From: Network Computing and The SANS Institute (sans+ZZ55775345430526040sans.org)
Date: Thu Dec 06 2001 - 15:32:29 CST


    To: Security Express (SD397643)
    Re: Your personalized newsletter

                        -- Security Alert Consensus --
                               Number 126 (01.49)
                          Thursday, December 6, 2001
                              Created for you by
                    Network Computing and the SANS Institute
                             Powered by Neohapsis

    ----------------------------------------------------------------------

    Welcome to SANS' distribution of the Security Alert Consensus.

    ----------------------------------------------------------------------

    This issue is brought to you by ...
    Nokia Internet Communications - a division of Nokia. NOKIA TEAMS UP WITH
    LEADING PUBLISHERS, Offering the most reliable, up-to-date SECURITY-
    focused information on the Web including: News & Assessment tools,
    Reviews & Analyst Reports For more information, visit our Security
    Resource Center:
    http://www.nokia.com/internet/na

    ----------------------------------------------------------------------

    Another worm (W32.Goner) is making its rounds this week via Outlook
    and ICQ clients. The fix is the same as always: update your virus
    signature file. In the meantime, you might also want to apply the
    latest Outlook patches and watch for e-mails with the subject line
    "Hi."

    In other news, the Internet is seeing a surge of attackers going
    after SSH daemons vulnerable to the previously reported SSH-1 CRC-32
    compensation attack detector overflow. A recent poll indicates that
    as many as 30 percent of the SSH daemons on the Internet are still
    vulnerable, so double-check your SSH installs and upgrade to the
    latest versions. The flawed detector belongs to the protocol 1 code
    path, so servers that still offer protocol 1 deserve the first look.
    http://www.citi.umich.edu/u/provos/ssh/
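    A quick way to act on the paragraph above is to check what your own
    servers announce. The script below is an added example, not part of
    this newsletter or of the survey linked above: it parses SSH server
    identification banners, flags any server that still offers protocol 1
    (the code path the CRC-32 compensation attack detector lives in) and
    compares the software version against an operator-chosen floor. The
    banners in SAMPLES are constructed, and the floor in POLICY is an
    assumption for illustration (the OpenSSH release this issue names as
    current), not a statement of which releases are vulnerable; set it from
    your vendor's advisory.

```python
"""Flag SSH servers that still offer protocol 1 or run old software.

Added example; not part of the newsletter or the citi.umich.edu survey.
The banners in SAMPLES are constructed, and the version floor in POLICY
is an assumed operator setting, not a statement of which releases are
vulnerable.
"""
import re
import socket
from typing import Dict, List, Optional, Tuple

# Server identification line, e.g. "SSH-1.99-OpenSSH_3.0.2p1 some comment"
BANNER_RE = re.compile(
    r"^SSH-(?P<proto>\d+\.\d+)-(?P<software>\S+)(?:\s+(?P<comment>.*))?$"
)


def parse_banner(banner: str) -> Optional[Dict[str, str]]:
    """Split a banner into protocol version, software name and version."""
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    name, _, ver = m.group("software").partition("_")
    if not ver:                      # ssh.com style: "SSH-1.5-1.2.27", version only
        name, ver = "ssh", name
    return {"proto": m.group("proto"), "software": name, "version": ver,
            "comment": m.group("comment") or ""}


def offers_protocol_1(proto: str) -> bool:
    """'1.x' is SSH-1 only; '1.99' means the server speaks both 1 and 2.
    The CRC-32 compensation attack detector is part of the SSH-1 code."""
    return proto.startswith("1.")


def version_tuple(ver: str) -> Tuple[int, ...]:
    """'3.0.2p1' -> (3, 0, 2); the portable-release suffix does not order."""
    return tuple(int(x) for x in re.findall(r"\d+", ver.split("p", 1)[0]))


def assess(banner: str, policy: Dict[str, str]) -> dict:
    """Return the findings for one banner. `policy` maps a software name to
    the oldest version the operator accepts."""
    info = parse_banner(banner)
    if info is None:
        return {"banner": banner, "status": "unparseable", "findings": []}
    findings: List[str] = []
    if offers_protocol_1(info["proto"]):
        findings.append("offers SSH protocol 1")
    floor = policy.get(info["software"])
    if floor and version_tuple(info["version"]) < version_tuple(floor):
        findings.append(f"{info['software']} {info['version']} below policy floor {floor}")
    info.update(banner=banner, status="flag" if findings else "ok", findings=findings)
    return info


def grab_banner(host: str, port: int = 22, timeout: float = 5.0) -> str:
    """Read the identification line from a live server (network; not used
    by the offline demo below)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return s.recv(256).decode("ascii", "replace").splitlines()[0]


# Constructed banners standing in for scan results; not real hosts.
SAMPLES = [
    "SSH-1.5-1.2.27",
    "SSH-1.99-OpenSSH_2.2.0p1",
    "SSH-2.0-OpenSSH_3.0.2p1",
    "SSH-1.99-OpenSSH_3.0.2p1",
]
# Assumed policy: accept nothing older than the OpenSSH release this issue
# names as current. Set this from your vendor's advisory, not from here.
POLICY = {"OpenSSH": "3.0.2"}


def audit(banners: List[str] = SAMPLES, policy: Dict[str, str] = POLICY) -> List[dict]:
    return [assess(b, policy) for b in banners]


if __name__ == "__main__":
    for r in audit():
        print(f"{r['status']:>11}  {r['banner']}  {'; '.join(r['findings'])}")
```

    Feed grab_banner() output from your own hosts into audit() in place of
    SAMPLES; a "1.99" banner on an otherwise current server is worth a
    look at the Protocol setting in sshd_config.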

    Until next week,
    --Security Alert Consensus Team

    ************************************************************************

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    TABLE OF CONTENTS:

    {01.49.023} Win - ASPUpload demo script vulnerabilities
    {01.49.025} Win - Alchemy Eye/Network Monitor log viewing
    {01.49.003} Linux - Update {01.48.023}: Cyrus/sasl logging function
                format string vulnerability
    {01.49.006} Linux - Update {01.42.011}: Apache 1.3.22 available, with
                security fixes
    {01.49.013} Linux - Update {01.23.008}: OpenSSH 'cookie' file deletion
    {01.49.015} Linux - Update {01.46.007}: IMP Webmail CSS vulnerability
    {01.49.018} Linux - Update {01.47.012}: Postfix session log memory DoS
    {01.49.010} BSD - OpenBSD lpd can create files in root directory
    {01.49.012} BSD - OpenBSD local kernel crash DoS
    {01.49.004} SGI - Update {01.17.009}: Nirvana editor (nedit) insecure
                temp file handling
    {01.49.005} SGI - Update {01.45.019}: Overflow in dtspcd via DCE SPC
                library
    {01.49.021} SCO - setcontext full memory access
    {01.49.017} NApps - Cisco IOS CBAC filter bypass
    {01.49.014} Other - UNICOS NQSD job schedule format string vulnerability
    {01.49.001} Cross - Update {01.48.028}: wu-ftpd unclosed glob heap
                overflow
    {01.49.002} Cross - SETI@home SOCKS support overflows
    {01.49.007} Cross - Update {01.32.009}: Oracle dbsnmp ORACLE_HOME env
                variable overflow
    {01.49.008} Cross - Oracle dbsnmp exec various trojan programs
    {01.49.009} Cross - OpenSSH UseLogin unfiltered environment
    {01.49.011} Cross - Valicert Enterprise VA forms CGI vulnerabilities
    {01.49.016} Cross - mailman listinfo CGI CSS vulnerability
    {01.49.019} Cross - PGPMail.pl CGI command execution
    {01.49.022} Cross - frox ftp proxy MDTM response overflow
    {01.49.024} Cross - Lotus Notes https listener DoS
    {01.49.026} Cross - Allaire JRun SSI source code disclosure
    {01.49.027} Cross - Allaire JRun Web directory browsing
    {01.49.028} Cross - Allaire JRun duplicate session ID leak
    {01.49.029} Cross - Multiple vulnerabilities in Easynews CGI
    {01.49.020} Tools - Snort 1.8.3 available

    - --- Windows News -------------------------------------------------------

    *** {01.49.023} Win - ASPUpload demo script vulnerabilities

    The ASPUpload suite from ASPUpload.com has been found to install
    various demonstration scripts that can be used by a remote attacker
    to view arbitrary files and to upload new files.

    The advisory indicates vendor confirmation. The best fix is to delete
    the sample applications.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-11/0292.html

    *** {01.49.025} Win - Alchemy Eye/Network Monitor log viewing

    The Alchemy Eye Network Monitor Suite version 2.6.18 has been found
    to install by default an HTTP server that allows a remote attacker
    to access various log files. These log files could expose sensitive
    information.

    The advisory indicates vendor confirmation.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-11/0304.html

    - --- Linux News ---------------------------------------------------------

    *** {01.49.003} Linux - Update {01.48.023}: Cyrus/sasl logging function
                    format string vulnerability

    Caldera and RedHat have released updated cyrus/sasl packages, which
    fix the vulnerability discussed in {01.48.023} ("Cyrus/sasl logging
    function format string vuln").

    Updated Caldera RPMs:
    http://archives.neohapsis.com/archives/linux/caldera/2001-q4/0012.html

    Updated RedHat RPMs:
    http://archives.neohapsis.com/archives/linux/redhat/2001-q4/0139.html
    http://archives.neohapsis.com/archives/linux/redhat/2001-q4/0141.html

    Source: Caldera, RedHat
    http://archives.neohapsis.com/archives/linux/caldera/2001-q4/0012.html
    http://archives.neohapsis.com/archives/linux/redhat/2001-q4/0139.html
    http://archives.neohapsis.com/archives/linux/redhat/2001-q4/0141.html

    *** {01.49.006} Linux - Update {01.42.011}: Apache 1.3.22 available,
                    with security fixes

    Mandrake and RedHat have released updated apache packages, which fix
    the vulnerability discussed in {01.42.011} ("Apache 1.3.22 available,
    with security fixes").

    Updated Mandrake RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2001-11/0244.html

    Updated RedHat RPMs:
    http://archives.neohapsis.com/archives/linux/redhat/2001-q4/0148.html

    Source: Mandrake, RedHat (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2001-11/0244.html
    http://archives.neohapsis.com/archives/linux/redhat/2001-q4/0148.html

    *** {01.49.013} Linux - Update {01.23.008}: OpenSSH 'cookie' file
                    deletion

    SuSE has released updated openSSH packages, which fix the vulnerability
    discussed in {01.23.008} ("OpenSSH 'cookie' file deletion").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/suse/2001-q4/1320.html

    Source: SuSE
    http://archives.neohapsis.com/archives/linux/suse/2001-q4/1320.html

    *** {01.49.015} Linux - Update {01.46.007}: IMP Webmail CSS
                    vulnerability

    Caldera has released updated imp packages, which fix the vulnerability
    discussed in {01.46.007} ("IMP Webmail CSS vuln").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/caldera/2001-q4/0011.html

    Source: Caldera
    http://archives.neohapsis.com/archives/linux/caldera/2001-q4/0011.html

    *** {01.49.018} Linux - Update {01.47.012}: Postfix session log memory
                    DoS

    Mandrake and RedHat have released updated postfix packages, which
    fix the vulnerability discussed in {01.47.012} ("Postfix session log
    memory DoS").

    Updated Mandrake RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2001-11/0288.html

    Updated RedHat RPMs:
    http://archives.neohapsis.com/archives/linux/redhat/2001-q4/0135.html

    Source: RedHat, Mandrake (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2001-11/0288.html
    http://archives.neohapsis.com/archives/linux/redhat/2001-q4/0135.html

    - --- BSD News -----------------------------------------------------------

    *** {01.49.010} BSD - OpenBSD lpd can create files in root directory

    OpenBSD has committed patches to the line printer daemon to fix a bug
    that allows a remote attacker, who is coming from an lpd-accepted host,
    to create arbitrary files in the root ('/') directory.

    The vendor has confirmed this vulnerability. Patches have
    been committed to the 2.9-stable, 3.0-stable and current
    branches. Individual patches are available at:
    ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/017_lpd.patch
    ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/008_lpd.patch

    Source: OpenBSD
    http://archives.neohapsis.com/archives/openbsd/2001-12/0225.html

    *** {01.49.012} BSD - OpenBSD local kernel crash DoS

    A post made to the OpenBSD tech list includes a demonstration program
    that reportedly crashes OpenBSD 2.9 and 3.0 systems. This could allow
    a local attacker to cause a denial of service.

    This vulnerability has been confirmed, and a patch has been committed
    to the OpenBSD source tree. Third-party patches are available at:
    http://archives.neohapsis.com/archives/openbsd/2001-12/0046.html

    Source: OpenBSD
    http://archives.neohapsis.com/archives/openbsd/2001-12/0046.html

    - --- SGI News -----------------------------------------------------------

    *** {01.49.004} SGI - Update {01.17.009}: Nirvana editor (nedit)
                    insecure temp file handling

    SGI has released nedit patches, which fix the vulnerability discussed
    in {01.17.009} ("Nirvana editor (nedit) insecure temp file handling").

    An updated patch matrix is available at:
    http://archives.neohapsis.com/archives/vendor/2001-q4/0039.html

    Source: SGI
    http://archives.neohapsis.com/archives/vendor/2001-q4/0039.html

    *** {01.49.005} SGI - Update {01.45.019}: Overflow in dtspcd via DCE
                    SPC library

    SGI has released various CDE patches, which fix the vulnerability
    discussed in {01.45.019} ("Overflow in dtspcd via DCE SPC library")
    as well as other previously reported CDE-related vulnerabilities.

    A patch matrix is available at:
    http://archives.neohapsis.com/archives/vendor/2001-q4/0041.html

    Source: SGI
    http://archives.neohapsis.com/archives/vendor/2001-q4/0041.html

    - --- SCO News -----------------------------------------------------------

    *** {01.49.021} SCO - setcontext full memory access

    Caldera/SCO has released a fix for a bug that lets normal users
    manipulate particular segment registers through setcontext, allowing
    them to read or overwrite memory. The vulnerability affects
    OpenServer versions 5.0.6 and prior.

    Updated binaries are available at:
    ftp://stage.caldera.com/pub/security/openserver/CSSA-2001-SCO.35/

    Source: Caldera/SCO
    http://archives.neohapsis.com/archives/linux/caldera/2001-q4/0014.html

    - --- Network Appliances News --------------------------------------------

    *** {01.49.017} NApps - Cisco IOS CBAC filter bypass

    The Cisco IOS firewall feature set, also known as CBAC, has been found
    to contain a bug that could allow traffic, which normally would be
    filtered, to pass unhindered.

    Cisco has confirmed this vulnerability. A patch matrix is available at:
    http://archives.neohapsis.com/archives/cisco/2001-q4/0007.html

    Source: Cisco
    http://archives.neohapsis.com/archives/cisco/2001-q4/0007.html

    - --- Other News ---------------------------------------------------------

    *** {01.49.014} Other - UNICOS NQSD job schedule format string
                    vulnerability

    An advisory was released indicating the existence of a format string
    vulnerability in the nqsd daemon included with UNICOS/mk version
    2.0.5.54. Users who can schedule jobs with qsub can potentially
    execute arbitrary code with root access.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-11/0231.html

    - --- Cross-Platform News ------------------------------------------------

    *** {01.49.001} Cross - Update {01.48.028}: wu-ftpd unclosed glob heap
                    overflow

    Multiple vendors have released updated wu-ftpd packages, which fix
    the vulnerability discussed in {01.48.028} ("wu-ftpd unclosed glob
    heap overflow").

    Updated Mandrake RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2001-11/0300.html

    Updated Conectiva RPMs:
    http://archives.neohapsis.com/archives/linux/conectiva/2001-q4/0018.html

    Updated Debian DEBs:
    http://archives.neohapsis.com/archives/vendor/2001-q4/0042.html

    Updated Caldera RPMs:
    http://archives.neohapsis.com/archives/linux/caldera/2001-q4/0013.html

    Updated SCO/OpenServer binaries:
    ftp://stage.caldera.com/pub/security/openunix/CSSA-2001-SCO.36/

    Source: Mandrake, Conectiva, Debian, Caldera, SCO (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2001-11/0300.html
    http://archives.neohapsis.com/archives/linux/conectiva/2001-q4/0018.html
    http://archives.neohapsis.com/archives/vendor/2001-q4/0042.html
    http://archives.neohapsis.com/archives/linux/caldera/2001-q4/0015.html
    http://archives.neohapsis.com/archives/linux/caldera/2001-q4/0013.html

    *** {01.49.002} Cross - SETI@home SOCKS support overflows

    The SETI@home client version 3.03 has been found to contain a buffer
    overflow in the handling of various parameters passed to configure
    the built-in SOCKS support. Installations that have added suid or
    sgid privileges to the client are vulnerable to a local privilege
    escalation attack. Fortunately, the client does not have extra
    privileges by default.

    The advisory indicates confirmation by the vendor, which will fix
    the vulnerability in the next version.

    Source: SecurityFocus Vuln-Dev
    http://archives.neohapsis.com/archives/vuln-dev/2001-q4/0662.html

    *** {01.49.007} Cross - Update {01.32.009}: Oracle dbsnmp ORACLE_HOME
                    env variable overflow

    Oracle has released patches, which fix the vulnerability discussed in
    {01.32.009} ("Oracle dbsnmp ORACLE_HOME env variable overflow"). All
    Unix versions are affected.

    A patch matrix is available on Oracle's OTN network at:
    http://metalink.oracle.com/

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-11/0309.html

    *** {01.49.008} Cross - Oracle dbsnmp exec various trojan programs

    Two vulnerabilities have been found in the Oracle dbsnmp program
    that could allow a local attacker to execute arbitrary programs
    with elevated privileges. First, dbsnmp does not sanitize the PATH
    environment variable before chown and chgrp, thereby allowing a
    local attacker to put trojaned versions of these commands in their
    path. Second, dbsnmp will use the user-supplied ORACLE_HOME environment
    variable, thus allowing a local attacker to specify an alternate,
    trojaned directory from which to load libraries and run commands.

    Oracle has confirmed these vulnerabilities and released a patch,
    which is available on its OTN network at:
    http://metalink.oracle.com

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-11/0306.html
    http://archives.neohapsis.com/archives/bugtraq/2001-11/0307.html

    *** {01.49.009} Cross - OpenSSH UseLogin unfiltered environment

    OpenSSH versions prior to 3.0.2 contain a bug that is exposed when
    sshd is configured with the 'UseLogin' option. The daemon does not
    sanitize the user's environment before passing it to the login
    program, which runs with elevated privileges, so a local attacker
    can potentially execute arbitrary code with those privileges.
    UseLogin is off by default; only installations that enabled it are
    exposed, but upgrading is still the right fix.

    OpenSSH version 3.0.2 fixes this problem. It can be downloaded from:
    http://www.openssh.com/

    RedHat has released updated RPMs:
    http://archives.neohapsis.com/archives/linux/redhat/2001-q4/0150.html

    Source: OpenBSD, RedHat
    http://archives.neohapsis.com/archives/openbsd/2001-12/0261.html
    http://archives.neohapsis.com/archives/linux/redhat/2001-q4/0150.html
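    The two items above ({01.49.008} and {01.49.009}) are the same class of
    mistake: a privileged program trusting what an unprivileged caller put
    in its environment. The example below is added here and is not Oracle's
    dbsnmp or OpenSSH's sshd code. It shows the flawed pattern (locating
    chown through the caller's PATH, honouring a caller-supplied
    ORACLE_HOME, passing the whole environment through) beside the pattern
    that closes it (absolute helper paths, a pinned PATH and product home,
    an environment rebuilt from an allowlist). The helper paths, the
    variable names and the trojaned `chown` it plants in a temporary
    directory are assumptions constructed for the demonstration.

```python
"""Environment hygiene for a privileged program that execs helpers.

Added example, not Oracle's dbsnmp or OpenSSH's sshd code. It shows the
two flaws behind {01.49.008} (trusting PATH to find chown/chgrp, and
trusting a caller-supplied ORACLE_HOME) and the unfiltered environment
behind {01.49.009}, next to the pattern that closes them. The paths,
variable names and the trojaned `chown` are assumptions built for the demo.
"""
import os
import shutil
import subprocess
import tempfile
from typing import Dict, List, Optional

# Helpers a privileged program may invoke, by absolute path (assumed locations).
TRUSTED_BIN = {"chown": "/bin/chown", "chgrp": "/bin/chgrp"}
# Variables allowed to reach a helper running with elevated privileges.
# Loader hooks such as LD_PRELOAD and LD_LIBRARY_PATH are deliberately absent.
ENV_ALLOWLIST = {"TERM", "LANG", "TZ"}
SAFE_PATH = "/usr/bin:/bin"
# Where the product is actually installed (assumed); never taken from the caller.
INSTALLED_HOME = "/opt/oracle/product"


def unsafe_resolve(cmd: str, env: Dict[str, str]) -> Optional[str]:
    """Flawed pattern: find `cmd` through the caller's PATH. A local user who
    prepends a directory they control gets their own binary executed."""
    return shutil.which(cmd, path=env.get("PATH", ""))


def safe_resolve(cmd: str) -> str:
    """Fixed pattern: absolute path from a table the caller cannot influence."""
    try:
        return TRUSTED_BIN[cmd]
    except KeyError:
        raise ValueError(f"{cmd!r} is not a permitted helper") from None


def sanitize_env(env: Dict[str, str]) -> Dict[str, str]:
    """Rebuild the environment from the allowlist and pin PATH and the
    product home, instead of passing the caller's values through."""
    clean = {k: v for k, v in env.items() if k in ENV_ALLOWLIST}
    clean["PATH"] = SAFE_PATH
    clean["ORACLE_HOME"] = INSTALLED_HOME
    return clean


def run_helper(cmd: str, args: List[str], env: Dict[str, str]) -> subprocess.CompletedProcess:
    """Exec a helper the safe way: absolute path, filtered environment, no shell."""
    return subprocess.run([safe_resolve(cmd), *args], env=sanitize_env(env),
                          capture_output=True, text=True, check=False)


def demo() -> dict:
    """Plant a trojaned `chown` in a writable directory and compare what each
    resolver would execute and what environment each would hand it."""
    with tempfile.TemporaryDirectory() as d:
        fake = os.path.join(d, "chown")
        with open(fake, "w") as f:
            f.write("#!/bin/sh\necho trojaned\n")
        os.chmod(fake, 0o755)
        attacker_env = {
            "PATH": d + os.pathsep + SAFE_PATH,    # attacker's dir first
            "ORACLE_HOME": d,                       # attacker-controlled home
            "LD_PRELOAD": os.path.join(d, "evil.so"),
            "TERM": "xterm",
        }
        return {
            "unsafe_exec": unsafe_resolve("chown", attacker_env),
            "safe_exec": safe_resolve("chown"),
            "clean_env": sanitize_env(attacker_env),
            "planted": fake,
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:>12}: {v}")
```

    The allowlist is the important design choice: enumerating dangerous
    variables (a denylist) misses the next loader or shell variable nobody
    thought of, whereas starting from an empty environment and adding the
    few names the helper needs cannot.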

    *** {01.49.011} Cross - Valicert Enterprise VA forms CGI vulnerabilities

    An advisory was released detailing multiple vulnerabilities in
    the forms CGI component distributed with Valicert's Enterprise VA
    suite. The vulnerabilities range from information disclosure and
    cross-site scripting to fourteen separate buffer overflows that could
    allow a remote attacker to execute arbitrary code with elevated
    privileges.

    The advisory indicates confirmation by the vendor, which has patches
    available from its site at:
    http://www.valicert.com/

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0065.html

    *** {01.49.016} Cross - mailman listinfo CGI CSS vulnerability

    The listinfo CGI distributed with mailman versions prior to 2.0.8 has
    been found vulnerable to cross-site scripting. A malicious e-mail or
    Web site could use it to execute arbitrary JavaScript in a victim's
    browser in the context of the mailman site.

    The vendor has confirmed this vulnerability and released version 2.0.8,
    which is available at:
    http://sourceforge.net/projects/mailman

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-11/0236.html

    *** {01.49.019} Cross - PGPMail.pl CGI command execution

    The PGPMail.pl CGI script version 1.31 from venturablvd.com has been
    found to allow a remote attacker to execute arbitrary command line
    commands by using Unix shell metacharacters in the pgpuserid and
    recipient parameters of the URL.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-11/0289.html
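    The mechanism described above is worth seeing side by side with its
    fix. The example below is added here and is not the PGPMail.pl script:
    it uses `echo` as a stand-in for the pgp binary so that it runs
    anywhere, builds the command line the flawed way (parameters
    interpolated into a shell command) and the fixed way (an argument list
    and no shell), and adds an allowlist check on the parameter value. The
    attacker's value in PAYLOAD is constructed for the demonstration.

```python
"""Shell metacharacters in CGI parameters: the PGPMail.pl class of bug.

Added example, not the PGPMail.pl script. `echo` stands in for the pgp
binary so the demo runs anywhere; the attacker's parameter value is
constructed. Only the two execution patterns matter here.
"""
import re
import subprocess
from typing import List

# Constructed attacker input for the `recipient` parameter.
PAYLOAD = "bob@example.com; echo INJECTED"


def vulnerable_encrypt(recipient: str, pgpuserid: str) -> str:
    """The flawed pattern: interpolate parameters into one command string and
    hand it to the shell. The ';' in `recipient` ends the pgp command and
    starts a second one of the attacker's choosing."""
    cmd = f"echo pgp +batchmode -r {recipient} -u {pgpuserid}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def safe_encrypt(recipient: str, pgpuserid: str) -> str:
    """Fixed: an argv list and no shell, so each parameter is exactly one
    argument no matter what characters it contains."""
    argv: List[str] = ["echo", "pgp", "+batchmode", "-r", recipient, "-u", pgpuserid]
    return subprocess.run(argv, capture_output=True, text=True).stdout


# Tight allowlist for a key id or address; anything else is refused up front.
PARAM_RE = re.compile(r"^[A-Za-z0-9._@+-]{1,128}$")


def validate_param(value: str) -> str:
    """Defence in depth: refuse the value before it reaches any command,
    argv-based or not."""
    if not PARAM_RE.match(value):
        raise ValueError(f"rejected parameter {value!r}")
    return value


def demo() -> dict:
    """Run the same attacker value through both patterns."""
    return {
        "vulnerable": vulnerable_encrypt(PAYLOAD, "webmaster"),
        "safe": safe_encrypt(PAYLOAD, "webmaster"),
    }


if __name__ == "__main__":
    out = demo()
    print("with shell:   ", repr(out["vulnerable"]))
    print("without shell:", repr(out["safe"]))
```

    With the shell in the loop the output has two lines, the second
    produced by the injected command; without it the whole value arrives
    as a single argument. In Perl the same distinction is the list form of
    system() or open() with an explicit argument list versus a single
    interpolated string.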

    *** {01.49.022} Cross - frox ftp proxy MDTM response overflow

    Versions 0.6.6 and prior of the frox transparent ftp proxy have
    been found to contain a buffer overflow in the handling of MDTM FTP
    responses. The vulnerability could allow a malicious FTP server to
    execute arbitrary code under the frox daemon's privileges.

    The vendor has confirmed this vulnerability. Version 0.6.7 has been
    released at:
    http://frox.sourceforge.net/

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-11/0285.html

    *** {01.49.024} Cross - Lotus Notes https listener DoS

    An advisory has been released indicating that Lotus Notes versions
    5.08 and prior shipped with an https (SSL) listener that is vulnerable
    to a denial of service attack. The bug can be triggered by running an
    nmap RPC scan (-sR) against the https port (443); the result is a
    service crash.

    This vulnerability has been confirmed and fixed in version 5.09.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-11/0302.html

    *** {01.49.026} Cross - Allaire JRun SSI source code disclosure

    Versions 3.1 and prior of Allaire's JRun have been found to contain a
    vulnerability whereby a remote attacker can trick the SSI (server-side
    include) component into executing arbitrary SSI commands. This allows
    the remote attacker to view the contents of files, particularly JSP
    source code.

    Allaire/Macromedia has confirmed this vulnerability. A workaround is
    available at:
    http://www.allaire.com/handlers/index.cfm?ID=22235&Method=Full

    Source: Allaire/Macromedia
    http://archives.neohapsis.com/archives/vendor/2001-q4/0036.html

    *** {01.49.027} Cross - Allaire JRun Web directory browsing

    Allaire's JRun version 3.1 has been found to contain a vulnerability
    that could allow a remote attacker to gain directory listings of
    various Web directories by appending particular characters to the
    requested URL.

    Allaire has confirmed this vulnerability. A workaround is available at:
    http://www.allaire.com/handlers/index.cfm?ID=22236&Method=Full

    Source: Allaire/Macromedia
    http://archives.neohapsis.com/archives/vendor/2001-q4/0036.html

    *** {01.49.028} Cross - Allaire JRun duplicate session ID leak

    Versions 3.1 and prior of Allaire's JRun contain a vulnerability
    whereby a particular request to an application may result in the
    server reusing an active session ID, which allows the current session
    to be hijacked.

    Allaire/Macromedia has confirmed this vulnerability. A hot fix is
    available at:
    http://www.allaire.com/handlers/index.cfm?ID=22234&Method=Full

    Source: Allaire/Macromedia
    http://www.allaire.com/handlers/index.cfm?ID=22234&Method=Full

    *** {01.49.029} Cross - Multiple vulnerabilities in Easynews CGI

    Easynews CGI version 1.5 from easyscripts.power-gaming.de reportedly
    contains multiple vulnerabilities: overwriting .dat files (databases
    and templates used by Easynews); cross-site scripting problems;
    storage of authentication information in plain text; and information
    exposure that yields the physical path of the Web root.

    These vulnerabilities have not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-12/0000.html

    - --- Tool Announcements News --------------------------------------------

    *** {01.49.020} Tools - Snort 1.8.3 available

    Snort 1.8.3 has been released. Those of you who use the open source
    IDS might be interested in some of the bug fixes and new features of
    this version.

    It can be downloaded from:
    http://www.snort.org/releases/snort-1.8.3.tar.gz

    Source: Snort
    http://archives.neohapsis.com/archives/snort/2001-11/0990.html

    ************************************************************************

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (BSD/OS)
    Comment: For info see http://www.gnupg.org

    iD8DBQE8D9w8+LUG5KFpTkYRAqCkAJ4osQKNWovAXq8IXyMMKg1m1Bb3JwCfTlQl
    ml/ITOkxHdPzl5gGoXJKjIQ=
    =4mhy
    -----END PGP SIGNATURE-----
    ------------------------------------------------------------------------


    Become a Security Alert Consensus member! If this e-mail was passed
    to you and you would like to begin receiving our security e-mail
    newsletter on a weekly basis, we invite you to subscribe today.
    http://www.sans.org/sansnews/

    We are signing the Consensus newsletter
    with PGP. The new SANS PGP key is posted at:
    http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46
    and can be accessed from the SANS Web site (http://www.sans.org).

    Special Note: To better secure your confidential information,
    we will no longer include personal URLs in our Consensus
    newsletter mailings. Instead, we have created a new form
    (http://www.sans.org/sansurl). On this form you can enter the SD
    number located near your name at the top of the newsletter. When you
    submit this form, an e-mail containing a URL will be sent to you at
    the e-mail address on record. With this URL you can make changes to
    your account (edit the content of your Consensus mailing, for example)
    without endangering the security of your personal URL. If you'd like
    to change your e-mail address or other information, or unsubscribe
    to this newsletter, please visit your new URL as described above. If
    you have any problems or questions, e-mail us at <consensusnwc.com>.

    Missed an issue? You can find all back issues of
    Security Alert Consensus (and Security Express) online.
    http://archives.neohapsis.com/

    Your opinion counts. We'd like to hear your thoughts on Security Alert
    Consensus. E-mail any questions or comments to <consensusnwc.com>.

    Copyright (c) 2001 Network Computing, a CMP Media LLC
    publication. All Rights Reserved. Distributed by Network
    Computing (http://www.networkcomputing.com) and The SANS Institute
    (http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
    security assessment and integration services consulting group
    (infoneohapsis.com | http://www.neohapsis.com/).