Security Alert Consensus #020

From: Network Computing and The SANS Institute (sans@sans.org)
Date: Thu May 22 2003 - 17:16:33 CDT


Re: Your personalized newsletter

                 -- Security Alert Consensus --
                       Number 020 (03.20)
                  Thursday, May 22, 2003
                       Created for you by
            Network Computing and the SANS Institute
                      Powered by Neohapsis

----------------------------------------------------------------------

Welcome to the latest edition of Security Alert Consensus! Below
you should find information pertaining only to the categories you
requested. Information on how to manage your subscription can be found
at the bottom of the newsletter. If you have any problems or questions,
please e-mail us at <consensus@nwc.com>.

************************* Begin Advertisement ************************

********* This Issue Sponsored by VeriSign, Inc. *********

Testing the Network - Key Steps to Complete Security: FREE White Paper
Make sure your network works as planned through proper network testing
and identify weaknesses that could lead to attack or system vulnerability.
Get effective, comprehensive solutions using state-of-the-art tools and
processes and more.
Click here for VeriSign's FREE White Paper on Network Vulnerability Testing:
http://www.verisign.com/cgi-bin/go.cgi?a=n36810124890748000

************************** End Advertisement *************************

This week, two significant vulnerabilities were found in the Linux
kernel (discussed as items {03.20.002} and {03.20.003}). If you include
the recent ptrace kernel vulnerability, this makes three significant
vulnerabilities in the stable 2.4.20 kernel, with the final 2.4.21 still
nowhere in sight (although it is at the RC2 stage). We find it notable
that it's almost six months since the release of 2.4.20. Historically,
kernels were released in much shorter timeframes, particularly when
security vulnerabilities were discovered. The timeframe between 2.4.18
and 2.4.19 was about six months; all other releases since 2.4.14 had
been between one and three months apart. Of course, many other factors
affect the release timeline of the Linux kernel; however, we can't help
but notice that this is one of those rare times where we've been waiting
an abnormally long time for the next official Linux kernel version to
fix reported security vulnerabilities. Yes, patches for 2.4.20 are
available, if you know where to look for them. But as it stands, the
current official 2.4 kernel version contains two local root
vulnerabilities and one remote denial of service vulnerability, and
still there is no updated version. This is a bit out of the norm when
you look at the historical trend of Linux kernel development.

Until next week,
--Security Alert Consensus Team

************************************************************************

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

TABLE OF CONTENTS:

{03.20.014} Win - Venturi client 2.1 acts as protocol proxy
{03.20.015} Win - Snowblind Web server Web root escaping and DoS
{03.20.016} Win - Cisco VPN client automatic exec logon bypass
{03.20.001} Linux - Updated patches for previous vulnerabilities
{03.20.002} Linux - Linux 2.4 kernel route table hash DoS
{03.20.003} Linux - Linux 2.4 kernel ioperm vuln
{03.20.011} HP-UX - ipcs local buffer overflow
{03.20.012} HP-UX - Updated patches for previous vulnerabilities
{03.20.008} SGI - Updated patches for previous vulnerabilities
{03.20.006} NetDev - Cisco RTR/SAA malformed packet DoS
{03.20.013} NetDev - 3Com DSL router DHCP information leak
{03.20.004} Cross - Vulnerable PHP applications, 05/20
{03.20.005} Cross - lv config file mishandling
{03.20.007} Cross - Sendmail contrib scripts insecure file handling
{03.20.009} Cross - BEA WebLogic various password disclosure
{03.20.010} Cross - Multiple IMAP client overflows

- --- Windows News -------------------------------------------------------

*** {03.20.014} Win - Venturi client 2.1 acts as protocol proxy

The Venturi client version 2.1 reportedly proxies various requests
without any authorization. One notable attack would be to use it as an
open relay to send unsolicited e-mail.

The advisory indicates confirmation by the vendor, which released
version 2.2.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-05/0188.html

*** {03.20.015} Win - Snowblind Web server Web root escaping and DoS

The Snowblind Web server version 1.0 contains two vulnerabilities:
downloading of files outside the Web root and a denial of service
whereby particular requests cause the service to crash.

These vulnerabilities are not confirmed.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-05/0190.html

*** {03.20.016} Win - Cisco VPN client automatic exec logon bypass

The Cisco VPN client can be configured to automatically attempt a VPN
connection upon logon. In this process, the VPN client can execute any
third-party application necessary to attach to the network. The
vulnerability lies in the fact that the third-party application is
executed with local system privileges. Since the vpnclient.ini
configuration file is editable by all users, any local user can edit
the file to invoke explorer.exe as the third-party application, logout
and, upon next login, be granted a Windows desktop with local system
privileges.

The vendor confirmed this vulnerability.

Source: NTBugtraq
http://archives.neohapsis.com/archives/ntbugtraq/2003-q2/0078.html
http://archives.neohapsis.com/archives/ntbugtraq/2003-q2/0082.html

- --- Linux News ---------------------------------------------------------

*** {03.20.001} Linux - Updated patches for previous vulnerabilities

The following is a list of Linux vendor patches for vulnerabilities
previously reported in Security Alert Consensus.

- --- Red Hat:

RHSA-2003:174-01: tcpdump
http://archives.neohapsis.com/archives/linux/redhat/2003-q2/0057.html

- --- Debian:

DSA-303-1: MySQL
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0604.html

DSA 306-1: BitchX
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0653.html

- --- Mandrake:

MDKSA-2003:056: xinetd
http://archives.neohapsis.com/archives/linux/mandrake/2003-q2/0114.html

MDKSA-2003:057: MySQL
http://archives.neohapsis.com/archives/linux/mandrake/2003-q2/0115.html

MDKSA-2003:058: cdrecord
http://archives.neohapsis.com/archives/linux/mandrake/2003-q2/0116.html

- --- Conectiva:

CLA-2003:648: evolution
http://archives.neohapsis.com/archives/linux/conectiva/2003-q2/0036.html

- --- EnGarde:

ESA-20030515-015: sudo
http://archives.neohapsis.com/archives/bugtraq/2003-05/0170.html

ESA-20030515-016: gnupg
http://archives.neohapsis.com/archives/bugtraq/2003-05/0168.html

- --- Immunix:

IMNX-2003-7+-010-01: fileutils
http://archives.neohapsis.com/archives/linux/immunix/2003-q2/0014.html

Source: Red Hat, Debian, Mandrake, Conectiva, EnGarde, Immunix
http://archives.neohapsis.com/archives/linux/mandrake/2003-q2/0114.html
http://archives.neohapsis.com/archives/linux/mandrake/2003-q2/0115.html
http://archives.neohapsis.com/archives/linux/redhat/2003-q2/0057.html
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0604.html
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0653.html
http://archives.neohapsis.com/archives/linux/mandrake/2003-q2/0116.html
http://archives.neohapsis.com/archives/linux/conectiva/2003-q2/0036.html
http://archives.neohapsis.com/archives/bugtraq/2003-05/0170.html
http://archives.neohapsis.com/archives/bugtraq/2003-05/0168.html
http://archives.neohapsis.com/archives/linux/immunix/2003-q2/0014.html

*** {03.20.002} Linux - Linux 2.4 kernel route table hash DoS

The Linux 2.4 kernel contains a denial-of-service vulnerability whereby
a remote attacker can send particular IP packets that cause the host to
consume an abnormal amount of processing time because of inefficient
hash balancing in the route table.

This vulnerability is confirmed.

Updated Red Hat RPMs:
http://archives.neohapsis.com/archives/linux/redhat/2003-q2/0056.html

Updated EnGarde RPMs:
http://archives.neohapsis.com/archives/bugtraq/2003-05/0169.html

Source: VulnWatch, Red Hat, EnGarde (SF Bugtraq)
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0073.html
http://archives.neohapsis.com/archives/linux/redhat/2003-q2/0056.html
http://archives.neohapsis.com/archives/bugtraq/2003-05/0169.html
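The class of bug behind this item is worth seeing in miniature: a lookup
table indexed by a cheap, unkeyed hash of attacker-chosen packet fields
lets the sender steer every entry into one bucket, so each lookup walks a
growing chain instead of costing O(1). The following is an added
illustration written for this newsletter, not code from the advisory or
from the kernel. `weak_hash` is a toy stand-in (XOR of the octets), NOT the
2.4 route table hash; the 10.x.y.z addresses are constructed to collide
under it; and the secret passed to `keyed_hash` is a placeholder for a
per-boot random value.

```python
"""Added example: unkeyed vs keyed bucket hashing under chosen inputs.

weak_hash() is a toy, not the Linux 2.4 route cache hash.  The point is the
shape of the problem: if the sender can predict the bucket function, it can
make every insertion and lookup degrade to a walk over the whole table.
"""
import hashlib
import struct
from collections import defaultdict

BUCKETS = 256  # toy table size; a real route cache is larger, the effect is the same


def weak_hash(ip):
    """Unkeyed toy hash (assumed for illustration): XOR of the four octets.
    Anyone who knows the function can choose inputs that all collide."""
    return (ip[0] ^ ip[1] ^ ip[2] ^ ip[3]) % BUCKETS


def keyed_hash(ip, key):
    """Keyed hash: the bucket depends on a secret the sender does not know,
    so chosen inputs land in unpredictable buckets however they were picked."""
    digest = hashlib.blake2b(ip, key=key, digest_size=4).digest()
    return struct.unpack("<I", digest)[0] % BUCKETS


def colliding_addresses(count):
    """Constructed attacker input: `count` distinct 10.b.c.d addresses whose
    octets XOR to zero, so weak_hash() maps every one of them to bucket 0."""
    addrs = []
    n = 1
    while len(addrs) < count:
        b, c = (n >> 8) & 0xFF, n & 0xFF
        addrs.append(bytes([0x0A, b, c, 0x0A ^ b ^ c]))
        n += 1
    return addrs


def insertion_cost(addrs, index_fn):
    """Insert every address into a table of chained buckets, scanning the
    chain for a duplicate first (as a route cache must).
    Returns (total_comparisons, longest_chain)."""
    chains = defaultdict(int)
    total = 0
    for ip in addrs:
        bucket = index_fn(ip)
        total += chains[bucket]   # walk everything already hashed here
        chains[bucket] += 1
    return total, max(chains.values())


if __name__ == "__main__":
    attack = colliding_addresses(4096)
    secret = b"per-boot random secret"   # placeholder; use os.urandom() for real
    for name, fn in (("unkeyed", weak_hash),
                     ("keyed", lambda ip: keyed_hash(ip, secret))):
        total, longest = insertion_cost(attack, fn)
        print(f"{name:8s} comparisons={total:>8d} longest chain={longest}")
```

With 4096 colliding addresses the unkeyed table does 4096*4095/2 comparisons
and ends with a single 4096-entry chain; the keyed table spreads the same
input over all buckets and does a few tens of thousands. The fix pattern, a
hash keyed with a secret chosen at boot, is what stops an attacker from
computing collisions in advance.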

*** {03.20.003} Linux - Linux 2.4 kernel ioperm vuln

EnGarde reported that the Linux 2.4 kernel contains a flaw in the
ioperm() function, potentially allowing an unprivileged local attacker
to access I/O ports of the system.

This vulnerability is confirmed.

Updated EnGarde RPMs:
http://archives.neohapsis.com/archives/bugtraq/2003-05/0169.html

Source: VulnWatch, EnGarde (SF Bugtraq)
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0076.html
http://archives.neohapsis.com/archives/bugtraq/2003-05/0169.html

- --- HP-UX News ---------------------------------------------------------

*** {03.20.011} HP-UX - ipcs local buffer overflow

HP released an advisory indicating the ipcs utility contains a buffer
overflow that can be exploited by a local user to gain elevated
privileges. No further details were released.

Update information is available at the reference URL below.

Source: HP
http://archives.neohapsis.com/archives/hp/2003-q2/0044.html

*** {03.20.012} HP-UX - Updated patches for previous vulnerabilities

The following is a list of HP-UX vendor patches for vulnerabilities
previously reported in Security Alert Consensus.

SSRT3555: kermit
http://archives.neohapsis.com/archives/hp/2003-q2/0044.html

SSRT3483: wall
http://archives.neohapsis.com/archives/hp/2003-q2/0044.html

Source: HP
http://archives.neohapsis.com/archives/hp/2003-q2/0044.html

- --- SGI News -----------------------------------------------------------

*** {03.20.008} SGI - Updated patches for previous vulnerabilities

The following is a list of SGI vendor patches for vulnerabilities
previously reported in Security Alert Consensus.

20030501-01-I: OpenSSL
http://archives.neohapsis.com/archives/vendor/2003-q2/0050.html

20030502-01-I: Mediabase (Apache and PHP)
http://archives.neohapsis.com/archives/vendor/2003-q2/0055.html

Source: SGI
http://archives.neohapsis.com/archives/vendor/2003-q2/0050.html
http://archives.neohapsis.com/archives/vendor/2003-q2/0055.html

- --- Network Devices News -----------------------------------------------

*** {03.20.006} NetDev - Cisco RTR/SAA malformed packet DoS

Cisco released an advisory indicating that routers with the Service
Assurance Agent (formerly known as Response Time Reporter) enabled can
be caused to crash when receiving a particular malformed RTR packet.
Various versions of IOS 12.x are affected.

This vulnerability is confirmed. Update information is listed at the
reference URL below.

Source: Cisco
http://archives.neohapsis.com/archives/cisco/2003-q2/0006.html

*** {03.20.013} NetDev - 3Com DSL router DHCP information leak

The 3Com 812 DSL router with firmware prior to version 1.1.9 reportedly
leaks previous network packet data within DHCP responses, potentially
exposing sensitive information.

The advisory indicates confirmation by the vendor, which released
firmware version 1.1.9.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-05/0148.html

- --- Cross-Platform News ------------------------------------------------

*** {03.20.004} Cross - Vulnerable PHP applications, 05/20

The following is a list of reportedly vulnerable third-party PHP CGI
applications. These vulnerabilities are not confirmed.

Poster version.two: admin auth bypass
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0068.html

VBulletin 3.0.0: cross-site scripting
http://archives.neohapsis.com/archives/bugtraq/2003-05/0152.html

PHP-Nuke 6.5: cross-site scripting, SQL tampering
http://archives.neohapsis.com/archives/bugtraq/2003-05/0153.html
http://archives.neohapsis.com/archives/bugtraq/2003-05/0200.html
http://archives.neohapsis.com/archives/bugtraq/2003-05/0217.html

PHP-Proxima 6.0: local file reading
http://archives.neohapsis.com/archives/bugtraq/2003-05/0155.html

OneOrZero 1.4rc4: SQL tampering, admin access
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0070.html

EzPublish 2.2: cross-site scripting
http://archives.neohapsis.com/archives/bugtraq/2003-05/0186.html

ttForum and ttCMS: SQL tampering, remote file code exec
http://archives.neohapsis.com/archives/bugtraq/2003-05/0202.html
http://archives.neohapsis.com/archives/bugtraq/2003-05/0215.html

Source: VulnWatch, SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0068.html
http://archives.neohapsis.com/archives/bugtraq/2003-05/0152.html
http://archives.neohapsis.com/archives/bugtraq/2003-05/0153.html
http://archives.neohapsis.com/archives/bugtraq/2003-05/0200.html
http://archives.neohapsis.com/archives/bugtraq/2003-05/0217.html
http://archives.neohapsis.com/archives/bugtraq/2003-05/0155.html
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0070.html
http://archives.neohapsis.com/archives/bugtraq/2003-05/0186.html
http://archives.neohapsis.com/archives/bugtraq/2003-05/0202.html
http://archives.neohapsis.com/archives/bugtraq/2003-05/0215.html

*** {03.20.005} Cross - lv config file mishandling

The lv file viewer reads configuration files from the current working
directory. This could allow a local attacker to plant trojaned
configuration files in directories where other users work, so that those
users unknowingly pick up the attacker's configuration the next time they
run lv there.

This vulnerability is confirmed.

Updated Debian DEBs:
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0603.html

Updated Red Hat RPMs:
http://archives.neohapsis.com/archives/linux/redhat/2003-q2/0058.html

Source: Debian, Red Hat
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0603.html
http://archives.neohapsis.com/archives/linux/redhat/2003-q2/0058.html

*** {03.20.007} Cross - Sendmail contrib scripts insecure file handling

Three utility programs included in the general Sendmail distribution
insecurely handle temporary files, potentially allowing a local attacker
to gain the privileges of the user running any of the utility programs.
The vulnerable programs include expn.pl, doublebounce.pl and
checksendmail.

This vulnerability is confirmed.

Updated Debian DEBs:
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0605.html

Source: Debian
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0605.html
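The insecure temporary-file pattern behind this item is a local attacker
pre-creating a symlink at a predictable /tmp name so that the victim's
script, opening that name without O_EXCL, writes through the link with the
victim's privileges. The following is an added example written for this
newsletter, not code from the Debian advisory or from the Sendmail contrib
scripts. Those scripts are Perl; the pattern is identical at the system-call
level, so Python is used here. The scenario is entirely constructed: a
private scratch directory stands in for /tmp, `expn.4242` stands in for a
PID-based name, and `victim.conf` stands in for whatever file the victim user
can write.

```python
"""Added example: predictable temp file (vulnerable) beside two safe variants.

Runs inside a private scratch directory so nothing on the real system is
touched.  The names and the victim file are constructed for illustration.
"""
import os
import shutil
import tempfile

PREDICTABLE = "expn.4242"   # stands in for a PID-based name an attacker can guess


def unsafe_write(tmpdir, data):
    """Vulnerable pattern: predictable name, O_CREAT without O_EXCL.
    If the path already exists (e.g. as an attacker's symlink) it is silently
    followed, truncated and overwritten with the caller's privileges."""
    path = os.path.join(tmpdir, PREDICTABLE)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o644)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def safe_write(tmpdir, data):
    """Preferred fix: mkstemp() picks an unpredictable name and creates it
    atomically with O_CREAT|O_EXCL and mode 0600, so nothing can be planted."""
    fd, path = tempfile.mkstemp(prefix="expn.", dir=tmpdir)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def safe_write_fixed_name(tmpdir, data):
    """If the name really must be fixed: O_EXCL makes creation atomic and
    refuses any pre-existing file or symlink (FileExistsError) instead of
    following it.  O_NOFOLLOW is added where the platform provides it."""
    path = os.path.join(tmpdir, PREDICTABLE)
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


def simulate_race():
    """Constructed scenario: the attacker wins the race by planting a symlink
    at the predictable name, pointing at a file only the victim can write,
    and then the victim runs each variant.  Returns what happened."""
    tmpdir = tempfile.mkdtemp()   # private stand-in for /tmp
    try:
        victim = os.path.join(tmpdir, "victim.conf")
        with open(victim, "wb") as fh:
            fh.write(b"original contents\n")
        os.symlink(victim, os.path.join(tmpdir, PREDICTABLE))   # attacker's move

        unsafe_write(tmpdir, b"attacker-chosen contents\n")     # victim runs the script
        with open(victim, "rb") as fh:
            clobbered = fh.read() != b"original contents\n"

        try:
            safe_write_fixed_name(tmpdir, b"output\n")
            refused = False
        except FileExistsError:
            refused = True

        mk_path = safe_write(tmpdir, b"output\n")
        mode_0600 = (os.stat(mk_path).st_mode & 0o777) == 0o600
        return {"unsafe_followed_symlink": clobbered,
                "excl_refused_planted_link": refused,
                "mkstemp_mode_is_0600": mode_0600}
    finally:
        shutil.rmtree(tmpdir)


if __name__ == "__main__":
    for check, result in simulate_race().items():
        print(f"{check}: {result}")
```

The unsafe variant overwrites `victim.conf` through the planted link; the
O_EXCL variant fails closed with FileExistsError; mkstemp() sidesteps the
race entirely and also gives the file a private mode. When auditing scripts
like the ones named above, look for a fixed or PID-derived name under /tmp
opened for writing without O_EXCL; in Perl that is typically `open(FH, ">/tmp/name.$$")`.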

*** {03.20.009} Cross - BEA WebLogic various password disclosure

BEA WebLogic Server and WebLogic Express versions 7.x allow a local
nonprivileged attacker to potentially recover WebLogic-related password
information.

The vendor confirmed these vulnerabilities and released Service Pack 2:
ftp://ftpna.beasys.com/pub/releases/security/CR104520_700sp2.zip

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-05/0151.html

*** {03.20.010} Cross - Multiple IMAP client overflows

A published report indicates that many IMAP clients are vulnerable to
various overflows when handling large amounts of data. In some cases,
this leads to a denial of service (the application crashes); in other
cases, it may lead to execution of arbitrary code. Vulnerable clients
include Pine, Evolution, kmail, Mozilla, mutt, Sylpheed, Outlook Express
and Eudora.

These vulnerabilities are not confirmed.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-05/0157.html

************************************************************************

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (BSD/OS)
Comment: For info see http://www.gnupg.org

iD8DBQE+zS4U+LUG5KFpTkYRAkTHAJ9mtIL9YiBvEQmJX0PIXbfwKQ3PkgCeOD/U
FLLn0KZm6BmNBLIZfX+sglw=
=gVNv
-----END PGP SIGNATURE-----
------------------------------------------------------------------------


Become a Security Alert Consensus member! If this e-mail was passed to
you and you would like to begin receiving our security e-mail newsletter
on a weekly basis, we invite you to subscribe today.
http://portal.sans.org

We are signing the Consensus newsletter with PGP. The new SANS PGP key
is posted at:
http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
also be accessed from the SANS Web site (http://www.sans.org).

To unsubscribe from this newsletter, or to edit your subscription
information, please go to: http://portal.sans.org

Missed an issue? You can find back issues of Security Alert Consensus
(and other SANS newsletters) online. http://www.sans.org/newsletters

Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.

Copyright (c) 2003 Network Computing, a CMP Media LLC publication. All
Rights Reserved. Distributed by Network Computing
(http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).