From: Network Computing and The SANS Institute (sans+ZZ05475662137884530@sans.org)
Date: Fri Nov 23 2001 - 06:38:05 CST


    Re: Your personalized newsletter

                       -- Security Alert Consensus --
                             Number 124 (01.47)
                         Friday, November 23, 2001
                             Created for you by
                   Network Computing and the SANS Institute
                            Powered by Neohapsis

    ----------------------------------------------------------------------

    Welcome to the latest edition of Security Alert Consensus! Below
    you should find information pertaining only to the categories you
    requested. Information on how to manage your subscription is contained
    at the bottom of the newsletter. If you have any problems or questions,
    please e-mail us at <consensus@nwc.com>.

    ----------------------------------------------------------------------

    This issue is brought to you by ...
    Nokia Internet Communications - a division of Nokia. NOKIA TEAMS UP WITH
    LEADING PUBLISHERS, offering the most reliable, up-to-date SECURITY-
    focused information on the Web, including news and assessment tools,
    reviews and analyst reports. For more information, visit our Security
    Resource Center:
    http://www.nokia.com/internet/na

    ----------------------------------------------------------------------

    The mixture of NATed environments and funky application protocols
    (particularly VPN-type stuff) can lead to various logging
    discrepancies. In a report released this week, it was noted that
    Microsoft Terminal Server logs the IP address provided by the
    client rather than the actual source address of the connection. The
    result? If the client sits behind a NATing firewall/device, the
    server logs the client's private IP address. Such logs may be of
    little use for tracing a client connection back to its source, since
    the logged IP may be a reserved/non-routed address.
    http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0042.html
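A defender-side check motivated by the note above, added here as an example and not part of the newsletter or the referenced report: it parses constructed connection-log lines (the `client=<ip>` layout is an assumed, simplified format, not the real Terminal Server event layout) and flags logons whose recorded client address is non-routable, meaning the server log alone cannot identify the source and must be correlated with the NAT device's own translation records.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample log. The "client=<ip>" layout is an assumed, simplified
# format for illustration, not the real Terminal Server event layout. The
# 10.x / 172.16.x / 192.168.x entries are what a client behind NAT reports
# about itself; the other two are routable addresses chosen for contrast.
SAMPLE_LOG = """\
2001-11-21 09:12:03 logon user=alice client=192.168.1.25
2001-11-21 09:15:44 logon user=bob client=66.35.250.150
2001-11-21 09:20:10 logon user=carol client=10.0.0.7
2001-11-21 09:31:02 logon user=dave client=172.16.4.200
2001-11-21 09:40:55 logon user=erin client=209.132.183.105
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) logon user=(?P<user>\S+) client=(?P<ip>\S+)$"
)

def classify_client_ip(ip_text: str) -> str:
    """'routable' if the logged address could identify the real source,
    'untrusted' if it is private/reserved/loopback/link-local (typically a
    NATed client's self-reported address), 'invalid' if it does not parse."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "invalid"
    # is_global is False for RFC 1918 space, loopback, link-local, shared
    # address space and the other non-routable ranges.
    return "routable" if ip.is_global else "untrusted"

def find_untraceable_logons(log_text: str) -> List[Dict[str, str]]:
    """Return the logons whose recorded client address cannot, on its own,
    be traced back; these need correlation with the NAT device's
    translation records (timestamp + private address -> public address)."""
    flagged = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not logon records
        verdict = classify_client_ip(m["ip"])
        if verdict != "routable":
            flagged.append(
                {"ts": m["ts"], "user": m["user"], "ip": m["ip"], "verdict": verdict}
            )
    return flagged
```

Running `find_untraceable_logons(SAMPLE_LOG)` on the constructed log flags alice, carol and dave; each flagged row carries the timestamp needed to look up the matching translation entry on the firewall.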

    We hope everyone enjoys the Thanksgiving holiday, and we will see
    you next week.

    Until next week,
    --Security Alert Consensus Team

    ************************************************************************


    TABLE OF CONTENTS:

    {01.47.001} Win - MS01-056: Windows Media Player .ASF processor overflow
    {01.47.002} Win - Update {01.43.026}: IE about: zone CSS
    {01.47.005} Win - Update {01.46.007}: IMP webmail CSS vulnerability
    {01.47.013} Win - ActiveState PerlIIS.dll ISAPI file name overflow
    {01.47.015} BSD - OpenBSD vi.recover script file deletion
    {01.47.008} SGI - Sendmail RestrictQRun vulnerability
    {01.47.006} SCO - Nmap scanner kills inetd
    {01.47.009} SCO - Update {01.33.014}: Xlock XFILESEARCHPATH env
                variable overflow
    {01.47.003} NApps - Cisco 12000 ICMP unreachable flood DoS
    {01.47.004} NApps - Cisco 12000 ACL vulnerabilities
    {01.47.010} NApps - Cisco IOS/CatOS ARP table overwrite DoS
    {01.47.007} Cross - PHP-Nuke Gallery add on includes parameter file
                viewing
    {01.47.011} Cross - Opera JavaScript cross-domain vulnerabilities
    {01.47.012} Cross - Postfix session log memory DoS
    {01.47.014} Cross - PHP-Nuke Network Tool add on command execution

    --- Windows News -------------------------------------------------------

    *** {01.47.001} Win - MS01-056: Windows Media Player .ASF processor
                    overflow

    Microsoft has released MS01-056 ("Windows Media Player .ASF processor
    overflow"). Windows Media Player version 6.4 contains a buffer overflow
    in the parsing of ASF files. If the user views a trojan ASF file,
    it's possible for the trojan to execute arbitrary code under the
    privileges of that user.

    FAQ and patch:
    http://www.microsoft.com/technet/security/bulletin/MS01-056.asp

    Source: Microsoft
    http://archives.neohapsis.com/archives/vendor/2001-q4/0031.html

    *** {01.47.002} Win - Update {01.43.026}: IE about: zone CSS

    Microsoft has released a patch for the vulnerability discussed in
    {01.43.026} ("IE about: zone CSS").

    For more information, including download locations, view:
    http://www.microsoft.com/technet/security/bulletin/MS01-055.asp

    Source: Microsoft
    http://archives.neohapsis.com/archives/vendor/2001-q4/0029.html

    *** {01.47.005} Win - Update {01.46.007}: IMP webmail CSS vulnerability

    Conectiva has released updated IMP packages, which fix the
    vulnerability discussed in {01.46.007} ("IMP webmail CSS
    vulnerability").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/conectiva/2001-q4/0012.html

    Source: Conectiva
    http://archives.neohapsis.com/archives/linux/conectiva/2001-q4/0012.html

    *** {01.47.013} Win - ActiveState PerlIIS.dll ISAPI file name overflow

    ActiveState Perl installations prior to version 5.6.1.630 contain
    a buffer overflow in the IIS ISAPI Perl extension filter. This
    could allow a remote attacker to execute arbitrary code with system
    privileges.

    ActiveState has confirmed this vulnerability and released version
    5.6.1.630 as a fix.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-11/0105.html

    --- BSD News -----------------------------------------------------------

    *** {01.47.015} BSD - OpenBSD vi.recover script file deletion

    OpenBSD has committed a fix in its /usr/libexec/vi.recover script that
    could allow a local attacker to delete arbitrary zero-length files.

    Patches are available at:
    ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/016_recover.patch
    ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/007_recover.patch

    Source: OpenBSD
    http://archives.neohapsis.com/archives/openbsd/2001-11/1349.html

    --- SGI News -----------------------------------------------------------

    *** {01.47.008} SGI - Sendmail RestrictQRun vulnerability

    SGI has released an advisory indicating a misconfiguration in the
    default sendmail installations shipped with IRIX. This could allow
    a local attacker to perform a denial of service against the mail
    subsystem.

    SGI has a temporary solution, which is available at:
    http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0049.html

    Source: SGI (VulnWatch)
    http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0049.html

    --- SCO News -----------------------------------------------------------

    *** {01.47.006} SCO - Nmap scanner kills inetd

    Caldera/SCO has released an advisory indicating that when a machine
    is scanned by nmap, inetd may crash. OpenServer 5.0.5 is vulnerable.

    Updated binaries are available at:
    ftp://stage.caldera.com/pub/security/openserver/CSSA-2001-SCO.33/

    Source: Caldera/SCO
    http://archives.neohapsis.com/archives/linux/caldera/2001-q4/0009.html

    *** {01.47.009} SCO - Update {01.33.014}: Xlock XFILESEARCHPATH env
                    variable overflow

    Caldera/SCO has released updated xlock packages, which fix the
    vulnerability discussed in {01.33.014} ("Xlock XFILESEARCHPATH env
    variable overflow").

    Updated binaries are available at:
    ftp://stage.caldera.com/pub/security/openunix/CSSA-2001-SCO.34/

    Source: Caldera/SCO
    http://archives.neohapsis.com/archives/linux/caldera/2001-q4/0010.html

    --- Network Appliances News --------------------------------------------

    *** {01.47.003} NApps - Cisco 12000 ICMP unreachable flood DoS

    Cisco has released an advisory indicating that the Cisco 12000 router
    is vulnerable to a denial of service attack whereby a large flood of
    ICMP unreachable packets will severely impact performance. This bug
    is limited to the Cisco 12000 with various IOS 12.0 versions.

    For a full list of corrected software images, view:
    http://archives.neohapsis.com/archives/cisco/2001-q4/0005.html

    Source: Cisco
    http://archives.neohapsis.com/archives/cisco/2001-q4/0005.html

    *** {01.47.004} NApps - Cisco 12000 ACL vulnerabilities

    Cisco has released an advisory pointing out multiple problems in newer
    Cisco 12000 IOS images that impact the effectiveness of ACLs. The
    various bugs essentially lead to situations that could allow malicious
    packets to pass when they otherwise would be stopped by an ACL.

    A full update matrix is available at:
    http://archives.neohapsis.com/archives/cisco/2001-q4/0006.html

    Source: Cisco
    http://archives.neohapsis.com/archives/cisco/2001-q4/0006.html

    *** {01.47.010} NApps - Cisco IOS/CatOS ARP table overwrite DoS

    Cisco has released an advisory indicating that versions of IOS and
    CatOS running on various router and switch platforms are vulnerable
    to a denial of service whereby a particular ARP packet can cause the
    device to overwrite its own MAC address within the local ARP table,
    thus affecting traffic (that is, routing).

    A full upgrade matrix is available at:
    http://archives.neohapsis.com/archives/bugtraq/2001-11/0114.html

    Source: Cisco (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2001-11/0114.html

    --- Cross-Platform News ------------------------------------------------

    *** {01.47.007} Cross - PHP-Nuke Gallery add on includes parameter file
                    viewing

    The Gallery add on for PHP-Nuke has been found to not properly filter
    data given in the 'include' URL parameter. This could allow a remote
    attacker to view arbitrary files readable by the Web server.

    This vulnerability has not been confirmed.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0048.html

    *** {01.47.011} Cross - Opera JavaScript cross-domain vulnerabilities

    A recent advisory indicates that various versions of the Opera
    Web browser on multiple platforms contain errors in the JavaScript
    implementation. These errors would allow a malicious Web site to
    access what normally should be restricted information (including
    local user information).

    The advisory indicates vendor confirmation.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0045.html

    *** {01.47.012} Cross - Postfix session log memory DoS

    The Postfix mail daemon has been found to not limit the size of SMTP
    session logs (saved for debugging purposes). This could allow a
    remote attacker to exhaust all memory on the system, causing a
    denial of service.

    This vulnerability has been confirmed; a patch is available at:
    http://archives.neohapsis.com/archives/bugtraq/2001-11/0107.html

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-11/0107.html

    *** {01.47.014} Cross - PHP-Nuke Network Tool add on command execution

    The Network Tool add on version 0.2 for PHP-Nuke has been found to not
    properly filter shell metacharacters from user input before passing
    them to a command shell. This allows a remote attacker to execute
    arbitrary command-line commands with the Web server's privileges.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-11/0125.html

    ************************************************************************

    ------------------------------------------------------------------------

    ----------------------------------------------------------------------

    Become a Security Alert Consensus member! If this e-mail was passed
    to you and you would like to begin receiving our security e-mail
    newsletter on a weekly basis, we invite you to subscribe today.
    http://www.networkcomputing.com/consensus/.

    We are signing the Consensus newsletter
    with PGP. The new SANS PGP key is posted at:
    http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46
    and can be accessed from the SANS Web site (http://www.sans.org).

    Special Note: To better secure your confidential information,
    we will no longer include personal URLs in our Consensus
    newsletter mailings. Instead, we have created a new form
    (http://www.sans.org/sansurl). On this form you can enter the SD
    number located near your name at the top of the newsletter. When you
    submit this form, an e-mail containing a URL will be sent to you at
    the e-mail address on record. With this URL you can make changes to
    your account (edit the content of your Consensus mailing, for example)
    without endangering the security of your personal URL. If you'd like
    to change your e-mail address or other information, or unsubscribe
    to this newsletter, please visit your new URL as described above. If
    you have any problems or questions, e-mail us at <consensus@nwc.com>.

    Missed an issue? You can find all back issues of
    Security Alert Consensus (and Security Express) online.
    http://archives.neohapsis.com/

    Your opinion counts. We'd like to hear your thoughts on Security Alert
    Consensus. E-mail any questions or comments to <consensus@nwc.com>.

    Copyright (c) 2001 Network Computing, a CMP Media LLC
    publication. All Rights Reserved. Distributed by Network
    Computing (http://www.networkcomputing.com) and The SANS Institute
    (http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
    security assessment and integration services consulting group
    (info@neohapsis.com | http://www.neohapsis.com/).