From: Network Computing and The SANS Institute (sans+ZZ51349830940325134_at_sans.org)
Date: Thu Nov 07 2002 - 13:27:27 CST
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 044 (02.44)
Thursday, November 7, 2002
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below
you should find information pertaining only to the categories you
requested. Information on how to manage your subscription can be found
at the bottom of the newsletter. If you have any problems or questions,
please e-mail us at <consensus@nwc.com>.
************************* Begin Advertisement ************************
This issue sponsored by Network Computing's Tech Library and Bitpipe
Inc.
How secure are your Web-based applications?
FREE Internet Security Systems White Paper: Web Application Protection
- Using Existing Protection Solutions
This paper highlights emerging threats specific to Web application
security and provides guidance on effective approaches to Web
application protection.
http://techlibrary.networkcomputing.com/data/detail?id=1032958097_44&type=RES&x=1942521078&src=email
************************** End Advertisement *************************
AIX admins will be busy this week; IBM released a batch of new
security-related APARs. A few new bugs will let local attackers gain
root privileges.
Microsoft also released a few patches. This week's IIS cumulative patch
isn't as critical as ones past, so there's no urgent rush to apply it
(unless you're a Web hosting provider). A patch for the PPTP buffer
overflow previously reported also was released.
Until next week,
--Security Alert Consensus Team
************************************************************************
TABLE OF CONTENTS:
{02.44.017} Win - MS02-062: IIS cumulative patch 11/2002
{02.44.018} Win - MS02-063: PPTP buffer overflow
{02.44.019} Win - MS02-064: Win2K root folder improper permissions
{02.44.029} Win - Pablo FTP server multiple format string
vulnerabilities
{02.44.031} Win - Xeneo HTTP server percent DoS
{02.44.009} Linux - Update {01.45.013}: teTeX insecure temp file and
dvips invocation
{02.44.010} Linux - Update {02.29.004}: libpng progressive image
loading overflows
{02.44.011} Linux - Update {02.39.003}: GNU tar file extraction
directory traversal
{02.44.012} Linux - Update {02.43.007}: ypserv memory leak DoS
{02.44.013} Linux - Update {02.41.008}: heartbeat daemon format string
overflow
{02.44.014} Linux - Update {02.42.013}: Apache mod_ssl host name CSS
{02.44.015} Linux - Update {02.41.012}: syslog-ng macro expansion
overflow
{02.44.016} Linux - Update {02.30.003}: chfn /etc/ptmp lockfile
vulnerability
{02.44.020} Linux - Update {02.38.013}: Multiple Mozilla 1.0
vulnerabilities
{02.44.030} Linux - Update {02.40.013}: Apache host name CSS, ab
overflow and shared memory vulnerabilities
{02.44.001} AIX - autofs executable map command execution
{02.44.002} AIX - Update {02.32.029}: rpc.ttdbserverd _TT_CREATE_FILE()
heap overflow
{02.44.003} AIX - Update {02.26.002}: DNS libresolve/resolver buffer
overflow
{02.44.004} AIX - Update {02.31.009}: RPC XDR array decoding overflow
{02.44.005} AIX - dump_smutil.sh insecure temp file handling
{02.44.006} AIX - nslookup local buffer overflow
{02.44.007} AIX - AIX ypserv security vulnerability
{02.44.022} NApps - Iomega NAS A300U multiple vulnerabilities
{02.44.025} NApps - Linksys BEFSR41 Gozila.cgi DoS
{02.44.026} NApps - NetScreen SSH DoS
{02.44.033} NApps - Cisco ONS multiple vulnerabilities
{02.44.036} Other - Tru64 TruCluster interconnect DoS
{02.44.008} Cross - Update {02.42.020}: Heimdal kadmind multiple
vulnerabilities
{02.44.021} Cross - log2mail message overflow
{02.44.023} Cross - PHPNuke account manager SQL injection
{02.44.024} Cross - Prometheus CGI framework code execution
{02.44.027} Cross - Abuse game -net parameter overflow
{02.44.028} Cross - ion-p CGI page parameter file retrieval
{02.44.032} Cross - gBook CGI admin login bypass
{02.44.034} Cross - Oracle iSQLPlus user name overflow
{02.44.035} Cross - IPFilter FTP module state tracking vulnerability
{02.44.037} Cross - Perl Mail::Mailer command execution
--- Windows News -------------------------------------------------------
*** {02.44.017} Win - MS02-062: IIS cumulative patch 11/2002
Microsoft released MS02-062 ("IIS cumulative patch 10/2002"). The
cumulative patch fixes four new vulnerabilities: local, out-of-process
ISAPIs can gain system privileges; a WebDAV request memory exhaustion
DoS; '.com' file upload bypasses script checking; and cross-site
scripting in the administrative pages.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS02-062.asp
Source: Microsoft
http://archives.neohapsis.com/archives/microsoft/2002-q4/0010.html
*** {02.44.018} Win - MS02-063: PPTP buffer overflow
Microsoft released MS02-063 ("PPTP buffer overflow"). This patch
fixes the vulnerability previously discussed in {02.39.012} ("PPTP
preauthorization buffer overflow").
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS02-063.asp
Source: Microsoft
http://archives.neohapsis.com/archives/microsoft/2002-q4/0009.html
*** {02.44.019} Win - MS02-064: Win2K root folder improper permissions
Microsoft released MS02-064 ("Win2K root folder improper
permissions"). The root drive folder (C:\) in all versions of Windows
2000 gives 'everyone' full control. Since the root directory is
automatically in the path under certain situations, this could let
an attacker place a trojan on the system for execution.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS02-064.asp
Source: Microsoft
http://archives.neohapsis.com/archives/microsoft/2002-q4/0008.html
*** {02.44.029} Win - Pablo FTP server multiple format string
vulnerabilities
Pablo FTP Server versions 1.5 and prior contain format string
vulnerabilities in the handling of various FTP commands, including the
login prompt. This could allow a remote attacker to execute arbitrary
code on the system.
This vulnerability is confirmed and fixed in version 1.5.1.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0057.html
*** {02.44.031} Win - Xeneo HTTP server percent DoS
The Xeneo HTTP server version 2.1.0.0 crashes when an attacker submits
a URL request ending in a single percent sign ('%'). This leads to
a denial of service attack.
This vulnerability is confirmed and fixed in versions 2.1.5 and later.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0058.html
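The Xeneo item above is the classic "incomplete percent-escape" parsing bug: a request ending in a lone '%' makes a decoder that assumes two hex digits always follow read past the end of the input. The following is an added example, not code from Xeneo or the advisory, contrasting a naive decoder with one that rejects (or, leniently, passes through) a truncated escape; the function names and the 400/200 status handling are this example's own.

```python
"""Percent-decoding with and without handling of a truncated escape."""

HEX_DIGITS = set("0123456789abcdefABCDEF")


def naive_percent_decode(path: str) -> str:
    """Assumes every '%' is followed by two hex digits.

    On a path ending in '%' the slice past the end is empty and int() raises;
    a C server with the same assumption reads past the buffer instead, which
    is the crash-on-trailing-'%' failure mode described in the advisory.
    """
    out, i = [], 0
    while i < len(path):
        if path[i] == "%":
            out.append(chr(int(path[i + 1:i + 3], 16)))  # no length check
            i += 3
        else:
            out.append(path[i])
            i += 1
    return "".join(out)


def safe_percent_decode(path: str, strict: bool = True) -> str:
    """Decode %XX escapes, validating that two hex digits really follow.

    An incomplete escape ('%' followed by fewer than two hex digits, including
    a bare '%' at the very end) is rejected with ValueError when strict, or
    kept literally when lenient. Either way nothing is read past the input.
    """
    out, i, n = [], 0, len(path)
    while i < n:
        c = path[i]
        if c != "%":
            out.append(c)
            i += 1
            continue
        pair = path[i + 1:i + 3]
        if len(pair) == 2 and all(h in HEX_DIGITS for h in pair):
            out.append(chr(int(pair, 16)))
            i += 3
        elif strict:
            raise ValueError(f"incomplete percent-escape at offset {i}")
        else:
            out.append(c)  # keep the literal '%' and move on
            i += 1
    return "".join(out)


def crashes(decoder, path: str) -> bool:
    """True if the decoder raises on the given path (stands in for a crash)."""
    try:
        decoder(path)
        return False
    except (ValueError, IndexError):
        return True


def handle_request(raw_path: str) -> int:
    """Minimal request handler: malformed escapes get a 400 instead of a crash."""
    try:
        safe_percent_decode(raw_path, strict=True)
    except ValueError:
        return 400
    return 200


if __name__ == "__main__":
    # Constructed sample requests, the last one being the lone-'%' case.
    for p in ("/index.html", "/a%20b", "/foo%"):
        print(p, "naive crashes:", crashes(naive_percent_decode, p),
              "status:", handle_request(p))
```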
--- Linux News ---------------------------------------------------------
*** {02.44.009} Linux - Update {01.45.013}: teTeX insecure temp file
and dvips invocation
Conectiva released updated teTeX packages, which fix the vulnerability
discussed in {01.45.013} ("teTeX insecure temp file and dvips
invocation").
Updated RPMs are listed at the reference URL below.
Source: Conectiva
http://archives.neohapsis.com/archives/linux/conectiva/2002-q4/0007.html
*** {02.44.010} Linux - Update {02.29.004}: libpng progressive image
loading overflows
Conectiva released updated libpng packages, which fix the
vulnerability discussed in {02.29.004} ("libpng progressive image
loading overflows").
Updated RPMs are listed at the reference URL below.
Source: Conectiva
http://archives.neohapsis.com/archives/linux/conectiva/2002-q4/0008.html
*** {02.44.011} Linux - Update {02.39.003}: GNU tar file extraction
directory traversal
Conectiva released updated tar packages, which fix the vulnerability
discussed in {02.39.003} ("GNU tar file extraction directory
traversal").
Updated RPMs are listed at the reference URL below.
Source: Conectiva
http://archives.neohapsis.com/archives/linux/conectiva/2002-q4/0009.html
*** {02.44.012} Linux - Update {02.43.007}: ypserv memory leak DoS
Conectiva released updated ypserv packages, which fix the vulnerability
discussed in {02.43.007} ("ypserv memory leak DoS").
Updated RPMs are listed at the reference URL below.
Source: Conectiva
http://archives.neohapsis.com/archives/linux/conectiva/2002-q4/0010.html
*** {02.44.013} Linux - Update {02.41.008}: heartbeat daemon format
string overflow
Conectiva released updated heartbeat packages, which fix the
vulnerability discussed in {02.41.008} ("heartbeat daemon format
string overflow").
Updated RPMs are listed at the reference URL below.
Source: Conectiva
http://archives.neohapsis.com/archives/linux/conectiva/2002-q4/0011.html
*** {02.44.014} Linux - Update {02.42.013}: Apache mod_ssl host name CSS
Conectiva released updated mod_ssl packages, which fix the
vulnerability discussed in {02.42.013} ("Apache mod_ssl host name
CSS").
Updated RPMs are listed at the reference URL below.
Source: Conectiva
http://archives.neohapsis.com/archives/linux/conectiva/2002-q4/0012.html
*** {02.44.015} Linux - Update {02.41.012}: syslog-ng macro expansion
overflow
SuSE released updated syslog-ng packages, which fix the vulnerability
discussed in {02.41.012} ("syslog-ng macro expansion overflow").
Updated RPMs are listed at the reference URL below.
Source: SuSE
http://archives.neohapsis.com/archives/linux/suse/2002-q4/0469.html
*** {02.44.016} Linux - Update {02.30.003}: chfn /etc/ptmp lockfile
vulnerability
Caldera released updated util-linux packages, which fix the
vulnerability discussed in {02.30.003} ("chfn /etc/ptmp lockfile
vulnerability").
Updated RPMs are listed at the reference URL below.
Source: Caldera
http://archives.neohapsis.com/archives/linux/caldera/2002-q4/0008.html
*** {02.44.020} Linux - Update {02.38.013}: Multiple Mozilla 1.0
vulnerabilities
Mandrake released updated Mozilla packages, which fix the vulnerability
discussed in {02.38.013} ("Multiple Mozilla 1.0 vulnerabilities").
Updated RPMs are listed at the reference URL below.
Source: Mandrake
http://archives.neohapsis.com/archives/linux/mandrake/2002-q4/0083.html
*** {02.44.030} Linux - Update {02.40.013}: Apache host name CSS, ab
overflow and shared memory vulnerabilities
Debian released updated Apache packages, which fix the vulnerabilities
discussed in {02.40.013} ("Apache host name CSS, ab overflow and
shared memory vulnerabilities").
Updated DEBs are listed at the reference URL below.
Source: Debian
http://archives.neohapsis.com/archives/linux/debian/2002-q4/0487.html
http://archives.neohapsis.com/archives/linux/debian/2002-q4/0496.html
--- AIX News -----------------------------------------------------------
*** {02.44.001} AIX - autofs executable map command execution
IBM released APAR IY31934, which fixes a vulnerability in
configurations using autofs and executable maps. The vulnerability
lets local malicious attackers execute arbitrary commands under
root privileges.
Source: IBM
http://archives.neohapsis.com/archives/aix/2002-q4/0002.html
*** {02.44.002} AIX - Update {02.32.029}: rpc.ttdbserverd
_TT_CREATE_FILE() heap overflow
IBM released APARs IY32368 and IY32792, which fix the vulnerability
discussed in {02.32.029} ("rpc.ttdbserverd _TT_CREATE_FILE() heap
overflow") as well as other ttdbserverd vulnerabilities.
Source: IBM
http://archives.neohapsis.com/archives/aix/2002-q4/0002.html
*** {02.44.003} AIX - Update {02.26.002}: DNS libresolve/resolver
buffer overflow
IBM released APARs IY32719 and IY34644, which fix the vulnerability
discussed in {02.26.002} ("DNS libresolve/resolver buffer overflow").
Source: IBM
http://archives.neohapsis.com/archives/aix/2002-q4/0002.html
*** {02.44.004} AIX - Update {02.31.009}: RPC XDR array decoding
overflow
IBM released APAR IY34194, which fixes the vulnerability discussed
in {02.31.009} ("RPC XDR array decoding overflow").
Source: IBM
http://archives.neohapsis.com/archives/aix/2002-q4/0002.html
*** {02.44.005} AIX - dump_smutil.sh insecure temp file handling
The dump_smutil.sh script insecurely handles temporary files, thereby
allowing a local user to perform a symlink attack.
IBM confirmed this problem and released APAR IY34617.
Source: IBM
http://archives.neohapsis.com/archives/aix/2002-q4/0002.html
*** {02.44.006} AIX - nslookup local buffer overflow
IBM released APAR IY34670, which fixes a buffer overflow in
nslookup. Further details were not provided.
Source: IBM
http://archives.neohapsis.com/archives/aix/2002-q4/0002.html
*** {02.44.007} AIX - AIX ypserv security vulnerability
IBM released APAR IY34800, which fixes a 'security hole' in
ypserv. Details were not provided, but the security hole may be the
one reported in {02.43.007} ("ypserv memory leak DoS").
Source: IBM
http://archives.neohapsis.com/archives/aix/2002-q4/0002.html
--- Network Appliances News --------------------------------------------
*** {02.44.022} NApps - Iomega NAS A300U multiple vulnerabilities
The Iomega NAS A300U reportedly sends the administrative user
name/password in the clear to the administrative HTTP service. The
advisory also notes a few other concerns, which may have security
impact: inability to turn off the FTP service; plain text LANMAN SMB
logins are allowed; and the device affects Windows network browsing.
These vulnerabilities are not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-10/0440.html
*** {02.44.025} NApps - Linksys BEFSR41 Gozila.cgi DoS
The Linksys BEFSR41 cable/DSL router crashes when an empty HTTP
request is made for Gozila.cgi to the built-in administrative Web
server. Firmware versions prior to 1.42.7 are vulnerable.
This vulnerability is confirmed and fixed in firmware version 1.42.7.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0049.html
*** {02.44.026} NApps - NetScreen SSH DoS
A released advisory indicates that a denial of service exists in the
various NetScreen devices, which could let a remote attacker cause
the device to reset.
The advisory indicates vendor confirmation.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0053.html
http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0054.html
*** {02.44.033} NApps - Cisco ONS multiple vulnerabilities
The Cisco ONS15454 and ONS15327 with ONS software prior to version
3.4 contain multiple vulnerabilities: FTP login with invalid user
name/password; plain text storage of user names/passwords; the SNMP
community is hard coded as 'public'; an invalid CORBA request causes
reset; a malformed HTTP request causes reset; and a backdoor telnet
account to the underlying OS.
Cisco confirmed these vulnerabilities; software versions 3.4 and
after contain the fixes.
Source: Cisco
http://archives.neohapsis.com/archives/cisco/2002-q4/0002.html
--- Other News ---------------------------------------------------------
*** {02.44.036} Other - Tru64 TruCluster interconnect DoS
A Compaq/HP advisory indicates that the Tru64 TruCluster server
software contains a remote denial of service vulnerability. Details
were not provided.
Updated ERPs are listed at the reference URL below.
Source: Compaq/HP
http://archives.neohapsis.com/archives/tru64/2002-q4/0004.html
--- Cross-Platform News ------------------------------------------------
*** {02.44.008} Cross - Update {02.42.020}: Heimdal kadmind multiple
vulnerabilities
Multiple vendors released updates, which fix the vulnerability
discussed in {02.42.020} ("Heimdal kadmind multiple vulnerabilities").
IBM has released APAR IY36339.
Updated Debian DEBs:
http://archives.neohapsis.com/archives/linux/debian/2002-q4/0444.html
http://archives.neohapsis.com/archives/linux/debian/2002-q4/0460.html
http://archives.neohapsis.com/archives/linux/debian/2002-q4/0473.html
Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/linux/mandrake/2002-q4/0060.html
OpenBSD 3.2 patch information:
http://archives.neohapsis.com/archives/openbsd/2002-11/0401.html
Source: IBM, Debian, Mandrake, OpenBSD
http://archives.neohapsis.com/archives/aix/2002-q4/0002.html
http://archives.neohapsis.com/archives/linux/debian/2002-q4/0444.html
http://archives.neohapsis.com/archives/linux/debian/2002-q4/0460.html
http://archives.neohapsis.com/archives/linux/debian/2002-q4/0473.html
http://archives.neohapsis.com/archives/linux/mandrake/2002-q4/0060.html
http://archives.neohapsis.com/archives/openbsd/2002-11/0401.html
*** {02.44.021} Cross - log2mail message overflow
A Debian advisory indicates that the log2mail utility contains a buffer
overflow in the handling of particular log messages, which could allow
an attacker to execute arbitrary code with root privileges. If the
system accepts remote syslog messages, then this could be a remote
vulnerability; otherwise it is limited to the local system.
Updated DEBs are listed at the reference URL below.
Source: Debian
http://archives.neohapsis.com/archives/linux/debian/2002-q4/0474.html
*** {02.44.023} Cross - PHPNuke account manager SQL injection
PHPNuke version 5.6 reportedly contains a SQL injection vulnerability
in the handling of parameters passed to the user account manager
module, thereby allowing a malicious user to reset the password of
all user accounts to a known value.
The advisory indicates vendor confirmation; the vendor states the
problem is fixed in version 6.0.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0051.html
*** {02.44.024} Cross - Prometheus CGI framework code execution
The Prometheus PHP CGI framework version 6.0 reportedly allows a
remote attacker to execute arbitrary PHP code by submitting particular
PROMETHEUS_LIB_PATH and PHP_AUTO_LOAD_LIB URL parameters.
The advisory indicates vendor confirmation.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0050.html
*** {02.44.027} Cross - Abuse game -net parameter overflow
The 'abuse' game version 2.0, included with some Debian distributions,
contains a buffer overflow in the handling of the 'net' command-line
parameter, thereby allowing a local attacker to gain elevated
privileges. By default, abuse is setuid root and setgid games.
The advisory indicates confirmation by the vendor, which also suggests
that other vulnerabilities exist. The solution is to not install
abuse on security-critical systems.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0055.html
*** {02.44.028} Cross - ion-p CGI page parameter file retrieval
The ion-p CGI script for both Windows and Unix reportedly allows remote
attackers to request arbitrary files via the 'page' URL parameter.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-10/0447.html
http://archives.neohapsis.com/archives/bugtraq/2002-10/0448.html
*** {02.44.032} Cross - gBook CGI admin login bypass
The gBook PHP CGI suite has a flaw in its administrative login
checking code, which allows a remote attacker to log in by appending
'login=true' to the URL.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-10/0328.html
*** {02.44.034} Cross - Oracle iSQLPlus user name overflow
Oracle iSQLPlus included with Oracle 9i contains a buffer overflow in
the handling of large login user names, thereby allowing a remote
attacker to execute arbitrary code under the privileges of the
Web server.
The advisory indicates confirmation by the vendor, which released a
patch via the Oracle Metalink Web site.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0060.html
*** {02.44.035} Cross - IPFilter FTP module state tracking vulnerability
A NetBSD advisory indicates that the FTP module included with IPFilter
does not properly track the state of the connection's commands and
responses, potentially allowing a remote attacker to open arbitrary
ports. All IPFilter versions prior to 3.4.29 are vulnerable.
NetBSD-current as of Sept. 20, 2002, and -1.5 and -1.6 as of Oct. 19,
2002, contain the fix.
Source: NetBSD
http://archives.neohapsis.com/archives/netbsd/2002-q4/0225.html
*** {02.44.037} Cross - Perl Mail::Mailer command execution
The SuSE team uncovered vulnerabilities in the Perl Mail::Mailer
module that could execute arbitrary commands if they are passed
untrusted data by unsuspecting parent applications. Exploitability
will depend on the actual situation in which the module is used.
Updated SuSE RPMs are listed at the reference URL below.
Source: SuSE
http://archives.neohapsis.com/archives/linux/suse/2002-q4/0531.html
************************************************************************
------------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed
to you and you would like to begin receiving our security e-mail
newsletter on a weekly basis, we invite you to subscribe today.
http://www.networkcomputing.com/consensus/.
We are signing the Consensus newsletter
with PGP. The new SANS PGP key is posted at:
http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
also be accessed from the SANS Web site (http://www.sans.org).
Special Note: To better secure your confidential information,
we will no longer include personal URLs in our Consensus
newsletter mailings. Instead, we have created a new form
(http://www.sans.org/sansurl). On this form you can enter the SD
number located near your name at the top of the newsletter. When you
submit this form, an e-mail containing a URL will be sent to you at
the e-mail address on record. With this URL you can make changes to
your account (edit the content of your Consensus mailing, for example)
without endangering the security of your personal URL. If you'd like
to change your e-mail address or other information, please visit your
new URL as described above. If you have any problems or questions,
e-mail us at <consensus@nwc.com>.
If you would like to unsubscribe from this newsletter, grab your SD
number (next to your name at the top of this message) and visit the
URL below. You will be sent a personal URL via E-mail, from which
you can unsubscribe. http://www.sans.org/sansurl
Missed an issue? You can find all back issues of
Security Alert Consensus (and Security Express) online.
http://archives.neohapsis.com/
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2002 Network Computing, a CMP Media LLC
publication. All Rights Reserved. Distributed by Network
Computing (http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).