@RISK: The Consensus Security Vulnerability Alert

Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys

• (1) HIGH: Oracle Java Multiple Security Vulnerabilities
• (2) HIGH: Novell iPrint Multiple Vulnerabilities
• (3) MEDIUM: Google Chrome Multiple Vulnerabilities

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

Novell

• 11.24.1 - Novell Data Synchronizer User Account Unspecified Unauthorized Access Vulnerability
• 11.24.2 - Novell iPrint Client Multiple Remote Code Execution Vulnerabilities

Cross Platform

• 11.24.3 - Erlang/OTP SSH Library Random Number Generator Weakness
• 11.24.4 - Wireshark Multiple Denial of Service Vulnerabilities
• 11.24.5 - Citadel XML Parsing Denial of Service
• 11.24.6 - Ejabberd XML Parsing Denial of Service
• 11.24.7 - HP LoadRunner Virtual User Script Files Remote Buffer Overflow Vulnerability
• 11.24.8 - Cisco AnyConnect Secure Mobility Client Two Vulnerabilities
• 11.24.9 - Subversion "mod_dav_svn" Multiple Denial of Service and Information Disclosure Vulnerabilities
• 11.24.10 - Asterisk "Contact" Header SIP Channel Driver Denial of Service Vulnerability
• 11.24.11 - VMware products "Mount.vmhgfs" Multiple Security Vulnerabilities
• 11.24.12 - Adobe Flash Player Cross-Site Scripting
• 11.24.13 - GeeNian OpenDrive Local Password Encryption Weakness
• 11.24.14 - LuaExpat SAX XML Parsing Denial of Service
• 11.24.15 - Prosody XML Parsing Denial of Service
• 11.24.16 - Google Chrome Multiple Security Vulnerabilities
• 11.24.17 - Oracle Java SE and Java for Business Multiple Remote Java Runtime Environment Vulnerabilities

Web Application - Cross Site Scripting

• 11.24.18 - Nagios "expand" Parameter Cross-Site Scripting Vulnerability
• 11.24.19 - MultiModem iSMS Multiple Cross-Site Scripting Vulnerabilities
• 11.24.20 - vBulletin vBExperience "sortorder" Parameter Cross-Site Scripting Vulnerability

Web Application

• 11.24.21 - WebSVN "path" Parameter Remote Command Injection Vulnerability

Network Device

• 11.24.22 - NetGear WNDAP350 Wireless Access Point Multiple Information Disclosure Vulnerabilities

Hardware

• 11.24.23 - Cisco CNS Network Registrar Default Credentials Authentication Bypass Vulnerability
• 11.24.24 - Cisco Media Experience Engine 5600 Default Credentials Authentication Bypass
• 11.24.25 - Cisco 7900 Series Unified IP Phone Multiple Vulnerabilities
• 11.24.26 - MODACOM URoad-5000 Security Bypass Vulnerability and Remote Command Execution Vulnerability
• 11.24.27 - IP Power 9258 TGI Scripts Unauthorized Access Vulnerability

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/risk/#process

*************************************************************

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 21, 2011

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com) This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 11378 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely. ______________________________________________________________________

• 11.24.1 - CVE: CVE-2011-1711
• Platform: Novell
• Title: Novell Data Synchronizer User Account Unspecified Unauthorized Access Vulnerability
• Description: Novell Data Synchronizer is a data management application. The software is exposed to an unspecified unauthorized access issue. This issue is caused by an unspecified error within the Mobility Pack. Data Synchronizer 1.1.2 and earlier are affected.
• Ref: http://download.novell.com/Download?buildid=dq9zR9J9RzY~

• 11.24.2 - CVE:CVE-2011-1708,CVE-2011-1707,CVE-2011-1706,CVE-2011-1705,CVE-2011-1704,CVE-2011-1703,CVE-2011-1702,CVE-2011-1701,CVE-2011-1700,CVE-2011-1699
• Platform: Novell
• Title: Novell iPrint Client Multiple Remote Code Execution Vulnerabilities
• Description: Novell iPrint Client is a client application for printing over the Internet. The software is exposed to multiple remote code execution issues because of an error in the Netscape/ActiveX compatible browser plugins. Versions prior to Novell iPrint Client 5.64 are affected.
• Ref: http://www.securityfocus.com/bid/48124/info

• 11.24.3 - CVE: CVE-2011-0766
• Platform: Cross Platform
• Title: Erlang/OTP SSH Library Random Number Generator Weakness
• Description: Erlang is a programming language. OTP is a set of Erlang libraries. Erlang/OTP is exposed to a random number generator weakness. This issue occurs because the SSH library uses a weak method to generate the seed used in various encryption and digital signature algorithms. Erlang/OTP ssh library versions before R14B03 are affected.
• Ref: http://www.securityfocus.com/bid/47980/info

• 11.24.4 - CVE: CVE-2011-1957, CVE-2011-1958, CVE-2011-1959,CVE-2011-2174, CVE-2011-2175
• Platform: Cross Platform
• Title: Wireshark Multiple Denial of Service Vulnerabilities
• Description: Wireshark (formerly Ethereal) is an application for analyzing network traffic. The application is exposed to multiple vulnerabilities. A denial of service issue occurs due to an infinite loop caused in the DICOM dissector. A denial of service issue occurs due to a corrupted diameter dictionary file. A denial of service issue occurs due to a corrupted snoop file. A denial of service issue occurs due to malformed compressed captured data. A denial of service issue occurs due to a corrupted Visual Networks file. Wireshark versions 1.2.0 to 1.2.16 and 1.4.0 to 1.4.6 are affected.
• Ref: http://www.wireshark.org/docs/relnotes/wireshark-1.4.7.html http://www.wireshark.org/docs/relnotes/wireshark-1.2.17.html

• 11.24.5 - CVE: CVE-2011-1756
• Platform: Cross Platform
• Title: Citadel XML Parsing Denial of Service
• Description: Citadel is a messaging and collaboration system for groupware and BBS applications. The application is exposed to a denial of service issue. Specifically, the issue occurs because the application does not prevent entity expansion when processing crafted XML data. Citadel version 7.83 is affected.
• Ref: http://www.securityfocus.com/bid/48071/discuss

• 11.24.6 - CVE: CVE-2011-1753
• Platform: Cross Platform
• Title: Ejabberd XML Parsing Denial of Service
• Description: ejabberd is a Jabber/XMPP instant messaging server. The application is exposed to a denial of service issue. Specifically, the issue occurs because the application does not prevent entity expansion when processing crafted XML data. ejabberd version 2.1.6 is affected and other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/48072/discuss

• 11.24.7 - CVE: Not Available
• Platform: Cross Platform
• Title: HP LoadRunner Virtual User Script Files Remote Buffer Overflow Vulnerability
• Description: HP LoadRunner is a tool for testing system performance. The software is exposed to a remote buffer overflow issue. This issue occurs because the application fails to handle specially crafted virtual user script files. All versions of LoadRunner are affected.
• Ref: http://www.securityfocus.com/bid/48073/info

• 11.24.8 - CVE: CVE-2011-2040,CVE-2011-2039,CVE-2011-2041
• Platform: Cross Platform
• Title: Cisco AnyConnect Secure Mobility Client Two Vulnerabilities
• Description: Cisco AnyConnect Secure Mobility Client is a VPN client application that provides secure remote connections to specific Cisco devices. The software is exposed to multiple vulnerabilities. The helper application fails to validate the origin or authenticity of the client application. A local privilege escalation issue exists. All versions prior to 2.3.254 on Windows and 2.5.x releases prior to 2.5.3041, 3.0.x releases prior to 3.0.629 on Linux/Unix are affected.
• Ref: http://www.cisco.com/en/US/products/products_security_advisory09186a0080b80123.s
  html

• 11.24.9 - CVE: CVE-2011-1921,CVE-2011-1783,CVE-2011-1752
• Platform: Cross Platform
• Title: Subversion "mod_dav_svn" Multiple Denial of Service and Information Disclosure Vulnerabilities
• Description: Subversion is an open-source version control application available for numerous platforms. The application is exposed to two denial of service issues and an information disclosure issue that occurs in the "mod_dav_svn" module. Versions prior to Subversion 1.6.17 are affected.
• Ref: http://subversion.apache.org/security/CVE-2011-1783-advisory.txt http://subversion.apache.org/security/CVE-2011-1752-advisory.txt http://subversion.apache.org/security/CVE-2011-1921-advisory.txt

• 11.24.10 - CVE: CVE-2011-2216
• Platform: Cross Platform
• Title: Asterisk "Contact" Header SIP Channel Driver Denial of Service Vulnerability
• Description: Asterisk is an open-source PBX application available for multiple operating platforms. Asterisk is exposed to a denial of service issue in the Session Initiation Protocol channel driver. Specifically, a specially crafted "Contact" header can trigger a segmentation fault due to a NULL pointer dereference error. Asterisk Open Source 1.8.x are affected.
• Ref: http://downloads.asterisk.org/pub/security/AST-2011-007.html

• 11.24.11 - CVE: CVE-2011-2146,CVE-2011-2145,CVE-2011-1787
• Platform: Cross Platform
• Title: VMware products "Mount.vmhgfs" Multiple Security Vulnerabilities
• Description: Multiple VMware products are exposed to an information disclosure issue and multiple privilege escalation issues that affect "Mount.vmhgfs". An information disclosure issue allows an attacker with access to the guest operating system to determine if a path exists in the host filesystem and determine if it is a file or directory, regardless of permissions. A privilege escalation issue stems from a race condition that occurs when an attacker mounts arbitrary directories in the guest filesystem. A privilege escalation issue allows an attacker to gain write access to an arbitrary file in the guest filesystem. VMware Workstation 7.1.x for Linux and Windows, VMware Player 3.1.x for Linux and Windows, VMware Fusion 3.1.x for OSX, VMware ESXi 3.5, 4.0, and 4.1, VMware ESX 3.5, 4.0, and 4.1 are affected.
• Ref: http://www.vmware.com/security/advisories/VMSA-2011-0009.html

• 11.24.12 - CVE: CVE-2011-2107
• Platform: Cross Platform
• Title: Adobe Flash Player Cross-Site Scripting
• Description: Adobe Flash Player is a multimedia application available for multiple platforms. The application is exposed to an unspecified cross-site scripting issue. Adobe Flash Player 10.3.181.16 and prior versions for Windows, Macintosh, Linux and Solaris operating systems and Adobe Flash Player 10.3.185.22 and prior versions for Android are affected.
• Ref: http://www.adobe.com/support/security/bulletins/apsb11-13.html

• 11.24.13 - CVE: Not Available
• Platform: Cross Platform
• Title: GeeNian OpenDrive Local Password Encryption Weakness
• Description: geeNian OpenDrive is a server based storage application. The application is exposed to a password encryption weakness that allows local attackers to decrypt credentials stored in the Registry. OpenDrive version 1.3.141 is vulnerable and other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/48120/discuss

• 11.24.14 - CVE: Not Available
• Platform: Cross Platform
• Title: LuaExpat SAX XML Parsing Denial of Service
• Description: LuaExpat is a SAX XML parser based on the Expat library. The application is exposed to a denial of service issue. Specifically, the issue occurs because the application fails to handle specially crafted XML data. Applications using the affected parser may consume system memory when processing large numbers of nested references. Expat version 2.0.1 is vulnerable and other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/48123/discuss

• 11.24.15 - CVE: Not Available
• Platform: Cross Platform
• Title: Prosody XML Parsing Denial of Service
• Description: Prosody is a communications server for Jabber/XMPP. The application is exposed to a denial of service issue. Specifically, the issue occurs because the application fails to handle specially crafted XML data. Applications using the affected parser may consume excessive system memory when processing large numbers of nested references. Prosody versions prior to 0.8.1 are vulnerable.
• Ref: http://www.securityfocus.com/bid/48125/discuss

• 11.24.16 - CVE:CVE-2011-2342,CVE-2011-2332,CVE-2011-1819,CVE-2011-1818,CVE-2011-1817,CVE-2011-1816,CVE-2011-1815,CVE-2011-1814,CVE-2011-1813,CVE-2011-1812,CVE-2011-1811,CVE-2011-1810,CVE-2011-1809,CVE-2011-1808
• Platform: Cross Platform
• Title: Google Chrome Multiple Security Vulnerabilities
• Description: Google Chrome is a web browser for multiple platforms. The application is exposed to multiple security issues. See reference for complete details. Versions prior to Chrome 12.0.742.91 are affected.
• Ref: http://www.securityfocus.com/bid/48129/discuss

• 11.24.17 - CVE:CVE-2011-0865,CVE-2011-0814,CVE-2011-0869,CVE-2011-0815,CVE-2011-0867,CVE-2011-0871,CVE-2011-0872,CVE-2011-0866,CVE-2011-0868,CVE-2011-0864,CVE-2011-0863,CVE-2011-0788,CVE-2011-0862,CVE-2011-0817,CVE-2011-0786,CVE-2011-0802,CVE-2011-0873
• Platform: Cross Platform
• Title: Oracle Java SE and Java for Business Multiple Remote Java Runtime Environment Vulnerabilities
• Description: Java Runtime Environment (JRE) is a platform that supports the execution of programs that are developed using the Java programming language. The JRE platform also supports Java Applets, which can be loaded from Web pages. Oracle Java SE and Java for Business are exposed to multiple remote issues in Java Runtime Environment. These issues affect multiple subcomponents. JDK and JRE 6 Update 25 and earlier, JDK 5.0 Update 29 and earlier and SDK 1.4.2_31 and earlier are affected.
• Ref: http://www.oracle.com/technetwork/topics/security/javacpujune2011-313339.html

• 11.24.18 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: Nagios "expand" Parameter Cross-Site Scripting Vulnerability
• Description: Nagios is an open-source application designed to monitor networks and services for interruptions and to notify administrators when various events occur. The application is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied data submitted to the "expand" parameter of the "config.cgi" script. Nagios 3.2.3 is vulnerable and other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/48087/info

• 11.24.19 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: MultiModem iSMS Multiple Cross-Site Scripting Vulnerabilities
• Description: MultiModem iSMS is an SMS text messaging application. The application is exposed to multiple issues. A cross-site scripting issue occurs in the "username" field. A cross-site scripting issue occurs when viewing the logs through the web management interface. MultiModem iSMS 1.47 is vulnerable and other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/48094/info

• 11.24.20 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: vBulletin vBExperience "sortorder" Parameter Cross-Site Scripting Vulnerability
• Description: vBulletin vBExperience is a web-based application implemented in PHP. The application is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied data submitted to the "sortorder" parameter of the "xperience.php" script. vBulletin vBExperience 3.0 is vulnerable and other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/48106/info

• 11.24.21 - CVE: Not Available
• Platform: Web Application
• Title: WebSVN "path" Parameter Remote Command Injection Vulnerability
• Description: WebSVN is an online viewer for SVN repositories. The application is exposed to a command injection issue because it fails to adequately sanitize user-supplied input submitted to the "path" argument of the "websvn/dl.php" script. Specifically, the application fails to properly escape metacharacters included in the "path" parameter before using them in an "exec()" function call. WebSVN version 2.3.2 is vulnerable and other versions may also be affected.
• Ref: http://www.securityfocus.com/archive/1/518245

• 11.24.22 - CVE: Not Available
• Platform: Network Device
• Title: NetGear WNDAP350 Wireless Access Point Multiple Information Disclosure Vulnerabilities
• Description: NetGear WNDAP350 is a wireless access point. NetGear WNDAP350 wireless access point is exposed to multiple remote information disclosure issues because it fails to restrict access to sensitive information. Specifically, attackers can access the "/var/config" file which contains sensitive information such as the administrator password and WPA2 keys. The file is accessible by downloading through the "downloadFile.php" and "BackupConfig.php" scripts. WNDAP350 with firmware 2.0.1 and 2.0.9 are vulnerable and other firmware versions may also be affected.
• Ref: http://www.securityfocus.com/bid/48085/discuss

• 11.24.23 - CVE: CVE-2011-2024
• Platform: Hardware
• Title: Cisco CNS Network Registrar Default Credentials Authentication Bypass Vulnerability
• Description: Cisco CNS Network Registrar devices provide DNS, DHCP, and IP address management. Cisco CNS Network Registrar is exposed to a remote authentication bypass issue. This issue occurs because the device contains a default password for the administrative account. Cisco Network Registrar Software releases prior to 7.2 are affected.
• Ref: http://www.cisco.com/warp/public/707/cisco-sa-20110601-cnr.shtml

• 11.24.24 - CVE: CVE-2011-1623
• Platform: Hardware
• Title: Cisco Media Experience Engine 5600 Default Credentials Authentication Bypass
• Description: Cisco Media Experience Engine 5600 is a modular media processing platform. Cisco Media Experience Engine 5600 is exposed to a remote authentication bypass issue. This issue occurs because the device contains a default password for the root account. Cisco MXE 5600 devices that are running Cisco Media Processing Software releases prior to 1.2 are affected.
• Ref: http://www.cisco.com/en/US/products/products_security_advisory09186a0080b80122.s
  html

• 11.24.25 - CVE: CVE-2011-1637,CVE-2011-1603,CVE-2011-1602
• Platform: Hardware
• Title: Cisco 7900 Series Unified IP Phone Multiple Vulnerabilities
• Description: Cisco 7900 Series Unified IP Phones are Voice over IP phone devices. Cisco 7900 Series Unified IP Phone devices are exposed multiple issues: a security bypass issue, that affects signature verification and two privilege escalation issues. Cisco Unified IP Phone 7975G, 7971G-GE, 7970G, 7965G, 7962G, 7961G, 7961G-GE, 7945G, 7942G, 7941G, 7941G-GE, 7931G, 7911G and 7906 are affected.
• Ref: http://www.cisco.com/en/US/products/products_security_advisory09186a0080b80111.s
  html

• 11.24.26 - CVE: Not Available
• Platform: Hardware
• Title: MODACOM URoad-5000 Security Bypass Vulnerability and Remote Command Execution Vulnerability
• Description: MODACOM URoad-5000 is a wireless router. URoad-5000 is exposed to multiple remote issues. A security bypass issue occurs because the device is configured to use "admin" as the administrator username and password. Specifically, the device fails to prompt the user to change the administration credentials. A remote command execution issue affects the "gofrom/SystemCommad" method. MODACOM URoad-5000 firmware version 1450 is vulnerable; other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/48089/discuss

• 11.24.27 - CVE: Not Available
• Platform: Hardware
• Title: IP Power 9258 TGI Scripts Unauthorized Access Vulnerability
• Description: IP Power 9258 is a switched power distribution unit. The device is exposed to an unauthorized access issue because it fails to properly restrict access to the scripts in the "/tgi/" folder. Opengear IP Power 9258 units are affected.
• Ref: http://www.securityfocus.com/bid/48104/info

(c) 2011. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account