From: Network Computing and The SANS Institute (sans+ZZ33532176679915134sans.org)
Date: Thu Feb 14 2002 - 14:24:41 CST

    Re: Your personalized newsletter

                       -- Security Alert Consensus --
                              Number 006 (02.06)
                        Thursday, February 14, 2002
                              Created for you by
                   Network Computing and the SANS Institute
                              Powered by Neohapsis

    ----------------------------------------------------------------------

    Welcome to the latest edition of Security Alert Consensus! Below
    you should find information pertaining only to the categories you
    requested. If you have any problems or questions, please e-mail us
    at <consensus@nwc.com>.

    ----------------------------------------------------------------------

    CEO Minute: Extreme Networks: Part One
    So you want to find out where switching is headed? Tune in to our latest
    CEO Minute and listen to Editor in Chief Doug Barney chat with Gordon
    L. Stitt, president and CEO of Extreme Networks. This week, Gordon
    shares his vision for application switching.
    http://www.nwc.com/go/ceomin.html

    ----------------------------------------------------------------------

    If you haven't heard already, a large cluster of SNMP vulnerabilities
    was found in many platforms, including major system and router OSs. A
    security firm built an SNMP auditing tool and ran it against a large
    number of SNMP daemon implementations, many of which were vulnerable to
    denial of service attacks. A few even allowed execution of arbitrary
    code. More information is reported in this issue as item {02.06.011}
    in the Cross-Platform category.

    Four weeks ago, we mentioned what seemed to be a bunch of pending
    Oracle advisories. Well, a few were released this week. Anyone running
    Oracle 9iAS should take a peek at the items in the Cross-Platform
    category and check for patches from Oracle.

    Until next week,
    --Security Alert Consensus Team

    ************************************************************************

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    TABLE OF CONTENTS:

    {02.06.009} Win - Cisco Secure ACS allows disabled NDS users
    {02.06.010} Win - MS02-003: Exchange 2000 enables remote registry access
    {02.06.013} Win - MS02-004: Telnet option handling buffer overflow
    {02.06.020} Win - MiniPortal FTP service multiple vulnerabilities
    {02.06.021} Win - Update {02.05.006}: BlackIce Defender large ping
                flood DoS
    {02.06.022} Win - Sybex E-Trainer Web server file retrieval
    {02.06.007} Linux - hanterm long parameter overflow
    {02.06.008} Linux - wmtv config file symlink attack
    {02.06.015} Linux - Update {02.04.003}: OpenLDAP ACL bypass on
                attribute removal
    {02.06.016} Linux - Update {02.01.003}: Cross - Mutt e-mail address
                handling overflow
    {02.06.017} Linux - Update {02.04.011}: rsync signed integers
                vulnerability
    {02.06.025} Linux - Astaro insecure file/directory permissions
    {02.06.028} Linux - Update {02.02.043}: LPRng/groff overflow
    {02.06.029} Linux - Update {02.03.025}: uuxqt --config vulnerability
    {02.06.031} Linux - Astaro Linux multiple security concerns
    {02.06.027} AIX - Update {01.45.019}: Overflow in dtspcd via DCE SPC
                library
    {02.06.030} SCO - LC_MESSAGES file format vulnerability
    {02.06.014} NApps - HP AdvanceStack password change via HTTP service
    {02.06.006} Other - MS02-002: Mac Office X Copy Protection DoS
    {02.06.001} Cross - Texis CGI path disclosure
    {02.06.002} Cross - Oracle PL/SQL library arbitrary execution
    {02.06.003} Cross - Oracle mod_plsql multiple overflows
    {02.06.004} Cross - Oracle JSP source disclosure
    {02.06.005} Cross - Actinic CGI suite CSS vulnerabilities
    {02.06.011} Cross - Multiple vendor SNMP problems
    {02.06.012} Cross - Update {00.09.021}: Delegate contains numerous
                buffer overflows
    {02.06.018} Cross - Icewarp Web mail account hijacking
    {02.06.019} Cross - Auction Deluxe CGI CSS vulnerability
    {02.06.023} Cross - EasyBoard CGI content-type overflow
    {02.06.024} Cross - Sawmill insecure password storage
    {02.06.026} Cross - GNAT insecure temp file handling

    - --- Windows News -------------------------------------------------------

    *** {02.06.009} Win - Cisco Secure ACS allows disabled NDS users

    Cisco released an advisory indicating that Cisco Secure ACS version
    3.0.1, which is configured to use Novell NDS directories, will
    successfully authenticate users who are disabled or expired in the
    NDS tree.

    A patch is available at:
    http://www.cisco.com/pcgi-bin/tablebuild.pl/cs-acs-win
    (requires valid CCO account login)

    Source: Cisco
    http://archives.neohapsis.com/archives/cisco/2002-q1/0002.html

    *** {02.06.010} Win - MS02-003: Exchange 2000 enables remote registry
                    access

    Microsoft released MS02-003 ("Exchange 2000 enables remote registry
    access"). The Exchange 2000 System Attendant incorrectly grants
    'Everyone' access to the Winreg registry key, which allows a remote
    attacker to connect to the registry via SMB/NetBIOS. What the attacker
    can then read or change depends on the permissions of the individual
    subkeys.

    FAQ and patch:
    http://www.microsoft.com/technet/security/bulletin/MS02-003.asp

    Source: Microsoft
    http://archives.neohapsis.com/archives/vendor/2002-q1/0023.html

    *** {02.06.013} Win - MS02-004: Telnet option handling buffer overflow

    Microsoft released MS02-004 ("Telnet option handling buffer
    overflow"). The handling of telnet options by the Windows 2000 telnet
    service, and the telnet service included with Interix version 2.2,
    allows a remote attacker to execute arbitrary code. On Windows 2000,
    this code is executed with local system privileges.

    FAQ and patch:
    http://www.microsoft.com/technet/security/bulletin/MS02-004.asp

    Source: Microsoft
    http://archives.neohapsis.com/archives/vendor/2002-q1/0024.html

    *** {02.06.020} Win - MiniPortal FTP service multiple vulnerabilities

    The MiniPortal FTP service by InstantServers.com prior to version 1.1.6
    contains multiple vulnerabilities, including: storage of authentication
    information in plain text files; access of files outside the FTP root
    directory; and a buffer overflow in the handling of large FTP commands,
    which can lead to execution of arbitrary code.

    The vendor has confirmed the vulnerabilities and released version
    1.1.6 to fix the problems.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-02/0094.html

    *** {02.06.021} Win - Update {02.05.006}: BlackIce Defender large ping
                    flood DoS

    It turns out the vulnerability discussed in {02.05.006} ("BlackIce
    Defender large ping flood DoS") is more severe than originally
    thought. It's a remotely exploitable buffer overflow that lets an
    attacker execute arbitrary code in kernel space (which is even more
    privileged than the Local System account).

    ISS has confirmed the vulnerability and released a patch, which is
    available at:
    http://www.iss.net/support/consumer/BI_downloads.php

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0044.html

    *** {02.06.022} Win - Sybex E-Trainer Web server file retrieval

    The E-Trainer application included with Sybex computer-based training
    courses includes a Web server that serves the content to the user. This
    Web server is vulnerable to '..' requests, thereby allowing a remote
    attacker to retrieve arbitrary files from the user's system while
    the user is using the E-Trainer application.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-02/0103.html
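
    The '..' problem in this item, and the FTP-root escape in {02.06.020}
    above, come down to the same missing step: normalising a client-supplied
    path before joining it to the root. The C below is an added example,
    not code from E-Trainer, MiniPortal or the advisories; the document
    root "/srv/etrainer" and the request strings are made up for the
    demonstration.

```c
/* Added example (not the E-Trainer or MiniPortal code): resolving a client
 * supplied path under a document/FTP root so that ".." cannot climb out of
 * it. The check is lexical: it percent-decodes exactly once, treats '\' like
 * '/' (Windows servers do), drops "." and empty segments, and refuses any
 * ".." that would pop above the root. A real server must still defend
 * against symlinks inside the root (realpath() on the opened file, or
 * openat() with O_NOFOLLOW), which this does not attempt. Paths are
 * constructed for the demonstration. */
#include <stdio.h>
#include <string.h>

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode %XX in place, once, so "%2e%2e/" is seen as "../" by the traversal
 * check. Returns 0 on a malformed escape or an encoded NUL (which would
 * silently truncate the path at the later open() call). */
static int url_decode(char *s)
{
    char *w = s;
    for (char *r = s; *r; r++, w++) {
        if (*r != '%') { *w = *r; continue; }
        int hi = hexval(r[1]);
        int lo = hi < 0 ? -1 : hexval(r[2]);
        if (hi < 0 || lo < 0 || (hi == 0 && lo == 0)) return 0;
        *w = (char)(hi * 16 + lo);
        r += 2;
    }
    *w = '\0';
    return 1;
}

/* Normalise req into a root-relative absolute path in out ("/a/b/c", or "/"
 * for the root itself). Returns 1 on success, 0 if req escapes the root,
 * is malformed, or does not fit. */
int canonicalize_request(const char *req, char *out, size_t outlen)
{
    char buf[1024];
    if (outlen < 2 || strlen(req) >= sizeof buf) return 0;
    strcpy(buf, req);
    if (!url_decode(buf)) return 0;
    for (char *p = buf; *p; p++) if (*p == '\\') *p = '/';

    size_t pos = 0, depth = 0;
    out[0] = '\0';
    for (char *seg = strtok(buf, "/"); seg; seg = strtok(NULL, "/")) {
        if (strcmp(seg, ".") == 0) continue;
        if (strcmp(seg, "..") == 0) {
            if (depth == 0) return 0;                    /* attempt to climb above the root */
            while (pos > 0 && out[pos - 1] != '/') pos--; /* pop the last segment */
            if (pos > 0) pos--;                          /* and its separator */
            out[pos] = '\0';
            depth--;
            continue;
        }
        size_t sl = strlen(seg);
        if (pos + 1 + sl + 1 > outlen) return 0;
        out[pos++] = '/';
        memcpy(out + pos, seg, sl);
        pos += sl;
        out[pos] = '\0';
        depth++;
    }
    if (pos == 0) strcpy(out, "/");
    return 1;
}

/* Join the canonical path onto root (given without a trailing slash) to get
 * the filesystem path the server may open. Returns 1 on success, 0 if the
 * request was rejected or the result does not fit. */
int resolve_under_root(const char *root, const char *req, char *full, size_t fulllen)
{
    char canon[1024];
    if (!canonicalize_request(req, canon, sizeof canon)) return 0;
    return snprintf(full, fulllen, "%s%s", root, canon) < (int)fulllen;
}

int main(void)
{
    const char *root = "/srv/etrainer";                  /* hypothetical document root */
    const char *tests[] = { "/docs/../index.html", "/../../etc/passwd",
                            "/docs/%2e%2e/%2e%2e/etc/passwd", "..\\..\\boot.ini", "/a/./b//c/" };
    char full[2048];
    for (size_t i = 0; i < sizeof tests / sizeof tests[0]; i++)
        printf("%-34s -> %s\n", tests[i],
               resolve_under_root(root, tests[i], full, sizeof full) ? full : "REJECTED");
    return 0;
}
```

    Note that the decode happens once and only once: a double-encoded
    "%252e%252e" comes out as the literal directory name "%2e%2e", which is
    correct as long as nothing downstream decodes the path a second time.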

    - --- Linux News ---------------------------------------------------------

    *** {02.06.007} Linux - hanterm long parameter overflow

    The hanterm terminal application version 3.3 contains buffer overflows
    in the handling of long URL parameters. If the hanterm binary is
    setuid (which it is in TurboLinux 6.5), then it's possible for a
    local attacker to execute arbitrary code with elevated privileges.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-02/0036.html

    *** {02.06.008} Linux - wmtv config file symlink attack

    The wmtv application writes its configuration file insecurely, which
    could allow a local attacker to perform a symlink attack and overwrite
    arbitrary files on the system.

    This vulnerability has been confirmed.

    Updated Debian DEBs are listed at:
    http://archives.neohapsis.com/archives/vendor/2002-q1/0022.html

    Source: Debian
    http://archives.neohapsis.com/archives/vendor/2002-q1/0022.html

    *** {02.06.015} Linux - Update {02.04.003}: OpenLDAP ACL bypass on
                    attribute removal

    Caldera and Mandrake released updated openldap packages, which fix
    the vulnerability discussed in {02.04.003} ("OpenLDAP ACL bypass on
    attribute removal").

    Updated Caldera RPMs:
    http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0004.html

    Updated Mandrake RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2002-02/0114.html

    Source: Caldera, Mandrake
    http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0004.html
    http://archives.neohapsis.com/archives/bugtraq/2002-02/0114.html

    *** {02.06.016} Linux - Update {02.01.003}: Cross - Mutt e-mail address
                    handling overflow

    Caldera released updated mutt packages, which fix the vulnerability
    discussed in {02.01.003} ("Cross - Mutt e-mail address handling
    overflow").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0005.html

    Source: Caldera
    http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0005.html

    *** {02.06.017} Linux - Update {02.04.011}: rsync signed integers
                    vulnerability

    Caldera released updated rsync packages, which fix the vulnerability
    discussed in {02.04.011} ("rsync signed integers vulnerability").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0006.html

    Source: Caldera
    http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0006.html

    *** {02.06.025} Linux - Astaro insecure file/directory permissions

    Astaro Linux ships with world-writable permissions on various
    configuration files and directories, which could allow a local attacker
    to cause a denial of service or potentially raise privileges.

    Astaro has confirmed this vulnerability and fixed the problems in
    Up2Date version 2.022.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0045.html

    *** {02.06.028} Linux - Update {02.02.043}: LPRng/groff overflow

    Mandrake released updated groff packages, which fix the vulnerability
    discussed in {02.02.043} ("LPRng/groff overflow").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/bugtraq/2002-02/0057.html

    Source: Mandrake (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2002-02/0057.html

    *** {02.06.029} Linux - Update {02.03.025}: uuxqt --config vulnerability

    Debian released updated uucp packages, which fix the vulnerability
    discussed in {02.03.025} ("uuxqt --config vulnerability").

    Updated DEBs are listed at:
    http://archives.neohapsis.com/archives/vendor/2002-q1/0025.html

    Source: Debian
    http://archives.neohapsis.com/archives/vendor/2002-q1/0025.html

    *** {02.06.031} Linux - Astaro Linux multiple security concerns

    A published advisory lists a number of security concerns with the
    default configuration of Astaro Linux. The problems include old,
    known-to-be-vulnerable versions of applications; ineffective daemon
    isolation; and weak password storage.

    More information is available at the reference URL below.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-02/0000.html

    - --- AIX News -----------------------------------------------------------

    *** {02.06.027} AIX - Update {01.45.019}: Overflow in dtspcd via DCE
                    SPC library

    IBM released APAR IY25436, which fixes the vulnerability discussed
    in {01.45.019} ("Overflow in dtspcd via DCE SPC library").

    Source: IBM
    http://archives.neohapsis.com/archives/aix/2002-q1/0002.html

    - --- SCO News -----------------------------------------------------------

    *** {02.06.030} SCO - LC_MESSAGES file format vulnerability

    SCO released an advisory indicating that it's possible for a local
    attacker to use the LC_MESSAGES environment variable to specify a
    trojaned .mesg file. The attacker could then use a format string
    vulnerability in the parsing of the .mesg file to execute arbitrary
    code, potentially with root privileges.

    Caldera has confirmed this vulnerability and released fixed binaries,
    which are available at:
    ftp://stage.caldera.com/pub/security/unixware/CSSA-2002-SCO.3/

    Source: Caldera
    http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0007.html
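
    For readers who maintain code that loads message catalogs, the following
    added C example (not SCO's or Caldera's code) shows the vulnerable
    printf(catalog_string, ...) idiom next to a check that refuses any
    catalog string whose conversions do not match what the caller expects.
    The catalog strings in it are constructed.

```c
/* Added example (not SCO's code): treating a message-catalog string as
 * untrusted before it becomes a printf format. Anything selected through
 * LC_MESSAGES is attacker-influenced, so a program that does
 * printf(catalog_string, arg) hands the attacker %x to read the stack and
 * %n to write memory. fmt_conversions() extracts the conversions a string
 * would perform; render_message() only formats when they match what the
 * caller expects. The catalog strings below are constructed. */
#include <stdio.h>
#include <stdarg.h>
#include <string.h>
#include <ctype.h>

/* Collect the conversion characters of fmt into spec (e.g. "%s on line %d"
 * gives "sd"). Rejects %n, %p, positional arguments (%1$s), '*' widths and
 * anything unrecognised. Returns 1 if fmt is acceptable, 0 otherwise. */
int fmt_conversions(const char *fmt, char *spec, size_t speclen)
{
    size_t k = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                           /* "%%" is a literal percent */
        while (*p && strchr("-+ #0", *p)) p++;             /* flags */
        while (isdigit((unsigned char)*p)) p++;            /* field width */
        if (*p == '$' || *p == '*') return 0;              /* positional or arg-supplied width */
        if (*p == '.') {                                   /* precision */
            p++;
            if (*p == '*') return 0;
            while (isdigit((unsigned char)*p)) p++;
        }
        while (*p && strchr("hlLqjzt", *p)) p++;           /* length modifiers */
        if (!*p || !strchr("diouxXcseEfgG", *p)) return 0; /* %n, %p, unknown, or truncated */
        if (k + 1 >= speclen) return 0;
        spec[k++] = *p;
    }
    spec[k] = '\0';
    return 1;
}

/* Vulnerable pattern: the catalog string is the format. A trojaned .mesg
 * entry such as "%08x.%08x.%08x.%n" is executed as written. Kept for
 * contrast; main() never feeds it hostile input. */
void render_message_unchecked(char *out, size_t outlen,
                              const char *catalog_fmt, const char *arg)
{
    snprintf(out, outlen, catalog_fmt, arg);
}

/* Hardened: format only if the catalog string performs exactly the
 * conversions in 'expected' (e.g. "s" for one string argument).
 * Returns 1 on success, 0 if the string was rejected. */
int render_message(char *out, size_t outlen, const char *catalog_fmt,
                   const char *expected, ...)
{
    char spec[16];
    if (!fmt_conversions(catalog_fmt, spec, sizeof spec) || strcmp(spec, expected) != 0)
        return 0;
    va_list ap;
    va_start(ap, expected);
    vsnprintf(out, outlen, catalog_fmt, ap);
    va_end(ap);
    return 1;
}

int main(void)
{
    char out[128];
    const char *good = "cannot open %s";                   /* constructed, benign */
    const char *evil = "%08x.%08x.%08x.%n";                /* constructed, hostile */
    render_message_unchecked(out, sizeof out, good, "/etc/motd");
    printf("unchecked, benign catalog: %s\n", out);
    printf("checked, benign:  accepted=%d\n", render_message(out, sizeof out, good, "s", "/etc/motd"));
    printf("checked, hostile: accepted=%d\n", render_message(out, sizeof out, evil, "s", "/etc/motd"));
    return 0;
}
```

    The same check applies to any format a program reads from a file or the
    network; the alternative, printing the catalog string with "%s" and
    never treating it as a format, is simpler where the message carries no
    arguments at all.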

    - --- Network Appliances News --------------------------------------------

    *** {02.06.014} NApps - HP AdvanceStack password change via HTTP service

    The HP AdvanceStack (J3210A) allows a remote attacker to change
    the administrative password via the included Web management service
    without needing to know the current administrative password. This
    allows a remote attacker to essentially take over the switch.

    This vulnerability has not been confirmed.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0043.html

    - --- Other News ---------------------------------------------------------

    *** {02.06.006} Other - MS02-002: Mac Office X Copy Protection DoS

    Microsoft released MS02-002 ("Mac Office X Copy Protection
    DoS"). Microsoft Office X for Macs contains a copy protection feature
    that causes Office to abort if it detects another version on the
    network with the same product ID. It's possible for an attacker
    to send a packet in such a way that Office X will believe the copy
    protection mechanism has been violated, and thus shut down.

    FAQ and patch:
    http://www.microsoft.com/technet/security/bulletin/MS02-002.asp

    Source: Microsoft
    http://archives.neohapsis.com/archives/vendor/2002-q1/0021.html

    - --- Cross-Platform News ------------------------------------------------

    *** {02.06.001} Cross - Texis CGI path disclosure

    Thunderstone's Texis CGI search application displays a full physical
    path when a request for a nonexistent file is made.

    The vendor has confirmed this vulnerability; a patch is available by
    contacting Thunderstone tech support.

    Source: SecurityFocus Vuln-Dev
    http://archives.neohapsis.com/archives/vuln-dev/2002-q1/0382.html

    *** {02.06.002} Cross - Oracle PL/SQL library arbitrary execution

    A published advisory details how the Oracle version 8 or 9 listener
    service can be made to load and execute any function in any library
    on the system, which lets a remote attacker execute arbitrary commands
    and code on the system.

    The advisory indicates vendor confirmation.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0039.html

    *** {02.06.003} Cross - Oracle mod_plsql multiple overflows

    The PL/SQL Apache module included with Oracle 9iAS contains multiple
    buffer overflows that could allow a remote attacker to execute
    arbitrary code on the target system. A long request, authentication
    header, cache file name and password can cause the overflows.

    The vendor has confirmed this vulnerability and released patches,
    which are available via Oracle MetaLink at:
    http://metalink.oracle.com

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0040.html

    *** {02.06.004} Cross - Oracle JSP source disclosure

    OracleJSP, shipped with Oracle 9iAS, leaves uncompiled JSP pages in a
    remotely accessible directory, which lets a remote attacker recover the
    original JSP source. Direct requests for the globals.jsa file (which
    typically contains global application information) also are unhindered.

    A third-party workaround is available at the reference URL below.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0041.html

    *** {02.06.005} Cross - Actinic CGI suite CSS vulnerabilities

    Actinic.com's Actinic CGI suite version 4.7.0 is vulnerable to various
    cross-site scripting problems in the handling of URL parameters.

    These vulnerabilities have not been confirmed.

    Source: SecurityFocus Vuln-Dev
    http://archives.neohapsis.com/archives/vuln-dev/2002-q1/0400.html

    *** {02.06.011} Cross - Multiple vendor SNMP problems

    CERT released a large advisory indicating that there are multiple
    buffer overflows in the SNMP daemons shipped by *many* vendors. The
    vulnerabilities are vendor-dependent and range from simple denial of
    service attacks to remote execution of arbitrary code.

    Affected vendors include, but are not limited to, Microsoft, HP,
    Cisco, 3Com, CacheFlow, Computer Associates, Juniper, Lotus, Nokia,
    Novell, Red Hat, SGI, Sun and all ucd-snmp/net-snmp installations
    prior to version 4.2.2.

    For a current list of vendors and available patches/workarounds,
    please see the reference URL below.

    Source: CERT
    http://archives.neohapsis.com/archives/cc/2002-q1/0002.html
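
    The bug class behind this item, and the SNMP note at the top of this
    issue, is a BER decoder that trusts the length field in the packet. The
    C below is an added example, not CERT's, a vendor's or ucd-snmp's code:
    a minimal tag-length-value walker written both ways, exercised on a
    hand-constructed SNMPv1 GetRequest and on a constructed datagram whose
    outer SEQUENCE claims far more content than it carries.

```c
/* Added example (not from the newsletter or any vendor): the BER
 * tag-length-value walk at the heart of every SNMP decoder, written twice.
 * decode_tlv_unchecked() takes the declared length at face value, which is
 * the class of bug the CERT advisory describes; decode_tlv() refuses any
 * length that runs past the end of the datagram. The packets below are
 * constructed by hand, not captured. */
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

struct tlv {
    uint8_t tag;          /* ASN.1 tag octet, e.g. 0x30 SEQUENCE, 0xa0 GetRequest-PDU */
    size_t len;           /* declared content length */
    const uint8_t *val;   /* first content octet */
};

/* Decode a BER length (short form, or long form with 1..sizeof(size_t)
 * octets). Returns the number of length octets consumed, 0 if malformed. */
static size_t ber_length(const uint8_t *p, size_t avail, size_t *out)
{
    if (avail < 1) return 0;
    if (p[0] < 0x80) { *out = p[0]; return 1; }
    size_t n = p[0] & 0x7f;                                /* count of following octets */
    if (n == 0 || n > sizeof(size_t) || avail < 1 + n) return 0;  /* indefinite or absurd */
    size_t v = 0;
    for (size_t i = 0; i < n; i++) v = (v << 8) | p[1 + i];
    *out = v;
    return 1 + n;
}

/* Hardened: the declared length must fit within the octets actually present.
 * Returns total octets consumed (header + content) or -1. */
long decode_tlv(const uint8_t *pkt, size_t pktlen, struct tlv *t)
{
    if (pktlen < 2) return -1;
    size_t len, hl = ber_length(pkt + 1, pktlen - 1, &len);
    if (hl == 0) return -1;
    size_t hdr = 1 + hl;
    if (len > pktlen - hdr) return -1;                     /* would read beyond the datagram */
    t->tag = pkt[0]; t->len = len; t->val = pkt + hdr;
    return (long)(hdr + len);
}

/* Vulnerable: identical parse, but no comparison with pktlen. An agent that
 * then does memcpy(buf, t->val, t->len) reads (and, into a fixed buffer,
 * writes) far past the packet. */
long decode_tlv_unchecked(const uint8_t *pkt, size_t pktlen, struct tlv *t)
{
    if (pktlen < 2) return -1;
    size_t len, hl = ber_length(pkt + 1, pktlen - 1, &len);
    if (hl == 0) return -1;
    t->tag = pkt[0]; t->len = len; t->val = pkt + 1 + hl;
    return (long)(1 + hl + len);
}

/* Walk TLVs laid end to end (the content of a SEQUENCE) with the hardened
 * decoder and count them; -1 if any element is malformed. */
long count_tlvs(const uint8_t *p, size_t n)
{
    long count = 0;
    while (n > 0) {
        struct tlv t;
        long used = decode_tlv(p, n, &t);
        if (used < 0) return -1;
        p += used; n -= (size_t)used; count++;
    }
    return count;
}

/* Constructed SNMPv1 GetRequest for sysDescr.0 (1.3.6.1.2.1.1.1.0),
 * community "public", request-id 1: 40 octets in total. */
const uint8_t snmp_get[] = {
    0x30, 0x26, 0x02, 0x01, 0x00, 0x04, 0x06, 'p', 'u', 'b', 'l', 'i', 'c',
    0xa0, 0x19, 0x02, 0x01, 0x01, 0x02, 0x01, 0x00, 0x02, 0x01, 0x00,
    0x30, 0x0e, 0x30, 0x0c, 0x06, 0x08, 0x2b, 0x06, 0x01, 0x02, 0x01, 0x01,
    0x01, 0x00, 0x05, 0x00
};
const size_t snmp_get_len = sizeof snmp_get;

/* Constructed malformed datagram: the outer SEQUENCE claims 0xffff octets of
 * content but only three follow. */
const uint8_t snmp_bad[] = { 0x30, 0x82, 0xff, 0xff, 0x02, 0x01, 0x00 };
const size_t snmp_bad_len = sizeof snmp_bad;

int main(void)
{
    struct tlv t;
    long used = decode_tlv(snmp_get, snmp_get_len, &t);
    printf("good packet: consumed %ld octets, %ld elements in the message\n",
           used, count_tlvs(t.val, t.len));
    printf("bad packet, checked:   %ld\n", decode_tlv(snmp_bad, snmp_bad_len, &t));
    used = decode_tlv_unchecked(snmp_bad, snmp_bad_len, &t);
    printf("bad packet, unchecked: %ld (declared content length %zu)\n", used, t.len);
    return 0;
}
```

    Test suites of the kind that found these problems generate exactly such
    datagrams by mutating the length octets; the single comparison against
    the octets remaining is what turns a malformed length into a clean
    parse error instead of a memory-safety bug.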

    *** {02.06.012} Cross - Update {00.09.021}: Delegate contains numerous
                    buffer overflows

    Another advisory surfaced indicating that the vulnerabilities discussed
    in {00.09.021} ("DeleGate contains numerous buffer overflows") still
    have not been fixed. Essentially, all versions of DeleGate contain
    buffer overflows that let a remote attacker execute arbitrary code.

    The vendor has not issued any updates. We suggest you discontinue
    use of DeleGate.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-02/0051.html

    *** {02.06.018} Cross - Icewarp Web mail account hijacking

    The Icewarp Web mail CGI suite allows an attacker to read another
    user's e-mail simply by knowing the user's ID, which is embedded in
    e-mail sent by the user.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-02/0091.html

    *** {02.06.019} Cross - Auction Deluxe CGI CSS vulnerability

    MakeBid's Auction Deluxe CGI suite version 3.30 does not properly
    filter user-submitted data fields. This could allow an auction user
    to embed malicious JavaScript into an auction entry, which is executed
    upon viewing.

    The vendor has confirmed this vulnerability; contact the vendor for
    an update.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-02/0092.html
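
    Both this item and {02.06.005} are fixed the same way, by escaping
    user-supplied fields at output time. The C below is an added example
    (not Actinic's or MakeBid's code) of an HTML escaper that covers text
    and quoted-attribute contexts and reports truncation; the auction
    titles and seller names in it are made up.

```c
/* Added example (not Actinic's or MakeBid's code): output encoding for
 * user-submitted fields, the fix for both cross-site scripting items in
 * this issue. html_escape() neutralises the five characters that change
 * meaning in HTML text and in double- or single-quoted attribute values;
 * render_listing() shows it applied to every field. Sample strings are
 * constructed. */
#include <stdio.h>
#include <string.h>

/* Escape s for HTML text or quoted-attribute context into out. Returns the
 * length the full output needs (like snprintf) so a caller can detect
 * truncation; out is always NUL-terminated when outlen > 0 and never holds
 * a partially copied entity. */
size_t html_escape(const char *s, char *out, size_t outlen)
{
    size_t need = 0, w = 0;
    for (; *s; s++) {
        char one[2] = { *s, '\0' };
        const char *rep;
        switch (*s) {
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '&':  rep = "&amp;";  break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;       /* &apos; is not defined in HTML 4 */
        default:   rep = one;
        }
        size_t rl = strlen(rep);
        if (w == need && w + rl < outlen) {     /* copy only while nothing has been dropped */
            memcpy(out + w, rep, rl);
            w += rl;
        }
        need += rl;
    }
    if (outlen) out[w] = '\0';
    return need;
}

/* Build one table row for an auction listing; every field goes through the
 * escaper, including the one placed inside an attribute. Returns 1 on
 * success, 0 if a field or the row does not fit. */
int render_listing(const char *title, const char *seller, char *out, size_t outlen)
{
    char t[256], s[256];
    if (html_escape(title, t, sizeof t) >= sizeof t) return 0;
    if (html_escape(seller, s, sizeof s) >= sizeof s) return 0;
    return snprintf(out, outlen,
                    "<tr><td title=\"%s\">%s</td><td>%s</td></tr>", s, t, s) < (int)outlen;
}

int main(void)
{
    char row[512];
    /* constructed hostile inputs: a script in the title, an attribute break-out in the seller */
    if (render_listing("Vintage <b>radio</b> <script>alert('x')</script>",
                       "eve\"><img src=x onerror=alert(1)>", row, sizeof row))
        printf("%s\n", row);
    return 0;
}
```

    Escaping at output rather than filtering at input is what makes the fix
    complete: the stored auction text stays as the user typed it, and every
    page that renders it gets the same protection.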

    *** {02.06.023} Cross - EasyBoard CGI content-type overflow

    The EasyBoard 2000 CGI suite contains a remotely exploitable buffer
    overflow in the handling of the Content-Type HTTP header, which lets
    an attacker execute arbitrary code.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-02/0106.html

    *** {02.06.024} Cross - Sawmill insecure password storage

    The Sawmill Web site management application prior to version 6.2.15
    insecurely stores the administrative information in a local file,
    which could allow a local attacker to change the password to an
    arbitrary value.

    The vendor has confirmed this vulnerability and released version
    6.2.15.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-02/0108.html

    *** {02.06.026} Cross - GNAT insecure temp file handling

    GNAT, the GNU Ada compiler, version 3.14p insecurely creates temporary
    files, which lets a local attacker perform a symlink race attack to
    overwrite files on the system.

    This vulnerability has not been confirmed.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0046.html
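
    This item and the wmtv report ({02.06.008}) are both instances of the
    temporary-file symlink race. The C below is an added example, not GNAT
    or wmtv code, and plays the race out in a scratch directory: an
    "attacker" plants a symlink to a victim file at the name the program
    will use, then the program creates its temp file three different ways.
    Everything it touches is under /tmp/sac_race_demo, a name chosen for the
    demonstration; POSIX only.

```c
/* Added example (not wmtv or GNAT code): the unsafe temporary-file idiom
 * behind both reports, and two safe alternatives, demonstrated against a
 * planted symlink. With O_CREAT alone, open() follows an existing symlink
 * at the predicted name and truncates whatever it points to; with O_EXCL
 * the open fails instead, and mkstemp() adds an unpredictable name on top
 * of O_EXCL. The scratch directory is created and removed by the demo. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>

/* Unsafe: predictable name, O_CREAT without O_EXCL. Returns an fd or -1. */
int create_temp_unsafe(const char *dir, char *path, size_t pathlen)
{
    snprintf(path, pathlen, "%s/app.%ld", dir, (long)getpid());   /* guessable from ps */
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);       /* follows a planted symlink */
}

/* Safer: same predictable name, but O_EXCL makes open() fail with EEXIST if
 * anything, a symlink included, already sits at that path. */
int create_temp_excl(const char *dir, char *path, size_t pathlen)
{
    snprintf(path, pathlen, "%s/app.%ld", dir, (long)getpid());
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Safe: mkstemp() picks an unpredictable suffix and opens with O_EXCL atomically. */
int create_temp_safe(const char *dir, char *path, size_t pathlen)
{
    if (snprintf(path, pathlen, "%s/app.XXXXXX", dir) >= (int)pathlen) return -1;
    return mkstemp(path);
}

static int write_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

/* Stage the race in dir: create a victim file, let the "attacker" plant a
 * symlink at the name the program will use, then run the chosen creator and
 * let it write. Returns 1 if the victim was overwritten, 0 if it survived,
 * -1 on a setup error. Cleans up after itself. */
int victim_clobbered(const char *dir, int (*create)(const char *, char *, size_t))
{
    char victim[512], link[512], tmp[512], buf[32] = {0};
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(link, sizeof link, "%s/app.%ld", dir, (long)getpid());  /* attacker's prediction */
    if (mkdir(dir, 0700) < 0 && errno != EEXIST) return -1;
    if (write_file(victim, "secret\n") < 0) return -1;
    unlink(link);
    if (symlink(victim, link) < 0) return -1;

    int fd = create(dir, tmp, sizeof tmp);
    if (fd >= 0) {
        if (write(fd, "owned\n", 6) < 0) { /* nothing to do; the read below decides */ }
        close(fd);
        unlink(tmp);                       /* removes the link or the real temp file, never the victim */
    }

    int rd = open(victim, O_RDONLY);
    if (rd < 0) return -1;
    ssize_t n = read(rd, buf, sizeof buf - 1);
    close(rd);
    unlink(link); unlink(victim); rmdir(dir);
    if (n < 0) return -1;
    return strcmp(buf, "secret\n") != 0;
}

int main(void)
{
    const char *dir = "/tmp/sac_race_demo";   /* scratch location chosen for the demo */
    printf("O_CREAT|O_TRUNC : victim overwritten = %d\n", victim_clobbered(dir, create_temp_unsafe));
    printf("O_CREAT|O_EXCL  : victim overwritten = %d\n", victim_clobbered(dir, create_temp_excl));
    printf("mkstemp()       : victim overwritten = %d\n", victim_clobbered(dir, create_temp_safe));
    return 0;
}
```

    The demo collapses the race to a single step because the attacker
    already knows the name; in the real attack the link is planted between
    the program choosing its name and opening it, which is why the fix has
    to be an atomic create-if-absent rather than a check followed by an
    open.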

    ************************************************************************

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (BSD/OS)
    Comment: For info see http://www.gnupg.org

    iD8DBQE8bBst+LUG5KFpTkYRAgWaAJ9WE+UHG64oJVeSWP6l4w+9lDmDkACdHd1n
    lhfPK/w9ZDmAyEu0EAPRiYY=
    =yTsw
    -----END PGP SIGNATURE-----
    ------------------------------------------------------------------------

    Become a Security Alert Consensus member! If this e-mail was passed
    to you and you would like to begin receiving our security e-mail
    newsletter on a weekly basis, we invite you to subscribe today.
    http://www.networkcomputing.com/consensus/.

    We are signing the Consensus newsletter
    with PGP. The new SANS PGP key is posted at:
    http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46
    and can be accessed from the SANS Web site (http://www.sans.org).

    Special Note: To better secure your confidential information,
    we will no longer include personal URLs in our Consensus
    newsletter mailings. Instead, we have created a new form
    (http://www.sans.org/sansurl). On this form you can enter the SD
    number located near your name at the top of the newsletter. When you
    submit this form, an e-mail containing a URL will be sent to you at
    the e-mail address on record. With this URL you can make changes to
    your account (edit the content of your Consensus mailing, for example)
    without endangering the security of your personal URL. If you'd like
    to change your e-mail address or other information, or unsubscribe
    to this newsletter, please visit your new URL as described above. If
    you have any problems or questions, e-mail us at <consensus@nwc.com>.

    Missed an issue? You can find all back issues of
    Security Alert Consensus (and Security Express) online.
    http://archives.neohapsis.com/

    Your opinion counts. We'd like to hear your thoughts on Security Alert
    Consensus. E-mail any questions or comments to <consensus@nwc.com>.

    Copyright (c) 2002 Network Computing, a CMP Media LLC
    publication. All Rights Reserved. Distributed by Network
    Computing (http://www.networkcomputing.com) and The SANS Institute
    (http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
    security assessment and integration services consulting group
    (info@neohapsis.com | http://www.neohapsis.com/).