@RISK: The Consensus Security Vulnerability Alert

Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys

• (1) HIGH: Google Chrome Multiple Vulnerabilitise

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

Third Party Windows Apps

• 11.44.1 - Novell ZENworks Handheld Management Multiple Unspecified Remote Code Execution Vulnerabilities
• 11.44.2 - HP MFP Digital Sending Software Local Information Disclosure
• 11.44.3 - Oracle DataDirect Multiple Native Wire Protocol ODBC Driver Buffer Overflow
• 11.44.4 - Skype Technologies Skype Client for Windows File Transfer Remote Buffer Overflow
• 11.44.5 - Multiple Schneider Electric Products UnitelWay Device Driver Privilege Escalation
• 11.44.6 - Oracle AutoVue "AutoVueX.ocx" ActiveX Control Insecure Method
• 11.44.7 - Cyclope Internet Filtering Proxy "CEPMServer.exe" Denial of Service

Linux

• 11.44.8 - apt SSL Certificate Validation Security Bypass

Cross Platform

• 11.44.9 - MIT Kerberos Multiple Denial of Service Vulnerabilities
• 11.44.10 - Oracle GlassFish Server/Java System App Server Remote Vulnerability
• 11.44.11 - IBM WebSphere Application Server JAX-WS Unspecified Vulnerability
• 11.44.12 - MetaSploit Framework "project [name]" Field HTML Injection
• 11.44.13 - Mozilla NSS "NSS_NoDB_Init()" Insecure Library Loading Arbitrary Code Execution
• 11.44.14 - Opera Web Browser Tree Traversing Use-After-Free Memory Corruption
• 11.44.15 - Wing FTP Server Versions Prior to 4.0.1 Information Disclosure
• 11.44.16 - Google Chrome Prior to 15.0.874.102 Multiple Security Vulnerabilities

Web Application - Cross Site Scripting

• 11.44.17 - InverseFlow Multiple Cross-Site Scripting Vulnerabilities
• 11.44.18 - PacketFence Multiple Cross-Site Scripting Vulnerabilities

Web Application - SQL Injection

• 11.44.19 - Boonex Dolphin "xml/get_list.php" SQL Injection
• 11.44.20 - Elgg "limit" Parameter SQL Injection
• 11.44.21 - Radius Manager "admin.php" SQL Injection

Web Application

• 11.44.22 - phpLDAPadmin "functions.php" Remote PHP Code Injection
• 11.44.23 - Alsbtain Bulletin Multiple Local File Include Vulnerabilities

Network Device

• 11.44.24 - Cisco Nexus OS "section" and "less" Local Command Injection Vulnerabilities

Hardware

• 11.44.25 - D-Link Password Field Remote Command Execution
• 11.44.26 - McAfee Web Gateway Web Access Cross-Site Scripting

PART I Critical Vulnerabilities

PART I Critical Vulnerabilities Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/risk/#process

*************************************************************

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 39, 2011

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com) This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 12562 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely. ______________________________________________________________________

• 11.44.1 - CVE: CVE-2011-2656,CVE-2011-2655
• Platform: Third Party Windows Apps
• Title: Novell ZENworks Handheld Management Multiple Unspecified Remote Code Execution Vulnerabilities
• Description: Novell ZENworks Handheld Management is an application used to secure stolen handheld devices from leaking sensitive information. Novell ZENworks Handheld Management is exposed to multiple unspecified remote code-execution issues. Novell ZENworks Handheld Management 7 is affected.
• Ref: http://www.novell.com/support/search.do?cmd=displayKC&docType=kc&externa
  lId=7009489&sliceId=1&docTypeID=DT_TID_1_1&dialogID=275049409&st
  ateId=0%200%20275045722

• 11.44.2 - CVE: CVE-2011-3163
• Platform: Third Party Windows Apps
• Title: HP MFP Digital Sending Software Local Information Disclosure
• Description: HP MFP Digital Sending Software is an application used by HP Multifunction Peripheral (MFP) to send scanned documents. The application is exposed to a local information disclosure issue. Specifically, a local attacker can exploit the issue to disclose personal information from the workflow metadata to unintended recipients. HP MFP Digital Sending Software 4.91.21 and previous 4.9x versions are affected.
• Ref: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03052686

• 11.44.3 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: Oracle DataDirect Multiple Native Wire Protocol ODBC Driver Buffer Overflow
• Description: Oracle DataDirect is a set of drivers that allow users to connect to various types of databases. Oracle DataDirect is exposed to a buffer overflow issue. This issue affects the "ADODB.Connection" object when trying to connect to a database. Specifically, the application fails to perform adequate boundary checks on user-supplied data before passing it to the "HOST" parameter of the connection string. DataDirect 6.0 SQL Server Native Wire Protocol, DataDirect 6.0 Greenplum Wire Protocol, DataDirect 6.0 Informix Wire Protocol, DataDirect 6.0 PostgreSQL Wire Protocol and DataDirect 6.0 MySQL Wire Protocol are affected.
• Ref: http://www.securityfocus.com/archive/1/520169

• 11.44.4 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: Skype Technologies Skype Client for Windows File Transfer Remote Buffer Overflow
• Description: Skype is peer-to-peer communications software that supports Internet based voice communications. The application is exposed to a remote buffer overflow issue because it fails to perform adequate checks on user-initiated file transfer requests. Specifically, the problem occurs when handling file transfers initiated during an "unavailable" or "busy" mode. Skype versions 5.3.0.120 and prior are vulnerable and other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/50308/references

• 11.44.5 - CVE: CVE-2011-3330
• Platform: Third Party Windows Apps
• Title: Multiple Schneider Electric Products UnitelWay Device Driver Privilege Escalation
• Description: Schneider Electric products provide solutions to energy management. The applications are exposed to a local privilege-escalation issue. Specifically, this issue affects the UnitelWay device driver when processing a specially crafted input, which may result in triggering a buffer overflow. Vijeo Citect 7.20 and prior versions, OPC Factory Server 3.34, Telemecanique Driver Pack 2.6 and prior versions, Unity Pro 6.0 and prior versions, Monitor 7.6 and prior versions and PL7 Pro 4.5 SP5 and prior versions are affected.
• Ref: http://www.us-cert.gov/control_systems/pdf/ICSA-11-277-01.pdf

• 11.44.6 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: Oracle AutoVue "AutoVueX.ocx" ActiveX Control Insecure Method
• Description: Oracle AutoVue is a suite of visualization applications. Oracle AutoVue "AutoVueX.ocx" ActiveX control is exposed to an issue caused by an insecure method. The issue occurs because the application fails to handle user-supplied input passed to the "Export3DBom()" method. The control is identified by CLSID: B6FCC215-D303-11D1-BC6C-0000C078797F. Oracle AutoVue 20.0.1 is vulnerable; other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/50333/references

• 11.44.7 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: Cyclope Internet Filtering Proxy "CEPMServer.exe" Denial of Service
• Description: Cyclope Internet Filtering Proxy is a website navigation filtering application. The application is exposed to a denial of service issue. Specifically, the issue occurs in the "CEPMServer.exe" service when an overly long string is provided to the "<user>" tag. Cyclope Internet Filtering Proxy version 4.0 is vulnerable and other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/50335/discuss

• 11.44.8 - CVE: Not Available
• Platform: Linux
• Title: apt SSL Certificate Validation Security Bypass
• Description: apt is a package manager. Apt is exposed to a security bypass issue because it fails to properly validate SSL certificates. Specifically, the program fails to verify the host name in the certificates from "/etc/ssl/certs/ca-certificates.crt". Apt versions prior to 0.8.11 are affected.
• Ref: http://www.securityfocus.com/bid/50288/discuss

• 11.44.9 - CVE: CVE-2011-1529,CVE-2011-1528,CVE-2011-1527
• Platform: Cross Platform
• Title: MIT Kerberos Multiple Denial of Service Vulnerabilities
• Description: MIT Kerberos is a suite of applications and libraries designed to implement the Kerberos network authentication protocol. It is freely available and operates on numerous platforms. MIT Kerberos is exposed to multiple remote denial of service issues. See reference for further details. krb5-1.8 and later and krb5-1.9 and later are affected.
• Ref: http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-006.txt

• 11.44.10 - CVE: CVE-2011-3559
• Platform: Cross Platform
• Title: Oracle GlassFish Server/Java System App Server Remote Vulnerability
• Description: Oracle GlassFish Server and Sun Java System Application Server are exposed to a remote issue. The issue can be exploited over the "HTTP" protocol. The "Web Container" sub component is affected. Communications Server 2.0, GlassFish Enterprise Server 2.1.1, 3.0.1 amd 3.1.1, and Sun Java System App Server 8.1 and 8.2 are affected.
• Ref: http://www.oracle.com/technetwork/topics/security/cpuoct2011-330135.html

• 11.44.11 - CVE: Not Available
• Platform: Cross Platform
• Title: IBM WebSphere Application Server JAX-WS Unspecified Vulnerability
• Description: IBM WebSphere Application Server is a web server. The application is exposed to an unspecified issue in the WS-Security policy enabled Java API for XML Web Services application. IBM WebSphere Application Server versions 6.1 through 6.1.0.40 are affected.
• Ref: http://www-01.ibm.com/support/docview.wss?uid=swg1PM50205

• 11.44.12 - CVE: Not Available
• Platform: Cross Platform
• Title: MetaSploit Framework "project [name]" Field HTML Injection
• Description: Metasploit Framework is a tool for penetration testing and exploit development. It is available for Linux and Microsoft Windows platforms. The application is exposed to an HTML injection issue that affects the web user interface because it fails to properly sanitize user-supplied input submitted to the "project [name]" field. MetaSploit Framework 4.1.0 is vulnerable and other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/50315/references

• 11.44.13 - CVE: Not Available
• Platform: Cross Platform
• Title: Mozilla NSS "NSS_NoDB_Init()" Insecure Library Loading Arbitrary Code Execution
• Description: Mozilla Network Security Services (NSS) is a library providing cryptographic and security functionality. It is used by a number of products, including Mozilla Firefox, Thunderbird and SeaMonkey. The application is exposed to an issue that lets attackers execute arbitrary code. The issue arises because the "NSS_NoDB_Init()" function fails to properly create the file path for the "/pkcs11.txt" configuration file and for "/secmod.db". Mozilla NSS version 3.12.5 and prior are affected.
• Ref: https://bugzilla.mozilla.org/show_bug.cgi?id=641052

• 11.44.14 - CVE: Not Available
• Platform: Cross Platform
• Title: Opera Web Browser Tree Traversing Use-After-Free Memory Corruption
• Description: Opera Web Browser is a browser that runs on multiple operating systems. The application is exposed to a remote memory corruption issue because it fails to properly handle tree traversing. Specifically, this issue occurs because of a use-after-free error when processing specially crafted HTML elements. Opera 11.51 is vulnerable and other versions may also be affected.
• Ref: http://dl.packetstormsecurity.net/1110-exploits/opera-useafterfree.txt

• 11.44.15 - CVE: Not Available
• Platform: Cross Platform
• Title: Wing FTP Server Versions Prior to 4.0.1 Information Disclosure
• Description: Wing FTP Server is an FTP server application. Wing FTP Server is exposed to an unspecified information disclosure issue that occurs when handling specially crafted HTTP requests. Versions prior to Wing FTP Server 4.1.0 are affected.
• Ref: http://www.wftpserver.com/serverhistory.htm#gotop

• 11.44.16 - CVE:CVE-2011-3891,CVE-2011-3890,CVE-2011-3889,CVE-2011-3888,CVE-2011-3887,CVE-2011-3886,CVE-2011-3885,CVE-2011-3884,CVE-2011-3883,CVE-2011-3882,CVE-2011-3881,CVE-2011-3880,CVE-2011-3879,CVE-2011-3878,CVE-2011-3877,CVE-2011-3876,CVE-2011-3875,CVE-2011-2845
• Platform: Cross Platform
• Title: Google Chrome Prior to 15.0.874.102 Multiple Security Vulnerabilities
• Description: Google Chrome is a Web browser available for multiple platforms. Google Chrome is exposed to multiple security issues. See reference for further details. Versions prior to Chrome
• Ref: http://googlechromereleases.blogspot.com/2011/10/chrome-stable-release.html

• 11.44.17 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: InverseFlow Multiple Cross-Site Scripting Vulnerabilities
• Description: InverseFlow is a web-based application implemented in PHP. The application is exposed to multiple cross-site scripting issues because it fails to sufficiently sanitize user-supplied input. InverseFlow 2.4 is vulnerable and other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/50344/references

• 11.44.18 - CVE: CVE-2011-4067
• Platform: Web Application - Cross Site Scripting
• Title: PacketFence Multiple Cross-Site Scripting Vulnerabilities
• Description: PacketFence is a network access control application. The application is exposed to multiple cross-site scripting issues because it fails to sufficiently sanitize user-supplied input. Versions prior to PacketFence 3.0.2 are affected.
• Ref: http://www.securityfocus.com/bid/50353/references

• 11.44.19 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: Boonex Dolphin "xml/get_list.php" SQL Injection
• Description: Dolphin is a PHP-based application for creating online communities. The application is exposed to an SQL injection issue because it fails to properly sanitize user-supplied input submitted to the "iIDcat" parameter of the "xml/get_list.php" script. Boonex Dolphin 6.1 is vulnerable and other versions may also be affected.
• Ref: http://www.securityfocus.com/archive/1/520146

• 11.44.20 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: Elgg "limit" Parameter SQL Injection
• Description: Curverider Elgg is a PHP-based social media application. The plugin is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data submitted to the "limit" parameter of the "mod/search/search_hooks.php" script. Elgg 1.7.10 through 1.7.13 are affected.
• Ref: http://www.securityfocus.com/bid/50327/references

• 11.44.21 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: Radius Manager "admin.php" SQL Injection
• Description: Radius Manager is a web-based router administration application. Radius Manager is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data submitted to the "cont" parameter of the "admin.php" script. Radius Manager 3.9.0 is vulnerable and other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/50337/references

• 11.44.22 - CVE: Not Available
• Platform: Web Application
• Title: phpLDAPadmin "functions.php" Remote PHP Code Injection
• Description: phpLDAPadmin is a web-based application implemented in PHP for administering LDAP servers. The application is exposed to an issue that lets attackers inject arbitrary PHP code. The issue occurs because the application fails to sanitize the input passed to the "sortby" parameter in "masort()" function of the "lib/functions.php" script. phpLDAPadmin versions 1.2.0 through 1.2.1.1 are affected.
• Ref: http://www.securityfocus.com/bid/50331/references

• 11.44.23 - CVE: Not Available
• Platform: Web Application
• Title: Alsbtain Bulletin Multiple Local File Include Vulnerabilities
• Description: Alsbtain Bulletin is a web application implemented in PHP. Alsbtain Bulletin is exposed to multiple local file include issues because it fails to properly sanitize user-supplied input submitted to the "style" and "act" parameters of the "index.php" script. Alsbtain Bulletin 1.5 and 1.6 are vulnerable and other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/50350/references

• 11.44.24 - CVE: CVE-2011-2569
• Platform: Network Device
• Title: Cisco Nexus OS "section" and "less" Local Command Injection Vulnerabilities
• Description: Cisco MDS, UCS, Nexus 7000, 5000, 4000, 3000, 2000 and 1000V switches are networking hardware devices. Cisco Nexus OS is the operating system running on those devices. Cisco Nexus OS is exposed to multiple local command injection issues because it fails to handle "section" and "less" sub-commands. Specially, the user-supplied input to AWK script is not properly sanitized. Commands can be executed due to improper handling of "|" and "$" symbols. Cisco MDS, UCS, Nexus 7000, 5000, 4000, 3000, 2000 and 1000V are vulnerable and other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/50347/references

• 11.44.25 - CVE: Not Available
• Platform: Hardware
• Title: D-Link Password Field Remote Command Execution
• Description: D-Link DCS-2121 is a wireless IP camera. The device is exposed to a remote command execution issue. This issue occurs because the application fails to sanitize user-supplied input to the "Password" field of the "recorder_test.cgi" script. D-Link DCS-2121 with firmware version 1.04 is vulnerable and other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/50277/discuss

• 11.44.26 - CVE: Not Available
• Platform: Hardware
• Title: McAfee Web Gateway Web Access Cross-Site Scripting
• Description: McAfee Web Gateway is an anti malware application installed on appliances for web threats. McAfee Web Gateway is exposed to a cross-site scripting issue because it fails to sanitize user-supplied input, when processing data passed to the web access component. McAfee Web Gateway 7.1.5.1 is affected.
• Ref: https://kc.mcafee.com/resources/sites/MCAFEE/content/live/PRODUCT_DOCUMENTATION/
  23000/PD23455/en_US/mwg_7152_release_notes.pdf

(c) 2011. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account