
@RISK: The Consensus Security Vulnerability Alert

Volume: X, Issue: 37
October 12, 2011

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

Summary of Updates and Vulnerabilities in this Consensus

Platform                                  Number of Updates and Vulnerabilities
----------------------------------------  -------------------------------------
Windows                                   3 (#1)
Other Microsoft Products                  5
Third Party Windows Apps                  2
Aix                                       1
Cross Platform                            4 (#2)
Web Application - Cross Site Scripting    2
Web Application - SQL Injection           2
Web Application                           5
Hardware                                  2

**************************************************************************

TRAINING UPDATE

--SANS Chicago 2011, Chicago, IL, October 23-28, 2011
  6 courses. Bonus evening presentations include Computer Forensics in the Virtual Realm and Electrical Grid Security
  http://www.sans.org/chicago-2011/

--SANS Seattle 2011, Seattle, WA, November 2-7, 2011
  5 courses. Bonus evening presentations include Future Trends in Network Security; and Ninja Developers: Penetration Testing and Your SDLC
  http://www.sans.org/seattle-2011/

--SANS San Francisco 2011, San Francisco, CA, November 14-19, 2011
  6 courses. Bonus evening presentations include The Worst Mistakes in Cloud Computing Security; Offensive Countermeasures; and Watching the Wire at Home
  http://www.sans.org/san-francisco-2011/

--EURO SCADA & Process Control System Security Summit, Rome, Dec 1-2, 2011
  Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them.
  http://www.sans.org/eu-scada-2011/

--SANS San Antonio 2011, San Antonio, TX, November 28-December 5, 2011
  7 courses. Bonus evening presentations include Effective Methods for Implementing the 20 Critical Security Controls; and Assessing Deception: Are They Lying to You?
  http://www.sans.org/san-antonio-2011/

--SANS London 2011, London, UK, December 3-12, 2011
  16 courses. Bonus evening presentations include IPv6 Challenges for Intrusion Detection and Understanding How Attackers Bypass Network and Content Restrictions.
  http://www.sans.org/london-2011/

--SANS CDI 2011, Washington, DC, December 9-16, 2011
  27 courses. Bonus evening presentations include Emerging Trends in Data Law and Investigations, and Critical Infrastructure Control Systems Cybersecurity.
  http://www.sans.org/cyber-defense-initiative-2011/

--SANS Security East 2012, New Orleans, LA, January 17-26, 2012
  11 courses. Bonus evening presentations include Advanced VoIP Pen Testing: Current Threats and Methods; and Helping Small Businesses with Security.
  http://www.sans.org/security-east-2012/

--Looking for training in your own community? http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/discounts.php#current

Plus Seoul, Sydney, Tokyo, and Rome all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

**************************************************************************

Table Of Contents
Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)
    Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
    Windows
    Other Microsoft Products
    Third Party Windows Apps
    Aix
    Cross Platform
    Web Application - Cross Site Scripting
    Web Application - SQL Injection
    Web Application
    Hardware
PART I Critical Vulnerabilities

    Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/risk/#process

    *************************************************************

Widely Deployed Software

    Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
    Week 37, 2011

    Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

    This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 12405 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.

    ______________________________________________________________________


    • 11.42.1 - CVE: CVE-2011-1247
    • Platform: Windows
    • Title: Microsoft Active Accessibility Remote Code Execution
    • Description: The Microsoft Active Accessibility component is a Component Object Model based technology that improves the way accessibility aids work with applications running on Microsoft Windows. The Active Accessibility component is exposed to an arbitrary code execution issue. The issue arises because the application searches for a Dynamic Link Library file in the current working directory. All supported releases of Microsoft Windows are affected.
    • Ref: http://technet.microsoft.com/en-us/security/bulletin/ms11-075

    • 11.42.2 - CVE: CVE-2011-1985,CVE-2011-2002,CVE-2011-2003
    • Platform: Windows
    • Title: Microsoft Windows Kernel Mode Drivers Remote Code Execution
    • Description: The "Win32k.sys" kernel mode device driver provides various functions such as the window manager, collection of user input, screen output and Graphics Device Interface. It also serves as a wrapper for DirectX support. The driver is exposed to multiple issues. See reference for further details. All supported releases of Microsoft Windows are affected.
    • Ref: http://technet.microsoft.com/en-us/security/bulletin/ms11-077

    • 11.42.3 - CVE: CVE-2011-2005
    • Platform: Windows
    • Title: Microsoft Ancillary Function Driver Elevation of Privileges
    • Description: Microsoft Windows is exposed to a local privilege escalation issue. This issue affects the ancillary function driver ("AFD.sys"). This issue occurs because the AFD driver fails to properly validate data passed from user mode to kernel mode. All supported editions of Windows XP and Windows Server 2003 are affected.
    • Ref: http://technet.microsoft.com/en-us/security/bulletin/ms11-080

    • 11.42.4 - CVE: CVE-2011-1253
    • Platform: Other Microsoft Products
    • Title: Microsoft .NET Framework and Silverlight Remote Code Execution
    • Description: The Microsoft .NET Framework is a software framework for applications designed to run under Microsoft Windows. Microsoft Silverlight is a web application framework that provides support for .NET applications. Microsoft Silverlight and Microsoft .NET Framework are exposed to a remote code execution issue due to the way in which they restrict inheritance within classes. Microsoft .NET Framework 1.0 Service Pack 3, Microsoft .NET Framework 1.1 Service Pack 1, Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5.1, Microsoft .NET Framework 4 and Microsoft Silverlight 4 are affected.
    • Ref: http://technet.microsoft.com/en-us/security/bulletin/ms11-078

    • 11.42.5 - CVE: CVE-2011-2008,CVE-2011-2007
    • Platform: Other Microsoft Products
    • Title: Microsoft Host Integration Server Remote Denial of Service
    • Description: Microsoft Host Integration Server facilitates integration between Microsoft and IBM technologies. Microsoft Host Integration Server is exposed to a denial of service issue caused by improper input validation when Host Integration Server processes specially crafted network traffic. All supported editions of Microsoft Host Integration Server 2004, Microsoft Host Integration Server 2006, Microsoft Host Integration Server 2009 and Microsoft Host Integration Server 2010 are affected.
    • Ref: http://technet.microsoft.com/en-us/security/bulletin/ms11-082

    • 11.42.6 - CVE: CVE-2011-1895,CVE-2011-1896,CVE-2011-1897,CVE-2011-1969,CVE-2011-2012
    • Platform: Other Microsoft Products
    • Title: Microsoft Forefront Unified Access Gateway Multiple Remote Issues
    • Description: Microsoft Forefront Unified Access Gateway provides remote access to enterprise resources. Microsoft Forefront Unified Access Gateway is exposed to multiple remote issues. See reference for further details. All supported versions of Microsoft Forefront Unified Access Gateway 2010 are affected.
    • Ref: http://technet.microsoft.com/en-us/security/bulletin/ms11-079

    • 11.42.7 - CVE: CVE-2011-2009
    • Platform: Other Microsoft Products
    • Title: Microsoft Windows Media Center Remote Code Execution
    • Description: Media Center is an audio/visual application for Microsoft Windows. Media Center is exposed to an arbitrary code execution issue. The issue arises because the application searches for a Dynamic Link Library file in the current working directory. All supported editions of Windows Vista, Windows 7 and Windows Media Center TV Pack for Windows Vista are affected.
    • Ref: http://technet.microsoft.com/en-us/security/bulletin/ms11-076

    • 11.42.8 - CVE: CVE-2011-1993,CVE-2011-1995,CVE-2011-1996,CVE-2011-1997,CVE-2011-1998,CVE-2011-1999,CVE-2011-2000,CVE-2011-2001
    • Platform: Other Microsoft Products
    • Title: Microsoft Internet Explorer Cumulative Security Update
    • Description: Microsoft Internet Explorer is a web browser available for Microsoft Windows platforms. Microsoft Internet Explorer is exposed to multiple remote issues. See reference for further details. Internet Explorer 6, 7, 8 and 9 are affected.
    • Ref: http://technet.microsoft.com/en-us/security/bulletin/ms11-081

    • 11.42.9 - CVE: CVE-2011-1366,CVE-2011-1367
    • Platform: Third Party Windows Apps
    • Title: IBM Rational AppScan Remote Command Execution Vulnerabilities
    • Description: IBM Rational AppScan is a web-based tool for scanning and reporting vulnerabilities. The application is exposed to multiple remote command execution issues that occur when handling specially crafted "ZIP" files and "scan" files. Versions 5.2 through 8.0.1 of IBM Rational AppScan Enterprise and IBM Rational AppScan Reporting Console running on Microsoft Windows are affected.
    • Ref: https://www-304.ibm.com/support/docview.wss?uid=swg21515110

    • 11.42.10 - CVE: CVE-2011-0339,CVE-2011-0338,CVE-2011-0337
    • Platform: Third Party Windows Apps
    • Title: Autonomy KeyView Filter "jtdsr.dll" Multiple Buffer Overflow Vulnerabilities
    • Description: Autonomy KeyView Filter is a component used in multiple applications. It allows the filtering, viewing and exporting of documents to Web-ready HTML or valid XML. Autonomy KeyView Filter is exposed to multiple buffer overflow issues because it fails to properly bounds check user-supplied data. Autonomy KeyView Filter 10.3 is vulnerable and other versions may also be affected.
    • Ref: http://www.securityfocus.com/bid/50006/references

    • 11.42.11 - CVE: CVE-2011-3982
    • Platform: Aix
    • Title: IBM AIX Fibre Channel Driver QLogic Local Denial of Service
    • Description: IBM AIX is exposed to a local denial of service issue. This issue occurs because the Fibre Channel driver for the QLogic adapters fails to properly handle a DMA resource limitation. IBM AIX versions 6.1 and 7.1 are affected.
    • Ref: http://www.securityfocus.com/bid/50000/references

    • 11.42.12 - CVE: CVE-2011-3368
    • Platform: Cross Platform
    • Title: Apache HTTP Server "mod_proxy" Reverse Proxy Information Disclosure
    • Description: Apache HTTP Server is an HTTP web server application. Apache HTTP Server is exposed to an information disclosure issue that exists in the "mod_proxy" component. Specifically, when using the "RewriteRule" or "ProxyPassMatch" directives to configure a reverse proxy using a pattern match, it may be possible to disclose the internal servers. Apache HTTP Server 1.3.x through 1.3.42, 2.0.x through 2.0.64 and 2.2.x through 2.2.21 are affected.
    • Ref: http://www.apache.org/dist/httpd/patches/apply_to_2.2.21/ http://www.securityfocus.com/bid/49957/references

    • 11.42.13 - CVE: CVE-2011-1221
    • Platform: Cross Platform
    • Title: Real Networks RealPlayer Cross-Zone Scripting
    • Description: Real Networks RealPlayer is a media player available for multiple platforms. The application is exposed to a cross-zone scripting issue because the RealPlayer ActiveX control allows users to run local HTML files with scripting enabled without providing any warning. RealPlayer 11.0 to 11.1, SP 1.0 to 1.1.5 and Enterprise 2.0 to 2.1.5 are affected.
    • Ref: http://www.securityfocus.com/bid/49996/references

    • 11.42.14 - CVE: Not Available
    • Platform: Cross Platform
    • Title: VLC Media Player "httpd_ClientRecv()" Heap-Based Buffer Overflow
    • Description: VLC is a cross-platform media player. The application is exposed to a heap-based memory corruption issue because it fails to properly bounds check user-supplied data before copying it into an insufficiently sized buffer. Specifically, this issue occurs due to a NULL pointer dereference error in the "httpd_ClientRecv()" function of the "src/network/httpd.c" source file. The issue affects the "HTTP" and "RTSP" server components. VLC Media Player 1.1.11 and prior versions are affected.
    • Ref: http://www.videolan.org/security/sa1107.html

    • 11.42.15 - CVE: CVE-2011-0259,CVE-2011-0200,CVE-2011-3252,CVE-2011-3219,CVE-2011-0204,CVE-2011-0215,CVE-2010-1823,CVE-2011-0164,CVE-2011-0218,CVE-2011-0221,CVE-2011-0222,CVE-2011-0223,CVE-2011-0225,CVE-2011-0232,CVE-2011-0233,CVE-2011-0234,CVE-2011-0235,CVE-2011-0237
    • Platform: Cross Platform
    • Title: Apple iTunes Multiple Vulnerabilities
    • Description: Apple iTunes is a media player for Microsoft Windows and Apple Mac OS X. iTunes components CoreFoundation, ColorSync, CoreAudio, CoreMedia, ImageIO and WebKit are exposed to multiple issues ranging from buffer overflow to memory corruption. Apple iTunes versions prior to 10.5 are affected.
    • Ref: http://lists.apple.com/archives/security-announce/2011//Oct/msg00000.html

    • 11.42.16 - CVE: Not Available
    • Platform: Web Application - Cross Site Scripting
    • Title: JAKCMS "userpost" Parameter Cross-Site Scripting
    • Description: JAKCMS is a content manager implemented in PHP. The application is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input submitted to the "userpost" parameter of the "index.php" script. JAKCMS 2.0.4.1 is vulnerable and other versions may also be affected.
    • Ref: http://www.securityfocus.com/bid/50034/discuss

    • 11.42.17 - CVE: Not Available
    • Platform: Web Application - Cross Site Scripting
    • Title: SilverStripe Multiple Cross-Site Scripting
    • Description: SilverStripe is an open source content management system. The application is exposed to multiple cross-site scripting issues because it fails to sanitize user supplied input. SilverStripe 2.4.5 is vulnerable and other versions may also be affected.
    • Ref: http://www.securityfocus.com/archive/1/520050

    • 11.42.18 - CVE: Not Available
    • Platform: Web Application - SQL Injection
    • Title: vtiger CRM "onlyforuser" Parameter SQL Injection
    • Description: vtiger CRM is a PHP-based customer relationship management application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data submitted to the "onlyforuser" parameter of the "index.php" script. vtiger CRM 5.2.1 is vulnerable and prior versions may also be affected.
    • Ref: http://yehg.net/lab/pr0js/advisories/%5BvTiger_5.2.1%5D_blind_sqlin

    • 11.42.19 - CVE: CVE-2011-4026
    • Platform: Web Application - SQL Injection
    • Title: NexusPHP "thanks.php" SQL Injection
    • Description: NexusPHP is a PHP-based Web application. The application is exposed to an SQL injection issue because it fails to adequately sanitize user-supplied input submitted to the "id" parameter of the "thanks.php" script. NexusPHP 1.5 is affected and other versions may also be vulnerable.
    • Ref: http://www.securityfocus.com/bid/50025/discuss

    • 11.42.20 - CVE: Not Available
    • Platform: Web Application
    • Title: XOOPS HTML Injection and Cross-Site Scripting Vulnerabilities
    • Description: XOOPS is a PHP-based content management system. The application is exposed to multiple issues. A cross-site scripting issue affects the "img" BBCode tag in the "message" parameter of the "pmlite.php" script. An HTML injection issue affects the "text" parameter of the "include/formdhtmltextarea_preview.php" script. XOOPS 2.5.1a is vulnerable; other versions may also be affected.
    • Ref: http://www.securityfocus.com/bid/49995/references

    • 11.42.21 - CVE: CVE-2011-2676
    • Platform: Web Application
    • Title: Movable Type A-Form Plugins Cross-Site Scripting and Unspecified Security Vulnerabilities
    • Description: Movable Type is a weblog publishing system. Movable Type A-Form plugins are exposed to multiple issues. An unspecified cross-site scripting issue occurs because they fail to sufficiently sanitize user-supplied data. A security bypass issue occurs due to tampering with an admin HTTP parameter. Versions prior to Movable Type 4.36 and 5.05 are affected.
    • Ref: http://www.securityfocus.com/bid/50017/references

    • 11.42.22 - CVE: Not Available
    • Platform: Web Application
    • Title: Jaws Multiple Remote File Include Vulnerabilities
    • Description: Jaws is a Web-based application framework and content management system written in PHP. The application is exposed to multiple remote file include issues because it fails to sufficiently sanitize user-supplied input. Jaws 0.8.14 is vulnerable and other versions may also be affected.
    • Ref: http://www.securityfocus.com/bid/50022/discuss

    • 11.42.23 - CVE: Not Available
    • Platform: Web Application
    • Title: KaiBB SQL Injection and Cross-Site Scripting Vulnerabilities
    • Description: KaiBB is a PHP-based online community application. The application is exposed to multiple issues because it fails to sufficiently sanitize user-supplied input. KaiBB 2.0.1 is vulnerable; other versions may also be affected.
    • Ref: http://www.securityfocus.com/bid/50029/references

    • 11.42.24 - CVE: CVE-2011-3485
    • Platform: Web Application
    • Title: ZOHO ManageEngine ADSelfService Plus Authentication Bypass
    • Description: ManageEngine ADSelfService Plus is a web-based end user password reset management program. The application is exposed to an authentication bypass issue. Specifically, an attacker can bypass the authentication process and gain administrative access by setting the "resetUnLock" value to "true" in a POST request. ManageEngine ADSelfService Plus 4.5 Build 4521 is vulnerable and other versions may also be affected.
    • Ref: http://www.securityfocus.com/bid/50071/references


    • 11.42.26 - CVE: Not Available
    • Platform: Hardware
    • Title: D-Link DIR-685 Encryption Failure Authentication Bypass
    • Description: D-Link DIR-685 is a wireless router with attached storage. The device is exposed to an authentication bypass issue that occurs when the device is configured with WPA/WPA2 and an AES cipher with a pre-shared key. Specifically, this issue is caused by an encryption failure that occurs during heavy network load, which keeps the device in an open unencrypted state until rebooted. D-Link DIR-685 Xtreme N is affected.
    • Ref: http://www.kb.cert.org/vuls/id/924307

    (c) 2011. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

    Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account