Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
Subject: Network Computing Security Express #032
From: Network Computing Express (expresslist.nwc.com)
Date: Thu Feb 17 2000 - 09:04:22 CST

Network Computing Security Express #032
-- Number 032 (00.08) ----------------------------------------------------

Welcome to the latest edition of Security Express! Below you'll
find only the information pertaining to the categories you requested.
Please bear in mind that you may have little or no information in
particular categories--this means no security problems pertaining to
those categories were found this week. If you have any problems or
questions, please e-mail us at expressnwc.com.

Enjoy Security Express!


Last week proved to be a landmark in Internet history. Distributed denial
of service (dDoS) tools were used against many popular sites, including
Yahoo.com, eBay.com and Amazon.com. This prompted a large response in
products designed to detect and "stop" such attacks, as well as many
proclaimed "hacker-trackers."

Microsoft has released its international 128-bit "high-encryption"
update for Internet Explorer and Windows 2000. More information is
available at:

Until next week,
-Security Express Team



Key Area: Windows
Key Element: Messaging

{00.08.007} User denial of service in Internet Anywhere
Internet Anywhere Mail Server version 3.1.3 has a denial of service whereby
an authenticated user can submit a large RETR command to the POP service,
overflowing a buffer and causing the daemon to crash.

-No patches have been released. True North reportedly is creating a patch.

Source: NTBugtraq


Key Area: Windows
Key Element: Applications

{00.08.002} IE5 crashes with its://
Multiple reports indicate that Internet Explorer version 5.x crashes when
given multiple "its:" method/protocol strings. Some reports indicate high
CPU utilization, and other's confirm Dr. Watson errors.

-No patches have been made available.

Source: Vuln-Dev


{00.08.004} Windows 9x denial of service (twinge) A new denial of service named twinge.c has been made available. The DoS sends all possible types of ICMP traffic, making Windows 95 and 98 systems crash immediately. Windows NT 4.0 and 2000 do not seem to be vulnerable.

-No patches have been made available. We suggest filtering all incoming ICMP traffic via an upstream router/firewall.

Source: Bugtraq http://archives.neohapsis.com/archives/bugtraq/current/0102.html


{00.08.011} Timbuktu denial of service A denial of service has been found in Timbuktu Pro version 2.0b650 whereby an attacker can make connections to Ports 407 and 1417, causing the service to hang.

-NO patches have been made available.

Source: Bugtraq http://archives.neohapsis.com/archives/bugtraq/current/0121.html


Key Area: NetWare Key Element: Applications

{00.08.001} BorderManager denial of service The CS Audit Trail Proxy NLM shipped with BorderManager versions 3.0 and 3.5 for NetWare 4.11 and 5.x has been found to contain a denial of service. An attacker can telnet to Port 2000, which can cause csatpxy.nlm to slowly consume memory, possibly crashing the system after an extended period of time. There have also been reports of high CPU utilization.

-Novell has released a new ctaspxy.nlm, which limits the memory consumption; however, a denial of service may still be possible. Recommendations include limiting access to Port 2000. The patched ctaspxy1.exe is available from:

http://support.novell.com Source: Bugtraq http://archives.neohapsis.com/archives/bugtraq/current/0067.html


Key Area: Linux and BSD Key Element: Applications

{00.08.005} Linux make creates temporary files Make version 3.77-44 and prior have been found to create files in /tmp when passed a makefile on STDIN. An attacker can possibly trojan the temporary makefiles to execute commands.

-SuSE has released updated packages: ftp://ftp.suse.com/pub/suse/axp/update/6.1/ d1/make-3.78.1-4.alpha.rpm ftp://ftp.suse.com/pub/suse/axp/update/6.3/ d1/make-3.78.1-5.alpha.rpm ftp://ftp.suse.com/pub/suse/i386/update/6.1/ d1/make-3.78.1-3.i386.rpm ftp://ftp.suse.com/pub/suse/i386/update/6.2/ d1/make-3.78.1-2.i386.rpm ftp://ftp.suse.com/pub/suse/i386/update/6.3/ d1/make-3.78.1-2.i386.rpm

Other Linux distributions should check with their vendor for patch information.

Source: SuSE http://archives.neohapsis.com/archives/linux/suse/current/0261.html


{00.08.008} Local buffer overflow in Linux mount/umount Mount and umount are suid applications that contain a buffer overflow that let local users run arbitrary commands as root. Mount and umount are a part of the "utils" package, and all versions prior to 2.10f are vulnerable.

-SuSE has released updated packages ftp://ftp.suse.com/pub/suse/axp/update/6.1/ a1/util-2.10f-4.alpha.rpm ftp://ftp.suse.com/pub/suse/axp/update/6.3/ a1/util-2.10f-0.alpha.rpm ftp://ftp.suse.com/pub/suse/i386/update/6.1/ a1/util-2.10f-3.i386.rpm ftp://ftp.suse.com/pub/suse/i386/update/6.2/ a1/util-2.10f-4.i386.rpm ftp://ftp.suse.com/pub/suse/i386/update/6.3/ a1/util-2.10f-4.i386.rpm Other Linux distributions are likely to be vulnerable. You should contact your vendor to verify when a patch will be made available.

Source: SuSE http://archives.neohapsis.com/archives/linux/suse/current/0270.html


Key Area: Other Key Element: Information Publishing

{00.08.010} Attackers can run commands through UltimateBB UltimateBB is a CGI-based forum software package. A vulnerability has been found whereby an attacker can submit a specific formatted value for "topic," which will cause the perl interpreter to execute commands under the UID of the Web server.

-No patches have been made available. Product home page:

http://www.ultimatebb.com Source: Bugtraq http://archives.neohapsis.com/archives/bugtraq/current/0118.html


Key Area: Other Key Element: Applications

{00.08.003} Update to {00.04.011}: HP-UX PMTU can be used as packet amplifier Hewlett-Packard has released an update to {00.04.011} ("HP-UX PMTU can be used as packet amplifier"). The company has indicated that HP-UX version 11.04 is also vulnerable.

-HP's recommended solution is available at:

http://archives.neohapsis.com/archives/bugtraq/current/0112.html Source: HP (Bugtraq) http://archives.neohapsis.com/archives/bugtraq/current/0112.html


{00.08.006} New MySQL version fixes {00.07.017}: MySQL authentication weakness MySQL version 3.22.32 has been released, which includes a fix for {00.07.017} ("MySQL password authentication weakness"). Note that 3.23 is due out soon.

SuSE has made updated packages available: UW PICO(tm) 3.5 File: nwc UW PICO(tm) 3.5 File: nwc.txt Modified {00.08.006} New MySQL version fixes {00.07.017}: MySQL authentication weakness MySQL version 3.22.32 has been released, which includes a fix for {00.07.017} ("MySQL password authentication weakness"). Note that 3.23 is due out soon.

SuSE has made updated packages available: ftp://ftp.suse.com/pub/suse/axp/update/6.3/pay1/mysql-3.22.30-4.alpha.rpm ftp://ftp.suse.com/pub/suse/i386/update/6.2/pay1/mysql-3.22.30-4.i386.rpm ftp://ftp.suse.com/pub/suse/i386/update/6.3/pay1/mysql-3.22.30-4.i386.rpm

Source: Bugtraq http://archives.neohapsis.com/archives/bugtraq/current/0111.html


{00.08.009} FTP/firewall bypass on FireWall-1 Check Point's FireWall-1 contains a vulnerability whereby an outside attacker could force the sending of a PASV command response. This causes the firewall to open the associated port on the firewall, giving the attacker access.

This problem might be found in other vendor firewalls.

-Check Point has released recommendations for resolving this problem, as well as a patch for customers that use FTP stateful inspection. More information is available at:

http://archives.neohapsis.com/archives/bugtraq/current/0117.html Source: Vuln-Dev http://archives.neohapsis.com/archives/vuln-dev/current/0277.html

--------------------------------------------------------- If this e-mail was passed to you and you would like to begin receiving our e-mail newsletter on a weekly basis, we invite you to subscribe today. Just go to http://www.networkcomputing.com/express/ to become a Security Express member.

We'd like to know what you think about the newsletter and what information you'd like to see in future editions. E-mail your comments to mailto:expressnwc.com.

If you'd like to change your account information for this newsletter please go to http://www.0mm.com/express/login.html.

To unsubscribe, reply to this message and include REMOVE or UNSUBSCRIBE in the subject line.

Copyright 2000 CMP Media Inc. A service of Network Computing. All Rights Reserved. Reproduction in whole or in part in any form or medium without express written permission of Network Computing, is prohibited.

Distributed by MessageMedia, Inc. -- http://www.messagemedia.com/