@RISK Newsletter for January 26, 2012
The consensus security vulnerability alert.
Vol. 12, Num. 4
This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.
Archived issues may be found at the SANS @RISK Newsletter Archive.
Summary of Updates and Vulnerabilities in this Consensus
Platform | Number of Updates and Vulnerabilities
— | —
Linux | 2
Cross Platform | 13 (#1)
Web Application - Cross Site Scripting | 2
Web Application - SQL Injection | 1
Web Application | 4
Network Device | 1
Part I – Critical Vulnerabilities from HP TippingPoint
(dvlabs.tippingpoint.com)
Widely Deployed Software
(1) MEDIUM: Google Chrome Stable Channel Updates
Part II – Comprehensive List of Newly Discovered Vulnerabilities from Qualys
Linux
12.4.1 - Linux Kernel iocbs Local Denial of Service
12.4.2 - Linux Kernel Local Privilege Escalation
Cross Platform
12.4.3 - Cisco Digital Media Manager Remote Privilege Escalation
12.4.4 - JBoss “mod_cluster” Security Bypass
12.4.5 - OpenSSL DTLS Remote Denial of Service
12.4.6 - Tucan Manager Plugin Update Security Bypass
12.4.7 - Multiple Red Hat Network Products XMLRPC Credential Information Disclosure
12.4.8 - GE Energy D20/D200 Substation Controller Code Execution and Information Disclosure Vulnerabilities
12.4.9 - KingSCADA Credential Information Disclosure
12.4.10 - IBM Lotus Symphony Image Object Integer Overflow
12.4.11 - IBM solidDB “SELECT” Statement Denial of Service
12.4.12 - Apache Struts “ParameterInterceptor” Class OGNL Security Bypass
12.4.13 - Google Chrome Multiple Security Vulnerabilities
12.4.14 - SAP NetWeaver Multiple Remote Vulnerabilities
12.4.15 - Opera Web Browser Information Disclosure and Security Bypass Vulnerabilities
Web Application - Cross Site Scripting
12.4.16 - IBM WebSphere Application Server Cross-Site Scripting
12.4.17 - osCommerce Multiple Unspecified Cross-Site Scripting Vulnerabilities
Web Application - SQL Injection
12.4.18 - SolarWinds Storage Manager Server SQL Injection
Web Application
12.4.19 - IBM WebSphere Application Server SibRaRecoverableSiXaResource Information Disclosure
12.4.20 - WordPress uCan Post plugin Multiple HTML Injection Vulnerabilities
12.4.21 - WordPress AllWebMenus Plugin “actions.php” Arbitrary File Upload
12.4.22 - Joomla! “com_some” Component “controller” Parameter Local File Include
Network Device
12.4.23 - Cisco IP Video Phone E20 Default Root Credentials Authentication Bypass
PART I Critical Vulnerabilities
Part I for this issue has been compiled by Josh Bronson at TippingPoint,
a division of HP, as a by-product of that company’s continuous effort
to ensure that its intrusion prevention products effectively block
exploits using known vulnerabilities. TippingPoint’s analysis is
complemented by input from a council of security managers from twelve
large organizations who confidentially share with SANS the specific
actions they have taken to protect their systems. A detailed description
of the process may be found at
http://www.sans.org/newsletters/risk/#process
(1) MEDIUM: Google Chrome Stable Channel Updates
Affected:
Google Chrome prior to 16.0.912.77
Description: Google has released updates for multiple security
vulnerabilities affecting its Chrome web browser. The five
vulnerabilities are all rated “High” or “Critical” by Google and include
use-after-free vulnerabilities in DOM handling and Safe Browsing
navigation, use of an uninitialized value in Skia (Google’s 2D graphics
library) and a heap buffer overflow in the tree builder. By enticing a
target to view a malicious page, an attacker can exploit these
vulnerabilities to execute arbitrary code on the target’s
machine.
Status: vendor confirmed, updates available
References:
Vendor Site
http://www.google.com
Google Stable Channel Update
http://googlechromereleases.blogspot.com/2012/01/stable-channel-update_23.html
SecurityFocus BugTraq ID
http://www.securityfocus.com/bid/51641
Part II – Comprehensive List of Newly Discovered Vulnerabilities from Qualys
This list is compiled by Qualys (www.qualys.com) as part of that
company’s ongoing effort to ensure its vulnerability management web
service tests for all known vulnerabilities that can be scanned. As of
this week Qualys scans for 13091 unique vulnerabilities. For this
special SANS community listing, Qualys also includes vulnerabilities
that cannot be scanned remotely.
12.4.1 CVE: CVE-2012-0058
Platform: Linux
Title: Linux Kernel iocbs Local Denial of Service
Description: The Linux kernel is exposed to a local denial of service
issue that occurs when one of the iocbs submitted by a user fails. The
remaining iocbs are left unprocessed but still active; because they are
never removed, the list can become corrupted, resulting in a kernel oops.
Ref: http://www.securityfocus.com/bid/51534/references
12.4.2 CVE: CVE-2012-0056
Platform: Linux
Title: Linux Kernel Local Privilege Escalation
Description: The Linux kernel is exposed to a local privilege
escalation issue because it fails to adequately restrict write access to
the “/proc/<pid>/mem” file. Successfully exploiting this issue allows a
local attacker to write into the memory of a privileged process.
Ref: http://blog.zx2c4.com/749
12.4.3 CVE: CVE-2012-0329
Platform: Cross Platform
Title: Cisco Digital Media Manager Remote Privilege Escalation
Description: The Cisco Digital Media Manager is the central management
application for all Cisco Digital Media Suite products. The application
is exposed to a remote privilege escalation issue because of improper
validation of unreferenced URLs. See reference for further details.
Ref:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120118-dmm
12.4.4 CVE: CVE-2011-4608
Platform: Cross Platform
Title: JBoss “mod_cluster” Security Bypass
Description: The JBoss “mod_cluster” module is a load balancing module
used with various JBoss products. It is exposed to a remote security
bypass issue because it allows worker nodes to register on any virtual
host regardless of the security constraints applied to that host, so a
remote attacker could register arbitrary worker nodes.
Ref: https://rhn.redhat.com/errata/RHSA-2012-0040.html
12.4.5 CVE: CVE-2012-0050
Platform: Cross Platform
Title: OpenSSL DTLS Remote Denial of Service
Description: OpenSSL is an open source implementation of the SSL and
TLS protocols. OpenSSL is exposed to a DTLS denial of service issue
because the fix for CVE-2011-4108 was incomplete. Only OpenSSL versions
1.0.0f and 0.9.8s, which contain that fix, are affected.
Ref: http://www.openssl.org/news/secadv_20120118.txt
12.4.6 CVE: CVE-2012-0063
Platform: Cross Platform
Title: Tucan Manager Plugin Update Security Bypass
Description: Tucan Manager is a file sharing application. Tucan
Manager is exposed to a security bypass issue because the
application fails to properly check digital signatures before
installing plugins. Tucan Manager version 0.3.9-1 is affected.
Ref: https://bugzilla.redhat.com/show_bug.cgi?id=782999
12.4.7 CVE: CVE-2012-0059
Platform: Cross Platform
Title: Multiple Red Hat Network Products XMLRPC Credential
Information Disclosure
Description: Multiple Red Hat products including Red Hat Network
Satellite Server, Red Hat Network Proxy Server and Spacewalk are
exposed to a remote information disclosure issue. The problem occurs
when handling a failed XMLRPC system registration call.
Ref: https://bugzilla.redhat.com/show_bug.cgi?id=782819
12.4.8 CVE: Not Available
Platform: Cross Platform
Title: GE Energy D20/D200 Substation Controller Code Execution and
Information Disclosure Vulnerabilities
Description: D20/D200 Substation Controller is a software application
that provides substation server functionality in a mission critical,
substation hardened package. D20/D200 Substation Controller is exposed
to multiple issues, both caused by unspecified errors within its TFTP
service: one allows arbitrary code execution and the other allows
information disclosure.
Ref: http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-12-019-01.pdf
12.4.9 CVE: Not Available
Platform: Cross Platform
Title: KingSCADA Credential Information Disclosure
Description: KingSCADA is an Interactive Graphical SCADA System.
KingSCADA is exposed to a remote information disclosure issue because
user credentials are insecurely stored in the “user.db”. KingSCADA
version 3.0 is affected.
Ref: http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-12-020-06.pdf
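The item above concerns credentials kept in a recoverable form in a local database. The following is an added example, not KingSCADA code: it shows how a password store can be kept so that a copied database does not yield usable credentials (per-user salt, PBKDF2, constant-time comparison) and includes a small audit that flags records not in that form. The record layout, the iteration count and the constructed sample store are assumptions.

```python
"""Salted, iterated password records plus an audit of an existing store.

Added illustration for the newsletter; not vendor code. The record
layout (algo$iterations$salt$key), the iteration count and SAMPLE_STORE
are assumptions made for this example.
"""
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional

ALGO = "pbkdf2_sha256"
ITERATIONS = 100_000  # assumption for this example; tune to the target hardware


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algo$iterations$salt$derived_key."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per record
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "$".join([ALGO, str(ITERATIONS), _b64(salt), _b64(dk)])


def verify_password(password: str, record: str) -> bool:
    """Recompute the key from the record's own salt/iterations; compare in constant time."""
    try:
        algo, iters, salt_b64, dk_b64 = record.split("$")
        iterations = int(iters)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
    except (ValueError, TypeError):
        return False  # malformed record (including a bare recoverable value)
    if algo != ALGO or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def audit_store(records: Dict[str, str]) -> List[str]:
    """Names of users whose stored credential is not a pbkdf2 record."""
    return sorted(user for user, rec in records.items() if not rec.startswith(ALGO + "$"))


# Constructed sample store (not the real user.db format): one recoverable
# value of the kind the alert warns about, one properly derived record.
SAMPLE_STORE = {
    "operator": "operator123",
    "engineer": hash_password("correct horse"),
}

if __name__ == "__main__":
    print("users with recoverable credentials:", audit_store(SAMPLE_STORE))
    print("engineer login ok:", verify_password("correct horse", SAMPLE_STORE["engineer"]))
```

The audit is the part a practitioner would run first against an exported store: any record that is not a self-describing derived key is treated as recoverable and listed for migration.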
12.4.10 CVE: CVE-2012-0192
Platform: Cross Platform
Title: IBM Lotus Symphony Image Object Integer Overflow
Description: IBM Lotus Symphony is productivity software that contains
three applications: Lotus Symphony Documents, Lotus Symphony
Spreadsheets and Lotus Symphony Presentations. IBM Lotus Symphony is
exposed to an integer overflow issue because it fails to properly
validate user-supplied input when processing embedded image objects.
IBM Lotus Symphony version 3.0.0 FP3 revision 20110707.1500 is affected.
Ref: http://www-01.ibm.com/support/docview.wss?uid=swg21578684
12.4.11 CVE: Not Available
Platform: Cross Platform
Title: IBM solidDB “SELECT” Statement Denial of Service
Description: IBM solidDB is a relational SQL database. IBM solidDB is
exposed to a denial of service issue when processing a “SELECT”
statement, which contains a rownum condition with a subquery. IBM
solidDB versions prior to 6.5.0.8 Interim Fix 5 are affected.
Ref: http://www-01.ibm.com/support/docview.wss?rs=3457&uid=swg1IC79861
12.4.12 CVE: CVE-2011-3923
Platform: Cross Platform
Title: Apache Struts “ParameterInterceptor” Class OGNL Security Bypass
Description: Apache Struts is a framework for building web
applications. Apache Struts is exposed to a security bypass issue
because it fails to adequately handle user-supplied input.
Specifically, the application permits attackers to bypass protection
mechanisms built into the “ParameterInterceptor” class with OGNL
expressions. Apache Struts versions 2.0.0 through 2.3.1.1 are affected.
Ref:
https://www.sec-consult.com/files/20120104-0_Apache_Struts2_Multiple_Critical_Vulnerabilities.txt
12.4.13 CVE: CVE-2011-3924, CVE-2011-3925, CVE-2011-3926, CVE-2011-3927, CVE-2011-3928
Platform: Cross Platform
Title: Google Chrome Multiple Security Vulnerabilities
Description: Google Chrome is a web browser for multiple platforms.
Google Chrome is exposed to multiple security issues. See reference
for complete details. Chrome versions prior to 16.0.912.77 are affected.
Ref:
http://googlechromereleases.blogspot.com/2012/01/stable-channel-update_23.html
12.4.14 CVE: Not Available
Platform: Cross Platform
Title: SAP NetWeaver Multiple Remote Vulnerabilities
Description: SAP NetWeaver is an integration platform for enterprise
applications. The platform is exposed to multiple issues. A security
bypass issue allows attackers to gain unauthorized access to Runtime
Workbench resources. An information disclosure issue affects the
“PFL_CHECK_OS_FILE_EXISTENCE” function.
Ref: http://dsecrg.com/pages/vul/show.php?id=411
12.4.15 CVE: Not Available
Platform: Cross Platform
Title: Opera Web Browser Information Disclosure and Security Bypass
Vulnerabilities
Description: Opera Web Browser is a browser available for multiple
operating systems. Opera Web Browser is exposed to multiple issues. An
information disclosure issue occurs because certain types of HTML
elements fail to behave properly when referencing a local file. A
security bypass issue lets attackers bypass the same-origin policy
because of an error related to framed content. Opera versions prior to
11.61 are affected.
Ref: http://www.opera.com/support/kb/view/1008/
12.4.16 CVE: CVE-2011-5065
Platform: Web Application - Cross Site Scripting
Title: IBM WebSphere Application Server Cross-Site Scripting
Description: IBM WebSphere Application Server for z/OS is a Java
application server. The server is exposed to an unspecified cross-site
scripting issue because it fails to properly sanitize user-supplied
input. IBM WebSphere Application Server versions prior to 6.1.0.41 are
affected.
Ref: http://www-01.ibm.com/support/docview.wss?uid=swg27007951
12.4.17 CVE: CVE-2012-0311, CVE-2012-0312
Platform: Web Application - Cross Site Scripting
Title: osCommerce Multiple Unspecified Cross-Site Scripting
Vulnerabilities
Description: osCommerce is a web-based shopping cart application. The
application is exposed to multiple unspecified cross-site scripting
issues because it fails to properly sanitize user-supplied input.
Ref: http://jvn.jp/en/jp/JVN36559450/index.html
12.4.18 CVE: Not Available
Platform: Web Application - SQL Injection
Title: SolarWinds Storage Manager Server SQL Injection
Description: Storage Manager Server is an application for storage
virtualization management. The application is exposed to an SQL injection
issue because it fails to sufficiently sanitize user-supplied data to
the “loginName” field of the “LoginServlet” page. Storage Manager
Server version 5.1.2 is affected.
Ref: http://www.securityfocus.com/archive/1/521328
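The item above describes an injection through a login field. The following is an added example, not SolarWinds code, that puts the vulnerable pattern (query text assembled from the field value) beside the parameterized form and runs two classic payloads against both on a constructed in-memory SQLite table. The table layout, the sample account and the check_login_* function names are assumptions.

```python
"""Login lookup built by string concatenation vs. a parameterized query.

Added illustration for the newsletter; not vendor code. The schema,
the sample user and the function names are assumptions.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory sample database with a single account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (loginName TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    conn.commit()
    return conn


def check_login_vulnerable(conn: sqlite3.Connection, login_name: str, password: str) -> bool:
    """The bug pattern: field values are spliced into the SQL text."""
    sql = ("SELECT COUNT(*) FROM users WHERE loginName = '" + login_name
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


def check_login_fixed(conn: sqlite3.Connection, login_name: str, password: str) -> bool:
    """Same lookup with bound parameters: the values never reach the SQL parser as code."""
    sql = "SELECT COUNT(*) FROM users WHERE loginName = ? AND password = ?"
    return conn.execute(sql, (login_name, password)).fetchone()[0] > 0


# Two generic payloads: a tautology that closes the quote and appends an
# always-true clause, and a name that comments out the password check.
TAUTOLOGY = "' OR '1'='1"
COMMENT_OUT = "admin' --"


def demo() -> dict:
    """Run legitimate and injected logins against both implementations."""
    conn = make_db()
    return {
        "legit_vuln": check_login_vulnerable(conn, "admin", "s3cret"),
        "inject_vuln": check_login_vulnerable(conn, TAUTOLOGY, TAUTOLOGY),
        "comment_vuln": check_login_vulnerable(conn, COMMENT_OUT, "whatever"),
        "legit_fixed": check_login_fixed(conn, "admin", "s3cret"),
        "inject_fixed": check_login_fixed(conn, TAUTOLOGY, TAUTOLOGY),
        "comment_fixed": check_login_fixed(conn, COMMENT_OUT, "whatever"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:14s} -> {'login accepted' if ok else 'rejected'}")
```

With the concatenated query both payloads are accepted without the password; with bound parameters the same strings are compared as literal user names and fail.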
12.4.19 CVE: CVE-2011-5066
Platform: Web Application
Title: IBM WebSphere Application Server SibRaRecoverableSiXaResource
Information Disclosure
Description: The IBM WebSphere Application Server is available
for various operating systems. The IBM WebSphere Application Server is
exposed to a remote information disclosure issue because it does not
properly handle a Service Integration Bus dump operation.
Ref: http://www-01.ibm.com/support/docview.wss?uid=swg1PM36685
12.4.20 CVE: Not Available
Platform: Web Application
Title: WordPress uCan Post plugin Multiple HTML Injection
Vulnerabilities
Description: WordPress is a PHP-based content manager. uCan Post is a
plugin for WordPress. The plugin is exposed to multiple HTML injection
issues because it fails to properly sanitize user-supplied input
submitted to the “Name”, “Email” and “Title” fields. uCan Post
version 1.0.09 is affected.
Ref: http://www.securityfocus.com/bid/51564
12.4.21 CVE: Not Available
Platform: Web Application
Title: WordPress AllWebMenus Plugin “actions.php” Arbitrary File
Upload
Description: AllWebMenus is a plugin for WordPress. The plugin is
exposed to an arbitrary file upload issue because it fails to properly
validate the extensions of uploaded files. AllWebMenus versions prior to
1.1.9 are affected.
Ref: http://www.securityfocus.com/bid/51615
12.4.22 CVE: Not Available
Platform: Web Application
Title: Joomla! “com_some” Component “controller” Parameter Local File
Include
Description: “com_some” is a component for the Joomla! content
manager. The component is exposed to a local file include issue
because it fails to properly sanitize user-supplied input submitted to
the “controller” parameter of the “index.php” script.
Ref: http://www.securityfocus.com/bid/51621
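Items 12.4.21 (upload extension validation) and 12.4.22 (a request parameter spliced into an include path) are two faces of the same problem: a file name chosen by the client. The following added example, not the AllWebMenus or Joomla! code, shows a strict upload-name check and an allowlist mapping for the controller parameter, together with a helper that makes the traversal in the vulnerable form visible. The directory layout, the permitted extensions and the controller names are assumptions.

```python
"""Handling client-controlled file names: upload extension check and
controller allowlist. Added illustration for the newsletter; not the
plugin or component code. Paths, extensions and controller names are
assumptions made for this example.
"""
import os
import posixpath
import re
from typing import Optional

ALLOWED_UPLOAD_EXT = {".png", ".jpg", ".jpeg", ".gif"}  # assumed image-only policy


def safe_upload_name(client_filename: str) -> Optional[str]:
    """Return the name to store for an upload, or None to reject it."""
    # Drop any directory part the client sent, whichever separator it used.
    base = client_filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Exactly one dot: rejects dotfiles, 'shell.php.png' and 'a.png\x00.php' style names.
    if base.count(".") != 1 or base.startswith("."):
        return None
    stem, ext = os.path.splitext(base)
    if ext.lower() not in ALLOWED_UPLOAD_EXT:
        return None
    # Conservative character set for the stem: no NUL, no shell metacharacters.
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", stem):
        return None
    return stem + ext.lower()


CONTROLLERS_DIR = "/var/www/joomla/components/com_example/controllers"  # assumed layout
KNOWN_CONTROLLERS = {"item", "items", "category"}                       # assumed names


def controller_path_vulnerable(controller: str) -> str:
    """Mirrors the bug pattern: the request parameter is spliced into the include path."""
    return CONTROLLERS_DIR + "/" + controller + ".php"


def controller_path_fixed(controller: str) -> Optional[str]:
    """Map the parameter through an allowlist; anything else is refused, never resolved."""
    if controller not in KNOWN_CONTROLLERS:
        return None
    return posixpath.join(CONTROLLERS_DIR, controller + ".php")


def escapes_dir(path: str, base: str = CONTROLLERS_DIR) -> bool:
    """True if the normalised path lands outside `base` (what '../' sequences achieve)."""
    return not posixpath.normpath(path).startswith(base + "/")


if __name__ == "__main__":
    for name in ("photo.PNG", "shell.php", "shell.php.png", "../../x.gif"):
        print(f"upload {name!r:22s} -> {safe_upload_name(name)}")
    evil = "../../../../../../etc/passwd"
    print("vulnerable include resolves to",
          posixpath.normpath(controller_path_vulnerable(evil)))
    print("fixed include for same value ->", controller_path_fixed(evil))
```

The upload check deliberately rejects names with more than one dot rather than trying to enumerate dangerous extensions; the controller check maps names rather than sanitising them, so the file system path is never built from attacker input at all.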
12.4.23 CVE: CVE-2011-4659
Platform: Network Device
Title: Cisco IP Video Phone E20 Default Root Credentials
Authentication Bypass
Description: Cisco IP Video Phone E20 is a communication device which
merges voice, video and collaboration into one unit. Cisco IP Video
Phone E20 is exposed to a remote authentication bypass issue because
the default “root” account is not properly disabled.
Ref:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120118-te