From: Network Computing and The SANS Institute (sans+ZZ33532176679915134@sans.org)
Date: Thu Feb 14 2002 - 14:24:41 CST
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 006 (02.06)
Thursday, February 14, 2002
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below
you should find information pertaining only to the categories you
requested. If you have any problems or questions, please e-mail us
at <consensus@nwc.com>.
----------------------------------------------------------------------
CEO Minute: Extreme Networks: Part One
So you want to find out where switching is headed? Tune in to our latest
CEO Minute and listen to Editor in Chief Doug Barney chat with Gordon
L. Stitt, president and CEO of Extreme Networks. This week, Gordon
shares his vision for application switching.
http://www.nwc.com/go/ceomin.html
----------------------------------------------------------------------
If you haven't heard already, a large cluster of SNMP vulnerabilities
was found in many platforms, including major system and router OSs. A
security firm invented an SNMP auditing tool and then ran the tool
against tons of SNMPd implementations, many of which were vulnerable to
denial of service attacks. A few even allowed execution of arbitrary
code. More information is reported in this issue as item {02.06.011}
in the Cross-Platform category.
Four weeks ago, we mentioned what seemed to be a bunch of pending
Oracle advisories. Well, a few were released this week. Anyone running
Oracle 9iAS should take a peek at the items in the Cross-Platform
category and check for patches from Oracle.
Until next week,
--Security Alert Consensus Team
************************************************************************
TABLE OF CONTENTS:
{02.06.009} Win - Cisco Secure ACS allows disabled NDS users
{02.06.010} Win - MS02-003: Exchange 2000 enables remote registry access
{02.06.013} Win - MS02-004: Telnet option handling buffer overflow
{02.06.020} Win - MiniPortal FTP service multiple vulnerabilities
{02.06.021} Win - Update {02.05.006}: BlackIce Defender large ping
flood DoS
{02.06.022} Win - Sybex E-Trainer Web server file retrieval
{02.06.007} Linux - hanterm long parameter overflow
{02.06.008} Linux - wmtv config file symlink attack
{02.06.015} Linux - Update {02.04.003}: OpenLDAP ACL bypass on
attribute removal
{02.06.016} Linux - Update {02.01.003}: Cross - Mutt e-mail address
handling overflow
{02.06.017} Linux - Update {02.04.011}: rsync signed integers
vulnerability
{02.06.025} Linux - Astaro insecure file/directory permissions
{02.06.028} Linux - Update {02.02.043}: LPRng/groff overflow
{02.06.029} Linux - Update {02.03.025}: uuxqt --config vulnerability
{02.06.031} Linux - Astaro Linux multiple security concerns
{02.06.027} AIX - Update {01.45.019}: Overflow in dtspcd via DCE SPC
library
{02.06.030} SCO - LC_MESSAGES file format vulnerability
{02.06.014} NApps - HP AdvanceStack password change via HTTP service
{02.06.006} Other - MS02-002: Mac Office X Copy Protection DoS
{02.06.001} Cross - Texis CGI path disclosure
{02.06.002} Cross - Oracle PL/SQL library arbitrary execution
{02.06.003} Cross - Oracle mod_plsql multiple overflows
{02.06.004} Cross - Oracle JSP source disclosure
{02.06.005} Cross - Actinic CGI suite CSS vulnerabilities
{02.06.011} Cross - Multiple vendor SNMP problems
{02.06.012} Cross - Update {00.09.021}: Delegate contains numerous
buffer overflows
{02.06.018} Cross - Icewarp Web mail account hijacking
{02.06.019} Cross - Auction Deluxe CGI CSS vulnerability
{02.06.023} Cross - EasyBoard CGI content-type overflow
{02.06.024} Cross - Sawmill insecure password storage
{02.06.026} Cross - GNAT insecure temp file handling
--- Windows News -------------------------------------------------------
*** {02.06.009} Win - Cisco Secure ACS allows disabled NDS users
Cisco released an advisory indicating that Cisco Secure ACS version
3.0.1, which is configured to use Novell NDS directories, will
successfully authenticate users who are disabled or expired in the
NDS tree.
A patch is available at:
http://www.cisco.com/pcgi-bin/tablebuild.pl/cs-acs-win
(requires valid CCO account login)
Source: Cisco
http://archives.neohapsis.com/archives/cisco/2002-q1/0002.html
*** {02.06.010} Win - MS02-003: Exchange 2000 enables remote registry
access
Microsoft released MS02-003 ("Exchange 2000 enables remote registry
access"). The Exchange 2000 System Attendant incorrectly gives
'Everyone' access to the Winreg registry key, which would allow a
remote attacker to access the registry via SMB/NetBIOS. Exploitation
depends on the permissions of the various subkeys.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS02-003.asp
Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2002-q1/0023.html
*** {02.06.013} Win - MS02-004: Telnet option handling buffer overflow
Microsoft released MS02-004 ("Telnet option handling buffer
overflow"). The handling of telnet options by the Windows 2000 telnet
service, and the telnet service included with Interix version 2.2,
allows a remote attacker to execute arbitrary code. On Windows 2000,
this code is executed with local system privileges.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS02-004.asp
Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2002-q1/0024.html
*** {02.06.020} Win - MiniPortal FTP service multiple vulnerabilities
The MiniPortal FTP service by InstantServers.com prior to version 1.1.6
contains multiple vulnerabilities, including: storage of authentication
information in plain text files; access of files outside the FTP root
directory; and a buffer overflow in the handling of large FTP commands,
which can lead to execution of arbitrary code.
The vendor has confirmed the vulnerabilities and released version
1.1.6 to fix the problems.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-02/0094.html
*** {02.06.021} Win - Update {02.05.006}: BlackIce Defender large ping
flood DoS
It turns out the vulnerability discussed in {02.05.006} ("BlackIce
Defender large ping flood DoS") is more severe than originally
thought. It's a remotely exploitable buffer overflow that lets an
attacker execute arbitrary code in kernel space (which is actually
more privileged than the local system).
ISS has confirmed the vulnerability and released a patch, which is
available at:
http://www.iss.net/support/consumer/BI_downloads.php
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0044.html
*** {02.06.022} Win - Sybex E-Trainer Web server file retrieval
The E-Trainer application included with Sybex computer-based training
courses includes a Web server that serves the content to the user. This
Web server is vulnerable to '..' requests, thereby allowing a remote
attacker to retrieve arbitrary files from the user's system while
the user is using the E-Trainer application.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-02/0103.html
--- Linux News ---------------------------------------------------------
*** {02.06.007} Linux - hanterm long parameter overflow
The hanterm terminal application version 3.3 contains buffer overflows
in the handling of long URL parameters. If the hanterm binary is
setuid (which it is in TurboLinux 6.5), then it's possible for a
local attacker to execute arbitrary code with elevated privileges.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-02/0036.html
*** {02.06.008} Linux - wmtv config file symlink attack
The wmtv application insecurely writes configuration information into
a config file, which could possibly allow a local attacker to perform
a symlink attack to overwrite arbitrary files on the system.
This vulnerability has been confirmed.
Updated Debian DEBs are listed at:
http://archives.neohapsis.com/archives/vendor/2002-q1/0022.html
Source: Debian
http://archives.neohapsis.com/archives/vendor/2002-q1/0022.html
*** {02.06.015} Linux - Update {02.04.003}: OpenLDAP ACL bypass on
attribute removal
Caldera and Mandrake released updated openldap packages, which fix
the vulnerability discussed in {02.04.003} ("OpenLDAP ACL bypass on
attribute removal").
Updated Caldera RPMs:
http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0004.html
Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/bugtraq/2002-02/0114.html
Source: Caldera, Mandrake
http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0004.html
http://archives.neohapsis.com/archives/bugtraq/2002-02/0114.html
*** {02.06.016} Linux - Update {02.01.003}: Cross - Mutt e-mail address
handling overflow
Caldera released updated mutt packages, which fix the vulnerability
discussed in {02.01.003} ("Cross - Mutt e-mail address handling
overflow").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0005.html
Source: Caldera
http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0005.html
*** {02.06.017} Linux - Update {02.04.011}: rsync signed integers
vulnerability
Caldera released updated rsync packages, which fix the vulnerability
discussed in {02.04.011} ("rsync signed integers vulnerability").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0006.html
Source: Caldera
http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0006.html
*** {02.06.025} Linux - Astaro insecure file/directory permissions
Astaro Linux ships with world-writable permissions on various
configuration files and directories, which could allow a local attacker
to cause a denial of service or potentially raise privileges.
Astaro has confirmed this vulnerability and fixed the problems in
Up2Date version 2.022.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0045.html
*** {02.06.028} Linux - Update {02.02.043}: LPRng/groff overflow
Mandrake released updated groff packages, which fix the vulnerability
discussed in {02.02.043} ("LPRng/groff overflow").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/bugtraq/2002-02/0057.html
Source: Mandrake (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2002-02/0057.html
*** {02.06.029} Linux - Update {02.03.025}: uuxqt --config vulnerability
Debian released updated uucp packages, which fix the vulnerability
discussed in {02.03.025} ("uuxqt --config vulnerability").
Updated DEBs are listed at:
http://archives.neohapsis.com/archives/vendor/2002-q1/0025.html
Source: Debian
http://archives.neohapsis.com/archives/vendor/2002-q1/0025.html
*** {02.06.031} Linux - Astaro Linux multiple security concerns
A released advisory lists various security concerns with the
default configuration of Astaro Linux. The problems include: old,
known-to-be-vulnerable versions of applications; ineffective daemon
isolation; and weak password storage.
More information is available at the reference URL below.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-02/0000.html
--- AIX News -----------------------------------------------------------
*** {02.06.027} AIX - Update {01.45.019}: Overflow in dtspcd via DCE
SPC library
IBM released APAR IY25436, which fixes the vulnerability discussed
in {01.45.019} ("Overflow in dtspcd via DCE SPC library").
Source: IBM
http://archives.neohapsis.com/archives/aix/2002-q1/0002.html
--- SCO News -----------------------------------------------------------
*** {02.06.030} SCO - LC_MESSAGES file format vulnerability
SCO released an advisory indicating that it's possible for a local
attacker to use the LC_MESSAGES environment variable to specify a
trojaned .mesg file. The attacker could then use a format string
vulnerability in the parsing of the .mesg file to execute arbitrary
code, potentially with root privileges.
Caldera has confirmed this vulnerability and released fixed binaries,
which are available at:
ftp://stage.caldera.com/pub/security/unixware/CSSA-2002-SCO.3/
Source: Caldera
http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0007.html
--- Network Appliances News --------------------------------------------
*** {02.06.014} NApps - HP AdvanceStack password change via HTTP service
The HP AdvanceStack (J3210A) allows a remote attacker to change
the administrative password via the included Web management service
without needing to know the current administrative password. This
allows a remote attacker to essentially take over the switch.
This vulnerability has not been confirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0043.html
--- Other News ---------------------------------------------------------
*** {02.06.006} Other - MS02-002: Mac Office X Copy Protection DoS
Microsoft released MS02-002 ("Mac Office X Copy Protection
DoS"). Microsoft Office X for Macs contains a copy protection feature
that causes Office to abort if it detects another version on the
network with the same product ID. It's possible for an attacker
to send a packet in such a way that Office X will believe the copy
protection mechanism has been violated, and thus shut down.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS02-002.asp
Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2002-q1/0021.html
--- Cross-Platform News ------------------------------------------------
*** {02.06.001} Cross - Texis CGI path disclosure
Thunderstone's Texis CGI search application displays a full physical
path when a request for a nonexistent file is made.
The vendor has confirmed this vulnerability; a patch is available by
contacting Thunderstone tech support.
Source: SecurityFocus Vuln-Dev
http://archives.neohapsis.com/archives/vuln-dev/2002-q1/0382.html
*** {02.06.002} Cross - Oracle PL/SQL library arbitrary execution
A released advisory details the possibility of using the Oracle
version 8 or 9 listener service to load and execute any function
in any library contained on the system. It's possible for a remote
attacker to execute arbitrary commands and code on the system.
The advisory indicates vendor confirmation.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0039.html
*** {02.06.003} Cross - Oracle mod_plsql multiple overflows
The PL/SQL Apache module included with Oracle 9iAS contains multiple
buffer overflows that could allow a remote attacker to execute
arbitrary code on the target system. A long request, authentication
header, cache file name and password can cause the overflows.
The vendor has confirmed this vulnerability and released patches,
which are available via OTN at:
http://metalink.oracle.com
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0040.html
*** {02.06.004} Cross - Oracle JSP source disclosure
OracleJSP, shipped with Oracle 9iAS, leaves uncompiled JSP pages in a
remotely accessible directory, which lets a remote attacker recover the
original JSP source. Direct requests for the globals.jsa file (which
typically contains global application information) are also unhindered.
A third-party workaround is available at the reference URL below.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0041.html
*** {02.06.005} Cross - Actinic CGI suite CSS vulnerabilities
Actinic.com's Actinic CGI suite version 4.7.0 is vulnerable to various
cross-site scripting problems in the handling of URL parameters.
These vulnerabilities have not been confirmed.
Source: SecurityFocus Vuln-Dev
http://archives.neohapsis.com/archives/vuln-dev/2002-q1/0400.html
*** {02.06.011} Cross - Multiple vendor SNMP problems
CERT released a large advisory indicating that there are multiple
buffer overflows in the SNMP daemon that ships with *many* vendors. The
vulnerabilities are vendor-dependent and range from simple denial of
service attacks to remote execution of arbitrary code.
Affected vendors include, but are not limited to, Microsoft, HP,
Cisco, 3Com, CacheFlow, Computer Associates, Juniper, Lotus, Nokia,
Novell, RedHat, SGI, Sun and all ucd-snmp/net-snmp installations
prior to version 4.2.2.
For a current list of vendors and available patches/workarounds,
please see the reference URL below.
Source: CERT
http://archives.neohapsis.com/archives/cc/2002-q1/0002.html
*** {02.06.012} Cross - Update {00.09.021}: Delegate contains numerous
buffer overflows
Another advisory surfaced indicating that the vulnerabilities discussed
in {00.09.021} ("DeleGate contains numerous buffer overflows") still
have not been fixed. Essentially, all versions of DeleGate contain
buffer overflows that let a remote attacker execute arbitrary code.
The vendor has not issued any updates. We suggest you discontinue
use of DeleGate.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-02/0051.html
*** {02.06.018} Cross - Icewarp Web mail account hijacking
The Icewarp Web mail CGI suite allows an attacker to read another
user's e-mail simply by knowing the user's ID, which is embedded in
e-mail sent by the user.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-02/0091.html
*** {02.06.019} Cross - Auction Deluxe CGI CSS vulnerability
MakeBid's Auction Deluxe CGI suite version 3.30 does not properly
filter user-submitted data fields. This could allow an auction user
to embed malicious JavaScript into an auction entry, which is executed
upon viewing.
The vendor has confirmed this vulnerability; contact the vendor for
an update.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-02/0092.html
*** {02.06.023} Cross - EasyBoard CGI content-type overflow
The EasyBoard 2000 CGI suite contains a remotely exploitable buffer
overflow in the handling of the Content-Type HTTP header, which lets
an attacker execute arbitrary code.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-02/0106.html
*** {02.06.024} Cross - Sawmill insecure password storage
The Sawmill Web site management application prior to version 6.2.15
insecurely stores the administrative information in a local file,
which could allow a local attacker to change the password to an
arbitrary value.
The vendor has confirmed this vulnerability and released version
6.2.15.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-02/0108.html
*** {02.06.026} Cross - GNAT insecure temp file handling
GNAT, the GNU Ada compiler, version 3.14p insecurely creates temporary
files, which lets a local attacker perform a symlink race attack to
overwrite files on the system.
This vulnerability has not been confirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0046.html
************************************************************************
------------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed
to you and you would like to begin receiving our security e-mail
newsletter on a weekly basis, we invite you to subscribe today.
http://www.networkcomputing.com/consensus/.
We are signing the Consensus newsletter
with PGP. The new SANS PGP key is posted at:
http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46
and can be accessed from the SANS Web site (http://www.sans.org).
Special Note: To better secure your confidential information,
we will no longer include personal URLs in our Consensus
newsletter mailings. Instead, we have created a new form
(http://www.sans.org/sansurl). On this form you can enter the SD
number located near your name at the top of the newsletter. When you
submit this form, an e-mail containing a URL will be sent to you at
the e-mail address on record. With this URL you can make changes to
your account (edit the content of your Consensus mailing, for example)
without endangering the security of your personal URL. If you'd like
to change your e-mail address or other information, or unsubscribe
to this newsletter, please visit your new URL as described above. If
you have any problems or questions, e-mail us at <consensus@nwc.com>.
Missed an issue? You can find all back issues of
Security Alert Consensus (and Security Express) online.
http://archives.neohapsis.com/
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2002 Network Computing, a CMP Media LLC
publication. All Rights Reserved. Distributed by Network
Computing (http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).