The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of ISA

computer vulnerability CVE-2009-2631

Cisco, Juniper, Microsoft, Nortel, Stonesoft: vulnerability of SSL VPN

Synthesis of the vulnerability

A design weakness in some clientless SSL VPN products can be used by an attacker to obtain information from other web sites visited by the victim.
Impacted products: Avaya Ethernet Routing Switch, ASA, IVE OS, Juniper SA, ISA, Nortel ESM, Nortel VPN Router, StoneGate Firewall.
Severity: 3/4.
Consequences: client access/rights, data reading, data creation/edition.
Provenance: internet server.
Creation date: 09/12/2009.
Identifiers: 025367-01, 19500, 2009009920, 984744, BID-37152, CVE-2009-2631, KB15799, PSN-2009-11-580, VIGILANCE-VUL-9265, VU#261869.

Description of the vulnerability

Some SSL VPN products set up an SSL proxy to which users connect with their web browser. The URLs of the web sites they visit are then rewritten as:
  https://proxy-ssl/origin-site/page.html
so that every site appears to be hosted on the https://proxy-ssl/ server.

Web browsers are designed to isolate JavaScript by the origin (domain) it was loaded from, the same-origin policy. However, when an SSL proxy places different web sites under the same domain, this protection no longer applies, and a malicious JavaScript script served through the proxy can thus access the content of the other proxied web sites.

Some products rewrite the source code of web pages on the fly in order to replace JavaScript calls. However, an attacker can obfuscate his code so that the rewriter does not recognize the calls and the replacement is not made.

A design weakness in some clientless SSL VPN products can therefore be used by an attacker to obtain information from other web sites visited by the victim.
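The origin collapse and the rewriter evasion described above, as an added example in Python that is not part of the Vigil@nce bulletin or of any vendor's code. The proxy host name proxy-ssl, the two site names, and the document.cookie rewriting rule are assumptions chosen for the illustration:

```python
"""Added example (not from the Vigil@nce bulletin or any vendor): how a
clientless SSL VPN's URL rewriting collapses distinct web origins into one,
and why an on-the-fly JavaScript rewriter built on pattern matching is easy
to evade.  The proxy host name, the two sites and the rewriting rule are
assumptions."""
import re
from urllib.parse import urlsplit

PROXY = "https://proxy-ssl"  # hypothetical SSL VPN front end (assumption)


def rewrite_for_proxy(origin_url: str) -> str:
    """Rewrite https://site/path as https://proxy-ssl/site/path."""
    u = urlsplit(origin_url)
    query = f"?{u.query}" if u.query else ""
    return f"{PROXY}/{u.hostname}{u.path or '/'}{query}"


def origin(url: str) -> tuple:
    """Scheme, host and port: the triple the same-origin policy compares."""
    u = urlsplit(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    return (u.scheme, u.hostname, port)


def same_origin(a: str, b: str) -> bool:
    return origin(a) == origin(b)


# A naive on-the-fly rewriter of the kind the bulletin mentions: it replaces
# literal document.cookie references with a proxy-scoped accessor so that
# one proxied site cannot read another site's cookies.
COOKIE_RE = re.compile(r"document\.cookie")


def naive_rewrite_script(js: str) -> str:
    return COOKIE_RE.sub("__vpn_scoped_cookie(document)", js)


def demo() -> dict:
    bank = "https://bank.example/account"        # constructed
    attacker = "https://evil.example/page.html"  # constructed
    plain = "var c = document.cookie;"
    # Same property, reached through computed member access: the regex
    # never sees the string "document.cookie", so nothing is replaced.
    obfuscated = 'var c = document["coo" + "kie"];'
    return {
        "direct_same_origin": same_origin(bank, attacker),
        "proxied_same_origin": same_origin(rewrite_for_proxy(bank),
                                           rewrite_for_proxy(attacker)),
        "plain_rewritten": naive_rewrite_script(plain) != plain,
        "obfuscated_rewritten": naive_rewrite_script(obfuscated) != obfuscated,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two sites that are different origins when visited directly become the single origin (https, proxy-ssl, 443) once proxied, and the pattern-based rewriter leaves the computed-property access untouched, which is exactly the gap the bulletin describes.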
Full Vigil@nce bulletin... (Free trial)

vulnerability bulletin CVE-2009-0562 CVE-2009-1136 CVE-2009-1534

Office Web Components: several vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities in the Office Web Components ActiveX controls in order to execute code on the victim's computer.
Impacted products: BizTalk Server, ISA, Office, Access, Excel, Outlook, PowerPoint, Project, Publisher, Visio, Word, Visual Studio.
Severity: 4/4.
Consequences: user access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 4.
Creation date: 12/08/2009.
Identifiers: 957638, BID-35642, BID-35990, BID-35991, BID-35992, CERTA-2009-AVI-331, CVE-2009-0562, CVE-2009-1136, CVE-2009-1534, CVE-2009-2496, MS09-043, VIGILANCE-VUL-8943, VU#545228, ZDI-09-054, ZDI-09-055, ZDI-09-056.

Description of the vulnerability

Microsoft Office Web Components are installed with Office, BizTalk, Visual Studio and ISA, and provide ActiveX controls to publish spreadsheets and charts on a web site.

An attacker can trigger a memory allocation error after an ActiveX control has been loaded and unloaded, leading to code execution. [severity:4/4; BID-35990, CERTA-2009-AVI-331, CVE-2009-0562, ZDI-09-055]

An attacker can trigger a heap memory corruption in BorderAround(). [severity:4/4; BID-35991, CVE-2009-2496, ZDI-09-056]

An attacker can pass invalid parameters to msDataSourceObject() in order to corrupt memory (VIGILANCE-VUL-8854). [severity:4/4; BID-35642, CVE-2009-1136, VU#545228, ZDI-09-054]

An attacker can trigger a buffer overflow. [severity:4/4; BID-35992, CVE-2009-1534]

An attacker can therefore create an HTML page that instantiates one of these ActiveX controls in order to execute code on the victim's computer.

computer vulnerability bulletin CVE-2009-1135

ISA 2006: bypassing the Radius OTP authentication

Synthesis of the vulnerability

In some configurations, an attacker who knows a username can access resources protected by ISA Server 2006.
Impacted products: ISA.
Severity: 3/4.
Consequences: user access/rights, data reading, data creation/edition.
Provenance: internet client.
Creation date: 15/07/2009.
Identifiers: 970953, BID-35631, CERTA-2009-AVI-276, CVE-2009-1135, MS09-031, VIGILANCE-VUL-8858.

Description of the vulnerability

A Microsoft Internet Security and Acceleration Server 2006 can be configured:
 - with Forms-Based Authentication (FBA),
 - using a RADIUS OTP (One-Time Password) server,
 - with HTTP Basic as fallback authentication,
 - using Kerberos Constrained Delegation.

In this configuration, an attacker who knows a valid username can request HTTP Basic authentication, and the request is granted without any authentication taking place.

An attacker can therefore access resources protected by ISA Server 2006, with the privileges of the user whose name he used.

vulnerability note CVE-2009-1136

Microsoft Office Web Components: memory corruption

Synthesis of the vulnerability

An attacker can invite the victim to view an HTML page in order to corrupt the memory of a Microsoft Office Web Components ActiveX control, leading to code execution.
Impacted products: BizTalk Server, IE, ISA, Office, Access, Excel, Microsoft FrontPage, OneNote, Outlook, PowerPoint, Project, Publisher, Visio, Word, Visual Studio.
Severity: 4/4.
Consequences: user access/rights.
Provenance: document.
Creation date: 15/07/2009.
Identifiers: 957638, 973472, BID-35642, CVE-2009-1136, FGA-2009-27, MS09-043, VIGILANCE-VUL-8854, VU#545228.

Description of the vulnerability

Microsoft Office Web Components are installed with Office and ISA, and provide ActiveX controls to publish spreadsheets and charts on a web site.

The OWC10.Spreadsheet ActiveX control displays an Excel spreadsheet. Its Evaluate() and msDataSourceObject() methods do not correctly validate number arrays, which corrupts memory.

An attacker can therefore invite the victim to view an HTML page in order to corrupt the memory of a Microsoft Office Web Components ActiveX control, leading to code execution.

vulnerability note CVE-2009-0077 CVE-2009-0237

ISA, Forefront: two vulnerabilities

Synthesis of the vulnerability

An attacker can trigger a denial of service and a Cross-Site Scripting in ISA Server and Forefront Threat Management Gateway.
Impacted products: ISA.
Severity: 3/4.
Consequences: client access/rights, denial of service on service.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 15/04/2009.
Identifiers: 961759, BID-34414, BID-34416, CERTA-2009-AVI-146, CVE-2009-0077, CVE-2009-0237, MS09-016, VIGILANCE-VUL-8634.

Description of the vulnerability

Two vulnerabilities impact ISA Server and Forefront Threat Management Gateway.

The Web proxy and Web listeners do not correctly handle session closing. A sequence of TCP packets thus triggers a denial of service. [severity:3/4; BID-34414, CERTA-2009-AVI-146, CVE-2009-0077]

The authentication form can be used for a Cross-Site Scripting attack, due to an error in cookieauth.dll. [severity:2/4; BID-34416, CVE-2009-0237]

computer vulnerability announce CVE-2008-5133

IP Filter, ISA: DNS vulnerability with NAT

Synthesis of the vulnerability

When address translation (NAT) is enabled on the firewall, the protections set up to correct VIGILANCE-VUL-7937 are not effective.
Impacted products: ISA, OpenSolaris, Solaris, Unix (platform) ~ not comprehensive.
Severity: 2/4.
Consequences: data creation/edition.
Provenance: internet server.
Creation date: 12/11/2008.
Identifiers: 245206, 6726575, 6730614, CVE-2008-5133, VIGILANCE-VUL-8237.

Description of the vulnerability

The fix for VIGILANCE-VUL-7937 (DNS cache poisoning) requires the use of random source port numbers.

However, when the DNS server sits behind a firewall performing address translation, it remains vulnerable if the firewall rewrites the source ports to predictable values.

Two firewalls exhibit this regression:
 - IP Filter
 - Microsoft ISA Server
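A check for the regression described above, as an added example in Python that is not part of the Vigil@nce bulletin or of any vendor's tooling. It takes the UDP source ports seen on the outside of the firewall for a resolver's outgoing queries and reports whether they still look randomized; the port samples here are constructed with a fixed seed, where a real check would read them from a packet capture on the outside interface. The two NAT models and the thresholds are assumptions:

```python
"""Added example (not from the bulletin or any vendor): does a NAT preserve
the randomised source ports a patched resolver uses, or does it rewrite them
into a predictable sequence?  Port samples are constructed; the NAT models
and the thresholds are assumptions."""
import random
import statistics


def nat_sequential(ports, first=1024):
    """Model a NAT that allocates outside source ports in increasing order,
    the behaviour that re-introduces the poisoning risk."""
    return [first + i for i in range(len(ports))]


def nat_preserving(ports):
    """Model a NAT that keeps the resolver's own (randomised) source ports."""
    return list(ports)


def port_stats(ports):
    """Summarise how predictable a sequence of source ports is."""
    if len(ports) < 2:
        raise ValueError("need at least two samples")
    deltas = [b - a for a, b in zip(ports, ports[1:])]
    # Fraction of consecutive queries whose port grew by exactly one.
    sequential_ratio = sum(1 for d in deltas if d == 1) / len(deltas)
    return {
        "samples": len(ports),
        "distinct": len(set(ports)),
        "range": max(ports) - min(ports),
        "stdev": statistics.pstdev(ports),
        "sequential_ratio": sequential_ratio,
    }


def ports_look_random(ports, min_range=10000, max_sequential=0.05):
    """Heuristic verdict (assumed thresholds): randomised ports span a wide
    range and almost never increase by one between consecutive queries."""
    s = port_stats(ports)
    return s["range"] >= min_range and s["sequential_ratio"] <= max_sequential


def demo(n=200, seed=7):
    # Constructed sample: what a patched resolver emits on its inside
    # interface.  Fixed seed so the result is reproducible.
    rng = random.Random(seed)
    resolver_ports = [rng.randrange(1024, 65536) for _ in range(n)]
    return {
        "resolver": ports_look_random(resolver_ports),
        "behind_preserving_nat": ports_look_random(nat_preserving(resolver_ports)),
        "behind_sequential_nat": ports_look_random(nat_sequential(resolver_ports)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {'random' if value else 'PREDICTABLE'}")
```

The verdict is computed from what leaves the firewall, not from the resolver's configuration: a resolver can be fully patched and still fail this check when the NAT in front of it serialises the ports.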

computer vulnerability announce CVE-2006-4695 CVE-2007-1201

Office, Visual, BizTalk, Commerce, ISA: vulnerabilities

Synthesis of the vulnerability

Two vulnerabilities in Microsoft Office, Visual Studio .NET, BizTalk Server, Commerce Server and Internet Security and Acceleration Server can be used to execute code.
Impacted products: BizTalk Server, ISA, Office, Access, Excel, Outlook, PowerPoint, Publisher, Word, Visual Studio.
Severity: 3/4.
Consequences: privileged access/rights, user access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 12/03/2008.
Identifiers: 933103, BID-28135, BID-28136, CERTA-2008-AVI-127, CVE-2006-4695, CVE-2007-1201, MS08-017, VIGILANCE-VUL-7657, VU#654577.

Description of the vulnerability

Two vulnerabilities impact Microsoft Office Web Components 2000 (shipped with Microsoft Office, Visual Studio .NET, BizTalk Server, Commerce Server and Internet Security and Acceleration Server).

An attacker can create an HTML page using a malicious URI in order to execute code in an ActiveX control of Microsoft Office Web Components. [severity:3/4; BID-28135, CVE-2006-4695, VU#654577]

An attacker can create an HTML page using malicious data in order to execute code in an ActiveX control of Microsoft Office Web Components. [severity:3/4; BID-28136, CVE-2007-1201]

vulnerability announce CVE-2007-4991

Microsoft ISA Server 2004: obtaining visited IP addresses

Synthesis of the vulnerability

An attacker can obtain the IP address of a site previously visited through the SOCKS4 proxy.
Impacted products: ISA.
Severity: 1/4.
Consequences: data reading.
Provenance: internet client.
Creation date: 21/09/2007.
Identifiers: BID-25753, CVE-2007-4991, VIGILANCE-VUL-7182, ZDI-07-053.

Description of the vulnerability

The ISA firewall supports the SOCKS version 4 protocol, used to tunnel connections: the user connects to the SOCKS proxy, which connects to the requested remote server.

When the SOCKS proxy receives an empty packet, it returns a packet to the client. However, this packet contains the IP address of the last remote server to which a connection was established. This error is probably caused by the use of an uninitialized memory area.

An unauthenticated attacker can therefore progressively obtain the list of IP addresses requested by users.
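A minimal SOCKS4 CONNECT builder and reply parser, as an added example in Python that is not part of the Vigil@nce bulletin, the ZDI advisory or any vendor's code. It shows which field of the proxy's 8-byte reply carries the address the bulletin says leaks, and how a checker would tell an echoed destination from a foreign one. The reply bytes and addresses are constructed, not captured from an ISA server, and the faulty-proxy behaviour is modelled on the bulletin's description:

```python
"""Added example (not from the bulletin, ZDI or any vendor): SOCKS4 CONNECT
request builder and reply parser.  The reply bytes are constructed here to
model the behaviour the bulletin describes, not captured from ISA Server."""
import socket
import struct

SOCKS4_VERSION = 4
CMD_CONNECT = 1
REPLY_GRANTED = 90   # 0x5A
REPLY_REJECTED = 91  # 0x5B


def build_connect(dst_ip: str, dst_port: int, userid: str = "") -> bytes:
    """VN=4, CD=1, DSTPORT (2 bytes, network order), DSTIP (4 bytes),
    USERID, terminating NUL."""
    return (struct.pack("!BBH4s", SOCKS4_VERSION, CMD_CONNECT, dst_port,
                        socket.inet_aton(dst_ip))
            + userid.encode("ascii") + b"\x00")


def parse_reply(data: bytes) -> dict:
    """VN=0, CD, DSTPORT, DSTIP.  A proxy normally echoes the client's
    requested destination here; the bulletin describes ISA returning the
    address of the last server it connected to instead."""
    if len(data) < 8:
        raise ValueError("short SOCKS4 reply")
    vn, cd, port, raw_ip = struct.unpack("!BBH4s", data[:8])
    if vn != 0:
        raise ValueError(f"unexpected SOCKS4 reply version {vn}")
    return {"code": cd, "granted": cd == REPLY_GRANTED,
            "port": port, "ip": socket.inet_ntoa(raw_ip)}


def reply_leaks_address(requested_ip: str, reply: bytes) -> bool:
    """True when the reply names an address other than the one requested."""
    return parse_reply(reply)["ip"] != requested_ip


def empty_probe_reply_leaks(reply: bytes) -> bool:
    """Heuristic (assumption) for the probe the bulletin describes: after an
    empty packet the client supplied no destination, so any address other
    than 0.0.0.0 in the reply is data the client never sent."""
    return parse_reply(reply)["ip"] != "0.0.0.0"


def demo() -> dict:
    # Constructed: a client asks to CONNECT to 192.0.2.10:80 ...
    request = build_connect("192.0.2.10", 80, "alice")
    # ... a faulty proxy answers with the previous destination it served,
    # 198.51.100.7:443, while a correct one echoes 192.0.2.10:80.
    faulty_reply = struct.pack("!BBH4s", 0, REPLY_GRANTED, 443,
                               socket.inet_aton("198.51.100.7"))
    good_reply = struct.pack("!BBH4s", 0, REPLY_GRANTED, 80,
                             socket.inet_aton("192.0.2.10"))
    return {
        "request_hex": request.hex(),
        "faulty": parse_reply(faulty_reply),
        "faulty_leaks": reply_leaks_address("192.0.2.10", faulty_reply),
        "good_leaks": reply_leaks_address("192.0.2.10", good_reply),
        "empty_probe_leaks": empty_probe_reply_leaks(faulty_reply),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Sending the request over a real socket and feeding the 8 bytes that come back to parse_reply() is all a checker needs; the DSTIP field is the only place in a SOCKS4 reply where an address can appear, so a value the client never asked for is the symptom to look for.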

vulnerability alert 5821

ISA: character insertion in logs via Host header

Synthesis of the vulnerability

An attacker can use a special encoding in the Host header to insert characters into the logs.
Impacted products: ISA.
Severity: 2/4.
Consequences: data creation/edition.
Provenance: internet client.
Creation date: 09/05/2006.
Identifiers: 042006-001-ISA-LM, VIGILANCE-VUL-5821.

Description of the vulnerability

Several web servers can be hosted on the same computer. To indicate which server it wants, the client adds a "Host" header. For example:
  GET url HTTP/version
  Host: servername

ISA Server writes the Host header to its log. However, when this header contains "%xx" encoding, the decoded characters are written to the log as-is.

An attacker can for example insert a tab with %09 in order to bypass log analysis tools.
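The flaw described above beside a hardened version, as an added example in Python that is not part of the Vigil@nce bulletin or of ISA Server's own logging code. The tab-separated log layout, the column order and the malicious Host header are constructed for the illustration and are not ISA's real log format:

```python
"""Added example (not from the bulletin or Microsoft): a log writer that
decodes %xx in the Host header and writes it raw, beside one that re-escapes
control characters.  Log format and header values are constructed."""
import re
from urllib.parse import unquote

# Characters that must never reach a single-line, tab-separated record.
CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")


def log_line_vulnerable(client_ip: str, host_header: str, request: str) -> str:
    """Decode %xx and write the result as-is: %09 becomes a real tab,
    %0a a real newline, exactly the behaviour the bulletin describes."""
    return f"{client_ip}\t{unquote(host_header)}\t{request}"


def sanitize_field(value: str) -> str:
    """Decode, then re-escape every control character as \\xNN so the field
    stays one column and the record stays one line."""
    decoded = unquote(value)
    return CONTROL_RE.sub(lambda m: f"\\x{ord(m.group()):02x}", decoded)


def log_line_hardened(client_ip: str, host_header: str, request: str) -> str:
    return "\t".join(sanitize_field(f) for f in (client_ip, host_header, request))


def parse_tab_log(line: str) -> list:
    """What a naive tab-separated log analyser does with one record."""
    return line.split("\t")


def demo() -> dict:
    # Constructed malicious Host header: %09 shifts a fake request into the
    # request column, %0a then forges an entire second record.
    evil_host = ("www.example%09GET%20/admin%20HTTP/1.1"
                 "%0a10.0.0.1%09intranet%09GET%20/%20HTTP/1.1")
    v = log_line_vulnerable("203.0.113.5", evil_host, "GET / HTTP/1.1")
    h = log_line_hardened("203.0.113.5", evil_host, "GET / HTTP/1.1")
    return {
        "vulnerable_records": v.count("\n") + 1,
        "vulnerable_first_request": parse_tab_log(v.splitlines()[0])[2],
        "hardened_records": h.count("\n") + 1,
        "hardened_fields": len(parse_tab_log(h)),
        "hardened_line": h,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

With the vulnerable writer the analyser sees two records and attributes a request for /admin to the client that never sent it; with the hardened writer the whole header stays in its own column, and the escape sequences make the injection attempt itself visible in the log.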

vulnerability announce CVE-2005-1215 CVE-2005-1216

ISA: HTTP cache corruption and NetBIOS filter bypass

Synthesis of the vulnerability

An attacker can corrupt the HTTP cache, or access the firewall using the NetBIOS protocol.
Impacted products: ISA.
Severity: 2/4.
Consequences: data creation/edition, data flow.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 2.
Creation date: 15/06/2005.
Identifiers: BID-13954, BID-13955, BID-13956, CERTA-2005-AVI-215, CVE-2005-1215, CVE-2005-1216, MS05-034, V6-ISAHTTPNETBIOS, VIGILANCE-VUL-5012, VU#367077.

Description of the vulnerability

Two vulnerabilities are present in the HTTP cache and in the NetBIOS filters of ISA.

A network attacker can craft a malformed HTTP request leading to cache corruption. This vulnerability concerns requests carrying several "Content-Length" headers. The attacker can then serve illegitimate content to users, or bypass some access restrictions (CAN-2005-1215).

An attacker can open a NetBIOS connection to the firewall using the predefined "NetBIOS (all)" filter. He can then connect to the NetBIOS services available on it (CAN-2005-1216).
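The framing ambiguity behind the cache corruption above, as an added example in Python that is not part of the Vigil@nce bulletin or of Microsoft's code. Two HTTP components that pick different Content-Length headers disagree on where a request ends, so the bytes one of them treats as body the other treats as the start of a new request; the strict framer rejects such a request outright, as RFC 7230 section 3.3.3 requires. The requests are constructed:

```python
"""Added example (not from the bulletin or Microsoft): an HTTP/1.x request
framer that rejects conflicting Content-Length headers, beside the permissive
"pick one" behaviour that lets two components disagree about message
boundaries.  The sample requests are constructed."""


def split_head(raw: bytes):
    """Return (request line, [(lower-cased name, value)], remaining bytes)."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, rest


def frame_permissive(raw: bytes, pick: str = "last"):
    """Use the first or the last Content-Length seen.  Returns the body this
    component consumes and the bytes it leaves for the *next* request."""
    _, headers, rest = split_head(raw)
    lengths = [int(v) for n, v in headers if n == b"content-length"]
    if not lengths:
        return b"", rest
    length = lengths[0] if pick == "first" else lengths[-1]
    return rest[:length], rest[length:]


def frame_strict(raw: bytes) -> bytes:
    """Reject any request whose body length is ambiguous."""
    _, headers, rest = split_head(raw)
    values = {v for n, v in headers if n == b"content-length"}
    if len(values) > 1:
        raise ValueError(f"conflicting Content-Length values: {sorted(values)}")
    if values and any(n == b"transfer-encoding" for n, _ in headers):
        raise ValueError("both Transfer-Encoding and Content-Length present")
    if not all(v.isdigit() for v in values):
        raise ValueError("non-numeric Content-Length")
    length = int(values.pop()) if values else 0
    return rest[:length]


# Constructed: two Content-Length headers.  A component using the first one
# sees a 5-byte body; one using the last sees 30 bytes, swallowing the
# "GET /admin" line that the first component would parse as a new request.
AMBIGUOUS = (b"POST /search HTTP/1.1\r\nHost: www.example\r\n"
             b"Content-Length: 5\r\nContent-Length: 30\r\n\r\n"
             b"q=abcGET /admin HTTP/1.1\r\nFoo: x")
CLEAN = (b"POST /search HTTP/1.1\r\nHost: www.example\r\n"
         b"Content-Length: 5\r\n\r\nq=abc")


def demo() -> dict:
    first_body, first_left = frame_permissive(AMBIGUOUS, "first")
    last_body, _ = frame_permissive(AMBIGUOUS, "last")
    try:
        frame_strict(AMBIGUOUS)
        strict_rejected = False
    except ValueError:
        strict_rejected = True
    return {
        "first_body": first_body,
        "first_leftover_starts_request": first_left.startswith(b"GET /admin"),
        "last_body_len": len(last_body),
        "strict_rejected": strict_rejected,
        "strict_clean_body": frame_strict(CLEAN),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

A cache that frames with one rule while the origin server frames with the other can end up storing the response to the hidden "GET /admin" request under whatever URL the next client asks for; refusing the ambiguous request removes the disagreement instead of trying to guess which header was meant.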