Security Alert Consensus #015
From: Network Computing and The SANS Institute (sans@sans.org)
Date: Thu Apr 17 2003 - 14:53:14 CDT
-- Security Alert Consensus --
Number 015 (03.15)
Thursday, April 17, 2003
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below
you should find information pertaining only to the categories you
requested. Information on how to manage your subscription can be found
at the bottom of the newsletter. If you have any problems or questions,
please e-mail us at <consensus@nwc.com>.
************************* Begin Advertisement ************************
This issue sponsored by Internet Security Systems.
Announcing The Proventia(tm) A Series Appliance From ISS!
Industry-leading security technology and intelligence
combine in a radical new protection appliance to offer
unified protocol analysis and pattern matching for high
speed, multi-seg networks. Learn more at 4/22 webinar!
https://www.iss.net/form.php?type=CMPNetSANS041703
************************** End Advertisement *************************
This week, we are introducing a new format for Security Alert Consensus
by combining vendor patch updates into a single platform-specific
item. There are three main reasons for this new format. The first
is consolidation. In this age of information overload, it is easier
to handle and evaluate one large item than it is to evaluate 15
small items. All follow-up patches are now contained in a single
item, which lets you view the list of updated patches with a single
glance. It also allows you to view Linux distribution-specific patches
without having to wade through multiple items that only concern other
distributions. Second, this format change allows for better platform
specificity. All follow-up patches of any given vendor will only be
found under their appropriate platform. This adds more power to the
overall platform category subscription options and reduces the number
of vendor-specific updates that are placed in the 'Cross-Platform'
category. Lastly, the new format will reduce the number of items
listed in the table of contents, making it easier for everyone to
read and identify new vulnerabilities.
Keep in mind that this format only affects updates to previously
reported problems. All new vulnerabilities (and any vendor patches
known at that time) will still be reported as individual items. Just
the follow-up patches in subsequent SAC issues will be consolidated.
Network Computing editorial needs your help for an upcoming
article. Please take a few moments to fill out our survey on automated
vulnerability assessment solutions for the enterprise. Even if you are
not intimately involved with the topic of this survey, please answer
any questions you can as they pertain to your organization. This
helps give us a more accurate portrait of the market for these
products. Thanks for your help!
http://www.nwc.com/forms/polls/1412survey.html
Until next week,
--Security Alert Consensus Team
************************************************************************
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
TABLE OF CONTENTS:
{03.15.003} Win - MS03-011: MS JVM bytecode verifier vulnerability
{03.15.004} Win - MS03-012: MS Proxy/ISA Server firewall DoS
{03.15.008} Win - Hyperion FTP server long command overflow
{03.15.013} Win - Protegrity stored procedure overflow
{03.15.023} Win - MailMax IMAP password overflow
{03.15.001} Linux - Updated patches for previous vulnerabilities
{03.15.024} Linux - Vulnerable PHP applications 04/15
{03.15.007} HP-UX - Updated patches for previous vulnerabilities
{03.15.005} SGI - Updated patches for previous vulnerabilities
{03.15.011} NetDev - Multiple DSL/cable/VPN/wireless modem/router vulnerabilities
{03.15.012} NetDev - Nokia DX200 SGSN SNMP vulnerability
{03.15.002} Cross - xfsdump/xfsdq insecure file handling
{03.15.006} Cross - Brocade switch SNMP vulnerability
{03.15.009} Cross - PoPToP PPTP server length vulnerability
{03.15.010} Cross - epic/ircii/bitchx vulnerabilities
{03.15.014} Cross - Kebi Academy CGI file reading
{03.15.015} Cross - Oracle FNDFS/RRA arbitrary file reading
{03.15.017} Cross - Super GuestBook CGI password disclosure
{03.15.018} Cross - KDE ghostscript command execution
{03.15.019} Cross - Ghostscript ps2epsi insecure temp file handling
{03.15.020} Cross - Progress DB multiple environment variables overflow
{03.15.021} Cross - FileMaker Pro shared DB password disclosure
{03.15.022} Cross - Gaim-Encryption plug-in message length overflow
{03.15.025} Cross - Snort TCP stream reassembly overflow
{03.15.016} MacOS - DirectoryServices insecure PATH and DoS
- --- Windows News -------------------------------------------------------
*** {03.15.003} Win - MS03-011: MS JVM bytecode verifier vulnerability
Microsoft released MS03-011 ("MS JVM bytecode verifier
vulnerability"). The Microsoft JVM contains a vulnerability in the
bytecode verifier, which allows a malicious Web site or e-mail to
execute unsafe Java instructions.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS03-011.asp
Source: Microsoft
http://archives.neohapsis.com/archives/microsoft/2003-q2/0003.html
*** {03.15.004} Win - MS03-012: MS Proxy/ISA Server firewall DoS
Microsoft released MS03-012 ("MS Proxy/ISA Server firewall
DoS"). Microsoft Proxy Server 2.0 and the Microsoft Firewall service
in ISA Server 2000 contain a denial of service vulnerability, which
lets an attacker on the internal network render the proxy server
non-functional.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS03-012.asp
Source: Microsoft
http://archives.neohapsis.com/archives/microsoft/2003-q2/0001.html
*** {03.15.008} Win - Hyperion FTP server long command overflow
A published advisory reports that Hyperion FTP server version 3.0
contains a buffer overflow in the handling of overly long FTP commands,
which potentially allows a remote attacker to execute arbitrary code.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-04/0143.html
*** {03.15.013} Win - Protegrity stored procedure overflow
The Protegrity database protection suite for MS SQL Server 2000
reportedly contains buffer overflows in various stored procedures,
potentially allowing an attacker able to make SQL queries to execute
arbitrary code on the system. It may also allow the attacker to gain
access to the encrypted data.
This vulnerability is confirmed. The vendor released an update.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-03/0206.html
*** {03.15.023} Win - MailMax IMAP password overflow
The IMAP service included with MailMax IMAPMax versions prior to
5.0.10.8 contains a remotely exploitable buffer overflow in the
handling of a user's password, which allows an attacker to execute
arbitrary code with local system privileges.
This vulnerability is confirmed and fixed in versions 5.0.10.8 and 5.5.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0017.html
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0018.html
- --- Linux News ---------------------------------------------------------
*** {03.15.001} Linux - Updated patches for previous vulnerabilities
The following is a list of Linux vendor patches for vulnerabilities
previously reported in Security Alert Consensus.
- --- Debian:
DSA 269-2: heimdal
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0109.html
DSA 282-1: glibc
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0107.html
DSA 285-1: lprng
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0150.html
- --- Red Hat:
RHSA-2003:135-00: kernel
http://archives.neohapsis.com/archives/linux/redhat/2003-q2/0024.html
RHSA-2003:137-02: samba
http://archives.neohapsis.com/archives/linux/redhat/2003-q2/0025.html
RHSA-2003:139-01: httpd (Apache 2.0.x)
http://archives.neohapsis.com/archives/linux/redhat/2003-q2/0026.html
- --- Conectiva:
CLA-2003:625: OpenSSL
http://archives.neohapsis.com/archives/linux/conectiva/2003-q2/0011.html
CLA-2003:626: mutt
http://archives.neohapsis.com/archives/linux/conectiva/2003-q2/0012.html
- --- Immunix:
IMNX-2003-7+-005-01: postgresql
http://archives.neohapsis.com/archives/linux/immunix/2003-q2/0006.html
IMNX-2003-7+-008-01: MySQL
http://archives.neohapsis.com/archives/linux/immunix/2003-q2/0007.html
- --- Mandrake:
MDKSA-2003:038-1: kernel
http://archives.neohapsis.com/archives/linux/mandrake/2003-q2/0024.html
MDKSA-2003:045: evolution
http://archives.neohapsis.com/archives/linux/mandrake/2003-q2/0047.html
MDKSA-2003:046: gtkhtml
http://archives.neohapsis.com/archives/linux/mandrake/2003-q2/0048.html
Source: Debian, Red Hat, Conectiva, Immunix, Mandrake
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0109.html
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0107.html
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0150.html
http://archives.neohapsis.com/archives/linux/redhat/2003-q2/0024.html
http://archives.neohapsis.com/archives/linux/redhat/2003-q2/0025.html
http://archives.neohapsis.com/archives/linux/redhat/2003-q2/0026.html
http://archives.neohapsis.com/archives/linux/conectiva/2003-q2/0011.html
http://archives.neohapsis.com/archives/linux/conectiva/2003-q2/0012.html
http://archives.neohapsis.com/archives/linux/immunix/2003-q2/0006.html
http://archives.neohapsis.com/archives/linux/immunix/2003-q2/0007.html
http://archives.neohapsis.com/archives/linux/mandrake/2003-q2/0024.html
http://archives.neohapsis.com/archives/linux/mandrake/2003-q2/0047.html
http://archives.neohapsis.com/archives/linux/mandrake/2003-q2/0048.html
*** {03.15.024} Linux - Vulnerable PHP applications 04/15
The following is a list of reportedly vulnerable third-party PHP CGI
applications. These vulnerabilities are not confirmed.
Alexandria 2.5: upload spoofing, cross-site scripting
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0158.html
phPay 2.02: various information disclosures
http://archives.neohapsis.com/archives/bugtraq/2003-04/0135.html
Source: VulnWatch, SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0158.html
http://archives.neohapsis.com/archives/bugtraq/2003-04/0135.html
- --- HP-UX News ---------------------------------------------------------
*** {03.15.007} HP-UX - Updated patches for previous vulnerabilities
The following is a list of HP vendor patches for vulnerabilities
previously reported in Security Alert Consensus.
SSRT3536: CIFS/9000 (samba)
http://archives.neohapsis.com/archives/hp/2003-q2/0010.html
SSRT3531: sendmail
http://archives.neohapsis.com/archives/hp/2003-q2/0015.html
http://archives.neohapsis.com/archives/hp/2003-q2/0011.html
SSRT2345: DNS resolver (HP peripherals)
http://archives.neohapsis.com/archives/hp/2003-q2/0015.html
SSRT2328: OpenSSL (HP peripherals)
http://archives.neohapsis.com/archives/hp/2003-q2/0015.html
SSRT2316: DNS resolver
http://archives.neohapsis.com/archives/hp/2003-q2/0015.html
SSRT3493: Instant TopTools
http://archives.neohapsis.com/archives/hp/2003-q2/0002.html
Source: HP
http://archives.neohapsis.com/archives/hp/2003-q2/0002.html
http://archives.neohapsis.com/archives/hp/2003-q2/0010.html
http://archives.neohapsis.com/archives/hp/2003-q2/0011.html
http://archives.neohapsis.com/archives/hp/2003-q2/0015.html
- --- SGI News -----------------------------------------------------------
*** {03.15.005} SGI - Updated patches for previous vulnerabilities
The following is a list of SGI vendor patches for vulnerabilities
previously reported in Security Alert Consensus.
20030303-01-I: Java JVM
http://archives.neohapsis.com/archives/vendor/2003-q1/0087.html
20030402-01-P: libc RPC functions
http://archives.neohapsis.com/archives/vendor/2003-q2/0014.html
20030403-01-P: samba
http://archives.neohapsis.com/archives/vendor/2003-q2/0017.html
20021102-03-P: tooltalk
http://archives.neohapsis.com/archives/vendor/2003-q2/0020.html
20030406-01-P: BSD lpr
http://archives.neohapsis.com/archives/vendor/2003-q2/0025.html
Source: SGI
http://archives.neohapsis.com/archives/vendor/2003-q1/0087.html
http://archives.neohapsis.com/archives/vendor/2003-q2/0014.html
http://archives.neohapsis.com/archives/vendor/2003-q2/0017.html
http://archives.neohapsis.com/archives/vendor/2003-q2/0020.html
http://archives.neohapsis.com/archives/vendor/2003-q2/0025.html
- --- Network Devices News -----------------------------------------------
*** {03.15.011} NetDev - Multiple DSL/cable/VPN/wireless modem/router vulnerabilities
Multiple home- and small-office DSL, VPN, wireless and cable
modems/routers reportedly contain various vulnerabilities. Since
many of the vulnerabilities are related, they are grouped here as a
single item.
D-Link DSL-500: default SNMP communities
http://archives.neohapsis.com/archives/bugtraq/2003-03/0410.html
D-Link DI-614: various TCP/IP DoS attacks
http://archives.neohapsis.com/archives/bugtraq/2003-03/0417.html
D-Link DSL-300: default SNMP communities, default auth info
http://archives.neohapsis.com/archives/bugtraq/2003-03/0458.html
Netgear FM114P: UPnP auth info leak
http://archives.neohapsis.com/archives/bugtraq/2003-04/0042.html
Various Level-One routers: UPnP auth info leak
http://archives.neohapsis.com/archives/bugtraq/2003-04/0053.html
Linksys BEFVP41: default SNMP communities
http://archives.neohapsis.com/archives/bugtraq/2003-04/0165.html
MultiTech RF550VPN: default auth info, Web proxy DoS
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0121.html
NB 1300: default auth info
http://archives.neohapsis.com/archives/bugtraq/2003-04/0202.html
Source: SecurityFocus Bugtraq, VulnWatch
http://archives.neohapsis.com/archives/bugtraq/2003-03/0410.html
http://archives.neohapsis.com/archives/bugtraq/2003-03/0417.html
http://archives.neohapsis.com/archives/bugtraq/2003-03/0458.html
http://archives.neohapsis.com/archives/bugtraq/2003-04/0042.html
http://archives.neohapsis.com/archives/bugtraq/2003-04/0053.html
http://archives.neohapsis.com/archives/bugtraq/2003-04/0165.html
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0121.html
http://archives.neohapsis.com/archives/bugtraq/2003-04/0202.html
*** {03.15.012} NetDev - Nokia DX200 SGSN SNMP vulnerability
The Nokia DX200 SGSN device allows any SNMP community string to read
the SNMP variables, which exposes configuration information.
This vulnerability is confirmed. Nokia released an updated firmware.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0129.html
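The two items above are the same weakness seen from two sides: devices that
ship with well-known community strings, and one that answers whatever string
it is given. The following is an added example, not code from this newsletter
or from any vendor named in it. It hand-encodes an SNMPv1 GetRequest for
sysDescr.0 so no SNMP library is needed, and takes the transport as a
callable so the probe logic can be exercised offline against a simulated
agent. The community list, the simulated replies and the sysDescr text are
assumptions.

```python
import secrets

SYS_DESCR_0 = (1, 3, 6, 1, 2, 1, 1, 1, 0)      # sysDescr.0: every agent answers it
DEFAULT_COMMUNITIES = ["public", "private"]    # assumption: extend with vendor defaults
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2         # SNMPv1 PDU tags

def _ber_len(n):
    # BER length: short form below 128, otherwise 0x80|count followed by the count bytes
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body

def _int(v):
    # two's-complement INTEGER; the extra byte keeps 128..255 positive
    return _tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))

def _oid(arcs):
    # first two arcs share one byte (40*a+b); the rest are base-128 with a continuation bit
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))

def _message(community, pdu_tag, request_id, error_status, value_tlv):
    varbind = _tlv(0x30, _oid(SYS_DESCR_0) + value_tlv)
    pdu = _tlv(pdu_tag, _int(request_id) + _int(error_status) + _int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _int(0) + _tlv(0x04, community.encode("latin-1")) + pdu)  # version 0 = v1

def build_get_request(community, request_id=1):
    return _message(community, GET_REQUEST, request_id, 0, _tlv(0x05, b""))   # NULL placeholder

def build_get_response(community, value, request_id=1, error_status=0):
    # only needed here to fabricate replies for the offline simulated agent
    return _message(community, GET_RESPONSE, request_id, error_status, _tlv(0x04, value))

def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return tag, buf[pos:pos + length], pos + length

def _items(body):
    # every (tag, contents) pair inside a constructed BER body
    pos, out = 0, []
    while pos < len(body):
        tag, contents, pos = _read_tlv(body, pos)
        out.append((tag, contents))
    return out

def parse_message(buf):
    """Decode an SNMPv1 message into (community, pdu_tag, error_status, first value bytes).
    Raises ValueError (bad tag or field count) or IndexError (truncated) on malformed input."""
    tag, msg, _ = _read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    (_, _version), (_, community), (pdu_tag, pdu) = _items(msg)
    (_, _rid), (_, err), (_, _idx), (_, varbinds) = _items(pdu)
    (_, _oid_bytes), (_, value) = _items(_items(varbinds)[0][1])
    return community.decode("latin-1"), pdu_tag, int.from_bytes(err, "big", signed=True), value

def probe_communities(send, communities=DEFAULT_COMMUNITIES):
    """Return the communities the agent accepted. A v1 agent that rejects the string normally
    stays silent (and may emit an authenticationFailure trap), so no reply means rejected."""
    accepted = []
    for i, community in enumerate(communities, start=1):
        reply = send(build_get_request(community, request_id=i))
        if reply is None:
            continue
        try:
            _, pdu_tag, error_status, _ = parse_message(reply)
        except (ValueError, IndexError):
            continue                                  # garbage back: treat as no answer
        if pdu_tag == GET_RESPONSE and error_status == 0:
            accepted.append(community)
    return accepted

def accepts_any_community(send):
    # a random string nobody configured; a noError reply means the agent never checks
    # the community at all, which is the DX200 SGSN behaviour reported above
    return probe_communities(send, [secrets.token_hex(8)]) != []

def simulated_agent(valid=None):
    # offline stand-in for the device: valid=None answers every community (the DX200 case),
    # a list of strings models an agent that checks them
    def send(packet):
        community = parse_message(packet)[0]
        if valid is None or community in valid:
            return build_get_response(community, b"constructed sysDescr")
        return None
    return send
```

To run this against a device you are authorised to test, replace
simulated_agent() with a function of the same shape that does one UDP
sendto/recv to port 161 with a timeout and returns None when nothing comes
back. probe_communities() then reports which defaults the device honours,
and accepts_any_community() separates a device with a weak default from one
that does not check the string at all.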
- --- Cross-Platform News ------------------------------------------------
*** {03.15.002} Cross - xfsdump/xfsdq insecure file handling
The xfsdq utility used by xfsdump for XFS file systems insecurely
creates quota files, which could allow a local attacker to overwrite
arbitrary files on the system.
This vulnerability is confirmed.
Updated Debian DEBs:
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0123.html
IRIX update information:
http://archives.neohapsis.com/archives/vendor/2003-q2/0018.html
Source: Debian, SGI
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0123.html
http://archives.neohapsis.com/archives/vendor/2003-q2/0018.html
*** {03.15.006} Cross - Brocade switch SNMP vulnerability
SGI released an advisory indicating that Brocade switches are
vulnerable to the previously reported PROTOS SNMP vulnerabilities.
SGI updated firmware information:
http://archives.neohapsis.com/archives/vendor/2003-q2/0021.html
Source: SGI
http://archives.neohapsis.com/archives/vendor/2003-q2/0021.html
*** {03.15.009} Cross - PoPToP PPTP server length vulnerability
PoPToP PPTP server versions prior to 1.1.4-b3 and 1.1.3-20030409 do not
properly handle the length field within a PPTP packet, which allows a
remote attacker to cause a buffer overflow and execute arbitrary code.
This vulnerability is confirmed and fixed in the latest versions.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-04/0144.html
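The item above says only that the length field is mishandled. As an added
example (not PoPToP's code, and not taken from the advisory), the following
parser for the fixed PPTP control-message header from RFC 2637 shows the
checks a server must make before using that field to size a read, and what
an unchecked "length minus header" turns into when the field is smaller than
the header. The maximum length and the partial per-type length table are
assumptions.

```python
import struct

PPTP_HEADER = struct.Struct("!HHIHH")   # length, message type, magic cookie, control type, reserved0
PPTP_MAGIC = 0x1A2B3C4D
PPTP_CONTROL_MESSAGE = 1
PPTP_MAX_CONTROL_LEN = 1024             # assumption: well above the largest defined control message
CONTROL_MESSAGE_LENGTHS = {             # fixed sizes from RFC 2637 for the types handled here (partial)
    1: 156,   # Start-Control-Connection-Request
    2: 156,   # Start-Control-Connection-Reply
    3: 16,    # Stop-Control-Connection-Request
    4: 16,    # Stop-Control-Connection-Reply
    5: 16,    # Echo-Request
    6: 20,    # Echo-Reply
}

class PptpError(ValueError):
    pass

def naive_body_length(length_field):
    """What a reader gets when it computes 'length - header' and hands the result to a
    read routine as an unsigned size: any length below 12 wraps to a huge value."""
    return (length_field - PPTP_HEADER.size) & 0xFFFFFFFF

def parse_control_message(buf):
    """Validate one PPTP control message and return (control_type, body bytes).
    Each check guards a way a careless reader can be driven into an oversized read."""
    if len(buf) < PPTP_HEADER.size:
        raise PptpError("short header")
    length, msg_type, magic, ctrl_type, _reserved = PPTP_HEADER.unpack_from(buf)
    if magic != PPTP_MAGIC:
        raise PptpError("bad magic cookie 0x%08x" % magic)
    if msg_type != PPTP_CONTROL_MESSAGE:
        raise PptpError("message type %d is not a control message" % msg_type)
    if length < PPTP_HEADER.size:                 # the underflow case
        raise PptpError("length %d is smaller than the 12-byte header" % length)
    if length > PPTP_MAX_CONTROL_LEN:
        raise PptpError("length %d exceeds the maximum" % length)
    expected = CONTROL_MESSAGE_LENGTHS.get(ctrl_type)
    if expected is not None and length != expected:
        raise PptpError("control type %d must be %d bytes, got %d" % (ctrl_type, expected, length))
    if len(buf) < length:
        raise PptpError("truncated: header claims %d bytes, only %d present" % (length, len(buf)))
    return ctrl_type, bytes(buf[PPTP_HEADER.size:length])

def rejects(buf):
    # True if the parser refuses the buffer (used for the checks below)
    try:
        parse_control_message(buf)
    except PptpError:
        return True
    return False

def build_echo_request(identifier):
    # constructed, well-formed 16-byte Echo-Request (control type 5)
    return PPTP_HEADER.pack(16, PPTP_CONTROL_MESSAGE, PPTP_MAGIC, 5, 0) + struct.pack("!I", identifier)

def build_underflow_packet():
    # constructed hostile header: valid cookie and type, length field of zero
    return PPTP_HEADER.pack(0, PPTP_CONTROL_MESSAGE, PPTP_MAGIC, 5, 0)
```

The order of the checks matters: the minimum-length test comes before any
arithmetic on the field, and the per-type table is consulted before the body
is sliced, so a packet that passes the magic-cookie test cannot steer the
read length.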
*** {03.15.010} Cross - epic/ircii/bitchx vulnerabilities
The epic, ircii and bitchx IRC clients (which all have related code
bases) contain various buffer overflows that would allow a malicious
IRC server to execute arbitrary code on the user's system.
Updated Debian DEBs:
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0165.html
Source: SecurityFocus Bugtraq, Debian
http://archives.neohapsis.com/archives/bugtraq/2003-03/0211.html
http://archives.neohapsis.com/archives/bugtraq/2003-03/0279.html
http://archives.neohapsis.com/archives/bugtraq/2003-03/0364.html
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0165.html
*** {03.15.014} Cross - Kebi Academy CGI file reading
The Kebi Academy 2001 CGI suite allows a remote attacker to read
arbitrary files readable by the Web server by passing '..' style file
names in the 'file' URL parameter.
This vulnerability is not confirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q1/0131.html
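As an added example (not code from the newsletter or from the Kebi Academy
product), the following shows the check a CGI should make on a 'file'
parameter before opening anything, and a pass over web-server access logs
for requests whose value would have escaped the document root. The document
root, the script name and the log lines are constructed; only the parameter
name comes from the item above.

```python
import posixpath
import re

from urllib.parse import unquote, urlsplit

DOC_ROOT = "/var/www/kebi/docs"   # assumption: the directory the CGI is meant to serve from

def resolve_under_root(root, user_value):
    """Map the raw 'file' parameter to an absolute path, or None if it would leave root.
    Decode exactly once (a double-encoded %252e must stay a literal name), drop any leading
    slash, collapse '.' and '..' lexically, then confirm the result is still under root.
    On a live system add os.path.realpath() to the check so symlinks cannot escape either."""
    if "\x00" in user_value:
        return None                                  # NUL truncation tricks against C CGIs
    decoded = unquote(user_value).replace("\\", "/")
    prefix = root.rstrip("/") + "/"
    candidate = posixpath.normpath(posixpath.join(prefix, decoded.lstrip("/")))
    if candidate != root and not candidate.startswith(prefix):
        return None
    return candidate

# cheap triage pattern: catches encoded and plain '..' but also flags harmless 'a/../b'
TRAVERSAL_RE = re.compile(r"\.\.[/\\]|\.\.%2f|\.\.%5c|%2e%2e|%252e", re.IGNORECASE)
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

# constructed access-log lines; '/cgi-bin/view.cgi' is a placeholder, only the 'file'
# parameter name comes from the advisory
SAMPLE_LOG = """\
10.0.0.5 - - [15/Apr/2003:10:01:22 +0000] "GET /cgi-bin/view.cgi?file=notes/../readme.txt HTTP/1.0" 200 512
10.0.0.9 - - [15/Apr/2003:10:02:07 +0000] "GET /cgi-bin/view.cgi?file=../../../../etc/passwd HTTP/1.0" 200 1430
10.0.0.9 - - [15/Apr/2003:10:02:31 +0000] "GET /cgi-bin/view.cgi?file=..%2F..%2F..%2Fetc%2Fshadow HTTP/1.0" 403 211
10.0.0.7 - - [15/Apr/2003:10:03:10 +0000] "GET /cgi-bin/view.cgi?file=%2e%2e/%2e%2e/etc/passwd HTTP/1.0" 200 1430
"""

def looks_like_traversal(raw_value):
    return TRAVERSAL_RE.search(raw_value) is not None

def file_params(target):
    # raw, still percent-encoded values of every 'file=' pair in the query string
    return [pair[len("file="):] for pair in urlsplit(target).query.split("&") if pair.startswith("file=")]

def find_traversal_requests(log_text, root=DOC_ROOT):
    """Return (client, raw value, status) for every request whose 'file' value would not
    resolve inside root. The status matters: a 200 means the CGI actually served the file."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue
        client, target, status = match.group(1), match.group(2), int(match.group(3))
        for raw in file_params(target):
            if resolve_under_root(root, raw) is None:
                hits.append((client, raw, status))
    return hits
```

The lexical resolver, not the regular expression, is the decision point: the
first constructed line contains '..' yet stays inside the root and is not
reported, while the encoded variants on the third and fourth lines are. A
200 on a reported request is the signal that the file was actually read.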
*** {03.15.015} Cross - Oracle FNDFS/RRA arbitrary file reading
The FND File Service (a.k.a. the Report Review Agent) included with
the Oracle e-Business suite allows a remote attacker to read any file
on the system.
The vendor confirmed this vulnerability and released a patch.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0016.html
*** {03.15.017} Cross - Super GuestBook CGI password disclosure
The Super GuestBook CGI version 1.0 allows a remote attacker to
read the superguestconfig file, which exposes the CGI administrative
password.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-04/0149.html
*** {03.15.018} Cross - KDE ghostscript command execution
KDE versions 3.1.1 and prior do not properly escape parameters passed
to ghostscript, which allows a malicious PS or PDF file to execute
arbitrary commands under the user's privileges. This vulnerability
may be automatically triggered by a malicious Web site.
This vulnerability is confirmed and fixed in version 3.1.1a.
Updated Debian DEBs:
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0130.html
Source: SecurityFocus Bugtraq, Debian
http://archives.neohapsis.com/archives/bugtraq/2003-04/0152.html
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0130.html
*** {03.15.019} Cross - Ghostscript ps2epsi insecure temp file handling
The ps2epsi ghostscript utility insecurely handles temporary files,
which allows a local attacker to overwrite files writeable by the
ps2epsi user.
Updated Debian DEBs are listed at:
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0154.html
Source: Debian
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0154.html
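Items {03.15.002} (xfsdq) and {03.15.019} (ps2epsi) are both instances of
the same local bug class: a privileged or user-run tool creates a file at a
predictable name without refusing a name that already exists, so a symlink
planted there first redirects the write. The following is an added example,
not code from either package, that stages that race in a private directory
and shows the open() flags that close it. The file names are placeholders.

```python
import os
import tempfile

def insecure_create(path, data):
    """The pattern behind both advisories: a predictable name opened with O_CREAT but not O_EXCL.
    If the name already exists as a symlink the kernel follows it, and the write lands wherever
    the attacker pointed it, with the privileges of the writing process."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o644)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)

def secure_create(path, data):
    """Same intent, but O_EXCL makes open() fail with EEXIST if anything (file or symlink) is
    already at the path, and O_NOFOLLOW covers the final component being a link on platforms
    that have it. Mode 0600 keeps other local users out of the result."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    try:
        os.write(fd, data)
    finally:
        os.close(fd)

def secure_tempfile(prefix, directory=None):
    """The library answer: mkstemp picks an unpredictable name and opens it O_EXCL itself."""
    return tempfile.mkstemp(prefix=prefix, dir=directory)

def symlink_race_demo():
    """Stage the race: the attacker plants a symlink at the predictable name before the victim
    writes. Returns (victim file clobbered?, secure open refused?, mkstemp file is 0600?)."""
    with tempfile.TemporaryDirectory() as workdir:
        victim_file = os.path.join(workdir, "quota.conf")    # placeholder for the file an attacker wants overwritten
        with open(victim_file, "w") as fh:
            fh.write("original contents\n")
        predictable = os.path.join(workdir, "xfsdq.tmp")     # placeholder for the predictable temp name
        os.symlink(victim_file, predictable)                 # the attacker's move
        insecure_create(predictable, b"attacker-chosen contents\n")
        with open(victim_file) as fh:
            clobbered = fh.read() == "attacker-chosen contents\n"
        try:
            secure_create(predictable, b"anything")
            refused = False
        except FileExistsError:
            refused = True
        fd, path = secure_tempfile("xfsdq-", workdir)
        os.close(fd)
        mode_ok = (os.stat(path).st_mode & 0o777) == 0o600
        return clobbered, refused, mode_ok
```

The demo runs entirely inside a throwaway directory; the insecure call
overwrites the victim file through the link, the O_EXCL call is refused, and
mkstemp produces a 0600 file at a name the attacker could not have guessed.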
*** {03.15.020} Cross - Progress DB multiple environment variables overflow
Various Progress database utilities contain buffer overflows in
the handling of various environment variables, which allow a local
attacker to execute arbitrary code with elevated privileges. Affected
environment variables include DLC and BINPATHX.
The advisory indicates confirmation by the vendor, which released
version 9.1D05.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-04/0179.html
http://archives.neohapsis.com/archives/bugtraq/2003-04/0212.html
*** {03.15.021} Cross - FileMaker Pro shared DB password disclosure
The FileMaker Pro TCP/IP protocol discloses passwords to remote
attackers. The vulnerability stems from a design flaw that sends all
passwords to the client and then expects the client to enforce the
validity of the user's password.
The advisory indicates vendor confirmation. For workarounds, please
see the reference URL below.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-04/0168.html
*** {03.15.022} Cross - Gaim-Encryption plug-in message length overflow
The Gaim-Encryption plug-in prior to version 1.16 does not correctly
validate the message length value, which leads to a heap-based buffer
overflow. This allows a remote denial of service attack and possibly
the execution of arbitrary code.
This vulnerability is confirmed and fixed in version 1.16.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0019.html
*** {03.15.025} Cross - Snort TCP stream reassembly overflow
Multiple Snort versions are vulnerable to a buffer overflow in the
handling of TCP stream reassembly, which allows a remote attacker to
execute arbitrary code on the system.
The vendor confirmed this vulnerability and committed a patch to
Snort versions released after Apr. 14, 2003.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-04/0215.html
- --- Mac OS News --------------------------------------------------------
*** {03.15.016} MacOS - DirectoryServices insecure PATH and DoS
The DirectoryServices daemon included with Mac OS X runs the 'touch'
command by name rather than by absolute path, so a local attacker who
controls PATH can substitute a program of their own and gain root
privileges. The daemon can also be crashed by opening multiple
connections to port 625.
This vulnerability is confirmed and fixed in Mac OS X version 10.2.5.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0015.html
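Items {03.15.018} (KDE passing an unescaped file name to ghostscript) and
{03.15.016} (DirectoryServices running 'touch' by name) are the two halves
of one rule for anything that launches a helper program: never let data
become shell syntax, and never let the environment choose the program. The
following is an added example, not code from KDE, Apple or Ghostscript; the
gs flags, the hostile file name and the pinned PATH are assumptions.

```python
import os
import shlex
import subprocess

HOSTILE_NAME = "report.ps; touch /tmp/owned"   # constructed: a document name carrying a second command
SEPARATORS = {";", "|", "||", "&", "&&"}

def shell_command_count(cmdline):
    """Number of commands /bin/sh would run for this string. The punctuation-aware shlex
    tokenizer yields separators as their own tokens only when they are unquoted."""
    lexer = shlex.shlex(cmdline, posix=True, punctuation_chars=True)
    return 1 + sum(1 for token in lexer if token in SEPARATORS)

def vulnerable_gs_cmdline(ps_file):
    # the failure mode in the KDE item: the name is spliced into a shell string unescaped
    return "gs -q -dNOPAUSE -dBATCH -sDEVICE=ppmraw -sOutputFile=- " + ps_file

def quoted_gs_cmdline(ps_file):
    # if a shell really is unavoidable, quote so the name is a single word again
    return "gs -q -dNOPAUSE -dBATCH -sDEVICE=ppmraw -sOutputFile=- " + shlex.quote(ps_file)

def hardened_gs_argv(ps_file):
    """Preferred form: argv list, absolute program path, the file name as one argument and
    no shell anywhere. The flags are assumptions; -dSAFER limits what the PostScript itself
    may do to the file system."""
    if "\x00" in ps_file:
        raise ValueError("NUL in file name")
    if ps_file.startswith("-"):
        ps_file = "./" + ps_file                    # a name like '-dNOSAFER' must not become an option
    return ["/usr/bin/gs", "-q", "-dSAFER", "-dNOPAUSE", "-dBATCH",
            "-sDEVICE=ppmraw", "-sOutputFile=-", ps_file]

def privileged_env():
    # for a daemon that runs helpers (the DirectoryServices 'touch' case): nothing inherited,
    # PATH pinned to system directories so no user-writable directory is ever searched
    return {"PATH": "/usr/bin:/bin", "LANG": "C"}

def run_helper(argv, env=None, stdin_data=None):
    """Run a helper with no shell, an absolute program path and a clean environment."""
    if not os.path.isabs(argv[0]):
        raise ValueError("helper %r must be named by absolute path, not searched via PATH" % argv[0])
    return subprocess.run(argv, input=stdin_data, env=env or privileged_env(),
                          capture_output=True, check=False)

def helper_rejected(argv):
    # True if run_helper refuses the argv before anything is executed
    try:
        run_helper(argv)
    except ValueError:
        return True
    return False
```

shell_command_count() is the lint you can run over any command string a
program builds: the unescaped form of the hostile name yields two commands,
the shlex.quote'd form one. hardened_gs_argv() removes the shell entirely,
and run_helper() refuses a program name that would be resolved through
PATH, which is the DirectoryServices mistake.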
************************************************************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (BSD/OS)
Comment: For info see http://www.gnupg.org
iD4DBQE+nv2U+LUG5KFpTkYRArVWAJiL9RN9IdqySWL+6MjjOb+TGjZcAJ905Zfu
STxwb1VAP80JvzoCkYf/HA==
=bp0A
-----END PGP SIGNATURE-----
------------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed
to you and you would like to begin receiving our security e-mail
newsletter on a weekly basis, we invite you to subscribe today.
http://portal.sans.org
We are signing the Consensus newsletter with PGP. The new SANS PGP
key is posted at:
http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
also be accessed from the SANS Web site (http://www.sans.org).
To unsubscribe from this newsletter, or to edit your subscription
information, please go to: http://portal.sans.org
Missed an issue? You can find back issues of Security Alert Consensus
(and other SANS newsletters) online. http://www.sans.org/newsletters
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2003 Network Computing, a CMP Media LLC
publication. All Rights Reserved. Distributed by Network
Computing (http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).