
Network Computing Security Express #015


Network Computing Express (expresslist.nwc.com)
Thu, 14 Oct 1999 08:02:33 -0600


Network Computing Security Express #015
10/14/99
-- Number 015 ------------------------------------------------------------

Welcome to the latest edition of Security Express! Below you should
find only the information pertaining to the categories you requested.
Please bear in mind that you may have little or no information in
particular categories--this means no security problems pertaining to
those categories were found this week. If you have any problems or
questions, please e-mail us at expressnwc.com.

Enjoy Security Express!

--------------------------------------------------------------------------

Now you can get the scoop on the newest security products with Security
Express! Each week, you'll receive new security product announcements
from leaders in computer and information security. If you would not
like to receive this new source of security industry news, simply log
in to your existing Security Express newsletter profile page at:
http://www.0mm.com/express/login.html (that is zero-M-M) and select
the "Check this box if you would NOT like to receive periodic product
announcements from security vendors" option.

Don't miss these exciting alerts on the latest security products!

If you have any problems or questions, please e-mail us at
expressnwc.com.

If this e-mail was passed to you and you would like to begin receiving
our e-mail newsletter on a weekly basis, we invite you to subscribe
today. Just go to http://www.networkcomputing.com/express/ to become a
Security Express member.

Looking for the latest IT security news, trends and opinions...plus a
chance to discuss vital issues with other security experts like
yourself? Come to Planet IT's Security Technology Center. Planet IT is
the community for IT professionals. Visit the Security Tech Center at:
http://www.PlanetIT.com/techcenters/security

Until next week,
-Security Express Team

-------------------------------------------------------------------------

Access Point QVPN
Xedia
Available now
Xedia Access Point QVPN integrates IP routing, QoS, VPN security, and
firewall services in a single high-performance platform supporting both
site-to-site and remote-access VPNs.
For more details, see: www.xedia.com

PIX Firewall V5.0
Cisco
Available now
Cisco PIX Firewall version 5.0 is a new solution that brings secure IPSec
VPN (virtual private network) capabilities to the market-leading PIX
firewall family--at little or no additional cost to customers.
For more details, see: www.cisco.com

---------------------------------------------------------

Key Area: Windows
Key Element: Information Publishing

File retrieval via Jana Web server
The Jana 1.0 Web server lets a remote attacker
retrieve any file by using a URL that contains /....../.
This is similar to the Personal Web Server bug previously
discovered.

-No patches have been made available. We suggest
disabling the Jana Web server until an update is available.

Source: Bugtraq
http://www.security-express.com/archives/bugtraq/1225.html
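
An added detection example (not part of the advisory): a POSIX sh/awk filter that flags web-server log entries whose request path carries a traversal sequence, including the /....../ form reported for Jana 1.0 and the percent-encoded and backslash variants. The log lines are constructed for the example; the function and file names are my own.

```shell
#!/bin/sh
# Added example, not from the advisory: flag common-log-format entries whose
# request path contains a directory-traversal sequence. Besides the classic
# "../" it catches the "/....../" form the Jana 1.0 report describes (any run
# of two or more dots between slashes), the "%2e%2e" encoding and Windows
# backslash separators. Double encoding (%252e) is deliberately not decoded.

# traversal_hits LOGFILE: print every log line whose request path looks like traversal
traversal_hits() {
    awk '
        # The request field is "METHOD PATH PROTO"; take PATH out of it.
        match($0, /"[A-Z]+ [^ "]+/) {
            req  = substr($0, RSTART + 1, RLENGTH - 1)
            split(req, p, " "); path = tolower(p[2])
            gsub(/%2e/, ".", path)      # percent-encoded dot
            gsub(/%2f/, "/", path)      # percent-encoded slash
            gsub(/%5c/, "/", path)      # percent-encoded backslash
            gsub(/\\/,  "/", path)      # literal backslash (Windows servers)
            if (path ~ /(^|\/)\.\.+(\/|$)/) print
        }' "$1"
}

# traversal_count LOGFILE: number of flagged lines
traversal_count() { traversal_hits "$1" | awk 'END { print NR }'; }

# Constructed sample log (not real traffic); file names are placeholders.
make_sample_log() {   # make_sample_log FILE
    cat > "$1" <<'EOF'
10.0.0.5 - - [14/Oct/1999:08:02:33 -0600] "GET /index.html HTTP/1.0" 200 512
10.0.0.5 - - [14/Oct/1999:08:02:40 -0600] "GET /images/../index.html HTTP/1.0" 200 512
10.0.0.9 - - [14/Oct/1999:08:03:01 -0600] "GET /....../notes.txt HTTP/1.0" 200 120
10.0.0.9 - - [14/Oct/1999:08:03:05 -0600] "GET /%2e%2e/%2e%2e/settings.txt HTTP/1.0" 200 80
10.0.0.7 - - [14/Oct/1999:08:03:20 -0600] "GET /docs/notes..txt HTTP/1.0" 404 0
10.0.0.7 - - [14/Oct/1999:08:03:25 -0600] "GET /a/..\..\readme.txt HTTP/1.0" 200 0
EOF
}

# Demo on the constructed sample (real use: traversal_hits /var/log/access.log)
f=$(mktemp); make_sample_log "$f"
echo "$(traversal_count "$f") suspicious request(s):"; traversal_hits "$f"
rm -f "$f"
```

The fifth sample line ("notes..txt") is a legitimate file name and is not flagged, since only dot runs bounded by slashes count.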

---------------------------------------------------------

Key Area: Windows
Key Element: Applications

Denial of service in Omni-NFS
Reports indicate that Omni-NFS/X Enterprise version 6.1
can be knocked out (denial of service) by running various
types of stealth port scans against the server.

-No patches have been made available.

Source: Bugtraq
http://www.security-express.com/archives/bugtraq/1195.html

----

New patch for "ODBC Vulnerabilities"
Microsoft has released a new patch for the "ODBC
Vulnerabilities" previously described in MS99-030. The
patch has been expanded to include a fix for the
"Text I-ISAM" vulnerability, where one could modify
files via ODBC queries.

-FAQ and patch:
http://www.microsoft.com/security/bulletins/MS99-030faq.asp

Source: Microsoft
http://www.security-express.com/archives/vendor/0112.html

----

Patch available for IE "Download Behavior" vulnerability
Microsoft has released a patch for Internet Explorer 5
that prevents a malicious Web site from downloading
known files from an end user's computer.

-Patch and FAQ:
http://www.microsoft.com/security/bulletins/MS99-040faq.asp

Source: Microsoft
http://www.security-express.com/archives/vendor/0113.html

----

IE "IFRAME ExecCommand" vulnerability
Microsoft has announced another vulnerability in
Internet Explorer 5 that may allow malicious Web sites to
view files on the end user's computer.

-Temporary workaround and FAQ:
http://www.microsoft.com/security/bulletins/MS99-042faq.asp

Source: Microsoft
http://www.security-express.com/archives/vendor/0114.html

----

Improper registry permissions on "User Shell Folders"
Windows NT workstation and server have insecure
permissions on the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Startup
This key holds the path of the common Startup folder, whose
contents are run for every user who logs in. A malicious
user can point it at another directory that contains trojans
and other programs.

-We recommend you allow Authenticated Users 'Read'
access only.

Source: NTBugtraq
http://www.security-express.com/archives/ntbugtraq/0264.html

---------------------------------------------------------

Key Area: Linux and BSD
Key Element: Applications

RedHat 6.x allows rhosts logins
A bug in the PAM configuration for rlogin on RedHat 6.x
allows anyone to log in via rhosts even if /etc/nologin
exists: pam_rhosts_auth.so is marked "sufficient" and is
listed first, so a successful rhosts match ends the auth
stack before pam_nologin.so is ever consulted.

-Swap the order of the following two lines in
/etc/pam.d/rlogin so that pam_nologin.so appears first:
auth required /lib/security/pam_nologin.so
auth sufficient /lib/security/pam_rhosts_auth.so

Source: Bugtraq
http://www.security-express.com/archives/bugtraq/1222.html
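
An added example (not from the advisory or RedHat): a POSIX sh/awk checker that reports whether a PAM service file lists pam_nologin.so before pam_rhosts_auth.so in its auth stack, plus a helper that prints the file with the line moved. The sample rlogin file is constructed to reproduce the ordering described above; function names are my own.

```shell
#!/bin/sh
# Added example, not part of the advisory: audit and repair the module order
# in a PAM service file such as /etc/pam.d/rlogin. PAM walks the "auth" stack
# top to bottom; a "sufficient" module that succeeds ends the stack at once,
# so a pam_rhosts_auth.so line above pam_nologin.so means a matching .rhosts
# entry is accepted without /etc/nologin ever being checked.

# pam_order_ok FILE: exit 0 if pam_nologin.so precedes pam_rhosts_auth.so in
# the auth stack (or rhosts auth is not used at all), exit 1 otherwise.
pam_order_ok() {
    awk '$1 == "auth" && $3 ~ /pam_nologin\.so/     && !n { n = NR }
         $1 == "auth" && $3 ~ /pam_rhosts_auth\.so/ && !r { r = NR }
         END { if (r == 0) exit 0; if (n == 0 || n > r) exit 1; exit 0 }' "$1"
}

# pam_fix FILE: print FILE with its auth pam_nologin.so line moved directly
# above the first auth pam_rhosts_auth.so line (the advisory's fix). Output
# goes to stdout so it can be reviewed before replacing the real file.
pam_fix() {
    if pam_order_ok "$1"; then cat "$1"; return 0; fi
    nl=$(awk '$1 == "auth" && $3 ~ /pam_nologin\.so/ { print; exit }' "$1")
    [ -n "$nl" ] || return 1          # nothing to move: stack lacks pam_nologin
    awk -v nl="$nl" '
        $1 == "auth" && $3 ~ /pam_rhosts_auth\.so/ && !moved { print nl; moved = 1 }
        $1 == "auth" && $3 ~ /pam_nologin\.so/ && moved && !dropped { dropped = 1; next }
        { print }' "$1"
}

# Constructed sample: the ordering the advisory describes, then the repaired file.
make_samples() {   # make_samples DIR -> writes DIR/rlogin.bad and DIR/rlogin.fixed
    printf '%s\n' \
        '#%PAM-1.0' \
        'auth       sufficient   /lib/security/pam_rhosts_auth.so' \
        'auth       required     /lib/security/pam_nologin.so' \
        'auth       required     /lib/security/pam_securetty.so' \
        'account    required     /lib/security/pam_pwdb.so' > "$1/rlogin.bad"
    pam_fix "$1/rlogin.bad" > "$1/rlogin.fixed"
}

# Demo on the constructed samples (real use: pam_order_ok /etc/pam.d/rlogin)
d=$(mktemp -d); make_samples "$d"
for f in "$d/rlogin.bad" "$d/rlogin.fixed"; do
    if pam_order_ok "$f"; then echo "ok:  $f"; else echo "BAD: $f"; fi
done
rm -rf "$d"
```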

---------------------------------------------------------

Key Area: Other
Key Element: Messaging

New version of rpmmail is available
Rpmmail 1.4-2 is now available; it fixes a recently found
security problem that allowed a remote attacker to run
commands on the system through the mail server.

-You can download either of the following packages:
ftp://reedycreek.com/reedycreek/rpmmaildemo/rpmmail-1.4.tar.gz
ftp://reedycreek.com/reedycreek/rpmmaildemo/rpmmail-1.4-2.i386.rpm

Source: Bugtraq
http://www.security-express.com/archives/bugtraq/1199.html

---------------------------------------------------------

Key Area: Other
Key Element: Information Publishing

Auto_FTP vulnerabilities
Auto_FTP v0.2 is a Perl script that automatically
synchronizes local directories to an FTP server. Apparently,
the configuration file, /etc/auto_ftp.conf, is world-
readable by default and contains the username and
password to the FTP server in plaintext. It is also possible
for a user to bypass directory restrictions and possibly
cause Auto_FTP to send files by placing the files to be
sent in a (much less strict) temp directory.

-No patches have been made available. You should disable
the use of Auto_FTP until it is fixed and remove the
world-read permission from /etc/auto_ftp.conf.

Source: Bugtraq
http://www.security-express.com/archives/bugtraq/1201.html

----

Vulnerability in Roxen Web server
An advisory containing a patch to a security problem in
the Roxen Web server has been released. This patch
stops a remote attacker from submitting RXML to be
processed on the server.

-A patch is available from:
http://www.security-express.com/archives/bugtraq/1226.html

Source: Roxen (Bugtraq)
http://www.security-express.com/archives/bugtraq/1226.html

----

Problems with WebTrends Enterprise Reporting Server
A default install of WebTrends Enterprise Reporting Server
version 1.5 has a number of problems, including:
-many world-writable and world-readable configuration files,
which could lead to a compromise or denial of service
-the included reporting server runs as root, which, combined
with the configuration-file issue above, may lead to full
(local) server compromise
-world-readable debug logs that may contain usernames and
passwords
-a blank default administrative password

-No patches have been released.

Source: Bugtraq
http://www.security-express.com/archives/bugtraq/1257.html
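
An added audit example (not from either advisory) covering the Auto_FTP and WebTrends entries above: a POSIX sh function that reports files readable or writable by every local user and notes whether they mention a password-like key. The sample files, their names and contents are constructed; the function names are my own.

```shell
#!/bin/sh
# Added example, not from either advisory: audit configuration and log files
# for the weaknesses the Auto_FTP and WebTrends reports share: files every
# local user can read (/etc/auto_ftp.conf with its plaintext FTP password,
# WebTrends' debug logs) and files every local user can write (WebTrends'
# configuration files). Each finding is one line: path, the "other" bits
# present (r, w or rw) and whether the content mentions a password-like key.

# audit_path FILE: print "FILE world=BITS secret=yes|no" if FILE has any
# world-read/write bit; print nothing (and succeed) otherwise.
audit_path() {
    [ -f "$1" ] || return 0
    o=$(ls -ld "$1" | cut -c8-10)        # "other" triplet of the mode string
    bits=""
    case "$o" in r*)  bits="r" ;; esac
    case "$o" in ?w*) bits="${bits}w" ;; esac
    [ -n "$bits" ] || return 0
    if grep -qiE 'passw(or)?d' "$1"; then s=yes; else s=no; fi
    printf '%s world=%s secret=%s\n' "$1" "$bits" "$s"
}

# audit_paths FILE...: run audit_path over every argument
audit_paths() { for p in "$@"; do audit_path "$p"; done; }

# Constructed stand-ins for the files the two advisories describe (names and
# contents are made up; the WebTrends file names are placeholders).
make_samples() {   # make_samples DIR
    printf 'host=ftp.example.com\nuser=backup\npassword=example-only\n' > "$1/auto_ftp.conf"
    chmod 644 "$1/auto_ftp.conf"                  # world-readable, holds a password
    printf 'listen_port=1099\n' > "$1/webtrends.cfg"
    chmod 666 "$1/webtrends.cfg"                  # world-writable config
    printf 'login ok user=admin passwd=\n' > "$1/debug.log"
    chmod 644 "$1/debug.log"                      # world-readable debug log
    printf 'host=ftp.example.com\n' > "$1/private.conf"
    chmod 600 "$1/private.conf"                   # correctly restricted
}

# Demo (real use: audit_paths /etc/auto_ftp.conf /path/to/webtrends/*.cfg ...)
d=$(mktemp -d); make_samples "$d"
audit_paths "$d"/*
rm -rf "$d"
```

The fix for each reported path is the one the Auto_FTP entry gives, chmod o-rw, applied before the service is re-enabled.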

---------------------------------------------------------

Key Area: Other
Key Element: Applications

Users can use dos7utils on SCO to run any command
SCO UnixWare 7.1 ships with the dos7utils application in
/usr/lib/merge/. dos7utils takes the location of a temporary
file from an environment variable the user controls; if the
user creates that file beforehand, dos7utils runs whatever it
contains with root privilege.

-No patches have been made available. We suggest you
remove the suid bit (by using 'chmod -s /usr/lib/merge/dos7utils')
from the application until further notice.

Source: Bugtraq
http://www.security-express.com/archives/bugtraq/1188.html

----

Overwrite any guid root files on SCO
A bug in /etc/sysadm.d/bin/userOsa lets a local attacker
overwrite any guid root file (e.g., /etc/shadow) with random
debug output using the usual symlink-style attack: linking
debug.log to the file to be clobbered.

-No patches have been released. We suggest removing
any suid bits on /etc/sysadm.d/bin/userOsa.

Source: Bugtraq
http://www.security-express.com/archives/bugtraq/1265.html

---------------------------------------------------------

Key Area: Network Hardware
Key Element: Network-Level Security

Hybrid Network cable modems allow remote configuration
Hybrid Network's cable modems use a configuration
protocol named HSMP that runs on UDP port 7777.
It is possible for an attacker to remotely reconfigure the
cable modem's settings because there is no built-in
authentication. Also, because UDP is connectionless,
it is possible for the attacker to spoof the source IP
address.

-No upgrades have been made available. We suggest
upstream cable providers block UDP port 7777 on
any available firewalls to minimize exposure.

Source: Bugtraq
http://www.security-express.com/archives/bugtraq/1202.html

----

Netscreen denial of service
Netscreen devices running version 1.62 are subject to a
denial-of-service attack similar to the Checkpoint-1 session
table flood attack previously discussed.

-Netscreen has patches available upon request. Public
patches will be released in version 1.64.

Source: Bugtraq
http://www.security-express.com/archives/bugtraq/1215.html

---------------------------------------------------------
If this e-mail was passed to you and you would like to begin receiving
our e-mail newsletter on a weekly basis, we invite you to subscribe
today. Just go to http://www.networkcomputing.com/express/ to become
a Security Express member.

We'd like to know what you think about the newsletter and what
information you'd like to see in future editions. E-mail your
comments to expressnwc.com.

If you'd like to change your account information or unsubscribe
from this newsletter please go to http://www.0mm.com/express/login.html.

Copyright 1999 CMP Media Inc. A service of Network Computing.
All Rights Reserved. Reproduction in whole or in part in any form or
medium without express written permission of Network Computing, is
prohibited.

Distributed by MessageMedia, Inc. -- http://www.messagemedia.com/
