From: Network Computing and The SANS Institute (sans+ZZ56529011675043775sans.org)
Date: Thu Aug 02 2001 - 17:02:50 CDT



    Re: Your personalized newsletter

                          -- Security Alert Consensus --
                                 Number 108 (01.31)
                             Thursday, August 2, 2001
                                Created for you by
                      Network Computing and the SANS Institute
                               Powered by Neohapsis

    ----------------------------------------------------------------------

    Welcome to the latest edition of Security Alert Consensus! Below
    you should find information pertaining only to the categories you
    requested. If you have any problems or questions, please e-mail us
    at <consensus@nwc.com>.

    ----------------------------------------------------------------------

    If you've got security problems, why not ask Mike Fratto, one of
    NWC's senior technology editors and an "Ask the Experts" resident
    consultant. Mike is knowledgeable in all areas of security, and is
    particularly experienced with firewalls, VPN, PKI and authentication
    services. Go ahead and ask -- he won't bite.

    http://networkcomputing-cgi.exp.com/noauth/advisor_profile.cgi?adv_id=548382

    ----------------------------------------------------------------------

    SANS Newsbites (August 1) had a misleading editorial comment about
    the new SSH vulnerability. If you are running SSH Secure Shell for
    Unix v.3.0.0 with the sshd2 daemon, you *must* install the fix.
    Otherwise, according to SSH Inc., many sites (including stock
    Solaris installations) are vulnerable. See the note at the end of
    this e-mail.

    ----------------------------------------------------------------------

    As if patches, hot fixes and service packs weren't enough, Microsoft
    Corp. has released a "security rollup package" -- think of it as a
    security-centric service pack -- for Windows NT. This should make
    it easy (well, easier) to bring your servers up to date and fend
    off those nasty Code Red worms that are prophesied to destroy the
    Internet. The SRP can be grabbed from:

    http://www.microsoft.com/ntserver/sp6asrp.asp

    Until next week,
    --Security Alert Consensus Team

    ************************************************************************

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    TABLE OF CONTENTS:

    {01.31.001} Win - MS01-039: SFU telnet and NFS services DoS
    {01.31.004} Win - Sambar Web server page count file modification
    {01.31.006} Win - Snapstream PVS multiple vulnerabilities
    {01.31.007} Win - WS_FTP command long argument overflow
    {01.31.009} Win - MS01-040: Terminal Services invalid RDP DoS
    {01.31.010} Win - MS01-041: Malformed RPC requests can cause DoS
    {01.31.011} Win - MS01-042: WMP .NSC station file overflow
    {01.31.022} Win - TrendMicro AppletTrap script filtering bypass
    {01.31.014} Linux - Update {01.30.003}: Squid httpd accelerator
                unauthorized Web proxy
    {01.31.015} Linux - Update {01.29.012}: elm message ID overflow
    {01.31.018} Linux - Update {01.30.014}: IMP local prefs.lang script
                execution
    {01.31.019} Linux - Update {01.30.013}: IMP malicious JavaScript
                vulnerability
    {01.31.021} Linux - Update {01.21.003}: Apache 1.3.20 available
    {01.31.023} Linux - Linux kernel IRC/DCC masquerading helper
                vulnerability
    {01.31.025} Linux - ColdFusion CFRETHROW restarts Linux
    {01.31.012} AIX - Buffer overflow vulnerability in libi18n Library
    {01.31.005} SGI - Irix netprint DSO privilege escalation
    {01.31.002} SCO - su TERM env variable overflow
    {01.31.008} SCO - Update {01.23.006}: Qpopper vague buffer overflow
    {01.31.017} Other - Update {01.30.021}: Multivendor telnetd option
                handling overflow
    {01.31.003} Cross - Mambo Site Server PHPSESSID authentication bypass
    {01.31.013} Cross - Tripwire temp file symlink attack
    {01.31.016} Cross - Update {01.30.009}: phplib libdir remote code
                injection
    {01.31.020} Cross - Entrust getAccess shell script arbitrary applet
                execution
    {01.31.024} Cross - Quake3 Arena server malformed connection packet DoS
    {01.31.026} Cross - phpMyAdmin Copy/RenameTable arbitrary code execution
    {01.31.027} Cross - Critical Path LDAP services vulnerabilities

    - --- Windows News -------------------------------------------------------

    *** {01.31.001} Win - MS01-039: SFU telnet and NFS services DoS

    Microsoft has released MS01-039 ("Services for Unix 2.0 Telnet and
    NFS services contain memory leaks"). The NFS and telnet services
    contained in Services for Unix (SFU) version 2.0 have been found to
    contain memory leaks that could allow a remote attacker, who makes
    multiple requests, to exhaust available memory and potentially cause
    a denial of service.

    FAQ and patch:
    http://www.microsoft.com/technet/security/bulletin/MS01-039.asp

    Source: Microsoft
    http://archives.neohapsis.com/archives/vendor/2001-q3/0006.html

    *** {01.31.004} Win - Sambar Web server page count file modification

    The Sambar Web Server ships with a sample page count CGI that is used
    as a page hit counter. The CGI is vulnerable to a reverse-directory
    traversal attack that allows a remote attacker to specify arbitrary
    files to be used to store the hit count information. The result is that
    the CGI overwrites the first line of the specified file, potentially
    corrupting binary applications and causing a denial of service.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-07/0565.html

    *** {01.31.006} Win - Snapstream PVS multiple vulnerabilities

    Snapstream Personal Video System has been reported to contain multiple
    vulnerabilities, including reverse-directory traversal, arbitrary
    file reading, system information and configuration exposure, and
    plain-text storage of passwords.

    These vulnerabilities have not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-07/0606.html

    *** {01.31.007} Win - WS_FTP command long argument overflow

    WS_FTP server version 2.0.2 contains a buffer overflow in the handling
    of large arguments passed to various FTP commands. This could allow a
    remote attacker to execute arbitrary code with local system privileges.

    This vulnerability has not been confirmed. The advisory indicates
    that the latest version of WS_FTP server fixes the vulnerability.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-07/0610.html

    *** {01.31.009} Win - MS01-040: Terminal Services invalid RDP DoS

    Microsoft has released MS01-040 ("Invalid RDP data can cause memory
    leak in Terminal Services"). Windows NT 4.0 Terminal Server and
    Windows 2000 Terminal Services have been found to incorrectly handle
    incoming invalid RDP packets. This causes the services to leak
    memory. Eventually, a remote attacker can exhaust all available
    memory, causing a denial of service.

    FAQ and patch:
    http://www.microsoft.com/technet/security/bulletin/MS01-040.asp

    Source: Microsoft
    http://archives.neohapsis.com/archives/vendor/2001-q3/0007.html

    *** {01.31.010} Win - MS01-041: Malformed RPC requests can cause DoS

    Microsoft has released MS01-041 ("Malformed RPC request can cause
    service failure"). Multiple RPC services (included with Exchange,
    SQL, NT and 2000) do not correctly handle various invalid RPC
    inputs/packets, thereby allowing a remote attacker to crash the
    services and cause a denial of service.

    FAQ and patch:
    http://www.microsoft.com/technet/security/bulletin/MS01-041.asp

    Source: Microsoft
    http://archives.neohapsis.com/archives/vendor/2001-q3/0009.html

    *** {01.31.011} Win - MS01-042: WMP .NSC station file overflow

    Microsoft has released MS01-042 ("Windows Media Player .NSC Processor
    contains unchecked buffer"). An overflow exists in the processing
    of .NSC station files, allowing a malicious Web site or e-mail to
    potentially execute arbitrary code on the user's system.

    FAQ and patch:
    http://www.microsoft.com/technet/security/bulletin/MS01-042.asp

    Source: Microsoft
    http://archives.neohapsis.com/archives/vendor/2001-q3/0010.html

    *** {01.31.022} Win - TrendMicro AppletTrap script filtering bypass

    TrendMicro's AppletTrap version 2.0 has been found to not thoroughly
    filter VBScript and JavaScript from Web content. This could allow a
    malicious Web site to include JavaScript or VBScript even though the
    filter was configured not to allow them.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-07/0129.html

    - --- Linux News ---------------------------------------------------------

    *** {01.31.014} Linux - Update {01.30.003}: Squid httpd accelerator
                    unauthorized Web proxy

    Mandrake has released updated packages to fix the vulnerability
    discussed in {01.30.003} ("Squid httpd accelerator unauthorized
    Web proxy").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/bugtraq/2001-07/0601.html

    Source: Mandrake (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2001-07/0601.html

    *** {01.31.015} Linux - Update {01.29.012}: elm message ID overflow

    Mandrake has released updated packages to fix the vulnerability
    discussed in {01.29.012} ("elm message ID overflow").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/bugtraq/2001-07/0602.html

    Source: Mandrake (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2001-07/0602.html

    *** {01.31.018} Linux - Update {01.30.014}: IMP local prefs.lang script
                    execution

    Conectiva has released updated packages to fix the vulnerability
    discussed in {01.30.014} ("IMP local prefs.lang script execution").

    Updated packages are listed at:
    http://archives.neohapsis.com/archives/linux/conectiva/2001-q3/0001.html

    Source: Conectiva
    http://archives.neohapsis.com/archives/linux/conectiva/2001-q3/0001.html

    *** {01.31.019} Linux - Update {01.30.013}: IMP malicious JavaScript
                    vulnerability

    Conectiva has released updated packages to fix the vulnerability
    discussed in {01.30.013} ("IMP malicious JavaScript vulnerability").

    Updated packages are listed at:
    http://archives.neohapsis.com/archives/linux/conectiva/2001-q3/0001.html

    Source: Conectiva
    http://archives.neohapsis.com/archives/linux/conectiva/2001-q3/0001.html

    *** {01.31.021} Linux - Update {01.21.003}: Apache 1.3.20 available

    It seems another vendor failed to read the change log for
    Apache. Debian has released an updated Apache package for the
    vulnerability discussed in {01.21.003} ("Apache 1.3.20 available").

    Updated DEBs are listed at:
    http://archives.neohapsis.com/archives/vendor/2001-q3/0011.html

    Source: Debian
    http://archives.neohapsis.com/archives/vendor/2001-q3/0011.html

    *** {01.31.023} Linux - Linux kernel IRC/DCC masquerading helper
                    vulnerability

    A bug was found in the IRC DCC/CTCP masquerading helper modules
    shipped with various Linux kernels. A remote attacker (or a malicious
    Web site) can open arbitrary ports on a masquerading Linux firewall
    by sending spoofed DCC/CTCP connect commands: the IRC helper module
    processes the commands and opens ports to let the expected incoming
    DCC/CTCP session through.

    This vulnerability has been confirmed. A patch is available at:
    http://archives.neohapsis.com/archives/bugtraq/2001-07/0750.html

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-07/0733.html
    http://archives.neohapsis.com/archives/bugtraq/2001-07/0750.html
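
    The mechanism above, modelled as an added example (not the kernel
    module's code and not the patch linked above): a masquerading IRC helper
    parses the CTCP DCC request a client sends over its IRC connection and
    allocates an external port on the firewall that is forwarded to whatever
    address and port the request names. The unchecked helper does what the
    advisory describes, so a spoofed DCC line opens a path to another
    internal host; the checked helper accepts only a request that names the
    client that sent it. The helper class, the port allocation scheme and
    the sample IRC lines are all constructed for this example.

```python
"""Toy model of a masquerading IRC helper's DCC handling (added example,
not the kernel module's code). Shows why an unvalidated DCC request lets a
spoofed line open a path to an arbitrary internal address and port."""
import ipaddress
import re
from typing import Dict, NamedTuple, Optional, Tuple

# A CTCP DCC request is wrapped in \x01 and carries the address as a
# decimal 32-bit integer:  DCC <CHAT|SEND> <argument> <ip-as-int> <port>
DCC_RE = re.compile(rb"\x01DCC (CHAT|SEND) (\S+) (\d+) (\d+)\x01")


class DccRequest(NamedTuple):
    kind: str
    target: ipaddress.IPv4Address   # address the peer is told to connect to
    port: int


def parse_dcc(payload: bytes) -> Optional[DccRequest]:
    """Extract a DCC CHAT/SEND request from an IRC line, or None."""
    m = DCC_RE.search(payload)
    if m is None:
        return None
    ip_int, port = int(m.group(3)), int(m.group(4))
    if ip_int > 0xFFFFFFFF or not 1 <= port <= 65535:
        return None
    return DccRequest(m.group(1).decode(), ipaddress.IPv4Address(ip_int), port)


class MasqIrcHelper:
    """Assumed helper behaviour: when a DCC request passes, allocate an
    external port on the firewall and map it to the address:port named in
    the request, so the remote peer's inbound connection is forwarded there."""

    def __init__(self, external_ip: str, validate_source: bool):
        self.external_ip = external_ip
        self.validate_source = validate_source
        self.next_port = 61000
        self.mappings: Dict[int, Tuple[str, int]] = {}

    def on_client_line(self, client_ip: str, line: bytes) -> Optional[int]:
        """Return the external port opened for this line, or None."""
        req = parse_dcc(line)
        if req is None:
            return None
        # The check: a request may only name the client that sent it.
        # Without it, any line that looks like a DCC request (from any
        # internal host, or from a browser tricked into sending one) opens
        # a forwarded path to an arbitrary internal address and port.
        if self.validate_source and req.target != ipaddress.IPv4Address(client_ip):
            return None
        ext_port = self.next_port
        self.next_port += 1
        self.mappings[ext_port] = (str(req.target), req.port)
        return ext_port


# Constructed sample traffic from client 192.168.1.10 behind the firewall.
CLIENT_IP = "192.168.1.10"
LEGIT_DCC = b"PRIVMSG bob :\x01DCC CHAT chat 3232235786 5000\x01\r\n"    # 192.168.1.10:5000
SPOOFED_DCC = b"PRIVMSG bob :\x01DCC CHAT chat 3232235796 139\x01\r\n"   # 192.168.1.20:139


def demo() -> Tuple[Dict[int, Tuple[str, int]], Dict[int, Tuple[str, int]]]:
    """Feed both lines to an unchecked and a checked helper; return what
    each one ended up exposing."""
    unchecked = MasqIrcHelper("203.0.113.1", validate_source=False)
    checked = MasqIrcHelper("203.0.113.1", validate_source=True)
    for helper in (unchecked, checked):
        helper.on_client_line(CLIENT_IP, LEGIT_DCC)
        helper.on_client_line(CLIENT_IP, SPOOFED_DCC)
    return unchecked.mappings, checked.mappings


if __name__ == "__main__":
    exposed_unchecked, exposed_checked = demo()
    print("unchecked helper exposes:", exposed_unchecked)
    print("checked helper exposes:  ", exposed_checked)
```

    Requiring the DCC address to match the requesting client still lets that
    client expose its own ports, so the check narrows the damage rather than
    replacing the patch above; not loading the helper on firewalls that do not
    need DCC removes the exposure entirely.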

    *** {01.31.025} Linux - ColdFusion CFRETHROW restarts Linux

    Macromedia/Allaire's ColdFusion server for Linux has a bug in the
    handling of the CFRETHROW tag. This could allow malicious (or even
    nonmalicious) templates using the tag in a certain manner to cause
    the entire system to immediately reboot.

    Macromedia/Allaire has confirmed this vulnerability.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-07/0755.html

    - --- AIX News -----------------------------------------------------------

    *** {01.31.012} AIX - Buffer overflow vulnerability in libi18n Library

    IBM has released a fix for a buffer overflow in the libi18n
    library. The library does not correctly handle the LANG environment
    variable, which allows a local attacker to execute arbitrary code
    under root privileges.

    The IBM efix is listed at:
    http://archives.neohapsis.com/archives/bugtraq/2001-07/0386.html

    Source: IBM (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2001-07/0386.html

    - --- SGI News -----------------------------------------------------------

    *** {01.31.005} SGI - Irix netprint DSO privilege escalation

    Irix 6.5 systems that have an open lp account are susceptible to a
    vulnerability in netprint that may allow an attacker to gain root
    privileges.

    This vulnerability has been confirmed by SGI. Patches are listed at:
    http://archives.neohapsis.com/archives/vulnwatch/2001-q3/0010.html

    Source: SGI
    http://archives.neohapsis.com/archives/vendor/2001-q3/0008.html

    - --- SCO News -----------------------------------------------------------

    *** {01.31.002} SCO - su TERM env variable overflow

    The su command shipped with all versions of UnixWare and OpenUnix
    version 8.0.0 is vulnerable to a buffer overflow in the handling
    of the TERM environment variable. This could allow an attacker to
    execute arbitrary code under elevated privileges.

    SCO has released fixed su binaries and related libraries, which are
    listed at:
    http://archives.neohapsis.com/archives/bugtraq/2001-07/0561.html

    Source: SCO (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2001-07/0561.html

    *** {01.31.008} SCO - Update {01.23.006}: Qpopper vague buffer overflow

    SCO has released updated binaries for OpenServer to fix the
    vulnerability discussed in {01.23.006} ("Qpopper vague buffer
    overflow").

    SCO OpenServer binaries are listed at:
    http://archives.neohapsis.com/archives/bugtraq/2001-07/0610.html

    Source: SCO/Caldera
    http://archives.neohapsis.com/archives/linux/caldera/2001-q3/0006.html

    - --- Other News ---------------------------------------------------------

    *** {01.31.017} Other - Update {01.30.021}: Multivendor telnetd option
                    handling overflow

    Compaq has released updated Tru64 telnetd packages to fix the
    vulnerability discussed in {01.30.021} ("Multivendor telnetd option
    handling overflow").

    Updates are listed at:
    http://archives.neohapsis.com/archives/tru64/2001-q3/0010.html

    Source: Tru64
    http://archives.neohapsis.com/archives/tru64/2001-q3/0010.html

    - --- Cross-Platform News ------------------------------------------------

    *** {01.31.003} Cross - Mambo Site Server PHPSESSID authentication
                    bypass

    Mambo Site Server versions 3.0.0 to 3.0.5 allow an attacker to
    bypass authentication and log in as any user, including the
    administrator, because PHPSESSID and various other global variables
    are not validated before being passed to a SQL query.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-07/0569.html

    *** {01.31.013} Cross - Tripwire temp file symlink attack

    Mandrake has released updated packages to fix a temp file symlink
    vulnerability in tripwire versions 2.3.1-2 and prior. The vulnerability
    is caused by Tripwire's incorrect handling of temporary files, which
    allows a local attacker to perform a symlink attack.

    This vulnerability has been confirmed by Mandrake.

    Updated Mandrake packages are listed at:
    http://archives.neohapsis.com/archives/bugtraq/2001-07/0352.html

    Source: Mandrake (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2001-07/0352.html

    *** {01.31.016} Cross - Update {01.30.009}: phplib libdir remote code
                    injection

    Trustix has released updated packages to fix the vulnerability
    discussed in {01.30.009} ("phplib libdir remote code injection").

    Updated packages are listed at:
    http://archives.neohapsis.com/archives/bugtraq/2001-07/0609.html

    Source: Trustix (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2001-07/0609.html

    *** {01.31.020} Cross - Entrust getAccess shell script arbitrary applet
                    execution

    The Entrust getAccess single sign-on system has been found to contain
    a vulnerability in the getAccess CGI scripts. This could allow a local
    attacker to execute arbitrary Java applets located on the system. The
    exploit potential is elevated if the attacker has the capability to
    upload malicious Java applets (via FTP or other mechanism).

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-07/0662.html

    *** {01.31.024} Cross - Quake3 Arena server malformed connection packet
                    DoS

    An advisory was released indicating that it's possible to remotely
    crash the Quake3 Arena server versions 1.29f and 1.29g by sending a
    particular malformed connection packet.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-07/0748.html

    *** {01.31.026} Cross - phpMyAdmin Copy/RenameTable arbitrary code
                    execution

    phpMyAdmin versions 2.2.0rc3 and prior contain a vulnerability in
    the handling of the strCopyTable and strRenameTable parameters. This
    allows a remote attacker to specify arbitrary PHP code to be executed
    by the Web server.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-07/0757.html

    *** {01.31.027} Cross - Critical Path LDAP services vulnerabilities

    A report surfaced indicating that the Critical Path LDAP services
    (ICL/Peerlogic and InJoin/GDS) contain LDAP vulnerabilities
    similar to those published in the recent CERT report found at:
    http://archives.neohapsis.com/archives/cc/2001-q3/0002.html

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-07/0770.html

    ************************************************************************

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (BSD/OS)
    Comment: For info see http://www.gnupg.org

    iD8DBQE7acvF+LUG5KFpTkYRAg4nAKCeUG+6q4lJUVHen9un5dV2BAScFACZAdic
    927C6uifUDzFGNdbtk0Kh30=
    =CdOl
    -----END PGP SIGNATURE-----
    ------------------------------------------------------------------------

    Stephanie Thomas of SSH Communications Security, Inc. writes:

    Anyone using SSH Secure Shell for Unix v.3.0.0 and running the sshd2
    daemon is vulnerable to a potential exploit concerning accounts with
    password field entries of two characters or less.

    Be aware this vulnerability affects accounts with two character
    password field ENTRIES in /etc/passwd or /etc/shadow. Two character
    PASSWORDS are NOT vulnerable. Two character passwords, run through
    crypt, produce 13 character password field entries in /etc/passwd
    or /etc/shadow.

    Accounts like these from a stock Solaris 8 install WOULD be vulnerable:

    daemon:NP:6445::::::
    bin:NP:6445::::::

    This account, which has a two character password, would NOT be
    vulnerable:

    user:Ts9w/7YExm00Y:11536::::::

    SSH Secure Shell for Windows is NOT affected.

    Version 3.0.1 fixes this vulnerability. Please go to
    http://commerce.ssh.com for commercial use
    or ftp://ftp.ssh.com/pub/ssh for non-commercial use to download 3.0.1.
    A detailed description of the problem, listing affected operating
    systems, is at:

    http://www.ssh.com/products/ssh/exploit.cfm
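
    The condition the note describes, as an added audit check (not code
    from SSH Communications Security or from this newsletter): report every
    account whose password field, the second colon-separated field of
    /etc/passwd or /etc/shadow, is two characters or shorter. The sample
    data embeds the three Solaris 8 entries quoted above plus a few
    constructed lines (the nobody, listen, svc and guest entries are not
    from the note).

```python
"""Audit passwd/shadow entries for the sshd2 3.0.0 condition: a password
*field* of two characters or fewer. Added example, not vendor code.
A 13-character crypt(3) field (2 salt characters + 11 hash characters),
which is what a two-character *password* produces, is not reported."""
from typing import List, NamedTuple

# Constructed sample in Solaris /etc/shadow layout
# (name:password:lastchg:min:max:warn:inactive:expire:flag).
# The daemon, bin and user lines are the ones quoted in the note above;
# the nobody, listen, svc and guest lines are constructed here.
SAMPLE_SHADOW = """\
daemon:NP:6445::::::
bin:NP:6445::::::
user:Ts9w/7YExm00Y:11536::::::
nobody:*LK*:6445::::::
listen:*:6445::::::
svc:x:11536::::::
guest::11536::::::
"""


class Finding(NamedTuple):
    account: str
    field: str


def is_short_password_field(field: str) -> bool:
    """True when the stored field (not the password) is <= 2 characters.
    This catches 'NP', '*', 'x' and empty fields; it does not catch
    '*LK*' or any real crypt(3) hash."""
    return len(field) <= 2


def audit_password_fields(text: str) -> List[Finding]:
    """Scan passwd/shadow-style text and return the affected accounts."""
    findings: List[Finding] = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue  # not a passwd/shadow record; skip it
        account, field = parts[0], parts[1]
        if is_short_password_field(field):
            findings.append(Finding(account, field))
    return findings


def audit_file(path: str) -> List[Finding]:
    """Run the same check over a real file (reading /etc/shadow needs root)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_password_fields(fh.read())


if __name__ == "__main__":
    for f in audit_password_fields(SAMPLE_SHADOW):
        print(f"{f.account}: password field {f.field!r} ({len(f.field)} chars)")
```

    Run audit_file over both /etc/passwd and /etc/shadow on every host
    running 3.0.0 with sshd2; any hit is an account the note says is
    exposed, and the only fix the note offers is upgrading to 3.0.1.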

    ----------------------------------------------------------------------

    Become a Security Alert Consensus member! If this e-mail was passed
    to you and you would like to begin receiving our security e-mail
    newsletter on a weekly basis, we invite you to subscribe today. Please
    e-mail us at <consensus@nwc.com>.

    If you'd like to change your e-mail address or unsubscribe to this
    newsletter, please send an e-mail to <sans@sans.org>. If you have
    any problems or questions, e-mail us at <consensus@nwc.com>.

    We apologize to those subscribers who wish to manage their accounts
    online: our system will be back online as soon as possible.

    We are signing the Consensus newsletter
    with PGP. The new SANS PGP key is posted at:
    http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46
    and can be accessed from the SANS Web site (http://www.sans.org).

    Missed an issue? You can find all back issues of
    Security Alert Consensus (and Security Express) online.
    http://archives.neohapsis.com/

    Your opinion counts. We'd like to hear your thoughts on Security Alert
    Consensus. E-mail any questions or comments to <consensus@nwc.com>.

    Copyright (c) 2001 Network Computing, a CMP Media LLC
    publication. All Rights Reserved. Distributed by Network
    Computing (http://www.networkcomputing.com) and The SANS Institute
    (http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
    security assessment and integration services consulting group
    (info@neohapsis.com | http://www.neohapsis.com/).