@RISK Newsletter for November 24, 2011
The consensus security vulnerability alert.
Vol. 11, Num. 48
This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.
Archived issues may be found at the SANS @RISK Newsletter Archive.
Summary of Updates and Vulnerabilities in this Consensus
Platform                               | Number of Updates and Vulnerabilities
Windows                                | 1
Third Party Windows Apps               | 4
Linux                                  | 2
HP-UX                                  | 1
Cross Platform                         | 9 (#1)
Web Application - Cross Site Scripting | 1
Web Application - SQL Injection        | 1
Web Application                        | 6
Network Device                         | 1
Part I – Critical Vulnerabilities from TippingPoint ( www.tippingpoint.com )
Widely Deployed Software
(1) MEDIUM: RealNetworks RealPlayer Multiple Security Vulnerabilities
Part II – Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Windows
11.48.1 - Microsoft Windows Kernel “Win32k.sys” Keyboard Layout Local Privilege Escalation
Third Party Windows Apps
11.48.2 - DVR Remote ActiveX Control DLL Loading Arbitrary Code Execution
11.48.3 - Image Viewer CP Pro/Gold ActiveX Control Buffer Overflow
11.48.4 - Thunder kankan player “.wav” File Remote Stack Buffer Overflow
11.48.5 - QQ Player “PnSize” Value Buffer Overflow
Linux
11.48.6 - JBoss Enterprise SOA Platform Invoker Servlets Authentication Bypass
11.48.7 - Ubuntu Software Center Certificate Handling Security Bypass
HP-UX
11.48.8 - HP-UX System Administration Manager Local Privilege Escalation
Cross Platform
11.48.9 - Nginx DNS Resolver Remote Heap Buffer Overflow
11.48.10 - Hastymail2 Unspecified Security Vulnerability
11.48.11 - Ruby on Rails Translate Helper Method Cross-Site Scripting
11.48.12 - ejabberd “mod_pubsub” Module Denial of Service
11.48.13 - Real Networks RealPlayer Multiple Remote Vulnerabilities
11.48.14 - GNU Gnash Cookie Files Local Information Disclosure
11.48.15 - HP Operations Agent and Performance Agent Local Unauthorized Access
11.48.16 - FFmpeg Multiple Remote Code Execution Vulnerabilities
11.48.17 - IBM Lotus Mobile Connect Cross-Site Scripting
Web Application - Cross Site Scripting
11.48.18 - ZOHO ManageEngine ADSelfService Plus Cross-Site Scripting
Web Application - SQL Injection
11.48.19 - Freelancer calendar “SearchField” Parameter Multiple SQL Injection Vulnerabilities
Web Application
11.48.20 - Privoxy RFC 3986 HTTP Response Splitting
11.48.21 - Website Baker Backup Module Security Bypass
11.48.22 - Support Incident Tracker “translate.php” Remote Code Execution
11.48.23 - OWASP Java HTML Sanitizer Information Disclosure
11.48.24 - HP no Mawashimono Nikki Unspecified Directory Traversal
11.48.25 - FishEye and Crucible Multiple HTML Injection and Unauthorized Access Vulnerabilities
Network Device
11.48.26 - Juniper Juno IPv6 Over IPv4 Tunnel Security Bypass
PART I Critical Vulnerabilities
Part I for this issue has been compiled by Josh Bronson at TippingPoint,
a division of HP, as a by-product of that company’s continuous effort
to ensure that its intrusion prevention products effectively block
exploits using known vulnerabilities. TippingPoint’s analysis is
complemented by input from a council of security managers from twelve
large organizations who confidentially share with SANS the specific
actions they have taken to protect their systems. A detailed description
of the process may be found at
http://www.sans.org/newsletters/risk/#process
(1) MEDIUM: RealNetworks RealPlayer Multiple Security Vulnerabilities
Affected:
RealPlayer 11.0 - 11.1
RealPlayer SP 1.0 - 1.1.5
RealPlayer 14.0.0 - 14.0.7
Mac RealPlayer 12.0.0.1701
Description: RealNetworks has released patches for multiple
vulnerabilities affecting its RealPlayer media player. The issues
include unspecified vulnerabilities dealing with a variety of formats.
Many of the vulnerabilities were reported through the Zero Day
Initiative, which tests to ensure that they can be used for code
execution. It is likely, then, that by enticing a target to open a
malicious file, an attacker could exploit many of these vulnerabilities
in order to execute arbitrary code on the target’s machine.
Status: vendor confirmed, updates available
References:
Vendor Site
http://www.real.com
RealNetworks Release Update
http://service.real.com/realplayer/security/11182011_player/en/
SecurityFocus BugTraq ID
http://www.securityfocus.com/bid/50741
Part II – Comprehensive List of Newly Discovered Vulnerabilities from Qualys
This list is compiled by Qualys (www.qualys.com) as part of that
company’s ongoing effort to ensure its vulnerability management web
service tests for all known vulnerabilities that can be scanned. As of
this week Qualys scans for 12706 unique vulnerabilities. For this
special SANS community listing, Qualys also includes vulnerabilities
that cannot be scanned remotely.
11.48.1 CVE: Not Available
Platform: Windows
Title: Microsoft Windows Kernel “Win32k.sys” Keyboard Layout Local
Privilege Escalation
Description: The “Win32k.sys” kernel mode device driver provides
various functions such as the window manager, collection of user
input, screen output, and Graphics Device Interface (GDI); it also
serves as a wrapper for DirectX support. Microsoft Windows is exposed
to a local privilege escalation issue. Specifically, this issue occurs
due to an indexing error in the “win32k.sys” kernel mode device driver
when loading a keyboard layout file. Windows XP SP3 is affected.
Ref: http://secunia.com/advisories/46919/
11.48.2 CVE: CVE-2011-3828
Platform: Third Party Windows Apps
Title: DVR Remote ActiveX Control DLL Loading Arbitrary Code
Execution
Description: DVR Remote ActiveX Control is prone to a vulnerability
that lets attackers execute arbitrary code. DVR Remote ActiveX Control
is exposed to a remote issue. The issue arises because certain shared
components of the application search for Dynamic Link Library (DLL)
files in the current working directory. DVR Remote ActiveX Control
2.1.0.39 is vulnerable and other versions may also be affected.
Ref: http://secunia.com/secunia_research/2011-80/
11.48.3 CVE: Not Available
Platform: Third Party Windows Apps
Title: Image Viewer CP Pro/Gold ActiveX Control Buffer Overflow
Description: Image Viewer CP Pro SDK ActiveX and Image Viewer CP Gold
SDK ActiveX are image viewing applications. Image Viewer CP Pro and
Gold ActiveX controls are exposed to a stack-based buffer overflow
issue because the applications fail to perform adequate boundary
checks on user-supplied data. Image Viewer CP Pro SDK ActiveX 8.0 and
Image Viewer CP Gold SDK ActiveX 6.0 are affected.
Ref: http://www.securityfocus.com/bid/50712/references
11.48.4 CVE: Not Available
Platform: Third Party Windows Apps
Title: Thunder kankan player “.wav” File Remote Stack Buffer Overflow
Description: Thunder kankan is a multimedia player application
available for Microsoft Windows. Thunder kankan player is exposed to a
remote stack-based buffer overflow issue because it fails to perform
adequate checks on user-supplied input. Specifically, this issue
occurs when processing a specially crafted “.wav” file. Thunder kankan
4.8.3.840 is vulnerable and other versions may also be affected.
Ref: http://www.securityfocus.com/bid/50725/info
11.48.5 CVE: Not Available
Platform: Third Party Windows Apps
Title: QQ Player “PnSize” Value Buffer Overflow
Description: QQ Player is a media player available for Microsoft
Windows. QQ Player is exposed to a buffer overflow issue because of a
failure to properly bounds check user-supplied data. Specifically, the
issue occurs because of a specially crafted “PnSize” value when
handling “.mov” files. QQ Player 3.2 is vulnerable and other versions may
also be affected.
Ref: http://www.securityfocus.com/bid/50739/info
11.48.6 CVE: CVE-2011-4085
Platform: Linux
Title: JBoss Enterprise SOA Platform Invoker Servlets Authentication
Bypass
Description: JBoss Enterprise SOA Platform is an environment for
developing Enterprise Application Integration and SOA solutions. The
application is exposed to a remote authentication bypass issue.
Specifically, this issue occurs because the invoker servlets deployed
through “httpha-invoker” only enforce access restrictions on the HTTP
GET and POST methods, leaving requests that use other methods
unrestricted. JBoss Enterprise SOA Platform versions prior to 5.2.0 are
affected.
Ref: https://rhn.redhat.com/errata/RHSA-2011-1456.html
11.48.7 CVE: CVE-2011-3150
Platform: Linux
Title: Ubuntu Software Center Certificate Handling Security Bypass
Description: Software Center is a program for browsing, installing and
removing software on Ubuntu. The application is exposed to a
security bypass issue because it fails to properly validate server
certificates in secure connections. Ubuntu 11.10, 11.04 and 10.10 are
affected.
Ref: http://www.ubuntu.com/usn/usn-1270-1/
11.48.8 CVE: CVE-2011-4159
Platform: HP-UX
Title: HP-UX System Administration Manager Local Privilege Escalation
Description: HP-UX is a UNIX-based operating system. HP-UX is exposed
to a local privilege escalation issue due to unspecified error within
the System Administration Manager (SAM). HP-UX B.11.11, HP-UX B.11.23
and HP-UX B.11.31 are affected.
Ref:
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03089106
11.48.9 CVE: CVE-2011-4315
Platform: Cross Platform
Title: Nginx DNS Resolver Remote Heap Buffer Overflow
Description: nginx is an HTTP server, reverse proxy, and mail proxy
server. nginx is available for multiple platforms, including Microsoft
Windows. nginx is exposed to a remote heap-based buffer overflow issue
due to a failure to properly bounds check user-supplied input to the
DNS resolver. Specifically, this issue occurs when the DNS resolver
processes a message of more than 255 bytes. Versions prior to nginx
1.0.10 are affected.
Ref: http://www.nginx.org/en/CHANGES
http://www.securityfocus.com/bid/50710/references
11.48.10 CVE: Not Available
Platform: Cross Platform
Title: Hastymail2 Unspecified Security Vulnerability
Description: Hastymail2 is a PHP-based IMAP/SMTP mail client. The
application is exposed to an unspecified issue involving white-list
filtering in an AJAX callback function. Hastymail2 1.1 RC1 is
vulnerable and other versions may also be affected.
Ref: http://www.hastymail.org/security/
11.48.11 CVE: Not Available
Platform: Cross Platform
Title: Ruby on Rails Translate Helper Method Cross-Site Scripting
Description: Ruby on Rails is a web application framework for multiple
platforms. The application is exposed to a cross-site scripting issue.
The issue exists because the application fails to validate
user-supplied data in the translate helper method. Ruby on Rails
versions prior to 3.0.11 and 3.1.2 are affected.
Ref:
http://weblog.rubyonrails.org/2011/11/18/rails-3-0-11-has-been-released
http://weblog.rubyonrails.org/2011/11/18/rails-3-1-2-has-been-released
11.48.12 CVE: CVE-2011-4320
Platform: Cross Platform
Title: ejabberd “mod_pubsub” Module Denial of Service
Description: ejabberd is a Jabber/XMPP instant messaging server.
ejabberd is exposed to a denial of service issue. Specifically, the
issue occurs in the “mod_pubsub” module when processing a specially
crafted “” stanza. ejabberd versions prior to 2.1.9 are
affected.
Ref:
http://www.process-one.net/en/ejabberd/release_notes/release_note_ejabberd_2.1.9/
11.48.13 CVE: CVE-2011-4244, CVE-2011-4245, CVE-2011-4246, CVE-2011-4247,
CVE-2011-4248, CVE-2011-4249, CVE-2011-4250, CVE-2011-4251, CVE-2011-4252,
CVE-2011-4253, CVE-2011-4254, CVE-2011-4255, CVE-2011-4256, CVE-2011-4257,
CVE-2011-4258, CVE-2011-4259, CVE-2011-4260, CVE-2011-4261, CVE-2011-4262
Platform: Cross Platform
Title: Real Networks RealPlayer Multiple Remote Vulnerabilities
Description: Real Networks RealPlayer is an application that allows
users to play various media formats. Real Networks RealPlayer is
exposed to multiple security issues. See reference for further details.
RealPlayer 11.0 to 11.1, RealPlayer SP 1.0 to 1.1.5, RealPlayer 14.0.0
to 14.0.7, Mac RealPlayer 12.0.0.1701 are affected.
Ref: http://service.real.com/realplayer/security/11182011_player/en/
11.48.14 CVE: CVE-2011-4328
Platform: Cross Platform
Title: GNU Gnash Cookie Files Local Information Disclosure
Description: GNU Gnash is a flash movie player. GNU Gnash is exposed
to a local information disclosure issue. This issue occurs because the
application creates cookie files with insecure permissions. GNU Gnash
0.8.9 is vulnerable; other versions may also be affected.
Ref: http://www.openwall.com/lists/oss-security/2011/11/21/12
https://bugzilla.redhat.com/show_bug.cgi?id=755518
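The defect class in 11.48.14 is a file created with whatever permissions the process umask happens to leave, so that other local users can read data such as cookies. The Python below is an added example (not from this newsletter and not Gnash code) that contrasts that pattern with creating the file at mode 0600 through open(2) flags, which is independent of the umask and, with O_EXCL, cannot be tricked into writing to a pre-existing file; the temporary directory, file names and contents are constructed for the demonstration, and it assumes a POSIX system.

```python
import os
import stat
import tempfile


def create_with_default_perms(path, data):
    """The risky pattern: permissions come from 0666 masked by the umask,
    which on most systems leaves the file readable by group and others."""
    with open(path, "wb") as f:
        f.write(data)


def create_private_file(path, data):
    """Create `path` owner-read/write only (0600) at creation time.

    Passing the mode to os.open means there is no window in which the file
    exists with looser permissions; O_EXCL refuses an existing path, so a
    symlink or file planted in advance is not silently written through.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)


def file_mode(path):
    """Permission bits of `path` as an int (e.g. 0o644)."""
    return stat.S_IMODE(os.stat(path).st_mode)


def is_private(path):
    """True when neither group nor others have any access bit set."""
    return file_mode(path) & (stat.S_IRWXG | stat.S_IRWXO) == 0


def demo():
    """Create one file each way under a common umask and report which is private."""
    old_umask = os.umask(0o022)  # 022 is a typical default: group/other can read
    try:
        d = tempfile.mkdtemp()
        default_path = os.path.join(d, "cookies.default")
        private_path = os.path.join(d, "cookies.private")
        create_with_default_perms(default_path, b"session=constructed-sample")
        create_private_file(private_path, b"session=constructed-sample")
        return is_private(default_path), is_private(private_path)
    finally:
        os.umask(old_umask)


if __name__ == "__main__":
    default_ok, private_ok = demo()
    print("umask-dependent file private:", default_ok)
    print("os.open(..., 0o600) file private:", private_ok)
```

Setting a restrictive umask in the program is not a substitute: a library or a user's shell can change it, whereas the mode passed to os.open is applied to this file regardless. The same check (stat the file, mask with S_IRWXG | S_IRWXO) is a quick way to audit an existing cookie or credential store.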
11.48.15 CVE: CVE-2011-4160
Platform: Cross Platform
Title: HP Operations Agent and Performance Agent Local Unauthorized
Access
Description: HP Operations Agent is an application for managing IT
infrastructure. HP Performance Agent is a web-based analysis and
visualization tool. HP Operations Agent and Performance Agent are
exposed to a local unauthorized-access issue. HP Operations Agent
v11.00 and Performance Agent v4.73, v5.0 for AIX, HP-UX, Linux, and
Solaris are vulnerable; other versions may also be affected.
Ref: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03091656
11.48.16 CVE: Not Available
Platform: Cross Platform
Title: FFmpeg Multiple Remote Code Execution Vulnerabilities
Description: FFmpeg is a multimedia player. The application is exposed
to multiple remote code execution issues. See reference for further
details. Versions prior to FFmpeg 0.7.8 and 0.8.7 are affected.
Ref: http://ffmpeg.org/#pr7dot8and8dot7
11.48.17 CVE: CVE-2011-4465
Platform: Cross Platform
Title: IBM Lotus Mobile Connect Cross-Site Scripting
Description: Lotus Mobile Connect is IBM VPN security software for
wireless and wired network connections. The application is exposed to
a cross-site scripting issue because it fails to sufficiently sanitize
user-supplied data submitted to a certain hidden redirect URL. IBM
Lotus Mobile Connect 6.1.4 is affected.
Ref: http://www-01.ibm.com/support/docview.wss?uid=swg27020327
11.48.18 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: ZOHO ManageEngine ADSelfService Plus Cross-Site Scripting
Description: ManageEngine ADSelfService Plus is a web-based end-user
password reset management program. The application is exposed to a
cross-site scripting issue because it fails to properly sanitize
user-supplied input submitted to the JavaScript variable assignment.
ManageEngine ADSelfService Plus 4.5 Build 4521 is vulnerable and other
versions may also be affected.
Ref: http://www.securityfocus.com/bid/50717/references
11.48.19 CVE: Not Available
Platform: Web Application - SQL Injection
Title: Freelancer calendar “SearchField” Parameter Multiple SQL
Injection Vulnerabilities
Description: Freelancer calendar is a PHP-based calendar application.
The application is exposed to multiple SQL injection issues because it
fails to sufficiently sanitize user-supplied data submitted to the
“SearchField” parameter of multiple scripts. Freelancer calendar 1.01
and prior are affected.
Ref: http://www.securityfocus.com/bid/50733/info
11.48.20 CVE: Not Available
Platform: Web Application
Title: Privoxy RFC 3986 HTTP Response Splitting
Description: Privoxy is a web proxy. The application is exposed to an
HTTP response splitting issue when the “+fast-redirects” action is
used. Specifically, the issue occurs because the application fails to
properly percent-encode characters that RFC 3986 does not permit in a
URL when they appear in a generated redirect URL, so an attacker can
inject additional headers into the redirect response. Privoxy 3.0.5 to
3.0.17 are vulnerable and other versions may also be affected.
Ref: http://www.securityfocus.com/bid/50768/references
http://www.privoxy.org/announce.txt
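A proxy that copies an untrusted URL straight into a Location header lets a carriage return and line feed inside that URL terminate the header and start another one, which is the response-splitting issue in 11.48.20. The Python below is an added example (not from this newsletter and not Privoxy code) that places the naive header construction beside one that first percent-encodes every character RFC 3986 does not allow literally in a URL; the redirect target is a constructed sample, and the minimal response builder and header parser are illustrative helpers rather than any real server's API.

```python
from urllib.parse import quote

# Characters RFC 3986 allows literally in a URL beyond the unreserved set
# (ALPHA / DIGIT / "-" / "." / "_" / "~"), which urllib.parse.quote never
# encodes. '%' is listed too so that existing %XX escapes are left intact.
RFC3986_SAFE = ":/?#[]@!$&'()*+,;=%"

# Constructed redirect target containing a space and an embedded CRLF.
UNSAFE_TARGET = "http://example.com/next page?q=a b\r\nX-Injected: 1"


def encode_redirect_url(url):
    """Percent-encode everything RFC 3986 does not permit literally.

    CR, LF, space, quotes, angle brackets and non-ASCII all become %XX,
    so the value can no longer terminate the header it is placed in.
    """
    return quote(url, safe=RFC3986_SAFE)


def naive_redirect(url):
    """The vulnerable pattern: the URL is interpolated as-is."""
    return (
        f"HTTP/1.1 302 Found\r\nLocation: {url}\r\nContent-Length: 0\r\n\r\n"
    ).encode("latin-1")


def safe_redirect(url):
    """Encode first, then refuse to emit anything that is still not printable ASCII."""
    encoded = encode_redirect_url(url)
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in encoded):
        raise ValueError("redirect target contains a character that survived encoding")
    return (
        f"HTTP/1.1 302 Found\r\nLocation: {encoded}\r\nContent-Length: 0\r\n\r\n"
    ).encode("ascii")


def header_names(response):
    """Names of the headers in a raw response; used to detect injected headers."""
    head = response.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")[1:]  # drop the status line
    return [line.split(b":", 1)[0].decode("ascii") for line in lines]


if __name__ == "__main__":
    print("naive headers:", header_names(naive_redirect(UNSAFE_TARGET)))
    print("safe headers: ", header_names(safe_redirect(UNSAFE_TARGET)))
    print("encoded Location:", encode_redirect_url(UNSAFE_TARGET))
```

Encoding the whole value with a reserved-character whitelist is the right granularity for a header: the client still receives a syntactically valid URL, while the only way to get a control character into the response is for the builder itself to write one, which the final check turns into an error instead of a silent second header.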
11.48.21 CVE: Not Available
Platform: Web Application
Title: Website Baker Backup Module Security Bypass
Description: Website Baker is an open source content management system
implemented in PHP. The application is exposed to a security bypass
issue. Specifically, this issue may give attackers access to the
backup module. Website Baker 2.8.1 and prior are affected.
Ref:
http://www.websitebaker2.org/posts/security-vulnerability-backup-module-in-wb-core-13.php
11.48.22 CVE: Not Available
Platform: Web Application
Title: Support Incident Tracker “translate.php” Remote Code Execution
Description: Support Incident Tracker is a PHP-based customer
relationship management application. The application is exposed to a
remote code execution issue because it fails to sanitize user-supplied
input submitted to the “$_POST” array of the “translate.php” script
before it is stored in the “i18nfile” variable and written to the “i18n”
directory. Support Incident Tracker 3.45 to 3.65 is vulnerable and prior
versions may also be affected.
Ref: http://www.securityfocus.com/archive/1/520577
11.48.23 CVE: CVE-2011-4457
Platform: Web Application
Title: OWASP Java HTML Sanitizer Information Disclosure
Description: OWASP Java HTML Sanitizer is an HTML sanitizer implemented
in Java. The application is exposed to a remote information disclosure
issue because it fails to block redirecting or POSTing to an
arbitrary URL. Specifically, the “form” element of the “noscript”
element releases private information when JavaScript is disabled.
OWASP Java HTML Sanitizer versions prior to release 88 are affected.
Ref: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4457
11.48.24 CVE: CVE-2011-4001
Platform: Web Application
Title: HP no Mawashimono Nikki Unspecified Directory Traversal
Description: Nikki is a CGI-based application. Nikki is exposed to a
directory traversal issue because it fails to sufficiently sanitize
unspecified user-supplied input. Few technical details are available.
Versions prior to Nikki 6.61 are affected.
Ref: http://www.securityfocus.com/bid/50749/references
11.48.25 CVE: Not Available
Platform: Web Application
Title: FishEye and Crucible Multiple HTML Injection and Unauthorized
Access Vulnerabilities
Description: FishEye is a web-based bug tracking application. Crucible
is a web-based application used for code review. The applications are
exposed to multiple issues. 1) An HTML injection issue occurs because
the applications fail to sanitize user-supplied input to the user
profile display name. 2) An HTML injection issue occurs because the
applications fail to sanitize user-supplied input to snippets in a
user’s comment. 3) Multiple unauthorized-access issues occur because the
applications fail to properly verify permissions before granting
access to certain sections of the application. FishEye and Crucible
versions earlier than 2.5.7 are affected.
Ref:
http://confluence.atlassian.com/display/FISHEYE/FishEye+and+Crucible+Security+Advisory+2011-11-22
11.48.26 CVE: Not Available
Platform: Network Device
Title: Juniper Juno IPv6 Over IPv4 Tunnel Security Bypass
Description: Juniper Juno is a network operating system running on
various Juniper devices. Juniper Juno is exposed to a security bypass
issue that occurs when handling IPv6 datagrams over IPv4 tunnels.
Versions prior to Juniper Juno 10.2 R3 are affected.
Ref: http://www.securityfocus.com/bid/50705/references