@RISK Newsletter for March 01, 2012 The Consensus Security Vulnerability Alert

This is a weekly newsletter that provides in-depth analysis of the latest vulnerabilities with straightforward remediation advice. Qualys supplies a large part of the newly-discovered vulnerability content used in this newsletter.


@RISK: The Consensus Security Vulnerability Alert
Vol. 12, Num. 9

Providing a reliable, weekly summary of newly discovered attack vectors, vulnerabilities with active exploits, and explanations of how recent attacks worked.

Archived issues may be found at https://www.qualys.com/research/sans-at-risk/


Summary of Updates and Vulnerabilities in this Consensus

Platform | Number of Updates and Vulnerabilities
— | —
Third Party Windows Apps | 2
Linux | 2
Aix | 1
Cross Platform | 6 (#1)
Web Application - Cross Site Scripting | 1
Web Application - SQL Injection | 2
Web Application | 10
Hardware | 2


Part I – Critical Vulnerabilities from HP TippingPoint (dvlabs.tippingpoint.com)

Widely Deployed Software
(1) HIGH: Samba Remote Code Execution Vulnerability


Part II – Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

Third Party Windows Apps

12.9.1 - ABB WebWare Server “RobNetScanHost.exe” Buffer Overflow
12.9.2 - Socusoft Photo to Video Converter “pdmlog.dll” Buffer Overflow

Linux

12.9.3 - python-paste-script Root GID Files Arbitrary File Access
12.9.4 - Notmuch Emacs Information Disclosure

Aix

12.9.5 - IBM AIX Remote Denial of Service

Cross Platform

12.9.6 - IBM solidDB “SELECT” Statement “WHERE” Condition Denial of Service
12.9.7 - Csound “getnum()” Multiple Buffer Overflow Vulnerabilities
12.9.8 - Puppet Multiple Local Privilege Escalation Vulnerabilities
12.9.9 - Dropbear SSH Server Use After Free Remote Code Execution
12.9.10 - libpurple OTR Information Disclosure
12.9.11 - PostgreSQL Multiple Security Vulnerabilities

Web Application - Cross Site Scripting

12.9.12 - ContentLion Alpha “login.php” Cross-Site Scripting

Web Application - SQL Injection

12.9.13 - The Uploader “username” Parameter SQL Injection
12.9.14 - MyJobList “eid” Parameter SQL Injection

Web Application

12.9.15 - EasyVista Single Sign-on Authentication Bypass
12.9.16 - Dolibarr Multiple Directory Traversal Vulnerabilities
12.9.17 - Chyrp “ajax.php” HTML Injection
12.9.18 - WebcamXP and Webcam7 Directory Traversal
12.9.19 - Drupal FAQ Module Unspecified HTML Injection
12.9.20 - Bugzilla Cross-Site Request Forgery
12.9.21 - Movable Type Multiple Remote Vulnerabilities
12.9.22 - TYPO3 PDF Controller Unspecified Remote Code Execution and
Information Disclosure Vulnerabilities
12.9.23 - OSQA’s CMS Multiple HTML Injection Vulnerabilities
12.9.24 - Wolf CMS SQL Injection and Multiple HTML Injection Vulnerabilities

Hardware

12.9.25 - snom VoIP Phone Firmware Remote Privilege Escalation
12.9.26 - Cisco Small Business SRP500 Series Appliances Directory Traversal


PART I Critical Vulnerabilities

Part I for this issue has been compiled by Josh Bronson at TippingPoint,
a division of HP, as a by-product of that company’s continuous effort
to ensure that its intrusion prevention products effectively block
exploits using known vulnerabilities. TippingPoint’s analysis is
complemented by input from a council of security managers from twelve
large organizations who confidentially share with SANS the specific
actions they have taken to protect their systems. A detailed description
of the process may be found at
http://www.sans.org/newsletters/risk/#process


(1) HIGH: Samba Remote Code Execution Vulnerability

Affected:
Samba versions prior to 3.4.0
Description: A patch has been released for Samba addressing a code
execution vulnerability in the Samba server. Samba provides an
open-source platform for file and print services over the SMB/CIFS
protocol used by Microsoft Windows operating systems. The SMB protocol
includes AndX messages, which contain SMB commands and an offset to the
next AndX block in memory. Samba does not verify that these offsets are
monotonically increasing, so an attacker can cause the parser to enter a
loop with an offset that points to a previous AndX message. Eventually Samba
will overwrite a buffer on its heap. By sending a malicious request to
a Samba server, an attacker can exploit this vulnerability in order to
execute arbitrary code with root permissions on the target’s machine.
Status: vendor confirmed, updates available
References:
Vendor Site
http://www.samba.org
SecurityFocus BugTraq IDs
http://www.securityfocus.com/bid/52103
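The description above says the root cause is a missing check that the AndX offsets advance. The following is an added example, not part of the newsletter and not Samba's own parser: it walks a simplified, constructed AndX-style chain (a 4-byte header of next-command, reserved byte and little-endian next offset, measured from the start of the message) and rejects any chain whose next offset does not land strictly after the current header. The block layout, the ANDX_MAX_BLOCKS cap and the sample messages are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed, simplified AndX-style chain for illustration; this is not
 * Samba's wire parser.  Each block starts with a 4-byte header:
 *   byte 0:   command of the next block (0xFF = no further block)
 *   byte 1:   reserved
 *   bytes 2-3: offset of the next block, little-endian, measured from the
 *             start of the message
 * The block's own parameters and data follow the header and are skipped.
 */
#define ANDX_NONE       0xFF
#define ANDX_HDR_LEN    4
#define ANDX_MAX_BLOCKS 16   /* assumed sanity cap, not a protocol constant */

enum andx_status {
    ANDX_ERR_TRUNCATED = -1,  /* header would run past the end of the message */
    ANDX_ERR_BACKWARD  = -2,  /* next offset does not advance: a loop */
    ANDX_ERR_TOO_MANY  = -3   /* chain longer than the sanity cap */
};

/* Walk the chain that starts at byte offset `first`.  Returns the number of
 * blocks visited (>= 1) on success, or a negative enum andx_status.  The
 * "next offset must lie past the current header" rule is the monotonicity
 * check the advisory says Samba lacked; without it a chain whose offset
 * points back at an earlier block is walked again and again. */
int andx_walk(const uint8_t *msg, size_t len, size_t first)
{
    size_t off = first;
    int count = 0;

    for (;;) {
        /* Bounds first: the whole header must fit inside the buffer. */
        if (off > len || len - off < ANDX_HDR_LEN)
            return ANDX_ERR_TRUNCATED;
        if (++count > ANDX_MAX_BLOCKS)
            return ANDX_ERR_TOO_MANY;

        uint8_t next_cmd = msg[off];
        size_t  next_off = (size_t)msg[off + 2] | ((size_t)msg[off + 3] << 8);

        if (next_cmd == ANDX_NONE)
            return count;          /* end of chain */

        /* Monotonic check: the next block must start strictly after this
         * header, otherwise the parser revisits memory it already handled. */
        if (next_off < off + ANDX_HDR_LEN)
            return ANDX_ERR_BACKWARD;

        off = next_off;
    }
}

/* Constructed sample messages for the three outcomes. */
static const uint8_t good_chain[12] = {
    0x2E, 0x00, 0x08, 0x00,   /* block 0: next block at offset 8 */
    0x00, 0x00, 0x00, 0x00,   /* block 0 parameters/data (ignored) */
    0xFF, 0x00, 0x00, 0x00    /* block 1: terminates the chain */
};

static const uint8_t looping_chain[12] = {
    0x2E, 0x00, 0x08, 0x00,   /* block 0: next block at offset 8 */
    0x00, 0x00, 0x00, 0x00,
    0x2E, 0x00, 0x00, 0x00    /* block 1: points back to offset 0 */
};

static const uint8_t truncated_chain[8] = {
    0x2E, 0x00, 0x20, 0x00,   /* next block claimed at offset 32 ... */
    0x00, 0x00, 0x00, 0x00    /* ... but the message is only 8 bytes long */
};

int main(void)
{
    printf("good chain:      %d\n", andx_walk(good_chain, sizeof good_chain, 0));
    printf("looping chain:   %d\n", andx_walk(looping_chain, sizeof looping_chain, 0));
    printf("truncated chain: %d\n", andx_walk(truncated_chain, sizeof truncated_chain, 0));
    return 0;
}
```

Because every accepted offset is strictly larger than the previous one and is bounds-checked against the message length, the walk is guaranteed to terminate; the block cap is defence in depth against very long but otherwise valid chains consuming parser time.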


Part II – Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)

This list is compiled by Qualys (www.qualys.com) as part of that
company’s ongoing effort to ensure its vulnerability management web
service tests for all known vulnerabilities that can be scanned. As of
this week Qualys scans for 13392 unique vulnerabilities. For this
special SANS community listing, Qualys also includes vulnerabilities
that cannot be scanned remotely.


12.9.1 CVE: Not Available

Platform: Third Party Windows Apps
Title: ABB WebWare Server “RobNetScanHost.exe” Buffer Overflow
Description: ABB WebWare Server is a software product that provides
solutions for production management tasks with connected robot
controllers. The application is exposed to a stack-based buffer
overflow issue because it fails to perform adequate boundary checks on
user-supplied data. Specifically, this issue occurs in the
“RobNetScanHost.exe” file when processing specially crafted “Netscan”
packets with opcodes. ABB WebWare Server versions 4.6 through 4.91 are affected.
Ref:
http://www05.abb.com/global/scot/scot348.nsf/veritydisplay/f261be074480dc24c12579a00049ecd5/$file/si10227a1%20vulnerability%20security%20advisory.pdf
http://www.securityfocus.com/bid/52123/references


12.9.2 CVE: Not Available

Platform: Third Party Windows Apps
Title: Socusoft Photo to Video Converter “pdmlog.dll” Buffer Overflow
Description: Socusoft Photo to Video Converter is a multimedia converter
available for Microsoft Windows. The application is exposed to a buffer
overflow issue because it fails to perform adequate boundary checks on
user-supplied input. Specifically, the issue occurs in the “pdmlog.dll”
file when processing certain specially crafted files associated with the
application. Socusoft Photo to Video Converter version 8.05 is
vulnerable and other versions may also be affected.
Ref: http://www.securityfocus.com/archive/1/521796/30/0/threaded
http://www.vulnerability-lab.com/get_content.php?id=460
http://www.securityfocus.com/bid/52186/references


12.9.3 CVE: CVE-2012-0878

Platform: Linux
Title: python-paste-script Root GID Files Arbitrary File Access
Description: python-paste-script is a pluggable command line frontend.
The script is exposed to an arbitrary file access issue. Specifically,
it fails to properly drop the group privileges in the “.ini”
configuration file. Ian Bicking python-paste-script version 1.7.5 is
vulnerable.
Ref: http://www.securityfocus.com/bid/52147/references
https://bitbucket.org/ianb/pastescript/changeset/a19e462769b4


12.9.4 CVE: CVE-2011-4142

Platform: Linux
Title: Notmuch Emacs Information Disclosure
Description: Notmuch Emacs is an email management application for
indexing emails. The application is exposed to an information disclosure
issue. The issue is triggered when processing an email with a specially
crafted MML tag. Notmuch Emacs versions prior to 0.11.1 are vulnerable and other
versions may also be affected.
Ref: http://notmuchmail.org/news/release-0.11.1/
http://www.securityfocus.com/bid/52155/references


12.9.5 CVE: CVE-2011-1385

Platform: Aix
Title: IBM AIX Remote Denial of Service
Description: IBM AIX is an open-standards-based UNIX operating system.
The system is exposed to a remote denial of service issue.
Specifically, this issue is caused by an unspecified error when
processing specially crafted ICMP packets. IBM AIX versions 5.3, 6.1 and
7.1 are vulnerable and other versions may also be affected.
Ref: aix.software.ibm.com/aix/efixes/security/icmp_advisory.asc


12.9.6 CVE: CVE-2012-0200

Platform: Cross Platform
Title: IBM solidDB “SELECT” Statement “WHERE” Condition Denial of
Service
Description: IBM solidDB is a relational SQL database. The application
is exposed to a denial of service issue. Specifically, this issue is
triggered when processing a “SELECT” statement containing a
redundant “WHERE” condition. IBM solidDB versions prior to 6.5.0.8
Interim Fix 6 are vulnerable.
Ref: http://www-01.ibm.com/support/docview.wss?uid=swg1IC81244
http://www-01.ibm.com/support/docview.wss?uid=swg27021052#if6
http://www.securityfocus.com/bid/52111/references


12.9.7 CVE: CVE-2012-0270

Platform: Cross Platform
Title: Csound “getnum()” Multiple Buffer Overflow Vulnerabilities
Description: Csound is a sound and music composition application. The
application is exposed to multiple buffer overflow issues because it
fails to properly bounds check user-supplied data. Csound version 5.13.0
is vulnerable and other versions may also be affected.
Ref: http://secunia.com/secunia_research/2012-3/
http://www.securityfocus.com/bid/52144/references


12.9.8 CVE: CVE-2012-1054,CVE-2012-1053

Platform: Cross Platform
Title: Puppet Multiple Local Privilege Escalation Vulnerabilities
Description: Puppet is a configuration management system. The
application is exposed to multiple local privilege escalation issues.
Puppet Enterprise versions prior to 2.0.3, Puppet Enterprise versions 1.0,
1.1 and 1.2.x, Puppet versions prior to 2.6.14 and prior to 2.7.11 are
affected.
Ref: http://puppetlabs.com/security/cve/CVE-2012-1053/
http://puppetlabs.com/security/cve/CVE-2012-1054/


12.9.9 CVE: CVE-2012-0920

Platform: Cross Platform
Title: Dropbear SSH Server Use After Free Remote Code Execution
Description: Dropbear is an SSH client and server application. The
application is exposed to a remote code execution issue because of a
use after free error within the Dropbear daemon. An attacker can
exploit this issue by specially crafted requests. Dropbear SSH Server
versions from 0.52 to 2011.54 are vulnerable.
Ref: https://secure.ucc.asn.au/hg/dropbear/rev/818108bf7749
http://www.securityfocus.com/bid/52159/references


12.9.10 CVE: CVE-2012-1257

Platform: Cross Platform
Title: libpurple OTR Information Disclosure
Description: libpurple is a library used to provide instant messaging
functionality. It is used by the Pidgin and Adium IM clients. The
library is exposed to an information disclosure issue. Specifically,
the issue exists because OTR (off-the-record) messages are broadcast
in plain text through DBUS. libpurple versions prior to 2.10.1, pidgin
versions prior to 2.10.1 and pidgin-otr versions prior to 3.2.0 are
affected.
Ref: http://www.securityfocus.com/bid/52175/references
http://census-labs.com/news/2012/02/25/libpurple-otr-info-leak/


12.9.11 CVE: CVE-2012-0868,CVE-2012-0867,CVE-2012-0866

Platform: Cross Platform
Title: PostgreSQL Multiple Security Vulnerabilities
Description: PostgreSQL is an open-source relational database suite.
The application is exposed to multiple security issues that affect the
“core server” component. A privilege escalation issue occurs because
it fails to properly check permissions on a function called by a trigger.
An SSL certificate validation security bypass issue occurs due to an
improper “x509_v3 CN” validation during certificate verification, when SSL
support is enabled. An SQL injection issue occurs because the
“pg_dump” utility of PostgreSQL fails to sufficiently sanitize newline
(“\n”) characters in object names before using them in an SQL query.
PostgreSQL versions 9.1, 9.0, 8.4 and 8.3 are affected.
Ref: http://www.postgresql.org/support/security/
http://www.securityfocus.com/bid/52188/references


12.9.12 CVE: CVE-2012-1224

Platform: Web Application - Cross Site Scripting
Title: ContentLion Alpha “login.php” Cross-Site Scripting
Description: ContentLion Alpha is a PHP-based content manager. The
application is exposed to a cross-site scripting issue because it fails
to sanitize user-supplied input submitted to the
“system/classes/login.php” script. ContentLion Alpha 1.3 is vulnerable
and other versions may also be affected.
Ref: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1224
http://www.securityfocus.com/bid/52112/discuss


12.9.13 CVE: CVE-2011-2944

Platform: Web Application - SQL Injection
Title: The Uploader “username” Parameter SQL Injection
Description: The Uploader is a PHP-based application. The application
is exposed to an SQL injection issue because it fails to sufficiently
sanitize user-supplied data submitted to the “username” parameter of
the “login.php” script before using it in an SQL query. The Uploader
versions prior to 2.0.5 are affected.
Ref: http://www.securityfocus.com/bid/52156/references
http://packetstormsecurity.org/files/cve/CVE-2011-2944


12.9.14 CVE: Not Available

Platform: Web Application - SQL Injection
Title: MyJobList “eid” Parameter SQL Injection
Description: MyJobList is a web-based application implemented in PHP.
The application is exposed to an SQL injection issue because it fails
to sufficiently sanitize user-supplied data submitted to the “eid”
parameter of an unspecified script. MyJobList 0.1.3 is vulnerable and
other versions may also be affected.
Ref: https://secunia.com/advisories/48169
http://www.securityfocus.com/bid/52168/discuss


12.9.15 CVE: Not Available

Platform: Web Application
Title: EasyVista Single Sign-on Authentication Bypass
Description: EasyVista is an application that provides solutions for
IT service and asset management. The application is exposed to an
authentication bypass issue due to an error in the EasyVista single
sign-on feature, which does not use encoded values. EasyVista
2010.1.1.89 is vulnerable and other versions may also be affected.
Ref: http://www.kb.cert.org/vuls/id/273502
http://www.securityfocus.com/bid/52102/references


12.9.16 CVE: CVE-2012-1226

Platform: Web Application
Title: Dolibarr Multiple Directory Traversal Vulnerabilities
Description: Dolibarr is a foundation activity management
application implemented in PHP. The application is exposed to multiple
directory traversal issues because it fails to sufficiently sanitize
user-supplied input. Dolibarr 3.2.0 Alpha is vulnerable and other
versions may also be affected.
Ref: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1226
http://www.securityfocus.com/bid/52113/discuss


12.9.17 CVE: CVE-2012-1001

Platform: Web Application
Title: Chyrp “ajax.php” HTML Injection
Description: Chyrp is a PHP-based blogging engine. The application is
exposed to an HTML injection issue because it fails to properly
sanitize user-supplied input submitted to the “content” parameter of
the “includes/ajax.php” script. Chyrp 2.1.1 is vulnerable and other
versions may also be affected.
Ref: https://www.htbridge.ch/advisory/HTB23073
http://www.securityfocus.com/bid/52115/references


12.9.18 CVE: Not Available

Platform: Web Application
Title: WebcamXP and Webcam7 Directory Traversal
Description: WebcamXP and Webcam7 are webcam and network camera
software for Windows. The applications are exposed to a directory
traversal issue because they fail to sufficiently sanitize
user-supplied input. WebcamXP 5.5.1.2 and Webcam7 0.9.9.32 are
vulnerable and other versions may also be affected.
Ref: http://www.securityfocus.com/bid/52119/references
http://xforce.iss.net/xforce/xfdb/73385


12.9.19 CVE: Not Available

Platform: Web Application
Title: Drupal FAQ Module Unspecified HTML Injection
Description: FAQ is a module for the Drupal content manager. The module
is exposed to an unspecified HTML injection issue because it fails to
properly sanitize user-supplied input before using it in dynamically
generated content. FAQ 6.x-1.x versions prior to 6.x-1.13 are
vulnerable.
Ref: http://drupal.org/node/1451194
http://www.securityfocus.com/bid/52126/references


12.9.20 CVE: CVE-2012-0453

Platform: Web Application
Title: Bugzilla Cross-Site Request Forgery
Description: Bugzilla is a web-based bug tracking application. The
application is exposed to a cross-site request forgery issue because
it does not properly validate HTTP requests.
Specifically, the issue exists in the implementation of the XML-RPC
API when running under mod_perl. Bugzilla versions 4.0.2 through 4.0.4
and 4.1.1 through 4.2rc2 are vulnerable.
Ref: https://bugzilla.mozilla.org/show_bug.cgi?id=725663
http://www.bugzilla.org/security/4.0.4/


12.9.21 CVE: CVE-2012-0320,CVE-2012-0319,CVE-2012-0318,CVE-2012-0317

Platform: Web Application
Title: Movable Type Multiple Remote Vulnerabilities
Description: Movable Type is a web log application implemented in Perl
and PHP. The application is exposed to multiple issues. A cross-site
scripting issue affects the “mt-wizard.cgi” script. A cross-site
scripting issue affects the “templates” page. A cross-site request
forgery issue exists. A session hijacking issue affects the “commenting”
and “community” scripts. A remote command execution issue occurs because
it fails to properly sanitize user-supplied input passed to the file
management system. Movable Type versions prior to 5.13, 5.07 and 4.38
are affected.
Ref:
http://www.movabletype.org/documentation/appendices/release-notes/513.html
http://www.securityfocus.com/bid/52138/references


12.9.22 CVE: Not Available

Platform: Web Application
Title: TYPO3 PDF Controller Unspecified Remote Code Execution and
Information Disclosure Vulnerabilities
Description: PDF Controller (“pdfcontroller”) is an extension for the
TYPO3 content manager. The extension is exposed to unspecified remote
code execution and information disclosure issues. PDF Controller 1.0.1
and prior versions are vulnerable.
Ref:
http://typo3.org/teams/security/security-bulletins/typo3-extensions/typo3-ext-sa-2012-003/


12.9.23 CVE: Not Available

Platform: Web Application
Title: OSQA’s CMS Multiple HTML Injection Vulnerabilities
Description: OSQA is an open source Q&A system written in Python.
The application is exposed to multiple HTML injection issues because
it fails to sufficiently sanitize user-supplied input appended to the
“Url Bar”, “Picture Bar” and “Blockquote” modules. OSQA 3b is
vulnerable and other versions may also be affected.
Ref: http://www.securityfocus.com/bid/52184/references
http://www.securityfocus.com/archive/1/521798


12.9.24 CVE: Not Available

Platform: Web Application
Title: Wolf CMS SQL Injection and Multiple HTML Injection
Vulnerabilities
Description: Wolf CMS is a free content management system implemented
in PHP. The application is exposed to multiple issues because it fails
to sufficiently sanitize user-supplied input. Wolf CMS 0.7.5 is
vulnerable and other versions may also be affected.
Ref: http://www.securityfocus.com/archive/1/521797
http://www.securityfocus.com/bid/52187/references


12.9.25 CVE: Not Available

Platform: Hardware
Title: snom VoIP Phone Firmware Remote Privilege Escalation
Description: snom VoIP phones are voice over IP phone devices. The
phone firmware is exposed to a remote privilege escalation issue.
Specifically, this issue occurs because of an error in the
authentication code. snom VoIP phone firmware versions prior to
8.4.35 are vulnerable.
Ref: http://www.senseofsecurity.com.au/advisories/SOS-12-001


12.9.26 CVE: CVE-2012-0365

Platform: Hardware
Title: Cisco Small Business SRP500 Series Appliances Directory
Traversal
Description: Cisco Small Business SRP500 series appliances are
services-ready platforms that provide IP voice, data, security and
wireless services. The devices are exposed to a directory traversal
issue due to an error in the Local TFTP file upload application.
Cisco SRP 500 Series devices are affected.
Ref:
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20120223-srp500

