Ubuntu 8.04 LTS / 8.10 / 9.04 : mono vulnerabilities (USN-826-1)

Ubuntu Security Notice (C) 2009-2016 Canonical, Inc. / NASL script (C) 2009-2016 Tenable Network Security, Inc.


Synopsis :

The remote Ubuntu host is missing one or more security-related
patches.

Description :

It was discovered that the XML HMAC signature system did not correctly
check certain lengths. If an attacker sent a truncated HMAC, it could
bypass authentication, leading to potential privilege escalation.
(CVE-2009-0217)
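The length check missing in the HMAC issue above, as an added example (not code from Mono, the Ubuntu advisory or the Nessus plugin). It assumes HMAC-SHA1 and the rule in the revised XML Signature specification that a truncated HMAC (the HMACOutputLength parameter) must keep at least 80 bits and at least half of the hash output; the function names, key and message are constructed for illustration.

```python
import hashlib
import hmac

MIN_BITS_FLOOR = 80  # absolute floor for a truncated HMAC, in bits


def naive_verify(key: bytes, msg: bytes, tag: bytes, output_bits: int) -> bool:
    """Flawed pattern: the truncation length comes from the message
    being verified and is used without any lower bound."""
    full = hmac.new(key, msg, hashlib.sha1).digest()
    nbytes = output_bits // 8
    return hmac.compare_digest(full[:nbytes], tag[:nbytes])


def strict_verify(key: bytes, msg: bytes, tag: bytes, output_bits=None) -> bool:
    """Hardened pattern: reject any declared length below the policy
    minimum before comparing, and require the tag to be that length."""
    full = hmac.new(key, msg, hashlib.sha1).digest()
    full_bits = len(full) * 8
    if output_bits is None:          # no truncation declared
        output_bits = full_bits
    minimum = max(MIN_BITS_FLOOR, full_bits // 2)
    if output_bits % 8 != 0:
        return False                 # only whole-byte truncation is handled here
    if not (minimum <= output_bits <= full_bits):
        return False                 # too short (or longer than the digest)
    if len(tag) * 8 != output_bits:
        return False                 # tag length must match the declared length
    return hmac.compare_digest(full[: output_bits // 8], tag)


# Constructed sample values, not taken from any real system.
SAMPLE_KEY = b"constructed-demo-key"
SAMPLE_MSG = b"<SignedInfo>constructed sample</SignedInfo>"
SAMPLE_TAG = hmac.new(SAMPLE_KEY, SAMPLE_MSG, hashlib.sha1).digest()

if __name__ == "__main__":
    # An 8-bit tag leaves only 256 possible values to match.
    print("naive,  8 bits :", naive_verify(SAMPLE_KEY, SAMPLE_MSG, SAMPLE_TAG[:1], 8))
    print("strict, 8 bits :", strict_verify(SAMPLE_KEY, SAMPLE_MSG, SAMPLE_TAG[:1], 8))
    print("strict, 80 bits:", strict_verify(SAMPLE_KEY, SAMPLE_MSG, SAMPLE_TAG[:10], 80))
    print("strict, full   :", strict_verify(SAMPLE_KEY, SAMPLE_MSG, SAMPLE_TAG))
```
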

It was discovered that Mono did not properly escape certain attributes
in the ASP.NET class libraries, which could result in browsers becoming
vulnerable to cross-site scripting attacks when processing the output.
With cross-site scripting vulnerabilities, if a user were tricked into
viewing server output during a crafted server request, a remote
attacker could exploit this to modify the contents, or steal
confidential data (such as passwords), within the same domain. This
issue only affected Ubuntu 8.04 LTS. (CVE-2008-3422)

It was discovered that Mono did not properly filter CRLF injections in
the query string. If a user were tricked into viewing server output
during a crafted server request, a remote attacker could exploit this
to modify the contents, steal confidential data (such as passwords),
or perform cross-site request forgeries. This issue only affected
Ubuntu 8.04 LTS. (CVE-2008-3906)

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)
CVSS Temporal Score : 4.3
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true

Family: Ubuntu Local Security Checks

Nessus Plugin ID: 40794

Bugtraq ID: 35671

CVE ID: CVE-2008-3422
CVE-2008-3906
CVE-2009-0217