@RISK: The Consensus Security Vulnerability Alert

Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys

• (1) HIGH: Microsoft Patch Tuesday Multiple Vulnerabilities
• (2) HIGH: Adobe Flash Player Multiple Security Vulnerabilities
• (3) MEDIUM: ScadaTEC SCADAPhone and ModbusTagServer Buffer Overflow Vulnerability

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

Windows

• 11.38.1 - Microsoft Windows stdout/stdin Local Denial of Service
• 11.38.2 - Microsoft Windows WINS Server Elevation of Privilege
• 11.38.3 - Windows Components Remote Code Execution

Microsoft Office

• 11.38.4 - Microsoft SharePoint Multiple Vulnerabilities
• 11.38.5 - Microsoft Office Remote Code Execution Vulnerabilities
• 11.38.6 - Microsoft Excel Remote Code Execution Vulnerabilities

Third Party Windows Apps

• 11.38.7 - ACDSee FotoSlate "id" Parameter "PLP" File Buffer Overflow
• 11.38.8 - ScadaTEC ModbusTagServer and ScadaPhone Remote Buffer Overflow
• 11.38.9 - Wav Player ".pll" File Remote Buffer Overflow
• 11.38.10 - TwinCAT "TCATSysSrv.exe" Network Packet Denial of Service
• 11.38.11 - Movicon Multiple Heap-Based Buffer Overflow and Denial of Service Vulnerabilities
• 11.38.12 - AzeoTech DAQFactory NETB Datagram Parsing Buffer Overflow
• 11.38.13 - RSLogix Remote Denial of Service
• 11.38.14 - Cogent DataHub Buffer Overflow and Integer Overflow

Cross Platform

• 11.38.15 - Wireshark Lua Script File Arbitrary Code Execution
• 11.38.16 - Cyrus IMAP Server "split_wildmats()" Remote Buffer Overflow
• 11.38.17 - Librsvg SVG Images Remote Denial of Service
• 11.38.18 - Mozilla Firefox Sage Extension RSS Feeds HTML Injection
• 11.38.19 - Django Multiple Security Vulnerabilities
• 11.38.20 - EMC Avamar Privilege Enforcement Security Bypass
• 11.38.21 - Google SketchUp ".DAE" File Memory Corruption
• - Adobe Acrobat and Reader Multiple Vulnerabilities

Web Application - Cross Site Scripting

• 11.38.23 - IBM Tivoli Security Information and Event Manager Custom Reports Cross-Site Scripting
• 11.38.24 - FortiMail "module/admin.fe" Multiple Cross-Site Scripting Vulnerabilities

Web Application

• 11.38.25 - Argus Surveillance DVR Multiple Cross-Site Scripting and HTML Injection Vulnerabilities
• 11.38.26 - PHP Support Tickets "page" Parameter Remote PHP Code Execution

Hardware

• 11.38.27 - FortiAnalyzer Cross-Site Scripting and HTML Injection Vulnerabilities

PART I Critical Vulnerabilities

PART I Critical Vulnerabilities Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/risk/#process

*************************************************************

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 33, 2011

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com) This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 12306 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely. ______________________________________________________________________

• 11.38.1 - CVE: Not Available
• Platform: Windows
• Title: Microsoft Windows stdout/stdin Local Denial of Service
• Description: Microsoft Windows is exposed to a local denial of service issue. The issue occurs when an attacker closes the "stdout" and "stderr" standard output streams and reads from the "stdin" standard input stream. Successful exploits will result in an access violation error in the CSRSS process. Microsoft Windows Server 2008 R1 is affected.
• Ref: http://www.securityfocus.com/bid/49489/references

• 11.38.2 - CVE: CVE-2011-1984
• Platform: Windows
• Title: Microsoft Windows WINS Server Elevation of Privilege
• Description: Windows Internet Naming Service (WINS) is a protocol used to support NetBIOS over TCP/IP and to locate network resources such as computers and printers. Microsoft Windows WINS server is exposed to a local privilege escalation issue that may be triggered by malicious WINS network packets. Windows Server 2003, Windows Server 2008 (except Itanium), and Windows Server 2008 R2 (except Itanium), on which WINS is installed are affected.
• Ref: http://technet.microsoft.com/en-us/security/bulletin/ms11-070

• 11.38.3 - CVE: CVE-2011-1991
• Platform: Windows
• Title: Windows Components Remote Code Execution
• Description: Multiple Microsoft products are exposed to an issue that lets attackers execute arbitrary code. The issue arises because the applications search for Dynamic Link Library (DLL) files in the current working directory through relative paths. All supported releases of Microsoft Windows are affected.
• Ref: http://technet.microsoft.com/en-us/security/bulletin/ms11-071

• 11.38.4 - CVE:CVE-2011-1252,CVE-2011-0653,CVE-2011-1890,CVE-2011-1891,CVE-2011-1892CVE-2011-1893
• Platform: Microsoft Office
• Title: Microsoft SharePoint Multiple Vulnerabilities
• Description: Microsoft SharePoint is an integrated server application providing content management and search capabilities. The application is exposed to multiple issues because it fails to properly sanitize user supplied input. See reference for further details. Microsoft Office Groove 2007, Microsoft SharePoint Workspace 2010, Microsoft Office Forms Server 2007, Microsoft Office SharePoint Server 2007, Microsoft Office SharePoint Server 2010, Microsoft Office Groove Data Bridge Server 2007, Microsoft Office Groove Management Server 2007, Microsoft Groove Server 2010, Microsoft SharePoint Services 2.0, Microsoft SharePoint Services 3.0, Microsoft SharePoint Foundation 2010, Microsoft Office Web Apps 2010, and Microsoft Word Web App 2010 are affected.
• Ref: http://technet.microsoft.com/en-us/security/bulletin/ms11-074

• 11.38.5 - CVE: CVE-2011-1980,CVE-2011-1982
• Platform: Microsoft Office
• Title: Microsoft Office Remote Code Execution Vulnerabilities
• Description: Microsoft Office is exposed to multiple security issues. A remote code execution issue exists in the way Microsoft Office handles the loading of DLL files. A remote code execution vulnerability exists in the way Microsoft Office handles specially crafted Word files. Microsoft Office 2003, Microsoft Office 2007 and Microsoft Office 2010 are affected.
• Ref: http://technet.microsoft.com/en-us/security/bulletin/ms11-073

• 11.38.6 - CVE:CVE-2011-1989,CVE-2011-1990,CVE-2011-1988,CVE-2011-1987,CVE-2011-1986
• Platform: Microsoft Office
• Title: Microsoft Excel Remote Code Execution Vulnerabilities
• Description: Microsoft Excel is a spreadsheet application that is part of the Microsoft Office suite. Microsoft Excel is exposed to multiple remote code execution issues. See reference for further details. All supported editions of Microsoft Excel 2003, Microsoft Excel 2007, Microsoft Office 2007, Microsoft Excel 2010, Microsoft Office 2010, Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac, and Microsoft Office for Mac 2011; Open XML File Format Converter for Mac; and all supported versions of Microsoft Excel Viewer, Microsoft Office Compatibility Pack, Microsoft Excel Services installed on SharePoint Server 2007, Microsoft Excel Services installed on SharePoint Server 2010 and Microsoft Excel Web App 2010 are affected.
• Ref: http://technet.microsoft.com/en-us/security/bulletin/ms11-072

• 11.38.7 - CVE: CVE-2011-2595
• Platform: Third Party Windows Apps
• Title: ACDSee FotoSlate "id" Parameter "PLP" File Buffer Overflow
• Description: ACDSee Fotoslate is an application for managing photographs in a digital frame device. The application is exposed to a buffer overflow issue because it fails to perform adequate checks on user supplied input. Specifically, the application fails to handle excessively large amounts of data passed through the "id" parameter to the "<String>" or "<Int>" tag in a "PLP" file. ACDSee FotoSlate 4.0 Build 146 is vulnerable and other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/49558/discuss

• 11.38.8 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: ScadaTEC ModbusTagServer and ScadaPhone Remote Buffer Overflow
• Description: ScadaPhone is an alarm dialer for Windows platforms. ModbusTagServer is a tag server that collects data from multiple remote sites. The applications are exposed to a remote buffer overflow issue because they fail to perform adequate boundary checks on user-supplied data before copying it to an insufficiently sized buffer. Specifically, this issue occurs when loading a project from a zip file. ScadaTEC ScadaPhone version 5.3.11.1230 and prior and ScadaTEC ModbusTagServer version 4.1.1.81 and prior are affected.
• Ref: http://www.securityfocus.com/bid/49560/discuss

• 11.38.9 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: Wav Player ".pll" File Remote Buffer Overflow
• Description: Wav Player is a media player. The application is exposed to a remote buffer overflow issue because it fails to perform adequate bounds checks on user-supplied input. Specifically, this issue occurs while handling specially crafted ".pll" files. Wav Player version 1.1.3.6 is vulnerable and other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/49563/discuss

• 11.38.10 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: TwinCAT "TCATSysSrv.exe" Network Packet Denial of Service
• Description: TwinCAT is Windows control and automation software. The application is exposed to a denial of service issue. Specifically, the issue occurs because of an invalid read access error in "TCATSysSrv.exe" when the application processes certain malicious network packets. TwinCAT 2.11 R2 Build 2032 is vulnerable; other versions may also be affected.
• Ref: http://aluigi.altervista.org/adv/twincat_1-adv.txt

• 11.38.11 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: Movicon Multiple Heap-Based Buffer Overflow and Denial of Service Vulnerabilities
• Description: Movicon provides XML-based HMI development solutions. The application is exposed to multiple issues. A heap-based buffer overflow issue occurs because of an error when handling the "Content-Length" HTTP header. A heap-based buffer overflow issue occurs when handling specially crafted HTTP requests. A denial of service issue is caused by an error when handling web request containing "EIDP" content. Movicon 11.2 Build 1085 is vulnerable and other versions may also be affected.
• Ref: http://aluigi.altervista.org/adv/movicon_2-adv.txt http://aluigi.altervista.org/adv/movicon_3-adv.txt http://aluigi.altervista.org/adv/movicon_1-adv.txt

• 11.38.12 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: AzeoTech DAQFactory NETB Datagram Parsing Buffer Overflow
• Description: AzeoTech DAQFactory is data acquisition and control software. The application is exposed to a buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data. This issue occurs when handling a malformed NETB datagram sent to UDP port 20034. DAQFactory 5.85 build 1853.is vulnerable and other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/49606/references

• 11.38.13 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: RSLogix Remote Denial of Service
• Description: RSLogix 5000 is programming software. RSLogix is exposed to a denial of service issue caused by improper handling of 32 bit field size located in the "rna" packets in "RnaUtility.dll" file. RSLogix 5000 is vulnerable. Other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/49608/references

• 11.38.14 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: Cogent DataHub Buffer Overflow and Integer Overflow
• Description: Cogent DataHub is an application for the SCADA and automation sector. The application is exposed to a stack-based buffer overflow issue and an integer overflow issue because it fails to perform adequate boundary checks on user-supplied data. Cogent DataHub 7.1.1.63 is vulnerable; other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/49611/references

• 11.38.15 - CVE: Not Available
• Platform: Cross Platform
• Title: Wireshark Lua Script File Arbitrary Code Execution
• Description: Wireshark (formerly Ethereal) is an application for analyzing network traffic. The application is exposed to an issue that allows attackers to execute arbitrary code. The issue arises because the application loads an unspecified file in an insecure manner. Wireshark 1.6.0 to 1.6.1 and 1.4.0 to 1.4.8 are affected.
• Ref: http://www.wireshark.org/security/wnpa-sec-2011-15.html

• 11.38.16 - CVE: CVE-2011-3208
• Platform: Cross Platform
• Title: Cyrus IMAP Server "split_wildmats()" Remote Buffer Overflow
• Description: Cyrus IMAP Server is a mail server for Linux and Unix platforms. The application is exposed to a stack-based buffer overflow issue. Specifically, the issue occurs in the "split_wildmats()" function of the "imap/nntpd.c" source file when handling specially crafted NNTP commands. Cyrus IMAP Server versions prior to 2.3.17 and 2.4.11 are affected.
• Ref: http://www.securityfocus.com/bid/49534/discuss

• 11.38.17 - CVE: CVE-2011-3146
• Platform: Cross Platform
• Title: Librsvg SVG Images Remote Denial of Service
• Description: librsvg is a library for processing SVG image files. librsvg is exposed to a denial of service issue due to an error in the handling of node types. This issue occurs when the application handles maliciously crafted SVG images. Versions prior to librsvg 2.34.1 are affected.
• Ref: http://www.securityfocus.com/bid/49550/discuss

• 11.38.18 - CVE: CVE-2011-3384
• Platform: Cross Platform
• Title: Mozilla Firefox Sage Extension RSS Feeds HTML Injection
• Description: Sage is an RSS feed reader for Mozilla Firefox. The Sage extension for Mozilla Firefox is exposed to an HTML injection issue because the application fails sanitize user-supplied input passed to the RSS feed. Sage 1.3.10 and prior are affected.
• Ref: http://www.securityfocus.com/bid/49569/references

• 11.38.19 - CVE: Not Available
• Platform: Cross Platform
• Title: Django Multiple Security Vulnerabilities
• Description: Django is framework for developing web applications. The application is exposed to multiple issues. A security bypass issue occurs because of an error in handling sessions within "django.contrib.sessions". A denial of service issue occurs because the application fails to properly validate user-supplied input to the "URLField" field. An information disclosure issue occurs in the "URLField" field. A cache poisoning issue occurs when processing malformed "X-Forwarded-Host" HTTP header. Django versions 1.2.x prior to 1.2.7 are affected.
• Ref: http://www.securityfocus.com/bid/49573/references

• 11.38.20 - CVE: CVE-2011-2733
• Platform: Cross Platform
• Title: EMC Avamar Privilege Enforcement Security Bypass
• Description: EMC Amavar is a backup and recovery application. The application is exposed to a security bypass issue. This issue occurs because the application allows domain administrators or operators to restore data client data into a domain that they do not have access to. EMC Avamar version 4, 5.0 and 6.0 are affected.
• Ref: http://www.securityfocus.com/bid/49574/discuss

• 11.38.21 - CVE: Not Available
• Platform: Cross Platform
• Title: Google SketchUp ".DAE" File Memory Corruption
• Description: Google SketchUp is an application for creating, modifying, and sharing 3D models. The application is exposed to a remote memory corruption issue. Specifically, this issue occurs when the application parses specially crafted ".DAE" files. The issue exists in the configuration and transformation module, which handles the ".DAE" file import function. Google SketchUp 8 is vulnerable; other versions may also be affected.
• Ref: http://www.vulnerability-lab.com/get_content.php?id=99

• - CVE: CVE-2011-1353, CVE-2011-2431, CVE-2011-2432,CVE-2011-2433, CVE-2011-2434, CVE-2011-2435, CVE-2011-2436,CVE-2011-2437, CVE-2011-2438, CVE-2011-2439, CVE-2011-2440,CVE-2011-2441, CVE-2011-2442
• Platform: Cross Platform
• Title: Adobe Acrobat and Reader Multiple Vulnerabilities
• Description: Adobe Reader and Acrobat are applications for handling PDF files. The applications are exposed to multiple security issues. These issues could cause the application to crash and potentially allow an attacker to take control of the affected system. Adobe Reader X (10.1) and earlier 10.x versions, 9.4.5 and earlier 9.x versions, 8.3 and earlier 8.x versions, Adobe Acrobat X (10.1) and earlier 10.x versions, 9.4.5 and earlier 9.x versions, 8.3 and earlier 8.x versions are affected.
• Ref: http://www.adobe.com/support/security/bulletins/apsb11-24.html

• 11.38.23 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: IBM Tivoli Security Information and Event Manager Custom Reports Cross-Site Scripting
• Description: The IBM Tivoli Security Information and Event Manager is an application used for managing logs and monitoring for insider threat, audit and compliance initiatives. The application is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input. Specifically, the issue affects the "custom reports" component. IBM Tivoli Security Information and Event Manager 2.0 is affected.
• Ref: https://www-304.ibm.com/support/docview.wss?uid=swg1IV02459

• 11.38.24 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: FortiMail "module/admin.fe" Multiple Cross-Site Scripting Vulnerabilities
• Description: FortiMail is a messaging security application. The application is exposed to multiple cross-site scripting issues because it fails to properly sanitize user-supplied input submitted to the "name" and "password" parameters of the "module/admin.fe" script. FortiMail 4.0 build 0245,101208 is vulnerable; other versions may also be affected.
• Ref: http://www.securityfocus.com/archive/1/519621

• 11.38.25 - CVE: Not Available
• Platform: Web Application
• Title: Argus Surveillance DVR Multiple Cross-Site Scripting and HTML Injection Vulnerabilities
• Description: Argus Surveillance DVR is surveillance software that simultaneously captures images from video devices including capture cards, USB and IP cameras, TVboards and frame grabbers. The application is exposed to multiple cross-site scripting and HTML injection issues because it fails to properly sanitize user-supplied input before using it in dynamically generated content. Argus Surveillance DVR version 2.3 and 4.x are affected.
• Ref: http://www.vulnerability-lab.com/get_content.php?id=227

• 11.38.26 - CVE: Not Available
• Platform: Web Application
• Title: PHP Support Tickets "page" Parameter Remote PHP Code Execution
• Description: PHP Support Tickets is a helpdesk application implemented in PHP. The application is exposed to an issue because it fails to sanitize user-supplied input before using it in an "eval()" function call. PHP Support Tickets 2.2 is vulnerable; other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/49567/references

• 11.38.27 - CVE: Not Available
• Platform: Hardware
• Title: FortiAnalyzer Cross-Site Scripting and HTML Injection Vulnerabilities
• Description: FortiAnalyzer is a network logging, analysis, and reporting appliance. The appliance is exposed to multiple issues. A cross-site scripting issue affects the "Edit Device Group" field. An HTML injection issue affects the "Filter Value" on Log Access IPS Attack. FortiAnalyzer-4000A, FortiAnalyzer-2000B, FortiAnalyzer-1000C, FortiAnalyzer-400B and FortiAnalyzer-100C are affected.
• Ref: http://www.vulnerability-lab.com/get_content.php?id=145

(c) 2011. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account