@RISK: The Consensus Security Vulnerability Alert

Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys

• (1) HIGH: Mozilla Firefox Multiple Vulnerabilities
• (2) MEDIUM: Check Point SSL VPN On-Demand Applications Design Flaw
• (3) MEDIUM: RealNetworks RealPlayer Multiple Security Vulnerabilities
• (4) MEDIUM: MPlayer Buffer Overflow Vulnerability

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

Windows

• 11.34.1 - Microsoft Windows DHCPv6 Packets Remote Denial of Service

Other Microsoft Products

• 11.34.2 - Microsoft Internet Explorer 9 "Iedvtool.dll" Malformed HTML Denial of Service

Third Party Windows Apps

• 11.34.3 - BisonFTP Server Remote Buffer Overflow
• 11.34.4 - TeeChart Professional ActiveX Remote Integer Overflow
• 11.34.5 - MPlayer SAMI Subtitle File Buffer Overflow
• 11.34.6 - F-Secure BlackList Local Privilege Escalation

Linux

• 11.34.7 - Torque Server Security Bypass
• 11.34.8 - ktsuss Local Security Bypass and Arbitrary Code Execution Vulnerabilities

Unix

• 11.34.9 - Apache Commons Daemon "jsvc" Information Disclosure

Cross Platform

• 11.34.10 - HP ProLiant SL Advanced Power Manager Unspecified Remote Security Bypass
• 11.34.11 - Symantec Endpoint Protection Cross-Site Request Forgery Vulnerabilities
• 11.34.12 - ISC DHCP Multiple Denial of Service Vulnerabilities
• 11.34.13 - VMware vFabric tc Server JMX Authentication Security Bypass
• 11.34.14 - Ruby Random Number Values Security Weakness
• 11.34.15 - Apple QuickTime PICT File Stack Buffer Overflow
• 11.34.16 - Xen DMA Requests IOMMU Denial of Service
• 11.34.17 - Apache Tomcat Information Disclosure Vulnerability
• 11.34.18 - GIMP GIF Image Parsing "LZWReadByte()" Buffer Overflow
• 11.34.19 - Mozilla Firefox/Thunderbird/SeaMonkey Multiple Vulnerabilities
• 11.34.20 - Real Networks RealPlayer Multiple Remote Vulnerabilities

Web Application - Cross Site Scripting

• 11.34.21 - Plone "type_name" Parameter Cross-Site Scripting

Web Application - SQL Injection

• 11.34.22 - Mambo CMS "zorder" Parameter SQL Injection
• 11.34.23 - Contrexx Shopsystem Module "productId" Parameter SQL Injection
• 11.34.24 - Curverider Elgg "index.php" Multiple SQL Injection Vulnerabilities

Web Application

• 11.34.25 - Aimluck Products Aipo and Aipo ASP Unspecified SQL Injection

Hardware

• 11.34.26 - Multiple Sagem F@st Routers Authentication Bypass

PART I Critical Vulnerabilities

PART I Critical Vulnerabilities Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/risk/#process

*************************************************************

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 30, 2011

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com) This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 12068 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely. ______________________________________________________________________

• 11.34.1 - CVE: Not Available
• Platform: Windows
• Title: Microsoft Windows DHCPv6 Packets Remote Denial of Service
• Description: Microsoft Windows is exposed to a remote denial of service issue. The issue has been found to occur on reception of DHCPv6 Reply (message type 7) packets, containing the option "Domain Search List" (option type 24) with an empty domain. Attacker can exploit this issue by specially crafted DHCPv6 packets. Microsoft Windows 7 is affected.
• Ref: http://www.securityfocus.com/archive/1/519297

• 11.34.2 - CVE: Not Available
• Platform: Other Microsoft Products
• Title: Microsoft Internet Explorer 9 "Iedvtool.dll" Malformed HTML Denial of Service
• Description: Microsoft Internet Explorer is a browser available for the Windows platform. The browser is exposed to a remote denial of service issue. This issue occurs because of a NULL pointer deference error in the "Iedvtool.dll" file, when parsing malformed HTML pages. The issue affects Internet Explorer 9 and other versions may also be vulnerable.
• Ref: http://www.evilcode.com.ar/index.php/advisories/internet-explore-iedvtool-dll-ma
  lformed-html-null-pointer-dereference-vulnerability.html

• 11.34.3 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: BisonFTP Server Remote Buffer Overflow
• Description: BisonFTP Server is an FTP server application. The application is exposed to a remote buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data. Specifically, the issue occurs when an overly large string is sent to the application. BisonFTP Server versions 3.5 and prior are affected.
• Ref: http://www.securityfocus.com/bid/49109/references

• 11.34.4 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: TeeChart Professional ActiveX Remote Integer Overflow
• Description: TeeChart Professional is an ActiveX control for charting and graphing data. TeeChart Professional is exposed to an integer overflow issue because it fails to perform adequate boundary checks on user-supplied data. Specifically, the issue occurs in the "AddSeries()" method of the "TeeChart2010.ocx" ActiveX control. All versions of TeeChart are affected.
• Ref: http://www.securityfocus.com/bid/49125/references

• 11.34.5 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: MPlayer SAMI Subtitle File Buffer Overflow
• Description: MPlayer is a multimedia player available for Microsoft Windows. The application is exposed to a buffer overflow issue because it fails to perform adequate boundary checks on user supplied data. This issue occurs in the "sub_read_line_sami()" function of the "subreader.c" source file when handling a specially crafted SAMI subtitle file. Versions prior to MPlayer 33471 are affected.
• Ref: http://www.securityfocus.com/bid/49149/references

• 11.34.6 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: F-Secure BlackList Local Privilege Escalation
• Description: F-Secure BlackList is a security product used to detect hidden files, folders and processes in Microsoft Windows. The application is exposed to a local privilege escalation issue. Specifically, the issue occurs due to the improper permissions for the "fsbl.exe" file, with the "C" flag set for "Everyone" group. F-Secure BlackLight 2.2.1092 is vulnerable and other versions may also be affected.
• Ref: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5038.php

• 11.34.7 - CVE: CVE-2011-2907
• Platform: Linux
• Title: Torque Server Security Bypass
• Description: Torque is an open source resource manager. The application is exposed to a security bypass issue. Specifically, the issue exists because the Torque server relies on data provided by the "qsub" client during authorization. Torque 3.0.1 is affected.
• Ref: http://www.clusterresources.com/pipermail/torqueusers/2011-August/013194.html

• 11.34.8 - CVE: Not Available
• Platform: Linux
• Title: ktsuss Local Security Bypass and Arbitrary Code Execution Vulnerabilities
• Description: ktsuss is a graphical version of "su" written in C language. The application is exposed to multiple issues. A local security bypass issue occurs because ktsuss fails to change the effective UID back to the real UID when the target UID is same as the real UID. An arbitrary code execution issue occurs because the GTK interface, executed by the setuid ktsuss binary, runs with root privileges and allows arbitrary code execution via "GTK_MODULES" environmental variable. ktsuss 1.3 and 1.4 are vulnerable and other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/49151/info

• 11.34.9 - CVE: CVE-2011-2729
• Platform: Unix
• Title: Apache Commons Daemon "jsvc" Information Disclosure
• Description: Apache Commons Daemon provides Java based daemons or services. "Jsvc" is a part of the Commons Daemon that contains a set of libraries and applications for making Java applications run on UNIX. Apache Commons Daemon is exposed to a remote information disclosure issue. This issue occurs because the "jsvc" library fails to drop privileges, which allows applications using the affected library to gain access to files and directories owned by the superuser. Versions prior to Commons Daemon 1.0.7 are vulnerable. Tomcat 7.0.0 through 7.0.19, Tomcat 6.0.30 through 6.0.32 and Tomcat 5.5.32 through 5.5.33 are affected.
• Ref: http://www.securityfocus.com/bid/49143/references

• 11.34.10 - CVE: CVE-2011-2405
• Platform: Cross Platform
• Title: HP ProLiant SL Advanced Power Manager Unspecified Remote Security Bypass
• Description: HP ProLiant SL Advanced Power Manager provides power management capabilities for the HP ProLiant SL Scalable System. The application is exposed to an unspecified security bypass issue that can be exploited to incorrectly validate a user. HP ProLiant SL Advanced Power Manager versions 1.10 and 1.11 are affected.
• Ref: http://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c0
  2950841&ac.admitted=1313030969991.876444892.199480143

• 11.34.11 - CVE: CVE-2011-0551
• Platform: Cross Platform
• Title: Symantec Endpoint Protection Cross-Site Request Forgery Vulnerabilities
• Description: Symantec Endpoint Protection is a security application. The application is exposed to an unspecified cross-site request forgery issue and an unspecified cross-site scripting issue because it does not properly validate user-supplied requests. Specifically, these issues affect the Web Console. Symantec Endpoint Protection 11.0 RU6(11.0.600x), Symantec Endpoint Protection 11.0 RU6-MP1(11.0.6100), Symantec Endpoint Protection 11.0 RU6-MP2(11.0.6200) and Symantec Endpoint Protection 11.0 RU6-MP3(11.0.6300) are affected.
• Ref: http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fi
  d=security_advisory&pvid=security_advisory&year=2011&suid=20110810_0
  0

• 11.34.12 - CVE: CVE-2011-2749,CVE-2011-2748
• Platform: Cross Platform
• Title: ISC DHCP Multiple Denial of Service Vulnerabilities
• Description: ISC DHCP is a reference implementation of the DHCP protocol and includes a DHCP server, client and relay agent. The application is exposed to multiple denial of service issues. Specifically, the application crashes when processing certain types of packets. Versions prior to 4.2.2, versions prior to 4.1-ESV-R3 and versions prior to 3.1-ESV-R3 are affected.
• Ref: http://www.securityfocus.com/bid/49120/references

• 11.34.13 - CVE: CVE-2011-0527
• Platform: Cross Platform
• Title: VMware vFabric tc Server JMX Authentication Security Bypass
• Description: The VMware vFabric tc Server is a Java-based Web server. The application is exposed to a security bypass issue because of an error in the JMX authentication implementation. Exploitation of the issue allows attackers to authenticate using a password either in plain text form or obfuscated form, which bypasses the benefit of obfuscation. VMware vFabric tc Server versions 2.0.0 through 2.0.5, SR01 and 2.1.0.through 2.1.1.SR01 are affected.
• Ref: http://www.springsource.com/security/cve-2011-0527

• 11.34.14 - CVE: CVE-2011-3009
• Platform: Cross Platform
• Title: Ruby Random Number Values Security Weakness
• Description: Ruby is an object oriented scripting language. Ruby is exposed to a security weakness because it fails to reset the random seed upon forking. Versions prior to Ruby 1.8.6-p114 are vulnerable.
• Ref: http://redmine.ruby-lang.org/issues/show/4338

• 11.34.15 - CVE: CVE-2011-0257
• Platform: Cross Platform
• Title: Apple QuickTime PICT File Stack Buffer Overflow
• Description: Apple QuickTime is a media player that supports multiple file formats. The application is exposed to a stack-based buffer overflow issue because of a failure to properly bounds check user supplied data. The problem occurs because of a signedness error when handling the PICT files. Versions prior to QuickTime 7.7 are affected.
• Ref: http://support.apple.com/kb/HT4826

• 11.34.16 - CVE: CVE-2011-3131
• Platform: Cross Platform
• Title: Xen DMA Requests IOMMU Denial of Service
• Description: Xen is an application used for monitoring hypervisors and virtual machines. Xen is exposed to a denial of service issue. This issue occurs when Xen processes bogus DMA requests to PCI/PCIE devices under direct control of the virtual machine. Xen 3.x and 4.x are affected.
• Ref: http://www.securityfocus.com/bid/49146/references

• 11.34.17 - CVE: CVE-2011-2481
• Platform: Cross Platform
• Title: Apache Tomcat Information Disclosure Vulnerability
• Description: Apache Tomcat is a Java-based web server application for multiple operating systems. The application is exposed to a remote information disclosure issue. This issue is due to a design error that allows malicious web application to disclose the content contained in the "web.xml" file and the "context.xml" file. Tomcat 7.0.0 through 7.0.16 are affected.
• Ref: http://tomcat.apache.org/security-7.html

• 11.34.18 - CVE: CVE-2011-2896
• Platform: Cross Platform
• Title: GIMP GIF Image Parsing "LZWReadByte()" Buffer Overflow
• Description: GIMP is a program for manipulating images. GIMP is exposed to a buffer overflow issue when parsing a GIF file. This issue occurs because the application fails to perform adequate boundary checks when passing data to the "LZWReadByte()" function of the "plug-ins/common/file-gif-load.c" file. GIMP versions up to 2.6.11 are affected.
• Ref: http://www.securityfocus.com/bid/49148/references

• 11.34.19 - CVE:CVE-2011-2993,CVE-2011-2992,CVE-2011-2991,CVE-2011-2990,CVE-2011-2989CVE-2011-2988,CVE-2011-2987,CVE-2011-2986,CVE-2011-2985,CVE-2011-2984CVE-2011-2983,CVE-2011-2982,CVE-2011-2981,CVE-2011-2980,CVE-2011-2978CVE-2011-0084
• Platform: Cross Platform
• Title: Mozilla Firefox/Thunderbird/SeaMonkey Multiple Vulnerabilities
• Description: The Mozilla Foundation has released multiple security advisories specifying vulnerabilities in Mozilla Firefox, Thunderbird and SeaMonkey. Mozilla Firefox, Thunderbird and SeaMonkey are exposed to multiple remote vulnerabilities. See reference for further details. All versions of Firefox/Thunderbird/SeaMonkey are affected.
• Ref: http://www.mozilla.org/security/announce/2011/mfsa2011-29.html http://www.mozilla.org/security/announce/2011/mfsa2011-30.html http://www.mozilla.org/security/announce/2011/mfsa2011-31.html http://www.mozilla.org/security/announce/2011/mfsa2011-32.html http://www.mozilla.org/security/announce/2011/mfsa2011-33.html

• 11.34.20 - CVE:CVE-2011-2955,CVE-2011-2954,CVE-2011-2953,CVE-2011-2952,CVE-2011-2951CVE-2011-2950,CVE-2011-2949,CVE-2011-2948,CVE-2011-2947,CVE-2011-2946CVE-2011-2945
• Platform: Cross Platform
• Title: Real Networks RealPlayer Multiple Remote Vulnerabilities
• Description: Real Networks RealPlayer is an application that allows users to play various media formats. The application is exposed to multiple security issues. See reference for further details. RealPlayer for Windows SP 1.1.5 and pervious versions, RealPlayer Enterprise 2.1.5 and previous versions, RealPlayer for Mac 12.0.0.1569 are affected.
• Ref: http://service.real.com/realplayer/security/08162011_player/en/

• 11.34.21 - CVE: CVE-2011-1340
• Platform: Web Application - Cross Site Scripting
• Title: Plone "type_name" Parameter Cross-Site Scripting
• Description: Plone is a web-based content manager implemented in Python. Plone CMS is exposed to a cross-site scripting issue because it fails to properly sanitize user supplied input submitted to the "type_name" parameter of the "skins/plone_templates/default_error_message.pt" script. Versions prior to Plone 2.5.3 are affected.
• Ref: http://www.securityfocus.com/bid/49123/references

• 11.34.22 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: Mambo CMS "zorder" Parameter SQL Injection
• Description: Mambo CMS is a PHP-based content management system. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data submitted to the "zorder" parameter of the "administrator/index2.php" script before using it in an SQL query. Mambo CMS 4.6.5 is vulnerable; other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/49130/references

• 11.34.23 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: Contrexx Shopsystem Module "productId" Parameter SQL Injection
• Description: Contrexx is a PHP-based content management system. Shopsystem is a module for Contrexx CMS. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data submitted to the "productId" parameter of the "index.php" script before using it in an SQL query. Contrexx 2.2 SP3 is vulnerable; other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/49155/discuss

• 11.34.24 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: Curverider Elgg "index.php" Multiple SQL Injection Vulnerabilities
• Description: Curverider Elgg is a PHP-based social media application. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data to the "container_guid" and "owner_guid" parameters of the "mod/search/pages/search/index.php" script. Curverider Elgg 1.8 beta2 and versions prior to 1.7.11 are affected.
• Ref: http://www.securityfocus.com/archive/1/519294

• 11.34.25 - CVE: CVE-2011-1342
• Platform: Web Application
• Title: Aimluck Products Aipo and Aipo ASP Unspecified SQL Injection
• Description: Aimluck products are web-based groupware applications. The applications are exposed to an unspecified SQL injection issue because they fail to sufficiently sanitize user-supplied data before using it in an SQL query. Versions prior to Aipo 5.1.1 and Aipo ASP 5.1.1 are affected.
• Ref: http://www.securityfocus.com/bid/49158/references

• 11.34.26 - CVE: Not Available
• Platform: Hardware
• Title: Multiple Sagem F@st Routers Authentication Bypass
• Description: SAGEM F@st routers are network routers that ship with a web-based administration interface. Multiple SAGEM F@st routers are are exposed to a remote authentication bypass issue. An attacker can exploit this issue by specially crafted network packets. Sagem F@st 3304, Sagem F@st 3464 and Sagem F@st 3504 are affected.
• Ref: http://www.securityfocus.com/bid/49167/references

(c) 2011. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account