Summary of Updates and Vulnerabilities in this Consensus

Platform Number of Updates and Vulnerabilities
— | —
Windows 1 (#1)
Other Microsoft Products 1
Third Party Windows Apps 8
Linux 1
Cross Platform | 9 (#2,#3,#4)
Web Application - Cross Site Scripting | 1
Web Application - SQL Injection 1
Web Application 3
Network Device | 1
Hardware 1

Part I – Critical Vulnerabilities from TippingPoint ( www.tippingpoint.com )

Widely Deployed Software
(1) HIGH: Microsoft Windows Kernel 0-Day Vulnerability
(2) MEDIUM: Apple QuickTime Multiple Vulnerabilities
(3) MEDIUM: Adobe Reader Multiple Security Vulnerabilities
(4) MEDIUM: Novell iPrint Client nipplib.dll Buffer Overflow

Part II – Comprehensive List of Newly Discovered Vulnerabilities from Qualys

(www.qualys.com)

Windows

11.45.1 - Microsoft Windows Kernel Word File Handling Remote Code Execution

Other Microsoft Products

11.45.2 - Microsoft Outlook Web Access Session Replay Security Bypass

Third Party Windows Apps

11.45.3 - Novell iPrint Client “nipplib.dll” Remote Code Execution
11.45.4 - Novell ZENworks Handheld Management “Common.dll” Directory Traversal
11.45.5 - Winamp Multiple Remote Vulnerabilities
11.45.6 - FFFTP Insecure Executable File Loading Arbitrary Code Execution
11.45.7 - GFI Faxmaker Divide-By-Zero Denial of Service
11.45.8 - YaTFTPSvr TFTP Server Directory Traversal
11.45.9 - NJStar Communicator MiniSMTP Server Remote Stack Buffer Overflow
11.45.10 - GE Proficy Historian Data Archiver Service Remote Buffer Overflow

Linux

11.45.11 - Openswan Crpyotgraphic Helper Use After Free Remote Denial Of Service

Cross Platform

11.45.12 - Apple QuickTime Multiple Vulnerabilities
11.45.13 - IBM Lotus Sametime Configuration Servlet Authentication Security Bypass
11.45.14 - Tor Directory Remote Information Disclosure Vulnerability Bridge Enumeration Weaknesses
11.45.15 - Opera Web Browser Escape Sequence Stack Buffer Overflow Denial of Service
11.45.16 - net6 Session Hijacking and Information Disclosure Vulnerabilities
11.45.17 - Novell Messenger Server Memory Information Disclosure
11.45.18 - Squid Proxy Caching Server CNAME Denial of Service
11.45.19 - IBM WebSphere MQ CCDT File Local Privilege Escalation
11.45.20 - HP OpenView Network Node Manager Multiple Remote Code Execution Vulnerabilities

Web Application - Cross Site Scripting

11.45.21 - BackupPC “index.cgi” Cross-Site Scripting

Web Application - SQL Injection

11.45.22 - SjXjV “post.php” SQL Injection

Web Application

11.45.23 - IBM HTTP Server Multiple Cross-Site Scripting Vulnerabilities
11.45.24 - IBM WebSphere ILOG Rule Team Server Unspecified Cross-Site Scripting
11.45.25 - eFront Multiple Security Vulnerabilities

Network Device

11.45.26 - D-Link DIR-300 Unspecified Remote Code Execution and Remote File Disclosure Vulnerabilities

Hardware

11.45.27 - Toshiba e-Studio Devices Password Information Disclosure

PART I Critical Vulnerabilities

Part I for this issue has been compiled by Josh Bronson at TippingPoint,
a division of HP, as a by-product of that company’s continuous effort
to ensure that its intrusion prevention products effectively block
exploits using known vulnerabilities. TippingPoint’s analysis is
complemented by input from a council of security managers from twelve
large organizations who confidentially share with SANS the specific
actions they have taken to protect their systems. A detailed description
of the process may be found at
http://www.sans.org/newsletters/risk/#process

(1) HIGH: Microsoft Windows Kernel 0-Day Vulnerability

Affected:
Microsoft Windows XP
Microsoft Windows Vista
Microsoft Windows Server 2003
Microsoft Windows Server 2008
Microsoft Windows 7

Description: The Microsoft Windows Kernel is susceptible to an 0-day
vulnerability that is being actively exploited in the wild by the
W32.Duqu worm. By enticing the target to view a malicious Word document,
the worm exploits a previously unknown vulnerability in the Windows
kernel to exploit arbitrary code on the target’s machine. Technical
information about the vulnerability is not available publicly. Microsoft
has not yet publicly acknowledged the vulnerability, but, according to
Secunia, Microsoft is working on a patch.

Status: vendor not confirmed, updates not available

References:
Vendor Site
http://www.microsoft.com
SecurityFocus BugTraq IDs
http://www.securityfocus.com/bid/50462

(2) MEDIUM: Apple QuickTime Multiple Vulnerabilities

Affected:
Apple QuickTime prior to 7.7.1

Description: Apple has released patches for multiple security
vulnerabilities affecting its QuickTime media player. The
vulnerabilities include buffer overflows in the code responsible for
handling H.264-encoded movie files, FlashPix files, FLIC files, and FLC
movie files; an unspecified implementation issue; various memory
corruption issues in the code responsible for movie files and the TKHD
atoms in QuickTime movie files; integer overflows in the code
responsible for handling PICT files and JPEG2000-encoded movie files;
and a signedness issue in the code responsible for handling font tables
in embedded QuickTime files. By enticing a target to open a malicious
file, an attacker can exploit these vulnerabilities in order to execute
arbitrary code on the target’s machine.

Status: vendor confirmed, updates available

References:
Vendor Site
http://www.apple.com
Apple Security Advisory
http://support.apple.com/kb/HT5016
SecurityFocus BugTraq IDs
http://www.securityfocus.com/bid/50068
http://www.securityfocus.com/bid/50100
http://www.securityfocus.com/bid/50101
http://www.securityfocus.com/bid/50122
http://www.securityfocus.com/bid/50127
http://www.securityfocus.com/bid/50130
http://www.securityfocus.com/bid/50131
http://www.securityfocus.com/bid/50399
http://www.securityfocus.com/bid/50400
http://www.securityfocus.com/bid/50401
http://www.securityfocus.com/bid/50403
http://www.securityfocus.com/bid/50404
Zero Day Initiative Advisories
http://www.zerodayinitiative.com/advisories/ZDI-11-314/
http://www.zerodayinitiative.com/advisories/ZDI-11-315/
http://www.zerodayinitiative.com/advisories/ZDI-11-316/

(3) MEDIUM: Adobe Reader Multiple Security Vulnerabilities

Affected:
Adobe Reader X (10.1) and earlier versions for Windows and Macintosh
Adobe Reader 9.4.2 and earlier versions for UNIX
Adobe Acrobat X (10.1) and earlier versions for Windows and Macintosh

Description: Adobe has released patches addressing multiple security
vulnerabilities in its Reader and Acrobat products. The vulnerabilities
include a flaw in the version of libtiff used by Adobe Reader X, which
copies attacker-controlled U3D data onto a fixed length stack; heap and
stack buffer overflows in the code responsible for handling PICT, IFF,
and BMP images; and an integer overflow vulnerability in the code
responsible for handling PCX images. By enticing a target to open a
malicious file, an attacker can exploit these vulnerabilities in order
to execute arbitrary code on the target’s machine.

Status: vendor confirmed, updates available

References:
Vendor Site
http://www.adobe.com
Adobe Security Bulletin
http://www.adobe.com/support/security/bulletins/apsb11-24.html
SecurityFocus BugTraq IDs
http://www.securityfocus.com/bid/49572
http://www.securityfocus.com/bid/49575
http://www.securityfocus.com/bid/49576
http://www.securityfocus.com/bid/49577
http://www.securityfocus.com/bid/49578
http://www.securityfocus.com/bid/49579
http://www.securityfocus.com/bid/49580
http://www.securityfocus.com/bid/49581
http://www.securityfocus.com/bid/49582
http://www.securityfocus.com/bid/49583
http://www.securityfocus.com/bid/49584
http://www.securityfocus.com/bid/49585
http://www.securityfocus.com/bid/49586
Zero Day Initiative Advisories
http://www.zerodayinitiative.com/advisories/ZDI-11-296/
http://www.zerodayinitiative.com/advisories/ZDI-11-297/
http://www.zerodayinitiative.com/advisories/ZDI-11-298/
http://www.zerodayinitiative.com/advisories/ZDI-11-299/
http://www.zerodayinitiative.com/advisories/ZDI-11-300/
http://www.zerodayinitiative.com/advisories/ZDI-11-301/
http://www.zerodayinitiative.com/advisories/ZDI-11-302/

(4) MEDIUM: Novell iPrint Client nipplib.dll Buffer Overflow

Affected:
Novell iPrint Client prior to 5.72

Description: Novell has released a patch addressing a vulnerability in
its iPrint client, part of its iPrint system, which is designed to allow
shared access to printers using the Internet Printing Protocol (IPP).
The vulnerability is due to a problem in the GetDriverSettings method
in nipplib.dll library, which can be exploited via an ActiveX web site.
The vulnerable method copies an attacker-controlled hostname and port
into a fixed-length buffer when it writes to a log. By enticing a target
to view such a malicious page, an attacker can exploit this
vulnerability in order to execute arbitrary code on a target’s machine.

Status: vendor confirmed, updates available

References:
Vendor Site
http://www.novell.com
Novell Advisory
http://www.novell.com/support/viewContent.do?externalId=7009676
SecurityFocus BugTraq ID
http://www.securityfocus.com/bid/50367

Part II – Comprehensive List of Newly Discovered Vulnerabilities from Qualys

(www.qualys.com)

This list is compiled by Qualys (www.qualys.com) as part of that
company’s ongoing effort to ensure its vulnerability management web
service tests for all known vulnerabilities that can be scanned. As of
this week Qualys scans for 12615 unique vulnerabilities. For this
special SANS community listing, Qualys also includes vulnerabilities
that cannot be scanned remotely.

11.45.1 CVE: Not Available

Platform: Windows
Title: Microsoft Windows Kernel Word File Handling Remote Code
Execution
Description: Microsoft Windows kernel is exposed to a remote code
execution issue when handling a specially crafted Word (.doc) file.
Microsoft Windows XP, Vista, Windows 7, Windows Server 2003 and
Windows Server 2008 are vulnerable.
Ref: http://www.securityfocus.com/bid/50462/references

11.45.2 CVE: Not Available

Platform: Other Microsoft Products
Title: Microsoft Outlook Web Access Session Replay Security Bypass
Description: Microsoft Outlook Web Access is a web-based email client
application that is bundled with Microsoft Exchange. The application
is exposed to a security bypass issue. The issue occurs because the
application allows attackers to sniff web cookies and then replay
them. This will allow attackers to clone another user’s web session.
Microsoft Outlook Web Access 8.2.254.0 is vulnerable and other
versions may also be affected.
Ref: http://seclists.org/fulldisclosure/2011/Oct/818

11.45.3 CVE: CVE-2011-3173

Platform: Third Party Windows Apps
Title: Novell iPrint Client “nipplib.dll” Remote Code Execution
Description: Novell iPrint Client is a client application for printing
over the Internet. The application is exposed to a remote
code execution issue. The problem occurs in the “GetDriverSettings”
function of the “nipplib.dll” file. Versions prior to Novell iPrint
Client 5.72 are affected.
Ref: http://www.securityfocus.com/bid/50367/discuss

11.45.4 CVE: CVE-2011-4027

Platform: Third Party Windows Apps
Title: Novell ZENworks Handheld Management “Common.dll” Directory
Traversal
Description: Novell ZENworks Handheld Management is an application
used to secure stolen handheld devices from leaking sensitive
information. The application is exposed to a directory traversal issue
because it fails to sufficiently sanitize user-supplied input. The
problem affects the “Common.dll” library and allows attackers to
create arbitrary files on the affected system. Novell ZENworks
Handheld Management version 7 and 7 SP1 are affected.
Ref:
http://www.novell.com/support/search.do?cmd=displayKC&docType=kc&externalId=InfoDocument-patchbuilder-readme5112510&sliceId=&docTypeID=DT_SUSESDB_PSDB_1_1&dialogID=276545417&stateId=0%200276543451,
http://www.novell.com/support/search.do?cmd=displayKC&docType=kc&externalId=7009486&sliceId=1&docTypeID=DT_TID_1_1&dialogID=276545417&stateId=00 276543451

11.45.5 CVE: Not Available

Platform: Third Party Windows Apps
Title: Winamp Multiple Remote Vulnerabilities
Description: Nullsoft Winamp is a media player for Microsoft Windows.
The application is exposed to multiple issues. A heap-based buffer
overflow issue affects the “in_midi.dll” plugin when processing the
“iOffsetMusic” value within the Creative Music Format header.
A heap-based buffer overflow issue affects the “in_mod.dll” plugin
when processing the “channels” value within the Advanced Module Format
header. A heap-based buffer overflow issue affects the
“in_nsv.dll” plugin when handling the “toc_alloc” value within the
Nullsoft Streaming Video header. Winamp version 5.621 is
vulnerable and prior versions may also be affected.
Ref: http://www.securityfocus.com/bid/50387/discuss

11.45.6 CVE: CVE-2011-3991

Platform: Third Party Windows Apps
Title: FFFTP Insecure Executable File Loading Arbitrary Code Execution
Description: FFFTP is an FTP client for Microsoft Windows. The
application is exposed to a issue that lets attackers execute
arbitrary code. The issue arises because the application loads an
executable (notepad.exe) file in an insecure manner. Attackers must
entice an unsuspecting user into opening a file on a remote WebDAV or
SMB share to exploit this issue. FFFTP versions prior to 1.98b are
affected.
Ref: http://www.securityfocus.com/bid/50412/references

11.45.7 CVE: Not Available

Platform: Third Party Windows Apps
Title: GFI Faxmaker Divide-By-Zero Denial of Service
Description: GFI Faxmaker is an application for managing network fax
servers. The application is exposed to a remote denial of service
issue due to an integer division by zero condition
when processing crafted “.fax” files. GFI Faxmaker 10.0 Build 237 is
vulnerable and other versions may also be affected.
Ref: http://www.securityfocus.com/bid/50429/discuss

11.45.8 CVE: Not Available

Platform: Third Party Windows Apps
Title: YaTFTPSvr TFTP Server Directory Traversal
Description: YaTFTPSvr is a TFTP server for various Microsoft Windows
platforms. The application is exposed to a directory traversal issue
because it fails to sufficiently sanitize directory traversal strings
from user-supplied filenames. YaTFTPSvr 1.0.1.200 is vulnerable and
other versions may also be affected.
Ref: http://www.securityfocus.com/archive/1/520302

11.45.9 CVE: Not Available

Platform: Third Party Windows Apps
Title: NJStar Communicator MiniSMTP Server Remote Stack Buffer
Overflow
Description: NJStar Communicator is a web-based communication
application. The application is exposed to a remote stack-based buffer
overflow issue because it fails to properly bounds check user-supplied
data before copying it to an insufficiently sized memory buffer. A
specially crafted packet can be used to trigger this vulnerability.
NJStar Communicator 3.00 is vulnerable and other versions may also be
affected.
Ref: http://www.securityfocus.com/bid/50452/discuss

11.45.10 CVE: CVE-2011-1918

Platform: Third Party Windows Apps
Title: GE Proficy Historian Data Archiver Service Remote Buffer
Overflow
Description: Proficy Historian is a data historian application that
collects, archives and distributes production information. The
application is exposed to a remote stack-based buffer overflow issue
because it fails to perform adequate boundary checks on user-supplied
data before copying it to an insufficiently sized buffer. Proficy
Historian version 4.0 and prior, Proficy HMI/SCADA CIMPLICITY version
8.1 (If Historian is installed), Proficy HMI/SCADA iFix version 5.0 and
5.1 (If Historian is installed) are affected.
Ref: http://www.us-cert.gov/control_systems/pdf/ICSA-11-243-03.pdf

11.45.11 CVE: CVE-2011-4073

Platform: Linux
Title: Openswan Crpyotgraphic Helper Use After Free Remote Denial Of
Service
Description: Openswan is an implementation of IPsec for Linux.
Openswan is exposed to a remote denial of service issue because of a
use-after-free error related to the cryptographic helper handler. This
issue occurs when handling a specially crafted ISAKMP phase 1
authentication packet. This issue occurs only when Openswan is
configured with “nhelpers=0”. Openswan 2.3.0 to 2.6.36 are affected.
Ref: http://www.openswan.org/download/CVE-2011-4073/CVE-2011-4073.txt

11.45.12 CVE: CVE-2011-3219,CVE-2011-3220, CVE-2011-3221,CVE-2011-3218,CVE-2011-3222,CVE-2011-3223, CVE-2011-3228,

CVE-2011-3247,CVE-2011-3248, CVE-2011-3249,CVE-2011-3250,CVE-2011-3251
Platform: Cross Platform
Title: Apple QuickTime Multiple Vulnerabilities
Description: Apple QuickTime is a media player that supports multiple
file formats. The application is exposed to multiple security issues.
See reference for detailed information. Versions prior to QuickTime
7.7.1 are vulnerable on Windows 7, Vista and XP.
Ref: http://support.apple.com/kb/HT5016

11.45.13 CVE: CVE-2011-1370

Platform: Cross Platform
Title: IBM Lotus Sametime Configuration Servlet Authentication
Security Bypass
Description: IBM Lotus Sametime is a real time web conferencing
application. The application is exposed to a security bypass issue.
This issue occurs because the configuration servlet does not require
any authentication for requests. All version of IBM Lotus Sametime are
affected.
Ref: http://www-01.ibm.com/support/docview.wss?uid=swg21569452

11.45.14 CVE: CVE-2011-2769,CVE-2011-2768

Platform: Cross Platform
Title: Tor Directory Remote Information Disclosure Vulnerability
Bridge Enumeration Weaknesses
Description: Tor is an implementation of second generation onion
routing, a connection oriented anonymous communication service. The
application is exposed to multiple bridge enumeration weaknesses and an
information disclosure issue that occurs because the application allows
attackers to reuse TLS certificates on certain connections. This will
allow the attacker to conduct fingerprinting attacks.
Versions prior to Tor 0.2.2.34 are vulnerable.
Ref: http://www.securityfocus.com/bid/50414/discuss

11.45.15 CVE: Not Available

Platform: Cross Platform
Title: Opera Web Browser Escape Sequence Stack Buffer Overflow Denial
of Service
Description: Opera is a Web browser application. The application
is exposed to a denial of service issue. This issue occurs when the
application processes a web page with specially crafted
JavaScript code containing two different escape sequences. This will
result in a stack overflow and cause the application to terminate.
Opera Web Browser 11.52 is vulnerable and other versions may also be
affected.
Ref: http://www.securityfocus.com/bid/50421/discuss

11.45.16 CVE: CVE-2011-4093,CVE-2011-4091

Platform: Cross Platform
Title: net6 Session Hijacking and Information Disclosure
Vulnerabilities
Description: net6 is a networking library. net6 is exposed to multiple
issues. An information disclosure issue occurs because it fails to
properly validate the authentication of a connecting user, which may
result in disclosure of certain information about already logged in
users. A session hijacking issue occurs due to an integer overflow
of the internal ID counter. net6 1.3.13 is vulnerable and other
versions may also be affected.
Ref: http://www.securityfocus.com/bid/50442/references

11.45.17 CVE: CVE-2011-3179

Platform: Cross Platform
Title: Novell Messenger Server Memory Information Disclosure
Description: Novell GroupWise Messenger is a corporate
instant messaging application for multiple platforms. The application
is exposed to an information disclosure issue that lets attackers
retrieve contents of arbitrary memory locations when processing
certain commands. Novell Messenger 2.2.0, Novell Messenger 2.1 and
GroupWise Messenger 2.04 and earlier are affected.
Ref: http://www.novell.com/support/viewContent.do?externalId=7009634

11.45.18 CVE: Not Available

Platform: Cross Platform
Title: Squid Proxy Caching Server CNAME Denial of Service
Description: Squid is a caching proxy for the Web, supporting HTTP,
HTTPS and FTP. The application is exposed to a denial of service
issue because of an error while handling DNS requests. Specifically,
the issue occurs when a CNAME record points to another CNAME record
referring to an empty A-record. Squid 3.1.16 is vulnerable and other
versions may also be affected.
Ref: http://www.securityfocus.com/bid/50449/references

11.45.19 CVE: CVE-2009-0900

Platform: Cross Platform
Title: IBM WebSphere MQ CCDT File Local Privilege Escalation
Description: IBM WebSphere MQ is a messaging application. The
application is exposed to a local privilege escalation issue due to a
buffer overflow condition. This issue occurs when handling a specially
crafted Client Channel Definition Table file containing
incorrect SSL information. IBM WebSphere MQ versions 6 prior to
6.0.2.7 and IBM WebSphere MQ 7 versions prior to 7.0.1.0 are affected.
Ref: http://xforce.iss.net/xforce/xfdb/51038

11.45.20 CVE: CVE-2011-3167,CVE-2011-3166, CVE-2011-3165

Platform: Cross Platform
Title: HP OpenView Network Node Manager Multiple Remote Code Execution
Vulnerabilities
Description: HP OpenView Network Node Manager (NNM) is a
fault-management application for IP networks. The application is
exposed to multiple remote code execution issues. These issues affects
NNM 7.51 and 7.53 running on HP-UX, Linux, Solaris and Windows.
Other versions and platforms may also be affected.
Ref: http://www.securityfocus.com/archive/1/520349

11.45.21 CVE: CVE-2011-3361

Platform: Web Application - Cross Site Scripting
Title: BackupPC “index.cgi” Cross-Site Scripting
Description: BackupPC is a remote backup application. The application
is exposed to a cross-site scripting issue because it fails to
properly sanitize user-supplied input to the “num” parameter of the
“index.cgi” script. BackupPC 3.2.1 is vulnerable and other versions may
also be affected.
Ref: http://osvdb.org/72055

11.45.22 CVE: Not Available

Platform: Web Application - SQL Injection
Title: SjXjV “post.php” SQL Injection
Description: SjXjV is a web-based application implemented in PHP.
SjXjV is exposed to an SQL injection issue because it fails to
sufficiently sanitize user-supplied data submitted to the “tid”
parameter of the “post.php” script. SjXjV 2.3 is vulnerable and other
versions may also be affected.
Ref: http://www.securityfocus.com/bid/50426/discuss

11.45.23 CVE: CVE-2011-1360

Platform: Web Application
Title: IBM HTTP Server Multiple Cross-Site Scripting Vulnerabilities
Description: IBM HTTP Server is an application server used for
service oriented architecture. The application is exposed to multiple
cross-site scripting issues because it fails to properly sanitize
user-supplied input located in the “manual/ibm” and
“htdocs/*/manual/ibm/“ sub-directories. IBM HTTP Server Versions
1.3.x, and 2.0 (2.0.42 and 2.0.47) are affected.
Ref: http://www-01.ibm.com/support/docview.wss?uid=swg21502580

11.45.24 CVE: Not Available

Platform: Web Application
Title: IBM WebSphere ILOG Rule Team Server Unspecified Cross-Site
Scripting
Description: IBM WebSphere ILOG Rule Team Server is a business rule
management application. The application is exposed to a cross-site
scripting issue because it fails to properly sanitize user-supplied
input. IBM WebSphere ILOG Rule Team Server 7.11 is vulnerable and
other versions may also be affected.
Ref: http://www-01.ibm.com/support/docview.wss?uid=swg1RS00810

11.45.25 CVE: Not Available

Platform: Web Application
Title: eFront Multiple Security Vulnerabilities
Description: eFront is a PHP-based e-learning application. The
application is exposed to multiple SQL injection issues, a remote code
injection issue, an authentication bypass and privilege escalation
issue, a remote code execution issue and a file upload issue. eFront
3.6.10 is vulnerable and prior versions may also be affected.
Ref: http://www.securityfocus.com/bid/50391/discuss

11.45.26 CVE: Not Available

Platform: Network Device
Title: D-Link DIR-300 Unspecified Remote Code Execution and Remote
File Disclosure Vulnerabilities
Description: The D-Link DIR-300 is a wireless router. The device is
exposed to an unspecified remote code execution issue and an
unspecified remote file disclosure issue. D-Link DIR-300 is affected.
Ref: http://www.securityfocus.com/archive/1/520286

11.45.27 CVE: Not Available

Platform: Hardware
Title: Toshiba e-Studio Devices Password Information Disclosure
Description: Toshiba e-Studio Device provides printing solutions. The
device is exposed to an information disclosure issue. Specifically,
the device fails to restrict access to the various configuration
pages, which allows unauthenticated attackers to obtain passwords in
plaintext from the html source code (such as administrative password).
Toshiba e-STUDIO305, e-STUDIO455, e-STUDIO600 and e-STUDIO603 are
affected.
Ref: http://www.foofus.net/?page_id=457