Security Alert Consensus #009
From: Network Computing and The SANS Institute (sans+ZZ55498627155966493
sans.org)
Date: Thu Mar 06 2003 - 15:27:34 CST
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 009 (03.09)
Thursday, March 6, 2003
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below
you should find information pertaining only to the categories you
requested. Information on how to manage your subscription can be found
at the bottom of the newsletter. If you have any problems or questions,
please e-mail us at <consensus
nwc.com>.
************************* Begin Advertisement ************************
SECURITY TRAINING UPDATE
Looking for CISSP training? SANS Track 1 covers both CISSP and GIAC
Security Essentials and earns much higher ratings for practical value
and teacher quality than plain CISSP courses. Although it has sold
out in San Diego, it is available in multiple other cities around the
world and may be run at your site. SANS' ten other training tracks --
Auditing, Intrusion Detection, Firewalls, Hacker Exploits, Windows
Security and more - are also available at our conferences and at your
site. See: http://www.sans.org.
************************** End Advertisement *************************
No doubt you've already received alerts for this week's sendmail and
snort buffer overflows, which are reported as items {03.09.001} and
{03.09.009}, respectively. However, a few more new vulnerabilities also
are worth mentioning. The first is a denial of service in tcpdump,
which can leave it in an infinite loop and not monitoring traffic
(see item {03.09.004}). The next is a new version of BIND, which
uses an updated version of OpenSSL to overcome some cryptographic
vulnerabilities (see item {03.09.011}). And last, there's a
nondescript security vulnerability in Macromedia's Flash Player
(see item {03.09.012}). All five of these items are reported in the
'Cross-Platform' category; if you do not subscribe to this category,
these items will not appear in your newsletter.
Until next week,
--Security Alert Consensus Team
************************************************************************
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
TABLE OF CONTENTS:
{03.09.002} Win - MS03-006: Windows ME help component buffer overflow
{03.09.015} Win - Battlefield 1942 game server UDP packet DoS
{03.09.021} Win - ISMail long mail address overflows
{03.09.006} Linux - Update {02.45.032}: nanog-traceroute overflow
{03.09.007} Linux - Update {03.08.009}: Webmin/usermin session ID
spoofing
{03.09.013} Linux - Update {02.37.005}: PHP mail() command may bypass
safe_mode
{03.09.014} Linux - Update {03.01.028}: libmcrypt buffer overflows and
memory leak
{03.09.016} Linux - Update {03.08.015}: Red Hat useradd incorrect mail
spool permissions
{03.09.018} Linux - file utility local overflow
{03.09.010} SCO - ftp client pipe command execution
{03.09.019} NetDev - Axis Webcam multiple vulnerabilities
{03.09.001} Cross - Sendmail address header parsing overflow
{03.09.003} Cross - Vulnerable PHP applications 03/02
{03.09.004} Cross - tcpdump ISAKMP DoS
{03.09.005} Cross - Update {03.08.001}: OpenSSL timing attack
information leak
{03.09.008} Cross - Hypermail multiple vulnerabilities
{03.09.009} Cross - Snort 1.8 RPC preprocessor overflow
{03.09.011} Cross - Bind 9.2.2 released, with security fixes
{03.09.012} Cross - Macromedia Flash Player vulnerability 03/03
{03.09.017} Cross - NetPBM multiple vulnerabilities
{03.09.020} Cross - CoffeeCup Password Wizard CGI password disclosure
{03.09.023} Cross - Veritas BMR arbitrary remote command execution
{03.09.022} Mobile - Siemens 35/45 series phone SMS DoS
- --- Windows News -------------------------------------------------------
*** {03.09.002} Win - MS03-006: Windows ME help component buffer
overflow
Microsoft released MS03-006 ("Windows ME help component buffer
overflow"). The 'Help and Support Center' component included in
Windows ME contains a buffer overflow in the handling of 'hcp://'
URLs that allows a malicious Web site or e-mail to execute arbitrary
code on the user's system.
FAQ and patch:
http://www.microsoft.com/security/security_bulletins/ms03-006.asp
Source: Microsoft
http://archives.neohapsis.com/archives/microsoft/2003-q1/0009.html
*** {03.09.015} Win - Battlefield 1942 game server UDP packet DoS
The Battlefield 1942 game server version 1.2 crashes when it receives
a particular malformed UDP packet to the administrative port.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-02/0342.html
*** {03.09.021} Win - ISMail long mail address overflows
The ISMail SMTP suite versions 1.4.3 and prior contain buffer overflows
in the parsing of large domain names passed to the MAIL FROM and RCPT
TO SMTP commands. The vulnerability allows the remote execution of
arbitrary code.
The vendor confirmed this vulnerability and released version 1.4.5,
available at:
http://instantservers.com/download/ism145.exe
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0097.html
- --- Linux News ---------------------------------------------------------
*** {03.09.006} Linux - Update {02.45.032}: nanog-traceroute overflow
Debian released updated traceroute packages, which fix the
vulnerability discussed in {02.45.032} ("nanog-traceroute overflow").
Updated DEBs are listed at the reference URL below.
Source: Debian
http://archives.neohapsis.com/archives/linux/debian/2003-q1/0482.html
*** {03.09.007} Linux - Update {03.08.009}: Webmin/usermin session ID
spoofing
Mandrake released updated Webmin packages, which fix the vulnerability
discussed in {03.08.009} ("Webmin/usermin session ID spoofing").
Updated RPMs are listed at the reference URL below.
Source: Mandrake (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2003-02/0360.html
*** {03.09.013} Linux - Update {02.37.005}: PHP mail() command may
bypass safe_mode
Caldera released updated PHP packages, which fix the vulnerability
discussed in {02.37.005} ("PHP mail() command may bypass safe_mode").
Updated RPMs are listed at the reference URL below.
Source: Caldera
http://archives.neohapsis.com/archives/linux/caldera/2003-q1/0011.html
*** {03.09.014} Linux - Update {03.01.028}: libmcrypt buffer overflows
and memory leak
SuSE released updated libmcrypt packages, which fix the vulnerabilities
discussed in {03.01.028} ("libmcrypt buffer overflows and memory
leak").
Updated RPMs are listed at the reference URL below.
Source: SuSE
http://archives.neohapsis.com/archives/linux/suse/2003-q1/0574.html
*** {03.09.016} Linux - Update {03.08.015}: Red Hat useradd incorrect
mail spool permissions
Mandrake released updated shadow-utils packages, which fix the
vulnerability discussed in {03.08.015} ("Red Hat useradd incorrect
mail spool perms"). Mandrake redistributes Red Hat sources, so any
vulnerability that affects Red Hat typically affects Mandrake as well.
Updated RPMs are listed at the reference URL below.
Source: Mandrake
http://archives.neohapsis.com/archives/linux/mandrake/2003-q1/0211.html
*** {03.09.018} Linux - file utility local overflow
The 'file' command-line utility contains a buffer overflow in the
handling of trojaned ELF headers. This allows a malicious file to
execute arbitrary code when an unsuspecting user uses the 'file'
utility to read the particular trojaned file.
This vulnerability is confirmed. An updated version is available at:
ftp://ftp.astron.com/pub/file/file-3.41.tar.gz
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0108.html
- --- SCO News -----------------------------------------------------------
*** {03.09.010} SCO - ftp client pipe command execution
Caldera/SCO released advisory CSSA-2003-SCO.3. It indicates that the
FTP client included with UnixWare and OpenUnix 7.1.1 through 8.0.0
contains a vulnerability in the handling of pipe ('|') characters in
FTP responses, potentially allowing a malicious FTP server to execute
arbitrary command-line commands on the user's system.
The vendor confirmed this vulnerability. Updated binary locations
are included in the reference URL below.
Source: Caldera/SCO
http://archives.neohapsis.com/archives/linux/caldera/2003-q1/0010.html
- --- Network Devices News -----------------------------------------------
*** {03.09.019} NetDev - Axis Webcam multiple vulnerabilities
The Axis 2400 Webcam contains multiple vulnerabilities: disclosure
of the local system syslog logfile; overwriting of arbitrary files;
and creation of arbitrary files, possibly leading to script execution.
These vulnerabilities are not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-02/0377.html
- --- Cross-Platform News ------------------------------------------------
*** {03.09.001} Cross - Sendmail address header parsing overflow
Sendmail prior to version 8.12.8 contains a buffer overflow in the
parsing of large e-mail address header comments that allows the
remote execution of arbitrary code. Version 8.12.8 also fixes two
other security-related bugs, which also may be exploitable.
The latest sendmail source is available at:
http://www.sendmail.org
Updated Debian DEBs:
http://archives.neohapsis.com/archives/linux/debian/2003-q1/0516.html
http://archives.neohapsis.com/archives/linux/debian/2003-q1/0519.html
Mac OS X updates:
http://archives.neohapsis.com/archives/bugtraq/2003-03/0060.html
NetBSD updates:
http://archives.neohapsis.com/archives/netbsd/2003-q1/0049.html
HP-UX updates:
http://archives.neohapsis.com/archives/hp/2003-q1/0045.html
Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/bugtraq/2003-03/0047.html
Updated Conectiva RPMs:
http://archives.neohapsis.com/archives/linux/conectiva/2003-q1/0010.html
Updated SuSE RPMs:
http://archives.neohapsis.com/archives/linux/suse/2003-q1/0606.html
FreeBSD updates:
http://archives.neohapsis.com/archives/bugtraq/2003-03/0001.html
Updated Red Hat RPMs:
http://archives.neohapsis.com/archives/linux/redhat/2003-q1/0051.html
IRIX updates:
http://archives.neohapsis.com/archives/bugtraq/2003-03/0013.html
OpenBSD updates:
http://archives.neohapsis.com/archives/openbsd/2003-03/0171.html
AIX updates:
http://archives.neohapsis.com/archives/bugtraq/2003-03/0023.html
Tru64 updates:
http://archives.neohapsis.com/archives/tru64/2003-q1/0001.html
Source: Sendmail, Debian, NetBSD, HP, Mandrake, Conectiva, SuSE,
Red Hat, FreeBSD, SGI, OpenBSD, IBM, SF Bugtraq
http://archives.neohapsis.com/archives/sendmail/2003-q1/0001.html
http://archives.neohapsis.com/archives/linux/debian/2003-q1/0516.html
http://archives.neohapsis.com/archives/linux/debian/2003-q1/0519.html
http://archives.neohapsis.com/archives/bugtraq/2003-03/0060.html
http://archives.neohapsis.com/archives/netbsd/2003-q1/0049.html
http://archives.neohapsis.com/archives/hp/2003-q1/0045.html
http://archives.neohapsis.com/archives/bugtraq/2003-03/0047.html
http://archives.neohapsis.com/archives/linux/conectiva/2003-q1/0010.html
http://archives.neohapsis.com/archives/linux/suse/2003-q1/0606.html
http://archives.neohapsis.com/archives/bugtraq/2003-03/0001.html
http://archives.neohapsis.com/archives/linux/redhat/2003-q1/0051.html
http://archives.neohapsis.com/archives/bugtraq/2003-03/0013.html
http://archives.neohapsis.com/archives/openbsd/2003-03/0171.html
http://archives.neohapsis.com/archives/bugtraq/2003-03/0023.html
http://archives.neohapsis.com/archives/tru64/2003-q1/0001.html
*** {03.09.003} Cross - Vulnerable PHP applications 03/02
The following list of third-party PHP CGI applications is reported
as vulnerable. These vulnerabilities have not been confirmed.
GTCatalog 0.9: remote file include code execution
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0106.html
WebChat 0.77: remote file include code execution
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0103.html
PY-Livredor 1.0: cross-site scripting
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0102.html
Invision Power Board 1.0.1-1.1.0: remote file include code execution;
information disclosure
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0099.html
GOnicus 1.0.0: remote file include code execution
http://archives.neohapsis.com/archives/bugtraq/2003-02/0345.html
PHP-Nuke Webmail module: config.php content recovery
http://archives.neohapsis.com/archives/bugtraq/2003-03/0010.html
Uploader 1.1: password is not set by default, thereby allowing anyone
to upload files
http://archives.neohapsis.com/archives/bugtraq/2003-03/0062.html
Web-erp 0.1.4: configuration information recovery
http://archives.neohapsis.com/archives/bugtraq/2003-03/0002.html
Typo3 3.5b5: multiple vulnerabilities
http://archives.neohapsis.com/archives/bugtraq/2003-02/0380.html
Source: VulnWatch, SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0106.html
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0103.html
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0102.html
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0099.html
http://archives.neohapsis.com/archives/bugtraq/2003-02/0345.html
http://archives.neohapsis.com/archives/bugtraq/2003-03/0010.html
http://archives.neohapsis.com/archives/bugtraq/2003-03/0062.html
http://archives.neohapsis.com/archives/bugtraq/2003-03/0002.html
http://archives.neohapsis.com/archives/bugtraq/2003-02/0380.html
*** {03.09.004} Cross - tcpdump ISAKMP DoS
Tcpdump versions prior to 3.7.2 contain a denial of service in the
decoding of ISAKMP packets. This allows a remote attacker to spoof
a malicious UDP packet that, when read by a vulnerable tcpdump
application, will cause tcpdump to enter an infinite loop.
This vulnerability is confirmed and fixed in version 3.7.2, available
from:
http://www.tcpdump.org/
Updated Debian DEBs:
http://archives.neohapsis.com/archives/vendor/2003-q1/0061.html
Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/bugtraq/2003-03/0032.html
Source: VulnWatch, Debian, Mandrake (SF Bugtraq)
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0100.html
http://archives.neohapsis.com/archives/vendor/2003-q1/0061.html
http://archives.neohapsis.com/archives/bugtraq/2003-03/0032.html
*** {03.09.005} Cross - Update {03.08.001}: OpenSSL timing attack
information leak
SuSE and NetBSD released OpenSSL updates, which fix the vulnerability
discussed in {03.08.001} ("OpenSSL timing attack information leak").
Updated SuSE RPMs:
http://archives.neohapsis.com/archives/linux/suse/2003-q1/0577.html
NetBSD branches -current, -1.5 and -1.6 as of Feb. 27, 2003, contain
the appropriate fixes.
Source: SuSE, NetBSD
http://archives.neohapsis.com/archives/linux/suse/2003-q1/0577.html
http://archives.neohapsis.com/archives/netbsd/2003-q1/0048.html
*** {03.09.008} Cross - Hypermail multiple vulnerabilities
Hypermail prior to version 2.1.7 contains multiple vulnerabilities:
temporary file race conditions; denial of service attacks; buffer
overflows leading to arbitrary code execution; and CGI abuse by
spammers.
The vendor confirmed these vulnerabilities and released version 2.1.7,
available at:
http://www.hypermail.org/
Updated SuSE RPMs:
http://archives.neohapsis.com/archives/linux/suse/2003-q1/0588.html
Source: SuSE
http://archives.neohapsis.com/archives/linux/suse/2003-q1/0588.html
*** {03.09.009} Cross - Snort 1.8 RPC preprocessor overflow
Snort 1.8 and Snort CVS up to March 3, 2003, contain a buffer overflow
in the preprocessing of RPC packets that allows a remote attacker to
execute arbitrary code on the system running snort, which is typically
running with root privileges.
The vendor confirmed this vulnerability and released version 1.9.1,
available at:
http://www.snort.org/
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0110.html
*** {03.09.011} Cross - Bind 9.2.2 released, with security fixes
Bind version 9.2.2 was released. This version uses newer OpenSSL
libraries, thereby removing various OpenSSL-related vulnerabilities.
Source code can be downloaded from:
ftp://ftp.isc.org/isc/bind9/9.2.2/bind-9.2.2.tar.gz
Source: BIND
http://archives.neohapsis.com/archives/bind/2003/0001.html
*** {03.09.012} Cross - Macromedia Flash Player vulnerability 03/03
A Macromedia advisory indicates the Flash Player contains some sort
of security vulnerability. Further information was not made available.
Source: Macromedia
http://archives.neohapsis.com/archives/vendor/2003-q1/0068.html
*** {03.09.017} Cross - NetPBM multiple vulnerabilities
The NetPBM utility contains multiple vulnerabilities that could
potentially allow a graphics file that is not trusted to execute
arbitrary code.
These vulnerabilities are confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-02/0372.html
*** {03.09.020} Cross - CoffeeCup Password Wizard CGI password
disclosure
The CoffeeCup Password Wizard generates .apw files on the Web server,
which a remote attacker could possibly retrieve and thereby gain
access to all programmed user names and passwords.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-03/0004.html
*** {03.09.023} Cross - Veritas BMR arbitrary remote command execution
Veritas Bare Metal Restore for Tivoli Storage Manager versions 3.2.1
and prior allow a remote attacker to execute arbitrary command-line
commands with root privileges.
The vendor confirmed this vulnerability. More information is available
online at:
http://seer.support.veritas.com/docs/252933.htm
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-02/0333.html
- --- Mobile Devices News ------------------------------------------------
*** {03.09.022} Mobile - Siemens 35/45 series phone SMS DoS
The Siemens 35 and 45 series phones crash or become unusable for
a lengthy period of time when they receive a particular malicious
SMS message.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-03/0046.html
************************************************************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (BSD/OS)
Comment: For info see http://www.gnupg.org
iD8DBQE+Z7cb+LUG5KFpTkYRAlTyAJ9GKRfZrvXR+lc9tSNPYOY/KWk6CgCaA/AE
D+gUWwfxHs05fRHgwq4gHWo=
=7sVQ
-----END PGP SIGNATURE-----
------------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed
to you and you would like to begin receiving our security e-mail
newsletter on a weekly basis, we invite you to subscribe today.
http://www.sans.org/sansnews/
We are signing the Consensus newsletter
with PGP. The new SANS PGP key is posted at:
http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
also be accessed from the SANS Web site (http://www.sans.org).
Special Note: To better secure your confidential information,
we will no longer include personal URLs in our Consensus
newsletter mailings. Instead, we have created a new form
(http://www.sans.org/sansurl). On this form you can enter the SD
number located near your name at the top of the newsletter. When you
submit this form, an e-mail containing a URL will be sent to you at
the e-mail address on record. With this URL you can make changes to
your account (edit the content of your Consensus mailing, for example)
without endangering the security of your personal URL. If you'd like
to change your e-mail address or other information, please visit your
new URL as described above. If you have any problems or questions,
e-mail us at <consensus
nwc.com>.
If you would like to unsubscribe from this newsletter, grab your SD
number (next to your name at the top of this message) and visit the
URL below. You will be sent a personal URL via E-mail, from which
you can unsubscribe. http://www.sans.org/sansurl
Missed an issue? You can find back issues of Security Alert Consensus
(and other SANS newsletters) online. http://www.sans.org/newsletters/
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus
nwc.com>.
Copyright (c) 2003 Network Computing, a CMP Media LLC
publication. All Rights Reserved. Distributed by Network
Computing (http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info
neohapsis.com | http://www.neohapsis.com/).