Weekly Vulnerabilities Reports > February 25 to March 3, 2013

Overview

46 new vulnerabilities were reported during this period, including 4 critical and 8 high severity vulnerabilities. This weekly summary reports vulnerabilities in 41 products from 17 vendors, including Linux, Cisco, Redhat, IBM, and Apple. Notable vulnerability categories this week are "Permissions, Privileges, and Access Controls", "Improper Restriction of Operations within the Bounds of a Memory Buffer", "Cross-site Scripting", "Resource Management Errors", and "Improper Input Validation".

  • 25 reported vulnerabilities are remotely exploitable.
  • 4 reported vulnerabilities have a public exploit available.
  • 7 reported vulnerabilities are related to weaknesses in the OWASP Top Ten.
  • 44 reported vulnerabilities are exploitable by an anonymous user.
  • Linux has the most reported vulnerabilities, with 18.
  • Microsoft has the most reported critical vulnerabilities, with 3.


Vulnerability Details

The following tables list the reported vulnerabilities for the period covered by this report:

4 Critical Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS

2013-02-27 | CVE-2013-0504 | Adobe, Apple, Microsoft, Linux | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Adobe Flash Player | 10.0
  Buffer overflow in the broker service in Adobe Flash Player before 10.3.183.67 and 11.x before 11.6.602.171 on Windows and Mac OS X, and before 10.3.183.67 and 11.x before 11.2.202.273 on Linux, allows attackers to execute arbitrary code via unspecified vectors.

2013-03-01 | CVE-2013-0707 | Justsystems | Arbitrary Code Execution vulnerability in Multiple JustSystems Products | 9.3
  Unspecified vulnerability in JustSystems Ichitaro 2006 and 2007, Ichitaro Government 2006 and 2007, Ichitaro Portable with oreplug, Hanako 2006 through 2013, Hanako Police, Hanako Police 3, and Hanako Police 2010 allows remote attackers to execute arbitrary code via a crafted file.

2013-02-27 | CVE-2013-0648 | Adobe, Apple, Microsoft, Linux | Remote Code Execution vulnerability in Adobe Flash Player | 9.3
  Unspecified vulnerability in the ExternalInterface ActionScript functionality in Adobe Flash Player before 10.3.183.67 and 11.x before 11.6.602.171 on Windows and Mac OS X, and before 10.3.183.67 and 11.x before 11.2.202.273 on Linux, allows remote attackers to execute arbitrary code via crafted SWF content, as exploited in the wild in February 2013.

2013-02-27 | CVE-2013-0643 | Adobe, Apple, Microsoft, Linux | Permissions, Privileges, and Access Controls vulnerability in Adobe Flash Player | 9.3
  The Firefox sandbox in Adobe Flash Player before 10.3.183.67 and 11.x before 11.6.602.171 on Windows and Mac OS X, and before 10.3.183.67 and 11.x before 11.2.202.273 on Linux, does not properly restrict privileges, which makes it easier for remote attackers to execute arbitrary code via crafted SWF content, as exploited in the wild in February 2013.

8 High Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS

2013-02-27 | CVE-2013-1137 | Cisco | Buffer Errors vulnerability in Cisco Unified Presence Server 8.6/9.0/9.1 | 7.8
  Cisco Unified Presence Server (CUPS) 8.6, 9.0, and 9.1 before 9.1.1 allows remote attackers to cause a denial of service (CPU consumption) via crafted packets to the SIP TCP port, aka Bug ID CSCua89930.

2013-02-27 | CVE-2013-1133 | Cisco | Improper Input Validation vulnerability in Cisco Unified Communications Manager | 7.8
  Cisco Unified Communications Manager (CUCM) 8.6 before 8.6(2a)su2, 8.6 BE3k before 8.6(4) BE3k, and 9.x before 9.0(1) allows remote attackers to cause a denial of service (CPU consumption and GUI and voice outages) via malformed packets to unused UDP ports, aka Bug ID CSCtx43337.

2013-02-27 | CVE-2013-2277 | Ffmpeg | Unspecified vulnerability in Ffmpeg | 7.5
  The ff_h264_decode_seq_parameter_set function in h264_ps.c in libavcodec in FFmpeg before 1.1.3 does not validate the relationship between luma depth and chroma depth, which allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via crafted H.264 data.

2013-02-27 | CVE-2013-2276 | Ffmpeg | Unspecified vulnerability in Ffmpeg | 7.5
  The avcodec_decode_audio4 function in utils.c in libavcodec in FFmpeg before 1.1.3 does not verify the decoding state before proceeding with certain skip operations, which allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via crafted audio data.

2013-02-28 | CVE-2013-1763 | Linux | Improper Input Validation vulnerability in Linux Kernel | 7.2
  Array index error in the __sock_diag_rcv_msg function in net/core/sock_diag.c in the Linux kernel before 3.7.10 allows local users to gain privileges via a large family value in a Netlink message.

2013-02-27 | CVE-2013-0490 | IBM | Local Privilege Escalation vulnerability in IBM Infosphere Guardium 8.00 | 7.2
  Unspecified vulnerability in IBM InfoSphere Guardium S-TAP 8.1 for DB2 on z/OS allows local users to gain privileges via unknown vectors.

2013-02-27 | CVE-2013-1135 | Cisco | Improper Input Validation vulnerability in Cisco Prime Central for Hosted Collaboration Solution Assurance 8.6/9.0 | 7.1
  Cisco Prime Central for Hosted Collaboration Solution (HCS) Assurance 8.6 and 9.0 allows remote attackers to cause a denial of service (CPU consumption and monitoring outage) via malformed TLS messages to TCP port (1) 9043 or (2) 9443, aka Bug ID CSCuc07155.

2013-02-27 | CVE-2013-1134 | Cisco | Improper Authentication vulnerability in Cisco Unified Communications Manager 9.0(1) | 7.1
  The Location Bandwidth Manager (LBM) Intracluster-communication feature in Cisco Unified Communications Manager (CUCM) 9.x before 9.1(1) does not require authentication from the remote LBM Hub node, which allows remote attackers to conduct cache-poisoning attacks against transaction records, and cause a denial of service (bandwidth-pool consumption and call outage), via unspecified vectors, aka Bug ID CSCub28920.

26 Medium Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS

2013-02-27 | CVE-2012-5767 | IBM | Security Bypass vulnerability in IBM Ts3500 Tape Library and Ts3500 Tape Library Firmware | 6.5
  Unspecified vulnerability in the web interface on the IBM TS3500 Tape Library with firmware before C260 allows remote authenticated users to gain privileges via unspecified vectors.

2013-03-01 | CVE-2013-0228 | Linux | Numeric Errors vulnerability in Linux Kernel | 6.2
  The xen_iret function in arch/x86/xen/xen-asm_32.S in the Linux kernel before 3.7.9 on 32-bit Xen paravirt_ops platforms does not properly handle an invalid value in the DS segment register, which allows guest OS users to gain guest OS privileges via a crafted application.

2013-03-01 | CVE-2011-2905 | Linux | Unspecified vulnerability in Linux Kernel | 6.2
  Untrusted search path vulnerability in the perf_config function in tools/perf/util/config.c in perf, as distributed in the Linux kernel before 3.1, allows local users to overwrite arbitrary files via a crafted config file in the current working directory.

2013-02-28 | CVE-2013-1773 | Linux, Redhat | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in multiple products | 6.2
  Buffer overflow in the VFAT filesystem implementation in the Linux kernel before 3.3 allows local users to gain privileges or cause a denial of service (system crash) via a VFAT write operation on a filesystem with the utf8 mount option, which is not properly handled during UTF-8 to UTF-16 conversion.

2013-02-28 | CVE-2013-1767 | Linux | Resource Management Errors vulnerability in Linux Kernel | 6.2
  Use-after-free vulnerability in the shmem_remount_fs function in mm/shmem.c in the Linux kernel before 3.7.10 allows local users to gain privileges or cause a denial of service (system crash) by remounting a tmpfs filesystem without specifying a required mpol (aka mempolicy) mount option.

2013-02-28 | CVE-2013-1141 | Cisco | Buffer Errors vulnerability in Cisco products | 6.1
  The mDNS snooping functionality on Cisco Wireless LAN Controller (WLC) devices with software 7.4.1.54 and earlier does not properly manage buffers, which allows remote authenticated users to cause a denial of service (device reload) via crafted mDNS packets, aka Bug ID CSCue04153.

2013-02-28 | CVE-2013-1124 | Cisco, Apple | Cryptographic Issues vulnerability in Cisco Network Admission Control | 5.8
  The Cisco Network Admission Control (NAC) agent on Mac OS X does not verify the X.509 certificate of an Identity Services Engine (ISE) server during an SSL session, which allows man-in-the-middle attackers to spoof ISE servers via an arbitrary certificate, aka Bug ID CSCub24309.

2013-02-27 | CVE-2012-4842 | IBM | Resource Management Errors vulnerability in IBM Lotus Domino | 5.8
  Open redirect vulnerability in the web server in IBM Lotus Domino 8.5.x through 8.5.3 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via unspecified vectors.

2013-03-01 | CVE-2013-0183 | Rack Project | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Rack Project Rack | 5.0
  multipart/parser.rb in Rack 1.3.x before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to cause a denial of service (memory consumption and out-of-memory error) via a long string in a Multipart HTTP packet.

2013-02-25 | CVE-2013-1138 | Cisco | Buffer Errors vulnerability in Cisco products | 5.0
  The NAT process on Cisco Adaptive Security Appliances (ASA) devices allows remote attackers to cause a denial of service (connections-table memory consumption) via crafted packets, aka Bug ID CSCue46386.

2013-03-01 | CVE-2011-2491 | Linux, Redhat | Resource Exhaustion vulnerability in Linux Kernel | 4.9
  The Network Lock Manager (NLM) protocol implementation in the NFS client functionality in the Linux kernel before 3.0 allows local users to cause a denial of service (system hang) via a LOCK_UN flock system call.

2013-03-01 | CVE-2011-2479 | Linux | Resource Management Errors vulnerability in Linux Kernel | 4.9
  The Linux kernel before 2.6.39 does not properly create transparent huge pages in response to a MAP_PRIVATE mmap system call on /dev/zero, which allows local users to cause a denial of service (system crash) via a crafted application.

2013-02-28 | CVE-2012-4542 | Linux | Permissions, Privileges, and Access Controls vulnerability in Linux Kernel | 4.6
  block/scsi_ioctl.c in the Linux kernel through 3.8 does not properly consider the SCSI device class during authorization of SCSI commands, which allows local users to bypass intended access restrictions via an SG_IO ioctl call that leverages overlapping opcodes.

2013-03-01 | CVE-2013-0709 | Bayashi | Cross-Site Scripting vulnerability in Bayashi Dopvstar* 0091 | 4.3
  Cross-site scripting (XSS) vulnerability in dopvSTAR* 0091 allows remote attackers to inject arbitrary web script or HTML via the HTTP Referer header, which is not properly handled during display of the access log.

2013-03-01 | CVE-2013-0708 | Bayashi | Cross-Site Scripting vulnerability in Bayashi Dopvcomet* 0009 | 4.3
  Cross-site scripting (XSS) vulnerability in dopvCOMET* 0009b allows remote attackers to inject arbitrary web script or HTML via the HTTP Referer header, which is not properly handled during display of the access log.

2013-03-01 | CVE-2013-0256 | Dave Thomas, Ruby Lang | Cross-Site Scripting vulnerability in multiple products | 4.3
  darkfish.js in RDoc 2.3.0 through 3.12 and 4.x before 4.0.0.preview2.1, as used in Ruby, does not properly generate documents, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a crafted URL.

2013-03-01 | CVE-2013-0184 | Rack Project | Denial of Service vulnerability in Rack 'Rack::Auth::AbstractRequest' | 4.3
  Unspecified vulnerability in Rack::Auth::AbstractRequest in Rack 1.1.x before 1.1.5, 1.2.x before 1.2.7, 1.3.x before 1.3.9, and 1.4.x before 1.4.4 allows remote attackers to cause a denial of service via unknown vectors related to "symbolized arbitrary strings."

2013-03-01 | CVE-2012-6109 | Rack Project | Denial of Service vulnerability in Rack 'lib/rack/multipart.rb' | 4.3
  lib/rack/multipart.rb in Rack before 1.1.4, 1.2.x before 1.2.6, 1.3.x before 1.3.7, and 1.4.x before 1.4.2 uses an incorrect regular expression, which allows remote attackers to cause a denial of service (infinite loop) via a crafted Content-Disposition header.

2013-03-01 | CVE-2012-5604 | Redhat | Permissions, Privileges, and Access Controls vulnerability in Redhat Cloudforms 1.1 | 4.3
  The ldap_fluff gem for Ruby, as used in Red Hat CloudForms 1.1, when using Active Directory for authentication, allows remote attackers to bypass authentication via unspecified vectors.

2013-02-27 | CVE-2012-4844 | IBM | Cross-Site Scripting vulnerability in IBM Lotus Domino | 4.3
  Cross-site scripting (XSS) vulnerability in the web server in IBM Lotus Domino 8.5.x through 8.5.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

2013-02-26 | CVE-2012-4558 | Apache | Cross-Site Scripting vulnerability in Apache Http Server | 4.3
  Multiple cross-site scripting (XSS) vulnerabilities in the balancer_handler function in the manager interface in mod_proxy_balancer.c in the mod_proxy_balancer module in the Apache HTTP Server 2.2.x before 2.2.24-dev and 2.4.x before 2.4.4 allow remote attackers to inject arbitrary web script or HTML via a crafted string.

2013-02-26 | CVE-2012-3499 | Apache | Cross-Site Scripting vulnerability in Apache Http Server | 4.3
  Multiple cross-site scripting (XSS) vulnerabilities in the Apache HTTP Server 2.2.x before 2.2.24-dev and 2.4.x before 2.4.4 allow remote attackers to inject arbitrary web script or HTML via vectors involving hostnames and URIs in the (1) mod_imagemap, (2) mod_info, (3) mod_ldap, (4) mod_proxy_ftp, and (5) mod_status modules.

2013-03-01 | CVE-2011-3638 | Linux | Unspecified vulnerability in Linux Kernel | 4.0
  fs/ext4/extents.c in the Linux kernel before 3.0 does not mark a modified extent as dirty in certain cases of extent splitting, which allows local users to cause a denial of service (system crash) via vectors involving ext4 umount and mount operations.

2013-02-28 | CVE-2013-1774 | Linux, Redhat | Permissions, Privileges, and Access Controls vulnerability in Linux Kernel | 4.0
  The chase_port function in drivers/usb/serial/io_ti.c in the Linux kernel before 3.7.4 allows local users to cause a denial of service (NULL pointer dereference and system crash) via an attempted /dev/ttyUSB read or write operation on a disconnected Edgeport USB serial converter.

2013-02-28 | CVE-2013-1772 | Linux | Improper Restriction of Operations Within the Bounds of A Memory Buffer vulnerability in Linux Kernel | 4.0
  The log_prefix function in kernel/printk.c in the Linux kernel 3.x before 3.4.33 does not properly remove a prefix string from a syslog header, which allows local users to cause a denial of service (buffer overflow and system crash) by leveraging /dev/kmsg write access and triggering a call_console_drivers function call.

2013-02-27 | CVE-2013-1139 | Cisco | Permissions, Privileges, and Access Controls vulnerability in Cisco Cloud Portal | 4.0
  The nsAPI interface in Cisco Cloud Portal 9.1 SP1 and SP2, and 9.3 through 9.3.2, does not properly check privileges, which allows remote authenticated users to obtain sensitive information via a crafted URL, aka Bug ID CSCud81134.

8 Low Vulnerabilities

DATE | CVE | VENDOR | VULNERABILITY | CVSS

2013-03-01 | CVE-2011-1182 | Linux, Redhat | Unspecified vulnerability in Linux Kernel | 3.6
  kernel/signal.c in the Linux kernel before 2.6.39 allows local users to spoof the uid and pid of a signal sender via a sigqueueinfo system call.

2013-02-28 | CVE-2013-0343 | Linux | IPv6 Temporary Addresses Remote Security vulnerability in Linux Kernel | 3.2
  The ipv6_create_tempaddr function in net/ipv6/addrconf.c in the Linux kernel through 3.8 does not properly handle problems with the generation of IPv6 temporary addresses, which allows remote attackers to cause a denial of service (excessive retries and address-generation outage), and consequently obtain sensitive information, via ICMPv6 Router Advertisement (RA) messages.

2013-03-01 | CVE-2013-0162 | Ryan Davis | Permissions, Privileges, and Access Controls vulnerability in Ryan Davis Ruby Parser | 2.1
  The diff_pp function in lib/gauntlet_rubyparser.rb in the ruby_parser gem 3.1.1 and earlier for Ruby allows local users to overwrite arbitrary files via a symlink attack on a temporary file with a predictable name in /tmp.

2013-03-01 | CVE-2012-6116 | Katello | Permissions, Privileges, and Access Controls vulnerability in Katello and Katello-Configure | 2.1
  modules/certs/manifests/config.pp in katello-configure before 1.3.3.pulpv2 in Katello uses weak permissions (666) for the Candlepin bootstrap RPM, which allows local users to modify the Candlepin CA certificate by writing to this file.

2013-03-01 | CVE-2012-5561 | Katello | Information Exposure vulnerability in Katello 1.1 | 2.1
  script/katello-generate-passphrase in Katello 1.1 uses world-readable permissions for /etc/katello/secure/passphrase, which allows local users to obtain the passphrase by reading the file.

2013-03-01 | CVE-2011-1019 | Linux | Unspecified vulnerability in Linux Kernel | 1.9
  The dev_load function in net/core/dev.c in the Linux kernel before 2.6.38 allows local users to bypass an intended CAP_SYS_MODULE capability requirement and load arbitrary modules by leveraging the CAP_NET_ADMIN capability.

2013-03-01 | CVE-2012-1568 | Fedoraproject, Redhat | | 1.9
  The ExecShield feature in a certain Red Hat patch for the Linux kernel in Red Hat Enterprise Linux (RHEL) 5 and 6 and Fedora 15 and 16 does not properly handle use of many shared libraries by a 32-bit executable file, which makes it easier for context-dependent attackers to bypass the ASLR protection mechanism by leveraging a predictable base address for one of these libraries.

2013-02-28 | CVE-2013-0349 | Linux | Information Exposure vulnerability in Linux Kernel | 1.9
  The hidp_setup_hid function in net/bluetooth/hidp/core.c in the Linux kernel before 3.7.6 does not properly copy a certain name field, which allows local users to obtain sensitive information from kernel memory by setting a long name and making an HIDPCONNADD ioctl call.