From: Network Computing and The SANS Institute (sans+ZZ18689614713033775sans.org)
Date: Thu Oct 04 2001 - 14:42:52 CDT

    Re: Your personalized newsletter

                          -- Security Alert Consensus --
                                 Number 117 (01.40)
                             Thursday, October 4, 2001
                                 Created for you by
                      Network Computing and the SANS Institute
                                Powered by Neohapsis
      
    ----------------------------------------------------------------------

    Our thoughts and prayers remain with the victims and families affected
    by the tragic events of September 11th. Our support also goes out to
    all the brave individuals working in the recovery efforts.

    ----------------------------------------------------------------------

    Welcome to the latest edition of Security Alert Consensus! Below
    you should find information pertaining only to the categories you
    requested. If you have any problems or questions, please e-mail us
    at <consensusnwc.com>.

    ----------------------------------------------------------------------

    ** Request your FREE Internet Security Handbook **

    It's more important than ever to protect your information assets, avoid
    business interruption, and prevent revenue loss. Request your *FREE*
    copy of "Securing the Internet Economy: An Executive Guide to Managing
    Online Risk" from Internet Security Systems (ISS).
    Click here: http://www.iss.net/mktg/sac10401/

    ----------------------------------------------------------------------

    Windows shops, it seems, can rest easy this week -- the only Microsoft
    patch released was a slight denial of service against Outlook Web
    Access IIS deployments. Unix camps, however, are in for a treat:
    a multivendor rpc.ttdbserver remote exploit, which lets attackers
    execute arbitrary code with root privileges. And for those of you who
    upgraded to Sendmail 8.12.0, you'll need to upgrade to 8.12.1 to fix
    some local security problems. All three vulnerabilities are reported
    in this issue (the OWA item under 'Windows News', the other two under
    'Cross-Platform News').

    Until next week,
    --Security Alert Consensus Team

    ************************************************************************

    TABLE OF CONTENTS:

    {01.40.009} Win - PGP keyserver admin CGI auth bypass
    {01.40.010} Win - Meteor FTP command reverse directory traversal
    {01.40.011} Win - MS01-049: Deeply nested OWA Request DoS
    {01.40.013} Win - COM2001 Alexis/InternetPBX plain text auth info
    {01.40.017} Win - Amtote HomeBet homebet.log download
    {01.40.021} Win - WinMySqlAdmin plain text auth info storage
    {01.40.023} Win - QVT/Term FTP server security vulnerabilities
    {01.40.006} Linux - Update {01.39.015}: Squid FTP mkdir PUT DoS
    {01.40.007} Linux - Update {01.36.030}: mod_auth_pgsql SQL injection
    {01.40.012} Linux - RedHat setserial init script temp file vulnerability
    {01.40.019} HPUX - rpcbind malformed request DoS
    {01.40.003} SCO - dtaction command line parameter overflow
    {01.40.004} SCO - dtsession env variable overflow
    {01.40.005} SCO - dtprintinfo env variable overflow
    {01.40.022} NApps - 3Com HomeConnect cable modem HTTP server DoS
    {01.40.024} NApps - Cisco PIX SMTP mailguard bypass
    {01.40.008} Cross - Compaq Insight Manager overflow
    {01.40.014} Cross - Update {01.39.013}: IBM Websphere predictable
                session IDs
    {01.40.015} Cross - Sendmail 8.12.1 fixes security vulnerabilities
    {01.40.016} Cross - OpenSSH from restriction bypass
    {01.40.018} Cross - OpenView NNM privilege escalation vulnerability
    {01.40.020} Cross - (rpc.)ttdbserver syslog() format string attack
    {01.40.001} Tools - TCT 1.08 available
    {01.40.002} Tools - BIND 8.2.5 available

    - --- Windows News -------------------------------------------------------

    *** {01.40.009} Win - PGP keyserver admin CGI auth bypass

    NAI's PGP keyserver version 7.0 contains a vulnerability that would
    allow a remote attacker to bypass authentication and access the
    administrative CGIs.

    NAI has confirmed this vulnerability and released an update, which
    is available at:
    http://www.pgp.com/support/product-advisories/keyserver.asp

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-09/0230.html

    *** {01.40.010} Win - Meteor FTP command reverse directory traversal

    Meteor FTP version 1.0 has been found to allow remote attackers to use
    reverse directory traversal ("..") notation in various FTP commands,
    thereby allowing them to access files outside the restricted FTP root.

    The advisory indicates vendor confirmation; a patch is currently in
    the works.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-09/0231.html

    *** {01.40.011} Win - MS01-049: Deeply nested OWA Request DoS

    Microsoft has released MS01-049 ("Deeply nested OWA Request DoS"). It's
    possible for a remote attacker, who has access to a valid Outlook Web
    Access mailbox, to submit a request that would leave the IIS server
    consuming large amounts of CPU processing time, thus performing a
    denial of service.

    FAQ and patch:
    http://www.microsoft.com/technet/security/bulletin/MS01-049.asp

    Source: Microsoft
    http://archives.neohapsis.com/archives/vendor/2001-q3/0045.html

    *** {01.40.013} Win - COM2001 Alexis/InternetPBX plain text auth info

    COM2001's Alexis server version 2.1, a part of the InternetPBX software
    suite, has been found to insecurely store authentication information
    in plain text on the local file system. Authentication information
    is also transmitted via unencrypted HTTP (even if the initial server
    connection was over HTTPS).

    The advisory indicates confirmation by the vendor, which will fix
    the problem in a future update.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-09/0232.html

    *** {01.40.017} Win - Amtote HomeBet homebet.log download

    Amtote's HomeBet Web application has been found to place a log file in
    a remotely accessible directory (/homebet/), which could allow a remote
    attacker to download the file and gain access to all user information.

    A suggested workaround is to remove IUSR_<machine> access to the
    homebet.log file (or remove the /homebet/ virtual directory).

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-09/0235.html

    *** {01.40.021} Win - WinMySqlAdmin plain text auth info storage

    WinMySqlAdmin version 1.1 has been found to store database
    authentication information unencrypted in a local file. This could
    allow an attacker to retrieve this information.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-10/0004.html

    *** {01.40.023} Win - QVT/Term FTP server security vulnerabilities

    QVT/Term version 5.0 comes with an FTP server, which has been found
    to allow remote attackers to access files outside the FTP root by
    using reverse directory traversal ('...') notation. Also, a buffer
    overflow exists in the handling of long FTP commands.

    These vulnerabilities have not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-09/0216.html

    - --- Linux News ---------------------------------------------------------

    *** {01.40.006} Linux - Update {01.39.015}: Squid FTP mkdir PUT DoS

    Conectiva has released updated squid packages, which fix the
    vulnerability discussed in {01.39.015} ("Squid FTP mkdir PUT DoS").

    The updated packages are listed at:
    http://archives.neohapsis.com/archives/linux/conectiva/2001-q3/0020.html

    Source: Conectiva
    http://archives.neohapsis.com/archives/linux/conectiva/2001-q3/0020.html

    *** {01.40.007} Linux - Update {01.36.030}: mod_auth_pgsql SQL injection

    Conectiva has released updated mod_auth_pgsql packages, which fix
    the vulnerability discussed in {01.36.030} ("mod_auth_pgsql SQL
    injection").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/conectiva/2001-q3/0021.html

    Source: Conectiva
    http://archives.neohapsis.com/archives/linux/conectiva/2001-q3/0021.html

    *** {01.40.012} Linux - RedHat setserial init script temp file
                    vulnerability

    RedHat has released an advisory indicating that the setserial init
    script uses a predictable temporary file name, thereby allowing a
    local attacker to perform a symlink attack.

    RedHat's recommended solution is to not use the setserial script and
    not compile serial support as a module in the Linux kernel.

    Source: RedHat
    http://archives.neohapsis.com/archives/linux/redhat/2001-q4/0002.html

    - --- HP-UX News ---------------------------------------------------------

    *** {01.40.019} HPUX - rpcbind malformed request DoS

    HP has released an advisory indicating that a bug in rpcbind could
    cause it to crash, leading to a denial of service.

    HP has released the following patches:
    HPUX 11.00: PHNE_24034
    HPUX 11.11: PHNE_24035

    Source: HP
    http://archives.neohapsis.com/archives/hp/2001-q4/0000.html

    - --- SCO News -----------------------------------------------------------

    *** {01.40.003} SCO - dtaction command line parameter overflow

    Caldera/SCO has released an advisory indicating a buffer overflow
    in dtaction's handling of command line options. This overflow would
    allow a local attacker to execute arbitrary code with elevated
    privileges. Both Unixware 7 and OpenUnix 8 are vulnerable.

    Caldera has confirmed this vulnerability and released an update,
    which is available at:
    ftp://stage.caldera.com/pub/security/openunix/CSSA-2001-SCO.21/

    Source: Caldera/SCO (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2001-10/0001.html

    *** {01.40.004} SCO - dtsession env variable overflow

    Unixware version 7 and OpenUnix version 8 shipped with a dtsession
    binary that contains a buffer overflow in the handling of particularly
    long environment variables. A local attacker could use this overflow
    to execute arbitrary commands with elevated privileges.

    Caldera/SCO has confirmed this vulnerability and released a fix,
    which is available at:
    ftp://stage.caldera.com/pub/security/openunix/CSSA-2001-SCO.23/

    Source: Caldera/SCO (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2001-10/0002.html

    *** {01.40.005} SCO - dtprintinfo env variable overflow

    Both Unixware version 7 and OpenUnix version 8 have been found to
    contain a buffer overflow in dtprintinfo's handling of particular
    environment variables. The overflow could allow a local attacker to
    execute arbitrary code with elevated privileges.

    Caldera/SCO has confirmed this vulnerability and released an update,
    which is available at:
    ftp://stage.caldera.com/pub/security/openunix/CSSA-2001-SCO.22/

    Source: Caldera/SCO (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2001-10/0003.html

    - --- Network Appliances News --------------------------------------------

    *** {01.40.022} NApps - 3Com HomeConnect cable modem HTTP server DoS

    3Com's HomeConnect cable modem has been found to reset when a remote
    attacker makes a large HTTP request to the embedded Web server. This
    results in a denial of service situation.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-09/0217.html

    *** {01.40.024} NApps - Cisco PIX SMTP mailguard bypass

    Cisco has released an advisory indicating that the mailguard feature
    of the PIX firewall running versions 6.0(1), 5.2(5) and 5.2(4) can
    be bypassed by a remote attacker.

    A full patch/update matrix is available at:
    http://archives.neohapsis.com/archives/bugtraq/2001-09/0219.html

    Source: Cisco (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2001-09/0219.html

    - --- Cross-Platform News ------------------------------------------------

    *** {01.40.008} Cross - Compaq Insight Manager overflow

    Compaq has released an advisory indicating a buffer overflow in the
    Compaq Insight Manager application for all platforms. The buffer
    overflow would allow a remote attacker to execute arbitrary code
    under root/administrator privileges.

    Compaq has released several updated SoftPaqs; more information is
    available at:
    http://archives.neohapsis.com/archives/compaq/2001-q3/0044.html

    Source: Compaq
    http://archives.neohapsis.com/archives/compaq/2001-q3/0044.html

    *** {01.40.014} Cross - Update {01.39.013}: IBM Websphere predictable
                    session IDs

    IBM has responded to the vulnerability discussed in
    {01.39.013} ("IBM Websphere predictable session IDs"). Patches,
    workarounds and supporting information are all available at:
    http://archives.neohapsis.com/archives/bugtraq/2001-09/0234.html

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-09/0234.html

    *** {01.40.015} Cross - Sendmail 8.12.1 fixes security vulnerabilities

    Sendmail version 8.12.1 has been released. This version fixes three
    notable local security vulnerabilities: sendmail does not properly drop
    privileges, thereby allowing an attacker to take advantage of buffer
    overflows in the configuration parsing code to execute arbitrary code
    and gain gid smmsp; an attacker can force queued messages to expire;
    and configuration and mail information is readable, even where the
    local configuration does not normally allow the attacker to read it.

    The vendor has confirmed these vulnerabilities and released Sendmail
    version 8.12.1, which is available at:
    ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.1.tar.Z

    Source: Sendmail, Vulnwatch
    http://archives.neohapsis.com/archives/sendmail/2001-q4/0000.html
    http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0001.html

    *** {01.40.016} Cross - OpenSSH from restriction bypass

    OpenSSH versions prior to 2.9.9 contain a vulnerability whereby an
    SSH key (specified in the authorized_keys2 file) containing a 'from='
    restriction may have the restriction overwritten if a second key of
    a different type is included after the first key.

    The vendor has confirmed this vulnerability. Version 2.9.9 contains
    a fix.

    Source: OpenBSD
    http://archives.neohapsis.com/archives/openbsd/2001-09/1743.html

    *** {01.40.018} Cross - OpenView NNM privilege escalation vulnerability

    HP has released an advisory indicating that a privilege escalation
    vulnerability exists in OpenView Network Node Manager (NNM) versions
    5.01, 6.1 and 6.2 on HP-UX and Solaris.

    A full patch matrix is available at:
    http://archives.neohapsis.com/archives/hp/2001-q4/0000.html

    Source: HP
    http://archives.neohapsis.com/archives/hp/2001-q4/0000.html

    *** {01.40.020} Cross - (rpc.)ttdbserver syslog() format string attack

    An advisory was released indicating that various Unix vendors'
    implementations of the rpc.ttdbserver ToolTalk service are vulnerable
    to a format string attack in a particular syslog() call. This
    allows a remote attacker to execute arbitrary code, typically with
    root privileges.
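    The syslog() format-string bug class named in this entry, modelled in C as an added illustration for this page (not rpc.ttdbserver's or any vendor's code): the two loggers write into a caller-supplied buffer instead of calling syslog(3) so the difference is observable as a returned string, and the sample message is constructed.

```c
/* Constructed model of the format-string bug class in {01.40.020}.
 * Not rpc.ttdbserver's code: it formats into a buffer rather than
 * calling syslog(3) so the effect can be checked as a return value. */
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: attacker-influenced text is passed as the *format*
 * argument, so any '%' directives it carries are interpreted by the
 * formatter. The real bug is the equivalent of syslog(LOG_ERR, msg). */
int log_unsafe(char *out, size_t outlen, const char *msg)
{
    /* Shown only with "%%" input so the behaviour stays well defined. */
    return snprintf(out, outlen, msg);
}

/* Hardened pattern: the format string is a literal and the untrusted
 * text is only ever a %s argument, so '%' in msg is data, not a directive.
 * The corresponding fix is syslog(LOG_ERR, "%s", msg). */
int log_safe(char *out, size_t outlen, const char *msg)
{
    return snprintf(out, outlen, "%s", msg);
}

/* Returns 1 when the message reaches the log verbatim, 0 when the logger
 * interpreted it as a format string (the condition a code review or
 * log audit for this bug class should flag). */
int logged_verbatim(int (*logger)(char *, size_t, const char *),
                    const char *msg)
{
    char line[256];
    logger(line, sizeof line, msg);
    return strcmp(line, msg) == 0;
}

int main(void)
{
    /* Constructed input: "%%" is a valid directive that prints a single '%'. */
    const char *msg = "client sent 100%% bogus request";
    char line[256];

    log_unsafe(line, sizeof line, msg);
    printf("unsafe: %s\n", line);   /* the %% collapses to %: interpreted */
    log_safe(line, sizeof line, msg);
    printf("safe:   %s\n", line);   /* message logged exactly as received */
    return 0;
}
```

    A compiler flag such as -Wformat-security reports the unsafe call at build time, which is the cheapest place to catch this pattern.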

    Various vendors have confirmed this vulnerability, while many others
    are currently aware of the problem and producing patches.

    HP updates are listed at:
    http://archives.neohapsis.com/archives/hp/2001-q4/0000.html

    IBM has released an AIX eFix:
    ftp://aix.software.ibm.com/aix/efixes/security/tooltalk_efix.tar.Z

    Source: ISS, HP
    http://archives.neohapsis.com/archives/iss/2001-q4/0009.html
    http://archives.neohapsis.com/archives/hp/2001-q4/0000.html

    - --- Tool Announcements News --------------------------------------------

    *** {01.40.001} Tools - TCT 1.08 available

    Version 1.08 of TCT (The Coroner's Toolkit), a free forensic software
    suite, has been released. It fixes a big bug in the unrm command when
    used on a Linux ext2 file system.

    The software is available at:
    http://www.porcupine.org/forensics/

    Source: SecurityFocus Forensics list
    http://archives.neohapsis.com/archives/sf/forensics/2001-q3/0317.html

    *** {01.40.002} Tools - BIND 8.2.5 available

    BIND version 8.2.5 has been released. This version contains numerous
    bug fixes over 8.2.4.

    The latest version can be found at:
    ftp://ftp.isc.org/isc/bind/src/8.2.5/bind-src.tar.gz

    Source: BIND
    http://archives.neohapsis.com/archives/bind/2001/0046.html

    ************************************************************************

    ------------------------------------------------------------------------

    Become a Security Alert Consensus member! If this e-mail was passed
    to you and you would like to begin receiving our security e-mail
    newsletter on a weekly basis, we invite you to subscribe today.
    http://www.networkcomputing.com/consensus/.

    We are signing the Consensus newsletter with PGP. The new SANS PGP key
    is posted at:
    http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46
    and can be accessed from the SANS Web site (http://www.sans.org).

    Special Note: To better secure your confidential information,
    we will no longer include personal URLs in our Consensus
    newsletter mailings. Instead, we have created a new form
    (http://www.sans.org/sansurl). On this form you can enter the SD
    number located near your name at the top of the newsletter. When you
    submit this form, an e-mail containing a URL will be sent to you at
    the e-mail address on record. With this URL you can make changes to
    your account (edit the content of your Consensus mailing, for example)
    without endangering the security of your personal URL. If you'd like
    to change your e-mail address or other information, or unsubscribe
    to this newsletter, please visit your new URL as described above. If
    you have any problems or questions, e-mail us at <consensusnwc.com>.

    Missed an issue? You can find all back issues of
    Security Alert Consensus (and Security Express) online.
    http://archives.neohapsis.com/

    Your opinion counts. We'd like to hear your thoughts on Security Alert
    Consensus. E-mail any questions or comments to <consensusnwc.com>.

    Copyright (c) 2001 Network Computing, a CMP Media LLC
    publication. All Rights Reserved. Distributed by Network
    Computing (http://www.networkcomputing.com) and The SANS Institute
    (http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
    security assessment and integration services consulting group
    (infoneohapsis.com | http://www.neohapsis.com/).