From: Network Computing and The SANS Institute (sans+ZZ70491249049314681@sans.org)
Date: Thu Mar 07 2002 - 14:45:18 CST
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 009 (02.09)
Thursday, March 7, 2002
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below
you should find information pertaining only to the categories you
requested. Information on how to manage your subscription can be found
at the bottom of the newsletter. If you have any problems or questions,
please e-mail us at <consensus@nwc.com>.
----------------------------------------------------------------------
ALERT! Web applications are the new area of attack for hackers! By
taking advantage of your Web site and using it to exploit your
applications, a hacker can gain access to your backend data. All
undetectable by today's methods of Internet security! Download this
*FREE* white paper from SPI Dynamics that provides a complete guide of
vulnerabilities and steps for protection!
http://www.spidynamics.com/mktg/webappsecurity3/
----------------------------------------------------------------------
To get the most value out of SAC, we recommend three things:
A) Subscribe to the Cross-Platform category. Multi-vendor bugs,
which most likely apply to you, show up there. Instructions on how
to change your category subscriptions are at the bottom of the e-mail.
B) Don't stop with the summary -- make sure you read the appropriate
reference URLs if you think a bug applies to you. Our goal is to
summarize the information and not necessarily provide all the exact
details. The original posts also might contain workaround and/or
instructions on how to confirm if you're vulnerable.
C) If you see a reference to a bug that is not in your issue, it's
because you didn't subscribe to that category. You can view the online
copy, which has all categories, at:
http://archives.neohapsis.com/archives/sac/
Also, if you're at all confused about how to work with this newsletter
(change your e-mail address, unsubscribe, etc.), simply scroll to
the bottom of this message and follow the directions there.
Until next week,
--Security Alert Consensus Team
************************************************************************
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
TABLE OF CONTENTS:
{02.09.006} Win - MS02-012: Malformed SMTP command DoS
{02.09.013} Win - MS02-011: Users can use SMTP service with null session
{02.09.016} Win - WorldGroup FTP and HTTP overflows
{02.09.019} Win - Hotline client stores plain text authentication
information in bookmarks
{02.09.023} Win - MS02-013: Java applets can redirect HTTP traffic via
proxy
{02.09.024} Win - MS SQL Server xp_dirtree overflow
{02.09.025} Win - Talentsoft Web+ buffer overflow
{02.09.029} Win - BPM Studio Pro internal HTTP server vulnerabilities
{02.09.002} Linux - Update {02.08.035}: mod_ssl session serializing
overflow
{02.09.004} Linux - Update {02.08.034}: PHP file upload vulnerabilities
{02.09.005} Linux - Netfilter IRC DCC tracking vulnerability
{02.09.021} Linux - Users can kill processes via lcall()
{02.09.028} BSD - KAME IPSEC IPv4 forwarding SPD bypass
{02.09.007} NApps - Cisco IOS CEF packet data leak
{02.09.014} NApps - Cobalt Raq/Cube admin CGI vulnerabilities
{02.09.001} Cross - Update {02.08.012}: Squid multiple vulnerabilities
{02.09.003} Cross - Apache-SSL buffer overflow
{02.09.008} Cross - Multiple vendor RADIUS vulnerabilities
{02.09.009} Cross - CVS pserver overflow/DoS
{02.09.010} Cross - Cyrus SASL logging format string vulnerability
{02.09.011} Cross - cfsd overflows/DoS
{02.09.012} Cross - Update {02.06.011}: Multiple vendor SNMP problems
{02.09.015} Cross - Zope proxy roles ownership vulnerability
{02.09.017} Cross - DCP-Portal reveals file paths
{02.09.018} Cross - xtelld multiple overflow vulnerabilities
{02.09.020} Cross - Bad SNMP packet crashes Ethereal
{02.09.022} Cross - ntop traceEvent() format string vulnerability
{02.09.026} Cross - xsane insecure temp file handling
{02.09.027} Cross - Java applets can hijack HTTP proxy connections
{02.09.030} Cross - Snitz CGI forum img tag CSS vulnerability
{02.09.031} Cross - AeroMail CGI multiple vulnerabilities
- --- Windows News -------------------------------------------------------
*** {02.09.006} Win - MS02-012: Malformed SMTP command DoS
Microsoft released MS02-012 ("Malformed SMTP command DoS"). A remote
attacker could potentially issue a malformed SMTP command to the
Windows 2000 SMTP service (also used by Exchange 2000), which causes
the service to crash.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS02-012.asp
Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2002-q1/0044.html
*** {02.09.013} Win - MS02-011: Users can use SMTP service with null
session
Microsoft released MS02-011 ("Users can use SMTP service with null
session"). The SMTP service shipped with Windows 2000, Exchange 2000
and Exchange 5.5 contains a bug in the authentication of remote users,
which would allow a remote attacker to authenticate with a null session
and thus be able to relay e-mail. As such, there is a potential for
abuse (read: spammers).
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS02-011.asp
Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2002-q1/0045.html
*** {02.09.016} Win - WorldGroup FTP and HTTP overflows
Galacticomm's WorldGroup suite version 3.x comes with an FTP
and HTTP server. Both are vulnerable to buffer overflows in long
requests/commands.
These vulnerabilities are unconfirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-02/0311.html
*** {02.09.019} Win - Hotline client stores plain text authentication
information in bookmarks
The Hotline client version 1.8.5 stores a user's authentication
information in plain text within any bookmarks created by the
user. Anyone with read access to the file system (or to a backup of
it) can recover the credentials.
This vulnerability is unconfirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-02/0338.html
*** {02.09.023} Win - MS02-013: Java applets can redirect HTTP traffic
via proxy
Microsoft released MS02-013 ("Java applets can redirect HTTP traffic
via proxy"). A bug in the MS JVM lets a Java applet redirect the HTTP
traffic of users who browse with IE through a proxy to a location of
the applet's choice; the bulletin gives no further detail on how. The
cross-vendor advisory on the same bug class is covered in {02.09.027}.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS02-013.asp
Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2002-q1/0051.html
*** {02.09.024} Win - MS SQL Server xp_dirtree overflow
Microsoft SQL Server version 7 is vulnerable to a buffer overflow
in the handling of large strings passed to the xp_dirtree stored
procedure.
This vulnerability is unconfirmed.
Source: NTBugtraq
http://archives.neohapsis.com/archives/ntbugtraq/2002-q1/0152.html
*** {02.09.025} Win - Talentsoft Web+ buffer overflow
Talentsoft's Web+ version 5.0 is vulnerable to a buffer overflow in
the handling of long strings, which could allow a remote attacker to
execute arbitrary code with local system privileges.
The vendor confirmed this vulnerability and released an update,
which is available at:
http://www.talentsoft.com/Issues/IssueDetail.wml?ID=WP943
Source: NTBugtraq
http://archives.neohapsis.com/archives/ntbugtraq/2002-q1/0153.html
*** {02.09.029} Win - BPM Studio Pro internal HTTP server
vulnerabilities
BPM Studio Pro version 4.2 comes with an internal HTTP server that has
two vulnerabilities: a denial of service by requesting DOS device
names (CON, AUX, etc.) in a URL; and access to arbitrary files outside
the document root by using '..' notation in URL requests.
These vulnerabilities are unconfirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-02/0312.html
http://archives.neohapsis.com/archives/bugtraq/2002-02/0320.html
- --- Linux News ---------------------------------------------------------
*** {02.09.002} Linux - Update {02.08.035}: mod_ssl session serializing
overflow
Conectiva released updated mod_ssl packages, which fix the
vulnerability discussed in {02.08.035} ("mod_ssl session serializing
overflow").
Updated Conectiva RPMs:
http://archives.neohapsis.com/archives/linux/conectiva/2002-q1/0018.html
Updated EnGarde RPMs:
http://archives.neohapsis.com/archives/linux/engarde/2002-q1/0009.html
Updated Trustix RPMs:
http://archives.neohapsis.com/archives/bugtraq/2002-02/0357.html
Source: Conectiva, EnGarde, Trustix (SF Bugtraq)
http://archives.neohapsis.com/archives/linux/conectiva/2002-q1/0018.html
http://archives.neohapsis.com/archives/linux/engarde/2002-q1/0009.html
http://archives.neohapsis.com/archives/bugtraq/2002-02/0357.html
*** {02.09.004} Linux - Update {02.08.034}: PHP file upload
vulnerabilities
Multiple vendors released updated PHP packages, which fix the
vulnerabilities discussed in {02.08.034} ("PHP file upload
vulnerabilities").
Updated RedHat RPMs:
http://archives.neohapsis.com/archives/linux/redhat/2002-q1/0087.html
Updated SuSE RPMs:
http://archives.neohapsis.com/archives/linux/suse/2002-q1/1403.html
Updated EnGarde RPMs:
http://archives.neohapsis.com/archives/linux/engarde/2002-q1/0010.html
Updated Debian DEBs:
http://archives.neohapsis.com/archives/vendor/2002-q1/0048.html
Updated Trustix RPMs:
http://archives.neohapsis.com/archives/bugtraq/2002-02/0362.html
Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/bugtraq/2002-02/0346.html
Source: RedHat, SuSE, EnGarde, Debian, Trustix, Mandrake (SF Bugtraq)
http://archives.neohapsis.com/archives/linux/redhat/2002-q1/0087.html
http://archives.neohapsis.com/archives/linux/suse/2002-q1/1403.html
http://archives.neohapsis.com/archives/linux/engarde/2002-q1/0010.html
http://archives.neohapsis.com/archives/vendor/2002-q1/0048.html
http://archives.neohapsis.com/archives/bugtraq/2002-02/0362.html
http://archives.neohapsis.com/archives/bugtraq/2002-02/0346.html
*** {02.09.005} Linux - Netfilter IRC DCC tracking vulnerability
A bug in netfilter's IRC DCC connection-tracking code could be used to
make the firewall accept inbound connections its rules would otherwise
reject, allowing unwanted inbound access.
A patch is available at:
http://archives.neohapsis.com/archives/bugtraq/2002-02/0306.html
Updated RedHat RPMs:
http://archives.neohapsis.com/archives/linux/redhat/2002-q1/0085.html
Source: RedHat, SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/linux/redhat/2002-q1/0085.html
http://archives.neohapsis.com/archives/bugtraq/2002-02/0306.html
*** {02.09.021} Linux - Users can kill processes via lcall()
A bug in the Linux kernel allows local users to kill arbitrary
processes, including system processes they would normally be unable
to signal.
This vulnerability is confirmed. A third-party patch is available at:
http://www.openwall.com/linux/
Source: Owl Linux
http://archives.neohapsis.com/archives/linux/owl/2002-q1/0008.html
- --- BSD News -----------------------------------------------------------
*** {02.09.028} BSD - KAME IPSEC IPv4 forwarding SPD bypass
A released advisory indicates that a bug in the handling of forwarded
IPv4 traffic in KAME-derived IPSEC implementations allows invalid
packets to pass through the security gateway. Both NetBSD and FreeBSD
appear to be vulnerable.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0057.html
- --- Network Appliances News --------------------------------------------
*** {02.09.007} NApps - Cisco IOS CEF packet data leak
Cisco released an advisory indicating that the Cisco Express Forwarding
feature of IOS can potentially include data from prior packets in
packets that it forwards. The bug is the result of IOS not clearing
the memory it uses to pad the packet.
An update matrix is available at:
http://archives.neohapsis.com/archives/cisco/2002-q1/0006.html
Source: Cisco
http://archives.neohapsis.com/archives/cisco/2002-q1/0006.html
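The CEF bug is a classic uninitialised-padding leak: a short packet is padded out to the minimum frame size from a buffer that still holds the previous packet's bytes. The following is an added example written for this newsletter, not Cisco code: a forwarding routine that pads from a reused buffer without clearing it, beside the corrected one, and a harness that checks whether the padding of a short packet carries bytes from the packet sent before it. The frame size, buffer layout and packet contents are constructed for illustration.

```c
/* Added example (not Cisco code): how a forwarding path leaks data when it
 * pads short frames out of a reused buffer without clearing it. The frame
 * size, buffer and packet contents are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MIN_FRAME 60   /* minimum Ethernet frame, header+payload, before FCS */

/* Shared transmit buffer, as a forwarding engine keeps per interface. */
static uint8_t txbuf[MIN_FRAME];

/* Vulnerable: copies the packet and transmits MIN_FRAME bytes, so the tail
 * still holds whatever the previous packet left behind. */
size_t forward_leaky(const uint8_t *pkt, size_t len, uint8_t *out)
{
    if (len > MIN_FRAME) len = MIN_FRAME;
    memcpy(txbuf, pkt, len);            /* bytes len..MIN_FRAME-1 untouched */
    memcpy(out, txbuf, MIN_FRAME);
    return MIN_FRAME;
}

/* Fixed: the padding region is zeroed explicitly before transmission. */
size_t forward_clean(const uint8_t *pkt, size_t len, uint8_t *out)
{
    if (len > MIN_FRAME) len = MIN_FRAME;
    memcpy(txbuf, pkt, len);
    memset(txbuf + len, 0, MIN_FRAME - len);
    memcpy(out, txbuf, MIN_FRAME);
    return MIN_FRAME;
}

/* Forward a full-size packet standing in for someone else's traffic, then
 * a short packet, and report whether the short packet's padding carries
 * any byte of the earlier one. Returns 1 on a leak, 0 if clean. */
int padding_leaks(size_t (*fwd)(const uint8_t *, size_t, uint8_t *))
{
    uint8_t earlier[MIN_FRAME], probe[20], wire[MIN_FRAME];
    memset(earlier, 'S', sizeof earlier);   /* constructed: prior packet */
    memset(probe, 'p', sizeof probe);       /* constructed: attacker's short packet */
    fwd(earlier, sizeof earlier, wire);
    size_t n = fwd(probe, sizeof probe, wire);
    for (size_t i = sizeof probe; i < n; i++)
        if (wire[i] == 'S') return 1;
    return 0;
}

int main(void)
{
    printf("padding from uncleared buffer leaks prior packet: %s\n",
           padding_leaks(forward_leaky) ? "yes" : "no");
    printf("padding zeroed before transmit leaks prior packet: %s\n",
           padding_leaks(forward_clean) ? "yes" : "no");
    return 0;
}
```

The same check, sending a run of minimum-size packets through a device and inspecting the padding bytes of what comes out the far side, is how one verifies a fix on real hardware: the padding should be all zeros (or a constant) and must never vary with unrelated traffic.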
*** {02.09.014} NApps - Cobalt Raq/Cube admin CGI vulnerabilities
A released advisory indicates various problems in the administrative
CGIs included with the Cobalt/Sun Raq4 appliances. The problems include
cross-site scripting, the ability to read server-readable files and a
denial of service. Another advisory indicates that cross-site scripting
problems also are present in the Cube.
These vulnerabilities are unconfirmed. Some third-party workarounds
are available at:
http://archives.neohapsis.com/archives/bugtraq/2002-02/0371.html
Source: SecurityFocus Bugtraq, Vuln-Dev
http://archives.neohapsis.com/archives/bugtraq/2002-02/0365.html
http://archives.neohapsis.com/archives/vuln-dev/2002-q1/0719.html
- --- Cross-Platform News ------------------------------------------------
*** {02.09.001} Cross - Update {02.08.012}: Squid multiple
vulnerabilities
SuSE and Caldera/SCO released updated squid packages, which
fix the vulnerability discussed in {02.08.012} ("Squid multiple
vulnerabilities").
Updated SuSE RPMs:
http://archives.neohapsis.com/archives/linux/suse/2002-q1/1462.html
Updated SCO binaries are listed at:
http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0014.html
Updated Conectiva RPMs:
http://archives.neohapsis.com/archives/linux/conectiva/2002-q1/0017.html
Source: SuSE, Caldera/SCO, Conectiva
http://archives.neohapsis.com/archives/linux/suse/2002-q1/1462.html
http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0014.html
http://archives.neohapsis.com/archives/linux/conectiva/2002-q1/0017.html
*** {02.09.003} Cross - Apache-SSL buffer overflow
Apache-SSL also is vulnerable to the mod_ssl buffer overflow discussed
in {02.08.035}.
Updated source tarballs are available at:
http://www.apache-ssl.org/
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-03/0000.html
*** {02.09.008} Cross - Multiple vendor RADIUS vulnerabilities
CERT released an advisory indicating that many RADIUS implementations
are vulnerable to remote buffer overflows, which lead to denial of
service attacks and, potentially, the execution of arbitrary code
under certain conditions.
For a list of affected products and vendors, view the CERT advisory at:
http://archives.neohapsis.com/archives/cc/2002-q1/0006.html
Updated RedHat RPMs:
http://archives.neohapsis.com/archives/linux/redhat/2002-q1/0089.html
Source: CERT, RedHat
http://archives.neohapsis.com/archives/cc/2002-q1/0006.html
http://archives.neohapsis.com/archives/linux/redhat/2002-q1/0089.html
*** {02.09.009} Cross - CVS pserver overflow/DoS
Debian released an advisory indicating that certain CVS components
have a buffer overflow, which could allow a remote attacker (with
proper credentials) to crash the CVS service. It is uncertain if
execution of arbitrary code is possible.
Updated DEBs are listed at:
http://archives.neohapsis.com/archives/vendor/2002-q1/0052.html
Source: Debian
http://archives.neohapsis.com/archives/vendor/2002-q1/0052.html
*** {02.09.010} Cross - Cyrus SASL logging format string vulnerability
The Cyrus SASL library contains an exploitable format string
vulnerability in one of the logging functions, which could potentially
allow a remote attacker to execute arbitrary code.
Mandrake released updated RPMs, which are listed at:
http://archives.neohapsis.com/archives/bugtraq/2002-02/0334.html
Source: Mandrake
http://archives.neohapsis.com/archives/bugtraq/2002-02/0334.html
*** {02.09.011} Cross - cfsd overflows/DoS
The cryptographic file system daemon cfsd contains various buffer
overflows that allow a local user to crash the service, which leads
to a denial of service attack. It also may be possible to execute
arbitrary code with elevated privileges.
Debian released updated DEBs:
http://archives.neohapsis.com/archives/vendor/2002-q1/0049.html
Source: Debian
http://archives.neohapsis.com/archives/vendor/2002-q1/0049.html
*** {02.09.012} Cross - Update {02.06.011}: Multiple vendor SNMP
problems
nCipher released updated patches for the SNMP agent that ships with
various nForce, nFast and nShield modules, which fix the vulnerability
discussed in {02.06.011} ("Multiple vendor SNMP problems").
Updated information is available at:
http://archives.neohapsis.com/archives/bugtraq/2002-02/0353.html
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-02/0353.html
*** {02.09.015} Cross - Zope proxy roles ownership vulnerability
Zope versions 2.2.0 through 2.5.x contain a bug in the enforcement of
ownership roles in relation to proxy roles. The bug may allow users
to access objects they otherwise wouldn't be able to access.
The Zope developers confirmed this vulnerability and released a hotfix,
which is available at:
http://www.zope.org/Products/Zope/Hotfix_2002-03-01/Hotfix_2002-03-01.tgz
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-02/0377.html
*** {02.09.017} Cross - DCP-Portal reveals file paths
The DCP-Portal CGI suite prior to version 4.5.1 displays full path
information in a request that has an invalid language file.
The vendor confirmed this vulnerability and released version 4.5.1
to fix the problem.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-02/0323.html
*** {02.09.018} Cross - xtelld multiple overflow vulnerabilities
xtelld version 2.6.1 contains multiple vulnerabilities: a buffer
overflow in the handling of large authd return data; a buffer overflow
in the handling of large DNS names; and a buffer overflow in the
handling of large amounts of data sent to the service.
These vulnerabilities are unconfirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-02/0333.html
*** {02.09.020} Cross - Bad SNMP packet crashes Ethereal
Ethereal, the network protocol analyzer, crashes when trying to decode
a particular malformed SNMP packet. Since the packet only has to be
seen on a monitored segment, this is a remotely exploitable denial of
service against anyone running a capture.
The advisory indicates confirmation by the vendor, which has checked
a fix into the current CVS.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-02/0356.html
*** {02.09.022} Cross - ntop traceEvent() format string vulnerability
Ntop version 2.0 contains a remotely exploitable format string
vulnerability in the traceEvent() function, which will let an attacker
execute arbitrary code.
This vulnerability is unconfirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0056.html
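Both {02.09.010} (Cyrus SASL) and {02.09.022} (ntop traceEvent()) are the same defect: a string containing remote input is passed to a printf-style logging routine as the format rather than as an argument. The following is an added example written for this newsletter, not code from either project: a project-style logging wrapper, the vulnerable and the corrected call into it, and a small audit helper that counts conversion directives in untrusted input. The wrapper, the function names and the sample input are assumptions; only a "%%" directive is ever fed to the vulnerable path, so the demonstration stays within defined behaviour.

```c
/* Added example (not Cyrus SASL or ntop code): the logging pattern behind
 * both advisories, remote input handed to a printf-style wrapper as its
 * format, beside the corrected call. Wrapper, names and input are assumed. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* A project-style logging wrapper with printf semantics. Most such wrappers
 * carry no format attribute, so the compiler cannot warn about callers. */
static int logmsg(char *buf, size_t buflen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, buflen, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable: the remote string *is* the format. Every '%' directive in it
 * is acted on: "%x" reads the next stack word, "%n" writes the count of
 * bytes emitted so far to the address the next argument slot holds. */
int trace_event_vuln(char *buf, size_t buflen, const char *remote)
{
    return logmsg(buf, buflen, remote);
}

/* Fixed: a literal format; remote data only ever reaches a %s argument. */
int trace_event_fixed(char *buf, size_t buflen, const char *remote)
{
    return logmsg(buf, buflen, "%s", remote);
}

/* Audit helper: number of conversion directives in an untrusted string
 * ("%%" is a literal percent and is not counted). Usable as a detection
 * rule over SASL user names or HTTP request lines while patches are
 * pending; it is not a substitute for the fixed call. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed input: a user name containing "%%". Only this directive
     * goes into the vulnerable path, as it consumes no argument. */
    const char *remote = "alice%%20smith";
    char out[64];
    trace_event_vuln(out, sizeof out, remote);
    printf("vulnerable: %s   (\"%%%%\" collapsed: the input was parsed as a format)\n", out);
    trace_event_fixed(out, sizeof out, remote);
    printf("fixed:      %s   (copied verbatim)\n", out);
    printf("directives in \"%s\": %d\n", "%x%x%x%n", count_format_directives("%x%x%x%n"));
    return 0;
}
```

The collapsed "%%" is the cheap, safe probe for this bug class: send a value containing "%%" through the interface and see whether it comes back in the log as a single "%". If it does, the string reached a format parameter, and the "%x"/"%n" payloads the advisories describe will work too.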
*** {02.09.026} Cross - xsane insecure temp file handling
Debian released an advisory indicating that the xsane application
insecurely handles temporary files, thereby allowing local symlink
attacks.
Updated Debian DEBs are listed at:
http://archives.neohapsis.com/archives/vendor/2002-q1/0053.html
Source: Debian
http://archives.neohapsis.com/archives/vendor/2002-q1/0053.html
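The xsane problem is the standard local symlink attack on a temporary file: the program creates a file at a guessable name, and an attacker who gets a symlink there first has the program's data written over a file of the attacker's choosing. The following is an added example, not xsane code or anything from the Debian advisory: the unsafe open beside an exclusive open that refuses a planted symlink, with a harness that plays the attacker and reports where the program's write actually landed. The directory, file names and data are constructed for illustration; it needs a POSIX system with a writable TMPDIR or /tmp.

```c
/* Added example (not xsane code): the temporary-file pattern behind the
 * advisory, a guessable name opened without O_EXCL, beside an exclusive
 * open that refuses a planted symlink, with a harness playing the local
 * attacker. Paths, names and data are constructed for illustration. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Vulnerable: O_CREAT without O_EXCL opens whatever already sits at the
 * path. If an attacker left a symlink there, the write lands on its target. */
int open_tmp_predictable(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Safer: O_EXCL makes open() fail with EEXIST if anything, symlink included,
 * already exists at the path; O_NOFOLLOW adds ELOOP for a symlink. mkstemp()
 * wraps this same O_EXCL open around an unpredictable name and is the usual
 * fix; this variant keeps the caller's name so the refusal is visible. */
int open_tmp_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Play out the race with the attacker already ahead: a symlink sits at the
 * temp-file name before the program opens it. Returns 1 if the program's
 * data ended up in the attacker's chosen target, 0 if the open was refused
 * or the target stayed empty, -1 on a harness error. */
int symlink_attack_succeeds(int (*opener)(const char *))
{
    const char *base = getenv("TMPDIR");
    char dir[300], victim[400], tmp[400];
    const char data[] = "scanned image data";      /* constructed payload */
    struct stat st;
    int fd, hit = -1;

    snprintf(dir, sizeof dir, "%s/xsane-demo-XXXXXX", base ? base : "/tmp");
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);  /* e.g. a user's dotfile */
    snprintf(tmp, sizeof tmp, "%s/xsane-tmp", dir);     /* the guessable name */

    /* attacker: create an empty target and point the guessable name at it */
    if ((fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600)) < 0) goto out;
    close(fd);
    if (symlink(victim, tmp) != 0) goto out;

    /* program: open its "temporary file" and write into it */
    fd = opener(tmp);
    if (fd < 0) { hit = 0; goto out; }                  /* refused: attack fails */
    if (write(fd, data, sizeof data - 1) != (ssize_t)(sizeof data - 1)) { close(fd); goto out; }
    close(fd);
    hit = (stat(victim, &st) == 0 && st.st_size > 0);  /* landed on the target? */

out:
    unlink(tmp); unlink(victim); rmdir(dir);
    return hit;
}

int main(void)
{
    printf("O_CREAT|O_TRUNC on a planted symlink:      attack %s\n",
           symlink_attack_succeeds(open_tmp_predictable) == 1 ? "succeeds" : "fails");
    printf("O_CREAT|O_EXCL|O_NOFOLLOW on the same:     attack %s\n",
           symlink_attack_succeeds(open_tmp_exclusive) == 1 ? "succeeds" : "fails");
    return 0;
}
```

Note that the exclusive open only refuses the attack; a program that then retries the same fixed name forever is still denied service. That is why mkstemp(), with its random name and O_EXCL together, is the complete fix rather than O_EXCL alone.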
*** {02.09.027} Cross - Java applets can hijack HTTP proxy connections
A released advisory indicates various vendor JVMs are vulnerable to
a bug that lets a Java applet hijack a user's connection to an HTTP
proxy, thus allowing the applet to have unrestricted network access.
This vulnerability is confirmed. The Sun, Netscape and Microsoft JVMs
are vulnerable; Microsoft's bulletin (MS02-013) is covered in
{02.09.023}.
Sun bulletin:
http://sunsolve.Sun.COM/pub-cgi/secBulletin.pl
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-03/0025.html
*** {02.09.030} Cross - Snitz CGI forum img tag CSS vulnerability
The Snitz CGI forum suite versions 3.3.03 and prior are vulnerable
to cross-site scripting in the handling of user-submitted img tags.
The vendor confirmed the problem. Fix information is available at:
http://forum.snitz.com/forum/link.asp?TOPIC_ID=23660
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-02/0326.html
*** {02.09.031} Cross - AeroMail CGI multiple vulnerabilities
The AeroMail PHP CGI suite prior to version 1.45 contains multiple
vulnerabilities, including: e-mail header spoofing; cross-site
scripting in Subject line; and attachment of local server files
to e-mails.
These vulnerabilities are confirmed and fixed in version 1.45.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-03/0004.html
************************************************************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (BSD/OS)
Comment: For info see http://www.gnupg.org
iD8DBQE8h8+S+LUG5KFpTkYRAkCKAJ40I+HTLQlQn53yWBbMe4bwUY3zVACePh9e
ETO07VTWBgW6YBF3tlyDmV0=
=kTcX
-----END PGP SIGNATURE-----
----------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed
to you and you would like to begin receiving our security e-mail
newsletter on a weekly basis, we invite you to subscribe today.
http://www.networkcomputing.com/consensus/.
We are signing the Consensus newsletter
with PGP. The new SANS PGP key is posted at:
http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46
and can be accessed from the SANS Web site (http://www.sans.org).
Special Note: To better secure your confidential information,
we will no longer include personal URLs in our Consensus
newsletter mailings. Instead, we have created a new form
(http://www.sans.org/sansurl). On this form you can enter the SD
number located near your name at the top of the newsletter. When you
submit this form, an e-mail containing a URL will be sent to you at
the e-mail address on record. With this URL you can make changes to
your account (edit the content of your Consensus mailing, for example)
without endangering the security of your personal URL. If you'd like
to change your e-mail address or other information, or unsubscribe
to this newsletter, please visit your new URL as described above. If
you have any problems or questions, e-mail us at <consensus@nwc.com>.
Missed an issue? You can find all back issues of
Security Alert Consensus (and Security Express) online.
http://archives.neohapsis.com/
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2002 Network Computing, a CMP Media LLC
publication. All Rights Reserved. Distributed by Network
Computing (http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).