From: Network Computing and The SANS Institute (sans@sans.org)
Date: Thu Mar 01 2001 - 13:14:38 CST
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 086 (00.62)
Thursday, March 1, 2001
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below you
should find information pertaining only to the categories you requested.
If you have any problems or questions, please e-mail us at
<consensus@nwc.com>.
----------------------------------------------------------------------
----------------------------------------------------------------------
Over the past few days we've received numerous queries about last week's
commentary on the Anna Kournikova virus. We'd like to clear the air by
stating that although our comments were not meant as product
endorsements, the SANS GIAC (Global Incident Analysis Center, one of
our sister efforts) did field numerous reports concerning antivirus
vendors' responses, and the lack thereof. On the Monday the "Anna"
virus hit most organizations, it became obvious that some antivirus
vendors were prepared, some were not and, worse, some claimed they were
but still failed to catch the culprit. In short, we were simply
reiterating what many of you wrote in and told us.
In other news, there was an interesting thread on the SecurityFocus
BUGTRAQ mailing list last week concerning the use and abuse of SNMP.
The authors posted a number of interesting tools for brute-forcing
community strings, and commented further on the potentially dangerous
abuses of SNMP. Readers are reminded that there are myriad security
concerns surrounding the use of SNMP; where organizations are forced to
use it, they should restrict which hosts can reach the agent at all. If
at all possible, SNMP should be limited to read-only (RO) communities
with non-default community strings, and infrastructure devices should
carry proper ACLs (access control lists) that restrict SNMP access to
the management stations that actually need it.
The thread can be found at the following URL, if anyone is interested
in reading more:
http://archives.neohapsis.com/archives/bugtraq/2000-02/0152.html
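As an added example (not from the newsletter or from the BUGTRAQ thread), here is a small audit of net-snmp style community definitions that flags exactly the two things the paragraph above asks readers to avoid: write access and unrestricted source hosts, plus the well-known strings a brute-forcer tries first. The directive syntax assumed is net-snmp's "rocommunity|rwcommunity COMMUNITY [SOURCE [OID]]" (and the rocommunity6/rwcommunity6 variants); both configurations in the block are constructed for the demonstration.

```python
"""Audit net-snmp style community definitions for write access,
unrestricted sources and well-known community strings.

Added example, not part of the newsletter or of any SNMP tool. It assumes
the net-snmp snmpd.conf directive syntax

    rocommunity|rwcommunity[6] COMMUNITY [SOURCE [OID]]

where SOURCE is a host, a CIDR prefix or the keyword "default" (anyone).
Both configurations below are constructed for the demonstration."""
import re

# Community strings every brute-forcing tool tries first.
WELL_KNOWN = {"public", "private", "cisco", "admin", "snmp", "write"}

DIRECTIVE = re.compile(
    r"^(?P<dir>r[ow]community6?)\s+(?P<comm>\S+)"
    r"(?:\s+(?P<src>\S+))?(?:\s+(?P<oid>\S+))?$"
)


def audit_snmpd_conf(text):
    """Return [(line_no, finding), ...] for every risky community line."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and padding
        m = DIRECTIVE.match(line)
        if not m:
            continue
        directive, comm, src = m.group("dir", "comm", "src")
        if directive.startswith("rw"):
            findings.append((no, "write access: use rocommunity unless SET is truly required"))
        if src is None or src == "default":
            findings.append((no, "no source restriction: any host reaching UDP/161 may query"))
        if comm.lower() in WELL_KNOWN:
            findings.append((no, "well-known community %r: first guess of any brute-forcer" % comm))
    return findings


# Weak: read-write with a default name, and a read-only community open to the world.
WEAK_CONF = """\
rwcommunity private                 # write access, any source
rocommunity public default          # read-only, but reachable from anywhere
"""

# Corrected: read-only, a non-default string, one management host, one subtree.
HARDENED_CONF = """\
rocommunity Yq7vR-nms-only 10.1.2.5 .1.3.6.1.2.1
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_snmpd_conf(conf) or "no findings")
```

The source restriction is doing the real work here: SNMPv1/v2c community strings travel in cleartext, so a sniffed or guessed string is only harmless if the agent refuses it from anywhere but the management station. The same restriction belongs on the network devices themselves (on Cisco IOS, the access-list argument of snmp-server community), and where the equipment supports it, SNMPv3 with authentication and privacy removes the community string problem altogether.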
Until next week,
- Security Alert Consensus Team
************************************************************************
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
TABLE OF CONTENTS:
{01.09.016} Win - MS01-012: Outlook (Express) vcard handler contains
unchecked buffer
{01.09.017} Win - MS01-013: Windows 2000 Event Viewer contains
unchecked buffer
{01.09.019} Win - My Getright file download/custom skin vulnerabilities
{01.09.021} Win - MERCUR SMTP server EXPN command buffer overflow
{01.09.023} Win - Windows driver DbgPrint() format string potential
insecurities
{01.09.024} Win - SEDUM HTTP server large URL DoS
{01.09.006} Linux - Update {01.08.021}: Analog ALIAS buffer overflow
{01.09.007} Linux - Update {00.42.011}: lpr remote syslog format bug
{01.09.008} Linux - Update {00.45.019}: Dump executes arbitrary
commands as root
{01.09.009} Linux - Update {00.43.003}: PHP logging format bug overflow
{01.09.012} Linux - Discontinued support for old SuSE distributions
{01.09.022} Linux - Update {00.51.014}: apcupsd world writable
/var/run/apcupsd.pid file
{01.09.027} Linux - Update {00.54.001}: Sendmail 8.11.2 released
{01.09.025} HPUX - Update {00.53.028}: kermit buffer overflow
{01.09.028} NApps - APC HTTP/SNMP/telnet connection timeout DoS
{01.09.029} NApps - Nortel CES switch DES key-length downgrade
{01.09.001} Other - Update {00.50.003}: Sun Java runtime environment
allows untrusted calls between classes
{01.09.002} Other - MPE/ix linkeditor grants administration capabilities
{01.09.003} Other - MPE/ix NM debug breakpoint mishandling/privilege
elevation
{01.09.011} Other - Update {01.05.022}: inetd open socket DoS
{01.09.004} Cross - Update {01.08.007}: Vixie cron long user name
buffer overflow
{01.09.005} Cross - Sudo command line parameter buffer overflow
{01.09.010} Cross - Update {01.05.001}: Multiple Bind buffer overflows
(TSIG/infoleak)
{01.09.013} Cross - Chili!Soft ASP default admin account/sample
scripts/improper file permissions
{01.09.014} Cross - Sun JRE unauthorized command execution
{01.09.015} Cross - Infopop UBB IMG tag embedded JavaScript and
authentication bypass
{01.09.018} Cross - FirstClass InternetGateway local address spoofing
{01.09.020} Cross - PHP-Nuke file disclosure/authentication bypass
{01.09.026} Cross - Multiple Zope vulnerabilities
- --- Windows News -------------------------------------------------------
*** {01.09.016} Win - MS01-012: Outlook (Express) vcard handler
contains unchecked buffer
Microsoft has released MS01-012 ("Outlook (Express) vcard handler
contains unchecked buffer"). Outlook and Outlook Express contain a
buffer overflow when a user attempts to import a maliciously crafted
vcard attachment. The buffer overflow can be used to execute arbitrary
code on a user's system.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS01-012.asp
Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2001-q1/0055.html
*** {01.09.017} Win - MS01-013: Windows 2000 Event Viewer contains
unchecked buffer
Microsoft has released MS01-013 ("Windows 2000 Event Viewer contains
unchecked buffer"). There is an exploitable buffer overflow in the
handling of event records when they are viewed with the Event Viewer.
Since unprivileged applications can write events to the System and
Application logs, an attacker can insert an event record into the log
that executes arbitrary code with the privileges of whoever later views
that record, typically an administrator.
Windows 2000 is affected.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS01-013.asp
Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2001-q1/0057.html
*** {01.09.019} Win - My Getright file download/custom skin
vulnerabilities
The My Getright application, version 1.0, contains two vulnerabilities
that allow a malicious Web site to crash the application and possibly
to force files to be downloaded to arbitrary locations on a user's hard
drive, overwriting existing files in the process.
The vendor has confirmed the vulnerability and released version 1.0b,
which contains the fixes. It can be downloaded at:
http://www.mygetright.com/
Source: Win2KSecurityAdvice
http://archives.neohapsis.com/archives/win2ksecadvice/2001-q1/0080.html
*** {01.09.021} Win - MERCUR SMTP server EXPN command buffer overflow
MERCUR SMTP server version 3.30.3.0 contains a remotely exploitable
buffer overflow in the handling of the EXPN command, which allows an
attacker to execute arbitrary code.
This vulnerability has not been confirmed, but an exploit has been
published.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-02/0413.html
*** {01.09.023} Win - Windows driver DbgPrint() format string potential
insecurities
An advisory was released detailing potential problems in Windows drivers
that pass untrusted data as the format string to the DbgPrint()
function. It may be possible to perform a format string attack on such
drivers, allowing a local attacker to execute code with the driver's
(kernel-mode) privileges.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-02/0379.html
*** {01.09.024} Win - SEDUM HTTP server large URL DoS
SEDUM HTTP server version 2.1 has been found to contain a denial of
service. It's possible for a remote attacker to send an overly long URL
request, which will cause the service to crash.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-02/0419.html
- --- Linux News ---------------------------------------------------------
*** {01.09.006} Linux - Update {01.08.021}: Analog ALIAS buffer overflow
RedHat has released updated packages to fix the vulnerability discussed
in {01.08.021} ("Analog ALIAS buffer overflow").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/redhat/2001-q1/0056.html
Source: RedHat
http://archives.neohapsis.com/archives/linux/redhat/2001-q1/0056.html
*** {01.09.007} Linux - Update {00.42.011}: lpr remote syslog format bug
Immunix has released updated lpr packages to fix the vulnerability
discussed in {00.42.011} ("lpr remote syslog format bug").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0069.html
Source: Immunix
http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0069.html
*** {01.09.008} Linux - Update {00.45.019}: Dump executes arbitrary
commands as root
Immunix has released updated dump packages to fix the vulnerability
discussed in {00.45.019} ("Dump executes arbitrary commands as root").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0069.html
Source: Immunix
http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0069.html
*** {01.09.009} Linux - Update {00.43.003}: PHP logging format bug
overflow
Immunix has released updated PHP packages to fix the vulnerability
discussed in {00.43.003} ("PHP logging format bug overflow").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0069.html
Source: Immunix
http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0069.html
*** {01.09.012} Linux - Discontinued support for old SuSE distributions
SuSE has officially closed support for SuSE distribution versions 6.0,
6.1 and 6.2. Versions 6.3, 6.4, 7.0 and 7.1 will still be supported.
Users of discontinued distributions should consider upgrading, since
security patches will no longer be released for the discontinued
versions.
Source: SuSE
http://archives.neohapsis.com/archives/linux/suse/2001-q1/1064.html
*** {01.09.022} Linux - Update {00.51.014}: apcupsd world writable
/var/run/apcupsd.pid file
Mandrake has released an updated apcupsd package to fix the
vulnerability discussed in {00.51.014} ("apcupsd world writable
/var/run/apcupsd.pid file").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/mandrake/2001-q1/0070.html
Source: Mandrake
http://archives.neohapsis.com/archives/linux/mandrake/2001-q1/0070.html
*** {01.09.027} Linux - Update {00.54.001}: Sendmail 8.11.2 released
TurboLinux has released an updated Sendmail package to fix the various
general problems discussed in {00.54.001} ("Sendmail 8.11.2 released").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/turbolinux/2001-q1/0006.html
Source: TurboLinux
http://archives.neohapsis.com/archives/linux/turbolinux/2001-q1/0006.html
- --- HP-UX News ---------------------------------------------------------
*** {01.09.025} HPUX - Update {00.53.028}: kermit buffer overflow
HP bundled the wrong version of kermit into the patches meant to fix
the vulnerability discussed in {00.53.028} ("kermit buffer overflow")
and has re-released corrected versions of the patches:
HP-UX 10.20: PHCO_23319
HP-UX 10.10: PHCO_23320
HP-UX 10.01: PHCO_23321
Source: HP
http://archives.neohapsis.com/archives/hp/2001-q1/0060.html
- --- Network Appliances News --------------------------------------------
*** {01.09.028} NApps - APC HTTP/SNMP/telnet connection timeout DoS
APC's network management card (used in Symmetra and other APC products)
contains a denial of service in its handling of failed logins: three
incorrect logins cause the HTTP, SNMP and telnet services to time out
and become temporarily unavailable. Since an attacker's own failed
attempts are enough to trigger this, the lockout can be induced at will,
denying legitimate operators access to the management features.
The advisory indicates vendor confirmation. No fixes have been made
available.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-02/0436.html
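The failure mode above is a lockout that punishes everyone for one attacker's failed logins. As an added example (not APC's firmware or any vendor code), the block below shows the design a practitioner would want instead: the penalty is keyed on the source address and grows as a delay rather than switching the service off, so a remote attacker can only throttle itself. Addresses and clock values are constructed.

```python
"""Per-source login throttle.

Added example, not APC's firmware or any vendor code. The reported
behaviour is a global lockout: a few bad logins from anyone make the
management services unavailable for everyone. Here the penalty is keyed
on the source address and is an exponentially growing delay with a
ceiling, so the service itself never goes away. Addresses and clock
values used in demo() are constructed."""
import time


class LoginThrottle:
    def __init__(self, threshold=3, base_delay=2.0, max_delay=300.0,
                 max_sources=10_000, clock=time.monotonic):
        self.threshold = threshold      # failures before any delay applies
        self.base_delay = base_delay    # seconds; doubles with each further failure
        self.max_delay = max_delay      # ceiling: a source is never locked out for good
        self.max_sources = max_sources  # bound the table so a flood of sources cannot exhaust memory
        self.clock = clock
        self._state = {}                # source -> (failures, blocked_until)

    def attempt(self, source, credentials_ok):
        """Process one login attempt; returns 'throttled', 'ok' or 'bad-credentials'."""
        failures, blocked_until = self._state.get(source, (0, 0.0))
        now = self.clock()
        if now < blocked_until:
            return "throttled"          # only this source waits; every other source is served
        if credentials_ok:
            self._state.pop(source, None)
            return "ok"
        failures += 1
        if failures >= self.threshold:
            delay = min(self.base_delay * 2 ** (failures - self.threshold), self.max_delay)
            blocked_until = now + delay
        if source not in self._state and len(self._state) >= self.max_sources:
            self._evict_soonest_expiring()
        self._state[source] = (failures, blocked_until)
        return "bad-credentials"

    def _evict_soonest_expiring(self):
        victim = min(self._state, key=lambda s: self._state[s][1])
        del self._state[victim]

    def state(self, source):
        return self._state.get(source)


def demo():
    """An attacker from one address gets throttled; an admin elsewhere is unaffected."""
    now = [1000.0]
    throttle = LoginThrottle(clock=lambda: now[0])
    attacker, admin = "203.0.113.7", "10.0.0.5"        # constructed addresses
    for _ in range(3):
        throttle.attempt(attacker, False)
    blocked = throttle.attempt(attacker, False)        # 'throttled' for 2 s
    admin_ok = throttle.attempt(admin, True)           # 'ok': there is no global lockout
    now[0] += 2.0                                      # the attacker's delay elapses
    retry = throttle.attempt(attacker, False)          # served again, but the delay doubles
    return blocked, admin_ok, retry, throttle.state(attacker)


if __name__ == "__main__":
    print(demo())
```

A per-source throttle still needs a global ceiling on total login rate to cope with attempts spread over many addresses, but it removes the trivial single-host denial of service the advisory describes.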
*** {01.09.029} NApps - Nortel CES switch DES key-length downgrade
Nortel's Contivity Extranet Switch (CES) contains a vulnerability
whereby the ISAKMP agent performs the key exchange for 3DES VPN
connections using only single DES, regardless of the configured
encryption security level. Because the session keys are protected only
by single DES, the VPN is only as strong as single DES, which is
considered weak by today's standards.
Nortel has confirmed the problem and released CES software version 3.50
and Extranet Client Access software version 2.62, which fix the problem.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-02/0439.html
- --- Other News ---------------------------------------------------------
*** {01.09.001} Other - Update {00.50.003}: Sun Java runtime
environment allows untrusted calls between classes
HP has released updated JRE patches for MPE/ix to fix the vulnerability
discussed in {00.50.003} ("Sun Java runtime environment allows untrusted
calls between classes").
MPE/ix releases 6.0, 6.5 and 7.0 should update to JDK 1.2.2, which is
available at:
http://jazz.external.hp.com/src/java/jdks/JDK1.2.2.html
Source: HP
http://archives.neohapsis.com/archives/hp/2001-q1/0050.html
*** {01.09.002} Other - MPE/ix linkeditor grants administration
capabilities
HP has released patches for MPE/ix releases 5.5, 6.0 and 6.5 to fix a
vulnerability in the link editor that could allow a local user to gain
administrative capabilities normally limited to a system administrator.
The vendor has confirmed this vulnerability.
HP has released the following patches:
MPE/iX 6.5: LNKLXG1A
MPE/iX 6.0: LNKLXG1B
MPE/iX 5.5: LNKLXG1C
Source: HP
http://archives.neohapsis.com/archives/hp/2001-q1/0050.html
*** {01.09.003} Other - MPE/ix NM debug breakpoint
mishandling/privilege elevation
HP has released patches for MPE/ix 5.5, 6.0 and 6.5 to fix a
vulnerability in NM debug. The vulnerability allows local users to
elevate their privileges due to the mishandling of breakpoints.
The vendor has confirmed this vulnerability.
HP has released the following patches:
MPE/iX 5.5: MPELX89D
MPE/iX 6.0: MPELX89E
MPE/iX 6.5: MPELX89F
Source: HP
http://archives.neohapsis.com/archives/hp/2001-q1/0050.html
*** {01.09.011} Other - Update {01.05.022}: inetd open socket DoS
Compaq has released a patch for Tru64 release 5.1 to fix the
vulnerability discussed in {01.05.022} ("inetd open socket DoS").
Those needing the patch will have to contact Compaq support and request
patch SSRT0708U.
Source: Compaq
http://archives.neohapsis.com/archives/compaq/2001-q1/0071.html
- --- Cross-Platform News ------------------------------------------------
*** {01.09.004} Cross - Update {01.08.007}: Vixie cron long user name
buffer overflow
Mandrake has released updated vixie-cron packages to fix the
vulnerability discussed in {01.08.007} ("Vixie cron long user name
buffer overflow"). HP has also released updated cron patches, which the
Security Alert Consensus staff believes may correct the same
vulnerability (HP hasn't indicated whether the vulnerability has been
fixed).
Updated Mandrake RPMs are listed at:
http://archives.neohapsis.com/archives/linux/mandrake/2001-q1/0064.html
Updated HP-UX cron patches:
HP-UX 10.20: PHCO_22768
HP-UX 11.00: PHCO_22767
Source: Mandrake, HP
http://archives.neohapsis.com/archives/linux/mandrake/2001-q1/0064.html
http://archives.neohapsis.com/archives/hp/2001-q1/0054.html
http://archives.neohapsis.com/archives/hp/2001-q1/0055.html
*** {01.09.005} Cross - Sudo command line parameter buffer overflow
Sudo versions prior to 1.6.3p6 contain a buffer overflow in the handling
of long command line parameters. It is not yet known whether the
overflow can be used to execute arbitrary code.
The vendor has confirmed this vulnerability.
Locations for download are listed at:
http://www.courtesan.com/sudo/
Updated Conectiva RPMs:
http://archives.neohapsis.com/archives/linux/conectiva/2001-q1/0012.html
Updated Trustix RPMs:
http://archives.neohapsis.com/archives/bugtraq/2001-02/0427.html
Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/linux/mandrake/2001-q1/0073.html
Updated Slackware tarballs:
http://archives.neohapsis.com/archives/bugtraq/2001-02/0437.html
Updated Immunix RPMs:
http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0070.html
Available OpenBSD patches:
http://archives.neohapsis.com/archives/openbsd/2001-02/2539.html
FreeBSD ports collection as of February 22, 2001, contains an updated
version.
Source: Conectiva, Trustix, Mandrake, Slackware, Immunix, OpenBSD,
FreeBSD, SF Bugtraq
http://archives.neohapsis.com/archives/linux/conectiva/2001-q1/0012.html
http://archives.neohapsis.com/archives/bugtraq/2001-02/0414.html
http://archives.neohapsis.com/archives/bugtraq/2001-02/0427.html
http://archives.neohapsis.com/archives/linux/mandrake/2001-q1/0073.html
http://archives.neohapsis.com/archives/bugtraq/2001-02/0437.html
http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0070.html
http://archives.neohapsis.com/archives/openbsd/2001-02/2539.html
http://archives.neohapsis.com/archives/freebsd/2001-02/0501.html
*** {01.09.010} Cross - Update {01.05.001}: Multiple Bind buffer
overflows (TSIG/infoleak)
Compaq and TurboLinux have released updated bind packages to fix the
vulnerability discussed in {01.05.001} ("Multiple Bind buffer overflows
(TSIG/infoleak)").
A complete list of released Compaq Tru64 patches is available at:
http://archives.neohapsis.com/archives/compaq/2001-q1/0074.html
Updated TurboLinux RPMs are listed at:
http://archives.neohapsis.com/archives/linux/turbolinux/2001-q1/0005.html
Source: Compaq, TurboLinux
http://archives.neohapsis.com/archives/compaq/2001-q1/0074.html
http://archives.neohapsis.com/archives/linux/turbolinux/2001-q1/0005.html
*** {01.09.013} Cross - Chili!Soft ASP default admin account/sample
scripts/improper file permissions
Chili!Soft ASP version 3.5.2 (and possibly prior) contains multiple
vulnerabilities. First, a default administrative account with a static
password is created at installation; a remote attacker can administer
the application if that account's password hasn't been changed or the
account removed/disabled. Next, a particular sample script,
codebrws.asp, allows a remote attacker to view the source of any file
readable by the Web server. Lastly, various configuration files are
created world-readable; these configuration files may hold ODBC
authentication information.
The vendor has confirmed all of the above problems and offered
workarounds, which are listed at the URLs referenced below.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-02/0378.html
http://archives.neohapsis.com/archives/bugtraq/2001-02/0443.html
*** {01.09.014} Cross - Sun JRE unauthorized command execution
Sun has released updated versions of its Java Development Kit (JDK) to
fix a vulnerability that allows unauthorized commands to be executed.
JDK versions 1.2.2_005(a) and prior are vulnerable.
The vendor has confirmed this vulnerability.
A list of updated JDK versions available for download is at:
http://archives.neohapsis.com/archives/bugtraq/2001-02/0383.html
Source: Sun (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-02/0383.html
*** {01.09.015} Cross - Infopop UBB IMG tag embedded JavaScript and
authentication bypass
Infopop's Ultimate Bulletin Board (UBB) prior to version 5.47e allows a
malicious user to embed JavaScript in an IMG tag, which could then be
used to gain access to authentication information stored in another
user's cookie.
Version 6.0 beta 7.8 also does not properly check authentication
credentials. This allows a malicious user with a valid UBB account to
assume the identity of any other user, including the administrator.
The vendor has confirmed both problems. The first problem has been fixed
in version 5.47e. The second problem, which only appears in the 6.0 beta
series, has been fixed in 6.0 beta 7.9. All versions are available for
download at: http://www.infopop.com/
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-02/0384.html
http://archives.neohapsis.com/archives/bugtraq/2001-02/0388.html
http://archives.neohapsis.com/archives/bugtraq/2001-02/0390.html
http://archives.neohapsis.com/archives/bugtraq/2001-02/0411.html
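The IMG tag problem above is the classic board markup mistake: whatever the poster writes between the tags becomes the src attribute, so a javascript: URL (or a quote breakout) runs in every reader's browser with access to their cookie. The block below is an added example, not Infopop's code; the advisory does not describe UBB's exact markup handling, so it assumes the usual BBCode form [img]URL[/img] and shows the vulnerable renderer beside a hardened one that accepts only absolute http(s) URLs and escapes the attribute. The sample posts are constructed.

```python
"""[img] tag rendering for a bulletin board: vulnerable form beside a
hardened one.

Added example, not Infopop's code. Assumes BBCode-style [img]URL[/img]
markup; the payloads are constructed."""
import html
import re
from urllib.parse import urlsplit

IMG_TAG = re.compile(r"\[img\](.+?)\[/img\]", re.IGNORECASE | re.DOTALL)


def render_img_naive(post):
    """Vulnerable: whatever sits between the tags becomes the src attribute."""
    return IMG_TAG.sub(lambda m: '<img src="%s">' % m.group(1), post)


ALLOWED_SCHEMES = {"http", "https"}


def safe_img_url(value):
    """Return the URL if it is an absolute http(s) URL containing no control
    characters or whitespace, else None."""
    if len(value) > 2048 or any(ord(c) < 0x21 or ord(c) == 0x7F for c in value):
        return None      # a tab or newline inside 'java\tscript:' defeats naive scheme checks
    parts = urlsplit(value)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None      # rejects javascript:, data:, vbscript:, scheme-less and protocol-relative URLs
    return value


def render_img_safe(post):
    """Hardened: validate the URL and escape it before it reaches an attribute."""
    def repl(m):
        url = safe_img_url(m.group(1))
        if url is None:
            return html.escape(m.group(0))     # show the markup as text rather than emit an element
        return '<img src="%s">' % html.escape(url, quote=True)   # quote=True neutralises " breakouts
    return IMG_TAG.sub(repl, post)


COOKIE_THEFT = "[img]javascript:alert(document.cookie)[/img]"   # constructed payload

if __name__ == "__main__":
    print(render_img_naive(COOKIE_THEFT))
    print(render_img_safe(COOKIE_THEFT))
    print(render_img_safe("[img]http://example.org/a.gif[/img]"))
```

Rejecting anything but absolute http(s) URLs is deliberately stricter than "block javascript:": browsers of the period tolerated whitespace and mixed case inside the scheme, so a denylist on the literal string is not a check at all.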
*** {01.09.018} Cross - FirstClass InternetGateway local address
spoofing
FirstClass InternetGateway version 5.50 does not prevent the spoofing
of local e-mail addresses, allowing an outside attacker to compose an
e-mail that appears to originate from an arbitrary internal user.
The vendor has confirmed the problem and will fix it in the upcoming
release.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-02/0376.html
http://archives.neohapsis.com/archives/bugtraq/2001-02/0440.html
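The check the gateway is missing is simple to state: a connection from outside the organization must not be allowed to claim a sender in a local domain. As an added example (not FirstClass code; the advisory gives no detail of the gateway's logic), the block below makes that decision for the SMTP envelope sender, treating the null sender, subdomains and authenticated submissions as the edge cases they are. Local domains and internal networks are constructed; the same rule should be applied to the header From: line, which is what the recipient actually sees.

```python
"""Gateway-side check that an outside connection may not claim a local
sender address.

Added example, not FirstClass code. Assumes an internet-facing SMTP
gateway checking the envelope sender; LOCAL_DOMAINS and INTERNAL_NETS
are constructed for the demonstration."""
import ipaddress

LOCAL_DOMAINS = {"example.com"}                                  # constructed
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]          # constructed


def sender_domain(mail_from):
    """Domain of a MAIL FROM argument such as '<user@host>'; None for the null sender."""
    addr = mail_from.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    if not addr:
        return None                     # MAIL FROM:<> (bounces) makes no sender claim
    # The domain follows the *last* '@': a quoted local part may itself contain '@'.
    _local, sep, domain = addr.rpartition("@")
    return domain.lower().rstrip(".") if sep else addr.lower()


def claims_local(domain):
    """True for a local domain or any subdomain of one."""
    return domain in LOCAL_DOMAINS or any(domain.endswith("." + d) for d in LOCAL_DOMAINS)


def is_internal(peer_ip):
    ip = ipaddress.ip_address(peer_ip)
    return any(ip in net for net in INTERNAL_NETS)


def accept_mail_from(peer_ip, mail_from, authenticated=False):
    """Policy decision for one MAIL FROM command: (accepted, reason)."""
    domain = sender_domain(mail_from)
    if domain is None:
        return True, "null sender"
    if claims_local(domain) and not (is_internal(peer_ip) or authenticated):
        return False, "550 5.7.1 %s may not be used as sender from %s" % (domain, peer_ip)
    return True, "accepted"


if __name__ == "__main__":
    print(accept_mail_from("203.0.113.9", "<ceo@example.com>"))   # rejected: outside host
    print(accept_mail_from("10.1.1.4", "<ceo@example.com>"))      # accepted: internal host
```

Roaming users who legitimately send from outside must authenticate (the authenticated flag) rather than be exempted by address, otherwise the exemption is the spoofing hole reopened.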
*** {01.09.020} Cross - PHP-Nuke file disclosure/authentication bypass
PHP-Nuke version 4.4 allows a remote attacker to view arbitrary files
(readable by the Web server) on the system by sending a particular
malformed URL parameter. The advisory also indicates that it's possible
to gain administrative privileges to the application.
The vendor has confirmed this vulnerability and released version 4.4.1.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-02/0425.html
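The advisory above does not say which parameter is affected or how it is malformed, so the block below, an added example and not PHP-Nuke's code, illustrates the general class (a file name taken from the request and opened relative to a content directory) together with two defences: strict containment of the canonical path, and an allowlist that never puts user input near the filesystem at all. It is written in Python for demonstration; the PHP logic is the same. The directory tree it builds is constructed and removed afterwards.

```python
"""File-disclosure guard for a web application that serves files named
by a URL parameter.

Added example, not PHP-Nuke's code. The parameter name and the exact
malformation are not given in the advisory; this shows the general
class and two defences. The directory tree is constructed."""
import os
import shutil
import tempfile


def resolve_under(base_dir, requested):
    """Canonical path of `requested` if it stays inside base_dir, else None."""
    if "\x00" in requested or os.path.isabs(requested):
        return None                       # NUL-truncation tricks and absolute paths never pass
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))   # collapses '..' and symlinks
    if os.path.commonpath([base, target]) != base:
        return None                       # escaped the content directory
    return target


PAGES = {"about": "about.txt", "faq": "faq.txt"}   # allowlist: requests name a key, not a path


def page_path(base_dir, name):
    """Safer still: the request selects a key; the filename comes from the application."""
    fname = PAGES.get(name)
    return None if fname is None else os.path.join(base_dir, fname)


def demo():
    """Return which sample requests would be served under each defence."""
    root = tempfile.mkdtemp()
    try:
        pages = os.path.join(root, "pages")
        os.mkdir(pages)
        with open(os.path.join(pages, "about.txt"), "w") as f:
            f.write("about page")
        with open(os.path.join(root, "config.php"), "w") as f:
            f.write("$dbpass = 'secret';")    # the kind of file such a bug discloses
        requests = ["about.txt", "../config.php", "/etc/passwd",
                    "about.txt\x00.html", "sub/../about.txt"]
        served = {r: resolve_under(pages, r) is not None for r in requests}
        allowlisted = {n: page_path(pages, n) is not None for n in ("about", "../config.php")}
        return served, allowlisted
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The containment check is the minimum for code that must accept arbitrary file names; where the set of pages is known in advance, as it is for a portal's static content, the allowlist is the better design because there is no path to get wrong.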
*** {01.09.026} Cross - Multiple Zope vulnerabilities
Zope has released a hotfix to correct multiple vulnerabilities found in
Zope versions 2.3.1b1 and prior. The vulnerabilities allow a user with
through-the-Web scripting capabilities to possibly modify ZClass
instances. There is also a problem with the return values of
ObjectManager, PropertyManager and PropertySheet class methods.
The hotfix is available at:
http://www.zope.org/
RedHat has released updated RPMs:
http://archives.neohapsis.com/archives/linux/redhat/2001-q1/0059.html
Mandrake has released updated RPMs:
http://archives.neohapsis.com/archives/linux/mandrake/2001-q1/0074.html
Source: RedHat, Mandrake
http://archives.neohapsis.com/archives/linux/redhat/2001-q1/0059.html
http://archives.neohapsis.com/archives/linux/mandrake/2001-q1/0074.html
************************************************************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (BSD/OS)
Comment: For info see http://www.gnupg.org
iD8DBQE6npy1+LUG5KFpTkYRAjeKAJ430auWjkSOkkTkZymLJGk1ULOm2gCfVCiW
BzH+U4C5JfhbK8kZWLCB3us=
=ONfg
-----END PGP SIGNATURE-----
------------------------------------------------------------------------
----------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed to
you and you would like to begin receiving our security e-mail newsletter
on a weekly basis, we invite you to subscribe today at:
http://www.networkcomputing.com/consensus/.
We are signing the Consensus newsletter with PGP. The new SANS PGP key
is posted at:
http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46 and
can be accessed from the SANS Web site: http://www.sans.org.
Special Note: To better secure your confidential information, we will
no longer include personal URLs in our Consensus newsletter mailings.
Instead, we have created a new form, located at:
http://www.sans.org/sansurl. On this form you can enter the SD number
located near your name at the top of the newsletter. When you submit
this form, an e-mail containing a URL will be sent to you at the e-mail
address on record. With this URL you can make changes to your account
(edit the content of your Consensus mailing, for example) without
endangering the security of your personal URL. If you'd like to change
your e-mail address or other information, or unsubscribe to this
newsletter, please visit your new URL as described above. If you have
any problems or questions, e-mail us at <consensus@nwc.com>.
Missed an issue? You can find all back issues of Security Alert
Consensus (and Security Express) online at:
http://archives.neohapsis.com/.
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2001 CMP Media Inc. A service of Network Computing. All
Rights Reserved. Distributed by Network Computing
(http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).