Weekly Vulnerabilities Reports > January 9 to 15, 2012

Overview

45 new vulnerabilities were reported during this period, including 14 critical and 8 high-severity vulnerabilities. This weekly summary reports vulnerabilities in 49 products from 25 vendors, including Microsoft, HP, IBM, Adobe, and Apple. The vulnerabilities are notably categorized as "Permissions, Privileges, and Access Controls", "Cross-site Scripting", "Code Injection", "Improper Restriction of Operations within the Bounds of a Memory Buffer", and "Resource Management Errors".

  • 39 reported vulnerabilities are remotely exploitable.
  • 2 reported vulnerabilities have a public exploit available.
  • 8 reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
  • 43 reported vulnerabilities are exploitable by an anonymous user.
  • Microsoft has the most reported vulnerabilities, with 11 reported vulnerabilities.
  • Microsoft has the most reported critical vulnerabilities, with 5 reported vulnerabilities.


Vulnerability Details

The following tables list the reported vulnerabilities for the period covered by this report, grouped by severity:

14 Critical Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS

2012-01-15 | CVE-2011-1377 | IBM | Unspecified vulnerability in IBM Websphere Application Server | 10.0

The Web Services Security component in the Web Services Feature Pack before 6.1.0.41 for IBM WebSphere Application Server (WAS) 6.1 does not properly handle the enabling of WS-Security for a JAX-WS application, which has unspecified impact and attack vectors.

2012-01-13 | CVE-2012-0697 | HP | Path Traversal vulnerability in HP Storageworks P2000 G3 MSA | 10.0

HP StorageWorks P2000 G3 MSA array systems have a default account, which makes it easier for remote attackers to perform administrative tasks via unspecified vectors, a different vulnerability than CVE-2011-4788.

2012-01-13 | CVE-2011-4789 | HP | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in HP Diagnostics | 10.0

Stack-based buffer overflow in magentservice.exe in the server in HP LoadRunner 11.00 before patch 4 allows remote attackers to execute arbitrary code via a crafted size value in a packet.

2012-01-12 | CVE-2012-0695 | Google, Acer, Samsung | Remote Security vulnerability in Chrome Os | 10.0

Multiple unspecified vulnerabilities in Google Chrome before 17.0.963.27 on the Acer AC700, Samsung Series 5, and Cr-48 Chromebook platforms have unknown impact and attack vectors.

2012-01-10 | CVE-2011-5059 | Finaldraft | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Finaldraft 8/8.01 | 10.0

Stack-based buffer overflow in Final Draft 8 before 8.02 allows remote attackers to execute arbitrary code via a crafted SmartType element, a different vulnerability than CVE-2011-5002.

2012-01-15 | CVE-2012-0267 | Ntrglobal | Improper Input Validation vulnerability in Ntrglobal NTR Activex Control | 9.3

The StopModule method in the NTR ActiveX control before 2.0.4.8 allows remote attackers to execute arbitrary code via a crafted lModule parameter that triggers use of an arbitrary memory address as a function pointer.

2012-01-15 | CVE-2012-0266 | Ntrglobal | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Ntrglobal NTR Activex Control | 9.3

Multiple stack-based buffer overflows in the NTR ActiveX control before 2.0.4.8 allow remote attackers to execute arbitrary code via (1) a long bstrUrl parameter to the StartModule method, (2) a long bstrParams parameter to the Check method, a long bstrUrl parameter to the (3) Download or (4) DownloadModule method during construction of a .ntr pathname, or a long bstrUrl parameter to the (5) Download or (6) DownloadModule method during construction of a URL.

2012-01-12 | CVE-2011-4787 | HP | Code Injection vulnerability in HP Easy Printer Care Software | 9.3

A certain ActiveX control in HPTicketMgr.dll in HP Easy Printer Care Software 2.5 and earlier allows remote attackers to download an arbitrary program onto a client machine, and execute this program, via unspecified vectors, a different vulnerability than CVE-2011-2404 and CVE-2011-4786.

2012-01-12 | CVE-2011-4786 | HP | Code Injection vulnerability in HP Easy Printer Care Software | 9.3

A certain ActiveX control in HPTicketMgr.dll in HP Easy Printer Care Software 2.5 and earlier allows remote attackers to download an arbitrary program onto a client machine, and execute this program, via unspecified vectors, a different vulnerability than CVE-2011-2404 and CVE-2011-4787.

2012-01-10 | CVE-2012-0013 | Microsoft | Unspecified vulnerability in Microsoft products | 9.3

Incomplete blacklist vulnerability in the Windows Packager configuration in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows remote attackers to execute arbitrary code via a crafted ClickOnce application in a Microsoft Office document, related to .application files, aka "Assembly Execution Vulnerability."

2012-01-10 | CVE-2012-0009 | Microsoft | Remote Code Execution vulnerability in Microsoft Windows Server 2003 and Windows XP | 9.3

Untrusted search path vulnerability in the Windows Object Packager configuration in Microsoft Windows XP SP2 and SP3 and Server 2003 SP2 allows local users to gain privileges via a Trojan horse executable file in the current working directory, as demonstrated by a directory that contains a file with an embedded packaged object, aka "Object Packager Insecure Executable Launching Vulnerability." Per http://technet.microsoft.com/en-us/security/bulletin/ms12-002: 'The vulnerability could allow remote code execution if a user opens a legitimate file with an embedded packaged object that is located in the same network directory as a specially crafted executable file.' Per http://cwe.mitre.org/data/definitions/426.html: 'CWE-426: Untrusted Search Path'.

2012-01-10 | CVE-2012-0004 | Microsoft | Remote Code Execution vulnerability in Microsoft DirectX DirectShow Filters | 9.3

Unspecified vulnerability in DirectShow in DirectX in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows remote attackers to execute arbitrary code via a crafted media file, related to Quartz.dll, Qdvd.dll, closed captioning, and the Line21 DirectShow filter, aka "DirectShow Remote Code Execution Vulnerability."

2012-01-10 | CVE-2012-0003 | Microsoft | Remote Buffer Overflow vulnerability in Microsoft Windows Media Player 'winmm.dll' MIDI File Parsing | 9.3

Unspecified vulnerability in winmm.dll in Windows Multimedia Library in Windows Media Player (WMP) in Microsoft Windows XP SP2 and SP3, Server 2003 SP2, Vista SP2, and Server 2008 SP2 allows remote attackers to execute arbitrary code via a crafted MIDI file, aka "MIDI Remote Code Execution Vulnerability."

2012-01-10 | CVE-2012-0001 | Microsoft | SafeSEH Security Bypass vulnerability in Microsoft Windows Kernel | 9.3

The kernel in Microsoft Windows XP SP2, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 does not properly load structured exception handling tables, which allows context-dependent attackers to bypass the SafeSEH security feature by leveraging a Visual C++ .NET 2003 application, aka "Windows Kernel SafeSEH Bypass Vulnerability."

8 High Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS

2012-01-13 | CVE-2011-4788 | HP | Path Traversal vulnerability in HP products | 7.8

Absolute path traversal vulnerability in the web interface on HP StorageWorks P2000 G3 MSA array systems allows remote attackers to read arbitrary files via a pathname in the URI.

2012-01-10 | CVE-2011-4785 | HP | Information Exposure vulnerability in HP Hp-Chaisoe 1.0 | 7.8

Directory traversal vulnerability in the HP-ChaiSOE/1.0 web server on the HP LaserJet P3015 printer with firmware before 07.080.3, LaserJet 4650 printer with firmware 07.006.0, and LaserJet 2430 printer with firmware 08.113.0_I35128 allows remote attackers to read arbitrary files via unspecified vectors, a different vulnerability than CVE-2008-4419.

2012-01-14 | CVE-2011-5061 | Whmcs | Code Injection vulnerability in Whmcs Whmcompletesolution | 7.5

functions.php in WHMCompleteSolution (WHMCS) 4.0.x through 5.0.x allows remote attackers to trigger arbitrary code execution in the Smarty templating system by submitting a crafted ticket, related to improper handling of characters in the subject field.

2012-01-13 | CVE-2011-3597 | Gisle AAS | Improper Input Validation vulnerability in Gisle AAS Digest | 7.5

Eval injection vulnerability in the Digest module before 1.17 for Perl allows context-dependent attackers to execute arbitrary commands via the new constructor.

2012-01-10 | CVE-2011-4373 | Adobe | Unspecified vulnerability in Adobe products | 7.5

Adobe Reader and Acrobat before 9.5, and 10.x before 10.1.2, on Windows and Mac OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2011-4370 and CVE-2011-4372.

2012-01-10 | CVE-2011-4372 | Adobe | Unspecified vulnerability in Adobe products | 7.5

Adobe Reader and Acrobat before 9.5, and 10.x before 10.1.2, on Windows and Mac OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2011-4370 and CVE-2011-4373.

2012-01-10 | CVE-2011-4371 | Adobe | Unspecified vulnerability in Adobe products | 7.5

Adobe Reader and Acrobat before 9.5, and 10.x before 10.1.2, on Windows and Mac OS X allow attackers to execute arbitrary code or cause a denial of service (heap memory corruption) via unspecified vectors.

2012-01-10 | CVE-2011-4370 | Adobe | Unspecified vulnerability in Adobe products | 7.5

Adobe Reader and Acrobat before 9.5, and 10.x before 10.1.2, on Windows and Mac OS X allow attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2011-4372 and CVE-2011-4373.

20 Medium Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS

2012-01-10 | CVE-2012-0005 | Microsoft | Permissions, Privileges, and Access Controls vulnerability in Microsoft products | 6.9

The Client/Server Run-time Subsystem (aka CSRSS) in the Win32 subsystem in Microsoft Windows XP SP2 and SP3, Server 2003 SP2, Vista SP2, and Server 2008 SP2, when a Chinese, Japanese, or Korean system locale is used, can access uninitialized memory during the processing of Unicode characters, which allows local users to gain privileges via a crafted application, aka "CSRSS Elevation of Privilege Vulnerability."

2012-01-10 | CVE-2011-5058 | 3Ssoftware | Permissions, Privileges, and Access Controls vulnerability in 3Ssoftware Codesys 3.4 | 6.4

The CmbWebserver.dll module of the Control service in 3S CoDeSys 3.4 SP4 Patch 2 allows remote attackers to create arbitrary directories under the web root by specifying a non-existent directory using \ (backslash) characters in an HTTP GET request.

2012-01-15 | CVE-2011-4868 | ISC | Resource Management Errors vulnerability in ISC Dhcp | 6.1

The logging functionality in dhcpd in ISC DHCP before 4.2.3-P2, when using Dynamic DNS (DDNS) and issuing IPv6 addresses, does not properly handle the DHCPv6 lease structure, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via crafted packets related to a lease-status update.

2012-01-13 | CVE-2012-0310 | Cogentdatahub | Code Injection vulnerability in Cogentdatahub Cascade Datahub, Cogent Datahub and OPC Datahub | 5.8

CRLF injection vulnerability in Cogent DataHub 7.1.2 and earlier, Cascade DataHub 6.4.20 and earlier, and OPC DataHub 6.4.20 and earlier allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via unspecified vectors.

2012-01-13 | CVE-2011-2939 | DAN Kogai, Perl | Numeric Errors vulnerability in multiple products | 5.1

Off-by-one error in the decode_xs function in Unicode/Unicode.xs in the Encode module before 2.44, as used in Perl before 5.15.6, might allow context-dependent attackers to cause a denial of service (memory corruption) via a crafted Unicode string, which triggers a heap-based buffer overflow.

2012-01-14 | CVE-2011-5062 | Apache | Permissions, Privileges, and Access Controls vulnerability in Apache Tomcat | 5.0

The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not check qop values, which might allow remote attackers to bypass intended integrity-protection requirements via a qop=auth value, a different vulnerability than CVE-2011-1184.

2012-01-14 | CVE-2011-1184 | Apache | Permissions, Privileges, and Access Controls vulnerability in Apache Tomcat | 5.0

The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not have the expected countermeasures against replay attacks, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests, related to lack of checking of nonce (aka server nonce) and nc (aka nonce-count or client nonce count) values.

2012-01-14 | CVE-2012-0039 | Gnome | Cryptographic Issues vulnerability in Gnome Glib | 5.0

** DISPUTED ** GLib 2.31.8 and earlier, when the g_str_hash function is used, computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.

2012-01-14 | CVE-2012-0693 | Whmcs | Code Injection vulnerability in Whmcs Whmcompletesolution 5.03 | 5.0

** DISPUTED ** submitticket.php in WHMCompleteSolution (WHMCS) 5.03 allows remote attackers to inject arbitrary code into a subject field via crafted ticket data, a different vulnerability than CVE-2011-5061.

2012-01-13 | CVE-2011-4057 | Wibu | Resource Management Errors vulnerability in Wibu Codemeter Runtime 4.10B/4.20A/4.30C | 5.0

Wibu-Systems AG CodeMeter Runtime 4.30c, 4.10b, and possibly other versions before 4.40 allows remote attackers to cause a denial of service (CodeMeter.exe crash) via certain crafted packets to TCP port 22350.

2012-01-13 | CVE-2012-0030 | Openstack | Permissions, Privileges, and Access Controls vulnerability in Openstack Essex and Nova | 4.9

Nova 2011.3 and Essex, when using the OpenStack API, allows remote authenticated users to bypass access restrictions for tenants of other users via an OSAPI request with a modified project_id URI parameter.

2012-01-13 | CVE-2011-4925 | Cluster Resources, Clusterresources | Permissions, Privileges, and Access Controls vulnerability in multiple products | 4.9

Terascale Open-Source Resource and Queue Manager (aka TORQUE Resource Manager) before 2.5.9, when munge authentication is used, allows remote authenticated users to impersonate arbitrary user accounts via unspecified vectors.

2012-01-13 | CVE-2011-2776 | Robert Luberda | Buffer Errors vulnerability in Robert Luberda Super 3.30.0 | 4.4

Buffer overflow in the Error function in super.c in Super 3.30.0 might allow local users to execute arbitrary code via vectors related to syslog logging.

2012-01-15 | CVE-2011-5065 | IBM | Cross-Site Scripting vulnerability in IBM Websphere Application Server | 4.3

Cross-site scripting (XSS) vulnerability in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.41 allows remote attackers to inject arbitrary web script or HTML via vectors related to web messaging.

2012-01-15 | CVE-2011-1362 | IBM | Cross-Site Scripting vulnerability in IBM Websphere Application Server | 4.3

Cross-site scripting (XSS) vulnerability in the Installation Verification Test (IVT) application in the Install component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.41 and 7.0 before 7.0.0.19 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

2012-01-14 | CVE-2011-5064 | Apache | Cryptographic Issues vulnerability in Apache Tomcat | 4.3

DigestAuthenticator.java in the HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 uses Catalina as the hard-coded server secret (aka private key), which makes it easier for remote attackers to bypass cryptographic protection mechanisms by leveraging knowledge of this string, a different vulnerability than CVE-2011-1184.

2012-01-14 | CVE-2011-5063 | Apache | Improper Authentication vulnerability in Apache Tomcat | 4.3

The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not check realm values, which might allow remote attackers to bypass intended access restrictions by leveraging the availability of a protection space with weaker authentication or authorization requirements, a different vulnerability than CVE-2011-1184.

2012-01-13 | CVE-2012-0696 | IBM | Cross-Site Scripting vulnerability in IBM Cognos Executive Viewer and Cognos TM1 | 4.3

Multiple cross-site scripting (XSS) vulnerabilities in the Executive Viewer (EV) in IBM Cognos TM1 before 9.5 FP1 allow remote attackers to inject arbitrary web script or HTML via unspecified requests to (1) aspnet_client or (2) evserver/createcontrol.js.

2012-01-13 | CVE-2012-0309 | Cogentdatahub | Cross-Site Scripting vulnerability in Cogentdatahub Cascade Datahub, Cogent Datahub and OPC Datahub | 4.3

Cross-site scripting (XSS) vulnerability in Cogent DataHub 7.1.2 and earlier, Cascade DataHub 6.4.20 and earlier, and OPC DataHub 6.4.20 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

2012-01-10 | CVE-2012-0007 | Microsoft | Cross-Site Scripting vulnerability in Microsoft Anti-Cross Site Scripting Library 3.1/4.0 | 4.3

The Microsoft Anti-Cross Site Scripting (AntiXSS) Library 3.x and 4.0 does not properly evaluate characters after the detection of a Cascading Style Sheets (CSS) escaped character, which allows remote attackers to conduct cross-site scripting (XSS) attacks via HTML input, aka "AntiXSS Library Bypass Vulnerability."

3 Low Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS

2012-01-13 | CVE-2011-5060 | Roderich Schupp | Permissions, Privileges, and Access Controls vulnerability in Roderich Schupp Par-Packer Module | 3.3

The par_mktmpdir function in the PAR module before 1.003 for Perl creates temporary files in a directory with a predictable name without verifying ownership and permissions of this directory, which allows local users to overwrite files when another user extracts a PAR packed program, a different vulnerability in a different package than CVE-2011-4114.

2012-01-13 | CVE-2011-4114 | Roderich Schupp | Permissions, Privileges, and Access Controls vulnerability in Roderich Schupp Par-Packer Module | 3.3

The par_mktmpdir function in the PAR::Packer module before 1.012 for Perl creates temporary files in a directory with a predictable name without verifying ownership and permissions of this directory, which allows local users to overwrite files when another user extracts a PAR packed program.

2012-01-15 | CVE-2011-5066 | IBM | Information Exposure vulnerability in IBM Websphere Application Server | 2.1

The SibRaRecoverableSiXaResource class in the Default Messaging Component in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.41 does not properly handle a Service Integration Bus (SIB) dump operation involving the First Failure Data Capture (FFDC) introspection code, which allows local users to obtain sensitive information by reading the FFDC log file.