
@RISK Newsletter for December 29, 2011: The Consensus Security Vulnerability Alert

This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.


@RISK: The Consensus Security Vulnerability Alert
Vol. 11, Num. 53

Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked.

Archived issues may be found at https://www.qualys.com/research/sans-at-risk/


Summary of Updates and Vulnerabilities in this Consensus

Platform | Number of Updates and Vulnerabilities
--- | ---
Windows | 1
Third Party Windows Apps | 7
Linux | 1
BSD | 1
Novell | 1
Cross Platform | 5 (#1)
Web Application - Cross Site Scripting | 2
Web Application | 4
Network Device | 3
Hardware | 1


Part I – Critical Vulnerabilities from TippingPoint (www.tippingpoint.com)

Widely Deployed Software
(1) MEDIUM: VideoLan VLC get_chunk_header Double-Free Vulnerability


Part II – Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

Windows

11.53.1 - Microsoft Windows “win32k.sys” Remote Memory Corruption

Third Party Windows Apps

11.53.2 - NVIDIA Stereoscopic 3D Driver Local Privilege Escalation
11.53.3 - KingView “HistoryServer.exe” Heap Based Buffer Overflow
11.53.4 - Kaspersky Internet Security/Anti-Virus “.cfg” File Memory Corruption
11.53.5 - 7-Technologies Interactive Graphical SCADA System Buffer Overflow
11.53.6 - HP Managed Printing Administration Multiple Remote Security Vulnerabilities
11.53.7 - Multiple Siemens SIMATIC Products Authentication Bypass Vulnerabilities
11.53.8 - BB Flashback SDK FBRecorder ActiveX Control Multiple Remote Code Execution Vulnerabilities

Linux

11.53.9 - Linux Kernel KVM “create_pit_timer()” Function Local Denial of Service

BSD

11.53.10 - FreeBSD “telnetd” Daemon Remote Buffer Overflow

Novell

11.53.11 - Novell Sentinel Log Manager “filename” Parameter Directory Traversal

Cross Platform

11.53.12 - VLC Media Player “get_chunk_header()” Function Memory Corruption
11.53.13 - IDAPython Script Loading Arbitrary Code Execution
11.53.14 - IBM Lotus Domino RPC Operation Denial of Service
11.53.15 - RSyslog Function Imfile Module Buffer Overflow
11.53.16 - IBM DB2 and DB2 Connect Tivoli Monitoring Agent Local Privilege Escalation

Web Application - Cross Site Scripting

11.53.17 - epesi BIM Multiple Cross-Site Scripting Vulnerabilities
11.53.18 - PukiWiki Plus! Cross-Site Scripting

Web Application

11.53.19 - Wuzly Multiple Security Vulnerabilities
11.53.20 - OBM Multiple Remote Vulnerabilities
11.53.21 - Government Site Builder “videos.html” HTML Injection
11.53.22 - PhpMyAdmin “$host” Variable HTML Injection

Network Device

11.53.23 - SpamTitan Multiple HTML Injection Vulnerabilities
11.53.24 - PfSense Cross-Site Scripting and Security Bypass Vulnerabilities
11.53.25 - Ubiquiti Networks AirOS Remote Command Execution

Hardware

11.53.26 - Schneider Electric Quantum Ethernet Module Multiple Vulnerabilities


PART I Critical Vulnerabilities

Part I for this issue has been compiled by Josh Bronson at TippingPoint, a division of HP, as a by-product of that company’s continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint’s analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at
http://www.sans.org/newsletters/risk/#process


(1) MEDIUM: VideoLan VLC get_chunk_header Double-Free Vulnerability

Affected: VLC media player 0.9.0-1.1.12
Description: VideoLan has released a patch for its VLC media player. The patch addresses a heap corruption vulnerability that can be triggered when VLC opens a malicious TiVo TY file. The flaw is a double-free in the “get_chunk_header()” function of VLC’s TY demuxer component. By enticing a target to open a malicious file, an attacker can corrupt the heap and possibly execute arbitrary code on the target’s machine.
Status: vendor confirmed, updates available
References:
Vendor Site
http://www.videolan.org
VideoLan Security Advisory
http://www.videolan.org/security/sa1108.html
SecurityFocus BugTraq ID
http://www.securityfocus.com/bid/51147


Part II – Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

This list is compiled by Qualys (www.qualys.com) as part of that company’s ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 12894 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


11.53.1 CVE: Not Available

Platform: Windows
Title: Microsoft Windows “win32k.sys” Remote Memory Corruption
Description: Microsoft Windows is exposed to a memory corruption issue. Specifically, the issue occurs when the “win32k.sys” kernel-mode driver parses a specially crafted web page containing an IFRAME with an overly large value for the “height” attribute. The issue occurs when the web page is viewed with the Apple Safari browser. Windows 7 64-bit is affected.
Ref: https://secunia.com/advisories/47237/


11.53.2 CVE: CVE-2011-4784

Platform: Third Party Windows Apps
Title: NVIDIA Stereoscopic 3D Driver Local Privilege Escalation
Description: NVIDIA Stereoscopic 3D Driver is used to play 3D games. The driver is exposed to a local privilege escalation issue. Specifically, the issue occurs because the driver fails to properly validate and sanitize specific commands sent to a named pipe. NVIDIA Stereoscopic 3D Driver 7.17.12.7536 and earlier versions are affected.
Ref: http://technet.microsoft.com/en-us/security/msvr/msvr11-016


11.53.3 CVE: CVE-2011-4536

Platform: Third Party Windows Apps
Title: KingView “HistoryServer.exe” Heap Based Buffer Overflow
Description: KingView is software for monitoring and controlling SCADA automation equipment and process products. The application is exposed to a heap-based buffer overflow issue because it fails to properly validate user-supplied input. Specifically, the issue occurs in “HistoryServer.exe” when processing a specially crafted request. KingView 65.30.2010.18018 is vulnerable and other versions may also be affected.
Ref: http://www.us-cert.gov/control_systems/pdf/ICSA-11-355-02.pdf


11.53.4 CVE: Not Available

Platform: Third Party Windows Apps
Title: Kaspersky Internet Security/Anti-Virus “.cfg” File Memory Corruption
Description: Kaspersky Internet Security and Anti-Virus are security products. Both are exposed to a local memory corruption issue. Specifically, this issue affects the “basegui.ppl” and “basegui.dll” files when processing a specially crafted “.cfg” file. Kaspersky Anti-Virus 2012 and Kaspersky Internet Security 2012, Kaspersky Anti-Virus 2011 and Kaspersky Internet Security 2011, and Kaspersky Anti-Virus 2010 and Kaspersky Internet Security 2010 are affected.
Ref: http://www.securityfocus.com/bid/51161/discuss


11.53.5 CVE: CVE-2011-4537

Platform: Third Party Windows Apps
Title: 7-Technologies Interactive Graphical SCADA System Buffer Overflow
Description: 7-Technologies Interactive Graphical SCADA System (IGSS) is used to control and monitor programmable logic controllers (PLCs) in industrial processes. The system is exposed to a buffer overflow issue because it fails to handle specially crafted packets sent to TCP ports 12399 and 12397. 7-Technologies Interactive Graphical SCADA System 9.0.0.11355 and prior versions are affected.
Ref: http://www.us-cert.gov/control_systems/pdf/ICSA-11-355-01-7.pdf


11.53.6 CVE: CVE-2011-4169, CVE-2011-4168, CVE-2011-4167, CVE-2011-4166

Platform: Third Party Windows Apps
Title: HP Managed Printing Administration Multiple Remote Security Vulnerabilities
Description: HP Managed Printing Administration is a printer management application. It is exposed to multiple remote security issues. See reference for further details. Versions prior to HP Managed Printing Administration 2.6.4 are affected.
Ref: https://h20565.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03128469&ac.admitted=1324576855759.876444892.492883150


11.53.7 CVE: CVE-2011-4509, CVE-2011-4508

Platform: Third Party Windows Apps
Title: Multiple Siemens SIMATIC Products Authentication Bypass Vulnerabilities
Description: Siemens SIMATIC products are Human Machine Interface (HMI) software. Multiple Siemens SIMATIC products are exposed to the following authentication bypass issues. 1) An authentication bypass issue affects the products because they generate weak and predictable session cookie values for the administrator account. 2) An authentication bypass issue affects the products because they contain default credentials for the web interface (username “Administrator”, password “100”) and for the VNC service (no username, password “100”). SIMATIC WinCC Flexible 2004 through 2008 SP2; SIMATIC WinCC V11, V11 SP1, and V11 SP2; and SIMATIC HMI TP, OP, MP, Mobile, and Comfort Series Panels are affected.
Ref: http://www.us-cert.gov/control_systems/pdf/ICSA-11-356-01.pdf


11.53.8 CVE: CVE-2011-1392, CVE-2011-1391, CVE-2011-1388

Platform: Third Party Windows Apps
Title: BB Flashback SDK FBRecorder ActiveX Control Multiple Remote Code Execution Vulnerabilities
Description: BB Flashback is a screen recorder. BB Flashback is exposed to multiple remote code execution issues in the “BB FlashBack Recorder.dll” library due to unspecified errors. These issues occur when the application handles the “Start()”, “PauseAndSave()”, “InsertMarker()”, “InsertSoundToFBRAtMarker()” and “TestCompatibilityRecordMode()” methods. BB Flashback versions prior to 2.0.0.214, IBM Rational Rhapsody before 7.6.1, and other products which include Flashback are affected.
Ref: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1388
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1391
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1392
http://www-01.ibm.com/support/docview.wss?uid=swg21576352


11.53.9 CVE: CVE-2011-4622

Platform: Linux
Title: Linux Kernel KVM “create_pit_timer()” Function Local Denial of Service
Description: The Linux kernel is exposed to a local denial of service issue. Specifically, the issue affects the KVM implementation and occurs because of a NULL pointer dereference error in the “create_pit_timer()” function of the “arch/x86/kvm/i8254.c” file when configuring a Programmable Interrupt Timer (PIT). Linux kernel 2.6.x is affected.
Ref: http://www.securityfocus.com/bid/51172/discuss


11.53.10 CVE: CVE-2011-4862

Platform: BSD
Title: FreeBSD “telnetd” Daemon Remote Buffer Overflow
Description: FreeBSD is a BSD-based operating system. FreeBSD is exposed to a remote buffer overflow issue. This issue affects the “telnetd” daemon because it fails to perform adequate boundary checks on user-supplied data before copying it to insufficiently sized buffers. Specifically, the problem occurs when validating a specially crafted encryption key length received through the TELNET protocol. All supported versions of FreeBSD are affected.
Ref: http://security.freebsd.org/advisories/FreeBSD-SA-11:08.telnetd.asc


11.53.11 CVE: Not Available

Platform: Novell
Title: Novell Sentinel Log Manager “filename” Parameter Directory Traversal
Description: Sentinel Log Manager is a log management solution. The application is exposed to a directory traversal issue because it fails to sufficiently sanitize user-supplied input submitted to the “filename” parameter of the “novelllogmanager/FileDownload” script. Sentinel Log Manager versions 1.2.0.1 and prior are affected.
Ref: http://secunia.com/advisories/47258
http://www.securityfocus.com/bid/51104/discuss


11.53.12 CVE: Not Available

Platform: Cross Platform
Title: VLC Media Player “get_chunk_header()” Function Memory Corruption
Description: VLC is a cross-platform media player. VLC is exposed to a remote code execution issue due to a double-free error in the “get_chunk_header()” function of the “modules/demux/ty.c” source file. Specifically, the issue is triggered when processing a crafted “.ty” TiVo file. VLC Media Player versions 0.9.0 through 1.1.12 are affected.
Ref: http://www.videolan.org/security/sa1108.html


11.53.13 CVE: CVE-2011-4783

Platform: Cross Platform
Title: IDAPython Script Loading Arbitrary Code Execution
Description: IDAPython is a plugin for IDA Pro. The application is exposed to an issue that lets attackers execute arbitrary code. The issue arises because the application searches for the Python script file in the current working directory. IDAPython versions 1.5.0 through 1.5.2 are vulnerable; other versions may also be affected.
Ref: http://technet.microsoft.com/en-us/security/msvr/msvr11-015
http://www.securityfocus.com/bid/51164/references


11.53.14 CVE: CVE-2011-1393

Platform: Cross Platform
Title: IBM Lotus Domino RPC Operation Denial of Service
Description: IBM Lotus Domino is a client/server product designed for collaborative working environments. Domino Server supports email, scheduling, instant messaging, and data-driven applications. IBM Lotus Domino is exposed to a denial of service issue. This issue is caused due to an error when processing RPC operations related to authentication. IBM Lotus Domino Server 8.5.2 FP3 and earlier, 8.5.1, 8.5 and 8.0.x are affected.
Ref: http://www-01.ibm.com/support/docview.wss?uid=swg21575247


11.53.15 CVE: CVE-2011-4623

Platform: Cross Platform
Title: RSyslog Function Imfile Module Buffer Overflow
Description: RSyslog is a daemon for managing system logs; it is available for UNIX and Linux systems. RSyslog is exposed to a heap-based buffer overflow issue in the imfile module. Specifically, this issue occurs because the rsyslog daemon fails to properly handle log files larger than 64 kilobytes. Red Hat Enterprise Linux 6 is affected.
Ref: http://www.securityfocus.com/bid/51171/info
https://bugzilla.redhat.com/show_bug.cgi?id=769822


11.53.16 CVE: CVE-2011-4061

Platform: Cross Platform
Title: IBM DB2 and DB2 Connect Tivoli Monitoring Agent Local Privilege Escalation
Description: IBM DB2 and DB2 Connect are database applications designed to run on various platforms, including Linux, AIX, Solaris and Microsoft Windows. IBM DB2 and DB2 Connect are exposed to a local privilege escalation issue. This issue occurs because the SUID “Tmaitm6/lx8266/bin/kbbacf1” executable included in the Tivoli Monitoring Agent (ITMA) fails to properly use the “DT_RPATH” entry when loading the “libkbb.so” library. IBM DB2 Express Edition, IBM DB2 Workgroup Server Edition, IBM DB2 Enterprise Server Edition, IBM DB2 Advanced Enterprise Server Edition, IBM DB2 Connect Application Server Edition, IBM DB2 Connect Enterprise Edition, IBM DB2 Connect Unlimited Edition for System i and IBM DB2 Connect Unlimited Edition for System z are affected.
Ref: http://www-01.ibm.com/support/docview.wss?uid=swg21576372


11.53.17 CVE: Not Available

Platform: Web Application - Cross Site Scripting
Title: epesi BIM Multiple Cross-Site Scripting Vulnerabilities
Description: epesi BIM is a PHP-based application for creating dynamic Web applications. The application is exposed to multiple cross-site scripting issues because it fails to properly sanitize user-supplied input. epesi BIM 1.2.0 rev 8154 is vulnerable; prior versions may also be affected.
Ref: http://www.securityfocus.com/bid/51149/references


11.53.18 CVE: CVE-2011-3990

Platform: Web Application - Cross Site Scripting
Title: PukiWiki Plus! Cross-Site Scripting
Description: PukiWiki Plus! is an application which provides wiki functionality to websites. PukiWiki Plus! is exposed to a cross-site scripting issue because it fails to properly sanitize web form entries. PukiWiki Plus! 1.4.7plus-u2-i18n and prior versions are affected.
Ref: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-3990
http://www.securityfocus.com/bid/51173/info


11.53.19 CVE: CVE-2011-3839, CVE-2011-3838, CVE-2011-3837, CVE-2011-3836, CVE-2011-3835

Platform: Web Application
Title: Wuzly Multiple Security Vulnerabilities
Description: Wuzly is a PHP-based blog application. Wuzly is exposed to multiple remote security issues. See reference for further details. Wuzly version 2.0 is affected; other versions may also be affected.
Ref: http://www.securityfocus.com/bid/51114/references


11.53.20 CVE: Not Available

Platform: Web Application
Title: OBM Multiple Remote Vulnerabilities
Description: OBM is a messaging and collaboration application. The application is exposed to multiple remote issues. 1) A local file-include issue affects the “module” parameter of the “exportcsv_index.php” script. 2) Multiple SQL injection issues. 3) Multiple cross-site scripting issues. 4) An insecure file permissions issue occurs because “test.php” is stored with insecure permissions. OBM 2.4.0-rc13 is vulnerable; other versions may also be affected.
Ref: http://www.securityfocus.com/archive/1/520986


11.53.21 CVE: Not Available

Platform: Web Application
Title: Government Site Builder “videos.html” HTML Injection
Description: Government Site Builder is a content management application. The application is exposed to an HTML injection issue that affects the “media” module. Specifically, this issue occurs because the application fails to sufficiently sanitize user-supplied data submitted to the “page” parameter of the “videos.html” script. Government Site Builder 4.1 is affected.
Ref: http://www.securityfocus.com/bid/51162/discuss


11.53.22 CVE: CVE-2011-4782

Platform: Web Application
Title: PhpMyAdmin “$host” Variable HTML Injection
Description: phpMyAdmin is a web-based administration interface for MySQL databases; it is implemented in PHP. The application is exposed to an HTML injection issue because it fails to properly sanitize user-supplied input to the “$host” variable. phpMyAdmin versions 3.4.x prior to 3.4.9 are affected.
Ref: http://www.phpmyadmin.net/home_page/security/PMASA-2011-19.php


11.53.23 CVE: Not Available

Platform: Network Device
Title: SpamTitan Multiple HTML Injection Vulnerabilities
Description: SpamTitan is an anti-spam software application. SpamTitan is exposed to multiple HTML injection issues because it fails to properly sanitize user-supplied input passed to the following scripts: “auth-settings.php”, “setup-relay.php” and “setup-network.php”. SpamTitan 5.08 is vulnerable; other versions may also be affected.
Ref: http://www.securityfocus.com/bid/51155/discuss


11.53.24 CVE: CVE-2011-4197

Platform: Network Device
Title: PfSense Cross Site Scripting and Security Bypass Vulnerabilities
Description: pfSense is an open-source distribution of FreeBSD designed for use as a firewall and router. pfSense is exposed to the following remote issues. 1) A cross-site scripting issue affects the “style” parameter of the “status_rrd_graph.php” script. 2) A security bypass issue occurs due to insecure certificate creation. pfSense 2.0 is vulnerable; other versions may also be affected.
Ref: http://blog.pfsense.org/?p=633
http://www.securityfocus.com/bid/51169/info


11.53.25 CVE: Not Available

Platform: Network Device
Title: Ubiquiti Networks AirOS Remote Command Execution
Description: AirOS is firmware for network devices. It has a web-based user interface that provides wireless configuration and routing functionality. The application is exposed to an issue that lets attackers execute arbitrary commands in the context of the application. This issue occurs because the application fails to adequately restrict access to certain web-accessible scripts, including the “admin.cgi” script. 802.11 products running AirOS v3.6.1/v4.0 and all versions of AirMax AirOS v5.x products are affected.
Ref: http://ubnt.com/forum/showthread.php?p=236875
http://www.securityfocus.com/bid/51178/discuss


11.53.26 CVE: CVE-2011-4861

Platform: Hardware
Title: Schneider Electric Quantum Ethernet Module Multiple Vulnerabilities
Description: Schneider Electric products provide solutions for energy management. Quantum Ethernet Module is exposed to multiple remote issues. Multiple hardcoded credentials are present, which can enable access to multiple services. See reference for the affected products and firmware versions.
Ref: http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-11-346-01.pdf

