From: Network Computing and The SANS Institute (sans+ZZ85781904701923926@sans.org)
Date: Thu Jul 12 2001 - 14:10:22 CDT
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 105 (01.28)
Thursday, July 12, 2001
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below you
should find information pertaining only to the categories you requested.
If you have any problems or questions, please e-mail us at
<consensus@nwc.com>.
----------------------------------------------------------------------
Microsoft released yet another patch, this one fixing a mail relay issue in
all installations of Windows 2000 Server and Advanced Server as well as
in some configurations of Windows 2000 Professional. While not a huge
bug, it could allow unauthorized people to send e-mail via the
server -- and we don't want to help the spammers now, do we? For more
information, see item {01.28.002} in this issue.
Until next week,
--Security Alert Consensus Team
************************************************************************
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
TABLE OF CONTENTS:
{01.28.002} Win - MS01-037: SMTP auth error allows mail relay
{01.28.004} Win - BisonFTP trojan .bdl upload vulnerability
{01.28.023} Win - aclogic.com CesarFTP multiple overflows
{01.28.008} Linux - Update {01.25.018}: fetchmail large header buffer
overflow
{01.28.014} Linux - Update {01.23.004}: Webmin leaves auth data in
environment
{01.28.015} Linux - Update {01.23.008}: OpenSSH 'cookie' file deletion
{01.28.021} Linux - xloadimage/faces reader buffer overflow
{01.28.022} Linux - poprelayd authentication bypass
{01.28.010} Sol - Whodo environment variable overflow
{01.28.019} AIX - Update {01.15.001}: ntpd/xntpd control request
parsing buffer overflow
{01.28.020} AIX - Incorrect permissions on PSSP DCE key file directories
{01.28.012} SCO - rpc.statd SM_MON overflow
{01.28.009} NApps - Cobalt Qube Webmail directory traversal
{01.28.001} Cross - phpPgAdmin multiple file disclosure vulnerabilities
{01.28.003} Cross - Merit RADIUS server auth function overflows
{01.28.005} Cross - Basilix PHP script file disclosure
{01.28.006} Cross - FireWall-1 RDP bypass vulnerability
{01.28.007} Cross - SquirrelMail command exec via include()
{01.28.011} Cross - Merit RADIUS server auth function overflows
{01.28.013} Cross - Update {01.27.038}: Lotus Domino CSS vulnerability
{01.28.018} Cross - Update {01.22.032}: HP Openview ecsd
-restore_config parameter buffer overflow
{01.28.016} Tools - BIND 9.1.3 available
{01.28.017} Tools - Snort 1.8 available
- --- Windows News -------------------------------------------------------
*** {01.28.002} Win - MS01-037: SMTP auth error allows mail relay
Microsoft has released MS01-037 ("Authentication error in SMTP service
could allow mail relaying"). The SMTP service installed by default on
Windows 2000 Server builds and optionally on Windows 2000 Professional
contains an error in the authentication routine that may allow a remote
attacker to gain normal user access to the SMTP service. This could lead
to unauthorized mail relaying.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/ms01-037.asp
Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2001-q3/0001.html
*** {01.28.004} Win - BisonFTP trojan .bdl upload vulnerability
BisonFTP server version V4R1 contains a vulnerability that allows a
remote attacker to upload a particular trojan .bdl file, which will then
allow the attacker to access arbitrary files outside the ftp root
directory.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-07/0025.html
*** {01.28.023} Win - aclogic.com CesarFTP multiple overflows
A recent advisory reports that aclogic.com's CesarFTP server contains
multiple remotely exploitable buffer overflows in the handling of
various FTP commands.
These vulnerabilities have not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-07/0070.html
- --- Linux News ---------------------------------------------------------
*** {01.28.008} Linux - Update {01.25.018}: fetchmail large header
buffer overflow
Mandrake has released updated fetchmail packages that fix the
vulnerability discussed in {01.25.018} ("fetchmail large header buffer
overflow").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/bugtraq/2001-07/0089.html
Source: Mandrake (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-07/0089.html
*** {01.28.014} Linux - Update {01.23.004}: Webmin leaves auth data in
environment
Caldera has released updated Webmin packages that fix the vulnerability
discussed in {01.23.004} ("Webmin leaves auth data in environment").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/caldera/2001-q3/0001.html
Source: Caldera
http://archives.neohapsis.com/archives/linux/caldera/2001-q3/0001.html
*** {01.28.015} Linux - Update {01.23.008}: OpenSSH 'cookie' file
deletion
Caldera has released updated OpenSSH packages that fix the vulnerability
discussed in {01.23.008} ("OpenSSH 'cookie' file deletion").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/caldera/2001-q3/0002.html
Source: Caldera
http://archives.neohapsis.com/archives/linux/caldera/2001-q3/0002.html
*** {01.28.021} Linux - xloadimage/faces reader buffer overflow
RedHat has released an advisory indicating a buffer overflow in the
xloadimage/faces reader, which is called from the Netscape 'plugger'
plugin. It's possible for malicious Web sites to execute arbitrary code
on a user's system if they have installed various packages from the
RedHat Powertools version 6.2 collection.
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/bugtraq/2001-07/0159.html
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-07/0159.html
*** {01.28.022} Linux - poprelayd authentication bypass
A recent advisory indicates a problem in poprelayd's handling of log
messages generated by qpop, which could allow a remote attacker to
bypass the authentication mechanism needed to relay mail through the
target system.
Cobalt/Sun has confirmed this vulnerability. An updated version is
available at:
ftp://ftp.cobaltnet.com/pub/experimental/RPMS/poprelayd-2.0-4.noarch.rpm
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-07/0064.html
http://archives.neohapsis.com/archives/bugtraq/2001-07/0150.html
- --- Solaris News -------------------------------------------------------
*** {01.28.010} Sol - Whodo environment variable overflow
The whodo application has been found to incorrectly handle long
environment variable strings. This vulnerability allows a local
attacker to execute arbitrary code with root privileges (since whodo is
setuid root by default).
The vendor has confirmed this vulnerability and is in the process of
producing patches.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-07/0076.html
- --- AIX News -----------------------------------------------------------
*** {01.28.019} AIX - Update {01.15.001}: ntpd/xntpd control request
parsing buffer overflow
IBM has released APAR IY18265, which fixes the vulnerability discussed
in {01.15.001} ("ntpd/xntpd control request parsing buffer overflow").
Source: IBM
http://archives.neohapsis.com/archives/aix/2001-q3/0000.html
*** {01.28.020} AIX - Incorrect permissions on PSSP DCE key file
directories
IBM has released APAR IY19069 for AIX 3.2.0, which fixes a bug in the
PSSP version 3.2 file set. The key file directories used by PSSP are
created in mode 777, which could allow a local attacker to delete the
key files, thereby causing the SP trusted services to fail.
Source: IBM
http://archives.neohapsis.com/archives/aix/2001-q3/0000.html
- --- SCO News -----------------------------------------------------------
*** {01.28.012} SCO - rpc.statd SM_MON overflow
Caldera has released an advisory indicating a buffer overflow in
rpc.statd's handling of SM_MON requests. This could allow a remote
attacker to execute arbitrary code with root privileges.
The vendor has confirmed this vulnerability and released a patch, which
is available at:
ftp://ftp.sco.com/pub/security/unixware/sr848098/
Source: SCO/Caldera
http://archives.neohapsis.com/archives/linux/caldera/2001-q3/0000.html
- --- Network Appliances News --------------------------------------------
*** {01.28.009} NApps - Cobalt Qube Webmail directory traversal
A vulnerability has been reported in the Cobalt Qube release 6.0 (Linux)
that allows Webmail users to traverse directories on the local file
system. The vulnerability allows remote users to submit malformed URLs
that can be used to gain access to any files accessible by the Web
server process.
The vendor has not confirmed this vulnerability.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-07/0092.html
- --- Cross-Platform News ------------------------------------------------
*** {01.28.001} Cross - phpPgAdmin multiple file disclosure
vulnerabilities
phpPgAdmin CGI versions prior to 2.3 have been found to contain a
vulnerability that could allow a remote attacker to view files readable
by the Web server's uid. Combined with several possible tricks to upload
valid PHP code onto the Web server, this could allow a remote attacker
to execute arbitrary PHP code on the server, as well.
The vendor has confirmed this vulnerability and released version 2.3,
which is available at:
ftp://ftp.greatbridge.org/pub/phppgadmin/stable/phpPgAdmin_2-3.tar.gz
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-07/0027.html
*** {01.28.003} Cross - Merit RADIUS server auth function overflows
A recent advisory indicates a buffer overflow in the handling of
authentication requests by Merit RADIUS server version 3.6B (and prior).
The overflow could allow a remote attacker to execute arbitrary code
with root privileges.
The vendor has confirmed this vulnerability and released version 3.6B1,
which is available at: ftp://ftp.merit.edu/radius/releases/
Source: ISS X-Force
http://archives.neohapsis.com/archives/iss/2001-q3/0038.html
*** {01.28.005} Cross - Basilix PHP script file disclosure
The Basilix PHP application has been found to contain a vulnerability
that allows a remote attacker to view the contents of files readable by
the Web server.
The advisory indicates vendor confirmation.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-07/0114.html
*** {01.28.006} Cross - FireWall-1 RDP bypass vulnerability
A vulnerability has been found in Check Point FireWall-1 and VPN-1
version 4.1 that would allow a remote attacker to pass arbitrary UDP
packets through the firewall by including a particular malformed trojan
RDP header in the packet.
FAQ and Patch:
http://www.checkpoint.com/techsupport/alerts/
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-07/0128.html
*** {01.28.007} Cross - SquirrelMail command exec via include()
The SquirrelMail PHP application versions 1.0.4 and prior make insecure
calls to the PHP include() function. A remote attacker can execute
arbitrary commands (and PHP code) on the remote Web server with the
permissions of the Web server user, typically 'nobody.'
The vendor has confirmed this vulnerability and released a patch, which
is available at:
http://www.squirrelmail.org/download.php
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-07/0029.html
*** {01.28.011} Cross - Merit RADIUS server auth function overflows
A recent advisory indicates a buffer overflow in the handling of
authentication requests by Merit RADIUS server version 3.6B. The
overflow could allow a remote attacker to execute arbitrary code with
root privileges.
The vendor has confirmed this vulnerability and released version 3.6B1,
which is available at:
ftp://ftp.merit.edu/radius/releases/
Source: ISS X-Force
http://archives.neohapsis.com/archives/iss/2001-q3/0038.html
*** {01.28.013} Cross - Update {01.27.038}: Lotus Domino CSS
vulnerability
Lotus has confirmed the vulnerability discussed in {01.27.038} ("Lotus
Domino CSS vulnerability") and will include a fix in the upcoming Domino
version R5.0.9.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-07/0042.html
*** {01.28.018} Cross - Update {01.22.032}: HP Openview ecsd
-restore_config parameter buffer overflow
HP has released patches for the vulnerability discussed in {01.22.032}
("HP Openview ecsd -restore_config parameter buffer overflow").
Apply the applicable patch for your platform:
HPUX 10.10,10.20: PHSS_24497
HPUX 11.00: PHSS_24498
Solaris 2.5, 2.6: PSOV_02958
Source: HP
http://archives.neohapsis.com/archives/hp/2001-q3/0006.html
- --- Tool Announcements News --------------------------------------------
*** {01.28.016} Tools - BIND 9.1.3 available
ISC has released BIND version 9.1.3. This version contains only bug
fixes; there are no new features or security additions.
BIND version 9.1.3 can be downloaded at:
ftp://ftp.isc.org/isc/bind9/9.1.3/bind-9.1.3.tar.gz
Source: BIND
http://archives.neohapsis.com/archives/bind/2001/0036.html
*** {01.28.017} Tools - Snort 1.8 available
Snort version 1.8 has recently been released. Notable additions include
stream reassembler and stateful inspection, telnet/ftp/rpc normalization
plugins and more command line options.
Snort version 1.8 is available for download at:
http://www.snort.org/files/snort-1.8-RELEASE.tar.gz
Source: Snort
http://archives.neohapsis.com/archives/snort/2001-07/0156.html
************************************************************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (BSD/OS)
Comment: For info see http://www.gnupg.org
iD8DBQE7TfO2+LUG5KFpTkYRAon9AJ9H1FN4KI5EWD5rax6W2CNthJpldACgj+hI
KbVOVTINykKwB8toieCy++k=
=Dmvj
-----END PGP SIGNATURE-----
------------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed to
you and you would like to begin receiving our security e-mail newsletter
on a weekly basis, we invite you to subscribe today.
http://www.networkcomputing.com/consensus/.
We are signing the Consensus newsletter with PGP. The new SANS PGP key
is posted at:
http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46 and
can be accessed from the SANS Web site (http://www.sans.org).
Special Note: To better secure your confidential information, we will
no longer include personal URLs in our Consensus newsletter mailings.
Instead, we have created a new form (http://www.sans.org/sansurl). On
this form you can enter the SD number located near your name at the top
of the newsletter. When you submit this form, an e-mail containing a
URL will be sent to you at the e-mail address on record. With this URL
you can make changes to your account (edit the content of your Consensus
mailing, for example) without endangering the security of your personal
URL. If you'd like to change your e-mail address or other information,
or unsubscribe from this newsletter, please visit your new URL as
described above. If you have any problems or questions, e-mail us at
<consensus@nwc.com>.
Missed an issue? You can find all back issues of Security Alert
Consensus (and Security Express) online. http://archives.neohapsis.com/
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2001 Network Computing, a CMP Media LLC publication. All
Rights Reserved. Distributed by Network Computing
(http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).