Our Registration System will be undergoing scheduled maintenance on August 20th from 11:30pm - 12:30 am EDT.
Last Day to Save $250 on SANS Baltimore 2014

@RISK: The Consensus Security Vulnerability Alert

Volume: X, Issue: 17
May 5, 2011

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    • Category
    • # of Updates & Vulnerabilities
    • Summary of Updates and Vulnerabilities in this Consensus
    • Platform Number of Updates and Vulnerabilities
    • - ------------------------ -------------------------------------
    • Third Party Windows Apps
    • 4 (#3)
    • Linux
    • 1
    • Unix
    • 1
    • Novell
    • 1 (#1,#2,#4)
    • Cross Platform
    • 12
    • Web Application - Cross Site Scripting
    • 3
    • Web Application
    • 4
    • Network Device
    • 2

***************************************************************** TRAINING UPDATE - -- SANS Security West 2011, San Diego, CA, May 3-12, 2011 23 courses. Bonus evening presentations include The Emerging Security Threat Panel Discussion; and Emerging Trends in Data Law and Investigation http://www.sans.org/security-west-2011/ - -- SANS Cyber Guardian 2011, Baltimore, MD, May 15-22, 2011 8 courses. Bonus evening presentations include Windows Exploratory Surgery with Process Hacker and State of the Hack: Stuxnet. 8 courses. http://www.sans.org/cyber-guardian-2011/ - -- SANS Rocky Mountain 2011, Denver, CO, June 25-30, 2011 7 courses. Bonus evening presentations include SANS Hacklab and Why End Users are Your Weakest Link http://www.sans.org/rocky-mountain-2011/ - -- SANSFIRE 2011, Washington, DC, July 15-24, 2011 40 courses. Bonus evening presentations include Ninja developers: Penetration testing and Your SDLC; and Are Your Tools Ready for IPv6? http://www.sans.org/sansfire-2011/ - -- SANS Boston 2011, Boston, MA, August 8-15, 2011 12 courses. Bonus evening presentations include Cost Effectively Implementing PCI through the Critical Controls; and More Practical Insights on the 20 Critical Controls http://www.sans.org/boston-2011/ - -- SANS Virginia Beach 2011, August 22- September 2, 2011 11 courses. http://www.sans.org/virginia-beach-2011/ - -- Looking for training in your own community? http://sans.org/community/ Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/discounts.php#current Plus Barcelona, Amsterdam, Brisbane, London and Austin all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php ****************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Third Party Windows Apps
Linux
Unix
Novell
Cross Platform
Web Application - Cross Site Scripting
Web Application
Network Device
PART I Critical Vulnerabilities

Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/risk/#process

Widely Deployed Software
  • (2) HIGH: Google Chrome Multiple Vulnerabilities
  • Affected:
    • Google Chrome prior to 11.0.696.57
  • Description: Google has released a patch addressing multiple security vulnerabilities in its Chrome web browser. Details are scarce on the vulnerabilities, but this is a particularly large patch with sixteen vulnerabilities rated "High" by Google. Vulnerabilities rated "High" are typically issues with stale pointers, buffer overflows, and other issues with memory corruption. By enticing a target to view a malicious page, an attacker can exploit vulnerabilities like these in order to execute arbitrary code on the target's machine.

  • Status: vendor confirmed, updates available

  • References:
  • (3) MEDIUM: IBM Rational System Architect
  • Affected:
    • System Architect prior to 11.4.0.3
    • System Architect prior to 11.3.1.4
  • Description: IBM has released a patch addressing security vulnerabilities in Rational System Architect, a tool used to model business processes and systems. The vulnerabilities are exposed via the ActiveX controls actbar.ocx and actbar2.ocx, which can be instantiated from Internet Explorer. The Save(), SaveLayoutchanges(), SaveMenuUsageData(), and SetLayoutData() methods are all vulnerable due to a design flaw in the application. By enticing a target to view a malicious site, an attacker can exploit these vulnerabilities in order to execute arbitrary code on the target's machine.

  • Status: vendor confirmed, updates available

  • References:
  • (4) MEDIUM: Libmodplug Stack Buffer Overflow Vulnerability
  • Affected:
    • applications using libmodplug, including current versions of VLC and XMMS
  • Description: Libmodplug, a library used by some popular open-source media players, is susceptible to a stack-buffer-overflow vulnerability. Libmodplug is used to play module music files. Module files contain music samples and patterns in which those samples should be replayed. They are similar to MIDI files but are guaranteed to sound the same on all platforms. By enticing a target to open a malicious module music file with a vulnerable application, an attacker can exploit this vulnerability in order to execute arbitrary code on the target's machine. A simple public proof of concept is available for this vulnerability.

  • Status: vendor not confirmed, updates not available

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 17, 2011

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com) This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 11219 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely. ______________________________________________________________________


  • 11.19.1 - CVE: CVE-2011-0340
  • Platform: Third Party Windows Apps
  • Title: Advantech Studio ISSymbol ActiveX Control Multiple Buffer Overflow Vulnerabilities
  • Description: Advantech Studio is an integrated collection of automation tools. The software is exposed to multiple buffer overflow issues because it fails to perform adequate checks on user-supplied input. Advantech Studio 6.1 SP6 Build 61.6.01.05 is affected; other versions may also be affected.
  • Ref: http://www.securityfocus.com/bid/47596/info

  • 11.19.2 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: 7T Interactive Graphical SCADA System ODBC Service Remote Stack-Based Buffer Overflow
  • Description: The 7T Interactive Graphical SCADA System is a SCADA application used for monitoring and controlling industrial processes. The application is exposed to a remote stack-based buffer overflow issue. Specifically, this issue occurs in the ODBC service when parsing a large amount of data sent to TCP port 20222, which is copied into a variable length buffer. Interactive Graphical SCADA System v9 is affected.
  • Ref: http://www.insomniasec.com/advisories/ISVA-110427.1.htm

  • 11.19.3 - CVE: CVE-2011-1207
  • Platform: Third Party Windows Apps
  • Title: Data Dynamics ActiveBar ActiveX Control Insecure Method
  • Description: Data Dynamics ActiveBar is a toolbar control for use on the Microsoft Windows operating system. The software is exposed to an issue caused by an insecure method. This issue occurs because the application fails to handle user-supplied input to the "Data" argument of the "SetLayoutData()" method. Data Dynamics ActiveBar 1.0.6.5 is affected.
  • Ref: http://www.securityfocus.com/bid/47643/info

  • 11.19.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Adobe Photoshop Multiple Unspecified Vulnerabilities
  • Description: Adobe Photoshop is an application that allows users to view and edit various graphic formats. Adobe Photoshop is exposed to multiple unspecified issues. Adobe Photoshop versions prior to CS5 12.0.4 are affected.
  • Ref: http://www.adobe.com/support/downloads/detail.jsp?ftpID=4973

  • 11.19.5 - CVE: CVE-2011-1758
  • Platform: Linux
  • Title: SSSD Kerberos Ticket Renewal Cached Password Security Bypass
  • Description: SSSD provides a set of daemons to manage access to remote directories and other authentication mechanisms. The application is exposed to a security bypass issue. Specifically, when SSSD is configured to use Kerberos automatic ticket renewal, a cached password is overwritten with a predictable cache filename which may allow attackers to bypass the authentication mechanism. Red Hat SSSD versions before 1.5.7 are affected.
  • Ref: https://fedorahosted.org/pipermail/sssd-devel/2011-April/006138.html

  • 11.19.6 - CVE: CVE-2011-1785, CVE-2011-1786
  • Platform: Unix
  • Title: VMware ESXi and ESX Multiple Remote Denial of Service
  • Description: VMware ESXi and ESX are virtualization applications. The applications are exposed to multiple remote denial of service issues. ESXi 4.0, 4.1 and ESX 4.0, 4.1 are affected.
  • Ref: http://www.securityfocus.com/archive/1/517739

  • 11.19.7 - CVE: CVE-2011-0466,CVE-2011-0462
  • Platform: Novell
  • Title: SuSE openSUSE Build Service Multiple Security Vulnerabilities
  • Description: SuSE openSUSE Build Service is a package building application. The application is exposed to multiple issues. 1) A cross-site scripting issue affects the login page of the "webui" component. 2) A security bypass issue in the "api" component allows an attacker without write access to modify packages. 3) A security bypass issue in the "api" component allows passwords to be changed by a foreign user while in LDAP mode. OpenSUSE Build Service (OBS) 2.0.x before 2.0.8 and 2.1.x before 2.1.6 are affected.
  • Ref: http://news.opensuse.org/2011/03/02/build-service-team-releases-new-versions-fix
    ing-security-problems/

  • 11.19.8 - CVE: CVE-2011-1484
  • Platform: Cross Platform
  • Title: JBoss Seam Expression Language (EL) Remote Code Execution
  • Description: JBoss Seam is a framework for developing web 2.0 applications. The software is exposed to a remote code execution issue because it fails to properly restrict access to JBoss Expression Language (EL) constructs during page exception handling. JBoss Group JBoss Seam 2.0.2, 2.0.2.SP1 and 2.0 GA are affected.
  • Ref: http://www.securityfocus.com/bid/47516/info

  • 11.19.9 - CVE: CVE-2011-1724
  • Platform: Cross Platform
  • Title: HP Virtual Server Environment Remote Code Execution
  • Description: HP Virtual Server Environment contains components that enhance the functionality and flexibility of a server environment. The software is exposed to a remote code execution issue. HP Virtual Server Environment versions prior to 6.3 are affected.
  • Ref: http://www.securityfocus.com/bid/47523/info

  • 11.19.10 - CVE: CVE-2011-1599
  • Platform: Cross Platform
  • Title: Asterisk Manager Interface Arbitrary Command Execution Security Bypass
  • Description: Asterisk is a private branch exchange (PBX) application. Asterisk is exposed to a security bypass issue that affects the manager interface. This issue occurs because the interface fails to properly perform certain security checks when handling specially crafted headers. Asterisk 1.6.1.x, 1.6.2.x and 1.8.x are affected.
  • Ref: http://downloads.asterisk.org/pub/security/AST-2011-006.html

  • 11.19.11 - CVE: CVE-2011-1821, CVE-2011-1822
  • Platform: Cross Platform
  • Title: IBM Tivoli Directory Server Multiple Vulnerabilities
  • Description: IBM Tivoli Directory Server is an LDAP based identity management application. The application is exposed to two security issues. 1) A denial of service issue because the application fails to properly handle certain change log search requests. 2) An information disclosure issue. IBM Tivoli Directory Server versions prior to 5.2.0.5-TIV-ITDS-IF0010 are affected.
  • Ref: https://www-304.ibm.com/support/docview.wss?uid=swg24029663

  • 11.19.12 - CVE: CVE-2011-1208
  • Platform: Cross Platform
  • Title: IBM solidDB "rpc_test_svc" Commands Multiple Denial of Service
  • Description: IBM solidDB is a relational SQL database. The application is exposed to multiple denial of service issues that affect the "solidDB.exe" service. Specifically, attackers can issue "rpc_test_svc_readwrite" and "rpc_test_svc_done" remote procedure commands through TCP port 2315 to trigger a NULL pointer exception. IBM solidDB versions 4.5.181 and below, 6.0.1068 and below, 6.3 Fix Pack 7 and below, 6.5 Fix Pack 3 and below are affected.
  • Ref: https://www-304.ibm.com/support/docview.wss?uid=swg21496106


  • 11.19.14 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Up.time Software Administration Interface Remote Authentication Bypass
  • Description: Up.time is IT systems management software. The application is exposed to a remote authentication bypass issue that affects the administration interface, which runs on TCP port 9999. Specifically, when the administration interface is loaded for the first time, it contains a function designed to set the administrator password. Though the process is completed, the code is left behind, which can allow an attacker to bypass server authentication and reset account passwords. Up.time 5 is affected; other versions may also be affected.
  • Ref: http://www.insomniasec.com/advisories/ISVA-110427.2.htm

  • 11.19.15 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Netop Remote Control ".dws" File Buffer Overflow
  • Description: Netop Remote Control is a remote server management application. The application is exposed to a buffer overflow issue because it fails to perform adequate checks on user-supplied input. Specifically, this issue occurs when processing a specially crafted ".dws" file. Netop Remote Control versions 9.5, 9.2, 9.1 and 8.0 are affected.
  • Ref: http://www.securityfocus.com/bid/47631/discuss

  • 11.19.16 - CVE:CVE-2011-1202,CVE-2011-0081,CVE-2011-0080,CVE-2011-0079,CVE-2011-0078,CVE-2011-0077,CVE-2011-0076,CVE-2011-0075,CVE-2011-0074,CVE-2011-0073,CVE-2011-0072,CVE-2011-0071,CVE-2011-0070,CVE-2011-0069,CVE-2011-0068,CVE-2011-0067,CVE-2011-0066,CVE-2011-0065
  • Platform: Cross Platform
  • Title: Mozilla Firefox/Thunderbird/SeaMonkey Multiple Vulnerabilities
  • Description: Firefox is a browser. SeaMonkey is a suite of applications that includes a browser and an email client. Thunderbird is an email client. Mozilla Firefox, SeaMonkey, and Thunderbird are exposed to multiple memory corruption issues. See the reference below for further details. Affected versions: Firefox version 3.6.x before 3.6.17, 3.5.x before 3.5.19, Thunderbird version 3.x before 3.1.10, and SeaMonkey version 2.x before 2.0.14.
  • Ref: http://www.mozilla.org/security/announce/2011/mfsa2011-12.html

  • 11.19.17 - CVE:CVE-2011-1736,CVE-2011-1735,CVE-2011-1734,CVE-2011-1733,CVE-2011-1732,CVE-2011-1731,CVE-2011-1730,CVE-2011-1729,CVE-2011-1728
  • Platform: Cross Platform
  • Title: HP OpenView Storage Data Protector Multiple Unspecified Remote Code Execution
  • Description: HP OpenView Storage Data Protector is a commercial data management product for backup and recovery operations. The software is exposed to multiple unspecified remote code execution issues. HP OpenView Storage Data Protector v6.00, v6.10, and v6.11 running on Windows are affected.
  • Ref: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02810240

  • 11.19.18 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Embarcadero InterBase XE "connect" Request Stack Buffer Overflow
  • Description: Embarcadero InterBase XE is a database. The application is exposed to a stack-based buffer overflow issue that affects the "ibserver.exe" process, which listens by default on TCP port 3050. The issue can be triggered when a specially crafted "connect" message is sent to the affected service. Embarcadero InterBase XE and InterBase SMP 2009 versions 9.0.3.437 and 9.0.2.369 are affected.
  • Ref: http://www.securityfocus.com/archive/1/517773

  • 11.19.19 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Asterisk SIP INVITE Request User Enumeration Weakness
  • Description: Asterisk is a private branch exchange application. The software is exposed to a user enumeration weakness. This issue occurs because the application responds differently when enumerating valid and invalid SIP usernames using the "INVITE" request. Asterisks 1.8 is affected.
  • Ref: http://www.securityfocus.com/bid/47676/info

  • 11.19.20 - CVE: CVE-2011-1825
  • Platform: Web Application - Cross Site Scripting
  • Title: CA Arcot WebFort Versatile Authentication Server Cross-Site Scripting
  • Description: CA Arcot WebFort Versatile Authentication provides solutions to deploy authentication methods. The application is exposed to a cross-site scripting issue because it fails to sufficiently sanitize certain unspecified user-supplied data submitted to the administration console. Versions prior to CA Arcot WebFort Versatile Authentication Server 6.2.5 are affected.
  • Ref: https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={A71F5839-D2
    14-4719-B918-4476E4537998}

  • 11.19.21 - CVE: CVE-2011-1423
  • Platform: Web Application - Cross Site Scripting
  • Title: RSA Data Loss Prevention (DLP) Enterprise Manager Unspecified Cross-Site Scripting
  • Description: RSA Data Loss Prevention (DLP) Enterprise Manager is a data integrity application. The software is exposed to an unspecified cross-site scripting issue because it fails to properly sanitize user-supplied input. RSA Data Loss Prevention (DLP) Enterprise Manager versions 8.x are affected.
  • Ref: http://www.securityfocus.com/archive/1/517763

  • 11.19.22 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: LDAP Account Manager "selfserviceSaveOk" Parameter Cross-Site Scripting
  • Description: LDAP Account Manager is a web frontend for managing accounts stored in an LDAP directory. The application is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied data submitted to the "selfserviceSaveOk" parameter of the "templates/login.php" script. This issue occurs in "lib/status.inc". LDAP Account Manager 3.4.0 is affected; other versions may also be affected.
  • Ref: http://www.autosectools.com/Advisory/LDAP-Account-Manager-3.4.0-Reflected-Cross-
    site-Scripting-193

  • 11.19.23 - CVE: Not Available
  • Platform: Web Application
  • Title: Trustwave WebDefend Local Privilege Escalation
  • Description: Trustwave WebDefend is a web application firewall appliance. The appliance is exposed to a local privilege escalation issue. Specifically, the issue occurs because the appliance executes the login script of the operator account ("/opt/breach/bwd/bin/bgadmin_cli") with root privileges. Trustwave WebDefend 5.0 is affected; other versions may also be affected.
  • Ref: http://www.securitypentest.com/2011/04/trustwave-webdefend-privilege.html

  • 11.19.24 - CVE:CVE-2011-1606,CVE-2011-1609,CVE-2011-1610,CVE-2011-1607,CVE-2011-1604,CVE-2011-1605
  • Platform: Web Application
  • Title: Cisco Unified Communications Manager SIP Message Multiple Vulnerabilities
  • Description: Cisco Unified Communications Manager is a software based call processing component of the Cisco IP telephony solution. CUCM is exposed to multiple remote issues. 1) Multiple denial of service issues when handling specially crafted SIP messages. 2) Multiple unspecified SQL injection issues. 3) A directory traversal issue while processing "POST" requests. Cisco Unified Communications Manager versions 6.x, 7.x and 8.x are affected.
  • Ref: http://www.cisco.com/warp/public/707/cisco-sa-20110427-cucm.shtml

  • 11.19.25 - CVE: Not Available
  • Platform: Web Application
  • Title: SMSGATE.4 Multiple Remote Denial Of Service and Memory Corruption
  • Description: SMSGATE.4 is a web-based application. The application is exposed to multiple remote issues. 1) A memory corruption issue occurs because of an error in processing certain XML requests. 2) A denial of service issue occurs because of an error in processing overly large HTTP "GET" requests through URI parameters. SMSGATE.4 versions prior to SMSGATE.4 4.07r are affected.
  • Ref: http://dsecrg.com/pages/vul/show.php?id=319

  • 11.19.26 - CVE: Not Available
  • Platform: Web Application
  • Title: Proofpoint Protection Server Multiple Input Validation Security Vulnerabilities
  • Description: Proofpoint Protection Server is a web-based security application. The application is exposed to multiple security issues. 1) An authentication bypass issue due to a failure to sufficiently sanitize user-supplied input. 2) A command injection issue due to a failure to adequately sanitize unspecified user-supplied input. 3) An unspecified SQL injection issue. 4) A security bypass issue due to a failure to sufficiently sanitize user-supplied input. 5) An unspecified directory traversal issue due to a failure to sufficiently sanitize user-supplied input. Proofpoint Protection Server versions 6.2.0, 6.1.1, 6.0.2, and 5.5.3 to 5.5.5 are affected.
  • Ref: http://www.securityfocus.com/bid/47675/discuss

  • 11.19.27 - CVE: Not Available
  • Platform: Network Device
  • Title: Avaya CS1000 Communications Server Remote Denial of Service
  • Description: Avaya CS1000 Communications Server is an IP telephony server. The application is exposed to a remote denial of service issue. Specifically, the issue occurs when listening to UDP port 5100. Avaya Communication Server 1000 CS1000E 5.5, CS1000M 5.5 and CS1000E/CS1000M Signaling Server are affected.
  • Ref: https://support.avaya.com/css/P8/documents/100133768

  • 11.19.28 - CVE: Not Available
  • Platform: Network Device
  • Title: Blue Coat BCAAA Stack Buffer Overflow
  • Description: Blue Coat BCAAA is an authentication and authorization agent. The application is exposed to a stack-based buffer overflow issue because it fails to perform adequate boundary checks on user-supplied input. Specifically, this issue occurs while handling specially crafted packets sent to TCP port 16102. All versions of BCAAA associated with ProxySG releases available prior to April 21, 2011 or with a build number less than 60258 are affected, and all versions of BCAAA associated with ProxyOne are affected.
  • Ref: https://kb.bluecoat.com/index?page=content&id=SA55

(c) 2011. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge by the SANS Institute to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization. For a free subscription or to update a current subscription, visit http://portal.sans.org/