From: Network Computing and The SANS Institute (sans+ZZ49215263804954228@sans.org)
Date: Thu Nov 15 2001 - 13:58:24 CST
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 123 (01.46)
Thursday, November 15, 2001
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below
you should find information pertaining only to the categories you
requested. Information on how to manage your subscription is contained
at the bottom of the newsletter. If you have any problems or questions,
please e-mail us at <consensus@nwc.com>.
----------------------------------------------------------------------
This issue is brought to you by ...
Nokia Internet Communications - a division of Nokia. NOKIA TEAMS UP
WITH LEADING PUBLISHERS, Offering the most reliable, up-to-date
SECURITY-focused information on the Web including: News & Assessment
tools, Reviews & Analyst Reports For more information, visit our
Security Resource Center:
http://www.nokia.com/internet/na
----------------------------------------------------------------------
A few months ago, we saw a very in-depth report surface regarding
potential flaws in the TACACS+ protocol. Well, this week we've
seen two similar reports that take a thorough look at potential
problems/weaknesses in the RADIUS protocol.
http://archives.neohapsis.com/archives/bugtraq/2001-11/0075.html
http://archives.neohapsis.com/archives/bugtraq/2001-11/0055.html
On a more administrative front, we wanted to let everyone know that
from this point on we will be posting any error corrections to SAC
in the News section at http://archives.neohapsis.com/. This will
allow us to easily correct things like wrong/missing URLs in a more
timely fashion.
Until next week,
--Security Alert Consensus Team
************************************************************************
TABLE OF CONTENTS:
{01.46.004} Win - Update {01.26.026}: w3m long MIME header overflow
{01.46.005} Win - RunAs service overtaken pipe DoS
{01.46.009} Win - RunAs service pipe impersonation vulnerability
{01.46.012} Win - Update {01.45.010}: MS01-054: Invalid uPnP packet DoS
{01.46.014} Win - Update {01.43.026}: IE about: zone CSS
{01.46.019} Win - Update {01.45.008}: Lots and lots of lpd problems
{01.46.001} Linux - RedHat firewall/iptables save file problems
{01.46.006} Linux - Update {01.44.004}: Webalizer referrer/hostname CSS
vulnerability
{01.46.015} Linux - Debian ssh-nonfree/ssh-socks CRC vulnerability
{01.46.017} Linux - RedHat 7.1 Korean install incorrect file permissions
{01.46.011} Sol - Update {01.40.020}: (rpc.)ttdbserver syslog() format
string attack
{01.46.002} SCO - Update {01.34.020}: Sendmail -d parameter arbitrary
memory writing
{01.46.010} SCO - pppattach buffer overflows
{01.46.020} Other - IBM 4758 cryptographic storage weakness
{01.46.003} Cross - IBM HTTP server source disclosure
{01.46.007} Cross - IMP Webmail CSS vulnerability
{01.46.008} Cross - Update {01.45.019}: Overflow in dtspcd via DCE SPC
library
{01.46.013} Cross - PHP-Nuke case.filemanager.php authorization bypass
{01.46.016} Cross - Acme.com thttpd/mini_httpd trailing slash file
exposure
{01.46.021} Cross - ClearCase db_loader TERM env var overflow
{01.46.018} Svc - Datek.com transmits portfolio information in the clear
--- Windows News -------------------------------------------------------
*** {01.46.004} Win - Update {01.26.026}: w3m long MIME header overflow
Conectiva has released updated w3m packages, which fix the
vulnerability discussed in {01.26.026} ("w3m long MIME header
overflow").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/conectiva/2001-q4/0009.html
Source: Conectiva
http://archives.neohapsis.com/archives/linux/conectiva/2001-q4/0009.html
*** {01.46.005} Win - RunAs service overtaken pipe DoS
The RunAs service in Windows 2000 has been found to contain a denial
of service whereby a local attacker can exclusively lock the RunAs
service, preventing its use by other users.
The report indicates confirmation by Microsoft and that the company
will fix the DoS in Windows 2000 SP3, circa February 2002.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-11/0069.html
*** {01.46.009} Win - RunAs service pipe impersonation vulnerability
The RunAs service included with Windows 2000 has been reported to
contain a bug whereby if the service is NOT running, a local user
could emulate the service by creating a particular local communication
pipe. If an unwary user tries to use the RunAs service, the trojan
service would receive any passed authentication credentials in plain
text as well as be able to execute code under the calling user's
privileges.
The advisory indicates confirmation by Microsoft and that the company
will fix the problem in Windows 2000 SP3, circa February 2002.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-11/0068.html
http://archives.neohapsis.com/archives/bugtraq/2001-11/0070.html
*** {01.46.012} Win - Update {01.45.010}: MS01-054: Invalid uPnP packet
DoS
Microsoft has re-released the Windows ME patch for the vulnerability
discussed in {01.45.010} ("MS01-054: Invalid uPnP packet DoS") due
to a patch error.
More information is available at:
http://archives.neohapsis.com/archives/vendor/2001-q4/0028.html
Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2001-q4/0028.html
*** {01.46.014} Win - Update {01.43.026}: IE about: zone CSS
Microsoft has released advisory MS01-055, which includes workaround
information for the vulnerability discussed in {01.43.026} ("IE about:
zone CSS"). A patch is still in production.
More information is available at:
http://archives.neohapsis.com/archives/vendor/2001-q4/0025.html
Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2001-q4/0025.html
*** {01.46.019} Win - Update {01.45.008}: Lots and lots of lpd problems
RedHat has reissued updated lpd packages for the vulnerability
discussed in {01.45.008} ("Lots and lots of lpd problems") due to
errors in prior binaries.
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/redhat/2001-q4/0121.html
Source: RedHat
http://archives.neohapsis.com/archives/linux/redhat/2001-q4/0121.html
--- Linux News ---------------------------------------------------------
*** {01.46.001} Linux - RedHat firewall/iptables save file problems
RedHat has released an advisory indicating that some bugs in iptables
may prevent the RedHat firewall script from functioning properly,
leaving the system unprotected.
Updated RPMs are available at:
http://archives.neohapsis.com/archives/linux/redhat/2001-q4/0119.html
Source: RedHat
http://archives.neohapsis.com/archives/linux/redhat/2001-q4/0119.html
*** {01.46.006} Linux - Update {01.44.004}: Webalizer referrer/hostname
CSS vulnerability
Conectiva has released updated Webalizer packages, which fix the
vulnerability discussed in {01.44.004} ("Webalizer referrer/hostname
CSS vulnerability").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/conectiva/2001-q4/0010.html
Source: Conectiva
http://archives.neohapsis.com/archives/linux/conectiva/2001-q4/0010.html
*** {01.46.015} Linux - Debian ssh-nonfree/ssh-socks CRC vulnerability
Debian had overlooked the SSH CRC compensation vulnerability in the
ssh-nonfree and ssh-socks packages and has now released fixed versions.
Updated package information is listed at:
http://archives.neohapsis.com/archives/vendor/2001-q4/0027.html
Source: Debian
http://archives.neohapsis.com/archives/vendor/2001-q4/0027.html
*** {01.46.017} Linux - RedHat 7.1 Korean install incorrect file
permissions
RedHat has found that the installation program used in the Korean
version of RedHat 7.1 ISO images does not correctly set the umask,
leaving incorrect permissions on installed system files.
An update RPM is listed at:
http://archives.neohapsis.com/archives/linux/redhat/2001-q4/0124.html
Source: RedHat
http://archives.neohapsis.com/archives/linux/redhat/2001-q4/0124.html
--- Solaris News -------------------------------------------------------
*** {01.46.011} Sol - Update {01.40.020}: (rpc.)ttdbserver syslog()
format string attack
Sun has released updates for the vulnerability discussed in {01.40.020}
("(rpc.)ttdbserver syslog() format string attack").
Sun Solaris update information is available at:
http://archives.neohapsis.com/archives/bugtraq/2001-11/0081.html
Source: Sun (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-11/0081.html
--- SCO News -----------------------------------------------------------
*** {01.46.002} SCO - Update {01.34.020}: Sendmail -d parameter
arbitrary memory writing
Caldera/SCO has released updated sendmail packages, which fix the
vulnerability discussed in {01.34.020} ("Sendmail -d parameter
arbitrary memory writing").
Updated patch information is available at:
http://archives.neohapsis.com/archives/linux/caldera/2001-q4/0007.html
Source: Caldera/SCO
http://archives.neohapsis.com/archives/linux/caldera/2001-q4/0007.html
*** {01.46.010} SCO - pppattach buffer overflows
Caldera/SCO has released an advisory indicating that UnixWare and
OpenUnix are vulnerable to a buffer overflow in pppattach, which could
allow a local user to execute arbitrary code with elevated privileges.
Fixed binaries are located at:
ftp://stage.caldera.com/pub/security/openunix/CSSA-2001-SCO.32/
Source: Caldera/SCO
http://archives.neohapsis.com/archives/linux/caldera/2001-q4/0008.html
--- Other News ---------------------------------------------------------
*** {01.46.020} Other - IBM 4758 cryptographic storage weakness
An interesting (and complex) report was released indicating that,
under certain circumstances, it is possible for an attacker with
physical access to an IBM 4758 cryptographic co-processor to recover
the storage crypto keys. Of course, those of you familiar with the
nature of this device will know that, by design, this should not be
possible. These devices are responsible for storing the crypto keys
used in many banking networks and applications, and they are in fact
designed to resist physical tampering.
The full report can be read at:
http://www.cl.cam.ac.uk/~rnc1/descrack/
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-11/0051.html
--- Cross-Platform News ------------------------------------------------
*** {01.46.003} Cross - IBM HTTP server source disclosure
Many reports have surfaced indicating that the IBM HTTP server running
on the AS/400 and OS/390 platforms is vulnerable to a source code
disclosure bug, which would allow a remote attacker to gain access
to the source code of JSP pages.
There have been many confirmation reports from the community.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-11/0023.html
http://archives.neohapsis.com/archives/bugtraq/2001-11/0025.html
*** {01.46.007} Cross - IMP Webmail CSS vulnerability
The IMP Webmail suite prior to version 2.2.7 has been found to contain
a cross-site scripting bug that could allow a malicious e-mail or
Web site to hijack a user's session.
IMP 2.2.7 is available at:
ftp://ftp.horde.org/pub/imp/
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-11/0056.html
*** {01.46.008} Cross - Update {01.45.019}: Overflow in dtspcd via DCE
SPC library
It turns out that many platforms are vulnerable to the local root
vulnerability discussed in {01.45.019} ("Overflow in dtspcd via DCE
SPC library").
HP has a workaround; information is available at:
http://archives.neohapsis.com/archives/hp/2001-q4/0039.html
AIX update information is listed at:
http://archives.neohapsis.com/archives/aix/2001-q4/0007.html
Other vendor updates are listed in the CERT advisory at:
http://archives.neohapsis.com/archives/cc/2001-q4/0004.html
Source: CERT, HP, IBM
http://archives.neohapsis.com/archives/cc/2001-q4/0004.html
http://archives.neohapsis.com/archives/hp/2001-q4/0039.html
http://archives.neohapsis.com/archives/aix/2001-q4/0007.html
*** {01.46.013} Cross - PHP-Nuke case.filemanager.php authorization
bypass
PHP-Nuke version 5.2 has been found to contain a bug in the checking of
administrator access in the case.filemanager.php script. It's possible
for a remote attacker to bypass administrator authentication and use
the file manager script to manipulate the file system.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-11/0033.html
*** {01.46.016} Cross - Acme.com thttpd/mini_httpd trailing slash file
exposure
Acme.com's thttpd and mini_httpd have been found to contain a bug that
could allow a remote attacker to bypass any server-imposed file access
restrictions by appending a trailing slash ('/') to the requested URL.
The vendor has confirmed this vulnerability. A patch is included at:
http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0037.html
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0037.html
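The trailing-slash bypass described above is an instance of a broader pattern: an access decision made on the raw request path rather than on a canonical one. The following is an added illustration (not thttpd's or mini_httpd's own code; the deny-list and function names are hypothetical) of such a weak check beside one that canonicalises the path first:

```python
import posixpath
from urllib.parse import unquote

# Constructed deny-list of files the server must never serve. The names are
# hypothetical; thttpd's own restriction mechanism is not described here.
PROTECTED = {"/admin/config.txt", "/private/accounts.csv"}


def normalize_request_path(raw_path: str) -> str:
    """Canonicalise a request path before any access decision is made.

    Drops the query string, percent-decodes, collapses '.', '..' and
    repeated slashes, and removes a trailing slash so that '/x/' and
    '/x' refer to the same object.
    """
    path = raw_path.split("?", 1)[0]
    path = unquote(path)
    # Re-root explicitly: posixpath.normpath keeps a leading '//' as-is.
    path = posixpath.normpath("/" + path.lstrip("/"))
    # normpath already drops a trailing slash; strip again defensively.
    if len(path) > 1:
        path = path.rstrip("/")
    return path


def allowed_naive(raw_path: str) -> bool:
    """Weak check: the raw request path is compared against the deny-list,
    so '/admin/config.txt/' is not recognised as the protected file."""
    return raw_path not in PROTECTED


def allowed_hardened(raw_path: str) -> bool:
    """Fixed check: canonicalise first, then compare."""
    return normalize_request_path(raw_path) not in PROTECTED


if __name__ == "__main__":
    for req in ("/admin/config.txt", "/admin/config.txt/", "/admin/config.txt%2F"):
        print(f"{req:24} naive={allowed_naive(req)!s:5} "
              f"hardened={allowed_hardened(req)}")
```

The same canonical path should also be what the server uses to open the file, so that the policy check and the file lookup cannot disagree.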
*** {01.46.021} Cross - ClearCase db_loader TERM env var overflow
Rational Software's ClearCase suite versions 4.2 and prior have been
found to contain a buffer overflow in the db_loader binary's handling
of the TERM environment variable. This could allow a local attacker
to execute arbitrary code with root privileges.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-11/0046.html
--- Services News ------------------------------------------------------
*** {01.46.018} Svc - Datek.com transmits portfolio information in the
clear
A recent report indicates that Datek.com's "Streamer" service transmits
user and portfolio information over insecure channels, potentially
allowing an eavesdropper to recover this information.
The advisory indicates confirmation by Datek.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-11/0058.html
************************************************************************
----------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed
to you and you would like to begin receiving our security e-mail
newsletter on a weekly basis, we invite you to subscribe today.
http://www.networkcomputing.com/consensus/.
We are signing the Consensus newsletter
with PGP. The new SANS PGP key is posted at:
http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46
and can be accessed from the SANS Web site (http://www.sans.org).
Special Note: To better secure your confidential information,
we will no longer include personal URLs in our Consensus
newsletter mailings. Instead, we have created a new form
(http://www.sans.org/sansurl). On this form you can enter the SD
number located near your name at the top of the newsletter. When you
submit this form, an e-mail containing a URL will be sent to you at
the e-mail address on record. With this URL you can make changes to
your account (edit the content of your Consensus mailing, for example)
without endangering the security of your personal URL. If you'd like
to change your e-mail address or other information, or unsubscribe
to this newsletter, please visit your new URL as described above. If
you have any problems or questions, e-mail us at <consensus@nwc.com>.
Missed an issue? You can find all back issues of
Security Alert Consensus (and Security Express) online.
http://archives.neohapsis.com/
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2001 Network Computing, a CMP Media LLC
publication. All Rights Reserved. Distributed by Network
Computing (http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).