
@RISK: The Consensus Security Vulnerability Alert

Volume: IX, Issue: 48
November 26, 2010

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

Platform                                  Number of Updates and Vulnerabilities
----------------------------------------  -------------------------------------
Third Party Windows Apps                  1
Mac Os                                    1 (#1, #2)
Linux                                     3
Cross Platform                            26 (#3)
Web Application - Cross Site Scripting    1
Web Application - SQL Injection           1
Web Application                           2
Network Device                            4

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Third Party Windows Apps
Mac Os
Linux
Cross Platform
Web Application - Cross Site Scripting
Web Application - SQL Injection
Web Application
Network Device
PART I Critical Vulnerabilities

Critical Vulnerabilities Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/risk/#process

Widely Deployed Software
  • (2) HIGH: Apple Mac OS X Apple Type Services "CFF" Font Remote Code Execution
  • Affected:
    • Apple Mac OS X 10.5
  • Description: Apple has released a patch for a security vulnerability affecting the ATSServer (Apple Type Solution Server) component of Mac OS X. The Apple Type Solution Server is responsible for managing fonts used by applications. Through multiple vectors, including serving a malicious file on a web server, an attacker can exploit a sign mismatch vulnerability in the code responsible for parsing PDF files. Exploitation can potentially lead to arbitrary code execution.

  • Status: vendor confirmed, updates available

  • References:
  • (3) HIGH: ProFTPD "mod_sql" Remote Heap Based Buffer Overflow
  • Affected:
  • Description: ProFTPD, a modular open-source FTP server, is susceptible to a remote, pre-authentication vulnerability that could allow remote code execution with root permissions. Due to a patch addressing another vulnerability, this vulnerability is no longer exploitable for root code execution. However, the underlying issue, an unbounded copy operation in sql_prepare_where(), has reportedly not been patched.

  • Status: vendor confirmed, updates not available

  • References:
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 48, 2010

Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 10565 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.

  • 10.48.1 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Serv-U Empty Password Authentication Bypass
  • Description: Serv-U is a remote file management application for Microsoft Windows. The application is exposed to an authentication bypass issue that allows attackers to gain access by supplying a valid username and an empty password. Serv-U version 10.2.0.2 and versions prior to 10.3.0.1 are affected.
  • Ref: http://www.serv-u.com/releasenotes/

  • 10.48.2 - CVE: CVE-2010-4010
  • Platform: Mac Os
  • Title: Apple Mac OS X Apple Type Services "CFF" Font Remote Code Execution
  • Description: Apple Type Services is a component of the Apple Mac OS X operating system. Apple Mac OS X is exposed to a remote code execution issue due to a signedness error when handling documents containing embedded "Compact Font Format" fonts. Mac OS X v10.5.8 and Mac OS X Server v10.5.8 are affected.
  • Ref: http://www.securityfocus.com/bid/44984

  • 10.48.3 - CVE: CVE-2010-4243
  • Platform: Linux
  • Title: Linux Kernel "execve()" Memory Expansion "OOM-killer" Local Denial of Service
  • Description: The Linux kernel is exposed to a local denial of service issue because OOM-killer fails to properly detect memory usage. The issue is triggered because of a memory expansion by the argument of the "execve()" system call.
  • Ref: https://bugzilla.redhat.com/show_bug.cgi?id=625688#c0

  • 10.48.4 - CVE: Not Available
  • Platform: Linux
  • Title: Linux Kernel Reliable Datagram Sockets "rds_cmsg_rdma_args()" Local Integer Overflow
  • Description: The Linux kernel is exposed to a local integer overflow issue that occurs in the Reliable Datagram Sockets protocol implementation, because calculations performed on certain user-supplied input could lead to an integer overflow.
  • Ref: http://marc.info/?l=linux-netdev&m=129001184803080&w=2

  • 10.48.5 - CVE: Not Available
  • Platform: Linux
  • Title: Linux Kernel "posix-cpu-timers.c" Local Race Condition
  • Description: The Linux kernel is exposed to a local race condition issue. The issue occurs in the "posix-cpu-timers.c" source file.
  • Ref: https://bugzilla.redhat.com/show_bug.cgi?id=656264

  • 10.48.6 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Perl MIME Boundary "multipart_init" Unspecified Security Issue
  • Description: Perl is a general purpose scripting language. Safe is a module for Perl that allows the isolated compilation and execution of additional Perl code within a Perl application. Perl is exposed to an unspecified security issue because the MIME part of the "multipart_init" is not random.
  • Ref: http://perl5.git.perl.org/perl.git/commit/84601d63a7e34958da47dad1e61e27cb3bd467d1

  • 10.48.7 - CVE: CVE-2010-3872
  • Platform: Cross Platform
  • Title: Apache "mod_fcgid" Module Unspecified Stack Buffer Overflow Issue
  • Description: "mod_fcgid" is a module for the Apache HTTP Server. The module is exposed to an unspecified stack-based buffer overflow issue.
  • Ref: http://www.securityfocus.com/bid/44900

  • 10.48.8 - CVE: Not Available
  • Platform: Cross Platform
  • Title: SAP NetWeaver Security Bypass Denial of Service
  • Description: SAP NetWeaver is a platform for enterprise applications. The application is exposed to a remote denial of service issue because it fails to restrict access to the SAP Metamodel Repository performance test. The test can be run with maximum data size.
  • Ref: http://dsecrg.com/pages/vul/show.php?id=206

  • 10.48.9 - CVE: Not Available
  • Platform: Cross Platform
  • Title: SAP NetWeaver SQL Monitor Multiple Cross-Site Scripting Issues
  • Description: SAP NetWeaver is an integration platform for enterprise applications. The SQL Monitor of SAP NetWeaver is exposed to multiple cross-site scripting issues because it fails to sufficiently sanitize user-supplied input to multiple scripts and parameters.
  • Ref: http://www.securityfocus.com/bid/44904

  • 10.48.10 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Hitachi Multiple Groupmax Products Unspecified Buffer Overflow Issue
  • Description: Multiple Hitachi Groupmax products are exposed to an unspecified remote buffer overflow issue due to an unspecified error when processing files.
  • Ref: http://www.securityfocus.com/bid/44906

  • 10.48.11 - CVE: Not Available
  • Platform: Cross Platform
  • Title: VLC Media Player Calling Convention Remote Buffer Overflow Issue
  • Description: VLC Media Player is a media player for a number of platforms. The application has a web-based interface. The application is exposed to a remote stack-based buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data. VLC Media Player versions prior to 1.1.5 for Windows are affected.
  • Ref: http://www.securityfocus.com/bid/44909

  • 10.48.12 - CVE: CVE-2010-3827
  • Platform: Cross Platform
  • Title: Apple iPhone/iPod/iPad Configuration Profile Signature Validation Bypass Issue
  • Description: Apple iOS for iPhone, iPod touch, and iPad are exposed to a security bypass issue that affects the Configuration Profiles component. Specifically, an attacker can forge the signature contained in a configuration profile.
  • Ref: http://www.securityfocus.com/bid/45006

  • 10.48.13 - CVE: CVE-2010-2638
  • Platform: Cross Platform
  • Title: IBM WebSphere MQ FDC Processing Denial of Service
  • Description: IBM WebSphere MQ is a commercially available messaging engine for enterprises. IBM WebSphere MQ is exposed to a remote denial of service issue that can be triggered with the creation of an FDC from probe id RM680004. WebSphere MQ versions prior to 7.0.1.5 are affected.
  • Ref: http://xforce.iss.net/xforce/xfdb/63147

  • 10.48.14 - CVE: Not Available
  • Platform: Cross Platform
  • Title: SAP NetWeaver XRFC SOAP Request Stack Buffer Overflow Issue
  • Description: SAP NetWeaver XRFC is a platform for enterprise applications. The application is exposed to a stack-based buffer overflow issue because it fails to properly bounds check user-supplied data. This issue occurs when the XML parser processes specially crafted tags in RFC SOAP requests. SAP NetWeaver XRFC versions 6.4 and 7.0 are affected.
  • Ref: http://www.securityfocus.com/bid/44912

  • 10.48.15 - CVE: CVE-2009-5017
  • Platform: Cross Platform
  • Title: Mozilla Firefox "js/src/jsstr.cpp" UTF-8 Input Validation Issue
  • Description: Mozilla Firefox is a web browser available for multiple platforms. Mozilla Firefox is exposed to an input validation issue because it fails to sufficiently sanitize user-supplied input. Specifically, certain UTF-8 encoded input handled by the "js/src/jsstr.cpp" source file will be incorrectly decoded. Firefox versions prior to 3.6 Beta 3 are affected.
  • Ref: http://www.securityfocus.com/bid/44919

  • 10.48.16 - CVE: Not Available
  • Platform: Cross Platform
  • Title: ProFTPD "mod_sql" Remote Heap Based Buffer Overflow
  • Description: ProFTPD is an FTP server implementation that is available for UNIX and Linux platforms. It can be integrated with multiple database servers. ProFTPD is exposed to a remote buffer overflow issue that affects the "mod_sql" module.
  • Ref: http://phrack.org/issues.html?issue=67&id=7#article

  • 10.48.17 - CVE: CVE-2010-3618
  • Platform: Cross Platform
  • Title: Symantec PGP Desktop OpenPGP Message Data Insertion Issue
  • Description: Symantec PGP Desktop is an encryption application. Symantec PGP Desktop is exposed to an issue that may allow attackers to insert data into a signed message undetected. Symantec PGP Desktop versions 10.0.3, 10.1.0, and prior are affected for Windows and Mac OS X.
  • Ref: http://www.securityfocus.com/bid/44920

  • 10.48.18 - CVE: CVE-2010-3826,CVE-2010-3824,CVE-2010-3823,CVE-2010-3822,CVE-2010-3821,CVE-2010-3820,CVE-2010-3819,CVE-2010-3818,CVE-2010-3817,CVE-2010-3816,CVE-2010-3813,CVE-2010-3812,CVE-2010-3811,CVE-2010-3810,CVE-2010-3809,CVE-2010-3808,CVE-2010-3805,CVE-2010-380
  • Platform: Cross Platform
  • Title: Apple Safari Prior Multiple Security Issues
  • Description: Apple Safari is a web browser available for Mac OS X and Microsoft Windows. Safari is exposed to multiple security issues that have been addressed in Apple security advisory APPLE-SA-2010-11-18-1.
  • Ref: http://www.securityfocus.com/bid/44938

  • 10.48.19 - CVE: CVE-2010-3830
  • Platform: Cross Platform
  • Title: Apple iOS Networking Packet Filter Rules Local Privilege Escalation
  • Description: Apple iOS is an operating platform for iPhone, iPod touch, and iPad. The iPhone is a mobile phone that runs on the ARM architecture. The iPod touch is a portable music player. The iPad is a tablet device. Apple iOS is exposed to a local privilege escalation issue due to an invalid pointer reference when handling packet filter rules.
  • Ref: http://www.securityfocus.com/bid/45010

  • 10.48.20 - CVE: CVE-2010-4242
  • Platform: Cross Platform
  • Title: Linux Kernel "hci_uart_tty_open()" Local Denial of Service Issue
  • Description: The Linux kernel is exposed to a local denial of service issue that affects the "hci_uart_tty_open()" function in the "drivers/bluetooth/hci_ldisc.c" source file.
  • Ref: http://www.securityfocus.com/bid/45014

  • 10.48.21 - CVE: CVE-2010-3896
  • Platform: Cross Platform
  • Title: IBM OmniFind "ESSearchApplication" Security Bypass Issue
  • Description: IBM OmniFind is an application used for knowledge driven search. A security bypass issue affects the configuration panel of the application. Specifically, it fails to authenticate a user before allowing access to the pages in the "ESSearchApplication" directory. IBM OmniFind versions 8.5 and 9.0 are affected.
  • Ref: http://www.securityfocus.com/archive/1/514688

  • 10.48.22 - CVE: Not Available
  • Platform: Cross Platform
  • Title: PHP NULL Character Security Bypass Issue
  • Description: PHP is a general purpose scripting language that is especially suited for web development and can be embedded into HTML. PHP is exposed to a security bypass issue that affects the "include_once()" and "file_exists()" functions that perform filesystem operations. PHP versions prior to 5.3.4 RC1 are affected.
  • Ref: http://comments.gmane.org/gmane.comp.security.oss.general/3798

  • 10.48.23 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Novell iPrint Client "ienipp.ocx" ActiveX 'GetDriverSettings()' Buffer Overflow Issue
  • Description: Novell iPrint Client lets users access printers from remote locations. The Novell iPrint Client "ienipp.ocx" ActiveX control is exposed to a buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data. This issue affects the "GetDriverSettings()" method of the "ienipp.ocx" library. iPrint Client version 5.52 is affected.
  • Ref: http://www.securityfocus.com/bid/44966

  • 10.48.24 - CVE: CVE-2010-4510
  • Platform: Cross Platform
  • Title: PHP "ext/imap/php_imap.c" Use After Free Denial of Service
  • Description: PHP is a general purpose scripting language that is suited for web development. PHP is exposed to a denial of service issue due to a use after free condition that affects the "Zend/zend.gc.c" source file. The PHP 5.3 branch is affected.
  • Ref: http://svn.php.net/viewvc?view=revision&revision=305032

  • 10.48.25 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Wireshark Multiple Security Issues
  • Description: Wireshark (formerly Ethereal) is an application for analyzing network traffic. The application is exposed to a denial of service issue that affects the ZigBee ZCL dissector and will cause the affected application to fall into an infinite loop. Wireshark versions 1.2.0 up to 1.2.12 and 1.4.0 to 1.4.1 are affected.
  • Ref: http://www.securityfocus.com/bid/44986

  • 10.48.26 - CVE: Not Available
  • Platform: Cross Platform
  • Title: DotNetNuke Logging Provider Information Disclosure
  • Description: DotNetNuke is an open source framework for creating and deploying websites. DotNetNuke is exposed to a remote information disclosure issue. Specifically, the issue occurs when the logging provider is not available while handling exceptions. DotNetNuke versions 3.0.0 through 5.5.1 are affected.
  • Ref: http://www.dotnetnuke.com/News/SecurityPolicy/securitybulletinno44/tabid/2035/Default.aspx

  • 10.48.27 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Pidgin Media Code Use After Free Race Condition Denial of Service
  • Description: Pidgin is a multi-platform instant messaging client that supports multiple messaging protocols. Pidgin is exposed to a denial of service issue due to a use after free race condition that occurs in media code when an error is reported by GStreamer. Pidgin versions prior to 2.7.6 are affected.
  • Ref: http://developer.pidgin.im/ticket/12806

  • 10.48.28 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Pidgin Google Relay (V/V) Double Free Memory Corruption Issue
  • Description: Pidgin is a multiplatform instant messaging client that supports multiple messaging protocols. Pidgin is exposed to a double free memory corruption issue. Pidgin versions prior to 2.7.6 are affected.
  • Ref: http://www.securityfocus.com/bid/45022

  • 10.48.29 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Pidgin MSN Use After Free Denial of Service Issue
  • Description: Pidgin is a multiplatform instant messaging client that supports multiple messaging protocols. Pidgin is exposed to a denial of service issue due to a use after free error that occurs in the MSN protocol. Pidgin versions prior to 2.7.6 are affected.
  • Ref: http://www.securityfocus.com/bid/45024

  • 10.48.30 - CVE: CVE-2009-4117
  • Platform: Cross Platform
  • Title: MuPDF "pdf_shade4.c" Multiple Stack Buffer Overflow Issue
  • Description: MuPDF is a PDF viewer and toolkit used by Sumatra PDF. The application is exposed to multiple stack-based buffer overflow issues. MuPDF versions prior to 20091125231942 and Sumatra PDF versions prior to 1.0.1 are affected.
  • Ref: http://www.securityfocus.com/bid/41818

  • 10.48.31 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Juniper NetScreen Remote VPN Client Security Bypass Issue
  • Description: Juniper NetScreen Remote VPN Client is exposed to a security bypass issue because the application fails to properly restrict access to unauthenticated users when connecting to a remote computer over a Remote Desktop session using the affected application.
  • Ref: http://www.securityfocus.com/archive/1/514871

  • 10.48.32 - CVE: CVE-2010-4172
  • Platform: Web Application - Cross Site Scripting
  • Title: Apache Tomcat "sort" Parameter Cross-Site Scripting
  • Description: Apache Tomcat is an HTTP server application. The application is exposed to a cross-site scripting issue because it fails to sanitize user-supplied input to the "sort" parameter in the "sessionList.jsp" script.
  • Ref: http://www.securityfocus.com/archive/1/514866

  • 10.48.33 - CVE: CVE-2010-4298
  • Platform: Web Application - SQL Injection
  • Title: Free Simple Software "download_id" SQL Injection
  • Description: Free Simple Software is a PHP-based web application. The application is exposed to an SQL injection issue because it fails to adequately sanitize user-supplied input to the "download_id" parameter of the download module.
  • Ref: http://www.securityfocus.com/archive/1/514863

  • 10.48.34 - CVE: Not Available
  • Platform: Web Application
  • Title: phpBB "includes/message_parser.php" HTML Injection
  • Description: phpBB is a PHP-based bulletin board application. The application is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input to the "[flash=] BBCode" parameter in the "includes/message_parser.php" script. phpBB versions prior to 3.0.8 are affected.
  • Ref: http://www.phpbb.com/support/documents.php?mode=changelog&version=3#v307-PL1

  • 10.48.35 - CVE: Not Available
  • Platform: Web Application
  • Title: webApp.secure "Content-Length" Remote Denial of Service
  • Description: webApp.secure is an application used to provide protection against web-based attacks. The application is exposed to a remote denial of service issue that occurs when processing an HTTP request that contains an overly large value in the "Content-Length" field. webApp.secure version 4.0.1 Standard Edition is affected.
  • Ref: http://www.securityfocus.com/bid/45019

  • 10.48.36 - CVE: CVE-2010-4107
  • Platform: Network Device
  • Title: HP Multiple LaserJet Printers PJL Directory Traversal Issue
  • Description: HP LaserJet printers are network attached printers. The devices are exposed to an unspecified directory traversal issue because they fail to sufficiently sanitize user-supplied input in the Printer Job Language interface.
  • Ref: http://www.securityfocus.com/bid/44882

  • 10.48.37 - CVE: Not Available
  • Platform: Network Device
  • Title: Hitachi Multiple Collaboration Products Unspecified Denial of Service
  • Description: Multiple Hitachi Collaboration products are exposed to an unspecified denial of service issue due to an unspecified error related to the Collaboration File Sharing component.
  • Ref: http://www.securityfocus.com/bid/44907

  • 10.48.38 - CVE: CVE-2010-3038,CVE-2010-3037
  • Platform: Network Device
  • Title: Cisco Unified Videoconferencing Hardcoded User Credentials Authentication Bypass Issue
  • Description: Cisco Unified Videoconferencing products are a series of video conferencing devices. Cisco Unified Videoconferencing is exposed to an authentication bypass issue that may allow attackers to gain access to the "root", "cs", and "develop" accounts. These accounts contain hardcoded user credentials that cannot be modified or deleted.
  • Ref: http://www.securityfocus.com/bid/44924

  • 10.48.39 - CVE: Not Available
  • Platform: Network Device
  • Title: Fujitsu Interstage Multiple Products IP Evasion Security Bypass Issue
  • Description: Multiple Fujitsu Interstage products are exposed to a security bypass issue.
  • Ref: http://www.securityfocus.com/bid/44976

(c) 2010. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

Subscriptions: @RISK is distributed free of charge by the SANS Institute to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization. For a free subscription or to update a current subscription, visit http://portal.sans.org/