__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN Buffer Overflow in ServerProtect [Trend Micro Solution ID: 1034290] February 22, 2007 18:00 GMT Number R-156 ______________________________________________________________________________ PROBLEM: A flaw in the “CMON_NetTestConnection()” routine in StCommon.dll may allow attackers to execute arbitrary codes on the application. PLATFORM: ServerProtect for Microsoft Windows - 5.57 ServerProtect for Network Appliance Filer - 5.60 ServerProtect for EMC Celerra - 5.57 DAMAGE: May allow attackers to execute arbitrary code on the application. SOLUTION: Upgrade to the appropriate version. ______________________________________________________________________________ VULNERABILITY The risk is MEDIUM. May allow attackers to execute arbitrary ASSESSMENT: code on the application. ______________________________________________________________________________ LINKS: CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/r-156.shtml ORIGINAL BULLETIN: http://esupport.trendmicro.com/support/viewxml.do? ContentID=EN-1034290 CVE: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name= CVE-2007-1070 ______________________________________________________________________________ [***** Start Trend Micro Solution ID: 1034290 *****] [Vulnerability Response] Buffer overflow in ServerProtect Solution ID: 1034290 A recent system upgrade added a ‘1’ or ‘2’ to old solution IDs. You find these solutions by removing or retaining the extra '1' or '2'. Product: ServerProtect for Microsoft Windows - 5.58, ServerProtect for Network Appliance Filer - 5.61, ServerProtect for EMC Celerra - 5.58 Operating System: Windows 2000 Professional Edition - SP4, Windows 2000 Server - SP4, Windows Server 2003 Datacenter Edition, Windows Server 2003 Enterprise Edition, Windows Server 2003 Standard Edition Published: 2/19/07 9:41 PM Problem: A flaw in the “CMON_NetTestConnection()” routine in StCommon.dll may allow attackers to execute arbitrary codes on the application. This vulnerability affects the following products: • ServerProtect for Windows 5.58 • ServerProtect for EMC 5.58 • ServerProtect for Network Appliance Filer 5.61 • ServerProtect for Network Appliance Filer 5.62 Solution: To address this issue on ServerProtect for Windows 5.58, download Security Patch 1- Build 1171 (English). More security patches may be released on the following dates: 2/27/2007 ServerProtect for Windows 5.58 (Traditional Chinese) 3/05/2007 ServerProtect for Windows 5.58 (Simplified Chinese) 3/19/2007 ServerProtect for EMC 5.58 (English) 3/29/2007 ServerProtect for Network Appliance Filer 5.61 (English) We will soon post updates about the release dates for the security patches of the following products: • ServerProtect for Windows 5.58 (Japanese) • ServerProtect for Network Appliance Filer 5.61 (Japanese) • ServerProtect for Network Appliance Filer 5.62 (Japanese) [***** End Trend Micro Solution ID: 1034290 *****] _______________________________________________________________________________ CIAC wishes to acknowledge the contributions of Trend Micro for the information contained in this bulletin. _______________________________________________________________________________ CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 (7x24) FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@ciac.org Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ Anonymous FTP: ftp.ciac.org PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) R-145: Aruba Mobility Controller Vulnerability R-146: Vulnerability in Snort DCE/RPC Preprocessor R-147: Multiple Vulnerabilities in Firewall Services Module R-148: Apple Security Update 2007-002 R-149: Buffer Overflow in OfficeScan Clients R-150: PHP Security Update R-151: GnomeMeeting Security Update R-152: KOffice Security Update R-153: Cisco Unified IP Conference Station and IP Phone Vulnerabilities R-154: Multiple Vulnerabilities in 802.1X Supplicant