
@RISK: The Consensus Security Vulnerability Alert

Volume: X, Issue: 18
May 12, 2011

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Platform                                  Number of Updates and Vulnerabilities
    ------------------------                  -------------------------------------
    Windows                                   1 (#1)
    Microsoft Office                          1
    Other Microsoft Products                  1
    Third Party Windows Apps                  3
    Mac Os                                    1
    Linux                                     2
    Cross Platform                            11 (#2)
    Web Application - Cross Site Scripting    3
    Web Application - SQL Injection           1
    Web Application                           1
    Network Device                            1

*********************** Sponsored By SANS **********************

Announcing New SANS Reading Room Papers!

1. The highly-anticipated SANS 7th Annual Log Management Survey Report is now available in the SANS Reading Room here: http://www.sans.org/info/77184

2. A new survey on network security and resiliency is available in the SANS Reading Room here: http://www.sans.org/info/77189

*****************************************************************
TRAINING UPDATE
- -- SANS Cyber Guardian 2011, Baltimore, MD, May 15-22, 2011
  8 courses. Bonus evening presentations include Windows Exploratory Surgery with Process Hacker and State of the Hack: Stuxnet.
  http://www.sans.org/cyber-guardian-2011/
- -- SANS Rocky Mountain 2011, Denver, CO, June 25-30, 2011
  7 courses. Bonus evening presentations include SANS Hacklab and Why End Users are Your Weakest Link
  http://www.sans.org/rocky-mountain-2011/
- -- SANSFIRE 2011, Washington, DC, July 15-24, 2011
  40 courses. Bonus evening presentations include Ninja developers: Penetration testing and Your SDLC; and Are Your Tools Ready for IPv6?
  http://www.sans.org/sansfire-2011/
- -- SANS Boston 2011, Boston, MA, August 8-15, 2011
  12 courses. Bonus evening presentations include Cost Effectively Implementing PCI through the Critical Controls; and More Practical Insights on the 20 Critical Controls
  http://www.sans.org/boston-2011/
- -- SANS Virginia Beach 2011, August 22 - September 2, 2011
  11 courses. Bonus evening presentations include SANS Hacklab; Offensive Countermeasures; and Evolving VoIP Threats
  http://www.sans.org/virginia-beach-2011/
- -- Looking for training in your own community? http://sans.org/community/
Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/discounts.php#current
Plus Barcelona, London, Austin, and Canberra all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
*****************************************************************

Table Of Contents
Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)
    Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
    Windows
    Microsoft Office
    Other Microsoft Products
    Third Party Windows Apps
    Mac Os
    Linux
    Cross Platform
    Web Application - Cross Site Scripting
    Web Application - SQL Injection
    Web Application
    Network Device

    ************************** Sponsored Link: **********************

    1) REGISTER NOW for the upcoming SANS Webcast: Security of Applications: It Takes a Village
    Featuring Dave Shackleford and Brad Arkin
    Start Time: 1:00 PM ET (1700 UTC/GMT)
    Sponsored by: Adobe Systems, Inc.
    http://www.sans.org/info/77194
    *****************************************************************

    PART I Critical Vulnerabilities

    Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/risk/#process

    *****************************

    Widely Deployed Software
    • (1) HIGH: Microsoft Products Multiple Vulnerabilities
    • Affected:
      • Microsoft Windows Server
      • Avaya Messaging Application Server
      • Avaya Meeting Exchange
      • Avaya Communication Server 1000 Telephony Manager 4.0
      • Avaya CallPilot
      • Avaya Aura Conferencing
      • Microsoft PowerPoint
    • Description: Microsoft has released patches addressing multiple security vulnerabilities in its products. Two of the issues are unspecified vulnerabilities triggered when PowerPoint handles a malformed presentation file; they can be exploited for code execution by enticing a target to open a malicious file. The third issue is a flaw in Microsoft's Windows Internet Name Service (WINS), Microsoft's NetBIOS name-resolution service. It can be exploited by sending a malicious request to the service, and a successful attack leads to code execution with SYSTEM-level privileges.

    • Status: vendor confirmed, updates available

    • References:
    • (2) HIGH: Google Chrome Code Execution Vulnerability
    • Affected:
      • current version of Google Chrome
    • Description: Vupen has discovered significant flaws in Google Chrome that an attacker can use for arbitrary code execution. Details of the vulnerabilities used have not been released, but Vupen claims to have bypassed DEP (Data Execution Prevention) and ASLR (Address Space Layout Randomization). Both DEP and ASLR are mitigation strategies: they are designed to limit the damage from implementation errors that let an attacker overwrite control data in memory, such as return addresses and function pointers. DEP prevents direct execution of memory marked as data, while ASLR randomizes the addresses at which code and data are mapped so that an attacker cannot know in advance where to redirect execution. Both are intended to make exploit development more challenging, but modern exploits like the one Vupen disclosed chain multiple vulnerabilities to overcome these obstacles. By enticing the target to view a malicious site, an attacker can exploit this vulnerability to execute arbitrary code on the target's machine.

    • Status: vendor confirmed, updates available

    • References:
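Added example (not part of the bulletin, nor code from Vupen or Google): a small Python checker that reads an ELF64 binary's program headers and reports whether the two mitigations just described are in effect for that image, NX/DEP via the PT_GNU_STACK segment flags and ASLR of the main image via PIE (ET_DYN). The `build_elf` helper constructs minimal sample images inline; the checker assumes a little-endian ELF64 layout, and Windows PE binaries express the equivalent opt-ins (NXCOMPAT, DYNAMICBASE) in a different header that it does not parse.

```python
import struct
import sys
from typing import Dict, Optional

# ELF constants from the ELF specification
ELF_MAGIC = b"\x7fELF"
ELFCLASS64 = 2
ET_EXEC, ET_DYN = 2, 3
PT_LOAD = 1
PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4

EHDR = struct.Struct("<16sHHIQQQIHHHHHH")  # little-endian ELF64 header, 64 bytes
PHDR = struct.Struct("<IIQQQQQQ")          # little-endian ELF64 program header, 56 bytes


def check_mitigations(data: bytes) -> Dict[str, bool]:
    """Report NX (DEP) and PIE (image ASLR) status of a little-endian ELF64 image.

    nx : a PT_GNU_STACK segment is present without PF_X, so the loader maps the
         stack non-executable; without that segment the stack is executable.
    pie: e_type is ET_DYN, so the kernel can load the image at a randomised base
         and ASLR covers the program's own code and data, not only libraries.
    """
    if len(data) < EHDR.size or data[:4] != ELF_MAGIC or data[4] != ELFCLASS64:
        raise ValueError("not a 64-bit ELF image")
    (_ident, e_type, _mach, _ver, _entry, e_phoff, _shoff, _flags,
     _ehsize, e_phentsize, e_phnum, *_rest) = EHDR.unpack_from(data, 0)
    if e_phentsize != PHDR.size or e_phoff + e_phnum * e_phentsize > len(data):
        raise ValueError("program header table is malformed or truncated")
    nx = False
    for i in range(e_phnum):
        p_type, p_flags, *_ = PHDR.unpack_from(data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)
    return {"nx": nx, "pie": e_type == ET_DYN}


def build_elf(e_type: int, stack_flags: Optional[int]) -> bytes:
    """Construct a minimal ELF64 image (header plus program headers only).

    This is a constructed sample for exercising the checker; it is not loadable.
    stack_flags=None omits PT_GNU_STACK, as very old toolchains did.
    """
    phdrs = [PHDR.pack(PT_LOAD, PF_R | PF_X, 0, 0x400000, 0x400000,
                       0x1000, 0x1000, 0x1000)]
    if stack_flags is not None:
        phdrs.append(PHDR.pack(PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 0x10))
    ident = ELF_MAGIC + bytes([ELFCLASS64, 1, 1, 0]) + b"\0" * 8
    ehdr = EHDR.pack(ident, e_type, 62, 1, 0x401000, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, len(phdrs), 64, 0, 0)
    return ehdr + b"".join(phdrs)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # check a real binary given on the command line
        with open(sys.argv[1], "rb") as f:
            print(sys.argv[1], check_mitigations(f.read()))
    else:  # walk the constructed samples: hardened, legacy, and no-GNU_STACK
        for label, img in [("pie+nx", build_elf(ET_DYN, PF_R | PF_W)),
                           ("exec+xstack", build_elf(ET_EXEC, PF_R | PF_W | PF_X)),
                           ("exec, no GNU_STACK", build_elf(ET_EXEC, None))]:
            print(label, check_mitigations(img))
```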
    Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
    Week 18, 2011

    This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 11251 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.
    ______________________________________________________________________


    • 11.20.1 - CVE: CVE-2011-1248
    • Platform: Windows
    • Title: Microsoft Windows Internet Name Service (WINS) Remote Code Execution Vulnerability
    • Description: Microsoft Windows Internet Naming Service (WINS) is a protocol used to support NetBIOS over TCP/IP and to locate network resources. WINS is exposed to a remote code execution vulnerability because it fails to properly validate certain replication packets during a socket-send exception event. Windows Server 2003, Windows Server 2008 (except Itanium), and Windows Server 2008 R2 (except Itanium) are affected.
    • Ref: http://www.microsoft.com/technet/security/Bulletin/MS11-035.mspx

    • 11.20.2 - CVE: CVE-2011-1269, CVE-2011-1270
    • Platform: Microsoft Office
    • Title: Microsoft PowerPoint Remote Code Execution
    • Description: Microsoft PowerPoint is a presentation application. The application is exposed to two remote code execution issues: an issue due to an error in memory handling during function calls and an issue that occurs when parsing a specially crafted PowerPoint file because the application fails to properly bounds check user-supplied input. Microsoft PowerPoint 2002, 2003 and 2007; Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 2; Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac and Open XML File Format Converter for Mac are affected.
    • Ref: http://www.microsoft.com/technet/security/bulletin/MS11-036.mspx

    • 11.20.3 - CVE: CVE-2011-1845, CVE-2011-1844
    • Platform: Other Microsoft Products
    • Title: Microsoft Silverlight Multiple Remote Denial Of Service Vulnerabilities
    • Description: Microsoft Silverlight is a web application framework that provides support for .NET applications. The application is exposed to multiple denial of service issues. Silverlight 4.0 prior to 4.0.60310 is affected.
    • Ref: http://support.microsoft.com/kb/2526954

    • 11.20.4 - CVE: CVE-2011-1789, CVE-2011-1788, CVE-2011-0426
    • Platform: Third Party Windows Apps
    • Title: VMware vCenter Server and vSphere Client Multiple Security Vulnerabilities
    • Description: The VMware vCenter server is used to manage VMware vSphere. The application is exposed to the following issues: a directory traversal issue in the vCenter server, an information disclosure issue and a weakness in the vSphere client installer package. VMware vCenter Server 4.1, vCenter Server 4.0 Update 2 and earlier, VirtualCenter 2.5 Update 6 and earlier, ESXi 4.1 GA, ESXi 4.0, ESX 4.1 GA and ESX 4.0 are affected.
    • Ref: http://www.vmware.com/security/advisories/VMSA-2011-0008.html

    • 11.20.5 - CVE: Not Available
    • Platform: Third Party Windows Apps
    • Title: Sybase M-Business Anywhere Multiple Remote Code Execution Vulnerabilities
    • Description: Sybase M-Business Anywhere is a development tool for mobile applications. Sybase M-Business Anywhere is exposed to multiple remote code execution issues because it fails to properly validate user-supplied input. M-Business Anywhere 6.7 and 7.0 are affected.
    • Ref: http://www.sybase.com/detail?id=1093029

    • 11.20.6 - CVE: CVE-2011-1854, CVE-2011-1853, CVE-2011-1852, CVE-2011-1851, CVE-2011-1850, CVE-2011-1849, CVE-2011-1848
    • Platform: Third Party Windows Apps
    • Title: HP Intelligent Management Center Multiple Remote Code Execution Vulnerabilities
    • Description: HP Intelligent Management Center (IMC), formerly 3Com IMC, is a network management application. The software is exposed to multiple remote code execution issues. HP IMC 5.0_E0101L01 and 5.0_E0101, 3Com IMC 3.3.9 R2 606, 3.3 SP2 R2 606 and 3.3 SP1 R2 606 are affected.
    • Ref: http://www.securityfocus.com/bid/47789/info

    • 11.20.7 - CVE: Not Available
    • Platform: Mac Os
    • Title: Skype Technologies Skype for Mac Unspecified Remote Code Execution Vulnerability
    • Description: Skype is peer-to-peer communications software that supports internet based voice communications. Skype for Mac is exposed to an unspecified remote code execution issue that occurs when handling a specially crafted message. Skype for Mac OS X client version 5.x is affected.
    • Ref: http://blogs.skype.com/security/2011/05/security_vulnerability_in_mac.html

    • 11.20.8 - CVE: CVE-2011-1535
    • Platform: Linux
    • Title: HP Insight Control for Linux Unspecified Privilege Escalation
    • Description: HP Insight Control Suite for Linux is a management interface for Linux based servers. Insight Control Suite for Linux is exposed to an unspecified privilege escalation issue. Versions prior to HP Insight Control for Linux 6.3 are affected.
    • Ref: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02794777

    • 11.20.9 - CVE: CVE-2011-1770
    • Platform: Linux
    • Title: Linux Kernel DCCP Option Length Remote Denial of Service Vulnerability
    • Description: The Linux kernel is exposed to a remote denial of service issue because of an integer underflow error when parsing Datagram Congestion Control Protocol (DCCP) options. Linux kernel versions prior to 2.6.39-rc4 are affected.
    • Ref: http://www.securityfocus.com/bid/47769/info

    • 11.20.10 - CVE: CVE-2011-1827
    • Platform: Cross Platform
    • Title: Check Point SSL VPN On Demand Applications Remote Code Execution Vulnerability
    • Description: Check Point SSL Network Extender, SecureWorkSpace and Endpoint Security On Demand are light clients that provide on-demand remote connectivity. Multiple Check Point SSL VPN on-demand applications are exposed to a remote code execution issue when they are deployed through a web browser. Check Point Software SecurePlatform versions R75, R71.30, R70.40, R65.70, IPSO6 versions R75, R71.30, R70.40, R65.70, VSX versions R67, R65.20 and Connectra versions R66.1n, R66.1 are affected.
    • Ref: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk62410

    • 11.20.11 - CVE: CVE-2011-1839
    • Platform: Cross Platform
    • Title: IBM Rational Build Forge Session ID Information Disclosure
    • Description: IBM Rational Build Forge is an adaptive process execution framework. The application is exposed to an information disclosure issue that may allow attackers to harvest session IDs. Rational Build Forge 7.1.0 is affected; other versions may also be affected.
    • Ref: https://www-304.ibm.com/support/docview.wss?uid=swg1PM29655

    • 11.20.12 - CVE: CVE-2011-1499
    • Platform: Cross Platform
    • Title: Tinyproxy "conf.c" Integer Overflow Security Bypass Vulnerability
    • Description: Tinyproxy is an HTTP proxy daemon for POSIX operating systems. The application is exposed to a security bypass issue caused by an integer overflow in the "conf.c" source file when handling invalid TCP port numbers. Tinyproxy 1.8.2 is affected.
    • Ref: http://www.securityfocus.com/bid/47715/info

    • 11.20.13 - CVE: CVE-2011-0311
    • Platform: Cross Platform
    • Title: IBM Runtimes for Java Technology Class File Parsing Denial Of Service
    • Description: IBM Runtimes for Java Technology is a Java application. The application is exposed to a denial of service issue because it fails to properly handle specially crafted class files. Specifically, this issue occurs when parsing a specially crafted class file that contains an invalid attribute length field. IBM Runtimes for Java Technology versions 6.0 and 5.0 are affected.
    • Ref: http://www-01.ibm.com/support/docview.wss?uid=swg1IZ89602

    • 11.20.14 - CVE: CVE-2011-1907
    • Platform: Cross Platform
    • Title: ISC BIND 9 RRSIG Query Type Remote Denial of Service
    • Description: ISC BIND (Berkeley Internet Name Domain) is an implementation of the DNS protocols. ISC BIND is exposed to a remote denial of service issue because it fails to properly handle specially crafted dynamic update requests. Specifically, a query of type "RRSIG" for a name configured for RRset replacement will trigger an assertion failure and cause the name server process to exit. ISC BIND version 9.8.0 is affected.
    • Ref: https://www.isc.org/CVE-2011-1907

    • 11.20.15 - CVE: CVE-2011-1764
    • Platform: Cross Platform
    • Title: Exim "dkim_exim_verify_finish()" Remote Format String Vulnerability
    • Description: Exim is a mail transfer agent application available for Linux-based and Unix-based operating systems. Exim is exposed to a remote format string issue. This issue occurs because the application fails to sanitize user-supplied data to the "dkim_exim_verify_finish()" function of the "src/dkim.c" source file. Specifically, this issue occurs when handling DKIM signatures containing format string specifiers. Versions prior to Exim 4.76 RC1 are vulnerable.
    • Ref: https://lists.exim.org/lurker/message/20110506.112357.e99a8db1.en.html

    • 11.20.16 - CVE: CVE-2011-1824
    • Platform: Cross Platform
    • Title: Opera Web Browser "SELECT" HTML Tag Remote Memory Corruption Vulnerability
    • Description: Opera is a web browser available for multiple operating systems. The browser is exposed to a remote memory corruption issue. The issue is caused by an arbitrary memory write due to a "SELECT" tag with a very large "SIZE" parameter. Opera web browser versions 10.60 and prior are affected.
    • Ref: http://www.toucan-system.com/advisories/tssa-2011-02.txt

    • 11.20.17 - CVE: CVE-2011-0761
    • Platform: Cross Platform
    • Title: Perl Multiple NULL Pointer Dereference Denial Of Service Vulnerabilities
    • Description: Perl is a programming language. The application is exposed to multiple denial of service issues caused by a NULL pointer dereference error. Specifically, the issue affects the following functions: getpeername(), readdir(), closedir(), getsockname(), readdir(), rewinddir(), tell() and telldir(). Perl versions 5.10.x are affected.
    • Ref: http://www.toucan-system.com/advisories/tssa-2011-03.txt

    • 11.20.18 - CVE: Not Available
    • Platform: Cross Platform
    • Title: Google Chrome Unspecified Remote Code Execution Vulnerability
    • Description: Google Chrome is a web browser for multiple platforms. Google Chrome is exposed to an unspecified remote code execution issue. The issue involves ASLR/DEP and sandbox bypassing. Google Chrome 11.0.696.65 is affected.
    • Ref: http://www.vupen.com/demos/VUPEN_Pwning_Chrome.php

    • 11.20.19 - CVE: CVE-2011-1720
    • Platform: Cross Platform
    • Title: Postfix SMTP Server Cyrus SASL Support Memory Corruption Vulnerability
    • Description: Postfix is an open source Message Transfer Agent. The software is exposed to a memory corruption issue that affects the SMTP server when Cyrus SASL support is enabled. Postfix 2.5.x prior to 2.5.13, 2.6.x prior to 2.6.19, 2.7.x prior to 2.7.4 and 2.8.x prior to 2.8.3 are affected.
    • Ref: http://www.securityfocus.com/bid/47778/info

    • 11.20.20 - CVE: CVE-2011-1583
    • Platform: Cross Platform
    • Title: Xen Multiple Buffer Overflow and Integer Overflow Vulnerabilities
    • Description: Xen is an open source hypervisor or virtual machine monitor. The software is exposed to multiple security issues. A buffer overflow issue affects the "xc_try_bzip2_decode()" function in the decoding loop. A buffer overflow issue affects the "xc_try_lzma_decode()" function in the decoding loop. Multiple unspecified integer overflow errors could trigger an infinite loop. Xen 3.3.1, Xen 3.3, Xen 3.2, Xen 3.1.2, Xen 3.1.1, Xen 3.0.3, Xen 4.0 and Xen 3.0 are affected.
    • Ref: http://www.securityfocus.com/advisories/22062

    • 11.20.21 - CVE: Not Available
    • Platform: Web Application - Cross Site Scripting
    • Title: IceWarp Server Multiple Cross-Site Scripting Vulnerabilities
    • Description: IceWarp Server is a mail server for Microsoft Windows and Linux. The software is exposed to multiple cross-site scripting issues because it fails to sufficiently sanitize user-supplied input. IceWarp Server 10.2.x versions are affected.
    • Ref: http://www.securityfocus.com/bid/47723/info

    • 11.20.22 - CVE: Not Available
    • Platform: Web Application - Cross Site Scripting
    • Title: BMC Remedy Knowledge Management Default Account and Multiple Cross-Site Scripting
    • Description: BMC Remedy Knowledge Management is a help desk application. The application is exposed to multiple remote security issues. Multiple cross-site scripting issues affect the application because it fails to sufficiently sanitize user-supplied data. A default account issue allows attackers to bypass authentication and access resources through the "Self%20Help" account. Remedy Knowledge Management version 7.5.00 is affected; other versions may also be affected.
    • Ref: http://www.securityfocus.com/archive/1/517888

    • 11.20.23 - CVE: CVE-2011-1772
    • Platform: Web Application - Cross Site Scripting
    • Title: Apache Struts XWork "s:submit" HTML Tag Cross-Site Scripting
    • Description: Apache Struts is a framework for building web applications. The application is exposed to a cross-site scripting issue because "XWork" fails to sufficiently sanitize the action or method names submitted to the "<s:submit>" HTML tag. Apache Struts versions 2.0.0 through 2.2.1.1 are affected.
    • Ref: https://issues.apache.org/jira/browse/WW-3579

    • 11.20.24 - CVE: CVE-2010-4284
    • Platform: Web Application - SQL Injection
    • Title: Samsung Integrated Management System DMS SQL Injection
    • Description: Samsung Integrated Management System DMS is a system that manages multiple air conditioning systems. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data. This issue exists in the web interface of the application. Samsung Integrated Management System versions 1.3.3, 1.4.1 and 1.4.2 are affected.
    • Ref: http://www.securityfocus.com/bid/47746/discuss

    • 11.20.25 - CVE: CVE-2010-4802, CVE-2010-4803, CVE-2009-5074
    • Platform: Web Application
    • Title: Mojolicious Multiple Vulnerabilities
    • Description: Mojolicious is a web framework for the Perl programming language. The software is exposed to multiple issues. An unspecified issue exists due to an error in "Commands.pm". An HTML injection issue exists in the "link_to_helper" section. An unspecified issue exists in the implementation of "HMAC-MD5" checksums. An unspecified issue exists in the "MojoX::Dispatcher::Static" implementation. Mojolicious versions prior to 1.12 are affected.
    • Ref: http://www.securityfocus.com/bid/47717

    • 11.20.26 - CVE: Not Available
    • Platform: Network Device
    • Title: Cisco IOS SNMP Message Processing Remote Denial of Service
    • Description: Cisco Internet Operating System (IOS) runs on Cisco networking devices. The Simple Network Management Protocol (SNMP) is used by the affected devices to allow remote configuration. The software is exposed to a remote denial of service issue because of an error while processing SNMP messages. Cisco router 2921/K9 running IOS 15.0(1r)M6 is affected. Previous versions may also be affected.
    • Ref: http://www.cisco.com/warp/public/707/cisco-sr-20110505-ios.shtml

    (c) 2011. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

    Subscriptions: @RISK is distributed free of charge by the SANS Institute to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization. For a free subscription or to update a current subscription, visit http://portal.sans.org/