
@RISK: The Consensus Security Vulnerability Alert

Volume: XI, Issue: 9
March 1, 2012

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

Platform                                   Number of Updates and Vulnerabilities
- ------------------------                 -------------------------------------
Third Party Windows Apps                   2
Linux                                      2
Aix                                        1
Cross Platform                             6 (#1)
Web Application - Cross Site Scripting     1
Web Application - SQL Injection            2
Web Application                            10
Hardware                                   2

********************* Sponsored By Quest Software ***********************

Using sudo? Centralize the management of sudo, the sudoers policy file and reporting on sudoers access rights and activities. Quest One Privilege Manager for Sudo makes administering sudo easy, intuitive and consistent - eliminating the inefficient and inconsistent box-by-box management.

Visit http://www.sans.org/info/100584 for a free trial. **************************************************************************

TRAINING UPDATE
--SANS Secure Singapore 2012, Singapore, Singapore March 5-17, 2012 5 courses. Bonus evening presentations include Introduction to Windows Memory Analysis; and Why Our Defenses are Failing Us: One Click is All It Takes ... http://www.sans.org/singapore-2012/
--SANS Mobile Device Security Summit: The Growing and Constantly Changing Challenge, Nashville, TN Summit: March 12-13, 2012; Post-Summit Courses: March 14-15, 2012 Mobile device security experts and practitioners from organizations that have implemented successful programs will discuss the most promising approaches to this new and evolving challenge. http://www.sans.org/mobile-device-security-summit-2012/
--SANS 2012, Orlando, FL March 23-29, 2012 40 courses. Bonus evening presentations include Exploiting Vulnerabilities: 60 Minutes from Discovery to Exploit; Evolving Threats; and Harbinger of Evil: The Forensic Art of Finding Malware. http://www.sans.org/sans-2012/
--SANS Northern Virginia 2012, Reston, VA April 15-20, 2012 7 courses. Bonus evening presentations include Linux Forensics for Non-Linux Folks; and Who Do You Trust? SSL and TLS Under Attack http://www.sans.org/northern-virginia-2012/
--SANS Cyber Guardian 2012, Baltimore, MD April 30-May 7, 2012 11 courses. Bonus evening presentations include Ninja Assessments: Stealth Security testing for Organizations; and Adjusting Our Defenses for 2012. http://www.sans.org/cyber-guardian-2012/
--SANS AppSec 2012, Las Vegas, NV April 24-May 1, 2012 5 courses. http://www.sans.org/appsec-2012/
--SANS Secure Europe 2012, Amsterdam, Netherlands May 7-19, 2012 11 courses. http://www.sans.org/secure-amsterdam-2012/
--SANS Security West 2012, San Diego, CA May 10-18, 2012 25 courses. Bonus evening presentations include Metametrics - A New Approach to Information Security Management Metrics; and Malware Analysis Essentials Using REMnux. http://www.sans.org/security-west-2012/
--Looking for training in your own community? http://www.sans.org/community/
Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/discounts.php#current
Plus Stuttgart, Boston, Abu Dhabi, Toronto, and Brisbane all in the next 90 days.
For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

**************************************************************************

Table Of Contents
Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)
    Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
    Third Party Windows Apps
    Linux
    Aix
    Cross Platform
    Web Application - Cross Site Scripting
    Web Application - SQL Injection
    Web Application
    Hardware

    ***************************** Sponsored Links: ****************************

    1) SANS Analyst webcast! Password Sharing: Root of All Evil Join senior SANS Analyst, J. Michael Butler and learn how to protect shared passwords in mixed server environments. http://www.sans.org/info/100581

    2) Take the SANS 8th Annual Log and Event Management Survey. Be entered to WIN a $250 American Express Card giveaway when survey results are released during SANS webcasts held in early May. Follow this link to the survey: http://www.sans.org/info/100586

    **************************************************************************

    PART I Critical Vulnerabilities

    Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/risk/#process

    *************************************************************

    Widely Deployed Software
    • (1) HIGH: Samba Remote Code Execution Vulnerability
    • Affected:
      • Samba 3.0.x through 3.4.x (fixed in 3.4.16)
    • Description: A patch has been released for Samba addressing a code execution vulnerability in the smbd server. Samba provides an open-source implementation of the SMB/CIFS file and print protocol used by Microsoft Windows. SMB1 allows several commands to be batched into one request as a chain of AndX blocks; each block carries the command code of the next block and a 16-bit offset, relative to the start of the SMB header, at which that next block begins. Samba does not verify that these offsets increase monotonically, so a request whose offset points back to an earlier AndX block makes the server process the chain in a loop, appending a reply on every pass until it writes past the end of a heap buffer. By sending such a request to a Samba server, an attacker can execute arbitrary code with root privileges on the target. The request arrives over SMB (TCP 445 or 139), so where patching is delayed, limiting which hosts can reach smbd at the network edge is the immediate mitigation.

    • Status: vendor confirmed, updates available

    • References:
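    To make the missing check concrete, the following is an added example written for this bulletin's commentary; it is not Samba code and does not reproduce Samba's structures. It models the AndX chain walk in Python over a simplified block layout (WordCount, AndXCommand, AndXReserved, AndXOffset), a placeholder 32-byte header, and constructed reply-buffer sizes. `walk_andx_chain` with `checked=False` trusts every offset the client supplies, which is the flawed behaviour; with `checked=True` it applies the rule a fix needs, namely that each AndXOffset must point strictly past the block that carried it.

```python
import struct

SMB_HEADER_LEN = 32      # SMB1 header size; every AndXOffset is relative to the header start
ANDX_NONE = 0xFF         # AndXCommand value meaning "no further command in the chain"
ANDX_FIXED_LEN = 5       # WordCount + AndXCommand + AndXReserved + AndXOffset (LE16)
REPLY_BUF_SIZE = 256     # constructed size of the modelled heap buffer replies are appended to
REPLY_PER_BLOCK = 64     # constructed number of bytes each processed block adds to that buffer


def andx_block(next_cmd, next_offset, payload=b""):
    """Build a simplified AndX block (constructed layout, not a full SMB command)."""
    return struct.pack("<BBBH", 2, next_cmd, 0, next_offset) + payload


def walk_andx_chain(msg, checked):
    """Process the AndX chain of `msg` and return how many blocks were handled.

    checked=False follows every AndXOffset the client supplies (the flawed behaviour).
    checked=True refuses any offset that does not point strictly past the current block.
    Raises ValueError for a rejected chain and OverflowError when the modelled reply
    buffer would be overrun, the point at which the real bug corrupts the heap.
    """
    offset = SMB_HEADER_LEN
    handled = 0
    reply_len = 0
    while True:
        if offset + ANDX_FIXED_LEN > len(msg):
            raise ValueError("AndX block at %d runs past end of message" % offset)
        _wct, next_cmd, _reserved, next_off = struct.unpack_from("<BBBH", msg, offset)
        handled += 1
        reply_len += REPLY_PER_BLOCK
        if reply_len > REPLY_BUF_SIZE:
            raise OverflowError("reply buffer overrun after %d blocks" % handled)
        if next_cmd == ANDX_NONE:
            return handled
        if checked and next_off < offset + ANDX_FIXED_LEN:
            raise ValueError("AndXOffset %d does not advance past block at %d" % (next_off, offset))
        offset = next_off


def classify(msg, checked):
    """Summarise the walker's outcome as 'ok', 'rejected' or 'overflow'."""
    try:
        walk_andx_chain(msg, checked)
        return "ok"
    except ValueError:
        return "rejected"
    except OverflowError:
        return "overflow"


HEADER = b"\xffSMB" + b"\x00" * (SMB_HEADER_LEN - 4)   # constructed placeholder header

# Well-formed chain: the block at offset 32 points forward to a terminating block at 37.
BENIGN_REQUEST = HEADER + andx_block(0x2E, 37) + andx_block(ANDX_NONE, 0)

# Malicious chain: the second block points back at the first, so the chain never ends.
LOOPING_REQUEST = HEADER + andx_block(0x2E, 37) + andx_block(0x2E, 32)

if __name__ == "__main__":
    for name, msg in (("benign", BENIGN_REQUEST), ("looping", LOOPING_REQUEST)):
        print(name, "unchecked:", classify(msg, False), "checked:", classify(msg, True))
```

    The unchecked walker never terminates on the looping request; it is the bounded reply buffer, not the offset logic, that stops it, and in the real server that boundary is a heap allocation with live data behind it. The checked walker rejects the request before any reply is built.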
    Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
    Week 9, 2012

    This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 13392 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.
    ______________________________________________________________________

    • 12.9.4 - CVE: CVE-2011-4142
    • Platform: Linux
    • Title: Notmuch Emacs Information Disclosure
    • Description: Notmuch is an email indexing and search tool; Notmuch Emacs is its Emacs front end. The front end is exposed to an information disclosure issue that is triggered when it processes an email containing a specially crafted MML tag. Notmuch Emacs versions prior to 0.11.1 are vulnerable and other versions may also be affected.
    • Ref: http://notmuchmail.org/news/release-0.11.1/ http://www.securityfocus.com/bid/52155/references

    • 12.9.5 - CVE: CVE-2011-1385
    • Platform: Aix
    • Title: IBM AIX Remote Denial of Service
    • Description: IBM AIX is an open standard based UNIX operating system. The system is exposed to a remote denial of service issue. Specifically, this issue is caused by an unspecified error when processing specially crafted ICMP packets. IBM AIX versions 5.3, 6.1 and 7.1 are vulnerable and other versions may also be affected.
    • Ref: aix.software.ibm.com/aix/efixes/security/icmp_advisory.asc


    • 12.9.7 - CVE: CVE-2012-0270
    • Platform: Cross Platform
    • Title: Csound "getnum()" Multiple Buffer Overflow Vulnerabilities
    • Description: Csound is a sound and music composition application. The application is exposed to multiple buffer overflow issues because it fails to properly bounds check user-supplied data. Csound version 5.13.0 is vulnerable and other versions may also be affected.
    • Ref: http://secunia.com/secunia_research/2012-3/ http://www.securityfocus.com/bid/52144/references

    • 12.9.8 - CVE: CVE-2012-1054,CVE-2012-1053
    • Platform: Cross Platform
    • Title: Puppet Multiple Local Privilege Escalation Vulnerabilities
    • Description: Puppet is a configuration management system. The application is exposed to multiple local privilege escalation issues. Puppet Enterprise versions prior to 2.0.3 (including 1.0, 1.1 and 1.2.x), Puppet 2.6.x prior to 2.6.14 and Puppet 2.7.x prior to 2.7.11 are affected.
    • Ref: http://puppetlabs.com/security/cve/CVE-2012-1053/ http://puppetlabs.com/security/cve/CVE-2012-1054/

    • 12.9.9 - CVE: CVE-2012-0920
    • Platform: Cross Platform
    • Title: Dropbear SSH Server Use After Free Remote Code Execution
    • Description: Dropbear is a lightweight SSH client and server. The server is exposed to a remote code execution issue because of a use-after-free error within the Dropbear daemon. An attacker can exploit this issue by sending specially crafted requests; per the Dropbear 2012.55 release notes the bug is reachable by an authenticated user whose key carries a command= restriction, so it matters most where such restricted keys are handed to partially trusted users. Dropbear SSH Server versions from 0.52 to 2011.54 are vulnerable.
    • Ref: https://secure.ucc.asn.au/hg/dropbear/rev/818108bf7749 http://www.securityfocus.com/bid/52159/references

    • 12.9.10 - CVE: CVE-2012-1257
    • Platform: Cross Platform
    • Title: libpurple OTR Information Disclosure
    • Description: libpurple is a library used to provide instant messaging functionality. It is used by the Pidgin and Adium IM clients. The library is exposed to an information disclosure issue: OTR (off-the-record) messages, after decryption, are emitted in plaintext over D-Bus, where any other process connected to the same session bus can read them. libpurple versions prior to 2.10.1, Pidgin versions prior to 2.10.1 and pidgin-otr versions prior to 3.2.0 are affected.
    • Ref: http://www.securityfocus.com/bid/52175/references http://census-labs.com/news/2012/02/25/libpurple-otr-info-leak/

    • 12.9.11 - CVE: CVE-2012-0868,CVE-2012-0867,CVE-2012-0866
    • Platform: Cross Platform
    • Title: PostgreSQL Multiple Security Vulnerabilities
    • Description: PostgreSQL is an open-source relational database suite. The application is exposed to multiple security issues that affect the "core server" component. A privilege escalation issue occurs because CREATE TRIGGER does not check that the user has execute permission on the trigger function, so a user who can create triggers on a table can have any function executed in the context of the table's writers. An SSL certificate validation bypass occurs because the server truncates the certificate's "x509_v3 CN" value before comparing it during verification, so a certificate whose common name shares only the compared prefix with the expected name is accepted when SSL support is enabled. An SQL injection issue occurs because the "pg_dump" utility writes object names into the "-- Name:" comment headers of its output without converting newline ("\n") characters, so a crafted object name can terminate the comment and append a statement that runs when the dump is restored. PostgreSQL versions 9.1, 9.0, 8.4 and 8.3 are affected.
    • Ref: http://www.postgresql.org/support/security/ http://www.securityfocus.com/bid/52188/references
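    The pg_dump issue is easiest to see with a model of the dump format. The following is an added example written for this bulletin's commentary, not PostgreSQL code: it reproduces, in simplified form, the "-- Name:" comment header and CREATE TABLE line that pg_dump emits for one table, and a small scanner that splits the script the way a restore would (a "--" comment runs to end of line, but not inside a double-quoted identifier). The table name, schema and column are constructed. With `sanitize=False` the name is written as-is; with `sanitize=True` newlines in the name are replaced by spaces, which is the fix applied in the patched releases.

```python
import re


def quote_ident(name):
    """Double-quote an SQL identifier, doubling embedded quotes (normal pg_dump quoting)."""
    return '"' + name.replace('"', '""') + '"'


def object_header(name, obj_type, schema, sanitize):
    """The '-- Name:' comment pg_dump writes above each object (constructed, simplified).

    sanitize=True converts newline characters in the name to spaces before writing
    the comment; sanitize=False writes the name unchanged (the vulnerable behaviour).
    """
    if sanitize:
        name = re.sub(r"[\r\n]", " ", name)
    return "--\n-- Name: %s; Type: %s; Schema: %s\n--\n" % (name, obj_type, schema)


def dump_table(name, sanitize, schema="public"):
    """Produce the dump fragment for one table: comment header plus CREATE TABLE."""
    return object_header(name, "TABLE", schema, sanitize) + \
        "CREATE TABLE %s.%s (id integer);\n" % (quote_ident(schema), quote_ident(name))


def statements(script):
    """Split a dump into the statements a restore would execute.

    Models the relevant lexer rules: '--' starts a comment that ends at newline,
    except inside a double-quoted identifier; ';' outside quotes ends a statement.
    """
    out, cur, in_quote, i = [], [], False, 0
    while i < len(script):
        ch = script[i]
        if in_quote:
            cur.append(ch)
            if ch == '"':
                in_quote = False   # a doubled quote flips twice and stays inside the identifier
        elif script.startswith("--", i):
            nl = script.find("\n", i)
            i = len(script) if nl < 0 else nl
            continue
        elif ch == '"':
            in_quote = True
            cur.append(ch)
        elif ch == ";":
            stmt = "".join(cur).strip()
            if stmt:
                out.append(stmt)
            cur = []
        else:
            cur.append(ch)
        i += 1
    tail = "".join(cur).strip()
    if tail:
        out.append(tail)
    return out


# Constructed attacker-chosen table name: the newline ends the comment header early,
# and the trailing '--' hides the rest of that header line from the restore.
EVIL_NAME = "orders\nDROP TABLE audit_log; --"

if __name__ == "__main__":
    for sanitize in (False, True):
        print("sanitize=%s:" % sanitize)
        for stmt in statements(dump_table(EVIL_NAME, sanitize)):
            print("   ", stmt.replace("\n", "\\n"))
```

    The quoted identifier in the CREATE TABLE line is never the problem: inside double quotes a newline is just another identifier character. The injected DROP comes entirely from the unquoted comment header, which is why the fix is applied there rather than to the quoting routine.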

    • 12.9.12 - CVE: CVE-2012-1224
    • Platform: Web Application - Cross Site Scripting
    • Title: ContentLion Alpha "login.php" Cross-Site Scripting
    • Description: ContentLion Alpha is a PHP-based content manager. The application is exposed to a cross-site scripting issue because it fails to sanitize user-supplied input submitted to the "system/classes/login.php" script. ContentLion Alpha 1.3 is vulnerable and other versions may also be affected.
    • Ref: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1224 http://www.securityfocus.com/bid/52112/discuss

    • 12.9.13 - CVE: CVE-2011-2944
    • Platform: Web Application - SQL Injection
    • Title: The Uploader "username" Parameter SQL Injection
    • Description: The Uploader is a PHP-based application. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data submitted to the "username" parameter of the "login.php" script before using it in an SQL query. The Uploader versions prior to 2.0.5 are affected.
    • Ref: http://www.securityfocus.com/bid/52156/references http://packetstormsecurity.org/files/cve/CVE-2011-2944

    • 12.9.14 - CVE: Not Available
    • Platform: Web Application - SQL Injection
    • Title: MyJobList "eid" Parameter SQL Injection
    • Description: MyJobList is a web-based application implemented in PHP. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data submitted to the "eid" parameter of an unspecified script. MyJobList 0.1.3 is vulnerable and other versions may also be affected.
    • Ref: https://secunia.com/advisories/48169 http://www.securityfocus.com/bid/52168/discuss

    • 12.9.15 - CVE: Not Available
    • Platform: Web Application
    • Title: EasyVista Single Sign-on Authentication Bypass
    • Description: EasyVista is an application that provides solutions for IT service and asset management. The application is exposed to an authentication bypass issue due to an error in the EasyVista single sign-on feature, which does not use encoded values. EasyVista 2010.1.1.89 is vulnerable and other versions may also be affected.
    • Ref: http://www.kb.cert.org/vuls/id/273502 http://www.securityfocus.com/bid/52102/references


    • 12.9.17 - CVE: CVE-2012-1001
    • Platform: Web Application
    • Title: Chyrp "ajax.php" HTML Injection
    • Description: Chyrp is a PHP-based blogging engine. The application is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input submitted to the "content" parameter of "includes/ajax.php" script. Chyrp 2.1.1 is vulnerable and other versions may also be affected.
    • Ref: https://www.htbridge.ch/advisory/HTB23073 http://www.securityfocus.com/bid/52115/references

    • 12.9.18 - CVE: Not Available
    • Platform: Web Application
    • Title: WebcamXP and Webcam7 Directory Traversal
    • Description: WebcamXP and Webcam7 are webcam and network camera software for Windows. The applications are exposed to a directory traversal issue because they fail to sufficiently sanitize user-supplied input. WebcamXP 5.5.1.2 and Webcam7 0.9.9.32 are vulnerable and other versions may also be affected.
    • Ref: http://www.securityfocus.com/bid/52119/references http://xforce.iss.net/xforce/xfdb/73385

    • 12.9.19 - CVE: Not Available
    • Platform: Web Application
    • Title: Drupal FAQ Module Unspecified HTML Injection
    • Description: FAQ is a module for the Drupal content manager. The module is exposed to an unspecified HTML injection issue because it fails to properly sanitize user-supplied input before using it in dynamically generated content. FAQ 6.x-1.x versions prior to 6.x-1.13 are vulnerable.
    • Ref: http://drupal.org/node/1451194 http://www.securityfocus.com/bid/52126/references

    • 12.9.20 - CVE: CVE-2012-0453
    • Platform: Web Application
    • Title: Bugzilla Cross-Site Request Forgery
    • Description: Bugzilla is a web-based bug tracking application. The application is exposed to a cross-site request forgery issue because it does not properly validate HTTP requests. Specifically, the issue exists in the implementation of the XML-RPC API when running under mod_perl. Bugzilla versions 4.0.2 through 4.0.4 and 4.1.1 through 4.2rc2 are vulnerable.
    • Ref: https://bugzilla.mozilla.org/show_bug.cgi?id=725663 http://www.bugzilla.org/security/4.0.4/

    • 12.9.21 - CVE: CVE-2012-0320,CVE-2012-0319,CVE-2012-0318,CVE-2012-0317
    • Platform: Web Application
    • Title: Movable Type Multiple Remote Vulnerabilities
    • Description: Movable Type is a web log application implemented in Perl and PHP. The application is exposed to multiple issues. A cross-site scripting issue affects the "mt-wizard.cgi" script. A cross-site scripting issue affects the "templates" page. A cross-site request forgery issue exists. A session hijacking issue affects the "commenting" and "community" scripts. A remote command execution issue occurs because it fails to properly sanitize user-supplied input passed to the file management system. Movable Type versions prior to 5.13, 5.07 and 4.38 are affected.
    • Ref: http://www.movabletype.org/documentation/appendices/release-notes/513.html http://www.securityfocus.com/bid/52138/references

    • 12.9.22 - CVE: Not Available
    • Platform: Web Application
    • Title: TYPO3 PDF Controller Unspecified Remote Code Execution and Information Disclosure Vulnerabilities
    • Description: PDF Controller ("pdfcontroller") is an extension for the TYPO3 content manager. The extension is exposed to unspecified remote code execution and information disclosure issues. PDF Controller 1.0.1 and prior versions are vulnerable.
    • Ref: http://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2012-003/

    • 12.9.23 - CVE: Not Available
    • Platform: Web Application
    • Title: OSQA Multiple HTML Injection Vulnerabilities
    • Description: OSQA is an open-source question-and-answer system written in Python. The application is exposed to multiple HTML injection issues because it fails to sufficiently sanitize user-supplied input passed to the "Url Bar", "Picture Bar" and "Blockquote" editor modules. OSQA 3b is vulnerable and other versions may also be affected.
    • Ref: http://www.securityfocus.com/bid/52184/references http://www.securityfocus.com/archive/1/521798

    • 12.9.24 - CVE: Not Available
    • Platform: Web Application
    • Title: Wolf CMS SQL Injection and Multiple HTML Injection Vulnerabilities
    • Description: Wolf CMS is a free content management system implemented in PHP. The application is exposed to multiple issues because it fails to sufficiently sanitize user-supplied input. Wolf CMS 0.7.5 is vulnerable and other versions may also be affected.
    • Ref: http://www.securityfocus.com/archive/1/521797 http://www.securityfocus.com/bid/52187/references

    • 12.9.25 - CVE: Not Available
    • Platform: Hardware
    • Title: snom VoIP Phone Firmware Remote Privilege Escalation
    • Description: snom VoIP phones are voice over IP phone devices. The phone firmware is exposed to a remote privilege escalation issue caused by an error in its authentication code. snom VoIP phone firmware versions prior to 8.4.35 are vulnerable.
    • Ref: http://www.senseofsecurity.com.au/advisories/SOS-12-001

    • 12.9.26 - CVE: CVE-2012-0365
    • Platform: Hardware
    • Title: Cisco Small Business SRP500 Series Appliances Directory Traversal
    • Description: Cisco Small Business SRP500 series appliances are services-ready platforms that provide IP voice, data, security and wireless services. The devices are exposed to a directory traversal issue due to an error in the Local TFTP file upload application. Cisco SRP 500 Series devices are affected.
    • Ref: http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120223-srp500

    (c) 2012. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

    Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit https://www.sans.org/account