From: Network Computing and The SANS Institute (sans+ZZ96805574218843624@sans.org)
Date: Thu Jun 13 2002 - 13:52:26 CDT


    Re: Your personalized newsletter

                      -- Security Alert Consensus --
                            Number 023 (02.23)
                         Thursday, June 13, 2002
                            Created for you by
                 Network Computing and the SANS Institute
                           Powered by Neohapsis

    ----------------------------------------------------------------------

    Welcome to the latest edition of Security Alert Consensus! Below
    you should find information pertaining only to the categories you
    requested. Information on how to manage your subscription can be found
    at the bottom of the newsletter. If you have any problems or questions,
    please e-mail us at <consensus@nwc.com>.

    ----------------------------------------------------------------------

    Sponsored by Symantec

    TechQuiz: Intrusion Detection
    Test your expertise when it comes to tracking down crafty hackers by
    taking our TechQuiz. This is your last chance to outsmart our technical
    editors on this topic, so don't delay! By answering all the questions
    correctly, you could win a color Palm handheld from our sponsor,
    Symantec.
    http://www.nwc.com/techquiz/

    ----------------------------------------------------------------------

    This week's issue leaves a lot of vendors catching up from the large
    barrage of problems that surfaced last week. What's interesting is
    that this week Windows camps will see their very first .NET security
    patch from Microsoft (item {02.23.012}).

    We also wanted to take this opportunity to elaborate on last
    week's Sendmail DoS attack vulnerability (item {02.22.028}).
    Basically, a general class of denial of service attack has been
    pointed out which involves local users exclusively locking
    critical service files. Any application which uses the standard
    file locking APIs is potentially subject to this DoS attack.
    At this point in time it's impossible to enumerate every possible
    vulnerable application, so we will instead just report them as
    they are discovered and patched, much like other vulnerabilities.
    Those curious about the technical details can read the following post:
    http://archives.neohapsis.com/archives/bugtraq/2002-05/0212.html
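    The locking behaviour described above lends itself to a small defensive
    illustration. The C program below is an added example, not part of the
    newsletter and not Sendmail's code: it takes an exclusive flock() lock
    with a bounded wait (polling with LOCK_NB and giving up after a timeout),
    so a service whose lock file is already held by another local process
    fails with an explicit status instead of hanging indefinitely, and it adds
    a heuristic check for lock files that users other than the owner can open.
    The function names, the temporary file under /tmp and the 100 ms timeout
    are all constructed for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/file.h>
#include <sys/stat.h>
#include <time.h>
#include <unistd.h>

/* Outcome of a bounded lock attempt (names constructed for this example). */
enum lock_result {
    LOCK_ACQUIRED = 0,   /* caller now holds the exclusive lock */
    LOCK_TIMED_OUT = 1,  /* another descriptor holds it; caller gave up */
    LOCK_ERROR = 2       /* unexpected flock() failure, see errno */
};

/*
 * Take an exclusive flock() on fd without ever blocking indefinitely.
 * A plain flock(fd, LOCK_EX) waits as long as any other holder keeps the
 * lock, which is exactly the hang the DoS class above relies on. Polling
 * with LOCK_NB and giving up after timeout_ms lets the caller log the
 * condition and fail or degrade deliberately.
 */
enum lock_result lock_with_timeout(int fd, int timeout_ms)
{
    const int step_ms = 20;
    struct timespec step = { 0, (long)step_ms * 1000000L };
    int waited = 0;

    for (;;) {
        if (flock(fd, LOCK_EX | LOCK_NB) == 0)
            return LOCK_ACQUIRED;
        if (errno != EWOULDBLOCK && errno != EINTR)
            return LOCK_ERROR;
        if (waited >= timeout_ms)
            return LOCK_TIMED_OUT;
        nanosleep(&step, NULL);
        waited += step_ms;
    }
}

/*
 * Heuristic: return 1 if any group or other permission bit is set on path.
 * Any local user who can open a file can flock() it, so a lock file that
 * other users can open can also be held by them. Returns -1 if stat() fails.
 */
int lock_file_is_shared(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) ? 1 : 0;
}

/*
 * Constructed demonstration: two descriptors on one temporary file contend
 * for the lock. Returns 0 when the waiter times out while the holder keeps
 * the lock and then succeeds once the holder releases it.
 */
int run_lock_demo(void)
{
    char path[] = "/tmp/lockdemo.XXXXXX";   /* constructed sample lock file */
    int holder = mkstemp(path);
    if (holder < 0)
        return -1;
    int waiter = open(path, O_RDONLY);     /* read access suffices to flock() */
    if (waiter < 0) {
        close(holder);
        unlink(path);
        return -2;
    }

    int rc = -3;
    if (flock(holder, LOCK_EX) == 0 &&
        lock_with_timeout(waiter, 100) == LOCK_TIMED_OUT) {
        flock(holder, LOCK_UN);                 /* holder lets go ... */
        if (lock_with_timeout(waiter, 100) == LOCK_ACQUIRED)
            rc = 0;                             /* ... and the waiter gets in */
    }
    flock(waiter, LOCK_UN);
    close(waiter);
    close(holder);
    unlink(path);
    return rc;
}

int main(void)
{
    int rc = run_lock_demo();
    printf("bounded lock demo: %s\n", rc == 0 ? "ok" : "failed");
    return rc == 0 ? 0 : 1;
}
```

    The bounded wait does not make the lock uncontended; it turns an
    indefinite hang into a logged, time-limited failure that monitoring can
    see, and the permission check flags lock files whose mode lets unrelated
    local users open them in the first place.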

    Until next week,
    - Security Alert Consensus Team

    ************************************************************************

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    TABLE OF CONTENTS:

    {02.23.012} Win - MS02-026: ASP.NET worker process overflow DoS
    {02.23.015} Win - BlackICE does not reactivate after suspend on laptops
    {02.23.016} Win - eDonkey 2000 client large URL overflow
    {02.23.023} Win - Seanox DevWex HTTP server '..' file retrieval
    {02.23.001} Linux - Update {02.22.020}: Ethereal multiple
                vulnerabilities
    {02.23.003} Linux - Update {02.22.001}: xchat dns query command exec
    {02.23.004} Linux - Update {02.22.044}: Ghostscript arbitrary command
                exec
    {02.23.005} Linux - Update {02.19.012}: (uw-)imapd BODY command overflow
    {02.23.006} Linux - Update {01.30.001}: tcpdump AFS parsing overflow (2)
    {02.23.007} Linux - Update {02.21.013}: Mailman multiple CSS vulns
    {02.23.008} Linux - Red Hat 7.x accepts remote print jobs by default
    {02.23.019} Linux - TrACESroute -T parameter format string vuln
    {02.23.010} SGI - IRIX talkd format string vuln
    {02.23.011} SGI - Update {02.04.022}: xkas icon file symlink exposure
    {02.23.020} SGI - MediaMail can be forced to core dump
    {02.23.009} SCO - Update {02.06.011}: Multi-vendor SNMP problems
    {02.23.013} NApps - Multiple Red-M 1050 bluetooth AP vulns
    {02.23.014} NApps - Telindus 11xx router provides plaintext password
    {02.23.002} Cross - Update {02.22.004}: BIND 9 internal consistency
                check DoS
    {02.23.017} Cross - PHPReactor browse.php CGI CSS vuln
    {02.23.018} Cross - Splatt forum CGI IMG tag CSS vuln
    {02.23.021} Cross - Voxel CBMS CGI multiple CSS and SQL injection vulns
    {02.23.022} Cross - Bugzilla 2.14.1 multiple vulnerabilities
    {02.23.024} Cross - MyHelpdesk CGI multiple CSS and SQL injection vulns
    {02.23.025} Cross - GeekLog CGI multiple CSS and SQL injection vulns
    {02.23.026} Cross - Datalex BookIt! stores passwords in cookies
    {02.23.027} Cross - AlienForm2 CGI template path filtering vuln

    - --- Windows News -------------------------------------------------------

    *** {02.23.012} Win - MS02-026: ASP.NET worker process overflow DoS

    Microsoft has released MS02-026 ("ASP.NET worker process overflow
    DoS"). The ASP.NET StateServer service contains a buffer overflow
    which allows a malicious cookie to cause it to restart, causing all
    currently active sessions (and their associated data) to be discarded.

    FAQ and patch:
    http://www.microsoft.com/technet/security/bulletin/MS02-026.asp

    Source: Microsoft
    http://archives.neohapsis.com/archives/vendor/2002-q2/0046.html

    *** {02.23.015} Win - BlackICE does not reactivate after suspend on
                    laptops

    BlackICE version 3.1 EAL has been found to not properly reactivate
    itself after coming out of suspend mode on laptops, thus leaving the
    system unprotected.

    This vulnerability has been confirmed and corrected in version 3.1 EBH,
    available from the vendor.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0090.html

    *** {02.23.016} Win - eDonkey 2000 client large URL overflow

    The eDonkey 2000 file sharing application prior to version 35.16.61 has
    been found to contain a buffer overflow in the handling of URLs
    contained in malicious websites/emails. The buffer overflow may
    allow the execution of arbitrary code.

    This vulnerability has been confirmed by the vendor, who has released
    version 35.16.61.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-06/0032.html

    *** {02.23.023} Win - Seanox DevWex HTTP server '..' file retrieval

    Seanox DevWex versions prior to 1.2002.0601 have been found to be
    vulnerable to URL requests containing '..' notation, allowing a remote
    attacker to access files outside the webroot. A denial of service
    was also reported.

    The advisory indicates vendor confirmation; the vendor has released
    version 1.2002.0601.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-06/0056.html

    - --- Linux News ---------------------------------------------------------

    *** {02.23.001} Linux - Update {02.22.020}: Ethereal multiple
                    vulnerabilities

    Red Hat has released updated ethereal packages, which fix the
    vulnerability discussed in {02.22.020} ("Ethereal multiple
    vulnerabilities").

    Updated Red Hat RPMs:
    http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0091.html

    Source: Red Hat
    http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0091.html

    *** {02.23.003} Linux - Update {02.22.001}: xchat dns query command exec

    Red Hat has released updated xchat packages, which fix the
    vulnerability discussed in {02.22.001} ("xchat dns query command
    exec").

    Updated Red Hat RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0086.html

    Source: Red Hat
    http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0086.html

    *** {02.23.004} Linux - Update {02.22.044}: Ghostscript arbitrary
                    command exec

    Red Hat has released updated ghostscript packages, which fix the
    vulnerability discussed in {02.22.044} ("Ghostscript arbitrary
    command exec").

    Updated Red Hat RPMs:
    http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0087.html

    Source: Red Hat
    http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0087.html

    *** {02.23.005} Linux - Update {02.19.012}: (uw-)imapd BODY command
                    overflow

    EnGarde has released updated imapd packages, which fix the
    vulnerability discussed in {02.19.012} ("(uw-)imapd BODY command
    overflow").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/engarde/2002-q2/0007.html

    Source: EnGarde
    http://archives.neohapsis.com/archives/linux/engarde/2002-q2/0007.html

    *** {02.23.006} Linux - Update {01.30.001}: tcpdump AFS parsing
                    overflow (2)

    Multiple vendors have released updated tcpdump packages, which fix the
    vulnerability discussed in {01.30.001} ("tcpdump AFS parsing overflow
    (2)").

    Updated Trustix RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2002-06/0038.html

    Updated Conectiva RPMs:
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q2/0022.html

    Updated Caldera RPMs:
    http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0022.html

    Source: Caldera, Conectiva, Trustix (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2002-06/0038.html
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q2/0022.html
    http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0022.html

    *** {02.23.007} Linux - Update {02.21.013}: Mailman multiple CSS vulns

    Red Hat has released updated mailman packages, which fix the
    vulnerability discussed in {02.21.013} ("Mailman multiple CSS vulns").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0093.html
    http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0094.html

    Source: Red Hat
    http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0093.html
    http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0094.html

    *** {02.23.008} Linux - Red Hat 7.x accepts remote print jobs by default

    Red Hat has released an advisory which indicates the default
    configuration of LPRng shipped with Red Hat 7.x distributions allows
    remote users to submit print jobs to the system.

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0095.html

    Source: Red Hat
    http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0095.html

    *** {02.23.019} Linux - TrACESroute -T parameter format string vuln

    TrACESroute version 6.0 GOLD has been reported to contain a format
    string vulnerability in the handling of the -T command line parameter,
    potentially allowing a local attacker to execute arbitrary code with
    elevated privileges.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-06/0040.html

    - --- SGI News -----------------------------------------------------------

    *** {02.23.010} SGI - IRIX talkd format string vuln

    SGI has released an advisory which indicates the talkd daemon shipped
    with IRIX 6.5.0 through 6.5.9 contains a remotely-exploitable format
    string vulnerability.

    The correct solution is to update to IRIX 6.5.10 or later.

    Source: SGI
    http://archives.neohapsis.com/archives/vendor/2002-q2/0049.html

    *** {02.23.011} SGI - Update {02.04.022}: xkas icon file symlink
                    exposure

    SGI has released a solution, which fixes the vulnerability discussed
    in {02.04.022} ("xkas icon file symlink exposure").

    SGI recommends manually removing the world write permission from
    /var/adm/appletalk/icons.

    Source: SGI
    http://archives.neohapsis.com/archives/vendor/2002-q2/0050.html

    *** {02.23.020} SGI - MediaMail can be forced to core dump

    SGI has released an advisory which indicates the MediaMail application
    can be forced by a local attacker to core dump, and this action could
    have potential security implications (probably via a symlink attack).

    MediaMail is a retired product, so SGI's solution is to remove it
    from the system.

    Source: SGI
    http://archives.neohapsis.com/archives/vendor/2002-q2/0047.html

    - --- SCO News -----------------------------------------------------------

    *** {02.23.009} SCO - Update {02.06.011}: Multi-vendor SNMP problems

    Caldera/SCO has released updated snmp packages, which fix the
    vulnerability discussed in {02.06.011} ("Multi-vendor SNMP problems").

    Updated binaries are located at:
    ftp://ftp.caldera.com/pub/updates/OpenServer/CSSA-2002-SCO.25

    Source: Caldera/SCO
    http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0024.html

    - --- Network Appliances News --------------------------------------------

    *** {02.23.013} NApps - Multiple Red-M 1050 bluetooth AP vulns

    An advisory was released that indicates multiple vulnerabilities exist
    in the Red-M 1050 bluetooth access point: management web server DoS,
    password weaknesses, PPP DoS, session storage weakness, and device
    broadcast identification. For details please see the reference
    URL below.

    The advisory indicates vendor confirmation; the vendor is currently
    working on updated firmware.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0089.html

    *** {02.23.014} NApps - Telindus 11xx router provides plaintext password

    The Telindus 11xx series of routers has been found to send the
    plaintext administrative password in a UDP response to a generic
    router probe, potentially allowing attackers to recover the password
    and gain access to the router.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-06/0028.html

    - --- Cross-Platform News ------------------------------------------------

    *** {02.23.002} Cross - Update {02.22.004}: BIND 9 internal consistency
                    check DoS

    Multiple vendors have released updated bind9 packages, which fix the
    vulnerability discussed in {02.22.004} ("BIND 9 internal consistency
    check DoS").

    Updated Caldera/SCO binaries located at:
    ftp://ftp.caldera.com/pub/updates/OpenUNIX/CSSA-2002-SCO.24

    Updated Red Hat RPMs:
    http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0085.html

    Updated Conectiva RPMs:
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q2/0025.html

    Updated SuSE RPMs:
    http://archives.neohapsis.com/archives/linux/suse/2002-q2/0905.html

    Source: Caldera/SCO, Red Hat, Conectiva, SuSE
    http://archives.neohapsis.com/archives/linux/caldera/2002-q2/0023.html
    http://archives.neohapsis.com/archives/linux/redhat/2002-q2/0085.html
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q2/0025.html
    http://archives.neohapsis.com/archives/linux/suse/2002-q2/0905.html

    *** {02.23.017} Cross - PHPReactor browse.php CGI CSS vuln

    The PHPReactor CGI suite version 1.2.7 has been found to contain a
    cross-site scripting vulnerability in the browse.php script's handling
    of the 'comments' form field.

    This vulnerability has been confirmed by the vendor, who has released
    version 1.2.7pl1.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-06/0034.html

    *** {02.23.018} Cross - Splatt forum CGI IMG tag CSS vuln

    Splatt forum CGI suite version 3.0 has been found to contain a
    cross-site scripting vulnerability in the handling of the IMG tag.

    This vulnerability has been confirmed by the vendor, who has released
    version 3.1.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q2/0091.html

    *** {02.23.021} Cross - Voxel CBMS CGI multiple CSS and SQL injection
                    vulns

    An advisory was released that indicates Voxel's CBMS CGI suite
    contains multiple cross-site scripting and SQL injection holes.
    The details of the vulnerabilities were not released.

    These vulnerabilities have not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-06/0043.html

    *** {02.23.022} Cross - Bugzilla 2.14.1 multiple vulnerabilities

    Bugzilla versions prior to 2.14.2 and 2.16rc2 contain multiple
    vulnerabilities, including cross-site scripting, potential SQL
    tampering, and sensitive data disclosure.

    Versions 2.14.2 and 2.16rc2 fix the problems.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-06/0054.html

    *** {02.23.024} Cross - MyHelpdesk CGI multiple CSS and SQL injection
                    vulns

    The MyHelpdesk CGI suite has been found to contain multiple
    cross-site scripting and SQL tampering vulnerabilities. For details
    please see the reference URL below.

    The advisory indicates vendor confirmation.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-06/0057.html

    *** {02.23.025} Cross - GeekLog CGI multiple CSS and SQL injection vulns

    The GeekLog CGI suite version 1.3.5 and prior has been found to contain
    multiple cross-site scripting and SQL injection vulnerabilities.
    For details please see the reference URL below.

    The advisory indicates vendor confirmation.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-06/0058.html

    *** {02.23.026} Cross - Datalex BookIt! stores passwords in cookies

    Datalex BookIt! prior to version 2.2 has been found to insecurely
    store user credentials (username and password) in plaintext cookies
    transmitted over normal HTTP. This could potentially allow for the
    information to be sniffed/recovered.

    The advisory indicates vendor confirmation; the vendor has released
    version 2.2.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-06/0063.html

    *** {02.23.027} Cross - AlienForm2 CGI template path filtering vuln

    The AlienForm2 CGI version 1.5 has been found to incorrectly filter
    out bad characters from the template path URL parameter, potentially
    allowing a remote attacker to view arbitrary files on the system
    (readable by the webserver), and write data out to local files.

    These vulnerabilities have not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-06/0068.html
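    Two items in this issue, {02.23.023} (DevWex '..' file retrieval) and
    {02.23.027} (AlienForm2 template path filtering), are both failures to
    keep a URL-supplied path inside the directory it is meant to address.
    The C function below is an added example, not code from either product
    or from the newsletter: rather than filtering characters such as '..'
    out of the request, it canonicalizes both the document root and the
    requested path with realpath() and accepts the file only if the result
    still lies under the root. The function names and the throwaway
    directory under /tmp are constructed for the example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/*
 * Resolve an untrusted, URL-derived path against root and return 1 only if
 * the canonical target lies inside the canonical root. Returns 0 for an
 * escape, an unresolvable target or an over-long path, and -1 if the root
 * itself cannot be resolved. realpath() collapses ".", ".." and symlinks,
 * so no textual blacklist of "bad characters" is relied on. On success the
 * canonical path is copied to resolved when it is non-NULL.
 * (Function name and signature are constructed for this example.)
 */
int path_within_root(const char *root, const char *requested,
                     char *resolved, size_t resolved_len)
{
    char root_real[PATH_MAX], joined[PATH_MAX], target_real[PATH_MAX];

    if (realpath(root, root_real) == NULL)
        return -1;
    if (snprintf(joined, sizeof joined, "%s/%s", root_real, requested)
            >= (int)sizeof joined)
        return 0;
    if (realpath(joined, target_real) == NULL)
        return 0;

    size_t rlen = strlen(root_real);
    if (rlen == 1 && root_real[0] == '/')
        rlen = 0;                        /* root is "/": everything is inside */
    /* The prefix match must end at a path boundary, otherwise a root of
       /srv/www would also accept /srv/www-private/secret. */
    if (strncmp(target_real, root_real, rlen) != 0)
        return 0;
    if (target_real[rlen] != '/' && target_real[rlen] != '\0')
        return 0;
    if (resolved != NULL)
        snprintf(resolved, resolved_len, "%s", target_real);
    return 1;
}

/*
 * Constructed fixture: a throwaway document root holding index.html and an
 * img/ subdirectory. Returns 0 when every case behaves as intended,
 * otherwise the number of the first failing case.
 */
int run_traversal_demo(void)
{
    char root[] = "/tmp/webroot.XXXXXX";
    char page[PATH_MAX], sub[PATH_MAX], out[PATH_MAX];
    if (mkdtemp(root) == NULL)
        return -1;
    snprintf(page, sizeof page, "%s/index.html", root);
    snprintf(sub, sizeof sub, "%s/img", root);
    int fd = open(page, O_WRONLY | O_CREAT, 0644);
    if (fd < 0 || mkdir(sub, 0755) != 0) {
        if (fd >= 0) close(fd);
        unlink(page);
        rmdir(root);
        return -2;
    }
    close(fd);

    int rc = 0;
    if (path_within_root(root, "index.html", out, sizeof out) != 1)
        rc = 1;                                   /* ordinary request */
    else if (path_within_root(root, "img/../index.html", out, sizeof out) != 1)
        rc = 2;                                   /* ".." that stays inside */
    else if (path_within_root(root, "../../../../etc/passwd", NULL, 0) != 0)
        rc = 3;                                   /* escape above the root */
    else if (path_within_root(root, "img/../..", NULL, 0) != 0)
        rc = 4;                                   /* escape to the parent dir */
    else if (path_within_root(root, "missing.html", NULL, 0) != 0)
        rc = 5;                                   /* nonexistent target refused */

    unlink(page);
    rmdir(sub);
    rmdir(root);
    return rc;
}

int main(void)
{
    int rc = run_traversal_demo();
    printf("path containment demo: %s (case %d)\n", rc == 0 ? "ok" : "failed", rc);
    return rc == 0 ? 0 : 1;
}
```

    Checking the canonical result rather than the request text is what makes
    the check robust: encoded or doubled '..' sequences and symlinks inside
    the root all collapse before the comparison, and a target that does not
    resolve is refused rather than guessed at.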

    ************************************************************************

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (BSD/OS)
    Comment: For info see http://www.gnupg.org

    iD8DBQE9COfo+LUG5KFpTkYRAhEsAJwNaVskTGQgLB2R/uRscYqUuXbFhwCcDf3J
    BlS+bv2Qsw28aOwIlxdGUlA=
    =8mfa
    -----END PGP SIGNATURE-----
    ------------------------------------------------------------------------

    Become a Security Alert Consensus member! If this e-mail was passed
    to you and you would like to begin receiving our security e-mail
    newsletter on a weekly basis, we invite you to subscribe today.
    http://www.networkcomputing.com/consensus/.

    We are signing the Consensus newsletter
    with PGP. The new SANS PGP key is posted at:
    http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
    also be accessed from the SANS Web site (http://www.sans.org).

    Special Note: To better secure your confidential information,
    we will no longer include personal URLs in our Consensus
    newsletter mailings. Instead, we have created a new form
    (http://www.sans.org/sansurl). On this form you can enter the SD
    number located near your name at the top of the newsletter. When you
    submit this form, an e-mail containing a URL will be sent to you at
    the e-mail address on record. With this URL you can make changes to
    your account (edit the content of your Consensus mailing, for example)
    without endangering the security of your personal URL. If you'd like
    to change your e-mail address or other information, please visit your
    new URL as described above. If you have any problems or questions,
    e-mail us at <consensus@nwc.com>.

    If you would like to unsubscribe from this newsletter, grab your SD
    number (next to your name at the top of this message) and visit the
    URL below. You will be sent a personal URL via E-mail, from which
    you can unsubscribe. http://www.sans.org/sansurl

    Missed an issue? You can find all back issues of
    Security Alert Consensus (and Security Express) online.
    http://archives.neohapsis.com/

    Your opinion counts. We'd like to hear your thoughts on Security Alert
    Consensus. E-mail any questions or comments to <consensus@nwc.com>.

    Copyright (c) 2002 Network Computing, a CMP Media LLC
    publication. All Rights Reserved. Distributed by Network
    Computing (http://www.networkcomputing.com) and The SANS Institute
    (http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
    security assessment and integration services consulting group
    (info@neohapsis.com | http://www.neohapsis.com/).