From: Network Computing and The SANS Institute (sans+ZZ32308498689124530sans.org)
Date: Thu Sep 20 2001 - 14:44:49 CDT



    Re: Your personalized newsletter

                          -- Security Alert Consensus --
                                 Number 115 (01.38)
                            Thursday, September 20, 2001
                                 Created for you by
                       Network Computing and the SANS Institute
                                Powered by Neohapsis

    ----------------------------------------------------------------------

    Our thoughts and prayers are with the victims and families affected
    by the tragic events of September 11th. Our support also goes to all
    the brave individuals working in the recovery efforts.

    ----------------------------------------------------------------------

    Welcome to the latest edition of Security Alert Consensus! Below
    you should find information pertaining only to the categories you
    requested. If you have any problems or questions, please e-mail us
    at <consensus@nwc.com>.

    ----------------------------------------------------------------------

    ---------------------- From Network Computing ------------------------

    If you've got security problems, why not ask Mike Fratto, one of NWC's
    senior technology editors and an "Ask the Experts" resident consultant.
    Mike is knowledgeable in all areas of security, and he's particularly
    experienced with firewalls, VPNs, PKI and authentication services. Go
    ahead and ask -- he won't bite.
    http://networkcomputing.exp.com/app/expertProfile?adv_id=548382

    ----------------------------------------------------------------------

    This issue is smaller than average, presumably because everyone's
    attention is on more important matters, namely last week's happenings
    at the World Trade Center and the Pentagon. This week's attention, at
    least in the security industry, seems to be on a new worm that is --
    once again -- exploiting old bugs in Microsoft IIS servers. This worm,
    however, appears to be quite aggressive, propagating via e-mail as
    well as HTTP.

    Among its bag of tricks: It actually infects the hosted Web site,
    potentially allowing visiting Web surfers to download the worm and
    infect themselves; it's capable of e-mailing copies of itself using its
    own engine; it will enable the Guest account (and create one if it
    doesn't already exist) and add it to the Administrators group; and it
    will share the user's hard drive. Nimda also has some other fun tricks.

    We caution organizations to take great care in cleaning this one;
    its "staying power" (from infecting EXEs and other files) is quite
    nasty. A lot of information is circulating about Nimda -- some of
    it true, some of it not so true. SecurityFocus put out a fairly
    comprehensive paper on the worm that is definitely worth a look:
    http://aris.securityfocus.com/alerts/nimda/010919-Analysis-Nimda.pdf

    Some other good starting points on W32.Nimda.A@mm (the worm's supposed
    full name):
    http://archives.neohapsis.com/archives/ntbugtraq/2001-q3/
    http://archives.neohapsis.com/archives/incidents/2001-09/
    http://archives.neohapsis.com/archives/sf/ms/2001-q3/

    Finally, we've created a site, which will be updated as needed,
    containing all the information we've found to be credible/accurate
    as well as information from our consultants currently battling Nimda
    in the field:
    http://www.neohapsis.com/neolabs/nimda.php

    Until next week,
    --Security Alert Consensus Team

    ************************************************************************

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    TABLE OF CONTENTS:

    {01.38.002} Win - EFTP server multiple vulnerabilities
    {01.38.003} Win - TrendMicro Interscan Viruswall eManager CGI DLL
                overflows
    {01.38.013} Win - ARCServe hidden share hosts auth info
    {01.38.008} BSD - NetBSD 1.5.2 available
    {01.38.016} HPUX - VVOS libsecurity resource handling problems
    {01.38.015} SGI - Update {01.15.011}: Multiple vendor FTP glob
                functionality buffer overflow
    {01.38.001} Cross - Update {01.37.015}: uucp user-supplied config file
                privilege elevation
    {01.38.004} Cross - RSA BSAFE SSL-J library client auth bypass
    {01.38.005} Cross - Cisco iCDN SSL client auth bypass
    {01.38.010} Cross - 'most' tab expansion overflow
    {01.38.011} Cross - Majordomo arbitrary file append via wrapper
    {01.38.014} Cross - speechio.org speechd command execution
    {01.38.017} Cross - Lotus Notes direct object access
    {01.38.018} Cross - Oracle App Server file path disclosure
    {01.38.019} Cross - Textor listrec.pl TEMPLATE param command exec
    {01.38.009} Tools - JASS 0.3.1 available
    {01.38.006} Svc - Myowne-mail.com From field JavaScript execution
    {01.38.007} Svc - Hushmail.com From/Topic field JavaScript execution
    {01.38.012} Svc - Bank of America Web site auth credentials replay

    --- Windows News -------------------------------------------------------

    *** {01.38.002} Win - EFTP server multiple vulnerabilities

    EFTP server version 2.0.7.377 has been found to contain multiple
    vulnerabilities exploitable by an attacker who has proper login
    access. The vulnerabilities are: access to files outside the restricted
    FTP root; authentication information stored in plain text; exploitable
    buffer overflow in the handling of LNK files; and authentication
    credential exposure via UNC requests.

    These vulnerabilities have not been confirmed.

    Source: Win2KSecurityAdvice
    http://archives.neohapsis.com/archives/win2ksecadvice/2001-q3/0108.html

    *** {01.38.003} Win - TrendMicro Interscan Viruswall eManager CGI DLL
                    overflows

    A recent advisory indicates multiple remotely exploitable buffer
    overflows in the CGI DLLs of TrendMicro eManager version 3.51, which
    is a Web-based/CGI administration application plugin for TrendMicro
    Interscan Viruswall.

    TrendMicro has confirmed the vulnerabilities and will be releasing
    a patch shortly. A patch for the Japanese version is available at:
    http://www.trendmicro.co.jp/esolution/solutionDetail.asp?solutionID=3142

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-09/0099.html

    *** {01.38.013} Win - ARCServe hidden share hosts auth info

    ARCServe versions 6.61 SP2 and 2000 have been found to create a
    hidden share named 'ARCSERVE$', which is accessible to all domain
    users. Further, a file on that share (aremote.dmp) contains the
    ARCServe backup agent account user name and password in clear text.
    This could enable a remote attacker to gain ARCServe agent privileges,
    which typically include backup or admin access.

    This vulnerability has been confirmed. A patch for ARCServe 2000 is
    available at:
    http://support.ca.com/Download/patches/asitnt/QO00945.html

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-09/0137.html
    http://archives.neohapsis.com/archives/bugtraq/2001-09/0141.html

    --- BSD News -----------------------------------------------------------

    *** {01.38.008} BSD - NetBSD 1.5.2 available

    NetBSD 1.5.2 has been released. Significant additions since version
    1.5.1 include multiple security fixes (apparently, all were previously
    reported in SAC).

    A list of download mirrors is available at:
    http://www.netbsd.org/mirrors/

    Source: NetBSD
    http://archives.neohapsis.com/archives/netbsd/2001-q3/0262.html

    --- HP-UX News ---------------------------------------------------------

    *** {01.38.016} HPUX - VVOS libsecurity resource handling problems

    HP has released a patch for a 'resource handling problem'
    in libsecurity. The vulnerability, which is limited to HPUX 11.04
    (VVOS), may allow a local attacker to perform a denial of service
    against the system.

    Installing patch PHCO_24852 will fix the problem.

    Source: HP
    http://archives.neohapsis.com/archives/hp/2001-q3/0063.html

    --- SGI News -----------------------------------------------------------

    *** {01.38.015} SGI - Update {01.15.011}: Multiple vendor FTP glob
                    functionality buffer overflow

    SGI has released a full set of patches, as well as a workaround,
    for the vulnerability discussed in {01.15.011} ("Multiple vendor FTP
    glob functionality buffer overflow").

    Full information can be found at:
    http://archives.neohapsis.com/archives/vendor/2001-q3/0038.html

    Source: SGI
    http://archives.neohapsis.com/archives/vendor/2001-q3/0038.html

    --- Cross-Platform News ------------------------------------------------

    *** {01.38.001} Cross - Update {01.37.015}: uucp user-supplied config
                    file privilege elevation

    Conectiva and OpenBSD have released updates for the vulnerability
    discussed in {01.37.015} ("uucp user-supplied config file privilege
    elevation").

    Updated Conectiva RPMs:
    http://archives.neohapsis.com/archives/linux/conectiva/2001-q3/0019.html

    OpenBSD 2.8 patch:
    ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.8/common/033_uucp.patch

    OpenBSD 2.9 patch:
    ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/015_uucp.patch

    Source: Conectiva, OpenBSD
    http://archives.neohapsis.com/archives/linux/conectiva/2001-q3/0019.html
    http://archives.neohapsis.com/archives/openbsd/2001-09/0638.html

    *** {01.38.004} Cross - RSA BSAFE SSL-J library client auth bypass

    The RSA BSAFE SSL-J SDK/library contains a bug that could allow
    a remote client to bypass client authentication and thus access an
    SSL-enabled service as an authenticated user. All applications based
    on the RSA BSAFE SSL-J SDK version 3.x are vulnerable.

    More information is available at:
    http://www.rsasecurity.com/support/bsafe/index.html

    Source: Cisco
    http://archives.neohapsis.com/archives/cisco/2001-q3/0008.html

    *** {01.38.005} Cross - Cisco iCDN SSL client auth bypass

    Cisco iCDN (Internet Content Distribution Network) version 2.0
    uses the vulnerable RSA BSAFE SSL-J library (reported in this issue
    under 'Cross-Platform'). This could allow a remote client to bypass
    authentication and access the iCDN services. iCDN version 1.0 is
    not vulnerable.

    Cisco has confirmed this vulnerability and fixed it in version 2.0.1.

    Source: Cisco
    http://archives.neohapsis.com/archives/cisco/2001-q3/0008.html

    *** {01.38.010} Cross - 'most' tab expansion overflow

    The 'most' pager application prior to version 4.9.2 contains a
    buffer overflow in the expansion of embedded tabs. This could allow
    a malicious document viewed with most to execute arbitrary code under
    the user's privileges.

    Debian has confirmed this vulnerability. Updated Debian DEBs are
    listed at:
    http://archives.neohapsis.com/archives/vendor/2001-q3/0039.html

    Source: Debian
    http://archives.neohapsis.com/archives/vendor/2001-q3/0039.html

    *** {01.38.011} Cross - Majordomo arbitrary file append via wrapper

    Majordomo versions 1.94.4 and prior are reportedly vulnerable to a
    bug that would potentially allow local attackers to append arbitrary
    data to the end of majordomo-owned files, thus allowing them to tamper
    with mailing lists or gain majordomo privileges.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-09/0132.html

    *** {01.38.014} Cross - speechio.org speechd command execution

    The speechd script from speechio.org does not properly filter out
    single quote characters from incoming text. This may allow an attacker
    to execute arbitrary commands under the privileges in which speechd
    is running.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-09/0089.html

    *** {01.38.017} Cross - Lotus Notes direct object access

    An advisory posted this week indicates that it's possible to directly
    access various objects in a Notes database without going through the
    associated note. This means it could potentially bypass ACL checking
    and other restrictions imposed by the associated note.

    Lotus is currently investigating the problem.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-09/0147.html
    http://archives.neohapsis.com/archives/bugtraq/2001-09/0150.html

    *** {01.38.018} Cross - Oracle App Server file path disclosure

    A recent advisory indicates that the Oracle Application Server version
    included with Oracle 9i will display a full physical path in response
    to an HTTP request for a nonexistent JSP page.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-09/0140.html

    *** {01.38.019} Cross - Textor listrec.pl TEMPLATE param command exec

    Textor Webmaster's listrec.pl CGI application has been found to not
    properly filter the TEMPLATE URL parameter. This could allow a remote
    attacker to execute arbitrary commands under the privileges of the
    Web server.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-09/0096.html
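    The speechd item ({01.38.014}) and the listrec.pl item ({01.38.019}) above are both cases of untrusted input reaching a command or a file path unfiltered. The following is an added example, not code from either project (neither is shown in the newsletter): it demonstrates the two defensive patterns, passing untrusted text as a single argv element with no shell, and restricting a file-selecting parameter to an allowlisted name inside a fixed directory. The `say` command name, the `.tmpl` suffix and the `TEMPLATE_NAME` pattern are assumptions.

```python
import re
import subprocess
import sys
from pathlib import Path

# Added example (not speechd's or listrec.pl's own code). The helper name
# "say", the ".tmpl" suffix and the name pattern below are assumptions.

TEMPLATE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.tmpl$")


def speak_argv(text: str) -> list:
    """Argument vector for a hypothetical text-to-speech helper.

    The text is one argv element and "--" ends option parsing, so text that
    starts with "-" is not read as a flag. Because no shell is involved,
    quotes, ';' and '|' inside the text carry no special meaning.
    """
    return ["say", "--", text]


def echo_via_child(text: str) -> str:
    """Show that argv passing preserves shell metacharacters literally.

    A Python child process stands in for the speech program so that the
    example runs anywhere; sys.argv[1] in the child is exactly our text.
    """
    argv = [sys.executable, "-c", "import sys; sys.stdout.write(sys.argv[1])", text]
    # shell=False (the default): nothing interprets quotes or separators.
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


def resolve_template(param: str, template_dir: str) -> Path:
    """Map a TEMPLATE parameter to a file, accepting only a plain name."""
    if not TEMPLATE_NAME.match(param):
        raise ValueError("TEMPLATE must be a simple name ending in .tmpl")
    base = Path(template_dir).resolve()
    candidate = (base / param).resolve()
    # Defence in depth: whatever passed the regex must still sit under base.
    if candidate.parent != base:
        raise ValueError("TEMPLATE escapes the template directory")
    return candidate


def template_is_rejected(param: str, template_dir: str) -> bool:
    """True when resolve_template refuses the parameter."""
    try:
        resolve_template(param, template_dir)
    except ValueError:
        return True
    return False
```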

    --- Tool Announcements News --------------------------------------------

    *** {01.38.009} Tools - JASS 0.3.1 available

    JASS version 0.3.1 has been released. JASS is a security toolkit for
    Sun Solaris systems.

    The latest version can be downloaded from:
    http://www.sun.com/security/jass

    Source: SecurityFocus Focus-Sun
    http://archives.neohapsis.com/archives/sf/sun/2001-q3/0170.html

    --- Services News ------------------------------------------------------

    *** {01.38.006} Svc - Myowne-mail.com From field JavaScript execution

    The Myowne-mail.com e-mail service has been found to not properly
    filter JavaScript out of the 'From' e-mail field. This means a
    malicious e-mail could potentially execute arbitrary JavaScript in
    a myowne-mail.com user's browser.

    This vulnerability has not been confirmed.

    Source: Vulnwatch
    http://archives.neohapsis.com/archives/vulnwatch/2001-q3/0049.html

    *** {01.38.007} Svc - Hushmail.com From/Topic field JavaScript execution

    The Hushmail.com e-mail service has been found to not properly filter
    JavaScript out of the 'From' and 'Topic' e-mail fields. This means
    a malicious e-mail could potentially execute arbitrary JavaScript in
    a hushmail.com user's browser.

    This vulnerability has been fixed.

    Source: Vulnwatch
    http://archives.neohapsis.com/archives/vulnwatch/2001-q3/0050.html

    *** {01.38.012} Svc - Bank of America Web site auth credentials replay

    The Bank of America Web site has been reported vulnerable to a replay
    attack, whereby it is possible to submit session information from a
    logged-out session and have that session accepted as valid.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-09/0127.html
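    The replay described above works only if the server keeps accepting a session after the user logs out. The following is an added example, not code from the site in question: a server-side session store in which logout revokes the record, so a saved session token from a logged-out session is refused. The class and function names, the hashing of stored tokens and the 15-minute lifetime are assumptions.

```python
import hashlib
import secrets
import time
from typing import Optional

# Added example (not the site's own code): sessions live on the server, so a
# logout actually revokes them. Names, TTL and token format are assumptions.

SESSION_TTL_SECONDS = 15 * 60


def _fingerprint(token: str) -> str:
    # Store only a hash of the token: a leaked store yields no usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


class SessionStore:
    def __init__(self, ttl: int = SESSION_TTL_SECONDS):
        self._ttl = ttl
        self._sessions = {}  # token fingerprint -> (user, absolute expiry)

    def login(self, user: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # fresh, unguessable token per login
        self._sessions[_fingerprint(token)] = (user, now + self._ttl)
        return token

    def user_for(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """User bound to token, or None if unknown, expired or logged out."""
        now = time.time() if now is None else now
        key = _fingerprint(token)
        entry = self._sessions.get(key)
        if entry is None:
            return None
        user, expiry = entry
        if now >= expiry:
            del self._sessions[key]  # absolute lifetime exceeded
            return None
        return user

    def logout(self, token: str) -> None:
        # The server forgets the session instead of merely asking the browser
        # to drop its cookie; a resubmitted copy therefore has nothing to match.
        self._sessions.pop(_fingerprint(token), None)


def replay_after_logout_is_rejected() -> bool:
    """Constructed scenario: a saved session value is resubmitted after logout."""
    store = SessionStore()
    token = store.login("alice", now=1000.0)
    accepted_before = store.user_for(token, now=1001.0) == "alice"
    store.logout(token)
    replay_accepted = store.user_for(token, now=1002.0) is not None
    return accepted_before and not replay_accepted
```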

    ************************************************************************

    ------------------------------------------------------------------------


    Network Computing offers a way for you to help the businesses that
    suffered disruptions in the lower Manhattan section of NYC on September
    11. If you can provide services, supplies or expertise that would help
    them in their recovery efforts, please post your name/business on our
    "Business Assistance List".
    http://www.nwc.com/helpamerica/index.html

    ----------------------------------------------------------------------

    Become a Security Alert Consensus member! If this e-mail was passed
    to you and you would like to begin receiving our security e-mail
    newsletter on a weekly basis, we invite you to subscribe today.
    http://www.networkcomputing.com/consensus/.

    We are signing the Consensus newsletter with PGP. The new SANS PGP
    key is posted at:
    http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46
    and can be accessed from the SANS Web site (http://www.sans.org).

    Special Note: To better secure your confidential information,
    we will no longer include personal URLs in our Consensus
    newsletter mailings. Instead, we have created a new form
    (http://www.sans.org/sansurl). On this form you can enter the SD
    number located near your name at the top of the newsletter. When you
    submit this form, an e-mail containing a URL will be sent to you at
    the e-mail address on record. With this URL you can make changes to
    your account (edit the content of your Consensus mailing, for example)
    without endangering the security of your personal URL. If you'd like
    to change your e-mail address or other information, or unsubscribe
    from this newsletter, please visit your new URL as described above. If
    you have any problems or questions, e-mail us at <consensus@nwc.com>.

    Missed an issue? You can find all back issues of
    Security Alert Consensus (and Security Express) online.
    http://archives.neohapsis.com/

    Your opinion counts. We'd like to hear your thoughts on Security Alert
    Consensus. E-mail any questions or comments to <consensus@nwc.com>.

    Copyright (c) 2001 Network Computing, a CMP Media LLC
    publication. All Rights Reserved. Distributed by Network
    Computing (http://www.networkcomputing.com) and The SANS Institute
    (http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
    security assessment and integration services consulting group
    (info@neohapsis.com | http://www.neohapsis.com/).