
From: Network Computing and The SANS Institute (sans@sans.org)
Date: Thu Mar 08 2001 - 19:30:52 CST



    Re: Your personalized newsletter

                         -- Security Alert Consensus --
                               Number 087 (01.10)
                            Thursday, March 8, 2001
                               Created for you by
                    Network Computing and the SANS Institute
                             Powered by Neohapsis

    ----------------------------------------------------------------------

    Welcome to the latest edition of Security Alert Consensus! Below you
    should find information pertaining only to the categories you requested.
    If you have any problems or questions, please e-mail us at
    <consensus@nwc.com>.

    ----------------------------------------------------------------------

    *** This issue sponsored by NetIQ ***

    FREE EXPERT SECURITY AUDIOCAST ON MARCH 13

    Tired of struggling to make security a priority in your organization?
    Join NetIQ for an exciting, live interactive audiocast, Selling Security
    to Your Manager ... Before It's too Late!, on March 13, 2001.

    Register now at
    http://www.netiq.com/SecurityAudiocast/Default.asp?Origin=secalrtcon

    ----------------------------------------------------------------------

    CERT has released its quarterly summary indicating the latest trends in
    security exploitation. The top four this time around are:
    1. The various vulnerabilities in BIND
    2. Ramen toolkit/worm, which exploits LPRng, rpc.statd and FTPd on Linux
    3. LPRng on various platforms
    4. The Anna Kournikova (VBS/OnTheFly) e-mail 'worm'

    You can view the summary at:
    http://archives.neohapsis.com/archives/cc/2001-q1/0003.html

    Until next week,
    - Security Alert Consensus Team

    ************************************************************************

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    TABLE OF CONTENTS:

    {01.10.008} Win - MS01-014: IIS 5.0/Exchange 2000 Web mail malformed
                URL service failure
    {01.10.011} Win - A1 HTTP server DoS and directory traversal
    {01.10.013} Win - SlimServe FTPd directory traversal/file retrieval
    {01.10.014} Win - FtpXQ Server directory traversal/file retrieval
    {01.10.015} Win - TYPSoft FTP server directory traversal/file retrieval
    {01.10.020} Win - WarFTP server directory traversal vulnerability
    {01.10.024} Win - WFTPD Pro cwd command buffer overflow
    {01.10.025} Win - SlimServe HTTPd directory traversal/file retrieval
    {01.10.026} Win - Broker FTPd directory traversal/file deletion
    {01.10.028} Win - Faststream FTP server directory traversal/file
                retrieval
    {01.10.029} Win - Winzip32 zipandemail command line parameter buffer
                overflow
    {01.10.030} Win - SunFTP server directory traversal/file retrieval
    {01.10.001} Linux - Update {01.09.005}: Sudo command line parameter
                buffer overflow
    {01.10.003} Linux - Update {01.09.026}: Multiple Zope vulnerabilities
    {01.10.017} Linux - Update {01.07.008}: ProFTPD format string buffer
                overflows
    {01.10.018} Linux - Update {00.56.023}: mgetty insecure temp file
                handling
    {01.10.022} Linux - Update {01.08.037}: Kicq embedded URL command
                execution
    {01.10.009} BSD - Update {01.08.006}: USER_LDT allows call gates to
                execute protected kernel code
    {01.10.010} BSD - OpenBSD IPSec authentication header buffer overflow
    {01.10.023} Sol - Veritas Cluster Server lltstat -L system panic/DoS
    {01.10.006} HPUX - Update {01.05.001}: Multiple Bind buffer overflows
                (TSIG/infoleak)
    {01.10.007} HPUX - Software Distributor SD-UX vulnerability
    {01.10.004} NApps - Cisco IOS SNMP vulnerabilities
    {01.10.005} NApps - Cisco IOS TCP ISN prediction
    {01.10.012} Cross - JOE reads configuration file from current directory
    {01.10.016} Cross - Mail(x) print/t command buffer overflow
    {01.10.019} Cross - Mailman list administrators can access user
                passwords
    {01.10.021} Cross - Multiple CUPS vulnerabilities
    {01.10.027} Cross - Post-query CGI entries buffer overflow
    {01.10.031} Cross - PHP-Nuke user preference save vulnerability
    {01.10.002} Tools - Sendmail 8.11.3 available

    --- Windows News ---------------------------------------------------------

    *** {01.10.008} Win - MS01-014: IIS 5.0/Exchange 2000 Web mail
                    malformed URL service failure

    Microsoft has released MS01-014 ("IIS 5.0/Exchange 2000 Web mail
    malformed URL service failure"). It's possible for particularly
    malformed URL requests to cause a memory allocation error, which results
    in the service failing.

    IIS 5.0 and Exchange 2000 (Web mail component) are affected.

    FAQ and patch:
    http://www.microsoft.com/technet/security/bulletin/MS01-014.asp

    Source: Microsoft
    http://archives.neohapsis.com/archives/vendor/2001-q1/0059.html

    *** {01.10.011} Win - A1 HTTP server DoS and directory traversal

    A1 HTTP server version 1.0a has been reported to contain a denial of
    service that allows a remote attacker to crash the service by sending
    large URL requests. It is also possible for a remote attacker to read
    arbitrary files outside the Web root by submitting URL requests with
    reverse directory traversal notation ('..').

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-02/0457.html

    *** {01.10.013} Win - SlimServe FTPd directory traversal/file retrieval

    SlimServe FTPd version 1.0 has been found to allow remote attackers
    access to files outside the FTP root directory by the use of reverse
    directory traversal ('...') notation in a RETR request.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-02/0507.html

    *** {01.10.014} Win - FtpXQ Server directory traversal/file retrieval

    FtpXQ Server version 2.0.93 has been found to allow remote attackers to
    retrieve files outside the FTP root by the use of reverse directory
    traversal ('..') notation.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-02/0508.html

    *** {01.10.015} Win - TYPSoft FTP server directory traversal/file
                    retrieval

    TYPSoft FTP server version 0.85 has been reported to allow remote
    attackers access to files outside the FTP root if they use reverse
    directory traversal ('..') notation in a RETR request.

    The vendor has confirmed this vulnerability.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-02/0511.html

    *** {01.10.020} Win - WarFTP server directory traversal vulnerability

    WarFTP server version 1.67b04 contains a vulnerability that allows a
    remote attacker to access files outside the FTP root.

    The vendor has confirmed this vulnerability and released a patch, which
    is available at:
    http://support.jgaa.com/

    Source: Win2KSecurityAdvice
    http://archives.neohapsis.com/archives/win2ksecadvice/2001-q1/0091.html

    *** {01.10.024} Win - WFTPD Pro cwd command buffer overflow

    WFTPD Pro server version 3.00R1 contains a buffer overflow in the cwd
    command that could allow a remote attacker to execute arbitrary code on
    the server.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-02/0531.html

    *** {01.10.025} Win - SlimServe HTTPd directory traversal/file retrieval

    SlimServe HTTPd version 1.1a has been found to allow remote attackers
    access to files outside the HTTP root directory through the use of
    reverse directory traversal ('...') notation in a URL request.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-02/0532.html

    *** {01.10.026} Win - Broker FTPd directory traversal/file deletion

    Broker FTPd version 5.0 allows a remote attacker to view directory
    listings and delete files outside the FTP root by using reverse
    directory traversal ('..') notation in various FTP commands.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-02/0533.html

    *** {01.10.028} Win - Faststream FTP server directory traversal/file
                    retrieval

    Faststream's FTP server version 2 beta 11 allows a remote attacker to
    retrieve files outside the Web root by using reverse directory traversal
    ('..') notation.

    The vendor has confirmed this vulnerability and will release a fix in
    the upcoming version 2 beta 12 release.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-02/0534.html
    http://archives.neohapsis.com/archives/bugtraq/2001-03/0013.html

    *** {01.10.029} Win - Winzip32 zipandemail command line parameter
                    buffer overflow

    Winzip32 version 8.0 contains a buffer overflow in the handling of the
    'zipandemail' command line option. The execution of arbitrary code is
    possible; however, practical exploitation is very unlikely.

    The vendor has confirmed the vulnerability and will fix the problem in
    the next version.

    Source: Win2KSecurityAdvice
    http://archives.neohapsis.com/archives/win2ksecadvice/2001-q1/0085.html

    *** {01.10.030} Win - SunFTP server directory traversal/file retrieval

    SunFTP server version b9(1) has been reported to allow remote attackers
    access to files outside the FTP root if they use reverse directory
    traversal ('..') notation in various FTP commands.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-02/0523.html
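    Most of the Windows entries above (SlimServe, FtpXQ, TYPSoft, WarFTP,
    Broker, Faststream and SunFTP) share one root cause: the server glues the
    client-supplied path onto its root directory without normalizing it or
    checking that the result still lies beneath the root. The following is an
    added illustration, not code from any of the products above, showing the
    weak pattern beside a hardened resolver. The root directory, the sample
    requests and the function names are all constructed for this example.

```python
import posixpath
from urllib.parse import unquote

# Constructed server root for the example; a real daemon takes this from its config.
FTP_ROOT = "/srv/ftp"


class PathTraversalError(ValueError):
    """Raised when a client path would resolve outside the configured root."""


def naive_resolve(root: str, requested: str) -> str:
    """The weak pattern: string concatenation, no normalization, no containment check.

    '..' (or, on some Windows servers, '...') segments survive untouched and the
    operating system later collapses them, walking above the root.
    """
    return root + "/" + requested.lstrip("/")


def where_naive_lands(root: str, requested: str) -> str:
    """What the OS actually opens for a naively built path (for demonstration only)."""
    return posixpath.normpath(naive_resolve(root, requested))


def safe_resolve(root: str, requested: str) -> str:
    """Map a client-supplied path onto the server root, refusing anything that escapes it.

    Decodes once, treats backslashes as separators, rejects every dot-only
    segment of two or more dots, normalizes, and finally confirms containment.
    """
    root = posixpath.normpath(root)

    # Web clients may percent-encode the dots or slashes; decode exactly once,
    # then inspect the decoded form. Never decode again further down the stack.
    decoded = unquote(requested)

    # Windows-hosted servers accept '\' as well as '/'; treat both as separators.
    decoded = decoded.replace("\\", "/")

    # An embedded NUL can truncate the path in C-based servers; refuse it outright.
    if "\x00" in decoded:
        raise PathTraversalError("NUL byte in requested path")

    for segment in decoded.split("/"):
        # '..', '...', '....' are all parent references on one platform or
        # another, so a conservative server refuses every dot-only segment of
        # length two or more rather than trying to emulate each filesystem.
        if len(segment) >= 2 and set(segment) == {"."}:
            raise PathTraversalError(f"parent-directory segment {segment!r} rejected")

    # Collapse '.' segments and duplicate slashes; the request is always
    # interpreted relative to the root, never as an absolute host path.
    relative = posixpath.normpath("/" + decoded).lstrip("/")
    full = posixpath.normpath(posixpath.join(root, relative))

    # Belt and braces: the result must be the root itself or live beneath it.
    if full != root and not full.startswith(root + "/"):
        raise PathTraversalError(f"{requested!r} resolves outside {root}")
    return full


def classify(requested: str, root: str = FTP_ROOT) -> str:
    """Return 'ok:<path>' for an accepted request or 'rejected' for a refused one."""
    try:
        return "ok:" + safe_resolve(root, requested)
    except PathTraversalError:
        return "rejected"


if __name__ == "__main__":
    # Constructed sample requests covering the notations named in this section.
    samples = [
        "pub/readme.txt",            # ordinary request
        "/pub//./readme.txt",        # messy but legitimate
        "../../outside.txt",         # classic '..' traversal
        ".../.../outside.txt",       # '...' notation seen on some Windows servers
        "..%2F..%2Foutside.txt",     # percent-encoded separators (HTTP)
        "..\\..\\outside.txt",       # backslash separators
    ]
    for req in samples:
        print(f"{req!r:32} naive -> {where_naive_lands(FTP_ROOT, req):28} hardened -> {classify(req)}")
```

    The resolver is deliberately conservative: it refuses any parent
    reference at all instead of trying to reproduce each filesystem's rules
    for '..' versus '...', and it still performs the containment check on the
    normalized result in case a future change loosens the segment filter. The
    single percent-decode is a design choice, not an afterthought: a path that
    is decoded again later (for example by a second layer that also calls
    unquote) can smuggle a doubly encoded '..' past this check.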

    --- Linux News -----------------------------------------------------------

    *** {01.10.001} Linux - Update {01.09.005}: Sudo command line parameter
                    buffer overflow

    Debian has released updated sudo packages to fix the vulnerability
    discussed in {01.09.005} ("Sudo command line parameter buffer
    overflow").

    Updated Debian DEBs are listed at:
    http://archives.neohapsis.com/archives/vendor/2001-q1/0058.html
    http://archives.neohapsis.com/archives/vendor/2001-q1/0063.html

    Source: Debian
    http://archives.neohapsis.com/archives/vendor/2001-q1/0058.html
    http://archives.neohapsis.com/archives/vendor/2001-q1/0063.html

    *** {01.10.003} Linux - Update {01.09.026}: Multiple Zope
                    vulnerabilities

    Conectiva has released updated Zope packages to fix the vulnerability
    discussed in {01.09.026} ("Multiple Zope vulnerabilities").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/conectiva/2001-q1/0013.html

    Source: Conectiva
    http://archives.neohapsis.com/archives/linux/conectiva/2001-q1/0013.html

    *** {01.10.017} Linux - Update {01.07.008}: ProFTPD format string
                    buffer overflows

    Debian has released updated ProFTPD packages for the m68k platform.
    The updates fix the vulnerability discussed in {01.07.008} ("ProFTPD
    format string buffer overflows").

    Updated DEBs are listed at:
    http://archives.neohapsis.com/archives/vendor/2001-q1/0062.html

    Source: Debian
    http://archives.neohapsis.com/archives/vendor/2001-q1/0062.html

    *** {01.10.018} Linux - Update {00.56.023}: mgetty insecure temp file
                    handling

    Debian has released updated mgetty packages for m68k and powerpc
    platforms. The updated packages fix the vulnerability discussed in
    {00.56.023} ("mgetty insecure temp file handling").

    Updated DEBs are listed at:
    http://archives.neohapsis.com/archives/vendor/2001-q1/0061.html

    Source: Debian
    http://archives.neohapsis.com/archives/vendor/2001-q1/0061.html

    *** {01.10.022} Linux - Update {01.08.037}: Kicq embedded URL command
                    execution

    Fixes for the vulnerability discussed in {01.08.037} ("Kicq embedded
    URL command execution") have been committed to the Kicq CVS as of March
    3, 2001. You can build an updated version from CVS, or wait for the next
    major release.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-02/0536.html

    --- BSD News -------------------------------------------------------------

    *** {01.10.009} BSD - Update {01.08.006}: USER_LDT allows call gates to
                    execute protected kernel code

    OpenBSD has released a patch for the vulnerability discussed in
    {01.08.006} ("USER_LDT allows call gates to execute protected kernel
    code").

    OpenBSD kernels using the USER_LDT option (which is required for using
    WINE) should apply the patch referenced in the source URL below. The
    OpenBSD tree is as of January 19, 2001.

    Source: OpenBSD
    http://archives.neohapsis.com/archives/openbsd/2001-02/3298.html

    *** {01.10.010} BSD - OpenBSD IPSec authentication header buffer
                    overflow

    OpenBSD has released an advisory indicating a buffer overflow in the
    IPSec authentication header IPv4 option. The buffer overflow could be
    used as a denial of service, or possibly to execute arbitrary code on
    the system under root privileges. Note that this feature is not enabled
    by default.

    The fix was committed to OpenBSD on February 20, 2001. A patch is
    available at:
    http://archives.neohapsis.com/archives/openbsd/2001-02/3300.html

    Source: OpenBSD
    http://archives.neohapsis.com/archives/openbsd/2001-02/3300.html

    --- Solaris News ---------------------------------------------------------

    *** {01.10.023} Sol - Veritas Cluster Server lltstat -L system panic/DoS

    The lltstat command shipped with Veritas Cluster Server version 1.3.0
    contains an undocumented command line parameter ('-L') that, when used,
    will cause the system to panic.

    Veritas has confirmed the vulnerability and released a fix.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-02/0528.html

    --- HP-UX News -----------------------------------------------------------

    *** {01.10.006} HPUX - Update {01.05.001}: Multiple Bind buffer
                    overflows (TSIG/infoleak)

    HP has released updated bind packages to fix the vulnerability discussed
    in {01.05.001} ("Multiple Bind buffer overflows (TSIG/infoleak)").

    Apply the appropriate patch:
    HP-UX 11.00: PHNE_23274
    HP-UX 11.11: PHNE_23275
    HP-UX 11.04: PHNE_22919
    HP-UX 10.20: PHNE_23277
    HP-UX 10.24: PHNE_23439
    HP-UX 10.10: PHNE_23277
    HP-UX 10.01: PHNE_23277

    Users of Bind 8.1.2 on HP-UX 11.00 should view the source URL referenced
    below for further upgrade information.

    Source: HP
    http://archives.neohapsis.com/archives/hp/2001-q1/0069.html

    *** {01.10.007} HPUX - Software Distributor SD-UX vulnerability

    HP has released a (vague) advisory indicating a security vulnerability
    in the Software Distributor (SD-UX) component. The vulnerability could
    lead to a local attacker gaining additional privileges.

    The following patches have been released:
    HP-UX 10.01: PHCO_15205
    HP-UX 10.10: PHCO_15205
    HP-UX 10.20: PHCO_20209
    HP-UX 11.00: PHCO_22526

    Source: HP
    http://archives.neohapsis.com/archives/hp/2001-q1/0069.html

    --- Network Appliances News ----------------------------------------------

    *** {01.10.004} NApps - Cisco IOS SNMP vulnerabilities

    Cisco has released an advisory detailing multiple problems in the SNMP
    implementation in IOS versions 5.5, 6.1 and 12.x. The vulnerabilities
    include an undocumented community string ('cable-docsis'), the ability
    to retrieve read-write community strings by browsing the MIB with a
    read-only community string, and the phenomenon of community strings
    reappearing in the configuration after they are explicitly removed.

    Cisco has released many new IOS images; the full availability matrix is
    available at:
    http://archives.neohapsis.com/archives/cisco/2001-q1/0010.html

    Source: Cisco
    http://archives.neohapsis.com/archives/cisco/2001-q1/0010.html

    *** {01.10.005} NApps - Cisco IOS TCP ISN prediction

    Cisco has released many new IOS images to fix a problem in the TCP
    initial sequence number (ISN) generation IOS uses. A predictable ISN
    allows a remote attacker to spoof and hijack connections to or from the
    affected Cisco product.

    An availability matrix of new IOS images is available at:
    http://archives.neohapsis.com/archives/cisco/2001-q1/0009.html

    Source: Cisco
    http://archives.neohapsis.com/archives/cisco/2001-q1/0009.html

    --- Cross-Platform News --------------------------------------------------

    *** {01.10.012} Cross - JOE reads configuration file from current
                    directory

    The JOE text editor has been found to load its configuration file from
    the current directory, if it exists. It's possible for a local attacker
    to place a trojaned configuration file in a world-writable directory,
    which would be read by an unsuspecting user who executes JOE in that
    directory.

    OpenBSD and RedHat have confirmed this vulnerability.

    Updated RedHat RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/redhat/2001-q1/0065.html

    Updated Immunix RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0079.html

    Source: RedHat, Immunix, SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/linux/redhat/2001-q1/0065.html
    http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0079.html
    http://archives.neohapsis.com/archives/bugtraq/2001-02/0490.html

    *** {01.10.016} Cross - Mail(x) print/t command buffer overflow

    The mailx package contains a buffer overflow in the handling of the
    print (abbreviated as 't') command, which could allow local attackers
    to gain sgid mail privileges. This would allow them to read and modify
    other users' e-mail on the system. Version 8.1 was reported vulnerable;
    other versions are likely vulnerable, too.

    Caldera has confirmed this vulnerability and released updated RPMs at:
    http://archives.neohapsis.com/archives/linux/caldera/2001-q1/0010.html

    Source: Caldera, SecurityFocus Vuln-Dev
    http://archives.neohapsis.com/archives/linux/caldera/2001-q1/0010.html
    http://archives.neohapsis.com/archives/vuln-dev/2001-q1/0497.html

    *** {01.10.019} Cross - Mailman list administrators can access user
                    passwords

    Mailman version 2.0.2 has been released. It includes a security fix that
    stops list administrators from viewing user passwords.

    Updated versions can be downloaded at:
    http://mailman.sourceforge.net/

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-03/0031.html

    *** {01.10.021} Cross - Multiple CUPS vulnerabilities

    SuSE has released an advisory indicating various local and remote
    vulnerabilities in CUPS prior to version 1.1.6. The vulnerabilities may
    allow a local or remote attacker to gain root privileges.

    Updated SuSE RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/suse/2001-q1/1213.html

    Source: SuSE
    http://archives.neohapsis.com/archives/linux/suse/2001-q1/1213.html

    *** {01.10.027} Cross - Post-query CGI entries buffer overflow

    The post-query CGI has been found to contain a buffer overflow in the
    handling of incoming entries. A remote attacker could use this buffer
    overflow to execute arbitrary code.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-03/0003.html

    *** {01.10.031} Cross - PHP-Nuke user preference save vulnerability

    PHP-Nuke version 4.4.1a contains a vulnerability in the way user.php
    saves user preferences. It's possible for a remote attacker to
    overwrite/change various user values.

    No patches have been made available.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-02/0525.html

    --- Tool Announcements News ----------------------------------------------

    *** {01.10.002} Tools - Sendmail 8.11.3 available

    Sendmail version 8.11.3 is now available. The new version fixes a large
    bug on systems using buffered file I/O. There is also a fix that
    properly handles buggy accept() calls, preventing a potential denial of
    service.

    The new package can be downloaded at:
    ftp://ftp.sendmail.org/pub/sendmail/

    Source: Sendmail
    http://archives.neohapsis.com/archives/sendmail/2001-q1/0000.html

    ************************************************************************

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.4 (BSD/OS)
    Comment: For info see http://www.gnupg.org

    iD8DBQE6qC7E+LUG5KFpTkYRAu5EAKCa4S90xGNlLbaWHhwr5YhukQUvVgCgoK00
    oH+gONF+dyLZSt0v85z9NGk=
    =/sK8
    -----END PGP SIGNATURE-----
    ------------------------------------------------------------------------

    Become a Security Alert Consensus member! If this e-mail was passed to
    you and you would like to begin receiving our security e-mail newsletter
    on a weekly basis, we invite you to subscribe today at:
    http://www.networkcomputing.com/consensus/.

    We are signing the Consensus newsletter with PGP. The new SANS PGP key
    is posted at:
    http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46 and
    can be accessed from the SANS Web site: http://www.sans.org.

    Special Note: To better secure your confidential information, we will
    no longer include personal URLs in our Consensus newsletter mailings.
    Instead, we have created a new form, located at:
    http://www.sans.org/sansurl. On this form you can enter the SD number
    located near your name at the top of the newsletter. When you submit
    this form, an e-mail containing a URL will be sent to you at the e-mail
    address on record. With this URL you can make changes to your account
    (edit the content of your Consensus mailing, for example) without
    endangering the security of your personal URL. If you'd like to change
    your e-mail address or other information, or unsubscribe to this
    newsletter, please visit your new URL as described above. If you have
    any problems or questions, e-mail us at <consensus@nwc.com>.

    Missed an issue? You can find all back issues of Security Alert
    Consensus (and Security Express) online at:
    http://archives.neohapsis.com/.

    Your opinion counts. We'd like to hear your thoughts on Security Alert
    Consensus. E-mail any questions or comments to <consensus@nwc.com>.

    Copyright (c) 2001 CMP Media Inc. A service of Network Computing. All
    Rights Reserved. Distributed by Network Computing
    (http://www.networkcomputing.com) and The SANS Institute
    (http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
    security assessment and integration services consulting group
    (info@neohapsis.com | http://www.neohapsis.com/).