From: Network Computing and The SANS Institute (sans+ZZ22811122250567248@sans.org)
Date: Thu Jan 10 2002 - 17:15:41 CST
To: Security Express (SD397643)
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 001 (02.01)
Thursday, January 10, 2002
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to SANS' distribution of the Security Alert Consensus.
----------------------------------------------------------------------
Sponsored by the Center for Internet Security
Which Consulting Firm Should You Choose For an Important Security Audit?
The answer will be announced March 20 (at the FOSE Conference in
Washington) when the names of the first three CIS Certified Security
Consulting Organizations are released to the public. For more
information about the benchmarks, review the web site at
http://www.cisecurity.org and contact Clint Kreitner at
ckreitner@cisecurity.org
----------------------------------------------------------------------
Since it's a new year, the SAC item numbers have progressed to the
next numbering series. Just a reminder, the SAC item numbers follow
a pattern of "{XX.YY.ZZZ}." The 'XX' portion is the year, the 'YY'
portion is the issue number and the 'ZZZ' value is the item within
that issue. So {02.01.003} is the third item in the first issue of year
2002. SAC item numbers are used to reference older items, particularly
those concerning updates and patches. Item numbers are independent
of platform categories, so you may find that some item numbers are
missing if you have not subscribed to all the various categories.
If you missed an issue, that's OK. All past SAC issues are available
online at:
http://archives.neohapsis.com/archives/sac/
Until next week,
--Security Alert Consensus Team
************************************************************************
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
TABLE OF CONTENTS:
{02.01.004} Win - AOLServer '.' appension authentication bypass
{02.01.021} Win - Update {01.51.026}: CentraOne log file info disclosure
{02.01.024} Win - AOL Instant Messenger Buffer Overflow Resolved
{02.01.026} Win - BEA WebLogic DOS device file name DoS
{02.01.027} Win - Savant Web server large URL DoS
{02.01.015} Linux - Update {01.51.024}: glibc glob()/globfree()
vulnerability
{02.01.016} Linux - Update {01.48.020}: libgtop_daemon syslog() format
string vulnerability
{02.01.019} Linux - Update {01.52.020}: Exim local pipe forward/command
execution
{02.01.025} Linux - Update {01.49.016}: mailman listinfo CGI CSS
vulnerability
{02.01.007} AIX - Update {01.51.009}: /bin/login command line
environment overflow
{02.01.018} HPUX - File system deadlock DoS
{02.01.005} NApps - Linksys DSL router SNMP possible DDoS vulnerability
{02.01.010} NApps - Cisco UBR900 series SNMP auth bypass
{02.01.001} Cross - Lynx syslog() URL format string vulnerability
{02.01.002} Cross - stunnel format string vulnerability
{02.01.003} Cross - Mutt e-mail address handling overflow
{02.01.006} Cross - Multiple Oracle9iAS Web cache vulnerabilities
{02.01.008} Cross - gpm-root format string vulnerabilities
{02.01.009} Cross - Cherokee Web server file traversal
{02.01.011} Cross - Multiple DayDream BBS vulnerabilities
{02.01.012} Cross - Zml.cgi file parameter file reading
{02.01.013} Cross - grpck/pwck command line overflow
{02.01.014} Cross - Linux encrypted loop device data relocation
{02.01.017} Cross - UCD snmpnetstat interface list heap overflow
{02.01.020} Cross - Virusexperts.com QwikAd referer SQL injection
{02.01.022} Cross - PHP Rocket Addin page parameter file reading
{02.01.023} Cross - Lastlines.cgi command execution
{02.01.028} Cross - Multiple Bugzilla vulnerabilities
--- Windows News -------------------------------------------------------
*** {02.01.004} Win - AOLServer '.' appension authentication bypass
A bug has been found in AOLServer version 3.4.2 running on the
Windows platform. By appending a '.' character to the request URL
file name, it's possible to retrieve files that would normally require
authentication.
This vulnerability has not been confirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0005.html
*** {02.01.021} Win - Update {01.51.026}: CentraOne log file info
disclosure
Centra has confirmed the vulnerability discussed in {01.51.026}
("CentraOne log file info disclosure").
The proper solution is to upgrade to version 5.3.
Source: NTBugtraq
http://archives.neohapsis.com/archives/ntbugtraq/2001-q4/0205.html
*** {02.01.024} Win - AOL Instant Messenger Buffer Overflow Resolved
AOL recently learned of an issue when sending a Game invitation
in its AOL Instant Messenger(TM) software that could be exploited
to compromise the security of an AIM user's PC. AOL has made
changes to our instant messaging infrastructure to resolve the
issue. Because these changes were made to the AOL infrastructure,
all users automatically take advantage of the fix without the need
of obtaining a patch or new client software.
This vulnerability has been resolved.
Source: VulnWatch
http://www.aim.com/index.adp?aolperm=h#?aolperm=h
*** {02.01.026} Win - BEA WebLogic DOS device file name DoS
BEA's WebLogic application server version 6.1sp1 has been found
vulnerable to a denial of service situation whereby a remote attacker
requests a file name containing a DOS device name ('aux', 'con'
and so on).
The vendor has confirmed this vulnerability and released service pack
2 to address the problem.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0006.html
*** {02.01.027} Win - Savant Web server large URL DoS
The Savant HTTP server version 3.0 has been found to crash
when a remote attacker submits a large URL containing a lot of
'.' characters. This results in a denial of service situation.
This vulnerability has not been confirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0004.html
--- Linux News ---------------------------------------------------------
*** {02.01.015} Linux - Update {01.51.024}: glibc glob()/globfree()
vulnerability
Conectiva has released updated glibc packages, which fix the
vulnerability discussed in {01.51.024} ("glibc glob()/globfree()
vulnerability").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/conectiva/2002-q1/0000.html
Source: Conectiva
http://archives.neohapsis.com/archives/linux/conectiva/2002-q1/0000.html
*** {02.01.016} Linux - Update {01.48.020}: libgtop_daemon syslog()
format string vulnerability
Debian and Conectiva have released updated libgtop packages, which fix
the vulnerability discussed in {01.48.020} ("libgtop_daemon syslog()
format string vulnerability").
Updated Conectiva RPMs:
http://archives.neohapsis.com/archives/linux/conectiva/2002-q1/0001.html
Updated Debian DEBs:
http://archives.neohapsis.com/archives/vendor/2002-q1/0000.html
Source: Conectiva, Debian
http://archives.neohapsis.com/archives/linux/conectiva/2002-q1/0001.html
http://archives.neohapsis.com/archives/vendor/2002-q1/0000.html
*** {02.01.019} Linux - Update {01.52.020}: Exim local pipe
forward/command execution
RedHat and Debian have released updated Exim packages, which
fix the vulnerability discussed in {01.52.020} ("Exim local pipe
forward/command execution").
Updated RedHat RPMs:
http://archives.neohapsis.com/archives/bugtraq/2002-01/0079.html
Updated Debian DEBs:
http://archives.neohapsis.com/archives/vendor/2001-q4/0066.html
Source: Debian, RedHat (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2002-01/0079.html
http://archives.neohapsis.com/archives/vendor/2001-q4/0066.html
*** {02.01.025} Linux - Update {01.49.016}: mailman listinfo CGI CSS
vulnerability
RedHat has released updated mailman packages, which fix the
vulnerability discussed in {01.49.016} ("mailman listinfo CGI CSS
vulnerability").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/bugtraq/2002-01/0003.html
Source: RedHat
http://archives.neohapsis.com/archives/bugtraq/2002-01/0003.html
--- AIX News -----------------------------------------------------------
*** {02.01.007} AIX - Update {01.51.009}: /bin/login command line
environment overflow
IBM has released APAR IY26443, which fixes the vulnerability discussed
in {01.51.009} ("/bin/login command line environment overflow"). The
tsmlogin binary in AIX is vulnerable.
Source: IBM
http://archives.neohapsis.com/archives/aix/2001-q4/0011.html
--- HP-UX News ---------------------------------------------------------
*** {02.01.018} HPUX - File system deadlock DoS
HP has released patches for HP-UX 10.200 through 11.11, which fix the
potential for a local user to cause a deadlock in the file system,
thus putting the system in a hung state and causing a denial of
service situation.
Apply the applicable patch:
HPUX 10.20/700: PHKL_24517
HPUX 10.20/800: PHKL_24518
HPUX 11.00: PHKL_22932
HPUX 11.04: PHKL_25033
HPUX 11.11: PHKL_23335
Source: HP
http://archives.neohapsis.com/archives/hp/2002-q1/0004.html
--- Network Appliances News --------------------------------------------
*** {02.01.005} NApps - Linksys DSL router SNMP possible DDoS
vulnerability
An advisory has surfaced indicating that various Linksys DSL routers,
including the BEFN2PS4 and BEFSR81, will send SNMP diagnostic trap
messages to the last address to properly query the SNMP service. If the
default community string is unchanged (and Linksys does not provide
a way to do this), then it's potentially possible to spoof an SNMP
query. This in turn triggers the device to start sending the SNMP
traps to the spoofed target.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-01/0061.html
*** {02.01.010} NApps - Cisco UBR900 series SNMP auth bypass
To meet the DOCSIS requirement, it appears that the Cisco UBR900 series
cable modem routers allow a remote attacker to perform an SNMP read
query using any community string. Since many default configurations
do not include a read-write community name, it may then be possible
to change values using any read-only name.
The advisory indicates vendor confirmation.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0002.html
--- Cross-Platform News ------------------------------------------------
*** {02.01.001} Cross - Lynx syslog() URL format string vulnerability
Lynx versions 2.8.5dev5 and prior contain a bug in the logging of
URLs, which could allow a malicious Web site to execute arbitrary
code under the user's privileges. This bug is only present when Lynx
is compiled with the '--enable-syslog' option (which appears to be
the case with the FreeBSD port).
This vulnerability has not been confirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0084.html
*** {02.01.002} Cross - stunnel format string vulnerability
stunnel versions 3.15 through 3.21c contain remotely exploitable
format string vulnerabilities in the handling of POP, NNTP and SMTP
protocol negotiations. Malicious servers may exploit users who use
stunnel in client mode.
A patch is available at:
http://www.stunnel.org/patches/desc/formatbug_ml.html
Updated EnGarde RPMs:
http://archives.neohapsis.com/archives/linux/engarde/2001-q4/0014.html
Updated RedHat RPMs:
http://archives.neohapsis.com/archives/bugtraq/2002-01/0075.html
Source: EnGarde, RedHat, SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/linux/engarde/2001-q4/0014.html
http://archives.neohapsis.com/archives/bugtraq/2001-12/0279.html
http://archives.neohapsis.com/archives/bugtraq/2002-01/0075.html
*** {02.01.003} Cross - Mutt e-mail address handling overflow
A buffer overflow has been found in Mutt's handling of e-mail
addresses, which could potentially allow a malicious e-mail to execute
arbitrary code. Mutt versions 1.2.5 and prior, as well as 1.3.24 and
prior, are vulnerable.
Patches/updated mutt source tarballs are available at:
ftp://ftp.mutt.org/pub/mutt/
Updated Debian DEBs:
http://archives.neohapsis.com/archives/vendor/2001-q4/0064.html
Updated SuSE RPMs:
http://archives.neohapsis.com/archives/linux/suse/2002-q1/0093.html
Updated Trustix RPMs:
http://archives.neohapsis.com/archives/bugtraq/2002-01/0068.html
Updated Conectiva RPMs:
http://archives.neohapsis.com/archives/linux/conectiva/2002-q1/0002.html
Updated RedHat RPMs:
http://archives.neohapsis.com/archives/bugtraq/2002-01/0074.html
Source: Debian, SuSE, Trustix, Conectiva, RedHat, SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-01/0001.html
http://archives.neohapsis.com/archives/vendor/2001-q4/0064.html
http://archives.neohapsis.com/archives/linux/suse/2002-q1/0093.html
http://archives.neohapsis.com/archives/bugtraq/2002-01/0068.html
http://archives.neohapsis.com/archives/linux/conectiva/2002-q1/0002.html
http://archives.neohapsis.com/archives/bugtraq/2002-01/0074.html
*** {02.01.006} Cross - Multiple Oracle9iAS Web cache vulnerabilities
The Oracle9iAS Web Cache has been found to contain multiple
vulnerabilities, including weak encryption used to obfuscate the
Web cache administrative password (which is also readable by local
users). It's also possible for local users to execute commands and
overwrite files under user 'oracle' privileges.
Oracle has confirmed these vulnerabilities. Update information is
available at:
http://otn.oracle.com/deploy/security/pdf/webcache2.pdf
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-01/0064.html
*** {02.01.008} Cross - gpm-root format string vulnerabilities
Debian has released an advisory indicating the suid gpm-root
application contains locally exploitable format string vulnerabilities,
which allow a local attacker to execute arbitrary code with root
privileges.
Updated DEBs are listed at:
http://archives.neohapsis.com/archives/vendor/2001-q4/0063.html
Source: Debian
http://archives.neohapsis.com/archives/vendor/2001-q4/0063.html
*** {02.01.009} Cross - Cherokee Web server file traversal
Cherokee Web server version 0.2.0 has been found to allow a remote
attacker to access arbitrary files outside the Webroot by using
'..' notation in a URL request.
This vulnerability has not been confirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0085.html
*** {02.01.011} Cross - Multiple DayDream BBS vulnerabilities
The DayDream BBS software has been found to contain multiple buffer
overflows and format string vulnerabilities in some file control
codes and menu commands.
Some of these vulnerabilities have been confirmed and fixed in the
latest version.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-12/0300.html
http://archives.neohapsis.com/archives/bugtraq/2001-12/0301.html
*** {02.01.012} Cross - Zml.cgi file parameter file reading
Jero.cc's zml.cgi CGI script has been found to not properly filter
out '..' notation from the 'file' URL parameter, thereby allowing a
remote attacker to view files readable by the Web server.
This vulnerability has not been confirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0086.html
*** {02.01.013} Cross - grpck/pwck command line overflow
An advisory has surfaced indicating that suid versions of the grpck
and pwck commands found in IRIX and some Linux distributions contain a
buffer overflow in the handling of long command line arguments. This
could potentially allow a local attacker to execute arbitrary code
with elevated privileges.
This vulnerability has not been confirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0000.html
*** {02.01.014} Cross - Linux encrypted loop device data relocation
An interesting research paper released last week indicates the
potential for an attacker to shift around data within an encrypted
file used via a Linux loopback device. Because of the particular
crypto methods involved, it's possible to relocate already encrypted
blocks to other locations, where they would still be accepted as valid.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-01/0010.html
*** {02.01.017} Cross - UCD snmpnetstat interface list heap overflow
The snmpnetstat utility included with the UCD-SNMP tools package
contains a vulnerability whereby a malicious SNMP server can trigger
a heap overflow when returning the information associated with the
server's network interfaces. This allows the malicious server to
execute arbitrary code on the user's system.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-01/0017.html
*** {02.01.020} Cross - Virusexperts.com QwikAd referer SQL injection
Virusexperts.com's QwikAd CGI suite has been found vulnerable to
SQL injection via the HTTP referer header, thereby allowing a remote
attacker to execute arbitrary SQL commands on the backend SQL database.
This vulnerability has not been confirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0083.html
*** {02.01.022} Cross - PHP Rocket Addin page parameter file reading
The PHP Rocket Addin CGI suite has been found to not properly filter
malicious characters out of the 'page' URL parameter, thereby allowing
a remote attacker to use reverse directory traversal notation and
view files readable by the Web server.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-12/0285.html
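Items {02.01.004}, {02.01.009}, {02.01.012}, {02.01.022}, {02.01.026} and {02.01.027} are all variants of one mistake: a Web server or CGI script maps a client-supplied URL path onto a file name without first reducing it to a canonical form. The following is an added example (not code from any of the products above) of how a file-serving component can canonicalize a request path before any authorization decision is made and before touching the file system. It rejects '..' segments outright, strips the trailing '.' that fooled AOLServer, refuses the DOS/Windows reserved device names that crashed WebLogic, caps the URL length, and finally checks the resolved real path against the document root so a symlink cannot lead outside it. The document root, the sample files and the MAX_URL_LEN limit are constructed for the demonstration and are assumptions, not values from the advisories.

```python
import os
import tempfile
from urllib.parse import unquote

# DOS/Windows reserved device names (cf. {02.01.026}). Matched case-insensitively
# on the part of the segment before the first '.', so 'con.gif' is caught too.
_RESERVED = ({"CON", "PRN", "AUX", "NUL"}
             | {f"COM{i}" for i in range(1, 10)}
             | {f"LPT{i}" for i in range(1, 10)})

MAX_URL_LEN = 2048  # assumed limit; Savant crashed on very long URLs ({02.01.027})


class BadRequestPath(ValueError):
    """Raised for any request path the server refuses to map to a file."""


def canonical_request_path(url_path: str) -> str:
    """Decode and normalise a URL path purely lexically.

    The result starts with '/', has no empty, '.' or '..' segments and no
    trailing dots or spaces on any segment, so that an access rule keyed on
    the name cannot be sidestepped by a cosmetic variant ({02.01.004}).
    """
    if len(url_path) > MAX_URL_LEN:
        raise BadRequestPath("URL too long")
    decoded = unquote(url_path)            # '%2e%2e' becomes '..'
    if "\x00" in decoded or "\\" in decoded:
        raise BadRequestPath("forbidden character in path")
    if not decoded.startswith("/"):
        raise BadRequestPath("path must be absolute")
    segments = []
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            # Refuse rather than silently resolve: a client sending '..' is not
            # asking for anything the server intends to publish.
            raise BadRequestPath("parent-directory traversal")
        seg = seg.rstrip(". ")             # 'secret.txt.' -> 'secret.txt'
        if not seg:
            raise BadRequestPath("empty segment")
        if seg.split(".", 1)[0].upper() in _RESERVED:
            raise BadRequestPath("reserved device name")
        segments.append(seg)
    return "/" + "/".join(segments)


def reject_reason(url_path: str):
    """Return None if the path is acceptable, else the reason it is refused."""
    try:
        canonical_request_path(url_path)
    except BadRequestPath as exc:
        return str(exc)
    return None


def map_to_docroot(docroot: str, url_path: str) -> str:
    """Map a request path to a file under docroot, or raise BadRequestPath.

    The lexical check is defence in depth; the realpath comparison is what
    guarantees the result stays inside the document root even when a symlink
    under docroot points elsewhere.
    """
    rel = canonical_request_path(url_path).lstrip("/")
    root = os.path.realpath(docroot)
    target = os.path.realpath(os.path.join(root, rel))
    if os.path.commonpath([root, target]) != root:
        raise BadRequestPath("resolved outside document root")
    return target


def demo() -> dict:
    """Build a throwaway document root (constructed here) and exercise the mapper."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "htdocs")
        os.mkdir(root)
        with open(os.path.join(root, "index.html"), "w") as fh:
            fh.write("<h1>hello</h1>")
        with open(os.path.join(tmp, "outside.txt"), "w") as fh:
            fh.write("not published")
        os.symlink(tmp, os.path.join(root, "escape"))   # symlink pointing above docroot
        results = {}
        for req in ("/index.html", "/index.html.", "/escape/outside.txt",
                    "/../outside.txt", "/images/con.gif"):
            try:
                map_to_docroot(root, req)
                results[req] = "allowed"
            except BadRequestPath as exc:
                results[req] = str(exc)
        return results


if __name__ == "__main__":
    for req, verdict in demo().items():
        print(f"{req:24} {verdict}")
```

Note that canonicalization runs before the authorization check and before the file is opened; comparing the canonical name, not the raw URL, is what closes the AOLServer-style bypass, and the realpath comparison is what closes the symlink case that no lexical rule can see.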
*** {02.01.023} Cross - Lastlines.cgi command execution
The lastlines.cgi CGI script by David Powell does not properly filter
user data before passing it to a Perl open() command, thereby allowing
a remote attacker to execute arbitrary command line commands under
the privileges of the Web server.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-12/0298.html
*** {02.01.028} Cross - Multiple Bugzilla vulnerabilities
Bugzilla prior to version 2.14.1 contains multiple security
vulnerabilities, including user account hijacking, restricted data
viewable by unauthorized users, SQL injection and cross-site scripting.
These vulnerabilities have been confirmed and fixed in either version
2.14.1 or the current CVS version (2.15).
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-01/0034.html
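Both {02.01.020} (QwikAd, injection through the HTTP Referer header) and {02.01.028} (Bugzilla) come down to request data being spliced into an SQL statement as text. The following added example (not QwikAd's or Bugzilla's code) shows the pattern on a constructed in-memory SQLite table of ad hits: the vulnerable query pastes the Referer header into the statement, so a header containing a quote rewrites the WHERE clause and the count covers every row, while the parameterized query treats the same header as a plain value and matches nothing. Table layout and sample rows are assumptions made up for the demonstration.

```python
import sqlite3

# Constructed sample data: a small click log of the kind an ad-serving CGI keeps.
SAMPLE_HITS = [
    ("http://partner-a.example/", "ad-1"),
    ("http://partner-a.example/", "ad-2"),
    ("http://partner-b.example/page", "ad-1"),
    ("", "ad-3"),                       # request that carried no Referer header
]


def make_db() -> sqlite3.Connection:
    """Create the in-memory table and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hits (referer TEXT NOT NULL, ad TEXT NOT NULL)")
    conn.executemany("INSERT INTO hits VALUES (?, ?)", SAMPLE_HITS)
    return conn


def hits_from_referer_vulnerable(conn: sqlite3.Connection, referer: str) -> int:
    # The Referer header is client-controlled text, yet it is pasted straight
    # into the statement: a quote character in it changes the query itself.
    sql = f"SELECT COUNT(*) FROM hits WHERE referer = '{referer}'"
    return conn.execute(sql).fetchone()[0]


def hits_from_referer_safe(conn: sqlite3.Connection, referer: str) -> int:
    # Parameter binding sends the header as data; the statement's structure is
    # fixed before the value is ever seen, so no header content can alter it.
    sql = "SELECT COUNT(*) FROM hits WHERE referer = ?"
    return conn.execute(sql, (referer,)).fetchone()[0]


def demo() -> dict:
    """Run an honest and a quote-bearing Referer through both versions."""
    conn = make_db()
    honest = "http://partner-a.example/"
    crafted = "x' OR '1'='1"
    return {
        "honest_vulnerable": hits_from_referer_vulnerable(conn, honest),
        "honest_safe": hits_from_referer_safe(conn, honest),
        # WHERE clause became "referer = 'x' OR '1'='1'", i.e. always true
        "crafted_vulnerable": hits_from_referer_vulnerable(conn, crafted),
        # no row has that literal referer string
        "crafted_safe": hits_from_referer_safe(conn, crafted),
    }


if __name__ == "__main__":
    for name, count in demo().items():
        print(f"{name:20} {count}")
```

The same distinction applies to every header, cookie and form field: the statement text stays constant and the value travels through the driver's parameter mechanism, which is what removes the class of bug rather than filtering individual characters.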
************************************************************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (BSD/OS)
Comment: For info see http://www.gnupg.org
iD8DBQE8Phiz+LUG5KFpTkYRAvuXAJ9232sHaiDlr/RwNptkqq9ggtTe1gCggVdc
QrZ0FijLdjEzB4BVhkJjcJQ=
=Le7b
-----END PGP SIGNATURE-----
----------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed
to you and you would like to begin receiving our security e-mail
newsletter on a weekly basis, we invite you to subscribe today.
http://www.sans.org/sansnews/
We are signing the Consensus newsletter
with PGP. The new SANS PGP key is posted at:
http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46
and can be accessed from the SANS Web site (http://www.sans.org).
Special Note: To better secure your confidential information,
we will no longer include personal URLs in our Consensus
newsletter mailings. Instead, we have created a new form
(http://www.sans.org/sansurl). On this form you can enter the SD
number located near your name at the top of the newsletter. When you
submit this form, an e-mail containing a URL will be sent to you at
the e-mail address on record. With this URL you can make changes to
your account (edit the content of your Consensus mailing, for example)
without endangering the security of your personal URL. If you'd like
to change your e-mail address or other information, or unsubscribe
to this newsletter, please visit your new URL as described above. If
you have any problems or questions, e-mail us at <consensus@nwc.com>.
Missed an issue? You can find all back issues of
Security Alert Consensus (and Security Express) online.
http://archives.neohapsis.com/
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2002 Network Computing, a CMP Media LLC
publication. All Rights Reserved. Distributed by Network
Computing (http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).