
Vulnerability Summary - Week 31

Thursday, July 28, 2011

______________________________________________________________________

                                @RISK: The Consensus Security Vulnerability Alert

                                                               Week 31 2011

______________________________________________________________________

Summary of Updates and Vulnerabilities in this Consensus

Platform                                 Number of Updates and Vulnerabilities
---------------------------------------  -------------------------------------
Other Microsoft Products                 1
Third Party Windows Apps                 5 (#2)
Linux                                    2
Cross Platform                           7 (#1)
Web Application - Cross Site Scripting   2
Web Application - SQL Injection          2
Web Application                          6
Hardware                                 2

(#n) marks the category containing item (n) of Part I below.

****************************************************************************

Part I -- Critical Vulnerabilities from TippingPoint (www.tippingpoint.com) Widely Deployed Software

(1) HIGH: Apple Safari Multiple Vulnerabilities
(2) MEDIUM: Foxit Reader ActiveX Control Buffer Overflow


Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys

-- Other Microsoft Products
11.31.1  - Internet Explorer EUC-JP Encoded Characters Cross-Site Scripting

-- Third Party Windows Apps
11.31.2  - Foxit Reader "FoxitReaderOCX" ActiveX Control "OpenFile()" Buffer Overflow
11.31.3  - Kingsoft Antivirus "KisKrnl.sys" Driver Local Privilege Escalation
11.31.4  - CiscoKits CCNA TFTP Server Long Filename Remote Denial of Service
11.31.5  - Download Accelerator Plus ".m3u" File Buffer Overflow
11.31.6  - Computer Associates ARCserve D2D "homepageServlet" Servlet Information Disclosure

-- Linux
11.31.7  - SystemTap Multiple Local Privilege Escalation Vulnerabilities
11.31.8  - IcedTea6 and IcedTea-Web Information Disclosure and Security Bypass Vulnerabilities

-- Cross Platform
11.31.9  - Apple Safari Multiple Security Vulnerabilities
11.31.10 - Likewise Open lsassd Service SQL Injection
11.31.11 - BusyBox "udhcpc" Shell Characters in Response Remote Code Execution
11.31.12 - FreeRADIUS Revoked Certificate Authentication Bypass Vulnerability
11.31.13 - OpenSAML XML Signature Wrapping Security Vulnerability
11.31.14 - ClamAV Hash Manager Off-By-One Denial of Service
11.31.15 - ICQ Profile HTML Injection Vulnerability

-- Web Application - Cross Site Scripting
11.31.16 - Tiki Wiki CMS Groupware "snarf_ajax.php" Cross-Site Scripting
11.31.17 - Koha OPAC Multiple Cross-Site Scripting Vulnerabilities

-- Web Application - SQL Injection
11.31.18 - vBulletin "messagegroupid" Parameter SQL Injection Vulnerability
11.31.19 - ExtCalendar "username" and "password" SQL Injection Vulnerabilities

-- Web Application
11.31.20 - PRADO "TActiveFileUpload.php" Directory Traversal Vulnerability
11.31.21 - Free Help Desk Multiple Unspecified Vulnerabilities
11.31.22 - cgit HTML Injection Vulnerability
11.31.23 - phpMyAdmin Multiple Remote Vulnerabilities
11.31.24 - Musicbox Cross-Site Scripting and SQL Injection Vulnerabilities
11.31.25 - ManageEngine ServiceDesk Plus Local Privilege Escalation

-- Hardware
11.31.26 - Cisco SA 500 Series Appliances Web Management Interface SQL Injection
11.31.27 - Dlink DPH 150SE/E/F1 IP Phones Multiple Remote Vulnerabilities
______________________________________________________________________

PART I Critical Vulnerabilities
Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/risk/#process

*************************************************************

(1) HIGH: Apple Safari Multiple Vulnerabilities
Affected:
Safari 5.0.6
Safari 5.1

Description: Apple has released patches addressing multiple vulnerabilities in its Safari web browser. The vulnerabilities include use-after-free flaws in WebKit's handling of frame owner elements, Scalable Vector Graphics (SVG) markers, DOM attribute copying, and implicitly defined styles for HTML. Other vulnerabilities listed by Apple include problems in underlying libraries such as CoreGraphics that could be reached through multiple vectors. By enticing a target to view a malicious site, an attacker could exploit these vulnerabilities to execute arbitrary code on the target's machine.

Status: vendor confirmed, updates available

References:
Vendor Site
Apple Security Advisory
Zero Day Initiative Advisories
SecurityFocus BugTraq ID

*************************************************************

(2) MEDIUM: Foxit Reader ActiveX Control Buffer Overflow
Affected:
Foxit Reader ActiveX Control version 2.0.1.524.
Foxit Reader version 5.0.1.0523.

Description: Foxit has released a patch addressing a buffer overflow vulnerability in its FoxitReaderOCX ActiveX control, which is included in its plugin for Firefox. By enticing a target to view a web site that instantiates this control and passes an overly long string to the strFilePath parameter of its OpenFile() method, an attacker can exploit this vulnerability to execute arbitrary code on the target's machine.

Status: vendor confirmed, updates available

References:
Vendor Site
Foxit Security Bulletin
SecurityFocus BugTraq ID

*************************************************************

Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 11861 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.
______________________________________________________________________


11.31.1 CVE: Not Available
Platform: Other Microsoft Products
Title: Internet Explorer EUC-JP Encoded Characters Cross-Site Scripting
Description: Microsoft Internet Explorer is a Web browser for Windows platforms. The application is exposed to a cross-site scripting issue.
Specifically, the issue occurs because the application fails to properly sanitize input passed via EUC-JP encoded characters. Internet Explorer versions 6 and 7 are vulnerable.
______________________________________________________________________

11.31.2 CVE: Not Available
Platform: Third Party Windows Apps
Title: Foxit Reader "FoxitReaderOCX" ActiveX Control "OpenFile()"
Buffer Overflow
Description: Foxit Reader is a PDF reader for Microsoft Windows. Foxit Reader is exposed to a buffer overflow issue because the application fails to perform adequate boundary checks on user-supplied data. This issue affects the "OpenFile()" method of the "FoxitReaderOCX" ActiveX control when excessively large amounts of data are passed through the "strFilePath" parameter. Foxit Reader 5.0.1.0523 is vulnerable and other versions may also be affected.
______________________________________________________________________

11.31.3 CVE: Not Available
Platform: Third Party Windows Apps
Title: Kingsoft Antivirus "KisKrnl.sys" Driver Local Privilege Escalation
Description: Kingsoft Antivirus is a security application for Microsoft Windows platforms. The application is exposed to a local privilege escalation issue. This issue affects the "NtQueryValueKey"
function of the "KisKrnl.sys" driver, and is due to a failure to properly bounds check the "ResultLength" buffer. Kingsoft Antivirus
2011.7.8.913 is vulnerable and other versions may also be affected.
______________________________________________________________________

11.31.4 CVE: Not Available
Platform: Third Party Windows Apps
Title: CiscoKits CCNA TFTP Server Long Filename Remote Denial of Service
Description: CiscoKits CCNA TFTP Server is a Trivial File Transfer Protocol (TFTP) server application. The application is exposed to a remote denial of service issue. This issue occurs when an overly long filename is supplied in a read request (RRQ). CiscoKits CCNA TFTP Server 1.0 is affected and other versions may also be vulnerable.
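The failure mode above is a server that copies the filename field of an RRQ without bounding its length. The following is an added example, not code from the newsletter or from the CiscoKits product: it builds RFC 1350 read requests and shows a parser that checks the opcode, both NUL terminators and an explicit filename cap before doing anything with the name. The 255-byte cap is an assumption (RFC 1350 sets no limit, which is exactly why a server must choose one).

```python
import struct

OP_RRQ = 1
MAX_FILENAME = 255   # assumed server-side cap; RFC 1350 sets no limit, which is the problem

def build_rrq(filename, mode="octet"):
    """Build a TFTP read request (RFC 1350): opcode 1 | filename | 0 | mode | 0."""
    return (struct.pack("!H", OP_RRQ)
            + filename.encode("ascii") + b"\0"
            + mode.encode("ascii") + b"\0")

def parse_rrq(packet, max_filename=MAX_FILENAME):
    """Parse an RRQ with explicit bounds; raises ValueError instead of trusting the client."""
    if len(packet) < 4:
        raise ValueError("packet too short")
    (opcode,) = struct.unpack("!H", packet[:2])
    if opcode != OP_RRQ:
        raise ValueError("opcode %d is not RRQ" % opcode)
    fields = packet[2:].split(b"\0")
    # A well-formed request ends with a NUL, so the final split element is empty.
    if len(fields) < 3 or fields[-1] != b"":
        raise ValueError("missing NUL terminator")
    filename, mode = fields[0], fields[1]
    if not 1 <= len(filename) <= max_filename:
        raise ValueError("filename length %d outside 1..%d" % (len(filename), max_filename))
    if mode.lower() not in (b"netascii", b"octet", b"mail"):
        raise ValueError("unknown transfer mode %r" % mode)
    return filename.decode("ascii"), mode.decode("ascii").lower()

def demo():
    """Exercise the parser with a normal request, an oversized name and a truncated packet."""
    results = {"normal": parse_rrq(build_rrq("boot.bin"))}
    for label, packet in (
        ("oversized", build_rrq("A" * 2000)),       # constructed long-filename request
        ("truncated", build_rrq("boot.bin")[:-1]),  # final NUL missing
    ):
        try:
            parse_rrq(packet)
            results[label] = "accepted"
        except ValueError:
            results[label] = "rejected"
    return results
```

Feeding `build_rrq("A" * 2000)` to a server that reads the name into a fixed-size buffer is the crash the entry describes; `parse_rrq` rejects it before any copy happens, and also rejects a request whose trailing NUL is missing, a case `strlen`-style parsing would run past.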
______________________________________________________________________

11.31.5 CVE: Not Available
Platform: Third Party Windows Apps
Title: Download Accelerator Plus ".m3u" File Buffer Overflow
Description: Download Accelerator Plus is an application used to accelerate file downloads. The application is exposed to a buffer overflow issue because it fails to perform adequate checks on user-supplied input. Specifically, this issue occurs when processing a ".m3u" file. Download Accelerator Plus 9.7 is vulnerable and other versions may also be affected.
______________________________________________________________________

11.31.6 CVE: Not Available
Platform: Third Party Windows Apps
Title: Computer Associates ARCserve D2D "homepageServlet" Servlet Information Disclosure
Description: Computer Associates ARCserve D2D is a disk-based backup solution. The application is exposed to an information-disclosure vulnerability that affects the "homepageServlet" servlet. An unauthenticated attacker can exploit this issue to obtain the "username" and "password" of the administrator by sending a specially crafted RPC (Remote Procedure Call) request to the affected servlet.
The RPC request will contain a message to the "getLocalHost()"
procedure. Computer Associates ARCServe D2D r15 is vulnerable.
______________________________________________________________________

11.31.7 CVE: CVE-2011-2503,CVE-2011-2502
Platform: Linux
Title: SystemTap Multiple Local Privilege Escalation Vulnerabilities
Description: SystemTap is an application for Linux that is used for gathering system information. The SystemTap runtime tool (staprun) is exposed to multiple local privilege escalation issues. When a request is made for ad hoc module instrumentation via user space probing with a user specified module path, the tool fails to properly enforce the module's path sanity check. A race condition issue exists in the tool when loading modules. Specifically, there is a time gap between performing the module sanity checks and actually loading the module. SystemTap 1.4.6 and SystemTap 1.3.9 are affected.
______________________________________________________________________

11.31.8 CVE: CVE-2011-2514,CVE-2011-2513
Platform: Linux
Title: IcedTea6 and IcedTea-Web Information Disclosure and Security Bypass Vulnerabilities
Description: IcedTea6 is a project based on OpenJDK6. IcedTea-Web is a web browser plug-in implementation of Java Web Start. Both are exposed to issues in their handling of the Java Network Launching Protocol (JNLP): an information disclosure issue, and in IcedTea-Web a security bypass issue. IcedTea6 versions 1.9.x prior to 1.9.9 and 1.8.x prior to 1.8.9, and IcedTea-Web versions 1.1.x prior to 1.1.1 and 1.0.x prior to 1.0.4, are vulnerable.
______________________________________________________________________

11.31.9 CVE:
CVE-2011-1797,CVE-2011-1462,CVE-2011-1457,CVE-2011-1453,CVE-2011-1288,CVE-2011-0255,CVE-2011-0254,
CVE-2011-0253,CVE-2011-0240,CVE-2011-0238,CVE-2011-0237,CVE-2011-0235,CVE-2011-0234,CVE-2011-0233,
CVE-2011-0232,CVE-2011-0225,CVE-2011-0222,CVE-2011-0221,CVE-2011-0218
Platform: Cross Platform
Title: Apple Safari Multiple Security Vulnerabilities
Description: Apple Safari is a web browser available for Mac OS X and Microsoft Windows. Safari is exposed to multiple security issues that have been addressed in Apple security advisory APPLE-SA-2011-07-20-1.
Safari 5.1 and 5.0.6 running on Apple Mac OS X, Windows 7, XP and Vista are affected.
______________________________________________________________________

11.31.10 CVE: CVE-2011-2467
Platform: Cross Platform
Title: Likewise Open lsassd Service SQL Injection
Description: Likewise Open is an authentication solution for Unix and Linux operating systems. The application is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data passed to an unspecified parameter of the "lsassd" service before using it in an SQL query. Likewise Open 5.4, 6.0 and 6.1 are affected.
______________________________________________________________________

11.31.11 CVE: Not Available
Platform: Cross Platform
Title: BusyBox "udhcpc" Shell Characters in Response Remote Code Execution
Description: "udhcpc" is the DHCP client distributed with BusyBox. The client is exposed to a remote code execution issue because it fails to escape shell metacharacters in values taken from DHCP server responses, such as the host name carried in option 12 (0x0c), before those values reach the shell script the client runs. BusyBox 1.18.5 is affected.
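What "shell characters in the response" means in practice, as an added example that is not the newsletter's or BusyBox's own code: a DHCP option block is parsed, and the host name it carries is handed to a shell command line. The unsafe builder pastes the value in as-is; the safe one validates it against the RFC 1123 host name grammar and quotes it. The option bytes, the hostile host name and the command strings are constructed for the example (udhcpc itself passes values to its script through environment variables, but the exposure is the same once an unquoted expansion or `eval` interprets them).

```python
import re
import shlex

# DHCP option tags used below (RFC 2132).
OPT_PAD, OPT_HOSTNAME, OPT_DOMAIN, OPT_END = 0, 12, 15, 255

def parse_dhcp_options(data):
    """Parse the tag/length/value option area of a DHCP reply into {tag: bytes}."""
    opts, i = {}, 0
    while i < len(data):
        tag = data[i]
        if tag == OPT_PAD:
            i += 1
            continue
        if tag == OPT_END:
            break
        if i + 1 >= len(data):
            raise ValueError("truncated option header at offset %d" % i)
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d claims %d bytes, %d present" % (tag, length, len(value)))
        opts[tag] = value
        i += 2 + length
    return opts

# RFC 1123 host name: dot-separated labels of letters, digits and inner hyphens, 253 chars max.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")

def hostname_is_valid(value):
    return bool(_HOSTNAME_RE.match(value))

def command_unsafe(hostname):
    """The vulnerable pattern: the server-supplied value is pasted into a shell command line."""
    return "hostname " + hostname

def command_safe(hostname):
    """Reject anything that is not a host name, then quote what is left for the shell."""
    if not hostname_is_valid(hostname):
        raise ValueError("rejected host name from DHCP server: %r" % hostname)
    return "hostname " + shlex.quote(hostname)

def demo():
    # Constructed option block from a hostile server: the host name carries a second command.
    hostile = b"box; touch /tmp/pwned"
    options = (bytes([OPT_HOSTNAME, len(hostile)]) + hostile
               + bytes([OPT_DOMAIN, 7]) + b"lan.tld"
               + bytes([OPT_END]))
    opts = parse_dhcp_options(options)
    name = opts[OPT_HOSTNAME].decode("ascii", "replace")
    try:
        safe = command_safe(name)
    except ValueError:
        safe = "rejected"
    return {"unsafe": command_unsafe(name), "safe": safe,
            "domain": opts[OPT_DOMAIN].decode("ascii")}
```

Note that quoting alone would also stop the injection, but validating first is the better default for a network-supplied value that has a well-defined grammar: a rejected name is logged and ignored, rather than silently set to something a shell merely happened not to interpret.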
______________________________________________________________________

11.31.12 CVE: CVE-2011-2701
Platform: Cross Platform
Title: FreeRADIUS Revoked Certificate Authentication Bypass Vulnerability
Description: FreeRADIUS is an open source implementation of the RADIUS protocol for authentication. The application is exposed to an authentication bypass issue because it accepts revoked client certificates, allowing attackers holding such a certificate to gain authenticated access through the FreeRADIUS server. The issue occurs in the "ocsp_check()" function of the "rlm_eap_tls.c" source file: after "OCSP_basic_verify()" has validated the OCSP response itself, the code does not check the certificate status that the response reports, so a certificate the responder marks as revoked is still treated as good. FreeRADIUS versions 2.1.11 and earlier are vulnerable.
______________________________________________________________________

11.31.13 CVE: CVE-2011-1411
Platform: Cross Platform
Title: OpenSAML XML Signature Wrapping Security Vulnerability
Description: OpenSAML is an open source library for the Security Assertion Markup Language (SAML) standard. OpenSAML is exposed to an XML signature wrapping issue. It arises in the XML signature processing that is used in place of TLS to protect certain messages: the library can verify a signature over one element of a document while the application acts on a different, unsigned element that an attacker has placed elsewhere in the same document. OpenSAML versions prior to 2.5.1 are affected.
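The wrapping attack the entry describes, as an added example that is not part of the newsletter or of OpenSAML's code: a signed assertion is moved to another place in the message and a forged assertion takes its slot, so a consumer that verifies the signature and then uses "the first Assertion" is fooled, while a consumer that uses only the element the signature's Reference resolves to is not. Real SAML uses XML-DSig with canonicalization and an asymmetric key; here an HMAC over a plain serialization stands in for that. The element names, IDs, the key and the subjects are constructed for the example.

```python
import copy
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed shared key standing in for the identity provider's signing key.
IDP_KEY = b"idp-signing-key-for-demo"

def canonical(elem):
    """Simplified stand-in for XML canonicalization: serialize the subtree on its own."""
    c = copy.deepcopy(elem)
    c.tail = None
    return ET.tostring(c, encoding="utf-8")

def find_by_id(root, elem_id):
    """Resolve an ID reference; duplicate IDs are treated as an attack, not ambiguity."""
    matches = [e for e in root.iter() if e.get("ID") == elem_id]
    if len(matches) != 1:
        raise ValueError("expected one element with ID %r, found %d" % (elem_id, len(matches)))
    return matches[0]

def sign_element(root, target_id):
    """Append a <Signature> covering the element with ID=target_id (HMAC stands in for XML-DSig)."""
    mac = hmac.new(IDP_KEY, canonical(find_by_id(root, target_id)), hashlib.sha256).hexdigest()
    sig = ET.SubElement(root, "Signature")
    ET.SubElement(sig, "Reference", URI="#" + target_id)
    ET.SubElement(sig, "SignatureValue").text = mac
    return root

def signed_element(root):
    """Verify the signature and return the element it actually covers."""
    sig = root.find("Signature")
    if sig is None:
        raise ValueError("unsigned message")
    target = find_by_id(root, sig.find("Reference").get("URI").lstrip("#"))
    expected = hmac.new(IDP_KEY, canonical(target), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig.find("SignatureValue").text):
        raise ValueError("bad signature")
    return target

def subject_vulnerable(root):
    """Checks the signature, then trusts whichever <Assertion> comes first: the wrapping bug."""
    signed_element(root)
    return root.find("Assertion").find("Subject").text

def subject_safe(root):
    """Only the element the signature covers is used, and it must sit where a real one would."""
    target = signed_element(root)
    if target.tag != "Assertion" or target not in list(root):
        raise ValueError("signed element is not the top-level Assertion")
    return target.find("Subject").text

def build_response(subject="alice"):
    root = ET.Element("Response")
    assertion = ET.SubElement(root, "Assertion", ID="_a1")
    ET.SubElement(assertion, "Subject").text = subject
    return sign_element(root, "_a1")

def wrap(root, forged_subject="admin"):
    """Attacker step: keep the signed assertion byte-for-byte, move it, and put a forgery in its slot."""
    original = root.find("Assertion")
    root.remove(original)
    forged = ET.Element("Assertion", ID="_evil")
    ET.SubElement(forged, "Subject").text = forged_subject
    root.insert(0, forged)
    ET.SubElement(root, "Extensions").append(original)
    return root

def demo():
    wrapped = wrap(build_response())
    try:
        subject_safe(wrapped)
        safe_rejects = False
    except ValueError:
        safe_rejects = True
    tampered = build_response()                       # edit the signed content instead of wrapping
    tampered.find("Assertion").find("Subject").text = "admin"
    try:
        subject_vulnerable(tampered)
        tampered_rejects = False
    except ValueError:
        tampered_rejects = True
    return {"honest": subject_vulnerable(build_response()),
            "wrapped_vulnerable": subject_vulnerable(wrapped),
            "wrapped_safe_rejects": safe_rejects,
            "tampered_rejects": tampered_rejects}
```

The signature is genuinely valid on the wrapped message, which is why "verify, then look up by tag name" fails: the check and the use refer to different elements. Tying the consumer to the element returned by verification, and rejecting duplicate IDs, closes both the relocation and the ID-collision variants.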
______________________________________________________________________

11.31.14 CVE: Not Available
Platform: Cross Platform
Title: ClamAV Hash Manager Off-By-One Denial of Service
Description: ClamAV is a cross-platform antivirus toolkit, commonly used to scan email messages. The application is exposed to a denial of service issue due to an off-by-one error in the "cli_hm_scan()" function of the "libclamav/matcher-hash.c" source file. The error is in the hash manager and is triggered while matching hashes computed from a crafted message. Versions prior to ClamAV 0.97.2 are vulnerable.
______________________________________________________________________

11.31.15 CVE: Not Available
Platform: Cross Platform
Title: ICQ Profile HTML Injection Vulnerability
Description: ICQ is an instant messaging client. The application is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input to a user's profile. Successful exploits will allow attacker-supplied HTML and script code to run in the context of the browser, potentially allowing the attacker to steal cookie-based authentication credentials or to control how the site is rendered to the user. Other attacks are also possible. ICQ 7.5 and prior running on Windows are vulnerable.
______________________________________________________________________

11.31.16 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Tiki Wiki CMS Groupware "snarf_ajax.php" Cross-Site Scripting
Description: Tiki Wiki CMS Groupware is a PHP-based content management and groupware application. The application is exposed to a cross-site scripting issue because it fails to sufficiently sanitize user-supplied data submitted to the "ajax" parameter of the "snarf_ajax.php" script. Tiki Wiki CMS Groupware 7.0 is vulnerable; other versions may also be affected.
______________________________________________________________________

11.31.17 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Koha OPAC Multiple Cross-Site Scripting Vulnerabilities
Description: Koha is a web-based library management system implemented in Perl. The application is exposed to multiple cross-site scripting issues in its OPAC (Online Public Access Catalog) interface because it fails to properly sanitize user-supplied input submitted to the following scripts: "opac-downloadcart.pl", "opac-addbybiblionumber.pl", "opac-downloadshelf.pl", "opac-review.pl", "opac-sendshelf.pl" and "opac-serial-issues.pl". Koha versions 3.2.9 and earlier, and 3.4.1 and earlier, are vulnerable.
______________________________________________________________________

11.31.18 CVE: Not Available
Platform: Web Application - SQL Injection
Title: vBulletin "messagegroupid" Parameter SQL Injection Vulnerability
Description: vBulletin is forum software implemented in PHP. vBulletin is exposed to an SQL injection issue because it fails to sufficiently sanitize user-supplied data submitted to the "messagegroupid" parameter of the "socialgroupmessage.php" script before using it in an SQL query. vBulletin versions 4.0.1 through 4.1.3 are vulnerable; other versions may also be affected.
______________________________________________________________________

11.31.19 CVE: Not Available
Platform: Web Application - SQL Injection
Title: ExtCalendar "username" and "password" SQL Injection Vulnerabilities
Description: ExtCalendar is a multi-user web-based calendar application. The application is exposed to multiple SQL injection issues because it fails to sufficiently sanitize user-supplied data passed in the "username" and "password" cookies before using it in an SQL query. ExtCalendar 2.0 is vulnerable; other versions may also be affected.
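Cookies are the least obvious of the injection vectors in this section (the vBulletin and Musicbox entries are request parameters; this one is a cookie the user can set freely). The following is an added example, not the newsletter's or ExtCalendar's code: a login check that concatenates the cookie values into the query beside the same check with bound parameters, run against a constructed in-memory SQLite table. The table, the users, the cookie parser and the cookie header are all constructed for the example.

```python
import sqlite3

def make_db():
    """Constructed in-memory user table; not ExtCalendar's own schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn

def parse_cookie(header):
    """Minimal Cookie header parser: 'a=b; c=d' -> {'a': 'b', 'c': 'd'}."""
    out = {}
    for part in header.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            out[key] = value
    return out

def login_vulnerable(conn, username, password):
    """Cookie values concatenated into the query text: the pattern the advisory describes."""
    sql = ("SELECT id FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def login_safe(conn, username, password):
    """Same check with bound parameters; the values can never change the statement's shape."""
    row = conn.execute("SELECT id FROM users WHERE username = ? AND password = ?",
                       (username, password)).fetchone()
    return row[0] if row else None

def demo():
    conn = make_db()
    # Constructed Cookie header: the password cookie closes the quote and appends OR '1'='1.
    cookies = parse_cookie("username=x; password=' OR '1'='1")
    return {
        "injected_vulnerable": login_vulnerable(conn, cookies["username"], cookies["password"]),
        "injected_safe": login_safe(conn, cookies["username"], cookies["password"]),
        "legit_safe": login_safe(conn, "alice", "s3cret"),
    }
```

With the injected cookie the concatenated statement becomes `... WHERE username = 'x' AND password = '' OR '1'='1'`, which matches the first row and logs the attacker in as that user; the parameterized statement compares the literal string and matches nothing. Storing a plaintext password in a cookie at all is a second problem the entry implies but does not spell out.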
______________________________________________________________________

11.31.20 CVE: Not Available
Platform: Web Application
Title: PRADO "TActiveFileUpload.php" Directory Traversal Vulnerability
Description: PRADO is a component-based web application framework implemented in PHP. The framework is exposed to a directory traversal issue because it fails to sufficiently sanitize user-supplied input passed to the "TActiveFileUpload.php" script. PRADO 3.1.3 and prior versions are affected.
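The check a file-upload handler needs to avoid this class of bug, as an added example that is not the newsletter's or PRADO's code: the client-supplied name is reduced to its last path component, joined to the upload directory, resolved, and then confirmed to still lie under that directory. The temporary upload directory and the hostile file name are constructed for the example.

```python
import os
import tempfile

def unsafe_upload_path(base_dir, filename):
    """The pattern the advisory describes: the client-chosen name is joined as-is."""
    return os.path.normpath(os.path.join(base_dir, filename))

def is_inside(base_dir, path):
    """True if path resolves to base_dir or something beneath it (symlinks followed)."""
    base = os.path.realpath(base_dir)
    return os.path.commonpath([base, os.path.realpath(path)]) == base

def safe_upload_path(base_dir, filename):
    """Reduce the name to its last component, then confirm the result stays under base_dir."""
    base = os.path.realpath(base_dir)
    name = os.path.basename(filename.replace("\\", "/"))   # drops '../', '/abs' and 'C:\' prefixes
    if name in ("", ".", "..") or "\0" in name:
        raise ValueError("empty or reserved file name: %r" % filename)
    candidate = os.path.realpath(os.path.join(base, name))
    if not is_inside(base, candidate):   # a symlink inside base could still point outside
        raise ValueError("path escapes %s" % base)
    return candidate

def demo():
    base = tempfile.mkdtemp()            # constructed upload directory
    hostile = "../../../../etc/passwd"   # constructed client-supplied file name
    try:
        leaked = unsafe_upload_path(base, hostile)
        kept = safe_upload_path(base, hostile)
        return {
            "unsafe_escapes": not is_inside(base, leaked),
            "safe_inside": is_inside(base, kept),
            "safe_basename": os.path.basename(kept),
        }
    finally:
        os.rmdir(base)
```

Two checks rather than one is deliberate: `basename` alone stops `..` segments, and the `realpath` containment test catches what `basename` cannot, such as a symlink already present in the upload directory.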
______________________________________________________________________

11.31.21 CVE: Not Available
Platform: Web Application
Title: Free Help Desk Multiple Unspecified Vulnerabilities
Description: Free Help Desk is a Web-based help desk system. The application is exposed to multiple unspecified issues. Free Help Desk versions prior to 1.1b are vulnerable.
______________________________________________________________________

11.31.22 CVE: Not Available
Platform: Web Application
Title: cgit HTML Injection Vulnerability
Description: cgit is a web front end for git repositories. The application is exposed to an HTML injection issue because it fails to properly sanitize data taken from user-supplied requests. Specifically, a file name is displayed unescaped in the rename hint. Versions prior to cgit 0.9.0.2-2 are vulnerable.
______________________________________________________________________

11.31.23 CVE: CVE-2011-2643,CVE-2011-2642
Platform: Web Application
Title: phpMyAdmin Multiple Remote Vulnerabilities
Description: phpMyAdmin is a PHP-based web application for administering MySQL databases. phpMyAdmin is exposed to multiple issues. An HTML injection issue affects the "table name" field of the table print view. A local file include issue affects the "MIME-type" transformation parameter. A second local file include issue exists because the application fails to sanitize user-supplied input passed to the "PMA_createTargetTable" function of the "libraries/server_synchronize_lib.php" script. A further issue in the "Swekey" authentication may allow attackers to overwrite session variables. phpMyAdmin versions prior to 3.3.10.3 and 3.4.3.2 are affected.
______________________________________________________________________

11.31.24 CVE: Not Available
Platform: Web Application
Title: Musicbox Cross-Site Scripting and SQL Injection Vulnerabilities
Description: Musicbox is a web-based application for hosting a music site. It is implemented in PHP. The application is exposed to multiple issues. A SQL injection issue affects the "show"
parameter of the "index.php" script. A cross-site scripting issue affects the "term" parameter of the "index.php" script. Musicbox 3.7 is affected; other versions may also be vulnerable.
______________________________________________________________________

11.31.25 CVE: Not Available
Platform: Web Application
Title: ManageEngine ServiceDesk Plus Local Privilege Escalation
Description: ManageEngine ServiceDesk Plus is a web-based help desk and asset management application. ServiceDesk Plus is exposed to a local privilege escalation issue. Specifically, the application fails to sanitize data supplied to the "module" parameter of the "BackupSchedule.do" script. ManageEngine ServiceDesk Plus 8 is vulnerable; other versions may also be affected.
______________________________________________________________________

11.31.26 CVE: CVE-2011-2546
Platform: Hardware
Title: Cisco SA 500 Series Appliances Web Management Interface SQL Injection
Description: Cisco SA 500 series appliances are small business security appliances. The devices are exposed to an unspecified SQL injection issue in their web management interface because they fail to sufficiently sanitize user-supplied data before using it in an SQL query. Cisco SA520, Cisco SA520W and Cisco SA540 are affected.
______________________________________________________________________

11.31.27 CVE: Not Available
Platform: Hardware
Title: Dlink DPH 150SE/E/F1 IP Phones Multiple Remote Vulnerabilities
Description: D-Link DPH IP phones are wireless IP phones. The phones are exposed to multiple remote issues. An authentication bypass issue may allow attackers to obtain device configuration files, including the administrator's password. An arbitrary file upload issue exists in the web management interface and may allow an attacker to upload configuration files to the affected device. An unauthorized access issue may allow attackers to modify the messages shown on the devices' LCD displays. A denial of service issue may allow attackers to reboot the affected device. D-Link DPH 150SE, DPH 150E and DPH 150F1 are affected.
______________________________________________________________________
