
@RISK: The Consensus Security Vulnerability Alert

Volume: XI, Issue: 8
February 23, 2012

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

Summary of Updates and Vulnerabilities in this Consensus

    Platform                                  Number of Updates and Vulnerabilities
    ----------------------------------------  -------------------------------------
    Third Party Windows Apps                  6
    Linux                                     1
    Cross Platform                            7 (#1,#2,#3,#4)
    Web Application - Cross Site Scripting    3
    Web Application - SQL Injection           1
    Web Application                           4
    Network Device                            3
    Hardware                                  1

************************** Sponsored By SANS *****************************

Take the SANS 8th Annual Log and Event Management Survey and be entered to WIN a $250 American Express Card. http://www.sans.org/info/99976

**************************************************************************

TRAINING UPDATE

--SANS Secure Singapore 2012, Singapore, Singapore March 5-17, 2012 5 courses. Bonus evening presentations include Introduction to Windows Memory Analysis; and Why Our Defenses are Failing Us: One Click is All It Takes ... http://www.sans.org/singapore-2012/

--SANS Mobile Device Security Summit: The Growing and Constantly Changing Challenge, Nashville, TN Summit: March 12-13, 2012; Post-Summit Courses: March 14-15, 2012 Mobile device security experts and practitioners from organizations that have implemented successful programs will discuss the most promising approaches to this new and evolving challenge. http://www.sans.org/mobile-device-security-summit-2012/

--SANS 2012, Orlando, FL March 23-29, 2012 40 courses. Bonus evening presentations include Exploiting Vulnerabilities: 60 Minutes from Discovery to Exploit; Evolving Threats; and Harbinger of Evil: The Forensic Art of Finding Malware. http://www.sans.org/sans-2012/

--SANS Northern Virginia 2012, Reston, VA April 15-20, 2012 7 courses. Bonus evening presentations include Linux Forensics for Non-Linux Folks; and Who Do You Trust? SSL and TLS Under Attack http://www.sans.org/northern-virginia-2012/

--SANS Cyber Guardian 2012, Baltimore, MD April 30-May 7, 2012 11 courses. Bonus evening presentations include Ninja Assessments: Stealth Security testing for Organizations; and Adjusting Our Defenses for 2012. http://www.sans.org/cyber-guardian-2012/

--SANS AppSec 2012, Las Vegas, NV April 24-May 1, 2012 5 courses. http://www.sans.org/appsec-2012/

--SANS Secure Europe 2012, Amsterdam, Netherlands May 7-19, 2012 11 courses. http://www.sans.org/secure-amsterdam-2012/

--SANS Security West 2012, San Diego, CA May 10-18, 2012 25 courses. Bonus evening presentations include Metametrics - A New Approach to Information Security Management Metrics; and Malware Analysis Essentials Using REMnux. http://www.sans.org/security-west-2012/

--Looking for training in your own community? http://www.sans.org/community/

Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/discounts.php#current

Plus San Francisco, Stuttgart, Boston, Abu Dhabi, and Toronto all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Third Party Windows Apps
Linux
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application
Network Device
Hardware

*************************** Sponsored Link: *****************************

1) Privileged Password Sharing: Root of All Evil Featuring Senior SANS Analyst, J. Michael Butler, and Jason Fehrenbach from Quest Software. http://www.sans.org/info/99981

************************************************************************

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/risk/#process

*************************************************************

Widely Deployed Software
  • (2) HIGH: Mozilla Firefox png_decompress_chunk Integer Overflow
  • Affected:
    • Firefox 10.0.2
    • Firefox 3.6.27
  • Description: Mozilla has released a patch for an unspecified integer overflow affecting its libpng library. The overflow occurs when decompressing some PNG files. Mozilla reports that the issue may be exploitable, meaning that an attacker may be able to use it to control the instruction pointer. If so, by enticing a target to view a malicious site, an attacker can potentially exploit the vulnerability in order to execute arbitrary code on the target's machine.

  • Status: vendor confirmed, updates available

  • References:
  • (4) MEDIUM: Google Chrome Multiple Security Vulnerabilities
  • Affected:
    • Chrome prior to 17.0.963.56
  • Description: Google has released patches for multiple security vulnerabilities affecting its Chrome web browser. The issues include seven vulnerabilities rated "High," including integer overflows in Chrome's PDF handling and libpng, a possible use-after-free in database handling, a heap overflow in path and MKV rendering, a use-after-free in subframe handling, and a bad cast in column handling. Although the details of these issues are not disclosed, it is likely that at least some of them are exploitable. By enticing a target to view a malicious site, an attacker can potentially execute arbitrary code on the target's machine.

  • Status: vendor confirmed, updates available

  • References:
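Both Part I entries above involve integer overflows in libpng. The common shape of that bug class is an allocation size derived from untrusted header fields (image height, row width, decompressed chunk length) that silently wraps, so a small buffer is allocated and later overrun by the decoded data. The following is an added illustration from the defender's side, not Mozilla's, Google's or libpng's code; every function and value in it is constructed for this example, and it shows the size arithmetic check a decoder must apply before calling malloc or realloc, next to the naive form that wraps.

```c
/* Added example (not libpng or browser code): size arithmetic on untrusted
 * image dimensions, checked against wrap-around. All names are hypothetical. */
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Bytes needed for `height` rows of `row_bytes` each plus `extra` header/padding
 * bytes. Returns 0 and writes *out on success; returns -1 if the true value does
 * not fit in size_t. The division form avoids relying on compiler builtins. */
int checked_image_size(size_t height, size_t row_bytes, size_t extra, size_t *out) {
    if (height != 0 && row_bytes > SIZE_MAX / height) return -1; /* product would wrap */
    size_t bytes = height * row_bytes;
    if (bytes > SIZE_MAX - extra) return -1;                     /* sum would wrap */
    *out = bytes + extra;
    return 0;
}

/* The naive form: the product wraps modulo 2^N, so a hostile header can turn
 * an enormous image into a tiny allocation. Kept only to show what the check
 * above rejects; it returns the wrapped value. */
size_t naive_image_size(size_t height, size_t row_bytes, size_t extra) {
    return height * row_bytes + extra;
}

/* Append `chunk_len` bytes of decompressed data to a growing output buffer,
 * refusing the growth if the new length would wrap or exceed a policy cap
 * (`max_total`, e.g. derived from the validated image size). 0 on success,
 * -1 on rejection; on rejection *buf and *len are left unchanged. */
int append_decompressed(uint8_t **buf, size_t *len, const uint8_t *data,
                        size_t chunk_len, size_t max_total) {
    if (chunk_len > SIZE_MAX - *len) return -1;
    size_t new_len = *len + chunk_len;
    if (new_len > max_total) return -1;
    uint8_t *p = realloc(*buf, new_len ? new_len : 1);
    if (p == NULL) return -1;
    memcpy(p + *len, data, chunk_len);
    *buf = p;
    *len = new_len;
    return 0;
}

/* Self-check on constructed inputs: returns 1 when the checked path rejects a
 * wrapping header, the naive path wraps to a tiny size, and the buffer cap holds. */
int demo_checks(void) {
    size_t out = 0;
    size_t half = SIZE_MAX / 2 + 1;            /* half * 2 wraps to 0 on any width */
    int ok = 1;
    ok = ok && checked_image_size(half, 2, 1, &out) == -1;
    ok = ok && naive_image_size(half, 2, 1) == 1;
    ok = ok && checked_image_size(100, 4, 1, &out) == 0 && out == 401;

    uint8_t *buf = NULL;
    size_t len = 0;
    const uint8_t d[4] = {1, 2, 3, 4};         /* constructed "decompressed" bytes */
    ok = ok && append_decompressed(&buf, &len, d, 4, 8) == 0 && len == 4;
    ok = ok && append_decompressed(&buf, &len, d, 4, 8) == 0 && len == 8;
    ok = ok && append_decompressed(&buf, &len, d, 1, 8) == -1 && len == 8;
    free(buf);
    return ok;
}

int main(void) {
    printf("checks %s\n", demo_checks() ? "passed" : "FAILED");
    return demo_checks() ? 0 : 1;
}
```

The policy cap passed to `append_decompressed` is the important second line of defence: even when every individual addition is wrap-free, a decoder that grows its buffer without an upper bound tied to the declared image size turns a malformed file into a memory-exhaustion denial of service.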
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 8, 2012

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 13306 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.

______________________________________________________________________


  • 12.8.1 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: R2/Extreme Stack Based Buffer Overflow and Directory Traversal Vulnerabilities
  • Description: R2/Extreme is a plugin for the WinAmp music player. The application is exposed to multiple issues. A stack-based buffer overflow issue affects the application when processing a specially crafted "File" command. A directory traversal issue affects the application when processing a specially crafted "File" command. R2/Extreme 1.65 is vulnerable; other versions may also be affected.
  • Ref: http://aluigi.org/adv/r2_1-adv.txt http://www.securityfocus.com/bid/52061/discuss

  • 12.8.2 - CVE: CVE-2012-0224
  • Platform: Third Party Windows Apps
  • Title: 7T AQUIS DLL Loading Arbitrary Code Execution
  • Description: 7T AQUIS is a water network simulation platform for improving system design and operation. The application is exposed to an issue that allows attackers to execute arbitrary code. The issue arises because the application searches for an unspecified Dynamic Link Library file in the current working directory. Using the application to open the associated file will cause the malicious library file to be executed. AQUIS 1.5 and prior versions are affected.
  • Ref: http://www.us-cert.gov/control_systems/pdf/ICSA-12-025-01.pdf


  • 12.8.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: ELBA Multiple Security Vulnerabilities
  • Description: ELBA is a banking application. The application is exposed to multiple security issues. An SQL injection issue affects the application because it fails to properly validate the account group name before creating an account group. An information disclosure issue exists because the application doesn't properly encrypt usernames. A denial of service issue exists. ELBA versions 5.4.1 and 5.5.0 are vulnerable; other versions may also be affected.
  • Ref: https://www.sec-consult.com/files/20120220-1_ELBA5_multiple_vulnerabilities.txt http://www.securityfocus.com/bid/52082/discuss

  • 12.8.5 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Jeskola Buzz Memory Corruption and Multiple Buffer Overflow Vulnerabilities
  • Description: Jeskola Buzz is a free modular software-based synthesizer. The application is exposed to an arbitrary memory corruption issue and multiple buffer overflow issues. Buzz Build 1458 is vulnerable; other versions may also be affected.
  • Ref: http://www.securityfocus.com/bid/52089/discuss http://aluigi.org/adv/buzz_1-adv.txt

  • 12.8.6 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Psycle Multiple Buffer Overflow Vulnerabilities
  • Description: Psycle is a modular music creation application. Psycle is exposed to multiple buffer overflow issues because it fails to properly bounds check user supplied data. A heap-based buffer overflow issue affects the application when parsing specially crafted PATD data structures. A buffer overflow issue affects the application when parsing specially crafted SNGI structures. A heap-based buffer overflow issue affects the application when parsing specially crafted SNGI structures. Psycle 1.10.0 and prior versions are vulnerable; other versions may also be affected.
  • Ref: http://www.securityfocus.com/bid/52092/discuss http://aluigi.org/adv/psycle_1-adv.txt

  • 12.8.7 - CVE: Not Available
  • Platform: Linux
  • Title: Endian Firewall Multiple Cross-Site Scripting Vulnerabilities
  • Description: Endian Firewall is a firewall application. Endian Firewall is exposed to multiple cross-site scripting issues because it fails to sufficiently sanitize user-supplied input to the following scripts and parameters: "dnat.cgi": "createrule", "dansguardian.cgi": "addrule", "openvpn_users.cgi". Endian UTM Firewall v2.4.x is affected.
  • Ref: http://www.vulnerability-lab.com/get_content.php?id=436 http://www.securityfocus.com/bid/52076/discuss

  • 12.8.8 - CVE: CVE-2011-3027, CVE-2011-3026, CVE-2011-3025, CVE-2011-3024, CVE-2011-3023, CVE-2011-3022, CVE-2011-3021, CVE-2011-3020, CVE-2011-3019, CVE-2011-3018, CVE-2011-3017, CVE-2011-3016, CVE-2011-3015
  • Platform: Cross Platform
  • Title: Google Chrome Prior to 17.0.963.56 Multiple Security Vulnerabilities
  • Description: Google Chrome is a web browser for multiple platforms. Google Chrome is exposed to multiple security issues. See reference for further details. Versions prior to Chrome 17.0.963.56 are affected.
  • Ref: googlechromereleases.blogspot.com/2012/02/chrome-stable-update.html http://www.securityfocus.com/bid/52031/discuss

  • 12.8.9 - CVE: CVE-2012-0751, CVE-2012-0752, CVE-2012-0753, CVE-2012-0754, CVE-2012-0755, CVE-2012-0756, CVE-2012-0767
  • Platform: Cross Platform
  • Title: Adobe Flash Player Multiple Vulnerabilities
  • Description: Adobe Flash Player is a multimedia application for multiple platforms. Adobe Flash Player is exposed to multiple security issues. See reference for further details. Adobe Flash Player 11.1.102.55 and earlier versions are affected.
  • Ref: http://www.adobe.com/support/security/bulletins/apsb12-03.html

  • 12.8.10 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Jenkins Multiple HTML Injection Vulnerabilities
  • Description: Jenkins is a web server application. The application is exposed to multiple HTML injection issues because it fails to properly sanitize user-supplied input passed to the "Description" and other unspecified fields. Jenkins versions 1.408 through 1.451 are vulnerable; other versions may also be affected.
  • Ref: http://www.securityfocus.com/bid/52055/discuss


  • 12.8.12 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Skype Windows/Linux Communication Handling Denial of Service
  • Description: Skype is peer-to-peer communications software that supports internet-based voice communications. The application is exposed to a denial of service issue that occurs when handling specially crafted transfers/communication processes from a Linux client to a Windows client. Skype 5.6.59.10 is vulnerable and other versions may also be affected.
  • Ref: http://www.vulnerability-lab.com/get_content.php?id=315 http://www.securityfocus.com/bid/52067/discuss

  • 12.8.13 - CVE: Not Available
  • Platform: Cross Platform
  • Title: SAP NetWeaver Multiple Vulnerabilities
  • Description: SAP NetWeaver is an integration platform for enterprise applications. SAP NetWeaver is exposed to multiple security issues. See reference for further details. SAP NetWeaver version 7.0 is vulnerable; other versions may also be affected.
  • Ref: http://secunia.com/advisories/47861/ http://www.securityfocus.com/bid/52101/discuss

  • 12.8.14 - CVE: Not Available
  • Platform: Cross Platform
  • Title: IBM WebSphere Lombardi Edition "Coach" Script HTML Injection
  • Description: IBM WebSphere Lombardi Edition is a unified business process management environment for collaborative process improvement. IBM WebSphere Lombardi Edition is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input submitted through input controls within coaches before using it in dynamically generated content. WebSphere Lombardi Edition 7.2 is vulnerable; other versions may also be affected.
  • Ref: http://www-01.ibm.com/support/docview.wss?uid=swg1IC79890 http://www.securityfocus.com/bid/52104/discuss http://secunia.com/advisories/48055

  • 12.8.15 - CVE: Not Available
  • Platform: Web Application - Cross Site Scripting
  • Title: SQL Buddy Multiple Cross-Site Scripting
  • Description: SQL Buddy is a web-based MySQL administration application. The application is exposed to multiple cross-site scripting issues because it fails to sanitize user-supplied input submitted to the "HOST", "USER", and "DATABASE" parameters of the "login.php" script and "db" parameter of the "dboverview.php" script. SQL Buddy 1.3.3 is vulnerable; other versions may also be affected.
  • Ref: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5074.php http://www.securityfocus.com/bid/52066/discuss



  • 12.8.18 - CVE: CVE-2012-0939,CVE-2012-0938
  • Platform: Web Application - SQL Injection
  • Title: TestLink Multiple SQL Injection Vulnerabilities
  • Description: TestLink is a PHP-based testing suite. The application is exposed to multiple SQL injection issues because it fails to properly sanitize user-supplied input before using it in an SQL query. TestLink versions 1.8.5b and 1.9.3 are vulnerable and other versions may also be affected.
  • Ref: http://www.securityfocus.com/archive/1/521706

  • 12.8.19 - CVE: Not Available
  • Platform: Web Application
  • Title: Pandora FMS "sec2" Parameter Local File Include
  • Description: Pandora FMS is a web-based application implemented in PHP. The application is exposed to a local file include issue because it fails to sufficiently sanitize user-supplied input submitted to the "sec2" parameter of the "index.php" script. Pandora FMS 4.0.1 is vulnerable and other versions may also be affected.
  • Ref: http://www.vulnerability-lab.com/get_content.php?id=435 http://www.securityfocus.com/bid/52058/discuss

  • 12.8.20 - CVE: Not Available
  • Platform: Web Application
  • Title: Mitra Iranian CMS "manager.php" Remote Arbitrary File Upload
  • Description: Mitra Iranian CMS is a PHP-based content management system. The application is exposed to a remote arbitrary file upload issue because it fails to sufficiently sanitize user-supplied input. Specifically, a malicious PHP file named with a ".JPG", ".GIF" or ".PNG" extension can be uploaded through the "manager.php" script. Mitra Iranian CMS version 3.0.3 is vulnerable; other versions may also be affected.
  • Ref: http://secunia.com/advisories/48057/

  • 12.8.21 - CVE: CVE-2012-0872
  • Platform: Web Application
  • Title: Oxwall Multiple Cross-Site Scripting and HTML Injection Vulnerabilities
  • Description: Oxwall is a software package for building social networks, family sites and collaboration systems. The application is exposed to multiple HTML injection issues and multiple cross-site scripting issues. Oxwall 1.1.1 and prior versions are vulnerable and other versions may also be affected.
  • Ref: http://www.securityfocus.com/archive/1/521709 http://yehg.net/lab/pr0js/advisories/%5BOxWall_1.1.1%5D_xss



  • 12.8.24 - CVE: Not Available
  • Platform: Network Device
  • Title: Mercury MR804 Router Multiple HTTP Header Fields Denial of Service Vulnerabilities
  • Description: Mercury MR804 is a router device. Mercury MR804 is exposed to multiple denial of service issues. Specifically, these issues occur because it fails to handle malformed HTTP header fields such as "If-Modified-Since", "If-None-Match", and "If-Unmodified-Since". Mercury MR804 running version 3.8.1 Build 101220 is affected.
  • Ref: http://www.securityfocus.com/archive/1/521731

  • 12.8.25 - CVE: Not Available
  • Platform: Network Device
  • Title: Linksys WAG54GS Wireless Router Cross-Site Request Forgery
  • Description: The Linksys WAG54GS is a wireless ADSL modem and router for domestic use. The router is exposed to a cross-site request forgery issue that affects the "setup.cgi" script. Attackers can exploit this issue by tricking a victim into visiting a malicious web page. The page will consist of specially crafted script code designed to perform some action on the attacker's behalf. Linksys WAG54GS running firmware 1.01.03 is affected.
  • Ref: http://www.securityfocus.com/bid/52105/discuss

  • 12.8.26 - CVE: Not Available
  • Platform: Hardware
  • Title: UTC Fire & Security GE-MC100-NTP/GPS-ZB Default Credentials Authentication Bypass
  • Description: UTC Fire & Security GE-MC100-NTP/GPS-ZB is a master clock device. The device is exposed to a remote authentication bypass issue. This issue occurs because the device contains default login credentials for the administrator account. An attacker can exploit this issue to view or change system configuration files or other sensitive data.
  • Ref: http://www.kb.cert.org/vuls/id/707254

(c) 2012. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account