Date: 25 July 2012
References: ASB-2012.0103 ESB-2012.0966
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2012.0702
Microsoft Security Advisory (2737111) Vulnerabilities in Microsoft Exchange
and FAST Search Server 2010 for SharePoint Parsing Could
Allow Remote Code Execution
25 July 2012
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Microsoft Exchange Server
FAST Search Server 2010 for SharePoint
Publisher: Microsoft
Operating System: Windows
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution: Mitigation
CVE Names: CVE-2012-3110 CVE-2012-3109 CVE-2012-3108
CVE-2012-3107 CVE-2012-3106 CVE-2012-1773
CVE-2012-1772 CVE-2012-1771 CVE-2012-1770
CVE-2012-1769 CVE-2012-1768 CVE-2012-1767
CVE-2012-1766
Reference: ASB-2012.0103
Original Bulletin:
http://technet.microsoft.com/en-us/security/advisory/2737111
Comment: While Microsoft has not yet provided a patch to correct these issues,
two workarounds have been provided in this advisory.
- --------------------------BEGIN INCLUDED TEXT--------------------
Microsoft Security Advisory (2737111)
Vulnerabilities in Microsoft Exchange and FAST Search Server 2010 for
SharePoint Parsing Could Allow Remote Code Execution
Published: Tuesday, July 24, 2012
Version: 1.0
General Information
Executive Summary
Microsoft is investigating new public reports of vulnerabilities in third-party
code, Oracle Outside In libraries, that affect Microsoft Exchange Server 2007,
Microsoft Exchange Server 2010, and FAST Search Server 2010 for SharePoint,
which ship that component. Customers that apply the workarounds described in
this advisory are not exposed to the vulnerabilities described in Oracle
Critical Patch Update Advisory - July 2012.
The vulnerabilities exist due to the way that files are parsed by the third-
party, Oracle Outside In libraries. In the most severe case of Microsoft
Exchange Server 2007 and Microsoft Exchange Server 2010, it is possible under
certain conditions for the vulnerabilities to allow an attacker to take control
of the server process that is parsing a specially crafted file. An attacker
could then install programs; view, change, or delete data; or take any other
action that the server process has access to do.
Upon completion of this investigation, Microsoft will take the appropriate
action to help protect our customers.
Mitigating Factors:
* The transcoding service in Exchange that uses the Oracle Outside In libraries
is running in LocalService account.
* Microsoft SharePoint Server is only affected by this issue when FAST Search
with Advanced Filter Pack is enabled. By default, Advanced Filter Pack in FAST
is disabled. When Advanced Filter Pack is enabled, the component that uses the
Oracle Outside In libraries is running with a restricted token.
Recommendation. Please see the Suggested Actions section of this advisory for
more information.
Advisory Details
Issue References
For more information about this issue, see the following references:
References Identification
Oracle Advisory Oracle Critical Patch Update Advisory - July 2012
CERT Reference VU#118913
CVE Reference CVE-2012-1766
CVE-2012-1767
CVE-2012-1768
CVE-2012-1769
CVE-2012-1770
CVE-2012-1771
CVE-2012-1772
CVE-2012-1773
CVE-2012-3106
CVE-2012-3107
CVE-2012-3108
CVE-2012-3109
CVE-2012-3110
Affected Software
Microsoft Exchange Server 2007 Service Pack 3
Microsoft Exchange Server 2010 Service Pack 1
Microsoft Exchange Server 2010 Service Pack 2
Microsoft SharePoint Server 2010 Service Pack 1[1]
FAST Search Server 2010 for SharePoint
[1]Microsoft SharePoint Server is only affected by this issue when FAST Search
with Advanced Filter Pack is enabled. By default, Advanced Filter Pack in FAST
is disabled. When Advanced Filter Pack is enabled, the component that uses the
Oracle Outside In libraries is running with a restricted token.
Suggested Actions
Apply Workarounds
Workarounds refer to a setting or configuration change that does not correct
the underlying issue but would help block known attack vectors before a
security update is available. See the next section, Workarounds, for more
information.
Workarounds
Disable transcoding service
1. Log in to the Exchange Management Shell as an Exchange Organization
Administrator.
2. Issue the following PowerShell command:
Get-OwaVirtualDirectory | where {$_.OwaVersion -eq 'Exchange2007'
-or $_.OwaVersion -eq 'Exchange2010'} | Set-OwaVirtualDirectory
-WebReadyDocumentViewingOnPublicComputersEnabled:$False
-WebReadyDocumentViewingOnPrivateComputersEnabled:$False
Impact of workaround. OWA users may not be able to preview the content of
email attachments.
Disable the Advanced Filter Pack
On the FAST Search Server 2010 for SharePoint administration server (or
single server), perform these steps:
1. On the Start menu, click All Programs.
2. Click Microsoft FAST Search Server 2010 for SharePoint.
3. Right-click Microsoft FAST Search Server 2010 for SharePoint shell
and select Run as administrator.
4. At the command prompt, browse to installer\scripts under the
installation folder.
5. Type the following command:
.\AdvancedFilterPack.ps1 -disable
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBUA+Yve4yVqjM2NGpAQILsg//YkMe/PAroF1ZDe7e7PEva2vmyHTST9AF
+fG1TjLgb+Ies6nYiw9vXZ174WvPPmCi+TKrN09EYcBzvUXgaVElkEphnCt8dgy/
EBwNkSibwWjrnBal2pYtswESLWGFsJvW77/hK2MVptlZGBorCNXY7fVXFbdEXQPc
GpssZymPjX0aQgbeoA7eU3++swe/pDvrdH7lcMShJnZ5llbHkmGvlrF1fg1+HEHE
T4zBIOe5BaHeZnHOCVrJ+09xRW/QAb9dvEGAQjo7FPglApMmgWpZqoRTckcMYdNm
PoQGBsGCJJiXFNPQv4PRdFVuR1RlZE8aH+4Tis1o6CoQQGug5K7H1dkpwgNvZ2UO
uRGNTmTvra9lH8+D0OAK+fEHX7OCZvQYF/xwd7GjCASJNzrnKFSGLHY/biJ7iDTq
XeNBj0dzbeT/98P3z9HVEVThIcIvKt1Giv62P8Ou8zkpQwpfFFxjGS0q8MUQK5Vw
c35NzC4P99VOFYrVDAJE+NbnFcbH2IWD2N28Foe6LReUQ3nvyfmzeBiBtdg2pJk0
uPXdkIori2oO7kY2FxyaUZ3Ovo7feDhA6t7JVQtpWi9E4ciH1pNsROU3rah6F3EF
ICPCARPdZNuedJ40JMrjm04Gh2UpG/ueD64757X3UT7XS9c1fKJnxveJr7rw3Ht5
Tqo5zoDHdqo=
=Ki0A
-----END PGP SIGNATURE-----
|