Vulnerability Summary for the Week of January 24, 2011

Released
Jan 31, 2011
Document ID
SB11-031

The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. NVD is sponsored by CISA. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.

Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities correspond to the following scores:

  • High: vulnerabilities with a CVSS base score of 7.0–10.0
  • Medium: vulnerabilities with a CVSS base score of 4.0–6.9
  • Low: vulnerabilities with a CVSS base score of 0.0–3.9

Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis. 


High Vulnerabilities

Primary
Vendor -- Product
DescriptionPublished CVSS ScoreSource & Patch Info
anserv -- php_low_bidsSQL injection vulnerability in viewfaqs.php in PHP LOW BIDS allows remote attackers to execute arbitrary SQL commands via the cat parameter.2011-01-257.5CVE-2011-0646
XF
BID
EXPLOIT-DB
SECUNIA
OSVDB
apple -- mac_os_xApple Mac OS X does not properly warn the user before enabling additional Human Interface Device (HID) functionality over USB, which allows user-assisted attackers to execute arbitrary programs via crafted USB data, as demonstrated by keyboard and mouse data sent by malware on a smartphone that the user connected to the computer.2011-01-249.3CVE-2011-0639
MISC
MISC
MISC
automatedsolutions -- modbus/tcp_master_opc_serverHeap-based buffer overflow in Automated Solutions Modbus/TCP Master OPC Server before 3.0.2 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a MODBUS response packet with a crafted length field.2011-01-287.6CVE-2010-4709
VUPEN
BID
EXPLOIT-DB
SECUNIA
CONFIRM
cisco -- linksys_wrt54gc_router_firmwareBuffer overflow in the web-based management interface on the Cisco Linksys WRT54GC router with firmware before 1.06.1 allows remote attackers to cause a denial of service (device crash) via a long string in a POST request.2011-01-247.8CVE-2011-0352
CONFIRM
SECUNIA
JVNDB
JVN
ffmpeg -- ffmpegInteger overflow in the vorbis_residue_decode_internal function in libavcodec/vorbis_dec.c in the Vorbis decoder in FFmpeg, possibly 0.6, has unspecified impact and remote attack vectors, related to the sizes of certain integer data types. NOTE: this might overlap CVE-2011-0480.2011-01-229.3CVE-2010-4705
CONFIRM
hp -- openview_storage_data_protectorBuffer overflow in crs.exe in HP OpenView Storage Data Protector Cell Manager 6.11 allows remote attackers to execute arbitrary code via unspecified message types.2011-01-249.3CVE-2011-0273
HP
HP
SECTRACK
SECUNIA
kernel -- linux-pamThe pam_env module in Linux-PAM (aka pam) 1.1.2 and earlier reads the .pam_environment file in a user's home directory, which might allow local users to run programs with an unintended environment by executing a program that relies on the pam_env PAM check.2011-01-247.2CVE-2010-4708
MISC
CONFIRM
MLIST
CONFIRM
linux -- linux_kernelThe default configuration of udev on Linux does not warn the user before enabling additional Human Interface Device (HID) functionality over USB, which allows user-assisted attackers to execute arbitrary programs via crafted USB data, as demonstrated by keyboard and mouse data sent by malware on a smartphone that the user connected to the computer.2011-01-249.3CVE-2011-0640
MISC
MISC
MISC
microsoft -- windowsMicrosoft Windows does not properly warn the user before enabling additional Human Interface Device (HID) functionality over USB, which allows user-assisted attackers to execute arbitrary programs via crafted USB data, as demonstrated by keyboard and mouse data sent by malware on a smartphone that the user connected to the computer.2011-01-249.3CVE-2011-0638
MISC
MISC
MISC
mozilla -- bugzillaBugzilla 2.14 through 2.22.7; 3.0.x, 3.1.x, and 3.2.x before 3.2.10; 3.4.x before 3.4.10; 3.6.x before 3.6.4; and 4.0.x before 4.0rc2 does not properly generate random values for cookies and tokens, which allows remote attackers to obtain access to arbitrary accounts via unspecified vectors, related to an insufficient number of calls to the srand function.2011-01-287.5CVE-2010-4568
CONFIRM
CONFIRM
CONFIRM
VUPEN
BID
CONFIRM
SECUNIA
openvas -- openvas_managerThe email function in manage_sql.c in OpenVAS Manager 1.0.x through 1.0.3 and 2.0.x through 2.0rc2 allows remote authenticated users to execute arbitrary commands via the (1) To or (2) From e-mail address in an OMP request to the Greenbone Security Assistant (GSA).2011-01-289.0CVE-2011-0018
CONFIRM
VUPEN
BID
BUGTRAQ
pango -- pangoHeap-based buffer overflow in the pango_ft2_font_render_box_glyph function in pango/pangoft2-render.c in libpango in Pango 1.28.3 and earlier, when the FreeType2 backend is enabled, allows user-assisted remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file, related to the glyph box for an FT_Bitmap object.2011-01-247.6CVE-2011-0020
CONFIRM
CONFIRM
VUPEN
MLIST
MLIST
phpcms -- phpcms_2008SQL injection vulnerability in include/admin/model_field.class.php in PHPCMS 2008 V2 allows remote attackers to execute arbitrary SQL commands via the modelid parameter to flash_upload.php.2011-01-257.5CVE-2011-0644
XF
BID
EXPLOIT-DB
SECUNIA
OSVDB
phpcms -- phpcms_2008SQL injection vulnerability in data.php in PHPCMS 2008 V2 allows remote attackers to execute arbitrary SQL commands via the where_time parameter in a get action.2011-01-257.5CVE-2011-0645
XF
BID
MISC
videolan -- vlc_media_playerMultiple heap-based buffer overflows in cdg.c in the CDG decoder in VideoLAN VLC Media Player before 1.1.6 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted CDG video.2011-01-259.3CVE-2011-0021
MLIST
CONFIRM
CONFIRM
VUPEN
MLIST

Back to top


Medium Vulnerabilities

Primary
Vendor -- Product
DescriptionPublished CVSS ScoreSource & Patch Info
citrix -- xenThe vbd_create function in Xen 3.1.2, when the Linux kernel 2.6.18 on Red Hat Enterprise Linux (RHEL) 5 is used, allows guest OS users to cause a denial of service (host OS panic) via an attempted access to a virtual CD-ROM device through the blkback driver. NOTE: some of these details are obtained from third party information.2011-01-225.5CVE-2010-4238
CONFIRM
XF
BID
MISC
citrix -- xenThe fixup_page_fault function in arch/x86/traps.c in Xen 4.0.1 and earlier on 64-bit platforms, when paravirtualization is enabled, does not verify that kernel mode is used to call the handle_gdt_ldt_mapping_fault function, which allows guest OS users to cause a denial of service (host OS BUG_ON) via a crafted memory access.2011-01-246.1CVE-2010-4255
CONFIRM
MLIST
MLIST
MLIST
collabnet -- scrumworksCollabNet ScrumWorks Basic 1.8.4 uses cleartext credentials for network communication and the internal database, which makes it easier for context-dependent attackers to obtain sensitive information by (1) sniffing the network for transmissions of Java objects or (2) reading the database.2011-01-245.0CVE-2011-0410
CERT-VN
SECUNIA
ffmpeg -- ffmpeglibavcodec/vorbis_dec.c in the Vorbis decoder in FFmpeg 0.6.1 and earlier allows remote attackers to cause a denial of service (application crash) via a crafted .ogg file, related to the vorbis_floor0_decode function. NOTE: this might overlap CVE-2011-0480.2011-01-224.3CVE-2010-4704
CONFIRM
CONFIRM
fuse -- fuseFUSE, possibly 2.8.5 and earlier, allows local users to create mtab entries with arbitrary pathnames, and consequently unmount any filesystem, via a symlink attack on the parent directory of the mountpoint of a FUSE filesystem, a different vulnerability than CVE-2010-0789.2011-01-225.8CVE-2010-3879
CONFIRM
MISC
CONFIRM
CONFIRM
CONFIRM
XF
VUPEN
UBUNTU
UBUNTU
BID
SECUNIA
OSVDB
MLIST
MLIST
FULLDISC
heart5 -- statpresscnMultiple cross-site scripting (XSS) vulnerabilities in wp-admin/admin.php in the StatPressCN plugin 1.9.0 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) what1, (2) what2, (3) what3, (4) what4, and (5) what5 parameters. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.2011-01-254.3CVE-2011-0641
BID
SECUNIA
OSVDB
hp -- business_availability_centerCross-site scripting (XSS) vulnerability in HP Business Availability Center (BAC) 7.x through 7.55 and 8.x through 8.05, and Business Service Management (BSM) through 9.01, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.2011-01-244.3CVE-2011-0274
VUPEN
BID
SECTRACK
SECUNIA
SECUNIA
HP
HP
ibm -- aixThe FC SCSI protocol driver in IBM AIX 6.1 does not verify that a timer is unused before deallocating this timer, which might allow attackers to cause a denial of service (system crash) via unspecified vectors.2011-01-244.9CVE-2011-0637
VUPEN
AIXAPAR
SECUNIA
kernel -- linux-pamThe privilege-dropping implementation in the (1) pam_env and (2) pam_mail modules in Linux-PAM (aka pam) 1.1.2 does not perform the required setfsgid and setgroups system calls, which might allow local users to obtain sensitive information by leveraging unintended group permissions, as demonstrated by a symlink attack on the .pam_environment file in a user's home directory. NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-3435.2011-01-244.7CVE-2010-3430
CONFIRM
MLIST
MLIST
MLIST
MLIST
MLIST
MLIST
MLIST
CONFIRM
MLIST
MLIST
MLIST
MLIST
MLIST
kernel -- linux-pamThe privilege-dropping implementation in the (1) pam_env and (2) pam_mail modules in Linux-PAM (aka pam) 1.1.2 does not check the return value of the setfsuid system call, which might allow local users to obtain sensitive information by leveraging an unintended uid, as demonstrated by a symlink attack on the .pam_environment file in a user's home directory. NOTE: this vulnerability exists because of an incomplete fix for CVE-2010-3435.2011-01-244.7CVE-2010-3431
CONFIRM
MLIST
MLIST
MLIST
MLIST
MLIST
MLIST
MLIST
CONFIRM
MLIST
MLIST
MLIST
MLIST
MLIST
kernel -- linux-pamThe (1) pam_env and (2) pam_mail modules in Linux-PAM (aka pam) before 1.1.2 use root privileges during read access to files and directories that belong to arbitrary user accounts, which might allow local users to obtain sensitive information by leveraging this filesystem activity, as demonstrated by a symlink attack on the .pam_environment file in a user's home directory.2011-01-244.7CVE-2010-3435
CONFIRM
MLIST
MLIST
MLIST
MLIST
MLIST
CONFIRM
REDHAT
REDHAT
MLIST
MLIST
MLIST
kernel -- linux-pampam_namespace.c in the pam_namespace module in Linux-PAM (aka pam) before 1.1.3 uses the environment of the invoking application or service during execution of the namespace.init script, which might allow local users to gain privileges by running a setuid program that relies on the pam_namespace PAM check, as demonstrated by the sudo program.2011-01-246.9CVE-2010-3853
CONFIRM
CONFIRM
REDHAT
REDHAT
kernel -- linux-pamThe pam_sm_close_session function in pam_xauth.c in the pam_xauth module in Linux-PAM (aka pam) 1.1.2 and earlier does not properly handle a failure to determine a certain target uid, which might allow local users to delete unintended files by executing a program that relies on the pam_xauth PAM check.2011-01-244.9CVE-2010-4706
MLIST
CONFIRM
kernel -- linux-pamThe check_acl function in pam_xauth.c in the pam_xauth module in Linux-PAM (aka pam) 1.1.2 and earlier does not verify that a certain ACL file is a regular file, which might allow local users to cause a denial of service (resource consumption) via a special file.2011-01-244.9CVE-2010-4707
MLIST
CONFIRM
linux -- kernelfs/exec.c in the Linux kernel before 2.6.37 does not enable the OOM Killer to assess use of stack memory by arrays representing the (1) arguments and (2) environment, which allows local users to cause a denial of service (memory consumption) via a crafted exec system call, aka an "OOM dodging issue," a related issue to CVE-2010-3858.2011-01-224.9CVE-2010-4243
CONFIRM
MLIST
MLIST
MLIST
CONFIRM
XF
CONFIRM
EXPLOIT-DB
MLIST
MLIST
MLIST
MLIST
MISC
lunascape -- lunascapeUntrusted search path vulnerability in Lunascape before 6.4.0 allows local users to gain privileges via a Trojan horse DLL in the current working directory.2011-01-246.9CVE-2010-3927
SECUNIA
CONFIRM
JVNDB
JVN
MISC
CONFIRM
menalto -- galleryUnrestricted file upload vulnerability in modules/gallery/models/item.php in Menalto Gallery before 3.0 and beta allows remote authenticated users with upload permissions to execute arbitrary code by uploading a file with an executable extension, then accessing it via a direct request to the file in an unspecified directory.2011-01-246.0CVE-2010-4353
BID
CONFIRM
SECUNIA
miloslav_trmac -- libuserlibuser before 0.57 uses a cleartext password value of (1) !! or (2) x for new LDAP user accounts, which makes it easier for remote attackers to obtain access by specifying one of these values.2011-01-226.4CVE-2011-0002
CONFIRM
CONFIRM
XF
VUPEN
BID
REDHAT
OSVDB
SECTRACK
SECUNIA
SECUNIA
FEDORA
mozilla -- bugzillaBugzilla before 3.2.10, 3.4.x before 3.4.10, 3.6.x before 3.6.4, and 4.0.x before 4.0rc2 does not properly handle whitespace preceding a (1) javascript: or (2) data: URI, which allows remote attackers to conduct cross-site scripting (XSS) attacks via the URL (aka bug_file_loc) field.2011-01-284.3CVE-2010-4567
CONFIRM
VUPEN
BID
CONFIRM
SECUNIA
mozilla -- bugzillaCross-site scripting (XSS) vulnerability in Bugzilla 3.7.1, 3.7.2, 3.7.3, and 4.0rc1 allows remote attackers to inject arbitrary web script or HTML via the real name field of a user account, related to the AutoComplete widget in YUI.2011-01-284.3CVE-2010-4569
CONFIRM
MISC
MISC
VUPEN
BID
CONFIRM
mozilla -- bugzillaCross-site scripting (XSS) vulnerability in the duplicate-detection functionality in Bugzilla 3.7.1, 3.7.2, 3.7.3, and 4.0rc1 allows remote attackers to inject arbitrary web script or HTML via the summary field, related to the DataTable widget in YUI.2011-01-284.3CVE-2010-4570
CONFIRM
MISC
MISC
VUPEN
BID
CONFIRM
mozilla -- bugzillaCRLF injection vulnerability in chart.cgi in Bugzilla before 3.2.10, 3.4.x before 3.4.10, 3.6.x before 3.6.4, and 4.0.x before 4.0rc2 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response splitting attacks via the query string, a different vulnerability than CVE-2010-2761 and CVE-2010-4411.2011-01-284.3CVE-2010-4572
CONFIRM
VUPEN
BID
CONFIRM
SECUNIA
network-13 -- n-13_newsCross-site request forgery (CSRF) vulnerability in news/admin.php in N-13 News 3.4, 3.7, and 4.0 allows remote attackers to hijack the authentication of administrators for requests that create new users via the options action. NOTE: some of these details are obtained from third party information.2011-01-256.8CVE-2011-0642
XF
EXPLOIT-DB
SECUNIA
OSVDB
phplinkdirectory -- php_link_directoryCross-site request forgery (CSRF) vulnerability in admin/conf_users_edit.php in PHP Link Directory (phpLD) 4.1.0 allows remote attackers to hijack the authentication of administrators for requests that add an administrator via the N action.2011-01-256.8CVE-2011-0643
EXPLOIT-DB
SECUNIA
simploo -- simploo_cmsStatic code injection vulnerability in Simploo CMS 1.7.1 and earlier allows remote authenticated users to inject arbitrary PHP code into config/custom/base.ini.php via the ftpserver parameter (FTP-Server field) to the sicore/updates/optionssav operation for index.php.2011-01-226.0CVE-2011-0635
BID
BUGTRAQ
EXPLOIT-DB
SECUNIA
OSVDB

Back to top


Low Vulnerabilities

Primary
Vendor -- Product
DescriptionPublished CVSS ScoreSource & Patch Info
bestpractical -- rtBest Practical Solutions RT 3.x before 3.8.9rc2 and 4.x before 4.0.0rc4 uses the MD5 algorithm for password hashes, which makes it easier for context-dependent attackers to determine cleartext passwords via a brute-force attack on the database.2011-01-253.3CVE-2011-0009
CONFIRM
MLIST
CONFIRM
VUPEN
BID
DEBIAN
fedorahosted -- sssdThe pam_parse_in_data_v2 function in src/responder/pam/pamsrv_cmd.c in the PAM responder in SSSD 1.5.0, 1.4.x, and 1.3 allows local users to cause a denial of service (infinite loop, crash, and login prevention) via a crafted packet.2011-01-242.1CVE-2010-4341
CONFIRM
FEDORA
FEDORA
VUPEN
BID
SECUNIA
SECUNIA
kernel -- linux-pamThe run_coprocess function in pam_xauth.c in the pam_xauth module in Linux-PAM (aka pam) before 1.1.2 does not check the return values of the setuid, setgid, and setgroups system calls, which might allow local users to read arbitrary files by executing a program that relies on the pam_xauth PAM check.2011-01-243.3CVE-2010-3316
CONFIRM
MLIST
MLIST
MLIST
MLIST
MLIST
MLIST
MLIST
CONFIRM
MISC
REDHAT
REDHAT
MLIST
MLIST
linux -- kernelThe pipe_fcntl function in fs/pipe.c in the Linux kernel before 2.6.37 does not properly determine whether a file is a named pipe, which allows local users to cause a denial of service via an F_SETPIPE_SZ fcntl call.2011-01-252.1CVE-2010-4256
MLIST
MLIST
CONFIRM
CONFIRM
nvidia -- cuda_toolkitThe (1) cudaHostAlloc and (2) cuMemHostAlloc functions in the NVIDIA CUDA Toolkit 3.2 developer drivers for Linux 260.19.26, and possibly other versions, do not initialize pinned memory, which allows local users to read potentially sensitive memory, such as file fragments during read or write operations.2011-01-222.1CVE-2011-0636
XF
SECTRACK
BID
BUGTRAQ
SECUNIA
OSVDB
MISC
MISC

Back to top

Please share your thoughts

We recently updated our anonymous product survey; we’d welcome your feedback.