From: Network Computing and The SANS Institute (sans+ZZ59348902743854228_at_sans.org)
Date: Thu Dec 19 2002 - 13:55:21 CST
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 050 (02.50)
Thursday, December 19, 2002
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below
you should find information pertaining only to the categories you
requested. Information on how to manage your subscription can be found
at the bottom of the newsletter. If you have any problems or questions,
please e-mail us at <consensus@nwc.com>.
************************* Begin Advertisement ************************
This issue sponsored by Network Computing's Five-Minute Workout: Working
Between Application- and Network-Layer Security. Let our multimedia
tutorial help you evaluate IPSec and SSL VPN solutions. We'll find out
where each approach excels and why the two are more complementary than
competitive.
http://www.nwc.com/out/fivemin/1325fmw.html
************************** End Advertisement *************************
Last week, we incorrectly reported MS02-067 (item {02.49.021}) as
affecting Outlook 2000, when it actually affects Outlook 2002. While
we knew it was 2002, years of typing 'Windows 2000' led us to key in
'2000' without even thinking. We also want to apologize ahead of
time if we happen to type '2002' when we should be typing '2003'
in the next few months.
Speaking of 2003, this will be the last SAC issue until Jan. 9,
2003. The SAC team is taking a much-needed break for the next two
weeks. We hope you will be able to rest, as well. However, this
week's vulnerability lineup has some heavy-hitters, which may cause
some administrators to spend the next two weeks in the NOC applying
patches. Major Microsoft JVM vulnerabilities affect all IE clients
(item {02.50.005}); the MySQL, SSH and SOAP/XML services all have
various bugs (items {02.50.004}, {02.50.011} and {02.50.026}); and
scores of PHP CGIs have lots of problems (item {02.50.008}).
Until 2003,
--Security Alert Consensus Team
************************************************************************
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
TABLE OF CONTENTS:
{02.50.005} Win - MS02-069: 8 new vulnerabilities in MS JVM
{02.50.006} Win - MS02-070: SMB signing flaw, group policy modification
{02.50.010} Win - MS02-071: WM_TIMER message handler vulnerability
{02.50.001} Linux - Update {02.45.008}: Perl Safe.pm reuse opmask
modification
{02.50.002} Linux - Update {02.49.014}: wget directory recursion
vulnerability
{02.50.003} Linux - Update {02.39.006}: Fetchmail multiple
vulnerabilities
{02.50.007} Linux - Kernel /proc/pid/mem mmap DoS
{02.50.009} Linux - Update {02.40.013}: Apache host name CSS, ab
overflow and shared memory vulnerabilities
{02.50.012} Linux - Update {02.46.030}: Linux kernel lcall7 DoS
{02.50.023} Linux - Update {02.45.012}: nss_ldap DNS SRV record overflow
{02.50.016} HPUX - xntpd DoS
{02.50.021} HPUX - HP Visualize Conference insecure directory
permissions
{02.50.018} SCO - Update {02.19.017}: uudecode insecure output file
handling
{02.50.017} NApps - Cobalt RAQ SHP overflow.cgi vulnerability
{02.50.019} NApps - Cisco OSM card corrupt header DoS
{02.50.004} Cross - Multiple MySQL vulnerabilities
{02.50.008} Cross - Various vulnerable PHP CGI apps
{02.50.011} Cross - Multiple SSH vulnerabilities (SSHredder)
{02.50.013} Cross - zkfingerd syslog format string vulnerabilities
{02.50.014} Cross - PFingerd host name format string vulnerability
{02.50.015} Cross - Macromedia Flash malformed SWF header vulnerability
{02.50.020} Cross - libkpathsea insecure system() call
{02.50.022} Cross - Macromedia ColdFusion/JRun SOAP XML DoS
{02.50.024} Cross - Fetchmail local address creation vulnerability
{02.50.025} Cross - mICQ missing separator DoS
{02.50.026} Cross - XML parser DTD DoS
--- Windows News -------------------------------------------------------
*** {02.50.005} Win - MS02-069: 8 new vulnerabilities in MS JVM
Microsoft released MS02-069 ("8 new vulnerabilities in MS JVM"). The
Microsoft Java VM contains eight new security vulnerabilities, many
of which could allow a malicious Java applet within a Web page or
e-mail to compromise the user's system.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS02-069.asp
Source: Microsoft
http://archives.neohapsis.com/archives/microsoft/2002-q4/0020.html
*** {02.50.006} Win - MS02-070: SMB signing flaw, group policy
modification
Microsoft released MS02-070 ("SMB signing flaw, group policy
modification"). The SMB signing feature of Windows 2000 and XP contains
an error that lets a man-in-the-middle cause a downgrade attack. As a
result, the SMB data is modifiable even though signing is explicitly
enabled. It's possible to use this flaw to modify the client group
policy, which is initially downloaded from the domain controller and
allows the compromise of the client system.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS02-070.asp
Source: Microsoft
http://archives.neohapsis.com/archives/microsoft/2002-q4/0018.html
*** {02.50.010} Win - MS02-071: WM_TIMER message handler vulnerability
Microsoft released MS02-071 ("WM_TIMER message handler
vulnerability"). This patch fixes a flaw we've talked about in the
past, one involving invisible privileged objects on the desktop used
by the various Windows services. The bug potentially lets a local
attacker gain elevated privileges by tricking one of these invisible
objects into executing arbitrary code via the WM_TIMER message.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS02-071.asp
Source: Microsoft
http://archives.neohapsis.com/archives/microsoft/2002-q4/0019.html
--- Linux News ---------------------------------------------------------
*** {02.50.001} Linux - Update {02.45.008}: Perl Safe.pm reuse opmask
modification
Debian released updated Perl packages, which fix the vulnerability
discussed in {02.45.008} ("Perl Safe.pm reuse opmask modification").
Updated Debian DEBs:
http://archives.neohapsis.com/archives/linux/debian/2002-q4/0981.html
Source: Debian
http://archives.neohapsis.com/archives/linux/debian/2002-q4/0981.html
*** {02.50.002} Linux - Update {02.49.014}: wget directory recursion
vulnerability
Multiple vendors released updated wget packages, which fix the
vulnerability discussed in {02.49.014} ("wget directory recursion
vulnerability").
Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/linux/mandrake/2002-q4/0303.html
Updated Debian DEBs:
http://archives.neohapsis.com/archives/linux/debian/2002-q4/0995.html
Updated Conectiva RPMs:
http://archives.neohapsis.com/archives/linux/conectiva/2002-q4/0024.html
Source: Mandrake, Debian, Conectiva
http://archives.neohapsis.com/archives/linux/mandrake/2002-q4/0303.html
http://archives.neohapsis.com/archives/linux/debian/2002-q4/0995.html
http://archives.neohapsis.com/archives/linux/conectiva/2002-q4/0024.html
*** {02.50.003} Linux - Update {02.39.006}: Fetchmail multiple
vulnerabilities
Conectiva and Red Hat released updated Fetchmail packages, which fix
the vulnerabilities discussed in {02.39.006} ("Fetchmail multiple
vulnerabilities").
Updated Conectiva RPMs:
http://archives.neohapsis.com/archives/linux/conectiva/2002-q4/0026.html
Updated Red Hat RPMs:
http://archives.neohapsis.com/archives/linux/redhat/2002-q4/0060.html
Source: Conectiva, Red Hat
http://archives.neohapsis.com/archives/linux/conectiva/2002-q4/0026.html
http://archives.neohapsis.com/archives/linux/redhat/2002-q4/0060.html
*** {02.50.007} Linux - Kernel /proc/pid/mem mmap DoS
The Linux 2.2 kernel contains an error in the handling of mmap()
requests for nonreadable memory regions provided by /proc/pid/mem
that results in the kernel crashing. This vulnerability does not
affect 2.4 kernels.
This vulnerability is confirmed, and a fix is scheduled for kernel
release 2.2.24. A third-party patch is available at the reference
URL below.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0115.html
*** {02.50.009} Linux - Update {02.40.013}: Apache host name CSS, ab
overflow and shared memory vulnerabilities
Red Hat rereleased updated Apache and mod_ssl packages, which fix
the vulnerability discussed in {02.40.013} ("Apache host name CSS,
ab overflow and shared memory vulnerabilities").
Updated RPMs are listed at the reference URL below.
Source: Red Hat
http://archives.neohapsis.com/archives/linux/redhat/2002-q4/0058.html
*** {02.50.012} Linux - Update {02.46.030}: Linux kernel lcall7 DoS
Conectiva released updated kernel packages, which fix the vulnerability
discussed in {02.46.030} ("Linux kernel lcall7 DoS").
Updated RPMs are listed at the reference URL below.
Source: Conectiva
http://archives.neohapsis.com/archives/linux/conectiva/2002-q4/0025.html
*** {02.50.023} Linux - Update {02.45.012}: nss_ldap DNS SRV record
overflow
Caldera released updated nss_ldap packages, which fix the vulnerability
discussed in {02.45.012} ("nss_ldap DNS SRV record overflow").
Updated RPMs are listed at the reference URL below.
Source: Caldera
http://archives.neohapsis.com/archives/linux/caldera/2002-q4/0027.html
--- HP-UX News ---------------------------------------------------------
*** {02.50.016} HPUX - xntpd DoS
An HP advisory indicates the xntpd daemon included with HP-UX 10.20
through 11.11 may cause the system to lag or hang. We assume this is
a user-triggered denial of service.
Apply the appropriate patch:
HPUX 10.20: PHNE_24510
HPUX 10.24: PHNE_28002
HPUX 11.00: PHNE_27223
HPUX 11.04: PHNE_27442
HPUX 11.11: PHNE_24512
Source: Compaq/HP
http://archives.neohapsis.com/archives/hp/2002-q4/0061.html
*** {02.50.021} HPUX - HP Visualize Conference insecure directory
permissions
An HP advisory indicates that the installation of the Visualize
Conference package version B.11.00.11 leaves insecure permissions on
the /usr/dt directory and subdirectories. This could potentially lead
to a local privilege elevation.
The official solution is to change the permissions of the directories,
as detailed in the reference URL below.
Source: Compaq/HP
http://archives.neohapsis.com/archives/hp/2002-q4/0060.html
--- SCO News -----------------------------------------------------------
*** {02.50.018} SCO - Update {02.19.017}: uudecode insecure output file
handling
Caldera/SCO released updates, which fix the vulnerability discussed
in {02.19.017} ("uudecode insecure output file handling").
Updates are listed at the reference URL below.
Source: Caldera/SCO
http://archives.neohapsis.com/archives/linux/caldera/2002-q4/0028.html
--- Network Appliances News --------------------------------------------
*** {02.50.017} NApps - Cobalt RAQ SHP overflow.cgi vulnerability
The 'Security Hardening Package' (SHP) for Cobalt/Sun RAQ4 systems
ironically contains a vulnerability in the overflow.cgi CGI application
that lets a remote attacker execute arbitrary command-line commands
with root privileges. An exploit is currently available and being used.
The appropriate fix is to remove the SHP patch:
http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert/49377
It may also be possible to remove or otherwise deny access to the
overflow.cgi CGI application.
Source: CERT
http://archives.neohapsis.com/archives/cc/2002-q4/0009.html
*** {02.50.019} NApps - Cisco OSM card corrupt header DoS
The Cisco Optical Service Module (OSM) for the Catalyst 6500 and
7600 series hangs when receiving a particular malformed packet from a
local network segment. Only IOS versions 12.1(8)E through 12.1(13.4)E
are affected.
This vulnerability is confirmed and fixed in IOS 12.1(13.5)E.
Source: Cisco
http://archives.neohapsis.com/archives/cisco/2002-q4/0004.html
--- Cross-Platform News ------------------------------------------------
*** {02.50.004} Cross - Multiple MySQL vulnerabilities
MySQL prior to version 3.23.54 contains multiple vulnerabilities in
both the server and client portions that could lead to a denial of
service or execution of arbitrary code.
These vulnerabilities are confirmed and fixed in version 3.23.54.
Updated EnGarde RPMs:
http://archives.neohapsis.com/archives/linux/engarde/2002-q4/0017.html
Updated Debian DEBs:
http://archives.neohapsis.com/archives/linux/debian/2002-q4/1065.html
Updated Conectiva RPMs:
http://archives.neohapsis.com/archives/linux/conectiva/2002-q4/0027.html
Source: VulnWatch, EnGarde, Debian, Conectiva
http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0106.html
http://archives.neohapsis.com/archives/linux/engarde/2002-q4/0017.html
http://archives.neohapsis.com/archives/linux/debian/2002-q4/1065.html
http://archives.neohapsis.com/archives/linux/conectiva/2002-q4/0027.html
*** {02.50.008} Cross - Various vulnerable PHP CGI apps
Recent advisories detailed more than 40 different vulnerable PHP
applications. Rather than enumerate them as individual items, we've
decided to list them all here as a single item. The vulnerable
package names are listed below. More information is available via
the reference URLs.
PHP-Nuke (PHPNuke) 6.0
ALP - Banner Ad 2.0
Tight Auction 3.0
PY-Membres 3.1
dobermann FORUM 0.5
phpnewsDev 1
KillerProtection 1
phpSecurePages 0.27b
Avotravis 2.1
PunxNews 2.1
phpforge 2.3, 3b2
Inertianews 0.02 beta
MySimpleNews 1
Pollen 1.4.1
Pphlogger (Power Phlogger) 2.0.9
News Evolution 1.0, 2.0
LokwaBB 1.2.2
Rose 4.52
WebChat for XOOPS RC3 1-5
EasyNews 4.2, 4.3
Mon Album 0.6.2d
XOOPS RC3
Photo Db 1.4
PHP Image View 1.0
mcPass 1
Pseudo-Frame 1.0
SimpleBBS 1.0.3, 1.0.6
WSC (Web Server Creator) - Web Portal 0.1
Immobilier 1
FreeNews 2.1
phpMyNewsletter 0.6.10
PG 1.0
phpBB 2.0.3
PortailPHP 0.99 and prior
PHPP CMS 0.2.1
D-Book 1.4
CBook 1.0.1 Beta
Thatware 0.5.x, 0.4.x, 0.3
MyPHPLinks 2.1.9, 2.2.0CVS
APBoard-Bug 2.02
Web Portal 0.1
Mambo Site Server 4.0.11
Source: SecurityFocus Bugtraq, VulnWatch
http://archives.neohapsis.com/archives/bugtraq/2002-12/0156.html
http://archives.neohapsis.com/archives/bugtraq/2002-12/0134.html
http://archives.neohapsis.com/archives/bugtraq/2002-12/0127.html
http://archives.neohapsis.com/archives/bugtraq/2002-12/0069.html
http://archives.neohapsis.com/archives/bugtraq/2002-11/0303.html
http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0111.html
http://archives.neohapsis.com/archives/bugtraq/2002-12/0111.html
*** {02.50.011} Cross - Multiple SSH vulnerabilities (SSHredder)
Multiple SSH implementations are vulnerable to various security
vulnerabilities that range from denial of service attacks to potential
execution of arbitrary code. The vulnerabilities were found using the
automated SSHredder test suite. Both clients and servers are affected.
Vulnerable vendors/versions include: F-Secure, SSH Communications,
FiSSH, InterSoft SecureNetTerm, NetComposite ShellGuard, Pragma
Systems SecureShell, PuTTY and WinSCP. OpenSSH is not affected.
Source: CERT, VulnWatch
http://archives.neohapsis.com/archives/cc/2002-q4/0010.html
http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0110.html
*** {02.50.013} Cross - zkfingerd syslog format string vulnerabilities
The zkfingerd daemon versions 0.9.1 and prior reportedly contain format
string vulnerabilities in the handling of various user data. This
allows for the remote execution of arbitrary code.
The vendor confirmed this vulnerability and released updates.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0112.html
*** {02.50.014} Cross - PFingerd host name format string vulnerability
The PFinger daemon versions 0.7.8 and prior contain a format string
vulnerability in the handling of malicious DNS names, thereby allowing
a remote attacker to execute arbitrary code on the system.
The advisory indicates vendor confirmation.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0113.html
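Items {02.50.013} and {02.50.014} are the same bug class: network-supplied text (a finger query, a reverse-DNS name) handed to syslog() or a printf-family call as the format argument instead of as a value. The following is an added example, not code from zkfingerd, PFingerd or the advisories; the function names and the constructed sample inputs are ours. It shows the vulnerable call shape as a comment, the constant-format fix, and a small check that counts conversion directives in untrusted data so a daemon can log the attempt rather than interpret it.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Count printf-style conversion directives in untrusted text.  "%%" is a
 * literal percent sign and is not counted.  A non-zero result on data that
 * came off the network is itself worth logging (with a constant format),
 * because such data must never reach a format-string parameter. */
int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {          /* "%%" -> literal '%' */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Hardened pattern: a constant format string, the untrusted value passed
 * as an argument.  The vulnerable shape it replaces is
 *
 *     syslog(LOG_INFO, query);      // query controls the format: bug
 *
 * which compilers flag with -Wformat-security. */
void log_query_safe(const char *query)
{
    syslog(LOG_INFO, "finger query: %s", query);
}

/* Same fix applied to buffer building, which finger daemons also do when
 * assembling a reply or a log line.  Returns the length the full entry
 * needs, like snprintf, so the caller can detect truncation. */
int format_log_entry(char *out, size_t outlen, const char *host, const char *query)
{
    return snprintf(out, outlen, "host=%s query=%s", host, query);
}

/* Constructed demonstration input: a query carrying "%s%n".  With the
 * constant format it is copied literally; it is never interpreted. */
const char *demo_entry(void)
{
    static char buf[64];
    format_log_entry(buf, sizeof buf, "%s%n", "q");
    return buf;
}

int main(void)
{
    const char *hostile = "%x%x%n";               /* constructed sample */
    printf("directives in %s: %d\n", hostile, count_conversions(hostile));
    printf("entry: %s\n", demo_entry());
    return 0;
}
```

The count is a detection aid for a defender reviewing logs, not a substitute for the fix: the only reliable mitigation is that every format argument in the daemon is a string literal.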
*** {02.50.015} Cross - Macromedia Flash malformed SWF header
vulnerability
The Macromedia Shockwave Flash player contains a buffer overflow in
the handling of malformed SWF files that can result in the execution
of arbitrary code.
Macromedia confirmed this problem; an update is available at:
http://www.macromedia.com/v1/handlers/index.cfm?ID=23569
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0114.html
*** {02.50.020} Cross - libkpathsea insecure system() call
The kpathsea library, used by xdvi and dvips, contains an insecure
call to the system() function that could allow a remote attacker to
execute arbitrary commands via malformed DVI files submitted to the
printer daemon.
SuSE and Debian confirmed this vulnerability. Updated DEBs are listed
at the reference URL below.
Source: Debian
http://archives.neohapsis.com/archives/linux/debian/2002-q4/0970.html
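The kpathsea item is a command-injection pattern: a name taken from an untrusted DVI file is pasted into a command string and handed to system(), so shell metacharacters in the name run as commands on the print server. The example below is added here and is not kpathsea's, xdvi's or dvips's code; the helper name "mktexpk" stands in for whatever font-generation program the library invoked (the advisory does not say), and the function names and sample inputs are constructed. It shows the two defensive layers a practitioner wants: an allow-list on the name, and running the helper with an argv array and no shell at all.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Allow-list for a name that will become a command-line argument.  A font
 * name read from a DVI file is expected to look like "cmr10"; anything
 * outside this character set is rejected rather than escaped.  Leading '-'
 * is refused so the name cannot be parsed as an option by the helper. */
int font_name_is_safe(const char *name)
{
    size_t i;
    if (name == NULL || *name == '\0' || strlen(name) > 64 || name[0] == '-')
        return 0;
    for (i = 0; name[i]; i++) {
        char c = name[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-';
        if (!ok)
            return 0;
    }
    return 1;
}

/* Build the argument vector for the helper.  The vulnerable shape this
 * replaces is
 *
 *     snprintf(cmd, sizeof cmd, "mktexpk %s", name);  system(cmd);
 *
 * where a name such as "x;rm -rf /" is interpreted by /bin/sh.
 * Returns the argument count, or -1 if the name fails the allow-list. */
int build_helper_argv(const char *name, const char *argv_out[], int max)
{
    if (max < 3 || !font_name_is_safe(name))
        return -1;
    argv_out[0] = "mktexpk";      /* hypothetical helper name */
    argv_out[1] = name;
    argv_out[2] = NULL;
    return 2;
}

/* Run argv directly with fork/execvp: no shell is involved, so
 * metacharacters in an argument are inert bytes.  Returns the child's exit
 * status, 127 if the program could not be executed, or -1 on failure. */
int run_without_shell(char *const argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *samples[] = { "cmr10", "cmr10;id", "-v", "a b" };   /* constructed */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-10s -> %s\n", samples[i],
               font_name_is_safe(samples[i]) ? "accepted" : "rejected");
    return 0;
}
```

Rejecting rather than escaping is the point: a quoting routine has to be right for every shell it might meet, while an allow-list plus exec without a shell has nothing to get wrong.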
*** {02.50.022} Cross - Macromedia ColdFusion/JRun SOAP XML DoS
A Macromedia advisory indicates that ColdFusion MX and JRun 4.0 contain
a vulnerability in the parsing of incoming SOAP XML, thereby leading
to a denial of service situation.
The vendor confirmed this vulnerability.
Source: Macromedia
http://archives.neohapsis.com/archives/vendor/2002-q4/0077.html
*** {02.50.024} Cross - Fetchmail local address creation vulnerability
Fetchmail versions 6.1.3 and prior contain a heap overflow in the
construction of local addresses, thereby allowing a malformed e-mail
to potentially execute arbitrary code on the user's system.
This vulnerability is confirmed and fixed in version 6.2.0.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2002-q4/0107.html
*** {02.50.025} Cross - mICQ missing separator DoS
The mICQ client crashes when a malformed packet missing a required
separator character is received.
This vulnerability is confirmed. Updated Debian DEBs are listed at
the reference URL below.
Source: Debian
http://archives.neohapsis.com/archives/linux/debian/2002-q4/1005.html
*** {02.50.026} Cross - XML parser DTD DoS
Various XML parsers reportedly contain a denial of service in the
parsing of a malformed DTD, which causes the parser to enter an
infinite loop. The advisory indicates many vendors are vulnerable,
including the Expat library, Apache Xerces, SunONE, BEA WebLogic,
Macromedia JRun and ColdFusion, Sybase EAServer and IBM Websphere.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2002-12/0140.html
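When a service accepts XML from the network and has no use for a DTD, the cheapest mitigation for a DTD-triggered parser loop (this item and the ColdFusion/JRun SOAP item {02.50.022}) is to refuse any document that declares one before it ever reaches the parser. The code below is an added example, not from any of the named parsers; it scans only the XML prolog, skipping processing instructions and comments so that a "<!DOCTYPE" inside a comment does not cause a false positive, and stops at the root element. The function names and the sample documents are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Portable substitute for memmem(): find needle in the first n bytes of p. */
static const char *find_seq(const char *p, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(p + i, needle, m) == 0)
            return p + i;
    return NULL;
}

/* Examine the prolog (everything before the root element).
 * Returns 1 if it declares a DTD, 0 if the root element is reached with
 * no DTD, and -1 if the prolog is malformed or unterminated. */
int prolog_has_doctype(const char *doc, size_t len)
{
    size_t i = 0;
    while (i < len) {
        char c = doc[i];
        if (c == ' ' || c == '\t' || c == '\r' || c == '\n') { i++; continue; }
        if (c != '<' || i + 1 >= len)
            return -1;                               /* text where markup belongs */
        if (doc[i + 1] == '?') {                     /* <?xml ...?> or another PI */
            const char *end = find_seq(doc + i, len - i, "?>");
            if (!end) return -1;
            i = (size_t)(end - doc) + 2;
        } else if (len - i >= 4 && memcmp(doc + i, "<!--", 4) == 0) {   /* comment */
            const char *end = find_seq(doc + i + 4, len - i - 4, "-->");
            if (!end) return -1;
            i = (size_t)(end - doc) + 3;
        } else if (len - i >= 9 && memcmp(doc + i, "<!DOCTYPE", 9) == 0) {
            return 1;                                /* DTD declared */
        } else if (doc[i + 1] == '!') {
            return -1;                               /* nothing else is legal here */
        } else {
            return 0;                                /* root element start tag */
        }
    }
    return -1;                                       /* no root element at all */
}

/* Gate for a service that never needs a DTD: parse only documents whose
 * prolog is well formed and DTD-free. */
int accept_for_parsing(const char *doc)
{
    return prolog_has_doctype(doc, strlen(doc)) == 0;
}

int main(void)
{
    /* constructed sample documents */
    const char *with_dtd = "<?xml version=\"1.0\"?>\n<!DOCTYPE x [<!ENTITY a \"b\">]><x/>";
    const char *in_comment = "<?xml version=\"1.0\"?><!-- <!DOCTYPE fake --><root/>";
    printf("with DTD:           %s\n", accept_for_parsing(with_dtd) ? "accept" : "reject");
    printf("DOCTYPE in comment: %s\n", accept_for_parsing(in_comment) ? "accept" : "reject");
    return 0;
}
```

The check is deliberately narrow: it does not validate the document, it only decides whether the expensive parser should see it at all. Parsers that expose a "no DTD" or "no external entities" switch should have it set as well; this pre-check covers the case where the parser does not.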
************************************************************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (BSD/OS)
Comment: For info see http://www.gnupg.org
iD8DBQE+AiF++LUG5KFpTkYRApJ4AKCZYnUM9ZT19JESHDBzIAzk+3RXlQCfR/48
V98Pn2ywLv0WTTVIYo9ppZk=
=vS/S
-----END PGP SIGNATURE-----
------------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed
to you and you would like to begin receiving our security e-mail
newsletter on a weekly basis, we invite you to subscribe today.
http://www.networkcomputing.com/consensus/.
We are signing the Consensus newsletter
with PGP. The new SANS PGP key is posted at:
http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
also be accessed from the SANS Web site (http://www.sans.org).
Special Note: To better secure your confidential information,
we will no longer include personal URLs in our Consensus
newsletter mailings. Instead, we have created a new form
(http://www.sans.org/sansurl). On this form you can enter the SD
number located near your name at the top of the newsletter. When you
submit this form, an e-mail containing a URL will be sent to you at
the e-mail address on record. With this URL you can make changes to
your account (edit the content of your Consensus mailing, for example)
without endangering the security of your personal URL. If you'd like
to change your e-mail address or other information, please visit your
new URL as described above. If you have any problems or questions,
e-mail us at <consensus@nwc.com>.
If you would like to unsubscribe from this newsletter, grab your SD
number (next to your name at the top of this message) and visit the
URL below. You will be sent a personal URL via E-mail, from which
you can unsubscribe. http://www.sans.org/sansurl
Missed an issue? You can find all back issues of
Security Alert Consensus (and Security Express) online.
http://archives.neohapsis.com/
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2002 Network Computing, a CMP Media LLC
publication. All Rights Reserved. Distributed by Network
Computing (http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).