From: Network Computing and The SANS Institute (sans+ZZ43618355922903624_at_sans.org)
Date: Thu Aug 15 2002 - 11:34:27 CDT


    Re: Your personalized newsletter

                       -- Security Alert Consensus --
                            Number 032 (02.32)
                        Thursday, August 15, 2002
                           Created for you by
                  Network Computing and the SANS Institute
                           Powered by Neohapsis

    ----------------------------------------------------------------------

    Welcome to the latest edition of Security Alert Consensus! Below
    you should find information pertaining only to the categories you
    requested. Information on how to manage your subscription can be found
    at the bottom of the newsletter. If you have any problems or questions,
    please e-mail us at <consensus@nwc.com>.

    ----------------------------------------------------------------------

    This issue sponsored by SPI Dynamics

    Aberdeen Alert! FREE Research Report on Web App Attacks Using ports 80
    and 443 as expressways through network firewalls, hackers are free to
    probe and breach web applications! 75% of today's successful system
    hacks involve Web Application vulnerabilities, not network security
    flaws. Download this FREE Aberdeen Research Report!
    http://www.spidynamics.com/mktg/aberdeen18

    ----------------------------------------------------------------------

    NetWare administrators should be happy to hear that Novell
    launched a new campaign to report and provide security alerts and
    patches. You can read all about it in the company's fact sheet:
    http://archives.neohapsis.com/archives/bugtraq/2002-08/0105.html

    As for notable vulnerabilities this week, there are several: OpenBSD
    has a sign bug in select() that yields local root ({02.32.026});
    Macromedia Flash plugins and players on all platforms have buffer
    overflows ({02.32.020}); CDE ttdbserver has another remote overflow
    ({02.32.029}); iPlanet Web server has a chunked encoding overflow
    ({02.32.010}); and Raptor Firewall has weak TCP ISN generation
    ({02.32.014}).

    Also announced last week: many patches for the RPC XDR array decoding
    bug. This vulnerability is present in many RPC-based packages as well
    as in core system components. Relevant updates in this issue include
    {02.32.007} and {02.32.013}.

    Until next week,
    --Security Alert Consensus Team

    ************************************************************************

    TABLE OF CONTENTS:

    {02.32.008} Win - Google toolbar multiple vulnerabilities
    {02.32.009} Win - WS_FTP SITE CPWD overflow
    {02.32.011} Win - MS02-041: MCMS multiple vulnerabilities
    {02.32.022} Win - Update {02.31.016}: pppd file chmod race condition
    {02.32.004} Linux - Update {02.30.002}: libmm temporary file
                vulnerability
    {02.32.005} Linux - Update {02.30.001}: OpenSSL multiple overflows and
                ASN1 parse vulnerabilities
    {02.32.007} Linux - dietlibc RPC XDR array decoding overflow
    {02.32.012} Linux - Update {02.26.003}: Apache mod_ssl off by one
                configuration directive overflow
    {02.32.013} Linux - Update {02.31.009}: RPC XDR array decoding overflow
    {02.32.015} Linux - tinyproxy invalid request double-free vulnerability
    {02.32.016} Linux - Interchange HTTP service file reading
    {02.32.019} Linux - Tcl/tk library path vulnerabilities
    {02.32.021} Linux - Update {02.30.031}: HylaFAX faxgetty TSI DoS
    {02.32.023} Linux - Update {02.30.003}: chfn /etc/ptmp lockfile
                vulnerability
    {02.32.025} Linux - Update {02.30.024}: Mailman ml-name CGI CSS
                vulnerability
    {02.32.001} BSD - FreeBSD kqueue EVFILT_WRITE panic
    {02.32.002} BSD - NFS server empty payload infinite loop DoS
    {02.32.003} BSD - FreeBSD FFS arbitrary block writing
    {02.32.026} BSD - OpenBSD select() signed vulnerability
    {02.32.030} NW - Update {02.26.007}: IManage user name field DoS
    {02.32.031} SGI - Bulk Data Services arbitrary file read
    {02.32.006} NApps - Cisco VPN 5000 RADIUS PAP authentication
                vulnerability
    {02.32.028} NApps - Orinoco/Compaq 802.11b AP ID string vulnerability
    {02.32.010} Cross - iPlanet chunked encoding overflow
    {02.32.014} Cross - Raptor Firewall weak ISN vulnerability
    {02.32.017} Cross - xinetd signal pipe descriptor DoS
    {02.32.018} Cross - Cafelog b2 Weblog CGI multiple vulnerabilities
    {02.32.020} Cross - Macromedia Flash multiple vulnerabilities
    {02.32.024} Cross - Apache 2.0 vulnerability
    {02.32.027} Cross - Cisco VPN client multiple DoS vulnerabilities
    {02.32.029} Cross - rpc.ttdbserverd _TT_CREATE_FILE() heap overflow

    --- Windows News ---------------------------------------------------------

    *** {02.32.008} Win - Google toolbar multiple vulnerabilities

    Versions 1.1.58 and prior of the Google search toolbar reportedly
    contain multiple vulnerabilities that would allow a malicious Web
    site to change the configuration options of the toolbar, uninstall
    the application, execute arbitrary commands, read local files and
    run arbitrary JavaScript code in the 'My Computer' zone.

    The advisory indicates confirmation by the vendor, which released
    version 1.1.60.

    Source: NTBugtraq
    http://archives.neohapsis.com/archives/ntbugtraq/2002-q3/0066.html

    *** {02.32.009} Win - WS_FTP SITE CPWD overflow

    WS_FTP server version 3.1.1 contains a buffer overflow in the handling
    of large 'site cpwd' commands that allows an attacker (who is capable
    of logging in) to execute arbitrary code on the system.

    This vulnerability is confirmed; a patch is available at:
    ftp://ftp.ipswitch.com/ipswitch/product_support/WS_FTP_Server/ifs312.exe

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0063.html

    *** {02.32.011} Win - MS02-041: MCMS multiple vulnerabilities

    Microsoft released MS02-041 ("MCMS multiple vulnerabilities"). MCMS
    (Microsoft Content Management Server) 2002 contains a remotely
    exploitable buffer overflow as well as a flaw in the authentication
    mechanism that allows an attacker to upload arbitrary files to be
    executed via the IIS server.

    FAQ and patch:
    http://www.microsoft.com/technet/security/bulletin/MS02-041.asp

    Source: Microsoft (NTBugtraq)
    http://archives.neohapsis.com/archives/ntbugtraq/2002-q3/0080.html

    *** {02.32.022} Win - Update {02.31.016}: pppd file chmod race condition

    SuSE released updated i4l packages that fix the vulnerability discussed
    in {02.31.016} ("pppd file chmod race condition").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/suse/2002-q3/0665.html

    Source: SuSE
    http://archives.neohapsis.com/archives/linux/suse/2002-q3/0665.html

    --- Linux News -----------------------------------------------------------

    *** {02.32.004} Linux - Update {02.30.002}: libmm temporary file
                    vulnerability

    Red Hat released updated secureweb packages that fix the vulnerability
    discussed in {02.30.002} ("libmm temporary file vulnerability").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/redhat/2002-q3/0036.html

    Source: Red Hat
    http://archives.neohapsis.com/archives/linux/redhat/2002-q3/0036.html

    *** {02.32.005} Linux - Update {02.30.001}: OpenSSL multiple overflows
                    and ASN1 parse vulnerabilities

    EnGarde and Mandrake released updated OpenSSL packages that fix the
    vulnerability discussed in {02.30.001} ("OpenSSL multiple overflows
    and ASN1 parse vulnerabilities"). Conectiva re-released a new set
    of patches.

    Updated Mandrake RPMs:
    http://archives.neohapsis.com/archives/bugtraq/2002-08/0026.html

    Updated EnGarde RPMs:
    http://archives.neohapsis.com/archives/linux/engarde/2002-q3/0005.html

    Updated Conectiva RPMs:
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q3/0012.html

    Source: EnGarde, Conectiva, Mandrake (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2002-08/0026.html
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q3/0012.html
    http://archives.neohapsis.com/archives/linux/engarde/2002-q3/0005.html

    *** {02.32.007} Linux - dietlibc RPC XDR array decoding overflow

    The dietlibc library is vulnerable to the RPC XDR array decoding
    overflow recently reported as item {02.31.009}.

    Debian confirmed this bug and released updated DEBs:
    http://archives.neohapsis.com/archives/vendor/2002-q3/0028.html

    Source: Debian
    http://archives.neohapsis.com/archives/vendor/2002-q3/0028.html

    *** {02.32.012} Linux - Update {02.26.003}: Apache mod_ssl off by one
                    configuration directive overflow

    Mandrake released updated mod_ssl packages that fix the vulnerability
    discussed in {02.26.003} ("Apache mod_ssl off by one configuration
    directive overflow").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/bugtraq/2002-08/0055.html

    Source: Mandrake (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2002-08/0055.html

    *** {02.32.013} Linux - Update {02.31.009}: RPC XDR array decoding
                    overflow

    Multiple vendors released updated packages that fix the vulnerabilities
    discussed in {02.31.009} ("RPC XDR array decoding overflow").

    Updated Debian DEBs:
    http://archives.neohapsis.com/archives/vendor/2002-q3/0033.html

    Updated Conectiva RPMs:
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q3/0011.html

    Updated Red Hat RPMs:
    http://archives.neohapsis.com/archives/linux/redhat/2002-q3/0045.html

    Source: Debian, Conectiva, Red Hat
    http://archives.neohapsis.com/archives/vendor/2002-q3/0033.html
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q3/0011.html
    http://archives.neohapsis.com/archives/linux/redhat/2002-q3/0045.html

    *** {02.32.015} Linux - tinyproxy invalid request double-free
                    vulnerability

    An advisory released by Debian indicates the tinyproxy service could
    potentially attempt to double-free allocated memory as a result of
    a malformed request, thereby allowing a remote attacker to execute
    arbitrary code on the system.

    Updated Debian DEBs are listed at:
    http://archives.neohapsis.com/archives/vendor/2002-q3/0023.html

    Source: Debian
    http://archives.neohapsis.com/archives/vendor/2002-q3/0023.html

    *** {02.32.016} Linux - Interchange HTTP service file reading

    An advisory released by Debian indicates the interchange HTTP service
    contains a vulnerability that allows a remote attacker to read files
    readable by the service user id.

    Updated Debian DEBs are listed at:
    http://archives.neohapsis.com/archives/vendor/2002-q3/0034.html

    Source: Debian
    http://archives.neohapsis.com/archives/vendor/2002-q3/0034.html

    *** {02.32.019} Linux - Tcl/tk library path vulnerabilities

    An advisory released by Red Hat indicates the tcl/tk package includes
    insecure directories in its library search path, potentially allowing
    a local attacker to cause a trojan library to be loaded when any user
    executes an expect or tcl/tk script.

    Red Hat versions 7.0 and 7.1 are affected. Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/linux/redhat/2002-q3/0043.html

    Source: Red Hat
    http://archives.neohapsis.com/archives/linux/redhat/2002-q3/0043.html

    *** {02.32.021} Linux - Update {02.30.031}: HylaFAX faxgetty TSI DoS

    Debian released updated hylaFAX packages that fix the vulnerability
    discussed in {02.30.031} ("HylaFAX faxgetty TSI DoS").

    Updated DEBs are listed at:
    http://archives.neohapsis.com/archives/vendor/2002-q3/0030.html

    Source: Debian
    http://archives.neohapsis.com/archives/vendor/2002-q3/0030.html

    *** {02.32.023} Linux - Update {02.30.003}: chfn /etc/ptmp lockfile
                    vulnerability

    Mandrake released updated util-linux packages that fix the
    vulnerability discussed in {02.30.003} ("chfn /etc/ptmp lockfile
    vulnerability").

    Updated RPMs are listed at:
    http://archives.neohapsis.com/archives/bugtraq/2002-08/0052.html

    Source: Mandrake (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2002-08/0052.html

    *** {02.32.025} Linux - Update {02.30.024}: Mailman ml-name CGI CSS
                    vulnerability

    Debian released updated mailman packages that fix the vulnerability
    discussed in {02.30.024} ("Mailman ml-name CGI CSS vulnerability").

    Updated DEBs are listed at:
    http://archives.neohapsis.com/archives/vendor/2002-q3/0029.html

    Source: Debian
    http://archives.neohapsis.com/archives/vendor/2002-q3/0029.html

    --- BSD News -------------------------------------------------------------

    *** {02.32.001} BSD - FreeBSD kqueue EVFILT_WRITE panic

    An advisory released by FreeBSD indicates there is a flaw in the
    kqueue subsystem whereby a local attacker can induce a kernel panic by
    registering an EVFILT_WRITE kqueue filter on a half-closed pipe. This
    leads to a denial of service.

    FreeBSD 4.3 through 4.6 prior to August 9, 2002, are affected.

    Source: FreeBSD
    http://archives.neohapsis.com/archives/freebsd/2002-07/0669.html

    *** {02.32.002} BSD - NFS server empty payload infinite loop DoS

    An advisory released by FreeBSD indicates the NFS server shipped
    with FreeBSD versions 4.6.x and prior contains a bug that causes
    the system to enter an infinite loop if it receives an empty NFS
    packet. A remote attacker can trigger this bug, which leads to a
    denial of service situation.

    FreeBSD supported releases after August 1, 2002, contain a fix.

    Source: FreeBSD
    http://archives.neohapsis.com/archives/freebsd/2002-07/0668.html

    *** {02.32.003} BSD - FreeBSD FFS arbitrary block writing

    An advisory released by FreeBSD indicates that a bug caused by a
    miscalculation in file size in the FFS file system lets a local
    attacker access arbitrary blocks (and thus data) on the file system.

    FreeBSD releases as of July 31, 2002, contain the fix.

    Source: FreeBSD
    http://archives.neohapsis.com/archives/freebsd/2002-07/0667.html

    *** {02.32.026} BSD - OpenBSD select() signed vulnerability

    There is a bug in OpenBSD's handling of size parameters passed to the
    system via select() calls. The kernel mishandles the signed value
    of the parameter, thereby allowing a local attacker to overwrite
    arbitrary kernel memory and thus gain root access. All versions of
    OpenBSD are vulnerable.

    A patch is available at:
    ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/014_scarg.patch

    Source: OpenBSD
    http://archives.neohapsis.com/archives/openbsd/2002-08/0370.html
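    The integer checks behind the RPC XDR array decoding items ({02.32.007},
    {02.32.013}) and the select() item above, reduced to the validation step
    with a hardened version beside each weak one, as an added C example that
    is not from the newsletter or from any vendor's source tree; the limits,
    the 32-bit fd_mask word size and the function names are constructed for
    illustration.

```c
/* Added example, not from the newsletter or any vendor's source tree.
 * Two integer-validation bugs behind the RPC XDR array decoding items
 * ({02.32.007}, {02.32.013}) and the OpenBSD select() item ({02.32.026}),
 * reduced to the check itself; limits, word size and names are constructed. */
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* XDR array: the wire supplies an element count c; the caller supplies the
 * element size. Weak shape: only c is bounded, so c * elsize can wrap and a
 * buffer far smaller than c elements is allocated before decoding begins. */
static bool xdr_array_size_weak(unsigned int c, unsigned int maxsize,
                                unsigned int elsize, unsigned int *bytes)
{
    if (c > maxsize)
        return false;
    *bytes = c * elsize;                  /* wraps modulo 2^32 */
    return true;
}

/* Hardened: refuse any count whose byte size is not representable. */
static bool xdr_array_size_safe(unsigned int c, unsigned int maxsize,
                                unsigned int elsize, unsigned int *bytes)
{
    if (c > maxsize || elsize == 0 || c > UINT_MAX / elsize)
        return false;
    *bytes = c * elsize;
    return true;
}

/* select(): nd is a signed int from user space. Weak shape: clamping only
 * against the upper bound lets a negative nd through, and the rounded-up
 * word count then becomes an enormous size_t for the fd bitmap copy. */
static bool select_nd_weak(int nd, int nfiles, size_t *copylen)
{
    if (nd > nfiles)
        nd = nfiles;
    *copylen = (size_t)((nd + 31) / 32) * sizeof(unsigned int);
    return true;
}

/* Hardened: reject negative counts up front (EINVAL in a kernel), then clamp. */
static bool select_nd_safe(int nd, int nfiles, size_t *copylen)
{
    if (nd < 0)
        return false;
    if (nd > nfiles)
        nd = nfiles;
    *copylen = (size_t)((nd + 31) / 32) * sizeof(unsigned int);
    return true;
}

int main(void)
{
    unsigned int bytes;
    size_t len;
    /* 0x40000001 four-byte elements: weak check asks for 4 bytes, safe refuses. */
    printf("xdr weak   : %s, bytes=%u\n",
           xdr_array_size_weak(0x40000001u, 0x7fffffffu, 4u, &bytes)
               ? "accepted" : "rejected", bytes);
    printf("xdr safe   : %s\n",
           xdr_array_size_safe(0x40000001u, 0x7fffffffu, 4u, &bytes)
               ? "accepted" : "rejected");
    /* A negative descriptor count passes the weak clamp with a huge length. */
    printf("select weak: %s, copylen=%zu\n",
           select_nd_weak(-1000000, 64, &len) ? "accepted" : "rejected", len);
    printf("select safe: %s\n",
           select_nd_safe(-1000000, 64, &len) ? "accepted" : "rejected");
    return 0;
}
```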

    --- NetWare News ---------------------------------------------------------

    *** {02.32.030} NW - Update {02.26.007}: IManage user name field DoS

    Novell released updates that fix the vulnerability discussed in
    {02.26.007} ("IManage user name field DoS").

    A patch is available at:
    http://support.novell.com/servlet/tidfinder/2963081

    Source: Novell (SF Bugtraq)
    http://archives.neohapsis.com/archives/bugtraq/2002-08/0093.html

    --- SGI News -------------------------------------------------------------

    *** {02.32.031} SGI - Bulk Data Services arbitrary file read

    BDS (Bulk Data Services) versions prior to 2.5 allow a remote attacker
    to read arbitrary files on the system.

    SGI confirmed this vulnerability and released patch 4713 for IRIX
    6.5.13 through 6.5.16.

    Source: SGI
    http://archives.neohapsis.com/archives/vendor/2002-q3/0032.html

    --- Network Appliances News ----------------------------------------------

    *** {02.32.006} NApps - Cisco VPN 5000 RADIUS PAP authentication
                    vulnerability

    The Cisco VPN 5000 series concentrator running firmware versions
    6.0.21.0002 and 5.2.23.003 (and prior) sends the user's password
    in plain text to the RADIUS server in PAP authentication validation
    retry request packets. Attackers sniffing the network may be able to
    recover the user's password.

    Cisco confirmed this vulnerability. Firmware versions 6.0.21.0003
    and 5.2.23.0004 (or later) correct the problem.

    Source: Cisco
    http://archives.neohapsis.com/archives/cisco/2002-q3/0003.html

    *** {02.32.028} NApps - Orinoco/Compaq 802.11b AP ID string
                    vulnerability

    The Orinoco Residential Gateway and Compaq WL310 802.11b wireless
    access points contain a vulnerability that allows a remote attacker
    to recover the unique serial ID of the unit, which can then function
    as the default SNMP read/write community string. An attacker would
    need to be able to send a UDP packet to port 192 on the access point.

    The advisory indicates confirmation by the vendor, which reported
    that the Residential Gateway has been discontinued.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0075.html

    --- Cross-Platform News --------------------------------------------------

    *** {02.32.010} Cross - iPlanet chunked encoding overflow

    iPlanet Web server versions 4.1 and 6.0 are vulnerable to a client
    chunked encoding request overflow that allows an attacker to overwrite
    4 bytes of arbitrary memory and thus execute arbitrary code.

    Sun confirmed this vulnerability and released patch information,
    which is available at:
    http://www.sun.com/service/support/software/iplanet/alerts/transferencodingalert-23july2002.html

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0065.html

    *** {02.32.014} Cross - Raptor Firewall weak ISN vulnerability

    The Raptor Firewall versions 7.0 and prior, as well as VelociRaptor
    systems, have a weak TCP ISN (initial sequence number) generation
    routine that allows an attacker to potentially hijack and spoof
    packets into open connections.

    The vendor confirmed this vulnerability and released a patch, which
    is available at:
    http://www.symantec.com/techsupp/bulletin/archive/firewall/082002firewall.html

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-07/0492.html

    *** {02.32.017} Cross - xinetd signal pipe descriptor DoS

    Xinetd version 2.3.4 leaks the file descriptors of various pipes
    used for signaling to spawned child processes, potentially allowing
    an attacker to send signals to xinetd and cause a denial of service.

    Debian confirmed this vulnerability and released updated DEBs:
    http://archives.neohapsis.com/archives/vendor/2002-q3/0035.html

    Source: Debian
    http://archives.neohapsis.com/archives/vendor/2002-q3/0035.html

    *** {02.32.018} Cross - Cafelog b2 Weblog CGI multiple vulnerabilities

    The Cafelog b2 Weblog CGI suite version 2.06pre4 reportedly contains
    multiple vulnerabilities, including SQL tampering, cross-site scripting
    and command execution.

    These vulnerabilities are not confirmed.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0071.html

    *** {02.32.020} Cross - Macromedia Flash multiple vulnerabilities

    Macromedia released security bulletins that fix security
    vulnerabilities in the Flash media player and plugins. The
    vulnerabilities include a buffer overflow, which leads to the execution
    of arbitrary code, and the ability for a malicious Web site to upload
    local files to a Web server.

    An updated version of the Flash plugin is available at:
    http://www.macromedia.com/go/getflashplayer/

    Source: Macromedia
    http://archives.neohapsis.com/archives/vendor/2002-q3/0027.html

    *** {02.32.024} Cross - Apache 2.0 vulnerability

    An advisory released by the Apache team indicates the Apache 2.0 series
    prior to 2.0.40 contains a vulnerability when running on the Windows,
    OS/2 and NetWare platforms. As a result of the vulnerability, a remote
    attacker has access to "sensitive data." We believe the problem may
    stem from a '..' style directory traversal bug.

    Apache version 2.0.40 fixes the problem and is available for download
    from:
    http://www.apache.org/dist/httpd/

    Source: Apache
    http://archives.neohapsis.com/archives/apache/2002/0014.html

    *** {02.32.027} Cross - Cisco VPN client multiple DoS vulnerabilities

    An advisory released by Cisco indicates the Cisco VPN client contains
    various denial of service vulnerabilities in the handling of malformed
    IKE and VPN packets. Versions prior to 3.6 are vulnerable.

    Cisco confirmed these vulnerabilities and released client version 3.6,
    which is available at:
    http://www.cisco.com/univercd/cc/td/doc/product/vpn/client/

    Source: Cisco
    http://archives.neohapsis.com/archives/cisco/2002-q3/0004.html

    *** {02.32.029} Cross - rpc.ttdbserverd _TT_CREATE_FILE() heap overflow

    An advisory released by CERT indicates the ttdbserverd RPC service
    included with CDE on various platforms contains a heap-based buffer
    overflow in the _TT_CREATE_FILE() function that allows a remote
    attacker to execute arbitrary code on the system.

    Source: CERT
    http://archives.neohapsis.com/archives/cc/2002-q3/0006.html

    ************************************************************************

    ----------------------------------------------------------------------

    Become a Security Alert Consensus member! If this e-mail was passed
    to you and you would like to begin receiving our security e-mail
    newsletter on a weekly basis, we invite you to subscribe today.
    http://www.networkcomputing.com/consensus/.

    We are signing the Consensus newsletter with PGP. The new SANS PGP key
    is posted at:
    http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
    also be accessed from the SANS Web site (http://www.sans.org).

    Special Note: To better secure your confidential information, we will
    no longer include personal URLs in our Consensus newsletter mailings.
    Instead, we have created a new form (http://www.sans.org/sansurl). On
    this form you can enter the SD number located near your name at the
    top of the newsletter. When you submit this form, an e-mail containing
    a URL will be sent to you at the e-mail address on record. With this
    URL you can make changes to your account (edit the content of your
    Consensus mailing, for example) without endangering the security of
    your personal URL. If you'd like to change your e-mail address or
    other information, please visit your new URL as described above. If
    you have any problems or questions, e-mail us at <consensus@nwc.com>.

    If you would like to unsubscribe from this newsletter, grab your SD
    number (next to your name at the top of this message) and visit the
    URL below. You will be sent a personal URL via E-mail, from which
    you can unsubscribe. http://www.sans.org/sansurl

    Missed an issue? You can find all back issues of
    Security Alert Consensus (and Security Express) online.
    http://archives.neohapsis.com/

    Your opinion counts. We'd like to hear your thoughts on Security Alert
    Consensus. E-mail any questions or comments to <consensus@nwc.com>.

    Copyright (c) 2002 Network Computing, a CMP Media LLC
    publication. All Rights Reserved. Distributed by Network
    Computing (http://www.networkcomputing.com) and The SANS Institute
    (http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
    security assessment and integration services consulting group
    (info@neohapsis.com | http://www.neohapsis.com/).