
@RISK: The Consensus Security Vulnerability Alert

Volume: X, Issue: 13
April 1, 2011

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

Summary of Updates and Vulnerabilities in this Consensus

Platform                                  Number of Updates and Vulnerabilities
- ------------------------                -------------------------------------
Third Party Windows Apps                  1 (#1)
Mac Os                                    1
Linux                                     2
Cross Platform                            23 (#2,#3,#4)
Web Application - Cross Site Scripting    2
Web Application                           3
Network Device                            1

***************** Sponsored By Industrial Defender ***************

Industrial Defender is the global leader in Automation System Security Management, assuring the availability, reliability and security of critical infrastructure.

http://www.sans.org/info/74383
*****************************************************************

TRAINING UPDATE

-- The National Cybersecurity Innovation Conference, April 18-19, 2011
User-to-user conference featuring outstanding examples of continuous monitoring and security in the cloud.
http://www.sans.org/cyber-security-innovations-2011/

-- 2011 Asia Pacific SCADA and Process Control Summit, Sydney, Australia, March 31-April 7, 2011
http://www.sans.org/sydney-scada-2011/

-- SANS Northern Virginia 2011, Reston, VA, April 15-23, 2011
11 courses. Bonus evening presentations include Cyberwar or Business as Usual? The State of US Federal CyberSecurity Efforts
http://www.sans.org/northern-virginia-2011/

-- SANS Security West 2011, San Diego, CA, May 3-12, 2011
23 courses. Bonus evening presentations include The Emerging Security Threat Panel Discussion; and Emerging Trends in Data Law and Investigation
http://www.sans.org/security-west-2011/

-- SANS Cyber Guardian 2011, Baltimore, MD, May 15-22, 2011
8 courses.
http://www.sans.org/cyber-guardian-2011/

-- SANS Rocky Mountain 2011, Denver, CO, June 25-30, 2011
7 courses. Bonus evening presentations include SANS Hacklab and Why End Users are Your Weakest Link
http://www.sans.org/rocky-mountain-2011/

-- Looking for training in your own community?
http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/discounts.php#current

Plus Barcelona, Amsterdam, Brisbane and London all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

http://www.sans.org/info/74383
*****************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Third Party Windows Apps
Mac Os
Linux
Cross Platform
Web Application - Cross Site Scripting
Web Application
Network Device

************************* Sponsored Link: ***********************

1) New SANS Analyst Whitepaper: The following paper has just been posted in the reading room: "Managing Insiders in Utility Control Environments" by Matt Luallen
http://www.sans.org/info/74388
*****************************************************************

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/risk/#process

Widely Deployed Software
  • (1) HIGH: Microsoft Windows Media Player Monkey Audio Parsing Vulnerability
  • Affected:
    • Microsoft Windows Media Player v11.0
  • Description: Microsoft Windows Media Player is susceptible to a buffer overflow vulnerability due to a parsing error in the code responsible for handling Monkey's Audio files. Monkey's Audio files, which have .ape extensions, are losslessly compressed, similar to FLAC and Apple Lossless. In order to exploit this vulnerability, an attacker must entice a target to open a malicious file.

  • Status: vendor not confirmed, updates not available

  • References:
  • (2) HIGH: RealNetworks RealPlayer Buffer Overflow
  • Affected:
    • RealPlayer 11.0, possibly other versions
  • Description: RealNetworks RealPlayer, a widely-installed cross-platform media player, is susceptible to a buffer overflow vulnerability due to an error handling Real Metadata Package (RMP) files. Detailed analysis of the vulnerability is not available, but a public exploit has been released. By enticing a target to open a malicious file, an attacker can exploit this vulnerability in order to execute arbitrary code on the target's machine.

  • Status: vendor not confirmed, updates not available

  • References:
  • (3) HIGH: VLC Media Player '.AMV' and '.NSV' Invalid Pointer
  • Affected:
    • VLC media player prior to 1.1.8
  • Description: VideoLAN has released a patch for VLC, its cross-platform media player, that addresses multiple invalid pointer vulnerabilities. This vulnerability was discovered by fuzzing the application. By changing a particular byte in a .AMV file, for example, it is possible to cause VLC to crash due to an invalid pointer. In combination with a heap spray, an attacker can overwrite the instruction pointer on the stack, resulting in code execution. In order to exploit this vulnerability, an attacker must entice a target to view a malicious site.

  • Status: vendor confirmed, updates available

  • References:
  • (4) MEDIUM: Google Chrome Multiple Vulnerabilities
  • Affected:
    • Google Chrome prior to 10.0.648.204
  • Description: Google has released a patch addressing multiple vulnerabilities in its Chrome web browser. Google has rated all of these vulnerabilities high; they comprise two use-after-free vulnerabilities, two stale pointers, one memory corruption, and one unspecified "buffer error." The errors are related to parsing HTML, CSS, and SVG; DOM manipulation; and string handling. Although the details of these vulnerabilities are unavailable, it is likely that at least some of them can be used to execute arbitrary code on a target's machine. In order to exploit these vulnerabilities, an attacker must entice a target to view a malicious site.

  • Status: vendor confirmed, updates available

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 13, 2011

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 11053 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 11.14.1 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Microsoft Windows Media Player ".ape" File Remote Buffer Overflow
  • Description: Microsoft Windows Media Player is a multimedia application available for the Windows operating system. Microsoft Windows Media Player is exposed to a remote buffer overflow issue because it fails to perform adequate bounds checks on user-supplied input. Microsoft Windows Media Player version 11.0 is affected.
  • Ref: http://www.securityfocus.com/bid/47041

  • 11.14.2 - CVE: CVE-2011-0172, CVE-2010-1452, CVE-2010-2068, CVE-2011-0173, CVE-2011-0174, CVE-2011-0175, CVE-2011-0176, CVE-2011-0177, CVE-2010-0405, CVE-2011-0178, CVE-2010-3434, CVE-2010-4260, CVE-2010-4261, CVE-2010-4479, CVE-2011-0179, CVE-2011-0180, CVE-2011-0170, CVE-2011-0181
  • Platform: Mac Os
  • Title: Apple Mac OS X Multiple Vulnerabilities
  • Description: Apple Mac OS X is exposed to multiple issues because it fails to properly sanitize user-supplied input. Apple Mac OS X versions prior to OS X 10.6.7 are affected.
  • Ref: http://lists.apple.com/archives/security-announce/2011/Mar/msg00006.html

  • 11.14.3 - CVE: CVE-2011-1180
  • Platform: Linux
  • Title: Linux Kernel "iriap.c" Multiple Remote Buffer Overflow Vulnerabilities
  • Description: The Linux kernel is exposed to multiple remote buffer overflow issues because it fails to perform adequate boundary checks on user supplied data in the Infrared Data Association (IrDA) subsystem. Specifically, the "iriap_getvaluesbyclass_indication()" function in the "net/irda/iriap.c" source file fails to properly validate the length of peer names and attributes before they are copied into a fixed-length stack buffer.
  • Ref: http://marc.info/?l=linux-netdev&m=130067113628164&w=2

  • 11.14.4 - CVE: CVE-2011-1478
  • Platform: Linux
  • Title: Linux Kernel Generic Receive Offload (GRO) Local Denial of Service
  • Description: The Linux kernel is exposed to a local denial of service issue when handling specially crafted sockets in the core Generic Receive Offload (GRO) code. This issue can occur because of insufficient freeing of a socket buffer belonging to an unknown VLAN.
  • Ref: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-1478

  • 11.14.5 - CVE: Not Available
  • Platform: Cross Platform
  • Title: HP Data Protector Remote Code Execution
  • Description: HP Data Protector is a commercial data management product for backup and recovery operations. HP Data Protector is exposed to a remote code execution issue in the "DBServer.exe" process. The problem occurs when processing a packet sent through TCP port 19813.
  • Ref: http://www.zerodayinitiative.com/advisories/ZDI-11-112/

  • 11.14.6 - CVE: CVE-2011-1471
  • Platform: Cross Platform
  • Title: PHP "Zip" Extension "zip_fread()" Function Denial of Service
  • Description: PHP is a general purpose scripting language that is suited for web development. "Zip" is an extension to read or write ZIP compressed archives. PHP is exposed to a remote denial of service issue that affects the "Zip" extension. PHP versions prior to 5.3.6 are affected.
  • Ref: http://bugs.php.net/bug.php?id=49072

  • 11.14.7 - CVE: CVE-2011-0468
  • Platform: Cross Platform
  • Title: openSUSE "aaa_base" Package Tab Expansion Local Privilege Escalation
  • Description: The openSUSE "aaa_base" package is exposed to a local privilege escalation issue. The problem occurs when handling filenames containing meta characters when performing tab expansions.
  • Ref: https://hermes.opensuse.org/messages/7712778

  • 11.14.8 - CVE: Not Available
  • Platform: Cross Platform
  • Title: IBM Lotus Domino Remote Console Authentication Bypass
  • Description: IBM Lotus Domino is a client/server product designed for collaborative working environments. The application is exposed to a remote authentication bypass issue. Specifically, the remote console listens for requests by default on TCP port 2050.
  • Ref: http://www.zerodayinitiative.com/advisories/ZDI-11-110/

  • 11.14.9 - CVE: CVE-2011-0186
  • Platform: Cross Platform
  • Title: Apple QuickTime JPEG2000 Image Multiple Memory Corruption Vulnerabilities
  • Description: Apple QuickTime is a media player that supports multiple file formats. Apple QuickTime is exposed to multiple memory corruption issues that occur while handling specially crafted JPEG2000 images. Mac OS X versions 10.6 through 10.6.6 and Mac OS X Server versions 10.6 through 10.6.6 are affected.
  • Ref: http://www.securityfocus.com/bid/46995/references

  • 11.14.10 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Perl "Perl_reg_numbered_buff_fetch()" Function Remote Denial of Service
  • Description: Perl is a programming language available for multiple platforms. Perl is exposed to a remote denial of service issue that occurs in the "Perl_reg_numbered_buff_fetch()" function of the "regcomp.c" source file because of an assertion failure when processing certain specially crafted regular expressions.
  • Ref: http://rt.perl.org/rt3/Public/Bug/Display.html?id=76538#txn-713602

  • 11.14.11 - CVE: CVE-2010-3276, CVE-2010-3275
  • Platform: Cross Platform
  • Title: VLC Media Player ".AMV" and ".NSV" Files Multiple Remote Buffer Overflow Vulnerabilities
  • Description: VLC is a cross-platform media player. VLC media player is exposed to stack-based buffer overflow issues because it fails to perform adequate boundary checks on user-supplied data. These issues may be triggered when the vulnerable application opens malformed ".AMV" or ".NSV" files. VLC media player versions prior to 1.1.8 are affected.
  • Ref: http://www.securityfocus.com/archive/1/517150

  • 11.14.12 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Avaya IP Office Manager TFTP Server Remote Denial of Service
  • Description: Avaya IP Office Manager is an application for the IP Office system. The TFTP server is a component of the application. The application is exposed to a remote denial of service issue. Avaya IP Office Manager version 8.1 is affected.
  • Ref: http://www.securityfocus.com/bid/47021

  • 11.14.13 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Citrix Presentation Server and XenApp ActiveSync Service Remote Code Execution
  • Description: Citrix Presentation Server and XenApp are virtualization applications. Citrix Presentation Server and XenApp are exposed to a remote code execution issue that occurs in the ActiveSync service when processing a specially crafted packet.
  • Ref: http://support.citrix.com/article/CTX128366

  • 11.14.14 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Python "urllib" and "urllib2" Modules Information Disclosure and Denial of Service Vulnerabilities
  • Description: Python is an open source object-oriented programming language. The application is exposed to an information disclosure issue and a denial of service issue that affect the "urllib" and "urllib2" modules when handling "ftp://" and "file://" URL schemes. Python versions 2.4.6 and 2.6.5 are affected.
  • Ref: https://bugzilla.redhat.com/show_bug.cgi?id=690560

  • 11.14.15 - CVE: CVE-2009-5060, CVE-2009-5062, CVE-2009-5061, CVE-2009-5059, CVE-2009-5058, CVE-2008-7286, CVE-2008-7285, CVE-2008-7284
  • Platform: Cross Platform
  • Title: IBM Lotus Quickr Multiple Remote Denial of Service Vulnerabilities
  • Description: IBM Lotus Quickr is web-based collaboration software designed for sharing documents and media. The application is exposed to multiple issues that result in a crash of the service, denying service to legitimate users.
  • Ref: https://www-304.ibm.com/support/docview.wss?uid=swg27013341

  • 11.14.16 - CVE: CVE-2011-1296, CVE-2011-1295, CVE-2011-1294, CVE-2011-1293, CVE-2011-1292, CVE-2011-1291
  • Platform: Cross Platform
  • Title: Google Chrome Multiple Security Vulnerabilities
  • Description: Google Chrome is a web browser for multiple platforms. Google Chrome is exposed to multiple security issues. Chrome versions prior to 10.0.648.204 are affected.
  • Ref: http://googlechromereleases.blogspot.com/2011/03/stable-channel-update.html

  • 11.14.17 - CVE: CVE-2011-0458
  • Platform: Cross Platform
  • Title: Google Picasa Insecure Library Loading Arbitrary Code Execution
  • Description: Google Picasa is a graphics application available for Microsoft Windows. The application is exposed to an issue that lets attackers execute arbitrary code. The issue arises because the application uses the file search path in a non-secure manner. Google Picasa versions prior to 3.8 are affected.
  • Ref: http://jvn.jp/en/jp/JVN99977321/index.html

  • 11.14.18 - CVE: CVE-2011-1420
  • Platform: Cross Platform
  • Title: EMC Data Protection Advisor Collector for Solaris SPARC Insecure File Permissions
  • Description: EMC Data Protection Advisor Collector provides management solutions for data protection. The application is exposed to an insecure file permissions issue that affects certain unspecified files.
  • Ref: http://www.securityfocus.com/archive/1/517179

  • 11.14.19 - CVE: Not Available
  • Platform: Cross Platform
  • Title: RealPlayer ".rmp" File Remote Buffer Overflow
  • Description: RealPlayer is an application that allows users to play back various media formats. RealPlayer is exposed to a remote stack-based buffer overflow issue because it fails to perform adequate boundary checks on user-supplied input. RealPlayer version 11.0 is affected.
  • Ref: http://www.securityfocus.com/bid/47039

  • 11.14.20 - CVE: Not Available
  • Platform: Cross Platform
  • Title: eXPert PDF Batch Creator Denial of Service
  • Description: eXPert PDF is a PDF creator and editor application for Microsoft Windows. The application is exposed to a denial of service issue that affects the batch creator "vsbatch2pdf.exe" file. eXPert PDF version 7.0.880.0 is affected.
  • Ref: http://www.securityfocus.com/bid/47040

  • 11.14.21 - CVE: CVE-2010-3743
  • Platform: Cross Platform
  • Title: wodWebServer.NET Directory Traversal
  • Description: wodWebServer.NET is a .NET component that implements server-side HTTP and HTTPS protocols. The application is exposed to a directory traversal issue because it fails to sufficiently sanitize user-supplied input. wodWebServer.NET version 1.3.3 is affected.
  • Ref: http://www.weonlydo.com/WebServer.NET/web-http-net-server.asp

  • 11.14.22 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Zend Server Java Bridge "javamw.jar" Service Remote Code Execution
  • Description: Zend Server is a web application server. Zend Server is exposed to a remote code execution issue in the Zend Java Bridge component. The problem occurs when processing a packet sent through TCP port 10001.
  • Ref: http://www.securityfocus.com/archive/1/517210

  • 11.14.23 - CVE: CVE-2011-0727
  • Platform: Cross Platform
  • Title: GNOME Display Manager Race Condition Local Privilege Escalation
  • Description: GNOME Display Manager (GDM) is a display manager for the X Window System. GNOME Display Manager is exposed to a local privilege escalation issue that occurs because it fails to properly handle the cache directories used to store users' "dmrc" and "face" icon files.
  • Ref: http://www.securityfocus.com/bid/47063

  • 11.14.24 - CVE: CVE-2011-1097
  • Platform: Cross Platform
  • Title: rsync Client Incremental File List Remote Memory Corruption
  • Description: The "rsync" client is used to synchronize files and directory structures across a network. It is commonly used to maintain mirrors of FTP sites, often through anonymous access to the rsync server. The application is exposed to a remote memory corruption issue that is triggered when the application handles malformed file list data.
  • Ref: https://bugzilla.redhat.com/show_bug.cgi?id=675036

  • 11.14.25 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Rumble Mail Server "MAIL FROM" Command Remote Denial of Service
  • Description: Rumble is a mail server available for Unix and Windows. Rumble is exposed to a remote denial of service issue because the application fails to perform adequate boundary checks on user-supplied data. Rumble version 0.25.2232 is affected.
  • Ref: https://bugzilla.redhat.com/show_bug.cgi?id=675036

  • 11.14.26 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Distributed Ruby Multiple Remote Code Execution Vulnerabilities
  • Description: Distributed Ruby (dRuby) is a distributed object-oriented scripting language that allows programs to communicate with each other on the same machine or over a network. Distributed Ruby (dRuby) is exposed to multiple remote code execution issues that affect the "instance_eval" and "syscall" methods.
  • Ref: http://www.securityfocus.com/bid/47071

  • 11.14.27 - CVE: CVE-2010-3743
  • Platform: Cross Platform
  • Title: jHTTPd Directory Traversal
  • Description: jHTTPd is a threaded web server implemented in Java. The application is exposed to a directory traversal issue because it fails to sufficiently sanitize user-supplied input. This issue can be exploited by sending a specially crafted URI request containing directory-traversal strings. jHTTPd version 0.1a is affected.
  • Ref: http://www.securityfocus.com/bid/47075

  • 11.14.28 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Alkacon OpenCms Multiple Cross-Site Scripting Vulnerabilities
  • Description: Alkacon OpenCms is a web-based content manager. The application is exposed to multiple cross-site scripting issues because it fails to properly sanitize user-supplied input to various scripts and parameters. OpenCms versions prior to 7.5.4 are affected.
  • Ref: http://www.securityfocus.com/archive/1/517209

  • 11.14.29 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: SPIP "404.html" Cross-Site Scripting
  • Description: SPIP is a website-publishing application implemented in PHP. The application is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input submitted to the "404.html" script. SPIP versions prior to 2.1.9, 1.9.2j, and 2.0.14 are affected.
  • Ref: http://www.securityfocus.com/bid/47061

  • 11.14.30 - CVE: Not Available
  • Platform: Web Application
  • Title: Cetera eCommerce Multiple Cross-Site Scripting and SQL Injection Vulnerabilities
  • Description: Cetera eCommerce is a website creation, management, and development software kit. Cetera eCommerce is exposed to multiple cross-site scripting and SQL injection issues because it fails to sufficiently sanitize user-supplied data. Cetera eCommerce versions 15.0 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/47044

  • 11.14.31 - CVE: Not Available
  • Platform: Web Application
  • Title: webEdition CMS HTML Injection and Local File Include Vulnerabilities
  • Description: webEdition CMS is a PHP-based content manager. The application is exposed to multiple input validation issues. webEdition CMS version 6.1.0.2 is affected.
  • Ref: http://www.securityfocus.com/bid/47047

  • 11.14.32 - CVE: Not Available
  • Platform: Web Application
  • Title: Alkacon OpenCms HTTPOnly Cookie Flag Information Disclosure Weakness
  • Description: OpenCms is a web-based application implemented using Java and XML. The application is exposed to an information disclosure weakness because it fails to properly protect sensitive cookie data with the "HTTPOnly" protection mechanism. OpenCms versions prior to 7.5.4 are affected.
  • Ref: http://www.securityfocus.com/archive/1/517209

  • 11.14.33 - CVE: CVE-2011-1472
  • Platform: Network Device
  • Title: Nokia E75 Firmware Lock Code Authentication Bypass
  • Description: Nokia E75 is a smart phone. Nokia E75 is exposed to an authentication bypass issue that occurs because of an unspecified error in the device which allows the user to bypass the "lock code" during the boot process.
  • Ref: http://www.cert.fi/en/reports/2011/vulnerability410355.html

(c) 2011. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge by the SANS Institute to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization. For a free subscription or to update a current subscription, visit http://portal.sans.org/