@RISK: The Consensus Security Vulnerability Alert

Volume: X, Issue: 46
December 15, 2011

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

Summary of Updates and Vulnerabilities in this Consensus

Platform                                  Number of Updates and Vulnerabilities
----------------------------------------  -------------------------------------
Windows                                   5 (#2)
Microsoft Office                          5
Other Microsoft Products                  2 (#4)
Third Party Windows Apps                  3
Linux                                     2
Cross Platform                            5 (#1,#3)
Web Application - Cross Site Scripting    2
Web Application                           1
Hardware                                  1

*********** Sponsored By SANS ***********

SANS 8th Annual Log and Event Management Survey is Under Way

Take the SANS 8th Annual Log and Event Management Survey. Be a part of this industry leading survey cited in top technology publications and blogs! Also be entered to WIN a $250 American Express Card giveaway when survey results are released during SANS webcasts held in early May at www.sans.org/webcasts.

Follow this link to the survey: http://www.sans.org/info/93814

**************************************************************************

TRAINING UPDATE

--SANS Security East 2012, New Orleans, LA, January 17-26, 2012
  11 courses. Bonus evening presentations include Advanced VoIP Pen Testing: Current Threats and Methods; and Helping Small Businesses with Security.
  http://www.sans.org/security-east-2012/

--SANS North American SCADA 2012, Lake Buena Vista, FL, January 21-29, 2012
  Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them. Hear what works and what doesn't from peer organizations. Network with top individuals in the field of SCADA security. Return from the summit with solutions that you can immediately put to use in your organization.
  Pre-Summit courses: January 21-25, 2012
  Summit: January 26-27, 2012
  Post-Summit Courses: January 28-29, 2012
  http://www.sans.org/north-american-scada-2012/

--SANS Monterey 2012, Monterey, CA, January 30-February 4, 2012
  6 courses. Bonus evening presentations include Who Do You Trust? SSL and TLS Under Attack; and IOS Programming Demo.
  http://www.sans.org/monterey-2012/

--SANS Phoenix 2012, Phoenix, AZ, February 13-18, 2012
  7 courses. Bonus evening presentations include Desktop Betrayal: Exploiting Clients Through the Features They Demand; and Windows Exploratory Surgery with Process Hacker.
  http://www.sans.org/phoenix-2012/

--SANS Singapore 2012, Singapore, Singapore, March 5-17, 2012
  5 courses.
  http://www.sans.org/singapore-2012/

--Looking for training in your own community? http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/discounts.php#current

Plus Atlanta, Bangalore, Stuttgart, and Nashville, all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

**************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Windows
Microsoft Office
Other Microsoft Products
Third Party Windows Apps
Linux
Cross Platform
Web Application - Cross Site Scripting
Web Application
Hardware

*************************** Sponsored Link: ******************************

1) Take the first annual SANS Mobility Survey and Win $250

Take this groundbreaking survey to help determine policy, controls and standards needed to enable users to use their own small mobile devices for work-related functions. Also be entered to win a $250 American Express Card Giveaway when results are announced in late March at www.sans.org/webcasts.

Follow this link to the survey: http://www.sans.org/info/93819

**************************************************************************

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/risk/#process

*************************************************************

Widely Deployed Software
  • (1) HIGH: Adobe Reader Unspecified Vulnerability
  • Affected:
    • Adobe Reader X (10.1.1) and earlier
    • Adobe Reader 9.4.6 and earlier
  • Description: Researchers claim to have identified an unspecified and unpatched vulnerability in Adobe Reader and have posted a video demonstrating the exploit. By enticing a target to view a malicious file, an attacker can exploit this vulnerability in order to execute arbitrary code on the target's machine.

  • Status: vendor not confirmed, updates not available

  • References:
  • (4) MEDIUM: HP OpenView Network Node Manager Heap Buffer Overflow
  • Affected:
  • Description: HP has released a patch for Network Node Manager, its configuration management software. By sending a malicious request to the nnmRptConfig.exe CGI program, an attacker can send a crafted nameParams parameter in order to trigger a heap buffer overflow. The attacker will then have the ability to execute arbitrary code on the target's machine.

  • Status: vendor confirmed, updates available

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 46, 2011

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 12814 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.

______________________________________________________________________


  • 11.51.1 - CVE: CVE-2011-2018
  • Platform: Windows
  • Title: Microsoft Windows Kernel Local Privilege Escalation
  • Description: Microsoft Windows is exposed to a local privilege escalation issue that occurs in the Windows kernel. Specifically, the issue arises when the kernel accesses an object that has not been properly initialized. All supported 32-bit editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008 and Windows 7 are affected.
  • Ref: http://technet.microsoft.com/en-us/security/bulletin/MS11-098

  • 11.51.2 - CVE: CVE-2011-3397
  • Platform: Windows
  • Title: Microsoft Windows Time Component Remote Code Execution
  • Description: Microsoft Windows is exposed to a remote code execution issue that affects the Microsoft Time component. The issue can be exploited to corrupt the system state allowing code execution when the binary behavior is used in Internet Explorer. All supported editions of Microsoft Windows are affected.
  • Ref: http://technet.microsoft.com/en-us/security/bulletin/MS11-090

  • 11.51.3 - CVE: CVE-2011-3408
  • Platform: Windows
  • Title: Microsoft Windows CSRSS Local Privilege Escalation
  • Description: Microsoft Windows is exposed to a local privilege escalation issue that affects the Client/Server Run-time Subsystem. Specifically, the issue occurs in the "csrss.dll" file because of improper validation of permissions when a lower-integrity process communicates a device event message to a higher-integrity process. All supported releases of Microsoft Windows are affected.
  • Ref: http://technet.microsoft.com/en-us/security/bulletin/MS11-097

  • 11.51.4 - CVE: CVE-2011-3400
  • Platform: Windows
  • Title: Microsoft Windows OLE Property Remote Code Execution
  • Description: Microsoft Windows is exposed to a remote code execution issue. Specifically, the issue occurs due to improper handling of OLE objects in memory. All supported editions of Windows XP and Windows Server 2003 are affected.
  • Ref: http://technet.microsoft.com/en-us/security/bulletin/MS11-093

  • 11.51.5 - CVE: CVE-2011-3406
  • Platform: Windows
  • Title: Microsoft Active Directory Buffer Overflow
  • Description: Microsoft Active Directory is an LDAP implementation distributed with multiple Windows operating systems. The application is exposed to a buffer overflow issue. Specifically, the issue occurs when Active Directory processes a specially crafted query and attempts to access the contents of a memory buffer that has not been properly initialized. Active Directory, ADAM and AD LDS when installed on supported editions of Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008 (except Itanium), Windows 7 and Windows Server 2008 R2 (except Itanium) are affected.
  • Ref: http://technet.microsoft.com/en-us/security/bulletin/MS11-095

  • 11.51.6 - CVE: CVE-2011-3412,CVE-2011-3411,CVE-2011-3410,CVE-2011-1508
  • Platform: Microsoft Office
  • Title: Microsoft Publisher Multiple Vulnerabilities
  • Description: Microsoft Publisher is a desktop publishing application. The application is exposed to multiple issues. See reference for detailed information. All supported editions of Microsoft Publisher 2003 and Microsoft Publisher 2007 are affected.
  • Ref: http://technet.microsoft.com/en-us/security/bulletin/ms11-091

  • 11.51.7 - CVE: CVE-2011-3403
  • Platform: Microsoft Office
  • Title: Microsoft Excel Remote Code Execution
  • Description: Microsoft Excel is a spreadsheet application that is part of the Microsoft Office suite. The application is exposed to a remote code execution issue. Specifically, the issue occurs when the application incorrectly handles objects in memory. All supported editions of Microsoft Excel 2003 and Microsoft Office 2004 for Mac are affected.
  • Ref: http://technet.microsoft.com/en-us/security/bulletin/MS11-096

  • 11.51.8 - CVE: CVE-2011-3396,CVE-2011-3413
  • Platform: Microsoft Office
  • Title: Microsoft PowerPoint Remote Code Execution
  • Description: Microsoft PowerPoint is a presentation application. The application is exposed to multiple issues. See reference for detailed information. Microsoft PowerPoint 2007 Service Pack 2, Microsoft PowerPoint 2010, Microsoft Office 2008 for Mac, Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007 File Formats Service Pack 2 and Microsoft PowerPoint Viewer 2007 Service Pack 2 are affected.
  • Ref: http://technet.microsoft.com/en-us/security/bulletin/MS11-094 http://www.securityfocus.com/bid/50967/references

  • 11.51.9 - CVE: CVE-2011-1983
  • Platform: Microsoft Office
  • Title: Microsoft Word Access Violation Remote Code Execution
  • Description: Microsoft Word is a word processor available for multiple platforms. The application is exposed to a remote code execution issue. This issue is due to an access violation error when handling a specially crafted Word file. All supported editions of Microsoft Office 2007, Microsoft Office 2010 and Microsoft Office for Mac 2011 are affected.
  • Ref: http://technet.microsoft.com/en-us/security/bulletin/ms11-089

  • 11.51.10 - CVE: CVE-2011-2010
  • Platform: Microsoft Office
  • Title: Microsoft Pinyin IME Local Privilege Escalation
  • Description: Microsoft Pinyin IME allows a user to input Chinese characters by entering the pinyin of a Chinese character and then presents the user with a list of possible characters with that pronunciation. The application is exposed to a local privilege escalation issue that affects Microsoft Office IME (Chinese) because it improperly exposes configuration options not designed to run on the secure desktop. All supported editions of Microsoft Office 2010 where Microsoft Pinyin IME 2010 is installed, Microsoft Office Pinyin SimpleFast Style 2010 and Microsoft Office Pinyin New Experience Style 2010 are affected.
  • Ref: http://technet.microsoft.com/en-us/security/bulletin/ms11-088

  • 11.51.11 - CVE: CVE-2011-3404
  • Platform: Other Microsoft Products
  • Title: Microsoft Internet Explorer Cross-Domain Information Disclosure
  • Description: Microsoft Internet Explorer is a web browser for Windows platforms. The application is exposed to a cross-domain information disclosure issue. This issue occurs because the application fails to properly enforce the content settings supplied by the Web server. Internet Explorer 6 on all supported editions of Windows XP, Internet Explorer 7, Internet Explorer 8 and Internet Explorer 9 on Windows clients and Internet Explorer on Windows servers are affected.
  • Ref: http://technet.microsoft.com/en-us/security/bulletin/MS11-099

  • 11.51.12 - CVE: CVE-2011-3401
  • Platform: Other Microsoft Products
  • Title: Microsoft Windows Media Player And Media Center ".dvr-ms" Files Remote Code Execution
  • Description: Microsoft Windows Media Player and Windows Media Center are multimedia applications available for the Windows operating system. The applications are exposed to a remote code execution issue when handling specially crafted ".dvr-ms" media files. Windows XP (including Windows XP Media Center Edition 2005) and all supported editions of Windows Vista and Windows 7 are affected.
  • Ref: http://technet.microsoft.com/en-us/security/bulletin/MS11-092

  • 11.51.13 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Winamp Multiple Integer Overflow Vulnerabilities
  • Description: Winamp is a multi-format media player for Microsoft Windows platforms. The application is exposed to multiple integer overflow issues in the "in_avi.dll" file. An integer overflow issue occurs when allocating memory using the number of stream headers. An attacker can trigger a heap overflow by enticing an unsuspecting user to open a specially crafted AVI file. An integer overflow issue occurs when parsing the "RIFF INFO" chunk included in an AVI file. An attacker can exploit this issue by enticing an unsuspecting victim to open a specially crafted AVI file. An integer overflow issue occurs when parsing song message data included in an Impulse Tracker file. Winamp versions prior to 5.623 are vulnerable.
  • Ref: http://forums.winamp.com/showthread.php?t=332010 http://www.securityfocus.com/archive/1/520827

  • 11.51.14 - CVE: CVE-2011-4717
  • Platform: Third Party Windows Apps
  • Title: zFTPServer "rmdir" Command Directory Traversal
  • Description: zFTPServer is a file transfer server for Microsoft Windows. The application is exposed to a directory traversal issue because it fails to sufficiently sanitize directory traversal strings (..) passed to the "rmdir" command. zFTPServer 6.0.0.52 is vulnerable and prior versions may also be affected.
  • Ref: http://www.securityfocus.com/archive/1/520822 http://www.securityfocus.com/bid/51018/references

  • 11.51.15 - CVE: CVE-2011-3339
  • Platform: Third Party Windows Apps
  • Title: SafeNet Sentinel HASP and 7T IGSS Unspecified HTML Injection
  • Description: Sentinel HASP is a digital license manager. 7T IGSS is an application using the SafeNet Sentinel HASP SDK for its digital license manager to enable its software products. The applications are exposed to an HTML injection issue because they fail to properly sanitize user-supplied input. Specifically, attackers can craft and inject HTML code into the configuration file. Sentinel HASP SDK prior to 5.11, Sentinel HASP Run-time prior to 6.x and 7 Technologies (7T) IGSS 7 are affected.
  • Ref: http://www.us-cert.gov/control_systems/pdf/ICSA-11-314-01.pdf http://www.safenet-inc.com/support-downloads/sentinel-drivers/CVE-2011-3339/


  • 11.51.17 - CVE: CVE-2011-4539
  • Platform: Linux
  • Title: ISC DHCP Regular Expressions Denial of Service
  • Description: ISC DHCP is a reference implementation of the DHCP protocol and includes a DHCP server, client, and relay agent. The application is exposed to a denial of service issue. Specifically, the application crashes when processing a crafted evaluated regular expression. ISC DHCP versions prior to 4.1-ESV-R4 and 4.2.3-P1 are affected.
  • Ref: https://www.isc.org/software/dhcp/advisories/cve-2011-4539


  • 11.51.19 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Asterisk SIP "automon" NULL Pointer Dereference Denial Of Service
  • Description: Asterisk is a private branch exchange application available for Linux, BSD and Mac OS X platforms. The server is exposed to a remote denial of service issue caused by a NULL pointer dereference error. Specifically, the issue occurs because the server fails to properly handle malicious Session Initiation Protocol (SIP) requests when the "automon" feature is enabled in the "features.conf" file. Asterisk versions 1.8.x prior to 1.8.7.2 and 1.6.2.x prior to 1.6.2.21 are affected.
  • Ref: http://downloads.asterisk.org/pub/security/AST-2011-014.html

  • 11.51.20 - CVE: Not Available
  • Platform: Cross Platform
  • Title: PuTTY SSH Keyboard-Interactive Authentication Password Information Disclosure
  • Description: PuTTY is a free Telnet and SSH client. The application is exposed to an information disclosure issue. Specifically, this issue occurs because the application fails to properly clean the replies typed by the user from memory during keyboard interactive authentication. PuTTY versions 0.59 through 0.61 are vulnerable.
  • Ref: http://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/password-not-wiped.html

  • 11.51.21 - CVE: CVE-2011-4263
  • Platform: Cross Platform
  • Title: Schneider Electric PowerChute Business Edition Unspecified Cross-Site Scripting
  • Description: PowerChute Business Edition from Schneider Electric is an application for power management. This application is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input submitted to unspecified vectors. PowerChute Business Edition versions prior to 8.5 are vulnerable.
  • Ref: http://jvndb.jvn.jp/en/contents/2011/JVNDB-2011-000100.html http://www.securityfocus.com/bid/51022/references


  • 11.51.23 - CVE: CVE-2011-4368,CVE-2011-2463
  • Platform: Web Application - Cross Site Scripting
  • Title: Adobe ColdFusion Multiple Cross-Site Scripting Vulnerabilities
  • Description: Adobe ColdFusion is an application for developing web sites. The application is exposed to two cross-site scripting issues. See detailed information in reference. ColdFusion 9.0.1, 9.0, 8.0.1 and 8.0 for Windows, Macintosh and UNIX are affected.
  • Ref: http://www.adobe.com/support/security/bulletins/apsb11-29.html
  • 11.51.26 - CVE: CVE-2011-4202
  • Platform: Hardware
  • Title: Restorepoint Insecure File Permissions Local Privilege Escalation
  • Description: Restorepoint is a network appliance backup and disaster recovery system. The application is exposed to a local privilege escalation issue because of an insecure file permission error. Specifically, this issue occurs because certain scripts running with root privileges have insecure permissions, which allow local attackers to modify them. Restorepoint 3.2 is affected and other versions may also be vulnerable.
  • Ref: https://www.trustmatta.com/advisories/MATTA-2011-003.txt http://www.securityfocus.com/bid/50991/references

(c) 2011. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account