From: Network Computing and The SANS Institute (sans+ZZ99021509189486493@sans.org)
Date: Thu Jun 27 2002 - 15:24:13 CDT

    To: Security Express (SD397643)
    Re: Your personalized newsletter

                      -- Security Alert Consensus --
                            Number 025 (02.25)
                         Thursday, June 27, 2002
                            Created for you by
                 Network Computing and the SANS Institute
                           Powered by Neohapsis

    ----------------------------------------------------------------------

    Welcome to SANS' distribution of the Security Alert Consensus.

    ----------------------------------------------------------------------

    You'll find two thousand unique research reports on all aspects of
    information security -- at the SANS Reading Room. See: rr.sans.org

    And don't delay in signing up for SANS Network Security 2002. With all
    five US military organizations running their security leadership
    conferences there, the courses will fill up quickly.
    http://www.sans.org/NS2002

    ----------------------------------------------------------------------

    This week has left most of the security lists discussing the Apache
    chunked-encoding bug released last week (vendor updates are collected
    in {02.25.001}) and a new OpenSSH bug that is likely to affect many
    systems. Full information on the OpenSSH bug is reported in the
    cross-platform category as item {02.25.023}.

    Next week we will be releasing SAC one day early (Wednesday) to
    accommodate the July 4 holiday.

    Until next week,
    - Security Alert Consensus Team

    ************************************************************************

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    TABLE OF CONTENTS:

    {02.25.006} Win - BlackICE open connection DoS
    {02.25.009} Win - MS SQL Server OpenDataSource() overflow
    {02.25.013} Win - AdvServer HTTP server empty request DoS
    {02.25.022} Win - Pirch 98 IRC client hyperlink overflow
    {02.25.011} Linux - Update {02.19.012}: (uw-)imapd BODY command overflow
    {02.25.016} Linux - Update {02.21.001}: in.rarpd syserr()/error()
                overflows and format string vulns
    {02.25.017} NW - DHCP server request overflow DoS
    {02.25.018} NW - FTP server format string DoS
    {02.25.002} SGI - NetVisualyzer nveventd arbitrary file writing
    {02.25.003} SGI - Update {01.25.033}: pmpost PCP_LOG_DIR env variable
                symlink attack
    {02.25.004} SGI - Multiple xfsmd vulnerabilities
    {02.25.019} SCO - Update {02.17.015}: dtprintinfo help search keyword
                overflow
    {02.25.010} NApps - Cisco ONS15454 TOS bit DoS
    {02.25.015} NApps - Cisco PIX password encryption weakness
    {02.25.001} Cross - Update {02.24.002}: Apache chunked encoding DoS and
                overflow
    {02.25.005} Cross - Cisco vpnclient 'connect' param overflow
    {02.25.008} Cross - Basilix CGI multiple vulns
    {02.25.012} Cross - YaBB CGI missing thread CSS vuln
    {02.25.014} Cross - Duma Photo Gallery System CGI file overwriting
    {02.25.020} Cross - Half-life server ghost players DoS
    {02.25.021} Cross - Apache Tomcat NULL request DoS
    {02.25.023} Cross - OpenSSH version 3.4 available, security vulns
    {02.25.007} Tools - BIND 8.3.2 available

    - --- Windows News -------------------------------------------------------

    *** {02.25.006} Win - BlackICE open connection DoS

    BlackICE agent version 3.1ebh has been found to contain a remotely
    exploitable denial of service in certain configurations, which lets
    a remote attacker consume large amounts of memory (200 to 400 MB) on
    the system by simply opening many connections to the BlackICE system.

    This vulnerability has been confirmed by the vendor, who recommends
    users lower the maximum number of open connections by changing the
    'tcp.maxconnections' parameter in the blackice.ini file.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0114.html

    *** {02.25.009} Win - MS SQL Server OpenDataSource() overflow

    MS SQL Server 2000 has been found to contain a buffer overflow in the
    handling of the OpenDataSource() SQL function, letting an attacker
    capable of running SQL queries execute arbitrary code on the SQL
    server system.

    This vulnerability has not been confirmed.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0116.html

    *** {02.25.013} Win - AdvServer HTTP server empty request DoS

    AdvServer version 1.03 has been found vulnerable to a denial of service
    attack whereby a remote attacker submits multiple empty HTTP requests
    to the server, eventually causing it to not accept new connections.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-06/0262.html

    *** {02.25.022} Win - Pirch 98 IRC client hyperlink overflow

    The Pirch 98 IRC client has been found to contain a buffer overflow
    in the handling of hyperlinks embedded in IRC text, potentially
    letting another IRC user execute arbitrary code on the Pirch user's
    system.

    The advisory indicates the latest version of Pirch fixes the problem.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-06/0256.html

    - --- Linux News ---------------------------------------------------------

    *** {02.25.011} Linux - Update {02.19.012}: (uw-)imapd BODY command
                    overflow

    EnGarde has released updated imapd packages that fix the vulnerability
    discussed in {02.19.012} ("(uw-)imapd BODY command overflow").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/engarde/2002-q2/0009.html

    Source: EnGarde
    http://archives.neohapsis.com/archives/linux/engarde/2002-q2/0009.html

    *** {02.25.016} Linux - Update {02.21.001}: in.rarpd syserr()/error()
                    overflows and format string vulns

    Caldera has released updated in.rarpd packages that fix the
    vulnerability discussed in {02.21.001} ("in.rarpd syserr()/error()
    overflows and format string vulns").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0031.html

    Source: Caldera
    http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0031.html

    - --- NetWare News -------------------------------------------------------

    *** {02.25.017} NW - DHCP server request overflow DoS

    The DHCP server shipped with NetWare 6.0 SP1 has been found to contain
    various buffer overflows in the handling of malformed DHCP requests,
    which cause the service to ABEND and can bring down the entire server,
    forcing a reboot.

    The advisory indicates confirmation by the vendor, who is working on
    a patch.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0126.html

    *** {02.25.018} NW - FTP server format string DoS

    The FTP server shipped with NetWare 6.0 SP1 (with latest NWFTPD
    updates) has been found to contain a format string vulnerability that
    lets a remote attacker cause the service to ABEND, thus leading to a
    denial of service attack. The server needs to be rebooted in order
    to regain FTP functionality.

    The advisory indicates confirmation by the vendor, who is producing
    a fix.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0127.html

    - --- SGI News -----------------------------------------------------------

    *** {02.25.002} SGI - NetVisualyzer nveventd arbitrary file writing

    SGI has released an advisory that indicates the setuid NetVisualyzer
    nveventd program can be directed by a local attacker to overwrite
    arbitrary files on the system, leading to a root compromise.
    IRIX versions 6.5.0 through 6.5.16 are vulnerable.

    SGI's official workaround is to remove setuid permissions from
    /usr/NetVis/etc/nveventd. The product is no longer supported, so a
    patch will not be issued.

    Source: SGI
    http://archives.neohapsis.com/archives/vendor/2002-q2/0069.html
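    Since no patch is coming for nveventd, the workaround has to be applied
    and then verified on every affected host. The script below is an added
    example, not SGI's code or part of the advisory: it strips the setuid
    bit from the path SGI names, confirms the bit is gone, and lists any
    other setuid file left under the product tree. The audit directory
    /usr/NetVis is an assumption taken from that path; the demo at the end
    runs against a throwaway tree, never the real one.

```sh
#!/bin/sh
# Added example (not SGI's): apply and verify the {02.25.002} workaround.
# Assumption: the product lives under /usr/NetVis (derived from the path
# SGI gives for nveventd); adjust if your installation differs.

# is_setuid FILE: succeed if FILE exists and carries the setuid bit.
is_setuid() {
    [ -n "$(find "$1" -prune -perm -4000 2>/dev/null)" ]
}

# strip_setuid FILE: remove setuid and setgid, then confirm setuid is gone.
strip_setuid() {
    [ -e "$1" ] || { echo "strip_setuid: $1 not present" >&2; return 1; }
    chmod u-s,g-s "$1" || return 1
    if is_setuid "$1"; then
        echo "strip_setuid: $1 is still setuid" >&2
        return 1
    fi
}

# list_setuid DIR: print every setuid regular file below DIR, one per line.
list_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# nvis_workaround [ROOT]: strip nveventd under ROOT (default: the live
# system) and report anything still setuid under ROOT/usr/NetVis.
# Returns 0 if clean, 1 if the strip failed, 2 if other setuid files remain.
nvis_workaround() {
    root=${1:-}
    strip_setuid "$root/usr/NetVis/etc/nveventd" || return 1
    left=$(list_setuid "$root/usr/NetVis")
    if [ -n "$left" ]; then
        echo "still setuid under $root/usr/NetVis:" >&2
        echo "$left" >&2
        return 2
    fi
}

# Stand-alone demonstration on a constructed tree (never touches /usr/NetVis).
nvis_demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/usr/NetVis/etc"
    : > "$d/usr/NetVis/etc/nveventd"
    chmod 4755 "$d/usr/NetVis/etc/nveventd"   # constructed setuid binary stand-in
    nvis_workaround "$d" && echo "workaround applied and verified under $d"
    rm -rf "$d"
}

nvis_demo
```

    Run nvis_workaround with no argument as root on the real host; a
    non-zero return means the workaround is not fully in place.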

    *** {02.25.003} SGI - Update {01.25.033}: pmpost PCP_LOG_DIR env
                    variable symlink attack

    SGI has released updated packages that fix the vulnerability discussed
    in {01.25.033} ("pmpost PCP_LOG_DIR env variable symlink attack").

    Upgrading to IRIX 6.5.13 or later will fix the vulnerability.

    Source: SGI
    http://archives.neohapsis.com/archives/vendor/2002-q2/0070.html

    *** {02.25.004} SGI - Multiple xfsmd vulnerabilities

    SGI has released an advisory that indicates the xfsmd daemon contains
    multiple vulnerabilities that would let a remote attacker gain root
    access to the system.

    Since the XFS Server suite is a retired product, no patches will be
    made available; admins should remove the vulnerable software from
    their systems.

    Source: SGI
    http://archives.neohapsis.com/archives/vendor/2002-q2/0065.html

    - --- SCO News -----------------------------------------------------------

    *** {02.25.019} SCO - Update {02.17.015}: dtprintinfo help search
                    keyword overflow

    Caldera/SCO has released updated dtprintinfo packages that fix the
    vulnerability discussed in {02.17.015} ("dtprintinfo help search
    keyword overflow").

    Updated binaries are located at:
    ftp://ftp.caldera.com/pub/updates/OpenUNIX/CSSA-2002-SCO.30

    Source: Caldera/SCO
    http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0032.html

    - --- Network Appliances News --------------------------------------------

    *** {02.25.010} NApps - Cisco ONS15454 TOS bit DoS

    Cisco has released an advisory indicating that ONS15454 platforms
    running software versions 3.1.0 through 3.2.0 contain a remotely
    exploitable denial of service vulnerability triggered by IP packets
    with certain values in the Type of Service (TOS) field.

    This vulnerability is fixed in Cisco ONS versions 3.2.1 and later.
    Information on how to upgrade is available at:
    http://www.cisco.com/univercd/cc/td/doc/product/ong/15400/r33docs/sftuprgd/index.htm

    Source: Cisco
    http://archives.neohapsis.com/archives/cisco/2002-q2/0016.html

    *** {02.25.015} NApps - Cisco PIX password encryption weakness

    The enable password hashing used by Cisco PIX devices has been found
    to be weaker than that used by Cisco IOS devices; an attacker who
    obtains the hash (from a saved configuration, for example) can recover
    the password by offline brute force in an acceptable period of time.

    This vulnerability has not been confirmed. In the meantime, the
    recommendation is to use long, strong passwords mixing many character
    types, and to treat PIX configuration files as sensitive.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0121.html

    - --- Cross-Platform News ------------------------------------------------

    *** {02.25.001} Cross - Update {02.24.002}: Apache chunked encoding DoS
                    and overflow

    Multiple vendors have released updated Apache packages that fix the
    vulnerability discussed in {02.24.002} ("Apache chunked encoding DoS
    and overflow").

    Updated Engarde RPMs:
    http://archives.neohapsis.com/archives/linux/engarde/2002-q2/0011.html

    Updated Debian DEBs:
    http://archives.neohapsis.com/archives/vendor/2002-q2/0060.html
    http://archives.neohapsis.com/archives/vendor/2002-q2/0063.html
    http://archives.neohapsis.com/archives/vendor/2002-q2/0066.html

    Updated Conectiva RPMs:
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q2/0030.html

    Updated SuSE RPMs:
    http://archives.neohapsis.com/archives/linux/suse/2002-q2/1062.html

    Updated OpenPKG RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2002-06/0235.html

    Updated Red Hat RPMs:
    http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0101.html
    http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0102.html

    Updated Trustix RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2002-06/0242.html

    Updated Mandrake RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2002-06/0258.html

    Updated Slackware tarballs:
    http://archives.neohapsis.com/archives/bugtraq/2002-06/0266.html

    Updated Caldera RPMs:
    http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0030.html

    Source: Engarde, Debian, Conectiva, SuSE, Red Hat, Trustix, Mandrake,
    Slackware, Caldera, SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/linux/engarde/2002-q2/0011.html
    http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0102.html
    http://archives.neohapsis.com/archives/vendor/2002-q2/0060.html
    http://archives.neohapsis.com/archives/vendor/2002-q2/0063.html
    http://archives.neohapsis.com/archives/vendor/2002-q2/0066.html
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q2/0030.html
    http://archives.neohapsis.com/archives/linux/suse/2002-q2/1062.html
    http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0101.html
    http://archives.neohapsis.com/archives/bugtraq/2002-06/0235.html
    http://archives.neohapsis.com/archives/bugtraq/2002-06/0242.html
    http://archives.neohapsis.com/archives/bugtraq/2002-06/0258.html
    http://archives.neohapsis.com/archives/bugtraq/2002-06/0266.html
    http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0030.html

    *** {02.25.005} Cross - Cisco vpnclient 'connect' param overflow

    Cisco has released an advisory that indicates the Unix vpnclient
    application, which is installed setuid root, contains an exploitable
    buffer overflow that would let a local attacker execute arbitrary
    code with root privileges.

    This vulnerability has been confirmed by the vendor. Fixes are
    available by contacting your Cisco representative.

    Source: Cisco
    http://archives.neohapsis.com/archives/cisco/2002-q2/0015.html

    *** {02.25.008} Cross - Basilix CGI multiple vulns

    The Basilix CGI suite versions 1.1.0 and prior have been found to
    contain multiple vulnerabilities: ability for remote attackers
    to attach local files to e-mails; multiple cross-site scripting
    problems; SQL injection/tampering; local users can recover all e-mail
    attachments.

    These vulnerabilities have not been confirmed.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0117.html

    *** {02.25.012} Cross - YaBB CGI missing thread CSS vuln

    The YaBB CGI suite has been found to contain a cross-site scripting
    vulnerability in the handling of invalid 'num' URL parameters.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-06/0261.html

    *** {02.25.014} Cross - Duma Photo Gallery System CGI file overwriting

    The Duma Photo Gallery System CGI suite has been found to not properly
    filter all user data, letting a remote attacker potentially overwrite
    files writable by the Web server.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-06/0265.html

    *** {02.25.020} Cross - Half-life server ghost players DoS

    An advisory was released that indicates a possible denial of service
    against Half-Life servers because of how the protocol handles new
    joining players. Essentially, a remote attacker can easily fill the
    available player slots on a server, thus preventing legitimate users
    from using the server.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-06/0248.html

    *** {02.25.021} Cross - Apache Tomcat NULL request DoS

    Apache's Tomcat server version 4.0.3 has been found vulnerable to
    a remote denial of service whereby an attacker repeatedly sends
    a particular malformed HTTP request full of NULLs to a server,
    eventually causing it to reject any further requests.

    This vulnerability has not been confirmed. Version 4.1.3 beta is
    reportedly not vulnerable.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0120.html

    *** {02.25.023} Cross - OpenSSH version 3.4 available, security vulns

    OpenSSH version 3.4 has been released. This version fixes a remotely
    exploitable buffer overflow in sshd's challenge-response
    authentication code that could let an attacker gain root privileges
    on systems not running sshd in privilege separation mode
    (UsePrivilegeSeparation, a recently introduced feature). Sites that
    cannot upgrade immediately should enable privilege separation or set
    ChallengeResponseAuthentication to no in sshd_config until they can.

    Updated source packages are available at:
    http://www.openssh.org/

    Source: OpenBSD
    http://archives.neohapsis.com/archives/openbsd/2002-06/2391.html
    http://archives.neohapsis.com/archives/openbsd/2002-06/2433.html
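    Whether a host is exposed comes down to two sshd_config keywords, and
    the unpatched default (challenge-response on, privilege separation off)
    is the exposed one. The script below is an added example, not from the
    newsletter or the OpenSSH project: it reads an sshd_config the way sshd
    does (first uncommented occurrence of a keyword wins) and classifies the
    host. The defaults it assumes for absent keywords and the function names
    are this example's own; confirm them against the sshd_config(5) for the
    version you run, and remember the bug is only reachable in builds with
    S/Key, BSD_AUTH or PAM keyboard-interactive support, so "exposed" means
    "upgrade or mitigate now", not "confirmed exploitable".

```sh
#!/bin/sh
# Added example (not OpenSSH's code): classify an sshd_config by the two
# settings that decide exposure to the challenge-response overflow fixed
# in OpenSSH 3.4 ({02.25.023}).
# Assumptions for this illustration: an absent keyword takes the default
# the caller supplies (challenge-response yes, privilege separation no),
# and, like sshd, the first uncommented occurrence of a keyword wins.

# sshd_opt FILE KEYWORD DEFAULT: print the effective value, lower-cased.
sshd_opt() {
    val=$(awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$1")
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$3"; fi
}

# sshd_exposure FILE: print one of
#   mitigated-noauth   challenge-response authentication is switched off
#   mitigated-privsep  the vulnerable code runs in the unprivileged child
#   exposed            neither mitigation is in place; upgrade to 3.4
sshd_exposure() {
    cra=$(sshd_opt "$1" ChallengeResponseAuthentication yes)
    sep=$(sshd_opt "$1" UsePrivilegeSeparation no)
    if [ "$cra" != "yes" ]; then
        echo mitigated-noauth
    elif [ "$sep" = "yes" ]; then
        echo mitigated-privsep
    else
        echo exposed
    fi
}

# Stand-alone demonstration on constructed configs (not a real host's file).
sshd_demo() {
    f=$(mktemp) || return 1
    # Typical pre-3.3 config: silent on both keywords, so both defaults apply.
    printf 'Port 22\nPermitRootLogin no\n' > "$f"
    printf '%s: %s\n' "default config " "$(sshd_exposure "$f")"
    # Hardened form: both mitigations present; the commented line is ignored.
    printf '# UsePrivilegeSeparation no\nUsePrivilegeSeparation yes\nChallengeResponseAuthentication no\n' > "$f"
    printf '%s: %s\n' "hardened config" "$(sshd_exposure "$f")"
    rm -f "$f"
}

sshd_demo
```

    Point sshd_exposure at /etc/ssh/sshd_config (or wherever your build
    keeps it) on each host; anything reporting "exposed" goes to the front
    of the upgrade queue.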

    - --- Tool Announcements News --------------------------------------------

    *** {02.25.007} Tools - BIND 8.3.2 available

    BIND version 8.3.2 has been released. This version features bug fixes
    and feature updates over prior versions; there are no security-related
    fixes associated with this release.

    The source can be downloaded from:
    ftp://ftp.isc.org/isc/bind/src/8.3.2/bind-src.tar.gz

    Source: BIND
    http://archives.neohapsis.com/archives/bind/2002/0011.html

    ************************************************************************

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (BSD/OS)
    Comment: For info see http://www.gnupg.org

    iD8DBQE9G20K+LUG5KFpTkYRAlLbAJ9TAa2CJYhv4WQA03lIYDykjQuSOwCdHXmx
    IAZZy+BBrCRP2SAMnM371iw=
    =lgVk
    -----END PGP SIGNATURE-----
    ------------------------------------------------------------------------

    ----------------------------------------------------------------------

    Become a Security Alert Consensus member! If this e-mail was passed
    to you and you would like to begin receiving our security e-mail
    newsletter on a weekly basis, we invite you to subscribe today.
    http://www.sans.org/sansnews/

    We are signing the Consensus newsletter
    with PGP. The new SANS PGP key is posted at:
    http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
    also be accessed from the SANS Web site (http://www.sans.org).

    Special Note: To better secure your confidential information,
    we will no longer include personal URLs in our Consensus
    newsletter mailings. Instead, we have created a new form
    (http://www.sans.org/sansurl). On this form you can enter the SD
    number located near your name at the top of the newsletter. When you
    submit this form, an e-mail containing a URL will be sent to you at
    the e-mail address on record. With this URL you can make changes to
    your account (edit the content of your Consensus mailing, for example)
    without endangering the security of your personal URL. If you'd like
    to change your e-mail address or other information, please visit your
    new URL as described above. If you have any problems or questions,
    e-mail us at <consensus@nwc.com>.

    If you would like to unsubscribe from this newsletter, grab your SD
    number (next to your name at the top of this message) and visit the
    URL below. You will be sent a personal URL via E-mail, from which
    you can unsubscribe. http://www.sans.org/sansurl

    Missed an issue? You can find all back issues of
    Security Alert Consensus (and Security Express) online.
    http://archives.neohapsis.com/

    Your opinion counts. We'd like to hear your thoughts on Security Alert
    Consensus. E-mail any questions or comments to <consensus@nwc.com>.

    Copyright (c) 2002 Network Computing, a CMP Media LLC
    publication. All Rights Reserved. Distributed by Network
    Computing (http://www.networkcomputing.com) and The SANS Institute
    (http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
    security assessment and integration services consulting group
    (info@neohapsis.com | http://www.neohapsis.com/).