From: Network Computing and The SANS Institute (sans+ZZ81183924829033775_at_sans.org)
Date: Thu Sep 19 2002 - 14:10:24 CDT



    Re: Your personalized newsletter

                       -- Security Alert Consensus --
                            Number 037 (02.37)
                        Thursday, September 19, 2002
                            Created for you by
                  Network Computing and the SANS Institute
                           Powered by Neohapsis

    ----------------------------------------------------------------------

    Welcome to the latest edition of Security Alert Consensus! Below
    you should find information pertaining only to the categories you
    requested. Information on how to manage your subscription can be found
    at the bottom of the newsletter. If you have any problems or questions,
    please e-mail us at <consensusnwc.com>.

    ----------------------------------------------------------------------

    This issue sponsored by F-Secure Inc.

    Secure network traffic with F-Secure SSH.
    Certified by ICSA Labs and containing FIPS-140-1 Validated components
    certified by NIST, many large corporations and government organizations
    rely on F-Secure SSH. Find out why, Try Before You Buy! 30-day FREE
    TRIAL

    http://www.f-secure.com/get/fips140/

    ----------------------------------------------------------------------

    If you haven't heard by now, a worm is slithering around, exploiting
    Apache servers that are vulnerable to an OpenSSL buffer overflow. Upon
    successfully breaking in, the worm installs a DDoS agent on the system
    and then continues to probe other systems. Fortunately, Apache displays
    the exact software versions by default in the HTTP Server response
    header, so it's extremely easy to remotely determine

    http://archives.neohapsis.com/archives/cc/2002-q3/0009.html

    To go along with this week's release of NetBSD 1.6, the NetBSD team
    also has released a flood of security advisories withheld pending
    the new version's debut. NetBSD folks will notice a lot of traffic
    under the BSD category.

    Until next week,
    --Security Alert Consensus Team

    ************************************************************************

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    TABLE OF CONTENTS:

    {02.37.018} Win - Savant Web server multiple vulnerabilities
    {02.37.019} Win - PlanetWeb server URL request overflow
    {02.37.002} Linux - Update {02.33.024}: Multiple Postgres function
                buffer overflows
    {02.37.003} Linux - Purity two buffer overflows
    {02.37.005} Linux - Update {01.27.039}: PHP mail() command may bypass
                safe_mode
    {02.37.006} Linux - Update {02.30.003}: chfn /etc/ptmp lockfile
                vulnerability
    {02.37.008} BSD - TIOCSCTTY ioctl DoS
    {02.37.009} BSD - setlocale array element overflow
    {02.37.010} BSD - Update {02.32.002}: NFS server empty payload infinite
                loop DoS
    {02.37.011} BSD - fd_set overflows fd_setsize
    {02.37.012} BSD - shutdown with SHUT_RD causes instability
    {02.37.014} BSD - libkvm ports can read /dev/(k)mem
    {02.37.017} NApps - Enterasys SSR8000 MPS port DoS
    {02.37.015} Other - Tru64 SSRT-547: TCP ISN, ARP and ftpd
                vulnerabilities
    {02.37.004} Cross - Update {02.30.001}: OpenSSL multiple overflows and
                ASN1 parse vulnerabilities
    {02.37.007} Cross - Konqueror subframe CSS and insecure cookie
                vulnerabilities
    {02.37.013} Cross - Heimdal kfd multiple vulnerabilities
    {02.37.016} Cross - xbreaky highscores file symlink vulnerability
    {02.37.020} Cross - UT2003 small ping DoS
    {02.37.001} Tools - NetBSD 1.6 available

    --- Windows News -------------------------------------------------------

    *** {02.37.018} Win - Savant Web server multiple vulnerabilities

    Savant Web server version 3.1 contains multiple vulnerabilities: a
    buffer overflow in the cgitest.exe sample CGI; an application crash
    when a negative Content-Length header is given; and an authorization
    bypass on password-protected folders.

    These vulnerabilities are not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-09/0151.html

    *** {02.37.019} Win - PlanetWeb server URL request overflow

    PlanetWeb version 1.14 reportedly contains a buffer overflow in the
    handling of large URL requests, thereby allowing a remote attacker
    to execute arbitrary code on the system.

    This vulnerability has not been confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-09/0166.html

    --- Linux News ---------------------------------------------------------

    *** {02.37.002} Linux - Update {02.33.024}: Multiple Postgres function
                    buffer overflows

    Debian released updated Postgres packages that fix the vulnerability
    discussed in {02.33.024} ("Multiple Postgres function buffer
    overflows").

    Updated DEBs are listed at the reference URL below.

    Source: Debian
    http://archives.neohapsis.com/archives/linux/debian/2002-q3/0032.html

    *** {02.37.003} Linux - Purity two buffer overflows

    The purity game application contains two buffer overflows that let
    a local attacker gain group 'games' privileges.

    Debian confirmed this vulnerability and released updated DEBs, which
    are listed at the reference URL below.

    Source: Debian
    http://archives.neohapsis.com/archives/linux/debian/2002-q3/0039.html

    *** {02.37.005} Linux - Update {01.27.039}: PHP mail() command may
                    bypass safe_mode

    Mandrake released updated PHP packages that fix the vulnerability
    discussed in {01.27.039} ("PHP mail() command may bypass safe_mode").

    Updated RPMs are listed at the reference URL below.

    Source: Mandrake
    http://archives.neohapsis.com/archives/linux/mandrake/2002-q3/0169.html

    *** {02.37.006} Linux - Update {02.30.003}: chfn /etc/ptmp lockfile
                    vulnerability

    Conectiva released updated util-linux packages that fix the
    vulnerability discussed in {02.30.003} ("chfn /etc/ptmp lockfile
    vulnerability").

    Updated RPMs are listed at the reference URL below.

    Source: Conectiva
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q3/0020.html

    --- BSD News -----------------------------------------------------------

    *** {02.37.008} BSD - TIOCSCTTY ioctl DoS

    A NetBSD advisory indicates that it's possible for a local attacker
    to issue multiple TIOCSCTTY ioctl requests. Eventually, this will
    overflow an internal kernel counter and lead to a kernel panic.

    This vulnerability is confirmed and was fixed in NetBSD-current and
    -1.6 on July 31, 2002. It also was fixed in -1.5 on Sept. 5, 2002.

    Source: NetBSD
    http://archives.neohapsis.com/archives/netbsd/2002-q3/0183.html

    *** {02.37.009} BSD - setlocale array element overflow

    A NetBSD advisory indicates that a local buffer overflow exists in
    the setlocale() libc function whereby a malicious locale definition
    will overwrite the bounds of an array. Certain setuid applications
    (xterm, in particular) could yield local root privileges.

    This vulnerability is confirmed and fixed. NetBSD-current and -1.6
    as of Aug. 8, 2002, contain a fix. NetBSD-1.5 as of Sept. 5, 2002,
    contains a fix.

    Source: NetBSD
    http://archives.neohapsis.com/archives/netbsd/2002-q3/0187.html

    *** {02.37.010} BSD - Update {02.32.002}: NFS server empty payload
                    infinite loop DoS

    NetBSD released updates that fix the vulnerability discussed in
    {02.32.002} ("NFS server empty payload infinite loop DoS").

    NetBSD-current and NetBSD-1.6 as of Aug. 3, 2002, contain a
    fix. NetBSD-1.5 as of Sept. 5, 2002, contains a fix.

    Source: NetBSD
    http://archives.neohapsis.com/archives/netbsd/2002-q3/0188.html

    *** {02.37.011} BSD - fd_set overflows fd_setsize

    A NetBSD advisory indicates that the fd_set() function used by select()
    overflows the fd_setsize maximum if a local attacker opens multiple
    file descriptors before executing a program. This can lead to a local
    root compromise via exploitation of mrinfo, mtrace or pppd.

    This vulnerability is confirmed. NetBSD-current and NetBSD-1.6 as of
    Aug. 11, 2002, and NetBSD-1.5 as of Sept. 5, 2002, contain fixes.

    Source: NetBSD
    http://archives.neohapsis.com/archives/netbsd/2002-q3/0189.html
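The defect described above is easy to reproduce in miniature: FD_SET() performs no range check, so a program that inherits a descriptor numbered at or above FD_SETSIZE (because its caller opened many files before exec()) writes past the end of the fd_set. The following is an added example, not code from the NetBSD advisory; the function names (fd_set_checked, dup_above_setsize, demo_high_fd_rejected) are hypothetical. It shows the bounds check a setuid program such as the ones named above should apply before handing a descriptor to select().

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/select.h>
#include <unistd.h>

/* Add fd to set only if it fits in the fd_set bit array.  FD_SET() itself
 * performs no range check: an fd >= FD_SETSIZE writes past the end of the
 * set, which is the overflow the advisory describes.  Returns 0 on success,
 * -1 with errno = EINVAL when the descriptor is out of range. */
int fd_set_checked(int fd, fd_set *set)
{
    if (fd < 0 || fd >= FD_SETSIZE) {
        errno = EINVAL;
        return -1;
    }
    FD_SET(fd, set);
    return 0;
}

/* Produce a descriptor numbered at or above FD_SETSIZE by duplicating fd,
 * the situation a program is in when its caller opened many files before
 * exec().  Returns the new descriptor, or -1 if RLIMIT_NOFILE forbids it. */
int dup_above_setsize(int fd)
{
    return fcntl(fd, F_DUPFD, FD_SETSIZE);
}

/* Returns 1 if the checked wrapper rejected a high-numbered descriptor,
 * 0 if it accepted one, -1 if no such descriptor could be created here. */
int demo_high_fd_rejected(void)
{
    fd_set readfds;
    int high = dup_above_setsize(STDIN_FILENO);
    if (high < 0)
        return -1;
    FD_ZERO(&readfds);
    int rc = fd_set_checked(high, &readfds);
    int rejected = (rc == -1 && errno == EINVAL);
    close(high);
    return rejected ? 1 : 0;
}

int main(void)
{
    int r = demo_high_fd_rejected();
    if (r < 0)
        printf("could not allocate an fd >= %d (raise ulimit -n to try)\n",
               FD_SETSIZE);
    else
        printf("fd >= %d was %s\n", FD_SETSIZE,
               r ? "rejected before FD_SET()" : "accepted (unsafe)");
    return 0;
}
```

The wrapper is the whole fix from the program's side: an out-of-range descriptor is reported as an error instead of corrupting memory. Where a program cannot bound its descriptor numbers, poll() takes an explicit array and has no FD_SETSIZE ceiling.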

    *** {02.37.012} BSD - shutdown with SHUT_RD causes instability

    A NetBSD advisory indicates that the shutdown() function does
    not properly handle the SHUT_RD parameter, thereby causing system
    instability when traffic is received. This could potentially be used
    as a locally induced denial of service.

    NetBSD confirmed this vulnerability. NetBSD-current, -1.6 and -1.5
    as of Sept. 7, 2002, contain the fixes.

    Source: NetBSD
    http://archives.neohapsis.com/archives/netbsd/2002-q3/0194.html

    *** {02.37.014} BSD - libkvm ports can read /dev/(k)mem

    Various setuid applications in the FreeBSD ports collection, which
    are based on libkvm, allow local attackers to read /dev/(k)mem,
    potentially allowing them to recover sensitive information. FreeBSD
    versions 4.6.2-RELEASE and prior are vulnerable.

    The advisory indicates confirmation by the vendor, which committed
    fixes to the 4.6-STABLE and RELENG branches.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0115.html

    --- Network Appliances News --------------------------------------------

    *** {02.37.017} NApps - Enterasys SSR8000 MPS port DoS

    The Enterasys SSR8000 switch prior to firmware version 8.3.0.10 crashes
    when a remote attacker sends malformed packets to the MPS service ports
    (15077 and 15078). This leads to a denial of service.

    This vulnerability is not confirmed. The advisory indicates that
    firmware version 8.3.0.10 fixes the vulnerability.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-09/0141.html

    --- Other News ---------------------------------------------------------

    *** {02.37.015} Other - Tru64 SSRT-547: TCP ISN, ARP and ftpd
                    vulnerabilities

    HP/Compaq released SSRT-547 for Tru64. It contains security fixes
    for weak TCP initial sequence numbers, arp spoofing and ftpd globbing
    overflows.

    A full patch list is available at the reference URL below.

    Source: HP/Compaq
    http://archives.neohapsis.com/archives/tru64/2002-q3/0017.html

    --- Cross-Platform News ------------------------------------------------

    *** {02.37.004} Cross - Update {02.30.001}: OpenSSL multiple overflows
                    and ASN1 parse vulnerabilities

    Debian and HP released patches that fix the vulnerability discussed
    in {02.30.001} ("OpenSSL multiple overflows and ASN1 parse
    vulnerabilities").

    Debian rereleased prior DEBs because of packaging issues. The DEBs
    are available at:
    http://archives.neohapsis.com/archives/linux/debian/2002-q3/0118.html

    HP released Apache HP-UX updates, which are available at:
    http://www.software.hp.com/ISS_products_list.html

    Source: Debian, HP
    http://archives.neohapsis.com/archives/linux/debian/2002-q3/0118.html
    http://archives.neohapsis.com/archives/hp/2002-q3/0081.html

    *** {02.37.007} Cross - Konqueror subframe CSS and insecure cookie
                    vulnerabilities

    KDE's Konqueror browser reportedly contains a cross-site scripting
    error when handling various frame and iframe HTML elements. The
    browser also does not honor the 'secure' cookie flag, which is used
    to ensure that the browser only sends the cookie over SSL. KDE 2.2.2,
    3.0.3 and prior are vulnerable.

    The vendor confirmed these vulnerabilities and released updated
    versions of kdelibs.

    Debian released updated DEBs, which are listed at:
    http://archives.neohapsis.com/archives/linux/debian/2002-q3/0105.html

    Source: SecurityFocus Bugtraq, Debian
    http://archives.neohapsis.com/archives/bugtraq/2002-09/0102.html
    http://archives.neohapsis.com/archives/bugtraq/2002-09/0103.html
    http://archives.neohapsis.com/archives/linux/debian/2002-q3/0105.html

    *** {02.37.013} Cross - Heimdal kfd multiple vulnerabilities

    The Heimdal Kerberos suite prior to version 0.5 contains multiple
    vulnerabilities in the kf and kfd applications. Running kfd allows
    a remote attacker to gain local root access.

    NetBSD confirmed these vulnerabilities and committed fixes to the
    NetBSD-current and -1.5 branches as of Sept. 11, 2002.

    Source: NetBSD
    http://archives.neohapsis.com/archives/netbsd/2002-q3/0195.html

    *** {02.37.016} Cross - xbreaky highscores file symlink vulnerability

    The xbreaky application is vulnerable to a symlink attack in the
    handling of the .xbreakyhighscores files. Because xbreaky can be
    set setuid root, a local attacker can overwrite arbitrary files on
    the system.

    The advisory indicates confirmation by the vendor, which released
    version 0.0.5.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-09/0131.html
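The symlink problem above comes from opening a user-controlled path with ordinary fopen() while holding root privileges. As an added example (not xbreaky's code, and not from the advisory), the following opens a score file with O_NOFOLLOW so that a planted symbolic link is refused instead of followed, and checks that the result is a regular file. It then reproduces the scenario in a throwaway temporary directory to show that the decoy file survives; the function names and file contents are constructed for this illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open (creating if necessary) a score file without following symlinks.
 * Returns a descriptor, or -1 with errno set: ELOOP when `path` is a
 * symbolic link, EINVAL when it is not a regular file. */
int open_score_file_nofollow(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0644);
    if (fd < 0)
        return -1;
    struct stat st;                      /* also refuse FIFOs, devices etc. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    return fd;
}

/* Read a whole small file into buf; returns bytes read or -1. */
static int slurp(const char *path, char *buf, size_t len)
{
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, len - 1, f);
    fclose(f);
    buf[n] = '\0';
    return (int)n;
}

/* Constructed scenario: in a fresh temporary directory, "victim" holds data
 * that must survive and ".xbreakyhighscores" is a symlink planted to point
 * at it.  Returns 1 if the no-follow open refused the link and "victim" is
 * unchanged, 0 if the link was followed, -1 on setup failure. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/scoredemoXXXXXX", victim[256], link[256], buf[64];
    const char *original = "do not overwrite\n";
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/.xbreakyhighscores", dir);

    FILE *f = fopen(victim, "w");
    if (!f || fputs(original, f) == EOF || fclose(f) != 0) return -1;
    if (symlink(victim, link) != 0) return -1;

    int fd = open_score_file_nofollow(link);
    int refused = (fd < 0 && errno == ELOOP);
    if (fd >= 0) {                       /* the unsafe outcome: link followed */
        ssize_t ignored = write(fd, "9999\n", 5);
        (void)ignored;
        close(fd);
    }
    int intact = slurp(victim, buf, sizeof buf) >= 0
                 && strcmp(buf, original) == 0;

    unlink(link); unlink(victim); rmdir(dir);
    return (refused && intact) ? 1 : 0;
}

/* Control case: a plain regular file at the path opens and is writable. */
int demo_regular_file_ok(void)
{
    char dir[] = "/tmp/scoredemoXXXXXX", path[256], buf[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(path, sizeof path, "%s/.xbreakyhighscores", dir);
    int fd = open_score_file_nofollow(path);
    if (fd < 0) return 0;
    int ok = write(fd, "1234\n", 5) == 5;
    close(fd);
    ok = ok && slurp(path, buf, sizeof buf) == 5 && strcmp(buf, "1234\n") == 0;
    unlink(path); rmdir(dir);
    return ok ? 1 : 0;
}

int main(void)
{
    printf("symlink refused: %d, regular file ok: %d\n",
           demo_symlink_refused(), demo_regular_file_ok());
    return 0;
}
```

O_NOFOLLOW closes the hole for the final path component only; a setuid program should additionally drop to the invoking user's privileges (seteuid(getuid())) before touching anything in the user's home directory, so that even a missed check cannot write where that user could not.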

    *** {02.37.020} Cross - UT2003 small ping DoS

    The Unreal Tournament 2003 client and server reportedly crash when from
    one to three characters are sent to UDP port 7778 or port 10777. This
    leads to a remote denial of service attack.

    The advisory indicates vendor confirmation.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0116.html

    --- Tool Announcements News --------------------------------------------

    *** {02.37.001} Tools - NetBSD 1.6 available

    The NetBSD team released NetBSD version 1.6. It contains the
    security-related fixes that have been patched for prior versions
    (as reported in this issue).

    The latest version is available at:
    http://www.netbsd.org/mirrors/

    Source: NetBSD
    http://archives.neohapsis.com/archives/netbsd/2002-q3/0176.html

    ************************************************************************

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (BSD/OS)
    Comment: For info see http://www.gnupg.org

    iD8DBQE9ih9U+LUG5KFpTkYRAgrqAKCkKodNSzlicyR5INNJZR53SrQ2vACbBOpx
    wUb6CNainyGcvt9eAivhIXY=
    =guBB
    -----END PGP SIGNATURE-----
    ------------------------------------------------------------------------


    Become a Security Alert Consensus member! If this e-mail was passed
    to you and you would like to begin receiving our security e-mail
    newsletter on a weekly basis, we invite you to subscribe today.
    http://www.networkcomputing.com/consensus/.

    We are signing the Consensus newsletter
    with PGP. The new SANS PGP key is posted at:
    http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
    also be accessed from the SANS Web site (http://www.sans.org).

    Special Note: To better secure your confidential information,
    we will no longer include personal URLs in our Consensus
    newsletter mailings. Instead, we have created a new form
    (http://www.sans.org/sansurl). On this form you can enter the SD
    number located near your name at the top of the newsletter. When you
    submit this form, an e-mail containing a URL will be sent to you at
    the e-mail address on record. With this URL you can make changes to
    your account (edit the content of your Consensus mailing, for example)
    without endangering the security of your personal URL. If you'd like
    to change your e-mail address or other information, please visit your
    new URL as described above. If you have any problems or questions,
    e-mail us at <consensusnwc.com>.

    If you would like to unsubscribe from this newsletter, grab your SD
    number (next to your name at the top of this message) and visit the
    URL below. You will be sent a personal URL via E-mail, from which
    you can unsubscribe. http://www.sans.org/sansurl

    Missed an issue? You can find all back issues of
    Security Alert Consensus (and Security Express) online.
    http://archives.neohapsis.com/

    Your opinion counts. We'd like to hear your thoughts on Security Alert
    Consensus. E-mail any questions or comments to <consensusnwc.com>.

    Copyright (c) 2002 Network Computing, a CMP Media LLC
    publication. All Rights Reserved. Distributed by Network
    Computing (http://www.networkcomputing.com) and The SANS Institute
    (http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
    security assessment and integration services consulting group
    (infoneohapsis.com | http://www.neohapsis.com/).