From: Network Computing and The SANS Institute (sans+ZZ65273195518384832sans.org)
Date: Thu Nov 29 2001 - 14:15:52 CST



    Re: Your personalized newsletter

                        -- Security Alert Consensus --
                              Number 125 (01.48)
                         Thursday, November 29, 2001
                             Created for you by
                   Network Computing and the SANS Institute
                            Powered by Neohapsis

    ----------------------------------------------------------------------

    Welcome to the latest edition of Security Alert Consensus! Below
    you should find information pertaining only to the categories you
    requested. Information on how to manage your subscription is contained
    at the bottom of the newsletter. If you have any problems or questions,
    please e-mail us at <consensus@nwc.com>.

    ----------------------------------------------------------------------

    With Cisco Storage Networking, you can store large amounts of data and
    make it available over the network, so that retrieval is easy. And, with
    Cisco AVVID architecture, you can enable large data transfers without
    congestion. Click here to get a white paper now.
    http://www.networkcomputing.com/ciscosans

    ----------------------------------------------------------------------

    An interesting turn of events happened this week. A wu-ftpd bug
    found and discussed back in April -- and believed to be benign --
    actually turned out to be exploitable on some platforms (particularly
    Linux). You can find more information on this bug in this issue under
    the 'Cross-Platform' category, item {01.48.028}.

    For those of you looking for a secure FTP daemon alternative,
    the SAC team recommends vsftpd. It was designed with security
    as its number-one priority. You can download vsftpd from:
    http://freshmeat.net/projects/vsftpd/

    Until next week,
    --Security Alert Consensus Team

    ************************************************************************

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    TABLE OF CONTENTS:

    {01.48.017} Win - helpcntr.exe URL overflow
    {01.48.025} Win - IE htmlfile control file viewing/command execution
    {01.48.002} Linux - Update {01.45.013}: teTeX insecure temp file and
                dvips invocation
    {01.48.003} Linux - Update {01.43.009}: procmail privilege elevation
                via signals
    {01.48.004} Linux - Update {01.23.002}: gpg file name format string
                vulnerability
    {01.48.005} Linux - Update {01.45.004}: SYNCookie problems in Linux
                kernels
    {01.48.010} Linux - Update {01.44.002}: RPM info query heap overflow
    {01.48.011} Linux - Mandrake expect loads libraries from user directory
    {01.48.012} Linux - Update {01.39.015}: Squid FTP mkdir PUT DoS
    {01.48.013} Linux - susehelp CGIs arbitrary command exec
    {01.48.014} Linux - Update {01.47.012}: Postfix session log memory DoS
    {01.48.023} Linux - Cyrus/sasl logging function format string
                vulnerability
    {01.48.024} Linux - RedHat Stronghold Web server info disclosure
    {01.48.006} HPUX - rlpdaemon arbitrary file writing
    {01.48.016} SGI - Update {01.42.001}: Various shells create insecure
                tmp files for << processing
    {01.48.008} Other - Update {01.46.003}: IBM HTTP server source
                disclosure
    {01.48.009} Other - Update {01.46.020}: IBM 4758 cryptographic storage
                weakness
    {01.48.019} Other - Xircom REX6000 transmits PIN in clear
    {01.48.001} Cross - OpenSSH 3.0.1 available with security fixes
    {01.48.007} Cross - pmake shell format string vulnerability
    {01.48.018} Cross - Secure Computing SafeWord SSH CRC attack
                vulnerability
    {01.48.020} Cross - libgtop_daemon syslog() format string vulnerability
    {01.48.021} Cross - NetDynamics session hijacking
    {01.48.022} Cross - NSI/ARIN rwhoisd syslog() format string
                vulnerability
    {01.48.026} Cross - Auto nice daemon process name format string
                vulnerability
    {01.48.027} Cross - Xitami server world-readable configuration file
    {01.48.028} Cross - wu-ftpd unclosed glob heap overflow
    {01.48.015} Tools - Bind 9.2.0 available

    - --- Windows News -------------------------------------------------------

    *** {01.48.017} Win - helpcntr.exe URL overflow

    An advisory has surfaced indicating that a remotely exploitable buffer
    overflow exists in the helpcntr.exe application, which handles all
    URLs using the 'hcp' protocol. It may be possible for a malicious Web
    site or e-mail to execute arbitrary code under the user's privileges.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-11/0179.html

    *** {01.48.025} Win - IE htmlfile control file viewing/command execution

    Multiple advisories have been released indicating that the htmlfile
    ActiveX control shipped with Internet Explorer 5.x and 6.0 allows a
    malicious Web site or e-mail to view arbitrary files on the user's
    system and potentially execute programs, as well.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-11/0201.html

    - --- Linux News ---------------------------------------------------------

    *** {01.48.002} Linux - Update {01.45.013}: teTeX insecure temp file
                    and dvips invocation

    Mandrake has released updated teTeX packages, which fix the
    vulnerability discussed in {01.45.013} ("teTeX insecure temp file
    and dvips invocation").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/bugtraq/2001-11/0159.html

    Source: Mandrake (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2001-11/0159.html

    *** {01.48.003} Linux - Update {01.43.009}: procmail privilege
                    elevation via signals

    Mandrake has released updated procmail packages, which fix the
    vulnerability discussed in {01.43.009} ("procmail privilege elevation
    via signals").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/bugtraq/2001-11/0156.html

    Source: Mandrake (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2001-11/0156.html

    *** {01.48.004} Linux - Update {01.23.002}: gpg file name format string
                    vulnerability

    Mandrake has released updated gnupg packages, which fix the
    vulnerability discussed in {01.23.002} ("gpg file name format string
    vulnerability").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/bugtraq/2001-11/0160.html

    Source: Mandrake (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2001-11/0160.html

    *** {01.48.005} Linux - Update {01.45.004}: SYNCookie problems in Linux
                    kernels

    Mandrake has released updated kernel packages, which fix the
    vulnerability discussed in {01.45.004} ("SYNCookie problems in Linux
    kernels").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/bugtraq/2001-11/0163.html
    http://archives.neohapsis.com/archives/bugtraq/2001-11/0164.html

    Source: Mandrake (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2001-11/0163.html
    http://archives.neohapsis.com/archives/bugtraq/2001-11/0164.html

    *** {01.48.010} Linux - Update {01.44.002}: RPM info query heap overflow

    Conectiva has released updated rpm packages, which fix the
    vulnerability discussed in {01.44.002} ("RPM info query heap
    overflow").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/conectiva/2001-q4/0015.html

    Source: Conectiva
    http://archives.neohapsis.com/archives/linux/conectiva/2001-q4/0015.html

    *** {01.48.011} Linux - Mandrake expect loads libraries from user
                    directory

    Mandrake has released an advisory indicating a problem in its
    distribution of expect. The expect binary looks into a particular
    user's directory to load required libraries, thus allowing a malicious
    user to offer trojaned libraries and to execute code under the
    unsuspecting user's privileges.

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/bugtraq/2001-11/0176.html

    Source: Mandrake (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2001-11/0176.html

    *** {01.48.012} Linux - Update {01.39.015}: Squid FTP mkdir PUT DoS

    Mandrake has released updated squid packages, which fix the
    vulnerability discussed in {01.39.015} ("Squid FTP mkdir PUT DoS").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/bugtraq/2001-11/0180.html

    Source: Mandrake (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2001-11/0180.html

    *** {01.48.013} Linux - susehelp CGIs arbitrary command exec

    SuSE has released an advisory indicating that some of the susehelp
    CGIs allow a remote attacker to execute arbitrary commands under the
    Web server's uid.

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/suse/2001-q4/1085.html

    Source: SuSE
    http://archives.neohapsis.com/archives/linux/suse/2001-q4/1085.html

    *** {01.48.014} Linux - Update {01.47.012}: Postfix session log memory
                    DoS

    Conectiva has released updated postfix packages, which fix the
    vulnerability discussed in {01.47.012} ("Postfix session log memory
    DoS").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/conectiva/2001-q4/0014.html

    Source: Conectiva
    http://archives.neohapsis.com/archives/linux/conectiva/2001-q4/0014.html

    *** {01.48.023} Linux - Cyrus/sasl logging function format string
                    vulnerability

    SuSE has released an advisory indicating that a format string
    vulnerability exists in a logging function used by the cyrus/sasl
    package. This could allow a remote attacker to execute arbitrary code
    on the system.

    Updated SuSE RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/suse/2001-q4/1109.html

    Source: SuSE
    http://archives.neohapsis.com/archives/linux/suse/2001-q4/1109.html

    *** {01.48.024} Linux - RedHat Stronghold Web server info disclosure

    An advisory was released indicating that the default configuration
    of the RedHat Stronghold secure Web server prior to version 3.0 build
    3015 allows a remote attacker to view various configuration and runtime
    information via two particular status URLs. The advisory also hints
    that it's possible to view file contents.

    The advisory indicates vendor confirmation, and version 3.0 build
    3015 is supposed to fix the problem.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-11/0195.html

    - --- HP-UX News ---------------------------------------------------------

    *** {01.48.006} HPUX - rlpdaemon arbitrary file writing

    HP has released updated patches for a vulnerability in the rlpdaemon
    printer service that could allow a remote attacker to (over)write
    data into arbitrary files.

    Apply the appropriate patch:
    HPUX 10.01: PHCO_25107
    HPUX 10.10: PHCO_25108
    HPUX 10.20: PHCO_25109
    HPUX 11.00: PHCO_25110
    HPUX 11.11: PHCO_25111

    Source: HP
    http://archives.neohapsis.com/archives/hp/2001-q4/0047.html

    - --- SGI News -----------------------------------------------------------

    *** {01.48.016} SGI - Update {01.42.001}: Various shells create
                    insecure tmp files for << processing

    SGI has released patches that fix the vulnerability discussed in
    {01.42.001} ("Various shells create insecure tmp files for <<
    processing").

    A patch matrix is available at:
    http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0058.html

    Source: SGI (Vulnwatch)
    http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0058.html

    - --- Other News ---------------------------------------------------------

    *** {01.48.008} Other - Update {01.46.003}: IBM HTTP server source
                    disclosure

    IBM has reportedly confirmed the vulnerability discussed in {01.46.003}
    ("IBM HTTP server source disclosure"). A fix will be included in
    fixpack 5, which is due at the end of November.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-11/0174.html

    *** {01.48.009} Other - Update {01.46.020}: IBM 4758 cryptographic
                    storage weakness

    IBM has released a statement addressing the vulnerability discussed
    in {01.46.020} ("IBM 4758 cryptographic storage weakness").

    The statement is available at:
    http://www-3.ibm.com/security/cryptocards/html/ccaupdate.shtml

    Source: IBM
    http://www-3.ibm.com/security/cryptocards/html/ccaupdate.shtml

    *** {01.48.019} Other - Xircom REX6000 transmits PIN in clear

    A recent advisory indicates that the Xircom REX6000 PDA transmits
    its PIN in the clear over the serial connection to the host-based
    software. As a result, it is not necessary to know the correct PIN
    to access the device, regardless of the security setting.

    No patches have been made available.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-11/0187.html

    - --- Cross-Platform News ------------------------------------------------

    *** {01.48.001} Cross - OpenSSH 3.0.1 available with security fixes

    OpenSSH version 3.0.1 has been released. The new version contains
    two security-related fixes: an attacker can bypass authentication if
    KerberosV is enabled, and a memory-clearing bug may crash the service,
    leading to a denial of service.

    The updated version can be downloaded from:
    http://www.openssh.com/

    Source: OpenBSD
    http://archives.neohapsis.com/archives/openbsd/2001-11/1772.html

    *** {01.48.007} Cross - pmake shell format string vulnerability

    pmake version 2.1.33 has been reported to contain a format string
    vulnerability in the handling of certain parameters used in a
    makefile. If pmake is installed setuid or setgid, this could lead to
    a local system compromise.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-11/0172.html

    *** {01.48.018} Cross - Secure Computing SafeWord SSH CRC attack
                    vulnerability

    Secure Computing distributes a SafeWord-enabled SSH server that has
    been found vulnerable to the previously reported SSH CRC compensation
    attack ({01.07.027}).

    No patches have been made available.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-11/0186.html

    *** {01.48.020} Cross - libgtop_daemon syslog() format string
                    vulnerability

    libgtop_daemon prior to version 1.0.13 has been found to contain
    a format string vulnerability in the way it passes data to the
    syslog() function. This could allow a remote attacker to execute
    arbitrary code under the libgtop_daemon's uid (typically 'nobody').

    This vulnerability has been confirmed, and version 1.0.13 has been
    released. It is available at:
    ftp://ftp.gnome.org/pub/GNOME/stable/sources/
    libgtop/libgtop-1.0.13.tar.gz

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-11/0218.html

    *** {01.48.021} Cross - NetDynamics session hijacking

    NetDynamics versions 4.x and 5.x are reportedly vulnerable to session
    hijacking: a remote attacker can possibly guess the 'random' session
    variables issued to new users, and thereby assume a new user's
    logged-in identity.

    This vulnerability has not been confirmed.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0056.html

    *** {01.48.022} Cross - NSI/ARIN rwhoisd syslog() format string
                    vulnerability

    NSI/ARIN's rwhoisd versions 1.5.7.2 and prior have been found to
    contain a remotely exploitable format string vulnerability in the
    handling of data passed to the syslog() function. This would allow
    a remote attacker to execute arbitrary code on the system.

    This vulnerability has not been confirmed.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0051.html

    *** {01.48.026} Cross - Auto nice daemon process name format string
                    vulnerability

    The auto nice daemon ("and") versions 1.0.4 and prior have been found
    to contain a format string vulnerability in the handling of process
    names. This could allow a local attacker to execute arbitrary code
    with root privileges.

    This vulnerability has been confirmed, and version 1.0.5 has been
    released at:
    http://and.sourceforge.net

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-11/0206.html
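
    Five entries in this issue ({01.48.023} cyrus/sasl, {01.48.007} pmake,
    {01.48.020} libgtop_daemon, {01.48.022} rwhoisd and {01.48.026} and)
    describe the same defect class: attacker-supplied text reaches syslog()
    or another printf-family function as the format argument instead of
    as data. The C program below is an added illustration written for this
    digest, not code from any of those projects or advisories; the input
    strings, the function names and the "login by" message are constructed
    for the example. It places the vulnerable call shape beside the fixed
    one and adds a small check that counts the directives a format parser
    would act on, the kind of test a maintainer can run on data before it
    reaches a logging sink.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample inputs: what a remote peer might place in a user
 * name, process name or makefile variable that later gets logged. */
static const char BENIGN_NAME[]  = "alice";
static const char HOSTILE_NAME[] = "alice%x%x%x%n";

/* Detection check: count the conversion directives a printf-family parser
 * would act on.  "%%" is an escaped literal percent and is skipped; a lone
 * trailing '%' is counted because it is still malformed format input. */
int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%": literal percent sign */
            s++;
            continue;
        }
        n++;                    /* "%x", "%s", "%n", ... */
    }
    return n;
}

/* VULNERABLE shape: the untrusted string is the format argument.  This is
 * the snprintf() twin of  syslog(LOG_INFO, name);  writing to a buffer
 * instead of the syslog daemon so the result is observable offline.  Call
 * it only with directive-free input: with HOSTILE_NAME the behaviour is
 * undefined, because each %x consumes an argument that was never passed
 * and %n writes to memory. */
int log_vulnerable(char *out, size_t cap, const char *name)
{
    return snprintf(out, cap, name);
}

/* FIXED shape: a constant format; the data travels through %s, so every
 * '%' in the input is copied literally. */
int log_fixed(char *out, size_t cap, const char *name)
{
    return snprintf(out, cap, "login by %s", name);
}

int main(void)
{
    char buf[256];

    printf("directives in \"%s\": %d\n", HOSTILE_NAME,
           count_directives(HOSTILE_NAME));

    log_fixed(buf, sizeof buf, HOSTILE_NAME);
    printf("fixed sink:      %s\n", buf);   /* login by alice%x%x%x%n */

    log_vulnerable(buf, sizeof buf, BENIGN_NAME);
    printf("vulnerable sink: %s\n", buf);   /* alice, only because the input was benign */
    return 0;
}
```

    Compiling with -Wall -Wformat=2 -Werror=format-security makes GCC and
    Clang reject log_vulnerable() outright, since its format is neither a
    string literal nor accompanied by arguments; that is the cheapest way
    to find this class across a code base before an advisory does.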

    *** {01.48.027} Cross - Xitami server world-readable configuration file

    Xitami Web server version 2.4d9 has been found to leave its
    configuration file world-readable. This file contains the
    administrative password, which a local user could then use to
    reconfigure the server and potentially read arbitrary files, because
    the server runs with root privileges.

    This vulnerability has not been confirmed.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0055.html

    *** {01.48.028} Cross - wu-ftpd unclosed glob heap overflow

    A vulnerability has been found in wu-ftpd versions 2.7.0 (beta)
    and prior. If an attacker is able to log into the FTP service, via
    either an anonymous or a real user account, then it is possible for
    the attacker to execute arbitrary code under the privileges of the
    logged-in user.

    This vulnerability has been confirmed. At this point in time the
    exploitability is believed to be limited to the Linux platform.

    A patch for wu-ftpd 2.6.1 is available at:
    http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0059.html

    Updated Immunix RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2001-11/0257.html

    Updated RedHat RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2001-11/0226.html

    Updated SuSE RPMs:
    http://archives.neohapsis.com/archives/linux/suse/2001-q4/1218.html

    Updated Caldera RPMs:
    http://archives.neohapsis.com/archives/linux/caldera/2001-q4/0013.html

    Source: Caldera, SuSE, RedHat, Immunix, SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-11/0254.html
    http://archives.neohapsis.com/archives/bugtraq/2001-11/0257.html
    http://archives.neohapsis.com/archives/bugtraq/2001-11/0226.html
    http://archives.neohapsis.com/archives/linux/suse/2001-q4/1218.html
    http://archives.neohapsis.com/archives/linux/caldera/2001-q4/0013.html

    - --- Tool Announcements News --------------------------------------------

    *** {01.48.015} Tools - Bind 9.2.0 available

    Bind version 9.2.0 has been released. This version contains bug fixes
    and performance enhancements. No security-related fixes are associated
    with this release.

    The new version can be downloaded from:
    ftp://ftp.isc.org/isc/bind9/9.2.0/bind-9.2.0.tar.gz

    Source: BIND
    http://archives.neohapsis.com/archives/bind/2001/0055.html

    ************************************************************************

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (BSD/OS)
    Comment: For info see http://www.gnupg.org

    iD8DBQE8BpWF+LUG5KFpTkYRAubbAKCXm2zQKT2gSKIWiSB2KQUjY4g3vwCfXDJY
    6s89Q2Q6UDBMeS8da/uOGr4=
    =r8vc
    -----END PGP SIGNATURE-----
    ----------------------------------------------------------------------

    Become a Security Alert Consensus member! If this e-mail was passed
    to you and you would like to begin receiving our security e-mail
    newsletter on a weekly basis, we invite you to subscribe today.
    http://www.networkcomputing.com/consensus/.

    We are signing the Consensus newsletter
    with PGP. The new SANS PGP key is posted at:
    http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46
    and can be accessed from the SANS Web site (http://www.sans.org).

    Special Note: To better secure your confidential information,
    we will no longer include personal URLs in our Consensus
    newsletter mailings. Instead, we have created a new form
    (http://www.sans.org/sansurl). On this form you can enter the SD
    number located near your name at the top of the newsletter. When you
    submit this form, an e-mail containing a URL will be sent to you at
    the e-mail address on record. With this URL you can make changes to
    your account (edit the content of your Consensus mailing, for example)
    without endangering the security of your personal URL. If you'd like
    to change your e-mail address or other information, or unsubscribe
    to this newsletter, please visit your new URL as described above. If
    you have any problems or questions, e-mail us at <consensus@nwc.com>.

    Missed an issue? You can find all back issues of
    Security Alert Consensus (and Security Express) online.
    http://archives.neohapsis.com/

    Your opinion counts. We'd like to hear your thoughts on Security Alert
    Consensus. E-mail any questions or comments to <consensus@nwc.com>.

    Copyright (c) 2001 Network Computing, a CMP Media LLC
    publication. All Rights Reserved. Distributed by Network
    Computing (http://www.networkcomputing.com) and The SANS Institute
    (http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
    security assessment and integration services consulting group
    (info@neohapsis.com | http://www.neohapsis.com/).