
@RISK Newsletter for January 19, 2012 The Consensus Security Vulnerability Alert

This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.


@RISK: The Consensus Security Vulnerability Alert
Vol. 12, Num. 3

Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked.

Archived issues may be found at https://www.qualys.com/research/sans-at-risk/


Summary of Updates and Vulnerabilities in this Consensus

Platform                               | Number of Updates and Vulnerabilities
---------------------------------------|--------------------------------------
Third Party Windows Apps               | 7 (#1, #2, #3)
Solaris                                | 1
Cross Platform                         | 9
Web Application - Cross Site Scripting | 2
Web Application                        | 6
Hardware                               | 1


Part I – Critical Vulnerabilities from HP TippingPoint

(dvlabs.tippingpoint.com)

Widely Deployed Software
(1) HIGH: HP Insight Diagnostics Buffer Overflow
(2) HIGH: McAfee Security-as-a-Service ActiveX Control
(3) HIGH: HP Easy Printer Care Multiple ActiveX Vulnerabilities


Part II – Comprehensive List of Newly Discovered Vulnerabilities from Qualys

(www.qualys.com)

Third Party Windows Apps

12.3.1 - ExpressView Browser Plug-in Multiple Integer Overflow and Remote Code Execution Vulnerabilities
12.3.2 - GreenBrowser Search Bar Short Cut Button Double Free Remote Memory Corruption
12.3.3 - McAfee Security-as-a-Service ActiveX Control Remote Command Execution
12.3.4 - HP Easy Printer Care Software Remote Code Execution
12.3.5 - HP Diagnostics Server Remote Stack Buffer Overflow
12.3.6 - Yahoo Messenger “.jpg” File Buffer Overflow
12.3.7 - 7T Interactive Graphical SCADA System DLL Loading Arbitrary Code Execution

Solaris

12.3.8 - Oracle Solaris Multiple Vulnerabilities

Cross Platform

12.3.9 - Wireshark Buffer Overflow and Denial of Service Vulnerabilities
12.3.10 - Wibu-Systems CodeMeter TCP Packets Denial of Service
12.3.11 - JBoss Cache Local Information Disclosure
12.3.12 - ISC DHCP Server DHCPv6 NULL Pointer Dereference Denial Of Service
12.3.13 - Jenkins Hash Collision Denial Of Service
12.3.14 - Oracle Database Server Multiple Vulnerabilities
12.3.15 - Oracle Communications Unified Multiple Vulnerabilities
12.3.16 - Oracle GlassFish Enterprise Server Multiple Vulnerabilities
12.3.17 - Oracle MySQL Multiple Vulnerabilities

Web Application - Cross Site Scripting

12.3.18 - KnowledgeTree Multiple Cross-Site Scripting Vulnerabilities
12.3.19 - MailEnable “ForgottonPassword.aspx” Cross-Site Scripting

Web Application

12.3.20 - Apache HTTP Server Scoreboard Local Security Bypass
12.3.21 - IBM WebSphere Application Server “iscdeploy” Script Insecure File Permissions
12.3.22 - Kayako SupportSuite Multiple Vulnerabilities
12.3.23 - MediaWiki Cache Pollution Information Disclosure
12.3.24 - VBulletin Multiple Products “blog_post.php” Security Bypass
12.3.25 - Oracle OpenSSO Remote Security Vulnerability

Hardware

12.3.26 - HP StorageWorks Default Accounts and Directory Traversal Vulnerabilities


PART I Critical Vulnerabilities

Part I for this issue has been compiled by Josh Bronson at TippingPoint,
a division of HP, as a by-product of that company’s continuous effort
to ensure that its intrusion prevention products effectively block
exploits using known vulnerabilities. TippingPoint’s analysis is
complemented by input from a council of security managers from twelve
large organizations who confidentially share with SANS the specific
actions they have taken to protect their systems. A detailed description
of the process may be found at
http://www.sans.org/newsletters/risk/#process


(1) HIGH: HP Insight Diagnostics Buffer Overflow

Affected:
HP Insight Diagnostics

Description: HP Insight Diagnostics is susceptible to a stack buffer
overflow vulnerability. HP Insight Diagnostics is a web-based server
management tool that runs on Microsoft Windows and Linux. The
vulnerability is due to the service trusting a client-provided size
value when copying request data onto the stack. By sending a malicious
request to magentservice.exe, which listens on TCP port 23472 by
default, a remote attacker can exploit this vulnerability to execute
arbitrary code on the target machine.

Status: vendor confirmed, updates not available

References:
Vendor Site
http://www.hp.com
Zero Day Initiative Advisory
http://www.zerodayinitiative.com/advisories/ZDI-12-016
SecurityFocus BugTraq IDs
http://www.securityfocus.com/bid/51398
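The bug class in (1), a server copying a client-declared number of bytes into a fixed-size stack buffer, is easiest to see next to the check that prevents it. The Python below is an added example, not HP code: the record layout (a 32-bit message type followed by a 32-bit payload length), the 1024-byte receive buffer and the helper names are assumptions made for illustration and do not describe the real magentservice.exe protocol. Only the use of a zero first word in the crafted sample mirrors the packets described in 12.3.5.

```python
import struct
from typing import Optional, Tuple

# Assumed wire format for illustration only (not the real HP protocol):
# little-endian 32-bit message type, 32-bit payload length, then payload bytes.
HEADER_FMT = "<II"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 8 bytes
BUF_SIZE = 1024  # assumed size of the fixed stack buffer the payload is copied into


class MalformedPacket(ValueError):
    """Raised when a packet's declared length cannot be honoured safely."""


def build_packet(msg_type: int, payload: bytes, declared_len: Optional[int] = None) -> bytes:
    """Serialise a packet.  declared_len lets a caller lie about the payload
    size, which is exactly what an attacker does to a trusting parser."""
    if declared_len is None:
        declared_len = len(payload)
    return struct.pack(HEADER_FMT, msg_type & 0xFFFFFFFF, declared_len & 0xFFFFFFFF) + payload


def overflow_bytes(declared_len: int, buf_size: int = BUF_SIZE) -> int:
    """Model of the vulnerable copy: memcpy(stack_buf, payload, declared_len)
    with no check.  Returns how many bytes land past the end of the buffer;
    zero means the copy fits, anything else is stack corruption in the C original."""
    return max(0, declared_len - buf_size)


def parse_checked(packet: bytes) -> Tuple[int, bytes]:
    """Hardened parser: the declared length is validated against both the
    buffer it will be copied into and the number of bytes actually received,
    before a single byte is copied."""
    if len(packet) < HEADER_LEN:
        raise MalformedPacket("short header")
    msg_type, declared_len = struct.unpack_from(HEADER_FMT, packet, 0)
    available = len(packet) - HEADER_LEN
    if declared_len > BUF_SIZE:
        raise MalformedPacket(f"declared length {declared_len} exceeds buffer of {BUF_SIZE}")
    if declared_len > available:
        raise MalformedPacket(f"declared length {declared_len} exceeds {available} bytes received")
    return msg_type, packet[HEADER_LEN:HEADER_LEN + declared_len]


def rejects(packet: bytes) -> bool:
    """True if the hardened parser refuses the packet."""
    try:
        parse_checked(packet)
    except MalformedPacket:
        return True
    return False


if __name__ == "__main__":
    # Crafted sample: zero first word, 16 bytes of data, declared length 64 KiB.
    crafted = build_packet(0, b"A" * 16, declared_len=0x10000)
    print("trusting copy would overrun by", overflow_bytes(0x10000), "bytes")
    print("checked parser rejects it:", rejects(crafted))
```

The second check matters as much as the first: a declared length that fits the buffer but exceeds the bytes received makes a trusting server copy whatever happens to follow the packet in memory, which is a disclosure bug rather than an overflow.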


(2) HIGH: McAfee Security-as-a-Service ActiveX Control

Affected:
McAfee SaaS Endpoint Protection current versions

Description: McAfee Security-as-a-Service Endpoint Protection is
susceptible to a command-injection vulnerability. McAfee’s Endpoint
Protection is designed to protect Windows machines from viruses and
malware. An ActiveX control installed on the client, myCIOScn.dll,
contains a vulnerable function, MyCioScan.Scan.ShowReport(), that
accepts and executes server-controlled commands. McAfee acknowledges
this flaw and plans to release an update for it. However, McAfee reports
that the harmful effect of this vulnerability is entirely mitigated by a
patch released in August. From publicly available information, it isn’t
clear how the attack vectors are cut off by that patch, which was
released to address a file upload vulnerability in the same DLL.
Exploitation would require enticing a target to view a malicious web
site. See the references for a link to the August patch.

Status: vendor confirmed, updates not available

References:
Vendor Site
http://www.mcafee.com
McAfee Security Update
https://kc.mcafee.com/corporate/index?page=content&id=SB10016
Zero Day Initiative Advisory
http://www.zerodayinitiative.com/advisories/ZDI-12-012
SecurityFocus BugTraq IDs
http://www.securityfocus.com/bid/49087
http://www.securityfocus.com/bid/51397


(3) HIGH: HP Easy Printer Care Multiple ActiveX Vulnerabilities

Affected:
HP Easy Printer Care current versions

Description: HP Easy Printer Care, a web-based system for administering
printers, is susceptible to multiple vulnerabilities in its ActiveX
controls. The first issue is a heap buffer overflow in the
XMLSimpleAccessor ActiveX control: by passing an overlong string to the
LoadXML method, an attacker can execute arbitrary code on a target’s
machine. The second is an arbitrary file write in the
CacheDocumentXMLWithId() method of the XMLCacheMgr class, which can
likewise be used to execute arbitrary code in the context of the
client’s browser. An attacker must entice a target to view a malicious
link in order to exploit these vulnerabilities. HP no longer supports HP
Easy Printer Care and recommends killbitting or uninstalling this
software. See the reference below for information about killbitting
ActiveX controls.

Status: vendor confirmed, updates not available

References:
Vendor Site
http://www.hp.com
Microsoft Support Page
http://support.microsoft.com/kb/240797
Zero Day Initiative Advisories
http://www.zerodayinitiative.com/advisories/ZDI-12-013/
http://www.zerodayinitiative.com/advisories/ZDI-12-014/
SecurityFocus BugTraq IDs
http://www.securityfocus.com/bid/51396
http://www.securityfocus.com/bid/51400
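HP’s advice for (3) is to set the kill bit on the affected controls. The registry mechanism behind that advice is the one documented in KB240797: a REG_DWORD named Compatibility Flags with bit 0x400 set under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}, and under the Wow6432Node copy of that key for 32-bit Internet Explorer on 64-bit Windows. The Python below is an added example, not HP or Microsoft code: it validates a CLSID, emits a .reg file an administrator can review and import, and applies the value directly when run on Windows. The CLSIDs of the HP Easy Printer Care controls are not given in this issue, so the sample input is the McAfee control’s CLSID from item 12.3.3. A killbitted control stops working in Internet Explorer for legitimate pages too, so confirm the product no longer needs it before deploying.

```python
import re
import sys

KILL_BIT = 0x400  # bit in "Compatibility Flags" that stops IE from instantiating the control
COMPAT_SUBKEY = r"SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
# Read by 32-bit IE on 64-bit Windows; harmless extra key on 32-bit Windows.
COMPAT_SUBKEY_WOW64 = r"SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility"
_CLSID_RE = re.compile(r"^\{?([0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})\}?$")


def normalize_clsid(clsid: str) -> str:
    """Return the CLSID in canonical upper-case braced form, or raise ValueError."""
    m = _CLSID_RE.match(clsid.strip())
    if not m:
        raise ValueError(f"not a CLSID: {clsid!r}")
    return "{" + m.group(1).upper() + "}"


def is_clsid(clsid: str) -> bool:
    try:
        normalize_clsid(clsid)
        return True
    except ValueError:
        return False


def has_kill_bit(flags: int) -> bool:
    """True when an existing Compatibility Flags value already disables the control."""
    return bool(flags & KILL_BIT)


def kill_bit_reg_file(clsids) -> str:
    """Render a .reg file that sets the kill bit for each CLSID under both the
    native and the Wow6432Node compatibility keys.  Importing it overwrites any
    other compatibility flags on the control; use set_kill_bit_windows() to
    preserve them."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for clsid in clsids:
        cid = normalize_clsid(clsid)
        for subkey in (COMPAT_SUBKEY, COMPAT_SUBKEY_WOW64):
            lines.append("[HKEY_LOCAL_MACHINE\\" + subkey + "\\" + cid + "]")
            lines.append(f'"Compatibility Flags"=dword:{KILL_BIT:08x}')
            lines.append("")
    return "\n".join(lines)


def set_kill_bit_windows(clsid: str) -> int:
    """Apply the kill bit directly (Windows only, needs administrator rights).
    ORs the bit into any existing flags so other bits survive.  Returns the
    flags value written."""
    if sys.platform != "win32":
        raise OSError("registry access needs Windows; use kill_bit_reg_file() elsewhere")
    import winreg  # only importable on Windows
    cid = normalize_clsid(clsid)
    written = 0
    for subkey in (COMPAT_SUBKEY, COMPAT_SUBKEY_WOW64):
        with winreg.CreateKeyEx(winreg.HKEY_LOCAL_MACHINE, subkey + "\\" + cid, 0,
                                winreg.KEY_READ | winreg.KEY_SET_VALUE) as key:
            try:
                current, _ = winreg.QueryValueEx(key, "Compatibility Flags")
            except FileNotFoundError:
                current = 0
            written = current | KILL_BIT
            winreg.SetValueEx(key, "Compatibility Flags", 0, winreg.REG_DWORD, written)
    return written


if __name__ == "__main__":
    # Sample input: the McAfee myCIOScn.dll control's CLSID from item 12.3.3.
    print(kill_bit_reg_file(["209EBDEE-065C-11D4-A6B8-00C04F0D38B7"]))
```

Import the generated file with regedit or `reg import`, then verify with `reg query` that the value reads 0x400 under both keys; a kill bit under only one of them leaves the other bitness of Internet Explorer exposed.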


Part II – Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

This list is compiled by Qualys (www.qualys.com) as part of that
company’s ongoing effort to ensure its vulnerability management web
service tests for all known vulnerabilities that can be scanned. As of
this week Qualys scans for 13050 unique vulnerabilities. For this
special SANS community listing, Qualys also includes vulnerabilities
that cannot be scanned remotely.


12.3.1 CVE: Not Available

Platform: Third Party Windows Apps
Title: ExpressView Browser Plug-in Multiple Integer Overflow and
Remote Code Execution Vulnerabilities
Description: ExpressView Browser Plug-in is a browser plugin for
viewing, magnifying, measuring, printing and saving images. The
plugin is exposed to multiple security issues. See reference for
further details. ExpressView Browser Plug-in 6.5.0.3330 and prior
versions are affected.
Ref: http://aluigi.altervista.org/adv/expressview_1-adv.txt
http://www.securityfocus.com/bid/51367/discuss


12.3.2 CVE: Not Available

Platform: Third Party Windows Apps
Title: GreenBrowser Search Bar Short Cut Button Double Free Remote
Memory Corruption
Description: GreenBrowser is a web browser available for Microsoft
Windows. The application is exposed to a memory corruption issue in the
“searchbar” when the user uses shortcut button “F6” to perform searches.
GreenBrowser 6.0.1002 and prior versions are vulnerable.
Ref: http://www.securityfocus.com/archive/1/521231


12.3.3 CVE: Not Available

Platform: Third Party Windows Apps
Title: McAfee Security-as-a-Service ActiveX Control Remote Command
Execution
Description: McAfee Security-as-a-Service is a cloud based security
service. McAfee Security-as-a-Service is exposed to a remote command
execution issue. This issue affects the
“myCIOScn.dll.MyCioScan.Scan.ShowReport()” function of the ActiveX
control identified by CLSID: 209EBDEE-065C-11D4-A6B8-00C04F0D38B7. All
versions of McAfee Security-as-a-Service are affected.
Ref: http://zerodayinitiative.com/advisories/ZDI-12-012/
http://www.securityfocus.com/bid/51397/discuss


12.3.4 CVE: CVE-2011-4786

Platform: Third Party Windows Apps
Title: HP Easy Printer Care Software Remote Code Execution
Description: HP Easy Printer Care Software is a printer management
tool. The application is exposed to a remote code execution issue. The
problem affects the “CacheDocumentXMLWithId()” method of the “XMLCacheMgr”
ActiveX control. HP Easy Printer Care Software 2.5 and prior versions are
vulnerable.
Ref: http://www.zerodayinitiative.com/advisories/ZDI-12-013/
http://h20565.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c02949847&ac.admitted=1326698542591.876444892.492883150


12.3.5 CVE: CVE-2011-4789

Platform: Third Party Windows Apps
Title: HP Diagnostics Server Remote Stack Buffer Overflow
Description: HP Diagnostics Server is exposed to a remote stack-based
buffer overflow issue because it fails to properly check
user-supplied data before copying it into an insufficiently sized
memory buffer. This issue affects the “magentservice.exe” when
processing specially crafted packets (packets with “0x00000000” as the
first 32-bit value) sent to TCP port 23472. All versions of HP
Diagnostics Server are affected.
Ref: http://www.zerodayinitiative.com/advisories/ZDI-12-016/
http://www.securityfocus.com/bid/51398/discuss


12.3.6 CVE: CVE-2012-0268

Platform: Third Party Windows Apps
Title: Yahoo Messenger “.jpg” File Buffer Overflow
Description: Yahoo Messenger is an instant messaging application for
Microsoft Windows. The application is exposed to a heap-based buffer
overflow issue that affects the “CYImage::LoadJPG()” function of the
“YImage.dll” library. Specifically, the issue is triggered when
processing a specially crafted “.jpg” file. Yahoo Messenger version
11.5.0.152 is vulnerable and other versions may also be affected.
Ref: http://secunia.com/advisories/47041/
http://www.securityfocus.com/bid/51405/discuss


12.3.7 CVE: CVE-2011-4053

Platform: Third Party Windows Apps
Title: 7T Interactive Graphical SCADA System DLL Loading Arbitrary
Code Execution
Description: 7T Interactive Graphical SCADA System is a SCADA
application used for monitoring and controlling industrial processes.
The application is exposed to an issue that allows attackers to
execute arbitrary code. The issue arises because the application
searches for an unspecified Dynamic Link Library file in the current
working directory. Opening an associated file from a directory that
also contains a malicious copy of that library causes the library to be
loaded and its code executed. 7T Interactive Graphical SCADA System
versions prior to V9.0.0.11291 are affected.
Ref: http://www.us-cert.gov/control_systems/pdf/ICSA-11-353-01.pdf
http://www.securityfocus.com/bid/51438/references


12.3.8 CVE: CVE-2012-0094, CVE-2012-0100, CVE-2012-0096, CVE-2012-0103,
CVE-2012-0109, CVE-2012-0099, CVE-2012-0097, CVE-2012-0098

Platform: Solaris
Title: Oracle Solaris Multiple Vulnerabilities
Description: Oracle Solaris is exposed to multiple security issues.
See reference for detailed information. Oracle Solaris 8, 9, 10 and 11
Express are affected.
Ref: http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html


12.3.9 CVE: Not Available

Platform: Cross Platform
Title: Wireshark Buffer Overflow and Denial of Service Vulnerabilities
Description: Wireshark is an application for analyzing network traffic.
The application is exposed to multiple issues. A buffer overflow issue
exists because of an error in the RLC dissector. A denial of service
issue exists due to a null pointer dereference error when reading
certain packet information. A denial of service issue exists because the
application fails to properly check record sizes for packet capture file
formats. Wireshark versions 1.4.0 through 1.4.10 and 1.6.0 through
1.6.4 are affected.
Ref: http://www.wireshark.org/security/wnpa-sec-2012-01.html


12.3.10 CVE: CVE-2011-4057

Platform: Cross Platform
Title: Wibu-Systems CodeMeter TCP Packets Denial of Service
Description: CodeMeter is a dongle-based licensing application. The
application is exposed to a denial of service issue that occurs when
processing crafted TCP packets. Wibu-Systems CodeMeter versions prior
to 4.40 are affected.
Ref: http://jvn.jp/en/jp/JVN78901873/index.html
http://www.securityfocus.com/bid/51382/discuss


12.3.11 CVE: CVE-2012-0034

Platform: Cross Platform
Title: JBoss Cache Local Information Disclosure
Description: JBoss Cache is a tree-structured, clustered cache for Java
applications. The application is exposed to a local information
disclosure issue. This issue occurs because the “getConnection()”
method of the “jboss/cache/loader/NonManagedConnectionFactory.java”
source file writes the data source password to the log, so local users
able to read the log file learn the credential. JBoss Cache 3.2.8.GA is
vulnerable and other versions may also be affected.
Ref: https://issues.jboss.org/browse/JBCACHE-1612
http://www.securityfocus.com/bid/51392/references


12.3.12 CVE: CVE-2011-4868

Platform: Cross Platform
Title: ISC DHCP Server DHCPv6 NULL Pointer Dereference Denial Of
Service
Description: ISC DHCP is a reference implementation of the DHCP protocol
and includes a DHCP server, client and relay agent. The application is
exposed to a remote denial of service issue caused by a NULL pointer
dereference error. This issue affects the DHCPv6 lease structure when
updating Dynamic DNS lease status. ISC DHCP 4.2.2, 4.2.3 and 4.2.3-P1
are vulnerable and other versions may also be affected.
Ref: https://www.isc.org/software/dhcp/advisories/cve-2011-4868


12.3.13 CVE: Not Available

Platform: Cross Platform
Title: Jenkins Hash Collision Denial Of Service
Description: Jenkins is a web-based continuous integration server. The
application is exposed to a denial of service issue: form parameter
names are stored in a hash table, and an attacker can exploit this issue
by sending a small number of specially crafted form posts whose
parameter names all hash to the same value, forcing the server to spend
excessive CPU time on each request. Jenkins 1.446 and prior versions and
Jenkins LTS 1.424.1 and prior versions are affected.
Ref:
http://www.cloudbees.com/jenkins-advisory/jenkins-security-advisory-2012-01-10.cb
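The mechanism behind 12.3.13 is hash flooding of Java’s String.hashCode(): a HashMap keyed by parameter name degenerates into one long chain when every name has the same hash, so each insertion walks the whole chain and one POST costs quadratic CPU time. The Python below is an added example, not Jenkins code: it reimplements Java’s hashCode arithmetic, generates colliding names from the well-known “Aa”/“BB” pair, shapes them into the kind of form body the advisory describes, and counts the comparisons a chained table performs so the quadratic cost is measurable. The table, bucket count and parameter value are models constructed for illustration, not Jenkins internals.

```python
from itertools import product
from urllib.parse import urlencode


def java_string_hash(s: str) -> int:
    """Java's String.hashCode(): h = 31*h + c over UTF-16 code units with
    32-bit signed wrap-around.  Inputs here are ASCII, so ord() matches."""
    h = 0
    for ch in s:
        h = (31 * h + ord(ch)) & 0xFFFFFFFF
    return h - (1 << 32) if h & 0x80000000 else h


def colliding_names(blocks: int):
    """Every concatenation of `blocks` copies of "Aa" or "BB" hashes identically,
    because "Aa" and "BB" already collide (65*31+97 == 66*31+66 == 2112).
    Returns 2**blocks distinct strings sharing one hashCode."""
    return ["".join(p) for p in product(("Aa", "BB"), repeat=blocks)]


def all_same_hash(names) -> bool:
    return len({java_string_hash(n) for n in names}) == 1


def form_body(names, value: str = "x") -> str:
    """An application/x-www-form-urlencoded body using the names as parameters:
    the shape of the 'specially crafted form post'."""
    return urlencode([(n, value) for n in names])


class ChainedTable:
    """Minimal separate-chaining hash table keyed on java_string_hash.  It counts
    key comparisons so the O(n^2) insertion cost of colliding keys is visible.
    Bucket = hash & (size-1); any function of the hash alone puts identical
    hashes in one bucket, so Java's extra bit-spreading would not help."""

    def __init__(self, nbuckets: int = 1 << 12):
        self.buckets = [[] for _ in range(nbuckets)]
        self.comparisons = 0

    def put(self, key: str, value) -> None:
        chain = self.buckets[java_string_hash(key) & (len(self.buckets) - 1)]
        for entry in chain:
            self.comparisons += 1
            if entry[0] == key:
                entry[1] = value
                return
        chain.append([key, value])


def insertion_comparisons(names) -> int:
    """Key comparisons needed to insert all names into an empty table."""
    table = ChainedTable()
    for n in names:
        table.put(n, "x")
    return table.comparisons


if __name__ == "__main__":
    hostile = colliding_names(10)            # 1024 names, one hash
    benign = [f"param{i}" for i in range(1024)]
    print("hostile comparisons:", insertion_comparisons(hostile))  # n(n-1)/2
    print("benign comparisons: ", insertion_comparisons(benign))
    print("body size:", len(form_body(hostile)), "bytes")
```

Raising `blocks` by one doubles the parameter count and quadruples the comparisons, which is why a body of a few hundred kilobytes is enough. The fixes shipped by Java web stacks in this period were a cap on the number of request parameters and, later, randomised string hashing.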


12.3.14 CVE: CVE-2012-0072,CVE-2012-0082

Platform: Cross Platform
Title: Oracle Database Server Multiple Vulnerabilities
Description: Oracle Database Server is exposed to two remote security
issues. See reference for detailed information. Oracle Database Server
versions 10.1.0.5, 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2 and
11.2.0.3 are affected.
Ref:
http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html#AppendixDB


12.3.15 CVE: CVE-2011-3573,CVE-2011-3565,CVE-2011-3574,CVE-2011-3570

Platform: Cross Platform
Title: Oracle Communications Unified Multiple Vulnerabilities
Description: Oracle Communications Unified is exposed to multiple
security issues. See reference for detailed information. Oracle
Communications Unified version 7.0 is affected.
Ref:
http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html#AppendixSUNS


12.3.16 CVE: CVE-2011-3564, CVE-2011-5035, CVE-2012-0104, CVE-2012-0081

Platform: Cross Platform
Title: Oracle GlassFish Enterprise Server Multiple Vulnerabilities
Description: Oracle GlassFish is an open source Application Server.
The application is exposed to multiple security issues. See reference
for detailed information. GlassFish Enterprise Server 2.1.1, 3.0.1 and
3.1.1 are affected.
Ref:
http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html#AppendixSUNS


12.3.17 CVE: CVE-2012-0113, CVE-2011-2262, CVE-2012-0116, CVE-2012-0118,
CVE-2012-0496, CVE-2012-0087, CVE-2012-0101, CVE-2012-0102, CVE-2012-0115,
CVE-2012-0119, CVE-2012-0120, CVE-2012-0484, CVE-2012-0485, CVE-2012-0486,
CVE-2012-0487, CVE-2012-0488, CVE-2012-0489, CVE-2012-0490, CVE-2012-0491,
CVE-2012-0495, CVE-2012-0112, CVE-2012-0117, CVE-2012-0114, CVE-2012-0492,
CVE-2012-0493, CVE-2012-0075, CVE-2012-0494

Platform: Cross Platform
Title: Oracle MySQL Multiple Vulnerabilities
Description: Oracle MySQL is database software. The application is
exposed to multiple security issues. These issues may be remotely
exploited without authentication. See reference for detailed
information. Oracle MySQL versions 5.0.x, 5.1.x and 5.5.x are affected.
Ref:
http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html#AppendixMSQL


12.3.18 CVE: Not Available

Platform: Web Application - Cross Site Scripting
Title: KnowledgeTree Multiple Cross-Site Scripting Vulnerabilities
Description: KnowledgeTree is an open source document manager. The
application is exposed to multiple cross-site scripting issues because
the “config/dmsDefaults.php” script fails to properly sanitize
user-supplied input submitted to the append URL of the “login.php”,
“admin.php” and “preferences.php” scripts. KnowledgeTree 3.7.0.2 is
vulnerable and prior versions may also be affected.
Ref: http://www.knowledgetree.org/Security_advisory:_URL_Manipulation


12.3.19 CVE: CVE-2012-0389

Platform: Web Application - Cross Site Scripting
Title: MailEnable “ForgottonPassword.aspx” Cross-Site Scripting
Description: MailEnable is a mail server for Windows with a web-based
interface. The application is exposed to a cross-site scripting issue
because it fails to properly sanitize user-supplied input submitted to
the “Username” parameter of the “ForgottenPassword.aspx” script. The
Professional, Enterprise and Premium editions are affected in versions
4.26 and prior, 5.52 and prior and 6.02 and prior.
Ref: http://www.securityfocus.com/bid/51401/references
http://www.mailenable.com/kb/Content/Article.asp?ID=me020567


12.3.20 CVE: CVE-2012-0031

Platform: Web Application
Title: Apache HTTP Server Scoreboard Local Security Bypass
Description: Apache HTTP Server is a widely deployed web server. The
application is exposed to a local security bypass issue. Specifically,
this issue occurs because the child processes, which run as an
unprivileged user, are able to change the value of the
“ap_scoreboard_e sb_type” member of the “global_score” structure in the
shared-memory scoreboard, causing the privileged parent process to
perform an invalid free on shutdown. Apache 2.0.x and 2.2.x are
affected.
Ref:
http://www.halfdog.net/Security/2011/ApacheScoreboardInvalidFreeOnShutdown/
http://svn.apache.org/viewvc?view=revision&revision=1230065
http://www.securityfocus.com/bid/51407/references


12.3.21 CVE: CVE-2011-1376

Platform: Web Application
Title: IBM WebSphere Application Server “iscdeploy” Script Insecure
File Permissions
Description: IBM WebSphere Application Server is an application server
used for service-oriented architectures. The application is exposed to
a local insecure file permissions issue. Specifically, this issue
occurs because the “iscdeploy” script sets insecure permissions on
files in the “$WAS_HOME/systemapps/isclite.ear” and
“$WAS_HOME/bin/client_ffdc” directories. IBM WebSphere Application
Server versions 6.1 through 6.1.0.41, 7.0 through 7.0.0.19 and 8.0
through 8.0.0.1 are affected.
Ref: http://www-01.ibm.com/support/docview.wss?uid=swg21569205
http://www-01.ibm.com/support/docview.wss?uid=swg24031675


12.3.22 CVE: Not Available

Platform: Web Application
Title: Kayako SupportSuite Multiple Vulnerabilities
Description: Kayako SupportSuite is a web-based support suite
implemented in PHP. The application is exposed to multiple
security issues. See reference for further details. Kayako
SupportSuite versions prior to 4.0 are affected.
Ref: http://www.securityfocus.com/bid/51377/references


12.3.23 CVE: Not Available

Platform: Web Application
Title: MediaWiki Cache Pollution Information Disclosure
Description: MediaWiki is a wiki application written in PHP. The
application is exposed to an information disclosure issue.
Specifically, if a privileged user diffs a hidden revision against
another, the diff may be cached and later retrieved from the cache by a
non-privileged user without a visibility check. The issue affects the
“ApiQueryRevisions.php” source file. MediaWiki versions prior to 1.17.2
are affected.
Ref: https://bugzilla.wikimedia.org/show_bug.cgi?id=33117
http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_17_2/phase3/RELEASE-NOTES
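The failure in 12.3.23 is a general one: a result computed under one user’s permissions is cached under a key that carries no record of those permissions, so the next reader gets it without a check. The Python below is an added example, not MediaWiki code: a toy revision store and two diff services, one that authorises only on a cache miss (the vulnerable shape) and one that authorises on every request before touching the cache. The classes, the hidden flag and the sample revisions are constructed for illustration.

```python
import difflib
from dataclasses import dataclass


@dataclass(frozen=True)
class Revision:
    rev_id: int
    text: str
    hidden: bool = False  # model of a suppressed revision only privileged users may see


@dataclass(frozen=True)
class User:
    name: str
    can_view_hidden: bool = False


def compute_diff(old: Revision, new: Revision) -> str:
    return "".join(difflib.unified_diff(
        old.text.splitlines(keepends=True), new.text.splitlines(keepends=True),
        fromfile=f"r{old.rev_id}", tofile=f"r{new.rev_id}"))


def may_view(user: User, *revs: Revision) -> bool:
    return user.can_view_hidden or not any(r.hidden for r in revs)


class CacheMissOnlyDiffService:
    """Vulnerable shape: permission is checked only when the diff must be
    computed.  Once a privileged user primes the cache, anyone asking for the
    same (old, new) key reads the hidden content straight back."""

    def __init__(self):
        self.cache = {}
        self.computed = 0

    def diff(self, user: User, old: Revision, new: Revision) -> str:
        key = (old.rev_id, new.rev_id)
        if key not in self.cache:
            if not may_view(user, old, new):
                raise PermissionError(f"{user.name} may not view hidden revisions")
            self.cache[key] = compute_diff(old, new)
            self.computed += 1
        return self.cache[key]


class CheckedDiffService(CacheMissOnlyDiffService):
    """Fixed shape: authorise on every request before consulting the cache.
    Caching still works for permitted readers, but the cache can no longer
    launder a privileged user's result to an unprivileged one."""

    def diff(self, user: User, old: Revision, new: Revision) -> str:
        if not may_view(user, old, new):
            raise PermissionError(f"{user.name} may not view hidden revisions")
        return super().diff(user, old, new)


def leaked_via_cache(service_cls) -> bool:
    """Scenario: an admin diffs a hidden revision, then an anonymous user asks
    for the same diff.  Returns True if the anonymous user received the text."""
    public = Revision(1, "The quick brown fox\n")
    secret = Revision(2, "The quick brown fox\nLEAKED: private phone number\n", hidden=True)
    admin, anon = User("admin", can_view_hidden=True), User("anon")
    svc = service_cls()
    svc.diff(admin, public, secret)  # legitimate request that primes the cache
    try:
        return "LEAKED" in svc.diff(anon, public, secret)
    except PermissionError:
        return False


if __name__ == "__main__":
    print("cache-miss-only check leaks:", leaked_via_cache(CacheMissOnlyDiffService))
    print("check-on-every-read leaks:  ", leaked_via_cache(CheckedDiffService))
```

The alternative fix, refusing to cache any diff that involves a hidden revision, also closes the hole; checking on every read is preferred because it keeps working when a revision is hidden after the diff was cached.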


12.3.24 CVE: Not Available

Platform: Web Application
Title: VBulletin Multiple Products “blog_post.php” Security Bypass
Description: vBulletin is a forum and publishing application implemented
in PHP. The application is exposed to a security bypass issue.
Specifically, this issue occurs due to improper checking of certain
security permissions in the “blog_post.php” script. Versions prior to
vBulletin Publishing Suite 4.1.10 are affected.
Ref: https://www.vbulletin.com/forum/showthread.php/394259
http://www.securityfocus.com/bid/51391/references


12.3.25 CVE: CVE-2012-0079

Platform: Web Application
Title: Oracle OpenSSO Remote Security Vulnerability
Description: Oracle OpenSSO is a solution that provides Web access
management, federated single sign-on and Web services security in a
single, self-contained application. The application is exposed to a
remote security issue that can be exploited over the “HTTPS” protocol.
The “Administration” sub component is affected. Oracle OpenSSO version
7.1 and 8.0 are affected.
Ref:
http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html#AppendixSUNS


12.3.26 CVE: CVE-2011-4788

Platform: Hardware
Title: HP StorageWorks Default Accounts and Directory Traversal
Vulnerabilities
Description: HP StorageWorks is a storage array solution. The device is
exposed to multiple security issues. A security bypass issue occurs due
to the existence of a default account which allows unauthorized users
to log into the device. A directory traversal issue exists within the
web interface. HP StorageWorks P2000 G3 is affected.
Ref: http://www.securityfocus.com/bid/51399/discuss
http://www.zerodayinitiative.com/advisories/ZDI-12-015/

