From: Network Computing and The SANS Institute (sans+ZZ55730521004945285sans.org)
Date: Thu Apr 18 2002 - 15:08:10 CDT



    Re: Your personalized newsletter

                       -- Security Alert Consensus --
                             Number 015 (02.15)
                         Thursday, April 18, 2002
                             Created for you by
                  Network Computing and the SANS Institute
                             Powered by Neohapsis

    ----------------------------------------------------------------------

    Welcome to the latest edition of Security Alert Consensus! Below
    you should find information pertaining only to the categories you
    requested. Information on how to manage your subscription can be found
    at the bottom of the newsletter. If you have any problems or questions,
    please e-mail us at <consensusnwc.com>.

    ----------------------------------------------------------------------

    WHO CAN YOU TRUST TO SECURE YOUR NETWORK?

    NetScreen Technologies has released new integrated firewall and VPN
    products optimized to protect networks from traditional security
    intrusions and emerging threats, such as wireless LANs and Trojan
    attacks. Download NetScreen's white paper, "The Disappearance of the
    Trusted Network," at
    http://www.netscreen.com/idg_textlink

    ----------------------------------------------------------------------

    Last week, a rather large and important IIS security patch was
    released. And over the past week, there have been numerous reports
    about the patch breaking other services and functions. Some people have
    been considering the folly of providing one big patch: If one small
    component of the patch breaks something, then the entire patch becomes
    useless. The alternative, of course, is applying 10 different little
    patches. But is applying a batch of patches harder than troubleshooting
    where one big patch went wrong? Patch consolidation may not exactly
    help when it comes to regression testing.

    In related news, Russ Cooper posted a few rants on the shortcomings
    of Windows Update; he makes several good points that are worth
    thinking about.
    http://archives.neohapsis.com/archives/ntbugtraq/2002-q2/0053.html
    http://archives.neohapsis.com/archives/ntbugtraq/2002-q2/0054.html

    Until next week,
    --Security Alert Consensus Team

    ************************************************************************

    TABLE OF CONTENTS:

    {02.15.001} Linux - Update {02.14.012}: IMP multiple CSS vulnerabilities
    {02.15.007} Linux - Update {02.12.002}: libsafe printf token and
                argument bypass
    {02.15.005} BSD - OpenBSD mail accepts tilde in noninteractive mode
    {02.15.022} BSD - OpenBSD user info w/YP returns wrong values
    {02.15.025} BSD - FreeBSD syncache/syncookies DoS
    {02.15.021} NW - WebSearch search parameter CSS vulnerability
    {02.15.023} SGI - XFS malformed file name DoS
    {02.15.027} SGI - Cron uses predictable temporary file names
    {02.15.011} SCO - Update {01.05.001}: Multiple Bind buffer overflows
                (TSIG/infoleak)
    {02.15.020} SCO - Update {02.02.025}: dtterm/xterm xrm parameter
                overflow
    {02.15.002} NApps - Intermittent Watchguard SOHO IP restrictions failure
    {02.15.015} NApps - Nortel CVX 1800 exposes user names/passwords via
                SNMP
    {02.15.018} Other - HP Photosmart drivers improper permissions on OS X
    {02.15.024} Other - Multiple Tru64 vulnerabilities
    {02.15.028} Other - MS02-019: IE/Office on OS X buffer overflow
    {02.15.003} Cross - Update {02.14.031}: MS02-018: Cumulative IIS patch
                (Cisco products)
    {02.15.004} Cross - WoltLab Burning Board CGI CSS vulnerability
    {02.15.006} Cross - Tivoli TSM long URL overflow
    {02.15.008} Cross - Informix Web DataBlade SQL tampering and unescaping
    {02.15.009} Cross - Update {02.14.030}: PHPGroupware CGI SQL injection
    {02.15.010} Cross - INN suite format string vulnerabilities
    {02.15.012} Cross - StepWeb Search Engine CGI admin bypass
    {02.15.013} Cross - Webalizer reverse DNS lookup overflow
    {02.15.014} Cross - Melange chat server multiple overflows
    {02.15.016} Cross - Raptor firewall allows FTP bouncing
    {02.15.017} Cross - Demarc CGI user login bypass
    {02.15.019} Cross - SunShop CGI CSS vulnerability
    {02.15.026} Cross - Squid compressed DNS answer DoS

    --- Linux News ---------------------------------------------------------

    *** {02.15.001} Linux - Update {02.14.012}: IMP multiple CSS
                    vulnerabilities

    Debian and Caldera released updated imp packages, which fix
    the vulnerabilities discussed in {02.14.012} ("IMP multiple CSS
    vulnerabilities").

    Updated Debian DEBs:
    http://archives.neohapsis.com/archives/vendor/2002-q2/0008.html

    Updated Caldera RPMs:
    http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0005.html

    Source: Debian, Caldera
    http://archives.neohapsis.com/archives/vendor/2002-q2/0008.html
    http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0005.html

    *** {02.15.007} Linux - Update {02.12.002}: libsafe printf token and
                    argument bypass

    Mandrake released updated libsafe packages, which fix the vulnerability
    discussed in {02.12.002} ("libsafe printf token and argument bypass").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/bugtraq/2002-04/0146.html

    Source: Mandrake (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2002-04/0146.html

    --- BSD News -----------------------------------------------------------

    *** {02.15.005} BSD - OpenBSD mail accepts tilde in noninteractive mode

    The mail application shipped with OpenBSD versions 2.9 and 3.0
    interprets escaped mail functions (called by embedding a tilde into
    a message), even when in noninteractive mode. This allows for a local
    root compromise via cron.

    This vulnerability is confirmed and patches are committed to CVS. You
    can download the patches yourself at:
    ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/018_mail.patch
    ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.9/common/023_mail.patch

    Source: OpenBSD
    http://archives.neohapsis.com/archives/openbsd/2002-04/1005.html

    *** {02.15.022} BSD - OpenBSD user info w/YP returns wrong values

    Systems running OpenBSD 3.0 with YP enabled have an error that can
    result in rshd and rexecd using the wrong shell and in atrun switching
    to the wrong user directory.

    The vendor confirmed this vulnerability. A patch is available at:
    ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/016_approval.patch

    Source: OpenBSD
    http://archives.neohapsis.com/archives/openbsd/2002-04/1002.html

    *** {02.15.025} BSD - FreeBSD syncache/syncookies DoS

    FreeBSD released an advisory indicating that some bugs in the
    syncache/syncookie support could lead to a remote attacker causing
    the system to crash.

    The 4.5 branches as of Feb. 21, 2002, contain a fix. An individual
    patch is available at:
    ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:20/syncache.patch

    Source: FreeBSD
    http://archives.neohapsis.com/archives/freebsd/2002-04/0214.html

    --- NetWare News -------------------------------------------------------

    *** {02.15.021} NW - WebSearch search parameter CSS vulnerability

    Novell Web Search version 2.0.1 is vulnerable to cross-site scripting
    in the handling of the search parameter.

    This vulnerability is confirmed; a fix is included in NetWare 6.0
    Support Pack 1.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0010.html

    --- SGI News -----------------------------------------------------------

    *** {02.15.023} SGI - XFS malformed file name DoS

    SGI released an advisory indicating that the XFS implementation in
    IRIX can be caused to crash if a user creates a particular malformed
    file name. IRIX 6.5.1 through 6.5.11 are vulnerable.

    This vulnerability is confirmed. A full patch matrix is available at:
    http://archives.neohapsis.com/archives/vendor/2002-q2/0007.html

    Source: SGI
    http://archives.neohapsis.com/archives/vendor/2002-q2/0007.html

    *** {02.15.027} SGI - Cron uses predictable temporary file names

    SGI released an advisory indicating that crond uses predictable
    temporary file names, which allows a local attacker to perform a
    symlink attack. IRIX 6.5 through 6.5.9 are vulnerable.

    The proper fix is to update to an IRIX version after 6.5.9 (preferably,
    the latest).

    Source: SGI
    http://archives.neohapsis.com/archives/bugtraq/2002-04/0182.html

    --- SCO News -----------------------------------------------------------

    *** {02.15.011} SCO - Update {01.05.001}: Multiple Bind buffer
                    overflows (TSIG/infoleak)

    Caldera/SCO released updated bind packages, which fix the
    vulnerability discussed in {01.05.001} ("Multiple Bind buffer overflows
    (TSIG/infoleak)").

    Updated binaries are located at:
    ftp://stage.caldera.com/pub/security/unixware/CSSA-2002-SCO.16

    Source: Caldera/SCO
    http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0004.html

    *** {02.15.020} SCO - Update {02.02.025}: dtterm/xterm xrm parameter
                    overflow

    Caldera/SCO released updated packages, which fix the vulnerability
    discussed in {02.02.025} ("dtterm/xterm xrm parameter overflow").

    Updated binaries are located at:
    ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.15

    Source: Caldera/SCO
    http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0003.html

    --- Network Appliances News --------------------------------------------

    *** {02.15.002} NApps - Intermittent Watchguard SOHO IP restrictions
                    failure

    The Watchguard SOHO firewall device with firmware version 5.0.35
    randomly disables IP restrictions, potentially leaving a protected
    network open to access.

    The vendor confirmed this bug, which is limited to this single firmware
    version. A new firmware version is available from Watchguard.

    Source: Vulnwatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0009.html

    *** {02.15.015} NApps - Nortel CVX 1800 exposes user names/passwords
                    via SNMP

    The Nortel CVX 1800 firmware 3.6.3p24 returns the full list of
    administrative user names and passwords in SNMP queries using the
    read-only community string. This string is also set to 'public'
    by default.

    This vulnerability is not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-04/0158.html

    --- Other News ---------------------------------------------------------

    *** {02.15.018} Other - HP Photosmart drivers improper permissions on
                    OS X

    The HP Photosmart printer drivers create world-writable applications,
    which could allow a local attacker to create a trojan that is executed
    when anyone logs in.

    This vulnerability is not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-04/0169.html

    *** {02.15.024} Other - Multiple Tru64 vulnerabilities

    Compaq released a large patch bundle for Tru64 systems that fixes
    a myriad of problems, including: exploitable buffer overflows in
    dtaction, ttsession, dtprintinfo and dtspcd (these all have been
    reported previously); a buffer overflow in libc via LANG and LOCPATH
    environment variables; and ypbind and NFS denial of service attacks.

    A full list of available patches is available at:
    http://archives.neohapsis.com/archives/compaq/2002-q2/0021.html

    Source: Compaq
    http://archives.neohapsis.com/archives/compaq/2002-q2/0021.html

    *** {02.15.028} Other - MS02-019: IE/Office on OS X buffer overflow

    Microsoft released MS02-019 ("IE/Office on OS X buffer overflow"). This
    cumulative patch fixes all Internet Explorer and Office X problems
    for the OS X platform as well as two new vulnerabilities: a buffer
    overflow in HTML parsing, and the ability of a malicious Web site to
    execute local AppleScript files.

    FAQ and patch:
    http://www.microsoft.com/technet/security/bulletin/MS02-019.asp

    Source: Microsoft
    http://archives.neohapsis.com/archives/vendor/2002-q2/0010.html

    --- Cross-Platform News ------------------------------------------------

    *** {02.15.003} Cross - Update {02.14.031}: MS02-018: Cumulative IIS
                    patch (Cisco products)

    Many Cisco products include Windows and IIS by default, and they
    are vulnerable to the problems discussed in {02.14.031} ("MS02-018:
    Cumulative IIS patch").

    A full list of vulnerable Cisco products, together with the
    appropriate updates, is available at:
    http://archives.neohapsis.com/archives/cisco/2002-q2/0004.html

    Source: Cisco
    http://archives.neohapsis.com/archives/cisco/2002-q2/0004.html

    *** {02.15.004} Cross - WoltLab Burning Board CGI CSS vulnerability

    The WoltLab Burning Board CGI suite version 1.1.0 is vulnerable to
    cross-site scripting. The problem is escalated by the fact that the
    CGIs store the user's password in a cookie, allowing a malicious
    e-mail/Web site to exploit the CSS vulnerability and gain access to
    the user's account.

    These vulnerabilities are not confirmed.

    Source: SecurityFocus Vuln-Dev
    http://archives.neohapsis.com/archives/vuln-dev/2002-q2/0091.html

    *** {02.15.006} Cross - Tivoli TSM long URL overflow

    The Tivoli Storage Manager prior to version 4.2.1.32 running on
    Windows contains a buffer overflow in the handling of large URL
    requests, allowing a remote attacker to execute arbitrary code on
    the system. It is uncertain if other platforms are affected.

    The vendor confirmed this problem and released client version 4.2.1.32
    for Windows.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-04/0126.html

    *** {02.15.008} Cross - Informix Web DataBlade SQL tampering and
                    unescaping

    The Informix Web DataBlade is vulnerable to two bugs: SQL tampering
    in URL requests, and the introduction of restricted HTML characters
    into the database even if they are specifically filtered.

    These vulnerabilities are not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-04/0135.html
    http://archives.neohapsis.com/archives/bugtraq/2002-04/0137.html

    *** {02.15.009} Cross - Update {02.14.030}: PHPGroupware CGI SQL
                    injection

    The vendor released a statement concerning the vulnerability discussed
    in {02.14.030} ("PHPGroupware CGI SQL injection").

    Basically, the vendor recommends using the PHP "magic_quotes" feature
    to protect against SQL tampering.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-04/0143.html

    *** {02.15.010} Cross - INN suite format string vulnerabilities

    An advisory surfaced indicating that several format string
    vulnerabilities exist in various applications that compose the INN
    (InterNet News) suite version 2.2.3. The vulnerabilities could allow
    a local attacker to gain uid/gid 'news.'

    These vulnerabilities are not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-04/0140.html

    *** {02.15.012} Cross - StepWeb Search Engine CGI admin bypass

    The StepWeb Search Engine CGI suite version 2.5 allows remote attackers
    to view SWS logs and add information via the administrative interface,
    even if they don't have the proper admin credentials.

    This vulnerability is not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-04/0148.html

    *** {02.15.013} Cross - Webalizer reverse DNS lookup overflow

    The Webalizer HTTP log parser contains a buffer overflow in the
    handling of long addresses returned from reverse DNS lookups. Thus,
    it's possible for a malicious DNS server to execute arbitrary code on
    the system running Webalizer. Version 2.01-09 is reportedly affected.

    This vulnerability is not confirmed.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0017.html

    *** {02.15.014} Cross - Melange chat server multiple overflows

    Melange chat server version 2.02-beta contains several remotely
    exploitable buffer overflows, which allow an attacker to perform a
    denial of service attack and, potentially, execute code on the system.

    These vulnerabilities are not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-04/0157.html

    *** {02.15.016} Cross - Raptor firewall allows FTP bouncing

    The Raptor firewall reportedly allows a remote attacker to perform an
    FTP 'bounce' attack, which is basically bouncing a portscan off of
    a vulnerable FTP server. The particular FTP proxy in Raptor version
    6.5.3i aids an attacker in performing a bounce attack.

    This vulnerability is not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-04/0166.html

    *** {02.15.017} Cross - Demarc CGI user login bypass

    The Demarc PureSecure CGI suite version 1.05 contains a bug in the
    handling of cookies, which could allow a remote attacker to bypass
    authentication and access the system. This is achieved via SQL
    tampering and allows other SQL injection exploits.

    This vulnerability is not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-04/0168.html

    *** {02.15.019} Cross - SunShop CGI CSS vulnerability

    The SunShop shopping cart CGI suite version 2.5 is vulnerable to
    cross-site scripting.

    The advisory indicates confirmation by the vendor, which fixed the
    problem(s) in the latest version.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-04/0154.html

    *** {02.15.026} Cross - Squid compressed DNS answer DoS

    Mandrake released an advisory indicating that a denial of service
    exists in Squid version 2.4.STABLE4. This DoS is triggered by a
    malicious DNS server sending a particular malformed compressed DNS
    response. It is assumed that all platforms are vulnerable (not just
    Mandrake).

    Updated Mandrake RPMs are listed at:
    http://archives.neohapsis.com/archives/bugtraq/2002-04/0181.html

    Source: Mandrake (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2002-04/0181.html
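    Both {02.15.013} (Webalizer) and {02.15.026} (Squid) come down to the
    same failure mode: a program that trusts whatever a DNS server hands
    back. The following is an added example, not code from the newsletter,
    Squid or Webalizer, showing how a client can decode compressed DNS names
    defensively; the advisories do not say which malformation triggers either
    bug, so the hazards covered (pointer loops, pointers off the end of the
    message, reserved label types, names over 255 octets) are the classic
    ones, and the sample messages are constructed for this example.

```python
# Added example (not from the newsletter, Squid or Webalizer): defensive
# decoding of compressed DNS names per RFC 1035 section 4.1.4. Sample
# messages below are constructed here; a real response would carry a full
# 12-byte header and question section before the name data.
import struct

MAX_NAME = 255        # RFC 1035 limit on a wire-format name, root byte included


class MalformedDNS(ValueError):
    """Raised instead of looping, reading out of bounds or returning a name
    too long for a fixed-size hostname buffer."""


def read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode the name at `offset`; return (name, offset after the name).

    Every compression pointer must land strictly before the lowest offset
    this name has already reached, so pointer chains can only move backwards
    and the loop is guaranteed to terminate on any input.
    """
    labels = []
    total = 0              # decoded length, counting each label's length byte
    pos = offset
    low = offset           # lowest offset visited so far for this name
    resume = None          # where the caller continues after the first pointer
    while True:
        if pos >= len(msg):
            raise MalformedDNS("name runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:                   # compression pointer
            if pos + 1 >= len(msg):
                raise MalformedDNS("truncated compression pointer")
            target = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            if target >= low:
                raise MalformedDNS("compression pointer loops or points forward")
            if resume is None:
                resume = pos + 2
            low = pos = target
            continue
        if length & 0xC0:                           # 0x40 / 0x80 are reserved
            raise MalformedDNS("reserved label type")
        pos += 1
        if length == 0:                             # root label ends the name
            break
        if pos + length > len(msg):
            raise MalformedDNS("label runs past end of message")
        total += length + 1
        if total + 1 > MAX_NAME:                    # +1 for the root label
            raise MalformedDNS("name longer than 255 octets")
        labels.append(msg[pos:pos + length].decode("ascii", "replace"))
        pos += length
    return ".".join(labels), (resume if resume is not None else pos)


def decode_or_reject(msg: bytes, offset: int):
    """Return the decoded name, or None when the message should be dropped."""
    try:
        return read_name(msg, offset)[0]
    except MalformedDNS:
        return None


# Constructed samples: a zeroed 12-byte header stub, then name data at offset 12.
HEADER = bytes(12)
GOOD = HEADER + b"\x03www\x07example\x03com\x00" + b"\x04mail\xc0\x10"
LOOP = HEADER + b"\x01a\xc0\x0c"                        # pointer back to itself
TRUNC = HEADER + b"\xc0"                                 # pointer cut in half
LONG = HEADER + (b"\x3f" + b"a" * 63) * 5 + b"\x00"      # 320 octets > 255

if __name__ == "__main__":
    print(read_name(GOOD, 12), read_name(GOOD, 29))
    for label, sample in ("loop", LOOP), ("trunc", TRUNC), ("long", LONG):
        print(label, decode_or_reject(sample, 12))
```

    Because a decoded name can never exceed 255 octets, a caller copying it
    into a buffer of that size cannot be overflowed by a hostile resolver.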

    ************************************************************************

    ------------------------------------------------------------------------

    Become a Security Alert Consensus member! If this e-mail was passed
    to you and you would like to begin receiving our security e-mail
    newsletter on a weekly basis, we invite you to subscribe today.
    http://www.networkcomputing.com/consensus/.

    We are signing the Consensus newsletter
    with PGP. The new SANS PGP key is posted at:
    http://certserver.pgp.com:11371/pks/lookup?op=get&search=0xA1694E46
    and can be accessed from the SANS Web site (http://www.sans.org).

    Special Note: To better secure your confidential information,
    we will no longer include personal URLs in our Consensus
    newsletter mailings. Instead, we have created a new form
    (http://www.sans.org/sansurl). On this form you can enter the SD
    number located near your name at the top of the newsletter. When you
    submit this form, an e-mail containing a URL will be sent to you at
    the e-mail address on record. With this URL you can make changes to
    your account (edit the content of your Consensus mailing, for example)
    without endangering the security of your personal URL. If you'd like
    to change your e-mail address or other information, please visit your
    new URL as described above. If you have any problems or questions,
    e-mail us at <consensusnwc.com>.

    If you would like to unsubscribe from this newsletter, grab your SD
    number (next to your name at the top of this message) and visit the
    URL below. You will be sent a personal URL via E-mail, from which
    you can unsubscribe. http://www.sans.org/sansurl

    Missed an issue? You can find all back issues of
    Security Alert Consensus (and Security Express) online.
    http://archives.neohapsis.com/

    Your opinion counts. We'd like to hear your thoughts on Security Alert
    Consensus. E-mail any questions or comments to <consensusnwc.com>.

    Copyright (c) 2002 Network Computing, a CMP Media LLC
    publication. All Rights Reserved. Distributed by Network
    Computing (http://www.networkcomputing.com) and The SANS Institute
    (http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
    security assessment and integration services consulting group
    (infoneohapsis.com | http://www.neohapsis.com/).