From: Network Computing and The SANS Institute (sans+ZZ92749548344794983@sans.org)
Date: Thu Apr 11 2002 - 14:34:12 CDT
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 014 (02.14)
Thursday, April 11, 2002
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below
you should find information pertaining only to the categories you
requested. Information on how to manage your subscription can be found
at the bottom of the newsletter. If you have any problems or questions,
please e-mail us at <consensus@nwc.com>.
----------------------------------------------------------------------
Take the Survey, Win a Dell Laptop!
InformationWeek's annual Global Information Security Survey, fielded by
PricewaterhouseCoopers LLP, canvasses IT professionals around the globe
about security breaches, strategies, spending and cutting-edge
technology. As soon as you submit your completed questionnaire, you'll
be entered in a drawing to win a customized Dell laptop. Other prizes
include a Palm, a Sony Clie and a Handspring Visor, among others. Your
point of view means a great deal to us and to others in the IT industry.
For more information and to take the survey, visit:
http://i.nl03.net/ltr0/?_m=0f.206q.2.00seed0002.0
----------------------------------------------------------------------
Microsoft released an IIS mega-patch this week that fixes 10 (yes,
*10*) new vulnerabilities. Some of the vulnerabilities are critical
buffer overflows that let remote attackers execute arbitrary code on
the IIS system. We definitely recommend you review and install the
patch as soon as possible. The links to the advisory are reported
under SAC item {02.14.031} in the 'Windows' section.
Until next week,
--Security Alert Consensus Team
************************************************************************
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
TABLE OF CONTENTS:
{02.14.005} Win - Cisco ACS HTTP server format string vulnerability and
file retrieval
{02.14.007} Win - Quik-Serv HTTP server file retrieval
{02.14.011} Win - Funk Software Proxy multiple vulnerabilities
{02.14.013} Win - MS02-016: Group policy file exclusive read DoS
{02.14.014} Win - MS02-017: Multiple UNC Provider buffer overflow
{02.14.017} Win - IE OWC control multiple vulnerabilities
{02.14.022} Win - Abyss HTTP server encoded URL file retrieval
{02.14.023} Win - Typsoft FTP server directory browsing
{02.14.027} Win - Winamp minibrowser CSS vulnerability
{02.14.031} Win - MS02-018: Cumulative IIS patch
{02.14.004} Linux - Update {02.07.004}: CUPS attribute name buffer
overflow
{02.14.006} Linux - Update {02.11.004}: rsync inherits group privileges
in daemon mode
{02.14.015} Linux - Update {02.12.028}: Logwatch tmp file race condition
{02.14.020} Linux - Update {01.30.001}: tcpdump AFS parsing overflow (2)
{02.14.024} Linux - HP Secure Linux audit daemon/zlib overflow
{02.14.025} Linux - HP Secure Linux kernel updates
{02.14.018} SCO - Update {02.13.010}: XFree86 shared memory access
{02.14.010} NApps - Watchguard SOHO firewall malformed IP options DoS
{02.14.021} NApps - Cisco Aironet AP/Bridge telnet DoS
{02.14.003} Other - Update {02.06.011}: Multiple vendor SNMP problems
{02.14.001} Cross - icecast client_login() overflow
{02.14.002} Cross - Update {02.10.014}: zlib double free decompression
bug
{02.14.012} Cross - IMP multiple CSS vulnerabilities
{02.14.016} Cross - Anthill CGI CSS and authentication bypass
vulnerabilities
{02.14.019} Cross - ASP-Nuke CGI multiple vulnerabilities
{02.14.026} Cross - Emumail CGI file retrieval
{02.14.028} Cross - Dynamic Guestbook CGI gbdaten parameter script
execution
{02.14.029} Cross - phpBB CGI malformed code section DoS
{02.14.030} Cross - PHPGroupware CGI SQL injection
{02.14.008} Tools - Sendmail 8.12.3 available
{02.14.009} Tools - Apache 2.0 officially released
- --- Windows News -------------------------------------------------------
*** {02.14.005} Win - Cisco ACS HTTP server format string vulnerability
and file retrieval
Cisco ACS versions 3.0.1 build 40 and 2.6.x on Windows contain a
remotely exploitable format string vulnerability in the included
HTTP administrative server. This could allow a remote attacker to
execute arbitrary code or crash the service, resulting in a denial of
service. It's also possible for an attacker to use reverse directory
traversal URL notation ('..') to request certain files outside the
Webroot.
Cisco released patches, which are available at:
http://www.cisco.com/cgi-bin/tablebuild.pl/cs-acs-win
Source: Cisco
http://archives.neohapsis.com/archives/cisco/2002-q2/0001.html
*** {02.14.007} Win - Quik-Serv HTTP server file retrieval
The Quik-Serv HTTP server version 1.1b allows a remote attacker to
download arbitrary files by using reverse directory traversal notation
('..') in a URL request.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-04/0051.html
*** {02.14.011} Win - Funk Software Proxy multiple vulnerabilities
Funk Software's Proxy prior to version 3.09a contains multiple
vulnerabilities that would allow a local user to recover the Proxy
administrative password. Improper permissions on a communications
pipe could also allow remote users to change the password and other
Proxy configuration settings.
The vendor confirmed this vulnerability and released version 3.09a.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0007.html
*** {02.14.013} Win - MS02-016: Group policy file exclusive read DoS
Microsoft released MS02-016 ("Group policy file exclusive read
DoS"). After logging on to the domain, an attacker can open the group
policy files for exclusive read, thereby preventing any other users
from reading and applying the policies. This affects Windows 2000 only.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS02-016.asp
Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2002-q2/0002.html
*** {02.14.014} Win - MS02-017: Multiple UNC Provider buffer overflow
Microsoft released MS02-017 ("Multiple UNC Provider buffer
overflow"). Windows NT, 2000 and XP come with the Multiple UNC Provider
service that handles all UNC paths. A buffer overflow in the handling
of long UNC names can allow a local attacker to execute arbitrary
code with elevated privileges.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS02-017.asp
Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2002-q2/0001.html
*** {02.14.017} Win - IE OWC control multiple vulnerabilities
The Office Web Components control shipped with Office XP contains
many bugs that could allow a malicious Web site to: execute arbitrary
JavaScript, even if active scripting is disabled; read local files;
and access the clipboard.
These vulnerabilities are not confirmed.
Source: NTBugtraq
http://archives.neohapsis.com/archives/ntbugtraq/2002-q2/0015.html
http://archives.neohapsis.com/archives/ntbugtraq/2002-q2/0016.html
http://archives.neohapsis.com/archives/ntbugtraq/2002-q2/0017.html
http://archives.neohapsis.com/archives/ntbugtraq/2002-q2/0018.html
*** {02.14.022} Win - Abyss HTTP server encoded URL file retrieval
Abyss HTTP server version 1.0 lets remote attackers use encoded reverse
directory traversal ('..') notation to retrieve files outside the
Webroot. It's possible to recover the abyss.conf file, which contains
the Abyss server administrative password.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-04/0110.html
*** {02.14.023} Win - Typsoft FTP server directory browsing
Typsoft FTP server version 0.97.1 reportedly allows an attacker
who can log into the FTP service (anonymous or otherwise) to browse
directories by using reverse directory traversal ('..') notation in
certain FTP commands.
The vendor confirmed this vulnerability and released version 0.97.5.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-04/0090.html
*** {02.14.027} Win - Winamp minibrowser CSS vulnerability
Winamp's mini Web browser included with versions 2.79 and prior does
not filter out HTML characters from ID3v2 tags, thereby allowing a
trojan MP3 file to redirect the user's browser to any Web site and
execute arbitrary code in cross-site scripting fashion.
The vendor confirmed this vulnerability.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-04/0026.html
http://archives.neohapsis.com/archives/bugtraq/2002-04/0049.html
*** {02.14.031} Win - MS02-018: Cumulative IIS patch
Microsoft released MS02-018 ("Cumulative IIS patch"). The patch fixes
10 new vulnerabilities in IIS versions 4.0 through 5.1 on Windows NT
and 2000.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS02-018.asp
Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2002-q2/0005.html
- --- Linux News ---------------------------------------------------------
*** {02.14.004} Linux - Update {02.07.004}: CUPS attribute name buffer
overflow
Conectiva released updated cups packages, which fix the vulnerability
discussed in {02.07.004} ("CUPS attribute name buffer overflow").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/conectiva/2002-q2/0000.html
Source: Conectiva
http://archives.neohapsis.com/archives/linux/conectiva/2002-q2/0000.html
*** {02.14.006} Linux - Update {02.11.004}: rsync inherits group
privileges in daemon mode
Caldera released updated rsync packages, which fix the vulnerability
discussed in {02.11.004} ("rsync inherits group privileges in daemon
mode").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0000.html
Source: Caldera
http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0000.html
*** {02.14.015} Linux - Update {02.12.028}: Logwatch tmp file race
condition
Red Hat released updated logwatch packages, which fix the vulnerability
discussed in {02.12.028} ("Logwatch tmp file race condition").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/bugtraq/2002-04/0069.html
Source: Red Hat (SecurityFocus Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2002-04/0069.html
*** {02.14.020} Linux - Update {01.30.001}: tcpdump AFS parsing
overflow (2)
Red Hat released updated tcpdump packages, which fix the vulnerability
discussed in {01.30.001} ("tcpdump AFS parsing overflow (2)").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0015.html
Source: Red Hat
http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0015.html
*** {02.14.024} Linux - HP Secure Linux audit daemon/zlib overflow
The audit daemon included with HP's Secure OS software for Linux
distribution uses the vulnerable version of zlib, which allows a
local attacker to execute arbitrary code with elevated privileges.
HP released patch HPTL_00016.
Source: HP
http://archives.neohapsis.com/archives/hp/2002-q2/0002.html
*** {02.14.025} Linux - HP Secure Linux kernel updates
HP released updated kernel patches, which fix prior bugs found in
the kernel shipped with the HP Secure OS software for Linux.
HP released patches HPTL_00013, HPTL_00014 and HPTL_00015.
Source: HP
http://archives.neohapsis.com/archives/hp/2002-q2/0002.html
- --- SCO News -----------------------------------------------------------
*** {02.14.018} SCO - Update {02.13.010}: XFree86 shared memory access
Caldera/SCO released updated xserver packages, which fix the
vulnerability discussed in {02.13.010} ("XFree86 shared memory
access").
Updates are available at:
ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.14
Source: Caldera/SCO
http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0002.html
- --- Network Appliances News --------------------------------------------
*** {02.14.010} NApps - Watchguard SOHO firewall malformed IP options
DoS
Under certain configurations, the Watchguard SOHO firewall crashes and
reboots when it attempts to forward packets with particular malformed
IP options.
The vendor confirmed this vulnerability and released firmware version
5.0.35.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0006.html
*** {02.14.021} NApps - Cisco Aironet AP/Bridge telnet DoS
Cisco released an advisory indicating the Aironet Access Point 340
and 350, as well as the Aironet Bridge 350, are vulnerable to a denial
of service attack if the device is configured to allow telnet access.
More information and notes on how to obtain fixes are available at:
http://archives.neohapsis.com/archives/cisco/2002-q2/0002.html
Source: Cisco
http://archives.neohapsis.com/archives/cisco/2002-q2/0002.html
- --- Other News ---------------------------------------------------------
*** {02.14.003} Other - Update {02.06.011}: Multiple vendor SNMP
problems
Compaq and SuSE released updated SNMP packages, which fix the
vulnerability discussed in {02.06.011} ("Multiple vendor SNMP
problems").
A list of Compaq Tru64 patches is available at:
http://archives.neohapsis.com/archives/tru64/2002-q2/0005.html
Updated SuSE RPMs:
http://archives.neohapsis.com/archives/linux/suse/2002-q2/0074.html
Source: Compaq, SuSE
http://archives.neohapsis.com/archives/tru64/2002-q2/0005.html
http://archives.neohapsis.com/archives/linux/suse/2002-q2/0074.html
- --- Cross-Platform News ------------------------------------------------
*** {02.14.001} Cross - icecast client_login() overflow
Icecast server versions 1.3.11 and prior contain a buffer overflow in
the client_login() function that allows a remote attacker to execute
arbitrary shellcode under the privileges of the icecast server.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-04/0017.html
*** {02.14.002} Cross - Update {02.10.014}: zlib double free
decompression bug
There are multiple updates to the vulnerability discussed in
{02.10.014} ("zlib double free decompression bug"): a list of various
vulnerable VNC viewers (and patches); Cisco also released a list of
potentially affected products; and Caldera released updated RPMs.
A full list of vulnerable VNC viewers, as well as updates, is
available at:
http://archives.neohapsis.com/archives/bugtraq/2002-04/0021.html
A list of affected Cisco products is available at:
http://archives.neohapsis.com/archives/cisco/2002-q2/0000.html
Updated Caldera Linux RPMs:
http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0001.html
Source: SecurityFocus Bugtraq, Cisco, Caldera
http://archives.neohapsis.com/archives/bugtraq/2002-04/0021.html
http://archives.neohapsis.com/archives/cisco/2002-q2/0000.html
http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0001.html
*** {02.14.012} Cross - IMP multiple CSS vulnerabilities
The Horde team released a new version of IMP (version 2.2.8), which
fixes multiple cross-site scripting attacks found in previous versions.
The updated packages can be found at:
ftp://ftp.horde.org/pub/imp/
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-04/0087.html
*** {02.14.016} Cross - Anthill CGI CSS and authentication bypass
vulnerabilities
The Anthill bug tracking CGI suite does not properly filter incoming
user data, thereby allowing cross-site scripting attacks. Another
bug allows an unauthenticated user to submit new bug reports.
The advisory indicates vendor confirmation.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-04/0089.html
*** {02.14.019} Cross - ASP-Nuke CGI multiple vulnerabilities
The ASP-Nuke CGI suite contains multiple vulnerabilities, including
cross-site scripting and authentication bypassing.
These vulnerabilities are not confirmed.
Source: SecurityFocus Vuln-Dev
http://archives.neohapsis.com/archives/vuln-dev/2002-q2/0074.html
*** {02.14.026} Cross - Emumail CGI file retrieval
The Emumail CGI from emumail.com allows a remote attacker to read files
readable by the Web server by tampering with the 'type' URL parameter.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-04/0066.html
*** {02.14.028} Cross - Dynamic Guestbook CGI gbdaten parameter script
execution
Gcf.de's Dynamic Guestbook version 3.0 does not properly filter the
'gbdaten' URL parameter before passing it to an open call, thereby
allowing a remote user to trick PHP into downloading scripts from a
malicious server.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-04/0052.html
*** {02.14.029} Cross - phpBB CGI malformed code section DoS
The phpBB CGI suite is vulnerable to a denial of service whereby
submitting lots of NULL characters in certain HTML sections could
cause the CGI script to consume large amounts of memory and CPU time.
This vulnerability is not confirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0005.html
*** {02.14.030} Cross - PHPGroupware CGI SQL injection
The PHPGroupware CGI suite version 0.9.12 is vulnerable to SQL
injection, thereby allowing a remote attacker to access and modify
the back-end database.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-04/0036.html
- --- Tool Announcements News --------------------------------------------
*** {02.14.008} Tools - Sendmail 8.12.3 available
Sendmail version 8.12.3 has been released. While it features many
bug fixes, none is of a security nature.
The new version can be downloaded from:
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.3.tar.Z
Source: Sendmail
http://archives.neohapsis.com/archives/sendmail/2002-q2/0000.html
*** {02.14.009} Tools - Apache 2.0 officially released
Apache 2.0.35 has been deemed a general release, meaning that Apache
2.0 is now out of beta and considered production quality. Apache 2.0
claims higher performance over the 1.3 series, as well as integrated
SSL, WebDAV, and improved proxy support.
More information and downloads are available at:
http://httpd.apache.org/
Source: Apache
http://archives.neohapsis.com/archives/apache/2002/0005.html
************************************************************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (BSD/OS)
Comment: For info see http://www.gnupg.org
iD8DBQE8teNd+LUG5KFpTkYRAgxbAJsFz8cpgg1IXHRMY/Amis1Ni+pjJwCfVtL+
tUhruZltSQ+orM+Y5u8gGd0=
=aXD6
-----END PGP SIGNATURE-----
------------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed
to you and you would like to begin receiving our security e-mail
newsletter on a weekly basis, we invite you to subscribe today.
http://www.networkcomputing.com/consensus/.
We are signing the Consensus newsletter
with PGP. The new SANS PGP key is posted at:
http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46
and can be accessed from the SANS Web site (http://www.sans.org).
Special Note: To better secure your confidential information,
we will no longer include personal URLs in our Consensus
newsletter mailings. Instead, we have created a new form
(http://www.sans.org/sansurl). On this form you can enter the SD
number located near your name at the top of the newsletter. When you
submit this form, an e-mail containing a URL will be sent to you at
the e-mail address on record. With this URL you can make changes to
your account (edit the content of your Consensus mailing, for example)
without endangering the security of your personal URL. If you'd like
to change your e-mail address or other information, please visit your
new URL as described above. If you have any problems or questions,
e-mail us at <consensus@nwc.com>.
If you would like to unsubscribe from this newsletter, grab your SD
number (next to your name at the top of this message) and visit the
URL below. You will be sent a personal URL via E-mail, from which
you can unsubscribe. http://www.sans.org/sansurl
Missed an issue? You can find all back issues of
Security Alert Consensus (and Security Express) online.
http://archives.neohapsis.com/
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2002 Network Computing, a CMP Media LLC
publication. All Rights Reserved. Distributed by Network
Computing (http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).