Security Alert Consensus #011

From: Network Computing and The SANS Institute (sans+ZZ19344592824117097sans.org)
Date: Thu Mar 20 2003 - 15:34:58 CST


Re: Your personalized newsletter

                 -- Security Alert Consensus --
                       Number 011 (03.11)
                  Thursday, March 20, 2003
                       Created for you by
            Network Computing and the SANS Institute
                      Powered by Neohapsis

----------------------------------------------------------------------

Welcome to the latest edition of Security Alert Consensus! Below
you should find information pertaining only to the categories you
requested. Information on how to manage your subscription can be found
at the bottom of the newsletter. If you have any problems or questions,
please e-mail us at <consensus@nwc.com>.

************************* Begin Advertisement ************************

This issue sponsored by TruSecure.

FREE 14-DAY TRIAL: Custom Threat & Vulnerability Alert Service
TruSecure's new IntelliShield(TM) Web-based threat and vulnerability
service, supported by TruSecure's vast intelligence resources --
including the ICSA Labs -- provides unmatched early warning, analysis
and decision support tools for protecting your organization. Get a FREE
14-day trial today!
http://www.trusecure.com/offer/s0076/

************************** End Advertisement *************************

As the U.S. tax season nears deadline, a lot of people will be using
PC-based tax programs to prepare their returns. What some people don't
know is that many of the popular tax packages, including H&R Block
TaxCut and Intuit TurboTax, do not generally protect their local data
files with any amount of strong encryption. Each of these tax data
files contains every piece of information necessary to successfully
steal the identity of the user, including: names, addresses, social
security numbers, employer names, bank account numbers and types,
earning information, etc. Recovery of these sensitive files still
relies on an external vulnerability (such as the reading of files
through Web browser JavaScript holes). But, in general, it's still
important to be aware of the ramifications of the insecure storage
of these sensitive files. Storing the files offline (in a secure
location, like a safe) and using encryption utilities will reduce
the chance of recovery.
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0123.html
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0124.html

Until next week,
-- Security Alert Consensus Team

************************************************************************

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

TABLE OF CONTENTS:

{03.11.008} Win - MS03-007: IIS WebDAV URL overflow
{03.11.023} Win - McAfee ePolicy Orchestrator agent format string
            vulnerability
{03.11.001} Linux - Update {03.09.004}: tcpdump ISAKMP DoS
{03.11.002} Linux - Update {03.10.013}: lprm local buffer overflow
{03.11.003} Linux - Update {03.09.018}: file utility local overflow
{03.11.005} Linux - Linux 2.2/2.4 ptrace vulnerability
{03.11.006} Linux - Update {03.08.017}: Terminal escape sequence
            vulnerabilities
{03.11.007} Linux - Update {03.09.017}: NetPBM multiple vulnerabilities
{03.11.015} Linux - Update {03.10.004}: MySQL my.cnf user override
{03.11.016} Linux - Update {03.10.025}: zlib gzprintf overflow
{03.11.021} Linux - Update {03.02.020}: KDE parameter mishandling on
            shell commands
{03.11.022} Linux - Gnome-lokkit incorrect FORWARD rule generation
{03.11.026} Linux - Mandrake unrestricted shutdown
{03.11.011} HP-UX - Update {03.08.001}: OpenSSL timing attack
            information leak
{03.11.012} HP-UX - Update {03.08.009}: Webmin/usermin session ID
            spoofing
{03.11.013} HP-UX - Update {03.05.004}: Apache Tomcat path parsing
            vulnerability
{03.11.004} SCO - Update {03.09.001}: Sendmail address header parsing
            overflow
{03.11.009} Cross - Samba packet reassembly overflow
{03.11.010} Cross - OpenSSL timing attack/private key disclosure
{03.11.014} Cross - Sun ONE app server NSAPI overflow
{03.11.017} Cross - Vulnerable PHP applications 03/18
{03.11.018} Cross - BEA WebLogic default apps vulnerability
{03.11.019} Cross - Lotus Notes/Domino multiple vulnerabilities 3/17
{03.11.020} Cross - Qpopper qvnsprintf overflow
{03.11.024} Cross - Kerberos v4 protocol weaknesses
{03.11.025} Cross - WorldPay::Junior Perl module XSS
{03.11.027} Tru64 - Stdio file descriptor vulnerability

- --- Windows News -------------------------------------------------------

*** {03.11.008} Win - MS03-007: IIS WebDAV URL overflow

Microsoft released MS03-007 ("IIS WebDAV URL overflow"). IIS 5.0's
handling of WebDAV requests is susceptible to a buffer overflow if
the URL portion of the request is too large. This allows for the
remote execution of arbitrary code.

FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS03-007.asp

Source: Microsoft
http://archives.neohapsis.com/archives/microsoft/2003-q1/0010.html
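One way to watch for the condition the bulletin describes from the server side is to scan IIS W3C extended logs for WebDAV verbs carrying abnormally long URLs. The script below is an added example for monitoring, not Microsoft's patch or detection logic; the log lines are constructed, and the 1024-byte URL threshold is an assumption picked for this example rather than a figure from the bulletin.

```python
"""Flag oversized-URL requests, and count WebDAV verbs, in IIS W3C logs.

Added example; not Microsoft code. The sample log is constructed and the
threshold is an assumption, not a value from MS03-007.
"""

# WebDAV verbs as listed in RFC 2518 (OPTIONS is omitted: plain HTTP uses it too).
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK", "SEARCH"}

# Constructed log excerpt: two ordinary hits, one normal PROPFIND and one
# SEARCH whose path is roughly 2000 characters long.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Internet Information Services 5.0",
    "#Fields: date time c-ip cs-method cs-uri-stem sc-status",
    "2003-03-18 10:01:02 192.0.2.10 GET /default.htm 200",
    "2003-03-18 10:01:05 192.0.2.10 GET /images/logo.gif 200",
    "2003-03-18 10:02:17 198.51.100.7 PROPFIND /exchange/ 207",
    "2003-03-18 10:02:19 198.51.100.7 SEARCH /" + "x" * 2000 + " 500",
])


def parse_w3c(log_text):
    """Yield one dict per record, keyed by the names in the #Fields line."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue                      # truncated or malformed record
        yield dict(zip(fields, values))


def find_oversized_requests(log_text, max_uri_len=1024):
    """Return (hits, webdav_total).

    hits lists every record whose URL exceeds max_uri_len, with the verb and
    client so an analyst can triage it; webdav_total counts all WebDAV verbs
    seen, which gives a baseline for a site that is not supposed to use WebDAV.
    """
    hits = []
    webdav_total = 0
    for rec in parse_w3c(log_text):
        method = rec.get("cs-method", "").upper()
        uri = rec.get("cs-uri-stem", "")
        if method in WEBDAV_METHODS:
            webdav_total += 1
        if len(uri) > max_uri_len:
            hits.append({"client": rec.get("c-ip"), "method": method,
                         "uri_len": len(uri), "status": rec.get("sc-status")})
    return hits, webdav_total


if __name__ == "__main__":
    hits, total = find_oversized_requests(SAMPLE_LOG)
    print("WebDAV requests seen:", total)
    for h in hits:
        print("oversized URL:", h)
```

On a server that does not serve WebDAV content, a non-zero `webdav_total` is itself worth a look, and disabling WebDAV on such hosts removes the exposure independently of the patch.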

*** {03.11.023} Win - McAfee ePolicy Orchestrator agent format string
                vulnerability

The McAfee Security ePolicy Orchestrator version 2.5.1 contains a
remotely exploitable format string buffer overflow vulnerability in
the handling of incoming HTTP requests. This allows a remote attacker
to execute arbitrary code.

This vulnerability is confirmed. Contact the vendor for a patch.

Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0133.html

- --- Linux News ---------------------------------------------------------

*** {03.11.001} Linux - Update {03.09.004}: tcpdump ISAKMP DoS

SuSE and Debian released updated tcpdump packages, which fix the
vulnerability discussed in {03.09.004} ("tcpdump ISAKMP DoS").

Updated SuSE RPMs:
http://archives.neohapsis.com/archives/linux/suse/2003-q1/0751.html

Updated Debian DEBs:
http://archives.neohapsis.com/archives/linux/debian/2003-q1/0757.html

Source: SuSE, Debian
http://archives.neohapsis.com/archives/linux/suse/2003-q1/0751.html
http://archives.neohapsis.com/archives/linux/debian/2003-q1/0757.html

*** {03.11.002} Linux - Update {03.10.013}: lprm local buffer overflow

SuSE released updated lprold packages, which fix the vulnerability
discussed in {03.10.013} ("lprm local buffer overflow").

Updated RPMs are listed at the reference URL below.

Source: SuSE
http://archives.neohapsis.com/archives/linux/suse/2003-q1/0752.html

*** {03.11.003} Linux - Update {03.09.018}: file utility local overflow

Multiple vendors released updated file packages, which fix the
vulnerability discussed in {03.09.018} ("file utility local overflow").

Updated Debian DEBs:
http://archives.neohapsis.com/archives/linux/debian/2003-q1/0739.html

NetBSD CVS branches -current, -1.4, and -1.5 as of Mar. 9, 2003 contain
a fix.

Source: Debian, NetBSD
http://archives.neohapsis.com/archives/linux/debian/2003-q1/0739.html
http://archives.neohapsis.com/archives/netbsd/2003-q1/0066.html

*** {03.11.005} Linux - Linux 2.2/2.4 ptrace vulnerability

The 2.2 and 2.4 series Linux kernels contain a vulnerability in the
handling of ptrace requests that allows a local attacker to gain
root privileges.

This vulnerability is confirmed. The 2.2.25 and 2.4.21 kernels
contain fixes.

Updated Red Hat RPMs:
http://archives.neohapsis.com/archives/linux/redhat/2003-q1/0071.html

Updated EnGarde RPMs:
http://archives.neohapsis.com/archives/linux/engarde/2003-q1/0012.html

Updated Trustix RPMs:
http://archives.neohapsis.com/archives/bugtraq/2003-03/0268.html

Source: VulnWatch, Red Hat, EnGarde, Trustix (SF Bugtraq)
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0134.html
http://archives.neohapsis.com/archives/linux/redhat/2003-q1/0071.html
http://archives.neohapsis.com/archives/linux/engarde/2003-q1/0012.html
http://archives.neohapsis.com/archives/bugtraq/2003-03/0268.html

*** {03.11.006} Linux - Update {03.08.017}: Terminal escape sequence
                vulnerabilities

Red Hat released updated rxvt packages, which fix the vulnerabilities
discussed in {03.08.017} ("Terminal escape sequence vulnerabilities").

Updated RPMs are listed at the reference URL below.

Source: Red Hat
http://archives.neohapsis.com/archives/linux/redhat/2003-q1/0069.html

*** {03.11.007} Linux - Update {03.09.017}: NetPBM multiple
                vulnerabilities

Debian released updated NetPBM packages, which fix the vulnerabilities
discussed in {03.09.017} ("NetPBM multiple vulnerabilities").

Updated DEBs are listed at the reference URL below.

Source: Debian
http://archives.neohapsis.com/archives/linux/debian/2003-q1/0787.html

*** {03.11.015} Linux - Update {03.10.004}: MySQL my.cnf user override

Trustix released updated MySQL packages, which fix the vulnerability
discussed in {03.10.004} ("MySQL my.cnf user override").

Updated RPMs are listed at the reference URL below.

Source: Trustix (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2003-03/0267.html

*** {03.11.016} Linux - Update {03.10.025}: zlib gzprintf overflow

Mandrake released updated zlib packages, which fix the vulnerability
discussed in {03.10.025} ("zlib gzprintf overflow").

Updated RPMs are listed at the reference URL below.

Source: Mandrake (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2003-03/0263.html

*** {03.11.021} Linux - Update {03.02.020}: KDE parameter mishandling
                on shell commands

Caldera/SCO released updated KDE packages, which fix the vulnerability
discussed in {03.02.020} ("KDE parameter mishandling on shell
commands").

Updated RPMs are listed at the reference URL below.

Source: Caldera/SCO
http://archives.neohapsis.com/archives/linux/caldera/2003-q1/0019.html

*** {03.11.022} Linux - Gnome-lokkit incorrect FORWARD rule generation

Red Hat released an advisory indicating the version of Gnome-lokkit
included with Red Hat 8.0 does not properly generate rules for the
FORWARD rule chain, potentially leaving a machine exposed if packet
forwarding is enabled.

Updated RPMs are listed at the reference URL below.

Source: Red Hat
http://archives.neohapsis.com/archives/linux/redhat/2003-q1/0066.html
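The exposure here is a host that routes packets while its FORWARD chain filters nothing. The following is an added example, not Red Hat's or Gnome-lokkit's code: it reads the dump format that `iptables-save` prints and flags a FORWARD chain left at policy ACCEPT with no rules on a host with forwarding enabled. Both rulesets are constructed for the example, with the weak one beside a corrected one.

```python
"""Audit an iptables-save dump for an unfiltered FORWARD chain.

Added example; not Red Hat or lokkit code. Both rulesets are constructed.
"""

# Constructed: a firewall that filters INPUT only and leaves FORWARD open.
WEAK_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
"""

# Same host with FORWARD closed by default and only the intended path opened.
FIXED_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -j ACCEPT
COMMIT
"""


def parse_filter_table(dump):
    """Return ({chain: policy}, {chain: [rule lines]}) for the *filter table."""
    policies, rules = {}, {}
    in_filter = False
    for raw in dump.splitlines():
        line = raw.strip()
        if line.startswith("*"):                 # table header, e.g. "*filter"
            in_filter = line == "*filter"
            continue
        if not in_filter or not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith(":"):                 # ":CHAIN POLICY [pkts:bytes]"
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
            rules.setdefault(chain, [])
        elif line.startswith("-A "):             # "-A CHAIN <match> -j TARGET"
            rules.setdefault(line.split()[1], []).append(line)
    return policies, rules


def ip_forwarding_enabled(path="/proc/sys/net/ipv4/ip_forward"):
    """Read the kernel forwarding switch; False if the file cannot be read."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return False


def forward_chain_findings(dump, forwarding):
    """Describe problems with the FORWARD chain; an empty list means none."""
    if not forwarding:
        return []                                # nothing is routed; chain unused
    policies, rules = parse_filter_table(dump)
    policy = policies.get("FORWARD", "ACCEPT")   # kernel default when unset
    fwd_rules = rules.get("FORWARD", [])
    if policy == "ACCEPT" and not fwd_rules:
        return ["FORWARD: policy ACCEPT and no rules; all routed traffic passes"]
    if policy == "ACCEPT":
        return ["FORWARD: policy ACCEPT; unmatched routed traffic passes"]
    return []


if __name__ == "__main__":
    forwarding = ip_forwarding_enabled()
    for name, dump in (("weak", WEAK_RULESET), ("fixed", FIXED_RULESET)):
        print(name, forward_chain_findings(dump, forwarding=True))
```

To run it against a live host, feed the output of `iptables-save` to `forward_chain_findings` together with `ip_forwarding_enabled()`; the constructed dumps only exist so the check can be exercised offline.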

*** {03.11.026} Linux - Mandrake unrestricted shutdown

Mandrake released an advisory indicating improper restrictions on
the shutdown utility allow a local attacker to halt the system and
potentially gain root access if they have access to the local console.

Updated RPMs are listed at the reference URL below.

Source: Mandrake (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2003-03/0188.html

- --- HP-UX News ---------------------------------------------------------

*** {03.11.011} HP-UX - Update {03.08.001}: OpenSSL timing attack
                information leak

HP released update information that fixes the vulnerability discussed
in {03.08.001} ("OpenSSL timing attack information leak").

Update information is available at the reference URL below.

Source: HP/Compaq
http://archives.neohapsis.com/archives/hp/2003-q1/0063.html

*** {03.11.012} HP-UX - Update {03.08.009}: Webmin/usermin session ID
                spoofing

HP released update information that fixes the vulnerability discussed
in {03.08.009} ("Webmin/usermin session ID spoofing").

Update information is available at the reference URL below.

Source: HP/Compaq
http://archives.neohapsis.com/archives/hp/2003-q1/0063.html

*** {03.11.013} HP-UX - Update {03.05.004}: Apache Tomcat path parsing
                vulnerability

HP released update information that fixes the vulnerability discussed
in {03.05.004} ("Apache Tomcat path parsing vulnerability").

Update information is available at the reference URL below.

Source: HP/Compaq
http://archives.neohapsis.com/archives/hp/2003-q1/0063.html

- --- SCO News -----------------------------------------------------------

*** {03.11.004} SCO - Update {03.09.001}: Sendmail address header
                parsing overflow

Caldera/SCO released updated Sendmail binaries, which fix the
vulnerability discussed in {03.09.001} ("Sendmail address header
parsing overflow").

Updated binaries are listed at the reference URL below.

Source: Caldera/SCO
http://archives.neohapsis.com/archives/linux/caldera/2003-q1/0018.html

- --- Cross-Platform News ------------------------------------------------

*** {03.11.009} Cross - Samba packet reassembly overflow

Samba versions 2.0.x and 2.2.x prior to version 2.2.8 contain a
remotely exploitable buffer overflow in the reassembly of packets. This
allows the remote execution of arbitrary code.

This vulnerability is confirmed.

Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/bugtraq/2003-03/0248.html

Updated Debian DEBs:
http://archives.neohapsis.com/archives/linux/debian/2003-q1/0775.html

HP-UX update information:
http://archives.neohapsis.com/archives/hp/2003-q1/0063.html

Updated Trustix RPMs:
http://archives.neohapsis.com/archives/bugtraq/2003-03/0274.html

Updated Red Hat RPMs:
http://archives.neohapsis.com/archives/bugtraq/2003-03/0265.html

Source: Mandrake, Debian, HP, Trustix, Red Hat (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2003-03/0248.html
http://archives.neohapsis.com/archives/linux/debian/2003-q1/0775.html
http://archives.neohapsis.com/archives/hp/2003-q1/0063.html
http://archives.neohapsis.com/archives/bugtraq/2003-03/0274.html
http://archives.neohapsis.com/archives/bugtraq/2003-03/0265.html

*** {03.11.010} Cross - OpenSSL timing attack/private key disclosure

Some SSL-enabled applications do not properly use the OpenSSL
library. By not enabling the 'RSA-blinding' feature, which shields the
computations from a timing attack, the private key could be exposed. In
OpenSSL versions 0.9.7a and prior, it is the responsibility of the
application to enable RSA-blinding. Apache's mod_ssl module is listed
as vulnerable.

This vulnerability is confirmed. The next version of OpenSSL will
enable RSA-blinding by default in an effort to keep applications
secure. A patch is also available at:
http://www.openssl.org/news/secadv_20030317.txt

Updated Trustix RPMs:
http://archives.neohapsis.com/archives/bugtraq/2003-03/0273.html

Source: VulnWatch, Trustix (SF Bugtraq)
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0130.html
http://archives.neohapsis.com/archives/bugtraq/2003-03/0273.html
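RSA blinding works by running the private-key exponentiation on a randomised input and stripping the randomness afterwards, so the measured time no longer correlates with the ciphertext. The following is an added illustration of that arithmetic in plain Python, not OpenSSL code and not the advisory's patch; the toy key is built from two small primes chosen for the example (hypothetical values, not a real key).

```python
"""RSA blinding: the countermeasure the advisory says applications must enable.

Added illustration, not OpenSSL code. The key is a toy key from two small
constructed primes; real keys use primes of 1024 bits or more.
"""
import math
import secrets

# Constructed toy primes for the example only.
P = 1000003
Q = 1000033
E = 65537


def make_key(p=P, q=Q, e=E):
    """Return (n, e, d) for the toy key."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+)
    return n, e, d


def private_op_unblinded(c, n, d):
    """Plain c^d mod n. Its running time depends on c and on the secret d,
    which is the dependency a remote timing attack measures."""
    return pow(c, d, n)


def blind(c, n, e):
    """Multiply the ciphertext by r^e for a fresh random r coprime to n.
    Returns (blinded ciphertext, r); r must be kept to unblind the result."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:
            break
    return (c * pow(r, e, n)) % n, r


def unblind(m_blinded, r, n):
    """(c * r^e)^d = c^d * r (mod n), so multiplying by r^-1 leaves c^d."""
    return (m_blinded * pow(r, -1, n)) % n


def private_op_blinded(c, n, e, d):
    """Same result as private_op_unblinded, but the exponentiation sees a
    different random value every call, so its timing is decoupled from c."""
    cb, r = blind(c, n, e)
    return unblind(pow(cb, d, n), r, n)


if __name__ == "__main__":
    n, e, d = make_key()
    m = 123456789
    c = pow(m, e, n)
    print("unblinded:", private_op_unblinded(c, n, d))
    print("blinded:  ", private_op_blinded(c, n, e, d))
```

With OpenSSL 0.9.7a and earlier the application has to turn this on itself (the advisory at the OpenSSL URL above describes the API call); the arithmetic above is what that switch enables inside the library.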

*** {03.11.014} Cross - Sun ONE app server NSAPI overflow

The Sun ONE application server NSAPI plugin for the Sun ONE/iPlanet Web
server contains a buffer overflow in the handling of large URLs. This
vulnerability allows the remote execution of arbitrary code. Versions
6.0 and 6.5 are vulnerable.

This vulnerability is confirmed. A patch was released for version 6.5.

Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0128.html

*** {03.11.017} Cross - Vulnerable PHP applications 03/18

The following is a list of reportedly vulnerable third-party PHP CGI
applications. These vulnerabilities are not confirmed.

MyABraCaDaWeb 1.0.2: XSS and path disclosure
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0137.html

PHP-Nuke 6.0 and prior: path disclosure
http://archives.neohapsis.com/archives/bugtraq/2003-03/0250.html

SIPS 0.2.2: user password hash recovery
http://archives.neohapsis.com/archives/bugtraq/2003-03/0270.html

Cyber-cats.com PHP Message Board: password hash recovery
http://archives.neohapsis.com/archives/bugtraq/2003-03/0271.html

Circle.ch PHP Guestbook: XSS
http://archives.neohapsis.com/archives/bugtraq/2003-03/0219.html

Source: VulnWatch, SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0137.html
http://archives.neohapsis.com/archives/bugtraq/2003-03/0250.html
http://archives.neohapsis.com/archives/bugtraq/2003-03/0270.html
http://archives.neohapsis.com/archives/bugtraq/2003-03/0271.html
http://archives.neohapsis.com/archives/bugtraq/2003-03/0219.html

*** {03.11.018} Cross - BEA WebLogic default apps vulnerability

BEA's WebLogic service suite versions 7.0 and prior install many
undocumented, default applications used for internal tasks. These
applications are not properly protected and potentially allow a remote
attacker to compromise the system and/or upload arbitrary files.

This vulnerability is confirmed. The vendor released a patch.

Source: VulnWatch, SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0135.html
http://archives.neohapsis.com/archives/bugtraq/2003-03/0238.html

*** {03.11.019} Cross - Lotus Notes/Domino multiple vulnerabilities 3/17

The Lotus Notes/Domino platform contains multiple vulnerabilities:
a buffer overflow in the NotesRPC protocol allows remote execution
of arbitrary code; Web retriever service allows a buffer overflow
via a long HTTP status line from a malicious Web server; and Domino
R6 betas are vulnerable to the PROTOS LDAP vulnerability discovery
suite. Lotus Notes/Domino prior to 6.0 and 5.0.12 are vulnerable.

The vendor confirmed these vulnerabilities and released updated
versions.

Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0125.html
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0126.html
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0127.html

*** {03.11.020} Cross - Qpopper qvnsprintf overflow

Qpopper prior to version 4.0.5fc2 contains a bug in the internal
qvnsprintf function that allows a remote attacker (with proper POP
authentication credentials) to execute arbitrary code under the
privileges of the authenticated user.

This vulnerability is confirmed and fixed in version 4.0.5fc2.

Updated Debian DEBs:
http://archives.neohapsis.com/archives/linux/debian/2003-q1/0731.html

Source: SecurityFocus Bugtraq, Debian
http://archives.neohapsis.com/archives/bugtraq/2003-03/0152.html
http://archives.neohapsis.com/archives/bugtraq/2003-03/0178.html
http://archives.neohapsis.com/archives/linux/debian/2003-q1/0731.html

*** {03.11.024} Cross - Kerberos v4 protocol weaknesses

MIT released a critical security advisory detailing the existence of
many weaknesses in the Kerberos version 4 protocol that could allow
an attacker to impersonate and create TGTs for any principal. These
vulnerabilities are flaws in the Kerberos 4 protocol and the use of
3DES keys.

These vulnerabilities are confirmed. Kerberos v5 is not vulnerable.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-03/0235.html

*** {03.11.025} Cross - WorldPay::Junior Perl module XSS

The Business::OnlinePayment::WorldPay::Junior Perl module prior to
version 1.05 is vulnerable to a cross-site scripting attack.

Version 1.05 contains the necessary fix.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-03/0230.html

- --- Tru64 News ---------------------------------------------------------

*** {03.11.027} Tru64 - Stdio file descriptor vulnerability

HP/Compaq released ERPs for a vulnerability in Tru64 that involves
privileged applications not properly handling closed file descriptors,
possibly allowing a local attacker to elevate privilege or gain access
to sensitive information.

This vulnerability is confirmed. ERP information is available at the
reference URL below.

Source: HP/Compaq
http://archives.neohapsis.com/archives/tru64/2003-q1/0002.html
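The mechanism behind this class of bug is that open() returns the lowest free descriptor, so a privileged program started with 0, 1 or 2 closed can have its stdio traffic end up in whatever file it opens next. The following is an added example of the usual mitigation, not HP/Compaq's ERP and not Tru64-specific: before doing anything else, the program fills any hole among the standard descriptors with /dev/null. The pipe-based demonstration functions exist only so the behaviour can be shown without touching the real stdio descriptors.

```python
"""Close the standard-descriptor hole before privileged work.

Added example; not the vendor's fix. Shows the general Unix behaviour the
advisory describes and the standard countermeasure.
"""
import errno
import os

STD_FDS = (0, 1, 2)


def closed_fds(fds=STD_FDS):
    """Return those descriptors in `fds` that are not open in this process."""
    closed = []
    for fd in fds:
        try:
            os.fstat(fd)
        except OSError as exc:
            if exc.errno != errno.EBADF:
                raise
            closed.append(fd)
    return closed


def sanitize_fds(fds=STD_FDS):
    """Attach /dev/null to each closed descriptor in `fds`; return those fixed.

    Call this first in a setuid or otherwise privileged program, before any
    other open(), so a later open() can never land on a stdio descriptor.
    """
    fixed = []
    for fd in closed_fds(fds):
        nullfd = os.open(os.devnull, os.O_RDWR)
        if nullfd != fd:               # a lower hole was filled first; move it
            os.dup2(nullfd, fd)
            os.close(nullfd)
        fixed.append(fd)
    return fixed


def lowest_fd_reuse_demo():
    """Show the underlying behaviour: the number of a just-closed descriptor
    is handed back by the next open(). Uses a pipe so 0-2 stay untouched.
    Returns True when the number was reused."""
    r, w = os.pipe()
    os.close(r)
    fd = os.open(os.devnull, os.O_RDONLY)
    reused = fd == r
    os.close(fd)
    os.close(w)
    return reused


def sanitize_demo():
    """Close two fresh descriptors, then show sanitize_fds() refills exactly
    those. Returns (fixed, still_closed)."""
    r, w = os.pipe()
    os.close(r)
    os.close(w)
    fixed = sanitize_fds((r, w))
    still_closed = closed_fds((r, w))
    os.close(r)
    os.close(w)
    return fixed, still_closed


if __name__ == "__main__":
    print("lowest free fd reused by open():", lowest_fd_reuse_demo())
    print("stdio descriptors repaired:", sanitize_fds())
```

The same check belongs in any setuid helper or daemon that later opens configuration or log files, regardless of platform.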

************************************************************************

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (BSD/OS)
Comment: For info see http://www.gnupg.org

iD8DBQE+ei2v+LUG5KFpTkYRAkY1AJ9x12VYVXuoEk98ADSj2rL5MZF0jgCeIJFr
Exm/CI9PwHmvecOhyQlbl2g=
=2Rli
-----END PGP SIGNATURE-----
------------------------------------------------------------------------

Become a Security Alert Consensus member! If this e-mail was passed
to you and you would like to begin receiving our security e-mail
newsletter on a weekly basis, we invite you to subscribe today.
http://www.sans.org/sansnews/

We are signing the Consensus newsletter
with PGP. The new SANS PGP key is posted at:
http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
also be accessed from the SANS Web site (http://www.sans.org).

Special Note: To better secure your confidential information,
we will no longer include personal URLs in our Consensus
newsletter mailings. Instead, we have created a new form
(http://www.sans.org/sansurl). On this form you can enter the SD
number located near your name at the top of the newsletter. When you
submit this form, an e-mail containing a URL will be sent to you at
the e-mail address on record. With this URL you can make changes to
your account (edit the content of your Consensus mailing, for example)
without endangering the security of your personal URL. If you'd like
to change your e-mail address or other information, please visit your
new URL as described above. If you have any problems or questions,
e-mail us at <consensus@nwc.com>.

If you would like to unsubscribe from this newsletter, grab your SD
number (next to your name at the top of this message) and visit the
URL below. You will be sent a personal URL via E-mail, from which
you can unsubscribe. http://www.sans.org/sansurl

Missed an issue? You can find back issues of Security Alert Consensus
(and other SANS newsletters) online. http://www.sans.org/newsletters/

Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.

Copyright (c) 2003 Network Computing, a CMP Media LLC
publication. All Rights Reserved. Distributed by Network
Computing (http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).