@RISK: The Consensus Security Vulnerability Alert

Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys

• (1) HIGH: Mozilla Firefox Multiple Security Vulnerabilities
• (2) HIGH: Google Chrome Multiple Security Vulnerabilities

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

Windows

• 11.41.1 - SlimPDF Reader Multiple Remote Code Execution Vulnerabilities

BSD

• 11.41.2 - FreeBSD UNIX Domain Socket Local Privilege Escalation

Novell

• 11.41.3 - Novell Identity Manager "apwaDetail" Multiple Cross-Site Scripting Vulnerabilities

Cross Platform

• 11.41.4 - Citrix Provisioning Services Remote Code Execution
• 11.41.5 - Mozilla Firefox/Thunderbird/SeaMonkey Multiple Vulnerabilities
• 11.41.6 - Symantec IM Manager Code Injection
• 11.41.7 - IBM Tivoli Monitoring Eclipse Help Server Cross-Site Scripting and Spoofing Vulnerabilities
• 11.41.8 - Adobe Photoshop Elements Multiple Memory Corruption Vulnerabilities
• 11.41.9 - Pidgin "silc_private_message()" Denial of Service
• 11.41.10 - KDE KSSL Common Name SSL Certificate Spoofing
• 11.41.11 - Perl Crypt-DSA Module Random Number Values Security Weakness
• 11.41.12 - Google Chrome PDF File Handling Memory Corruption
• 11.41.13 - HP NonStop Server Unspecified Remote Code Execution

Network Device

• 11.41.14 - Cisco IOS IPv6 Remote Denial of Service
• 11.41.15 - Cisco Unified Presence and Jabber XCP XML Bomb Denial of Service
• 11.41.16 - Cisco IOS and Unified Communications Manager Denial of Service
• 11.41.17 - Cisco IOS IPS and Zone-Based Firewall Multiple Denial of Service Vulnerabilities
• 11.41.18 - Cisco IOS IPv6 over MPLS Multiple Denial of Service Vulnerabilities
• 11.41.19 - Cisco 10000 Series Routers ICMP Packets Denial of Service
• 11.41.20 - Cisco IOS Smart Install Remote Code Execution
• 11.41.21 - Cisco IOS SIP Multiple Denial of Service Vulnerabilities
• 11.41.22 - Cisco IOS Data-Link Switching Memory Leak Remote Denial of Service
• 11.41.23 - Cisco IOS IP Service Level Agreement Remote Denial of Service
• 11.41.24 - Multiple HTC devices "HtcLoggers.apk" Application Information Disclosure
• 11.41.25 - SonicWall NSA 4500 HTML Injection and Session Hijacking Vulnerabilities

PART I Critical Vulnerabilities

PART I Critical Vulnerabilities Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/risk/#process

*************************************************************

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 36, 2011

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com) This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 12390 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely. ______________________________________________________________________

• 11.41.1 - CVE: Not Available
• Platform: Windows
• Title: SlimPDF Reader Multiple Remote Code Execution Vulnerabilities
• Description: SlimPDF is a PDF reader available for Microsoft Windows. The application is exposed to multiple remote code execution issues when processing specially crafted PDF files. The problem occurs due to various memory access validation issues.
• Ref: http://www.kb.cert.org/vuls/id/275036

• 11.41.2 - CVE: Not Available
• Platform: BSD
• Title: FreeBSD UNIX Domain Socket Local Privilege Escalation
• Description: The Linux kernel is exposed to a local privilege escalation issue due to a boundary condition when handling UNIX domain sockets. This issue occurs when the "bind(2)" system call is used to attach the socket.
• Ref: http://www.securityfocus.com/bid/49862

• 11.41.3 - CVE: CVE-2011-2227,CVE-2011-1696
• Platform: Novell
• Title: Novell Identity Manager "apwaDetail" Multiple Cross-Site Scripting Vulnerabilities
• Description: Novell Identity Manager is an application used for automating identity management. The application is exposed to multiple cross-site scripting issues because it fails to sufficiently sanitize user-supplied input to various parameters of the "apwaDetailId" component. Identity Manager Roles Based Provisioning Module version 3.7.0 (User Application 3.7.0) prior to Field Patch 370E is affected.
• Ref: http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5111711.
  html

• 11.41.4 - CVE: Not Available
• Platform: Cross Platform
• Title: Citrix Provisioning Services Remote Code Execution
• Description: Citrix Provisioning Services is exposed to a remote code execution issue due to an unspecified error when processing crafted packets. Citrix Provisioning Services versions 5.6 SP1 and earlier are affected.
• Ref: http://support.citrix.com/article/CTX130846

• 11.41.5 - CVE: CVE-2011-3005, CVE-2011-3004, CVE-2011-3232,CVE-2011-3003, CVE-2011-3002, CVE-2011-3001, CVE-2011-3000,CVE-2011-2999, CVE-2011-2998, CVE-2011-2997, CVE-2011-2996,CVE-2011-2995, CVE-2011-2372
• Platform: Cross Platform
• Title: Mozilla Firefox/Thunderbird/SeaMonkey Multiple Vulnerabilities
• Description: Firefox is a browser. SeaMonkey is a suite of applications that includes a browser and an email client. Thunderbird is an email client. All three applications are available for multiple platforms. Mozilla Firefox, SeaMonkey and Thunderbird are exposed to a remote HTTP response splitting issue. Firefox versions prior to 7.0 and 3.6.23; Thunderbird versions prior to 7.0; and SeaMonkey versions prior to 2.4 are affected.
• Ref: http://www.mozilla.org/security/announce/2011/mfsa2011-36.html

• 11.41.6 - CVE: CVE-2011-0554
• Platform: Cross Platform
• Title: Symantec IM Manager Code Injection
• Description: Symantec IM Manager logs, manages and secures corporate IM traffic. The application is exposed to an issue that will let attackers inject arbitrary code. The problem occurs because the application fails to properly sanitize user-supplied input to the management console. IM Manager versions prior to 8.4.18 are affected.
• Ref: http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fi
  d=security_advisory&pvid=security_advisory&year=2011&suid=20110929_0
  0

• 11.41.7 - CVE: Not Available
• Platform: Cross Platform
• Title: IBM Tivoli Monitoring Eclipse Help Server Cross-Site Scripting and Spoofing Vulnerabilities
• Description: IBM Tivoli Monitoring Eclipse Help Server is a help service built into IBM Tivoli Monitoring. IBM Tivoli Monitoring is exposed to an unspecified cross-site scripting issue and an unspecified issue that may aid in phishing attacks.
• Ref: https://www-304.ibm.com/support/docview.wss?uid=swg1IV02305

• 11.41.8 - CVE: CVE-2011-2443
• Platform: Cross Platform
• Title: Adobe Photoshop Elements Multiple Memory Corruption Vulnerabilities
• Description: Adobe Photoshop Elements is an application for editing digital photographs. Adobe Photoshop Elements is exposed to multiple remote memory corruption issues that are triggered when processing specially crafted ".ABR" and ".GRD" format files. Adobe Photoshop Elements versions 7.0 and 8.0 are affected.
• Ref: http://www.adobe.com/support/security/advisories/apsa11-03.html

• 11.41.9 - CVE: Not Available
• Platform: Cross Platform
• Title: Pidgin "silc_private_message()" Denial of Service
• Description: Pidgin is a multi-platform instant messaging client that supports various messaging protocols. The application is exposed to a denial of service issue that occurs in the "silc_private_message()" function of the "libpurple/protocols/silc/ops.c" file when processing a crafted SLIC message. Pidgin version 2.10.0 is affected.
• Ref: http://developer.pidgin.im/ticket/14636

• 11.41.10 - CVE: CVE-2011-3366,CVE-2011-3365
• Platform: Cross Platform
• Title: KDE KSSL Common Name SSL Certificate Spoofing
• Description: KDE is a graphical desktop environment for Linux and Unix computers. KDE KSSL is exposed to a security issue that may allow attackers to spoof SSL certificates. This issue occurs because KSSL fails to properly set the "QLabel::AutoText" to "QLabel::PlainText".
• Ref: http://www.kde.org/info/security/advisory-20111003-1.txt

• 11.41.11 - CVE: Not Available
• Platform: Cross Platform
• Title: Perl Crypt-DSA Module Random Number Values Security Weakness
• Description: Crypt-DSA is a module for Perl that provides cryptographic support. The module is exposed to a security weakness because it generates cryptographically weak keys. Specifically, the issue exists because random numbers are generated through a cryptographically insecure method. Perl Crypt-DSA Module version 1.17 is affected.
• Ref: https://rt.cpan.org/Public/Bug/Display.html?id=71421

• 11.41.12 - CVE:CVE-2011-2876,CVE-2011-2877,CVE-2011-2878,CVE-2011-2879,CVE-2011-2880,CVE-2011-2881,CVE-2011-3873
• Platform: Cross Platform
• Title: Google Chrome PDF File Handling Memory Corruption
• Description: Google Chrome is a web browser for multiple platforms. The browser is exposed to a memory corruption issue that occurs during garbage collection when handling malicious PDF files. Specifically, this issue occurs when the browser opens an HTML file that contains multiple <IFRAME> tags pointing to a PDF file. Chrome versions prior to 14.0.835.163 are affected.
• Ref: http://googlechromereleases.blogspot.com/2011/10/stable-channel-update.html

• 11.41.13 - CVE: CVE-2011-2411
• Platform: Cross Platform
• Title: HP NonStop Server Unspecified Remote Code Execution
• Description: HP NonStop Server is a backup server device. HP NonStop Server is exposed to an unspecified code execution vulnerability when Samba is used.
• Ref: http://www.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c03008543 http://www.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c03008543

• 11.41.14 - CVE: CVE-2011-0944
• Platform: Network Device
• Title: Cisco IOS IPv6 Remote Denial of Service
• Description: Cisco IOS is exposed to a remote denial of service vulnerability when processing IPv6 packets. An attacker can exploit this issue by sending specially crafted IPv6 packets that cause the affected devices to reload, denying service to legitimate users.
• Ref: http://www.cisco.com/en/US/products/products_security_advisory09186a0080b95d59.s
  html

• 11.41.15 - CVE: CVE-2011-3287
• Platform: Network Device
• Title: Cisco Unified Presence and Jabber XCP XML Bomb Denial of Service
• Description: Cisco Unified Presence collects information about user availability for use with the Cisco Unified Communications system. Cisco Unified Presence and Jabber XCP are exposed to a denial of service issue because the application fails to properly validate XML data, which can result in an Exponential Entity Expansion attack.
• Ref: http://www.cisco.com/en/US/products/products_security_advisory09186a0080b95d47.s
  html

• 11.41.16 - CVE: CVE-2011-2072
• Platform: Network Device
• Title: Cisco IOS and Unified Communications Manager Denial of Service
• Description: Cisco IOS and Unified Communications Manager are exposed to a denial of service issue because they leak session control buffer, when handling specially crafted SIP messages.
• Ref: http://www.cisco.com/en/US/products/products_security_advisory09186a0080b95d58.s
  html

• 11.41.17 - CVE: CVE-2011-3281,CVE-2011-3273
• Platform: Network Device
• Title: Cisco IOS IPS and Zone-Based Firewall Multiple Denial of Service Vulnerabilities
• Description: Cisco IOS is exposed to a denial of service issue due to a memory leak and a denial of service issue when processing specially crafted HTTP packets.
• Ref: http://www.cisco.com/en/US/products/products_security_advisory09186a0080b95d57.s
  html

• 11.41.18 - CVE: CVE-2011-3282,CVE-2011-3274
• Platform: Network Device
• Title: Cisco IOS IPv6 over MPLS Multiple Denial of Service Vulnerabilities
• Description: Cisco IOS is prone to multiple remote denial of service issues. A denial of service issue occurs when processing an IPv6 packet when the MPLS TTL has expired. A denial of service issue occurs when processing an ICMPv6 packet when the MPLS TTL has expired.
• Ref: http://www.cisco.com/en/US/products/products_security_advisory09186a0080b95d52.s
  html

• 11.41.19 - CVE: CVE-2011-3270
• Platform: Network Device
• Title: Cisco 10000 Series Routers ICMP Packets Denial of Service
• Description: The Cisco 10000 Series is a device used to monitor network use. The Cisco 10000 Series is exposed to a denial of service issue. An unauthenticated attacker is able to cause a device reload by sending a series of ICMP packets to the device.
• Ref: http://www.cisco.com/en/US/products/products_security_advisory09186a0080b95d50.s
  html

• 11.41.20 - CVE: CVE-2011-3271
• Platform: Network Device
• Title: Cisco IOS Smart Install Remote Code Execution
• Description: Cisco IOS is exposed to a denial of service issue that exists in the Smart Install feature included in Cisco Catalyst Switches. An attacker can exploit this issue by constructing and submitting a specially crafted packet to TCP port 4786 of the device.
• Ref: http://www.cisco.com/en/US/products/products_security_advisory09186a0080b95d4f.s
  html

• 11.41.21 - CVE: CVE-2011-3275,CVE-2011-0939
• Platform: Network Device
• Title: Cisco IOS SIP Multiple Denial of Service Vulnerabilities
• Description: Cisco IOS is exposed to multiple remote denial of service issues that affect the SIP implementation. A denial of service issue occurs because of a memory leak, which eventually leads to the reload of the affected device. A denial of service issue causes the affected device to reload.
• Ref: http://www.cisco.com/en/US/products/products_security_advisory09186a0080b95d5a.s
  html

• 11.41.22 - CVE: CVE-2011-0945
• Platform: Network Device
• Title: Cisco IOS Data-Link Switching Memory Leak Remote Denial of Service
• Description: Cisco IOS is exposed to a remote denial of service issue when devices are configured for Data-Link Switching. Specifically, crafted IP protocol 91 packets can cause a memory leak, eventually leading to the affected device reloading.
• Ref: http://www.cisco.com/en/US/products/products_security_advisory09186a0080b95d4e.s
  html

• 11.41.23 - CVE: CVE-2011-3272
• Platform: Network Device
• Title: Cisco IOS IP Service Level Agreement Remote Denial of Service
• Description: Cisco IOS is exposed to a remote denial of service issue. An attacker can exploit this issue by sending specially crafted malformed UDP packets triggered by malformed IP SLA packets to cause the affected devices to reload, denying service to legitimate users.
• Ref: http://www.cisco.com/en/US/products/products_security_advisory09186a0080b95d4c.s
  html

• 11.41.24 - CVE: Not Available
• Platform: Network Device
• Title: Multiple HTC devices "HtcLoggers.apk" Application Information Disclosure
• Description: "HtcLoggers.apk" is a logging application installed on many HTC mobile devices. Multiple HTC devices are exposed to an information disclosure issue that affects the "HtcLoggers.apk" application. The issue occurs because the affected application fails to restrict access to the log information it collects and then allows other applications installed on the device to access that sensitive information.
• Ref: http://www.androidpolice.com/2011/10/01/massive-security-vulnerability-in-htc-an
  droid-devices-evo-3d-4g-thunderbolt-others-exposes-phone-numbers-gps-sms-emails-
  addresses-much-more/

• 11.41.25 - CVE: Not Available
• Platform: Network Device
• Title: SonicWall NSA 4500 HTML Injection and Session Hijacking Vulnerabilities
• Description: SonicWall NSA 4500 is a network security appliance. The device's web interface is exposed to multiple issues. A session hijacking issue exists because the device allows users to brute force the session ID. Multiple HTML injection issues affect the "Login page content" field included in the "Users/Settings" page and various other unspecified fields.
• Ref: http://www.securityfocus.com/archive/1/519994

(c) 2011. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account