@RISK: The Consensus Security Vulnerability Alert

Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys

• (1) HIGH: HP 3COM/H3C Intelligent Management Center img recv Buffer Overflow
• (2) HIGH: IBM Tivoli Endpoint lcfd.exe opts Argument Remote Code Execution Vulnerability

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

Other Microsoft Products

• 11.23.1 - Microsoft Internet Explorer Cross Zone Local Cookie File Access Security Bypass

Third Party Windows Apps

• 11.23.2 - Symantec Backup Exec for Windows Servers Unauthorized Access Vulnerability
• 11.23.3 - Poison Ivy Unspecified Remote Buffer Overflow
• 11.23.4 - HP 3COM/H3C Intelligent Management Center "img.exe" Remote Heap Buffer Overflow

BSD

• 11.23.5 - OpenBSD libc glob "GLOB_APPEND" and "GLOB_DOOFFS" Flags Multiple Integer Overflow Vulnerabilities

Cross Platform

• 11.23.6 - Sybase EAServer Unspecified Directory Traversal
• 11.23.7 - Eucalyptus SOAP Interface Remote Arbitrary Command Injection
• 11.23.8 - Wing FTP Server LDAP Authentication Security Bypass
• 11.23.9 - ISC BIND 9 Large RRSIG RRsets Remote Denial of Service
• 11.23.10 - Asterisk SIP "REGISTER" Request User Enumeration Weakness
• 11.23.11 - NetVault SmartDisk "libnvbasics.dll" Remote Denial of Service
• 11.23.12 - IBM WebSphere Portal "OutputMediator" Objects Denial of Service
• 11.23.13 - Fetchmail STARTTLS Remote Denial of Service
• 11.23.14 - IBM Tivoli Management Framework "opts" Argument Stack Buffer Overflow
• 11.23.15 - Red Hat Xen Hypervisor Implementation Local Guest Denial of Service
• 11.23.16 - Mozilla Firefox SSL Certificate Validation Security Weakness

Web Application - SQL Injection

• 11.23.17 - Radvision iVIEW SCOPIA Management Suite Unspecified SQL Injection

Web Application

• 11.23.18 - Drupal Multiple Vulnerabilities
• 11.23.19 - Apache Archiva Multiple Unspecified Cross-Site Scripting and HTML Injection Vulnerabilities
• 11.23.20 - IBM Web Content Management Race Condition Denial of Service
• 11.23.21 - Anymacro Mail System Web Interface Directory Traversal

Network Device

• 11.23.22 - Vordel Gateway Directory Traversal
• 11.23.23 - Cisco IOS XR Multiple Remote Denial of Service Vulnerabilities
• 11.23.24 - Cisco RVS4000/WRVS4400N Web Management Interface Multiple Vulnerabilities
• 11.23.25 - WebDefend Enterprise Manager Appliance Hard Coded Authentication Security Bypass
• 11.23.26 - Imperva SecureSphere Web Application Firewall And MX Management Server HTML Injection Vulnerability

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/risk/#process

*************************************************************

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 20, 2011

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com) This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 11347 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely. ______________________________________________________________________

• 11.23.1 - CVE: Not Available
• Platform: Other Microsoft Products
• Title: Microsoft Internet Explorer Cross Zone Local Cookie File Access Security Bypass
• Description: Microsoft Internet Explorer is a web browser. Microsoft Internet Explorer is exposed to a cross zone security bypass issue because the application fails to properly enforce the same origin policy for certain local files. Specifically, an attacker may obtain cookie data through iframe "src" tags that point to a specific local cookie. Internet Explorer 6, Internet Explorer 7, Internet Explorer 8, Internet Explorer 9 are affected.
• Ref: http://www.securityfocus.com/bid/47989/info

• 11.23.2 - CVE: CVE-2011-0546
• Platform: Third Party Windows Apps
• Title: Symantec Backup Exec for Windows Servers Unauthorized Access Vulnerability
• Description: Symantec Backup Exec for Windows Servers is a file archiving tool. The software is exposed to an unauthorized access issue. The issue occurs because of a lack of proper data validation in the NDMP communication protocol implementation. Symantec Backup Exec for Windows Servers 11.0, 12.0, 12.5 and Symantec Backup Exec 2010 13.0, 13.0 R2 are affected.
• Ref: http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fi
  d=security_advisory&pvid=security_advisory&year=2011&suid=20110526_0
  0

• 11.23.3 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: Poison Ivy Unspecified Remote Buffer Overflow
• Description: Poison Ivy is a remote administration tool. The application is exposed to an unspecified remote buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data. Poison Ivy version 2.3.2 is vulnerable and other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/48039/discuss

• 11.23.4 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: HP 3COM/H3C Intelligent Management Center "img.exe" Remote Heap Buffer Overflow
• Description: HP 3COM/H3C Intelligent Management Center is a network management application. The application is exposed to a remote heap based buffer overflow issue in the "img.exe" process. Specifically, the application fails to perform adequate boundary checks on user supplied data sent to TCP port 8800. All versions of HP 3COM/H3C Intelligent Management Center are affected.
• Ref: http://www.securityfocus.com/bid/48065/discuss

• 11.23.5 - CVE: CVE-2011-2168
• Platform: BSD
• Title: OpenBSD libc glob "GLOB_APPEND" and "GLOB_DOOFFS" Flags Multiple Integer Overflow Vulnerabilities
• Description: libc in OpenBSD is exposed to multiple integer overflow issues that affect the glob implementation. Specifically, the issues arise because of integer overflow errors in the implementation of "GLOB_APPEND" and "GLOB_DOOFFS" flags. These issues occur when processing specially crafted strings passed to the affected flags. OpenBSD versions prior to 4.9 are affected.
• Ref: http://www.securityfocus.com/bid/48004/discuss

• 11.23.6 - CVE: Not Available
• Platform: Cross Platform
• Title: Sybase EAServer Unspecified Directory Traversal
• Description: Sybase EAServer is an application used for custom deployments. Sybase EAServer is exposed to a directory traversal vulnerability because it fails to sufficiently sanitize unspecified user-supplied input. EAServer 6.3.1 and earlier are affected.
• Ref: http://www.sybase.com/detail?id=1093216

• 11.23.7 - CVE: CVE-2011-0730
• Platform: Cross Platform
• Title: Eucalyptus SOAP Interface Remote Arbitrary Command Injection
• Description: Eucalyptus is an open source software platform that implements IaaS style cloud computing. Eucalyptus is exposed to a remote command injection issue because it fails to adequately validate user-supplied data. Specifically, this issue occurs when processing SOAP requests. Eucalyptus versions 2.0.2 and prior are affected.
• Ref: http://open.eucalyptus.com/wiki/esa-02

• 11.23.8 - CVE: Not Available
• Platform: Cross Platform
• Title: Wing FTP Server LDAP Authentication Security Bypass
• Description: Wing FTP Server is a secure multi-protocol file server for Windows, Linux, Mac, FreeBSD, and Solaris. The software is exposed to a security bypass issue because it does not properly verify user credentials when using the LDAP protocol for authentication. An attacker can exploit this issue by entering an empty password. Versions prior to Wing FTP Server 3.8.7 are affected.
• Ref: http://www.securityfocus.com/bid/47998/discuss

• 11.23.9 - CVE: CVE-2011-1910
• Platform: Cross Platform
• Title: ISC BIND 9 Large RRSIG RRsets Remote Denial of Service
• Description: ISC BIND is exposed to a remote denial of service issue. Specifically, querying a domain with large RRSIG resource record sets (RRsets) will trigger an assertion failure and cause the name server process to crash due to an off by one error in a buffer size check. ISC BIND 9.4-ESV-R3 and later, 9.6-ESV-R2 and later, 9.6.3, 9.7.1 and later, 9.8.0 and later are affected.
• Ref: http://www.isc.org/software/bind/advisories/cve-2011-1910

• 11.23.10 - CVE: Not Available
• Platform: Cross Platform
• Title: Asterisk SIP "REGISTER" Request User Enumeration Weakness
• Description: Asterisk is a private branch exchange (PBX) application available for Linux, BSD, and Mac OS X platforms. Asterisk is exposed to a user enumeration weakness. This issue occurs because the application responds differently when enumerating valid and invalid SIP usernames using the "REGISTER" request. This issue affects Asterisk version 1.8.4.1 and other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/48008/discuss

• 11.23.11 - CVE: Not Available
• Platform: Cross Platform
• Title: NetVault SmartDisk "libnvbasics.dll" Remote Denial of Service
• Description: NetVault SmartDisk is an application used to provide backup service. The application is exposed to a remote denial of service issue. Specifically, the issue occurs due to an integer overflow condition in the "libnvbasics.dll" file when specially crafted data is sent to the application's TCP port 37452. NetVault SmartDisk versions 1.2.2 and prior are affected.
• Ref: http://www.securityfocus.com/bid/48029/discuss

• 11.23.12 - CVE: CVE-2011-2173
• Platform: Cross Platform
• Title: IBM WebSphere Portal "OutputMediator" Objects Denial of Service
• Description: IBM WebSphere Portal provides portal solutions. IBM WebSphere Portal is exposed to a remote denial of service issue. This issue occurs when "OutputMediator" objects are not properly cleaned up at the end of a request. IBM WebSphere Portal 6.0.1.7, and 7.0.0.1 before CF002 are affected.
• Ref: https://www-304.ibm.com/support/docview.wss?uid=swg24029452

• 11.23.13 - CVE: Not Available
• Platform: Cross Platform
• Title: Fetchmail STARTTLS Remote Denial of Service
• Description: Fetchmail is a freely available, open source, mail retrieval utility. Fetchmail is exposed to a remote denial of service issue because the application fails to properly handle SSL/TLS negotiation. Fetchmail versions 5.9.9 up to and including 6.3.19 are vulnerable.
• Ref: http://gitorious.org/fetchmail/fetchmail/blobs/legacy_63/fetchmail-SA-2011-01.tx
  t

• 11.23.14 - CVE: CVE-2011-1220
• Platform: Cross Platform
• Title: IBM Tivoli Management Framework "opts" Argument Stack Buffer Overflow
• Description: IBM Tivoli Management Framework provides tools for managing large numbers of remote locations or devices. The application is exposed to a remote stack based buffer overflow issue because it fails to perform adequate boundary checks on user supplied input. Specifically, this issue occurs when sending a specially crafted HTTP request with an "opts" argument larger than 256 bytes, causing a stack based buffer overflow. IBM Tivoli Management Framework versions 4.1, 4.1.1 and 4.3.1 are affected.
• Ref: https://www-304.ibm.com/support/docview.wss?uid=swg21499146

• 11.23.15 - CVE: CVE-2011-1126
• Platform: Cross Platform
• Title: Red Hat Xen Hypervisor Implementation Local Guest Denial of Service
• Description: Xen is an open source hypervisor or virtual machine monitor. The implementation of Xen Hypervisor included in Red Hat Linux is exposed to a denial of service issue. This issue occurs because a 64 bit guest user account can place one of its "vcpus" into user mode without providing a valid non-kernel page table. RedHat Enterprise Linux 5 server and Red Hat Enterprise Linux Desktop 5 clients are affected.
• Ref: http://www.securityfocus.com/bid/48058/discuss

• 11.23.16 - CVE: CVE-2011-0082
• Platform: Cross Platform
• Title: Mozilla Firefox SSL Certificate Validation Security Weakness
• Description: Mozilla Firefox is a browser available for multiple platforms. The software is exposed to a security weakness because it fails to properly validate SSL certificates under certain circumstances. This issue occurs when a user validates a self-signed X.509 certificate for a single session; subsequent visits to the site do not require revalidation as expected because the page contents are loaded from the browser cache. Users are not given the opportunity to reconfirm the exception. Firefox versions 4.0.x are affected.
• Ref: https://bugzilla.mozilla.org/show_bug.cgi?id=660749

• 11.23.17 - CVE: CVE-2011-1328
• Platform: Web Application - SQL Injection
• Title: Radvision iVIEW SCOPIA Management Suite Unspecified SQL Injection
• Description: iVIEW SCOPIA Management Suite is a network management tool. The application is exposed to an unspecified SQL injection issue because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Versions prior to iVIEW SCOPIA Management Suite 7.5 are vulnerable.
• Ref: http://jvndb.jvn.jp/en/contents/2011/JVNDB-2011-000030.html

• 11.23.18 - CVE: Not Available
• Platform: Web Application
• Title: Drupal Multiple Vulnerabilities
• Description: Drupal is a PHP based content manager. The application is exposed to multiple issues. 1) A security bypass issue when handling private files with the node module. 2) A cross-site scripting issue because it fails to sanitize user-supplied input, specifically the issue affects the error handler. 3) The "color" module for Drupal is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input before using it in dynamically generated content. Drupal versions 7.x and 6.x are affected.
• Ref: http://drupal.org/node/1168756

• 11.23.19 - CVE: CVE-2011-1077
• Platform: Web Application
• Title: Apache Archiva Multiple Unspecified Cross-Site Scripting and HTML Injection Vulnerabilities
• Description: Apache Archiva is data repository management software. The application is exposed to multiple cross-site scripting and HTML injection issues because it fails to properly sanitize certain unspecified user-supplied input before using it in dynamically generated content. Versions prior to Apache Archiva 1.3.5 are vulnerable.
• Ref: http://archiva.apache.org/security.html

• 11.23.20 - CVE: CVE-2010-4807
• Platform: Web Application
• Title: IBM Web Content Management Race Condition Denial of Service
• Description: IBM Web Content Management is a web content manager for enterprises. The application is exposed to a remote denial of service issue because it fails to prevent a race condition. The problem is due to a "StackOverflowError" exception. IBM Web Content Management versions 7.0.0.1 before CF003 are vulnerable; other versions may also be affected.
• Ref: https://www-304.ibm.com/support/docview.wss?uid=swg24029452

• 11.23.21 - CVE: Not Available
• Platform: Web Application
• Title: Anymacro Mail System Web Interface Directory Traversal
• Description: Anymacro Mail System is a mail server application. The application is exposed to a directory traversal issue that can be exploited by providing directory traversal strings in the URI. Anymacro Mail System G4X is vulnerable and other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/48063/discuss

• 11.23.22 - CVE: Not Available
• Platform: Network Device
• Title: Vordel Gateway Directory Traversal
• Description: Vordel Gateway is designed to accelerate, secure and integrate all types of traffic on the SOA network. The application is exposed to a directory traversal issue because it fails to sufficiently sanitize user-supplied input passed to the "/manager" page. Vordel Gateway version 6.0.3 is vulnerable and other versions may also be affected.
• Ref: https://www.upsploit.com/index.php/advisories/view/UPS-2011-0023

• 11.23.23 - CVE: CVE-2011-0949,CVE-2011-1651,CVE-2011-0943
• Platform: Network Device
• Title: Cisco IOS XR Multiple Remote Denial of Service Vulnerabilities
• Description: Cisco IOS XR is a microkernel-based operating system for various Cisco devices. Cisco IOS XR is exposed to multiple remote denial of service issues. 1) A remote denial of service issue in the SSH server implementation. 2) A remote denial of service issue that affects the Shared Port Adapters (SPA) interface processor. 3) A remote denial of service issue affects devices that have an IPv4 address configured on a Cisco Line Card or Cisco Carrier Routing System (CRS) Modular Services Card (MSC) interface. Cisco IOS XR Software Releases 3.8.3, 3.8.4, 3.9.0, 3.9.1, 3.9.2, 4.0.0, 4.0.1, 4.0.2 and 4.1.0 are affected.
• Ref: http://www.cisco.com/warp/public/707/cisco-sa-20110525-iosxr-ssh.shtml, http://www.cisco.com/warp/public/707/cisco-sa-20110525-iosxrspa.shtml, http://www.cisco.com/warp/public/707/cisco-sa-20110525-iosxr.shtml

• 11.23.24 - CVE: CVE-2011-1645, CVE-2011-0766, CVE-2011-1646
• Platform: Network Device
• Title: Cisco RVS4000/WRVS4400N Web Management Interface Multiple Vulnerabilities
• Description: Cisco RVS4000 and WRVS4400N routers are gigabit networking devices that have IPsec VPN, firewall, and intrusion-prevention capabilities. Cisco RVS4000 and WRVS4400N routers are exposed to multiple issues. 1) An information disclosure issue that affects the web-based management interface. 2) An information disclosure issue that affects the web-management interface. This issue is due to an error that may allow attackers to gain access to the administrator's SSL certificate's private and public keys used for connecting to a VPN network. 3) A remote command injection issue that affects the web-based management interface. Specifically, arbitrary commands may be injected through ping "test" and traceroute "test" parameters. Cisco RVS4000 Gigabit Security Router v1 and v2, Cisco WRVS4400N Wireless-N Gigabit Security Router V1.0, V1.1 and V2 which prior to the first fixed release are affected.
• Ref: http://www.cisco.com/en/US/products/products_security_advisory09186a0080b7f190.s
  html

• 11.23.25 - CVE: Not Available
• Platform: Network Device
• Title: WebDefend Enterprise Manager Appliance Hard Coded Authentication Security Bypass
• Description: WebDefend is a security appliance. WebDefend Enterprise Manager Appliance is exposed to a security bypass issue. This issue occurs because the application stores hard coded MySQL username and password credentials. Trustwave WebDefend Enterprise Manager Appliance versions 5.0 (7.01.903) and 4.0 (6.45.659) are affected.
• Ref: http://www.securityfocus.com/bid/48002/discuss

• 11.23.26 - CVE: CVE-2011-0767
• Platform: Network Device
• Title: Imperva SecureSphere Web Application Firewall And MX Management Server HTML Injection Vulnerability
• Description: Imperva SecureSphere Web Application Firewall and MX Management Server are firewall applications. The applications are exposed to an HTML injection issue because they fail to properly sanitize user-supplied input to the management GUI. SecureSphere Web Application Firewall 6.2 MX Management Server (all 6.2 releases), 7.x MX Management Server (all 7.x releases) and 8.x MX Management Server (all 8.x releases) are affected.
• Ref: http://www.imperva.com/resources/adc/adc_advisories_response_secureworks.html

(c) 2011. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account