@RISK: The Consensus Security Vulnerability Alert

Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys

• (1) HIGH: Microsoft Windows Bluetooth Stack overflow
• (2) MEDIUM: Trend Micro Control Manager Multiple Vulnerabilities

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

Windows

• 11.29.1 - Microsoft Windows Bluetooth Stack Remote Code Execution
• 11.29.2 - Microsoft Windows CSRSS Multiple Local Privilege Escalation Vulnerabilities
• 11.29.3 - Microsoft Windows Kernel "Win32k.sys" Multiple Vulnerabilities

Third Party Windows Apps

• 11.29.4 - ESTsoft ALPlayer ".asx" File Buffer Overflow
• 11.29.5 - Chilkat Crypt ActiveX Control "SaveDecrypted()" Insecure Method Vulnerability
• 5.0 - ZipWiz 2005 ".zip" File Buffer Overflow
• 11.29.7 - Effective File Search (EFS) DLL Loading Arbitrary Code Execution
• 11.29.8 - ZipItFree ".zip" File Buffer Overflow
• 11.29.9 - Trend Micro Control Manager "CASProcessor.exe" BLOB Remote Code Execution

Linux

• 11.29.10 - Debian and Ubuntu foo2zjs Insecure Temporary File Creation Vulnerability

HP-UX

• 11.29.11 - HP-UX Dynamic Loader Unspecified Local Privilege Escalation

Cross Platform

• 11.29.12 - Apache XML Security for C++ Signature Key Parsing Denial of Service
• 11.29.13 - libpng PNG File Denial of Service
• 11.29.14 - Opera Web Browser Multiple Security Weaknesses
• 11.29.15 - IBM WebSphere MQ CDP Extension Revoked SSL Certificate Validation Security Bypass Vulnerability
• 11.29.16 - libsndfile PAF File Integer Overflow
• 11.29.17 - libvte9 "vte_sequence_handler_multiple()" Function Remote Denial of Service
• 11.29.18 - SAP MaxDB NULL Pointer Dereference Denial of Service

Web Application

• 11.29.19 - phpMyAdmin Multiple Remote Vulnerabilities
• 11.29.20 - DotNetNuke Multiple Security Bypass Vulnerabilities
• 11.29.21 - Ferdows CMS Cross-Site Scripting and Multiple SQL Injection Vulnerabilities

Network Device

• 11.29.22 - Cisco Content Services Gateway Malformed ICMP Messages Denial of Service
• 11.29.23 - D-Link DSL-2650U Remote Denial of Service
• 11.29.24 - Aruba Networks ArubaOS HTTP Response Splitting and HTML Injection Vulnerabilities
• 11.29.25 - Ingate Firewall and SIParator SIP Module Remote Denial of Service
• 11.29.26 - Symantec Web Gateway Management GUI SQL Injection Vulnerability

PART I Critical Vulnerabilities

PART I Critical Vulnerabilities Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/risk/#process

*************************************************************

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 25, 2011

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com) This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 11686 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely. ______________________________________________________________________

• 11.29.1 - CVE: CVE-2011-1265
• Platform: Windows
• Title: Microsoft Windows Bluetooth Stack Remote Code Execution
• Description: Bluetooth is an industry standard protocol that enables wireless connectivity for computers and other devices. The application is exposed to a remote code execution issue because the Bluetooth stack fails to adequately handle specially crafted Bluetooth packets. The issue affects the "bthport.sys" driver. Windows Vista SP1 and SP2, Windows 7 and Windows 7 SP1 are affected.
• Ref: http://www.microsoft.com/technet/security/Bulletin/MS11-053.mspx

• 11.29.2 - CVE: CVE-2011-1281, CVE-2011-1282, CVE-2011-1283,CVE-2011-1284, CVE-2011-1870
• Platform: Windows
• Title: Microsoft Windows CSRSS Multiple Local Privilege Escalation Vulnerabilities
• Description: Multiple local privilege escalation issues affect the Microsoft Windows Client/Server Runtime Subsystem (CSRSS) because it fails to sufficiently allocate memory when dealing with specific user transactions. Windows XP SP3 and x64 SP2, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 and Server 2008 SP2, Windows 7 and Windows 7 SP1, Windows Server 2008 R2 x64 and x64 SP1 are affected.
• Ref: http://www.microsoft.com/technet/security/bulletin/MS11-056.mspx

• 11.29.3 - CVE: CVE-2011-1874, CVE-2011-1875, CVE-2011-1876,CVE-2011-1877, CVE-2011-1878, CVE-2011-1879, CVE-2011-1880,CVE-2011-1881, CVE-2011-1882, CVE-2011-1883, CVE-2011-1884,CVE-2011-1885, CVE-2011-1886, CVE-2011-1887, CVE-2011-1888
• Platform: Windows
• Title: Microsoft Windows Kernel "Win32k.sys" Multiple Vulnerabilities
• Description: Microsoft Windows is exposed to multiple security issues that occur in the Windows kernel "Win32k.sys" kernel mode device driver. Multiple local privilege escalation issues are caused by a NULL pointer dereference error that occurs due to a failure to properly manage pointers to certain kernel driver objects. Multiple local privilege escalation issues occur because an use-after-free error occurs due to improper driver object management. A local information disclosure issue occurs because it fails to properly validate certain function parameters. Windows XP SP3 and x64 SP2, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 and Server 2008 SP2, Windows 7 and Windows 7 SP1, Windows Server 2008 R2 x64 and x64 SP1 are affected.
• Ref: http://www.microsoft.com/technet/security/bulletin/MS11-054.mspx

• 11.29.4 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: ESTsoft ALPlayer ".asx" File Buffer Overflow
• Description: ALPlayer is a media player available for Microsoft Windows. ALPlayer is exposed to a stack-based buffer overflow issue because it fails to perform adequate boundary checks on user-supplied input. Specifically, this issue occurs when opening a specially crafted ".asx" playlist file. ALPlayer 2.0 is vulnerable and other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/48583/discuss

• 11.29.5 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: Chilkat Crypt ActiveX Control "SaveDecrypted()" Insecure Method Vulnerability
• Description: Chikat Crypt ActiveX control is used to encrypt, hash, and sign data. The application is exposed to an issue caused by an insecure method that lets attackers overwrite files with arbitrary, attacker-controlled content. This issue occurs in the "SaveDecrypted()" method of the "ChilkatCrypt2.dll" ActiveX control. aTube Catcher version 2.3.570 is vulnerable and other versions may also be affected.
• Ref: http://www.securityfocus.com/archive/1/518740

• 5.0 - CVE: Not Available2005 is vulnerable and other versions may also be affected.
• Platform: Third Party Windows Apps
• Title: ZipWiz 2005 ".zip" File Buffer Overflow
• Description: ZipWiz 2005 is a file compression application. The application is exposed to a buffer overflow issue because it fails to perform adequate checks on user-supplied input. Specifically, this issue occurs when processing a specially crafted ".zip" file. ZipWiz
• Ref: http://www.securityfocus.com/bid/48624/discuss

• 11.29.7 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: Effective File Search (EFS) DLL Loading Arbitrary Code Execution
• Description: Effective File Search is a file search utility for Microsoft Windows. The application is exposed to a security issue because the application searches for the "ztvunrar36.dll" Dynamic Link Library in the current working directory. The issue can be exploited by placing both a specially crafted library file and a file that is associated with the vulnerable application in an attacker controlled location. Using the application to open a ".efs" file will cause the malicious library file to be executed. Effective File Search 6.7 is vulnerable and other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/48608/discuss

• 11.29.8 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: ZipItFree ".zip" File Buffer Overflow
• Description: ZipItFree is a file compression application. The application is exposed to a heap-based buffer overflow issue because it fails to perform adequate checks on user-supplied input. Specifically, this issue occurs when processing a specially crafted ".zip" file. ZipItFree 3.0 is vulnerable; other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/48629/discuss

• 11.29.9 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: Trend Micro Control Manager "CASProcessor.exe" BLOB Remote Code Execution
• Description: Trend Micro Control Manager is a Web-based management console. The application is exposed to a remote code execution issue. The issue affects the "En_Utility.dll" file when communicating with the "CASProcessor.exe" process through TCP port 20801. The issue occurs in the "HandleMcpRequest()" function when parsing a specially crafted packet with malformed BLOB encrypted data. Trend Micro Control Manager 5.0 and 5.5 are vulnerable and other versions may also be affected.
• Ref: http://esupport.trendmicro.com/solution/en-us/1058292.aspx

• 11.29.10 - CVE: Not Available
• Platform: Linux
• Title: Debian and Ubuntu foo2zjs Insecure Temporary File Creation Vulnerability
• Description: Foo2zjs is an open source printer driver for the ZjStream protocol. Foo2zjs creates "/tmp/foo2zjs" in an insecure manner. An attacker with local access could potentially exploit this issue to perform symbolic-link attacks, overwriting arbitrary files in the context of the affected application. Debian and Ubuntu are affected.
• Ref: http://www.securityfocus.com/bid/48586/discuss

• 11.29.11 - CVE: CVE-2011-2398
• Platform: HP-UX
• Title: HP-UX Dynamic Loader Unspecified Local Privilege Escalation
• Description: HP-UX Dynamic Loader is a Unix-based operating system. Dynamic Loader is exposed to an unspecified local privilege escalation issue. HP-UX B.11.11, B.11.23, and B.11.31 are vulnerable and other versions may also be affected.
• Ref: http://h20565.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c0
  2904002&ac.admitted=1310010561389.876444892.492883150

• 11.29.12 - CVE: CVE-2011-2516
• Platform: Cross Platform
• Title: Apache XML Security for C++ Signature Key Parsing Denial of Service
• Description: Apache XML Security for C++ is a library that implements the primary security standards for XML. The library is exposed to a denial of service issue. Specifically, the issue is caused by a buffer overflow condition when creating or verifying XML signatures with RSA keys of sizes in the order of 8192 bits or more. Attackers can exploit this issue through overly long keys and cause the application to deny service. Apache XML Security for C++ versions prior to 1.6.1 are affected.
• Ref: http://santuario.apache.org/secadv/CVE-2011-2516.txt

• 11.29.13 - CVE: Not Available
• Platform: Cross Platform
• Title: libpng PNG File Denial of Service
• Description: The "libpng" library is a PNG reference library. The application is exposed to a remote denial of service issue because it fails to properly handle a sCAL chunk. Specifically, the issue occurs when processing specially crafted PNG files. libpng versions 1.5.x before 1.5.4, 1.4.x before 1.4.8, 1.2.x before 1.2.45 and 1.0.x before 1.0.55 are affected.
• Ref: http://www.kb.cert.org/vuls/id/819894

• 11.29.14 - CVE: CVE-2011-2634
• Platform: Cross Platform
• Title: Opera Web Browser Multiple Security Weaknesses
• Description: Opera is a Web browser application. The application is exposed to multiple security weaknesses that may allow unspecified third party applications to hijack searches and customizations. Opera versions prior to 11.10 are vulnerable.
• Ref: http://www.opera.com/docs/changelogs/windows/1110/ http://www.opera.com/docs/changelogs/unix/1110/ http://www.opera.com/docs/changelogs/mac/1110/

• 11.29.15 - CVE: CVE-2011-1224
• Platform: Cross Platform
• Title: IBM WebSphere MQ CDP Extension Revoked SSL Certificate Validation Security Bypass Vulnerability
• Description: IBM WebSphere MQ is a commercially available messaging engine for enterprises. The application is exposed to a security bypass issue that occurs because it fails to use the CRL Distribution Points certificate extension which results in improper validation of revoked SSL certificates. Versions prior to WebSphere MQ 6.0.2.11 and 7.0.1.5 are vulnerable.
• Ref: http://www-01.ibm.com/support/docview.wss?uid=swg27014224 http://www-01.ibm.com/support/docview.wss?uid=swg27007069

• 11.29.16 - CVE: Not Available
• Platform: Cross Platform
• Title: libsndfile PAF File Integer Overflow
• Description: The "libsndfile" library is used for reading and writing audio files. The application is exposed to an integer overflow issue because it fails to perform adequate boundary checks on user-supplied data. Specifically, this issue occurs within the "paf24_init()" function of the "src/paf.c" source file when parsing specially crafted "PAF" (Paris Audio) files. libsndfile 1.0.24 is vulnerable and other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/48644/discuss

• 11.29.17 - CVE: CVE-2011-2198
• Platform: Cross Platform
• Title: libvte9 "vte_sequence_handler_multiple()" Function Remote Denial of Service
• Description: The VTE library provides a terminal emulator widget (VteTerminal) for applications using the GTK+ toolkit. The library is exposed to a remote denial of service issue. Specifically, the issue occurs because the library fails to sanitize user-supplied input that has been submitted to the "insert-blank-characters" capability (defined in "caps.c"). The issue affects the "vte_sequence_handler_multiple()" function of the "vteseq.c" source file. libvte9 1:0.24.3-2 is vulnerable and other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/48645/discuss

• 11.29.18 - CVE: Not Available
• Platform: Cross Platform
• Title: SAP MaxDB NULL Pointer Dereference Denial of Service
• Description: SAP MaxDB is a database application available for multiple platforms. The application is exposed to a denial of service issue. Specifically, the issue occurs due to a NULL pointer dereference error in the "DBTech-MAXDB" service (kernel.exe) when processing specially crafted login handshake packets. SAP MaxDB 7.8.01.18 is vulnerable; other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/48646/discuss

• 11.29.19 - CVE: CVE-2011-2508,CVE-2011-2507,CVE-2011-2506,CVE-2011-2505
• Platform: Web Application
• Title: phpMyAdmin Multiple Remote Vulnerabilities
• Description: phpMyAdmin is a PHP-based Web application. The application is exposed to multiple issues. An arbitrary PHP code execution issue occurs due to an error in the "Swekey_login()" function of the "libraries/auth/swekey/swekey.auth.lib.php" script. An arbitrary PHP code execution issue occurs because the application fails to properly sanitize user-supplied input passed to the "PMA_createTargetTables()" function of the "libraries/server_synchronize.lib.php" script. A local file include issue occurs because the application fails to properly sanitize user-supplied input passed to the "PMA_displayTableBody()" function of the "libraries/display_tbl.lib.php" script. A PHP code injection is possible in the setup scripts if the session variables are overwritten. phpMyAdmin versions prior to 3.3.10.2 and 3.4.3.1 are vulnerable.
• Ref: http://www.phpmyadmin.net/home_page/security/PMASA-2011-5.php http://www.phpmyadmin.net/home_page/security/PMASA-2011-6.php http://www.phpmyadmin.net/home_page/security/PMASA-2011-7.php http://www.phpmyadmin.net/home_page/security/PMASA-2011-8.php

• 11.29.20 - CVE: Not Available
• Platform: Web Application
• Title: DotNetNuke Multiple Security Bypass Vulnerabilities
• Description: DotNetNuke is an open source framework for creating and deploying web sites. The application is exposed to multiple security bypass issues. A security bypass issue occurs due to an error in the "soft-delete" function. An attacker can exploit this issue to undelete a user by re-registering with the same credentials. A security bypass issue occurs due to an error when validating user permissions in certain management functions. A security bypass issue occurs due to an error when verifying uploaded files. A security bypass issue occurs due to an error when granting edit permissions for a webpage or a module. Versions prior to DotNetNuke 5.6.3 are vulnerable.
• Ref: http://www.securityfocus.com/bid/48584/discuss

• 11.29.21 - CVE: Not Available
• Platform: Web Application
• Title: Ferdows CMS Cross-Site Scripting and Multiple SQL Injection Vulnerabilities
• Description: Ferdows CMS is a web-based application implemented in ASP.NET. Ferdows CMS is exposed to multiple issues. A cross-site scripting issue affects the "dataid" parameter of the "showdata.aspx" script. The application is also exposed to Multiple SQL injection issues. Ferdows CMS Pro 1.1.0 and Ferdows CMS 9.0.5 are affected.
• Ref: http://www.securityfocus.com/bid/48640/discuss

• 11.29.22 - CVE: CVE-2011-2064
• Platform: Network Device
• Title: Cisco Content Services Gateway Malformed ICMP Messages Denial of Service
• Description: Cisco Content Services Gateway is a device used to monitor network use. Cisco Content Services Gateway is exposed to a denial of service issue when handling specially crafted ICMP messages. Second Generation of Content Services Gateway is affected.
• Ref: http://www.cisco.com/en/US/products/products_security_advisory09186a0080b86503.s
  html

• 11.29.23 - CVE: Not Available
• Platform: Network Device
• Title: D-Link DSL-2650U Remote Denial of Service
• Description: The D-Link DSL-2650U is an ADSL router with an 802.11g wireless access point. The Web server running on the device is exposed to a remote denial of service issue. The issue occurs due to the improper handling of an overly large string provided to the "diagPrev" parameter of the "diagpppoe.cgi" script. D-Link DSL-2650U 1.20 is affected; other versions may also be vulnerable.
• Ref: http://www.securityfocus.com/bid/48612/discuss

• 11.29.24 - CVE: Not Available
• Platform: Network Device
• Title: Aruba Networks ArubaOS HTTP Response Splitting and HTML Injection Vulnerabilities
• Description: ArubaOS is an operating system used by various Aruba Networks network devices, including the Aruba Mobility Controller. Aruba Networks ArubaOS is exposed to multiple input validation issues. An HTML injection issue affects the reporting feature of ArubaOS and AirWave Administration WebUIs. An HTTP response splitting issue affects the Captive Portal Web Interface. ArubaOS 3.3.X, 3.4.X, 5.0.X, 6.0.X, 2.4.X-FIPS, 3.3.X-FIPS, 3.4.X-FIPS and AirWave 7.2.X are affected.
• Ref: http://www.securityfocus.com/archive/1/518751

• 11.29.25 - CVE: Not Available
• Platform: Network Device
• Title: Ingate Firewall and SIParator SIP Module Remote Denial of Service
• Description: Ingate Firewalls are hardware firewall devices that support Session Initiation Protocol (SIP) via SIParator SIP-based communication devices. Ingate Firewall and SIParator are exposed to a denial of service issue. The issue occurs when processing SIP requests that contain multiple Transport Layer Security destinations. Ingate SIParator 4.9.1 and prior are affected.
• Ref: http://www.ingate.com/Relnote.php?ver=492

• 11.29.26 - CVE: CVE-2011-0549
• Platform: Network Device
• Title: Symantec Web Gateway Management GUI SQL Injection Vulnerability
• Description: Symantec Web Gateway is a web security gateway appliance. The device is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data passed to the management GUI. Versions prior to Symantec Web Gateway 5.0.1 are vulnerable.
• Ref: http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fi
  d=security_advisory&pvid=security_advisory&year=2011&suid=20110707_0
  0

(c) 2011. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account