
@RISK Newsletter for November 17, 2011 The Consensus Security Vulnerability Alert

This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.


@RISK: The Consensus Security Vulnerability Alert
Vol. 11, Num. 47

Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked.

Archived issues may be found at https://www.qualys.com/research/sans-at-risk/


Summary of Updates and Vulnerabilities in this Consensus

Platform | Number of Updates and Vulnerabilities
— | —
Windows | 1
Third Party Windows Apps | 3
Linux | 2
Aix | 1
Cross Platform | 7 (#1, #2)
Web Application - Cross Site Scripting | 4
Web Application | 6
Hardware | 2


Part I – Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)

Widely Deployed Software
(1) HIGH: Google Chrome Multiple Security Vulnerabilities
(2) HIGH: Apple iOS FreeType Font Library Memory Corruption

Part II – Comprehensive List of Newly Discovered Vulnerabilities from Qualys
(www.qualys.com)

Windows

11.47.1 - Microsoft Windows AppLocker Rules Local Security Bypass

Third Party Windows Apps

11.47.2 - CitectSCADA and Mitsubishi MX4 SCADA Batch Server Module Remote Buffer Overflow
11.47.3 - Directories Support for ProLiant Management Processors Unauthorized Access Security Bypass
11.47.4 - InduSoft Web Studio “CEServer” Buffer Overflow Vulnerabilities

Linux

11.47.5 - IcedTea-Web Plugin Same Origin Policy Bypass
11.47.6 - LightDM Two Security Vulnerabilities

Aix

11.47.7 - IBM AIX WPAR System Calls Local Denial Of Service

Cross Platform

11.47.8 - Apache Tomcat Manager Application Security Bypass
11.47.9 - ProFTPD Use-After-Free Remote Code Execution
11.47.10 - HP Network Node Manager i Multiple Cross-Site Scripting Vulnerabilities
11.47.11 - Google Chrome Multiple Security Vulnerabilities
11.47.12 - Apache HTTP Server “ap_pregsub()” Function Local Denial of Service
11.47.13 - Adobe Flash Player Multiple Vulnerabilities
11.47.14 - IBM DB2 Remote Denial of Service

Web Application - Cross Site Scripting

11.47.15 - Tiki Wiki CMS Groupware “tiki-pagehistory.php” Cross-Site Scripting Vulnerabilities
11.47.16 - Dolibarr Multiple Cross-Site Scripting Vulnerabilities
11.47.17 - ReviewBoard Commenting System Cross-Site Scripting
11.47.18 - Plume Unspecified Cross-Site Scripting

Web Application

11.47.19 - TYPO3 “eu_ldap” LDAP Injection
11.47.20 - AShop Open-Redirection and Cross-Site Scripting Vulnerabilities
11.47.21 - Support Incident Tracker (SiT!) Multiple Input Validation Vulnerabilities
11.47.22 - CMS Made Simple Remote Database Corruption
11.47.23 - ResourceSpace Unauthorized Access
11.47.24 - Cacti Unspecified SQL Injection and Cross-Site Scripting Vulnerabilities

Hardware

11.47.25 - Dell Kace K2000 Multiple Remote Security Vulnerabilities
11.47.26 - Cisco TelePresence System Integrator C Series and EX Series Root Authentication Bypass


PART I Critical Vulnerabilities

Part I for this issue has been compiled by Josh Bronson at TippingPoint,
a division of HP, as a by-product of that company’s continuous effort
to ensure that its intrusion prevention products effectively block
exploits using known vulnerabilities. TippingPoint’s analysis is
complemented by input from a council of security managers from twelve
large organizations who confidentially share with SANS the specific
actions they have taken to protect their systems. A detailed description
of the process may be found at
http://www.sans.org/newsletters/risk/#process


(1) HIGH: Google Chrome Multiple Security Vulnerabilities

Affected:
Google Chrome versions prior to 15.0.874.120

Description: Google has released patches addressing multiple
vulnerabilities in its Chrome web browser. The vulnerabilities include
a double free in its theora decoder, a memory corruption in VP8
decoding, buffer overflows in the Vorbis decoder and shader variable
mappings, and a use-after-free in editing. The technical details
surrounding these vulnerabilities are not publicly available, but it is
likely that an attacker could exploit these vulnerabilities in order to
execute arbitrary code on a target’s machine by enticing the target to
view a malicious page.

Status: vendor confirmed, updates available

References:
Vendor Site
http://www.google.com
Google Chrome Stable Channel Updates
http://googlechromereleases.blogspot.com/2011/11/stable-channel-update.html
SecurityFocus BugTraq IDs
http://www.securityfocus.com/bid/50618
http://www.securityfocus.com/bid/50619
http://www.securityfocus.com/bid/50620
http://www.securityfocus.com/bid/50621
http://www.securityfocus.com/bid/50622
http://www.securityfocus.com/bid/50623
http://www.securityfocus.com/bid/50624
http://www.securityfocus.com/bid/50625
http://www.securityfocus.com/bid/50626
http://www.securityfocus.com/bid/50627
http://www.securityfocus.com/bid/50628
http://www.securityfocus.com/bid/50629
http://www.securityfocus.com/bid/50642


(2) HIGH: Apple iOS FreeType Font Library Memory Corruption

Affected:
Apple iOS versions prior to 5.0.1

Description: Apple has released a patch addressing multiple security
vulnerabilities in its iOS mobile operating system. The vulnerabilities
include memory corruptions in the FreeType font library. By enticing a
target to view maliciously crafted files, an attacker could exploit this
vulnerability in order to execute arbitrary code on the target’s
machine.

Status: vendor confirmed, updates available

References:
Vendor Site
http://www.apple.com
Apple Security Advisory
http://support.apple.com/kb/HT5052
SecurityFocus BugTraq IDs
http://www.securityfocus.com/bid/50115
http://www.securityfocus.com/bid/50575
http://www.securityfocus.com/bid/50640
http://www.securityfocus.com/bid/50641
http://www.securityfocus.com/bid/50643


Part II – Comprehensive List of Newly Discovered Vulnerabilities from Qualys

(www.qualys.com)

This list is compiled by Qualys (www.qualys.com) as part of that
company’s ongoing effort to ensure its vulnerability management web
service tests for all known vulnerabilities that can be scanned. As of
this week Qualys scans for 12689 unique vulnerabilities. For this
special SANS community listing, Qualys also includes vulnerabilities
that cannot be scanned remotely.


11.47.1 CVE: CVE-2011-4434

Platform: Windows
Title: Microsoft Windows AppLocker Rules Local Security Bypass
Description: Microsoft Windows is exposed to a local security bypass
issue. This issue occurs because of a failure to properly enforce
AppLocker rules. This may allow attackers to bypass security
restrictions by using the macro or scripting features of Windows
applications such as Microsoft Office. Attackers can execute
applications present in the directories that are restricted by
AppLocker rules by using the “SANDBOX_INERT” and
“LOAD_IGNORE_CODE_AUTHZ_LEVEL” flags. Windows 7, Windows 7 Service
Pack 1, Windows Server 2008 R2 and Windows Server 2008 R2 Service Pack 1
are vulnerable.
Ref: http://support.microsoft.com/kb/2532445


11.47.2 CVE: Not Available

Platform: Third Party Windows Apps
Title: CitectSCADA and Mitsubishi MX4 SCADA Batch Server Module Remote
Buffer Overflow
Description: CitectSCADA is a human-machine interface product
offered by Schneider Electric. MX4 SCADA is a product offered
by Mitsubishi. These applications are exposed to a buffer overflow issue
because they fail to properly bounds check user-supplied data before
copying it into an insufficiently sized memory buffer. Specifically,
this issue occurs in an unspecified third party component used by the
Batch server module. CitectSCADA 7.10 and prior using the CitectSCADA
Batch Server module and Mitsubishi MX4 SCADA 7.10 and prior using the
MX4 SCADA Batch module are vulnerable.
Ref: http://www.us-cert.gov/control_systems/pdf/ICSA-11-279-02.pdf


11.47.3 CVE: CVE-2011-4158

Platform: Third Party Windows Apps
Title: Directories Support for ProLiant Management Processors
Unauthorized Access Security Bypass
Description: HP Directories Support for ProLiant Management Processors
is software to support directories. The application is exposed to an
unspecified security-bypass issue. HP Directories Support for
ProLiant Management Processors 3.10 and 3.20 are affected.
Ref:
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03082006


11.47.4 CVE: CVE-2011-4051,CVE-2011-4052

Platform: Third Party Windows Apps
Title: InduSoft Web Studio “CEServer” Buffer Overflow Vulnerabilities
Description: InduSoft Web Studio is a set of automation tools used to
develop human machine interfaces and supervisory control and
data acquisition systems. The application is exposed to
two remote code execution issues that affect the remote agent
component (“CEServer.exe”), which is listening on TCP port 4322 by
default. InduSoft Web Studio versions 6.1 and 7.0 are affected.
Ref: http://www.us-cert.gov/control_systems/pdf/ICSA-11-319-01.pdf


11.47.5 CVE: CVE-2011-3377

Platform: Linux
Title: IcedTea-Web Plugin Same Origin Policy Bypass
Description: IcedTea-Web is a web browser plug-in implementing Java
Web Start. The application is exposed to an issue that allows
attackers to bypass the same-origin policy. This issue allows
malicious applets to open network connections to hosts other than the
originating host. IcedTea-Web 1.1.x prior to 1.1.4 and IcedTea-Web 1.0.x
prior to 1.0.6 are affected.
Ref:
http://dbhole.wordpress.com/2011/11/08/icedtea-web-1-0-6-and-1-1-4-security-releases-released/
http://www.securityfocus.com/bid/50610/references


11.47.6 CVE: CVE-2011-4105,CVE-2011-3153

Platform: Linux
Title: LightDM Two Security Vulnerabilities
Description: LightDM is a cross-desktop display manager. The application
is exposed to multiple security issues. An arbitrary file-access issue
occurs because the application fails to properly handle links when
modifying permissions of “.Xauthority” files. A local issue occurs
because of incorrectly handled privileges when reading .dmrc files.
LightDM versions 1.0.4 and 1.0.5 are affected.
Ref: http://www.ubuntu.com/usn/usn-1262-1/
http://www.securityfocus.com/bid/50685/references


11.47.7 CVE: CVE-2011-1375

Platform: Aix
Title: IBM AIX WPAR System Calls Local Denial Of Service
Description: AIX is a UNIX operating system from IBM. AIX is exposed to
a denial of service issue caused by unspecified behavior of
“wpar_limits_config” and “wpar_limits_modify” WPAR system calls. IBM AIX
versions 6.1 and 7.1 are affected.
Ref: http://aix.software.ibm.com/aix/efixes/security/wpar_advisory.asc


11.47.8 CVE: CVE-2011-3376

Platform: Cross Platform
Title: Apache Tomcat Manager Application Security Bypass
Description: Apache Tomcat is an HTTP server application. The
application is exposed to a security bypass issue. Specifically, the
issue occurs because the application fails to properly check the
privileges of a web application before allowing it to use the
functionality of Manager application. Apache Tomcat 7.0 versions prior
to 7.0.22 are affected.
Ref:
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.22


11.47.9 CVE: Not Available

Platform: Cross Platform
Title: ProFTPD Use-After-Free Remote Code Execution
Description: ProFTPD is an FTP server implementation available
for UNIX and Linux platforms. It can be integrated with multiple
database servers. The application is exposed to a remote code
execution issue because of a use-after-free error. Specifically, the
issue occurs when processing the response pool allocation lists.
ProFTPD versions prior to 1.3.3g are vulnerable.
Ref: http://www.zerodayinitiative.com/advisories/ZDI-11-328/
http://bugs.proftpd.org/show_bug.cgi?id=3711
http://www.proftpd.org/docs/NEWS-1.3.3g


11.47.10 CVE: CVE-2011-4156,CVE-2011-4155

Platform: Cross Platform
Title: HP Network Node Manager i Multiple Cross-Site Scripting
Vulnerabilities
Description: HP Network Node Manager i is a fault management application
for IP networks. The application is exposed to multiple unspecified
cross-site scripting issues because it fails to properly sanitize
certain user-supplied input submitted to the application before
displaying it to the user. HP Network Node Manager i 9.0x and 9.1x
running on HP-UX, Linux, Solaris and Windows are affected.
Ref:
http://h20565.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03035744


11.47.11 CVE: CVE-2011-3898, CVE-2011-3897, CVE-2011-3896, CVE-2011-3895,
CVE-2011-3894, CVE-2011-3893, CVE-2011-3892

Platform: Cross Platform
Title: Google Chrome Multiple Security Vulnerabilities
Description: Google Chrome is a Web browser available for multiple
platforms. The application is exposed to multiple security issues. See
reference for detailed information. Versions prior to Chrome
15.0.874.120 are vulnerable.
Ref:
http://googlechromereleases.blogspot.com/2011/11/stable-channel-update.html
http://www.securityfocus.com/bid/50642/references


11.47.12 CVE: CVE-2011-4415

Platform: Cross Platform
Title: Apache HTTP Server “ap_pregsub()” Function Local Denial of
Service
Description: Apache HTTP Server is an HTTP webserver application. The
application is exposed to a local denial of service issue due to a
NULL pointer dereference error or a memory exhaustion. Specifically,
this issue affects the “ap_pregsub()” function of the “server/utils.c”
source file because it fails to restrict the size of values of
environment variables. Attackers can exploit this issue by placing a
malicious “.htaccess” file with a crafted “SetEnvIf” directive on the
affected server. Note: To trigger this issue, “mod_setenvif” must be
enabled and the attacker should be able to place a malicious
“.htaccess” file on the affected webserver. Apache HTTP Server 2.0.x
through 2.0.64 and 2.2.x through 2.2.21 are vulnerable. Other versions
may also be affected.
Ref: http://www.halfdog.net/Security/2011/ApacheModSetEnvIfIntegerOverflow/
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4415


11.47.13 CVE: CVE-2011-2445, CVE-2011-2450, CVE-2011-2451, CVE-2011-2452,
CVE-2011-2453, CVE-2011-2454, CVE-2011-2455, CVE-2011-2456, CVE-2011-2457,
CVE-2011-2458, CVE-2011-2459, CVE-2011-2460

Platform: Cross Platform
Title: Adobe Flash Player Multiple Vulnerabilities
Description: Adobe Flash Player is a multimedia application for
multiple platforms. The application is exposed to an unspecified
remote buffer overflow issue because it fails to properly bounds check
user-supplied input. See reference for detailed information. Adobe
Flash Player 11.0.1.152 and earlier versions for Windows, Macintosh,
Linux and Solaris, Adobe Flash Player 11.0.1.153 and
earlier versions for Android and Adobe AIR 3.0 and earlier versions for
Windows, Macintosh, and Android are affected.
Ref: http://www.adobe.com/support/security/bulletins/apsb11-28.html


11.47.14 CVE: CVE-2011-1373

Platform: Cross Platform
Title: IBM DB2 Remote Denial of Service
Description: IBM DB2 is a database application available for multiple
platforms. The application is exposed to a remote denial of service
issue due to an unspecified error when “Self Tuning Memory Manager”
is enabled and “DATABASE_MEMORY” is set to “AUTOMATIC”. IBM DB2 version 9.7
is affected.
Ref: http://www-01.ibm.com/support/docview.wss?uid=swg1IC70473
http://xforce.iss.net/xforce/xfdb/71043


11.47.15 CVE: Not Available

Platform: Web Application - Cross Site Scripting
Title: Tiki Wiki CMS Groupware “tiki-pagehistory.php” Cross-Site
Scripting Vulnerabilities
Description: Tiki Wiki CMS Groupware is a PHP-based database
management application. The application is exposed to multiple
cross-site scripting issues because it fails to sufficiently sanitize
user-supplied data to the “tiki-pagehistory.php” and
“tiki-admin_system.php” scripts. Tiki Wiki CMS Groupware 6.4 and 7.2
are affected.
Ref:
http://info.tiki.org/article182-Tiki-8-1-Now-Available-End-of-Life-for-Tiki-7-x


11.47.16 CVE: Not Available

Platform: Web Application - Cross Site Scripting
Title: Dolibarr Multiple Cross-Site Scripting Vulnerabilities
Description: Dolibarr is a company/foundation activity management
application implemented in PHP. Dolibarr is exposed to multiple
cross-site scripting issues because it fails to properly sanitize
user-supplied input. The following scripts are affected:
“company.php”, “security_other.php”, “events.php”, “user.php”.
Dolibarr 3.1.0 is vulnerable and other versions may also be affected.
Ref: http://www.securityfocus.com/archive/1/520442


11.47.17 CVE: CVE-2011-4312

Platform: Web Application - Cross Site Scripting
Title: ReviewBoard Commenting System Cross-Site Scripting
Description: ReviewBoard is a web-based code review application. The
application is exposed to a cross-site scripting issue because it
fails to sufficiently sanitize user-supplied input submitted to the
commenting system of the application. Specifically, this issue affects
the “diff viewer” and “screenshot pages” components. ReviewBoard 1.6
versions prior to 1.6.3 and ReviewBoard 1.5 versions prior to 1.5.7
are vulnerable.
Ref: http://www.reviewboard.org/news/


11.47.18 CVE: CVE-2011-3985

Platform: Web Application - Cross Site Scripting
Title: Plume Unspecified Cross-Site Scripting
Description: Plume CMS is a content manager for dynamic web content,
blogs, and customer forums. The application is exposed to an unspecified
cross-site scripting issue because it fails to sanitize user-supplied
input. Plume versions prior to Plume 1.2.3 are affected.
Ref: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3985


11.47.19 CVE: Not Available

Platform: Web Application
Title: TYPO3 “eu_ldap” LDAP Injection
Description: TYPO3 is a web application programmed in PHP. “eu_ldap”
is an extension for the TYPO3 content manager. The extension is
exposed to an LDAP injection issue because it fails to
sufficiently sanitize user-supplied data. Specifically, the username
and password values sent by the login form are not sanitized before
being used in LDAP queries. TYPO3 “eu_ldap” 2.8.10 and all prior
versions are vulnerable.
Ref:
http://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2011-017/
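The eu_ldap entry above describes the classic shape of LDAP injection: form values pasted verbatim into a search filter. The mitigation is to escape each value with the rule set of the context it lands in (RFC 4515 for filter assertion values, RFC 4514 for DN components) and to keep the password out of the filter entirely, using it only for the bind. The following Python is an added example for this newsletter and is not eu_ldap's or TYPO3's code; the filter template, the attribute names (uid, objectClass), the base DN and the sample inputs are constructed assumptions.

```python
"""Escaping for LDAP search filters and DNs, as a mitigation for the
login-form pattern described in the TYPO3 eu_ldap entry.

Added example for this newsletter; not eu_ldap's or TYPO3's code.
The filter template, attribute names and base DN are assumptions.
"""

# RFC 4515 section 3: characters with special meaning inside a filter
# assertion value, each replaced by a backslash and two hex digits.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Make a user-supplied string safe to embed in an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for a value inside a distinguished name.

    DN escaping is a different rule set from filter escaping: special
    characters are prefixed with a backslash rather than hex-encoded, and
    only a leading space or '#' and a trailing space need escaping.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '"+,;<>\\':
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        elif ch == "#" and i == 0:
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def login_search_filter(username: str) -> str:
    """Filter used to look up the account for a login attempt.

    Because the username is escaped, the number of assertions in the
    filter is fixed by the template and cannot be changed by the input.
    The password never appears in a filter: after the lookup, the
    application proves it by binding as the found DN with that password.
    """
    return "(&(objectClass=person)(uid=%s))" % escape_filter_value(username)


def user_dn(username: str, base_dn: str = "ou=people,dc=example,dc=org") -> str:
    """DN to bind as, built with DN escaping rather than filter escaping."""
    return "uid=%s,%s" % (escape_dn_value(username), base_dn)


def assertion_count(ldap_filter: str) -> int:
    """Number of '(' that are filter syntax; escaped ones appear as \\28
    and so are never counted."""
    return ldap_filter.count("(")


if __name__ == "__main__":
    for name in ("jdoe", "(x)*", "Smith, John"):
        print(login_search_filter(name), "|", user_dn(name))
```

The two escaping functions are deliberately separate: applying filter escaping to a DN, or DN escaping to a filter value, leaves metacharacters live in the other context, which is why the value must be escaped at the point of use rather than once at input time.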


11.47.20 CVE: Not Available

Platform: Web Application
Title: AShop Open-Redirection and Cross-Site Scripting Vulnerabilities
Description: AShop is a web-based shopping application implemented in
PHP. The software is exposed to multiple input validation issues.
Open-redirection issues affect the “redirect” parameter of the
“language.php” and “currency.php” scripts. Cross-site scripting
issues affect multiple scripts and parameters. Versions prior to AShop
5.1.4 are vulnerable.
Ref: http://www.securityfocus.com/archive/1/520446
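The AShop entry above names a "redirect" parameter that accepts any destination. The defensive pattern is to treat the parameter as data to validate against the site's own host and to fall back to a fixed landing page when it fails. The Python below is an added example written for this newsletter, not AShop's code; the host name shop.example and the sample URLs are constructed, and the bypass shapes it guards against (protocol-relative URLs, backslashes, non-web schemes, credentials in the authority) are the general ones for this class of check rather than anything the advisory states about AShop.

```python
"""Allow-list validation for a "redirect" parameter, as a mitigation for
the open-redirection issue described in the AShop entry.

Added example for this newsletter, not AShop's code. The host name
shop.example and the sample URLs are constructed.
"""
from urllib.parse import urlsplit


def is_safe_redirect(target: str, allowed_host: str) -> bool:
    """True only if target stays on allowed_host or is a site-absolute path.

    Rejects the usual shapes that slip past a naive prefix check:
    protocol-relative URLs ("//host"), backslashes that browsers treat as
    slashes, non-web schemes, and credentials in the authority ("host@other").
    """
    if not target:
        return False
    if "\\" in target or target.startswith("//"):
        return False
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        # Absolute URL: scheme must be web and the host must match exactly.
        # urlsplit keeps any "user@" part inside netloc, so "host@other"
        # fails the equality test instead of matching on the prefix.
        return (parts.scheme in ("http", "https")
                and parts.netloc.lower() == allowed_host.lower())
    # Relative target: require a site-absolute path so it cannot be
    # resolved against some other base.
    return target.startswith("/")


def resolve_redirect(target: str, allowed_host: str, default: str = "/") -> str:
    """Return target if it passes validation, otherwise the default page."""
    return target if is_safe_redirect(target, allowed_host) else default


if __name__ == "__main__":
    for t in ("/catalog?lang=en", "https://shop.example/cart",
              "//evil.example/", "https://shop.example@evil.example/"):
        print(repr(t), "->", resolve_redirect(t, "shop.example"))
```

The host comparison is an exact match on the whole authority, so a target on a different port is rejected too; if the site legitimately serves several hosts, compare against a set of them rather than relaxing the match to a substring or suffix test.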


11.47.21 CVE: CVE-2011-3833, CVE-2011-3832, CVE-2011-3831, CVE-2011-3830,
CVE-2011-3829

Platform: Web Application
Title: Support Incident Tracker (SiT!) Multiple Input Validation
Vulnerabilities
Description: Support Incident Tracker is an open-source web
application for tracking technical support requests. It is implemented
in PHP and MySQL. The application is exposed to multiple
input-validation issues. A path disclosure issue affects the
“ftp_upload_file.php” script. A cross-site scripting issue affects
the “search_string” parameter of the “search.php” script. An SQL
injection issue affects the “incident_attachments.php” script. An
issue that allows attackers to inject arbitrary PHP code
affects the “application_name” parameter of the “config.php” script
when the “action” parameter is set to “save”, because the value is
passed to the “eval()” function. An issue that allows attackers to
upload arbitrary files
occurs because the application fails to adequately sanitize file
extensions before uploading files to the webserver through the
“ftp_upload_file.php” script. Support Incident Tracker 3.65 is
vulnerable and other versions may also be affected.
Ref: http://secunia.com/secunia_research/2011-78/
http://secunia.com/secunia_research/2011-77/
http://secunia.com/secunia_research/2011-76/
http://secunia.com/secunia_research/2011-75/
http://secunia.com/secunia_research/2011-79/


11.47.22 CVE: Not Available

Platform: Web Application
Title: CMS Made Simple Remote Database Corruption
Description: CMS Made Simple is a web-based content manager. It is
implemented in PHP. The application is exposed to an issue that could
result in the corruption of the database. An attacker can exploit this
issue to corrupt the news articles. Versions prior to CMS Made Simple
1.9.4.3 are affected.
Ref:
http://www.cmsmadesimple.org/2011/08/Announcing-CMSMS-1-9-4-3---Security-Release/


11.47.23 CVE: CVE-2011-4311

Platform: Web Application
Title: ResourceSpace Unauthorized Access
Description: ResourceSpace is a web-based digital asset management
system, implemented in PHP. ResourceSpace is exposed to an unauthorized
access issue due to an insufficient access check on access keys.
ResourceSpace 4.2.2833 is vulnerable and other versions may also be
affected.
Ref: http://www.resourcespace.org/download.php
http://secunia.com/advisories/46753/


11.47.24 CVE: Not Available

Platform: Web Application
Title: Cacti Unspecified SQL Injection and Cross-Site Scripting
Vulnerabilities
Description: Cacti is a web-based network graphing solution. The
application is exposed to an SQL injection issue and a cross-site
scripting issue because it fails to sufficiently sanitize
user-supplied data to unspecified parameters. Cacti 0.8.7g is
vulnerable and other versions may also be affected.
Ref: http://www.cacti.net/release_notes_0_8_7h.php


11.47.25 CVE: CVE-2011-4048,CVE-2011-4047, CVE-2011-4046

Platform: Hardware
Title: Dell Kace K2000 Multiple Remote Security Vulnerabilities
Description: Dell Kace K2000 is a system deployment appliance. The
device is exposed to multiple remote security issues. A backdoor issue
occurs because of a hidden administrator account. An information
disclosure issue occurs because the application fails to restrict access
to username and password hashes. A remote command execution issue
affects the appliance. Multiple cross-site scripting issues occur
because the application fails to sanitize certain unspecified
user-supplied input passed through the administrative web interface.
Dell Kace K2000 is vulnerable.
Ref:
http://www.kace.com/support/kb/index.php?action=artikel&id=1120&artlang=en


11.47.26 CVE: Not Available

Platform: Hardware
Title: Cisco TelePresence System Integrator C Series and EX Series
Root Authentication Bypass
Description: Cisco TelePresence System Integrator C Series are devices
designed for telepresence. Cisco TelePresence EX Series are
face-to-face Cisco TelePresence meeting devices. The devices are
exposed to a remote authentication bypass issue due to a manufacturing
error. Specifically, this issue occurs because the root user account
is enabled with a well known password by default. All Cisco
TelePresence System Integrator C Series, Cisco TelePresence EX Series
and Cisco TelePresence Quick Set products distributed
between November 18, 2010 and September 19, 2011 with software
release TC4.0, TC4.1 or TC4.2 are affected.
Ref:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20111109-telepresence-c-ex-series

