From: Network Computing and The SANS Institute (sans+ZZ99470919362323775@sans.org)
Date: Thu May 16 2002 - 13:30:42 CDT


    Re: Your personalized newsletter

                      -- Security Alert Consensus --
                           Number 019 (02.19)
                        Thursday, May 16, 2002
                           Created for you by
                  Network Computing and the SANS Institute
                          Powered by Neohapsis

    ----------------------------------------------------------------------

    Welcome to the latest edition of Security Alert Consensus! Below
    you should find information pertaining only to the categories you
    requested. Information on how to manage your subscription can be found
    at the bottom of the newsletter. If you have any problems or questions,
    please e-mail us at <consensus@nwc.com>.

    ----------------------------------------------------------------------

    Don't miss exciting highlights from this week's O'Reilly Emerging
    Technology Conference! In today's report, Contributing editor Don
    MacVittie gives his take on Bruce Schneier's keynote, "Fixing Network
    Security by Hacking the Corporate Culture". Stay tuned for more details
    as our coverage continues.
    http://www.nwc.com/out/blog/

    ----------------------------------------------------------------------

    This month's latest Crypto-gram newsletter (published by Bruce
    Schneier of Counterpane) contains an interesting recap of the
    successful attempts of Japanese cryptographer Tsutomu Matsumoto to
    fool 11 different commercial fingerprint readers with $10 worth of
    gelatin. It's quite an interesting read, and it gives a little insight
    into the feasibility of biometrics.
    http://www.counterpane.com/crypto-gram-0205.html#5

    Until next week,
    --Security Alert Consensus Team

    ************************************************************************

    TABLE OF CONTENTS:

    {02.19.001} Win - Lysias Lidik Webserver directory traversal
                vulnerability
    {02.19.009} Win - MS02-022: MSN chat control buffer overflow
    {02.19.013} Win - AIM aimbuddy link DoS
    {02.19.019} Win - nCipher MSCAPI CSP install ignores Operator Card Set
                option
    {02.19.002} Linux - SuSE sysconfig allows spoofed DHCP responses to
                execute commands
    {02.19.008} Linux - Netfilter does not un-NAT packets in ICMP responses
    {02.19.015} Linux - Update {02.14.001}: icecast client_login() overflow
    {02.19.010} BSD - OpenBSD file descriptor DoS and fd/suid vulnerability
    {02.19.020} Sol - inJoin Directory Server admin server path traversal
                and CSS
    {02.19.003} NW - FTPD long request DoS
    {02.19.004} NW - Border Manager multiple proxy DoS attacks
    {02.19.023} HPUX - VirtualVault administration server allows
                unauthorized connections
    {02.19.018} SGI - fsr_xfs may overwrite critical files
    {02.19.007} SCO - Wrong perms on /var/dt
    {02.19.021} NApps - Cisco ATA-186 Web interface exposes configuration
    {02.19.005} Cross - ISC DHCPD nsupdate format string vulnerability
    {02.19.006} Cross - Webmin/Usermin CSS vulnerability
    {02.19.011} Cross - Perl MD5 module does not handle UTF-8 correctly
    {02.19.012} Cross - wu-imapd BODY command overflow
    {02.19.014} Cross - mnoGoSearch CGI query parameter overflow
    {02.19.016} Cross - Cisco products ntpd buffer overflow
    {02.19.017} Cross - uudecode insecure output file handling
    {02.19.022} Cross - GAIM dumps authentication information into /tmp/
                files

    --- Windows News -------------------------------------------------------

    *** {02.19.001} Win - Lysias Lidik Webserver directory traversal
                    vulnerability

    Lysias Lidik Webserver version 0.7b allows a remote attacker to access
    files outside the Webroot if the attacker submits a URL request that
    contains '...'.

    This vulnerability is not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-05/0039.html

    *** {02.19.009} Win - MS02-022: MSN chat control buffer overflow

    Microsoft released MS02-022 ("MSN chat control buffer overflow"). The
    MSN ActiveX chat control, available from many MSN-affiliated Web sites
    as well as included with MSN Messenger and Exchange Instant Messenger,
    contains a buffer overflow in the handling of certain parameters. This
    could allow a malicious Web site or e-mail to execute arbitrary code
    on the user's system.

    FAQ and patch:
    http://www.microsoft.com/technet/security/bulletin/MS02-022.asp

    Source: Microsoft
    http://archives.neohapsis.com/archives/vendor/2002-q2/0030.html

    *** {02.19.013} Win - AIM aimbuddy link DoS

    AOL Instant Messenger reportedly crashes when the user clicks on a
    particular malformed 'aimbuddy' URL link.

    This vulnerability is not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-05/0086.html

    *** {02.19.019} Win - nCipher MSCAPI CSP install ignores Operator Card
                    Set option

    nCipher released an advisory indicating that the MSCAPI CSP
    installation wizard for Windows 2000 may ignore the Operator Card Set
    protection option, thereby resulting in a reduced level of security.

    This vulnerability is confirmed. A workaround/fix is listed at the
    reference URL below.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-05/0103.html

    --- Linux News ---------------------------------------------------------

    *** {02.19.002} Linux - SuSE sysconfig allows spoofed DHCP responses to
                    execute commands

    The sysconfig scripts shipped with SuSE 8.0 allow spoofed DHCP
    responses during network interface initialization to execute arbitrary
    command-line commands with root privileges.

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/suse/2002-q2/0514.html

    Source: SuSE
    http://archives.neohapsis.com/archives/linux/suse/2002-q2/0514.html

    *** {02.19.008} Linux - Netfilter does not un-NAT packets in ICMP
                    responses

    A bug was found in the Linux netfilter (iptables) code included
    with the Linux 2.4 kernels. If netfilter is used to NAT packets to an
    internal host and the internal host responds with an ICMP error
    message (which quotes the IP header of the packet as it was delivered
    to the internal host), the quoted header is not translated back, so
    the sender can determine that the packet was NAT'd and can also learn
    the internal address.

    This vulnerability is confirmed. A source code patch is available at:
    http://www.netfilter.org/security/2002-04-02-icmp-dnat.html

    Red Hat workaround:
    http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0042.html

    Mandrake workaround:
    http://archives.neohapsis.com/archives/bugtraq/2002-05/0085.html

    Source: SecurityFocus Bugtraq, Red Hat, Mandrake
    http://archives.neohapsis.com/archives/bugtraq/2002-05/0049.html
    http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0042.html
    http://archives.neohapsis.com/archives/bugtraq/2002-05/0085.html
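A check a firewall owner can run over their own captured traffic to spot the symptom described above: in an ICMP error message, the quoted inner header's destination should equal the outer source address after un-NATing; if it still carries the internal address, the translation was incomplete. This is an added example, not code from the netfilter project or the advisory; the addresses and packets are constructed test data.

```python
import struct
from ipaddress import IPv4Address

# ICMP types whose payload quotes the IP header of the packet that caused them (RFC 792):
# 3 destination unreachable, 4 source quench, 5 redirect, 11 time exceeded, 12 parameter problem
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}


def parse_ipv4_header(data):
    """Return (src, dst, header_length, protocol) for an IPv4 header. Checksums are not verified."""
    if len(data) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", data[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return IPv4Address(src), IPv4Address(dst), (ver_ihl & 0x0F) * 4, proto


def embedded_header_mismatch(packet):
    """Inspect one IPv4 datagram as seen on the external side of the NAT.

    For ICMP error messages, compare the destination in the quoted inner header with
    the outer source address. After correct un-NATing both are the public address;
    the bug leaves the inner destination as the internal (pre-NAT) address.
    Returns (outer_src, inner_dst) on mismatch, None otherwise.
    """
    outer_src, _, ihl, proto = parse_ipv4_header(packet)
    if proto != 1:  # not ICMP
        return None
    icmp = packet[ihl:]
    if len(icmp) < 8 or icmp[0] not in ICMP_ERROR_TYPES:
        return None
    # 8-byte ICMP header (type, code, checksum, unused) precedes the quoted datagram
    _, inner_dst, _, _ = parse_ipv4_header(icmp[8:])
    return (outer_src, inner_dst) if inner_dst != outer_src else None


def build_ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 datagram (header checksum left zero; test data only)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload


def build_icmp_port_unreachable(offending):
    """ICMP type 3 code 3 quoting the first 28 bytes of the offending datagram."""
    return struct.pack("!BBHI", 3, 3, 0, 0) + offending[:28]


# Constructed scenario: 198.51.100.7 sent UDP to public address 203.0.113.10, which the
# firewall DNATed to internal host 192.168.1.5; the internal host answers with an ICMP error.
EXTERNAL, PUBLIC, INTERNAL = "198.51.100.7", "203.0.113.10", "192.168.1.5"
UDP_PROBE = b"\x00\x35\x00\x35\x00\x08\x00\x00"  # constructed UDP header, port 53 -> 53


def leaky_reply():
    # Buggy behaviour: outer source rewritten to PUBLIC, inner header still says INTERNAL.
    inner = build_ipv4(EXTERNAL, INTERNAL, 17, UDP_PROBE)
    return build_ipv4(PUBLIC, EXTERNAL, 1, build_icmp_port_unreachable(inner))


def fixed_reply():
    # Patched behaviour: the quoted inner header is un-NATed as well.
    inner = build_ipv4(EXTERNAL, PUBLIC, 17, UDP_PROBE)
    return build_ipv4(PUBLIC, EXTERNAL, 1, build_icmp_port_unreachable(inner))


if __name__ == "__main__":
    for name, pkt in (("leaky", leaky_reply()), ("fixed", fixed_reply())):
        print(name, embedded_header_mismatch(pkt))
```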

    *** {02.19.015} Linux - Update {02.14.001}: icecast client_login()
                    overflow

    Caldera released updated icecast packages, which fix the vulnerability
    discussed in {02.14.001} ("icecast client_login() overflow").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0011.html

    Source: Caldera
    http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0011.html

    --- BSD News -----------------------------------------------------------

    *** {02.19.010} BSD - OpenBSD file descriptor DoS and fd/suid
                    vulnerability

    A bug in OpenBSD leaves it open to the issue previously discussed in
    {02.16.026} ("Stdin/stdout/stderr closed file descriptor
    vulnerability"). A local attacker can exhaust all available file
    descriptors on the system, which causes the safety check that prevents
    file descriptor tampering with suid/sgid binaries to fail, so the
    attack discussed in {02.16.026} still succeeds.

    This vulnerability is confirmed. A fix has been committed to OpenBSD
    CVS. Patches are listed at:
    http://archives.neohapsis.com/archives/openbsd/2002-05/0656.html

    Source: OpenBSD, VulnWatch
    http://archives.neohapsis.com/archives/openbsd/2002-05/0656.html
    http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0066.html

    --- Solaris News -------------------------------------------------------

    *** {02.19.020} Sol - inJoin Directory Server admin server path
                    traversal and CSS

    Critical Path inJoin Directory Server version 4.0 reportedly contains
    a reverse directory traversal vulnerability in the administrative
    Web server that allows a remote attacker with valid authentication
    credentials to access files outside the Webroot that are readable by
    the 'ids' account. Multiple URLs/scripts are also vulnerable to
    cross-site scripting.

    The advisory indicates vendor confirmation.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0068.html

    --- NetWare News -------------------------------------------------------

    *** {02.19.003} NW - FTPD long request DoS

    A denial of service attack was found in the FTP service shipped with
    Netware 5.x and 6.0. An attacker can submit large amounts of data to
    the service, causing the service to consume all CPU cycles.

    This vulnerability is confirmed. An update is available at:
    http://support.novell.com/cgi-bin/search/searchtid.cgi?/2962252.htm

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0059.html

    *** {02.19.004} NW - Border Manager multiple proxy DoS attacks

    Border Manager version 3.6 SP 1a is reportedly vulnerable to three
    denial of service attacks: repeatedly sending large amounts of data to
    the ftp-proxy service, which causes it to stop accepting connections;
    sending large amounts of data to the IP/IPX gateway service, which
    causes ipipxgw.nlm to abend; and sending particular malformed requests
    to the rtsp proxy, which causes proxy.nlm to abend.

    These vulnerabilities are not confirmed.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0060.html

    --- HP-UX News ---------------------------------------------------------

    *** {02.19.023} HPUX - VirtualVault administration server allows
                    unauthorized connections

    HP released an advisory indicating that VirtualVault administration
    server could, under certain circumstances, allow connections from
    unauthorized sources. Only HP-UX 11.04 (VVOS) is affected.

    HP released patch PHSS_24038, which fixes the issue.

    Source: HP
    http://archives.neohapsis.com/archives/hp/2002-q2/0037.html

    --- SGI News -----------------------------------------------------------

    *** {02.19.018} SGI - fsr_xfs may overwrite critical files

    SGI released an advisory indicating that the fsr_xfs utility could
    be tricked by a local user into overwriting critical system files,
    thereby resulting in a denial of service attack. IRIX 5.0 through
    6.5.10 are vulnerable.

    SGI confirmed this vulnerability. The appropriate fix is to update
    to the latest version of IRIX.

    Source: SGI
    http://archives.neohapsis.com/archives/vendor/2002-q2/0031.html

    --- SCO News -----------------------------------------------------------

    *** {02.19.007} SCO - Wrong perms on /var/dt

    Various SCO Unix startup scripts and libraries change the permissions
    on /var/dt to be world-writable. This could allow a local attacker
    to either perform a symlink attack or cause a DoS.

    Caldera/SCO confirmed this vulnerability and released updated binaries.

    OpenUNIX 8.0 updates:
    ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.18

    UnixWare 7.1.1 updates:
    ftp://stage.caldera.com/pub/security/openunix/CSSA-2002-SCO.18

    Source: Caldera/SCO
    http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0010.html

    --- Network Appliances News --------------------------------------------

    *** {02.19.021} NApps - Cisco ATA-186 Web interface exposes
                    configuration

    The Web administrative interface included with the Cisco ATA-186
    VOIP adapter allows a remote attacker to retrieve the device's
    configuration, including the plain text administrative password,
    by submitting a particular HTTP request.

    This vulnerability is not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-05/0083.html

    --- Cross-Platform News ------------------------------------------------

    *** {02.19.005} Cross - ISC DHCPD nsupdate format string vulnerability

    ISC DHCPD version 3 contains a format string vulnerability in the
    nsupdate code. This could allow an attacker on the local segment to
    issue crafted DHCP requests, leading to execution of arbitrary code
    with root privileges on the DHCP server.

    This vulnerability is confirmed. A source code patch is available at:
    http://archives.neohapsis.com/archives/cc/2002-q2/0003.html

    Updated Conectiva Linux RPMs:
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q2/0014.html

    Source: VulnWatch, CERT, Conectiva
    http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0063.html
    http://archives.neohapsis.com/archives/cc/2002-q2/0003.html
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q2/0014.html

    *** {02.19.006} Cross - Webmin/Usermin CSS vulnerability

    Webmin prior to version 0.970 and Usermin prior to version 0.90
    were found vulnerable to cross-site scripting in the handling of
    unauthenticated requests for pages.

    These vulnerabilities are confirmed. Webmin version 0.970 and Usermin
    0.90 contain the fixes.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-05/0040.html

    *** {02.19.011} Cross - Perl MD5 module does not handle UTF-8 correctly

    The Perl MD5 module does not handle UTF-8 data correctly, potentially
    causing applications that rely on correct MD5 digests to produce wrong
    results.

    This vulnerability is confirmed.

    Updated Red Hat RPMs:
    http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0046.html

    Source: Red Hat
    http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0046.html

    *** {02.19.012} Cross - wu-imapd BODY command overflow

    A buffer overflow was found in wu-imapd versions 2001.315 (under
    certain configurations) and prior (all installs). It can be triggered
    by an authenticated user who submits a BODY request with a large
    amount of data, and could allow the execution of arbitrary code under
    the privileges of the logged-in user.

    The vendor confirmed this vulnerability. A patch is available at:
    http://archives.neohapsis.com/archives/bugtraq/2002-05/0093.html

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-05/0071.html
    http://archives.neohapsis.com/archives/bugtraq/2002-05/0093.html

    *** {02.19.014} Cross - mnoGoSearch CGI query parameter overflow

    The mnoGoSearch search CGI version 3.1.19 contains a remotely
    exploitable buffer overflow in the handling of the query URL parameter,
    thereby allowing a remote attacker to execute arbitrary code on the
    system under the privileges of the Web server.

    The advisory indicates vendor confirmation. A third-party patch is
    available at:
    http://archives.neohapsis.com/archives/bugtraq/2002-05/0092.html

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-05/0092.html

    *** {02.19.016} Cross - Cisco products ntpd buffer overflow

    Cisco released an advisory indicating that the NTP daemon bundled
    with many of its products, including IOS, MGC and derivative product
    suites, BTS and Cisco IP Manager, contains a buffer overflow that
    allows a remote attacker to execute arbitrary code on the system.

    This vulnerability is confirmed. Update matrices are available at
    the reference URL below.

    Source: Cisco
    http://archives.neohapsis.com/archives/cisco/2002-q2/0008.html

    *** {02.19.017} Cross - uudecode insecure output file handling

    The uudecode utility included with the typical Linux sharutils bundle
    does not properly check the output file before opening it for writing,
    potentially allowing a local attacker to perform a symlink attack.

    This vulnerability is confirmed.

    Updated Red Hat RPMs:
    http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0050.html

    Source: Red Hat
    http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0050.html

    *** {02.19.022} Cross - GAIM dumps authentication information into
                    /tmp/ files

    GAIM version 0.57 creates insecure temporary files in /tmp/ when the
    user uses the 'check MSN hotmail' option. The files are world-readable
    and contain session information that could allow a local attacker
    to recover the files and access the user's mailbox without requiring
    authentication.

    This vulnerability is confirmed; a fix was committed to the GAIM CVS.

    Source: SecurityFocus Vuln-Dev
    http://archives.neohapsis.com/archives/vuln-dev/2002-q2/0584.html
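The two local-file issues above ({02.19.017} uudecode following a planted symlink, {02.19.022} GAIM writing world-readable session data to /tmp/) share one mitigation pattern: create output files with O_CREAT|O_EXCL|O_NOFOLLOW so a pre-existing symlink is refused rather than followed, and create temporary files atomically with mode 0600. This is an added illustration, not code from sharutils or GAIM; the file names and contents are constructed for the demo.

```python
import errno
import os
import stat
import tempfile


def open_output_file_safely(path, mode=0o600):
    """Create `path` for writing without following a symlink or clobbering a file.

    O_EXCL makes creation fail if anything already exists at `path`, including a
    symlink planted by another local user (POSIX mandates EEXIST for that case);
    O_NOFOLLOW additionally refuses to traverse a symlink where supported.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, mode)
    return os.fdopen(fd, "wb")


def write_decoded_output(path, data):
    """Write decoded data; return False instead of writing through a planted path."""
    try:
        with open_output_file_safely(path) as f:
            f.write(data)
        return True
    except OSError as e:
        if e.errno in (errno.EEXIST, errno.ELOOP):
            return False
        raise


def create_private_tempfile(prefix="hotmail-session-"):
    """mkstemp creates the file atomically with O_EXCL and mode 0600, so the
    contents are never readable by other local users."""
    return tempfile.mkstemp(prefix=prefix)


def is_world_readable(path):
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def demo():
    """Returns (wrote_through_symlink, victim_untouched, tempfile_world_readable)."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "victim")
        with open(victim, "wb") as f:
            f.write(b"original")
        target = os.path.join(d, "out.bin")
        os.symlink(victim, target)  # constructed: a symlink planted at the output path
        wrote = write_decoded_output(target, b"decoded")
        with open(victim, "rb") as f:
            untouched = f.read() == b"original"
        fd, tmp = create_private_tempfile()
        os.write(fd, b"constructed session token")
        os.close(fd)
        readable = is_world_readable(tmp)
        os.unlink(tmp)
        return wrote, untouched, readable


if __name__ == "__main__":
    print(demo())
```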

    ************************************************************************


    ----------------------------------------------------------------------

    Become a Security Alert Consensus member! If this e-mail was passed
    to you and you would like to begin receiving our security e-mail
    newsletter on a weekly basis, we invite you to subscribe today.
    http://www.networkcomputing.com/consensus/.

    We are signing the Consensus newsletter
    with PGP. The new SANS PGP key is posted at:
    http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
    also be accessed from the SANS Web site (http://www.sans.org).

    Special Note: To better secure your confidential information,
    we will no longer include personal URLs in our Consensus
    newsletter mailings. Instead, we have created a new form
    (http://www.sans.org/sansurl). On this form you can enter the SD
    number located near your name at the top of the newsletter. When you
    submit this form, an e-mail containing a URL will be sent to you at
    the e-mail address on record. With this URL you can make changes to
    your account (edit the content of your Consensus mailing, for example)
    without endangering the security of your personal URL. If you'd like
    to change your e-mail address or other information, please visit your
    new URL as described above. If you have any problems or questions,
    e-mail us at <consensus@nwc.com>.

    If you would like to unsubscribe from this newsletter, grab your SD
    number (next to your name at the top of this message) and visit the
    URL below. You will be sent a personal URL via E-mail, from which
    you can unsubscribe. http://www.sans.org/sansurl

    Missed an issue? You can find all back issues of
    Security Alert Consensus (and Security Express) online.
    http://archives.neohapsis.com/

    Your opinion counts. We'd like to hear your thoughts on Security Alert
    Consensus. E-mail any questions or comments to <consensus@nwc.com>.

    Copyright (c) 2002 Network Computing, a CMP Media LLC
    publication. All Rights Reserved. Distributed by Network
    Computing (http://www.networkcomputing.com) and The SANS Institute
    (http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
    security assessment and integration services consulting group
    (info@neohapsis.com | http://www.neohapsis.com/).