@RISK Newsletter for February 09, 2012
The consensus security vulnerability alert.
Vol. 12, Num. 6
This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.
Archived issues may be found at the SANS @RISK Newsletter Archive.
Summary of Updates and Vulnerabilities in this Consensus
Platform | Number of Updates and Vulnerabilities
Third Party Windows App | 7
Linux | 1 (#2)
Aix | 1
Cross Platform | 4 (#1)
Web Application - Cross Site Scripting | 3
Web Application - SQL Injection | 2
Web Application | 7
Part I – Critical Vulnerabilities from HP TippingPoint (dvlabs.tippingpoint.com)
Widely Deployed Software
(1) MEDIUM: RealNetworks RealPlayer Multiple Security Vulnerabilities
(2) MEDIUM: Novell iPrint Server Buffer Overflow
Part II – Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Third Party Windows Apps
12.6.1 - Siemens SIMATIC HMI Multiple Unspecified Cross Site Scripting Vulnerabilities
12.6.2 - Skype Prior to 5.8.0.154 Unspecified Security Vulnerability
12.6.3 - Symantec pcAnywhere Session Closure Access Violation
12.6.4 - Edraw Diagram Component ActiveX Control Buffer Overflow
12.6.5 - TYPSoft FTP Server Multiple Commands Remote Denial of Service Vulnerabilities
12.6.6 - XnView JPEG2000 Buffer Overflow
12.6.7 - Ing. Punzenberger COPA-DATA GmbH zenon Multiple Denial of Service Vulnerabilities
Linux
12.6.8 - JBoss Web Remote Denial of Service
Aix
12.6.9 - IBM AIX TCP Stack Denial of Service
Cross Platform
12.6.10 - PHP “htmlspecialchars()” Function Buffer Overflow
12.6.11 - Condor Multiple Format String Vulnerabilities
12.6.12 - Real Networks RealPlayer Multiple Remote Code Execution Vulnerabilities
12.6.13 - Apache CXF UsernameToken Policy Validation Security Bypass
Web Application - Cross Site Scripting
12.6.14 - NexorONE “login.php” Multiple Cross-Site Scripting Vulnerabilities
12.6.15 - Simple Groupware “export” Parameter Cross-Site Scripting
12.6.16 - eFront “administrator.php” Cross-Site Scripting
Web Application - SQL Injection
12.6.17 - HDWiki URI SQL Injection
12.6.18 - BASE “base_qry_main.php” SQL Injection
Web Application
12.6.19 - Apache HTTP Server “mod_proxy” Reverse Proxy Security Bypass
12.6.20 - ManageEngine Applications Manager Multiple Cross-Site Scripting and SQL Injection Vulnerabilities
12.6.21 - TYPO3 Third Party Extensions Multiple Vulnerabilities
12.6.22 - DotNetNuke Cross-Site Scripting and Security Bypass Vulnerabilities
12.6.23 - EMC Documentum xPlore Information Disclosure
12.6.24 - EPiServer CMS Cross-Site Scripting and Security Bypass Vulnerabilities
12.6.25 - Vespa “getid3.php” Local File Include
PART I Critical Vulnerabilities
Part I for this issue has been compiled by Josh Bronson at TippingPoint,
a division of HP, as a by-product of that company’s continuous effort
to ensure that its intrusion prevention products effectively block
exploits using known vulnerabilities. TippingPoint’s analysis is
complemented by input from a council of security managers from twelve
large organizations who confidentially share with SANS the specific
actions they have taken to protect their systems. A detailed description
of the process may be found at
http://www.sans.org/newsletters/risk/#process
(1) MEDIUM: RealNetworks RealPlayer Multiple Security Vulnerabilities
Affected:
RealNetworks RealPlayer 11.0-11.1
RealNetworks RealPlayer SP 1.0-1.1.5
RealNetworks RealPlayer 14.0.0-14.0.7
RealNetworks RealPlayer 15.0.0-15.0.1.13
Description: RealNetworks has released patches for multiple security
vulnerabilities affecting its RealPlayer media player. By enticing a
target to open a malicious file, an attacker can exploit the unspecified
vulnerabilities in order to execute arbitrary code on the target’s
machine.
Status: vendor confirmed, updates available
References:
Vendor Site
http://www.real.com
RealNetworks Security Advisory
http://service.real.com/realplayer/security/02062012_player/en/
SecurityFocus BugTraq IDs
http://www.securityfocus.com/bid/51883
http://www.securityfocus.com/bid/51884
http://www.securityfocus.com/bid/51887
http://www.securityfocus.com/bid/51888
http://www.securityfocus.com/bid/51889
(2) MEDIUM: Novell iPrint Server Buffer Overflow
Affected:
Novell iPrint for Linux Open Enterprise Server prior to OES2 SP3 patch 7885
Description: Novell has released patches for iPrint, its web-based print
management software. The iPrint server component runs on Linux and
provides a web interface for printer administration that can be
reached from clients on multiple platforms. Vulnerable versions of the
server, which listens by default on port 631, copy attacker-controlled
data of arbitrary length into a fixed-length stack buffer without
checking its size. By sending a malicious request, an attacker can
exploit this vulnerability in order to execute arbitrary code on the
target server.
Status: vendor confirmed, updates available
References:
Vendor Site
http://www.novell.com
Novell iPrint Security Advisory
http://www.novell.com/support/viewContent.do?externalId=7010084
Zero Day Initiative Advisory
http://www.zerodayinitiative.com/advisories/ZDI-12-031/
SecurityFocus BugTraq ID
http://www.securityfocus.com/bid/51791
Part II – Comprehensive List of Newly Discovered Vulnerabilities from Qualys
This list is compiled by Qualys (www.qualys.com) as part of that
company’s ongoing effort to ensure its vulnerability management web
service tests for all known vulnerabilities that can be scanned. As of
this week Qualys scans for 13206 unique vulnerabilities. For this
special SANS community listing, Qualys also includes vulnerabilities
that cannot be scanned remotely.
12.6.1 CVE: CVE-2011-4511,CVE-2011-4510
Platform: Third Party Windows Apps
Title: Siemens SIMATIC HMI Multiple Unspecified Cross-Site Scripting
Vulnerabilities
Description: Siemens SIMATIC HMI is a software package used as the
interface between the operator and the programmable logic controllers
(PLCs) controlling a process. The application is exposed to multiple
unspecified cross-site scripting issues because it fails to properly
sanitize user-supplied input. WinCC flexible 2004, 2005, 2007 and 2008,
WinCC V11 (TIA Portal), multiple SIMATIC HMI panels (TP, OP, MP,
Comfort Panels, Mobile Panels), WinCC V11 Runtime Advanced and WinCC
flexible Runtime are affected.
Ref: http://www.us-cert.gov/control_systems/pdf/ICSA-12-030-01.pdf
12.6.2 CVE: Not Available
Platform: Third Party Windows Apps
Title: Skype Prior to 5.8.0.154 Unspecified Security Vulnerability
Description: Skype is peer-to-peer communications software that
supports internet-based voice communications. Skype for Windows is
exposed to an unspecified security issue. Very few details are
currently available. Skype for Windows versions prior to 5.8.0.154 are
affected.
Ref: http://blogs.skype.com/garage/2012/02/skype_for_windows_update.html
http://www.securityfocus.com/bid/51853/discuss
12.6.3 CVE: CVE-2012-0290
Platform: Third Party Windows Apps
Title: Symantec pcAnywhere Session Closure Access Violation
Description: pcAnywhere is a remote administration application for
Microsoft Windows. pcAnywhere is exposed to an issue that may allow an
attacker to impersonate the server and take over a valid session.
pcAnywhere 12.0.x, 12.1.x and 12.5.x, Altiris IT Management Suite 7.0
and Altiris IT Management Suite 7.1 are affected.
Ref:
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120124_00
12.6.4 CVE: Not Available
Platform: Third Party Windows Apps
Title: Edraw Diagram Component ActiveX Control Buffer Overflow
Description: The Edraw Diagram Component ActiveX control is a drawing
board application. The ActiveX control (“EDBoard.ocx”) is exposed to
a remote buffer overflow issue because it fails to perform adequate
boundary checks on user-supplied data. Specifically, the issue occurs
in the “LicenseName()” method when processing a specially-crafted
license name string. Edraw Diagram Component 5 is vulnerable and other
versions may also be affected.
Ref: http://www.securityfocus.com/bid/51866/discuss
12.6.5 CVE: Not Available
Platform: Third Party Windows Apps
Title: TYPSoft FTP Server Multiple Commands Remote Denial of Service
Vulnerabilities
Description: TYPSoft is an FTP server available for Microsoft Windows.
TYPSoft FTP Server is exposed to multiple remote denial of service
issues because the application fails to properly handle specially
crafted FTP commands. TYPSoft FTP Server 1.10.0 is vulnerable and other
versions may also be affected.
Ref: http://www.securityfocus.com/bid/51891/discuss
12.6.6 CVE: Not Available
Platform: Third Party Windows Apps
Title: XnView JPEG2000 Buffer Overflow
Description: XnView is a graphics application available for Microsoft
Windows. The application is exposed to a buffer overflow issue because
it fails to perform adequate boundary checks on user-supplied input.
This issue occurs in the “Xjp2.dll” library while processing the
Quantization Default (QCD) marker segment. Specifically, the issue is
triggered when processing a specially crafted JPEG2000 “JP2” file.
XnView 1.98.5 is vulnerable and other versions may also be affected.
Ref: http://www.securityfocus.com/bid/51896/discuss
https://secunia.com/advisories/47352
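The QCD bug above is a length-field problem: the segment's declared size and entry count are trusted instead of being checked against the bytes present and against what a per-subband table can hold. As an added example, not code from XnView or from the original newsletter, the Python below walks the main header of a raw JPEG 2000 codestream and refuses any marker segment whose length runs past the data, and any QCD whose entry count exceeds the 3*32+1 subbands that the Part 1 limit of 32 decomposition levels allows. The marker codes and the Sqcd layout come from the JPEG 2000 Part 1 syntax; the JP2 box wrapper is assumed already stripped, and the sample headers are constructed here and are not real image files.

```python
import struct

# Marker codes from the JPEG 2000 Part 1 codestream syntax.
SOC = 0xFF4F  # start of codestream
SIZ = 0xFF51  # image and tile size
QCD = 0xFF5C  # quantization default
SOT = 0xFF90  # start of tile-part: ends the main header
EOC = 0xFFD9  # end of codestream

# Part 1 allows at most 32 decomposition levels, i.e. 3*32+1 subbands, so a
# per-subband table never needs more entries than this. A QCD declaring more
# is malformed and must be refused rather than copied into the table.
MAX_SUBBANDS = 3 * 32 + 1


class CodestreamError(ValueError):
    """Raised for any length or count that does not fit the data present."""


def parse_qcd(body: bytes) -> dict:
    """Parse a QCD segment body (the bytes after Lqcd) with bounds checks."""
    if len(body) < 1:
        raise CodestreamError("QCD segment too short for Sqcd")
    sqcd = body[0]
    guard_bits = sqcd >> 5          # top three bits
    style = sqcd & 0x1F             # low five bits: quantization style
    payload = body[1:]
    if style == 0:                  # no quantization: 8-bit SPqcd per subband
        entry_size = 1
    elif style in (1, 2):           # scalar derived / expounded: 16-bit entries
        entry_size = 2
    else:
        raise CodestreamError(f"unknown quantization style {style}")
    if len(payload) % entry_size:
        raise CodestreamError("QCD payload is not a whole number of entries")
    count = len(payload) // entry_size
    if style == 1 and count != 1:
        raise CodestreamError("scalar derived QCD must carry exactly one value")
    if count > MAX_SUBBANDS:
        raise CodestreamError(f"QCD declares {count} subbands, limit is {MAX_SUBBANDS}")
    if entry_size == 1:
        values = list(payload)
    else:
        values = [v for (v,) in struct.iter_unpack(">H", payload)]
    return {"guard_bits": guard_bits, "style": style, "values": values}


def parse_main_header(data: bytes) -> dict:
    """Walk the main header marker segments, checking each declared length
    against the bytes actually present, and return the parsed QCD if any."""
    if len(data) < 2 or struct.unpack(">H", data[:2])[0] != SOC:
        raise CodestreamError("missing SOC marker")
    pos = 2
    result = {"qcd": None, "segments": []}
    while True:
        if pos + 2 > len(data):
            raise CodestreamError("truncated before next marker")
        marker = struct.unpack(">H", data[pos:pos + 2])[0]
        if marker in (SOT, EOC):
            break
        if pos + 4 > len(data):
            raise CodestreamError("truncated marker segment length")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        # Lxxx counts its own two bytes plus the body, but not the marker.
        if length < 2 or pos + 2 + length > len(data):
            raise CodestreamError(f"marker {marker:#06x} length {length} exceeds data")
        body = data[pos + 4:pos + 2 + length]
        result["segments"].append(marker)
        if marker == QCD:
            result["qcd"] = parse_qcd(body)
        pos += 2 + length
    return result


def safe_parse(data: bytes):
    """Return (True, parsed) on success or (False, reason) on rejection."""
    try:
        return True, parse_main_header(data)
    except CodestreamError as exc:
        return False, str(exc)


def _segment(marker: int, body: bytes) -> bytes:
    return struct.pack(">HH", marker, len(body) + 2) + body


# Constructed inputs, not real image files: a benign header whose QCD carries
# four 16-bit expounded entries, a hostile one whose QCD claims 200 entries,
# and a copy of the benign header cut off inside the QCD segment.
SIZ_BODY = bytes(38)  # only its length matters for this walk
GOOD = (struct.pack(">H", SOC) + _segment(SIZ, SIZ_BODY)
        + _segment(QCD, bytes([0x42]) + struct.pack(">4H", 0x4040, 0x4848, 0x4848, 0x4850))
        + struct.pack(">H", SOT))
BAD_COUNT = (struct.pack(">H", SOC) + _segment(SIZ, SIZ_BODY)
             + _segment(QCD, bytes([0x42]) + b"\x48\x48" * 200)
             + struct.pack(">H", SOT))
TRUNCATED = GOOD[:-6]
```

The two checks that matter are the `pos + 2 + length > len(data)` test on every segment and the `count > MAX_SUBBANDS` test in the QCD handler; a decoder that allocates a fixed table for SPqcd values needs the second one whatever the first says, because a 16-bit Lqcd can legitimately describe up to 65533 bytes of body.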
12.6.7 CVE: CVE-2011-4534,CVE-2011-4533
Platform: Third Party Windows Apps
Title: Ing. Punzenberger COPA-DATA GmbH zenon Multiple Denial of
Service Vulnerabilities
Description: Ing. Punzenberger COPA-DATA GmbH zenon is an industrial
automation software package. zenon is exposed to multiple denial of
service issues: one affects the “zenAdminSrv.exe” service and another
affects the “ZenSysSrv.exe” service. zenon 6.51 SP0 is vulnerable and
other versions may also be affected.
Ref: http://www.us-cert.gov/control_systems/pdf/ICSA-12-013-01.pdf
12.6.8 CVE: CVE-2011-4610
Platform: Linux
Title: JBoss Web Remote Denial of Service
Description: JBoss Web is the web container in the JBoss Enterprise
Application Platform. JBoss Web is exposed to a remote denial of
service issue. Specifically, the issue occurs because of an error in
the way the application handles specially crafted UTF-8 surrogate pair
characters. JBoss Enterprise Application Platform 5.1.2, JBoss
Enterprise Web Platform 5.1.2, JBoss Communications Platform 5.1.3 and
JBoss Enterprise Web Platform 5 for RHEL4/RHEL5/RHEL6 are affected.
Ref: https://bugzilla.redhat.com/show_bug.cgi?id=767871
12.6.9 CVE: CVE-2012-0194
Platform: Aix
Title: IBM AIX TCP Stack Denial of Service
Description: IBM AIX is an open-standards-based UNIX operating system.
IBM AIX is exposed to a denial of service issue that occurs when
processing specially crafted TCP packets. Specifically, the issue
occurs due to an error when the TCP large send offload option is
enabled on a network interface. IBM AIX 5.3, 6.1 and 7.1 are
vulnerable and other versions may also be affected.
Ref:
http://aix.software.ibm.com/aix/efixes/security/large_send_advisory.asc
12.6.10 CVE: Not Available
Platform: Cross Platform
Title: PHP “htmlspecialchars()” Function Buffer Overflow
Description: PHP is a general purpose scripting language especially
suited for web development that can be embedded into HTML. PHP is
exposed to a buffer overflow issue because it fails to effectively
bounds check user-supplied input submitted to the “htmlspecialchars()”
function before copying it to an insufficiently sized buffer. PHP 5.4
is vulnerable and other versions may also be affected.
Ref: https://bugs.php.net/bug.php?id=60965
http://www.securityfocus.com/bid/51860/discuss
12.6.11 CVE: CVE-2011-4930
Platform: Cross Platform
Title: Condor Multiple Format String Vulnerabilities
Description: Condor is a workload management system for UNIX and
Windows platforms. Condor is exposed to multiple format string
vulnerabilities because it fails to filter format string specifiers
from user-supplied data before passing it to its logging routines. In
particular, the application crashes when an attacker requests the
transfer of a file whose name contains specially crafted format string
specifiers. Condor 7.2.0 to 7.6.4 are affected.
Ref:
http://research.cs.wisc.edu/condor/security/vulnerabilities/CONDOR-2012-0001.html
12.6.12 CVE: CVE-2012-0922,CVE-2012-0923,CVE-2012-0924,CVE-2012-0925,CVE-2012-0926,CVE-2012-0927,CVE-2012-0928
Platform: Cross Platform
Title: Real Networks RealPlayer Multiple Remote Code Execution
Vulnerabilities
Description: Real Networks RealPlayer is a media player available for
multiple platforms. The application is exposed to multiple remote
code execution issues. See reference for further details. Versions
prior to RealPlayer 15.02.71 are affected.
Ref: http://service.real.com/realplayer/security/02062012_player/en/
12.6.13 CVE: CVE-2012-0803
Platform: Cross Platform
Title: Apache CXF UsernameToken Policy Validation Security Bypass
Description: Apache CXF is an open source services framework. Apache
CXF is exposed to a security bypass issue because it fails to properly
validate the existence of a WS-Security UsernameToken within a SOAP
request. Apache CXF 2.4.5 and 2.5.1 are affected.
Ref: http://cxf.apache.org/cve-2012-0803.html
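The CXF entry describes a policy check that validates a UsernameToken when one is present but does not insist that one be present, so a request with an empty or missing Security header satisfies a policy that was meant to require credentials. As an added example, not code from Apache CXF or from the original newsletter, the Python below shows that flaw class beside the corrected check over a minimal SOAP 1.1 envelope. The namespace URIs are the standard SOAP and WSS 1.0 secext ones; the function names, the plaintext-password comparison and the sample credential store and envelopes are constructed here for illustration (a real service would validate against a callback handler, usually with digest passwords).

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
NS = {"soap": SOAP_NS, "wsse": WSSE_NS}

# Constructed credential store standing in for the service's password callback.
CREDENTIALS = {"alice": "s3cret"}


def username_tokens(envelope_xml: str) -> list:
    """All wsse:UsernameToken elements inside the Security header, if any."""
    root = ET.fromstring(envelope_xml)
    return root.findall("soap:Header/wsse:Security/wsse:UsernameToken", NS)


def token_is_valid(token, credentials: dict) -> bool:
    user = token.findtext("wsse:Username", default="", namespaces=NS)
    password = token.findtext("wsse:Password", default="", namespaces=NS)
    return bool(user) and credentials.get(user) == password


def vulnerable_policy_check(envelope_xml: str, credentials: dict) -> bool:
    """Flaw class: every token that is present must validate, but a request
    carrying no UsernameToken at all has nothing to fail and is accepted."""
    for token in username_tokens(envelope_xml):
        if not token_is_valid(token, credentials):
            return False
    return True


def fixed_policy_check(envelope_xml: str, credentials: dict) -> bool:
    """A UsernameToken assertion is a requirement: exactly one token must be
    present and it must validate; absence is itself a policy violation."""
    tokens = username_tokens(envelope_xml)
    return len(tokens) == 1 and token_is_valid(tokens[0], credentials)


def envelope(security_header: str) -> str:
    return (f'<soap:Envelope xmlns:soap="{SOAP_NS}" xmlns:wsse="{WSSE_NS}">'
            f"<soap:Header>{security_header}</soap:Header>"
            "<soap:Body><getBalance/></soap:Body></soap:Envelope>")


def username_token(user: str, password: str) -> str:
    return ("<wsse:Security><wsse:UsernameToken>"
            f"<wsse:Username>{user}</wsse:Username>"
            f"<wsse:Password>{password}</wsse:Password>"
            "</wsse:UsernameToken></wsse:Security>")


# Constructed sample requests: one correct, one with a bad password, one with an
# empty Security header, one with no Security header at all.
WITH_TOKEN = envelope(username_token("alice", "s3cret"))
WRONG_PASSWORD = envelope(username_token("alice", "guess"))
EMPTY_SECURITY = envelope("<wsse:Security/>")
NO_SECURITY_HEADER = envelope("")
```

The difference is a single requirement on the count of tokens: the vulnerable loop is vacuously satisfied by zero tokens, while the fixed version treats a missing token exactly like a wrong password.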
12.6.14 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: NexorONE “login.php” Multiple Cross Site Scripting
Vulnerabilities
Description: NexorONE is online banking software. The application is
exposed to multiple cross-site scripting issues because it fails to
sanitize user-supplied input submitted to the “message” and
“visitor_language” parameters of the “login.php” script. NexorONE
Online Banking Software is affected.
Ref: http://www.securityfocus.com/bid/51876/discuss
http://www.vulnerability-lab.com/get_content.php?id=304
12.6.15 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: Simple Groupware “export” Parameter Cross Site Scripting
Description: Simple Groupware is a PHP-based content management
system. Simple Groupware is exposed to a cross-site scripting issue
because it fails to properly sanitize user-supplied input submitted to
the “export” parameter of the “index.php” script. Simple Groupware
0.742 is vulnerable and other versions may also be affected.
Ref: http://www.securityfocus.com/archive/1/521518
12.6.16 CVE: Not Available
Platform: Web Application - Cross Site Scripting
Title: eFront “administrator.php” Cross-Site Scripting
Description: eFront is a PHP-based e-learning application. eFront is
exposed to a cross-site scripting issue because it fails to properly
sanitize user-supplied input submitted to the “filter” parameter of
the “communityplusplus/www/administrator.php” script. eFront 3.6.10 is
vulnerable; other versions may also be affected.
Ref: http://www.securityfocus.com/archive/1/521523
http://www.vulnerability-lab.com/get_content.php?id=423
12.6.17 CVE: Not Available
Platform: Web Application - SQL Injection
Title: HDWiki URI SQL Injection
Description: HDWiki is a web-based application implemented in PHP. The
application is exposed to an SQL injection issue because it fails to
sufficiently sanitize user-supplied data from the URI. This issue
affects the “hdwiki/index.php” script in the “model/comment.class.php”
file. HDWiki 5.1 is vulnerable and other versions may also be affected.
Ref: http://www.securityfocus.com/bid/51871/discuss
12.6.18 CVE: Not Available
Platform: Web Application - SQL Injection
Title: BASE “base_qry_main.php” SQL Injection
Description: BASE (Basic Analysis and Security Engine) is a web-based
intrusion detection alert analysis front end implemented in PHP. The
application is exposed to an SQL injection issue because it fails to
sufficiently sanitize user-supplied data submitted to the
“ip_addr[0][9]” parameter of the “base_qry_main.php” script before
using it in an SQL query. BASE 1.4.5 is vulnerable and other versions
may also be affected.
Ref: http://www.securityfocus.com/bid/51874/discuss
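Both SQL injection entries (12.6.17 HDWiki and 12.6.18 BASE) come down to request data being spliced into query text. As an added example, not code from either project or from the original newsletter, the Python below runs a BASE-style "filter alerts by source IP" query against an in-memory SQLite table in the vulnerable string-concatenation form and in the corrected form, which validates the value with the standard ipaddress module and then binds it as a parameter. The table, rows, column names and payload strings are constructed here for illustration.

```python
import ipaddress
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for an IDS alert table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE alert (id INTEGER PRIMARY KEY, ip_src TEXT, sig TEXT)")
    conn.executemany("INSERT INTO alert (ip_src, sig) VALUES (?, ?)", [
        ("10.0.0.5", "ET SCAN Nmap"),
        ("10.0.0.9", "ET POLICY SSH"),
        ("192.168.1.20", "GPL ICMP ping"),
    ])
    return conn


def vulnerable_query(conn, ip_filter: str) -> list:
    """Untrusted request data spliced straight into the SQL text."""
    sql = f"SELECT id, ip_src, sig FROM alert WHERE ip_src = '{ip_filter}'"
    return conn.execute(sql).fetchall()


def safe_query(conn, ip_filter: str) -> list:
    """Validate the shape of the value first, then bind it as a parameter so
    it can only ever be compared as data, never interpreted as SQL syntax."""
    ip = str(ipaddress.ip_address(ip_filter))   # raises ValueError otherwise
    sql = "SELECT id, ip_src, sig FROM alert WHERE ip_src = ?"
    return conn.execute(sql, (ip,)).fetchall()


def safe_query_rejects(conn, ip_filter: str) -> bool:
    """True when the hardened path refuses the value as not an IP address."""
    try:
        safe_query(conn, ip_filter)
    except ValueError:
        return True
    return False


# Constructed payloads: a tautology that dumps every row, and a UNION that
# pulls a value the query was never meant to return (the engine version here).
TAUTOLOGY = "' OR '1'='1"
UNION_LEAK = "x' UNION SELECT 1, sqlite_version(), 'leak"
```

Parameter binding alone would already stop both payloads; the ipaddress check is the second layer a practitioner adds because an IP filter has a known shape, so anything that is not an address can be rejected before it reaches the database at all.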
12.6.19 CVE: CVE-2011-3639
Platform: Web Application
Title: Apache HTTP Server “mod_proxy” Reverse Proxy Security Bypass
Description: Apache HTTP Server is an HTTP web server. Apache HTTP
Server is exposed to a security bypass issue in the “mod_proxy”
component. Specifically, when the “RewriteRule” or “ProxyPassMatch”
directives are used to configure a reverse proxy with a pattern that
does not require a leading slash, a crafted request URI containing a
scheme is not handled correctly and can cause the proxy to forward the
request to internal servers the attacker chooses. Apache HTTP Server
2.0.x through 2.0.64 and 2.2.x before 2.2.18 are affected.
Ref: https://community.qualys.com/blogs/securitylabs/tags/cve-2011-4317
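The root of the mod_proxy bypass is a rewrite pattern such as `^(.*)` that matches a request-target which does not begin with a slash, so whatever the client sends is appended directly to the backend URL and can change the host or port the proxy connects to. As an added example, not Apache code and not part of the original newsletter, the Python below emulates the substitution step for an unanchored and an anchored rule and reports where the proxied request would actually go. The backend name and the request-targets are constructed; the example uses the user-info (`@`) and port (`:`) forms of the malformed URI, which exploit the same missing `^/` anchor that the scheme form in the advisory relies on.

```python
import re
from urllib.parse import urlsplit

# Constructed backend origin and two rule shapes. The Apache directives each
# stands for are in the comments; only the substitution step is emulated.
BACKEND = "http://internal.example"
UNANCHORED = (r"^(.*)$", BACKEND + "$1")    # RewriteRule ^(.*)  http://internal.example$1  [P]
ANCHORED = (r"^/(.*)$", BACKEND + "/$1")    # RewriteRule ^/(.*) http://internal.example/$1 [P]


def rewritten_url(rule, request_target: str):
    """Apply 'pattern -> template' to the request-target the client sent.
    Returns the URL the proxy would fetch, or None if the rule does not match."""
    pattern, template = rule
    m = re.match(pattern, request_target)
    if not m:
        return None
    return template.replace("$1", m.group(1))


def effective_upstream(rule, request_target: str):
    """(host, port) the proxy would connect to for this request, or None."""
    url = rewritten_url(rule, request_target)
    if url is None:
        return None
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.hostname, port


def rule_leaks(rule, request_target: str) -> bool:
    """True when the request lands somewhere other than the configured backend,
    taking a plain request for "/" as the reference for where it should go."""
    upstream = effective_upstream(rule, request_target)
    return upstream is not None and upstream != effective_upstream(rule, "/")


# Constructed request-targets as they would appear on the request line, e.g.
# "GET @attacker.example/ HTTP/1.0". The first is normal; the other two have
# no leading slash and only match a pattern that does not demand one.
NORMAL = "/status"
USERINFO_TRICK = "@attacker.example/"   # becomes http://internal.example@attacker.example/
PORT_TRICK = ":8080/"                   # becomes http://internal.example:8080/
```

The remediation is visible in the two rule tuples: anchoring the pattern with `^/` means a request-target that does not start with a slash never matches, so nothing the client controls can ever sit in the authority part of the upstream URL.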
12.6.20 CVE: Not Available
Platform: Web Application
Title: ManageEngine Applications Manager Multiple Cross-Site Scripting
and SQL Injection Vulnerabilities
Description: The ManageEngine Applications Manager is a web-based
availability and performance monitoring application. The application
is exposed to a SQL injection issue and multiple cross-site scripting
issues because it fails to sufficiently sanitize user-supplied input.
ManageEngine Applications Manager 10.2 is vulnerable and prior versions
may also be affected.
Ref: http://www.vulnerability-lab.com/get_content.php?id=115
http://www.securityfocus.com/bid/51796/discuss
12.6.21 CVE: Not Available
Platform: Web Application
Title: TYPO3 Third Party Extensions Multiple Vulnerabilities
Description: TYPO3 is a PHP-based content management system. Multiple
third-party extensions for TYPO3 are exposed to multiple issues. See
the reference for further details. The extensions Kitchen recipe,
Category-System, White Papers, Documents download, Post data records to
facebook, System Utilities, Webservices for TYPO3, CSS styled
Filelinks, Modern FAQ, Euro Calculator, Yet another Google search,
Terminal PHP Shell, BE User Switch, Additional TCA Forms and UrlTool
are affected.
Ref:
http://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2012-001/
12.6.22 CVE: Not Available
Platform: Web Application
Title: DotNetNuke Cross-Site Scripting and Security Bypass
Vulnerabilities
Description: DotNetNuke is an open source framework for creating and
deploying websites. The application is exposed to multiple
vulnerabilities. A security bypass issue occurs because the
application fails to validate a certain unspecified parameter in the
“DotNetNuke.RadEditorProvider” method used to check file extensions.
A cross-site scripting issue affects the modal popups. A further
security bypass issue is caused by an error when validating user
permissions to access user and role functions. DotNetNuke 5.6.7 and
6.x prior to 6.1.3 are affected.
Ref: http://www.dotnetnuke.com/News/Security-Policy/Security-bulletin-no.64.aspx
http://www.dotnetnuke.com/News/Security-Policy/Security-bulletin-no.63.aspx
http://www.dotnetnuke.com/News/Security-Policy/Security-bulletin-no.62.aspx
12.6.23 CVE: CVE-2012-0396
Platform: Web Application
Title: EMC Documentum xPlore Information Disclosure
Description: EMC Documentum xPlore is a document search application.
EMC Documentum xPlore is exposed to an information disclosure issue.
Specifically, users with BROWSE permission on an object may be able to
gain access to certain metadata of the object without proper
authorization. EMC Documentum xPlore 1.0 (all patch versions), EMC
Documentum xPlore 1.1 (all patch versions prior to 1.1 P07) and EMC
Documentum xPlore 1.2 (all patch versions) are affected.
Ref: http://www.securityfocus.com/archive/1/521481
12.6.24 CVE: Not Available
Platform: Web Application
Title: EPiServer CMS Cross Site Scripting and Security Bypass
Vulnerabilities
Description: EPiServer CMS is a web-based content management
application. The application is exposed to multiple issues: a security
bypass issue occurs due to an unspecified error, and a cross-site
scripting issue occurs because the application fails to properly
sanitize certain unspecified user-supplied input. EPiServer CMS 5 and
EPiServer CMS 6 are affected.
Ref:
http://world.episerver.com/Blogs/Shahid-Nawaz/Dates/2012/1/General-Hotfix-CMS-6-R2/
http://world.episerver.com/Blogs/Jens-N/Dates/2012/1/Security-vulnerability---Elevation-of-privilege/
12.6.25 CVE: Not Available
Platform: Web Application
Title: Vespa “getid3.php” Local File Include
Description: Vespa is a simple web-based PHP application that parses
directories of audio files. The application is exposed to a local file
include issue because it fails to sufficiently sanitize user-supplied
input submitted to the “include” parameter of the “getid3.php” script.
Vespa 0.8.6 is vulnerable and other versions may also be affected.
Ref: http://www.securityfocus.com/bid/51878/discuss
http://packetstormsecurity.org/files/109476
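An "include" parameter that names a file is the textbook local file include: any value that is absolute, carries a scheme, or walks upward with `..` leaves the directory the script intended. As an added example, not Vespa code and not part of the original newsletter, the Python below shows the two usual fixes: a containment check that normalizes the requested path, confirms it is still under the web root with commonpath (a plain startswith would let `/var/www/vespa2` pass for `/var/www/vespa`) and restricts the extension, and, sturdier still, an allowlist that maps a short name to a file so the request never carries a path at all. The web root, allowed extension and allowlist entries are constructed; posixpath is used so the example runs identically everywhere without touching the filesystem, and a real deployment should additionally resolve symlinks with os.path.realpath before the containment check.

```python
import posixpath
from typing import Optional

# Constructed deployment layout for the example.
WEB_ROOT = "/var/www/vespa"
ALLOWED_EXTENSIONS = (".php",)


def resolve_include(requested: str, web_root: str = WEB_ROOT) -> Optional[str]:
    """Map a user-supplied 'include' value to a file under web_root, or return
    None when it is empty, contains a NUL byte, is absolute, names a remote
    resource, traverses out of the root, or lacks an allowed extension."""
    if not requested or "\x00" in requested:
        return None
    if "://" in requested or posixpath.isabs(requested):
        return None
    candidate = posixpath.normpath(posixpath.join(web_root, requested))
    # commonpath, not startswith: "/var/www/vespa2" must not pass for "/var/www/vespa".
    if posixpath.commonpath([web_root, candidate]) != web_root:
        return None
    if posixpath.splitext(candidate)[1] not in ALLOWED_EXTENSIONS:
        return None
    return candidate


# Allowlist alternative: the request names an entry, never a path. Constructed entries.
INCLUDE_MAP = {
    "getid3": "/var/www/vespa/lib/getid3.php",
    "player": "/var/www/vespa/lib/player.php",
}


def resolve_by_name(name: str) -> Optional[str]:
    """Return the mapped file for a known short name, or None for anything else."""
    return INCLUDE_MAP.get(name)
```

Where the set of includable files is fixed, as it is for a small application like this one, the allowlist is the better choice: there is no path to normalize and nothing to get wrong.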