
Network Computing Security Express #029


Subject: Network Computing Security Express #029
From: Network Computing Express (expresslist@nwc.com)
Date: Thu Jan 27 2000 - 09:01:09 CST


Network Computing Security Express #029
1/27/00
-- Number 029 (00.04) ----------------------------------------------------

Welcome to the latest edition of Security Express! Below you'll
find only the information pertaining to the categories requested.
Please bear in mind that you may have little or no information in
particular categories--this means no security problems pertaining to
those categories were found this week. If you have any problems or
questions, please e-mail us at express@nwc.com.

Enjoy Security Express!

--------------------------------------------------------------------------

Bugtraq spent most of this week discussing a new network-based
denial of service attack, named stream.c. This attack is essentially a
SYN flood, but uses ACKs instead. Derivative code and a multicast version
have been made available. More discussion on this further in the
issue.

Until next week,
-Security Express Team

--------------------------------------------------------------------------

---------------------------------------------------------

Key Area: Windows
Key Element: Applications

{00.04.002} New patch for MS00-003: "Spoofed LPC Port Request"
A new patch has been issued for {00.03.009} MS00-003: "Spoofed LPC Port
Request." The old patch contained a version error that could let it
be misreported as being installed or even overwritten.

-New patch can be found at:

http://www.microsoft.com/security/bulletins/ms00-003.asp
Source: Microsoft (NTBugtraq)
http://archives.neohapsis.com/archives/ntbugtraq/2000-q1/0049.html

----

{00.04.003} MS00-002: "Malformed Conversion Data" patch
A buffer overflow has been found in the East Asian language Microsoft Office document-conversion utility. It could allow a trojan document to run arbitrary code when opened with the converter.

-Patch and FAQ:

http://www.microsoft.com/security/bulletins/MS00-002faq.asp
Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2000-q1/0009.html

----

{00.04.004} MS00-004: "RDISK Registry Enumeration File" patch
Microsoft has released a patch for the "RDISK Registry Enumeration File" vulnerability. This vulnerability could let a local user obtain a temporary file used in the rdisk process that may contain sensitive information (password hashes for all local accounts on the system).

-FAQ and patch:

http://www.microsoft.com/security/bulletins/MS00-004faq.asp
Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2000-q1/0010.html

----

{00.04.012} Lexmark Optra PCL causes terminal server to crash
Lexmark Optra PCL print drivers (version 4.22) for the Optra N, Optra S and Optra R series appear to cause Windows NT Terminal Server to crash with a bugcheck when a print job is sent to the corresponding printer.

-No patches have been made available.

Source: NTBugtraq
http://archives.neohapsis.com/archives/ntbugtraq/2000-q1/0058.html

---------------------------------------------------------

Key Area: Solaris
Key Element: Applications

{00.04.010} spellhist/vold.log used to fill up /var/
Solaris 7 ships with world-writable versions of /var/adm/spellhist and /var/adm/vold.log. Solaris 8's /var/adm/spellhist is world-writable as well. These files can be used by a malicious user to fill the /var/ partition, creating a denial of service.

-You can safely remove write permissions from vold.log. However, spell requires spellhist to be world-writable; by changing the permissions, you risk breaking spell.

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-01/0312.html

---------------------------------------------------------

Key Area: Linux and BSD
Key Element: Applications

{00.04.008} Make -j allows local users to run commands
Using make -j causes make to use various temporary files to handle execution of compilation/build commands. A local user who wins a race against the creation of these files can substitute commands, which are then run under the UID of the user running make -j.

-A patch for FreeBSD is below. Other BSD distributions are believed to be affected.

http://archives.neohapsis.com/archives/bugtraq/2000-01/0258.html
Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-01/0258.html

----

{00.04.009} Red Hat 6.1 initial root password is crypt()
A bug in the Red Hat installation routine will leave the initial root password in crypt() format, even if MD5 format is requested.

-The first use of passwd for root will switch the stored password to MD5 format. This bug will be fixed in future versions.

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-01/0296.html
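The item says the first passwd run for root moves the stored hash to MD5; an administrator will want to confirm which accounts are still on the 13-character crypt() form after installation. The following audit is an added example, not a Red Hat tool or code from the newsletter; the shadow lines are constructed and the hash strings are made up, not real hashes.

```python
# Constructed /etc/shadow-style lines; the hash fields are invented, not real hashes.
SAMPLE_SHADOW = """\
root:ab7dXfQ9uLk2M:10978:0:99999:7:::
alice:$1$saltsalt$Rqw9Gd3yQw8q1k9mXb2JH1:10978:0:99999:7:::
daemon:*:10978:0:99999:7:::
bob:!:10978:0:99999:7:::
"""


def hash_format(field):
    """Classify the password field of one shadow entry."""
    if field == "" or field.startswith(("*", "!")):
        return "locked"          # no usable password
    if field.startswith("$1$"):
        return "md5"             # modular crypt format, MD5-based
    if field.startswith("$"):
        return "other-modular"   # e.g. $5$ or $6$ on newer systems
    if len(field) == 13:
        return "des-crypt"       # traditional crypt(): 2-char salt + 11 chars
    return "unknown"


def accounts_on_des(shadow_text):
    """Return the usernames whose stored hash is still traditional crypt()."""
    found = []
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        user, field = line.split(":", 2)[:2]
        if hash_format(field) == "des-crypt":
            found.append(user)
    return found


if __name__ == "__main__":
    print("accounts still using crypt():", accounts_on_des(SAMPLE_SHADOW))
```

Against a real system, run as root and pass `open("/etc/shadow").read()` to `accounts_on_des`; any account it lists has not had its password reset since the installer stored it.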

---------------------------------------------------------

Key Area: Other
Key Element: Network Attacks and Trends

{00.04.001} stream.c/raped.c denial of service
This is really more of an awareness item than a full-fledged vulnerability. The past week has seen much discussion over a supposed new denial of service attack produced by a script, stream.c (with a derivative named raped.c). This attack is almost identical to a SYN flood, except that the ACK bit is set rather than SYN. The methodology behind it is that some OSes take longer to process ACKs to open ports and respond with an RST; therefore a large number of such packets sent to a system could impact system performance.

-The reported results have been widely varied, but leaning more towards the "not a problem" side of the fence. The FreeBSD group has put out a patch that will help minimize system impact at:

http://www.freebsd.org/~alfred/tcp_fix.diff
Source: Technotronic
http://archives.neohapsis.com/archives/technotronic/2000-q1/0012.html
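A small detector for the traffic pattern described above (ACK-only segments arriving at a port from sources that never sent a SYN, each of which the host must answer with an RST), written here as an added example; it is not code from the newsletter or from stream.c. The record format, the addresses and the alert threshold are assumptions, and the sample lines are constructed rather than captured.

```python
from collections import defaultdict

# Constructed sample records (not captured traffic): "time src dst flags",
# in the style of a simplified tcpdump line. The first four lines are one
# ordinary connection; the rest are ACK-only segments from many sources
# that never sent a SYN, which is the shape of an ACK flood.
HANDSHAKE = [
    "1.000 10.0.0.5:40001 192.0.2.10:80 S",
    "1.001 192.0.2.10:80 10.0.0.5:40001 SA",
    "1.002 10.0.0.5:40001 192.0.2.10:80 A",
    "1.003 10.0.0.5:40001 192.0.2.10:80 PA",
]
FLOOD = ["2.%03d 203.0.113.%d:%d 192.0.2.10:80 A" % (i, i, 1024 + i)
         for i in range(1, 51)]
SAMPLE_LINES = HANDSHAKE + FLOOD


def parse(line):
    """Split one record into (timestamp, src, dst, set of TCP flag letters)."""
    ts, src, dst, flags = line.split()
    return float(ts), src, dst, set(flags)


def find_ack_floods(lines, threshold=20):
    """Return {dst: count} for every destination that received more than
    `threshold` ACK-only segments from (src, dst) pairs with no earlier SYN.

    A SYN or SYN-ACK registers the pair that sent it, so both directions of a
    real handshake are known before their ACKs arrive. Any other bare ACK is
    unsolicited: the host answers it with an RST, which is the work the flood
    tries to make it do. State is never aged out here; a production version
    would expire pairs after a time window.
    """
    seen_syn = set()
    unsolicited = defaultdict(int)
    for line in lines:
        _ts, src, dst, flags = parse(line)
        if "S" in flags:
            seen_syn.add((src, dst))
            continue
        if flags == {"A"} and (src, dst) not in seen_syn:
            unsolicited[dst] += 1
    return {dst: n for dst, n in unsolicited.items() if n > threshold}


if __name__ == "__main__":
    for dst, n in find_ack_floods(SAMPLE_LINES).items():
        print("possible ACK flood against %s: %d unsolicited ACKs" % (dst, n))
```

The threshold is deliberately low for the constructed data; on a real link it should be set from a baseline, since a few stray ACKs from stale or asymmetric connections are normal and only a sustained burst from many sources matches this item.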

---------------------------------------------------------

Key Area: Other
Key Element: Messaging

{00.04.007} Qmail vpopmail buffer overflow
An attacker can cause qmail-pop3d to pass overly long authentication strings to vpopmail, causing it to execute arbitrary code under the privilege of the authentication module.

-Vpopmail version 3.4.11k is available for download from:

http://www.inter7.com/vpopmail/
Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-01/0313.html

---------------------------------------------------------

Key Area: Other
Key Element: Applications

{00.04.005} OPIE and S/KEY world-readable key files
Many Unix installations of OPIE and S/KEY have been found to contain world-readable /etc/skeykeys or /etc/opiekeys files. While not directly exploitable, access to the key file may accelerate the process of brute-forcing the user keys.

-Change /etc/skeykeys and/or /etc/opiekeys to mode 600.

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-01/0328.html
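Both the Solaris item ({00.04.010}, world-writable /var/adm/vold.log and spellhist) and this one (group- or world-readable /etc/skeykeys and /etc/opiekeys) come down to checking and clearing particular mode bits on a named file. The audit-and-fix helper below is an added example, not code from the newsletter or from either package; the `CHECKS` table is an assumption built from the two items, and `demo()` works on constructed stand-in files in a temporary directory so that nothing under /etc or /var is touched.

```python
import os
import stat
import tempfile

# Mode bits that must NOT be set on each file named in the two items.
# spellhist is flagged but left for the administrator to decide, since the
# Solaris item notes that spell breaks without world-write on it.
CHECKS = {
    "/var/adm/vold.log": stat.S_IWOTH,                # no world-write
    "/var/adm/spellhist": stat.S_IWOTH,               # report only (see above)
    "/etc/skeykeys": stat.S_IRGRP | stat.S_IROTH,     # mode 600: no group/world read
    "/etc/opiekeys": stat.S_IRGRP | stat.S_IROTH,
}


def offending_bits(path, forbidden):
    """Return the forbidden permission bits actually set on `path`
    (0 if none are set or the file does not exist). lstat is used so a
    symlink planted in place of the file is not silently followed."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return 0
    return stat.S_IMODE(st.st_mode) & forbidden


def audit(checks):
    """Map each path whose mode violates its rule to the offending bits."""
    result = {}
    for path, forbidden in checks.items():
        bits = offending_bits(path, forbidden)
        if bits:
            result[path] = bits
    return result


def tighten(path, forbidden):
    """Clear the forbidden bits in place (chmod o-w, chmod 600, ...) and
    return the resulting mode."""
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    os.chmod(path, mode & ~forbidden)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo():
    """Run the checks against constructed stand-ins: an opiekeys at 0644 and
    a vold.log at 0666. Returns (violations found, new opiekeys mode,
    new vold.log mode)."""
    with tempfile.TemporaryDirectory() as d:
        keys = os.path.join(d, "opiekeys")
        log = os.path.join(d, "vold.log")
        for path, mode in ((keys, 0o644), (log, 0o666)):
            with open(path, "w") as fh:
                fh.write("constructed placeholder\n")
            os.chmod(path, mode)
        rules = {keys: stat.S_IRGRP | stat.S_IROTH, log: stat.S_IWOTH}
        violations = audit(rules)
        new_keys = tighten(keys, rules[keys])
        new_log = tighten(log, rules[log])
        return len(violations), new_keys, new_log


if __name__ == "__main__":
    print("system audit:", {p: oct(b) for p, b in audit(CHECKS).items()})
    print("demo:", demo())
```

`audit(CHECKS)` only reports; call `tighten` on the paths you have decided to change, which in practice means everything except spellhist on a host that still needs spell.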

----

{00.04.006} VMWare overwrites files via symlink
VMWare version 1.1.2 (Build 364) creates a temporary file in /tmp, blindly following symlinks. Since VMWare needs to run with root privileges, this can easily lead to a denial of service situation.

-No patches have been made available.

Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-01/0366.html
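The make -j item ({00.04.008}) and this VMWare item are both temporary-file races: a program creates a predictable name under /tmp, and a local user who places a symlink there first can redirect the write. The following added example (not the newsletter's, VMWare's or make's code) shows the risky open() pattern beside the open flags that refuse to follow a planted link; the protected file, the scratch name and the link are all constructed inside a temporary directory.

```python
import os
import tempfile


def unsafe_create(path):
    """The risky pattern: open a predictable name for writing. If another
    user has already placed a symlink at `path`, open() follows it and
    truncates whatever the link points at, with the caller's privileges."""
    with open(path, "w") as fh:
        fh.write("scratch\n")


def safe_create(path):
    """Create `path` only if nothing exists there yet. O_EXCL makes open()
    fail if the name is already present (a symlink included), O_NOFOLLOW
    refuses to traverse a final-component link, and mode 0600 keeps other
    users out of the file that is created."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write("scratch\n")


def _plant_link(directory):
    """Constructed scenario: a file worth protecting, and a symlink at the
    predictable scratch name pointing at it."""
    victim = os.path.join(directory, "important.conf")
    with open(victim, "w") as fh:
        fh.write("keep me\n")
    link = os.path.join(directory, "scratch.tmp")
    if os.path.lexists(link):
        os.remove(link)
    os.symlink(victim, link)
    return victim, link


def demo():
    """Returns (unsafe call clobbered the file, safe call refused,
    file intact after the safe call)."""
    with tempfile.TemporaryDirectory() as d:
        victim, link = _plant_link(d)
        unsafe_create(link)
        clobbered = open(victim).read() != "keep me\n"

        victim, link = _plant_link(d)        # reset the scenario
        try:
            safe_create(link)
            refused = False
        except OSError:                      # EEXIST (or ELOOP) from the kernel
            refused = True
        intact = open(victim).read() == "keep me\n"
        return clobbered, refused, intact


if __name__ == "__main__":
    print(demo())   # expected: (True, True, True)
```

In real code the usual answer is `tempfile.mkstemp()`, which combines these flags with an unpredictable name; a fixed scratch name is only safe when it lives in a directory other users cannot write to.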

----

{00.04.011} HP-UX PMTU can be used as packet amplifier
HP-UX versions 10.30 and 11.00 have a vulnerability in their PMTU procedure that lets them be used as packet amplifiers for network-based denial of service attacks.

-HP has guidelines for correcting the problem:

http://archives.neohapsis.com/archives/bugtraq/2000-01/0356.html
Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2000-01/0356.html

---------------------------------------------------------

If this e-mail was passed to you and you would like to begin receiving our e-mail newsletter on a weekly basis, we invite you to subscribe today. Just go to http://www.networkcomputing.com/express/ to become a Security Express member.

We'd like to know what you think about the newsletter and what information you'd like to see in future editions. E-mail your comments to mailto:express@nwc.com.

If you'd like to change your account information for this newsletter please go to http://www.0mm.com/express/login.html.

To unsubscribe, reply to this message and include REMOVE or UNSUBSCRIBE in the subject line.

Copyright 2000 CMP Media Inc. A service of Network Computing. All Rights Reserved. Reproduction in whole or in part in any form or medium without express written permission of Network Computing, is prohibited.

Distributed by MessageMedia, Inc. -- http://www.messagemedia.com/



This archive was generated by hypermail 2b27 : Thu Jan 27 2000 - 09:03:16 CST