
@RISK: The Consensus Security Vulnerability Alert

Volume: IX, Issue: 46
November 11, 2010

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Summary of Updates and Vulnerabilities in this Consensus

    Platform                          Number of Updates and Vulnerabilities
    --------------------------------  -------------------------------------
    Microsoft Office                  2 (#1)
    Other Microsoft Products          1
    Third Party Windows Apps          1 (#2)
    Mac Os                            1 (#3)
    Linux                             6
    Novell                            1
    Cross Platform                    20 (#4)
    Web Application - SQL Injection   1
    Web Application                   3

****************** Sponsored By Palo Alto Networks ***************

Please join us for the SANS Analyst Webcast: "Taming the Social Networking Beast" on December 7, 1PM ET sponsored by Palo Alto Networks. In this webcast, learn the risks social networking brings to enterprises and how to enable social networking while protecting against risks. Featuring SANS Fellow Eric Cole, PhD. Register for this webcast to receive an advance copy of a special SANS accompanying whitepaper on the same topic. Go to http://www.sans.org/info/66683

******************************************************************

TRAINING UPDATE

New "Combating Malware in the Enterprise" course at SANS (SEC569). How do you fight off malware when you have thousands of hosts? Course debut in Las Vegas (Sept'10) and Washington DC (Dec'10): http://www.sans.org/security-training/combating-malware-enterprise-1482-mid

-- SANS San Francisco 2010, November 7-12, 2010
   7 courses. Bonus evening presentations include Weaponizing LISP: Advancing the Art of Network Security
   http://www.sans.org/san-francisco-2010/

-- SANS London 2010, November 27-December 6, 2010
   14 courses. Bonus evening presentations include Latest Advances in Computer Forensics and Continuous Vulnerability Testing and Remediation: The 20 Critical Security Controls Perspective
   http://www.sans.org/london-2010/

-- SANS Cyber Defense Initiative 2010, Washington DC, December 10-17, 2010
   24 courses. Bonus evening presentations include Browser Based Defenses; Continuous Vulnerability Testing and Remediation: the 20 Critical Security Controls Perspective; and Cyberwar or Business as Usual? The State of US Federal CyberSecurity Efforts
   http://www.sans.org/cyber-defense-initiative-2010/

-- SANS Security East 2011, New Orleans, LA, January 20-27, 2011
   12 courses. Bonus evening presentations and special events include Happy Little Clouds: Governing, Assessing and Auditing Cloud Environments and Future Trends in Network Security
   http://www.sans.org/security-east-2011/

-- Looking for training in your own community? http://sans.org/community/

Save on On-Demand training (30 full courses) - See samples at http://www.sans.org/ondemand/discounts.php#current

Plus San Antonio, Geneva, Tokyo, Sydney, Manama and Muscat all in the next 90 days. For a list of all upcoming events, on-line and live: http://www.sans.org/index.php

*********************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Microsoft Office
Other Microsoft Products
Third Party Windows Apps
Mac Os
Linux
Novell
Cross Platform
Web Application - SQL Injection
Web Application
PART I Critical Vulnerabilities

Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/risk/#process

Widely Deployed Software
  • (1) HIGH: Microsoft Office Multiple Code Execution Vulnerabilities
  • Affected:
    • Microsoft Office XP Service Pack 3
    • Microsoft Office 2003 Service Pack 3
    • Microsoft Office 2007 Service Pack 2
    • Microsoft Office 2010
    • Microsoft Office 2004 for Mac
    • Microsoft Office 2008 for Mac
    • Microsoft Office for Mac 2011
    • Open XML File Format Converter for Mac
  • Description: Microsoft has released a security patch for multiple vulnerabilities affecting Microsoft Office. By sending a malicious Rich Text Format (RTF) email, an attacker can exploit one of these vulnerabilities to execute arbitrary code with the permissions of the currently logged-in user. This particular vulnerability does not appear to require user interaction beyond viewing or previewing the email. Microsoft notes in its security bulletin that updates are not yet available for Microsoft Office 2004 for Mac, Microsoft Office 2008 for Mac, and Open XML File Format Converter for Mac. Microsoft has also released updates addressing unspecified security advisories in PowerPoint.

  • Status: vendor confirmed, updates available

  • References:
  • (2) HIGH: Adobe Flash Media Server Remote Code Execution
  • Affected:
    • Adobe Flash Media Server 3.5.x prior to 3.5.5
    • Adobe Flash Media Server 3.0.x prior to 3.0.7
    • Adobe Flash Media Server 4.0.x prior to 4.0.1
  • Description: Adobe has released a patch for an unspecified memory-corruption vulnerability affecting its Flash Media Server. Flash Media Server is a hub for Flash applications; it serves Flash content via the Real Time Messaging Protocol (RTMP). Because this vulnerability lies in the server, it is likely that no user interaction is needed to exploit it. According to Adobe, this vulnerability can be used by an attacker to execute arbitrary code.

  • Status: vendor confirmed, updates available

  • References:
  • (4) MEDIUM: Apple QuickTime Movie Malformed H.264 Sample Remote Code Execution Vulnerability
  • Affected:
    • Apple QuickTime prior to 7.6.6
  • Description: Apple has released a security patch for QuickTime, its multimedia viewer. By enticing the user to open a malicious file, an attacker can exploit this vulnerability in order to execute arbitrary code. The vulnerable code, responsible for parsing H.264 codec data, fails to correctly calculate the length of a heap buffer, which can subsequently overflow.

  • Status: vendor confirmed, updates available

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 46, 2010

Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 10459 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 10.46.1 - CVE: CVE-2010-3333,CVE-2010-3334,CVE-2010-3335,CVE-2010-3336,CVE-2010-3337
  • Platform: Microsoft Office
  • Title: Microsoft Office Remote Code Execution Issue
  • Description: Microsoft Office is exposed to a remote code execution issue. This issue occurs when handling a specially crafted Office file.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS10-087.mspx

  • 10.46.2 - CVE: CVE-2010-2572,CVE-2010-2573
  • Platform: Microsoft Office
  • Title: Microsoft PowerPoint Remote Buffer Overflow Issue
  • Description: Microsoft PowerPoint is a presentation application. Microsoft PowerPoint is exposed to a remote buffer overflow issue. Specifically, this issue occurs when parsing specially crafted PowerPoint 95 files.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS10-088.mspx

  • 10.46.3 - CVE: CVE-2010-2732,CVE-2010-2733,CVE-2010-2734,CVE-2010-3936
  • Platform: Other Microsoft Products
  • Title: Microsoft Forefront Unified Access Gateway Elevation of Privilege Issues
  • Description: Microsoft Forefront Unified Access Gateway provides remote access to enterprise resources. Microsoft Forefront Unified Access Gateway is exposed to multiple security issues.
  • Ref: http://www.microsoft.com/technet/security/Bulletin/MS10-089.mspx

  • 10.46.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: SmartFTP "filename" Unspecified Security Issue
  • Description: SmartFTP is an FTP client program for Microsoft Windows. The application is exposed to an unspecified security issue that occurs when a filename is processed by the application. SmartFTP versions prior to 4.0 Build 1142 are affected.
  • Ref: http://smartftp.com/forums/index.php?/topic/16425-smartftp-client-4-0-change-log

  • 10.46.5 - CVE: Not Available
  • Platform: Mac Os
  • Title: Apple Mac OS X ATSServer CFF "CharStrings" Index Sign Mismatch Remote Code Execution
  • Description: ATSServer is a process built into Mac OS X that manages fonts and makes them available to various applications. Apple Mac OS X is exposed to a remote code execution issue in the ATSServer component. Apple Mac OS X version 10.5 is affected.
  • Ref: http://www.coresecurity.com/content/Apple-OSX-ATSServer-CharStrings-Sign-Mismatch

  • 10.46.6 - CVE: Not Available
  • Platform: Linux
  • Title: Linux Kernel Multiple "net/" Subsystems Local Information Disclosure Issues
  • Description: The Linux kernel is exposed to multiple local information disclosure issues because it fails to properly clear certain structure members before sending them to user space.
  • Ref: http://www.securityfocus.com/bid/44630

  • 10.46.7 - CVE: CVE-2010-3873
  • Platform: Linux
  • Title: Linux Kernel "x25_parse_facilities()" Remote Denial of Service
  • Description: The Linux kernel is exposed to a remote denial of service issue because it fails to properly handle user supplied input. Specifically, the "x25_parse_facilities()" function in the "net/x25/x25_facilities.c" source file does not properly parse x.25 facilities.
  • Ref: http://www.securityfocus.com/bid/44642

  • 10.46.8 - CVE: CVE-2010-3874
  • Platform: Linux
  • Title: Linux Kernel CAN Protocol Information Disclosure Issue
  • Description: The Linux kernel is exposed to an information disclosure issue in the CAN protocol implementation. Specifically, this issue occurs in the "bcm_connect()" function of the "net/can/bcm.c" file as it discloses the address of a kernel heap object in the form of a proc filename.
  • Ref: http://permalink.gmane.org/gmane.comp.security.oss.general/3703

  • 10.46.9 - CVE: Not Available
  • Platform: Linux
  • Title: Linux Kernel "ipc/sem.c" Information Disclosure Issue
  • Description: The Linux kernel is prone to a local denial of service issue that affects the "inet_diag.c" source file. The problem occurs because "INET_DIAG" is not consistent when it is looking up the bytecode string contained in a netlink message. This can be exploited to cause unaudited bytecode to be executed.
  • Ref: http://www.securityfocus.com/bid/44665

  • 10.46.10 - CVE: CVE-2010-3869,CVE-2010-3868
  • Platform: Linux
  • Title: Red Hat Certificate System Authentication Bypass And Security Bypass Vulnerabilities
  • Description: Red Hat Certificate System is an enterprise level Public Key Infrastructure deployment manager. Red Hat Certificate System is exposed to multiple issues. An authentication bypass issue occurs when capturing Simple Certificate Enrollment Protocol requests from the network to obtain a one time PIN. A security bypass issue may allow a remote attacker to generate an unlimited number of certificates and perform unauthorized actions. Red Hat Certificate System versions 7.3 and 8 are affected.
  • Ref: https://bugzilla.redhat.com/show_bug.cgi?id=648883

  • 10.46.11 - CVE: CVE-2010-3066
  • Platform: Linux
  • Title: Linux Kernel "io_submit_one()" NULL Pointer Dereference Denial of Service
  • Description: The Linux kernel is exposed to a denial of service issue due to a NULL pointer dereference condition. This issue occurs in the "io_submit_one()" function in the implementation of asynchronous I/O.
  • Ref: https://bugzilla.redhat.com/show_bug.cgi?id=631716

  • 10.46.12 - CVE: Not Available
  • Platform: Novell
  • Title: Novell ZENworks Handheld Management "ZfHIPCND.exe" Buffer Overflow
  • Description: Novell ZENworks Handheld Management is an application used to secure stolen handheld devices from leaking sensitive information. Novell ZENworks Handheld Management is exposed to a heap-based buffer overflow issue that affects the "ZfHIPCND.exe" service, which listens on TCP port 2400 by default. Novell ZENworks Handheld Management version 7 SP1 is affected.
  • Ref: http://www.zerodayinitiative.com/advisories/ZDI-10-230/

  • 10.46.13 - CVE: CVE-2010-3611
  • Platform: Cross Platform
  • Title: ISC DHCP Server Relay-Forward Empty Link-Address Field Denial of Service
  • Description: ISC DHCP is a reference implementation of the DHCP protocol, including a DHCP server, client and relay agent. The application is exposed to a denial of service issue when processing specially crafted DHCPv6 packets. ISC DHCP Server versions 4.0 through 4.2 are affected.
  • Ref: http://www.isc.org/software/dhcp/advisories/cve-2010-3611

  • 10.46.14 - CVE: CVE-2010-3863
  • Platform: Cross Platform
  • Title: Apache Shiro Directory Traversal
  • Description: Apache Shiro is a Java security framework that is used for authorization, cryptography, authentication and session management. Apache Shiro is exposed to a directory traversal issue because it fails to sufficiently sanitize user-supplied input. Apache Shiro version 1.0.0 is affected.
  • Ref: http://www.securityfocus.com/bid/44616

  • 10.46.15 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Adobe Shockwave Player "Shockwave Settings" Memory Corruption Issue
  • Description: Adobe Shockwave Player is a multimedia player application. Adobe Shockwave Player is exposed to a remote memory corruption issue. The issue is caused by a use after free condition in an automatically installed compatibility component. Adobe Shockwave Player version 11.5.9.615 is affected.
  • Ref: http://www.securityfocus.com/bid/44617

  • 10.46.16 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Adobe Reader 9.4 Remote Memory Corruption Issue
  • Description: Adobe Reader is an application for handling PDF files. Adobe Reader is exposed to a remote memory corruption issue when handling specially crafted PDF files. Adobe Reader version 9.4.0 is affected.
  • Ref: http://seclists.org/fulldisclosure/2010/Nov/23

  • 10.46.17 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Crystal Reporting Viewer "SearchByFormula()" Method ActiveX Control Buffer Overflow Issue
  • Description: Crystal Reporting Viewer is an ActiveX control that allows users to view crystal reports. Crystal Reporting Viewer is exposed to a buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data. The issue affects the "SearchByFormula()" method of the "crviewer.dll" ActiveX control. The ActiveX control is identified by CLSID: C4847596-972C-11D0-9567-00A0C9273C2A. Crystal Reporting Viewer version 8.0.0.371 is affected.
  • Ref: http://www.securityfocus.com/bid/44635

  • 10.46.18 - CVE: CVE-2010-3814
  • Platform: Cross Platform
  • Title: FreeType TrueType Font Handling "ttinterp.c" Remote Code Execution Issue
  • Description: FreeType is an open source font handling library. FreeType is exposed to a remote code execution issue. The problem occurs in "truetype/ttinterp.c" when handling "SHZ" bytecode instructions in malformed TrueType fonts.
  • Ref: http://www.securityfocus.com/bid/44643

  • 10.46.19 - CVE: Not Available
  • Platform: Cross Platform
  • Title: HtaEdit ".hta" File Buffer Overflow Issue
  • Description: HtaEdit is a text editor application. The application is exposed to a buffer overflow issue because it fails to perform adequate checks on user-supplied input. Specifically, this issue occurs when opening a specially crafted ".hta" file. HtaEdit version 3.2.3.0 is affected.
  • Ref: http://www.securityfocus.com/bid/44639

  • 10.46.20 - CVE: Not Available
  • Platform: Cross Platform
  • Title: GSPlayer ".m3u" File Remote Buffer Overflow Issue
  • Description: GSPlayer is a multimedia player. GSPlayer is exposed to a buffer overflow issue because it fails to bounds check user-supplied data before copying it into an insufficiently sized buffer. GSPlayer version 1.83a is affected.
  • Ref: http://www.securityfocus.com/bid/44658

  • 10.46.21 - CVE: CVE-2010-3636,CVE-2010-3637,CVE-2010-3638,CVE-2010-3639,CVE-2010-3640,CVE-2010-3641,CVE-2010-3642,CVE-2010-3643,CVE-2010-3644,CVE-2010-3645,CVE-2010-3646,CVE-2010-3647,CVE-2010-3648,CVE-2010-3649,CVE-2010-3650,CVE-2010-3652,CVE-2010-3654,CVE-2010-3976
  • Platform: Cross Platform
  • Title: Adobe Flash Player Multiple Security Issues
  • Description: Adobe Flash Player is a multimedia application for Microsoft Windows, Mozilla, and Apple technologies. Adobe Flash Player is exposed to an information disclosure issue.
  • Ref: http://www.adobe.com/support/security/bulletins/apsb10-26.html

  • 10.46.22 - CVE: CVE-2010-3040
  • Platform: Cross Platform
  • Title: Cisco Unified Intelligent Contact Management Enterprise "agent.exe" Multiple Issues
  • Description: Cisco Unified Intelligent Contact Management Enterprise is used to integrate traditional inbound and outbound voice applications with Internet applications such as real time chat, Web collaboration, and e-mail. Cisco Unified Intelligent Contact Management Enterprise is exposed to multiple stack-based buffer overflow issues.
  • Ref: http://www.securityfocus.com/bid/44699

  • 10.46.23 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Quick Tftp Server Pro Directory Traversal
  • Description: Quick Tftp Server Pro is a Trivial File Transfer Protocol (TFTP) server for Microsoft Windows. The application is exposed to a directory traversal issue because it fails to sufficiently sanitize directory traversal strings from user-supplied input. Quick Tftp Server Pro version 2.1 is affected.
  • Ref: http://www.securityfocus.com/bid/44712

  • 10.46.24 - CVE: CVE-2010-3436
  • Platform: Cross Platform
  • Title: PHP "open_basedir" Security Bypass Issue
  • Description: PHP is a general purpose scripting language that is especially suited for web development and can be embedded into HTML. PHP is exposed to a security bypass issue that may allow users to bypass the "open_basedir" restrictions.
  • Ref: http://www.securityfocus.com/bid/44723

  • 10.46.25 - CVE: CVE-2010-4156
  • Platform: Cross Platform
  • Title: PHP "mb_strcut()" Function Information Disclosure
  • Description: PHP is a programming language commonly used for web applications. PHP is exposed to an information disclosure issue because the "mb_strcut()" function will incorrectly cut a string when the offset is within a multibyte character.
  • Ref: http://permalink.gmane.org/gmane.comp.security.oss.general/3715

  • 10.46.26 - CVE: CVE-2010-3899,CVE-2010-3898,CVE-2010-3897,CVE-2010-3896,CVE-2010-3895,CVE-2010-3894,CVE-2010-3893,CVE-2010-3892,CVE-2010-3891,CVE-2010-3890
  • Platform: Cross Platform
  • Title: IBM OmniFind Multiple Vulnerabilities
  • Description: IBM OmniFind is an application used for knowledge driven search. IBM OmniFind is exposed to multiple security issues. IBM OmniFind versions 8.5 and 9.0 are affected.
  • Ref: http://www.securityfocus.com/archive/1/514688


  • 10.46.28 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Suricata TCP Detection Evasion Security Bypass Issue
  • Description: Suricata is a multi-threaded intrusion detection/prevention engine. Suricata is exposed to a security bypass issue that occurs in the processing of certain TCP packets. Suricata versions prior to 1.0.2 are affected.
  • Ref: http://www.packetstan.com/2010/09/suricata-tcp-evasions.html

  • 10.46.29 - CVE: CVE-2010-4000
  • Platform: Cross Platform
  • Title: gnome-shell "LD_LIBRARY_PATH" Local Privilege Escalation Issue
  • Description: gnome-shell is a component of the GNOME desktop. gnome-shell is exposed to a local privilege escalation issue because its scripts fail to properly set the "LD_LIBRARY_PATH" environment variable. Specifically, the scripts include the current directory ('.') in the "LD_LIBRARY_PATH" environment variable. gnome-shell version 2.31.5 is affected.
  • Ref: http://www.securityfocus.com/bid/44751

  • 10.46.30 - CVE: CVE-2010-3633, CVE-2010-3634, CVE-2010-3635
  • Platform: Cross Platform
  • Title: Adobe Flash Media Server Remote Memory Corruption Issue
  • Description: Adobe Flash Media Server provides streaming media and a development environment for creating and delivering media applications. Adobe Flash Media Server is exposed to a remote memory corruption issue that can trigger a segmentation fault.
  • Ref: http://www.adobe.com/support/security/bulletins/apsb10-27.html

  • 10.46.31 - CVE: CVE-2010-3633
  • Platform: Cross Platform
  • Title: Adobe Flash Media Server Remote Denial of Service
  • Description: Adobe Flash Media Server provides streaming media and a development environment for creating and delivering media applications. Adobe Flash Media Server is exposed to a remote denial of service issue due to a memory leak issue.
  • Ref: http://www.adobe.com/support/security/bulletins/apsb10-27.html

  • 10.46.32 - CVE: Not Available
  • Platform: Cross Platform
  • Title: FileCOPA FTP Server Directory Traversal
  • Description: FileCOPA FTP Server is a Windows based FTP server. The application is exposed to a directory traversal issue because it fails to sufficiently sanitize directory traversal strings from user-supplied commands. FileCOPA FTP Server version 6.01 is affected.
  • Ref: http://www.securityfocus.com/bid/44759

  • 10.46.33 - CVE: Not Available
  • Platform: Web Application - SQL Injection
  • Title: Dolphin SQL Injection and Information Disclosure Issues
  • Description: Dolphin is a web-based content manager implemented in PHP. The application is exposed to an information disclosure issue that affects the "file" parameter of the "gzip_loader.php" script. Dolphin version 7.0.3 is affected.
  • Ref: http://www.securityfocus.com/bid/44620

  • 10.46.34 - CVE: CVE-2010-3764,CVE-2010-3172
  • Platform: Web Application
  • Title: Bugzilla Response Splitting and Security Bypass Issues
  • Description: Bugzilla is a web-based bug tracking application. Bugzilla is exposed to multiple security issues. Bugzilla versions prior to 3.2.9, 3.4.9, and 3.6.3 are affected.
  • Ref: http://www.securityfocus.com/bid/44618

  • 10.46.35 - CVE: Not Available
  • Platform: Web Application
  • Title: TextPattern Comment HTML Injection Issue
  • Description: TextPattern is a PHP-based content management system. The application is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input when posting a comment. TextPattern version 4.2.0 is affected.
  • Ref: http://www.securityfocus.com/bid/44662

  • 10.46.36 - CVE: Not Available
  • Platform: Web Application
  • Title: WordPress DB Toolkit "uploadify.php" Arbitrary File Upload Issue
  • Description: WordPress DB Toolkit is a plug-in for the WordPress publishing application. The application is exposed to an issue that lets attackers upload arbitrary files. The issue occurs because the application fails to adequately sanitize user-supplied input before uploading files through the "wp-content/plugins/db-toolkit/data_form/fieldtypes/file/scripts/uploadify.php" script. WordPress DB Toolkit 0.1.10 and prior versions are affected.
  • Ref: http://www.securityfocus.com/bid/44708

(c) 2010. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge by the SANS Institute to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization. For a free subscription or to update a current subscription, visit http://portal.sans.org/