From: Network Computing and The SANS Institute (sans+ZZ71495127011553926@sans.org)
Date: Thu Nov 08 2001 - 13:12:36 CST
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 122 (01.45)
Thursday, November 8, 2001
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
We wish to express our sincerest condolences to all those affected
by the horrible events of September 11th.
If you are or know of a company that needs assistance getting back
up and running, view our list of currently available services and
resources.
http://www.nwc.com/helpamerica/services.html
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below
you should find information pertaining only to the categories you
requested. If you have any problems or questions, please e-mail us
at <consensus@nwc.com>.
----------------------------------------------------------------------
Request your FREE Internet Security Handbook
It's more important than ever to protect your information assets, avoid
business interruption, and prevent revenue loss. Request your *FREE*
copy of "Securing the Internet Economy: An Executive Guide to Managing
Online Risk" from Internet Security Systems (ISS). Click here:
http://www.iss.net/mktg/sac10401/
----------------------------------------------------------------------
Some interesting accusations were made this week about the security
of Microsoft's Passport technology. A researcher found that Passport's
caching of credentials can be preyed upon; a few cross-site scripting
attacks also provided avenues of exploitation. Microsoft, fortunately,
has fixed or addressed many of the problems, but it does raise an
interesting question: Given Microsoft's track record of security
exposures (100 published bulletins in 2000 and 54 bulletins to date
for 2001), do you trust Passport to be a central database of user
information?
http://alive.znep.com/~marcs/passport/
Until next week,
--Security Alert Consensus Team
************************************************************************
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
TABLE OF CONTENTS:
{01.45.006} Win - WS_FTP STAT command overflow
{01.45.010} Win - MS01-054: Invalid uPnP packet DoS
{01.45.017} Win - MS ISA server fragmented UDP DoS
{01.45.004} Linux - SYNCookie problems in Linux kernels
{01.45.005} Linux - libdb format string vulnerability
{01.45.009} Linux - Update {01.44.004}: Webalizer referrer/host name
CSS vulnerability
{01.45.011} Linux - Update {01.42.020}: Login stored PAM result absorbs
other user credentials
{01.45.012} Linux - Update {01.41.007}: htdig/htsearch alternate
configuration file vulnerability
{01.45.013} Linux - teTeX insecure temp file and dvips invocation
{01.45.014} Linux - Update {01.43.009}: procmail privilege elevation
via signals
{01.45.018} Linux - TUX large Host header DoS
{01.45.020} Linux - Update {01.34.017}: ucd-snmp multiple
vulnerabilities
{01.45.021} Linux - Update {01.37.015}: uucp user-supplied
configuration file privilege elevation
{01.45.016} SCO - Overflow in DCE ToolTalk library
{01.45.019} SCO - Overflow in dtspcd via DCE SPC library
{01.45.001} Cross - Lotus Domino restricted view bypass
{01.45.002} Cross - Lotus Notes default navigator redirection bypass
{01.45.003} Cross - Lotus Notes template access via ReplicaID
{01.45.007} Cross - Entrust GetAccess CGI script file retrieval
{01.45.008} Cross - Lots and lots of lpd problems
{01.45.015} Cross - Viralator proxy virus scanner command execution
{01.45.022} Cross - dreamcatchersWeb.com multiple CGI command execution
{01.45.023} Cross - leoboard.com Ikonboard/LB5000 CGI file overwrite
{01.45.024} Svc - Sierra OnLine session info leak via HTTP referrer
--- Windows News -------------------------------------------------------
*** {01.45.006} Win - WS_FTP STAT command overflow
WS_FTP server version 2.0.3 is reported to contain a buffer overflow
in the handling of the STAT command. This could allow a remote attacker
to execute arbitrary code with local system privileges.
The vendor has confirmed this vulnerability and released version 2.0.4,
which is available at:
http://www.ipswitch.com/support/WS_FTP-Server/patch-upgrades.html
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-11/0019.html
*** {01.45.010} Win - MS01-054: Invalid uPnP packet DoS
Microsoft has released MS01-054 ("Invalid uPnP packet DoS"). A bug
in the uPnP service found on Windows ME, XP and some instances of 98
allows a remote attacker to perform a DoS against the system by sending
invalid packets to the uPnP (universal plug and play) service. The
DoS effects range from memory leakage to full system crashes.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS01-054.asp
Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2001-q4/0021.html
*** {01.45.017} Win - MS ISA server fragmented UDP DoS
An advisory was released indicating that Microsoft ISA server is
vulnerable to a denial of service attack whereby a remote attacker
sends many fragmented UDP packets, which causes abnormally high
CPU utilization.
This vulnerability has not been confirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0032.html
--- Linux News ---------------------------------------------------------
*** {01.45.004} Linux - SYNCookie problems in Linux kernels
A bug was found in the SYN cookie implementations of both the 2.2
and 2.4 Linux kernel series. It's possible that packets carrying valid
SYN cookies could bypass firewall filters. It also has been noted that
a valid SYN cookie can be brute-forced within an acceptable amount
of time.
Updated RedHat RPMs:
http://archives.neohapsis.com/archives/linux/redhat/2001-q4/0107.html
Updated EnGarde RPMs:
http://archives.neohapsis.com/archives/linux/engarde/2001-q4/0010.html
Updated Caldera RPMs:
http://archives.neohapsis.com/archives/linux/engarde/2001-q4/0010.html
Updated SuSE RPMs:
http://archives.neohapsis.com/archives/linux/engarde/2001-q4/0010.html
Updated Conectiva RPMs:
http://archives.neohapsis.com/archives/linux/conectiva/2001-q4/0007.html
Source: RedHat, EnGarde, Caldera, Conectiva
http://archives.neohapsis.com/archives/linux/redhat/2001-q4/0107.html
http://archives.neohapsis.com/archives/linux/engarde/2001-q4/0010.html
http://archives.neohapsis.com/archives/linux/engarde/2001-q4/0010.html
http://archives.neohapsis.com/archives/linux/engarde/2001-q4/0010.html
http://archives.neohapsis.com/archives/linux/conectiva/2001-q4/0007.html
*** {01.45.005} Linux - libdb format string vulnerability
Caldera has released an advisory confirming that format string
vulnerabilities within the libdb library would affect all programs
using the library. The vulnerability may allow a local attacker to
execute arbitrary code with elevated privileges.
It is unknown at this time if other Linux distributions are affected.
Updated Caldera RPMs are listed at:
http://archives.neohapsis.com/archives/linux/caldera/2001-q4/0003.html
Source: Caldera
http://archives.neohapsis.com/archives/linux/caldera/2001-q4/0003.html
*** {01.45.009} Linux - Update {01.44.004}: Webalizer referrer/host
name CSS vulnerability
Multiple Linux vendors have released updated Webalizer packages,
which fix the vulnerability discussed in {01.44.004} ("Webalizer
referrer/host name CSS vulnerability").
Updated SuSE RPMs:
http://archives.neohapsis.com/archives/linux/suse/2001-q4/0699.html
Updated EnGarde RPMs:
http://archives.neohapsis.com/archives/linux/engarde/2001-q4/0009.html
Updated RedHat RPMs:
http://archives.neohapsis.com/archives/linux/redhat/2001-q4/0097.html
Source: SuSE, EnGarde, RedHat
http://archives.neohapsis.com/archives/linux/suse/2001-q4/0699.html
http://archives.neohapsis.com/archives/linux/engarde/2001-q4/0009.html
http://archives.neohapsis.com/archives/linux/redhat/2001-q4/0097.html
*** {01.45.011} Linux - Update {01.42.020}: Login stored PAM result
absorbs other user credentials
Mandrake has released updated util-linux packages, which fix the
vulnerability discussed in {01.42.020} ("Login stored PAM result
absorbs other user credentials").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/bugtraq/2001-11/0006.html
Source: Mandrake (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-11/0006.html
*** {01.45.012} Linux - Update {01.41.007}: htdig/htsearch alternate
configuration file vulnerability
Mandrake has released updated htdig packages, which fix the
vulnerability discussed in {01.41.007} ("htdig/htsearch alternate
configuration file vulnerability").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/bugtraq/2001-11/0007.html
Source: Mandrake (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-11/0007.html
*** {01.45.013} Linux - teTeX insecure temp file and dvips invocation
RedHat has released an advisory indicating that the teTeX suite does
not create temporary files safely, potentially allowing a local
attacker to gain LPRng group privileges. teTeX also was found to invoke
dvips insecurely, which could lead to command execution.
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/redhat/2001-q4/0100.html
Source: RedHat
http://archives.neohapsis.com/archives/linux/redhat/2001-q4/0100.html
*** {01.45.014} Linux - Update {01.43.009}: procmail privilege
elevation via signals
Conectiva has released updated procmail packages, which fix the
vulnerability discussed in {01.43.009} ("procmail privilege elevation
via signals").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/conectiva/2001-q4/0008.html
Source: Conectiva
http://archives.neohapsis.com/archives/linux/conectiva/2001-q4/0008.html
*** {01.45.018} Linux - TUX large Host header DoS
TUX Web server version 2.1.0 has been reported vulnerable to a denial
of service whereby a remote attacker submits a large Host header in
an HTTP request. This causes the server system to crash.
This vulnerability has not been confirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0033.html
*** {01.45.020} Linux - Update {01.34.017}: ucd-snmp multiple
vulnerabilities
RedHat has released updated ucd-snmp packages, which fix the
vulnerability discussed in {01.34.017} ("ucd-snmp multiple
vulnerabilities").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/redhat/2001-q4/0104.html
Source: RedHat
http://archives.neohapsis.com/archives/linux/redhat/2001-q4/0104.html
*** {01.45.021} Linux - Update {01.37.015}: uucp user-supplied
configuration file privilege elevation
SuSE has released updated uucp packages, which fix the vulnerability
discussed in {01.37.015} ("uucp user-supplied configuration file
privilege elevation").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/suse/2001-q4/0603.html
Source: SuSE
http://archives.neohapsis.com/archives/linux/suse/2001-q4/0603.html
--- SCO News -----------------------------------------------------------
*** {01.45.016} SCO - Overflow in DCE ToolTalk library
Caldera/SCO has released an advisory indicating that a buffer overflow
exists in the DCE ToolTalk library. This could allow a local user to
execute arbitrary code with elevated privileges.
Patches are available at:
ftp://stage.caldera.com/pub/security/openunix/CSSA-2001-SCO.29/
Source: Caldera/SCO
http://archives.neohapsis.com/archives/linux/caldera/2001-q4/0004.html
*** {01.45.019} SCO - Overflow in dtspcd via DCE SPC library
Caldera/SCO has released an advisory indicating that a remotely
exploitable buffer overflow exists in the DCE SPC library, which is
used by dtspcd. This could lead to an attacker executing arbitrary
code.
Updates are available at:
ftp://stage.caldera.com/pub/security/openunix/CSSA-2001-SCO.30/
Source: Caldera/SCO
http://archives.neohapsis.com/archives/linux/caldera/2001-q4/0006.html
--- Cross-Platform News ------------------------------------------------
*** {01.45.001} Cross - Lotus Domino restricted view bypass
Lotus Domino version 5.x has been found to contain a bug that could
allow an attacker to access a document even if a particular view is
restricted. Lotus responds that, technically, the document itself
should be restricted and not just its parent view.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0027.html
*** {01.45.002} Cross - Lotus Notes default navigator redirection bypass
Letting remote users reach the 'default navigator' of Notes databases
is a known security problem, and the accepted fix is to use a URL filter
to redirect or reject access to URLs containing '.nsf/$defaultNav'. It
appears this filter is easy to bypass using various forms of URL
encoding, which still lets the attacker reach the default navigator.
The advisory referenced below recommends a few workarounds to help
fix this problem.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0028.html
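The filter-bypass class described in {01.45.002} comes down to matching on one spelling of a path while the server accepts many. The following is an added example, not code from the newsletter, the referenced advisory or Lotus: it places the naive substring filter beside one that canonicalises the request path (repeated percent-decoding, separator normalisation, case folding) before matching. The hostname, database name and sample URLs are constructed for illustration.

```python
"""Added example: why a substring filter on '.nsf/$defaultNav' is bypassed
by URL encoding, and a filter that canonicalises the path before matching.
Not from the newsletter or the advisory; hostnames and URLs are constructed."""
from urllib.parse import unquote, urlsplit

# Path fragment the site policy wants to block (compared case-insensitively).
BLOCKED_FRAGMENT = ".nsf/$defaultnav"


def naive_filter(url: str) -> bool:
    """The filter style the advisory describes: block if the literal text
    appears in the request URL. Returns True when the request is blocked."""
    return ".nsf/$defaultNav" in url


def canonical_path(url: str) -> str:
    """Reduce a request path to one canonical spelling before matching."""
    path = urlsplit(url).path
    # Percent-decode repeatedly so double-encoded input (%2524 -> %24 -> $)
    # collapses to the same plain text; the bounded loop avoids spinning.
    for _ in range(4):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    # Backslashes and repeated slashes are treated as path separators by
    # many servers; normalise them so 'db.nsf\\$defaultNav' also matches.
    path = path.replace("\\", "/")
    while "//" in path:
        path = path.replace("//", "/")
    return path.lower()


def hardened_filter(url: str) -> bool:
    """Block if the canonical path contains the restricted fragment."""
    return BLOCKED_FRAGMENT in canonical_path(url)


# Constructed request URLs: the first is the plain form, the next four are
# spellings of the same resource that differ only in encoding, separators
# or case, and the last is a legitimate request that must pass.
SAMPLE_URLS = [
    "http://notes.example.test/names.nsf/$defaultNav",
    "http://notes.example.test/names.nsf/%24defaultNav",
    "http://notes.example.test/names.nsf/%2524defaultNav",
    "http://notes.example.test/names.NSF/$DEFAULTNAV",
    "http://notes.example.test/names.nsf//$defaultNav",
    "http://notes.example.test/names.nsf/people?OpenView",
]


def compare_filters(urls=SAMPLE_URLS):
    """Return {url: (naive_blocked, hardened_blocked)} for a batch of URLs."""
    return {u: (naive_filter(u), hardened_filter(u)) for u in urls}


if __name__ == "__main__":
    for url, (naive, hardened) in compare_filters().items():
        print(f"naive={naive!s:5} hardened={hardened!s:5} {url}")
```

The naive filter blocks only the first sample; the hardened filter blocks the first five and passes the legitimate one. The same idea applies to any front-end filter placed in front of an application that decodes more liberally than the filter does: decode and normalise the way the back end will, then match.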
*** {01.45.003} Cross - Lotus Notes template access via ReplicaID
Lotus Notes version 5.x has been found vulnerable to a bug that allows
a remote attacker to access otherwise inaccessible templates by making
a request containing the templates' ReplicaID. One specific risk is
access to the Web administration template, which potentially allows
attackers to affect the Web services.
The advisory indicates vendor confirmation and the availability of
a fix in the next Lotus Notes release.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0029.html
*** {01.45.007} Cross - Entrust GetAccess CGI script file retrieval
Entrust's GetAccess CGI application has been found to allow a remote
attacker to view the contents of arbitrary files readable by the Web
server. The problem arises because the GetAccess CGI does not correctly
handle data passed in via URL parameters.
Entrust has released a patch, which is available at:
https://login.encommerce.com/private/docs/techSupport/Patches-BugFix
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-11/0022.html
*** {01.45.008} Cross - Lots and lots of lpd problems
CERT has released an advisory about the slew of lpd problems that have
come to attention as of late. We've reported on most of them in past
SAC issues, but we feel it's best to mention them again. The number
of actual vulnerabilities varies depending on platform, so you should
review the CERT advisory for details on your platform:
http://archives.neohapsis.com/archives/bugtraq/2001-11/0022.html
Updated RedHat RPMs are listed at:
http://archives.neohapsis.com/archives/linux/redhat/2001-q4/0054.html
IRIX update information:
http://archives.neohapsis.com/archives/vendor/2001-q4/0022.html
Source: CERT, RedHat, SGI
http://archives.neohapsis.com/archives/bugtraq/2001-11/0022.html
http://archives.neohapsis.com/archives/linux/redhat/2001-q4/0054.html
http://archives.neohapsis.com/archives/vendor/2001-q4/0022.html
*** {01.45.015} Cross - Viralator proxy virus scanner command execution
The Viralator virus scanner script for Squid proxies has been reported
to not properly filter shell metacharacters out of URLs before using
them in a system call, thus allowing a remote attacker to execute
arbitrary shell commands under the privileges of the proxy server.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-11/0001.html
*** {01.45.022} Cross - dreamcatchersWeb.com multiple CGI command
execution
Two CGIs written by Seth Leonard and available from
dreamcatchersWeb.com have been found to improperly filter out shell
metacharacters. Specifically, the "book of guests" and "post it!" CGIs
allow a remote attacker to execute arbitrary shell commands under the
privileges of the Web server.
These vulnerabilities have not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-10/0270.html
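Items {01.45.015} and {01.45.022} describe the same defect: untrusted request data interpolated into a command line that is handed to a shell. The following is an added example, not the Viralator script, the dreamcatchersWeb CGIs or any code from the newsletter: it shows the vulnerable builder beside two fixes a maintainer would apply, shell-escaping the argument and, preferably, validating the input and passing it as a separate argv element with no shell at all. The use of wget as the downloader and the sample URL are constructed stand-ins.

```python
"""Added example (not the Viralator script or the dreamcatchersWeb CGIs):
the command-injection pattern both items describe, beside two fixes.
The downloader (wget) and the sample URL are constructed stand-ins."""
import shlex
import subprocess
from urllib.parse import urlsplit

# Constructed sample: a URL carrying a shell metacharacter sequence; the
# ';id' tail is harmless and only shows where a second command would start.
INJECTED_URL = "http://files.example.test/report.pdf;id"


def vulnerable_command(url: str) -> str:
    """How a CGI that interpolates request data into a shell line looks.
    Passed to system(), everything after ';' runs as a second command."""
    return f"wget -q {url}"


def quoted_command(url: str) -> str:
    """Fix 1: shell-escape the argument so metacharacters stay literal.
    Adequate when a shell is unavoidable; still weaker than no shell."""
    return f"wget -q {shlex.quote(url)}"


def validate_url(url: str) -> str:
    """Allowlist what a download URL may look like; reject anything else."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise ValueError("scheme not allowed")
    if not parts.netloc:
        raise ValueError("missing host")
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in url):
        raise ValueError("control or non-ASCII character in URL")
    return url


def safe_argv(url: str) -> list:
    """Fix 2: validate, then pass the URL as its own argv element with no
    shell involved. A ';' in the value is just a byte in one argument; the
    '--' keeps a value starting with '-' from being read as an option."""
    return ["wget", "-q", "--", validate_url(url)]


def run_download(url: str) -> subprocess.CompletedProcess:
    """Execute the hardened form; shell=False so no metacharacter parsing."""
    return subprocess.run(safe_argv(url), shell=False, capture_output=True)


if __name__ == "__main__":
    print("vulnerable:", vulnerable_command(INJECTED_URL))
    print("quoted:    ", quoted_command(INJECTED_URL))
    print("argv:      ", safe_argv(INJECTED_URL))
```

Note that the injected URL still passes validation for the argv form: once no shell is involved, the metacharacters have nothing to act on, so the allowlist only needs to enforce what the downloader should accept (scheme, host, printable ASCII), not enumerate every dangerous byte.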
*** {01.45.023} Cross - leoboard.com Ikonboard/LB5000 CGI file overwrite
The LB5000 and Ikonboard Web BBS CGIs available from leoboard.com have
been found to contain bugs that allow remote attackers to overwrite
files writable by the Web server process.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-10/0272.html
http://archives.neohapsis.com/archives/bugtraq/2001-10/0273.html
--- Services News ------------------------------------------------------
*** {01.45.024} Svc - Sierra OnLine session info leak via HTTP referrer
An advisory has surfaced indicating that the Sierra OnLine Web portal
available at community.sierra.com has been found to leak user session
information via HTTP referrer headers when users follow links to
offsite locations.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-10/0274.html
************************************************************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (BSD/OS)
Comment: For info see http://www.gnupg.org
iD8DBQE76tbk+LUG5KFpTkYRArvhAJ4qYI+PRPjnLYVhfDejUz/CAoAyZwCeI3+7
tXaBUpDdM48W2afQFwx7808=
=ueWi
-----END PGP SIGNATURE-----
------------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed
to you and you would like to begin receiving our security e-mail
newsletter on a weekly basis, we invite you to subscribe today.
http://www.networkcomputing.com/consensus/.
We are signing the Consensus newsletter
with PGP. The new SANS PGP key is posted at:
http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46
and can be accessed from the SANS Web site (http://www.sans.org).
Special Note: To better secure your confidential information,
we will no longer include personal URLs in our Consensus
newsletter mailings. Instead, we have created a new form
(http://www.sans.org/sansurl). On this form you can enter the SD
number located near your name at the top of the newsletter. When you
submit this form, an e-mail containing a URL will be sent to you at
the e-mail address on record. With this URL you can make changes to
your account (edit the content of your Consensus mailing, for example)
without endangering the security of your personal URL. If you'd like
to change your e-mail address or other information, or unsubscribe
to this newsletter, please visit your new URL as described above. If
you have any problems or questions, e-mail us at <consensus@nwc.com>.
Missed an issue? You can find all back issues of
Security Alert Consensus (and Security Express) online.
http://archives.neohapsis.com/
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2001 Network Computing, a CMP Media LLC
publication. All Rights Reserved. Distributed by Network
Computing (http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).