From: Network Computing and The SANS Institute (sans+ZZ92749548344794983@sans.org)
Date: Thu Apr 11 2002 - 14:34:12 CDT



    Re: Your personalized newsletter

                     -- Security Alert Consensus --
                           Number 014 (02.14)
                        Thursday, April 11, 2002
                           Created for you by
                 Network Computing and the SANS Institute
                          Powered by Neohapsis

    ----------------------------------------------------------------------

    Welcome to the latest edition of Security Alert Consensus! Below
    you should find information pertaining only to the categories you
    requested. Information on how to manage your subscription can be found
    at the bottom of the newsletter. If you have any problems or questions,
    please e-mail us at <consensus@nwc.com>.

    ----------------------------------------------------------------------

    Take the Survey, Win a Dell Laptop!
    InformationWeek's annual Global Information Security Survey, fielded by
    PricewaterhouseCoopers LLP, canvasses IT professionals around the globe
    about security breaches, strategies, spending and cutting-edge
    technology. As soon as you submit your completed questionnaire, you'll
    be entered in a drawing to win a customized Dell laptop. Other prizes
    include a Palm, a Sony Clie and a Handspring Visor, among others. Your
    point of view means a great deal to us and to others in the IT industry.

    For more information and to take the survey.
    http://i.nl03.net/ltr0/?_m=0f.206q.2.00seed0002.0

    ----------------------------------------------------------------------

    Microsoft released an IIS mega-patch this week that fixes 10 (yes,
    *10*) new vulnerabilities. Some of the vulnerabilities are critical
    buffer overflows that let remote attackers execute arbitrary code on
    the IIS system. We definitely recommend you review and install the
    patch as soon as possible. The links to the advisory are reported
    under SAC item {02.14.031} in the 'Windows' section.

    Until next week,
    --Security Alert Consensus Team

    ************************************************************************

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    TABLE OF CONTENTS:

    {02.14.005} Win - Cisco ACS HTTP server format string vulnerability and
                file retrieval
    {02.14.007} Win - Quik-Serv HTTP server file retrieval
    {02.14.011} Win - Funk Software Proxy multiple vulnerabilities
    {02.14.013} Win - MS02-016: Group policy file exclusive read DoS
    {02.14.014} Win - MS02-017: Multiple UNC Provider buffer overflow
    {02.14.017} Win - IE OWC control multiple vulnerabilities
    {02.14.022} Win - Abyss HTTP server encoded URL file retrieval
    {02.14.023} Win - Typsoft FTP server directory browsing
    {02.14.027} Win - Winamp minibrowser CSS vulnerability
    {02.14.031} Win - MS02-018: Cumulative IIS patch
    {02.14.004} Linux - Update {02.07.004}: CUPS attribute name buffer
                overflow
    {02.14.006} Linux - Update {02.11.004}: rsync inherits group privileges
                in daemon mode
    {02.14.015} Linux - Update {02.12.028}: Logwatch tmp file race condition
    {02.14.020} Linux - Update {01.30.001}: tcpdump AFS parsing overflow (2)
    {02.14.024} Linux - HP Secure Linux audit daemon/zlib overflow
    {02.14.025} Linux - HP Secure Linux kernel updates
    {02.14.018} SCO - Update {02.13.010}: XFree86 shared memory access
    {02.14.010} NApps - Watchguard SOHO firewall malformed IP options DoS
    {02.14.021} NApps - Cisco Aironet AP/Bridge telnet DoS
    {02.14.003} Other - Update {02.06.011}: Multiple vendor SNMP problems
    {02.14.001} Cross - icecast client_login() overflow
    {02.14.002} Cross - Update {02.10.014}: zlib double free decompression
                bug
    {02.14.012} Cross - IMP multiple CSS vulnerabilities
    {02.14.016} Cross - Anthill CGI CSS and authentication bypass
                vulnerabilities
    {02.14.019} Cross - ASP-Nuke CGI multiple vulnerabilities
    {02.14.026} Cross - Emumail CGI file retrieval
    {02.14.028} Cross - Dynamic Guestbook CGI gbdaten parameter script
                execution
    {02.14.029} Cross - phpBB CGI malformed code section DoS
    {02.14.030} Cross - PHPGroupware CGI SQL injection
    {02.14.008} Tools - Sendmail 8.12.3 available
    {02.14.009} Tools - Apache 2.0 officially released

    - --- Windows News -------------------------------------------------------

    *** {02.14.005} Win - Cisco ACS HTTP server format string vulnerability
                    and file retrieval

    Cisco ACS versions 3.0.1 build 40 and 2.6.x on Windows contain a
    remotely exploitable format string vulnerability in the included
    HTTP administrative server. This could allow a remote attacker to
    execute arbitrary code or crash the service, resulting in a denial of
    service. It's also possible for an attacker to use reverse directory
    traversal URL notation ('..') to request certain files outside the
    Webroot.

    Cisco released patches, which are available at:
    http://www.cisco.com/cgi-bin/tablebuild.pl/cs-acs-win

    Source: Cisco
    http://archives.neohapsis.com/archives/cisco/2002-q2/0001.html

    *** {02.14.007} Win - Quik-Serv HTTP server file retrieval

    The Quik-Serv HTTP server version 1.1b allows a remote attacker to
    download arbitrary files by using reverse directory traversal notation
    ('..') in a URL request.

    This vulnerability is not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-04/0051.html

    *** {02.14.011} Win - Funk Software Proxy multiple vulnerabilities

    Funk Software's Proxy prior to version 3.09a contains multiple
    vulnerabilities that would allow a local user to recover the Proxy
    administrative password. Improper permissions on a communications
    pipe could also allow remote users to change the password and other
    Proxy configuration settings.

    The vendor confirmed this vulnerability and released version 3.09a.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0007.html

    *** {02.14.013} Win - MS02-016: Group policy file exclusive read DoS

    Microsoft released MS02-016 ("Group policy file exclusive read
    DoS"). After logging on to the domain, an attacker can open the group
    policy files for exclusive read, thereby preventing any other users
    from reading and applying the policies. This affects Windows 2000 only.

    FAQ and patch:
    http://www.microsoft.com/technet/security/bulletin/MS02-016.asp

    Source: Microsoft
    http://archives.neohapsis.com/archives/vendor/2002-q2/0002.html

    *** {02.14.014} Win - MS02-017: Multiple UNC Provider buffer overflow

    Microsoft released MS02-017 ("Multiple UNC Provider buffer
    overflow"). Windows NT, 2000 and XP come with the Multiple UNC Provider
    service that handles all UNC paths. A buffer overflow in the handling
    of long UNC names can allow a local attacker to execute arbitrary
    code with elevated privileges.

    FAQ and patch:
    http://www.microsoft.com/technet/security/bulletin/MS02-017.asp

    Source: Microsoft
    http://archives.neohapsis.com/archives/vendor/2002-q2/0001.html

    *** {02.14.017} Win - IE OWC control multiple vulnerabilities

    The Office Web Components control shipped with Office XP contains
    many bugs that could allow a malicious Web site to: execute arbitrary
    JavaScript, even if active scripting is disabled; read local files;
    and access the clipboard.

    These vulnerabilities are not confirmed.

    Source: NTBugtraq
    http://archives.neohapsis.com/archives/ntbugtraq/2002-q2/0015.html
    http://archives.neohapsis.com/archives/ntbugtraq/2002-q2/0016.html
    http://archives.neohapsis.com/archives/ntbugtraq/2002-q2/0017.html
    http://archives.neohapsis.com/archives/ntbugtraq/2002-q2/0018.html

    *** {02.14.022} Win - Abyss HTTP server encoded URL file retrieval

    Abyss HTTP server version 1.0 lets remote attackers use encoded reverse
    directory traversal ('..') notation to retrieve files outside the
    Webroot. It's possible to recover the abyss.conf file, which contains
    the Abyss server administrative password.

    This vulnerability is not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-04/0110.html

    *** {02.14.023} Win - Typsoft FTP server directory browsing

    Typsoft FTP server version 0.97.1 reportedly allows an attacker
    who can log into the FTP service (anonymous or otherwise) to browse
    directories by using reverse directory traversal ('..') notation in
    certain FTP commands.

    The vendor confirmed this vulnerability and released version 0.97.5.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-04/0090.html
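
    Four of this week's Windows items (Cisco ACS, Quik-Serv, Abyss and Typsoft
    FTP) are the same bug: a user-supplied path is handed to the filesystem
    without first decoding it and checking that it still points inside the
    served tree. The Abyss report is the instructive one, because a server
    that looks for '..' before percent-decoding never sees '%2e%2e'. The
    following is an added example written for this newsletter, not code from
    any of the affected products; the webroot, the sample request paths and
    the rejection of scheme-prefixed values (which also covers parameters
    that name a file for a script to open) are assumptions for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Assumed document root for the example (not taken from any advisory).
WEBROOT = "/var/www/htdocs"
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*://")


class TraversalError(ValueError):
    """Raised when a request path must not be served."""


def decode_fully(raw: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so that '%2e%2e' and the
    double-encoded '%252e%252e' are both seen as '..' before any check runs."""
    cur = raw
    for _ in range(max_rounds):
        nxt = unquote(cur)
        if nxt == cur:
            return cur
        cur = nxt
    raise TraversalError("too many layers of percent-encoding")


def resolve_request_path(url_path: str, webroot: str = WEBROOT) -> str:
    """Map a request path onto a file under webroot, or raise TraversalError."""
    decoded = decode_fully(url_path)
    if "\x00" in decoded:
        raise TraversalError("NUL byte in path")
    if SCHEME_RE.match(decoded):
        raise TraversalError("URL supplied where a local path was expected")
    # Windows servers accept '\' as a separator; normalise before looking for '..'.
    decoded = decoded.replace("\\", "/")
    # Reject any '..' segment outright. This also refuses in-root paths such as
    # '/images/../index.html', which is a deliberate choice for a small server.
    if any(seg == ".." for seg in decoded.split("/")):
        raise TraversalError("'..' segment present after decoding")
    rel = posixpath.normpath("/" + decoded.lstrip("/")).lstrip("/")
    full = posixpath.normpath(posixpath.join(webroot, rel))
    # Belt and braces: whatever normalisation did, the result must stay under webroot.
    if posixpath.commonpath([webroot, full]) != webroot:
        raise TraversalError("resolved outside webroot")
    return full


def classify(url_path: str) -> str:
    """Return 'ok: <path>' or 'rejected: <reason>' for one request path."""
    try:
        return "ok: " + resolve_request_path(url_path)
    except TraversalError as exc:
        return "rejected: " + str(exc)


# Constructed request paths modelled on the items above; none are taken from
# the advisories themselves.
SAMPLE_REQUESTS = [
    "/index.html",
    "/docs/%41bout.html",
    "/../../../winnt/win.ini",
    "/%2e%2e/%2e%2e/abyss.conf",
    "/%252e%252e/abyss.conf",
    "/..\\..\\abyss.conf",
    "/index.html%00.gif",
    "http://attacker.example/evil.txt",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{req!r:40} -> {classify(req)}")
```

    The order of the steps is the point: decode first, then look for '..',
    then confirm the final absolute path is still under the root. A check
    that runs on the raw URL is defeated by encoding, and a check that only
    normalises the path (without refusing '..') silently maps attacks onto
    harmless files and hides the probing from the log.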

    *** {02.14.027} Win - Winamp minibrowser CSS vulnerability

    Winamp's mini Web browser, included with versions 2.79 and prior, does
    not filter HTML characters out of ID3v2 tags before rendering them. A
    trojan MP3 file can therefore carry markup in its tag that redirects
    the user's browser to any Web site and executes arbitrary script in
    cross-site scripting fashion.

    The vendor confirmed this vulnerability.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-04/0026.html
    http://archives.neohapsis.com/archives/bugtraq/2002-04/0049.html
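
    The Winamp item is worth seeing end to end, because the attacker's input
    arrives in a binary file format rather than a form field. The following
    added example (written for this newsletter, not Winamp or Nullsoft code)
    builds a minimal ID3v2.3 tag whose title frame carries markup, parses it
    the way a player would, and shows the rendering with and without HTML
    escaping. The tag contents and the 'Now playing' markup are constructed
    for illustration; the frame layout follows the ID3v2.3 specification.
    The escaping step at the end is the same fix the IMP, Anthill and
    ASP-Nuke cross-site scripting items later in this issue call for.

```python
import html
import struct


def syncsafe(n: int) -> bytes:
    """Encode n as a 4-byte ID3 syncsafe integer (7 data bits per byte)."""
    return bytes(((n >> shift) & 0x7F) for shift in (21, 14, 7, 0))


def unsyncsafe(b: bytes) -> int:
    n = 0
    for byte in b:
        n = (n << 7) | (byte & 0x7F)
    return n


def build_text_frame(frame_id: str, text: str) -> bytes:
    """ID3v2.3 text frame: id(4) size(4, big-endian) flags(2) encoding(1) text."""
    payload = b"\x00" + text.encode("latin-1")  # encoding byte 0 = ISO-8859-1
    return frame_id.encode("ascii") + struct.pack(">I", len(payload)) + b"\x00\x00" + payload


def build_id3v2_tag(frames: dict) -> bytes:
    """ID3v2.3 header: 'ID3' version(2) flags(1) syncsafe size(4), then the frames."""
    body = b"".join(build_text_frame(k, v) for k, v in frames.items())
    return b"ID3" + bytes([3, 0]) + b"\x00" + syncsafe(len(body)) + body


def parse_id3v2_text_frames(data: bytes) -> dict:
    """Return {frame_id: text} for the text (T***) frames of an ID3v2.3 tag."""
    if data[:3] != b"ID3" or data[3] != 3:
        raise ValueError("not an ID3v2.3 tag")
    size = unsyncsafe(data[6:10])
    pos, end = 10, 10 + size
    frames = {}
    while pos + 10 <= end:
        frame_id = data[pos:pos + 4]
        if frame_id == b"\x00\x00\x00\x00":
            break  # padding reached
        frame_size = struct.unpack(">I", data[pos + 4:pos + 8])[0]
        payload = data[pos + 10:pos + 10 + frame_size]
        if frame_id.startswith(b"T") and payload:
            enc, text = payload[0], payload[1:]
            if enc == 0:
                frames[frame_id.decode("ascii")] = text.decode("latin-1").rstrip("\x00")
            elif enc == 1:
                frames[frame_id.decode("ascii")] = text.decode("utf-16").rstrip("\x00")
        pos += 10 + frame_size
    return frames


def render_unsafe(title: str) -> str:
    """What a mini-browser that trusts tag data does: markup goes straight into the page."""
    return f"<b>Now playing:</b> {title}"


def render_safe(title: str) -> str:
    """The fix: tag text is data, so escape it before it reaches the HTML."""
    return f"<b>Now playing:</b> {html.escape(title, quote=True)}"


# Constructed stand-in for the "trojan MP3" of the report: a title frame whose
# text is script rather than a song name.
TROJAN_TITLE = "<script>location='http://attacker.example/'</script>"
TROJAN_TAG = build_id3v2_tag({"TIT2": TROJAN_TITLE, "TPE1": "Nobody"})

if __name__ == "__main__":
    title = parse_id3v2_text_frames(TROJAN_TAG)["TIT2"]
    print(render_unsafe(title))
    print(render_safe(title))
```

    The parser is deliberately faithful to the format: the title comes out
    exactly as the file author wrote it, which is correct. The bug is not in
    reading the tag but in handing that string to an HTML renderer unchanged.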

    *** {02.14.031} Win - MS02-018: Cumulative IIS patch

    Microsoft released MS02-018 ("Cumulative IIS patch"). The patch fixes
    10 new vulnerabilities in IIS 4.0, 5.0 and 5.1, which ship with Windows
    NT 4.0, Windows 2000 and Windows XP respectively.

    FAQ and patch:
    http://www.microsoft.com/technet/security/bulletin/MS02-018.asp

    Source: Microsoft
    http://archives.neohapsis.com/archives/vendor/2002-q2/0005.html

    - --- Linux News ---------------------------------------------------------

    *** {02.14.004} Linux - Update {02.07.004}: CUPS attribute name buffer
                    overflow

    Conectiva released updated cups packages, which fix the vulnerability
    discussed in {02.07.004} ("CUPS attribute name buffer overflow").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q2/0000.html

    Source: Conectiva
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q2/0000.html

    *** {02.14.006} Linux - Update {02.11.004}: rsync inherits group
                    privileges in daemon mode

    Caldera released updated rsync packages, which fix the vulnerability
    discussed in {02.11.004} ("rsync inherits group privileges in daemon
    mode").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0000.html

    Source: Caldera
    http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0000.html

    *** {02.14.015} Linux - Update {02.12.028}: Logwatch tmp file race
                    condition

    Red Hat released updated logwatch packages, which fix the vulnerability
    discussed in {02.12.028} ("Logwatch tmp file race condition").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/bugtraq/2002-04/0069.html

    Source: Red Hat (SecurityFocus Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2002-04/0069.html

    *** {02.14.020} Linux - Update {01.30.001}: tcpdump AFS parsing
                    overflow (2)

    Red Hat released updated tcpdump packages, which fix the vulnerability
    discussed in {01.30.001} ("tcpdump AFS parsing overflow (2)").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0015.html

    Source: Red Hat
    http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0015.html

    *** {02.14.024} Linux - HP Secure Linux audit daemon/zlib overflow

    The audit daemon included with HP's Secure OS software for Linux
    distribution uses the vulnerable version of zlib, which allows a
    local attacker to execute arbitrary code with elevated privileges.

    HP released patch HPTL_00016.

    Source: HP
    http://archives.neohapsis.com/archives/hp/2002-q2/0002.html

    *** {02.14.025} Linux - HP Secure Linux kernel updates

    HP released updated kernel patches, which fix prior bugs found in
    the kernel shipped with the HP Secure OS software for Linux.

    HP released patches HPTL_00013, HPTL_00014 and HPTL_00015.

    Source: HP
    http://archives.neohapsis.com/archives/hp/2002-q2/0002.html

    - --- SCO News -----------------------------------------------------------

    *** {02.14.018} SCO - Update {02.13.010}: XFree86 shared memory access

    Caldera/SCO released updated xserver packages, which fix the
    vulnerability discussed in {02.13.010} ("XFree86 shared memory
    access").

    Updates are available at:
    ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.14

    Source: Caldera/SCO
    http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0002.html

    - --- Network Appliances News --------------------------------------------

    *** {02.14.010} NApps - Watchguard SOHO firewall malformed IP options
                    DoS

    Under certain configurations, the Watchguard SOHO firewall crashes and
    reboots when it attempts to forward packets with particular malformed
    IP options.

    The vendor confirmed this vulnerability and released firmware version
    5.0.35.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0006.html

    *** {02.14.021} NApps - Cisco Aironet AP/Bridge telnet DoS

    Cisco released an advisory indicating the Aironet Access Point 340
    and 350, as well as the Aironet Bridge 350, are vulnerable to a denial
    of service attack if the device is configured to allow telnet access.

    More information and notes on how to obtain fixes are available at:
    http://archives.neohapsis.com/archives/cisco/2002-q2/0002.html

    Source: Cisco
    http://archives.neohapsis.com/archives/cisco/2002-q2/0002.html

    - --- Other News ---------------------------------------------------------

    *** {02.14.003} Other - Update {02.06.011}: Multiple vendor SNMP
                    problems

    Compaq and SuSE released updated SNMP packages, which fix the
    vulnerability discussed in {02.06.011} ("Multiple vendor SNMP
    problems").

    A list of Compaq Tru64 patches is available at:
    http://archives.neohapsis.com/archives/tru64/2002-q2/0005.html

    Updated SuSE RPMs:
    http://archives.neohapsis.com/archives/linux/suse/2002-q2/0074.html

    Source: Compaq, SuSE
    http://archives.neohapsis.com/archives/tru64/2002-q2/0005.html
    http://archives.neohapsis.com/archives/linux/suse/2002-q2/0074.html

    - --- Cross-Platform News ------------------------------------------------

    *** {02.14.001} Cross - icecast client_login() overflow

    Icecast server versions 1.3.11 and prior contain a buffer overflow in
    the client_login() function that allows a remote attacker to execute
    arbitrary code with the privileges of the icecast server process.

    This vulnerability is not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-04/0017.html

    *** {02.14.002} Cross - Update {02.10.014}: zlib double free
                    decompression bug

    There are multiple updates to the vulnerability discussed in
    {02.10.014} ("zlib double free decompression bug"): a list of various
    vulnerable VNC viewers (and patches); Cisco also released a list of
    potentially affected products; and Caldera released updated RPMs.

    A full list of vulnerable VNC viewers, as well as updates, are
    listed at:
    http://archives.neohapsis.com/archives/bugtraq/2002-04/0021.html

    A list of affected Cisco products is available at:
    http://archives.neohapsis.com/archives/cisco/2002-q2/0000.html

    Updated Caldera Linux RPMs:
    http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0001.html

    Source: SecurityFocus Bugtraq, Cisco, Caldera
    http://archives.neohapsis.com/archives/bugtraq/2002-04/0021.html
    http://archives.neohapsis.com/archives/cisco/2002-q2/0000.html
    http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0001.html

    *** {02.14.012} Cross - IMP multiple CSS vulnerabilities

    The Horde team released a new version of IMP (version 2.2.8), which
    fixes multiple cross-site scripting attacks found in previous versions.

    The updated packages can be found at:
    ftp://ftp.horde.org/pub/imp/

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-04/0087.html

    *** {02.14.016} Cross - Anthill CGI CSS and authentication bypass
                    vulnerabilities

    The Anthill bug tracking CGI suite does not properly filter incoming
    user data, thereby allowing cross-site scripting attacks. Another
    bug allows an unauthenticated user to submit new bug reports.

    The advisory indicates vendor confirmation.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-04/0089.html

    *** {02.14.019} Cross - ASP-Nuke CGI multiple vulnerabilities

    The ASP-Nuke CGI suite contains multiple vulnerabilities, including
    cross-site scripting and authentication bypassing.

    These vulnerabilities are not confirmed.

    Source: SecurityFocus Vuln-Dev
    http://archives.neohapsis.com/archives/vuln-dev/2002-q2/0074.html

    *** {02.14.026} Cross - Emumail CGI file retrieval

    The Emumail CGI from emumail.com allows a remote attacker to read files
    readable by the Web server by tampering with the 'type' URL parameter.

    This vulnerability is not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-04/0066.html

    *** {02.14.028} Cross - Dynamic Guestbook CGI gbdaten parameter script
                    execution

    Gcf.de's Dynamic Guestbook version 3.0 does not properly filter the
    'gbdaten' URL parameter before passing it to a PHP file-opening call.
    Because PHP will open URLs as well as local files in that context, a
    remote user can supply the address of a malicious server and have PHP
    fetch and execute a script from it.

    This vulnerability is not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-04/0052.html

    *** {02.14.029} Cross - phpBB CGI malformed code section DoS

    The phpBB CGI suite is vulnerable to a denial of service whereby
    submitting lots of NULL characters in certain HTML sections could
    cause the CGI script to consume large amounts of memory and CPU time.

    This vulnerability is not confirmed.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0005.html

    *** {02.14.030} Cross - PHPGroupware CGI SQL injection

    The PHPGroupware CGI suite version 0.9.12 is vulnerable to SQL
    injection, thereby allowing a remote attacker to access and modify
    the back-end database.

    This vulnerability is not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-04/0036.html
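
    The PHPGroupware item is the standard CGI SQL injection pattern: a
    request parameter is spliced into the text of a query. The following
    added example (written for this newsletter, not PHPGroupware code) shows
    a login check and a search written that way, the payloads that turn each
    into a bypass or a data leak, and the parameterised versions that resist
    them. SQLite stands in for the real back end, and the table and column
    names, rows and payloads are all constructed for illustration.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for a groupware back end; the rows are sample data."""
    con = sqlite3.connect(":memory:")
    con.execute(
        "CREATE TABLE accounts "
        "(account_id INTEGER PRIMARY KEY, account_lid TEXT, account_pwd TEXT)"
    )
    con.executemany(
        "INSERT INTO accounts (account_lid, account_pwd) VALUES (?, ?)",
        [("alice", "hash-of-alice-pw"), ("bob", "hash-of-bob-pw")],
    )
    con.commit()
    return con


def login_vulnerable(con: sqlite3.Connection, user: str, pw: str) -> bool:
    """Untrusted input spliced into the statement text: the injection pattern."""
    sql = (
        "SELECT account_id FROM accounts "
        f"WHERE account_lid = '{user}' AND account_pwd = '{pw}'"
    )
    return con.execute(sql).fetchone() is not None


def login_fixed(con: sqlite3.Connection, user: str, pw: str) -> bool:
    """Bound parameters: values travel separately and cannot alter the statement."""
    sql = "SELECT account_id FROM accounts WHERE account_lid = ? AND account_pwd = ?"
    return con.execute(sql, (user, pw)).fetchone() is not None


def search_vulnerable(con: sqlite3.Connection, prefix: str) -> list:
    """Name search with the prefix pasted into a LIKE pattern."""
    sql = f"SELECT account_lid FROM accounts WHERE account_lid LIKE '{prefix}%'"
    return [row[0] for row in con.execute(sql)]


def search_fixed(con: sqlite3.Connection, prefix: str) -> list:
    """Same search with the pattern bound as a parameter."""
    sql = "SELECT account_lid FROM accounts WHERE account_lid LIKE ?"
    return [row[0] for row in con.execute(sql, (prefix + "%",))]


# Constructed payloads (not from the advisory).
# Closes the quoted string and ORs in a tautology, so the password check never matters:
#   WHERE account_lid = 'alice' OR '1'='1' AND account_pwd = 'wrong'
PAYLOAD_LOGIN = "alice' OR '1'='1"
# Closes the LIKE pattern and UNIONs the password column into the result set; the
# trailing quote absorbs the "%'" that the template appends.
PAYLOAD_SEARCH = "zzz' UNION SELECT account_pwd FROM accounts WHERE account_lid LIKE '"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable login bypass:", login_vulnerable(db, PAYLOAD_LOGIN, "wrong"))
    print("fixed login with payload:", login_fixed(db, PAYLOAD_LOGIN, "wrong"))
    print("vulnerable search leaks:", search_vulnerable(db, PAYLOAD_SEARCH))
    print("fixed search with payload:", search_fixed(db, PAYLOAD_SEARCH))
```

    Escaping quotes by hand (the usual 2002-era fix) is weaker than binding,
    because it has to be repeated at every call site and be correct for every
    database's quoting rules; a bound parameter is never parsed as SQL at all.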

    - --- Tool Announcements News --------------------------------------------

    *** {02.14.008} Tools - Sendmail 8.12.3 available

    Sendmail version 8.12.3 has been released. While it features many
    bug fixes, none is of a security nature.

    The new version can be downloaded from:
    ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.3.tar.Z

    Source: Sendmail
    http://archives.neohapsis.com/archives/sendmail/2002-q2/0000.html

    *** {02.14.009} Tools - Apache 2.0 officially released

    Apache 2.0.35 has been deemed a general release, meaning that Apache
    2.0 is now out of beta and considered production quality. Apache 2.0
    claims higher performance over the 1.3 series, as well as integrated
    SSL, WebDAV and improved proxy support.

    More information and downloads are available at:
    http://httpd.apache.org/

    Source: Apache
    http://archives.neohapsis.com/archives/apache/2002/0005.html

    ************************************************************************

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (BSD/OS)
    Comment: For info see http://www.gnupg.org

    iD8DBQE8teNd+LUG5KFpTkYRAgxbAJsFz8cpgg1IXHRMY/Amis1Ni+pjJwCfVtL+
    tUhruZltSQ+orM+Y5u8gGd0=
    =aXD6
    -----END PGP SIGNATURE-----
    ------------------------------------------------------------------------


    ----------------------------------------------------------------------

    Become a Security Alert Consensus member! If this e-mail was passed
    to you and you would like to begin receiving our security e-mail
    newsletter on a weekly basis, we invite you to subscribe today.
    http://www.networkcomputing.com/consensus/.

    We are signing the Consensus newsletter
    with PGP. The new SANS PGP key is posted at:
    http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46
    and can be accessed from the SANS Web site (http://www.sans.org).

    Special Note: To better secure your confidential information,
    we will no longer include personal URLs in our Consensus
    newsletter mailings. Instead, we have created a new form
    (http://www.sans.org/sansurl). On this form you can enter the SD
    number located near your name at the top of the newsletter. When you
    submit this form, an e-mail containing a URL will be sent to you at
    the e-mail address on record. With this URL you can make changes to
    your account (edit the content of your Consensus mailing, for example)
    without endangering the security of your personal URL. If you'd like
    to change your e-mail address or other information, please visit your
    new URL as described above. If you have any problems or questions,
    e-mail us at <consensus@nwc.com>.

    If you would like to unsubscribe from this newsletter, grab your SD
    number (next to your name at the top of this message) and visit the
    URL below. You will be sent a personal URL via E-mail, from which
    you can unsubscribe. http://www.sans.org/sansurl

    Missed an issue? You can find all back issues of
    Security Alert Consensus (and Security Express) online.
    http://archives.neohapsis.com/

    Your opinion counts. We'd like to hear your thoughts on Security Alert
    Consensus. E-mail any questions or comments to <consensus@nwc.com>.

    Copyright (c) 2002 Network Computing, a CMP Media LLC
    publication. All Rights Reserved. Distributed by Network
    Computing (http://www.networkcomputing.com) and The SANS Institute
    (http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
    security assessment and integration services consulting group
    (info@neohapsis.com | http://www.neohapsis.com/).