From: Network Computing and The SANS Institute (sans+ZZ86318989483504379@sans.org)
Date: Thu Dec 20 2001 - 16:37:27 CST
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 128 (01.51)
Thursday, December 20, 2001
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below
you should find information pertaining only to the categories you
requested. Information on how to manage your subscription can be found
at the bottom of the newsletter. If you have any problems or questions,
please e-mail us at <consensus@nwc.com>.
----------------------------------------------------------------------
Check out the latest edition of Network Computing's BuzzCut!
Another Day, Another Microsoft Security Flaw
By Richard Hoffman
Summer turns into fall. Fall becomes winter. And someone uncovers an
enormous security hole in a Microsoft product. Must all these events
become equally inevitable?
http://www.nwc.com/buzzcut/bc16dec01.html
----------------------------------------------------------------------
Seasons Greetings from the Security Alert Consensus Team! We wish to
extend our sincerest wishes for a very happy holiday season to all
of you and your families.
This week produced a few notable vulnerabilities. Admins of the
various commercial Unixes (Solaris, HP-UX and so on) should look at
the SystemV-derived login buffer overflow (reported as {01.51.009}
under the Cross-Platform category). Linux users may want to update
their glibc libraries to prevent possible overflows in the glob()
function (reported as {01.51.024} in the Linux category). And, finally,
so Windows users don't feel left out, Microsoft Corp. released an
Internet Explorer mega-patch (reported as {01.51.010} in the Windows
category). This patch fixes all nasty problems to date, including the
one that automatically downloads and executes applications without
warning the user.
Special note: Microsoft today issued a critical recommendation
regarding Windows, Windows XP, or ME machines that share Internet
connections with Windows 98/98SE clients. You can read about and
download this significant patch here:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms01-059.asp
Until next time,
--Security Alert Consensus Team
************************************************************************
TABLE OF CONTENTS:
{01.51.001} Win - IIS large content-length header DoS
{01.51.004} Win - IKE UDP flood DoS
{01.51.010} Win - MS01-058: Cumulative IE patch
{01.51.018} Win - Citrix auto-launch of .ICA files
{01.51.025} Win - EFTP directory listing vulnerability
{01.51.026} Win - CentraOne log file info disclosure
{01.51.002} Linux - Update {01.49.016}: mailman listinfo CGI CSS
vulnerability
{01.51.006} Linux - Update {01.43.018}: Tomcat update
{01.51.007} Linux - Update {01.49.009}: OpenSSH UseLogin unfiltered
environment
{01.51.008} Linux - Update {01.47.012}: Postfix session log memory DoS
{01.51.015} Linux - Mandrake 8.1 PAM lacks MD5 support
{01.51.021} Linux - Update {01.30.021}: Multiple vendor telnetd
option-handling overflow
{01.51.024} Linux - glibc glob()/globfree() vulnerability
{01.51.020} BSD - wmcube-gdk
{01.51.011} AIX - rpc.yppasswdd buffer overflow
{01.51.012} AIX - heap overflow in ftpd
{01.51.013} AIX - PMTU/IP packets cause system to crash
{01.51.023} NApps - Zyxel Prestige router DoS
{01.51.003} Cross - CSVForm CGI file parameter command execution
{01.51.005} Cross - Vague OpenView NMM problem
{01.51.009} Cross - /bin/login command line environment overflow
{01.51.014} Cross - Multiple ettercap buffer overflows
{01.51.016} Cross - IBM Websphere authorization info recovery
{01.51.017} Cross - Update {01.50.007}: Platform Computing LSF multiple
vulnerabilities
{01.51.019} Cross - klprfax_filter insecure temp file creation
{01.51.022} Cross - Multiple PHP-Nuke (and add-ons) CSS problems
{01.51.027} Cross - Aktivate shopping cart CGI CSS
{01.51.028} Cross - Agora shopping cart CGI CSS
--- Windows News -------------------------------------------------------
*** {01.51.001} Win - IIS large content-length header DoS
Various people are reporting a potential denial of service found in
IIS 5.0 (and possibly other versions), whereby a remote attacker sends
a content-length header with an extremely large value. As a result,
the server waits for the indicated amount of data to be sent, with
no apparent timeouts.
This vulnerability has not been confirmed. An exploit has been
published.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-12/0098.html
*** {01.51.004} Win - IKE UDP flood DoS
Various discussions in the past week have touched on the possibility
of a denial of service attack against the IKE IPSEC service listening
on UDP port 500. An ongoing flood can result in abnormally high CPU
use while the packets are processed.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-12/0108.html
*** {01.51.010} Win - MS01-058: Cumulative IE patch
Microsoft has released MS01-058 ("Cumulative IE patch"). This patch
fixes all known security problems in Internet Explorer to date,
including three new problems: the ability for a malicious Web site
to execute arbitrary applications in IE 6; the ability to read files
from the user's system; and a bug that could allow a Web site to
trick the user into seeing a different file name in the download box.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS01-058.asp
Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2001-q4/0053.html
*** {01.51.018} Win - Citrix auto-launch of .ICA files
An advisory was released indicating that IE will automatically
download and launch any .ICA file presented by a malicious Web site
or e-mail. The .ICA file could cause a connection to a trojaned
server, thereby allowing the server to copy files from or to the
client's machine. Apparently, only the Windows version of the client
is affected.
The advisory indicates vendor confirmation. A list of workarounds is
available at:
http://archives.neohapsis.com/archives/bugtraq/2001-12/0133.html
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-12/0133.html
*** {01.51.025} Win - EFTP directory listing vulnerability
EFTP version 2.0.8.346 contains a bug that allows a remote attacker to
gain directory listings outside the FTP root by sending a particular
pattern of CWD commands.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-12/0134.html
*** {01.51.026} Win - CentraOne log file info disclosure
The CentraOne collaboration and learning application has been found
to create world-readable logs that contain large amounts of sensitive
user information, including user name and password.
This vulnerability has not been confirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0072.html
--- Linux News ---------------------------------------------------------
*** {01.51.002} Linux - Update {01.49.016}: mailman listinfo CGI CSS
vulnerability
Conectiva and Debian have released updated mailman packages, which
fix the vulnerability discussed in {01.49.016} ("mailman listinfo
CGI CSS vuln").
Updated Conectiva RPMs:
http://archives.neohapsis.com/archives/linux/conectiva/2001-q4/0020.html
Updated Debian DEBs:
http://archives.neohapsis.com/archives/vendor/2001-q4/0057.html
Source: Conectiva, Debian
http://archives.neohapsis.com/archives/linux/conectiva/2001-q4/0020.html
http://archives.neohapsis.com/archives/vendor/2001-q4/0057.html
*** {01.51.006} Linux - Update {01.43.018}: Tomcat update
HP has released updated tomcat packages for HP Secure OS software
for Linux, which fix the vulnerability discussed in {01.43.018}
("Tomcat update").
Instructions for obtaining the patch are available at:
http://archives.neohapsis.com/archives/hp/2001-q4/0062.html
Source: HP
http://archives.neohapsis.com/archives/hp/2001-q4/0062.html
*** {01.51.007} Linux - Update {01.49.009}: OpenSSH UseLogin unfiltered
environment
Multiple vendors have released updated openSSH packages, which fix the
vulnerability discussed in {01.50.005} ("Linux - Update {01.49.009}:
OpenSSH UseLogin unfiltered environment").
Updated HP Secure OS software for Linux RPMs:
http://archives.neohapsis.com/archives/hp/2001-q4/0062.html
Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/bugtraq/2001-12/0141.html
Updated Conectiva RPMs:
http://archives.neohapsis.com/archives/linux/conectiva/2001-q4/0021.html
Updated Caldera RPMs:
http://archives.neohapsis.com/archives/linux/caldera/2001-q4/0023.html
Source: HP, Mandrake, Conectiva, Caldera (SF Bugtraq)
http://archives.neohapsis.com/archives/hp/2001-q4/0062.html
http://archives.neohapsis.com/archives/bugtraq/2001-12/0141.html
http://archives.neohapsis.com/archives/linux/conectiva/2001-q4/0021.html
http://archives.neohapsis.com/archives/linux/caldera/2001-q4/0023.html
*** {01.51.008} Linux - Update {01.47.012}: Postfix session log memory
DoS
Debian has released updated postfix packages, which fix the
vulnerability discussed in {01.47.012} ("Postfix session log memory
DoS").
Updated DEBs are listed at:
http://archives.neohapsis.com/archives/vendor/2001-q4/0055.html
Source: Debian
http://archives.neohapsis.com/archives/vendor/2001-q4/0055.html
*** {01.51.015} Linux - Mandrake 8.1 PAM lacks MD5 support
Because of a bug, the PAM support of Mandrake version 8.1 does not
use MD5 passwords by default. As a result, any accounts added after
installation will use the weaker crypt() passwords.
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/bugtraq/2001-12/0121.html
Source: Mandrake (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-12/0121.html
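A way to check whether an installation was hit by this: audit the hash formats in /etc/shadow and flag accounts whose password was stored with traditional DES crypt() instead of MD5 crypt. This is an added example, not code from the newsletter or from Mandrake; the shadow lines below are constructed, and the classifier also recognises SHA-crypt and bcrypt prefixes so it generalises beyond the MD5-versus-DES case described above.

```python
import re
import sys

# Constructed sample /etc/shadow content (not from any real system):
#   root  - created at install time with MD5 crypt ($1$ prefix)
#   alice - added after install; PAM fell back to 13-character DES crypt
#   bob   - SHA-512 crypt ($6$), shown so the check handles modern formats
#   daemon, sync - locked accounts with no usable password
SAMPLE_SHADOW = """\
root:$1$Xa9mQ1bZ$0pK3zQvGnO4Jh8sL2wT6e1:11676:0:99999:7:::
alice:Hq3xZ0RQtV2pU:11678:0:99999:7:::
bob:$6$rounds=5000$saltsalt$hashhashhashhashhash:11680:0:99999:7:::
daemon:*:11676:0:99999:7:::
sync:!:11676:0:99999:7:::
"""

# Traditional DES crypt output: 2-char salt + 11-char hash, all drawn
# from the 64-character crypt alphabet [./0-9A-Za-z].
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# Modular crypt format prefixes that mark the stronger hash families.
PREFIXES = {
    "$1$": "md5-crypt",
    "$5$": "sha256-crypt",
    "$6$": "sha512-crypt",
    "$2a$": "bcrypt",
    "$2b$": "bcrypt",
    "$2y$": "bcrypt",
}


def classify_hash(field):
    """Label the hash format of one shadow password field."""
    if not field or field[0] in "*!":
        return "locked"            # no valid password, nothing to downgrade
    for prefix, label in PREFIXES.items():
        if field.startswith(prefix):
            return label
    if DES_CRYPT_RE.match(field):
        return "des-crypt"         # the weak format this advisory is about
    return "unknown"


def audit_shadow(text):
    """Return a list of (username, hash_label) for each shadow entry."""
    results = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue               # malformed line, skip rather than guess
        results.append((fields[0], classify_hash(fields[1])))
    return results


def weak_accounts(text):
    """Usernames whose password is stored with DES crypt()."""
    return [user for user, label in audit_shadow(text) if label == "des-crypt"]


if __name__ == "__main__":
    # Pass a path (e.g. /etc/shadow, read as root) or run on the sample.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SHADOW
    for user, label in audit_shadow(data):
        print(f"{user:12s} {label}")
    print("accounts needing a password reset:", weak_accounts(data))
```

Accounts flagged as des-crypt keep their weak hash even after the PAM packages are updated; the hash is only regenerated when the password is next set, so those users need a password reset.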
*** {01.51.021} Linux - Update {01.30.021}: Multiple vendor telnetd
option-handling overflow
Mandrake has released updated krb5 packages, which fix the
vulnerability discussed in {01.30.021} ("Multiple vendor telnetd
option-handling overflow").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/bugtraq/2001-12/0187.html
Source: Mandrake (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-12/0187.html
*** {01.51.024} Linux - glibc glob()/globfree() vulnerability
A vulnerability found in the GNU libc library's implementation of
glob() causes any program using it to contain a potentially exploitable
condition, which could lead to the execution of arbitrary code. The
OpenBSD ftpd Linux port is one example of a vulnerable program.
This vulnerability has been confirmed. RedHat has released updated
glibc packages, which are listed at:
http://archives.neohapsis.com/archives/linux/redhat/2001-q4/0162.html
Updated EnGarde RPMs:
http://archives.neohapsis.com/archives/bugtraq/2001-12/0178.html
Source: RedHat, EnGarde, SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-12/0175.html
http://archives.neohapsis.com/archives/linux/redhat/2001-q4/0162.html
http://archives.neohapsis.com/archives/bugtraq/2001-12/0178.html
--- BSD News -----------------------------------------------------------
*** {01.51.020} BSD - wmcube-gdk
wmcube-gdk has been found vulnerable to multiple buffer overflows,
which could allow a local attacker to execute arbitrary code with
elevated privileges.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-12/0193.html
--- AIX News -----------------------------------------------------------
*** {01.51.011} AIX - rpc.yppasswdd buffer overflow
IBM has released APAR IY21609, which fixes buffer overflows in the
rpc.yppasswdd daemon. Although the company indicates the possibility
of remote exploitation, it does not provide any further details.
Source: IBM
http://archives.neohapsis.com/archives/aix/2001-q4/0009.html
*** {01.51.012} AIX - heap overflow in ftpd
IBM has released APAR IY23674. It indicates a possible heap buffer
overflow in the FTP daemon. This vulnerability is not related to the
recent wu-ftpd incomplete file glob heap overflow, because IBM does
not use the wu-ftpd codebase.
Source: IBM
http://archives.neohapsis.com/archives/aix/2001-q4/0009.html
*** {01.51.013} AIX - PMTU/IP packets cause system to crash
IBM has released APAR IY25096. It indicates that certain IP packets
-- specifically, those that have to do with PMTU discovery -- may
cause the system to hang. This could lead to a remote denial of
service situation.
Source: IBM
http://archives.neohapsis.com/archives/aix/2001-q4/0009.html
--- Network Appliances News --------------------------------------------
*** {01.51.023} NApps - Zyxel Prestige router DoS
An advisory was released indicating a possible remote denial of service
in the Zyxel Prestige 681 and 1600 SDSL routers. It's possible for
an attacker to send a particular set of malformed packets that cause
the modem to reset and become unavailable for a few minutes.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-12/0140.html
--- Cross-Platform News ------------------------------------------------
*** {01.51.003} Cross - CSVForm CGI file parameter command execution
EZScripting.com's CSVForm Perl CGI has been found to not properly
filter the file URL parameter before passing it to an open
command. This allows a remote attacker to execute arbitrary
command-line commands under the Web server's privileges.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-12/0102.html
*** {01.51.005} Cross - Vague OpenView NMM problem
HP has released patches for an OpenView Network Node Manager
vulnerability, which results in an attacker gaining elevated
privileges. Further details are lacking.
The full patch matrix for HP-UX and Solaris is listed at:
http://archives.neohapsis.com/archives/hp/2001-q4/0062.html
Source: HP
http://archives.neohapsis.com/archives/hp/2001-q4/0062.html
*** {01.51.009} Cross - /bin/login command line environment overflow
A vulnerability has been found in the SystemV-derived login application
included with AIX, HP-UX, SCO OpenServer, IRIX and Solaris.
The problem lies in the fact that an attacker can provide various
environment variable values, which could lead to a buffer overflow
and the execution of arbitrary code. Actual exploitation must be done
through an application that passes control to login, such as telnetd
or rlogind (thus, this can be remotely exploited).
AIX emergency fix located at:
ftp://aix.software.ibm.com/aix/efixes/security/tsmlogin_efix.tar.Z
Solaris patches are listed at:
http://archives.neohapsis.com/archives/bugtraq/2001-12/0147.html
SCO OpenServer updates located at:
ftp://stage.caldera.com/pub/security/openserver/CSSA-2001-SCO.40/
IRIX:
Only IRIX versions 3.x, which are unsupported, are vulnerable.
Source: CERT, SCO/Caldera, SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-12/0147.html
http://archives.neohapsis.com/archives/cc/2001-q4/0008.html
http://archives.neohapsis.com/archives/linux/caldera/2001-q4/0022.html
*** {01.51.014} Cross - Multiple ettercap buffer overflows
ettercap version 0.6.3 has been released. It fixes many
potential buffer overflows in the parsing of the various observed
packets. Because ettercap requires root privileges to execute, this may
lead to the remote execution of arbitrary code under root privileges.
The latest version can be downloaded from:
http://ettercap.sourceforge.net
Source: Vulnwatch
http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0069.html
*** {01.51.016} Cross - IBM Websphere authorization info recovery
IBM Websphere versions 3.5.x and prior have been found to contain a
vulnerability whereby an attacker can construct a JSP page that has
the capabilities to read the sas.server.props file, which contains
the server authentication credentials. Normally, this file is not
readable to anyone other than root (or whatever the Websphere's uid
is, although it is root by default).
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-12/0130.html
*** {01.51.017} Cross - Update {01.50.007}: Platform Computing LSF
multiple vulnerabilities
Platform Computing has released updated LSF packages, which fix
the vulnerability discussed in {01.50.007} ("Platform Computing LSF
multiple vulnerabilities").
Updates are available by contacting the vendor.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-12/0132.html
*** {01.51.019} Cross - klprfax_filter insecure temp file creation
The klprfax_filter application included in the kdeutils package
has been found to insecurely create the /tmp/klprfax.filter file,
which could be used to overwrite files on the system (in some cases,
klprfax_filter is suid, allowing for a wider range of exploitation).
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-12/0142.html
http://archives.neohapsis.com/archives/bugtraq/2001-12/0150.html
*** {01.51.022} Cross - Multiple PHP-Nuke (and add-ons) CSS problems
Multiple advisories/posts (six total) indicate several possible
cross-site scripting vulnerabilities within PHP-Nuke. The reported
problems are in the core of PHP-Nuke as well as in the IMessenger
and DMOZGateway add-ons. For details, please view the reference
URLs below.
None of these vulnerabilities has been confirmed.
Source: SF Vuln-Dev, SF Bugtraq
http://archives.neohapsis.com/archives/vuln-dev/2001-q4/0843.html
http://archives.neohapsis.com/archives/vuln-dev/2001-q4/0848.html
http://archives.neohapsis.com/archives/vuln-dev/2001-q4/0851.html
http://archives.neohapsis.com/archives/vuln-dev/2001-q4/0853.html
http://archives.neohapsis.com/archives/bugtraq/2001-12/0163.html
http://archives.neohapsis.com/archives/bugtraq/2001-12/0168.html
*** {01.51.027} Cross - Aktivate shopping cart CGI CSS
The Aktivate shopping cart CGI version 1.03 has been found vulnerable
to a cross-site scripting attack in various URL parameters.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-12/0194.html
*** {01.51.028} Cross - Agora shopping cart CGI CSS
The Agora shopping cart CGI version 3.3e has been found vulnerable
to a cross-site scripting attack in various URL parameters.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-12/0177.html
************************************************************************
----------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed
to you and you would like to begin receiving our security e-mail
newsletter on a weekly basis, we invite you to subscribe today.
http://www.networkcomputing.com/consensus/.
We are signing the Consensus newsletter
with PGP. The new SANS PGP key is posted at:
http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46
and can be accessed from the SANS Web site (http://www.sans.org).
Special Note: To better secure your confidential information,
we will no longer include personal URLs in our Consensus
newsletter mailings. Instead, we have created a new form
(http://www.sans.org/sansurl). On this form you can enter the SD
number located near your name at the top of the newsletter. When you
submit this form, an e-mail containing a URL will be sent to you at
the e-mail address on record. With this URL you can make changes to
your account (edit the content of your Consensus mailing, for example)
without endangering the security of your personal URL. If you'd like
to change your e-mail address or other information, or unsubscribe
to this newsletter, please visit your new URL as described above. If
you have any problems or questions, e-mail us at <consensus@nwc.com>.
Missed an issue? You can find all back issues of
Security Alert Consensus (and Security Express) online.
http://archives.neohapsis.com/
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2001 Network Computing, a CMP Media LLC
publication. All Rights Reserved. Distributed by Network
Computing (http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).