@RISK: The Consensus Security Vulnerability Alert

Volume: VIII, Issue: 42
October 15, 2009

NOTE: This week's @Risk contains only Part II. We apologize for any inconvenience. We'll catch up next week.

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

Platform                                   Number of Updates and Vulnerabilities
--------------------------                 -------------------------------------
Windows                                    1
Other Microsoft Products                   1
Third Party Windows Apps                   3
Linux                                      4
Aix                                        1
Cross Platform                             4
Web Application - Cross Site Scripting     2
Web Application - SQL Injection            2
Web Application                            3

**************** Sponsored By Breach Security, Inc. **********************

REGISTER NOW for the upcoming Webcast, brought to you by: Breach Security, Inc. Achieving Web Application Integrity with WebDefend

https://www.sans.org/info/49709

*************************************************************************

TRAINING UPDATE

- SCADA Security Summit, Stockholm, Oct. 27-30, https://www.sans.org/euscada09_summit/

- SANS Chicago North Shore, Oct. 26-Nov. 2, https://www.sans.org/chicago09/

- SANS San Francisco, November 9-14, https://www.sans.org/sanfrancisco09

- SANS CDI, Washington DC, Dec. 11-18, https://www.sans.org/cyber-defense-initiative-2009

Looking for training in your own community? https://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at https://www.sans.org/ondemand/spring09.php

For a list of all upcoming events, on-line and live: http://www.sans.org

****************************

Table Of Contents
Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
    Windows
    Other Microsoft Products
    Third Party Windows Apps
    Linux
    Aix
    Cross Platform
    Web Application - Cross Site Scripting
    Web Application - SQL Injection
    Web Application

**************************** Sponsored Links: **************************

1) Changing the Way We Manage Vulnerabilities & Patching Featuring: Evan Wheeler, Clark University Instructor, INFOSEC Team Lead at Omgeo

https://www.sans.org/info/49714

REGISTER NOW!

2) Network Control Meets Endpoint Security Featuring: Kimber Spradlin

https://www.sans.org/info/49719

*************************************************************************

PART I Critical Vulnerabilities
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 42, 2009


    • 09.42.1 - CVE: Not Available
    • Platform: Windows
    • Title: Xlpd Remote Denial of Service
    • Description: Xlpd is a remotely accessible line printer daemon for the Microsoft Windows platform. The application is exposed to a denial of service issue because it fails to adequately validate user-supplied input. Xlpd version 3.0 is affected by this issue.
    • Ref: http://www.securityfocus.com/archive/1/507029

    • 09.42.2 - CVE: CVE-2009-3564
    • Platform: Other Microsoft Products
    • Title: Puppet Supplementary Groups Information Disclosure
    • Description: Puppet is a configuration management system. Puppet is exposed to an information disclosure issue because the "puppetmasterd" application does not properly drop supplementary groups. Puppet version 0.24.6 is affected by this issue.
    • Ref: https://bugzilla.redhat.com/show_bug.cgi?id=475201

    • 09.42.3 - CVE: Not Available
    • Platform: Third Party Windows Apps
    • Title: Omni-NFS Multiple Stack Buffer Overflow Vulnerabilities
    • Description: Omni-NFS is a Windows based application that allows users to share directories and files over a network. The application is exposed to multiple issues because it fails to properly bounds check user-supplied network data. Omni-NFS version 5.2 is affected by this issue.
    • Ref: http://www.securityfocus.com/bid/36608/

    • 09.42.4 - CVE: Not Available
    • Platform: Third Party Windows Apps
    • Title: BulletProof FTP Client Malformed ".bps" File Stack Buffer Overflow
    • Description: BulletProof FTP Client is an FTP client available for Microsoft Windows. The application is exposed to a stack-based buffer overflow issue because it fails to perform adequate boundary checks of user-supplied data. This issue occurs when handling malicious "BulletProof session" (.bps) files. BulletProof FTP version 2.63 build 56 is affected by this issue.
    • Ref: http://www.securityfocus.com/archive/1/507031

    • 09.42.5 - CVE: CVE-2009-3587, CVE-2009-3588
    • Platform: Third Party Windows Apps
    • Title: Computer Associates Anti-Virus Engine
    • Description: Computer Associates Anti-Virus engine is an antivirus scan engine included in various Computer Associates products. Multiple Computer Associates products are exposed to memory corruption issues that affect the Anti-Virus engine. The application is exposed to this vulnerability because of heap and memory corruption issues in the "arclib" component when handling specially crafted RAR archives. Anti-Virus engines with an "arclib" version earlier than 8.1.4.0 are affected by this issue.
    • Ref: http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=218878

    • 09.42.6 - CVE: CVE-2009-1382
    • Platform: Linux
    • Title: mimeTeX Multiple Stack Buffer Overflow Vulnerabilities
    • Description: mimeTeX is a math component for LaTeX. The application is exposed to multiple stack-based buffer overflow issues because the application fails to perform adequate boundary checks on user-supplied data. The issue occurs when handling TeX files containing excessively large "picture", "circle", and "input tag" expressions.
    • Ref: http://www.ocert.org/advisories/ocert-2009-010.html

    • 09.42.7 - CVE: CVE-2009-2459
    • Platform: Linux
    • Title: mimeTeX Multiple Information Disclosure
    • Description: mimeTeX is a math component for LaTeX. mimeTeX is exposed to multiple information disclosure issues. The application is exposed to these issues because it fails to sufficiently validate user-supplied input to the "environ", "input" and "counter" TeX directives. Successfully exploiting these issues may give attackers leverage to gain access to sensitive information.
    • Ref: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2459

    • 09.42.8 - CVE: Not Available
    • Platform: Linux
    • Title: Linux Kernel "net/ax25/af_ax25.c" Local Denial of Service
    • Description: The Linux kernel is exposed to a local denial of service issue because it fails to properly verify the signedness of a user-supplied value. The issue occurs because the "ax25_setsockopt()" function in the "net/ax25/af_ax25.c" source file fails to check for a negative value in user-supplied input before using it to assign a buffer length. Successfully exploiting this issue will cause the kernel to crash, denying service to legitimate users. Linux kernel versions earlier than 2.6.31.2 are affected by this issue.
    • Ref: http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.31.2

    • 09.42.9 - CVE: CVE-2009-2908
    • Platform: Linux
    • Title: Linux Kernel eCryptfs Lower Dentry Null Pointer Dereference Local Denial of Service
    • Description: The Linux kernel is exposed to a local denial of service issue that exists in the "eCryptfs" component. This issue occurs in the "ecryptfs_read_update_atime()" function and the "ecryptfs_getxattr()" function. Specifically, when "vfs_unlink()" is invoked on the lower dentry, "d_delete()" turns the dentry into a negative dentry when its d_count is 1. This causes a NULL pointer dereference when a read or write is performed on the negative dentry's "d_inode". Linux kernel versions earlier than 2.6.31.2 are affected by this issue.
    • Ref: https://bugzilla.redhat.com/show_bug.cgi?id=527534

    • 09.42.10 - CVE: Not Available
    • Platform: Aix
    • Title: IBM AIX "rpc.cmsd" Calendar Daemon Remote Stack Buffer Overflow
    • Description: IBM AIX is a UNIX-based operating system. The Calendar Manager Service daemon is an RPC application used to manage schedules and calendars. AIX is exposed to a remote stack-based buffer overflow issue that occurs in the calendar daemon library "libcsa.a" when the software handles a request for remote procedure 21. The length of the first argument to the affected function isn't properly validated. IBM Virtual I/O Server (VIOS) 1.4, 1.5, 2.1 and IBM AIX 6.1, 5.3 are affected by this issue.
    • Ref: http://aix.software.ibm.com/aix/efixes/security/cmsd_advisory.asc

    • 09.42.11 - CVE: Not Available
    • Platform: Cross Platform
    • Title: Sun VirtualBox VBoxNetAdpCtl Configuration Tool Local Privilege Escalation
    • Description: Sun VirtualBox is an x86 virtualization application. Sun VirtualBox is exposed to a local privilege escalation issue that occurs in the "VBoxNetAdpCtl" configuration tool. Successfully exploiting this issue will allow a local attacker to run arbitrary code with superuser privileges and completely compromise the affected computer. Sun VirtualBox versions 3.0.6, 3.0.4, 3.0.2 and 3.0 are affected by this issue.
    • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-66-268188-1

    • 09.42.12 - CVE: Not Available
    • Platform: Cross Platform
    • Title: VMware Player and Workstation "vmware-authd" Remote Denial of Service Vulnerability
    • Description: VMware Player and Workstation are virtualization applications available for multiple platforms. The applications are exposed to a remote denial of service issue because the applications fail to perform adequate validation checks on user-supplied input. The problem affects the "vmware-authd.exe" process listening on TCP port 912 by default. Specifically, the software fails to handle "USER" and "PASS" parameters containing "x25xFF" characters when logging in remotely. VMware Player 2.5.3 build 185404 and VMware Workstation 6.5.3 build 185404 are affected by this issue.
    • Ref: http://www.shinnai.net/index.php?mod=02_Forum&group=02_Bugs_and_Exploits&argument=01_Remote&topic=1254924405.ff.php

    • 09.42.13 - CVE: CVE-2009-3459
    • Platform: Cross Platform
    • Title: Adobe Acrobat Reader Remote Code Execution
    • Description: Adobe Acrobat Reader is an application for handling PDF files. It is available for multiple platforms. The application is exposed to a remote code execution issue when handling specially malformed PDF files. Successfully exploiting this issue may allow the attacker to execute arbitrary code in the context of the user running the affected application.
    • Ref: http://www.adobe.com/support/security/bulletins/apsb09-15.html

    • 09.42.14 - CVE: Not Available
    • Platform: Cross Platform
    • Title: Attachmate Reflection for Secure IT Active Template Library Remote Code Execution Vulnerabilities
    • Description: Attachmate Reflection for Secure IT is a set of Secure Shell clients and servers for Windows and UNIX platforms. The application is exposed to remote code-execution issues because it is being compiled against the Microsoft Active Template Library (ATL). Attachmate Reflection for Secure IT Windows Server 7.0 SP1 and Attachmate Reflection for Secure IT Windows Client 7.0 SP1 are affected by this issue.
    • Ref: http://support.attachmate.com/techdocs/2471.html http://support.attachmate.com/techdocs/2446.html

    • 09.42.15 - CVE: Not Available
    • Platform: Web Application - Cross Site Scripting
    • Title: Multiple HP JetDirect Printers Multiple Unspecified Cross-Site Scripting
    • Description: HP LaserJet, Color LaserJet, and Digital Sender devices are print devices that incorporate the HP JetDirect engine and the Embedded Web Server (EWS). Multiple HP print devices are exposed to multiple unspecified cross-site scripting issues because the web-based interface fails to properly sanitize user-supplied input.
    • Ref: http://www.securityfocus.com/archive/1/507038

    • 09.42.16 - CVE: Not Available
    • Platform: Web Application - Cross Site Scripting
    • Title: Exponent CMS Contact Module Cross-Site Scripting
    • Description: Exponent CMS is a PHP-based content management system. Exponent CMS is exposed to a cross-site scripting issue in the Contact module because the application fails to sufficiently sanitize user-supplied input. This issue affects the "email" parameter. Exponent CMS version 0.97-GA20090213 is affected by this issue.
    • Ref: http://www.securityfocus.com/bid/36626

    • 09.42.17 - CVE: Not Available
    • Platform: Web Application - SQL Injection
    • Title: Joomla! "com_recerca" SQL Injection
    • Description: "com_recerca" is a PHP-based component for the Joomla! content manager. The component is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data to the "ansubdepartments_id" parameter before using it in an SQL query. Successfully exploiting this issue may allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
    • Ref: http://www.securityfocus.com/bid/36627

    • 09.42.18 - CVE: Not Available
    • Platform: Web Application - SQL Injection
    • Title: Docebo Multiple SQL Injection Vulnerabilities
    • Description: Docebo is PHP-based e-learning software for enterprises. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data to some scripts and parameters before using the data in an SQL query. Docebo version 3.6.0.3 is affected by these issues.
    • Ref: http://www.securityfocus.com/archive/1/507072

    • 09.42.19 - CVE: Not Available
    • Platform: Web Application
    • Title: AIOCP "cp_html2xhtmlbasic.php" Remote File Include Vulnerability
    • Description: AIOCP (All In One Control Panel) is a content manager implemented in PHP and MySQL. The application is exposed to a remote file include issue because it fails to sufficiently sanitize user-supplied input to the "page" parameter of the "public/code/cp_html2xhtmlbasic.php" script. AIOCP version 1.4.001 is affected by this issue.
    • Ref: http://www.securityfocus.com/archive/1/507030

    • 09.42.20 - CVE: CVE-2009-2937
    • Platform: Web Application
    • Title: Planet CDATA Filtering HTML Injection Vulnerability
    • Description: Planet is a web-based feed aggregator. The application is exposed to an HTML injection issue because the application fails to properly sanitize user-supplied input before displaying it in a web browser. Planet version 2.0 is affected by this issue.
    • Ref: https://bugzilla.redhat.com/show_bug.cgi?id=525772

    • 09.42.21 - CVE: Not Available
    • Platform: Web Application
    • Title: vBulletin "Home Page" Field HTML Injection Vulnerability
    • Description: vBulletin is a web-based content manager written in PHP. The Visitor Message addon is included with vBulletin and provides social-networking functionality. vBulletin is exposed to an HTML injection issue because it fails to sufficiently sanitize user-supplied input for the "Home Page" field of the "user-profile" section. vBulletin versions earlier than 3.8.4 PL1, 3.7.6 PL1, and 3.6.12 PL2 are affected by this issue.
    • Ref: http://www.vbulletin.com/forum/showthread.php?t=319572

    (c) 2009. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

    Subscriptions: @RISK is distributed free of charge by the SANS Institute to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.