From: Network Computing and The SANS Institute (sans+ZZ22972235326713624@sans.org)
Date: Thu Aug 30 2001 - 14:12:29 CDT
Subject: Re: Your personalized newsletter
-- Security Alert Consensus --
Number 112 (01.35)
Thursday, August 30, 2001
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below
you should find information pertaining only to the categories you
requested. If you have any problems or questions, please e-mail us
at <consensus@nwc.com>.
----------------------------------------------------------------------
FREE NETIQ SECURITY AUDIOCAST
Go one-on-one with leading security analyst Frank Prince from Forrester
Research and NetIQ security experts during our FREE audiocast, "Security
in the Era of E-Business, An Analyst's Perspective." You'll gain
insights on IT trends, business challenges and management issues.
Register today!
http://webevents.road-show.com/netiq/20010911/start/register.asp?origin=sans2
----------------------------------------------------------------------
We'd like to point out a simple notion that, hopefully, everyone is
aware of. When you ask an application -- be it your mail agent, Web
browser, project-manager software or whatever -- to store your password
(so you don't have to type or remember it next time), the password is
almost certainly stored somewhere in a retrievable form.
Think about it: the application has to present your plain-text password
to the server the next time it logs in. If it stored only a cryptographic
hash, it could verify a password you type but never reconstruct the
original, which is of no use to a client that must send it. So whatever
'encryption' or obfuscation is applied to the stored password must be
reversible by the application itself, using a key the application
already holds. It doesn't matter whether the app uses a home-brewed
crypto scheme, an AES candidate or ROT13: anyone who can read the stored
blob and the application's own files (the same user account, an
administrator, or malware running as you) can recover your password.
Now, yes, there are some cryptographic storage facilities that help
with this problem. Many of these, however, just encrypt passwords with
more passwords: the stored credential is protected under a master
password or a key tied to your login, and it is exactly as safe as that
master secret and recoverable by anyone who has it. In the end, if
you're worried about your passwords being recovered, NEVER opt to have
an application store them automatically for you.
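The following Python sketch is added here as an illustration of the point above; it is not code from the newsletter or from any product it describes. It contrasts the three storage shapes the note talks about: obfuscation the application can undo on its own (so anyone with the application's files can too), one-way hashing that can only verify a password and is therefore useless to a client that must send it, and encryption under a master password, which is still reversible but only by whoever supplies the master password. The built-in key name, the sample password, the iteration count and the XOR construction are assumptions made for the demonstration.

```python
import codecs
import hashlib
import hmac
import os

# Constructed sample credential for the demonstration (not from the page).
SAMPLE_PASSWORD = "Tr0ub4dor&3"

# Assumption: a key the application ships with. A "remember my password"
# feature needs something like it, and that is exactly why the scheme is
# reversible: the key sits right next to the stored blob.
APP_KEY = b"example-builtin-key"
ITERATIONS = 100_000


def _xor(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# --- 1. Obfuscation: ROT13 or a fixed-key XOR. Looks scrambled on disk,
#        undone by anyone who has the same program.
def store_rot13(password: str) -> str:
    return codecs.encode(password, "rot13")


def recover_rot13(blob: str) -> str:
    return codecs.decode(blob, "rot13")


def store_obfuscated(password: str) -> bytes:
    return _xor(password.encode(), APP_KEY)


def recover_obfuscated(blob: bytes) -> str:
    # No secret needed beyond what the application already contains.
    return _xor(blob, APP_KEY).decode()


# --- 2. One-way storage: a salted, slow hash. A server can *verify* a
#        password this way, but nothing turns the digest back into the
#        plaintext, so a client that must send the password cannot use it.
def store_hashed(password: str, salt: bytes = None) -> tuple:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_hashed(password: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


# --- 3. "Encrypt passwords with more passwords": the key is derived from a
#        master password the user types. Still reversible, but only by
#        whoever supplies the master password, not by the application alone.
#        The XOR keystream is a teaching construction; real code would use an
#        authenticated cipher (AES-GCM or similar) from a crypto library.
def store_with_master(password: str, master: str, salt: bytes = None) -> tuple:
    salt = salt if salt is not None else os.urandom(16)
    data = password.encode()
    keystream = hashlib.pbkdf2_hmac("sha256", master.encode(), salt,
                                    ITERATIONS, dklen=len(data))
    return salt, _xor(data, keystream)


def recover_with_master(blob: bytes, master: str, salt: bytes) -> str:
    keystream = hashlib.pbkdf2_hmac("sha256", master.encode(), salt,
                                    ITERATIONS, dklen=len(blob))
    # A wrong master password yields garbage rather than an error.
    return _xor(blob, keystream).decode(errors="replace")


if __name__ == "__main__":
    blob = store_obfuscated(SAMPLE_PASSWORD)
    print("obfuscated on disk:", blob.hex(), "-> recovered:", recover_obfuscated(blob))
    salt, digest = store_hashed(SAMPLE_PASSWORD)
    print("hashed verifies:", verify_hashed(SAMPLE_PASSWORD, salt, digest))
    salt, blob = store_with_master(SAMPLE_PASSWORD, "correct horse")
    print("right master:", recover_with_master(blob, "correct horse", salt))
    print("wrong master:", recover_with_master(blob, "guess", salt))
```

The first two functions are the shape of most "remember my password" features; the third is what the better password managers do, and the note's warning still applies to it: the master password is now the thing that has to be kept out of reach.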
Until next week,
--Security Alert Consensus Team
************************************************************************
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
TABLE OF CONTENTS:
{01.35.007} Win - WinWrapper Pro file retrieval
{01.35.010} Win - BadBlue file source disclosure
{01.35.021} Win - AVTronics InetServer authentication overflow and DoS
{01.35.022} Win - Outlook Web access malformed user name DoS
{01.35.018} Linux - Update {01.28.021}: xloadimage/faces reader buffer
overflow
{01.35.008} BSD - Update {01.29.015}: OpenSSL PRNG predictability
{01.35.009} BSD - dump runs RCMD_CMD with privileges
{01.35.014} AIX - Layout library GetLayoutInitFunc() LANG ENV variable
overflow
{01.35.015} AIX - CDE dtprintinfo/dthelpview buffer overflow
{01.35.016} AIX - Vague security problem in lsmcode
{01.35.006} HPUX - rlpdaemon remote buffer overflow
{01.35.013} SCO - mana buffer overflow
{01.35.017} SCO - Update {01.05.001}: Multiple Bind buffer overflows
(TSIG/infoleak)
{01.35.024} SCO - uidadmin -S parameter overflow
{01.35.001} NApps - Update {00.50.016}: Multiple vulnerabilities in
CBOS on Cisco 600 series routers
{01.35.004} Other - Update {01.30.021}: Multiple vendor telnetd
option-handling overflow
{01.35.028} Other - Update {01.15.011}: Multiple vendor FTP glob
functionality buffer overflow
{01.35.002} Cross - Netscape installation insecure temp file creation
{01.35.003} Cross - Update {01.34.020}: Sendmail -d parameter arbitrary
memory writing
{01.35.005} Cross - AOLserver long authorization header DoS
{01.35.011} Cross - qpopper account existence confirmation bug
{01.35.012} Cross - Adobe Acrobat/libCoolType creates world-writable
AdobeFnt.lst file
{01.35.019} Cross - Sage Software MAS200 network service DoS
{01.35.020} Cross - Konqueror long URL DoS
{01.35.023} Cross - BSCW groupware tar/symlink file access
{01.35.025} Cross - JRE 1.3 with Java Plugin 1.4 ignores security
certificates
{01.35.026} Cross - PHProjekt authentication bypass
{01.35.027} Cross - LPRng dvips backtick/command execution
--- Windows News -------------------------------------------------------
*** {01.35.007} Win - WinWrapper Pro file retrieval
WinWrapper Professional version 2.0 has been found to allow a remote
attacker to download arbitrary files from the target system by using
directory traversal ('..') sequences in an HTTP request.
The vendor has confirmed this vulnerability and released a patch,
which is available at:
http://www.tsc.ant.co.jp/products/download.htm
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-08/0310.html
*** {01.35.010} Win - BadBlue file source disclosure
The BadBlue HTTP server version 1.02 has been found to allow a remote
attacker to download the raw contents of server-side files by appending
an encoded null byte ('%00') to the requested URL. This may give an
attacker the source code of dynamic CGIs/scripts.
The advisory indicates vendor confirmation. Version 1.5 is supposed
to contain a fix.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-08/0314.html
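The two Windows entries above are instances of the same request-handling mistake, so one added example serves both. The Python below is illustrative code written for this page, not code from WinWrapper, BadBlue or the advisories. It maps an HTTP request path onto a document root the way a small server should: decode the path exactly once, refuse an embedded NUL (the '%00' trick works because a C-level string ends at the first zero byte, so the script engine and the static-file handler see different filenames), normalise away '..' components, and confirm the result still lies under the root. The document root and the sample requests are constructed for the demonstration.

```python
import os
import posixpath
from urllib.parse import unquote_to_bytes

# Constructed document root for the demonstration (not from the page).
DOCROOT = "/var/www/htdocs"


class BadRequest(ValueError):
    pass


def naive_path(request_path: str, root: str = DOCROOT) -> str:
    """The pattern behind both advisories: decode and concatenate.

    '..' walks out of the root, and a decoded NUL makes a C runtime see a
    shorter filename than the script dispatcher did, so a dynamic page
    requested as 'page%00' can fall through to the static handler and be
    served as raw source.
    """
    decoded = unquote_to_bytes(request_path).decode("latin-1")
    return root + decoded


def safe_path(request_path: str, root: str = DOCROOT) -> str:
    """Decode once, validate, normalise, then confine to the root."""
    raw = unquote_to_bytes(request_path)
    if b"\x00" in raw:
        raise BadRequest("NUL byte in request path")
    try:
        decoded = raw.decode("utf-8")
    except UnicodeDecodeError:
        raise BadRequest("request path is not valid UTF-8")
    if "\\" in decoded:
        # Windows servers treat '\' as a separator; reject rather than guess.
        raise BadRequest("backslash in request path")
    # Collapse '.', '..' and repeated '/' in URL space before touching the FS.
    relative = posixpath.normpath(decoded.lstrip("/"))
    if relative in ("", "."):
        relative = "index.html"
    if relative.split("/")[0] == "..":
        # normpath leaves leading '..' components only when the path climbs
        # above its starting point, i.e. out of the document root.
        raise BadRequest("path escapes document root")
    root_abs = os.path.abspath(root)
    candidate = os.path.abspath(os.path.join(root_abs, relative))
    # Belt and braces: the resolved path must still be inside the root.
    if os.path.commonpath([root_abs, candidate]) != root_abs:
        raise BadRequest("path escapes document root")
    return candidate


def classify(request_path: str) -> str:
    """Return 'ok:<resolved path>' or 'rejected:<reason>' for a request."""
    try:
        return "ok:" + safe_path(request_path)
    except BadRequest as exc:
        return "rejected:" + str(exc)


if __name__ == "__main__":
    # Constructed sample requests: a normal page, a traversal attempt in plain
    # and percent-encoded form, a null-byte source-disclosure attempt, and a
    # harmless '..' that stays inside the root.
    for req in ["/index.html", "/../../../boot.ini", "/%2e%2e/%2e%2e/winnt/win.ini",
                "/cgi-bin/login.pl%00", "/docs/../docs/readme.txt"]:
        print(f"{req:40} naive={naive_path(req)!r:50} {classify(req)}")
```

Decoding exactly once matters: a server that decodes, checks, and decodes again can be fooled with '%252e%252e', which this routine leaves as a literal filename containing percent signs.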
*** {01.35.021} Win - AVTronics InetServer authentication overflow and
DoS
AVTronics' InetServer versions 3.2.1 and 3.1.1 have been found to
contain a buffer overflow in the handling of the HTTP authentication
header, which potentially could be used by a remote attacker to
execute arbitrary code. There is also a denial of service in the
server, whereby an attacker can cause the service to crash by sending
a large amount of data.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-08/0317.html
*** {01.35.022} Win - Outlook Web access malformed user name DoS
A few unconfirmed reports indicate a potential denial of service in
the Outlook Web Access (OWA) component for Microsoft Exchange. If a
remote attacker enters a particular malformed user name and password,
IIS might become unavailable.
No additional information or confirmation is available at this
time. Some people have reported that requiring NTLM authentication
(in IIS) works around the issue.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-08/0323.html
--- Linux News ---------------------------------------------------------
*** {01.35.018} Linux - Update {01.28.021}: xloadimage/faces reader
buffer overflow
Conectiva has released updated xloadimage packages that fix the
vulnerability discussed in {01.28.021} ("xloadimage/faces reader
buffer overflow").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/conectiva/2001-q3/0007.html
Source: Conectiva
http://archives.neohapsis.com/archives/linux/conectiva/2001-q3/0007.html
--- BSD News -----------------------------------------------------------
*** {01.35.008} BSD - Update {01.29.015}: OpenSSL PRNG predictability
NetBSD has released patches that fix the vulnerability discussed in
{01.29.015} ("OpenSSL PRNG predictability").
NetBSD-current as of July 10, 2001, and NetBSD-1.5 as of July 29,
2001, contain the updated fix.
Source: NetBSD
http://archives.neohapsis.com/archives/netbsd/2001-q3/0150.html
*** {01.35.009} BSD - dump runs RCMD_CMD with privileges
NetBSD has released an advisory indicating that the dump and dump_lfs
commands do not properly drop privileges before executing the command
specified in the RCMD_CMD environment variable. Since the variable is
set by the invoking user, this allows a local attacker to execute
arbitrary programs with group 'tty' privileges.
NetBSD-current and -1.5 as of Aug. 8, 2001, contain the fix. NetBSD-1.4
will need to apply the patch detailed at:
http://archives.neohapsis.com/archives/netbsd/2001-q3/0151.html
Source: NetBSD
http://archives.neohapsis.com/archives/netbsd/2001-q3/0151.html
--- AIX News -----------------------------------------------------------
*** {01.35.014} AIX - Layout library GetLayoutInitFunc() LANG ENV
variable overflow
IBM has released APAR IY20867, which fixes a potential overflow in
the GetLayoutInitFunc() function in a layout library used by setuid
applications. The vulnerability may allow local attackers to trigger
a buffer overflow in the handling of the LANG environment variable
and execute arbitrary code.
Source: IBM
http://archives.neohapsis.com/archives/aix/2001-q3/0003.html
*** {01.35.015} AIX - CDE dtprintinfo/dthelpview buffer overflow
IBM has released APAR IY21539, which fixes a buffer overflow in
dthelpview that could have security concerns. No additional details
have been released.
Source: IBM
http://archives.neohapsis.com/archives/aix/2001-q3/0003.html
*** {01.35.016} AIX - Vague security problem in lsmcode
IBM has released APAR IY22255, which corrects a problem in the error
messages reported by lsmcode. While IBM indicates that this problem
may impact security, we're not quite sure how.
Source: IBM
http://archives.neohapsis.com/archives/aix/2001-q3/0003.html
--- HP-UX News ---------------------------------------------------------
*** {01.35.006} HPUX - rlpdaemon remote buffer overflow
HP has released patches for a rlpdaemon buffer overflow, which may
allow a remote attacker to execute arbitrary code on the system with
root privileges.
HP has released the following patches:
HPUX 10.01: PHCO_24697
HPUX 10.10: PHCO_24698
HPUX 10.20: PHCO_24699
HPUX 11.00: PHCO_24700
HPUX 11.11: PHCO_24701
HPUX 11.20: PHCO_24868
Source: HP
http://archives.neohapsis.com/archives/hp/2001-q3/0047.html
--- SCO News -----------------------------------------------------------
*** {01.35.013} SCO - mana buffer overflow
The mana application has been found to contain a buffer overflow
that would allow a local attacker to execute arbitrary code under
root privileges.
Caldera has confirmed this vulnerability. Patches are listed at:
http://archives.neohapsis.com/archives/linux/caldera/2001-q3/0017.html
Source: SCO/Caldera
http://archives.neohapsis.com/archives/linux/caldera/2001-q3/0017.html
*** {01.35.017} SCO - Update {01.05.001}: Multiple Bind buffer
overflows (TSIG/infoleak)
SCO/Caldera has released temporary bind upgrades that fix the
vulnerability discussed in {01.05.001} ("Multiple Bind buffer overflows
(TSIG/infoleak)").
More information on this temporary upgrade is available at:
http://archives.neohapsis.com/archives/linux/caldera/2001-q3/0019.html
Source: SCO/Caldera
http://archives.neohapsis.com/archives/linux/caldera/2001-q3/0019.html
*** {01.35.024} SCO - uidadmin -S parameter overflow
SCO/Caldera has released SR847563 for Unixware 7 and OpenUnix 8. The
patch fixes a buffer overflow in uidadmin's handling of the -S command
line parameter, which could allow a local attacker to execute arbitrary
code under root privileges.
The patches are available at:
ftp://ftp.sco.com/pub/security/openunix/sr847563/
Source: SCO/Caldera
http://archives.neohapsis.com/archives/linux/caldera/2001-q3/0016.html
--- Network Appliances News --------------------------------------------
*** {01.35.001} NApps - Update {00.50.016}: Multiple vulnerabilities in
CBOS on Cisco 600 series routers
Cisco has released updated software that fixes the vulnerabilities
discussed in {00.50.016} ("Multiple vulnerabilities in CBOS on Cisco
600 series routers").
Updated CBOS versions 2.4.2b and 2.4.3 are available at:
http://www.cisco.com/
Source: Cisco (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-08/0344.html
--- Other News ---------------------------------------------------------
*** {01.35.004} Other - Update {01.30.021}: Multiple vendor telnetd
option-handling overflow
SGI has released patches that fix the vulnerability discussed in
{01.30.021} ("Multiple vendor telnetd option-handling overflow").
Patches are listed at:
http://archives.neohapsis.com/archives/vendor/2001-q3/0032.html
Source: SGI
http://archives.neohapsis.com/archives/vendor/2001-q3/0032.html
*** {01.35.028} Other - Update {01.15.011}: Multiple vendor FTP glob
functionality buffer overflow
SGI has released patches for the vulnerability discussed in {01.15.011}
("Multiple vendor FTP glob functionality buffer overflow").
IRIX versions 6.5 through 6.5.12 are vulnerable. Patches are listed at:
http://archives.neohapsis.com/archives/vulnwatch/2001-q3/0038.html
Source: SGI (VulnWatch)
http://archives.neohapsis.com/archives/vulnwatch/2001-q3/0038.html
--- Cross-Platform News ------------------------------------------------
*** {01.35.002} Cross - Netscape installation insecure temp file
creation
A recent advisory indicates that the Netscape 6.01a installation
process on Solaris (and possibly other platforms) creates an insecure
temporary file that could allow a local attacker to perform a symlink
attack.
This vulnerability has not been confirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2001-q3/0036.html
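The symlink attack the Netscape entry refers to is easy to reproduce against a scratch directory, which makes the fix concrete. The Python below is an added example for this page, not code from Netscape or the advisory; the installer file name and the victim file are constructed for the demonstration, and the test assumes a POSIX system where an unprivileged user can create symlinks. An attacker who can predict the temporary file name creates a symlink there ahead of time; a program that opens the name with O_CREAT and no O_EXCL follows the link and truncates or overwrites whatever it points at, with the program's privileges. Opening with O_EXCL (and O_NOFOLLOW where available) makes the open fail instead.

```python
import os
import tempfile

# O_NOFOLLOW is POSIX; fall back to 0 on platforms that lack it so the
# O_EXCL check still applies.
O_NOFOLLOW = getattr(os, "O_NOFOLLOW", 0)


def insecure_create(path: str, data: bytes) -> None:
    """Predictable name, O_CREAT without O_EXCL: follows a planted symlink."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o644)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def secure_create(path: str, data: bytes) -> None:
    """O_EXCL refuses any existing name, O_NOFOLLOW refuses a symlink.

    tempfile.mkstemp() does the same thing with an unpredictable name and is
    what new code should call; this shows the flags it relies on.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL | O_NOFOLLOW, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)


def simulate_symlink_attack(create) -> dict:
    """Run one creation routine against a planted symlink in a scratch dir.

    Returns whether the create call failed and whether the attacker's target
    file was clobbered. Everything happens under a throwaway directory.
    """
    with tempfile.TemporaryDirectory() as scratch:
        # Constructed victim file: something the attacker wants overwritten.
        victim = os.path.join(scratch, "victim.conf")
        with open(victim, "wb") as f:
            f.write(b"original config\n")
        # Constructed guessable temp name, e.g. <prefix>.<pid>.
        predictable = os.path.join(scratch, "ns_install.12345")
        os.symlink(victim, predictable)  # attacker plants the link first
        failed = False
        try:
            create(predictable, b"installer scratch data\n")
        except OSError:
            failed = True
        with open(victim, "rb") as f:
            contents = f.read()
    return {"failed": failed, "victim_clobbered": contents != b"original config\n"}


if __name__ == "__main__":
    print("O_CREAT|O_TRUNC         :", simulate_symlink_attack(insecure_create))
    print("O_CREAT|O_EXCL|O_NOFOLLOW:", simulate_symlink_attack(secure_create))
```

On a real system the target would be something like a configuration file or a file in the installing user's home directory, and the installer's privileges decide how much damage the overwrite does.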
*** {01.35.003} Cross - Update {01.34.020}: Sendmail -d parameter
arbitrary memory writing
Multiple vendors have released fixes for the vulnerability discussed
in {01.34.020} ("Sendmail -d parameter arbitrary memory writing").
OpenBSD patches are listed at:
http://archives.neohapsis.com/archives/openbsd/2001-08/2324.html
Updated Immunix RPMs:
http://archives.neohapsis.com/archives/bugtraq/2001-08/0360.html
Updated Caldera Linux RPMs:
http://archives.neohapsis.com/archives/linux/caldera/2001-q3/0018.html
Updated Conectiva RPMs:
http://archives.neohapsis.com/archives/linux/conectiva/2001-q3/0004.html
Updated SuSE RPMs:
http://archives.neohapsis.com/archives/linux/suse/2001-q3/0722.html
Source: Immunix, SuSE, Conectiva, OpenBSD, Caldera (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-08/0360.html
http://archives.neohapsis.com/archives/linux/conectiva/2001-q3/0004.html
http://archives.neohapsis.com/archives/linux/suse/2001-q3/0722.html
http://archives.neohapsis.com/archives/openbsd/2001-08/2324.html
http://archives.neohapsis.com/archives/linux/caldera/2001-q3/0018.html
*** {01.35.005} Cross - AOLserver long authorization header DoS
It has been reported that AOLserver version 3.0 stops responding when
a large authorization header is included in an HTTP request. This
allows a remote attacker to cause a denial of service situation.
The vendor has not confirmed this vulnerability.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-08/0325.html
*** {01.35.011} Cross - qpopper account existence confirmation bug
qpopper version 4.0.1 (installed from RPM on RedHat Linux 7.0) has been
found to respond differently to valid and invalid user accounts. This
could potentially allow a remote attacker to enumerate valid account
names by trying a list of candidate user names.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-08/0363.html
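The account-existence oracle described in the qpopper entry is a general pattern, so the following Python is added as an illustration of the pattern and its fix; it is not qpopper's code and does not reproduce qpopper's actual POP3 responses. The account database, response strings and iteration count are constructed for the demonstration. The leaky handler reports which check failed; the uniform handler returns one failure message and does the same hashing work whether or not the user exists, so neither the text nor the response time distinguishes the two cases. The attacker-side routine shows how little is needed to exploit the leak.

```python
import hashlib
import hmac
import os
from collections import Counter

ITERATIONS = 20_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed account database for the demonstration (not from the page):
# username -> (salt, digest).
_SALT = os.urandom(16)
ACCOUNTS = {
    "alice": (_SALT, _hash("alice-pw", _SALT)),
    "bob": (_SALT, _hash("bob-pw", _SALT)),
}

# A throwaway record hashed for unknown users, so a lookup miss costs the
# same time as a lookup hit (closes the timing side of the oracle too).
_DUMMY_SALT = os.urandom(16)
_DUMMY = (_DUMMY_SALT, _hash(os.urandom(16).hex(), _DUMMY_SALT))


def leaky_login(user: str, password: str) -> str:
    """The bug class reported above: the error text says which check failed."""
    if user not in ACCOUNTS:
        return "-ERR unknown user"
    salt, digest = ACCOUNTS[user]
    if not hmac.compare_digest(_hash(password, salt), digest):
        return "-ERR bad password"
    return "+OK"


def uniform_login(user: str, password: str) -> str:
    """Same message and same amount of work, whichever check failed."""
    salt, digest = ACCOUNTS.get(user, _DUMMY)
    matched = hmac.compare_digest(_hash(password, salt), digest)
    if matched and user in ACCOUNTS:
        return "+OK"
    return "-ERR authentication failed"


def enumerate_users(login, candidates) -> list:
    """Attacker side: try each name with a junk password and keep the names
    whose response differs from the common one. Against a uniform server
    this returns nothing."""
    responses = {name: login(name, "not-the-password") for name in candidates}
    majority = Counter(responses.values()).most_common(1)[0][0]
    return sorted(n for n, r in responses.items() if r != majority)


if __name__ == "__main__":
    # Constructed wordlist: two real accounts, four guesses.
    wordlist = ["alice", "bob", "carol", "dave", "eve", "mallory"]
    print("leaky server leaks:  ", enumerate_users(leaky_login, wordlist))
    print("uniform server leaks:", enumerate_users(uniform_login, wordlist))
```

Two-step protocols like POP3's USER/PASS need the same care at the USER step: acknowledging the name before the password is supplied is itself the oracle.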
*** {01.35.012} Cross - Adobe Acrobat/libCoolType creates
world-writable AdobeFnt.lst file
On Unix platforms, Adobe Acrobat (and potentially other applications
using Adobe's libCoolType library) has been found to create the
AdobeFnt.lst file with world-writable permissions. This may allow
local attackers to tamper with the file.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-08/0313.html
*** {01.35.019} Cross - Sage Software MAS200 network service DoS
Sage Software's MAS200 accounting package has been found to contain a
denial of service in the network remote access daemon. It's possible
for a remote attacker to disable the service, causing any subsequent
uses to fail.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-08/0312.html
*** {01.35.020} Cross - Konqueror long URL DoS
It has been reported that Konqueror version 2.2 crashes whenever a
malicious Web site sends an overly long URL. This can be used in a
denial of service situation.
This vulnerability has not been confirmed.
Source: SecurityFocus Vuln-Dev
http://archives.neohapsis.com/archives/vuln-dev/2001-q3/0493.html
*** {01.35.023} Cross - BSCW groupware tar/symlink file access
The BSCW groupware Web application has been found to contain a
vulnerability that would allow a remote attacker, who has proper
user access, to upload a particular tar file containing a symlink.
The symlink could then allow the attacker to view any file on the
system that is readable with the privileges of the BSCW process.
The advisory indicates that patches are available at:
http://bscw.gmd.de/
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-08/0328.html
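Archives supplied by users are a classic way to smuggle a symlink past an application, and the check is short, so here it is worked through in Python as an added example for this page; it is not BSCW's code and the archives it builds are constructed in memory for the demonstration. Before extracting, every member is inspected: symlink and hardlink members are refused (a symlink to /etc/passwd, once extracted into the user's area, is read back through the application with the application's privileges), as are absolute names and names that climb out of the extraction directory. Extraction only happens when the whole archive passes.

```python
import io
import os
import posixpath
import tarfile
import tempfile


class UnsafeArchive(ValueError):
    pass


def check_tar_members(tar: tarfile.TarFile) -> list:
    """Return member names if every member is a plain file or directory
    confined to the extraction directory; raise UnsafeArchive otherwise."""
    names = []
    for m in tar.getmembers():
        if m.issym() or m.islnk():
            raise UnsafeArchive(f"{m.name}: symlink/hardlink members not allowed")
        if not (m.isfile() or m.isdir()):
            raise UnsafeArchive(f"{m.name}: unsupported member type")
        if m.name.startswith(("/", "\\")):
            raise UnsafeArchive(f"{m.name}: absolute path")
        if posixpath.normpath(m.name).split("/")[0] == "..":
            raise UnsafeArchive(f"{m.name}: escapes extraction directory")
        names.append(m.name)
    return names


def safe_extract(data: bytes, dest: str) -> list:
    """Validate the whole archive, then extract it under dest."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tar:
        names = check_tar_members(tar)
        if hasattr(tarfile, "data_filter"):      # Python 3.12+: stdlib filter too
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)
    return names


# --- constructed archives for the demonstration (not from the page)
def _add_file(tar: tarfile.TarFile, name: str, content: bytes) -> None:
    info = tarfile.TarInfo(name)
    info.size = len(content)
    tar.addfile(info, io.BytesIO(content))


def benign_archive() -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        _add_file(tar, "docs/readme.txt", b"hello\n")
    return buf.getvalue()


def symlink_archive() -> bytes:
    """The shape of the reported attack: a member that is a symlink to a
    system file, so reading 'secrets' through the application reads the
    link target with the application's privileges."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        link = tarfile.TarInfo("secrets")
        link.type = tarfile.SYMTYPE
        link.linkname = "/etc/passwd"
        tar.addfile(link)
    return buf.getvalue()


def traversal_archive() -> bytes:
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        _add_file(tar, "../../outside.txt", b"escaped\n")
    return buf.getvalue()


def try_extract(data: bytes) -> str:
    """Extract into a throwaway directory; report 'ok:<names>' or the reason."""
    with tempfile.TemporaryDirectory() as dest:
        try:
            return "ok:" + ",".join(safe_extract(data, dest))
        except UnsafeArchive as exc:
            return "rejected:" + str(exc)


if __name__ == "__main__":
    for label, data in [("benign", benign_archive()), ("symlink", symlink_archive()),
                        ("traversal", traversal_archive())]:
        print(f"{label:10} {try_extract(data)}")
```

Checking the member list before extracting anything matters: extracting member by member and stopping at the first bad one leaves the earlier members on disk, which is exactly the state an attacker ordering the archive carefully is after.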
*** {01.35.025} Cross - JRE 1.3 with Java Plugin 1.4 ignores security
certificates
A report has surfaced indicating that the particular combination of
JRE 1.3 and Java Plugin 1.4 allows applets whose security certificates
are outdated to still execute with privileges.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-08/0359.html
*** {01.35.026} Cross - PHProjekt authentication bypass
The PHProjekt PHP Web application prior to version 2.4a has been
found to allow remote attackers to access other users' data without
needing any authentication information.
The vendor has confirmed this vulnerability and released version 2.4a,
which is available at:
http://www.PHProjekt.com/download/phprojekt.tar.gz
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-08/0373.html
*** {01.35.027} Cross - LPRng dvips backtick/command execution
A configuration bug was found in LPRng: its print filter passes DVI
files (TeX output) to dvips for processing without the -R parameter,
which puts dvips in its secure mode and disables insecure features
such as backtick command execution. An attacker who can submit jobs
to the lp daemon can therefore run commands under the privileges of
the lp daemon.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-08/0375.html
************************************************************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (BSD/OS)
Comment: For info see http://www.gnupg.org
iD8DBQE7jo3A+LUG5KFpTkYRAmBSAJ9k97fZU6/7cJkq9WzlatBI3QocLwCdFhjC
wGSEbX6KxBzzAXeCH7Qnrx4=
=cOkM
-----END PGP SIGNATURE-----
----------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed
to you and you would like to begin receiving our security e-mail
newsletter on a weekly basis, we invite you to subscribe today.
http://www.networkcomputing.com/consensus/.
We are signing the Consensus newsletter
with PGP. The new SANS PGP key is posted at:
http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46
and can be accessed from the SANS Web site (http://www.sans.org).
Special Note: To better secure your confidential information,
we will no longer include personal URLs in our Consensus
newsletter mailings. Instead, we have created a new form
(http://www.sans.org/sansurl). On this form you can enter the SD
number located near your name at the top of the newsletter. When you
submit this form, an e-mail containing a URL will be sent to you at
the e-mail address on record. With this URL you can make changes to
your account (edit the content of your Consensus mailing, for example)
without endangering the security of your personal URL. If you'd like
to change your e-mail address or other information, or unsubscribe
to this newsletter, please visit your new URL as described above. If
you have any problems or questions, e-mail us at <consensus@nwc.com>.
Missed an issue? You can find all back issues of
Security Alert Consensus (and Security Express) online.
http://archives.neohapsis.com/
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2001 Network Computing, a CMP Media LLC
publication. All Rights Reserved. Distributed by Network
Computing (http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).