
@RISK: The Consensus Security Vulnerability Alert

Volume: XI, Issue: 4
January 26, 2012

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Platform                                  Number of Updates and Vulnerabilities
    ----------------------------------------  -------------------------------------
    Linux                                     2
    Cross Platform                            13 (#1)
    Web Application - Cross Site Scripting    2
    Web Application - SQL Injection           1
    Web Application                           4
    Network Device                            1


Table Of Contents
Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
    Linux
    Cross Platform
    Web Application - Cross Site Scripting
    Web Application - SQL Injection
    Web Application
    Network Device


    PART I Critical Vulnerabilities

    Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/risk/#process

    *************************************************************

    Widely Deployed Software
    • (1) MEDIUM: Google Chrome Stable Channel Updates
    • Affected:
      • Google Chrome prior to 18.0.1017.2
    • Description: Google has released updates for multiple security vulnerabilities affecting its Chrome web browser. The five vulnerabilities are all rated "High" or "Critical" by Google and include use-after-free vulnerabilities in DOM handling and Safe Browsing navigation, use of an uninitialized value in Skia (Google's 2D graphics library), and a heap buffer overflow in the tree builder. By enticing a target to view a malicious page, an attacker can exploit these vulnerabilities to execute arbitrary code on the target's machine.

    • Status: vendor confirmed, updates available

    • References:
    Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
    Week 4, 2012

    This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 13091 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.
    ______________________________________________________________________


    • 12.4.1 - CVE: CVE-2012-0058
    • Platform: Linux
    • Title: Linux Kernel iocbs Local Denial of Service
    • Description: The Linux kernel is exposed to a local denial of service issue that occurs when one of the iocbs submitted by a user fails. This leaves the remaining iocbs unprocessed and still active. Because active iocbs are not removed, the list may become corrupted, resulting in a kernel oops.
    • Ref: http://www.securityfocus.com/bid/51534/references

    • 12.4.2 - CVE: CVE-2012-0056
    • Platform: Linux
    • Title: Linux Kernel Local Privilege Escalation
    • Description: The Linux kernel is exposed to a local privilege escalation issue because the kernel fails to restrict access to "/proc/<pid>/mem" file. Successfully exploiting this issue will enable an attacker to write into the memory of a privileged process.
    • Ref: http://blog.zx2c4.com/749

    • 12.4.3 - CVE: CVE-2012-0329
    • Platform: Cross Platform
    • Title: Cisco Digital Media Manager Remote Privilege Escalation
    • Description: The Cisco Digital Media Manager is the central management application for all Cisco Digital Media Suite products. The application is exposed to a remote privilege escalation issue because of improper validation of unreferenced URLs. See reference for further details.
    • Ref: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120118-dmm

    • 12.4.4 - CVE: CVE-2011-4608
    • Platform: Cross Platform
    • Title: JBoss "mod_cluster" Security Bypass
    • Description: The JBoss "mod_cluster" module is a server module for various JBoss applications. The JBoss "mod_cluster" module is exposed to a remote security bypass issue that occurs because the "mod_cluster" module allows worker nodes to register on a virtual host.
    • Ref: https://rhn.redhat.com/errata/RHSA-2012-0040.html

    • 12.4.5 - CVE: CVE-2012-0050
    • Platform: Cross Platform
    • Title: OpenSSL DTLS Remote Denial of Service
    • Description: OpenSSL is an open source implementation of the SSL protocol. OpenSSL is exposed to a denial of service issue because of an incorrect fix for CVE-2011-4108. OpenSSL versions 1.0.0f and 0.9.8s are affected.
    • Ref: http://www.openssl.org/news/secadv_20120118.txt

    • 12.4.6 - CVE: CVE-2012-0063
    • Platform: Cross Platform
    • Title: Tucan Manager Plugin Update Security Bypass
    • Description: Tucan Manager is a file sharing application. Tucan Manager is exposed to a security bypass issue because the application fails to properly check digital signatures before installing plugins. Tucan Manager version 0.3.9-1 is affected.
    • Ref: https://bugzilla.redhat.com/show_bug.cgi?id=782999

    • 12.4.7 - CVE: CVE-2012-0059
    • Platform: Cross Platform
    • Title: Multiple Red Hat Network Products XMLRPC Credential Information Disclosure
    • Description: Multiple Red Hat products including Red Hat Network Satellite Server, Red Hat Network Proxy Server and Spacewalk are exposed to a remote information disclosure issue. The problem occurs when handling a failed XMLRPC system registration call.
    • Ref: https://bugzilla.redhat.com/show_bug.cgi?id=782819

    • 12.4.8 - CVE: Not Available
    • Platform: Cross Platform
    • Title: GE Energy D20/D200 Substation Controller Code Execution and Information Disclosure Vulnerabilities
    • Description: D20/D200 Substation Controller is a software application that provides substation server functionality in a mission critical substation hardened package. D20/D200 Substation Controller is exposed to multiple issues: an arbitrary code execution issue and an information disclosure issue, both of which occur because of unspecified errors within the TFTP service.
    • Ref: http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-12-019-01.pdf

    • 12.4.9 - CVE: Not Available
    • Platform: Cross Platform
    • Title: KingSCADA Credential Information Disclosure
    • Description: KingSCADA is an Interactive Graphical SCADA System. KingSCADA is exposed to a remote information disclosure issue because user credentials are insecurely stored in the "user.db". KingSCADA version 3.0 is affected.
    • Ref: http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-12-020-06.pdf

    • 12.4.10 - CVE: CVE-2012-0192
    • Platform: Cross Platform
    • Title: IBM Lotus Symphony Image Object Integer Overflow
    • Description: IBM Lotus Symphony is productivity software that contains three applications: Lotus Symphony Documents, Lotus Symphony Spreadsheets and Lotus Symphony Presentations. IBM Lotus Symphony is exposed to an integer overflow issue because it fails to properly validate user-supplied input when processing embedded image objects. IBM Lotus Symphony version 3.0.0 FP3 revision 20110707.1500 is affected.
    • Ref: http://www-01.ibm.com/support/docview.wss?uid=swg21578684

    • 12.4.11 - CVE: Not Available
    • Platform: Cross Platform
    • Title: IBM solidDB "SELECT" Statement Denial of Service
    • Description: IBM solidDB is a relational SQL database. IBM solidDB is exposed to a denial of service issue when processing a "SELECT" statement, which contains a rownum condition with a subquery. IBM solidDB versions prior to 6.5.0.8 Interim Fix 5 are affected.
    • Ref: http://www-01.ibm.com/support/docview.wss?rs=3457&uid=swg1IC79861

    • 12.4.12 - CVE: CVE-2011-3923
    • Platform: Cross Platform
    • Title: Apache Struts "ParameterInterceptor" Class OGNL Security Bypass
    • Description: Apache Struts is a framework for building web applications. Apache Struts is exposed to a security bypass issue because it fails to adequately handle user-supplied input. Specifically, the application permits attackers to bypass protection mechanisms built into the "ParameterInterceptor" class with OGNL expressions. Apache Struts versions 2.0.0 through 2.3.1.1 are affected.
    • Ref: https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt

    • 12.4.13 - CVE: CVE-2011-3928, CVE-2011-3927, CVE-2011-3926, CVE-2011-3925, CVE-2011-3924
    • Platform: Cross Platform
    • Title: Google Chrome Multiple Security Vulnerabilities
    • Description: Google Chrome is a web browser for multiple platforms. Google Chrome is exposed to multiple security issues. See reference for complete details. Chrome versions prior to 16.0.912.77 are affected.
    • Ref: http://googlechromereleases.blogspot.com/2012/01/stable-channel-update_23.html

    • 12.4.14 - CVE: Not Available
    • Platform: Cross Platform
    • Title: SAP NetWeaver Multiple Remote Vulnerabilities
    • Description: SAP NetWeaver is an integration platform for enterprise applications. The platform is exposed to multiple issues. A security bypass issue allows attackers to gain unauthorized access to Runtime Workbench resources. An information disclosure issue affects the "PFL_CHECK_OS_FILE_EXISTENCE" function.
    • Ref: http://dsecrg.com/pages/vul/show.php?id=411

    • 12.4.15 - CVE: Not Available
    • Platform: Cross Platform
    • Title: Opera Web Browser Information Disclosure and Security Bypass Vulnerabilities
    • Description: Opera Web Browser is a browser available for multiple operating systems. Opera Web Browser is exposed to multiple issues. An information disclosure issue occurs because certain types of HTML elements fail to behave properly when referencing a local file. A security bypass issue lets attackers bypass the same-origin policy because of an error related to framed content. Opera versions prior to 11.61 are affected.
    • Ref: http://www.opera.com/support/kb/view/1008/

    • 12.4.16 - CVE: CVE-2011-5065
    • Platform: Web Application - Cross Site Scripting
    • Title: IBM WebSphere Application Server Cross-Site Scripting
    • Description: IBM WebSphere Application Server for z/OS is a web server. The server is exposed to an unspecified cross-site scripting issue because it fails to properly sanitize user-supplied input. IBM WebSphere Application Server versions prior to 6.1.0.41 are affected.
    • Ref: http://www-01.ibm.com/support/docview.wss?uid=swg27007951

    • 12.4.17 - CVE: CVE-2012-0312, CVE-2012-0311
    • Platform: Web Application - Cross Site Scripting
    • Title: osCommerce Multiple Unspecified Cross Site Scripting Vulnerabilities
    • Description: osCommerce is a web-based shopping cart application. The application is exposed to multiple unspecified cross-site scripting issues because it fails to properly sanitize user-supplied input.
    • Ref: http://jvn.jp/en/jp/JVN36559450/index.html

    • 12.4.18 - CVE: Not Available
    • Platform: Web Application - SQL Injection
    • Title: SolarWinds Storage Manager Server SQL Injection
    • Description: Storage Manager Server is an application for storage virtualization management. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "loginName" field of the "LoginServlet" page. Storage Manager Server version 5.1.2 is affected.
    • Ref: http://www.securityfocus.com/archive/1/521328

    • 12.4.19 - CVE: CVE-2011-5066
    • Platform: Web Application
    • Title: IBM WebSphere Application Server SibRaRecoverableSiXaResource Information Disclosure
    • Description: The IBM WebSphere Application Server is available for various operating systems. The IBM WebSphere Application Server is exposed to a remote information disclosure issue because it does not properly handle a Service Integration Bus dump operation.
    • Ref: http://www-01.ibm.com/support/docview.wss?uid=swg1PM36685

    • 12.4.20 - CVE: Not Available
    • Platform: Web Application
    • Title: WordPress uCan Post plugin Multiple HTML Injection Vulnerabilities
    • Description: WordPress is a PHP-based content manager. uCan Post is a plugin for WordPress. The plugin is exposed to multiple HTML injection issues because it fails to properly sanitize user-supplied input submitted to the "Name", "Email" and "Title" fields. uCan Post version 1.0.09 is affected.
    • Ref: http://www.securityfocus.com/bid/51564

    • 12.4.21 - CVE: Not Available
    • Platform: Web Application
    • Title: WordPress AllWebMenus Plugin "actions.php" Arbitrary File Upload
    • Description: AllWebMenus is a plugin for WordPress. The plugin is exposed to an arbitrary file upload issue because it fails to properly validate file extensions. AllWebMenus versions prior to 1.1.9 are affected.
    • Ref: http://www.securityfocus.com/bid/51615

    • 12.4.22 - CVE: Not Available
    • Platform: Web Application
    • Title: Joomla! "com_some" Component "controller" Parameter Local File Include
    • Description: "com_some" is a component for the Joomla! content manager. The component is exposed to a local file include issue because it fails to properly sanitize user-supplied input submitted to the "controller" parameter of the "index.php" script.
    • Ref: http://www.securityfocus.com/bid/51621

    • 12.4.23 - CVE: CVE-2011-4659
    • Platform: Network Device
    • Title: Cisco IP Video Phone E20 Default Root Credentials Authentication Bypass
    • Description: Cisco IP Video Phone E20 is a communication device which merges voice, video and collaboration into one unit. Cisco IP Video Phone E20 is exposed to a remote authentication bypass issue because the default "root" account is not properly disabled.
    • Ref: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120118-te

    (c) 2012. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

    Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account