@RISK: The Consensus Security Vulnerability Alert

Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys

• (1) HIGH: RockWell FactoryTalk Memory Corruption Vulnerability

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

Third Party Windows Apps

• 11.32.1 - Ipswitch WhatsUp Gold SNMP Response Denial Of Service
• 11.32.2 - ICQ "MUIMessage.dll" File Transfer Denial of Service
• 11.32.3 - AzeoTech DAQFactory Denial of Service
• 11.32.4 - Rockwell Automation FactoryTalk Diagnostics Viewer ".ftd" File Remote Code Execution

Linux

• 11.32.5 - Cisco TelePresence Recording Server Default Root Credentials Authentication Bypass

Unix

• 11.32.6 - SCO UnixWare License Policy Manager Daemon "sco_pmd" Unspecified Denial of Service

Cross Platform

• 11.32.7 - EMC Data Protection Advisor Account Credentials Local Information Disclosure
• 11.32.8 - HP SiteScope Unspecified Cross-Site Scripting Vulnerability
• 11.32.9 - HP OpenView Storage Data Protector Denial of Service
• 11.32.10 - HP Network Automation Unspecified Cross-Site Scripting and SQL Injection Vulnerabilities
• 11.32.11 - Libsoup SoupServer Directory Traversal
• 11.32.12 - FlexNet License Server Manager "lmadmin" Component Heap Buffer Overflow Vulnerability
• 11.32.13 - ManageEngine ServiceDesk Plus Multiple HTML Injection Vulnerabilities
• 11.32.14 - Sybase Products Multiple Unspecified Vulnerabilities
• 11.32.15 - IBM Lotus Symphony Multiple Denial of Service Vulnerabilities and Unspecified Vulnerabilities
• 11.32.16 - ActFax Server "USER" Command Remote Buffer Overflow Vulnerability
• 11.32.17 - Skype Facebook Plugin Multiple Cross-Site Scripting Vulnerabilities
• 11.32.18 - Google Chrome Multiple Security Vulnerabilities

Web Application - Cross Site Scripting

• 11.32.19 - Samba SWAT Cross-Site Request Forgery Vulnerability
• 11.32.20 - SEO Panel Multiple Cross-Site Scripting Vulnerabilities
• 11.32.21 - Ecava IntegraXor Multiple Cross-Site Scripting Vulnerabilities

Web Application

• 11.32.22 - MyWebServer dot Character Remote Script File Disclosure
• 11.32.23 - CFTP Insecure Cookie Authentication Bypass Vulnerability
• 11.32.24 - Group-Office Command Injection and SQL Injection Vulnerabilities
• 11.32.25 - ZoneMinder "view" Parameter Local File Include Vulnerability

Network Device

• 11.32.26 - Avaya Secure Access Link Gateway Invalid Domain Servers Information Disclosure Vulnerability

Hardware

• 11.32.27 - Google Search Appliance Unspecified Cross-Site Scripting

PART I Critical Vulnerabilities

PART I Critical Vulnerabilities Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/risk/#process

*************************************************************

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 28, 2011

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com) This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 11938 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely. ______________________________________________________________________

• 11.32.1 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: Ipswitch WhatsUp Gold SNMP Response Denial Of Service
• Description: Ipswitch WhatsUp Gold is a network monitoring and management solution. Ipswitch WhatsUp Gold is exposed to a denial of service issue. Specifically, an attacker can crash the "Discovery Service" by sending crafted SNMP responses during the discovery process. Ipswitch WhatsUp Gold versions prior to 14.4.1 are affected.
• Ref: http://docs.ipswitch.com/NM/82_WhatsUp%20Gold%20v14.4/01_Release%20Notes/14.4.1/
  index.htm

• 11.32.2 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: ICQ "MUIMessage.dll" File Transfer Denial of Service
• Description: ICQ is an instant messaging client. ICQ is exposed to a remote denial of service issue. This issue affects the "MUIMessage.dll" file and arises when handling specially crafted files received through the "File Transfer" functionality of the application. ICQ 7.5 is vulnerable; other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/48943/references

• 11.32.3 - CVE: CVE-2011-2956
• Platform: Third Party Windows Apps
• Title: AzeoTech DAQFactory Denial of Service
• Description: AzeoTech DAQFactory is data acquisition and control application. The application is exposed to a denial of service issue because it fails to perform authentication for certain signals. Versions prior to DAQFactory 5.85 are affected.
• Ref: http://www.securityfocus.com/bid/48955/discuss

• 11.32.4 - CVE: CVE-2011-2957
• Platform: Third Party Windows Apps
• Title: Rockwell Automation FactoryTalk Diagnostics Viewer ".ftd" File Remote Code Execution
• Description: FactoryTalk Diagnostics Viewer is a part of FactoryTalk Services Platform that provides diagnosis solutions to the products on the platform. The application is exposed to a remote code execution issue. This issue occurs because of an unspecified memory corruption issue which is triggered when processing a specially crafted configuration (".ftd") file. Versions prior to FactoryTalk Diagnostics Viewer 2.30.00 are affected.
• Ref: http://www.securityfocus.com/bid/48962/references

• 11.32.5 - CVE: CVE-2011-2555
• Platform: Linux
• Title: Cisco TelePresence Recording Server Default Root Credentials Authentication Bypass
• Description: Cisco TelePresence Recording Server is an application for remote communication. The application is exposed to a remote authentication bypass issue. Cisco TelePresence Recording Server Software Release 1.7.2 is affected.
• Ref: http://www.cisco.com/warp/public/707/cisco-sa-20110729-tp.shtml

• 11.32.6 - CVE: Not Available
• Platform: Unix
• Title: SCO UnixWare License Policy Manager Daemon "sco_pmd" Unspecified Denial of Service
• Description: UnixWare is a UNIX operating system maintained by SCO Group. UnixWare is exposed to a denial of service issue caused by an unspecified error in the License Policy Manager Daemon "sco_pmd". UnixWare 7.1.4 is vulnerable and other versions may also be affected.
• Ref: ftp://ftp.sco.com/pub/unixware7/714/security/p535239a_uw7/p535239a_uw7.txt

• 11.32.7 - CVE: CVE-2011-1742
• Platform: Cross Platform
• Title: EMC Data Protection Advisor Account Credentials Local Information Disclosure
• Description: EMC Data Protection Advisor manages data protection environments. The application is exposed to a local information disclosure issue. Specifically, this issue occurs because under certain circumstances, the configuration file of the application discloses the sensitive account credentials in plain text form. Versions prior to EMC Data Protection Advisor 5.8.1 are affected.
• Ref: http://www.securityfocus.com/archive/1/519012

• 11.32.8 - CVE: CVE-2011-2400
• Platform: Cross Platform
• Title: HP SiteScope Unspecified Cross-Site Scripting Vulnerability
• Description: HP SiteScope is an agent-less monitoring application. The application is exposed to an unspecified cross-site scripting issue because it fails to properly sanitize user-supplied input before using it in dynamically generated content. HP SiteScope versions 11.x, 10.x, 9.x, and prior are affected.
• Ref: http://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c0
  2940969&ac.admitted=1311850160211.876444892.199480143

• 11.32.9 - CVE: CVE-2011-2399
• Platform: Cross Platform
• Title: HP OpenView Storage Data Protector Denial of Service
• Description: HP OpenView Storage Data Protector is a commercial data management product for backup and recovery operations. The application is exposed to a remote denial of service issue. Specifically, this issue affects the media management daemon component. HP OpenView Storage Data Protector versions 6.0, 6.10, and 6.11 are affected.
• Ref: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02940981

• 11.32.10 - CVE: CVE-2011-2402,CVE-2011-2403
• Platform: Cross Platform
• Title: HP Network Automation Unspecified Cross-Site Scripting and SQL Injection Vulnerabilities
• Description: HP Network Automation is an application for managing network data. The application is exposed to multiple issues. An unspecified cross-site scripting issue is caused by a failure to properly sanitize user-supplied input. An SQL injection issue is caused by a failure to properly sanitize user-supplied input before using it in an SQL query. HP Network Automation versions 7.2x, v7.5x, v7.6x, v9.0 and v9.10 are affected.
• Ref: http://www.securityfocus.com/archive/1/519054

• 11.32.11 - CVE: CVE-2011-2524
• Platform: Cross Platform
• Title: Libsoup SoupServer Directory Traversal
• Description: Libsoup is an HTTP client server library for GNOME. The application is exposed to a directory traversal issue because it fails to sufficiently sanitize user-supplied input. The problem affects the "SoupServer" component and can be exploited by sending a specially crafted URI request containing directory traversal strings to the affected server. libsoup 2.4 is vulnerable and other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/48926/discuss

• 11.32.12 - CVE: Not Available
• Platform: Cross Platform
• Title: FlexNet License Server Manager "lmadmin" Component Heap Buffer Overflow Vulnerability
• Description: FlexNet License Server Manager is a license management application. The application is exposed to a remote heap-based buffer overflow issue that affects the "lmadmin" component when handling packets that include opcode 0x2f. Specifically, the application fails to perform adequate boundary checks on user-supplied data before copying it into a fixed size buffer. All versions of FlexNet License Server Manager are affected.
• Ref: http://www.securityfocus.com/archive/1/519060

• 11.32.13 - CVE: Not Available
• Platform: Cross Platform
• Title: ManageEngine ServiceDesk Plus Multiple HTML Injection Vulnerabilities
• Description: ManageEngine ServiceDesk Plus is a helpdesk application that is available for Windows and Linux. The application is exposed to multiple HTML injection issues because it fails to properly sanitize user supplied input passed to the following scripts and parameters: "SetUpWizard.do":"Name", "SiteDef.do":"Site name", "GroupResourcesDef.do":"Group Name", "LicenseAgreement.do":"Agreement Number", "ManualNodeAddition.do":"Name". ManageEngine ServiceDesk Plus 8.0 is vulnerable; other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/48928/discuss

• 11.32.14 - CVE: Not Available
• Platform: Cross Platform
• Title: Sybase Products Multiple Unspecified Vulnerabilities
• Description: Multiple Sybase products are exposed to multiple unspecified issues. An unspecified error occurs in the Open Server component when handling Tabular Data Stream packets. An unspecified error occurs in the Open Server component when handling certain login packets. Sybase Adaptive Server Enterprise 15, Sybase EAServer 6, Sybase ECDA 15, Sybase MFC/DC 15, Sybase OpenSwitch 15, Sybase Replication Server 15 are affected.
• Ref: http://www.sybase.com/detail?id=1094235

• 11.32.15 - CVE:CVE-2011-2893,CVE-2011-2888,CVE-2011-2887,CVE-2011-2886,CVE-2011-2885CVE-2011-2884
• Platform: Cross Platform
• Title: IBM Lotus Symphony Multiple Denial of Service Vulnerabilities and Unspecified Vulnerabilities
• Description: IBM Lotus Symphony is productivity software that contains three applications: Lotus Symphony Documents, Lotus Symphony Spreadsheets, and Lotus Symphony Presentations. IBM Lotus Symphony is exposed to multiple unspecified issues (CVE-2011-2884) and multiple denial of service issues (CVE-2011-2885, CVE-2011-2886). IBM Lotus Symphony 3 versions prior to Fix Pack 3 are affected.
• Ref: http://www.securityfocus.com/bid/48936/references

• 11.32.16 - CVE: Not Available
• Platform: Cross Platform
• Title: ActFax Server "USER" Command Remote Buffer Overflow Vulnerability
• Description: ActFax is a fax server for Windows and Unix. The application is exposed to a remote buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data. This issue occurs when handling a specially crafted "USER" command. ActFax versions 4.27 and prior are affected.
• Ref: http://www.securityfocus.com/bid/48947/references

• 11.32.17 - CVE: Not Available
• Platform: Cross Platform
• Title: Skype Facebook Plugin Multiple Cross-Site Scripting Vulnerabilities
• Description: Skype is peer-to-peer communications software that supports internet-based voice communications. Skype is exposed to multiple cross-site scripting issues in the facebook plugin because the application fails to sanitize user-supplied input to the "comment" and "wall posting" fields. Versions prior to Skype 5.5 are affected.
• Ref: http://www.securityfocus.com/bid/48950/references

• 11.32.18 - CVE:CVE-2011-2819,CVE-2011-2818,CVE-2011-2805,CVE-2011-2804,CVE-2011-2803CVE-2011-2802,CVE-2011-2801,CVE-2011-2800,CVE-2011-2799,CVE-2011-2798CVE-2011-2797,CVE-2011-2796,CVE-2011-2795,CVE-2011-2794,CVE-2011-2793CVE-2011-2792,CVE-2011-2791,CVE-2011-2790,CV
• Platform: Cross Platform
• Title: Google Chrome Multiple Security Vulnerabilities
• Description: Google Chrome is a web browser for multiple platforms. The application is exposed to multiple security issues. See reference for further details. Versions prior to Chrome 13.0.782.107 are affected.
• Ref: http://googlechromereleases.blogspot.com/2011/08/stable-channel-update.html

• 11.32.19 - CVE: CVE-2011-2522
• Platform: Web Application - Cross Site Scripting
• Title: Samba SWAT Cross-Site Request Forgery Vulnerability
• Description: SAMBA SWAT (Samba Web Administration Tool) is an administration tool for Samba. SAMBA SWAT is exposed to multiple cross-site request forgery issues. These issues can be exploited by manipulating the following parameters: "smbd_start", "smbd_stop", "smbd_restart", "nmbd_start", "nmbd_stop", "nmbd_restart". SAMBA SWAT 3.0 through 3.5.9 are affected.
• Ref: http://www.samba.org/samba/security/CVE-2011-2522

• 11.32.20 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: SEO Panel Multiple Cross-Site Scripting Vulnerabilities
• Description: SEO Panel is a search engine optimization tool implemented in PHP. The application is exposed to multiple cross-site scripting issues because it fails to properly sanitize user-supplied input submitted to multiple scripts and parameters. SEO Panel 3.0.0 is vulnerable; other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/48933/references

• 11.32.21 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: Ecava IntegraXor Multiple Cross-Site Scripting Vulnerabilities
• Description: Ecava IntegraXor is web-based HMI/SCADA software. The application is exposed to multiple cross-site scripting issues because it fails to properly sanitize user-supplied input. Ecava IntegraXor versions prior to 3.60.4080 are affected.
• Ref: http://www.securityfocus.com/bid/48958/references

• 11.32.22 - CVE: Not Available
• Platform: Web Application
• Title: MyWebServer dot Character Remote Script File Disclosure
• Description: MyWebServer is a peer-to-peer web, file and application server. The application is exposed to a file disclosure issue because it fails to properly sanitize user-supplied input. Specifically, an attacker can obtain the source code of a file by providing a dot "." or "%20" character at the end of the filename in an HTTP request. MyWebServer 1.0.3 is vulnerable; other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/48921/references

• 11.32.23 - CVE: Not Available
• Platform: Web Application
• Title: CFTP Insecure Cookie Authentication Bypass Vulnerability
• Description: CFTP is a web-based application implemented in PHP. The application is exposed to an authentication bypass issue because it fails to adequately verify user-supplied input used for cookie-based authentication. Specifically, attackers can gain administrative access to the application by setting the "access" cookie parameter to "admin" and "userlevel" cookie parameter to "9". cFTP r80 is vulnerable; other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/48931/discuss

• 11.32.24 - CVE: Not Available
• Platform: Web Application
• Title: Group-Office Command Injection and SQL Injection Vulnerabilities
• Description: Group-Office is a PHP-based content manager. The application is exposed to an SQL injection issue and a command injection issue because it fails to properly sanitize user-supplied input to unspecified parameters and scripts. Versions prior to Group-Office 3.7.25 are affected.
• Ref: http://www.securityfocus.com/bid/48941/references

• 11.32.25 - CVE: Not Available
• Platform: Web Application
• Title: ZoneMinder "view" Parameter Local File Include Vulnerability
• Description: ZoneMinder is a freely available application designed to control and record video from security cameras. It contains a web-based administrative application implemented in PHP. The application is exposed to a local file include issue because it fails to properly sanitize user supplied-input submitted to the "view" parameter in the "web/index.php" script. Versions prior to ZoneMinder 1.24.4 are affected.
• Ref: http://www.securityfocus.com/bid/48949/references

• 11.32.26 - CVE: Not Available
• Platform: Network Device
• Title: Avaya Secure Access Link Gateway Invalid Domain Servers Information Disclosure Vulnerability
• Description: Avaya Secure Access Link is a gateway that provides security solutions for remote access management. The application is exposed to an information disclosure issue. Specifically, by default the application incorrectly points the Secondary Core Server URL and the Remote Server URL to "secavaya.com" and "secaxeda.com" respectively; these domains are invalid. This can result in the application sending sensitive information such as alarms or logs to the email addresses of these invalid domain severs. Secure Access Link 1.5, 1.8, and 2.0 are affected.
• Ref: http://support.avaya.com/css/P8/documents/100140483

• 11.32.27 - CVE: CVE-2011-1339
• Platform: Hardware
• Title: Google Search Appliance Unspecified Cross-Site Scripting
• Description: Google Search Appliance is a commercial search device produced by Google. Google Search Appliance is exposed to a cross-site scripting issue because it fails to properly sanitize certain unspecified user-supplied input. Versions prior to Google Search Appliance 5.0 are affected.
• Ref: http://www.securityfocus.com/bid/48957/discuss

(c) 2011. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account