From: Network Computing and The SANS Institute (sans@sans.org)
Date: Thu Mar 29 2001 - 16:34:02 CST



    Re: Your personalized newsletter

                         -- Security Alert Consensus --
                                Number 090 (01.13)
                            Thursday, March 29, 2001
                               Created for you by
                   Network Computing and the SANS Institute
                              Powered by Neohapsis

    ----------------------------------------------------------------------

    Welcome to the latest edition of Security Alert Consensus! Below you
    should find information pertaining only to the categories you requested.
    If you have any problems or questions, please e-mail us at
    <consensus@nwc.com>.

    ----------------------------------------------------------------------

    *** Sponsored by Thawte ***

    Secure all your Web servers now - with a proven 5-part strategy. The
    FREE Server Security Guide shows you how:

    * DEPLOY THE LATEST ENCRYPTION and authentication techniques
    * DELIVER TRANSPARENT PROTECTION without disrupting users.

    Get your FREE Guide now:
    http://www.verisign.com/cgi-bin/go.cgi?a=n094430110013000

    ----------------------------------------------------------------------

    As we install new products, we must always be aware of how they impact
    our security. Unfortunately, many vendors take the
    "turn-everything-on-out-of-the-box" approach to application design. This
    inflicts a heavy burden, because we must go through and disable all the
    superfluous (and most likely insecure) features. One very important
    modification, one that should ALWAYS be implemented, is changing any
    default passwords. Take, for example, the default store passwords
    shipped with Akopia Interchange:
    http://archives.neohapsis.com/archives/bugtraq/2001-03/0337.html

    Of course, there are times when we won't necessarily know about default
    passwords. They are, after all, "hidden" in the code. A recent example
    is the backdoor password in Interbase (and its derivative) products
    ({00.56.012}). So, too, are the SNMP community strings of Cisco
    equipment ({01.10.004}) and Crosscom routers ({01.13.022}). Very little
    can be done about a backdoor password we don't know about. That is why
    it's crucial to limit access to as many services as we can afford to
    block.

    Just because there are no known problems with a particular piece of
    software/hardware doesn't mean there aren't bugs in it. Paranoia will
    always buy a safer network. :)

    Until next week,
    - Security Alert Consensus Team

    ************************************************************************

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    TABLE OF CONTENTS:

    {01.13.014} Win - REDIProducts REDI stores user name/password in clear
                text
    {01.13.023} Win - Weblogic appended character directory browsing
    {01.13.024} Win - MS01-018: Visual Studio VB-TSQL object contains
                unchecked buffer
    {01.13.002} Linux - Update {01.11.025}: sgml-tools insecure temp file
                handling
    {01.13.003} Linux - Update {01.09.005}: Sudo command line parameter
                buffer overflow
    {01.13.005} Linux - Update {01.12.006}: Malformed packets can crash
                timed daemon
    {01.13.012} Linux - Update {01.11.028}: POP/IMAP server user-privilege
                buffer overflows
    {01.13.017} Linux - Update {01.11.018}: MIT Kerberos improper temp file
                handling
    {01.13.018} Linux - Linux kernel 2.2.19 released
    {01.13.020} BSD - OpenBSD read-line history files may have insecure
                permissions
    {01.13.021} Sol - perfmon creates root-owned world-writeable files
    {01.13.007} HPUX - Update {00.34.013}: newgrp local buffer overflow
    {01.13.008} HPUX - Update {01.11.017}: asecure improper file permissions
    {01.13.022} NApps - Crosscom/Olicom hidden ILMI community string
    {01.13.001} Other - DG/UX lpsched long printer name buffer overflow
    {01.13.004} Cross - Malicious embedded VIM control codes
    {01.13.006} Cross - Compaq Insight Service acts as an authorized proxy
    {01.13.009} Cross - PGP private key file storage concern
    {01.13.010} Cross - licq URL link can contain embedded commands
    {01.13.011} Cross - MS01-017: Spoofed MS VeriSign certificates released
    {01.13.013} Cross - UFS/EXT2FS deleted inode data recovery
    {01.13.015} Cross - Raptor firewall can proxy HTTP requests to other
                hosts
    {01.13.016} Cross - Update {01.12.022}: MySQL database name/local
                symlink attack
    {01.13.019} Cross - Multiple OpenSSH vulnerabilities

    - --- Windows News -------------------------------------------------------

    *** {01.13.014} Win - REDIProducts REDI stores user name/password in
                    clear text

    REDIProducts' REDI application has been found to store all user
    authentication information in a text file. The authentication
    information allows users to make online stock trades.

    The vendor has confirmed the problem and released an update, which is
    available at:
    http://www.redi.com/rpdownload.html

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-03/0275.html

    *** {01.13.023} Win - Weblogic appended character directory browsing

    BEA's Weblogic version 6.0 (and possibly prior) contains a vulnerability
    that allows remote users to gain directory listings of Web-accessible
    directories by appending various extra URL-encoded characters to the
    URL request.

    BEA has confirmed the problem, and a patch is available at:
    http://commerce.bea.com/downloads/weblogic_server.jsp#wls

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-03/0390.html

    *** {01.13.024} Win - MS01-018: Visual Studio VB-TSQL object contains
                    unchecked buffer

    Microsoft has released MS01-018 ("Visual Studio VB-TSQL object contains
    unchecked buffer"). The VB-TSQL debugger object that ships with Visual
    Studio 6.0 Enterprise Edition contains a buffer overflow that would
    allow a remote attacker to execute arbitrary code on the system.

    FAQ and patch:
    http://www.microsoft.com/technet/security/bulletin/MS01-018.asp

    Source: Microsoft
    http://archives.neohapsis.com/archives/vendor/2001-q1/0087.html

    - --- Linux News ---------------------------------------------------------

    *** {01.13.002} Linux - Update {01.11.025}: sgml-tools insecure temp
                    file handling

    Conectiva and Mandrake have released updated sgml-tools packages to fix
    the vulnerability discussed in {01.11.025} ("sgml-tools insecure temp
    file handling").

    Updated Mandrake RPMs:
    http://archives.neohapsis.com/archives/linux/mandrake/2001-q1/0083.html

    Updated Conectiva RPMs:
    http://archives.neohapsis.com/archives/linux/conectiva/2001-q1/0021.html

    Source: Mandrake, Conectiva
    http://archives.neohapsis.com/archives/linux/mandrake/2001-q1/0083.html
    http://archives.neohapsis.com/archives/linux/conectiva/2001-q1/0021.html

    *** {01.13.003} Linux - Update {01.09.005}: Sudo command line parameter
                    buffer overflow

    RedHat has released updated sudo packages to fix the vulnerability
    discussed in {01.09.005} ("Sudo command line parameter buffer
    overflow").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/bugtraq/2001-03/0288.html

    Source: RedHat (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2001-03/0288.html

    *** {01.13.005} Linux - Update {01.12.006}: Malformed packets can crash
                    timed daemon

    Mandrake and SuSE have released updated timed packages to fix the
    vulnerability discussed in {01.12.006} ("Malformed packets can crash
    timed daemon").

    Updated Mandrake RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2001-03/0324.html

    Updated SuSE RPMs:
    http://archives.neohapsis.com/archives/linux/suse/2001-q1/1475.html

    Source: SuSE, Mandrake (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2001-03/0324.html
    http://archives.neohapsis.com/archives/linux/suse/2001-q1/1475.html

    *** {01.13.012} Linux - Update {01.11.028}: POP/IMAP server
                    user-privilege buffer overflows

    SuSE has released updated pop packages to fix the vulnerability
    discussed in {01.11.028} ("POP/IMAP server user-privilege buffer
    overflows").

    Updated SuSE RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/suse/2001-q1/1479.html

    Source: SuSE
    http://archives.neohapsis.com/archives/linux/suse/2001-q1/1479.html

    *** {01.13.017} Linux - Update {01.11.018}: MIT Kerberos improper temp
                    file handling

    RedHat has released updated Kerberos packages to fix the vulnerability
    discussed in {01.11.018} ("MIT Kerberos improper temp file handling").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/bugtraq/2001-03/0415.html

    Source: RedHat (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2001-03/0415.html

    *** {01.13.018} Linux - Linux kernel 2.2.19 released

    The Linux 2.2.19 kernel has been released. It contains a security patch
    that fixes a ptrace/execve race condition that could allow local
    attackers to elevate their privileges.

    The Linux kernel is available at:
    http://www.kernel.org/

    Immunix has released updated kernel RPMs:
    http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0088.html

    Source: Immunix
    http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0088.html

    - --- BSD News -----------------------------------------------------------

    *** {01.13.020} BSD - OpenBSD read-line history files may have insecure
                    permissions

    The read-line library shipped with OpenBSD did not properly set the
    user's umask before writing read-line history files, so those files
    were created with insecure permissions. This could allow a local
    attacker to recover sensitive information.

    A patch for OpenBSD version 2.8 is available at:
    ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.8/common/024_readline.patch

    Source: OpenBSD
    http://archives.neohapsis.com/archives/openbsd/2001-03/1627.html
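
The permission problem above is a property of how the history file is created, not of what it contains. The C program below is an added example, not code from OpenBSD or the read-line library, and not the linked patch. It shows the pattern the advisory implies a library should follow: narrow the umask and pass an explicit owner-only mode when creating a per-user history file, then confirm the result with an audit function that flags any group or other permission bits. The file path is a constructed placeholder.

```c
/* Added example (not OpenBSD or read-line code): create a per-user history
 * file that is never readable by other users, and audit an existing one. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create or truncate `path` with mode 0600 (owner read/write only).
 * The mode passed to open() is filtered by the process umask, so the umask
 * is narrowed to 077 around the call and restored afterwards; fchmod() then
 * corrects the mode even if the file already existed with wider permissions.
 * O_NOFOLLOW refuses to write through a symlink planted at that path.
 * Returns 0 on success, -1 on failure. */
int create_private_file(const char *path) {
    mode_t saved = umask(077);
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW,
                  S_IRUSR | S_IWUSR);
    umask(saved);
    if (fd < 0)
        return -1;
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0) {
        close(fd);
        return -1;
    }
    close(fd);
    return 0;
}

/* Audit: return 1 if `path` grants any permission to group or others (the
 * condition the advisory describes), 0 if it is owner-only, -1 if it cannot
 * be examined. A symlink or non-regular file is reported as exposed, since a
 * history file should never be either. */
int history_file_exposed(const char *path) {
    struct stat st;
    if (lstat(path, &st) != 0)
        return -1;
    if (!S_ISREG(st.st_mode))
        return 1;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) ? 1 : 0;
}

int main(void) {
    const char *path = "/tmp/sac_example_history"; /* constructed path */
    if (create_private_file(path) != 0) {
        perror("create_private_file");
        return 1;
    }
    printf("%s exposed to other users: %s\n", path,
           history_file_exposed(path) ? "yes" : "no");
    unlink(path);
    return 0;
}
```

The audit function is the part worth keeping around: run it over each user's history files (shell, read-line, editor) after an upgrade, because a library fix only affects files created after it is installed, not ones already sitting on disk with the old permissions.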

    - --- Solaris News -------------------------------------------------------

    *** {01.13.021} Sol - perfmon creates root-owned world-writeable files

    A report has surfaced indicating that the JunSoft
    /opt/JSParm/bin/perfmon application allows a local attacker to create
    arbitrary root-owned files that are world-writeable.

    JunSoft has not yet released any patches, nor has this vulnerability
    been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-03/0326.html

    - --- HP-UX News ---------------------------------------------------------

    *** {01.13.007} HPUX - Update {00.34.013}: newgrp local buffer overflow

    HP has released a patch for HP-UX 11.11 to fix the vulnerability
    discussed in {00.34.013} ("newgrp local buffer overflow").

    Apply the following patch:
    HP-UX 11.11: PHCO_23083

    Source: HP
    http://archives.neohapsis.com/archives/hp/2001-q1/0101.html

    *** {01.13.008} HPUX - Update {01.11.017}: asecure improper file
                    permissions

    HP has released additional patches for HP-UX 11.04 to fix the
    vulnerability discussed in {01.11.017} ("asecure improper file
    permissions").

    Apply the following patches:
    HP-UX 11.04: PHSS_23621

    Source: HP
    http://archives.neohapsis.com/archives/hp/2001-q1/0096.html

    - --- Network Appliances News --------------------------------------------

    *** {01.13.022} NApps - Crosscom/Olicom hidden ILMI community string

    A recent report indicates that Crosscom/Olicom routers have an
    undocumented SNMP community string ('ILMI') that allows SNMP
    read-and-write access.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-03/0364.html

    - --- Other News ---------------------------------------------------------

    *** {01.13.001} Other - DG/UX lpsched long printer name buffer overflow

    DG/UX versions R4.20MU02 and R42.0MU06 ship with a vulnerable version
    of lpsched that allows local attackers to elevate their privileges.

    This vulnerability has not been confirmed; however, an exploit has been
    published.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-03/0250.html

    - --- Cross-Platform News ------------------------------------------------

    *** {01.13.004} Cross - Malicious embedded VIM control codes

    Certain VIM implementations (VIM-X11 and VIM-enhanced) have been found
    to contain a vulnerability whereby a malicious file could contain
    embedded VIM control codes. This could result in command execution when
    a user opens the file.

    Updated RedHat RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2001-03/0289.html

    Updated Mandrake RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2001-03/0397.html

    Source: RedHat, Mandrake (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2001-03/0289.html
    http://archives.neohapsis.com/archives/bugtraq/2001-03/0397.html

    *** {01.13.006} Cross - Compaq Insight Service acts as an authorized
                    proxy

    Compaq has released a security advisory indicating the potential for
    the Compaq Insight Management agent (which includes an HTTP server) to
    act as an authorized HTTP proxy. This could potentially allow remote
    attackers to use the proxy services to access internal systems that are
    not normally remotely accessible.

    Compaq has released updated CIM agents. Full patch information and
    workarounds are available at:
    http://archives.neohapsis.com/archives/compaq/2001-q1/0099.html

    Source: Compaq
    http://archives.neohapsis.com/archives/compaq/2001-q1/0099.html

    *** {01.13.009} Cross - PGP private key file storage concern

    Some recent research with PGP brought a particular security concern to
    light. It seems it may be possible to deduce a user's private key,
    should an attacker be able to slightly 'modify' the user's private key
    file and capture a signature based on that modified key.

    Realistically, there is very little room for practical exploitation;
    however, due to the nature of cryptography and the paranoia that comes
    with it, we felt it worthy of a report.

    To read about this further, go to:
    http://archives.neohapsis.com/archives/bugtraq/2001-03/0274.html
    http://archives.neohapsis.com/archives/bugtraq/2001-03/0311.html

    Patches for Gnu Privacy Guard (GPG):
    http://cert.uni-stuttgart.de/files/fw/gnupg-klima-rosa.diff

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-03/0252.html
    http://archives.neohapsis.com/archives/bugtraq/2001-03/0274.html
    http://archives.neohapsis.com/archives/bugtraq/2001-03/0311.html
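
The concern above depends on a signer producing a signature from a private key whose stored form has been altered. A standard countermeasure is to verify every freshly made signature against the public key before releasing it, so a signature computed with a corrupted private exponent is never emitted. The C program below is an added example, not GnuPG or PGP code and not a description of what the linked patch does. It uses a toy textbook RSA keypair built from 16-bit primes (constructed for illustration, not secure) so the whole check fits in a few functions, and simulates a corrupted private key file by altering the private exponent.

```c
/* Added example (not GnuPG/PGP code): sign, then verify the signature with
 * the public key before releasing it, so a signature made with a corrupted
 * private key is never emitted.  Toy textbook RSA with 16-bit primes
 * (constructed for illustration only). */
#include <stdint.h>
#include <stdio.h>

struct rsa_key {
    uint64_t n;   /* public modulus */
    uint64_t e;   /* public exponent */
    uint64_t d;   /* private exponent: the value a tampered key file changes */
};

/* Modular exponentiation; the modulus is below 2^32 so products fit uint64. */
static uint64_t modpow(uint64_t base, uint64_t exp, uint64_t mod) {
    uint64_t result = 1;
    base %= mod;
    while (exp > 0) {
        if (exp & 1)
            result = (result * base) % mod;
        base = (base * base) % mod;
        exp >>= 1;
    }
    return result;
}

/* Modular inverse by the extended Euclidean algorithm; 0 if none exists. */
static uint64_t modinv(uint64_t a, uint64_t m) {
    int64_t t = 0, newt = 1;
    int64_t r = (int64_t)m, newr = (int64_t)(a % m);
    while (newr != 0) {
        int64_t q = r / newr, tmp;
        tmp = t - q * newt; t = newt; newt = tmp;
        tmp = r - q * newr; r = newr; newr = tmp;
    }
    if (r != 1)
        return 0;
    return (uint64_t)(t < 0 ? t + (int64_t)m : t);
}

/* Fixed demo keypair from p = 65521, q = 65519, e = 65537 (constructed). */
int rsa_demo_key(struct rsa_key *k) {
    const uint64_t p = 65521, q = 65519;
    k->n = p * q;
    k->e = 65537;
    k->d = modinv(k->e, (p - 1) * (q - 1));
    return k->d ? 0 : -1;
}

/* Raw RSA over an already-hashed message representative h < n. */
uint64_t rsa_sign_raw(const struct rsa_key *k, uint64_t h) {
    return modpow(h, k->d, k->n);
}

int rsa_verify_raw(const struct rsa_key *k, uint64_t h, uint64_t sig) {
    return modpow(sig, k->e, k->n) == (h % k->n);
}

/* The countermeasure: never release a signature the public key does not
 * verify.  Returns 0 and stores the signature, or -1 (with *sig zeroed) if
 * the private key produced a signature that fails verification, which is
 * exactly what a tampered private exponent causes. */
int safe_sign(const struct rsa_key *k, uint64_t h, uint64_t *sig) {
    uint64_t s = rsa_sign_raw(k, h);
    if (!rsa_verify_raw(k, h, s)) {
        *sig = 0;
        return -1;
    }
    *sig = s;
    return 0;
}

/* Self-checks: a genuine key signs and verifies; a corrupted key is refused. */
int genuine_key_signs(uint64_t h) {
    struct rsa_key k; uint64_t sig;
    return rsa_demo_key(&k) == 0 && safe_sign(&k, h, &sig) == 0
           && rsa_verify_raw(&k, h, sig);
}

int tampered_key_rejected(uint64_t h) {
    struct rsa_key k; uint64_t sig;
    if (rsa_demo_key(&k) != 0)
        return 0;
    k.d += 1;                     /* simulate a corrupted private key file */
    return safe_sign(&k, h, &sig) == -1 && sig == 0;
}

int main(void) {
    printf("genuine key:  %s\n", genuine_key_signs(123456) ? "signature released" : "FAILED");
    printf("tampered key: %s\n", tampered_key_rejected(123456) ? "signature withheld" : "LEAKED");
    return 0;
}
```

The extra verification roughly doubles signing cost, which is the trade-off any real implementation makes here; the alternative of authenticating the private key file itself (a MAC under the passphrase-derived key) closes the same gap earlier, before any exponentiation happens.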

    *** {01.13.010} Cross - licq URL link can contain embedded commands

    Licq has been found to pass shell metacharacters embedded in received
    URLs. This could cause an unwary user to execute arbitrary command line
    commands.

    This vulnerability has been confirmed.

    Updated Mandrake RPMs:
    http://archives.neohapsis.com/archives/linux/mandrake/2001-q1/0084.html

    Updated RedHat RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2001-03/0292.html

    Updated Conectiva RPMs:
    http://archives.neohapsis.com/archives/linux/conectiva/2001-q1/0020.html

    Source: Mandrake, Conectiva, RedHat (SF Bugtraq)
    http://archives.neohapsis.com/archives/linux/mandrake/2001-q1/0084.html
    http://archives.neohapsis.com/archives/bugtraq/2001-03/0292.html
    http://archives.neohapsis.com/archives/linux/conectiva/2001-q1/0020.html
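
The Licq problem is the general one of handing text that another user controls to a shell. The C program below is an added example, not Licq's code or its fix. It shows how a client can launch a browser for a received URL with no shell involved at all (fork and execvp with an argument vector) and with a conservative allow-list applied to the URL first. The browser name and the URLs are constructed for the example, and the allow-list is deliberately narrower than the full URL character set.

```c
/* Added example (not Licq code): launch a browser for a received URL without
 * giving a shell the chance to interpret metacharacters in it. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* The pattern behind the Licq report is building a command line from the
 * URL and passing it to system(), roughly system("browser " + url), so that
 * ';', '`', '$(...)' and similar sequences inside the URL reach /bin/sh.
 * The functions below avoid that entirely: the URL is validated against an
 * allow-list and then passed as a single argv element, never via a shell. */

/* Conservative allow-list for URLs received from other users.  Narrower than
 * the full URL character set on purpose: http/https only, a bounded length,
 * and only the listed characters (no ';', '$', quotes, parentheses, spaces). */
int url_is_safe(const char *url) {
    static const char allowed[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
        "-._~:/?#@!&=%+,";
    size_t len = strlen(url);
    if (len == 0 || len > 2048)
        return 0;
    if (strncmp(url, "http://", 7) != 0 && strncmp(url, "https://", 8) != 0)
        return 0;                 /* also rules out a leading '-' option */
    for (size_t i = 0; i < len; i++)
        if (strchr(allowed, url[i]) == NULL)
            return 0;
    return 1;
}

/* Run `browser` with the URL as its only argument.  execvp() takes an
 * argument vector, so nothing in the URL is parsed as shell syntax.  Returns
 * the browser's exit status, or -1 if the URL is rejected or spawning fails.
 * A real client would not wait for the browser to exit; this one does so
 * the result can be checked. */
int open_url(const char *browser, const char *url) {
    if (!url_is_safe(url))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { (char *)browser, (char *)url, NULL };
        execvp(browser, argv);
        _exit(127);               /* exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    /* "true" stands in for a browser so the example runs anywhere;
     * both URLs are constructed. */
    const char *good = "http://example.com/path?id=1&sort=asc";
    const char *bad  = "http://example.com/a;b";
    printf("%s -> %d\n", good, open_url("true", good));
    printf("%s -> %d\n", bad, open_url("true", bad));
    return 0;
}
```

The allow-list is the secondary control; removing the shell from the path is the primary one, and it is what makes the fix robust against characters the list author did not think of.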

    *** {01.13.011} Cross - MS01-017: Spoofed MS VeriSign certificates
                    released

    Microsoft has released MS01-017 ("Spoofed MS VeriSign certificates
    released"). VeriSign wound up providing two class 3 code-signing
    certificates to an individual who claimed to be from Microsoft. Although
    the certificates appear to be owned by Microsoft, they are not. This
    allows people in possession of the certificates to sign malicious code
    and make it appear as if Microsoft has signed the code.

    FAQ and patch:
    http://www.microsoft.com/technet/security/bulletin/MS01-017.asp

    Source: Microsoft
    http://archives.neohapsis.com/archives/vendor/2001-q1/0084.html

    *** {01.13.013} Cross - UFS/EXT2FS deleted inode data recovery

    A vulnerability has been found in the UFS and EXT2FS file systems,
    whereby a local attacker could potentially gain access to deleted data
    on the system's hard drive. This vulnerability is due to a race
    condition in the file system drivers, which may leave newly allocated
    inodes unmodified, thus allowing the attacker to read the information
    previously contained in the drive.

    FreeBSD has confirmed this vulnerability. FreeBSD (3.5-STABLE and
    4.2-STABLE) as of December 22, 2000, contains the corrected versions.
    Platforms other than FreeBSD may be vulnerable.

    Source: FreeBSD
    http://archives.neohapsis.com/archives/freebsd/2001-03/0403.html

    *** {01.13.015} Cross - Raptor firewall can proxy HTTP requests to
                    other hosts

    Raptor firewall version 6.5 (and possibly prior) has been found to allow
    remote attackers to use the HTTP tunnel service as a proxy to reach
    other systems on the internal network.

    Axent has confirmed this problem; an update is available at:
    ftp://ftp.axent.com/pub/RaptorFirewall/International/Patches/NT6.5/

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-03/0359.html

    *** {01.13.016} Cross - Update {01.12.022}: MySQL database name/local
                    symlink attack

    The latest version of MySQL (version 3.23.36) has been released. This
    version includes a fix for the vulnerability discussed in {01.12.022}
    ("MySQL database name/local symlink attack").

    Updated versions can be downloaded at:
    http://www.mysql.com/

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-03/0396.html

    *** {01.13.019} Cross - Multiple OpenSSH vulnerabilities

    OpenSSH has released version 2.5.2. It includes two security fixes that
    aim to make passive traffic analysis harder, and a fix for the session
    key attack previously described in {01.07.028} ("SSH1 Bleichenbacher
    session key attack").

    OpenSSH version 2.5.2 can be downloaded at:
    http://www.openssh.com/

    Updated Mandrake RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2001-03/0319.html

    Updated Immunix RPMs:
    http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0086.html

    Updated RedHat RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2001-03/0400.html

    Source: Mandrake, RedHat, Immunix, SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-03/0291.html
    http://archives.neohapsis.com/archives/bugtraq/2001-03/0319.html
    http://archives.neohapsis.com/archives/bugtraq/2001-03/0400.html
    http://archives.neohapsis.com/archives/linux/immunix/2001-q1/0086.html

    ************************************************************************

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.4 (BSD/OS)
    Comment: For info see http://www.gnupg.org

    iD8DBQE6w7YL+LUG5KFpTkYRAu9AAJ4hhZljHVIe6vSkSydGi91CLZSAvACdEuW2
    77dGcDzsF/Mrr/8r2XMQTYA=
    =0521
    -----END PGP SIGNATURE-----
    ------------------------------------------------------------------------


    Become a Security Alert Consensus member! If this e-mail was passed to
    you and you would like to begin receiving our security e-mail newsletter
    on a weekly basis, we invite you to subscribe today at:
    http://www.networkcomputing.com/consensus/.

    We are signing the Consensus newsletter with PGP. The new SANS PGP key
    is posted at:
    http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46 and
    can be accessed from the SANS Web site: http://www.sans.org.

    Special Note: To better secure your confidential information, we will
    no longer include personal URLs in our Consensus newsletter mailings.
    Instead, we have created a new form, located at:
    http://www.sans.org/sansurl. On this form you can enter the SD number
    located near your name at the top of the newsletter. When you submit
    this form, an e-mail containing a URL will be sent to you at the e-mail
    address on record. With this URL you can make changes to your account
    (edit the content of your Consensus mailing, for example) without
    endangering the security of your personal URL. If you'd like to change
    your e-mail address or other information, or unsubscribe to this
    newsletter, please visit your new URL as described above. If you have
    any problems or questions, e-mail us at <consensus@nwc.com>.

    Missed an issue? You can find all back issues of Security Alert
    Consensus (and Security Express) online at:
    http://archives.neohapsis.com/.

    Your opinion counts. We'd like to hear your thoughts on Security Alert
    Consensus. E-mail any questions or comments to <consensus@nwc.com>.

    Copyright (c) 2001 CMP Media Inc. A service of Network Computing. All
    Rights Reserved. Distributed by Network Computing
    (http://www.networkcomputing.com) and The SANS Institute
    (http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
    security assessment and integration services consulting group
    (info@neohapsis.com | http://www.neohapsis.com/).