressing multiple vulnerabilities in Symantec's Messaging Gateway management console. Symantec Messaging Gateway is an appliance used to filter and scan content. To exploit these vulnerabilities, an attacker would interact with the affected application or entice a user to access a malicious web link. If successfully exploited, these vulnerabilities would allow an attacker to bypass security restrictions, perform cross-site scripting attacks, and gain access to sensitive information.

At this time, there are known exploits associated with these vulnerabilities. USCYBERCOM is not aware of any DoD related incidents.


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
Symantec has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed. - None

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-33691
Group Title: 2012-A-0140
Rule ID: SV-44116r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2012-A-0140
Rule Title: McAfee Smartfilter Administration Remote Code Execution Vulnerability


Vulnerability Discussion: McAfee has released a security advisory addressing a remote code execution vulnerability in Smartfilter Administration. McAfee Smartfilter Administration is a web filtering application. To exploit this vulnerability, a remote attacker would send a malicious .war file without authentication. If successfully exploited, the attacker would gain access to execute arbitrary code and compromise the affected system.

At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
McAfee has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed. - None

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
See IAVM notice and vendor bulletin for additional information.

Vulnerable Applications/Systems:

SmartFilter Administration version 4.2.1 and earlier, including the Bess Edition

Verify the application's version number by using Help, About or similar menu selections. Ensure the Application/System version is at least the version listed below.

SmartFilter Administration 4.2.1.01 or later of either SmartFilter Administration OR SmartFilter Administration, Bess Edition

Windows - Alternately, verify the version through the Support information link for the program in Add or Remove Programs or Programs and Features (Vista Forward). To expose the version column in Programs and Features right click somewhere in the column headers, select More and select Version.
  _____________________________________________________________

Group ID (Vulid): V-33693
Group Title: 2012-A-0141
Rule ID: SV-44118r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2012-A-0141
Rule Title: Websense Triton Remote Code Execution Vulnerability


Vulnerability Discussion: Websense has released details of a remote code execution vulnerability in Websense Triton. Websense Triton is a security management solution. To exploit this vulnerability, a remote attacker would send a malicious command to a vulnerable device. If successfully exploited, the attacker would be able to execute arbitrary commands with SYSTEM-level privileges resulting in the complete compromise of the affected system.

At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
Websense has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed. - None

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
See IAVM notice and vendor bulletin for additional information.

Vulnerable Applications/Systems:

Windows / Linux
Websense Web Security Gateway Anywhere v7.6
Websense Web Security Gateway v7.6
Websense Web Security v7.6 / Filter v7.6

Verify the application's version number by using Help, About or similar menu selections. Ensure the Application/System version is at least the version listed below.

Websense Hotfix 24

Windows - Alternately, verify the version through the Support information link for the program in Add or Remove Programs or Programs and Features (Vista Forward). To expose the version column in Programs and Features right click somewhere in the column headers, select More and select Version.
  _____________________________________________________________

Group ID (Vulid): V-33792
Group Title: 2012-A-0146
Rule ID: SV-44217r3_rule
Severity: CAT I
Rule Version (STIG-ID): 2012-A-0146
Rule Title: Multiple Vulnerabilities in VMware vCenter Update Manager 4.1


Vulnerability Discussion: VMware has released a security advisory addressing multiple vulnerabilities affecting VMware vCenter Update Manager 4.1. To exploit these vulnerabilities, an attacker would utilize various TTPs (Tactics, Techniques and Procedures). Successful exploitation of the most serious of these vulnerabilities would result in the complete compromise of affected systems.

At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
VMware has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed. - None

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
See IAVM notice and vendor bulletin for additional information.

Vulnerable Applications/Systems:

vCenter Update Manager 4.1 without Update 3


Verify the application's version number by using Help, About or similar menu selections. Ensure the Application/System version is at least the version listed below.

vCenter Update Manager 4.1 Update 3

Windows - Alternately, verify the version through the Support information link for the program in Add or Remove Programs or Programs and Features (Vista Forward). To expose the version column in Programs and Features right click somewhere in the column headers, select More and select Version.
  _____________________________________________________________

Group ID (Vulid): V-33793
Group Title: 2012-A-0147
Rule ID: SV-44218r3_rule
Severity: CAT I
Rule Version (STIG-ID): 2012-A-0147
Rule Title: Multiple Vulnerabilities in VMware vCenter Server 4.1


Vulnerability Discussion: VMware has released a security advisory addressing multiple vulnerabilities affecting VMware vCenter Server 4.1. To exploit these vulnerabilities, an attacker would utilize various TTPs (Tactics, Techniques and Procedures). Successful exploitation of the most serious of these vulnerabilities would result in the complete compromise of affected systems.

At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
VMware has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed. - None

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
See IAVM notice and vendor bulletin for additional information.

Vulnerable Applications/Systems:

vCenter Server 4.1 without Update 3

Verify the application's version number by using Help, About or similar menu selections. Ensure the Application/System version is at least the version listed below.

vCenter Server 4.1 Update 3

Windows - Alternately, verify the version through the Support information link for the program in Add or Remove Programs or Programs and Features (Vista Forward). To expose the version column in Programs and Features right click somewhere in the column headers, select More and select Version.
  _____________________________________________________________

Group ID (Vulid): V-33809
Group Title: 2012-B-0092
Rule ID: SV-44262r3_rule
Severity: CAT I
Rule Version (STIG-ID): 2012-B-0092
Rule Title: ISC DHCP Denial of Service Vulnerability


Vulnerability Discussion: Internet Systems Consortium (ISC) has released a knowledge base report addressing a vulnerability affecting DHCP. ISC DHCP is open source software that implements the Dynamic Host Configuration Protocol for connection to a local network. To exploit this vulnerability, a remote attacker would send malicious packets to an affected DHCP server. If successfully exploited, this vulnerability would allow an attacker to cause a denial-of-service condition.

At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
ISC has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed. - ISC recommends setting a value for the default-lease-time option in the configuration file, and not reducing it once set.

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1

Check Content: 
See IAVM notice and vendor bulletin for additional information.

Vulnerable Applications/Systems:

ISC DHCP 4.1.x prior to 4.1-ESV-R7
ISC DHCP 4.2.x prior to 4.2.4-P2

Verify the installed version. ISC DHCP is a daemon with no Help/About menu; on UNIX and Linux it prints its version banner (on standard error) with:

# dhcpd --version 2>&1

Ensure the version is at least the version listed below.

ISC DHCP version 4.1-ESV-R7 or later
ISC DHCP version 4.2.4-P2 or later

Windows - Alternately, verify the version through the Support information link for the program in Add or Remove Programs or Programs and Features (Vista Forward). To expose the version column in Programs and Features right click somewhere in the column headers, select More and select Version.
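The version check and the interim mitigation check for this notice as a script. This is an added example, not part of the IAVM notice or of ISC's documentation. It assumes that dhcpd --version prints a banner of the form isc-dhcpd-<version> to standard error and that the server configuration is /etc/dhcpd.conf; the fixed releases are the ones listed above, and the version strings used for testing are constructed.

```shell
#!/bin/sh
# Added example, not from the IAVM notice or ISC. Checks an installed ISC
# DHCP server against IAVM 2012-B-0092 and verifies the interim mitigation
# (a default-lease-time set in dhcpd.conf).
#
# Assumptions: "dhcpd --version" prints a banner such as "isc-dhcpd-4.2.4-P2"
# on standard error; the configuration file is /etc/dhcpd.conf; the fixed
# releases are those listed in the notice (4.1-ESV-R7 and 4.2.4-P2).

# Reduce "isc-dhcpd-4.2.4-P2" to "4.2.4-P2". Prints nothing when the banner
# does not look like ISC dhcpd (for example another vendor's daemon).
isc_dhcp_parse_version() {
    printf '%s\n' "$1" | sed -n 's/^isc-dhcpd-//p' | head -n 1
}

# Turn a version string into four numbers so the 4.1-ESV-Rn and 4.2.x-Pn
# naming schemes can be compared field by field:
#   4.1-ESV-R7 -> 4 1 0 7     4.2.4-P2 -> 4 2 4 2     4.2.4 -> 4 2 4 0
isc_dhcp_tuple() {
    base=${1%%-*}                       # 4.1 or 4.2.4
    suffix=${1#"$base"}                 # -ESV-R7, -P2 or empty
    major=$(printf '%s' "$base" | cut -d. -f1)
    minor=$(printf '%s' "$base" | cut -d. -f2)
    patch=$(printf '%s' "$base" | cut -d. -f3)
    rel=$(printf '%s' "$suffix" | sed -n 's/.*[RP]\([0-9][0-9]*\)$/\1/p')
    printf '%s %s %s %s' "$major" "$minor" "${patch:-0}" "${rel:-0}"
}

# Succeed when version $1 is the same as or newer than version $2.
isc_dhcp_at_least() {
    set -- $(isc_dhcp_tuple "$1") $(isc_dhcp_tuple "$2")
    while [ $# -gt 4 ]; do
        [ "$1" -gt "$5" ] && return 0
        [ "$1" -lt "$5" ] && return 1
        shift
    done
    return 0
}

# Verdict for one installed version. Exit status: 0 compliant, 1 finding,
# 2 not a release the notice covers. Any 4.1.x release that is not on the
# ESV track predates 4.1-ESV-R7 and is therefore a finding.
isc_dhcp_iavm_2012_b_0092() {
    v=$1
    case "$v" in
        4.1-ESV*)   fixed=4.1-ESV-R7 ;;
        4.1.*|4.1)  printf 'finding (%s is a pre-ESV 4.1 release; fixed is 4.1-ESV-R7)\n' "$v"; return 1 ;;
        4.2.*|4.2)  fixed=4.2.4-P2 ;;
        *)          printf 'not in scope (%s is not an ISC DHCP 4.1.x/4.2.x release)\n' "$v"; return 2 ;;
    esac
    if isc_dhcp_at_least "$v" "$fixed"; then
        printf 'compliant (%s >= %s)\n' "$v" "$fixed"
        return 0
    fi
    printf 'finding (%s < %s)\n' "$v" "$fixed"
    return 1
}

# Interim mitigation from the notice: dhcpd.conf (read on stdin) must set
# default-lease-time. Comments are stripped first so a commented-out
# setting does not count.
dhcpd_conf_sets_default_lease_time() {
    sed 's/#.*//' | grep -Eq '(^|[[:space:]])default-lease-time[[:space:]]+[0-9]+[[:space:]]*;'
}

# Stand-alone use on a host that has dhcpd installed.
if command -v dhcpd >/dev/null 2>&1; then
    isc_dhcp_iavm_2012_b_0092 "$(isc_dhcp_parse_version "$(dhcpd --version 2>&1)")" || :
    if dhcpd_conf_sets_default_lease_time < /etc/dhcpd.conf 2>/dev/null; then
        echo 'default-lease-time is set'
    else
        echo 'default-lease-time is not set (interim mitigation missing)'
    fi
fi
```

On Red Hat Enterprise Linux the packaged dhcp RPM carries backported fixes under its own release number, so a version banner below the fixed release is not by itself conclusive; confirm against the package changelog (rpm -q --changelog dhcp) before recording a finding.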
  _____________________________________________________________

Group ID (Vulid): V-33969
Group Title: 2012-B-0095
Rule ID: SV-44422r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2012-B-0095
Rule Title: IBM Tivoli Federated Identity Manager Validation Bypass Vulnerability


Vulnerability Discussion: IBM has addressed a vulnerability affecting Tivoli Federated Identity Manager. IBM Tivoli Federated Identity Manager provides web and federated single sign-on (SSO) capabilities for multiple applications. To exploit this vulnerability, an attacker would send malicious messages containing untrusted or invalid XML to an affected system. If successfully exploited, this vulnerability would allow an attacker to bypass security restrictions and compromise the affected system.<br><br>

At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
<b>IBM has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.</b> - <br>None

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-33972
Group Title: 2012-B-0097
Rule ID: SV-44425r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2012-B-0097
Rule Title: IBM Rational Business Developer Information Disclosure Vulnerability


Vulnerability Discussion: IBM has released a security bulletin addressing a vulnerability in Rational Business Developer. IBM Rational Business Developer allows developers to create web services. To exploit this vulnerability, an attacker would interact with an affected system in a way that exposes the flaw. If successfully exploited, the remote attacker would gain unauthorized access to sensitive information and compromise the affected system.<br><br>

At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.<br><br>


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
<b>IBM has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.</b> - <br>Do not deploy any web services until you upgrade to V8.0.1.4 or later.<br>

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-33975
Group Title: 2012-A-0155
Rule ID: SV-44428r4_rule
Severity: CAT I
Rule Version (STIG-ID): 2012-A-0155
Rule Title: Cisco Unified Communications Manager Denial of Service Vulnerability


Vulnerability Discussion: Cisco has released a security advisory addressing a vulnerability in Cisco Unified Communications Manager (CUCM). CUCM is the call processing component of the Cisco IP Telephony solution that extends enterprise telephony features and functions to packet telephony network devices such as IP phones, media processing devices, VoIP gateways, and multimedia applications. To exploit this vulnerability, an attacker would send malicious SIP messages to an affected device. If successfully exploited, the attacker would cause a critical service to fail, which interrupts voice services and leads to a denial-of-service condition.<br><br>

At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents. <br><br>


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
<b>Cisco has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed.</b> - <br>
A workaround exists for customers who do not require SIP in their environment. Cisco Unified Communication Manager versions 6.1(4), 7.1(2), and 8.0(1) introduced the ability to disable SIP processing. SIP processing is enabled by default. Use the following instructions to disable SIP processing:<br><br>

<b>Step 1:</b> Log in to the Cisco Unified CM Administration web interface. <br>
<b>Step 2:</b> Navigate to System > Service Parameters and choose the appropriate Cisco Unified Communications Manager server and the Cisco CallManager service. <br>
<b>Step 3:</b> Change the SIP Interoperability Enabled parameter to False and then click Save.<br><br>

<b>Note:</b> For a SIP processing change to take effect, the Cisco CallManager Service must be restarted. For information on how to restart the service, see the "Restarting the Cisco CallManager Service" section of the "Cisco Unified Communications Manager Administration Guide" at <a href="http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/admin/7_1_2/ccmcfg/b03dpi.html#wp1075124">http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/admin/7_1_2/ccmcfg/b03dpi.html#wp1075124</a>.<br><br>

Additional mitigations that can be deployed on Cisco devices in the network are available in the companion document "Identifying and Mitigating Exploitation of the Cisco Unified Communications Manager and Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerability" at the following location: <a href="http://tools.cisco.com/security/center/viewAMBAlert.x?alertId=26765">http://tools.cisco.com/security/center/viewAMBAlert.x?alertId=26765</a>.<br><br>


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-34012
Group Title: 2012-B-0100
Rule ID: SV-44465r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2012-B-0100
Rule Title: Multiple Adobe Products Code Signing Certificate Revocation


Vulnerability Discussion: Adobe has released a series of updates in preparation for the revocation of a compromised code signing certificate. The updates apply to various Adobe products and each will require different actions to ensure the affected software is updated with new digital certificates. Adobe is aware of at least two malicious utilities that were signed using the Adobe code signing certificate. As a result, Adobe is taking these actions to maintain trust in genuine Adobe software.<br><br>

At this time, Adobe is aware of malicious utilities signed by compromised code signing certificates. USCYBERCOM is unaware of any DoD related incidents.<br><br>


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
<b>Adobe has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed.</b> - <br>Refer to <a href="http://helpx.adobe.com/x-productkb/global/certificate-updates.html">Adobe Security Certificate Updates</a> for any additional steps specific to your software platform.<br>
<br><b>Note:</b> Antivirus vendors are working to ensure updated signatures can detect any malicious software signed with the compromised Adobe certificates. To ensure your network is protected, update your enterprise AV with the latest signatures as soon as possible.<br>


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-34013
Group Title: 2012-B-0099
Rule ID: SV-44466r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2012-B-0099
Rule Title: Adobe Enterprise Products Code Signing Certificate Revocation


Vulnerability Discussion: Adobe has released a series of updates in preparation for the revocation of a compromised code signing certificate. The updates apply to various Adobe Enterprise Products and each will require different actions to ensure the affected software is updated with new digital certificates. Adobe is aware of at least two malicious utilities that were signed using the Adobe code signing certificate. As a result, Adobe is taking these actions to maintain trust in genuine Adobe software.<br><br>
At this time, Adobe is aware of malicious utilities signed by the compromised code signing certificate; USCYBERCOM is unaware of any DoD related incidents.<br><br>


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
<b>Adobe has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed.</b> - <br>Reference the <a href="http://helpx.adobe.com/x-productkb/global/guidance-administrators-certificate-revocation.html">Adobe Guidance for IT Administrators</a> guide for any additional steps to be taken specific to software platforms.<br>
<br>
<br><b>Note:</b> Antivirus vendors are working to ensure updated signatures can detect any malicious software signed with the compromised Adobe certificates. To ensure your network is protected, update your enterprise AV with the latest signatures as soon as possible.<br>


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-34176
Group Title: 2012-A-0165
Rule ID: SV-44630r3_rule
Severity: CAT I
Rule Version (STIG-ID): 2012-A-0165
Rule Title: Multiple Vulnerabilities in Adobe ColdFusion


Vulnerability Discussion: Adobe has released multiple security bulletins addressing vulnerabilities in ColdFusion. Adobe ColdFusion is an application development platform used for developing websites. To exploit these vulnerabilities, a remote attacker would leverage various Tactics, Techniques, and Procedures (TTPs). If successfully exploited, these vulnerabilities would allow a remote attacker to compromise affected systems.
<br><br>
At this time, there are known exploits associated with Adobe ColdFusion vulnerabilities; USCYBERCOM is aware of DoD related incidents.<br><br>


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
<b>Adobe has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed.</b> - <br>Refer to the individual Adobe Security Bulletins and Advisories to determine the specific mitigation strategies associated with the identified vulnerabilities.<br>

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-34185
Group Title: 2012-B-0101
Rule ID: SV-44639r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2012-B-0101
Rule Title: HP Network Node Manager i (NNMi) Information Disclosure Vulnerability


Vulnerability Discussion: Hewlett Packard has addressed an information disclosure vulnerability affecting HP Network Node Manager i (NNMi). HP Network Node Manager i is a fault-management application for IP networks. To exploit this vulnerability, a remote attacker would create a malicious URI and send an email to potential victims. If successfully exploited, this vulnerability would allow a remote attacker to gain access to sensitive information and compromise the system. <br><br>

At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.<br><br>


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
<b>Hewlett Packard has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.</b> - <br>None

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-34341
Group Title: 2012-B-0105
Rule ID: SV-44891r2_rule
Severity: CAT II
Rule Version (STIG-ID): 2012-B-0105
Rule Title: Multiple Vulnerabilities in Cisco WebEx WRF Player


Vulnerability Discussion: Cisco has released a security advisory addressing multiple vulnerabilities in WebEx WRF Player. The Cisco WebEx WRF Player is an application used to play back WRF WebEx meeting recordings that have been recorded on a WebEx meeting site or on the computer of an online meeting attendee. To exploit these vulnerabilities, an attacker would craft malicious recording (WRF) files and send them directly to users via email or by directing a user to a malicious web page. If successfully exploited, the attacker would cause the Cisco WebEx WRF Player application to crash and, in some cases, allow a remote attacker to execute arbitrary code on the system with the privileges of the user who is running the Cisco WebEx WRF Player application.<br><br>

At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.<br><br>


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
<b>Cisco has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.</b> - <br>None

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-34933
Group Title: 2012-B-0110
Rule ID: SV-46065r4_rule
Severity: CAT I
Rule Version (STIG-ID): 2012-B-0110
Rule Title: Multiple Vulnerabilities in Apache Tomcat


Vulnerability Discussion: Apache Software Foundation has addressed multiple vulnerabilities affecting various versions of Apache Tomcat. Apache Tomcat is an open source software implementation of the Java Servlet and JavaServer Pages technologies. To exploit these vulnerabilities, a remote attacker would create and send a malicious request to an affected system. If successfully exploited, these vulnerabilities would allow an attacker to bypass security restrictions or cause a denial of service condition. <br><br>

At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.<br><br>


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
<b>Apache has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.</b> - <br>None

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-34934
Group Title: 2012-B-0108
Rule ID: SV-46066r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2012-B-0108
Rule Title: Cisco Prime Data Center Network Manager (DCNM) Remote Command Execution Vulnerability


Vulnerability Discussion: Cisco has released a security advisory addressing a vulnerability in Prime Data Center Network Manager (DCNM). Cisco Prime Data Center Network Manager, previously known as Cisco Data Center Network Manager, is a network management application that combines the management of Ethernet and storage networks into a single dashboard to help network and storage administrators manage and troubleshoot health and performance across different families of Cisco products that run Cisco NX-OS Software. To exploit this vulnerability, an attacker would send arbitrary commands via RMI services to a target system. If successfully exploited, the attacker would gain the ability to execute arbitrary commands on the affected system.<br><br>

At this time, there is a known exploit associated with the JBoss configuration which causes this vulnerability; USCYBERCOM is not aware of any DoD related incidents.<br><br>


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
<b>Cisco has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.</b> - <br>
Because RMI transactions start with a connection to the RMI registry port, which by default is TCP port 1099 or 9099 depending on the Cisco Prime DCNM version, allowing only legitimate devices to connect to the RMI registry port can mitigate this vulnerability.<br><br>

Additional mitigations that can be deployed on Cisco devices within the network are available in the companion document "Identifying and Mitigating Exploitation of the Cisco Prime Data Center Network Manager Remote Command Execution Vulnerability", which is available at the following link: <a href="http://tools.cisco.com/security/center/viewAMBAlert.x?alertId=27268">http://tools.cisco.com/security/center/viewAMBAlert.x?alertId=27268</a>.<br>
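Restricting the RMI registry port to known management hosts, as the mitigation above describes, as an added example that is not Cisco's code and not part of the advisory: a POSIX shell script that emits iptables rules for the DCNM host for review rather than applying them. The port (1099 or 9099, per the advisory, depending on the DCNM version), the allowlisted addresses, and the choice of DROP over REJECT are placeholders and assumptions.

```shell
#!/bin/sh
# Added example, not Cisco's. Emits iptables rules that admit only
# allowlisted management hosts to the Cisco Prime DCNM RMI registry port
# (TCP 1099 or 9099 depending on the DCNM version, per the advisory).
# The rules are printed, not applied, so they can be reviewed first; the
# addresses below are placeholders.

# Accept a dotted-quad IPv4 address with an optional /1-/32 prefix. Anything
# else fails, so a typo in the allowlist cannot become a permissive rule, and
# a /0 entry is refused because it would admit every source.
valid_ipv4_cidr() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || return 1
    case $1 in */0) return 1 ;; esac
    addr=${1%%/*}
    oldifs=$IFS; IFS=.
    set -- $addr                    # split octets; the regex already fixed their count
    IFS=$oldifs
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1   # grep cannot range-check an octet
    done
}

# Print one ACCEPT per allowlisted source, then a DROP for every other source
# on the RMI registry port. Validates the whole allowlist before printing
# anything, so a partial rule set is never emitted.
rmi_registry_rules() {
    port=$1; shift
    case $port in
        ''|*[!0-9]*) echo "rmi_registry_rules: port must be numeric" >&2; return 2 ;;
    esac
    [ $# -gt 0 ] || { echo "rmi_registry_rules: an empty allowlist would cut off every RMI client" >&2; return 2; }
    for src in "$@"; do
        valid_ipv4_cidr "$src" || { echo "rmi_registry_rules: bad allowlist entry '$src'" >&2; return 1; }
    done
    for src in "$@"; do
        printf 'iptables -A INPUT -p tcp --dport %s -s %s -j ACCEPT\n' "$port" "$src"
    done
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
}

# Stand-alone use: review the output, then pipe it into sh once satisfied,
# e.g.  rmi_registry_rules 1099 10.0.0.5 10.0.1.0/24 | sh
rmi_registry_rules 1099 10.0.0.5 10.0.1.0/24
```

Because -A appends, these rules take effect only if no earlier rule in the INPUT chain already accepts the traffic; on a host with an existing ruleset, insert them ahead of any broad ACCEPT (iptables -I with a position) and confirm that nothing legitimate, including components on the DCNM host itself, is cut off. This is a network-level mitigation only; the vulnerable RMI/JBoss configuration remains until the vendor fix is applied.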


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-34959
Group Title: 2012-A-0188
Rule ID: SV-46191r3_rule
Severity: CAT I
Rule Version (STIG-ID): 2012-A-0188
Rule Title: Multiple Vulnerabilities in VMware Player


Vulnerability Discussion: VMware has released a security advisory addressing multiple vulnerabilities in VMware Player. To exploit these vulnerabilities, an attacker would create a malicious library file in a working directory and entice a user to access the file with an affected application. If successfully exploited, these vulnerabilities would allow an attacker to bypass security requirements and obtain access to sensitive information or execute arbitrary code and compromise the affected system.
<br><br>
At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
<b>VMware has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed.</b> - None

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-34960
Group Title: 2012-A-0187
Rule ID: SV-46192r3_rule
Severity: CAT I
Rule Version (STIG-ID): 2012-A-0187
Rule Title: Multiple Vulnerabilities in VMware Workstation


Vulnerability Discussion: VMware has released a security advisory addressing multiple vulnerabilities in Workstation. VMware Workstation is a virtual machine software suite that allows users to set up multiple virtual machines (VMs) and use one or more of them simultaneously with the hosting operating system. To exploit these vulnerabilities, an attacker would create a malicious file and send it to a user by email, enticing them to open it. If successfully exploited, these vulnerabilities would allow an attacker to execute arbitrary code or gain elevated privileges and compromise the affected system.
<br><br>
At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
<b>VMware has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed.</b> - <br>None

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-35030
Group Title: 2012-A-0192
Rule ID: SV-46290r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2012-A-0192
Rule Title: Symantec Scan Engine Memory Corruption Vulnerability


Vulnerability Discussion: Symantec has released a security advisory addressing a vulnerability in Symantec Scan Engine (SSE). To exploit this vulnerability, an unauthorized attacker would create a malicious file containing machine code, replacement memory addresses, and/or NOP instructions, distribute it via email and entice a user to open it. If successfully exploited, this vulnerability would allow an unauthorized remote attacker to execute arbitrary code in the context of the application or cause a denial-of-service condition.<br><br>

At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.<br><br>


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
<b>Symantec has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed.</b> - <br>None

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-35031
Group Title: 2012-A-0191
Rule ID: SV-46291r4_rule
Severity: CAT I
Rule Version (STIG-ID): 2012-A-0191
Rule Title: Symantec Endpoint Protection Memory Corruption Vulnerability


Vulnerability Discussion: Symantec has released a security advisory addressing a vulnerability in Endpoint Protection products. To exploit this vulnerability, an unauthorized attacker would create a malicious file containing machine code, replacement memory addresses, and/or NOP instructions, distribute it via email and entice a user to open it. If successfully exploited, this vulnerability would allow an unauthorized remote attacker to execute arbitrary code in the context of the application or cause a denial-of-service condition.<br><br>

At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.<br><br>


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
<b>Symantec has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed.</b> - <br> Users should refer to the "Mitigations" section of the <a href="http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20121107_00">Symantec Security Advisory (SYM12-017)</a>.<br>

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-35033
Group Title: 2012-B-0116
Rule ID: SV-46293r3_rule
Severity: CAT II
Rule Version (STIG-ID): 2012-B-0116
Rule Title: Multiple Vulnerabilities in Splunk


Vulnerability Discussion: Splunk has released a security advisory addressing multiple vulnerabilities in various versions of Splunk. Splunk is enterprise software used to monitor, report and analyze machine data produced by applications, systems and infrastructure devices. To exploit these vulnerabilities, an attacker would craft a URI link and entice a user to access the malicious link sent via email or other form of distribution. If successfully exploited, these vulnerabilities would allow an attacker to execute a cross-site scripting attack and steal cookie-based authentication credentials or cause a denial-of-service on the affected system.<br><br>

At this time, there are known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents. <br><br>


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
<b>Splunk has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.</b> - <br>None

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-35051
Group Title: 2012-B-0118
Rule ID: SV-46315r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2012-B-0118
Rule Title: Multiple Vulnerabilities in IBM DB2


Vulnerability Discussion: IBM has addressed multiple vulnerabilities in IBM DB2. IBM DB2 is a relational database management system capable of running on various platforms to include: AIX, HP-UX, Linux, Solaris and Windows. To exploit these vulnerabilities, an attacker would send malicious data to an affected system. If successfully exploited, these vulnerabilities would allow an attacker to execute arbitrary code or gain access to sensitive information.<br><br>

At this time, there are known exploits associated with at least one of these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.<br><br>


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
<b>IBM has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.</b> - <br><u>CVE-2012-4826 Mitigation:</u><br>
To prevent existing debuggable SQL/PSM stored procedures from being exploited, you need to search for debuggable SQL/PSM SP, then drop and recreate them without debug mode enabled. You can search for debuggable SQL/PSM SP with the following SELECT statement:<br><br>

SELECT ROUTINESCHEMA, ROUTINENAME FROM SYSCAT.ROUTINES WHERE DEBUG_MODE='ALLOW'<br><br>


To prevent the general user from creating their own debuggable SQL/PSM SP, you need to execute the following statement to prevent SQL/PSM SP from being deployed in debug mode:<br><br>

REVOKE EXECUTE ON PROCEDURE SYSPROC.PSMD_SET_COMPILEMODE FROM PUBLIC RESTRICT<br><br>

Grant EXECUTE privilege on SYSPROC.PSMD_SET_COMPILEMODE only to those users you trust.<br><br>


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-35052
Group Title: 2012-B-0117
Rule ID: SV-46316r3_rule
Severity: CAT I
Rule Version (STIG-ID): 2012-B-0117
Rule Title: Multiple Vulnerabilities in Autonomy Keyview affecting Symantec Products


Vulnerability Discussion: Symantec has released a security advisory addressing multiple vulnerabilities in the Autonomy KeyView module affecting Symantec products. Autonomy KeyView is a commercial Software Development Kit (SDK) that provides file format parsing libraries. To exploit these vulnerabilities, an attacker would craft and send a malicious file via email and entice a user to open the file. If successfully exploited, these vulnerabilities would allow an attacker to execute arbitrary code, gain elevated privileges, or cause a denial-of-service condition, resulting in the compromise of the affected system. <br><br>

At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents. <br><br>


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
<b>Symantec has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.</b> - <br>
System administrators should refer to the "Workaround/Mitigations" portion of the <a href="http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20121120_00">Symantec Security Advisory</a> for specific workarounds.<br>


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-35053
Group Title: 2012-B-0119
Rule ID: SV-46317r2_rule
Severity: CAT II
Rule Version (STIG-ID): 2012-B-0119
Rule Title: Multiple Vulnerabilities in McAfee Email Gateway


Vulnerability Discussion: McAfee has released a security advisory addressing multiple vulnerabilities in Email Gateway. McAfee Email Gateway consolidates inbound threat protection, outbound data loss prevention, encryption, advanced compliance, and administration into a single appliance. To exploit these vulnerabilities, an attacker creates and sends a malicious email with attachments to a user and convinces them to interact with the attachments. If successfully exploited, the attacker would gain the ability to cause a denial of service condition or perform cross-site scripting attacks on the affected system.<br><br>

At this time, there are known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents. <br><br>


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
<b>McAfee has tested temporary mitigating strategies and listed them in the Security Bulletin. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.</b> - <br>None<br>

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-35486
Group Title: 2012-B-0126
Rule ID: SV-46773r3_rule
Severity: CAT I
Rule Version (STIG-ID): 2012-B-0126
Rule Title: Adobe ColdFusion Security Bypass Vulnerability


Vulnerability Discussion: Adobe has released a security bulletin addressing a vulnerability in ColdFusion. Adobe ColdFusion is an application development platform used for developing websites. To exploit this vulnerability, an attacker would interact with an affected system in a malicious manner. If successfully exploited, this vulnerability would allow an attacker to bypass security restrictions in a shared hosting environment.
<br><br>
At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.<br><br>


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-35495
Group Title: 2012-A-0197
Rule ID: SV-46782r3_rule
Severity: CAT I
Rule Version (STIG-ID): 2012-A-0197
Rule Title: IBM Informix Dynamic Server Buffer Overflow Vulnerability


Vulnerability Discussion: IBM has released a security bulletin addressing a vulnerability in IBM Informix Dynamic Server. IBM Informix Dynamic Server is a relational database management system. To exploit this vulnerability, an unauthenticated attacker would connect to a database server and execute unspecified SQL statements. If successfully exploited, this vulnerability would allow an attacker to cause a buffer overflow that crashes the Informix database server or allows arbitrary code to be executed within the Informix database server process.
<br><br>
At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
<b>IBM has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed.</b> - <br>None

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-35496
Group Title: 2012-B-0125
Rule ID: SV-46783r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2012-B-0125
Rule Title: HP Network Node Manager i Remote Unauthorized Access Vulnerability


Vulnerability Discussion: Hewlett Packard has addressed a vulnerability affecting HP Network Node Manager i (NNMi). HP Network Node Manager i is a fault-management application for IP networks. To exploit this vulnerability, a remote attacker would gain access to a target system. If successfully exploited, this vulnerability would allow a remote attacker to execute arbitrary code and compromise the system.
<br><br>
At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
<b>HP has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.</b> - <br>None

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-36508
Group Title: 2013-A-0013
Rule ID: SV-47932r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2013-A-0013
Rule Title: Multiple Vulnerabilities in Oracle Enterprise Manager


Vulnerability Discussion: Oracle has released their quarterly Critical Patch Update Advisory for January 2013 addressing multiple vulnerabilities in Oracle Enterprise Manager Grid Control. This Critical Patch Update contains 13 new security fixes for the Oracle Enterprise Manager Grid Control. All vulnerabilities may be remotely exploitable without authentication. If successfully exploited, the most serious of these vulnerabilities would allow a remote attacker to compromise a vulnerable Oracle Enterprise Manager.
<br><br>
At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
<b>Oracle has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed.</b> - <br>None

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-36509
Group Title: 2013-A-0012
Rule ID: SV-47933r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2013-A-0012
Rule Title: Multiple Vulnerabilities in Oracle E-Business Suite


Vulnerability Discussion: Oracle has released their quarterly Critical Patch Update Advisory for January 2013 addressing multiple vulnerabilities in Oracle E-Business Suite. This Critical Patch Update contains nine (9) new security fixes for the Oracle E-Business Suite. Seven (7) of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.
<br><br>
At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.<br><br>


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
<b>Oracle has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed.</b> - <br>None<br>

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-36510
Group Title: 2013-A-0011
Rule ID: SV-47934r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2013-A-0011
Rule Title: Multiple Vulnerabilities in Oracle Fusion Middleware


Vulnerability Discussion: Oracle has released their quarterly Critical Patch Update Advisory for January 2013 addressing multiple vulnerabilities in Oracle Fusion Middleware. This Critical Patch Update contains 7 new security fixes for Oracle Fusion Middleware. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. <BR><BR>

At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
<b>Oracle has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed.</b> - <br>None<BR>

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-36511
Group Title: 2013-A-0010
Rule ID: SV-47935r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2013-A-0010
Rule Title: Multiple Vulnerabilities in Oracle Database


Vulnerability Discussion: Oracle has released their quarterly Critical Patch Update Advisory for January 2013 addressing 6 vulnerabilities in Oracle Database Server. The Database Server vulnerabilities may not be remotely exploitable without authentication, i.e., they require a username and password to be exploited over a network. Additionally, this Critical Patch Update contains 5 new security fixes for the Oracle Database Mobile/Lite Server vulnerabilities, which may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. <BR><BR>

At this time, there are known exploits associated with at least one of these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.<br><br>


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
<b>Oracle has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed.</b> - <br>None

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-36512
Group Title: 2013-A-0014
Rule ID: SV-47936r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2013-A-0014
Rule Title: Multiple Vulnerabilities in Sun Product Suites


Vulnerability Discussion: Oracle has released their quarterly Critical Patch Update Advisory for January 2013 addressing multiple vulnerabilities in Oracle Sun Products Suite. This Critical Patch Update contains 8 new security fixes for the Oracle Sun Products Suite. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. Additionally, this Critical Patch Update also contains 1 new security fix for Oracle Virtualization. That vulnerability is not remotely exploitable without authentication, i.e., it requires a username and password to be exploited over a network.<br><br>

At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.<br><br>


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
<b>Oracle has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed.</b> - <br>None

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-36514
Group Title: 2013-A-0015
Rule ID: SV-47938r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2013-A-0015
Rule Title: Multiple Vulnerabilities in Oracle MySQL


Vulnerability Discussion: Oracle has released their quarterly Critical Patch Update Advisory for January 2013 addressing multiple vulnerabilities in Oracle MySQL. This Critical Patch Update contains 18 new security fixes for Oracle MySQL. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.
<br><br>
At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
<b>Oracle has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed.</b> - <br>None

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-36516
Group Title: 2013-A-0017
Rule ID: SV-47940r1_rule
Severity: CAT I
Rule Version (STIG-ID): 2013-A-0017
Rule Title: Multiple Vulnerabilities in Adobe ColdFusion


Vulnerability Discussion: Adobe has released multiple security bulletins addressing vulnerabilities in ColdFusion. Adobe ColdFusion is an application development platform used for developing websites. To exploit these vulnerabilities, a remote attacker would send a malicious request to a computer running a vulnerable version of ColdFusion, allowing the attacker to bypass the security authentication controls on the target system. If successfully exploited, these vulnerabilities would allow a remote attacker to compromise affected systems.
<br><br>
At this time, there are known exploits associated with these vulnerabilities; USCYBERCOM is not aware of DoD related incidents.<br><br>


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
<b>Adobe has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed.</b> - <br>None

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-36577
Group Title: 2013-A-0019
Rule ID: SV-48001r1_rule
Severity: CAT I
Rule Version (STIG-ID): 2013-A-0019
Rule Title: Cisco Prime LAN Management Solution Command Execution Vulnerability


Vulnerability Discussion: Cisco has released a security advisory addressing a remote code execution vulnerability in the Cisco Prime LAN Management Solution (LMS) Virtual Appliance. The Cisco Prime LMS is an integrated suite of management functions that simplifies the configuration, administration, monitoring, and troubleshooting of a network. To exploit this vulnerability, an attacker would connect to an affected system and send a series of arbitrary commands. Successful exploitation of this vulnerability would allow an attacker to execute commands with the privilege of the root user resulting in the compromise of affected systems. <br><br>

At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.<br>


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
<b>Cisco has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed.</b> - <br>The workaround for this vulnerability requires the administrator to edit the securetty file stored in the /etc/ directory on the affected system and remove the rsh service command line.<br><br>

Mitigations that can be deployed on Cisco devices in a network are available in the Cisco Applied Intelligence companion document for this advisory: <a href="http://tools.cisco.com/security/center/viewAMBAlert.x?alertId=27920">http://tools.cisco.com/security/center/viewAMBAlert.x?alertId=27920</a>


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-36637
Group Title: 2013-A-0025
Rule ID: SV-48176r1_rule
Severity: CAT II
Rule Version (STIG-ID): 2013-A-0025
Rule Title: Multiple Cross Site Scripting Vulnerabilities in Red Hat JBoss Enterprise Portal Platform


Vulnerability Discussion: Red Hat has addressed multiple vulnerabilities in JBoss Enterprise Portal Platform. To exploit these vulnerabilities, an attacker would convince a user of an affected system to access a malicious URL. If successfully exploited, these vulnerabilities would allow an attacker to execute arbitrary web script and compromise the affected system.<br><br>

At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents. <br><br>


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
<b>Red Hat has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed.</b> - <br>None

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-36639
Group Title: 2013-A-0027
Rule ID: SV-48178r1_rule
Severity: CAT I
Rule Version (STIG-ID): 2013-A-0027
Rule Title: Multiple Vulnerabilities in Juniper Networks Steel Belted Radius


Vulnerability Discussion: Juniper has released a PSN Bulletin addressing multiple vulnerabilities in the Steel-Belted Radius server. Steel-Belted Radius is a centralized identity management and network access security appliance. To exploit these vulnerabilities, an attacker would locate a vulnerable server and attempt to interrupt the connection handshake process, inserting malformed packets. If successfully exploited, these vulnerabilities would allow an attacker to obtain sensitive information or cause a denial of service condition.
<br><br>
At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
<b>Juniper has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed.</b> - <br>None

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-36641
Group Title: 2013-A-0024
Rule ID: SV-48180r1_rule
Severity: CAT I
Rule Version (STIG-ID): 2013-A-0024
Rule Title: Multiple Vulnerabilities in Red Hat JBoss Enterprise Application Platform


Vulnerability Discussion: Red Hat has addressed multiple vulnerabilities in various JBoss products. To exploit these vulnerabilities, an attacker would utilize various tactics, techniques, and procedures (TTP) to compromise an affected system. If successfully exploited, these vulnerabilities would allow an attacker to bypass security restrictions and compromise the affected system. <BR><BR>

At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.<BR>


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
<b>Red Hat has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.</b> - <br>None

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-36644
Group Title: 2013-B-0008
Rule ID: SV-48183r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2013-B-0008
Rule Title: Multiple Vulnerabilities in IBM WebSphere Application Server


Vulnerability Discussion: IBM has addressed multiple vulnerabilities affecting IBM WebSphere Application Server. The IBM WebSphere Application Server is a web application server for various operating systems. To exploit these vulnerabilities, a remote attacker would send malicious requests to an affected system or entice a user to access a malicious link sent via email. If successfully exploited, these vulnerabilities would allow an attacker to gain access to sensitive information, inject malicious URL script into an affected web browser within the context of the hosting web site, execute arbitrary code within the context of the application, bypass security restrictions, or cause a denial-of-service condition. <br><br>

At this time, there are known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
<b>IBM has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.</b> - None<br>

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-36785
Group Title: 2013-B-0011
Rule ID: SV-48496r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2013-B-0011
Rule Title: Multiple Vulnerabilities in IBM Tivoli Storage Manager Client


Vulnerability Discussion: IBM has reported multiple vulnerabilities in IBM Tivoli Storage Manager. IBM Tivoli Storage Manager is a centralized, policy-based, enterprise class, data backup and recovery software suite capable of running on various platforms to include: AIX, HP-UX, Linux, Macintosh, NetWare, OS/400, z/OS, Solaris and Windows. To exploit these vulnerabilities, an attacker would use various tactics, techniques and procedures. If successfully exploited, these vulnerabilities would allow an attacker to deny service to legitimate users, gain unauthorized access and execute arbitrary code resulting in the compromise of affected systems.
<br><br>
At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
<b>IBM has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.</b> - <br>
<u>Workarounds:</u><br>
If using the traditional scheduler, set the SCHEDMODE option value to POLLING, which is the default value, in the client options file or on the command line.
<br><br>
Configure the scheduler to be managed by the Client Acceptor Daemon (CAD), by specifying 'MANAGEDSERVICES SCHEDULE' or 'MANAGEDSERVICES SCHEDULE WEBCLIENT' in the client options file.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-36791
Group Title: 2013-B-0010
Rule ID: SV-48502r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2013-B-0010
Rule Title: Multiple Vulnerabilities in Samba


Vulnerability Discussion: Samba has addressed multiple vulnerabilities affecting various versions of Samba in the Samba Web Administration Tool (SWAT). Samba is an open source suite of programs that provides Windows interoperability for Unix and Linux platforms. To exploit these vulnerabilities, a remote attacker would entice a user to access a malicious URL or web page. If successfully exploited, these vulnerabilities would allow a remote attacker to gain unauthorized access and compromise the affected system.<br><br>
At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.<br><br>


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
<b>Samba has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.</b> - <br>
<u>Workaround:</u>
<br><br>
Ensure SWAT is turned off and configure Samba using an alternative method to edit the smb.conf file.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-36902
Group Title: 2013-A-0049
Rule ID: SV-48663r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2013-A-0049
Rule Title: Multiple Vulnerabilities in Adobe Reader and Acrobat


Vulnerability Discussion: Adobe has released a security bulletin addressing multiple vulnerabilities in Adobe Reader and Adobe Acrobat. Adobe Acrobat is a document exchange program which allows data files created on one software platform (Windows, Macintosh, UNIX, etc.) to be displayed and printed on another without loss of text formatting. Adobe Reader allows users to read and print PDF files in the browser window. To exploit these vulnerabilities, an attacker would entice a user to access a malicious PDF file hosted on a web page or sent via email. If successfully exploited, these vulnerabilities would allow an attacker to execute arbitrary code and compromise the affected system.
<br><br>
At this time, these vulnerabilities are being exploited in the wild; USCYBERCOM is not aware of any DoD related incidents.


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
<b>Adobe has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed.</b> - <br>None<br>

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-36904
Group Title: 2013-B-0014
Rule ID: SV-48665r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2013-B-0014
Rule Title: Multiple Vulnerabilities in HP ArcSight Products


Vulnerability Discussion: Multiple vulnerabilities have been identified affecting various versions of the HP ArcSight Connector Appliance & HP ArcSight Logger. ArcSight Connector Appliances facilitate audit-quality log collection from all event-generating sources across the enterprise. ArcSight Logger is a log storage and search solution. To exploit these vulnerabilities, an attacker would leverage various tactics, techniques and procedures (TTP). If successfully exploited, these vulnerabilities would result in the compromise of affected devices.<br>
<br>
At this time, there are known exploits associated with at least one of these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
<b>HP has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.</b> - <br>None<br>

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-37061
Group Title: 2013-A-0051
Rule ID: SV-48822r3_rule
Severity: CAT I
Rule Version (STIG-ID): 2013-A-0051
Rule Title: Multiple Cross Site Scripting Vulnerabilities in Apache HTTP Server


Vulnerability Discussion: The Apache Software Foundation has addressed multiple vulnerabilities in Apache HTTP Server. Apache HTTP Server is an open source, commercial-grade web server application for various operating systems such as UNIX, Linux, and Microsoft Windows. To exploit these vulnerabilities, a remote attacker would entice a user to access a malicious link sent via email. If successfully exploited, these vulnerabilities would allow an attacker to execute arbitrary code in the affected browser and obtain access to sensitive information, resulting in the compromise of the affected system.
<br><br>
At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
<b>Apache Software Foundation has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed.</b> - <br>None

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-37068
Group Title: 2013-A-0052
Rule ID: SV-48829r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2013-A-0052
Rule Title: CKEditor Cross Site Scripting Vulnerability


Vulnerability Discussion: CKEditor has addressed a vulnerability in CKEditor. CKEditor (formerly FCKeditor) is an HTML text editor used in web pages. To exploit this vulnerability, a remote attacker would entice a user to follow a malicious URI sent via email. If successfully exploited, this vulnerability would allow a remote attacker to execute arbitrary code and compromise the affected system.
<br><br>
At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
<b>CKEditor has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed.</b> - <br>None

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-37261
Group Title: 2013-B-0020
Rule ID: SV-49022r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2013-B-0020
Rule Title: Multiple Vulnerabilities in Wireshark


Vulnerability Discussion: Multiple vulnerabilities have been reported in various versions of Wireshark. Wireshark is a security enhancement software tool used to analyze and troubleshoot network traffic. To exploit these vulnerabilities, a remote attacker would use various tactics, techniques, and procedures (TTP). If successfully exploited, these vulnerabilities would allow an attacker to cause a denial of service condition.
<br><br>
At this time, there are known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
<b>Wireshark has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.</b> - <br>None

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-37263
Group Title: 2013-A-0057
Rule ID: SV-49024r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2013-A-0057
Rule Title: Multiple Vulnerabilities in Oracle Java


Vulnerability Discussion: Oracle has released out-of-cycle updates to address multiple vulnerabilities in Oracle Java SE. This Critical Patch Update contains 2 new security fixes for Oracle Java SE. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.
<br><br>
At this time, there are known exploits associated with at least one of these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
<b>Oracle has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed.</b> - <br>None


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-37409
Group Title: 2013-A-0061
Rule ID: SV-49171r1_rule
Severity: CAT I
Rule Version (STIG-ID): 2013-A-0061
Rule Title: Multiple Denial of Service Vulnerabilities in Cisco Unified Communications Manager


Vulnerability Discussion: Cisco has released a security advisory addressing multiple vulnerabilities in Cisco Unified Communications Manager (CUCM). CUCM is the call processing component of the Cisco IP Telephony solution that extends enterprise telephony features and functions to packet telephony network devices such as IP phones, media processing devices, VoIP gateways, and multimedia applications. To exploit these vulnerabilities, an attacker would send malformed packets on unused UDP ports to an affected device. If successfully exploited, the attacker would cause a critical service to fail, which will interrupt voice services and lead to a denial-of-service.
<br><br>
At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
<b>Cisco has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed.</b> - <br>
Filtering traffic on TCP port 9004 from untrusted sources can provide a workaround for the LBM vulnerability.
<br><br>
Additional mitigations that can be deployed on Cisco devices in the network are available in the companion document "Identifying and Mitigating Exploitation of the Cisco Unified Communications Manager and Cisco IOS Software Session Initiation Protocol Denial of Service Vulnerability" at the following location: <a href="http://tools.cisco.com/security/center/viewAMBAlert.x?alertId=28034">http://tools.cisco.com/security/center/viewAMBAlert.x?alertId=28034</a>.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-37413
Group Title: 2013-B-0024
Rule ID: SV-49175r1_rule
Severity: CAT I
Rule Version (STIG-ID): 2013-B-0024
Rule Title: Multiple HP LaserJet Pro Printers Information Disclosure Vulnerability


Vulnerability Discussion: Hewlett-Packard has released a security bulletin addressing a vulnerability affecting various HP LaserJet printers. To exploit this vulnerability, an attacker would remotely access an affected system. If successfully exploited, this vulnerability would allow an attacker to gain unauthorized access to sensitive information.
<br><br>
At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
<b>Hewlett-Packard has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.</b> - <br>None

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-37414
Group Title: 2013-B-0023
Rule ID: SV-49176r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2013-B-0023
Rule Title: Stunnel Remote Buffer Overflow Vulnerability


Vulnerability Discussion: Stunnel has released an advisory to address a vulnerability in the Stunnel application. Stunnel is an application used to provide a universal TLS/SSL tunneling service. Stunnel uses OpenSSL libraries for cryptography. To exploit this vulnerability, an attacker would send a malicious request to the affected system. If successfully exploited, this vulnerability would allow an attacker to execute arbitrary code and compromise the affected system.
<br><br>
At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
<b>Stunnel has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.</b> - <br>
Disable the NTLM authentication.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-37415
Group Title: 2013-B-0022
Rule ID: SV-49177r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2013-B-0022
Rule Title: Multiple Vulnerabilities in PHP


Vulnerability Discussion: PHP has released an advisory to address multiple vulnerabilities in PHP. PHP is an HTML-embedded scripting language that gives web developers the ability to write dynamically generated pages. To exploit these vulnerabilities, an attacker would send malicious data to an affected system. If successfully exploited, these vulnerabilities would allow a remote attacker to execute arbitrary code, bypass security restrictions, or cause a denial of service condition.
<br><br>
At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
<b>PHP has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.</b> - <br>None<br>

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-37417
Group Title: 2013-B-0025
Rule ID: SV-49179r1_rule
Severity: CAT I
Rule Version (STIG-ID): 2013-B-0025
Rule Title: Cisco Unified Presence Server Denial of Service Vulnerability


Vulnerability Discussion: Cisco has addressed a vulnerability affecting Cisco Unified Presence Server (UPS). Cisco Unified Presence provides an open and extensible platform that facilitates the secure exchange of availability and instant messaging (IM) information. To exploit this vulnerability, an attacker would send malicious packets to a Session Initiation Protocol (SIP) port of an affected server. If successfully exploited, this vulnerability would allow an unauthenticated, remote attacker to cause a denial-of-service condition on an affected device.<br>
<br>
At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
<b>Cisco has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.</b> - <br>
Filtering traffic from untrusted sources on TCP port 5060 can provide a workaround for this vulnerability.


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-37539
Group Title: 2013-B-0031
Rule ID: SV-49301r1_rule
Severity: CAT I
Rule Version (STIG-ID): 2013-B-0031
Rule Title: Multiple Security Vulnerabilities in Google Chrome


Vulnerability Discussion: Google has released a security bulletin addressing multiple vulnerabilities in the Chrome browser. Google Chrome is a multi-platform web browser. To exploit these vulnerabilities, an attacker would use various tactics, techniques, and procedures (TTPs). If successfully exploited, these vulnerabilities would allow an attacker to execute arbitrary code in the context of the web browser, bypass security restrictions, and cause a denial-of-service condition on the target system.
<br><br>
At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
<b>Google has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.</b> - <br>None

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-37540
Group Title: 2013-B-0032
Rule ID: SV-49302r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2013-B-0032
Rule Title: MIT Kerberos Denial of Service Vulnerabilities


Vulnerability Discussion: Massachusetts Institute of Technology (MIT) has addressed multiple vulnerabilities affecting MIT Kerberos 5 (krb5). Kerberos is a network authentication protocol designed to provide strong authentication for client/server applications by using secret-key cryptography. To exploit these vulnerabilities, an attacker would send a malicious request to an affected system. If successfully exploited, these vulnerabilities would allow an unauthenticated remote attacker to cause a denial of service condition on affected systems. <br>
<br>
At this time, there are known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.<br>


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
<b>Red Hat has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.</b> - <br>None

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-37600
Group Title: 2013-A-0068
Rule ID: SV-49362r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2013-A-0068
Rule Title: Multiple Vulnerabilities in Mozilla Products


Vulnerability Discussion: The Mozilla Foundation has released multiple security advisories to address multiple vulnerabilities in various Mozilla products. To exploit these vulnerabilities, an attacker would use various tactics, techniques, and procedures (TTPs). If successfully exploited, these vulnerabilities would allow an attacker to execute arbitrary code, gain escalated privileges, bypass security restrictions, conduct cross-site scripting attacks, and cause denial of service conditions resulting in the compromise of affected systems.
<br><br>
At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
<b>The Mozilla Foundation has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed.</b> - <br>None

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-37603
Group Title: 2013-A-0070
Rule ID: SV-49365r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2013-A-0070
Rule Title: Multiple Vulnerabilities in Asterisk Products


Vulnerability Discussion: Asterisk Project has released multiple security advisories addressing multiple vulnerabilities in multiple Asterisk products. Asterisk is an open source Private Branch Exchange (PBX), telephony engine, and telephony applications toolkit. To exploit these vulnerabilities, an attacker would send a malicious request to an affected application. If successfully exploited, these vulnerabilities would allow a remote attacker to execute arbitrary code within the context of the affected application, gain access to sensitive information, or cause a denial of service condition.
<br><br>
At this time, there are known exploits associated with one of these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
<b>Asterisk Project has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed.</b> - <br>None

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-37604
Group Title: 2013-A-0069
Rule ID: SV-49366r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2013-A-0069
Rule Title: ISC BIND 9 Remote Denial of Service Vulnerability


Vulnerability Discussion: Internet Systems Consortium (ISC) has reported a vulnerability in Berkeley Internet Name Domain (BIND). ISC BIND is a widely used implementation of DNS available for multiple operating system platforms. To exploit this vulnerability, a remote attacker would send a malicious query to an affected server. If successfully exploited, this vulnerability would cause the affected BIND server to exhaust memory resources, resulting in a denial of service condition.
<br><br>
At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
<b>Internet Systems Consortium (ISC) has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed.</b> - <br>
Patched versions are available (see the "Solutions:" section below) or operators can prevent exploitation of this bug in any affected version of BIND 9 by compiling without regular expression support.
<br><br>
Compilation without regular expression support:
<br><br>
BIND 9.7 (all versions), BIND 9.8 (9.8.0 through 9.8.5b1), and BIND 9.9 (9.9.0 through 9.9.3b1) can be rendered completely safe from this bug by re-compiling the source with regular expression support disabled. In order to disable inclusion of regular expression support:
<br><br>
After configuring BIND features as desired using the configure script in the top level source directory, manually edit the "config.h" header file that was produced by the configure script. <br>
Locate the line that reads "#define HAVE_REGEX_H 1" and replace the contents of that line with "#undef HAVE_REGEX_H". <br>
Run "make clean" to remove any previously compiled object files from the BIND 9 source directory, then proceed to make and install BIND normally.
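The config.h edit from the steps above, as an added example that is not part of this STIG or ISC's own tooling: a small POSIX shell helper that performs the HAVE_REGEX_H replacement idempotently and a check that confirms the header no longer enables regular expression support. The config.h path is a parameter, and the demo input at the bottom is a constructed stand-in for a configured BIND 9 source tree.

```shell
#!/bin/sh
# Added example (not from the STIG or ISC). Flip "#define HAVE_REGEX_H 1"
# to "#undef HAVE_REGEX_H" in a BIND 9 config.h produced by ./configure.
# Returns 0 when the line was replaced or was already replaced; returns 1
# when the file is missing or does not look like a configured config.h.
disable_bind_regex() {
    cfg="$1"
    [ -f "$cfg" ] || return 1
    if grep -q '^#undef HAVE_REGEX_H' "$cfg"; then
        return 0    # already disabled; running again is harmless
    fi
    grep -q '^#define HAVE_REGEX_H 1' "$cfg" || return 1
    # Keep a backup (config.h.bak) and rewrite only the matching line.
    sed -i.bak 's/^#define HAVE_REGEX_H 1$/#undef HAVE_REGEX_H/' "$cfg"
}

# Verification step before "make clean && make": succeed only if no
# "#define HAVE_REGEX_H" remains and the "#undef" line is present.
bind_regex_disabled() {
    cfg="$1"
    ! grep -q '^#define HAVE_REGEX_H' "$cfg" && grep -q '^#undef HAVE_REGEX_H' "$cfg"
}

# Constructed demo input (not a real BIND tree): a minimal config.h.
demo=$(mktemp -d)
printf '#define HAVE_OPENSSL 1\n#define HAVE_REGEX_H 1\n' > "$demo/config.h"
disable_bind_regex "$demo/config.h"
bind_regex_disabled "$demo/config.h" && echo "regex support disabled in $demo/config.h"
rm -rf "$demo"
```

Run the helper against the config.h in the top-level BIND 9 source directory after configuring, then continue with "make clean" and the normal make and install.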


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-37605
Group Title: 2013-A-0077
Rule ID: SV-49367r1_rule
Severity: CAT I
Rule Version (STIG-ID): 2013-A-0077
Rule Title: Multiple Vulnerabilities in OpenSSL


Vulnerability Discussion: OpenSSL has addressed multiple vulnerabilities affecting various versions of OpenSSL. OpenSSL is an open-source implementation of SSL and TLS protocols used to encrypt transmission of data between web browsers and web servers. OpenSSL is designed to enable secure communications over an insecure network such as the Internet. To exploit these vulnerabilities, an attacker would send a malicious packet to the affected application. If successfully exploited, these vulnerabilities would allow an attacker to cause a denial of service condition on the affected system.<br><br>

At this time, there are exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
<b>The following temporary mitigation strategies can be used to mitigate the vulnerabilities addressed in this directive. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed.</b> - <br><u>CVE-2013-0169:</u><br>
This vulnerability is only partially mitigated when OpenSSL is used in conjunction with the OpenSSL FIPS Object Module and the FIPS mode of operation is enabled.<br><br>

<u>CVE-2012-2686:</u><br>
Anyone using an AES-NI platform for TLS 1.2 or TLS 1.1 on OpenSSL 1.0.1c is affected. Platforms which do not support AES-NI or versions of OpenSSL which do not implement TLS 1.2 or 1.1 (for example OpenSSL 0.9.8 and 1.0.0) are not affected.<br>


Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-37606
Group Title: 2013-A-0074
Rule ID: SV-49368r1_rule
Severity: CAT I
Rule Version (STIG-ID): 2013-A-0074
Rule Title: Multiple Vulnerabilities in Adobe ColdFusion


Vulnerability Discussion: Adobe has released multiple security bulletins addressing vulnerabilities in ColdFusion. Adobe ColdFusion is an application development platform used for developing websites. To exploit these vulnerabilities, a remote attacker would send a malicious request to a computer running a vulnerable version of ColdFusion, allowing the attacker to bypass the security authentication controls on the target system. If successfully exploited, these vulnerabilities would allow a remote attacker to compromise affected systems.
<br><br>
At this time, there are known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.<br><br>


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
<b>Adobe has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed.</b> - <br>None

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-37607
Group Title: 2013-A-0075
Rule ID: SV-49369r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2013-A-0075
Rule Title: Multiple Vulnerabilities in Adobe Flash Player and AIR


Vulnerability Discussion: Adobe has released a security bulletin addressing multiple vulnerabilities in Adobe Flash Player and AIR. Adobe Flash Player is a multimedia application for Microsoft Windows, Macintosh, Linux and Solaris operating systems. To exploit these vulnerabilities, a remote attacker would entice a user to access a malicious web site or open a file with malicious content. If successfully exploited, these vulnerabilities would allow an attacker to execute arbitrary code resulting in the compromise of affected systems.<br><br>

At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.<br><br>


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
<b>Adobe has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used as part of a POA&M to help block known attack vectors until required compliance actions can be completed.</b> - <br>None

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________

Group ID (Vulid): V-37619
Group Title: 2013-B-0035
Rule ID: SV-49381r2_rule
Severity: CAT I
Rule Version (STIG-ID): 2013-B-0035
Rule Title: Multiple Vulnerabilities in PostgreSQL


Vulnerability Discussion: PostgreSQL has addressed multiple vulnerabilities affecting various versions of the PostgreSQL object-relational database system. PostgreSQL is an open source database system. To exploit these vulnerabilities, an attacker would send a malicious request to an affected system or create a symbolic link in the temporary file directory. If successfully exploited, these vulnerabilities would allow an attacker to gain access to sensitive information, bypass security restrictions, execute arbitrary code in the context of the affected system, or cause a denial-of-service condition.
<br><br>
At this time, there are no known exploits associated with these vulnerabilities; USCYBERCOM is not aware of any DoD related incidents.


Mitigations: 
IAVA Set Mitigation Control

Mitigation Control: 
<b>PostgreSQL has tested the following temporary mitigating strategies. While these strategies will not permanently correct the underlying vulnerability, they may be used to help block known attack vectors until fix actions can be completed.</b> - <br>None

Responsibility: System Administrator
IAControls: ECMT-1, ECMT-2, VIVM-1
  _____________________________________________________________



UNCLASSIFIED//FOR OFFICIAL USE ONLY