[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

UNIRAS Brief - 123/04 - 2 Macromedia Security Bulletins - Security Patch available for ColdFusion MX and JRun 4.0 Web Services DoS/Potential Security Risk with Macromedia E-Licensing Client Activation Code



 
-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------------------
   UNIRAS (UK Govt CERT) Briefing Notice - 123/04 dated 16.03.04  Time: 11:20  
  UNIRAS is part of NISCC (National Infrastructure Security Co-ordination Centre)
- ---------------------------------------------------------------------------------- 
  UNIRAS material is also available from its website at www.uniras.gov.uk and
         Information about NISCC is available from www.niscc.gov.uk
- ----------------------------------------------------------------------------------

Title
=====

Macromedia Security Bulletins:

1.	Security Patch available for ColdFusion MX and JRun 4.0 Web Services DoS.

2.	Potential Security Risk with Macromedia E-Licensing Client Activation Code.

Detail
====== 

1.	ColdFusion MX and JRun 4.0 web services may be vulnerable to a Denial-of-Service 
	attack from maliciously constructed SOAP requests. Customers with configurations 
	affected by this bulletin should follow the recommendations found in the bulletin. 

2.	Macintosh versions of the Macromedia installers and e-licensing client install a 
	service whose file permissions allow "other" users to write to the file. This may 
	allow one local user to obtain the permissions of another local user (including 
	an admin user). This leads to a threat typically classified as Privilege Escalation.

- ----------------------------------------------------------------------------------

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
1.


IMPORTANT:

A security issue that may affect ColdFusion MX and JRun 4.0 
customers has come to our attention recently. 

To learn about this new issue and what actions you can take 
to address it, please visit the Macromedia Security Zone:  
http://www.macromedia.com/security
 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  

MPSB04-04 Security Patch available for ColdFusion MX and 
JRun 4.0 Web Services DoS.  
 
Originally Posted: March 15, 2004

~~~~~~~ 

SUMMARY: 

ColdFusion MX and JRun 4.0 web services may be vulnerable 
to a Denial-of-Service attack from maliciously constructed 
SOAP requests. 

ColdFusion Version 5 and earlier versions and JRun 3.1 and 
earlier versions do not support web services and are not 
vulnerable. 

If using web services with ColdFusion MX or JRun 4.0, this 
fix should be applied if either: 
	
- - - the web services are available publicly 
- - - the web services may be accessed by a potential attacker 

NOTE: This fix is NOT required if ColdFusion MX or JRun 4.0 
is used only to consume web services provided by others. 
Also, the default ColdFusion MX and JRun 4.0 installations 
are not vulnerable because they do not contain any deployed 
web services. 

~~~~~~~ 

WHAT CUSTOMERS SHOULD DO: 

Customers with configurations affected by this bulletin 
should follow the recommendations found in the bulletin. 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Reporting Security Issues 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~   

Macromedia is committed to addressing security issues and 
providing customers with information on how they can 
protect themselves. If you identify what you believe may 
be a security issue with a Macromedia product, please 
send an e-mail to secure@xxxxxxxxxxxxxxx We will work to 
appropriately address and communicate the issue. 

~~~~~~~ 

Receiving Security Bulletins: 

When Macromedia becomes aware of a security issue that we 
believe significantly affects our products or customers, 
we will notify customers when appropriate. Typically, this 
notification will be in the form of a security bulletin 
explaining the issue and the response. Macromedia customers 
who would like to receive notification of new security 
bulletins when they are released can sign up for our 
security notification service. 

For additional information on security issues at Macromedia, 
please visit the Security Zone at: 

http://www.macromedia.com/security 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
THE INFORMATION PROVIDED BY MACROMEDIA IN THIS BULLETIN 
IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. 
MACROMEDIA AND ITS SUPPLIERS DISCLAIM ALL WARRANTIES, 
WHETHER EXPRESS OR IMPLIED OR OTHERWISE, INCLUDING THE 
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A 
PARTICULAR PURPOSE. ALSO, THERE IS NO WARRANTY OF 
NON-INFRINGEMENT, TITLE OR QUIET ENJOYMENT. (USA ONLY) 
SOME STATES DO NOT ALLOW THE EXCLUSION OF IMPLIED 
WARRANTIES, SO THE ABOVE EXCLUSION MAY NOT APPLY TO YOU. 

IN NO EVENT SHALL MACROMEDIA, INC. OR ITS SUPPLIERS BE 
LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING, WITHOUT 
LIMITATION, DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, 
SPECIAL, PUNITIVE, COVER, LOSS OF PROFITS, BUSINESS 
INTERRUPTION OR THE LIKE, OR LOSS OF BUSINESS DAMAGES, 
BASED ON ANY THEORY OF LIABILITY INCLUDING BREACH OF 
CONTRACT, BREACH OF WARRANTY, TORT(INCLUDING NEGLIGENCE), 
PRODUCT LIABILITY OR OTHERWISE, EVEN IF MACROMEDIA, INC. 
OR ITS SUPPLIERS OR THEIR REPRESENTATIVES HAVE BEEN 
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. (USA ONLY) 
SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF 
LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, SO THE 
ABOVE EXCLUSION OR LIMITATION MAY NOT APPLY TO YOU AND 
YOU MAY ALSO HAVE OTHER LEGAL RIGHTS THAT VARY FROM STATE 
TO STATE. 

Macromedia reserves the right to update the information in 
this document with current information. 





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 
2.

Security Bulletin:  

Potential Security Risk with Macromedia E-Licensing Client 
Activation Code 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 

Summary: 

Macintosh versions of the Macromedia installers and 
e-licensing client install a service whose file permissions 
allow "other" users to write to the file. This may allow one 
local user to obtain the permissions of another local user 
(including an admin user). This leads to a threat typically 
classified as Privilege Escalation.

This potential vulnerability affects only products installed 
on machines with multiple users. Further, it does not appear 
to be a threat under typical installation of Macromedia 
products where the computer's only user is already considered 
the administrator.   

~~~~~~~ 

Solution: 

A patch can be downloaded from the Macromedia website to 
protect users of current versions of Macromedia products:   

http://www.macromedia.com/go/DMJL_AAAZ 

Alternatively, a work-around is described in the "Making 
the Changes" section of this bulletin. 

~~~~~~~ 

Affected Software Versions:  

All supported Macintosh versions of Macromedia MX 2004 
products as well as Contribute 2 may be affected. 

~~~~~~~ 

Severity Rating: 

Macromedia categorizes this issue as a Moderate update 
(see http://www.macromedia.com/go/DMJL_AABA) and recommends 
that administrators of systems supporting multiple users 
apply the patch located at: 

http://www.macromedia.com/go/DMJL_AABB 

~~~~~~~ 

Details:  

Macintosh OS X versions of the Macromedia installers and 
e-licensing client install the 'AuthenticationService' 
as an SUID service whose file permissions allow "other" 
users to write to the file. By default, these permissions 
allow the code in the service to be changed by any local 
user. In the event of modification by any non-admin user, 
the operating system removes the SUID property. 

The current behavior of Macromedia products using this 
service mitigates all known attack vectors. All current 
Macromedia products detect the file change, refuse to 
execute the modified service, and reinstall the original, 
unmodified binary. Therefore, a successful exploitation 
requires the attacker to cause another user to execute 
the service independent of any Macromedia product. 

If the AuthenticationService file is manually deleted, a 
reapplication of the patch may be required. 

~~~~~~~ 

Making the Changes:  

With an admin account and password, permissions on the 
file can be manually changed to resolve this problem. 

Activate a Terminal session and type in the following 
command. 

sudo chmod 4775 "/Library/Application Support/Macrovision/ 
AuthenticationService"  

Enter your admin user password at the prompt and then 
the command will run and set the permissions on the file.

NOTE: Back up your existing files before making changes. 
As always, test the changes in a nonproduction environment 
before applying the changes to production servers. 

~~~~~~~ 

Acknowledgements:  

Macromedia would like to thank Chris Irvine of Dark Horse 
Comics, Inc. for reporting this vulnerability and for 
working with us to help protect our customers' security. 

~~~~~~~ 

Reporting Security Issues: 
 
Macromedia is committed to addressing security issues and 
providing customers with the information on how they can 
protect themselves. If you identify what you believe may 
be a security issue with a Macromedia product, please 
send an e-mail to secure@xxxxxxxxxxxxxxx We will work to 
appropriately address and communicate the issue. 

~~~~~~~ 

Receiving Security Bulletins: 
 
When Macromedia becomes aware of a security issue that we 
believe significantly affects our products or customers, 
we will notify customers when appropriate. Typically this 
notification will be in the form of a security bulletin 
explaining the issue and the response. Macromedia customers 
who would like to receive notification of new security 
bulletins when they are released can sign up for our 
security notification service. 

For additional information on security issues at Macromedia, 
please visit: 

http://www.macromedia.com/security. 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
ANY INFORMATION, PATCHES, DOWNLOADS, WORKAROUNDS OR FIXES 
PROVIDED BY MACROMEDIA IN THIS BULLETIN ARE PROVIDED "AS IS" 
WITHOUT WARRANTY OF ANY KIND. MACROMEDIA AND ITS SUPPLIERS 
DISCLAIM ALL WARRANTIES, WHETHER EXPRESS OR IMPLIED OR 
OTHERWISE, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND 
FITNESS FOR A PARTICULAR PURPOSE. ALSO, THERE IS NO WARRANTY 
OF NON-INFRINGEMENT, TITLE OR QUIET ENJOYMENT. (USA ONLY) 
SOME STATES DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, 
SO THE ABOVE EXCLUSION MAY NOT APPLY TO YOU. 

IN NO EVENT SHALL MACROMEDIA, INC. OR ITS SUPPLIERS BE LIABLE 
FOR ANY DAMAGES WHATSOEVER INCLUDING, WITHOUT LIMITATION, 
DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, PUNITIVE, 
COVER, LOSS OF PROFITS, BUSINESS INTERRUPTION OR THE LIKE, OR 
LOSS OF BUSINESS DAMAGES, BASED ON ANY THEORY OF LIABILITY 
INCLUDING BREACH OF CONTRACT, BREACH OF WARRANTY, TORT 
(INCLUDING NEGLIGENCE), PRODUCT LIABILITY OR OTHERWISE, EVEN 
IF MACROMEDIA, INC. OR ITS SUPPLIERS OR THEIR REPRESENTATIVES 
HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. (USA 
ONLY) SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF 
LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, SO THE ABOVE 
EXCLUSION OR LIMITATION MAY NOT APPLY TO YOU AND YOU MAY ALSO 
HAVE OTHER LEGAL RIGHTS THAT VARY FROM STATE TO STATE. 

Macromedia reserves the right, from time to time, to update 
the information in this document with current information.  

- ----------------------------------------------------------------------------------

For additional information or assistance, please contact the HELP Desk by 
telephone or Not Protectively Marked information may be sent via 
EMail to: uniras@xxxxxxxxxxxx

Office Hours:
Mon - Fri: 08:30 - 17:00 Hrs
Tel: +44 (0) 20 7821 1330 Ext 4511
Fax: +44 (0) 20 7821 1686

Outside of Office Hours:
On Call Duty Officer:
Tel: +44 (0) 20 7821 1330 and follow the prompts

- ----------------------------------------------------------------------------------
UNIRAS wishes to acknowledge the contributions of Macromedia for the information 
contained in this Briefing. 
- ----------------------------------------------------------------------------------
This Briefing contains the information released by the original author. Some 
of the information may have changed since it was released. If the vulnerability 
affects you, it may be prudent to retrieve the advisory from the canonical site 
to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade 
name, trademark manufacturer, or otherwise, does not constitute or imply 
its endorsement, recommendation, or favouring by UNIRAS or NISCC.  The views 
and opinions of authors expressed within this notice shall not be used for 
advertising or product endorsement purposes.

Neither UNIRAS or NISCC shall also accept responsibility for any errors 
or omissions contained within this briefing notice. In particular, they shall 
not be liable for any loss or damage whatsoever, arising from or in connection 
with the usage of information contained within this notice.

UNIRAS is a member of the Forum of Incident Response and Security Teams (FIRST) 
and has contacts with other international Incident Response Teams (IRTs) in 
order to foster cooperation and coordination in incident prevention, to prompt 
rapid reaction to incidents, and to promote information sharing amongst its 
members and the community at large. 
- ----------------------------------------------------------------------------------
<End of UNIRAS Briefing>

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQCVAwUBQFbtOIpao72zK539AQE/rwQAgceH2XoPcLgt/alS1gB86izBIWd9FAT0
c8i7nacfeKSCo5wYYYHMBAXQHOv6RLSDk3ZFg8yTsDPJ1JNqkEOtNXSimrKyHUcL
Dd3Rn0x2T2pkTCRst8KAYiAYLzOl+jKqdp17zcKcK8sbPFLhU2mHLAUjOAjJ+wXh
gHtQ0MiyYWg=
=k825
-----END PGP SIGNATURE-----