From: Network Computing and The SANS Institute (sans+ZZ42082443872313775sans.org)
Date: Thu Jun 07 2001 - 13:32:51 CDT



    Re: Your personalized newsletter

                          -- Security Alert Consensus --
                                 Number 100 (01.23)
                              Thursday, June 7, 2001
                                Created for you by
                     Network Computing and the SANS Institute
                               Powered by Neohapsis

    ----------------------------------------------------------------------

    Welcome to the latest edition of Security Alert Consensus! Below you
    should find information pertaining only to the categories you requested.
    If you have any problems or questions, please e-mail us at
    <consensusnwc.com>.

    ----------------------------------------------------------------------

    ***Sponsored by Internet Security Systems (ISS) ***

    If you're searching for the right Security Services Partner, it's time
    to evaluate your options. Download this ** FREE ** white paper from
    leading market research firm Aberdeen, and learn about your choices in
    Managed Intrusion Protection Solutions!

    Click here:
    http://www.iss.net/mktg/sac6701/

    ----------------------------------------------------------------------

    As tools get more automated, we must take care to watch what they do.
    Take, for example, the "automatically put people I reply to in my
    address book" option available in the mail client Outlook. By simply
    crafting a special e-mail message, it's possible to have Outlook save
    'trojan' addresses to the address book. Thus, when you use your address
    book to send e-mail to someone, it may go to someone else. The actual
    details of this user attack can be found at:
    http://archives.neohapsis.com/archives/bugtraq/2001-06/0027.html

    Unfortunately, humans are the weakest link in the chain of security,
    and they will continue to be so for the foreseeable future. As
    technology progresses, we see more potential for the exploitation of
    human weaknesses. Of course, the best countermeasure is user education
    on many levels -- responsibilities, general security practices and
    familiarization with the technologies.

    Until next week,
    --Security Alert Consensus Team

    ************************************************************************

    TABLE OF CONTENTS:

    {01.23.001} Win - Aladdin eSafe Gateway multiple JavaScript bypass
                vulnerabilities
    {01.23.017} Win - SpoonFTP ftp command argument buffer overflows
    {01.23.010} Linux - fpf kernel module DoS
    {01.23.012} Linux - EnGarde WebTool leaves auth data in environment
    {01.23.016} Linux - Update {01.21.024}: Kerberos ftp contains buffer
                overflow
    {01.23.020} Linux - BestCrypt fsck/mkfs trojan command execution
    {01.23.022} Linux - Linux vendor man updates
    {01.23.023} Linux - man MANPATH vulnerability
    {01.23.011} BSD - Potential local race conditions in OpenBSD kernel
    {01.23.013} BSD - NetBSD fragmented packet DoS
    {01.23.014} BSD - Update {01.15.006}: IPFilter fragmented packet bypass
                vulnerability
    {01.23.015} BSD - NetBSD sh3 platform supervisor privilege vulnerability
    {01.23.009} Sol - mail HOME env variable buffer overflow
    {01.23.019} HPUX - kmmodreg temp file mishandling
    {01.23.003} NApps - Cisco CSS Web authentication bypass
    {01.23.005} Other - Update {01.22.018}: Other - IPCChip embedded IP
                services vulnerabilities
    {01.23.002} Cross - gpg filename format string vulnerability
    {01.23.004} Cross - Webmin leaves auth data in environment
    {01.23.006} Cross - Qpopper vague buffer overflow
    {01.23.007} Cross - O'Reilly WebBoard embedded JavaScript in user paging
    {01.23.008} Cross - OpenSSH 'cookie' file deletion
    {01.23.018} Cross - Imp temp file mishandling
    {01.23.021} Cross - Netscape mailbox location disclosure

    --- Windows News -------------------------------------------------------

    *** {01.23.001} Win - Aladdin eSafe Gateway multiple JavaScript bypass
                    vulnerabilities

    eSafe Gateway versions 3.0 and prior contain vulnerabilities that allow
    a malicious Web site to bypass the JavaScript protection with particular
    JavaScript/HTML malformities (these vulnerabilities are not the same as
    the one reported in {01.21.023}).

    Aladdin has confirmed the vulnerabilities; a fix will be included in
    the next released version.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-05/0282.html
    http://archives.neohapsis.com/archives/bugtraq/2001-05/0284.html
    http://archives.neohapsis.com/archives/bugtraq/2001-05/0285.html

    *** {01.23.017} Win - SpoonFTP ftp command argument buffer overflows

    SpoonFTP versions prior to 1.0.0.13 have been found to contain buffer
    overflows in the handling of data passed to various FTP commands. This
    can cause a denial of service and, potentially, allow execution of
    arbitrary code on the target system.

    The advisory indicates vendor confirmation; the vendor has released
    version 1.0.0.13, which fixes the vulnerabilities.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-05/0296.html

    --- Linux News ---------------------------------------------------------

    *** {01.23.010} Linux - fpf kernel module DoS

    The fpf kernel module (alters IP variables to emulate nmap fingerprints
    from other OSes) from pkcrew.org contains a bug that causes the system
    to panic when it receives fragmented packets.

    This bug is reported as fixed in the newest version.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-05/0327.html
    http://archives.neohapsis.com/archives/bugtraq/2001-06/0013.html

    *** {01.23.012} Linux - EnGarde WebTool leaves auth data in environment

    EnGarde has released updated versions of its Web administration tool.
    The tool was found not to remove the HTTP authentication data from the
    environment, so it was passed on to services (re)started through the
    Web interface.

    EnGarde has confirmed this vulnerability and released updated RPMs.
    http://archives.neohapsis.com/archives/linux/engarde/2001-q2/0006.html

    Source: EnGarde
    http://archives.neohapsis.com/archives/linux/engarde/2001-q2/0006.html

    *** {01.23.016} Linux - Update {01.21.024}: Kerberos ftp contains
                    buffer overflow

    Immunix has released updated Kerberos packages that fix the
    vulnerability discussed in {01.21.024} ("Kerberos ftp contains buffer
    overflow").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/immunix/2001-q2/0097.html

    Source: Immunix
    http://archives.neohapsis.com/archives/linux/immunix/2001-q2/0097.html

    *** {01.23.020} Linux - BestCrypt fsck/mkfs trojan command execution

    BestCrypt versions 0.7 and prior contain a bug in the handling of the
    fsck and format options of bctool (which is setuid root): the tool
    locates the fsck and mkfs binaries through the caller's PATH, so a
    local attacker who places trojan fsck or mkfs binaries in their PATH
    can execute arbitrary code as root.

    The vendor has confirmed this vulnerability and released version 0.8.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-06/0005.html

    *** {01.23.022} Linux - Linux vendor man updates

    SuSE and Immunix have released updated man packages that fix the
    vulnerabilities discussed in {01.20.018} ("man -S heap overflow") and
    {01.19.015} ("mandb insecure temp file handling").

    Updated SuSE RPMs:
    http://archives.neohapsis.com/archives/linux/suse/2001-q2/1126.html

    Updated Immunix RPMs:
    http://archives.neohapsis.com/archives/linux/immunix/2001-q2/0096.html

    Source: SuSE, Immunix
    http://archives.neohapsis.com/archives/linux/suse/2001-q2/1126.html
    http://archives.neohapsis.com/archives/linux/immunix/2001-q2/0096.html

    *** {01.23.023} Linux - man MANPATH vulnerability

    On some occasions, the man application may use the user's PATH
    environment variable in place of the MANPATH search path. When combined
    with a setuid man application, which caches man pages, a local attacker
    could cache a malicious manpage and even gain the privileges of the
    'man' user.

    Debian has confirmed this vulnerability. The recommended workaround is
    to remove setuid privileges on the man application.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-05/0321.html

    --- BSD News -----------------------------------------------------------

    *** {01.23.011} BSD - Potential local race conditions in OpenBSD kernel

    A report has surfaced indicating problems in the handling of various
    system calls by the OpenBSD kernel. These could lead to local denial of
    service attacks (kernel panics) or, potentially, to execution of
    arbitrary code.

    These vulnerabilities have not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-05/0328.html

    *** {01.23.013} BSD - NetBSD fragmented packet DoS

    NetBSD has released an advisory indicating a denial of service in the
    handling of fragmented IP packets. A remote attacker can flood the
    system with fragmented packets, which could result in resource (mbuf)
    starvation and subsequently prevent further packet processing.

    NetBSD-current and NetBSD-1.5 as of April 24, 2001, contain the fixes.

    Source: NetBSD
    http://archives.neohapsis.com/archives/netbsd/2001-q2/0077.html

    *** {01.23.014} BSD - Update {01.15.006}: IPFilter fragmented packet
                    bypass vulnerability

    NetBSD has released an advisory concerning the vulnerability discussed
    in {01.15.006} ("IPFilter fragmented packet bypass vulnerability").

    NetBSD-current, NetBSD-1.5 and NetBSD-1.4 as of April 14, 2001, all
    contain the fixed version.

    Source: NetBSD
    http://archives.neohapsis.com/archives/netbsd/2001-q2/0076.html

    *** {01.23.015} BSD - NetBSD sh3 platform supervisor privilege
                    vulnerability

    NetBSD has released an advisory concerning all platforms based on the
    sh3 processor (evbsh3, dreamcast, hpcsh and mmeye). Two kernel functions
    (sigreturn and process_write_regs) did not properly handle the supplied
    status register value, which would allow regular user programs to
    execute code with supervisor (kernel) privileges.

    NetBSD-current and NetBSD-1.5 as of May 27, 2001, contain fixes.

    Source: NetBSD
    http://archives.neohapsis.com/archives/netbsd/2001-q2/0069.html

    --- Solaris News -------------------------------------------------------

    *** {01.23.009} Sol - mail HOME env variable buffer overflow

    A report has surfaced indicating that the mail application shipped with
    Solaris 8 x86 is vulnerable to a buffer overflow in the handling of the
    HOME environment variable.

    This vulnerability has not been confirmed. No patches have been made
    available.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-06/0000.html

    --- HP-UX News ---------------------------------------------------------

    *** {01.23.019} HPUX - kmmodreg temp file mishandling

    The kmmodreg application shipped with HP-UX 11.00 does not correctly
    handle temporary files. This could lead to a local user creating a
    world-writable file owned by root anywhere on the file system.

    HP has confirmed the problem and released patch PHCO_24112.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-06/0004.html

    --- Network Appliances News --------------------------------------------

    *** {01.23.003} NApps - Cisco CSS Web authentication bypass

    Cisco's Content Service Switch (CSS) 11000 series contains a
    vulnerability in the Web management service that would allow a remote
    attacker to bypass the mandatory authentication and access the
    management functions.

    Cisco has confirmed this vulnerability and released WebNS versions
    4.01B29s (or later) and 4.10B17s (or later) to fix the problem.

    Source: Cisco
    http://archives.neohapsis.com/archives/cisco/2001-q2/0005.html

    --- Other News ---------------------------------------------------------

    *** {01.23.005} Other - Update {01.22.018}: Other - IPCChip embedded
                    IP services vulnerabilities

    Beck GmbH has released an analysis of the vulnerabilities discussed in
    {01.22.018} ("Other - IPCChip embedded IP services vulnerabilities").
    The analysis includes workarounds and fix information. See the reference
    URL below.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-05/0318.html

    --- Cross-Platform News ------------------------------------------------

    *** {01.23.002} Cross - gpg filename format string vulnerability

    The Gnu Privacy Guard (gpg) prior to version 1.0.6 contains a format
    string vulnerability in the handling of the file name being decrypted.
    If a user (or automated tool) attempts to decrypt a maliciously crafted
    encrypted file, then it's possible for arbitrary code to be executed
    under the user's privileges.

    This vulnerability has been confirmed; version 1.0.6 contains a fix. An
    exploit has been published. In addition, many Linux vendors have
    released updates.

    Updated Mandrake RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2001-05/0302.html

    Updated Immunix RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2001-05/0301.html

    Updated EnGarde RPMs:
    http://archives.neohapsis.com/archives/linux/engarde/2001-q2/0007.html

    Updated Trustix RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2001-05/0310.html

    Updated SuSE RPMs:
    http://archives.neohapsis.com/archives/linux/suse/2001-q2/1202.html

    Source: Immunix, Mandrake, Trustix, EnGarde, SuSE (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2001-05/0301.html
    http://archives.neohapsis.com/archives/bugtraq/2001-05/0302.html
    http://archives.neohapsis.com/archives/bugtraq/2001-05/0310.html
    http://archives.neohapsis.com/archives/linux/engarde/2001-q2/0007.html
    http://archives.neohapsis.com/archives/linux/suse/2001-q2/1202.html
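
    The defect class in {01.23.002}, with the untrusted file name kept out
    of the format string, as an added example (not GnuPG's own code; the
    helpers report_safe, escape_for_display and has_format_directive are
    hypothetical names, and the sample names in the comments are
    constructed):

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not GnuPG code. In {01.23.002} the file name stored inside
 * the encrypted data (chosen by whoever produced the file) reached a
 * printf-style call as the format string, so "%x"/"%n" directives in the
 * name were interpreted. The BUGGY shape was, in effect:
 *     snprintf(msg, sizeof msg, "decrypting '%s'\n", fname);
 *     fprintf(stderr, msg);      <- fname's directives now live in msg
 * The fix: untrusted text is only ever a %s argument, never the format,
 * and it is escaped before being shown. */

/* HARDENED: constant format, the name is data. Returns bytes written. */
int report_safe(char *out, size_t n, const char *fname) {
    return snprintf(out, n, "decrypting '%s'\n", fname);
}

/* Render an untrusted name for display: non-printables, '%' and backslash
 * become \xNN so they cannot drive a terminal or a later formatting step.
 * Returns the length of the escaped string. */
size_t escape_for_display(const char *in, char *out, size_t n) {
    size_t o = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p && o + 5 < n; p++) {
        if (isprint(*p) && *p != '%' && *p != '\\')
            out[o++] = (char)*p;
        else
            o += (size_t)snprintf(out + o, n - o, "\\x%02x", (unsigned)*p);
    }
    out[o] = '\0';
    return o;
}

/* Triage aid: does a name carry a printf conversion ("%%" is a literal)?
 * Useful for logging or quarantining inputs before an unpatched tool
 * processes them. */
int has_format_directive(const char *s) {
    while ((s = strchr(s, '%')) != NULL) {
        s++;
        if (*s == '%') { s++; continue; }
        while (*s && strchr("-+ #0123456789.*hlLqjzt", *s)) s++; /* flags, width, length */
        if (*s && strchr("diouxXeEfgGcspn", *s)) return 1;
    }
    return 0;
}
```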

    *** {01.23.004} Cross - Webmin leaves auth data in environment

    The Webmin Web management CGI prior to version 0.84 does not remove the
    HTTP auth information from the CGI environment when (re)starting system
    services. This means that the Webmin admin authentication information
    is available to the services and any child processes. For example,
    restarting the Apache Web server would make the auth information
    available to any CGI executed on the system.

    This vulnerability has been confirmed.

    Caldera Linux also has released updated RPMs:
    http://archives.neohapsis.com/archives/linux/caldera/2001-q2/0010.html

    Source: Caldera, SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/linux/caldera/2001-q2/0010.html
    http://archives.neohapsis.com/archives/bugtraq/2001-05/0262.html
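
    The two defects above, a setuid tool finding fsck/mkfs through the
    caller's PATH ({01.23.020}) and a Web admin CGI restarting services
    with the HTTP auth data still in the environment ({01.23.012},
    {01.23.004}), share one remedy, shown here as an added example (not
    code from BestCrypt, Webmin or EnGarde; the allow-list, the variable
    prefixes and the sample environment are assumptions/constructed):

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Added example, not code from BestCrypt, Webmin or EnGarde. Helpers are
 * spawned only by absolute path (never via PATH lookup) and only with an
 * explicit, scrubbed environment, so neither a trojan binary in the
 * caller's PATH nor request-derived CGI variables reach the child. */

/* Hypothetical allow-list: helper name -> absolute path. */
static const char *const ALLOWED[][2] = {
    {"fsck", "/sbin/fsck"},
    {"mkfs", "/sbin/mkfs"},
};

/* Resolve a helper name; NULL for anything not on the list, so a trojan
 * "fsck" earlier in the caller's PATH is never even considered. */
const char *resolve_helper(const char *name) {
    for (size_t i = 0; i < sizeof ALLOWED / sizeof ALLOWED[0]; i++)
        if (strcmp(name, ALLOWED[i][0]) == 0)
            return ALLOWED[i][1];
    return NULL;
}

/* Entries that must not reach a child: request-derived CGI variables
 * (HTTP_*, REMOTE_USER, AUTH_TYPE) and variables that steer lookup or
 * loading in the child (PATH, IFS, LD_*). Assumed list. */
static int is_sensitive(const char *kv) {
    static const char *const prefixes[] = {
        "HTTP_", "REMOTE_USER=", "AUTH_TYPE=", "PATH=", "IFS=", "LD_", NULL };
    for (int i = 0; prefixes[i]; i++)
        if (strncmp(kv, prefixes[i], strlen(prefixes[i])) == 0)
            return 1;
    return 0;
}

/* Copy the parent environment into out[], dropping sensitive entries and
 * appending a fixed PATH plus the NULL terminator. Returns the entry
 * count; out must hold cap pointers (two slots are reserved). */
int build_child_env(char *const *parent, char **out, int cap) {
    int n = 0;
    for (int i = 0; parent[i] && n < cap - 2; i++)
        if (!is_sensitive(parent[i]))
            out[n++] = parent[i];
    out[n++] = "PATH=/sbin:/bin";
    out[n] = NULL;
    return n;
}

/* Run an allowed helper on a device with the scrubbed environment.
 * Returns the child's exit status, or -1 if the helper is not allowed. */
int run_helper(const char *name, const char *device, char *const *parent_env) {
    const char *path = resolve_helper(name);
    if (!path) return -1;
    char *child_env[256];
    build_child_env(parent_env, child_env, 256);
    pid_t pid = fork();
    if (pid == 0) {
        char *argv[] = { (char *)path, (char *)device, NULL };
        execve(path, argv, child_env);   /* absolute path: no PATH search */
        _exit(127);
    }
    int status = 0;
    if (pid > 0) waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```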

    *** {01.23.006} Cross - Qpopper vague buffer overflow

    Qpopper version 4.0.3 was released recently. It fixes a 'buffer
    overflow' in version 4.0.2 (and possibly prior). No further information
    about the buffer overflow (and the associated risk) is available.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-05/0320.html

    *** {01.23.007} Cross - O'Reilly WebBoard embedded JavaScript in user
                    paging

    O'Reilly's WebBoard version 4.10.30 contains a bug that allows an
    attacker to embed malicious JavaScript within a paging alert that is
    sent to another user.

    This vulnerability has not been confirmed. No patches have been made
    available.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-05/0326.html

    *** {01.23.008} Cross - OpenSSH 'cookie' file deletion

    OpenSSH versions available prior to June 5, 2001, contain a bug in the
    X forwarding code that makes it possible for a local user to delete any
    file named 'cookies' from the system. It is uncertain whether other
    files can be deleted.

    This vulnerability was confirmed, and an update was placed into the
    OpenSSH CVS tree.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-05/0322.html

    *** {01.23.018} Cross - Imp temp file mishandling

    Imp version 2.2.4 contains a vulnerability in the handling of temporary
    files that could allow a local attacker to overwrite any file writable
    by the Web server's UID.

    This vulnerability has been confirmed; Imp version 2.2.5 has been
    released, which fixes the problem.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-05/0303.html
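
    The temp-file defect class behind {01.23.019} (kmmodreg) and
    {01.23.018} (Imp), the vulnerable open() beside its hardened forms, as
    an added example that is not code from either product; the function
    names and the planted-symlink demo in a private directory under /tmp
    are this example's own constructions:

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Added example, not kmmodreg or Imp code. A privileged process creating a
 * temp file under a predictable name without O_EXCL lets a local user who
 * plants a symlink of that name first have the process create or truncate
 * a file of their choosing. Below: the vulnerable open(), two hardened
 * forms, and a self-contained demo of both behaviours. */

/* VULNERABLE: predictable name, follows symlinks, truncates what it hits. */
int unsafe_tmp_create(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0666);
}

/* HARDENED 1: same name, but O_EXCL refuses any existing entry (a symlink
 * included, wherever it points) and O_NOFOLLOW never traverses a link.
 * Fails closed with EEXIST or ELOOP if something was planted. */
int safe_tmp_create(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* HARDENED 2: unpredictable name chosen by mkstemp(), which itself opens
 * with O_CREAT|O_EXCL and mode 0600; the XXXXXX template is filled in. */
int safe_tmp_mkstemp(char *template_path) {
    return mkstemp(template_path);
}

/* Demo: in a fresh directory, write a constructed "target" file, plant
 * "victim.tmp" as a symlink to it, then try both creators on that name.
 * Returns 1 if the safe call refused and the unsafe call truncated the
 * target, 0 otherwise, -1 on setup failure. Cleans up after itself. */
int demo_planted_symlink(void) {
    char dir[] = "/tmp/tmpdemo.XXXXXX";
    if (!mkdtemp(dir)) return -1;
    char target[300], link[300];
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(link, sizeof link, "%s/victim.tmp", dir);
    FILE *f = fopen(target, "w");
    if (!f) return -1;
    fputs("important data\n", f);
    fclose(f);
    if (symlink(target, link) != 0) return -1;

    int fd = safe_tmp_create(link);
    int safe_refused = (fd == -1 && (errno == EEXIST || errno == ELOOP));
    if (fd >= 0) close(fd);

    fd = unsafe_tmp_create(link);          /* follows the link and truncates */
    if (fd >= 0) close(fd);
    struct stat st;
    int clobbered = (stat(target, &st) == 0 && st.st_size == 0);

    unlink(link); unlink(target); rmdir(dir);
    return safe_refused && clobbered;
}
```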

    *** {01.23.021} Cross - Netscape mailbox location disclosure

    A bug in Netscape version 4.7x's handling of mailbox files allows a
    malicious Web site or e-mail to learn the file system location of the
    mailbox file, because Netscape passes the location in the JavaScript
    referrer property.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-06/0014.html

    ************************************************************************

    ------------------------------------------------------------------------

    ----------------------------------------------------------------------

    Become a Security Alert Consensus member! If this e-mail was passed to
    you and you would like to begin receiving our security e-mail newsletter
    on a weekly basis, we invite you to subscribe today.
    http://www.networkcomputing.com/consensus/.

    We are signing the Consensus newsletter with PGP. The new SANS PGP key
    is posted at:
    http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46 and
    can be accessed from the SANS Web site (http://www.sans.org).

    Special Note: To better secure your confidential information, we will
    no longer include personal URLs in our Consensus newsletter mailings.
    Instead, we have created a new form (http://www.sans.org/sansurl). On
    this form you can enter the SD number located near your name at the top
    of the newsletter. When you submit this form, an e-mail containing a
    URL will be sent to you at the e-mail address on record. With this URL
    you can make changes to your account (edit the content of your Consensus
    mailing, for example) without endangering the security of your personal
    URL. If you'd like to change your e-mail address or other information,
    or unsubscribe to this newsletter, please visit your new URL as
    described above. If you have any problems or questions, e-mail us at
    <consensusnwc.com>.

    Missed an issue? You can find all back issues of Security Alert
    Consensus (and Security Express) online.
    http://archives.neohapsis.com/

    Your opinion counts. We'd like to hear your thoughts on Security Alert
    Consensus. E-mail any questions or comments to <consensusnwc.com>.

    Copyright (c) 2001 Network Computing, a CMP Media LLC publication. All
    Rights Reserved. Distributed by Network Computing
    (http://www.networkcomputing.com) and The SANS Institute
    (http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
    security assessment and integration services consulting group
    (infoneohapsis.com | http://www.neohapsis.com/).