@RISK: The Consensus Security Vulnerability Alert

Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys

• (1) HIGH: Mozilla Products Multiple Vulnerabilities
• (2) HIGH: Google Chrome Multiple Vulnerabilities
• (3) MEDIUM: IBM Rational System Architect
• (4) MEDIUM: Libmodplug Stack Buffer Overflow Vulnerability

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

Third Party Windows Apps

• 11.19.1 - Advantech Studio ISSymbol ActiveX Control Multiple Buffer Overflow Vulnerabilities
• 11.19.2 - 7T Interactive Graphical SCADA System ODBC Service Remote Stack-Based Buffer Overflow
• 11.19.3 - Data Dynamics ActiveBar ActiveX Control Insecure Method
• 11.19.4 - Adobe Photoshop Multiple Unspecified Vulnerabilities

Linux

• 11.19.5 - SSSD Kerberos Ticket Renewal Cached Password Security Bypass

Unix

• 11.19.6 - VMware ESXi and ESX Multiple Remote Denial of Service

Novell

• 11.19.7 - SuSE openSUSE Build Service Multiple Security Vulnerabilities

Cross Platform

• 11.19.8 - JBoss Seam Expression Language (EL) Remote Code Execution
• 11.19.9 - HP Virtual Server Environment Remote Code Execution
• 11.19.10 - Asterisk Manager Interface Arbitrary Command Execution Security Bypass
• 11.19.11 - IBM Tivoli Directory Server Multiple Vulnerabilities
• 11.19.12 - IBM solidDB "rpc_test_svc" Commands Multiple Denial of Service
• 11.19.13 - Google Chrome Multiple Security Vulnerabilities
• 11.19.14 - Up.time Software Administration Interface Remote Authentication Bypass
• 11.19.15 - Netop Remote Control ".dws" File Buffer Overflow
• 11.19.16 - Mozilla Firefox/Thunderbird/SeaMonkey Multiple Vulnerabilities
• 11.19.17 - HP OpenView Storage Data Protector Multiple Unspecified Remote Code Execution
• 11.19.18 - Embarcadero InterBase XE "connect" Request Stack Buffer Overflow
• 11.19.19 - Asterisk SIP INVITE Request User Enumeration Weakness

Web Application - Cross Site Scripting

• 11.19.20 - CA Arcot WebFort Versatile Authentication Server Cross-Site Scripting
• 11.19.21 - RSA Data Loss Prevention (DLP) Enterprise Manager Unspecified Cross-Site Scripting
• 11.19.22 - LDAP Account Manager "selfserviceSaveOk" Parameter Cross-Site Scripting

Web Application

• 11.19.23 - Trustwave WebDefend Local Privilege Escalation
• 11.19.24 - Cisco Unified Communications Manager SIP Message Multiple Vulnerabilities
• 11.19.25 - SMSGATE.4 Multiple Remote Denial Of Service and Memory Corruption
• 11.19.26 - Proofpoint Protection Server Multiple Input Validation Security Vulnerabilities

Network Device

• 11.19.27 - Avaya CS1000 Communications Server Remote Denial of Service
• 11.19.28 - Blue Coat BCAAA Stack Buffer Overflow

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/risk/#process

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 17, 2011

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com) This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 11219 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely. ______________________________________________________________________

• 11.19.1 - CVE: CVE-2011-0340
• Platform: Third Party Windows Apps
• Title: Advantech Studio ISSymbol ActiveX Control Multiple Buffer Overflow Vulnerabilities
• Description: Advantech Studio is an integrated collection of automation tools. The software is exposed to multiple buffer overflow issues because it fails to perform adequate checks on user-supplied input. Advantech Studio 6.1 SP6 Build 61.6.01.05 is affected; other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/47596/info

• 11.19.2 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: 7T Interactive Graphical SCADA System ODBC Service Remote Stack-Based Buffer Overflow
• Description: The 7T Interactive Graphical SCADA System is a SCADA application used for monitoring and controlling industrial processes. The application is exposed to a remote stack-based buffer overflow issue. Specifically, this issue occurs in the ODBC service when parsing a large amount of data sent to TCP port 20222, which is copied into a variable length buffer. Interactive Graphical SCADA System v9 is affected.
• Ref: http://www.insomniasec.com/advisories/ISVA-110427.1.htm

• 11.19.3 - CVE: CVE-2011-1207
• Platform: Third Party Windows Apps
• Title: Data Dynamics ActiveBar ActiveX Control Insecure Method
• Description: Data Dynamics ActiveBar is a toolbar control for use on the Microsoft Windows operating system. The software is exposed to an issue caused by an insecure method. This issue occurs because the application fails to handle user-supplied input to the "Data" argument of the "SetLayoutData()" method. Data Dynamics ActiveBar 1.0.6.5 is affected.
• Ref: http://www.securityfocus.com/bid/47643/info

• 11.19.4 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: Adobe Photoshop Multiple Unspecified Vulnerabilities
• Description: Adobe Photoshop is an application that allows users to view and edit various graphic formats. Adobe Photoshop is exposed to multiple unspecified issues. Adobe Photoshop versions prior to CS5 12.0.4 are affected.
• Ref: http://www.adobe.com/support/downloads/detail.jsp?ftpID=4973

• 11.19.5 - CVE: CVE-2011-1758
• Platform: Linux
• Title: SSSD Kerberos Ticket Renewal Cached Password Security Bypass
• Description: SSSD provides a set of daemons to manage access to remote directories and other authentication mechanisms. The application is exposed to a security bypass issue. Specifically, when SSSD is configured to use Kerberos automatic ticket renewal, a cached password is overwritten with a predictable cache filename which may allow attackers to bypass the authentication mechanism. Red Hat SSSD versions before 1.5.7 are affected.
• Ref: https://fedorahosted.org/pipermail/sssd-devel/2011-April/006138.html

• 11.19.6 - CVE: CVE-2011-1785, CVE-2011-1786
• Platform: Unix
• Title: VMware ESXi and ESX Multiple Remote Denial of Service
• Description: VMware ESXi and ESX are virtualization applications. The applications are exposed to multiple remote denial of service issues. ESXi 4.0, 4.1 and ESX 4.0, 4.1 are affected.
• Ref: http://www.securityfocus.com/archive/1/517739

• 11.19.7 - CVE: CVE-2011-0466,CVE-2011-0462
• Platform: Novell
• Title: SuSE openSUSE Build Service Multiple Security Vulnerabilities
• Description: SuSE openSUSE Build Service is a package building application. The application is exposed to multiple issues. 1) A cross-site scripting issue affects the login page of the "webui" component. 2) A security bypass issue in the "api" component allows an attacker without write access to modify packages. 3) A security bypass issue in the "api" component allows passwords to be changed by a foreign user while in LDAP mode. OpenSUSE Build Service (OBS) 2.0.x before 2.0.8 and 2.1.x before 2.1.6 are affected.
• Ref: http://news.opensuse.org/2011/03/02/build-service-team-releases-new-versions-fix
  ing-security-problems/

• 11.19.8 - CVE: CVE-2011-1484
• Platform: Cross Platform
• Title: JBoss Seam Expression Language (EL) Remote Code Execution
• Description: JBoss Seam is a framework for developing web 2.0 applications. The software is exposed to a remote code execution issue because it fails to properly restrict access to JBoss Expression Language (EL) constructs during page exception handling. JBoss Group JBoss Seam 2.0.2, 2.0.2.SP1 and 2.0 GA are affected.
• Ref: http://www.securityfocus.com/bid/47516/info

• 11.19.9 - CVE: CVE-2011-1724
• Platform: Cross Platform
• Title: HP Virtual Server Environment Remote Code Execution
• Description: HP Virtual Server Environment contains components that enhance the functionality and flexibility of a server environment. The software is exposed to a remote code execution issue. HP Virtual Server Environment versions prior to 6.3 are affected.
• Ref: http://www.securityfocus.com/bid/47523/info

• 11.19.10 - CVE: CVE-2011-1599
• Platform: Cross Platform
• Title: Asterisk Manager Interface Arbitrary Command Execution Security Bypass
• Description: Asterisk is a private branch exchange (PBX) application. Asterisk is exposed to a security bypass issue that affects the manager interface. This issue occurs because the interface fails to properly perform certain security checks when handling specially crafted headers. Asterisk 1.6.1.x, 1.6.2.x and 1.8.x are affected.
• Ref: http://downloads.asterisk.org/pub/security/AST-2011-006.html

• 11.19.11 - CVE: CVE-2011-1821, CVE-2011-1822
• Platform: Cross Platform
• Title: IBM Tivoli Directory Server Multiple Vulnerabilities
• Description: IBM Tivoli Directory Server is an LDAP based identity management application. The application is exposed to two security issues. 1) A denial of service issue because the application fails to properly handle certain change log search requests. 2) An information disclosure issue. IBM Tivoli Directory Server versions prior to 5.2.0.5-TIV-ITDS-IF0010 are affected.
• Ref: https://www-304.ibm.com/support/docview.wss?uid=swg24029663

• 11.19.12 - CVE: CVE-2011-1208
• Platform: Cross Platform
• Title: IBM solidDB "rpc_test_svc" Commands Multiple Denial of Service
• Description: IBM solidDB is a relational SQL database. The application is exposed to multiple denial of service issues that affect the "solidDB.exe" service. Specifically, attackers can issue "rpc_test_svc_readwrite" and "rpc_test_svc_done" remote procedure commands through TCP port 2315 to trigger a NULL pointer exception. IBM solidDB versions 4.5.181 and below, 6.0.1068 and below, 6.3 Fix Pack 7 and below, 6.5 Fix Pack 3 and below are affected.
• Ref: https://www-304.ibm.com/support/docview.wss?uid=swg21496106

• 11.19.13 - CVE:CVE-2011-1456,CVE-2011-1455,CVE-2011-1454,CVE-2011-1452,CVE-2011-1451,CVE-2011-1450,CVE-2011-1449,CVE-2011-1448,CVE-2011-1447,CVE-2011-1446,CVE-2011-1445,CVE-2011-1444,CVE-2011-1443,CVE-2011-1442,CVE-2011-1441,CVE-2011-1440,CVE-2011-1439,CVE-2011-1438
• Platform: Cross Platform
• Title: Google Chrome Multiple Security Vulnerabilities
• Description: Google Chrome is a web browser for multiple platforms. The software is exposed to multiple security issues. See the reference below for complete details. Google Chrome versions prior to 11.0.696.57 are affected.
• Ref: http://googlechromereleases.blogspot.com/2011/04/chrome-stable-update.html?utm_s
  ource=feedburner&utm_medium=feed&utm_campaign=Feed%3A+GoogleChromeReleas
  es+%28Google+Chrome+Releases%29

• 11.19.14 - CVE: Not Available
• Platform: Cross Platform
• Title: Up.time Software Administration Interface Remote Authentication Bypass
• Description: Up.time is IT systems management software. The application is exposed to a remote authentication bypass issue that affects the administration interface, which runs on TCP port 9999. Specifically, when the administration interface is loaded for the first time, it contains a function designed to set the administrator password. Though the process is completed, the code is left behind, which can allow an attacker to bypass server authentication and reset account passwords. Up.time 5 is affected; other versions may also be affected.
• Ref: http://www.insomniasec.com/advisories/ISVA-110427.2.htm

• 11.19.15 - CVE: Not Available
• Platform: Cross Platform
• Title: Netop Remote Control ".dws" File Buffer Overflow
• Description: Netop Remote Control is a remote server management application. The application is exposed to a buffer overflow issue because it fails to perform adequate checks on user-supplied input. Specifically, this issue occurs when processing a specially crafted ".dws" file. Netop Remote Control versions 9.5, 9.2, 9.1 and 8.0 are affected.
• Ref: http://www.securityfocus.com/bid/47631/discuss

• 11.19.16 - CVE:CVE-2011-1202,CVE-2011-0081,CVE-2011-0080,CVE-2011-0079,CVE-2011-0078,CVE-2011-0077,CVE-2011-0076,CVE-2011-0075,CVE-2011-0074,CVE-2011-0073,CVE-2011-0072,CVE-2011-0071,CVE-2011-0070,CVE-2011-0069,CVE-2011-0068,CVE-2011-0067,CVE-2011-0066,CVE-2011-0065
• Platform: Cross Platform
• Title: Mozilla Firefox/Thunderbird/SeaMonkey Multiple Vulnerabilities
• Description: Firefox is a browser. SeaMonkey is a suite of applications that includes a browser and an email client. Thunderbird is an email client. Mozilla Firefox, SeaMonkey, and Thunderbird are exposed to multiple memory corruption issues. See the reference below for further details. Affected versions: Firefox version 3.6.x before 3.6.17, 3.5.x before 3.5.19, Thunderbird version 3.x before 3.1.10, and SeaMonkey version 2.x before 2.0.14.
• Ref: http://www.mozilla.org/security/announce/2011/mfsa2011-12.html

• 11.19.17 - CVE:CVE-2011-1736,CVE-2011-1735,CVE-2011-1734,CVE-2011-1733,CVE-2011-1732,CVE-2011-1731,CVE-2011-1730,CVE-2011-1729,CVE-2011-1728
• Platform: Cross Platform
• Title: HP OpenView Storage Data Protector Multiple Unspecified Remote Code Execution
• Description: HP OpenView Storage Data Protector is a commercial data management product for backup and recovery operations. The software is exposed to multiple unspecified remote code execution issues. HP OpenView Storage Data Protector v6.00, v6.10, and v6.11 running on Windows are affected.
• Ref: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02810240

• 11.19.18 - CVE: Not Available
• Platform: Cross Platform
• Title: Embarcadero InterBase XE "connect" Request Stack Buffer Overflow
• Description: Embarcadero InterBase XE is a database. The application is exposed to a stack-based buffer overflow issue that affects the "ibserver.exe" process, which listens by default on TCP port 3050. The issue can be triggered when a specially crafted "connect" message is sent to the affected service. Embarcadero InterBase XE and InterBase SMP 2009 versions 9.0.3.437 and 9.0.2.369 are affected.
• Ref: http://www.securityfocus.com/archive/1/517773

• 11.19.19 - CVE: Not Available
• Platform: Cross Platform
• Title: Asterisk SIP INVITE Request User Enumeration Weakness
• Description: Asterisk is a private branch exchange application. The software is exposed to a user enumeration weakness. This issue occurs because the application responds differently when enumerating valid and invalid SIP usernames using the "INVITE" request. Asterisks 1.8 is affected.
• Ref: http://www.securityfocus.com/bid/47676/info

• 11.19.20 - CVE: CVE-2011-1825
• Platform: Web Application - Cross Site Scripting
• Title: CA Arcot WebFort Versatile Authentication Server Cross-Site Scripting
• Description: CA Arcot WebFort Versatile Authentication provides solutions to deploy authentication methods. The application is exposed to a cross-site scripting issue because it fails to sufficiently sanitize certain unspecified user-supplied data submitted to the administration console. Versions prior to CA Arcot WebFort Versatile Authentication Server 6.2.5 are affected.
• Ref: https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={A71F5839-D2
  14-4719-B918-4476E4537998}

• 11.19.21 - CVE: CVE-2011-1423
• Platform: Web Application - Cross Site Scripting
• Title: RSA Data Loss Prevention (DLP) Enterprise Manager Unspecified Cross-Site Scripting
• Description: RSA Data Loss Prevention (DLP) Enterprise Manager is a data integrity application. The software is exposed to an unspecified cross-site scripting issue because it fails to properly sanitize user-supplied input. RSA Data Loss Prevention (DLP) Enterprise Manager versions 8.x are affected.
• Ref: http://www.securityfocus.com/archive/1/517763

• 11.19.22 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: LDAP Account Manager "selfserviceSaveOk" Parameter Cross-Site Scripting
• Description: LDAP Account Manager is a web frontend for managing accounts stored in an LDAP directory. The application is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied data submitted to the "selfserviceSaveOk" parameter of the "templates/login.php" script. This issue occurs in "lib/status.inc". LDAP Account Manager 3.4.0 is affected; other versions may also be affected.
• Ref: http://www.autosectools.com/Advisory/LDAP-Account-Manager-3.4.0-Reflected-Cross-
  site-Scripting-193

• 11.19.23 - CVE: Not Available
• Platform: Web Application
• Title: Trustwave WebDefend Local Privilege Escalation
• Description: Trustwave WebDefend is a web application firewall appliance. The appliance is exposed to a local privilege escalation issue. Specifically, the issue occurs because the appliance executes the login script of the operator account ("/opt/breach/bwd/bin/bgadmin_cli") with root privileges. Trustwave WebDefend 5.0 is affected; other versions may also be affected.
• Ref: http://www.securitypentest.com/2011/04/trustwave-webdefend-privilege.html

• 11.19.24 - CVE:CVE-2011-1606,CVE-2011-1609,CVE-2011-1610,CVE-2011-1607,CVE-2011-1604,CVE-2011-1605
• Platform: Web Application
• Title: Cisco Unified Communications Manager SIP Message Multiple Vulnerabilities
• Description: Cisco Unified Communications Manager is a software based call processing component of the Cisco IP telephony solution. CUCM is exposed to multiple remote issues. 1) Multiple denial of service issues when handling specially crafted SIP messages. 2) Multiple unspecified SQL injection issues. 3) A directory traversal issue while processing "POST" requests. Cisco Unified Communications Manager versions 6.x, 7.x and 8.x are affected.
• Ref: http://www.cisco.com/warp/public/707/cisco-sa-20110427-cucm.shtml

• 11.19.25 - CVE: Not Available
• Platform: Web Application
• Title: SMSGATE.4 Multiple Remote Denial Of Service and Memory Corruption
• Description: SMSGATE.4 is a web-based application. The application is exposed to multiple remote issues. 1) A memory corruption issue occurs because of an error in processing certain XML requests. 2) A denial of service issue occurs because of an error in processing overly large HTTP "GET" requests through URI parameters. SMSGATE.4 versions prior to SMSGATE.4 4.07r are affected.
• Ref: http://dsecrg.com/pages/vul/show.php?id=319

• 11.19.26 - CVE: Not Available
• Platform: Web Application
• Title: Proofpoint Protection Server Multiple Input Validation Security Vulnerabilities
• Description: Proofpoint Protection Server is a web-based security application. The application is exposed to multiple security issues. 1) An authentication bypass issue due to a failure to sufficiently sanitize user-supplied input. 2) A command injection issue due to a failure to adequately sanitize unspecified user-supplied input. 3) An unspecified SQL injection issue. 4) A security bypass issue due to a failure to sufficiently sanitize user-supplied input. 5) An unspecified directory traversal issue due to a failure to sufficiently sanitize user-supplied input. Proofpoint Protection Server versions 6.2.0, 6.1.1, 6.0.2, and 5.5.3 to 5.5.5 are affected.
• Ref: http://www.securityfocus.com/bid/47675/discuss

• 11.19.27 - CVE: Not Available
• Platform: Network Device
• Title: Avaya CS1000 Communications Server Remote Denial of Service
• Description: Avaya CS1000 Communications Server is an IP telephony server. The application is exposed to a remote denial of service issue. Specifically, the issue occurs when listening to UDP port 5100. Avaya Communication Server 1000 CS1000E 5.5, CS1000M 5.5 and CS1000E/CS1000M Signaling Server are affected.
• Ref: https://support.avaya.com/css/P8/documents/100133768

• 11.19.28 - CVE: Not Available
• Platform: Network Device
• Title: Blue Coat BCAAA Stack Buffer Overflow
• Description: Blue Coat BCAAA is an authentication and authorization agent. The application is exposed to a stack-based buffer overflow issue because it fails to perform adequate boundary checks on user-supplied input. Specifically, this issue occurs while handling specially crafted packets sent to TCP port 16102. All versions of BCAAA associated with ProxySG releases available prior to April 21, 2011 or with a build number less than 60258 are affected, and all versions of BCAAA associated with ProxyOne are affected.
• Ref: https://kb.bluecoat.com/index?page=content&id=SA55

(c) 2011. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge by the SANS Institute to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization. For a free subscription or to update a current subscription, visit http://portal.sans.org/