From: Network Computing and The SANS Institute (sans+ZZ95012654401106191@sans.org)
Date: Thu Nov 08 2001 - 15:08:59 CST

    To: Security Express (SD397643)
    Re: Your personalized newsletter

                         -- Security Alert Consensus --
                               Number 122 (01.45)
                          Thursday, November 8, 2001
                               Created for you by
                     Network Computing and the SANS Institute
                              Powered by Neohapsis

    ----------------------------------------------------------------------

    We wish to express our sincerest condolences to all those affected
    by the horrible events of September 11th.

    If you are or know of a company that needs assistance getting back
    up and running, view our list of currently available services and
    resources.
    http://www.nwc.com/helpamerica/services.html

    ----------------------------------------------------------------------

    Welcome to SANS' distribution of the Security Alert Consensus.

    ----------------------------------------------------------------------

    Not worried about hackers? You should be. If your customers don't feel
    comfortable with you online, they'll go with someone else. With IBM
    infrastructure, you'll have the security your company needs to keep your
    networks safe & clients comfortable. Find out more from our latest
    security white paper today. Download at:
    http://www.ibm.com/e-business/soready/n177

    ----------------------------------------------------------------------

    Some interesting accusations were made this week about the security
    of Microsoft's Passport technology. A researcher found that Passport's
    caching of credentials can be preyed upon; a few cross-site scripting
    attacks also provided avenues of exploitation. Microsoft, fortunately,
    has fixed or addressed many of the problems, but it does raise an
    interesting question: Given Microsoft's track record of security
    exposures (100 published bulletins in 2000 and 54 bulletins to date
    for 2001), do you trust Passport to be a central database of user
    information?
    http://alive.znep.com/~marcs/passport/

    Until next week,
    --Security Alert Consensus Team

    ************************************************************************

    TABLE OF CONTENTS:

    {01.45.006} Win - WS_FTP STAT command overflow
    {01.45.010} Win - MS01-054: Invalid UPnP packet DoS
    {01.45.017} Win - MS ISA server fragmented UDP DoS
    {01.45.004} Linux - SYNCookie problems in Linux kernels
    {01.45.005} Linux - libdb format string vulnerability
    {01.45.009} Linux - Update {01.44.004}: Webalizer referrer/host name
                CSS vulnerability
    {01.45.011} Linux - Update {01.42.020}: Login stored PAM result absorbs
                other user credentials
    {01.45.012} Linux - Update {01.41.007}: htdig/htsearch alternate
                configuration file vulnerability
    {01.45.013} Linux - teTeX insecure temp file and dvips invocation
    {01.45.014} Linux - Update {01.43.009}: procmail privilege elevation
                via signals
    {01.45.018} Linux - TUX large Host header DoS
    {01.45.020} Linux - Update {01.34.017}: ucd-snmp multiple
                vulnerabilities
    {01.45.021} Linux - Update {01.37.015}: uucp user-supplied
                configuration file privilege elevation
    {01.45.016} SCO - Overflow in DCE ToolTalk library
    {01.45.019} SCO - Overflow in dtspcd via DCE SPC library
    {01.45.001} Cross - Lotus Domino restricted view bypass
    {01.45.002} Cross - Lotus Notes default navigator redirection bypass
    {01.45.003} Cross - Lotus Notes template access via ReplicaID
    {01.45.007} Cross - Entrust GetAccess CGI script file retrieval
    {01.45.008} Cross - Lots and lots of lpd problems
    {01.45.015} Cross - Viralator proxy virus scanner command execution
    {01.45.022} Cross - dreamcatchersWeb.com multiple CGI command execution
    {01.45.023} Cross - leoboard.com Ikonboard/LB5000 CGI file overwrite

    --- Windows News -------------------------------------------------------

    *** {01.45.006} Win - WS_FTP STAT command overflow

    WS_FTP server version 2.0.3 is reported to contain a buffer overflow
    in the handling of the STAT command. This could allow a remote attacker
    to execute arbitrary code with local system privileges.

    The vendor has confirmed this vulnerability and released version 2.0.4,
    which is available at:
    http://www.ipswitch.com/support/WS_FTP-Server/patch-upgrades.html

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-11/0019.html

    *** {01.45.010} Win - MS01-054: Invalid UPnP packet DoS

    Microsoft has released MS01-054 ("Invalid UPnP packet DoS"). A bug
    in the UPnP (Universal Plug and Play) service found on Windows ME, XP
    and some installations of 98 allows a remote attacker to perform a DoS
    against the system by sending invalid packets to the UPnP service. The
    DoS effects range from memory leakage to full system crashes.

    FAQ and patch:
    http://www.microsoft.com/technet/security/bulletin/MS01-054.asp

    Source: Microsoft
    http://archives.neohapsis.com/archives/vendor/2001-q4/0021.html

    *** {01.45.017} Win - MS ISA server fragmented UDP DoS

    An advisory was released indicating that Microsoft ISA server is
    vulnerable to a denial of service attack whereby a remote attacker
    sends many fragmented UDP packets, which causes abnormally high
    CPU utilization.

    This vulnerability has not been confirmed.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0032.html

    --- Linux News ---------------------------------------------------------

    *** {01.45.004} Linux - SYNCookie problems in Linux kernels

    A bug was found in the SYN cookie implementations of both the 2.2
    and 2.4 Linux kernel series. It is possible that packets carrying valid
    SYN cookies could bypass firewall filters. It has also been noted that
    a valid SYN cookie can be brute-forced within an acceptable amount of
    time.

    Updated RedHat RPMs:
    http://archives.neohapsis.com/archives/linux/redhat/2001-q4/0107.html

    Updated EnGarde RPMs:
    http://archives.neohapsis.com/archives/linux/engarde/2001-q4/0010.html

    Updated Caldera RPMs:
    http://archives.neohapsis.com/archives/linux/engarde/2001-q4/0010.html

    Updated SuSE RPMs:
    http://archives.neohapsis.com/archives/linux/engarde/2001-q4/0010.html

    Updated Conectiva RPMs:
    http://archives.neohapsis.com/archives/linux/conectiva/2001-q4/0007.html

    Source: RedHat, EnGarde, Caldera, Conectiva
    http://archives.neohapsis.com/archives/linux/redhat/2001-q4/0107.html
    http://archives.neohapsis.com/archives/linux/engarde/2001-q4/0010.html
    http://archives.neohapsis.com/archives/linux/engarde/2001-q4/0010.html
    http://archives.neohapsis.com/archives/linux/engarde/2001-q4/0010.html
    http://archives.neohapsis.com/archives/linux/conectiva/2001-q4/0007.html

    *** {01.45.005} Linux - libdb format string vulnerability

    Caldera has released an advisory confirming that format string
    vulnerabilities within the libdb library would affect all programs
    using the library. The vulnerability may allow a local attacker to
    execute arbitrary code with elevated privileges.

    It is unknown at this time if other Linux distributions are affected.

    Updated Caldera RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/caldera/2001-q4/0003.html

    Source: Caldera
    http://archives.neohapsis.com/archives/linux/caldera/2001-q4/0003.html

    *** {01.45.009} Linux - Update {01.44.004}: Webalizer referrer/host
                    name CSS vulnerability

    Multiple Linux vendors have released updated Webalizer packages,
    which fix the vulnerability discussed in {01.44.004} ("Webalizer
    referrer/host name CSS vulnerability").

    Updated SuSE RPMs:
    http://archives.neohapsis.com/archives/linux/suse/2001-q4/0699.html

    Updated EnGarde RPMs:
    http://archives.neohapsis.com/archives/linux/engarde/2001-q4/0009.html

    Updated RedHat RPMs:
    http://archives.neohapsis.com/archives/linux/redhat/2001-q4/0097.html

    Source: SuSE, EnGarde, RedHat
    http://archives.neohapsis.com/archives/linux/suse/2001-q4/0699.html
    http://archives.neohapsis.com/archives/linux/engarde/2001-q4/0009.html
    http://archives.neohapsis.com/archives/linux/redhat/2001-q4/0097.html

    *** {01.45.011} Linux - Update {01.42.020}: Login stored PAM result
                    absorbs other user credentials

    Mandrake has released updated util-linux packages, which fix the
    vulnerability discussed in {01.42.020} ("Login stored PAM result
    absorbs other user credentials").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/bugtraq/2001-11/0006.html

    Source: Mandrake (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2001-11/0006.html

    *** {01.45.012} Linux - Update {01.41.007}: htdig/htsearch alternate
                    configuration file vulnerability

    Mandrake has released updated htdig packages, which fix the
    vulnerability discussed in {01.41.007} ("htdig/htsearch alternate
    configuration file vulnerability").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/bugtraq/2001-11/0007.html

    Source: Mandrake (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2001-11/0007.html

    *** {01.45.013} Linux - teTeX insecure temp file and dvips invocation

    RedHat has released an advisory indicating that the teTeX suite does
    not properly create temporary files, potentially allowing a local
    attacker to gain LPRng group privileges. teTeX also was found to not
    securely invoke dvips, which could lead to potential command execution.

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/redhat/2001-q4/0100.html

    Source: RedHat
    http://archives.neohapsis.com/archives/linux/redhat/2001-q4/0100.html

    *** {01.45.014} Linux - Update {01.43.009}: procmail privilege
                    elevation via signals

    Conectiva has released updated procmail packages, which fix the
    vulnerability discussed in {01.43.009} ("procmail privilege elevation
    via signals").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/conectiva/2001-q4/0008.html

    Source: Conectiva
    http://archives.neohapsis.com/archives/linux/conectiva/2001-q4/0008.html

    *** {01.45.018} Linux - TUX large Host header DoS

    TUX Web server version 2.1.0 has been reported vulnerable to a denial
    of service whereby a remote attacker submits a large Host header in
    an HTTP request. This causes the server system to crash.

    This vulnerability has not been confirmed.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0033.html

    *** {01.45.020} Linux - Update {01.34.017}: ucd-snmp multiple
                    vulnerabilities

    RedHat has released updated ucd-snmp packages, which fix the
    vulnerability discussed in {01.34.017} ("ucd-snmp multiple
    vulnerabilities").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/redhat/2001-q4/0104.html

    Source: RedHat
    http://archives.neohapsis.com/archives/linux/redhat/2001-q4/0104.html

    *** {01.45.021} Linux - Update {01.37.015}: uucp user-supplied
                    configuration file privilege elevation

    SuSE has released updated uucp packages, which fix the vulnerability
    discussed in {01.37.015} ("uucp user-supplied configuration file
    privilege elevation").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/suse/2001-q4/0603.html

    Source: SuSE
    http://archives.neohapsis.com/archives/linux/suse/2001-q4/0603.html

    --- SCO News -----------------------------------------------------------

    *** {01.45.016} SCO - Overflow in DCE ToolTalk library

    Caldera/SCO has released an advisory indicating that a buffer overflow
    exists in the DCE ToolTalk library. This could allow a local user to
    execute arbitrary code with elevated privileges.

    Patches are available at:
    ftp://stage.caldera.com/pub/security/openunix/CSSA-2001-SCO.29/

    Source: Caldera/SCO
    http://archives.neohapsis.com/archives/linux/caldera/2001-q4/0004.html

    *** {01.45.019} SCO - Overflow in dtspcd via DCE SPC library

    Caldera/SCO has released an advisory indicating that a remotely
    exploitable buffer overflow exists in the DCE SPC library, which is
    used by dtspcd. This could lead to an attacker executing arbitrary
    code.

    Updates are available at:
    ftp://stage.caldera.com/pub/security/openunix/CSSA-2001-SCO.30/

    Source: Caldera/SCO
    http://archives.neohapsis.com/archives/linux/caldera/2001-q4/0006.html

    --- Cross-Platform News ------------------------------------------------

    *** {01.45.001} Cross - Lotus Domino restricted view bypass

    Lotus Domino version 5.x has been found to contain a bug that could
    allow an attacker to access a document even if a particular view is
    restricted. Lotus responds that, technically, the document itself
    should be restricted and not just its parent view.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0027.html

    *** {01.45.002} Cross - Lotus Notes default navigator redirection bypass

    Letting remote users reach the 'default navigator' of a database is a
    known security problem, so the accepted fix is to use a URL filter that
    redirects or rejects requests for URLs containing '.nsf/$defaultNav'.
    It appears that this filter is easy to bypass by using various forms
    of URL encoding, which still gives the attacker access to the default
    navigator.

    The advisory referenced below recommends a few workarounds to help
    fix this problem.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0028.html
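    As an added illustration of the default navigator filter problem above (this is example code written for this summary, not code from the advisory, Lotus or any filter product): a literal substring match on the raw request path is compared with a filter that canonicalizes the path first. The database name and request paths are constructed test inputs, and the case-insensitive comparison is an assumption about how the server resolves the path.

```python
"""Constructed example: literal '.nsf/$defaultNav' filter versus a
canonicalizing filter. Not code from Lotus or from the advisory."""
from urllib.parse import unquote

# Assumption: the server resolves the path case-insensitively, so the
# filter compares lower-cased, fully decoded paths.
MARKER = ".nsf/$defaultnav"


def naive_blocks(url: str) -> bool:
    """The filter style the advisory describes: a literal check on the raw path."""
    return ".nsf/$defaultNav" in url


def canonicalize(url: str, max_rounds: int = 5) -> tuple[str, bool]:
    """Percent-decode until the string stops changing, bounded by max_rounds.

    Returns (canonical_path, stable). stable is False when the input was
    still changing after max_rounds, i.e. it is nested more deeply than a
    legitimate client would ever encode, so the caller should fail closed.
    """
    current = url
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            return current.lower(), True
        current = decoded
    return current.lower(), False


def hardened_blocks(url: str) -> bool:
    """Block when the canonical path contains the marker, or when the
    path could not be fully canonicalized within the bound."""
    canon, stable = canonicalize(url)
    return (not stable) or MARKER in canon


# Constructed request paths against a hypothetical database 'names.nsf'.
SAMPLES = [
    "/names.nsf/$defaultNav",            # plain form: both filters block
    "/names.nsf/%24defaultNav",          # '$' encoded: naive filter misses it
    "/names%2Ensf%2F%24defaultNav",      # '.', '/' and '$' encoded
    "/names.nsf/$DEFAULTNAV",            # case variation
    "/names.nsf/%2524defaultNav",        # double-encoded '$'
    "/names.nsf/%252525252524defaultNav",  # nested past the bound: fail closed
    "/names.nsf/$defaultView",           # legitimate request: neither blocks
]


def compare(urls=SAMPLES) -> list[tuple[str, bool, bool]]:
    """Return (path, naive_decision, hardened_decision) for each input."""
    return [(u, naive_blocks(u), hardened_blocks(u)) for u in urls]


if __name__ == "__main__":
    for path, naive, hardened in compare():
        print(f"{path:40} naive={naive!s:5} hardened={hardened}")
```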

    *** {01.45.003} Cross - Lotus Notes template access via ReplicaID

    Lotus Notes version 5.x has been found vulnerable to a bug that allows
    a remote attacker to access otherwise inaccessible templates by making
    a request containing the templates' ReplicaID. One specific risk is
    access to the Web administration template, which potentially allows
    attackers to affect the Web services.

    The advisory indicates vendor confirmation and the availability of
    a fix in the next Lotus Notes release.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0029.html

    *** {01.45.007} Cross - Entrust GetAccess CGI script file retrieval

    Entrust's GetAccess CGI application has been found to allow a remote
    attacker to view the contents of arbitrary files readable by the Web
    server. The problem arises because the GetAccess CGI does not correctly
    handle data passed in via URL parameters.

    Entrust has released a patch, which is available at:
    https://login.encommerce.com/private/docs/techSupport/Patches-BugFix

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-11/0022.html

    *** {01.45.008} Cross - Lots and lots of lpd problems

    CERT has released an advisory about the slew of lpd problems that have
    come to attention as of late. We've reported on most of them in past
    SAC issues, but we feel it's best to mention them again. The number
    of actual vulnerabilities varies depending on platform, so you should
    review the CERT advisory for details on your platform:
    http://archives.neohapsis.com/archives/bugtraq/2001-11/0022.html

    Updated RedHat RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/redhat/2001-q4/0054.html

    IRIX update information:
    http://archives.neohapsis.com/archives/vendor/2001-q4/0022.html

    Source: CERT, RedHat, SGI
    http://archives.neohapsis.com/archives/bugtraq/2001-11/0022.html
    http://archives.neohapsis.com/archives/linux/redhat/2001-q4/0054.html
    http://archives.neohapsis.com/archives/vendor/2001-q4/0022.html

    *** {01.45.015} Cross - Viralator proxy virus scanner command execution

    The Viralator virus scanner script for Squid proxies has been reported
    to not properly filter malicious URL characters before using them in
    a system call, thus allowing a remote attacker to execute arbitrary
    shell commands with the privileges of the proxy server.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-11/0001.html

    *** {01.45.022} Cross - dreamcatchersWeb.com multiple CGI command
                    execution

    Two CGIs written by Seth Leonard and available from
    dreamcatchersWeb.com have been found to improperly filter out shell
    metacharacters. Specifically, the "book of guests" and "post it!" CGIs
    allow a remote attacker to execute arbitrary shell commands with the
    privileges of the Web server.

    These vulnerabilities have not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-10/0270.html

    *** {01.45.023} Cross - leoboard.com Ikonboard/LB5000 CGI file overwrite

    The LB5000 and Ikonboard Web BBS CGIs available from leoboard.com have
    been found to contain bugs that allow remote attackers to overwrite
    files writable by the Web server process.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-10/0272.html
    http://archives.neohapsis.com/archives/bugtraq/2001-10/0273.html

    ************************************************************************

    ----------------------------------------------------------------------

    Become a Security Alert Consensus member! If this e-mail was passed
    to you and you would like to begin receiving our security e-mail
    newsletter on a weekly basis, we invite you to subscribe today.
    http://www.sans.org/sansnews/

    We are signing the Consensus newsletter with PGP. The new SANS PGP key
    is posted at:
    http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46
    and can be accessed from the SANS Web site (http://www.sans.org).

    Special Note: To better secure your confidential information,
    we will no longer include personal URLs in our Consensus
    newsletter mailings. Instead, we have created a new form
    (http://www.sans.org/sansurl). On this form you can enter the SD
    number located near your name at the top of the newsletter. When you
    submit this form, an e-mail containing a URL will be sent to you at
    the e-mail address on record. With this URL you can make changes to
    your account (edit the content of your Consensus mailing, for example)
    without endangering the security of your personal URL. If you'd like
    to change your e-mail address or other information, or unsubscribe
    to this newsletter, please visit your new URL as described above. If
    you have any problems or questions, e-mail us at <consensus@nwc.com>.

    Missed an issue? You can find all back issues of
    Security Alert Consensus (and Security Express) online.
    http://archives.neohapsis.com/

    Your opinion counts. We'd like to hear your thoughts on Security Alert
    Consensus. E-mail any questions or comments to <consensus@nwc.com>.

    Copyright (c) 2001 Network Computing, a CMP Media LLC
    publication. All Rights Reserved. Distributed by Network
    Computing (http://www.networkcomputing.com) and The SANS Institute
    (http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
    security assessment and integration services consulting group
    (info@neohapsis.com | http://www.neohapsis.com/).