From: Network Computing and The SANS Institute (sans+ZZ85611012638983775_at_sans.org)
Date: Thu Jul 18 2002 - 13:42:28 CDT
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 028 (02.28)
Thursday, July 18, 2002
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below
you should find information pertaining only to the categories you
requested. Information on how to manage your subscription can be found
at the bottom of the newsletter. If you have any problems or questions,
please e-mail us at <consensus@nwc.com>.
----------------------------------------------------------------------
Tech Library White Paper Spotlight: SAFE VPN: IPSec VPNs in Depth Read
Cisco's best practice information for designing and implementing
enterprise IPSec (IP security) VPNs (virtual private networks).
http://techlibrary.networkcomputing.com/data/detail?id=1014669748_545&type=RES&x=7571703
----------------------------------------------------------------------
Microsoft released patches for a bulk of MS SQL Server vulnerabilities
this week (items {02.28.006} and {02.28.007} in the Windows
category). The CDE-equipped Unix camps need to worry about the latest
rpc.ttdbserver vulnerability (item {02.28.011} in the Cross-Platform
category). Historically, other CDE ttdb bugs have been exploited to
a large degree, so affected shops should consider upgrading sooner
rather than later.
Until next week,
--Security Alert Consensus Team
************************************************************************
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
TABLE OF CONTENTS:
{02.28.003} Win - Carello CGI arbitrary app execution
{02.28.005} Win - PGP Outlook plugin decryption overflow
{02.28.006} Win - MS02-034: Cumulative Patch for SQL Server
{02.28.007} Win - MS02-035: SQL Server setup.iss log file exposes
passwords
{02.28.015} Win - RealONE/RealJukebox RJS skin.ini overflow
{02.28.023} Win - Adobe Library eBook DoS vulnerabilities
{02.28.026} Win - Lil'HTTP pbcgi CGI e-mail parameter CSS vulnerability
{02.28.027} Win - Popcorn e-mail client multiple vulnerabilities
{02.28.029} Win - BadBlue Web server multiple vulnerabilities
{02.28.032} Win - Norton Personal Internet Firewall HTTP proxy overflow
{02.28.034} Win - Oddsock Playlist Generator CGI multiple DoS
{02.28.008} Linux - Update {02.26.002}: DNS libresolve/resolver buffer
overflow
{02.28.014} Linux - Update {02.27.004}: Squid 2.4.STABLE7 released,
with security fixes
{02.28.018} Linux - Update {02.26.003}: Apache mod_ssl off by one
configuration directive overflow
{02.28.009} BSD - Update {01.30.001}: tcpdump AFS parsing overflow (2)
{02.28.010} BSD - ktrace suid app access to privileged information
{02.28.025} Sol - Sun iRunbook CGIs file access
{02.28.033} HPUX - Update {02.26.023}: HP/Sharity cifslogin multiple
command-line parameter overflows
{02.28.012} SCO - timed remote DoS
{02.28.013} SCO - uux long status file name overflow
{02.28.016} Other - Update {02.27.012}: MacOSX SoftwareUpdate
unauthenticated downloads
{02.28.021} Other - Tru64 inetd service flood DoS
{02.28.022} Other - Tru64 ipcs local buffer overflow
{02.28.024} Other - Pingtel xpressa SIP phone multiple vulnerabilities
{02.28.001} Cross - GoAhead Web server directive traversal and CSS
vulnerabilities
{02.28.002} Cross - Apache Tomcat invoker servlet CSS vulnerability
{02.28.004} Cross - Fluid Dynamics search CGI 'Rank' parameter CSS
vulnerability
{02.28.011} Cross - CDE rpc.ttdbserver two vulnerabilities
{02.28.017} Cross - Double Choco Latte CGI multiple vulnerabilities
{02.28.019} Cross - atphttpd multiple vulnerabilities
{02.28.020} Cross - Novell Netmail/NIMS multiple vulnerabilities
{02.28.028} Cross - CARE 2002 CGI file reading
{02.28.030} Cross - Tivoli TMR Endpoint HTTP request DoS
{02.28.031} Cross - Tivoli TMR ManagedNodes HTTP overflow
--- Windows News -------------------------------------------------------
*** {02.28.003} Win - Carello CGI arbitrary app execution
The Carello shopping cart CGI suite version 1.3 allows a remote
attacker to execute arbitrary programs on the system by submitting
a particular VBEXE URL parameter.
The advisory indicates confirmation by the vendor, which fixed the
problem in the next available version.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0015.html
*** {02.28.005} Win - PGP Outlook plugin decryption overflow
The PGP Outlook plugin included with PGP Desktop, Personal and Freeware
versions 7.0.4 and prior contains a buffer overflow in the decryption
of malformed e-mail messages. This allows a remote attacker to execute
arbitrary code on users' systems as soon as they view the malformed
e-mail. PGP Corporate Desktop users are reportedly not vulnerable.
The vendor confirmed this vulnerability and
released a patch, which is available at:
http://www.nai.com/naicommon/download/upgrade/patches/patch-pgphotfix.asp
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0016.html
*** {02.28.006} Win - MS02-034: Cumulative Patch for SQL Server
Microsoft released MS02-034 ("Cumulative Patch for SQL Server"). MS
SQL Server and MSDE installations have three new vulnerabilities:
a buffer overflow in the bulk insert procedure; a buffer overflow in
the password encryption procedure; and insecure permissions on the
SQL service account registry key. The buffer overflows allow attackers
capable of running arbitrary SQL statements to elevate their SQL user
privileges and potentially execute arbitrary code.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS02-034.asp
Source: Microsoft (NTBugtraq)
http://archives.neohapsis.com/archives/ntbugtraq/2002-q3/0012.html
*** {02.28.007} Win - MS02-035: SQL Server setup.iss log file exposes
passwords
Microsoft released MS02-035 ("SQL Server setup.iss log file
exposes passwords"). It's possible to create a precomputed
set-up file (setup.iss) in MS SQL Server to use for unattended
installations. However, installations that use the setup.iss
file produce installation log files afterwards, which include any
SQL-server-related passwords in plain text.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS02-035.asp
Source: Microsoft (NTBugtraq)
http://archives.neohapsis.com/archives/ntbugtraq/2002-q3/0009.html
*** {02.28.015} Win - RealONE/RealJukebox RJS skin.ini overflow
The RealONE and RealJukebox clients contain a buffer overflow in the
parsing of custom skin files, potentially allowing a malformed skin
file to execute arbitrary code on the user's system. In addition, it
may be possible for a malicious Web site to force the download of a
skin file. Skin files also can potentially contain active scripting,
which is executed in the Local System zone.
The vendor confirmed this problem; updates are listed at:
http://service.real.com/help/faq/security/bufferoverrun07092002.html
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-07/0127.html
http://archives.neohapsis.com/archives/bugtraq/2002-07/0130.html
*** {02.28.023} Win - Adobe Library eBook DoS vulnerabilities
The Adobe Library eBook virtual library suite is subject to multiple
denial of service attacks that could allow a malicious attacker to check
out all available books for long periods of time, regardless of settings.
These vulnerabilities are not confirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0020.html
*** {02.28.026} Win - Lil'HTTP pbcgi CGI e-mail parameter CSS
vulnerability
The pbcgi CGI included with Lil'HTTP contains a cross-site scripting
vulnerability in the handling of the e-mail URL parameter.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-07/0112.html
*** {02.28.027} Win - Popcorn e-mail client multiple vulnerabilities
The popcorn e-mail client versions 1.20 and prior contain multiple
vulnerabilities: a buffer overflow in the Subject e-mail header and
two denial of service attacks that lead to resource consumption or
application crashing.
These vulnerabilities are not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-07/0117.html
*** {02.28.029} Win - BadBlue Web server multiple vulnerabilities
The BadBlue Web server reportedly contains three vulnerabilities:
a denial of service attack when submitting a malformed HTTP request;
disclosure of source code and other file contents regardless of
settings; and weak storage of the administrative password.
These vulnerabilities are not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-07/0143.html
*** {02.28.032} Win - Norton Personal Internet Firewall HTTP proxy
overflow
Norton Personal Internet Firewall version 3.0.4.91 (version 2001)
contains a buffer overflow in the handling of large HTTP proxy
requests. As a result, an internal/local attacker can execute arbitrary
code on the system.
The vendor confirmed this vulnerability and released a patch.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0026.html
http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0027.html
*** {02.28.034} Win - Oddsock Playlist Generator CGI multiple DoS
The Oddsock Playlist Generator CGI contains multiple overflows that
lead to denial of service situations. A remote attacker can trigger
these vulnerabilities.
These vulnerabilities are not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-07/0175.html
--- Linux News ---------------------------------------------------------
*** {02.28.008} Linux - Update {02.26.002}: DNS libresolve/resolver
buffer overflow
Conectiva and Mandrake released updated bind packages, which fix
the vulnerability discussed in {02.26.002} ("DNS libresolve/resolver
buffer overflow").
Updated Conectiva RPMs:
http://archives.neohapsis.com/archives/linux/conectiva/2002-q3/0004.html
Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/bugtraq/2002-07/0180.html
Source: Conectiva, Mandrake (SF Bugtraq)
http://archives.neohapsis.com/archives/linux/conectiva/2002-q3/0004.html
http://archives.neohapsis.com/archives/bugtraq/2002-07/0180.html
*** {02.28.014} Linux - Update {02.27.004}: Squid 2.4.STABLE7 released,
with security fixes
Trustix released updated squid packages, which fix the vulnerability
discussed in {02.27.004} ("Squid 2.4.STABLE7 released, with security
fixes").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/bugtraq/2002-07/0154.html
Source: Trustix (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2002-07/0154.html
*** {02.28.018} Linux - Update {02.26.003}: Apache mod_ssl off by one
configuration directive overflow
Red Hat and Caldera released updated modssl packages, which fix the
vulnerability discussed in {02.26.003} ("Apache mod_ssl off by one
configuration directive overflow").
Updated Red Hat RPMs:
http://archives.neohapsis.com/archives/linux/redhat/2002-q3/0008.html
Updated Caldera RPMs:
http://archives.neohapsis.com/archives/bugtraq/2002-07/0183.html
Source: Red Hat, Caldera (SF Bugtraq)
http://archives.neohapsis.com/archives/linux/redhat/2002-q3/0008.html
http://archives.neohapsis.com/archives/bugtraq/2002-07/0183.html
--- BSD News -----------------------------------------------------------
*** {02.28.009} BSD - Update {01.30.001}: tcpdump AFS parsing overflow
(2)
FreeBSD committed updated tcpdump packages to CVS, which fix the
vulnerability discussed in {01.30.001} ("tcpdump AFS parsing overflow
(2)").
The RELENG branches as of July 12th contain the updated versions.
Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2002-07/0242.html
*** {02.28.010} BSD - ktrace suid app access to privileged information
FreeBSD released an advisory indicating that local attackers can
ktrace setuid/setgid applications, potentially allowing them to view
privileged information that the application retains after it drops
its elevated privileges.
FreeBSD RELENG branches as of July 11th contain the appropriate fix.
Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2002-07/0243.html
--- Solaris News -------------------------------------------------------
*** {02.28.025} Sol - Sun iRunbook CGIs file access
The iRunbook Explorer CGI suite allows a remote attacker to access
arbitrary files readable by the Web server by submitting a request
with a variant of reverse directory traversal ('..') notation.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-07/0107.html
--- HP-UX News ---------------------------------------------------------
*** {02.28.033} HPUX - Update {02.26.023}: HP/Sharity cifslogin
multiple command-line parameter overflows
HP released updated CIFS/9000 packages, which fix the vulnerability
discussed in {02.26.023} ("HP/Sharity cifslogin multiple command-line
parameter overflows").
Install CIFS/9000 client version A.01.07 or later.
Source: HP/Compaq
http://archives.neohapsis.com/archives/hp/2002-q3/0016.html
--- SCO News -----------------------------------------------------------
*** {02.28.012} SCO - timed remote DoS
Caldera/SCO released an advisory indicating that the timed daemon
does not properly check certain incoming data, potentially resulting
in a denial of service situation.
Updated binaries are available at:
ftp://ftp.caldera.com/pub/updates/OpenServer/CSSA-2002-SCO.33
Source: Caldera/SCO
http://archives.neohapsis.com/archives/linux/caldera/2002-q3/0003.html
*** {02.28.013} SCO - uux long status file name overflow
Caldera/SCO released an advisory indicating that the uux utility
is vulnerable to a local buffer overflow in the handling of long
file-name parameters. This could allow a local attacker to execute
arbitrary code with elevated privileges.
Updated binaries are available at:
ftp://ftp.caldera.com/pub/updates/OpenServer/CSSA-2002-SCO.34
Source: Caldera/SCO
http://archives.neohapsis.com/archives/linux/caldera/2002-q3/0004.html
--- Other News ---------------------------------------------------------
*** {02.28.016} Other - Update {02.27.012}: MacOSX SoftwareUpdate
unauthenticated downloads
Apple released a patch that fixes the vulnerability discussed in
{02.27.012} ("MacOSX SoftwareUpdate unauthenticated downloads").
The patch is available at:
http://download.info.apple.com/Mac_OS_X/061-0074.20020712/2z/SecurityUpdate7-12-02.dmg.bin
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-07/0146.html
*** {02.28.021} Other - Tru64 inetd service flood DoS
Compaq/HP released an advisory indicating the potential for a denial
of service attack whereby a remote attacker floods inetd.
The vendor confirmed this vulnerability and released an early-release
patch. Further information is available at the reference URL below.
Source: Compaq/HP
http://archives.neohapsis.com/archives/compaq/2002-q3/0011.html
*** {02.28.022} Other - Tru64 ipcs local buffer overflow
Compaq/HP released an advisory indicating the ipcs utility contains a
buffer overflow that would allow a local attacker to execute arbitrary
code with elevated privileges.
A full list of updated patches is available at the reference URL below.
Source: Compaq/HP
http://archives.neohapsis.com/archives/compaq/2002-q3/0009.html
*** {02.28.024} Other - Pingtel xpressa SIP phone multiple
vulnerabilities
Pingtel xpressa SIP phones with firmware versions 1.2.7.4 and prior
contain a few vulnerabilities: a default administrative password;
non-admin-authenticated users can perform a denial of service attack
by changing system settings; and attackers with physical access can
reset the administrative password.
The advisory indicates confirmation by the vendor, which released a
'best practices' deployment guide:
http://www.pingtel.com/docs/best_practices_20x.txt
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0019.html
--- Cross-Platform News ------------------------------------------------
*** {02.28.001} Cross - GoAhead Web server directive traversal and CSS
vulnerabilities
GoAhead Web server version 2.1 reportedly contains two vulnerabilities:
a directory traversal problem that allows remote attackers to access
files outside the Web root and a cross-site scripting vulnerability
in the handling of HTTP 404 responses.
These vulnerabilities are not confirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0013.html
*** {02.28.002} Cross - Apache Tomcat invoker servlet CSS vulnerability
The invoker servlet included with Apache Tomcat version 4.0.3 is
vulnerable to cross-site scripting in the handling of URLs for
particular servlets.
This vulnerability is not confirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0014.html
*** {02.28.004} Cross - Fluid Dynamics search CGI 'Rank' parameter CSS
vulnerability
The Fluid Dynamics search CGI prior to version 2.0.0.0055 contains
a cross-site scripting bug in the handling of the 'Rank' URL parameter.
The vendor confirmed this vulnerability and released version
2.0.0.0055.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-07/0096.html
http://archives.neohapsis.com/archives/bugtraq/2002-07/0094.html
*** {02.28.011} Cross - CDE rpc.ttdbserver two vulnerabilities
The CDE rpc.ttdbserver contains two vulnerabilities that would allow
a remote attacker to execute arbitrary code as well as delete or
overwrite arbitrary files.
IBM released APARs IY32368 (4.3.3) and IY32370 (5.1.0).
Caldera/SCO released updated binaries, which are available at:
ftp://ftp.caldera.com/pub/updates/OpenUNIX/CSSA-2002-SCO.28
HP released a temporary workaround, which is detailed at:
http://archives.neohapsis.com/archives/hp/2002-q3/0011.html
Source: CERT, IBM, Caldera/SCO, HP
http://archives.neohapsis.com/archives/cc/2002-q3/0000.html
http://archives.neohapsis.com/archives/aix/2002-q3/0002.html
http://archives.neohapsis.com/archives/linux/caldera/2002-q3/0002.html
http://archives.neohapsis.com/archives/hp/2002-q3/0011.html
*** {02.28.017} Cross - Double Choco Latte CGI multiple vulnerabilities
The Double Choco Latte CGI suite prior to version 20020706 allows a
remote attacker to trick the server into downloading arbitrary files
readable by the Web server. The CGI suite also contains multiple
cross-site scripting errors.
The vendor confirmed these vulnerabilities and released version
20020706.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0022.html
*** {02.28.019} Cross - atphttpd multiple vulnerabilities
The atphttpd Web server version 0.4b contains multiple buffer
overflows, which allow a remote attacker to execute arbitrary code
under the privileges of the Web server.
These vulnerabilities are not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-07/0134.html
*** {02.28.020} Cross - Novell Netmail/NIMS multiple vulnerabilities
Novell released patches for various buffer overflows found in the
Netmail/NIMS package prior to version 3.0.3b. The buffer overflows
exist in the Web interface and the IMAP service, and they could
potentially allow the remote execution of arbitrary code.
A full list of patches is available at:
http://archives.neohapsis.com/archives/bugtraq/2002-07/0153.html
http://archives.neohapsis.com/archives/bugtraq/2002-07/0152.html
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-07/0153.html
http://archives.neohapsis.com/archives/bugtraq/2002-07/0152.html
*** {02.28.028} Cross - CARE 2002 CGI file reading
Under certain configurations, the CARE 2002 CGI suite allows a remote
attacker to read arbitrary files readable by the Web server. The
vulnerability depends on the PHP 'magic_quotes_gpc' directive being
turned off.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-07/0128.html
*** {02.28.030} Cross - Tivoli TMR Endpoint HTTP request DoS
The Web server included with IBM Tivoli TMR Endpoints version 3.7.1
contains a buffer overflow in the handling of very large GET requests,
resulting in a denial of service attack.
The vendor confirmed this vulnerability, which is fixed in FixPack 2.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0023.html
*** {02.28.031} Cross - Tivoli TMR ManagedNodes HTTP overflow
The Web server included with IBM Tivoli TMR ManagedNodes version
3.7.1 contains a buffer overflow in the handling of very large GET
requests. As a result, a remote attacker can execute arbitrary code.
The vendor confirmed this vulnerability.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0024.html
************************************************************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (BSD/OS)
Comment: For info see http://www.gnupg.org
iD8DBQE9Nwn4+LUG5KFpTkYRAiLYAJsEffRpqBXOU0NNk7FQPBkE7RoowQCbBVyT
nFPuZfwNejc1L8tG8QE35v0=
=fsJF
-----END PGP SIGNATURE-----
----------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed
to you and you would like to begin receiving our security e-mail
newsletter on a weekly basis, we invite you to subscribe today.
http://www.networkcomputing.com/consensus/.
We are signing the Consensus newsletter with PGP. The new SANS PGP key
is posted at:
http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46
and can also be accessed from the SANS Web site (http://www.sans.org).
Special Note: To better secure your confidential information, we will
no longer include personal URLs in our Consensus newsletter mailings.
Instead, we have created a new form (http://www.sans.org/sansurl). On
this form you can enter the SD number located near your name at the
top of the newsletter. When you submit this form, an e-mail containing
a URL will be sent to you at the e-mail address on record. With this
URL you can make changes to your account (edit the content of your
Consensus mailing, for example) without endangering the security of
your personal URL. If you'd like to change your e-mail address or
other information, please visit your new URL as described above. If
you have any problems or questions, e-mail us at <consensus@nwc.com>.
If you would like to unsubscribe from this newsletter, grab your SD
number (next to your name at the top of this message) and visit the
URL below. You will be sent a personal URL via E-mail, from which
you can unsubscribe. http://www.sans.org/sansurl
Missed an issue? You can find all back issues of Security Alert
Consensus (and Security Express) online.
http://archives.neohapsis.com/
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2002 Network Computing, a CMP Media LLC
publication. All Rights Reserved. Distributed by Network
Computing (http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).