
@RISK: The Consensus Security Vulnerability Alert

Volume: X, Issue: 22
June 16, 2011

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Platform                              Number of Updates and Vulnerabilities
    - ------------------------            -------------------------------------
    Other Microsoft Products              1 (#2)
    Third Party Windows Apps              1
    Linux                                 2
    Aix                                   1
    Unix                                  2
    Cross Platform                        16 (#1)
    Web Application - SQL Injection       1
    Web Application                       3
    Network Device                        2

******************** Sponsored By DigitalPersona, Inc. ********************

In this SANS Analyst Webcast, "Protecting Data And Access," senior SANS Analyst Jim D. Hietala gives his review of how Digital Persona Pro does both. Also featuring Fabio Santini with Digital Persona, Inc.
http://www.sans.org/info/79714

***************************************************************************

TRAINING UPDATE

- -- SANS Rocky Mountain 2011, Denver, CO, June 25-30, 2011
8 courses. Bonus evening presentations include SANS Hacklab and Why End Users are Your Weakest Link
http://www.sans.org/rocky-mountain-2011/

- -- SANSFIRE 2011, Washington, DC, July 15-24, 2011
42 courses. Bonus evening presentations include Ninja Developers: Penetration Testing and Your SDLC; and Are Your Tools Ready for IPv6?
http://www.sans.org/sansfire-2011/

- -- Security Impact of IPv6 Summit, Washington DC, July 15-16, 2011
http://www.sans.org/ipv6-summit-2011/

- -- SANS Boston 2011, Boston, MA, August 6-15, 2011
13 courses. Bonus evening presentations include Cost Effectively Implementing PCI through the Critical Controls; and More Practical Insights on the 20 Critical Controls
http://www.sans.org/boston-2011/

- -- SANS Virginia Beach 2011, August 22 - September 2, 2011
11 courses. Bonus evening presentations include SANS Hacklab; Offensive Countermeasures; and Evolving VoIP Threats
http://www.sans.org/virginia-beach-2011/

- -- SANS Ottawa 2011, Ottawa, Ontario, August 28 - September 2, 2011
6 courses. Bonus evening presentations include DNS Sinkhole: Peer Into Your Network While You Sleep; and I See What You Did There: Forensic Time Line Analysis
http://www.sans.org/ottawa-2011/

- -- SANS Network Security 2011, Las Vegas, NV, September 17-26, 2011
44 courses. Bonus evening presentations include Securing the Kids; Who is Watching the Watchers?; and Emerging Trends in the Law of Information Security and Investigations
http://www.sans.org/network-security-2011/

- -- Looking for training in your own community?
http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/discounts.php#current

Plus Canberra, Ottawa and Melbourne all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

***************************************************************************

Table Of Contents
Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)
    Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
    Other Microsoft Products
    Third Party Windows Apps
    Linux
    Aix
    Unix
    Cross Platform
    Web Application - SQL Injection
    Web Application
    Network Device

    ***************************** Sponsored Link: *****************************

    1) Two-day workshop on the Art and Science of Baking Security into Applications and Networks - hear the techniques leading companies have used to give IT architects and engineers the knowledge to ensure security is considered in every step of the development life cycle. SANS Baking Security into Applications and Networks Workshop, Washington DC, August 29-30, http://www.sans.org/info/79719
    ***************************************************************************

    PART I Critical Vulnerabilities

    Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/risk/#process

    *************************************************************

    Widely Deployed Software
    Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
    Week 22, 2011

    Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

    This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 11428 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.
    ______________________________________________________________________


    • 11.25.1 - CVE: Not Available
    • Platform: Other Microsoft Products
    • Title: Microsoft Lync Server 2010 "ReachJoin.aspx" Remote Command Injection
    • Description: Microsoft Lync Server 2010 is a unified communication server. The application is exposed to a command injection issue because it fails to adequately sanitize user-supplied input submitted to the "reachLocale" parameter of the "ReachJoin.aspx" script. Microsoft Lync Server 2010 version 4.0.7577.0 is vulnerable and other versions may also be affected.
    • Ref: http://www.securityfocus.com/bid/48235/discuss

    • 11.25.2 - CVE: Not Available
    • Platform: Third Party Windows Apps
    • Title: Trend Micro Data Loss Prevention Directory Traversal
    • Description: Trend Micro Data Loss Prevention is a data management and loss prevention application. The application is exposed to a directory traversal issue because it fails to sufficiently sanitize user-supplied input. Trend Micro Data Loss Prevention 5.5 is vulnerable and other versions may also be affected.
    • Ref: http://www.securityfocus.com/bid/48225/discuss

    • 11.25.3 - CVE: CVE-2011-1943
    • Platform: Linux
    • Title: GNOME NetworkManager "/var/log/messages" Information Disclosure
    • Description: GNOME NetworkManager is an application used for automated networking on Linux platforms. The application is exposed to an information disclosure issue that may allow local attackers to access user passwords from the "/var/log/messages" file. GNOME NetworkManager 0.8.999-3 is vulnerable and other versions may also be affected.
    • Ref: http://www.securityfocus.com/bid/48218/discuss

    • 11.25.4 - CVE: Not Available
    • Platform: Linux
    • Title: OProfile Multiple Security Vulnerabilities
    • Description: OProfile is a system wide profiler for Linux computers. The application is exposed to multiple issues because the software fails to properly sanitize user-supplied input. See the reference below for further details. OProfile version 0.9.6 is vulnerable and other versions may also be affected.
    • Ref: http://www.securityfocus.com/bid/48241/discuss


    • 11.25.6 - CVE: CVE-2011-0894,CVE-2011-0893
    • Platform: Unix
    • Title: HP Operations for UNIX Unspecified Cross-Site Scripting and Unauthorized Access Vulnerabilities
    • Description: HP Operations for UNIX is a set of infrastructure monitoring tools. HP Operations for UNIX is exposed to multiple issues. 1) An unspecified cross-site scripting issue affects the application because it fails to adequately sanitize user-supplied input. 2) An unauthorized access issue affects the application because of an unspecified error. HP Operations for UNIX 9.10 is affected.
    • Ref: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02770049

    • 11.25.7 - CVE: Not Available
    • Platform: Unix
    • Title: D-Bus Message Byte Order Denial of Service
    • Description: D-Bus is an IPC (Inter-Process Communication) system that lets applications talk to one another. The application is exposed to a local denial of service issue because of an error while processing messages whose byte order differs from the native byte order of the host. D-Bus 1.4.10 is vulnerable; other versions may also be affected.
    • Ref: http://www.securityfocus.com/bid/48216/discuss
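
The entry above turns on a receiver handling a message whose byte order is not the host's. The following is an added example (not D-Bus code, and not from the advisory) of the receiving side done carefully: it decodes the fixed part of the D-Bus wire header with the byte order the *sender* declared in the first byte, and rejects anything it cannot account for rather than trusting the declared lengths. The header layout and the 2**27-byte message limit are taken from the D-Bus specification; the sample messages are constructed for the example.

```python
import struct

# Fixed part of a D-Bus message header, per the D-Bus specification ("Message Format"):
#   byte   endianness flag: b'l' = little-endian, b'B' = big-endian
#   byte   message type: 1 METHOD_CALL, 2 METHOD_RETURN, 3 ERROR, 4 SIGNAL
#   byte   flags
#   byte   major protocol version (always 1)
#   uint32 body length
#   uint32 serial (must be non-zero)
#   uint32 length of the header-field array that follows; the fields are padded
#          to an 8-byte boundary before the body begins
HEADER_FIXED_LEN = 16
MAX_MESSAGE_LEN = 2 ** 27                     # spec: whole message, header + padding + body
BYTE_ORDER_MARKERS = {0x6C: "<", 0x42: ">"}   # ord('l'), ord('B')


def parse_dbus_header(data: bytes) -> dict:
    """Decode the fixed header in the *sender's* byte order, validating as we go."""
    if len(data) < HEADER_FIXED_LEN:
        raise ValueError("truncated header")
    order = BYTE_ORDER_MARKERS.get(data[0])
    if order is None:
        raise ValueError(f"unknown endianness marker {data[0]:#04x}")
    # 'x' skips the marker; every multi-byte integer is decoded with the chosen order.
    msg_type, flags, version, body_len, serial, fields_len = struct.unpack(
        order + "xBBBIII", data[:HEADER_FIXED_LEN])
    if version != 1:
        raise ValueError(f"unsupported protocol version {version}")
    if msg_type not in (1, 2, 3, 4):
        raise ValueError(f"invalid message type {msg_type}")
    if serial == 0:
        raise ValueError("serial must be non-zero")
    header_len = (HEADER_FIXED_LEN + fields_len + 7) & ~7
    if header_len + body_len > MAX_MESSAGE_LEN:
        raise ValueError("declared lengths exceed the D-Bus message size limit")
    return {"byte_order": "little" if order == "<" else "big", "type": msg_type,
            "flags": flags, "body_len": body_len, "serial": serial,
            "fields_len": fields_len, "header_len": header_len}


def build_dbus_header(byte_order: str, msg_type: int, flags: int,
                      body_len: int, serial: int, fields_len: int) -> bytes:
    """Encode the same fixed header in either order (used here to construct test input)."""
    order, marker = ("<", b"l") if byte_order == "little" else (">", b"B")
    return marker + struct.pack(order + "BBBIII", msg_type, flags, 1,
                                body_len, serial, fields_len)


def is_rejected(data: bytes) -> bool:
    """True when the parser refuses the header instead of trusting it."""
    try:
        parse_dbus_header(data)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed sample: METHOD_CALL, 42-byte body, serial 7, 52 bytes of header
    # fields, emitted in both byte orders. A correct receiver decodes them identically.
    for bo in ("little", "big"):
        print(bo, parse_dbus_header(build_dbus_header(bo, 1, 0, 42, 7, 52)))
```

The point to take from it: the byte-order marker selects the decoding of every integer that follows, including the lengths that drive later allocations, so a parser that assumes native order reads garbage lengths from a foreign-order message and a parser that honours the marker still has to bound those lengths before using them.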

    • 11.25.8 - CVE: Not Available
    • Platform: Cross Platform
    • Title: Fabric Insecure Temporary File Creation Vulnerability
    • Description: Fabric is a deployment tool implemented in Python. Fabric is exposed to an issue because it creates temporary files in an insecure manner. Specifically, the application creates temporary files with predictable file names in world-writable directories when uploading template text files and project files to a remote server, which allows a local attacker to pre-create or symlink the expected name. Fabric 0.9.1 is vulnerable and other versions may also be affected.
    • Ref: http://www.securityfocus.com/bid/48103/discuss
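
To make the bug class concrete, here is an added example (not Fabric's code, and not from the advisory) that puts the insecure pattern beside the hardened one and runs the symlink attack against the insecure version in a scratch directory. The file names, the "victim" file and the scenario are constructed for the example; POSIX is assumed (symlinks, getuid).

```python
import os
import shutil
import stat
import tempfile
from typing import Optional


def write_staging_file_insecure(content: bytes, directory: Optional[str] = None,
                                name: str = "fabric_upload.tmp") -> str:
    """The bug class above: a predictable name in a shared directory, opened with
    open(), which follows symlinks and truncates whatever is already there."""
    path = os.path.join(directory or tempfile.gettempdir(), name)
    with open(path, "wb") as fh:
        fh.write(content)
    return path


def write_staging_file(content: bytes, directory: Optional[str] = None) -> str:
    """Hardened: mkstemp picks an unpredictable name and opens it with
    O_CREAT|O_EXCL|O_NOFOLLOW and mode 0600, so a pre-planted file or symlink
    makes the create fail instead of being followed. Write through the
    descriptor that was handed back; never re-open by name."""
    fd, path = tempfile.mkstemp(prefix="fabric-", suffix=".tmp", dir=directory)
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(content)
    except BaseException:
        os.unlink(path)
        raise
    return path


def is_private_regular_file(path: str) -> bool:
    """What a deployment tool should assert before trusting a staging file."""
    st = os.lstat(path)          # lstat: a symlink at this name is itself a red flag
    return (stat.S_ISREG(st.st_mode)
            and (st.st_mode & 0o077) == 0
            and st.st_uid == os.getuid())


def demonstrate() -> dict:
    """Run both writers in a scratch directory (constructed scenario) and report
    whether the attacker's pre-planted symlink won."""
    scratch = tempfile.mkdtemp()
    try:
        victim = os.path.join(scratch, "victim.conf")
        with open(victim, "wb") as fh:
            fh.write(b"original")
        # Attacker moves first: a symlink under the predictable name, aimed at a
        # file the privileged deployer can write but the attacker cannot.
        os.symlink(victim, os.path.join(scratch, "fabric_upload.tmp"))
        write_staging_file_insecure(b"attacker-controlled", directory=scratch)
        with open(victim, "rb") as fh:
            victim_after = fh.read()
        safe_path = write_staging_file(b"payload", directory=scratch)
        with open(safe_path, "rb") as fh:
            safe_content = fh.read()
        return {
            "victim_clobbered": victim_after == b"attacker-controlled",
            "safe_is_private": is_private_regular_file(safe_path),
            "safe_content_ok": safe_content == b"payload",
            "safe_name_unpredictable": os.path.basename(safe_path) != "fabric_upload.tmp",
        }
    finally:
        shutil.rmtree(scratch)


if __name__ == "__main__":
    print(demonstrate())
```

The hardened writer does not "check then create": the exclusive create is the check, performed atomically by the kernel, and the permissions are set at creation rather than by a later chmod that would leave a window.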

    • 11.25.9 - CVE: Not Available
    • Platform: Cross Platform
    • Title: KMPlayer ".mp3" File Remote Buffer Overflow
    • Description: KMPlayer is a media player. KMPlayer is exposed to a remote stack-based buffer overflow issue because it fails to perform adequate bounds checks on user-supplied input. Specifically, this issue occurs while handling specially crafted ".mp3" files. KMPlayer 3.0.0.1440 is vulnerable and other versions may also be affected.
    • Ref: http://www.securityfocus.com/bid/48112/discuss

    • 11.25.10 - CVE: Not Available
    • Platform: Cross Platform
    • Title: Wireshark Multiple Denial of Service Vulnerabilities
    • Description: Wireshark (formerly Ethereal) is an application for analyzing network traffic. The software is exposed to multiple issues. 1) A denial of service issue occurs when sorting columns during a live packet capture. 2) A denial of service issue occurs because a capture from a named pipe cannot be stopped until the next packet arrives. Wireshark versions prior to 1.6.0 are affected.
    • Ref: http://www.wireshark.org/docs/relnotes/wireshark-1.6.0.html

    • 11.25.11 - CVE: Not Available
    • Platform: Cross Platform
    • Title: Ruby on Rails Multiple Cross-Site Scripting Filter Security Bypass Weaknesses
    • Description: Ruby on Rails is a web application framework for multiple platforms. Ruby on Rails is exposed to multiple security bypass weaknesses because it fails to properly mark certain strings as "HTML safe". Versions prior to Ruby on Rails 3.0.8 and 2.3.12 are affected.
    • Ref: http://www.securityfocus.com/bid/48169/discuss

    • 11.25.12 - CVE:CVE-2011-1863,CVE-2011-1862,CVE-2011-1861,CVE-2011-1860,CVE-2011-1859,CVE-2011-1858,CVE-2011-1857
    • Platform: Cross Platform
    • Title: HP Service Manager and Service Center Multiple Vulnerabilities
    • Description: HP Service Manager is an IT helpdesk application available for multiple platforms. HP Service Center is a web-based IT service management application. The applications are exposed to multiple issues due to insufficient sanitization of user-supplied input. See the reference below for further details. These versions are affected: HP Service Manager v9.21, v9.20, v7.11, v7.02, HP Service Manager client v9.21, v9.20, v7.11, v7.02 running on Windows, HP Service Center v6.2.8 Client running on Windows, HP Service Center v6.2.8.
    • Ref: https://www13.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02863015&admit=109447627+1307582364958+28353475

    • 11.25.13 - CVE: CVE-2011-2194
    • Platform: Cross Platform
    • Title: VLC Media Player XSPF Playlist Integer Overflow Memory Corruption
    • Description: VLC is a cross-platform media player. The application is exposed to a memory corruption issue because of an integer overflow error in the XSPF playlist file parser. This occurs within the "libplaylist_plugin.dll" file when parsing specially crafted XSPF playlist files. In particular, attackers can exploit this issue by passing a large value to the "id" tag of the XSPF file. VLC Media Player versions 1.1.9 down to 0.8.5 are vulnerable.
    • Ref: http://www.videolan.org/security/sa1104.html

    • 11.25.14 - CVE: CVE-2011-1864
    • Platform: Cross Platform
    • Title: HP OpenView Storage Data Protector Unspecified Remote Code Execution
    • Description: HP OpenView Storage Data Protector is a commercial data management product for backup and recovery operations. The application is exposed to an unspecified remote code execution issue. HP OpenView Storage Data Protector versions 6.0, 6.10, and 6.11 for HP-UX, Solaris, Linux, and Windows are vulnerable.
    • Ref: http://www.securityfocus.com/archive/1/518318

    • 11.25.15 - CVE: CVE-2011-1574
    • Platform: Cross Platform
    • Title: libmodplug "S3M" Stack Based Buffer Overflow
    • Description: The libmodplug library allows various media players to play multiple media formats. The library is exposed to a stack-based buffer overflow issue because it fails to properly bounds check user supplied data before copying it into an insufficiently sized buffer. Libmodplug 0.8.8.1 is vulnerable and other versions may also be affected.
    • Ref: http://www.securityfocus.com/bid/47248/discuss

    • 11.25.16 - CVE: CVE-2011-1755
    • Platform: Cross Platform
    • Title: Jabberd XML Parsing Denial of Service
    • Description: Jabberd is an XMPP (Jabber) server whose XML parsing is based on the Expat library. Jabberd is exposed to a denial of service issue because it fails to handle specially crafted XML data safely: applications using the affected parser may consume excessive amounts of system memory when processing large numbers of nested entity references. Versions prior to jabberd 2.2.14 are vulnerable.
    • Ref: http://www.securityfocus.com/bid/48250/discuss
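
The memory exhaustion described above is the entity-expansion attack: a handful of nested internal entities expand to far more text than the document contains. The following is an added example (not jabberd code, and not from the advisory) showing, with Python's own Expat binding, both what a default-configured parser does with such a document and how a parser fed by untrusted peers can refuse the constructs outright. The stanza and the deliberately tiny "bomb" are constructed for the example; the 64 KiB size cap is an assumed policy value.

```python
import xml.parsers.expat

MAX_DOCUMENT_BYTES = 64 * 1024      # assumed policy: an XMPP stanza never legitimately approaches this


class UnsafeXML(ValueError):
    pass


def parse_untrusted_xml(doc: bytes) -> int:
    """Parse with Expat while refusing the constructs behind entity-expansion DoS.

    Returns the number of start tags seen. Raises UnsafeXML on a DOCTYPE or any
    entity declaration; external entities are never fetched because no
    ExternalEntityRefHandler is installed.
    """
    if len(doc) > MAX_DOCUMENT_BYTES:
        raise UnsafeXML("document too large")
    parser = xml.parsers.expat.ParserCreate()
    count = 0

    def on_start(name, attrs):
        nonlocal count
        count += 1

    def on_doctype(doctype_name, system_id, public_id, has_internal_subset):
        # An exception raised inside a handler aborts the parse and propagates out of Parse().
        raise UnsafeXML(f"DOCTYPE not accepted from an untrusted peer: {doctype_name}")

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        raise UnsafeXML(f"entity declaration not accepted: {name}")

    parser.StartElementHandler = on_start
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.Parse(doc, True)
    return count


def naive_text_length(doc: bytes) -> int:
    """What a parser with default settings does: expands every internal entity.
    Returns the number of character-data bytes it produced."""
    parser = xml.parsers.expat.ParserCreate()
    total = 0

    def on_chars(text):
        nonlocal total
        total += len(text)

    parser.CharacterDataHandler = on_chars
    parser.Parse(doc, True)
    return total


def is_rejected(doc: bytes) -> bool:
    try:
        parse_untrusted_xml(doc)
        return False
    except UnsafeXML:
        return True


# Constructed samples. The "bomb" is deliberately tiny: three levels of four
# references (64 expansions). A real attack uses ten levels of ten, i.e. 10**10.
SAFE_STANZA = b"<message to='alice@example.net'><body>hello</body></message>"
ENTITY_BOMB = (b"<?xml version='1.0'?>"
               b"<!DOCTYPE stream [<!ENTITY a 'aaaa'>"
               b"<!ENTITY b '&a;&a;&a;&a;'>"
               b"<!ENTITY c '&b;&b;&b;&b;'>]>"
               b"<message><body>&c;</body></message>")

if __name__ == "__main__":
    print("safe stanza, elements:", parse_untrusted_xml(SAFE_STANZA))
    print("bomb, naive expansion bytes:", naive_text_length(ENTITY_BOMB))
    print("bomb rejected by hardened parser:", is_rejected(ENTITY_BOMB))
```

Rejecting the DOCTYPE is the cheapest fix for a protocol like XMPP, where a peer has no legitimate reason to declare entities; a parser that must accept DOCTYPEs instead needs a cap on total expanded size, which Expat itself does not enforce.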

    • 11.25.17 - CVE: CVE-2011-2202
    • Platform: Cross Platform
    • Title: PHP Security Bypass Issue
    • Description: PHP is a scripting language. PHP is exposed to a security bypass issue in its multipart/form-data file upload handling, the "SAPI_POST_HANDLER_FUNC()" function of the "rfc1867.c" file, which allows an attacker to delete files from the root directory. PHP 5.3.6 is vulnerable and other versions may also be affected.
    • Ref: http://www.securityfocus.com/bid/48259/discuss

    • 11.25.18 - CVE: Not Available
    • Platform: Cross Platform
    • Title: Opera Web Browser Denial of Service
    • Description: Opera is a web browser application. The application is exposed to a denial of service issue. This issue occurs when the application processes a webpage containing specially crafted JavaScript code. Opera Web Browser 11.11 is vulnerable; other versions may also be affected.
    • Ref: http://www.securityfocus.com/bid/48262/discuss

    • 11.25.19 - CVE: CVE-2011-2094, CVE-2011-2095, CVE-2011-2096,CVE-2011-2097, CVE-2011-2098, CVE-2011-2099, CVE-2011-2100,CVE-2011-2101, CVE-2011-2102, CVE-2011-2103, CVE-2011-2104,CVE-2011-2105, CVE-2011-2106
    • Platform: Cross Platform
    • Title: Adobe Acrobat and Reader Multiple Vulnerabilities
    • Description: Adobe Reader and Acrobat are applications for handling PDF files. Adobe Acrobat and Reader are exposed to multiple issues such as memory corruptions, buffer overflows and a cross document script execution issue. Adobe Reader and Acrobat versions prior to 10.1 are affected.
    • Ref: http://www.adobe.com/support/security/bulletins/apsb11-16.html

    • 11.25.20 - CVE: CVE-2011-2093,CVE-2011-2092
    • Platform: Cross Platform
    • Title: Adobe LiveCycle Data Services and BlazeDS Multiple Remote Vulnerabilities
    • Description: Adobe BlazeDS is a Java-based messaging server. Adobe LiveCycle is a software management and deployment application. Adobe LiveCycle Data Services and BlazeDS are exposed to the following remote issues. 1) A security bypass issue that allows unauthorized users to create classes during AMF/AMFX deserialization. 2) A denial of service issue involving complex object graphs. LiveCycle Data Services 3.1, 2.6.1, 2.5.1 and earlier versions, LiveCycle 9.0.0.2, 8.2.1.3, 8.0.1.3 and earlier versions, and BlazeDS 4.0.1 and earlier versions are affected.
    • Ref: http://www.adobe.com/support/security/bulletins/apsb11-15.html

    • 11.25.21 - CVE: CVE-2011-0629, CVE-2011-2091
    • Platform: Cross Platform
    • Title: Adobe ColdFusion Unspecified Cross-Site Request Forgery and Remote Denial of Service
    • Description: Adobe ColdFusion is a platform for developing web applications. The application is exposed to the following issues. 1) An unspecified cross-site request forgery issue because it fails to properly validate HTTP requests. 2) A remote denial of service issue. Adobe ColdFusion 9.0.1 and prior versions are vulnerable.
    • Ref: http://www.adobe.com/support/security/bulletins/apsb11-14.html

    • 11.25.22 - CVE:CVE-2011-2128,CVE-2011-2127,CVE-2011-2126,CVE-2011-2125,CVE-2011-2124,CVE-2011-2123,CVE-2011-2122,CVE-2011-2121,CVE-2011-2120,CVE-2011-2119,CVE-2011-2118,CVE-2011-2117,CVE-2011-2116,CVE-2011-2115,CVE-2011-2114,CVE-2011-2113,CVE-2011-2112,CVE-2011-2111
    • Platform: Cross Platform
    • Title: Adobe Shockwave Player Multiple Remote Vulnerabilities
    • Description: Adobe Shockwave Player is a multimedia player application. The application is exposed to multiple remote issues. See the reference below for details. Versions prior to Adobe Shockwave Player 11.6.0.626 are vulnerable.
    • Ref: http://www.adobe.com/support/security/bulletins/apsb11-17.html

    • 11.25.23 - CVE: CVE-2011-2110
    • Platform: Cross Platform
    • Title: Adobe Flash Player Remote Memory Corruption
    • Description: Adobe Flash Player is a multimedia application for multiple platforms. The application is exposed to a remote memory corruption issue that can result in arbitrary code execution. Adobe Flash Player 10.3.181.23 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems, Adobe Flash Player 10.3.185.23 and earlier versions for Android are affected.
    • Ref: http://www.adobe.com/support/security/bulletins/apsb11-18.html

    • 11.25.24 - CVE: Not Available
    • Platform: Web Application - SQL Injection
    • Title: WebFileExplorer "user" and "pass" SQL Injection Vulnerabilities
    • Description: WebFileExplorer is an ASP-based file manager. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data to the "User" and "Pass" fields in the admin login page before using the data in an SQL query. WebFileExplorer 3.6 is vulnerable; other versions may also be affected.
    • Ref: http://www.securityfocus.com/bid/48233/discuss
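
The entry above is the textbook login-form injection: quotes in the "User" or "Pass" field end the string literal and the remainder becomes SQL. The following is an added example (not WebFileExplorer's code, and not from the advisory) that builds the vulnerable query next to its parameterized replacement and runs two classic bypass payloads against both. The table, the credentials and the payloads are constructed for the example; SQLite stands in for whatever database the ASP application used.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the file manager's admin table (constructed sample data).
    A real table would hold a password hash; plaintext here only keeps the injection visible."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (user TEXT PRIMARY KEY, pass TEXT NOT NULL)")
    db.execute("INSERT INTO users VALUES ('admin', 'correct horse battery staple')")
    return db


def login_vulnerable(db: sqlite3.Connection, user: str, password: str) -> bool:
    """The bug class above: the two form fields are spliced into the statement text,
    so a quote in either one ends the string literal and the rest becomes SQL."""
    sql = f"SELECT user FROM users WHERE user = '{user}' AND pass = '{password}'"
    return db.execute(sql).fetchone() is not None


def login_safe(db: sqlite3.Connection, user: str, password: str) -> bool:
    """Parameter binding: the statement text is fixed; the driver passes the values
    separately, so quotes and comment markers in them are data, never syntax."""
    row = db.execute("SELECT user FROM users WHERE user = ? AND pass = ?",
                     (user, password)).fetchone()
    return row is not None


# Two classic login-bypass payloads: comment out the password check, or append a
# tautology. SQLite, like most engines, treats '--' as a comment to end of line.
PAYLOAD_COMMENT_USER = "admin' --"
PAYLOAD_TAUTOLOGY_PASS = "' OR '1'='1"


def demonstrate() -> dict:
    db = make_db()
    return {
        "valid_credentials_safe": login_safe(db, "admin", "correct horse battery staple"),
        "wrong_password_vulnerable": login_vulnerable(db, "admin", "wrong"),
        "comment_bypass_vulnerable": login_vulnerable(db, PAYLOAD_COMMENT_USER, "wrong"),
        "comment_bypass_safe": login_safe(db, PAYLOAD_COMMENT_USER, "wrong"),
        "tautology_bypass_vulnerable": login_vulnerable(db, "nobody", PAYLOAD_TAUTOLOGY_PASS),
        "tautology_bypass_safe": login_safe(db, "nobody", PAYLOAD_TAUTOLOGY_PASS),
    }


if __name__ == "__main__":
    for k, v in demonstrate().items():
        print(f"{k:32s} -> logged in: {v}")
```

Escaping quotes by hand is not an alternative to binding: it has to be right for every character set and every engine, whereas a bound parameter is never parsed as SQL at all.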

    • 11.25.25 - CVE: Not Available
    • Platform: Web Application
    • Title: Drupal Spam Module Cross-Site Request Forgery
    • Description: Spam is a module for the Drupal content manager. The module is exposed to a cross-site request forgery issue because the application does not properly validate user-supplied requests. Specifically, the issue affects the "mark as spam" links. Versions prior to Spam 6.x-1.1 are vulnerable.
    • Ref: http://drupal.org/node/1183116
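
A "mark as spam" link that changes state on a plain GET is exploitable by any page the moderator visits (an image tag pointing at the link is enough, since the browser attaches the session cookie). The following is an added example (generic, not the Drupal module's code or Drupal's own token API) of the standard countermeasure: a token bound to the session and to the specific action, checked in constant time before the state change. The route, session identifiers and signing key are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Per-deployment signing key (generated here for the example; in a real site it is
# loaded from configuration, never derived from anything the client can see).
SERVER_SECRET = secrets.token_bytes(32)


def csrf_token(session_id: str, action: str) -> str:
    """A token is valid for one session *and* one action, so a token leaked from
    'mark comment 17 as spam' cannot be replayed against comment 18."""
    msg = f"{session_id}|{action}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def spam_link(session_id: str, comment_id: int) -> str:
    """Rendered in the moderator's page: the state-changing link carries its token."""
    action = f"spam/mark/{comment_id}"
    return f"/{action}?" + urlencode({"token": csrf_token(session_id, action)})


def handle_mark_spam(session_id: str, url: str) -> Tuple[int, str]:
    """Server side. The session_id comes from the cookie the browser attaches
    automatically; the token can only come from a page we rendered for that session."""
    parts = urlsplit(url)
    action = parts.path.lstrip("/")
    supplied = parse_qs(parts.query).get("token", [""])[0]
    expected = csrf_token(session_id, action)
    if not hmac.compare_digest(supplied, expected):   # constant-time comparison
        return 403, "missing or invalid CSRF token"
    return 200, f"{action}: marked as spam"


def demonstrate() -> dict:
    """Constructed requests: the legitimate link and three forgeries."""
    link = spam_link("moderator-session", 17)
    return {
        "legit_link": handle_mark_spam("moderator-session", link)[0],
        # Attacker page: <img src="https://site/spam/mark/17"> -- cookie is sent, token is not.
        "forged_no_token": handle_mark_spam("moderator-session", "/spam/mark/17")[0],
        # Token taken from comment 17's link, replayed against comment 18.
        "token_for_other_action": handle_mark_spam("moderator-session",
                                                   link.replace("/17?", "/18?"))[0],
        # Token issued to one session, presented under another.
        "token_for_other_session": handle_mark_spam("attacker-session", link)[0],
    }


if __name__ == "__main__":
    print(demonstrate())
```

Binding the token to the action is what makes a leaked link harmless beyond the one comment it was issued for; binding it to the session is what stops an attacker from minting tokens with their own account and handing them to a victim.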

    • 11.25.26 - CVE: Not Available
    • Platform: Web Application
    • Title: Horde Authentication Framework Composite Driver Authentication Bypass
    • Description: The Horde Authentication Framework (Horde_Auth) is the authentication library of the Horde PHP web application framework. The library is exposed to an authentication bypass issue due to an error in the composite authentication driver. Horde_Auth 1.0.0alpha1 through 1.0.3 are vulnerable and other versions may also be affected.
    • Ref: http://lists.horde.org/archives/announce/2011/000638.html

    • 11.25.27 - CVE: Not Available
    • Platform: Web Application
    • Title: HTML Purifier Cross-Site Scripting and Denial of Service Vulnerabilities
    • Description: HTML Purifier is an HTML filtering application implemented in PHP. The application is exposed to the following issues. 1) Multiple cross-site scripting issues because the application fails to sufficiently sanitize user-supplied input passed to "CDATA" and "cssText/innerHTML" parameters. 2) A denial of service issue exists while handling DOM objects. Specifically, the issue affects the "tokenizeDOM()" function in the "HTMLPurifier/Lexer/DOMLex.php" script. HTML Purifier versions prior to 4.3.0 are vulnerable.
    • Ref: http://www.securityfocus.com/bid/47053/discuss

    • 11.25.28 - CVE: Not Available
    • Platform: Network Device
    • Title: Veri-NAC URI Handling Directory Traversal Vulnerability
    • Description: Veri-NAC is a network access control device. Veri-NAC is exposed to a directory traversal issue because it fails to sufficiently sanitize user-supplied input sent through the URL. Veri-NAC firmware versions prior to 8.0.10 are vulnerable.
    • Ref: http://www.securityfocus.com/bid/48131/discuss
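
Both the Trend Micro Data Loss Prevention entry (11.25.2) and the Veri-NAC entry above are directory traversal through a path the client controls. The following is an added example (not code from either product, and not from the advisories) of resolving a URL path onto a file under a document root so that the usual escapes fail: "..", single- and double-percent-encoded "..", backslashes, NUL bytes, and a symlink inside the root that points outside it. The scratch directory, files and payloads are constructed for the example; POSIX symlinks are assumed.

```python
import os
import shutil
import tempfile
from urllib.parse import unquote


class TraversalRejected(ValueError):
    pass


def resolve_under_root(document_root: str, requested: str) -> str:
    """Map a path taken from an untrusted URL onto a file under document_root.

    Rejects, rather than silently rewrites, anything that tries to leave the root:
    '..' segments (also after single or double percent-decoding), NUL bytes, and
    symlinks inside the root that resolve outside it. Absolute inputs are treated
    as relative to the root. Caveat: double-decoding means a file whose real name
    contains a literal '%' cannot be served through this function.
    """
    decoded = unquote(unquote(requested))
    if "\x00" in decoded:
        raise TraversalRejected("NUL byte in path")
    decoded = decoded.replace("\\", "/")        # backslash traversal on Windows hosts
    parts = [p for p in decoded.split("/") if p not in ("", ".")]
    if ".." in parts:
        raise TraversalRejected("parent-directory reference in path")
    root = os.path.realpath(document_root)
    candidate = os.path.realpath(os.path.join(root, *parts)) if parts else root
    # Lexical checks cannot see symlinks; compare the *resolved* paths.
    if candidate != root and not candidate.startswith(root + os.sep):
        raise TraversalRejected("resolved path leaves the document root")
    return candidate


def is_rejected(document_root: str, requested: str) -> bool:
    try:
        resolve_under_root(document_root, requested)
        return False
    except TraversalRejected:
        return True


def demonstrate() -> dict:
    """Constructed scenario in a scratch directory: one legitimate file, a symlink
    that escapes the root, and the usual traversal payloads."""
    scratch = tempfile.mkdtemp()
    try:
        root = os.path.join(scratch, "www")
        os.mkdir(root)
        index = os.path.join(root, "index.html")
        with open(index, "w") as fh:
            fh.write("ok")
        secret = os.path.join(scratch, "secret.txt")
        with open(secret, "w") as fh:
            fh.write("keys")
        os.symlink(secret, os.path.join(root, "link"))      # inside root, points outside
        results = {"index.html": resolve_under_root(root, "/index.html") == os.path.realpath(index)}
        for payload in ("../secret.txt", "..%2fsecret.txt", "%252e%252e/secret.txt",
                        "..\\secret.txt", "/www/../secret.txt", "link", "index.html%00.png"):
            results[payload] = is_rejected(root, payload)
        return results
    finally:
        shutil.rmtree(scratch)


if __name__ == "__main__":
    for k, v in demonstrate().items():
        print(f"{k:28s} {v}")
```

The decode step matters as much as the ".." check: a filter that inspects the raw URL for "../" is exactly what "..%2f" and "%252e%252e/" are built to slip past, and the realpath comparison is the only part that catches the symlink.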

    • 11.25.29 - CVE: Not Available
    • Platform: Network Device
    • Title: Barracuda NG Firewall and phion netfence Remote Code Execution
    • Description: Barracuda NG Firewall is a security device designed to protect network infrastructure. phion netfence is the firewall product line from which the Barracuda NG Firewall derives. Barracuda NG Firewall and phion netfence are exposed to a remote code execution issue. Specifically, the issue occurs during the "ssh" login procedure. NG Firewall versions prior to 5.0.2 and phion netfence 4.0.x versions prior to 4.2.15 are affected.
    • Ref: http://www.securityfocus.com/archive/1/518362

    (c) 2011. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

    Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account