Weekly Vulnerabilities Reports > June 6 to 12, 2011

Overview

43 new vulnerabilities were reported during this period, including 14 critical vulnerabilities and 3 high severity vulnerabilities. This weekly summary reports vulnerabilities in 37 products from 25 vendors including Novell, Vmware, Wireshark, Maynard Johnson, and Apache. Vulnerabilities are notably categorized as "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Permissions, Privileges, and Access Controls", "Cross-site Scripting", "Resource Management Errors", and "Path Traversal".

  • 35 reported vulnerabilities are remotely exploitable.
  • 1 reported vulnerability has a public exploit available.
  • 8 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 38 reported vulnerabilities are exploitable by an anonymous user.
  • Novell has the most reported vulnerabilities, with 11 reported vulnerabilities.
  • Novell has the most reported critical vulnerabilities, with 10 reported vulnerabilities.


Vulnerability Details

The following table lists reported vulnerabilities for the period covered by this report:

14 Critical Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2011-06-09 CVE-2011-2475 Sybase Use of Externally-Controlled Format String vulnerability in Sybase Onebridge Mobile Data Suite 5.5/5.6

Format string vulnerability in ECTrace.dll in the iMailGateway service in the Internet Mail Gateway in OneBridge Server and DMZ Proxy in Sybase OneBridge Mobile Data Suite 5.5 and 5.6 allows remote attackers to execute arbitrary code via format string specifiers in unspecified string fields, related to authentication logging.

10.0
2011-06-08 CVE-2010-4663 Cmsmadesimple Unspecified vulnerability in Cmsmadesimple CMS Made Simple

Unspecified vulnerability in the News module in CMS Made Simple (CMSMS) before 1.9.1 has unknown impact and attack vectors.

10.0
2011-06-09 CVE-2011-1708 Novell Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Novell Iprint

Stack-based buffer overflow in nipplib.dll in Novell iPrint Client before 5.64 allows remote attackers to execute arbitrary code via a crafted op-printer-list-all-jobs cookie.

9.3
2011-06-09 CVE-2011-1707 Novell Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Novell Iprint

Stack-based buffer overflow in nipplib.dll in Novell iPrint Client before 5.64 allows remote attackers to execute arbitrary code via a crafted op-printer-list-all-jobs parameter in a printer-url.

9.3
2011-06-09 CVE-2011-1706 Novell Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Novell Iprint

Stack-based buffer overflow in nipplib.dll in Novell iPrint Client before 5.64 allows remote attackers to execute arbitrary code via a crafted iprint-client-config-info parameter in a printer-url.

9.3
2011-06-09 CVE-2011-1705 Novell Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Novell Iprint

Heap-based buffer overflow in nipplib.dll in Novell iPrint Client before 5.64 allows remote attackers to execute arbitrary code via a crafted client-file-name parameter in a printer-url.

9.3
2011-06-09 CVE-2011-1704 Novell Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Novell Iprint

Heap-based buffer overflow in nipplib.dll in Novell iPrint Client before 5.64 allows remote attackers to execute arbitrary code via a crafted core-package parameter in a printer-url.

9.3
2011-06-09 CVE-2011-1703 Novell Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Novell Iprint

Heap-based buffer overflow in nipplib.dll in Novell iPrint Client before 5.64 allows remote attackers to execute arbitrary code via a crafted driver-version parameter in a printer-url.

9.3
2011-06-09 CVE-2011-1702 Novell Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Novell Iprint

Heap-based buffer overflow in nipplib.dll in Novell iPrint Client before 5.64 allows remote attackers to execute arbitrary code via a crafted file-date-time parameter in a printer-url.

9.3
2011-06-09 CVE-2011-1701 Novell Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Novell Iprint

Heap-based buffer overflow in nipplib.dll in Novell iPrint Client before 5.64 allows remote attackers to execute arbitrary code via a crafted profile-name parameter in a printer-url.

9.3
2011-06-09 CVE-2011-1700 Novell Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Novell Iprint

Heap-based buffer overflow in nipplib.dll in Novell iPrint Client before 5.64 allows remote attackers to execute arbitrary code via a crafted profile-time parameter in a printer-url.

9.3
2011-06-09 CVE-2011-1699 Novell Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Novell Iprint

Heap-based buffer overflow in nipplib.dll in Novell iPrint Client before 5.64 allows remote attackers to execute arbitrary code via a crafted uri parameter in a printer-url.

9.3
2011-06-08 CVE-2011-2386 Visiwave Code Injection vulnerability in Visiwave Site Survey 1.6.12/2.0.12/2.1

VisiWaveReport.exe in AZO Technologies, Inc.

9.3
2011-06-06 CVE-2011-2217 Tomsawyer, Vmware Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products

Certain ActiveX controls in (1) tsgetxu71ex552.dll and (2) tsgetx71ex552.dll in Tom Sawyer GET Extension Factory 5.5.2.237, as used in VI Client (aka VMware Infrastructure Client) 2.0.2 before Build 230598 and 2.5 before Build 204931 in VMware Infrastructure 3, do not properly handle attempted initialization within Internet Explorer, which allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption) via a crafted HTML document.

9.3

3 High Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2011-06-09 CVE-2011-1823 Google Integer Overflow or Wraparound vulnerability in Google Android

The vold volume manager daemon on Android 3.0 and 2.x before 2.3.4 trusts messages that are received from a PF_NETLINK socket, which allows local users to execute arbitrary code and gain root privileges via a negative index that bypasses a maximum-only signed integer check in the DirectVolume::handlePartitionAdded method, which triggers memory corruption, as demonstrated by Gingerbreak.

7.8
2011-06-09 CVE-2011-2471 Maynard Johnson Permissions, Privileges, and Access Controls vulnerability in Maynard Johnson Oprofile

utils/opcontrol in OProfile 0.9.6 and earlier might allow local users to gain privileges via shell metacharacters in the (1) --vmlinux, (2) --session-dir, or (3) --xen argument, related to the daemonrc file and the do_save_setup and do_load_setup functions, a different vulnerability than CVE-2011-1760.

7.2
2011-06-09 CVE-2011-1760 Maynard Johnson Code Injection vulnerability in Maynard Johnson Oprofile

utils/opcontrol in OProfile 0.9.6 and earlier might allow local users to conduct eval injection attacks and gain privileges via shell metacharacters in the -e argument.

7.2

24 Medium Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2011-06-06 CVE-2011-1787 Vmware Race Condition vulnerability in VMWare products

Race condition in mount.vmhgfs in the VMware Host Guest File System (HGFS) in VMware Workstation 7.1.x before 7.1.4, VMware Player 3.1.x before 3.1.4, VMware Fusion 3.1.x before 3.1.3, VMware ESXi 3.5 through 4.1, and VMware ESX 3.0.3 through 4.1 allows guest OS users to gain privileges on the guest OS by mounting a filesystem on top of an arbitrary directory.

6.9
2011-06-06 CVE-2011-1954 Postrev Cross-Site Request Forgery (CSRF) vulnerability in Postrev Post Revolution

Multiple cross-site request forgery (CSRF) vulnerabilities in Post Revolution 0.8.0c-2 and earlier allow remote attackers to hijack the authentication of arbitrary users for requests to (1) ajax-weblog-guardar.php, (2) verpost.php, (3) comments.php, or (4) perfil.php.

6.8
2011-06-08 CVE-2011-1584 Dotclear Permissions, Privileges, and Access Controls vulnerability in Dotclear

The updateFile function in inc/core/class.dc.media.php in the Media Manager in Dotclear before 2.2.3 does not properly restrict pathnames, which allows remote authenticated users to upload and execute arbitrary PHP code via the media_path or media_file parameter.

6.5
2011-06-09 CVE-2011-2473 Maynard Johnson Link Following vulnerability in Maynard Johnson Oprofile

The do_dump_data function in utils/opcontrol in OProfile 0.9.6 and earlier might allow local users to create or overwrite arbitrary files via a crafted --session-dir argument in conjunction with a symlink attack on the opd_pipe file, a different vulnerability than CVE-2011-1760.

6.3
2011-06-09 CVE-2011-2472 Maynard Johnson Path Traversal vulnerability in Maynard Johnson Oprofile

Directory traversal vulnerability in utils/opcontrol in OProfile 0.9.6 and earlier might allow local users to overwrite arbitrary files via a ..

6.3
2011-06-06 CVE-2011-2145 Vmware, Freebsd, Oracle Permissions, Privileges, and Access Controls vulnerability in VMWare products

mount.vmhgfs in the VMware Host Guest File System (HGFS) in VMware Workstation 7.1.x before 7.1.4, VMware Player 3.1.x before 3.1.4, VMware Fusion 3.1.x before 3.1.3, VMware ESXi 3.5 through 4.1, and VMware ESX 3.0.3 through 4.1, when a Solaris or FreeBSD guest OS is used, allows guest OS users to modify arbitrary guest OS files via unspecified vectors, related to a "procedural error."

6.3
2011-06-09 CVE-2011-1711 Novell Unauthorized Access vulnerability in Novell Data Synchronizer User Account

Unspecified vulnerability in the Mobility Pack 1.1.2 and earlier in Novell Data Synchronizer 1.0.x, and 1.1.x through 1.1.1 build 428, allows remote authenticated users to access the accounts of other users via unknown vectors.

5.5
2011-06-06 CVE-2011-1950 Plone Permissions, Privileges, and Access Controls vulnerability in Plone 4.0/4.1

plone.app.users in Plone 4.0 and 4.1 allows remote authenticated users to modify the properties of arbitrary accounts via unspecified vectors, as exploited in the wild in June 2011.

5.5
2011-06-09 CVE-2011-2474 Sybase Path Traversal vulnerability in Sybase Easerver 6.3.1

Directory traversal vulnerability in the HTTP Server in Sybase EAServer 6.3.1 Developer Edition allows remote attackers to read arbitrary files via a /.\../\../\ sequence in a path.

5.0
2011-06-09 CVE-2011-2468 Anymacro Path Traversal vulnerability in Anymacro Mail System G4X

Directory traversal vulnerability in the web interface in AnyMacro Mail System G4X allows remote attackers to read arbitrary files via directory traversal sequences in a request.

5.0
2011-06-09 CVE-2011-2395 Cisco Configuration vulnerability in Cisco IOS

The Neighbor Discovery (ND) protocol implementation in Cisco IOS on unspecified switches allows remote attackers to bypass the Router Advertisement Guarding functionality via a fragmented IPv6 packet in which the Router Advertisement (RA) message is contained in the second fragment, as demonstrated by (1) a packet in which the first fragment contains a long Destination Options extension header or (2) a packet in which the first fragment contains an ICMPv6 Echo Request message.

5.0
2011-06-06 CVE-2011-2216 Digium Denial of Service vulnerability in Asterisk 'Contact' Header SIP Channel Driver

reqresp_parser.c in the SIP channel driver in Asterisk Open Source 1.8.x before 1.8.4.2 does not initialize certain strings, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a malformed Contact header.

5.0
2011-06-06 CVE-2011-1952 Postrev Resource Management Errors vulnerability in Postrev Post Revolution

common.php in Post Revolution before 0.8.0c-2 allows remote attackers to cause a denial of service (infinite loop) via malformed HTML markup, as demonstrated by an a< sequence.

5.0
2011-06-06 CVE-2011-1752 Apache Denial of Service and Information Disclosure vulnerability in Subversion 'mod_dav_svn'

The mod_dav_svn module for the Apache HTTP Server, as distributed in Apache Subversion before 1.6.17, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a request for a baselined WebDAV resource, as exploited in the wild in May 2011.

5.0
2011-06-09 CVE-2011-2107 Adobe, Apple, Linux, Microsoft, SUN, Google Cross-Site Scripting vulnerability in Adobe Acrobat, Acrobat Reader and Flash Player

Cross-site scripting (XSS) vulnerability in Adobe Flash Player before 10.3.181.22 on Windows, Mac OS X, Linux, and Solaris, and 10.3.185.22 and earlier on Android, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors, related to a "universal cross-site scripting vulnerability." Per http://www.adobe.com/support/security/bulletins/apsb11-13.html: 'This issue also affects the authplay.dll component that ships with Adobe Reader and Acrobat X (10.0.3) and earlier 10.x and 9.x versions of Adobe Reader and Acrobat for Windows and Macintosh operating systems.' Per http://www.adobe.com/support/security/bulletins/apsb11-13.html: 'We expect to make available an update for Adobe Acrobat X (10.0.3) and earlier 10.x and 9.x versions for Windows and Macintosh, Adobe Reader X (10.0.1) for Windows, Adobe Reader X (10.0.3) for Macintosh, and Adobe Reader 9.4.3 and earlier 9.x versions for Windows and Macintosh with the next quarterly security update for Adobe Reader, currently scheduled for June 14, 2011.'

4.3
2011-06-06 CVE-2011-2175 Wireshark Numeric Errors vulnerability in Wireshark

Integer underflow in the visual_read function in wiretap/visual.c in Wireshark 1.2.x before 1.2.17 and 1.4.x before 1.4.7 allows remote attackers to cause a denial of service (application crash) via a malformed Visual Networks file that triggers a heap-based buffer over-read.

4.3
2011-06-06 CVE-2011-2174 Wireshark Resource Management Errors vulnerability in Wireshark

Double free vulnerability in the tvb_uncompress function in epan/tvbuff.c in Wireshark 1.2.x before 1.2.17 and 1.4.x before 1.4.7 allows remote attackers to cause a denial of service (application crash) via a packet with malformed data that uses zlib compression.

4.3
2011-06-06 CVE-2011-1959 Wireshark Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Wireshark

The snoop_read function in wiretap/snoop.c in Wireshark 1.2.x before 1.2.17 and 1.4.x before 1.4.7 does not properly handle certain virtualizable buffers, which allows remote attackers to cause a denial of service (application crash) via a large length value in a snoop file that triggers a stack-based buffer over-read.

4.3
2011-06-06 CVE-2011-1956 Wireshark Unspecified vulnerability in Wireshark 1.4.5

The bytes_repr_len function in Wireshark 1.4.5 uses an incorrect pointer argument, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via arbitrary TCP traffic.

4.3
2011-06-06 CVE-2011-1953 Postrev Cross-Site Scripting vulnerability in Postrev Post Revolution

Multiple cross-site scripting (XSS) vulnerabilities in common.php in Post Revolution before 0.8.0c-2 allow remote attackers to inject arbitrary web script or HTML via an attribute of a (1) P, a (2) STRONG, a (3) A, a (4) EM, a (5) I, a (6) IMG, a (7) LI, an (8) OL, a (9) VIDEO, or a (10) BLOCKQUOTE element.

4.3
2011-06-06 CVE-2011-1921 Apache Permissions, Privileges, and Access Controls vulnerability in Apache Subversion

The mod_dav_svn module for the Apache HTTP Server, as distributed in Apache Subversion 1.5.x and 1.6.x before 1.6.17, when the SVNPathAuthz short_circuit option is disabled, does not properly enforce permissions for files that had been publicly readable in the past, which allows remote attackers to obtain sensitive information via a replay REPORT operation.

4.3
2011-06-06 CVE-2011-1783 Apache Resource Management Errors vulnerability in Apache Http Server and Subversion

The mod_dav_svn module for the Apache HTTP Server, as distributed in Apache Subversion 1.5.x and 1.6.x before 1.6.17, when the SVNPathAuthz short_circuit option is enabled, allows remote attackers to cause a denial of service (infinite loop and memory consumption) in opportunistic circumstances by requesting data.

4.3
2011-06-06 CVE-2011-0767 Imperva Cross-Site Scripting vulnerability in Imperva Securesphere web Application Firewall

Cross-site scripting (XSS) vulnerability in the management GUI in the MX Management Server in Imperva SecureSphere Web Application Firewall 6.2, 7.x, and 8.x allows remote attackers to inject arbitrary web script or HTML via an HTTP request to a firewalled server, aka Bug ID 31759.

4.3
2011-06-06 CVE-2011-0082 Mozilla Improper Input Validation vulnerability in Mozilla Firefox 4.0/4.0.1

The X.509 certificate validation functionality in Mozilla Firefox 4.0.x through 4.0.1 does not properly implement single-session security exceptions, which might make it easier for user-assisted remote attackers to spoof an SSL server via an untrusted certificate that triggers potentially unwanted local caching of documents from that server.

4.3

2 Low Vulnerabilities

DATE CVE VENDOR VULNERABILITY CVSS
2011-06-06 CVE-2011-1949 Plone Cross-Site Scripting vulnerability in Plone

Cross-site scripting (XSS) vulnerability in the safe_html filter in Products.PortalTransforms in Plone 2.1 through 4.1 allows remote authenticated users to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2010-2422.

3.5
2011-06-06 CVE-2011-2146 Vmware Information Exposure vulnerability in VMWare products

mount.vmhgfs in the VMware Host Guest File System (HGFS) in VMware Workstation 7.1.x before 7.1.4, VMware Player 3.1.x before 3.1.4, VMware Fusion 3.1.x before 3.1.3, VMware ESXi 3.5 through 4.1, and VMware ESX 3.0.3 through 4.1 allows guest OS users to determine the existence of host OS files and directories via unspecified vectors.

2.1