@RISK: The Consensus Security Vulnerability Alert

Volume: X, Issue: 47
December 22, 2011

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week (numbers in parentheses refer to the Part I items):

Platform                                  Number of Updates and Vulnerabilities
- ----------------------------------------  -------------------------------------
Windows                                   0 (#1)
Third Party Windows Apps                  4
Linux                                     2
Aix                                       1
Cross Platform                            8 (#2,#3,#4)
Web Application - Cross Site Scripting    2
Web Application - SQL Injection           1
Web Application                           8

**************************** Sponsored By SANS ***************************

Take this groundbreaking survey to help determine policy, controls and standards needed to enable users to use their own small mobile devices for work-related functions. Also be entered to win a $250 American Express Card Giveaway when results are announced in late March at www.sans.org/webcasts.

Follow this link to the survey: http://www.sans.org/info/94549

**************************************************************************

TRAINING UPDATE

- --SANS Security East 2012, New Orleans, LA, January 17-26, 2012
  11 courses. Bonus evening presentations include Advanced VoIP Pen Testing: Current Threats and Methods; and Helping Small Businesses with Security.
  http://www.sans.org/security-east-2012/

- --SANS North American SCADA 2012, Lake Buena Vista, FL, January 21-29, 2012
  Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them. Hear what works and what doesn't from peer organizations. Network with top individuals in the field of SCADA security. Return from the summit with solutions that you can immediately put to use in your organization.
  Pre-Summit courses: January 21-25, 2012; Summit: January 26-27, 2012; Post-Summit courses: January 28-29, 2012
  http://www.sans.org/north-american-scada-2012/

- --SANS Monterey 2012, Monterey, CA, January 30-February 4, 2012
  6 courses. Bonus evening presentations include Who Do You Trust? SSL and TLS Under Attack; and iOS Programming Demo.
  http://www.sans.org/monterey-2012/

- --SANS Phoenix 2012, Phoenix, AZ, February 13-18, 2012
  7 courses. Bonus evening presentations include Desktop Betrayal: Exploiting Clients Through the Features They Demand; and Windows Exploratory Surgery with Process Hacker.
  http://www.sans.org/phoenix-2012/

- --SANS Singapore 2012, Singapore, March 5-17, 2012
  5 courses.
  http://www.sans.org/singapore-2012/

- --SANS 2012, Orlando, FL, March 23-30, 2012
  42 courses. Bonus evening presentations include Why Our Defenses Are Failing Us: One Click Is All It Takes ...; Evolving Threats; and Windows Exploratory Surgery with Process Hacker.
  http://www.sans.org/sans-2012/

- --Looking for training in your own community? http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/discounts.php#current

Plus Atlanta, Bangalore, Stuttgart, and Nashville, all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

**************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Third Party Windows Apps
Linux
Aix
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application

************************** Sponsored Link: *******************************

1) Take the SANS 8th Annual Log and Event Management Survey http://www.sans.org/info/94554 **************************************************************************

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/risk/#process

*************************************************************

Widely Deployed Software
  • (1) HIGH: Microsoft Windows 7 win32k.sys Memory Corruption Vulnerability
  • Affected:
    • Microsoft Windows 7 64-bit (and possibly previous versions)
  • Description: Windows 7 is reportedly vulnerable to an unspecified and, at the time of writing, unpatched memory corruption flaw in win32k.sys, the kernel-mode component of the Windows GUI subsystem. A successful exploit executes arbitrary code with kernel-mode privileges, which means full control of the machine regardless of the privilege level of the browser that delivered the page. The publicly available attack vector involves enticing a target to view a malicious page with Apple Safari on a Windows 7 machine; the page reportedly triggers the bug with an overlong "height" attribute on an IFRAME element. Until a fix is published, the practical mitigation is to avoid browsing untrusted sites with Safari on Windows 7.

  • Status: no vendor update available (unpatched at time of publication)

  • References:
  • (2) HIGH: Adobe Reader Memory Corruption Vulnerability
  • Affected:
    • Adobe Reader 9.4.6 and earlier 9.x versions
    • Adobe Reader X (10.1.1 and earlier)
    • Adobe Acrobat 9.x and X are covered by the same vendor bulletin (see Part II, 11.52.10)
  • Description: Adobe has reported that an unspecified memory corruption vulnerability in its Reader PDF viewer is being actively exploited in the wild. Adobe has released a patch for Reader 9.x that addresses this vulnerability, but plans to wait until January 10th to release a patch for Reader X. Adobe reports that Reader X Protected Mode, the sandbox designed to limit what a malicious document can do, already prevents this attack from executing arbitrary code; Reader X users should therefore confirm that Protected Mode has not been disabled, and Reader 9.x users should apply the patch now. By enticing a target to view a malicious document in a vulnerable version of Reader, an attacker can exploit this vulnerability in order to execute arbitrary code on the target's machine. The corresponding vendor bulletin, APSB11-30, is listed in Part II (11.52.10).

  • Status: vendor confirmed, updates available

  • References:
  • (4) MEDIUM: Google Chrome Stable Channel Updates
  • Affected:
    • Google Chrome versions prior to 16.0.912.63
  • Description: Google has released patches for multiple security vulnerabilities affecting its Chrome web browser. The vulnerabilities include use-after-free bugs in SVG filters and in range handling, an out-of-bounds write in v8 i18n handling, a buffer overflow in PDF font handling, and a use-after-free in bidi handling. Although the details of these vulnerabilities are unspecified, it is likely that some of them can be exploited for code execution. To do so, an attacker would have to entice a target to view a malicious page with a vulnerable version of Google Chrome.

  • Status: vendor confirmed, updates available

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 47, 2011

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 12841 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.
______________________________________________________________________



  • 11.52.2 - CVE: CVE-2011-4141
  • Platform: Third Party Windows Apps
  • Title: RSA SecurID Software Token DLL Loading Arbitrary Code Execution
  • Description: RSA SecurID Software Token is a commercial product that provides local and remote authentication to prevent unauthorized access to resources on a host. The application is exposed to an issue that lets attackers execute arbitrary code. The issue arises because the application searches for an unspecified Dynamic Link Library file in the current working directory (DLL search-order hijacking) instead of loading it by full path from a trusted location. An attacker who can place a malicious DLL with the expected name in a directory that becomes the process's working directory, typically a network share or download folder from which the user opens a file associated with the application, gets it loaded with the privileges of that user. RSA SecurID Software Token 4.1 for Microsoft Windows is vulnerable.
  • Ref: http://www.securityfocus.com/archive/1/520878 http://www.securityfocus.com/bid/51073/references

  • 11.52.3 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Invensys Wonderware inBatch BatchField ActiveX Control Multiple Buffer Overflow Vulnerabilities
  • Description: Invensys Wonderware InTouch is a SCADA system interface for Windows. Invensys Wonderware inBatch is exposed to multiple remote stack-based buffer overflow issues. These issues occur because the application fails to perform adequate boundary checks when handling data passed to the "GUIControls", "BatchObjSrv" and "BatchSecCtrl" ActiveX controls. Invensys Wonderware InBatch version 8.1, 9.0, 9.0 SP1, 9.0 SP2 and 9.5 are affected.
  • Ref: http://www.us-cert.gov/control_systems/pdf/ICSA-11-332-01.pdf http://www.securityfocus.com/bid/51129/references

  • 11.52.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: IrfanView TIFF Image File Remote Heap-Based Buffer Overflow
  • Description: IrfanView is an image viewer that supports multiple file formats. The application is exposed to a remote heap-based buffer overflow issue because it fails to properly bounds check user-supplied input before copying it to an insufficiently sized memory buffer. Specifically, a heap-based overflow can occur when parsing a specially crafted TIFF image file. IrfanView 4.30 is vulnerable and other versions may also be affected.
  • Ref: http://www.irfanview.com/main_history.htm http://www.securityfocus.com/bid/51132/references

  • 11.52.5 - CVE: CVE-2011-4596
  • Platform: Linux
  • Title: Ubuntu Nova Image Registration Arbitrary Input Validation
  • Description: Nova is the OpenStack Compute component, packaged by Ubuntu. Nova is exposed to an input validation issue that lets attackers overwrite arbitrary files. This issue occurs because Nova fails to validate input during image registration. An authenticated user of the EC2 API can register a crafted image through the "S3/RegisterImage" method and overwrite files with the privileges of the nova user, the account the service runs as. Ubuntu 11.10 is affected.
  • Ref: http://www.ubuntu.com/usn/usn-1305-1/ http://www.securityfocus.com/bid/51047/references
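The class of bug above is a registration step that takes filenames from an attacker-supplied manifest and writes under the image store without confining them. The following is an added example, not Nova's own code or its actual fix, showing the check a registration handler should make before touching the filesystem: every part name must be a bare filename, and the resolved path must still lie inside the store. The function names, the manifest shape and the sample manifests are assumptions made for illustration.

```python
import os
import tempfile


class UnsafeImagePath(ValueError):
    """Raised when an image part name would resolve outside the image store."""


def safe_image_path(image_dir: str, name: str) -> str:
    """Return the absolute path for image part `name` under `image_dir`.

    Rejects anything that is not a bare filename, then double-checks that the
    resolved path (symlinks followed) is still inside `image_dir`.
    """
    if not name or name in (".", "..") or name != name.strip():
        raise UnsafeImagePath(f"empty, dot or padded name: {name!r}")
    if "\x00" in name:
        raise UnsafeImagePath("NUL byte in name")
    # Reject both separator styles explicitly; os.path.basename alone would
    # happily accept a backslash on a POSIX host.
    if "/" in name or "\\" in name or os.path.basename(name) != name:
        raise UnsafeImagePath(f"not a bare filename: {name!r}")
    base = os.path.realpath(image_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # Belt and braces: even a bare filename can be a symlink pointing outside.
    if os.path.commonpath([base, candidate]) != base:
        raise UnsafeImagePath(f"escapes image store: {name!r}")
    return candidate


def is_safe_name(image_dir: str, name: str) -> bool:
    """Boolean wrapper around safe_image_path for quick screening."""
    try:
        safe_image_path(image_dir, name)
        return True
    except UnsafeImagePath:
        return False


def register_image(image_dir: str, manifest: dict) -> list:
    """Resolve every part in a RegisterImage-style manifest (assumed shape:
    {"image_id": ..., "parts": [...]}), refusing the whole registration if
    any part name is unsafe. Returns the list of resolved paths."""
    return [safe_image_path(image_dir, part) for part in manifest["parts"]]


if __name__ == "__main__":
    store = tempfile.mkdtemp(prefix="imgstore-")
    # Constructed manifests: one benign, one shaped like a traversal attempt.
    good = {"image_id": "ami-00000001", "parts": ["image.part.00", "image.part.01"]}
    bad = {"image_id": "ami-00000002", "parts": ["image.part.00", "../../../../etc/passwd"]}
    print(register_image(store, good))
    try:
        register_image(store, bad)
    except UnsafeImagePath as exc:
        print("rejected:", exc)
```

The realpath/commonpath comparison is the check that matters: string filtering alone misses symlinks and platform-specific separators, and the resolved-path comparison catches both.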



  • 11.52.8 - CVE: CVE-2011-1386
  • Platform: Cross Platform
  • Title: IBM Tivoli Federated Identity Manager SAML Signature Validation Security Bypass
  • Description: IBM Tivoli Federated Identity Manager and IBM Tivoli Federated Identity Manager Business Gateway are single sign-on management applications. The applications are exposed to a security bypass issue that occurs when validating SAML signatures; the vendor advisory does not describe the flaw in detail. Because the SAML signature is what lets a service provider trust that an assertion really came from the identity provider, a validation bypass means a forged or modified assertion can be accepted as authentic, so the practical impact is authentication bypass in federated single sign-on. Tivoli Federated Identity Manager and Tivoli Federated Identity Manager Business Gateway versions 6.2.1.x prior to 6.2.1.2, 6.2.0.x prior to 6.2.0.10, 6.1.1.x prior to 6.1.1.12 are affected.
  • Ref: http://www-01.ibm.com/support/docview.wss?uid=swg21575309 http://xforce.iss.net/xforce/xfdb/71686 http://www.securityfocus.com/bid/51064/references
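The advisory above does not say what the validation flaw is, so the following added example (not IBM's code, and not a description of the TFIM bug) illustrates the structural check that any SAML consumer must make before it even gets to cryptographic verification: the assertion it acts on has to be exactly the element the enveloped signature covers. The sample responses are constructed, the signature value is a placeholder, and real cryptographic verification of the returned element is assumed to happen afterwards with an XML-DSig library.

```python
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


class SamlStructureError(ValueError):
    """The assertion to be consumed is not the one the signature covers."""


def signed_assertion(response_xml: str) -> ET.Element:
    """Return the single Assertion that an enveloped signature actually covers.

    Structural checks only; verifying <ds:SignatureValue> over the returned
    element is assumed to happen next. The rules enforced here:
      1. exactly one Assertion anywhere in the Response
      2. it carries its own ds:Signature as a direct child
      3. that Signature has one Reference, pointing at "#<AssertionID>"
      4. the AssertionID is unique in the document
    """
    root = ET.fromstring(response_xml)
    assertions = root.findall(".//saml:Assertion", NS)
    if len(assertions) != 1:
        raise SamlStructureError(f"expected 1 Assertion, found {len(assertions)}")
    assertion = assertions[0]
    aid = assertion.get("ID")
    if not aid:
        raise SamlStructureError("Assertion without ID")
    sig = assertion.find("ds:Signature", NS)
    if sig is None:
        raise SamlStructureError("Assertion is not signed")
    refs = sig.findall(".//ds:Reference", NS)
    if len(refs) != 1 or refs[0].get("URI") != "#" + aid:
        raise SamlStructureError("Signature does not reference this Assertion")
    ids = [el.get("ID") for el in root.iter() if el.get("ID")]
    if ids.count(aid) != 1:
        raise SamlStructureError(f"ID {aid} is not unique in the document")
    return assertion


def authenticated_subject(response_xml: str) -> str:
    """NameID of the subject, taken only from the signature-covered Assertion."""
    name_id = signed_assertion(response_xml).find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise SamlStructureError("no NameID")
    return name_id.text


def accepts(response_xml: str) -> bool:
    try:
        authenticated_subject(response_xml)
        return True
    except SamlStructureError:
        return False


def _assertion(aid: str, subject: str, signed: bool) -> str:
    # Constructed test data; the SignatureValue is a placeholder, not a real signature.
    sig = (
        f'<ds:Signature xmlns:ds="{NS["ds"]}"><ds:SignedInfo>'
        f'<ds:Reference URI="#{aid}"/></ds:SignedInfo>'
        "<ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue></ds:Signature>"
        if signed else ""
    )
    return (
        f'<saml:Assertion xmlns:saml="{NS["saml"]}" ID="{aid}">{sig}'
        f"<saml:Subject><saml:NameID>{subject}</saml:NameID></saml:Subject>"
        "</saml:Assertion>"
    )


# Constructed samples. WRAPPED_RESPONSE keeps the genuine signed assertion in the
# document but adds an unsigned one reusing its ID, the shape that a consumer which
# simply takes "the first Assertion" and then verifies "the signature" falls for.
LEGIT_RESPONSE = (
    f'<samlp:Response xmlns:samlp="{NS["samlp"]}">'
    + _assertion("_a1", "alice@example.org", signed=True)
    + "</samlp:Response>"
)
WRAPPED_RESPONSE = (
    f'<samlp:Response xmlns:samlp="{NS["samlp"]}">'
    + _assertion("_a1", "admin@example.org", signed=False)
    + "<samlp:Extensions>"
    + _assertion("_a1", "alice@example.org", signed=True)
    + "</samlp:Extensions></samlp:Response>"
)

if __name__ == "__main__":
    print(authenticated_subject(LEGIT_RESPONSE))  # alice@example.org
    print(accepts(WRAPPED_RESPONSE))              # False
```

The point of returning the element rather than a boolean is that the caller then verifies the signature over, and reads attributes from, the same object; a consumer that looks up the assertion by ID a second time after verification reopens the gap.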

  • 11.52.9 - CVE: CVE-2011-4602
  • Platform: Cross Platform
  • Title: Pidgin Jingle Extension XMPP Protocol Denial of Service Vulnerabilities
  • Description: Pidgin is a multi-platform instant messaging client that supports multiple messaging protocols. The application is exposed to multiple denial of service issues due to NULL pointer dereferences in the Jingle extension of the XMPP (Extensible Messaging and Presence Protocol) plugin, which a remote peer can trigger by sending crafted Jingle stanzas. Pidgin versions prior to 2.10.1 are affected.
  • Ref: http://pidgin.im/news/security/?id=58 http://www.securityfocus.com/bid/51070/references

  • 11.52.10 - CVE: CVE-2011-4369
  • Platform: Cross Platform
  • Title: Adobe Acrobat and Reader Memory Corruption
  • Description: Adobe Reader and Acrobat are applications for handling PDF files. Adobe Acrobat and Reader are exposed to a memory corruption issue. See reference for detailed information. Adobe Reader X (10.1.1) and earlier 10.x versions, Adobe Reader 9.4.6 and earlier 9.x versions, Adobe Acrobat X (10.1.1) and earlier 10.x versions, Adobe Acrobat 9.4.6 and earlier 9.x versions are affected.
  • Ref: http://www.adobe.com/support/security/bulletins/apsb11-30.html

  • 11.52.11 - CVE: Not Available
  • Platform: Cross Platform
  • Title: SecCommerce SecSigner Java Applet Arbitrary File Upload
  • Description: SecCommerce SecSigner is a Java applet that creates and appends digital signatures to files. The component is exposed to an issue that lets attackers upload arbitrary files. This issue occurs because the SecSigner applet uses the file "secsigner.properties" to configure certain settings in the applet. Specifically when the "seccommerce.resource.localcopy" variable is set to "on" it is possible to upload files to arbitrary locations on the affected computer. SecSigner 3.5.0 is vulnerable and other versions may also be affected.
  • Ref: http://www.securityfocus.com/archive/1/520936 http://www.securityfocus.com/bid/51112/references

  • 11.52.12 - CVE: CVE-2011-4528
  • Platform: Cross Platform
  • Title: Unbound Multiple Denial of Service Vulnerabilities
  • Description: Unbound is a validating, recursive and caching DNS resolver. The application is exposed to multiple remote denial of service issues. A denial of service issue occurs due to a memory allocation error when processing certain RRs (Resource Records). Specifically, an attacker can cause the application to crash by sending signed duplicate redirecting RRs. A denial of service issue occurs due to an error when processing certain responses for NSEC3-signed zones. Versions prior to Unbound 1.4.14 or 1.4.13p2 are vulnerable.
  • Ref: http://unbound.nlnetlabs.nl/downloads/CVE-2011-4528.txt http://www.securityfocus.com/bid/51115/references


  • 11.52.14 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Enterasys Network Management Suite "nssyslogd.exe" Component Stack Buffer Overflow
  • Description: Network Management Suite is a centralized visibility and control management application. The application is exposed to a stack-based buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data before copying it to an insufficiently sized buffer. Specifically, this issue occurs in the "nssyslogd.exe" component, which listens by default on UDP port 514, when handling a specially crafted "PRIO" field (the "<n>" priority header at the start of a syslog message). Because the listener is an unauthenticated UDP service, any host that can reach port 514 can deliver the message, and a successful exploit can crash the collector or execute code with the privileges of the nssyslogd.exe process. Versions prior to Network Management Suite 4.1.0.80 are vulnerable.
  • Ref: http://www.securityfocus.com/bid/51124/references https://cp-enterasys.kb.net/al/12/3/article.aspx?aid=14206&bt=4
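The PRIO (PRI) header has a fixed grammar: "<", one to three digits, ">", with the value no larger than 191 (facility * 8 + severity). A receiver that checks that grammar before it copies, converts or indexes with the value has nothing to overflow. The following is an added example of such a parser, written in Python rather than the native code a collector like nssyslogd.exe uses; it is not Enterasys code and the sample log lines are constructed.

```python
import re

# RFC 3164 PRI header: "<" 1-3 digits ">"; anything longer fails the match.
_PRI_RE = re.compile(r"^<(\d{1,3})>")

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6",
              "local7"]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


class BadPri(ValueError):
    """The message has no PRI header, or one outside the allowed grammar/range."""


def parse_pri(message: str):
    """Return (facility_name, severity_name, rest_of_message).

    Length is enforced by the regex and range by the explicit comparison,
    both before any arithmetic or table lookup, so an overlong or
    out-of-range PRI is refused instead of being copied or used as an index.
    """
    m = _PRI_RE.match(message)
    if not m:
        raise BadPri("missing or malformed PRI header")
    pri = int(m.group(1))
    if pri > 191:
        raise BadPri(f"PRI {pri} out of range")
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity], message[m.end():]


def triage(lines) -> dict:
    """Run the parser over a batch of raw messages and count the outcomes."""
    counts = {"accepted": 0, "rejected": 0}
    for line in lines:
        try:
            parse_pri(line)
            counts["accepted"] += 1
        except BadPri:
            counts["rejected"] += 1
    return counts


# Constructed sample input: two well-formed messages, two hostile PRI headers
# of the kind a fuzzer would send at UDP/514, and one with no header at all.
SAMPLE_LINES = [
    "<34>Dec 22 10:15:00 core-sw1 sshd[1234]: Accepted publickey for admin",
    "<13>Dec 22 10:15:01 core-sw1 link: GigabitEthernet1/0/24 is down",
    "<" + "9" * 64 + ">Dec 22 10:15:02 attacker: overlong PRIO",
    "<999>Dec 22 10:15:03 attacker: out-of-range PRIO",
    "no PRI header at all",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        try:
            print(parse_pri(line)[:2], line[:40])
        except BadPri as exc:
            print("rejected:", exc, line[:40])
    print(triage(SAMPLE_LINES))
```

Rejecting rather than "repairing" a malformed header is the safer choice for a collector: a sender that emits a 64-digit PRI is either broken or probing, and either way the message should be logged as an anomaly, not normalised into a valid one.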

  • 11.52.15 - CVE: CVE-2011-3666
  • Platform: Cross Platform
  • Title: Mozilla Firefox and Thunderbird Remote Code Execution
  • Description: Firefox is a browser. Thunderbird is an email client. The applications are exposed to a remote code execution issue when handling ".jar" files. Specifically, this issue occurs because Firefox and Thunderbird treat ".jar" files as fully functional applications rather than as Java Applets. Firefox versions prior to 3.6.25 and Thunderbird versions prior to 3.1.17 are affected.
  • Ref: http://www.mozilla.org/security/announce/2011/mfsa2011-59.html http://www.securityfocus.com/bid/51139/references

  • 11.52.16 - CVE: CVE-2011-3206
  • Platform: Web Application - Cross Site Scripting
  • Title: JBoss Operations Network Multiple Cross-Site Scripting Vulnerabilities
  • Description: JBoss Operations Network provides solutions for managing JBoss Enterprise Middleware, applications and services. The application is exposed to multiple cross-site scripting issues because it fails to sufficiently sanitize unspecified user-supplied input. Specifically, these issues affect the administration interface. JBoss Operations Network 2.4.1 is vulnerable and other versions may also be affected.
  • Ref: https://bugzilla.redhat.com/show_bug.cgi?id=734662 http://www.securityfocus.com/bid/51095/references

  • 11.52.17 - CVE: CVE-2011-4634
  • Platform: Web Application - Cross Site Scripting
  • Title: phpMyAdmin Multiple Cross-Site Scripting Vulnerabilities
  • Description: phpMyAdmin is a web-based administration interface for MySQL databases, implemented in PHP. The application is exposed to multiple cross-site scripting issues because it fails to properly sanitize user-supplied input that reaches the interface through crafted database names, SQL queries or column types. phpMyAdmin versions prior to 3.4.8 are vulnerable.
  • Ref: http://www.phpmyadmin.net/home_page/security/PMASA-2011-18.php



  • 11.52.20 - CVE: Not Available
  • Platform: Web Application
  • Title: Cacti Multiple Input Validation Vulnerabilities
  • Description: Cacti is a frontend for RRDTool. It is implemented in PHP and uses an SQL backend database. The application is exposed to multiple security issues. Multiple cross-site scripting issues exist in the "default_height" and "default_width" parameters of the "graph_settings.php" script. A cross-site request forgery issue exists because the application does not properly validate HTTP requests. Specifically, it allows attackers to add and delete galleries through specially crafted links. An HTML injection issue exists in the "num_columns" parameter of the "graph_settings.php" script. Versions prior to Cacti 0.8.7i are vulnerable.
  • Ref: http://forums.cacti.net/viewtopic.php?f=4&t=45871 http://xforce.iss.net/xforce/xfdb/71792 http://www.securityfocus.com/bid/51048/references

  • 11.52.21 - CVE: Not Available
  • Platform: Web Application
  • Title: Splunk Cross-Site Scripting and Cross-Site Request Forgery Vulnerabilities
  • Description: Splunk is an IT infrastructure monitoring system. The application is exposed to multiple issues. A cross-site scripting issue exists because the application fails to properly sanitize certain unspecified user-supplied input. A cross-site request forgery issue exists because the application does not properly validate HTTP requests. Splunk 4.2 to 4.2.4 are vulnerable and other versions may also be affected.
  • Ref: http://www.splunk.com/view/SP-CAAAGMM http://www.securityfocus.com/bid/51061/references






(c) 2011. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account