From: Network Computing and The SANS Institute (sans+ZZ14932114608853926@sans.org)
Date: Thu Sep 06 2001 - 15:17:50 CDT
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 113 (01.36)
Thursday, September 6, 2001
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below
you should find information pertaining only to the categories you
requested. If you have any problems or questions, please e-mail us
at <consensus@nwc.com>.
----------------------------------------------------------------------
*** Sponsored by SurfControl ***
"I was one of the 750,000 Code Red victims. One employee let the virus
in by accessing his personal email account over the web. I had no
control then. But now I'm using SuperScout Web Filter to block access
to Hotmail, Yahoo... actually all web-based email sites. They say Code
Red may never go away, but it might if everyone was protected by
SuperScout." -Network Manager.
FREE 30-Day Trial: http://www.surfcontrol.com/promo/ZSSAC0906
----------------------------------------------------------------------
This week, the SAC team had the pleasure of bringing up a brand
spanking new T1 to our lab, one we'd been awaiting for several
months. On delivery, we noticed considerable activity with nothing but
the router plugged in -- 32 Kbps of IP traffic, to be exact. Turns
out, our class C was being pounded by port 80 probes from all over
the Internet -- yes, piles and piles of port 80 probes from .ida
exploiting worms (that is, Code Red and family).
To network admins watching over edge devices, this is probably not
surprising. They've been battling Code Red for over a month now. For
the rest of us, these experiences are another reminder to employ
several layers of security, to keep systems patched and to run only
the necessary daemons.
On a related note, "Code Green" and a few other "Code Red Cleaner"
automata have been released.
http://www.incidents.org/archives/intrusions/msg01608.html
While we do not condone any unauthorized access, even from "benevolent"
worms such as these, admins who still haven't patched their IIS systems
against Code Red and other IIS vulnerabilities may find their systems
automatically patched by these new worms.
Until next week,
--Security Alert Consensus Team
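Spotting that kind of traffic in a Web server log, as an added example that is not part of the newsletter: the log lines below are constructed in Apache common log format (documentation address ranges, no captured traffic), and the signature used, a request for an .ida/.idq URL whose query string carries %u-encoded bytes, comes from published Code Red analyses rather than from this page.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample in Apache common log format; addresses are documentation
# ranges and the requests are modelled on the Code Red family, not captured traffic.
SAMPLE_LOG = """\
10.0.0.7 - - [06/Sep/2001:14:02:11 -0500] "GET /index.html HTTP/1.0" 200 1043
192.0.2.44 - - [06/Sep/2001:14:02:15 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3 HTTP/1.0" 404 302
198.51.100.9 - - [06/Sep/2001:14:02:19 -0500] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3 HTTP/1.0" 404 302
192.0.2.44 - - [06/Sep/2001:14:03:40 -0500] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3 HTTP/1.0" 404 302
10.0.0.7 - - [06/Sep/2001:14:04:02 -0500] "GET /search.idq?q=test HTTP/1.0" 200 512
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)'
)
# Extensions served by the Index Server ISAPI filter (idq.dll), the component
# the .ida overflow lives in.
ISAPI_EXT = ('.ida', '.idq')
# The worm's payload arrives as %uXXXX "unicode" escapes in the query string.
UNICODE_ESCAPE = re.compile(r'%u[0-9a-fA-F]{4}')

def parse_line(line):
    """Return the fields of one CLF line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_ida_probe(target):
    """True for a request to an .ida/.idq URL whose query carries %u escapes."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith(ISAPI_EXT):
        return False
    return UNICODE_ESCAPE.search(parts.query) is not None

def find_ida_probes(log_text):
    """All (source ip, request target) pairs that look like .ida exploit attempts."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_ida_probe(rec['target']):
            hits.append((rec['ip'], rec['target']))
    return hits

def probes_by_source(log_text):
    """How many probes each source address sent; handy input for an edge ACL."""
    return Counter(ip for ip, _ in find_ida_probes(log_text))

if __name__ == '__main__':
    for ip, count in probes_by_source(SAMPLE_LOG).most_common():
        print(f'{ip:16} {count} .ida probe(s)')
```

A legitimate .idq query without %u escapes (the last sample line) is not flagged, which keeps the rule from firing on ordinary Index Server use; a server that does not need the Index Server ISAPI mapping at all is better off with it removed, which is the "run only the necessary daemons" point above.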
************************************************************************
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
TABLE OF CONTENTS:
{01.36.002} Linux - Update {01.33.005}: Fetchmail LIST response memory
overwrite
{01.36.003} Linux - Update {01.33.009}: WindowMaker window title buffer
overflow
{01.36.004} Linux - Update {01.28.021}: xloadimage/faces reader buffer
overflow
{01.36.005} Linux - Update {01.34.020}: Sendmail -d parameter arbitrary
memory writing
{01.36.006} Linux - Update {01.16.032}: IPTables FTP RELATED
connections bypass filters
{01.36.008} Linux - Update {01.29.015}: OpenSSL PRNG predictability
{01.36.009} Linux - Update {01.30.021}: Multiple vendor telnetd
option-handling overflow
{01.36.010} Linux - Update {01.33.002}: OpenLDAP invalid BER length DoS
{01.36.018} BSD - in.lpd job submission/view status overflow
{01.36.016} Sol - Update {01.26.035}: in.lpd 'transfer job' overflow
{01.36.017} Sol - Update {01.12.024}: snmpXdmid 'indication' buffer
overflow
{01.36.013} HPUX - PRM /opt/prm/bin/ security problem
{01.36.014} HPUX - CIFS/9000 server incorrect password sync
{01.36.022} HPUX - swverify large command line parameter overflow
{01.36.012} SCO - OpenUnix lpsystem long parameter overflow
{01.36.001} Cross - PhpMyExplorer directory traversal
{01.36.007} Cross - Multiple xinetd vulnerabilities
{01.36.011} Cross - S/Key keyinit potential authentication bypass
{01.36.015} Cross - iPlanet administration server authorization header
overflow
{01.36.019} Cross - Bugzilla confidential data access and other bugs
{01.36.020} Cross - gnut gnutella client CSS vulnerability
{01.36.023} Cross - Informix SQL temp file symlink attacks
{01.36.024} Cross - PGPsdk key validity vulnerability
{01.36.025} Cross - Basilix user name parameter command execution
{01.36.026} Cross - POP3Lite unescaped dot server response injection
{01.36.027} Cross - AuthPG/mod_auth_pg SQL injection
{01.36.028} Cross - mod_auth_mysql SQL injection
{01.36.029} Cross - mod_auth_oracle SQL injection
{01.36.030} Cross - mod_auth_pgsql SQL injection
{01.36.031} Cross - mod_auth_pgsql_sys SQL injection
{01.36.021} Svc - Verizon Web site weak session ID/user information
access
--- Linux News -----------------------------------------------------------
*** {01.36.002} Linux - Update {01.33.005}: Fetchmail LIST response
memory overwrite
Mandrake has released updated fetchmail packages that fix the
vulnerability discussed in {01.33.005} ("Fetchmail LIST response
memory overwrite").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/bugtraq/2001-08/0426.html
Source: Mandrake (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-08/0426.html
*** {01.36.003} Linux - Update {01.33.009}: WindowMaker window title
buffer overflow
Mandrake has released updated WindowMaker packages that fix the
vulnerability discussed in {01.33.009} ("WindowMaker window title
buffer overflow").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/bugtraq/2001-08/0424.html
Source: Mandrake (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-08/0424.html
*** {01.36.004} Linux - Update {01.28.021}: xloadimage/faces reader
buffer overflow
Mandrake has released updated xli packages that fix the vulnerability
discussed in {01.28.021} ("xloadimage/faces reader buffer overflow").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/bugtraq/2001-08/0427.html
Source: Mandrake (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-08/0427.html
*** {01.36.005} Linux - Update {01.34.020}: Sendmail -d parameter
arbitrary memory writing
Multiple vendors have released updated sendmail packages that fix
the vulnerability discussed in {01.34.020} ("Sendmail -d parameter
arbitrary memory writing").
Updated Immunix RPMs:
http://archives.neohapsis.com/archives/linux/immunix/2001-q3/0051.html
Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/bugtraq/2001-08/0428.html
Source: Immunix, Mandrake (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-08/0428.html
http://archives.neohapsis.com/archives/linux/immunix/2001-q3/0051.html
*** {01.36.006} Linux - Update {01.16.032}: IPTables FTP RELATED
connections bypass filters
Mandrake has released updated kernel packages that fix the
vulnerability discussed in {01.16.032} ("IPTables FTP RELATED
connections bypass filters").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/bugtraq/2001-08/0390.html
Source: Mandrake (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-08/0390.html
*** {01.36.008} Linux - Update {01.29.015}: OpenSSL PRNG predictability
Conectiva has released updated OpenSSL packages that fix the
vulnerability discussed in {01.29.015} ("OpenSSL PRNG predictability").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/conectiva/2001-q3/0011.html
Source: Conectiva
http://archives.neohapsis.com/archives/linux/conectiva/2001-q3/0011.html
*** {01.36.009} Linux - Update {01.30.021}: Multiple vendor telnetd
option-handling overflow
SuSE and Conectiva have released updated telnetd packages that fix
the vulnerability discussed in {01.30.021} ("Multiple vendor telnetd
option-handling overflow").
Updated SuSE RPMs:
http://archives.neohapsis.com/archives/linux/suse/2001-q3/0885.html
Updated Conectiva RPMs:
http://archives.neohapsis.com/archives/linux/conectiva/2001-q3/0005.html
Source: SuSE, Conectiva
http://archives.neohapsis.com/archives/linux/suse/2001-q3/0885.html
http://archives.neohapsis.com/archives/linux/conectiva/2001-q3/0005.html
*** {01.36.010} Linux - Update {01.33.002}: OpenLDAP invalid BER length
DoS
Conectiva has released updated OpenLDAP packages that fix the
vulnerability discussed in {01.33.002} ("OpenLDAP invalid BER length
DoS").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/conectiva/2001-q3/0010.html
Source: Conectiva
http://archives.neohapsis.com/archives/linux/conectiva/2001-q3/0010.html
--- BSD News -------------------------------------------------------------
*** {01.36.018} BSD - in.lpd job submission/view status overflow
The (in.)lpd daemon shipped with various BSD distributions contains an
overflow that could allow a remote attacker to execute arbitrary code
with elevated privileges. OpenBSD current, FreeBSD 4.3, NetBSD 1.5.1
and BSD/OS 4.1 (as well as earlier versions of all distributions)
are vulnerable.
BSD/OS 4.2 is not vulnerable. FreeBSD as of August 30, 2001, contains
the fixes.
Source: ISS
http://archives.neohapsis.com/archives/iss/2001-q3/0362.html
--- Solaris News ---------------------------------------------------------
*** {01.36.016} Sol - Update {01.26.035}: in.lpd 'transfer job' overflow
Sun has released patches to fix the vulnerability discussed in
{01.26.035} ("in.lpd 'transfer job' overflow").
Available patches:
SunOS 5.8: 109320-04
SunOS 5.8_x86: 109321-04
SunOS 5.7: 107115-09
SunOS 5.7_x86: 107116-09
SunOS 5.6: 106235-09
SunOS 5.6_x86: 106236-09
Source: Sun (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-08/0413.html
*** {01.36.017} Sol - Update {01.12.024}: snmpXdmid 'indication' buffer
overflow
Sun has released patches for the vulnerability discussed in {01.12.024}
("snmpXdmid 'indication' buffer overflow").
Available patches:
SunOS 5.8: 108869-07
SunOS 5.8_x86: 108870-07
SunOS 5.7: 107709-15
SunOS 5.7_x86: 107710-15
SunOS 5.6: 106787-15
SunOS 5.6_x86: 106872-15
Source: Sun (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-08/0414.html
--- HP-UX News -----------------------------------------------------------
*** {01.36.013} HPUX - PRM /opt/prm/bin/ security problem
HP has released an advisory indicating that a component of the Process
Resource Manager contains a security vulnerability that may allow a
local attacker to gain root privileges. If we had to venture a guess,
we would say that the permissions on files within /opt/prm/bin/
are probably incorrect, thereby allowing local attackers to modify
the files.
HP has released patches:
HPUX 10.20: PHSS_24863
HPUX 11.00: PHSS_24864
HPUX 11.11: PHSS_24864
Source: HP
http://archives.neohapsis.com/archives/hp/2001-q3/0048.html
*** {01.36.014} HPUX - CIFS/9000 server incorrect password sync
The CIFS/9000 service has been found to potentially change the wrong
user's password when a user initiates a password change.
HP has confirmed this problem and released manual fix instructions,
which are available at:
http://archives.neohapsis.com/archives/hp/2001-q3/0048.html
Source: HP
http://archives.neohapsis.com/archives/hp/2001-q3/0048.html
*** {01.36.022} HPUX - swverify large command line parameter overflow
A recently released exploit indicates that there is a buffer overflow
in swverify's handling of command line options. This could allow a
local attacker to execute code with elevated privileges.
This vulnerability has not been confirmed. No patches have been
made available.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-08/0452.html
--- SCO News -------------------------------------------------------------
*** {01.36.012} SCO - OpenUnix lpsystem long parameter overflow
The lpsystem application shipped with OpenUnix version 8.0 contains
a buffer overflow in the handling of command line arguments. This
could allow a local attacker to execute arbitrary code with elevated
privileges.
Caldera has confirmed this vulnerability and released a patch. Patch
information is listed at:
http://archives.neohapsis.com/archives/bugtraq/2001-08/0391.html
Source: SCO/Caldera (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-08/0391.html
--- Cross-Platform News --------------------------------------------------
*** {01.36.001} Cross - PhpMyExplorer directory traversal
PhpMyExplorer, a PHP-based file manager, is vulnerable to a directory
traversal attack that allows an attacker to browse the entire file
system with the privileges of the Web server.
The advisory indicates vendor confirmation. Version 1.2.1 is supposed
to contain a fix, which is available at:
http://elegac.free.fr/commun/index.php3?stats=true&langue=uk
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-08/0418.html
http://archives.neohapsis.com/archives/bugtraq/2001-08/0408.html
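The check a Web file manager needs in order to avoid this class of bug, as an added example in Python rather than PhpMyExplorer's PHP, and not the project's own code: the naive path construction is shown beside one that canonicalises the path and confirms it is still under the exported directory. The directory tree is constructed for the demonstration and the PhpMyExplorer layout is not assumed.

```python
import os
import tempfile
from pathlib import Path

def vulnerable_resolve(base_dir, user_path):
    """How a naive file manager builds the path: base + user input, no check.
    os.path.join throws base_dir away when user_path is absolute, and '..'
    segments walk out of base_dir, so '../../etc/passwd' lands in /etc."""
    return os.path.normpath(os.path.join(base_dir, user_path))

def safe_resolve(base_dir, user_path):
    """Canonicalise first (symlinks and '..' included), then insist the result
    is still inside base_dir. Raises PermissionError otherwise."""
    base = Path(base_dir).resolve()
    # A leading slash is treated as relative rather than handed to the OS.
    candidate = (base / user_path.lstrip('/\\')).resolve()
    try:
        candidate.relative_to(base)
    except ValueError:
        raise PermissionError(f'{user_path!r} escapes {base}') from None
    return candidate

def is_allowed(base_dir, user_path):
    """Convenience wrapper: True if safe_resolve accepts the path."""
    try:
        safe_resolve(base_dir, user_path)
        return True
    except PermissionError:
        return False

def build_sandbox():
    """Constructed directory tree for the demonstration (not the tool's layout).
    Returns (base, symlink_created); the symlink points outside the tree so the
    symlink case can be exercised where the platform allows it."""
    base = Path(tempfile.mkdtemp(prefix='traversal_demo_'))
    (base / 'docs').mkdir()
    (base / 'docs' / 'readme.txt').write_text('hello\n')
    try:
        (base / 'escape').symlink_to('/', target_is_directory=True)
        symlinked = True
    except OSError:
        symlinked = False
    return base, symlinked

if __name__ == '__main__':
    base, _ = build_sandbox()
    for p in ('docs/readme.txt', '../../etc/passwd', '/etc/passwd', 'escape/etc/passwd'):
        naive = vulnerable_resolve(str(base), p)
        print(f'{p:20} naive -> {naive:40} checked -> {is_allowed(base, p)}')
```

Resolving before comparing is the important part: a prefix check on the unresolved string passes `base/escape/etc/passwd` even though the symlink takes it out of the tree, and a blacklist of `..` misses absolute paths entirely.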
*** {01.36.007} Cross - Multiple xinetd vulnerabilities
Solar Designer recently conducted a thorough audit of xinetd and found
many minor security-related vulnerabilities. All versions prior to
version 2.3.3 are vulnerable. For a full list of bugs/vulnerabilities,
view the reference URL below. Various Linux vendors have also released
updated xinetd packages.
Updated Immunix RPMs:
http://archives.neohapsis.com/archives/linux/immunix/2001-q3/0050.html
Updated Conectiva RPMs:
http://archives.neohapsis.com/archives/linux/conectiva/2001-q3/0009.html
Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/bugtraq/2001-08/0423.html
Source: Linux Security Auditing Project, Immunix, Conectiva, Mandrake
(SF Bugtraq)
http://archives.neohapsis.com/archives/linux/lsap/2001-q3/0016.html
http://archives.neohapsis.com/archives/linux/immunix/2001-q3/0050.html
http://archives.neohapsis.com/archives/linux/conectiva/2001-q3/0009.html
http://archives.neohapsis.com/archives/bugtraq/2001-08/0423.html
*** {01.36.011} Cross - S/Key keyinit potential authentication bypass
A recently posted advisory points out that S/Key's keyinit program does
not require any authentication before resetting a user's key sequence.
An attacker who has already obtained access as that user (an unattended
session, a stolen reusable password) can therefore run keyinit with a
secret of his own choosing and then answer S/Key challenges in any
application that relies on S/Key for further authentication. One example
would be systems that use sudo in combination with S/Key.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-08/0441.html
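Why an unauthenticated reset defeats the scheme, as an added example (not from the advisory or any S/Key implementation): a one-way hash chain of the kind S/Key uses, a server that stores the last accepted link, and two versions of keyinit. Simplifications and assumptions: the step function is SHA-256 truncated to 8 bytes rather than S/Key's MD4 folded to 64 bits with the six-word encoding, and `keyinit_authenticated` is a hardening suggested here, not a vendor fix.

```python
import hashlib

def skey_step(x: bytes) -> bytes:
    """One link of the one-way chain. Simplification: real S/Key (RFC 1760)
    uses MD4 folded to 64 bits and prints the result as six short words;
    SHA-256 truncated to 8 bytes keeps the structure without the encoding."""
    return hashlib.sha256(x).digest()[:8]

def chain(secret: str, seed: str, n: int) -> bytes:
    """Apply the step function n times to H(seed || secret). chain(n) is what
    the server stores; chain(n - 1) is the next one-time password presented."""
    x = skey_step((seed + secret).encode())
    for _ in range(n):
        x = skey_step(x)
    return x

class SKeyServer:
    """Per-user (count, seed, last accepted value), i.e. one /etc/skeykeys line."""

    def __init__(self):
        self.db = {}

    def challenge(self, user):
        n, seed, _ = self.db[user]
        return n - 1, seed                      # e.g. "s/key 98 ab12"

    def verify(self, user, otp: bytes) -> bool:
        n, seed, stored = self.db[user]
        if skey_step(otp) != stored:
            return False
        self.db[user] = (n - 1, seed, otp)      # advance the chain
        return True

    def keyinit_unauthenticated(self, user, seed, n, secret):
        """The behaviour the advisory describes: anyone running as the user
        may replace the stored chain without presenting a one-time password."""
        self.db[user] = (n, seed, chain(secret, seed, n))

    def keyinit_authenticated(self, user, seed, n, secret, current_otp=None):
        """Hardened variant (assumption, not a vendor fix): re-initialising an
        existing entry requires a valid one-time password for the old chain."""
        if user in self.db and (current_otp is None or not self.verify(user, current_otp)):
            raise PermissionError('current one-time password required to reset S/Key')
        self.db[user] = (n, seed, chain(secret, seed, n))
```

The attacker never learns the victim's passphrase; the unauthenticated reset simply replaces it with one he knows, after which every S/Key-protected step (sudo included) accepts his answers.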
*** {01.36.015} Cross - iPlanet administration server authorization
header overflow
A recent advisory indicates that the iPlanet administration service
contains a buffer overflow in the handling of overly long user
credentials sent in the HTTP Authorization header. This vulnerability
could allow a remote attacker to execute arbitrary code with root/SYSTEM
privileges. The vulnerability has only been reported on iPlanet 5.0
on Windows NT, but other platforms may be vulnerable.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-08/0438.html
*** {01.36.019} Cross - Bugzilla confidential data access and other bugs
Many security bugs were recently fixed in Bugzilla versions
prior to version 2.14. Several bugs had to do with not properly
escaping/filtering incoming user data, and one bug allowed user access
to 'confidential' bug information without the proper credentials.
These vulnerabilities have been confirmed and fixed in version 2.14,
which is available at:
http://www.mozilla.org/projects/bugzilla/
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-08/0402.html
*** {01.36.020} Cross - gnut gnutella client CSS vulnerability
The gnut gnutella client contains a cross-site scripting vulnerability
(abbreviated CSS in the advisory) in its Web front-end. An attacker
can embed JavaScript in the names of the files he shares; the script
is then executed in the browser of every gnut user whose Web front-end
lists that entry.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-08/0415.html
*** {01.36.023} Cross - Informix SQL temp file symlink attacks
Certain Informix SQL applications have been found to insecurely
create temporary files, allowing a local attacker to create/overwrite
arbitrary files on the system by using symlinks.
These vulnerabilities have not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-08/0463.html
*** {01.36.024} Cross - PGPsdk key validity vulnerability
PGP has released an advisory indicating that a vulnerability in the
PGP SDK may lead a user to believe an invalid key is valid.
NAI has confirmed this vulnerability and released many product updates
to fix it. A full list is available at:
http://archives.neohapsis.com/archives/bugtraq/2001-08/0462.html
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-08/0462.html
*** {01.36.025} Cross - Basilix user name parameter command execution
The Basilix Webmail application contains a vulnerability in the
handling of the user name URL parameter. This would allow a remote
attacker to execute arbitrary shell commands with the privileges of
the Web server.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-08/0447.html
*** {01.36.026} Cross - POP3Lite unescaped dot server response injection
The POP3Lite server prior to version 0.2.4 does not byte-stuff message
lines that begin with a period, as the POP3 protocol requires. A message
containing a line consisting of a single period is therefore cut off
early by the client, and the text that follows it in the message can be
taken by the client as genuine POP server responses. The implications
of this bug are mild.
The vendor has confirmed this vulnerability and released version 0.2.4,
which is available at:
ftp://pop3lite.sourceforge.net/pub/pop3lite/
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-08/0436.html
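Both sides of the exchange, as an added example that is not POP3Lite's code: a server routine for the multi-line RETR response with byte-stuffing switchable on and off, and a client reader that stops at the lone period. The message is constructed for the demonstration; its body contains a bare "." line followed by a line shaped like a server reply.

```python
CRLF = '\r\n'

# Constructed message: the body carries a bare '.' line followed by text that
# imitates a POP3 server reply. Nothing here is taken from the advisory.
MALICIOUS_MESSAGE = [
    'From: mallory@example.net',
    'Subject: hello',
    '',
    'nothing to see here',
    '.',
    '+OK 0 0',
    '',
    'the rest of the message',
]

def send_multiline(message_lines, byte_stuff=True):
    """Server side of RETR. RFC 1939 requires any line starting with '.' to be
    sent with an extra leading '.', so the lone '.' terminator is unambiguous.
    byte_stuff=False reproduces a server that skips this step."""
    out = []
    for line in message_lines:
        if byte_stuff and line.startswith('.'):
            line = '.' + line
        out.append(line)
    out.append('.')
    return CRLF.join(out) + CRLF

def client_read_multiline(stream):
    """Client side: collect lines up to the lone '.', undoing the stuffing.
    Returns (message_lines, unread_remainder_of_stream)."""
    lines = []
    rest = stream
    while True:
        line, sep, rest = rest.partition(CRLF)
        if not sep:
            raise ValueError('stream ended before terminator')
        if line == '.':
            return lines, rest
        lines.append(line[1:] if line.startswith('.') else line)

def next_status_line(stream):
    """What the client will treat as the server's reply to its next command."""
    return stream.partition(CRLF)[0]
```

With stuffing off, the client's view of the message ends at the attacker's period and the line "+OK 0 0" is left in the socket buffer, where it is read as the status of whatever command the client sends next; with stuffing on, the same message is delivered intact and nothing is left over.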
*** {01.36.027} Cross - AuthPG/mod_auth_pg SQL injection
The AuthPG/mod_auth_pg Apache SQL authentication module prior to
version 1.3 does not properly filter incoming user data. This allows
a remote attacker to execute arbitrary SQL commands on the Postgres
server.
The vendor has confirmed this vulnerability and released version 1.3.
Source: Vulnwatch
http://archives.neohapsis.com/archives/vulnwatch/2001-q3/0040.html
*** {01.36.028} Cross - mod_auth_mysql SQL injection
The mod_auth_mysql Apache SQL authentication module prior to version
1.10 does not properly filter incoming user data. This allows a remote
attacker to execute arbitrary SQL commands on the MySQL database.
The vendor has confirmed this vulnerability and released version 1.10.
Source: Vulnwatch
http://archives.neohapsis.com/archives/vulnwatch/2001-q3/0040.html
*** {01.36.029} Cross - mod_auth_oracle SQL injection
The mod_auth_oracle Apache SQL authentication module version 0.5.1
does not properly filter incoming user data. This allows a remote
attacker to execute arbitrary SQL commands on the Oracle database.
RUS-CERT has confirmed this vulnerability.
Source: Vulnwatch
http://archives.neohapsis.com/archives/vulnwatch/2001-q3/0040.html
*** {01.36.030} Cross - mod_auth_pgsql SQL injection
The mod_auth_pgsql Apache SQL authentication module version 0.9.5
does not properly handle incoming user data. This allows a remote
attacker to execute arbitrary SQL commands on the Postgres database.
The vendor has confirmed this vulnerability and released version 0.9.6.
Source: Vulnwatch
http://archives.neohapsis.com/archives/vulnwatch/2001-q3/0040.html
*** {01.36.031} Cross - mod_auth_pgsql_sys SQL injection
The mod_auth_pgsql_sys Apache SQL authentication module version 0.9.4
does not properly filter incoming user data. This allows a remote
attacker to execute arbitrary SQL commands on the Postgres database.
RUS-CERT has confirmed this vulnerability.
Source: Vulnwatch
http://archives.neohapsis.com/archives/vulnwatch/2001-q3/0040.html
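The shape of the bug shared by {01.36.027} through {01.36.031}, as an added example in Python with SQLite rather than the C of the Apache modules, and not taken from any of them: the user name from the HTTP Authorization header is pasted into the SQL text in one lookup and bound as a parameter in the other. The user table and the payload are constructed for the demonstration; the advisory's own test cases are in the VulnWatch post.

```python
import sqlite3

def make_db():
    """Constructed user table standing in for the module's password table."""
    db = sqlite3.connect(':memory:')
    db.execute('CREATE TABLE users (username TEXT PRIMARY KEY, passwd TEXT)')
    db.execute("INSERT INTO users VALUES ('alice', 'c0rrect-h0rse')")
    return db

def lookup_vulnerable(db, username):
    """The bug class: the user name from the Authorization header is pasted
    straight into the SQL text, so quotes in it become SQL syntax."""
    query = "SELECT passwd FROM users WHERE username='%s'" % username
    row = db.execute(query).fetchone()
    return row[0] if row else None

def lookup_safe(db, username):
    """Bind the value instead; the database never parses it as SQL."""
    row = db.execute('SELECT passwd FROM users WHERE username=?', (username,)).fetchone()
    return row[0] if row else None

def authenticate(db, username, password, lookup):
    """Fetch-then-compare. Plain comparison here for brevity; with crypt()
    hashes in the table the attacker injects a hash of a password he knows."""
    stored = lookup(db, username)
    return stored is not None and stored == password

# Constructed payload: closes the quoted literal, appends a row of the
# attacker's choosing with UNION, and comments out the module's closing quote.
PAYLOAD_USERNAME = "nobody' UNION SELECT 'letmein' -- "

if __name__ == '__main__':
    db = make_db()
    for name, lookup in (('vulnerable', lookup_vulnerable), ('parameterised', lookup_safe)):
        print(f'{name:14} alice/c0rrect-h0rse -> {authenticate(db, "alice", "c0rrect-h0rse", lookup)}')
        print(f'{name:14} payload/letmein     -> {authenticate(db, PAYLOAD_USERNAME, "letmein", lookup)}')
```

Escaping the quote characters, which is what "filtering" the input amounts to, closes this particular hole; binding the value as a parameter closes the whole class, including encodings the escaping routine did not anticipate.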
--- Services News --------------------------------------------------------
*** {01.36.021} Svc - Verizon Web site weak session ID/user information
access
A report has surfaced indicating that it is possible to access other
users' cellular phone account information on Verizon's Web site because
session IDs are generated weakly enough to be guessed.
This vulnerability has not been confirmed. Verizon users who use the
Web account interface should contact the company if they are concerned
about a potential exposure.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-08/0432.html
************************************************************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (BSD/OS)
Comment: For info see http://www.gnupg.org
iD8DBQE7l9eO+LUG5KFpTkYRAhfKAJ48JIiTv+arVUmG5rCQFbvPn2e3PwCfU0iC
mm85OOZc6Iw0grZ/qlL0G60=
=U928
-----END PGP SIGNATURE-----
------------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed
to you and you would like to begin receiving our security e-mail
newsletter on a weekly basis, we invite you to subscribe today.
http://www.networkcomputing.com/consensus/.
We are signing the Consensus newsletter
with PGP. The new SANS PGP key is posted at:
http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46
and can be accessed from the SANS Web site (http://www.sans.org).
Special Note: To better secure your confidential information,
we will no longer include personal URLs in our Consensus
newsletter mailings. Instead, we have created a new form
(http://www.sans.org/sansurl). On this form you can enter the SD
number located near your name at the top of the newsletter. When you
submit this form, an e-mail containing a URL will be sent to you at
the e-mail address on record. With this URL you can make changes to
your account (edit the content of your Consensus mailing, for example)
without endangering the security of your personal URL. If you'd like
to change your e-mail address or other information, or unsubscribe
from this newsletter, please visit your new URL as described above. If
you have any problems or questions, e-mail us at <consensus@nwc.com>.
Missed an issue? You can find all back issues of
Security Alert Consensus (and Security Express) online.
http://archives.neohapsis.com/
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2001 Network Computing, a CMP Media LLC
publication. All Rights Reserved. Distributed by Network
Computing (http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).