From: Network Computing and The SANS Institute (sans+ZZ23491644029414379@sans.org)
Date: Thu Oct 18 2001 - 14:15:53 CDT
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 119 (01.42)
Thursday, October 18, 2001
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Our thoughts and prayers remain with the victims and families affected
by the tragic events of September 11th. Our support also goes out to
all the brave individuals working in the recovery efforts.
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below
you should find information pertaining only to the categories you
requested. If you have any problems or questions, please e-mail us
at <consensus@nwc.com>.
----------------------------------------------------------------------
**Tailor Your Next Network Addition with Cisco**
Not just hardware resellers, Cisco Certified Partners are specialized
to offer support, consulting, systems integration, resale, and
professional services. To learn more or locate a partner right for you,
click:
http://www.cmpnet.com/cgi-bin/goto?SRC=NWCcisco&URL=http://www.cisco.com/warp/public/765/certifiedpartners/newsletter/10041035/10001026
----------------------------------------------------------------------
Once upon a time, administrators didn't have to worry about ARP cache
poisoning and redirection, because such attacks required the attacker
to have direct access to the network segment hosting the target
systems, and that segment was protected by physical boundaries. With
the surge in wireless network installations, however, the door to ARP
redirection and connection hijacking has been opened to anyone with an
off-the-shelf wireless network card. Essentially, an attacker within
radio range of an access point can poison the ARP caches of the
wireless clients into believing that the attacker's machine is the
default gateway. The result? All of the clients' traffic routes through
the attacker, where it can be read or modified in transit.
http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0008.html
The solution is simple: treat your wireless network as a hostile
network. Require every connection to authenticate and to communicate
via a VPN (WEP is *not* a VPN!) before it enters the network proper. If
you firewall off the Internet, you should firewall off your wireless
access points too.
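On the wire, the attack described above is a stream of ARP replies that rebind the gateway's IP address to the attacker's MAC. The detector below is an added example written for this issue, not code from the newsletter or from the VulnWatch post it links to. It assumes ARP replies have already been captured and decoded (for instance with tcpdump or scapy) into the ArpReply records shown; capture itself is out of scope, so the script runs offline against constructed sample traffic in which the real gateway answers first and an attacker then announces itself as the gateway to two clients.

```python
"""ARP gateway-spoof detector: an added example, not part of the newsletter.

It assumes ARP replies have already been captured and decoded (for example
with tcpdump or scapy) into the ArpReply records below; capture itself is
out of scope so the script runs offline on the constructed sample traffic.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    ts: float          # capture time in seconds
    sender_ip: str     # "I am sender_ip ..."
    sender_mac: str    # "... reachable at sender_mac"
    target_ip: str     # host whose ARP cache this reply updates


def detect_arp_spoof(replies, gateway_ip, known_gateway_mac=None):
    """Return alert strings for IP->MAC bindings that change mid-capture.

    The first MAC seen for an IP is trusted (or, for the gateway, the MAC
    pinned via known_gateway_mac); every later reply that binds that IP to a
    different MAC is reported. A changed gateway binding is what the ARP
    redirection attack looks like on the wire, so it is rated CRITICAL; other
    flip-flops are WARNING (DHCP reassignment, VM migration or a second
    attack target).
    """
    alerts = []
    binding = {}                      # ip -> MAC we trust for it
    if known_gateway_mac:
        binding[gateway_ip] = known_gateway_mac.lower()
    for r in replies:
        ip, mac = r.sender_ip, r.sender_mac.lower()
        if ip not in binding:
            binding[ip] = mac         # first sighting: learn it
            continue
        if binding[ip] != mac:
            sev = "CRITICAL" if ip == gateway_ip else "WARNING"
            alerts.append(
                f"{sev} t={r.ts:.1f}s: {ip} claimed by {mac} "
                f"(trusted {binding[ip]}), cache of {r.target_ip} poisoned"
            )
    return alerts


def ips_with_multiple_macs(replies):
    """IPs announced with more than one MAC during the capture."""
    claimants = defaultdict(set)
    for r in replies:
        claimants[r.sender_ip].add(r.sender_mac.lower())
    return {ip for ip, macs in claimants.items() if len(macs) > 1}


# Constructed sample traffic: the real gateway answers, then an attacker on
# the wireless segment announces itself as the gateway to two clients.
GATEWAY_IP = "192.168.1.1"
SAMPLE = [
    ArpReply(0.0, GATEWAY_IP, "00:11:22:33:44:55", "192.168.1.20"),
    ArpReply(1.0, "192.168.1.20", "aa:bb:cc:dd:ee:01", GATEWAY_IP),
    ArpReply(2.5, GATEWAY_IP, "00:11:22:33:44:55", "192.168.1.21"),
    ArpReply(3.0, GATEWAY_IP, "DE:AD:BE:EF:00:01", "192.168.1.20"),  # attacker
    ArpReply(3.1, GATEWAY_IP, "DE:AD:BE:EF:00:01", "192.168.1.21"),  # attacker
    ArpReply(4.0, "192.168.1.30", "aa:bb:cc:dd:ee:02", GATEWAY_IP),
]

if __name__ == "__main__":
    for line in detect_arp_spoof(SAMPLE, GATEWAY_IP):
        print(line)
```

Pinning the gateway MAC (known_gateway_mac, or a static entry such as `arp -s 192.168.1.1 00:11:22:33:44:55` on each client) removes the detector's dependence on seeing the legitimate reply first; a detector alone only tells you the redirection happened, which is why the VPN requirement above still matters: it keeps the redirected traffic unreadable.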
Until next week,
--Security Alert Consensus Team
************************************************************************
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
TABLE OF CONTENTS:
{01.42.007} Win - Ipswitch Imail server user info overwrite
{01.42.008} Win - Ipswitch Imail Web messaging multiple vulnerabilities
{01.42.010} Win - Ipswitch Web calendar server HTTP request overflow
{01.42.014} Win - TrendMicro Virus Buster/Officescan ofcscan.ini
retrieval
{01.42.018} Win - MS01-051: IE handles malformed addresses in wrong zone
{01.42.002} Linux - Update {01.41.007}: htdig/htsearch alternate config
file vulnerability
{01.42.003} Linux - Caldera sendmail config/queue run local DoS
{01.42.004} Linux - Update {01.41.001}: lpd buffer overflows
{01.42.005} Linux - Update {01.40.016}: OpenSSH from restriction bypass
{01.42.020} Linux - login stored PAM result absorbs other user
credentials
{01.42.001} SCO - Various shells create insecure tmp files for <<
processing
{01.42.006} SCO - scoadmin/sysadmin program overflows
{01.42.013} SCO - dtterm long arguments overflow
{01.42.015} SCO - Update {01.15.011}: Multiple vendor FTP glob
functionality buffer overflow
{01.42.009} Cross - Cisco PIX firewall manager logs enable password
{01.42.011} Cross - Apache 1.3.22 available, with security fixes
{01.42.012} Cross - PHPNuke/PostNuke article.php auth bypass
{01.42.016} Cross - Zope fmt attribute bypasses security checks
{01.42.017} Cross - Novell Groupwise Webacc servlet file retrieval
{01.42.019} Cross - SNES9x long argument overflow
- --- Windows News -------------------------------------------------------
*** {01.42.007} Win - Ipswitch Imail server user info overwrite
A vulnerability in the Web messaging component of Ipswitch's Imail
server version 7.04 (and prior) allows a remote attacker to change
the user information of arbitrary users by manipulating hidden form
variables.
The vendor has confirmed this vulnerability and released a patch,
which is available at:
http://www.ipswitch.com/support/IMail/patch-upgrades.html
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-10/0076.html
*** {01.42.008} Win - Ipswitch Imail Web messaging multiple
vulnerabilities
An advisory was released that indicates multiple problems in the Web
messaging component of Ipswitch's Imail server. The vulnerabilities
include predictable session IDs, viewing of other users' inboxes,
physical path information leaks for file attachments and a denial
of service.
The advisory indicates vendor confirmation. A patch for some of the
problems is available at:
ftp://ftp.ipswitch.com/Ipswitch/Product_Support/IMail/IM704HF1.exe
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-10/0082.html
*** {01.42.010} Win - Ipswitch Web calendar server HTTP request overflow
Ipswitch's Web calendaring server version 7.04 has been found to
contain a buffer overflow in the handling of large HTTP requests. The
buffer overflow allows a remote attacker to execute arbitrary code
on the system with local system privileges.
The vendor has confirmed this vulnerability and released a patch,
which is available at:
ftp://ftp.ipswitch.com/Ipswitch/Product_Support/IMail/IM704HF1.exe
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-10/0083.html
*** {01.42.014} Win - TrendMicro Virus Buster/Officescan ofcscan.ini
retrieval
TrendMicro's Officescan (a.k.a. Virus Buster) version 3.53 has
been found to allow a remote attacker to download the ofcscan.ini
configuration file from a particular HTTP directory without
authentication. The file contains authentication information protected
only by a weak encoding.
The vendor has confirmed this vulnerability. A patch for the Japanese
Virus Buster version is available at:
http://www.trendmicro.co.jp/esolution/solutionDetail.asp?solutionID=3182
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-10/0102.html
*** {01.42.018} Win - MS01-051: IE handles malformed addresses in wrong
zone
Microsoft has released MS01-051 ("IE handles malformed addresses
in wrong zone"). It's possible to construct a URL that points to a
remote server but causes IE to place it in the Local Intranet
security zone. As a result, the Web site is accessed with fewer
security restrictions, potentially allowing the site to harm the
user's system.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS01-051.asp
Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2001-q4/0002.html
- --- Linux News ---------------------------------------------------------
*** {01.42.002} Linux - Update {01.41.007}: htdig/htsearch alternate
config file vulnerability
Caldera and Conectiva have released updated htdig packages, which fix
the vulnerability discussed in {01.41.007} ("htdig/htsearch alternate
config file vulnerability").
Updated Caldera RPMs:
http://archives.neohapsis.com/archives/linux/caldera/2001-q4/0000.html
Updated Conectiva RPMs:
http://archives.neohapsis.com/archives/linux/conectiva/2001-q4/0001.html
Source: Caldera, Conectiva
http://archives.neohapsis.com/archives/linux/caldera/2001-q4/0000.html
http://archives.neohapsis.com/archives/linux/conectiva/2001-q4/0001.html
*** {01.42.003} Linux - Caldera sendmail config/queue run local DoS
Caldera has released an advisory indicating that the particular
sendmail configuration shipped with OpenLinux allows a local attacker
to perform a denial of service attack on the system.
A workaround is listed at:
http://archives.neohapsis.com/archives/linux/caldera/2001-q4/0001.html
Source: Caldera
http://archives.neohapsis.com/archives/linux/caldera/2001-q4/0001.html
*** {01.42.004} Linux - Update {01.41.001}: lpd buffer overflows
SuSE has released updated lpd packages, which fix the vulnerability
discussed in {01.41.001} ("lpd buffer overflows").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/suse/2001-q4/0148.html
Source: SuSE
http://archives.neohapsis.com/archives/linux/suse/2001-q4/0148.html
*** {01.42.005} Linux - Update {01.40.016}: OpenSSH from restriction
bypass
RedHat has released updated OpenSSH packages, which fix the
vulnerability discussed in {01.40.016} ("OpenSSH from restriction
bypass").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/bugtraq/2001-10/0109.html
Source: RedHat (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-10/0109.html
*** {01.42.020} Linux - login stored PAM result absorbs other user
credentials
The login application stores PAM information in a way that can cause
it to pick up another user's PAM data, giving the current user that
other user's credentials.
RedHat has confirmed this vulnerability. Updated RedHat RPMs are
listed at:
http://archives.neohapsis.com/archives/bugtraq/2001-10/0114.html
Source: RedHat (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-10/0114.html
- --- SCO News -----------------------------------------------------------
*** {01.42.001} SCO - Various shells create insecure tmp files for <<
processing
SCO has released patches for the vulnerabilities reported in
{00.49.018}, {00.53.032} and {00.46.015}, which all have to do
with insecure temp file creation by bash, tcsh and ksh using 'HERE'
document notation. OpenServer version 5.0.6a and prior are vulnerable.
The update can be downloaded from:
ftp://stage.caldera.com/pub/security/openserver/CSSA-2001-SCO.24/shells.tar.Z
Source: SCO (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-10/0064.html
*** {01.42.006} SCO - scoadmin/sysadmin program overflows
SCO has released an advisory indicating buffer overflows in various
scoadmin/sysadmin programs, which include atcronsh, termsh, lpsh
and backupsh. The buffer overflows would allow a local attacker to
execute arbitrary code with elevated privileges.
An update is available at:
ftp://stage.caldera.com/pub/security/openserver/CSSA-2001-SCO.25/sysadm.tar.Z
Source: SCO/Caldera
http://archives.neohapsis.com/archives/bugtraq/2001-10/0080.html
*** {01.42.013} SCO - dtterm long arguments overflow
SCO has released an advisory warning of a buffer overflow in the
handling of command line arguments passed to dtterm. This could allow a
local attacker to execute arbitrary code with elevated privileges. Both
UnixWare version 7.0 and OpenUnix version 8.0.0 are vulnerable.
Updated patches are available at:
ftp://stage.caldera.com/pub/security/openunix/CSSA-2001-SCO.26/
Source: SCO/Caldera (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-10/0099.html
*** {01.42.015} SCO - Update {01.15.011}: Multiple vendor FTP glob
functionality buffer overflow
SCO has released a patch for UnixWare version 7 to fix the
vulnerability discussed in {01.15.011} ("Multiple vendor FTP glob
functionality buffer overflow").
The patch can be downloaded from:
ftp://stage.caldera.com/pub/security/unixware/CSSA-2001-SCO.27/
Source: SCO/Caldera (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-10/0104.html
- --- Cross-Platform News ------------------------------------------------
*** {01.42.009} Cross - Cisco PIX firewall manager logs enable password
The Cisco PIX firewall manager GUI version 4.3(2)g has been found to
write the PIX enable password, unencrypted, to a local log file. An
attacker who can read the file system of the management station can
recover the password.
The solution, of course, is to properly secure the management station
against outside access. The advisory indicates vendor confirmation.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-10/0071.html
*** {01.42.011} Cross - Apache 1.3.22 available, with security fixes
Apache version 1.3.22 has been released. The new version includes
three security-related fixes: long file names on Windows may bypass
default documents and get a directory listing; the split-logfile
program was vulnerable to tampering via a malicious Host header;
and a particular query could bypass the default document and cause
a directory listing if content-negotiation is enabled.
The latest version can be downloaded from:
http://httpd.apache.org/dist/httpd/
Source: Apache
http://archives.neohapsis.com/archives/apache/2001/0015.html
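The split-logfile fix is worth a closer look because the pattern recurs in any log splitter: the first field of each line (the virtual host, from a log format beginning with %v) selects the per-host output file, so a client-supplied Host value that is not a host name becomes part of a path. The code below is an added illustration written for this issue, not Apache's split-logfile script. The exact malicious Host value is not given above, so the traversal log line is a constructed one; the checks generalise to any file name derived from a client-controlled host.

```python
"""Validating a virtual-host name before using it as a log file name.

Added example, not Apache's split-logfile code. It mirrors that tool only
in one respect: the first field of each log line (the virtual host, as
logged by a format beginning with %v) selects the per-host log file. The
malicious Host value used against split-logfile is not given in the
newsletter; the traversal sample below is a constructed illustration.
"""
import os
import re

# RFC 1123 host name: labels of [a-z0-9-], no leading/trailing '-', at most
# 63 chars each and 253 overall. Nothing else ('/', '..', spaces, quotes)
# may ever reach a file system path.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
    r"(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*$"
)


def vhost_of(line):
    """First whitespace-separated field of a %v-prefixed access log line."""
    return line.split(None, 1)[0]


def logfile_unsafe(logdir, line):
    """The trusting version: whatever the client sent becomes part of a path."""
    return os.path.join(logdir, vhost_of(line) + ".log")


def logfile_safe(logdir, line):
    """Return the per-host log path, or None if the host field is not a
    syntactically valid host name mapping to a file directly under logdir."""
    vhost = vhost_of(line).lower().rstrip(".")
    if not HOSTNAME_RE.match(vhost):
        return None
    path = os.path.join(logdir, vhost + ".log")
    # Belt and braces: even a valid-looking name must resolve inside logdir.
    if os.path.dirname(os.path.normpath(path)) != os.path.normpath(logdir):
        return None
    return path


def resolved(path):
    """Where the OS would actually open the path (collapses '..' components)."""
    return os.path.normpath(path)


LOGDIR = "/var/log/apache/vhosts"
# Constructed log lines: a normal request, and one whose host field carries
# a path traversal sequence instead of a host name.
GOOD_LINE = ('www.example.com 10.0.0.5 - - [18/Oct/2001:14:15:53 -0500] '
             '"GET / HTTP/1.0" 200 1234')
EVIL_LINE = ('../../../../etc/cron.d/evil 10.0.0.9 - - '
             '[18/Oct/2001:14:16:02 -0500] "GET / HTTP/1.0" 200 1234')

if __name__ == "__main__":
    for line in (GOOD_LINE, EVIL_LINE):
        print(resolved(logfile_unsafe(LOGDIR, line)), "->",
              logfile_safe(LOGDIR, line))
```

The host-name check is the real fix; the normpath comparison only catches mistakes in the first check, and neither helps if the log writer itself runs with more privilege than it needs.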
*** {01.42.012} Cross - PHPNuke/PostNuke article.php auth bypass
PHPNuke version 5.2 and PostNuke version 0.64 (and prior) contain
a SQL injection bug in the article.php script that could allow a
remote attacker to bypass authentication checks and access another
user's account by submitting malformed SQL commands within a cookie.
This vulnerability has not been confirmed by the authors of the
applications.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-10/0088.html
http://archives.neohapsis.com/archives/bugtraq/2001-10/0091.html
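A cookie is attacker-controlled input like any other, and an application that rebuilds a query from it on every request is open to exactly the bypass described above. The following is an added example written for this issue, not PHPNuke or PostNuke code: it assumes a cookie of the shape "username:password_hash" checked against the user table on each request (a common design in PHP portals of the period; the actual PHPNuke/PostNuke cookie layout and article.php logic are not described here), and uses SQLite in place of the portal's database. The vulnerable lookup and its parameterised replacement sit side by side.

```python
"""Cookie-carried SQL injection against a 'remember me' user lookup.

Added example, not PHPNuke/PostNuke code. It assumes a cookie of the form
"username:password_hash" that the application checks against its user table
on every request; the real cookie layout and article.php code are not given
in the newsletter. SQLite stands in for the portal's database.
"""
import hashlib
import hmac
import sqlite3


def open_db():
    """In-memory user table with two constructed accounts."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users "
                "(uid INTEGER PRIMARY KEY, uname TEXT UNIQUE, pass_md5 TEXT)")
    for uid, name, pw in [(1, "admin", "s3cret"), (2, "alice", "hunter2")]:
        con.execute("INSERT INTO users VALUES (?, ?, ?)",
                    (uid, name, hashlib.md5(pw.encode()).hexdigest()))
    con.commit()
    return con


def cookie_for(uname, password):
    """Cookie a legitimate login would set (unsalted MD5, as apps of the era did)."""
    return f"{uname}:{hashlib.md5(password.encode()).hexdigest()}"


def parse_cookie(value):
    uname, _, pass_md5 = value.partition(":")
    return uname, pass_md5


def user_from_cookie_vulnerable(con, cookie):
    """String-built query: the cookie's username lands inside the SQL text."""
    uname, pass_md5 = parse_cookie(cookie)
    sql = (f"SELECT uid, uname FROM users "
           f"WHERE uname='{uname}' AND pass_md5='{pass_md5}'")
    return con.execute(sql).fetchone()


def user_from_cookie_fixed(con, cookie):
    """Parameterised lookup, with the hash compared in code (constant time)
    so that no part of the credential check lives in attacker-reachable SQL."""
    uname, pass_md5 = parse_cookie(cookie)
    row = con.execute("SELECT uid, uname, pass_md5 FROM users WHERE uname = ?",
                      (uname,)).fetchone()
    if row is None or not hmac.compare_digest(row[2], pass_md5):
        return None
    return row[0], row[1]


# Constructed attack cookie: the quote closes the username literal and the
# SQL comment marker discards the password clause, so the query becomes
#   SELECT uid, uname FROM users WHERE uname='admin'
ATTACK_COOKIE = "admin'--:anything"

if __name__ == "__main__":
    con = open_db()
    print("vulnerable:", user_from_cookie_vulnerable(con, ATTACK_COOKIE))
    print("fixed:     ", user_from_cookie_fixed(con, ATTACK_COOKIE))
```

Parameterisation closes the injection; the better design is to stop carrying credentials in the cookie at all and hand out an opaque server-side session identifier instead, which removes the per-request credential query entirely.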
*** {01.42.016} Cross - Zope fmt attribute bypasses security checks
A Zope hot fix was released that stops local Zope publishers from using
the 'fmt' attribute to bypass security checks and access otherwise
restricted methods.
Updated Zope hot fix:
http://www.zope.org/Products/Zope/Hotfix_2001-09-28/README.txt
Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/bugtraq/2001-10/0106.html
Updated RedHat RPMs:
http://archives.neohapsis.com/archives/bugtraq/2001-10/0070.html
Source: Mandrake, RedHat (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-10/0106.html
http://archives.neohapsis.com/archives/bugtraq/2001-10/0070.html
*** {01.42.017} Cross - Novell Groupwise Webacc servlet file retrieval
Novell Groupwise versions 5.5 and 6.0 have been found to allow a remote
attacker to view arbitrary files on the system by making a particular
request to the Webacc servlet with a malformed User.html URL parameter.
The vendor has confirmed this vulnerability. A patch is available at:
http://support.novell.com/servlet/tidfinder/2960443
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0006.html
*** {01.42.019} Cross - SNES9x long argument overflow
The SNES9x emulator has been found to contain a buffer overflow in
the handling of long command line arguments. If the application is
setuid/setgid, this could allow a local attacker to execute arbitrary
code with elevated privileges. Luckily, on many OS distributions,
SNES9x does not come setuid/setgid by default. Older versions of the
documentation, however, do recommend setting setuid permissions.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-10/0107.html
************************************************************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (BSD/OS)
Comment: For info see http://www.gnupg.org
iD8DBQE7zygp+LUG5KFpTkYRAjxLAJ4msZplXmgg8cKU7oEUkCuoS0s/7ACdHqjz
pxMtyr0EGtGku+75Vwy3XjM=
=DnFa
-----END PGP SIGNATURE-----
------------------------------------------------------------------------
----------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed
to you and you would like to begin receiving our security e-mail
newsletter on a weekly basis, we invite you to subscribe today.
http://www.networkcomputing.com/consensus/.
We are signing the Consensus newsletter
with PGP. The new SANS PGP key is posted at:
http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46
and can be accessed from the SANS Web site (http://www.sans.org).
Special Note: To better secure your confidential information,
we will no longer include personal URLs in our Consensus
newsletter mailings. Instead, we have created a new form
(http://www.sans.org/sansurl). On this form you can enter the SD
number located near your name at the top of the newsletter. When you
submit this form, an e-mail containing a URL will be sent to you at
the e-mail address on record. With this URL you can make changes to
your account (edit the content of your Consensus mailing, for example)
without endangering the security of your personal URL. If you'd like
to change your e-mail address or other information, or unsubscribe
to this newsletter, please visit your new URL as described above. If
you have any problems or questions, e-mail us at <consensus@nwc.com>.
Missed an issue? You can find all back issues of
Security Alert Consensus (and Security Express) online.
http://archives.neohapsis.com/
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2001 Network Computing, a CMP Media LLC
publication. All Rights Reserved. Distributed by Network
Computing (http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).