@RISK: The Consensus Security Vulnerability Alert

Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys

• (1) MEDIUM: IcedTea Multiple Signers Privilege Escalation

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

Third Party Windows Apps

• 11.9.1 - SolarFTP "USER" Command Remote Denial of Service

Linux

• 11.9.2 - Linux Kernel FSGEOMETRY_V1 IOCTL Local Information Disclosure
• 11.9.3 - Linux Kernel Native Instruments USB Device Name String Buffer Overflow
• 11.9.4 - Debian/Ubuntu Linux "shadow" Package Local Security Bypass
• 11.9.5 - Red Hat Directory Server Multiple Security Vulnerabilities

Cross Platform

• 11.9.6 - Wireshark Visual C++ Analyzer Buffer Overflow
• 11.9.7 - Oracle Database "exp.exe" Parameter File Remote Buffer Overflow
• 11.9.8 - Cisco Security Agent Remote Code Execution
• 11.9.9 - PHP "grapheme_extract()" NULL Pointer Dereference Denial of Service
• 11.9.10 - IBM FileNet Products Content Engine Security Bypass
• 11.9.11 - Apple iOS "keychain" Local Information Disclosure
• 11.9.12 - OpenJDK "IcedTea" Multiple Signers Privilege Escalation
• 11.9.13 - Dell DellSystemLite.Scanner ActiveX Control Multiple Vulnerabilities
• 11.9.14 - PHP "EXTR_OVERWRITE" Parameter Security Bypass Issue
• 11.9.15 - IBM WebSphere Application Server Login Module Security Bypass
• 11.9.16 - Oracle Passlogix v-GO Self-Service Password Reset Unauthorized Access
• 11.9.17 - Google Chrome OS "flimflam" Use-After-Free Denial of Service
• 11.9.18 - ISC BIND 9 IXFR Transfer/DDNS Update Remote Denial of Service

Web Application

• 11.9.19 - IBM FileNet Content Manager Rendition Engine Unspecified Security Bypass
• 11.9.20 - WordPress User Photo "user-photo.php" Arbitrary File Upload
• 11.9.21 - MediaWiki Multiple Local File Include Vulnerabilities
• 11.9.22 - MySQL Eventum "full_name" Field HTML Injection
• 11.9.23 - Ruby "FileUtils.remove_entry_secure()" Method Race Condition
• 11.9.24 - WordPress cdnvote "cdnvote-post.php" Multiple SQL Injection Vulnerabilities

PART I Critical Vulnerabilities

Critical Vulnerabilities Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/risk/#process

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 9, 2011

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com) This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 10941 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.

• 11.9.1 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: SolarFTP "USER" Command Remote Denial of Service
• Description: SolarFTP is an FTP server available for Microsoft Windows. SolarFTP is exposed to a remote denial of service issue because the application fails to properly handle a specially crafted FTP command. Specifically, the issue occurs when format string characters are provided to the "USER" FTP command. SolarFTP version 2.1 is affected.
• Ref: http://www.securityfocus.com/bid/46504

• 11.9.2 - CVE: CVE-2011-0711
• Platform: Linux
• Title: Linux Kernel FSGEOMETRY_V1 IOCTL Local Information Disclosure
• Description: The Linux kernel is exposed to a local information disclosure issue that affects the "FSGEOMETRY_V1" IOCTL in the "fs/xfs/xfs_fsops.c" source file. Specifically, four bytes of uninitialized stack data can be leaked to user space because the "logsunit" member of the "xfs_fsop_geom_t" structure is not properly filled in during calls to the "xfs_fs_geometry()" function.
• Ref: https://patchwork.kernel.org/patch/555461/

• 11.9.3 - CVE: CVE-2011-0712
• Platform: Linux
• Title: Linux Kernel Native Instruments USB Device Name String Buffer Overflow
• Description: The Linux kernel is exposed to a buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data. This issue occurs in the "sound/usb/caiaq/audio.c" and "sound/usb/caiaq/midi.c" source files. The device name string used on Native Instruments USB devices is copied unsafely with "strcpy()" calls.
• Ref: https://bugzilla.redhat.com/show_bug.cgi?id=677881

• 11.9.4 - CVE: CVE-2011-0721
• Platform: Linux
• Title: Debian/Ubuntu Linux "shadow" Package Local Security Bypass
• Description: "chfn" and "chsh" are utilities for changing finger (gecos) information and for changing a login shell. The Debian/Ubuntu Linux "shadow" package is exposed to a local security bypass issue. Specifically, the "chfn" and "chsh" utilities of this package fail to properly sanitize user-supplied input.
• Ref: http://www.securityfocus.com/bid/46426

• 11.9.5 - CVE: CVE-2011-0532,CVE-2011-0022,CVE-2011-0019
• Platform: Linux
• Title: Red Hat Directory Server Multiple Security Vulnerabilities
• Description: Red Hat Directory Server is an LDAPv3-compliant authentication solution. Directory Server is exposed to multiple security issues. Directory Server versions 8 EL4 and 8 EL5 are affected.
• Ref: http://rhn.redhat.com/errata/RHSA-2011-0293.html

• 11.9.6 - CVE: Not Available
• Platform: Cross Platform
• Title: Wireshark Visual C++ Analyzer Buffer Overflow
• Description: Wireshark (formerly Ethereal) is an application for analyzing network traffic; it is available for Microsoft Windows and for UNIX-like operating systems. Wireshark is exposed to a buffer overflow issue that affects the "dct3 trace" functionality when using Visual C++ analyzer to analyze network traffic.
• Ref: http://anonsvn.wireshark.org/viewvc?view=rev&revision=35953

• 11.9.7 - CVE: Not Available
• Platform: Cross Platform
• Title: Oracle Database "exp.exe" Parameter File Remote Buffer Overflow
• Description: Oracle Database is exposed to a remote stack-based buffer overflow issue because it fails to perform adequate checks on user-supplied input. Specifically, this issue occurs in the Export Utility ("exp.exe") when processing a very long value provided to the "FILE" parameter in a specially crafted parameter file.
• Ref: http://www.stratsec.net/Research/Advisories/Oracle-Export-Utility-Buffer-Overflo
  w-%28SS-2010-009

• 11.9.8 - CVE: CVE-2011-0364
• Platform: Cross Platform
• Title: Cisco Security Agent Remote Code Execution
• Description: Cisco Security Agent is a software agent used to protect server and desktop computers. Cisco Security Agent is exposed to a remote code execution issue that occurs when sending certain packets to the web management interface, which by default listens on TCP port 443.
• Ref: http://www.cisco.com/warp/public/707/cisco-sa-20110216-csa.shtml

• 11.9.9 - CVE: CVE-2011-0420
• Platform: Cross Platform
• Title: PHP "grapheme_extract()" NULL Pointer Dereference Denial of Service
• Description: PHP is an open-source scripting language used for web development. The application is exposed to a denial of service issue caused by a NULL pointer dereference error. Specifically, the issue occurs in the "grapheme_extract()" function of the "ext/intl/grapheme/grapheme_string.c" source file. PHP version 5.3.5 is affected.
• Ref: http://securityreason.com/achievement_securityalert/94

• 11.9.10 - CVE: Not Available
• Platform: Cross Platform
• Title: IBM FileNet Products Content Engine Security Bypass
• Description: IBM FileNet Business Process Manager (BPM) manages workflows among people and systems for content and case-based processes. IBM FileNet Content Manager and Business Process Manager are exposed to a security bypass issue that affects the content engine. This issue occurs because the applications fail to handle actions that require "PRIVILEGED_WRITE" access.
• Ref: http://www-01.ibm.com/support/docview.wss?uid=swg21462438

• 11.9.11 - CVE: Not Available
• Platform: Cross Platform
• Title: Apple iOS "keychain" Local Information Disclosure
• Description: Apple iOS is an operating platform for iPhone, iPod touch, and iPad. Apple iOS is exposed to a local information disclosure issue. The problem occurs because data stored in the keychain can be decrypted with information stored on the device. Devices using iOS 4.2.1 and earlier are affected.
• Ref: http://www.sit.fraunhofer.de/en/Images/sc_iPhone%20Passwords_tcm502-80443.pdf

• 11.9.12 - CVE: CVE-2011-0706
• Platform: Cross Platform
• Title: OpenJDK "IcedTea" Multiple Signers Privilege Escalation
• Description: OpenJDK (Open Java Development Kit) is an open source implementation of the Java programming language for multiple operating systems. OpenJDK "IcedTea" plugin is exposed to a privilege escalation issue due to a "multiple signer" issue that occurs when viewing specially crafted Java applets.
• Ref: http://www.securityfocus.com/bid/46439

• 11.9.13 - CVE: CVE-2011-0330,CVE-2011-0329
• Platform: Cross Platform
• Title: Dell DellSystemLite.Scanner ActiveX Control Multiple Vulnerabilities
• Description: The DellSystemLite.Scanner ActiveX control is used to scan computers in order to locate appropriate drivers and programs for the product. The application is exposed to multiple input validation issues. DellSystemLite.ocx version 1.0.0.0 is affected.
• Ref: http://secunia.com/secunia_research/2011-11/

• 11.9.14 - CVE: CVE-2011-0752
• Platform: Cross Platform
• Title: PHP "EXTR_OVERWRITE" Parameter Security Bypass Issue
• Description: PHP is a general-purpose scripting language that is especially suited for web development and can be embedded into HTML. PHP is exposed to a security bypass issue because the application allows users to use the "EXT_OVERWRITE" parameter to overwrite the "GLOBAL" super global array and the "this" parameter. Versions of PHP 5.2 (prior to 5.2.15) are affected.
• Ref: http://www.openwall.com/lists/oss-security/2010/12/13/4

• 11.9.15 - CVE: CVE-2008-7274
• Platform: Cross Platform
• Title: IBM WebSphere Application Server Login Module Security Bypass
• Description: The IBM WebSphere Application Server (WAS) is an application server used for service-oriented architecture. IBM WebSphere Application Server is exposed to a security bypass issue that affects JAAS login functionality. WebSphere Application Server version 6.1.0.9 is affected.
• Ref: http://www-01.ibm.com/support/docview.wss?uid=swg1PK54565

• 11.9.16 - CVE: CVE-2010-4506
• Platform: Cross Platform
• Title: Oracle Passlogix v-GO Self-Service Password Reset Unauthorized Access
• Description: Oracle Passlogix is a password management application. Oracle Passlogix v-GO Self-Service Password Reset is exposed to an issue that allows unauthorized access. During the password reset process of the login screen, if an invalid SSL certificate is encountered, the resulting error page will grant the attacker access to the underlying file system. Oracle Passlogix v-GO Self-Service Password Reset versions prior to 7.0A are affected.
• Ref: https://www.trustwave.com/spiderlabs/advisories/TWSL2010-007.txt

• 11.9.17 - CVE: CVE-2011-1042
• Platform: Cross Platform
• Title: Google Chrome OS "flimflam" Use-After-Free Denial of Service
• Description: Chrome OS is a Linux-based operating system from Google. Google Chrome OS is exposed to a denial of service issue due to a use-after-free error that occurs in the "flimflam" module. The problem occurs when processing the name of a non-responsive hidden wireless network. Google Chrome OS versions prior to 0.9.130.14 Beta are affected.
• Ref: http://code.google.com/p/chromium-os/issues/detail?id=8871

• 11.9.18 - CVE: CVE-2011-0414
• Platform: Cross Platform
• Title: ISC BIND 9 IXFR Transfer/DDNS Update Remote Denial of Service
• Description: ISC BIND (Berkley Internet Domain Name) is an implementation of DNS protocols. ISC BIND is exposed to a remote denial of service issue. Specifically, a deadlock may occur if a server receives a query when processing an IXFR transfer or a dynamic DNS update. BIND versions 9.7.1 and 9.7.2 are affected.
• Ref: http://www.kb.cert.org/vuls/id/559980

• 11.9.19 - CVE: Not Available
• Platform: Web Application
• Title: IBM FileNet Content Manager Rendition Engine Unspecified Security Bypass
• Description: IBM FileNet Content Manager is a web-based content manager for the FileNet P8 platform. IBM FileNet Content Manager is exposed to an unspecified security bypass issue that affects the "Rendition Engine".
• Ref: http://www-01.ibm.com/support/docview.wss?uid=swg21462440

• 11.9.20 - CVE: Not Available
• Platform: Web Application
• Title: WordPress User Photo "user-photo.php" Arbitrary File Upload
• Description: WordPress User Photo is a plugin for WordPress. The application is exposed to an issue that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately determine the MIME type of an image file uploaded through the "wp-content/uploads/userphoto/user-photo.php" script. WordPress User Photo versions 0.9.4 and earlier are affected.
• Ref: http://wordpress.org/extend/plugins/user-photo/

• 11.9.21 - CVE: CVE-2011-0537
• Platform: Web Application
• Title: MediaWiki Multiple Local File Include Vulnerabilities
• Description: MediaWiki is a PHP-based wiki application. MediaWiki is exposed to multiple local file include issues because the application fails to sufficiently sanitize user-supplied input to the "languages/Language.php" and "includes/StubObject.php" scripts.
• Ref: http://lists.wikimedia.org/pipermail/mediawiki-announce/2011-February/000095.htm
  l

• 11.9.22 - CVE: Not Available
• Platform: Web Application
• Title: MySQL Eventum "full_name" Field HTML Injection
• Description: MySQL Eventum is a web-based content manager. The application is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input. Specifically, this issue affects the "full_name" field. MySQL Eventum version 2.3.1 is affected.
• Ref: http://www.securityfocus.com/bid/46456

• 11.9.23 - CVE: Not Available
• Platform: Web Application
• Title: Ruby "FileUtils.remove_entry_secure()" Method Race Condition
• Description: Ruby is exposed to a race condition issue that occurs in the "FileUtils.remove_entry_secure()" method and can be exploited to delete arbitrary directories and files via symlink attacks.
• Ref: http://www.ruby-lang.org/en/news/2011/02/18/fileutils-is-vulnerable-to-symlink-r
  ace-attacks/

• 11.9.24 - CVE: Not Available
• Platform: Web Application
• Title: WordPress cdnvote "cdnvote-post.php" Multiple SQL Injection Vulnerabilities
• Description: WordPress is a web-based blogging application. The application is exposed to multiple SQL injection issues because it fails to properly sanitize input in the "dnvote_post_id" and the "cdnvote_point" parameters of the "cdnvote-post.php" script. cdnvote version 0.4.1 is affected.
• Ref: http://www.securityfocus.com/archive/1/516587

(c) 2011. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge by the SANS Institute to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization. For a free subscription or to update a current subscription, visit http://portal.sans.org/