From: Network Computing and The SANS Institute (sans+ZZ43618355922903624_at_sans.org)
Date: Thu Aug 15 2002 - 11:34:27 CDT
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 032 (02.32)
Thursday, August 15, 2002
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below
you should find information pertaining only to the categories you
requested. Information on how to manage your subscription can be found
at the bottom of the newsletter. If you have any problems or questions,
please e-mail us at <consensus@nwc.com>.
----------------------------------------------------------------------
This issue sponsored by SPI Dynamics
Aberdeen Alert! FREE Research Report on Web App Attacks Using ports 80
and 443 as expressways through network firewalls, hackers are free to
probe and breach web applications! 75% of today's successful system
hacks involve Web Application vulnerabilities, not network security
flaws. Download this FREE Aberdeen Research Report!
http://www.spidynamics.com/mktg/aberdeen18
----------------------------------------------------------------------
NetWare administrators should be happy to hear that Novell
launched a new campaign to report and provide security alerts and
patches. You can read all about it in the company's fact sheet:
http://archives.neohapsis.com/archives/bugtraq/2002-08/0105.html
As for notable vulnerabilities this week, there are several: OpenBSD
has a sign bug in select() that yields local root ({02.32.026});
Macromedia Flash plugins and players on all platforms have buffer
overflows ({02.32.020}); CDE ttdbserver has another remote overflow
({02.32.029}); iPlanet Web server has a chunked encoding overflow
({02.32.010}); and Raptor Firewall has weak TCP ISN generation
({02.32.014}).
Also announced last week: many patches for the RPC XDR array decoding
bug. This vulnerability is present in many RPC-based packages as well
as in core system components. Relevant updates in this issue include
{02.32.007} and {02.32.013}.
Until next week,
--Security Alert Consensus Team
************************************************************************
TABLE OF CONTENTS:
{02.32.008} Win - Google toolbar multiple vulnerabilities
{02.32.009} Win - WS_FTP SITE CPWD overflow
{02.32.011} Win - MS02-041: MCMS multiple vulnerabilities
{02.32.022} Win - Update {02.31.016}: pppd file chmod race condition
{02.32.004} Linux - Update {02.30.002}: libmm temporary file
vulnerability
{02.32.005} Linux - Update {02.30.001}: OpenSSL multiple overflows and
ASN1 parse vulnerabilities
{02.32.007} Linux - dietlibc RPC XDR array decoding overflow
{02.32.012} Linux - Update {02.26.003}: Apache mod_ssl off by one
configuration directive overflow
{02.32.013} Linux - Update {02.31.009}: RPC XDR array decoding overflow
{02.32.015} Linux - tinyproxy invalid request double-free vulnerability
{02.32.016} Linux - Interchange HTTP service file reading
{02.32.019} Linux - Tcl/tk library path vulnerabilities
{02.32.021} Linux - Update {02.30.031}: HylaFAX faxgetty TSI DoS
{02.32.023} Linux - Update {02.30.003}: chfn /etc/ptmp lockfile
vulnerability
{02.32.025} Linux - Update {02.30.024}: Mailman ml-name CGI CSS
vulnerability
{02.32.001} BSD - FreeBSD kqueue EVFILT_WRITE panic
{02.32.002} BSD - NFS server empty payload infinite loop DoS
{02.32.003} BSD - FreeBSD FFS arbitrary block writing
{02.32.026} BSD - OpenBSD select() signed vulnerability
{02.32.030} NW - Update {02.26.007}: IManage user name field DoS
{02.32.031} SGI - Bulk Data Services arbitrary file read
{02.32.006} NApps - Cisco VPN 5000 RADIUS PAP authentication
vulnerability
{02.32.028} NApps - Orinoco/Compaq 802.11b AP ID string vulnerability
{02.32.010} Cross - iPlanet chunked encoding overflow
{02.32.014} Cross - Raptor Firewall weak ISN vulnerability
{02.32.017} Cross - xinetd signal pipe descriptor DoS
{02.32.018} Cross - Cafelog b2 Weblog CGI multiple vulnerabilities
{02.32.020} Cross - Macromedia Flash multiple vulnerabilities
{02.32.024} Cross - Apache 2.0 vulnerability
{02.32.027} Cross - Cisco VPN client multiple DoS vulnerabilities
{02.32.029} Cross - rpc.ttdbserverd _TT_CREATE_FILE() heap overflow
--- Windows News -------------------------------------------------------
*** {02.32.008} Win - Google toolbar multiple vulnerabilities
Versions 1.1.58 and prior of the Google search toolbar reportedly
contain multiple vulnerabilities that would allow a malicious Web
site to change the configuration options of the toolbar, uninstall
the application, execute arbitrary commands, read local files and
run arbitrary JavaScript code in the 'my computer' zone.
The advisory indicates confirmation by the vendor, which released
version 1.1.60.
Source: NTBugtraq
http://archives.neohapsis.com/archives/ntbugtraq/2002-q3/0066.html
*** {02.32.009} Win - WS_FTP SITE CPWD overflow
WS_FTP server version 3.1.1 contains a buffer overflow in the handling
of large 'site cpwd' commands that allows an attacker (who is capable
of logging in) to execute arbitrary code on the system.
This vulnerability is confirmed; a patch is available at:
ftp://ftp.ipswitch.com/ipswitch/product_support/WS_FTP_Server/ifs312.exe
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0063.html
*** {02.32.011} Win - MS02-041: MCMS multiple vulnerabilities
Microsoft released MS02-041 ("MCMS multiple vulnerabilities"). MCMS
(Microsoft Content Management Server) 2002 contains a remotely
exploitable buffer overflow as well as a flaw in the authentication
mechanism that allows an attacker to upload arbitrary files to be
executed via the IIS server.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS02-041.asp
Source: Microsoft (NTBugtraq)
http://archives.neohapsis.com/archives/ntbugtraq/2002-q3/0080.html
*** {02.32.022} Win - Update {02.31.016}: pppd file chmod race condition
SuSE released updated i4l packages that fix the vulnerability discussed
in {02.31.016} ("pppd file chmod race condition").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/suse/2002-q3/0665.html
Source: SuSE
http://archives.neohapsis.com/archives/linux/suse/2002-q3/0665.html
--- Linux News ---------------------------------------------------------
*** {02.32.004} Linux - Update {02.30.002}: libmm temporary file
vulnerability
Red Hat released updated secureweb packages that fix the vulnerability
discussed in {02.30.002} ("libmm temporary file vulnerability").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/redhat/2002-q3/0036.html
Source: Red Hat
http://archives.neohapsis.com/archives/linux/redhat/2002-q3/0036.html
*** {02.32.005} Linux - Update {02.30.001}: OpenSSL multiple overflows
and ASN1 parse vulnerabilities
EnGarde and Mandrake released updated openSSL packages that fix the
vulnerability discussed in {02.30.001} ("OpenSSL multiple overflows
and ASN1 parse vulnerabilities"). Conectiva rereleased a new set
of patches.
Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/bugtraq/2002-08/0026.html
Updated EnGarde RPMs:
http://archives.neohapsis.com/archives/linux/engarde/2002-q3/0005.html
Updated Conectiva RPMs:
http://archives.neohapsis.com/archives/linux/conectiva/2002-q3/0012.html
Source: EnGarde, Conectiva, Mandrake (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2002-08/0026.html
http://archives.neohapsis.com/archives/linux/conectiva/2002-q3/0012.html
http://archives.neohapsis.com/archives/linux/engarde/2002-q3/0005.html
*** {02.32.007} Linux - dietlibc RPC XDR array decoding overflow
The dietlibc library is vulnerable to the RPC XDR array decoding
overflow recently reported as item {02.31.009}.
Debian confirmed this bug and released updated DEBs:
http://archives.neohapsis.com/archives/vendor/2002-q3/0028.html
Source: Debian
http://archives.neohapsis.com/archives/vendor/2002-q3/0028.html
*** {02.32.012} Linux - Update {02.26.003}: Apache mod_ssl off by one
configuration directive overflow
Mandrake released updated mod_ssl packages that fix the vulnerability
discussed in {02.26.003} ("Apache mod_ssl off by one configuration
directive overflow").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/bugtraq/2002-08/0055.html
Source: Mandrake (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2002-08/0055.html
*** {02.32.013} Linux - Update {02.31.009}: RPC XDR array decoding
overflow
Multiple vendors released updated packages that fix the vulnerabilities
discussed in {02.31.009} ("RPC XDR array decoding overflow").
Updated Debian DEBs:
http://archives.neohapsis.com/archives/vendor/2002-q3/0033.html
Updated Conectiva RPMs:
http://archives.neohapsis.com/archives/linux/conectiva/2002-q3/0011.html
Updated Red Hat RPMs:
http://archives.neohapsis.com/archives/linux/redhat/2002-q3/0045.html
Source: Debian, Conectiva, Red Hat
http://archives.neohapsis.com/archives/vendor/2002-q3/0033.html
http://archives.neohapsis.com/archives/linux/conectiva/2002-q3/0011.html
http://archives.neohapsis.com/archives/linux/redhat/2002-q3/0045.html
*** {02.32.015} Linux - tinyproxy invalid request double-free
vulnerability
An advisory released by Debian indicates the tinyproxy service could
potentially attempt to double-free allocated memory as a result of
a malformed request, thereby allowing a remote attacker to execute
arbitrary code on the system.
Updated Debian DEBs are listed at:
http://archives.neohapsis.com/archives/vendor/2002-q3/0023.html
Source: Debian
http://archives.neohapsis.com/archives/vendor/2002-q3/0023.html
*** {02.32.016} Linux - Interchange HTTP service file reading
An advisory released by Debian indicates the interchange HTTP service
contains a vulnerability that allows a remote attacker to read files
readable by the service user id.
Updated Debian DEBs are listed at:
http://archives.neohapsis.com/archives/vendor/2002-q3/0034.html
Source: Debian
http://archives.neohapsis.com/archives/vendor/2002-q3/0034.html
*** {02.32.019} Linux - Tcl/tk library path vulnerabilities
An advisory released by Red Hat indicates the tcl/tk package includes
insecure directories in its library search path, potentially allowing
a local attacker to cause a trojan library to be loaded when any user
executes an expect or tcl/tk script.
Red Hat versions 7.0 and 7.1 are affected. Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/redhat/2002-q3/0043.html
Source: Red Hat
http://archives.neohapsis.com/archives/linux/redhat/2002-q3/0043.html
*** {02.32.021} Linux - Update {02.30.031}: HylaFAX faxgetty TSI DoS
Debian released updated hylaFAX packages that fix the vulnerability
discussed in {02.30.031} ("HylaFAX faxgetty TSI DoS").
Updated DEBs are listed at:
http://archives.neohapsis.com/archives/vendor/2002-q3/0030.html
Source: Debian
http://archives.neohapsis.com/archives/vendor/2002-q3/0030.html
*** {02.32.023} Linux - Update {02.30.003}: chfn /etc/ptmp lockfile
vulnerability
Mandrake released updated util-linux packages that fix the
vulnerability discussed in {02.30.003} ("chfn /etc/ptmp lockfile
vulnerability").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/bugtraq/2002-08/0052.html
Source: Mandrake (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2002-08/0052.html
*** {02.32.025} Linux - Update {02.30.024}: Mailman ml-name CGI CSS
vulnerability
Debian released updated mailman packages that fix the vulnerability
discussed in {02.30.024} ("Mailman ml-name CGI CSS vulnerability").
Updated DEBs are listed at:
http://archives.neohapsis.com/archives/vendor/2002-q3/0029.html
Source: Debian
http://archives.neohapsis.com/archives/vendor/2002-q3/0029.html
--- BSD News -----------------------------------------------------------
*** {02.32.001} BSD - FreeBSD kqueue EVFILT_WRITE panic
An advisory released by FreeBSD indicates there is a flaw in the
kqueue subsystem whereby a local attacker can induce a kernel panic by
registering an EVFILT_WRITE kqueue filter on a half-closed pipe. This
leads to a denial of service.
FreeBSD 4.3 through 4.6 prior to August 9, 2002, are affected.
Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2002-07/0669.html
*** {02.32.002} BSD - NFS server empty payload infinite loop DoS
An advisory released by FreeBSD indicates the NFS server shipped
with FreeBSD versions 4.6.x and prior contains a bug that causes
the system to enter an infinite loop if it receives an empty NFS
packet. A remote attacker can trigger this bug, which leads to a
denial of service situation.
FreeBSD supported releases after August 1, 2002, contain a fix.
Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2002-07/0668.html
*** {02.32.003} BSD - FreeBSD FFS arbitrary block writing
An advisory released by FreeBSD indicates that a bug caused by a
miscalculation in file size in the FFS file system lets a local
attacker access arbitrary blocks (and thus data) on the file system.
FreeBSD releases as of July 31, 2002, contain the fix.
Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2002-07/0667.html
*** {02.32.026} BSD - OpenBSD select() signed vulnerability
There is a bug in OpenBSD's handling of size parameters passed to the
system via select() calls. The kernel mishandles the signed value
of the parameter, thereby allowing a local attacker to overwrite
arbitrary kernel memory and thus gain root access. All versions of
OpenBSD are vulnerable.
A patch is available at:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/014_scarg.patch
Source: OpenBSD
http://archives.neohapsis.com/archives/openbsd/2002-08/0370.html
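To make the "signed value" point above concrete, here is an added C model (not OpenBSD's code; FD_NFILES, NFDBITS and the function names are assumptions chosen for the example) of a select()-style descriptor-count check. It shows why a negative count slips past an upper-bound-only test and what size the follow-on mask computation then produces, beside the explicit negative check that closes the gap.

```c
/* Added illustrative model of the signed descriptor-count check pattern
 * behind the OpenBSD select() item. Not OpenBSD's code: FD_NFILES, NFDBITS
 * and the function names are assumptions chosen for the example. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define NFDBITS   32   /* bits per fd_mask word (assumed) */
#define FD_NFILES 64   /* size of the process's open-file table (constructed) */

typedef unsigned int fd_mask;

/* Bytes needed for a bitmask covering nd descriptors, written the way a
 * howmany()-style macro computes it. The division happens in int first. */
static size_t mask_bytes(int nd)
{
    int words = (nd + NFDBITS - 1) / NFDBITS;
    /* A negative word count silently converts to a huge size_t here. */
    return (size_t)words * sizeof(fd_mask);
}

/* Vulnerable shape: only the upper bound is tested. Any negative nd is
 * less than FD_NFILES, so it is accepted as if it were a small count. */
static int accept_nd_vulnerable(int nd)
{
    if (nd > FD_NFILES)
        return EINVAL;
    return 0;
}

/* Hardened shape: reject the negative range explicitly before any
 * arithmetic or allocation is derived from nd. */
static int accept_nd_hardened(int nd)
{
    if (nd < 0 || nd > FD_NFILES)
        return EINVAL;
    return 0;
}

/* Whole path: validate, then size the mask. Returns the byte count the
 * kernel would go on to use, or 0 with *err set to the rejection code. */
static size_t select_mask_size(int nd, int hardened, int *err)
{
    *err = hardened ? accept_nd_hardened(nd) : accept_nd_vulnerable(nd);
    if (*err != 0)
        return 0;
    return mask_bytes(nd);
}

int main(void)
{
    const int samples[] = { 1, 64, 65, -1, -100 };  /* constructed inputs */
    size_t i;

    printf("%8s %23s %23s\n", "nd", "vulnerable check", "hardened check");
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int e1, e2;
        size_t s1 = select_mask_size(samples[i], 0, &e1);
        size_t s2 = select_mask_size(samples[i], 1, &e2);
        printf("%8d %8s %14zu %8s %14zu\n", samples[i],
               e1 ? "EINVAL" : "ok", s1, e2 ? "EINVAL" : "ok", s2);
    }
    return 0;
}
```

The table makes the failure visible: -1 passes the vulnerable check with a zero-byte mask, and -100 passes it with a mask size near the top of the address space, while the hardened check rejects both.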
--- NetWare News -------------------------------------------------------
*** {02.32.030} NW - Update {02.26.007}: IManage user name field DoS
Novell released updates that fix the vulnerability discussed in
{02.26.007} ("IManage user name field DoS").
A patch is available at:
http://support.novell.com/servlet/tidfinder/2963081
Source: Novell (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2002-08/0093.html
--- SGI News -----------------------------------------------------------
*** {02.32.031} SGI - Bulk Data Services arbitrary file read
BDS (Bulk Data Services) versions prior to 2.5 allow a remote attacker
to read arbitrary files on the system.
SGI confirmed this vulnerability and released patch 4713 for IRIX
6.5.13 through 6.5.16.
Source: SGI
http://archives.neohapsis.com/archives/vendor/2002-q3/0032.html
--- Network Appliances News --------------------------------------------
*** {02.32.006} NApps - Cisco VPN 5000 RADIUS PAP authentication
vulnerability
The Cisco VPN 5000 series concentrator running firmware versions
6.0.21.0002 and 5.2.23.003 (and prior) sends the user's password
in plain text to the RADIUS server in PAP authentication validation
retry request packets. Attackers sniffing the network may be able to
recover the user's password.
Cisco confirmed this vulnerability. Firmware versions 6.0.21.0003
and 5.2.23.0004 (or later) correct the problem.
Source: Cisco
http://archives.neohapsis.com/archives/cisco/2002-q3/0003.html
*** {02.32.028} NApps - Orinoco/Compaq 802.11b AP ID string
vulnerability
The Orinoco Residential Gateway and Compaq WL310 802.11b wireless
access points contain a vulnerability that allows a remote attacker
to recover the unique serial ID of the unit, which can then function
as the default SNMP read/write community string. An attacker would
need to be able to send a UDP packet to port 192 on the access point.
The advisory indicates confirmation by the vendor, which reported
the discontinuance of the Residential Gateway.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0075.html
--- Cross-Platform News ------------------------------------------------
*** {02.32.010} Cross - iPlanet chunked encoding overflow
iPlanet Web server versions 4.1 and 6.0 are vulnerable to a client
chunked encoding request overflow that allows an attacker to overwrite
4 bytes of arbitrary memory and thus execute arbitrary code.
Sun confirmed this vulnerability and released patch information,
which is available at:
http://www.sun.com/service/support/software/iplanet/alerts/transferencodingalert-23july2002.html
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0065.html
*** {02.32.014} Cross - Raptor Firewall weak ISN vulnerability
The Raptor Firewall versions 7.0 and prior, as well as VelociRaptor
systems, have a weak TCP ISN (initial sequence number) generation
routine that allows an attacker to potentially hijack and spoof
packets into open connections.
The vendor confirmed this vulnerability and released a patch, which
is available at:
http://www.symantec.com/techsupp/bulletin/archive/firewall/082002firewall.html
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-07/0492.html
*** {02.32.017} Cross - xinetd signal pipe descriptor DoS
Xinetd version 2.3.4 leaks the file descriptors of various pipes
used for signaling to spawned child processes, potentially allowing
an attacker to send signals to xinetd and cause a denial of service.
Debian confirmed this vulnerability and released updated DEBs:
http://archives.neohapsis.com/archives/vendor/2002-q3/0035.html
Source: Debian
http://archives.neohapsis.com/archives/vendor/2002-q3/0035.html
*** {02.32.018} Cross - Cafelog b2 Weblog CGI multiple vulnerabilities
The Cafelog b2 Weblog CGI suite version 2.06pre4 reportedly contains
multiple vulnerabilities, including SQL tampering, cross-site scripting
and command execution.
These vulnerabilities are not confirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0071.html
*** {02.32.020} Cross - Macromedia Flash multiple vulnerabilities
Macromedia released security bulletins that fix security
vulnerabilities in the Flash media player and plugins. The
vulnerabilities include a buffer overflow, which leads to the execution
of arbitrary code, and the ability for a malicious Web site to upload
local files to a Web server.
An updated version of the Flash plugin is available at:
http://www.macromedia.com/go/getflashplayer/
Source: Macromedia
http://archives.neohapsis.com/archives/vendor/2002-q3/0027.html
*** {02.32.024} Cross - Apache 2.0 vulnerability
An advisory released by the Apache team indicates the Apache 2.0 series
prior to 2.0.40 contains a vulnerability when running on the Windows,
OS/2 and NetWare platforms. As a result of the vulnerability, a remote
attacker has access to "sensitive data." We believe the problem may
stem from a '..' style directory traversal bug.
Apache version 2.0.40 fixes the problem and is available for download
from:
http://www.apache.org/dist/httpd/
Source: Apache
http://archives.neohapsis.com/archives/apache/2002/0014.html
*** {02.32.027} Cross - Cisco VPN client multiple DoS vulnerabilities
An advisory released by Cisco indicates the Cisco VPN client contains
various denial of service vulnerabilities in the handling of malformed
IKE and VPN packets. Versions prior to 3.6 are vulnerable.
Cisco confirmed these vulnerabilities and released client version 3.6,
which is available at:
http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/
Source: Cisco
http://archives.neohapsis.com/archives/cisco/2002-q3/0004.html
*** {02.32.029} Cross - rpc.ttdbserverd _TT_CREATE_FILE() heap overflow
An advisory released by CERT indicates the ttdbserverd RPC service
included with CDE on various platforms contains a heap-based buffer
overflow in the _TT_CREATE_FILE() function that allows a remote
attacker to execute arbitrary code on the system.
Source: CERT
http://archives.neohapsis.com/archives/cc/2002-q3/0006.html
************************************************************************
------------------------------------------------------------------------
----------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed
to you and you would like to begin receiving our security e-mail
newsletter on a weekly basis, we invite you to subscribe today.
http://www.networkcomputing.com/consensus/.
We are signing the Consensus newsletter
with PGP. The new SANS PGP key is posted at:
http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
also be accessed from the SANS Web site (http://www.sans.org).
Special Note: To better secure your confidential information, we will
no longer include personal URLs in our Consensus newsletter mailings.
Instead, we have created a new form (http://www.sans.org/sansurl). On
this form you can enter the SD number located near your name at the
top of the newsletter. When you submit this form, an e-mail containing
a URL will be sent to you at the e-mail address on record. With this
URL you can make changes to your account (edit the content of your
Consensus mailing, for example) without endangering the security of
your personal URL. If you'd like to change your e-mail address or
other information, please visit your new URL as described above. If
you have any problems or questions, e-mail us at <consensus@nwc.com>.
If you would like to unsubscribe from this newsletter, grab your SD
number (next to your name at the top of this message) and visit the
URL below. You will be sent a personal URL via E-mail, from which
you can unsubscribe. http://www.sans.org/sansurl
Missed an issue? You can find all back issues of
Security Alert Consensus (and Security Express) online.
http://archives.neohapsis.com/
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2002 Network Computing, a CMP Media LLC
publication. All Rights Reserved. Distributed by Network
Computing (http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).