__________________________________________________________

                The U.S. Department of Energy
              Cyber Incident Response Capability
                         (DOE-CIRC)
__________________________________________________________

                     INFORMATION BULLETIN

            Gear Software CD DVD Filter Vulnerability
           [US-CERT Vulnerability Note VU#146896]

October 15, 2008 21:00 GMT                               Number T-017
______________________________________________________________________________

PROBLEM:       The Gear Software CD DVD Filter driver contains a
               privilege escalation vulnerability, which can allow an
               attacker to gain SYSTEM privileges.

PLATFORM:      Gear Software

DAMAGE:        SYSTEM privileges.

SOLUTION:      Upgrade to the appropriate version.
______________________________________________________________________________

VULNERABILITY  The risk is MEDIUM. An attacker may be able to execute code
ASSESSMENT:    with SYSTEM privileges.
______________________________________________________________________________

CVSS 2
BASE SCORE:     3.5
TEMPORAL SCORE: 2.7
VECTOR:         (AV:L/AC:H/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C)
______________________________________________________________________________

LINKS:
 DOE-CIRC BULLETIN: http://doecirc.energy.gov/ciac/bulletins/t-017.shtml
 ORIGINAL BULLETIN: http://www.kb.cert.org/vuls/id/146896
 ADDITIONAL LINK:   Symantec SYM08-017
                    http://securityresponse.symantec.com/avcenter/security/Content/2008.10.07a.html
 CVE:               http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3636
______________________________________________________________________________

[***** Start US-CERT Vulnerability Note VU#146896 *****]

Vulnerability Note VU#146896

Gear Software CD DVD Filter driver privilege escalation vulnerability

Overview

The Gear Software CD DVD Filter driver contains a privilege escalation
vulnerability, which can allow an attacker to gain SYSTEM privileges.

I. Description

Gear Software provides a driver called CD DVD Filter, which is provided by
GEARAspiWDM.sys.
This driver is used by multiple CD/DVD recording applications.

The Gear Software CD DVD Filter driver allows unlimited calls to
IoAttachDevice from a user-space application. By making multiple calls to
IoAttachDevice, an attacker may be able to exploit an integer overflow in
the Microsoft Windows kernel to execute code with SYSTEM privileges.

II. Impact

An attacker may be able to execute code with SYSTEM privileges.

III. Solution

Apply an update

This issue is addressed in GEAR driver version 4.001.7, which provides
GEARAspiWDM.sys version 2.0.7.5. This version of the CD DVD Filter driver
limits the number of IoAttachDevice calls that can be made. Please check
with your software vendor for updates that contain this fixed driver. If
no update is available, the stand-alone driver from GEAR may be installed.

Apple iTunes users should install iTunes 8.0, as specified in the "About
the security content of iTunes 8.0" document.

Symantec customers using Norton 360, Norton Ghost, Norton Save and Restore,
Backup Exec System Recovery, and Symantec LiveState Recovery should apply
an update, as specified in Symantec Security Advisory SYM08-017.

Systems Affected

Vendor                  Status      Date Notified  Date Updated
Apple Computer, Inc.    Vulnerable  2008-03-13     2008-10-07
GEAR Software, Inc.     Vulnerable  2008-03-13     2008-10-07
Symantec, Inc.          Vulnerable  2008-03-13     2008-10-07

References

http://www.wintercore.com/advisories/advisory_W021008.html
http://lists.apple.com/archives/security-announce//2008/Sep/msg00001.html
http://support.apple.com/kb/HT3025
http://securityresponse.symantec.com/avcenter/security/Content/2008.10.07a.html

Credit

Thanks to Ruben Santamarta of Wintercore for reporting this vulnerability
by way of the Microsoft Security Response Center.

This document was written by Will Dormann.
Other Information

Date Public:               2008-10-07
Date First Published:      2008-10-07
Date Last Updated:         2008-10-07
CERT Advisory:
CVE-ID(s):                 CVE-2008-3636
NVD-ID(s):                 CVE-2008-3636
US-CERT Technical Alerts:
Metric:                    5.67
Document Revision:         13

[***** End US-CERT Vulnerability Note VU#146896 *****]
_______________________________________________________________________________

DOE-CIRC wishes to acknowledge the contributions of US-CERT for the
information contained in this bulletin.
_______________________________________________________________________________

DOE-CIRC provides the U.S. Department of Energy with incident response,
reporting, and tracking, along with other computer security support.
DOE-CIRC is a member of GFIRST, the Government Forum of Incident Responders
and Security Teams, and of FIRST, an international incident response and
security organization. DOE-CIRC services are available to DOE and DOE
contractors.

DOE-CIRC can be contacted at:
    Voice:    +1 866-941-2472 (7x24)
    FAX:      +1 702-932-0189
    STU-III:  Call the voice number.
    E-mail:   doecirc@doecirc.energy.gov

Previous DOE-CIRC notices, anti-virus software, and other information are
available from the DOE-CIRC Computer Security Archive.

    World Wide Web:  http://doecirc.energy.gov/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE and ESnet computing communities
receive DOE-CIRC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your
agency's team will coordinate with DOE-CIRC. The Forum of Incident Response
and Security Teams (FIRST) is a world-wide organization. A list of FIRST
member organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government.
Neither the United States Government nor any agency thereof, nor any of
their employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product or process disclosed, or
represents that its use would not infringe privately owned rights.
Reference herein to any specific commercial product, process, or service
by trade name, trademark, manufacturer, or otherwise, does not necessarily
constitute or imply its endorsement, recommendation, or favoring by the
United States Government or any agency thereof. The views and opinions of
originators expressed herein do not necessarily state or reflect those of
the United States Government or any agency thereof.

LAST 10 DOE-CIRC Bulletins

S-213: Nukedit 'email' Parameter Vulnerability
S-214: SurgeMail and WebMail 'Page' Command Vulnerability
S-215: Symantec Backup Exec Scheduler ActiveX Control Multiple Vulnerabilities
S-216: Juniper Networks Secure Access 2000 'rdremediate.cgi' Vulnerability
S-217: Drupal Multiple HTML Vulnerabilities
S-218: gd Security Update
S-219: Juniper Networks Secure Access 2000 Web Root Path Vulnerability
S-220: PHP-Nuke My_eGallery Module 'gid' Parameter Vulnerability
S-221: Learn2 STRunner ActiveX Control Vulnerabilities
S-222: Evolution Security Update
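As a defender's check for the fix named in the Solution section of the US-CERT note above, the following is an added example (not part of the DOE-CIRC bulletin or the US-CERT note) that reports whether the GEARAspiWDM.sys installed on a Windows host is older than the fixed file version 2.0.7.5. It assumes the driver is registered as a kernel service named GEARAspiWDM and, failing that, lives at System32\drivers\GEARAspiWDM.sys; both the service name and the path are assumptions, not facts from the bulletin.

```powershell
# Added example: flag a GEAR CD DVD Filter driver older than the fixed
# version from VU#146896 (GEARAspiWDM.sys 2.0.7.5, GEAR driver 4.001.7).
$FixedVersion = [version]'2.0.7.5'

function Get-GearDriverPath {
    # Assumption: the driver's service name is "GEARAspiWDM". Prefer the
    # registered image path; fall back to the conventional drivers folder.
    $svc = Get-CimInstance Win32_SystemDriver -Filter "Name='GEARAspiWDM'" `
           -ErrorAction SilentlyContinue
    if ($svc -and $svc.PathName) {
        # Strip the \??\ or \SystemRoot\ prefixes the kernel path may carry.
        $p = $svc.PathName -replace '^\\\?\?\\', '' `
                           -replace '^\\SystemRoot\\', "$env:SystemRoot\"
        if (Test-Path $p) { return $p }
    }
    $fallback = Join-Path $env:SystemRoot 'System32\drivers\GEARAspiWDM.sys'  # assumed location
    if (Test-Path $fallback) { return $fallback }
    return $null
}

function Test-GearDriverVulnerable {
    $path = Get-GearDriverPath
    if (-not $path) {
        return [pscustomobject]@{ Present=$false; Path=$null; Version=$null; Vulnerable=$false }
    }
    $raw = (Get-Item $path).VersionInfo.FileVersion
    # FileVersion may read "2.0.7.5" or "2, 0, 7, 5"; collapse any
    # non-digit run to a dot so [version] can parse it.
    $ver = [version](($raw -replace '[^\d]+', '.').Trim('.'))
    [pscustomobject]@{
        Present    = $true
        Path       = $path
        Version    = $ver
        Vulnerable = ($ver -lt $FixedVersion)   # older than the fixed build
    }
}

$result = Test-GearDriverVulnerable
if (-not $result.Present) {
    'GEARAspiWDM.sys not found; this host does not appear to have the GEAR filter driver.'
} elseif ($result.Vulnerable) {
    "VULNERABLE: $($result.Path) is version $($result.Version) (< $FixedVersion); apply the vendor update."
} else {
    "OK: $($result.Path) is version $($result.Version)."
}
```

Because the vulnerable driver ships inside other vendors' products (iTunes, the Symantec backup products listed above), run this on every host rather than only on machines known to have GEAR software installed.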