From: Network Computing and The SANS Institute (sans+ZZ00447614585975436@sans.org)
Date: Thu Jul 19 2001 - 15:51:06 CDT
To: Security Express (SD397643)
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 106 (01.29)
Thursday, July 19, 2001
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to SANS' distribution of the Security Alert Consensus.
----------------------------------------------------------------------
*** Sponsored by Internet Security Systems (ISS) ***
Security tools are not enough! To truly protect your organization
against loss or theft of proprietary data, money and reputation, you
need a sound strategy for information security management. Download this
*FREE* white paper for guidelines on designing a comprehensive security
plan today!
Click here:
http://www.iss.net/mktg/sac62801/
----------------------------------------------------------------------
Hopefully, everyone is aware that you should not execute programs or
applications sent to you by an unknown party. However, how many of
you are aware that you shouldn't open unknown .zip or .tar files,
either? A few recent posts have come across Bugtraq indicating
various potential problems in the handling of popular archive formats
(.zip, .tar, .rar, .cab and so on). Problems also have been reported
when these formats are used in conjunction with Windows device
names. Floating around the Internet at the extreme end of things
is a particular trojan .zip file (nicknamed 42.zip). E-mail virus
scanners that automatically check within .zip files will find that
this amazingly small file will decompress to gigabytes in size,
using up all available resources -- and typically taking down the
virus scanning gateway. Some more information can be found at:
http://archives.neohapsis.com/archives/bugtraq/2001-07/0206.html
http://archives.neohapsis.com/archives/bugtraq/2001-07/0232.html
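As an added illustration (not part of the newsletter or the Bugtraq posts it cites), the Python below is a defender-side triage of an untrusted .zip for the decompression-bomb traits described above: it compares the sizes declared in the central directory against a ratio limit, flags nested archives such as the 42.zip layering, and then streams each member through the decompressor under a hard byte cap so a scanning gateway never inflates more than it can afford. The cap values, member names and sample contents are assumptions constructed for the demonstration.

```python
import io
import zipfile

# Scanner policy limits. These are assumed example values, not from the newsletter.
MAX_TOTAL_UNCOMPRESSED = 8 * 1024 * 1024  # hard cap on bytes we will ever inflate
MAX_DECLARED_RATIO = 100                  # uncompressed/compressed ratio per member
NESTED_SUFFIXES = (".zip", ".tar", ".rar", ".cab")


def inspect_zip(data: bytes) -> dict:
    """Triage an untrusted zip for decompression-bomb traits without inflating it fully.

    Check 1 uses the sizes declared in the central directory: cheap, but the
    sender writes those fields, so they only serve as an early filter.
    Check 2 streams each member through the decompressor and aborts the moment
    the byte cap is reached, so lying headers cannot bypass it and the scanner
    never allocates more than the cap.
    """
    result = {"bomb": False, "reasons": [], "declared_total": 0,
              "actual_total": 0, "nested": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = zf.infolist()
        for info in members:
            result["declared_total"] += info.file_size
            if info.compress_size and info.file_size / info.compress_size > MAX_DECLARED_RATIO:
                result["bomb"] = True
                result["reasons"].append(f"{info.filename}: declared ratio > {MAX_DECLARED_RATIO}")
            if info.filename.lower().endswith(NESTED_SUFFIXES):
                # Nested archives (the 42.zip layering) must be scanned recursively
                # under the same cap and a depth limit; here they are only flagged.
                result["nested"].append(info.filename)
        if result["declared_total"] > MAX_TOTAL_UNCOMPRESSED:
            result["bomb"] = True
            result["reasons"].append("declared total exceeds cap")
        for info in members:
            with zf.open(info) as fh:
                # Inflate in 64 KiB chunks; stop as soon as the cap is exceeded.
                while chunk := fh.read(64 * 1024):
                    result["actual_total"] += len(chunk)
                    if result["actual_total"] > MAX_TOTAL_UNCOMPRESSED:
                        result["bomb"] = True
                        result["reasons"].append(f"{info.filename}: inflate cap hit, aborting")
                        return result
    return result


def build_zip(members: dict) -> bytes:
    """Constructed test input: build an in-memory DEFLATE zip from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # 16 MiB of zeros deflates to a few KiB: a small-scale stand-in for 42.zip.
    bomb = build_zip({"report.txt": b"\0" * (16 * 1024 * 1024), "more.zip": b"PK"})
    print(len(bomb), "bytes on the wire ->", inspect_zip(bomb))
    benign = build_zip({"notes.txt": bytes(range(256)) * 16})
    print(inspect_zip(benign))
```

The streaming pass is the one that matters at a gateway: a member whose header claims 1 KiB but inflates to gigabytes is still stopped at the cap.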
Until next week,
--Security Alert Consensus Team
************************************************************************
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
TABLE OF CONTENTS:
{01.29.007} Win - ArGoSoft FTP server weak password storage
{01.29.008} Win - DB2 service connection DoS
{01.29.010} Win - McAfee ASaP VirusScan agent HTTP file access
{01.29.011} Win - MS01-038: Outlook view control unsafe function
{01.29.028} Win - Teamware Office multiple LDAP vulnerabilities
{01.29.029} Win - Microsoft Exchange LDAP service DoS
{01.29.002} Linux - Engarde AllCommerce debug temp files attack
{01.29.003} Linux - Update {01.26.029}: cfingerd ALLOW_LINE_PARSING
overflow
{01.29.005} Linux - Linux 2.4.x kernel doesn't set UMASK
{01.29.012} Linux - elm message ID overflow
{01.29.013} Linux - vipw leaves /etc/shadow file world-readable
{01.29.016} Linux - Update {01.23.018}: Imp temp file mishandling
{01.29.017} Linux - Samsung ML-85G print driver symlink attack
{01.29.024} Linux - xman MANPATH env variable overflow
{01.29.004} BSD - FreeBSD rfork() shared signal handler
{01.29.018} HPUX - dlkm symbol table misconfiguration
{01.29.019} HPUX - Security vulnerability in login
{01.29.021} NApps - Cisco IOS PPTP DoS
{01.29.023} NApps - Cisco SN5420 DoS and privilege elevation
{01.29.001} Cross - ColdFusion template read/delete/overwrite
vulnerabilities
{01.29.006} Cross - AdCycle CGI SQL command insertion vulnerability
{01.29.009} Cross - Interactive Story CGI next parameter file reading
{01.29.014} Cross - uncgi CGI wrapper arbitrary script execution
{01.29.015} Cross - OpenSSL PRNG predictability
{01.29.020} Cross - VPN-1/FireWall-1 admin format string attack
{01.29.022} Cross - docview CGI allows command execution
{01.29.025} Cross - iPlanet Directory Server multiple LDAP
vulnerabilities
{01.29.026} Cross - IBM Secureway Server LDAP DoS
{01.29.027} Cross - Lotus Domino multiple LDAP vulnerabilities
{01.29.030} Cross - Oracle 8i multiple LDAP vulnerabilities
- --- Windows News -------------------------------------------------------
*** {01.29.007} Win - ArGoSoft FTP server weak password storage
ArGoSoft FTP server version 1.2.2.2 has been found to use a weak
reversible obfuscation to store local user FTP passwords. This
may allow a local attacker to recover the stored authentication
information.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-07/0237.html
*** {01.29.008} Win - DB2 service connection DoS
A report indicates that various DB2 processes listening for network
connections can be made to crash simply by opening a connection to
the service. This could lead to a denial of service situation.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-07/0188.html
*** {01.29.010} Win - McAfee ASaP VirusScan agent HTTP file access
The McAfee VirusScan ASaP agent allows a remote attacker to access
files outside the allowed file root simply by using reverse directory
traversal ('..') notation in a URL request to the agent's embedded
HTTP server.
This vulnerability has been confirmed. A patch has been made available.
Source: SecurityFocus Bugtraq, NTBugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-07/0197.html
http://archives.neohapsis.com/archives/ntbugtraq/2001-q3/0011.html
*** {01.29.011} Win - MS01-038: Outlook view control unsafe function
Microsoft has released MS01-038 ("Outlook view control exposes unsafe
functionality"). The Outlook view ActiveX control contains an unsafe
function that could potentially allow a malicious Web site or e-mail
to tamper with a user's Outlook e-mail.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS01-038.asp
Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2001-q3/0004.html
*** {01.29.028} Win - Teamware Office multiple LDAP vulnerabilities
A recently released CERT advisory indicates that the LDAP service
included with the Teamware Office suite contains multiple buffer
overflow and denial of service vulnerabilities. These could potentially
be used to execute arbitrary code on the target system.
These vulnerabilities have not been confirmed.
Source: CERT
http://archives.neohapsis.com/archives/cc/2001-q3/0002.html
*** {01.29.029} Win - Microsoft Exchange LDAP service DoS
A recent CERT advisory indicates that the LDAP service included with
Microsoft Exchange version 5.5 contains a denial of service in the
handling of malformed LDAP requests.
This vulnerability has not been confirmed.
Source: CERT
http://archives.neohapsis.com/archives/cc/2001-q3/0002.html
- --- Linux News ---------------------------------------------------------
*** {01.29.002} Linux - Engarde AllCommerce debug temp files attack
The AllCommerce package shipped with Engarde Linux has been found
to insecurely create temporary files. This could potentially allow
a local attacker to gain the privileges of the 'webd' user.
Engarde has confirmed this vulnerability and released a patch,
available at:
http://ftp.engardelinux.org/pub/engarde/stable/updates/
Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-07/0196.html
*** {01.29.003} Linux - Update {01.26.029}: cfingerd ALLOW_LINE_PARSING
overflow
Debian has released an updated cfingerd package for the vulnerability
discussed in {01.26.029} ("cfingerd ALLOW_LINE_PARSING overflow").
Updated packages are listed at:
http://archives.neohapsis.com/archives/vendor/2001-q3/0003.html
Source: Debian
http://archives.neohapsis.com/archives/vendor/2001-q3/0003.html
*** {01.29.005} Linux - Linux 2.4.x kernel doesn't set UMASK
A vulnerability was found in the 2.4.x Linux kernels that causes
the kernel to not properly set the UMASK. This could result in the
creation of certain files with world-writable permissions.
This vulnerability has been confirmed and will be fixed in the
2.4.7 kernel.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-07/0257.html
*** {01.29.012} Linux - elm message ID overflow
An overflow was found in elm's handling of long message ID e-mail
headers. This could possibly lead to a malicious e-mail (remote
attacker) executing arbitrary code under the privileges of the user
reading e-mail via elm.
RedHat has confirmed this vulnerability.
RedHat has released updated RPMs, listed at:
http://archives.neohapsis.com/archives/bugtraq/2001-07/0279.html
Source: Redhat (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-07/0279.html
*** {01.29.013} Linux - vipw leaves /etc/shadow file world-readable
RedHat has found that the vipw application will leave the shadow
password file world-readable in some cases. This could potentially
allow a local attacker to gain access to users' password hashes. Other
Linux distributions based on RedHat may also be vulnerable. The
vulnerability appears to be limited to RedHat 7.1.
Updated RedHat RPMs are listed at:
http://archives.neohapsis.com/archives/bugtraq/2001-07/0268.html
Source: Redhat (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-07/0268.html
*** {01.29.016} Linux - Update {01.23.018}: Imp temp file mishandling
Caldera has released updated imp/horde packages to fix the
vulnerability discussed in {01.23.018} ("Imp temp file mishandling").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/caldera/2001-q3/0003.html
Source: Caldera
http://archives.neohapsis.com/archives/linux/caldera/2001-q3/0003.html
*** {01.29.017} Linux - Samsung ML-85G print driver symlink attack
The Samsung ML-85G GDI printer driver for Linux has been found to
insecurely handle temporary files. This could allow a local attacker
to perform a symlink attack and gain root privileges.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-07/0284.html
*** {01.29.024} Linux - xman MANPATH env variable overflow
The xman application version 3.1.6 has been found to improperly handle
the MANPATH environment variable. This could result in a local attacker
gaining elevated privileges (xman is typically installed setuid).
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-07/0234.html
- --- BSD News -----------------------------------------------------------
*** {01.29.004} BSD - FreeBSD rfork() shared signal handler
A potential problem in the FreeBSD version 4.3 rfork() implementation
allows a parent process to set arbitrary signal handlers for its child
processes. This could allow local attackers to elevate their privileges.
The advisory indicates vendor confirmation and commitment of patches
to the CURRENT and STABLE CVS trees.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-07/0179.html
- --- HP-UX News ---------------------------------------------------------
*** {01.29.018} HPUX - dlkm symbol table misconfiguration
HP has released a security advisory reporting a vulnerability in the
dynamically loadable kernel module symbol table. This could allow
local attackers to elevate their privileges. This affects HP9000
Series 700/800 running HP-UX release 11.11 only.
HP has released the following patch:
HPUX 11.11: PHCO_23492
Source: HP
http://archives.neohapsis.com/archives/hp/2001-q3/0013.html
*** {01.29.019} HPUX - Security vulnerability in login
HP has released an advisory indicating that it's possible for local
attackers to use a vulnerability in the login application/function
to circumvent shell and command restrictions.
HP has confirmed this vulnerability and released the following patches:
HPUX 11.00: PHCO_24083
HPUX 11.11: PHCO_23900
HPUX 10.20: PHCO_24267
Source: HP
http://archives.neohapsis.com/archives/hp/2001-q3/0014.html
- --- Network Appliances News --------------------------------------------
*** {01.29.021} NApps - Cisco IOS PPTP DoS
The PPTP implementation in various Cisco IOS software releases contains
a denial of service that could allow a remote attacker to crash the
IOS device.
Vulnerable software releases:
12.1 train, releases: T, E, EZ, YA, YD and YC
12.2 train, all releases
Cisco has confirmed this vulnerability. Refer to the advisory URL
below for update information.
Source: Cisco
http://archives.neohapsis.com/archives/bugtraq/2001-07/0210.html
*** {01.29.023} NApps - Cisco SN5420 DoS and privilege elevation
Cisco has released an advisory concerning the SN5420 Storage
Router. The SN5420 has been found vulnerable to a rapid-connection
denial of service, as well as to a bug that allows users who are
normally permitted to log into the unit to reach an unpassworded
'developer' shell. Software releases up to and including 1.1(3)
are affected.
These issues were fixed with software release 1.1(4).
Source: Cisco
http://archives.neohapsis.com/archives/cisco/2001-q3/0002.html
- --- Cross-Platform News ------------------------------------------------
*** {01.29.001} Cross - ColdFusion template read/delete/overwrite
vulnerabilities
ColdFusion Server versions 2.0 through 4.5.1 SP2 (all editions) have
been found to contain two vulnerabilities. These could potentially
allow a remote attacker to read, delete and truncate CFM templates.
Macromedia/Allaire has confirmed the
problem and released a patch, available at:
http://www.allaire.com/handlers/index.cfm?ID=21566&Method=Full
Source: Macromedia/Allaire
http://archives.neohapsis.com/archives/vendor/2001-q3/0002.html
*** {01.29.006} Cross - AdCycle CGI SQL command insertion vulnerability
The AdCycle CGI application versions 1.15 and prior do not properly
validate the user input before passing it to a SQL query. This allows
a remote attacker to bypass authentication and potentially tamper
with the database.
The vendor has confirmed the vulnerability and released version 1.16.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-07/0249.html
*** {01.29.009} Cross - Interactive Story CGI next parameter file
reading
Valerie Mate's Interactive Story CGI version 1.3 does not properly
validate the "next" URL parameter. This allows a remote attacker to
display the contents of arbitrary files readable by the Web server.
The vendor has confirmed this vulnerability and released version 1.4.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-07/0214.html
*** {01.29.014} Cross - uncgi CGI wrapper arbitrary script execution
The uncgi CGI wrapper has been found to allow a remote attacker to
execute arbitrary scripts found on the target Web server because the
uncgi application does not properly handle reverse directory traversal
('..') notation in a request.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-07/0287.html
*** {01.29.015} Cross - OpenSSL PRNG predictability
OpenSSL versions 0.9.6a and prior contain a vulnerability in the
pseudo-random number generator. This could potentially allow an
attacker to determine the PRNG's internal state and thus predict
future results.
This vulnerability has been confirmed. Patches are available.
Engarde RPMS:
http://archives.neohapsis.com/archives/bugtraq/2001-07/0181.html
Trustix RPMs:
http://archives.neohapsis.com/archives/bugtraq/2001-07/0191.html
Source: Engarde, Trustix (SF Bugtraq)
http://archives.neohapsis.com/archives/linux/engarde/2001-q3/0001.html
http://archives.neohapsis.com/archives/bugtraq/2001-07/0191.html
*** {01.29.020} Cross - VPN-1/FireWall-1 admin format string attack
A bug in the VPN-1/FireWall-1 version 4.1 software allows a valid
firewall administrator to potentially execute arbitrary code on the
firewall management station. This could also render the management
station unusable. It should be assumed that all installations of
VPN-1/FireWall-1 that allow remote GUI connections are vulnerable.
Checkpoint has confirmed this vulnerability.
Updates can be found at:
http://www.checkpoint.com/techsupport/alerts/format_strings.html
Source: Checkpoint (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-07/0209.html
*** {01.29.022} Cross - docview CGI allows command execution
Caldera has released an advisory indicating that the docview CGI
application allows a remote attacker to execute arbitrary command-line
commands under the privileges of the Web server uid.
Caldera has confirmed this vulnerability and released updated RPMs:
http://archives.neohapsis.com/archives/linux/caldera/2001-q3/0004.html
Source: Caldera
http://archives.neohapsis.com/archives/linux/caldera/2001-q3/0004.html
*** {01.29.025} Cross - iPlanet Directory Server multiple LDAP
vulnerabilities
A recently released CERT advisory indicates that the LDAP service
included with the iPlanet Directory Server contains multiple buffer
overflow and format string vulnerabilities. These could potentially
be used to execute arbitrary code on the target system.
These vulnerabilities have not been confirmed.
Source: CERT
http://archives.neohapsis.com/archives/cc/2001-q3/0002.html
*** {01.29.026} Cross - IBM Secureway Server LDAP DoS
A recent CERT advisory indicates that the LDAP service included with
IBM's Secureway Server contains a denial of service in the handling
of malformed LDAP requests.
This vulnerability has not been confirmed.
Source: CERT
http://archives.neohapsis.com/archives/cc/2001-q3/0002.html
*** {01.29.027} Cross - Lotus Domino multiple LDAP vulnerabilities
A recently released CERT advisory indicates that the LDAP service
included with the Lotus Domino R5 contains multiple buffer overflow
and format string vulnerabilities. These could potentially be used
to execute arbitrary code on the target system.
These vulnerabilities have not been confirmed.
Source: CERT
http://archives.neohapsis.com/archives/cc/2001-q3/0002.html
*** {01.29.030} Cross - Oracle 8i multiple LDAP vulnerabilities
A recently released CERT advisory indicates that the LDAP service
included with the Oracle 8i suite contains multiple buffer overflow
and format string vulnerabilities. These could potentially be used
to execute arbitrary code on the target system.
These vulnerabilities have not been confirmed.
Source: CERT
http://archives.neohapsis.com/archives/cc/2001-q3/0002.html
************************************************************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (BSD/OS)
Comment: For info see http://www.gnupg.org
iD8DBQE7V0Tj+LUG5KFpTkYRAs1FAJ91HWAAEdDhOvWeJaeRvZkjX/536wCfTIdY
JuQehgeHAWv74OPnZUqqox0=
=i42T
-----END PGP SIGNATURE-----
----------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed
to you and you would like to begin receiving our security e-mail
newsletter on a weekly basis, we invite you to subscribe today.
http://www.sans.org/sansnews/.
We are signing the Consensus newsletter
with PGP. The new SANS PGP key is posted at:
http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46
and can be accessed from the SANS Web site (http://www.sans.org).
Special Note: To better secure your confidential information,
we will no longer include personal URLs in our Consensus
newsletter mailings. Instead, we have created a new form
(http://www.sans.org/sansurl). On this form you can enter the SD
number located near your name at the top of the newsletter. When you
submit this form, an e-mail containing a URL will be sent to you at
the e-mail address on record. With this URL you can make changes to
your account (edit the content of your Consensus mailing, for example)
without endangering the security of your personal URL. If you'd like
to change your e-mail address or other information, or unsubscribe
to this newsletter, please visit your new URL as described above. If
you have any problems or questions, e-mail us at <consensus@nwc.com>.
Missed an issue? You can find all back issues of
Security Alert Consensus (and Security Express) online.
http://archives.neohapsis.com/
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2001 Network Computing, a CMP Media LLC
publication. All Rights Reserved. Distributed by Network
Computing (http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).