@RISK: The Consensus Security Vulnerability Alert

Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys

• (1) HIGH: RealPlayer AVI Parsing Buffer Overflow
• (2) HIGH: Apple QuickTime Sprite Transformation Buffer Overflow Vulnerability
• (3) HIGH: HP OpenView Performance Insight Server Backdoor

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

Windows

• 11.6.1 - Microsoft Windows MHTML Script Code Injection

Third Party Windows Apps

• 11.6.2 - EMC NetWorker "librpc.dll" Spoofing

Linux

• 11.6.3 - Linux-PAM "pam_xauth" Module Denial of Service and Security Bypass Vulnerabilities
• 11.6.4 - Linux Kernel I/O-Warrior USB Device Heap Buffer Overflow

Novell

• 11.6.5 - Novell GroupWise Internet Agent "TZID" Variable Parsing Remote Code Execution

Cross Platform

• 11.6.6 - HP OpenView Storage Data Protector Unspecified Denial of Service
• 11.6.7 - RubyGems mail Remote Arbitrary Shell Command Injection
• 11.6.8 - Cisco Content Services Gateway Malformed TCP Packet Denial of Service
• 11.6.9 - MuPDF "closedctd()" PDF File Handling Remote Code Execution
• 11.6.10 - Symantec Intel Alert Management System Buffer Overflow Vulnerabilities
• 11.6.11 - PRTG Network Monitor "errormsg" Parameter Multiple Cross-Site Scripting Vulnerabilities
• 11.6.12 - Symantec Intel Alert Management System Message Handling
• 11.6.13 - OpenOffice Multiple Remote Code Execution Vulnerabilities
• 11.6.14 - ISC DHCP Server DHCPv6 Decline Message Denial of Service
• 11.6.15 - Opera Web Browser Multiple Security Vulnerabilities
• 11.6.16 - IBM DB2 Administration Server Unspecified Buffer Overflow
• 11.6.17 - VLC Media Player MKV File Parsing Remote Code Execution
• 11.6.18 - IBM DB2 DBADM Privilege Revocation Security Bypass
• 11.6.19 - Hitachi JP1/NETM/DM Information Disclosure and Denial of Service Vulnerabilities
• 11.6.20 - Symantec IM Manager "eval()" Code Injection
• 11.6.21 - Cisco WebEx Remote Stack Buffer Overflow
• 11.6.22 - IBM DB2 Administration Server "validateUser()" Stack Buffer Overflow
• 11.6.23 - HP OpenView Performance Insight Server "doPost()" Remote Arbitrary Code Execution
• 11.6.24 - Cisco WebEx ATP File Remote Stack Buffer Overflow
• 11.6.25 - Sun Java Floating-Point Value Denial of Service

Web Application - Cross Site Scripting

• 11.6.26 - TYPO3 Media [DAM] Extension Unspecified Cross-Site Scripting
• 11.6.27 - WordPress FCChat Widget Plugin "path" Parameter Cross-Site Scripting

Web Application

• 11.6.28 - WordPress ImageManager Plugin "manager.php" Arbitrary File Upload

Network Device

• 11.6.29 - Cisco Content Services Gateway Malformed TCP Packet Denial of Service

PART I Critical Vulnerabilities

PART I Critical Vulnerabilities Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/risk/#process

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 6, 2011

Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com) This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 10893 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely. ______________________________________________________________________

• 11.6.1 - CVE: CVE-2011-0096
• Platform: Windows
• Title: Microsoft Windows MHTML Script Code Injection
• Description: Microsoft Windows is exposed to an issue that may allow attackers to inject arbitrary script code into the current browser session. The problem is due to the way MHTML handles MIME formatted requests.
• Ref: http://blogs.technet.com/b/srd/archive/2011/01/28/more-information-about-the-mht
  ml-script-injection-vulnerability.aspx

• 11.6.2 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: EMC NetWorker "librpc.dll" Spoofing
• Description: EMC NetWorker is a centralized data protection system available for multiple operating systems. EMC NetWorker is exposed to an issue that allows attackers to spoof source addresses. The problem affects the "librpc.dll" RPC library.
• Ref: http://www.securityfocus.com/archive/1/516000

• 11.6.3 - CVE: CVE-2010-4707,CVE-2010-4706
• Platform: Linux
• Title: Linux-PAM "pam_xauth" Module Denial of Service and Security Bypass Vulnerabilities
• Description: Pluggable authentication modules provide a standard interface to various authentication mechanisms. The "pamxauth" module is used to forward "xauth" cookies for a user that has assumed another user's privileges with the "su" command. Local attackers may exploit these issues to bypass certain security restrictions or to cause denial of service. Linux-PAM versions 1.1.2 and earlier are affected.
• Ref: http://openwall.com/lists/oss-security/2010/10/03/1

• 11.6.4 - CVE: CVE-2010-4656
• Platform: Linux
• Title: Linux Kernel I/O-Warrior USB Device Heap Buffer Overflow
• Description: The Linux kernel is exposed to a heap-based buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data. This issue occurs in the "drivers/usb/misc/iowarrier.c" source file.
• Ref: https://bugzilla.redhat.com/show_bug.cgi?id=672420

• 11.6.5 - CVE: CVE-2010-4325
• Platform: Novell
• Title: Novell GroupWise Internet Agent "TZID" Variable Parsing Remote Code Execution
• Description: Novell GroupWise is collaboration software available for a number of platforms, including Linux and Microsoft Windows. GroupWise includes an Internet Agent process for mail transfer. Novell GroupWise Internet Agent is exposed to a remote code execution issue because it fails to parse the "TZID" variable of "VCALENDAR" data included in e-mail messages.
• Ref: http://www.securityfocus.com/archive/1/516002

• 11.6.6 - CVE: CVE-2011-0275
• Platform: Cross Platform
• Title: HP OpenView Storage Data Protector Unspecified Denial of Service
• Description: HP OpenView Storage Data Protector is a commercial data management product for backup and recovery operations. The application is exposed to an unspecified remote denial of service issue. HP OpenView Storage Data Protector versions 6.0, 6.10 and 6.11 are affected.
• Ref: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02699143

• 11.6.7 - CVE: Not Available
• Platform: Cross Platform
• Title: RubyGems mail Remote Arbitrary Shell Command Injection
• Description: RubyGems mail is a Ruby mail handler. The application is exposed to a remote command injection issue because it fails to adequately sanitize user-supplied input. Specifically, the issue occurs when processing an email message's "from" address in the "deliver()" method of the "lib/mail/network/delivery_methods/sendmail.rb" script. RubyGems mail versions prior to 2.2.15 are affected.
• Ref: http://groups.google.com/group/mail-ruby/browse_thread/thread/e93bbd05706478dd?p
  li=1

• 11.6.8 - CVE: CVE-2011-0349, CVE-2011-0348, CVE-2011-0350
• Platform: Cross Platform
• Title: Cisco Content Services Gateway Malformed TCP Packet Denial of Service
• Description: Cisco Content Services Gateway is a device used to monitor network usage. Cisco Content Services Gateway is prone to a denial of service issue when handling specially crafted TCP packets.
• Ref: http://www.cisco.com/warp/public/707/cisco-sa-20110126-csg2.shtml

• 11.6.9 - CVE: Not Available
• Platform: Cross Platform
• Title: MuPDF "closedctd()" PDF File Handling Remote Code Execution
• Description: MuPDF is a PDF parser. The application is exposed to a remote code execution issue due to stack corruption when processing malformed PDF files containing specially crafted JPEG images. This issue affects the "closedctd()" function of the "fitz/filt_dctd.c" source file. MuPDF version 0.7 is affected.
• Ref: http://code.google.com/p/sumatrapdf/issues/detail?id=1180

• 11.6.10 - CVE: CVE-2010-0110
• Platform: Cross Platform
• Title: Symantec Intel Alert Management System Buffer Overflow Vulnerabilities
• Description: Symantec Intel Alert Management System (AMS2) is used to manage and report alerts in multiple Symantec products including Symantec AntiVirus Corporate Edition Server, Symantec System Center, and Symantec Quarantine Server. AMS2 is exposed to multiple remote buffer overflow issues because it fails to properly bounds check user-supplied input. The problem occurs when handling specially malformed packets sent to the service.
• Ref: http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fi
  d=security_advisory&pvid=security_advisory&year=2011&suid=20110126_0
  0

• 11.6.11 - CVE: Not Available
• Platform: Cross Platform
• Title: PRTG Network Monitor "errormsg" Parameter Multiple Cross-Site Scripting Vulnerabilities
• Description: PRTG Network Monitor is a network usage monitoring application. PRTG Network Monitor is exposed to multiple cross-site scripting issues because it fails to properly sanitize user-supplied input. These issues affect the "errormsg" parameter of the "login.htm" and "error.htm" scripts. PRTG Network Monitor version 8.1.2.1809 is affected.
• Ref: http://www.securityfocus.com/bid/46029

• 11.6.12 - CVE: CVE-2010-0111
• Platform: Cross Platform
• Title: Symantec Intel Alert Management System Message Handling
• Description: Symantec Intel Alert Management System (AMS2) is used to manage and report alerts in multiple Symantec products including Symantec AntiVirus Corporate Edition Server, Symantec System Center, and Symantec Quarantine Server. AMS2 is exposed to a remote issue due to improper message handling.
• Ref: http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fi
  d=security_advisory&pvid=security_advisory&year=2011&suid=20110126_0
  1

• 11.6.13 - CVE:CVE-2010-4643,CVE-2010-4253,CVE-2010-3689,CVE-2010-3454,CVE-2010-3453,CVE-2010-3452,CVE-2010-3451,CVE-2010-3450
• Platform: Cross Platform
• Title: OpenOffice Multiple Remote Code Execution Vulnerabilities
• Description: OpenOffice is a suite of office applications for multiple operating platforms. The application is exposed to multiple remote code execution issues. Attackers can exploit these issues to execute arbitrary code in the context of the application.
• Ref: http://seclists.org/fulldisclosure/2011/Jan/487

• 11.6.14 - CVE: CVE-2011-0413
• Platform: Cross Platform
• Title: ISC DHCP Server DHCPv6 Decline Message Denial of Service
• Description: The ISC DHCP Server is a reference implementation of the DHCP protocol and includes a DHCP server, client and relay agent. The application is exposed to a denial of service issue. Specifically, the application triggers an assert failure when processing DHCPv6 messages for an address that was previously declined. ISC DHCP Server versions 4.0 through 4.2.1 are affected.
• Ref: http://www.kb.cert.org/vuls/id/686084

• 11.6.15 - CVE: Not Available
• Platform: Cross Platform
• Title: Opera Web Browser Multiple Security Vulnerabilities
• Description: The Opera Web Browser runs on multiple operating systems. The Opera Web Browser is exposed to multiple security issues. Exploiting these issues may allow a remote attacker to compromise the affected application, obtain sensitive information, bypass certain security restrictions, perform unauthorized actions, and execute arbitrary code within the context of the affected application. Opera Web Browser versions prior to 11.01 are affected.
• Ref: http://www.opera.com/docs/changelogs/windows/1101/

• 11.6.16 - CVE: Not Available
• Platform: Cross Platform
• Title: IBM DB2 Administration Server Unspecified Buffer Overflow
• Description: IBM DB2 is a database manager. IBM DB2 is exposed to a buffer overflow issue because it fails to perform adequate checks on user-supplied input. This issue occurs due to an unspecified error in the DB2 administration server.
• Ref: http://www.zerodayinitiative.com/advisories/ZDI-11-036/

• 11.6.17 - CVE: Not Available
• Platform: Cross Platform
• Title: VLC Media Player MKV File Parsing Remote Code Execution
• Description: VLC Media Player is an application that allows users to play back various media formats. VLC Media Player is exposed to a remote code execution issue that affects the "MKV_IS_ID" macro in the "modules/demux/mkv/mkv.hpp" file for the MKV demuxer when processing crafted MKV files. VLC Media Player versions 1.1.6.1 and earlier are affected.
• Ref: http://www.videolan.org/security/sa1102.html

• 11.6.18 - CVE: Not Available
• Platform: Cross Platform
• Title: IBM DB2 DBADM Privilege Revocation Security Bypass
• Description: IBM DB2 is a database application available for multiple platforms. IBM DB2 is exposed to a security bypass issue that can allow an attacker to run "non-DDL" statements. The issue arises because the application fails to properly revoke "DBADM" privileges.
• Ref: http://www-01.ibm.com/support/docview.wss?uid=swg21426108

• 11.6.19 - CVE: Not Available
• Platform: Cross Platform
• Title: Hitachi JP1/NETM/DM Information Disclosure and Denial of Service Vulnerabilities
• Description: Hitachi JP1/NETM/DM is exposed to multiple issues: A local information disclosure issue that occurs because certain file permissions are not properly set, which allows local users to access files that they are not intended to access, and an unspecified remote denial of service issue.
• Ref: http://www.securityfocus.com/bid/46063

• 11.6.20 - CVE: CVE-2010-3719
• Platform: Cross Platform
• Title: Symantec IM Manager "eval()" Code Injection
• Description: Symantec IM Manager logs, manages and secures corporate IM traffic. IM Manager is exposed to an issue that will let attackers inject arbitrary code. The problem occurs because the application fails to properly sanitize user-supplied input to the administration console before processing it in an "eval()" function call. IM Manager versions prior to 8.4.17 are affected.
• Ref: http://www.symantec.com/business/security_response/securityupdates/detail.jsp?fi
  d=security_advisory&pvid=security_advisory&year=2011&suid=20110131_0
  0

• 11.6.21 - CVE: CVE-2010-3041, CVE-2010-3042, CVE-2010-3043,CVE-2010-3044, CVE-2010-3269
• Platform: Cross Platform
• Title: Cisco WebEx Remote Stack Buffer Overflow
• Description: Cisco WebEx is a sharing and conferencing application for Microsoft Windows, Linux, and Mac OS X. Cisco WebEx is exposed to a remote stack buffer overflow issue due to a failure to properly bounds check user-supplied data. The problem occurs when handling specially crafted ATP files.
• Ref: http://www.cisco.com/warp/public/707/cisco-sa-20110201-webex.shtml

• 11.6.22 - CVE: Not Available
• Platform: Cross Platform
• Title: IBM DB2 Administration Server "validateUser()" Stack Buffer Overflow
• Description: IBM DB2 is a database application available for multiple platforms. IBM DB2 is exposed to a stack-based buffer overflow issue because the application's administrative server fails to perform adequate boundary checks on user-supplied input. DB2 version 9.1 prior to Fix Pack 10; DB2 version 9.5 prior to Fix Pack 6 and DB2 version 9.7 prior to Fix Pack 3 are affected.
• Ref: https://www-304.ibm.com/support/docview.wss?uid=swg1IC70538

• 11.6.23 - CVE: CVE-2011-0276
• Platform: Cross Platform
• Title: HP OpenView Performance Insight Server "doPost()" Remote Arbitrary Code Execution
• Description: HP OpenView Performance Insight Server is a component of the HP OpenView product family which consists of network and systems management products. HP OpenView Performance Insight Server is exposed to a remote code execution because a hidden account in the "com.trinagy.security.XMLUserManager" Java class allows attackers to access the "com.trinagy.servlet.HelpManagerServlet" Java class.
• Ref: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02695453

• 11.6.24 - CVE: CVE-2010-3270
• Platform: Cross Platform
• Title: Cisco WebEx ATP File Remote Stack Buffer Overflow
• Description: Cisco WebEx is a sharing and conferencing application for Microsoft Windows, Linux, and Mac OS X. Cisco WebEx is exposed to a remote stack buffer overflow issue because it fails to properly bounds check user-supplied data. The problem occurs when handling specially crafted ATP files.
• Ref: http://www.coresecurity.com/content/webex-atp-and-wrf-overflow-vulnerabilities

• 11.6.25 - CVE: Not Available
• Platform: Cross Platform
• Title: Sun Java Floating-Point Value Denial of Service
• Description: Sun Java is a web programming language. Java is exposed to a denial of service issue when processing certain double precision floating-point values. The problem occurs in applications that convert a user-supplied decimal input to a double-precision binary floating-point.
• Ref: http://www.exploringbinary.com/java-hangs-when-converting-2-2250738585072012e-30
  8/

• 11.6.26 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: TYPO3 Media [DAM] Extension Unspecified Cross-Site Scripting
• Description: Media [DAM] is an extension for the TYPO3 content manager. The extension is exposed to an unspecified cross-site scripting issue because it fails to properly sanitize user-supplied input from a file rename operation. Media [DAM] versions prior to 1.1.8 are affected.
• Ref: http://typo3.org/teams/security/security-bulletins/typo3-sa-2011-001/

• 11.6.27 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: WordPress FCChat Widget Plugin "path" Parameter Cross-Site Scripting
• Description: WordPress is a PHP-based content manager. The FCChat Widget plugin is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input to the "path" parameter of the "wp-content/plugins/fcchat/js/import.config.php" script. FCChat Widget version 2.1.7 is affected.
• Ref: http://www.securityfocus.com/bid/46009

• 11.6.28 - CVE: Not Available
• Platform: Web Application
• Title: WordPress ImageManager Plugin "manager.php" Arbitrary File Upload
• Description: WordPress is a PHP-based content manager. The application is exposed to an issue that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input before uploading files through the "wp-content/plugins/ImageManager/manager.php" script.
• Ref: http://www.securityfocus.com/bid/46010

• 11.6.29 - CVE: CVE-2011-0350
• Platform: Network Device
• Title: Cisco Content Services Gateway Malformed TCP Packet Denial of Service
• Description: Cisco Content Services Gateway is a device used to monitor network usage. Cisco Content Services Gateway is exposed to a denial of service issue when handling specially crafted TCP packets.
• Ref: http://www.cisco.com/warp/public/707/cisco-sa-20110126-csg2.shtml

(c) 2011. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge by the SANS Institute to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization. For a free subscription or to update a current subscription, visit http://portal.sans.org/