netVigilance - assurance has arrived
2011 Issue #46

ScoutNews
The weekly Security update from
the makers of SecureScout

November 25, 2011



Table of Contents

Product Focus

This Week in Review

Top Security News Stories this Week

New Vulnerabilities Tested in SecureScout

New Vulnerabilities found this Week



Product Focus

Apache Chunked Vulnerability Scanner - The S4 Apache Chunked Vulnerability Scanner is a free utility made by SecureScout that will scan up to 256 IP addresses at once to assess if any are vulnerable to the Apache Chunked Encoding buffer overflow.

Download Here:
http://www2.netvigilance.com/productdownloads?productname=apachechunkedvulnerabilityscanner



This Week in Review

Increase in cyber crime expected for the holidays. AT&T under organized attack. Men indicted on ATM skimming charges. Class-action lawsuit against Sutter for lost data.

Enjoy reading & Stay safe.

Call or email netVigilance to get an update on SecureScout.
(503) 524 5758 or sales@netVigilance.com


Top Security News Stories this Week

Cyber Monday to bring increase in online threats

As users prepare for the long Thanksgiving weekend, internet fraudsters are already looking forward to Monday - the unofficial start of the holiday cybercrime season. Cyber Monday, the digital equivalent of the brick-and-mortar world's Black Friday, is one of the busiest online shopping days of the year, and typically marks the beginning of a monthlong period of increased online threats, Andres Kohn, vice president of technology at security firm Proofpoint, told SCMagazineUS.com on Tuesday.

Attack volume usually peaks during the two weeks before Christmas, when last-minute shoppers are online in full force, he said.

Safe online shopping tips
SC Magazine

Full Story :
http://www.scmagazineus.com/cyber-monday-to-bring-increase-in-online-threats/article/217438/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SCMagazineNews+%28SC+Magazine+News%29


AT&T struck with "organized" hacking attempt

AT&T on Monday revealed that it was the target of an "organized" hacking attempt to obtain information about customer accounts, though there was no compromise. The attackers attempted to use automated technologies to link AT&T telephone numbers with online accounts, spokesman Mark Siegel said in a statement sent to SCMagazineUS.com.

Less than one percent of AT&T wireless subscribers were affected by the breach, according to the company. AT&T reported having more than 100 million wireless subscribers at the end of the third quarter, meaning one million subscribers may have been impacted.

The Dallas-based telecommunications giant said it is still investigating the incident to determine the source and intent of the attempted hack.
SC Magazine

Full Story :
http://www.scmagazineus.com/att-struck-with-organized-hacking-attempt/article/217380/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SCMagazineNews+%28SC+Magazine+News%29


Three indicted in New York on ATM skimming charges

Authorities in New York have busted three men on charges they planted skimming devices on cash machines in Manhattan to rip off debit card numbers and make fraudulent transactions.

Nikolai Ivanov, 31; Dimitar Stamatov, 28; and Iordan Ivanov, 24, were charged last week in an 81-count indictment. The charges, which included identity theft, grand larceny, burglary, criminal possession of forgery devices and scheme to defraud, stem from a five-day-long "skimming spree" in January in Manhattan, according to the New York County district attorney's office.
SC Magazine

Full Story :
http://www.scmagazineus.com/three-indicted-in-new-york-on-atm-skimming-charges/article/217419/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SCMagazineNews+%28SC+Magazine+News%29


Sutter Health faces lawsuit after lost computer

Individuals affected by the massive data breach at Sutter Health, in which the personal information of 4.2 million patients went missing when an unencrypted desktop computer was stolen, have filed a class-action lawsuit against the Northern California-based health care system, according to a report in The Sacramento Bee.

The suit, filed Monday in Sacramento Superior Court, contends that the company was negligent in securing its computer systems and in notifying victims about the incident. 

The computer was stolen Oct. 17, but impacted patients weren't alerted until about a month later.
SC Magazine

Full Story :
http://www.scmagazineus.com/sutter-health-faces-lawsuit-after-lost-computer/article/217507/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+SCMagazineNews+%28SC+Magazine+News%29


New Vulnerabilities Tested in SecureScout

19620 Apache Tomcat 'sort' and 'orderBy' Parameters Cross Site Scripting Vulnerabilities

Multiple cross-site scripting (XSS) vulnerabilities in the Manager application in Apache Tomcat 6.0.12 through 6.0.29 and 7.0.0 through 7.0.4 allow remote attackers to inject arbitrary web script or HTML.
It was discovered that Tomcat did not properly escape certain parameters in the Manager application which could result in browsers becoming vulnerable to cross-site scripting attacks when processing the output. With cross-site scripting vulnerabilities, if a user were tricked into viewing server output during a crafted server request, a remote attacker could exploit this to modify the contents, or steal confidential data (such as passwords), within the same domain.


Test Case Impact: Gather Info | Vulnerability Impact: Attack | Risk: High

References:

* BUGTRAQ: 20101122 [SECURITY] CVE-2010-4172: Apache Tomcat Manager application XSS vulnerability
http://www.securityfocus.com/archive/1/archive/1/514866/100/0/threaded
* FULLDISC: 20101122 [SECURITY] CVE-2010-4172: Apache Tomcat Manager application XSS vulnerability
http://archives.neohapsis.com/archives/fulldisclosure/2010-11/0285.html
* CONFIRM:
http://svn.apache.org/viewvc?view=revision&revision=1037778
* CONFIRM:
http://svn.apache.org/viewvc?view=revision&revision=1037779
* CONFIRM:
http://tomcat.apache.org/security-6.html
* CONFIRM:
http://tomcat.apache.org/security-7.html
* CONFIRM:
https://bugzilla.redhat.com/show_bug.cgi?id=656246
* CONFIRM:
http://support.apple.com/kb/HT5002
* APPLE: APPLE-SA-2011-10-12-3
http://lists.apple.com/archives/Security-announce/2011//Oct/msg00003.html
* REDHAT: RHSA-2011:0791
http://www.redhat.com/support/errata/RHSA-2011-0791.html
* REDHAT: RHSA-2011:0896
http://www.redhat.com/support/errata/RHSA-2011-0896.html
* REDHAT: RHSA-2011:0897
http://www.redhat.com/support/errata/RHSA-2011-0897.html
* UBUNTU: USN-1048-1
http://www.ubuntu.com/usn/USN-1048-1
* BID: 45015
http://www.securityfocus.com/bid/45015
* SECTRACK: 1024764
http://securitytracker.com/id?1024764
* SECUNIA: 42337
http://secunia.com/advisories/42337
* SECUNIA: 43019
http://secunia.com/advisories/43019
* VUPEN: ADV-2010-3047
http://www.vupen.com/english/advisories/2010/3047
* VUPEN: ADV-2011-0203
http://www.vupen.com/english/advisories/2011/0203
* XF: tomcat-sessionlist-xss(63422)
http://xforce.iss.net/xforce/xfdb/63422

CVE Reference:

CVE-2010-4172 (cve.mitre.org, nvd.nist.gov)

19621 Adobe Shockwave Player DIRapi library vulnerability causes denial of service (CVE-2011-2446)

Critical vulnerabilities have been identified in Adobe Shockwave Player 11.6.1.629. These vulnerabilities could allow an attacker who successfully exploits them to run malicious code on the affected system. Adobe recommends users of Adobe Shockwave Player 11.6.1.629 and earlier versions update to Adobe Shockwave Player 11.6.3.633. This update resolves a memory corruption vulnerability in the DIRapi library that could lead to code execution.


Test Case Impact: Gather Info | Vulnerability Impact: DoS / Attack | Risk: High

References:

* CONFIRM:
http://www.adobe.com/support/security/bulletins/apsb11-27.html
* BID: 50581
http://www.securityfocus.com/bid/50581

CVE Reference:

CVE-2011-2446 (cve.mitre.org, nvd.nist.gov)

19622 Adobe Shockwave Player vulnerability allows running malicious code on the affected system (CVE-2011-2447)

Critical vulnerabilities have been identified in Adobe Shockwave Player 11.6.1.629 and earlier versions on the Windows and Macintosh operating systems. These vulnerabilities could allow an attacker who successfully exploits them to run malicious code on the affected system. Adobe recommends users of Adobe Shockwave Player 11.6.1.629 and earlier versions update to Adobe Shockwave Player 11.6.3.633 following the instructions in the Adobe bulletin referenced below.

Test Case Impact: Gather Info | Vulnerability Impact: DoS / Attack | Risk: High

References:

* CONFIRM:
http://www.adobe.com/support/security/bulletins/apsb11-27.html
* BID: 50581
http://www.securityfocus.com/bid/50581

CVE Reference:

CVE-2011-2447 (cve.mitre.org, nvd.nist.gov)

19623 Adobe Shockwave Player DIRapi library vulnerability causes denial of service (CVE-2011-2448)

Critical vulnerabilities have been identified in Adobe Shockwave Player 11.6.1.629 and earlier versions on the Windows and Macintosh operating systems. These vulnerabilities could allow an attacker who successfully exploits them to run malicious code on the affected system. Adobe recommends users of Adobe Shockwave Player 11.6.1.629 and earlier versions update to Adobe Shockwave Player 11.6.3.633 following the instructions in the Adobe bulletin referenced below.

Test Case Impact: Gather Info | Vulnerability Impact: DoS / Attack | Risk: High

References:

* CONFIRM:
http://www.adobe.com/support/security/bulletins/apsb11-27.html
* BID: 50581
http://www.securityfocus.com/bid/50581

CVE Reference:

CVE-2011-2448 (cve.mitre.org, nvd.nist.gov)

19624 Adobe Shockwave Player DIRapi library vulnerability causes denial of service (CVE-2011-2449)

Critical vulnerabilities have been identified in Adobe Shockwave Player 11.6.1.629 and earlier versions on the Windows and Macintosh operating systems. These vulnerabilities could allow an attacker who successfully exploits them to run malicious code on the affected system. Adobe recommends users of Adobe Shockwave Player 11.6.1.629 and earlier versions update to Adobe Shockwave Player 11.6.3.633 following the instructions in the Adobe bulletin referenced below.

Test Case Impact: Gather Info | Vulnerability Impact: DoS / Attack | Risk: High

References:

* CONFIRM:
http://www.adobe.com/support/security/bulletins/apsb11-27.html
* BID: 50581
http://www.securityfocus.com/bid/50581

CVE Reference:

CVE-2011-2449 (cve.mitre.org, nvd.nist.gov)

19625 Linux Kernel Integer overflow in the ib_uverbs_poll_cq function

Integer overflow in the ib_uverbs_poll_cq function in drivers/infiniband/core/uverbs_cmd.c in the Linux kernel before 2.6.37 allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact via a large value of a certain structure member.

Test Case Impact: Gather Info | Vulnerability Impact: DoS / Attack | Risk: Medium

References:

* CONFIRM:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=7182afea8d1afd432a17c18162cc3fd441d0da93
* CONFIRM:
http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.37
* CONFIRM:
https://bugzilla.redhat.com/show_bug.cgi?id=667916
* BID: 46073
http://www.securityfocus.com/bid/46073

CVE Reference:

CVE-2010-4649 (cve.mitre.org, nvd.nist.gov)

19626 Linux Kernel dvb_ca_ioctl function causes a DoS via a negative value

The dvb_ca_ioctl function in drivers/media/dvb/ttpci/av7110_ca.c in the Linux kernel before 2.6.38-rc2 does not check the sign of a certain integer field, which allows local users to cause a denial of service (memory corruption) or possibly have unspecified other impact via a negative value.

Test Case Impact: Gather Info | Vulnerability Impact: DoS / Attack | Risk: Medium

References:

* BUGTRAQ: 20111013 VMSA-2011-0012 VMware ESXi and ESX updates to third party libraries and ESX Service Console
http://www.securityfocus.com/archive/1/archive/1/520102/100/0/threaded
* MLIST: [oss-security] 20110125 Linux kernel av7110 negative array offset
http://openwall.com/lists/oss-security/2011/01/24/2
* MLIST: [oss-security] 20110125 Re: Linux kernel av7110 negative array offset
http://openwall.com/lists/oss-security/2011/01/25/2
* CONFIRM:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=cb26a24ee9706473f31d34cc259f4dcf45cd0644
* CONFIRM:
http://www.kernel.org/pub/linux/kernel/v2.6/testing/ChangeLog-2.6.38-rc2
* CONFIRM:
http://www.vmware.com/security/advisories/VMSA-2011-0012.html
* BID: 45986
http://www.securityfocus.com/bid/45986
* SECTRACK: 1025195
http://www.securitytracker.com/id?1025195
* SECUNIA: 43009
http://secunia.com/advisories/43009
* SECUNIA: 46397
http://secunia.com/advisories/46397
* XF: kernel-av7110ca-privilege-escalation(64988)
http://xforce.iss.net/xforce/xfdb/64988

CVE Reference:

CVE-2011-0521 (cve.mitre.org, nvd.nist.gov)

19627 Linux Kernel br_mdb_ip_get function causes a DoS via an IGMP packet

The br_mdb_ip_get function in net/bridge/br_multicast.c in the Linux kernel before 2.6.35-rc5 allows remote attackers to cause a denial of service (NULL pointer dereference and system crash) via an IGMP packet, related to lack of a multicast table.

Test Case Impact: Gather Info | Vulnerability Impact: DoS / Attack | Risk: Medium

References:

* MLIST: [netdev] 20100705 bridge br_multicast: BUG: unable to handle kernel NULL pointer dereference
http://www.spinics.net/lists/netdev/msg134414.html
* MLIST: [netdev] 20100706 Re: bridge br_multicast: BUG: unable to handle kernel NULL pointer dereference
http://www.spinics.net/lists/netdev/msg134444.html
* MLIST: [oss-security] 20110216 CVE request - kernel: bridge br_multicast NULL pointer dereference
http://openwall.com/lists/oss-security/2011/02/16/1
* MLIST: [oss-security] 20110216 Re: CVE request - kernel: bridge br_multicast NULL pointer dereference
http://openwall.com/lists/oss-security/2011/02/16/8
* MLIST: [oss-security] 20110216 Re: CVE request - kernel: bridge br_multicast NULL pointer dereference
http://openwall.com/lists/oss-security/2011/02/16/14
* CONFIRM:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=7f285fa78d4b81b8458f05e77fb6b46245121b4e
* CONFIRM:
http://www.kernel.org/pub/linux/kernel/v2.6/testing/v2.6.35/ChangeLog-2.6.35-rc5
* BID: 41432
http://www.securityfocus.com/bid/41432

CVE Reference:

CVE-2011-0709 (cve.mitre.org, nvd.nist.gov)

19628 phpMyAdmin discloses installation path via a direct request for a nonexistent file

phpMyAdmin 2.11.x before 2.11.11.2, and 3.3.x before 3.3.9.1, does not properly handle the absence of the (1) README, (2) ChangeLog, and (3) LICENSE files.

When the files README, ChangeLog or LICENSE have been removed from their original place (possibly by the distributor), the scripts used to display these files can show their full path, leading to possible further attacks.


Test Case Impact: Attack | Vulnerability Impact: Attack | Risk: High

References:

* CONFIRM:
http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin;a=commit;h=035d002db1e1201e73e560d7d98591563b506a83
* CONFIRM:
http://www.phpmyadmin.net/home_page/security/PMASA-2011-1.php
* FEDORA: FEDORA-2011-1373
http://lists.fedoraproject.org/pipermail/package-announce/2011-February/054349.html
* FEDORA: FEDORA-2011-1408
http://lists.fedoraproject.org/pipermail/package-announce/2011-February/054355.html
* MANDRIVA: MDVSA-2011:026
http://www.mandriva.com/security/advisories?name=MDVSA-2011:026
* SECUNIA: 43478
http://secunia.com/advisories/43478
* VUPEN: ADV-2011-0385
http://www.vupen.com/english/advisories/2011/0385
* XF: phpmyadmin-readme-path-disclosure(65424)
http://xforce.iss.net/xforce/xfdb/65424

CVE Reference:

CVE-2011-0986 (cve.mitre.org, nvd.nist.gov)

19629 phpMyAdmin PMA_Bookmark_get function causes execution of a SQL query by creating a bookmark

The PMA_Bookmark_get function in libraries/bookmark.lib.php in phpMyAdmin 2.11.x before 2.11.11.3, and 3.3.x before 3.3.9.2, does not properly restrict bookmark queries, which makes it easier for remote authenticated users to trigger another user's execution of a SQL query by creating a bookmark.

Test Case Impact: Attack | Vulnerability Impact: Attack | Risk: High

References:

* CONFIRM:
http://phpmyadmin.git.sourceforge.net/git/gitweb.cgi?p=phpmyadmin/phpmyadmin;a=commit;h=a5464b4daff0059cdf8c9e5f4d54a80e2dd2a5b0
* CONFIRM:
http://www.phpmyadmin.net/home_page/security/PMASA-2011-2.php
* DEBIAN: DSA-2167
http://www.debian.org/security/2011/dsa-2167
* FEDORA: FEDORA-2011-1373
http://lists.fedoraproject.org/pipermail/package-announce/2011-February/054349.html
* FEDORA: FEDORA-2011-1408
http://lists.fedoraproject.org/pipermail/package-announce/2011-February/054355.html
* FEDORA: FEDORA-2011-1282
http://lists.fedoraproject.org/pipermail/package-announce/2011-March/054525.html
* MANDRIVA: MDVSA-2011:026
http://www.mandriva.com/security/advisories?name=MDVSA-2011:026
* BID: 46359
http://www.securityfocus.com/bid/46359
* SECUNIA: 43324
http://secunia.com/advisories/43324
* SECUNIA: 43391
http://secunia.com/advisories/43391
* SECUNIA: 43478
http://secunia.com/advisories/43478
* VUPEN: ADV-2011-0381
http://www.vupen.com/english/advisories/2011/0381
* VUPEN: ADV-2011-0385
http://www.vupen.com/english/advisories/2011/0385
* VUPEN: ADV-2011-0409
http://www.vupen.com/english/advisories/2011/0409
* VUPEN: ADV-2011-0512
http://www.vupen.com/english/advisories/2011/0512
* VUPEN: ADV-2011-0570
http://www.vupen.com/english/advisories/2011/0570
* XF: phpmyadmin-bookmark-security-bypass(65390)
http://xforce.iss.net/xforce/xfdb/65390

CVE Reference:

CVE-2011-0987 (cve.mitre.org, nvd.nist.gov)


New Vulnerabilities found this Week

CVE-2011-4160    HP    CVSS 2.0 Score = 3.2

Unspecified vulnerability in HP Operations Agent 11.00 and Performance Agent 4.73 and 5.0 on AIX, HP-UX, Linux, and Solaris allows local users to bypass intended directory-access restrictions via unknown vectors.

Test Case Impact: | Vulnerability Impact: | Risk: Low

References:

HP: http://marc.info/?l=bugtraq&m=132198248000785&w=2

CVE Reference: CVE-2011-4160

CVE-2011-4499    Cisco    CVSS 2.0 Score = 7.5

The UPnP IGD implementation in the Broadcom UPnP stack on the Cisco Linksys WRT54G with firmware before 4.30.5, WRT54GS v1 through v3 with firmware before 4.71.1, and WRT54GS v4 with firmware before 1.06.1 allows remote attackers to establish arbitrary port mappings by sending a UPnP AddPortMapping action in a SOAP request to the WAN interface, related to an "external forwarding" vulnerability.

Test Case Impact: | Vulnerability Impact: | Risk: High

References:

CERT-VN: http://www.kb.cert.org/vuls/id/357851

MISC: http://www.upnp-hacks.org/devices.html

CVE Reference: CVE-2011-4499

CVE-2011-4500    Cisco    CVSS 2.0 Score = 7.5

The UPnP IGD implementation on the Cisco Linksys WRT54GX with firmware 2.00.05, when UPnP is enabled, configures the SOAP server to listen on the WAN port, which allows remote attackers to administer the firewall via SOAP requests.

Test Case Impact: | Vulnerability Impact: | Risk: High

References:

CERT-VN: http://www.kb.cert.org/vuls/id/357851

MISC: http://www.upnp-hacks.org/devices.html

CVE Reference: CVE-2011-4500

CVE-2011-4256    RealNetworks    CVSS 2.0 Score = 10.0

The RV30 codec in RealNetworks RealPlayer before 15.0.0 and Mac RealPlayer before 12.0.0.1703 does not initialize an unspecified index value, which allows remote attackers to execute arbitrary code via unknown vectors.

Test Case Impact: | Vulnerability Impact: | Risk: High

References:

CONFIRM: http://service.real.com/realplayer/security/11182011_player/en/

CVE Reference: CVE-2011-4256

CVE-2011-4254    RealNetworks    CVSS 2.0 Score = 10.0

RealNetworks RealPlayer before 15.0.0 allows remote attackers to execute arbitrary code via a crafted RTSP SETUP request.

Test Case Impact: | Vulnerability Impact: | Risk: High

References:

CONFIRM: http://service.real.com/realplayer/security/11182011_player/en/

CVE Reference: CVE-2011-4254

CVE-2011-4253    RealNetworks    CVSS 2.0 Score = 10.0

Unspecified vulnerability in the RV20 codec in RealNetworks RealPlayer before 15.0.0 and Mac RealPlayer before 12.0.0.1703 allows remote attackers to execute arbitrary code via unknown vectors.

Test Case Impact: | Vulnerability Impact: | Risk: High

References:

CONFIRM: http://service.real.com/realplayer/security/11182011_player/en/

CVE Reference: CVE-2011-4253

CVE-2011-4250    RealNetworks    CVSS 2.0 Score = 10.0

Unspecified vulnerability in the ATRC codec in RealNetworks RealPlayer before 15.0.0 and Mac RealPlayer before 12.0.0.1703 allows remote attackers to execute arbitrary code via unknown vectors.

Test Case Impact: | Vulnerability Impact: | Risk: High

References:

CONFIRM: http://service.real.com/realplayer/security/11182011_player/en/

CVE Reference: CVE-2011-4250

CVE-2011-4249    RealNetworks    CVSS 2.0 Score = 10.0

Array index error in the RV30 codec in RealNetworks RealPlayer before 15.0.0 allows remote attackers to execute arbitrary code via unspecified vectors.

Test Case Impact: | Vulnerability Impact: | Risk: High

References:

CONFIRM: http://service.real.com/realplayer/security/11182011_player/en/

CVE Reference: CVE-2011-4249


Vulnerability Resource
Check out this compendium of links and up-to-the-minute information about network security issues. Their claim to be the 'security portal for information system security professionals' is well founded. http://www.infosyssec.org/infosyssec/

Thank You
Thanks for sifting through another great edition of the ScoutNews. We hope we captured a flavor for the week and gave you just enough information on newly found vulnerabilities to keep you up-to-date. To subscribe or unsubscribe, contact us at ScoutNews@netVigilance.com

About SecureScout
SecureScout is a leading vulnerability scanner and management tool developed and marketed worldwide by NexantiS Corporation.
SecureScout is a trademark of NexantiS Corporation.
netVigilance, Inc. is a partner of NexantiS and an authorized distributor of SecureScout.

For any inquiry about SecureScout:
Customers in America and Northern Europe contact us at info@netVigilance.com
Customers in France, Italy, Spain, Portugal, Greece, Turkey, Eastern Europe, Middle East, Africa and Asia/Pacific, contact NexantiS at info-scanner@securescout.net