
@RISK: The Consensus Security Vulnerability Alert

Volume: XI, Issue: 6
February 9, 2012

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Summary of Updates and Vulnerabilities in this Consensus

    Platform                                   Number of Updates and Vulnerabilities
    -----------------------------------------  -------------------------------------
    Third Party Windows Apps                   7
    Linux                                      1 (#2)
    Aix                                        1
    Cross Platform                             4 (#1)
    Web Application - Cross Site Scripting     3
    Web Application - SQL Injection            2
    Web Application                            7

**************************************************************************
TRAINING UPDATE

--SANS Phoenix 2012, Phoenix, AZ, February 13-18, 2012. 6 courses. Bonus evening presentations include Desktop Betrayal: Exploiting Clients Through the Features They Demand; and Windows Exploratory Surgery with Process Hacker.
  http://www.sans.org/phoenix-2012/

--SANS Secure Singapore 2012, Singapore, Singapore, March 5-17, 2012. 5 courses. Bonus evening presentations include Introduction to Windows Memory Analysis; and Why Our Defenses are Failing Us: One Click is All It Takes ...
  http://www.sans.org/singapore-2012/

--SANS Mobile Device Security Summit: The Growing and Constantly Changing Challenge, Nashville, TN. Summit: March 12-13, 2012; Post-Summit Courses: March 14-15, 2012. Mobile device security experts and practitioners from organizations that have implemented successful programs will discuss the most promising approaches to this new and evolving challenge.
  http://www.sans.org/mobile-device-security-summit-2012/

--SANS 2012, Orlando, FL, March 23-29, 2012. 40 courses. Bonus evening presentations include Exploiting Vulnerabilities: 60 Minutes from Discovery to Exploit; Evolving Threats; and Harbinger of Evil: The Forensic Art of Finding Malware.
  http://www.sans.org/sans-2012/

--SANS Northern Virginia 2012, Reston, VA, April 15-20, 2012. 7 courses. Bonus evening presentations include Linux Forensics for Non-Linux Folks; and Who Do You Trust? SSL and TLS Under Attack.
  http://www.sans.org/northern-virginia-2012/

--SANS Cyber Guardian 2012, Baltimore, MD, April 30-May 7, 2012. 11 courses. Bonus evening presentations include Ninja Assessments: Stealth Security Testing for Organizations; and Adjusting Our Defenses for 2012.
  http://www.sans.org/cyber-guardian-2012/

--SANS AppSec 2012, Las Vegas, NV, April 24-May 1, 2012. 5 courses.
  http://www.sans.org/appsec-2012/

--Looking for training in your own community?
  http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/discounts.php#current

Plus Bangalore, San Francisco, Stuttgart, Boston, and Abu Dhabi all in the next 90 days.

For a list of all upcoming events, on-line and live: https://www.sans.org/index.php

************************************************************************

Table Of Contents
Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
    Third Party Windows Apps
    Linux
    Aix
    Cross Platform
    Web Application - Cross Site Scripting
    Web Application - SQL Injection
    Web Application

    PART I Critical Vulnerabilities

    Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/risk/#process

    *************************************************************

    Widely Deployed Software
    • (2) MEDIUM: Novell iPrint Server Buffer Overflow
    • Affected:
      • Novell iPrint for Linux Open Enterprise Server prior to OES2 SP3 patch 7885
    • Description: Novell has released patches for iPrint, its web-based print management software. The server software for iPrint, which runs on Linux, provides a web interface for printer administration that can be accessed from multiple platforms. Vulnerable versions of the server software, which listens by default on port 631, read attacker-controlled data of arbitrary length into a fixed-length stack buffer. By sending a malicious request, an attacker can exploit this vulnerability to execute arbitrary code on the target machine.

    • Status: vendor confirmed, updates available

    • References:
    Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
    Week 6, 2012

    Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

    This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 13206 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.
    ______________________________________________________________________


    • 12.6.1 - CVE: CVE-2011-4511,CVE-2011-4510
    • Platform: Third Party Windows Apps
    • Title: Siemens SIMATIC HMI Multiple Unspecified Cross-Site Scripting Vulnerabilities
    • Description: Siemens SIMATIC HMI is a software package used as an interface between the operator and the programmable logic controllers (PLCs) controlling the process. The application is exposed to multiple unspecified cross-site scripting issues because it fails to properly sanitize user-supplied input. WinCC flexible versions 2004, 2005, 2007, 2008, WinCC V11 (TIA portal), Multiple SIMATIC HMI panels (TP, OP, MP, Comfort Panels, Mobile Panels), WinCC V11 Runtime Advanced and WinCC flexible Runtime are affected.
    • Ref: http://www.us-cert.gov/control_systems/pdf/ICSA-12-030-01.pdf



    • 12.6.4 - CVE: Not Available
    • Platform: Third Party Windows Apps
    • Title: Edraw Diagram Component ActiveX Control Buffer Overflow
    • Description: The Edraw Diagram Component ActiveX control is a drawing board application. The ActiveX control ("EDBoard.ocx") is exposed to a remote buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data. Specifically, the issue occurs in the "LicenseName()" method when processing a specially-crafted license name string. Edraw Diagram Component 5 is vulnerable and other versions may also be affected.
    • Ref: http://www.securityfocus.com/bid/51866/discuss

    • 12.6.5 - CVE: Not Available
    • Platform: Third Party Windows Apps
    • Title: TYPSoft FTP Server Multiple Commands Remote Denial of Service Vulnerabilities
    • Description: TYPSoft is an FTP server available for Microsoft Windows. TYPSoft FTP Server is exposed to multiple remote denial of service issues because the application fails to properly handle specially crafted FTP commands. TYPSoft FTP Server 1.10.0 is vulnerable and other versions may also be affected.
    • Ref: http://www.securityfocus.com/bid/51891/discuss

    • 12.6.6 - CVE: Not Available
    • Platform: Third Party Windows Apps
    • Title: XnView JPEG2000 Buffer Overflow
    • Description: XnView is a graphics application available for Microsoft Windows. The application is exposed to a buffer overflow issue because it fails to perform adequate boundary checks on user-supplied input. This issue occurs in the "Xjp2.dll" library while processing the Quantization Default (QCD) marker segment. Specifically, the issue is triggered when processing a specially crafted JPEG2000 "JP2" file. XnView 1.98.5 is vulnerable and other versions may also be affected.
    • Ref: http://www.securityfocus.com/bid/51896/discuss https://secunia.com/advisories/47352

    • 12.6.7 - CVE: CVE-2011-4534,CVE-2011-4533
    • Platform: Third Party Windows Apps
    • Title: Ing. Punzenberger COPA-DATA GmbH zenon Multiple Denial of Service Vulnerabilities
    • Description: Ing. Punzenberger COPA-DATA GmbH zenon is software for industrial automation. Zenon is exposed to multiple denial of service issues, one affecting the "zenAdminSrv.exe" service and one affecting the "ZenSysSrv.exe" service. Zenon 6.51 SP0 is vulnerable and other versions may also be affected.
    • Ref: http://www.us-cert.gov/control_systems/pdf/ICSA-12-013-01.pdf

    • 12.6.8 - CVE: CVE-2011-4610
    • Platform: Linux
    • Title: JBoss Web Remote Denial of Service
    • Description: JBoss Web is a web container application in the JBoss Enterprise Application Platform. JBoss Web is exposed to a remote denial of service issue. Specifically, the issue occurs because of an error in the way the application handles specially crafted UTF-8 surrogate pair characters. JBoss Enterprise Application Platform 5.1.2, JBoss Enterprise Web Platform 5.1.2, JBoss Communications Platform 5.1.3 and JBEWP 5 for RHEL4/RHEL5/RHEL6 are affected.
    • Ref: https://bugzilla.redhat.com/show_bug.cgi?id=767871

    • 12.6.9 - CVE: CVE-2012-0194
    • Platform: Aix
    • Title: IBM AIX TCP Stack Denial of Service
    • Description: IBM AIX is an open-standards-based UNIX operating system. IBM AIX is exposed to a denial of service issue that occurs when processing specially crafted TCP packets. Specifically, this issue occurs due to an error when the TCP large send offload option is enabled on a network interface. IBM AIX 5.3, 6.1, and 7.1 are vulnerable and other versions may also be affected.
    • Ref: http://aix.software.ibm.com/aix/efixes/security/large_send_advisory.asc

    • 12.6.10 - CVE: Not Available
    • Platform: Cross Platform
    • Title: PHP "htmlspecialchars()" Function Buffer Overflow
    • Description: PHP is a general purpose scripting language especially suited for web development which can be embedded into HTML. PHP is exposed to a buffer overflow issue because it fails to bounds-check user-supplied input submitted to the "htmlspecialchars()" function before copying it into an insufficiently sized buffer. PHP 5.4 is vulnerable and other versions may also be affected.
    • Ref: https://bugs.php.net/bug.php?id=60965 http://www.securityfocus.com/bid/51860/discuss

    • 12.6.11 - CVE: CVE-2011-4930
    • Platform: Cross Platform
    • Title: Condor Multiple Format String Vulnerabilities
    • Description: Condor is a workload management system for UNIX and Windows platforms. Condor is exposed to multiple format string vulnerabilities because it fails to filter format string specifiers before logging. The application crashes when an attacker requests the transfer of a file whose name contains specially crafted format string specifiers. Condor 7.2.0 to 7.6.4 are affected.
    • Ref: http://research.cs.wisc.edu/condor/security/vulnerabilities/CONDOR-2012-0001.html

    • 12.6.12 - CVE: CVE-2012-0922,CVE-2012-0923,CVE-2012-0924,CVE-2012-0925,CVE-2012-0926,CVE-2012-0927,CVE-2012-0928
    • Platform: Cross Platform
    • Title: Real Networks RealPlayer Multiple Remote Code Execution Vulnerabilities
    • Description: Real Networks RealPlayer is a media player available for multiple platforms. The application is exposed to multiple remote code execution issues. See reference for further details. Versions prior to RealPlayer 15.02.71 are affected.
    • Ref: http://service.real.com/realplayer/security/02062012_player/en/

    • 12.6.13 - CVE: CVE-2012-0803
    • Platform: Cross Platform
    • Title: Apache CXF UsernameToken Policy Validation Security Bypass
    • Description: Apache CXF is an open source services framework. Apache CXF is exposed to a security bypass issue because it fails to properly validate the existence of a WS-Security UsernameToken within a SOAP request. Apache CXF 2.4.5 and 2.5.1 are affected.
    • Ref: http://cxf.apache.org/cve-2012-0803.html

    • 12.6.14 - CVE: Not Available
    • Platform: Web Application - Cross Site Scripting
    • Title: NexorONE "login.php" Multiple Cross Site Scripting Vulnerabilities
    • Description: NexorONE is online banking software. The application is exposed to multiple cross-site scripting issues because it fails to sanitize user-supplied input submitted to the "message" and "visitor_language" parameters of the "login.php" script. NexorONE Online Banking Software is affected.
    • Ref: http://www.securityfocus.com/bid/51876/discuss http://www.vulnerability-lab.com/get_content.php?id=304

    • 12.6.15 - CVE: Not Available
    • Platform: Web Application - Cross Site Scripting
    • Title: Simple Groupware "export" Parameter Cross Site Scripting
    • Description: Simple Groupware is a PHP-based content management system. Simple Groupware is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input submitted to the "export" parameter of the "index.php" script. Simple Groupware 0.742 is vulnerable and other versions may also be affected.
    • Ref: http://www.securityfocus.com/archive/1/521518

    • 12.6.16 - CVE: Not Available
    • Platform: Web Application - Cross Site Scripting
    • Title: eFront "administrator.php" Cross-Site Scripting
    • Description: eFront is a PHP-based e-learning application. eFront is exposed to a cross-site scripting issue because it fails to properly sanitize user-supplied input submitted to the "&filter" module of the "communityplusplus/www/administrator.php" script. eFront 3.6.10 is vulnerable; other versions may also be affected.
    • Ref: http://www.securityfocus.com/archive/1/521523 http://www.vulnerability-lab.com/get_content.php?id=423

    • 12.6.17 - CVE: Not Available
    • Platform: Web Application - SQL Injection
    • Title: HDWiki URI SQL Injection
    • Description: HDWiki is a web-based application implemented in PHP. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data from the URI. This issue affects the "hdwiki/index.php" script in the "model/comment.class.php" file. HDWiki 5.1 is vulnerable and other versions may also be affected.
    • Ref: http://www.securityfocus.com/bid/51871/discuss

    • 12.6.18 - CVE: Not Available
    • Platform: Web Application - SQL Injection
    • Title: BASE "base_qry_main.php" SQL Injection
    • Description: BASE is a web-based application implemented in PHP. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data submitted to the "ip_addr[0][9]" parameter of the "base_qry_main.php" script before using it in an SQL query. BASE 1.4.5 is vulnerable and other versions may also be affected.
    • Ref: http://www.securityfocus.com/bid/51874/discuss

    • 12.6.19 - CVE: CVE-2011-3639
    • Platform: Web Application
    • Title: Apache HTTP Server "mod_proxy" Reverse Proxy Security Bypass
    • Description: Apache HTTP Server is an HTTP web server. Apache HTTP Server is exposed to a security bypass issue in the "mod_proxy" component. Specifically, when the "RewriteRule" or "ProxyPassMatch" directives are used to configure a reverse proxy, it may be possible to access internal servers because a crafted URL containing a scheme is not handled correctly. Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x before 2.2.18 are affected.
    • Ref: https://community.qualys.com/blogs/securitylabs/tags/cve-2011-4317
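    As an added configuration check (not code from the bulletin, Qualys or the Apache project), the script below audits RewriteRule [P] and ProxyPassMatch lines for the weak form behind this entry, a pattern not anchored at "^/" and a backend target with no "/" between host and captured group, and shows the corrected form beside it. The sample configs, hostnames and function name are constructed for the example; directive arguments are assumed unquoted.

```python
"""Audit Apache reverse-proxy directives for unanchored patterns.

Added example for the mod_proxy entry; not @RISK, Qualys or Apache code.
Hardening: anchor the pattern at "^/" and keep a "/" between backend host and
"$1", so a request target not starting with "/" is never spliced into the
authority part of the backend URL. Sample configs/hostnames are constructed.
"""
import re
from typing import List

# Constructed sample: the weak form of the two directives named in the entry.
WEAK_CONFIG = """
RewriteEngine On
RewriteRule (.*) http://backend.internal$1 [P]
ProxyPassMatch ^(.*\\.php)$ http://app.internal$1
"""

# Constructed sample: the corrected form, anchored and with the separating slash.
FIXED_CONFIG = """
RewriteEngine On
RewriteRule ^/(.*) http://backend.internal/$1 [P]
ProxyPassMatch ^/(.*\\.php)$ http://app.internal/$1
"""

# A safe backend target reads scheme://host/ before any captured group ($1).
_TARGET_OK = re.compile(r"^[a-z][a-z0-9+.-]*://[^/$]+/")


def audit_proxy_directives(config: str) -> List[str]:
    """Return one finding per RewriteRule [P] or ProxyPassMatch directive whose
    pattern is not anchored at '^/' or whose target lacks the host/path slash."""
    findings: List[str] = []
    for lineno, raw in enumerate(config.splitlines(), 1):
        parts = raw.split()  # assumption: arguments are unquoted
        if not parts or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()
        if directive == "rewriterule" and len(parts) >= 4:
            flags = {f.strip().lower() for f in parts[3].strip("[]").split(",")}
            if not flags & {"p", "proxy"}:
                continue  # rewrite without proxying: not a reverse-proxy rule
            pattern, target = parts[1], parts[2]
        elif directive == "proxypassmatch" and len(parts) >= 3:
            pattern, target = parts[1], parts[2]
        else:
            continue
        if not pattern.startswith("^/"):
            findings.append(f"line {lineno}: {parts[0]} pattern {pattern!r} "
                            "is not anchored at '^/'")
        if not _TARGET_OK.match(target):
            findings.append(f"line {lineno}: {parts[0]} target {target!r} "
                            "has no '/' between host and captured path")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, audit_proxy_directives(cfg) or ["no findings"])
```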

    • 12.6.20 - CVE: Not Available
    • Platform: Web Application
    • Title: ManageEngine Applications Manager Multiple Cross-Site Scripting and SQL Injection Vulnerabilities
    • Description: The ManageEngine Applications Manager is a web-based availability and performance monitoring application. The application is exposed to an SQL injection issue and multiple cross-site scripting issues because it fails to sufficiently sanitize user-supplied input. ManageEngine Applications Manager 10.2 is vulnerable and prior versions may also be affected.
    • Ref: http://www.vulnerability-lab.com/get_content.php?id=115 http://www.securityfocus.com/bid/51796/discuss

    • 12.6.21 - CVE: Not Available
    • Platform: Web Application
    • Title: TYPO3 Third Party Extensions Multiple Vulnerabilities
    • Description: TYPO3 is a PHP-based content manager. Multiple third party extensions within TYPO3 are exposed to multiple issues. See reference for further details. Extensions Kitchen recipe, Category-System, White Papers, Documents download, Post data records to facebook, System Utilities, Webservices for TYPO3, CSS styled Filelinks, Modern FAQ, Euro Calculator, Yet another Google search, Terminal PHP Shell, BE User Switch, Additional TCA Forms and UrlTool are affected.
    • Ref: http://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2012-001/


    • 12.6.23 - CVE: CVE-2012-0396
    • Platform: Web Application
    • Title: EMC Documentum xPlore Information Disclosure
    • Description: EMC Documentum xPlore is a document search application. EMC Documentum xPlore is exposed to an information disclosure issue. Specifically, users with BROWSE permissions on objects may be able to gain access to certain metadata on the object without proper authorization. EMC Documentum xPlore 1.0 (all patch versions), EMC Documentum xPlore 1.1 (all patch versions prior to 1.1 P07) and EMC Documentum xPlore 1.2 (all patch versions) are affected.
    • Ref: http://www.securityfocus.com/archive/1/521481


    • 12.6.25 - CVE: Not Available
    • Platform: Web Application
    • Title: Vespa "getid3.php" Local File Include
    • Description: Vespa is a simple PHP-based web parser for directories containing audio files. The application is exposed to a local file include issue because it fails to sufficiently sanitize user-supplied input submitted to the "include" parameter of the "getid3.php" script. Vespa 0.8.6 is vulnerable and other versions may also be affected.
    • Ref: http://www.securityfocus.com/bid/51878/discuss http://packetstormsecurity.org/files/109476

    (c) 2012. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

    Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account