@RISK: The Consensus Security Vulnerability Alert

Volume: X, Issue: 33
September 15, 2011

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    • Category
    • # of Updates & Vulnerabilities
    • Summary of Updates and Vulnerabilities in this Consensus
    • Platform Number of Updates and Vulnerabilities
    • - ------------------------ -------------------------------------
    • Windows
    • 3 (#1)
    • Microsoft Office
    • 3
    • Third Party Windows Apps
    • 8 (#3)
    • Cross Platform
    • 8 (#2)
    • Web Application - Cross Site Scripting
    • 2
    • Web Application
    • 2
    • Hardware
    • 1

************************* Sponsored By IBM *******************************

SANS Analyst Webcast September 29, 1 PM EST: Integrating Security into Development Cycles, No Pain Required, featuring Senior SANS Analyst Dave Shackleford and IBM Rational's Karl Snyder.

Go to: http://www.sans.org/info/87034 ************************************************************************** TRAINING UPDATE -- SANS Network Security 2011, Las Vegas, NV, September 17-26, 2011 45 courses. Bonus evening presentations include Securing the Kids; Who is Watching the Watchers?; and Emerging Trends in the Law of Information Security and Investigations http://www.sans.org/network-security-2011/ -- The National Security Architecture Workshop, DC, Sept. 29-30,2011 2-day workshop discussing techniques to ensure security is considered in every step of the development life cycle, http://www.sans.org/baking-security-applications-networks-2011/ -- NCIC: The National Cybersecurity Innovations Conference, DC, Oct. 11-12, 2011 3 tracks - Cloud computing, Continuous Monitoring and Enterprise Mobile Security training http://www.sans.org/ncic-2011/ --SANS Chicago 2011, Chicago, IL, October 23-28, 2011 6 courses. Bonus evening presentations include Computer Forensics in the Virtual Realm and Electrical Grid Security http://www.sans.org/chicago-2011/ --SANS Seattle 2011, Seattle, WA, November 2-7, 2011 5 courses. Bonus evening presentations include Future Trends in Network Security; and Ninja Developers: Penetration Testing and Your SDLC http://www.sans.org/seattle-2011/ --SANS San Francisco 2011, San Francisco, CA, November 14-19, 2011 6 courses. Bonus evening presentations include The Worst Mistakes in Cloud Computing Security; Offensive Countermeasures; and Watching the Wire at Home http://www.sans.org/san-francisco-2011/ --EURO SCADA & Process Control System Security Summit, Rome, Dec 1-2, 2011 Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them. http://www.sans.org/eu-scada-2011/ --SANS San Antonio 2011, San Antonia, TX, November 28-December 5, 2011 7 courses. Bonus evening presentations include Effective Methods for Implementing the 20 Critical Security Controls; and Assessing Deception: Are They Lying to You? http://www.sans.org/san-antonio-2011/ --Looking for training in your own community? http:sans.org/community/ Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/discounts.php#current Plus London, Baltimore, Singapore, Seoul and Rome all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

****************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Windows
Microsoft Office
Third Party Windows Apps
Cross Platform
Web Application - Cross Site Scripting
Web Application
Hardware

*************************** Sponsored Links: *******************************

1) Whitepapers on Critical IT Security Gaps, Securing Configuration Ports and Baseline Configuration Management, Available from TDi Technologies. http://www.sans.org/info/87039

2) Be entered in a drawing to WIN a $100 American Express gift card. Please take five minutes to help us improve the type and quality of Vendor Programs at SANS Conferences. http://www.sans.org/info/87044 ****************************************************************************

PART I Critical Vulnerabilities

PART I Critical Vulnerabilities Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/risk/#process

*************************************************************

Widely Deployed Software
  • (3) MEDIUM: ScadaTEC SCADAPhone and ModbusTagServer Buffer Overflow Vulnerability
  • Affected:
    • Current Versions of ScadaTEC SCADAPhone
    • Current Versions of ScadaTEC MobusTagServer
  • Description: ScadaTEC SCADAPhone and MobusTagServer are reportedly susceptible to a buffer overflow vulnerability. A public exploit has been made available for this vulnerability as a Metasploit module, but ScadaTEC has not yet confirmed the existence of the vulnerability. The SCADAPhone software is used in industrial settings to send alarms to operators via phone. ModbusTagServer is an OPC (Open Process Control) server. It is not immediately clear whether these vulnerabilities affect the client or server side of these products. By enticing a target to open a malicious zip file with the vulnerable software, an attacker can exploit this vulnerability in order to execute arbitrary code on the target's machine.

  • Status: vendor not confirmed, updates not available

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 33, 2011

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com) This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 12306 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely. ______________________________________________________________________


  • 11.38.1 - CVE: Not Available
  • Platform: Windows
  • Title: Microsoft Windows stdout/stdin Local Denial of Service
  • Description: Microsoft Windows is exposed to a local denial of service issue. The issue occurs when an attacker closes the "stdout" and "stderr" standard output streams and reads from the "stdin" standard input stream. Successful exploits will result in an access violation error in the CSRSS process. Microsoft Windows Server 2008 R1 is affected.
  • Ref: http://www.securityfocus.com/bid/49489/references

  • 11.38.2 - CVE: CVE-2011-1984
  • Platform: Windows
  • Title: Microsoft Windows WINS Server Elevation of Privilege
  • Description: Windows Internet Naming Service (WINS) is a protocol used to support NetBIOS over TCP/IP and to locate network resources such as computers and printers. Microsoft Windows WINS server is exposed to a local privilege escalation issue that may be triggered by malicious WINS network packets. Windows Server 2003, Windows Server 2008 (except Itanium), and Windows Server 2008 R2 (except Itanium), on which WINS is installed are affected.
  • Ref: http://technet.microsoft.com/en-us/security/bulletin/ms11-070

  • 11.38.3 - CVE: CVE-2011-1991
  • Platform: Windows
  • Title: Windows Components Remote Code Execution
  • Description: Multiple Microsoft products are exposed to an issue that lets attackers execute arbitrary code. The issue arises because the applications search for Dynamic Link Library (DLL) files in the current working directory through relative paths. All supported releases of Microsoft Windows are affected.
  • Ref: http://technet.microsoft.com/en-us/security/bulletin/ms11-071

  • 11.38.4 - CVE:CVE-2011-1252,CVE-2011-0653,CVE-2011-1890,CVE-2011-1891,CVE-2011-1892CVE-2011-1893
  • Platform: Microsoft Office
  • Title: Microsoft SharePoint Multiple Vulnerabilities
  • Description: Microsoft SharePoint is an integrated server application providing content management and search capabilities. The application is exposed to multiple issues because it fails to properly sanitize user supplied input. See reference for further details. Microsoft Office Groove 2007, Microsoft SharePoint Workspace 2010, Microsoft Office Forms Server 2007, Microsoft Office SharePoint Server 2007, Microsoft Office SharePoint Server 2010, Microsoft Office Groove Data Bridge Server 2007, Microsoft Office Groove Management Server 2007, Microsoft Groove Server 2010, Microsoft SharePoint Services 2.0, Microsoft SharePoint Services 3.0, Microsoft SharePoint Foundation 2010, Microsoft Office Web Apps 2010, and Microsoft Word Web App 2010 are affected.
  • Ref: http://technet.microsoft.com/en-us/security/bulletin/ms11-074

  • 11.38.5 - CVE: CVE-2011-1980,CVE-2011-1982
  • Platform: Microsoft Office
  • Title: Microsoft Office Remote Code Execution Vulnerabilities
  • Description: Microsoft Office is exposed to multiple security issues. A remote code execution issue exists in the way Microsoft Office handles the loading of DLL files. A remote code execution vulnerability exists in the way Microsoft Office handles specially crafted Word files. Microsoft Office 2003, Microsoft Office 2007 and Microsoft Office 2010 are affected.
  • Ref: http://technet.microsoft.com/en-us/security/bulletin/ms11-073

  • 11.38.6 - CVE:CVE-2011-1989,CVE-2011-1990,CVE-2011-1988,CVE-2011-1987,CVE-2011-1986
  • Platform: Microsoft Office
  • Title: Microsoft Excel Remote Code Execution Vulnerabilities
  • Description: Microsoft Excel is a spreadsheet application that is part of the Microsoft Office suite. Microsoft Excel is exposed to multiple remote code execution issues. See reference for further details. All supported editions of Microsoft Excel 2003, Microsoft Excel 2007, Microsoft Office 2007, Microsoft Excel 2010, Microsoft Office 2010, Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac, and Microsoft Office for Mac 2011; Open XML File Format Converter for Mac; and all supported versions of Microsoft Excel Viewer, Microsoft Office Compatibility Pack, Microsoft Excel Services installed on SharePoint Server 2007, Microsoft Excel Services installed on SharePoint Server 2010 and Microsoft Excel Web App 2010 are affected.
  • Ref: http://technet.microsoft.com/en-us/security/bulletin/ms11-072

  • 11.38.7 - CVE: CVE-2011-2595
  • Platform: Third Party Windows Apps
  • Title: ACDSee FotoSlate "id" Parameter "PLP" File Buffer Overflow
  • Description: ACDSee Fotoslate is an application for managing photographs in a digital frame device. The application is exposed to a buffer overflow issue because it fails to perform adequate checks on user supplied input. Specifically, the application fails to handle excessively large amounts of data passed through the "id" parameter to the "<String>" or "<Int>" tag in a "PLP" file. ACDSee FotoSlate 4.0 Build 146 is vulnerable and other versions may also be affected.
  • Ref: http://www.securityfocus.com/bid/49558/discuss

  • 11.38.8 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: ScadaTEC ModbusTagServer and ScadaPhone Remote Buffer Overflow
  • Description: ScadaPhone is an alarm dialer for Windows platforms. ModbusTagServer is a tag server that collects data from multiple remote sites. The applications are exposed to a remote buffer overflow issue because they fail to perform adequate boundary checks on user-supplied data before copying it to an insufficiently sized buffer. Specifically, this issue occurs when loading a project from a zip file. ScadaTEC ScadaPhone version 5.3.11.1230 and prior and ScadaTEC ModbusTagServer version 4.1.1.81 and prior are affected.
  • Ref: http://www.securityfocus.com/bid/49560/discuss

  • 11.38.9 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Wav Player ".pll" File Remote Buffer Overflow
  • Description: Wav Player is a media player. The application is exposed to a remote buffer overflow issue because it fails to perform adequate bounds checks on user-supplied input. Specifically, this issue occurs while handling specially crafted ".pll" files. Wav Player version 1.1.3.6 is vulnerable and other versions may also be affected.
  • Ref: http://www.securityfocus.com/bid/49563/discuss

  • 11.38.10 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: TwinCAT "TCATSysSrv.exe" Network Packet Denial of Service
  • Description: TwinCAT is Windows control and automation software. The application is exposed to a denial of service issue. Specifically, the issue occurs because of an invalid read access error in "TCATSysSrv.exe" when the application processes certain malicious network packets. TwinCAT 2.11 R2 Build 2032 is vulnerable; other versions may also be affected.
  • Ref: http://aluigi.altervista.org/adv/twincat_1-adv.txt

  • 11.38.11 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Movicon Multiple Heap-Based Buffer Overflow and Denial of Service Vulnerabilities
  • Description: Movicon provides XML-based HMI development solutions. The application is exposed to multiple issues. A heap-based buffer overflow issue occurs because of an error when handling the "Content-Length" HTTP header. A heap-based buffer overflow issue occurs when handling specially crafted HTTP requests. A denial of service issue is caused by an error when handling web request containing "EIDP" content. Movicon 11.2 Build 1085 is vulnerable and other versions may also be affected.
  • Ref: http://aluigi.altervista.org/adv/movicon_2-adv.txt http://aluigi.altervista.org/adv/movicon_3-adv.txt http://aluigi.altervista.org/adv/movicon_1-adv.txt

  • 11.38.12 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: AzeoTech DAQFactory NETB Datagram Parsing Buffer Overflow
  • Description: AzeoTech DAQFactory is data acquisition and control software. The application is exposed to a buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data. This issue occurs when handling a malformed NETB datagram sent to UDP port 20034. DAQFactory 5.85 build 1853.is vulnerable and other versions may also be affected.
  • Ref: http://www.securityfocus.com/bid/49606/references

  • 11.38.13 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: RSLogix Remote Denial of Service
  • Description: RSLogix 5000 is programming software. RSLogix is exposed to a denial of service issue caused by improper handling of 32 bit field size located in the "rna" packets in "RnaUtility.dll" file. RSLogix 5000 is vulnerable. Other versions may also be affected.
  • Ref: http://www.securityfocus.com/bid/49608/references

  • 11.38.14 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Cogent DataHub Buffer Overflow and Integer Overflow
  • Description: Cogent DataHub is an application for the SCADA and automation sector. The application is exposed to a stack-based buffer overflow issue and an integer overflow issue because it fails to perform adequate boundary checks on user-supplied data. Cogent DataHub 7.1.1.63 is vulnerable; other versions may also be affected.
  • Ref: http://www.securityfocus.com/bid/49611/references

  • 11.38.15 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Wireshark Lua Script File Arbitrary Code Execution
  • Description: Wireshark (formerly Ethereal) is an application for analyzing network traffic. The application is exposed to an issue that allows attackers to execute arbitrary code. The issue arises because the application loads an unspecified file in an insecure manner. Wireshark 1.6.0 to 1.6.1 and 1.4.0 to 1.4.8 are affected.
  • Ref: http://www.wireshark.org/security/wnpa-sec-2011-15.html

  • 11.38.16 - CVE: CVE-2011-3208
  • Platform: Cross Platform
  • Title: Cyrus IMAP Server "split_wildmats()" Remote Buffer Overflow
  • Description: Cyrus IMAP Server is a mail server for Linux and Unix platforms. The application is exposed to a stack-based buffer overflow issue. Specifically, the issue occurs in the "split_wildmats()" function of the "imap/nntpd.c" source file when handling specially crafted NNTP commands. Cyrus IMAP Server versions prior to 2.3.17 and 2.4.11 are affected.
  • Ref: http://www.securityfocus.com/bid/49534/discuss

  • 11.38.17 - CVE: CVE-2011-3146
  • Platform: Cross Platform
  • Title: Librsvg SVG Images Remote Denial of Service
  • Description: librsvg is a library for processing SVG image files. librsvg is exposed to a denial of service issue due to an error in the handling of node types. This issue occurs when the application handles maliciously crafted SVG images. Versions prior to librsvg 2.34.1 are affected.
  • Ref: http://www.securityfocus.com/bid/49550/discuss

  • 11.38.18 - CVE: CVE-2011-3384
  • Platform: Cross Platform
  • Title: Mozilla Firefox Sage Extension RSS Feeds HTML Injection
  • Description: Sage is an RSS feed reader for Mozilla Firefox. The Sage extension for Mozilla Firefox is exposed to an HTML injection issue because the application fails sanitize user-supplied input passed to the RSS feed. Sage 1.3.10 and prior are affected.
  • Ref: http://www.securityfocus.com/bid/49569/references

  • 11.38.19 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Django Multiple Security Vulnerabilities
  • Description: Django is framework for developing web applications. The application is exposed to multiple issues. A security bypass issue occurs because of an error in handling sessions within "django.contrib.sessions". A denial of service issue occurs because the application fails to properly validate user-supplied input to the "URLField" field. An information disclosure issue occurs in the "URLField" field. A cache poisoning issue occurs when processing malformed "X-Forwarded-Host" HTTP header. Django versions 1.2.x prior to 1.2.7 are affected.
  • Ref: http://www.securityfocus.com/bid/49573/references

  • 11.38.20 - CVE: CVE-2011-2733
  • Platform: Cross Platform
  • Title: EMC Avamar Privilege Enforcement Security Bypass
  • Description: EMC Amavar is a backup and recovery application. The application is exposed to a security bypass issue. This issue occurs because the application allows domain administrators or operators to restore data client data into a domain that they do not have access to. EMC Avamar version 4, 5.0 and 6.0 are affected.
  • Ref: http://www.securityfocus.com/bid/49574/discuss

  • 11.38.21 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Google SketchUp ".DAE" File Memory Corruption
  • Description: Google SketchUp is an application for creating, modifying, and sharing 3D models. The application is exposed to a remote memory corruption issue. Specifically, this issue occurs when the application parses specially crafted ".DAE" files. The issue exists in the configuration and transformation module, which handles the ".DAE" file import function. Google SketchUp 8 is vulnerable; other versions may also be affected.
  • Ref: http://www.vulnerability-lab.com/get_content.php?id=99

  • - CVE: CVE-2011-1353, CVE-2011-2431, CVE-2011-2432,CVE-2011-2433, CVE-2011-2434, CVE-2011-2435, CVE-2011-2436,CVE-2011-2437, CVE-2011-2438, CVE-2011-2439, CVE-2011-2440,CVE-2011-2441, CVE-2011-2442
  • Platform: Cross Platform
  • Title: Adobe Acrobat and Reader Multiple Vulnerabilities
  • Description: Adobe Reader and Acrobat are applications for handling PDF files. The applications are exposed to multiple security issues. These issues could cause the application to crash and potentially allow an attacker to take control of the affected system. Adobe Reader X (10.1) and earlier 10.x versions, 9.4.5 and earlier 9.x versions, 8.3 and earlier 8.x versions, Adobe Acrobat X (10.1) and earlier 10.x versions, 9.4.5 and earlier 9.x versions, 8.3 and earlier 8.x versions are affected.
  • Ref: http://www.adobe.com/support/security/bulletins/apsb11-24.html

  • 11.38.23 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: IBM Tivoli Security Information and Event Manager Custom Reports Cross-Site Scripting
  • Description: The IBM Tivoli Security Information and Event Manager is an application used for managing logs and monitoring for insider threat, audit and compliance initiatives. The application is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input. Specifically, the issue affects the "custom reports" component. IBM Tivoli Security Information and Event Manager 2.0 is affected.
  • Ref: https://www-304.ibm.com/support/docview.wss?uid=swg1IV02459

  • 11.38.24 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: FortiMail "module/admin.fe" Multiple Cross-Site Scripting Vulnerabilities
  • Description: FortiMail is a messaging security application. The application is exposed to multiple cross-site scripting issues because it fails to properly sanitize user-supplied input submitted to the "name" and "password" parameters of the "module/admin.fe" script. FortiMail 4.0 build 0245,101208 is vulnerable; other versions may also be affected.
  • Ref: http://www.securityfocus.com/archive/1/519621

  • 11.38.25 - CVE: Not Available
  • Platform: Web Application
  • Title: Argus Surveillance DVR Multiple Cross-Site Scripting and HTML Injection Vulnerabilities
  • Description: Argus Surveillance DVR is surveillance software that simultaneously captures images from video devices including capture cards, USB and IP cameras, TVboards and frame grabbers. The application is exposed to multiple cross-site scripting and HTML injection issues because it fails to properly sanitize user-supplied input before using it in dynamically generated content. Argus Surveillance DVR version 2.3 and 4.x are affected.
  • Ref: http://www.vulnerability-lab.com/get_content.php?id=227

  • 11.38.26 - CVE: Not Available
  • Platform: Web Application
  • Title: PHP Support Tickets "page" Parameter Remote PHP Code Execution
  • Description: PHP Support Tickets is a helpdesk application implemented in PHP. The application is exposed to an issue because it fails to sanitize user-supplied input before using it in an "eval()" function call. PHP Support Tickets 2.2 is vulnerable; other versions may also be affected.
  • Ref: http://www.securityfocus.com/bid/49567/references

  • 11.38.27 - CVE: Not Available
  • Platform: Hardware
  • Title: FortiAnalyzer Cross-Site Scripting and HTML Injection Vulnerabilities
  • Description: FortiAnalyzer is a network logging, analysis, and reporting appliance. The appliance is exposed to multiple issues. A cross-site scripting issue affects the "Edit Device Group" field. An HTML injection issue affects the "Filter Value" on Log Access IPS Attack. FortiAnalyzer-4000A, FortiAnalyzer-2000B, FortiAnalyzer-1000C, FortiAnalyzer-400B and FortiAnalyzer-100C are affected.
  • Ref: http://www.vulnerability-lab.com/get_content.php?id=145

(c) 2011. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account