From: Network Computing and The SANS Institute (sans+ZZ37615150336353473@sans.org)
Date: Thu May 10 2001 - 14:29:29 CDT
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 096 (01.19)
Thursday, May 10, 2001
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below you
should find information pertaining only to the categories you requested.
If you have any problems or questions, please e-mail us at
<consensus@nwc.com>.
----------------------------------------------------------------------
Sponsored by PKWare, Inc.
Concerned about Email viruses? Do you use X.509v.3-based Public Key
Certificates and want to authenticate and detect changes to any data
file type? Use PKZIP Explorer to Compress and Digitally Sign one or
thousands of files. TRY IT NOW!
http://www.pkware.com/catalog/pkzipe11.html
----------------------------------------------------------------------
A recent worm has cropped up that propagates through the Solaris sadmind
vulnerability (previously reported as {99.24.011} "Remote root buffer
overflow in sadmind"). Once the worm has infected a Solaris host, it
starts scanning for and exploiting Microsoft IIS servers via the Unicode
bug (reported as {00.43.014} "MS00-078: IIS Web folder traversal
vulnerability"). Upon finding a vulnerable IIS server, the worm will
automatically deface the hosted Web site. Note that both of these bugs
are old (IIS Unicode has had a patch available for over six months and
sadmind has had a patch for over a year). And yet the worm is still
propagating.
More information is available via the CERT advisory; a copy can be found
at:
http://archives.neohapsis.com/archives/cc/2001-q2/0005.html
For anyone going to the Baltimore SANS show next week, a few members of
the Neohapsis/SAC team will be performing some live demonstrations of
leading-edge security technologies (IDS, VA, wireless, DDoS filters and
so on) on Tuesday, May 15th. It's free, it's all day and it should be
appealing to both managers and engineers alike. You can sign up for it
here.
http://www.networkcomputing.com/events/may_challenge.html
Please feel free to stop by and say hello.
Until next week,
- Security Alert Consensus Team
************************************************************************
TABLE OF CONTENTS:
{01.19.005} Win - Update {01.15.026}: Compaq Presario ships ActiveX
control with vulnerable LogDataListToFile function
{01.19.017} Win - MP3Mystic reverse directory traversal vulnerability
{01.19.023} Win - ElectroComm large data stream DoS
{01.19.024} Win - VDNSServer abrupt connection closure DoS
{01.19.025} Win - Spytech Chat server connection flood DoS
{01.19.026} Win - CrushFTP reverse directory traversal vulnerability
{01.19.029} Win - MediaPlayer ASX file banner tag buffer overflow
{01.19.003} Linux - Update {01.18.034}: OpenSSL 0.9.6a released
{01.19.006} Linux - Update {01.11.025}: sgml-tools insecure temp file
handling
{01.19.008} Linux - World-readable swap files created during install
{01.19.009} Linux - Update {00.37.005}: Libc/glibc gettext() locale
format vulnerability
{01.19.010} Linux - Update {00.49.033}: ed creates insecure temporary
files
{01.19.011} Linux - Update {00.45.041}: ncurses library buffer overflows
{01.19.012} Linux - Update {00.56.034}: glibc incorrectly loads
libraries from ld.so.cache for suid/sgid apps
{01.19.013} Linux - Update {01.16.002}: Pine/pico insecure temp file
handling
{01.19.015} Linux - mandb insecure temp file handling
{01.19.016} Linux - Update {01.18.014}: gftp format string vulnerability
{01.19.021} Linux - Update {00.44.011}: crontab -e file viewing
{01.19.028} Sol - mailx -F parameter buffer overflow
{01.19.001} HPUX - kernsymtab leaves world-writable directories
{01.19.019} NApps - Cisco HSRP DoS
{01.19.027} NApps - Potential DoS via SNMP on Cisco Catalyst switch
{01.19.004} Other - Update {01.15.001}: ntpd/xntpd control request
parsing buffer overflow
{01.19.002} Cross - Bind 9.1.2 available
{01.19.007} Cross - Recent predictable TCP ISN research
{01.19.014} Cross - Zope ZClasses permission remapping
{01.19.018} Cross - Multiple vulnerabilities in A1Stats CGI
{01.19.020} Cross - Format string vulnerabilities in minicom
{01.19.022} Cross - Oracle ADI records user name/passwords into plain
file
--- Windows News -------------------------------------------------------
*** {01.19.005} Win - Update {01.15.026}: Compaq Presario ships ActiveX
control with vulnerable LogDataListToFile function
Compaq has rereleased an update for the vulnerability discussed in
{01.15.026} ("Compaq Presario ships ActiveX control with vulnerable
LogDataListToFile function"). The previous one (SoftPaq 16629) was found
to not fully correct the problem. This vulnerability affects Windows 98
and Windows ME shipped on Compaq Presario systems.
Download and install SoftPaq 17398 at:
http://web14.compaq.com/falco/sp_syn.asp?page=splist&detail=yes&recid=17398
Source: Compaq
http://archives.neohapsis.com/archives/compaq/2001-q2/0020.html
*** {01.19.017} Win - MP3Mystic reverse directory traversal
vulnerability
MP3Mystic versions 1.04 and prior have been reported to contain a file
disclosure vulnerability whereby a remote attacker can download files
contained outside the Web root by using reverse directory traversal
('..') notation in a URL request.
The report indicates confirmation by the vendor, which has released
version 1.04b3 as a fix.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-05/0046.html
*** {01.19.023} Win - ElectroComm large data stream DoS
ElectroComm version 2.0 contains a denial of service whereby a remote
attacker can send a large amount of data to the listening telnet server,
causing the application to crash.
This vulnerability has not been confirmed. No patches have been made
available.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-05/0049.html
*** {01.19.024} Win - VDNSServer abrupt connection closure DoS
VDNSServer version 1.0 contains a denial of service that allows a remote
attacker to cause the application to crash simply by making a connection
to port 6070 (where the application listens), which abruptly closes the
connection.
The advisory indicates confirmation by the vendor, which has released
VDNSServer version 2.0.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-05/0050.html
*** {01.19.025} Win - Spytech Chat server connection flood DoS
Spytech Chat server version 6.5 contains a denial of service whereby a
remote attacker can make many (100+) connections to the chat service,
causing the application to crash.
This vulnerability has not been confirmed. No patches have been made
available.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-05/0051.html
*** {01.19.026} Win - CrushFTP reverse directory traversal vulnerability
CrushFTP server version 2.1.4 contains a reverse directory traversal
vulnerability that allows a remote attacker to access arbitrary files
outside the Web root by using '..' notation in file-related commands.
The advisory indicates confirmation by the vendor, which has released
version 2.1.7 as a fix. Product homepage:
http://www.crushftp.com/
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-05/0036.html
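Both traversal items above ({01.19.017} and {01.19.026}) come down to the same missing check: the server mapped the requested path onto the filesystem without verifying that the result still lies under the document root. The following is an added example, not code from either vendor, of performing that check on the canonical path rather than by searching the raw request for '..'; it also refuses the malformed UTF-8 sequences behind the IIS Unicode bug mentioned at the top of this issue. The web root and request paths are constructed.

```python
import os
from urllib.parse import unquote_to_bytes


class TraversalError(ValueError):
    """Raised when a request path would leave the document root."""


def resolve_under_root(web_root: str, request_path: str) -> str:
    """Map a URL path onto the filesystem, refusing anything outside web_root.

    The containment test runs on the canonical absolute path, so '..' segments,
    percent-encoded dots and mixed separators are all caught after decoding
    instead of being pattern-matched in the raw request string.
    """
    root = os.path.realpath(web_root)
    # Decode percent-escapes once, then insist on well-formed UTF-8: an
    # overlong sequence such as %c0%af is rejected rather than silently
    # mapped to '/', which is the class of mistake behind the IIS Unicode bug.
    try:
        decoded = unquote_to_bytes(request_path).decode("utf-8")
    except UnicodeDecodeError as exc:
        raise TraversalError("malformed or overlong UTF-8 in request path") from exc
    # A NUL byte would truncate the path inside C-based servers and libraries.
    if "\x00" in decoded:
        raise TraversalError("NUL byte in request path")
    # Windows servers accept '\' as a separator, so normalise it before checking.
    decoded = decoded.replace("\\", "/")
    candidate = os.path.realpath(os.path.join(root, decoded.lstrip("/")))
    # The resolved path must be the root itself or live strictly beneath it.
    if candidate != root and not candidate.startswith(root + os.sep):
        raise TraversalError(f"request escapes web root: {request_path!r}")
    return candidate


def is_safe_request(web_root: str, request_path: str) -> bool:
    """True when the request resolves inside web_root, False otherwise."""
    try:
        resolve_under_root(web_root, request_path)
    except TraversalError:
        return False
    return True


if __name__ == "__main__":
    ROOT = "/srv/mp3mystic"  # constructed document root for the demonstration
    for req in ("/songs/track.mp3", "/songs/%2e%2e/%2e%2e/%2e%2e/etc/passwd",
                "/songs/..\\..\\..\\etc\\passwd", "/songs/%c0%af"):
        print(f"{req!r:50} -> {'allowed' if is_safe_request(ROOT, req) else 'REJECTED'}")
```

Note that the function decodes exactly once; a server that decodes a second time after routing must repeat the containment check on its final decoded path.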
*** {01.19.029} Win - MediaPlayer ASX file banner tag buffer overflow
An advisory was released indicating an exploitable buffer overflow in
the handling of banner tags in ASX files by Windows MediaPlayer version
6.4 (and possibly others). The vulnerability allows a malicious Web site
to execute arbitrary code on the user's system.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-05/0007.html
--- Linux News ---------------------------------------------------------
*** {01.19.003} Linux - Update {01.18.034}: OpenSSL 0.9.6a released
EnGarde has released updated OpenSSL packages to fix the vulnerability
discussed in {01.18.034} ("OpenSSL 0.9.6a released").
Updated EnGarde RPMs:
http://archives.neohapsis.com/archives/linux/engarde/2001-q2/0002.html
Source: EnGarde
http://archives.neohapsis.com/archives/linux/engarde/2001-q2/0002.html
*** {01.19.006} Linux - Update {01.11.025}: sgml-tools insecure temp
file handling
SuSE has released updated sgml-tools packages to fix the vulnerability
discussed in {01.11.025} ("sgml-tools insecure temp file handling").
Updated SuSE RPMs are listed at:
http://archives.neohapsis.com/archives/linux/suse/2001-q2/0672.html
Source: SuSE
http://archives.neohapsis.com/archives/linux/suse/2001-q2/0672.html
*** {01.19.008} Linux - World-readable swap files created during install
RedHat has released an advisory indicating a potential problem in the
installation routines that could create world-readable swap files. This
could allow a local attacker to read sensitive information that has been
paged out of process memory. RedHat has also released an updated mount
package, which checks the permissions on swap files and warns of
potential security problems.
Note that Linux distributions based on RedHat (such as Conectiva,
Mandrake and so on) also may be vulnerable.
Updated RedHat mount RPMs are listed at:
http://archives.neohapsis.com/archives/linux/redhat/2001-q2/0064.html
Source: RedHat
http://archives.neohapsis.com/archives/linux/redhat/2001-q2/0064.html
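A check in the spirit of the updated mount package described above, written here as an added example rather than RedHat's code: it parses /proc/swaps and, for each swap file (not partition), reports ownership other than root or any group/other permission bit. The /proc/swaps table and the stat results are constructed so the block runs offline; on a live host feed it the real /proc/swaps contents and the default os.stat.

```python
import os
import stat
from collections import namedtuple

# Constructed /proc/swaps table in the format the kernel prints: one header
# line, then Filename / Type / Size / Used / Priority per active swap area.
SAMPLE_PROC_SWAPS = """\
Filename\t\t\t\tType\t\tSize\tUsed\tPriority
/dev/hda5                               partition\t265032\t0\t-1
/var/swap/swapfile1                     file\t\t131064\t0\t-2
/var/swap/swapfile2                     file\t\t131064\t0\t-3
"""


def parse_proc_swaps(text):
    """Return (path, type) pairs from /proc/swaps text, skipping the header."""
    entries = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 2:
            entries.append((fields[0], fields[1]))
    return entries


def swap_file_findings(entries, stat_fn=os.stat):
    """Audit swap *files* (partitions are device nodes with their own rules).

    A swap file holds whatever was paged out of process memory, so it should be
    owned by root with mode 0600; any group/other bit lets a local user read
    or, worse, write that memory. Returns a list of (path, problem) tuples.
    """
    findings = []
    for path, kind in entries:
        if kind != "file":
            continue
        try:
            st = stat_fn(path)
        except OSError as exc:
            findings.append((path, f"cannot stat: {exc}"))
            continue
        mode = stat.S_IMODE(st.st_mode)
        if st.st_uid != 0:
            findings.append((path, f"owned by uid {st.st_uid}, expected root"))
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append((path, f"mode {mode:04o} grants group/other access, expected 0600"))
    return findings


# Constructed stat results standing in for os.stat so the audit runs offline:
# swapfile1 carries the world-readable 0644 mode the advisory warns about.
FakeStat = namedtuple("FakeStat", "st_mode st_uid")
CONSTRUCTED_STATS = {
    "/var/swap/swapfile1": FakeStat(stat.S_IFREG | 0o644, 0),
    "/var/swap/swapfile2": FakeStat(stat.S_IFREG | 0o600, 0),
}


def fake_stat(path):
    if path not in CONSTRUCTED_STATS:
        raise FileNotFoundError(path)
    return CONSTRUCTED_STATS[path]


def audit_sample():
    """Run the audit over the constructed table with the constructed stat."""
    return swap_file_findings(parse_proc_swaps(SAMPLE_PROC_SWAPS), fake_stat)


if __name__ == "__main__":
    for path, problem in audit_sample():
        print(f"{path}: {problem}")
```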
*** {01.19.009} Linux - Update {00.37.005}: Libc/glibc gettext() locale
format vulnerability
TurboLinux has released updated glibc packages to fix the vulnerability
discussed in {00.37.005} ("Libc/glibc gettext() locale format
vulnerability").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/turbolinux/2001-q2/0001.html
Source: TurboLinux
http://archives.neohapsis.com/archives/linux/turbolinux/2001-q2/0001.html
*** {01.19.010} Linux - Update {00.49.033}: ed creates insecure
temporary files
TurboLinux has released updated ed packages to fix the vulnerability
discussed in {00.49.033} ("ed creates insecure temporary files").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/turbolinux/2001-q2/0002.html
Source: TurboLinux
http://archives.neohapsis.com/archives/linux/turbolinux/2001-q2/0002.html
*** {01.19.011} Linux - Update {00.45.041}: ncurses library buffer
overflows
TurboLinux has released updated ncurses packages to fix the
vulnerability discussed in {00.45.041} ("ncurses library buffer
overflows").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/turbolinux/2001-q2/0003.html
Source: TurboLinux
http://archives.neohapsis.com/archives/linux/turbolinux/2001-q2/0003.html
*** {01.19.012} Linux - Update {00.56.034}: glibc incorrectly loads
libraries from ld.so.cache for suid/sgid apps
EnGarde has released updated glibc packages to fix the vulnerability
discussed in {00.56.034} ("glibc incorrectly loads libraries from
ld.so.cache for suid/sgid apps").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/engarde/2001-q2/0003.html
Source: EnGarde
http://archives.neohapsis.com/archives/linux/engarde/2001-q2/0003.html
*** {01.19.013} Linux - Update {01.16.002}: Pine/pico insecure temp
file handling
Mandrake has released updated pine packages to fix the vulnerability
discussed in {01.16.002} ("Pine/pico insecure temp file handling").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/bugtraq/2001-05/0052.html
Source: Mandrake (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-05/0052.html
*** {01.19.015} Linux - mandb insecure temp file handling
The mandb application, when run with the -u or -c command line
parameter, has been found to handle temporary files insecurely,
potentially allowing a local attacker to overwrite files owned by uid
'man', which include the mandb binary itself.
Debian has confirmed this vulnerability.
Updated Debian DEBs:
http://archives.neohapsis.com/archives/vendor/2001-q2/0027.html
Source: Debian
http://archives.neohapsis.com/archives/vendor/2001-q2/0027.html
*** {01.19.016} Linux - Update {01.18.014}: gftp format string
vulnerability
Debian has released updated gftp packages to fix the vulnerability
discussed in {01.18.014} ("gftp format string vulnerability").
Updated Debian DEBs:
http://archives.neohapsis.com/archives/vendor/2001-q2/0028.html
Source: Debian
http://archives.neohapsis.com/archives/vendor/2001-q2/0028.html
*** {01.19.021} Linux - Update {00.44.011}: crontab -e file viewing
Debian has rereleased the patch for the vulnerability discussed in
{00.44.011} ("crontab -e file viewing"). It turns out the previous patch
introduces another error that can be used to gain root privileges.
Updated Debian DEBs:
http://archives.neohapsis.com/archives/vendor/2001-q2/0025.html
Source: Debian
http://archives.neohapsis.com/archives/vendor/2001-q2/0025.html
--- Solaris News -------------------------------------------------------
*** {01.19.028} Sol - mailx -F parameter buffer overflow
The mailx application on Solaris 2.5 through 8 has been found to contain
a buffer overflow in the handling of the -F command line parameter. This
allows a local attacker to execute arbitrary code under group 'mail'
privileges.
The advisory indicates vendor confirmation; patches are currently being
developed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-05/0016.html
--- HP-UX News ---------------------------------------------------------
*** {01.19.001} HPUX - kernsymtab leaves world-writable directories
Hewlett-Packard has released patch PHCO_23492 to fix a bug in kernsymtab
that results in world-write permissions in some kernel components and
kernel-related directories. Potentially, this could allow a local
attacker to disable kernel features or otherwise trojan the kernel.
Only HP-UX 11.11 is reported as vulnerable.
Source: HP
http://archives.neohapsis.com/archives/hp/2001-q2/0025.html
--- Network Appliances News --------------------------------------------
*** {01.19.019} NApps - Cisco HSRP DoS
A reminder note has been posted to Bugtraq illustrating how easy it is
to cause a denial of service to a Cisco router by faking HSRP packets
using the default HSRP password ('cisco'). However, the attack is
limited to the same network segment.
Cisco's official response is to use HSRP in combination with IPSec. A
demonstration exploit has been released.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-05/0035.html
*** {01.19.027} NApps - Potential DoS via SNMP on Cisco Catalyst switch
An unconfirmed report has surfaced indicating that it's possible to
crash a Cisco Catalyst switch (the reporter tested on a 2900XL) by
sending an empty UDP packet to the SNMP port when SNMP is disabled.
According to follow-up posts the problem has not been reproduced, but we
felt it would be appropriate to alert you to the potential vulnerability.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-05/0040.html
--- Other News ---------------------------------------------------------
*** {01.19.004} Other - Update {01.15.001}: ntpd/xntpd control request
parsing buffer overflow
Compaq has released updated xntp packages for Tru64 to fix the
vulnerability discussed in {01.15.001} ("ntpd/xntpd control request
parsing buffer overflow").
Download and install the appropriate patch for your Tru64 version.
4.0d: duv40d16-c0058302-10580-20010430
4.0f: duv40f16-c0042002-10579-20010430
4.0g: t64v40g16-c0003502-10577-20010430
5.0: t64v5016-c0006102-10575-20010430
5.0a: t64v50a16-c0010402-10574-20010430
5.1: t64v513-c0027202-10573-20010430
Source: Tru64
http://archives.neohapsis.com/archives/tru64/2001-q2/0011.html
--- Cross-Platform News ------------------------------------------------
*** {01.19.002} Cross - Bind 9.1.2 available
Bind 9.1.2 has been released. This is a maintenance release, primarily
featuring bug fixes over version 9.1.1.
It can be downloaded at:
ftp://ftp.isc.org/isc/bind9/9.1.2/bind-9.1.2.tar.gz
Source: BIND
http://archives.neohapsis.com/archives/bind/2001/0025.html
*** {01.19.007} Cross - Recent predictable TCP ISN research
Various research papers recently released describe shortcomings in the
generation of TCP ISNs (Initial Sequence Numbers). If attackers are
able to predict the ISN a system will use for a connection, they can
remotely inject data into it, close the connection or spoof the
existence of a nonexistent server.
For an overview, we suggest you read the CERT summation. The CERT
advisory also contains further reading and links to the specific
research papers.
Source: CERT
http://archives.neohapsis.com/archives/cc/2001-q2/0003.html
*** {01.19.014} Cross - Zope ZClasses permission remapping
A hot fix has been released for Zope that fixes a potential
vulnerability whereby attackers can remap permissions for methods and
objects defined within a ZClass, which could allow them unauthorized
access.
The vendor has confirmed this vulnerability and released a hot fix.
Debian has released updated DEBs:
http://archives.neohapsis.com/archives/vendor/2001-q2/0026.html
Source: Debian
http://archives.neohapsis.com/archives/vendor/2001-q2/0026.html
*** {01.19.018} Cross - Multiple vulnerabilities in A1Stats CGI
Downloads of the A1Stats CGI application prior to April 24, 2001, contain
multiple vulnerabilities that allow a remote attacker to view arbitrary
files (readable by the Web server) and run command line commands under
the Web server's privileges.
The advisory indicates confirmation by the vendor, which has retrofitted
a fix into the application as of April 24th. All downloads after that
date contain the fix.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-05/0047.html
*** {01.19.020} Cross - Format string vulnerabilities in minicom
An advisory was released recently demonstrating format string
vulnerabilities in the upload/download functionality of minicom. If
minicom is set sgid uucp (which was recommended at one point in time),
it is possible to gain uucp group privileges and potentially use those
privileges to gain root privileges (the advisory details a potential
exploit path).
No patches have been made available. This vulnerability has not been
confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-05/0026.html
*** {01.19.022} Cross - Oracle ADI records user name/passwords into
plain file
Oracle Application Desktop Integrator version 7.1.1.10.1 is vulnerable
in that it records various authentication information (user names and
passwords) in a debugging file named 'dbg.txt' on the local file system.
The advisory indicates confirmation by Oracle, which has not yet
released a patch.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-05/0044.html
************************************************************************
----------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed to
you and you would like to begin receiving our security e-mail newsletter
on a weekly basis, we invite you to subscribe today at:
http://www.networkcomputing.com/consensus/.
We are signing the Consensus newsletter with PGP. The new SANS PGP key
is posted at:
http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46 and
can be accessed from the SANS Web site: http://www.sans.org.
Special Note: To better secure your confidential information, we will
no longer include personal URLs in our Consensus newsletter mailings.
Instead, we have created a new form, located at:
http://www.sans.org/sansurl. On this form you can enter the SD number
located near your name at the top of the newsletter. When you submit
this form, an e-mail containing a URL will be sent to you at the e-mail
address on record. With this URL you can make changes to your account
(edit the content of your Consensus mailing, for example) without
endangering the security of your personal URL. If you'd like to change
your e-mail address or other information, or unsubscribe to this
newsletter, please visit your new URL as described above. If you have
any problems or questions, e-mail us at <consensus@nwc.com>.
Missed an issue? You can find all back issues of Security Alert
Consensus (and Security Express) online at:
http://archives.neohapsis.com/.
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2001 Network Computing, a CMP Media LLC publication. All
Rights Reserved. Distributed by Network Computing
(http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).