From: Network Computing and The SANS Institute (sans+ZZ85421486278904681@sans.org)
Date: Thu Apr 04 2002 - 13:59:31 CST



    Re: Your personalized newsletter

                      -- Security Alert Consensus --
                           Number 013 (02.13)
                         Thursday, April 4, 2002
                           Created for you by
                  Network Computing and the SANS Institute
                          Powered by Neohapsis

    ----------------------------------------------------------------------

    Welcome to the latest edition of Security Alert Consensus! Below
    you should find information pertaining only to the categories you
    requested. Information on how to manage your subscription can be found
    at the bottom of the newsletter. If you have any problems or questions,
    please e-mail us at <consensus@nwc.com>.

    ----------------------------------------------------------------------

    This issue sponsored by Sendmail, the email experts.
    Determine how secure your email system is with a fast, free online
    analysis created by Sendmail. Identify areas of concern, threats to
    consider, and points to reinforce with this confidential tool. Take
    advantage of this free analysis at:
    http://www.MakeEmailSecure.com

    ----------------------------------------------------------------------

    Microsoft released a cumulative Internet Explorer patch this week,
    which fixes two new vulnerabilities in IE as well as everything
    else to date. The company has flagged the patch as 'critical.' More
    information can be found in this issue under item {02.13.007}.

    We also wanted to make a slight correction to a news blurb reported
    last week, regarding a new theory paper on cracking 1024-bit RSA
    keys. Just to be clear: The implications of the paper are still being
    debated and, even so, most of it is still theory, so there's no need to
    run out and upgrade your keys in the next week. In general, however,
    some people consider 1024-bit keys weak for certain sensitive data
    and think their lifespan might be coming to a close over the next few
    years. Thus, your organization may want to consider planning ahead
    and designing a migration path away from 1024 just in case.

    Until next week,
    --Security Alert Consensus Team

    ************************************************************************

    TABLE OF CONTENTS:

    {02.13.001} Win - IE img dynsrc file enumeration
    {02.13.007} Win - MS02-015: Cumulative IE patch
    {02.13.018} Win - Debploit local process handle duplication
    {02.13.021} Win - Sambar HTTP server overflows
    {02.13.024} Win - ZoneAlarm MailSafe extra dot attachment bypass
    {02.13.026} Win - Win2K DCOM clients leak memory data
    {02.13.005} Linux - Update {02.12.008}: imlib library multiple overflows
    {02.13.008} Linux - Update {02.10.001}: OpenSSH channels off-by-one
                vulnerability
    {02.13.009} Linux - Update {02.07.004}: CUPS attribute name buffer
                overflow
    {02.13.011} Linux - Update {02.08.012}: Squid multiple vulnerabilities
    {02.13.013} Linux - nscd A/PTR lookup error
    {02.13.019} Linux - Caldera startkde incorrect LD_LIBRARY_PATH
    {02.13.014} Sol - Xsun co parameter overflow
    {02.13.015} AIX - April AIX 'Security Issues'
    {02.13.023} NW - Remote manager HTTP server auth overflow
    {02.13.006} SGI - RPC/HOSTALIASES DoS
    {02.13.017} NApps - PostNuke CGI case list parameter command execution
    {02.13.002} Other - Cisco CallManager LDAP connection DoS
    {02.13.003} Cross - NFuse getLastError() CSS vulnerability
    {02.13.004} Cross - NFuse boilerplate CGI arbitrary file access
    {02.13.010} Cross - XFree86 shared memory access
    {02.13.012} Cross - Update {02.08.035}: mod_ssl session serializing
                overflow
    {02.13.016} Cross - wwwisis CGI command execution/file retrieve
    {02.13.020} Cross - Update {02.08.034}: PHP file upload vulnerabilities
    {02.13.022} Cross - Squirrelmail cookie THEME command execution
    {02.13.025} Cross - Analog CSS vulnerability in reports
    {02.13.027} Cross - Posadis DNS server logging format string
                vulnerability

    --- Windows News -------------------------------------------------------

    *** {02.13.001} Win - IE img dynsrc file enumeration

    Internet Explorer versions 5.0 and later reportedly allow a
    malicious Web site or e-mail to determine if certain files exist on
    a user's system and expose nonsensitive file information (size, date
    created/modified, etc.). This is done via the 'dynsrc' attribute of
    the 'img' tag.

    This vulnerability is not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-03/0331.html

    *** {02.13.007} Win - MS02-015: Cumulative IE patch

    Microsoft released MS02-015 ("Cumulative IE patch"). The patch
    fixes two new security bugs in Internet Explorer, as well as all
    past vulnerabilities. The two new vulnerabilities allow a malicious
    Web site or e-mail to execute local system programs and arbitrary
    JavaScript embedded in a cookie in the local system security zone.

    FAQ and patch:
    http://www.microsoft.com/technet/security/bulletin/MS02-015.asp

    Source: Microsoft
    http://archives.neohapsis.com/archives/vendor/2002-q1/0072.html

    *** {02.13.018} Win - Debploit local process handle duplication

    In the past few weeks, a vulnerability known as 'debploit' has been
    widely discussed. The premise is that local users can use the debugging
    API to duplicate a process handle, which can then be used to gain
    system privileges. This affects Windows NT and 2000.

    This vulnerability is not confirmed in any official form. A
    demonstration exploit is available.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-03/0358.html

    *** {02.13.021} Win - Sambar HTTP server overflows

    Sambar HTTP server version 5.0 reportedly contains multiple buffer
    overflows, which could allow a remote attacker to execute arbitrary
    code on the system.

    These vulnerabilities are confirmed; a patch is available at:
    http://www.sambarserver.com/download/sambar51p.exe

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-03/0387.html

    *** {02.13.024} Win - ZoneAlarm MailSafe extra dot attachment bypass

    ZoneAlarm's MailSafe feature prior to version 3.0.118 does not filter
    attachments if an extra dot is added to the file name. This could allow
    malicious attachments to bypass the MailSafe attachment filtering.

    This vulnerability is confirmed. Version 3.0.118 fixes the problem.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-04/0004.html
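    The extra-dot bypass above, as an added example (not code from the newsletter or from ZoneAlarm) of why an attachment filter must first normalise a file name to the name Windows will actually store; the blocked-extension list and the assumption that the extra dot is a trailing one ("report.exe.") are mine:

```python
# Added example: naive extension check beside a normalising one.
# Assumption: the bypass is a trailing dot. Windows drops trailing dots and
# spaces when it creates a file, so "report.exe." is stored as "report.exe".

# Constructed list of extensions the filter is meant to quarantine.
BLOCKED_EXTENSIONS = {"exe", "com", "bat", "pif", "scr", "vbs", "js"}


def naive_extension(filename: str) -> str:
    """Flawed check: take whatever follows the last dot, as received."""
    _, _, ext = filename.rpartition(".")
    return ext.lower()


def naive_is_blocked(filename: str) -> bool:
    return naive_extension(filename) in BLOCKED_EXTENSIONS


def windows_effective_name(filename: str) -> str:
    """Name the file will actually get on disk: strip trailing dots/spaces."""
    return filename.rstrip(". ")


def hardened_extension(filename: str) -> str:
    """Extension of the name Windows will use; '' when there is no dot."""
    name = windows_effective_name(filename)
    _, sep, ext = name.rpartition(".")
    return ext.lower() if sep else ""


def hardened_is_blocked(filename: str) -> bool:
    return hardened_extension(filename) in BLOCKED_EXTENSIONS


if __name__ == "__main__":
    for name in ("report.exe", "report.exe.", "setup.EXE .", "notes.txt"):
        print(f"{name!r:16} naive={naive_is_blocked(name)!s:5} "
              f"hardened={hardened_is_blocked(name)}")
```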

    *** {02.13.026} Win - Win2K DCOM clients leak memory data

    An advisory has surfaced that indicates the Windows 2000 DCOM client
    will include a small chunk of arbitrary memory (and any data within
    it) in remote requests. This could lead to an information exposure,
    depending on what data is contained in the memory when sent.

    This vulnerability is confirmed; a fix is included in the Windows
    2000 SRP1.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-04/0005.html

    --- Linux News ---------------------------------------------------------

    *** {02.13.005} Linux - Update {02.12.008}: imlib library multiple
                    overflows

    Conectiva released updated imlib packages, which fix the vulnerability
    discussed in {02.12.008} ("imlib library multiple overflows").

    Updated Conectiva RPMs:
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q1/0025.html

    Source: Conectiva
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q1/0025.html

    *** {02.13.008} Linux - Update {02.10.001}: OpenSSH channels off-by-one
                    vulnerability

    Caldera released updated OpenSSH packages, which fix the vulnerability
    discussed in {02.10.001} ("OpenSSH channels off-by-one vulnerability").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0026.html

    Source: Caldera
    http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0026.html

    *** {02.13.009} Linux - Update {02.07.004}: CUPS attribute name buffer
                    overflow

    Caldera released updated CUPS packages, which fix the vulnerability
    discussed in {02.07.004} ("CUPS attribute name buffer overflow").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0022.html

    Source: Caldera
    http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0022.html

    *** {02.13.011} Linux - Update {02.08.012}: Squid multiple
                    vulnerabilities

    Caldera released updated squid packages, which fix the vulnerabilities
    discussed in {02.08.012} ("Squid multiple vulnerabilities").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0024.html

    Source: Caldera
    http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0024.html

    *** {02.13.013} Linux - nscd A/PTR lookup error

    An advisory released by Caldera indicates that the nscd name service
    cache daemon does not properly look up A records associated with PTR
    records. This means applications may not be able to fully resolve
    host names, thereby allowing an attacker to bypass certain host-name
    restrictions.

    Caldera confirmed this problem. Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0027.html

    Source: Caldera
    http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0027.html
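    The A/PTR problem above, as an added example (not code from the newsletter or from Caldera) of the forward-confirmation step a host-name restriction depends on; the zone data is a constructed in-memory table rather than a real resolver, and the host names and addresses are mine:

```python
# Added example: PTR-only check beside a forward-confirmed one.
# Whoever runs the reverse zone for an address controls its PTR record, so a
# check that stops at the PTR accepts any name that zone chooses to publish.
# Resolving the name back to A records and requiring the original address
# among them closes that gap; this is the step that fails when A lookups
# for PTR names are not performed.

from typing import Callable, Dict, List, Optional

# Constructed zone data.
PTR_RECORDS: Dict[str, str] = {
    "192.0.2.10": "admin.example.com",    # genuine host
    "198.51.100.7": "admin.example.com",  # reverse zone claiming a name it does not own
}
A_RECORDS: Dict[str, List[str]] = {
    "admin.example.com": ["192.0.2.10"],
}


def lookup_ptr(ip: str) -> Optional[str]:
    return PTR_RECORDS.get(ip)


def lookup_a(name: str) -> List[str]:
    return A_RECORDS.get(name, [])


def ptr_only_allows(ip: str, trusted_name: str) -> bool:
    """Weak check: trust whatever name the PTR record returns."""
    name = lookup_ptr(ip)
    return name is not None and name.lower() == trusted_name.lower()


def forward_confirmed_allows(ip: str, trusted_name: str,
                             ptr: Callable[[str], Optional[str]] = lookup_ptr,
                             a: Callable[[str], List[str]] = lookup_a) -> bool:
    """Accept only if PTR(ip) is the trusted name AND A(name) contains ip."""
    name = ptr(ip)
    if name is None or name.lower() != trusted_name.lower():
        return False
    return ip in a(name)


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7", "203.0.113.1"):
        print(ip, "ptr-only:", ptr_only_allows(ip, "admin.example.com"),
              "forward-confirmed:", forward_confirmed_allows(ip, "admin.example.com"))
```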

    *** {02.13.019} Linux - Caldera startkde incorrect LD_LIBRARY_PATH

    An advisory released by Caldera indicates that the startkde application
    incorrectly sets the LD_LIBRARY_PATH to include the current directory,
    which could cause unsuspecting users to execute trojaned libraries.

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0028.html

    Source: Caldera
    http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0028.html

    --- Solaris News -------------------------------------------------------

    *** {02.13.014} Sol - Xsun co parameter overflow

    The Xsun server shipped with Solaris 2.6, 7 and 8 reportedly contains
    a buffer overflow in the handling of the 'co' command-line parameter,
    which could allow a local attacker to execute arbitrary commands with
    gid 0 privileges (possibly uid 0 on Solaris Intel systems).

    Sun confirmed this vulnerability and is currently working on a fix.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0000.html

    --- AIX News -----------------------------------------------------------

    *** {02.13.015} AIX - April AIX 'Security Issues'

    IBM released APARs IY20699, IY28063, IY28064 and IY28065, which all
    fix a 'security issue.' The details of the issue, or whether they
    all refer to the same issue, are unknown. They all appear to affect
    AIX 3.x. IBM also released APAR IY28706, which fixes a buffer overflow
    in the RPC code in AIX 4.3.x.

    Source: IBM
    http://archives.neohapsis.com/archives/aix/2002-q1/0009.html

    --- NetWare News -------------------------------------------------------

    *** {02.13.023} NW - Remote manager HTTP server auth overflow

    The remote manager HTTP server shipped with Netware 6.0 contains
    a buffer overflow in the handling of large user name/password
    combinations. This causes the remote manager server to crash and
    potentially allows a remote attacker to execute arbitrary code.

    This vulnerability is not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-04/0001.html

    --- SGI News -----------------------------------------------------------

    *** {02.13.006} SGI - RPC/HOSTALIASES DoS

    An advisory released by SGI indicates the potential for various
    RPC services to crash, causing a denial of service. Either a remote
    attacker or a malformed HOSTALIASES environment variable can trigger
    the DoS.

    IRIX 6.5.16 will contain the fix. In the meantime, patches for
    6.5.10-6.5.15 are listed at the reference URL below.

    Source: SGI
    http://archives.neohapsis.com/archives/vendor/2002-q1/0074.html

    --- Network Appliances News --------------------------------------------

    *** {02.13.017} NApps - PostNuke CGI case list parameter command
                    execution

    PostNuke version 0.7.0.3 does not properly filter the case list URL
    parameter, allowing a remote attacker to trick user.php into executing
    arbitrary PHP code.

    This vulnerability is not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-03/0345.html

    --- Other News ---------------------------------------------------------

    *** {02.13.002} Other - Cisco CallManager LDAP connection DoS

    Cisco CallManager versions 3.0 and 3.1 leak resources when an LDAP user
    authentication request fails. This can lead to a denial of service,
    which causes the server to crash and reload.

    Cisco confirmed this problem and released CallManager version 3.1(3a),
    which is available by contacting Cisco.

    Source: Cisco
    http://archives.neohapsis.com/archives/cisco/2002-q1/0010.html

    --- Cross-Platform News ------------------------------------------------

    *** {02.13.003} Cross - NFuse getLastError() CSS vulnerability

    Citrix NFuse versions 1.6 and prior reportedly contain a cross-site
    scripting vulnerability in the getLastError() function. Any NFuse
    page displaying the output of getLastError() to the user is vulnerable
    to CSS.

    This vulnerability is not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-03/0334.html

    *** {02.13.004} Cross - NFuse boilerplate CGI arbitrary file access

    NFuse version 1.5 ships with the boilerplate CGI that allows an
    authenticated user to access arbitrary files on the system by using
    '..' notation in the NFuse_Template URL parameter.

    The advisory indicates vendor confirmation.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-03/0343.html
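    The '..' traversal above, as an added example (not code from the newsletter or from Citrix) of the containment check a template parameter needs; the template root and file names are assumed, and posixpath is used so the check runs without touching a file system:

```python
# Added example: naive concatenation beside a root-containment check.
# A substring test for ".." is not enough; resolving the path and testing
# that it still lies under the root is what actually confines it.

import posixpath

TEMPLATE_ROOT = "/opt/nfuse/templates"   # assumed location


def naive_template_path(template: str) -> str:
    """Flawed: plain concatenation, so '..' walks out of the root."""
    return TEMPLATE_ROOT + "/" + template


def naive_resolves_to(template: str) -> str:
    """Where the naive path actually ends up once the OS collapses '..'."""
    return posixpath.normpath(naive_template_path(template))


def safe_template_path(template: str) -> str:
    """Resolve the name under TEMPLATE_ROOT and refuse anything outside it."""
    if not template or "\0" in template:
        raise ValueError("empty or NUL-containing template name")
    # A leading slash would make join() discard the root, so strip it first.
    candidate = posixpath.normpath(
        posixpath.join(TEMPLATE_ROOT, template.lstrip("/")))
    if posixpath.commonpath([TEMPLATE_ROOT, candidate]) != TEMPLATE_ROOT:
        raise ValueError(f"template escapes root: {template!r}")
    if candidate == TEMPLATE_ROOT:
        raise ValueError("template name resolves to the root itself")
    return candidate


def template_is_allowed(template: str) -> bool:
    try:
        safe_template_path(template)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for t in ("login.htm", "sub/../login.htm", "../../../etc/passwd", ".."):
        print(f"{t!r:24} naive->{naive_resolves_to(t):24} allowed={template_is_allowed(t)}")
```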

    *** {02.13.010} Cross - XFree86 shared memory access

    An advisory released by Caldera indicates that users who have local
    X Windows access via XFree86 version 4.1 are able to access arbitrary
    shared memory segments via the MIT-SHM functions.

    It is unknown at this time whether this vulnerability is specific to
    Caldera or if it affects all XFree86 installations.

    Updated Caldera RPMs:
    http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0023.html

    Source: Caldera
    http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0023.html

    *** {02.13.012} Cross - Update {02.08.035}: mod_ssl session serializing
                    overflow

    Caldera and Compaq released updated mod_ssl packages, which fix the
    vulnerability discussed in {02.08.035} ("mod_ssl session serializing
    overflow").

    Updated Caldera RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0025.html

    Updated Compaq CSWS packages for OpenVMS and Tru64 are listed at:
    http://archives.neohapsis.com/archives/compaq/2002-q1/0118.html

    Source: Caldera, Compaq
    http://archives.neohapsis.com/archives/linux/caldera/2002-q1/0025.html
    http://archives.neohapsis.com/archives/compaq/2002-q1/0118.html

    *** {02.13.016} Cross - wwwisis CGI command execution/file retrieve

    Bireme.br's wwwisis CGI reportedly does not properly filter URL
    parameters, allowing a remote attacker to execute arbitrary commands
    and potentially read local files outside the Web root. Version 3.x
    is affected.

    The vendor confirmed these vulnerabilities and declared that version
    3.x is no longer supported. Thus, upgrading to the latest 5.x version
    will fix the problem.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q1/0077.html

    *** {02.13.020} Cross - Update {02.08.034}: PHP file upload
                    vulnerabilities

    Compaq released updated CSWS packages, which fix the vulnerabilities
    discussed in {02.08.034} ("PHP file upload vulnerabilities").

    Updated CSWS packages for OpenVMS and Tru64 are listed at:
    http://archives.neohapsis.com/archives/compaq/2002-q1/0118.html

    Source: Compaq
    http://archives.neohapsis.com/archives/compaq/2002-q1/0118.html

    *** {02.13.022} Cross - Squirrelmail cookie THEME command execution

    The Squirrelmail CGI suite version 1.2.5 does not properly filter the
    THEME variable supplied in a cookie, which could allow an authenticated
    user to execute arbitrary commands on the local system under the Web
    server's privileges.

    The vendor confirmed this vulnerability and will have it fixed in
    version 1.2.6.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-03/0350.html
    http://archives.neohapsis.com/archives/bugtraq/2002-03/0386.html

    *** {02.13.025} Cross - Analog CSS vulnerability in reports

    An advisory released by Debian indicates that a remote attacker can
    embed malicious JavaScript in Web requests, which analog then copies
    into its HTML report, resulting in a cross-site scripting
    vulnerability.

    Updated Debian DEBs are listed at:
    http://archives.neohapsis.com/archives/vendor/2002-q1/0071.html

    Source: Debian
    http://archives.neohapsis.com/archives/vendor/2002-q1/0071.html
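    The report-injection problem above, as an added example (not code from the newsletter, Debian or analog) of a minimal log-report writer with and without output escaping; the common-log-format lines are constructed samples:

```python
# Added example: request paths copied verbatim into an HTML report beside
# the fix of escaping every log-derived field before it is emitted.

import html
import re
from collections import Counter
from typing import List

# Constructed sample access log (common log format); the second request
# carries markup in its path, which is what ends up in the report.
SAMPLE_LOG = """\
192.0.2.1 - - [04/Apr/2002:10:00:00 -0600] "GET /index.html HTTP/1.0" 200 1043
192.0.2.2 - - [04/Apr/2002:10:00:05 -0600] "GET /<script>alert(1)</script> HTTP/1.0" 404 210
192.0.2.1 - - [04/Apr/2002:10:00:09 -0600] "GET /index.html HTTP/1.0" 200 1043
"""

CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')


def request_counts(log_text: str) -> Counter:
    """Count requests per path; lines that do not parse are skipped."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = CLF_RE.match(line)
        if m:
            counts[m.group(3)] += 1
    return counts


def report_rows_unescaped(log_text: str) -> List[str]:
    """Flawed: the request path is interpolated into HTML as-is."""
    return [f"<tr><td>{path}</td><td>{n}</td></tr>"
            for path, n in request_counts(log_text).most_common()]


def report_rows_escaped(log_text: str) -> List[str]:
    """Fixed: every value taken from the log is HTML-escaped first."""
    return [f"<tr><td>{html.escape(path, quote=True)}</td><td>{n}</td></tr>"
            for path, n in request_counts(log_text).most_common()]


if __name__ == "__main__":
    print("\n".join(report_rows_unescaped(SAMPLE_LOG)))
    print("\n".join(report_rows_escaped(SAMPLE_LOG)))
```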

    *** {02.13.027} Cross - Posadis DNS server logging format string
                    vulnerability

    The Posadis DNS server version m5pre1 contains format string
    vulnerabilities in the logging function, which could allow a remote
    attacker to execute arbitrary code on the system.

    This vulnerability is not confirmed.

    Source: SecurityFocus Vuln-Dev
    http://archives.neohapsis.com/archives/vuln-dev/2002-q1/1092.html

    ************************************************************************

    ----------------------------------------------------------------------

    Become a Security Alert Consensus member! If this e-mail was passed
    to you and you would like to begin receiving our security e-mail
    newsletter on a weekly basis, we invite you to subscribe today.
    http://www.networkcomputing.com/consensus/.

    We are signing the Consensus newsletter
    with PGP. The new SANS PGP key is posted at:
    http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46
    and can be accessed from the SANS Web site (http://www.sans.org).

    Special Note: To better secure your confidential information,
    we will no longer include personal URLs in our Consensus
    newsletter mailings. Instead, we have created a new form
    (http://www.sans.org/sansurl). On this form you can enter the SD
    number located near your name at the top of the newsletter. When you
    submit this form, an e-mail containing a URL will be sent to you at
    the e-mail address on record. With this URL you can make changes to
    your account (edit the content of your Consensus mailing, for example)
    without endangering the security of your personal URL. If you'd like
    to change your e-mail address or other information, please visit your
    new URL as described above. If you have any problems or questions,
    e-mail us at <consensus@nwc.com>.

    If you would like to unsubscribe from this newsletter, grab your SD
    number (next to your name at the top of this message) and visit the
    URL below. You will be sent a personal URL via E-mail, from which
    you can unsubscribe. http://www.sans.org/sansurl

    Missed an issue? You can find all back issues of
    Security Alert Consensus (and Security Express) online.
    http://archives.neohapsis.com/

    Your opinion counts. We'd like to hear your thoughts on Security Alert
    Consensus. E-mail any questions or comments to <consensus@nwc.com>.

    Copyright (c) 2002 Network Computing, a CMP Media LLC
    publication. All Rights Reserved. Distributed by Network
    Computing (http://www.networkcomputing.com) and The SANS Institute
    (http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
    security assessment and integration services consulting group
    (info@neohapsis.com | http://www.neohapsis.com/).