From: Network Computing and The SANS Institute (sans+ZZ86318989483504379sans.org)
Date: Thu Dec 20 2001 - 16:37:27 CST


    Re: Your personalized newsletter

                         -- Security Alert Consensus --
                               Number 128 (01.51)
                          Thursday, December 20, 2001
                              Created for you by
                     Network Computing and the SANS Institute
                              Powered by Neohapsis

    ----------------------------------------------------------------------

    Welcome to the latest edition of Security Alert Consensus! Below
    you should find information pertaining only to the categories you
    requested. Information on how to manage your subscription can be found
    at the bottom of the newsletter. If you have any problems or questions,
    please e-mail us at <consensusnwc.com>.

    ----------------------------------------------------------------------

    Check out the latest edition of Network Computing's BuzzCut!
    Another Day, Another Microsoft Security Flaw
    By Richard Hoffman
    Summer turns into fall. Fall becomes winter. And someone uncovers an
    enormous security hole in a Microsoft product. Must all these events
    become equally inevitable?
    http://www.nwc.com/buzzcut/bc16dec01.html

    ----------------------------------------------------------------------

    Seasons Greetings from the Security Alert Consensus Team! We wish to
    extend our sincerest wishes for a very happy holiday season to all
    of you and your families.

    This week produced a few notable vulnerabilities. Admins of the
    various commercial Unixes (Solaris, HP-UX and so on) should look at
    the SystemV-derived login buffer overflow (reported as {01.51.009}
    under the Cross-Platform category). Linux users may want to update
    their glibc libraries to prevent possible overflows in the glob()
    function (reported as {01.51.024} in the Linux category). And, finally,
    so Windows users don't feel left out, Microsoft Corp. released an
    Internet Explorer mega-patch (reported as {01.51.010} in the Windows
    category). This patch fixes all nasty problems to date, including the
    one that automatically downloads and executes applications without
    warning the user.

    Special note: Microsoft today issued a critical recommendation
    regarding Windows, Windows XP, or ME machines that share internet
    connections with Windows 98/98SE clients. You can read more about and
    download this significant patch here:
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms01-059.asp

    Until next time,
    --Security Alert Consensus Team

    ************************************************************************

    TABLE OF CONTENTS:

    {01.51.001} Win - IIS large, content-length header DoS
    {01.51.004} Win - IKE UDP flood DoS
    {01.51.010} Win - MS01-058: Cumulative IE patch
    {01.51.018} Win - Citrix auto-launch of .ICA files
    {01.51.025} Win - EFTP directory listing vulnerability
    {01.51.026} Win - CentraOne log file info disclosure
    {01.51.002} Linux - Update {01.49.016}: mailman listinfo CGI CSS
                vulnerability
    {01.51.006} Linux - Update {01.43.018}: Tomcat update
    {01.51.007} Linux - Update {01.49.009}: OpenSSH UseLogin unfiltered
                environment
    {01.51.008} Linux - Update {01.47.012}: Postfix session log memory DoS
    {01.51.015} Linux - Mandrake 8.1 PAM lacks MD5 support
    {01.51.021} Linux - Update {01.30.021}: Multiple vendor telnetd
                option-handling overflow
    {01.51.024} Linux - glibc glob()/globfree() vulnerability
    {01.51.020} BSD - wmcube-gdk
    {01.51.011} AIX - rpc.yppasswdd buffer overflow
    {01.51.012} AIX - heap overflow in ftpd
    {01.51.013} AIX - PMTU/IP packets cause system to crash
    {01.51.023} NApps - Zyxel Prestige router DoS
    {01.51.003} Cross - CSVForm CGI file parameter command execution
    {01.51.005} Cross - Vague OpenView NMM problem
    {01.51.009} Cross - /bin/login command line environment overflow
    {01.51.014} Cross - Multiple ettercap buffer overflows
    {01.51.016} Cross - IBM Websphere authorization info recovery
    {01.51.017} Cross - Update {01.50.007}: Platform Computing LSF multiple
                vulnerabilities
    {01.51.019} Cross - klprfax_filter insecure temp file creation
    {01.51.022} Cross - Multiple PHP-Nuke (and add-ons) CSS problems
    {01.51.027} Cross - Aktivate shopping cart CGI CSS
    {01.51.028} Cross - Agora shopping cart CGI CSS

    --- Windows News -------------------------------------------------------

    *** {01.51.001} Win - IIS large, content-length header DoS

    Various people are reporting a potential denial of service found in
    IIS 5.0 (and possibly other versions), whereby a remote attacker sends
    a content-length header with an extremely large value. As a result,
    the server waits for the indicated amount of data to be sent, with
    no apparent timeouts.

    This vulnerability has not been confirmed. An exploit has been
    published.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-12/0098.html

    *** {01.51.004} Win - IKE UDP flood DoS

    Various discussions in the past week have touched on the possibility
    of a denial of service attack against the IKE IPSEC service listening
    on UDP port 500. An ongoing flood can result in abnormally high CPU
    use while the packets are processed.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-12/0108.html

    *** {01.51.010} Win - MS01-058: Cumulative IE patch

    Microsoft has released MS01-058 ("Cumulative IE patch"). This patch
    fixes all known security problems in Internet Explorer to date,
    including three new problems: the ability for a malicious Web site
    to execute arbitrary applications in IE 6; the ability to read files
    from the user's system; and a bug that could allow a Web site to
    trick the user into seeing a different file name in the download box.

    FAQ and patch:
    http://www.microsoft.com/technet/security/bulletin/MS01-058.asp

    Source: Microsoft
    http://archives.neohapsis.com/archives/vendor/2001-q4/0053.html

    *** {01.51.018} Win - Citrix auto-launch of .ICA files

    An advisory was released indicating that IE will automatically
    download and launch any .ICA file presented by a malicious Web site
    or e-mail. The .ICA file could cause a connection to a trojaned
    server, thereby allowing the server to copy files from or to the
    client's machine. Apparently, only the Windows version of the client
    is affected.

    The advisory indicates vendor confirmation. A list of workarounds is
    available at:
    http://archives.neohapsis.com/archives/bugtraq/2001-12/0133.html

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-12/0133.html

    *** {01.51.025} Win - EFTP directory listing vulnerability

    EFTP version 2.0.8.346 contains a bug that allows a remote attacker to
    gain directory listings outside the FTP root by sending a particular
    pattern of CWD commands.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-12/0134.html

    *** {01.51.026} Win - CentraOne log file info disclosure

    The CentraOne collaboration and learning application has been found
    to create world-readable logs that contain large amounts of sensitive
    user information, including user name and password.

    This vulnerability has not been confirmed.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0072.html

    --- Linux News ---------------------------------------------------------

    *** {01.51.002} Linux - Update {01.49.016}: mailman listinfo CGI CSS
                    vulnerability

    Conectiva and Debian have released updated mailman packages, which
    fix the vulnerability discussed in {01.49.016} ("mailman listinfo
    CGI CSS vuln").

    Updated Conectiva RPMs:
    http://archives.neohapsis.com/archives/linux/conectiva/2001-q4/0020.html

    Updated Debian DEBs:
    http://archives.neohapsis.com/archives/vendor/2001-q4/0057.html

    Source: Conectiva, Debian
    http://archives.neohapsis.com/archives/linux/conectiva/2001-q4/0020.html
    http://archives.neohapsis.com/archives/vendor/2001-q4/0057.html

    *** {01.51.006} Linux - Update {01.43.018}: Tomcat update

    HP has released updated tomcat packages for HP Secure OS software
    for Linux, which fix the vulnerability discussed in {01.43.018}
    ("Tomcat update").

    Instructions for obtaining the patch are available at:
    http://archives.neohapsis.com/archives/hp/2001-q4/0062.html

    Source: HP
    http://archives.neohapsis.com/archives/hp/2001-q4/0062.html

    *** {01.51.007} Linux - Update {01.49.009}: OpenSSH UseLogin unfiltered
                    environment

    Multiple vendors have released updated openSSH packages, which fix the
    vulnerability discussed in {01.50.005} ("Linux - Update {01.49.009}:
    OpenSSH UseLogin unfiltered environment").

    Updated HP Secure OS software for Linux RPMs:
    http://archives.neohapsis.com/archives/hp/2001-q4/0062.html

    Updated Mandrake RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2001-12/0141.html

    Updated Conectiva RPMs:
    http://archives.neohapsis.com/archives/linux/conectiva/2001-q4/0021.html

    Updated Caldera RPMs:
    http://archives.neohapsis.com/archives/linux/caldera/2001-q4/0023.html

    Source: HP, Mandrake, Conectiva, Caldera (SF Bugtraq)
    http://archives.neohapsis.com/archives/hp/2001-q4/0062.html
    http://archives.neohapsis.com/archives/bugtraq/2001-12/0141.html
    http://archives.neohapsis.com/archives/linux/conectiva/2001-q4/0021.html
    http://archives.neohapsis.com/archives/linux/caldera/2001-q4/0023.html

    *** {01.51.008} Linux - Update {01.47.012}: Postfix session log memory
                    DoS

    Debian has released updated postfix packages, which fix the
    vulnerability discussed in {01.47.012} ("Postfix session log memory
    DoS").

    Updated DEBs are listed at:
    http://archives.neohapsis.com/archives/vendor/2001-q4/0055.html

    Source: Debian
    http://archives.neohapsis.com/archives/vendor/2001-q4/0055.html

    *** {01.51.015} Linux - Mandrake 8.1 PAM lacks MD5 support

    Because of a bug, the PAM support of Mandrake version 8.1 does not
    use MD5 passwords by default. As a result, any accounts added after
    installation will use the weaker crypt() passwords.

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/bugtraq/2001-12/0121.html

    Source: Mandrake (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2001-12/0121.html
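
    The practical consequence of {01.51.015} is that some accounts on an
    affected host carry traditional crypt() hashes while the rest carry
    MD5 ones. The following audit is an added example, not code from the
    Mandrake advisory or from PAM: it classifies the password field of
    each /etc/shadow entry and lists the accounts that still use the
    weaker crypt() form, so they can be re-set once MD5 support is fixed.
    The shadow lines it ships with are constructed for the example.

```python
import re

# Constructed sample /etc/shadow lines for this example (not from a real host).
# Accounts created while the Mandrake 8.1 bug was present would look like
# 'bob' and 'carol': a bare 13-character crypt() hash instead of an MD5 '$1$' one.
SAMPLE_SHADOW = """\
root:$1$Qx7nF2pL$Kz9eRtYuIoPaSdFgHjKlM0:11676:0:99999:7:::
alice:$1$aB3dE5fG$hIjKlMnOpQrStUvWxYz01.:11680:0:99999:7:::
bob:AbCdEfGhIjKlM:11681:0:99999:7:::
carol:xyZ123abcDEF4:11682:0:99999:7:::
daemon:*:11676:0:99999:7:::
nobody:!!:11676:0:99999:7:::
"""

# Traditional crypt(): 2-character salt followed by 11 hash characters,
# all drawn from the 64-character alphabet [./0-9A-Za-z].
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify_hash(field):
    """Classify the password field of one shadow entry."""
    if field == "" or field[0] in "*!":
        return "locked"            # no usable password at all
    if field.startswith("$1$"):
        return "md5"               # MD5-based crypt, what PAM should have produced
    if field.startswith("$"):
        return "other-modular"     # $2a$, $5$, $6$ ...: not DES either
    if DES_CRYPT.match(field):
        return "des-crypt"         # 8-character password limit, 12-bit salt
    return "unknown"


def weak_accounts(shadow_text):
    """Return the user names whose password is stored as traditional crypt()."""
    weak = []
    for line in shadow_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        if classify_hash(fields[1]) == "des-crypt":
            weak.append(fields[0])
    return weak


def audit_shadow_file(path="/etc/shadow"):
    """Run the same check against a real shadow file (reading it needs root)."""
    with open(path) as f:
        return weak_accounts(f.read())


if __name__ == "__main__":
    for user in weak_accounts(SAMPLE_SHADOW):
        print(f"{user}: traditional crypt() hash; re-set after enabling MD5")
```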

    *** {01.51.021} Linux - Update {01.30.021}: Multiple vendor telnetd
                    option-handling overflow

    Mandrake has released updated krb5 packages, which fix the
    vulnerability discussed in {01.30.021} ("Multiple vendor telnetd
    option-handling overflow").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/bugtraq/2001-12/0187.html

    Source: Mandrake (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2001-12/0187.html

    *** {01.51.024} Linux - glibc glob()/globfree() vulnerability

    A vulnerability found in the GNU libc library's implementation of
    glob() causes any program using it to contain a potentially exploitable
    condition, which could lead to the execution of arbitrary code. The
    OpenBSD ftpd Linux port is one example of a vulnerable program.

    This vulnerability has been confirmed. RedHat has released updated
    glibc packages, which are listed at:

    http://archives.neohapsis.com/archives/linux/redhat/2001-q4/0162.html

    Updated EnGarde RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2001-12/0178.html

    Source: RedHat, EnGarde, SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-12/0175.html
    http://archives.neohapsis.com/archives/linux/redhat/2001-q4/0162.html
    http://archives.neohapsis.com/archives/bugtraq/2001-12/0178.html

    --- BSD News -----------------------------------------------------------

    *** {01.51.020} BSD - wmcube-gdk

    wmcube-gdk has been found vulnerable to multiple buffer overflows,
    which could allow a local attacker to execute arbitrary code with
    elevated privileges.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-12/0193.html

    --- AIX News -----------------------------------------------------------

    *** {01.51.011} AIX - rpc.yppasswdd buffer overflow

    IBM has released APAR IY21609, which fixes buffer overflows in the
    rpc.yppasswdd daemon. Although the company indicates the possibility
    of remote exploitation, it does not provide any further details.

    Source: IBM
    http://archives.neohapsis.com/archives/aix/2001-q4/0009.html

    *** {01.51.012} AIX - heap overflow in ftpd

    IBM has released APAR IY23674. It indicates a possible heap buffer
    overflow in the FTP daemon. This vulnerability is not related to the
    recent wu-ftpd incomplete file glob heap overflow, because IBM does
    not use the wu-ftpd codebase.

    Source: IBM
    http://archives.neohapsis.com/archives/aix/2001-q4/0009.html

    *** {01.51.013} AIX - PMTU/IP packets cause system to crash

    IBM has released APAR IY25096. It indicates the possibility of certain
    IP packets -- specifically, those that have to do with PMTU discovery
    -- may cause the system to hang. This could lead to a remote denial
    of service situation.

    Source: IBM
    http://archives.neohapsis.com/archives/aix/2001-q4/0009.html

    --- Network Appliances News --------------------------------------------

    *** {01.51.023} NApps - Zyxel Prestige router DoS

    An advisory was released indicating a possible remote denial of service
    in the Zyxel Prestige 681 and 1600 SDSL routers. It's possible for
    an attacker to send a particular set of malformed packets that cause
    the modem to reset and become unavailable for a few minutes.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-12/0140.html

    --- Cross-Platform News ------------------------------------------------

    *** {01.51.003} Cross - CSVForm CGI file parameter command execution

    EZScripting.com's CSVForm Perl CGI has been found not to properly
    filter the file URL parameter before passing it to an open()
    call. This allows a remote attacker to execute arbitrary
    command-line commands under the Web server's privileges.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-12/0102.html

    *** {01.51.005} Cross - Vague OpenView NMM problem

    HP has released patches for an OpenView Network Node Manager
    vulnerability, which results in an attacker gaining elevated
    privileges. Further details are lacking.

    The full patch matrix for HP-UX and Solaris is listed at:
    http://archives.neohapsis.com/archives/hp/2001-q4/0062.html

    Source: HP
    http://archives.neohapsis.com/archives/hp/2001-q4/0062.html

    *** {01.51.009} Cross - /bin/login command line environment overflow

    A vulnerability has been found in the SystemV-derived login application
    included with AIX, HP-UX, SCO OpenServer, IRIX and Solaris.

    The problem lies in the fact that an attacker can provide various
    environment variable values, which could lead to a buffer overflow
    and the execution of arbitrary code. Actual exploitation must be done
    through an application that passes control to login, such as telnetd
    or rlogind (thus, this can be remotely exploited).

    AIX emergency fix located at:
    ftp://aix.software.ibm.com/aix/efixes/security/tsmlogin_efix.tar.Z

    Solaris patches are listed at:
    http://archives.neohapsis.com/archives/bugtraq/2001-12/0147.html

    SCO OpenServer updates located at:
    ftp://stage.caldera.com/pub/security/openserver/CSSA-2001-SCO.40/

    IRIX:
    Only IRIX versions 3.x, which are unsupported, are vulnerable.

    Source: CERT, SCO/Caldera, SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-12/0147.html
    http://archives.neohapsis.com/archives/cc/2001-q4/0008.html
    http://archives.neohapsis.com/archives/linux/caldera/2001-q4/0022.html

    *** {01.51.014} Cross - Multiple ettercap buffer overflows

    ettercap version 0.6.3 has been released. It fixes many
    potential buffer overflows in the parsing of the various observed
    packets. Because ettercap requires root privileges to execute, this may
    lead to the remote execution of arbitrary code under root privileges.

    The latest version can be downloaded from:
    http://ettercap.sourceforge.net

    Source: Vulnwatch
    http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0069.html

    *** {01.51.016} Cross - IBM Websphere authorization info recovery

    IBM Websphere versions 3.5.x and prior have been found to contain a
    vulnerability whereby an attacker can construct a JSP page that is
    able to read the sas.server.props file, which contains the server
    authentication credentials. Normally, this file is not readable by
    anyone other than root (or whatever uid Websphere runs as, which is
    root by default).

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-12/0130.html

    *** {01.51.017} Cross - Update {01.50.007}: Platform Computing LSF
                    multiple vulnerabilities

    Platform Computing has released updated LSF packages, which fix
    the vulnerability discussed in {01.50.007} ("Platform Computing LSF
    multiple vulnerabilities").

    Updates are available by contacting the vendor.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-12/0132.html

    *** {01.51.019} Cross - klprfax_filter insecure temp file creation

    The klprfax_filter application included in the kdeutils package
    has been found to insecurely create the /tmp/klprfax.filter file,
    which could be used to overwrite files on the system (in some cases,
    klprfax_filter is suid, allowing for a wider range of exploitation).

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-12/0142.html
    http://archives.neohapsis.com/archives/bugtraq/2001-12/0150.html
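
    The class of bug in {01.51.019} is a fixed, predictable name under
    /tmp opened for writing, which follows whatever link another local
    user has left there. The following is an added example, not the
    klprfax_filter code itself or anything from kdeutils: it shows that
    pattern beside two hardened forms (mkstemp, and O_CREAT|O_EXCL for a
    name that must stay fixed) and exercises both in a private directory
    with a constructed symlink, so nothing outside that directory is touched.

```python
import os
import stat
import tempfile

# Added example; not the klprfax_filter code. The file name is the one the
# advisory names, used here only inside a private temporary directory.
FIXED_NAME = "klprfax.filter"


def unsafe_open_filter(directory):
    """The vulnerable pattern: fixed, predictable name, opened with truncate.
    If a symlink has been left at that name, the write goes through the
    link and clobbers whatever it points at."""
    return open(os.path.join(directory, FIXED_NAME), "w")


def safe_open_filter(directory):
    """Hardened: the kernel picks a unique name and creates it with
    O_CREAT|O_EXCL and mode 0600, so a pre-placed entry makes the call
    fail instead of being followed. Returns (file object, path)."""
    fd, path = tempfile.mkstemp(prefix="klprfax.", dir=directory)
    return os.fdopen(fd, "w"), path


def safe_open_fixed_name(directory):
    """If the name must stay fixed, refuse anything already there: O_EXCL
    fails with EEXIST on any existing entry (symlink included), and
    O_NOFOLLOW, where the platform has it, refuses a link at the final
    path component."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(os.path.join(directory, FIXED_NAME), flags, 0o600)
    return os.fdopen(fd, "w")


def demo_symlink_clobber():
    """Constructed scenario: a 'victim' file and a symlink planted under the
    predictable name inside a private temp dir. Returns
    (victim_clobbered_by_unsafe, fixed_name_open_refused, mkstemp_mode_is_0600)."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim")
        with open(victim, "w") as f:
            f.write("original\n")
        os.symlink(victim, os.path.join(d, FIXED_NAME))

        # The unsafe open follows the planted link and overwrites the victim.
        with unsafe_open_filter(d) as f:
            f.write("clobbered\n")
        with open(victim) as f:
            clobbered = f.read() == "clobbered\n"

        # The exclusive create sees the existing entry and refuses.
        try:
            safe_open_fixed_name(d).close()
            refused = False
        except FileExistsError:
            refused = True

        # mkstemp never reuses an existing name and creates with mode 0600.
        fh, path = safe_open_filter(d)
        fh.close()
        mode_ok = stat.S_IMODE(os.stat(path).st_mode) == 0o600
    return clobbered, refused, mode_ok


if __name__ == "__main__":
    print(demo_symlink_clobber())
```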

    *** {01.51.022} Cross - Multiple PHP-Nuke (and add-ons) CSS problems

    Multiple advisories/posts (six total) indicate several possible
    cross-site scripting vulnerabilities within PHP-Nuke. The reported
    problems are in the core of PHP-Nuke as well as in the IMessenger
    and DMOZGateway add-ons. For details, please view the reference
    URLs below.

    None of these vulnerabilities has been confirmed.

    Source: SF Vuln-Dev, SF Bugtraq
    http://archives.neohapsis.com/archives/vuln-dev/2001-q4/0843.html
    http://archives.neohapsis.com/archives/vuln-dev/2001-q4/0848.html
    http://archives.neohapsis.com/archives/vuln-dev/2001-q4/0851.html
    http://archives.neohapsis.com/archives/vuln-dev/2001-q4/0853.html
    http://archives.neohapsis.com/archives/bugtraq/2001-12/0163.html
    http://archives.neohapsis.com/archives/bugtraq/2001-12/0168.html

    *** {01.51.027} Cross - Aktivate shopping cart CGI CSS

    The Aktivate shopping cart CGI version 1.03 has been found vulnerable
    to a cross-site scripting attack in various URL parameters.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-12/0194.html

    *** {01.51.028} Cross - Agora shopping cart CGI CSS

    The Agora shopping cart CGI version 3.3e has been found vulnerable
    to a cross-site scripting attack in various URL parameters.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2001-12/0177.html

    ************************************************************************

    ----------------------------------------------------------------------

    Become a Security Alert Consensus member! If this e-mail was passed
    to you and you would like to begin receiving our security e-mail
    newsletter on a weekly basis, we invite you to subscribe today.
    http://www.networkcomputing.com/consensus/.

    We are signing the Consensus newsletter
    with PGP. The new SANS PGP key is posted at:
    http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46
    and can be accessed from the SANS Web site (http://www.sans.org).

    Special Note: To better secure your confidential information,
    we will no longer include personal URLs in our Consensus
    newsletter mailings. Instead, we have created a new form
    (http://www.sans.org/sansurl). On this form you can enter the SD
    number located near your name at the top of the newsletter. When you
    submit this form, an e-mail containing a URL will be sent to you at
    the e-mail address on record. With this URL you can make changes to
    your account (edit the content of your Consensus mailing, for example)
    without endangering the security of your personal URL. If you'd like
    to change your e-mail address or other information, or unsubscribe
    to this newsletter, please visit your new URL as described above. If
    you have any problems or questions, e-mail us at <consensusnwc.com>.

    Missed an issue? You can find all back issues of
    Security Alert Consensus (and Security Express) online.
    http://archives.neohapsis.com/

    Your opinion counts. We'd like to hear your thoughts on Security Alert
    Consensus. E-mail any questions or comments to <consensusnwc.com>.

    Copyright (c) 2001 Network Computing, a CMP Media LLC
    publication. All Rights Reserved. Distributed by Network
    Computing (http://www.networkcomputing.com) and The SANS Institute
    (http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
    security assessment and integration services consulting group
    (infoneohapsis.com | http://www.neohapsis.com/).