@RISK: The Consensus Security Vulnerability Alert

Volume: XI, Issue: 11
March 16, 2012

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Platform                                   Number of Updates and Vulnerabilities
    ------------------------------------------ -------------------------------------
    Windows                                    4 (#2)
    Other Microsoft Products                   2
    Third Party Windows Apps                   4 (#1,#3)
    Cross Platform                             7
    Web Application - Cross Site Scripting     4
    Web Application - SQL Injection            1
    Web Application                            4

    (#n) refers to the numbered critical vulnerabilities in Part I.


Table Of Contents
Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
    Windows
    Other Microsoft Products
    Third Party Windows Apps
    Cross Platform
    Web Application - Cross Site Scripting
    Web Application - SQL Injection
    Web Application


    PART I Critical Vulnerabilities

    Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/risk/#process

    *************************************************************

    Widely Deployed Software
    • (2) HIGH: Microsoft Remote Desktop Protocol Vulnerability
    • Affected:
      • Windows 7
      • Windows Server 2003
      • Windows Server 2008
      • Windows Server 2008 R2
      • Windows Vista
      • Windows XP
    • Description: As part of its Patch Tuesday program, Microsoft has released patches for a memory corruption vulnerability in its Remote Desktop Protocol implementation. Remote Desktop is disabled by default on client editions of Windows, but it is routinely enabled on servers and on centrally administered workstations, so the default is no guarantee that a given host is unexposed. By sending a malicious request to the RDP listener, an unauthenticated attacker can exploit this vulnerability to execute arbitrary code on the target machine. Requiring Network Level Authentication reduces exposure because the attacker must authenticate before reaching the vulnerable code, but it is a mitigation rather than a fix; the update should be applied.

    • Status: vendor confirmed, updates available

    • References:
      • http://technet.microsoft.com/en-us/security/bulletin/MS12-020
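    The PowerShell script below is an added example written for this entry; it is not TippingPoint's or Microsoft's own tooling. It reports, read-only, whether this host is in the condition the description warns about: RDP listener reachable, no Network Level Authentication in front of it, and the MS12-020 update absent. It assumes an elevated PowerShell 2.0 or later session on a supported Windows release, and the default KB number passed to -PatchKb is taken from the MS12-020 bulletin and should be verified against the bulletin for your OS edition before you rely on the PatchInstalled field.

```powershell
# Added example, not part of the SANS/TippingPoint advisory text.
# Read-only triage of the host-side settings that decide whether MS12-020 is reachable.
# Assumptions: elevated PowerShell 2.0+ on Windows XP/2003 or later; the default KB below
# is the MS12-020 update for the main RDP fix and should be verified against the bulletin.
param([string]$PatchKb = 'KB2621440')

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcpKey = "$tsKey\WinStations\RDP-Tcp"

function Get-RegValue([string]$Path, [string]$Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name } else { return $null }
}

$denyConnections = Get-RegValue $tsKey  'fDenyTSConnections'   # 0 = remote connections allowed
$nlaRequired     = Get-RegValue $tcpKey 'UserAuthentication'   # 1 = NLA required (Vista and later)
$port            = Get-RegValue $tcpKey 'PortNumber'           # default listener port is 3389
if (-not $port) { $port = 3389 }

$svc = Get-Service -Name TermService -ErrorAction SilentlyContinue
$serviceRunning = ($svc -ne $null) -and ($svc.Status -eq 'Running')

# netstat is used instead of Get-NetTCPConnection so the check also works on XP/2003.
$pattern  = "^\s*TCP\s+\S+:{0}\s+\S+\s+LISTENING" -f $port
$listener = netstat -ano | Select-String -Pattern $pattern

# Get-HotFix only sees updates installed through Windows Update/MSU; verify otherwise if unsure.
$patched = [bool](Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $_.HotFixID -eq $PatchKb })

$report = New-Object PSObject -Property @{
    RemoteConnectionsAllowed = ($denyConnections -eq 0)
    TermServiceRunning       = $serviceRunning
    ListeningOnPort          = $port
    ListenerObserved         = (@($listener).Count -gt 0)
    NlaRequired              = ($nlaRequired -eq 1)
    PatchInstalled           = $patched
}
$report

# Triage: reachable listener, no NLA, no patch is the pre-authentication code execution case.
if ($report.ListenerObserved -and -not $report.PatchInstalled) {
    if ($report.NlaRequired) {
        Write-Warning "RDP exposed but NLA is required: an attacker needs valid credentials first. Patch anyway."
    } else {
        Write-Warning "RDP exposed without NLA and without $PatchKb: unauthenticated attackers reach the vulnerable code."
    }
}
```

    Run it on each host that answers on TCP 3389 in your network scan rather than trusting inventory data; the NlaRequired field is only meaningful on Windows Vista and later, since XP and Server 2003 have no Network Level Authentication setting to require.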
    • (3) HIGH: Mozilla Firefox Use-After-Free Vulnerability
    • Affected:
      • Firefox prior to 11.0
    • Description: Mozilla has released Firefox 11.0, which fixes a use-after-free vulnerability in the browser. Heap memory is used after it has been freed when a new parent window causes a child window that is using the file open dialog box to close. By enticing a target to view a malicious page, an attacker could exploit this vulnerability to execute arbitrary code on the target's machine.

    • Status: vendor confirmed, updates available

    • References:
      • https://www.mozilla.org/security/announce/2012/mfsa2012-12.html
    Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
    Week 11, 2012

    This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 13467 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.
    ______________________________________________________________________


    • 12.11.1 - CVE: CVE-2012-0002,CVE-2012-0152
    • Platform: Windows
    • Title: Microsoft Remote Desktop Protocol Multiple Vulnerabilities
    • Description: Microsoft Remote Desktop Protocol is a protocol that allows users to connect to remote desktops. The protocol is exposed to multiple issues. See reference for detailed information. All supported releases of Microsoft Windows are affected.
    • Ref: http://technet.microsoft.com/en-us/security/bulletin/MS12-020

    • 12.11.2 - CVE: CVE-2012-0006
    • Platform: Windows
    • Title: Microsoft Windows DNS Server Remote Denial of Service
    • Description: The Microsoft Windows DNS Server is exposed to a remote denial of service issue. This issue occurs because the application fails to properly handle uninitialized objects when looking up a resource record for a domain that does not exist. The issue can be exploited by sending a specially crafted DNS query to the affected server. All supported editions of Windows Server 2003, x64-based editions of Windows Server 2008, and x64-based editions of Windows Server 2008 R2 are affected.
    • Ref: http://technet.microsoft.com/en-us/security/bulletin/MS12-017

    • 12.11.3 - CVE: CVE-2012-0157
    • Platform: Windows
    • Title: Microsoft Windows Kernel "Win32k.sys" Local Privilege Escalation
    • Description: The "Win32k.sys" kernel-mode device driver provides various functions such as the window manager, collection of user input, screen output and Graphics Device Interface. It also serves as a wrapper for DirectX support. Microsoft Windows is exposed to a local privilege escalation issue that occurs in the Windows kernel "Win32k.sys" kernel-mode device driver. See reference for detailed information. All supported releases of Microsoft Windows are affected.
    • Ref: http://technet.microsoft.com/en-us/security/bulletin/MS12-018

    • 12.11.4 - CVE: CVE-2012-0156
    • Platform: Windows
    • Title: Microsoft Windows "DirectWrite" API Denial of Service
    • Description: Microsoft Windows is exposed to a remote denial of service issue because the "DirectWrite" API incorrectly renders a specially crafted sequence of Unicode characters in memory. See reference for detailed information. All supported editions of Windows Vista, Windows Server 2008 (except Windows Server 2008 for Itanium-based Systems), Windows 7 and Windows Server 2008 R2 are affected.
    • Ref: http://technet.microsoft.com/en-us/security/bulletin/MS12-019

    • 12.11.5 - CVE: CVE-2012-0016
    • Platform: Other Microsoft Products
    • Title: Microsoft Expression "wintab32.dll" DLL Loading Arbitrary Code Execution
    • Description: Microsoft Expression Design is a vector and raster graphic design tool. The application is exposed to an issue that lets attackers execute arbitrary code. The issue arises because the application searches for the "wintab32.dll" Dynamic Link Library file in the current working directory, so opening a document from an attacker-controlled directory that also holds a malicious "wintab32.dll" loads the attacker's library. See reference for detailed information. All supported releases of Microsoft Expression Design are affected.
    • Ref: http://technet.microsoft.com/en-us/security/bulletin/ms12-022

    • 12.11.6 - CVE: CVE-2012-0008
    • Platform: Other Microsoft Products
    • Title: Microsoft Visual Studio Add-In Local Privilege Escalation
    • Description: Microsoft Visual Studio is an application development environment for Microsoft Windows. The application is exposed to a local privilege escalation issue. Specifically the issue occurs because Visual Studio loads add-ins from insecure file locations. See reference for detailed information. All supported editions of Microsoft Visual Studio 2008 and Microsoft Visual Studio 2010 are affected.
    • Ref: http://technet.microsoft.com/en-us/security/bulletin/MS12-021

    • 12.11.7 - CVE: Not Available
    • Platform: Third Party Windows Apps
    • Title: DAEMON Tools "IOCTL" Handling Local Privilege Escalation
    • Description: DAEMON Tools is an optical media emulation application for Microsoft Windows. The application is exposed to a local privilege escalation issue due to an indexing error when processing the 0x00222850 "IOCTL" in dtsoftbus01.sys. DAEMON Tools Lite 4.41.3.0173 and DAEMON Tools Pro Standard/Advanced 4.41.0315.0262 are affected.
    • Ref: http://www.securityfocus.com/bid/52417/discuss

    • 12.11.8 - CVE: CVE-2012-1472
    • Platform: Third Party Windows Apps
    • Title: VMware vCenter Chargeback Manager Information Disclosure and Denial of Service Vulnerabilities
    • Description: VMware vCenter Chargeback Manager meters resource usage in vSphere environments for cost reporting. The application is exposed to an information disclosure issue and a denial of service issue. Specifically, the issues are triggered when handling a specially crafted XML API request. vCenter Chargeback Manager versions prior to 2.0.1 are vulnerable.
    • Ref: https://www.vmware.com/support/vcbm/doc/vcbm_2_0_1_release_notes.html#aboutrelease
      http://www.securityfocus.com/bid/52376/discuss

    • 12.11.9 - CVE: Not Available
    • Platform: Third Party Windows Apps
    • Title: XnView Multiple Buffer Overflow Vulnerabilities
    • Description: XnView is a graphics application available for Microsoft Windows. The application is exposed to multiple buffer overflow issues. A heap-based buffer overflow issue affects the application when processing a specially crafted "FPX" file. Specifically, the issue affects the "Xfpx.dll" library due to a signedness error. A stack-based buffer overflow issue occurs due to a boundary error when parsing a directory name while browsing folders. A heap-based buffer overflow issue affects the application when processing a specially crafted "PCX" file. XnView 1.98.5 is vulnerable and other versions may also be affected.
    • Ref: http://www.securityfocus.com/bid/52405/discuss

    • 12.11.10 - CVE: Not Available
    • Platform: Third Party Windows Apps
    • Title: Vegas Movie Studio HD "CFHDDecoder.dll" DLL Loading Arbitrary Code Execution
    • Description: Vegas Movie Studio HD is video editing software. The application is exposed to an issue that lets attackers execute arbitrary code. The issue arises because the application searches for the "CFHDDecoder.dll" Dynamic Link Library file in the current working directory. The issue can be exploited by placing both a specially crafted library file and a file associated with the vulnerable application in an attacker controlled location. Using the application to open the associated file will cause the malicious library file to be executed. Reportedly, the issue arises when the application opens the following file types: Project (".VF") and Perfect Clarity Audio (".PCA"). Vegas Movie Studio HD version 11.0 Build 37, Vegas Movie Studio HD Platinum version 11.0 Build 283 are affected.
    • Ref: http://www.securityfocus.com/bid/52410/references
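    Entries 12.11.5 (Expression Design, "wintab32.dll") and 12.11.10 (Vegas Movie Studio HD, "CFHDDecoder.dll") are the same bug class: a DLL loaded by bare name that is not present earlier in the Windows search order, so the current working directory, which an attacker controls when the victim opens a document from their share, is where the loader finds it. The PowerShell below is an added example written for this bulletin, not code from Qualys, Microsoft or Sony; it walks the default search order for a given application and DLL name and reports whether the current directory is reached before a legitimate copy, and it reads the CWDIllegalInDllSearch mitigation documented in Microsoft KB2264107. The application paths in the usage comment are hypothetical.

```powershell
# Added example, not part of the Qualys entries above.
# Assumptions: Windows host; SafeDllSearchMode enabled (the default); the DLL is loaded by
# bare name and is not in the KnownDLLs list (KnownDLLs are never searched on disk).
function Get-CwdDllSearchMitigation([string]$ExeName) {
    $machine = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $perApp  = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\$ExeName"
    foreach ($k in @($perApp, $machine)) {        # per-application value overrides the machine-wide one
        $p = Get-ItemProperty -Path $k -Name CWDIllegalInDllSearch -ErrorAction SilentlyContinue
        if ($p) { return $p.CWDIllegalInDllSearch }
    }
    return $null
    # Meaning (KB2264107): 0xFFFFFFFF (reads back as -1) removes the CWD from the search order;
    # 1 blocks a CWD that is a WebDAV folder; 2 blocks a CWD on any remote (UNC/WebDAV) location;
    # absent or 0 means no mitigation, so a local or removable-media CWD is still searched.
}

function Test-DllPreload {
    param(
        [Parameter(Mandatory=$true)][string]$AppPath,   # full path to the application's .exe
        [Parameter(Mandatory=$true)][string]$DllName    # e.g. 'CFHDDecoder.dll' or 'wintab32.dll'
    )
    $appDir     = Split-Path -Parent $AppPath
    $mitigation = Get-CwdDllSearchMitigation (Split-Path -Leaf $AppPath)
    $cwdRemoved = ($mitigation -eq -1) -or ($mitigation -eq 0xFFFFFFFF)

    # Order used by LoadLibrary("name.dll") with SafeDllSearchMode on: application directory,
    # System32, the 16-bit System directory, the Windows directory, then the CWD, then PATH.
    $order = @(
        @{ Slot = 'ApplicationDir'; Dir = $appDir },
        @{ Slot = 'System32';       Dir = [Environment]::SystemDirectory },
        @{ Slot = 'System16';       Dir = [System.IO.Path]::Combine($env:windir, 'System') },
        @{ Slot = 'Windows';        Dir = $env:windir },
        @{ Slot = 'CurrentDir';     Dir = $null }
    )
    foreach ($p in ($env:PATH -split ';' | Where-Object { $_ -ne '' })) {
        $order += @{ Slot = 'PATH'; Dir = $p }
    }

    foreach ($entry in $order) {
        if ($entry.Slot -eq 'CurrentDir') {
            if ($cwdRemoved) { continue }          # mitigation in force: loader skips the CWD
            # Nothing earlier in the order supplied the DLL, so a copy placed beside the
            # document the victim opens is what gets loaded.
            return New-Object PSObject -Property @{
                Dll = $DllName; ResolvedFrom = '<current working directory>'
                CwdHijackable = $true; Mitigation = $mitigation
            }
        }
        $candidate = [System.IO.Path]::Combine($entry.Dir, $DllName)
        if (Test-Path -LiteralPath $candidate) {
            return New-Object PSObject -Property @{
                Dll = $DllName; ResolvedFrom = $candidate
                CwdHijackable = $false; Mitigation = $mitigation
            }
        }
    }
    # Not found anywhere: the load fails rather than being hijacked from the CWD.
    return New-Object PSObject -Property @{
        Dll = $DllName; ResolvedFrom = $null; CwdHijackable = $false; Mitigation = $mitigation
    }
}

# Usage (application path is hypothetical):
# Test-DllPreload -AppPath 'C:\Program Files\Example\app.exe' -DllName 'CFHDDecoder.dll'
```

    A CwdHijackable result of $true with Mitigation absent is the exploitable configuration described in both entries; setting CWDIllegalInDllSearch to 0xFFFFFFFF for the affected executables removes the CWD from the search without waiting for a vendor fix, at the cost of breaking any application that legitimately loads helper DLLs from the document's directory, so test it per application before deploying it machine-wide.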


    • 12.11.12 - CVE: CVE-2012-0195,CVE-2011-4819,CVE-2011-4818,CVE-2011-4817,CVE-2011-4816,CVE-2011-1397,CVE-2011-1396,CVE-2011-1395,CVE-2011-1394
    • Platform: Cross Platform
    • Title: IBM Maximo Asset Management Multiple Security Vulnerabilities
    • Description: IBM Maximo Asset Management unifies asset life cycle and maintenance management on a single platform. The application is exposed to multiple security issues. See reference for further information. Maximo Asset Management V7.5, V7.1 and V6.2, Maximo Asset Management Essentials V7.5, V7.1 and V6.2, Tivoli Asset Management for IT V7.1, V7.2, V6.2, Tivoli Service Request Manager V7.1, V7.2, Maximo Service Desk 6.2, Change and Configuration Management Database V7.1, V7.2, V6.2 are affected.
    • Ref: http://www-01.ibm.com/support/docview.wss?uid=swg21584666

    • 12.11.13 - CVE: CVE-2012-0876,CVE-2012-1148,CVE-2012-1147
    • Platform: Cross Platform
    • Title: Expat XML Parsing Multiple Remote Denial of Service
    • Description: Expat is a C library used for parsing XML documents. The library is exposed to multiple issues because it fails to handle specially crafted XML data. A denial of service issue occurs due to a resource leak in the "readfilemap.c" file. A denial of service issue occurs due to a memory leak in "poolGrow". A denial of service issue occurs related to hash table collisions, which let a crafted document drive the parser's internal tables into worst-case behaviour. Because Expat is embedded in many other products, check the Expat version shipped with your applications, not only the standalone library. Expat versions prior to 2.1.0 are vulnerable.
    • Ref: http://www.securityfocus.com/bid/52379/references http://sourceforge.net/projects/expat/files/expat/2.1.0/

    • 12.11.14 - CVE: CVE-2011-3047
    • Platform: Cross Platform
    • Title: Google Chrome Remote Code Execution
    • Description: Google Chrome is a web browser for multiple platforms. The application is exposed to a remote code execution issue. Specifically, the issue exists in the GPU process and occurs due to a memory corruption flaw in the plug-in loading mechanism. Google Chrome versions prior to 17.0.963.79 are vulnerable.
    • Ref: http://www.securityfocus.com/bid/52395/references

    • 12.11.15 - CVE: Not Available
    • Platform: Cross Platform
    • Title: OpenLDAP LDAP Search Request Remote Denial of Service
    • Description: OpenLDAP is an implementation of the Lightweight Directory Access Protocol. The implementation is exposed to a remote denial of service issue. Specifically, the issue occurs when processing a crafted LDAP search request with "attrsOnly" set to true. OpenLDAP versions prior to 2.4.30 are affected.
    • Ref: http://www.securityfocus.com/bid/52404/references http://www.openldap.org/software/release/changes.html


    • CVE: CVE-2012-0454
    • Platform: Cross Platform
    • Title: Mozilla Firefox/Thunderbird/SeaMonkey "shlwapi.dll" Use-After-Free Memory Corruption
    • Description: Firefox is a browser. SeaMonkey is a suite of applications that includes a browser and an email client. Thunderbird is an email client. The applications are exposed to a memory corruption issue involving the "shlwapi.dll" file that may allow remote code execution. Specifically, a use-after-free condition occurs when a parent window spawns and closes a child window that uses the file open dialog. Firefox versions prior to 11.0, Firefox ESR versions prior to 10.0.3, SeaMonkey versions prior to 2.8, and the corresponding Thunderbird and Thunderbird ESR releases are affected.
    • Ref: https://www.mozilla.org/security/announce/2012/mfsa2012-12.html

    • 12.11.18 - CVE: Not Available
    • Platform: Web Application - Cross Site Scripting
    • Title: Splunk Unspecified Cross-Site Scripting
    • Description: Splunk is an IT infrastructure monitoring system. The application is exposed to an unspecified cross-site scripting issue because it fails to sufficiently sanitize user-supplied input. Splunk versions 4.0 through 4.3 are vulnerable.
    • Ref: http://www.splunk.com/view/SP-CAAAGTK http://www.securityfocus.com/bid/52320/discuss

    • 12.11.19 - CVE: CVE-2012-0323
    • Platform: Web Application - Cross Site Scripting
    • Title: SquirrelMail Autocomplete Plugin Email Addresses Cross-Site Scripting
    • Description: Autocomplete is a plugin for the SquirrelMail webmail application. The application is exposed to a cross-site scripting issue when searching for registered email addresses in user contacts. Autocomplete versions prior to 3.0 are vulnerable.
    • Ref: http://jvn.jp/en/jp/JVN56653852/index.html http://www.securityfocus.com/bid/52387/references


    • 12.11.21 - CVE: CVE-2012-1556
    • Platform: Web Application - Cross Site Scripting
    • Title: Synology Photo Station "photo_one.php" Script Cross-Site Scripting
    • Description: Synology Photo Station is an application for sharing your photos, videos and blog over the Internet. The application is exposed to a cross-site scripting issue because it fails to sanitize user-supplied input submitted to the "gallery" parameter of the "photo_one.php" script. Photo Station 5 DSM 3.2 (1955) is vulnerable and other versions may also be affected.
    • Ref: http://www.securityfocus.com/archive/1/521933

    • 12.11.22 - CVE: Not Available
    • Platform: Web Application - SQL Injection
    • Title: Aurora WebOPAC "txtEmailAliasBarcode" Parameter SQL Injection
    • Description: Aurora WebOPAC is an online library catalogue system. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data submitted to the "txtEmailAliasBarcode" parameter of the "MemberDetailsRecovery.aspx" script before using it in an SQL query. Aurora WebOPAC versions 3.4.6a, 3.4.7b, 3.5.0e, 3.5.0i, 3.5.2.2 and 3.5.3 are affected and other versions may also be affected.
    • Ref: http://www.securityfocus.com/archive/1/521940

    • 12.11.23 - CVE: Not Available
    • Platform: Web Application
    • Title: LotusCMS Multiple PHP Code Execution Vulnerabilities
    • Description: LotusCMS is a web application implemented in PHP. The application is exposed to multiple PHP code execution issues. A PHP code execution issue affects the application because it fails to sanitize user-supplied input to the "req" parameter of the "index.php" script. A PHP code execution issue affects the application because it fails to sanitize user-supplied input to the "page" parameter of the "index.php" script in the "Router()" function. LotusCMS 3.0.3 and 3.0.5 are vulnerable.
    • Ref: http://secunia.com/secunia_research/2011-21/ http://www.securityfocus.com/bid/52349/references

    • 12.11.24 - CVE: CVE-2012-0325,CVE-2012-0324
    • Platform: Web Application
    • Title: Jenkins Multiple Cross-Site Scripting and Directory Traversal Vulnerabilities
    • Description: Jenkins is an open-source continuous integration server administered through a web interface. The application is exposed to an unspecified cross-site scripting issue and an unspecified directory traversal issue because it fails to sanitize user-supplied input. Jenkins versions 1.452 and earlier, Jenkins Enterprise by CloudBees 1.424.3 and earlier, and Jenkins Enterprise by CloudBees 1.400.0.12 and earlier are affected.
    • Ref: http://www.securityfocus.com/bid/52384/references

    • 12.11.25 - CVE: Not Available
    • Platform: Web Application
    • Title: Zend Server Multiple HTML Injection Vulnerabilities
    • Description: Zend Server is a PHP application server with a web-based administration interface. The application is exposed to multiple HTML injection issues because it fails to properly sanitize user-supplied input. Zend Server 5.6.0 is vulnerable and other versions may also be affected.
    • Ref: http://www.securityfocus.com/bid/52397/references

    • 12.11.26 - CVE: Not Available
    • Platform: Web Application
    • Title: Invision Power Board Unspecified HTML Injection
    • Description: Invision Power Board is a web-based forum application implemented in PHP. The application is exposed to an unspecified HTML injection issue when editing another member's post. This issue occurs because the application fails to sufficiently sanitize user-supplied input. Invision Power Board 3.2.0, 3.2.1, 3.2.2 and 3.2.3 are vulnerable and other versions may also be affected.
    • Ref: http://www.securityfocus.com/bid/52406/discuss http://community.invisionpower.com/topic/358403-ipboard-32x-security-update/

    (c) 2012. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

    Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account