Subject: SANS Security Digest
From: The SANS Institute (sanssans.org)
Date: Fri Feb 18 2000 - 12:38:37 CST


=================================================================
|                         Vol. 4, No. 2                         |
|                       February 18, 2000                       |
|                                                               |
|               The SANS Network Security Digest                |
|               Executive Editor: Michele D. Guel               |
|        Managing Editors: Liz Coolbaugh and Mark Edmead        |
|               Assistant Editor: Jean Chouanard                |
|                                                               |
| Editorial Review Board: Fred Avolio, Steve Bellovin,          |
| Matt Bishop, Bill Cheswick, Dorothy Denning, Rob Kolstad,     |
| Richard Jackson, Peter Neumann, Alan Paller, Marcus Ranum,    |
| Gene Schultz, Gene Spafford, and John Stewart                 |
====A Resource for Computer and Network Security Professionals===

CONTENTS:
  i) UPCOMING CHANGES IN SANS NETWORK SECURITY DIGEST
 ii) SANS2000 REPORT

  1) MALICIOUS CODE EMBEDDED IN CLIENT WEB REQUESTS
  2) HP SECURITY PROBLEMS AND PATCHES
  3) SUN SECURITY PROBLEMS AND PATCHES
  4) SGI SECURITY PROBLEMS AND PATCHES
  5) IBM AIX SECURITY PROBLEMS AND PATCHES
  6) COMPAQ SECURITY PROBLEMS AND PATCHES
  7) NT/WIN95/WIN98 SECURITY PROBLEMS AND PATCHES
  8) BSDI/FreeBSD/NetBSD/OpenBSD PROBLEMS AND PATCHES
  9) LINUX SECURITY PROBLEMS AND PATCHES
 10) CISCO SECURITY PROBLEMS AND PATCHES
 11) GENERAL VIRUS INFORMATION
 12) QUICK TIDBITS

*****************************************

i) UPCOMING CHANGES IN SANS NETWORK SECURITY DIGEST

In a few weeks SANS and Network Computing Magazine will begin an
experimental program to deliver a weekly digest designed to be a summary
of all security alerts for the previous seven days -- a single message
that will provide summaries and pointers to all information relevant to
your environment personalized for you! We'll send you samples in a week
or two along with instructions for customizing the news for your needs.

                        ---------------

ii) SANS2000 REPORT

SANS 2000 in Orlando, March 21-28: We have replicated the two-day Hacker
Exploits: Step-by-Step class because the first set filled up. Please
see the revised schedule at www.sans.org. Also, IDNet at SANS2000 offers
a wonderful chance to test your penetration skills and see how the
commercial defensive tools work. Bring a disk with the exploits you
want to run or bring your laptop. We'll have network connections that
allow you to connect to the victim machines. And there will be large
screens so others can watch and learn as you work.

========================================================================

1) MALICIOUS CODE EMBEDDED IN CLIENT WEB REQUESTS (02/03/2000)

The CERT Coordination Center, in conjunction with several other response
centers, issued an advisory regarding a growing problem with malicious
content embedded in web requests. A number of problems can arise if web
users unknowingly execute code embedded in web pages and web requests.
The CERT Advisory provides a lot of details and several examples.
Although there is no complete solution to the problem, there are steps
web page developers can take to minimize the occurrence of such
problems. For more information see the CERT Advisory at:
        http://www.cert.org/advisories/CA-2000-02.html

There were also various good discussions on Bugtraq. You can search the
archives at:
        http://www.securityfocus.com
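The output-encoding step the advisory asks of web page developers, as an added example that is not from the digest or the CERT advisory: a search page that reflects a request parameter, first in the vulnerable form and then with the value HTML-encoded at output time and the page's character set declared explicitly. The template, function names and the crafted request are constructed for illustration.

```python
import html
from urllib.parse import parse_qs

# Constructed page template. Declaring the charset is part of the mitigation:
# the browser then cannot be led to interpret the bytes as another encoding.
TEMPLATE = (
    '<html><head>'
    '<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">'
    '</head><body>'
    '<form action="/search"><input name="q" value="{q_attr}"></form>'
    '<p>Results for: {q_text}</p>'
    '</body></html>'
)


def query_term(query_string: str) -> str:
    """Extract the untrusted 'q' parameter from a raw URL query string."""
    params = parse_qs(query_string, keep_blank_values=True)
    return params.get("q", [""])[0]


def render_unsafe(query_string: str) -> str:
    """Vulnerable pattern: the client-supplied value is pasted into the page
    unchanged, both inside a quoted attribute and as element content."""
    q = query_term(query_string)
    return TEMPLATE.format(q_attr=q, q_text=q)


def render_safe(query_string: str) -> str:
    """Hardened pattern: the value is HTML-encoded when it is written into
    the page; quotes are encoded too because it also lands in an attribute."""
    q = query_term(query_string)
    encoded = html.escape(q, quote=True)
    return TEMPLATE.format(q_attr=encoded, q_text=encoded)


def page_has_injected_tag(page: str, tag: str) -> bool:
    """Check helper: does a raw tag from the request survive into the page?"""
    return tag in page


# Constructed request: the value closes the attribute and adds markup of its
# own, which is exactly how the advisory's script-injection cases work.
CRAFTED = "q=%22%3E%3Cb%3Einjected%3C%2Fb%3E"

if __name__ == "__main__":
    print(render_unsafe(CRAFTED))
    print(render_safe(CRAFTED))
```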

========================================================================

2) HP SECURITY PROBLEMS AND PATCHES

The HP Electronic Support Center is located at:
        http://us-support.external.hp.com/ (US and Canada)
        http://europe-support.external.hp.com/ (Europe)

                        ---------------

A) 02/17/2000 - HP issued a security advisory regarding the Ignite program
on their Trusted Systems platform (11.x). Under certain conditions the
password field in the /etc/passwd file can be set to a blank rather than
a "*". This can occur if a system image is created using the Ignite-UX
program and the option not to save /etc/passwd is selected. The problem
can be avoided by overriding the default in Ignite-UX so that /etc/passwd
is saved, and by verifying the /etc/passwd file after a restore. For
more information refer to the HP Security Advisory #00111.
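One way to do that verify step after a restore, as an added example that is neither HP's tooling nor part of the digest: a check over /etc/passwd content that reports accounts whose password field is blank (the failure mode above), fields that are not the expected "*", and lines that do not have the seven passwd fields. The sample passwd content and the function names are constructed.

```python
from typing import Dict, List

# Constructed sample in the 7-field /etc/passwd layout. On a Trusted System
# every password field should be "*"; the 'backup' entry shows the blank
# field the advisory warns about, and 'broken' is a truncated line that the
# check must report rather than silently skip.
SAMPLE_PASSWD = (
    "root:*:0:3::/:/sbin/sh\n"
    "daemon:*:1:5::/:/sbin/sh\n"
    "bin:*:2:2::/usr/bin:/sbin/sh\n"
    "backup::105:20::/home/backup:/usr/bin/sh\n"
    "\n"
    "ops:*:106:20::/home/ops:/usr/bin/sh\n"
    "broken:*:107\n"
)


def verify_passwd(text: str) -> Dict[str, List[str]]:
    """Classify every entry of a restored /etc/passwd.

    blank:     password field is empty, so the account needs no password
    not_star:  password field is something other than "*", which on a
               Trusted System means the hash is not where it belongs
    malformed: line does not have the seven colon-separated fields
    """
    report: Dict[str, List[str]] = {"blank": [], "not_star": [], "malformed": []}
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue  # empty lines carry no account and are tolerated
        fields = line.split(":")
        if len(fields) != 7:
            report["malformed"].append(f"line {number}: {line}")
            continue
        user, password = fields[0], fields[1]
        if password == "":
            report["blank"].append(user)
        elif password != "*":
            report["not_star"].append(user)
    return report


def restore_is_clean(text: str) -> bool:
    """True only when no entry is blank, unexpected or malformed."""
    return not any(verify_passwd(text).values())


if __name__ == "__main__":
    for category, users in verify_passwd(SAMPLE_PASSWD).items():
        print(f"{category}: {users}")
    print("clean:", restore_is_clean(SAMPLE_PASSWD))
```

Run it against the real file with `verify_passwd(open("/etc/passwd").read())`; any name under "blank" needs a password set before the host goes back into service.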

                        ---------------

B) 02/14/2000 & 01/24/2000 - HP issued a security advisory concerning
a serious flaw in their implementation of the protocol used to discover
the maximum path MTU for a connection. The flaw can be exploited so that
a malicious hacker can use the host as an amplifier for Denial of Service
attacks. The problem can be corrected by using the ndd program to modify
the kernel settings. The revised bulletin stated the problem was only
present on HP-UX 10.30, 11.00 and 11.04. The problem has been corrected
in VirtualVault 11.04. For more information see HP's Security Advisory
#00110 or refer to the CIAC Bulletin at:
        http://ciac.llnl.gov/ciac/bulletins/k-018.shtml

========================================================================

3) SUN SECURITY PROBLEMS AND PATCHES
 
Sun Security Bulletins are available at:
       http://sunsolve.sun.com/pub-cgi/secBulletin.pl

Sun Security Patches are available at:
       http://sunsolve.sun.com/pub-cgi/show.pl?target=patches/patch-access

                        ---------------
Sun has not issued any Security Bulletins since January 5th, 2000.

========================================================================

4) SGI SECURITY PROBLEMS AND PATCHES
         
SGI maintains a security home page at:
        http://www.sgi.com/support/security/index.html

SGI patches are available at:
        ftp://ftp.sgi.com/security/

                        ---------------

SGI has not issued any security advisories for IRIX since May 21st, 1999.

========================================================================

5) IBM AIX SECURITY PROBLEMS AND PATCHES

  
IBM maintains a security home page:
   http://www-1.ibm.com/services/continuity/recover1.nsf/advisories

IBM maintains an on-line support center:
   http://service.boulder.ibm.com/cgi-bin/support/rs6000.support/databases/

                         ---------------
IBM has not issued any Security Advisories since December 30, 1999.

======================================================================

6) COMPAQ SECURITY PROBLEMS AND PATCHES

Compaq Tru64 UNIX, OpenVMS, Ultrix, and Windows patches are located at:
        http://ftp.service.digital.com/public/

                         ---------------

A) 02/04/2000 - Compaq updated a previous announcement for a Tru64 UNIX
vulnerability in BIND (named). Compaq Tru64 UNIX V4.0D - V4.0F and
V5.0 are affected and a patch is available. The Compaq reference number
is SSRT0636U. Note that if the previous version of the patch, dated
1/10/2000, was applied, this version should be applied as well, since
the previous version did not fully address the vulnerability. For more
information see the pages:
   http://ftp.service.digital.com/patches/public/osf/v4.0d/v40_ssrt0636u.html
   http://ftp.service.digital.com/patches/public/osf/v5.0/v50_ssrt0636u.html

======================================================================

7) NT/WIN95/WIN98 SECURITY PROBLEMS AND PATCHES

The Microsoft Security page is located at:
        http://www.microsoft.com/security/

Additional NT Security Related web pages may be found at:
        http://www.ntbugtraq.com/
        http://www.ntbugtraq.com/ntfixes.asp
        http://www.ntsecurity.net/

                        ---------------

A) 02/17/2000 - Microsoft published a security bulletin and a patch
regarding the "Image Source Redirect" vulnerability in IE 4.0, 4.01,
5.0 and 5.01. The vulnerability may allow a web site owner to view
certain files/pages on the computer of a user visiting the site. A person
would need to know (or guess) the names and locations of the files.
Microsoft has published patches for IE 4.01 SP2 and higher. For more
information see the Microsoft Security Bulletin at:
        http://www.microsoft.com/technet/security/bulletin/ms00-009.asp

                        ---------------

B) 02/04/2000 - Microsoft published a revised version of bulletin MS00-006
concerning two separate security problems in the MS Index Server. These
vulnerabilities can lead to inadvertent information exposure. Vulnerable
versions of the software include MS Index Server 2.0 and the Indexing
Services in Windows 2000. Microsoft has published a patch to correct
both problems. For more information see the Microsoft Security Bulletin
at:
        http://www.microsoft.com/technet/security/bulletin/ms00-006.asp

                        ---------------

C) 02/04/2000 - Microsoft released a revised version of their bulletin
MS00-004 concerning a problem with the RDISK utility. In the original
bulletin, MS thought the problem was isolated to NT 4.0 Server, Terminal
Server, but they discovered that NT 4.0 servers and workstations are
affected as well. While it is executing, the RDISK utility creates a
temporary file whose permissions are not properly restricted. If a user
knew an administrator were running the program, they could look at the
contents of the temporary file. Patches are available for all affected
versions. For more information see the Microsoft Security Bulletin at:
         http://www.microsoft.com/technet/security/bulletin/ms00-004.asp

                        ---------------

D) 02/01/2000 - Microsoft released a patch to correct the "Recycle Bin
Creation" vulnerability in NT 4.0. Although a complex set of conditions
must be met to exploit the problem, a malicious user could create, delete
or modify files in the Recycle Bin of another user who shared the same
machine. NT Workstation 4.0, NT Server 4.0 and NT Server 4.0 Enterprise
are all affected. For more information, refer to the Microsoft Security
Bulletin at:
        http://www.microsoft.com/technet/security/bulletin/ms00-007.asp
        
                        ---------------

E) 01/20/2000 - Microsoft released a patch for the "Malformed Conversion
Data" buffer overflow vulnerability. The affected program is a conversion
utility for older Word 5 documents (East Asian languages) to newer Word
formats. A patch is available for all affected platforms. Refer to
the Microsoft Security Bulletin for a list of affected software versions:
        http://www.microsoft.com/technet/security/bulletin/ms00-002.asp
        
                        ---------------

F) 01/17/2000 - Microsoft released a patch that corrects a buffer overflow
vulnerability in the RTF reader that ships with WIN95, WIN98 and WIN/NT
4.0. The vulnerability may cause email programs to crash. For more
information, refer to the Microsoft Security Bulletin at:
        http://www.microsoft.com/technet/security/bulletin/ms00-005.asp

                        ---------------

G) 01/12/2000 - Microsoft released a patch to correct a security flaw in
the LPC Ports facility that could allow a malicious user to become
administrator on an NT 4.0 machine. Keyboard access to the machine is
required to exploit the vulnerability. For more information, refer to
the Microsoft Security Bulletin at:
        http://www.microsoft.com/technet/security/bulletin/ms00-003.asp

========================================================================

8) FreeBSD/OpenBSD/BSD4.4 PROBLEMS AND PATCHES

BSDI maintains a support web page at:
        http://www.BSDI.COM/services/support/

FreeBSD maintains a security web page at:
        http://www.freebsd.org/security/security.html

NetBSD's Security web page is at:
        http://www.NetBSD.ORG/Security/

OpenBSD's Security web page is at
        http://www.openbsd.org/security.html

                        ---------------

BSDI: BSDI did not release any security patches/bulletins this period.

                        ---------------
FreeBSD:
A) 01/19/2000 - FreeBSD released a patch to correct a security flaw in
the make(1) program that involved the creation of a temporary file and
may lead to a race condition. According to the bulletin, all versions
of NetBSD and OpenBSD are also thought to be vulnerable. A workaround
for the problem is to not use the "-j" flag when running make(1). A
patch is available at:
        ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:01/make.patch

For more information, see the FreeBSD Advisory FreeBSD-SA-00:01.

                        ---------------

B) 01/28/2000 - FreeBSD released a patch to correct a security flaw in
procfs. See the OpenBSD item below. The patch is available
at:
        ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:02/procfs.patch

For more information, see the FreeBSD Advisory FreeBSD-SA-00:02.

                        ---------------

NetBSD: NetBSD did not release any security patches/bulletins this period.

                        ---------------
OpenBSD:
A) 01/20/2000 - OpenBSD announced a security fix to the procfs program
to correct a problem with the stderr output. For more information see
the page at:
        http://www.openbsd.org/errata.html#procfs

========================================================================

9) LINUX SECURITY PROBLEMS AND PATCHES

Caldera OpenLinux security information can be found at:
        http://www.calderasystems.com/support/security

Debian GNU/Linux maintain a security web page at:
        http://www.debian.org/security/

Linux-Mandrake update information can be found at:
        http://www.linux-mandrake.com/en/fupdates.php3
 
LinuxPPC security updates can be found at:
        http://www.linuxppc.com/support/updates/security/

Red Hat Linux maintains a support page at:
        http://www.redhat.com/support/

Red Hat ftp site:
        ftp://updates.redhat.com/
     
S.u.S.E. information can be found at:
        http://www.suse.de/security/index.html

Yellow Dog Linux errata can be found at:
        http://www.yellowdoglinux.com/resources/errata.shtml

                        ---------------
Caldera:
A) 02/03/2000 - A buffer overflow exists in the mount/umount programs in
Desktop 2.3 and eServer 2.3 and in all packages prior to util-linux-2.9s-5s.
Upgrading to the corrected versions of the packages is recommended.
For more information see:
        ftp://ftp.calderasystems.com/pub/OpenLinux/security/\
                CSSA-2000-002.0.txt

                        ---------------

B) 01/31/2000 - Caldera announced a patch to correct a problem with the
handling of MySQL passwords. eServer 2.3 or packages prior to
mysql-3.22.30-15 are affected. For more information see:
        ftp://ftp.calderasystems.com/pub/OpenLinux/security/\
                CSSA-2000-001.0.txt

                        ---------------

C) 01/25/2000 - Caldera announced patches to correct several problems
in the Majordomo package that could allow users to execute arbitrary
commands as the user process running Majordomo. All versions up to COL 2.4 or
packages previous to Majordomo-1.94.5-1 are vulnerable. These problems
were also discussed in the January SANS Digest in item 12-A. For more
information see:
        ftp://ftp.calderasystems.com/pub/OpenLinux/security/\
                CSSA-1999-039.0.txt

                        ---------------
Debian:
A) 02/01/2000 - Debian announced a patch to correct a security flaw in
the apcd package that involves a symlink attack. The affected program is
shipped with Debian GNU/Linux 2.1. The corrected version is available as
0.6a_nr-4slink1. For more information see:
        http://www.debian.org/security/2000/20000201

                        ---------------

Linux-Mandrake: 02/04/2000 - A new ISO image of Mandrake 7.0 is available.

                        ---------------

LinuxPPC: No security updates have been issued since November 12th,
1999.

                        ---------------

RedHat: There have been no RedHat security advisories since January 7th,
2000.

                        ---------------

S.u.S.E.:
A) 01/11/2000 - SuSE released a patch to correct two security
vulnerabilities in the lprold printer daemon that could lead to a root
compromise. Other Linux vendors posted patches as well (refer to the
January SANS Digest). For more information see:
  http://www.suse.de/de/support/security/suse_security_announce_37.txt

                        ---------------

Yellow Dog Linux: Yellow Dog has not released any security alerts since
January 4th, 2000.

========================================================================

10) CISCO PROBLEMS AND PATCHES

Cisco Systems maintains an Internet Security Advisories page at:
        http://www.cisco.com/warp/public/707/advisory.html

                        ---------------

Cisco has not released any new advisories since December 16th, 1999.

========================================================================

11) VIRUS UPDATE INFORMATION

We will only include items on viruses that have been widely discussed.
This is not meant to be an all-inclusive update on recent virus problems
and solutions.

Virus information is available from a variety of sites, including:
      http://www.antivirus.com/
      http://www.avpve.com/
      http://www.drsolomon.com/
      http://www.datafellows.com/
      http://www.nai.com/
      http://www.sophos.com/
      http://www.symantec.com/avcenter/

Good sources for virus myths and hoaxes are:
      http://www.kumite.com/myths/
      http://ciac.llnl.gov/ciac/CIACHoaxes.html
                        ---------------

There were no major (high vulnerability) virus alerts posted during the
last month.

========================================================================

12) QUICK TIDBITS

A) 02/09/2000 - SCO has posted a series of security patches during
the last month:
        SSE061 - UnixWare cu security patch
        ftp://ftp.sco.com/SSE/security_bulletins/SB-00.05a

        SNMPD Config problem:
        ftp://ftp.sco.com/SSE/security_bulletins/SB-00.04a

        SSE056-059 - rtpm security patches
        ftp://ftp.sco.com/SSE/security_bulletins/SB-00.03a

        SSE060 - scohelp security patch
        ftp://ftp.sco.com/SSE/security_bulletins/SB-00.02a

        SSE055 - OpenServer package tool security update
        ftp://ftp.sco.com/SSE/security_bulletins/SB-00.01a
                        ---------------

B) 02/01/2000 - The Advanced Research Corporation released a new version
of their SARA (Security Auditor's Research Assistant) tool. You can
find it at:
        http://www-arc.com/sara

                        ---------------

C) 01/27/2000 - Cerberus Information Security, Ltd announced the release
of a new version of the CIS Vulnerability Scanner. You can find this
at:
        http://www.cerberus-infosec.co.uk/

                        ---------------

D) 01/20/2000 - AUSCERT issued an advisory regarding a security
vulnerability in the opencall() routine in Majordomo. All versions up to
and including 1.94.4 are vulnerable. The flaw may allow a local user to
gain the privileges of the user process running Majordomo. For more
information refer to the AUSCERT Advisory at:
        ftp://ftp.auscert.org.au/pub/auscert/advisory/AA-2000.01

                        ---------------

E) 01/05/2000 - A problem in ColdFusion 4.x (all platforms) can lead to
information exposure about your web site. The problem is specifically
related to the CFCACHE tag, which stores information in a publicly
accessible document directory. A patch has been published by Allaire.
For information see the following web pages:
        http://www.securiteam.com/windowsntfocus/ColdFusion_Information\
            _Exposure__CFCACHE_Tag_.html

        http://ciac.llnl.gov/ciac/bulletins/k-015.shtml

                    **********************

Copyright, 2000, The SANS Institute. No copying, forwarding or posting
allowed without written permission (ask <sanssans.org> for permission).

Email <digestsans.org> for information on subscribing. You'll receive
a free subscription package and sample issue in return.

To unsubscribe, email <sanssans.org> with the subject `unsubscribe
security digest'.

The digest is available at no cost to practicing security, networking
and system administration professionals in medium and large organizations.

Archives of past issues are posted at http://www.sans.org/digest.htm
