
@RISK: The Consensus Security Vulnerability Alert

Volume: X, Issue: 11
March 18, 2011

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

Summary of Updates and Vulnerabilities in this Consensus
(a "#n" after a count points to that item in the Part I critical list)

Platform                                  Number of Updates and Vulnerabilities
----------------------------------------  -------------------------------------
Other Microsoft Products                  1 (#2)
Third Party Windows Apps                  1
Linux                                     3
Cross Platform                            14 (#1, #3)
Web Application - Cross Site Scripting    5
Web Application                           2
Network Device                            1

*****************************************************************

TRAINING UPDATE

-- "Combating Malware in the Enterprise" course at SANS (SEC569). How do you fight off malware when you have thousands of hosts? Learn the answers in Orlando in March: http://www.sans.org/security-training/combating-malware-enterprise-1482-mid
-- SANS 2011, Orlando, FL, March 26-April 4, 2011. 40 courses. Bonus evening presentations and special events include Hiding in Plain Sight: Forensic Techniques to Counter the Advanced Persistent Threat; and Law and the Public's Perception of Data Security. http://www.sans.org/sans-2011/
-- The National Cybersecurity Innovation Conference, April 18-19, 2011. User-to-user conference featuring outstanding examples of continuous monitoring and security cloud. http://www.sans.org/cyber-security-innovations-2011/
-- 2011 Asia Pacific SCADA and Process Control Summit, Sydney, Australia, March 31-April 7, 2011. http://www.sans.org/sydney-scada-2011/
-- SANS Northern Virginia 2011, Reston, VA, April 15-23, 2011. 11 courses. Bonus evening presentations include Cyberwar or Business as Usual? The State of US Federal CyberSecurity Efforts. http://www.sans.org/northern-virginia-2011/
-- SANS Security West 2011, San Diego, CA, May 3-12, 2011. 23 courses. Bonus evening presentations include The Emerging Security Threat Panel Discussion; and Emerging Trends in Data Law and Investigation. http://www.sans.org/security-west-2011/
-- SANS Cyber Guardian 2011, Baltimore, MD, May 15-22, 2011. 8 courses. http://www.sans.org/cyber-guardian-2011/
-- Looking for training in your own community? http://sans.org/community/
-- Save on On-Demand training (30 full courses). See samples at http://www.sans.org/ondemand/discounts.php#current
-- Plus Barcelona, Amsterdam, Brisbane and London all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

*****************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Other Microsoft Products
Third Party Windows Apps
Linux
Cross Platform
Web Application - Cross Site Scripting
Web Application
Network Device

************************ Sponsored Links: ***********************

1) REGISTER NOW FOR Web 2.0 Security: Same Old But Different
WHEN: Thursday, March 24, 2011 at 1:00 PM EDT (1700 UTC/GMT)
FEATURING: Johannes Ullrich & Eric Crutchlow
https://www.sans.org/webcasts/web-20-security-94323
Sponsored By: SONICWALL http://www.sonicwall.com/

*****************************************************************

PART I Critical Vulnerabilities

Critical Vulnerabilities Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/risk/#process

Widely Deployed Software
  • (1) HIGH: Adobe Flash Player Multiple Vulnerabilities
  • Affected:
    • Adobe Flash Player 10.2.152.33 and earlier
    • Adobe Acrobat X version 10.0.1 and prior
    • Adobe Acrobat version 9.4.2 and prior
    • Adobe Reader X version 10.0.1 and prior
    • Adobe Reader version 9.4.2 and prior
  • Description: Adobe Flash Player is susceptible to a memory corruption vulnerability due to erroneous parsing of malformed flash content, including flash content embedded in PDF documents to be read by Reader and Acrobat. An attack circulating in the wild for this vulnerability involves a malicious SWF (Small Web Format, originally Shockwave Flash) file embedded into an Excel document. Microsoft Security Research and Defense has provided information for mitigating the risk of exploitation from this particular attack. By enticing a target to view a malicious file, an attacker can exploit this vulnerability in order to execute arbitrary code on the target's machine.

  • Status: vendor confirmed, updates not available

  • References:
  • (2) HIGH: Microsoft Internet Explorer Multiple Vulnerabilities (Pwn2Own)
  • Affected:
    • Microsoft Internet Explorer 8
  • Description: Microsoft Internet Explorer is susceptible to multiple unspecified vulnerabilities. An exploit utilizing these vulnerabilities, demonstrated at this year's Pwn2Own contest, allows an attacker to execute arbitrary code on a target's machine. Two of the vulnerabilities are used together by the exploit to gain reliable code execution. The third is used to bypass a security layer in Internet Explorer 8 on Windows Vista and Windows 7, called Protected Mode, that restricts an application's ability to read and modify files and other system resources.

  • Status: vendor confirmed, updates not available

  • References:
  • (3) HIGH: Google Chrome Memory Corruption Vulnerability
  • Affected:
    • Google Chrome prior to 10.0.648.133
  • Description: Google has released a patch for a vulnerability affecting its Chrome web browser. An unspecified memory corruption exists in Chrome's style handling. Google has rated this vulnerability High, which, along with the nature of the vulnerability, suggests that it may be usable for code execution. An attacker must entice a target to view a malicious site in order to exploit this vulnerability.

  • Status: vendor confirmed, updates available

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 11, 2011

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 11013 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 11.12.1 - CVE: CVE-2011-1345, CVE-2011-1346, CVE-2011-1347
  • Platform: Other Microsoft Products
  • Title: Microsoft Internet Explorer Multiple Unspecified Remote Code Execution Vulnerabilities
  • Description: Internet Explorer is a browser for the Microsoft Windows operating system. Microsoft Internet Explorer is exposed to multiple unspecified remote code execution issues. Successful exploits will allow an attacker to run arbitrary code in the context of the user running the application. Microsoft Internet Explorer 8 is affected.
  • Ref: http://www.zdnet.com/blog/security/pwn2own-2011-ie8-on-windows-7-hijacked-with-3-vulnerabilities/8367?tag=content;feature-roto

  • 11.12.2 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: SAP GUI DLL Loading Arbitrary Code Execution
  • Description: SAP GUI is a client interface for accessing various SAP applications. SAP GUI is exposed to an issue that lets attackers execute arbitrary code. The issue arises because the application searches for a Dynamic Link Library file in the current working directory. SAP GUI versions 6.4 through 7.2 are affected.
  • Ref: http://blog.rapid7.com/?p=5325

  • 11.12.3 - CVE: CVE-2011-0001
  • Platform: Linux
  • Title: Red Hat scsi-target-utils TGT Daemon Remote Denial of Service
  • Description: Red Hat scsi-target-utils is a set of SCSI target utilities for Red Hat Linux. Red Hat scsi-target-utils is exposed to a remote denial of service issue caused by a double-free flaw in the tgt daemon when handling specially crafted network input.
  • Ref: http://www.securityfocus.com/bid/46817

  • 11.12.4 - CVE: Not Available
  • Platform: Linux
  • Title: Linux Kernel "drivers/char/tpm/tpm.c" Information Disclosure
  • Description: The Linux kernel is exposed to an information disclosure issue that affects the "drivers/char/tpm/tpm.c" source file and may allow local attackers to read uninitialized stack memory.
  • Ref: https://bugzilla.redhat.com/show_bug.cgi?id=684671#c0

  • 11.12.5 - CVE: Not Available
  • Platform: Linux
  • Title: Linux Kernel "fs/partitions/osf.c" Information Disclosure
  • Description: The Linux kernel is exposed to an information disclosure issue that affects the "fs/partitions/osf.c" source file when reading certain corrupted OSF partition tables and may allow local attackers to read heap memory.
  • Ref: http://www.spinics.net/lists/mm-commits/msg82737.html

  • 11.12.6 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Apple QuickTime ".m3u" File Remote Stack Buffer Overflow
  • Description: Apple QuickTime is a media player that supports multiple file formats. QuickTime is exposed to a stack-based buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data. QuickTime version 7.5.x is affected.
  • Ref: http://www.securityfocus.com/bid/46799

  • 11.12.7 - CVE: CVE-2011-0163
  • Platform: Cross Platform
  • Title: Apple iOS Mobile Safari Crafted Cache Launch Remote Denial of Service
  • Description: Apple Mobile Safari is a web browser for Apple's mobile operating system (iOS) and devices, such as iPhone, iPad, and iPod touch. Mobile Safari is exposed to a denial of service issue when handling a specially crafted website. This issue exists in WebKit's handling of a cached resource. iOS versions prior to 4.3 are affected.
  • Ref: http://www.securityfocus.com/bid/46815

  • 11.12.8 - CVE: CVE-2011-1081
  • Platform: Cross Platform
  • Title: OpenLDAP "modrdn" NULL OldDN Remote Denial of Service
  • Description: OpenLDAP is an implementation of the Lightweight Directory Access Protocol. OpenLDAP is exposed to a remote denial of service issue that affects the "modify relative distinguished name" command.
  • Ref: https://bugzilla.redhat.com/show_bug.cgi?id=680975

  • 11.12.9 - CVE: CVE-2011-1148
  • Platform: Cross Platform
  • Title: PHP "substr_replace()" Use After Free Remote Memory Corruption
  • Description: PHP is a general purpose scripting language that is suited for web development; PHP can be embedded into HTML. PHP is exposed to a use-after-free memory corruption issue that affects the "substr_replace()" function.
  • Ref: http://permalink.gmane.org/gmane.comp.security.oss.general/4473

  • 11.12.10 - CVE: CVE-2011-0609
  • Platform: Cross Platform
  • Title: Adobe Flash Player "SWF" File Remote Memory Corruption
  • Description: Adobe Flash Player is a multimedia application for Microsoft Windows, Mozilla, and Apple technologies. Adobe Flash Player is exposed to a remote memory corruption issue that occurs when handling a malicious ".swf" file embedded in a Microsoft Excel file.
  • Ref: http://www.adobe.com/support/security/advisories/apsa11-01.html

  • 11.12.11 - CVE: CVE-2011-0889
  • Platform: Cross Platform
  • Title: HP Client Automation Remote Code Execution
  • Description: HP Client Automation is a software and policy deployment application. HP Client Automation is exposed to a remote code execution issue. An attacker can exploit this issue to execute arbitrary code with SYSTEM-level privileges.
  • Ref: http://www.securityfocus.com/archive/1/517002

  • 11.12.12 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Trend Micro WebReputation API URI Security Bypass
  • Description: Trend Micro WebReputation API is a security API that prevents the downloading of malicious code on computers. Trend Micro WebReputation API is exposed to a security bypass issue that occurs because attackers can bypass the download filter mechanism by appending a "?" or "@" character to the end of a URI. WebReputation API version 10.5 is affected.
  • Ref: http://www.securityfocus.com/bid/46864
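The bypass in 11.12.12 is what happens when a filter compares raw URI strings: any appended character produces a miss. The following is an added example, not Trend Micro's code or the bulletin's, showing that weak pattern beside a lookup that canonicalises the URL first; the host names and blocklist are constructed.

```python
"""Raw-string URL matching versus canonical-host matching for a download filter.

Added illustration; the block hosts below are constructed sample data, not real
indicators, and the filter design is the author's, not a vendor's.
"""
from urllib.parse import urlsplit

# Constructed sample data: hosts a reputation service has flagged.
BAD_HOSTS = {"malware.example", "dropper.example"}
# A raw-string blocklist, the pattern the "?" / "@" suffix trick defeats.
BAD_URLS = {"http://malware.example/payload.exe"}


def naive_blocked(url: str) -> bool:
    """Exact string match: 'http://malware.example/payload.exe?' is a miss."""
    return url in BAD_URLS


def canonical_host(url: str) -> str:
    """Return the host that will actually be contacted, normalised for lookup.

    urlsplit().hostname drops userinfo before '@', strips the port and
    lowercases the name; a trailing '.' (absolute DNS form) is removed here.
    """
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def canonical_blocked(url: str) -> bool:
    """Reputation lookup on the canonical host instead of the raw string.

    A URL whose host cannot be parsed (for example 'http://malware.example@',
    where the trailing '@' turns the whole name into userinfo) is refused
    rather than allowed through: the filter fails closed.
    """
    host = canonical_host(url)
    return host == "" or host in BAD_HOSTS


def evaluate(url: str) -> dict:
    """Return both verdicts for one URL so the difference is visible."""
    return {"url": url, "naive": naive_blocked(url),
            "canonical": canonical_blocked(url)}


if __name__ == "__main__":
    samples = (
        "http://malware.example/payload.exe",        # listed verbatim
        "http://malware.example/payload.exe?",       # trailing "?" from the bulletin
        "http://malware.example/payload.exe@",       # trailing "@" from the bulletin
        "http://MALWARE.example.:80/payload.exe",    # case, trailing dot, port
        "http://trusted.example@malware.example/x",  # userinfo decoy
        "http://updates.example/setup.exe",          # not listed at all
    )
    for u in samples:
        r = evaluate(u)
        print(f"{u:45} naive={str(r['naive']):5} canonical={r['canonical']}")
```

Only the first sample is caught by the raw-string match, while every variant that reaches malware.example is caught by the canonical lookup.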

  • 11.12.13 - CVE: Not Available
  • Platform: Cross Platform
  • Title: python-feedparser Denial of Service and Security Bypass Vulnerabilities
  • Description: python-feedparser parses RSS and ATOM feeds. python-feedparser is exposed to multiple remote issues. A denial of service issue exists when handling malformed XML data. A security bypass issue occurs because the application fails to sanitize certain HTML characters. A second security bypass issue exists because the application fails to sanitize certain URI sequences. python-feedparser versions prior to 5.0.1 are affected.
  • Ref: https://code.google.com/p/feedparser/issues/detail?id=91

  • 11.12.14 - CVE: Not Available
  • Platform: Cross Platform
  • Title: VLC Media Player ".ape" File Denial of Service
  • Description: VLC Media Player is multimedia playback software. The application is exposed to a denial of service issue because it fails to properly handle specially crafted ".ape" files. VLC Media Player version 1.0.5 is affected.
  • Ref: http://www.securityfocus.com/bid/46868

  • 11.12.15 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Opera Web Browser Window Null Pointer Dereference Denial of Service
  • Description: Opera Web Browser is a browser that runs on multiple operating systems. Opera Web Browser is exposed to a remote denial of service issue due to a NULL pointer dereference condition when handling malformed elements passed into a "window" object. Opera 11.01 is affected.
  • Ref: http://www.securityfocus.com/bid/46872

  • 11.12.16 - CVE: CVE-2011-0322
  • Platform: Cross Platform
  • Title: RSA Access Manager Server Security Bypass
  • Description: RSA Access Manager Server is used to centralize the management of authentication and authorization policies. RSA Access Manager Server is exposed to a security bypass issue that occurs because it fails to adequately sanitize user-supplied input.
  • Ref: http://www.securityfocus.com/archive/1/517023

  • 11.12.17 - CVE: CVE-2011-0442
  • Platform: Cross Platform
  • Title: EMC Avamar Information Disclosure
  • Description: EMC Avamar is a backup and recovery application. The application is exposed to an information disclosure issue because it transmits users' credentials to other EMC internal systems.
  • Ref: http://www.securityfocus.com/archive/1/517022

  • 11.12.18 - CVE: CVE-2011-0284
  • Platform: Cross Platform
  • Title: MIT Kerberos KDC "do_as_req.c" Double Free Memory Corruption
  • Description: MIT Kerberos is a suite of applications and libraries designed to implement the Kerberos network authentication protocol. MIT Kerberos is exposed to a remote memory corruption issue in the Key Distribution Center (KDC) daemon. The problem occurs in the "prepare_error_as()" function of the "do_as_req.c" source file and is due to a double-free error.
  • Ref: http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-003.txt

  • 11.12.19 - CVE: CVE-2011-0745
  • Platform: Cross Platform
  • Title: SugarCRM Information Disclosure
  • Description: SugarCRM is a customer relationship management (CRM) suite that is implemented in Java and PHP. The application is exposed to an information disclosure issue because it fails to restrict access to certain portions of the application data.
  • Ref: http://www.securityfocus.com/archive/1/517027

  • 11.12.20 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: PHP-Nuke "Submit_News" Multiple Cross-Site Scripting Vulnerabilities
  • Description: PHP-Nuke is a PHP-based content management system. The application is exposed to multiple cross-site scripting issues because it fails to properly sanitize user-supplied input to the "Title", "Story Text" and "Extended Text" fields of the "Submit_News" module. PHP-Nuke versions 8.0 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/46824

  • 11.12.21 - CVE: CVE-2011-0280
  • Platform: Web Application - Cross Site Scripting
  • Title: HP Power Manager Unspecified Cross-Site Scripting
  • Description: HP Power Manager is a power management application. HP Power Manager is exposed to an unspecified cross-site scripting issue because it fails to sanitize user-supplied input.
  • Ref: http://www.securityfocus.com/bid/46830

  • 11.12.22 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: SAP Netweaver XI SOAP Adapter "HelperServlet" Cross-Site Scripting
  • Description: SAP NetWeaver is an integration platform for enterprise applications. NetWeaver is exposed to a cross-site scripting issue that affects the XI SOAP adapter. Specifically, the application fails to sanitize user-supplied input to the "action" parameter of the "HelperServlet" page.
  • Ref: http://dsecrg.com/pages/vul/show.php?id=310

  • 11.12.23 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: LotusCMS Multiple Cross-Site Scripting and Local File Include Vulnerabilities
  • Description: LotusCMS is a PHP-based content management system. The application is exposed to multiple input validation issues. 1) A local file include vulnerability affects the "page" parameter of the "core/model/PageModel.php" script. 2) Multiple cross-site scripting issues. LotusCMS version 3.0.3 is affected.
  • Ref: http://www.securityfocus.com/archive/1/517018

  • 11.12.24 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: CMS WebManager-Pro "menu_id" Parameter Cross-Site Scripting
  • Description: CMS WebManager-Pro is a PHP-based content manager. CMS WebManager-Pro is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input to the "menu_id" parameter of the "index.php" script. CMS WebManager-Pro version 7.4.3 is affected.
  • Ref: http://www.securityfocus.com/bid/46877

  • 11.12.25 - CVE: Not Available
  • Platform: Web Application
  • Title: TYPO3 Direct Mail Extension Cross-Site Scripting and SQL Injection Vulnerabilities
  • Description: Direct Mail is an extension for the TYPO3 content manager. The extension is exposed to unspecified SQL injection and cross-site scripting issues because it fails to sufficiently sanitize user-supplied data. TYPO3 Direct Mail extension versions prior to 2.6.10 are affected.
  • Ref: http://typo3.org/teams/security/security-bulletins/typo3-sa-2011-002/

  • 11.12.26 - CVE: Not Available
  • Platform: Web Application
  • Title: If-CMS "newlang" Parameter Local File Include
  • Description: If-CMS is a web-based content manager. The application is exposed to a local file include issue because it fails to properly sanitize user-supplied input to the "newlang" parameter of the "index.php" script. If-CMS version 2.07 is affected.
  • Ref: http://www.securityfocus.com/bid/46884
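Entries 11.12.23 (LotusCMS "page") and 11.12.26 (If-CMS "newlang") are both local file includes: a request parameter is spliced into an include path. The block below is an added illustration of that class and its fix, not code from either project; the parameter names follow the bulletin, the file layout and language list are hypothetical.

```php
<?php
// Added illustration, not LotusCMS or If-CMS code: the local-file-include
// pattern behind 11.12.23 and 11.12.26, next to two defensive forms.

// VULNERABLE: the request value becomes part of the include path unchanged.
// "../" sequences (and, on old PHP builds, a null byte) let the caller pick
// any readable file on the server instead of a language file.
function load_language_vulnerable(string $newlang): void
{
    include __DIR__ . '/lang/' . $newlang . '.php';
}

// HARDENED (preferred): map the request value through a fixed allow-list and
// never use the raw string in the path. Unknown values fall back to English.
const ALLOWED_LANGS = ['en' => 'en.php', 'de' => 'de.php', 'fr' => 'fr.php'];

function language_file(string $newlang): string
{
    $file = ALLOWED_LANGS[$newlang] ?? ALLOWED_LANGS['en'];
    return __DIR__ . '/lang/' . $file;
}

// HARDENED (fallback when an allow-list is impractical, e.g. a "page" value
// naming any template): strip directory components, resolve the real path,
// and confirm it is still inside the intended directory before including it.
function safe_page_path(string $page): ?string
{
    $base = realpath(__DIR__ . '/pages');
    $candidate = realpath($base . '/' . basename($page) . '.php');
    if ($base === false || $candidate === false) {
        return null; // directory missing or file does not exist: refuse
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    // strncmp keeps this on PHP < 8 (str_starts_with is PHP 8 only).
    return strncmp($candidate, $prefix, strlen($prefix)) === 0 ? $candidate : null;
}

// Usage (hypothetical front controller):
//   include language_file($_GET['newlang'] ?? 'en');
//   $path = safe_page_path($_GET['page'] ?? 'index');
//   if ($path === null) { http_response_code(404); exit; }
//   include $path;
```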

  • 11.12.27 - CVE: Not Available
  • Platform: Network Device
  • Title: Blackberry Browser Multiple Unspecified Information Disclosure and Integer Overflow Vulnerabilities
  • Description: Blackberry devices include a web browser based on the WebKit framework. The browser is affected by multiple information disclosure and integer-overflow issues.
  • Ref: http://threatpost.com/en_us/blogs/iphone-blackberry-fall-second-day-pwn2own-031011

(c) 2011. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge by the SANS Institute to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization. For a free subscription or to update a current subscription, visit http://portal.sans.org/