
@RISK: The Consensus Security Vulnerability Alert

Volume: X, Issue: 31
September 1, 2011

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Summary of Updates and Vulnerabilities in this Consensus

    Platform                                   Number of Updates and Vulnerabilities
    ------------------------                   -------------------------------------
    Third Party Windows Apps                   5
    Cross Platform                             11 (#1)
    Web Application - Cross Site Scripting     5
    Web Application - SQL Injection            1
    Web Application                            1
    Network Device                             3
    Hardware                                   1

********************** Sponsored By VeriSign, Inc. ***********************

In case you missed it... SANS Ask the Expert Webcast: Leveraging SSL to Battle Emerging Security Threats. Go to: http://www.sans.org/info/85869
Sponsored by: VeriSign http://www.verisign.com/
**************************************************************************

TRAINING UPDATE
-- SANS Network Security 2011, Las Vegas, NV, September 17-26, 2011
   45 courses. Bonus evening presentations include Securing the Kids; Who is Watching the Watchers?; and Emerging Trends in the Law of Information Security and Investigations
   http://www.sans.org/network-security-2011/
-- The National Security Architecture Workshop, DC, Sept. 29-30, 2011
   2-day workshop discussing techniques to ensure security is considered in every step of the development life cycle
   http://www.sans.org/baking-security-applications-networks-2011/
-- NCIC: The National Cybersecurity Innovations Conference, DC, Oct. 11-12, 2011
   3 tracks - Cloud computing, Continuous Monitoring and Enterprise Mobile Security training
   http://www.sans.org/ncic-2011/
-- SANS Chicago 2011, Chicago, IL, October 23-28, 2011
   6 courses. Bonus evening presentations include Computer Forensics in the Virtual Realm and Electrical Grid Security
   http://www.sans.org/chicago-2011/
-- SANS Seattle 2011, Seattle, WA, November 2-7, 2011
   5 courses. Bonus evening presentations include Future Trends in Network Security; and Ninja Developers: Penetration Testing and Your SDLC
   http://www.sans.org/seattle-2011/
-- SANS San Francisco 2011, San Francisco, CA, November 14-19, 2011
   6 courses. Bonus evening presentations include The Worst Mistakes in Cloud Computing Security; Offensive Countermeasures; and Watching the Wire at Home
   http://www.sans.org/san-francisco-2011/
-- SANS San Antonio 2011, San Antonio, TX, November 28-December 5, 2011
   7 courses. Bonus evening presentations include Effective Methods for Implementing the 20 Critical Security Controls; and Assessing Deception: Are They Lying to You?
   http://www.sans.org/san-antonio-2011/
-- Looking for training in your own community? http:sans.org/community/
Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/discounts.php#current
Plus Melbourne, Delhi, London, Baltimore and Singapore all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
****************************************************************************

Table Of Contents
    Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)
    Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
        Third Party Windows Apps
        Cross Platform
        Web Application - Cross Site Scripting
        Web Application - SQL Injection
        Web Application
        Network Device
        Hardware

    *************************** Sponsored Links: *******************************

    1) Be entered in a drawing to WIN a $100 American Express gift card. Please take five minutes to help us improve the type and quality of Vendor Programs at SANS Conferences. http://www.sans.org/info/85874

    2) NEW Analyst Paper in the SANS Reading Room, "Optimized Network Monitoring for Real-World Threats," by Dave Shackleford http://www.sans.org/info/85879 ****************************************************************************

    PART I Critical Vulnerabilities

    Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/risk/#process

    *************************************************************

    Widely Deployed Software
    • (1) MEDIUM: Squid Proxy Gopher Buffer Overflow Vulnerability
    • Affected:
      • Squid versions 3.0 to 3.0.STABLE25
      • Squid versions 3.1 to 3.1.14
      • Squid versions 3.2 to 3.2.0.10
    • Description: Squid has released a patch addressing a buffer overflow in its proxy's handling of Gopher responses. Gopher, a menu-driven alternative to the web, is rarely used except by enthusiasts. By sending a malicious Gopher response to Squid, an attacker can exploit this vulnerability in order to execute arbitrary code on the target machine.

    • Status: vendor confirmed, updates available

    • References:
    Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
    Week 31, 2011

    This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 12194 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.
    ______________________________________________________________________


    • 11.36.1 - CVE: Not Available
    • Platform: Third Party Windows Apps
    • Title: F-Secure Multiple Products ActiveX SEH Overwrite Memory Corruption
    • Description: F-Secure Anti-Virus, F-Secure Internet Security, and F-Secure Protection Service are security products. These F-Secure products are exposed to a memory corruption issue that occurs due to an SEH-overwrite condition. Specifically, the issue affects an ActiveX control DLL used in the products. F-Secure Anti-Virus 2010 and 2011, F-Secure Internet Security 2010 and 2011, F-Secure Protection Service for Consumers 9, F-Secure Protection Service for Business are affected.
    • Ref: http://www.f-secure.com/en_EMEA-Labs/news-info/security-advisories/fsc-2011-3.html

    • 11.36.2 - CVE: Not Available
    • Platform: Third Party Windows Apps
    • Title: NetSaro Enterprise Messenger Server Source Code Information Disclosure
    • Description: NetSaro Enterprise Messenger provides solutions to create a private instant messaging network. The application's administration console is exposed to an issue that lets attackers access source code files. Specifically, an HTTP request for a specific file followed by a "%20" character can disclose the source code of the file instead of returning the page to the client. NetSaro Enterprise Messenger 2.0 is vulnerable; other versions may also be affected.
    • Ref: http://www.solutionary.com/index/SERT/Vuln-Disclosures/NetSaro-Enterprise-Messenger-Source-Code.html

    • 11.36.3 - CVE: Not Available
    • Platform: Third Party Windows Apps
    • Title: Sunway ForceControl Unspecified Buffer Overflow
    • Description: Sunway ForceControl is SCADA HMI software that controls various devices. The software is susceptible to an unspecified buffer overflow issue that can result in arbitrary code execution. Very limited information is currently available regarding this issue. All versions of Sunway ForceControl are affected.
    • Ref: http://www.securityfocus.com/bid/49346/references

    • 11.36.4 - CVE: Not Available
    • Platform: Third Party Windows Apps
    • Title: MiniFTPServer Remote Denial of Service
    • Description: MiniFTPServer is an FTP server available for Windows. The application is exposed to a remote denial of service issue. Specifically, the issue occurs when an overly large string is sent to the application after authentication. MiniFTPServer 1.1 is affected and other versions may also be vulnerable.
    • Ref: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5040.php

    • 11.36.5 - CVE: Not Available
    • Platform: Third Party Windows Apps
    • Title: Ipswitch WhatsUp Gold LDAP Authentication Security Bypass
    • Description: Ipswitch WhatsUp Gold is a network monitoring and management solution. Ipswitch WhatsUp Gold is exposed to a security bypass issue because it does not properly verify user credentials when using the LDAP protocol for authentication. Ipswitch WhatsUp Gold versions prior to 15.0.1 are affected.
    • Ref: http://www.securityfocus.com/bid/49337

    • 11.36.6 - CVE: CVE-2011-2735
    • Platform: Cross Platform
    • Title: EMC AutoStart Multiple Buffer Overflow Vulnerabilities
    • Description: EMC AutoStart allows automatic application recovery within a short period of time. EMC AutoStart is exposed to multiple buffer overflow issues because the application fails to perform adequate boundary checks on user supplied data. EMC AutoStart 5.3.x and 5.4.x are affected.
    • Ref: http://www.securityfocus.com/bid/49238/references

    • 11.36.7 - CVE: CVE-2011-3192
    • Platform: Cross Platform
    • Title: Apache HTTP Server Denial of Service
    • Description: The Apache HTTP Server is a freely available Web server. Apache HTTP Server is exposed to a denial of service issue due to an error in the "ByteRange" filter. Specifically, this issue occurs when processing a large number of HTTP HEAD requests that include a specially crafted "Range" header. All versions of Apache 1.3 and Apache 2 are affected.
    • Ref: http://www.securityfocus.com/bid/49303/references

    • 11.36.8 - CVE: CVE-2011-3170
    • Platform: Cross Platform
    • Title: CUPS "gif_read_lzw()" GIF File Heap Buffer Overflow
    • Description: CUPS (Common UNIX Printing System) is a widely used set of printing utilities for UNIX-based systems. CUPS is exposed to a heap-based buffer overflow issue because of a failure to properly bounds check user-supplied data. Specifically, this issue affects the "gif_read_lzw()" function of the "filter/image-gif.c" source file. CUPS 1.4.8 is vulnerable and other versions may also be affected.
    • Ref: http://www.securityfocus.com/bid/49323/references

    • 11.36.9 - CVE: Not Available
    • Platform: Cross Platform
    • Title: HP SiteScope Administration Interface Security Bypass
    • Description: HP SiteScope is an agent-less monitoring application. HP SiteScope is exposed to a security bypass issue. This issue occurs because the application fails to request an administrator password when logging in as an administrator. HP SiteScope version 11.10 Build 2929 is vulnerable; other versions may also be affected.
    • Ref: http://www.securityfocus.com/bid/49345/references

    • 11.36.10 - CVE: Not Available
    • Platform: Cross Platform
    • Title: Control Microsystems ClearSCADA Authentication Security Bypass
    • Description: Control Microsystems ClearSCADA is an application used for monitoring and controlling industrial processes. The application is exposed to a security bypass issue. This issue occurs when an exception occurs in the "dbserver.exe" file during the authentication process. Versions prior to ClearSCADA 2010 R1.1 are affected.
    • Ref: http://www.securityfocus.com/bid/49349/references

    • 11.36.11 - CVE: CVE-2011-3190
    • Platform: Cross Platform
    • Title: Apache Tomcat AJP Protocol Security Bypass
    • Description: Apache Tomcat is an HTTP server application. The application is exposed to a security bypass issue that affects the AJP protocol when processing messages. Specifically, Tomcat treats every AJP message as a new request, which may allow an attacker to insert arbitrary data into the message. Apache Tomcat versions 7.0.0 through 7.0.20, 6.0.0 through 6.0.33 and 5.0.0 through 5.0.33 are affected.
    • Ref: http://tomcat.apache.org/security-7.html http://tomcat.apache.org/security-6.html http://tomcat.apache.org/security-5.html

    • 11.36.12 - CVE: Not Available
    • Platform: Cross Platform
    • Title: Squid Proxy Gopher Remote Buffer Overflow
    • Description: Squid is a freely available, open-source, web-proxy software package. The application is exposed to a buffer overflow issue affecting the Gopher-to-HTML functionality. This issue occurs when handling data larger than 4096 bytes. Squid versions 3.0 through 3.0.STABLE25, 3.1 through 3.1.14, and 3.2 through 3.2.0.10 are affected.
    • Ref: http://www.squid-cache.org/Advisories/SQUID-2011_3.txt

    • 11.36.13 - CVE: Not Available
    • Platform: Cross Platform
    • Title: IBM WebSphere Application Server Administration Console Information Disclosure
    • Description: The IBM WebSphere Application Server (WAS) is designed to facilitate the creation of various enterprise Web applications. The application is exposed to an unspecified remote information disclosure issue. IBM WebSphere Application Server versions 6.1.0.0 through 6.1.0.39, 7.0.0.0 through 7.0.0.18, and 8.0.0.0 are affected.
    • Ref: http://www.securityfocus.com/bid/49362/discuss

    • 11.36.14 - CVE: CVE-2011-3137,CVE-2011-3136,CVE-2011-3135
    • Platform: Cross Platform
    • Title: IBM Tivoli Federated Identity Manager Multiple Unspecified Vulnerabilities
    • Description: IBM Tivoli Federated Identity Manager is a single sign-on management application. The application is exposed to multiple unspecified issues. Very few technical details are currently available. IBM Tivoli Federated Identity Manager 6.2.0.0 to 6.2.0.8 and IBM Tivoli Federated Identity Manager Business Gateway 6.2.0.0 to 6.2.0.8 are affected.
    • Ref: https://www-304.ibm.com/support/docview.wss?uid=swg24029497 https://www-304.ibm.com/support/docview.wss?uid=swg24029498

    • 11.36.15 - CVE: CVE-2011-2975
    • Platform: Cross Platform
    • Title: MapServer Map File Double Free Remote Denial of Service
    • Description: MapServer is a development environment for building spatially enabled Internet applications. MapServer is exposed to a remote denial of service issue due to a double free condition. This issue occurs in the "msAddImageSymbol()" function of the "mapsymbol.c" file when handling specially crafted Map Files. Versions prior to MapServer 6.0.1 are affected.
    • Ref: http://www.securityfocus.com/bid/49374/references

    • 11.36.16 - CVE: CVE-2011-3189
    • Platform: Cross Platform
    • Title: PHP "crypt()" Function Security Bypass
    • Description: PHP is a general purpose scripting language. PHP is exposed to a security bypass issue that affects the "crypt()" function. Specifically, the function returns the salt value when generating salted MD5 hash values. PHP 5.3.7 and prior are affected.
    • Ref: http://www.php.net/ChangeLog-5.php#5.3.8

    • 11.36.17 - CVE: Not Available
    • Platform: Web Application - Cross Site Scripting
    • Title: Citrix Access Gateway Logon Portal Cross-Site Scripting
    • Description: Citrix Access Gateway is an SSL/VPN appliance. The application is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input submitted to the "logon" portal. Citrix Access Gateway Enterprise Edition versions 9.2-49.8 and prior are affected.
    • Ref: http://support.citrix.com/article/CTX129971

    • 11.36.18 - CVE: CVE-2011-3181
    • Platform: Web Application - Cross Site Scripting
    • Title: PhpMyAdmin Tracking Feature Multiple Cross-Site Scripting
    • Description: PhpMyAdmin is a web-based administration interface for MySQL databases; it is implemented in PHP. The application is exposed to multiple cross-site scripting issues because it fails to properly sanitize user-supplied input submitted to the "table", "column" and "index" parameters. Specifically, these issues affect the "Tracking" feature. PhpMyAdmin 3.3.0 to 3.4.3.2 are affected.
    • Ref: http://www.phpmyadmin.net/home_page/security/PMASA-2011-13.php

    • 11.36.19 - CVE: Not Available
    • Platform: Web Application - Cross Site Scripting
    • Title: Mambo CMS "index.php" Cross-Site Request Forgery
    • Description: Mambo CMS is a PHP-based content management system. The application allows users to perform HTTP requests without performing sufficient validity checks. Specifically, the "index.php" script is vulnerable. Mambo CMS 4.6.5 is vulnerable. Other versions may also be affected.
    • Ref: http://www.securityfocus.com/bid/49315/references

    • 11.36.20 - CVE: Not Available
    • Platform: Web Application - Cross Site Scripting
    • Title: Jcow Social Networking Script "g" Parameter Cross-Site Scripting
    • Description: Jcow is a script for developing social networking applications. Jcow is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied input submitted to the "g" parameter of the "index.php" script. Versions prior to Jcow 4.3.1 are affected.
    • Ref: http://www.securityfocus.com/bid/49325/references

    • 11.36.21 - CVE: Not Available
    • Platform: Web Application - Cross Site Scripting
    • Title: IBM Open Admin Tool Multiple Cross-Site Scripting Vulnerabilities
    • Description: IBM Open Admin Tool is a web administration tool. The application is exposed to multiple cross-site scripting issues because the application fails to sufficiently sanitize user-supplied input. These issues affect the "informixserver", "host", and "port" parameters of the "index.php" script. IBM Open Admin Tool 2.71 and prior are affected.
    • Ref: http://www.securityfocus.com/archive/1/519468

    • 11.36.22 - CVE: Not Available
    • Platform: Web Application - SQL Injection
    • Title: vAuthenticate Multiple Cookie Authentication SQL Injection Vulnerabilities
    • Description: vAuthenticate is a PHP-based user authentication application. vAuthenticate is exposed to multiple SQL injection issues because it fails to adequately verify user-supplied input. This issue affects the "USERNAME" and "PASSWORD" cookies used for authentication. vAuthenticate 3.01 is vulnerable and other versions may also be affected.
    • Ref: http://www.securityfocus.com/bid/49366/references

    • 11.36.23 - CVE: Not Available
    • Platform: Web Application
    • Title: Zazavi "filemanager/controller.php" Arbitrary File Upload
    • Description: Zazavi is a website builder application implemented in PHP. The application is exposed to an arbitrary file upload issue because it fails to adequately validate file extensions before uploading them. Specifically, this issue affects the "admin/editor/filemanager/controller.php" script. Zazavi 1.2.1 is vulnerable; other versions may also be affected.
    • Ref: http://www.securityfocus.com/bid/49309/discuss

    • 11.36.24 - CVE: CVE-2011-2564,CVE-2011-2563
    • Platform: Network Device
    • Title: Cisco Intercompany Media Engine SAF Packets Handling Multiple Denial of Service Vulnerabilities
    • Description: Cisco Intercompany Media Engine provides a solution for establishing direct IP connectivity between enterprises. Cisco Intercompany Media Engine is exposed to multiple remote denial of service issues. These issues occur when processing specially crafted Service Advertisement Framework (SAF) packets. Intercompany Media Engine versions 8.0.x are affected.
    • Ref: http://www.cisco.com/warp/public/707/cisco-sa-20110824-ime.shtml

    • 11.36.25 - CVE: CVE-2011-2562,CVE-2011-2561,CVE-2011-2560,CVE-2011-1643
    • Platform: Network Device
    • Title: Cisco Unified Communications Manager (CUCM) Multiple Vulnerabilities
    • Description: Cisco Unified Communications Manager (CUCM) is a software-based call-processing component of the Cisco IP telephony solution. The application was formerly named Unified CallManager. CUCM is exposed to an information disclosure issue and multiple denial of service issues. See the reference for further details. Cisco Unified Communications Manager 4.x, 6.x, 7.x and 8.x are affected.
    • Ref: http://www.cisco.com/warp/public/707/cisco-sa-20110824-cucm.shtml

    • 11.36.26 - CVE: Not Available
    • Platform: Network Device
    • Title: ASUS RT-N56U Wireless Router "QIS_wizard.htm" Password Information Disclosure
    • Description: ASUS RT-N56U is a Wireless-N Gigabit router. The device is exposed to an information disclosure issue. Specifically, the device fails to restrict access to the "QIS_wizard.htm" page, which contains the device's configuration. This allows unauthenticated attackers to obtain sensitive information about the device, such as the administrative password. ASUS RT-N56U firmware version 1.0.1.4 is affected.
    • Ref: http://www.kb.cert.org/vuls/id/200814

    • 11.36.27 - CVE: CVE-2011-2737,CVE-2011-2736
    • Platform: Hardware
    • Title: RSA enVision Multiple Information Disclosure Vulnerabilities
    • Description: RSA enVision is a system for collecting and analyzing log data. The application is exposed to multiple issues. 1) An information disclosure issue occurs because the "Task Escalation" email messages may contain administrative credentials in clear text. 2) An unspecified error in the application allows attackers to disclose the contents of arbitrary files. RSA enVision versions prior to 4 SP4 P3 are affected.
    • Ref: http://archives.neohapsis.com/archives/bugtraq/2011-08/att-0149/ESA-2011-030.txt

    (c) 2011. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

    Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account