@RISK: The Consensus Security Vulnerability Alert

Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys

• (1) HIGH: Microsoft Internet Explorer Circular Memory References Use-after-free
• (2) MEDIUM: Microsoft Windows Graphics Rendering Engine Buffer Overflow Vulnerability

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

Windows

• 11.2.1 - Microsoft Windows "CreateSizedDIBSECTION()" Thumbnail View Stack Buffer Overflow

Other Microsoft Products

• 11.2.2 - Microsoft Internet Explorer "ReleaseInterface()" Remote Code Execution

Third Party Windows Apps

• 11.2.3 - Visan RocketLife audio.Record ActiveX Control Multiple Buffer Overflow Vulnerabilities
• 11.2.4 - ImgBurn "dwmapi.dll" DLL Loading Arbitrary Code Execution

Linux

• 11.2.5 - Linux Kernel "blk_rq_map_user_iov()" Local Denial of Service
• 11.2.6 - Linux Kernel SCTP Local Race Condition

Cross Platform

• 11.2.7 - GIMP Multiple File Plugins Remote Stack Buffer Overflow Vulnerabilities
• 11.2.8 - IBM Rational ClearQuest Back Reference Field Security
• 11.2.9 - Open Handset Alliance Android Zygote Privilege Escalation
• 11.2.10 - Apache Subversion Server Component Unspecified Remote Denial of Service
• 11.2.11 - IBM Tivoli Access Manager for e-business Remote Denial of Service
• 11.2.12 - Music Animation Machine MIDI Player "MAMX" File Remote Buffer Overflow
• 11.2.13 - PHP "zend_strtod()" Function Floating-Point Value Denial of Service
• 11.2.14 - cwbiff Remote Arbitrary Command Injection
• 11.2.15 - Adobe Flash Player local-with-filesystem Sandbox Security Bypass

Web Application - Cross Site Scripting

• 11.2.16 - Geeklog "configuration.php" Multiple Cross-Site Scripting Vulnerabilities

Web Application - SQL Injection

• 11.2.17 - Gallarific "gallery.php" SQL Injection
• 11.2.18 - Technote "category" Parameter SQL Injection
• 11.2.19 - Ariadne WCM Username Enumeration Weakness and SQL Injection Vulnerabilities

Web Application

• 11.2.20 - Amoeba Multiple Remote Vulnerabilities
• 11.2.21 - Sahana Agasti Multiple Remote File Include Vulnerabilities
• 11.2.22 - Piwik Multiple Unspecified Security Vulnerabilities
• 11.2.23 - SkaDate Multiple HTML Injection Vulnerabilities
• 11.2.24 - MyBB Prior to 1.4.12 Multiple Security Vulnerabilities
• 11.2.25 - Nucleus CMS Multiple Remote File Include Vulnerabilities

Network Device

• 11.2.26 - Linksys BEFSR41 Multiple HTML Injection Vulnerabilities

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/risk/#process

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 1, 2011

Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com) This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 10765 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.

• 11.2.1 - CVE: CVE-2010-3970
• Platform: Windows
• Title: Microsoft Windows "CreateSizedDIBSECTION()" Thumbnail View Stack Buffer Overflow
• Description: Microsoft Windows is exposed to a remote stack-based buffer overflow issue because the software fails to perform adequate boundary checks on user-supplied data. This issue occurs in the "CreateSizedDIBSECTION()" function of the "shimgvw.dll" file when handling the thumbnails within ".MIC" files and various other office documents.
• Ref: http://www.microsoft.com/technet/security/advisory/2490606.mspx

• 11.2.2 - CVE: Not Available
• Platform: Other Microsoft Products
• Title: Microsoft Internet Explorer "ReleaseInterface()" Remote Code Execution
• Description: Microsoft Internet Explorer is a browser for the Windows operating system. Microsoft Internet Explorer is exposed to a remote code execution issue that affects the "ReleaseInterface()" function of the "MSHTML.DLL" library file. Microsoft Internet Explorer version 8.0.7600.16385 is affected.
• Ref: http://lcamtuf.blogspot.com/2011/01/announcing-crossfuzz-potential-0-day-in.html

• 11.2.3 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: Visan RocketLife audio.Record ActiveX Control Multiple Buffer Overflow Vulnerabilities
• Description: Visan RocketLife is web-based software for digital photos. The application is exposed to multiple stack-based buffer overflow issues because it fails to perform adequate boundary checks on user-supplied input. The vulnerabilities affect the "Resample()" and "ResampleDisp()" methods of the "ContentMan.dll" ActiveX control.
• Ref: http://www.securityfocus.com/bid/45645

• 11.2.4 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: ImgBurn "dwmapi.dll" DLL Loading Arbitrary Code Execution
• Description: ImgBurn is a disc burning application. The application is exposed to an issue that lets attackers execute arbitrary code. The issue occurs because the application searches for the "dwmapi.dll" Dynamic Link Library file in the current working directory. ImgBurn version 2.4.0.0 is affected.
• Ref: http://blogs.technet.com/b/msrc/archive/2010/08/21/microsoft-security-advisory-2
  269637-released.aspx

• 11.2.5 - CVE: CVE-2010-4668
• Platform: Linux
• Title: Linux Kernel "blk_rq_map_user_iov()" Local Denial of Service
• Description: The Linux kernel is exposed to a local denial of service issue that affects the "bik_rg_map_user_iov()" function of the "block/blk-map.c" source fie. Specifically, the kernel will panic when handling a zero-length I/O IOCTL request sent to an SCSI device.
• Ref: http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.37-rc7

• 11.2.6 - CVE: CVE-2010-4526
• Platform: Linux
• Title: Linux Kernel SCTP Local Race Condition
• Description: The Linux kernel is exposed to a local race condition issue that affects the SCTP subsystem. Specifically, ICMP protocol "unreachable" handling fails to check if a socket is locked. The "sctp_wait_for_connect()" function acquires the socket lock and releases the last reference count on the previous association.
• Ref: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-4526

• 11.2.7 - CVE: CVE-2010-4540, CVE-2010-4541, CVE-2010-4542, CVE-2010-4543
• Platform: Cross Platform
• Title: GIMP Multiple File Plugins Remote Stack Buffer Overflow Vulnerabilities
• Description: GIMP is a free image manipulation application for multiple operating systems. GIMP is exposed to multiple remote stack-based buffer overflow issues because it fails to perform adequate checks on user-supplied input. GIMP version 2.6.11 is affected.
• Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=608497

• 11.2.8 - CVE: CVE-2010-4602, CVE-2010-4603
• Platform: Cross Platform
• Title: IBM Rational ClearQuest Back Reference Field Security
• Description: IBM Rational ClearQuest is an application for managing software development. IBM Rational ClearQuest is exposed to a security issue related to back-reference field modification. Specifically, a "remove" operation is not detected. IBM Rational ClearQuest versions prior to 7.0.1.11, 7.1.1.4, and 7.1.2.1 are affected.
• Ref: https://www-304.ibm.com/support/docview.wss?uid=swg1PM22186

• 11.2.9 - CVE: Not Available
• Platform: Cross Platform
• Title: Open Handset Alliance Android Zygote Privilege Escalation
• Description: Open Handset Alliance Android (previously Google Android) is a software stack and operating system for mobile phones. Open Handset Alliance Android is exposed to a privilege escalation issue that affects the Zygote/Dalvik virtual machine framework. Open Handset Alliance Android versions prior to 2.3 are affected. Ref: http://c-skills.blogspot.com/2010/12/zygote-trickery-743c-27c3-release.html

• 11.2.10 - CVE: CVE-2010-4539
• Platform: Cross Platform
• Title: Apache Subversion Server Component Unspecified Remote Denial of Service
• Description: Apache Subversion is an open source version control application. Apache Subversion is exposed to a remote denial of service issue that occurs in the server component. Apache Subversion versions prior to 1.6.15 are affected.
• Ref: http://svn.haxx.se/dev/archive-2010-11/0475.shtml

• 11.2.11 - CVE: CVE-2010-4623
• Platform: Cross Platform
• Title: IBM Tivoli Access Manager for e-business Remote Denial of Service
• Description: IBM Tivoli Access Manager for e-business provides central access control for multiple services and applications in an enterprise environment. The application is exposed to a remote denial of service issue due to excessive worker thread consumption through shift-reload actions. IBM Tivoli Access Manager for e-business version 6.1.1 is affected.
• Ref: http://www-01.ibm.com/support/docview.wss?uid=swg24028829

• 11.2.12 - CVE: Not Available
• Platform: Cross Platform
• Title: Music Animation Machine MIDI Player "MAMX" File Remote Buffer Overflow
• Description: Music Animation Machine MIDI Player is a multimedia player. The application is exposed to a remote stack-based buffer overflow issue because it fails to perform adequate boundary checks on user-supplied input.
• Ref: http://www.securityfocus.com/bid/45666

• 11.2.13 - CVE: Not Available
• Platform: Cross Platform
• Title: PHP "zend_strtod()" Function Floating-Point Value Denial of Service
• Description: PHP is an open source scripting language used for web development. PHP is exposed to a denial of service issue that presents itself when processing a certain double precision floating-point value in the "zend_strtod()" function. PHP version 5.3.3 is affected.
• Ref: http://www.exploringbinary.com/php-hangs-on-numeric-value-2-2250738585072011e-30
  8/

• 11.2.14 - CVE: Not Available
• Platform: Cross Platform
• Title: cwbiff Remote Arbitrary Command Injection
• Description: cwbiff is a mailbox query tool implemented in Perl. cwbiff is exposed to a remote command injection issue because it fails to adequately sanitize user-supplied input data to the "Subject" and "From" fields. cwbiff version 0.2.0 is affected.
• Ref: http://fkurz.net/ham/cwbiff.html

• 11.2.15 - CVE: Not Available
• Platform: Cross Platform
• Title: Adobe Flash Player local-with-filesystem Sandbox Security Bypass
• Description: Adobe Flash Player is a multimedia application. The application is exposed to a security bypass issue. Specifically, by using the "getURL" function with certain protocol handlers.
• Ref: http://xs-sniper.com/blog/2011/01/04/bypassing-flash%E2%80%99s-local-with-filesy
  stem-sandbox/

• 11.2.16 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: Geeklog "configuration.php" Multiple Cross-Site Scripting Vulnerabilities
• Description: Geeklog is a web application. The application is exposed to multiple cross-site scripting issues because it fails to sanitize user-supplied input to the "conf_group", "subgroup", and "sub_group" parameters of the "admin/configuration.php" script. Geeklog versions prior to 1.7.1sr1 are affected.
• Ref: http://project.geeklog.net/cgi-bin/hgwebdir.cgi/geeklog/rev/20a98e6bab20

• 11.2.17 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: Gallarific "gallery.php" SQL Injection
• Description: Gallarific is a web-gallery application. The application is exposed to an SQL injection issue because it fails to properly sanitize user-supplied input before using it in an SQL query. Specifically, the application fails to sanitize data supplied to the "id" parameter of the "gallery.php" script.
• Ref: http://www.securityfocus.com/bid/45635

• 11.2.18 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: Technote "category" Parameter SQL Injection
• Description: Technote is a web-based application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "category" parameter of the "board.php" script before using it in an SQL query. Technote version 7 is affected.
• Ref: http://www.securityfocus.com/bid/45636

• 11.2.19 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: Ariadne WCM Username Enumeration Weakness and SQL Injection Vulnerabilities
• Description: Ariadne WCM is a content manager. The application is exposed to multiple security issues. Attackers may exploit these issues to discern valid usernames, which may aid them in brute-force password cracking or other attacks. Ariadne WCM version 4.4 is affected.
• Ref: http://www.securityfocus.com/archive/1/515515

• 11.2.20 - CVE: Not Available
• Platform: Web Application
• Title: Amoeba Multiple Remote Vulnerabilities
• Description: Amoeba is a PHP-based content management system. The application is exposed to multiple input validation issues because it fails to sufficiently sanitize user-supplied data. Amoeba version 1.0.1 is affected.
• Ref: http://www.securityfocus.com/bid/45637

• 11.2.21 - CVE: Not Available
• Platform: Web Application
• Title: Sahana Agasti Multiple Remote File Include Vulnerabilities
• Description: Sahana Agasti is a disaster management web application. The application is exposed to multiple remote file include issues because it fails to sufficiently sanitize user-supplied input to the "global[approot]" parameter of the "AccessController.php" and "dao.php" scripts. Sahana Agasti versions 0.6.4 and earlier are affected.
• Ref: http://www.securityfocus.com/bid/45656

• 11.2.22 - CVE: Not Available
• Platform: Web Application
• Title: Piwik Multiple Unspecified Security Vulnerabilities
• Description: Piwik is a PHP-based wiki application. Piwik is exposed to multiple unspecified issues. Piwik versions prior to 1.1 are affected
• Ref: http://www.securityfocus.com/bid/45659

• 11.2.23 - CVE: Not Available
• Platform: Web Application
• Title: SkaDate Multiple HTML Injection Vulnerabilities
• Description: SkaDate is a web-based dating application. The application is exposed to multiple HTML injection issues because it fails to sufficiently sanitize user-supplied data to new topics and new events.
• Ref: http://www.securityfocus.com/bid/45664

• 11.2.24 - CVE:CVE-2010-4629,CVE-2010-4628,CVE-2010-4626,CVE-2010-4625,CVE-2010-4624
• Platform: Web Application
• Title: MyBB Prior to 1.4.12 Multiple Security Vulnerabilities
• Description: MyBB (MyBulletinBoard) is a PHP-based bulletin board application. MyBB is exposed to multiple security issues. MyBB versions prior to 1.4.12 are affected.
• Ref: http://blog.mybb.com/2010/04/13/mybb-1-4-12-released-security-maintenance-update
  /

• 11.2.25 - CVE: Not Available
• Platform: Web Application
• Title: Nucleus CMS Multiple Remote File Include Vulnerabilities
• Description: Nucleus CMS is a PHP-based content management system. Nucleus CMS is exposed to multiple remote file include issues because it fails to sufficiently sanitize user-supplied input to the "DIR_LIBS" parameter of the "action.php", "media.php", "server.php" and "PLUGINADMIN.php" scripts. Nucleus CMS versions 3.61 and earlier are affected.
• Ref: http://www.securityfocus.com/bid/45671

• 11.2.26 - CVE: Not Available
• Platform: Network Device
• Title: Linksys BEFSR41 Multiple HTML Injection Vulnerabilities
• Description: Linksys BEFSR41 is a wireless router. The router is exposed to multiple HTML injection issues because the application fails to sanitize the "Host name", "User Name(PPPoE and PPTP)", "Customized Applications", and various other, unspecified fields.
• Ref: http://www.securityfocus.com/archive/1/515532

(c) 2011. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge by the SANS Institute to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization. For a free subscription or to update a current subscription, visit http://portal.sans.org/