U.S. Flag Official website of the Department of Homeland Security

Bulletin (SB11-094)

Vulnerability Summary for the Week of March 28, 2011

Original release date: April 04, 2011 | Last revised: November 07, 2012

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

  • High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0

  • Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9

  • Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

High Vulnerabilities

Primary
Vendor -- Product
Description Published CVSS Score Source & Patch Info
emc -- data_protection_advisor_collector
EMC Data Protection Advisor Collector 5.7 and 5.7.1 on Solaris SPARC platforms uses weak permissions for unspecified files, which allows local users to gain privileges via unknown vectors. 2011-03-28 7.2 CVE-2011-1420
foolabs -- xpdf
t1lib 5.1.2 and earlier, as used in Xpdf before 3.02pl6 and other products, uses an invalid pointer in conjunction with a dereference operation, which allows remote attackers to execute arbitrary code via a crafted Type 1 font in a PDF document, as demonstrated by testz.2184122398.pdf. 2011-03-31 9.3 CVE-2011-0764
google -- chrome
Google Chrome before 10.0.648.204 does not properly handle base strings, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors, related to a "buffer error." 2011-03-25 7.5 CVE-2011-1291
google -- chrome
Use-after-free vulnerability in the frame-loader implementation in Google Chrome before 10.0.648.204 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. 2011-03-25 7.5 CVE-2011-1292
google -- chrome
Use-after-free vulnerability in the HTMLCollection implementation in Google Chrome before 10.0.648.204 allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors. 2011-03-25 7.5 CVE-2011-1293
google -- chrome
Google Chrome before 10.0.648.204 does not properly handle Cascading Style Sheets (CSS) token sequences, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors that lead to a "stale pointer." 2011-03-25 7.5 CVE-2011-1294
google -- chrome
Google Chrome before 10.0.648.204 does not properly handle node parentage, which allows remote attackers to cause a denial of service (DOM tree corruption) or possibly have unspecified other impact via unknown vectors. 2011-03-25 7.5 CVE-2011-1295
google -- chrome
Google Chrome before 10.0.648.204 does not properly handle SVG text, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via unknown vectors that lead to a "stale pointer." 2011-03-25 7.5 CVE-2011-1296
ibm -- lotus_domino
The remote console in the Server Controller in IBM Lotus Domino 7.x and 8.x verifies credentials against a file located at a UNC share pathname specified by the client, which allows remote attackers to bypass authentication, and consequently execute arbitrary code, by placing this pathname in the COOKIEFILE field. NOTE: this might overlap CVE-2011-0920. 2011-03-25 10.0 CVE-2011-1519
ibm -- lotus_domino
The default configuration of the server console in IBM Lotus Domino does not require a password (aka Server_Console_Password), which allows physically proximate attackers to perform administrative changes or obtain sensitive information via a (1) Load, (2) Tell, or (3) Set Configuration command. 2011-03-25 7.2 CVE-2011-1520
nokia -- e75_firmware
The Nokia E75 phone with firmware before 211.12.01 allows physically proximate attackers to bypass the Device Lock code by entering an unspecified button sequence at boot time. 2011-03-29 7.2 CVE-2011-1472
novell -- opensuse_factory
SUSE openSUSE Factory assigns ownership of the /var/log/cobbler/ directory tree to the web-service user account, which might allow local users to gain privileges by leveraging access to this account during root filesystem operations by the Cobbler daemon. 2011-03-30 7.2 CVE-2011-1551
videolan -- vlc_media_player
libdirectx_plugin.dll in VideoLAN VLC Media Player before 1.1.8 allows remote attackers to execute arbitrary code via a crafted width in an AMV file, related to a "dangling pointer vulnerability." 2011-03-28 9.3 CVE-2010-3275
videolan -- vlc_media_player
libdirectx_plugin.dll in VideoLAN VLC Media Player before 1.1.8 allows remote attackers to execute arbitrary code via a crafted width in an NSV file. 2011-03-28 9.3 CVE-2010-3276
wireshark -- wireshark
Heap-based buffer overflow in wiretap/pcapng.c in Wireshark before 1.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted capture file. 2011-03-28 9.3 CVE-2011-0024
Back to top

Medium Vulnerabilities

Primary
Vendor -- Product
Description Published CVSS Score Source & Patch Info
adminofsystem -- wp_related_posts
Multiple cross-site request forgery (CSRF) vulnerabilities in the configuration screen in wp-relatedposts.php in the WP Related Posts plugin 1.0 for WordPress allow remote attackers to hijack the authentication of administrators for requests that insert cross-site scripting (XSS) sequences via the (1) wp_relatedposts_title, (2) wp_relatedposts_num, or (3) wp_relatedposts_type parameter. 2011-03-28 4.3 CVE-2011-0760
cisco -- nac_guest_server_software
The default configuration of the RADIUS authentication feature on the Cisco Network Access Control (NAC) Guest Server with software before 2.0.3 allows remote attackers to bypass intended access restrictions and obtain network connectivity via unspecified vectors, aka Bug ID CSCtj66922. 2011-03-31 5.0 CVE-2011-0963
debian -- tex-common
The default configuration of the shell_escape_commands directive in conf/texmf.d/95NonPath.cnf in the tex-common package before 2.08.1 in Debian GNU/Linux squeeze lists certain programs, which might allow remote attackers to execute arbitrary code via a crafted TeX document. 2011-03-25 6.8 CVE-2011-1400
digium -- asterisk
manager.c in Asterisk Open Source 1.6.1.x before 1.6.1.24, 1.6.2.x before 1.6.2.17.2, and 1.8.x before 1.8.3.2 allows remote attackers to cause a denial of service (CPU and memory consumption) via a series of manager sessions involving invalid data. 2011-03-31 5.0 CVE-2011-1174
digium -- asterisk
tcptls.c in the TCP/TLS server in Asterisk Open Source 1.6.1.x before 1.6.1.23, 1.6.2.x before 1.6.2.17.1, and 1.8.x before 1.8.3.1 allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) by establishing many short TCP sessions to services that use a certain TLS API. 2011-03-31 5.0 CVE-2011-1175
foolabs -- xpdf
t1lib 5.1.2 and earlier, as used in Xpdf before 3.02pl6 and other products, reads from invalid memory locations, which allows remote attackers to cause a denial of service (application crash) via a crafted Type 1 font in a PDF document, a different vulnerability than CVE-2011-0764. 2011-03-31 4.3 CVE-2011-1552
foolabs -- xpdf
Use-after-free vulnerability in t1lib 5.1.2 and earlier, as used in Xpdf before 3.02pl6 and other products, allows remote attackers to cause a denial of service (application crash) via a PDF document containing a crafted Type 1 font that triggers an invalid memory write, a different vulnerability than CVE-2011-0764. 2011-03-31 4.3 CVE-2011-1553
foolabs -- xpdf
Off-by-one error in t1lib 5.1.2 and earlier, as used in Xpdf before 3.02pl6 and other products, allows remote attackers to cause a denial of service (application crash) via a PDF document containing a crafted Type 1 font that triggers an invalid memory read, integer overflow, and invalid pointer dereference, a different vulnerability than CVE-2011-0764. 2011-03-31 4.3 CVE-2011-1554
gentoo -- logrotate
Race condition in the createOutputFile function in logrotate.c in logrotate 3.7.9 and earlier allows local users to read log data by opening a file before the intended permissions are in place. 2011-03-30 4.7 CVE-2011-1098
gentoo -- logrotate
The shred_file function in logrotate.c in logrotate 3.7.9 and earlier might allow context-dependent attackers to execute arbitrary commands via shell metacharacters in a log filename, as demonstrated by a filename that is automatically constructed on the basis of a hostname or virtual machine name. 2011-03-30 6.9 CVE-2011-1154
gentoo -- logrotate
The writeState function in logrotate.c in logrotate 3.7.9 and earlier might allow context-dependent attackers to cause a denial of service (rotation outage) via a (1) (newline) or (2) (backslash) character in a log filename, as demonstrated by a filename that is automatically constructed on the basis of a hostname or virtual machine name. 2011-03-30 4.7 CVE-2011-1155
gentoo -- logrotate
The default configuration of logrotate on Debian GNU/Linux uses root privileges to process files in directories that permit non-root write access, which allows local users to conduct symlink and hard link attacks by leveraging logrotate's lack of support for untrusted directories, as demonstrated by /var/log/postgresql/. 2011-03-30 6.9 CVE-2011-1548
gentoo -- logrotate
The default configuration of logrotate on Gentoo Linux uses root privileges to process files in directories that permit non-root write access, which allows local users to conduct symlink and hard link attacks by leveraging logrotate's lack of support for untrusted directories, as demonstrated by directories under /var/log/ for packages. 2011-03-30 6.9 CVE-2011-1549
gentoo -- logrotate
The default configuration of logrotate on SUSE openSUSE Factory uses root privileges to process files in directories that permit non-root write access, which allows local users to conduct symlink and hard link attacks by leveraging logrotate's lack of support for untrusted directories, as demonstrated by directories for the (1) cobbler, (2) inn, (3) safte-monitor, and (4) uucp packages. 2011-03-30 6.9 CVE-2011-1550
gnome -- gdm
GNOME Display Manager (gdm) 2.x before 2.32.1 allows local users to change the ownership of arbitrary files via a symlink attack on a (1) dmrc or (2) face icon file under /var/cache/gdm/. 2011-03-31 6.9 CVE-2011-0727
gnu -- glibc
** DISPUTED ** ldd in the GNU C Library (aka glibc or libc6) 2.13 and earlier allows local users to gain privileges via a Trojan horse executable file linked with a modified loader that omits certain LD_TRACE_LOADED_OBJECTS checks. NOTE: the GNU C Library vendor states "This is just nonsense. There are a gazillion other ways to introduce code if people are downloading arbitrary binaries and install them in appropriate directories or set LD_LIBRARY_PATH etc." 2011-03-30 6.9 CVE-2009-5064
google -- picasa
Untrusted search path vulnerability in the Locate on Disk feature in Google Picasa before 3.8 allows local users to gain privileges via a Trojan horse executable file in the current working directory. 2011-03-28 6.9 CVE-2011-0458
horde -- groupware_webmail_edition
Cross-site scripting (XSS) vulnerability in fetchmailprefs.php in Horde IMP before 4.3.8, and Horde Groupware Webmail Edition before 1.2.7, allows remote attackers to inject arbitrary web script or HTML via the fm_id parameter in a fetchmail_prefs_save action, related to the Fetchmail configuration. 2011-03-31 4.3 CVE-2010-3695
hp -- discovery&dependency_mapping_inventory
HP Discovery & Dependency Mapping Inventory (DDMI) 7.50, 7.51, 7.60, 7.61, 7.70, and 9.30 launches the Windows SNMP service with its default configuration, which allows remote attackers to obtain potentially sensitive information or have unspecified other impact by leveraging the public read community. 2011-03-25 5.0 CVE-2011-0890
hp -- diagnostics
Cross-site scripting (XSS) vulnerability in HP Diagnostics 7.5x and 8.0x before 8.05.54.225 allows remote attackers to inject arbitrary web script or HTML via unknown vectors. 2011-03-29 4.3 CVE-2011-0892
ibm -- rational_clearcase
Multiple buffer overflows in unspecified COM objects in Rational Common Licensing 7.0 through 7.1.1.4 in IBM Rational ClearCase 7.0.0.4 through 7.1.1.4, ClearQuest 7.0.0.4 through 7.1.1.4, and other products allow local users to gain privileges via a Trojan horse HTML document in the My Computer zone. 2011-03-29 6.9 CVE-2011-1205
libtiff -- libtiff
Heap-based buffer overflow in the thunder (aka ThunderScan) decoder in tif_thunder.c in LibTIFF 3.9.4 and earlier allows remote attackers to execute arbitrary code via crafted THUNDER_2BITDELTAS data in a .tiff file that has an unexpected BitsPerSample value. 2011-03-28 6.8 CVE-2011-1167
mahara -- mahara
Cross-site scripting (XSS) vulnerability in Mahara 1.2.x before 1.2.7 and 1.3.x before 1.3.4 allows remote attackers to inject arbitrary web script or HTML via the Pieforms select box. 2011-03-28 4.3 CVE-2011-0439
mahara -- mahara
Cross-site request forgery (CSRF) vulnerability in Mahara 1.2.x before 1.2.7 and 1.3.x before 1.3.4 allows remote attackers to hijack the authentication of arbitrary users for requests that delete blogs. 2011-03-28 5.8 CVE-2011-0440
php -- php
The Debian GNU/Linux /etc/cron.d/php5 cron job for PHP 5.3.5 allows local users to delete arbitrary files via a symlink attack on a directory under /var/lib/php5/. 2011-03-29 6.3 CVE-2011-0441
quagga -- quagga
The extended-community parser in bgpd in Quagga before 0.99.18 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a malformed Extended Communities attribute. 2011-03-29 5.0 CVE-2010-1674
quagga -- quagga
bgpd in Quagga before 0.99.18 allows remote attackers to cause a denial of service (session reset) via a malformed AS_PATHLIMIT path attribute. 2011-03-29 5.0 CVE-2010-1675
samba -- rsync
rsync 3.x before 3.0.8, when certain recursion, deletion, and ownership options are used, allows remote rsync servers to cause a denial of service (heap memory corruption and application crash) or possibly execute arbitrary code via malformed data. 2011-03-30 5.1 CVE-2011-1097
steinar_h_gunderson -- mpm-itk
The configuration merger in itk.c in the Steinar H. Gunderson mpm-itk Multi-Processing Module 2.2.11-01 and 2.2.11-02 for the Apache HTTP Server does not properly handle certain configuration sections that specify NiceValue but not AssignUserID, which might allow remote attackers to gain privileges by leveraging the root uid and root gid of an mpm-itk process. 2011-03-29 4.3 CVE-2011-1176
symantec -- liveupdate_administrator
Cross-site request forgery (CSRF) vulnerability in adduser.do in Symantec LiveUpdate Administrator (LUA) before 2.3 allows remote attackers to hijack the authentication of administrators for requests that create new administrative accounts, and possibly have unspecified other impact, via the userRole parameter. 2011-03-28 6.8 CVE-2011-0545
symantec -- liveupdate_administrator
Cross-site scripting (XSS) vulnerability in the management login GUI page in Symantec LiveUpdate Administrator (LUA) before 2.3 allows remote attackers to inject arbitrary web script or HTML via the username field, as demonstrated by injecting an IFRAME element into the event log, a different vulnerability than CVE-2011-0545. 2011-03-28 4.3 CVE-2011-1524
Back to top

Low Vulnerabilities

Primary
Vendor -- Product
Description Published CVSS Score Source & Patch Info
michael_hudson-doyle -- loggerhead
Cross-site scripting (XSS) vulnerability in templatefunctions.py in Loggerhead before 1.18.1 allows remote authenticated users to inject arbitrary web script or HTML via a filename, which is not properly handled in a revision view. 2011-03-293.5 CVE-2011-0728
Back to top

This product is provided subject to this Notification and this Privacy & Use policy.

Was this document helpful?  Yes  |  Somewhat  |  No

Back to Top