From: Network Computing and The SANS Institute (sans@sans.org)
Date: Thu Mar 15 2001 - 18:14:52 CST
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 088 (01.11)
Thursday, March 15, 2001
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below you
should find information pertaining only to the categories you requested.
If you have any problems or questions, please e-mail us at
<consensus@nwc.com>.
----------------------------------------------------------------------
*** This issue sponsored by NetIQ, Inc. ***
FREE SECURITY BOOK FROM NETIQ
Secure your FREE copy from NetIQ of "Securing Windows NT/2000 Servers
for the Internet." Learn how to simplify your job by paring down
installation and configuration instructions into a series of security
checklists. Quantities are limited.
Register now at http://www.netiq.com/sponsor/default.asp?175
----------------------------------------------------------------------
Those of you who are interested in either testing or running beta
software, or gaining new features, have a lot of options this week. New
beta versions of Bind, Apache and Sendmail have been released.
Bind 9.1.1rc4 contains mostly bug fixes.
http://archives.neohapsis.com/archives/bind/2001/0015.html
Sendmail 8.12.0 beta starts the new 8.12.x series. The initial beta
release provides many performance enhancements and external database
query options.
http://archives.neohapsis.com/archives/sendmail/2001-q1/0001.html
Apache 2.0.14 includes *many* bug fixes over prior releases.
http://archives.neohapsis.com/archives/apache/2001/0004.html
Until next week,
- Security Alert Consensus Team
************************************************************************
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
TABLE OF CONTENTS:
{01.11.002} Win - MS01-015: IE may divulge location to cached content
{01.11.006} Win - Update {00.55.005}: IBM WebSphere AfpaCache memory
leak DoS
{01.11.020} Win - MS01-016: Malformed WebDAV request can cause IIS to
exhaust CPU resources
{01.11.021} Win - Savant Web server %%% DoS/server crash
{01.11.031} Win - Websweeper long URL request DoS
{01.11.001} Linux - Update {01.10.012}: JOE reads configuration file
from current directory
{01.11.008} Linux - Update {01.09.026}: Multiple Zope vulnerabilities
{01.11.009} Linux - Update {01.08.021}: Analog ALIAS buffer overflow
{01.11.013} Linux - Update {00.56.034}: glibc incorrectly loads
libraries from ld.so.cache for suid/sgid apps
{01.11.014} Linux - Update {01.06.022}: gnuserv/xemacs remote buffer
overflow/code execution
{01.11.023} Linux - Update {00.49.038}: Midnight commander directory
name command execution
{01.11.024} Linux - man2html memory consumption DoS
{01.11.007} NW - Predictable user login with print server UID
{01.11.017} HPUX - asecure improper file permissions
{01.11.016} NApps - Cisco/Aironet wireless bridge Web interface doesn't
disable
{01.11.022} NApps - Multiple Cisco PIX firewall vulnerabilities
{01.11.004} Other - MPE/iX AIFCHANGELOGON privilege escalation
{01.11.003} Cross - IBM NetCommerce/Net.Data password
retrieval/decryption
{01.11.010} Cross - INDEXU cookie tampering/authentication bypass
{01.11.011} Cross - ePerl buffer overflows
{01.11.012} Cross - slrn message wrapper buffer overflow
{01.11.015} Cross - Athena asciisrc and multisrc widget temp file
handling vulnerabilities
{01.11.018} Cross - MIT Kerberos improper temp file handling
{01.11.019} Cross - ascdc -d parameter buffer overflow
{01.11.025} Cross - sgml-tools insecure temp file handling
{01.11.026} Cross - Icecast/libshout multiple buffer overflows
{01.11.027} Cross - Ikonboard help.cgi file disclosure
{01.11.028} Cross - POP/IMAP server user-privilege buffer overflows
{01.11.029} Cross - 'Free online dictionary of computing' template.cgi
file disclosure
{01.11.030} Cross - Half-Life server map/exec/config file buffer
overflows
{01.11.032} Cross - Netscape/iPlanet Directory Server LDAP query buffer
overflow
{01.11.005} Tools - Nmap 2.54beta22
- --- Windows News -------------------------------------------------------
*** {01.11.002} Win - MS01-015: IE may divulge location to cached
content
Microsoft has released MS01-015 ("IE may divulge location to cached
content"). It's possible for a remote Web site to learn the exact
location that Internet Explorer uses to cache Web content. This allows
a malicious Web site to execute various scripting content in the local
system security zone.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS01-015.asp
Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2001-q1/0065.html
*** {01.11.006} Win - Update {00.55.005}: IBM WebSphere AfpaCache
memory leak DoS
IBM has released a patch for the vulnerability discussed in {00.55.005}
("IBM WebSphere AfpaCache memory leak DoS"), which affects IBM HTTP
Server versions 1.3.6.4, 1.3.12 and 1.3.12.2 on Windows platforms.
The update can be downloaded at:
http://www-4.ibm.com/software/webservers/httpservers/efix.html
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-03/0061.html
*** {01.11.020} Win - MS01-016: Malformed WebDAV request can cause IIS
to exhaust CPU resources
Microsoft has released MS01-016 ("Malformed WebDAV request can cause
IIS to exhaust CPU resources"). Repeated malformed PROPFIND WebDAV
requests to an IIS 5 (both 5.0 and 5.1) server cause it to consume
available memory and possibly restart. This can result in a denial of
service against the server.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS01-016.asp
Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2001-q1/0073.html
*** {01.11.021} Win - Savant Web server %%% DoS/server crash
Savant Web server version 3.0 has been found to crash when a remote
attacker submits a URL request containing '%%%'.
This vulnerability has not been confirmed.
Software homepage:
http://savant.sourceforge.net/
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-03/0097.html
*** {01.11.031} Win - Websweeper long URL request DoS
Websweeper version 4.0 has been found to contain a denial of service in
the handling of incoming Web requests. It's possible for a remote
attacker to consume all the available memory on the target system by
sending a continuous stream of arbitrary data to the Web server.
This vulnerability has not been confirmed.
Source: Win2KSecurityAdvice
http://archives.neohapsis.com/archives/win2ksecadvice/2001-q1/0095.html
- --- Linux News ---------------------------------------------------------
*** {01.11.001} Linux - Update {01.10.012}: JOE reads configuration
file from current directory
Mandrake and Debian have released updated JOE packages to fix the
vulnerability discussed in {01.10.012} ("JOE reads configuration file
from current directory").
Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/linux/mandrake/2001-q1/0075.html
Updated Debian DEBs:
http://archives.neohapsis.com/archives/vendor/2001-q1/0076.html
Source: Mandrake, Debian
http://archives.neohapsis.com/archives/linux/mandrake/2001-q1/0075.html
http://archives.neohapsis.com/archives/vendor/2001-q1/0076.html
*** {01.11.008} Linux - Update {01.09.026}: Multiple Zope
vulnerabilities
Debian has released an updated Zope package to fix the vulnerability
discussed in {01.09.026} ("Multiple Zope vulnerabilities").
Updated Debian DEBs are listed at:
http://archives.neohapsis.com/archives/vendor/2001-q1/0079.html
Source: Debian
http://archives.neohapsis.com/archives/vendor/2001-q1/0079.html
*** {01.11.009} Linux - Update {01.08.021}: Analog ALIAS buffer overflow
Debian has released updated analog packages to fix the vulnerability
discussed in {01.08.021} ("Analog ALIAS buffer overflow").
Updated Debian DEBs are listed at:
http://archives.neohapsis.com/archives/vendor/2001-q1/0066.html
Source: Debian
http://archives.neohapsis.com/archives/vendor/2001-q1/0066.html
*** {01.11.013} Linux - Update {00.56.034}: glibc incorrectly loads
libraries from ld.so.cache for suid/sgid apps
Debian has released updated glibc packages to fix the vulnerability
discussed in {00.56.034} ("glibc incorrectly loads libraries from
ld.so.cache for suid/sgid apps").
Updated DEBs are listed at:
http://archives.neohapsis.com/archives/vendor/2001-q1/0072.html
Source: Debian
http://archives.neohapsis.com/archives/vendor/2001-q1/0072.html
*** {01.11.014} Linux - Update {01.06.022}: gnuserv/xemacs remote
buffer overflow/code execution
Debian has released updated xemacs packages to fix the vulnerability
discussed in {01.06.022} ("gnuserv/xemacs remote buffer overflow/code
execution").
Updated DEBs are listed at:
http://archives.neohapsis.com/archives/vendor/2001-q1/0078.html
Source: Debian
http://archives.neohapsis.com/archives/vendor/2001-q1/0078.html
*** {01.11.023} Linux - Update {00.49.038}: Midnight commander
directory name command execution
Debian has released updated midnight commander packages to fix the
vulnerability discussed in {00.49.038} ("Midnight commander directory
name command execution").
Updated DEBs are listed at:
http://archives.neohapsis.com/archives/vendor/2001-q1/0069.html
Source: Debian
http://archives.neohapsis.com/archives/vendor/2001-q1/0069.html
*** {01.11.024} Linux - man2html memory consumption DoS
Debian has released an advisory indicating a remote denial of service
against man2html. The attack causes the application to consume all
available memory on the system.
Debian has confirmed this vulnerability.
Updated DEBs are listed at:
http://archives.neohapsis.com/archives/vendor/2001-q1/0068.html
Source: Debian
http://archives.neohapsis.com/archives/vendor/2001-q1/0068.html
- --- NetWare News -------------------------------------------------------
*** {01.11.007} NW - Predictable user login with print server UID
A (brief) advisory was released pointing to a vulnerability that would
allow remote attackers to log into an NDS tree using the print server
as the username. By default, NetWare assigns a blank password to print
server user IDs. Print server user IDs also are immune to account
lockout, so it's possible for a remote attacker to brute force the
appropriate password (should one be set).
The vendor has not confirmed this vulnerability; however, there have
been third-party confirmations.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-03/0093.html
- --- HP-UX News ---------------------------------------------------------
*** {01.11.017} HPUX - asecure improper file permissions
HP has released an advisory indicating improper permissions on files
shipped in the asecure component. This vulnerability is limited to local
attackers.
HP has released the following patches:
HP-UX 10.01, 10.10, 10.20: PHSS_22935
HP-UX 11.00: PHSS_22936
Source: HP
http://archives.neohapsis.com/archives/hp/2001-q1/0080.html
- --- Network Appliances News --------------------------------------------
*** {01.11.016} NApps - Cisco/Aironet wireless bridge Web interface
doesn't disable
Cisco has released an advisory indicating Aironet wireless bridges with
firmware prior to version 8.55 do not correctly disable the Web
configuration interface, even if the configuration says explicitly to
do so. As a result, it's possible for an attacker to reconfigure the
bridge via the Web interface through either locally connected networks
or a wireless link.
Firmware version 8.55 fixes the problem.
Source: Cisco
http://archives.neohapsis.com/archives/cisco/2001-q1/0014.html
*** {01.11.022} NApps - Multiple Cisco PIX firewall vulnerabilities
A lengthy report was recently released indicating (potential) problems
in Cisco's PIX firewall. The report discusses a few potential denials
of service against the firewall, various packet anomalies and how the
PIX (mis)handles them, and common misconfigurations.
The URL to the report is indicated below. Cisco has not commented on
the report.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-03/0110.html
- --- Other News ---------------------------------------------------------
*** {01.11.004} Other - MPE/iX AIFCHANGELOGON privilege escalation
HP has released patches for MPE/iX versions 5.5, 6.0 and 6.5. The
patches correct a vulnerability in the AIFCHANGELOGON facility that
allows users to escalate their privileges.
HP has released the following patches:
MPE/iX 6.5: MPELXJ3C
MPE/iX 6.0: MPELXJ3B
MPE/iX 5.5: MPELXJ3A
Source: HP
http://archives.neohapsis.com/archives/hp/2001-q1/0087.html
- --- Cross-Platform News ------------------------------------------------
*** {01.11.003} Cross - IBM NetCommerce/Net.Data password
retrieval/decryption
IBM's NetCommerce/Net.Data platform (prior to version 5.1) has been
found to use a weak password storage scheme (triple DES with static
key). This allows an attacker, who can retrieve the password hashes, to
decrypt and retrieve the original password. One published method of
remotely retrieving the password hashes was discussed in {01.06.013}
("IBM NetCommerce/Net.Data macro SQL tampering").
IBM has released a statement on the vulnerability. It's available at:
http://archives.neohapsis.com/archives/bugtraq/2001-03/0075.html
Source: Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-03/0136.html
*** {01.11.010} Cross - INDEXU cookie tampering/authentication bypass
The INDEXU Web portal/content management system (version 2.0 beta and
prior) has been found to allow a remote attacker to gain administrative
privileges by forging a cookie that indicates the user has successfully
logged in as an administrator.
The software author has confirmed this problem in an advisory and
indicated a future version will contain a fix.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-03/0068.html
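The bypass summarised in {01.11.010}, as an added example that is not INDEXU's own code: the cookie names, the field layout and SERVER_KEY are assumptions. The vulnerable check trusts a role flag the client sets itself; the hardened check accepts administrator status only from a value the server signed, so a forged or edited cookie fails verification.

```python
"""Cookie-carried login state: the pattern behind a cookie-tampering
authentication bypass, beside a hardened version.

Added example; the cookie names and layout are assumed, not INDEXU's.
"""
import hashlib
import hmac
import secrets

# --- Vulnerable pattern: the cookie itself asserts the role. ---
# Whatever the client sends is believed, so a client that hand-sets
# "admin=1" is treated as a logged-in administrator.
def is_admin_vulnerable(cookies: dict) -> bool:
    return cookies.get("admin") == "1"

# --- Hardened pattern: the cookie carries a server-signed statement. ---
# SERVER_KEY is a per-deployment secret (constructed here for the demo);
# the client never sees it, so it cannot produce a valid tag.
SERVER_KEY = secrets.token_bytes(32)

def _tag(payload: str, key: bytes = SERVER_KEY) -> str:
    """HMAC-SHA256 over the payload, hex-encoded."""
    return hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()

def issue_session_cookie(user: str, role: str, key: bytes = SERVER_KEY) -> str:
    """Build 'user|role|tag' after the server has authenticated `user`."""
    # '|' is the field separator, so neither field may contain it.
    if "|" in user or "|" in role:
        raise ValueError("invalid characters in user or role")
    payload = f"{user}|{role}"
    return f"{payload}|{_tag(payload, key)}"

def is_admin_hardened(cookies: dict, key: bytes = SERVER_KEY) -> bool:
    """Grant admin only when the cookie's tag verifies under the server key."""
    raw = cookies.get("session", "")
    parts = raw.rsplit("|", 1)
    if len(parts) != 2:
        return False
    payload, tag = parts
    # Constant-time comparison avoids leaking the tag byte by byte.
    if not hmac.compare_digest(_tag(payload, key), tag):
        return False
    _user, _sep, role = payload.partition("|")
    return role == "admin"
```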
*** {01.11.011} Cross - ePerl buffer overflows
ePerl has been found to contain multiple buffer overflows that could be
used by local attackers to elevate their privileges should ePerl be
installed suid/sgid. An optional CGI interface also could allow remote
exploitation.
This vulnerability has been confirmed.
Updated Debian DEBs are listed at:
http://archives.neohapsis.com/archives/vendor/2001-q1/0067.html
Updated Mandrake RPMs are listed at:
http://archives.neohapsis.com/archives/linux/mandrake/2001-q1/0077.html
Source: Debian, Mandrake
http://archives.neohapsis.com/archives/vendor/2001-q1/0067.html
http://archives.neohapsis.com/archives/linux/mandrake/2001-q1/0077.html
*** {01.11.012} Cross - slrn message wrapper buffer overflow
A buffer overflow has been found in the wrapping/unwrapping functions
of the slrn newsreader (versions prior to 0.9.6.3pl4). It's possible for a
malicious news message to execute arbitrary code on the user's system.
Note that message wrapping is not enabled by default.
This vulnerability has been confirmed.
Updated Debian DEBs:
http://archives.neohapsis.com/archives/vendor/2001-q1/0075.html
Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/linux/mandrake/2001-q1/0078.html
Source: Debian, Mandrake
http://archives.neohapsis.com/archives/vendor/2001-q1/0075.html
http://archives.neohapsis.com/archives/linux/mandrake/2001-q1/0078.html
*** {01.11.015} Cross - Athena asciisrc and multisrc widget temp file
handling vulnerabilities
The asciisrc and multisrc Athena widgets have been found to insecurely
handle temporary files, allowing a local attacker to perform a symlink
attack.
Debian has released updated DEBs:
http://archives.neohapsis.com/archives/vendor/2001-q1/0070.html
Source: Debian
http://archives.neohapsis.com/archives/vendor/2001-q1/0070.html
*** {01.11.018} Cross - MIT Kerberos improper temp file handling
MIT has released an advisory indicating improper temp file handling in
Kerberos distributions based on MIT Kerberos 4, including MIT Kerberos
5 prior to version 1.2.2 beta1, MIT Kerberos 4 patch 10 and prior,
Cygnus CNS and Kerbnet, as well as certain kth-krb.
A patch for MIT Kerberos version 1.2.1 is available at:
http://web.mit.edu/kerberos/www/advisories/krb4tkt_121_patch.txt
Source: MIT (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-03/0078.html
*** {01.11.019} Cross - ascdc -d parameter buffer overflow
The ascdc version 0.3 application has been found to contain a buffer
overflow in the handling of the -d command line parameter. This is only
a problem if ascdc is installed setuid root (which is not default, but
is suggested in the documentation).
No patches have been made available.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-03/0084.html
*** {01.11.025} Cross - sgml-tools insecure temp file handling
Debian has released an advisory indicating insecure temporary file
handling by the sgml-tools suite for versions prior to 1.0.9-15. It's
possible for a local attacker to use this vulnerability in a symlink
attack.
Debian has confirmed this vulnerability.
Updated DEBs are listed at:
http://archives.neohapsis.com/archives/vendor/2001-q1/0071.html
Source: Debian
http://archives.neohapsis.com/archives/vendor/2001-q1/0071.html
*** {01.11.026} Cross - Icecast/libshout multiple buffer overflows
Icecast prior to version 1.3.9 and libshout prior to version 1.0.4
contain multiple remotely exploitable buffer overflows that could allow
a remote attacker to gain access to the target system.
The vendor has confirmed this vulnerability and released updated
versions.
Vendor homepage:
http://www.icecast.org/
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-03/0121.html
*** {01.11.027} Cross - Ikonboard help.cgi file disclosure
Ikonboard version 2.1.7b contains a vulnerability in the included
help.cgi CGI application that allows a remote attacker to view arbitrary
files on the system that are readable by the Web server.
This vulnerability has not been confirmed. No patches have been made
available.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-03/0124.html
*** {01.11.028} Cross - POP/IMAP server user-privilege buffer overflows
Caldera has released an advisory indicating multiple buffer overflows
in the IMAP and POP (ipop2 and ipop3d) servers. These buffer overflows
are accessible only after a user correctly logs in; they allow system
access under the privileges of the logged-in user. Setups that do not
otherwise allow users shell access to the system will also find this a
security risk.
Updated Caldera RPMs are listed at:
http://archives.neohapsis.com/archives/linux/caldera/2001-q1/0011.html
Source: Caldera
http://archives.neohapsis.com/archives/linux/caldera/2001-q1/0011.html
*** {01.11.029} Cross - 'Free online dictionary of computing'
template.cgi file disclosure
The 'Free online dictionary of computing' CGI application allows a
remote attacker to view arbitrary files that are viewable by the Web
server by sending a malformed template URL parameter to the template.cgi
application. Also possible are limited remote command executions.
This vulnerability has not been confirmed.
Vendor homepage:
http://www.foldoc.org/
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-03/0109.html
*** {01.11.030} Cross - Half-Life server map/exec/config file buffer
overflows
Multiple buffer overflows have been found in the Half-Life server
builds 1572 and 1573 for Windows and Linux, respectively. The buffer
overflows, which lie in the parsing of the map and exec commands, would
allow a remote attacker (who is capable of running map and exec
commands) to execute arbitrary code on the server. There also is a
buffer overflow in the parsing of configuration files, which could allow
for a local attack.
These vulnerabilities have not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-03/0111.html
*** {01.11.032} Cross - Netscape/iPlanet Directory Server LDAP query
buffer overflow
Netscape/iPlanet Directory Server versions 4.1 and 4.12 on Windows NT
(although other platforms may be vulnerable) have been found to contain
a buffer overflow in the handling of incoming LDAP queries. This
vulnerability could be used to either execute arbitrary code or cause
a denial of service attack.
The vendor has confirmed the vulnerability and released Directory Server
version 4.13. It is available via iPlanet support.
Source: Win2KSecurityAdvice
http://archives.neohapsis.com/archives/win2ksecadvice/2001-q1/0093.html
- --- Tool Announcements News --------------------------------------------
*** {01.11.005} Tools - Nmap 2.54beta22
Although still in beta, Nmap 2.54beta22 has been released. This version
contains many new and useful features, including new TCPID sequence
prediction, remote OS uptime querying and significant Windows support.
Nmap can be downloaded at:
http://www.insecure.org/nmap/#download
Source: Nmap-hackers
http://archives.neohapsis.com/archives/nmap/2001/0010.html
************************************************************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (BSD/OS)
Comment: For info see http://www.gnupg.org
iD8DBQE6sVh/+LUG5KFpTkYRAi5AAJ42QUjtzWttTd1JJfSH7+10INE/JACgmKM6
CE0Qy3/f4bDWzcic8C1P1xY=
=OFZt
-----END PGP SIGNATURE-----
----------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed to
you and you would like to begin receiving our security e-mail newsletter
on a weekly basis, we invite you to subscribe today at:
http://www.networkcomputing.com/consensus/.
We are signing the Consensus newsletter with PGP. The new SANS PGP key
is posted at:
http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46 and
can be accessed from the SANS Web site: http://www.sans.org.
Special Note: To better secure your confidential information, we will
no longer include personal URLs in our Consensus newsletter mailings.
Instead, we have created a new form, located at:
http://www.sans.org/sansurl. On this form you can enter the SD number
located near your name at the top of the newsletter. When you submit
this form, an e-mail containing a URL will be sent to you at the e-mail
address on record. With this URL you can make changes to your account
(edit the content of your Consensus mailing, for example) without
endangering the security of your personal URL. If you'd like to change
your e-mail address or other information, or unsubscribe to this
newsletter, please visit your new URL as described above. If you have
any problems or questions, e-mail us at <consensus@nwc.com>.
Missed an issue? You can find all back issues of Security Alert
Consensus (and Security Express) online at:
http://archives.neohapsis.com/.
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2001 CMP Media Inc. A service of Network Computing. All
Rights Reserved. Distributed by Network Computing
(http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).