@RISK: The Consensus Security Vulnerability Alert

Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys

• (1) MEDIUM: HP iNode Management Center Stack Buffer Overflow

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

Third Party Windows Apps

• 11.28.1 - Winamp Essentials FLV File Heap-Based Buffer Overflow Vulnerability
• 11.28.2 - ESTsoft ALZip MIM File Processing Buffer Overflow
• 11.28.3 - HP Intelligent Management Centre Products Remote Code Execution
• 11.28.4 - IMesh "IMWebControl.dll" ActiveX Control Buffer Overflow
• 11.28.5 - XnView DLL Loading Arbitrary Code Execution Vulnerability

BSD

• 11.28.6 - OpenSSH "pam_thread()" Remote Buffer Overflow Vulnerability
• 11.28.7 - NetBSD Multiple "libc/net" Functions Stack Buffer Overflow Vulnerability

Cross Platform

• 11.28.8 - Asterisk SIP Authentication Request User Enumeration Weakness
• 11.28.9 - Sybase Advantage Server "ADS" Process Memory Corruption Vulnerability
• 11.28.10 - Zope Unspecified Security Bypass Vulnerability

Hardware

• 11.28.11 - Ingate Firewall and SIParator SIP Module Remote Denial of Service Vulnerability
• 11.28.12 - Wireshark Lucent/Ascend File Parser Denial of Service
• 11.28.13 - SAP Netweaver Insecure SAPTerm User Account Creation Security Bypass Vulnerability
• 11.28.14 - IBM DB2 "DT_RPATH" Insecure Library Loading Arbitrary Code Execution Vulnerability
• 11.28.15 - Multiple Virtualization Applications Intel VT-d chipsets Local Privilege Escalation Vulnerability
• 11.28.16 - IBM InfoSphere Information Server Multiple Local Privilege Escalation Vulnerabilities
• 11.28.17 - IBM Tivoli Storage Manager Client Multiple Buffer Overflow
• 11.28.18 - Vsftpd Compromised Source Packages Backdoor Vulnerability
• 11.28.19 - ISC BIND 9 RPZ Configurations Remote Denial of Service
• 11.28.20 - Opera Web Browser Multiple Remote Denial of Service Vulnerabilities

Web Application - Cross Site Scripting

• 11.28.21 - WebCalendar Multiple Cross-Site Scripting Vulnerabilities

Web Application - SQL Injection

• 11.28.22 - PhpFood "restaurant.php" SQL Injection Vulnerability

Web Application

• 11.28.23 - AeroMail Multiple Vulnerabilities
• 11.28.24 - IBM Rational DOORS Multiple Unspecified Vulnerabilities
• 11.28.25 - WeBid Local File Include and SQL Injection Vulnerabilities
• 11.28.26 - Portech MV-372 VoIP Gateway Multiple Security Vulnerabilities

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/risk/#process

*************************************************************

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 24, 2011

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com) This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 11590 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely. ______________________________________________________________________

• 11.28.1 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: Winamp Essentials FLV File Heap-Based Buffer Overflow Vulnerability
• Description: Winamp Essentials contains plugins for the Winamp media player. The application is exposed to a heap-based buffer overflow issue because it fails to perform adequate boundary checks on user-supplied input. This issue affects the "f263.w5s" file when parsing "CustomWidth" and "CustomHeight" fields. Winamp Essentials 5.6 is vulnerable and other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/48494/info

• 11.28.2 - CVE: CVE-2011-1336
• Platform: Third Party Windows Apps
• Title: ESTsoft ALZip MIM File Processing Buffer Overflow
• Description: ESTsoft ALZip is a file compression application. The application is exposed to a buffer overflow issue because it fails to perform adequate boundary checks on user-supplied input. Specifically, this issue occurs when handling specially crafted "MIM" files. ESTsoft ALZip versions 8.21 and prior are affected.
• Ref: http://jvn.jp/en/jp/JVN01547302/index.html

• 11.28.3 - CVE: CVE-2011-1867
• Platform: Third Party Windows Apps
• Title: HP Intelligent Management Centre Products Remote Code Execution
• Description: HP Intelligent Management Center (formerly 3com IMC) is a network management application. HP Intelligent Management Center User Access Manager and Endpoint Admission Defense are exposed to a remote code execution issue because of a stack-based buffer overflow issue. Specifically, the issue effects the "iNOdeMngChecker.exe" component when handling a packet of type "0x0A0BF007". HP Intelligent Management Center User Access Manager (UAM) v5.0 (E0101) and prior, HP Intelligent Management Center Endpoint Admission Defense (EAD) v5.0 (E0101) and prior are affected.
• Ref: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02901775

• 11.28.4 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: IMesh "IMWebControl.dll" ActiveX Control Buffer Overflow
• Description: IMesh is a P2P client for the Microsoft Windows operating platform. The application is exposed to a buffer overflow issue because the application fails to perform adequate boundary checks on user supplied data. This issue affects the "ProcessRequestEx()" method of the "IMWebControl.dll" ActiveX control. This control is identified by CLSID: 7C3B01BC-53A5-48A0-A43B-0C67731134B97. iMesh version 10.0 and the prior are affected.
• Ref: http://packetstormsecurity.org/files/view/102729/imesh-overflow.txt

• 11.28.5 - CVE: CVE-2011-1338
• Platform: Third Party Windows Apps
• Title: XnView DLL Loading Arbitrary Code Execution Vulnerability
• Description: XnView is an application for managing image files. The application is exposed to an issue that lets attackers execute arbitrary code. The issue arises because the application searches for Dynamic Link Library files in the current working directory. The issue can be exploited by placing both a specially crafted library file and a file that is associated with the vulnerable application in an attacker controlled location. Using the application to open the associated file will cause the malicious library file to be executed. XnView versions prior to 1.98.1 are affected.
• Ref: http://www.securityfocus.com/bid/48562/discuss

• 11.28.6 - CVE: Not Available
• Platform: BSD
• Title: OpenSSH "pam_thread()" Remote Buffer Overflow Vulnerability
• Description: OpenSSH (OpenBSD Secure Shell) is software that provides encrypted communications through the SSH protocol. OpenSSH is exposed to a buffer overflow issue because the library fails to properly perform bounds checks on user supplied input before copying it to an insufficiently sized memory buffer. This issue affects the "pam_thread()" function of the "auth2-pam-freebsd.c" source file. OpenSSH 3.5p1 running on FreeBSD 4.9 and 4.11 vulnerable, other versions and platforms may also be affected.
• Ref: http://www.securityfocus.com/bid/48507/info

• 11.28.7 - CVE: CVE-2011-1656
• Platform: BSD
• Title: NetBSD Multiple "libc/net" Functions Stack Buffer Overflow Vulnerability
• Description: NetBSD is exposed to a stack-based buffer overflow issue because it fails to properly bounds check user-supplied input. Specifically, this issue affects the following functions in the "libc/net" library: "getservbyname()", "getservbyname_r()", "getservbyport()", "getservbyport_r()", "getaddrinfo()" and "getnameinfo()". NetBSD 5.1 is affected.
• Ref: http://www.securityfocus.com/bid/48528/info

• 11.28.8 - CVE: CVE-2011-2536
• Platform: Cross Platform
• Title: Asterisk SIP Authentication Request User Enumeration Weakness
• Description: Asterisk is a private branch exchange application available for Linux, BSD and Mac OS X platforms. Asterisk is exposed to a user enumeration weakness. This issue occurs because the application responds differently when enumerating valid and invalid SIP usernames using the SIP authentication requests. Asterisk 1.4.41.2, 1.6.2.18.2, and 1.8.4.4 , Asterisk Business Edition C.3.7.3 are affected.
• Ref: http://downloads.asterisk.org/pub/security/AST-2011-011.html

• 11.28.9 - CVE: Not Available
• Platform: Cross Platform
• Title: Sybase Advantage Server "ADS" Process Memory Corruption Vulnerability
• Description: Sybase Advantage Server is a relational database management application. The application is exposed to a memory corruption issue. This issue affects the "ads.exe" service when handling a malformed packet sent to TCP or UDP port 6262. Sybase Advantage Server 10.0.0.3 is vulnerable and other versions may also be affected.
• Ref: http://aluigi.altervista.org/adv/sybase_4-adv.txt

• 11.28.10 - CVE: Not Available
• Platform: Cross Platform
• Title: Zope Unspecified Security Bypass Vulnerability
• Description: Zope is a web application server. The application is exposed to an unspecified security bypass issue. Very few technical details are currently available. All versions of Zope and Plone are affected.
• Ref: https://mail.zope.org/pipermail/zope-announce/2011-June/002260.html

• 11.28.11 - CVE: Not Available
• Platform: Hardware
• Title: Ingate Firewall and SIParator SIP Module Remote Denial of Service Vulnerability
• Description: Ingate Firewalls are hardware firewall devices that support Session Initiation Protocol (SIP) via SIParator SIP-based communication devices. Ingate Firewall and SIParator are exposed to a denial of service issue. The issue occurs when processing SIP requests that contain multiple Transport Layer Security destinations. Ingate SIParator 4.9.1 and prior are affected
• Ref: http://www.ingate.com/Relnote.php?ver=492

• 11.28.12 - CVE: CVE-2011-2597
• Platform: Cross Platform
• Title: Wireshark Lucent/Ascend File Parser Denial of Service
• Description: Wireshark (formerly Ethereal) is an application for analyzing network traffic. The application is exposed to a denial of service issue because it fails to properly handle specially crafted packets. Specifically, the issue affects the Lucent/Ascend file parser when parsing specially crafted packets. Wireshark versions 1.2.0 through 1.2.17, versions 1.4.0 through 1.4.7 and version 1.6.0 are affected.
• Ref: http://www.wireshark.org/security/wnpa-sec-2011-09.html

• 11.28.13 - CVE: Not Available
• Platform: Cross Platform
• Title: SAP Netweaver Insecure SAPTerm User Account Creation Security Bypass Vulnerability
• Description: SAP NetWeaver is an integration platform for enterprise applications. The application is exposed to a security bypass issue that can allow a user to create SAPTerm user accounts with hardcoded credentials. SAP Basis versions 620 through 640, SAP Basis versions 700 through 702, 710 through 730 and 72L through 800 are affected.
• Ref: http://www.securityfocus.com/bid/48509/info

• 11.28.14 - CVE: Not Available
• Platform: Cross Platform
• Title: IBM DB2 "DT_RPATH" Insecure Library Loading Arbitrary Code Execution Vulnerability
• Description: IBM DB2 is a database management application written for use on multiple platforms. The application is exposed to an issue because the "/opt/ibm/db2/V9.7/itma/tmaitm6/lx8266/bin/kbbacf1" binary (installed with root privileges) includes the current working directory (".") in the "DT_RPATH" (runtime library search path) of the ELF (Executable and Linking Format) header. IBM DB2 9.7 is vulnerable and other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/48514/info

• 11.28.15 - CVE: CVE-2011-1898
• Platform: Cross Platform
• Title: Multiple Virtualization Applications Intel VT-d chipsets Local Privilege Escalation Vulnerability
• Description: Multiple Virtualization applications using Intel VT-d chipsets are exposed to a privilege escalation issue that occurs when interrupt remapping is not enabled in the chipsets. Specifically, this occurs because the affected chipsets fail to prevent a guest which owns a PCI device from using DMA. An attacker-controlled PCI device can exploit this to generate MSI interrupts by writing to the interrupt injection registers. Xen and KVM are vulnerable and other Virtualization applications may also be affected.
• Ref: http://www.securityfocus.com/bid/48515/info

• 11.28.16 - CVE: Not Available
• Platform: Cross Platform
• Title: IBM InfoSphere Information Server Multiple Local Privilege Escalation Vulnerabilities
• Description: The IBM InfoSphere Information Server is an enterprise platform for data integration. The application is exposed to multiple local privilege escalation issues. Specifically, these issues occur because insecure file permissions and ownership settings may be applied to "ds.rc" and "dsenv" files within the DSEngine directory. IBM InfoSphere Information Server versions 8.5 and 8.5.0.1 are affected.
• Ref: https://www-304.ibm.com/support/docview.wss?uid=swg21504279

• 11.28.17 - CVE: CVE-2011-1223,CVE-2011-1222
• Platform: Cross Platform
• Title: IBM Tivoli Storage Manager Client Multiple Buffer Overflow
• Description: IBM Tivoli Storage Manager is an application for running automated backup and recovery of data. The application is exposed to multiple buffer overflow issues. A buffer overflow issue affects the Journal Based Backup function. A buffer overflow issue affects the Alternate Data Streams processing function. IBM Tivoli Storage Manager 6.2.0.0 through 6.2.1.3, 6.1.0.0 through 6.1.3.1, 5.5.0.0 through 5.5.2.10 and 5.4.0.0 through 5.4.3.3 are affected.
• Ref: http://www.securityfocus.com/bid/48519/discuss

• 11.28.18 - CVE: Not Available
• Platform: Cross Platform
• Title: Vsftpd Compromised Source Packages Backdoor Vulnerability
• Description: Vsftpd (Very Secure File Transfer Protocol daemon) is a secure FTP server for Linux, UNIX and similar operating systems. The application is exposed to a backdoor issue because the "vsftpd-2.3.4.tar.gz" source package file contains a backdoor. The Vsftpd 2.3.4 source package is affected.
• Ref: http://www.securityfocus.com/bid/48539/discuss

• 11.28.19 - CVE: CVE-2011-2465
• Platform: Cross Platform
• Title: ISC BIND 9 RPZ Configurations Remote Denial of Service
• Description: ISC BIND (Berkley Internet Name Domain) is an implementation of the Domain Name System protocols. The application is exposed to multiple remote denial of service issues. These issues affect servers with recursion enabled and configured with the Response Policy Zones (RPZ) feature. Specifically, the issues are triggered when processing certain RPZ rule/action patterns, which contain specially crafted DNAME and CNAME records. ISC BIND versions prior to 9.8.0-P4 are vulnerable. (Note that 9.8.0-P3 is not affected but has been replaced by 9.8.0-P4).
• Ref: https://www.isc.org/software/bind/advisories/cve-2011-2465

• 11.28.20 - CVE:CVE-2011-2633,CVE-2011-2632,CVE-2011-2631,CVE-2011-2630,CVE-2011-2629
• Platform: Cross Platform
• Title: Opera Web Browser Multiple Remote Denial of Service Vulnerabilities
• Description: Opera is a Web browser application. The application is exposed to multiple issues. A denial of service issue occurs when handling unknown content on certain web sites, as was demonstrated on "www.falk.de". A denial of service issue occurs when a popup page of the "Easy Sticky Note" extension is reloaded. A denial of service issue occurs because of an infinite loop when processing the "column-count" Cascading Style Sheet property, as was demonstrated on an unspecified Wikipedia page. A denial of service issue occurs because the browser fails to properly deconstruct certain Silverlight instances, as was demonstrated on "vod.onet.pl". A denial of service issue occurs when processing a certain Certificate Revocation List file, as was demonstrated by the "multicert-ca-02.crl" file. Versions prior to Opera Web Browser 11.11 are affected.
• Ref: http://www.opera.com/docs/changelogs/windows/1111/ http://www.opera.com/docs/changelogs/unix/1111/ http://www.opera.com/docs/changelogs/mac/1111/

• 11.28.21 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: WebCalendar Multiple Cross-Site Scripting Vulnerabilities
• Description: WebCalendar is a PHP-based application. The application is exposed to multiple cross-site scripting issues because it fails to properly sanitize user-supplied input to multiple scripts and parameters. WebCalendar 1.2.3 is vulnerable; other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/48546/info

• 11.28.22 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: PhpFood "restaurant.php" SQL Injection Vulnerability
• Description: phpFood is a content manager that tracks food orders. PhpFood is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied input to the "id" parameter of the "restaurant.php" script before using it in an SQL query. phpFood 2.00 is vulnerable; other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/48552

• 11.28.23 - CVE: Not Available
• Platform: Web Application
• Title: AeroMail Multiple Vulnerabilities
• Description: Aeromail is an email application. The application is exposed to multiple remote issues. A cross-site scripting issue affects the "folder" URL variable. A cross-site request forgery affects the composition screen. A cross-site request forgery allows attackers to send spam email without a user knowing. An HTML injection issue occurs because the application fails to sanitize folder names. An HTML injection issue occurs because the application fails to sanitize the email attachment names. An HTML injection issue occurs because the application fails to sanitize the subject line before displaying emails. AeroMail version 2.80 is vulnerable, other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/48510/discuss

• 11.28.24 - CVE: Not Available
• Platform: Web Application
• Title: IBM Rational DOORS Multiple Unspecified Vulnerabilities
• Description: IBM Rational DOORS is a Web application that works with IBM Rational DOORS databases. The application is exposed to multiple unspecified issues. An unspecified cross-site scripting issue exists. An unspecified issue affects "Server Error" responses. An unspecified issue affects the application. IBM Rational DOORS versions 1.4 through 1.4.0.3 are affected.
• Ref: https://www-304.ibm.com/support/docview.wss?uid=swg27020404

• 11.28.25 - CVE: Not Available
• Platform: Web Application
• Title: WeBid Local File Include and SQL Injection Vulnerabilities
• Description: WeBid is a web-based application implemented in PHP. The application is exposed to multiple input validation issues. A local file include issue affects the "lan" and "USERLANGUAGE" parameters of the "includes/messages.inc.php" script. 2) Multiple SQL-injection issues affect the application. WeBid 1.0.2 is vulnerable and other versions may also be affected.
• Ref: http://www.webidsupport.com/forums/showthread.php?3892

• 11.28.26 - CVE: Not Available
• Platform: Hardware
• Title: Portech MV-372 VoIP Gateway Multiple Security Vulnerabilities
• Description: The Portech MV-372 VoIP Gateway is a GSM/CDMA/UMTS mobile gateway device. The device is exposed to multiple issues. An information disclosure issue exists because the device displays information about the model type, module description, and firmware and codec versions without authentication. A denial of service issue occurs when passing an overly long string to the "password" field while connecting through a Telnet service. Multiple security bypass issues exist because the application allows the modification of configuration settings to occur without the provision of a valid username and password. All version of firmware are affected.
• Ref: http://www.securityfocus.com/bid/48560

(c) 2011. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account