From: Network Computing and The SANS Institute (sans+ZZ51664766085734379@sans.org)
Date: Thu May 30 2002 - 13:55:36 CDT
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 021 (02.21)
Thursday, May 30, 2002
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below
you should find information pertaining only to the categories you
requested. Information on how to manage your subscription can be found
at the bottom of the newsletter. If you have any problems or questions,
please e-mail us at <consensus@nwc.com>.
----------------------------------------------------------------------
*** Sponsored by VeriSign - The Value of Trust ***
Get the strongest server security-128-bit SSL encryption! Download
VeriSign's FREE guide, "Securing Your Web Site for Business" and learn
everything you need to know about using SSL to encrypt your e-commerce
transactions for serious online security.
Visit http://www.verisign.com/cgi-bin/go.cgi?a=n20400090990057000
----------------------------------------------------------------------
Previously, we reported that the SQLSpida SQL worm was running around
preying on Microsoft SQL Server installs with a blank sa password. What
we didn't mention is that MSDE, a small embeddable version of SQL Server,
also typically ships with a blank sa password. MSDE is typically
included/embedded in other apps (like the newest version of Visio), so
a machine can be vulnerable even though Microsoft SQL Server was never
explicitly installed on it. Check the desktops that carry MSDE-bundled
applications, not just the dedicated database servers.
Until next week,
--Security Alert Consensus Team
************************************************************************
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
TABLE OF CONTENTS:
{02.21.002} Win - ServletExec ISAPI multiple vulnerabilities
{02.21.004} Win - MatuFtpServer PASS command overflow
{02.21.007} Win - MS02-024: Authentication flaw in Windows debugger
{02.21.008} Win - LocalWeb2000 server protected file bypass
{02.21.016} Win - Opera file element can retrieve files
{02.21.017} Win - Falcon Web server protected file bypass
{02.21.021} Win - Update {02.20.029}: Linux/KDE talkd format string
vulnerability
{02.21.003} Linux - Update {02.19.005}: ISC DHCPD nsupdate format
string vulnerability
{02.21.009} Linux - Update {02.19.012}: (uw-)imapd BODY command overflow
{02.21.023} Linux - pam_ldap logging function format string
vulnerability
{02.21.024} Linux - Update {02.20.008}: fetchmail large e-mail index
overflow
{02.21.025} Linux - Update {02.19.011}: Perl MD5 module does not handle
UTF-8 correctly
{02.21.001} Sol - in.rarpd syserr()/error() overflows and format string
vulnerabilities
{02.21.020} Sol - in.talkd print_mesg() format string vulnerability
{02.21.011} NApps - Update {02.19.021}: Cisco ATA-186 Web interface
exposes configuration
{02.21.012} NApps - Cisco CBOS DSL devices multiple DoS
{02.21.018} NApps - 3Com OfficeConnect ADSL router PAT forwards all
ports
{02.21.006} Other - Cisco VOIP phones multiple DoS
{02.21.019} Other - ProLiant BL e-Class admin authentication
vulnerability
{02.21.005} Cross - Webmin admin authentication bypass
{02.21.010} Cross - OpenSSH 3.2.3 released
{02.21.013} Cross - Mailman multiple CSS vulnerabilities
{02.21.014} Cross - PKS key server CGI search parameter overflow
{02.21.015} Cross - AMANDA multiple overflows
{02.21.022} Cross - phpBB2 CGI IMG tag CSS vulnerability
- --- Windows News -------------------------------------------------------
*** {02.21.002} Win - ServletExec ISAPI multiple vulnerabilities
ServletExec version 4.1 reportedly contains three vulnerabilities:
disclosure of the Web root's physical path; the ability to read the
source of non-JSP Web files (ASP, ASA, etc.); and a denial of service
that causes IIS to crash.
These vulnerabilities are confirmed and fixed in patch #9, which is
available at:
ftp://ftp.newatlanta.com/public/4_1/patches/
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0077.html
*** {02.21.004} Win - MatuFtpServer PASS command overflow
MatuFtpServer version 1.1.3.0 is reportedly vulnerable to a buffer
overflow in the handling of large PASS commands, allowing a remote
attacker to cause a denial of service. Whether it also allows execution
of arbitrary code is unknown at this point.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-05/0194.html
*** {02.21.007} Win - MS02-024: Authentication flaw in Windows debugger
Microsoft released MS02-024 ("Authentication flaw in Windows
debugger"). Users who can log on to the system interactively (via the
local console or through Terminal Services) can potentially use the
Windows debugger to execute arbitrary programs with local system
privileges because of a flaw in the authentication process used by
the Windows debugger.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS02-024.asp
Source: Microsoft
http://archives.neohapsis.com/archives/vendor/2002-q2/0037.html
*** {02.21.008} Win - LocalWeb2000 server protected file bypass
The LocalWeb2000 Web server version 2.1.0 reportedly contains a
vulnerability that allows remote attackers to access protected
files/folders simply by prepending '/./' to the requested URL.
This vulnerability is not confirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0079.html
*** {02.21.016} Win - Opera file element can retrieve files
A bug in Opera 6.01 allows a malicious Web site to read arbitrary files
from the user's system (uploading them to the site) by appending a
particular piece of data to the value parameter of a file input tag.
This vulnerability is confirmed; Opera version 6.03 contains the fix.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-05/0225.html
*** {02.21.017} Win - Falcon Web server protected file bypass
Two published advisories indicate different ways to gain access to
protected directories/files served by Falcon Web server version 2.0.
These vulnerabilities are not confirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0082.html
http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0084.html
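The '/./' bypass in {02.21.008} is the classic symptom of an access check
that runs on the request string as the client sent it, while the file
system opens the canonical path; the Falcon advisories in {02.21.017}
report the same class of problem (access to protected directories/files)
and the tricks are not repeated here. The Python below is an added
illustration, not code from LocalWeb2000, Falcon Web server or either
advisory. The protected prefixes and the sample requests are assumed and
constructed, and the hardened check goes beyond the single '/./' case in
the advisory to also collapse percent-encoding (including double
encoding), backslashes, duplicate slashes and '..' segments.

```python
"""Added example (not LocalWeb2000 or Falcon Web server code): a protected-path
check that runs on the raw request string versus one that runs on the canonical
path. Prefixes and requests below are assumed/constructed for the demonstration."""
import posixpath
from typing import Iterable
from urllib.parse import unquote

# Assumed protected areas under the document root, kept lower-case because both
# servers in the advisories run on Windows, whose file system is case-insensitive.
PROTECTED_PREFIXES = ("/protected/", "/admin/")


def is_protected_naive(request_path: str) -> bool:
    """Vulnerable pattern: compare the request exactly as the client sent it.

    '/./protected/x' does not start with '/protected/', so the check passes,
    yet the file system resolves it to the very same file.
    """
    return request_path.startswith(PROTECTED_PREFIXES)


def canonicalize(request_path: str) -> str:
    """Reduce a request path to the one form the file system will resolve.

    - drop query string and fragment
    - percent-decode until stable, so %2e and double-encoded %252e collapse
    - treat backslashes as slashes (Windows servers usually do)
    - collapse '.', '..' and repeated slashes with posixpath.normpath
    - force a single leading '/' and case-fold for a case-insensitive root
    """
    path = request_path.split("?", 1)[0].split("#", 1)[0]
    previous = None
    while path != previous:
        previous, path = path, unquote(path)
    path = path.replace("\\", "/")
    path = posixpath.normpath("/" + path.lstrip("/"))
    return path.lower()


def is_protected_canonical(request_path: str) -> bool:
    """Fixed pattern: decide on the canonical path, not on the raw request."""
    canon = canonicalize(request_path)
    return any(canon == p.rstrip("/") or canon.startswith(p)
               for p in PROTECTED_PREFIXES)


def compare(requests: Iterable[str]) -> dict:
    """Run both checks over a batch of requests; returns {request: (naive, fixed)}."""
    return {r: (is_protected_naive(r), is_protected_canonical(r)) for r in requests}


if __name__ == "__main__":
    # Constructed sample requests: the first is honest, the rest are bypass attempts.
    samples = ["/protected/secret.txt", "/./protected/secret.txt",
               "/%2e/protected/secret.txt", "/%252e/protected/secret.txt",
               "//protected/secret.txt", "/public/../protected/secret.txt",
               "\\protected\\secret.txt", "/PROTECTED/Secret.txt"]
    for request, (naive, fixed) in compare(samples).items():
        print(f"{request:32} naive={naive!s:5} canonical={fixed}")
```

The decision and the file open must use the same string; if the server
canonicalizes for one and not the other, a second encoding layer or a
different separator reopens the hole.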
*** {02.21.021} Win - Update {02.20.029}: Linux/KDE talkd format string
vulnerability
The KDE team committed fixes to CVS for the vulnerability discussed
in {02.20.029} ("Linux/KDE talkd format string vulnerability").
KDE versions 3.0.1 and prior are vulnerable.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-05/0209.html
- --- Linux News ---------------------------------------------------------
*** {02.21.003} Linux - Update {02.19.005}: ISC DHCPD nsupdate format
string vulnerability
SuSE released updated dhcpd packages, which fix the vulnerability
discussed in {02.19.005} ("ISC DHCPD nsupdate format string
vulnerability").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/suse/2002-q2/0766.html
Source: SuSE
http://archives.neohapsis.com/archives/linux/suse/2002-q2/0766.html
*** {02.21.009} Linux - Update {02.19.012}: (uw-)imapd BODY command
overflow
Conectiva and Red Hat released updated imapd packages, which fix
the vulnerability discussed in {02.19.012} ("(uw-)imapd BODY command
overflow").
Updated Conectiva RPMs:
http://archives.neohapsis.com/archives/linux/conectiva/2002-q2/0018.html
Updated Red Hat RPMs:
http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0065.html
Source: Conectiva, Red Hat
http://archives.neohapsis.com/archives/linux/conectiva/2002-q2/0018.html
http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0065.html
*** {02.21.023} Linux - pam_ldap logging function format string
vulnerability
The pam_ldap module prior to version 144 contains a format string
vulnerability in the logging function.
This vulnerability is confirmed.
Updated Red Hat RPMs:
http://archives.neohapsis.com/archives/bugtraq/2002-05/0241.html
Source: Red Hat (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2002-05/0241.html
*** {02.21.024} Linux - Update {02.20.008}: fetchmail large e-mail
index overflow
Mandrake released updated fetchmail packages, which fix the
vulnerability discussed in {02.20.008} ("fetchmail large e-mail
index overflow").
Updated Mandrake RPMs are listed at:
http://archives.neohapsis.com/archives/bugtraq/2002-05/0247.html
Source: Mandrake (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2002-05/0247.html
*** {02.21.025} Linux - Update {02.19.011}: Perl MD5 module does not
handle UTF-8 correctly
Mandrake released updated Perl-digest-md5 packages, which fix the
vulnerability discussed in {02.19.011} ("Perl MD5 module does not
handle UTF-8 correctly").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/bugtraq/2002-05/0245.html
Source: Mandrake (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2002-05/0245.html
- --- Solaris News -------------------------------------------------------
*** {02.21.001} Sol - in.rarpd syserr()/error() overflows and format
string vulnerabilities
The in.rarpd service reportedly contains remotely exploitable
buffer overflows and format string vulnerabilities in the syserr()
and error() functions, allowing an attacker to execute arbitrary code
on the system.
These vulnerabilities are not confirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0074.html
*** {02.21.020} Sol - in.talkd print_mesg() format string vulnerability
A released advisory indicates that the in.talkd service included with
all versions of Solaris contains a remotely exploitable format string
vulnerability in the print_mesg() function.
This vulnerability is not confirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0078.html
- --- Network Appliances News --------------------------------------------
*** {02.21.011} NApps - Update {02.19.021}: Cisco ATA-186 Web interface
exposes configuration
Cisco released updated firmware, which fixes the vulnerability
discussed in {02.19.021} ("Cisco ATA-186 Web interface exposes
configuration").
The updated firmware is available by contacting your Cisco
representative.
Source: Cisco
http://archives.neohapsis.com/archives/cisco/2002-q2/0012.html
*** {02.21.012} NApps - Cisco CBOS DSL devices multiple DoS
Cisco released an advisory indicating that the CBOS firmware included
with the 600 series DSL modems contains bugs that leave the devices
vulnerable to several denial-of-service attacks.
These vulnerabilities are confirmed and fixed in CBOS version 2.4.5.
Source: Cisco
http://archives.neohapsis.com/archives/cisco/2002-q2/0013.html
*** {02.21.018} NApps - 3Com OfficeConnect ADSL router PAT forwards all
ports
The 3Com OfficeConnect Remote 812 ADSL router reportedly contains a
bug in the PAT (port address translation) feature, which causes the
router to forward all ports (rather than just the configured port) to
the host behind the router, potentially exposing vulnerable services
to compromise.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-05/0230.html
- --- Other News ---------------------------------------------------------
*** {02.21.006} Other - Cisco VOIP phones multiple DoS
Cisco released an advisory indicating that Cisco VOIP phones are
vulnerable to the classic lineup of DoS attacks (jolt, hping2, etc.).
The phones also include an administration Web server; particular remote
requests to CGIs in this Web server cause the phone to reset. Lastly,
someone with physical access to the phone can reset the network
settings, potentially allowing that person to eavesdrop on phone
traffic.
These vulnerabilities are confirmed. A full patch matrix is listed at:
http://archives.neohapsis.com/archives/cisco/2002-q2/0011.html
Source: Cisco
http://archives.neohapsis.com/archives/cisco/2002-q2/0011.html
*** {02.21.019} Other - ProLiant BL e-Class admin authentication
vulnerability
Compaq's ProLiant BL e-Class Integrated Administrator versions 1.0
and 1.10 potentially allow authenticated, non-admin users who have
access to the telnet or SSH services to reach restricted functions.
Compaq confirmed this vulnerability and released version 1.11, which
is available at:
http://www.compaq.com/support/files/server/us/locate/5708.html
Source: Compaq
http://archives.neohapsis.com/archives/compaq/2002-q2/0061.html
- --- Cross-Platform News ------------------------------------------------
*** {02.21.005} Cross - Webmin admin authentication bypass
Webmin prior to version 0.970 allows a remote attacker to bypass the
administrative authentication and access the services.
Mandrake confirmed this vulnerability.
Updated Mandrake RPMs are listed at:
http://archives.neohapsis.com/archives/bugtraq/2002-05/0197.html
Source: Mandrake
http://archives.neohapsis.com/archives/bugtraq/2002-05/0197.html
*** {02.21.010} Cross - OpenSSH 3.2.3 released
OpenSSH version 3.2.3 was released. The new version contains bug
fixes only; no security-related changes are included.
The latest source is available for download at:
http://www.openssh.org/
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-05/0235.html
*** {02.21.013} Cross - Mailman multiple CSS vulnerabilities
Mailman prior to version 2.0.11 contains two cross-site scripting
vulnerabilities in the log-in page and the handling of Pipermail
index summaries.
These vulnerabilities are confirmed and fixed in version 2.0.11.
Updated Conectiva RPMs are listed at:
http://archives.neohapsis.com/archives/linux/conectiva/2002-q2/0020.html
Source: Conectiva
http://archives.neohapsis.com/archives/linux/conectiva/2002-q2/0020.html
*** {02.21.014} Cross - PKS key server CGI search parameter overflow
The PKS key server CGI suite contains a buffer overflow in the handling
of the search URL parameter, potentially allowing a remote attacker to
execute arbitrary code on the system under the Web server's privileges.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-05/0220.html
*** {02.21.015} Cross - AMANDA multiple overflows
The AMANDA backup management software version 2.3.0.4 contains multiple
local buffer overflows in the various setuid/setgid utilities. It
also has a remotely exploitable buffer overflow in the amindexd
daemon. All overflows allow an attacker to execute arbitrary code
with elevated privileges.
These vulnerabilities are confirmed and fixed in recent versions of
AMANDA (version 2.3.0.4 is old).
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-05/0227.html
*** {02.21.022} Cross - phpBB2 CGI IMG tag CSS vulnerability
phpBB2 CGI suite versions 2.0 and prior contain a cross-site scripting
vulnerability in the handling of the IMG tag contents.
This vulnerability is confirmed and fixed in version 2.0.1.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-05/0234.html
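The phpBB2 entry above ({02.21.022}) and the Mailman entry ({02.21.013})
are both cross-site scripting: text a user supplies is copied into HTML
without being checked or escaped. For an IMG tag there is an extra twist,
because the attacker controls a URL: escaping alone leaves
'javascript:' intact, so the scheme has to be restricted as well. The
Python below is an added example, not phpBB2 or Mailman code and not
taken from either advisory; the BBCode syntax, the scheme allow-list and
the sample posts are assumptions/constructed.

```python
"""Added example (not phpBB2 or Mailman code): rendering a BBCode [img] tag
without a cross-site scripting hole. BBCode syntax, the scheme allow-list and
the posts in the demo are assumptions/constructed."""
import html
import re
from typing import Optional
from urllib.parse import urlsplit

IMG_TAG = re.compile(r"\[img\](.*?)\[/img\]", re.IGNORECASE | re.DOTALL)


def render_img_naive(post: str) -> str:
    """Vulnerable pattern: the tag body goes into the src attribute verbatim,
    so both a foreign scheme and an attribute break-out reach the browser."""
    return IMG_TAG.sub(lambda m: f'<img src="{m.group(1)}">', post)


def safe_img_url(raw: str) -> Optional[str]:
    """Return the URL if it is an absolute http(s) URL with a host and no
    whitespace or control characters; otherwise None.

    Whitespace and control characters are rejected outright because browsers
    drop some of them before parsing the scheme ('java\\tscript:' is still
    'javascript:'), and a real image URL never needs them.
    """
    url = raw.strip()
    if not url or any(c.isspace() or ord(c) < 0x20 for c in url):
        return None
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        return None
    return url


def render_img_safe(post: str) -> str:
    """Fixed pattern: allow-list the scheme, then attribute-escape the URL.

    A rejected tag is echoed back HTML-escaped, so the reader sees exactly what
    was posted and nothing in it is interpreted as markup.
    """
    def replace(match):
        url = safe_img_url(match.group(1))
        if url is None:
            return html.escape(match.group(0), quote=True)
        return f'<img src="{html.escape(url, quote=True)}">'
    return IMG_TAG.sub(replace, post)


if __name__ == "__main__":
    # Constructed posts: one honest image, then three hostile ones.
    posts = [
        "[img]http://example.com/a.gif[/img]",
        "[img]javascript:alert(document.cookie)[/img]",
        '[img]http://example.com/a.gif" onerror="alert(1)[/img]',
        "[img]http://example.com/a.gif'onerror='alert(1)[/img]",
    ]
    for post in posts:
        print("naive :", render_img_naive(post))
        print("safe  :", render_img_safe(post))
```

The two defences are independent: the allow-list stops a hostile scheme,
and the attribute escaping stops a quote in an otherwise acceptable URL
from closing the src attribute and starting an event handler.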
************************************************************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (BSD/OS)
Comment: For info see http://www.gnupg.org
iD8DBQE89nOj+LUG5KFpTkYRAktpAJ98Mb/skqblV4hEzL4mt8AZe0bFOQCaA6so
gUU/nUL/DUCfboCzv84qRRs=
=E/T9
-----END PGP SIGNATURE-----
------------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed
to you and you would like to begin receiving our security e-mail
newsletter on a weekly basis, we invite you to subscribe today.
http://www.networkcomputing.com/consensus/.
We are signing the Consensus newsletter
with PGP. The new SANS PGP key is posted at:
http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
also be accessed from the SANS Web site (http://www.sans.org).
Special Note: To better secure your confidential information,
we will no longer include personal URLs in our Consensus
newsletter mailings. Instead, we have created a new form
(http://www.sans.org/sansurl). On this form you can enter the SD
number located near your name at the top of the newsletter. When you
submit this form, an e-mail containing a URL will be sent to you at
the e-mail address on record. With this URL you can make changes to
your account (edit the content of your Consensus mailing, for example)
without endangering the security of your personal URL. If you'd like
to change your e-mail address or other information, please visit your
new URL as described above. If you have any problems or questions,
e-mail us at <consensus@nwc.com>.
If you would like to unsubscribe from this newsletter, grab your SD
number (next to your name at the top of this message) and visit the
URL below. You will be sent a personal URL via E-mail, from which
you can unsubscribe. http://www.sans.org/sansurl
Missed an issue? You can find all back issues of
Security Alert Consensus (and Security Express) online.
http://archives.neohapsis.com/
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2002 Network Computing, a CMP Media LLC
publication. All Rights Reserved. Distributed by Network
Computing (http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).