From: Network Computing and The SANS Institute (sans+ZZ42082443872313775@sans.org)
Date: Thu Jun 07 2001 - 13:32:51 CDT
Subject: Re: Your personalized newsletter
-- Security Alert Consensus --
Number 100 (01.23)
Thursday, June 7, 2001
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below you
should find information pertaining only to the categories you requested.
If you have any problems or questions, please e-mail us at
<consensus@nwc.com>.
----------------------------------------------------------------------
***Sponsored by Internet Security Systems (ISS) ***
If you're searching for the right Security Services Partner, it's time
to evaluate your options. Download this ** FREE ** white paper from
leading market research firm Aberdeen, and learn about your choices in
Managed Intrusion Protection Solutions!
Click here:
http://www.iss.net/mktg/sac6701/
----------------------------------------------------------------------
As tools get more automated, we must take care to watch what they do.
Take, for example, the "automatically put people I reply to in my
address book" option available in the mail client Outlook. By simply
crafting a special e-mail message, it's possible to have Outlook save
'trojan' addresses to the address book. Thus, when you use your address
book to send e-mail to someone, it may go to someone else. The actual
details of this user attack can be found at:
http://archives.neohapsis.com/archives/bugtraq/2001-06/0027.html
Unfortunately, humans are the weakest link in the chain of security,
and they will continue to be so for the foreseeable future. As
technology progresses, we see more potential for the exploitation of
human weaknesses. Of course, the best defense is user education on many
levels -- responsibilities, general security practices and
familiarization with the technologies.
Until next week,
--Security Alert Consensus Team
************************************************************************
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
TABLE OF CONTENTS:
{01.23.001} Win - Aladdin eSafe Gateway multiple JavaScript bypass
vulnerabilities
{01.23.017} Win - SpoonFTP ftp command argument buffer overflows
{01.23.010} Linux - fpf kernel module DoS
{01.23.012} Linux - EnGarde WebTool leaves auth data in environment
{01.23.016} Linux - Update {01.21.024}: Kerberos ftp contains buffer
overflow
{01.23.020} Linux - BestCrypt fsck/mkfs trojan command execution
{01.23.022} Linux - Linux vendor man updates
{01.23.023} Linux - man MANPATH vulnerability
{01.23.011} BSD - Potential local race conditions in OpenBSD kernel
{01.23.013} BSD - NetBSD fragmented packet DoS
{01.23.014} BSD - Update {01.15.006}: IPFilter fragmented packet bypass
vulnerability
{01.23.015} BSD - NetBSD sh3 platform supervisor privilege vulnerability
{01.23.009} Sol - mail HOME env variable buffer overflow
{01.23.019} HPUX - kmmodreg temp file mishandling
{01.23.003} NApps - Cisco CSS Web authentication bypass
{01.23.005} Other - Update {01.22.018}: Other - IPC@Chip embedded IP
services vulnerabilities
{01.23.002} Cross - gpg filename format string vulnerability
{01.23.004} Cross - Webmin leaves auth data in environment
{01.23.006} Cross - Qpopper vague buffer overflow
{01.23.007} Cross - O'Reilly WebBoard embedded JavaScript in user paging
{01.23.008} Cross - OpenSSH 'cookie' file deletion
{01.23.018} Cross - Imp temp file mishandling
{01.23.021} Cross - Netscape mailbox location disclosure
- --- Windows News -------------------------------------------------------
*** {01.23.001} Win - Aladdin eSafe Gateway multiple JavaScript bypass
vulnerabilities
eSafe Gateway versions 3.0 and prior contain vulnerabilities that allow
a malicious Web site to bypass the JavaScript protection with particular
JavaScript/HTML malformities (these vulnerabilities are not the same as
the one reported in {01.21.023}).
Aladdin has confirmed the vulnerabilities; a fix will be included in
the next released version.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-05/0282.html
http://archives.neohapsis.com/archives/bugtraq/2001-05/0284.html
http://archives.neohapsis.com/archives/bugtraq/2001-05/0285.html
*** {01.23.017} Win - SpoonFTP ftp command argument buffer overflows
SpoonFTP versions prior to 1.0.0.13 have been found to contain buffer
overflows in the handling of data passed to various FTP commands. This
allows a denial of service and, potentially, execution of arbitrary code
on the target system.
The advisory indicates vendor confirmation; the vendor has released
version 1.0.0.13, which fixes the vulnerabilities.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-05/0296.html
- --- Linux News ---------------------------------------------------------
*** {01.23.010} Linux - fpf kernel module DoS
The fpf kernel module (alters IP variables to emulate nmap fingerprints
from other OSes) from pkcrew.org contains a bug that causes the system
to panic when it receives fragmented packets.
This bug is reported as fixed in the newest version.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-05/0327.html
http://archives.neohapsis.com/archives/bugtraq/2001-06/0013.html
*** {01.23.012} Linux - EnGarde WebTool leaves auth data in environment
EnGarde has released updated versions of its Web administration tool.
The tool was found to not properly remove the HTTP authentication from
the environment, passing it to services (re)started by the Web
interface.
EnGarde has confirmed this vulnerability and released updated RPMs.
http://archives.neohapsis.com/archives/linux/engarde/2001-q2/0006.html
Source: EnGarde
http://archives.neohapsis.com/archives/linux/engarde/2001-q2/0006.html
*** {01.23.016} Linux - Update {01.21.024}: Kerberos ftp contains
buffer overflow
Immunix has released updated Kerberos packages that fix the
vulnerability discussed in {01.21.024} ("Kerberos ftp contains buffer
overflow").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/immunix/2001-q2/0097.html
Source: Immunix
http://archives.neohapsis.com/archives/linux/immunix/2001-q2/0097.html
*** {01.23.020} Linux - BestCrypt fsck/mkfs trojan command execution
BestCrypt version 0.7 and prior contain a bug in the handling of the
fsck and format options to the bctool (which is suid root) that allows
a local attacker to execute arbitrary code as root by placing particular
trojan fsck and mkfs binaries in their path.
The vendor has confirmed this vulnerability and released version 0.8.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-06/0005.html
*** {01.23.022} Linux - Linux vendor man updates
SuSE and Immunix have released updated man packages that fix the
vulnerabilities discussed in {01.20.018} ("man -S heap overflow") and
{01.19.015} ("mandb insecure temp file handling").
Updated SuSE RPMs:
http://archives.neohapsis.com/archives/linux/suse/2001-q2/1126.html
Updated Immunix RPMs:
http://archives.neohapsis.com/archives/linux/immunix/2001-q2/0096.html
Source: SuSE, Immunix
http://archives.neohapsis.com/archives/linux/suse/2001-q2/1126.html
http://archives.neohapsis.com/archives/linux/immunix/2001-q2/0096.html
*** {01.23.023} Linux - man MANPATH vulnerability
On some occasions, the man application may use the user's PATH
environment variable in place of the MANPATH search path. When combined
with a setuid man application that caches man pages, this allows a
local attacker to cache a malicious manpage and even gain 'man'
privileges.
Debian has confirmed this vulnerability. The recommended workaround is
to remove setuid privileges on the man application.
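Both the BestCrypt item above ({01.23.020}, trojan fsck/mkfs binaries found through the caller's PATH) and this man item ({01.23.023}, PATH used in place of MANPATH) come down to a privileged program resolving the programs or files it uses through a search path that the unprivileged caller controls. The following is an added example, not code from either project or from the advisories, of how a setuid helper should dispatch its sub-tools instead: a fixed allowlist of absolute paths, a device argument that is validated rather than passed through, and a child environment that is rebuilt from scratch. The helper names, paths and environment values in `HELPERS` and `SAFE_ENV` are illustrative placeholders.

```python
"""Added example (not BestCrypt's or man's code): how a privileged (setuid)
helper should locate the programs it runs, so that the caller's PATH or
MANPATH cannot substitute a trojan binary.

Assumptions: HELPERS and SAFE_ENV are constructed placeholders for this
example; the real locations depend on the system."""
import os
import subprocess

# Fixed, absolute locations of the only programs the privileged tool may run.
# The lookup never consults the caller's PATH (constructed allowlist).
HELPERS = {
    "fsck": "/sbin/fsck",
    "mkfs": "/sbin/mkfs",
}

# A minimal environment handed to the child: the caller's PATH, MANPATH,
# LD_PRELOAD and anything else are discarded rather than filtered.
SAFE_ENV = {
    "PATH": "/sbin:/bin:/usr/sbin:/usr/bin",
}


def resolve_helper(name, helpers=HELPERS):
    """Return the fixed absolute path for `name`, or raise if it is not allowed.

    The caller-controlled PATH is never used, so a file called 'fsck' placed
    in a writable directory early in PATH has no effect on what is executed.
    """
    try:
        path = helpers[name]
    except KeyError:
        raise ValueError("helper not permitted: %r" % (name,))
    if not os.path.isabs(path):
        raise ValueError("helper path must be absolute: %r" % (path,))
    return path


def build_command(name, device, helpers=HELPERS):
    """Build argv for the helper.

    The device argument must be a normalised absolute path under /dev, so it
    can be neither an option (e.g. '-y') nor a traversal to another file."""
    if os.path.normpath(device) != device or not device.startswith("/dev/"):
        raise ValueError("device must be a plain absolute /dev path: %r" % (device,))
    return [resolve_helper(name, helpers), device]


def run_helper(name, device):
    """Execute the helper with the clean environment (not run by the tests)."""
    argv = build_command(name, device)
    return subprocess.run(argv, env=SAFE_ENV, check=False).returncode


if __name__ == "__main__":
    # A hostile PATH has no influence on what gets executed.
    os.environ["PATH"] = "/tmp/attacker:" + os.environ.get("PATH", "")
    print(build_command("fsck", "/dev/sdb1"))   # ['/sbin/fsck', '/dev/sdb1']
```

Debian's workaround for man (drop the setuid bit) is the stronger fix where it is feasible; where a program must keep privilege, the allowlist above is the minimum it owes its callers.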
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-05/0321.html
- --- BSD News -----------------------------------------------------------
*** {01.23.011} BSD - Potential local race conditions in OpenBSD kernel
A report has surfaced indicating problems in the handling of various
system calls by the OpenBSD kernel. These could lead to local denial of
service attacks (kernel panics) or, potentially, to execution of
arbitrary code.
These vulnerabilities have not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-05/0328.html
*** {01.23.013} BSD - NetBSD fragmented packet DoS
NetBSD has released an advisory indicating a denial of service in the
handling of fragmented IP packets. It's possible for a remote attacker
to flood the system with fragmented packets, which could result in a
resource (mbuf) starvation, subsequently disallowing further packet
processing.
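The failure mode in this NetBSD item is resource (mbuf) starvation: every partial datagram held for reassembly costs memory until it completes or times out, and a remote sender can keep sending first fragments that never complete. The block below is an added example, not NetBSD's kernel code, of the bounding that prevents starvation: a global cap on partial datagrams, a per-source cap, a timeout, and eviction of the oldest partial datagram when the global cap is reached. Fragments are constructed Python values (source, IP id, offset, more-fragments flag, payload, arrival time), not parsed packets, and the limits are illustrative.

```python
"""Added example (not NetBSD's code): a bounded IP fragment reassembly queue
that cannot be starved by a flood of never-completing fragments.

Fragments are constructed tuples, not parsed packets; MAX_TOTAL,
MAX_PER_SOURCE and TIMEOUT are illustrative values."""
from collections import OrderedDict

MAX_TOTAL = 64        # partial datagrams held at once, all sources (constructed cap)
MAX_PER_SOURCE = 8    # partial datagrams per source address
TIMEOUT = 30.0        # seconds before a partial datagram is discarded


class Reassembler:
    def __init__(self, max_total=MAX_TOTAL, max_per_source=MAX_PER_SOURCE, timeout=TIMEOUT):
        self.max_total = max_total
        self.max_per_source = max_per_source
        self.timeout = timeout
        # (src, ip_id) -> state; OrderedDict preserves arrival order so the
        # oldest partial datagram is always at the front for eviction.
        self.partial = OrderedDict()
        self.per_source = {}
        self.dropped = 0      # fragments or partial datagrams discarded (for monitoring)

    def _remove(self, key):
        self.partial.pop(key)
        src = key[0]
        self.per_source[src] -= 1
        if self.per_source[src] == 0:
            del self.per_source[src]

    def _evict(self, key):
        self._remove(key)
        self.dropped += 1

    def _expire(self, now):
        for key in list(self.partial):
            if now - self.partial[key]["first_seen"] > self.timeout:
                self._evict(key)

    def add(self, src, ip_id, offset, more, payload, now):
        """Add one fragment. Return the reassembled payload when the datagram
        completes, else None. Memory stays bounded whatever the input."""
        self._expire(now)
        if not payload:
            return None                      # empty fragment carries nothing; ignore it
        key = (src, ip_id)
        state = self.partial.get(key)
        if state is None:
            # New partial datagram: enforce the per-source cap, then the global cap.
            if self.per_source.get(src, 0) >= self.max_per_source:
                self.dropped += 1
                return None
            if len(self.partial) >= self.max_total:
                self._evict(next(iter(self.partial)))   # oldest overall
            state = {"first_seen": now, "chunks": {}, "total": None}
            self.partial[key] = state
            self.per_source[src] = self.per_source.get(src, 0) + 1
        state["chunks"][offset] = payload
        if not more:
            state["total"] = offset + len(payload)
        if state["total"] is None:
            return None
        # Last fragment seen: check that chunks cover 0..total without gaps.
        pos, data = 0, []
        while pos < state["total"]:
            chunk = state["chunks"].get(pos)
            if chunk is None:
                return None                  # still waiting for a middle fragment
            data.append(chunk)
            pos += len(chunk)
        if pos != state["total"]:
            self._evict(key)                 # inconsistent lengths; discard
            return None
        self._remove(key)
        return b"".join(data)
```

The `dropped` counter is the detection hook: a sudden rise with no matching rise in completed datagrams is the signature of a fragment flood.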
NetBSD-current and NetBSD-1.5 as of April 24, 2001, contain the fixes.
Source: NetBSD
http://archives.neohapsis.com/archives/netbsd/2001-q2/0077.html
*** {01.23.014} BSD - Update {01.15.006}: IPFilter fragmented packet
bypass vulnerability
NetBSD has released an advisory concerning the vulnerability discussed
in {01.15.006} ("IPFilter fragmented packet bypass vulnerability").
NetBSD-current, NetBSD-1.5 and NetBSD-1.4 as of April 14, 2001, all
contain the fixed version.
Source: NetBSD
http://archives.neohapsis.com/archives/netbsd/2001-q2/0076.html
*** {01.23.015} BSD - NetBSD sh3 platform supervisor privilege
vulnerability
NetBSD has released an advisory concerning all platforms based on the
sh3 processor (evbsh3, dreamcast, hpcsh and mmeye). Two kernel functions
(sigreturn and process_write_regs) did not properly handle the supplied
status register value, which would allow regular user programs to
execute code with supervisor (kernel) privileges.
NetBSD-current and NetBSD-1.5 as of May 27, 2001, contain fixes.
Source: NetBSD
http://archives.neohapsis.com/archives/netbsd/2001-q2/0069.html
- --- Solaris News -------------------------------------------------------
*** {01.23.009} Sol - mail HOME env variable buffer overflow
A report has surfaced indicating that the mail application shipped with
Solaris 8 x86 is vulnerable to a buffer overflow in the handling of the
HOME environment variable.
This vulnerability has not been confirmed. No patches have been made
available.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-06/0000.html
- --- HP-UX News ---------------------------------------------------------
*** {01.23.019} HPUX - kmmodreg temp file mishandling
The kmmodreg application shipped with HP-UX 11.00 does not correctly
handle temporary files. This could lead to a local user creating a
world-writable file owned by root anywhere on the file system.
HP has confirmed the problem and released patch PHCO_24112.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-06/0004.html
- --- Network Appliances News --------------------------------------------
*** {01.23.003} NApps - Cisco CSS Web authentication bypass
Cisco's Content Service Switch (CSS) 11000 series contains a
vulnerability in the Web management service that would allow a remote
attacker to bypass the mandatory authentication and access the
management functions.
Cisco has confirmed this vulnerability and released WebNS versions
4.01B29s (or later) and 4.10B17s (or later) to fix the problem.
Source: Cisco
http://archives.neohapsis.com/archives/cisco/2001-q2/0005.html
- --- Other News ---------------------------------------------------------
*** {01.23.005} Other - Update {01.22.018}: Other - IPC@Chip embedded
IP services vulnerabilities
Beck GmbH has released an analysis of the vulnerabilities discussed in
{01.22.018} ("Other - IPC@Chip embedded IP services vulnerabilities").
The analysis includes workarounds and fix information. See the reference
URL below.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-05/0318.html
- --- Cross-Platform News ------------------------------------------------
*** {01.23.002} Cross - gpg filename format string vulnerability
The Gnu Privacy Guard (gpg) prior to version 1.0.6 contains a format
string vulnerability in the handling of the file name being decrypted.
If a user (or automated tool) attempts to decrypt a maliciously crafted
encrypted file, then it's possible for arbitrary code to be executed
under the user's privileges.
This vulnerability has been confirmed; version 1.0.6 contains a fix. An
exploit has been published. In addition, many Linux vendors have
released updates.
Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/bugtraq/2001-05/0302.html
Updated Immunix RPMs:
http://archives.neohapsis.com/archives/bugtraq/2001-05/0301.html
Updated EnGarde RPMs:
http://archives.neohapsis.com/archives/linux/engarde/2001-q2/0007.html
Updated Trustix RPMs:
http://archives.neohapsis.com/archives/bugtraq/2001-05/0310.html
Updated SuSE RPMs:
http://archives.neohapsis.com/archives/linux/suse/2001-q2/1202.html
Source: Immunix, Mandrake, Trustix, EnGarde, SuSE (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-05/0301.html
http://archives.neohapsis.com/archives/bugtraq/2001-05/0302.html
http://archives.neohapsis.com/archives/bugtraq/2001-05/0310.html
http://archives.neohapsis.com/archives/linux/engarde/2001-q2/0007.html
http://archives.neohapsis.com/archives/linux/suse/2001-q2/1202.html
*** {01.23.004} Cross - Webmin leaves auth data in environment
The Webmin Web management CGI prior to version 0.84 does not remove the
HTTP auth information from the CGI environment when (re)starting system
services. This means that the Webmin admin authentication information
is available to the services and any child processes. An example of this
exploitation would include restarting the Apache Web server, which would
then make the auth information available to any CGI executed on the
system.
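This Webmin item and the EnGarde WebTool item above ({01.23.012}) are the same defect: a Web administration CGI (re)starts a system service, and the child inherits the CGI environment, including the HTTP authentication headers, so the administrator's credentials end up readable by the daemon and by everything the daemon later spawns. The block below is an added example, not Webmin's or EnGarde's code, of the scrub a restart wrapper should perform. The variable names are the standard CGI ones (HTTP_AUTHORIZATION, REMOTE_USER, AUTH_TYPE, and HTTP_* for any request header); the sample environment is constructed.

```python
"""Added example (not Webmin's or EnGarde's code): a service-restart wrapper
for a Web administration CGI that strips HTTP authentication data from the
environment before a child process can inherit it.

SAMPLE_CGI_ENV is a constructed environment for illustration."""
import os
import subprocess

# Variables that carry the administrator's credentials or session. Used only
# for auditing; the scrub itself does not rely on this list being complete.
SECRET_VARS = {"HTTP_AUTHORIZATION", "REMOTE_USER", "REMOTE_PASSWORD", "AUTH_TYPE"}
SECRET_PREFIXES = ("HTTP_",)     # every request header, Cookie included, arrives as HTTP_*

# The child gets only what a daemon needs: an allow-list, not a deny-list.
ALLOWED_VARS = {"PATH", "HOME", "LANG", "TZ"}


def scrub_env(env):
    """Return a new environment containing only allow-listed variables.

    An allow-list is preferred over deleting known secrets: any future or
    custom request header also arrives as HTTP_<NAME> and would otherwise
    leak through."""
    return {k: v for k, v in env.items() if k in ALLOWED_VARS}


def leaked_secrets(env):
    """List the credential-bearing variables present in `env` (for auditing
    or for a test that the scrub is applied everywhere it should be)."""
    return sorted(k for k in env
                  if k in SECRET_VARS or k.startswith(SECRET_PREFIXES))


def restart_service(init_script, env=None):
    """Run `<init_script> restart` with a scrubbed environment.
    Not executed by the tests; the returncode is the init script's."""
    env = os.environ if env is None else env
    return subprocess.run([init_script, "restart"], env=scrub_env(env),
                          check=False).returncode


SAMPLE_CGI_ENV = {   # constructed CGI environment for one request to the admin tool
    "PATH": "/usr/bin:/bin",
    "HTTP_AUTHORIZATION": "Basic YWRtaW46aHVudGVyMg==",   # constructed credential
    "REMOTE_USER": "admin",
    "AUTH_TYPE": "Basic",
    "HTTP_COOKIE": "sid=abc123",                          # constructed session id
    "SCRIPT_NAME": "/admin/init.cgi",
    "LANG": "C",
}

if __name__ == "__main__":
    print("before:", leaked_secrets(SAMPLE_CGI_ENV))
    print("after: ", leaked_secrets(scrub_env(SAMPLE_CGI_ENV)))
```

Checking a restarted daemon's environment (for example `/proc/<pid>/environ` on Linux, where readable) for HTTP_AUTHORIZATION is the quickest way to verify an installed tool has this fix.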
This vulnerability has been confirmed.
Caldera Linux also has released updated RPMs:
http://archives.neohapsis.com/archives/linux/caldera/2001-q2/0010.html
Source: Caldera, SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/linux/caldera/2001-q2/0010.html
http://archives.neohapsis.com/archives/bugtraq/2001-05/0262.html
*** {01.23.006} Cross - Qpopper vague buffer overflow
Qpopper version 4.0.3 was released recently. It fixes a 'buffer
overflow' in version 4.0.2 (and possibly prior). No further information
about the buffer overflow (and the associated risk) is available.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-05/0320.html
*** {01.23.007} Cross - O'Reilly WebBoard embedded JavaScript in user
paging
O'Reilly's WebBoard version 4.10.30 contains a bug that allows an
attacker to embed malicious JavaScript within a paging alert that is
sent to another user.
This vulnerability has not been confirmed. No patches have been made
available.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-05/0326.html
*** {01.23.008} Cross - OpenSSH 'cookie' file deletion
OpenSSH versions available prior to June 5, 2001, contain a bug in the
X forwarding code that makes it possible for a local user to delete any
file named 'cookies' from the system. It is uncertain whether other
files can be deleted.
This vulnerability was confirmed, and an update was placed into the
OpenSSH CVS tree.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-05/0322.html
*** {01.23.018} Cross - Imp temp file mishandling
Imp version 2.2.4 contains a vulnerability in the handling of temporary
files that could allow a local attacker to overwrite any file writable
by the Web server's UID.
This vulnerability has been confirmed; Imp version 2.2.5 has been
released, which fixes the problem.
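This Imp item and the HP-UX kmmodreg item above ({01.23.019}) are both temporary-file mishandling: the program creates a file at a predictable path in a shared directory, follows whatever a local user has already placed there, and so creates, truncates or overwrites a file it never intended to touch, with the program's own privileges. The block below is an added example, not Imp's or HP's code, showing the predictable-name pattern beside the safe replacement (an unpredictable name created with O_EXCL and mode 0600, and, when the name must be fixed, a create that refuses to follow anything already present). It runs without privileges inside a private directory from `tempfile.mkdtemp`; paths and contents are constructed.

```python
"""Added example (not kmmodreg's or Imp's code): the predictable-name temp
file pattern behind both advisories, beside a safe replacement.

Paths and contents are constructed; demo() works inside a private directory
so it needs no privileges. Assumes a POSIX system with symlinks."""
import os
import tempfile


def unsafe_tmp_path(tool, tmpdir="/tmp"):
    """The vulnerable pattern: a name anyone can predict (tool name + PID).
    A local user who pre-creates a symlink at this path makes the privileged
    program create or truncate whatever the link points to."""
    return os.path.join(tmpdir, "%s.%d" % (tool, os.getpid()))


def unsafe_create(path, data):
    """Follows symlinks and truncates: the defect itself, kept for contrast."""
    with open(path, "w") as fh:
        fh.write(data)
    return path


def safe_create(tmpdir, data):
    """Create a temp file with an unpredictable name, O_EXCL so an existing
    file or symlink is never followed, and mode 0600 regardless of umask."""
    fd, path = tempfile.mkstemp(dir=tmpdir)    # O_CREAT|O_EXCL|O_RDWR, 0600
    try:
        os.write(fd, data.encode())
    finally:
        os.close(fd)
    return path


def safe_create_at(path, data):
    """When the name must be fixed, still refuse to follow anything that exists:
    O_EXCL fails with EEXIST on a pre-planted file or symlink."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)    # FileExistsError if the path is taken
    try:
        os.write(fd, data.encode())
    finally:
        os.close(fd)
    return path


def demo():
    """Plant a symlink where the predictable name would land and compare outcomes."""
    workdir = tempfile.mkdtemp()
    victim = os.path.join(workdir, "victim")          # stands in for a system file
    with open(victim, "w") as fh:
        fh.write("original contents")
    planted = unsafe_tmp_path("kmmodreg", workdir)
    os.symlink(victim, planted)                       # the pre-planted link (constructed)

    unsafe_create(planted, "clobbered")               # victim is truncated through the link
    with open(victim) as fh:
        clobbered = fh.read() == "clobbered"

    try:
        safe_create_at(planted, "x")                  # refuses: something is already there
        refused = False
    except FileExistsError:
        refused = True

    good = safe_create(workdir, "x")
    mode = os.stat(good).st_mode & 0o777
    return {"clobbered": clobbered, "refused": refused, "mode": mode, "dir": workdir}


if __name__ == "__main__":
    print(demo())   # {'clobbered': True, 'refused': True, 'mode': 384, ...}
```

The same check applies when auditing any setuid or daemon code: a fixed or PID-derived name under /tmp opened without O_EXCL is the pattern to look for.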
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-05/0303.html
*** {01.23.021} Cross - Netscape mailbox location disclosure
A bug in Netscape version 4.7x's handling of mailbox files allows a
malicious Web site or e-mail to learn the file system location of the
mailbox file, because Netscape passes the location in the JavaScript
referrer property.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-06/0014.html
************************************************************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (BSD/OS)
Comment: For info see http://www.gnupg.org
iD8DBQE7H8a1+LUG5KFpTkYRAr3hAJ44yqAWyPtxS3dy0Y8PW/H2HRcuWQCcCkaK
B+qJeeSA5d/whfFUgt/nIPo=
=Jvp3
-----END PGP SIGNATURE-----
------------------------------------------------------------------------
----------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed to
you and you would like to begin receiving our security e-mail newsletter
on a weekly basis, we invite you to subscribe today.
http://www.networkcomputing.com/consensus/.
We are signing the Consensus newsletter with PGP. The new SANS PGP key
is posted at:
http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46 and
can be accessed from the SANS Web site (http://www.sans.org).
Special Note: To better secure your confidential information, we will
no longer include personal URLs in our Consensus newsletter mailings.
Instead, we have created a new form (http://www.sans.org/sansurl). On
this form you can enter the SD number located near your name at the top
of the newsletter. When you submit this form, an e-mail containing a
URL will be sent to you at the e-mail address on record. With this URL
you can make changes to your account (edit the content of your Consensus
mailing, for example) without endangering the security of your personal
URL. If you'd like to change your e-mail address or other information,
or unsubscribe to this newsletter, please visit your new URL as
described above. If you have any problems or questions, e-mail us at
<consensus@nwc.com>.
Missed an issue? You can find all back issues of Security Alert
Consensus (and Security Express) online.
http://archives.neohapsis.com/
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2001 Network Computing, a CMP Media LLC publication. All
Rights Reserved. Distributed by Network Computing
(http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).