@RISK: The Consensus Security Vulnerability Alert

Volume: X, Issue: 48
December 29, 2011

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Summary of Updates and Vulnerabilities in this Consensus

    Platform                                  Number of Updates and Vulnerabilities
    ------------------------                  -------------------------------------
    Windows                                   1
    Third Party Windows Apps                  7
    Linux                                     1
    BSD                                       1
    Novell                                    1
    Cross Platform                            5 (#1)
    Web Application - Cross Site Scripting    2
    Web Application                           4
    Network Device                            3
    Hardware                                  1

*************************** Sponsored By SANS ***************************

What devices are accessing what resources and by whom?

Take the SANS first annual mobility survey and be entered to win a $250 American Express Card Giveaway when results are announced in late March at SANS 2012!

Follow this link to the survey: http://www.sans.org/info/95574

**************************************************************************

TRAINING UPDATE

- --SANS Security East 2012, New Orleans, LA, January 17-26, 2012
  11 courses. Bonus evening presentations include Advanced VoIP Pen Testing: Current Threats and Methods; and Helping Small Businesses with Security.
  http://www.sans.org/security-east-2012/

- --SANS North American SCADA 2012, Lake Buena Vista, FL, January 21-29, 2012
  Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them. Hear what works and what doesn't from peer organizations. Network with top individuals in the field of SCADA security. Return from the summit with solutions that you can immediately put to use in your organization.
  Pre-Summit courses: January 21-25, 2012; Summit: January 26-27, 2012; Post-Summit courses: January 28-29, 2012
  http://www.sans.org/north-american-scada-2012/

- --SANS Monterey 2012, Monterey, CA, January 30-February 4, 2012
  6 courses. Bonus evening presentations include Who Do You Trust? SSL and TLS Under Attack; and IOS Programming Demo.
  http://www.sans.org/monterey-2012/

- --SANS Phoenix 2012, Phoenix, AZ, February 13-18, 2012
  7 courses. Bonus evening presentations include Desktop Betrayal: Exploiting Clients Through the Features They Demand; and Windows Exploratory Surgery with Process Hacker.
  http://www.sans.org/phoenix-2012/

- --SANS Secure Singapore 2012, Singapore, Singapore, March 5-17, 2012
  5 courses.
  http://www.sans.org/singapore-2012/

- --SANS 2012, Orlando, FL, March 23-39, 2012
  42 courses. Bonus evening presentations include Why Our Defenses Are Failing Us: One Click is all It Takes ...; Evolving Threats; and Windows Exploratory Surgery with Process Hacker.
  http://www.sans.org/sans-2012/

- --Looking for training in your own community? http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/discounts.php#current

Plus Atlanta, Bangalore, Stuttgart, and Nashville, all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

**************************************************************************

Table Of Contents

    Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)
    Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
        Windows
        Third Party Windows Apps
        Linux
        BSD
        Novell
        Cross Platform
        Web Application - Cross Site Scripting
        Web Application
        Network Device
        Hardware

    *************************** Sponsored Link: ******************************

    1) Take the SANS 8th Annual Log and Event Management Survey. Be a part of this industry-leading survey and be entered to WIN a $250 American Express Card. http://www.sans.org/info/95579

    **************************************************************************

    PART I Critical Vulnerabilities

    Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/risk/#process

    *************************************************************

    Widely Deployed Software
    • (1) MEDIUM: VideoLan VLC get_chunk_header Double-Free Vulnerability
    • Affected:
      • VLC media player 0.9.0-1.1.12
    • Description: VideoLan has released a patch for its VLC media player. The patch addresses a heap corruption vulnerability that can be triggered when VLC opens a malicious TY (TiVo) file. The root cause is a double free in the "get_chunk_header()" function of VLC's TY demuxer component. By enticing a target to open a malicious file, an attacker can exploit this vulnerability to corrupt the heap and possibly execute arbitrary code on the target's machine.

    • Status: vendor confirmed, updates available

    • References:
    Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
    Week 48, 2011

    Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

    This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 12894 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.

    ______________________________________________________________________


    • 11.53.1 - CVE: Not Available
    • Platform: Windows
    • Title: Microsoft Windows "win32k.sys" Remote Memory Corruption
    • Description: Microsoft Windows is exposed to a memory corruption issue. Specifically, the issue occurs when the "win32k.sys" kernel-mode driver parses a specially crafted web page containing an IFRAME with an overly large value for the "height" attribute. This issue occurs when viewing the web page with the Apple Safari browser. Windows 7 64-bit is affected.
    • Ref: https://secunia.com/advisories/47237/

    • 11.53.2 - CVE: CVE-2011-4784
    • Platform: Third Party Windows Apps
    • Title: NVIDIA Stereoscopic 3D Driver Local Privilege Escalation
    • Description: NVIDIA Stereoscopic 3D Driver is used to play 3D games. The driver is exposed to a local privilege escalation issue. Specifically, the issue occurs because the driver fails to properly validate and sanitize specific commands to a named pipe. NVIDIA Stereoscopic 3D Driver 7.17.12.7536 and earlier versions are affected.
    • Ref: http://technet.microsoft.com/en-us/security/msvr/msvr11-016

    • 11.53.3 - CVE: CVE-2011-4536
    • Platform: Third Party Windows Apps
    • Title: KingView "HistoryServer.exe" Heap Based Buffer Overflow
    • Description: KingView is software for monitoring and controlling SCADA automation equipment and process products. The application is exposed to a heap-based buffer overflow issue because it fails to properly validate user-supplied input. Specifically, the issue occurs in "HistoryServer.exe" when processing a specially crafted request. KingView 65.30.2010.18018 is vulnerable and other versions may also be affected.
    • Ref: http://www.us-cert.gov/control_systems/pdf/ICSA-11-355-02.pdf

    • 11.53.4 - CVE: Not Available
    • Platform: Third Party Windows Apps
    • Title: Kaspersky Internet Security/Anti-Virus ".cfg" File Memory Corruption
    • Description: Kaspersky Internet Security and Anti-Virus are security products. Kaspersky Internet Security and Anti-Virus are exposed to a local memory corruption issue. Specifically, this issue affects the "basegui.ppl" and "basegui.dll" files when processing a specially-crafted ".cfg" file. Kaspersky Anti-Virus 2012 & Kaspersky Internet Security 2012, Kaspersky Anti-Virus 2011 & Kaspersky Internet Security 2011 and Kaspersky Anti-Virus 2010 & Kaspersky Internet Security 2010 are affected.
    • Ref: http://www.securityfocus.com/bid/51161/discuss

    • 11.53.5 - CVE: CVE-2011-4537
    • Platform: Third Party Windows Apps
    • Title: 7-Technologies Interactive Graphical SCADA System Buffer Overflow
    • Description: 7-Technologies Interactive Graphical SCADA System (IGSS) is used to control and monitor programmable logic controllers (PLCs) in industrial processes. The system is exposed to a buffer overflow issue because it fails to handle specially crafted packets sent to TCP port 12399 and 12397. 7-Technologies Interactive Graphical SCADA System 9.0.0.11355 and prior versions are affected.
    • Ref: http://www.us-cert.gov/control_systems/pdf/ICSA-11-355-01-7.pdf


    • 11.53.7 - CVE: CVE-2011-4509, CVE-2011-4508
    • Platform: Third Party Windows Apps
    • Title: Multiple Siemens SIMATIC Products Authentication Bypass Vulnerabilities
    • Description: Siemens SIMATIC products are Human Machine Interface (HMI) software. Multiple Siemens SIMATIC products are exposed to the following authentication bypass issues. 1) An authentication bypass issue affects the products because they generate weak and predictable session cookie values for the administrator account. 2) An authentication bypass issue affects the products because they contain default credentials for the web interface (Username: "Administrator" and Password: "100") and the VNC service (no username and Password: "100"). SIMATIC WinCC Flexible 2004 through 2008 SP2, SIMATIC WinCC V11, V11 SP1, and V11 SP2, and SIMATIC HMI TP, OP, MP, Mobile, and Comfort Series Panels are affected.
    • Ref: http://www.us-cert.gov/control_systems/pdf/ICSA-11-356-01.pdf


    • 11.53.9 - CVE: CVE-2011-4622
    • Platform: Linux
    • Title: Linux Kernel KVM "create_pit_timer()" Function Local Denial of Service
    • Description: The Linux kernel is exposed to a local denial of service issue. Specifically, the issue affects the KVM implementation and occurs because of a NULL pointer dereference error in the "create_pit_timer()" function of the "arch/x86/kvm/i8254.c" file when configuring a Programmable Interrupt Timer (PIT). Linux kernel 2.6.x is affected.
    • Ref: http://www.securityfocus.com/bid/51172/discuss

    • 11.53.10 - CVE: CVE-2011-4862
    • Platform: BSD
    • Title: FreeBSD "telnetd" Daemon Remote Buffer Overflow
    • Description: FreeBSD is a BSD-based operating system. FreeBSD is exposed to a remote buffer overflow issue. This issue affects the "telnetd" daemon because it fails to perform adequate boundary checks on user-supplied data before copying it to insufficiently sized buffers. Specifically, the problem occurs when validating a specially crafted encryption key length received through the TELNET protocol. All supported versions of FreeBSD are affected.
    • Ref: http://security.freebsd.org/advisories/FreeBSD-SA-11:08.telnetd.asc

    • 11.53.11 - CVE: Not Available
    • Platform: Novell
    • Title: Novell Sentinel Log Manager "filename" Parameter Directory Traversal
    • Description: Sentinel Log Manager is a log management solution. The application is exposed to a directory traversal issue because it fails to sufficiently sanitize user-supplied input submitted to the "filename" parameter of the "novelllogmanager/FileDownload" script. Sentinel Log Manager versions 1.2.0.1 and prior are affected.
    • Ref: http://secunia.com/advisories/47258 http://www.securityfocus.com/bid/51104/discuss

    • 11.53.12 - CVE: Not Available
    • Platform: Cross Platform
    • Title: VLC Media Player "get_chunk_header()" Function Memory Corruption
    • Description: VLC is a cross-platform media player. VLC is exposed to a remote code execution issue due to a double-free error in the "get_chunk_header()" function of the "modules/demux/ty.c" source file. Specifically, the issue is triggered when processing a crafted ".ty" TiVo file. VLC Media Player versions 0.9.0 through 1.1.12 are affected.
    • Ref: http://www.videolan.org/security/sa1108.html

    • 11.53.13 - CVE: CVE-2011-4783
    • Platform: Cross Platform
    • Title: IDAPython Script Loading Arbitrary Code Execution
    • Description: IDAPython is a plugin for IDA Pro. The application is exposed to an issue that lets attackers execute arbitrary code. The issue arises because the application searches for the Python script file in the current working directory. IDAPython versions 1.5.0 through 1.5.2 are vulnerable; other versions may also be affected.
    • Ref: http://technet.microsoft.com/en-us/security/msvr/msvr11-015 http://www.securityfocus.com/bid/51164/references

    • 11.53.14 - CVE: CVE-2011-1393
    • Platform: Cross Platform
    • Title: IBM Lotus Domino RPC Operation Denial of Service
    • Description: IBM Lotus Domino is a client/server product designed for collaborative working environments. Domino Server supports email, scheduling, instant messaging, and data-driven applications. IBM Lotus Domino is exposed to a denial of service issue. This issue is caused due to an error when processing RPC operations related to authentication. IBM Lotus Domino Server 8.5.2 FP3 and earlier, 8.5.1, 8.5 and 8.0.x are affected.
    • Ref: http://www-01.ibm.com/support/docview.wss?uid=swg21575247

    • 11.53.15 - CVE: CVE-2011-4623
    • Platform: Cross Platform
    • Title: RSyslog Function Imfile Module Buffer Overflow
    • Description: RSyslog is a daemon for managing system logs; it is available for UNIX and Linux systems. RSyslog is exposed to a heap-based buffer overflow issue in the imfile module. Specifically, this issue occurs because the rsyslog daemon fails to properly handle log files larger than 64 kilobytes. Red Hat Enterprise Linux 6 is affected.
    • Ref: http://www.securityfocus.com/bid/51171/info https://bugzilla.redhat.com/show_bug.cgi?id=769822

    • 11.53.16 - CVE: CVE-2011-4061
    • Platform: Cross Platform
    • Title: IBM DB2 and DB2 Connect Tivoli Monitoring Agent Local Privilege Escalation
    • Description: IBM DB2 and DB2 Connect are database applications designed to run on various platforms, including Linux, AIX, Solaris and Microsoft Windows. IBM DB2 and DB2 Connect are exposed to a local privilege escalation issue. This issue occurs because the SUID "Tmaitm6/lx8266/bin/kbbacf1" executable included in the Tivoli Monitoring Agent (ITMA) fails to properly use the "DT_RPATH" entry to load the "libkbb.so" library. IBM DB2 Express Edition, IBM DB2 Workgroup Server Edition, IBM DB2 Enterprise Server Edition, IBM DB2 Advanced Enterprise Server Edition, IBM DB2 Connect Application Server Edition, IBM DB2 Connect Enterprise Edition, IBM DB2 Connect Unlimited Edition for System i and IBM DB2 Connect Unlimited Edition for System z are affected.
    • Ref: http://www-01.ibm.com/support/docview.wss?uid=swg21576372

    • 11.53.17 - CVE: Not Available
    • Platform: Web Application - Cross Site Scripting
    • Title: epesi BIM Multiple Cross-Site Scripting Vulnerabilities
    • Description: epesi BIM is a PHP-based application for creating dynamic Web applications. The application is exposed to multiple cross-site scripting issues because it fails to properly sanitize user-supplied input. epesi BIM 1.2.0 rev 8154 is vulnerable; prior versions may also be affected.
    • Ref: http://www.securityfocus.com/bid/51149/references


    • 11.53.19 - CVE: CVE-2011-3839, CVE-2011-3838, CVE-2011-3837, CVE-2011-3836, CVE-2011-3835
    • Platform: Web Application
    • Title: Wuzly Multiple Security Vulnerabilities
    • Description: Wuzly is a PHP-based blog application. Wuzly is exposed to multiple remote security issues. See the reference for further details. Wuzly version 2.0 is affected; other versions may also be affected.
    • Ref: http://www.securityfocus.com/bid/51114/references

    • 11.53.20 - CVE: Not Available
    • Platform: Web Application
    • Title: OBM Multiple Remote Vulnerabilities
    • Description: OBM is a messaging and collaboration application. The application is exposed to multiple remote issues. 1) A local file-include issue affects the "module" parameter of the "exportcsv_index.php" script. 2) Multiple SQL injection issues. 3) Multiple cross-site scripting issues. 4) An insecure file permissions issue occurs because "test.php" is stored with insecure permissions. OBM 2.4.0-rc13 is vulnerable; other versions may also be affected.
    • Ref: http://www.securityfocus.com/archive/1/520986

    • 11.53.21 - CVE: Not Available
    • Platform: Web Application
    • Title: Government Site Builder "videos.html" HTML Injection
    • Description: Government Site Builder is a content management application. The application is exposed to an HTML injection issue that affects the "media" module. Specifically, this issue occurs because the application fails to sufficiently sanitize user-supplied data submitted to the "page" parameter of the "videos.html" script. Government Site Builder 4.1 is affected.
    • Ref: http://www.securityfocus.com/bid/51162/discuss

    • 11.53.22 - CVE: CVE-2011-4782
    • Platform: Web Application
    • Title: PhpMyAdmin "$host" Variable HTML Injection
    • Description: phpMyAdmin is a web-based administration interface for MySQL databases; it is implemented in PHP. The application is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input to the "$host" variable. phpMyAdmin versions 3.4.x prior to 3.4.9 are affected.
    • Ref: http://www.phpmyadmin.net/home_page/security/PMASA-2011-19.php

    • 11.53.23 - CVE: Not Available
    • Platform: Network Device
    • Title: SpamTitan Multiple HTML Injection Vulnerabilities
    • Description: SpamTitan is an anti-spam software application. SpamTitan is exposed to multiple HTML injection issues because it fails to properly sanitize user-supplied input passed to the following scripts: "auth-settings.php", "setup-relay.php", "setup-network.php". SpamTitan 5.08 is vulnerable; other versions may also be affected.
    • Ref: http://www.securityfocus.com/bid/51155/discuss

    • 11.53.24 - CVE: CVE-2011-4197
    • Platform: Network Device
    • Title: PfSense Cross Site Scripting and Security Bypass Vulnerabilities
    • Description: pfSense is an open-source distribution of FreeBSD designed for use as a firewall and router. pfSense is exposed to the following remote issues. 1) A cross-site scripting issue affects the "style" parameter of the "status_rrd_graph.php" script. 2) A security bypass issue occurs due to insecure certificate creation. pfSense 2.0 is vulnerable and other versions may also be affected.
    • Ref: http://blog.pfsense.org/?p=633 http://www.securityfocus.com/bid/51169/info

    • 11.53.25 - CVE: Not Available
    • Platform: Network Device
    • Title: Ubiquiti Networks AirOS Remote Command Execution
    • Description: AirOS is firmware for network devices. It has a web-based user interface that provides wireless configuration and routing functionality. The application is exposed to an issue that lets attackers execute arbitrary commands in the context of the application. This issue occurs because the application fails to adequately restrict access to certain web-accessible scripts, including the "admin.cgi" script. AirOS v3.6.1 and v4.0 on 802.11 products, and all versions of AirMax AirOS v5.x, are affected.
    • Ref: http://ubnt.com/forum/showthread.php?p=236875 http://www.securityfocus.com/bid/51178/discuss

    • 11.53.26 - CVE: CVE-2011-4861
    • Platform: Hardware
    • Title: Schneider Electric Quantum Ethernet Module Multiple Vulnerabilities
    • Description: Schneider Electric products provide solutions for energy management. The Quantum Ethernet Module is exposed to multiple remote issues: it contains multiple hard-coded credentials, which can enable access to several of its services. See the reference for the affected products and firmware versions.
    • Ref: http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-346-01.pdf

    (c) 2012. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

    Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account