From: Network Computing and The SANS Institute (sans+ZZ17674819167854379_at_sans.org)
Date: Thu Oct 24 2002 - 13:36:53 CDT
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 042 (02.42)
Thursday, October 24, 2002
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below
you should find information pertaining only to the categories you
requested. Information on how to manage your subscription can be found
at the bottom of the newsletter. If you have any problems or questions,
please e-mail us at <consensus@nwc.com>.
************************* Begin Advertisement ************************
This issue sponsored by SPI Dynamics.
ALERT! --Cross-Site Scripting Cookie Theft-- Cross-site scripting
vulnerabilities in Web applications allow hackers to collect
confidential user information, manipulate and steal cookies. All
undetectable by IDS! Download this *FREE* white paper from SPI Dynamics
for a complete guide to protection!
http://www.spidynamics.com/mktg/xss13
************************** End Advertisement *************************
If you're not running on the latest Linux kernel, you should definitely
consider it. Both the 2.4 and 2.2 series kernels have fixes for local
security problems. We've reported these issues as items {02.42.001}
and {02.42.002}.
Microsoft also released a patch for the MS Word field code problem
we discussed in an earlier SAC editorial. You can read about MS02-059
in item {02.42.009}.
And, if you haven't heard, the Internet root name servers went under
DDoS attack earlier this week; nine of the 13 fell prey. You can read
more about it at:
http://www.washingtonpost.com/wp-dyn/articles/A828-2002Oct22.html
Until next week,
--Security Alert Consensus Team
************************************************************************
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
TABLE OF CONTENTS:
{02.42.009} Win - MS02-059: MS Word/Excel field codes may leak
information
{02.42.010} Win - MS02-060: Windows XP Help and Support Center control
file deletion
{02.42.011} Win - MS02-061: SQL Server Web tasks command execution
{02.42.024} Win - CoolSoft Personal FTP Server ftproot escaping
{02.42.001} Linux - Linux kernel 2.4 driver vulnerabilities
{02.42.002} Linux - Linux kernel 2.2 vulnerabilities
{02.42.003} Linux - Update {02.40.013}: Apache host name CSS, ab
overflow and shared memory vulnerabilities
{02.42.004} Linux - Update {02.32.017}: xinetd signal pipe descriptor
DoS
{02.42.005} Linux - Update {02.38.003}: xfree86 libX11.so LD_PRELOAD
vulnerability
{02.42.006} Linux - Update {02.39.006}: Fetchmail multiple
vulnerabilities
{02.42.007} Linux - Update {02.40.024}: Sendmail smrsh execution
restriction bypass
{02.42.014} Linux - Update {02.39.013}: gv sscanf() overflow
{02.42.015} Linux - Update {02.37.002}: Multiple Postgres function
buffer overflows
{02.42.016} Linux - Update {02.41.012}: syslog-ng macro expansion
overflow
{02.42.018} Linux - Update {02.38.013}: Multiple Mozilla 1.0
vulnerabilities
{02.42.021} Linux - Update {02.39.003}: GNU tar file extraction
directory traversal
{02.42.008} BSD - Short ESP packet IPSEC DoS
{02.42.019} SCO - rcp /proc directory DoS
{02.42.025} NApps - Cisco Catalyst CatOS HTTP service DoS
{02.42.012} Other - Update {02.06.011}: Multiple vendor SNMP problems
{02.42.013} Cross - Apache mod_ssl host name CSS
{02.42.017} Cross - PAM treats disabled passwords as empty
{02.42.020} Cross - Heimdal kadmind multiple vulnerabilities
{02.42.022} Cross - Ximian Evolution SSL certificate validation
{02.42.023} Cross - VBZoom forum CGI multiple vulnerabilities
- --- Windows News -------------------------------------------------------
*** {02.42.009} Win - MS02-059: MS Word/Excel field codes may leak
information
Microsoft released MS02-059 ("MS Word/Excel field codes may leak
information"). Various versions of MS Word and Excel support 'field
codes,' which allow a document to pull in the contents of other
documents. If a user receives a (malicious) document, edits it and then
sends it back, the field codes can import other files from the user's
system during the edit/save process, thereby disclosing that data to
whoever receives the returned document.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS02-059.asp
Source: Microsoft
http://archives.neohapsis.com/archives/microsoft/2002-q4/0006.html
*** {02.42.010} Win - MS02-060: Windows XP Help and Support Center
control file deletion
Microsoft released MS02-060 ("Windows XP Help and Support Center
control file deletion"). The Help and Support Center ActiveX control
included with Windows XP allows a malicious Web site to delete
arbitrary files on the user's system.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS02-060.asp
Source: Microsoft
http://archives.neohapsis.com/archives/microsoft/2002-q4/0005.html
*** {02.42.011} Win - MS02-061: SQL Server Web tasks command execution
Microsoft released MS02-061 ("SQL Server Web tasks command
execution"). SQL Server allows a nonprivileged user to modify and
submit new scheduled Web tasks, thereby allowing arbitrary commands
to be executed under the elevated privileges of the SQL Agent
account. This is also a cumulative patch, which fixes all prior SQL
Server and MSDE vulnerabilities.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS02-061.asp
Source: Microsoft
http://archives.neohapsis.com/archives/microsoft/2002-q4/0007.html
*** {02.42.024} Win - CoolSoft Personal FTP Server ftproot escaping
CoolSoft's Personal FTP Server version 2.24 reportedly contains
vulnerabilities in the handling of various FTP commands that would
allow an attacker to manipulate and read files outside the allowed
ftproot directory. Login credentials (user names and passwords)
are also stored in plain text in the ftpserver.ini file.
These vulnerabilities are not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-10/0142.html
- --- Linux News ---------------------------------------------------------
*** {02.42.001} Linux - Linux kernel 2.4 driver vulnerabilities
The ixj telephony card driver, pcilynx firewire driver and bttv
video capture card driver included with the Linux 2.4 series kernel
contain security vulnerabilities that allow a local attacker to gain
root privileges.
These vulnerabilities are confirmed.
Updated Red Hat RPMs:
http://archives.neohapsis.com/archives/linux/redhat/2002-q4/0026.html
http://archives.neohapsis.com/archives/linux/redhat/2002-q4/0025.html
Source: Red Hat
http://archives.neohapsis.com/archives/linux/redhat/2002-q4/0026.html
http://archives.neohapsis.com/archives/linux/redhat/2002-q4/0025.html
*** {02.42.002} Linux - Linux kernel 2.2 vulnerabilities
Various vulnerabilities have been found in the Linux 2.2 series
kernels prior to version 2.2.22. Many of these bugs stem from signed
comparison problems in /proc entry handlers.
These vulnerabilities are confirmed.
Updated Red Hat RPMs:
http://archives.neohapsis.com/archives/linux/redhat/2002-q4/0027.html
Updated Trustix RPMs:
http://archives.neohapsis.com/archives/bugtraq/2002-10/0250.html
Updated EnGarde RPMs:
http://archives.neohapsis.com/archives/linux/engarde/2002-q4/0004.html
Source: Red Hat, Trustix, EnGarde (SF Bugtraq)
http://archives.neohapsis.com/archives/linux/redhat/2002-q4/0027.html
http://archives.neohapsis.com/archives/bugtraq/2002-10/0250.html
http://archives.neohapsis.com/archives/linux/engarde/2002-q4/0004.html
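The signed comparison class behind these 2.2 fixes, as an added illustration that is not the kernel's code and is not taken from the Red Hat, Trustix or EnGarde advisories: a proc-style read handler that receives its request length as a signed int (as 2.2-era handlers did) and clamps it against a signed buffer size lets a negative count through, and that count turns into a huge length once it reaches the size_t that the copy routine takes. The handler, the buffers and the /proc-style sample line are constructed for the example.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>

/* Constructed illustration of the signed comparison bug class. Older
 * proc-style read handlers took the request length as a signed int and
 * clamped it against the size of an in-kernel buffer before copying the
 * data out to user space. This is not the kernel's code. */

/* Vulnerable clamp: a negative count passes the "too big?" test because
 * both operands are signed, then turns into an enormous length when it
 * is converted to the size_t that the copy routine takes. */
size_t clamp_vulnerable(int count, int avail)
{
    if (count > avail)          /* -1 > avail is false, so -1 survives */
        count = avail;
    return (size_t)count;       /* (size_t)-1 == SIZE_MAX */
}

/* Hardened clamp: refuse negative lengths before any conversion and
 * compare only in unsigned arithmetic after that. */
size_t clamp_hardened(int count, int avail)
{
    if (count < 0 || avail < 0)
        return 0;
    return ((size_t)count > (size_t)avail) ? (size_t)avail : (size_t)count;
}

/* Simulated read handler built on the hardened clamp. Copies at most
 * `count` bytes of `src` (src_len bytes long) into `dst` and refuses any
 * length that would overrun dst. Returns bytes copied, or -1. */
long proc_read_hardened(char *dst, size_t dst_cap,
                        const char *src, int src_len, int count)
{
    size_t n = clamp_hardened(count, src_len);
    if (n > dst_cap)
        return -1;
    memcpy(dst, src, n);
    return (long)n;
}

/* Constructed /proc-style content and a small "user" buffer for the demo. */
static const char g_src[] = "cpu  1234 0 567 8901\n";
static char g_dst[16];

int main(void)
{
    int src_len = (int)(sizeof g_src - 1);   /* 21 bytes */
    printf("vulnerable clamp(-1, %d) -> %zu bytes\n", src_len,
           clamp_vulnerable(-1, src_len));
    printf("hardened   clamp(-1, %d) -> %zu bytes\n", src_len,
           clamp_hardened(-1, src_len));
    printf("hardened read, count=8  -> %ld\n",
           proc_read_hardened(g_dst, sizeof g_dst, g_src, src_len, 8));
    printf("hardened read, count=-1 -> %ld\n",
           proc_read_hardened(g_dst, sizeof g_dst, g_src, src_len, -1));
    printf("hardened read, count=64 -> %ld (refused: %d > %zu)\n",
           proc_read_hardened(g_dst, sizeof g_dst, g_src, src_len, 64),
           src_len, sizeof g_dst);
    return 0;
}
```

The check that matters is the one on the sign, made before the int is ever compared with or converted to an unsigned type; a handler that only compares `count > avail` with both sides signed has no defence against a negative request length.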
*** {02.42.003} Linux - Update {02.40.013}: Apache host name CSS, ab
overflow and shared memory vulnerabilities
Trustix released updated Apache packages, which fix the vulnerabilities
discussed in {02.40.013} ("Apache host name CSS, ab overflow and
shared memory vulnerabilities").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/bugtraq/2002-10/0254.html
Source: Trustix (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2002-10/0254.html
*** {02.42.004} Linux - Update {02.32.017}: xinetd signal pipe
descriptor DoS
Red Hat released updated xinetd packages, which fix the vulnerability
discussed in {02.32.017} ("xinetd signal pipe descriptor DoS").
Updated RPMs are listed at:
http://archives.neohapsis.com/archives/linux/redhat/2002-q4/0022.html
Source: Red Hat
http://archives.neohapsis.com/archives/linux/redhat/2002-q4/0022.html
*** {02.42.005} Linux - Update {02.38.003}: xfree86 libX11.so
LD_PRELOAD vulnerability
Conectiva released updated xfree86 packages, which fix the
vulnerability discussed in {02.38.003} ("xfree86 libX11.so LD_PRELOAD
vulnerability").
Updated RPMs are listed at the reference URL below.
Source: Conectiva
http://archives.neohapsis.com/archives/linux/conectiva/2002-q4/0005.html
*** {02.42.006} Linux - Update {02.39.006}: Fetchmail multiple
vulnerabilities
Conectiva released updated Fetchmail packages, which fix the
vulnerabilities discussed in {02.39.006} ("Fetchmail multiple
vulnerabilities").
Updated RPMs are listed at the reference URL below.
Source: Conectiva
http://archives.neohapsis.com/archives/linux/conectiva/2002-q4/0003.html
*** {02.42.007} Linux - Update {02.40.024}: Sendmail smrsh execution
restriction bypass
Conectiva released updated Sendmail packages, which fix the
vulnerability discussed in {02.40.024} ("Sendmail smrsh execution
restriction bypass").
Updated RPMs are listed at the reference URL below.
Source: Conectiva
http://archives.neohapsis.com/archives/linux/conectiva/2002-q4/0004.html
*** {02.42.014} Linux - Update {02.39.013}: gv sscanf() overflow
Mandrake released updated ghostview packages, which fix the
vulnerability discussed in {02.39.013} ("gv sscanf() overflow").
Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/linux/mandrake/2002-q4/0034.html
Updated Debian DEBs:
http://archives.neohapsis.com/archives/linux/debian/2002-q4/0277.html
http://archives.neohapsis.com/archives/linux/debian/2002-q4/0334.html
Source: Mandrake, Debian
http://archives.neohapsis.com/archives/linux/mandrake/2002-q4/0034.html
http://archives.neohapsis.com/archives/linux/debian/2002-q4/0277.html
http://archives.neohapsis.com/archives/linux/debian/2002-q4/0334.html
*** {02.42.015} Linux - Update {02.37.002}: Multiple Postgres function
buffer overflows
SuSE released updated postgres packages, which fix the vulnerabilities
discussed in {02.37.002} ("Multiple Postgres function buffer
overflows").
Updated RPMs are listed at the reference URL below.
Source: SuSE
http://archives.neohapsis.com/archives/linux/suse/2002-q4/0294.html
*** {02.42.016} Linux - Update {02.41.012}: syslog-ng macro expansion
overflow
EnGarde released updated syslog-ng packages, which fix the
vulnerability discussed in {02.41.012} ("syslog-ng macro expansion
overflow").
Updated RPMs are listed at the reference URL below.
Source: EnGarde
http://archives.neohapsis.com/archives/linux/engarde/2002-q4/0003.html
*** {02.42.018} Linux - Update {02.38.013}: Multiple Mozilla 1.0
vulnerabilities
Red Hat re-released updated Mozilla packages, which fix the
vulnerabilities discussed in {02.38.013} ("Multiple Mozilla 1.0
vulnerabilities").
Updated RPMs are listed at the reference URL below.
Source: Red Hat
http://archives.neohapsis.com/archives/linux/redhat/2002-q4/0029.html
*** {02.42.021} Linux - Update {02.39.003}: GNU tar file extraction
directory traversal
EnGarde released updated tar packages, which fix the vulnerability
discussed in {02.39.003} ("GNU tar file extraction directory
traversal").
Updated RPMs are listed at the reference URL below.
Source: EnGarde
http://archives.neohapsis.com/archives/bugtraq/2002-10/0032.html
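A lexical containment check of the kind both the CoolSoft ftproot item {02.42.024} and this tar item need, as an added example that is neither GNU tar's nor CoolSoft's code: it normalises a client- or archive-supplied relative path, rejects absolute paths, drive-letter prefixes and any ".." sequence that climbs above the virtual root, and joins the survivors onto the root. The root directory and the sample member names are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Lexical containment check for a client- or archive-supplied path.
 * Constructed example; not GNU tar's or CoolSoft's code. It never touches
 * the filesystem, so symlinks already present under the root are out of
 * scope and need a separate check at open/extract time. */

#define MAX_DEPTH 128

static int is_sep(char c)
{
    return c == '/' || c == '\\';   /* accept both: FTP clients send either */
}

/* Normalise `path` into `out` as a slash-separated path relative to the
 * virtual root, resolving "." and ".." and collapsing repeated separators.
 * Returns 1 if the path stays inside the root, 0 if it escapes (absolute
 * path, drive-letter prefix, or more ".." than directory depth) or does
 * not fit in out. */
int path_within_root(const char *path, char *out, size_t outsz)
{
    size_t starts[MAX_DEPTH];   /* offset in out where each component began */
    int depth = 0;
    size_t len = 0;
    const char *p = path;

    if (outsz == 0)
        return 0;
    out[0] = '\0';
    if (is_sep(p[0]))
        return 0;                                   /* "/etc/passwd" */
    if (isalpha((unsigned char)p[0]) && p[1] == ':')
        return 0;                                   /* "C:\boot.ini" */

    while (*p) {
        const char *comp = p;
        while (*p && !is_sep(*p))
            p++;
        size_t clen = (size_t)(p - comp);
        while (is_sep(*p))
            p++;                                    /* swallow "//" and "/\" */
        if (clen == 0 || (clen == 1 && comp[0] == '.'))
            continue;                               /* "" and "." are no-ops */
        if (clen == 2 && comp[0] == '.' && comp[1] == '.') {
            if (depth == 0)
                return 0;                           /* would climb above root */
            len = starts[--depth];                  /* pop last component */
            out[len] = '\0';
            continue;
        }
        if (depth == MAX_DEPTH || len + clen + 2 > outsz)
            return 0;
        starts[depth++] = len;
        if (len > 0)
            out[len++] = '/';
        memcpy(out + len, comp, clen);
        len += clen;
        out[len] = '\0';
    }
    return 1;
}

/* Join a validated relative path onto the root. Returns 1 on success. */
int safe_join(const char *root, const char *rel, char *out, size_t outsz)
{
    char norm[512];
    if (!path_within_root(rel, norm, sizeof norm))
        return 0;
    int n = snprintf(out, outsz, "%s%s%s", root, norm[0] ? "/" : "", norm);
    return n >= 0 && (size_t)n < outsz;
}

static char g_out[512];

int main(void)
{
    /* Constructed member names of the kind an FTP client or a tar archive might supply. */
    const char *samples[] = {
        "pub/./docs//readme.txt", "../../etc/passwd", "/etc/passwd",
        "a/../b", "a/../..", "C:\\boot.ini", "x\\..\\y",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (safe_join("/srv/ftp", samples[i], g_out, sizeof g_out))
            printf("%-24s -> %s\n", samples[i], g_out);
        else
            printf("%-24s -> REJECTED\n", samples[i]);
    }
    return 0;
}
```

The check is deliberately lexical, so it can be applied to a name before anything is created; a symlink that an earlier archive member (or an existing file under ftproot) points outside the tree is not caught here and has to be refused at the moment the file is opened or the member is written.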
- --- BSD News -----------------------------------------------------------
*** {02.42.008} BSD - Short ESP packet IPSEC DoS
A NetBSD advisory indicates that a bug in the handling of short ESP
IPSEC packets causes a kernel panic.
NetBSD-1.5 as of Sept. 5, 2002, as well as -1.6 and -current as of
Aug. 23, 2002, contain the fix.
Source: NetBSD
http://archives.neohapsis.com/archives/netbsd/2002-q4/0085.html
- --- SCO News -----------------------------------------------------------
*** {02.42.019} SCO - rcp /proc directory DoS
A Caldera/SCO advisory indicates that a normal user can rcp the /proc
directory and render the machine unusable.
Patches are listed at the reference URL below.
Source: Caldera/SCO
http://archives.neohapsis.com/archives/linux/caldera/2002-q4/0002.html
- --- Network Appliances News --------------------------------------------
*** {02.42.025} NApps - Cisco Catalyst CatOS HTTP service DoS
A Cisco advisory indicates that CatOS versions 5.4 through 7.3
contain a buffer overflow in the embedded CiscoView HTTP server,
thereby allowing a remote attacker to cause the switch to reset.
Cisco confirmed this problem; a list of updates is available at the
reference URL below.
Source: Cisco
http://archives.neohapsis.com/archives/cisco/2002-q4/0001.html
- --- Other News ---------------------------------------------------------
*** {02.42.012} Other - Update {02.06.011}: Multiple vendor SNMP
problems
HP released updated SNMP packages for MPE/iX, which fix the
vulnerability discussed in {02.06.011} ("Multiple vendor SNMP
problems").
Update information is listed at the reference URL below.
Source: HP
http://archives.neohapsis.com/archives/hp/2002-q4/0010.html
- --- Cross-Platform News ------------------------------------------------
*** {02.42.013} Cross - Apache mod_ssl host name CSS
The mod_ssl module for Apache contains a cross-site scripting error
when printing error messages under certain configurations involving
wildcard DNS names.
Debian confirmed this vulnerability and released updated DEBs, which
are listed at the reference URL below.
Source: Debian
http://archives.neohapsis.com/archives/linux/debian/2002-q4/0385.html
*** {02.42.017} Cross - PAM treats disabled passwords as empty
A Debian advisory indicates that some versions of PAM (version 0.76
is mentioned in particular) treat accounts disabled with an '*' in the
password field as having an empty password, thereby allowing login to
those accounts with no password at all.
Updated Debian DEBs are listed at the reference URL below.
Source: Debian
http://archives.neohapsis.com/archives/linux/debian/2002-q4/0304.html
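An audit of which local accounts a PAM build with this bug would let in, as an added example written for this item rather than code from the Debian advisory or from PAM itself: it classifies the password field of each shadow(5)-style line and counts the entries whose field is '*' (the reported case) or empty. The sample lines, account names and hash strings are constructed; treating any field that begins with '*' as disabled, and reporting '!'-locked entries separately, are choices of the example, not statements from the advisory.

```c
#include <stdio.h>
#include <string.h>

/* Constructed shadow(5)-style sample: the account names and hash strings
 * are made up for this example and are not from any real system. */
static const char *sample_shadow[] = {
    "root:$1$abcdefgh$ijklmnopqrstuvwxyz12345:11953:0:99999:7:::",
    "daemon:*:11953:0:99999:7:::",
    "bin:*:11953:0:99999:7:::",
    "guest::11953:0:99999:7:::",
    "ops:!$1$zyxwvuts$rqponmlkjihgfedcba54321:11953:0:99999:7:::",
    "alice:$1$12345678$abcdefghijklmnopqrstuv:11953:0:99999:7:::",
};
#define SAMPLE_SHADOW_COUNT (sizeof sample_shadow / sizeof sample_shadow[0])

enum pw_state {
    PW_HASH,           /* looks like a real password hash */
    PW_DISABLED_STAR,  /* field begins with '*': the case this item reports */
    PW_LOCKED_BANG,    /* field begins with '!': passwd -l style lock */
    PW_EMPTY,          /* genuinely empty field */
    PW_MALFORMED       /* no password field at all */
};

/* Copy the second colon-separated field of a shadow line into out.
 * Returns 0 on success, -1 if the line has no second field. */
static int shadow_password_field(const char *line, char *out, size_t outsz)
{
    const char *start = strchr(line, ':');
    if (start == NULL)
        return -1;
    start++;
    const char *end = strchr(start, ':');
    size_t len = end ? (size_t)(end - start) : strlen(start);
    if (len >= outsz)
        len = outsz - 1;
    memcpy(out, start, len);
    out[len] = '\0';
    return 0;
}

enum pw_state classify_password_field(const char *line)
{
    char pw[256];
    if (shadow_password_field(line, pw, sizeof pw) != 0)
        return PW_MALFORMED;
    if (pw[0] == '\0')
        return PW_EMPTY;
    if (pw[0] == '*')   /* assumption: any leading '*' counts as disabled */
        return PW_DISABLED_STAR;
    if (pw[0] == '!')
        return PW_LOCKED_BANG;
    return PW_HASH;
}

/* Accounts that a PAM build with this bug would accept without a
 * password: '*'-disabled entries (the reported case) and entries whose
 * field is already empty. '!'-locked entries are left to the caller,
 * since the advisory does not cover them. */
int count_passwordless_under_bug(const char **lines, int n)
{
    int hits = 0;
    for (int i = 0; i < n; i++) {
        enum pw_state s = classify_password_field(lines[i]);
        if (s == PW_DISABLED_STAR || s == PW_EMPTY)
            hits++;
    }
    return hits;
}

int main(void)
{
    static const char *label[] = { "hash", "disabled(*)", "locked(!)", "empty", "malformed" };
    for (size_t i = 0; i < SAMPLE_SHADOW_COUNT; i++) {
        char name[64];
        const char *colon = strchr(sample_shadow[i], ':');
        size_t nlen = colon ? (size_t)(colon - sample_shadow[i]) : strlen(sample_shadow[i]);
        if (nlen >= sizeof name)
            nlen = sizeof name - 1;
        memcpy(name, sample_shadow[i], nlen);
        name[nlen] = '\0';
        printf("%-8s %s\n", name, label[classify_password_field(sample_shadow[i])]);
    }
    printf("accounts exposed by the '*'-as-empty bug: %d\n",
           count_passwordless_under_bug(sample_shadow, (int)SAMPLE_SHADOW_COUNT));
    return 0;
}
```

Run against a real /etc/shadow the report tells you how many system accounts (daemon, bin and the like) would become reachable by an interactive login on a host that has the affected PAM and has not yet taken the updated packages.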
*** {02.42.020} Cross - Heimdal kadmind multiple vulnerabilities
A buffer overflow was found in the kadmind daemon of the Heimdal
Kerberos package, in its Kerberos 4 support code; versions prior to
0.5.1 are affected.
Updated Debian DEBs:
http://archives.neohapsis.com/archives/linux/debian/2002-q4/0296.html
NetBSD-1.6 and -current as of Oct 22, 2002 contain a fix.
Source: Debian, NetBSD
http://archives.neohapsis.com/archives/linux/debian/2002-q4/0296.html
http://archives.neohapsis.com/archives/netbsd/2002-q4/0083.html
*** {02.42.022} Cross - Ximian Evolution SSL certificate validation
Ximian Evolution versions 1.0.x and prior do not properly validate
SSL certificates, potentially allowing a malicious or spoofed server to
present an invalid SSL certificate that the client will accept.
The vendor confirmed this vulnerability. Versions 1.1.x and 1.2.x
contain fixes.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-10/0045.html
*** {02.42.023} Cross - VBZoom forum CGI multiple vulnerabilities
VBZoom.com's VBZoom forum CGI suite version 1.01 contains two
vulnerabilities: arbitrary users' passwords can be reset via
register.php; and uploaded files are not properly filtered, thereby
allowing the upload of PHP script code.
These vulnerabilities are not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-10/0111.html
http://archives.neohapsis.com/archives/bugtraq/2002-10/0126.html
************************************************************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (BSD/OS)
Comment: For info see http://www.gnupg.org
iD8DBQE9uDve+LUG5KFpTkYRAk++AJ9WJDR4OdRADHmg8Tfa57TKOVpzgACffnSs
8SRSeLfTfg9R1uEZxNSlNHE=
=7HLJ
-----END PGP SIGNATURE-----
------------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed
to you and you would like to begin receiving our security e-mail
newsletter on a weekly basis, we invite you to subscribe today.
http://www.networkcomputing.com/consensus/.
We are signing the Consensus newsletter
with PGP. The new SANS PGP key is posted at:
http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
also be accessed from the SANS Web site (http://www.sans.org).
Special Note: To better secure your confidential information,
we will no longer include personal URLs in our Consensus
newsletter mailings. Instead, we have created a new form
(http://www.sans.org/sansurl). On this form you can enter the SD
number located near your name at the top of the newsletter. When you
submit this form, an e-mail containing a URL will be sent to you at
the e-mail address on record. With this URL you can make changes to
your account (edit the content of your Consensus mailing, for example)
without endangering the security of your personal URL. If you'd like
to change your e-mail address or other information, please visit your
new URL as described above. If you have any problems or questions,
e-mail us at <consensus@nwc.com>.
If you would like to unsubscribe from this newsletter, grab your SD
number (next to your name at the top of this message) and visit the
URL below. You will be sent a personal URL via E-mail, from which
you can unsubscribe. http://www.sans.org/sansurl
Missed an issue? You can find all back issues of
Security Alert Consensus (and Security Express) online.
http://archives.neohapsis.com/
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2002 Network Computing, a CMP Media LLC
publication. All Rights Reserved. Distributed by Network
Computing (http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).