From: Network Computing and The SANS Institute (sans+ZZ86802191818864530@sans.org)
Date: Thu Jan 31 2002 - 14:39:05 CST
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 004 (02.04)
Thursday, January 31, 2002
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below
you should find information pertaining only to the categories you
requested. Information on how to manage your subscription can be found
at the bottom of the newsletter. If you have any problems or questions,
please e-mail us at <consensus@nwc.com>.
----------------------------------------------------------------------
Five-Minute Workout: Deploying a Remote Access VPN
To select the best and most secure remote-access server for the money,
look no further than our multimedia how-to. Senior Technology Editor
Mike Fratto and Online Editor in Chief Bradley F. Shimmin talk you
through the tough questions to ask before you purchase a VPN server and
offer advice on deploying the one you choose.
http://www.nwc.com/out/fivemin/fmw14jan02.html
----------------------------------------------------------------------
Yet another worm is crawling its way across the Internet. The
W32/MyParty worm spreads only via e-mail, and it relies on the user
running the attachment in order to execute. The attachment name typically
looks like a Web address, such as myparty.photos.yahoo.com. In reality,
.com is an executable extension on Windows, so the file runs as a
program when it is opened. As always, update your virus scan signatures.
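A defender's check for the lure described above, as an added example that is not code from the newsletter: it parses a message, pulls each attachment's filename, and flags names that read like a Web address but end in an extension Windows will execute. The extension list and the sample message are constructed for the demonstration.

```python
"""Attachment-name check for the W32/MyParty lure described above.

Added example, not code from the newsletter. The executable-extension list
and the sample message are constructed for the demonstration.
"""
import email
from email import policy
from email.message import EmailMessage

# Extensions Windows will execute directly when the file is opened.
# ".com" is the one MyParty abuses: it reads as a Web address to the user.
EXECUTABLE_EXTENSIONS = {".com", ".exe", ".scr", ".pif", ".bat", ".cmd", ".vbs"}
# Trailing labels that make a filename read like a hostname (constructed list).
HOSTNAME_LIKE_TLDS = {".com", ".net", ".org"}


def classify_attachment_name(name: str) -> dict:
    """Describe one attachment filename: its extension, whether Windows would
    run it, and whether it is dressed up to look like a URL."""
    lowered = name.strip().lower()
    labels = lowered.split(".")
    ext = "." + labels[-1] if len(labels) > 1 else ""
    # Three or more non-empty dot-separated labels ending in a TLD-like suffix
    # (e.g. myparty.photos.yahoo.com) is what a user reads as a Web address.
    looks_like_url = len(labels) >= 3 and all(labels) and ext in HOSTNAME_LIKE_TLDS
    executable = ext in EXECUTABLE_EXTENSIONS
    return {
        "name": name,
        "extension": ext,
        "executable": executable,
        "looks_like_url": looks_like_url,
        # Both at once is the MyParty trick; a gateway should quarantine these.
        "url_disguised_executable": looks_like_url and executable,
    }


def scan_message(raw: bytes) -> list:
    """Parse an RFC 822 message and classify every attachment filename."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    verdicts = []
    for part in msg.iter_attachments():
        filename = part.get_filename()
        if filename:
            verdicts.append(classify_attachment_name(filename))
    return verdicts


def build_sample_message() -> bytes:
    """Constructed sample resembling the MyParty lure; the payload is inert bytes."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "new photos from my party!"
    msg.set_content("Hi! Check out the photos from the party, attached.")
    msg.add_attachment(b"inert constructed bytes, not a program",
                       maintype="application", subtype="octet-stream",
                       filename="myparty.photos.yahoo.com")
    msg.add_attachment("just some notes", filename="notes.txt")
    return bytes(msg)


if __name__ == "__main__":
    for verdict in scan_message(build_sample_message()):
        print(verdict)
```

Note that a genuine hostname-style name such as www.example.com is flagged too: a mail gateway cannot tell the two apart by name alone, so the safe policy is to treat every .com attachment as a program.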
Until next week,
--Security Alert Consensus Team
************************************************************************
TABLE OF CONTENTS:
{02.04.016} Win - Plumtree Corporate Portal error.asp CSS
{02.04.021} Win - Intel WLAN driver stores plain text WEP key
{02.04.023} Win - Hosting Controller multiple vulnerabilities
{02.04.025} Win - Site Server multiple vulnerabilities/concerns
{02.04.027} Win - NetInventory/NetRC hostcfg.ini recovery
{02.04.029} Win - Real Player malformed header overflow
{02.04.001} Linux - Update {02.03.003}: at invalid time heap overflow
{02.04.002} Linux - jmcce insecure temp file handling
{02.04.004} Linux - Update {02.02.009}: CIPE short packet DoS
{02.04.005} Linux - Update {01.49.009}: OpenSSH UseLogin unfiltered
environment
{02.04.007} Linux - Update {01.39.015}: Squid FTP mkdir PUT DoS
{02.04.009} Linux - Update {01.36.007}: Multiple xinetd vulnerabilities
{02.04.018} Linux - Update {02.03.007}: enscript insecure temp file
handling
{02.04.030} Linux - UML kernel memory access
{02.04.017} HPUX - Update {01.15.006}: IPFilter fragmented packet
bypass vulnerability
{02.04.019} SGI - O2 /dev/mvp improper permissions
{02.04.022} SGI - xkas icon file symlink exposure
{02.04.008} SCO - Update {01.49.021}: setcontext full memory access
{02.04.028} SCO - Update {01.05.025}: sort insecure temp file handling
{02.04.020} NApps - Cisco CatOS telnet option DoS
{02.04.010} Other - Update {01.42.001}: Various shells create insecure
tmp files for << processing
{02.04.003} Cross - OpenLDAP ACL bypass on attribute removal
{02.04.006} Cross - Update {01.48.028}: wu-ftpd unclosed glob heap
overflow
{02.04.011} Cross - rsync signed integers vulnerability
{02.04.012} Cross - Xoops PHP scripts multiple vulnerabilities
{02.04.014} Cross - SquirrelMail PHP suite multiple vulnerabilities
{02.04.015} Cross - PaintBBS configuration file retrieval
{02.04.024} Cross - sastcpd argument overflow/format string
vulnerability
{02.04.026} Cross - W3perl malicious headers execute CGI code
{02.04.013} Tools - Apache 1.3.23 available
--- Windows News -------------------------------------------------------
*** {02.04.016} Win - Plumtree Corporate Portal error.asp CSS
The Plumtree Corporate Portal versions 3.5 through 4.5 contain a
cross-site scripting vulnerability in the handling of parameters
passed to the error.asp page.
The vendor has confirmed this vulnerability and released a KB article
on how to fix the problem. The article is available through:
http://www.plumtree.com/company/technical_support.htm
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-01/0300.html
*** {02.04.021} Win - Intel WLAN driver stores plain text WEP key
The drivers shipped with Intel's WLAN wireless 802.11b adapter
reportedly store the WEP key in plain text in the registry. It's
possible that an attacker with access to the system can recover
the key.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-01/0330.html
*** {02.04.023} Win - Hosting Controller multiple vulnerabilities
Hosting Controller version 1.4.1 has been found to contain multiple
vulnerabilities: the user login page acts as an oracle, allowing a
remote attacker to brute-force a valid user name/password combination;
arbitrary directory browsing via the filepath parameter; and creation
of new hosts without having to log in.
The advisory indicates vendor confirmation.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-01/0039.html
http://archives.neohapsis.com/archives/bugtraq/2002-01/0339.html
*** {02.04.025} Win - Site Server multiple vulnerabilities/concerns
An advisory was released indicating various problems in multiple
versions of Site Server 3.0. The problems include: a default password
on the LDAP_Anonymous account; information exposure via sample and
administrative ASP pages; and the capability of an attacker to upload
and execute ASP pages.
Installing Site Server 3.0 SP4, as well as limiting access to the
mentioned vulnerable scripts, will curtail exploitation.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0033.html
*** {02.04.027} Win - NetInventory/NetRC hostcfg.ini recovery
Bindview's NetInventory and NetRC applications have been found to
re-create hostcfg.ini, which contains authentication information
usable to access other systems, if the normally restricted hostcfg._ni
file is deleted.
The vendor has confirmed this vulnerability.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-01/0311.html
*** {02.04.029} Win - Real Player malformed header overflow
The Real Player client version 8 has been confirmed to contain a
buffer overflow in the handling of particular malformed headers
contained in a RealMedia stream. This vulnerability could allow a
malicious server to execute arbitrary code on the client's system.
An update to Real Player is available, and it fixes this problem.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-01/0318.html
http://archives.neohapsis.com/archives/bugtraq/2002-01/0322.html
--- Linux News ---------------------------------------------------------
*** {02.04.001} Linux - Update {02.03.003}: at invalid time heap
overflow
RedHat has released updated at packages, which fix the vulnerability
discussed in {02.03.003} ("at invalid time heap overflow").
Updated RedHat RPMs:
http://archives.neohapsis.com/archives/linux/redhat/2002-q1/0037.html
Source: RedHat
http://archives.neohapsis.com/archives/linux/redhat/2002-q1/0037.html
*** {02.04.002} Linux - jmcce insecure temp file handling
Mandrake has released an advisory indicating that the jmcce application
insecurely creates log files in the /tmp/ directory, thereby allowing
a local attacker to perform a symlink attack and overwrite arbitrary
files on the system (since jmcce is setuid root).
Updated Mandrake RPMs are listed at:
http://archives.neohapsis.com/archives/bugtraq/2002-01/0287.html
Source: Mandrake (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2002-01/0287.html
*** {02.04.004} Linux - Update {02.02.009}: CIPE short packet DoS
RedHat has released updated kernel packages, which fix the
vulnerability discussed in {02.02.009} ("CIPE short packet DoS").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/redhat/2002-q1/0041.html
Source: RedHat
http://archives.neohapsis.com/archives/linux/redhat/2002-q1/0041.html
*** {02.04.005} Linux - Update {01.49.009}: OpenSSH UseLogin unfiltered
environment
TurboLinux has released updated openSSH packages, which fix the
vulnerability discussed in {01.49.009} ("OpenSSH UseLogin unfiltered
environment").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/turbolinux/2002-q1/0000.html
Source: TurboLinux
http://archives.neohapsis.com/archives/linux/turbolinux/2002-q1/0000.html
*** {02.04.007} Linux - Update {01.39.015}: Squid FTP mkdir PUT DoS
TurboLinux has released updated squid packages, which fix the
vulnerability discussed in {01.39.015} ("Squid FTP mkdir PUT DoS").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/turbolinux/2002-q1/0002.html
Source: TurboLinux
http://archives.neohapsis.com/archives/linux/turbolinux/2002-q1/0002.html
*** {02.04.009} Linux - Update {01.36.007}: Multiple xinetd
vulnerabilities
TurboLinux has released updated xinetd packages, which fix
the vulnerabilities discussed in {01.36.007} ("Multiple xinetd
vulnerabilities").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/turbolinux/2002-q1/0003.html
Source: TurboLinux
http://archives.neohapsis.com/archives/linux/turbolinux/2002-q1/0003.html
*** {02.04.018} Linux - Update {02.03.007}: enscript insecure temp file
handling
Mandrake has released updated enscript packages, which fix the
vulnerability discussed in {02.03.007} ("enscript insecure temp
file handling").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/bugtraq/2002-01/0344.html
Source: Mandrake (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2002-01/0344.html
*** {02.04.030} Linux - UML kernel memory access
User-Mode-Linux version 2.4.17-8 has been found to allow normal users
within a UML Linux environment to alter system calls and access kernel
memory, thereby allowing them to gain root access both inside and
outside the UML environment.
The author has confirmed this vulnerability and released version
2.4.17-9.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-01/0338.html
--- HP-UX News ---------------------------------------------------------
*** {02.04.017} HPUX - Update {01.15.006}: IPFilter fragmented packet
bypass vulnerability
HP has released updated ipfilter packages for HPUX 11.x, which fix
the vulnerability discussed in {01.15.006} ("IPFilter fragmented
packet bypass vulnerability").
HP IPFilter/9000 version A.03.05.02 is available at:
http://www.software.hp.com
Source: HP
http://archives.neohapsis.com/archives/hp/2002-q1/0028.html
--- SGI News -----------------------------------------------------------
*** {02.04.019} SGI - O2 /dev/mvp improper permissions
The /dev/mvp device found on SGI O2 IRIX systems has been found to
allow a local attacker to view another user's X session under certain
configurations.
SGI has released a workaround, which is explained at:
http://archives.neohapsis.com/archives/vendor/2002-q1/0016.html
Source: SGI
http://archives.neohapsis.com/archives/vendor/2002-q1/0016.html
*** {02.04.022} SGI - xkas icon file symlink exposure
A report has surfaced detailing a bug in the xkas IRIX application. The
default permissions on /var/adm/appletalk/icons are set such that a
local attacker can create a symlink to a file that xkas will then copy
and make world-readable, thus allowing the attacker to read arbitrary
files on the system.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-01/0329.html
--- SCO News -----------------------------------------------------------
*** {02.04.008} SCO - Update {01.49.021}: setcontext full memory access
SCO has rereleased updated setcontext packages, which fix the
vulnerability discussed in {01.49.021} ("setcontext full memory
access"). The original updates were flawed.
Updates are available at:
ftp://stage.caldera.com/pub/security/openserver/CSSA-2001-SCO.35.2/
Source: SCO/Caldera
http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0001.html
*** {02.04.028} SCO - Update {01.05.025}: sort insecure temp file
handling
Caldera/SCO has released updated sort packages, which fix the
vulnerability discussed in {01.05.025} ("sort insecure temp file
handling").
Updated binaries are available at:
ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.2/
Source: Caldera/SCO
http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0002.html
--- Network Appliances News --------------------------------------------
*** {02.04.020} NApps - Cisco CatOS telnet option DoS
Cisco has released an advisory indicating a buffer overflow in the
handling of telnet options by certain versions of CatOS used on Cisco
Catalyst switches. A remote attacker can trigger the overflow and
cause the switch to reboot.
Cisco has confirmed this vulnerability. A patch matrix is available at:
http://archives.neohapsis.com/archives/bugtraq/2002-01/0346.html
Source: Cisco
http://archives.neohapsis.com/archives/bugtraq/2002-01/0346.html
--- Other News ---------------------------------------------------------
*** {02.04.010} Other - Update {01.42.001}: Various shells create
insecure tmp files for << processing
Both Compaq and SGI have released updated shell packages, which fix
the vulnerability discussed in {01.42.001} ("Various shells create
insecure tmp files for << processing").
A full list of Tru64 patches is available at:
http://archives.neohapsis.com/archives/tru64/2002-q1/0009.html
An IRIX patch matrix is available at:
http://archives.neohapsis.com/archives/vendor/2002-q1/0017.html
Source: Compaq, SGI
http://archives.neohapsis.com/archives/tru64/2002-q1/0009.html
http://archives.neohapsis.com/archives/vendor/2002-q1/0017.html
--- Cross-Platform News ------------------------------------------------
*** {02.04.003} Cross - OpenLDAP ACL bypass on attribute removal
OpenLDAP versions 2.0.0 through 2.0.19 have been found not to properly
check configured ACLs when a user attempts to remove nonmandatory
attributes from objects. This allows a user to remove attributes
(those not required by the schema) that they otherwise would not be
permitted to remove from objects.
This vulnerability has been confirmed. Version 2.0.21 is available at:
http://www.openldap.org/software/download/
Updated RedHat RPMs:
http://archives.neohapsis.com/archives/linux/redhat/2002-q1/0038.html
Updated Conectiva RPMs:
http://archives.neohapsis.com/archives/linux/conectiva/2002-q1/0012.html
Source: RedHat, Conectiva
http://archives.neohapsis.com/archives/linux/redhat/2002-q1/0038.html
http://archives.neohapsis.com/archives/linux/conectiva/2002-q1/0012.html
*** {02.04.006} Cross - Update {01.48.028}: wu-ftpd unclosed glob heap
overflow
TurboLinux and HP have released updated wuftpd packages, which fix
the vulnerability discussed in {01.48.028} ("wu-ftpd unclosed glob
heap overflow").
Updated TurboLinux RPMs are listed at:
http://archives.neohapsis.com/archives/linux/turbolinux/2002-q1/0001.html
Updated HPUX 11.x patches are listed at:
http://archives.neohapsis.com/archives/hp/2002-q1/0025.html
Source: TurboLinux, HP
http://archives.neohapsis.com/archives/linux/turbolinux/2002-q1/0001.html
http://archives.neohapsis.com/archives/hp/2002-q1/0025.html
*** {02.04.011} Cross - rsync signed integers vulnerability
Rsync versions prior to 2.5.2 contain a bug in the handling of signed
integers that could allow a remote attacker to overwrite certain
memory locations with a 0 value and possibly lead to the execution of
arbitrary code.
Version 2.5.2 fixes the bugs and is available at:
http://rsync.samba.org/
Updated RedHat RPMs:
http://archives.neohapsis.com/archives/bugtraq/2002-01/0324.html
Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/bugtraq/2002-01/0341.html
Updated Debian DEBs:
http://archives.neohapsis.com/archives/vendor/2002-q1/0015.html
Updated SuSE RPMs:
http://archives.neohapsis.com/archives/linux/suse/2002-q1/0596.html
Updated Conectiva RPMs:
http://archives.neohapsis.com/archives/linux/conectiva/2002-q1/0011.html
Updated EnGarde RPMs:
http://archives.neohapsis.com/archives/linux/engarde/2002-q1/0008.html
Updated Trustix RPMs:
http://archives.neohapsis.com/archives/bugtraq/2002-01/0328.html
Source: RedHat, Mandrake, Debian, SuSE, Conectiva, EnGarde, Trustix
(SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2002-01/0324.html
http://archives.neohapsis.com/archives/bugtraq/2002-01/0341.html
http://archives.neohapsis.com/archives/vendor/2002-q1/0015.html
http://archives.neohapsis.com/archives/linux/suse/2002-q1/0596.html
http://archives.neohapsis.com/archives/linux/conectiva/2002-q1/0011.html
http://archives.neohapsis.com/archives/linux/engarde/2002-q1/0008.html
http://archives.neohapsis.com/archives/bugtraq/2002-01/0328.html
*** {02.04.012} Cross - Xoops PHP scripts multiple vulnerabilities
The Xoops PHP script portal suite has been found to contain two
general vulnerabilities: cross-site scripting in the various fields
of the private messaging feature; and SQL injection via the uid
parameter on the userinfo.php page.
These vulnerabilities have not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-01/0347.html
http://archives.neohapsis.com/archives/bugtraq/2002-01/0348.html
http://archives.neohapsis.com/archives/bugtraq/2002-01/0351.html
*** {02.04.014} Cross - SquirrelMail PHP suite multiple vulnerabilities
SquirrelMail PHP Web mail suite prior to version 1.2.3 has been found
to contain bugs in the handling of JavaScript embedded in HTML tags
within Web mail. An attacker can construct an e-mail that executes
arbitrary JavaScript when the user views it. SquirrelMail also passes
unfiltered user data to an exec() call, thereby allowing an attacker
to execute arbitrary shell commands.
This vulnerability has been confirmed and corrected in SquirrelMail
version 1.2.3.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-01/0310.html
http://archives.neohapsis.com/archives/bugtraq/2002-01/0296.html
*** {02.04.015} Cross - PaintBBS configuration file retrieval
PaintBBS CGI suite version 1.2 reportedly keeps the configuration
file in a Web-accessible location, thereby allowing a remote attacker
to download the configuration and gain access to the administrative
password hash, which then can be run through a normal Unix password
cracker.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-01/0292.html
*** {02.04.024} Cross - sastcpd argument overflow/format string
vulnerability
An advisory was released indicating that the sastcpd component
included with SAS prior to version 8.2 contains a buffer overflow
in the handling of large command line arguments. This could allow a
local attacker to execute arbitrary code with root privileges.
The vendor has confirmed this vulnerability and indicated that version
8.2 fixes the problem. More information is available at:
http://www.sas.com/service/techsup/unotes/SN/004/004201.html
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0032.html
*** {02.04.026} Cross - W3perl malicious headers execute CGI code
The w3perl HTTP Web log processor version 2.85 has been found to
generate viewable report pages that can contain malicious CGI code
snippets injected via malformed HTTP headers in the logged requests.
The vendor has confirmed this vulnerability and released version 2.86,
which is available at:
http://www.w3perl.com/download/
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0026.html
--- Tool Announcements News --------------------------------------------
*** {02.04.013} Tools - Apache 1.3.23 available
Apache version 1.3.23 is available. The new version contains many bug
fixes and enhancements to the mod_proxy module. None of the fixes is
security related.
As always, Apache is available at:
http://httpd.apache.org/
Source: Apache
http://archives.neohapsis.com/archives/apache/2002/0000.html
************************************************************************
------------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed
to you and you would like to begin receiving our security e-mail
newsletter on a weekly basis, we invite you to subscribe today.
http://www.networkcomputing.com/consensus/.
We are signing the Consensus newsletter
with PGP. The new SANS PGP key is posted at:
http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46
and can be accessed from the SANS Web site (http://www.sans.org).
Special Note: To better secure your confidential information,
we will no longer include personal URLs in our Consensus
newsletter mailings. Instead, we have created a new form
(http://www.sans.org/sansurl). On this form you can enter the SD
number located near your name at the top of the newsletter. When you
submit this form, an e-mail containing a URL will be sent to you at
the e-mail address on record. With this URL you can make changes to
your account (edit the content of your Consensus mailing, for example)
without endangering the security of your personal URL. If you'd like
to change your e-mail address or other information, or unsubscribe
from this newsletter, please visit your new URL as described above. If
you have any problems or questions, e-mail us at <consensus@nwc.com>.
Missed an issue? You can find all back issues of
Security Alert Consensus (and Security Express) online.
http://archives.neohapsis.com/
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2002 Network Computing, a CMP Media LLC
publication. All Rights Reserved. Distributed by Network
Computing (http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).