Security Alert Consensus #018
From: Network Computing and The SANS Institute (sans@sans.org)
Date: Thu May 08 2003 - 17:21:51 CDT
-- Security Alert Consensus --
Number 017 (03.17)
Thursday, May 1, 2003
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below you
should find information pertaining only to the categories you requested.
Information on how to manage your subscription can be found at the
bottom of the newsletter. If you have any problems or questions, please
e-mail us at <consensus@nwc.com>.
************************* Begin Advertisement ************************
This issue sponsored by Internet Security Systems.
New Appliance whitepaper from Internet Security Systems!
ISS' new, easily deployed appliances dynamically protect
regardless of network speed or threat type, without
requiring separate firewalls, antivirus and intrusion
detection. Click here to download whitepaper:
http://www.iss.net/ad/appliance_cmpnetsansappliance050803
************************** End Advertisement *************************
The most prominent vulnerabilities this week are various bugs in
Microsoft Outlook Express and Internet Explorer, which allow malicious
e-mail or Web sites to execute arbitrary code on the user's system,
amongst other things. Details are reported in items {03.17.008} and
{03.17.009}. There also is a buffer overflow in an Oracle CONNECT SQL
statement parameter, which allows attackers to take over the database
and possibly the entire host if they can execute arbitrary SQL commands
(via direct access or proxied through an insecure Web application). More
information is available in item {03.17.017}.
Plus, Microsoft released new security guides for locking down Windows
Server 2003 deployments. If you're looking into using Windows Server
2003, you should definitely have a look.
http://archives.neohapsis.com/archives/bugtraq/2003-04/0321.html
Until next week,
--Security Alert Consensus Team
************************************************************************
TABLE OF CONTENTS:
{03.17.005} Win - Cisco SecureACS admin service user name overflow
{03.17.008} Win - MS03-014: Cumulative patch for Outlook Express
{03.17.009} Win - MS03-015: Cumulative patch for Internet Explorer
{03.17.010} Win - Xeneo Web server malformed encoding DoS
{03.17.011} Win - BttlxeForum CGI SQL injection
{03.17.021} Win - Auerswald COMsuite default account/password
{03.17.022} Win - Kerio firewall replay attack and admin overflow
{03.17.023} Win - MDaemon IMAP overflow and POP DoS
{03.17.024} Win - VisNetic ActiveDefense large request DoS
{03.17.001} Linux - Updated patches for previous vulnerabilities
{03.17.002} Linux - gkrellm-newsticker arbitrary command exec and DoS
{03.17.015} Linux - les ATM utility -f parameter overflow
{03.17.003} HP-UX - Updated patches for previous vulnerabilities
{03.17.006} SGI - LDAP nsd possible password bypass
{03.17.019} SGI - Updated patches for previous vulnerabilities
{03.17.012} NetDev - Cisco CatOS 7.5(1) enable password bypass
{03.17.014} NetDev - 3Com NBX phone manager FTP 'CEL' DoS
{03.17.007} Cross - Vulnerable PHP applications 04/29
{03.17.013} Cross - Opera browser multiple reported vulns
{03.17.016} Cross - Qpopper poppassd local SMB auth command exec
{03.17.017} Cross - Oracle DB connect overflow
{03.17.018} Cross - opt library multiple vulns
{03.17.020} Cross - Album.pl CGI remote command exec
{03.17.004} Tru64 - dupatch and setld symlink attacks
--- Windows News -------------------------------------------------------
*** {03.17.005} Win - Cisco SecureACS admin service user name overflow
Cisco SecureACS versions 2.6.4, 3.0.3 and 3.1.1 (and prior) contain a
buffer overflow in the administration service listening on port 2002,
which allows a remote attacker to execute arbitrary code with local
system privileges.
This vulnerability is confirmed. Update information is available at the
reference URL below.
Source: Cisco
http://archives.neohapsis.com/archives/cisco/2003-q2/0001.html
*** {03.17.008} Win - MS03-014: Cumulative patch for Outlook Express
Microsoft released MS03-014 ("Cumulative Patch for Outlook Express").
This patch is an accumulation of all security patches for Outlook
Express to date. In addition, it fixes a vulnerability that allows MHTML
documents to execute arbitrary code on the user's system.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS03-014.asp
Source: Microsoft
http://archives.neohapsis.com/archives/microsoft/2003-q2/0007.html
*** {03.17.009} Win - MS03-015: Cumulative patch for Internet Explorer
Microsoft released MS03-015 ("Cumulative Patch for Internet Explorer").
This patch fixes all problems to date as well as four new
vulnerabilities: a buffer overflow in URLMON.DLL, which allows a remote
Web site to run arbitrary code; the file upload control allows uploading
of arbitrary user files; calls to third-party programs could lead to
arbitrary command execution; and incorrect handling of a dialog could
allow an attacker to execute arbitrary active script.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS03-015.asp
Source: Microsoft
http://archives.neohapsis.com/archives/microsoft/2003-q2/0006.html
*** {03.17.010} Win - Xeneo Web server malformed encoding DoS
Xeneo Web server versions 2.2.9 and prior crash when they receive a
particular malformed encoded URL, which allows a remote attacker to
cause a denial of service.
This vulnerability is confirmed and fixed in version 2.2.10.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0035.html
*** {03.17.011} Win - BttlxeForum CGI SQL injection
The BttlxeForum ASP CGI suite does not properly filter out unsafe SQL
characters, which allows a remote attacker to manipulate the back-end
database.
This vulnerability is confirmed. A fix was released.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0038.html
*** {03.17.021} Win - Auerswald COMsuite default account/password
The Auerswald COMsuite CTI ControlCenter version 3.1 creates a default
user account with a known password, which may allow a remote attacker
to access system resources. It also appears that disabling the account
may affect COMsuite operation.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-04/0373.html
*** {03.17.022} Win - Kerio firewall replay attack and admin overflow
The Kerio personal firewall versions 2.1.4 and prior reportedly contain
two vulnerabilities: a weakness in the encryption used by the
administrative console, which allows an attacker able to sniff
administrative traffic to replay administrative commands; and a buffer
overflow in the administrative handshake, which allows a remote attacker
to execute arbitrary code on the system.
These vulnerabilities are not confirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0046.html
*** {03.17.023} Win - MDaemon IMAP overflow and POP DoS
The MDaemon server suite reportedly contains two vulnerabilities: a
buffer overflow in the IMAP 'CREATE' command, which allows the remote
execution of arbitrary code; and a crash of the POP service when
negative numeric values are supplied to various POP commands.
These vulnerabilities are not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-04/0352.html
http://archives.neohapsis.com/archives/bugtraq/2003-04/0353.html
*** {03.17.024} Win - VisNetic ActiveDefense large request DoS
VisNetic ActiveDefense version 1.3.1 stops forwarding HTTP traffic after
receiving a particular stream of large HTTP requests, which leads to a
denial of service.
The advisory indicates confirmation by the vendor, which released a
patch.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-04/0297.html
--- Linux News ---------------------------------------------------------
*** {03.17.001} Linux - Updated patches for previous vulnerabilities
The following is a list of Linux vendor patches for vulnerabilities
previously reported in Security Alert Consensus.
--- Red Hat:
RHSA-2003:032-01: tcpdump
http://archives.neohapsis.com/archives/linux/redhat/2003-q2/0030.html
RHSA-2003:076-01: ethereal
http://archives.neohapsis.com/archives/linux/redhat/2003-q2/0032.html
RHSA-2003:079-01: zlib
http://archives.neohapsis.com/archives/linux/redhat/2003-q2/0040.html
RHSA-2003:093-01: MySQL
http://archives.neohapsis.com/archives/linux/redhat/2003-q2/0041.html
RHSA-2003:112-01: squirrelmail
http://archives.neohapsis.com/archives/linux/redhat/2003-q2/0034.html
RHSA-2003:118-01: mICQ
http://archives.neohapsis.com/archives/linux/redhat/2003-q2/0036.html
RHSA-2003:142-01: LPRng
http://archives.neohapsis.com/archives/linux/redhat/2003-q2/0037.html
--- Debian:
DSA 292-2: mime-support
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0276.html
DSA 293-1: kdelibs
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0278.html
--- Mandrake:
MDKSA-2003:017-1: pam
http://archives.neohapsis.com/archives/linux/mandrake/2003-q2/0071.html
MDKSA-2003:049-1: kde3
http://archives.neohapsis.com/archives/linux/mandrake/2003-q2/0069.html
MDKSA-2003:050: Apache
http://archives.neohapsis.com/archives/linux/mandrake/2003-q2/0061.html
MDKSA-2003:051: ethereal
http://archives.neohapsis.com/archives/linux/mandrake/2003-q2/0070.html
MDKSA-2003:052: snort
http://archives.neohapsis.com/archives/linux/mandrake/2003-q2/0072.html
--- SuSE:
SuSE-SA:2003:0026: KDE
http://archives.neohapsis.com/archives/linux/suse/2003-q2/0236.html
Source: Red Hat, Debian, Mandrake, SuSE
*** {03.17.002} Linux - gkrellm-newsticker arbitrary command exec and
DoS
Debian released an advisory indicating the gkrellm-newsticker plug-in
for gkrellm contains two vulnerabilities: malicious characters could be
included in links, causing the user to unknowingly execute arbitrary
commands; and certain malformed elements can cause the plug-in to crash,
leading to a denial of service attack.
These vulnerabilities are confirmed.
Updated Debian DEBs:
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0282.html
Source: Debian
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0282.html
*** {03.17.015} Linux - les ATM utility -f parameter overflow
The 'les' ATM configuration utility included in the Linux-atm suite
contains a buffer overflow in the handling of the -f command-line
parameter. Since the utility is typically installed setuid root, this
allows a local attacker to execute arbitrary code with elevated
privileges.
The advisory indicates vendor confirmation.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-04/0342.html
--- HP-UX News ---------------------------------------------------------
*** {03.17.003} HP-UX - Updated patches for previous vulnerabilities
The following is a list of HP-UX vendor patches for vulnerabilities
previously reported in Security Alert Consensus.
SSRT2439: libc xdrmem_getbytes()
http://archives.neohapsis.com/archives/hp/2003-q2/0019.html
SSRT3534: Apache 2.0 DoS
http://archives.neohapsis.com/archives/hp/2003-q2/0025.html
SSRT3499: OpenSSL RSA blinding
http://archives.neohapsis.com/archives/hp/2003-q2/0025.html
Source: HP
--- SGI News -----------------------------------------------------------
*** {03.17.006} SGI - LDAP nsd possible password bypass
The nsd LDAP implementation does not check for the USERPASSWORD
attribute in the LDAP database, which may allow a remote attacker to
log in without using a password.
This vulnerability is confirmed. A patch is available at the reference
URL below.
Source: SGI
http://archives.neohapsis.com/archives/vendor/2003-q2/0038.html
*** {03.17.019} SGI - Updated patches for previous vulnerabilities
The following is a list of SGI patches for vulnerabilities previously
reported in Security Alert Consensus.
20030406-02-P: BSD LPR subsystem (updated patch)
http://archives.neohapsis.com/archives/vendor/2003-q2/0039.html
Source: SGI
http://archives.neohapsis.com/archives/vendor/2003-q2/0039.html
--- Network Devices News -----------------------------------------------
*** {03.17.012} NetDev - Cisco CatOS 7.5(1) enable password bypass
Cisco Catalyst switches running Catalyst OS version 7.5(1) contain a
bug that allows a normal user to access enable mode without knowing the
enable password. The problem is only present in version 7.5(1).
This vulnerability is confirmed and fixed in version 7.6(1).
Source: Cisco (VulnWatch)
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0040.html
*** {03.17.014} NetDev - 3Com NBX phone manager FTP 'CEL' DoS
The 3Com NBX phone manager crashes when a remote attacker issues an
abnormally long 'CEL' FTP command, which causes a denial of service.
The advisory indicates confirmation by the vendor, which released a
patch.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0045.html
--- Cross-Platform News ------------------------------------------------
*** {03.17.007} Cross - Vulnerable PHP applications 04/29
The following is a list of reportedly vulnerable third-party PHP CGI
applications. These vulnerabilities are not confirmed.
PHP-Nuke 6.5: cross-site scripting
http://archives.neohapsis.com/archives/bugtraq/2003-04/0314.html
True Galerie 1.0: admin log-in bypass, file reading
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0043.html
Bugzilla <2.16.3: cross-site scripting, insecure temp file
http://archives.neohapsis.com/archives/bugtraq/2003-04/0323.html
OpenBB 1.1.0: SQL injection
http://archives.neohapsis.com/archives/bugtraq/2003-04/0325.html
phpSysInfo <2.1: possible file reading
http://archives.neohapsis.com/archives/bugtraq/2003-04/0326.html
XOOPS MyTextSanitizer 2.x: cross-site scripting
http://archives.neohapsis.com/archives/bugtraq/2003-04/0327.html
IdeaBox 1.0: remote file include code execution
http://archives.neohapsis.com/archives/bugtraq/2003-04/0361.html
Source: SecurityFocus Bugtraq, VulnWatch
*** {03.17.013} Cross - Opera browser multiple reported vulns
Multiple vulnerabilities are reported in the Opera Web browser: long
file extensions cause a heap-based buffer overflow; the JavaScript
console could allow execution of arbitrary JavaScript; and long URLs
entered in the URL dialog box cause a crash. Versions 6.x and 7.x are
reportedly vulnerable.
These vulnerabilities are not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-04/0298.html
http://archives.neohapsis.com/archives/bugtraq/2003-04/0345.html
http://archives.neohapsis.com/archives/bugtraq/2003-04/0346.html
*** {03.17.016} Cross - Qpopper poppassd local SMB auth command exec
The poppassd utility included with qpopper versions 4.0.x allows a local
attacker to execute arbitrary commands with root privileges because root
privileges are not dropped before executing the 'smbpasswd' command
using a user-specified path.
This vulnerability is not confirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0047.html
*** {03.17.017} Cross - Oracle DB connect overflow
Oracle versions 9.x, 8.x and 7.x reportedly contain a buffer overflow
in the handling of large 'CONNECT TO' clauses, which allows an attacker
capable of running arbitrary SQL commands to gain full DB administrative
privileges and, on Windows systems, potentially local system access as
well.
The advisory indicates vendor confirmation.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0048.html
*** {03.17.018} Cross - opt library multiple vulns
The opt options parsing library versions 3.18 and prior reportedly
contain various buffer overflows, which could cause a program using the
opt functions to be vulnerable to exploitation.
This vulnerability is not confirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0042.html
*** {03.17.020} Cross - Album.pl CGI remote command exec
The album.pl CGI application versions 6.1 and prior reportedly allow
remote attackers to execute arbitrary commands under the Web server's
privileges.
The advisory indicates confirmation by the vendor, which fixed the bug
in version 6.2.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-04/0337.html
--- Tru64 News ---------------------------------------------------------
*** {03.17.004} Tru64 - dupatch and setld symlink attacks
The dupatch and setld installation/update tools insecurely handle
existing symlinks when creating temporary files, which allows a local
attacker to potentially cause a denial of service or gain elevated
privileges when either tool is executed.
This vulnerability is confirmed. Patch and workaround information is
available at the reference URL below.
Source: Compaq/HP
http://archives.neohapsis.com/archives/tru64/2003-q2/0006.html
************************************************************************
------------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed to
you and you would like to begin receiving our security e-mail newsletter
on a weekly basis, we invite you to subscribe today.
http://portal.sans.org
We are signing the Consensus newsletter with PGP. The new SANS PGP key
is posted at:
http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
also be accessed from the SANS Web site (http://www.sans.org).
To unsubscribe from this newsletter, or to edit your subscription
information, please go to: http://portal.sans.org
Missed an issue? You can find back issues of Security Alert Consensus
(and other SANS newsletters) online. http://www.sans.org/newsletters
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2003 Network Computing, a CMP Media LLC publication. All
Rights Reserved. Distributed by Network Computing
(http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).