From: Network Computing and The SANS Institute (sans+ZZ18689614713033775 at sans.org)
Date: Thu Oct 04 2001 - 14:42:52 CDT
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 117 (01.40)
Thursday, October 4, 2001
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Our thoughts and prayers remain with the victims and families affected
by the tragic events of September 11th. Our support also goes out to
all the brave individuals working in the recovery efforts.
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below
you should find information pertaining only to the categories you
requested. If you have any problems or questions, please e-mail us
at <consensus at nwc.com>.
----------------------------------------------------------------------
** Request your FREE Internet Security Handbook **
It's more important than ever to protect your information assets, avoid
business interruption, and prevent revenue loss. Request your *FREE*
copy of "Securing the Internet Economy: An Executive Guide to Managing
Online Risk" from Internet Security Systems (ISS).
Click here: http://www.iss.net/mktg/sac10401/
----------------------------------------------------------------------
Windows shops, it seems, can rest easy this week -- the only Microsoft
patch released was a slight denial of service against Outlook Web
Access IIS deployments. Unix camps, however, are in for a treat:
a multivendor rpc.ttdbserver remote exploit, which lets attackers
execute arbitrary code with root privileges. And for those of you who
upgraded to Sendmail 8.12.0, you'll need to upgrade to 8.12.1 to fix
some local security problems. All three vulnerabilities are reported
in this issue (under 'Microsoft' and 'Cross-Platform', respectively).
Until next week,
--Security Alert Consensus Team
************************************************************************
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
TABLE OF CONTENTS:
{01.40.009} Win - PGP keyserver admin CGI auth bypass
{01.40.010} Win - Meteor FTP command reverse directory traversal
{01.40.011} Win - MS01-049: Deeply nested OWA Request DoS
{01.40.013} Win - COM2001 Alexis/InternetPBX plain text auth info
{01.40.017} Win - Amtote HomeBet homebet.log download
{01.40.021} Win - WinMySqlAdmin plain text auth info storage
{01.40.023} Win - QVT/Term FTP server security vulnerabilities
{01.40.006} Linux - Update {01.39.015}: Squid FTP mkdir PUT DoS
{01.40.007} Linux - Update {01.36.030}: mod_auth_pgsql SQL injection
{01.40.012} Linux - RedHat setserial init script temp file vulnerability
{01.40.019} HPUX - rpcbind malformed request DoS
{01.40.003} SCO - dtaction command line parameter overflow
{01.40.004} SCO - dtsession env variable overflow
{01.40.005} SCO - dtprintinfo env variable overflow
{01.40.022} NApps - 3Com HomeConnect cable modem HTTP server DoS
{01.40.024} NApps - Cisco PIX SMTP mailguard bypass
{01.40.008} Cross - Compaq Insight Manager overflow
{01.40.014} Cross - Update {01.39.013}: IBM Websphere predictable session IDs
{01.40.015} Cross - Sendmail 8.12.1 fixes security vulnerabilities
{01.40.016} Cross - OpenSSH from restriction bypass
{01.40.018} Cross - OpenView NNM privilege escalation vulnerability
{01.40.020} Cross - (rpc.)ttdbserver syslog() format string attack
{01.40.001} Tools - TCT 1.08 available
{01.40.002} Tools - BIND 8.2.5 available
--- Windows News -------------------------------------------------------
*** {01.40.009} Win - PGP keyserver admin CGI auth bypass
NAI's PGP keyserver version 7.0 contains a vulnerability that would
allow a remote attacker to bypass authentication and access the
administrative CGIs.
NAI has confirmed this vulnerability and released an update, which
is available at:
http://www.pgp.com/support/product-advisories/keyserver.asp
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-09/0230.html
*** {01.40.010} Win - Meteor FTP command reverse directory traversal
Meteor FTP version 1.0 has been found to allow remote attackers to use
reverse directory traversal ("..") notation in various FTP commands,
thereby allowing them to access files outside the restricted FTP root.
The advisory indicates vendor confirmation; a patch is currently in
the works.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-09/0231.html
*** {01.40.011} Win - MS01-049: Deeply nested OWA Request DoS
Microsoft has released MS01-049 ("Deeply nested OWA Request DoS"). It's
possible for a remote attacker, who has access to a valid Outlook Web
Access mailbox, to submit a request that would leave the IIS server
consuming large amounts of CPU processing time, thus performing a
denial of service.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS01-049.asp
Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2001-q3/0045.html
*** {01.40.013} Win - COM2001 Alexis/InternetPBX plain text auth info
COM2001's Alexis server version 2.1, a part of the InternetPBX software
suite, has been found to insecurely store authentication information
in plain text on the local file system. Authentication information
is also transmitted via unencrypted HTTP (even if the initial server
connection was over HTTPS).
The advisory indicates confirmation by the vendor, which will fix
the problem in a future update.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-09/0232.html
*** {01.40.017} Win - Amtote HomeBet homebet.log download
Amtote's HomeBet Web application has been found to place a log file in
a remotely accessible directory (/homebet/), which could allow a remote
attacker to download the file and gain access to all user information.
A suggested workaround is to remove IUSR_<machine> access to the
homebet.log file (or remove the /homebet/ virtual directory).
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-09/0235.html
*** {01.40.021} Win - WinMySqlAdmin plain text auth info storage
WinMySqlAdmin version 1.1 has been found to store database
authentication information unencrypted in a local file. This could
allow an attacker to retrieve this information.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-10/0004.html
*** {01.40.023} Win - QVT/Term FTP server security vulnerabilities
QVT/Term version 5.0 comes with an FTP server, which has been found
to allow remote attackers to access files outside the FTP root by
using reverse directory traversal ('...') notation. Also, a buffer
overflow exists in the handling of long FTP commands.
These vulnerabilities have not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-09/0216.html
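Both {01.40.010} and {01.40.023} are the same defect: the server joins the client's path onto the FTP root without first resolving ".." (or, in the QVT/Term case, "...") components. The following is an added example, not code from either product, showing how a server can confine a client-supplied path lexically, in the virtual namespace, before the real root is prefixed and the file system is touched. The function name confine_path, the treatment of '\' as a second separator, the outright rejection of any all-dots component, and the sample requests are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

#define MAX_DEPTH 64

/* Both '/' and '\\' are treated as separators, since Windows FTP servers
 * accept either from clients (assumption made for this example). */
static int is_sep(char c)
{
    return c == '/' || c == '\\';
}

/* Resolve a client-supplied path against the current virtual directory and
 * confine it to the virtual root "/". On success writes the normalized
 * absolute virtual path to 'out' and returns 1; returns 0 when the path would
 * leave the root, uses an all-dots component such as "...", is too deep, or
 * does not fit in 'out'. The real filesystem path is then ftp_root + out. */
int confine_path(const char *cwd, const char *request, char *out, size_t outlen)
{
    char buf[1024];
    const char *parts[MAX_DEPTH];
    size_t depth = 0, used = 0;
    int n;

    /* An absolute request replaces cwd; a relative one is appended to it. */
    n = is_sep(request[0]) ? snprintf(buf, sizeof buf, "%s", request)
                           : snprintf(buf, sizeof buf, "%s/%s", cwd, request);
    if (n < 0 || (size_t)n >= sizeof buf)
        return 0;

    /* Walk the components, resolving "." and ".." lexically. */
    for (char *p = buf; *p; ) {
        char *start;
        while (*p && is_sep(*p))
            *p++ = '\0';
        if (!*p)
            break;
        start = p;
        while (*p && !is_sep(*p))
            p++;
        if (*p)
            *p++ = '\0';

        if (strcmp(start, ".") == 0)
            continue;
        if (strcmp(start, "..") == 0) {
            if (depth == 0)
                return 0;          /* would climb above the virtual root */
            depth--;
            continue;
        }
        if (strspn(start, ".") == strlen(start))
            return 0;              /* "..." and longer: platform-dependent, reject */
        if (depth == MAX_DEPTH)
            return 0;
        parts[depth++] = start;
    }

    /* Rebuild the canonical path with '/' separators. */
    if (outlen == 0)
        return 0;
    out[0] = '\0';
    if (depth == 0)
        return snprintf(out, outlen, "/") < (int)outlen;
    for (size_t i = 0; i < depth; i++) {
        n = snprintf(out + used, outlen - used, "/%s", parts[i]);
        if (n < 0 || (size_t)n >= outlen - used)
            return 0;
        used += (size_t)n;
    }
    return 1;
}

int main(void)
{
    /* Constructed requests: one benign, the rest shaped like the traversal
     * attempts the two advisories describe. */
    const char *requests[] = { "docs/readme.txt", "../../../boot.ini",
                               "..\\..\\win.ini", ".../.../win.ini", ".." };
    char out[256];

    for (size_t i = 0; i < sizeof requests / sizeof requests[0]; i++) {
        if (confine_path("/pub", requests[i], out, sizeof out))
            printf("%-20s -> serve %s\n", requests[i], out);
        else
            printf("%-20s -> REJECT (log it; count it as a traversal probe)\n",
                   requests[i]);
    }
    return 0;
}
```

Rejections are worth logging and counting: a client that tries to climb past the root is probing, and the counter is a cheap detection signal. Resolving in the virtual namespace first and only then prefixing the real root avoids the classic mistake of string-checking a path before the operating system has interpreted it.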
--- Linux News ---------------------------------------------------------
*** {01.40.006} Linux - Update {01.39.015}: Squid FTP mkdir PUT DoS
Conectiva has released updated squid packages, which fix the
vulnerability discussed in {01.39.015} ("Squid FTP mkdir PUT DoS").
The updated packages are listed at:
http://archives.neohapsis.com/archives/linux/conectiva/2001-q3/0020.html
Source: Conectiva
http://archives.neohapsis.com/archives/linux/conectiva/2001-q3/0020.html
*** {01.40.007} Linux - Update {01.36.030}: mod_auth_pgsql SQL injection
Conectiva has released updated mod_auth_pgsql packages, which fix
the vulnerability discussed in {01.36.030} ("mod_auth_pgsql SQL
injection").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/conectiva/2001-q3/0021.html
Source: Conectiva
http://archives.neohapsis.com/archives/linux/conectiva/2001-q3/0021.html
*** {01.40.012} Linux - RedHat setserial init script temp file vulnerability
RedHat has released an advisory indicating that the setserial init
script uses a predictable temporary file name, thereby allowing a
local attacker to perform a symlink attack.
RedHat's recommended solution is to not use the setserial script and
not compile serial support as a module in the Linux kernel.
Source: RedHat
http://archives.neohapsis.com/archives/linux/redhat/2001-q4/0002.html
--- HP-UX News ---------------------------------------------------------
*** {01.40.019} HPUX - rpcbind malformed request DoS
HP has released an advisory indicating that a bug in rpcbind could
cause it to crash, leading to a denial of service.
HP has released the following patches:
HPUX 11.00: PHNE_24034
HPUX 11.11: PHNE_24035
Source: HP
http://archives.neohapsis.com/archives/hp/2001-q4/0000.html
--- SCO News -----------------------------------------------------------
*** {01.40.003} SCO - dtaction command line parameter overflow
Caldera/SCO has released an advisory indicating a buffer overflow
in dtaction's handling of command line options. This overflow would
allow a local attacker to execute arbitrary code with elevated
privileges. Both Unixware 7 and OpenUnix 8 are vulnerable.
Caldera has confirmed this vulnerability and released an update,
which is available at:
ftp://stage.caldera.com/pub/security/openunix/CSSA-2001-SCO.21/
Source: Caldera/SCO (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-10/0001.html
*** {01.40.004} SCO - dtsession env variable overflow
Unixware version 7 and OpenUnix version 8 shipped with a dtsession
binary that contains a buffer overflow in the handling of particularly
long environment variables. A local attacker could use this overflow
to execute arbitrary commands with elevated privileges.
Caldera/SCO has confirmed this vulnerability and released a fix,
which is available at:
ftp://stage.caldera.com/pub/security/openunix/CSSA-2001-SCO.23/
Source: Caldera/SCO (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-10/0002.html
*** {01.40.005} SCO - dtprintinfo env variable overflow
Both Unixware version 7 and OpenUnix version 8 have been found to
contain a buffer overflow in dtprintinfo's handling of particular
environment variables. The overflow could allow a local attacker to
execute arbitrary code with elevated privileges.
Caldera/SCO has confirmed this vulnerability and released an update,
which is available at:
ftp://stage.caldera.com/pub/security/openunix/CSSA-2001-SCO.22/
Source: Caldera/SCO (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-10/0003.html
--- Network Appliances News --------------------------------------------
*** {01.40.022} NApps - 3Com HomeConnect cable modem HTTP server DoS
3Com's HomeConnect cable modem has been found to reset when a remote
attacker makes a large HTTP request to the embedded Web server. This
results in a denial of service situation.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-09/0217.html
*** {01.40.024} NApps - Cisco PIX SMTP mailguard bypass
Cisco has released an advisory indicating that the mailguard feature
of the PIX firewall running versions 6.0(1), 5.2(5) and 5.2(4) can
be bypassed by a remote attacker.
A full patch/update matrix is available at:
http://archives.neohapsis.com/archives/bugtraq/2001-09/0219.html
Source: Cisco (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-09/0219.html
--- Cross-Platform News ------------------------------------------------
*** {01.40.008} Cross - Compaq Insight Manager overflow
Compaq has released an advisory indicating a buffer overflow in the
Compaq Insight Manager application for all platforms. The buffer
overflow would allow a remote attacker to execute arbitrary code
under root/administrator privileges.
Compaq has released several updated SoftPaqs; more information is
available at:
http://archives.neohapsis.com/archives/compaq/2001-q3/0044.html
Source: Compaq
http://archives.neohapsis.com/archives/compaq/2001-q3/0044.html
*** {01.40.014} Cross - Update {01.39.013}: IBM Websphere predictable session IDs
IBM has responded to the vulnerability discussed in
{01.39.013} ("IBM Websphere predictable session IDs"). Patches,
workarounds and supporting information are all available at:
http://archives.neohapsis.com/archives/bugtraq/2001-09/0234.html
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-09/0234.html
*** {01.40.015} Cross - Sendmail 8.12.1 fixes security vulnerabilities
Sendmail version 8.12.1 has been released. This version fixes three
notable local security vulnerabilities: sendmail does not properly drop
privileges, thereby allowing an attacker to take advantage of buffer
overflows in the configuration parsing code to execute arbitrary code
to gain gid smmsp; an attacker can force queued messages to expire;
and configuration and mail information is available, even if the
local configuration does not normally allow the attacker to read it.
The vendor has confirmed these vulnerabilities and released Sendmail
version 8.12.1, which is available at:
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.1.tar.Z
Source: Sendmail, Vulnwatch
http://archives.neohapsis.com/archives/sendmail/2001-q4/0000.html
http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0001.html
*** {01.40.016} Cross - OpenSSH from restriction bypass
OpenSSH versions prior to 2.9.9 contain a vulnerability whereby an
SSH key (specified in the authorized_keys2 file) containing a 'from='
restriction may have the restriction overwritten if a second key of
a different type is included after the first key.
The vendor has confirmed this vulnerability. Version 2.9.9 contains
a fix.
Source: OpenBSD
http://archives.neohapsis.com/archives/openbsd/2001-09/1743.html
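As an added example (not OpenSSH code): until the upgrade is in place, an administrator can at least confirm that every key in authorized_keys2 carries its own from= option, since the bug concerns a restriction on one key being lost when a key of a different type follows it. The parser below assumes the file format as it is commonly written (options, then key type, key, comment), does not handle escaped quotes inside option values, and uses constructed sample content and hypothetical function names.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Does this authorized_keys line carry a from= option? Options come before
 * the key; a line that starts with a key type ("ssh-rsa", "ssh-dss") or, for
 * SSH1 keys, with the bit count carries no options at all. Commas and spaces
 * inside double quotes belong to an option value (e.g. command="...").
 * Escaped quotes are not handled (assumption: none occur in the file). */
static int line_has_from_option(const char *line, size_t len)
{
    size_t start = 0;
    int in_quote = 0;

    if (len == 0 || isdigit((unsigned char)line[0]) || strncmp(line, "ssh-", 4) == 0)
        return 0;

    for (size_t i = 0; i <= len; i++) {
        char c = (i < len) ? line[i] : ' ';   /* sentinel ends the last option */
        if (c == '"') { in_quote = !in_quote; continue; }
        if (in_quote) continue;
        if (c == ',' || c == ' ' || c == '\t') {
            if (i - start >= 5 && strncmp(line + start, "from=", 5) == 0)
                return 1;
            if (c != ',')
                return 0;                      /* end of the options field */
            start = i + 1;
        }
    }
    return 0;
}

/* Count key lines that have no from= restriction. Blank lines and comments
 * are skipped. Returns the count so an audit script can fail when non-zero. */
int count_keys_without_from(const char *text)
{
    int missing = 0;
    const char *line = text;

    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        if (len > 0 && line[0] != '#' && !line_has_from_option(line, len))
            missing++;
        if (!nl) break;
        line = nl + 1;
    }
    return missing;
}

/* Constructed authorized_keys2 content; key blobs are truncated placeholders.
 * Lines 2 and 4 (ssh-dss without options, ssh-rsa with only command=/no-pty)
 * are the ones an audit should report. */
const char *SAMPLE_AUTHORIZED_KEYS =
    "# constructed sample, not a real key file\n"
    "from=\"10.0.0.0/8\" ssh-rsa AAAAB3NzaC1yc2EAAAA...placeholder deploy@example\n"
    "ssh-dss AAAAB3NzaC1kc3MAAAA...placeholder backup@example\n"
    "command=\"/usr/bin/rsync --server\",no-pty ssh-rsa AAAAB3...placeholder rsync@example\n"
    "no-port-forwarding,from=\"192.0.2.0/24\" ssh-dss AAAAB3...placeholder ops@example\n";

int main(void)
{
    int missing = count_keys_without_from(SAMPLE_AUTHORIZED_KEYS);
    printf("%d key line(s) without a from= restriction\n", missing);
    return missing != 0;   /* non-zero exit flags the file for review */
}
```

Run over every user's authorized_keys and authorized_keys2, a non-zero count identifies the accounts where a second, unrestricted key of another type could sit behind a restricted one; those files deserve a look before, not after, the 2.9.9 upgrade.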
*** {01.40.018} Cross - OpenView NNM privilege escalation vulnerability
HP has released an advisory indicating that a privilege escalation
vulnerability exists in OpenView Network Node Manager (NNM) versions
5.01, 6.1 and 6.2 on HP-UX and Solaris.
A full patch matrix is available at:
http://archives.neohapsis.com/archives/hp/2001-q4/0000.html
Source: HP
http://archives.neohapsis.com/archives/hp/2001-q4/0000.html
*** {01.40.020} Cross - (rpc.)ttdbserver syslog() format string attack
An advisory was released indicating that various Unix vendors'
implementations of the rpc.ttdbserver Tool Talk service are vulnerable
to a format string attack in a particular syslog() function. This
allows a remote attacker to execute arbitrary code, typically with
root privileges.
Various vendors have confirmed this vulnerability, while many others
are currently aware of the problem and producing patches.
HP updates are listed at:
http://archives.neohapsis.com/archives/hp/2001-q4/0000.html
IBM has released an AIX eFix:
ftp://aix.software.ibm.com/aix/efixes/security/tooltalk_efix.tar.Z
Source: ISS, HP
http://archives.neohapsis.com/archives/iss/2001-q4/0009.html
http://archives.neohapsis.com/archives/hp/2001-q4/0000.html
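For readers less familiar with the bug class, the following added example (not ttdbserver's code, and not from ISS or HP) contrasts the vulnerable logging shape with the hardened one and adds a small detection heuristic. The wrapper names, the count_format_directives function, the constructed hostile string and the 192.0.2.10 client address (an RFC 5737 documentation address) are all assumptions made for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Count the conversion directives a string would trigger if it were ever used
 * as a format string ("%%" is a literal percent sign, not a directive). Useful
 * as a detection heuristic on untrusted fields that are about to be logged. */
size_t count_format_directives(const char *s)
{
    size_t n = 0;
    while (*s) {
        if (*s == '%') {
            if (s[1] == '%') { s += 2; continue; }
            n++;
        }
        s++;
    }
    return n;
}

/* VULNERABLE shape (hypothetical wrapper, not ttdbserver's code): the caller's
 * string is the format. A wrapper like this hides the bug from the compiler's
 * -Wformat-security check, and every '%' in untrusted text becomes a directive
 * (%x reads stack words, %n writes memory). Shown for contrast; callers must
 * never pass untrusted data as 'fmt'. */
void log_vulnerable(const char *fmt, ...)
{
    char buf[256];
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(buf, sizeof buf, fmt, ap);
    va_end(ap);
    syslog(LOG_ERR, "%s", buf);
}

/* HARDENED shape: the format string is a constant and untrusted text travels
 * only as a %s argument, so its '%' characters are data. */
void log_hardened(const char *client, const char *msg)
{
    syslog(LOG_ERR, "request from %s rejected: %s", client, msg);
}

/* The same hardened formatting rendered into a caller-supplied buffer so the
 * result can be inspected; returns snprintf's length, which lets the caller
 * detect truncation. */
int render_log_line(char *out, size_t outlen, const char *client, const char *msg)
{
    return snprintf(out, outlen, "request from %s rejected: %s", client, msg);
}

int main(void)
{
    /* Constructed hostile input shaped like a format-string probe. */
    const char *hostile = "%x%x%x%n";
    char line[128];

    printf("directives the hostile input would trigger: %zu\n",
           count_format_directives(hostile));
    render_log_line(line, sizeof line, "192.0.2.10", hostile);
    printf("hardened line: %s\n", line);  /* hostile text appears verbatim */
    log_hardened("192.0.2.10", hostile);  /* safe even with the hostile text */
    log_vulnerable("service started");    /* benign literal: the bug stays hidden */
    return 0;
}
```

The count function is a reasonable check to run over untrusted fields before they are logged: a '%' in a client-supplied hostname or RPC argument is unusual and worth an alert. The fix is always the constant format string with the data passed as an argument; -Wformat-security reports a direct call whose format is a non-literal with no arguments, but not a wrapper that forwards its va_list, which is why review still has to follow the format argument back to its source.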
--- Tool Announcements News --------------------------------------------
*** {01.40.001} Tools - TCT 1.08 available
Version 1.08 of TCT (The Coroner's Toolkit), a free forensic software
suite, has been released. It fixes a big bug in the unrm command when
used on a Linux ext2 file system.
The software is available at:
http://www.porcupine.org/forensics/
Source: SecurityFocus Forensics list
http://archives.neohapsis.com/archives/sf/forensics/2001-q3/0317.html
*** {01.40.002} Tools - BIND 8.2.5 available
BIND version 8.2.5 has been released. This version contains numerous
bug fixes over 8.2.4.
The latest version can be found at:
ftp://ftp.isc.org/isc/bind/src/8.2.5/bind-src.tar.gz
Source: BIND
http://archives.neohapsis.com/archives/bind/2001/0046.html
************************************************************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (BSD/OS)
Comment: For info see http://www.gnupg.org
iD8DBQE7vLlZ+LUG5KFpTkYRAjJhAJ98MYUM81fduqlBJDL6PmQoMDlFWQCghUiZ
Dm4idOlT/q/iYz5CwbiypUA=
=YDD8
-----END PGP SIGNATURE-----
----------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed
to you and you would like to begin receiving our security e-mail
newsletter on a weekly basis, we invite you to subscribe today.
http://www.networkcomputing.com/consensus/.
We are signing the Consensus newsletter
with PGP. The new SANS PGP key is posted at:
http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46
and can be accessed from the SANS Web site (http://www.sans.org).
Special Note: To better secure your confidential information,
we will no longer include personal URLs in our Consensus
newsletter mailings. Instead, we have created a new form
(http://www.sans.org/sansurl). On this form you can enter the SD
number located near your name at the top of the newsletter. When you
submit this form, an e-mail containing a URL will be sent to you at
the e-mail address on record. With this URL you can make changes to
your account (edit the content of your Consensus mailing, for example)
without endangering the security of your personal URL. If you'd like
to change your e-mail address or other information, or unsubscribe
to this newsletter, please visit your new URL as described above. If
you have any problems or questions, e-mail us at <consensus at nwc.com>.
Missed an issue? You can find all back issues of
Security Alert Consensus (and Security Express) online.
http://archives.neohapsis.com/
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus at nwc.com>.
Copyright (c) 2001 Network Computing, a CMP Media LLC
publication. All Rights Reserved. Distributed by Network
Computing (http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info at neohapsis.com | http://www.neohapsis.com/).