@RISK: The Consensus Security Vulnerability Alert

Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys

• (1) MEDIUM: Novell Groupwise Internet Agent Multiple Vulnerabilities
• (2) MEDIUM: Opera Browser Multiple Vulnerabilities

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

Windows

• 11.5.1 - Microsoft Windows Fax Cover Page Editor Double Free Memory Corruption

Linux

• 11.5.2 - Linux Kernel "ethtool.c" Information Disclosure
• 11.5.3 - libxml2 "XMLWriter::writeAttribute()" Memory Leak Information Disclosure
• 11.5.4 - Linux Kernel "drivers/media/dvb/ttpci/av7110_ca" IOCTL Local Privilege Escalation

Aix

• 11.5.5 - IBM AIX "FC SCSI" Protocol Driver Denial of Service

Novell

• 11.5.6 - Novell GroupWise Internet Agent REQUEST-STATUS Buffer Overflow

Cross Platform

• 11.5.7 - Asterisk SIP Channel Driver Stack Buffer Overflow
• 11.5.8 - Citrix Provisioning Services Unspecified Remote Code Execution
• 11.5.9 - MyProxy SSL Certificate Validation Security Bypass
• 11.5.10 - IBM WebSphere MQ Header Field Remote Buffer Overflow
• 11.5.11 - Golden FTP Server Malformed Message Denial of Service
• 11.5.12 - VLC Media Player Multiple Remote Heap Buffer Overflow Vulnerabilities
• 11.5.13 - HP OpenView Storage Data Protector Unspecified Remote Code Execution
• 11.5.14 - WordPress StatPressCN Plugin "wp-admin/admin.php" Multiple Cross-Site Scripting Vulnerabilities
• 11.5.15 - Opera Web Browser "Select" HTML Element Integer Overflow
• 11.5.16 - PHP Zend Engine Use-after-free Heap Corruption
• 11.5.17 - Golden FTP Server PASS Command Remote Buffer Overflow
• 11.5.18 - Request Tracker Password Information Disclosure
• 11.5.19 - A-V Tronics InetServ SMTP Denial of Service
• 11.5.20 - Sun SunScreen Firewall Local Privilege Escalation
• 11.5.21 - SAP Crystal Reports Server Multiple Vulnerabilities
• 11.5.22 - Progress OpenEdge Multiple Vulnerabilities
• 11.5.23 - Bugzilla Multiple Vulnerabilities
• 11.5.24 - ActiveWeb Professional Arbitrary File Upload
• 11.5.25 - OpenVAS Manager Remote Arbitrary Command Injection
• 11.5.26 - Oracle January 2011 Multiple Vulnerabilities
• 11.5.27 - IBM WebSphere Portal and Workplace Web Content Management Unspecified Information Disclosure
• 11.5.28 - Opera Web Browser "option" HTML Element Integer Overflow
• 11.5.29 - VLC Media Player Subtitle "StripTags()" Function Memory Corruption

Web Application - Cross Site Scripting

• 11.5.30 - Eclipse IDE Multiple Cross-Site Scripting Vulnerabilities
• 11.5.31 - WordPress Uploader Plugin "num" Parameter Cross-Site Scripting

PART I Critical Vulnerabilities

Part I Critical Vulnerabilities PART I Critical Vulnerabilities Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/risk/#process

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 5, 2011

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com) This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 10878 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely. ______________________________________________________________________

• 11.5.1 - CVE: Not Available
• Platform: Windows
• Title: Microsoft Windows Fax Cover Page Editor Double Free Memory Corruption
• Description: Microsoft Windows Fax Cover Page Editor is an application for viewing and editing Fax Cover Page files. Microsoft Windows Fax Cover Page Editor (fxscover.exe) is exposed to a double free memory corruption issue that occurs when the various "Text" elements, which have a negative value by default, use a positive value greater than zero and lower than the total number of elements. Microsoft Windows Fax Cover Page Editor versions 5.2.3790.3959 and earlier are affected.
• Ref: http://windows.microsoft.com/en-US/windows-vista/Create-or-edit-a-fax-cover-page

• 11.5.2 - CVE: Not Available
• Platform: Linux
• Title: Linux Kernel "ethtool.c" Information Disclosure
• Description: The Linux kernel is exposed to an information disclosure issue that affects various functions of the "ethtool.c" source file. Specifically, the functions fail to clear the heap when returning from kernel mode to usermode which may allow attackers to gain access to sensitive information.
• Ref: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=b009
  16b189d13a615ff05c9242201135992fcda3

• 11.5.3 - CVE: Not Available
• Platform: Linux
• Title: libxml2 "XMLWriter::writeAttribute()" Memory Leak Information Disclosure
• Description: The "libxml2" library is an open-source software designed to manipulate XML files. The "libxml2" library is exposed to a local information disclosure issue caused by a heap memory leak in the "XMLWriter::writeAttribute()" function. Ref:http://permalink.gmane.org/gmane.comp.security.oss.general/4122

• 11.5.4 - CVE: CVE-2011-0521
• Platform: Linux
• Title: Linux Kernel "drivers/media/dvb/ttpci/av7110_ca" IOCTL Local Privilege Escalation
• Description: The Linux kernel is exposed to a local privilege escalation issue due to an integer overflow error that occurs in the "dvb_ca_ioctl()" function of the "drivers/media/dvb/ttpci/av7110_ca.c" source file. Ref: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=cb26a24ee9706473f31d34cc259f4dcf45cd0644

• 11.5.5 - CVE: Not Available
• Platform: Aix
• Title: IBM AIX "FC SCSI" Protocol Driver Denial of Service
• Description: IBM AIX is an open standards based UNIX operating system. IBM AIX is exposed to a denial of service issue that occurs due to an error in the "FC SCSI" protocol driver while deallocating a timer. IBM AIX version 6.1 is affected.
• Ref: https://www-304.ibm.com/support/docview.wss?uid=isg1IZ92478

• 11.5.6 - CVE: CVE-2010-4326
• Platform: Novell
• Title: Novell GroupWise Internet Agent REQUEST-STATUS Buffer Overflow
• Description: Novell GroupWise is collaboration software available for a number of platforms, including Linux and Microsoft Windows. Novell GroupWise Internet Agent is exposed to a buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data.
• Ref: http://www.zerodayinitiative.com/advisories/ZDI-11-025/

• 11.5.7 - CVE: Not Available
• Platform: Cross Platform
• Title: Asterisk SIP Channel Driver Stack Buffer Overflow
• Description: Asterisk is a private branch exchange (PBX) application available for Linux, BSD, and Mac OS X platforms. Asterisk is exposed to a remote stack-based buffer overflow issue because the application fails to perform adequate boundary checks on user-supplied data.
• Ref: http://downloads.asterisk.org/pub/security/AST-2011-001.html

• 11.5.8 - CVE: Not Available
• Platform: Cross Platform
• Title: Citrix Provisioning Services Unspecified Remote Code Execution
• Description: Citrix Provisioning Services is exposed to a remote code execution issue.
• Ref: http://www.zerodayinitiative.com/advisories/ZDI-11-023/

• 11.5.9 - CVE: Not Available
• Platform: Cross Platform
• Title: MyProxy SSL Certificate Validation Security Bypass
• Description: MyProxy is an open source software for managing X.509 Public Key Infrastructure (PKI) security credentials (certificates and private keys). The "myproxy-logon" program in MyProxy is exposed to a security bypass issue that occurs because it fails to properly validate SSL certificates received from the MyProxy server. MyProxy versions 5.0, 5.1, and 5.2 are affected. Ref: http://lists.globus.org/pipermail/security-announce/2011-January/000018.html

• 11.5.10 - CVE: CVE-2011-0310
• Platform: Cross Platform
• Title: IBM WebSphere MQ Header Field Remote Buffer Overflow
• Description: IBM WebSphere MQ is a commercially available messaging engine for enterprises. WebSphere MQ is exposed to a buffer overflow issue because it fails to properly bounds check user-supplied data before copying it into an insufficiently sized memory buffer. WebSphere MQ versions prior to 7.0.1.4 are affected.
• Ref: https://www-304.ibm.com/support/docview.wss?rs=171&uid=swg21254675

• 11.5.11 - CVE: Not Available
• Platform: Cross Platform
• Title: Golden FTP Server Malformed Message Denial of Service
• Description: Golden FTP Server is designed for use with Microsoft Windows operating systems. Golden FTP Server is exposed to a denial of service issue that occurs when sending specially crafted message to the server. Golden FTP Server version 4.70 is affected.
• Ref: http://www.securityfocus.com/bid/45924

• 11.5.12 - CVE: Not Available
• Platform: Cross Platform
• Title: VLC Media Player Multiple Remote Heap Buffer Overflow Vulnerabilities
• Description: VLC is a cross-platform media player. VLC media player is exposed to multiple heap-based buffer overflow issues that affect the CDG decoder ("modules/codec/cdg.c") of the player. VLC media player version 1.1.5 is affected. Ref: http://git.videolan.org/?p=vlc.git;a=commit;h=f9b664eac0e1a7bceed9d7b5854fd9fc351b4aab

• 11.5.13 - CVE: CVE-2011-0273
• Platform: Cross Platform
• Title: HP OpenView Storage Data Protector Unspecified Remote Code Execution
• Description: HP OpenView Storage Data Protector is a commercial data management product for backup and recovery operations. The application is exposed to a remote arbitrary code execution issue. HP OpenView Storage Data Protector version 6.11 running on HP-UX, Solaris, Linux, and Windows are affected.
• Ref: https://www11.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02688353&a
  dmit=109447626+1295911495805+28353475

• 11.5.14 - CVE: Not Available
• Platform: Cross Platform
• Title: WordPress StatPressCN Plugin "wp-admin/admin.php" Multiple Cross-Site Scripting Vulnerabilities
• Description: StatPressCN is a plugin for WordPress. WordPress is a web-based publishing application. The application is exposed to multiple cross-site scripting issues because it fails to sanitize user-supplied input. StatPressCN version 1.9.0 is affected.
• Ref: http://www.securityfocus.com/bid/45950

• 11.5.15 - CVE: Not Available
• Platform: Cross Platform
• Title: Opera Web Browser "Select" HTML Element Integer Overflow
• Description: Opera Web Browser is a browser that runs on multiple operating systems. The application is exposed to a remote integer overflow issue that occurs in the processing of a "select" HTML tag with a very large number of children because of an error in the "opera.dll" Dynamic-link library (DLL) file.
• Ref: http://www.securityfocus.com/bid/45951

• 11.5.16 - CVE: CVE-2010-4697
• Platform: Cross Platform
• Title: PHP Zend Engine Use-after-free Heap Corruption
• Description: PHP is an open-source scripting language used for web development. Zend engine is an open source scripting engine. PHP is exposed to a heap corruption issue in the Zend engine. This issue occurs because of a use-after-free error when unreferencing a PHP object using the "__set", "__get", "__isset" and "__unset" methods in a malicious manner. PHP versions prior to 5.2.15 and 5.3.4 are affected.
• Ref: http://bugs.php.net/52879

• 11.5.17 - CVE: Not Available
• Platform: Cross Platform
• Title: Golden FTP Server PASS Command Remote Buffer Overflow
• Description: Golden FTP Server is designed for use with Microsoft Windows operating systems. Golden FTP Server is exposed to a remote buffer overflow issue because it fails to bounds check user-supplied input before copying it into an insufficiently sized memory buffer. Golden FTP Server version 4.70 is affected.
• Ref: http://www.securityfocus.com/bid/45957

• 11.5.18 - CVE: CVE-2011-0009
• Platform: Cross Platform
• Title: Request Tracker Password Information Disclosure
• Description: Request Tracker is an issue tracking application. The application is exposed to an information disclosure issue. Specifically, the application uses an insufficient hashing method to store passwords in the database. Request Tracker versions 3.6.x and 3.8.x are affected.
• Ref: http://www.securityfocus.com/bid/45959

• 11.5.19 - CVE: Not Available
• Platform: Cross Platform
• Title: A-V Tronics InetServ SMTP Denial of Service
• Description: InetServ is an open-source Win32 email server. InetServ is exposed to a denial of service issue. An attacker can exploit this issue by supplying a large number of format string characters ('%s') to the "EXPN" SMTP command. A-V Tronics Inetserv version 3.23 is affected.
• Ref: http://www.securityfocus.com/bid/45960

• 11.5.20 - CVE: Not Available
• Platform: Cross Platform
• Title: Sun SunScreen Firewall Local Privilege Escalation
• Description: SunScreen Firewall is a host-based firewall available for Solaris platforms. SunScreen Firewall is exposed to a local privilege escalation issue. Specifically, a local attacker can modify the "PATH" variable to forge the "cat" binary and send crafted data to the SunScreen Firewall program running on port 3858 to elevate privileges.
• Ref: http://www.securityfocus.com/bid/45963

• 11.5.21 - CVE: Not Available
• Platform: Cross Platform
• Title: SAP Crystal Reports Server Multiple Vulnerabilities
• Description: SAP Crystal Reports Server is an application for sharing, scheduling, and delivering interactive reports. The application is exposed to multiple issues. 1) Multiple cross-site scripting vulnerabilities affect the application because it fails to sufficiently sanitize user-supplied input. 2) A directory traversal issue affects the "path" parameter of the "PerformanceManagement/jsp/qa.jsp" script when the "func" parameter is set to "browse" and the "root" parameter is set to "wi". SAP Crystal Reports Server 2008 is affected.
• Ref: http://dsecrg.com/pages/vul/show.php?id=303

• 11.5.22 - CVE: Not Available
• Platform: Cross Platform
• Title: Progress OpenEdge Multiple Vulnerabilities
• Description: Progress OpenEdge is a development platform for managing business applications. The application is exposed to multiple issues. 1) An authentication bypass issue that occurs when the application authenticates users on the client side. 2) A userID enumeration weakness affects the application because it responds differently to separate login attempts, depending on whether or not the user ID exists. Progress OpenEdge version 10.2A is affected.
• Ref: http://dsecrg.com/pages/vul/show.php?id=308

• 11.5.23 - CVE:CVE-2011-0048,CVE-2011-0046,CVE-2010-4570,CVE-2010-4569,CVE-2010-4568,CVE-2010-4567
• Platform: Cross Platform
• Title: Bugzilla Multiple Vulnerabilities
• Description: Bugzilla is a web-based bug-tracking application. The application is exposed to multiple issues. 1) A security bypass issue. 2) Multiple cross-site scripting issues affect the "URL" parameter, the username field, and the bug entry page. 3) Multiple cross-site request forgery issues affect various unspecified pages. Bugzilla 3.2.x versions prior to 3.2.10; 3.4.x versions prior to 3.4.10; 3.6.x versions prior to 3.6.4 and 4.x versions prior to 4.0rc2 are affected.
• Ref: http://www.bugzilla.org/security/3.2.9/

• 11.5.24 - CVE: Not Available
• Platform: Cross Platform
• Title: ActiveWeb Professional Arbitrary File Upload
• Description: ActiveWeb Professional is a content management system implemented in cold fusion. ActiveWeb Professional is exposed to an arbitrary file upload issue because it fails to adequately validate file extensions before uploading them. Lomtec ActiveWeb Professional version 3.0 is affected.
• Ref: http://www.kb.cert.org/vuls/id/528212

• 11.5.25 - CVE: CVE-2011-0018
• Platform: Cross Platform
• Title: OpenVAS Manager Remote Arbitrary Command Injection
• Description: OpenVAS (Open Vulnerability Assessment System) is a framework offering vulnerability scanning and vulnerability management solution. OpenVAS Manager is exposed to a remote command injection issue because it fails to adequately sanitize user-supplied input data.
• Ref: http://www.securityfocus.com/bid/45987

• 11.5.26 - CVE: CVE-2010-3600, CVE-2010-4423, CVE-2010-4421,CVE-2010-3590, CVE-2010-4413, CVE-2010-4420, CVE-2009-3555,CVE-2010-4449, CVE-2010-3574, CVE-2010-3510, CVE-2010-3599,CVE-2010-3591, CVE-2010-3592, CVE-2010-3595, CVE-2010-3598,CVE-2010-4417, CVE-2010-4416,
• Platform: Cross Platform
• Title: Oracle January 2011 Multiple Vulnerabilities
• Description: Oracle released "Critical Patch Update Advisory - January 2011" which affects multiple Oracle products. Please refer to the following link for further information. Ref: http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html

• 11.5.27 - CVE: Not Available
• Platform: Cross Platform
• Title: IBM WebSphere Portal and Workplace Web Content Management Unspecified Information Disclosure
• Description: IBM WebSphere Portal and Workplace Web Content Management are web content managers for enterprises. The applications are exposed to an unspecified remote information disclosure issue.
• Ref: http://www-01.ibm.com/support/docview.wss?uid=swg1PM22167

• 11.5.28 - CVE: Not Available
• Platform: Cross Platform
• Title: Opera Web Browser "option" HTML Element Integer Overflow
• Description: Opera Web Browser is a browser that runs on multiple operating systems. The application is exposed to a remote integer overflow issue that occurs in the processing of an excessive number of "option" HTML tag. Opera version 11.00 is affected.
• Ref: http://www.securityfocus.com/bid/46003

• 11.5.29 - CVE: CVE-2011-0522
• Platform: Cross Platform
• Title: VLC Media Player Subtitle "StripTags()" Function Memory Corruption
• Description: VLC is a cross-platform media player. VLC is exposed to a heap-based memory corruption issue that occurs within the "StripTags()" function in the "modules/codec/subtitles/subsdec.c" source file when parsing specially crafted subtitles.
• Ref: http://mailman.videolan.org/pipermail/vlc-devel/2011-January/078607.html

• 11.5.30 - CVE: CVE-2008-7271
• Platform: Web Application - Cross Site Scripting
• Title: Eclipse IDE Multiple Cross-Site Scripting Vulnerabilities
• Description: Eclipse is an integrated development environment (IDE). Eclipse is exposed to multiple cross-site scripting issues because it fails to properly sanitize user-supplied input. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. Eclipse IDE version 3.3.2 is affected. Ref: http://r00tin.blogspot.com/2008/04/eclipse-local-web-server-exploitation.html

• 11.5.31 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: WordPress Uploader Plugin "num" Parameter Cross-Site Scripting
• Description: Uploader is a plugin for WordPress. The Uploader Plugin is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input to the "num" parameter of the "wp-content/plugins/uploader/views/notify.php" script. Uploader version 1.0.0 is affected.
• Ref: http://www.securityfocus.com/bid/45984

(c) 2011. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge by the SANS Institute to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization. For a free subscription or to update a current subscription, visit http://portal.sans.org/