
@RISK: The Consensus Security Vulnerability Alert

Volume: X, Issue: 19
May 19, 2011

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Summary of Updates and Vulnerabilities in this Consensus

    Platform                                  Number of Updates and Vulnerabilities
    ------------------------                  -------------------------------------
    Other Microsoft Products                  1
    Third Party Windows Apps                  5
    Linux                                     1
    Cross Platform                            12 (#1,#2)
    Web Application - Cross Site Scripting    3
    Web Application - SQL Injection           1
    Web Application                           2
    Network Device                            2

*****************************************************************
TRAINING UPDATE

- -- SANS Cyber Guardian 2011, Baltimore, MD, May 15-22, 2011
8 courses. Bonus evening presentations include Windows Exploratory Surgery with Process Hacker and State of the Hack: Stuxnet.
http://www.sans.org/cyber-guardian-2011/

- -- SANS Rocky Mountain 2011, Denver, CO, June 25-30, 2011
7 courses. Bonus evening presentations include SANS Hacklab and Why End Users are Your Weakest Link.
http://www.sans.org/rocky-mountain-2011/

- -- SANSFIRE 2011, Washington, DC, July 15-24, 2011
40 courses. Bonus evening presentations include Ninja Developers: Penetration Testing and Your SDLC; and Are Your Tools Ready for IPv6?
http://www.sans.org/sansfire-2011/

- -- SANS Boston 2011, Boston, MA, August 8-15, 2011
12 courses. Bonus evening presentations include Cost Effectively Implementing PCI through the Critical Controls; and More Practical Insights on the 20 Critical Controls.
http://www.sans.org/boston-2011/

- -- SANS Virginia Beach 2011, August 22 - September 2, 2011
11 courses. Bonus evening presentations include SANS Hacklab; Offensive Countermeasures; and Evolving VoIP Threats.
http://www.sans.org/virginia-beach-2011/

- -- SANS Ottawa 2011, Ottawa, Ontario, August 28 - September 2, 2011
5 courses. Bonus evening presentations include DNS Sinkhole: Peer Into Your Network While You Sleep; and I See What You Did There: Forensic Time Line Analysis.
http://www.sans.org/ottawa-2011/

- -- Looking for training in your own community? http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/discounts.php#current

Plus Barcelona, London, Austin, and Canberra all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
*****************************************************************

Table Of Contents

    Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)
    Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
        Other Microsoft Products
        Third Party Windows Apps
        Linux
        Cross Platform
        Web Application - Cross Site Scripting
        Web Application - SQL Injection
        Web Application
        Network Device

    PART I Critical Vulnerabilities

    Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/risk/#process

    *************************************************************

    Widely Deployed Software

    Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
    Week 19, 2011

    Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

    This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 11290 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.

    ______________________________________________________________________


    • 11.21.1 - CVE: CVE-2011-1271
    • Platform: Other Microsoft Products
    • Title: Microsoft .NET Framework JIT Compiler Optimization NULL String Security Bypass
    • Description: The Microsoft .NET Framework is a software framework for applications designed to run under Microsoft Windows. It supports a security model that limits the privileges granted to .NET applications. The application is exposed to a security bypass issue that affects Just-In-Time (JIT) compiler optimization on x86 architectures. The Microsoft .NET Framework versions 1.0, 2.0, 3.0 and 3.5 are affected.
    • Ref: http://stackoverflow.com/questions/2135509/bug-only-occurring-when-compile-optimization-enabled/

    • 11.21.2 - CVE: Not Available
    • Platform: Third Party Windows Apps
    • Title: Symantec Backup Exec System Recovery "GEARAspiWDM.sys" Denial of Service
    • Description: Symantec Backup Exec System Recovery is an application for system recovery. The application is exposed to a denial of service issue because the CD/DVD filter driver "GEARAspiWDM.sys" does not properly check for all the inputs of an IOCTL. Symantec Backup Exec System Recovery 8.5 is affected; other versions may also be affected.
    • Ref: http://www.securityfocus.com/bid/47822/discuss

    • 11.21.3 - CVE: CVE-2011-0614, CVE-2011-0615
    • Platform: Third Party Windows Apps
    • Title: Adobe Audition ".ses" Buffer Overflow
    • Description: Adobe Audition is audio production software. The application is exposed to a memory corruption issue because it fails to perform adequate boundary checks on user-supplied input. Specifically, the issue is triggered while parsing several fields inside the TRKM chunk included in a session (".ses") file. Adobe Audition 3.0.1 is vulnerable; other versions may also be affected.
    • Ref: http://www.adobe.com/support/security/bulletins/apsb11-10.html

    • 11.21.4 - CVE: CVE-2011-1900
    • Platform: Third Party Windows Apps
    • Title: InduSoft Web Studio Directory Traversal
    • Description: InduSoft Web Studio is a web server application. The application is exposed to a directory traversal issue because it fails to sufficiently sanitize user-supplied input. InduSoft Web Studio versions prior to 6.1 and 7.0 are vulnerable.
    • Ref: http://www.indusoft.com/hotfixes/hotfixes.php

    • 11.21.5 - CVE: Not Available
    • Platform: Third Party Windows Apps
    • Title: Winamp "in_midi" Component Heap-Based Buffer Overflow
    • Description: NullSoft Winamp is a media player application. The application is exposed to a heap-based buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data. Specifically, this issue affects the "in_midi" component while parsing the "midi" file with a specially crafted system exclusive message type. Winamp 5.61 is affected; other versions may also be affected.
    • Ref: http://www.securityfocus.com/bid/47849/discuss

    • 11.21.6 - CVE: Not Available
    • Platform: Third Party Windows Apps
    • Title: 7T Interactive Graphical SCADA System HMI Multiple Denial of Service Issues
    • Description: The 7T Interactive Graphical SCADA System is a SCADA application used for monitoring and controlling industrial processes. The application is exposed to multiple denial of service issues that affect the human machine interface component. These issues affect the "IGSSdataServer" service that listens on TCP port 12401 and the "dc.exe" service that listens on TCP port 12397. 7T IGSS SCADA HMI versions prior to 9.0.0.11129 are affected.
    • Ref: http://www.us-cert.gov/control_systems/pdf/ICSA-11-132-01.pdf

    • 11.21.7 - CVE: Not Available
    • Platform: Linux
    • Title: Nagios XI "reset_configs-perms.c" Local Privilege Escalation
    • Description: Nagios XI is an IT infrastructure monitoring application. The application is exposed to a local privilege escalation issue because it fails to properly validate the return value of a "setuid()" function call. Nagios XI 2011R1.2 is vulnerable and other versions may also be affected.
    • Ref: http://seclists.org/fulldisclosure/2011/May/306

    • 11.21.8 - CVE: CVE-2011-1738
    • Platform: Cross Platform
    • Title: HP webOS Plug-in Development Kit (PDK) Remote Script Code Injection
    • Description: HP webOS is an operating system for mobile phones and devices. The application is exposed to a remote script injection issue because it fails to properly sanitize user-supplied input. This issue affects arbitrary Plug-in Development Kit applications. webOS versions 1.4.5 and 1.4.5.1 are vulnerable.
    • Ref: http://www.securityfocus.com/bid/47788/discuss

    • 11.21.9 - CVE: Not Available
    • Platform: Cross Platform
    • Title: Citrix XenServer Multiple Unspecified Denial of Service Vulnerabilities and Local Information Disclosure
    • Description: Citrix XenServer is used to provide a virtualization platform. The application is exposed to multiple security issues. 1) Multiple unspecified denial of service issues. Specifically, these issues cause an interruption to the normal operation of the hypervisor when administrative users log in on a guest operating system. 2) A local information disclosure issue because it insecurely stores media connection credentials in log files. Citrix XenServer versions 5.0, 5.5 and 5.6 are affected.
    • Ref: http://support.citrix.com/article/CTX129208 http://support.citrix.com/article/CTX129228

    • 11.21.10 - CVE: CVE-2011-1511
    • Platform: Cross Platform
    • Title: Oracle GlassFish Server Administration Console Remote Authentication Bypass
    • Description: The Oracle GlassFish Server is an implementation of the Java Platform, Enterprise Edition (Java EE) 6 specification. The software is exposed to a remote authentication bypass issue that affects the administration interface, which runs on TCP port 4848. The issue exists because a specially crafted "TRACE" request is not properly handled. The Oracle GlassFish Server 3.0.1 and Sun GlassFish Enterprise Server 2.1.1 are affected.
    • Ref: http://www.securityfocus.com/bid/47818/discuss

    • 11.21.11 - CVE: CVE-2011-0419
    • Platform: Cross Platform
    • Title: Apache APR "apr_fnmatch()" Denial of Service
    • Description: Apache APR is a library of utility functions used by several applications, including the Apache HTTP server. The software is exposed to a denial of service issue. Specifically, this issue triggers an infinite recursion within the "apr_fnmatch()" function when processing a request containing "*" wildcard characters. Apache APR versions prior to 1.4.4 are affected.
    • Ref: http://www.apache.org/dist/apr/CHANGES-APR-1.4

    • 11.21.12 - CVE: CVE-2011-1799
    • Platform: Cross Platform
    • Title: Google Chrome WebKit Glue Bad Cast Remote Code Execution
    • Description: Google Chrome is a web browser for multiple platforms. The software is exposed to a remote code execution issue due to bad casts in the Chromium WebKit glue abstraction layers. Versions prior to Chrome 11.0.696.68 are affected.
    • Ref: http://googlechromereleases.blogspot.com/2011/05/stable-channel-update.html

    • 11.21.13 - CVE: CVE-2011-1209
    • Platform: Cross Platform
    • Title: IBM WebSphere Application Server WS-Security XML Encryption Weakness
    • Description: IBM WebSphere Application Server is available for various operating systems. The application is exposed to a security weakness because the application uses a weak WS-Security XML encryption algorithm. WebSphere Application Server versions prior to 6.1.0.39 and 7.0.0.17 are affected.
    • Ref: http://www-01.ibm.com/support/docview.wss?uid=swg24029632

    • 11.21.14 - CVE: CVE-2011-1407
    • Platform: Cross Platform
    • Title: Exim DKIM Remote Code Execution
    • Description: Exim is a mail transfer agent (MTA) application. Exim is exposed to a remote code execution issue that affects its DomainKeys Identified Mail (DKIM) handling. Exim versions prior to 4.76 are affected.
    • Ref: http://www.gossamer-threads.com/lists/exim/announce/91341

    • 11.21.15 - CVE: CVE-2011-0612
    • Platform: Cross Platform
    • Title: Adobe Flash Media Server XML Data Remote Denial of Service
    • Description: Adobe Flash Media Server provides streaming media and a development environment for creating and delivering media applications. The software is exposed to a remote denial of service issue because of an unspecified XML data corruption error. Adobe Flash Media Server versions prior to 3.5.6 and 4.0.2 are affected.
    • Ref: http://www.adobe.com/support/security/bulletins/apsb11-11.html

    • 11.21.16 - CVE: CVE-2011-0579, CVE-2011-0624, CVE-2011-0623, CVE-2011-0627, CVE-2011-0625, CVE-2011-0618, CVE-2011-0626, CVE-2011-0621, CVE-2011-0622, CVE-2011-0619, CVE-2011-0620
    • Platform: Cross Platform
    • Title: Adobe Flash Player Multiple Vulnerabilities
    • Description: Adobe Flash Player is a multimedia application for Microsoft Windows, Mozilla and Apple technologies. Adobe Flash Player is exposed to multiple issues. 1) An information disclosure issue. 2) Multiple remote buffer overflow issues due to a failure to properly bounds check user-supplied input. 3) Multiple remote memory corruption issues. 4) A remote integer overflow issue. Adobe Flash Player versions 10.2.159.1 and earlier are affected.
    • Ref: http://www.adobe.com/support/security/bulletins/apsb11-12.html

    • 11.21.17 - CVE: CVE-2011-1424
    • Platform: Cross Platform
    • Title: EMC Multiple SourceOne Products ASP.NET Application Tracing Information Disclosure
    • Description: EMC SourceOne is an enterprise content manager and information governance application. Multiple EMC SourceOne products are exposed to an information disclosure issue. EMC SourceOne Email Management for MS Exchange version 6.5.2.3668 (SP2 HF3) and prior, Notes/Domino 6.5.2.3668 (SP2 HF3) and prior, MS Exchange 6.6.0.1209 (HF1) and prior, and Notes/Domino 6.6.0.1209 (HF1) and prior are affected.
    • Ref: http://www.securityfocus.com/archive/1/518003

    • 11.21.18 - CVE: Not Available
    • Platform: Cross Platform
    • Title: Oracle MySQL Multiple Denial Of Service
    • Description: MySQL is an open source SQL database. The application is exposed to multiple denial of service issues. 1) A problem in the InnoDB storage engine when handling a "TRUNCATE TABLE" command while the same table's information is being examined in the "INFORMATION_SCHEMA" database. 2) An issue when handling an incorrect type assignment for items of type "GeometryCollection". 3) An issue when handling "EXPLAIN EXTENDED" in certain prepared statements; in prepared-statement mode, an "EXPLAIN" statement for a "SELECT" statement from a derived table may cause the server to crash. 4) Multiple other denial of service issues that may also have a security impact. MySQL versions prior to 5.1.52 are affected.
    • Ref: http://dev.mysql.com/doc/refman/5.1/en/news-5-1-52.html

    • 11.21.19 - CVE: CVE-2011-1210
    • Platform: Cross Platform
    • Title: IBM Informix "librpc.dll" Spoofing Vulnerability
    • Description: IBM Informix is an application server that runs on various platforms. Informix Storage Manager (ISM) is distributed as part of IBM Informix. Informix is exposed to an issue in ISM that allows attackers to spoof source addresses. The problem affects the "librpc.dll" RPC library and occurs when handling a "pmap_set" request. Informix versions earlier than 11.10.TC3W2X1 or 11.10.FC3W1X1 on Windows are affected.
    • Ref: https://www-304.ibm.com/support/docview.wss?uid=swg1IC76179

    • 11.21.20 - CVE: CVE-2011-1899
    • Platform: Web Application - Cross Site Scripting
    • Title: Computer Associates eHealth Cross-Site Scripting
    • Description: Computer Associates eHealth is an application for managing the performance of network applications and services. The application is exposed to a cross-site scripting issue because it fails to sufficiently sanitize certain unspecified user-supplied data. Computer Associates eHealth versions 6.0.x, 6.1.x, 6.2.1 and 6.2.2 are affected.
    • Ref: https://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID={5662845D-4CD7-4CE6-8829-4F07A4C67366}

    • 11.21.21 - CVE: CVE-2011-0613
    • Platform: Web Application - Cross Site Scripting
    • Title: Adobe RoboHelp Server and RoboHelp Cross-Site Scripting
    • Description: Adobe RoboHelp Server is an application for serving RoboHelp files using the IIS web server. Adobe RoboHelp is an application for generating online help systems. The applications are exposed to a cross-site scripting issue because they fail to sufficiently sanitize user-supplied input. RoboHelp 8, RoboHelp 7, RoboHelp Server 8 and RoboHelp Server 7 for Windows are affected.
    • Ref: http://www.adobe.com/support/security/bulletins/apsb11-09.html

    • 11.21.22 - CVE: CVE-2011-1856
    • Platform: Web Application - Cross Site Scripting
    • Title: HP Business Availability Center Unspecified Cross-Site Scripting
    • Description: HP Business Availability Center is a business service management application. The application is exposed to an unspecified cross-site scripting issue because it fails to sanitize user-supplied input. HP Business Availability Center versions 8.06 and prior are vulnerable.
    • Ref: http://www.securityfocus.com/bid/47846/discuss

    • 11.21.23 - CVE: Not Available
    • Platform: Web Application - SQL Injection
    • Title: IBM Datacap Taskmaster Capture Unspecified SQL Injection
    • Description: Datacap Taskmaster Capture is IBM's document capture front end for enterprise content management. The application is exposed to an unspecified SQL injection issue because it fails to sufficiently sanitize user-supplied data passed to the "TMWeb" component before using it in an SQL query. Versions prior to Datacap Taskmaster Capture 8.0.1 Fix Pack 1 are affected.
    • Ref: http://www.securityfocus.com/bid/47848/discuss

    • 11.21.24 - CVE: CVE-2011-1405, CVE-2011-1404, CVE-2011-1403, CVE-2011-1402
    • Platform: Web Application
    • Title: Mahara Multiple Remote Vulnerabilities
    • Description: Mahara is a web-based portfolio application. The application is exposed to multiple remote issues. 1) Multiple security bypass issues in the "artefact/plans/viewtasks.json.php", "artefact/blog/posts.json.php" and "blocktype/myfriends/myfriends.json.php" scripts. 2) A security bypass issue in the "admin/users/search.json.php" script. 3) A cross-site request forgery issue. 4) Multiple HTML injection issues in the "artefact/comment/lib.php" and "interaction/forum/lib.php" scripts. Mahara versions prior to 1.3.6 are affected.
    • Ref: https://launchpad.net/mahara/+milestone/1.3.6

    • 11.21.25 - CVE: CVE-2011-2081, CVE-2011-2080, CVE-2011-2079, CVE-2011-2078
    • Platform: Web Application
    • Title: MediaCast Multiple Input Validation Vulnerabilities
    • Description: MediaCast is an open source digital content management system. The application is exposed to multiple input validation issues. MediaCast version 8 is vulnerable and other versions may also be affected. See the reference below for complete details.
    • Ref: http://www.securityfocus.com/bid/47833/discuss

    • 11.21.26 - CVE: CVE-2011-1326
    • Platform: Network Device
    • Title: FON La Fonera+ Unspecified Denial of Service
    • Description: FON La Fonera+ is a wireless router. The device is exposed to an unspecified denial of service issue. La Fonera+ firmware version 1.7.0.1 and prior are affected.
    • Ref: http://jvn.jp/jp/JVN96839637/index.html

    • 11.21.27 - CVE: CVE-2011-1906, CVE-2011-0756
    • Platform: Network Device
    • Title: Trustwave WebDefend Enterprise Multiple Information Disclosure Vulnerabilities
    • Description: Trustwave WebDefend is a web application firewall appliance. The software is exposed to multiple information disclosure issues. 1) An information disclosure issue exists because the device uses a hardcoded username and password. 2) An information disclosure issue exists because certain user account credentials are stored in the MySQL database. WebDefend Enterprise versions before 5.0 7.01.903-1.4 are affected.
    • Ref: http://www.securityfocus.com/bid/47829/discuss

    (c) 2011. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

    Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account