From: Network Computing and The SANS Institute (sans+ZZ96188069748223322@sans.org)
Date: Thu Aug 23 2001 - 17:12:35 CDT
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 111 (01.34)
Thursday, August 23, 2001
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below
you should find information pertaining only to the categories you
requested. If you have any problems or questions, please e-mail us
at <consensus@nwc.com>.
----------------------------------------------------------------------
If you've got security problems, why not ask Mike Fratto, one of NWC's
senior technology editors and an "Ask the Experts" resident consultant.
Mike is knowledgeable in all areas of security, and is particularly
experienced with firewalls, VPN, PKI and authentication services. Go
ahead and ask -- he won't bite.
http://networkcomputing.exp.com/app/expertProfile?adv_id=548382
----------------------------------------------------------------------
Just in case any of you are bored, this week has lots of software
upgrade potential for almost everyone. Windows shops will be busy
rolling out the IIS cumulative hot fix, which contains five more
security fixes as well as every other security fix released thus far
for IIS. Unix shops should consider updating Sendmail, because of
a local bug that gives users root privileges. Even NetWare folk get
a piece of the action: Novell sent out an 'urgent' security fix for
Groupwise installations.
What's that? You don't run IIS, Sendmail or Groupwise? Well, lucky
you. But do you use Hotmail? What about Windows 2000 on a laptop? Those
have problems in this issue, too.
Fun for everyone!
Until next week,
--Security Alert Consensus Team
************************************************************************
TABLE OF CONTENTS:
{01.34.001} Win - Update {01.29.011}: MS01-038: Outlook view control
unsafe function
{01.34.002} Win - MS01-043: NNTP service memory leak DoS
{01.34.003} Win - MS01-044: IIS cumulative patch (five-plus new
vulnerabilities)
{01.34.004} Win - MS01-045: ISA server memory leaks and CSS issues
{01.34.012} Win - MS01-046: Malformed IrDA packets cause system crash
{01.34.016} Win - Panda Anti-Virus malformed .EXE vulnerability
{01.34.019} Win - Nudester arbitrary file retrieval/uploading
{01.34.025} Win - TrendMicro Virus Buster/Officescan cgiwebupdate.exe
CGI file reading
{01.34.007} Linux - Update {01.33.005}: Fetchmail LIST response memory
overwrite
{01.34.008} Linux - Update {01.32.006}: sdbsearch CGI local keylist.txt
shell script execution
{01.34.009} Linux - Update {01.25.018}: Fetchmail large header buffer
overflow
{01.34.010} Linux - XDMCP query overflow in gdm
{01.34.013} NW - Groupwise 'padlock fix' available
{01.34.014} NW - Novell Groupwise/WebAccess NDS browsing and directory
indexing
{01.34.006} NApps - Update {01.28.009}: Cobalt Qube Webmail directory
traversal
{01.34.011} Cross - Netegrity SiteMinder encoded URL filtering bypass
{01.34.015} Cross - Arkeia client/server communication concerns
{01.34.017} Cross - ucd-snmp multiple vulnerabilities
{01.34.020} Cross - Sendmail -d parameter arbitrary memory writing
{01.34.021} Cross - glFTPD large file globbing DoS
{01.34.022} Cross - Surf-net ASP discussion forum CGI authentication
bypass
{01.34.023} Cross - tdscripts.com tdforum CGI allows malicious embedded
JavaScript
{01.34.024} Cross - 4D.com Web server arbitrary file access
{01.34.005} Tools - Microsoft Personal Security Advisor (MPSA)
{01.34.018} Svc - Hotmail arbitrary user e-mail reading
--- Windows News -------------------------------------------------------
*** {01.34.001} Win - Update {01.29.011}: MS01-038: Outlook view
control unsafe function
Microsoft has released an official patch for the vulnerability
discussed in {01.29.011} ("MS01-038: Outlook view control unsafe
function").
Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2001-q3/0027.html
*** {01.34.002} Win - MS01-043: NNTP service memory leak DoS
Microsoft has released MS01-043 ("NNTP Service in Windows NT 4.0 and
Windows 2000 contains memory leak"). The NNTP service shipped with
Windows NT 4.0 and 2000 has been found to have a memory leak in the
handling of particular incoming posts. This could result in a remote
attacker exhausting available system memory, causing a denial of
service situation.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS01-043.asp
Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2001-q3/0024.html
*** {01.34.003} Win - MS01-044: IIS cumulative patch (five-plus new
vulnerabilities)
Microsoft has released MS01-044, which is a cumulative patch of all
IIS patches released to date. It also contains fixes for five new
vulnerabilities:
- A buffer overflow in the handling of redirected URLs. This has been
discussed elsewhere, because the CodeRed worm triggered the problem.
- A long, invalid WebDAV request could cause the IIS service to crash.
- A denial of service involving invalid MIME types in requested files
(details are vague).
- A buffer overflow in the handling of long file names by the SSI
(server side include) ISAPI handler.
- A privilege elevation exploit that could allow trojan .dlls placed
on the server to be executed with local system privileges.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/ms01-044.asp
Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2001-q3/0025.html
*** {01.34.004} Win - MS01-045: ISA server memory leaks and CSS issues
Microsoft has released MS01-045 ("ISA Server 2000 denial of service,
cross-site scripting"). The patch fixes two memory leaks in the H.323
gatekeeper and proxy services that could be used by a remote attacker
to cause a denial of service. The HTTP proxy error page returned by
ISA server also is vulnerable to cross-site scripting.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS01-045.asp
Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2001-q3/0026.html
*** {01.34.012} Win - MS01-046: Malformed IrDA packets cause system
crash
Microsoft has released MS01-046 ("Malformed IrDA packets cause system
crash"). The IrDA driver installed on certain Windows 2000 platforms
contains a bug that would allow someone with line-of-sight to your
system's IrDA port to send a malformed IrDA packet, which immediately
crashes the system.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS01-046.asp
Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2001-q3/0030.html
*** {01.34.016} Win - Panda Anti-Virus malformed .EXE vulnerability
An advisory has surfaced indicating that Panda Anti-Virus versions
prior to 6.23.00 cannot handle malformed packed executable (.exe)
files. This causes PAV to ignore the file and/or crash in the
process. It is unknown if execution of arbitrary code is possible.
The vendor has confirmed the problem; version 6.23.00 fixes the issue.
Source: SecurityFocus Vuln-Dev
http://archives.neohapsis.com/archives/vuln-dev/2001-q3/0474.html
*** {01.34.019} Win - Nudester arbitrary file retrieval/uploading
The Nudester file sharing client version 1.10 has been found to let
remote users download and upload arbitrary files to/from a user's
system. An attacker simply uses reverse directory traversal ('..') FTP
requests to access files outside the specified shared directory.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-08/0232.html
http://archives.neohapsis.com/archives/bugtraq/2001-08/0261.html
*** {01.34.025} Win - TrendMicro Virus Buster/Officescan
cgiwebupdate.exe CGI file reading
TrendMicro's Virus Buster/Officescan version 3.5.x has been found
to contain a problem in the cgiwebupdate.exe CGI application. This
could allow a remote attacker to read arbitrary files readable by
the Web server.
TrendMicro has confirmed this vulnerability and released a patch,
which is available at:
http://www.trendmicro.co.jp/esolution/solutionDetail.asp?solutionId=3086
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-08/0307.html
--- Linux News ---------------------------------------------------------
*** {01.34.007} Linux - Update {01.33.005}: Fetchmail LIST response
memory overwrite
EnGarde Linux has released updated Fetchmail packages that fix the
vulnerability discussed in {01.33.005} ("Fetchmail LIST response
memory overwrite").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/engarde/2001-q3/0005.html
Source: EnGarde
http://archives.neohapsis.com/archives/linux/engarde/2001-q3/0005.html
*** {01.34.008} Linux - Update {01.32.006}: sdbsearch CGI local
keylist.txt shell script execution
SuSE has released updated sdb packages that fix the vulnerability
discussed in {01.32.006} ("sdbsearch CGI local keylist.txt shell
script execution").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/vendor/2001-q3/0029.html
Source: SuSE
http://archives.neohapsis.com/archives/vendor/2001-q3/0029.html
*** {01.34.009} Linux - Update {01.25.018}: Fetchmail large header
buffer overflow
SuSE has released updated Fetchmail packages that fix the vulnerability
discussed in {01.25.018} ("Fetchmail large header buffer overflow").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/vendor/2001-q3/0028.html
Source: SuSE
http://archives.neohapsis.com/archives/vendor/2001-q3/0028.html
*** {01.34.010} Linux - XDMCP query overflow in gdm
Mandrake has released an advisory that indicates a buffer overflow in
gdm in the handling of XDMCP queries. At this point, we don't know
if this is a new overflow or an update to the XDMCP overflow in gdm
reported in May 2000 ({00.22.017}).
Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/bugtraq/2001-08/0288.html
Source: Mandrake (SecurityFocus Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-08/0288.html
--- NetWare News -------------------------------------------------------
*** {01.34.013} NW - Groupwise 'padlock fix' available
Novell is being really tight-lipped about the details behind an
"extremely important" security patch for Groupwise versions 5.5 (with
enhancement pack) and 6.0. Earlier versions are not vulnerable. The
released padlock fix has both a server and a client upgrade component,
suggesting that the vulnerability may have something to do with weak
client authentication to Groupwise servers.
The patch can be downloaded at:
http://support.novell.com/padlock
Source: Novell (SecurityFocus Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-08/0189.html
*** {01.34.014} NW - Novell Groupwise/WebAccess NDS browsing and
directory indexing
NMRC has released an advisory indicating that two Web-based problems
have been found in Novell Groupwise and WebAccess servers. First,
it's possible to remotely browse the NDS tree if a particular CGI
(/lcgi/ndsobj.nlm) is available. Also, it seems possible to cause
the server to give back directory indexes by sending a malformed
HTTP request.
These vulnerabilities have not been confirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2001-q3/0024.html
--- Network Appliances News --------------------------------------------
*** {01.34.006} NApps - Update {01.28.009}: Cobalt Qube Webmail
directory traversal
Cobalt/Sun has released a patch that fixes the vulnerability discussed
in {01.28.009} ("Cobalt Qube Webmail directory traversal").
The updated Qube3-ml-Security-2.0.1-10626.pkg file can be downloaded
at:
ftp://ftp.cobalt.com/
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-08/0245.html
--- Cross-Platform News ------------------------------------------------
*** {01.34.011} Cross - Netegrity SiteMinder encoded URL filtering
bypass
Netegrity has released a security update for SiteMinder versions
prior to 4.5.1sp1. It is possible to circumvent any URL filtering
configured in the SiteMinder Web Agent by using various unicode URL
encoding mechanisms.
Netegrity has confirmed this vulnerability and released a patch,
which is available through its support services at:
http://support.netegrity.com/
Source: Netegrity
http://support.netegrity.com/
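The failure mode above is a filter that matches on the raw, still-encoded request string. The following is an added example, not Netegrity's or SiteMinder's code: it shows a prefix filter applied to a canonicalized path beside the naive version. The protected prefixes, the handling of %uXXXX escapes and the bounded decode loop are assumptions chosen for illustration.

```python
import re
import unicodedata
from urllib.parse import unquote_to_bytes

# Assumed protected prefixes (not from the advisory); the filter decides
# on the canonical form of the path, never on the raw string.
PROTECTED = ("/admin", "/siteminderagent")
_U_ESCAPE = re.compile(r"%u([0-9a-fA-F]{4})")   # %uXXXX style escapes (assumed form)


def canonicalize_path(raw: str, max_rounds: int = 3) -> str:
    """Return one canonical form of a request path.

    Decodes %uXXXX and %XX escapes repeatedly (bounded, so double encoding
    is undone), decodes strictly as UTF-8 so overlong byte sequences such as
    %C0%AF raise instead of becoming '/', folds fullwidth look-alikes with
    NFKC, treats a backslash as a separator and resolves '.' and '..'.
    """
    path = raw.split("?", 1)[0]                 # the filter judges the path only
    for _ in range(max_rounds):
        step = _U_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), path)
        step = unquote_to_bytes(step).decode("utf-8")   # strict: bad bytes raise
        if step == path:
            break
        path = step
    path = unicodedata.normalize("NFKC", path).replace("\\", "/")
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:                        # never climb above the root
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def naive_blocked(raw: str) -> bool:
    """The weak check: a prefix match on the raw, still-encoded path."""
    return any(raw == p or raw.startswith(p + "/") for p in PROTECTED)


def canonical_blocked(raw: str) -> bool:
    """The hardened check: canonicalize first, and refuse anything that
    cannot be canonicalized (fail closed) or lands under a protected prefix."""
    try:
        canon = canonicalize_path(raw)
    except ValueError:                          # UnicodeDecodeError is a ValueError
        return True
    return any(canon == p or canon.startswith(p + "/") for p in PROTECTED)
```

Case folding is deliberately left out: whether `/Admin` and `/admin` are the same resource depends on the origin server, and the canonical form must follow that server's rules.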
*** {01.34.015} Cross - Arkeia client/server communication concerns
A recent advisory indicates a few potential concerns in the
communication used between an Arkeia GUI client and server (versions
4.2.7 and 4.2.8). The majority of information (which includes license
information and keys) is sent in clear text. Also, the passwords are
encrypted using standard crypt() with a constant salt -- this allows
for a relatively fast, dictionary brute force attack. Of course,
this requires an attacker be able to sniff or otherwise see the
communication happening between the client and the server.
These vulnerabilities have not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-08/0228.html
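Why a constant salt makes the dictionary attack described above cheap: one table of hashed dictionary words applies to every stored password, and identical passwords produce identical hashes. The following is an added example, not Arkeia's code; SHA-256 over salt||password stands in for crypt(), since only the role of the salt matters here, and every user, password and salt value is constructed.

```python
import hashlib
import secrets

# Constructed data, not from the advisory. CONSTANT_SALT stands in for a salt
# that is hard-coded into the program instead of drawn per record.
CONSTANT_SALT = b"AR"
DICTIONARY = ["password", "letmein", "backup01", "winter2001", "qwerty", "changeme"]


def hash_password(password: str, salt: bytes) -> str:
    """Stand-in for crypt(): a salted one-way hash of the password."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def store_constant_salt(users: dict) -> dict:
    """Weak scheme: every record is hashed under the same salt."""
    return {u: (CONSTANT_SALT, hash_password(pw, CONSTANT_SALT))
            for u, pw in users.items()}


def store_random_salt(users: dict) -> dict:
    """Corrected scheme: a fresh random salt per record, stored beside the hash."""
    records = {}
    for u, pw in users.items():
        salt = secrets.token_bytes(16)
        records[u] = (salt, hash_password(pw, salt))
    return records


def precomputed_table(salt: bytes) -> dict:
    """The dictionary hashed once under one salt. With a constant salt this
    single table is valid for every record ever stored by the program."""
    return {hash_password(w, salt): w for w in DICTIONARY}


def recover_with_table(records: dict, table: dict) -> dict:
    """Look each stored hash up in the fixed table: no per-user hashing at all.
    Returns the recovered password per user, or None where the table misses."""
    return {u: table.get(h) for u, (_salt, h) in records.items()}


def duplicate_hashes(records: dict) -> int:
    """Count records whose hash equals some other record's hash; with per-record
    salts this is 0 even when two users chose the same password."""
    hashes = [h for _salt, h in records.values()]
    return sum(1 for h in hashes if hashes.count(h) > 1)
```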
*** {01.34.017} Cross - ucd-snmp multiple vulnerabilities
Caldera has released an advisory indicating multiple vulnerabilities
in the ucd-snmp distribution of SNMP tools. The vulnerabilities
include local configuration file buffer overflows, format string
vulnerabilities and race conditions that could allow local attackers
to elevate their privileges to those of the running snmpd process.
Caldera has confirmed these vulnerabilities. It has also released
updated packages for Caldera Linux, which are listed at:
http://archives.neohapsis.com/archives/linux/caldera/2001-q3/0014.html
Source: Caldera, VulnWatch
http://archives.neohapsis.com/archives/linux/caldera/2001-q3/0014.html
http://archives.neohapsis.com/archives/vulnwatch/2001-q3/0029.html
*** {01.34.020} Cross - Sendmail -d parameter arbitrary memory writing
Sendmail versions 8.10.0 through 8.11.5, as well as all 8.12.0beta
versions, contain a vulnerability that allows a local attacker to
write arbitrary values into the sendmail process's memory via the
-d command line option. This would allow a local attacker to gain
elevated privileges (since sendmail is typically setuid root).
Sendmail has confirmed this vulnerability and released Sendmail
versions 8.11.6 and 8.12.0beta19, which are available at:
ftp://ftp.sendmail.org/pub/sendmail/
Source: Sendmail
http://archives.neohapsis.com/archives/sendmail/2001-q3/0003.html
*** {01.34.021} Cross - glFTPD large file globbing DoS
glFTPD version 1.23 is reported vulnerable to a denial of service
attack whereby a remote attacker submits an FTP LIST command with many
'*' characters. This causes the service to consume all CPU cycles
for a moderate amount of time while it attempts to properly parse
the file glob.
This advisory indicates vendor confirmation; version 1.24 has been
made available.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-08/0239.html
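The CPU exhaustion described above comes from a matcher that tries every way of splitting the name among the wildcards. The following is an added example, not glFTPD's code: it bounds the complexity of a client-supplied LIST pattern before matching and matches with a two-pointer algorithm whose work is at most the product of the two lengths. MAX_WILDCARDS and MAX_PATTERN_LEN are assumed policy values.

```python
import re

MAX_WILDCARDS = 8      # assumed policy limit, not a glFTPD setting
MAX_PATTERN_LEN = 255  # assumed policy limit


def normalize_glob(pattern: str) -> str:
    """Collapse runs of '*': '***' matches exactly what '*' matches, so the
    extra stars only multiply the work of a naive backtracking matcher."""
    return re.sub(r"\*{2,}", "*", pattern)


def check_glob(pattern: str) -> str:
    """Reject over-long or wildcard-heavy patterns; return the normalized one."""
    if len(pattern) > MAX_PATTERN_LEN:
        raise ValueError("pattern too long")
    pattern = normalize_glob(pattern)
    if pattern.count("*") + pattern.count("?") > MAX_WILDCARDS:
        raise ValueError("too many wildcards")
    return pattern


def glob_match(pattern: str, name: str) -> bool:
    """Match '*' (any run) and '?' (one character) without exponential
    backtracking: on a mismatch, return to the most recent '*' and let it
    absorb one more character, rather than exploring every split."""
    i = j = 0
    star = -1   # index in pattern of the most recent '*'
    mark = 0    # position in name where that '*' currently stops
    while i < len(name):
        if j < len(pattern) and pattern[j] == "*":
            star, mark = j, i
            j += 1
        elif j < len(pattern) and (pattern[j] == "?" or pattern[j] == name[i]):
            i += 1
            j += 1
        elif star != -1:
            mark += 1
            i, j = mark, star + 1
        else:
            return False
    while j < len(pattern) and pattern[j] == "*":   # trailing stars match nothing
        j += 1
    return j == len(pattern)


def list_matching(pattern: str, names: list) -> list:
    """What a LIST handler would do: validate the pattern once, then match."""
    safe = check_glob(pattern)
    return [n for n in names if glob_match(safe, n)]
```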
*** {01.34.022} Cross - Surf-net ASP discussion forum CGI
authentication bypass
Surf-net's ASP discussion forum Web application versions prior to
2.30 contain a bug in the handling of user ID cookies. This could
allow a remote attacker to gain access as any user, including the
forum administrator.
The vendor has confirmed this vulnerability and released version 2.30,
which is available at:
http://www.surf-net.co.uk/asp/forum/forum_script.asp
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-08/0276.html
*** {01.34.023} Cross - tdscripts.com tdforum CGI allows malicious
embedded JavaScript
tdscripts.com's tdforum CGI application version 1.2 has been found
to not properly parse submitted forum posts. This allows malicious
users to embed JavaScript in the forum pages.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-08/0268.html
http://archives.neohapsis.com/archives/bugtraq/2001-08/0281.html
*** {01.34.024} Cross - 4D.com Web server arbitrary file access
4D.com's Web server has been found to allow a remote attacker to access
arbitrary files on the system by using a particular HTTP URL syntax.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-08/0274.html
--- Tool Announcements News --------------------------------------------
*** {01.34.005} Tools - Microsoft Personal Security Advisor (MPSA)
Microsoft has released a new tool, the "Microsoft Personal Security
Advisor." This tool is targeted at end users who wish to scan their
systems for basic security problems (missing patches, weak passwords
and vulnerable IE/Outlook/Office security settings).
More information about the tool is available at:
http://www.microsoft.com/security/mpsa
Source: Microsoft (SecurityFocus Bugtraq)
http://archives.neohapsis.com/archives/ntbugtraq/2001-q3/0058.html
--- Services News ------------------------------------------------------
*** {01.34.018} Svc - Hotmail arbitrary user e-mail reading
An advisory was released indicating that it's possible to read any
user's e-mail if you know the exact time (or wish to brute force an
approximate range) the e-mail arrived.
This vulnerability has not been confirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2001-q3/0028.html
************************************************************************
------------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed
to you and you would like to begin receiving our security e-mail
newsletter on a weekly basis, we invite you to subscribe today.
http://www.networkcomputing.com/consensus/.
We are signing the Consensus newsletter
with PGP. The new SANS PGP key is posted at:
http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46
and can be accessed from the SANS Web site (http://www.sans.org).
Special Note: To better secure your confidential information,
we will no longer include personal URLs in our Consensus
newsletter mailings. Instead, we have created a new form
(http://www.sans.org/sansurl). On this form you can enter the SD
number located near your name at the top of the newsletter. When you
submit this form, an e-mail containing a URL will be sent to you at
the e-mail address on record. With this URL you can make changes to
your account (edit the content of your Consensus mailing, for example)
without endangering the security of your personal URL. If you'd like
to change your e-mail address or other information, or unsubscribe
to this newsletter, please visit your new URL as described above. If
you have any problems or questions, e-mail us at <consensus@nwc.com>.
Missed an issue? You can find all back issues of
Security Alert Consensus (and Security Express) online.
http://archives.neohapsis.com/
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2001 Network Computing, a CMP Media LLC
publication. All Rights Reserved. Distributed by Network
Computing (http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).