From: Network Computing and The SANS Institute (sans+ZZ53854021664284681@sans.org)
Date: Thu Dec 27 2001 - 15:07:55 CST
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 129 (01.52)
Thursday, December 27, 2001
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below
you should find information pertaining only to the categories you
requested. Information on how to manage your subscription can be found
at the bottom of the newsletter. If you have any problems or questions,
please e-mail us at <consensus@nwc.com>.
----------------------------------------------------------------------
Ask the Experts, Relaunched!
To help you gain access to the wealth of knowledge trapped within the
minds of both Network Computing editors and readers, we've relaunched
our Ask the Experts service using an open discussion forum. So, if
you've got a tough IT problem, post it here and simply await real-world,
hands-on advice. Also, if you've already climbed the mountain and
discovered a solution to a particularly sticky problem, be a hero and
post it here. Your fellow IT professionals will thank you.
http://www.nwc.com/forum/askexp
----------------------------------------------------------------------
Seasons Greetings from the Security Alert Consensus Team! We wish to
extend our sincerest wishes for a very happy holiday season to all
of you and your families.
Please note that we'll be taking a short holiday break. We will not
be publishing a newsletter on Jan. 3, 2002. Look for the next edition
of the Security Alert Consensus newsletter on Thursday, Jan. 10,
2002. Happy Holidays!
Last week, we included a quick last-minute blurb in the news section
about a critical Microsoft vulnerability in the UPnP service. It's
reported as item {01.52.005} this week. Essentially, the UPnP service
is on by default in Windows XP installations, thereby leaving all
systems open to local network attack (assuming you're fortunate enough
to have a firewall between your local network and the Internet).
Until next time,
--Security Alert Consensus Team
************************************************************************
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
TABLE OF CONTENTS:
{01.52.005} Win - MS01-059: UPnP service buffer overflow
{01.52.006} Win - MS01-060: SQL Server string function buffer overflows
{01.52.019} Win - IE improper SSL server name checking
{01.52.001} Linux - Update {01.49.016}: mailman listinfo CGI CSS
vulnerability
{01.52.002} Linux - Update {01.51.024}: glibc glob()/globfree()
vulnerability
{01.52.003} Linux - Update {01.49.009}: OpenSSH UseLogin unfiltered
environment
{01.52.004} Linux - Update {01.48.020}: libgtop_daemon syslog() format
string vulnerability
{01.52.007} Linux - Update {01.51.009}: /bin/login command line
environment overflow
{01.52.008} Linux - Update {01.34.020}: Sendmail -d parameter arbitrary
memory writing
{01.52.014} Linux - namazu CSS vulnerability
{01.52.010} NW - Sewse viewcode.jse file disclosure
{01.52.011} NApps - D-Link DWL-1000AP SNMP vulnerability
{01.52.012} Cross - pfinger client/server format string vulnerabilities
{01.52.013} Cross - Oracle PL/SQL Apache module vulnerabilities
{01.52.015} Cross - AdRotate Pro SQL injection vulnerability
{01.52.016} Cross - AdCycle SQL injection vulnerability
{01.52.017} Cross - AdStreamer URL parameter command execution
{01.52.018} Cross - perdition/vanessa_logger syslog() format string
vulnerability
{01.52.020} Cross - Exim local pipe forward/command execution
{01.52.021} Cross - Magic Software Magic Enterprise multiple
vulnerabilities
{01.52.009} Svc - CCBill possible customer authentication information
leak
--- Windows News -------------------------------------------------------
*** {01.52.005} Win - MS01-059: UPnP service buffer overflow
Microsoft has released MS01-059 ("UPnP service buffer overflow"). A
buffer overflow in the Universal Plug-and-Play service allows a remote
attacker to execute arbitrary code under local system privileges.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS01-059.asp
Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2001-q4/0059.html
*** {01.52.006} Win - MS01-060: SQL Server string function buffer
overflows
Microsoft has released MS01-060 ("SQL Server string function buffer
overflows"). MS SQL Server versions 7.0 and 2000 ship with string
processing functions that do not check the size of the buffer passed
to them. This results in a buffer overflow on the SQL server, thereby
allowing a remote attacker to execute arbitrary code in the context
of the SQL service.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS01-060.asp
Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2001-q4/0060.html
*** {01.52.019} Win - IE improper SSL server name checking
An advisory indicates a potential problem in Internet Explorer and
how it verifies/caches invalid SSL certificates. It may be possible
to trick IE into caching an invalid certificate and then to use
that certificate without the user knowing. This could result in a
man-in-the-middle attack.
This vulnerability has not been confirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0077.html
--- Linux News ---------------------------------------------------------
*** {01.52.001} Linux - Update {01.49.016}: mailman listinfo CGI CSS
vulnerability
RedHat has released updated mailman packages, which fix the
vulnerability discussed in {01.49.016} ("mailman listinfo CGI CSS
vuln").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/redhat/2001-q4/0163.html
http://archives.neohapsis.com/archives/linux/redhat/2001-q4/0164.html
Source: RedHat
http://archives.neohapsis.com/archives/linux/redhat/2001-q4/0163.html
http://archives.neohapsis.com/archives/linux/redhat/2001-q4/0164.html
*** {01.52.002} Linux - Update {01.51.024}: glibc glob()/globfree()
vulnerability
Multiple vendors have released updated glibc packages, which fix
the vulnerability discussed in {01.51.024} ("glibc glob()/globfree()
vulnerability").
Updated Trustix RPMs:
http://archives.neohapsis.com/archives/bugtraq/2001-12/0220.html
Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/bugtraq/2001-12/0230.html
Updated Immunix RPMs:
http://archives.neohapsis.com/archives/linux/immunix/2001-q4/0078.html
Updated SuSE RPMs:
http://archives.neohapsis.com/archives/linux/suse/2001-q4/1688.html
Source: Immunix, SuSE, Trustix, Mandrake (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-12/0220.html
http://archives.neohapsis.com/archives/bugtraq/2001-12/0230.html
http://archives.neohapsis.com/archives/linux/suse/2001-q4/1688.html
http://archives.neohapsis.com/archives/linux/immunix/2001-q4/0078.html
*** {01.52.003} Linux - Update {01.49.009}: OpenSSH UseLogin unfiltered
environment
Trustix has released updated openSSH packages, which fix the
vulnerability discussed in {01.49.009} ("OpenSSH UseLogin unfiltered
environment").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/bugtraq/2001-12/0221.html
Source: Trustix (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-12/0221.html
*** {01.52.004} Linux - Update {01.48.020}: libgtop_daemon syslog()
format string vulnerability
Mandrake has released updated libgtop packages, which fix the
vulnerability discussed in {01.48.020} ("libgtop_daemon syslog()
format string vulnerability").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/bugtraq/2001-12/0222.html
Source: Mandrake (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-12/0222.html
*** {01.52.007} Linux - Update {01.51.009}: /bin/login command line
environment overflow
Some unconfirmed posts indicate that certain Linux distributions are
vulnerable to the bug discussed in {01.51.009} ("/bin/login command
line environment overflow").
More specifically, some Slackware and SuSE distributions have been
reported to have SysV option handling enabled, which makes them
vulnerable.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-12/0206.html
*** {01.52.008} Linux - Update {01.34.020}: Sendmail -d parameter
arbitrary memory writing
HP has released updated sendmail packages for its HP Secure OS software
for Linux, which fix the vulnerability discussed in {01.34.020}
("Sendmail -d parameter arbitrary memory writing").
Patch HPTL_00007 is available from HP's resource center.
Source: HP
http://archives.neohapsis.com/archives/hp/2001-q4/0069.html
*** {01.52.014} Linux - namazu CSS vulnerability
RedHat has released updated namazu packages, which fix a cross-site
scripting vulnerability. No further details were made available.
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/bugtraq/2001-12/0252.html
Source: RedHat (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2001-12/0252.html
--- NetWare News -------------------------------------------------------
*** {01.52.010} NW - Sewse viewcode.jse file disclosure
Netware version 5.1 prior to version 5.1sp3 contains a vulnerability
in the viewcode.jse sample script, which would allow a remote attacker
to view the contents of arbitrary files on the system.
This vulnerability has been confirmed and is fixed in sp3.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-12/0200.html
http://archives.neohapsis.com/archives/bugtraq/2001-12/0219.html
--- Network Appliances News --------------------------------------------
*** {01.52.011} NApps - D-Link DWL-1000AP SNMP vulnerability
D-Link's DWL-1000AP wireless access point ships with a default
SNMP read-only community string ('public'). It's possible for a
remote attacker to use the read-only string to gain access to the
administrative/read-write string (which is available in the read-only
MIB). Unfortunately, the D-Link management software does not provide
a mechanism to change the read-only string, so odds are many people
will leave it as the default.
The advisory indicates vendor confirmation.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-12/0239.html
--- Cross-Platform News ------------------------------------------------
*** {01.52.012} Cross - pfinger client/server format string
vulnerabilities
The pfinger suite versions 0.7.7 and prior contain an error in the
handling of finger responses, which could result in the execution
of arbitrary code. Both the client and the server (finger daemon)
using the <sitehost> directive are vulnerable.
This vulnerability has been confirmed; version 0.7.8 has been released.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-12/0224.html
*** {01.52.013} Cross - Oracle PL/SQL Apache module vulnerabilities
The Apache PL/SQL module shipped with Oracle 9iAS has been found
to contain a buffer overflow in the handling of large requests to
particular help files in the /admin_/ directory. This could lead to
execution of arbitrary code by a remote attacker. The Windows NT/2000
version also has a directory traversal problem.
Oracle has confirmed these vulnerabilities. More information is
available at:
http://otn.oracle.com/deploy/security/pdf/modplsql.pdf
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-12/0225.html
*** {01.52.015} Cross - AdRotate Pro SQL injection vulnerability
Vanbrunt.com's AdRotate Pro CGI reportedly does not properly filter
incoming user data, which could potentially allow a remote attacker
to inject arbitrary SQL commands into SQL queries via various URL
parameters.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-12/0247.html
*** {01.52.016} Cross - AdCycle SQL injection vulnerability
Adcycle.com's Adcycle CGI reportedly does not properly filter incoming
user data, which could potentially allow a remote attacker to inject
arbitrary SQL commands into SQL queries via various URL parameters.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-12/0257.html
*** {01.52.017} Cross - AdStreamer URL parameter command execution
Sha-la-la.com's AdStreamer banner management CGIs have been found to
not properly filter incoming user data, thereby allowing a remote
attacker to execute arbitrary command line commands by using shell
metacharacters in the 'cat' URL parameter.
This vulnerability has not been confirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0081.html
*** {01.52.018} Cross - perdition/vanessa_logger syslog() format string
vulnerability
The vanessa_logger library, included with the perdition POP/IMAP proxy,
contains a format string vulnerability in which a remote attacker
can execute arbitrary code on the server.
This vulnerability has been confirmed. The latest version found on
the site contains a fix.
http://perdition.sourceforge.net/
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0082.html
*** {01.52.020} Cross - Exim local pipe forward/command execution
Exim 3.33 and prior contain a bug in the handling of e-mails that are
forwarded to a local pipe alias, which could result in a malicious
e-mail executing arbitrary commands.
The vendor has confirmed this vulnerability and released Exim 3.34.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2001-12/0198.html
*** {01.52.021} Cross - Magic Software Magic Enterprise multiple
vulnerabilities
Magic Software's Magic Enterprise Edition version 8.30 is reportedly
vulnerable to multiple denial of service attacks, temporary file
handling problems and incorrect directory/file permissions.
These vulnerabilities have not been confirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2001-q4/0074.html
--- Services News ------------------------------------------------------
*** {01.52.009} Svc - CCBill possible customer authentication
information leak
Multiple reports indicate that the CCBill customer database (which
contains information on CCBill customers/vendors, not individual
credit card users) may have been compromised and that attackers may
be using the authentication information to log in and compromise
customer systems (since CCBill maintains an SSH/telnet login to the
customer's system to update files).
This vulnerability has not been confirmed.
Source: SecurityFocus Incidents
http://archives.neohapsis.com/archives/incidents/2001-12/0208.html
************************************************************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (BSD/OS)
Comment: For info see http://www.gnupg.org
-----END PGP SIGNATURE-----
------------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed
to you and you would like to begin receiving our security e-mail
newsletter on a weekly basis, we invite you to subscribe today.
http://www.networkcomputing.com/consensus/.
We are signing the Consensus newsletter
with PGP. The new SANS PGP key is posted at:
http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46
and can be accessed from the SANS Web site (http://www.sans.org).
Special Note: To better secure your confidential information,
we will no longer include personal URLs in our Consensus
newsletter mailings. Instead, we have created a new form
(http://www.sans.org/sansurl). On this form you can enter the SD
number located near your name at the top of the newsletter. When you
submit this form, an e-mail containing a URL will be sent to you at
the e-mail address on record. With this URL you can make changes to
your account (edit the content of your Consensus mailing, for example)
without endangering the security of your personal URL. If you'd like
to change your e-mail address or other information, or unsubscribe
to this newsletter, please visit your new URL as described above. If
you have any problems or questions, e-mail us at <consensus@nwc.com>.
Missed an issue? You can find all back issues of
Security Alert Consensus (and Security Express) online.
http://archives.neohapsis.com/
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2001 Network Computing, a CMP Media LLC
publication. All Rights Reserved. Distributed by Network
Computing (http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).