From: Network Computing and The SANS Institute (sans+ZZ37659695647654832_at_sans.org)
Date: Thu Oct 03 2002 - 15:05:42 CDT



    Re: Your personalized newsletter

                      -- Security Alert Consensus --
                            Number 039 (02.39)
                        Thursday, October 3, 2002
                            Created for you by
                  Network Computing and the SANS Institute
                            Powered by Neohapsis

    ----------------------------------------------------------------------

    Welcome to the latest edition of Security Alert Consensus! Below
    you should find information pertaining only to the categories you
    requested. Information on how to manage your subscription can be found
    at the bottom of the newsletter. If you have any problems or questions,
    please e-mail us at <consensus@nwc.com>.

    ************************* Begin Advertisement ************************

    TechQuiz: Access & Security
    Security experts, this is your last chance to show off your knowledge
    of secure network access management. So think fast, and if you correctly
    answer all our editors' questions, we'll throw your name in the hat to
    win a very cool 10-Gb Apple iPod from our sponsor, Novell.
    http://www.nwc.com/techquiz/

    ************************** End Advertisement *************************

    This week, a serious bug was reported in the Microsoft PPTP client
    and server. The buffer overflow lets a remote attacker execute
    arbitrary code without a valid user name and password. Microsoft has
    yet to release a patch, so the only currently known workaround is to
    block access to any PPTP service (TCP port 1723 and GRE, IP protocol
    47) from hosts that are not trusted. This vulnerability is reported
    as item {02.39.012}.

    Until next week,
    --Security Alert Consensus Team

    ************************************************************************

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    TABLE OF CONTENTS:

    {02.39.009} Win - Winamp wsabi skin file include overflow
    {02.39.012} Win - PPTP preauthorization buffer overflow
    {02.39.016} Win - MS02-053: SmartHTML buffer overflow
    {02.39.010} Linux - Update {02.35.017}: Python insecure temporary file
                handling
    {02.39.002} NApps - Procurve 4000M HTTP device_reset DoS
    {02.39.018} NApps - Watchguard cli vulnerabilities
    {02.39.001} Cross - xbru xbru_dscheck.dd symlink vulnerability
    {02.39.003} Cross - GNU tar file extraction directory traversal
    {02.39.004} Cross - unzip file extraction directory traversal
    {02.39.005} Cross - Astaware/SunONE search engine directory traversal
                vulnerability
    {02.39.006} Cross - Fetchmail multiple vulnerabilities
    {02.39.007} Cross - WN HTTP server request overflow
    {02.39.008} Cross - Update {02.37.013}: Heimdal kfd multiple
                vulnerabilities
    {02.39.011} Cross - EMU Webmail info disclosure and CSS vulnerabilities
    {02.39.013} Cross - gv sscanf() overflow
    {02.39.014} Cross - Update {02.38.016}: Lycos HTMLGear guestbook
                address CSS
    {02.39.015} Cross - Webserver 4D insecure password storage
    {02.39.017} Cross - Zope multiple vulnerabilities
    {02.39.019} Cross - Interbase gds_lock_mgr symlink vulnerability

    - --- Windows News -------------------------------------------------------

    *** {02.39.009} Win - Winamp wsabi skin file include overflow

    Winamp 3 version 1.0.0.488 reportedly contains a buffer overflow in
    the handling of large 'include' tags within Winamp WAL skin files. This
    could allow a malicious Web site or trojan Winamp skin file to execute
    arbitrary code on the user's system.

    This vulnerability is not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-09/0346.html

    *** {02.39.012} Win - PPTP preauthorization buffer overflow

    An advisory surfaced indicating that a buffer overflow exists in the
    PPTP client and server services included with Windows 2000 and XP. This
    overflow could allow a remote attacker to execute arbitrary code.

    Although the vendor has not confirmed this vulnerability, there is
    third-party verification.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-09/0313.html

    *** {02.39.016} Win - MS02-053: SmartHTML buffer overflow

    Microsoft released MS02-053 ("SmartHTML buffer overflow"). FrontPage
    Server Extensions 2000 and 2002 contain buffer overflows that can
    lead to a denial of service and, in some cases, the execution of
    arbitrary code.

    FAQ and patch:
    http://www.microsoft.com/technet/security/bulletin/MS02-053.asp

    Source: Microsoft
    http://archives.neohapsis.com/archives/microsoft/2002-q3/0003.html

    - --- Linux News ---------------------------------------------------------

    *** {02.39.010} Linux - Update {02.35.017}: Python insecure temporary
                    file handling

    Conectiva released updated python packages that fix the vulnerability
    discussed in {02.35.017} ("Python insecure temporary file handling").

    Updated RPMs are listed at the reference URL below.

    Source: Conectiva
    http://archives.neohapsis.com/archives/linux/conectiva/2002-q3/0024.html

    - --- Network Appliances News --------------------------------------------

    *** {02.39.002} NApps - Procurve 4000M HTTP device_reset DoS

    Under certain configurations, the HP Procurve 4000M switches running
    firmware prior to version C.09.16 allow a remote attacker to reboot
    the switch via the HTTP administrative interface.

    The vendor confirmed this vulnerability and released updated firmware.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-09/0154.html

    *** {02.39.018} NApps - Watchguard cli vulnerabilities

    The Watchguard RSSA and Vclass appliances contain a bug in the cli
    binary that could allow an attacker with normal user access to the
    system to gain root access.

    The vendor confirmed this vulnerability and released patches, which
    are available at:
    http://watchguard.com/vars/rssa.asp

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-09/0325.html
    http://archives.neohapsis.com/archives/bugtraq/2002-09/0335.html

    - --- Cross-Platform News ------------------------------------------------

    *** {02.39.001} Cross - xbru xbru_dscheck.dd symlink vulnerability

    The xbru application shipped with the bru backup suite version 17.0
    reportedly does not properly handle access to the xbru_dscheck.dd file,
    thereby allowing a local attacker to perform a symlink attack.

    This vulnerability is not confirmed.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-09/0154.html

    *** {02.39.003} Cross - GNU tar file extraction directory traversal

    The GNU tar utility versions 1.13.19 and prior allow a malicious
    tar archive to overwrite arbitrary files on the system by embedding
    reverse directory traversal notation ('..') in the file names.

    This vulnerability is confirmed.

    Updated Red Hat RPMs:
    http://archives.neohapsis.com/archives/linux/redhat/2002-q3/0085.html

    Source: Red Hat
    http://archives.neohapsis.com/archives/linux/redhat/2002-q3/0085.html

    *** {02.39.004} Cross - unzip file extraction directory traversal

    Versions 5.42 and prior of the unzip utility allow a malicious zip
    archive to overwrite arbitrary files on the system by embedding
    reverse directory traversal notation ('..') in the file names.

    This vulnerability is confirmed.

    Updated Red Hat RPMs:
    http://archives.neohapsis.com/archives/linux/redhat/2002-q3/0085.html

    Source: Red Hat
    http://archives.neohapsis.com/archives/linux/redhat/2002-q3/0085.html

    *** {02.39.005} Cross - Astaware/SunONE search engine directory
                    traversal vulnerability

    The Astaware SearchDisk search engine version 2002, shipped with
    the SunONE starter kit version 2.0, allows a remote attacker to read
    arbitrary files on the system by making direct URL requests to the
    provided HTTP server.

    This vulnerability is not confirmed.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0135.html
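    The three directory-traversal items above ({02.39.003}, {02.39.004}
    and {02.39.005}) share one root cause: a path supplied by the other
    side is used without checking that it still resolves inside the
    intended directory. The Python check below is an added example, not
    code from GNU tar, Info-ZIP unzip, Astaware or the advisories. It
    builds a tar and a zip archive in memory (constructed for the demo,
    carrying a '../../etc/passwd' entry and, in the tar, a symlink that
    points out of the tree) and lists the members an extractor should
    refuse. The destination '/tmp/extract' and the function names are
    the example's own.

```python
"""Refuse archive members that would extract outside the target directory.

Added example for the tar/unzip traversal items; it is not code from
GNU tar, Info-ZIP, Astaware or the advisories. The archives below are
constructed in memory solely to exercise the check.
"""
import io
import posixpath
import tarfile
import zipfile


def escapes_dest(name: str, dest: str = "/tmp/extract") -> bool:
    """True if a member named `name` would land outside `dest`.

    Handles '..' components, absolute paths, Windows drive letters and
    backslash separators by joining, normalising and then checking that
    the result is still `dest` or below it.
    """
    dest = posixpath.normpath(dest)
    cleaned = name.replace("\\", "/")          # some unzips treat '\' as '/'
    if cleaned.startswith("/") or (len(cleaned) > 1 and cleaned[1] == ":"):
        return True
    target = posixpath.normpath(posixpath.join(dest, cleaned))
    return target != dest and not target.startswith(dest + "/")


def unsafe_tar_members(data: bytes, dest: str = "/tmp/extract") -> list:
    """Names of tar members that escape `dest`, including link tricks.

    A symlink member whose target points outside `dest` is flagged too: a
    later member written through that link would escape even though its
    own name looks harmless.
    """
    bad = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:*") as tf:
        for m in tf.getmembers():
            if escapes_dest(m.name, dest):
                bad.append(m.name)
            elif m.issym():
                # a symlink target resolves relative to the member's directory
                link = posixpath.join(posixpath.dirname(m.name), m.linkname)
                if escapes_dest(link, dest):
                    bad.append(m.name)
            elif m.islnk() and escapes_dest(m.linkname, dest):
                bad.append(m.name)        # hard link names are archive-relative
    return bad


def unsafe_zip_members(data: bytes, dest: str = "/tmp/extract") -> list:
    """Names of zip members that escape `dest`."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [n for n in zf.namelist() if escapes_dest(n, dest)]


def build_samples() -> tuple:
    """Constructed archives: a benign file, a '../' entry and (tar) a symlink out."""
    tar_buf = io.BytesIO()
    with tarfile.open(fileobj=tar_buf, mode="w") as tf:
        for name, body in (("readme.txt", b"hello\n"),
                           ("../../etc/passwd", b"root::0:0::/:/bin/sh\n")):
            ti = tarfile.TarInfo(name)
            ti.size = len(body)
            tf.addfile(ti, io.BytesIO(body))
        ln = tarfile.TarInfo("link")          # symlink member pointing out of the tree
        ln.type = tarfile.SYMTYPE
        ln.linkname = "../../etc"
        tf.addfile(ln)
    zip_buf = io.BytesIO()
    with zipfile.ZipFile(zip_buf, "w") as zf:
        zf.writestr("readme.txt", "hello\n")
        zf.writestr("../../etc/passwd", "root::0:0::/:/bin/sh\n")
    return tar_buf.getvalue(), zip_buf.getvalue()


if __name__ == "__main__":
    tar_data, zip_data = build_samples()
    print("tar members to refuse:", unsafe_tar_members(tar_data))
    print("zip members to refuse:", unsafe_zip_members(zip_data))
```

    Refusing the whole archive is the right response; silently stripping
    '..' from names leaves the symlink-then-write trick untouched. Newer
    Python (3.12, and the later 3.8 to 3.11 releases) adds the same
    checks to tarfile extraction via filter="data". The same
    normalise-then-prefix test is what a server must apply to a request
    path before mapping it to a file, the step missing in the search
    engine described in {02.39.005}.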

    *** {02.39.006} Cross - Fetchmail multiple vulnerabilities

    Fetchmail versions 6.0.0 and prior reportedly contain multiple
    vulnerabilities in e-mail/header parsing that could allow a malicious
    e-mail to execute arbitrary code on the system running fetchmail.

    The advisory indicates confirmation by the vendor, which released
    version 6.1.0.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0136.html

    *** {02.39.007} Cross - WN HTTP server request overflow

    The WN HTTP server versions 2.0.0 and prior reportedly contain a
    buffer overflow in the handling of large GET requests that may allow
    a remote attacker to execute arbitrary code.

    The advisory indicates confirmation by the vendor, which released
    version 2.4.4.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0138.html

    *** {02.39.008} Cross - Update {02.37.013}: Heimdal kfd multiple
                    vulnerabilities

    SuSE released updated krb packages that fix the vulnerability discussed
    in {02.37.013} ("Heimdal kfd multiple vulnerabilities").

    Updated RPMs are listed at the reference URL below.

    Source: SuSE
    http://archives.neohapsis.com/archives/linux/suse/2002-q3/1283.html

    *** {02.39.011} Cross - EMU Webmail info disclosure and CSS
                    vulnerabilities

    EMU Webmail version 5.0 reportedly contains an information disclosure
    bug that reveals the physical path to the Web root directory. There
    is also a cross-site scripting bug in the handling of the e-mail
    address form entry.

    The advisory indicates confirmation by the vendor, which released
    patches.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0131.html

    *** {02.39.013} Cross - gv sscanf() overflow

    The gv/ghostview PostScript and PDF viewer contains a buffer overflow
    that may allow a malicious PDF or PostScript file to execute arbitrary
    code on the viewer's system.

    This vulnerability is not confirmed.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0129.html

    *** {02.39.014} Cross - Update {02.38.016}: Lycos HTMLGear guestbook
                    address CSS

    The vendor released an updated HTMLGear package that fixes the
    vulnerability discussed in {02.38.016} ("Lycos HTMLGear guestbook
    address CSS").

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0132.html

    *** {02.39.015} Cross - Webserver 4D insecure password storage

    MDG Computer Services' Webserver 4D HTTP server version 3.6.0
    insecurely stores passwords in clear text in the ws4d.4dd file.

    This vulnerability is not confirmed.

    Source: VulnWatch
    http://archives.neohapsis.com/archives/vulnwatch/2002-q3/0128.html

    *** {02.39.017} Cross - Zope multiple vulnerabilities

    Zope versions 2.5.1 and prior contain multiple vulnerabilities: users
    who are not trusted can shut down the Zope server; anonymous users and
    code can bypass restrictions and execute arbitrary methods of catalog
    indexes; and access to objects with proxy roles is not well enforced.

    These vulnerabilities are confirmed.

    Updated Red Hat RPMs:
    http://archives.neohapsis.com/archives/linux/redhat/2002-q3/0084.html

    Source: Red Hat
    http://archives.neohapsis.com/archives/linux/redhat/2002-q3/0084.html

    *** {02.39.019} Cross - Interbase gds_lock_mgr symlink vulnerability

    The Borland Interbase gds_lock_mgr utility is vulnerable to a symlink
    attack during the handling of a temporary file. This allows a local
    attacker to gain root privileges on systems where gds_lock_mgr is
    setuid root, which is reportedly the default on Sun Cobalt RaQ systems.

    This vulnerability is not confirmed. An exploit was published.

    Source: SecurityFocus Bugtraq
    http://archives.neohapsis.com/archives/bugtraq/2002-09/0311.html
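    Both symlink items in this issue ({02.39.001} xbru and {02.39.019}
    gds_lock_mgr) are the same local race: a privileged program writes
    to a temporary file whose name an ordinary user can predict, so the
    user pre-creates that name as a symlink and the privileged write
    lands on the link's target. The Python below is an added example,
    not code from bru, Interbase or the advisories; it plays both roles
    in a scratch directory with no privilege involved, contrasting the
    vulnerable open() with one using O_EXCL (plus O_NOFOLLOW) and with
    tempfile.mkstemp(). The file names and the 'important.conf' target
    are the example's own.

```python
"""Symlink attack on a predictable temporary file, and the open() that stops it.

Added example for the xbru_dscheck.dd and gds_lock_mgr items; it is not code
from bru, Interbase or the advisories. Everything happens inside a scratch
directory and no privilege is involved: the point is the ordering (attacker
plants the link first) and which open() flags make the victim's write fail
instead of following the link.
"""
import errno
import os
import tempfile

ATTACKER_PAYLOAD = b"attacker-controlled\n"


def open_for_write_unsafe(path: str) -> int:
    """Vulnerable pattern: create-or-truncate by name, symlinks followed."""
    return os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)


def open_for_write_safe(path: str) -> int:
    """Hardened: O_EXCL refuses any pre-existing path, symlink or not.

    O_NOFOLLOW is added where the platform has it, as belt and braces.
    The full fix for a temp file is tempfile.mkstemp(), which also picks
    an unguessable name; see make_private_tempfile().
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL
    flags |= getattr(os, "O_NOFOLLOW", 0)
    return os.open(path, flags, 0o600)


def make_private_tempfile(directory: str) -> str:
    """Correct approach: random name plus O_EXCL, done by the library."""
    fd, path = tempfile.mkstemp(prefix="prog_lock.", dir=directory)
    os.close(fd)
    return path


def run_scenario(use_safe: bool) -> dict:
    """Simulate the race: attacker plants a symlink, victim then opens the name."""
    with tempfile.TemporaryDirectory() as scratch:
        target = os.path.join(scratch, "important.conf")  # stands in for a root-owned file
        with open(target, "w") as f:
            f.write("original\n")
        predictable = os.path.join(scratch, "prog_lock.tmp")  # name the attacker can guess
        os.symlink(target, predictable)  # attacker's move, before the victim runs
        opener = open_for_write_safe if use_safe else open_for_write_unsafe
        try:
            fd = opener(predictable)
        except OSError as e:
            # EEXIST from O_EXCL on the existing link; ELOOP if O_NOFOLLOW fires first
            if e.errno not in (errno.EEXIST, errno.ELOOP):
                raise
            refused = True
        else:
            os.write(fd, ATTACKER_PAYLOAD)
            os.close(fd)
            refused = False
        with open(target) as f:
            content = f.read()
        return {
            "refused": refused,
            "target_content": content,
            "mkstemp_name": os.path.basename(make_private_tempfile(scratch)),
        }


if __name__ == "__main__":
    for use_safe in (False, True):
        print("safe" if use_safe else "unsafe", run_scenario(use_safe))
```

    The unsafe run reports the target overwritten; the safe run reports
    the open refused and the target untouched. O_EXCL alone already fails
    on a symlink regardless of where it points, but it only helps if the
    program treats the failure as fatal rather than retrying with a
    fallback that follows links; mkstemp removes the guessable name as
    well, which is what a setuid program needs.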

    ************************************************************************

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.0.6 (BSD/OS)
    Comment: For info see http://www.gnupg.org

    iD8DBQE9nKE5+LUG5KFpTkYRAl6zAJ4wfnKRxw2ZMDgEnIUztU174RFafQCgoXzv
    XAm1rtzhv1wbVsj0IVliVUw=
    =b/Sg
    -----END PGP SIGNATURE-----
    ------------------------------------------------------------------------


    Become a Security Alert Consensus member! If this e-mail was passed
    to you and you would like to begin receiving our security e-mail
    newsletter on a weekly basis, we invite you to subscribe today.
    http://www.networkcomputing.com/consensus/.

    We are signing the Consensus newsletter
    with PGP. The new SANS PGP key is posted at:
    http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
    also be accessed from the SANS Web site (http://www.sans.org).

    Special Note: To better secure your confidential information,
    we will no longer include personal URLs in our Consensus
    newsletter mailings. Instead, we have created a new form
    (http://www.sans.org/sansurl). On this form you can enter the SD
    number located near your name at the top of the newsletter. When you
    submit this form, an e-mail containing a URL will be sent to you at
    the e-mail address on record. With this URL you can make changes to
    your account (edit the content of your Consensus mailing, for example)
    without endangering the security of your personal URL. If you'd like
    to change your e-mail address or other information, please visit your
    new URL as described above. If you have any problems or questions,
    e-mail us at <consensus@nwc.com>.

    If you would like to unsubscribe from this newsletter, grab your SD
    number (next to your name at the top of this message) and visit the
    URL below. You will be sent a personal URL via E-mail, from which
    you can unsubscribe. http://www.sans.org/sansurl

    Missed an issue? You can find all back issues of
    Security Alert Consensus (and Security Express) online.
    http://archives.neohapsis.com/

    Your opinion counts. We'd like to hear your thoughts on Security Alert
    Consensus. E-mail any questions or comments to <consensus@nwc.com>.

    Copyright (c) 2002 Network Computing, a CMP Media LLC
    publication. All Rights Reserved. Distributed by Network
    Computing (http://www.networkcomputing.com) and The SANS Institute
    (http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
    security assessment and integration services consulting group
    (info@neohapsis.com | http://www.neohapsis.com/).