From: Network Computing and The SANS Institute (sanssans.org)
Date: Thu Apr 12 2001 - 14:54:52 CDT


    Re: Your personalized newsletter

                        -- Security Alert Consensus --
                             Number 092 (01.15)
                           Thursday, April 12, 2001
                             Created for you by
                  Network Computing and the SANS Institute
                            Powered by Neohapsis

    ----------------------------------------------------------------------

    Welcome to the latest edition of Security Alert Consensus! Below you
    should find information pertaining only to the categories you requested.
    If you have any problems or questions, please e-mail us at
    <consensusnwc.com>.

    ----------------------------------------------------------------------

    *** Sponsored by Internet Security Systems (ISS) ***

    If you're searching for the right Security Services Partner, it's time
    to evaluate your options. Download this ** FREE ** white paper from
    leading market research firm Aberdeen, and learn about your choices in
    Managed Intrusion Protection Solutions!

    Click here:
    http://www.iss.net/mktg/sac41201/

    ----------------------------------------------------------------------

    This week was a busy one. The Internet worm siege persists, as reports
    continue to come in detailing compromises over vulnerable LPR, Bind and
    RPC services. In addition to the stock versions of the "1i0n" and
    "adore" worms, the GIAC team now is seeing mutations crop up on a fairly
    regular basis. It's safe to say that automation is primetime in the
    exploit scene.

    The most important bugs found this week include: a remote buffer
    overflow in the ntpd time server (reported in this issue as {01.15.001}
    in the Cross-Platform category); IPFilter seems to allow fragmented
    packets to pass by its rule set (reported as {01.15.006} in
    Cross-Platform); and a multivendor FTPd bug in the handling of file name
    globbing, which results in a remote root exploit (reported as
    {01.15.011} in Cross-Platform).

    The Linux scene saw two more vendors begin to release advisories this
    week: Progeny Linux and EnGarde Linux. Lastly, we are reporting on a
    bug in Alcatel DSL modems ({01.15.024} in the Network Appliances
    category) that may affect a good number of users. According to research
    firm Dell'Oro, Alcatel owns approximately 33 percent of the DSL device
    market, although it is unclear as to what percentage of those devices
    are affected.

    Until next week,
    - Security Alert Consensus Team

    ************************************************************************

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    TABLE OF CONTENTS:

    {01.15.013} Win - Gene6 G6 FTP/BPFTP server multiple vulnerabilities
    {01.15.016} Win - Windows PGP ASCII armor decoding yields arbitrary
                files
    {01.15.020} Win - Savant Web server long Host header DoS
    {01.15.026} Win - Compaq Presario ships ActiveX control with vulnerable
                LogDataListToFile function
    {01.15.027} Win - PGP shared keys and cached passphrase vulnerability
    {01.15.003} Linux - Update {01.13.019}: Multiple OpenSSH vulnerabilities
    {01.15.004} Linux - Update {01.13.018}: Linux kernel 2.2.19 released
    {01.15.008} Linux - Update {00.24.021}: Mail/mailx buffer overflow in
                carbon copy (-c) parameter
    {01.15.009} Linux - Update {00.49.038}: Midnight Commander directory
                name command execution
    {01.15.010} Linux - Update {01.13.004}: Malicious embedded VIM control
                codes
    {01.15.015} Sol - kcms_configure command line buffer overflow
    {01.15.017} HPUX - Update {01.11.017}: asecure improper file permissions
    {01.15.005} NApps - Watchguard Firebox II malformed packet DoS
    {01.15.007} NApps - Cisco CSS/Arrowpoint debug mode privilege elevation
    {01.15.014} NApps - BinTec router crashes when port scanned
    {01.15.024} NApps - Multiple vulnerabilities in Alcatel Speed Touch DSL
                modems
    {01.15.002} Other - Update {01.13.006}: Compaq Insight Service acts as
                an authorized proxy
    {01.15.018} Other - Reliant Unix ICMP port unreachable DoS
    {01.15.001} Cross - ntpd/xntpd control request parsing buffer overflow
    {01.15.006} Cross - IPFilter fragmented packet bypass vulnerability
    {01.15.011} Cross - Multivendor FTP glob functionality buffer overflow
    {01.15.012} Cross - Netscape GIF comment may contain malicious
                JavaScript
    {01.15.019} Cross - WaytotheWeb.com Talkback CGI article parameter file
                disclosure
    {01.15.021} Cross - PHP-Nuke banner ad manager tampering
    {01.15.022} Cross - Resin Web server allows access to restricted Java
                classes
    {01.15.023} Cross - Apache Tomcat discloses source in HTTP/0.9 requests
    {01.15.025} Cross - Oracle OAS ndwfn4.so library buffer overflow

    - --- Windows News -------------------------------------------------------

    *** {01.15.013} Win - Gene6 G6 FTP/BPFTP server multiple vulnerabilities

    Gene6's G6 FTP server (renamed to BPFTP) version 2.0 has been found to
    contain two vulnerabilities. It's possible for a remote attacker to
    access files outside the FTP root directory. It's also possible for an
    attacker to induce the FTP server to make a remote NetBIOS
    connection, exposing NetBIOS credentials.

    BPFTP server version 2.10 can be downloaded at:
    http://www.bpftpserver.com/download.html

    Source: Win2KSecurityAdvice
    http://archives.neohapsis.com/archives/win2ksecadvice/2001-q2/0003.html

    *** {01.15.016} Win - Windows PGP ASCII armor decoding yields arbitrary
                    files

    Windows PGP versions 7.0.3 and prior contain a vulnerability that would
    allow a specially crafted ASCII armored message to create an
    arbitrary file when the message is decoded. This could lead to the
    execution of arbitrary code by exploiting another (known) Windows flaw,
    which involves using DLLs out of the current working directory.

    PGP Security has released hot fixes for both versions 7.0.3 and 7.0.4.
    Information is available at:
    http://archives.neohapsis.com/archives/win2ksecadvice/2001-q2/0022.html

    Source: Win2KSecurityAdvice
    http://archives.neohapsis.com/archives/win2ksecadvice/2001-q2/0022.html

    *** {01.15.020} Win - Savant Web server long Host header DoS

    A report indicates a potential denial of service in Savant Web server
    version 3.0. The DoS can be triggered by a remote attacker who submits
    a large Host HTTP header.

    This vulnerability has not been confirmed. No patches have been made
    available.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0071.html

    *** {01.15.026} Win - Compaq Presario ships ActiveX control with
                    vulnerable LogDataListToFile function

    Compaq has released a SoftPaq for Presario systems containing an ActiveX
    control that could allow a malicious Web site to write an arbitrary file
    on the user's system.

    Compaq has released a fix, available at:
    http://Web14.compaq.com/falco/sp_syn.asp?page=splist&detail=yes&recid=16629

    Source: Compaq
    http://archives.neohapsis.com/archives/compaq/2001-q2/0006.html

    *** {01.15.027} Win - PGP shared keys and cached passphrase
                    vulnerability

    A recent advisory indicates a problem in the handling of shared keys by
    PGP Desktop version 7.0. If a user has enabled the 'cache passphrase'
    feature, it's possible for them to retain the use of the split keys,
    thus allowing a single user to sign/encrypt other documents (defeating
    the concept of a split key).

    No patches have been made available.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0148.html

    - --- Linux News ---------------------------------------------------------

    *** {01.15.003} Linux - Update {01.13.019}: Multiple OpenSSH
                    vulnerabilities

    RedHat has released an OpenSSH update for RedHat 7 to fix the
    vulnerability discussed in {01.13.019} ("Multiple OpenSSH
    vulnerabilities").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/redhat/2001-q2/0009.html

    Source: RedHat
    http://archives.neohapsis.com/archives/linux/redhat/2001-q2/0009.html

    *** {01.15.004} Linux - Update {01.13.018}: Linux kernel 2.2.19 released

    Caldera, Progeny and Trustix have released updated Linux kernels that
    include the fixes for the vulnerability discussed in {01.13.018} ("Linux
    kernel 2.2.19 released").

    Updated Caldera RPMs:
    http://archives.neohapsis.com/archives/linux/caldera/2001-q2/0001.html

    Updated Progeny DEBs:
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0119.html

    Updated Trustix RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0060.html

    Source: Caldera, Progeny, Trustix (SF Bugtraq)
    http://archives.neohapsis.com/archives/linux/caldera/2001-q2/0001.html
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0119.html
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0060.html

    *** {01.15.008} Linux - Update {00.24.021}: Mail/mailx buffer overflow
                    in carbon copy (-c) parameter

    Progeny has released an updated mailx package to fix the vulnerability
    discussed in {00.24.021} ("Mail/mailx buffer overflow in carbon copy
    (-c) parameter").

    Updated DEBs are listed at:
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0122.html

    Source: Progeny
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0122.html

    *** {01.15.009} Linux - Update {00.49.038}: Midnight Commander
                    directory name command execution

    SuSE has released updated mc packages to fix the vulnerability discussed
    in {00.49.038} ("Midnight Commander directory name command execution").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/suse/2001-q2/0182.html

    Source: SuSE
    http://archives.neohapsis.com/archives/linux/suse/2001-q2/0182.html

    *** {01.15.010} Linux - Update {01.13.004}: Malicious embedded VIM
                    control codes

    SuSE has released updated VIM packages to fix the vulnerability
    discussed in {01.13.004} ("Malicious embedded VIM control codes").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/suse/2001-q2/0183.html

    Source: SuSE
    http://archives.neohapsis.com/archives/linux/suse/2001-q2/0183.html

    - --- Solaris News -------------------------------------------------------

    *** {01.15.015} Sol - kcms_configure command line buffer overflow

    The kcms_configure application shipped with Solaris 7 and 8 contains a
    buffer overflow that would allow a local attacker to gain root
    privileges.

    Sun has confirmed the problem and is currently working on a patch.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0140.html

    - --- HP-UX News ---------------------------------------------------------

    *** {01.15.017} HPUX - Update {01.11.017}: asecure improper file
                    permissions

    HP has released an updated advisory concerning the vulnerability
    discussed in {01.11.017} ("asecure improper file permissions").

    It seems the released patches may cause problems on various HP
    X-terminals. More information is available at:
    http://archives.neohapsis.com/archives/hp/2001-q2/0000.html

    Source: HP
    http://archives.neohapsis.com/archives/hp/2001-q2/0000.html

    - --- Network Appliances News --------------------------------------------

    *** {01.15.005} NApps - Watchguard Firebox II malformed packet DoS

    The Watchguard Firebox II with software versions prior to 4.6 is
    vulnerable to a denial of service, whereby a remote attacker can cause
    the system to crash by sending a large stream (10,000+) of malformed
    TCP or ICMP packets.

    Watchguard has released software version 4.6, which fixes the problem.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0054.html

    *** {01.15.007} NApps - Cisco CSS/Arrowpoint debug mode privilege
                    elevation

    Cisco has released an advisory concerning the Content Services Switch
    in software versions prior to 4.01B19s. This vulnerability allows a
    normal user, who has command-line access to the CSS device, to enter
    debug mode and elevate his or her privileges.

    Cisco has released WebNS version 4.01B19s, which fixes the problem.

    Source: Cisco
    http://archives.neohapsis.com/archives/cisco/2001-q2/0000.html

    *** {01.15.014} NApps - BinTec router crashes when port scanned

    BinTec X1000, X1200 and X4000 routers have been found to lock up or
    otherwise become unresponsive when port scanned (such as with nmap).

    The vendor has confirmed this problem and will be releasing an updated
    software version shortly.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0145.html

    *** {01.15.024} NApps - Multiple vulnerabilities in Alcatel Speed Touch
                    DSL modems

    A recent advisory indicates multiple vulnerabilities in Alcatel's Speed
    Touch ADSL modems, with firmware KHDSAA.134 and prior. It appears that
    the modem allows for password retrieval via TFTP, contains a password
    challenge/response backdoor and supports a password but does not set
    one by default. All of these 'features' can be remotely exploited.

    These vulnerabilities have been confirmed. No patches have been made
    available.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0142.html

    - --- Other News ---------------------------------------------------------

    *** {01.15.002} Other - Update {01.13.006}: Compaq Insight Service acts
                    as an authorized proxy

    Compaq has released updated Insight Service patches for Tru64 to fix
    the vulnerability discussed in {01.13.006} ("Compaq Insight Service acts
    as an authorized proxy").

    Apply patch MUPssrt0715u_cpqim_01.tar.

    Source: Compaq
    http://archives.neohapsis.com/archives/tru64/2001-q2/0000.html

    *** {01.15.018} Other - Reliant Unix ICMP port unreachable DoS

    A recent post indicates Reliant Unix will close any open connections
    with a host if the Reliant Unix system receives an ICMP port unreachable
    message from the remote host. This means it's possible for a remote
    attacker to spoof the ICMP messages, thus killing connectivity with
    arbitrary hosts.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0076.html
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0118.html

    - --- Cross-Platform News ------------------------------------------------

    *** {01.15.001} Cross - ntpd/xntpd control request parsing buffer
                    overflow

    The ntpd/xntpd time-server versions 4.0.99k and prior have been found
    to contain a buffer overflow in the parsing of control requests. The
    buffer overflow allows a remote attacker to execute arbitrary code with
    root privileges.

    Sun and HP are currently producing patches.

    Updated Caldera RPMs:
    http://archives.neohapsis.com/archives/linux/caldera/2001-q2/0002.html

    Updated Immunix RPMs:
    http://archives.neohapsis.com/archives/linux/immunix/2001-q2/0004.html

    Updated RedHat RPMs:
    http://archives.neohapsis.com/archives/linux/redhat/2001-q2/0014.html

    Updated Slackware tarballs:
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0099.html

    Updated Conectiva RPMs:
    http://archives.neohapsis.com/archives/linux/conectiva/2001-q2/0000.html

    Updated Progeny RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0121.html

    Updated EnGarde RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0127.html

    Updated Debian DEBs:
    http://archives.neohapsis.com/archives/vendor/2001-q2/0002.html

    Updated Mandrake RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0072.html

    Updated Trustix RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0129.html

    Updated SuSE RPMs:
    http://archives.neohapsis.com/archives/linux/suse/2001-q2/0169.html

    NetBSD, current as of April 5, 2001, contains the updated fixes.
    Individual patches are available at:
    http://archives.neohapsis.com/archives/netbsd/2001-q2/0003.html

    The FreeBSD and OpenBSD port collections as of April 4, 2001 contain
    updated fixes.

    The following client workaround configuration has been recommended:

        restrict default ignore
        restrict <time1.server.ip> noquery nomodify notrap nopeer
        restrict <time2.server.ip> noquery nomodify notrap nopeer

    Source: Caldera, Immunix, RedHat, Slackware, Conectiva, Progeny, SuSE,
    Trustix, EnGarde, NetBSD, FreeBSD, Mandrake, SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/linux/caldera/2001-q2/0002.html
    http://archives.neohapsis.com/archives/linux/immunix/2001-q2/0004.html
    http://archives.neohapsis.com/archives/linux/redhat/2001-q2/0014.html
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0099.html
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0111.html
    http://archives.neohapsis.com/archives/hp/2001-q2/0004.html
    http://archives.neohapsis.com/archives/linux/conectiva/2001-q2/0000.html
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0121.html
    http://archives.neohapsis.com/archives/vendor/2001-q2/0002.html
    http://archives.neohapsis.com/archives/netbsd/2001-q2/0003.html
    http://archives.neohapsis.com/archives/freebsd/2001-04/0055.html
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0072.html
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0129.html
    http://archives.neohapsis.com/archives/linux/suse/2001-q2/0169.html
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0127.html

    *** {01.15.006} Cross - IPFilter fragmented packet bypass vulnerability

    A vulnerability has been found in IPFilter that allows a remote attacker
    to send particular fragmented packets; these packets will be allowed to
    pass by IPFilter. Note that this vulnerability still exists even if
    IPFilter is configured to not allow fragmented packets.

    The vendor has confirmed the problem and released versions 3.4.17 and
    3.3.22, which fix the problem. Patches are available at:
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0090.html

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0090.html

    *** {01.15.011} Cross - Multivendor FTP glob functionality buffer
                    overflow

    CERT and NAI have released an advisory indicating various
    vulnerabilities relating to FTP server handling of file name globbing.
    The end result is a remotely exploitable buffer overflow that allows
    the attacker to execute arbitrary code as root.

    NetBSD-current, -1.5 and -1.4 as of April 4, 2001, contain fixes.
    http://archives.neohapsis.com/archives/netbsd/2001-q2/0012.html

    IBM reports that AIX is not affected.
    http://archives.neohapsis.com/archives/aix/2001-q2/0002.html

    FreeBSD (via CERT) indicates FreeBSD 5.0-CURRENT and 4.2-STABLE have
    been updated.

    The NAI advisory indicates OpenBSD 2.8, IRIX 6.5.x, HP-UX 11.00 and
    Solaris 8 also are vulnerable.

    Source: CERT, NetBSD, IBM, SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/cc/2001-q2/0001.html
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0139.html
    http://archives.neohapsis.com/archives/netbsd/2001-q2/0012.html
    http://archives.neohapsis.com/archives/aix/2001-q2/0002.html

    *** {01.15.012} Cross - Netscape GIF comment may contain malicious
                    JavaScript

    An advisory was recently released that indicates it's possible to embed
    malicious JavaScript into a GIF comment under Netscape versions prior
    to 4.77. This would potentially give an attacker access to information
    contained in various 'about:' pages (such as recently browsed pages and
    so on).

    Netscape version 4.77 is supposed to fix the issue. This vulnerability
    has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0125.html

    *** {01.15.019} Cross - WaytotheWeb.com Talkback CGI article parameter
                    file disclosure

    The talkback CGI application from WaytotheWeb.com contains a file
    disclosure vulnerability in the handling of the article URL parameter;
    this allows a remote attacker to view arbitrary files readable by the
    Web server.

    The vendor has released an updated version, available at:
    http://www.waytotheweb.com/webscripts/index.htm

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0128.html

    *** {01.15.021} Cross - PHP-Nuke banner ad manager tampering

    A vulnerability has been found in PHP Nuke that allows a remote attacker
    to change the associated URLs of stored banner ads.

    The vendor has released an update, available at:
    http://phpnuke.org/download.php?dcategory=Fixes

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0017.html
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0045.html

    *** {01.15.022} Cross - Resin Web server allows access to restricted
                    Java classes

    Resin Web server versions 1.2.x and 1.3b1 (tested on a Windows platform)
    have been found to allow a remote attacker access to an otherwise
    restricted Java class if the attacker submits a particularly malformed
    URL.

    This vulnerability has not been confirmed. No patches have been made
    available.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/win2ksecadvice/2001-q2/0004.html

    *** {01.15.023} Cross - Apache Tomcat discloses source in HTTP/0.9
                    requests

    A recent report indicates that Apache's Tomcat Web software (tested with
    version 3.2.1) allows a remote attacker to retrieve the source code of
    a JSP file by making an HTTP/0.9 (simple) Web request.

    This vulnerability has not been confirmed. No patches have been made
    available.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0031.html

    *** {01.15.025} Cross - Oracle OAS ndwfn4.so library buffer overflow

    The ndwfn4.so shared library shipped with Oracle's Application Server
    version 4.0.8.2 has been found to contain a remotely exploitable buffer
    overflow in the handling of long URL requests. The ndwfn4.so library is
    designed to plug into iPlanet Web Server (tested with 4.x).

    No patches have been made available.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-04/0149.html

    ************************************************************************

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.4 (BSD/OS)
    Comment: For info see http://www.gnupg.org

    iD8DBQE61gXd+LUG5KFpTkYRAiamAJ9pvMJaQl2eJgtvCbRSJKcDhgPuxQCdFIir
    /MnpSTHhGyULimpnWSCDdR8=
    =BE/k
    -----END PGP SIGNATURE-----
    ------------------------------------------------------------------------

    Become a Security Alert Consensus member! If this e-mail was passed to
    you and you would like to begin receiving our security e-mail newsletter
    on a weekly basis, we invite you to subscribe today at:
    http://www.networkcomputing.com/consensus/.

    We are signing the Consensus newsletter with PGP. The new SANS PGP key
    is posted at:
    http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46 and
    can be accessed from the SANS Web site: http://www.sans.org.

    Special Note: To better secure your confidential information, we will
    no longer include personal URLs in our Consensus newsletter mailings.
    Instead, we have created a new form, located at:
    http://www.sans.org/sansurl. On this form you can enter the SD number
    located near your name at the top of the newsletter. When you submit
    this form, an e-mail containing a URL will be sent to you at the e-mail
    address on record. With this URL you can make changes to your account
    (edit the content of your Consensus mailing, for example) without
    endangering the security of your personal URL. If you'd like to change
    your e-mail address or other information, or unsubscribe to this
    newsletter, please visit your new URL as described above. If you have
    any problems or questions, e-mail us at <consensusnwc.com>.

    Missed an issue? You can find all back issues of Security Alert
    Consensus (and Security Express) online at:
    http://archives.neohapsis.com/.

    Your opinion counts. We'd like to hear your thoughts on Security Alert
    Consensus. E-mail any questions or comments to <consensusnwc.com>.

    Copyright (c) 2001 CMP Media Inc. A service of Network Computing. All
    Rights Reserved. Distributed by Network Computing
    (http://www.networkcomputing.com) and The SANS Institute
    (http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
    security assessment and integration services consulting group
    (infoneohapsis.com | http://www.neohapsis.com/).