From: Network Computing and The SANS Institute (sans+ZZ65089497224734077_at_sans.org)
Date: Thu Nov 14 2002 - 13:26:14 CST
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 045 (02.45)
Thursday, November 14, 2002
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below
you should find information pertaining only to the categories you
requested. Information on how to manage your subscription can be found
at the bottom of the newsletter. If you have any problems or questions,
please e-mail us at <consensus@nwc.com>.
************************* Begin Advertisement ************************
This issue sponsored by Network Computing's Tech Library and Bitpipe
Inc.
Is your network performing the way it needs to?
FREE Sprint White Paper: Ensure the Reliability, Security and
Performance of Your Network
This white paper gives insight into the importance of choosing the right
network vendor to maintain a reliable mission-critical system.
************************** End Advertisement *************************
The big news this week is the announcement of another round of
vulnerabilities found in the popular DNS implementation, BIND
(Berkeley Internet Name Domain Server). BIND versions 4 and 8, both
in wide use on the Internet, are affected (see {02.45.007}).
In addition to the vulnerability announcements themselves, much
of the security community is up in arms over the handling of
the issue. It appears that ISC (the maintainers of BIND) released
patch information to a selective set of paying customers before the
vulnerability announcement was made public, essentially arming any
would-be attackers lurking or associated with those organizations
with the necessary information for exploitation. Complicating matters
further, when the issue did go public (at least a week later), the
patches were only made available via e-mail--with some delay times
reported as exceeding eight hours.
While ISC appears to have changed its position in the past 24
hours by placing the patches online (instead of requiring the manual
intervention of an ISC staff member via e-mail), the whole fiasco calls
into question--once again--the politics and policies surrounding
research, disclosure and vendor/maintainer response. Some good
debates on the issue can be found on SecurityFocus' Bugtraq mailing
list as well as in other popular security forums on the Internet. We
encourage organizations to voice their opinions on vulnerability
disclosure practices to their vendors and software maintainers. The
madness needs to end.
Until next week,
--Security Alert Consensus Team
************************************************************************
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
TABLE OF CONTENTS:
{02.45.028} Win - ColdFusion/JRun long URI overflow
{02.45.001} Linux - Update {02.31.009}: RPC XDR array decoding overflow
{02.45.002} Linux - Update {02.41.014}: KGhostview sscanf() format
string vulnerability
{02.45.004} Linux - Update {02.44.037}: Perl Mail::Mailer command
execution
{02.45.005} Linux - Update {02.38.006}: SquirrelMail CGI multiple CSS
vulnerabilities
{02.45.009} Linux - Luxman game maped gzip path vulnerability
{02.45.011} Linux - Update {02.42.020}: Heimdal kadmind multiple
vulnerabilities
{02.45.012} Linux - nss_ldap DNS SRV record overflow
{02.45.013} Linux - html2ps insecure file handling
{02.45.014} Linux - Update {02.41.012}: syslog-ng macro expansion
overflow
{02.45.015} Linux - Update {02.37.005}: PHP mail() command may bypass
safe_mode
{02.45.017} Linux - Update {02.35.009}: PXE server malformed DHCP DoS
{02.45.018} Linux - Update {02.42.013}: Apache mod_ssl host name CSS
{02.45.019} Linux - masqmail multiple overflows
{02.45.021} Linux - Update {02.29.004}: libpng progressive image
loading overflows
{02.45.023} Linux - Simple Web Server file restrict bypass
{02.45.026} Linux - KDE Lisa/resLISa multiple vulnerabilities
{02.45.032} Linux - nanog-traceroute overflow
{02.45.016} NW - iManager emFrame user name overflow
{02.45.020} NW - eDir user login/expired password vulnerability
{02.45.010} SGI - Update {02.32.029}: rpc.ttdbserverd _TT_CREATE_FILE()
heap overflow
{02.45.029} SCO - in.talkd format string vulnerability
{02.45.025} NApps - Update {02.44.026}: NetScreen SSH DoS
{02.45.031} NApps - Various 802.11b access points disclose information
{02.45.024} Other - QNX packager insecure path vulnerability
{02.45.003} Cross - Linuxconf allows sendmail relay
{02.45.006} Cross - Window Maker image size integer overflow
{02.45.007} Cross - BIND SIG cached RR overflow + 2 DoS
{02.45.008} Cross - Perl Safe.pm reuse opmask modification
{02.45.022} Cross - Pine 4.44 malformed From field vulnerability
{02.45.027} Cross - KDE KIO rlogin/telnet protocol handler overflows
{02.45.030} Cross - Light HTTP long URL overflow
--- Windows News -------------------------------------------------------
*** {02.45.028} Win - ColdFusion/JRun long URI overflow
The Macromedia/Allaire ColdFusion version 6.0 (and prior) and JRun
version 4.0 (and prior) IIS ISAPI handlers contain a buffer overflow
in the handling of large URI strings. This lets a remote attacker
execute arbitrary code with local system privileges.
Macromedia released updated patches.
Source: Macromedia, VulnWatch
http://archives.neohapsis.com/archives/vendor/2002-q4/0042.html
http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0072.html
--- Linux News ---------------------------------------------------------
*** {02.45.001} Linux - Update {02.31.009}: RPC XDR array decoding
overflow
Conectiva and Red Hat (re-)released updated glibc packages, which fix
the vulnerability discussed in {02.31.009} ("RPC XDR array decoding
overflow").
Updated Conectiva RPMs:
http://archives.neohapsis.com/archives/linux/conectiva/2002-q4/0013.html
Updated Red Hat RPMs:
http://archives.neohapsis.com/archives/linux/redhat/2002-q4/0033.html
Source: Conectiva, Red Hat
http://archives.neohapsis.com/archives/linux/conectiva/2002-q4/0013.html
http://archives.neohapsis.com/archives/linux/redhat/2002-q4/0033.html
*** {02.45.002} Linux - Update {02.41.014}: KGhostview sscanf() format
string vulnerability
Conectiva released updated kghostview packages, which fix the
vulnerability discussed in {02.41.014} ("KGhostview sscanf() format
string vulnerability").
Updated RPMs are listed at the reference URL below.
Source: Conectiva
http://archives.neohapsis.com/archives/linux/conectiva/2002-q4/0015.html
*** {02.45.004} Linux - Update {02.44.037}: Perl Mail::Mailer command
execution
Mandrake released updated perl-mailtools packages, which fix the
vulnerability discussed in {02.44.037} ("Perl Mail::Mailer command
execution").
Updated RPMs are listed at the reference URL below.
Source: Mandrake
http://archives.neohapsis.com/archives/linux/mandrake/2002-q4/0101.html
*** {02.45.005} Linux - Update {02.38.006}: SquirrelMail CGI multiple
CSS vulnerabilities
Debian released updated SquirrelMail packages, which fix the
vulnerability discussed in {02.38.006} ("SquirrelMail CGI multiple
CSS vulnerabilities").
Updated DEBs are listed at the reference URL below.
Source: Debian
http://archives.neohapsis.com/archives/linux/debian/2002-q4/0555.html
*** {02.45.009} Linux - Luxman game maped gzip path vulnerability
The setuid maped utility included with the Luxman game reportedly
invokes gzip through the caller's PATH rather than by an absolute path,
so a local user can plant a trojan gzip that maped then runs with its
elevated privileges, giving that code access to /dev/mem.
This vulnerability is confirmed.
Updated Debian DEBs:
http://archives.neohapsis.com/archives/linux/debian/2002-q4/0499.html
Source: VulnWatch, Debian
http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0062.html
http://archives.neohapsis.com/archives/linux/debian/2002-q4/0499.html
*** {02.45.011} Linux - Update {02.42.020}: Heimdal kadmind multiple
vulnerabilities
Red Hat released updated Kerberos packages, which fix the
vulnerabilities discussed in {02.42.020} ("Heimdal kadmind multiple
vulnerabilities").
Updated RPMs are listed at the reference URL below.
Source: Red Hat
http://archives.neohapsis.com/archives/linux/redhat/2002-q4/0035.html
*** {02.45.012} Linux - nss_ldap DNS SRV record overflow
Under certain configurations, the nss_ldap PAM module prior to version
198 can be triggered to overflow a buffer by receiving a long DNS
SRV record.
Mandrake confirmed this and released updated RPMs, listed at the
reference URL below.
Source: Mandrake
http://archives.neohapsis.com/archives/linux/mandrake/2002-q4/0100.html
*** {02.45.013} Linux - html2ps insecure file handling
A SuSE advisory indicates the html2ps utility will perform insecure
file operations based on untrusted user data. If html2ps is used as
a filter in lprng, there is a potential for exploitation.
Updated SuSE RPMs:
http://archives.neohapsis.com/archives/linux/suse/2002-q4/0471.html
Updated Debian DEBs:
http://archives.neohapsis.com/archives/linux/debian/2002-q4/0515.html
Source: SuSE, Debian
http://archives.neohapsis.com/archives/linux/suse/2002-q4/0471.html
http://archives.neohapsis.com/archives/linux/debian/2002-q4/0515.html
*** {02.45.014} Linux - Update {02.41.012}: syslog-ng macro expansion
overflow
EnGarde re-released updated syslog-ng packages, which fix the
vulnerability discussed in {02.41.012} ("syslog-ng macro expansion
overflow").
Updated RPMs are listed at the reference URL below.
Source: EnGarde
http://archives.neohapsis.com/archives/linux/engarde/2002-q4/0008.html
*** {02.45.015} Linux - Update {02.37.005}: PHP mail() command may
bypass safe_mode
Red Hat released updated PHP packages, which fix the vulnerability
discussed in {02.37.005} ("PHP mail() command may bypass safe_mode").
Updated RPMs are listed at the reference URL below.
Source: Red Hat
http://archives.neohapsis.com/archives/linux/redhat/2002-q4/0036.html
*** {02.45.017} Linux - Update {02.35.009}: PXE server malformed DHCP
DoS
Caldera released updated pxe packages, which fix the vulnerability
discussed in {02.35.009} ("PXE server malformed DHCP DoS").
Updated RPMs are listed at the reference URL below.
Source: Caldera
http://archives.neohapsis.com/archives/linux/caldera/2002-q4/0010.html
*** {02.45.018} Linux - Update {02.42.013}: Apache mod_ssl host name CSS
EnGarde released updated Apache packages, which fix the vulnerability
discussed in {02.42.013} ("Apache mod_ssl host name CSS").
Updated RPMs are listed at the reference URL below.
Source: EnGarde
http://archives.neohapsis.com/archives/linux/engarde/2002-q4/0009.html
*** {02.45.019} Linux - masqmail multiple overflows
A Debian advisory indicates multiple buffer overflows exist in the
masqmail utility. This vulnerability could allow a local attacker to
gain root privileges.
Updated Debian DEBs are listed at the reference URL below.
Source: Debian
http://archives.neohapsis.com/archives/linux/debian/2002-q4/0577.html
*** {02.45.021} Linux - Update {02.29.004}: libpng progressive image
loading overflows
Caldera released updated libpng packages, which fix the vulnerability
discussed in {02.29.004} ("libpng progressive image loading
overflows").
Updated RPMs are listed at the reference URL below.
Source: Caldera
http://archives.neohapsis.com/archives/linux/caldera/2002-q4/0011.html
*** {02.45.023} Linux - Simple Web Server file restrict bypass
The Simple Web Server version 0.5.1 allows remote attackers to access
otherwise restricted Web files when they add an extra character to
the URL request.
The advisory indicates vendor confirmation.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0065.html
*** {02.45.026} Linux - KDE Lisa/resLISa multiple vulnerabilities
KDE versions prior to 3.0.5 contain three vulnerabilities: a local
attacker can overflow the resLISa module via the LOGNAME environment
variable and gain access to a raw network socket; a remote attacker
can run a trojan lisa service, which can feed data to a scanning lisa
service and cause an overflow that allows the execution of arbitrary
code; and the 'lan:' URL handler contains a buffer overflow that
allows the execution of arbitrary code.
These vulnerabilities are confirmed and fixed in KDE version 3.0.5.
Updated Debian DEBs (which only fix some of the vulnerabilities):
http://archives.neohapsis.com/archives/linux/debian/2002-q4/0558.html
Updated SuSE RPMs:
http://archives.neohapsis.com/archives/linux/suse/2002-q4/0711.html
Source: VulnWatch, Debian, SuSE, SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0068.html
http://archives.neohapsis.com/archives/linux/debian/2002-q4/0558.html
http://archives.neohapsis.com/archives/linux/suse/2002-q4/0711.html
http://archives.neohapsis.com/archives/bugtraq/2002-11/0135.html
*** {02.45.032} Linux - nanog-traceroute overflow
A SuSE advisory indicates the nanog-traceroute utility contains a
buffer overflow that could let a local attacker gain access to a raw
network socket.
Updated RPMs are listed at the reference URL below.
Source: SuSE
http://archives.neohapsis.com/archives/linux/suse/2002-q4/0722.html
--- NetWare News -------------------------------------------------------
*** {02.45.016} NW - iManager emFrame user name overflow
A long distinguished name entered as the user name to the iManager
emFrame login will result in a buffer overflow on the server.
Patch information is available at:
http://support.novell.com/servlet/tidfinder/2963651
Source: Novell
http://archives.neohapsis.com/archives/novell/2002-q4/0000.html
*** {02.45.020} NW - eDir user login/expired password vulnerability
A Novell advisory indicates eDirectory version 8.6.2 allows users to
log in to accounts with expired passwords.
Update information is available at:
http://support.novell.com/servlet/tidfinder/2963767
Source: Novell
http://archives.neohapsis.com/archives/novell/2002-q4/0001.html
--- SGI News -----------------------------------------------------------
*** {02.45.010} SGI - Update {02.32.029}: rpc.ttdbserverd
_TT_CREATE_FILE() heap overflow
SGI released updated ToolTalk packages, which fix the vulnerability
discussed in {02.32.029} ("rpc.ttdbserverd _TT_CREATE_FILE() heap
overflow").
Patches are listed in the reference URLs below.
Source: SGI
http://archives.neohapsis.com/archives/vendor/2002-q4/0035.html
http://archives.neohapsis.com/archives/vendor/2002-q4/0034.html
--- SCO News -----------------------------------------------------------
*** {02.45.029} SCO - in.talkd format string vulnerability
A Caldera/SCO advisory indicates the in.talkd daemon contains a
remotely exploitable format string vulnerability.
Updated binaries are listed at the reference URL below.
Source: Caldera/SCO
http://archives.neohapsis.com/archives/linux/caldera/2002-q4/0012.html
--- Network Appliances News --------------------------------------------
*** {02.45.025} NApps - Update {02.44.026}: NetScreen SSH DoS
ScreenOS version 4.0.0r6 was released. It fixes the vulnerability
discussed in {02.44.026} ("NetScreen SSH DoS").
Updates are available to registered customers.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-11/0088.html
*** {02.45.031} NApps - Various 802.11b access points disclose
information
An advisory indicates various GlobalSunTech-based 802.11b access
points (including D-Link DWL-900AP+, Linksys WAP11, Wisecom GL2422AP,
Alloy GL-2422AP and Eusso GL2422-AP) will answer a particular
broadcast packet with a response that contains configuration
information--potentially including the WEP keys.
Third parties confirmed this vulnerability on the various access
points listed. An exploit for this vulnerability was published.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-11/0008.html
--- Other News ---------------------------------------------------------
*** {02.45.024} Other - QNX packager insecure path vulnerability
The setuid packager utility included with QNX OS version 6.2.0
insecurely calls the 'cp' utility without using an absolute path,
thereby allowing a local attacker to execute a trojan cp command with
root privileges.
The advisory indicates confirmation by the vendor, which will have
a fix in QNX 6.2.1. Until then, users can 'chmod -s' the packager
utility.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0066.html
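Both the Luxman maped item ({02.45.009}) and this QNX packager item describe the same defect: a setuid program launching a helper (gzip, cp) by name, so the lookup goes through the caller's PATH. The C program below is an added illustration written for this newsletter, not code from either advisory or vendor, of how a privileged program should launch a helper: a fixed absolute path with no ".." components, execve() with a minimal environment so PATH is never consulted, and privileges dropped before the helper runs. The function names, the contents of minimal_env, and the /bin/sh demo command are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Assumed minimal environment for the helper: nothing inherited from the
   caller, so neither PATH nor loader variables can redirect the exec. */
static char *const minimal_env[] = { "PATH=/bin:/usr/bin", "IFS= \t\n", NULL };

/* Constructed demo argv: a shell that simply exits with status 3. */
char *const demo_sh_argv[] = { "sh", "-c", "exit 3", NULL };

/* Accept only an absolute path without ".." components. Anything else is
   refused before any process is created. */
int is_absolute_trusted_path(const char *p)
{
    if (p == NULL || p[0] != '/')
        return 0;
    size_t n = strlen(p);
    if (strstr(p, "/../") != NULL)
        return 0;
    if (n >= 3 && strcmp(p + n - 3, "/..") == 0)
        return 0;
    return 1;
}

/* Run a helper by absolute path. Returns the helper's exit status, or -1
   if the path is refused, fork/wait fails, or the helper did not exit
   normally. */
int run_fixed_command(const char *abs_path, char *const argv[])
{
    if (!is_absolute_trusted_path(abs_path))
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        /* Child: the helper does not need the caller's setuid privileges,
           so give them up permanently before exec. When the program is not
           setuid these calls are harmless no-ops. */
        if (setgid(getgid()) != 0 || setuid(getuid()) != 0)
            _exit(126);
        /* execve() takes the path literally and never searches PATH, so a
           trojan 'cp' or 'gzip' placed earlier in the caller's PATH is
           never considered. */
        execve(abs_path, argv, minimal_env);
        _exit(127);
    }

    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* A fixed absolute command runs and its exit status is reported. */
    printf("helper exit status: %d\n", run_fixed_command("/bin/sh", demo_sh_argv));
    /* A bare name is refused before fork(), so no PATH lookup ever happens. */
    printf("relative name refused: %d\n", run_fixed_command("sh", demo_sh_argv));
    return 0;
}
```

The 'chmod -s' workaround the advisory mentions removes the privilege entirely; the pattern above is what the fixed program should do once it still needs to be setuid for its own work but not for the helper.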
--- Cross-Platform News ------------------------------------------------
*** {02.45.003} Cross - Linuxconf allows sendmail relay
A bug in the mailconf module causes Linuxconf prior to version 1.28r1
to generate a sendmail configuration that allows the relaying of
'user%domain@' addresses.
This vulnerability is confirmed. Linuxconf version 1.28r1 contains
a fix.
Updated Conectiva RPMs are listed at the reference URL below.
Source: Conectiva
http://archives.neohapsis.com/archives/linux/conectiva/2002-q4/0016.html
*** {02.45.006} Cross - Window Maker image size integer overflow
The Window Maker window manager does not properly check for integer
overflow/wraparound when calculating the buffer size for an image. This
could potentially lead to the execution of arbitrary code when viewing
a malicious/untrusted graphic.
Debian confirmed this vulnerability and released updated DEBs, listed
at the reference URL below.
Source: Debian
http://archives.neohapsis.com/archives/linux/debian/2002-q4/0500.html
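The defect described above is the classic image-header size calculation: width times height times bytes per pixel, computed in 32-bit arithmetic with no wraparound check, so a crafted header can make the product wrap to a small value and the decoder later writes far past the buffer it allocated. The C code below is an added example written for this newsletter, not Window Maker's code, showing the unchecked calculation beside a hardened form that multiplies in 64 bits and enforces a size policy before allocating. The function names and the MAX_IMAGE_BYTES limit are assumptions made for the example.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed policy limit for this example: refuse any image whose pixel
   buffer would exceed 256 MiB, whatever the header arithmetic says. */
#define MAX_IMAGE_BYTES (256u * 1024u * 1024u)

/* The vulnerable pattern: the product is formed in 32-bit arithmetic with
   no wraparound check, so attacker-chosen dimensions can wrap it to a
   value far smaller than the number of bytes the decoder will write. */
uint32_t image_size_unchecked(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;
}

/* Hardened form: rejects zero or absurd inputs, multiplies in 64 bits, and
   checks the product against the policy limit before it is used.
   Returns 0 and stores the byte count in *out, or -1 on rejection. */
int image_size_checked(uint32_t width, uint32_t height, uint32_t bpp, size_t *out)
{
    if (width == 0 || height == 0 || bpp == 0 || bpp > 16)
        return -1;
    uint64_t pixels = (uint64_t)width * height;   /* two 32-bit values: fits in 64 bits */
    if (pixels > MAX_IMAGE_BYTES / bpp)           /* pixels * bpp would exceed the limit */
        return -1;
    *out = (size_t)(pixels * bpp);
    return 0;
}

/* Convenience wrapper: the byte count, or 0 when the header is refused. */
size_t checked_size_or_zero(uint32_t width, uint32_t height, uint32_t bpp)
{
    size_t n;
    return image_size_checked(width, height, bpp, &n) == 0 ? n : 0;
}

/* Allocation that only goes through the checked size: a header refused
   here never reaches a decode loop holding a short buffer. */
unsigned char *alloc_image_buffer(uint32_t width, uint32_t height, uint32_t bpp, size_t *out)
{
    size_t n;
    if (image_size_checked(width, height, bpp, &n) != 0)
        return NULL;
    unsigned char *buf = calloc(n, 1);
    if (buf != NULL && out != NULL)
        *out = n;
    return buf;
}

int main(void)
{
    /* Constructed header values: 65536 x 65536 pixels at 1 byte per pixel.
       The unchecked product wraps to 0, so a real decoder would allocate
       nothing and then write four gigabytes. */
    printf("unchecked: %" PRIu32 " bytes\n", image_size_unchecked(65536u, 65536u, 1u));
    printf("checked:   %s\n", checked_size_or_zero(65536u, 65536u, 1u) ? "accepted" : "rejected");
    /* A sane 640x480 RGBA image is accepted with the expected size. */
    printf("640x480x4: %zu bytes\n", checked_size_or_zero(640u, 480u, 4u));
    return 0;
}
```

The limit check is written as pixels > MAX_IMAGE_BYTES / bpp rather than pixels * bpp > MAX_IMAGE_BYTES so that the comparison itself cannot overflow; the same division form works in 32-bit code where a 64-bit intermediate is not available.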
*** {02.45.007} Cross - BIND SIG cached RR overflow + 2 DoS
BIND versions 4 and 8 contain a buffer overflow in the handling of
cached SIG RR records, thereby allowing a remote, authoritative DNS
server to execute arbitrary code if recursion is enabled (which is
on by default). BIND 8 also contains two remote denial of service
vulnerabilities.
The vendor confirmed these vulnerabilities and suggests upgrading to
BIND 9.2.1. Fixes to BIND 8.x and 4.x are currently in progress.
Red Hat also released a statement for Red Hat Linux users:
http://archives.neohapsis.com/archives/linux/redhat/2002-q4/0041.html
Source: VulnWatch, Red Hat
http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0071.html
http://archives.neohapsis.com/archives/linux/redhat/2002-q4/0041.html
*** {02.45.008} Cross - Perl Safe.pm reuse opmask modification
The Safe.pm module shipped with Perl 5.8.0 and prior contains a bug
that lets untrusted code executing in a Safe compartment modify the
operation mask. If the compartment were reused, then the modified
mask would still be in effect, thereby giving the untrusted code
additional privileges.
This vulnerability is confirmed, and Safe.pm version 2.08 contains
the fix. The updated module is available via CPAN.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0061.html
*** {02.45.022} Cross - Pine 4.44 malformed From field vulnerability
Pine versions prior to 4.50 (which has not yet been made public)
crash when encountering an e-mail with a malformed From field.
It is uncertain at this point whether arbitrary code execution is
possible. This vulnerability can be remotely triggered.
Third parties confirmed this vulnerability.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-11/0046.html
*** {02.45.027} Cross - KDE KIO rlogin/telnet protocol handler overflows
KDE prior to version 3.0.5 contains buffer overflows in the rlogin
KIO protocol handler. KDE versions 2.x also contain an overflow in
the telnet KIO protocol handler.
The vendor confirmed these vulnerabilities.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-11/0142.html
*** {02.45.030} Cross - Light HTTP long URL overflow
Light HTTPD (lhttpd) reportedly contains a buffer overflow in the
handling of long URL requests, thereby allowing a remote attacker to
execute arbitrary code.
This vulnerability is not confirmed. An exploit was published.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-11/0138.html
************************************************************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (BSD/OS)
Comment: For info see http://www.gnupg.org
iD8DBQE90/bN+LUG5KFpTkYRAnQOAKCWbodQ+YK1QFLmAo6fQ9RjLmC6zQCeOYSK
sSonE5PtrN2exQ+qkwuwau0=
=7cyj
-----END PGP SIGNATURE-----
------------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed
to you and you would like to begin receiving our security e-mail
newsletter on a weekly basis, we invite you to subscribe today.
http://www.networkcomputing.com/consensus/.
We are signing the Consensus newsletter
with PGP. The new SANS PGP key is posted at:
http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
also be accessed from the SANS Web site (http://www.sans.org).
Special Note: To better secure your confidential information,
we will no longer include personal URLs in our Consensus
newsletter mailings. Instead, we have created a new form
(http://www.sans.org/sansurl). On this form you can enter the SD
number located near your name at the top of the newsletter. When you
submit this form, an e-mail containing a URL will be sent to you at
the e-mail address on record. With this URL you can make changes to
your account (edit the content of your Consensus mailing, for example)
without endangering the security of your personal URL. If you'd like
to change your e-mail address or other information, please visit your
new URL as described above. If you have any problems or questions,
e-mail us at <consensus@nwc.com>.
If you would like to unsubscribe from this newsletter, grab your SD
number (next to your name at the top of this message) and visit the
URL below. You will be sent a personal URL via E-mail, from which
you can unsubscribe. http://www.sans.org/sansurl
Missed an issue? You can find all back issues of
Security Alert Consensus (and Security Express) online.
http://archives.neohapsis.com/
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2002 Network Computing, a CMP Media LLC
publication. All Rights Reserved. Distributed by Network
Computing (http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).