
@RISK Newsletter for December 08, 2011 The Consensus Security Vulnerability Alert

This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.


@RISK: The Consensus Security Vulnerability Alert
Vol. 11, Num. 50

Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked.

Archived issues may be found at https://www.qualys.com/research/sans-at-risk/


Summary of Updates and Vulnerabilities in this Consensus

Platform | Number of Updates and Vulnerabilities
--- | ---
Other Microsoft Products | 1
Third Party Windows Apps | 5
Linux | 1
Cross Platform | 8 (#1, #2)
Web Application - Cross Site Scripting | 3
Web Application - SQL Injection | 2
Web Application | 5
Hardware | 2


Part I – Critical Vulnerabilities from TippingPoint ( www.tippingpoint.com )

Widely Deployed Software
(1) HIGH: Adobe U3D Memory Corruption Vulnerability
(2) MEDIUM: Trend Micro Control Manager Buffer Overflow Vulnerability


Part II – Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

Other Microsoft Products

11.50.1 - Microsoft Internet Explorer CSS “:visited” Information Disclosure

Third Party Windows Apps

11.50.2 - CoDeSys Multiple Remote Denial of Service Vulnerabilities
11.50.3 - HS TFTP Server Software Multiple Remote Denial of Service Vulnerabilities
11.50.4 - HP Device Access Manager for HP ProtectTools Heap Memory Corruption
11.50.5 - SopCast Local Privilege Escalation
11.50.6 - Sielco Sistemi Multiple Products Buffer Overflow

Linux

11.50.7 - Red Hat Enterprise Linux Sos Private Information Disclosure

Cross Platform

11.50.8 - Iron Mountain Connected Backup Remote Command Execution
11.50.9 - Apache ActiveMQ Failover Mechanism Remote Denial of Service
11.50.10 - PHP Remote Integer Overflow
11.50.11 - Serv-U Denial of Service and Security Bypass Vulnerabilities
11.50.12 - Opera Web Browser Multiple Security Vulnerabilities
11.50.13 - Multiple Web Browsers “:visited” Information Disclosure
11.50.14 - Adobe Acrobat and Reader U3D Memory Corruption
11.50.15 - MIT Kerberos KDC TGS Handling NULL Pointer Dereference Denial of Service

Web Application - Cross Site Scripting

11.50.16 - JBoss Application Server Administrative Console Cross-Site Scripting
11.50.17 - Ariadne Multiple Cross-Site Scripting Vulnerabilities
11.50.18 - Hero “month” Parameter Cross-Site Scripting

Web Application - SQL Injection

11.50.19 - Meditate “username_input” Parameter SQL Injection
11.50.20 - AlstraSoft EPay Enterprise “process.htm” SQL Injection

Web Application

11.50.21 - Apache MyFaces Information Disclosure
11.50.22 - WikkaWiki Multiple Security Vulnerabilities
11.50.23 - WSN Classifieds Multiple Cross-Site Scripting and SQL Injection Vulnerabilities
11.50.24 - Support Incident Tracker (SiT!) Multiple Input Validation Vulnerabilities
11.50.25 - Moodle Multiple Security Vulnerabilities

Hardware

11.50.26 - HP Printers and Digital Senders Remote Firmware Update Security Bypass
11.50.27 - Intel Trusted Execution Technology SINIT Authenticated Code Modules Buffer Overflow


PART I Critical Vulnerabilities

Part I for this issue has been compiled by Josh Bronson at TippingPoint,
a division of HP, as a by-product of that company’s continuous effort
to ensure that its intrusion prevention products effectively block
exploits using known vulnerabilities. TippingPoint’s analysis is
complemented by input from a council of security managers from twelve
large organizations who confidentially share with SANS the specific
actions they have taken to protect their systems. A detailed description
of the process may be found at
http://www.sans.org/newsletters/risk/#process


(1) HIGH: Adobe U3D Memory Corruption Vulnerability

Affected:
Adobe Reader X (10.1.1) and earlier 10.x versions for Windows and Macintosh
Adobe Reader 9.4.6 and earlier 9.x versions for Windows, Macintosh and UNIX
Adobe Acrobat X (10.1.1) and earlier 10.x versions for Windows and Macintosh
Adobe Acrobat 9.4.6 and earlier 9.x versions for Windows and Macintosh

Description: Adobe Acrobat is a very popular application software suite
developed by Adobe Systems that allows users to view, create, and
manipulate files in the popular Portable Document Format (PDF). A memory
corruption vulnerability has been identified in Adobe Reader and Adobe
Acrobat caused by an unspecified error in the way the application
handles U3D data. By enticing a target to open a malicious file, an
attacker can exploit this vulnerability in order to execute arbitrary
code on the target’s machine.

Status: vendor confirmed, updates available

References:
Vendor Advisory
http://www.adobe.com/support/security/advisories/apsa11-04.html
Wikipedia Entry on Adobe Reader
http://en.wikipedia.org/wiki/Adobe_reader
Vendor Site
http://www.adobe.com/


(2) MEDIUM: Trend Micro Control Manager Buffer Overflow Vulnerability

Affected:
Trend Micro Control Manager 5.x

Description: A buffer overflow vulnerability has been detected in Trend
Micro Control Manager. The specific flaw is caused by insufficient bounds
checking in the CGenericScheduler::AddTask function of
cmdHandlerRedAlertController.dll while processing a specially crafted IPC
packet. Successful exploitation will allow attackers to execute
arbitrary code in the context of the user. Authentication is not
required to exploit the vulnerability.

Status: vendor confirmed, updates available

References:
Vendor Update
http://downloadcenter.trendmicro.com/index.php?prodid=7
Zero Day Initiative Advisory
http://www.zerodayinitiative.com/advisories/ZDI-11-345
Vendor Site
http://us.trendmicro.com/us/home/index.html


Part II – Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

This list is compiled by Qualys (www.qualys.com) as part of that
company’s ongoing effort to ensure its vulnerability management web
service tests for all known vulnerabilities that can be scanned. As of
this week Qualys scans for 12777 unique vulnerabilities. For this
special SANS community listing, Qualys also includes vulnerabilities
that cannot be scanned remotely.


11.50.1 CVE: Not Available

Platform: Other Microsoft Products
Title: Microsoft Internet Explorer CSS “:visited” Information
Disclosure
Description: Microsoft Internet Explorer is a web browser application
available for Windows operating systems. Microsoft Internet Explorer
is exposed to an information disclosure issue. This issue affects the
“:visited” tag included in a Cascading Style Sheet. Specifically,
the application will allow attackers to collect browser history based
on cache timing. Microsoft Internet Explorer 6, 7, 8 and 9 are affected.
Ref: http://secunia.com/advisories/47129/
http://lcamtuf.coredump.cx/cachetime/msie.html


11.50.2 CVE: Not Available

Platform: Third Party Windows Apps
Title: CoDeSys Multiple Remote Denial of Service Vulnerabilities
Description: CoDeSys is an application for industrial automation
technology. The application is exposed to multiple denial of service
issues which affect the “CmpWebServer” component. CoDeSys up to 3.4
SP4 Patch 2 are affected.
Ref: http://aluigi.altervista.org/adv/codesys_1-adv.txt
http://www.securityfocus.com/bid/50854/discuss


11.50.3 CVE: Not Available

Platform: Third Party Windows Apps
Title: HS TFTP Server Software Multiple Remote Denial of Service
Vulnerabilities
Description: HS TFTP Server Software is a library written in C, which
implements the Trivial File Transfer Protocol. HS TFTP Server
Software is exposed to multiple remote denial of service issues
because it fails to properly handle user-supplied input. Specifically, the
issue affects the “WRITE” and “READ” commands. HS TFTP Server Software
1.3.2 is vulnerable; other versions may also be affected.
Ref: http://www.securityfocus.com/bid/50886/discuss
http://packetstormsecurity.org/files/107468/hillstone-dos.txt


11.50.4 CVE: CVE-2011-4162

Platform: Third Party Windows Apps
Title: HP Device Access Manager for HP ProtectTools Heap Memory
Corruption
Description: HP Device Access Manager for HP ProtectTools is a
policy-based access control system. HP Device Access Manager for HP
ProtectTools is exposed to a remote heap memory corruption issue.
Specifically, this issue affects multiple methods. HP Device
Access Manager for HP ProtectTools versions prior to 6.1.0.1 are
affected.
Ref:
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03082368


11.50.5 CVE: Not Available

Platform: Third Party Windows Apps
Title: SopCast Local Privilege Escalation
Description: SopCast is an application used to broadcast video and
audio on the Internet. The application is exposed to a local
privilege escalation issue. Specifically, the issue occurs due to
improper permissions being set for the “Diagnose.exe” file, with the
“FDiagnose.exe” flag set for the “Everyone” group. SopCast 3.4.7.45585
is vulnerable; other versions may also be affected.
Ref: http://www.securityfocus.com/bid/50908/references
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5062.php


11.50.6 CVE: CVE-2011-4037

Platform: Third Party Windows Apps
Title: Sielco Sistemi Multiple Products Buffer Overflow
Description: Winlog Pro and Winlog Lite are SCADA/HMI applications for
monitoring industrial and civil plants. Winlog Pro and Winlog Lite
are exposed to a remote buffer overflow issue because they fail to
perform adequate boundary checks on user-supplied data. Winlog Lite
versions older than 2.07.09 and Winlog Pro versions older than
2.07.09 are affected.
Ref: http://www.us-cert.gov/control_systems/pdf/ICSA-11-298-01.pdf


11.50.7 CVE: CVE-2011-4083

Platform: Linux
Title: Red Hat Enterprise Linux Sos Private Information Disclosure
Description: Red Hat Enterprise Linux is a Linux-based operating system
developed by Red Hat. Sos is a set of tools that gather information
about system hardware and configuration. Red Hat Enterprise Linux is
exposed to an information disclosure issue. Specifically, this issue
occurs because the Sosreport utility incorrectly includes certificate-based
Red Hat Network private entitlement keys in the archive of debugging
information, which allows an attacker to access Red Hat Network content
by using these keys. Red Hat Enterprise Linux version 6 is affected.
Ref: http://www.securityfocus.com/bid/50936/discuss
https://www.redhat.com/security/data/cve/CVE-2011-4083.html


11.50.8 CVE: CVE-2011-2397

Platform: Cross Platform
Title: Iron Mountain Connected Backup Remote Command Execution
Description: Iron Mountain Connected Backup is a backup solution. Iron
Mountain Connected Backup is exposed to a remote command execution
issue because it fails to properly validate user-supplied input. This
issue affects the Agent service that listens on TCP port 16388.
Specifically, the issue is triggered within the
“LaunchCompoundFileAnalyzer” class when a request contains opcode 1.
Iron Mountain Connected Backup from 8.2.2 to 8.5.1 are affected.
Ref: http://www.zerodayinitiative.com/advisories/ZDI-11-339/
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2397


11.50.9 CVE: Not Available

Platform: Cross Platform
Title: Apache ActiveMQ Failover Mechanism Remote Denial of Service
Description: Apache ActiveMQ is a message broker and Enterprise
Integration Patterns provider. It is implemented in Java and available
for a number of platforms. Apache ActiveMQ is exposed to a
denial of service issue. This issue occurs when handling OpenWire
connection requests. Specifically, after various connection requests,
a “java.net.SocketException” will occur. Apache ActiveMQ
5.2.0 and 5.5.0 are affected.
Ref: https://issues.apache.org/jira/browse/AMQ-3294


11.50.10 CVE: CVE-2011-4566

Platform: Cross Platform
Title: PHP Remote Integer Overflow
Description: PHP is a general purpose scripting language suitable for
web development and embeddable into HTML. PHP is exposed to a remote
integer overflow issue that affects the “Exif” extension.
Specifically, this issue affects the “exif_process_IFD_TAG()” function
in the “ext/exif/exif.c” source file. PHP 5.4.0beta2 on 32-bit
platforms is vulnerable; other versions may also be affected.
Ref: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4566
https://bugs.php.net/bug.php?id=60150


11.50.11 CVE: Not Available

Platform: Cross Platform
Title: Serv-U Denial of Service and Security Bypass Vulnerabilities
Description: Serv-U is an FTP server application. Serv-U is exposed to
multiple remote issues. A denial of service issue occurs because the
application opens new ports for each request made and fails to close
old ports. A security bypass issue allows attackers to gain
unauthorized administrative access to the management interface.
Serv-U 11.1.0.3 and prior versions are affected.
Ref: http://www.securityfocus.com/archive/1/520746


11.50.12 CVE: Not Available

Platform: Cross Platform
Title: Opera Web Browser Multiple Security Vulnerabilities
Description: Opera is a Web browser available for multiple platforms.
The application is exposed to multiple issues. See reference for
further details. Versions prior to Opera Web Browser 11.60 are
affected.
Ref: http://www.opera.com/docs/changelogs/unix/1160/
http://www.opera.com/docs/changelogs/mac/1160/
http://www.opera.com/docs/changelogs/windows/1160/


11.50.13 CVE: Not Available

Platform: Cross Platform
Title: Multiple Web Browsers “:visited” Information Disclosure
Description: Multiple web browsers are exposed to an
information disclosure issue. This issue affects the “:visited” tag
included in a Cascading Style Sheet. Specifically, the applications
allow attackers to collect browser history based on cache timing.
Mozilla Firefox and Opera are affected.
Ref: http://lcamtuf.coredump.cx/cachetime/
http://www.securityfocus.com/bid/50909/discuss
http://www.securityfocus.com/bid/50920/discuss


11.50.14 CVE: CVE-2011-2462

Platform: Cross Platform
Title: Adobe Acrobat and Reader U3D Memory Corruption
Description: Adobe Reader and Acrobat are applications for handling
PDF files. Adobe Acrobat and Reader are exposed to a memory corruption
issue that occurs when handling U3D encoded files. Adobe Reader X
(10.1.1) and earlier 10.x versions for Windows and Macintosh, Adobe
Reader 9.4.6 and earlier 9.x versions for Windows, Macintosh and UNIX,
Adobe Acrobat X (10.1.1) and earlier 10.x versions for Windows and
Macintosh, Adobe Acrobat 9.4.6 and earlier 9.x versions for Windows
and Macintosh are affected.
Ref: https://www.adobe.com/support/security/advisories/apsa11-04.html


11.50.15 CVE: CVE-2011-1530

Platform: Cross Platform
Title: MIT Kerberos KDC TGS Handling NULL Pointer Dereference Denial
of Service
Description: MIT Kerberos is a suite of applications and libraries
designed to implement the Kerberos network authentication protocol. It
is freely available and operates on numerous platforms. MIT Kerberos
is exposed to a remote denial of service issue caused by a
NULL-pointer dereference which exists in the TGS service.
Specifically, the flaw exists in the “process_tgs_req()” function when
the “TGS-REQ” is unknown. This will cause the “KRB5_KDB_NOENTRY”
parameter to be set to NULL, triggering a NULL-pointer dereference.
krb5-1.9 and later are affected.
Ref: http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-007.txt


11.50.16 CVE: CVE-2011-3606

Platform: Web Application - Cross Site Scripting
Title: JBoss Application Server Administrative Console Cross-Site
Scripting
Description: JBoss Application Server is an open source Java
application server. JBoss Application Server is exposed to a
cross-site scripting issue while handling DOM objects. This issue
occurs because the administrative console of the application fails to
sanitize user-supplied input passed to the “onerror” argument. JBoss
Application Server 7.0 is vulnerable; other versions may also be
affected.
Ref: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-3606
http://www.securityfocus.com/bid/50885/discuss


11.50.17 CVE: Not Available

Platform: Web Application - Cross Site Scripting
Title: Ariadne Multiple Cross-Site Scripting Vulnerabilities
Description: Ariadne is a PHP-based content manager. The application
is exposed to multiple cross-site scripting issues because it fails to
properly sanitize user-supplied input to multiple scripts. Ariadne
2.7.6 is vulnerable; other versions may also be affected.
Ref: http://www.securityfocus.com/archive/1/520708


11.50.18 CVE: Not Available

Platform: Web Application - Cross Site Scripting
Title: Hero “month” Parameter Cross-Site Scripting
Description: Hero is a PHP-based content management system. Hero is
exposed to a cross-site scripting issue because it fails to properly
sanitize user-supplied input submitted to the “month” parameter of the
“index.php” script. Hero 3.69 is vulnerable; other versions may also
be affected.
Ref: http://www.securityfocus.com/bid/50878/discuss
http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5061.php


11.50.19 CVE: Not Available

Platform: Web Application - SQL Injection
Title: Meditate “username_input” Parameter SQL Injection
Description: Meditate is a Web-based content editor application.
Meditate is exposed to an SQL injection issue because it fails to
sufficiently sanitize user-supplied data submitted to the
“username_input” parameter of the “index.php” script when “page” is
set to “login”. Meditate version 1.1 is vulnerable; prior versions
may also be affected.
Ref:
http://www.arlomedia.com/software/meditate/meditate/docs/release_notes.html


11.50.20 CVE: Not Available

Platform: Web Application - SQL Injection
Title: AlstraSoft EPay Enterprise “process.htm” SQL Injection
Description: EPay Enterprise is a web-based application implemented in
PHP. The application is exposed to an SQL injection issue because it
fails to sufficiently sanitize user-supplied data to the “product”
parameter of the “process.htm” page. EPay Enterprise 4.0 is
vulnerable; other versions may also be affected.
Ref: http://www.securityfocus.com/bid/50917/references
http://packetstormsecurity.org/files/107540/alstrasoftepay-sql.txt


11.50.21 CVE: CVE-2011-4343

Platform: Web Application
Title: Apache MyFaces Information Disclosure
Description: Apache MyFaces is used to create server-side GUI web
applications. Apache MyFaces is exposed to a remote information
disclosure issue because it is possible to inject EL expressions
directly into input fields mapped as view parameters. Apache MyFaces
2.0.1 through 2.0.10 and Apache MyFaces 2.1.0 through 2.1.4 are
affected.
Ref: https://issues.apache.org/jira/browse/MYFACES-3405


11.50.22 CVE: CVE-2011-4451, CVE-2011-4450, CVE-2011-4449, CVE-2011-4448

Platform: Web Application
Title: WikkaWiki Multiple Security Vulnerabilities
Description: WikkaWiki is a wiki application implemented in PHP. The
application is exposed to an SQL injection issue, multiple arbitrary file
upload issues and a PHP code injection issue.
WikkaWiki 1.3.2 and prior versions are affected.
Ref: http://www.securityfocus.com/archive/1/520687


11.50.23 CVE: Not Available

Platform: Web Application
Title: WSN Classifieds Multiple Cross Site Scripting and SQL Injection
Vulnerabilities
Description: WSN Classifieds is a PHP-based application for
classified advertisements. The application is exposed to an
SQL injection issue and multiple cross-site scripting issues because it
fails to sufficiently sanitize user-supplied input. WSN Classifieds
6.2.12 and 6.2.18 are vulnerable; other versions may also be affected.
Ref: http://secunia.com/advisories/47106
http://xforce.iss.net/xforce/xfdb/71607


11.50.24 CVE: Not Available

Platform: Web Application
Title: Support Incident Tracker (SiT!) Multiple Input Validation
Vulnerabilities
Description: Support Incident Tracker is an open-source web
application for tracking technical support requests. It is implemented
in PHP and MySQL. The application is exposed to multiple
input-validation issues. Support Incident Tracker 3.65 is
vulnerable; prior versions may also be affected.
Ref: http://www.kb.cert.org/vuls/id/576355
http://www.securityfocus.com/bid/50896/references


11.50.25 CVE: Not Available

Platform: Web Application
Title: Moodle Multiple Security Vulnerabilities
Description: Moodle is a content manager for online courseware. The
application is exposed to multiple security issues. See reference for
further details. Moodle 2.1.x prior to 2.1.2, Moodle 2.0.x prior to
2.0.5 and Moodle 1.9.x prior to 1.9.14 are affected.
Ref: http://moodle.org/mod/forum/view.php?id=7128
http://www.securityfocus.com/bid/50923/references


11.50.26 CVE: CVE-2011-4161

Platform: Hardware
Title: HP Printers and Digital Senders Remote Firmware Update Security
Bypass
Description: HP Printers and Digital Senders are exposed to a
security bypass issue. Specifically, an attacker can send a
firmware update remotely through a crafted request to TCP port 9100
without authentication. Multiple HP Printers and HP Digital Senders
are affected. See reference for details.
Ref:
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03102449


11.50.27 CVE: Not Available

Platform: Hardware
Title: Intel Trusted Execution Technology SINIT Authenticated Code
Modules Buffer Overflow
Description: Intel Trusted Execution Technology SINIT Authenticated
Code Modules (ACMs) are exposed to a buffer overflow issue due to a
failure to properly bounds check user-supplied input. The problem
occurs when Intel Trusted Execution Technology measured launch is
invoked using vulnerable SINIT ACMs. This may compromise certain SINIT
ACM functionality, launch control policy, and System Management Mode.
Multiple Intel processors and Chipsets are affected. See
reference for details.
Ref:
http://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00030&languageid=en-fr

