@RISK: The Consensus Security Vulnerability Alert

Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys

• (1) HIGH: Google Chrome Multiple Vulnerabilities
• (2) HIGH: Adobe Shockwave Player Code Execution Vulnerabilities

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

Third Party Windows Apps

• 10.35.1 - Adersoft VbsEdit ".vbs" File Denial Of Service Issue
• 10.35.2 - UiPlayer "UiCheck.dll" ActiveX Buffer Overflow
• 10.35.3 - Tuniac ".m3u" File Buffer Overflow

Linux

• 10.35.4 - Red Hat VDSM Module SSL Connection Denial of Service Issue
• 10.35.5 - Linux Kernel KVM Intel VT-x Extension NULL Pointer Denial of Service
• 10.35.6 - Linux Kernel Controller Area Network Protocol Local Privilege Escalation
• 10.35.7 - Linux Kernel JFS xattr Namespace Rules Security Bypass Issue

BSD

• 10.35.8 - FreeBSD "setusercontext()" Local Security Bypass Issue

Cross Platform

• 10.35.9 - PHP "ibase_gen_id()" Function off-by-one Buffer Overflow
• 10.35.10 - Serv-U Denial of Service and Security Bypass Vulnerabilities
• 10.35.11 - Apple iTunes Log File Insecure File Operation Local Privilege Escalation
• 10.35.12 - IBM Tivoli Storage Manager FastBack Remote Code Execution and Denial of Service Vulnerabilities
• 10.35.13 - Google Chrome Multiple Security Vulnerabilities
• 10.35.14 - Novell iPrint Client Multiple Security Vulnerabilities
• 10.35.15 - QEMU KVM Multiple Issues
• 10.35.16 - libHX "HX_split()" Remote Heap-Based Buffer Overflow Issue
• 10.35.17 - Oracle MySQL "TEMPORARY InnoDB" Tables Denial of Service

Web Application - Cross Site Scripting

• 10.35.18 - LXR Cross Referencer TITLE Element Cross-Site Scripting Issue
• 10.35.19 - ACCESSGUARDIAN Unspecified Cross-Site Scripting Issue
• 10.35.20 - Online Work Order Suite Lite Edition Multiple Cross-Site Scripting Vulnerabilities
• 10.35.21 - Drupal Simplenews Content Selection Module Cross-Site Scripting Issue
• 10.35.22 - ViArt Helpdesk Multiple Cross-Site Scripting Vulnerabilities
• 10.35.23 - phpMyAdmin Multiple Cross-Site Scripting Vulnerabilities

Web Application - SQL Injection

• 10.35.24 - PHP City Portal "login.php" Multiple SQL Injection Issues

Web Application

• 10.35.25 - PHPCMS2008 "download.php" Information Disclosure Issue
• 10.35.26 - Mollify Authentication Bypass Vulnerability and Multiple Information Disclosure Weaknesses
• 10.35.27 - MAXcms Multiple Remote File Include Issues
• 10.35.28 - DotNetNuke Syndication Handler Remote Denial of Service Issue
• 10.35.29 - Netpet CMS "confirm.php" Local File Include
• 10.35.30 - In-Portal CMS "index.php" Local File Include
• 10.35.31 - phpMyAdmin Configuration File PHP Code Injection

Network Device

• 10.35.32 - Blue Coat ProxySG Read Only Administrator Security Bypass Issue
• 10.35.33 - SonicWALL E-Class SSL-VPN Format String Issue

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 35, 2010

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 9947 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.

• 10.35.1 - CVE: Not Available
• Platform: Third Party Windows Apps
• Title: Adersoft VbsEdit ".vbs" File Denial Of Service Issue
• Description: Adersoft VbsEdit is a VBScript editor available for Microsoft Windows. The application is exposed to a denial of service issue. Specifically, the issue occurs when a crafted ".vbs" file is parsed. Adersoft VbsEdit version 4.6.1 is affected.
• Ref: http://www.securityfocus.com/bid/42525/references

• 10.35.2 - CVE: CVE-2009-2970
• Platform: Third Party Windows Apps
• Title: UiPlayer "UiCheck.dll" ActiveX Buffer Overflow
• Description: UiPlayer is exposed to a buffer overflow issue because the application utilize an ActiveX control that fails to adequately validate user-supplied input. UiTV UiPlayer versions1.0.0.6 and earlier are affected.
• Ref: http://www.nsfocus.com/en/advisories/0901.html

• 10.35.3 - CVE: CVE-2009-4867
• Platform: Third Party Windows Apps
• Title: Tuniac ".m3u" File Buffer Overflow
• Description: Tuniac is a multimedia application for Microsoft Windows. The application is exposed to a buffer overflow issue because it fails to perform adequate checks on user-supplied input. Specifically, this issue occurs when opening a specially crafted ".m3u" file. Tuniac version 090517c is affected.
• Ref: http://www.securityfocus.com/bid/42568

• 10.35.4 - CVE: Not Available
• Platform: Linux
• Title: Red Hat VDSM Module SSL Connection Denial of Service Issue
• Description: Red Hat VDSM Module is management module that serves as a Red Hat Enterprise Virtualization Manager agent on Red Hat Enterprise Virtualization Hypervisor or Red Hat Enterprise Linux hosts. The module is exposed to a denial of service issue. Specifically, this issue occurs when accepting a specially crafted SSL connection.
• Ref: http://www.securityfocus.com/bid/42580/references

• 10.35.5 - CVE: CVE-2010-0435
• Platform: Linux
• Title: Linux Kernel KVM Intel VT-x Extension NULL Pointer Denial of Service
• Description: The Linux kernel is exposed to a denial of service issue that affects the Kernel based Virtual Machine. Specifically, if the Intel-VT-x extension is enabled, a NULL pointer exception can be triggered with a crafted "mov" instruction.
• Ref: https://patchwork.kernel.org/patch/95725/

• 10.35.6 - CVE: CVE-2010-2959
• Platform: Linux
• Title: Linux Kernel Controller Area Network Protocol Local Privilege Escalation
• Description: The Linux kernel is exposed to a local privilege escalation issue because it fails to properly handle applications that expand stacks into adjacent memory regions. Linux kernel is affected on multiple architectures.
• Ref: http://www.securityfocus.com/bid/42585/references

• 10.35.7 - CVE: CVE-2010-2946
• Platform: Linux
• Title: Linux Kernel JFS xattr Namespace Rules Security Bypass Issue
• Description: The Linux kernel is exposed to a security bypass issue affecting the JFS filesystem. Specifically, local attackers can bypass extended file attributes ("xattr") namespace access rules by appending "os2." to the front of a valid "xattr" name.
• Ref: http://www.securityfocus.com/bid/42589

• 10.35.8 - CVE: Not Available
• Platform: BSD
• Title: FreeBSD "setusercontext()" Local Security Bypass Issue
• Description: FreeBSD is a BSD based operating system. FreeBSD is exposed to a local security bypass issue. Specifically, this issue occurs because the "setusercontext()" function in the "lib/libutil/login_class.c" file applies certain user settings in an insecure manner while running with the privileges of another user.
• Ref: http://www.freebsd.org/cgi/query-pr.cgi?pr=141840

• 10.35.9 - CVE: Not Available
• Platform: Cross Platform
• Title: PHP "ibase_gen_id()" Function off-by-one Buffer Overflow
• Description: PHP is a general purpose scripting language that is especially suited for web development and can be embedded into HTML. PHP is exposed to an off-by-one buffer overflow issue because it fails to perform boundary checks before copying user-supplied data to insufficiently sized memory buffers. PHP version 5.3.3 is affected.
• Ref: http://www.exploit-db.com/exploits/14678/

• 10.35.10 - CVE: Not Available
• Platform: Cross Platform
• Title: Serv-U Denial of Service and Security Bypass Vulnerabilities
• Description: Serv-U is a file server. The application is exposed to multiple issues. A security bypass issue occurs when handling virtual paths and may allow attackers to create directories without sufficient privileges. A denial of service issue that occurs when processing certain invalid URL parameters may result in a crash of the application. Serv-U versions prior to 10.2.0.0 are affected.
• Ref: http://www.serv-u.com/releasenotes/

• 10.35.11 - CVE: CVE-2010-1768, CVE-2010-1795
• Platform: Cross Platform
• Title: Apple iTunes Log File Insecure File Operation Local Privilege Escalation
• Description: Apple iTunes is a media player for Microsoft Windows and Apple Mac OS X. Apple iTunes is exposed to a local privilege escalation issue due to an insecure file operation when handling log files for mobile devices. Apple iTunes versions prior to 9.1 on Apple Mac OS X are affected.
• Ref: http://support.apple.com/kb/HT4105

• 10.35.12 - CVE: Not Available
• Platform: Cross Platform
• Title: IBM Tivoli Storage Manager FastBack Remote Code Execution and Denial of Service Vulnerabilities
• Description: IBM Tivoli Storage Manager FastBack is a storage management and recovery application for Microsoft Windows and Linux. The application is exposed to multiple remote issues. IBM Tivoli Storage Manager FastBack versions prior to 5.5.7 or 6.1.1 are affected.
• Ref: http://www.securityfocus.com/bid/42549/references

• 10.35.13 - CVE: Not Available
• Platform: Cross Platform
• Title: Google Chrome Multiple Security Vulnerabilities
• Description: Google Chrome is a web browser for multiple platforms. Google Chrome is exposed to multiple issues. Attackers can exploit these issues to execute arbitrary code in the context of the browser, cause denial of service, or disclose sensitive information. Other attacks are also possible. Chrome Versions prior to 5.0.375.127 are affected.
• Ref: http://googlechromereleases.blogspot.com/2010/08/stable-channel-update_19.html

• 10.35.14 - CVE: CVE-2010-1527
• Platform: Cross Platform
• Title: Novell iPrint Client Multiple Security Vulnerabilities
• Description: Novell iPrint Client is a client application for printing over the Internet. The application is exposed to multiple security issues. A stack-based buffer overflow issue affects the "call-back-url" parameter for a "op-client-interface-version" operation when the "result-type" parameter is set to "url". A security issue that occurs in PluginGetDriverFile can be exploited to use data in uninitialized memory as a pointer. Novell iPrint Client versions prior 5.44 are affected.
• Ref: http://www.novell.com/support/viewContent.do?externalId=7006679

• 10.35.15 - CVE: CVE-2010-0428, CVE-2010-0431, CVE-2010-2784,CVE-2010-0429
• Platform: Cross Platform
• Title: QEMU KVM Multiple Issues
• Description: QEMU is a processor emulator that is available for various platforms. QEMU KVM is exposed to multiple issues. A local privilege escalation issue occurs because the "libspice" component of QEMU KVM on the host fails to validate all pointers provided from the guest system's QXL graphics card driver. A local memory corruption issue occurs in the QXL graphics card driver.
• Ref: https://bugzilla.redhat.com/show_bug.cgi?id=568809

• 10.35.16 - CVE: CVE-2010-2947
• Platform: Cross Platform
• Title: libHX "HX_split()" Remote Heap-Based Buffer Overflow Issue
• Description: libHX is a C library that provides functionality common to scripting languages. The library is exposed to a heap-based buffer overflow issue because it fails to properly validate user-supplied input. The issue occurs when the "HX_split()" function is called with fewer string fields than expected. libHX version 3.5 is affected.
• Ref: http://www.securityfocus.com/bid/42592

• 10.35.17 - CVE: Not Available
• Platform: Cross Platform
• Title: Oracle MySQL "TEMPORARY InnoDB" Tables Denial of Service
• Description: MySQL is an open-source SQL database available for multiple operating systems. MySQL is exposed to a denial of service issue because the application fails to properly use "TEMPORARY InnoDB" tables with nullable columns. MySQL versions prior to 5.1.49 are affected.
• Ref: http://bugs.mysql.com/bug.php?id=54044

• 10.35.18 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: LXR Cross Referencer TITLE Element Cross-Site Scripting Issue
• Description: LXR Cross Referencer is a web-based general purpose source code indexer and cross referencer. The application is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied data. This issue affects a string in the search page's TITLE element in the "lib/LXR/Common.pm" file. LXR Cross Referencer versions prior 0.98 are affected.
• Ref: http://lxr.cvs.sourceforge.net/viewvc/lxr/lxr/lib/LXR/Common.pm?view=log#rev1.64

• 10.35.19 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: ACCESSGUARDIAN Unspecified Cross-Site Scripting Issue
• Description: ACCESSGUARDIAN is a web application. ACCESSGUARDIAN is exposed to an unspecified cross-site scripting issue because it fails to properly sanitize user-supplied input. ACCESSGUARDIAN versions prior to 3.0.16 and 3.5.9 are affected.
• Ref: http://www.securityfocus.com/bid/42522/references

• 10.35.20 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: Online Work Order Suite Lite Edition Multiple Cross-Site Scripting Vulnerabilities
• Description: Online Work Order Suite Lite Edition is a PHP-based web application. The application is exposed to multiple cross-site scripting issues because it fails to sanitize user-supplied input. Online Work Order Suite Lite Edition 3.10 is affected.
• Ref: http://www.securityfocus.com/bid/42535

• 10.35.21 - CVE: Not Available
• Platform: Web Application - Cross Site Scripting
• Title: Drupal Simplenews Content Selection Module Cross-Site Scripting Issue
• Description: Simplenews Content Selection is a module of the Drupal content manager. The module is exposed to a cross-site scripting issue because it fails to properly sanitize unspecified user input in its administrator page. Simplenews Content Selection version 6.x-1.5 is affected.
• Ref: http://www.securityfocus.com/bid/42540

• 10.35.22 - CVE: CVE-2009-4548
• Platform: Web Application - Cross Site Scripting
• Title: ViArt Helpdesk Multiple Cross-Site Scripting Vulnerabilities
• Description: ViArt Helpdesk is a PHP-based web application. The application is exposed to multiple cross-site scripting issues because it fails to properly sanitize user-supplied input.
• Ref: http://www.securityfocus.com/bid/42543

• 10.35.23 - CVE: CVE-2010-3056
• Platform: Web Application - Cross Site Scripting
• Title: phpMyAdmin Multiple Cross-Site Scripting Vulnerabilities
• Description: phpMyAdmin is a web-based administration interface for MySQL databases. The application is exposed to multiple cross-site scripting issues because it fails to properly sanitize user-supplied input. phpMyAdmin versions 2.11.x prior to 2.11.10.1 and phpMyAdmin 3.x prior to 3.3.5.1 are affected.
• Ref: http://www.phpmyadmin.net/home_page/security/PMASA-2010-5.php

• 10.35.24 - CVE: CVE-2009-4870
• Platform: Web Application - SQL Injection
• Title: PHP City Portal "login.php" Multiple SQL Injection Issues
• Description: PHP City Portal is a PHP-based content management application. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user supplied data to the "req_username" and "req_password" parameters of the "login.php" script.
• Ref: http://www.securityfocus.com/bid/42536/references

• 10.35.25 - CVE: Not Available
• Platform: Web Application
• Title: PHPCMS2008 "download.php" Information Disclosure Issue
• Description: PHPCMS2008 is a PHP-based content manager. The application is exposed to an information disclosure issue because it fails to sufficiently validate user supplied input to the "f" parameter of the "download.php" script.
• Ref: http://www.securityfocus.com/archive/1/507271

• 10.35.26 - CVE: Not Available
• Platform: Web Application
• Title: Mollify Authentication Bypass Vulnerability and Multiple Information Disclosure Weaknesses
• Description: Mollify is a web file manager. The application is exposed to an authentication bypass issue because it fails to verify user-supplied data to the "backend/r.php" script before using it to download files. Mollify versions prior to 1.6.5.5 are affected.
• Ref: http://code.google.com/p/mollify/wiki/ChangeLog#Version_1.6.5.5

• 10.35.27 - CVE: Not Available
• Platform: Web Application
• Title: MAXcms Multiple Remote File Include Issues
• Description: MAXcms is a PHP-based content management system. The application is exposed to multiple remote file include issues because it fails to properly sanitize user supplied input to multiple parameters and scripts. MAXcms version 3.11.20b is affected.
• Ref: http://www.securityfocus.com/bid/42534/references

• 10.35.28 - CVE: Not Available
• Platform: Web Application
• Title: DotNetNuke Syndication Handler Remote Denial of Service Issue
• Description: DotNetNuke is an open source framework for creating and deploying websites. The application is exposed to a denial of service issue that occurs when handling certain requests for the syndication handler. DotNetNuke versions prior to 5.5.0 are affected.
• Ref: http://www.securityfocus.com/bid/42550

• 10.35.29 - CVE: Not Available
• Platform: Web Application
• Title: Netpet CMS "confirm.php" Local File Include
• Description: Netpet CMS is a PHP-based content management system. The application is exposed to a local file include issue because it fails to properly sanitize user-supplied input to the "language" parameter of the "netpet/confirm.php" script. Netpet CMS version 1.9 is affected.
• Ref: http://www.securityfocus.com/bid/42553/references

• 10.35.30 - CVE: Not Available
• Platform: Web Application
• Title: In-Portal CMS "index.php" Local File Include
• Description: In-Portal is a PHP-based content management system. The application is exposed to a local file include issue because it fails to properly sanitize user-supplied input to the "env" parameter of the "index.php" script. In-Portal CMS version 4.3.1 is affected.
• Ref: http://www.securityfocus.com/bid/42565

• 10.35.31 - CVE: CVE-2010-3055
• Platform: Web Application
• Title: phpMyAdmin Configuration File PHP Code Injection
• Description: phpMyAdmin is a PHP-based web application. phpMyAdmin is exposed to an issue that lets attackers inject arbitrary PHP code. The issue occurs because the application fails to properly sanitize user-supplied input to the setup script. phpMyAdmin versions prior to 2.11.10.1 are affected.
• Ref: http://www.phpmyadmin.net/home_page/security/PMASA-2010-4.php

• 10.35.32 - CVE: Not Available
• Platform: Network Device
• Title: Blue Coat ProxySG Read Only Administrator Security Bypass Issue
• Description: Blue Coat ProxySG is an enterprise proxy appliance. The device is exposed to a security bypass issue because it fails to restrict access to certain pages in the Management Console and the Command Line Interface. Specifically, commands sent through an HTTPS URI bypasses the privilege enforcement and allow a read only administrator to execute all administrative commands. Blue Coat ProxySG Versions prior to 5.5.3.1 are affected.
• Ref: https://kb.bluecoat.com/index?page=content&id=SA45

• 10.35.33 - CVE: Not Available
• Platform: Network Device
• Title: SonicWALL E-Class SSL-VPN Format String Issue
• Description: SonicWALL E-Class SSL VPN is an appliance designed to provide remote VPN access to the corporate network. It comes with an ActiveX control. The ActiveX control contains a format string issue that occurs because the application fails to properly sanitize user-supplied data that contain format specifiers. Specifically, a format string issue resides in the "AuthCredential" function of the ActiveX control identified by CLSID: 2A1BE1E7-C550-4D67-A553-7F2D3A39233D This issue affects SonicWALL E-Class SSL-VPN version 10.0.4 and all previous versions as well as 10.5.1 without a hot fix.
• Ref: http://www.securityfocus.com/bid/42548

(c) 2010. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge by the SANS Institute to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.