
Security Bulletin: Network Intrusion Prevention System is affected by curl and php5 vulnerabilities (CVE-2013-2174, CVE-2014-0015, CVE-2014-0138, CVE-2014-0139, CVE-2013-4248, CVE-2013-6420, CVE-2014-2497, CVE-2014-4049)

2022-02-23 17:14:38
www.ibm.com

CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.95 High
Percentile: 99.2%

Summary

Security vulnerabilities have been discovered in curl and php5 that are used in IBM Security Network Intrusion Prevention System.

Vulnerability Details

CVE-ID: CVE-2013-2174

**DESCRIPTION:** cURL/libcURL is vulnerable to a heap-based buffer overflow, caused by improper bounds checking by the curl_easy_unescape() function in lib/escape.c. While decoding URL encoded strings to raw binary data, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
Affected Versions: cURL and libcurl 7.7 through 7.30.0

CVSS:
CVSS Base Score: 6.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85180 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVE-ID: CVE-2014-0015

**DESCRIPTION:** libcURL could allow a remote attacker from within the local network to bypass security restrictions, caused by the re-use of recently authenticated connections. By sending a new NTLM-authenticated request, an attacker could exploit this vulnerability to perform unauthorized actions with the privileges of the victim.
Affected Versions: cURL and libcurl 7.10.6 through 7.34.0

CVSS:
CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90841 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVE-ID: CVE-2014-0138

**DESCRIPTION:** cURL/libcURL could allow a remote attacker to bypass security restrictions, caused by the re-use of previously used connections when processing new requests. An attacker could exploit this vulnerability to hijack the privileges of a different user's session and launch further attacks on the system.
Affected Versions: cURL and libcurl 7.10.6 before 7.36.0

CVSS:
CVSS Base Score: 6.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/92131 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:P)

CVE-ID: CVE-2014-0139

**DESCRIPTION:** cURL/libcURL could allow a remote attacker to bypass security restrictions, caused by an error in the hostmatch() function when validating certificates containing an IP address with a wildcard match within the Common Name field. By sending a specially-crafted SSL certificate containing wildcard characters, a remote attacker could exploit this vulnerability to spoof the server and launch further attacks on the system.
Affected Versions: cURL and libcurl 7.1 before 7.36.0

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/92130 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVE-ID: CVE-2013-4248

**DESCRIPTION:** PHP could allow a remote attacker to conduct spoofing attacks, caused by an error when handling certificates that contain hostnames with NULL bytes. By persuading a victim to visit a Web site containing a specially-crafted certificate, a remote attacker could exploit this vulnerability using man-in-the-middle techniques to spoof SSL servers.
Affected Versions: OpenSSL module in PHP before 5.4.18 and 5.5.x before 5.5.2

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/86429 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
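
The two certificate name-checking flaws above (CVE-2014-0139 and CVE-2013-4248) both come down to checks a hostname matcher has to make explicitly. The C function below is an added example, not code from curl, PHP or IBM; `cert_name_matches`, `is_ip_literal` and the sample certificate name are hypothetical and constructed for illustration.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Constructed sample: a certificate name carrying an embedded NUL byte. */
static const char NUL_NAME[] = "www.example.com\0.bad.example";

/* Returns 1 if host parses as an IPv4 or IPv6 literal. */
static int is_ip_literal(const char *host)
{
    unsigned char buf[16];
    return inet_pton(AF_INET, host, buf) == 1 ||
           inet_pton(AF_INET6, host, buf) == 1;
}

/* Hypothetical helper: does a certificate name (raw bytes plus the length
 * taken from the ASN.1 string, not from strlen) match the requested host?
 * Returns 1 on match, 0 otherwise. */
int cert_name_matches(const char *name, size_t name_len, const char *host)
{
    size_t host_len = strlen(host);

    /* NUL-byte case: C string functions would stop at the embedded NUL and
     * see only the prefix, so a name containing one is rejected outright. */
    if (name_len == 0 || memchr(name, '\0', name_len) != NULL)
        return 0;

    /* Wildcard/IP case: wildcards never apply to IP addresses. */
    if (is_ip_literal(host))
        return name_len == host_len && memcmp(name, host, host_len) == 0;

    if (name_len >= 2 && name[0] == '*' && name[1] == '.') {
        const char *suffix = name + 1;            /* e.g. ".example.com" */
        size_t suffix_len = name_len - 1;
        const char *first_dot = strchr(host, '.');
        /* Require a dot inside the suffix so "*.com" cannot match. */
        if (memchr(suffix + 1, '.', suffix_len - 1) == NULL || !first_dot)
            return 0;
        /* "*" covers exactly one non-empty leftmost label of host. */
        return first_dot != host && strlen(first_dot) == suffix_len &&
               strncasecmp(first_dot, suffix, suffix_len) == 0;
    }
    return name_len == host_len && strncasecmp(name, host, host_len) == 0;
}
```

Without the `is_ip_literal` branch, the name `*.168.0.1` would match the host `192.168.0.1` through the ordinary wildcard path; without the `memchr` check, the constructed `NUL_NAME` would compare equal to `www.example.com` in any code that treats it as a C string.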

CVE-ID: CVE-2013-6420

**DESCRIPTION:** PHP could allow a remote attacker to execute arbitrary code on the system, caused by an error in the asn1_time_to_time_t() function when parsing X.509 certificates. An attacker could exploit this vulnerability using a specially-crafted X.509 certificate to corrupt memory and execute arbitrary code on the system.
Affected Versions: PHP before 5.3.28, 5.4.x before 5.4.23, and 5.5.x before 5.5.7

CVSS:
CVSS Base Score: 9.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/89602 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVE-ID: CVE-2014-2497

**DESCRIPTION:** LibGD is vulnerable to a denial of service, caused by a NULL pointer dereference in the gdImageCreateFromXpm function. A remote attacker could exploit this vulnerability to cause the application to crash. Note: This vulnerability also affects PHP.
Affected Versions: PHP 5.4.26 and earlier

CVSS:
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/91917 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE-ID: CVE-2014-4049

**DESCRIPTION:** PHP is vulnerable to a heap-based buffer overflow, caused by improper bounds checking when parsing a DNS TXT record. By sending an overly long string, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the application to crash.
Affected Versions: PHP 5.6.0beta4 and earlier

CVSS:
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/93769 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Affected Products and Versions

**Products:** GX3002, GX4002, GX4004, GX4004-v2, GX5008, GX5008-v2, GX5108, GX5108-v2, GX5208, GX5208-v2, GX6116, GX7412, GX7412-10, GX7412-05, GX7800, GV200, GV1000
Firmware versions: 4.6.2, 4.6.1, 4.6, 4.5, 4.4, and 4.3

Remediation/Fixes

The following IBM Threat Fixpacks have the fixes for these vulnerabilities:
