Weekly Vulnerabilities Reports > May 28 to June 3, 2012

Overview

20 new vulnerabilities were reported during this period, including 2 critical vulnerabilities and 6 high severity vulnerabilities. This weekly summary reports vulnerabilities in 24 products from 18 vendors including Puppet, Puppetlabs, Google, Canonical, and ZTE. The vulnerabilities are notably categorized as "Permissions, Privileges, and Access Controls", "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Improper Input Validation", "Resource Management Errors", and "Information Exposure".

  • 16 reported vulnerabilities are remotely exploitable.
  • 2 reported vulnerabilities have a public exploit available.
  • 4 reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
  • 16 reported vulnerabilities are exploitable by an anonymous user.
  • Puppet has the most reported vulnerabilities, with 6 reported vulnerabilities.
  • Google has the most reported critical vulnerabilities, with 1 reported vulnerability.


Vulnerability Details

The following tables list the reported vulnerabilities for the period covered by this report, grouped by severity:


2 Critical Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS
2012-05-29 | CVE-2012-0804 | CVS | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in CVS 1.11/1.12 | 10.0
  Heap-based buffer overflow in the proxy_connect function in src/client.c in CVS 1.11 and 1.12 allows remote HTTP proxy servers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted HTTP response.

2012-05-29 | CVE-2012-2949 | Google, ZTE | Permissions, Privileges, and Access Controls vulnerability in ZTE Score M | 10.0
  The ZTE sync_agent program for Android 2.3.4 on the Score M device uses a hardcoded ztex1609523 password to control access to commands, which allows remote attackers to gain privileges via a crafted application.

6 High Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS
2012-05-31 | CVE-2012-2488 | Cisco | Improper Input Validation vulnerability in Cisco products | 7.8
  Cisco IOS XR before 4.2.1 on ASR 9000 series devices and CRS series devices allows remote attackers to cause a denial of service (packet transmission outage) via a crafted packet, aka Bug IDs CSCty94537 and CSCtz62593.

2012-06-01 | CVE-2012-2944 | Networkupstools | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Networkupstools NUT | 7.5
  Buffer overflow in the addchar function in common/parseconf.c in upsd in Network UPS Tools (NUT) before 2.6.4 allows remote attackers to execute arbitrary code or cause a denial of service (electric-power outage) via a long string containing non-printable characters.

2012-06-01 | CVE-2012-0409 | EMC | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in EMC Autostart | 7.5
  Multiple buffer overflows in EMC AutoStart 5.3.x and 5.4.x before 5.4.3 allow remote attackers to cause a denial of service (agent crash) or possibly execute arbitrary code via crafted packets.

2012-05-31 | CVE-2012-2352 | Sympa | Permissions, Privileges, and Access Controls vulnerability in Sympa | 7.5
  The archive management (arc_manage) page in wwsympa/wwsympa.fcgi.in in Sympa before 6.1.11 does not check permissions, which allows remote attackers to list, read, and delete arbitrary list archives via vectors related to the (1) do_arc_manage, (2) do_arc_download, or (3) do_arc_delete functions.

2012-05-29 | CVE-2012-2952 | Jaow | SQL Injection vulnerability in Jaow 2.1/2.3/2.4 | 7.5
  SQL injection vulnerability in add_ons.php in Jaow 2.4.5 and earlier allows remote attackers to execute arbitrary SQL commands via the add_ons parameter.

2012-06-01 | CVE-2012-2752 | Vmware | Unspecified vulnerability in VMWare VMA 4.0/4.1/5.0.0.1 | 7.2
  Untrusted search path vulnerability in VMware vMA 4.x and 5.x before 5.0.0.2 allows local users to gain privileges via a Trojan horse DLL in the current working directory.

8 Medium Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS
2012-05-29 | CVE-2012-1053 | Puppet, Puppetlabs | Permissions, Privileges, and Access Controls vulnerability in multiple products | 6.9
  The change_user method in the SUIDManager (lib/puppet/util/suidmanager.rb) in Puppet 2.6.x before 2.6.14 and 2.7.x before 2.7.11, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x before 2.0.3 does not properly manage group privileges, which allows local users to gain privileges via vectors related to (1) the change_user not dropping supplementary groups in certain conditions, (2) changes to the eguid without associated changes to the egid, or (3) the addition of the real gid to supplementary groups.

2012-05-30 | CVE-2010-5099 | Typo3 | Improper Input Validation vulnerability in Typo3 | 6.8
  The fileDenyPattern functionality in the PHP file inclusion protection API in TYPO3 4.2.x before 4.2.16, 4.3.x before 4.3.9, and 4.4.x before 4.4.5 does not properly filter file types, which allows remote attackers to bypass intended access restrictions and access arbitrary PHP files, as demonstrated using path traversal sequences with %00 null bytes and CVE-2010-3714 to read the TYPO3 encryption key from localconf.php.

2012-05-29 | CVE-2011-3048 | Libpng | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in Libpng | 6.8
  The png_set_text_2 function in pngset.c in libpng 1.0.x before 1.0.59, 1.2.x before 1.2.49, 1.4.x before 1.4.11, and 1.5.x before 1.5.10 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a crafted text chunk in a PNG image file, which triggers a memory allocation failure that is not properly handled, leading to a heap-based buffer overflow.

2012-05-29 | CVE-2012-1988 | Puppet, Puppetlabs | Command Injection vulnerability in multiple products | 6.0
  Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote authenticated users with agent SSL keys and file-creation permissions on the puppet master to execute arbitrary commands by creating a file whose full pathname contains shell metacharacters, then performing a filebucket request.

2012-05-31 | CVE-2012-0949 | Canonical | Information Exposure vulnerability in Canonical Ubuntu Linux 11.04/11.10/12.04 | 5.0
  The Apport hook in Update Manager as used by Ubuntu 12.04 LTS, 11.10, and 11.04 uploads certain system state archive files when reporting bugs to Launchpad, which allows remote attackers to read repository credentials by viewing a public bug report.

2012-05-29 | CVE-2012-1054 | Puppet, Puppetlabs | Permissions, Privileges, and Access Controls vulnerability in multiple products | 4.4
  Puppet 2.6.x before 2.6.14 and 2.7.x before 2.7.11, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x before 2.0.3, when managing a user login file with the k5login resource type, allows local users to gain privileges via a symlink attack on .k5login.

2012-05-29 | CVE-2012-0220 | Ikiwiki | Cross-Site Scripting vulnerability in Ikiwiki | 4.3
  Multiple cross-site scripting (XSS) vulnerabilities in the meta plugin (Plugin/meta.pm) in ikiwiki before 3.20120516 allow remote attackers to inject arbitrary web script or HTML via the (1) author or (2) authorurl meta tags.

2012-06-02 | CVE-2012-2948 | Asterisk | Resource Management Errors vulnerability in Asterisk Certified Asterisk and Open Source | 4.0
  chan_skinny.c in the Skinny (aka SCCP) channel driver in Certified Asterisk 1.8.11-cert before 1.8.11-cert2 and Asterisk Open Source 1.8.x before 1.8.12.1 and 10.x before 10.4.1 allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) by closing a connection in off-hook mode.

4 Low Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS
2012-05-29 | CVE-2012-1987 | Puppet, Puppetlabs | Multiple Security vulnerability in Puppet | 3.5
  Unspecified vulnerability in Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote authenticated users with agent SSL keys to (1) cause a denial of service (memory consumption) via a REST request to a stream that triggers a thread block, as demonstrated using CVE-2012-1986 and /dev/random; or (2) cause a denial of service (filesystem consumption) via crafted REST requests that use "a marshaled form of a Puppet::FileBucket::File object" to write to arbitrary file locations.

2012-05-29 | CVE-2012-1906 | Puppet, Puppetlabs | Permissions, Privileges, and Access Controls vulnerability in multiple products | 3.3
  Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 uses predictable file names when installing Mac OS X packages from a remote source, which allows local users to overwrite arbitrary files or install arbitrary packages via a symlink attack on a temporary file in /tmp.

2012-06-02 | CVE-2012-2947 | Debian, Digium | Improper Access Control vulnerability in multiple products | 2.6
  chan_iax2.c in the IAX2 channel driver in Certified Asterisk 1.8.11-cert before 1.8.11-cert2 and Asterisk Open Source 1.8.x before 1.8.12.1 and 10.x before 10.4.1, when a certain mohinterpret setting is enabled, allows remote attackers to cause a denial of service (daemon crash) by placing a call on hold.

2012-05-29 | CVE-2012-1986 | Puppet, Puppetlabs | Permissions, Privileges, and Access Controls vulnerability in multiple products | 2.1
  Puppet 2.6.x before 2.6.15 and 2.7.x before 2.7.13, and Puppet Enterprise (PE) Users 1.0, 1.1, 1.2.x, 2.0.x, and 2.5.x before 2.5.1 allows remote authenticated users with an authorized SSL key and certain permissions on the puppet master to read arbitrary files via a symlink attack in conjunction with a crafted REST request for a file in a filebucket.