
        __________________________________________________________
 
                       The U.S. Department of Energy
                    Cyber Incident Response Capability
                  __   __   __       ___ __ __ ___    ___
                 |  \ |  | |_   __  /      |   |__|  /
                 |__/ |__| |__      \___ __|__ |   \ \___
        __________________________________________________________


                             INFORMATION BULLETIN

                   Gear Software CD DVD Filter Vulnerability
                     [US-CERT Vulnerability Note VU#146896]

October 15, 2008 21:00 GMT                                        Number T-017
______________________________________________________________________________
PROBLEM:       The Gear Software CD DVD Filter driver contains a privilege 
               escalation vulnerability, which can allow an attacker to gain 
               SYSTEM privileges. 
PLATFORM:      Gear Software 
DAMAGE:        SYSTEM privileges. 
SOLUTION:      Upgrade to the appropriate version. 
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. An attacker may be able to execute code 
ASSESSMENT:    with SYSTEM privileges. 
______________________________________________________________________________
CVSS 2 BASE SCORE: 3.5 
 TEMPORAL SCORE:   2.7 
 VECTOR:           (AV:L/AC:H/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C) 
______________________________________________________________________________
LINKS: 
 DOE-CIRC BULLETIN:  http://doecirc.energy.gov/ciac/bulletins/t-017.shtml 
 ORIGINAL BULLETIN:  http://www.kb.cert.org/vuls/id/146896 
 ADDITIONAL LINK:    Symantec SYM08-017 
                     http://securityresponse.symantec.com/avcenter/security/
					          Content/2008.10.07a.html 
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name= 
                     CVE-2008-3636 
______________________________________________________________________________
[***** Start US-CERT Vulnerability Note VU#146896 *****]


Vulnerability Note VU#146896
Gear Software CD DVD Filter driver privilege escalation vulnerability
Overview
The Gear Software CD DVD Filter driver contains a privilege escalation vulnerability, 
which can allow an attacker to gain SYSTEM privileges. 


I. Description
Gear Software provides a driver called CD DVD Filter, which is provided by 
GEARAspiWDM.sys. This driver is used by multiple CD/DVD recording applications. 
The Gear Software CD DVD Filter driver allows unlimited calls to IoAttachDevice 
from a user-space application. By making multiple calls to IoAttachDevice, an 
attacker may be able to exploit an integer overflow in the Microsoft Windows kernel 
to execute code with SYSTEM privileges.


II. Impact
An attacker may be able to execute code with SYSTEM privileges.


III. Solution
Apply an update 
This issue is addressed in GEAR driver version 4.001.7, which provides GEARAspiWDM.sys 
version 2.0.7.5. This version of the CD DVD Filter driver limits the number of 
IoAttachDevice calls that can be made. Please check with your software vendor for 
updates that contains this fixed driver. If no update is available, the stand-alone 
driver from GEAR may be installed.

Apple iTunes users should install iTunes 8.0, as specified in the About the security 
content of iTunes 8.0 document.

Symantec customers using Norton 360, Norton Ghost, Norton Save and Restore, Backup 
Exec System Recovery, and Symantec LiveState Recovery should apply an update, as 
specified in the Symantec Security Advisory SYM08-017.


Systems Affected
Vendor Status Date Notified Date Updated 
Apple Computer, Inc. Vulnerable 2008-03-13 2008-10-07 
GEAR Software, Inc.  Vulnerable 2008-03-13 2008-10-07 
Symantec, Inc. Vulnerable 2008-03-13 2008-10-07 

References

http://www.wintercore.com/advisories/advisory_W021008.html
http://lists.apple.com/archives/security-announce//2008/Sep/msg00001.html
http://support.apple.com/kb/HT3025
http://securityresponse.symantec.com/avcenter/security/Content/2008.10.07a.html 

Credit
Thanks to Ruben Santamarta of Wintercore for reporting this vulnerability by way 
of the Microsoft Security Response Center. 

This document was written by Will Dormann. 

Other Information
Date Public: 2008-10-07 
Date First Published: 2008-10-07 
Date Last Updated: 2008-10-07 
CERT Advisory:   
CVE-ID(s): CVE-2008-3636 
NVD-ID(s): CVE-2008-3636 
US-CERT Technical Alerts:   
Metric: 5.67 
Document Revision: 13 



[***** End US-CERT Vulnerability Note VU#146896 *****]
_______________________________________________________________________________

DOE-CIRC wishes to acknowledge the contributions of US-CERT for the 
information contained in this bulletin.
_______________________________________________________________________________


DOE-CIRC provides the U.S. Department of Energy with incident response, 
reporting, and tracking, along with other computer security support. 
DOE-CIRC is a member of GFIRST, the Government Forum of Incident 
Responders and Security Teams and FIRST an international incident 
response and security organization. 

DOE-CIRC services are available to DOE and DOE contractors. DOE-CIRC
can be contacted at:
    Voice:    +1 866-941-2472 (7x24)
    FAX:      +1 702-932-0189
    STU-III:  Call the voice number.
    E-mail:   doecirc@doecirc.energy.gov

Previous DOE-CIRC notices, anti-virus software, and other information are
available from the DOE-CIRC Computer Security Archive.

   World Wide Web:      http://doecirc.energy.gov/
   Anonymous FTP:       ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE and ESnet computing
communities receive DOE-CIRC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with DOE-CIRC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor any agency thereof, nor any of their employees, 
makes any warranty, express or implied, or assumes any legal
liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial product,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation, or favoring by the United States Government or
any agency thereof. The views and opinions of originators expressed
herein do not necessarily state or reflect those of the United States
Government or any agency thereof.

LAST 10 DOE-CIRC Bulletins

S-213: Nukedit 'email' Parameter Vulnerability
S-214: SurgeMail and WebMail 'Page' Command Vulnerability
S-215: Symantec Backup Exec Scheduler ActiveX Control Multiple Vulnerabilities
S-216: Juniper Networks Secure Access 2000 'rdremediate.cgi' Vulnerability
S-217: Drupal Multiple HTML Vulnerabilities
S-218: gd Security Update
S-219: Juniper Networks Secure Access 2000 Web Root Path Vulnerability
S-220: PHP-Nuke My_eGallery Module 'gid' Parameter Vulnerability
S-221: Learn2 STRunner ActiveX Control Vulnerabilities
S-222: Evolution Security Update