Weekly Vulnerabilities Reports > May 30 to June 5, 2011
Overview
43 new vulnerabilities were reported during this period, including 17 critical vulnerabilities and 8 high severity vulnerabilities. This weekly summary reports vulnerabilities in 52 products from 23 vendors, including Cisco, IBM, Microsoft, Apache, and Apple. The vulnerabilities are notably categorized as "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Resource Management Errors", "Permissions, Privileges, and Access Controls", "Numeric Errors", and "Improper Input Validation".
- 37 reported vulnerabilities are remotely exploitable.
- 1 reported vulnerability has a public exploit available.
- 3 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
- 34 reported vulnerabilities are exploitable by an anonymous user.
- Cisco has the most reported vulnerabilities, with 15 reported vulnerabilities.
- IBM has the most reported critical vulnerabilities, with 9 reported vulnerabilities.
Vulnerability Details
The following tables list the reported vulnerabilities for the period covered by this report:
17 Critical Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2011-06-02 | CVE-2011-2331 | HP | Numeric Errors vulnerability in HP Intelligent Management Center: Integer overflow in img.exe in HP Intelligent Management Center (IMC) allows remote attackers to execute arbitrary code via a crafted length value in a packet that triggers a heap-based buffer overflow, possibly related to a "recv" field. | 10.0 |
2011-06-02 | CVE-2011-2024 | Cisco | Credentials Management vulnerability in Cisco CNS Network Registrar: Cisco Network Registrar before 7.2 has a default administrative password, which makes it easier for remote attackers to obtain access via a TCP session, aka Bug ID CSCsm50627. | 10.0 |
2011-06-02 | CVE-2011-1623 | Cisco | Credentials Management vulnerability in Cisco products: Cisco Media Processing Software before 1.2 on Media Experience Engine (MXE) 5600 devices has a default root password, which makes it easier for context-dependent attackers to obtain access via (1) the local console, (2) an SSH session, or (3) a TELNET session, aka Bug ID CSCto77737. | 10.0 |
2011-05-31 | CVE-2011-2214 | 7T | Remote Memory Corruption vulnerability in 7T Interactive Graphical SCADA System Malformed ODBC Packet: Unspecified vulnerability in the Open Database Connectivity (ODBC) component in 7T Interactive Graphical SCADA System (IGSS) before 9.0.0.11143 allows remote attackers to execute arbitrary code via a crafted packet to TCP port 20222, which triggers memory corruption related to an "invalid structure being used." | 10.0 |
2011-06-02 | CVE-2011-2040 | Cisco, Apple, Linux | Improper Input Validation vulnerability in Cisco AnyConnect Secure Mobility Client: The helper application in Cisco AnyConnect Secure Mobility Client (formerly AnyConnect VPN Client) before 2.5.3041, and 3.0.x before 3.0.629, on Linux and Mac OS X downloads a client executable file (vpndownloader.exe) without verifying its authenticity, which allows remote attackers to execute arbitrary code via the url property to a Java applet, aka Bug ID CSCsy05934. | 9.3 |
2011-05-31 | CVE-2011-1645 | Cisco | Configuration vulnerability in Cisco products: The web management interface on the Cisco RVS4000 Gigabit Security Router with software 1.x before 1.3.3.4 and 2.x before 2.0.2.7, and the WRVS4400N Gigabit Security Router with software before 2.0.2.1, allows remote attackers to read the backup configuration file, and consequently execute arbitrary code, via unspecified vectors, aka Bug ID CSCtn23871. | 9.3 |
2011-05-31 | CVE-2011-1512 | Autonomy, IBM | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products: Heap-based buffer overflow in xlssr.dll in Autonomy KeyView, as used in IBM Lotus Notes before 8.5.2 FP3, allows remote attackers to execute arbitrary code via a malformed BIFF record in a .xls Excel spreadsheet attachment, aka SPR PRAD8E3HKR. | 9.3 |
2011-05-31 | CVE-2011-1218 | Autonomy, IBM | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in multiple products: Buffer overflow in kvarcve.dll in Autonomy KeyView, as used in IBM Lotus Notes before 8.5.2 FP3, allows remote attackers to execute arbitrary code via a crafted .zip attachment, aka SPR PRAD8E3NSP. | 9.3 |
2011-05-31 | CVE-2011-1217 | IBM | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in IBM Lotus Notes: Buffer overflow in kpprzrdr.dll in Autonomy KeyView, as used in IBM Lotus Notes before 8.5.2 FP3, allows remote attackers to execute arbitrary code via a crafted .prz attachment. | 9.3 |
2011-05-31 | CVE-2011-1216 | IBM | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in IBM Lotus Notes: Stack-based buffer overflow in assr.dll in Autonomy KeyView, as used in IBM Lotus Notes before 8.5.2 FP3, allows remote attackers to execute arbitrary code via crafted tag data in an Applix spreadsheet attachment, aka SPR PRAD8823A7. | 9.3 |
2011-05-31 | CVE-2011-1215 | IBM | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in IBM Lotus Notes: Stack-based buffer overflow in mw8sr.dll in Autonomy KeyView, as used in IBM Lotus Notes before 8.5.2 FP3, allows remote attackers to execute arbitrary code via a crafted link in a Microsoft Office document attachment, aka SPR PRAD8823ND. | 9.3 |
2011-05-31 | CVE-2011-1214 | IBM | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in IBM Lotus Notes: Stack-based buffer overflow in rtfsr.dll in Autonomy KeyView, as used in IBM Lotus Notes before 8.5.2 FP3, allows remote attackers to execute arbitrary code via a crafted link in a .rtf attachment, aka SPR PRAD8823JQ. | 9.3 |
2011-05-31 | CVE-2011-1213 | IBM | Numeric Errors vulnerability in IBM Lotus Notes: Integer underflow in lzhsr.dll in Autonomy KeyView, as used in IBM Lotus Notes before 8.5.2 FP3, allows remote attackers to execute arbitrary code via a crafted header in a .lzh attachment that triggers a stack-based buffer overflow, aka SPR PRAD88MJ2W. | 9.3 |
2011-05-31 | CVE-2011-0628 | Adobe, Apple, Linux, Microsoft, Oracle | Numeric Errors vulnerability in Adobe Flash Player: Integer overflow in Adobe Flash Player before 10.3.181.14 on Windows, Mac OS X, Linux, and Solaris and before 10.3.185.21 on Android allows remote attackers to execute arbitrary code via ActionScript that improperly handles a long array object. | 9.3 |
2011-06-02 | CVE-2011-2330 | IBM | Permissions, Privileges, and Access Controls vulnerability in IBM Tivoli Management Framework: Tivoli Endpoint in IBM Tivoli Management Framework 3.7.1, 4.1, 4.1.1, and 4.3.1 has an unspecified "built-in account" that is "trivially" accessed, which makes it easier for remote attackers to send requests to restricted pages via a session on TCP port 9495, a different vulnerability than CVE-2011-1220. | 9.0 |
2011-06-02 | CVE-2011-1220 | IBM | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in IBM Tivoli Management Framework: Stack-based buffer overflow in lcfd.exe in Tivoli Endpoint in IBM Tivoli Management Framework 3.7.1, 4.1, 4.1.1, and 4.3.1 allows remote authenticated users to execute arbitrary code via a long opts field. | 9.0 |
2011-05-31 | CVE-2011-1646 | Cisco | Code Injection vulnerability in Cisco products: The web management interface on the Cisco RVS4000 Gigabit Security Router with software 1.x before 1.3.3.4 and 2.x before 2.0.2.7, and the WRVS4400N Gigabit Security Router with software before 2.0.2.1, allows remote authenticated users to execute arbitrary commands via the (1) ping test parameter or (2) traceroute test parameter, aka Bug ID CSCtn23871. | 9.0 |
8 High Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2011-05-31 | CVE-2011-1651 | Cisco | Resource Management Errors vulnerability in Cisco IOS XR: Cisco IOS XR 3.9.x and 4.0.x before 4.0.3 and 4.1.x before 4.1.1, when an SPA interface processor is installed, allows remote attackers to cause a denial of service (device reload) via a crafted IPv4 packet, aka Bug ID CSCto45095. | 7.8 |
2011-05-31 | CVE-2011-1649 | Cisco | Resource Management Errors vulnerability in Cisco products: The Internet Streamer application in Cisco Content Delivery System (CDS) with software 2.5.7, 2.5.8, and 2.5.9 before build 126 allows remote attackers to cause a denial of service (Web Engine crash) via a crafted URL, aka Bug IDs CSCtg67333 and CSCth25341. | 7.8 |
2011-05-31 | CVE-2011-0949 | Cisco | Resource Management Errors vulnerability in Cisco IOS XR: Cisco IOS XR 3.6.x, 3.8.x before 3.8.3, and 3.9.x before 3.9.1 does not properly remove sshd_lock files from /tmp/, which allows remote attackers to cause a denial of service (disk consumption) by making many SSHv1 connections, aka Bug ID CSCtd64417. | 7.8 |
2011-05-31 | CVE-2011-0943 | Cisco | Resource Management Errors vulnerability in Cisco IOS XR 3.8.3/3.8.4/3.9.1: Cisco IOS XR 3.8.3, 3.8.4, and 3.9.1 allows remote attackers to cause a denial of service (NetIO process restart or device reload) via a crafted IPv4 packet, aka Bug ID CSCth44147. | 7.8 |
2011-06-02 | CVE-2011-2039 | Cisco, Microsoft | Improper Input Validation vulnerability in Cisco AnyConnect Secure Mobility Client: The helper application in Cisco AnyConnect Secure Mobility Client (formerly AnyConnect VPN Client) before 2.3.185 on Windows, and on Windows Mobile, downloads a client executable file (vpndownloader.exe) without verifying its authenticity, which allows remote attackers to execute arbitrary code via the url property to a certain ActiveX control in vpnweb.ocx, aka Bug ID CSCsy00904. | 7.6 |
2011-05-31 | CVE-2011-2215 | Walrus Digit | Security vulnerability in WalRack: Unspecified vulnerability in WalRack 1.x before 1.1.8 and 2.x before 2.0.6 has unknown impact and attack vectors, possibly related to file deletion and an encoded URL, a different vulnerability than CVE-2011-1329. | 7.5 |
2011-05-31 | CVE-2011-1938 | PHP | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in PHP: Stack-based buffer overflow in the socket_connect function in ext/sockets/sockets.c in PHP 5.3.3 through 5.3.6 might allow context-dependent attackers to execute arbitrary code via a long pathname for a UNIX socket. | 7.5 |
2011-06-02 | CVE-2011-2041 | Cisco, Microsoft | Permissions, Privileges, and Access Controls vulnerability in Cisco AnyConnect Secure Mobility Client: The Start Before Logon (SBL) functionality in Cisco AnyConnect Secure Mobility Client (formerly AnyConnect VPN Client) before 2.3.254 on Windows, and on Windows Mobile, allows local users to gain privileges via unspecified user-interface interaction, aka Bug ID CSCta40556. | 7.2 |
16 Medium Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2011-05-31 | CVE-2011-1485 | Redhat | Race Condition vulnerability in Redhat PolicyKit 0.96: Race condition in the pkexec utility and polkitd daemon in PolicyKit (aka polkit) 0.96 allows local users to gain privileges by executing a setuid program from pkexec, related to the use of the effective user ID instead of the real user ID. | 6.9 |
2011-06-02 | CVE-2011-2328 | HP | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in HP LoadRunner: Buffer overflow in HP LoadRunner allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a .usr (aka Virtual User script) file with long directives. | 6.8 |
2011-06-02 | CVE-2011-1026 | Apache | Cross-Site Request Forgery (CSRF) vulnerability in Apache Archiva: Multiple cross-site request forgery (CSRF) vulnerabilities in Apache Archiva 1.0 through 1.2.2, and 1.3.x before 1.3.5, allow remote attackers to hijack the authentication of administrators. | 6.8 |
2011-05-31 | CVE-2011-1329 | Walrus Digit | Permissions, Privileges, and Access Controls vulnerability in Walrus Digit WalRack: WalRack 1.x before 1.1.9 and 2.x before 2.0.7 does not properly restrict file uploads, which allows remote attackers to execute arbitrary PHP code via vectors involving a double extension, as demonstrated by a .php.zzz file. | 6.8 |
2011-06-02 | CVE-2011-1603 | Cisco | Permissions, Privileges, and Access Controls vulnerability in Cisco products: Cisco Unified IP Phones 7900 devices (aka TNP phones) with software before 9.2.1 allow local users to gain privileges via unspecified vectors, aka Bug ID CSCtn65815. | 6.6 |
2011-06-02 | CVE-2011-1602 | Cisco | Permissions, Privileges, and Access Controls vulnerability in Cisco products: The su utility on Cisco Unified IP Phones 7900 devices (aka TNP phones) with software before 9.0.3 allows local users to gain privileges via unspecified vectors, aka Bug ID CSCtf07426. | 6.6 |
2011-06-02 | CVE-2011-2329 | Apache | Permissions, Privileges, and Access Controls vulnerability in Apache Rampart/C 1.3.0: The rampart_timestamp_token_validate function in util/rampart_timestamp_token.c in Apache Rampart/C 1.3.0 does not properly calculate the expiration of timestamp tokens, which allows remote attackers to bypass intended access restrictions by leveraging an expired token, a different vulnerability than CVE-2011-0730. | 6.5 |
2011-06-02 | CVE-2011-0730 | Eucalyptus, Canonical | Improper Input Validation vulnerability in multiple products: Eucalyptus before 2.0.3 and Eucalyptus EE before 2.0.2, as used in Ubuntu Enterprise Cloud (UEC) and other products, do not properly interpret signed elements in SOAP requests, which allows man-in-the-middle attackers to execute arbitrary commands by modifying a request, related to an "XML Signature Element Wrapping" or a "SOAP signature replay" issue. | 6.5 |
2011-05-31 | CVE-2011-0546 | Symantec | Improper Input Validation vulnerability in Symantec Backup Exec: Symantec Backup Exec 11.0, 12.0, 12.5, 13.0, and 13.0 R2 does not validate identity information sent between the media server and the remote agent, which allows man-in-the-middle attackers to execute NDMP commands via unspecified vectors. | 6.5 |
2011-06-02 | CVE-2009-4008 | Nlnetlabs | Resource Management Errors vulnerability in Nlnetlabs Unbound: Unbound before 1.4.4 does not send responses for signed zones after mishandling an unspecified query, which allows remote attackers to cause a denial of service (DNSSEC outage) via a crafted query. | 5.0 |
2011-06-02 | CVE-2011-1947 | Fetchmail | Resource Management Errors vulnerability in Fetchmail: fetchmail 5.9.9 through 6.3.19 does not properly limit the wait time after issuing a (1) STARTTLS or (2) STLS request, which allows remote servers to cause a denial of service (application hang) by acknowledging the request but not sending additional packets. | 5.0 |
2011-05-31 | CVE-2011-1910 | ISC | Numeric Errors vulnerability in ISC BIND: Off-by-one error in named in ISC BIND 9.x before 9.7.3-P1, 9.8.x before 9.8.0-P2, 9.4-ESV before 9.4-ESV-R4-P1, and 9.6-ESV before 9.6-ESV-R4-P1 allows remote DNS servers to cause a denial of service (assertion failure and daemon exit) via a negative response containing large RRSIG RRsets. | 5.0 |
2011-05-31 | CVE-2011-1647 | Cisco | Information Exposure vulnerability in Cisco products: The web management interface on the Cisco RVS4000 Gigabit Security Router with software 1.x before 1.3.3.4 and 2.x before 2.0.2.7, and the WRVS4400N Gigabit Security Router with software before 2.0.2.1, allows remote attackers to read the private key for the admin SSL certificate via unspecified vectors, aka Bug ID CSCtn23871. | 5.0 |
2011-06-02 | CVE-2011-1077 | Apache | Cross-Site Scripting vulnerability in Apache Archiva: Multiple cross-site scripting (XSS) vulnerabilities in Apache Archiva 1.0 through 1.2.2, and 1.3.x before 1.3.5, allow remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 4.3 |
2011-05-31 | CVE-2011-1937 | Webmin | Cross-Site Scripting vulnerability in Webmin: Cross-site scripting (XSS) vulnerability in Webmin 1.540 and earlier allows local users to inject arbitrary web script or HTML via a chfn command that changes the real (aka Full Name) field, related to useradmin/index.cgi and useradmin/user-lib.pl. | 4.3 |
2011-05-31 | CVE-2011-1922 | Nlnetlabs | Resource Management Errors vulnerability in Nlnetlabs Unbound: daemon/worker.c in Unbound 1.x before 1.4.10, when debugging functionality and the interface-automatic option are enabled, allows remote attackers to cause a denial of service (assertion failure and daemon exit) via a crafted DNS request that triggers improper error handling. | 4.3 |
2 Low Vulnerabilities
DATE | CVE | VENDOR | VULNERABILITY | CVSS |
---|---|---|---|---|
2011-05-31 | CVE-2011-1945 | Openssl | Cryptographic Issues vulnerability in OpenSSL: The elliptic curve cryptography (ECC) subsystem in OpenSSL 1.0.0d and earlier, when the Elliptic Curve Digital Signature Algorithm (ECDSA) is used for the ECDHE_ECDSA cipher suite, does not properly implement curves over binary fields, which makes it easier for context-dependent attackers to determine private keys via a timing attack and a lattice calculation. | 2.6 |
2011-06-02 | CVE-2011-1637 | Cisco | Permissions, Privileges, and Access Controls vulnerability in Cisco products: Cisco Unified IP Phones 7900 devices (aka TNP phones) with software before 9.2.1 do not properly verify signatures for software images, which allows local users to gain privileges via a crafted image, aka Bug ID CSCtn65962. | 1.5 |