RISK: The Consensus Security Vulnerability Alert Vol. 3 No. 14B
From: The SANS Institute (ConsensusSecurityVulnerabilityAlert sans.org)
Date: Sun Apr 11 2004 - 22:30:43 CDT
Beginning with this issue, expect to see RISK arrive in your inbox on Monday mornings (or even Sunday evenings).
This issue includes a sad example of a vendor that ought to know better
(Cisco) hard-coding a user name and password into a system used to
manage wireless LANs. Is no one at Cisco teaching the engineers and
developers about how to avoid the most basic security errors? If
security matters at all at Cisco, the company should publicly identify
the project manager who made the error so other developers at the
company will think about security, if only to avoid public
embarrassment.
Alan
*************************************************************************
RISK: The Consensus Security Vulnerability Alert
April 12, 2004 Vol. 3. Week 14B
*************************************************************************
RISK is the SANS community's consensus bulletin summarizing the most
important vulnerabilities and exploits identified during the past week
and providing guidance on appropriate actions to protect your systems
(PART I). It also includes a comprehensive list of all new
vulnerabilities discovered in the past week (PART II).
- -----------------------------------------------------------------------
Summary of the vulnerabilities reported this week
Category - # of Updates & Vulnerabilities
(Found in Part I(Item #) or Part II)
- -----------------------------------------------------------------------
Windows - 1 (#3)
Third Party Windows Apps - 3 (#5)
Linux - 1
Solaris - 2
UNIX - 1
Cross Platform - 4 (#1, #4)
Web Application - 4
Network Device - 2 (#2)
Hardware - 1
- -----------------------------------------------------------------------
Part I Critical Vulnerabilities
Part I is compiled by the security team at TippingPoint
(www.tippingpoint.com) as a by-product of that company's continuous
effort to ensure that its intrusion prevention products effectively
block exploits using known vulnerabilities. TippingPoint's analysis is
complemented by input from a council of security managers from twelve
large organizations who confidentially share with SANS the specific
actions they have taken to protect their systems. A detailed
description of the process may be found at
http://www.sans.org/newsletters/cva/#process
Archives at http://www.sans.org/newsletters/
******************
Contents of Part I
Moderately Deployed Software
(1) HIGH: Oracle Application Server Web Cache Heap Overflow
(2) MODERATE: Cisco WLSE/HSE Devices Default Username And Password
(3) LOW: RealPlayer R3T File Processing Buffer Overflow
Other Software
(4) HIGH: Tildeslash monit Multiple Vulnerabilities
(5) MODERATE: Perl "win32_stat" Function Buffer Overflow
***********************************************************************
This Week's Featured Security Training Program:
SANSFIRE 2004 - 450,000 brochures arrived in mail boxes last week.
SANSFIRE offers you 14 immersion training tracks in one of the most
beautiful and romantic places in America - Monterey, California - in
early July. Phenomenal training for auditors who want to master the
challenges of security auditors, for managers who want to build a great
security program, for security beginners who want to get a fast start,
and, of course, the only place to go for technologists who want to
master the most current methods for protecting systems and networks.
SANSFire also offers lots of evening programs, extra one-day classes
ranging from security business law to cyberwarrior training, and vendor
exhibits, too.
Register soon to get a seat at your choice of courses.
http://www.sans.org/sansfire2004
***********************************************************************
*****************************
Moderately Deployed Software
*****************************
(1) HIGH: Oracle Application Server Web Cache Heap Overflow
Affected:
Oracle AS Web Cache 10g
Oracle 9iAS Web Cache versions 9.0.3.1.0, 9.0.2.3.0 and 2.0.0.4.0
Description: Oracle Web Cache is typically positioned between an
application web server and client browsers to speed up the delivery of
the web content to the client browsers. The Web Cache is reported to
contain a heap-based buffer overflow vulnerability that can be triggered
by an HTTP request with an overlong HTTP method. The flaw can possibly
be exploited to execute arbitrary code with "SYSTEM" privileges on
Windows platforms, and "Oracle" privileges on Unix/Linux platforms. Note
that when the Web Cache listens on standard HTTP/HTTPS ports, firewalls
may not offer protection against this vulnerability. The technical
details required to exploit the flaw have been posted.
Status: Vendor confirmed, patches available. Although the patch was
posted by Oracle earlier, the discoverer first released the technical
details on April 8th.
Council Site Actions: Three of the reporting council sites are using
Oracle software. One site is still investigating whether the Web Cache
software is used and is vulnerable. Another site does not believe that
any of their Oracle installations use the Web Cache option, thus they
are not taking any action at this time. The third site has notified
their Oracle support staff and plans to test and deploy the patches
soon.
References:
Posting by Ioannis Migadakis
http://archives.neohapsis.com/archives/vulnwatch/2004-q1/0078.html
Oracle Security Advisory
http://otn.oracle.com/deploy/security/pdf/2004alert66.pdf
Oracle Web Cache
http://otn.oracle.com/products/ias/web_cache/pdf/OracleAS-Web-Cache-10g-904-twp.pdf
SecurityFocus BID
http://www.securityfocus.com/bid/9868
******************************************************************
(2) MODERATE: Cisco WLSE/HSE Devices Default Username And Password
Affected:
Wireless LAN Solution Engine versions 2.0, 2.0.2 and 2.5
Hosting Solution Engine versions 1.7, 1.7.1, 1.7.2 and 1.7.3
Description: Cisco Wireless LAN Solution Engine (WLSE) is used to manage
wireless LANs, and the Cisco Hosting Solution Engine (HSE) is used to
monitor the e-business services in Cisco powered data centers. All the
releases of the WLSE and HSE software have a default hard-coded username
and password. A remote attacker can use the hard-coded
username/password to log in and gain complete control over the WLSE/HSE
device.
Status: Vendor confirmed, patches available. Note that the default
username cannot be disabled; hence there are no possible workarounds.
Council Site Actions: One reporting council site is using the affected
software. However, they say they have other administration
usernames/passwords set and are not using the default username/password.
Thus no action was needed.
References:
Cisco Security Advisory
http://www.cisco.com/warp/public/707/cisco-sa-20040407-username.shtml
CERT Advisory
http://www.kb.cert.org/vuls/id/659228
WLSE Documentation
http://www.cisco.com/en/US/products/sw/cscowork/ps3915/index.html
HSE Documentation
http://www.cisco.com/en/US/products/sw/cscowork/ps150/index.html
SecurityFocus BID
http://www.securityfocus.com/bid/10076
****************************************************************
(3) LOW: RealPlayer R3T File Processing Buffer Overflow
Affected:
RealPlayer version 8, 10 Beta and Enterprise
RealOne Player version 2
Description: RealPlayer is one of the popular internet media players
that reportedly has a user base of over 200 million. The player contains
a stack-based buffer overflow vulnerability in the plug-in responsible
for loading the Real Text 3D (".r3t") media files. The flaw can be
exploited by a webpage delivering a crafted "r3t" media file to execute
arbitrary code on a client system. The code would execute at the
privilege level of the logged-on user. Alternatively, an attacker can
also send the crafted media file as an email attachment. Very limited
technical details required to exploit the flaw have been posted.
Status: Vendor confirmed, update available. Note that the vulnerable
r3t plug-in is not installed by default.
Council Site Actions: All council sites commented that although
RealPlayer is not part of their standard desktop image, they assume it
is widely used among the users. Given the non-support status of the
software, none of the council sites plan to address the issue. One site
did post the vulnerability notice to their central support email list.
References:
Posting by Mark Litchfield
http://archives.neohapsis.com/archives/vulnwatch/2004-q1/0077.html
RealNetworks Advisory
http://service.real.com/help/faq/security/040406_r3t/en/
SecurityFocus BID
http://www.securityfocus.com/bid/10070
******************************
Other Software
******************************
(4) HIGH: Tildeslash monit Multiple Vulnerabilities
Affected: monit version 4.2 and prior, version 4.3 beta 2 and prior
Description: Tildeslash's monit utility is designed to manage and
monitor files, devices and processes on Unix systems. A monit server
can be configured with HTTP(S) support to allow remote management via
the web. This webserver contains the following vulnerabilities: (a) An
overlong username (over 256 bytes) during basic authentication can
trigger a stack-based buffer overflow. (b) An HTTP "POST" request 1024
bytes long can trigger an off-by-one overflow. (c) An HTTP "POST" request
with a negative content-length can trigger a heap-based buffer overflow.
Some of these flaws can possibly be exploited to execute arbitrary code
with monit's privileges (typically root). Exploit code has been
publicly posted.
Status: Vendor confirmed. Upgrade to version 4.2.1 or 4.3 Beta 3. A
workaround is to restrict access to monit's webserver from the
Internet.
Council Site Actions: The affected software is not in production or
widespread use at any of the council sites. They reported that no action
was necessary.
References:
Posting by Matt Murphy
http://archives.neohapsis.com/archives/vulnwatch/2004-q1/0076.html
Exploit Code
http://www.securityfocus.com/archive/1/359972/2004-04-07/2004-04-13/0
monit httpd configuration
http://www.tildeslash.com/monit/monit.html#monit%20httpd
Vendor Homepage
http://www.tildeslash.com/monit/index.html
SecurityFocus BID
http://www.securityfocus.com/bid/10051
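A request-level check covering the HTTP parsing flaws in items (1) and (4) above: the overlong request method reported against Oracle Web Cache, and monit's overlong Basic-auth username, 1024-byte POST and negative Content-Length. This is an added example written for this issue, not code from Oracle, Tildeslash or either advisory; the thresholds, host names and sample requests are constructed.

```python
import base64
import binascii

# Thresholds are constructed for this example, not taken from any vendor.
# The monit advisory cites a >256-byte Basic-auth username and a 1024-byte
# POST as triggers; the Oracle one an overlong request method.
MAX_METHOD_LEN = 16       # longest registered WebDAV methods are 16 bytes
MAX_BASIC_USER_LEN = 255  # stay below monit's reported 256-byte trigger
MAX_BODY_LEN = 1023       # stay below monit's reported 1024-byte trigger


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, target, version, headers,
    body); return None when the request line or a header is malformed."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        return None
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if not colon:
            return None
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], parts[2], headers, body


def check_request(raw: bytes) -> list:
    """Return the list of findings for one request (empty list == no issue)."""
    parsed = parse_request(raw)
    if parsed is None:
        return ["malformed request line or header"]
    method, _target, _version, headers, body = parsed
    findings = []
    if len(method) > MAX_METHOD_LEN:
        findings.append(f"overlong HTTP method ({len(method)} bytes)")
    auth = headers.get(b"authorization", b"")
    if auth[:6].lower() == b"basic ":
        try:
            creds = base64.b64decode(auth[6:], validate=True)
        except binascii.Error:
            findings.append("undecodable Basic credentials")
        else:
            user = creds.split(b":", 1)[0]
            if len(user) > MAX_BASIC_USER_LEN:
                findings.append(f"overlong Basic username ({len(user)} bytes)")
    length = headers.get(b"content-length")
    if length is not None:
        if not length.isdigit():   # rejects "-1" and anything non-numeric
            findings.append(f"non-numeric or negative Content-Length {length!r}")
        elif int(length) > MAX_BODY_LEN:
            findings.append(f"oversized Content-Length {int(length)}")
    if len(body) > MAX_BODY_LEN:
        findings.append(f"oversized body ({len(body)} bytes)")
    return findings


# Constructed sample requests (not captured traffic).
SAMPLE_REQUESTS = {
    "benign": b"GET /index.html HTTP/1.1\r\nHost: cache.example\r\n\r\n",
    "overlong_method": b"A" * 300 + b" / HTTP/1.1\r\nHost: cache.example\r\n\r\n",
    "overlong_user": (b"GET /monit HTTP/1.1\r\nHost: monit.example\r\n"
                      b"Authorization: Basic "
                      + base64.b64encode(b"u" * 300 + b":secret") + b"\r\n\r\n"),
    "negative_length": (b"POST /monit HTTP/1.1\r\nHost: monit.example\r\n"
                        b"Content-Length: -1\r\n\r\n"),
    "big_post": (b"POST /monit HTTP/1.1\r\nHost: monit.example\r\n"
                 b"Content-Length: 1024\r\n\r\n" + b"x" * 1024),
}


def scan_samples() -> dict:
    """Run every sample through check_request; returns {name: findings}."""
    return {name: check_request(raw) for name, raw in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, findings in scan_samples().items():
        print(f"{name}: {findings or 'ok'}")
```

The same checks can be placed in front of any service that must keep listening on standard HTTP ports while a patch is tested, which is the situation the Oracle item notes firewalls do not cover.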
****************************************************************
(5) MODERATE: Perl "win32_stat" Function Buffer Overflow
Affected: ActiveState ActivePerl versions 5.6, 5.7, 5.8 and 5.9 dev
Larry Wall Perl 5.0.x, 5.6 and 5.8
Description: Perl is a widely used scripting language for web
applications. Perl's "stat" function takes a filename as an argument and
returns information such as the file's owner, creation time etc.
"win32_stat" is a wrapper for the "stat" function in Perl on the Windows
platform. This function contains a buffer overflow vulnerability that
can be triggered by passing an overlong filename ending in a backslash
character. It is possible that the flaw can be exploited to execute
arbitrary code if user-supplied input is passed to this function
without any sanitization. For example, a Perl script on a webserver
receiving user input for the pathname variable may be vulnerable. The
technical details required to exploit the flaw have been posted.
Status: Vendor confirmed, updates available.
Council Site Actions: Several council sites commented that they are
running Perl on Windows systems. However, they are not aware of any cases
where Perl is running on a web server in the vulnerable configuration.
Thus, no action is needed.
References:
iDefense Advisory
http://www.idefense.com/application/poi/display?id=93&type=vulnerabilities&flashstatus=true
Unix stat() Function
http://unixhelp.ed.ac.uk/CGI/man-cgi?stat+2
SecurityFocus BID
http://www.securityfocus.com/bid/10050
====================================================================
______________________________________________________________________
Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 14 (update) 2004
______________________________________________________________________
This list is compiled by Qualys ( www.qualys.com ) as part of that
company's ongoing effort to ensure its vulnerability management web
service tests for all known vulnerabilities that can be scanned. As of
this week Qualys scans for 3362 unique vulnerabilities. For this
special SANS community listing, Qualys also includes vulnerabilities
that can not be scanned remotely.
______________________________________________________________________
Summary of Updates and Vulnerabilities in this Consensus
Platform Number of Updates and Vulnerabilities
- ------------------------ -------------------------------------
Third Party Windows Apps 3
Linux 1
Solaris 2
Unix 1
Cross Platform 4
Web Application 4
Network Device 2
Hardware 1
______________________________________________________________________
04.14b.1 - Third Party Windows Apps - Floosietek FTGate Mail Server Path
Disclosure
04.14b.2 - Third Party Windows Apps - Blaxxun Contact 3D Browser Plug-In
Buffer Overrun
04.14b.3 - Third Party Windows Apps - Symantec Security Check COM Object
Buffer Overflow
04.14b.4 - Linux - Suse YaST Insecure Local File Creation
04.14b.5 - Solaris - Sun Solaris Secure Shell Daemon Logging
Circumvention
04.14b.6 - Solaris - Sun Cluster Global File System Denial of Service
04.14b.7 - Unix - HP OpenView Remote Authentication Bypass
04.14b.8 - Cross Platform - Ada ImgSvr Buffer Overflow
04.14b.9 - Cross Platform - Open WebMail Arbitrary Directory Creation
04.14b.10 - Cross Platform - Mail Non-Delivery Notice "Mail Bomb" Attack
04.14b.11 - Cross Platform - Crackalaka IRC Server Remote Denial of
Service
04.14b.12 - Web Application - McAfee FreeScan Information Disclosure
04.14b.13 - Web Application - NukeCalendar Multiple Vulnerabilities
04.14b.14 - Web Application - AzDGDatingLite Multiple Cross-Site
Scripting Vulnerabilities
04.14b.15 - Web Application - 1st Class Mail Server Multiple Input
Validation Vulnerabilities
04.14b.16 - Network Device - Cisco IOS Malformed IKE Packet Denial of
Service
04.14b.17 - Network Device - Cisco Wireless LAN Solution Engine WLSE/HSE
Devices Default Credentials
04.14b.18 - Hardware - Intel Motherboard Remote Configuration
Authentication Bypass
______________________________________________________________________
04.14b.1 CVE: Not Available
Platform: Third Party Windows Apps
Title: Floosietek FTGate Mail Server Path Disclosure
Description: The FTGate mail server is reportedly vulnerable to an
installation path disclosure vulnerability. This happens when the
"inbox/message.fts" script runs into an error condition. This issue
was reported for version 1.2 of the software.
Ref: http://members.lycos.co.uk/r34ct/main/FTGateOfficeFTGatePro%20V1.2.txt
______________________________________________________________________
04.14b.2 CVE: Not Available
Platform: Third Party Windows Apps
Title: Blaxxun Contact 3D Browser Plug-In Buffer Overrun
Description: Blaxxun Contact 3D is an application used to produce
dynamic web content. A buffer overrun vulnerability exists in the
"x-cc3d" browser plug-in. The vulnerability could result in arbitrary
code execution. The affected version is Blaxxun Platform 7.
Ref: http://theinsider.deep-ice.com/texts/advisory52.txt
______________________________________________________________________
04.14b.3 CVE: Not Available
Platform: Third Party Windows Apps
Title: Symantec Security Check COM Object Buffer Overflow
Description: Symantec Virus Detection is a web-based virus scanner
that can be used from within a web browser. The site uses a COM
object that is installed on the system when the user navigates to the
Symantec Security Check web site. This object is vulnerable to a
buffer overflow attack which may be exploited by a specially
constructed web page.
Ref: http://theinsider.deep-ice.com/texts/advisory55.txt
______________________________________________________________________
04.14b.4 CVE: Not Available
Platform: Linux
Title: Suse YaST Insecure Local File Creation
Description: Suse YaST Online Update creates temporary work
directories in a predictable location without checking for a
pre-existing directory. Users with local access may create a malicious
symlink which could potentially result in sensitive files being
overwritten when the update is executed by an administrator.
Ref: http://www.excluded.org/advisories/advisory12.txt
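The predictable-work-directory pattern described above beside a hardened alternative, as an added example that is not YaST's code; the /tmp/yast-work path, the "sandbox" directory and the planted symlink are constructed for illustration and the replay runs entirely inside a private temporary directory.

```python
import os
import stat
import tempfile

PREDICTABLE_DIR = "/tmp/yast-work"   # hypothetical fixed location, not YaST's


def predictable_workdir(path: str = PREDICTABLE_DIR) -> str:
    """Risky pattern: a fixed path, silently accepted if it already exists.
    os.path.isdir() follows symlinks, so a link planted at `path` by a local
    user passes the check, and every file later written 'into' the work dir
    lands wherever the link points."""
    if not os.path.isdir(path):
        os.mkdir(path)
    return path


def safe_workdir(prefix: str = "yast-work-") -> str:
    """Hardened pattern: unpredictable name, created atomically with mode 0700
    (mkdtemp fails instead of reusing an existing entry)."""
    return tempfile.mkdtemp(prefix=prefix)


def verify_workdir(path: str) -> bool:
    """Re-check before use: a real directory (lstat does not follow symlinks),
    owned by the caller, and not writable by group or others."""
    st = os.lstat(path)
    return (stat.S_ISDIR(st.st_mode)
            and st.st_uid == os.getuid()
            and not st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def demo() -> dict:
    """Replay the symlink trick inside a private sandbox and report whether
    each pattern's work directory survives verification."""
    sandbox = tempfile.mkdtemp(prefix="sandbox-")
    victim = os.path.join(sandbox, "sensitive")
    os.mkdir(victim)
    planted = os.path.join(sandbox, "yast-work")
    os.symlink(victim, planted)             # the local user's pre-planted link
    used = predictable_workdir(planted)     # accepts the symlink as its work dir
    predictable_ok = verify_workdir(used)   # False: it is a symlink to `victim`
    safe = safe_workdir()
    safe_ok = verify_workdir(safe)          # True: fresh 0700 directory we own
    os.rmdir(safe)
    os.unlink(planted)
    os.rmdir(victim)
    os.rmdir(sandbox)
    return {"predictable_ok": predictable_ok, "safe_ok": safe_ok}


if __name__ == "__main__":
    print(demo())
```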
______________________________________________________________________
04.14b.5 CVE: Not Available
Platform: Solaris
Title: Sun Solaris Secure Shell Daemon Logging Circumvention
Description: Secure Shell Daemon is an SSH Server that ships with Sun
Solaris 9.0. A logging abnormality has been uncovered that could
result in client connections being incorrectly attributed to
"0.0.0.0". A remote user attempting to compromise the SSH server could
have their IP obfuscated in the logs. Affected systems have
"ListenAddress" set to "0.0.0.0" in the "sshd_config" file.
Ref: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/57538
______________________________________________________________________
04.14b.6 CVE: Not Available
Platform: Solaris
Title: Sun Cluster Global File System Denial of Service
Description: A race condition has been discovered in the Global File
System component of Sun Cluster. Malicious local users may exploit
this flaw to cause a cluster node to panic, requiring a restart to
resume normal functionality. The issue is known to affect Sun Cluster
3.0 and 3.1 for Solaris 8 and 9.
Ref: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/57502
______________________________________________________________________
04.14b.7 CVE: Not Available
Platform: Unix
Title: HP OpenView Remote Authentication Bypass
Description: HP OpenView for Solaris and HP-UX operating systems is
reportedly vulnerable to an authentication bypass issue. This issue
was reported by the vendor for versions 6.x and 7.x of the software.
Ref: http://www4.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBMA01010
______________________________________________________________________
04.14b.8 CVE: Not Available
Platform: Cross Platform
Title: Ada ImgSvr Buffer Overflow
Description: ImgSvr is a server that facilitates sharing image files
through a web interface. It is available for Linux and Microsoft
Windows operating systems. A remote buffer overflow has been reported
that could allow a remote attacker to crash the ImgSvr or potentially
launch arbitrary code. The vulnerable version is ImgSvr 0.4.
Ref: http://members.lycos.co.uk/r34ct/main/ADA%20Image%20Server%20(ImgSvr)%200.4.txt
______________________________________________________________________
04.14b.9 CVE: Not Available
Platform: Cross Platform
Title: Open WebMail Arbitrary Directory Creation
Description: Open WebMail provides a web-based user interface for
reading e-mail. A problem has been identified with the application
which may allow remote users to create directories on the vulnerable
host. All releases of Open WebMail are affected. A vendor fix is
available in the product's CVS tree.
Ref: http://openwebmail.org/openwebmail/doc/changes.txt
______________________________________________________________________
04.14b.10 CVE: Not Available
Platform: Cross Platform
Title: Mail Non-Delivery Notice "Mail Bomb" Attack
Description: Many mail servers accept all mail for the domain they
are responsible for, without checking whether the recipient exists.
It becomes a problem when the mail server returns a "Non-Delivery
Notice" for each non-existent user and includes the original email
text and attachments.
Ref: http://www.techzoom.net/paper-mailbomb.asp
______________________________________________________________________
04.14b.11 CVE: Not Available
Platform: Cross Platform
Title: Crackalaka IRC Server Remote Denial of Service
Description: The Crackalaka IRC server is reportedly vulnerable to a
remote denial of service condition. This occurs when an excessive
amount of random data is received. The "hash_strcmp" function
references incorrect areas in memory thus crashing the process. This
has been reported for version 1.0.8.
Ref: http://www.autistici.org/fdonato/advisory/crackalaka1.0.8-adv.txt
______________________________________________________________________
04.14b.12 CVE: Not Available
Platform: Web Application
Title: McAfee FreeScan Information Disclosure
Description: McAfee FreeScan is a web-based virus detection service.
The "McFreeScan.CoMcFreeScan.1" COM object fails to validate access
credentials. This may allow malicious users to access sensitive
information.
Ref: http://theinsider.deep-ice.com/texts/advisory54.txt
______________________________________________________________________
04.14b.13 CVE: Not Available
Platform: Web Application
Title: NukeCalendar Multiple Vulnerabilities
Description: NukeCalendar is a calendar module for PHP-Nuke. A path
disclosure issue is exposed when an invalid request is issued to the
calendar module. Insufficient sanitization of the "eid" URI parameter
exposes SQL injection and cross-site scripting vulnerabilities. The
affected version is NukeCalendar v1.1.a.
Ref: http://www.zone.ee/waraxe/?modname=sa&id=015
______________________________________________________________________
04.14b.14 CVE: Not Available
Platform: Web Application
Title: AzDGDatingLite Multiple Cross-Site Scripting Vulnerabilities
Description: AzDGDatingLite is a web-based dating application. It is
reportedly vulnerable to multiple cross-site scripting conditions.
This is due to insufficient user-input validation in the "index.php"
and "view.php" scripts. It has been reported for version 2.1.1 of the
package.
Ref: http://archives.neohapsis.com/archives/bugtraq/2004-04/0086.html
______________________________________________________________________
04.14b.15 CVE: Not Available
Platform: Web Application
Title: 1st Class Mail Server Multiple Input Validation
Vulnerabilities
Description: 1st Class Mail Server is a web-based mail server.
Insufficient sanitization of user-supplied data in the "MessageIndex"
and "Mailbox" parameters exposes various cross-site scripting
problems. A "../" directory traversal string allows access to the
files outside the web server root.
Ref: http://members.lycos.co.uk/r34ct/main/1st%20Class%20mail%20server%204.01.txt
______________________________________________________________________
04.14b.16 CVE: Not Available
Platform: Network Device
Title: Cisco IOS Malformed IKE Packet Denial of Service
Description: Cisco IOS is susceptible to a remotely exploitable denial
of service attack. The condition may be triggered by sending malformed
IKE packets to the device. This will cause the device to crash and
reboot. The issue is known to affect Catalyst 6500 Series Switches and
7600 Series Routers which have the VPN services module installed.
Ref: http://www.cisco.com/warp/public/707/cisco-sa-20040408-vpnsm.shtml
______________________________________________________________________
04.14b.17 CVE: Not Available
Platform: Network Device
Title: Cisco Wireless LAN Solution Engine WLSE/HSE Devices Default
Credentials
Description: Cisco Wireless LAN Solution Engine (WLSE) is a management
device for Cisco Wireless devices. Cisco Hosting Solution Engine (HSE)
is a device used to monitor Cisco devices in hosted environments. In
both systems, a default username and password credential set has been
identified. The credential set allows for complete administrative
control. WLSE version 1.7.x and HSE version 2.x are affected.
Ref: http://www.cisco.com/warp/public/707/cisco-sa-20040407-username.shtml
______________________________________________________________________
04.14b.18 CVE: Not Available
Platform: Hardware
Title: Intel Motherboard Remote Configuration Authentication Bypass
Description: Intel motherboards that ship with Intel Server Control
and Server Management enabled are affected by a misconfiguration
problem. Due to an improper firmware setting, unauthorized users can
gain access to the management interface of the motherboard. Affected
versions include Intel Server Control 3.x and Intel Server Management
5.x.
Ref: http://support.intel.com/support/motherboards/server/sb/CS-010422.htm
______________________________________________________________________
(c) 2004. All rights reserved. The information contained in this
newsletter, including any external links, is provided "AS IS," with no
express or implied warranty, for informational purposes only. In some
cases, copyright for material in this newsletter may be held by a
party other than Qualys (as indicated herein) and permission to use
such material must be requested from the copyright owner.
==END OF PART II==
Subscriptions:
RISK is distributed free of charge to people
responsible for managing and securing information systems and networks.
You may forward this newsletter to others with such responsibility
inside or outside your organization.
To subscribe, at no cost, go to https://portal.sans.org where you may
also request subscriptions to any of SANS other free newsletters.
To change your subscription, address, or other information, visit
http://portal.sans.org
Copyright 2004. All rights reserved. No posting or reuse allowed,
other than listed above, without prior written permission.