Last day to save $500 for SANS San Diego 2013

@RISK: The Consensus Security Vulnerability Alert

Volume: XI, Issue: 1
January 5, 2012

SANS Newsletters Home

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    • Category
    • # of Updates & Vulnerabilities
    • Summary of Updates and Vulnerabilities in this Consensus
    • Platform Number of Updates and Vulnerabilities
    • - ------------------------ -------------------------------------
    • Other Microsoft Products
    • 1 (#1)
    • Third Party Windows Apps
    • 1
    • Linux
    • 1
    • Cross Platform
    • 4
    • Web Application - Cross Site Scripting
    • 3
    • Web Application - SQL Injection
    • 5
    • Web Application
    • 8
    • Network Device
    • 1
    • Hardware
    • 2

**************************** Sponsored By SANS **************************

What devices are accessing what resources and by whom?

Take the SANS first annual mobility survey and be entered to win a $250 American Express Card Giveaway when results are announced in late March at SANS 2012!

http://www.sans.org/info/96264 ************************************************************************** TRAINING UPDATE - --SANS Security East 2012, New Orleans, LA January 17-26, 2012 11 courses. Bonus evening presentations include Advanced VoIP Pen Testing: Current Threats and Methods; and Helping Small Businesses with Security. http://www.sans.org/security-east-2012/ - --SANS North American SCADA 2012, Lake Buena Vista, FL January 21-29, 2012 Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them. Hear what works and what doesn't from peer organizations. Network with top individuals in the field of SCADA security. Return from the summit with solutions that you can immediately put to use in your organization. Pre-Summit courses: January 21-25, 2012 Summit: January 26-27, 2012 Post-Summit Courses: January 28-29, 2012 http://www.sans.org/north-american-scada-2012/ - --SANS Monterey 2012, Monterey, CA January 30-February 4, 2012 6 courses. Bonus evening presentations include Who Do You Trust? SSL and TLS Under Attack; and IOS Programming Demo. http://www.sans.org/monterey-2012/ - --SANS Phoenix 2012, Phoenix, AZ February 13-18, 2012 7 courses. Bonus evening presentations include Desktop Betrayal: Exploiting Clients Through the Features They Demand; and Windows Exploratory Surgery with Process Hacker. http://www.sans.org/phoenix-2012/ - --SANS Secure Singapore 2012, Singapore, Singapore March 5-17, 2012 5 courses. Bonus evening presentations include Introduction to Windows Memory Analysis; and Why Our Defenses are Failing Us: One Click is All It Takes ... http://www.sans.org/singapore-2012/ - --SANS 2012, Orlando, FL March 23-39, 2012 42 courses. Bonus evening presentations include Exploiting Vulnerabilities: 60 Minutes from Discovery to Exploit; Evolving Threats; and Harbinger of Evil: The Forensic Art of Finding Malware. http://www.sans.org/sans-2012/ - --Looking for training in your own community? http: sans.org/community/ Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/discounts.php#current Plus Atlanta, Bangalore, Stuttgart, and Nashville, all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php ************************************************************************

Table Of Contents
Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)
    Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys
    Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
    Other Microsoft Products
    Third Party Windows Apps
    Linux
    Cross Platform
    Web Application - Cross Site Scripting
    Web Application - SQL Injection
    Web Application
    Network Device
    Hardware

    **************************** Sponsored Link: ***************************

    1) Take the SANS 8th Annual Log and Event Management Survey.

    Be a part of this industry leading survey and be entered to WIN a $250 American Express Card. http://www.sans.org/info/96269 ************************************************************************

    PART I Critical Vulnerabilities

    PART I Critical Vulnerabilities Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/risk/#process

    *************************************************************

    Widely Deployed Software
    • (1) MEDIUM: ASP.NET Authentication Bypass
    • Affected:
      • Microsoft .NET Framework 1.1 Service Pack 1
      • Microsoft .NET Framework 2.0 Service Pack 2
      • Microsoft .NET Framework 3.5 Service Pack 1
      • Microsoft .NET Framework 4

    • Description: Microsoft has released patches for multiple security vulnerabilities affecting its ASP.NET web application framework. ASP.NET has built-in code for authenticating users to web applications, and the updates address vulnerabilities in that code. By sending a malicious request to a vulnerable ASP.NET server, an attacker can exploit one of these security vulnerabilities in order to gain access to a user account whose name the attacker already knew. And by enticing a target to click a malicious link, an attacker could again gain access to the target's user account. After gaining access to a user account, the attacker could execute arbitrary commands on the site with the permissions of that user account.

    • Status: vendor confirmed, updates available

    • References:
    Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
    Week 1, 2012

    Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com) This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 12975 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely. ______________________________________________________________________

    • 12.2.1 - CVE: CVE-2011-3414,CVE-2011-3415,CVE-2011-3416,CVE-2011-3417
    • Platform: Other Microsoft Products
    • Title: Microsoft ASP.NET Multiple vulnerabilities
    • Description: ASP.NET is a Web application framework developed and marketed by Microsoft. The application is exposed to multiple security issues. See reference for further details. Microsoft .NET Framework 1.1 Service Pack 1, Microsoft .NET Framework 2.0 Service Pack 2, Microsoft .NET Framework 3.5 Service Pack 1, Microsoft .NET Framework 3.5.1 and Microsoft .NET Framework 4 on all supported editions of Microsoft Windows are affected.
    • Ref: http://technet.microsoft.com/en-us/security/bulletin/ms11-100
    • 12.2.2 - CVE: Not Available
    • Platform: Third Party Windows Apps
    • Title: IBM Web Experience Factory Smart Refresh HTML Injection
    • Description: IBM Web Experience Factory is a software lifecycle management application. The application is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input. This issue affects the "Smart Refresh" component. IBM Web Experience Factory 7.0 and 7.0.1 are affected.
    • Ref: http://www-01.ibm.com/support/docview.wss?uid=swg21575083
    • 12.2.3 - CVE: Not Available
    • Platform: Linux
    • Title: lio-utils Debug Mode Insecure Temporary File Creation
    • Description: lio-utils is a low-level configuration tool set. The application is exposed to an insecure temporary file creation issue. This issue is caused by a logic error in the "etc/init.d/target" script, which allows the application to fall unexpectedly into debug mode. The application later creates the "/tmp/tgetctl-dbug" file in an insecure manner while running in debug mode. lio-utils 4.1 is vulnerable; other versions may also be affected.
    • Ref: http://www.securityfocus.com/bid/51242/references
    • 12.2.4 - CVE: Not Available
    • Platform: Cross Platform
    • Title: VLC Media Player TiVo Demuxer Remote Heap-Based Buffer Overflow
    • Description: VLC is a cross-platform media player. VLC media player is exposed to a heap-based buffer overflow issue that affects the TiVo demuxer. This issue occurs when handling a specially crafted header of the TiVo (".TY") files. VLC media player versions 0.9.0 through 1.1.12 are vulnerable; other versions may also be affected.
    • Ref: http://www.videolan.org/security/sa1108.html
    • 12.2.5 - CVE: Not Available
    • Platform: Cross Platform
    • Title: Java Hash Collision Denial of Service
    • Description: Java is a programming language. The application is exposed to a denial of service issue due to an error during hashing form posts and updating a hash table. Specially crafted forms in HTTP POST requests can trigger hash collisions resulting in high CPU consumption. Java 7 and prior are affected.
    • Ref: http://www.ocert.org/advisories/ocert-2011-003.html http://www.securityfocus.com/bid/51236/references
    • 12.2.6 - CVE: Not Available
    • Platform: Cross Platform
    • Title: Python Hash Collision Denial of Service
    • Description: Python is a programming language available for multiple platforms. The application is exposed to a denial of service issue due to an error during hashing form posts and updating a hash table. Specially crafted forms in HTTP POST requests can trigger hash collisions resulting in high CPU consumption. All versions of Python are affected.
    • Ref: http://www.securityfocus.com/bid/51239/references
    • 12.2.8 - CVE: Not Available
    • Platform: Web Application - Cross Site Scripting
    • Title: Siena CMS "err" Parameter Cross-Site Scripting
    • Description: Siena CMS is a PHP-based content management system. PHP-SCMS is exposed to a cross-site-scripting issue because it fails to properly sanitize user-supplied input submitted to the "err" parameter of the "index.php" script. Siena CMS 1.242 is vulnerable; other versions may also be affected.
    • Ref: http://www.securityfocus.com/bid/51218/discuss
    • 12.2.9 - CVE: CVE-2011-4780
    • Platform: Web Application - Cross Site Scripting
    • Title: PhpMyAdmin Multiple Cross-Site Scripting Vulnerabilities
    • Description: PhpMyAdmin is a web-based administration interface for MySQL databases. The application is exposed to multiple cross-site scripting issues because it fails to properly sanitize user-supplied input submitted to the "libraries/display_export.lib.php" script. Specifically, these issues affect the export panels in the server, database and table sections. phpMyAdmin versions prior to 3.4.x are affected.
    • Ref: http://www.phpmyadmin.net/home_page/security/PMASA-2011-20.php
    • 12.2.10 - CVE: Not Available
    • Platform: Web Application - Cross Site Scripting
    • Title: BigACE Multiple Cross-Site Scripting Vulnerabilities
    • Description: BigACE is a PHP-based content manager. The application is exposed to multiple cross-site scripting issues because it fails to sufficiently sanitize user-supplied input submitted to multiple scripts and parameters. BigACE 2.7.5 is vulnerable; other versions may also be affected.
    • Ref: http://www.securityfocus.com/archive/1/521088
    • 12.2.11 - CVE: Not Available
    • Platform: Web Application - SQL Injection
    • Title: WSN Links "report.php" SQL Injection
    • Description: WSN Links is a web-based directory application implemented in PHP. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied input submitted to the "id" parameter of the "report.php" script. All versions of WSN Links are affected.
    • Ref: http://www.securityfocus.com/bid/51222/discuss
    • 12.2.12 - CVE: Not Available
    • Platform: Web Application - SQL Injection
    • Title: Plogger "id" Parameter SQL Injection
    • Description: Plogger is a web-based photo gallery application implemented in PHP. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data submitted to the "id" parameter. Plogger 1.0 Rc1 is affected.
    • Ref: http://www.securityfocus.com/bid/51228/discuss
    • 12.2.14 - CVE: Not Available
    • Platform: Web Application - SQL Injection
    • Title: DedeCMS Multiple SQL Injection Vulnerabilities
    • Description: DedeCMS is a PHP-based content manager. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data submitted to the following scripts and parameters: "list.php": "id", "members.php": "id" and "book.php": "id". DeDeCMS 5.1, 5.3, 5.5 and 5.6 are affected.
    • Ref: http://www.securityfocus.com/bid/51211/discuss
    • 12.2.15 - CVE: Not Available
    • Platform: Web Application - SQL Injection
    • Title: Akiva WebBoard "name" Parameter SQL Injection
    • Description: Akiva WebBoard is a PHP-based bulletin board application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data submitted to the "name" parameter of the "WB/Default.asp" script. Versions prior to Akiva WebBoard 8 SR 1 are affected.
    • Ref: http://www.securityfocus.com/bid/51210/references
    • 12.2.16 - CVE: Not Available
    • Platform: Web Application
    • Title: RapidLeech "notes" Parameter HTML Injection
    • Description: RapidLeech is a PHP-based server transfer script. The application is exposed to an HTML injection issue because it fails to sufficiently sanitize user-supplied data to the "notes" parameter of the "notes.php" script. RapidLeech 2.3 is vulnerable and other versions may also be affected.
    • Ref: http://www.securityfocus.com/bid/51230/discuss
    • 12.2.18 - CVE: Not Available
    • Platform: Web Application
    • Title: Joomla! Simple File Upload Arbitrary File Upload
    • Description: Joomla is a PHP-based content management system. Simple File Upload is an extension for Joomla. The application is exposed to an arbitrary file upload issue because it fails to properly sanitize user-supplied input. Specifically, it fails to adequately validate files with ".php5" extension before uploading them onto the web server. Simple File Upload 1.3 is vulnerable and other versions may also be affected.
    • Ref: http://wasen.net/index.php?option=com_content&view=article&id=64&Ite
      mid=59
    • 12.2.19 - CVE: Not Available
    • Platform: Web Application
    • Title: Mavili Guestbook Multiple Security Vulnerabilities
    • Description: Mavili Guestbook is a web-based application implemented in ASP. Mavili Guestbook is exposed to multiple security vulnerabilities. An SQL injection issue affects the "id" parameter of the "/edit.asp" script. Multiple cross-site scripting issues occur and a security bypass issue exists. Mavili Guestbook 200711 is affected.
    • Ref: http://www.securityfocus.com/archive/1/521090
    • 12.2.20 - CVE: Not Available
    • Platform: Web Application
    • Title: E107 Multiple Vulnerabilities
    • Description: E107 is a PHP-based Web application. The application is exposed to multiple issues. A cross-site scripting issue affects the "resend_name" parameter of the "e107_admin/users.php" script. Multiple cross-site scripting issues affect the "e107_images/thumb.php" and "rate.php" scripts. An HTML injection issue affects the "link" BBCode in user signatures. An SQL injection issue affects the "username" parameter of the "usersettings.php" script. E107 0.7.26 is vulnerable and other versions may be affected.
    • Ref: http://secunia.com/advisories/46706/ http://permalink.gmane.org/gmane.comp.security.oss.general/6571
    • 12.2.21 - CVE: CVE-2011-3657,CVE-2011-3667
    • Platform: Web Application
    • Title: Bugzilla Cross Site Scripting and Security Bypass Vulnerabilities
    • Description: Bugzilla is a web-based bug tracking application. The application is exposed to multiple issues. A cross-site scripting issue occurs in the "chart.cgi" and "report.cgi" scripts. A security-bypass issue occurs because the "User.offer_account_by_email()" method fails to check the "user_can_create_account" setting of the authentication method in accounts creation. Bugzilla 2.17.1 to 3.4.12, 3.5.1 to 3.6.6, 3.7.1 to 4.0.2 and 4.1.1 to 4.1.3 are affected.
    • Ref: http://www.bugzilla.org/security/3.4.12/ http://www.securityfocus.com/bid/51213/references
    • 12.2.23 - CVE: Not Available
    • Platform: Web Application
    • Title: Vtiger CRM "graph.php" Script Authentication Bypass
    • Description: Vtiger CRM is a PHP-based customer relationship management application. The application is exposed to an authentication bypass issue because it fails to check credentials in database backup requests through the "graph.php" script. Vtiger CRM 5.2.x and 5.1.x are affected.
    • Ref: http://francoisharvey.ca/2011/12/advisory-meds-2011-01-vtigercrm-anonymous-acces
      s-to-setting-module/
    • 12.2.24 - CVE: Not Available
    • Platform: Network Device
    • Title: WiFi Protected Setup PIN Brute Force Authentication Bypass
    • Description: WiFi Protected Setup is a computing standard created by the WiFi Alliance to ease the setup and securing of a wireless home network. WiFi Protected Setup is exposed to an authentication bypass issue because it fails to provide a lock out policy for brute force attempts. Specifically, the "external registrar" method requires just the router's PIN in authentication. Attackers can determine whether the PIN is correct through the "EAP-NACK" message, which is sent when the PIN authentication fails. wireless routers that support WPS are affected.
    • Ref: http://www.kb.cert.org/vuls/id/723755 http://www.securityfocus.com/bid/51187/references
    • 12.2.25 - CVE: Not Available
    • Platform: Hardware
    • Title: Multiple Digital Satellite TV Platforms Multiple Unspecified Vulnerabilities
    • Description: Multiple Digital Satellite TV Platforms are exposed to multiple unspecified issues. In total, 24 unspecified security issues have been reported in various Satellite TV products. The most serious issue will allow attackers to completely compromise the affected application. Limited information is currently available regarding these issues. Devices from Onet.pl S.A, Advanced Digital Broadcast, STMicroelectronics, ITI Neovision, Conax AS and DreamLab Onet.pl S are affected.
    • Ref: http://www.securityfocus.com/bid/51251/discuss http://www.security-explorations.com/en/SE-2011-01.html
    • 12.2.26 - CVE: CVE-2012-0261,CVE-2012-0262,CVE-2012-0263,CVE-2012-0264
    • Platform: Hardware
    • Title: Op5 Appliance Multiple Unspecified Remote Command Execution Vulnerabilities
    • Description: Op5 Monitor and op5 Appliance are network monitoring servers. The servers are exposed to multiple remote command execution issues and a credentials leaking issue because it fails to properly validate user-supplied input. op5 Monitor 5.5.x and op5 Appliance are affected.
    • Ref: http://www.op5.com/news/support-news/fixed-vulnerabilities-op5-monitor-op5-appli
      ance/

    (c) 2012. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

    Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account

    SANS gives real world examples of tools and how to use them.
    -Nichole Kennedy, OKDOC

    Security 760

    Latest Whitepapers

    Building and Maintaining a "Certifiable" Workforce
    By Robert J. Mavretich

    How Can You Build and Leverage SNORT IDS Metrics to Reduce Risk?
    By Tim Proffitt

    Daisy Chain Authentication
    By Courtney Imbert

    Latest Tweets

    NEW #SANS Survey: Security Analytics & Intelligence 2nd [...]
    October 1, 2013 - 6:30 PM

    Tips on how to convince your boss to let you train online wi [...]
    October 1, 2013 - 6:23 PM

    #2 Tip on how 2 convince your boss 2 let u train online: Fle [...]
    October 1, 2013 - 3:00 PM

    Contact Us

    (301) 654-SANS (7267)
    Mon-Fri 9am - 8pm EST/EDT
    info@sans.org

    "It has really been an eye opener concerning the depth of security training & awareness that SANS has to offer."
    - Michael Hall, Drivesavers

    "It was a great learning experience that helped open my eyes wider. The instructor's knowledge was fantastic."
    - Manuja Wikesekera, Melbourne Cricket Club

    "SANS is far more in-depth than other training I have attended."
    - Frank Rajnai, Sears Canada Inc