From: Network Computing and The SANS Institute (sans@sans.org)
Date: Thu Mar 08 2001 - 19:30:52 CST
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 087 (01.10)
Thursday, March 8, 2001
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below you
should find information pertaining only to the categories you requested.
If you have any problems or questions, please e-mail us at
<consensus@nwc.com>.
----------------------------------------------------------------------
*** This issue sponsored by NetIQ ***
FREE EXPERT SECURITY AUDIOCAST ON MARCH 13
Tired of struggling to make security a priority in your organization?
Join NetIQ for an exciting, live interactive audiocast, Selling Security
to Your Manager ... Before It's too Late!, on March 13, 2001.
Register now at
http://www.netiq.com/SecurityAudiocast/Default.asp?Origin=secalrtcon
----------------------------------------------------------------------
CERT has released its quarterly summary indicating the latest trends in
security exploitation. The top four this time around are:
1. The various vulnerabilities in BIND
2. Ramen toolkit/worm, which exploits LPRng, rpc.statd and FTPd on Linux
3. LPRng on various platforms
4. The Anna Kournikova (VBS/OnTheFly) e-mail 'worm'
You can view the summary at:
http://archives.neohapsis.com/archives/cc/2001-q1/0003.html
Until next week,
- Security Alert Consensus Team
************************************************************************
TABLE OF CONTENTS:
{01.10.008} Win - MS01-014: IIS 5.0/Exchange 2000 Web mail malformed
URL service failure
{01.10.011} Win - A1 HTTP server DoS and directory traversal
{01.10.013} Win - SlimServe FTPd directory traversal/file retrieval
{01.10.014} Win - FtpXQ Server directory traversal/file retrieval
{01.10.015} Win - TYPSoft FTP server directory traversal/file retrieval
{01.10.020} Win - WarFTP server directory traversal vulnerability
{01.10.024} Win - WFTPD Pro cwd command buffer overflow
{01.10.025} Win - SlimServe HTTPd directory traversal/file retrieval
{01.10.026} Win - Broker FTPd directory traversal/file deletion
{01.10.028} Win - Faststream FTP server directory traversal/file
retrieval
{01.10.029} Win - Winzip32 zipandemail command line parameter buffer
overflow
{01.10.030} Win - SunFTP server directory traversal/file retrieval
{01.10.001} Linux - Update {01.09.005}: Sudo command line parameter
buffer overflow
{01.10.003} Linux - Update {01.09.026}: Multiple Zope vulnerabilities
{01.10.017} Linux - Update {01.07.008}: ProFTPD format string buffer
overflows
{01.10.018} Linux - Update {00.56.023}: mgetty insecure temp file
handling
{01.10.022} Linux - Update {01.08.037}: Kicq embedded URL command
execution
{01.10.009} BSD - Update {01.08.006}: USER_LDT allows call gates to
execute protected kernel code
{01.10.010} BSD - OpenBSD IPSec authentication header buffer overflow
{01.10.023} Sol - Veritas Cluster Server lltstat -L system panic/DoS
{01.10.006} HPUX - Update {01.05.001}: Multiple Bind buffer overflows
(TSIG/infoleak)
{01.10.007} HPUX - Software Distributor SD-UX vulnerability
{01.10.004} NApps - Cisco IOS SNMP vulnerabilities
{01.10.005} NApps - Cisco IOS TCP ISN prediction
{01.10.012} Cross - JOE reads configuration file from current directory
{01.10.016} Cross - Mail(x) print/t command buffer overflow
{01.10.019} Cross - Mailman list administrators can access user
passwords
{01.10.021} Cross - Multiple CUPS vulnerabilities
{01.10.027} Cross - Post-query CGI entries buffer overflow
{01.10.031} Cross - PHP-Nuke user preference save vulnerability
{01.10.002} Tools - Sendmail 8.11.3 available
--- Windows News -------------------------------------------------------
*** {01.10.008} Win - MS01-014: IIS 5.0/Exchange 2000 Web mail
malformed URL service failure
Microsoft has released MS01-014 ("IIS 5.0/Exchange 2000 Web mail
malformed URL service failure"). It's possible for particularly
malformed URL requests to cause a memory allocation error, which results
in the service failing.
IIS 5.0 and Exchange 2000 (Web mail component) are affected.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS01-014.asp
Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2001-q1/0059.html
*** {01.10.011} Win - A1 HTTP server DoS and directory traversal
A1 HTTP server version 1.0a has been reported to contain a denial-of-
service vulnerability that allows a remote attacker to crash the service
by sending large URL requests. It is also possible for a remote attacker
to read arbitrary files outside the Web root by submitting URL requests
containing reverse directory traversal ('..') notation.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-02/0457.html
*** {01.10.013} Win - SlimServe FTPd directory traversal/file retrieval
SlimServe FTPd version 1.0 has been found to allow remote attackers
access to files outside the FTP root directory by the use of reverse
directory traversal ('...') notation in a RETR request.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-02/0507.html
*** {01.10.014} Win - FtpXQ Server directory traversal/file retrieval
FtpXQ Server version 2.0.93 has been found to allow remote attackers to
retrieve files outside the FTP root by the use of reverse directory
traversal ('..') notation.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-02/0508.html
*** {01.10.015} Win - TYPSoft FTP server directory traversal/file
retrieval
TYPSoft FTP server version 0.85 has been reported to allow remote
attackers access to files outside the FTP root if they use reverse
directory traversal ('..') notation in a RETR request.
The vendor has confirmed this vulnerability.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-02/0511.html
*** {01.10.020} Win - WarFTP server directory traversal vulnerability
WarFTP server version 1.67b04 contains a vulnerability that allows a
remote attacker to access files outside the FTP root.
The vendor has confirmed this vulnerability and released a patch, which
is available at:
http://support.jgaa.com/
Source: Win2KSecurityAdvice
http://archives.neohapsis.com/archives/win2ksecadvice/2001-q1/0091.html
*** {01.10.024} Win - WFTPD Pro cwd command buffer overflow
WFTPD Pro server version 3.00R1 contains a buffer overflow in the cwd
command that could allow a remote attacker to execute arbitrary code on
the server.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-02/0531.html
*** {01.10.025} Win - SlimServe HTTPd directory traversal/file retrieval
SlimServe HTTPd version 1.1a has been found to allow remote attackers
access to files outside the HTTP root directory through the use of
reverse directory traversal ('...') notation in a URL request.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-02/0532.html
*** {01.10.026} Win - Broker FTPd directory traversal/file deletion
Broker FTPd version 5.0 allows a remote attacker to view directory
listings and delete files outside the FTP root by using reverse
directory traversal ('..') notation in various FTP commands.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-02/0533.html
*** {01.10.028} Win - Faststream FTP server directory traversal/file
retrieval
Faststream's FTP server version 2 beta 11 allows a remote attacker to
retrieve files outside the Web root by using reverse directory traversal
('..') notation.
The vendor has confirmed this vulnerability and will release a fix in
the upcoming version 2 beta 12 release.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-02/0534.html
http://archives.neohapsis.com/archives/bugtraq/2001-03/0013.html
*** {01.10.029} Win - Winzip32 zipandemail command line parameter
buffer overflow
Winzip32 version 8.0 contains a buffer overflow in the handling of the
'zipandemail' command line option. The execution of arbitrary code is
possible; however, practical exploitation is very unlikely.
The vendor has confirmed the vulnerability and will fix the problem in
the next version.
Source: Win2KSecurityAdvice
http://archives.neohapsis.com/archives/win2ksecadvice/2001-q1/0085.html
*** {01.10.030} Win - SunFTP server directory traversal/file retrieval
SunFTP server version b9(1) has been reported to allow remote attackers
access to files outside the FTP root if they use reverse directory
traversal ('..') notation in various FTP commands.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-02/0523.html
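Most of the Windows entries above are the same defect: the server takes the client's path, joins it onto the served root and opens the result without first checking that the result still lies under that root. As an added example (not from the newsletter or from any vendor named in it), the containment check a file server should apply before opening anything, written against a hypothetical served root of /srv/ftp; it resolves '..' and symlinks, refuses the dot-only segments such as '...' that SlimServe accepted, and can percent-decode HTTP paths first so the check sees what the server would act on:

```python
import os
from urllib.parse import unquote


class PathOutsideRoot(ValueError):
    """The client-supplied path would resolve outside the served root."""


def resolve_within_root(root, client_path, percent_decode=False):
    """Map a client-supplied path (an FTP RETR/CWD argument or an HTTP URL
    path) onto the served root and return the absolute filesystem path.

    Raises PathOutsideRoot rather than returning anything outside the root.
    The root need not exist; '..' is collapsed lexically where a component
    does not exist, and through symlinks where it does.
    """
    if percent_decode:
        # HTTP servers see '%2e%2e'; check the form the server will act on.
        client_path = unquote(client_path)
    if "\x00" in client_path:
        raise PathOutsideRoot("NUL byte in path")
    # The Windows servers in these advisories accepted both separators.
    segments = [s for s in client_path.replace("\\", "/").split("/") if s]
    for seg in segments:
        # '..' is handled by realpath below. Longer runs of dots ('...')
        # were treated as parent references by some servers of the era and
        # have no legitimate use as file names, so refuse them outright.
        if seg not in (".", "..") and seg.strip(".") == "":
            raise PathOutsideRoot("dot-only path segment %r" % seg)
    root_real = os.path.realpath(root)
    # A leading '/' from the client means the served root, not the host
    # root: empty segments were dropped and everything is joined onto root_real.
    candidate = os.path.realpath(os.path.join(root_real, *segments))
    # commonpath, not startswith: '/srv/ftp' must not accept '/srv/ftpx/...'.
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise PathOutsideRoot("%r escapes %r" % (client_path, root_real))
    return candidate


def is_within_root(root, client_path, percent_decode=False):
    """Boolean form of the check, convenient for logging rejected requests."""
    try:
        resolve_within_root(root, client_path, percent_decode)
    except PathOutsideRoot:
        return False
    return True


if __name__ == "__main__":
    # Constructed requests modelled on the patterns reported above.
    served_root = "/srv/ftp"  # assumed root; it does not need to exist
    for req in ("pub/readme.txt", "/pub/readme.txt", "../../etc/passwd",
                "..\\..\\boot.ini", ".../.../boot.ini",
                "%2e%2e/%2e%2e/boot.ini"):
        ok = is_within_root(served_root, req, percent_decode=True)
        print("%-26s %s" % (req, "allow" if ok else "REJECT"))
```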
--- Linux News ---------------------------------------------------------
*** {01.10.001} Linux - Update {01.09.005}: Sudo command line parameter
buffer overflow
Debian has released updated sudo packages to fix the vulnerability
discussed in {01.09.005} ("Sudo command line parameter buffer
overflow").
Updated Debian DEBs are listed at:
http://archives.neohapsis.com/archives/vendor/2001-q1/0058.html
http://archives.neohapsis.com/archives/vendor/2001-q1/0063.html
Source: Debian
http://archives.neohapsis.com/archives/vendor/2001-q1/0058.html
http://archives.neohapsis.com/archives/vendor/2001-q1/0063.html
*** {01.10.003} Linux - Update {01.09.026}: Multiple Zope
vulnerabilities
Conectiva has released updated Zope packages to fix the vulnerability
discussed in {01.09.026} ("Multiple Zope vulnerabilities").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/conectiva/2001-q1/0013.html
Source: Conectiva
http://archives.neohapsis.com/archives/linux/conectiva/2001-q1/0013.html
*** {01.10.017} Linux - Update {01.07.008}: ProFTPD format string
buffer overflows
Debian has released updated ProFTPD packages for the m68k platform.
The updates fix the vulnerability discussed in {01.07.008} ("ProFTPD
format string buffer overflows").
Updated DEBs are listed at:
http://archives.neohapsis.com/archives/vendor/2001-q1/0062.html
Source: Debian
http://archives.neohapsis.com/archives/vendor/2001-q1/0062.html
*** {01.10.018} Linux - Update {00.56.023}: mgetty insecure temp file
handling
Debian has released updated mgetty packages for m68k and powerpc
platforms. The updated packages fix the vulnerability discussed in
{00.56.023} ("mgetty insecure temp file handling").
Updated DEBs are listed at:
http://archives.neohapsis.com/archives/vendor/2001-q1/0061.html
Source: Debian
http://archives.neohapsis.com/archives/vendor/2001-q1/0061.html
*** {01.10.022} Linux - Update {01.08.037}: Kicq embedded URL command
execution
Fixes for the vulnerability discussed in {01.08.037} ("Kicq embedded
URL command execution") have been committed to the Kicq CVS as of March
3, 2001. You can build an updated version from CVS, or wait for the next
major release.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-02/0536.html
--- BSD News -----------------------------------------------------------
*** {01.10.009} BSD - Update {01.08.006}: USER_LDT allows call gates to
execute protected kernel code
OpenBSD has released a patch for the vulnerability discussed in
{01.08.006} ("USER_LDT allows call gates to execute protected kernel
code").
OpenBSD kernels using the USER_LDT option (which is required for using
WINE) should apply the patch referenced in the source URL below. The
OpenBSD tree is as of January 19, 2001.
Source: OpenBSD
http://archives.neohapsis.com/archives/openbsd/2001-02/3298.html
*** {01.10.010} BSD - OpenBSD IPSec authentication header buffer
overflow
OpenBSD has released an advisory indicating a buffer overflow in the
IPSec authentication header IPv4 option. The buffer overflow could be
used as a denial of service, or possibly to execute arbitrary code on
the system with root privileges. Note that this feature is not enabled
by default.
The fix was committed to OpenBSD on February 20, 2001. A patch is
available at:
http://archives.neohapsis.com/archives/openbsd/2001-02/3300.html
Source: OpenBSD
http://archives.neohapsis.com/archives/openbsd/2001-02/3300.html
--- Solaris News -------------------------------------------------------
*** {01.10.023} Sol - Veritas Cluster Server lltstat -L system panic/DoS
The lltstat command shipped with Veritas Cluster Server version 1.3.0
contains an undocumented command line parameter ('-L') that, when used,
will cause the system to panic.
Veritas has confirmed the vulnerability and released a fix.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-02/0528.html
--- HP-UX News ---------------------------------------------------------
*** {01.10.006} HPUX - Update {01.05.001}: Multiple Bind buffer
overflows (TSIG/infoleak)
HP has released updated bind packages to fix the vulnerability discussed
in {01.05.001} ("Multiple Bind buffer overflows (TSIG/infoleak)").
Apply the appropriate patch:
HP-UX 11.00: PHNE_23274
HP-UX 11.11: PHNE_23275
HP-UX 11.04: PHNE_22919
HP-UX 10.20: PHNE_23277
HP-UX 10.24: PHNE_23439
HP-UX 10.10: PHNE_23277
HP-UX 10.01: PHNE_23277
Users of Bind 8.1.2 on HP-UX 11.00 should view the source URL referenced
below for further upgrade information.
Source: HP
http://archives.neohapsis.com/archives/hp/2001-q1/0069.html
*** {01.10.007} HPUX - Software Distributor SD-UX vulnerability
HP has released a (vague) advisory indicating a security vulnerability
in the Software Distributor (SD-UX) component. The vulnerability could
lead to a local attacker gaining additional privileges.
The following patches have been released:
HP-UX 10.01: PHCO_15205
HP-UX 10.10: PHCO_15205
HP-UX 10.20: PHCO_20209
HP-UX 11.00: PHCO_22526
Source: HP
http://archives.neohapsis.com/archives/hp/2001-q1/0069.html
--- Network Appliances News --------------------------------------------
*** {01.10.004} NApps - Cisco IOS SNMP vulnerabilities
Cisco has released an advisory detailing multiple problems in the SNMP
implementation in IOS versions 5.5, 6.1 and 12.x. The vulnerabilities
include an undocumented community string ('cable-docsis'), the ability
to retrieve read-write community strings by browsing the MIB with a
read-only community string, and the phenomenon of community strings
reappearing in the configuration after they are explicitly removed.
Cisco has released many new IOS images; the full availability matrix is
available at:
http://archives.neohapsis.com/archives/cisco/2001-q1/0010.html
Source: Cisco
http://archives.neohapsis.com/archives/cisco/2001-q1/0010.html
*** {01.10.005} NApps - Cisco IOS TCP ISN prediction
Cisco has released many new IOS images to fix a problem in the TCP
initial sequence number (ISN) generation used by IOS. A predictable ISN
allows a remote attacker to spoof and hijack connections to or from the
affected Cisco product.
An availability matrix of new IOS images is available at:
http://archives.neohapsis.com/archives/cisco/2001-q1/0009.html
Source: Cisco
http://archives.neohapsis.com/archives/cisco/2001-q1/0009.html
--- Cross-Platform News ------------------------------------------------
*** {01.10.012} Cross - JOE reads configuration file from current
directory
The JOE text editor has been found to load its configuration file from
the current directory, if it exists. It's possible for a local attacker
to place a trojaned configuration file in a world-writable directory,
which would be read by an unsuspecting user who executes JOE in that
directory.
OpenBSD and RedHat have confirmed this vulnerability.
Updated RedHat RPMs are listed at:
http://archives.neohapsis.com/archives/linux/redhat/2001-q1/0065.html
Updated Immunix RPMs are listed at:
http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0079.html
Source: RedHat, Immunix, SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/linux/redhat/2001-q1/0065.html
http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0079.html
http://archives.neohapsis.com/archives/bugtraq/2001-02/0490.html
*** {01.10.016} Cross - Mail(x) print/t command buffer overflow
The mailx package contains a buffer overflow in the handling of the
print (abbreviated as 't') command, which could allow local attackers
to gain the privileges of the mail group (sgid mail). This would allow
them to read and modify other users' e-mail on the system. Version 8.1
was reported vulnerable; other versions are likely vulnerable, too.
Caldera has confirmed this vulnerability and released updated RPMs at:
http://archives.neohapsis.com/archives/linux/caldera/2001-q1/0010.html
Source: Caldera, SecurityFocus Vuln-Dev
http://archives.neohapsis.com/archives/linux/caldera/2001-q1/0010.html
http://archives.neohapsis.com/archives/vuln-dev/2001-q1/0497.html
*** {01.10.019} Cross - Mailman list administrators can access user
passwords
Mailman version 2.0.2 has been released. It includes a security fix that
stops list administrators from viewing user passwords.
Updated versions can be downloaded at:
http://mailman.sourceforge.net/
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-03/0031.html
*** {01.10.021} Cross - Multiple CUPS vulnerabilities
SuSE has released an advisory indicating various local and remote
vulnerabilities in CUPS prior to version 1.1.6. The vulnerabilities may
allow a local or remote attacker to gain root privileges.
Updated SuSE RPMs are listed at:
http://archives.neohapsis.com/archives/linux/suse/2001-q1/1213.html
Source: SuSE
http://archives.neohapsis.com/archives/linux/suse/2001-q1/1213.html
*** {01.10.027} Cross - Post-query CGI entries buffer overflow
The post-query CGI has been found to contain a buffer overflow in the
handling of incoming entries. A remote attacker could use this buffer
overflow to execute arbitrary code.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-03/0003.html
*** {01.10.031} Cross - PHP-Nuke user preference save vulnerability
PHP-Nuke version 4.4.1a contains a vulnerability in the way user.php
saves user preferences. It's possible for a remote attacker to
overwrite/change various user values.
No patches have been made available.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-02/0525.html
--- Tool Announcements News --------------------------------------------
*** {01.10.002} Tools - Sendmail 8.11.3 available
Sendmail version 8.11.3 is now available. The new version fixes a large
bug on systems using buffered file I/O. There is also a fix that
properly handles buggy accept() calls, preventing a potential denial of
service.
The new package can be downloaded at:
ftp://ftp.sendmail.org/pub/sendmail/
Source: Sendmail
http://archives.neohapsis.com/archives/sendmail/2001-q1/0000.html
************************************************************************
----------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed to
you and you would like to begin receiving our security e-mail newsletter
on a weekly basis, we invite you to subscribe today at:
http://www.networkcomputing.com/consensus/.
We are signing the Consensus newsletter with PGP. The new SANS PGP key
is posted at:
http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46 and
can be accessed from the SANS Web site: http://www.sans.org.
Special Note: To better secure your confidential information, we will
no longer include personal URLs in our Consensus newsletter mailings.
Instead, we have created a new form, located at:
http://www.sans.org/sansurl. On this form you can enter the SD number
located near your name at the top of the newsletter. When you submit
this form, an e-mail containing a URL will be sent to you at the e-mail
address on record. With this URL you can make changes to your account
(edit the content of your Consensus mailing, for example) without
endangering the security of your personal URL. If you'd like to change
your e-mail address or other information, or unsubscribe from this
newsletter, please visit your new URL as described above. If you have
any problems or questions, e-mail us at <consensus@nwc.com>.
Missed an issue? You can find all back issues of Security Alert
Consensus (and Security Express) online at:
http://archives.neohapsis.com/.
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2001 CMP Media Inc. A service of Network Computing. All
Rights Reserved. Distributed by Network Computing
(http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).