@RISK: The Consensus Security Vulnerability Alert

Volume: X, Issue: 34
September 25, 2011

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

Summary of Updates and Vulnerabilities in this Consensus

    Platform                                 Number of Updates and Vulnerabilities
    ---------------------------------------  -------------------------------------
    Third Party Windows Apps                 4
    Linux                                    1
    Cross Platform                           7 (#1, #2)
    Web Application - Cross Site Scripting   6
    Web Application                          6
    Network Device                           1
    Hardware                                 2

*************************** Sponsored By iViZ ***************************

IN CASE YOU MISSED IT!... SANS Special Webcast: 5 Massive Web Security Breaches - the Companies, Vulnerabilities, Attacks and Fallout Effects.

Go to http://www.sans.org/info/87314 to view in the SANS Webcast Archives.

**************************************************************************

TRAINING UPDATE

-- The National Security Architecture Workshop, DC, Sept. 29-30, 2011
   2-day workshop discussing techniques to ensure security is considered in every step of the development life cycle.
   http://www.sans.org/baking-security-applications-networks-2011/

-- NCIC: The National Cybersecurity Innovations Conference, DC, Oct. 11-12, 2011
   3 tracks - Cloud computing, Continuous Monitoring and Enterprise Mobile Security training.
   http://www.sans.org/ncic-2011/

-- SANS Chicago 2011, Chicago, IL, October 23-28, 2011
   6 courses. Bonus evening presentations include Computer Forensics in the Virtual Realm and Electrical Grid Security.
   http://www.sans.org/chicago-2011/

-- SANS Seattle 2011, Seattle, WA, November 2-7, 2011
   5 courses. Bonus evening presentations include Future Trends in Network Security; and Ninja Developers: Penetration Testing and Your SDLC.
   http://www.sans.org/seattle-2011/

-- SANS San Francisco 2011, San Francisco, CA, November 14-19, 2011
   6 courses. Bonus evening presentations include The Worst Mistakes in Cloud Computing Security; Offensive Countermeasures; and Watching the Wire at Home.
   http://www.sans.org/san-francisco-2011/

-- EURO SCADA & Process Control System Security Summit, Rome, Dec 1-2, 2011
   Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them.
   http://www.sans.org/eu-scada-2011/

-- SANS San Antonio 2011, San Antonio, TX, November 28-December 5, 2011
   7 courses. Bonus evening presentations include Effective Methods for Implementing the 20 Critical Security Controls; and Assessing Deception: Are They Lying to You?
   http://www.sans.org/san-antonio-2011/

-- SANS London 2011, London, UK, December 3-12, 2011
   16 courses. Bonus evening presentations include IPv6 Challenges for Intrusion Detection and Understanding How Attackers Bypass Network and Content Restrictions.
   http://www.sans.org/london-2011/

-- SANS CDI 2011, Washington, DC, December 9-16, 2011
   26 courses. Bonus evening presentations include Emerging Trends in Data Law and Investigations, and Critical Infrastructure Control Systems Cybersecurity.
   http://www.sans.org/cyber-defense-initiative-2011/

-- Looking for training in your own community? http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/discounts.php#current

Plus Baltimore, Singapore, Seoul and Rome all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

****************************************************************************

Table Of Contents

Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
    Third Party Windows Apps
    Linux
    Cross Platform
    Web Application - Cross Site Scripting
    Web Application
    Network Device
    Hardware

***************************** Sponsored Link: *******************************

1) Nasuni Live Webcast - Cloud Storage Survey Results: Tackling Security & Control Concerns http://www.sans.org/info/87319

****************************************************************************

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/risk/#process

    *************************************************************

Widely Deployed Software

    • (1) HIGH: Google Chrome Multiple Security Vulnerabilities
    • Affected: Google Chrome prior to 14.0.835.163
    • Description: Google has released patches for multiple security vulnerabilities affecting its Chrome web browser. The vulnerabilities include fifteen vulnerabilities rated "High," including unintended access to v8 built-in objects and other unspecified problems with v8 objects; a race condition; use-after-free vulnerabilities in event handling, the document loader, the focus controller, and table style handling; a stale pointer problem in stylesheet handling; and a double free in libxml XPath handling. By enticing a target to view a malicious page, an attacker can exploit these vulnerabilities in order to execute arbitrary code on a target's machine.
    • Status: vendor confirmed, updates available
    • References:

    • (2) HIGH: IBM Lotus Domino Stack Buffer Overflow
    • Affected: IBM Lotus Domino prior to 8.5.2 FP2 release
    • Description: IBM has released a patch for a buffer overflow vulnerability affecting its Lotus Domino web administration console. Lotus Domino is a business collaboration enterprise software product. By sending a malicious request to the WebAdmin.nsf module, an authenticated attacker can exploit this vulnerability in order to execute arbitrary code on the target's machine. Exploit code is publicly available for this vulnerability.
    • Status: vendor confirmed, updates available
    • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 34, 2011

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 12350 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.

______________________________________________________________________


    • 11.39.1 - CVE: Not Available
    • Platform: Third Party Windows Apps
    • Title: Measuresoft ScadaPro Multiple Security Vulnerabilities
    • Description: Measuresoft ScadaPro is a SCADA application used for data acquisition. The application is exposed to multiple issues. 1) Multiple stack-based buffer overflow issues occur in the "service.exe" service, which listens by default on TCP port 11234, when copying an overly long full path string into a fixed-size buffer. These issues occur when handling almost all of the supported commands (such as "TF") that are processed by the "sscanf" and in-line "strcpy" functions. 2) Multiple directory traversal issues exist because the application fails to properly sanitize user-supplied input submitted through the "RF" and "WF" commands. 3) Multiple remote command execution issues occur because the application fails to sufficiently sanitize user-supplied input submitted to the parameters of the "BF", "OF", "EF", and "XF" commands. Measuresoft ScadaPro versions 4.0.0 and earlier are affected.
    • Ref: http://aluigi.altervista.org/adv/scadapro_1-adv.txt

    • 11.39.2 - CVE: Not Available
    • Platform: Third Party Windows Apps
    • Title: DivX Plus Web Player "file://" URL Stack Buffer Overflow
    • Description: DivX Plus Web Player is an application for playing videos in a browser. The application is exposed to a remote stack-based buffer overflow issue due to a failure to properly bounds-check user-supplied data. The problem occurs when processing an overly long "file://" URL in a specially crafted webpage. DivX Plus Web Player 2.1.2.265 is affected.
    • Ref: http://www.securityfocus.com/bid/49647/discuss

    • 11.39.3 - CVE: Not Available
    • Platform: Third Party Windows Apps
    • Title: MetaServer RT Multiple Remote Denial of Service Vulnerabilities
    • Description: MetaServer RT is real-time data processing and calculation software. The application is exposed to multiple denial of service issues. 1) A denial of service issue occurs due to a heap overflow when processing multiple specially crafted packets. 2) A denial of service issue occurs due to an invalid memory read when processing a specially crafted packet sent to port 2194. MetaServer RT versions 3.2.1.450 and earlier are affected.
    • Ref: http://aluigi.altervista.org/adv/metaserver_1-adv.txt

    • 11.39.4 - CVE: Not Available
    • Platform: Third Party Windows Apps
    • Title: EViews Multiple Memory Corruption Vulnerabilities
    • Description: EViews is an application used for econometric and statistical analysis. The application is exposed to multiple memory corruption issues. 1) A heap-based buffer overflow issue occurs while handling subroutine declarations and can be exploited via specially crafted "PRG" files. 2) A memory corruption issue occurs when allocating memory for arrays used in "WF1" files. EViews versions 7.0.0.1 and earlier are affected.
    • Ref: http://aluigi.altervista.org/adv/eviews_1-adv.txt

    • 11.39.5 - CVE: CVE-2011-3344, CVE-2011-2927, CVE-2011-2920, CVE-2011-2919
    • Platform: Linux
    • Title: Red Hat Network Satellite Server Multiple Cross-Site Scripting Vulnerabilities
    • Description: Red Hat Network Satellite Server is a server application that allows users to perform Red Hat Network updates on computers that are not directly attached to the internet. The Satellite Server acts as a proxy, downloading updates and serving them to client computers. The application is exposed to multiple issues because it fails to sufficiently sanitize user-supplied input. Red Hat Network Satellite Server version 5.4 is affected.
    • Ref: http://rhn.redhat.com/errata/RHSA-2011-1299.html

    • 11.39.6 - CVE: Not Available
    • Platform: Cross Platform
    • Title: EtherApe "get_rpc()" NULL Pointer Dereference Denial Of Service
    • Description: EtherApe is an application for analyzing network traffic. The application is exposed to a remote denial of service issue caused by a NULL pointer dereference error. Specifically, the issue occurs in the "get_rpc()" function of the "decode_proto.c" source file. EtherApe versions prior to 0.9.12 are affected.
    • Ref: http://sourceforge.net/tracker/?func=detail&aid=3309061&group_id=2712&atid=102712

    • 11.39.7 - CVE: CVE-2011-3348
    • Platform: Cross Platform
    • Title: Apache HTTP Server Denial Of Service
    • Description: Apache HTTP Server is exposed to a denial of service issue due to an error in "mod_proxy_ajp" when used together with "mod_proxy_balancer". Specifically, this issue occurs when processing malformed HTTP requests, which results in a temporary denial of service by putting a backend server into an error state until the retry timeout expires. Apache versions prior to 2.2.21 are affected.
    • Ref: http://httpd.apache.org/security/vulnerabilities_22.html#2.2.21

    • 11.39.8 - CVE: CVE-2011-3424, CVE-2011-3423
    • Platform: Cross Platform
    • Title: TIBCO Managed File Transfer Products Session Fixation and Cross-Site Scripting Vulnerabilities
    • Description: TIBCO Managed File Transfer products are business-grade applications used for exchanging files. The products are exposed to multiple issues. 1) An unspecified cross-site scripting issue occurs because the application fails to sufficiently sanitize user-supplied data. 2) An unspecified session fixation issue occurs when handling sessions. TIBCO Managed File Transfer Internet Server 7.1.0 and earlier, TIBCO Managed File Transfer Command Center 7.1.0 and earlier, TIBCO Slingshot versions 1.8.0 and earlier are affected.
    • Ref: http://www.securityfocus.com/bid/49619/references

    • 11.39.9 - CVE: Not Available
    • Platform: Cross Platform
    • Title: SAP WebAS Malicious SAP Shortcut Generation Remote Command Injection
    • Description: SAP Web Application Server is a web server component included in SAP Kernel. The application is exposed to a remote command injection issue. This issue occurs because the application fails to sanitize user-supplied input passed to the SHORTCUT ICF service. SAP Web Application Server version 7.0 is affected.
    • Ref: http://www.securityfocus.com/bid/49642/discuss

    • 11.39.10 - CVE: CVE-2011-3234, CVE-2011-2874, CVE-2011-2864, CVE-2011-2862, CVE-2011-2861, CVE-2011-2860, CVE-2011-2859, CVE-2011-2858, CVE-2011-2857, CVE-2011-2856, CVE-2011-2855, CVE-2011-2854, CVE-2011-2853, CVE-2011-2852, CVE-2011-2851, CVE-2011-2849, CVE-2011-2848, CVE-2011-2847
    • Platform: Cross Platform
    • Title: Google Chrome Prior to 14.0.835.163 Multiple Security Vulnerabilities
    • Description: Google Chrome is a Web browser that is available for multiple platforms. The application is exposed to multiple security issues. See reference for further details. Chrome versions prior to
    • Ref: http://www.securityfocus.com/bid/49658/discuss

    • 11.39.11 - CVE: CVE-2011-3481
    • Platform: Cross Platform
    • Title: Cyrus IMAP Server "index_get_ids()" NULL Pointer Dereference Denial Of Service
    • Description: Cyrus IMAP Server is a mail server for Linux and Unix platforms. The application is exposed to a remote denial of service issue caused by a NULL-pointer dereference error. Specifically, this issue affects the "index_get_ids()" function of the "index.c" source file in the "imapd" daemon. Versions prior to Cyrus IMAP Server 2.4.11 are affected.
    • Ref: http://www.securityfocus.com/bid/49659/references

    • 11.39.12 - CVE: CVE-2011-3575, CVE-2011-3576
    • Platform: Cross Platform
    • Title: IBM Lotus Domino Remote Stack Buffer Overflow and Cross-Site Scripting
    • Description: IBM Lotus Domino is a client/server product designed for collaborative working environments. The application is exposed to a remote stack-based buffer overflow issue and a cross-site scripting issue because it fails to perform adequate boundary checks on user-supplied input. Lotus Domino version 8.5.2 is affected.
    • Ref: http://xforce.iss.net/xforce/xfdb/69802

    • 11.39.13 - CVE: Not Available
    • Platform: Web Application - Cross Site Scripting
    • Title: Orion Network Performance Monitor "CustomChart.aspx" Cross-Site Scripting
    • Description: Orion Network Performance Monitor is a Web-based application for detecting, diagnosing, and resolving network problems. Orion Network Performance Monitor is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied input submitted to the "Title" parameter of the "CustomChart.aspx" script. Orion Network Performance Monitor version 10.1.3 is affected.
    • Ref: http://seclists.org/fulldisclosure/2011/Sep/107

    • 11.39.14 - CVE: Not Available
    • Platform: Web Application - Cross Site Scripting
    • Title: SAP Crystal Report Server 2008 "pubDBLogon.jsp" Cross-Site Scripting
    • Description: SAP Crystal Report Server 2008 is an application used to design interactive reports. The application is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied input submitted to the "service" parameter of the "pubDBLogon.jsp" file. SAP Crystal Report Server 2008 is affected.
    • Ref: http://dsecrg.com/pages/vul/show.php?id=333

    • 11.39.15 - CVE: CVE-2011-2672
    • Platform: Web Application - Cross Site Scripting
    • Title: SemanticScuttle "address" Parameter Cross-Site Scripting
    • Description: SemanticScuttle is a social-bookmarking application written in PHP. The application is exposed to a cross-site scripting issue because it fails to sanitize user-supplied input to the "address" parameter of the "bookmarks.php" script. SemanticScuttle version 0.97.2 is affected.
    • Ref: http://jvn.jp/en/jp/JVN28973089/index.html

    • 11.39.16 - CVE: Not Available
    • Platform: Web Application - Cross Site Scripting
    • Title: Gerry GuestBook Cross-Site Scripting
    • Description: Gerry GuestBook is a Web application implemented in PHP. The application is exposed to a cross-site scripting issue because it fails to sanitize user-supplied input submitted to the "gbText" parameter of the "guestbook.php" script. Gerry GuestBook version 1.21 is affected.
    • Ref: http://www.securityfocus.com/bid/49694/discuss

    • 11.39.17 - CVE: Not Available
    • Platform: Web Application - Cross Site Scripting
    • Title: Pligg CMS Multiple Cross-Site Scripting Vulnerabilities
    • Description: Pligg CMS is a PHP-based content management system. The application is exposed to multiple cross-site scripting issues because it fails to properly sanitize user-supplied input. Pligg CMS versions 1.1.5 and 1.1.4 are affected.
    • Ref: http://www.securityfocus.com/bid/49700/discuss

    • 11.39.18 - CVE: Not Available
    • Platform: Web Application - Cross Site Scripting
    • Title: Gerd Tentler Simple Forum "sfText" Parameter Cross-Site Scripting
    • Description: Gerd Tentler Simple Forum is Web-based forum software implemented in PHP. The application is exposed to a cross-site scripting issue because it fails to sanitize user-supplied input submitted to the "sfText" POST parameter of the "forum.php" script. Gerd Tentler Simple Forum 3.11 is affected.
    • Ref: http://www.securityfocus.com/bid/49699/discuss

    • 11.39.19 - CVE: CVE-2011-1913
    • Platform: Web Application
    • Title: Mercator Sentinel SQL Injection
    • Description: Sentinel is a flight safety management system. The application is exposed to a SQL injection issue because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. Specifically, the issue affects the "login" form and allows attackers to bypass authentication. Sentinel version 2.0 is affected.
    • Ref: http://www.kb.cert.org/vuls/id/122142

    • 11.39.20 - CVE: CVE-2011-1911
    • Platform: Web Application
    • Title: JasperReports Server "_flowExecutionKey" Parameter Cross-Site Request Forgery
    • Description: JasperReports Server is a stand-alone and embeddable reporting server. The application is exposed to a cross-site request forgery issue because it allows attackers to perform certain actions without validating the request. Specifically, attackers can supply data through the "_flowExecutionKey" parameter of an unspecified script. JasperServer 3.7.0 Community Edition and JasperServer 3.7.1 Community Edition are affected.
    • Ref: http://www.kb.cert.org/vuls/id/519588

    • 11.39.21 - CVE: Not Available
    • Platform: Web Application
    • Title: StarDevelop LiveHelp "index.php" Local File Include
    • Description: StarDevelop LiveHelp is a PHP-based help desk application. The application is exposed to a local file include issue because it fails to sufficiently sanitize user-supplied input submitted to the "language_file" parameter of the "index.php" script. StarDevelop LiveHelp version 2.0 is affected.
    • Ref: http://www.securityfocus.com/bid/49650/discuss

    • 11.39.22 - CVE: CVE-2011-2544, CVE-2011-2543
    • Platform: Web Application
    • Title: Cisco TelePresence Endpoint HTML Injection and Memory Corruption Vulnerabilities
    • Description: Cisco TelePresence is a suite of applications and devices for remote communication. 1) Cisco TelePresence Endpoint is exposed to an HTML injection issue which affects the web interface. 2) Cisco TelePresence systems are exposed to a memory corruption issue. Specifically, this issue affects the "getXML" handler. Cisco TelePresence Endpoint C versions TC4.1.2 and earlier; and MXP versions F9.1 and earlier are affected.
    • Ref: http://www.senseofsecurity.com.au/advisories/SOS-11-010.pdf

    • 11.39.23 - CVE: Not Available
    • Platform: Web Application
    • Title: Toko LiteCMS HTTP Response Splitting and Cross-Site Scripting Vulnerabilities
    • Description: Toko LiteCMS is a content manager implemented in PHP. The application is exposed to multiple input validation issues. 1) Multiple cross-site scripting issues affect the "currPath" and "path" parameters in the "editnavbar.php" script. 2) An HTTP response splitting issue affects the "charSet" parameter of the "edit.php" script. Toko LiteCMS version 1.5.2 is affected.
    • Ref: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5047.php, http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5048.php

    • 11.39.24 - CVE: CVE-2010-4835
    • Platform: Web Application
    • Title: OneOrZero AIMS "show_report" Local File Include
    • Description: OneOrZero AIMS is a PHP-based help desk application. The application is exposed to a local file include issue because it fails to sufficiently sanitize user-supplied input submitted to the "controller" parameter of the "index.php" script when the "show_report" option is selected. OneOrZero AIMS 2.6.0 is affected.
    • Ref: http://www.securityfocus.com/bid/49708/discuss

    • 11.39.25 - CVE: CVE-2011-3290
    • Platform: Network Device
    • Title: Cisco Identity Services Engine Database Default Credentials Security Bypass
    • Description: Cisco Identity Services Engine (ISE) is an authentication, authorization, and accounting application. The application is exposed to a security bypass issue. Specifically, the application uses default credentials for its underlying database. All releases of Cisco ISE prior to release 1.0.4.MR2 are affected.
    • Ref: http://www.cisco.com/warp/public/707/cisco-sa-20110920-ise.shtml

    • 11.39.26 - CVE: Not Available
    • Platform: Hardware
    • Title: Blue Coat Director Unspecified Cross-Site Scripting
    • Description: Blue Coat Director is an enterprise proxy appliance. The application is exposed to an unspecified cross-site scripting issue because it fails to sanitize user-supplied input. Blue Coat Director versions prior to 5.5.2.3 are vulnerable.
    • Ref: https://kb.bluecoat.com/index?page=content&id=SA62&actp=LIST

    • 11.39.27 - CVE: Not Available
    • Platform: Hardware
    • Title: NETGEAR Wireless Cable Modem Gateway Cross-Site Request Forgery and Security Bypass Vulnerabilities
    • Description: NETGEAR Wireless Cable Modem Gateway is a centrally managed ISP solution. The device is exposed to multiple issues. 1) A security bypass issue exists because of a lack of authentication for the administrator interface on the device. A remote attacker can exploit this issue by sending a valid POST request to the device without sending any authentication header. 2) A cross-site request forgery issue exists in the Web interface. Attackers can exploit this issue by tricking a victim into visiting a malicious Web page. The page will consist of specially crafted script code designed to perform some action on the attacker's behalf. NETGEAR Wireless Cable Modem Gateway CG814WG 3.9.26 R14 is affected.
    • Ref: http://www.senseofsecurity.com.au/advisories/SOS-11-011.pdf

    (c) 2011. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

    Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription (and for free posters), or to update a current subscription, visit https://www.sans.org/account