@RISK: The Consensus Security Vulnerability Alert

Volume: XI, Issue: 3
January 19, 2012

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Platform                                  Number of Updates and Vulnerabilities
    ----------------------------------------  -------------------------------------
    Third Party Windows Apps                  7 (#1,#2,#3)
    Solaris                                   1
    Cross Platform                            9
    Web Application - Cross Site Scripting    2
    Web Application                           6
    Hardware                                  1

**************************** Sponsored By SANS *************************

Needle in a Haystack? Getting to Attribution in Control Systems, featuring SANS instructor and infrastructure security expert, Matt Luallen http://www.sans.org/info/97061 Wednesday, February 22, 2012 at 1:00 PM EDT

**************************************************************************
TRAINING UPDATE

--SANS Security East 2012, New Orleans, LA January 17-26, 2012
11 courses. Bonus evening presentations include Advanced VoIP PenTesting: Current Threats and Methods; and Helping Small Businesses with Security.
http://www.sans.org/security-east-2012/

--SANS North American SCADA 2012, Lake Buena Vista, FL January 21-29, 2012
Gain the most current information regarding SCADA and Control System threats and learn how to best prepare to defend against them. Hear what works and what doesn't from peer organizations. Network with top individuals in the field of SCADA security. Return from the summit with solutions that you can immediately put to use in your organization.
Pre-Summit courses: January 21-25, 2012
Summit: January 26-27, 2012
Post-Summit Courses: January 28-29, 2012
http://www.sans.org/north-american-scada-2012/

--SANS Monterey 2012, Monterey, CA January 30-February 4, 2012
6 courses. Bonus evening presentations include Who Do You Trust? SSL and TLS Under Attack; and IOS Programming Demo.
http://www.sans.org/monterey-2012/

--SANS Phoenix 2012, Phoenix, AZ February 13-18, 2012
7 courses. Bonus evening presentations include Desktop Betrayal: Exploiting Clients Through the Features They Demand; and Windows Exploratory Surgery with Process Hacker.
http://www.sans.org/phoenix-2012/

--SANS Secure Singapore 2012, Singapore, Singapore March 5-17, 2012
5 courses. Bonus evening presentations include Introduction to Windows Memory Analysis; and Why Our Defenses are Failing Us: One Click is All It Takes ...
http://www.sans.org/singapore-2012/

--SANS Mobile Device Security Summit: The Growing and Constantly Changing Challenge, Nashville, TN March 12-15, 2012
Summit: March 12-13, 2012
Post-Summit Courses: March 14-15, 2012
Mobile device security experts and practitioners will discuss the best approaches to this new and evolving challenge. Organizations who have developed successful mobile device security programs will share how they developed and gained management support for their plans.
http://www.sans.org/mobile-device-security-summit-2012/

--SANS 2012, Orlando, FL March 23-39, 2012
42 courses. Bonus evening presentations include Exploiting Vulnerabilities: 60 Minutes from Discovery to Exploit; Evolving Threats; and Harbinger of Evil: The Forensic Art of Finding Malware.
http://www.sans.org/sans-2012/

--Looking for training in your own community? http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/discounts.php#current

Plus Atlanta, Bangalore, San Francisco, Stuttgart, and Nashville, all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php
************************************************************************

Table Of Contents
Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)
    Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
    Third Party Windows Apps
    Solaris
    Cross Platform
    Web Application - Cross Site Scripting
    Web Application
    Hardware

    ****************************** Sponsored Links: *************************

    1) Take the SANS 8th Annual Log and Event Management Survey and be entered to win a $250 American Express gift card. Follow this link to the survey: http://www.sans.org/info/96596

    2) Take the SANS First Annual Mobility Survey and be entered to win a $250 American Express gift card. Follow this link to the survey: http://www.sans.org/info/96601

    3) Do not miss Ask The Expert Webcast: Fear and Loathing in Information Security: Content Awareness is Key featuring John Strand and Kurt Bertone. Go to: http://www.sans.org/info/97066

    ************************************************************************

    PART I Critical Vulnerabilities

    Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/risk/#process

    *************************************************************

    Widely Deployed Software
    • (1) HIGH: HP Insight Diagnostics Buffer Overflow
    • Affected:
      • HP Insight Diagnostics
    • Description: HP Insight Diagnostics server is susceptible to a buffer overflow vulnerability. HP Insight Diagnostics is a web-based server management tool that runs on Microsoft Windows and Linux. The vulnerability is due to the application trusting a client-provided size value to copy data onto the stack. By sending a malicious request to magentservice.exe, which listens on port 23472 by default, an attacker can exploit this vulnerability in order to execute arbitrary code on the target's machine.

    • Status: vendor confirmed, updates not available

    • References:
    • (2) HIGH: McAfee Security-as-a-Service ActiveX Control
    • Affected:
      • McAfee SaaS Endpoint Protection current versions
    • Description: McAfee Security-as-a-Service Endpoint Protection is susceptible to a command-injection vulnerability. McAfee's Endpoint Protection is designed to protect Windows machines from viruses and malware. An ActiveX control installed on the client, myCIOScn.dll, contains a vulnerable function MyCioScan.Scan.ShowReport() that accepts and executes server-controlled commands. McAfee acknowledges this flaw and plans to release an update for it. However, McAfee reports that the harmful effect of this vulnerability is entirely mitigated by a patch released in August. From publicly available information, it isn't clear how attack vectors are cut off by that patch, which was released to address a file upload vulnerability in the same DLL. Exploitation would require enticing a target to view a malicious web site. See the references for a link to the August patch.

    • Status: vendor confirmed, updates not available

    • References:
    • (3) HIGH: HP Easy Printer Care Multiple ActiveX Vulnerabilities
    • Affected:
      • HP Easy Printer Care current versions
    • Description: HP Easy Printer Care, a web-based system for administering printers, is susceptible to multiple vulnerabilities in its ActiveX controls. The first issue involves the XMLSimpleAccessor ActiveX control: by sending an overlong string to the LoadXML method, an attacker can exploit a heap buffer overflow vulnerability in order to execute arbitrary code on a target's machine. Similarly, an arbitrary file write vulnerability in the CacheDocumentXMLWithId() method of the XMLCacheMgr class can be used to execute arbitrary code in the context of the client's browser. An attacker must entice a target to view a malicious link in order to exploit these vulnerabilities. HP no longer supports HP Easy Printer Care and recommends killbitting or uninstalling this software. See the reference below for information about killbitting ActiveX controls.

    • Status: vendor confirmed, updates not available

    • References:
    Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
    Week 3, 2012

    This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 13050 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.
    ______________________________________________________________________


    • 12.3.1 - CVE: Not Available
    • Platform: Third Party Windows Apps
    • Title: ExpressView Browser Plug-in Multiple Integer Overflow and Remote Code Execution Vulnerabilities
    • Description: ExpressView Browser Plug-in is a browser plugin for viewing, magnifying, measuring, printing and saving images. The plugin is exposed to multiple security issues. See reference for further details. ExpressView Browser Plug-in 6.5.0.3330 and prior versions are affected.
    • Ref: http://aluigi.altervista.org/adv/expressview_1-adv.txt http://www.securityfocus.com/bid/51367/discuss

    • 12.3.2 - CVE: Not Available
    • Platform: Third Party Windows Apps
    • Title: GreenBrowser Search Bar Short Cut Button Double Free Remote Memory Corruption
    • Description: GreenBrowser is a web browser available for Microsoft Windows. The application is exposed to a memory corruption issue in the "searchbar" when the user uses shortcut button "F6" to perform searches. GreenBrowser 6.0.1002 and prior versions are vulnerable.
    • Ref: http://www.securityfocus.com/archive/1/521231

    • 12.3.3 - CVE: Not Available
    • Platform: Third Party Windows Apps
    • Title: McAfee Security-as-a-Service ActiveX Control Remote Command Execution
    • Description: McAfee Security-as-a-Service is a cloud based security service. McAfee Security-as-a-Service is exposed to a remote command execution issue. This issue affects the "myCIOScn.dll.MyCioScan.Scan.ShowReport()" function of the ActiveX control identified by CLSID: 209EBDEE-065C-11D4-A6B8-00C04F0D38B7. All versions of McAfee Security-as-a-Service are affected.
    • Ref: http://zerodayinitiative.com/advisories/ZDI-12-012/ http://www.securityfocus.com/bid/51397/discuss


    • 12.3.5 - CVE: CVE-2011-4789
    • Platform: Third Party Windows Apps
    • Title: HP Diagnostics Server Remote Stack Buffer Overflow
    • Description: HP Diagnostics Server is exposed to a remote stack-based buffer overflow issue because it fails to properly check user-supplied data before copying it into an insufficiently sized memory buffer. This issue affects the "magentservice.exe" when processing specially crafted packets (packets with "0x00000000" as the first 32-bit value) sent to TCP port 23472. All versions of HP Diagnostics Server are affected.
    • Ref: http://www.zerodayinitiative.com/advisories/ZDI-12-016/ http://www.securityfocus.com/bid/51398/discuss

    • 12.3.6 - CVE: CVE-2012-0268
    • Platform: Third Party Windows Apps
    • Title: Yahoo Messenger ".jpg" File Buffer Overflow
    • Description: Yahoo Messenger is a messenger application for Microsoft Windows. The application is exposed to a heap-based buffer overflow issue that affects the "CYImage::LoadJPG()" function of the "YImage.dll" library. Specifically, the issue is triggered when processing a specially crafted ".jpg" file. Yahoo Messenger version 11.5.0.152 is vulnerable and other versions may also be affected.
    • Ref: http://secunia.com/advisories/47041/ http://www.securityfocus.com/bid/51405/discuss

    • 12.3.7 - CVE: CVE-2011-4053
    • Platform: Third Party Windows Apps
    • Title: 7T Interactive Graphical SCADA System DLL Loading Arbitrary Code Execution
    • Description: 7T Interactive Graphical SCADA System is a SCADA application used for monitoring and controlling industrial processes. The application is exposed to an issue that allows attackers to execute arbitrary code. The issue arises because the application searches for an unspecified Dynamic Link Library file in the current working directory. Using the application to open the associated file will cause the malicious library file to be executed. 7T Interactive Graphical SCADA System versions prior to V9.0.0.11291 are affected.
    • Ref: http://www.us-cert.gov/control_systems/pdf/ICSA-11-353-01.pdf http://www.securityfocus.com/bid/51438/references

    • 12.3.8 - CVE: CVE-2012-0094,CVE-2012-0100,CVE-2012-0096,CVE-2012-0103,CVE-2012-0109,CVE-2012-0099,CVE-2012-0097,CVE-2012-0098
    • Platform: Solaris
    • Title: Oracle Solaris Multiple Vulnerabilities
    • Description: Oracle Solaris is exposed to multiple security issues. See reference for detailed information. Oracle Solaris 8, 9, 10 and 11 Express are affected.
    • Ref: http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html

    • 12.3.9 - CVE: Not Available
    • Platform: Cross Platform
    • Title: Wireshark Buffer Overflow and Denial of Service Vulnerabilities
    • Description: Wireshark is an application for analyzing network traffic. The application is exposed to multiple issues. A buffer overflow issue exists because of an error in the RLC dissector. A denial of service issue exists due to a null pointer dereference error when reading certain packet information. A denial of service issue exists because the application fails to properly check record sizes for packet capture file formats. Wireshark versions 1.4.0 through 1.4.10 and 1.6.0 through 1.6.4 are affected.
    • Ref: http://www.wireshark.org/security/wnpa-sec-2012-01.html


    • 12.3.11 - CVE: CVE-2012-0034
    • Platform: Cross Platform
    • Title: JBoss Cache Local Information Disclosure
    • Description: JBoss Cache is a custom designed Java SE application. The application is exposed to a local information disclosure issue. This issue occurs because the application fails to properly sanitize user-supplied input to the "getConnection()" function of the "jboss/cache/loader/NonManagedConnectionFactory.java" script. JBoss Cache 3.2.8.GA is vulnerable and other versions may also be affected.
    • Ref: https://issues.jboss.org/browse/JBCACHE-1612 http://www.securityfocus.com/bid/51392/references

    • 12.3.12 - CVE: CVE-2011-4868
    • Platform: Cross Platform
    • Title: ISC DHCP Server DHCPv6 NULL Pointer Dereference Denial Of Service
    • Description: ISC DHCP is a reference implementation of the DHCP protocol and includes a DHCP server, client and relay agent. The application is exposed to a remote denial of service issue caused by a NULL pointer dereference error. This issue affects the DHCPv6 lease structure when updating Dynamic DNS lease status. ISC DHCP 4.2.2, 4.2.3 and 4.2.3-P1 are vulnerable and other versions may also be affected.
    • Ref: https://www.isc.org/software/dhcp/advisories/cve-2011-4868

    • 12.3.13 - CVE: Not Available
    • Platform: Cross Platform
    • Title: Jenkins Hash Collision Denial Of Service
    • Description: Jenkins is a web server application. The application is exposed to a denial of service issue. An attacker can exploit this issue by sending a small number of specially crafted form posts to an affected application. Jenkins 1.446 and prior versions and Jenkins LTS 1.424.1 and prior versions are affected.
    • Ref: http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2012-01-10.cb


    • 12.3.15 - CVE: CVE-2011-3573,CVE-2011-3565,CVE-2011-3574,CVE-2011-3570
    • Platform: Cross Platform
    • Title: Oracle Communications Unified Multiple Vulnerabilities
    • Description: Oracle Communications Unified is exposed to multiple security issues. See reference for detailed information. Oracle Communications Unified version 7.0 is affected.
    • Ref: http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html#AppendixSUNS

    • 12.3.16 - CVE: CVE-2011-3564,CVE-2011-5035,CVE-2012-0104,CVE-2012-0081,CVE-2011-3564
    • Platform: Cross Platform
    • Title: Oracle GlassFish Enterprise Server Multiple Vulnerabilities
    • Description: Oracle GlassFish is an open source Application Server. The application is exposed to multiple security issues. See reference for detailed information. GlassFish Enterprise Server 2.1.1, 3.0.1 and 3.1.1 are affected.
    • Ref: http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html#AppendixSUNS

    • 12.3.17 - CVE: CVE-2012-0113,CVE-2011-2262,CVE-2012-0116,CVE-2012-0118,CVE-2012-0496,CVE-2012-0087,CVE-2012-0101,CVE-2012-0102,CVE-2012-0115,CVE-2012-0119,CVE-2012-0120,CVE-2012-0484,CVE-2012-0485,CVE-2012-0486,CVE-2012-0487,CVE-2012-0488,CVE-2012-0489,CVE-2012-0490
    • Platform: Cross Platform
    • Title: Oracle MySQL Multiple Vulnerabilities
    • Description: Oracle MySQL is database software. The application is exposed to multiple security issues. These issues may be remotely exploited without authentication. See reference for detailed information. Oracle MySQL versions 5.0.x, 5.1.x and 5.5.x are affected.
    • Ref: http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html#AppendixMSQL

    • 12.3.18 - CVE: Not Available
    • Platform: Web Application - Cross Site Scripting
    • Title: KnowledgeTree Multiple Cross-Site Scripting Vulnerabilities
    • Description: KnowledgeTree is an open source document manager. The application is exposed to multiple cross-site scripting issues because the "config/dmsDefaults.php" script fails to properly sanitize user-supplied input submitted to the append URL of the "login.php", "admin.php" and "preferences.php" scripts. KnowledgeTree 3.7.0.2 is vulnerable and prior versions may also be affected.
    • Ref: http://www.knowledgetree.org/Security_advisory:_URL_Manipulation

    • 12.3.19 - CVE: CVE-2012-0389
    • Platform: Web Application - Cross Site Scripting
    • Title: MailEnable "ForgottonPassword.aspx" Cross-Site Scripting
    • Description: MailEnable is a webmail application. The application is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input submitted to the "Username" parameter of the "ForgottenPassword.aspx" script. Professional, Enterprise and Premium version 4.26 and prior versions, Professional, Enterprise and Premium version 5.52 and prior versions and Professional, Enterprise and Premium version 6.02 and prior versions are affected.
    • Ref: http://www.securityfocus.com/bid/51401/references http://www.mailenable.com/kb/Content/Article.asp?ID=me020567


    • 12.3.21 - CVE: CVE-2011-1376
    • Platform: Web Application
    • Title: IBM WebSphere Application Server "iscdeploy" Script Insecure File Permissions
    • Description: IBM WebSphere Application Server is an application server used for service oriented architecture. The application is exposed to a local insecure file permissions issue. Specifically, this issue occurs because the "iscdeploy" script sets insecure permissions on files in the "$WAS_HOME/systemapps/isclite.ear" and "$WAS_HOME/bin/client_ffdc" directories. IBM WebSphere Application Server versions 6.1 through 6.1.0.41, 7.0 through 7.0.0.19 and 8.0 through 8.0.0.1 are affected.
    • Ref: http://www-01.ibm.com/support/docview.wss?uid=swg21569205 http://www-01.ibm.com/support/docview.wss?uid=swg24031675

    • 12.3.22 - CVE: Not Available
    • Platform: Web Application
    • Title: Kayako SupportSuite Multiple Vulnerabilities
    • Description: Kayako SupportSuite is a web-based support suite implemented in PHP. The application is exposed to multiple security issues. See reference for further details. Kayako SupportSuite versions prior to 4.0 are affected.
    • Ref: http://www.securityfocus.com/bid/51377/references


    • 12.3.24 - CVE: Not Available
    • Platform: Web Application
    • Title: VBulletin Multiple Products "blog_post.php" Security Bypass
    • Description: VBulletin is a content manager implemented in PHP. The application is exposed to a security bypass issue. Specifically, this issue occurs due to improper checking of certain security permissions in the "blog_post.php" script. Versions prior to vBulletin Publishing Suite 4.1.10 are affected.
    • Ref: https://www.vbulletin.com/forum/showthread.php/394259 http://www.securityfocus.com/bid/51391/references

    • 12.3.25 - CVE: CVE-2012-0079
    • Platform: Web Application
    • Title: Oracle OpenSSO Remote Security Vulnerability
    • Description: Oracle OpenSSO is a solution that provides Web access management, federated single sign-on and Web services security in a single, self-contained application. The application is exposed to a remote security issue that can be exploited over the "HTTPS" protocol. The "Administration" sub component is affected. Oracle OpenSSO version 7.1 and 8.0 are affected.
    • Ref: http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html#AppendixSUNS

    • 12.3.26 - CVE: CVE-2011-4788
    • Platform: Hardware
    • Title: HP StorageWorks Default Accounts and Directory Traversal Vulnerabilities
    • Description: HP StorageWorks is a storage array solution. The device is exposed to multiple security issues. A security bypass issue occurs due to the existence of a default account which allows unauthorized users to log into the device. A directory traversal issue exists within the web interface. HP StorageWorks P2000 G3 is affected.
    • Ref: http://www.securityfocus.com/bid/51399/discuss http://www.zerodayinitiative.com/advisories/ZDI-12-015/

    (c) 2012. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

    Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account