@RISK: The Consensus Security Vulnerability Alert

Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys

• (1) HIGH: Google Chrome Sandbox Escapes
• (2) HIGH: Microsoft Remote Desktop Protocol Vulnerability
• (3) HIGH: Mozilla Firefox Use-After-Free Vulnerability

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

Windows

• 12.11.1 - Microsoft Remote Desktop Protocol Multiple Vulnerabilities
• 12.11.2 - Microsoft Windows DNS Server Remote Denial of Service
• 12.11.3 - Microsoft Windows Kernel "Win32k.sys" Local Privilege Escalation
• 12.11.4 - Microsoft Windows "DirectWrite" API Denial of Service

Other Microsoft Products

• 12.11.5 - Microsoft Expression "wintab32.dll" DLL Loading Arbitrary Code Execution
• 12.11.6 - Microsoft Visual Studio Add-In Local Privilege Escalation

Third Party Windows Apps

• 12.11.7 - DAEMON Tools "IOCTL" Handling Local Privilege Escalation
• 12.11.8 - VMware vCenter Chargeback Manager Information Disclosure and Denial of Service Vulnerabilities
• 12.11.9 - XnView Multiple Buffer Overflow Vulnerabilities
• 12.11.10 - Vegas Movie Studio HD "CFHDDecoder.dll" DLL Loading Arbitrary Code Execution

Cross Platform

• 12.11.11 - IBM DB2 Multiple Security Vulnerabilities
• 12.11.12 - IBM Maximo Asset Management Multiple Security Vulnerabilities
• 12.11.13 - Expat XML Parsing Multiple Remote Denial of Service
• 12.11.14 - Google Chrome Remote Code Execution
• 12.11.15 - OpenLDAP LDAP Search Request Remote Denial of Service
• 12.11.16 - Apple Safari International Domain Name URI Spoofing
• 2.8 - Mozilla Firefox/Thunderbird/SeaMonkey "shlwapi.dll" Use-After-Free Memory Corruption

Web Application - Cross Site Scripting

• 12.11.18 - Splunk Unspecified Cross-Site Scripting
• 12.11.19 - SquirrelMail Autocomplete Plugin Email Addresses Cross-Site Scripting
• 12.11.20 - EJBCA "issuer" Parameter Cross-Site Scripting
• 12.11.21 - Synology Photo Station "photo_one.php" Script Cross-Site Scripting

Web Application - SQL Injection

• 12.11.22 - Aurora WebOPAC "txtEmailAliasBarcode" Parameter SQL Injection

Web Application

• 12.11.23 - LotusCMS Multiple PHP Code Execution Vulnerabilities
• 12.11.24 - Jenkins Multiple Cross-Site Scripting and Directory Traversal Vulnerabilities
• 12.11.25 - Zend Server Multiple HTML Injection Vulnerabilities
• 12.11.26 - Invision Power Board Unspecified HTML Injection

PART I Critical Vulnerabilities

PART I Critical Vulnerabilities Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/risk/#process

*************************************************************

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 11, 2012

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com) This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 13467 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely. ______________________________________________________________________

• 12.11.1 - CVE: CVE-2012-0002,CVE-2012-0152
• Platform: Windows
• Title: Microsoft Remote Desktop Protocol Multiple Vulnerabilities
• Description: Microsoft Remote Desktop Protocol is a protocol that allows users to connect to remote desktops. The protocol is exposed to multiple issues. See reference for detailed information. All supported releases of Microsoft Windows are affected.
• Ref: http://technet.microsoft.com/en-us/security/bulletin/MS12-020

• 12.11.2 - CVE: CVE-2012-0006
• Platform: Windows
• Title: Microsoft Windows DNS Server Remote Denial of Service
• Description: The Microsoft Windows DNS Server is exposed to a remote denial of service issue. This issue occurs because the application fails to properly handle uninitialized objects when looking up a resource record for a domain that does not exist. The issue can be exploited by sending a specially crafted DNS query to the affected server. All supported editions of Windows Server 2003 32-bit and x64-based editions of Windows Server 2008 and x64-based editions of Windows Server 2008 R2 are affected.
• Ref: http://technet.microsoft.com/en-us/security/bulletin/MS12-017

• 12.11.3 - CVE: CVE-2012-0157
• Platform: Windows
• Title: Microsoft Windows Kernel "Win32k.sys" Local Privilege Escalation
• Description: The "Win32k.sys" kernel-mode device driver provides various functions such as the window manager, collection of user input, screen output and Graphics Device Interface. It also serves as a wrapper for DirectX support. Microsoft Windows is exposed to a local privilege escalation issue that occurs in the Windows kernel "Win32k.sys" kernel-mode device driver. See reference for detailed information. All supported releases of Microsoft Windows are affected.
• Ref: http://technet.microsoft.com/en-us/security/bulletin/MS12-018

• 12.11.4 - CVE: CVE-2012-0156
• Platform: Windows
• Title: Microsoft Windows "DirectWrite" API Denial of Service
• Description: Microsoft Windows is exposed to a remote denial of service issue because the "DirectWrite" API incorrectly renders a specially crafted sequence of Unicode characters in memory. See reference for detailed information. All supported editions of Windows Vista, Windows Server 2008 (except Windows Server 2008 for Itanium-based Systems), Windows 7 and Windows Server 2008 R2 are affected.
• Ref: http://technet.microsoft.com/en-us/security/bulletin/MS12-019

• 12.11.5 - CVE: CVE-2012-0016
• Platform: Other Microsoft Products
• Title: Microsoft Expression "wintab32.dll" DLL Loading Arbitrary Code Execution
• Description: Microsoft Expression Web is a web design tool for creating standards-based Web sites. The application is exposed to an issue that lets attackers execute arbitrary code. The issue arises because the application searches for the "wintab32.dll" Dynamic Link Library file in the current working directory. See reference for detailed information. All supported releases of Microsoft Expression Design are affected.
• Ref: http://technet.microsoft.com/en-us/security/bulletin/ms12-022

• 12.11.6 - CVE: CVE-2012-0008
• Platform: Other Microsoft Products
• Title: Microsoft Visual Studio Add-In Local Privilege Escalation
• Description: Microsoft Visual Studio is an application development environment for Microsoft Windows. The application is exposed to a local privilege escalation issue. Specifically the issue occurs because Visual Studio loads add-ins from insecure file locations. See reference for detailed information. All supported editions of Microsoft Visual Studio 2008 and Microsoft Visual Studio 2010 are affected.
• Ref: http://technet.microsoft.com/en-us/security/bulletin/MS12-021

• 12.11.7 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: DAEMON Tools "IOCTL" Handling Local Privilege Escalation
• Description: DAEMON Tools is an optical media emulation application for Microsoft Windows. The application is exposed to a local privilege escalation issue due to an indexing error when processing the 0x00222850 "IOCTL" in dtsoftbus01.sys. DAEMON Tools Lite 4.41.3.0173 and DAEMON Tools Pro Standard/Advanced 4.41.0315.0262 are affected.
• Ref: http://www.securityfocus.com/bid/52417/discuss

• 12.11.8 - CVE: CVE-2012-1472
• Platform: Third Party Windows Apps
• Title: VMware vCenter Chargeback Manager Information Disclosure and Denial of Service Vulnerabilities
• Description: VMware vCenter Server is used to manage VMware vSphere, which provides the unified management of all server hosts. The application is exposed to an information disclosure issue and a denial of service issue. Specifically, the issue is triggered when handling a specially crafted XML API request. vCenter Chargeback Manager versions prior to 2.0.1 are vulnerable.
• Ref: https://www.vmware.com/support/vcbm/doc/vcbm_2_0_1_release_notes.html#aboutrelea
  se http://www.securityfocus.com/bid/52376/discuss

• 12.11.9 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: XnView Multiple Buffer Overflow Vulnerabilities
• Description: XnView is a graphics application available for Microsoft Windows. The application is exposed to multiple buffer overflow issues. A heap-based buffer overflow issue affects the application when processing a specially crafted "FPX" file. Specifically, the issue affects the "Xfpx.dll" library due to a signedness error. A stack-based buffer overflow issue occurs due to a boundary error when parsing a directory name while browsing folders. A heap-based buffer overflow issue affects the application when processing a specially crafted "PCX" file. XnView 1.98.5 is vulnerable and other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/52405/discuss

• 12.11.10 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: Vegas Movie Studio HD "CFHDDecoder.dll" DLL Loading Arbitrary Code Execution
• Description: Vegas Movie Studio HD is video editing software. The application is exposed to an issue that lets attackers execute arbitrary code. The issue arises because the application searches for the "CFHDDecoder.dll" Dynamic Link Library file in the current working directory. The issue can be exploited by placing both a specially crafted library file and a file associated with the vulnerable application in an attacker controlled location. Using the application to open the associated file will cause the malicious library file to be executed. Reportedly, the issue arises when the application opens the following file types: Project (".VF") and Perfect Clarity Audio (".PCA"). Vegas Movie Studio HD version 11.0 Build 37, Vegas Movie Studio HD Platinum version 11.0 Build 283 are affected.
• Ref: http://www.securityfocus.com/bid/52410/references

• 12.11.11 - CVE: Not Available
• Platform: Cross Platform
• Title: IBM DB2 Multiple Security Vulnerabilities
• Description: IBM DB2 is a database application available for multiple platforms. The application is exposed to multiple security issues. See reference for further details. IBM DB2 versions prior to 9.5 Fix Pack 9 are vulnerable.
• Ref: http://www.securityfocus.com/bid/52326/references http://www-01.ibm.com/support/docview.wss?uid=swg21586193

• 12.11.12 - CVE:CVE-2012-0195,CVE-2011-4819,CVE-2011-4818,CVE-2011-4817,CVE-2011-4816,CVE-2011-1397,CVE-2011-1396,CVE-2011-1395,CVE-2011-1394
• Platform: Cross Platform
• Title: IBM Maximo Asset Management Multiple Security Vulnerabilities
• Description: IBM Maximo Asset Management unifies asset life cycle and maintenance management on a single platform. The application is exposed to multiple security issues. See reference for further information. Maximo Asset Management V7.5, V7.1 and V6.2, Maximo Asset Management Essentials V7.5, V7.1 and V6.2, Tivoli Asset Management for IT V7.1, V7.2, V6.2, Tivoli Service Request Manager V7.1, V7.2, Maximo Service Desk 6.2, Change and Configuration Management Database V7.1, V7.2, V6.2 are affected.
• Ref: http://www-01.ibm.com/support/docview.wss?uid=swg21584666

• 12.11.13 - CVE: CVE-2012-0876,CVE-2012-1148,CVE-2012-1147
• Platform: Cross Platform
• Title: Expat XML Parsing Multiple Remote Denial of Service
• Description: Expat is a C library used for parsing XML documents. The library is exposed to multiple issues because it fails to handle specially crafted XML data. A denial of service issue occurs due to Resource leak in the "readfilemap.c" file. A denial of service issue occurs due to memory leak in poolGrow. A denial of service issue occurs related to hash table collisions. Expat versions prior to 2.1.0 are vulnerable.
• Ref: http://www.securityfocus.com/bid/52379/references http://sourceforge.net/projects/expat/files/expat/2.1.0/

• 12.11.14 - CVE: CVE-2011-3047
• Platform: Cross Platform
• Title: Google Chrome Remote Code Execution
• Description: Google Chrome is a web browser for multiple platforms. The application is exposed to a remote code execution issue. Specifically, the issue exists in the GPU process and occurs due to a memory corruption flaw in the plug-in loading mechanism. Google Chrome versions prior to 17.0.963.79 are vulnerable.
• Ref: http://www.securityfocus.com/bid/52395/references

• 12.11.15 - CVE: Not Available
• Platform: Cross Platform
• Title: OpenLDAP LDAP Search Request Remote Denial of Service
• Description: OpenLDAP is an implementation of the Lightweight Directory Access Protocol. The implementation is exposed to a remote denial of service issue. Specifically, the issue occurs when processing a crafted LDAP search request with "attrsOnly" set to true. OpenLDAP versions prior to 2.4.30 are affected.
• Ref: http://www.securityfocus.com/bid/52404/references http://www.openldap.org/software/release/changes.html

• 12.11.16 - CVE: CVE-2012-0584
• Platform: Cross Platform
• Title: Apple Safari International Domain Name URI Spoofing
• Description: Apple Safari is a web browser available for Mac OS X and Microsoft Windows. The application is affected by a URI spoofing issue because it fails to adequately handle unspecified characters in IDN domains. Versions prior to Apple Safari 5.1.4 on Windows systems are vulnerable.
• Ref: http://lists.apple.com/archives/security-announce/2012/Mar/msg00003.html http://www.securityfocus.com/bid/52419/discuss

• 2.8 - CVE: CVE-2012-045410.0.3, Thunderbird versions prior to Thunderbird ESR versionsprior to and SeaMonkey versions prior to are affected.
• Platform: Cross Platform
• Title: Mozilla Firefox/Thunderbird/SeaMonkey "shlwapi.dll" Use-After-Free Memory Corruption
• Description: Firefox is a browser. SeaMonkey is a suite of applications that includes a browser and an email client. Thunderbird is an email client. The applications are exposed to a memory corruption issue in the "shlwapi.dll" file that may allow remote code execution. Specifically, a use-after-free condition occurs when a parent window spawns and closes a child window that uses the file open dialog. Firefox versions prior to 11.0, Firefox ESR versions prior to
• Ref: https://www.mozilla.org/security/announce/2012/mfsa2012-12.html

• 12.11.18 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: Splunk Unspecified Cross-Site Scripting
• Description: Splunk is an IT infrastructure monitoring system. The application is exposed to an unspecified cross-site scripting issue because it fails to sufficiently sanitize user-supplied input. Splunk versions 4.0 through 4.3 are vulnerable.
• Ref: http://www.splunk.com/view/SP-CAAAGTK http://www.securityfocus.com/bid/52320/discuss

• 12.11.19 - CVE: CVE-2012-0323
• Platform: Web Application - Cross Site Scripting
• Title: SquirrelMail Autocomplete Plugin Email Addresses Cross-Site Scripting
• Description: Autocomplete is a plugin for the SquirrelMail webmail application. The application is exposed to a cross-site scripting issue when searching for registered email addresses in user contacts. Autocomplete versions prior to 3.0 are vulnerable.
• Ref: http://jvn.jp/en/jp/JVN56653852/index.html http://www.securityfocus.com/bid/52387/references

• 12.11.20 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: EJBCA "issuer" Parameter Cross-Site Scripting
• Description: EJBCA is an enterprise PKI certification authority and management system. The application is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied input submitted to the "issuer" parameter of the "certdist" script. EJBCA 4.0.7 is vulnerable and other versions may also be affected.
• Ref: http://primekey.se/News/All+Releases/Release+detail/EJBCA_4.0.8_release_Feb_2012
  .cid3129 http://www.securityfocus.com/bid/52400/references

• 12.11.21 - CVE: CVE-2012-1556
• Platform: Web Application - Cross Site Scripting
• Title: Synology Photo Station "photo_one.php" Script Cross-Site Scripting
• Description: Synology Photo Station is an application for sharing your photos, videos and blog over the Internet. The application is exposed to a cross-site scripting issue because it fails to sanitize user-supplied input submitted to the "gallery" parameter of the "index.php" script. Photo Station 5 DSM 3.2 (1955) is vulnerable and other versions may also be affected.
• Ref: http://www.securityfocus.com/archive/1/521933

• 12.11.22 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: Aurora WebOPAC "txtEmailAliasBarcode" Parameter SQL Injection
• Description: Aurora WebOPAC is an online library system. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data submitted to the "txtEmailAliasBarcode" parameter of the "MemberDetailsRecovery.aspx" script before using it in an SQL query. Aurora WebOPAC version 3.5.0e, 3.4.6a, 3.5.3, 3.5.0i, 3.4.7b, 3.5.2.2 and 3.4.7b are affected and other versions may also be affected.
• Ref: http://www.securityfocus.com/archive/1/521940

• 12.11.23 - CVE: Not Available
• Platform: Web Application
• Title: LotusCMS Multiple PHP Code Execution Vulnerabilities
• Description: LotusCMS is a web application implemented in PHP. The application is exposed to multiple PHP code execution issues. A PHP code execution issue affects the application because it fails to sanitize user-supplied input to the "req" parameter of the "index.php" script. A PHP code execution issue affects the application because it fails to sanitize user-supplied input to the "page" parameter of the "index.php" script in the "Router()" function. LotusCMS 3.0.3 and 3.0.5 are vulnerable.
• Ref: http://secunia.com/secunia_research/2011-21/ http://www.securityfocus.com/bid/52349/references

• 12.11.24 - CVE: CVE-2012-0325,CVE-2012-0324
• Platform: Web Application
• Title: Jenkins Multiple Cross-Site Scripting and Directory Traversal Vulnerabilities
• Description: Jenkins is a web server application. The application is exposed to an unspecified cross-site scripting issue and an unspecified directory traversal issue because it fails to sanitize user-supplied input. Jenkins versions 1.452 and earlier, Jenkins Enterprise by CloudBees 1.424.3 and earlier, Jenkins Enterprise by CloudBees 1.400.0.12 and earlier are affected.
• Ref: http://www.securityfocus.com/bid/52384/references

• 12.11.25 - CVE: Not Available
• Platform: Web Application
• Title: Zend Server Multiple HTML Injection Vulnerabilities
• Description: Zend Server is a web application server implemented in PHP. The application is exposed to multiple HTML injection issues because it fails to properly sanitize user-supplied input. Zend Server 5.6.0 is vulnerable and other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/52397/references

• 12.11.26 - CVE: Not Available
• Platform: Web Application
• Title: Invision Power Board Unspecified HTML Injection
• Description: Invision Power Board is a web-based forum application implemented in PHP. The application is exposed to an unspecified HTML injection issue when editing another member's post. This issue occurs because the application fails to sufficiently sanitize user-supplied input. Invision Power Board 3.2.0, 3.2.1, 3.2.2 and 3.2.3 are vulnerable and other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/52406/discuss http://community.invisionpower.com/topic/358403-ipboard-32x-security-update/

(c) 2012. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account