The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Vulnerability announcement CVE-2007-5273 CVE-2007-5274 CVE-2007-5275

Java JRE, Flash: bypassing DNS pinning

Synthesis of the vulnerability

An attacker can create an HTML page that calls a plugin and bypasses the DNS pinning protection included in web browsers.
Severity of this threat: 1/4.
Number of vulnerabilities in this bulletin: 2.
Creation date: 11/10/2007.
References of this weakness: 103078, 6569621, 6609269, APSB07-20, CVE-2007-5273, CVE-2007-5274, CVE-2007-5275, CVE-2007-5375, RHSA-2007:1126-01, SUSE-SA:2008:025, VIGILANCE-VUL-7238, VMSA-2008-00010.3.

Description of the vulnerability

A "DNS rebinding" attack aims to force the web browser to connect to a server other than the one which provided the HTML document. For example, this vulnerability makes it possible to scan ports or to obtain information without going through the firewall.

This attack uses the following method:
 - The attacker sets up a DNS server for his "attacker.dom" domain. This server answers that the IP address of www.attacker.dom is 1.2.3.4, with a TTL of 10 seconds.
 - The attacker sets up a web server hosting an HTML page containing a script that creates a connection to the originating server.
 - The attacker invites the victim to connect to his web server.
 - When the HTML page is displayed, the script tries to access the server: as the TTL has expired, the web browser sends a new DNS query. This time, however, the attacker's DNS server indicates that the IP address of www.attacker.dom is 192.168.1.1.
 - The script thus connects to the 192.168.1.1 address, which is an internal address.

To protect against this attack, web browsers implement "DNS pinning", which consists in keeping IP addresses in the cache regardless of the duration indicated by the TTL. However, plugins use a cache that is separate from the web browser's cache, which makes it possible to bypass this protection.
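
The following Python model is an added example, not part of the original bulletin: it replays the DNS answers from the steps above against a pinned cache (the browser) and a separate TTL-honoring cache (an assumption standing in for the plugin), and includes a check a defender can run over resolver logs to flag a name that moves from a public to an internal address. The function names and the time at which the answer changes are constructed for illustration.

```python
import ipaddress

# Constructed answers for www.attacker.dom, following the steps above:
# (time in seconds from which the answer is served, address, TTL)
ANSWERS = [(0, "1.2.3.4", 10), (5, "192.168.1.1", 10)]

def authoritative(now):
    """Return (address, ttl) served by the domain's DNS server at time `now`."""
    addr, ttl = [(a, t) for start, a, t in ANSWERS if start <= now][-1]
    return addr, ttl

class Cache:
    """Name cache of one component; pinned=True ignores the TTL (DNS pinning)."""
    def __init__(self, pinned):
        self.pinned = pinned
        self.entry = None  # (address, expiry time)

    def resolve(self, now):
        if self.entry and (self.pinned or now < self.entry[1]):
            return self.entry[0]
        addr, ttl = authoritative(now)  # cache miss or expired: query again
        self.entry = (addr, now + ttl)
        return addr

def simulate(pinned, times=(0, 4, 11, 30)):
    """Addresses one component connects to when it resolves at each time."""
    cache = Cache(pinned)
    return [cache.resolve(t) for t in times]

def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return ip.is_private or ip.is_loopback or ip.is_link_local

def rebinding_seen(addresses):
    """True if a name first answered with a public address later maps to an
    internal one (the pattern to look for in resolver logs for one name)."""
    seen_public = False
    for addr in addresses:
        if is_internal(addr) and seen_public:
            return True
        seen_public = seen_public or not is_internal(addr)
    return False

if __name__ == "__main__":
    print("browser (pinned):   ", simulate(pinned=True))
    print("plugin (own cache): ", simulate(pinned=False))
    print("rebinding flagged:  ", rebinding_seen(simulate(pinned=False)))
```

The pinned cache stays on 1.2.3.4 for the whole session, while the separate cache re-queries after the 10-second TTL and ends up on 192.168.1.1, which is the transition `rebinding_seen` flags.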

An attack can be created on the JVM by using LiveConnect, an Applet with an HTTP proxy or Relative Paths. [severity:1/4; 103078, 6569621, 6609269, CVE-2007-5273, CVE-2007-5274, CVE-2007-5375]

An attack can be created on the Flash plugin which also uses a separate cache. [severity:1/4; CVE-2007-5275]

This cybersecurity threat impacts software or systems such as Flash Player, Windows (platform) ~ not comprehensive, NLD, OES, Java Oracle, Solaris, Trusted Solaris, RHEL, SLES, Unix (platform) ~ not comprehensive, ESX.

Our Vigil@nce team determined that the severity of this computer threat is low.

The trust level is of type confirmed by the editor, with an origin of internet server.

This bulletin is about 2 vulnerabilities.

An attacker with expert ability can exploit this security threat.

Solutions for this threat

Flash Player: version 9.0.115.0.
Version 9.0.115.0 is corrected:
  http://www.adobe.com/shockwave/download/download.cgi?P1_Prod_Version=ShockwaveFlash
An update is also available for Flash Player 7:
  http://kb.adobe.com/selfservice/viewContent.do?externalId=d9c2fe33&sliceId=2
An update is also available for other versions:
  http://kb.adobe.com/selfservice/viewContent.do?externalId=tn_14266&sliceId=1

Java JDK/JRE 6: version 6 Update 3.
Version 6 Update 3 is corrected:
  http://java.sun.com/javase/downloads/index.jsp
For Solaris:
  * Java SE 6: patch 125136-04
  * Java SE 6 64bit: patch 125137-04
  * Java SE 6_x86: patch 125138-04
  * Java SE 6_x86 64 bit: patch 125139-04
Previous versions have to be uninstalled.

Java JDK/JRE 5: version 5 Update 13.
Version 5 Update 13 is corrected:
  http://java.sun.com/javase/downloads/index_jdk5.jsp
For Solaris:
  Sparc:
    32 bits: patch 118666-14
    64 bits: patch 118667-14
  x86:
    32 bits: patch 118668-14
    64 bits: patch 118669-14
Previous versions have to be uninstalled.

Java SDK/JRE 1.4.2: version 1.4.2_16.
Version 1.4.2_16 is corrected:
  http://java.sun.com/j2se/1.4.2/download.html
Previous versions have to be uninstalled.

Java SDK/JRE 1.3.1: version 1.3.1_21.
Version 1.3.1_21 is corrected:
  http://java.sun.com/j2se/1.3/download.html
Previous versions have to be uninstalled.

RHEL 3, 4, 5 Extras: new flash-plugin packages.
New packages are available:
Red Hat Enterprise Linux version 3 Extras: flash-plugin-9.0.115.0-1.el3
Red Hat Enterprise Linux version 4 Extras: flash-plugin-9.0.115.0-1.el4
RHEL version 5 Supplementary: flash-plugin-9.0.115.0-1.el5

SUSE: new IBM Java packages.
New packages are available:
   SUSE Linux Enterprise Desktop 10 SP1
     http://support.novell.com/techcenter/psdb/9f8f419846f676b0d132660a92bb01ed.html
   SUSE Linux Enterprise Server 10 SP1
     http://support.novell.com/techcenter/psdb/9f8f419846f676b0d132660a92bb01ed.html
     http://support.novell.com/techcenter/psdb/54032eb4df3ad36ed54d5c9772c9b3a5.html
   SLE SDK 10 SP1
     http://support.novell.com/techcenter/psdb/54032eb4df3ad36ed54d5c9772c9b3a5.html
   Open Enterprise Server
     http://support.novell.com/techcenter/psdb/833adf8244bc08c2125b1b37b2407112.html
     http://support.novell.com/techcenter/psdb/60ee4b5cee653c4418c0dec544b13d34.html
   Novell Linux POS 9
     http://support.novell.com/techcenter/psdb/833adf8244bc08c2125b1b37b2407112.html
     http://support.novell.com/techcenter/psdb/60ee4b5cee653c4418c0dec544b13d34.html
   SUSE SLES 9
     http://support.novell.com/techcenter/psdb/833adf8244bc08c2125b1b37b2407112.html
     http://support.novell.com/techcenter/psdb/60ee4b5cee653c4418c0dec544b13d34.html

VMware ESX: patch for Tomcat and Java JRE.
A patch is available:
VMware ESX 3.5 patch ESX350-200806404-SG
http://download3.vmware.com/software/esx/ESX350-200806404-SG.zip
md5sum: 669e97880a21cce13eb7e9051f403162
http://kb.vmware.com/kb/1005219
ESX 3.0.3 patch ESX303-200808407-SG
http://download3.vmware.com/software/vi/ESX303-200808407-SG.zip
md5sum: 083cee0475a8f73e511199800e8c3af4
http://kb.vmware.com/kb/1006358
ESX 3.0.2 patch ESX-1006360
http://download3.vmware.com/software/vi/ESX-1006360.tgz
md5sum: 5d2d629b6c4b1894571742569ae2e2da
http://kb.vmware.com/kb/1006360
ESX 3.0.1 patch ESX-1006359
http://download3.vmware.com/software/vi/ESX-1006359.tgz
md5sum: 2224d6e27b86f3155ce9d5895f1f191a
http://kb.vmware.com/kb/1006359