@RISK: The Consensus Security Vulnerability Alert

Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys

• (1) HIGH: Adobe Flash Player Multiple Vulnerabilities
• (2) MEDIUM: Novell Groupwise Internet Agent Multiple Vulnerabilities

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

Third Party Windows Apps

• 11.40.1 - Sunway ForceControl Multiple Security Vulnerabilities
• 11.40.2 - CellCtrl Read & Write Excel ActiveX Control Buffer Overflow
• 11.40.3 - GMER "0x7201c008" IOCTL Call Local Privilege Escalation
• 11.40.4 - PcVue ActiveX Control Multiple Security Vulnerabilities

Cross Platform

• 11.40.5 - NX Server "nxconfigure.sh" Local Privilege Escalation
• 11.40.6 - Adobe Flash Player Multiple Vulnerabilities
• 11.40.7 - Apache Struts Conversion Error OGNL Expression Evaluation
• 11.40.8 - FFmpeg Multiple Security Vulnerabilities
• 11.40.9 - ldns "rr.c" Remote Heap Buffer Overflow
• 11.40.10 - PHP "is_a()" Function Remote File Include
• 11.40.11 - Apache Tomcat HTTP DIGEST Authentication Multiple Security Weaknesses
• 11.40.12 - IBM WebSphere Application Server Cross-Site Request Forgery
• 11.40.13 - Novell GroupWise Multiple Vulnerabilities
• 11.40.14 - SSL/TLS Protocol Initialization Vector Implementation Information Disclosure
• 11.40.15 - Quagga Multiple Remote Security Vulnerabilities
• 11.40.16 - Adobe ColdFusion Multiple Cross-Site Scripting Vulnerabilities

Web Application - Cross Site Scripting

• 11.40.17 - TWiki Multiple Cross-Site Scripting Vulnerabilities
• 11.40.18 - AWStats "awredir.pl" Multiple Cross-Site Scripting Vulnerabilities

Web Application - SQL Injection

• 11.40.19 - Authenex ASAS Server "username" Parameter SQL Injection
• 11.40.20 - SPIP Unspecified SQL Injection
• 11.40.21 - openEngine "id" Parameter SQL Injection

Web Application

• 11.40.22 - FBC Market CMS Cross-Site Scripting and Multiple HTML Injection Vulnerabilities
• 11.40.23 - Zyncro Multiple HTML Injection Vulnerabilities
• 11.40.24 - SonicWALL Viewpoint Multiple Cross-Site Scripting and HTML Injection Vulnerabilities
• 11.40.25 - AdaptCMS Cross-Site Scripting and Information Disclosure Vulnerabilities

Network Device

• 11.40.26 - Barracuda IM Firewall Cross-Site Scripting and HTML Injection Vulnerabilities

PART I Critical Vulnerabilities

PART I Critical Vulnerabilities Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/risk/#process

*************************************************************

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 35, 2011

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com) This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 12375 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely. ______________________________________________________________________

• 11.40.1 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: Sunway ForceControl Multiple Security Vulnerabilities
• Description: Sunway ForceControl is a SCADA HMI that controls various devices. The application is exposed to multiple issues. 1) A stack-based buffer overflow issue affects AngelServer. 2) A directory traversal issue affects the Web server component. 3) Multiple denial of service issues affect AngelServer. 4) A remote code execution issue affects the "Login" method of the "YRWXls.ocx" ActiveX component. 5) A stack-based buffer overflow affects the SNMP NetDBServer. 6) An integer overflow issue affects the SNMP NetDBServer. 7) A denial of service issue affects the SNMP NetDBServer. 8) A directory traversal issue affects the NetServer component. Sunway ForceControl versions 6.1 sp3 and prior are affected.
• Ref: http://aluigi.altervista.org/adv/forcecontrol_1-adv.txt

• 11.40.2 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: CellCtrl Read & Write Excel ActiveX Control Buffer Overflow
• Description: CellCtrl is a Windows-based application. CellCtrl is exposed to a buffer overflow issue because the application fails to perform adequate boundary checks on user-supplied data. This issue affects the "Login()" method of the Read & Write Excel ActiveX control. CellCtrl 5.3.9.15 is vulnerable and other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/49752/references

• 11.40.3 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: GMER "0x7201c008" IOCTL Call Local Privilege Escalation
• Description: GMER is an application for Microsoft Windows that is used to detect and remove root kits. The application is exposed to a local privilege escalation issue because it fails to properly handle input through the 0x7201c008 IOCTL call. Specifically, an integer overflow occurs, allowing an attacker to overwrite a buffer with binary data. GMER 1.0.15.15641 is vulnerable and other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/49761/discuss

• 11.40.4 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: PcVue ActiveX Control Multiple Security Vulnerabilities
• Description: PcVue is a Multi-station HMI/SCADA controller available for Microsoft Windows. The application is exposed to multiple issues. 1) A remote code execution issue affects the "SaveObject()" and "LoadObject()" methods of the "SVUIGrd.ocx" ActiveX control. 2) A memory corruption issue affects the "GetExtendedColor()" method of the "SVUIGrd.ocx" ActiveX control. 3) A memory corruption issue affects the "SaveObject()" and "LoadObject()" methods of the "SVUIGrd.ocx" ActiveX control. 4) A buffer overflow issue affects the "DeletePage()" method of the "aipgctl.ocx" ActiveX control. PcVue 10.0 is vulnerable and other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/49795

• 11.40.5 - CVE: Not Available
• Platform: Cross Platform
• Title: NX Server "nxconfigure.sh" Local Privilege Escalation
• Description: NX Server is a terminal and remote access server for Linux and Solaris. The application is exposed to a local privilege escalation issue. The problem occurs because the SUID script "nxconfigure.sh" does not properly sanitize user-supplied input. NX Server 3.5.0 is vulnerable and other versions may also be affected.
• Ref: http://www.nomachine.com/tr/view.php?id=TR08I02575

• 11.40.6 - CVE: CVE-2011-2426,CVE-2011-2427,CVE-2011-2428,CVE-2011-2429,CVE-2011-2430,CVE-2011-2444
• Platform: Cross Platform
• Title: Adobe Flash Player Multiple Vulnerabilities
• Description: Adobe Flash Player is a multimedia application for multiple platforms. Adobe Flash Player is exposed to multiple remote code execution issues and a remote information disclosure issue. See reference for further details. Adobe Flash Player 10.3.183.7 and earlier are affected.
• Ref: http://www.adobe.com/support/security/bulletins/apsb11-26.html

• 11.40.7 - CVE: Not Available
• Platform: Cross Platform
• Title: Apache Struts Conversion Error OGNL Expression Evaluation
• Description: Apache Struts is a framework for building Web applications. Apache Struts is exposed to an issue that results in the evaluation of arbitrary user-supplied input. The problem occurs when handling a conversion error in the "ConversionErrorInterceptor" and "RepopulateConversionErrorFieldValidatorSupport" methods. Specifically, user-supplied input is evaluated as an OGNL (Object-Graph Navigation Language) expression before being displayed to the user. Apache Software Foundation Struts 2.x prior to 2.2.3.1 are affected.
• Ref: https://issues.apache.org/jira/browse/WW-3668

• 11.40.8 - CVE: Not Available
• Platform: Cross Platform
• Title: FFmpeg Multiple Security Vulnerabilities
• Description: FFmpeg is a multimedia player. The application is exposed to multiple security issues. Specifically, the issues occur due to various unspecified errors related to the "svq3_get_se_golomb()" function. Versions prior to FFmpeg 0.7.5 and 0.8.4 are affected.
• Ref: http://www.securityfocus.com/bid/49736/references

• 11.40.9 - CVE: Not Available
• Platform: Cross Platform
• Title: ldns "rr.c" Remote Heap Buffer Overflow
• Description: The "ldns" library is used for DNS programming. The library is exposed to a remote heap-based buffer overflow issue because it fails to properly bounds check user-supplied data before copying it into an insufficiently sized memory buffer. Specifically, the issue resides in the "ldns_rr_new_from_str_internal()" function of the "rr.c" source file while handling unknown Resource Record data. ldns 1.6.10 is vulnerable and other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/49748/references

• 11.40.10 - CVE: Not Available
• Platform: Cross Platform
• Title: PHP "is_a()" Function Remote File Include
• Description: PHP is a general purpose scripting language. PHP is exposed to a remote file include issue because it fails to properly implement the "is_a()" function. In certain cases, the "is_a()" function calls the "__autoload()" function in an insecure way. PHP 5.3.7 and 5.3.8 are affected.
• Ref: http://www.securityfocus.com/bid/49754/references

• 11.40.11 - CVE: CVE-2011-1184
• Platform: Cross Platform
• Title: Apache Tomcat HTTP DIGEST Authentication Multiple Security Weaknesses
• Description: Apache Tomcat is a Java-based Web server application for multiple operating systems. The application is exposed to the multiple weaknesses that occur because: 1) Replay attacks were permitted. 2) Server nonce counts were not checked. 3) Client nonce counts were not checked. 4) Qop values were not checked. 5) Realm values were not checked. 6) The server secret was hard-coded to a known string. Tomcat 7.0.0 to 7.0.11, Tomcat 6.0.0 to 6.0.32 and Tomcat 5.5.0 to 5.5.33 are affected.
• Ref: http://www.securityfocus.com/bid/49762/references

• 11.40.12 - CVE: Not Available
• Platform: Cross Platform
• Title: IBM WebSphere Application Server Cross-Site Request Forgery
• Description: IBM WebSphere Application Server is an application server used for service oriented architecture. The application is exposed to a cross-site request forgery issue. The problem occurs because the application does not properly verify user-supplied requests before performing certain actions via HTTP. IBM WebSphere Application Server versions prior to 8.0.0.1 are vulnerable; other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/49766/references

• 11.40.13 - CVE: CVE-2011-0334,CVE-2011-2662,CVE-2011-2661,CVE-2011-2219,CVE-2011-2218,CVE-2011-0333
• Platform: Cross Platform
• Title: Novell GroupWise Multiple Vulnerabilities
• Description: Novell GroupWise is collaboration software available for a number of platforms, including Linux and Microsoft Windows. GroupWise includes an Internet Agent process for mail transfer. Novell GroupWise is exposed to multiple stack-based buffer overflow, cross-site scripting and denial of service issues. Groupwise 8.0x up to 8.02HP2 are vulnerable and other versions may also be affected.
• Ref: http://www.novell.com/support/search.do?cmd=displayKC&docType=kc&externa
  lId=7009210&sliceId=1&docTypeID=DT_TID_1_1&dialogID=26844393 http://www.novell.com/support/search.do?cmd=displayKC&docType=kc&externa
  lId=7009215&sliceId=1&docTypeID=DT_TID_1_1&dialogID=268451081&st
  ateId=0%200%20268449329 http://www.novell.com/support/search.do?cmd=displayKC&docType=kc&externa
  lId=7009214&sliceId=1&docTypeID=DT_TID_1_1&dialogID=268451061&st
  ateId=0%200%20268449323 http://www.novell.com/support/search.do?cmd=displayKC&docType=kc&externa
  lId=7006378&sliceId=1&docTypeID=DT_TID_1_1&dialogID=268443826&s http://www.novell.com/support/search.do?cmd=displayKC&docType=kc&externa
  lId=7009208&sliceId=1&docTypeID=DT_TID_1_1&dialogID=268443893&st
  ateId=0%200%20268449181

• 11.40.14 - CVE: CVE-2011-3389
• Platform: Cross Platform
• Title: SSL/TLS Protocol Initialization Vector Implementation Information Disclosure
• Description: The Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols, are cryptographic protocols used to provide communication security over the Internet. The SSL and TLS protocols are exposed to an information disclosure issue. SSL 3.0 and TLS 1.0 are affected.
• Ref: http://www.securityfocus.com/bid/49778/references

• 11.40.15 - CVE: CVE-2011-3327,CVE-2011-3326,CVE-2011-3325,CVE-2011-3324,CVE-2011-3323
• Platform: Cross Platform
• Title: Quagga Multiple Remote Security Vulnerabilities
• Description: Quagga is routing software for multiple Unix platforms, including Linux and BSD. Quagga is exposed to multiple remote issues, including a buffer overflow issue and multiple denial of service issues. Quagga prior to 0.99.19 are affected. Ref: http://www.securityfocus.com/bid/49784/references

• 11.40.16 - CVE: Not Available
• Platform: Cross Platform
• Title: Adobe ColdFusion Multiple Cross-Site Scripting Vulnerabilities
• Description: Adobe ColdFusion is software for developing Web applications. The application is exposed to multiple cross-site scripting issues because it fails to sufficiently sanitize user-supplied input. Adobe ColdFusion 7 is vulnerable; other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/49787/references

• 11.40.17 - CVE: CVE-2011-3010
• Platform: Web Application - Cross Site Scripting
• Title: TWiki Multiple Cross-Site Scripting Vulnerabilities
• Description: TWiki is a web-based wiki application. The application is exposed to multiple cross-site scripting issues because it fails to sufficiently sanitize user-supplied input. Versions prior to TWiki 5.1.0 are affected.
• Ref: http://twiki.org/cgi-bin/view/Codev/SecurityAlert-CVE-2011-3010

• 11.40.18 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: AWStats "awredir.pl" Multiple Cross-Site Scripting Vulnerabilities
• Description: AWStats is a Perl-based application that provides statistics on server traffic. The application is exposed to multiple cross-site scripting issues because it fails to properly sanitize user-supplied input to the "url" and "key" parameters of "awredir.pl". AWStats 7.0 and 6.95 are vulnerable; other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/49749/discuss

• 11.40.19 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: Authenex ASAS Server "username" Parameter SQL Injection
• Description: ASAS is a server application to administer two-factor authentication. The application is exposed to a SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "username" parameter of the "akeyActivationLogin.do" script. This issue occurs on servers running End User Self Service (EUSS). ASAS 3.1.0.2 and 3.1.0.3 are affected.
• Ref: http://support.authenex.com/index.php?_m=downloads&_a=viewdownload&downl
  oaditemid=125

• 11.40.20 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: SPIP Unspecified SQL Injection
• Description: SPIP is a website publishing application implemented in PHP. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. SPIP 1.9.2 is vulnerable and other versions may also be affected.
• Ref: http://permalink.gmane.org/gmane.comp.web.spip.english/2460

• 11.40.21 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: openEngine "id" Parameter SQL Injection
• Description: openEngine is a Web-based content manager implemented in PHP. openEngine is exposed to an SQL Injection issue because it fails to sufficiently sanitize user-supplied data submitted to the "id" parameter of the "website.php" script before using it in an SQL query. openEngine 2.0 is vulnerable and other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/49794/references

• 11.40.22 - CVE: Not Available
• Platform: Web Application
• Title: FBC Market CMS Cross-Site Scripting and Multiple HTML Injection Vulnerabilities
• Description: FBC Market CMS is a Web application. The application is exposed to a cross-site scripting issue and multiple HTML injection issues because it fails to properly sanitize user-supplied input before using it in dynamically generated content. 1) A cross-site scripting issue affects the "Login" module. 2) Multiple HTML injection issues affect the "Categories Add/List", "newItem", and "Index" modules. FBC Market CMS 1.1 is vulnerable and other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/49731/discuss

• 11.40.23 - CVE: Not Available
• Platform: Web Application
• Title: Zyncro Multiple HTML Injection Vulnerabilities
• Description: Zyncro is a social networking application. The application is exposed to multiple HTML injection issues because it fails to properly sanitize user-supplied input to the "name" and "description" parameters. Zyncro 3.0.1.20 is vulnerable and other versions may also be affected.
• Ref: http://archives.neohapsis.com/archives/fulldisclosure/2011-09/0265.html

• 11.40.24 - CVE: Not Available
• Platform: Web Application
• Title: SonicWALL Viewpoint Multiple Cross-Site Scripting and HTML Injection Vulnerabilities
• Description: SonicWALL Viewpoint is a Web-based reporting security tool. SonicWALL Viewpoint is exposed to multiple cross-site scripting and HTML injection issues because it fails to properly sanitize user-supplied input before using it in dynamically generated content. SonicWALL Viewpoint versions 6.x and prior are affected.
• Ref: http://www.securityfocus.com/bid/49759/references

• 11.40.25 - CVE: Not Available
• Platform: Web Application
• Title: AdaptCMS Cross-Site Scripting and Information Disclosure Vulnerabilities
• Description: AdaptCMS is a PHP-based content manager. The application is exposed to multiple issues. 1) An information disclosure issue affects the "admin.php" script. 2) Multiple cross-site scripting issues affect the "view" and "do" parameters of the "admin.php" script. 3) A cross-site scripting issue affects "index.php" through a URI. AdaptCMS 2.0.1 is vulnerable and other versions may also be affected.
• Ref: http://www.securityfocus.com/archive/1/519816

• 11.40.26 - CVE: Not Available
• Platform: Network Device
• Title: Barracuda IM Firewall Cross-Site Scripting and HTML Injection Vulnerabilities
• Description: Barracuda IM Firewall is a security device designed to protect email servers. The application is exposed to multiple input validation issues. 1) A cross-site scripting issue because it fails to properly sanitize user-supplied input before using it in dynamically generated content. Specifically, the issue affects the "SMTP" module. 2) An HTML injection issue because the application fails to properly sanitize user-supplied input to user reports. Barracuda IM Firewall 4.2.01.004 is vulnerable and other versions may also be affected.
• Ref: http://www.vulnerability-lab.com/get_content.php?id=27

(c) 2011. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account