From: Network Computing and The SANS Institute (sans@sans.org)
Date: Thu Mar 22 2001 - 14:57:03 CST
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 089 (01.12)
Thursday, March 22, 2001
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below you
should find information pertaining only to the categories you requested.
If you have any problems or questions, please e-mail us at
<consensus@nwc.com>.
----------------------------------------------------------------------
*** This issue Sponsored by SurfControl ***
What's the SNIFFER ADVANTAGE?
Internet monitoring & filtering products residing at bottlenecks like
proxy servers, firewalls & gateways, slow network performance.
SurfControl's Pass-By technology radically exploits packet sniffer
techniques to build a picture of network traffic without having a
negative impact upon your network.
FREE TRIAL: http://www.surfcontrol.com/promo/SSAC0322
----------------------------------------------------------------------
An interesting report was released this week by OpenWall concerning
various passive analysis vulnerabilities in the SSH protocol(s). The
report includes a discussion of the vulnerabilities, patches and
pointers to updated SSH versions, as well as demonstration code. It's
definitely a worthy read for all shops using SSH 1 and 2.
http://archives.neohapsis.com/archives/bugtraq/2001-03/0225.html
This week also brought many reports of different FTP servers being
vulnerable to a file name globbing denial of service. Which servers are
and are not vulnerable is still sketchy, but it's definitely a problem.
And it's not just limited to FTP servers. The vulnerability is reported
in this issue as {01.12.014}, under the 'Cross-Platform' category.
Until next week,
- Security Alert Consensus Team
************************************************************************
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
TABLE OF CONTENTS:
{01.12.011} Win - Update {01.11.020}: MS01-016: Malformed WebDAV
request can cause IIS to exhaust CPU resources
{01.12.013} Win - Windows SSHD aborts when handling more than 64
connections
{01.12.016} Win - SAP Internet transaction server cross-site scripting
{01.12.018} Win - MDaemon Web server DOS device request causes server
to crash
{01.12.021} Win - Gordano NTMail large URL DoS
{01.12.027} Win - Windows SFUX telnet client logging file overwrite
{01.12.001} Linux - Update {01.11.025}: sgml-tools insecure temp file
handling
{01.12.002} Linux - Update {01.11.012}: slrn message wrapper buffer
overflow
{01.12.004} Linux - Update {01.10.021}: Multiple CUPS vulnerabilities
{01.12.005} Linux - Update {01.09.005}: Sudo command line parameter
buffer overflow
{01.12.008} Linux - Update {01.11.028}: POP/IMAP server user-privilege
buffer overflows
{01.12.026} Linux - FTPFS module username buffer overflow
{01.12.006} BSD - Malformed packets can crash timed daemon
{01.12.007} BSD - Malformed packets can crash rwhod
{01.12.028} BSD - Update {00.56.012}: Interbase contains hard-coded
user name backdoor
{01.12.029} BSD - Update {00.41.017}: cfengine CAUTH format string
vulnerability
{01.12.024} Sol - snmpXdmid 'indication' buffer overflow
{01.12.025} Sol - SSP snmpd local argv[0] buffer overflow
{01.12.019} AIX - NFS server does not properly validate remote host
restrictions
{01.12.020} AIX - Hursley Software Lab HSLCTF HTTP object DoS
{01.12.012} HPUX - Update {01.08.007}: Vixie cron long user name buffer
overflow
{01.12.015} NApps - Update {01.11.022}: Multiple Cisco PIX firewall
vulnerabilities
{01.12.003} Cross - Update {01.11.026}: Icecast/libshout multiple
buffer overflows
{01.12.009} Cross - Mutt IMAP format string buffer overflow
{01.12.010} Cross - Mesa utah-glx temp file race condition
{01.12.014} Cross - FTP server globbing denial of service
{01.12.017} Cross - Jelsoft vBulletin Web board arbitrary PHP code
execution
{01.12.022} Cross - MySQL database name/local symlink attack
{01.12.023} Cross - Aspseek multiple buffer overflows
- --- Windows News -------------------------------------------------------
*** {01.12.011} Win - Update {01.11.020}: MS01-016: Malformed WebDAV
request can cause IIS to exhaust CPU resources
Microsoft has released a patch for the vulnerability discussed in
{01.11.020} ("MS01-016: Malformed WebDAV request can cause IIS to
exhaust CPU resources"). The prior release only included a workaround.
The patch also fixes other WebDAV related buffer overflows that could
be used to cause a denial of service.
Patch and FAQ are available at:
http://www.microsoft.com/technet/security/bulletin/MS01-016.asp
Source: Microsoft
http://www.microsoft.com/technet/security/bulletin/MS01-016.asp
*** {01.12.013} Win - Windows SSHD aborts when handling more than 64
connections
The Windows SSH daemon version 2.4 from SSH Communications has been
found to crash/abort when more than 64 connection attempts are made;
this results in a remote denial of service. The vendor has confirmed
the problem.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-03/0185.html
http://archives.neohapsis.com/archives/bugtraq/2001-03/0198.html
*** {01.12.016} Win - SAP Internet transaction server cross-site
scripting
SAP Internet transaction server version 4640.2.0.328048 has been found
to allow cross-site scripting, which could be used to trick a client
into executing malicious JavaScript or other Web-transported code.
This vulnerability has not been confirmed.
Source: Vuln-Dev
http://archives.neohapsis.com/archives/vuln-dev/2001-q1/0677.html
*** {01.12.018} Win - MDaemon Web server DOS device request causes
server to crash
The MDaemon Web server prior to version 3.5.6 has been found to crash
if a remote attacker makes a URL request that contains a DOS device
(such as 'aux' or 'con').
The vendor has confirmed this vulnerability and released version 3.5.6.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-03/0188.html
*** {01.12.021} Win - Gordano NTMail large URL DoS
Gordano NTMail version 6.0.3c has been found to crash when a remote
attacker sends a long URL to the listening Web service.
The vendor has confirmed this vulnerability and released a patch:
ftp://ftp.gordano.com/ntmail6/hotfixes/ntmail6C_Intel_20010317.zip
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-03/0248.html
*** {01.12.027} Win - Windows SFUX telnet client logging file overwrite
Windows Services for Unix version 2.0 ships with a telnet client which,
when used in conjunction with Internet Explorer, could allow a malicious
Web site to overwrite arbitrary files on the user's system by invoking
the telnet client's logging function.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-03/0156.html
- --- Linux News ---------------------------------------------------------
*** {01.12.001} Linux - Update {01.11.025}: sgml-tools insecure temp
file handling
Multiple vendors have released updated packages to fix the vulnerability
discussed in {01.11.025} ("sgml-tools insecure temp file handling").
Updated RedHat RPMs:
http://archives.neohapsis.com/archives/linux/redhat/2001-q1/0091.html
Updated Immunix RPMs:
http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0083.html
Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/linux/mandrake/2001-q1/0081.html
Source: RedHat, Immunix, Mandrake
http://archives.neohapsis.com/archives/linux/redhat/2001-q1/0091.html
http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0083.html
http://archives.neohapsis.com/archives/linux/mandrake/2001-q1/0081.html
*** {01.12.002} Linux - Update {01.11.012}: slrn message wrapper buffer
overflow
Multiple vendors have released updated slrn packages to fix the
vulnerability discussed in {01.11.012} ("slrn message wrapper buffer
overflow").
Updated Conectiva RPMs:
http://archives.neohapsis.com/archives/linux/conectiva/2001-q1/0014.html
Updated RedHat RPMs:
http://archives.neohapsis.com/archives/linux/redhat/2001-q1/0089.html
Updated Immunix RPMs:
http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0082.html
Source: Conectiva, RedHat, Immunix
http://archives.neohapsis.com/archives/linux/conectiva/2001-q1/0014.html
http://archives.neohapsis.com/archives/linux/redhat/2001-q1/0089.html
http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0082.html
*** {01.12.004} Linux - Update {01.10.021}: Multiple CUPS
vulnerabilities
Conectiva has released updated CUPS packages to fix the vulnerability
discussed in {01.10.021} ("Multiple CUPS vulnerabilities").
Updated Conectiva RPMs:
http://archives.neohapsis.com/archives/linux/conectiva/2001-q1/0017.html
Source: Conectiva
http://archives.neohapsis.com/archives/linux/conectiva/2001-q1/0017.html
*** {01.12.005} Linux - Update {01.09.005}: Sudo command line parameter
buffer overflow
Mandrake and Trustix have released new sudo packages to fix the
vulnerability discussed in {01.09.005} ("Sudo command line parameter
buffer overflow").
Rereleased Mandrake RPMs:
http://archives.neohapsis.com/archives/linux/mandrake/2001-q1/0080.html
Updated Trustix RPMs:
http://archives.neohapsis.com/archives/bugtraq/2001-03/0165.html
Source: Mandrake, Trustix (SF Bugtraq)
http://archives.neohapsis.com/archives/linux/mandrake/2001-q1/0080.html
http://archives.neohapsis.com/archives/bugtraq/2001-03/0165.html
*** {01.12.008} Linux - Update {01.11.028}: POP/IMAP server
user-privilege buffer overflows
Conectiva has released updated imapd packages to fix the vulnerability
discussed in {01.11.028} ("POP/IMAP server user-privilege buffer
overflows").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/conectiva/2001-q1/0019.html
Source: Conectiva
http://archives.neohapsis.com/archives/linux/conectiva/2001-q1/0019.html
*** {01.12.026} Linux - FTPFS module username buffer overflow
The FTP file system Linux kernel module contains a buffer overflow in
the user name parameter. If a local user is allowed to mount FTP volumes
onto the local system, they could potentially execute arbitrary code
with root (actually, kernel) privileges.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-03/0163.html
- --- BSD News -----------------------------------------------------------
*** {01.12.006} BSD - Malformed packets can crash timed daemon
FreeBSD has released an advisory indicating a denial of service in the
timed daemon that allows remote attackers to crash the service.
FreeBSD 3.5-STABLE as of March 10, 2001, and 4.2-STABLE as of January
7, 2001, contain the corrected versions.
Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2001-03/0162.html
*** {01.12.007} BSD - Malformed packets can crash rwhod
FreeBSD has released an advisory indicating a denial of service in the
rwhod daemon that allows remote attackers to crash the service.
FreeBSD 3.5-STABLE and 4.2-STABLE as of December 23, 2000, contain the
corrected versions.
Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2001-03/0163.html
*** {01.12.028} BSD - Update {00.56.012}: Interbase contains hard-coded
user name backdoor
FreeBSD has released an advisory concerning the vulnerability discussed
in {00.56.012} ("Interbase contains hard-coded user name backdoor").
The Interbase port is maintained by Rios Corp., which has not provided
a security fix for the problem. Therefore, the only effective workaround
is to deinstall the port.
Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2001-03/0160.html
*** {01.12.029} BSD - Update {00.41.017}: cfengine CAUTH format string
vulnerability
FreeBSD has released updated cfengine packages to fix the vulnerability
discussed in {00.41.017} ("cfengine CAUTH format string vulnerability").
The FreeBSD ports collection as of January 21, 2001, contains the
updated versions. Individual packages available for download are listed
at:
http://archives.neohapsis.com/archives/freebsd/2001-03/0161.html
Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2001-03/0161.html
- --- Solaris News -------------------------------------------------------
*** {01.12.024} Sol - snmpXdmid 'indication' buffer overflow
The snmpXdmid daemon, which handles SNMP and DMI messages, has been
found to contain a remotely exploitable buffer overflow in the
'indication' field. This buffer overflow could allow a remote attacker
to execute arbitrary code as root.
Sun is currently producing patches to fix the vulnerability.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-03/0175.html
*** {01.12.025} Sol - SSP snmpd local argv[0] buffer overflow
The SNMP proxy agent shipped in the Solaris 8 SUNWsspop bundle (which
should only be installed on SSP Enterprise 10000 machines) contains a
local buffer overflow in the handling of the program name (argv[0]).
Since the application is setuid root, this could lead to a local root
compromise.
Sun is currently producing patches.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-03/0160.html
http://archives.neohapsis.com/archives/bugtraq/2001-03/0181.html
- --- AIX News -----------------------------------------------------------
*** {01.12.019} AIX - NFS server does not properly validate remote host
restrictions
IBM has released APAR IY10455 to fix a name service resolution bug in
the NFS service. This bug could allow a remote attacker to circumvent
client access restrictions if NFS access is limited to source DNS names.
Source: IBM
http://archives.neohapsis.com/archives/aix/2001-q1/0016.html
*** {01.12.020} AIX - Hursley Software Lab HSLCTF HTTP object DoS
Hursley Software Laboratories Consumer Transaction Framework Web server
version 1.0 has been found susceptible to a denial of service attack
that causes the HTTP object, and possibly other objects (such as SMTP),
to fail.
This vulnerability has been confirmed. A workaround is detailed at:
http://archives.neohapsis.com/archives/bugtraq/2001-03/0243.html
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-03/0243.html
- --- HP-UX News ---------------------------------------------------------
*** {01.12.012} HPUX - Update {01.08.007}: Vixie cron long user name
buffer overflow
HP has released patches for the vulnerability discussed in {01.08.007}
("Vixie cron long user name buffer overflow").
HP-UX 11.00: PHCO_22767
HP-UX 11.04: PHCO_23429
HP-UX 10.20: PHCO_22768
HP-UX 10.24: PHCO_23455
HP-UX 10.10: PHCO_22769
HP-UX 10.01: PHCO_22770
Source: HP
http://archives.neohapsis.com/archives/hp/2001-q1/0093.html
- --- Network Appliances News --------------------------------------------
*** {01.12.015} NApps - Update {01.11.022}: Multiple Cisco PIX firewall
vulnerabilities
Cisco has released a response addressing the issues discussed in
{01.11.022} ("Multiple Cisco PIX firewall vulnerabilities").
The response is available at:
http://archives.neohapsis.com/archives/bugtraq/2001-03/0194.html
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-03/0194.html
- --- Cross-Platform News ------------------------------------------------
*** {01.12.003} Cross - Update {01.11.026}: Icecast/libshout multiple
buffer overflows
A new version of Icecast has been released to fix the vulnerability
discussed in {01.11.026} ("Icecast/libshout multiple buffer overflows").
FreeBSD and Conectiva have also released updated Icecast packages.
Icecast version 1.3.10 is available at:
http://www.icecast.org/
The FreeBSD ports collection as of March 10, 2001, contains the fix.
Individual packages are listed for download at:
http://archives.neohapsis.com/archives/freebsd/2001-03/0159.html
Updated Conectiva RPMs:
http://archives.neohapsis.com/archives/linux/conectiva/2001-q1/0018.html
Source: FreeBSD, Conectiva, SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/freebsd/2001-03/0159.html
http://archives.neohapsis.com/archives/bugtraq/2001-03/0162.html
http://archives.neohapsis.com/archives/linux/conectiva/2001-q1/0018.html
*** {01.12.009} Cross - Mutt IMAP format string buffer overflow
Mutt versions prior to 1.2.5 contain a format string buffer overflow in
the IMAP handling code.
Updated RedHat RPMs:
http://archives.neohapsis.com/archives/linux/redhat/2001-q1/0090.html
Updated Immunix RPMs:
http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0081.html
Updated Conectiva RPMs:
http://archives.neohapsis.com/archives/linux/conectiva/2001-q1/0016.html
Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/linux/mandrake/2001-q1/0082.html
Updated Trustix RPMs:
http://archives.neohapsis.com/archives/bugtraq/2001-03/0246.html
Source: RedHat, Immunix, Conectiva, Mandrake, Trustix
http://archives.neohapsis.com/archives/linux/redhat/2001-q1/0090.html
http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0081.html
http://archives.neohapsis.com/archives/linux/conectiva/2001-q1/0016.html
http://archives.neohapsis.com/archives/linux/mandrake/2001-q1/0082.html
http://archives.neohapsis.com/archives/bugtraq/2001-03/0246.html
*** {01.12.010} Cross - Mesa utah-glx temp file race condition
The utah-glx component in the Mesa graphics library has been found to
insecurely handle temporary files, leading to a local race condition.
Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/linux/mandrake/2001-q1/0079.html
Source: Mandrake
http://archives.neohapsis.com/archives/linux/mandrake/2001-q1/0079.html
*** {01.12.014} Cross - FTP server globbing denial of service
A denial of service has been found in various FTP servers that would
allow a remote attacker to consume memory and CPU by specifying many
wildcards in a file or directory FTP command.
The vendor has confirmed ProFTPd versions 1.2.1 and prior as vulnerable.
Other reports indicated PureFTPd, BeroFTPd, OpenBSD and FreeBSD ftpd as
vulnerable, and wu-ftpd, vsftpd and ncFTPd as not vulnerable.
For those interested, we suggest you look through the collected reports
from various sources at the URLs listed below.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-03/0184.html
http://archives.neohapsis.com/archives/bugtraq/2001-03/0197.html
http://archives.neohapsis.com/archives/bugtraq/2001-03/0200.html
http://archives.neohapsis.com/archives/bugtraq/2001-03/0203.html
http://archives.neohapsis.com/archives/bugtraq/2001-03/0210.html
http://archives.neohapsis.com/archives/bugtraq/2001-03/0211.html
http://archives.neohapsis.com/archives/bugtraq/2001-03/0223.html
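The item above describes the problem only as "many wildcards in a file or directory FTP command", so the following is an added example of the defensive idea behind it, not code from the newsletter or from any of the FTP servers it names. It goes slightly beyond the text: rather than counting wildcard characters alone, it also counts path components that carry a wildcard, because each such component multiplies the directory entries an expander has to visit. The command set, the policy limits (MAX_WILDCARDS, MAX_WILDCARD_COMPONENTS) and the sample command lines are all illustrative assumptions.

```python
"""Pre-expansion guard for FTP glob arguments.

Added example (not code from the newsletter or from any FTP server it
names). It assumes an ftpd-style command line "VERB argument" and the
policy limits below; both are illustrative choices.
"""
from __future__ import annotations

from typing import NamedTuple

# Characters that typical ftpd implementations hand to a glob() expander.
GLOB_METACHARS = "*?["
# Assumed policy limits (illustrative, not taken from any vendor fix).
MAX_WILDCARDS = 8
MAX_WILDCARD_COMPONENTS = 3
# Commands whose argument is expanded as a glob pattern before use (assumed).
GLOB_COMMANDS = {"LIST", "NLST", "STAT"}


class Verdict(NamedTuple):
    accepted: bool
    reason: str


def wildcard_stats(arg: str) -> tuple[int, int]:
    """Return (total wildcard characters, path components containing a wildcard).

    Each wildcard-bearing component multiplies the directory entries the
    expander must visit, so the component count is the better proxy for the
    worst-case cost of the expansion.
    """
    total = sum(arg.count(c) for c in GLOB_METACHARS)
    components = sum(
        1 for part in arg.split("/") if any(c in part for c in GLOB_METACHARS)
    )
    return total, components


def check_ftp_command(line: str) -> Verdict:
    """Decide, before any expansion, whether the argument is safe to glob."""
    parts = line.strip().split(None, 1)
    if not parts:
        return Verdict(False, "empty command")
    verb = parts[0].upper()
    arg = parts[1] if len(parts) > 1 else ""
    if verb not in GLOB_COMMANDS or not arg:
        return Verdict(True, "no glob expansion involved")
    total, components = wildcard_stats(arg)
    if total > MAX_WILDCARDS:
        return Verdict(False, f"{total} wildcard characters exceed limit {MAX_WILDCARDS}")
    if components > MAX_WILDCARD_COMPONENTS:
        return Verdict(
            False,
            f"{components} wildcard path components exceed limit {MAX_WILDCARD_COMPONENTS}",
        )
    return Verdict(True, "ok")


# Constructed sample command lines (not from a real capture).
SAMPLE_COMMANDS = [
    "NLST *.txt",
    "LIST -l pub/*/README",
    "RETR README.txt",
    "NLST " + "/".join(["*"] * 12),   # twelve wildcard components in one pattern
    "NLST a?b?c?d?e?f?g?h?i?",        # nine '?' wildcards in a single component
]


def audit(commands: list[str]) -> list[tuple[str, Verdict]]:
    """Run the guard over a batch of command lines; useful for log review."""
    return [(cmd, check_ftp_command(cmd)) for cmd in commands]


if __name__ == "__main__":
    for cmd, verdict in audit(SAMPLE_COMMANDS):
        status = "accept" if verdict.accepted else "REJECT"
        print(f"{status:7} {cmd!r}: {verdict.reason}")
```

The check runs before any filesystem access, which is the point: a limit applied after expansion has already paid the cost the advisory warns about. The same `audit()` pass can be run over recorded FTP command logs to spot clients that sent patterns a patched server would have refused.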
*** {01.12.017} Cross - Jelsoft vBulletin Web board arbitrary PHP code
execution
Jelsoft's vBulletin PHP Web board has been found to allow a remote
attacker to execute arbitrary PHP code by tampering with the template
cache URL parameter. Versions prior to 1.1.6 and 2.0 beta 3 are
vulnerable.
The vendor has confirmed this vulnerability and released updates.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-03/0180.html
*** {01.12.022} Cross - MySQL database name/local symlink attack
An interesting potential problem has been discovered in MySQL. It allows
malicious users, who have both local system access and MySQL access, to
potentially overwrite files writeable by the MySQL server UID. If MySQL
is running as root, this could potentially lead to a root compromise.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-03/0237.html
*** {01.12.023} Cross - Aspseek multiple buffer overflows
Aspseek versions 1.0.3 and prior contain multiple remotely exploitable
buffer overflows. These would allow an attacker to execute arbitrary
code under the Web server's privileges.
The vendor has provided a patch, which is available at
http://www.aspseek.org/
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-03/0233.html
************************************************************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (BSD/OS)
Comment: For info see http://www.gnupg.org
iD8DBQE6umRU+LUG5KFpTkYRApWxAJ9cDSZgPvfhvnoi87hdJJ2XPw4ErQCfZSRJ
Zf5ZKhlCHMgxGtyyyL69oOA=
=B70z
-----END PGP SIGNATURE-----
------------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed to
you and you would like to begin receiving our security e-mail newsletter
on a weekly basis, we invite you to subscribe today at:
http://www.networkcomputing.com/consensus/.
We are signing the Consensus newsletter with PGP. The new SANS PGP key
is posted at:
http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46 and
can be accessed from the SANS Web site: http://www.sans.org.
Special Note: To better secure your confidential information, we will
no longer include personal URLs in our Consensus newsletter mailings.
Instead, we have created a new form, located at:
http://www.sans.org/sansurl. On this form you can enter the SD number
located near your name at the top of the newsletter. When you submit
this form, an e-mail containing a URL will be sent to you at the e-mail
address on record. With this URL you can make changes to your account
(edit the content of your Consensus mailing, for example) without
endangering the security of your personal URL. If you'd like to change
your e-mail address or other information, or unsubscribe from this
newsletter, please visit your new URL as described above. If you have
any problems or questions, e-mail us at <consensus@nwc.com>.
Missed an issue? You can find all back issues of Security Alert
Consensus (and Security Express) online at:
http://archives.neohapsis.com/.
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2001 CMP Media Inc. A service of Network Computing. All
Rights Reserved. Distributed by Network Computing
(http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).