U.S. Flag Official website of the Department of Homeland Security

Bulletin (SB11-318)

Vulnerability Summary for the Week of November 7, 2011

Original release date: November 14, 2011 | Last revised: November 08, 2012

The US-CERT Cyber Security Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. The NVD is sponsored by the Department of Homeland Security (DHS) National Cybersecurity and Communications Integration Center (NCCIC) / United States Computer Emergency Readiness Team (US-CERT). For modified or updated entries, please visit the NVD, which contains historical vulnerability information.

The vulnerabilities are based on the CVE vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

  • High - Vulnerabilities will be labeled High severity if they have a CVSS base score of 7.0 - 10.0

  • Medium - Vulnerabilities will be labeled Medium severity if they have a CVSS base score of 4.0 - 6.9

  • Low - Vulnerabilities will be labeled Low severity if they have a CVSS base score of 0.0 - 3.9

Entries may include additional information provided by organizations and efforts sponsored by US-CERT. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletins is compiled from external, open source reports and is not a direct result of US-CERT analysis.

High Vulnerabilities

Primary
Vendor -- Product
Description Published CVSS Score Source & Patch Info
adobe -- shockwave_player
The DIRapi library in Adobe Shockwave Player before 11.6.3.633 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2011-2448. 2011-11-08 10.0 CVE-2011-2446
adobe -- shockwave_player
Adobe Shockwave Player before 11.6.3.633 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors. 2011-11-08 10.0 CVE-2011-2447
adobe -- shockwave_player
The DIRapi library in Adobe Shockwave Player before 11.6.3.633 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors, a different vulnerability than CVE-2011-2446. 2011-11-08 10.0 CVE-2011-2448
adobe -- shockwave_player
The TextXtra module in Adobe Shockwave Player before 11.6.3.633 allows attackers to execute arbitrary code or cause a denial of service (memory corruption) via unspecified vectors. 2011-11-08 10.0 CVE-2011-2449
e107 -- e107
Static code injection vulnerability in install_.php in e107 CMS 0.7.24 and probably earlier versions, when the installation script is not removed, allows remote attackers to inject arbitrary PHP code into e107_config.php via a crafted MySQL server name. 2011-11-04 7.5 CVE-2011-1513
emc -- documentum_eroom
The file-blocking feature in EMC Documentum eRoom 7.3.x and 7.4.x before 7.4.3.g does not properly restrict the uploading and opening of files with dangerous file types, which allows remote authenticated users to execute arbitrary code via an uploaded file. 2011-11-09 8.5 CVE-2011-2739
emc -- rsa_key_manager_appliance
EMC RSA Key Manager (RKM) Appliance 2.7 SP1 before 2.7.1.6, when Firefox 4.x or 5.0 is used, does not properly terminate a user session upon a logout action, which makes it easier for remote attackers to execute arbitrary code by leveraging an unattended workstation. 2011-11-09 9.3 CVE-2011-2740
ffftp -- ffftp
Untrusted search path vulnerability in FFFTP 1.98a and earlier allows local users to execute arbitrary code via unspecified functions. 2011-11-04 9.3 CVE-2011-3991
google -- chrome
Double free vulnerability in the Theora decoder in Google Chrome before 15.0.874.120 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted stream. 2011-11-11 7.5 CVE-2011-3892
google -- chrome
Google Chrome before 15.0.874.120 does not properly perform VP8 decoding, which allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via a crafted stream. 2011-11-11 7.5 CVE-2011-3894
google -- chrome
Heap-based buffer overflow in the Vorbis decoder in Google Chrome before 15.0.874.120 allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted stream. 2011-11-11 7.5 CVE-2011-3895
google -- chrome
Buffer overflow in Google Chrome before 15.0.874.120 allows remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to shader variable mapping. 2011-11-11 7.5 CVE-2011-3896
google -- chrome
Google Chrome before 15.0.874.120, when Java Runtime Environment (JRE) 7 is used, does not request user confirmation before applet execution begins, which allows remote attackers to have an unspecified impact via a crafted applet. 2011-11-11 7.5 CVE-2011-3898
hiroyuki_oyama -- dbd::mysqlpp
SQL injection vulnerability in DBD::mysqlPP 0.04 and earlier allows remote attackers to execute arbitrary SQL commands via unspecified vectors. 2011-11-04 7.5 CVE-2011-3989
microsoft -- windows_7
Array index error in win32k.sys in the kernel-mode drivers in Microsoft Windows Server 2008 R2 and R2 SP1 and Windows 7 Gold and SP1 allows remote attackers to cause a denial of service (reboot) via a crafted TrueType font file, aka "TrueType Font Parsing Vulnerability," a different vulnerability than CVE-2011-3402. 2011-11-08 7.1 CVE-2011-2004
microsoft -- windows_7
Integer overflow in the TCP/IP implementation in Microsoft Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows remote attackers to execute arbitrary code by sending a sequence of crafted UDP packets to a closed port, aka "Reference Counter Overflow Vulnerability." 2011-11-08 10.0 CVE-2011-2013
microsoft -- windows_7
The LDAP over SSL (aka LDAPS) implementation in Active Directory, Active Directory Application Mode (ADAM), and Active Directory Lightweight Directory Service (AD LDS) in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 does not examine Certificate Revocation Lists (CRLs), which allows remote authenticated users to bypass intended certificate restrictions and access Active Directory resources by leveraging a revoked X.509 certificate for a domain account, aka "LDAPS Authentication Bypass Vulnerability." 2011-11-08 9.0 CVE-2011-2014
microsoft -- windows_7
Untrusted search path vulnerability in Windows Mail and Windows Meeting Space in Microsoft Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows local users to gain privileges via a Trojan horse DLL in the current working directory, as demonstrated by a directory that contains a .eml or .wcinv file, aka "Windows Mail Insecure Library Loading Vulnerability." 2011-11-08 9.3 CVE-2011-2016
microsoft -- windows_7
Unspecified vulnerability in the Win32k TrueType font parsing engine in the kernel in Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2, R2, and R2 SP1, and Windows 7 Gold and SP1 allows remote attackers to execute arbitrary code via crafted font data in a Word document, as exploited in the wild in November 2011 by Duqu. 2011-11-04 9.3 CVE-2011-3402
mozilla -- firefox
The JSSubScriptLoader in Mozilla Firefox before 3.6.24 and Thunderbird before 3.1.6 does not properly handle XPCNativeWrappers during calls to the loadSubScript method in an add-on, which makes it easier for remote attackers to gain privileges via a crafted web site that leverages certain unwrapping behavior, a related issue to CVE-2011-3004. 2011-11-09 9.3 CVE-2011-3647
mozilla -- firefox
Mozilla Firefox before 3.6.24 and 4.x through 7.0 and Thunderbird before 3.1.6 and 5.0 through 7.0 do not properly handle JavaScript files that contain many functions, which allows user-assisted remote attackers to cause a denial of service (memory corruption and application crash) or possibly have unspecified other impact via a crafted file that is accessed by debugging APIs, as demonstrated by Firebug. 2011-11-09 9.3 CVE-2011-3650
mozilla -- firefox
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox 7.0 and Thunderbird 7.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors. 2011-11-09 10.0 CVE-2011-3651
mozilla -- firefox
The browser engine in Mozilla Firefox before 8.0 and Thunderbird before 8.0 does not properly allocate memory, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unspecified vectors. 2011-11-09 10.0 CVE-2011-3652
mozilla -- firefox
The browser engine in Mozilla Firefox before 8.0 and Thunderbird before 8.0 does not properly handle links from SVG mpath elements to non-SVG elements, which allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unspecified vectors. 2011-11-09 10.0 CVE-2011-3654
mozilla -- firefox
Mozilla Firefox 4.x through 7.0 and Thunderbird 5.0 through 7.0 perform access control without checking for use of the NoWaiverWrapper wrapper, which allows remote attackers to gain privileges via a crafted web site. 2011-11-09 9.3 CVE-2011-3655
nara_institute_of_science_and_technology -- chasen
Buffer overflow in ChaSen 2.4.x allows remote attackers to execute arbitrary code via a crafted string. 2011-11-08 9.3 CVE-2011-4000
opengear -- opengear_console_server_firmware
Opengear console servers with firmware before 2.2.1 allow remote attackers to bypass authentication, and modify settings or access connected equipment, via unspecified vectors. 2011-11-09 7.5 CVE-2011-3997
schneider-electric -- monitor_pro
Buffer overflow in the UnitelWay Windows Device Driver, as used in Schneider Electric Unity Pro 6 and earlier, OPC Factory Server 3.34, Vijeo Citect 7.20 and earlier, Telemecanique Driver Pack 2.6 and earlier, Monitor Pro 7.6 and earlier, and PL7 Pro 4.5 and earlier, allows local users, and possibly remote attackers, to execute arbitrary code via an unspecified system parameter. 2011-11-04 7.2 CVE-2011-3330
sir -- gnuboard
SQL injection vulnerability in bbs/tb.php in Gnuboard 4.33.02 and earlier allows remote attackers to execute arbitrary SQL commands via the PATH_INFO. 2011-11-04 7.5 CVE-2011-4066
Back to top

Medium Vulnerabilities

Primary
Vendor -- Product
Description Published CVSS Score Source & Patch Info
apache -- http_server
Integer overflow in the ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is enabled, allows local users to gain privileges via a .htaccess file with a crafted SetEnvIf directive, in conjunction with a crafted HTTP request header, leading to a heap-based buffer overflow. 2011-11-08 4.4 CVE-2011-3607
apple -- webobjects
Cross-site scripting (XSS) vulnerability in Apple WebObjects 5.2 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. 2011-11-09 4.3 CVE-2011-3998
conky -- conky
The getSkillname function in the eve module in Conky 1.8.1 and earlier allows local users to overwrite arbitrary files via a symlink attack on /tmp/.cesf. 2011-11-04 6.3 CVE-2011-3616
gnome -- ifcfg-rh_plug-in
Incomplete blacklist vulnerability in the svEscape function in settings/plugins/ifcfg-rh/shvar.c in the ifcfg-rh plug-in for GNOME NetworkManager 0.9.1, 0.9.0, 0.8.1, and possibly other versions, when PolicyKit is configured to allow users to create new connections, allows local users to execute arbitrary commands via a newline character in the name for a new network connection, which is not properly handled when writing to the ifcfg file. 2011-11-04 6.9 CVE-2011-3364
google -- chrome
Google Chrome before 15.0.874.120 does not properly implement the MKV and Vorbis media handlers, which allows remote attackers to cause a denial of service (out-of-bounds read) via unspecified vectors. 2011-11-11 5.0 CVE-2011-3893
google -- chrome
Use-after-free vulnerability in Google Chrome before 15.0.874.120 allows user-assisted remote attackers to cause a denial of service or possibly have unspecified other impact via vectors related to editing. 2011-11-11 6.8 CVE-2011-3897
hp -- hp-ux_containers
Unspecified vulnerability in HP-UX Containers (formerly HP-UX Secure Resource Partitions (SRP)) A.03.00, A.03.00.002, and A.03.01, when running with patch PHKL_42310, allows local users to gain privileges via unknown vectors. 2011-11-04 6.8 CVE-2011-3164
hp -- tcp_ip_services_openvms
Unspecified vulnerability in the POP and IMAP service implementations in HP TCP/IP Services 5.6 and 5.7 for OpenVMS allows remote attackers to obtain sensitive information via unknown vectors. 2011-11-07 5.0 CVE-2011-3168
hp -- tcp_ip_services_openvms
Unspecified vulnerability in the SMTP service implementation in HP TCP/IP Services 5.6 and 5.7 for OpenVMS allows remote attackers to cause a denial of service via unknown vectors. 2011-11-07 5.0 CVE-2011-3169
ibc.co.jp -- iwate_portal_bar
Cross-site scripting (XSS) vulnerability in the RSS/Atom feed-reader implementation in Iwate Portal Bar allows remote attackers to inject arbitrary web script or HTML via a crafted feed. 2011-11-09 4.3 CVE-2011-3999
merethis -- centreon
Directory traversal vulnerability in main.php in Merethis Centreon before 2.3.2 allows remote authenticated users to execute arbitrary commands via a .. (dot dot) in the command_name parameter. 2011-11-09 6.5 CVE-2011-4431
merethis -- centreon
www/include/configuration/nconfigObject/contact/DB-Func.php in Merethis Centreon before 2.3.2 does not use a salt during calculation of a password hash, which makes it easier for context-dependent attackers to determine cleartext passwords via a rainbow-table approach. 2011-11-09 5.0 CVE-2011-4432
mozilla -- firefox
Cross-site scripting (XSS) vulnerability in Mozilla Firefox before 3.6.24 and 4.x through 7.0 and Thunderbird before 3.1.6 and 5.0 through 7.0 allows remote attackers to inject arbitrary web script or HTML via crafted text with Shift JIS encoding. 2011-11-09 4.3 CVE-2011-3648
mozilla -- firefox
Mozilla Firefox before 8.0 and Thunderbird before 8.0 on Mac OS X do not properly interact with the GPU memory behavior of a certain driver for Intel integrated GPUs, which allows remote attackers to bypass the Same Origin Policy and read image data via vectors related to WebGL textures. 2011-11-09 5.0 CVE-2011-3653
nlnetlabs -- ldns
Heap-based buffer overflow in the ldns_rr_new_frm_str_internal function in ldns before 1.6.11 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a Resource Record (RR) with an unknown type containing input that is longer than a specified length. 2011-11-04 6.8 CVE-2011-3581
pidgin -- libpurple
The g_markup_escape_text function in the SILC protocol plug-in in libpurple 2.10.0 and earlier, as used in Pidgin and possibly other products, allows remote attackers to cause a denial of service (crash) via invalid UTF-8 sequences that trigger use of invalid pointers and an out-of-bounds read, related to interactions with certain versions of glib2. 2011-11-04 4.3 CVE-2011-3594
Back to top

Low Vulnerabilities

Primary
Vendor -- Product
Description Published CVSS Score Source & Patch Info
apache -- http_server
The ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is enabled, does not restrict the size of values of environment variables, which allows local users to cause a denial of service (memory consumption or NULL pointer dereference) via a .htaccess file with a crafted SetEnvIf directive, in conjunction with a crafted HTTP request header, related to (1) the "len +=" statement and (2) the apr_pcalloc function call, a different vulnerability than CVE-2011-3607. 2011-11-081.2 CVE-2011-4415
ibm -- db2
Unspecified vulnerability in IBM DB2 9.7 before FP5 on UNIX, when the Self Tuning Memory Manager (STMM) feature and the AUTOMATIC DATABASE_MEMORY setting are configured, allows local users to cause a denial of service (daemon crash) via unknown vectors. 2011-11-091.5 CVE-2011-1373
mozilla -- firefox
Mozilla Firefox 7.0 and Thunderbird 7.0, when the Direct2D (aka D2D) API is used on Windows in conjunction with the Azure graphics back-end, allow remote attackers to bypass the Same Origin Policy, and obtain sensitive image data from a different domain, by inserting this data into a canvas. NOTE: this issue exists because of a CVE-2011-2986 regression. 2011-11-092.6 CVE-2011-3649
plume-cms -- plume_cms
Cross-site scripting (XSS) vulnerability in Plume before 1.2.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. 2011-11-092.6 CVE-2011-3985
pureftpd -- pure-ftpd
Directory traversal vulnerability in pure-FTPd 1.0.22 and possibly other versions, when running on SUSE Linux Enterprise Server and possibly other operating systems, when the Netware OES remote server feature is enabled, allows local users to overwrite arbitrary files via unknown vectors. 2011-11-043.6 CVE-2011-3171
Back to top

This product is provided subject to this Notification and this Privacy & Use policy.

Was this document helpful?  Yes  |  Somewhat  |  No

Back to Top