
Vulnerability Summary - Week 28

Friday, July 8, 2011

Comments: pramirezh[at]gmail_dot_com
______________________________________________________________________


        @RISK: The Consensus Security Vulnerability Alert

                           Week 28 2011

______________________________________________________________________

Summary of Updates and Vulnerabilities in this Consensus

Platform                         Number of Updates and Vulnerabilities
- ------------------------   -------------------------------------

Third Party Windows Apps                     5 (#1)
BSD                                          2
Cross Platform                              12
Web Application - Cross Site Scripting       1
Web Application - SQL Injection              1
Web Application                              3
Hardware                                     2
****************************************************************************

Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)
Widely Deployed Software
(1) MEDIUM: HP iNode Management Center Stack Buffer Overflow

*************************************************************************

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

-- Third Party Windows Apps
11.28.1  - Winamp Essentials FLV File Heap-Based Buffer Overflow Vulnerability
11.28.2  - ESTsoft ALZip MIM File Processing Buffer Overflow
11.28.3  - HP Intelligent Management Centre Products Remote Code Execution
11.28.4  - IMesh "IMWebControl.dll" ActiveX Control Buffer Overflow
11.28.5  - XnView DLL Loading Arbitrary Code Execution Vulnerability
-- BSD
11.28.6  - OpenSSH "pam_thread()" Remote Buffer Overflow Vulnerability
11.28.7  - NetBSD Multiple "libc/net" Functions Stack Buffer Overflow Vulnerability
-- Cross Platform
11.28.8  - Asterisk SIP Authentication Request User Enumeration Weakness
11.28.9  - Sybase Advantage Server "ADS" Process Memory Corruption Vulnerability
11.28.10 - Zope Unspecified Security Bypass Vulnerability
11.28.12 - Wireshark Lucent/Ascend File Parser Denial of Service
11.28.13 - SAP Netweaver Insecure SAPTerm User Account Creation Security Bypass Vulnerability
11.28.14 - IBM DB2 "DT_RPATH" Insecure Library Loading Arbitrary Code Execution Vulnerability
11.28.15 - Multiple Virtualization Applications Intel VT-d chipsets Local Privilege Escalation Vulnerability
11.28.16 - IBM InfoSphere Information Server Multiple Local Privilege Escalation Vulnerabilities
11.28.17 - IBM Tivoli Storage Manager Client Multiple Buffer Overflow
11.28.18 - Vsftpd Compromised Source Packages Backdoor Vulnerability
11.28.19 - ISC BIND 9 RPZ Configurations Remote Denial of Service
11.28.20 - Opera Web Browser Multiple Remote Denial of Service Vulnerabilities
-- Web Application - Cross Site Scripting
11.28.21 - WebCalendar Multiple Cross-Site Scripting Vulnerabilities
-- Web Application - SQL Injection
11.28.22 - PhpFood "restaurant.php" SQL Injection Vulnerability
-- Web Application
11.28.23 - AeroMail Multiple Vulnerabilities
11.28.24 - IBM Rational DOORS Multiple Unspecified Vulnerabilities
11.28.25 - WeBid Local File Include and SQL Injection Vulnerabilities
-- Hardware
11.28.11 - Ingate Firewall and SIParator SIP Module Remote Denial of Service Vulnerability
11.28.26 - Portech MV-372 VoIP Gateway Multiple Security Vulnerabilities
______________________________________________________________________

PART I Critical Vulnerabilities
Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at
http://www.sans.org/newsletters/risk/#process

*************************************************************

(1) MEDIUM: HP iNode Management Center Stack Buffer Overflow
Affected:
HP Intelligent Management Center User Access Manager (UAM) prior to IMC_UAM_5.0_SP1_E0101P03
HP Intelligent Management Center Endpoint Admission Defense (EAD) prior to IMC_EAD_5.0_SP1_E0101P03

Description: HP has released patches for its Intelligent Management Center network management software. A component of the software, iNOdeMngChecker.exe, listens by default on port 9090 and copies attacker-provided data onto a fixed-length buffer on the stack. By sending a malicious request, an attacker can exploit this vulnerability in order to execute arbitrary code on the target's machine with SYSTEM-level privileges.

Status: vendor confirmed, updates available

References:
Vendor Site
http://www.hp.com
HP Security Bulletin
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02901775
Zero Day Initiative Advisory
http://www.zerodayinitiative.com/advisories/ZDI-11-232/
SecurityFocus BugTraq IDs
http://www.securityfocus.com/bid/48527

*************************************************************

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 11590 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.
______________________________________________________________________

11.28.1 CVE: Not Available
Platform: Third Party Windows Apps
Title: Winamp Essentials FLV File Heap-Based Buffer Overflow Vulnerability
Description: Winamp Essentials contains plugins for the Winamp media player. The application is exposed to a heap-based buffer overflow issue because it fails to perform adequate boundary checks on user-supplied input. This issue affects the "f263.w5s" file when parsing "CustomWidth" and "CustomHeight" fields. Winamp Essentials 5.6 is vulnerable and other versions may also be affected.
Ref:
http://www.securityfocus.com/bid/48494/info
______________________________________________________________________

11.28.2 CVE: CVE-2011-1336
Platform: Third Party Windows Apps
Title: ESTsoft ALZip MIM File Processing Buffer Overflow
Description: ESTsoft ALZip is a file compression application. The application is exposed to a buffer overflow issue because it fails to perform adequate boundary checks on user-supplied input. Specifically, this issue occurs when handling specially crafted "MIM" files. ESTsoft ALZip versions 8.21 and prior are affected.
Ref:
http://jvn.jp/en/jp/JVN01547302/index.html
______________________________________________________________________

11.28.3 CVE: CVE-2011-1867
Platform: Third Party Windows Apps
Title: HP Intelligent Management Centre Products Remote Code Execution
Description: HP Intelligent Management Center (formerly 3Com IMC) is a network management application. HP Intelligent Management Center User Access Manager and Endpoint Admission Defense are exposed to a remote code execution issue because of a stack-based buffer overflow. Specifically, the issue affects the "iNOdeMngChecker.exe" component when handling a packet of type "0x0A0BF007". HP Intelligent Management Center User Access Manager (UAM) v5.0 (E0101) and prior, and HP Intelligent Management Center Endpoint Admission Defense (EAD) v5.0 (E0101) and prior, are affected.
Ref:
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02901775
______________________________________________________________________

11.28.4 CVE: Not Available
Platform: Third Party Windows Apps
Title: IMesh "IMWebControl.dll" ActiveX Control Buffer Overflow
Description: iMesh is a P2P client for the Microsoft Windows operating platform. The application is exposed to a buffer overflow issue because it fails to perform adequate boundary checks on user-supplied data. This issue affects the "ProcessRequestEx()" method of the "IMWebControl.dll" ActiveX control. This control is identified by CLSID: 7C3B01BC-53A5-48A0-A43B-0C67731134B97. iMesh version 10.0 and prior are affected.
Ref:
http://packetstormsecurity.org/files/view/102729/imesh-overflow.txt
______________________________________________________________________

11.28.5 CVE: CVE-2011-1338
Platform: Third Party Windows Apps
Title: XnView DLL Loading Arbitrary Code Execution Vulnerability
Description: XnView is an application for managing image files. The application is exposed to an issue that lets attackers execute arbitrary code. The issue arises because the application searches for Dynamic Link Library files in the current working directory. The issue can be exploited by placing both a specially crafted library file and a file that is associated with the vulnerable application in an attacker controlled location. Using the application to open the associated file will cause the malicious library file to be executed.
XnView versions prior to 1.98.1 are affected.
Ref:
http://www.securityfocus.com/bid/48562/discuss
______________________________________________________________________

11.28.6 CVE: Not Available
Platform: BSD
Title: OpenSSH "pam_thread()" Remote Buffer Overflow Vulnerability
Description: OpenSSH (OpenBSD Secure Shell) is software that provides encrypted communications through the SSH protocol. OpenSSH is exposed to a buffer overflow issue because it fails to properly perform bounds checks on user-supplied input before copying it to an insufficiently sized memory buffer. This issue affects the "pam_thread()" function of the "auth2-pam-freebsd.c" source file.
OpenSSH 3.5p1 running on FreeBSD 4.9 and 4.11 is vulnerable; other versions and platforms may also be affected.
Ref:
http://www.securityfocus.com/bid/48507/info
______________________________________________________________________

11.28.7 CVE: CVE-2011-1656
Platform: BSD
Title: NetBSD Multiple "libc/net" Functions Stack Buffer Overflow Vulnerability
Description: NetBSD is exposed to a stack-based buffer overflow issue because it fails to properly bounds check user-supplied input.
Specifically, this issue affects the following functions in the "libc/net" library: "getservbyname()", "getservbyname_r()", "getservbyport()", "getservbyport_r()", "getaddrinfo()" and "getnameinfo()". NetBSD 5.1 is affected.
Ref:
http://www.securityfocus.com/bid/48528/info
______________________________________________________________________

11.28.8 CVE: CVE-2011-2536
Platform: Cross Platform
Title: Asterisk SIP Authentication Request User Enumeration Weakness
Description: Asterisk is a private branch exchange application available for Linux, BSD and Mac OS X platforms. Asterisk is exposed to a user enumeration weakness. This issue occurs because the application responds differently to SIP authentication requests for valid and invalid SIP usernames, which lets an attacker enumerate valid accounts. Asterisk 1.4.41.2, 1.6.2.18.2, 1.8.4.4 and Asterisk Business Edition C.3.7.3 are affected.
Ref:
http://downloads.asterisk.org/pub/security/AST-2011-011.html
______________________________________________________________________

11.28.9 CVE: Not Available
Platform: Cross Platform
Title: Sybase Advantage Server "ADS" Process Memory Corruption Vulnerability
Description: Sybase Advantage Server is a relational database management application. The application is exposed to a memory corruption issue.
This issue affects the "ads.exe" service when handling a malformed packet sent to TCP or UDP port 6262. Sybase Advantage Server 10.0.0.3 is vulnerable and other versions may also be affected.
Ref:
http://aluigi.altervista.org/adv/sybase_4-adv.txt
______________________________________________________________________

11.28.10 CVE: Not Available
Platform: Cross Platform
Title: Zope Unspecified Security Bypass Vulnerability
Description: Zope is a web application server. The application is exposed to an unspecified security bypass issue. Very few technical details are currently available. All versions of Zope and Plone are affected.
Ref:
https://mail.zope.org/pipermail/zope-announce/2011-June/002260.html
______________________________________________________________________

11.28.11 CVE: Not Available
Platform: Hardware
Title: Ingate Firewall and SIParator SIP Module Remote Denial of Service Vulnerability
Description: Ingate Firewall is a hardware firewall with Session Initiation Protocol (SIP) support; the Ingate SIParator is the SIP-specific variant of the same product line. Both are exposed to a denial of service issue that occurs when processing SIP requests that contain multiple Transport Layer Security (TLS) destinations.
Ingate SIParator 4.9.1 and prior are affected.
Ref:
http://www.ingate.com/Relnote.php?ver=492
______________________________________________________________________

11.28.12 CVE: CVE-2011-2597
Platform: Cross Platform
Title: Wireshark Lucent/Ascend File Parser Denial of Service
Description: Wireshark (formerly Ethereal) is an application for analyzing network traffic. The application is exposed to a denial of service issue because it fails to properly handle specially crafted packets. Specifically, the issue affects the Lucent/Ascend file parser when parsing specially crafted packets. Wireshark versions 1.2.0 through 1.2.17, versions 1.4.0 through 1.4.7 and version 1.6.0 are affected.
Ref:
http://www.wireshark.org/security/wnpa-sec-2011-09.html
______________________________________________________________________

11.28.13 CVE: Not Available
Platform: Cross Platform
Title: SAP Netweaver Insecure SAPTerm User Account Creation Security Bypass Vulnerability
Description: SAP NetWeaver is an integration platform for enterprise applications. The application is exposed to a security bypass issue that can allow a user to create SAPTerm user accounts with hardcoded credentials. SAP Basis versions 620 through 640, SAP Basis versions 700 through 702, 710 through 730 and 72L through 800 are affected.
Ref:
http://www.securityfocus.com/bid/48509/info
______________________________________________________________________

11.28.14 CVE: Not Available
Platform: Cross Platform
Title: IBM DB2 "DT_RPATH" Insecure Library Loading Arbitrary Code Execution Vulnerability
Description: IBM DB2 is a database management application written for use on multiple platforms. The application is exposed to an issue because the "/opt/ibm/db2/V9.7/itma/tmaitm6/lx8266/bin/kbbacf1" binary (installed with root privileges) includes the current working directory (".") in the "DT_RPATH" (runtime library search path) of the ELF (Executable and Linking Format) header. IBM DB2 9.7 is vulnerable and other versions may also be affected.
Ref:
http://www.securityfocus.com/bid/48514/info
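Items 11.28.5 (XnView searching the working directory for DLLs) and 11.28.14 (a root-installed DB2 binary with "." in DT_RPATH) are the same bug class: a library search path containing a directory that an unprivileged user controls. The checker below is an added example, not IBM's, XnView's or Qualys' code. It parses the section table of an ELF64 file, walks the .dynamic section for DT_RPATH/DT_RUNPATH, and flags every component the loader would resolve against the current working directory. The ELF image it builds for the demo is a constructed fixture (just enough headers to carry a .dynamic section), not the kbbacf1 binary.

```python
"""Flag ELF binaries whose DT_RPATH / DT_RUNPATH lets the dynamic loader search
the current working directory (the 11.28.14 pattern). Added example; the ELF
image built for the demo is a synthetic fixture, not a real IBM binary."""
import struct

# Constants from <elf.h>
SHT_STRTAB, SHT_DYNAMIC = 3, 6
DT_NULL, DT_RPATH, DT_RUNPATH = 0, 15, 29
SHDR_FMT = "<IIQQQQIIQQ"   # Elf64_Shdr, little-endian, 64 bytes
DYN_FMT = "<qQ"            # Elf64_Dyn: d_tag (signed), d_val


def read_dynamic_paths(data: bytes) -> dict:
    """Return {"DT_RPATH": [...], "DT_RUNPATH": [...]} for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    (e_shoff,) = struct.unpack_from("<Q", data, 0x28)          # section table offset
    e_shentsize, e_shnum = struct.unpack_from("<HH", data, 0x3A)
    shdrs = [struct.unpack_from(SHDR_FMT, data, e_shoff + i * e_shentsize)
             for i in range(e_shnum)]
    found = {"DT_RPATH": [], "DT_RUNPATH": []}
    for sh in shdrs:
        sh_type, sh_offset, sh_size, sh_link = sh[1], sh[4], sh[5], sh[6]
        if sh_type != SHT_DYNAMIC:
            continue
        strtab = shdrs[sh_link]            # sh_link of .dynamic points at .dynstr
        if strtab[1] != SHT_STRTAB:
            raise ValueError(".dynamic does not link to a string table")
        str_off, str_size = strtab[4], strtab[5]
        for pos in range(sh_offset, sh_offset + sh_size, 16):
            tag, val = struct.unpack_from(DYN_FMT, data, pos)
            if tag == DT_NULL:
                break
            if tag in (DT_RPATH, DT_RUNPATH):
                raw = data[str_off + val:str_off + str_size].split(b"\0", 1)[0]
                key = "DT_RPATH" if tag == DT_RPATH else "DT_RUNPATH"
                found[key].append(raw.decode("ascii", "replace"))
    return found


def insecure_components(paths) -> list:
    """Components the loader resolves relative to the CWD: "" and "." both mean
    the working directory, and any other relative entry is joined to it too.
    $ORIGIN entries resolve against the binary's own directory and are left to
    a separate file-permission audit."""
    bad = []
    for entry in paths:
        for comp in entry.split(":"):
            if comp in ("", "."):
                bad.append("<cwd>")
            elif not comp.startswith(("/", "$ORIGIN", "${ORIGIN}")):
                bad.append(comp)
    return bad


def audit_rpath(data: bytes) -> list:
    """All CWD-influenced components across both tags of one ELF image."""
    found = read_dynamic_paths(data)
    return insecure_components(found["DT_RPATH"] + found["DT_RUNPATH"])


def build_sample_elf(rpath: str) -> bytes:
    """Constructed fixture: ELF64 header + .dynstr + .dynamic + 3-entry section table."""
    dynstr = b"\0" + rpath.encode() + b"\0"                      # string index 1 = rpath
    dynamic = struct.pack(DYN_FMT, DT_RPATH, 1) + struct.pack(DYN_FMT, DT_NULL, 0)
    dynstr_off = 64
    dynamic_off = (dynstr_off + len(dynstr) + 7) & ~7
    shoff = (dynamic_off + len(dynamic) + 7) & ~7
    shdrs = (struct.pack(SHDR_FMT, *([0] * 10))                                           # SHN_UNDEF
             + struct.pack(SHDR_FMT, 0, SHT_STRTAB, 0, 0, dynstr_off, len(dynstr), 0, 0, 1, 0)
             + struct.pack(SHDR_FMT, 0, SHT_DYNAMIC, 0, 0, dynamic_off, len(dynamic), 1, 0, 8, 16))
    ehdr = (b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8          # ELF64, LE, version 1
            # e_type=DYN, e_machine=x86-64, e_version, e_entry, e_phoff, e_shoff, e_flags,
            # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
            + struct.pack("<HHIQQQIHHHHHH", 3, 62, 1, 0, 0, shoff, 0, 64, 0, 0, 64, 3, 0))
    img = bytearray(ehdr) + dynstr
    img += b"\0" * (dynamic_off - len(img)) + dynamic
    img += b"\0" * (shoff - len(img)) + shdrs
    return bytes(img)


if __name__ == "__main__":
    for rp in ("/opt/ibm/db2/V9.7/lib64:.", "/usr/lib:", "$ORIGIN/../lib:/usr/lib"):
        print(f"{rp!r:32} -> {audit_rpath(build_sample_elf(rp))}")
```

On a real system run `audit_rpath(open(path, "rb").read())` over every setuid/setgid or root-run binary, and cross-check one or two hits with `readelf -d`; any `<cwd>` or relative component on a privileged binary is the 11.28.14 condition.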
______________________________________________________________________

11.28.15 CVE: CVE-2011-1898
Platform: Cross Platform
Title: Multiple Virtualization Applications Intel VT-d chipsets Local Privilege Escalation Vulnerability
Description: Multiple virtualization applications running on Intel VT-d chipsets are exposed to a privilege escalation issue that occurs when interrupt remapping is not enabled in the chipset.
Specifically, without interrupt remapping the chipset does not stop a guest that owns a PCI device from directing that device's DMA at the host's interrupt-injection (MSI) address range. An attacker-controlled PCI device can exploit this to generate arbitrary MSI interrupts by writing to the interrupt injection registers. Xen and KVM are vulnerable and other virtualization applications may also be affected.
Ref:
http://www.securityfocus.com/bid/48515/info
______________________________________________________________________

11.28.16 CVE: Not Available
Platform: Cross Platform
Title: IBM InfoSphere Information Server Multiple Local Privilege Escalation Vulnerabilities
Description: The IBM InfoSphere Information Server is an enterprise platform for data integration. The application is exposed to multiple local privilege escalation issues. Specifically, these issues occur because insecure file permissions and ownership settings may be applied to "ds.rc" and "dsenv" files within the DSEngine directory.
IBM InfoSphere Information Server versions 8.5 and 8.5.0.1 are affected.
Ref:
https://www-304.ibm.com/support/docview.wss?uid=swg21504279
______________________________________________________________________

11.28.17 CVE: CVE-2011-1223,CVE-2011-1222
Platform: Cross Platform
Title: IBM Tivoli Storage Manager Client Multiple Buffer Overflow
Description: IBM Tivoli Storage Manager is an application for running automated backup and recovery of data. The application is exposed to multiple buffer overflow issues. A buffer overflow issue affects the Journal Based Backup function. A buffer overflow issue affects the Alternate Data Streams processing function.
IBM Tivoli Storage Manager 6.2.0.0 through 6.2.1.3, 6.1.0.0 through 6.1.3.1, 5.5.0.0 through 5.5.2.10 and 5.4.0.0 through 5.4.3.3 are affected.
Ref:
http://www.securityfocus.com/bid/48519/discuss
______________________________________________________________________

11.28.18 CVE: Not Available
Platform: Cross Platform
Title: Vsftpd Compromised Source Packages Backdoor Vulnerability
Description: Vsftpd (Very Secure File Transfer Protocol daemon) is a secure FTP server for Linux, UNIX and similar operating systems.
The application is exposed to a backdoor issue because the "vsftpd-2.3.4.tar.gz" source package file contains a backdoor.
The Vsftpd 2.3.4 source package is affected.
Ref:
http://www.securityfocus.com/bid/48539/discuss
______________________________________________________________________

11.28.19 CVE: CVE-2011-2465
Platform: Cross Platform
Title: ISC BIND 9 RPZ Configurations Remote Denial of Service
Description: ISC BIND (Berkeley Internet Name Domain) is an implementation of the Domain Name System protocols. The application is exposed to multiple remote denial of service issues.
These issues affect servers with recursion enabled and configured with the Response Policy Zones (RPZ) feature. Specifically, the issues are triggered when processing certain RPZ rule/action patterns, which contain specially crafted DNAME and CNAME records. ISC BIND versions prior to 9.8.0-P4 are vulnerable. (Note that 9.8.0-P3 is not affected but has been replaced by 9.8.0-P4).
Ref:
https://www.isc.org/software/bind/advisories/cve-2011-2465
______________________________________________________________________

11.28.20 CVE:
CVE-2011-2633,CVE-2011-2632,CVE-2011-2631,CVE-2011-2630,CVE-2011-2629
Platform: Cross Platform
Title: Opera Web Browser Multiple Remote Denial of Service Vulnerabilities
Description: Opera is a Web browser application. The application is exposed to multiple issues. A denial of service issue occurs when handling unknown content on certain web sites, as was demonstrated on "www.falk.de". A denial of service issue occurs when a popup page of the "Easy Sticky Note" extension is reloaded. A denial of service issue occurs because of an infinite loop when processing the "column-count" Cascading Style Sheet property, as was demonstrated on an unspecified Wikipedia page. A denial of service issue occurs because the browser fails to properly deconstruct certain Silverlight instances, as was demonstrated on "vod.onet.pl". A denial of service issue occurs when processing a certain Certificate Revocation List file, as was demonstrated by the "multicert-ca-02.crl" file. Versions prior to Opera Web Browser 11.11 are affected.
Ref:
http://www.opera.com/docs/changelogs/windows/1111/
http://www.opera.com/docs/changelogs/unix/1111/
http://www.opera.com/docs/changelogs/mac/1111/
______________________________________________________________________

11.28.21 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: WebCalendar Multiple Cross-Site Scripting Vulnerabilities
Description: WebCalendar is a PHP-based application. The application is exposed to multiple cross-site scripting issues because it fails to properly sanitize user-supplied input to multiple scripts and parameters. WebCalendar 1.2.3 is vulnerable; other versions may also be affected.
Ref:
http://www.securityfocus.com/bid/48546/info
______________________________________________________________________

11.28.22 CVE: Not Available
Platform: Web Application - SQL Injection
Title: PhpFood "restaurant.php" SQL Injection Vulnerability
Description: phpFood is a content manager that tracks food orders.
PhpFood is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied input to the "id" parameter of the "restaurant.php" script before using it in an SQL query. phpFood 2.00 is vulnerable; other versions may also be affected.
Ref:
http://www.securityfocus.com/bid/48552
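The 11.28.22 pattern, as an added example that is not phpFood's code: the vulnerable handler pastes the "id" request parameter into the query text the way the advisory describes, and the hardened one validates its shape and binds it. The example runs against an in-memory SQLite database; the `restaurant` table, its rows and the two attacker inputs are constructed for the demo.

```python
"""Vulnerable vs. hardened handling of an "id" request parameter (11.28.22).
Added example: the schema, rows and payloads are constructed stand-ins."""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory fixture with a column the page should never expose."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE restaurant (id INTEGER PRIMARY KEY, name TEXT, owner_email TEXT)")
    con.executemany("INSERT INTO restaurant VALUES (?, ?, ?)", [
        (1, "Pizza Uno", "uno@example.test"),
        (2, "Sushi Due", "due@example.test"),
        (3, "Taco Tre", "tre@example.test"),
    ])
    return con


def restaurant_vulnerable(con, id_param: str) -> list:
    """Bug class from the advisory: the request parameter becomes SQL text."""
    sql = "SELECT id, name FROM restaurant WHERE id = " + id_param
    return con.execute(sql).fetchall()


def restaurant_hardened(con, id_param: str) -> list:
    """Allowlist the shape of the value (ASCII digits only; str.isdigit() also
    accepts superscripts), then bind it so the database never parses attacker
    text as SQL."""
    if not re.fullmatch(r"[0-9]{1,10}", id_param):
        raise ValueError("id must be a non-negative integer")
    sql = "SELECT id, name FROM restaurant WHERE id = ?"
    return con.execute(sql, (int(id_param),)).fetchall()


# Constructed attacker inputs for the demo.
PAYLOAD_BYPASS = "1 OR 1=1"                                   # tautology: every row
PAYLOAD_UNION = "0 UNION SELECT id, owner_email FROM restaurant"  # leak another column


def hardened_rejects(con, id_param: str) -> bool:
    """True when the hardened handler refuses the input outright."""
    try:
        restaurant_hardened(con, id_param)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    con = make_db()
    print("vulnerable, id=1          :", restaurant_vulnerable(con, "1"))
    print("vulnerable, tautology     :", restaurant_vulnerable(con, PAYLOAD_BYPASS))
    print("vulnerable, UNION leak    :", restaurant_vulnerable(con, PAYLOAD_UNION))
    print("hardened, id=1            :", restaurant_hardened(con, "1"))
    print("hardened rejects tautology:", hardened_rejects(con, PAYLOAD_BYPASS))
```

The shape check is a defence in depth, not the fix: the parameter binding is what removes the injection, and it also covers values (free-text search strings, for example) that no regular expression can safely allowlist.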
______________________________________________________________________

11.28.23 CVE: Not Available
Platform: Web Application
Title: AeroMail Multiple Vulnerabilities
Description: AeroMail is a web-based email application. The application is exposed to multiple remote issues. A cross-site scripting issue affects the "folder" URL variable. A cross-site request forgery issue affects the composition screen. A cross-site request forgery issue allows attackers to send spam email without the user's knowledge. An HTML injection issue occurs because the application fails to sanitize folder names. An HTML injection issue occurs because the application fails to sanitize email attachment names. An HTML injection issue occurs because the application fails to sanitize the subject line before displaying emails.
AeroMail version 2.80 is vulnerable, other versions may also be affected.
Ref:
http://www.securityfocus.com/bid/48510/discuss
______________________________________________________________________

11.28.24 CVE: Not Available
Platform: Web Application
Title: IBM Rational DOORS Multiple Unspecified Vulnerabilities
Description: IBM Rational DOORS is a Web application that works with IBM Rational DOORS databases. The application is exposed to multiple unspecified issues. An unspecified cross-site scripting issue exists. An unspecified issue affects "Server Error" responses. An unspecified issue affects the application.
IBM Rational DOORS versions 1.4 through 1.4.0.3 are affected.
Ref:
https://www-304.ibm.com/support/docview.wss?uid=swg27020404
______________________________________________________________________

11.28.25 CVE: Not Available
Platform: Web Application
Title: WeBid Local File Include and SQL Injection Vulnerabilities
Description: WeBid is a web-based auction application implemented in PHP. The application is exposed to multiple input validation issues. A local file include issue affects the "lan" and "USERLANGUAGE" parameters of the "includes/messages.inc.php" script. Multiple SQL injection issues also affect the application. WeBid 1.0.2 is vulnerable and other versions may also be affected.
Ref:
http://www.webidsupport.com/forums/showthread.php?3892
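The local file include half of 11.28.25, as an added example in Python (not WeBid's code): a language name taken from a request parameter is spliced into an include path. The vulnerable resolver accepts "../" sequences and absolute paths; the hardened one allowlists the value and then confirms the resolved path is still inside the language directory. The directory layout, the language allowlist and the "config.inc.php" target are constructed for the demo.

```python
"""Vulnerable vs. hardened resolution of a language include chosen by a request
parameter (the 11.28.25 pattern). Added example; the directory tree and the
allowlist are constructed fixtures, not WeBid's."""
import os
import tempfile

LANG_ALLOWLIST = frozenset({"en", "de", "fr"})   # assumption: languages the app ships


def include_path_vulnerable(lang_dir: str, lan: str) -> str:
    """Bug class from the advisory: the parameter is spliced into the path.
    os.path.join drops lang_dir entirely when lan is absolute, and ".." is
    honoured, so the caller can name any *.inc.php file on the system."""
    return os.path.normpath(os.path.join(lang_dir, lan + ".inc.php"))


def include_path_hardened(lang_dir: str, lan: str) -> str:
    """Allowlist the value first, then verify the path still lies inside
    lang_dir once symlinks and ".." have been collapsed by realpath."""
    if lan not in LANG_ALLOWLIST:
        raise ValueError(f"unknown language {lan!r}")
    base = os.path.realpath(lang_dir)
    target = os.path.realpath(os.path.join(base, lan + ".inc.php"))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("resolved include escapes the language directory")
    return target


def escapes_vulnerable(lang_dir: str, lan: str) -> bool:
    """Does the vulnerable resolver leave lang_dir for this input?"""
    base = os.path.realpath(lang_dir)
    target = os.path.realpath(include_path_vulnerable(lang_dir, lan))
    return os.path.commonpath([base, target]) != base


def hardened_rejects(lang_dir: str, lan: str) -> bool:
    """True when the hardened resolver refuses the input."""
    try:
        include_path_hardened(lang_dir, lan)
    except ValueError:
        return True
    return False


def make_fixture() -> tuple:
    """Constructed tree: <tmp>/includes/lang/en.inc.php plus a sensitive file
    two levels up, the way a config file sits next to an app's includes/."""
    root = tempfile.mkdtemp()
    lang_dir = os.path.join(root, "includes", "lang")
    os.makedirs(lang_dir)
    with open(os.path.join(lang_dir, "en.inc.php"), "w") as f:
        f.write("<?php $lang['ok'] = 1;")
    secret = os.path.join(root, "config.inc.php")
    with open(secret, "w") as f:
        f.write("<?php $db_pass = 'constructed';")
    return root, lang_dir, secret


if __name__ == "__main__":
    root, lang_dir, secret = make_fixture()
    for lan in ("en", "../../config", "/etc/passwd"):
        print(f"{lan!r:16} vulnerable -> {include_path_vulnerable(lang_dir, lan)}")
        print(f"{'':16} escapes={escapes_vulnerable(lang_dir, lan)} "
              f"hardened_rejects={hardened_rejects(lang_dir, lan)}")
```

The suffix the application appends (".inc.php" here) does not help: the traversal input simply names a file that already carries that suffix, as "../../config" does above.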
______________________________________________________________________

11.28.26 CVE: Not Available
Platform: Hardware
Title: Portech MV-372 VoIP Gateway Multiple Security Vulnerabilities
Description: The Portech MV-372 VoIP Gateway is a GSM/CDMA/UMTS mobile gateway device. The device is exposed to multiple issues. An information disclosure issue exists because the device displays information about the model type, module description, and firmware and codec versions without authentication. A denial of service issue occurs when passing an overly long string to the "password" field while connecting through the Telnet service. Multiple security bypass issues exist because the device allows configuration settings to be modified without a valid username and password. All firmware versions are affected.
Ref:
http://www.securityfocus.com/bid/48560
______________________________________________________________________
