
@RISK: The Consensus Security Vulnerability Alert

Volume: XI, Issue: 10
March 8, 2012

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Summary of Updates and Vulnerabilities in this Consensus

    Platform                                  Number of Updates and Vulnerabilities
    ----------------------------------------  -------------------------------------
    Third Party Windows Apps                  7
    Linux                                     1
    Cross Platform                            7 (#1, #2)
    Web Application - Cross Site Scripting    1
    Web Application - SQL Injection           1
    Web Application                           5
    Network Device                            1
    Hardware                                  1

********************** Sponsored By F5 Networks, Inc. *******************

WHITE PAPER: PROTECTING FEDERAL SYSTEMS FROM ADVANCED PERSISTENT THREATS

In today's multilayered attacks against government systems, one of the key entry points is through web applications. This SANS Institute paper discusses how to set policies to develop secure applications and protect against known and unknown threats throughout the application's lifetime.

http://www.sans.org/info/101114

**************************************************************************

TRAINING UPDATE

--SANS Mobile Device Security Summit: The Growing and Constantly Changing Challenge, Nashville, TN
  Summit: March 12-13, 2012; Post-Summit Courses: March 14-15, 2012
  Mobile device security experts and practitioners from organizations that have implemented successful programs will discuss the most promising approaches to this new and evolving challenge.
  http://www.sans.org/mobile-device-security-summit-2012/

--SANS 2012, Orlando, FL  March 23-29, 2012
  40 courses. Bonus evening presentations include Exploiting Vulnerabilities: 60 Minutes from Discovery to Exploit; Evolving Threats; and Harbinger of Evil: The Forensic Art of Finding Malware.
  http://www.sans.org/sans-2012/

--SANS Northern Virginia 2012, Reston, VA  April 15-20, 2012
  7 courses. Bonus evening presentations include Linux Forensics for Non-Linux Folks; and Who Do You Trust? SSL and TLS Under Attack.
  http://www.sans.org/northern-virginia-2012/

--SANS Cyber Guardian 2012, Baltimore, MD  April 30-May 7, 2012
  11 courses. Bonus evening presentations include Ninja Assessments: Stealth Security Testing for Organizations; and Adjusting Our Defenses for 2012.
  http://www.sans.org/cyber-guardian-2012/

--SANS AppSec 2012, Las Vegas, NV  April 24-May 1, 2012
  Listen to two of the best minds in Application Security, Jeremiah Grossman and Chenxi Wang, at the AppSec Summit. Maximize your training by also attending one or more of the 4 pre-summit courses.
  http://www.sans.org/appsec-2012/

--SANS Secure Europe 2012, Amsterdam, Netherlands  May 7-19, 2012
  12 courses.
  http://www.sans.org/secure-amsterdam-2012/

--SANS Security West 2012, San Diego, CA  May 10-18, 2012
  24 courses. Bonus evening presentations include Metametrics - A New Approach to Information Security Management Metrics; and Malware Analysis Essentials Using REMnux.
  http://www.sans.org/security-west-2012/

--SANS Rocky Mountain 2012, Denver, CO  June 4-9, 2012
  10 courses. Bonus evening presentations include Adjusting Our Defenses for 2012; and Why Do Organizations Get Compromised?
  http://www.sans.org/rocky-mountain-2012/

--Looking for training in your own community? http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/discounts.php#current

Plus Abu Dhabi, Toronto, Brisbane, and Bangalore all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

**************************************************************************

Table Of Contents
Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)
    Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
    Third Party Windows Apps
    Linux
    Cross Platform
    Web Application - Cross Site Scripting
    Web Application - SQL Injection
    Web Application
    Network Device
    Hardware

    **************************** Sponsored Links: ****************************

    1) Webinar: Experts from Google, Identropy, Ping Identity and UnboundID discuss 2012 Top Security Threats. http://www.sans.org/info/101119

    2) Oracle Entitlements Server Review Featuring: Tanya Baccam and Roger Wigenstam http://www.sans.org/info/101124

    **************************************************************************

    PART I Critical Vulnerabilities

    Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/risk/#process

    *************************************************************

    Widely Deployed Software
    • (1) HIGH: Adobe Flash Player Multiple Vulnerabilities
    • Affected: Adobe Flash Player for Windows, Macintosh, Linux and Solaris 11.1.102.62 and prior
    • Description: Adobe has released patches for multiple vulnerabilities affecting its flash player. The problems include unspecified memory corruption and integer handling errors. By enticing a target to view a malicious page, an attacker can exploit these vulnerabilities in order to execute arbitrary code on the target's machine.

    • Status: vendor confirmed, updates available

    • References:
    Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
    Week 10, 2012

    This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 13467 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.
    ______________________________________________________________________

    • 12.10.2 - CVE: CVE-2011-4189
    • Platform: Third Party Windows Apps
    • Title: Novell Groupwise Client Address Book Parsing Remote Code Execution
    • Description: Novell GroupWise Client allows users to access Novell services from remote computers. Novell GroupWise Client is exposed to a remote code execution issue. Specifically, the issue is triggered when a specially crafted Novell Address Book (*.NAB) file with an overly long email address is processed. Novell GroupWise 8.0x through 8.02HP3 are affected.
    • Ref: http://www.novell.com/support/viewContent.do?externalId=7010205 http://www.securityfocus.com/bid/52233/discuss

    • 12.10.6 - CVE: Not Available
    • Platform: Third Party Windows Apps
    • Title: TwinCAT Scope Heap Based Buffer Overflow
    • Description: TwinCAT Scope is software for monitoring and controlling SCADA automation equipment and process products. The application is exposed to a heap-based buffer overflow issue because it fails to properly validate user supplied input. Specifically, the issue occurs in "TCatScopeView.exe" when processing a specially crafted "SVW" file. TwinCAT Scope 2.9.0.226 is vulnerable and other versions may also be affected.
    • Ref: http://www.securityfocus.com/bid/52294/discuss

    • 12.10.7 - CVE: Not Available
    • Platform: Third Party Windows Apps
    • Title: XArrow Multiple Remote Denial of Service Vulnerabilities
    • Description: XArrow is a SCADA/HMI product. XArrow is exposed to the following remote denial of service issues. 1) A NULL pointer dereference issue. 2) A heap-based memory corruption issue. 3) An invalid read access issue and a memory corruption issue. XArrow 3.2 and prior versions are affected.
    • Ref: http://aluigi.org/adv/xarrow_1-adv.txt http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-12-065-01.pdf

    • 12.10.10 - CVE: Not Available
    • Platform: Cross Platform
    • Title: Parallels Plesk Panel Unspecified Remote Security Vulnerability
    • Description: Parallels Plesk Panel is a website creation and management application. Parallels Plesk Panel is exposed to an unspecified remote security issue that allows attackers to gain unauthorized administrative access to the application. Parallels Plesk Panel versions 7.6.1 through 10.3.1 are affected.
    • Ref: http://kb.parallels.com/en/113321 http://www.securityfocus.com/bid/52267/discuss

    • 12.10.11 - CVE: CVE-2011-3044,CVE-2011-3043,CVE-2011-3042,CVE-2011-3041,CVE-2011-3040,CVE-2011-3039,CVE-2011-3038,CVE-2011-3037,CVE-2011-3036,CVE-2011-3035,CVE-2011-3034,CVE-2011-3033,CVE-2011-3032,CVE-2011-3031
    • Platform: Cross Platform
    • Title: Google Chrome Multiple Security Vulnerabilities
    • Description: Google Chrome is a web browser for multiple platforms. Google Chrome is exposed to multiple security issues. See reference for further details. Google Chrome versions prior to 17.0.963.65 are affected.
    • Ref: http://googlechromereleases.blogspot.in/2012/03/chrome-stable-update.html http://www.securityfocus.com/bid/52271/discuss

    • 12.10.13 - CVE: CVE-2012-0769,CVE-2012-0768
    • Platform: Cross Platform
    • Title: Adobe Flash Player Multiple Vulnerabilities
    • Description: Adobe Flash Player is a multimedia application for multiple platforms. Adobe Flash Player is exposed to a memory corruption issue and an information disclosure issue. Adobe Flash Player 11.1.102.62 and earlier versions are affected.
    • Ref: https://www.adobe.com/support/security/bulletins/apsb12-05.html

    • 12.10.14 - CVE: CVE-2012-0397
    • Platform: Cross Platform
    • Title: RSA SecurID Software Token Converter Buffer Overflow
    • Description: RSA SecurID Software Token Converter is a command line utility that converts a software token file (SDTID file) from XML format to a Compressed Token Format. RSA SecurID Software Token Converter is exposed to a buffer overflow issue because it fails to perform adequate boundary checks on user supplied data. All versions of RSA SecurID Software Token Converter are affected.
    • Ref: http://www.securityfocus.com/archive/1/521885

    • 12.10.15 - CVE: CVE-2012-1144,CVE-2012-1143,CVE-2012-1142,CVE-2012-1141,CVE-2012-1140,CVE-2012-1139,CVE-2012-1138,CVE-2012-1137,CVE-2012-1136,CVE-2012-1135,CVE-2012-1134,CVE-2012-1133,CVE-2012-1132,CVE-2012-1131,CVE-2012-1130,CVE-2012-1129,CVE-2012-1128,CVE-2012-1127
    • Platform: Cross Platform
    • Title: FreeType Multiple Remote Vulnerabilities
    • Description: FreeType is an open source font handling library. FreeType is exposed to multiple security issues. See reference for further details. FreeType versions prior to 2.4.9 are affected.
    • Ref: http://www.securityfocus.com/bid/52318/references

    • 12.10.16 - CVE: Not Available
    • Platform: Web Application - Cross Site Scripting
    • Title: ZB BLOCK Multiple Cross-Site Scripting Vulnerabilities
    • Description: ZB BLOCK is a web-based application implemented in PHP. The application is exposed to multiple cross-site scripting issues. These issues occur because the application allows attackers to perform certain actions without validating the request. Specifically, attackers can supply data through the "HTTP_REFERER" and "HTTP_USER_AGENT" headers of the "zbblock/hackme.php" script. ZB BLOCK 0.4.9 Final is vulnerable and other versions may be affected.
    • Ref: http://www.securityfocus.com/bid/52305/discuss

    • 12.10.17 - CVE: Not Available
    • Platform: Web Application - SQL Injection
    • Title: OpenX "sessionID" SQL Injection
    • Description: OpenX is a web-based ad server implemented in PHP. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user supplied data submitted to the "sessionID" cookie parameter in the administrative interface before using it in an SQL query. OpenX 2.8.1 through 2.8.7 are affected.
    • Ref: http://blog.openx.org/12/security-matters-3/ http://www.securityfocus.com/bid/52308/discuss

    • 12.10.18 - CVE: Not Available
    • Platform: Web Application
    • Title: LDAP Account Manager Pro Cross Site Scripting and HTML Injection Vulnerabilities
    • Description: LDAP Account Manager Pro is a web frontend for managing accounts stored in an LDAP directory. The application is exposed to the following vulnerabilities because it fails to properly sanitize user supplied input. 1) An HTML injection issue affects certain input submitted to the application. 2) A cross site scripting issue affects the "attr" parameter of the "templates/3rdParty/pla/htdocs/cmd.php" script. LDAP Account Manager Pro 3.6 is vulnerable and other versions may also be affected.
    • Ref: http://www.vulnerability-lab.com/get_content.php?id=458 http://www.securityfocus.com/bid/52255/discuss

    • 12.10.23 - CVE: CVE-2012-0371
    • Platform: Network Device
    • Title: Cisco Wireless LAN Controller Multiple Vulnerabilities
    • Description: Cisco Wireless LAN Controller is used to control various wireless LAN functions. Cisco Wireless LAN Controller is exposed to multiple security issues. See reference for further details. Cisco 2000 Series WLC, Cisco 2100 Series WLC, Cisco 2500 Series WLC, Cisco 4100 Series WLC, Cisco 4400 Series WLC, Cisco 5500 Series WLC, Cisco 500 Series Wireless Express Mobility Controllers, Cisco Wireless Services Modules (WiSM), Cisco Wireless Services Modules version 2 (WiSM version 2), Cisco NME-AIR-WLC Modules for Integrated Services Routers (ISRs), Cisco NM-AIR-WLC Modules for Integrated Services Routers (ISRs), Cisco Catalyst 3750G Integrated WLCs and Cisco Flex 7500 Series Cloud Controllers are affected.
    • Ref: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120229-wlc

    • 12.10.24 - CVE: CVE-2012-0331,CVE-2012-0330
    • Platform: Hardware
    • Title: Cisco TelePresence Video Communication Server Session Denial of Service Vulnerabilities
    • Description: Cisco TelePresence Video Communication Server is a telepresence management system using policy services integration and dial plan configuration. The server is exposed to multiple denial of service issues when handling specially crafted Session Initiation Protocol (SIP) packets through ports 5060 or 5061. Cisco TelePresence Video Communication Server versions prior to X7.0.1 are affected.
    • Ref: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120229-vcs http://www.securityfocus.com/bid/52214/discuss

    (c) 2012. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

    Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account