
@RISK: The Consensus Security Vulnerability Alert

Volume: X, Issue: 41
November 10, 2011

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

Summary of Updates and Vulnerabilities in this Consensus

Platform                                 Number of Updates and Vulnerabilities
- ------------------------               -------------------------------------
Windows                                  3 (#1,#2)
Other Microsoft Products                 1
Third Party Windows Apps                 3 (#3,#6)
Linux                                    1
Cross Platform                           5 (#4,#5)
Web Application - Cross Site Scripting   3
Web Application - SQL Injection          2
Web Application                          4
Network Device                           1
Hardware                                 3

************************* Sponsored By IBM *****************************

Now Available ONDEMAND, Analyst Webcast: Integrating Security into Development, No Pain Required. FEATURING: Dave Shackleford and Karl Snider. Go to http://www.sans.org/info/90986

**************************************************************************
TRAINING UPDATE

--SANS San Francisco 2011, San Francisco, CA, November 14-19, 2011
5 courses. Bonus evening presentations include The Worst Mistakes in Cloud Computing Security; Offensive Countermeasures; and Watching the Wire at Home
http://www.sans.org/san-francisco-2011/

--EURO SCADA & Process Control System Security Summit, Rome, Dec 1-2, 2011
Pre-Summit Courses November 26-30, 2011
Post-Summit Courses December 3-4, 2011
Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them.
http://www.sans.org/eu-scada-2011/

--SANS San Antonio 2011, San Antonio, TX, November 28-December 5, 2011
7 courses. Bonus evening presentations include Effective Methods for Implementing the 20 Critical Security Controls; and Assessing Deception: Are They Lying to You?
http://www.sans.org/san-antonio-2011/

--SANS London 2011, London, UK, December 3-12, 2011
18 courses. Bonus evening presentations include IPv6 Challenges for Intrusion Detection and Understanding How Attackers Bypass Network and Content Restrictions.
http://www.sans.org/london-2011/

--Incident Detection & Log Management Summit, Washington DC, December 7-8, 2011
Learn the latest techniques to detect breaches and intrusions!
http://www.sans.org/incident-detection-summit-2011/

--SANS CDI 2011, Washington, DC, December 9-16, 2011
27 courses. Bonus evening presentations include Emerging Trends in Data Law and Investigations, and Critical Infrastructure Control Systems Cybersecurity.
http://www.sans.org/cyber-defense-initiative-2011/

--SANS Security East 2012, New Orleans, LA January 17-26, 2012
11 courses. Bonus evening presentations include Advanced VoIP Pen Testing: Current Threats and Methods; and Helping Small Businesses with Security.
http://www.sans.org/security-east-2012/

--Looking for training in your own community?
http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/discounts.php#current

Plus Sydney, Tokyo, Perth and Atlanta all in the next 90 days.

For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
**************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Windows
Other Microsoft Products
Third Party Windows Apps
Linux
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application
Network Device
Hardware

************************* Sponsored Link: ********************************

1) ECAT Enterprise Malware Threat Detection finds what AV misses - see the video here http://www.sans.org/info/90991 ECAT: Signature-less detection of APT.
**************************************************************************

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/risk/#process

*************************************************************

Widely Deployed Software
  • (1) HIGH: Microsoft Windows Kernel TrueType Font Parsing Vulnerability
  • Affected:
    • Windows XP
    • Windows Server 2003
    • Windows Vista
    • Windows Server 2008
    • Windows 7
  • Description: The Microsoft Windows Kernel is susceptible to a vulnerability due to improper handling of TrueType fonts. This vulnerability is being actively exploited in the wild by the Duqu worm. By enticing the target to view a document with a malicious font, the attacker can exploit this vulnerability in order to execute arbitrary code on the target machine with SYSTEM-level permissions.

  • Status: vendor confirmed, updates not available

  • References:
  • (2) HIGH: Microsoft Windows Kernel Networking Vulnerability
  • Affected:
    • Windows Vista
    • Windows Server 2008
    • Windows 7
  • Description: Microsoft has released a patch for a vulnerability in the Windows kernel relating to its handling of UDP packets. The vulnerability lies in the way UDP packets are managed in memory. By sending a stream of specially crafted UDP packets, an attacker can exploit this vulnerability in order to execute arbitrary code on the target's machine with SYSTEM-level permissions.

  • Status: vendor confirmed, updates available

  • References:
  • (3) HIGH: HP Data Protector Media Operation 'DBServer.exe' Buffer Overflow Vulnerability
  • Affected:
    • HP Data Protector Media Operations Version 6.20 and prior
  • Description: Luigi Auriemma has published an exploit for a vulnerability affecting Data Protector, HP's centralized backup software. The vulnerability is due to improper handling of large TCP segments. It isn't immediately clear from the writeup whether the vulnerability is in the control server or the component that runs on clients. By sending a malicious request, an attacker can exploit this vulnerability in order to execute arbitrary code on the target's machine.

  • Status: vendor not confirmed, updates not available

  • References:
  • (6) MEDIUM: Novell ZENworks Software Packaging Multiple Vulnerabilities
  • Affected:
    • Novell ZENworks 10 Configuration Management with Support Pack 2 - 10.2
    • Novell ZENworks 10 Configuration Management with Support Pack 3 - 10.3
    • Novell ZENworks 11 Config
  • Description: Novell has released a patch for multiple vulnerabilities in its ZENworks Software Packaging software. ZENworks, which offers configuration management from a centralized console, includes an application packaging component that, in turn, contains three vulnerabilities in its ActiveX controls: a buffer overflow in ISGrid2.dll; a directory traversal in LaunchHelp.dll; and the use of a killbitted ActiveX control, circa year 2000, via a scriptable intermediate control, ISList.ISAvi. That older ActiveX control, mscomct2.ocx, is susceptible to a variety of exploitable vulnerabilities. By enticing a target to view a malicious site, an attacker can exploit these vulnerabilities in order to execute arbitrary code on the target's machine.

  • Status: vendor confirmed, updates available

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 41, 2011

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 12638 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.
______________________________________________________________________


  • 11.46.1 - CVE: CVE-2011-2013
  • Platform: Windows
  • Title: Microsoft Windows TCP/IP Stack Reference Counter Integer Overflow
  • Description: Microsoft Windows is exposed to a remote integer overflow issue that affects the TCP/IP stack. Specifically, this issue is caused by an integer overflow of the reference counter in the implementation of the TCP/IP stack. All supported editions of Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2 are affected.
  • Ref: http://technet.microsoft.com/en-us/security/bulletin/MS11-083

  • 11.46.2 - CVE: CVE-2011-2004
  • Platform: Windows
  • Title: Microsoft Windows Kernel TrueType Font Parsing Denial of Service
  • Description: Microsoft Windows is exposed to a remote denial of service issue that occurs in the Windows kernel "Win32k.sys" kernel mode device driver. Specifically, this issue is caused by the improper handling of a specially crafted TrueType font file. All supported editions of Windows 7 and Windows 2008 R2 are affected.
  • Ref: http://technet.microsoft.com/en-us/security/bulletin/MS11-084

  • 11.46.3 - CVE: CVE-2011-2016
  • Platform: Windows
  • Title: Windows Mail and Windows Meeting Space DLL Loading Arbitrary Code Execution
  • Description: Microsoft Windows Mail is an email client. Windows Meeting Space is an application that allows users to share documents. A remote code execution issue exists in the way that Windows Mail and Windows Meeting Space handle the loading of DLL files. Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2 are affected.
  • Ref: http://technet.microsoft.com/en-us/security/bulletin/MS11-085

  • 11.46.4 - CVE: CVE-2011-2014
  • Platform: Other Microsoft Products
  • Title: Microsoft Active Directory LDAPS Authentication Bypass
  • Description: Microsoft Active Directory is an LDAP (Lightweight Directory Access Protocol) implementation distributed with multiple Windows operating systems. Microsoft Active Directory is exposed to a security bypass issue. The issue occurs when the application is configured to use LDAPS. Specifically, it fails to validate revoked SSL certificates against the CRL associated with the domain account. Active Directory, ADAM, and AD LDS installed on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008 (except Itanium), Windows 7 and Windows Server 2008 R2 (except Itanium) are affected.
  • Ref: http://technet.microsoft.com/en-us/security/bulletin/MS11-086

  • 11.46.5 - CVE: CVE-2011-1914
  • Platform: Third Party Windows Apps
  • Title: Advantech ADAM OPC Server ActiveX Control Buffer Overflow
  • Description: Advantech ADAM OPC Server is an interface for industrial device servers. Advantech ADAM OPC Server is exposed to a remote buffer overflow issue because it fails to sufficiently validate user supplied data. This issue affects an unspecified ActiveX control. Advantech ADAM OPC Server Versions prior to V3.01.012, Advantech Modbus RTU OPC Server Versions prior to V3.01.010 and Advantech Modbus TCP OPC Server Versions prior to V3.01.010 are affected.
  • Ref: http://www.us-cert.gov/control_systems/pdf/ICSA-11-279-01.pdf

  • 11.46.6 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: HP Data Protector Media Operation "DBServer.exe" Heap Buffer Overflow
  • Description: HP Data Protector Media Operations is an application for tracking and managing offline storage media, such as magnetic tapes. The application is exposed to a remote heap-based buffer overflow issue because it fails to properly bounds check user supplied data before copying it into an insufficiently sized memory buffer. Specifically, this issue occurs in the "DBServer.exe" process when processing a packet sent through TCP port 19813. HP Data Protector Media Operations 6.20 is vulnerable; other versions may also be affected.
  • Ref: http://www.securityfocus.com/bid/50558/references

  • 11.46.7 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Aviosoft DTV Player ".plf" File Remote Buffer Overflow
  • Description: Aviosoft DTV Player is a media player. The application is exposed to a remote buffer overflow issue because it fails to perform adequate bounds checks on user supplied input. Specifically, this issue occurs while handling specially crafted ".plf" files. Aviosoft DTV Player 1.0.1.2 is vulnerable; other versions may also be affected.
  • Ref: http://www.kb.cert.org/vuls/id/998403

  • 11.46.8 - CVE: CVE-2011-3349
  • Platform: Linux
  • Title: LightDM Symlink Attack Local Privilege Escalation
  • Description: LightDM is a cross-desktop display manager. The application is exposed to a local privilege escalation issue. Specifically, the issue occurs because the application writes to the "~/.dmrc" and "~/.Xauthority" files as root user. This can be exploited to overwrite arbitrary files via symlink attacks. Versions prior to LightDM 0.9.6 are affected.
  • Ref: http://www.securityfocus.com/bid/50506/references

  • 11.46.9 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Serv-U Web Client Unspecified Cross-Site Scripting
  • Description: Serv-U Web Client is a browser-based application for transferring files. The application is exposed to an unspecified cross-site scripting issue because it fails to sanitize user-supplied input. Versions prior to Serv-U Web Client 11.0.0.4 are affected.
  • Ref: http://www.serv-u.com/releasenotes/

  • 11.46.10 - CVE: Not Available
  • Platform: Cross Platform
  • Title: FFmpeg Multiple Unspecified Vulnerabilities
  • Description: FFmpeg is a multimedia player. The application is exposed to multiple unspecified issues. FFmpeg versions prior to 0.7.7 and 0.8.6 are affected.
  • Ref: http://www.securityfocus.com/bid/50555/references

  • 11.46.11 - CVE: CVE-2011-2446,CVE-2011-2447,CVE-2011-2448,CVE-2011-2449
  • Platform: Cross Platform
  • Title: Adobe Shockwave Player Multiple Vulnerabilities
  • Description: Adobe Shockwave Player is a multimedia player. The application is exposed to multiple issues. See reference for further details. Versions prior to Adobe Shockwave Player 11.6.3.633 are affected.
  • Ref: http://www.adobe.com/support/security/bulletins/apsb11-27.html

  • 11.46.12 - CVE: CVE-2011-4000
  • Platform: Cross Platform
  • Title: ChaSen Unspecified Buffer Overflow
  • Description: ChaSen is an application for morphologically analyzing Japanese. The application is exposed to a buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data. The ChaSen 2.4 series is vulnerable and other versions may also be affected.
  • Ref: http://jvn.jp/en/jp/JVN16901583/index.html

  • 11.46.14 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: XAMPP "PHP_SELF" Variable Multiple Cross-Site Scripting Vulnerabilities
  • Description: XAMPP is a bundle that contains the Apache web server, MySQL, PHP, Perl, FTP server and phpMyAdmin. The application is exposed to multiple cross-site scripting issues because it fails to sufficiently sanitize user-supplied data passed through URI to "xamppsecurity.php", "cds.php", "perlinfo.pl". XAMPP 1.7.7 for Windows is affected.
  • Ref: http://www.securityfocus.com/bid/50564/references

  • 11.46.15 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: IBM Rational Asset Manager Unspecified Cross-Site Scripting
  • Description: Rational Asset Manager provides a definitive library for managing business and technical assets. The application is exposed to a cross-site scripting issue because it fails to properly sanitize unspecified user-supplied input. Rational Asset Manager 7.5 is vulnerable and other versions may also be affected.
  • Ref: http://www-01.ibm.com/support/docview.wss?uid=swg1PM38467

  • 11.46.16 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: Serendipity "serendipity" Parameter Cross-Site Scripting
  • Description: Serendipity is a web log application implemented in PHP. The application is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied input submitted to the "serendipity" parameter of the "serendipity_admin_image_selector.php" script. This issue affects Serendipity 1.5.5; prior versions may also be affected.
  • Ref: http://www.rul3z.de/advisories/SSCHADV2011-015.txt

  • 11.46.17 - CVE: CVE-2010-5000
  • Platform: Web Application - SQL Injection
  • Title: OrderSys "where_clause" Parameter Multiple SQL Injection Vulnerabilities
  • Description: OrderSys is a web-based application implemented in PHP. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data to the "where_clause" parameter of the "index.php", "index_long.php" and "index_short.php" scripts. OrderSys 1.6.4 and prior are affected.
  • Ref: http://www.securityfocus.com/bid/50550/info

  • 11.46.18 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: LabStore Multiple SQL Injection Vulnerabilities
  • Description: LabStore is a web-based application written in PHP. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data submitted to the "where_clause" parameter. LabStore 1.5.4 and prior are vulnerable and other versions may also be affected.
  • Ref: http://www.securityfocus.com/bid/50551/info

  • 11.46.19 - CVE: Not Available
  • Platform: Web Application
  • Title: Ajax File and Image Manager "data.php" PHP Code Injection
  • Description: Ajax File and Image Manager is exposed to an issue that lets attackers inject arbitrary PHP code. The issue occurs because the application fails to sanitize the input passed to the "$data" parameter of the "data.php" script. Ajax File and Image Manager 1.0 is vulnerable and other versions may also be affected.
  • Ref: http://www.securityfocus.com/bid/50523/info

  • 11.46.20 - CVE: CVE-2011-2772
  • Platform: Web Application
  • Title: Mahara Upload Denial of Service
  • Description: Mahara is a web-based portfolio application. The application is exposed to a denial of service issue because it fails to sufficiently restrict uploads. Versions prior to Mahara 1.4.1 are affected.
  • Ref: https://launchpad.net/mahara/+milestone/1.4.1

  • 11.46.21 - CVE: Not Available
  • Platform: Web Application
  • Title: vBulletin "section.php" Unspecified Security Vulnerability
  • Description: vBulletin is a content manager implemented in PHP. The application is exposed to an unspecified issue caused by an unknown error in the "packages/vbcms/dm/section.php" script. vBulletin Publishing Suite 4.x versions are affected.
  • Ref: http://www.securityfocus.com/bid/50561/references

  • 11.46.22 - CVE: CVE-2010-4353
  • Platform: Web Application
  • Title: UBB.Threads Unspecified File Upload Vulnerability
  • Description: UBB.Threads is a web-based application. The application is exposed to an arbitrary file upload issue because it fails to adequately validate files before uploading them. UBB.Threads 7.3 and later are affected.
  • Ref: http://www.securityfocus.com/bid/50553/references

  • 11.46.23 - CVE: CVE-2011-3682
  • Platform: Network Device
  • Title: SingTel 2Wire Hardcoded Password Security Bypass
  • Description: SingTel 2Wire is a gateway router for Internet service subscribers used to access the web. The device is exposed to a remote security bypass issue because its Management and Diagnostic Console uses a hardcoded default password: "2wire". SingTel 2Wire firmware versions 5 and below are affected.
  • Ref: http://blog.szechuen.com/cve-2011-3682

  • 11.46.24 - CVE: CVE-2011-4005
  • Platform: Hardware
  • Title: Cisco Small Business SRP500 Series Appliances Web Interface Remote Command Injection
  • Description: Cisco Small Business SRP500 Series Appliances are services-ready platforms that provide IP voice, data, security and wireless services. The devices are exposed to a remote command injection issue because they fail to properly sanitize user-supplied input to the web interface of the SRP (Services Ready Platform) Configuration Utility. SRP520 Series models with firmware prior to version 1.1.24 and SRP540 Series models with firmware prior to version 1.2.1 are affected.
  • Ref: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20111102-srp500

  • 11.46.25 - CVE: CVE-2011-2740
  • Platform: Hardware
  • Title: RSA Key Manager Appliance Session Handling Local Security Bypass
  • Description: The RSA Key Manager Appliance is a hardware device designed to simplify the installation and management of the RSA Key Manager server. The device is exposed to a security bypass issue because it fails to properly end a session when a user logs out. RSA Key Manager Appliance 2.7 Service Pack 1 is vulnerable and other versions may also be affected.
  • Ref: http://www.securityfocus.com/archive/1/520381

  • 11.46.26 - CVE: Not Available
  • Platform: Hardware
  • Title: DreamBox DM800 "file" Parameter Local File Disclosure
  • Description: The DreamBox is a Linux-based DVB satellite and digital cable decoder. DreamBox DM800 is exposed to a local file disclosure issue because it fails to adequately validate user-supplied input to the "file" parameter of an unspecified script. DreamBox DM800 versions 1.5rc1 and prior are affected.
  • Ref: http://www.securityfocus.com/bid/50520/info

(c) 2011. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account