Summary of Updates and Vulnerabilities in this Consensus

Platform Number of Updates and Vulnerabilities
— | —
Third Party Windows Apps 3
Linux 2 Cross Platform 9 (#1,#2)
Web Application - Cross Site Scripting 2
Web Application - SQL Injection 1
Web Application 5
Network Device 1
Hardware 2

Part I – Critical Vulnerabilities from HP TippingPoint (dvlabs.tippingpoint.com)

Widely Deployed Software
(1) MEDIUM: Mozilla Firefox Multiple Security Vulnerabilities
(2) MEDIUM: Symantec PCAnywhere Buffer Overflow

Part II – Comprehensive List of Newly Discovered Vulnerabilities from Qualys

(www.qualys.com)

Third Party Windows Apps

12.5.1 - Trend Micro DataArmor and DriveArmor Pre-boot Local Privilege Escalation
12.5.2 - RSA enVision Environmental Variable Information Disclosure
12.5.3 - PDF-XChange pdfSaver ActiveX Multiple Buffer Overflow Vulnerabilities

Linux

12.5.4 - Debian Openssh Server Forced Command Handling Information Disclosure
12.5.5 - Wicd “wicd/configmanager.py” Local Information Disclosure

Cross Platform

12.5.6 - EMC NetWorker Unspecified Buffer Overflow
12.5.7 - Limit My Call Remote Unauthorized Access
12.5.8 - Wireshark Buffer Underflow and Denial of Service Vulnerabilities
12.5.9 - Samba Memory Leak Local Denial Of Service
12.5.10 - Todd Miller Sudo “Sudo_Debug()” Path Resolution Local Privilege Escalation
12.5.11 - FFmpeg Multiple Remote Vulnerabilities
12.5.12 - HP Network Automation Remote Unauthorized Access
12.5.13 - RESTEasy JaxB XML Entity References Information Disclosure
12.5.14 - Mozilla Firefox/SeaMonkey/Thunderbird Multiple Vulnerabilities

Web Application - Cross Site Scripting

12.5.15 - Mibew Messenger Multiple Cross-Site Scripting Vulnerabilities
12.5.16 - Hitachi JP1/IT Desktop Management Manager Unspecified Cross-Site Scripting

Web Application - SQL Injection

12.5.17 - Campaign Enterprise “SID” Parameter SQL Injection

Web Application

12.5.18 - Apache HTTP Server mod_log_config Denial Of Service
12.5.19 - PEEL SHOPPING SQL Injection and Cross-Site Scripting Vulnerabilities
12.5.20 - OSClass Multiple Remote Vulnerabilities
12.5.21 - FishEye and Crucible Webwork 2 Framework Remote Code Injection
12.5.22 - HostBill PHP Code Injection

Network Device

12.5.23 - D-Link DIR-601 TFTP Server Directory Traversal

Hardware

12.5.24 - Syneto Unified Threat Management Cross-Site Request Forgery
12.5.25 - Fortigate UTM WAF Appliance Cross-Site Scripting and HTML Injection Vulnerabilities

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Josh Bronson at TippingPoint,
a division of HP, as a by-product of that company’s continuous effort
to ensure that its intrusion prevention products effectively block
exploits using known vulnerabilities. TippingPoint’s analysis is
complemented by input from a council of security managers from twelve
large organizations who confidentially share with SANS the specific
actions they have taken to protect their systems. A detailed description
of the process may be found at
http://www.sans.org/newsletters/risk/#process

(1) MEDIUM: Mozilla Firefox Multiple Security Vulnerabilities

Affected:
Mozilla Firefox prior to 10.0
Mozilla Firefox 3.6.x prior to 3.6.26

Description: Mozilla has released patches to address multiple security
vulnerabilities in its Firefox web browser. The vulnerabilities include
unspecified memory corruption issues, a use-after-free error in
AttributeChildRemoved() that can be exploited by removing child nodes
from the nsDOMAttribute node, an unspecified vulnerability in the
handling of Ogg Vorbis multimedia files, and a memory corruption
vulnerability in XSLT stylesheets. By enticing a target to view a
malicious site, an attacker can exploit these vulnerabilities in order
to execute arbitrary code on the target’s machine.

Status: vendor confirmed, updates available

References:
Vendor Site
http://www.mozilla.org
Mozilla Firefox Security Bulletins
http://www.mozilla.org/security/announce/2012/mfsa2012-01.html
http://www.mozilla.org/security/announce/2012/mfsa2012-02.html
http://www.mozilla.org/security/announce/2012/mfsa2012-03.html
http://www.mozilla.org/security/announce/2012/mfsa2012-04.html
http://www.mozilla.org/security/announce/2012/mfsa2012-05.html
http://www.mozilla.org/security/announce/2012/mfsa2012-06.html
http://www.mozilla.org/security/announce/2012/mfsa2012-07.html
http://www.mozilla.org/security/announce/2012/mfsa2012-08.html
http://www.mozilla.org/security/announce/2012/mfsa2012-09.html
SecurityFocus BugTraq IDs
http://www.securityfocus.com/bid/51752
http://www.securityfocus.com/bid/51753
http://www.securityfocus.com/bid/51754
http://www.securityfocus.com/bid/51755
http://www.securityfocus.com/bid/51756
http://www.securityfocus.com/bid/51757
http://www.securityfocus.com/bid/51765
http://www.securityfocus.com/bid/51786
http://www.securityfocus.com/bid/51787

(2) MEDIUM: Symantec PCAnywhere Buffer Overflow

Affected:
Symantec pcAnywhere 12.0.x and 12.1.x prior to 12.5.3

Description: Symantec has released a patch to address a vulnerability
in its pcAnywhere product. PcAnywhere consists of a server and a client
that allow a user to connect to a computer and control it remotely. The
server component accepts requests for authentication on port 5631 and
copies the user-controlled username in these requests to a fixed-length
264-byte buffer. By sending an overlong username, an attacker can
exploit this buffer overflow in order to execute arbitrary code on the
target’s machine with SYSTEM-level privileges.

Status: vendor confirmed, updates available

References:
Vendor Site
http://www.symantec.om
Symantec Security Advisory
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120124_00
SecurityFocus BugTraq IDs
http://www.securityfocus.com/bid/51592

Part II – Comprehensive List of Newly Discovered Vulnerabilities from Qualys

(www.qualys.com)

This list is compiled by Qualys (www.qualys.com) as part of that
company’s ongoing effort to ensure its vulnerability management web
service tests for all known vulnerabilities that can be scanned. As of
this week Qualys scans for 13127 unique vulnerabilities. For this
special SANS community listing, Qualys also includes vulnerabilities
that cannot be scanned remotely.

12.5.1 CVE: Not Available

Platform: Third Party Windows Apps
Title: Trend Micro DataArmor and DriveArmor Pre-boot Local Privilege
Escalation
Description: DataArmor and DriveArmor are data encryption products.
DataArmor and DriveArmor are exposed to an unspecified local privilege
escalation issue that occurs in the pre-boot environment. Trend Micro
DriveArmor versions 3.0.0.x prior to 3.0.0.439 and Trend Micro
DataArmor versions 3.0.1x prior to 3.0.12.861 are affected.
Ref: http://esupport.trendmicro.com/solution/en-us/1060043.aspx

12.5.2 CVE: CVE-2011-4143

Platform: Third Party Windows Apps
Title: RSA enVision Environmental Variable Information Disclosure
Description: RSA enVision is a system for collecting and analyzing log
data. The application is exposed to an information disclosure issue
because it fails to properly handle an environment variable. RSA
enVision versions 4.x are vulnerable.
Ref: http://www.securityfocus.com/archive/1/521375
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4143

12.5.3 CVE: Not Available

Platform: Third Party Windows Apps
Title: PDF-XChange pdfSaver ActiveX Multiple Buffer Overflow
Vulnerabilities
Description: PDF-XChange is an application for converting documents
to PDF files. The application is exposed to multiple stack-based
buffer overflow issues that affect the PDF-Saver Technology.
Specifically, this issue affects the “pdfxctrl.dll” PDF Printer
Preferences ActiveX control. The issue occurs because the
application fails to sanitize user-supplied input submitted to the
“sub_path” item of the “StoreInRegistry” function and the “sub_key”
item of the “InitFromRegistry” function. PDF-XChange pdfSaver ActiveX
3.60.0128 is vulnerable and other versions may also be affected.
Ref: http://xforce.iss.net/xforce/xfdb/72774
http://www.securityfocus.com/bid/51712/discuss

12.5.4 CVE: CVE-2012-0814

Platform: Linux
Title: Debian Openssh Server Forced Command Handling Information
Disclosure
Description: Debian openssh server is software that provides encrypted
communications through the SSH protocol. The package is exposed to an
information disclosure issue. Specifically, the issue occurs because
the sever sends the information about configured forced commands to
the client when the verbose switch is used. This can help an attacker
to disclose usernames for tools such as gitolite that are dependent
upon forced commands. Debian openssh-server 1:5.5p1-6+squeeze1 is
affected and other versions may also be vulnerable.
Ref: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=657445
http://www.securityfocus.com/bid/51702/references

12.5.5 CVE: CVE-2012-0813

Platform: Linux
Title: Wicd “wicd/configmanager.py” Local Information Disclosure
Description: Wicd (Wireless Interface Connection Daemon) is a tool used
for establishing wired and wireless network connections for Linux. The
application is exposed to a local information disclosure issue.
Specifically, this issue occurs because the Wicd daemon writes sensitive
information such as passwords and passphrases in the log files. Wicd
1.7.1~b3-3 is vulnerable and other versions may also be affected.
Ref: http://www.securityfocus.com/bid/51703/references

12.5.6 CVE: CVE-2012-0395

Platform: Cross Platform
Title: EMC NetWorker Unspecified Buffer Overflow
Description: EMC NetWorker is a centralized data protection system
available for multiple operating systems. The application is exposed to
a buffer overflow issue because it fails to bounds check user-supplied
data before copying it into an insufficiently sized buffer. This issue
only affects EMC NetWorker Server hosts. EMC NetWorker Server 7.5.x
and 7.6.x are affected.
Ref: http://www.securityfocus.com/archive/1/521374

12.5.7 CVE: CVE-2011-4703

Platform: Cross Platform
Title: Limit My Call Remote Unauthorized Access
Description: Limit My Call is an application for limiting the duration
of outgoing calls for mobile devices using the Android operating
system. The application is exposed to a remote unauthorized access
issue. Limit My Call 2.11 is vulnerable and other versions may
also be affected.
Ref: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4703
http://www.securityfocus.com/bid/51693/references

12.5.8 CVE: CVE-2012-0068,CVE-2012-0067,CVE-2012-0066

Platform: Cross Platform
Title: Wireshark Buffer Underflow and Denial of Service
Vulnerabilities
Description: Wireshark (formerly Ethereal) is an application for
analyzing network traffic. The application is exposed to multiple
issues. A denial of service issue exists because the application fails
to properly check record sizes for “5Views”, “i4b” and “netmon” packet
capture file formats. A denial of service issue exists because of an
integer overflow error when handling the IPTrace capture file format.
A buffer underflow issue exists because of an error in the LANalyzer
dissector. Specifically, the application fails to properly handle
specially crafted LANalyzer packet capture files. Wireshark versions
1.4.0 through 1.4.10 and 1.6.0 through 1.6.4 are vulnerable.
Ref: http://www.wireshark.org/security/wnpa-sec-2012-01.html
http://www.securityfocus.com/bid/51710/references

12.5.9 CVE: CVE-2012-0817

Platform: Cross Platform
Title: Samba Memory Leak Local Denial Of Service
Description: Samba allows users to share files and printers between
operating systems on UNIX and Windows platforms. The application is
exposed to a local denial of service issue. Specifically, this issue
occurs in “smbd” daemon due to a memory leak error while handling
connection requests. Samba versions 3.6.0 through 3.6.2 are affected.
Ref: http://www.samba.org/samba/security/CVE-2012-0817

12.5.10 CVE: CVE 2012-0809

Platform: Cross Platform
Title: Todd Miller Sudo “Sudo_Debug()” Path Resolution Local Privilege
Escalation
Description: Todd Miller “sudo” is a widely used Linux/UNIX command that
allows users to securely run commands as the superuser or as other
users. The utility is exposed to a local privilege escalation issue due
to a format string error that affects the “sudo_debug()” function of the
“sudo.c” source file. This issue affects “sudo” 1.8.0 up to and
including 1.8.3p1.
Ref: http://www.sudo.ws/sudo/alerts/sudo_debug.html

12.5.11 CVE:

CVE-2011-3952,CVE-2011-3951,CVE-2011-3950,CVE-2011-3949,CVE-2011-3947,CVE-2011-3946,CVE-2011-3945,CVE-2011-3944,CVE-2011-3941,CVE-2011-3940,CVE-2011-3937,CVE-2011-3936,CVE-2011-3935,CVE-2011-3934,CVE-2011-3929
Platform: Cross Platform
Title: FFmpeg Multiple Remote Vulnerabilities
Description: FFmpeg is a multimedia player. The application is exposed
to multiple remote issues, see reference for detailed information.
FFmpeg versions prior to 0.10 are vulnerable.
Ref: http://ffmpeg.org/security.html

12.5.12 CVE: CVE-2011-4790

Platform: Cross Platform
Title: HP Network Automation Remote Unauthorized Access
Description: HP Network Automation is an application for managing
network data. The application is exposed to an unauthorized access
issue. HP Network Automation 7.2, 7.5, 7.6, 9.0 and 9.10 are
vulnerable.
Ref:
http://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay/?docId=emr_na-c03171149&ac.admitted=1328063432282.876444892.199480143

12.5.13 CVE: CVE-2012-0818

Platform: Cross Platform
Title: RESTEasy JaxB XML Entity References Information Disclosure
Description: RESTEasy is a JBoss module that provides frameworks to
build RESTful Web Services and RESTful Java applications. The
application is exposed to an information disclosure issue when
processing JaxB XML data. This issue can be exploited by sending
specially crafted JaxB XML data, including external entity references.
RESTEasy version 2.3.1 is affected.
Ref: https://issues.jboss.org/browse/RESTEASY-637
http://www.securityfocus.com/bid/51766/references

12.5.14 CVE:

CVE-2012-0445,CVE-2012-0447,CVE-2011-3659,CVE-2012-0442,CVE-2012-0443,CVE-2012-0444,CVE-2012-0449,CVE-2012-0446
Platform: Cross Platform
Title: Mozilla Firefox/SeaMonkey/Thunderbird Multiple Vulnerabilities
Description: Mozilla Firefox, SeaMonkey and Thunderbird are
exposed to multiple security issues. See references for detailed
information. Firefox versions 3.6.x prior to 3.6.26 and other versions
prior to 10.0, Thunderbird versions 3.1.x prior to 3.1.18 and other
versions prior to 10.0, SeaMonkey 2.7 are affected.
Ref: http://www.mozilla.org/security/announce/2012/mfsa2012-06.html
http://www.mozilla.org/security/announce/2012/mfsa2012-04.html
http://www.mozilla.org/security/announce/2012/mfsa2012-01.html
http://www.mozilla.org/security/announce/2012/mfsa2012-07.html
http://www.mozilla.org/security/announce/2012/mfsa2012-08.html
http://www.mozilla.org/security/announce/2012/mfsa2012-05.html
http://www.mozilla.org/security/announce/2012/mfsa2012-03.html

12.5.15 CVE: Not Available

Platform: Web Application - Cross Site Scripting
Title: Mibew Messenger Multiple Cross-Site Scripting Vulnerabilities
Description: Mibew Messenger is a web messenger implemented in PHP.
The application is exposed to multiple cross-site scripting issues

because it fails to properly sanitize user-supplied input submitted to
the following scripts and parameters: “/operator/ban.php” : “address”,
“threadid”, “/operator/settings.php” : “geolinkparams”,
“/operator/settings.php” : “title”, “chattitle”. Mibew Messenger 1.6.4
is vulnerable and other versions may also be affected.
Ref: http://www.securityfocus.com/bid/51723/references
http://www.codseq.it/advisories/mibew_messenger_multiple_xss
http://secunia.com/advisories/47787

12.5.16 CVE: Not Available

Platform: Web Application - Cross Site Scripting
Title: Hitachi JP1/IT Desktop Management Manager Unspecified
Cross-Site Scripting
Description: Hitachi JP1/IT Desktop Management is used to centrally
manage all the IT assets. The application is exposed to an unspecified
cross-site scripting issue because it fails to sanitize user-supplied input.
Hitachi JP1/IT Desktop Management Manager 09-50 is vulnerable.
Ref:
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS12-004/index.html

12.5.17 CVE: Not Available

Platform: Web Application - SQL Injection
Title: Campaign Enterprise “SID” Parameter SQL Injection
Description: Campaign Enterprise is an email marketing application.
The application is exposed to an SQL injection issue because it fails
to properly sanitize user-supplied input submitted to the “SID”
parameter of the “/Command” script before using it in an SQL query.
Campaign Enterprise 11.0.421 is vulnerable and other versions may also
be affected.
Ref: http://www.securityfocus.com/bid/51724/discuss
http://packetstormsecurity.org/files/109243/campaignenterprise-sql.txt

12.5.18 CVE: CVE-2012-0021

Platform: Web Application
Title: Apache HTTP Server mod_log_config Denial Of Service
Description: Apache HTTP Server is exposed to a denial of service issue
that affects the “mod_log_config” module. Specifically, if a
“%{cookiename}C” log format string is used, a remote attacker could
crash the application by sending a specially crafted cookie. Apache HTTP
Server versions 2.2.17, 2.2.18, 2.219, 2.2.20 and 2.2.21 are affected.
Ref: http://httpd.apache.org/security/vulnerabilities_22.html

12.5.19 CVE: Not Available

Platform: Web Application
Title: PEEL SHOPPING SQL Injection and Cross-Site Scripting
Vulnerabilities
Description: PEEL SHOPPING is a web-based e-commerce application. The
application is exposed to multiple issues because it fails
to sufficiently sanitize user-supplied input. Multiple cross-site
scripting issues affect the following scripts and parameters:
“index.php/achat/recherche.php” : “motclef”,
“index.php” : “PHP_SELF”. An SQL injection issue affects the “id”
parameter of the “administrer/tva.php” script. PEEL SHOPPING versions
2.8 and 2.9 are affected and other versions may also be vulnerable.
Ref: http://www.securityfocus.com/bid/51700/discuss
http://packetstormsecurity.org/files/109130/peelshopping-sqlxss.txt

12.5.20 CVE: Not Available

Platform: Web Application
Title: OSClass Multiple Remote Vulnerabilities
Description: OSClass is a PHP-based web application. The application
is exposed to multiple remote issues because it fails to sufficiently
sanitize user-supplied input. Multiple SQL injection issues affect
the “id” parameter of the “index.php” script, when performing the
“edit_category_post” and “enable_category” actions. A remote file
include issue affects the “file” parameter of the “index.php” script
in the “osc_downloadFile()” function. A cross-site scripting issue
affects the “id” parameter of the “index.php” script. OSClass 2.3.4 is
vulnerable and other versions may also be affected.
Ref: http://osclass.org/2012/01/16/osclass-2-3-5/
http://www.securityfocus.com/bid/51721/references

12.5.21 CVE: Not Available

Platform: Web Application
Title: FishEye and Crucible Webwork 2 Framework Remote Code Injection
Description: FishEye is a web-based bug tracking application. Crucible
is a web-based application used for code review. The applications are
exposed to an arbitrary code injection issue because the Webwork 2
framework fails to properly sanitize certain unspecified user-supplied
input. FishEye versions prior to 2.7.9 or 2.6.7, Crucible versions
prior to 2.7.9 or 2.6.7 are affected.
Ref:
http://confluence.atlassian.com/display/FISHEYE/FishEye+and+Crucible+Security+Advisory+2012-01-31
http://www.securityfocus.com/bid/51762/references

12.5.22 CVE: Not Available

Platform: Web Application
Title: HostBill PHP Code Injection
Description: HostBill is billing software for online businesses. The
application is exposed to an issue that lets attackers inject
arbitrary PHP code. The issue is caused by an error when processing
the subject field of submitted tickets. HostBill versions prior to
3.1.2 are vulnerable.
Ref: http://hostbillapp.com/changelog/
http://www.securityfocus.com/bid/51763/references

12.5.23 CVE: CVE-2011-4821

Platform: Network Device
Title: D-Link DIR-601 TFTP Server Directory Traversal
Description: D-Link DIR-601 is a wireless router. The router is
exposed to a directory traversal issue because it fails to
sufficiently sanitize user-supplied input in TFTP requests. D-Link
DIR-601 1.02NA is vulnerable and other versions may be affected.
Ref: http://www.securityfocus.com/archive/1/521369
http://xforce.iss.net/xforce/xfdb/72696
http://www.securityfocus.com/bid/51659

12.5.24 CVE: Not Available

Platform: Hardware
Title: Syneto Unified Threat Management Cross-Site Request Forgery
Description: Syneto Unified Threat Management is a security
appliance. The appliance is exposed to a cross-site request forgery
issue because the application does not properly validate HTTP
requests. Syneto Unified Threat Management 1.3.3 CE and 1.4.2 are
vulnerable and other versions may also be affected.
Ref: http://www.vulnerability-lab.com/get_content.php?id=373
http://www.securityfocus.com/bid/51707/references

12.5.25 CVE: Not Available

Platform: Hardware
Title: Fortigate UTM WAF Appliance Cross-Site Scripting and HTML
Injection Vulnerabilities
Description: Fortigate UTM WAF Appliance is a security appliance. The
appliance is exposed to multiple cross-site scripting and HTML injection
issues because it fails to properly sanitize user-supplied input to the
UTM WAF Web Application Interface. Fortinet FortiGate 800, 620B, 5000,
3950, 3810A, 3600A, 311B, 310B, 3016B, 300A, 224B, 200B and 1240B are
affected.
Ref: http://vulnerability-lab.com/get_content.php?id=144
http://www.securityfocus.com/bid/51708/info