@RISK: The Consensus Security Vulnerability Alert

Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys

• (1) HIGH: Samba Remote Code Execution Vulnerability

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

Third Party Windows Apps

• 12.9.1 - ABB WebWare Server "RobNetScanHost.exe" Buffer Overflow
• 12.9.2 - Socusoft Photo to Video Converter "pdmlog.dll" Buffer Overflow

Linux

• 12.9.3 - python-paste-script Root GID Files Arbitrary File Access
• 12.9.4 - Notmuch Emacs Information Disclosure

Aix

• 12.9.5 - IBM AIX Remote Denial of Service

Cross Platform

• 12.9.6 - IBM solidDB "SELECT" Statement "WHERE" Condition Denial of Service
• 12.9.7 - Csound "getnum()" Multiple Buffer Overflow Vulnerabilities
• 12.9.8 - Puppet Multiple Local Privilege Escalation Vulnerabilities
• 12.9.9 - Dropbear SSH Server Use After Free Remote Code Execution
• 12.9.10 - libpurple OTR Information Disclosure
• 12.9.11 - PostgreSQL Multiple Security Vulnerabilities

Web Application - Cross Site Scripting

• 12.9.12 - ContentLion Alpha "login.php" Cross-Site Scripting

Web Application - SQL Injection

• 12.9.13 - The Uploader "username" Parameter SQL Injection
• 12.9.14 - MyJobList "eid" Parameter SQL Injection

Web Application

• 12.9.15 - EasyVista Single Sign-on Authentication Bypass
• 12.9.16 - Dolibarr Multiple Directory Traversal Vulnerabilities
• 12.9.17 - Chyrp "ajax.php" HTML Injection
• 12.9.18 - WebcamXP and Webcam7 Directory Traversal
• 12.9.19 - Drupal FAQ Module Unspecified HTML Injection
• 12.9.20 - Bugzilla Cross-Site Request Forgery
• 12.9.21 - Movable Type Multiple Remote Vulnerabilities
• 12.9.22 - TYPO3 PDF Controller Unspecified Remote Code Execution and Information Disclosure Vulnerabilities
• 12.9.23 - OSQA's CMS Multiple HTML Injection Vulnerabilities
• 12.9.24 - Wolf CMS SQL Injection and Multiple HTML Injection Vulnerabilities

Hardware

• 12.9.25 - snom VoIP Phone Firmware Remote Privilege Escalation
• 12.9.26 - Cisco Small Business SRP500 Series Appliances Directory Traversal

PART I Critical Vulnerabilities

PART I Critical Vulnerabilities Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/risk/#process

*************************************************************

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 9, 2012

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com) This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 13392 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely. ______________________________________________________________________

• 12.9.1 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: ABB WebWare Server "RobNetScanHost.exe" Buffer Overflow
• Description: ABB WebWare Server is a software product that provides solutions for production management tasks with connected robot controllers. The application is exposed to a stack-based buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data. Specifically, this issue occurs in the "RobNetScanHost.exe" file when processing specially crafted "Netscan" packets with opcodes. ABB WebWare Server version 4.6 through 4.91 are affected.
• Ref: http://www05.abb.com/global/scot/scot348.nsf/veritydisplay/f261be074480dc24c1257
  9a00049ecd5/$file/si10227a1%20vulnerability%20security%20advisory.pdf http://www.securityfocus.com/bid/52123/references

• 12.9.2 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: Socusoft Photo to Video Converter "pdmlog.dll" Buffer Overflow
• Description: Socusoft Photo to Video Converter is a multimedia converter available for Microsoft Windows. The application is exposed to a buffer overflow issue because it fails to perform adequate boundary checks on user-supplied input. Specifically, the issue occurs in the "pdmlog.dll" file when processing certain specially crafted files associated with the application. Socusoft Photo to Video Converter version 8.05 is vulnerable and other versions may also be affected.
• Ref: http://www.securityfocus.com/archive/1/521796/30/0/threaded http://www.vulnerability-lab.com/get_content.php?id=460 http://www.securityfocus.com/bid/52186/references

• 12.9.3 - CVE: CVE-2012-0878
• Platform: Linux
• Title: python-paste-script Root GID Files Arbitrary File Access
• Description: python-paste-script is a plug-able command line frontend. The script is exposed to an arbitrary file access issue. Specifically, it fails to properly drop the group privileges in the ".ini" configuration file. Ian Bicking python-paste-script version 1.7.5 is vulnerable.
• Ref: http://www.securityfocus.com/bid/52147/references https://bitbucket.org/ianb/pastescript/changeset/a19e462769b4

• 12.9.4 - CVE: CVE-2011-4142
• Platform: Linux
• Title: Notmuch Emacs Information Disclosure
• Description: Notmuch Emacs is an email management application for indexing emails. The application is exposed to an information disclosure issue. The issue is triggered when processing an email with a specially crafted MML tag. Notmuch Emacs prior to 0.11.1 are vulnerable and other versions may also be affected.
• Ref: http://notmuchmail.org/news/release-0.11.1/ http://www.securityfocus.com/bid/52155/references

• 12.9.5 - CVE: CVE-2011-1385
• Platform: Aix
• Title: IBM AIX Remote Denial of Service
• Description: IBM AIX is an open standard based UNIX operating system. The system is exposed to a remote denial of service issue. Specifically, this issue is caused by an unspecified error when processing specially crafted ICMP packets. IBM AIX versions 5.3, 6.1 and 7.1 are vulnerable and other versions may also be affected.
• Ref: aix.software.ibm.com/aix/efixes/security/icmp_advisory.asc

• 12.9.6 - CVE: CVE-2012-0200
• Platform: Cross Platform
• Title: IBM solidDB "SELECT" Statement "WHERE" Condition Denial of Service
• Description: IBM solidDB is a relational SQL database. The application is exposed to a denial of service issue. Specifically, this issue is triggered when processing a "SELECT" statement containing a redundant "WHERE" condition. IBM solidDB versions prior to 6.5.0.8 Interim Fix 6 are vulnerable.
• Ref: http://www-01.ibm.com/support/docview.wss?uid=swg1IC81244 http://www-01.ibm.com/support/docview.wss?uid=swg27021052#if6 http://www.securityfocus.com/bid/52111/references

• 12.9.7 - CVE: CVE-2012-0270
• Platform: Cross Platform
• Title: Csound "getnum()" Multiple Buffer Overflow Vulnerabilities
• Description: Csound is a sound and music composition application. The application is exposed to multiple buffer overflow issues because it fails to properly bounds check user-supplied data. Csound version 5.13.0 is vulnerable and other versions may also be affected.
• Ref: http://secunia.com/secunia_research/2012-3/ http://www.securityfocus.com/bid/52144/references

• 12.9.8 - CVE: CVE-2012-1054,CVE-2012-1053
• Platform: Cross Platform
• Title: Puppet Multiple Local Privilege Escalation Vulnerabilities
• Description: Puppet is a configuration management system. The application is exposed to multiple local privilege escalation issues. Puppet Enterprise versions prior to 2.0.3, Puppet Enterprise versions 1.0, 1.1 and 1.2.x, Puppet versions prior to 2.6.14 and prior to 2.7.11 are affected.
• Ref: http://puppetlabs.com/security/cve/CVE-2012-1053/ http://puppetlabs.com/security/cve/CVE-2012-1054/

• 12.9.9 - CVE: CVE-2012-0920
• Platform: Cross Platform
• Title: Dropbear SSH Server Use After Free Remote Code Execution
• Description: Dropbear is an SSH client and server application. The application is exposed to a remote code execution issue because of a use after free error within the Dropbear daemon. An attacker can exploit this issue by specially crafted requests. Dropbear SSH Server versions from 0.52 to 2011.54 are vulnerable.
• Ref: https://secure.ucc.asn.au/hg/dropbear/rev/818108bf7749 http://www.securityfocus.com/bid/52159/references

• 12.9.10 - CVE: CVE-2012-1257
• Platform: Cross Platform
• Title: libpurple OTR Information Disclosure
• Description: libpurple is a library used to provide instant messaging functionality. It is used by the Pidgin and Adium IM clients. The library is exposed to an information disclosure issue. Specifically, the issue exists because OTR (off-the-record) messages are broadcast in plain text through DBUS. libpurple versions prior to 2.10.1, pidgin versions prior to 2.10.1 and pidgin-otr versions prior to 3.2.0 are affected.
• Ref: http://www.securityfocus.com/bid/52175/references http://census-labs.com/news/2012/02/25/libpurple-otr-info-leak/

• 12.9.11 - CVE: CVE-2012-0868,CVE-2012-0867,CVE-2012-0866
• Platform: Cross Platform
• Title: PostgreSQL Multiple Security Vulnerabilities
• Description: PostgreSQL is an open-source relational database suite. The application is exposed to multiple security issues that affect the "core server" component. A privilege escalation issue occurs because it fails to properly check permissions on a function called by a trigger. An SSL certificate validation security bypass issue occurs due to an improper "x509_v3 CN" validation during certificate verification, when SSL support is enabled. An SQL injection issue occurs because the "pg_dump" utility of PostgreSQL fails to sufficiently sanitize newline "n" characters in object names before using them in an SQL query. PostgreSQL version 9.1, 9.0, 8.4 and 8.3 are affected.
• Ref: http://www.postgresql.org/support/security/ http://www.securityfocus.com/bid/52188/references

• 12.9.12 - CVE: CVE-2012-1224
• Platform: Web Application - Cross Site Scripting
• Title: ContentLion Alpha "login.php" Cross-Site Scripting
• Description: ContentLion Alpha is a PHP-based content manager. The application is exposed to a cross-site scripting issue because it fails to sanitize user-supplied input submitted to the "system/classes/login.php" script. ContentLion Alpha 1.3 is vulnerable and other versions may also be affected.
• Ref: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1224 http://www.securityfocus.com/bid/52112/discuss

• 12.9.13 - CVE: CVE-2011-2944
• Platform: Web Application - SQL Injection
• Title: The Uploader "username" Parameter SQL Injection
• Description: The Uploader is a PHP-based application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data submitted to the "username" parameter of the "login.php" script before using it in an SQL query. The Uploader versions prior to 2.0.5 are affected.
• Ref: http://www.securityfocus.com/bid/52156/references http://packetstormsecurity.org/files/cve/CVE-2011-2944

• 12.9.14 - CVE: Not Available
• Platform: Web Application - SQL Injection
• Title: MyJobList "eid" Parameter SQL Injection
• Description: MyJobList is a web-based application implemented in PHP. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data submitted to the "eid" parameter of an unspecified script. MyJobList 0.1.3 is vulnerable and other versions may also be affected.
• Ref: https://secunia.com/advisories/48169 http://www.securityfocus.com/bid/52168/discuss

• 12.9.15 - CVE: Not Available2010.1.1.89 is vulnerable and other versions may also be affected.
• Platform: Web Application
• Title: EasyVista Single Sign-on Authentication Bypass
• Description: EasyVista is an application that provides solutions for IT service and asset management. The application is exposed to an authentication bypass issue due to an error in the EasyVista single sign-on feature, which does not use encoded values. EasyVista
• Ref: http://www.kb.cert.org/vuls/id/273502 http://www.securityfocus.com/bid/52102/references

• 12.9.16 - CVE: CVE-2012-1226
• Platform: Web Application
• Title: Dolibarr Multiple Directory Traversal Vulnerabilities
• Description: Dolibarr is a foundation activity management application implemented in PHP. The application is exposed to multiple directory traversal issues because it fails to sufficiently sanitize user-supplied input. Dolibarr 3.2.0 Alpha is vulnerable and other versions may also be affected.
• Ref: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1226 http://www.securityfocus.com/bid/52113/discuss

• 12.9.17 - CVE: CVE-2012-1001
• Platform: Web Application
• Title: Chyrp "ajax.php" HTML Injection
• Description: Chyrp is a PHP-based blogging engine. The application is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input submitted to the "content" parameter of "includes/ajax.php" script. Chyrp 2.1.1 is vulnerable and other versions may also be affected.
• Ref: https://www.htbridge.ch/advisory/HTB23073 http://www.securityfocus.com/bid/52115/references

• 12.9.18 - CVE: Not Available
• Platform: Web Application
• Title: WebcamXP and Webcam7 Directory Traversal
• Description: WebcamXP and Webcam7 are webcam and network camera software for Windows. The applications are exposed to a directory traversal issue because they fail to sufficiently sanitize user-supplied input. WebcamXP 5.5.1.2 and Webcam7 0.9.9.32 are vulnerable and other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/52119/references http://xforce.iss.net/xforce/xfdb/73385

• 12.9.19 - CVE: Not Available
• Platform: Web Application
• Title: Drupal FAQ Module Unspecified HTML Injection
• Description: FAQ is a module for the Drupal content manager. The module is exposed to an unspecified HTML injection issue because it fails to properly sanitize user-supplied input before using it in dynamically generated content. FAQ 6.x-1.x versions prior to 6.x-1.13 are vulnerable.
• Ref: http://drupal.org/node/1451194 http://www.securityfocus.com/bid/52126/references

• 12.9.20 - CVE: CVE-2012-0453
• Platform: Web Application
• Title: Bugzilla Cross-Site Request Forgery
• Description: Bugzilla is a web-based bug tracking application. The application is exposed to a cross-site request forgery issue because it does not properly validate HTTP requests. Specifically, the issue exists in the implementation of the XML-RPC API when running under mod_perl. Bugzilla versions 4.0.2 through 4.0.4 and 4.1.1 through 4.2rc2 are vulnerable.
• Ref: https://bugzilla.mozilla.org/show_bug.cgi?id=725663 http://www.bugzilla.org/security/4.0.4/

• 12.9.21 - CVE: CVE-2012-0320,CVE-2012-0319,CVE-2012-0318,CVE-2012-0317
• Platform: Web Application
• Title: Movable Type Multiple Remote Vulnerabilities
• Description: Movable Type is a web log application implemented in Perl and PHP. The application is exposed to multiple issues. A cross-site scripting issue affects the "mt-wizard.cgi" script. A cross-site scripting issue affects the "templates" page. A cross-site request forgery issue exists. A session hijacking issue affects the "commenting" and "community" scripts. A remote command execution issue occurs because it fails to properly sanitize user-supplied input passed to the file management system. Movable Type versions prior to 5.13, 5.07 and 4.38 are affected.
• Ref: http://www.movabletype.org/documentation/appendices/release-notes/513.html http://www.securityfocus.com/bid/52138/references

• 12.9.22 - CVE: Not Available
• Platform: Web Application
• Title: TYPO3 PDF Controller Unspecified Remote Code Execution and Information Disclosure Vulnerabilities
• Description: PDF Controller ("pdfcontroller") is an extension for the TYPO3 content manager. The extension is exposed to unspecified remote code execution and information disclosure issues. PDF Controller 1.0.1 and prior versions are vulnerable.
• Ref: http://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa
  -2012-003/

• 12.9.23 - CVE: Not Available
• Platform: Web Application
• Title: OSQA's CMS Multiple HTML Injection Vulnerabilities
• Description: OSQA is an open source Q and A system written in Python. The application is exposed to multiple HTML injection issues because it fails to sufficiently sanitize user-supplied input appended to the "Url Bar", "Picture Bar" and "Blockquote" module. OSQA 3b is vulnerable and other versions may also be affected.
• Ref: http://www.securityfocus.com/bid/52184/references http://www.securityfocus.com/archive/1/521798

• 12.9.24 - CVE: Not Available
• Platform: Web Application
• Title: Wolf CMS SQL Injection and Multiple HTML Injection Vulnerabilities
• Description: Wolf CMS is a free content management system implemented in PHP. The application is exposed to multiple issues because it fails to sufficiently sanitize user-supplied input. Wolf CMS 0.7.5 is vulnerable and other versions may also be affected.
• Ref: http://www.securityfocus.com/archive/1/521797 http://www.securityfocus.com/bid/52187/references

• 12.9.25 - CVE: Not Available
• Platform: Hardware
• Title: snom VoIP Phone Firmware Remote Privilege Escalation
• Description: snom VoIP phones are voice over IP phone devices. The application is exposed to a remote privilege escalation issue. Specifically, this issue occurs because of an error in the authentication code. snom VoIP phone firmware versions prior to 8.4.35 are vulnerable.
• Ref: http://www.senseofsecurity.com.au/advisories/SOS-12-001

• 12.9.26 - CVE: CVE-2012-0365
• Platform: Hardware
• Title: Cisco Small Business SRP500 Series Appliances Directory Traversal
• Description: Cisco Small Business SRP500 series appliances are services-ready platforms that provide IP voice, data, security and wireless services. The devices are exposed to a directory traversal issue due to an error in the Local TFTP file upload application. Cisco SRP 500 Series devices are affected.
• Ref: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20
  120223-srp500

(c) 2012. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account