Weekly Vulnerabilities Reports > September 5 to 11, 2011

Overview

26 new vulnerabilities were reported during this period, including 3 critical vulnerabilities and 4 high severity vulnerabilities. This weekly summary reports vulnerabilities in 30 products from 18 vendors including Linux, IBM, Phorum, Openttd, and Microsoft. Vulnerabilities are notably categorized as "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Improper Input Validation", "Cross-site Scripting", "NULL Pointer Dereference", and "Permissions, Privileges, and Access Controls".

  • 17 reported vulnerabilities are remotely exploitable.
  • 5 reported vulnerabilities are related to weaknesses in OWASP Top Ten.
  • 25 reported vulnerabilities are exploitable by an anonymous user.
  • Linux has the most reported vulnerabilities, with 5 reported vulnerabilities.
  • Microsoft has the most reported critical vulnerabilities, with 1 reported vulnerability.

Summary table (column headings only; the counts were not preserved in this extract): Total Vulnerabilities | Critical Risk Vulnerabilities | High Risk Vulnerabilities | Medium Risk Vulnerabilities | Low Risk Vulnerabilities | Remotely Exploitable | Locally Exploitable | Exploit Available | Exploitable Anonymously | Affecting Web Application

Vulnerability Details

The following tables list the reported vulnerabilities for the period covered by this report, grouped by severity:


3 Critical Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS

2011-09-06 | CVE-2011-2654 | Novell | Improper Input Validation vulnerability in Novell Cloud Manager 1.1.2 | 9.3
  The RPC implementation in the server in Novell Cloud Manager 1.1.2 before Patch 3 does not properly initialize objects, which allows remote attackers to execute arbitrary code by making RPC calls that leverage incorrect privileges associated with a partially initialized session.

2011-09-06 | CVE-2011-0258 | Apple, Microsoft | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Apple Quicktime | 9.3
  Apple QuickTime before 7.7 on Windows allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) via a crafted image description associated with an mp4v tag in a movie file.

2011-09-06 | CVE-2010-4833 | GTK | DLL Loading Arbitrary Code Execution vulnerability in GTK+ | 9.3
  Untrusted search path vulnerability in modules/engines/ms-windows/xp_theme.c in GTK+ before 2.24.0 allows local users to gain privileges via a Trojan horse uxtheme.dll file in the current working directory, a different vulnerability than CVE-2010-4831.

4 High Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS

2011-09-08 | CVE-2011-3342 | Openttd | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Openttd | 7.5
  Multiple buffer overflows in OpenTTD before 1.1.3 allow remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via vectors related to (1) NAME, (2) PLYR, (3) CHTS, or (4) AIPL (aka AI config) chunk loading from a savegame.

2011-09-08 | CVE-2011-3341 | Openttd | Numeric Errors vulnerability in Openttd | 7.5
  Multiple off-by-one errors in order_cmd.cpp in OpenTTD before 1.1.3 allow remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via a crafted CMD_INSERT_ORDER command.

2011-09-06 | CVE-2011-2660 | Suse | Improper Input Validation vulnerability in Suse Linux Enterprise Desktop and Vpnc | 7.5
  The modify_resolvconf_suse script in the vpnc package before 0.5.1-55.10.1 in SUSE Linux Enterprise Desktop 11 SP1 might allow remote attackers to execute arbitrary commands via a crafted DNS domain name.

2011-09-06 | CVE-2011-2184 | Linux | Null Pointer Dereference vulnerability in Linux Kernel | 7.2
  The key_replace_session_keyring function in security/keys/process_keys.c in the Linux kernel before 2.6.39.1 does not initialize a certain structure member, which allows local users to cause a denial of service (NULL pointer dereference and OOPS) or possibly have unspecified other impact via a KEYCTL_SESSION_TO_PARENT argument to the keyctl function, a different vulnerability than CVE-2010-2960.

16 Medium Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS

2011-09-06 | CVE-2010-4831 | GTK | DLL Loading Arbitrary Code Execution vulnerability in GTK+ | 6.9
  Untrusted search path vulnerability in gdk/win32/gdkinput-win32.c in GTK+ before 2.21.8 allows local users to gain privileges via a Trojan horse Wintab32.dll file in the current working directory.

2011-09-08 | CVE-2011-3381 | Phorum | Cross-Site Request Forgery (CSRF) vulnerability in Phorum | 6.8
  Cross-site request forgery (CSRF) vulnerability in Phorum before 5.2.16 allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

2011-09-06 | CVE-2011-3205 | Squid Cache | Remote Buffer Overflow vulnerability in Squid Proxy Gopher | 6.8
  Buffer overflow in the gopherToHTML function in gopher.cc in the Gopher reply parser in Squid 3.0 before 3.0.STABLE26, 3.1 before 3.1.15, and 3.2 before 3.2.0.11 allows remote Gopher servers to cause a denial of service (memory corruption and daemon restart) or possibly have unspecified other impact via a long line in a response.

2011-09-06 | CVE-2011-2723 | Linux | Improper Input Validation vulnerability in Linux Kernel | 5.7
  The skb_gro_header_slow function in include/linux/netdevice.h in the Linux kernel before 2.6.39.4, when Generic Receive Offload (GRO) is enabled, resets certain fields in incorrect situations, which allows remote attackers to cause a denial of service (system crash) via crafted network traffic.

2011-09-06 | CVE-2011-1776 | Linux, Redhat | Buffer Errors vulnerability in Linux Kernel | 5.6
  The is_gpt_valid function in fs/partitions/efi.c in the Linux kernel before 2.6.39 does not check the size of an Extensible Firmware Interface (EFI) GUID Partition Table (GPT) entry, which allows physically proximate attackers to cause a denial of service (heap-based buffer overflow and OOPS) or obtain sensitive information from kernel heap memory by connecting a crafted GPT storage device, a different vulnerability than CVE-2011-1577.

2011-09-06 | CVE-2011-3200 | Rsyslog | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Rsyslog | 5.0
  Stack-based buffer overflow in the parseLegacySyslogMsg function in tools/syslogd.c in rsyslogd in rsyslog 4.6.x before 4.6.8 and 5.2.0 through 5.8.4 might allow remote attackers to cause a denial of service (application exit) via a long TAG in a legacy syslog message.

2011-09-06 | CVE-2011-1359 | IBM | Path Traversal vulnerability in IBM Websphere Application Server | 5.0
  Directory traversal vulnerability in the administration console in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.41, 7.0 before 7.0.0.19, and 8.0 before 8.0.0.1 allows remote attackers to read arbitrary files via a ..

2011-09-08 | CVE-2011-3343 | Openttd | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Openttd | 4.6
  Multiple buffer overflows in OpenTTD before 1.1.3 allow local users to cause a denial of service (daemon crash) or possibly gain privileges via (1) a crafted BMP file with RLE compression or (2) crafted dimensions in a BMP file.

2011-09-06 | CVE-2011-1771 | Linux | Null Pointer Dereference vulnerability in Linux Kernel | 4.4
  The cifs_close function in fs/cifs/file.c in the Linux kernel before 2.6.39 allows local users to cause a denial of service (NULL pointer dereference and BUG) or possibly have unspecified other impact by setting the O_DIRECT flag during an attempt to open a file on a CIFS filesystem.

2011-09-08 | CVE-2011-3392 | Phorum | Cross-Site Scripting vulnerability in Phorum | 4.3
  Cross-site scripting (XSS) vulnerability in control.php in the controlcenter in Phorum before 5.2.17 allows remote attackers to inject arbitrary web script or HTML via the real_name parameter.

2011-09-08 | CVE-2011-3384 | Sage Mozdev, Mozilla | Cross-Site Scripting vulnerability in Sage-Mozdev Sage 1.3.8 | 4.3
  Cross-site scripting (XSS) vulnerability in the Sage add-on 1.3.10 and earlier for Firefox allows remote attackers to inject arbitrary web script or HTML via a crafted feed, a different vulnerability than CVE-2009-4102.

2011-09-08 | CVE-2011-3382 | Phorum | Cross-Site Scripting vulnerability in Phorum | 4.3
  Cross-site scripting (XSS) vulnerability in Phorum before 5.2.16 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

2011-09-06 | CVE-2011-3389 | Google, Opera, Microsoft, Mozilla | Improper Input Validation vulnerability in multiple products | 4.3
  The SSL protocol, as used in certain configurations in Microsoft Windows and Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, Opera, and other products, encrypts data by using CBC mode with chained initialization vectors, which allows man-in-the-middle attackers to obtain plaintext HTTP headers via a blockwise chosen-boundary attack (BCBA) on an HTTPS session, in conjunction with JavaScript code that uses (1) the HTML5 WebSocket API, (2) the Java URLConnection API, or (3) the Silverlight WebClient API, aka a "BEAST" attack.

2011-09-06 | CVE-2011-3388 | Opera | Information Exposure vulnerability in Opera Browser | 4.3
  Opera before 11.51 allows remote attackers to cause an insecure site to appear secure or trusted via unspecified actions related to Extended Validation and loading content from trusted sources in an unspecified sequence that causes the address field and page information dialog to contain security information based on the trusted site, instead of the insecure site.

2011-09-06 | CVE-2011-3390 | IBM | Cross-Site Scripting vulnerability in IBM Openadmin Tool | 4.3
  Multiple cross-site scripting (XSS) vulnerabilities in index.php in IBM OpenAdmin Tool (OAT) before 2.72 for Informix allow remote attackers to inject arbitrary web script or HTML via the (1) informixserver, (2) host, or (3) port parameter in a login action.

2011-09-08 | CVE-2011-3391 | IBM | Permissions, Privileges, and Access Controls vulnerability in IBM Rational Build Forge 7.1.2 | 4.0
  IBM Rational Build Forge 7.1.2 relies on client-side JavaScript code to enforce the EditSecurity permission requirement for the Export Key File function, which allows remote authenticated users to read a key file by removing a disable attribute in the Security sub-menu.

3 Low Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS

2011-09-06 | CVE-2011-3204 | Geoff Wong | Link Following vulnerability in Geoff Wong Hammerhead 2.1.4 | 3.3
  hammerhead.cc in Hammerhead 2.1.4 allows local users to write to arbitrary files via a symlink attack on (1) /tmp/hammer.log (aka the HH_LOG file) or (2) the REPORT_LOG file.

2011-09-06 | CVE-2011-2700 | Linux | Classic Buffer Overflow vulnerability in Linux Kernel | 2.1
  Multiple buffer overflows in the si4713_write_econtrol_string function in drivers/media/radio/si4713-i2c.c in the Linux kernel before 2.6.39.4 on the N900 platform might allow local users to cause a denial of service or have unspecified other impact via a crafted s_ext_ctrls operation with a (1) V4L2_CID_RDS_TX_PS_NAME or (2) V4L2_CID_RDS_TX_RADIO_TEXT control ID.

2011-09-06 | CVE-2011-2724 | Samba | Improper Input Validation vulnerability in Samba | 1.2
  The check_mtab function in client/mount.cifs.c in mount.cifs in smbfs in Samba 3.5.10 and earlier does not properly verify that the (1) device name and (2) mountpoint strings are composed of valid characters, which allows local users to cause a denial of service (mtab corruption) via a crafted string.