
@RISK: The Consensus Security Vulnerability Alert

Volume: X, Issue: 32
September 8, 2011

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Platform                                  Number of Updates and Vulnerabilities
    ----------------------------------------  -------------------------------------
    Other Microsoft Products                  1
    Third Party Windows Apps                  8 (#1, #2)
    Mac Os                                    1
    Cross Platform                            10
    Web Application - Cross Site Scripting    2
    Web Application                           2
    Network Device                            1
    Hardware                                  1

************************* Sponsored By Splunk ****************************

Are you listening to your data? It's trying to tell you something. Only Splunk can turn petabytes of your real-time and historical machine data into powerful security insights. With Splunk software catch bad actors, block cyber threats, detect zero-day viruses and advanced persistent threats. Give your data a voice with Splunk.

http://www.sans.org/info/86484

**************************************************************************

TRAINING UPDATE

-- SANS Network Security 2011, Las Vegas, NV, September 17-26, 2011
   45 courses. Bonus evening presentations include Securing the Kids; Who is Watching the Watchers?; and Emerging Trends in the Law of Information Security and Investigations
   http://www.sans.org/network-security-2011/

-- The National Security Architecture Workshop, DC, Sept. 29-30, 2011
   2-day workshop discussing techniques to ensure security is considered in every step of the development life cycle
   http://www.sans.org/baking-security-applications-networks-2011/

-- NCIC: The National Cybersecurity Innovations Conference, DC, Oct. 11-12, 2011
   3 tracks - Cloud Computing, Continuous Monitoring and Enterprise Mobile Security training
   http://www.sans.org/ncic-2011/

-- SANS Chicago 2011, Chicago, IL, October 23-28, 2011
   6 courses. Bonus evening presentations include Computer Forensics in the Virtual Realm and Electrical Grid Security
   http://www.sans.org/chicago-2011/

-- SANS Seattle 2011, Seattle, WA, November 2-7, 2011
   5 courses. Bonus evening presentations include Future Trends in Network Security; and Ninja Developers: Penetration Testing and Your SDLC
   http://www.sans.org/seattle-2011/

-- SANS San Francisco 2011, San Francisco, CA, November 14-19, 2011
   6 courses. Bonus evening presentations include The Worst Mistakes in Cloud Computing Security; Offensive Countermeasures; and Watching the Wire at Home
   http://www.sans.org/san-francisco-2011/

-- SANS San Antonio 2011, San Antonio, TX, November 28-December 5, 2011
   7 courses. Bonus evening presentations include Effective Methods for Implementing the 20 Critical Security Controls; and Assessing Deception: Are They Lying to You?
   http://www.sans.org/san-antonio-2011/

-- Looking for training in your own community?
   http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/discounts.php#current

Plus Melbourne, Delhi, London, Baltimore and Singapore all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

****************************************************************************

Table Of Contents

Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
    Other Microsoft Products
    Third Party Windows Apps
    Mac Os
    Cross Platform
    Web Application - Cross Site Scripting
    Web Application
    Network Device
    Hardware

    PART I Critical Vulnerabilities

    Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/risk/#process

    *************************************************************

    Widely Deployed Software
    • (1) HIGH: Siemens SIMATIC WinCC Client-Side Exploit
    • Affected:
      • SIMATIC WinCC flexible (versions: 2004, 2005, 2005 SP1, 2007, 2008, 2008 SP1, 2008 SP2)
    • Description: Siemens has released a patch for a vulnerability affecting its SIMATIC WinCC software. WinCC is used to visualize industrial plant processes and can run on its own or as a component of a larger SCADA system. It is widely deployed in several industries. Little information is available for this vulnerability. Siemens reports that it exists in the "Tag Simulator" of "WinCC flexible." By enticing a target to open a malicious WinCC file, an attacker can exploit this vulnerability in order to execute arbitrary code on the target's machine.

    • Status: vendor confirmed, updates available

    • References:
    • (2) HIGH: BroadWin WebAccess Multiple Vulnerabilities
    • Affected:
      • BroadWin WebAccess bwocxrun.ocx <= 1.0.0.10 (aka version 7.0)
    • Description: BroadWin WebAccess is susceptible to format string and memory corruption vulnerabilities, according to Luigi Auriemma. WebAccess, a web-based Human Machine Interface (HMI) and SCADA application, is used in industrial settings to view, control, and configure automation systems. The format string vulnerability is due to the application passing a string from a call to the OcxSpool method directly to vsprintf as the format argument, allowing an attacker to supply arbitrary format directives to that function. The memory corruption is due to the code trusting attacker-controlled stream identifiers in the WriteTextData and CloseFile methods. By enticing a target to view a malicious page, an attacker can exploit these vulnerabilities in order to execute arbitrary code on the target's machine.

    • Status: vendor not confirmed, updates not available

    • References:
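The format string defect described in (2), shown as an added example in C; this is not BroadWin code and does not reproduce WebAccess. It places a spooling routine that hands the caller's string to vsnprintf as the format (the vulnerable shape, which is never invoked here) beside the corrected routine that binds that string to a fixed "%s", and adds a review helper that counts the conversion directives an untrusted string carries, which is what a code reviewer or a log-inspection rule looks for. The function names and the "SPOOL: " prefix are made up for the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable shape (illustration only, never called below): the caller's
 * string is passed as the format, so text such as "%x %x %n" is interpreted
 * by vsnprintf instead of being copied. This is the pattern the advisory
 * describes for OcxSpool -> vsprintf. */
int spool_unsafe(char *out, size_t outsz, const char *msg, ...)
{
    va_list ap;
    va_start(ap, msg);
    int n = vsnprintf(out, outsz, msg, ap);   /* msg is attacker-controlled here */
    va_end(ap);
    return n;
}

/* Corrected shape: the format is a compile-time literal and the untrusted
 * string is bound to %s, so '%' characters in it are plain data. Returns the
 * snprintf length so callers can detect truncation. */
int spool_safe(char *out, size_t outsz, const char *msg)
{
    return snprintf(out, outsz, "SPOOL: %s", msg);
}

/* Review/detection helper: count printf conversions in an untrusted string.
 * "%%" is a literal percent sign and is not counted. A nonzero count in data
 * that reaches a printf-family format argument is the signature of this bug. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {     /* escaped percent: skip the pair */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Returns 1 when msg comes out of spool_safe byte-for-byte after the fixed
 * prefix, i.e. no directive in it was interpreted. */
int spool_preserves_literal(const char *msg)
{
    char out[128];
    int n = spool_safe(out, sizeof out, msg);
    if (n < 0 || (size_t)n >= sizeof out)
        return 0;                              /* truncated or error */
    return strncmp(out, "SPOOL: ", 7) == 0 && strcmp(out + 7, msg) == 0;
}

int main(void)
{
    const char *hostile = "%x %x %n";           /* constructed sample input */
    char buf[128];
    spool_safe(buf, sizeof buf, hostile);
    printf("safe output : %s\n", buf);
    printf("directives  : %d\n", count_format_directives(hostile));
    printf("preserved   : %d\n", spool_preserves_literal(hostile));
    return 0;
}
```

The fix is the fixed format literal, not input filtering; count_format_directives is only a reviewer's aid for spotting untrusted strings that carry conversions on their way to a format argument.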
    Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
    Week 32, 2011

    Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

    This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 12254 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.
    ______________________________________________________________________


    • 11.37.1 - CVE: Not Available
    • Platform: Other Microsoft Products
    • Title: Microsoft Windows Script Host "wshesn.dll" DLL Loading Arbitrary Code Execution
    • Description: Microsoft Windows Script Host is a Windows administration tool. The application is exposed to an issue that lets attackers execute arbitrary code. The issue arises because the application searches for the "wshesn.dll" Dynamic Link Library files in the current working directory. Microsoft Windows Script Host 5.6 is vulnerable and other versions may also be affected.
    • Ref: http://www.securityfocus.com/bid/49436/references

    • 11.37.2 - CVE: CVE-2011-0342
    • Platform: Third Party Windows Apps
    • Title: InduSoft ISSymbol ActiveX Control "ISSymbol.ocx" Multiple Buffer Overflow Vulnerabilities
    • Description: The ISSymbol ActiveX control is a plug-in for InduSoft Web Studio. The "ISSymbol.ocx" ActiveX control is exposed to multiple buffer overflow issues. A heap based buffer overflow issue affects the "Open()" method when passing an overly long string as a parameter. A heap based buffer overflow issue affects the "Close()" method when passing an overly long string as a parameter. A stack based buffer overflow issue affects the "SetCurrentLanguage()" method when passing an overly long string as a parameter. Indusoft ISSymbol ActiveX Control version 301.1104.601.0 is affected.
    • Ref: http://secunia.com/secunia_research/2011-61/

    • 11.37.3 - CVE: Not Available
    • Platform: Third Party Windows Apps
    • Title: Siemens SIMATIC WinCC Flexible Tag Simulator Remote Memory Corruption
    • Description: Siemens SIMATIC WinCC Flexible is a SCADA device management application. The application is exposed to a remote memory corruption issue. This issue occurs in the tag simulator when handling a specially crafted file. ProTool 6.0 SP3, WinCC flexible 2004, WinCC flexible 2005, WinCC flexible 2005 SP1, WinCC flexible 2007, WinCC flexible 2008, WinCC flexible 2008 SP1, WinCC flexible 2008 SP2 are affected.
    • Ref: http://www.us-cert.gov/control_systems/pdf/ICSA-11-175-02.pdf

    • 11.37.4 - CVE: Not Available
    • Platform: Third Party Windows Apps
    • Title: ICONICS IcoSetServer ActiveX Control Trusted Zone Vulnerability
    • Description: ICONICS IcoSetServer ActiveX control is a component of ICONICS GENESIS and BizViz. The component is exposed to an issue that can allow an attacker to insert an arbitrary domain into the Trusted Zone. The issue is caused by an error in the "SetTrustedZone Policy" functionality. GENESIS32 version 9.21 and BizViz version 9.21 are affected.
    • Ref: http://www.us-cert.gov/control_systems/pdf/ICSA-11-182-01.pdf

    • 11.37.5 - CVE: Not Available
    • Platform: Third Party Windows Apps
    • Title: KnFTPd FTP Server Multiple Commands Remote Buffer Overflow Vulnerabilities
    • Description: KnFTPd FTP Server is an FTP server application available for Microsoft Windows platforms. The application is exposed to multiple remote buffer overflow issues because it fails to perform adequate boundary checks on user-supplied data. KnFTPd FTP Server version 1.0.0 is affected.
    • Ref: http://www.securityfocus.com/archive/1/519498

    • 11.37.6 - CVE: Not Available
    • Platform: Third Party Windows Apps
    • Title: BroadWin WebAccess Client Multiple Remote Vulnerabilities
    • Description: BroadWin WebAccess Client is a web-based application for human/machine interfaces and supervisory control and data acquisition. BroadWin WebAccess Client is exposed to a format string issue and multiple memory corruption issues. BroadWin WebAccess Client 7.0 is vulnerable and other versions may also be affected.
    • Ref: http://www.securityfocus.com/bid/49428/references

    • 11.37.7 - CVE: Not Available
    • Platform: Third Party Windows Apps
    • Title: BisonFTP Server Multiple Remote Buffer Overflow Vulnerabilities
    • Description: BisonFTP Server is an FTP server application. The application is exposed to multiple remote buffer overflow issues because it fails to perform adequate boundary checks on user-supplied data. Specifically, the issues affect the "XMKD", "MKD", "REST" and "ACCL" commands. BisonFTP Server 3.5 is vulnerable and other versions may also be affected.
    • Ref: http://www.securityfocus.com/bid/49441/references

    • 11.37.8 - CVE: Not Available
    • Platform: Third Party Windows Apps
    • Title: Cerberus FTP Server Remote Buffer Overflow
    • Description: Cerberus FTP Server is an FTP server application. The application is exposed to a remote buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data. Specifically, the issue affects the "REST" command. Cerberus FTP Server 4.0.9.8 is vulnerable and other versions may also be affected.
    • Ref: http://www.securityfocus.com/bid/49444/discuss

    • 11.37.9 - CVE: Not Available
    • Platform: Third Party Windows Apps
    • Title: ZipX ".zip" File Buffer Overflow
    • Description: ZipX is a file compression and encryption application for Microsoft Windows. The application is exposed to a buffer overflow issue because it fails to perform adequate boundary checks on user-supplied input. Specifically, this issue occurs when opening a specially crafted ".zip" file. ZipX 1.71 Build 987 is vulnerable and other versions may also be affected.
    • Ref: http://www.securityfocus.com/bid/49450/discuss

    • 11.37.10 - CVE: Not Available
    • Platform: Mac Os
    • Title: Apple Mac OS X Keychain Certificate Settings Security Bypass
    • Description: Apple Mac OS X is exposed to a security bypass issue in the Certificate Trust Policy. This issue occurs because the application will accept an Extended Validation certificate even when the certificate authority (CA) trust setting in Keychain Access is set to "Never Trust". Mac OS X 10.6.8 and prior are vulnerable.
    • Ref: http://securitytracker.com/id/1026002

    • 11.37.11 - CVE: Not Available
    • Platform: Cross Platform
    • Title: Ingres Database IIPROMPT Unspecified Vulnerability
    • Description: Ingres Database is a database application available for multiple platforms. The application is exposed to an unspecified issue that can be exploited to overflow data. This issue is related to an error in the shared memory segment and "IIPROMPT" in the Ingres name server ("iigcn") service. Ingres Database versions 2.6, 9.1, 9.2, 9.3, and 10.0 for Windows are affected.
    • Ref: http://downloads.ingres.com/support/alert/Ingres-SecAlert_August_30_2011_Final_Ingres.pdf

    • 11.37.12 - CVE: Not Available
    • Platform: Cross Platform
    • Title: Inductive Automation Ignition Remote Information Disclosure
    • Description: Ignition is a web-based application. The application is exposed to an information disclosure issue because it fails to sufficiently validate user-supplied input passed through a URL. Versions prior to Ignition 7.2.8.178 are affected.
    • Ref: http://www.securityfocus.com/bid/49447/references

    • 11.37.13 - CVE: CVE-2010-4831
    • Platform: Cross Platform
    • Title: GTK+ Multiple DLL Loading Arbitrary Code Execution Vulnerabilities
    • Description: GTK+ is a toolkit for creating graphical user interfaces. GTK+ is exposed to multiple issues because the application searches for the "wintab32.dll" and "uxtheme.dll" Dynamic Link Libraries in the current working directory. Specifically, the issues affect the "_gdk_input_wintab_init_check()" and "xp_theme_init()" functions of "gdk/win32/gdkinput-win32.c" and "modules/engines/ms-windows/xp_theme.c" respectively. GTK+ versions before 2.21.8 are affected.
    • Ref: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4831

    • 11.37.14 - CVE: Not Available
    • Platform: Cross Platform
    • Title: Opera Web Browser Information Disclosure and Unspecified Vulnerabilities
    • Description: Opera is a Web browser application. The application is exposed to an unspecified security issue and an information disclosure issue that will allow attackers to gain access to security information. Versions prior to Opera 11.51 are vulnerable.
    • Ref: http://www.securityfocus.com/bid/49388/discuss

    • 11.37.15 - CVE: Not Available
    • Platform: Cross Platform
    • Title: IBM WebSphere Application Server Tomcat Webdav Servlet Unspecified Vulnerability
    • Description: IBM WebSphere Application Server (WAS) Community Edition is a web server. The application is exposed to an unspecified issue that exists in the implementation of the Tomcat Webdav servlet. IBM WebSphere Application Server Community Edition 1.1.0.2 is vulnerable and other versions may also be affected.
    • Ref: http://www.securityfocus.com/bid/49389/discuss

    • 11.37.16 - CVE: CVE-2011-3134,CVE-2011-3133,CVE-2011-3132
    • Platform: Cross Platform
    • Title: TIBCO Spotfire Products Multiple Remote Vulnerabilities
    • Description: Spotfire Analytics Server and Spotfire Server are web server applications. TIBCO Spotfire products are exposed to multiple remote issues: an unspecified cross-site scripting issue, an unspecified SQL injection issue, and a session hijacking issue. Spotfire Analytics Server versions prior to 10.1.1 and Spotfire Server versions 3.0.0, 3.0.1, 3.1.0, 3.1.1, 3.2.0, and 3.3.0 are affected.
    • Ref: http://www.tibco.com/multimedia/spotfire_advisory_20110831_tcm8-14230.txt

    • 11.37.17 - CVE: Not Available
    • Platform: Cross Platform
    • Title: Openads "lib-view-main.inc.php" Remote File Include
    • Description: Openads (formerly known as phpAdsNew) is a PHP-based ad server. The application is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input submitted to the "row" parameter of the "lib-view-main.inc.php" script. Openads 2.0.11 is vulnerable and other versions may also be affected.
    • Ref: http://www.securityfocus.com/bid/49440/discuss

    • 11.37.18 - CVE: Not Available
    • Platform: Cross Platform
    • Title: OpenVAS Scanner Symlink Attack Local Privilege Escalation
    • Description: OpenVAS (Open Vulnerability Assessment System) is a framework that offers vulnerability scanning and vulnerability management solutions. OpenVAS Scanner is the core service of its SSL-secured service-oriented architecture. The application is exposed to a local privilege escalation issue. Specifically, the issue occurs because the application passes a predictable temporary filename to the "-r" parameter of the "ovaldi" application. OpenVAS Scanner 3.2.4 is vulnerable and other versions may also be affected.
    • Ref: http://www.securityfocus.com/bid/49460/discuss

    • 11.37.19 - CVE: Not Available
    • Platform: Cross Platform
    • Title: Apple QuickTime "QuickTimePlayer.dll" ActiveX Buffer Overflow
    • Description: Apple QuickTime is a media player that supports multiple file formats. The application is exposed to a buffer overflow issue because of a failure to properly bounds check user-supplied data. This issue affects the "openURL()" method of the "QuickTimePlayer.dll" ActiveX control identified by CLSID: 0F5B08E7-94EE-470B-A184-5CD4A7DF35A3. QuickTime version 7.6.9 is vulnerable and other versions may also be affected.
    • Ref: http://www.evilcode.com.ar/index.php/advisories/quick-time-player-7-6-9-buffer-overflow-vulnerability-in-an-activex-control.html

    • 11.37.20 - CVE: CVE-2011-3207
    • Platform: Cross Platform
    • Title: OpenSSL Internal Certificate Verification Routine Security Bypass
    • Description: OpenSSL is an open source implementation of the SSL protocol that is used by a number of other projects. OpenSSL is exposed to a security bypass issue. This issue occurs because the verification routine incorrectly accepts a CRL with an "nextUpdate" field containing a date in the past. OpenSSL versions 1.0.0 through 1.0.0d are affected.
    • Ref: http://openssl.org/news/secadv_20110906.txt
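The check that 11.37.20 says OpenSSL's verification routine got wrong, written out as an added example in C; this is not OpenSSL code. It parses a CRL nextUpdate value in the two encodings RFC 5280 permits for that field (UTCTime YYMMDDHHMMSSZ and GeneralizedTime YYYYMMDDHHMMSSZ), converts it to Unix time with a pure civil-date calculation so the result does not depend on the local time zone, and rejects a CRL whose nextUpdate is not in the future. The function names and the sample timestamps are constructed for the example; the two-digit year pivot (50 and above means 19xx) follows RFC 5280 section 4.1.2.5.1.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Days since 1970-01-01 for a proleptic Gregorian date (Howard Hinnant's
 * days_from_civil). Avoids mktime, which would apply the local time zone. */
static long long days_from_civil(int y, int m, int d)
{
    y -= m <= 2;
    long long era = (y >= 0 ? y : y - 399) / 400;
    long long yoe = y - era * 400;                                /* [0, 399] */
    long long doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1; /* [0, 365] */
    long long doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;      /* [0, 146096] */
    return era * 146097 + doe - 719468;
}

/* Parse exactly n ASCII digits at s into *out; 1 on success, 0 otherwise. */
static int parse_digits(const char *s, int n, int *out)
{
    int v = 0;
    for (int i = 0; i < n; i++) {
        if (!isdigit((unsigned char)s[i]))
            return 0;
        v = v * 10 + (s[i] - '0');
    }
    *out = v;
    return 1;
}

/* Convert an X.509 Time (UTCTime "YYMMDDHHMMSSZ" or GeneralizedTime
 * "YYYYMMDDHHMMSSZ", as RFC 5280 requires for CRL fields) to Unix seconds.
 * Returns -1 for anything malformed or before the epoch. */
long long x509_time_to_unix(const char *t)
{
    size_t len = strlen(t);
    const char *p = t;
    int year, mon, day, hh, mm, ss;

    if (len == 13) {                       /* UTCTime: two-digit year */
        int yy;
        if (!parse_digits(p, 2, &yy))
            return -1;
        year = yy >= 50 ? 1900 + yy : 2000 + yy;   /* RFC 5280 4.1.2.5.1 */
        p += 2;
    } else if (len == 15) {                /* GeneralizedTime: four-digit year */
        if (!parse_digits(p, 4, &year))
            return -1;
        p += 4;
    } else {
        return -1;
    }
    if (!parse_digits(p, 2, &mon) || !parse_digits(p + 2, 2, &day) ||
        !parse_digits(p + 4, 2, &hh) || !parse_digits(p + 6, 2, &mm) ||
        !parse_digits(p + 8, 2, &ss) || p[10] != 'Z')
        return -1;
    if (mon < 1 || mon > 12 || day < 1 || day > 31 ||
        hh > 23 || mm > 59 || ss > 59)
        return -1;

    long long secs = days_from_civil(year, mon, day) * 86400LL
                   + hh * 3600LL + mm * 60LL + ss;
    return secs < 0 ? -1 : secs;
}

/* The freshness check itself: 1 = CRL still current (nextUpdate after now),
 * 0 = stale and must be rejected, -1 = nextUpdate could not be parsed.
 * A verifier that returns 1 for a past nextUpdate has the bug described above. */
int crl_is_current(const char *next_update, long long now)
{
    long long nu = x509_time_to_unix(next_update);
    if (nu < 0)
        return -1;
    return nu > now ? 1 : 0;
}

int main(void)
{
    /* Constructed sample: a CRL whose nextUpdate is 2011-09-06 00:00:00Z */
    const char *next_update = "110906000000Z";
    long long day_before = 1315267200LL - 86400;
    long long day_after  = 1315267200LL + 86400;
    printf("nextUpdate as unix time: %lld\n", x509_time_to_unix(next_update));
    printf("checked one day before : %d\n", crl_is_current(next_update, day_before));
    printf("checked one day after  : %d\n", crl_is_current(next_update, day_after));
    return 0;
}
```

A stale CRL is treated as a hard failure rather than a soft warning because the whole point of nextUpdate is that the issuer promised a newer list by then; accepting an old one lets a revoked certificate keep validating.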

    • 11.37.21 - CVE: Not Available
    • Platform: Web Application - Cross Site Scripting
    • Title: Phorum "real_name" Parameter Cross-Site Scripting
    • Description: Phorum is a PHP-based web forum. Phorum is exposed to a cross-site scripting issue because the application fails to sufficiently sanitize user-supplied input. This issue affects the "real_name" parameter. Phorum 5.2.16 and prior are affected.
    • Ref: http://www.securityfocus.com/bid/49347/discuss

    • 11.37.22 - CVE: Not Available
    • Platform: Web Application - Cross Site Scripting
    • Title: YABSoft Advanced Image Hosting Script "report.php" Cross-Site Scripting
    • Description: YABSoft Advanced Image Hosting Script is a PHP-based web application. The application is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied input to the "img_id" parameter of the "report.php" script. Advanced Image Hosting Script 2.3 is vulnerable and other versions may also be affected.
    • Ref: http://www.securityfocus.com/bid/49457/discuss

    • 11.37.23 - CVE: Not Available
    • Platform: Web Application
    • Title: KaiBB SQL Injection and Arbitrary File Upload Vulnerabilities
    • Description: KaiBB is a PHP-based bulletin board application. The application is exposed to multiple issues. Multiple SQL injection issues affect the "t", "f", "user", and "page" parameters. An arbitrary file upload issue occurs because the application fails to sanitize file extensions before uploading files onto the web server. KaiBB 2.0.1 is vulnerable and other versions may also be affected.
    • Ref: http://www.securityfocus.com/bid/49421/discuss

    • 11.37.24 - CVE: Not Available
    • Platform: Web Application
    • Title: MantisBT Multiple Local File Include and Cross-Site Scripting Vulnerabilities
    • Description: MantisBT is a web-based bug management application implemented in PHP. The application is exposed to multiple security issues. Multiple local file include issues affect the "action" parameter of the "bug_actiongroup_ext_page.php" and "bug_actiongroup_page.php" scripts. Multiple cross-site scripting issues affect multiple parameters and scripts. MantisBT versions prior to 1.2.8 are vulnerable.
    • Ref: https://www.htbridge.ch/advisory/multiple_vulnerabilities_in_mantisbt.html

    • 11.37.25 - CVE: CVE-2011-2577
    • Platform: Network Device
    • Title: Cisco TelePresence Codecs SIP Packet Remote Denial of Service
    • Description: Cisco TelePresence Codecs are video collaboration engines. Cisco TelePresence Codecs are exposed to a denial of service issue when handling specially crafted SIP messages. The 6000MXP, 3000MXP, 2000MXP, 1700MXP, 1000MXP, 990MXP, 880MXP, 770MXP, 550MXP, Edge 75MXP, Edge 85MXP, Edge 95MXP, C20, C40, C60, C90, EX60, and EX90 are affected.
    • Ref: http://www.cisco.com/warp/public/707/cisco-sa-20110831-tandberg.shtml

    • 11.37.26 - CVE: Not Available
    • Platform: Hardware
    • Title: Siemens Gigaset IP SIP Username Remote Information Disclosure
    • Description: Gigaset A580 IP is a VoIP device. The device is exposed to an information disclosure issue. Specifically, this issue occurs when processing a specially crafted SIP OPTIONS request. Attackers can exploit this issue by sending a "From" header with an empty SIP username field. This causes the device to send a SIP response whose "Contact" header contains the device's username field. Siemens Gigaset A580 IP is affected.
    • Ref: http://packetstormsecurity.org/files/view/104362/siemens-enumerate.txt

    (c) 2011. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

    Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account