From: Network Computing and The SANS Institute (sans+ZZ56432754600163775@sans.org)
Date: Thu Dec 06 2001 - 13:53:43 CST
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 126 (01.49)
Thursday, December 6, 2001
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below
you should find information pertaining only to the categories you
requested. Information on how to manage your subscription is contained
at the bottom of the newsletter. If you have any problems or questions,
please e-mail us at <consensus@nwc.com>.
----------------------------------------------------------------------
This issue sponsored by NetIQ.
Learn How to Unlock Your Firewall's Secrets with Security Manager. Learn
how to maximize the return on your firewall investment. Download NetIQ's
free white paper, "Reporting and Incident Management for Firewalls:
The Keys to Unlocking Your Firewall's Secrets."
http://www.netiq.com/f/form/form.asp?id=399
----------------------------------------------------------------------
Another worm (W32.Goner) is making its rounds this week via Outlook
and ICQ clients. The fix is the same as always: Update your virus
signature file. In the meantime, you also might want to update your
Outlook patches and watch for e-mails with the subject line of "Hi."
In other news, the Internet is seeing a surge of attackers going
after SSH daemons vulnerable to the reported SSH CRC compensation
detector overflow. In fact, a recent poll indicates that as many as
30 percent of the SSH daemons on the Internet are vulnerable. So be
sure to double-check your SSH installs and update to the latest versions.
http://www.citi.umich.edu/u/provos/ssh/
Until next week,
--Security Alert Consensus Team
************************************************************************
TABLE OF CONTENTS:
{01.49.023} Win - ASPUpload demo script vulnerabilities
{01.49.025} Win - Alchemy Eye/Network Monitor log viewing
{01.49.003} Linux - Update {01.48.023}: Cyrus/sasl logging function
format string vulnerability
{01.49.006} Linux - Update {01.42.011}: Apache 1.3.22 available, with
security fixes
{01.49.013} Linux - Update {01.23.008}: OpenSSH 'cookie' file deletion
{01.49.015} Linux - Update {01.46.007}: IMP Webmail CSS vulnerability
{01.49.018} Linux - Update {01.47.012}: Postfix session log memory DoS
{01.49.010} BSD - OpenBSD lpd can create files in root directory
{01.49.012} BSD - OpenBSD local kernel crash DoS
{01.49.004} SGI - Update {01.17.009}: Nirvana editor (nedit) insecure
temp file handling
{01.49.005} SGI - Update {01.45.019}: Overflow in dtspcd via DCE SPC
library
{01.49.021} SCO - setcontext full memory access
{01.49.017} NApps - Cisco IOS CBAC filter bypass
{01.49.014} Other - UNICOS NQSD job schedule format string vulnerability
{01.49.001} Cross - Update {01.48.028}: wu-ftpd unclosed glob heap
overflow
{01.49.002} Cross - SETI@Home SOCKS support overflows
{01.49.007} Cross - Update {01.32.009}: Oracle dbsnmp ORACLE_HOME env
variable overflow
{01.49.008} Cross - Oracle dbsnmp exec various trojan programs
{01.49.009} Cross - OpenSSH UseLogin unfiltered environment
{01.49.011} Cross - Valicert Enterprise VA forms CGI vulnerabilities
{01.49.016} Cross - mailman listinfo CGI CSS vulnerability
{01.49.019} Cross - PGPMail.pl CGI command execution
{01.49.022} Cross - frox ftp proxy MDTM response overflow
{01.49.024} Cross - Lotus Notes https listener DoS
{01.49.026} Cross - Allaire JRun SSI source code disclosure
{01.49.027} Cross - Allaire JRun Web directory browsing
{01.49.028} Cross - Allaire JRun duplicate session ID leak
{01.49.029} Cross - Multiple vulnerabilities in Easynews CGI
{01.49.020} Tools - Snort 1.8.3 available
--- Windows News -------------------------------------------------------
*** {01.49.023} Win - ASPUpload demo script vulnerabilities
The ASPUpload suite from ASPUpload.com has been found to install
various demonstration scripts that can be used by a remote attacker
to view arbitrary files and to upload new files.
The advisory indicates vendor confirmation. The best fix is to delete
the sample applications.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-11/0292.html
*** {01.49.025} Win - Alchemy Eye/Network Monitor log viewing
The Alchemy Eye Network Monitor Suite version 2.6.18 has been found
to install by default an HTTP server that allows a remote attacker
to access various log files. These log files could expose sensitive
information.
The advisory indicates vendor confirmation.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-11/0304.html
--- Linux News ---------------------------------------------------------
*** {01.49.003} Linux - Update {01.48.023}: Cyrus/sasl logging function
format string vulnerability
Caldera and RedHat have released updated cyrus/sasl packages, which
fix the vulnerability discussed in {01.48.023} ("Cyrus/sasl logging
function format string vuln").
Updated Caldera RPMs:
http://archives.neohapsis.com/archives/linux/caldera/2001-q4/0012.html
Updated RedHat RPMs:
http://archives.neohapsis.com/archives/linux/redhat/2001-q4/0139.html
http://archives.neohapsis.com/archives/linux/redhat/2001-q4/0141.html
Source: Caldera, RedHat
http://archives.neohapsis.com/archives/linux/caldera/2001-q4/0012.html
http://archives.neohapsis.com/archives/linux/redhat/2001-q4/0139.html
http://archives.neohapsis.com/archives/linux/redhat/2001-q4/0141.html
*** {01.49.006} Linux - Update {01.42.011}: Apache 1.3.22 available,
with security fixes
Mandrake and RedHat have released updated apache packages, which fix
the vulnerability discussed in {01.42.011} ("Apache 1.3.22 available,
with security fixes").
Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/bugtraq/2001-11/0244.html
Updated RedHat RPMs:
http://archives.neohapsis.com/archives/linux/redhat/2001-q4/0148.html
Source: Mandrake, RedHat (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-11/0244.html
http://archives.neohapsis.com/archives/linux/redhat/2001-q4/0148.html
*** {01.49.013} Linux - Update {01.23.008}: OpenSSH 'cookie' file
deletion
SuSE has released updated openSSH packages, which fix the vulnerability
discussed in {01.23.008} ("OpenSSH 'cookie' file deletion").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/suse/2001-q4/1320.html
Source: SuSE
http://archives.neohapsis.com/archives/linux/suse/2001-q4/1320.html
*** {01.49.015} Linux - Update {01.46.007}: IMP Webmail CSS
vulnerability
Caldera has released updated imp packages, which fix the vulnerability
discussed in {01.46.007} ("IMP Webmail CSS vuln").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/caldera/2001-q4/0011.html
Source: Caldera
http://archives.neohapsis.com/archives/linux/caldera/2001-q4/0011.html
*** {01.49.018} Linux - Update {01.47.012}: Postfix session log memory
DoS
Mandrake and RedHat have released updated postfix packages, which
fix the vulnerability discussed in {01.47.012} ("Postfix session log
memory DoS").
Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/bugtraq/2001-11/0288.html
Updated RedHat RPMs:
http://archives.neohapsis.com/archives/linux/redhat/2001-q4/0135.html
Source: RedHat, Mandrake (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-11/0288.html
http://archives.neohapsis.com/archives/linux/redhat/2001-q4/0135.html
--- BSD News -----------------------------------------------------------
*** {01.49.010} BSD - OpenBSD lpd can create files in root directory
OpenBSD has committed patches to the line printer daemon to fix a bug
that allows a remote attacker, who is coming from an lpd-accepted host,
to create arbitrary files in the root ('/') directory.
The vendor has confirmed this vulnerability. Patches have
been committed to the 2.9-stable, 3.0-stable and current
branches. Individual patches are available at:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/017_lpd.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/008_lpd.patch
Source: OpenBSD
http://archives.neohapsis.com/archives/openbsd/2001-12/0225.html
*** {01.49.012} BSD - OpenBSD local kernel crash DoS
A post made to the OpenBSD tech list includes a demonstration program
that reportedly crashes OpenBSD 2.9 and 3.0 systems. This could allow
a local attacker to cause a denial of service.
This vulnerability has been confirmed, and a patch has been committed
to the OpenBSD source tree. Third-party patches are available at:
http://archives.neohapsis.com/archives/openbsd/2001-12/0046.html
Source: OpenBSD
http://archives.neohapsis.com/archives/openbsd/2001-12/0046.html
--- SGI News -----------------------------------------------------------
*** {01.49.004} SGI - Update {01.17.009}: Nirvana editor (nedit)
insecure temp file handling
SGI has released nedit patches, which fix the vulnerability discussed
in {01.17.009} ("Nirvana editor (nedit) insecure temp file handling").
An updated patch matrix is available at:
http://archives.neohapsis.com/archives/vendor/2001-q4/0039.html
Source: SGI
http://archives.neohapsis.com/archives/vendor/2001-q4/0039.html
*** {01.49.005} SGI - Update {01.45.019}: Overflow in dtspcd via DCE
SPC library
SGI has released various CDE patches, which fix the vulnerability
discussed in {01.45.019} ("Overflow in dtspcd via DCE SPC library")
as well as other previously reported CDE-related vulnerabilities.
A patch matrix is available at:
http://archives.neohapsis.com/archives/vendor/2001-q4/0041.html
Source: SGI
http://archives.neohapsis.com/archives/vendor/2001-q4/0041.html
--- SCO News -----------------------------------------------------------
*** {01.49.021} SCO - setcontext full memory access
Caldera/SCO has released a fix for a bug by which normal users
can manipulate particular segment registers, allowing them to
read or overwrite values in memory. The vulnerability has been found
in OpenServer versions 5.0.6 and prior.
Updated binaries are available at:
ftp://stage.caldera.com/pub/security/openserver/CSSA-2001-SCO.35/
Source: Caldera/SCO
http://archives.neohapsis.com/archives/linux/caldera/2001-q4/0014.html
--- Network Appliances News --------------------------------------------
*** {01.49.017} NApps - Cisco IOS CBAC filter bypass
The Cisco IOS firewall feature set, also known as CBAC, has been found
to contain a bug that could allow traffic, which normally would be
filtered, to pass unhindered.
Cisco has confirmed this vulnerability. A patch matrix is available at:
http://archives.neohapsis.com/archives/cisco/2001-q4/0007.html
Source: Cisco
http://archives.neohapsis.com/archives/cisco/2001-q4/0007.html
--- Other News ---------------------------------------------------------
*** {01.49.014} Other - UNICOS NQSD job schedule format string
vulnerability
An advisory was released indicating the existence of a format string
vulnerability in the nqsd daemon included with UNICOS/mk version
2.0.5.54. Users who can schedule jobs with qsub can potentially
execute arbitrary code with root access.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-11/0231.html
--- Cross-Platform News ------------------------------------------------
*** {01.49.001} Cross - Update {01.48.028}: wu-ftpd unclosed glob heap
overflow
Multiple vendors have released updated wu-ftpd packages, which fix
the vulnerability discussed in {01.48.028} ("wu-ftpd unclosed glob
heap overflow").
Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/bugtraq/2001-11/0300.html
Updated Conectiva RPMs:
http://archives.neohapsis.com/archives/linux/conectiva/2001-q4/0018.html
Updated Debian DEBs:
http://archives.neohapsis.com/archives/vendor/2001-q4/0042.html
Updated Caldera RPMs:
http://archives.neohapsis.com/archives/linux/caldera/2001-q4/0013.html
Updated SCO/OpenServer binaries:
ftp://stage.caldera.com/pub/security/openunix/CSSA-2001-SCO.36/
Source: Mandrake, Conectiva, Debian (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-11/0300.html
http://archives.neohapsis.com/archives/linux/conectiva/2001-q4/0018.html
http://archives.neohapsis.com/archives/vendor/2001-q4/0042.html
http://archives.neohapsis.com/archives/linux/caldera/2001-q4/0015.html
http://archives.neohapsis.com/archives/linux/caldera/2001-q4/0013.html
*** {01.49.002} Cross - SETI@Home SOCKS support overflows
The SETI@Home client version 3.03 has been found to contain a buffer
overflow in the handling of various parameters passed to configure
the built-in SOCKS support. Installations that have added suid or
sgid privileges to the client are vulnerable to a local privilege
escalation attack. Fortunately, the client does not have extra
privileges by default.
The advisory indicates confirmation by the vendor, which will fix
the vulnerability in the next version.
Source: SecurityFocus Vuln-Dev
http://archives.neohapsis.com/archives/vuln-dev/2001-q4/0662.html
*** {01.49.007} Cross - Update {01.32.009}: Oracle dbsnmp ORACLE_HOME
env variable overflow
Oracle has released patches, which fix the vulnerability discussed in
{01.32.009} ("Oracle dbsnmp ORACLE_HOME env variable overflow"). All
Unix versions are affected.
A patch matrix is available on Oracle's OTN network at:
http://metalink.oracle.com/
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-11/0309.html
*** {01.49.008} Cross - Oracle dbsnmp exec various trojan programs
Two vulnerabilities have been found in the Oracle dbsnmp program
that could allow a local attacker to execute arbitrary programs
with elevated privileges. First, dbsnmp does not sanitize the PATH
environment variable before running chown and chgrp, so a local
attacker can place trojaned versions of these commands in their
path. Second, dbsnmp uses the user-supplied ORACLE_HOME environment
variable, so a local attacker can point it at an alternate,
trojaned directory from which libraries are loaded and commands are run.
Oracle has confirmed these vulnerabilities and released a patch,
which is available on its OTN network at:
http://metalink.oracle.com
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-11/0306.html
http://archives.neohapsis.com/archives/bugtraq/2001-11/0307.html
*** {01.49.009} Cross - OpenSSH UseLogin unfiltered environment
OpenSSH versions prior to 3.0.2 contain a bug that is exposed when the
daemon is configured with the 'UseLogin' option. The OpenSSH daemon does
not sanitize the user's environment before passing it to the specified
login program, potentially allowing a local attacker to execute arbitrary
code with elevated privileges.
OpenSSH version 3.0.2 fixes this problem. It can be downloaded from:
http://www.openssh.com/
RedHat has released updated RPMs:
http://archives.neohapsis.com/archives/linux/redhat/2001-q4/0150.html
Source: OpenBSD, RedHat
http://archives.neohapsis.com/archives/openbsd/2001-12/0261.html
http://archives.neohapsis.com/archives/linux/redhat/2001-q4/0150.html
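The dbsnmp entry ({01.49.008}) and the OpenSSH UseLogin entry above describe the same defect class: a privileged program trusting the environment handed to it by an unprivileged caller. The following C example is added here and is not code from Oracle, OpenSSH or this newsletter; the allow-list, the /opt/oracle/ prefix and the function names are hypothetical choices. It shows a privileged helper rebuilding a minimal environment with a compiled-in PATH and honouring ORACLE_HOME only when it lies under a trusted prefix.

```c
#include <string.h>

/* Search path the helper uses for chown/chgrp: fixed at compile time,
 * never taken from the caller's PATH. */
#define SAFE_PATH "PATH=/usr/bin:/bin"
#define MAX_ENV 16

/* Hypothetical allow-list of harmless variables passed through unchanged.
 * Everything not listed (PATH, LD_LIBRARY_PATH, LD_PRELOAD, IFS, ...) is
 * dropped, so a blocklist cannot miss a dangerous name. */
static const char *const allow[] = { "TZ", "LANG", NULL };

static int allowed(const char *kv)
{
    for (int i = 0; allow[i] != NULL; i++) {
        size_t n = strlen(allow[i]);
        if (strncmp(kv, allow[i], n) == 0 && kv[n] == '=')
            return 1;
    }
    return 0;
}

/* Build the minimal environment to hand to execve(). Returns the number of
 * entries stored in out (NULL terminator not counted), or -1 if out cannot
 * hold them; in is the untrusted environment the helper was started with. */
int build_safe_env(char *const *in, const char **out, size_t outlen)
{
    size_t n = 0;
    if (outlen < 2)
        return -1;
    out[n++] = SAFE_PATH;
    for (; in != NULL && *in != NULL; in++) {
        if (!allowed(*in))
            continue;
        if (n + 1 >= outlen)          /* keep room for the NULL terminator */
            return -1;
        out[n++] = *in;
    }
    out[n] = NULL;
    return (int)n;
}

/* ORACLE_HOME from the caller is honoured only when it is an absolute path
 * below a prefix compiled into the helper (hypothetical here) and contains
 * no "." or ".." components that could climb back out of it. */
int is_trusted_oracle_home(const char *home)
{
    static const char prefix[] = "/opt/oracle/";
    size_t plen = sizeof prefix - 1;
    if (home == NULL || strncmp(home, prefix, plen) != 0 || home[plen] == '\0')
        return 0;
    if (strstr(home, "/../") != NULL || strstr(home, "/./") != NULL)
        return 0;
    size_t len = strlen(home);
    if ((len >= 3 && strcmp(home + len - 3, "/..") == 0) ||
        (len >= 2 && strcmp(home + len - 2, "/.") == 0))
        return 0;
    return 1;
}
```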
*** {01.49.011} Cross - Valicert Enterprise VA forms CGI vulnerabilities
An advisory was released detailing multiple vulnerabilities in
the forms CGI component distributed with Valicert's Enterprise VA
suite. The vulnerabilities range from information disclosure and
cross-site scripting to 14 various buffer overflows that could allow
a remote attacker to execute arbitrary code with elevated privileges.
The advisory indicates confirmation by the vendor, which has patches
available from its site at:
http://www.valicert.com/
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0065.html
*** {01.49.016} Cross - mailman listinfo CGI CSS vulnerability
The listinfo CGI distributed with mailman versions prior to 2.0.8 has
been found vulnerable to cross-site scripting. This could potentially
allow a malicious e-mail or Web site to execute arbitrary JavaScript.
The vendor has confirmed this vulnerability and released version 2.0.8,
which is available at:
http://sourceforge.net/projects/mailman
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-11/0236.html
*** {01.49.019} Cross - PGPMail.pl CGI command execution
The PGPMail.pl CGI script version 1.31 from venturablvd.com has been
found to allow a remote attacker to execute arbitrary shell commands
by using Unix shell metacharacters in the pgpuserid and recipient
parameters of the URL.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-11/0289.html
*** {01.49.022} Cross - frox ftp proxy MDTM response overflow
Versions 0.6.6 and prior of the frox transparent ftp proxy have
been found to contain a buffer overflow in the handling of MDTM FTP
responses. The vulnerability could allow a malicious FTP server to
execute arbitrary code under the frox daemon's privileges.
The vendor has confirmed this vulnerability. Version 0.6.7 has been
released at:
http://frox.sourceforge.net/
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-11/0285.html
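A proxy such as frox reads the MDTM reply from a server it does not control, so the reply length must be checked before anything is copied into a fixed buffer. The C parser below is an added example, not frox's code and not the fix the vendor shipped; the function name and the strict 14-digit-only format are this example's own choices. It rejects oversized, short, non-numeric and out-of-range replies before writing to the caller's buffer.

```c
#include <ctype.h>
#include <string.h>

#define MDTM_LEN 14   /* YYYYMMDDHHMMSS; the fractional-second form is deliberately rejected */

/* Numeric value of len digits at offset off of a digits-only string. */
static int field(const char *s, int off, int len)
{
    int v = 0;
    while (len-- > 0)
        v = v * 10 + (s[off++] - '0');
    return v;
}

/* Parse a "213 YYYYMMDDHHMMSS" reply into out (outlen must be >= MDTM_LEN + 1).
 * Returns 0 on success; -1 for any malformed, out-of-range or oversized reply,
 * in which case out is left untouched. Every byte of reply is server-controlled. */
int parse_mdtm_reply(const char *reply, char *out, size_t outlen)
{
    char stamp[MDTM_LEN + 1];
    if (reply == NULL || out == NULL || outlen < MDTM_LEN + 1)
        return -1;
    /* Exactly "213 " followed by the timestamp; a "213-" multi-line reply is not accepted. */
    if (strncmp(reply, "213 ", 4) != 0)
        return -1;
    const char *p = reply + 4;
    for (int i = 0; i < MDTM_LEN; i++) {
        /* A NUL, CR, LF or other non-digit before 14 digits ends the check early,
         * so a short reply can never make us read past the server's line. */
        if (!isdigit((unsigned char)p[i]))
            return -1;
        stamp[i] = p[i];
    }
    stamp[MDTM_LEN] = '\0';
    /* Only a line terminator may follow; extra bytes are exactly what an
     * unbounded copy would have overflowed on, so refuse them outright. */
    p += MDTM_LEN;
    if (*p != '\0' && strcmp(p, "\r\n") != 0 && strcmp(p, "\n") != 0)
        return -1;
    /* Plausibility of each date field, so nonsense like month 13 is not passed on. */
    int mon = field(stamp, 4, 2), day = field(stamp, 6, 2);
    int hh = field(stamp, 8, 2), mm = field(stamp, 10, 2), ss = field(stamp, 12, 2);
    if (mon < 1 || mon > 12 || day < 1 || day > 31 || hh > 23 || mm > 59 || ss > 60)
        return -1;
    memcpy(out, stamp, MDTM_LEN + 1);
    return 0;
}
```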
*** {01.49.024} Cross - Lotus Notes https listener DoS
An advisory has been released indicating that Lotus Notes versions
5.08 and prior shipped with an https (SSL) listener that is vulnerable
to a denial of service attack. The bug can be triggered if you use
nmap to perform an RPC scan (-sR) against the https port (443). The
result is a service crash.
This vulnerability has been confirmed and fixed in version 5.09.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-11/0302.html
*** {01.49.026} Cross - Allaire JRun SSI source code disclosure
Versions 3.1 and prior of Allaire's JRun have been found to contain a
vulnerability whereby a remote attacker can trick the SSI (server-side
include) component into executing arbitrary SSI commands. This allows
the remote attacker to view the contents of files, particularly JSP
source code.
Allaire/Macromedia has confirmed this vulnerability. A workaround is
available at:
http://www.allaire.com/handlers/index.cfm?ID=22235&Method=Full
Source: Allaire/Macromedia
http://archives.neohapsis.com/archives/vendor/2001-q4/0036.html
*** {01.49.027} Cross - Allaire JRun Web directory browsing
Allaire's JRun version 3.1 has been found to contain a vulnerability
that could allow a remote attacker to gain directory listings of
various Web directories by appending particular characters to the
requested URL.
Allaire has confirmed this vulnerability. A workaround is available at:
http://www.allaire.com/handlers/index.cfm?ID=22236&Method=Full
Source: Allaire/Macromedia
http://archives.neohapsis.com/archives/vendor/2001-q4/0036.html
*** {01.49.028} Cross - Allaire JRun duplicate session ID leak
Versions 3.1 and prior of Allaire's JRun contain a vulnerability
whereby a particular request to an application may result in the
server reusing an active session ID, which allows the current session
to be hijacked.
Allaire/Macromedia has confirmed this vulnerability. A hot fix is
available at:
http://www.allaire.com/handlers/index.cfm?ID=22234&Method=Full
Source: Allaire/Macromedia
http://www.allaire.com/handlers/index.cfm?ID=22234&Method=Full
*** {01.49.029} Cross - Multiple vulnerabilities in Easynews CGI
Easynews CGI version 1.5 from easyscripts.power-gaming.de reportedly
contains multiple vulnerabilities: overwriting .dat files (databases
and templates used by Easynews); cross-site scripting problems;
storage of authentication information in plain text; and information
exposure that yields the physical path of the Web root.
These vulnerabilities have not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-12/0000.html
--- Tool Announcements News --------------------------------------------
*** {01.49.020} Tools - Snort 1.8.3 available
Snort 1.8.3 has been released. Those of you who use the open source
IDS might be interested in some of the bug fixes and new features of
this version.
It can be downloaded from:
http://www.snort.org/releases/snort-1.8.3.tar.gz
Source: Snort
http://archives.neohapsis.com/archives/snort/2001-11/0990.html
************************************************************************
----------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed
to you and you would like to begin receiving our security e-mail
newsletter on a weekly basis, we invite you to subscribe today.
http://www.networkcomputing.com/consensus/.
We are signing the Consensus newsletter
with PGP. The new SANS PGP key is posted at:
http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46
and can be accessed from the SANS Web site (http://www.sans.org).
Special Note: To better secure your confidential information,
we will no longer include personal URLs in our Consensus
newsletter mailings. Instead, we have created a new form
(http://www.sans.org/sansurl). On this form you can enter the SD
number located near your name at the top of the newsletter. When you
submit this form, an e-mail containing a URL will be sent to you at
the e-mail address on record. With this URL you can make changes to
your account (edit the content of your Consensus mailing, for example)
without endangering the security of your personal URL. If you'd like
to change your e-mail address or other information, or unsubscribe
from this newsletter, please visit your new URL as described above. If
you have any problems or questions, e-mail us at <consensus@nwc.com>.
Missed an issue? You can find all back issues of
Security Alert Consensus (and Security Express) online.
http://archives.neohapsis.com/
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2001 Network Computing, a CMP Media LLC
publication. All Rights Reserved. Distributed by Network
Computing (http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).