En esta semana sorprende la cantidad de vulnerabilidades descubiertas en Adobe… en las próximas semanas de seguro se verá una cantidad importante de malware explotando estas fallas, y lo más probable que sea a través de correo electrónico y xss en aplicaciones web.
______________________________________________________________________
@RISK: The Consensus Security Vulnerability Alert
Week 25 2011
______________________________________________________________________
Summary of Updates and Vulnerabilities in this Consensus
Platform Number of Updates and Vulnerabilities
- ------------------------ -------------------------------------
Other Microsoft Products 1 (#2)
Third Party Windows Apps 1
Linux 2
Aix 1
Unix 2
Cross Platform 16 (#1)
Web Application - SQL Injection 1
Web Application 3
Network Device 2
***************************************************************************
Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com) Widely Deployed Software (1) HIGH: Adobe Products Multiple Vulnerabilities
(2) HIGH: Microsoft Patch Tuesday Multiple Vulnerabilities
***************************************************************************
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys
-- Other Microsoft Products
11.25.1 - Microsoft Lync Server 2010 "ReachJoin.aspx" Remote Command Injection
-- Third Party Windows Apps
11.25.2 - Trend Micro Data Loss Prevention Directory Traversal
-- Linux
11.25.3 - GNOME NetworkManager "/var/log/messages" Information Disclosure
11.25.4 - OProfile Multiple Security Vulnerabilities
-- Aix
11.25.5 - IBM AIX Luns Ownership Security Bypass Issue
-- Unix
11.25.6 - HP Operations for UNIX Unspecified Cross-Site Scripting and Unauthorized Access Vulnerabilities
11.25.7 - D-Bus Message Byte Order Denial of Service
-- Cross Platform
11.25.8 - Fabric Insecure Temporary File Creation Vulnerability
11.25.9 - KMPlayer ".mp3" File Remote Buffer Overflow
11.25.10 - Wireshark Multiple Denial of Service Vulnerabilities
11.25.11 - Ruby on Rails Multiple Cross-Site Scripting Filter Security Bypass Weaknesses
11.25.12 - HP Service Manager and Service Center Multiple Vulnerabilities
11.25.13 - VLC Media Player XSPF Playlist Integer Overflow Memory Corruption
11.25.14 - HP OpenView Storage Data Protector Unspecified Remote Code Execution
11.25.15 - libmodplug "S3M" Stack Based Buffer Overflow
11.25.16 - Jabberd XML Parsing Denial of Service
11.25.17 - PHP Security Bypass Issue
11.25.18 - Opera Web Browser Denial of Service
11.25.19 - Adobe Acrobat and Reader Multiple Vulnerabilities
11.25.20 - Adobe LiveCycle Data Services and BlazeDS Multiple Remote Vulnerabilities
11.25.21 - Adobe ColdFusion Unspecified Cross-Site Request Forgery and Remote Denial of Service
11.25.22 - Adobe Shockwave Player Multiple Remote Vulnerabilities
11.25.23 - Adobe Flash Player Remote Memory Corruption
-- Web Application - SQL Injection
11.25.24 - WebFileExplorer "user" and "pass" SQL Injection Vulnerabilities
-- Web Application
11.25.25 - Drupal Spam Module Cross-Site Request Forgery
11.25.26 - Horde Authentication Framework Composite Driver Authentication Bypass
11.25.27 - HTML Purifier Cross-Site Scripting and Denial of Service Vulnerabilities
-- Network Device
11.25.28 - Veri-NAC URI Handling Directory Traversal Vulnerability
11.25.29 - Barracuda NG Firewall and phion netfence Remote Code Execution
*************************************************************
PART I Critical Vulnerabilities
Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/risk/#process
*************************************************************
(1) HIGH: Adobe Products Multiple Vulnerabilities
Affected:
ColdFusion 9.0.1 and earlier
Adobe Flash Player 10.3.181.23 and earlier Adobe Shockwave Player 11.5.9.620 and earlier Adobe Reader X (10.0.1) and earlier Adobe Acrobat X (10.0.3) and earlier
Description: Adobe has released patches for multiple security vulnerabilities affecting multiple products. Adobe has reported that the unspecified memory corruption vulnerability in Adobe Flash is being actively exploited in the wild. That issue was initially reported as an 0-day vulnerability. The Shockwave Player vulnerabilities involve various errors in the handling of malformed Adobe director files. The Reader vulnerabilities involve the vulnerable code blindly trusting malicious attacker-provided lengths in malicious files. By enticing a target to open a malicious file, an attacker can exploit these vulnerabilities in order to execute arbitrary code on the target's machine. Code will execute with the permissions of the user running the browser or Reader application.
Status: vendor confirmed, updates available
References:
Vendor Site
Adobe Security Updates
Zero Day Initiative Advisories
SecurityFocus BugTraq IDs
*************************************************************
(2) HIGH: Microsoft Patch Tuesday Multiple Vulnerabilities
Affected:
Microsoft Internet Explorer
Microsoft Windows
Microsoft Office Excel
Description: As part of its patch Tuesday program, Microsoft has released patches addressing vulnerabilities in multiple products.
Included in this month's patches are fixes for code-execution vulnerabilities affecting Internet Explorer. Four vulnerabilities involve memory corruption issues while handling malicious DOM manipulation of a web page; one involves a redirect to a CDL protocol, which causes a crash in Internet Explorer; and another involves a use-after-free vulnerability caused by unsafe handling of unusual values for the layout-grid-char styel property. By enticing a target to view a malicious page, an attacker can exploit these vulnerabilities in order to execute arbitrary code with the permissions of the user running the browser. Microsoft also released patches for its internal SMB client and server, Microsoft Silverlight, and Office Excel; these issues could also be used by an attacker to execute arbitrary code on a target's machine.
Status: vendor confirmed, updates available
References:
Vendor Site
Microsoft Security Bulletins
Zero Day Initiative Advisories
SecurityFocus BugTraq IDs
*************************************************************
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 11428 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely. ______________________________________________________________________
11.25.1 CVE: Not Available
Platform: Other Microsoft Products
Title: Microsoft Lync Server 2010 "ReachJoin.aspx" Remote Command Injection
Description: Microsoft Lync Server 2010 is a unified communication server. The application is exposed to a command injection issue because it fails to adequately sanitize user-supplied input submitted to the "reachLocale" parameter of the "ReachJoin.aspx" script.
Microsoft Lync Server 2010 version 4.0.7577.0 is vulnerable and other versions may also be affected.
______________________________________________________________________
11.25.2 CVE: Not Available
Platform: Third Party Windows Apps
Title: Trend Micro Data Loss Prevention Directory Traversal
Description: Trend Micro Data Loss Prevention is a data management and loss prevention application. The application is exposed to a directory traversal issue because it fails to sufficiently sanitize user-supplied input. Trend Micro Data Loss Prevention 5.5 is vulnerable and other versions may also be affected.
______________________________________________________________________
11.25.3 CVE: CVE-2011-1943
Platform: Linux
Title: GNOME NetworkManager "/var/log/messages" Information Disclosure
Description: GNOME NetworkManager is an application used for automated networking on Linux platforms. The application is exposed to an information disclosure issue that may allow local attackers to access user passwords from the "/var/log/messages" file. GNOME NetworkManager
0.8.999-3 is vulnerable and other versions may also be affected.
______________________________________________________________________
11.25.4 CVE: Not Available
Platform: Linux
Title: OProfile Multiple Security Vulnerabilities
Description: OProfile is a system wide profiler for Linux computers.
The application is exposed to multiple issues because the software fails to properly sanitize user-supplied input. See the reference below for further details. OProfile version 0.9.6 is vulnerable and other versions may also be affected.
______________________________________________________________________
11.25.5 CVE: Not Available
Platform: Aix
Title: IBM AIX Luns Ownership Security Bypass Issue
Description: IBM AIX is an open standards-based UNIX operating system.
IBM AIX is exposed to a security bypass issue due to the error in "MPIO_GET_CONFIG". IBM Aix 5300-12, IBM Aix 5300-11 and IBM Aix
5300-10 are affected.
______________________________________________________________________
11.25.6 CVE: CVE-2011-0894,CVE-2011-0893
Platform: Unix
Title: HP Operations for UNIX Unspecified Cross-Site Scripting and Unauthorized Access Vulnerabilities
Description: HP Operations for UNIX is a set of infrastructure monitoring tools. HP Operations for UNIX is exposed to multiple issues. 1) An unspecified cross-site scripting issue affects the application because if fails to adequately sanitize user-supplied input. 2) An unauthorized access issue affects the application because of an unspecified error. HP Operations for UNIX 9.10 is affected.
Ref:
______________________________________________________________________
11.25.7 CVE: Not Available
Platform: Unix
Title: D-Bus Message Byte Order Denial of Service
Description: D-Bus is an IPC (Inter-Process Communication) system for applications to talk to one another. The application is exposed to a local denial of service issue because of an error while processing messages with a non-native byte order. D-BUS 1.4.10 is vulnerable; other versions may also be affected.
______________________________________________________________________
11.25.8 CVE: Not Available
Platform: Cross Platform
Title: Fabric Insecure Temporary File Creation Vulnerability
Description: Fabric is a deployment tool implemented in python. Fabric is exposed to an issue because it creates temporary files in an insecure manner. Specifically, the application creates temporary files with predictable file names in world writable directories when uploading template text files and project files to a remote server.
Fabric 0.9.1 is vulnerable and other versions may also be affected.
______________________________________________________________________
11.25.9 CVE: Not Available
Platform: Cross Platform
Title: KMPlayer ".mp3" File Remote Buffer Overflow
Description: KMPlayer is a media player. KMPlayer is exposed to a remote stack-based buffer overflow issue because it fails to perform adequate bounds checks on user-supplied input. Specifically, this issue occurs while handling specially crafted ".mp3" files. KMPlayer
3.0.0.1440 is vulnerable and other versions may also be affected.
______________________________________________________________________
11.25.10 CVE: Not Available
Platform: Cross Platform
Title: Wireshark Multiple Denial of Service Vulnerabilities
Description: Wireshark (formerly Ethereal) is an application for analyzing network traffic. The software is exposed to multiple issues.
1) A denial of service issue occurs when sorting columns during packet capturing. 2) A denial of service issue occurs because packet capture from a named pipe fails to properly stop until the next packet is captured. Wireshark versions prior to 1.6.0 are affected.
______________________________________________________________________
11.25.11 CVE: Not Available
Platform: Cross Platform
Title: Ruby on Rails Multiple Cross-Site Scripting Filter Security Bypass Weaknesses
Description: Ruby on Rails is a web application framework for multiple platforms. Ruby on Rails is exposed to multiple security bypass weaknesses because it fails to properly mark certain strings as "HTML safe". Versions prior to Ruby on Rails 3.0.8 and 2.3.12 are affected.
______________________________________________________________________
11.25.12 CVE:
CVE-2011-1863,CVE-2011-1862,CVE-2011-1861,CVE-2011-1860,CVE-2011-1859,CVE-2011-1858,CVE-2011-1857
Platform: Cross Platform
Title: HP Service Manager and Service Center Multiple Vulnerabilities
Description: HP Service Manager is an IT helpdesk application available for multiple platforms. HP Service Center is a web-based IT service management application. The applications are exposed to multiple issues due to insufficient sanitization of user-supplied input. See the reference below for further details. These versions are affected: HP Service Manager v9.21, v9.20, v7.11, v7.02, HP Service Manager client v9.21, v9.20, v7.11, v7.02 running on Windows, HP Service Center v6.2.8 Client running on Windows, HP Service Center v6.2.8.
Ref:
______________________________________________________________________
11.25.13 CVE: CVE-2011-2194
Platform: Cross Platform
Title: VLC Media Player XSPF Playlist Integer Overflow Memory Corruption
Description: VLC is a cross-platform media player. The application is exposed to a memory corruption issue because of an integer overflow error in the XSPF playlist file parser. This occurs within the "libplaylist_plugin.dll" file when parsing specially crafted XSPF playlist files. In particular, attackers can exploit this issue by passing a large value to the "id" tag of the XSPF file. VLC Media Player versions 1.1.9 down to 0.8.5 are vulnerable.
______________________________________________________________________
11.25.14 CVE: CVE-2011-1864
Platform: Cross Platform
Title: HP OpenView Storage Data Protector Unspecified Remote Code Execution
Description: HP OpenView Storage Data Protector is a commercial data management product for backup and recovery operations. The application is exposed to an unspecified remote code execution issue.
HP OpenView Storage Data Protector versions 6.0, 6.10, and 6.11 for HP-UX, Solaris, Linux, and Windows are vulnerable.
______________________________________________________________________
11.25.15 CVE: CVE-2011-1574
Platform: Cross Platform
Title: libmodplug "S3M" Stack Based Buffer Overflow
Description: The libmodplug library allows various media players to play multiple media formats. The library is exposed to a stack-based buffer overflow issue because it fails to properly bounds check user supplied data before copying it into an insufficiently sized buffer.
Libmodplug 0.8.8.1 is vulnerable and other versions may also be affected.
______________________________________________________________________
11.25.16 CVE: CVE-2011-1755
Platform: Cross Platform
Title: Jabberd XML Parsing Denial of Service
Description: LuaExpat is a SAX XML parser that is based on the Expat library. Jabberd is exposed to a denial of service issue.
Specifically, the issue occurs because the application fails to handle specially crafted XML data. Applications using the affected parser may consume excessive amounts of system memory when processing large numbers of nested references. Versions prior to jabberd 2.2.14 are vulnerable.
______________________________________________________________________
11.25.17 CVE: CVE-2011-2202
Platform: Cross Platform
Title: PHP Security Bypass Issue
Description: PHP is a scripting language. PHP is exposed to a security bypass issue because the application allows an attacker to delete files from the root directory. Specifically, the issue exists in the "SAPI_POST_HANDLER_FUNC()" function of the "rfc1867.c" file. PHP 5.3.6 is vulnerable and other versions may also be affected.
______________________________________________________________________
11.25.18 CVE: Not Available
Platform: Cross Platform
Title: Opera Web Browser Denial of Service
Description: Opera is a web browser application. The application is exposed to a denial of service issue. This issue occurs when the application processes a webpage containing specially crafted JavaScript code. Opera Web Browser 11.11 is vulnerable; other versions may also be affected.
______________________________________________________________________
11.25.19 CVE: CVE-2011-2094, CVE-2011-2095, CVE-2011-2096, CVE-2011-2097, CVE-2011-2098, CVE-2011-2099, CVE-2011-2100, CVE-2011-2101, CVE-2011-2102, CVE-2011-2103, CVE-2011-2104, CVE-2011-2105, CVE-2011-2106
Platform: Cross Platform
Title: Adobe Acrobat and Reader Multiple Vulnerabilities
Description: Adobe Reader and Acrobat are applications for handling PDF files. Adobe Acrobat and Reader are exposed to multiple issues such as memory corruptions, buffer overflows and a cross document script execution issue. Adobe Reader and Acrobat versions prior to 10.1 are affected.
______________________________________________________________________
11.25.20 CVE: CVE-2011-2093,CVE-2011-2092
Platform: Cross Platform
Title: Adobe LiveCycle Data Services and BlazeDS Multiple Remote Vulnerabilities
Description: Adobe BlazeDS is a Java-based messaging server. Adobe LifeCycle is a software management and deployment application. Adobe LiveCycle Data Services and BlazeDS are exposed to the following remote issues. 1) A security bypass issue that will allow unauthorized users to create classes during AMF/AMFX deserialization. 2) A denial of service issue that affects a complex object graph. LiveCycle Data Services 3.1, 2.6.1, 2.5.1 and earlier versions, LiveCycle 9.0.0.2, 8.2.1.3, 8.0.1.3 and earlier versions, BlazeDS 4.0.1 and earlier versions are affected.
______________________________________________________________________
11.25.21 CVE: CVE-2011-0629, CVE-2011-2091
Platform: Cross Platform
Title: Adobe ColdFusion Unspecified Cross-Site Request Forgery and Remote Denial of Service
Description: Adobe ColdFusion is an application for developing websites. The application is exposed to the following issues. 1) An unspecified cross-site request forgery issue because it fails to properly validate HTTP requests. 2) A remote denial of service issue.
Versions prior to Adobe ColdFusion 9.0.1 and prior are vulnerable.
______________________________________________________________________
11.25.22 CVE:
CVE-2011-2128,CVE-2011-2127,CVE-2011-2126,CVE-2011-2125,CVE-2011-2124,CVE-2011-2123,
CVE-2011-2122,CVE-2011-2121,CVE-2011-2120,CVE-2011-2119,CVE-2011-2118,CVE-2011-2117,CVE-2011-2116,
CVE-2011-2115,CVE-2011-2114,CVE-2011-2113,CVE-2011-2112,CVE-2011-2111,CVE-2011-2109,CVE-2011-2108,
CVE-2011-0335,CVE-2011-0320,CVE-2011-0319,CVE-2011-0318,CVE-2011-0317
Platform: Cross Platform
Title: Adobe Shockwave Player Multiple Remote Vulnerabilities
Description: Adobe Shockwave Player is a multimedia player application. The application is exposed to multiple remote issues.
See the reference below for details. Versions prior to Adobe Shockwave Player 11.6.0.626 are vulnerable.
______________________________________________________________________
11.25.23 CVE: CVE-2011-2110
Platform: Cross Platform
Title: Adobe Flash Player Remote Memory Corruption
Description: Adobe Flash Player is a multimedia application for multiple platforms. The application is exposed to a remote memory corruption issue that can result in arbitrary code execution. Adobe Flash Player 10.3.181.23 and earlier versions for Windows, Macintosh, Linux and Solaris operating systems, Adobe Flash Player 10.3.185.23 and earlier versions for Android are affected.
______________________________________________________________________
11.25.24 CVE: Not Available
Platform: Web Application - SQL Injection
Title: WebFileExplorer "user" and "pass" SQL Injection Vulnerabilities
Description: WebFileExplorer is an ASP-based file manager. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data to the "User" and "Pass" fields in the admin login page before using the data in an SQL query. WebFileExplorer 3.6 is vulnerable; other versions may also be affected.
______________________________________________________________________
11.25.25 CVE: Not Available
Platform: Web Application
Title: Drupal Spam Module Cross-Site Request Forgery
Description: Spam is a module for the Drupal content manager. The module is exposed to a cross-site request forgery issue because the application does not properly validate user-supplied requests.
Specifically, the issue affects the "mark as spam" links. Versions prior to Spam 6.x-1.1 are vulnerable.
______________________________________________________________________
11.25.26 CVE: Not Available
Platform: Web Application
Title: Horde Authentication Framework Composite Driver Authentication Bypass
Description: Horde Authentication Framework is a web application, implemented in PHP. The framework is exposed to an authentication bypass issue due to an error in the composite authentication driver.
Horde 1.0.0alpha1 through 1.0.3 are vulnerable and other versions may also be affected.
______________________________________________________________________
11.25.27 CVE: Not Available
Platform: Web Application
Title: HTML Purifier Cross-Site Scripting and Denial of Service Vulnerabilities
Description: HTML Purifier is an HTML filtering application implemented in PHP. The application is exposed to the following issues. 1) Multiple cross-site scripting issues because the application fails to sufficiently sanitize user-supplied input passed to "CDATA" and "cssText/innerHTML" parameters. 2) A denial of service issue exists while handling DOM objects. Specifically, the issue affects the "tokenizeDOM()" function in the "HTMLPurifier/Lexer/DOMLex.php" script.
HTML Purifier versions prior to 4.3.0 are vulnerable.
______________________________________________________________________
11.25.28 CVE: Not Available
Platform: Network Device
Title: Veri-NAC URI Handling Directory Traversal Vulnerability
Description: Veri-NAC is a network access control device. Veri-NAC is exposed to a directory traversal issue because it fails to sufficiently sanitize user-supplied input sent through the URL.
Veri-NAC firmware versions prior to 8.0.10 are vulnerable.
______________________________________________________________________
11.25.29 CVE: Not Available
Platform: Network Device
Title: Barracuda NG Firewall and phion netfence Remote Code Execution
Description: Barracuda NG Firewall is a security device designed to protect network infrastructure. Phion netfence is a web application firewall. Barracuda NG Firewall and phion netfence are exposed to a remote code execution issue. Specially, the issue occurs during the "ssh" login procedure. NG Firewall versions prior to 5.0.2, phion netfence versions 4.0.x prior to 4.2.15 are affected.
______________________________________________________________________
