Vulnerability Summary for the Week of December 24, 2012

Released: Jan 02, 2013
Document ID: SB13-002

The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. NVD is sponsored by CISA. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.

Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division into high, medium, and low severities corresponds to the following scores:

  • High: vulnerabilities with a CVSS base score of 7.0–10.0
  • Medium: vulnerabilities with a CVSS base score of 4.0–6.9
  • Low: vulnerabilities with a CVSS base score of 0.0–3.9

Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis. 

High Vulnerabilities

| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
| --- | --- | --- | --- | --- |
| adobe -- shockwave_player | Adobe Shockwave Player through 11.6.8.638 allows remote attackers to trigger installation of a Shockwave Player 10.4.0.025 compatibility feature via a crafted HTML document that references Shockwave content with a certain compatibility parameter, related to a "downgrading" attack. | 2012-12-20 | 9.3 | CVE-2012-6270 |
| ca -- identityminder | Unspecified vulnerability in CA IdentityMinder r12.0 through CR16, r12.5 before SP15, and r12.6 GA allows remote attackers to execute arbitrary commands or modify data via unknown vectors. | 2012-12-26 | 10.0 | CVE-2012-6298 |
| ca -- identityminder | Unspecified vulnerability in CA IdentityMinder r12.0 through CR16, r12.5 before SP15, and r12.6 GA allows remote attackers to bypass intended access restrictions via unknown vectors. | 2012-12-26 | 10.0 | CVE-2012-6299 |
| carlosgavazzi -- eos-box_photovoltaic_monitoring_system | Multiple SQL injection vulnerabilities in Carlo Gavazzi EOS-Box with firmware before 1.0.0.1080_2.1.10 allow remote attackers to execute arbitrary SQL commands via unspecified vectors, a similar issue to CVE-2012-5861. | 2012-12-23 | 7.5 | CVE-2012-6427 |
| carlosgavazzi -- eos-box_photovoltaic_monitoring_system | Carlo Gavazzi EOS-Box with firmware before 1.0.0.1080_2.1.10 establishes multiple hardcoded accounts, which makes it easier for remote attackers to obtain administrative access by reading a password in a PHP script, a similar issue to CVE-2012-5862. | 2012-12-23 | 10.0 | CVE-2012-6428 |
| citrix -- xenapp | The XML Service interface in Citrix XenApp 6.5 and 6.5 Feature Pack 1 allows remote attackers to execute arbitrary code via unspecified vectors. | 2012-12-26 | 9.3 | CVE-2012-5161 |
| foscam -- h.264_hi3510/11/12_ip_camera | The web interface on (1) Foscam and (2) Wansview IP cameras allows remote attackers to bypass authentication, and perform administrative functions or read the admin password, via a direct request to an unspecified URL. | 2012-12-21 | 10.0 | CVE-2012-3002 |
| ibm -- rational_automation_framework | IBM Rational Automation Framework (RAF) 3.x through 3.0.0.5 allows remote attackers to bypass intended Env Gen Wizard (aka Environment Generation Wizard) access restrictions by visiting context roots in HTTP sessions on port 8080. | 2012-12-26 | 7.5 | CVE-2012-4816 |
| ibm -- tivoli_storage_manager_for_space_management | Unspecified vulnerability in IBM Tivoli Storage Manager for Space Management (aka TSM HSM) before 6.2.5.0 and 6.3.x before 6.3.1.0 allows local users to read or modify file system objects via unknown vectors. | 2012-12-21 | 7.2 | CVE-2012-4859 |
| ibm -- tivoli_netview | Unspecified vulnerability in IBM Tivoli NetView 1.4, 5.1 through 5.4, and 6.1 on z/OS allows local users to gain privileges by leveraging access to the normal Unix System Services (USS) security level. | 2012-12-26 | 7.2 | CVE-2012-5951 |
| mysql -- mysql | Buffer overflow in yaSSL, as used in MySQL 5.5.20 and possibly other versions including 5.5.x before 5.5.22 and 5.1.x before 5.1.62, allows remote attackers to execute arbitrary code via unspecified vectors, as demonstrated by VulnDisco Pack Professional 9.17. NOTE: as of 20120224, this disclosure has no actionable information. However, because the module author is a reliable researcher, the issue is being assigned a CVE identifier for tracking purposes. NOTE: due to lack of details, it is not clear whether this issue is a duplicate of CVE-2012-0492 or another CVE. | 2012-12-21 | 7.5 | CVE-2012-0882 |
| netiq -- edirectory | Stack-based buffer overflow in the Novell NCP implementation in NetIQ eDirectory 8.8.7.x before 8.8.7.2 allows remote attackers to have an unspecified impact via unknown vectors. | 2012-12-25 | 10.0 | CVE-2012-0432 |
| netiq -- privileged_user_manager | Eval injection vulnerability in the ldapagnt_eval function in ldapagnt.dll in unifid.exe in NetIQ Privileged User Manager 2.3.x before 2.3.1 HF2 allows remote attackers to execute arbitrary Perl code via a crafted application/x-amf request. | 2012-12-24 | 10.0 | CVE-2012-5932 |
| novell -- iprint | Unspecified vulnerability in Novell iPrint Client before 5.82 allows remote attackers to execute arbitrary code via an op-client-interface-version action. | 2012-12-24 | 10.0 | CVE-2012-0411 |
| oracle -- glassfish_web_space_server10.0 | Directory traversal vulnerability in the Liferay component in Oracle Sun GlassFish Web Space Server before 10.0 Update 7 Patch 2 has unknown impact and attack vectors. | 2012-12-21 | 10.0 | CVE-2012-1712 |
| oracle -- hyperion_financial_management | Unspecified vulnerability in a TList 6 ActiveX control in Oracle Hyperion Financial Management 11.1.1.4 and 11.1.2.1.104 allows remote attackers to execute arbitrary code via unknown vectors. | 2012-12-21 | 10.0 | CVE-2012-1714 |
| rubyonrails -- ruby_on_rails | SQL injection vulnerability in the Authlogic gem for Ruby on Rails allows remote attackers to execute arbitrary SQL commands via a crafted parameter in conjunction with a secret_token value, related to certain behavior of find_by_id and other find_by_ methods. | 2012-12-26 | 7.5 | CVE-2012-5664 |
| scripthead -- webmail_plus | SQL injection vulnerability in the Webmail Plus module for Drupal allows remote attackers to execute arbitrary SQL commands via unspecified vectors. | 2012-12-26 | 7.5 | CVE-2012-5590 |
| symantec -- endpoint_protection | The management console in Symantec Endpoint Protection (SEP) 11.0 before RU7-MP3 and 12.1 before RU2, and Symantec Endpoint Protection Small Business Edition 12.x before 12.1 RU2, does not properly validate input for PHP scripts, which allows remote authenticated users to execute arbitrary code via unspecified vectors. | 2012-12-18 | 7.2 | CVE-2012-4348 |


Medium Vulnerabilities

| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
| --- | --- | --- | --- | --- |
| catalin_florian_radut -- zeropoint | Cross-site scripting (XSS) vulnerability in the Zero Point module 6.x-1.x before 6.x-1.18 and 7.x-1.x before 7.x-1.4 for Drupal allows remote attackers to inject arbitrary web script or HTML via the path aliases. | 2012-12-26 | 4.3 | CVE-2012-5591 |
| citrix -- xendesktop | Citrix XenDesktop Virtual Desktop Agent (VDA) 5.6.x before 5.6.200, when making changes to the server-side policy that control USB redirection, does not propagate changes to the VDA, which allows authenticated users to retain access to the USB device. | 2012-12-26 | 5.0 | CVE-2012-6314 |
| concrete5 -- concrete5 | Cross-site scripting (XSS) vulnerability in concrete5 Japanese 5.5.1 through 5.5.2.1 and concrete5 English 5.5.0 through 5.6.0.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 2012-12-21 | 4.3 | CVE-2012-5181 |
| emc -- data_protection_advisor | Directory traversal vulnerability in the Web UI in EMC Data Protection Advisor (DPA) 5.6 through SP1, 5.7 through SP1, and 5.8 through SP4 allows remote attackers to read arbitrary files via unspecified vectors. | 2012-12-26 | 5.0 | CVE-2012-4616 |
| epiqo -- email | Cross-site scripting (XSS) vulnerability in the Email Field module 6.x-1.x before 6.x-1.3 for Drupal allows remote attackers to inject arbitrary web script or HTML via the mailto link. | 2012-12-26 | 4.3 | CVE-2012-5587 |
| fetchmail -- fetchmail | Fetchmail 5.0.8 through 6.3.21, when using NTLM authentication in debug mode, allows remote NTLM servers to (1) cause a denial of service (crash and delayed delivery of inbound mail) via a crafted NTLM response that triggers an out-of-bounds read in the base64 decoder, or (2) obtain sensitive information from memory via an NTLM Type 2 message with a crafted Target Name structure, which triggers an out-of-bounds read. | 2012-12-21 | 5.8 | CVE-2012-3482 |
| ibm -- rational_policy_tester | IBM Security AppScan Enterprise before 8.6.0.2 and Rational Policy Tester before 8.5.0.3 do not validate X.509 certificates during scanning, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary certificate. | 2012-12-28 | 5.8 | CVE-2012-0738 |
| ibm -- rational_policy_tester | IBM Security AppScan Enterprise before 8.6.0.2 and Rational Policy Tester before 8.5.0.3 do not validate X.509 certificates during use of the Manual Explore Proxy feature, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary certificate. | 2012-12-28 | 5.8 | CVE-2012-0741 |
| ibm -- tivoli_storage_manager_for_space_management | Unspecified vulnerability in IBM Tivoli Storage Manager for Space Management (aka TSM HSM) before 6.2.5.0 and 6.3.x before 6.3.1.0 allows remote attackers to read or modify HSM-managed file system objects via unknown vectors. | 2012-12-21 | 6.4 | CVE-2012-5954 |
| linux -- linux_kernel | The override_release function in kernel/sys.c in the Linux kernel before 3.4.16 allows local users to obtain sensitive information from kernel stack memory via a uname system call in conjunction with a UNAME26 personality. | 2012-12-21 | 4.9 | CVE-2012-0957 |
| linux -- linux_kernel | The ip6_frag_queue function in net/ipv6/reassembly.c in the Linux kernel before 2.6.36 allows remote attackers to bypass intended network restrictions via overlapping IPv6 fragments. | 2012-12-21 | 5.0 | CVE-2012-4444 |
| linux -- linux_kernel | The tcp_illinois_info function in net/ipv4/tcp_illinois.c in the Linux kernel before 3.4.19, when the net.ipv4.tcp_congestion_control illinois setting is enabled, allows local users to cause a denial of service (divide-by-zero error and OOPS) by reading TCP stats. | 2012-12-21 | 4.7 | CVE-2012-4565 |
| linux -- linux_kernel | The online_pages function in mm/memory_hotplug.c in the Linux kernel before 3.6 allows local users to cause a denial of service (NULL pointer dereference and system crash) or possibly have unspecified other impact in opportunistic circumstances by using memory that was hot-added by an administrator. | 2012-12-21 | 4.0 | CVE-2012-5517 |
| linux -- linux_kernel | The main function in tools/hv/hv_kvp_daemon.c in hypervkvpd, as distributed in the Linux kernel before 3.8-rc1, allows local users to cause a denial of service (daemon exit) via a crafted application that sends a Netlink message. NOTE: this vulnerability exists because of an incorrect fix for CVE-2012-2669. | 2012-12-27 | 4.9 | CVE-2012-5532 |
| m2osw -- tableofcontents | The Table of Contents module 6.x-3.x before 6.x-3.8 for Drupal does not properly check node permissions, which allows remote attackers to read a node's headers by accessing a table of contents block. | 2012-12-26 | 4.3 | CVE-2012-5584 |
| naver -- loctouch | The Loctouch application 3.4.6 and earlier for Android does not properly handle implicit intents, which allows attackers to obtain sensitive information about logged locations via a crafted application. | 2012-12-26 | 4.3 | CVE-2012-5182 |
| netiq -- edirectory | Cross-site scripting (XSS) vulnerability in NetIQ eDirectory 8.8.6.x before 8.8.6.7 and 8.8.7.x before 8.8.7.2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. | 2012-12-25 | 4.3 | CVE-2012-0428 |
| netiq -- edirectory | dhost in NetIQ eDirectory 8.8.6.x before 8.8.6.7 and 8.8.7.x before 8.8.7.2 on Windows allows remote authenticated users to cause a denial of service (daemon crash) via crafted characters in an HTTP request. | 2012-12-25 | 4.0 | CVE-2012-0429 |
| netiq -- edirectory | Unspecified vulnerability in NetIQ eDirectory 8.8.6.x before 8.8.6.7 and 8.8.7.x before 8.8.7.2 on Windows allows remote attackers to obtain an administrator cookie and bypass authorization checks via unknown vectors. | 2012-12-25 | 6.4 | CVE-2012-0430 |
| netiq -- privileged_user_manager | The pa_modify_accounts function in auth.dll in unifid.exe in NetIQ Privileged User Manager 2.3.x before 2.3.1 HF2 does not require authentication for the modifyAccounts method, which allows remote attackers to change the passwords of administrative accounts via a crafted application/x-amf request. | 2012-12-24 | 6.4 | CVE-2012-5930 |
| netiq -- privileged_user_manager | Directory traversal vulnerability in the set_log_config function in regclnt.dll in unifid.exe in NetIQ Privileged User Manager 2.3.x before 2.3.1 HF2 allows remote authenticated users to create or overwrite arbitrary files via directory traversal sequences in a log pathname. | 2012-12-24 | 5.5 | CVE-2012-5931 |
| openstack -- folsom | OpenStack Compute (Nova) Folsom before 2012.2.2 and Grizzly, when using libvirt and LVM backed instances, does not properly clear physical volume (PV) content when reallocating for instances, which allows attackers to obtain sensitive information by reading the memory of the previous logical volume (LV). | 2012-12-26 | 4.3 | CVE-2012-5625 |
| opera -- opera_mini | The Opera Mobile application before 12.1 and Opera Mini application before 7.5 for Android do not properly implement the WebView class, which allows attackers to obtain sensitive information via a crafted application. | 2012-12-26 | 4.3 | CVE-2012-5180 |
| oracle -- essbase_server | Buffer overflow in the DataDirect ODBC driver, as used in Oracle Hyperion Interactive Reporting 11.1.2.1 and 11.1.2.2, Essbase Server 11.1.2.1 and 11.1.2.2, Production Reporting Server 11.1.2.1 and 11.1.2.2, and Integration Services Server 11.1.2.1 and 11.1.2.2 has unknown impact and attack vectors. | 2012-12-21 | 6.8 | CVE-2012-3133 |
| perl -- perl | The bsd_glob function in the File::Glob module for Perl before 5.14.2 allows context-dependent attackers to cause a denial of service (crash) via a glob expression with the GLOB_ALTDIRFUNC flag, which triggers an uninitialized pointer dereference. | 2012-12-21 | 4.3 | CVE-2011-2728 |
| ps_project_management_team -- unity-firefox-extension | content/unity-api.js in the unity-firefox-extension extension 2.4.1 for Firefox exposes the toDataURL function in an API call, which allows remote attackers to bypass the Same Origin Policy and obtain sensitive information via a crafted webpage. | 2012-12-26 | 4.3 | CVE-2012-0958 |
| sebastian_heinlein -- aptdaemon | Aptdaemon 0.43 in Ubuntu 11.10 and 12.04 LTS uses short IDs when importing PPA GPG keys from a keyserver, which allows remote attackers to install arbitrary package repository GPG keys via a man-in-the-middle (MITM) attack. | 2012-12-26 | 4.3 | CVE-2012-0962 |
| sensiolabs -- symfony | Symfony 2.0.x before 2.0.20 does not process URL encoded data consistently within the Routing and Security components, which allows remote attackers to bypass intended URI restrictions via a doubly encoded string. | 2012-12-27 | 6.4 | CVE-2012-6431 |
| sensiolabs -- symfony | Symfony 2.0.x before 2.0.20, 2.1.x before 2.1.5, and 2.2-dev, when the internal routes configuration is enabled, allows remote attackers to access arbitrary services via vectors involving a URI beginning with a /_internal substring. | 2012-12-27 | 6.8 | CVE-2012-6432 |
| siemens -- ros | Siemens RuggedCom Rugged Operating System (ROS) before 3.12, ROX I OS through 1.14.5, ROX II OS through 2.3.0, and RuggedMax OS through 4.2.1.4621.22 use hardcoded private keys for SSL and SSH communication, which makes it easier for man-in-the-middle attackers to spoof servers and decrypt network traffic by leveraging the availability of these keys within ROS files at all customer installations. | 2012-12-23 | 4.3 | CVE-2012-4698 |
| vmware -- vcenter_server_appliance | Directory traversal vulnerability in VMware vCenter Server Appliance (vCSA) 5.0 before Update 2 and 5.1 before Patch 1 allows remote authenticated users to read arbitrary files via unspecified vectors. | 2012-12-21 | 4.0 | CVE-2012-6324 |
| vmware -- vcenter_server_appliance | VMware vCenter Server Appliance (vCSA) 5.0 before Update 2 does not properly parse XML documents, which allows remote authenticated users to read arbitrary files via unspecified vectors. | 2012-12-21 | 4.0 | CVE-2012-6325 |
| xmlsoft -- libxml2 | libxml2 before 2.8.0 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted XML data. | 2012-12-21 | 5.0 | CVE-2012-0841 |


Low Vulnerabilities

| Primary Vendor -- Product | Description | Published | CVSS Score | Source & Patch Info |
| --- | --- | --- | --- | --- |
| N/A -- N/A | Cross-site scripting (XSS) vulnerability in data/hybrid/i_hybrid.php in Open Constructor 3.12.0 allows remote authenticated users to inject arbitrary web script or HTML via the header parameter. | 2012-12-28 | 3.5 | CVE-2012-3871 |
| boatmob -- boat_browser | The Boat Browser application before 4.2 and Boat Browser Mini application before 3.9 for Android do not properly implement the WebView class, which allows attackers to obtain sensitive information via a crafted application. | 2012-12-26 | 1.2 | CVE-2012-5179 |
| d-link -- dcs-932l_camera | The D-Link DCS-932L camera with firmware 1.02 allows remote attackers to discover the password via a UDP broadcast packet, as demonstrated by running the D-Link Setup Wizard and reading the _paramR["P"] value. | 2012-12-24 | 3.3 | CVE-2012-4046 |
| debian -- apt | Apt 0.8.16~exp5ubuntu13.x before 0.8.16~exp5ubuntu13.6, 0.8.16~exp12ubuntu10.x before 0.8.16~exp12ubuntu10.7, and 0.9.7.5ubuntu5.x before 0.9.7.5ubuntu5.2, as used in Ubuntu, uses world-readable permissions for /var/log/apt/term.log, which allows local users to obtain sensitive shell information by reading the log file. | 2012-12-26 | 2.1 | CVE-2012-0961 |
| epiqo -- email | The Email Field module 6.x-1.x before 6.x-1.3 for Drupal, when using a field permission module and the field contact field formatter is set to the full or teaser display mode, does not properly check permissions, which allows remote attackers to email the stored address via unspecified vectors. | 2012-12-26 | 2.6 | CVE-2012-5588 |
| gnome -- gnome_display_manager | vicious-extensions/ve-misc.c in GNOME Display Manager (gdm) 2.20.x before 2.20.11, when GDM debug is enabled, logs the user password when it contains invalid UTF8 encoded characters, which might allow local users to gain privileges by reading the information from syslog logs. | 2012-12-21 | 1.9 | CVE-2010-2387 |
| linux -- linux_kernel | The main function in tools/hv/hv_kvp_daemon.c in hypervkvpd, as distributed in the Linux kernel before 3.4.5, does not validate the origin of Netlink messages, which allows local users to spoof Netlink communication via a crafted connector message. | 2012-12-27 | 3.6 | CVE-2012-2669 |
| linux -- linux_kernel | Race condition in fs/ext4/extents.c in the Linux kernel before 3.4.16 allows local users to obtain sensitive information from a deleted file by reading an extent that was not properly marked as uninitialized. | 2012-12-21 | 1.9 | CVE-2012-4508 |
| marc_ingram -- services | The Services module 6.x-3.x before 6.x-3.3 and 7.x-3.x before 7.x-3.3 for Drupal allows remote authenticated users with the "access user profiles" permission to access arbitrary users' emails via vectors related to the "user index method" and "the path to the user resource." | 2012-12-26 | 2.1 | CVE-2012-5586 |
| mixpanel_project -- mixpanel | Cross-site scripting (XSS) vulnerability in the Mixpanel module 6.x-1.x before 6.x-1.1 in Drupal allows remote authenticated users with the "access administration pages" permission to inject arbitrary web script or HTML via the Maxpanel token. | 2012-12-26 | 2.1 | CVE-2012-5585 |
| naver -- loctouch | The Loctouch application 3.4.6 and earlier for Android allows attackers to obtain sensitive information about logged locations via a crafted application that leverages read permission for system log files. | 2012-12-26 | 2.6 | CVE-2012-5183 |
| netgenius -- multilink | The MultiLink module 6.x-2.x before 6.x-2.7 and 7.x-2.x before 7.x-2.7 for Drupal does not properly check node permissions when generating an in-content link, which allows remote authenticated users with text-editing permissions to read arbitrary node titles via a generated link. | 2012-12-26 | 3.5 | CVE-2012-5589 |
| openstack -- keystone | tools/sample_data.sh in OpenStack Keystone 2012.1.3, when access to Amazon Elastic Compute Cloud (Amazon EC2) is configured, uses world-readable permissions for /etc/keystone/ec2rc, which allows local users to obtain access to EC2 services by reading administrative access and secret values from this file. | 2012-12-26 | 2.1 | CVE-2012-5483 |
| wordpress -- wordpress | WordPress 3.4.2 does not invalidate a wordpress_sec session cookie upon an administrator's logout action, which makes it easier for remote attackers to discover valid session identifiers via a brute-force attack, or modify data via a replay attack. | 2012-12-27 | 2.6 | CVE-2012-5868 |
| x -- x.org_x11 | The ProcSetEventMask function in difs/events.c in the xfs font server for X.Org X11R6 through X11R6.6 and XFree86 before 3.3.3 calls the SendErrToClient function with a mask value instead of a pointer, which allows local users to cause a denial of service (memory corruption and crash) or obtain potentially sensitive information from memory via a SetEventMask request that triggers an invalid pointer dereference. | 2012-12-21 | 3.6 | CVE-2012-1699 |
