
@RISK: The Consensus Security Vulnerability Alert

Volume: X, Issue: 40
November 4, 2011

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Platform                                 Number of Updates and Vulnerabilities
    ------------------------                 -------------------------------------
    Windows                                  1 (#1)
    Other Microsoft Products                 1
    Third Party Windows Apps                 8
    Linux                                    1
    Cross Platform                           9 (#2,#3,#4)
    Web Application - Cross Site Scripting   1
    Web Application - SQL Injection          1
    Web Application                          3
    Network Device                           1
    Hardware                                 1

TRAINING UPDATE

- --SANS Seattle 2011, Seattle, WA, November 2-7, 2011. 5 courses. Bonus evening presentations include Future Trends in Network Security; and Ninja Developers: Penetration Testing and Your SDLC. http://www.sans.org/seattle-2011/

- --SANS San Francisco 2011, San Francisco, CA, November 14-19, 2011. 5 courses. Bonus evening presentations include The Worst Mistakes in Cloud Computing Security; Offensive Countermeasures; and Watching the Wire at Home. http://www.sans.org/san-francisco-2011/

- --EURO SCADA & Process Control System Security Summit, Rome, Dec 1-2, 2011. Pre-Summit Courses November 26-30, 2011; Post-Summit Courses December 3-4, 2011. Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them. http://www.sans.org/eu-scada-2011/

- --SANS San Antonio 2011, San Antonio, TX, November 28-December 5, 2011. 7 courses. Bonus evening presentations include Effective Methods for Implementing the 20 Critical Security Controls; and Assessing Deception: Are They Lying to You? http://www.sans.org/san-antonio-2011/

- --SANS London 2011, London, UK, December 3-12, 2011. 18 courses. Bonus evening presentations include IPv6 Challenges for Intrusion Detection and Understanding How Attackers Bypass Network and Content Restrictions. http://www.sans.org/london-2011/

- --Incident Detection & Log Management Summit, Washington DC, December 7-8, 2011. Learn the latest techniques to detect breaches and intrusions! http://www.sans.org/incident-detection-summit-2011/

- --SANS CDI 2011, Washington, DC, December 9-16, 2011. 27 courses. Bonus evening presentations include Emerging Trends in Data Law and Investigations, and Critical Infrastructure Control Systems Cybersecurity. http://www.sans.org/cyber-defense-initiative-2011/

- --SANS Security East 2012, New Orleans, LA, January 17-26, 2012. 11 courses. Bonus evening presentations include Advanced VoIP Pen Testing: Current Threats and Methods; and Helping Small Businesses with Security. http://www.sans.org/security-east-2012/

- --Looking for training in your own community? http:sans.org/community/

- --Save on On-Demand training (30 full courses). See samples at http://www.sans.org/ondemand/discounts.php#current

- --Plus Seoul, Sydney, Tokyo and Perth all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

***************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Windows
Other Microsoft Products
Third Party Windows Apps
Linux
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application
Network Device
Hardware

****************************** Sponsored Links: **************************

1) Complimentary Forrester Webinar & Research: "See, Know, Act: Advancing Network Visibility, Analysis & Protection with NetFlow" http://www.sans.org/info/90289

2) Now Available ONDEMAND, Analyst Webcast: Integrating Security into Development, No Pain Required. FEATURING: Dave Shackleford and Karl Snider. Go to http://www.sans.org/info/90299

***************************************************************************

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/risk/#process

*************************************************************

Widely Deployed Software
  • (1) HIGH: Microsoft Windows Kernel 0-Day Vulnerability
  • Affected:
    • Microsoft Windows XP
    • Microsoft Windows Vista
    • Microsoft Windows Server 2003
    • Microsoft Windows Server 2008
    • Microsoft Windows 7
  • Description: The Microsoft Windows kernel is susceptible to a 0-day vulnerability that is being actively exploited in the wild by the W32.Duqu worm. By enticing the target to view a malicious Word document, the worm exploits a previously unknown vulnerability in the Windows kernel to execute arbitrary code on the target's machine. Technical information about the vulnerability is not publicly available. Microsoft has not yet publicly acknowledged the vulnerability, but, according to Secunia, Microsoft is working on a patch.

  • Status: vendor not confirmed, updates not available

  • References:
  • (4) MEDIUM: Novell iPrint Client nipplib.dll Buffer Overflow
  • Affected:
    • Novell iPrint Client prior to 5.72
  • Description: Novell has released a patch addressing a vulnerability in its iPrint client, part of its iPrint system, which is designed to allow shared access to printers using the Internet Printing Protocol (IPP). The vulnerability is due to a problem in the GetDriverSettings method of the nipplib.dll library, which is exposed as an ActiveX control and can therefore be reached from a web site. The vulnerable method copies an attacker-controlled hostname and port into a fixed-length buffer when it writes to a log. By enticing a target to view such a malicious page, an attacker can exploit this vulnerability in order to execute arbitrary code on the target's machine.

  • Status: vendor confirmed, updates available

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 40, 2011

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 12615 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 11.45.1 - CVE: Not Available
  • Platform: Windows
  • Title: Microsoft Windows Kernel Word File Handling Remote Code Execution
  • Description: The Microsoft Windows kernel is exposed to a remote code execution issue when handling a specially crafted Word (.doc) file. Microsoft Windows XP, Vista, Windows 7, Windows Server 2003 and Windows Server 2008 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/50462/references

  • 11.45.2 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Microsoft Outlook Web Access Session Replay Security Bypass
  • Description: Microsoft Outlook Web Access is a web-based email client application that is bundled with Microsoft Exchange. The application is exposed to a security bypass issue. The issue occurs because the application allows attackers to sniff web cookies and then replay them. This will allow attackers to clone another user's web session. Microsoft Outlook Web Access 8.2.254.0 is vulnerable and other versions may also be affected.
  • Ref: http://seclists.org/fulldisclosure/2011/Oct/818

  • 11.45.3 - CVE: CVE-2011-3173
  • Platform: Third Party Windows Apps
  • Title: Novell iPrint Client "nipplib.dll" Remote Code Execution
  • Description: Novell iPrint Client is a client application for printing over the Internet. The application is exposed to a remote code execution issue. The problem occurs in the "GetDriverSettings" function of the "nipplib.dll" file. Versions prior to Novell iPrint Client 5.72 are affected.
  • Ref: http://www.securityfocus.com/bid/50367/discuss


  • 11.45.5 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Winamp Multiple Remote Vulnerabilities
  • Description: Nullsoft Winamp is a media player for Microsoft Windows. The application is exposed to multiple issues. A heap-based buffer overflow issue affects the "in_midi.dll" plugin when processing the "iOffsetMusic" value within the Creative Music Format header. A heap-based buffer overflow issue affects the "in_mod.dll" plugin when processing the "channels" value within the Advanced Module Format header. A heap-based buffer overflow issue affects the "in_nsv.dll" plugin when handling the "toc_alloc" value within the Nullsoft Streaming Video header. Winamp version 5.621 is vulnerable and prior versions may also be affected.
  • Ref: http://www.securityfocus.com/bid/50387/discuss

  • 11.45.6 - CVE: CVE-2011-3991
  • Platform: Third Party Windows Apps
  • Title: FFFTP Insecure Executable File Loading Arbitrary Code Execution
  • Description: FFFTP is an FTP client for Microsoft Windows. The application is exposed to an issue that lets attackers execute arbitrary code. The issue arises because the application loads an executable file (notepad.exe) in an insecure manner. Attackers must entice an unsuspecting user into opening a file on a remote WebDAV or SMB share to exploit this issue. FFFTP versions prior to 1.98b are affected.
  • Ref: http://www.securityfocus.com/bid/50412/references

  • 11.45.7 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: GFI Faxmaker Divide-By-Zero Denial of Service
  • Description: GFI Faxmaker is an application for managing network fax servers. The application is exposed to a remote denial of service issue due to an integer division by zero condition when processing crafted ".fax" files. GFI Faxmaker 10.0 Build 237 is vulnerable and other versions may also be affected.
  • Ref: http://www.securityfocus.com/bid/50429/discuss

  • 11.45.8 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: YaTFTPSvr TFTP Server Directory Traversal
  • Description: YaTFTPSvr is a TFTP server for various Microsoft Windows platforms. The application is exposed to a directory traversal issue because it fails to sufficiently sanitize directory traversal strings from user-supplied filenames. YaTFTPSvr 1.0.1.200 is vulnerable and other versions may also be affected.
  • Ref: http://www.securityfocus.com/archive/1/520302

  • 11.45.9 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: NJStar Communicator MiniSMTP Server Remote Stack Buffer Overflow
  • Description: NJStar Communicator is a web-based communication application. The application is exposed to a remote stack-based buffer overflow issue because it fails to properly bounds check user-supplied data before copying it to an insufficiently sized memory buffer. A specially crafted packet can be used to trigger this vulnerability. NJStar Communicator 3.00 is vulnerable and other versions may also be affected.
  • Ref: http://www.securityfocus.com/bid/50452/discuss

  • 11.45.10 - CVE: CVE-2011-1918
  • Platform: Third Party Windows Apps
  • Title: GE Proficy Historian Data Archiver Service Remote Buffer Overflow
  • Description: Proficy Historian is a data historian application that collects, archives and distributes production information. The application is exposed to a remote stack-based buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data before copying it to an insufficiently sized buffer. Proficy Historian version 4.0 and prior, Proficy HMI/SCADA CIMPLICITY version 8.1 (If Historian is installed), Proficy HMI/SCADA iFix version 5.0 and 5.1 (If Historian is installed) are affected.
  • Ref: http://www.us-cert.gov/control_systems/pdf/ICSA-11-243-03.pdf

  • 11.45.11 - CVE: CVE-2011-4073
  • Platform: Linux
  • Title: Openswan Cryptographic Helper Use After Free Remote Denial Of Service
  • Description: Openswan is an implementation of IPsec for Linux. Openswan is exposed to a remote denial of service issue because of a use-after-free error related to the cryptographic helper handler. This issue occurs when handling a specially crafted ISAKMP phase 1 authentication packet. This issue occurs only when Openswan is configured with "nhelpers=0". Openswan 2.3.0 to 2.6.36 are affected.
  • Ref: http://www.openswan.org/download/CVE-2011-4073/CVE-2011-4073.txt

  • 11.45.12 - CVE: CVE-2011-3219,CVE-2011-3220,CVE-2011-3221,CVE-2011-3218,CVE-2011-3222,CVE-2011-3223,CVE-2011-3228,CVE-2011-3247,CVE-2011-3248,CVE-2011-3249,CVE-2011-3250,CVE-2011-3251
  • Platform: Cross Platform
  • Title: Apple QuickTime Multiple Vulnerabilities
  • Description: Apple QuickTime is a media player that supports multiple file formats. The application is exposed to multiple security issues. See reference for detailed information. Versions prior to QuickTime 7.7.1 are vulnerable on Windows 7, Vista and XP.
  • Ref: http://support.apple.com/kb/HT5016

  • 11.45.13 - CVE: CVE-2011-1370
  • Platform: Cross Platform
  • Title: IBM Lotus Sametime Configuration Servlet Authentication Security Bypass
  • Description: IBM Lotus Sametime is a real-time web conferencing application. The application is exposed to a security bypass issue. This issue occurs because the configuration servlet does not require any authentication for requests. All versions of IBM Lotus Sametime are affected.
  • Ref: http://www-01.ibm.com/support/docview.wss?uid=swg21569452

  • 11.45.14 - CVE: CVE-2011-2769,CVE-2011-2768
  • Platform: Cross Platform
  • Title: Tor Directory Remote Information Disclosure Vulnerability and Bridge Enumeration Weaknesses
  • Description: Tor is an implementation of second generation onion routing, a connection oriented anonymous communication service. The application is exposed to multiple bridge enumeration weaknesses and an information disclosure issue that occurs because the application allows attackers to reuse TLS certificates on certain connections. This will allow the attacker to conduct fingerprinting attacks. Versions prior to Tor 0.2.2.34 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/50414/discuss

  • 11.45.15 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Opera Web Browser Escape Sequence Stack Buffer Overflow Denial of Service
  • Description: Opera is a Web browser application. The application is exposed to a denial of service issue. This issue occurs when the application processes a web page with specially crafted JavaScript code containing two different escape sequences. This will result in a stack overflow and cause the application to terminate. Opera Web Browser 11.52 is vulnerable and other versions may also be affected.
  • Ref: http://www.securityfocus.com/bid/50421/discuss

  • 11.45.16 - CVE: CVE-2011-4093,CVE-2011-4091
  • Platform: Cross Platform
  • Title: net6 Session Hijacking and Information Disclosure Vulnerabilities
  • Description: net6 is a networking library. net6 is exposed to multiple issues. An information disclosure issue occurs because it fails to properly validate the authentication of a connecting user, which may result in disclosure of certain information about already logged in users. A session hijacking issue occurs due to an integer overflow of the internal ID counter. net6 1.3.13 is vulnerable and other versions may also be affected.
  • Ref: http://www.securityfocus.com/bid/50442/references

  • 11.45.17 - CVE: CVE-2011-3179
  • Platform: Cross Platform
  • Title: Novell Messenger Server Memory Information Disclosure
  • Description: Novell GroupWise Messenger is a corporate instant messaging application for multiple platforms. The application is exposed to an information disclosure issue that lets attackers retrieve contents of arbitrary memory locations when processing certain commands. Novell Messenger 2.2.0, Novell Messenger 2.1 and GroupWise Messenger 2.04 and earlier are affected.
  • Ref: http://www.novell.com/support/viewContent.do?externalId=7009634

  • 11.45.18 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Squid Proxy Caching Server CNAME Denial of Service
  • Description: Squid is a caching proxy for the Web, supporting HTTP, HTTPS and FTP. The application is exposed to a denial of service issue because of an error while handling DNS requests. Specifically, the issue occurs when a CNAME record points to another CNAME record referring to an empty A-record. Squid 3.1.16 is vulnerable and other versions may also be affected.
  • Ref: http://www.securityfocus.com/bid/50449/references

  • 11.45.19 - CVE: CVE-2009-0900
  • Platform: Cross Platform
  • Title: IBM WebSphere MQ CCDT File Local Privilege Escalation
  • Description: IBM WebSphere MQ is a messaging application. The application is exposed to a local privilege escalation issue due to a buffer overflow condition. This issue occurs when handling a specially crafted Client Channel Definition Table file containing incorrect SSL information. IBM WebSphere MQ versions 6 prior to 6.0.2.7 and IBM WebSphere MQ 7 versions prior to 7.0.1.0 are affected.
  • Ref: http://xforce.iss.net/xforce/xfdb/51038

  • 11.45.20 - CVE: CVE-2011-3167,CVE-2011-3166,CVE-2011-3165
  • Platform: Cross Platform
  • Title: HP OpenView Network Node Manager Multiple Remote Code Execution Vulnerabilities
  • Description: HP OpenView Network Node Manager (NNM) is a fault-management application for IP networks. The application is exposed to multiple remote code execution issues. These issues affect NNM 7.51 and 7.53 running on HP-UX, Linux, Solaris and Windows. Other versions and platforms may also be affected.
  • Ref: http://www.securityfocus.com/archive/1/520349

  • 11.45.21 - CVE: CVE-2011-3361
  • Platform: Web Application - Cross Site Scripting
  • Title: BackupPC "index.cgi" Cross-Site Scripting
  • Description: BackupPC is a remote backup application. The application is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input to the "num" parameter of the "index.cgi" script. BackupPC 3.2.1 is vulnerable and other versions may also be affected.
  • Ref: http://osvdb.org/72055

  • 11.45.22 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: SjXjV "post.php" SQL Injection
  • Description: SjXjV is a web-based application implemented in PHP. SjXjV is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data submitted to the "tid" parameter of the "post.php" script. SjXjV 2.3 is vulnerable and other versions may also be affected.
  • Ref: http://www.securityfocus.com/bid/50426/discuss

  • 11.45.23 - CVE: CVE-2011-1360
  • Platform: Web Application
  • Title: IBM HTTP Server Multiple Cross-Site Scripting Vulnerabilities
  • Description: IBM HTTP Server is an application server used for service oriented architecture. The application is exposed to multiple cross-site scripting issues because it fails to properly sanitize user-supplied input located in the "manual/ibm" and "htdocs/*/manual/ibm/" sub-directories. IBM HTTP Server Versions 1.3.x, and 2.0 (2.0.42 and 2.0.47) are affected.
  • Ref: http://www-01.ibm.com/support/docview.wss?uid=swg21502580

  • 11.45.24 - CVE: Not Available
  • Platform: Web Application
  • Title: IBM WebSphere ILOG Rule Team Server Unspecified Cross-Site Scripting
  • Description: IBM WebSphere ILOG Rule Team Server is a business rule management application. The application is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input. IBM WebSphere ILOG Rule Team Server 7.11 is vulnerable and other versions may also be affected.
  • Ref: http://www-01.ibm.com/support/docview.wss?uid=swg1RS00810

  • 11.45.25 - CVE: Not Available
  • Platform: Web Application
  • Title: eFront Multiple Security Vulnerabilities
  • Description: eFront is a PHP-based e-learning application. The application is exposed to multiple SQL injection issues, a remote code injection issue, an authentication bypass and privilege escalation issue, a remote code execution issue and a file upload issue. eFront 3.6.10 is vulnerable and prior versions may also be affected.
  • Ref: http://www.securityfocus.com/bid/50391/discuss

  • 11.45.26 - CVE: Not Available
  • Platform: Network Device
  • Title: D-Link DIR-300 Unspecified Remote Code Execution and Remote File Disclosure Vulnerabilities
  • Description: The D-Link DIR-300 is a wireless router. The device is exposed to an unspecified remote code execution issue and an unspecified remote file disclosure issue. D-Link DIR-300 is affected.
  • Ref: http://www.securityfocus.com/archive/1/520286

  • 11.45.27 - CVE: Not Available
  • Platform: Hardware
  • Title: Toshiba e-Studio Devices Password Information Disclosure
  • Description: Toshiba e-Studio devices provide printing solutions. The device is exposed to an information disclosure issue. Specifically, the device fails to restrict access to the various configuration pages, which allows unauthenticated attackers to obtain passwords (such as the administrative password) in plaintext from the HTML source code. Toshiba e-STUDIO305, e-STUDIO455, e-STUDIO600 and e-STUDIO603 are affected.
  • Ref: http://www.foofus.net/?page_id=457

(c) 2011. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account