From: Network Computing and The SANS Institute (sans+ZZ92904046724594228@sans.org)
Date: Thu Sep 13 2001 - 16:30:29 CDT
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 114 (01.37)
Thursday, September 13, 2001
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below
you should find information pertaining only to the categories you
requested. If you have any problems or questions, please e-mail us
at <consensus@nwc.com>.
----------------------------------------------------------------------
In a new edition of the Network Computing Shoot Out, our editors
challenged network storage vendors and service providers to devise
fault-tolerant storage solutions for two fictitious companies. This
fall, the vendors will face off and present their solutions to you, live
and in real-time. And with our wireless audience response system, you'll
help decide which solution hits closest to the mark. It's an
opportunity to compare products and strategies, while learning about
the critical factors to consider when making your own storage decision.
http://www.nwc.com/events/storeshoot.html
----------------------------------------------------------------------
We wish to express our sincerest condolences to all those who were, and
will be, affected by the horrible events that occurred on September
11th. However, because we understand the continuing need to protect and
secure companies' resources, we are delivering our security newsletter
as usual.
Those of you running intrusion detection systems may want to
contact your vendor for an update against the IIS %u unicode
encoding bug. Essentially, a new method of encoding requests to
IIS servers has surfaced. When requests are encoded in this way,
intrusion detection systems do not properly parse and alert on the
incoming URLs. Cisco, ISS and Snort have already released updated
versions of their products. More information is available at:
http://archives.neohapsis.com/archives/vulnwatch/2001-q3/0043.html
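The evasion described above, as an added illustration that is not from the newsletter or from any of the vendors named: a small normalizer that decodes Microsoft-style %uXXXX escapes (and ordinary %XX escapes) before signature matching, next to a matcher that only understands %XX and therefore misses the %u form. All function names and the sample request lines are constructed for this example.

```python
import re
from urllib.parse import unquote

# Added example (not from the newsletter): why a matcher that decodes only
# %XX escapes misses %uXXXX-encoded requests, and what the fix looks like.
# Function names and sample request lines are constructed for this demo.

# Microsoft-style escape: %u followed by four hex digits naming a code point.
_U_ESCAPE = re.compile(r"%[uU]([0-9a-fA-F]{4})")

# A deliberately simple signature: a parent-directory traversal component.
TRAVERSAL_SIG = "../"


def decode_u_escapes(s: str) -> str:
    """Replace each %uXXXX sequence with the character for code point XXXX."""
    return _U_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), s)


def naive_normalize(path: str) -> str:
    """What a matcher that only knows RFC %XX escapes sees (pre-update
    behaviour). %u sequences survive untouched because 'u0' is not a hex pair."""
    return unquote(path).replace("\\", "/").lower()


def normalize_url(path: str, max_rounds: int = 3) -> str:
    """Canonical form for matching: %uXXXX and %XX decoded, backslashes folded
    to '/', lower-cased. Decoding repeats until the string stops changing so
    that escapes which themselves decode to '%' (double encoding) resolve;
    the round bound keeps a pathological input from looping."""
    cur = path
    for _ in range(max_rounds):
        nxt = unquote(decode_u_escapes(cur)).replace("\\", "/")
        if nxt == cur:
            break
        cur = nxt
    return cur.lower()


def flags_traversal(path: str, normalize=normalize_url) -> bool:
    """True when the signature matches the normalized form of the path."""
    return TRAVERSAL_SIG in normalize(path)


def scan(lines, normalize=normalize_url):
    """Return the request lines whose normalized target matches the signature."""
    hits = []
    for line in lines:
        # Request line format: METHOD SP request-target SP HTTP-version
        parts = line.split()
        if len(parts) >= 2 and flags_traversal(parts[1], normalize):
            hits.append(line)
    return hits


# Constructed sample request lines: one benign, then the same traversal
# written plain, with %XX escapes, with %uXXXX escapes, and double-encoded.
SAMPLE_REQUESTS = [
    "GET /docs/index.html HTTP/1.0",
    "GET /docs/../private/notes.txt HTTP/1.0",
    "GET /docs/%2e%2e/private/notes.txt HTTP/1.0",
    "GET /docs/%u002e%u002e%u002fprivate/notes.txt HTTP/1.0",
    "GET /docs/%25u002e%25u002e/private/notes.txt HTTP/1.0",
]

if __name__ == "__main__":
    print("naive  :", len(scan(SAMPLE_REQUESTS, naive_normalize)), "of 4 hits")
    print("updated:", len(scan(SAMPLE_REQUESTS)), "of 4 hits")
```

The naive matcher flags only the plain and %XX forms; the updated normalizer flags all four encoded variants.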
Until next week,
--Security Alert Consensus Team
************************************************************************
TABLE OF CONTENTS:
{01.37.009} Win - MS01-047: OWA user enumeration
{01.37.010} Win - MS01-048: Malformed data crashes RPC endmapper
{01.37.003} Linux - Update {01.33.005}: Fetchmail LIST response memory
overwrite
{01.37.008} Linux - Update {01.36.028}: mod_auth_mysql SQL injection
{01.37.012} Linux - Update {01.36.007}: Multiple xinetd vulnerabilities
{01.37.013} Linux - Update {01.36.019}: Bugzilla confidential data
access and other bugs
{01.37.006} BSD - Multiple sysctl input validation vulnerabilities
{01.37.011} BSD - Update {01.24.026}: fts-based programs can be made to
recurse into wrong directories
{01.37.020} BSD - NFS mount code overflow
{01.37.001} AIX - Update {01.30.021}: Multiple vendor telnetd
option-handling overflow
{01.37.002} AIX - libdiag trace file symlink attack
{01.37.014} HPUX - Update {01.11.017}: asecure improper file permissions
{01.37.025} NApps - DLink 704 router malformed fragment DoS
{01.37.030} Other - DEC Unix msgchk command line param overflow
{01.37.004} Cross - Screen multi-attach vulnerability
{01.37.005} Cross - mailman administration authentication bypass
{01.37.007} Cross - Update {01.34.020}: Sendmail -d parameter arbitrary
memory writing
{01.37.015} Cross - uucp user-supplied config file privilege elevation
{01.37.017} Cross - libnss-pgsql/pam-pgsql SQL injection
{01.37.018} Cross - nss_postgresql/pam_pgsql SQL injection
{01.37.019} Cross - pam-pgsql SQL injection
{01.37.021} Cross - Gauntlet smap/smapd/csmap overflows
{01.37.022} Cross - ShopPlus CGI file param command exec
{01.37.023} Cross - Directory Manager CGI user file param command exec
{01.37.024} Cross - WebSweeper URL filtering bypass
{01.37.026} Cross - Merit RADIUS rladmin help file symlink attack
{01.37.027} Cross - PowerUP HTML CGI file param file viewing
{01.37.028} Cross - CheckPoint FW-1 temp policy compilation symlink
attack
{01.37.029} Cross - sglMerchant html_file param file viewing
{01.37.031} Cross - CheckPoint FW-1 GUI permission bypass/file saves
{01.37.016} Tools - Sendmail 8.12.0 available
--- Windows News -------------------------------------------------------
*** {01.37.009} Win - MS01-047: OWA user enumeration
Microsoft has released MS01-047 ("OWA user
enumeration"). Enumerating/searching for user names normally requires
authentication; however, it's possible for a remote attacker to gain
access to the lists of available user names without any authentication
credentials. Only e-mail names/aliases are exposed. This affects
Outlook Web Access for Exchange 5.5.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS01-047.asp
Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2001-q3/0035.html
*** {01.37.010} Win - MS01-048: Malformed data crashes RPC endmapper
Microsoft has released MS01-048 ("Malformed data crashes RPC
endmapper"). It's possible for a remote attacker (who has access to
port 139) to send a particular malformed request that would cause the
RPC endmapper to crash, effectively disabling all RPC-based services
until the computer is rebooted.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS01-048.asp
Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2001-q3/0036.html
--- Linux News ---------------------------------------------------------
*** {01.37.003} Linux - Update {01.33.005}: Fetchmail LIST response
memory overwrite
RedHat and Conectiva have released updated fetchmail packages, which
fix the vulnerability discussed in {01.33.005} ("Fetchmail LIST
response memory overwrite").
Updated Conectiva RPMs:
http://archives.neohapsis.com/archives/linux/conectiva/2001-q3/0014.html
Updated RedHat RPMs:
http://archives.neohapsis.com/archives/linux/redhat/2001-q3/0040.html
Source: Conectiva, RedHat
http://archives.neohapsis.com/archives/linux/conectiva/2001-q3/0014.html
http://archives.neohapsis.com/archives/linux/redhat/2001-q3/0040.html
*** {01.37.008} Linux - Update {01.36.028}: mod_auth_mysql SQL injection
Conectiva and SuSE have released updated mod_auth_mysql packages,
which fix the vulnerability discussed in {01.36.028} ("mod_auth_mysql
SQL injection").
Updated Conectiva RPMs:
http://archives.neohapsis.com/archives/linux/conectiva/2001-q3/0015.html
Updated SuSE RPMs:
http://archives.neohapsis.com/archives/linux/suse/2001-q3/1070.html
Source: Conectiva, SuSE
http://archives.neohapsis.com/archives/linux/conectiva/2001-q3/0015.html
http://archives.neohapsis.com/archives/linux/suse/2001-q3/1070.html
*** {01.37.012} Linux - Update {01.36.007}: Multiple xinetd
vulnerabilities
RedHat has released updated xinetd packages, which fix the
vulnerability discussed in {01.36.007} ("Multiple xinetd
vulnerabilities").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/redhat/2001-q3/0037.html
Source: RedHat
http://archives.neohapsis.com/archives/linux/redhat/2001-q3/0037.html
*** {01.37.013} Linux - Update {01.36.019}: Bugzilla confidential data
access and other bugs
RedHat has released updated bugzilla packages, which fix the
vulnerability discussed in {01.36.019} ("Bugzilla confidential data
access and other bugs").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/bugtraq/2001-09/0075.html
Source: RedHat (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-09/0075.html
--- BSD News -----------------------------------------------------------
*** {01.37.006} BSD - Multiple sysctl input validation vulnerabilities
NetBSD has released an advisory indicating multiple potential problems
because the kernel does not correctly check data submitted to it via
sysctl calls. This is similar to vulnerability {01.08.017}.
NetBSD-current as of Aug. 5, 2001, and -1.5 as of Aug. 16, 2001,
contain the patches.
Source: NetBSD
http://archives.neohapsis.com/archives/netbsd/2001-q3/0203.html
*** {01.37.011} BSD - Update {01.24.026}: fts-based programs can be
made to recurse into wrong directories
NetBSD has released updates for the vulnerability discussed in
{01.24.026} ("fts-based programs can be made to recurse into wrong
directories").
NetBSD-current as of July 9, 2001, and -1.5 as of Aug. 22, 2001,
contain the updates.
Source: NetBSD
http://archives.neohapsis.com/archives/netbsd/2001-q3/0204.html
*** {01.37.020} BSD - NFS mount code overflow
OpenBSD has committed a fix for a buffer overflow in the handling of
NFS options to the mount command. If local attackers have privileges
to use mount, it's possible for them to gain root privileges.
This vulnerability has been confirmed. A patch is available at:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/012_nfs.patch
Source: OpenBSD
http://archives.neohapsis.com/archives/openbsd/2001-09/0036.html
--- AIX News -----------------------------------------------------------
*** {01.37.001} AIX - Update {01.30.021}: Multiple vendor telnetd
option-handling overflow
IBM has released APAR IY22029, which fixes the vulnerability discussed
in {01.30.021} ("Multiple vendor telnetd option-handling overflow").
Source: IBM
http://archives.neohapsis.com/archives/aix/2001-q3/0004.html
*** {01.37.002} AIX - libdiag trace file symlink attack
IBM has released APAR IY22256, which fixes a vulnerability that
allows a local attacker to use a symlink attack and overwrite files
on the system.
Source: IBM
http://archives.neohapsis.com/archives/aix/2001-q3/0003.html
--- HP-UX News ---------------------------------------------------------
*** {01.37.014} HPUX - Update {01.11.017}: asecure improper file
permissions
HP has released patches for the vulnerability discussed in {01.11.017}
("asecure improper file permissions").
Install the appropriate patch:
HPUX 10.10: PHSS_24534
HPUX 10.20: PHSS_24534
HPUX 11.00: PHSS_24608
Source: HP
http://archives.neohapsis.com/archives/hp/2001-q3/0062.html
--- Network Appliances News --------------------------------------------
*** {01.37.025} NApps - DLink 704 router malformed fragment DoS
The DLink 704 home router with firmware prior to version 2.56b6
contains a vulnerability in the handling of malformed fragmented
packets. As a result, the device will neither respond to nor route
any further incoming traffic.
The vendor has confirmed this vulnerability and made updated firmware
available.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-09/0034.html
--- Other News ---------------------------------------------------------
*** {01.37.030} Other - DEC Unix msgchk command line param overflow
The msgchk application shipped with Digital/DEC Unix version
4.0 contains a buffer overflow in the handling of command line
parameters. This would allow a local attacker to execute arbitrary
code with elevated privileges.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-09/0064.html
--- Cross-Platform News ------------------------------------------------
*** {01.37.004} Cross - Screen multi-attach vulnerability
Screen versions prior to 3.9.10 contain a vulnerability in the
multi-attach handling code that allows a local attacker to gain root
privileges (since screen is typically setuid root to function).
The author has confirmed this vulnerability and released version
3.9.10.
Updated SuSE RPMs:
http://archives.neohapsis.com/archives/linux/suse/2001-q3/0924.html
Source: SuSE
http://archives.neohapsis.com/archives/linux/suse/2001-q3/0924.html
*** {01.37.005} Cross - mailman administration authentication bypass
A bug was found in the mailman HTTP administration interface. If the
admin password is blank, any password can be used to authenticate. A
lesser bug could allow list administrators to access subscriber
passwords.
The author has confirmed this vulnerability.
Conectiva Linux has also released updated RPMs.
http://archives.neohapsis.com/archives/linux/conectiva/2001-q3/0013.html
Source: Conectiva
http://archives.neohapsis.com/archives/linux/conectiva/2001-q3/0013.html
*** {01.37.007} Cross - Update {01.34.020}: Sendmail -d parameter
arbitrary memory writing
NetBSD and RedHat have released updated sendmail packages, which fix
the vulnerability discussed in {01.34.020} ("Sendmail -d parameter
arbitrary memory writing").
Updated NetBSD information:
http://archives.neohapsis.com/archives/netbsd/2001-q3/0205.html
Updated RedHat RPMs:
http://archives.neohapsis.com/archives/linux/redhat/2001-q3/0034.html
Source: NetBSD, RedHat
http://archives.neohapsis.com/archives/netbsd/2001-q3/0205.html
http://archives.neohapsis.com/archives/linux/redhat/2001-q3/0034.html
*** {01.37.015} Cross - uucp user-supplied config file privilege
elevation
The Taylor UUCP package contains a vulnerability in the handling of
user-supplied configuration files. This would allow a local attacker to
gain uid/gid 'uucp', which could potentially be used to gain further
root privileges.
This vulnerability has been confirmed.
Caldera has also released updated Linux RPMs.
http://archives.neohapsis.com/archives/linux/caldera/2001-q3/0020.html
Source: SecurityFocus Bugtraq, Caldera
http://archives.neohapsis.com/archives/bugtraq/2001-09/0053.html
http://archives.neohapsis.com/archives/linux/caldera/2001-q3/0020.html
*** {01.37.017} Cross - libnss-pgsql/pam-pgsql SQL injection
The libnss-pgsql PAM module versions 0.9.0 and prior, as well as
pam-pgsql versions 0.9.2 and prior, both by Joerg Wendland, contain
vulnerabilities in the handling of authentication data. It's possible
for an attacker to inject arbitrary SQL commands to be executed on
the backend Postgres database.
RUS-CERT has confirmed these vulnerabilities.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-09/0071.html
*** {01.37.018} Cross - nss_postgresql/pam_pgsql SQL injection
The nss_postgresql PAM module versions 0.6.1 and prior, as well as
the pam_pgsql module versions 0.0.3 and prior, both by Alessandro
Gardich, contain a vulnerability in the handling of authentication
data. This could allow an attacker to execute SQL commands on the
backend Postgres database.
RUS-CERT has confirmed these vulnerabilities.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-09/0071.html
*** {01.37.019} Cross - pam-pgsql SQL injection
Leon Breedt's pam-pgsql PAM module versions 0.5.1 and prior contain a
vulnerability in the handling of user authentication data. This could
allow an attacker to execute SQL commands on the backend PostgreSQL
database.
RUS-CERT has confirmed this vulnerability.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-09/0071.html
*** {01.37.021} Cross - Gauntlet smap/smapd/csmap overflows
NAI has released an advisory indicating a remote buffer overflow in
Gauntlet firewall versions 5.x and 6.0 for Unix, as well as various
versions of PGP e-ppliance, McAfee e-ppliance and McAfee WebShield.
Full information is available at:
http://www.pgp.com/support/product-advisories/csmap.asp
Source: Vulnwatch
http://archives.neohapsis.com/archives/vulnwatch/2001-q3/0042.html
*** {01.37.022} Cross - ShopPlus CGI file param command exec
Ksofttech.com's ShopPlus CGI shopping cart application contains
a vulnerability in the handling of the file URL parameter. The
vulnerability allows a remote attacker to execute arbitrary
command-line commands under the privileges of the Web server.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-09/0012.html
*** {01.37.023} Cross - Directory Manager CGI user file param command
exec
The Directory Manager CGI version 0.9 contains a vulnerability in the
handling of the userfile/userfile_name URL parameters. This allows
a remote attacker to execute arbitrary command-line commands under
the privileges of the Web server.
These vulnerabilities have not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-09/0013.html
*** {01.37.024} Cross - WebSweeper URL filtering bypass
Baltimore Technologies' WebSweeper version 4.02 has been found to not
canonicalize HTTP URLs. This allows attackers to bypass any configured
URL filtering by using various forms of URL encoding.
The vendor has acknowledged this vulnerability and released the
following technote.
http://www.mimesweeper.com/support/technotes/notes/1043.asp
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-09/0019.html
*** {01.37.026} Cross - Merit RADIUS rladmin help file symlink attack
The rladmin application shipped with the Merit RADIUS package versions
3.8M and 5.01 commercial contains a vulnerability in the handling of
user-specified configuration directories. It's possible for a local
attacker to view arbitrary files on the system.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-09/0036.html
*** {01.37.027} Cross - PowerUP HTML CGI file param file viewing
The PowerUP HTML CGI application version 0.8033beta contains a
vulnerability in the handling of the file URL parameter. This allows
a remote attacker to view the contents of files readable by the
Web server.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-09/0042.html
*** {01.37.028} Cross - CheckPoint FW-1 temp policy compilation symlink
attack
An advisory released this week indicates a temporary file-handling
problem in Checkpoint Firewall-1 versions 3.0b through 4.0SP1: An
attacker with local access to the firewall system could gain root
privileges. Since access to the firewall host itself should be
highly restricted, the practical exposure is to individuals who lack
root privileges on the host but who do have firewall policy
modification access, and who could use it to gain root on the system.
The vendor has confirmed this vulnerability, which has been fixed in
version 4.1 or 4.0SP2.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-09/0046.html
*** {01.37.029} Cross - sglMerchant html_file param file viewing
SeaGlass Technologies' sglMerchant CGI version 1.0 contains a
vulnerability in the handling of the html_file URL parameter. This
could allow a remote attacker to view arbitrary files readable by
the Web server.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-09/0047.html
*** {01.37.031} Cross - CheckPoint FW-1 GUI permission bypass/file saves
An advisory has surfaced indicating that users of the CheckPoint
Firewall-1 GUI are able to save arbitrary files on the firewall system,
regardless of their assigned permissions (read-only, monitor, user-edit
and so on). All versions of FW-1 appear to be vulnerable.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-09/0051.html
--- Tool Announcements News --------------------------------------------
*** {01.37.016} Tools - Sendmail 8.12.0 available
Sendmail version 8.12.0 has been released. This is the first official
8.12.x release. An overview of new features is available at the
reference URL below.
Source: Sendmail
http://archives.neohapsis.com/archives/sendmail/2001-q3/0004.html
************************************************************************
----------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed
to you and you would like to begin receiving our security e-mail
newsletter on a weekly basis, we invite you to subscribe today.
http://www.networkcomputing.com/consensus/.
We are signing the Consensus newsletter
with PGP. The new SANS PGP key is posted at:
http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46
and can be accessed from the SANS Web site (http://www.sans.org).
Special Note: To better secure your confidential information,
we will no longer include personal URLs in our Consensus
newsletter mailings. Instead, we have created a new form
(http://www.sans.org/sansurl). On this form you can enter the SD
number located near your name at the top of the newsletter. When you
submit this form, an e-mail containing a URL will be sent to you at
the e-mail address on record. With this URL you can make changes to
your account (edit the content of your Consensus mailing, for example)
without endangering the security of your personal URL. If you'd like
to change your e-mail address or other information, or unsubscribe
to this newsletter, please visit your new URL as described above. If
you have any problems or questions, e-mail us at <consensus@nwc.com>.
Missed an issue? You can find all back issues of
Security Alert Consensus (and Security Express) online.
http://archives.neohapsis.com/
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2001 Network Computing, a CMP Media LLC
publication. All Rights Reserved. Distributed by Network
Computing (http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).