@RISK: The Consensus Security Vulnerability Alert

Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys

• (1) HIGH: Adobe U3D Memory Corruption Vulnerability
• (2) MEDIUM: Trend Micro Control Manager Buffer Overflow Vulnerability

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

Other Microsoft Products

• 11.50.1 - Microsoft Internet Explorer CSS ":visited" Information Disclosure

Third Party Windows Apps

• 11.50.2 - CoDeSys Multiple Remote Denial of Service Vulnerabilities
• 11.50.3 - HS TFTP Server Software Multiple Remote Denial of Service Vulnerabilities
• 11.50.4 - HP Device Access Manager for HP ProtectTools Heap Memory Corruption
• 11.50.5 - SopCast Local Privilege Escalation
• 11.50.6 - Sielco Sistemi Multiple Products Buffer Overflow

Linux

• 11.50.7 - Red Hat Enterprise Linux Sos Private Information Disclosure

Cross Platform

• 11.50.8 - Iron Mountain Connected Backup Remote Command Execution
• 11.50.9 - Apache ActiveMQ Failover Mechanism Remote Denial of Service
• 11.50.10 - PHP Remote Integer Overflow
• 11.50.11 - Serv-U Denial of Service and Security Bypass Vulnerabilities
• 11.50.12 - Opera Web Browser Multiple Security Vulnerabilities
• 11.50.13 - Multiple Web Browsers ":visited" Information Disclosure
• 11.50.14 - Adobe Acrobat and Reader U3D Memory Corruption
• 11.50.15 - MIT Kerberos KDC TGS Handling NULL Pointer Dereference Denial of Service

Web Application - Cross Site Scripting

• 11.50.16 - JBoss Application Server Administrative Console Cross-Site Scripting
• 11.50.17 - Ariadne Multiple Cross-Site Scripting Vulnerabilities
• 11.50.18 - Hero "month" Parameter Cross-Site Scripting

Web Application - SQL Injection

• 11.50.19 - Meditate "username_input" Parameter SQL Injection
• 11.50.20 - AlstraSoft EPay Enterprise "process.htm" SQL Injection

Web Application

• 11.50.21 - Apache MyFaces Information Disclosure
• 11.50.22 - WikkaWiki Multiple Security Vulnerabilities
• 11.50.23 - WSN Classifieds Multiple Cross Site Scripting and SQL Injection Vulnerabilities
• 11.50.24 - Support Incident Tracker (SiT!) Multiple Input Validation Vulnerabilities
• 11.50.25 - Moodle Multiple Security Vulnerabilities

Hardware

• 11.50.26 - HP Printers and Digital Senders Remote Firmware Update Security Bypass
• 11.50.27 - Intel Trusted Execution Technology SINIT Authenticated Code Modules Buffer Overflow

PART I Critical Vulnerabilities

PART I Critical Vulnerabilities Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/risk/#process

*************************************************************

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 45, 2011

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com) This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 12777 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely. ______________________________________________________________________

• 11.50.1 - CVE: Not Available
• Platform: Other Microsoft Products
• Title: Microsoft Internet Explorer CSS ":visited" Information Disclosure
• Description: Microsoft Internet Explorer is a web browser application available for Windows operating systems. Microsoft Internet Explorer is exposed to an information disclosure issue. This issue affects the ":visited" tag included in a Cascading Style Sheet. Specifically, the application will allow attackers to collect browser history based on cache timing. Microsoft Internet Explorer 6, 7, 8 and 9 are affected.
• Ref: http://secunia.com/advisories/47129/ http://lcamtuf.coredump.cx/cachetime/msie.html

• 11.50.2 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: CoDeSys Multiple Remote Denial of Service Vulnerabilities
• Description: CoDeSys is an application for industrial automation technology. The application is exposed to multiple denial of service issues which affect the "CmpWebServer" component. CoDeSys up to 3.4 SP4 Patch 2 are affected.
• Ref: http://aluigi.altervista.org/adv/codesys_1-adv.txt http://www.securityfocus.com/bid/50854/discuss

• 11.50.3 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: HS TFTP Server Software Multiple Remote Denial of Service Vulnerabilities
• Description: HS TFTP Server Software is a library written in C, which implements Trivial File Transfer Protocol. HS TFTP Server Software is exposed to multiple remote denial of service issues because it fails to handle user-supplied input. Specifically, the issue affects "WRITE" and "READ" commands. HS TFTP Server Software 1.3.2 is vulnerable; other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/50886/discuss http://packetstormsecurity.org/files/107468/hillstone-dos.txt

• 11.50.4 - CVE: CVE-2011-4162
• Platform: Third Party Windows Apps
• Title: HP Device Access Manager for HP ProtectTools Heap Memory Corruption
• Description: HP Device Access Manager for HP ProtectTools is a policy based access control system. HP Device Access Manager for HP ProtectTools is exposed to a remote heap memory corruption issue. Specifically, this issue affects the multiple methods. HP Device Access Manager for HP ProtectTools versions prior to 6.1.0.1 are affected.
• Ref: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03082368

• 11.50.5 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: SopCast Local Privilege Escalation
• Description: SopCast is an application used to broadcast video and audio on the Internet. The application is exposed to a local privilege escalation issue. Specifically, the issue occurs due to improper permissions being set for the "Diagnose.exe" file, with the "FDiagnose.exe" flag set for the "Everyone" group. SopCast 3.4.7.45585 is vulnerable; other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/50908/references http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5062.php

• 11.50.6 - CVE: CVE-2011-4037
• Platform: Third Party Windows Apps
• Title: Sielco Sistemi Multiple Products Buffer Overflow
• Description: Winlog Pro and Winlog Lite are SCADA/HMI applications for monitoring industrial and civil factories. Winlog Pro and Winlog Lite are exposed to a remote buffer overflow issue because they fail to perform adequate boundary checks on user-supplied data. Winlog Lite versions older than version 2.07.09 and Winlog PRO versions older than Version 2.07.09 are affected.
• Ref: http://www.us-cert.gov/control_systems/pdf/ICSA-11-298-01.pdf

• 11.50.7 - CVE: CVE-2011-4083
• Platform: Linux
• Title: Red Hat Enterprise Linux Sos Private Information Disclosure
• Description: Red Hat Enterprise Linux is a Linux based operating system developed by Red Hat. Sos is a set of tools that gather information about system hardware and configuration. Red Hat Enterprise Linux is exposed to an information disclosure issue. Specifically, this issue occurs because the Sosreport utility incorrectly includes certificate based Red Hat network private entitlement keys for archive of debugging information, which allows an attacker to access Red Hat Network content by using these keys. Red Hat Enterprise Linux version 6 is affected.
• Ref: http://www.securityfocus.com/bid/50936/discuss https://www.redhat.com/security/data/cve/CVE-2011-4083.html

• 11.50.8 - CVE: CVE-2011-2397
• Platform: Cross Platform
• Title: Iron Mountain Connected Backup Remote Command Execution
• Description: Iron Mountain Connected Backup is a backup solution. Iron Mountain Connected Backup is exposed to a remote command execution issue because it fails to properly validate user-supplied input. This issue affects the Agent service that listens on TCP port 16388. Specifically, the issue is triggered within the "LaunchCompoundFileAnalyzer" class when a request contains an opcode 13. Iron Mountain Connected Backup from 8.2.2 to 8.5.1 are affected.
• Ref: http://www.zerodayinitiative.com/advisories/ZDI-11-339/ http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2397

• 11.50.9 - CVE: Not Available
• Platform: Cross Platform
• Title: Apache ActiveMQ Failover Mechanism Remote Denial of Service
• Description: Apache ActiveMQ is a Message Broker and Enterprise Integration Patterns provider. It is implemented in Java and available for a number of platforms. Apache ActiveMQ is exposed to a denial of service issue. This issue occurs when handling openwire connection requests. Specifically, after various connection requests, a "Java.net.SocketException" will occur. Apache ActiveMQ 5.2.0 and 5.5.0 are affected.
• Ref: https://issues.apache.org/jira/browse/AMQ-3294

• 11.50.10 - CVE: CVE-2011-4566
• Platform: Cross Platform
• Title: PHP Remote Integer Overflow
• Description: PHP is a general purpose scripting language suitable for web development and embeddable into HTML. PHP is exposed to a remote integer overflow issue that affects the "Exif" extension. Specifically, this issue affects the "exif_process_IFD_TAG()" function in the "ext/exif/exif.c" source file. PHP 5.4.0beta2 on 32-bit platforms is vulnerable; other versions may also be affected.
• Ref: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4566 https://bugs.php.net/bug.php?id=60150

• 11.50.11 - CVE: Not Available
• Platform: Cross Platform
• Title: Serv-U Denial of Service and Security Bypass Vulnerabilities
• Description: Serv-U is an FTP server application. Serv-U is exposed to multiple remote issues. A denial of service issue occurs because the application opens new ports for each request made and fails to close old ports. A security bypass issue allows attackers to gain unauthorized administrative access to the management interface. Serv-U 11.1.0.3 and prior versions are affected.
• Ref: http://www.securityfocus.com/archive/1/520746

• 11.50.12 - CVE: Not Available
• Platform: Cross Platform
• Title: Opera Web Browser Multiple Security Vulnerabilities
• Description: Opera is a Web browser available for multiple platforms. The application is exposed to multiple issues. See reference for further details. Versions prior to Opera Web Browser 11.60 are affected.
• Ref: http://www.opera.com/docs/changelogs/unix/1160/ http://www.opera.com/docs/changelogs/mac/1160/ http://www.opera.com/docs/changelogs/windows/1160/

• 11.50.13 - CVE: Not Available
• Platform: Cross Platform
• Title: Multiple Web Browsers ":visited" Information Disclosure
• Description: Multiple Web Browsers are exposed to an information disclosure issue. This issue affects the ":visited" tag included in a Cascading Style Sheet. Specifically, the applications allows attackers to collect browser history based on cache timing. Mozilla Firefox and Opera are affected.
• Ref: http://lcamtuf.coredump.cx/cachetime/ http://www.securityfocus.com/bid/50909/discuss http://www.securityfocus.com/bid/50920/discuss

• 11.50.14 - CVE: CVE-2011-2462
• Platform: Cross Platform
• Title: Adobe Acrobat and Reader U3D Memory Corruption
• Description: Adobe Reader and Acrobat are applications for handling PDF files. Adobe Acrobat and Reader are exposed to a memory corruption issue that occurs when handling U3D encoded files. Adobe Reader X (10.1.1) and earlier 10.x versions for Windows and Macintosh, Adobe Reader 9.4.6 and earlier 9.x versions for Windows, Macintosh and UNIX, Adobe Acrobat X (10.1.1) and earlier 10.x versions for Windows and Macintosh, Adobe Acrobat 9.4.6 and earlier 9.x versions for Windows and Macintosh are affected.
• Ref: https://www.adobe.com/support/security/advisories/apsa11-04.html

• 11.50.15 - CVE: CVE-2011-1530
• Platform: Cross Platform
• Title: MIT Kerberos KDC TGS Handling NULL Pointer Dereference Denial of Service
• Description: MIT Kerberos is a suite of applications and libraries designed to implement the Kerberos network authentication protocol. It is freely available and operates on numerous platforms. MIT Kerberos is exposed to a remote denial of service issue caused by a NULL-pointer dereference which exists in the TGS service. Specifically, the flaw exists in the "process_tgs_req()" function when the "TGS-REQ" is unknown. This will cause the "KRB5_KDB_NOENTRY" parameter to be set to NULL, triggering a NULL-pointer dereference. krb5-1.9 and later are affected.
• Ref: http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-007.txt

• 11.50.16 - CVE: CVE-2011-3606
• Platform: Web Application - Cross Site Scripting
• Title: JBoss Application Server Administrative Console Cross-Site Scripting
• Description: JBoss Application Server is an open source Java application server. JBoss Application Server is exposed to a cross-site scripting issue while handling DOM objects. This issue occurs because the administrative console of the application fails to sanitize user-supplied input passed to the "onerror" argument. JBoss Application Server 7.0 is vulnerable; other versions may also be affected.
• Ref: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3606 http://www.securityfocus.com/bid/50885/discuss

• 11.50.17 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: Ariadne Multiple Cross-Site Scripting Vulnerabilities
• Description: Ariadne is a PHP-based content manager. The application is exposed to multiple cross-site scripting issues because it fails to properly sanitize user-supplied input to multiple scripts. Ariadne 2.7.6 is vulnerable; other versions may also be affected.
• Ref: http://www.securityfocus.com/archive/1/520708

• 11.50.18 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: Hero "month" Parameter Cross-Site Scripting
• Description: Hero is a PHP-based content management system. Hero is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input submitted to the "month" parameter of the "index.php" script. Hero 3.69 is vulnerable; other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/50878/discuss http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5061.php

• 11.50.19 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: Meditate "username_input" Parameter SQL Injection
• Description: Meditate is a Web-based content editor application. Meditate is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data submitted to the "username_input" parameter of the "index.php" script when "page" is set to "login". Meditate versions 1.1 is vulnerable; prior versions may also be affected.
• Ref: http://www.arlomedia.com/software/meditate/meditate/docs/release_notes.html

• 11.50.20 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: AlstraSoft EPay Enterprise "process.htm" SQL Injection
• Description: EPay Enterprise is a web-based application implemented in PHP. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "product" parameter of the "process.htm" page. EPay Enterprise 4.0 is vulnerable; other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/50917/references http://packetstormsecurity.org/files/107540/alstrasoftepay-sql.txt

• 11.50.21 - CVE: CVE-2011-4343
• Platform: Web Application
• Title: Apache MyFaces Information Disclosure
• Description: Apache MyFaces is used to create server-side GUI web applications. Apache MyFaces is exposed to a remote information disclosure issue because it is possible to inject EL expressions directly into input fields mapped as view parameters. Apache MyFaces 2.0.1 through 2.0.10 and Apache MyFaces 2.1.0 through 2.1.4 are affected.
• Ref: https://issues.apache.org/jira/browse/MYFACES-3405

• 11.50.22 - CVE: CVE-2011-4451,CVE-2011-4450,CVE-2011-4449,CVE-2011-4448
• Platform: Web Application
• Title: WikkaWiki Multiple Security Vulnerabilities
• Description: WikkaWiki is a wiki application implemented in PHP. The application is exposed to an SQL injection issue, multiple arbitrary file upload issues and a PHP code injection issue. WikkaWiki 1.3.2 and prior versions are affected.
• Ref: http://www.securityfocus.com/archive/1/520687

• 11.50.23 - CVE: Not Available
• Platform: Web Application
• Title: WSN Classifieds Multiple Cross Site Scripting and SQL Injection Vulnerabilities
• Description: WSN Classifieds is a PHP-based application for classifying advertisements. The application is exposed to an SQL-injection issue and multiple cross-site scripting issues because it fails to sufficiently sanitize user-supplied input. WSN Classifieds 6.2.12 and 6.2.18 are vulnerable; other versions may also be affected.
• Ref: http://secunia.com/advisories/47106 http://xforce.iss.net/xforce/xfdb/71607

• 11.50.24 - CVE: Not Available
• Platform: Web Application
• Title: Support Incident Tracker (SiT!) Multiple Input Validation Vulnerabilities
• Description: Support Incident Tracker is an open-source web application for tracking technical support requests. It is implemented in PHP and MySQL. The application is exposed to multiple input-validation issues. Support Incident Tracker 3.65 is vulnerable; prior versions may also be affected.
• Ref: http://www.kb.cert.org/vuls/id/576355 http://www.securityfocus.com/bid/50896/references

• 11.50.25 - CVE: Not Available
• Platform: Web Application
• Title: Moodle Multiple Security Vulnerabilities
• Description: Moodle is a content manager for online courseware. The application is exposed to multiple security issues. See reference for further details. Moodle 2.1.x prior to 2.1.2, Moodle 2.0.x prior to 2.0.5 and Moodle 1.9.x prior to 1.9.14 are affected.
• Ref: http://moodle.org/mod/forum/view.php?id=7128 http://www.securityfocus.com/bid/50923/references

• 11.50.26 - CVE: CVE-2011-4161
• Platform: Hardware
• Title: HP Printers and Digital Senders Remote Firmware Update Security Bypass
• Description: HP Printers and Digital Senders are exposed to a security bypass issue. Specifically, an attacker can send a firmware update remotely through a crafted request to TCP port 9100 without authentication. Multiple HP Printers and HP Digital Senders are affected. See reference for details.
• Ref: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03102449

• 11.50.27 - CVE: Not Available
• Platform: Hardware
• Title: Intel Trusted Execution Technology SINIT Authenticated Code Modules Buffer Overflow
• Description: Intel Trusted Execution Technology SINIT Authenticated Code Modules (ACMs) are exposed to a buffer overflow issue due to a failure to properly bounds check user-supplied input. The problem occurs when Intel Trusted Execution Technology measured launch is invoked using vulnerable SINIT ACMs. This may compromise certain SINIT ACM functionality, launch control policy, and System Management Mode. Multiple Intel processors and Chipsets are affected. See reference for details.
• Ref: http://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00030&langua
  geid=en-fr

(c) 2011. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account