@RISK: The Consensus Security Vulnerability Alert

Volume: X, Issue: 43
November 23, 2011

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Platform                                   Number of Updates and Vulnerabilities
    -----------------------------------------  -------------------------------------
    Windows                                    1
    Third Party Windows Apps                   4
    Linux                                      2
    HP-UX                                      1
    Cross Platform                             9 (#1)
    Web Application - Cross Site Scripting     1
    Web Application - SQL Injection            1
    Web Application                            6
    Network Device                             1

*********** Sponsored By IBM ***********

Register today for the SANS Analyst webcast sponsored by IBM, "Integrating Security into Development, No Pain Required". A FREE SANS Analyst Paper is also available at http://www.sans.org/info/91811

**************************************************************************

TRAINING UPDATE

--EURO SCADA & Process Control System Security Summit, Rome, Dec 1-2, 2011
Pre-Summit Courses November 26-30, 2011
Post-Summit Courses December 3-4, 2011
Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them.
http://www.sans.org/eu-scada-2011/

--SANS San Antonio 2011, San Antonio, TX, November 28-December 5, 2011
7 courses. Bonus evening presentations include Effective Methods for Implementing the 20 Critical Security Controls; and Assessing Deception: Are They Lying to You?
http://www.sans.org/san-antonio-2011/

--SANS London 2011, London, UK, December 3-12, 2011
18 courses. Bonus evening presentations include IPv6 Challenges for Intrusion Detection and Understanding How Attackers Bypass Network and Content Restrictions.
http://www.sans.org/london-2011/

--Incident Detection & Log Management Summit, Washington DC, December 7-8, 2011
Learn the latest techniques to detect breaches and intrusions!
http://www.sans.org/incident-detection-summit-2011/

--SANS CDI 2011, Washington, DC, December 9-16, 2011
27 courses. Bonus evening presentations include Emerging Trends in Data Law and Investigations, and Critical Infrastructure Control Systems Cybersecurity.
http://www.sans.org/cyber-defense-initiative-2011/

--SANS Security East 2012, New Orleans, LA, January 17-26, 2012
11 courses. Bonus evening presentations include Advanced VoIP Pen Testing: Current Threats and Methods; and Helping Small Businesses with Security.
http://www.sans.org/security-east-2012/

--SANS Monterey 2012, Monterey, CA, January 30-February 4, 2012
6 courses. Bonus evening presentations include Who Do You Trust? SSL and TLS Under Attack; and IOS Programming Demo.
http://www.sans.org/monterey-2012/

--SANS Phoenix 2012, Phoenix, AZ, February 13-18, 2012
7 courses. Bonus evening presentations include Desktop Betrayal: Exploiting Clients Through the Features They Demand; and Windows Exploratory Surgery with Process Hacker.
http://www.sans.org/phoenix-2012/

--Looking for training in your own community? http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/discounts.php#current

Plus Perth, Atlanta, and Bangalore all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

**************************************************************************

Table Of Contents

Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
    Windows
    Third Party Windows Apps
    Linux
    HP-UX
    Cross Platform
    Web Application - Cross Site Scripting
    Web Application - SQL Injection
    Web Application
    Network Device

    PART I Critical Vulnerabilities

    Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/risk/#process

    *************************************************************

    Widely Deployed Software
    • (1) MEDIUM: RealNetworks RealPlayer Multiple Security Vulnerabilities
    • Affected:
      • RealPlayer 11.0 - 11.1
      • RealPlayer SP 1.0 - 1.1.5
      • RealPlayer 14.0.0 - 14.0.7
      • Mac RealPlayer 12.0.0.1701
    • Description: RealNetworks has released patches for multiple vulnerabilities affecting its RealPlayer media player. The issues include unspecified vulnerabilities dealing with a variety of formats. Many of the vulnerabilities were reported through the Zero Day Initiative, which tests to ensure that they can be used for code execution. It is likely, then, that by enticing a target to open a malicious file, an attacker could exploit many of these vulnerabilities in order to execute arbitrary code on the target's machine.

    • Status: vendor confirmed, updates available

    • References:
    Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
    Week 43, 2011

    This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 12706 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.

    ______________________________________________________________________


    • 11.48.1 - CVE: Not Available
    • Platform: Windows
    • Title: Microsoft Windows Kernel "Win32k.sys" Keyboard Layout Local Privilege Escalation
    • Description: The "Win32k.sys" kernel mode device driver provides various functions such as the window manager, collection of user input, screen output, and Graphics Device Interface (GDI); it also serves as a wrapper for DirectX support. Microsoft Windows is exposed to a local privilege escalation issue. Specifically, this issue occurs due to an indexing error in the "win32k.sys" kernel mode device driver when loading a keyboard layout file. Windows XP SP3 is affected.
    • Ref: http://secunia.com/advisories/46919/

    • 11.48.2 - CVE: CVE-2011-3828
    • Platform: Third Party Windows Apps
    • Title: DVR Remote ActiveX Control DLL Loading Arbitrary Code Execution
    • Description: DVR Remote ActiveX Control is exposed to a remote issue that lets attackers execute arbitrary code. The issue arises because certain shared components of the application search for Dynamic Link Library (DLL) files in the current working directory. DVR Remote ActiveX Control 2.1.0.39 is vulnerable and other versions may also be affected.
    • Ref: http://secunia.com/secunia_research/2011-80/

    • 11.48.3 - CVE: Not Available
    • Platform: Third Party Windows Apps
    • Title: Image Viewer CP Pro/Gold ActiveX Control Buffer Overflow
    • Description: Image Viewer CP Pro SDK ActiveX and Image Viewer CP Gold SDK ActiveX are image viewing applications. Image Viewer CP Pro and Gold ActiveX controls are exposed to a stack-based buffer overflow issue because the applications fail to perform adequate boundary checks on user-supplied data. Image Viewer CP Pro SDK ActiveX 8.0 and Image Viewer CP Gold SDK ActiveX 6.0 are affected.
    • Ref: http://www.securityfocus.com/bid/50712/references

    • 11.48.4 - CVE: Not Available
    • Platform: Third Party Windows Apps
    • Title: Thunder kankan player ".wav" File Remote Stack Buffer Overflow
    • Description: Thunder kankan is a multimedia player application available for Microsoft Windows. Thunder kankan player is exposed to a remote stack-based buffer overflow issue because it fails to perform adequate checks on user-supplied input. Specifically, this issue occurs when processing a specially crafted ".wav" file. Thunder kankan 4.8.3.840 is vulnerable and other versions may also be affected.
    • Ref: http://www.securityfocus.com/bid/50725/info

    • 11.48.5 - CVE: Not Available
    • Platform: Third Party Windows Apps
    • Title: QQ Player "PnSize" Value Buffer Overflow
    • Description: QQ Player is a media player available for Microsoft Windows. QQ Player is exposed to a buffer overflow issue because of a failure to properly bounds check user-supplied data. Specifically, the issue occurs because of a specially crafted "PnSize" value when handling ".mov" files. QQ Player 3.2 is vulnerable and other versions may also be affected.
    • Ref: http://www.securityfocus.com/bid/50739/info

    • 11.48.6 - CVE: CVE-2011-4085
    • Platform: Linux
    • Title: JBoss Enterprise SOA Platform Invoker Servlets Authentication Bypass
    • Description: JBoss Enterprise SOA Platform is an environment for developing Enterprise Application Integration and SOA solutions. The application is exposed to a remote authentication bypass issue. Specifically, this issue occurs because the invoker servlets deployed through "httpha-invoker" enforce access restrictions only on the HTTP GET and POST methods. Versions of JBoss Enterprise SOA Platform prior to 5.2.0 are affected.
    • Ref: https://rhn.redhat.com/errata/RHSA-2011-1456.html

    • 11.48.7 - CVE: CVE-2011-3150
    • Platform: Linux
    • Title: Ubuntu Software Center Certificate Handling Security Bypass
    • Description: Software Center is a program for browsing, installing and removing software on Ubuntu. The application is exposed to a security bypass issue because it fails to properly validate server certificates in secure connections. Ubuntu 11.10, 11.04 and 10.10 are affected.
    • Ref: http://www.ubuntu.com/usn/usn-1270-1/

    • 11.48.8 - CVE: CVE-2011-4159
    • Platform: HP-UX
    • Title: HP-UX System Administration Manager Local Privilege Escalation
    • Description: HP-UX is a UNIX-based operating system. HP-UX is exposed to a local privilege escalation issue due to an unspecified error within the System Administration Manager (SAM). HP-UX B.11.11, HP-UX B.11.23 and HP-UX B.11.31 are affected.
    • Ref: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03089106

    • 11.48.9 - CVE: CVE-2011-4315
    • Platform: Cross Platform
    • Title: Nginx DNS Resolver Remote Heap Buffer Overflow
    • Description: nginx is an HTTP server, reverse proxy, and mail proxy server. nginx is available for multiple platforms, including Microsoft Windows. nginx is exposed to a remote heap-based buffer overflow issue due to a failure to properly bounds check user-supplied input to the DNS resolver. Specifically, this issue occurs when the DNS resolver processes messages longer than 255 bytes. Versions prior to nginx 1.0.10 are affected.
    • Ref: http://www.nginx.org/en/CHANGES http://www.securityfocus.com/bid/50710/references

    • 11.48.10 - CVE: Not Available
    • Platform: Cross Platform
    • Title: Hastymail2 Unspecified Security Vulnerability
    • Description: Hastymail2 is a PHP-based IMAP/SMTP mail client. The application is exposed to an unspecified issue involving white-list filtering in an AJAX callback function. Hastymail2 1.1 RC1 is vulnerable and other versions may also be affected.
    • Ref: http://www.hastymail.org/security/


    • 11.48.12 - CVE: CVE-2011-4320
    • Platform: Cross Platform
    • Title: ejabberd "mod_pubsub" Module Denial of Service
    • Description: ejabberd is a Jabber/XMPP instant messaging server. ejabberd is exposed to a denial of service issue. Specifically, the issue occurs in the "mod_pubsub" module when processing a specially crafted "<publish>" stanza. ejabberd versions prior to 2.1.9 are affected.
    • Ref: http://www.process-one.net/en/ejabberd/release_notes/release_note_ejabberd_2.1.9/

    • 11.48.13 - CVE: CVE-2011-4262, CVE-2011-4261, CVE-2011-4260, CVE-2011-4259, CVE-2011-4258, CVE-2011-4257, CVE-2011-4256, CVE-2011-4255, CVE-2011-4254, CVE-2011-4253, CVE-2011-4252, CVE-2011-4251, CVE-2011-4250, CVE-2011-4249, CVE-2011-4248, CVE-2011-4247, CVE-2011-4246, CVE-2011-4245
    • Platform: Cross Platform
    • Title: Real Networks RealPlayer Multiple Remote Vulnerabilities
    • Description: Real Networks RealPlayer is an application that allows users to play various media formats. Real Networks RealPlayer is exposed to multiple security issues. See reference for further details. RealPlayer 11.0 to 11.1, RealPlayer SP 1.0 to 1.1.5, RealPlayer 14.0.0 to 14.0.7, Mac RealPlayer 12.0.0.1701 are affected.
    • Ref: http://service.real.com/realplayer/security/11182011_player/en/


    • 11.48.15 - CVE: CVE-2011-4160
    • Platform: Cross Platform
    • Title: HP Operations Agent and Performance Agent Local Unauthorized Access
    • Description: HP Operations Agent is an application for managing IT infrastructure. HP Performance Agent is a web-based analysis and visualization tool. HP Operations Agent and Performance Agent are exposed to a local unauthorized-access issue. HP Operations Agent v11.00 and Performance Agent v4.73, v5.0 for AIX, HP-UX, Linux, and Solaris are vulnerable; other versions may also be affected.
    • Ref: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03091656

    • 11.48.16 - CVE: Not Available
    • Platform: Cross Platform
    • Title: FFmpeg Multiple Remote Code Execution Vulnerabilities
    • Description: FFmpeg is a multimedia player. The application is exposed to multiple remote code execution issues. See reference for further details. Versions prior to FFmpeg 0.7.8 and 0.8.7 are affected.
    • Ref: http://ffmpeg.org/#pr7dot8and8dot7

    • 11.48.17 - CVE: CVE-2011-4465
    • Platform: Cross Platform
    • Title: IBM Lotus Mobile Connect Cross-Site Scripting
    • Description: Lotus Mobile Connect is IBM VPN security software for wireless and wired network connections. The application is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied data submitted to a certain hidden redirect URL. IBM Lotus Mobile Connect 6.1.4 is affected.
    • Ref: http://www-01.ibm.com/support/docview.wss?uid=swg27020327

    • 11.48.18 - CVE: Not Available
    • Platform: Web Application - Cross Site Scripting
    • Title: ZOHO ManageEngine ADSelfService Plus Cross-Site Scripting
    • Description: ManageEngine ADSelfService Plus is a web-based end-user password reset management program. The application is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input submitted to the JavaScript variable assignment. ManageEngine ADSelfService Plus 4.5 Build 4521 is vulnerable and other versions may also be affected.
    • Ref: http://www.securityfocus.com/bid/50717/references

    • 11.48.19 - CVE: Not Available
    • Platform: Web Application - SQL Injection
    • Title: Freelancer calendar "SearchField" Parameter Multiple SQL Injection Vulnerabilities
    • Description: Freelancer calendar is a PHP-based calendar application. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data submitted to the "SearchField" parameter of multiple scripts. Freelancer calendar 1.01 and prior are affected.
    • Ref: http://www.securityfocus.com/bid/50733/info

    • 11.48.20 - CVE: Not Available
    • Platform: Web Application
    • Title: Privoxy RFC 3986 HTTP Response Splitting
    • Description: Privoxy is a web proxy. The application is exposed to an HTTP response splitting issue when the "+fast-redirects" action is used. Specifically, the issue occurs because the application fails to properly encode characters, as required by RFC 3986, that are contained in a generated redirect URL. Privoxy 3.0.5 to 3.0.17 are vulnerable and other versions may also be affected.
    • Ref: http://www.securityfocus.com/bid/50768/references http://www.privoxy.org/announce.txt

    • 11.48.21 - CVE: Not Available
    • Platform: Web Application
    • Title: Website Baker Backup Module Security Bypass
    • Description: Website Baker is an open source content management system implemented in PHP. The application is exposed to a security bypass issue. Specifically, this issue may give attackers access to the backup module. Website Baker 2.8.1 and prior are affected.
    • Ref: http://www.websitebaker2.org/posts/security-vulnerability-backup-module-in-wb-core-13.php

    • 11.48.22 - CVE: Not Available
    • Platform: Web Application
    • Title: Support Incident Tracker "translate.php" Remote Code Execution
    • Description: Support Incident Tracker is a PHP-based customer relationship management application. The application is exposed to a remote code execution issue because it fails to sanitize user-supplied input submitted in the "$_POST" array of the "translate.php" script before it is stored in the "i18nfile" variable of the "i18n" directory. Support Incident Tracker versions 3.45 to 3.65 are vulnerable and prior versions may also be affected.
    • Ref: http://www.securityfocus.com/archive/1/520577

    • 11.48.23 - CVE: CVE-2011-4457
    • Platform: Web Application
    • Title: OWASP Java HTML Sanitizer Information Disclosure
    • Description: OWASP Java HTML Sanitizer is an HTML sanitizer implemented in Java. The application is exposed to a remote information disclosure issue because it fails to block redirecting or POSTing to an arbitrary URL. Specifically, the "form" element of the "noscript" element releases private information when JavaScript is disabled. OWASP Java HTML Sanitizer versions prior to release 88 are affected.
    • Ref: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4457

    • 11.48.24 - CVE: CVE-2011-4001
    • Platform: Web Application
    • Title: HP no Mawashimono Nikki Unspecified Directory Traversal
    • Description: Nikki is a CGI-based application. Nikki is exposed to a directory traversal issue because it fails to sufficiently sanitize unspecified user-supplied input. Few technical details are available. Versions prior to Nikki 6.61 are affected.
    • Ref: http://www.securityfocus.com/bid/50749/references

    • 11.48.25 - CVE: Not Available
    • Platform: Web Application
    • Title: FishEye and Crucible Multiple HTML Injection and Unauthorized Access Vulnerabilities
    • Description: FishEye is a web-based bug tracking application. Crucible is a web-based application used for code review. The applications are exposed to multiple issues. 1) An HTML injection issue occurs because the applications fail to sanitize user-supplied input to the user profile display name. 2) An HTML injection issue occurs because the applications fail to sanitize user-supplied input to snippets in a user's comment. 3) Multiple unauthorized-access issues occur because the applications fail to properly verify permissions before granting access to certain sections of the application. FishEye and Crucible earlier than 2.5.7 are affected.
    • Ref: http://confluence.atlassian.com/display/FISHEYE/FishEye+and+Crucible+Security+Advisory+2011-11-22

    • 11.48.26 - CVE: Not Available
    • Platform: Network Device
    • Title: Juniper Juno IPv6 Over IPv4 Tunnel Security Bypass
    • Description: Juniper Juno is a network operating system running on various Juniper devices. Juniper Juno is exposed to a security bypass issue that occurs when handling IPv6 datagrams over IPv4 tunnels. Versions prior to Juniper Juno 10.2 R3 are affected.
    • Ref: http://www.securityfocus.com/bid/50705/references

    (c) 2011. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

    Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account