@RISK: The Consensus Security Vulnerability Alert

Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys

• (1) HIGH: Google Chrome Multiple Security Vulnerabilities
• (2) HIGH: Apple iOS FreeType Font Library Memory Corruption

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

Windows

• 11.47.1 - Microsoft Windows AppLocker Rules Local Security Bypass

Third Party Windows Apps

• 11.47.2 - CitectSCADA and Mitsubishi MX4 SCADA Batch Server Module Remote Buffer Overflow
• 11.47.3 - Directories Support for ProLiant Management Processors Unauthorized Access Security Bypass
• 11.47.4 - InduSoft Web Studio "CEServer" Buffer Overflow Vulnerabilities

Linux

• 11.47.5 - IcedTea-Web Plugin Same Origin Policy Bypass
• 11.47.6 - LightDM Two Security vulnerabilities

Aix

• 11.47.7 - IBM AIX WPAR System Calls Local Denial Of Service

Cross Platform

• 11.47.8 - Apache Tomcat Manager Application Security Bypass
• 11.47.9 - ProFTPD Use-After-Free Remote Code Execution
• 11.47.10 - HP Network Node Manager i Multiple Cross-Site Scripting Vulnerabilities
• 11.47.11 - Google Chrome Multiple Security Vulnerabilities
• 11.47.12 - Apache HTTP Server "ap_pregsub()" Function Local Denial of Service
• 11.47.13 - Adobe Flash Player Multiple Vulnerabilities
• 11.47.14 - IBM DB2 Remote Denial of Service

Web Application - Cross Site Scripting

• 11.47.15 - Tiki Wiki CMS Groupware "tiki-pagehistory.php" Cross-Site Scripting Vulnerabilities
• 11.47.16 - Dolibarr Multiple Cross-Site Scripting Vulnerabilities
• 11.47.17 - ReviewBoard Commenting System Cross-Site Scripting
• 11.47.18 - Plume Unspecified Cross-Site Scripting

Web Application

• 11.47.19 - TYPO3 "eu_ldap" LDAP Injection
• 11.47.20 - AShop Open-Redirection and Cross-Site Scripting Vulnerabilities
• 11.47.21 - Support Incident Tracker (SiT!) Multiple Input Validation Vulnerabilities
• 11.47.22 - CMS Made Simple Remote Database Corruption
• 11.47.23 - ResourceSpace Unauthorized Access
• 11.47.24 - Cacti Unspecified SQL Injection and Cross-Site Scripting Vulnerabilities

Hardware

• 11.47.25 - Dell Kace K2000 Multiple Remote Security Vulnerabilities
• 11.47.26 - Cisco TelePresence System Integrator C Series and EX Series Root Authentication Bypass

PART I Critical Vulnerabilities

PART I Critical Vulnerabilities Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/risk/#process

*************************************************************

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 42, 2011

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com) This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 12689 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely. ______________________________________________________________________

• 11.47.1 - CVE: CVE-2011-4434
• Platform: Windows
• Title: Microsoft Windows AppLocker Rules Local Security Bypass
• Description: Microsoft Windows is exposed to a local security bypass issue. This issue occurs because of a failure to properly enforce AppLocker rules. This may allow attackers to bypass security restrictions by using the macro or scripting features of Windows applications such as Microsoft Office. Attackers can execute applications present in the directories that are restricted by AppLocker rules by using the "SANDBOX_INERT" and "LOAD_IGNORE_CODE_AUTHZ_LEVEL" flags. Windows 7, Windows 7 Service Pack 1, Windows Server 2008 R2 and Windows Server 2008 R2 Service Pack 1 are vulnerable.
• Ref: http://support.microsoft.com/kb/2532445

• 11.47.2 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: CitectSCADA and Mitsubishi MX4 SCADA Batch Server Module Remote Buffer Overflow
• Description: CitectSCADA is a human-machine interface product offered by Schneider Electric. MX4 SCADA is a product offered by Mitsubishi. These applications are exposed to a buffer overflow issue because they fail to properly bounds check user-supplied data before copying it into an insufficiently sized memory buffer. Specifically, this issue occurs in an unspecified third party component used by the Batch server module. CitectSCADA 7.10 and prior using the CitectSCADA Batch Server module and Mitsubishi MX4 SCADA 7.10 and prior using the MX4 SCADA Batch module are vulnerable.
• Ref: http://www.us-cert.gov/control_systems/pdf/ICSA-11-279-02.pdf

• 11.47.3 - CVE: CVE-2011-4158
• Platform: Third Party Windows Apps
• Title: Directories Support for ProLiant Management Processors Unauthorized Access Security Bypass
• Description: HP Directories Support for ProLiant Management Processors is software to support directories. The application is exposed to an unspecified security-bypass issue. HP Directories Support for ProLiant Management Processors 3.10 and 3.20 are affected.
• Ref: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03082006

• 11.47.4 - CVE: CVE-2011-4051,CVE-2011-4052
• Platform: Third Party Windows Apps
• Title: InduSoft Web Studio "CEServer" Buffer Overflow Vulnerabilities
• Description: InduSoft Web Studio is a set of automation tools used to develop human machine interfaces and supervisory control and data acquisition systems. The application is exposed to two remote code execution issues that affect the remote agent component ("CEServer.exe"), which is listening on TCP port 4322 by default. InduSoft Web Studio versions 6.1 and 7.0 are affected.
• Ref: http://www.us-cert.gov/control_systems/pdf/ICSA-11-319-01.pdf

• 11.47.5 - CVE: CVE-2011-3377
• Platform: Linux
• Title: IcedTea-Web Plugin Same Origin Policy Bypass
• Description: IcedTea-Web is a web browser plug-in implementing Java Web Start. The application is exposed to an issue that allows attackers to bypass the same-origin policy. This issue allows malicious applets to open network connections to hosts other than the originating host. IcedTea-Web 1.1.x prior to 1.1.4 and IcedTea-Web 1.0.x priro to 1.0.6 are affected.
• Ref: http://dbhole.wordpress.com/2011/11/08/icedtea-web-1-0-6-and-1-1-4-security-rele
  ases-released/ http://www.securityfocus.com/bid/50610/references

• 11.47.6 - CVE: CVE-2011-4105,CVE-2011-3153
• Platform: Linux
• Title: LightDM Two Security vulnerabilities
• Description: LightDM is a cross-desktop display manager. The application is exposed multiple security issues. An arbitrary file-access issue occurs because the application fails to properly handle links when modifying permissions of ".Xauthority" files. A local issue occurs because of incorrectly handled privileges when reading .dmrc files. LightDM versions 1.0.4 and 1.0.5 are affected.
• Ref: http://www.ubuntu.com/usn/usn-1262-1/ http://www.securityfocus.com/bid/50685/references

• 11.47.7 - CVE: CVE-2011-1375
• Platform: Aix
• Title: IBM AIX WPAR System Calls Local Denial Of Service
• Description: AIX is a UNIX operating system from IBM. AIX is exposed to a denial of service issue caused by unspecified behavior of "wpar_limits_config" and "wpar_limits_modify" WPAR system calls. IBM AIX versions 6.1 and 7.1 are affected.
• Ref: http://aix.software.ibm.com/aix/efixes/security/wpar_advisory.asc

• 11.47.8 - CVE: CVE-2011-3376
• Platform: Cross Platform
• Title: Apache Tomcat Manager Application Security Bypass
• Description: Apache Tomcat is an HTTP server application. The application is exposed to a security bypass issue. Specifically, the issue occurs because the application fails to properly check the privileges of a web application before allowing it to use the functionality of Manager application. Apache Tomcat 7.0 versions prior to 7.0.22 are affected.
• Ref: http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.22

• 11.47.9 - CVE: Not Available
• Platform: Cross Platform
• Title: ProFTPD Use-After-Free Remote Code Execution
• Description: ProFTPD is an FTP server implementation available for UNIX and Linux platforms. It can be integrated with multiple database servers. The application is exposed to a remote code execution issue because of a use-after-free error. Specifically, the issue occurs when processing the response pool allocation lists. ProFTPD versions prior to 1.3.3g are vulnerable.
• Ref: http://www.zerodayinitiative.com/advisories/ZDI-11-328/ http://bugs.proftpd.org/show_bug.cgi?id=3711 http://www.proftpd.org/docs/NEWS-1.3.3g

• 11.47.10 - CVE: CVE-2011-4156,CVE-2011-4155
• Platform: Cross Platform
• Title: HP Network Node Manager i Multiple Cross-Site Scripting Vulnerabilities
• Description: HP Network Node Manager i is a fault management application for IP networks. The application is exposed to multiple unspecified cross-site scripting issues because it fails to properly sanitize certain user-supplied input submitted to the application before displaying it to the user. HP Network Node Manager i 9.0x and 9.1x running on HP-UX, Linux, Solaris and Windows are affected.
• Ref: http://h20565.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c0
  3035744

• 11.47.11 - CVE:CVE-2011-3898,CVE-2011-3897,CVE-2011-3896,CVE-2011-3895,CVE-2011-3894,CVE-2011-3893,CVE-2011-389215.0.874.120 are vulnerable.
• Platform: Cross Platform
• Title: Google Chrome Multiple Security Vulnerabilities
• Description: Google Chrome is a Web browser available for multiple platforms. The application is exposed to multiple security issues. See reference for detailed information. Versions prior to Chrome
• Ref: http://googlechromereleases.blogspot.com/2011/11/stable-channel-update.html http://www.securityfocus.com/bid/50642/references

• 11.47.12 - CVE: CVE-2011-4415
• Platform: Cross Platform
• Title: Apache HTTP Server "ap_pregsub()" Function Local Denial of Service
• Description: Apache HTTP Server is an HTTP webserver application. The application is exposed to a local denial of service issue due to a NULL pointer dereference error or a memory exhaustion. Specifically, this issue affects the "ap_pregsub()" function of the "server/utils.c" source file because it fails to restrict the size of values of environment variables. Attackers can exploit this issue by placing a malicious ".htaccess" file with a crafted "SetEnvIf" directive on the affected server. Note: To trigger this issue, "mod_setenvif" must be enabled and the attacker should be able to place a malicious ".htaccess" file on the affected webserver. Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21 are vulnerable. Other versions may also be affected.
• Ref: http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/ http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4415

• 11.47.13 - CVE: CVE-2011-2445, CVE-2011-2450, CVE-2011-2451,CVE-2011-2452, CVE-2011-2453, CVE-2011-2454, CVE-2011-2455,CVE-2011-2456, CVE-2011-2457, CVE-2011-2458, CVE-2011-2459,CVE-2011-2460
• Platform: Cross Platform
• Title: Adobe Flash Player Multiple Vulnerabilities
• Description: Adobe Flash Player is a multimedia application for multiple platforms. The application is exposed to an unspecified remote buffer overflow issue because it fails to properly bounds check user-supplied input. See reference for detailed information. Adobe Flash Player 11.0.1.152 and earlier versions for Windows, Macintosh, Linux and Solaris, Adobe Flash Player 11.0.1.153 and earlier versions for Android and Adobe AIR 3.0 and earlier versions for Windows, Macintosh, and Android are affected.
• Ref: http://www.adobe.com/support/security/bulletins/apsb11-28.html

• 11.47.14 - CVE: CVE-2011-1373
• Platform: Cross Platform
• Title: IBM DB2 Remote Denial of Service
• Description: IBM DB2 is a database application available for multiple platforms. The application is exposed to a remote denial of service issue due to an unspecified error when "Self Tuning Memory Manager" is enabled and "DATABASE_MEMORY" is set to "AUTOMATIC". IBM DB2 version 9.7 is affected.
• Ref: http://www-01.ibm.com/support/docview.wss?uid=swg1IC70473 http://xforce.iss.net/xforce/xfdb/71043

• 11.47.15 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: Tiki Wiki CMS Groupware "tiki-pagehistory.php" Cross-Site Scripting Vulnerabilities
• Description: Tiki Wiki CMS Groupware is a PHP-based database management application. The application is exposed to multiple cross-site scripting issues because it fails to sufficiently sanitize user-supplied data to the "tiki-pagehistory.php" and "tiki-admin_system.php" scripts. Tiki Wiki CMS Groupware 6.4 and 7.2 are affected.
• Ref: http://info.tiki.org/article182-Tiki-8-1-Now-Available-End-of-Life-for-Tiki-7-x

• 11.47.16 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: Dolibarr Multiple Cross-Site Scripting Vulnerabilities
• Description: Dolibarr is a company/foundation activity management application implemented in PHP. Dolibarr is exposed to multiple cross-site scripting issues because it fails to properly sanitize user-supplied input. The following scripts are affected: "company.php", "security_other.php", "events.php", "user.php". Dolibarr 3.1.0 is vulnerable and other versions may also be affected.
• Ref: http://www.securityfocus.com/archive/1/520442

• 11.47.17 - CVE: CVE-2011-4312
• Platform: Web Application - Cross Site Scripting
• Title: ReviewBoard Commenting System Cross-Site Scripting
• Description: ReviewBoard is a web-based code review application. The application is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied input submitted to the commenting system of the application. Specifically, this issue affects the "diff viewer" and "screenshot pages" components. ReviewBoard 1.6 versions prior to 1.6.3 and ReviewBoard 1.5 versions prior to 1.5.7 are vulnerable.
• Ref: http://www.reviewboard.org/news/

• 11.47.18 - CVE: CVE-2011-3985
• Platform: Web Application - Cross Site Scripting
• Title: Plume Unspecified Cross-Site Scripting
• Description: Plume CMS is a content manager for dynamic web content, blogs, and customer forums. The application is exposed to an unspecified cross-site scripting issue because it fails to sanitize user-supplied input. Plume versions prior to Plume 1.2.3 are affected.
• Ref: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3985

• 11.47.19 - CVE: Not Available
• Platform: Web Application
• Title: TYPO3 "eu_ldap" LDAP Injection
• Description: TYPO3 is a web application programmed in PHP. "eu_ldap" is an extension for the TYPO3 content manager. The extension is exposed to an LDAP injection issue because it fails to sufficiently sanitize user-supplied data. Specifically, the username and password values sent by the login form are not sanitized before being used in LDAP queries. TYPO3 "eu_ldap" 2.8.10 and all prior versions are vulnerable.
• Ref: http://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa
  -2011-017/

• 11.47.20 - CVE: Not Available
• Platform: Web Application
• Title: AShop Open-Redirection and Cross-Site Scripting Vulnerabilities
• Description: AShop is a web-based shopping application implemented in PHP. The software is exposed to multiple input validation issues. Open-redirection issues affect the "redirect" parameter of the "language.php" and "currency.php" scripts. Cross-site scripting issues affect multiple scripts and parameters. Versions prior to AShop 5.1.4 are vulnerable.
• Ref: http://www.securityfocus.com/archive/1/520446

• 11.47.21 - CVE:CVE-2011-3833,CVE-2011-3832,CVE-2011-3831,CVE-2011-3830,CVE-2011-3829
• Platform: Web Application
• Title: Support Incident Tracker (SiT!) Multiple Input Validation Vulnerabilities
• Description: Support Incident Tracker is an open-source web application for tracking technical support requests. It is implemented in PHP and MySQL. The application is exposed to multiple input-validation issues. A path disclosure issue affects the "ftp_upload_file.php" script. A cross-site scripting issue affects the "search_string" parameter to "search.php" script. An SQL injection issue affects the "incident_attachments.php" script. An issue that allows attackers inject arbitrary PHP code affects the "application_name" parameter of the "config.php" script when the "action" parameter is set to "save" in the "eval()" function. An issue that allows attackers upload arbitrary files occurs because the application fails to adequately sanitize file extensions before uploading files to the webserver through the "ftp_upload_file.php" script. Support Incident Tracker 3.65 is vulnerable and other versions may also be affected.
• Ref: http://secunia.com/secunia_research/2011-78/ http://secunia.com/secunia_research/2011-77/ http://secunia.com/secunia_research/2011-76/ http://secunia.com/secunia_research/2011-75/ http://secunia.com/secunia_research/2011-79/

• 11.47.22 - CVE: Not Available
• Platform: Web Application
• Title: CMS Made Simple Remote Database Corruption
• Description: CMS Made Simple is a web-based content manager. It is implemented in PHP. The application is exposed to an issue that could result in the corruption of the database. An attacker can exploit this issue to corrupt the news articles. Versions prior to CMS Made Simple 1.9.4.3 are affected.
• Ref: http://www.cmsmadesimple.org/2011/08/Announcing-CMSMS-1-9-4-3---Security-Release
  /

• 11.47.23 - CVE: CVE-2011-4311
• Platform: Web Application
• Title: ResourceSpace Unauthorized Access
• Description: ResourceSpace is a web-based digital asset management system, implemented in PHP. ResourceSpace is exposed to an unauthorized access issue due to an insufficient access check on access keys. ResourceSpace 4.2.2833 is vulnerable and other versions may also be affected.
• Ref: http://www.resourcespace.org/download.php http://secunia.com/advisories/46753/

• 11.47.24 - CVE: Not Available
• Platform: Web Application
• Title: Cacti Unspecified SQL Injection and Cross-Site Scripting Vulnerabilities
• Description: Cacti is a web-based network graphing solution. The application is exposed to an SQL injection issue and a cross-site scripting issue because it fails to sufficiently sanitize user-supplied data to unspecified parameters. Cacti 0.8.7g is vulnerable and other versions may also be affected.
• Ref: http://www.cacti.net/release_notes_0_8_7h.php

• 11.47.25 - CVE: CVE-2011-4048,CVE-2011-4047,CVE-2011-4046
• Platform: Hardware
• Title: Dell Kace K2000 Multiple Remote Security Vulnerabilities
• Description: Dell Kace K2000 is a system deployment appliance. The device is exposed to mulitple remote security issues. A backdoor issue occurs because of a hidden administrator account. An information disclosure issue occurs because the application fails to restrict access to username and password hashes. A remote command execution issue affects the appliance. Multiple cross-site scripting issues occur because the application fails to sanitize certain unspecified user-supplied input passed through the administrative web interface. Dell Kace K2000 is vulnerable.
• Ref: http://www.kace.com/support/kb/index.php?action=artikel&id=1120&artlang=
  en

• 11.47.26 - CVE: Not Available
• Platform: Hardware
• Title: Cisco TelePresence System Integrator C Series and EX Series Root Authentication Bypass
• Description: Cisco TelePresence System Integrator C Series are devices designed for telepresence. Cisco TelePresence EX Series are face-to-face Cisco TelePresence meeting devices. The devices are exposed to a remote authentication bypass issue due to a manufacturing error. Specifically, this issue occurs because the root user account is enabled with a well known password by default. All Cisco TelePresence System Integrator C Series, Cisco TelePresence EX Series and Cisco TelePresence Quick Set products distributed between November 18, 2010 and September 19, 2011 with software release TC4.0, TC4.1 or TC4.2 are affected.
• Ref: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20
  111109-telepresence-c-ex-series

(c) 2011. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account