From: Network Computing and The SANS Institute (sans+ZZ06016924497846342sans.org)
Date: Thu May 23 2002 - 20:23:25 CDT

    To: Security Express (SD397643)
    Re: Your personalized newsletter

                      -- Security Alert Consensus --
                           Number 020 (02.20)
                         Thursday, May 23, 2002
                           Created for you by
                 Network Computing and the SANS Institute
                          Powered by Neohapsis

    ----------------------------------------------------------------------

    Welcome to SANS' distribution of the Security Alert Consensus.

    ----------------------------------------------------------------------

    Sponsored by VeriSign - The Value of Trust

    Secure all your Web servers now - with a proven 5-part strategy.

    The FREE Server Security Guide shows you how:

    - DEPLOY THE LATEST ENCRYPTION and authentication techniques
    - DELIVER TRANSPARENT PROTECTION with the strongest security without
    disrupting users.

    And more. Get your FREE Guide now:
    http://www.verisign.com/cgi-bin/go.cgi?a=n06120091000057000

    ----------------------------------------------------------------------

    First off, last week we incorrectly identified item {02.19.012} as a
    buffer overflow pertaining to wu-imapd, when in fact it was uw-imapd,
    also known as just plain 'imapd.' Thanks to Michael Vincenc for
    pointing out our mistake.

    Next, there has been some interesting discussion on the SecurityFocus
    Vuln-Dev list concerning Xerox DocuTech printers, which ship with and
    are supported on Windows and Sun systems. Basically, the bundled
    Windows/Sun boxes are default installs, right down to the passwords.
    Have you thought about securing your printer installation? Oh, and the
    catch is that in order to maintain a support contract with Xerox,
    you really can't change things around. Feel free to read over the
    "Xerox DocuTech problems" thread at:
    http://archives.neohapsis.com/archives/vuln-dev/2002-q2/thread.html

    Lastly, you may have heard about it via other outlets, but we figured
    we should include a quick blurb here anyway: A Microsoft SQL worm is
    running around and preying on installations that have never set a
    password on the 'sa' account. If you have an Internet-accessible
    Microsoft SQL Server with no password on the sa account, then you need
    to change it immediately (we hoped this would be common sense).

    Until next week,
    --Security Alert Consensus Team

    ************************************************************************


    TABLE OF CONTENTS:

    {02.20.003} Win - Update {02.19.012}: (uw-)imapd BODY command overflow
    {02.20.013} Win - MS02-023: May 2002 Cumulative Patch for Internet
                Explorer
    {02.20.014} Win - PGP interacts with Windows EFS to expose files
    {02.20.026} Win - Hosting Controller CGI file manipulation and browsing
    {02.20.027} Win - IMail LDAP service 'bind DN' overflow
    {02.20.001} Linux - SuSE shadow scripts allow file tampering
    {02.20.002} Linux - lukemftp PASV server response overflow
    {02.20.004} Linux - Update {02.18.023}: Mozilla XML HTTP Request file
                disclosure
    {02.20.005} Linux - Update {02.16.027}: OpenSSH AFS/Kerberos support
                overflow
    {02.20.010} Linux - Update {02.10.016}: GNU fileutils recursive symlink
                attack
    {02.20.011} Linux - Update {01.30.001}: tcpdump AFS parsing overflow (2)
    {02.20.012} Linux - Update {02.08.034}: PHP file upload vulnerabilities
    {02.20.029} Linux - Linux/KDE talkd format string vulnerability
    {02.20.023} BSD - k5su lacks normal su checks
    {02.20.024} BSD - FreeBSD ports collection security updates
    {02.20.028} Sol - Answerbook2 gettransbitmap CGI file name overflow
    {02.20.009} AIX - cspoc.log exposes encrypted password
    {02.20.007} SCO - Update {01.22.024}: yppasswdd RPC service buffer
                overflow
    {02.20.018} NApps - Cisco cache/content engine default proxy
                vulnerability
    {02.20.019} NApps - Cisco CSS Web admin service HTTP POST DoS
    {02.20.006} Cross - mpg123 network stream overflow
    {02.20.008} Cross - fetchmail large e-mail index overflow
    {02.20.015} Cross - Update {02.09.027}: Java applets can hijack HTTP
                proxy connections
    {02.20.016} Cross - Opera browser cross-frame scripting vulnerability
    {02.20.017} Cross - Quake2 server cvar leak
    {02.20.020} Cross - Phorum CGI plugin.php script execution
    {02.20.021} Cross - OpenSSH 3.2.2 released
    {02.20.022} Cross - ViewCVS CGI CSS vulnerability
    {02.20.025} Cross - bzip2 insecure temp file handling and overwrite
                vulnerabilities

    --- Windows News -------------------------------------------------------

    *** {02.20.003} Win - Update {02.19.012}: (uw-)imapd BODY command
                    overflow

    Caldera released updated imapd packages, which fix the vulnerability
    discussed in {02.19.012} ("uw-imapd BODY command overflow").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0013.html

    Source: Caldera
    http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0013.html

    *** {02.20.013} Win - MS02-023: May 2002 Cumulative Patch for Internet
                    Explorer

    Microsoft released MS02-023 ("May 2002 Cumulative Patch for
    Internet Explorer"). This cumulative patch fixes six new security
    vulnerabilities in Internet Explorer, including the ability to
    execute arbitrary applications, local file reading, cookie reading
    and a local cross-site scripting vulnerability.

    FAQ and patch:
    http://www.microsoft.com/technet/security/bulletin/MS02-023.asp

    Source: Microsoft
    http://archives.neohapsis.com/archives/vendor/2002-q2/0033.html

    *** {02.20.014} Win - PGP interacts with Windows EFS to expose files

    PGP version 7.0.3 includes an option to "wipe deleted files." If
    enabled, this option interacts with Windows EFS (Encrypting File System)
    in a manner that could leave unencrypted copies of EFS-protected
    files lying around on disk.

    NAI confirmed this vulnerability and released a hot fix, which is
    available at:
    http://www.nai.com/naicommon/download/upgrade/upgrades-patch.asp

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-05/0052.html

    *** {02.20.026} Win - Hosting Controller CGI file manipulation and
                    browsing

    The Hosting Controller ASP CGI suite contains bugs that allow users of
    the Hosting Controller software to view and take over files on the
    local system by submitting various malformed URL requests to the CGI
    pages.

    These vulnerabilities are not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-05/0142.html
    http://archives.neohapsis.com/archives/bugtraq/2002-05/0168.html

    *** {02.20.027} Win - IMail LDAP service 'bind DN' overflow

    Ipswitch IMail versions 7.1 and prior reportedly contain a buffer
    overflow in the handling of the 'bind DN' parameter passed to the
    internal LDAP service, thereby allowing a remote attacker to execute
    arbitrary code with local system privileges.

    This vulnerability is confirmed; a vendor patch is available at:
    http://www.ipswitch.com/Support/IMail/patch-upgrades.html

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-05/0172.html

    --- Linux News ---------------------------------------------------------

    *** {02.20.001} Linux - SuSE shadow scripts allow file tampering

    SuSE released an advisory indicating that the various utilities
    shipped with SuSE for modifying /etc/passwd and /etc/shadow entries
    allow a local attacker to potentially corrupt these files.

    SuSE confirmed this vulnerability and released updated RPMs, which
    are listed at:
    http://archives.neohapsis.com/archives/linux/suse/2002-q2/0628.html

    Source: SuSE
    http://archives.neohapsis.com/archives/linux/suse/2002-q2/0628.html

    *** {02.20.002} Linux - lukemftp PASV server response overflow

    The lukemftp client shipped with SuSE contains a buffer overflow in
    the handling of passive FTP command responses, thereby allowing a
    malicious FTP server to execute arbitrary code on the client.

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/suse/2002-q2/0632.html

    Source: SuSE
    http://archives.neohapsis.com/archives/linux/suse/2002-q2/0632.html

    *** {02.20.004} Linux - Update {02.18.023}: Mozilla XML HTTP Request
                    file disclosure

    Red Hat released updated mozilla packages, which fix the vulnerability
    discussed in {02.18.023} ("Mozilla XML HTTP Request file disclosure").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0052.html

    Source: Red Hat
    http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0052.html

    *** {02.20.005} Linux - Update {02.16.027}: OpenSSH AFS/Kerberos
                    support overflow

    Caldera released updated OpenSSH packages, which fix the vulnerability
    discussed in {02.16.027} ("OpenSSH AFS/Kerberos support overflow").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0014.html

    Source: Caldera
    http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0014.html

    *** {02.20.010} Linux - Update {02.10.016}: GNU fileutils recursive
                    symlink attack

    Mandrake released updated fileutils packages, which fix the
    vulnerability discussed in {02.10.016} ("GNU fileutils recursive
    symlink attack").

    Updated Mandrake RPMs are listed at:
    http://archives.neohapsis.com/archives/bugtraq/2002-05/0134.html

    Source: Mandrake (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2002-05/0134.html

    *** {02.20.011} Linux - Update {01.30.001}: tcpdump AFS parsing
                    overflow (2)

    Mandrake released updated tcpdump packages, which fix the vulnerability
    discussed in {01.30.001} ("tcpdump AFS parsing overflow (2)").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/bugtraq/2002-05/0138.html

    Source: Mandrake (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2002-05/0138.html

    *** {02.20.012} Linux - Update {02.08.034}: PHP file upload
                    vulnerabilities

    Caldera released updated PHP packages, which fix the vulnerability
    discussed in {02.08.034} ("PHP file upload vulnerabilities").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0015.html

    Source: Caldera
    http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0015.html

    *** {02.20.029} Linux - Linux/KDE talkd format string vulnerability

    The talkd daemon shipped with various Linux distributions, as well
    as KDE, contains a format string vulnerability in the print_mesg()
    function, thereby allowing a remote attacker to execute arbitrary
    code on the system.

    This vulnerability is not confirmed.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0073.html

    --- BSD News -----------------------------------------------------------

    *** {02.20.023} BSD - k5su lacks normal su checks

    FreeBSD released an advisory indicating that the k5su Kerberos
    application does not include the checks found in the normal su
    application. In particular, k5su ignores the user requirement to
    be in the wheel group before allowing a user to su to root. It also
    ignores password expiration and invalid shells.

    FreeBSD RELENG_4x as of May 16, 2002, contains the fixes.

    Source: FreeBSD
    http://archives.neohapsis.com/archives/freebsd/2002-05/0309.html

    *** {02.20.024} BSD - FreeBSD ports collection security updates

    FreeBSD released an advisory indicating that several ports applications
    were updated to fix security vulnerabilities. Those packages include:
    analog; radiusd-cistron; dnews; ethereal; icecast; isc-dhcp3; mozilla;
    mod_python; ntop; p5-SOAP-Lite; puf; sudo; webalizer; and xpilot.

    Source: FreeBSD
    http://archives.neohapsis.com/archives/freebsd/2002-05/0210.html

    --- Solaris News -------------------------------------------------------

    *** {02.20.028} Sol - Answerbook2 gettransbitmap CGI file name overflow

    The Answerbook2 suite versions 1.4.3 and prior contain a buffer
    overflow in the gettransbitmap CGI, thereby allowing a remote attacker
    to execute arbitrary code under user 'daemon' privileges.

    This vulnerability is not confirmed.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0071.html

    --- AIX News -----------------------------------------------------------

    *** {02.20.009} AIX - cspoc.log exposes encrypted password

    The clchkspuser and clpasswdremote utilities include the encrypted
    password in the cspoc.log file, potentially allowing the password to
    be recovered by a local user.

    IBM released APAR IY24556, which fixes the problem.

    Source: IBM
    http://archives.neohapsis.com/archives/aix/2002-q2/0011.html

    --- SCO News -----------------------------------------------------------

    *** {02.20.007} SCO - Update {01.22.024}: yppasswdd RPC service buffer
                    overflow

    Caldera/SCO released updated yppasswd packages, which fix the
    vulnerability discussed in {01.22.024} ("yppasswdd RPC service buffer
    overflow").

    Updated binaries are available at:
    ftp://stage.caldera.com/pub/security/openserver/CSSA-2002-SCO.1

    Source: Caldera/SCO
    http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0016.html

    --- Network Appliances News --------------------------------------------

    *** {02.20.018} NApps - Cisco cache/content engine default proxy
                    vulnerability

    Cisco's cache engine and content engine devices contain a default
    configuration that could allow an attacker to use the device as a
    proxy, thus hiding the attacker's source IP address from the final
    target.

    Cisco confirmed this vulnerability; the proper fix is to change the
    default configuration to limit the HTTPS proxy destination ports.

    Source: Cisco
    http://archives.neohapsis.com/archives/cisco/2002-q2/0009.html

    *** {02.20.019} NApps - Cisco CSS Web admin service HTTP POST DoS

    Cisco released an advisory indicating a denial-of-service condition
    that causes Cisco Content Service Switches to reboot when an attacker
    makes an HTTP POST request to the administrative Web interface.

    Cisco confirmed this vulnerability. A full upgrade matrix is listed at:
    http://archives.neohapsis.com/archives/cisco/2002-q2/0010.html

    Source: Cisco
    http://archives.neohapsis.com/archives/cisco/2002-q2/0010.html

    --- Cross-Platform News ------------------------------------------------

    *** {02.20.006} Cross - mpg123 network stream overflow

    The mpg123 utility contains a buffer overflow in the handling of
    malformed MP3 data, which potentially could be fed to the application
    via a remote network stream and result in the remote execution of
    arbitrary code.

    Red Hat confirmed this vulnerability and released updated RPMs,
    which are listed at:
    http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0058.html

    Source: Red Hat
    http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0058.html

    *** {02.20.008} Cross - fetchmail large e-mail index overflow

    Fetchmail prior to version 5.9.10 does not properly check to see if the
    amount of e-mail indicated by the server is outside internal fetchmail
    bounds, thereby allowing a malicious server to execute arbitrary
    code on the client system. The SAC team is not sure whether this
    vulnerability is related to the vulnerability reported as {01.33.005}.

    This vulnerability is confirmed. Updated Red Hat RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0064.html

    Source: Red Hat
    http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0064.html

    *** {02.20.015} Cross - Update {02.09.027}: Java applets can hijack
                    HTTP proxy connections

    Compaq released updated packages, which fix the vulnerability discussed
    in {02.09.027} ("Java applets can hijack HTTP proxy connections").

    Among the updated packages are Tru64, OpenVMS patches and Compaq
    management software, including Compaq Insight Manager.

    A full list of updates is available at:
    http://archives.neohapsis.com/archives/tru64/2002-q2/0021.html

    Source: Compaq
    http://archives.neohapsis.com/archives/tru64/2002-q2/0021.html

    *** {02.20.016} Cross - Opera browser cross-frame scripting
                    vulnerability

    Opera Web browser versions 6.01 and prior contain vulnerabilities
    in the handling of frames and iframes, which allow a malicious Web
    site to execute arbitrary JavaScript code in the security context of
    other Web sites or in the local system. Only the Windows version is
    reportedly vulnerable.

    The advisory indicates both vendor confirmation and that version 6.02
    contains a fix.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-05/0117.html

    *** {02.20.017} Cross - Quake2 server cvar leak

    A bug found in Quake2 server versions 3.21 and prior allows users to
    query the server's cvars, including the rcon_password, by submitting
    an unexpanded macro to a server. This would allow them to take control
    of the Quake server.

    This vulnerability is confirmed; a fix is available at:
    http://www.aq2tng.barrysworld.net/

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-05/0118.html

    *** {02.20.020} Cross - Phorum CGI plugin.php script execution

    The Phorum CGI suite version 3.3.2a contains a bug in the plugin.php
    page that could allow a remote attacker to view local files as well
    as execute arbitrary PHP code by including remote files.

    The advisory indicates vendor confirmation.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-05/0147.html
    http://archives.neohapsis.com/archives/bugtraq/2002-05/0153.html

    *** {02.20.021} Cross - OpenSSH 3.2.2 released

    OpenSSH version 3.2.2 was released. In addition to various bug fixes,
    it contains security fixes for problems previously reported in SAC.

    As always, the latest code is available from:
    http://www.openssh.com/

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-05/0150.html

    *** {02.20.022} Cross - ViewCVS CGI CSS vulnerability

    The ViewCVS CGI suite version 0.9.2 contains multiple cross-site
    scripting bugs.

    This vulnerability is not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-05/0161.html

    *** {02.20.025} Cross - bzip2 insecure temp file handling and overwrite
                    vulnerabilities

    The bzip2 utility reportedly contains two vulnerabilities: insecure
    temporary file handling (allowing a local symlink attack) and the
    potential to overwrite files without warning.

    FreeBSD confirmed these vulnerabilities and committed fixes to FreeBSD
    CVS as of Feb. 23, 2002.

    Source: FreeBSD
    http://archives.neohapsis.com/archives/freebsd/2002-05/0310.html

    ************************************************************************

    ----------------------------------------------------------------------

    Become a Security Alert Consensus member! If this e-mail was passed
    to you and you would like to begin receiving our security e-mail
    newsletter on a weekly basis, we invite you to subscribe today.
    http://www.sans.org/sansnews/

    We are signing the Consensus newsletter with PGP. The new SANS PGP key
    is posted at:
    http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
    also be accessed from the SANS Web site (http://www.sans.org).

    Special Note: To better secure your confidential information,
    we will no longer include personal URLs in our Consensus
    newsletter mailings. Instead, we have created a new form
    (http://www.sans.org/sansurl). On this form you can enter the SD
    number located near your name at the top of the newsletter. When you
    submit this form, an e-mail containing a URL will be sent to you at
    the e-mail address on record. With this URL you can make changes to
    your account (edit the content of your Consensus mailing, for example)
    without endangering the security of your personal URL. If you'd like
    to change your e-mail address or other information, please visit your
    new URL as described above. If you have any problems or questions,
    e-mail us at <consensusnwc.com>.

    If you would like to unsubscribe from this newsletter, grab your SD
    number (next to your name at the top of this message) and visit the
    URL below. You will be sent a personal URL via E-mail, from which
    you can unsubscribe. http://www.sans.org/sansurl

    Missed an issue? You can find all back issues of
    Security Alert Consensus (and Security Express) online.
    http://archives.neohapsis.com/

    Your opinion counts. We'd like to hear your thoughts on Security Alert
    Consensus. E-mail any questions or comments to <consensusnwc.com>.

    Copyright (c) 2002 Network Computing, a CMP Media LLC
    publication. All Rights Reserved. Distributed by Network
    Computing (http://www.networkcomputing.com) and The SANS Institute
    (http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
    security assessment and integration services consulting group
    (infoneohapsis.com | http://www.neohapsis.com/).