@RISK: The Consensus Security Vulnerability Alert

Volume: X, Issue: 24
July 7, 2011

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Platform                                  Number of Updates and Vulnerabilities
    ----------------------------------------  -------------------------------------
    Third Party Windows Apps                  5 (#1)
    BSD                                       2
    Cross Platform                            12
    Web Application - Cross Site Scripting    1
    Web Application - SQL Injection           1
    Web Application                           3
    Hardware                                  2

************************* Sponsored By SANS ****************************

Two-day workshop on the Art and Science of Baking Security into Applications and Networks - listen to techniques leading companies have used which have provided IT architects and engineers knowledge to ensure security is considered in every step of the development life cycle. SANS Baking Security into Applications and Networks Workshop, Washington DC, August 29 - 30, http://www.sans.org/info/81229

*************************************************************************

TRAINING UPDATE

--SANSFIRE 2011, Washington, DC, July 15-24, 2011
  42 courses. Bonus evening presentations include Ninja developers: Penetration testing and Your SDLC; and Are Your Tools Ready for IPv6?
  http://www.sans.org/sansfire-2011/

--SANS Boston 2011, Boston, MA, August 8-15, 2011
  13 courses. Bonus evening presentations include Cost Effectively Implementing PCI through the Critical Controls; and More Practical Insights on the 20 Critical Controls
  http://www.sans.org/boston-2011/

--SANS Virginia Beach 2011, August 22 - September 2, 2011
  11 courses. Bonus evening presentations include SANS Hacklab; Offensive Countermeasures; and Evolving VoIP Threats
  http://www.sans.org/virginia-beach-2011/

--SANS Ottawa 2011, Ottawa, Ontario, August 28 - September 2, 2011
  6 courses. Bonus evening presentations include DNS Sinkhole: Peer Into Your Network While You Sleep; and I See What You Did There: Forensic Time Line Analysis
  http://www.sans.org/ottawa-2011/

--SANS Network Security 2011, Las Vegas, NV, September 17-26, 2011
  46 courses. Bonus evening presentations include Securing the Kids; Who is Watching the Watchers?; and Emerging Trends in the Law of Information Security and Investigations
  http://www.sans.org/network-security-2011/

--SANS Chicago 2011, Chicago, IL, October 23-28, 2011
  6 courses. Bonus evening presentations include Computer Forensics in the Virtual Realm and Electrical Grid Security
  http://www.sans.org/chicago-2011/

--Looking for training in your own community? http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/discounts.php#current

Plus Melbourne, Tokyo, Delhi and London all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

****************************************************************************

Table Of Contents

Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
    Third Party Windows Apps
    BSD
    Cross Platform
    Hardware
    Web Application - Cross Site Scripting
    Web Application - SQL Injection
    Web Application

    ************************** Sponsored Link: ******************************

    1) Learn how to secure your network during the IPv6 transition at the Security Impact of IPv6 Summit July 15th in Washington DC and take advantage of the post-Summit IPv6 Essentials course July 16th. http://www.sans.org/ipv6-summit-2011/

    *************************************************************************

    PART I Critical Vulnerabilities

    Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/risk/#process

    *************************************************************

    Widely Deployed Software
    • (1) MEDIUM: HP iNode Management Center Stack Buffer Overflow
    • Affected:
      • HP Intelligent Management Center User Access Manager (UAM) prior to IMC_UAM_5.0_SP1_E0101P03
      • HP Intelligent Management Center Endpoint Admission Defense (EAD) prior to IMC_EAD_5.0_SP1_E0101P03
    • Description: HP has released patches for its Intelligent Management Center network management software. A component of the software, iNOdeMngChecker.exe, listens by default on port 9090 and copies attacker-supplied data into a fixed-length buffer on the stack. By sending a malicious request, an attacker can exploit this vulnerability to execute arbitrary code on the target machine with SYSTEM-level privileges.

    • Status: vendor confirmed, updates available

    • References:

    Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
    Week 24, 2011

    Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

    This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 11590 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.

    ______________________________________________________________________


    • 11.28.1 - CVE: Not Available
    • Platform: Third Party Windows Apps
    • Title: Winamp Essentials FLV File Heap-Based Buffer Overflow Vulnerability
    • Description: Winamp Essentials contains plugins for the Winamp media player. The application is exposed to a heap-based buffer overflow issue because it fails to perform adequate boundary checks on user-supplied input. This issue affects the "f263.w5s" file when parsing "CustomWidth" and "CustomHeight" fields. Winamp Essentials 5.6 is vulnerable and other versions may also be affected.
    • Ref: http://www.securityfocus.com/bid/48494/info

    • 11.28.2 - CVE: CVE-2011-1336
    • Platform: Third Party Windows Apps
    • Title: ESTsoft ALZip MIM File Processing Buffer Overflow
    • Description: ESTsoft ALZip is a file compression application. The application is exposed to a buffer overflow issue because it fails to perform adequate boundary checks on user-supplied input. Specifically, this issue occurs when handling specially crafted "MIM" files. ESTsoft ALZip versions 8.21 and prior are affected.
    • Ref: http://jvn.jp/en/jp/JVN01547302/index.html

    • 11.28.3 - CVE: CVE-2011-1867
    • Platform: Third Party Windows Apps
    • Title: HP Intelligent Management Centre Products Remote Code Execution
    • Description: HP Intelligent Management Center (formerly 3Com IMC) is a network management application. HP Intelligent Management Center User Access Manager and Endpoint Admission Defense are exposed to a remote code execution issue caused by a stack-based buffer overflow. Specifically, the issue affects the "iNOdeMngChecker.exe" component when handling a packet of type "0x0A0BF007". HP Intelligent Management Center User Access Manager (UAM) v5.0 (E0101) and prior and HP Intelligent Management Center Endpoint Admission Defense (EAD) v5.0 (E0101) and prior are affected.
    • Ref: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02901775

    • 11.28.4 - CVE: Not Available
    • Platform: Third Party Windows Apps
    • Title: IMesh "IMWebControl.dll" ActiveX Control Buffer Overflow
    • Description: iMesh is a P2P client for the Microsoft Windows platform. The application is exposed to a buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data. This issue affects the "ProcessRequestEx()" method of the "IMWebControl.dll" ActiveX control. This control is identified by CLSID: 7C3B01BC-53A5-48A0-A43B-0C67731134B97. iMesh version 10.0 and prior are affected.
    • Ref: http://packetstormsecurity.org/files/view/102729/imesh-overflow.txt

    • 11.28.5 - CVE: CVE-2011-1338
    • Platform: Third Party Windows Apps
    • Title: XnView DLL Loading Arbitrary Code Execution Vulnerability
    • Description: XnView is an application for managing image files. The application is exposed to an issue that lets attackers execute arbitrary code. The issue arises because the application searches for Dynamic Link Library files in the current working directory. The issue can be exploited by placing both a specially crafted library file and a file that is associated with the vulnerable application in an attacker-controlled location. Using the application to open the associated file will cause the malicious library file to be loaded and executed. XnView versions prior to 1.98.1 are affected.
    • Ref: http://www.securityfocus.com/bid/48562/discuss

    • 11.28.6 - CVE: Not Available
    • Platform: BSD
    • Title: OpenSSH "pam_thread()" Remote Buffer Overflow Vulnerability
    • Description: OpenSSH (OpenBSD Secure Shell) is software that provides encrypted communications through the SSH protocol. OpenSSH is exposed to a buffer overflow issue because it fails to properly perform bounds checks on user-supplied input before copying it into an insufficiently sized memory buffer. This issue affects the "pam_thread()" function of the "auth2-pam-freebsd.c" source file. OpenSSH 3.5p1 running on FreeBSD 4.9 and 4.11 is vulnerable; other versions and platforms may also be affected.
    • Ref: http://www.securityfocus.com/bid/48507/info

    • 11.28.7 - CVE: CVE-2011-1656
    • Platform: BSD
    • Title: NetBSD Multiple "libc/net" Functions Stack Buffer Overflow Vulnerability
    • Description: NetBSD is exposed to a stack-based buffer overflow issue because it fails to properly bounds check user-supplied input. Specifically, this issue affects the following functions in the "libc/net" library: "getservbyname()", "getservbyname_r()", "getservbyport()", "getservbyport_r()", "getaddrinfo()" and "getnameinfo()". NetBSD 5.1 is affected.
    • Ref: http://www.securityfocus.com/bid/48528/info

    • 11.28.8 - CVE: CVE-2011-2536
    • Platform: Cross Platform
    • Title: Asterisk SIP Authentication Request User Enumeration Weakness
    • Description: Asterisk is a private branch exchange application available for Linux, BSD and Mac OS X platforms. Asterisk is exposed to a user enumeration weakness. This issue occurs because the application responds differently to SIP authentication requests for valid and invalid SIP usernames, which allows an attacker to enumerate valid accounts. Asterisk 1.4.41.2, 1.6.2.18.2 and 1.8.4.4, and Asterisk Business Edition C.3.7.3 are affected.
    • Ref: http://downloads.asterisk.org/pub/security/AST-2011-011.html

    • 11.28.9 - CVE: Not Available
    • Platform: Cross Platform
    • Title: Sybase Advantage Server "ADS" Process Memory Corruption Vulnerability
    • Description: Sybase Advantage Server is a relational database management application. The application is exposed to a memory corruption issue. This issue affects the "ads.exe" service when handling a malformed packet sent to TCP or UDP port 6262. Sybase Advantage Server 10.0.0.3 is vulnerable and other versions may also be affected.
    • Ref: http://aluigi.altervista.org/adv/sybase_4-adv.txt

    • 11.28.10 - CVE: Not Available
    • Platform: Cross Platform
    • Title: Zope Unspecified Security Bypass Vulnerability
    • Description: Zope is a web application server. The application is exposed to an unspecified security bypass issue. Very few technical details are currently available. All versions of Zope and Plone are affected.
    • Ref: https://mail.zope.org/pipermail/zope-announce/2011-June/002260.html

    • 11.28.11 - CVE: Not Available
    • Platform: Hardware
    • Title: Ingate Firewall and SIParator SIP Module Remote Denial of Service Vulnerability
    • Description: Ingate Firewalls are hardware firewall devices that support the Session Initiation Protocol (SIP); Ingate SIParator devices are the corresponding SIP-based communication appliances. Ingate Firewall and SIParator are exposed to a denial of service issue. The issue occurs when processing SIP requests that contain multiple Transport Layer Security destinations. Ingate SIParator 4.9.1 and prior are affected.
    • Ref: http://www.ingate.com/Relnote.php?ver=492

    • 11.28.12 - CVE: CVE-2011-2597
    • Platform: Cross Platform
    • Title: Wireshark Lucent/Ascend File Parser Denial of Service
    • Description: Wireshark (formerly Ethereal) is an application for analyzing network traffic. The application is exposed to a denial of service issue because it fails to properly handle specially crafted packets. Specifically, the issue affects the Lucent/Ascend file parser when parsing specially crafted packets. Wireshark versions 1.2.0 through 1.2.17, versions 1.4.0 through 1.4.7 and version 1.6.0 are affected.
    • Ref: http://www.wireshark.org/security/wnpa-sec-2011-09.html

    • 11.28.13 - CVE: Not Available
    • Platform: Cross Platform
    • Title: SAP Netweaver Insecure SAPTerm User Account Creation Security Bypass Vulnerability
    • Description: SAP NetWeaver is an integration platform for enterprise applications. The application is exposed to a security bypass issue that can allow a user to create SAPTerm user accounts with hardcoded credentials. SAP Basis versions 620 through 640, SAP Basis versions 700 through 702, 710 through 730 and 72L through 800 are affected.
    • Ref: http://www.securityfocus.com/bid/48509/info

    • 11.28.14 - CVE: Not Available
    • Platform: Cross Platform
    • Title: IBM DB2 "DT_RPATH" Insecure Library Loading Arbitrary Code Execution Vulnerability
    • Description: IBM DB2 is a database management application written for use on multiple platforms. The application is exposed to an issue because the "/opt/ibm/db2/V9.7/itma/tmaitm6/lx8266/bin/kbbacf1" binary (installed with root privileges) includes the current working directory (".") in the "DT_RPATH" (runtime library search path) of the ELF (Executable and Linkable Format) header, so a shared library placed in the directory the binary is run from is loaded in preference to the system copy. IBM DB2 9.7 is vulnerable and other versions may also be affected.
    • Ref: http://www.securityfocus.com/bid/48514/info
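    The DT_RPATH weakness in 11.28.14 can be audited on any ELF binary. The following is an added example, not code from the bulletin or from IBM: it walks the .dynamic section of an ELF32 or ELF64 image for DT_RPATH and DT_RUNPATH entries and flags any element the dynamic linker resolves relative to the process's current working directory ("." as in the DB2 case, an empty element from a leading, trailing or doubled colon, or any other relative path). The build_sample_elf64 helper is a constructed minimal image used only as offline sample input; it is not a runnable binary.

```python
import struct

# ELF constants used below (from the ELF specification).
SHT_DYNAMIC = 6
DT_NULL, DT_RPATH, DT_RUNPATH = 0, 15, 29
TAG_NAMES = {DT_RPATH: "DT_RPATH", DT_RUNPATH: "DT_RUNPATH"}


def elf_search_paths(data):
    """Return [(tag_name, path_list_string)] for every DT_RPATH / DT_RUNPATH
    entry in the .dynamic section of an ELF32 or ELF64 image (either endian)."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64, e = data[4] == 2, ("<" if data[5] == 1 else ">")
    if is64:
        (shoff,) = struct.unpack_from(e + "Q", data, 40)
        shentsize, shnum = struct.unpack_from(e + "HH", data, 58)
        sh_fmt, dyn_fmt = e + "IIQQQQIIQQ", e + "qQ"
    else:
        (shoff,) = struct.unpack_from(e + "I", data, 32)
        shentsize, shnum = struct.unpack_from(e + "HH", data, 46)
        sh_fmt, dyn_fmt = e + "IIIIIIIIII", e + "iI"
    # Section header fields: [0] name [1] type [2] flags [3] addr [4] offset [5] size [6] link
    sections = [struct.unpack_from(sh_fmt, data, shoff + i * shentsize) for i in range(shnum)]
    found = []
    for sh in sections:
        if sh[1] != SHT_DYNAMIC:
            continue
        strsec = sections[sh[6]]  # sh_link of .dynamic points at its .dynstr table
        strtab = data[strsec[4]:strsec[4] + strsec[5]]
        entsize = struct.calcsize(dyn_fmt)
        for pos in range(sh[4], sh[4] + sh[5], entsize):
            tag, val = struct.unpack_from(dyn_fmt, data, pos)
            if tag == DT_NULL:
                break
            if tag in TAG_NAMES:
                found.append((TAG_NAMES[tag], strtab[val:strtab.index(b"\x00", val)].decode()))
    return found


def is_cwd_relative(elem):
    """True for a search-path element the dynamic linker resolves relative to the
    process's current working directory: ".", an empty element (from "::" or a
    leading/trailing colon) or any other relative path. "$ORIGIN"-style tokens
    expand to an absolute location and are not flagged."""
    return not (elem.startswith("/") or elem.startswith("$"))


def audit_search_paths(data):
    """[(tag_name, full_value, [unsafe elements])] for entries that load from cwd."""
    findings = []
    for tag, value in elf_search_paths(data):
        bad = [x for x in value.split(":") if is_cwd_relative(x)]
        if bad:
            findings.append((tag, value, bad))
    return findings


def build_sample_elf64(tag, path):
    """Constructed minimal little-endian ELF64 image (null, .dynstr and .dynamic
    section headers only; not a runnable binary) used as offline sample input."""
    dynstr = b"\x00" + path.encode() + b"\x00"
    dynamic = struct.pack("<qQ", tag, 1) + struct.pack("<qQ", DT_NULL, 0)
    shoff, shnum = 64, 3
    dynstr_off = shoff + shnum * 64
    dynamic_off = dynstr_off + len(dynstr)
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr += struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, shnum, 0)
    sh_null = b"\x00" * 64
    sh_dynstr = struct.pack("<IIQQQQIIQQ", 0, 3, 0, 0, dynstr_off, len(dynstr), 0, 0, 1, 0)
    sh_dynamic = struct.pack("<IIQQQQIIQQ", 0, SHT_DYNAMIC, 0, 0, dynamic_off, len(dynamic), 1, 0, 8, 16)
    return ehdr + sh_null + sh_dynstr + sh_dynamic + dynstr + dynamic


if __name__ == "__main__":
    import sys
    for name in sys.argv[1:]:
        with open(name, "rb") as f:
            for tag, value, bad in audit_search_paths(f.read()):
                print(f"{name}: {tag}={value!r} loads from cwd via {bad}")
```

    Run it over setuid-root or root-run binaries (as the DB2 entry describes) and treat any finding as a local privilege escalation path; on glibc systems DT_RPATH is ignored when DT_RUNPATH is present, but either tag with a cwd-relative element is worth fixing.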

    • 11.28.15 - CVE: CVE-2011-1898
    • Platform: Cross Platform
    • Title: Multiple Virtualization Applications Intel VT-d chipsets Local Privilege Escalation Vulnerability
    • Description: Multiple virtualization applications running on Intel VT-d chipsets are exposed to a privilege escalation issue that occurs when interrupt remapping is not enabled in the chipset. Specifically, this occurs because the affected chipsets fail to prevent a guest that owns a PCI device from using DMA to reach the interrupt injection registers. An attacker-controlled PCI device can exploit this to generate MSI interrupts by writing to those registers. Xen and KVM are vulnerable and other virtualization applications may also be affected.
    • Ref: http://www.securityfocus.com/bid/48515/info

    • 11.28.16 - CVE: Not Available
    • Platform: Cross Platform
    • Title: IBM InfoSphere Information Server Multiple Local Privilege Escalation Vulnerabilities
    • Description: The IBM InfoSphere Information Server is an enterprise platform for data integration. The application is exposed to multiple local privilege escalation issues. Specifically, these issues occur because insecure file permissions and ownership settings may be applied to "ds.rc" and "dsenv" files within the DSEngine directory. IBM InfoSphere Information Server versions 8.5 and 8.5.0.1 are affected.
    • Ref: https://www-304.ibm.com/support/docview.wss?uid=swg21504279

    • 11.28.17 - CVE: CVE-2011-1223, CVE-2011-1222
    • Platform: Cross Platform
    • Title: IBM Tivoli Storage Manager Client Multiple Buffer Overflow
    • Description: IBM Tivoli Storage Manager is an application for running automated backup and recovery of data. The application is exposed to multiple buffer overflow issues: one affects the Journal Based Backup function, and another affects the Alternate Data Streams processing function. IBM Tivoli Storage Manager 6.2.0.0 through 6.2.1.3, 6.1.0.0 through 6.1.3.1, 5.5.0.0 through 5.5.2.10 and 5.4.0.0 through 5.4.3.3 are affected.
    • Ref: http://www.securityfocus.com/bid/48519/discuss

    • 11.28.18 - CVE: Not Available
    • Platform: Cross Platform
    • Title: Vsftpd Compromised Source Packages Backdoor Vulnerability
    • Description: Vsftpd (Very Secure File Transfer Protocol daemon) is a secure FTP server for Linux, UNIX and similar operating systems. The application is exposed to a backdoor issue because the "vsftpd-2.3.4.tar.gz" source package file contains a backdoor. The Vsftpd 2.3.4 source package is affected.
    • Ref: http://www.securityfocus.com/bid/48539/discuss

    • 11.28.19 - CVE: CVE-2011-2465
    • Platform: Cross Platform
    • Title: ISC BIND 9 RPZ Configurations Remote Denial of Service
    • Description: ISC BIND (Berkeley Internet Name Domain) is an implementation of the Domain Name System protocols. The application is exposed to multiple remote denial of service issues. These issues affect servers with recursion enabled and configured with the Response Policy Zones (RPZ) feature. Specifically, the issues are triggered when processing certain RPZ rule/action patterns, which contain specially crafted DNAME and CNAME records. ISC BIND versions prior to 9.8.0-P4 are vulnerable. (Note that 9.8.0-P3 is not affected but has been replaced by 9.8.0-P4.)
    • Ref: https://www.isc.org/software/bind/advisories/cve-2011-2465

    • 11.28.20 - CVE: CVE-2011-2633, CVE-2011-2632, CVE-2011-2631, CVE-2011-2630, CVE-2011-2629
    • Platform: Cross Platform
    • Title: Opera Web Browser Multiple Remote Denial of Service Vulnerabilities
    • Description: Opera is a Web browser application. The application is exposed to multiple issues. A denial of service issue occurs when handling unknown content on certain web sites, as was demonstrated on "www.falk.de". A denial of service issue occurs when a popup page of the "Easy Sticky Note" extension is reloaded. A denial of service issue occurs because of an infinite loop when processing the "column-count" Cascading Style Sheet property, as was demonstrated on an unspecified Wikipedia page. A denial of service issue occurs because the browser fails to properly deconstruct certain Silverlight instances, as was demonstrated on "vod.onet.pl". A denial of service issue occurs when processing a certain Certificate Revocation List file, as was demonstrated by the "multicert-ca-02.crl" file. Versions prior to Opera Web Browser 11.11 are affected.
    • Ref: http://www.opera.com/docs/changelogs/windows/1111/
      http://www.opera.com/docs/changelogs/unix/1111/
      http://www.opera.com/docs/changelogs/mac/1111/

    • 11.28.21 - CVE: Not Available
    • Platform: Web Application - Cross Site Scripting
    • Title: WebCalendar Multiple Cross-Site Scripting Vulnerabilities
    • Description: WebCalendar is a PHP-based application. The application is exposed to multiple cross-site scripting issues because it fails to properly sanitize user-supplied input to multiple scripts and parameters. WebCalendar 1.2.3 is vulnerable; other versions may also be affected.
    • Ref: http://www.securityfocus.com/bid/48546/info

    • 11.28.22 - CVE: Not Available
    • Platform: Web Application - SQL Injection
    • Title: PhpFood "restaurant.php" SQL Injection Vulnerability
    • Description: phpFood is a content manager that tracks food orders. PhpFood is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied input to the "id" parameter of the "restaurant.php" script before using it in an SQL query. phpFood 2.00 is vulnerable; other versions may also be affected.
    • Ref: http://www.securityfocus.com/bid/48552

    • 11.28.23 - CVE: Not Available
    • Platform: Web Application
    • Title: AeroMail Multiple Vulnerabilities
    • Description: AeroMail is a web-based email application. The application is exposed to multiple remote issues. A cross-site scripting issue affects the "folder" URL variable. A cross-site request forgery issue affects the composition screen and allows attackers to send spam email without the user's knowledge. HTML injection issues occur because the application fails to sanitize folder names, email attachment names and the subject line before displaying emails. AeroMail version 2.80 is vulnerable; other versions may also be affected.
    • Ref: http://www.securityfocus.com/bid/48510/discuss

    • 11.28.24 - CVE: Not Available
    • Platform: Web Application
    • Title: IBM Rational DOORS Multiple Unspecified Vulnerabilities
    • Description: IBM Rational DOORS is a Web application that works with IBM Rational DOORS databases. The application is exposed to multiple unspecified issues. An unspecified cross-site scripting issue exists. An unspecified issue affects "Server Error" responses. An unspecified issue affects the application. IBM Rational DOORS versions 1.4 through 1.4.0.3 are affected.
    • Ref: https://www-304.ibm.com/support/docview.wss?uid=swg27020404

    • 11.28.25 - CVE: Not Available
    • Platform: Web Application
    • Title: WeBid Local File Include and SQL Injection Vulnerabilities
    • Description: WeBid is a web-based auction application implemented in PHP. The application is exposed to multiple input validation issues. A local file include issue affects the "lan" and "USERLANGUAGE" parameters of the "includes/messages.inc.php" script. Multiple SQL injection issues also affect the application. WeBid 1.0.2 is vulnerable and other versions may also be affected.
    • Ref: http://www.webidsupport.com/forums/showthread.php?3892

    • 11.28.26 - CVE: Not Available
    • Platform: Hardware
    • Title: Portech MV-372 VoIP Gateway Multiple Security Vulnerabilities
    • Description: The Portech MV-372 VoIP Gateway is a GSM/CDMA/UMTS mobile gateway device. The device is exposed to multiple issues. An information disclosure issue exists because the device displays information about the model type, module description, and firmware and codec versions without authentication. A denial of service issue occurs when passing an overly long string to the "password" field while connecting through the Telnet service. Multiple security bypass issues exist because the device allows configuration settings to be modified without a valid username and password. All firmware versions are affected.
    • Ref: http://www.securityfocus.com/bid/48560

    (c) 2011. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

    Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account