
@RISK: The Consensus Security Vulnerability Alert

Volume: X, Issue: 12
March 25, 2011

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

Platform                                   Number of Updates and Vulnerabilities
-----------------------------------------  -------------------------------------
Third Party Windows Apps                   1
Mac Os                                     1 (#4)
Linux                                      1
Novell                                     1
Cross Platform                             15 (#1,#2,#3,#5)
Web Application - Cross Site Scripting     2
Web Application - SQL Injection            1
Web Application                            3

***************** Sponsored By Tripwire, Inc. *******************

New SANS Analyst Program Webcast: Debunking Continuous Monitoring Myths, May 17, 1PM EDT
Learn what holds organizations back from implementing continuous monitoring and where to get started. Featuring Eugene E. Schultz and Steve Johnston.
http://www.sans.org/info/73273

*****************************************************************

TRAINING UPDATE

-- The National Cybersecurity Innovation Conference, April 18-19, 2011
   User-to-user conference featuring outstanding examples of continuous monitoring and security in the cloud.
   http://www.sans.org/cyber-security-innovations-2011/

-- SANS Northern Virginia 2011, Reston, VA, April 15-23, 2011
   11 courses. Bonus evening presentations include Cyberwar or Business as Usual? The State of US Federal CyberSecurity Efforts
   http://www.sans.org/northern-virginia-2011/

-- SANS Security West 2011, San Diego, CA, May 3-12, 2011
   23 courses. Bonus evening presentations include The Emerging Security Threat Panel Discussion; and Emerging Trends in Data Law and Investigation
   http://www.sans.org/security-west-2011/

-- 2011 Asia Pacific SCADA and Process Control Summit, Sydney, Australia, March 31-April 7, 2011
   http://www.sans.org/sydney-scada-2011/

-- SANS Cyber Guardian 2011, Baltimore, MD, May 15-22, 2011
   8 courses.
   http://www.sans.org/cyber-guardian-2011/

-- SANS Rocky Mountain 2011, Denver, CO, June 25-30, 2011
   7 courses. Bonus evening presentations include SANS Hacklab and Why End Users are Your Weakest Link
   http://www.sans.org/rocky-mountain-2011/

-- Looking for training in your own community? http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/discounts.php#current

Plus Barcelona, Amsterdam, Brisbane and London all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

*****************************************************************

Table Of Contents

PART I -- Critical Vulnerabilities
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
  Third Party Windows Apps
  Mac Os
  Linux
  Novell
  Cross Platform
  Web Application - Cross Site Scripting
  Web Application - SQL Injection
  Web Application

PART I -- Critical Vulnerabilities

Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/risk/#process

Widely Deployed Software
  • (1) HIGH: IBM Lotus Domino Server Controller Authentication Bypass
  • Affected:
    • Lotus Domino
  • Description: IBM Lotus Domino is an enterprise application platform and collaboration and email server. It is administered by the Lotus Domino Console, which can be accessed through the Lotus Domino Server Controller. The Lotus Domino Server Controller is susceptible to an authentication bypass vulnerability. Because it uses a cookie file at a user-controlled location to validate the cookie provided by a client, an attacker can specify a malicious target for the cookie file in order to execute arbitrary commands on the target's machine. No interaction is required on the part of the target. This vulnerability was disclosed by the Zero Day Initiative (ZDI) in accordance with its 180-day deadline. ZDI suggests setting a console password and restricting access to port 2050 to authorized hosts as mitigation strategies.

  • Status: vendor confirmed, updates not available

  • References:
  • (2) HIGH: HP Products Multiple Security Vulnerabilities
  • Affected:
    • HP Data Protector
    • HP StorageWorks P4000 Virtual SAN
  • Description: Two HP products are susceptible to code execution vulnerabilities. HP Data Protector, HP's automated backup and recovery software, is susceptible to a buffer overflow vulnerability. The vulnerable executable, DBServer.exe, listens on port 19813 and passes data into a buffer of user-controlled length. An attacker can exploit this vulnerability in order to execute arbitrary code on the target's machine. No interaction on the part of the target is required. In addition, HP's StorageWorks P4000 Virtual SAN appliance, used to build virtual iSCSI Storage Area Networks (SANs), is susceptible to a buffer overflow vulnerability. The vulnerable executable, hydra.exe, listens on port 13838 and copies user-supplied data into fixed-length buffers without sanity checks. By sending a malicious request, an attacker can exploit this vulnerability in order to execute arbitrary code with SYSTEM-level privileges on the target's machine. Again, no interaction is required.

  • Status: vendor confirmed, updates not available

  • References:
  • (3) HIGH: RealPlayer Heap Buffer Overflow Vulnerability
  • Affected:
    • RealPlayer 14.0.1.633 and prior
  • Description: RealNetworks RealPlayer, a widely installed multimedia player, is susceptible to a heap-based buffer overflow vulnerability. The vulnerability exists because the code responsible for parsing IVR (Internet Video Recording) files copies user-controlled data into a buffer of user-controlled size without verification. By enticing a target to view a malicious IVR file, an attacker can exploit this vulnerability in order to execute arbitrary code on the target's machine.

  • Status: vendor confirmed, updates not available

  • References:
  • (5) MEDIUM: LibTIFF Parsing Vulnerability
  • Affected:
    • libTIFF prior to 3.9.4
  • Description: LibTIFF, a library used to manipulate TIFF (Tagged Image File Format) data, has been patched to address a heap-based buffer overflow vulnerability. Because libTIFF is widely used on multiple platforms, this potentially offers many attack vectors. In the past, libTIFF vulnerabilities have been used to attack systems such as the PlayStation Portable and iOS, the operating system used in the iPhone and iPod Touch. To exploit this kind of vulnerability, an attacker must generally entice a target to parse a malicious TIFF file. By doing so, the attacker may be able to execute arbitrary code on the target's machine.

  • Status: vendor confirmed, updates available

  • References:
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Week 12, 2011

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 11029 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 11.13.1 - CVE: CVE-2011-0331
  • Platform: Third Party Windows Apps
  • Title: Honeywell ScanServer ActiveX Control Use-After-Free Remote Code Execution
  • Description: The Honeywell ScanServer ActiveX control is used to connect to a server accessed through a web page. The Honeywell ScanServer ActiveX control is exposed to a remote code execution issue due to a use-after-free error. Specifically, the issue occurs when handling the "addOSPLext()" method. Honeywell ScanServer ActiveX control version 780.0.20.5 is affected.
  • Ref: http://secunia.com/secunia_research/2011-22/

  • 11.13.2 - CVE: CVE-2011-0193
  • Platform: Mac Os
  • Title: Apple Mac OS X Image RAW Multiple Buffer Overflow Vulnerabilities
  • Description: Apple Mac OS X is prone to multiple buffer overflow issues because it fails to properly bounds check user-supplied input. The problems occur when handling Canon RAW images. Successful exploits may allow an attacker to execute arbitrary code in the context of the application. OS X versions prior to 10.6.7 are affected.
  • Ref: http://www.securityfocus.com/archive/1/517102

  • 11.13.3 - CVE: Not Available
  • Platform: Linux
  • Title: Linux Kernel Netfilter
  • Description: The Linux kernel is exposed to a heap-based buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data. This issue affects the "buffer" string in the "net/ipv4/netfilter/ipt_CLUSTERIP.c" source file.
  • Ref: http://marc.info/?l=netfilter-devel&m=130036157327564&w=2

  • 11.13.4 - CVE: CVE-2010-4228
  • Platform: Novell
  • Title: Novell Netware "NWFTPD.NLM" DELE Command Remote Buffer Overflow
  • Description: Netware is a network operating system from Novell. Netware is exposed to a remote stack-based buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data. Specifically, the issue occurs in the "NWFTPD.NLM" component when processing a specially crafted argument to the DELE command.
  • Ref: http://www.zerodayinitiative.com/advisories/ZDI-11-106/

  • 11.13.5 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Asterisk Manager Interface Remote Denial of Service
  • Description: Asterisk is a private branch exchange (PBX) application available for Linux, BSD, and Mac OS X platforms. Asterisk is exposed to a remote denial of service issue because it fails to properly handle invalid connections to the Asterisk Manager Interface. Asterisk series 1.6.1.x, 1.6.2.x, and 1.8.x are affected.
  • Ref: http://downloads.asterisk.org/pub/security/AST-2011-003.pdf

  • 11.13.6 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Sybase OneBridge Server and DMZ Proxy Unspecified Security
  • Description: OneBridge is an application that provides mobile solutions for extending software applications to mobile devices. Sybase OneBridge Server and DMZ Proxy are exposed to an unspecified security issue that affects the iMailGateway service of the application.
  • Ref: http://www.sybase.com/detail?id=1092074

  • 11.13.7 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Progea Movicon "TCPUploadServer.exe" Security Bypass
  • Description: Movicon provides XML-based HMI development solutions. The application is exposed to a security bypass issue. Specifically, "TCPUploadServer.exe" listening on TCP port 10651 fails to restrict access to administrative functions which allows attackers to execute a program with specially crafted arguments. Movicon versions prior to 11.2 Build 1084 are affected.
  • Ref: http://www.us-cert.gov/control_systems/pdf/ICSA-11-056-01.pdf

  • 11.13.8 - CVE: Not Available
  • Platform: Cross Platform
  • Title: OpenSCAP Project Unspecified Security
  • Description: The OpenSCAP project provides an open-source framework to enable integration with the Security Content Automation Protocol (SCAP) standards and capabilities. The OpenSCAP project is exposed to an unspecified security vulnerability involving paths to probes. OpenSCAP versions prior to 0.7.1 are affected.
  • Ref: https://www.redhat.com/archives/open-scap-list/2011-March/msg00001.html

  • 11.13.9 - CVE: Not Available
  • Platform: Cross Platform
  • Title: CORE Multimedia Suite ".m3u" File Buffer Overflow
  • Description: CORE Multimedia Suite is a multimedia application for playing media files. The application is exposed to a buffer overflow issue because it fails to perform adequate checks on user-supplied input. CORE Multimedia Suite version 2.4 is affected.
  • Ref: http://www.securityfocus.com/bid/46912

  • 11.13.10 - CVE: Not Available
  • Platform: Cross Platform
  • Title: MPlayer ".m3u" File Buffer Overflow
  • Description: MPlayer is a multimedia player available for Microsoft Windows. MPlayer is exposed to a buffer overflow issue because it fails to perform adequate checks on user-supplied input. Specifically, this issue occurs when processing an ".m3u" file. MPlayer Lite version 33064 is affected.
  • Ref: http://www.securityfocus.com/bid/46926

  • 11.13.11 - CVE: Not Available
  • Platform: Cross Platform
  • Title: 7T Interactive Graphical SCADA System Multiple Security Vulnerabilities
  • Description: 7T Interactive Graphical SCADA System is a SCADA application used for monitoring and controlling industrial processes. 7T Interactive Graphical SCADA System is exposed to multiple issues.
  • Ref: http://www.securityfocus.com/archive/1/517080

  • 11.13.12 - CVE: CVE-2010-1674
  • Platform: Cross Platform
  • Title: Quagga BGP Daemon NULL Pointer Dereference Denial of Service
  • Description: Quagga is routing software for multiple Unix platforms, including Linux and BSD. Quagga is exposed to a remote denial of service issue caused by a NULL pointer dereference in the Border Gateway Protocol daemon (bgpd) when handling specially crafted Extended Communities attributes.
  • Ref: http://www.securityfocus.com/bid/46942

  • 11.13.13 - CVE: CVE-2011-1418
  • Platform: Cross Platform
  • Title: Multiple Apple Products IPv6 MAC Address in SLAAC Security Weakness
  • Description: Apple iOS is an operating platform for iPhone, iPod touch, and iPad. The iPhone is a mobile phone that runs on the ARM architecture. The iPod touch is a portable music player. The iPad is a tablet device. Apple TV and iOS are exposed to a remote security weakness. A device using stateless address autoconfiguration (SLAAC) will include its MAC address when it chooses its IPv6 address.
  • Ref: http://www.securityfocus.com/bid/46944

  • 11.13.14 - CVE: CVE-2011-0024
  • Platform: Cross Platform
  • Title: Wireshark Capture File Heap Buffer Overflow
  • Description: Wireshark (formerly Ethereal) is an application for analyzing network traffic; it is available for Microsoft Windows and for Unix-like operating systems. Wireshark is exposed to a heap-based buffer overflow issue because it fails to properly bounds-check user-supplied input. The problem occurs when parsing a specially crafted capture file.
  • Ref: https://bugzilla.redhat.com/show_bug.cgi?id=671331

  • 11.13.15 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Real Networks RealPlayer ".ivr" File Parsing Heap Buffer Overflow
  • Description: Real Networks RealPlayer is an application that allows users to play back various media formats. Real Networks RealPlayer is exposed to a heap-based buffer overflow issue because the software fails to perform adequate boundary checks on user-supplied data. The problem occurs in the "rvrender.dll" module when parsing specially crafted ".ivr" files. RealPlayer versions 14.0.1.633 and earlier are affected.
  • Ref: http://www.securityfocus.com/archive/1/517083

  • 11.13.16 - CVE: CVE-2011-1167
  • Platform: Cross Platform
  • Title: libTIFF ThunderCode Decoder Heap Buffer Overflow
  • Description: libTIFF is a library for reading and manipulating Tag Image File Format (TIFF) files. It is freely available for Unix, Unix-like operating systems, and Microsoft Windows. libTIFF is exposed to a heap-based buffer overflow issue because it fails to adequately bounds check user-supplied data before copying it into an insufficiently sized buffer.
  • Ref: http://www.zerodayinitiative.com/advisories/ZDI-11-107/

  • 11.13.17 - CVE: CVE-2011-1176
  • Platform: Cross Platform
  • Title: Apache MPM-ITK Module Security Weakness
  • Description: Apache is an HTTP web server available for multiple operating platforms. The application is exposed to a security weakness that affects the MPM-ITK module. Specifically, this issue occurs because, under certain configurations, the MPM-ITK module processes requests as the root user instead of the user specified in the application configuration file.
  • Ref: http://www.securityfocus.com/bid/46953/references

  • 11.13.18 - CVE: CVE-2011-1470
  • Platform: Cross Platform
  • Title: PHP "Zip" Extension "stream_get_contents()" Function Denial of Service
  • Description: PHP is a general-purpose scripting language that is suited for web development and can be embedded into HTML. "Zip" is an extension to read or write ZIP compressed archives. PHP is exposed to a remote denial of service issue that affects the "Zip" extension. The issue occurs because the "stream_get_contents()" function fails to properly handle certain zip archive streams. PHP versions prior to 5.3.6 are affected.
  • Ref: http://bugs.php.net/bug.php?id=53579

  • 11.13.19 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Apache HttpComponents "HttpClient" Information Disclosure
  • Description: Apache HttpComponents is exposed to an information disclosure issue that occurs due to an unspecified error in the "HttpClient" component. HttpClient version 4.1 is affected.
  • Ref: http://hc.apache.org/httpcomponents-client-ga/index.html

  • 11.13.20 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: WordPress Rating-Widget Plugin Multiple Cross-Site Scripting Vulnerabilities
  • Description: Rating-Widget is a web-based publishing application implemented in PHP. The application is exposed to multiple cross-site scripting issues because it fails to sufficiently sanitize user-supplied input. Rating-Widget version 1.3.1 is affected.
  • Ref: http://www.securityfocus.com/archive/1/517048

  • 11.13.21 - CVE: CVE-2011-0760
  • Platform: Web Application - Cross Site Scripting
  • Title: WordPress Related Posts Plugin Multiple Cross-Site Scripting Vulnerabilities
  • Description: Related Posts is a plugin for WordPress. WordPress is a web-based publishing application. The application is exposed to multiple cross-site scripting issues because it fails to sufficiently sanitize user-supplied input. Related Posts version 1.0 is affected.
  • Ref: http://wordpress.org/extend/plugins/wp-related-posts/

  • 11.13.22 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: iCMS "/admin/item_detail.php" SQL Injection
  • Description: iCMS is a content management application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data passed to the "id" parameter of the "/admin/item_detail.php" script when logged in as an administrator. iCMS version 1.1 is affected.
  • Ref: http://www.securityfocus.com/bid/46918

  • 11.13.23 - CVE: Not Available
  • Platform: Web Application
  • Title: IBM Lotus Quickr Unspecified
  • Description: IBM Lotus Quickr is web-based collaboration software. IBM Lotus Quickr is exposed to an unspecified issue that affects the login module.
  • Ref: https://www-304.ibm.com/support/docview.wss?uid=swg27013341

  • 11.13.24 - CVE: Not Available
  • Platform: Web Application
  • Title: Web Poll Pro "error" Parameter HTML Injection
  • Description: Web Poll Pro is a web-based application. The application is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input to the "error" parameter of the "poll/submit.php" script. Web Poll Pro version 1.0.3 is affected.
  • Ref: http://www.securityfocus.com/archive/1/517072

  • 11.13.25 - CVE: CVE-2011-0545
  • Platform: Web Application
  • Title: Symantec LiveUpdate Administrator Management GUI HTML Injection
  • Description: Symantec LiveUpdate Administrator provides infrastructure support for content distribution. The application's web interface is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input to the login GUI interface.
  • Ref: http://www.securityfocus.com/archive/1/517109

(c) 2011. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge by the SANS Institute to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization. For a free subscription or to update a current subscription, visit http://portal.sans.org/