Weekly Vulnerabilities Reports > May 23 to 29, 2011

Overview

34 new vulnerabilities were reported during this period, including 4 critical vulnerabilities and 5 high severity vulnerabilities. This weekly summary reports vulnerabilities in 29 products from 24 vendors, including Google, IBM, Linux, Dovecot, and Redhat. The vulnerabilities are notably categorized as "Improper Input Validation", "Resource Management Errors", "Permissions, Privileges, and Access Controls", "Resource Exhaustion", and "Cross-site Scripting".

  • 29 reported vulnerabilities are remotely exploitable.
  • 9 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 27 reported vulnerabilities are exploitable by an anonymous user.
  • Google has the most reported vulnerabilities, with 7 reported vulnerabilities.
  • Google has the most reported critical vulnerabilities, with 3 reported vulnerabilities.

[Summary chart: counts of total, critical risk, high risk, medium risk and low risk vulnerabilities; remotely exploitable, locally exploitable, exploit available, exploitable anonymously, and affecting web application. The figures themselves are not present in this copy of the page.]

Vulnerability Details

The following table lists the reported vulnerabilities for the period covered by this report:

4 Critical Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS

2011-05-26 | CVE-2011-1807 | Google | Out-Of-Bounds Write vulnerability in Google Chrome | 10.0
    Google Chrome before 11.0.696.71 does not properly handle blobs, which allows remote attackers to execute arbitrary code via unspecified vectors that trigger an out-of-bounds write.

2011-05-26 | CVE-2011-1806 | Google | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Google Chrome | 10.0
    Google Chrome before 11.0.696.71 does not properly implement the GPU command buffer, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors.

2011-05-24 | CVE-2011-2171 | Google | Unspecified vulnerability in Google Chrome OS | 10.0
    Unspecified vulnerability in the dbugs package in Google Chrome OS before R12 0.12.433.38 Beta has unknown impact and attack vectors.

2011-05-26 | CVE-2011-1581 | Linux | Improper Input Validation vulnerability in Linux Kernel | 9.0
    The bond_select_queue function in drivers/net/bonding/bond_main.c in the Linux kernel before 2.6.39, when a network device with a large number of receive queues is installed but the default tx_queues setting is used, does not properly restrict queue indexes, which allows remote attackers to cause a denial of service (BUG and system crash) or possibly have unspecified other impact by sending network traffic.

5 High Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS

2011-05-26 | CVE-2010-4805 | Linux, Redhat | Resource Exhaustion vulnerability in multiple products | 7.8
    The socket implementation in net/core/sock.c in the Linux kernel before 2.6.35 does not properly manage a backlog of received packets, which allows remote attackers to cause a denial of service by sending a large amount of network traffic, related to the sk_add_backlog function and the sk_rmem_alloc socket field.

2011-05-26 | CVE-2010-4251 | Linux, Vmware, Redhat | Resource Exhaustion vulnerability in multiple products | 7.8
    The socket implementation in net/core/sock.c in the Linux kernel before 2.6.34 does not properly manage a backlog of received packets, which allows remote attackers to cause a denial of service (memory consumption) by sending a large amount of network traffic, as demonstrated by netperf UDP tests.

2011-05-26 | CVE-2011-1804 | Apple, Google | Improper Input Validation vulnerability in Google Chrome | 7.5
    rendering/RenderBox.cpp in WebCore in WebKit before r86862, as used in Google Chrome before 11.0.696.71, does not properly render floats, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors that lead to a "stale pointer."

2011-05-24 | CVE-2011-1328 | Radvision | SQL Injection vulnerability in Radvision Iview Suite 5.5/5.7/7.0 | 7.5
    SQL injection vulnerability in RADVISION iVIEW Suite before 7.5 allows remote attackers to execute arbitrary SQL commands via unspecified vectors.

2011-05-24 | CVE-2011-2169 | Google | Permissions, Privileges, and Access Controls vulnerability in Google Chrome OS | 7.2
    Google Chrome OS before R12 0.12.433.38 Beta allows local users to gain privileges by creating a /var/lib/chromeos-aliases.conf file and placing commands in it.

21 Medium Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS

2011-05-23 | CVE-2011-2165 | Watchguard | Permissions, Privileges, and Access Controls vulnerability in Watchguard XCS 9.0/9.1 | 6.8
    The STARTTLS implementation in WatchGuard XCS 9.0 and 9.1 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted SMTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.

2011-05-24 | CVE-2011-2167 | Dovecot | Path Traversal vulnerability in Dovecot | 6.5
    script-login in Dovecot 2.0.x before 2.0.13 does not follow the chroot configuration setting, which might allow remote authenticated users to conduct directory traversal attacks by leveraging a script.

2011-05-24 | CVE-2011-2166 | Dovecot | Configuration vulnerability in Dovecot | 6.5
    script-login in Dovecot 2.0.x before 2.0.13 does not follow the user and group configuration settings, which might allow remote authenticated users to bypass intended access restrictions by leveraging a script.

2011-05-24 | CVE-2011-1521 | Python | Resource Management Errors vulnerability in Python | 6.4
    The urllib and urllib2 modules in Python 2.x before 2.7.2 and 3.x before 3.2.1 process Location headers that specify redirection to file: URLs, which makes it easier for remote attackers to obtain sensitive information or cause a denial of service (resource consumption) via a crafted URL, as demonstrated by the file:///etc/passwd and file:///dev/zero URLs.

2011-05-26 | CVE-2011-1775 | Tigervnc | Improper Input Validation vulnerability in Tigervnc 1.1 | 5.8
    The CSecurityTLS::processMsg function in common/rfb/CSecurityTLS.cxx in the vncviewer component in TigerVNC 1.1beta1 does not properly verify the server's X.509 certificate, which allows man-in-the-middle attackers to spoof a TLS VNC server via an arbitrary certificate.

2011-05-23 | CVE-2011-1766 | Mediawiki | Improper Authentication vulnerability in Mediawiki | 5.8
    includes/User.php in MediaWiki before 1.16.5, when wgBlockDisablesLogin is enabled, does not clear certain cached data after verification of an auth token fails, which allows remote attackers to bypass authentication by creating crafted wikiUserID and wikiUserName cookies, or by leveraging an unattended workstation.

2011-05-23 | CVE-2011-1575 | Pureftpd | Resource Management Errors vulnerability in Pureftpd Pure-Ftpd | 5.8
    The STARTTLS implementation in ftp_parser.c in Pure-FTPd before 1.0.30 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted FTP sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.

2011-05-26 | CVE-2010-2246 | FEH Project | Improper Input Validation vulnerability in FEH Project FEH | 5.1
    feh before 1.8, when the --wget-timestamp option is enabled, might allow remote attackers to execute arbitrary commands via shell metacharacters in a URL.

2011-05-23 | CVE-2011-1926 | CMU | Permissions, Privileges, and Access Controls vulnerability in CMU Cyrus Imap Server | 5.1
    The STARTTLS implementation in Cyrus IMAP Server before 2.4.7 does not properly restrict I/O buffering, which allows man-in-the-middle attackers to insert commands into encrypted sessions by sending a cleartext command that is processed after TLS is in place, related to a "plaintext command injection" attack, a similar issue to CVE-2011-0411.

2011-05-26 | CVE-2011-1801 | Google | Unspecified vulnerability in Google Chrome | 5.0
    Unspecified vulnerability in Google Chrome before 11.0.696.71 allows remote attackers to bypass the pop-up blocker via unknown vectors.

2011-05-24 | CVE-2011-2168 | Openbsd | Numeric Errors vulnerability in Openbsd | 5.0
    Multiple integer overflows in the glob implementation in libc in OpenBSD before 4.9 might allow context-dependent attackers to have an unspecified impact via a crafted string, related to the GLOB_APPEND and GLOB_DOOFFS flags, a different issue than CVE-2011-0418.

2011-05-24 | CVE-2011-1929 | Dovecot | Improper Input Validation vulnerability in Dovecot | 5.0
    lib-mail/message-header-parser.c in Dovecot 1.2.x before 1.2.17 and 2.0.x before 2.0.13 does not properly handle '\0' characters in header names, which allows remote attackers to cause a denial of service (daemon crash or mailbox corruption) via a crafted e-mail message.

2011-05-23 | CVE-2009-5024 | Viewvc | Resource Management Errors vulnerability in Viewvc | 5.0
    ViewVC before 1.1.11 allows remote attackers to bypass the cvsdb row_limit configuration setting, and consequently conduct resource-consumption attacks, via the limit parameter, as demonstrated by a "query revision history" request.

2011-05-24 | CVE-2011-2170 | Google | Improper Input Validation vulnerability in Google Chrome OS | 4.4
    Google Chrome OS before R12 0.12.433.38 Beta, when Guest mode is enabled, does not prevent changes on the about:flags page, which has unspecified impact and local attack vectors.

2011-05-26 | CVE-2011-2172 | IBM | Cross-Site Scripting vulnerability in IBM Websphere Portal 7.0.0.1 | 4.3
    Cross-site scripting (XSS) vulnerability in the search center in IBM WebSphere Portal 7.0.0.1 before CF004 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

2011-05-24 | CVE-2011-1928 | Apache | Resource Management Errors vulnerability in Apache Apr-Util and Http Server | 4.3
    The fnmatch implementation in apr_fnmatch.c in the Apache Portable Runtime (APR) library 1.4.3 and 1.4.4, and the Apache HTTP Server 2.2.18, allows remote attackers to cause a denial of service (infinite loop) via a URI that does not match unspecified types of wildcard patterns, as demonstrated by attacks against mod_autoindex in httpd when a /*/WEB-INF/ configuration pattern is used.

2011-05-24 | CVE-2011-1595 | Rdesktop | Path Traversal vulnerability in Rdesktop | 4.3
    Directory traversal vulnerability in the disk_create function in disk.c in rdesktop before 1.7.0, when disk redirection is enabled, allows remote RDP servers to read or overwrite arbitrary files via a ..

2011-05-23 | CVE-2011-1765 | Mediawiki | Cross-Site Scripting vulnerability in Mediawiki | 4.3
    Cross-site scripting (XSS) vulnerability in MediaWiki before 1.16.5, when Internet Explorer 6 or earlier is used, allows remote attackers to inject arbitrary web script or HTML via an uploaded file accessed with a dangerous extension such as .shtml at the end of the query string, in conjunction with a modified URI path that has a %2E sequence in place of the .

2011-05-26 | CVE-2011-2173 | IBM | Resource Management Errors vulnerability in IBM Websphere Portal 6.0.1.7/7.0.0.1 | 4.0
    The implementation of OutputMediator objects in IBM WebSphere Portal 6.0.1.7, and 7.0.0.1 before CF002, allows remote authenticated users to cause a denial of service (memory consumption) via requests.

2011-05-26 | CVE-2010-4806 | IBM | Permissions, Privileges, and Access Controls vulnerability in IBM web Content Manager 6.1.5/7.0.01 | 4.0
    The authoring tool in IBM Web Content Manager (WCM) 6.1.5, and 7.0.0.1 before CF003, allows remote authenticated users to bypass intended access restrictions on draft creation by leveraging certain resource editor privileges.

2011-05-24 | CVE-2011-0418 | Pureftpd, Netbsd | Improper Input Validation vulnerability in multiple products | 4.0
    The glob implementation in Pure-FTPd before 1.0.32, and in libc in NetBSD 5.1, does not properly expand expressions containing curly brackets, which allows remote authenticated users to cause a denial of service (memory consumption) via a crafted FTP STAT command.

4 Low Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS

2011-05-26 | CVE-2011-1758 | Fedoraproject | Improper Authentication vulnerability in Fedoraproject Sssd | 3.7
    The krb5_save_ccname_done function in providers/krb5/krb5_auth.c in System Security Services Daemon (SSSD) 1.5.x before 1.5.7, when automatic ticket renewal and offline authentication are configured, uses a pathname string as a password, which allows local users to bypass Kerberos authentication by listing the /tmp directory to obtain the pathname.

2011-05-26 | CVE-2010-4807 | IBM | Race Condition vulnerability in IBM web Content Manager 7.0.0.1 | 3.5
    Race condition in IBM Web Content Manager (WCM) 7.0.0.1 before CF003 allows remote authenticated users to cause a denial of service (infinite recursive query) via unspecified vectors, related to a StackOverflowError exception.

2011-05-24 | CVE-2011-1424 | EMC, Microsoft, IBM | Configuration vulnerability in EMC Sourceone Email Management 6.5.2.3668 | 3.5
    The default configuration of ExShortcut\Web.config in EMC SourceOne Email Management before 6.6 SP1, when the Mobile Services component is used, does not properly set the localOnly attribute of the trace element, which allows remote authenticated users to obtain sensitive information via ASP.NET Application Tracing.

2011-05-23 | CVE-2011-1920 | Netbsd, Ihji | Link Following vulnerability in multiple products | 3.3
    The make include files in NetBSD before 1.6.2, as used in pmake 1.111 and other products, allow local users to overwrite arbitrary files via a symlink attack on a /tmp/_depend##### temporary file, related to (1) bsd.lib.mk and (2) bsd.prog.mk.