@RISK: The Consensus Security Vulnerability Alert

Volume: VIII, Issue: 34
August 20, 2009

A quiet week. Hope you are enjoying summer.

Alan

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                   # of Updates & Vulnerabilities
    -------------------------- -------------------------------------
    Linux                      3 (#3)
    Cross Platform             1 (#1)
    Web Application            4 (#2)
    Network Device             1

*********************** SPONSORED LINKS: ******************************

1) ***NEW*** SANS Free Vendor Audio Casts! Visit the SANS Reading Room and click on the Free Vendor Audio Casts link. http://www.sans.org/info/47449

2) Be sure to register for the upcoming Tool Talk Webcast: AV Migration -- Should You Stay or Should You Go? Sponsored By Big Fix. http://www.sans.org/info/47454

3) In case you missed it! Check out the Ask The Expert Webcast: Managing Change and Event Monitoring for Sustainable NERC CIP Compliance http://www.sans.org/info/47459

*************************************************************************

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Rohan Kotian at TippingPoint, a division of 3Com, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) HIGH: Libpurple "msn_slplink_process_msg()" Memory Corruption Vulnerability
  • Affected:
    • Libpurple versions 2.5.8 and prior
    • Pidgin versions 2.5.8 and prior
    • Adium versions 1.3.5 and prior
  • Description: Libpurple is a library that implements instant-messaging functionality with support for multiple messaging protocols. Because of this multi-protocol support, a user can log into several services from a single application. Libpurple is used by numerous clients, including Pidgin and Adium. A memory corruption vulnerability has been reported in Libpurple; the specific flaw is in the "msn_slplink_process_msg()" function while processing MSN SLP packets. A specially crafted MSN SLP packet containing invalid data, delivered to a client through an MSN server, can trigger this vulnerability. Successful exploitation might allow an attacker to execute arbitrary code with the privileges of the logged-on user. Some technical details about the vulnerability are publicly available.

  • Status: Vendor confirmed, no updates available.

  • References:
  • (2) MODERATE: Acer AcerCtrls.APlunch ActiveX control Command Execution Vulnerability
  • Affected:
    • Acer AcerCtrls.APlunch ActiveX control
  • Description: Acer desktops, laptops and other computer products are distributed with a flaw in an AcerCtrls.APlunch ActiveX control. A malicious web page that instantiates this control could trigger the vulnerability and allow an attacker to execute arbitrary commands with the privileges of the current user. The AcerCtrls.APlunch ActiveX control, included in "acerctrl.ocx," contains an insecure "Run()" method which fails to perform adequate checks, thus allowing an attacker to execute commands. Some technical details are publicly available for this vulnerability.

  • Status: Vendor confirmed, no updates available. Users can mitigate the impact of this vulnerability by disabling the vulnerable control via Microsoft's "kill bit" mechanism using CLSID "3895DD35-7573-11D2-8FED-00606730D3AA". Note that this may impact normal application functionality.

  • References:
  • (3) LOW: IBM WebSphere Application Server (SCA) feature pack Security Bypass Vulnerability
  • Affected:
    • IBM WebSphere Application Server SCA 1.0
  • Description: IBM WebSphere Application Server (WAS) is an application server used to build and host enterprise web applications. The Feature Pack for Service Component Architecture (SCA) contains a vulnerability that might allow an attacker to bypass security restrictions. By exploiting this flaw, an attacker who is not assigned to the "scaAllAuthorizedUsers" role can bypass authentication and gain access to the system.

  • Status: Vendor confirmed, updates available.

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 34, 2009

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 7394 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 09.34.1 - CVE: Not Available
  • Platform: Linux
  • Title: HP Insight Control Suite for Linux (ICE-LX) Unspecified Security
  • Description: HP Insight Control Suite for Linux (ICE-LX) is a management interface for Linux based servers. The application is exposed to an unspecified security issue. HP Insight Control Suite for Linux (ICE-LX) versions prior to 2.11 are affected.
  • Ref: http://www.securityfocus.com/bid/36036

  • 09.34.2 - CVE: Not Available
  • Platform: Linux
  • Title: Linux Kernel "binfmt_flat.c" NULL Pointer Dereference Denial of Service
  • Description: The Linux kernel is exposed to a local denial of service issue. This issue stems from a potential NULL-pointer dereference error in the "load_flat_shared_library()" function in the "fs/binfmt_flat.c" source file because it may use an uninitialized cred pointer. Linux kernel version 2.6.30 is affected.
  • Ref: http://www.openwall.com/lists/oss-security/2009/08/13/1

  • 09.34.3 - CVE: CVE-2009-2692
  • Platform: Linux
  • Title: Linux Kernel "sock_sendpage()" NULL Pointer Dereference
  • Description: The Linux kernel is exposed to a local NULL pointer dereference issue. This issue stems from an error in the "sock_sendpage()" function in the "net/socket.c" file. The issue arises because the code uses a function pointer contained in a "proto_ops" data structure before checking it for a NULL value. This issue may be exploited through network protocols that do not properly initialize function pointers.
  • Ref: http://blog.cr0.org/2009/08/linux-null-pointer-dereference-due-to.html

  • 09.34.4 - CVE: Not Available
  • Platform: Cross Platform
  • Title: SAP NetWeaver Application Server "uddiclient/process" HTML Injection
  • Description: SAP NetWeaver is a platform for enterprise applications. The application is exposed to an HTML injection issue because the UDDI client fails to properly sanitize user-supplied input before using it in dynamically generated content. This issue affects the "TModel Key" field of the "uddiclient/process" script.
  • Ref: http://www.securityfocus.com/archive/1/505697

  • 09.34.5 - CVE: Not Available
  • Platform: Web Application
  • Title: ViewVC Cross-Site Scripting and Unspecified Security Vulnerabilities
  • Description: ViewVC is a web-based interface for CVS and Subversion version control repositories; it is implemented in Python. The application is exposed to multiple remote issues. An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site and steal cookie-based authentication credentials. ViewVC versions prior to 1.0.9 are affected.
  • Ref: http://viewvc.tigris.org/source/browse/viewvc/trunk/CHANGES?view=log&pathrev=HEAD

  • 09.34.6 - CVE: Not Available
  • Platform: Web Application
  • Title: Drupal Printer, e-mail and PDF versions Module Multiple HTML Injection Vulnerabilities
  • Description: The "Printer, e-mail and PDF versions" module for Drupal allows users to forward a link to a specific node on a website. The module is exposed to multiple HTML injection issues because it fails to sufficiently sanitize user-supplied input. Attacker supplied HTML and script code would run in the context of the affected browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible. "Printer, e-mail and PDF versions" versions 5.x-4.7 and 6.x-1.7 are affected.
  • Ref: http://lampsecurity.org/drupal-print-module-vulnerabilities

  • 09.34.7 - CVE: Not Available
  • Platform: Web Application
  • Title: WordPress Plugin WP-Syntax Remote PHP Code Execution
  • Description: WordPress is a web-based publishing application implemented in PHP. The WP-Syntax plugin provides syntax highlighting. The WP-Syntax plugin for WordPress is exposed to an issue that lets remote attackers execute arbitrary code because it fails to sanitize user-supplied input. WP-Syntax versions 0.9.1 and earlier are affected.
  • Ref: http://www.securityfocus.com/bid/36040

  • 09.34.8 - CVE: Not Available
  • Platform: Web Application
  • Title: ICQ Incoming Message HTML Injection
  • Description: ICQ is an instant messaging client. The application is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input before using it in dynamically generated content. This issue affects the incoming message window. ICQ version 6.5 build 1042 is affected.
  • Ref: http://www.securityfocus.com/archive/1/505754

  • 09.34.9 - CVE: Not Available
  • Platform: Network Device
  • Title: 2Wire Routers "CD35_SETUP_01" Access Validation
  • Description: 2Wire routers are network devices designed for home and small office setups. Multiple 2Wire routers are exposed to an access validation issue because they fail to adequately authenticate users before performing certain actions. This issue occurs when the devices handle "xslt" requests for the "CD35_SETUP_01" or "CD35_SETUP_01_POST" pages. 2Wire routers prior to Firmware version 5.29.135.5 are affected.
  • Ref: http://www.securityfocus.com/archive/1/505694

(c) 2009. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge by the SANS Institute to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.