From: Network Computing and The SANS Institute (sans+ZZ83082140687203473@sans.org)
Date: Thu May 09 2002 - 15:05:45 CDT
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 018 (02.18)
Thursday, May 9, 2002
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below
you should find information pertaining only to the categories you
requested. Information on how to manage your subscription can be found
at the bottom of the newsletter. If you have any problems or questions,
please e-mail us at <consensus@nwc.com>.
----------------------------------------------------------------------
NetSeminar: Authentication and Encryption: A One-Two Punch
Sign up today to attend our online NetSeminar on May 16 at 9:00 a.m.
Pacific time.
We will bring you up to date on current trends and solutions for
creating a successful multilayered security scheme. Neohapsis' Patrick
Mueller and Rainbow Solutions' Shawn Abbot will lead the discussions.
For more info and to register:
http://www.nwc.com/events/netseminar/may2002_auth.html
----------------------------------------------------------------------
Those of you who are interested in the intrusion detection and
forensics field should be aware of the Honeynet Project, a group of
volunteer security experts who deploy honeypot systems around the
Internet in hopes of learning information from attackers who happen
to wander by.
One interesting thing is that the Honeynet Project announced its latest
challenge: the Reverse Challenge, where the person who best reverse
engineers a particular recovered binary wins a prize. Last year the
Honeynet Project hosted the Forensics Challenge, which required doing
a full forensic autopsy on a compromised system image.
More information can be found on the Honeynet Project's Web site:
http://project.honeynet.org/
Until next week,
--Security Alert Consensus Team
************************************************************************
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
TABLE OF CONTENTS:
{02.18.011} Win - Winamp ID3v2 tag minibrowser overflow
{02.18.012} Win - RealSecure IDS DHCP packet DoS
{02.18.014} Win - Snapgear Lite+ Firewall multiple DoS vulnerabilities
{02.18.015} Win - Macromedia flash plugin parameter overflow
{02.18.016} Win - 4D Webserver authentication information overflow
{02.18.019} Win - AIM AddExternalApp buffer overflow
{02.18.024} Win - 3Cdaemon FTP service overflow DoS
{02.18.006} Linux - Update {02.12.008}: imlib library multiple overflows
{02.18.021} Linux - Update {01.30.001}: tcpdump AFS parsing overflow (2)
{02.18.022} Sol - cachefs RPC service cache name parameter overflow
{02.18.007} HPUX - ndd local DoS
{02.18.009} SGI - nsd nsd.dump file symlink attack
{02.18.020} SGI - netstat alerts to file existence
{02.18.008} SCO - sar -o parameter overflow
{02.18.002} Other - MPE/iX FTP server command overflows
{02.18.001} Cross - Docbook trojan document creates arbitrary files
{02.18.005} Cross - Eazel Nautilus .nautilus-metafile.xml symlink attack
{02.18.010} Cross - mod_python exposes imported modules via publisher
handler
{02.18.013} Cross - Levcgi.com MyGuestbook CGI CSS vulnerability
{02.18.017} Cross - B2 PHP CGI command execution
{02.18.018} Cross - squid_auth_ldap syslog() format string
vulnerabilities
{02.18.023} Cross - Mozilla XMLHttpRequest file disclosure
{02.18.003} Tools - Bind 9.2.1 available
{02.18.004} Tools - Apache 2.0.36 released
- --- Windows News -------------------------------------------------------
*** {02.18.011} Win - Winamp ID3v2 tag minibrowser overflow
Winamp version 2.79 is vulnerable to a malicious MP3 file containing
malformed ID3v2 field data, which could trigger a buffer overflow
and lead to the execution of arbitrary code on the user's system.
This vulnerability is confirmed and fixed in version 2.80.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-04/0373.html
*** {02.18.012} Win - RealSecure IDS DHCP packet DoS
ISS released an advisory indicating that RealSecure versions 6.5 and
prior are vulnerable to a denial of service attack whereby a malformed
DHCP packet could cause the IDS engine to crash.
ISS confirmed the problem and released a fix in X-Press update
version 4.3.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-04/0420.html
*** {02.18.014} Win - Snapgear Lite+ Firewall multiple DoS
vulnerabilities
The Snapgear Lite+ Firewall prior to version 1.6.0 contains multiple
remotely exploitable denial of service bugs that could leave the
firewall inoperable.
The vendor confirmed these bugs and fixed them in version 1.6.0.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0050.html
*** {02.18.015} Win - Macromedia flash plugin parameter overflow
The Macromedia flash plugin version 6 revision 23 and prior contains
a buffer overflow in the handling of long HTML object parameters,
allowing a malicious Web site or e-mail to execute arbitrary code on
the user's system.
Macromedia confirmed this vulnerability and released a fixed version.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0051.html
*** {02.18.016} Win - 4D Webserver authentication information overflow
The 4D Webserver version 6.7.3 does not properly handle large
amounts of data submitted in an HTTP basic authentication header,
which leads to a buffer overflow that allows the remote execution of
arbitrary code.
The advisory indicates vendor confirmation and that the problem is
fixed in versions 6.7.4 and 6.8.1.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-05/0013.html
*** {02.18.019} Win - AIM AddExternalApp buffer overflow
Another buffer overflow was found in AOL Instant Messenger's handling
of the AddExternalApp function, which could allow a remote attacker
to execute arbitrary code on the AIM user's system.
The advisory indicates vendor confirmation.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0055.html
*** {02.18.024} Win - 3Cdaemon FTP service overflow DoS
The 3Cdaemon FTP service version 2.0 revision 10 reportedly contains
a buffer overflow in the handling of any user-supplied data. This
allows a remote attacker to crash the service, which results in a
denial of service attack. It is unknown if execution of arbitrary
code is possible.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-04/0428.html
- --- Linux News ---------------------------------------------------------
*** {02.18.006} Linux - Update {02.12.008}: imlib library multiple
overflows
SuSE released updated imlib packages, which fix the vulnerability
discussed in {02.12.008} ("imlib library multiple overflows").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/suse/2002-q2/0504.html
Source: SuSE
http://archives.neohapsis.com/archives/linux/suse/2002-q2/0504.html
*** {02.18.021} Linux - Update {01.30.001}: tcpdump AFS parsing
overflow (2)
Conectiva released updated tcpdump packages, which fix the
vulnerability discussed in {01.30.001} ("tcpdump AFS parsing overflow
(2)").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/conectiva/2002-q2/0010.html
Source: Conectiva
http://archives.neohapsis.com/archives/linux/conectiva/2002-q2/0010.html
- --- Solaris News -------------------------------------------------------
*** {02.18.022} Sol - cachefs RPC service cache name parameter overflow
The cachefs RPC service shipped with Solaris 2.5.1, 2.6, 7 and
8 contains a remotely exploitable heap overflow in the handling
of the cache name parameter to the fs_mounted_1_svc RPC function,
thereby allowing a remote attacker to execute arbitrary code with
root privileges.
Sun confirmed this problem. Patches are still being prepared. In the
meantime, a workaround is available at:
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F44309
Source: CERT
http://archives.neohapsis.com/archives/cc/2002-q2/0002.html
- --- HP-UX News ---------------------------------------------------------
*** {02.18.007} HPUX - ndd local DoS
HP released an advisory indicating that the ndd utility shipped with
HPUX 11.11 contains a bug that allows a local attacker to perform a
denial of service attack against the system. Details were not provided.
HP has released patch PHNE_25644 to fix the problem.
Source: HP
http://archives.neohapsis.com/archives/hp/2002-q2/0034.html
- --- SGI News -----------------------------------------------------------
*** {02.18.009} SGI - nsd nsd.dump file symlink attack
SGI released an advisory indicating that the nsd utility does not
perform proper checks when handling the nsd.dump file, thereby allowing
a local attacker to trick the utility into overwriting files via a
symlink attack. IRIX 6.5.0 through 6.5.10 are vulnerable.
This vulnerability is confirmed and fixed in IRIX 6.5.11 and later.
Source: SGI
http://archives.neohapsis.com/archives/vendor/2002-q2/0026.html
*** {02.18.020} SGI - netstat alerts to file existence
SGI released an advisory indicating that a local attacker can use the
netstat utility to determine if arbitrary files are present, even if
file system permissions would normally block them. IRIX 6.5.0 through
6.5.11 are vulnerable.
SGI confirmed the problem; the solution is to update to the latest
version of IRIX.
Source: SGI
http://archives.neohapsis.com/archives/vendor/2002-q2/0028.html
- --- SCO News -----------------------------------------------------------
*** {02.18.008} SCO - sar -o parameter overflow
Caldera/SCO released an advisory indicating that the sar binary shipped
with OpenServer 5.0.5 contains a buffer overflow in the processing
of long values passed to the '-o' command line parameter. This allows
a local attacker to execute code with elevated privileges.
This vulnerability is confirmed; updated binaries are available at:
ftp://stage.caldera.com/pub/security/openserver/CSSA-2002-SCO.17
Source: Caldera/SCO
http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0009.html
- --- Other News ---------------------------------------------------------
*** {02.18.002} Other - MPE/iX FTP server command overflows
HP released an advisory indicating that the FTPSRV service included
with MPE/iX versions 6.0, 6.5 and 7.0 contains buffer overflows in
the handling of FTP commands, thereby allowing a remote attacker to
execute arbitrary code.
HP released the following patches:
MPE/iX 6.0: FTPGD91A
MPE/iX 6.5: FTPGD92A
MPE/iX 7.0: FTPGD93A
Source: HP
http://archives.neohapsis.com/archives/hp/2002-q2/0028.html
- --- Cross-Platform News ------------------------------------------------
*** {02.18.001} Cross - Docbook trojan document creates arbitrary files
The docbook suite contains a bug that allows an untrusted docbook
document to create arbitrary files when the document is converted
to HTML.
This vulnerability is confirmed.
Updated Red Hat RPMs are listed at:
http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0030.html
Source: Red Hat
http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0030.html
*** {02.18.005} Cross - Eazel Nautilus .nautilus-metafile.xml symlink
attack
Eazel's Nautilus file manager version 1.0.4 does not properly check
before creating a .nautilus-metafile.xml temporary file in a target
directory, which could lead to a local user performing a symlink attack
against the user using Nautilus. The end result is the possibility
to overwrite files writable by the Nautilus user.
This vulnerability is confirmed and fixed in the latest version of
Nautilus, which is available at:
http://cvs.gnome.org/lxr/source/nautilus/
Updated Red Hat RPMs:
http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0035.html
Updated Slackware patches:
ftp://ftp.slackware.com/pub/slackware/slackware-8.0/patches/
Source: Red Hat, SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0035.html
http://archives.neohapsis.com/archives/bugtraq/2002-05/0006.html
*** {02.18.010} Cross - mod_python exposes imported modules via
publisher handler
Versions 2.7.6 and prior of the mod_python Apache module contain a
bug whereby a remote attacker can use the publisher handler to access
indirectly imported python modules.
mod_python version 2.7.8 was released, which fixes the bug.
Updated Red Hat RPMs:
http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0033.html
Updated Conectiva RPMs:
http://archives.neohapsis.com/archives/linux/conectiva/2002-q2/0007.html
Source: Red Hat, Conectiva
http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0033.html
http://archives.neohapsis.com/archives/linux/conectiva/2002-q2/0007.html
*** {02.18.013} Cross - Levcgi.com MyGuestbook CGI CSS vulnerability
Levcgi.com's MyGuestbook CGI application version 1.0 is reportedly
vulnerable to cross-site scripting in the handling of various user
input fields.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-04/0422.html
*** {02.18.017} Cross - B2 PHP CGI command execution
Cafelog.com's B2 PHP CGI suite does not filter user submitted data
before passing it to an fopen() function, thereby allowing a remote
attacker to potentially execute arbitrary PHP code on the server
under certain configurations.
This vulnerability is not confirmed. The indicated fix is to copy
the b2config.php file into the b2-include/ directory.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-05/0027.html
*** {02.18.018} Cross - squid_auth_ldap syslog() format string
vulnerabilities
An advisory surfaced indicating that the squid_auth_ldap patch version
2.0 for Squid contains multiple format string vulnerabilities in the
handling of data passed to the syslog function, potentially allowing
a remote attacker to execute arbitrary code on the Squid server.
These vulnerabilities are not confirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0053.html
*** {02.18.023} Cross - Mozilla XMLHttpRequest file disclosure
Mozilla CVS builds prior to May 2, 2002, contain a bug that allows
a malicious Web site to query the user's system to determine if
certain files exist, and it can actually recreate entire directory
structure lists.
This vulnerability is confirmed and a fix was committed to CVS.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-05/0016.html
- --- Tool Announcements News --------------------------------------------
*** {02.18.003} Tools - Bind 9.2.1 available
Bind version 9.2.1 was released. This is a maintenance release only --
no security fixes or new features are included.
Download available at:
ftp://ftp.isc.org/isc/bind9/9.2.1/bind-9.2.1.tar.gz
Source: ISC BIND
http://archives.neohapsis.com/archives/bind/2002/0008.html
*** {02.18.004} Tools - Apache 2.0.36 released
Apache version 2.0.36 was released. This is the second official
production release of the Apache 2.x series, and it includes many
bug fixes found in prior versions.
It is available for download at:
http://httpd.apache.org/
Source: Apache
http://archives.neohapsis.com/archives/apache/2002/0006.html
************************************************************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (BSD/OS)
Comment: For info see http://www.gnupg.org
iD8DBQE82tSl+LUG5KFpTkYRAstpAKCa0yqkNLSTu6ZOIA3JGyoVTQmpEwCeMWMb
zAejjP1i6eed9GaG5d7P2gc=
=JWz4
-----END PGP SIGNATURE-----
------------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed
to you and you would like to begin receiving our security e-mail
newsletter on a weekly basis, we invite you to subscribe today.
http://www.networkcomputing.com/consensus/.
We are signing the Consensus newsletter with PGP. The new SANS PGP
key is posted at:
http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
also be accessed from the SANS Web site (http://www.sans.org).
Special Note: To better secure your confidential information,
we will no longer include personal URLs in our Consensus
newsletter mailings. Instead, we have created a new form
(http://www.sans.org/sansurl). On this form you can enter the SD
number located near your name at the top of the newsletter. When you
submit this form, an e-mail containing a URL will be sent to you at
the e-mail address on record. With this URL you can make changes to
your account (edit the content of your Consensus mailing, for example)
without endangering the security of your personal URL. If you'd like
to change your e-mail address or other information, please visit your
new URL as described above. If you have any problems or questions,
e-mail us at <consensus@nwc.com>.
If you would like to unsubscribe from this newsletter, grab your SD
number (next to your name at the top of this message) and visit the
URL below. You will be sent a personal URL via E-mail, from which
you can unsubscribe. http://www.sans.org/sansurl
Missed an issue? You can find all back issues of
Security Alert Consensus (and Security Express) online.
http://archives.neohapsis.com/
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2002 Network Computing, a CMP Media LLC
publication. All Rights Reserved. Distributed by Network
Computing (http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).