Security Alert Consensus #017
From: Network Computing and The SANS Institute (sans@sans.org)
Date: Thu May 01 2003 - 17:26:41 CDT
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 017 (03.17)
Thursday, May 1, 2003
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below
you should find information pertaining only to the categories you
requested. Information on how to manage your subscription can be found
at the bottom of the newsletter. If you have any problems or questions,
please e-mail us at <consensus@nwc.com>.
************************* Begin Advertisement ************************
What's the Best Firewall? How Does a Reverse Proxy Work?
For answers to these and other popular questions, go to SANS' new:
Internet Guide To Popular Resources On Information Security
http://www.sans.org/resources/popular.php
And for advanced security training, mark your calendar:
-Four security training tracks in Portland, OR (May 5-10)
-Six security training tracks in Monterey, CA (June 11-16)
-Five security training tracks in London, UK (June 23-28)
-Our largest summer conference: SANS Fire in Washington DC (July 14-19)
-And the largest conference for senior security managers, the National
Information Assurance Leadership Conference (NIAL-V) in Washington
(July 21-22)
-Plus smaller programs in Chicago, Raleigh, Atlanta, Melbourne (AU),
and San Francisco, Virginia Beach, Ottawa (CA) and Madrid (SP).
-If you cannot travel, we have local mentor and evening programs in
forty cities, or ask to schedule an on-site course at your location.
Details on all programs at http://www.sans.org
************************** End Advertisement *************************
The most prominent vulnerabilities this week are various bugs in
Microsoft Outlook Express and Internet Explorer, which allow malicious
e-mail or Web sites to execute arbitrary code on the user's system,
amongst other things. Details are reported in items {03.17.008} and
{03.17.009}. There is also a buffer overflow in an Oracle CONNECT
SQL statement parameter, which allows attackers to take over the
database, and possibly the entire host, if they can execute arbitrary
SQL commands (via direct access or proxied through an insecure Web
application). More information is available in item {03.17.017}.
Plus, Microsoft released new security guides for locking
down Windows Server 2003 deployments. If you're looking into
using Windows Server 2003, you should definitely have a look.
http://archives.neohapsis.com/archives/bugtraq/2003-04/0321.html
Until next week,
--Security Alert Consensus Team
************************************************************************
TABLE OF CONTENTS:
{03.17.005} Win - Cisco SecureACS admin service user name overflow
{03.17.008} Win - MS03-014: Cumulative patch for Outlook Express
{03.17.009} Win - MS03-015: Cumulative patch for Internet Explorer
{03.17.010} Win - Xeneo Web server malformed encoding DoS
{03.17.011} Win - BttlxeForum CGI SQL injection
{03.17.021} Win - Auerswald COMsuite default account/password
{03.17.022} Win - Kerio firewall replay attack and admin overflow
{03.17.023} Win - MDaemon IMAP overflow and POP DoS
{03.17.024} Win - VisNetic ActiveDefense large request DoS
{03.17.001} Linux - Updated patches for previous vulnerabilities
{03.17.002} Linux - gkrellm-newsticker arbitrary command exec and DoS
{03.17.015} Linux - les ATM utility -f parameter overflow
{03.17.003} HP-UX - Updated patches for previous vulnerabilities
{03.17.006} SGI - LDAP nsd possible password bypass
{03.17.019} SGI - Updated patches for previous vulnerabilities
{03.17.012} NetDev - Cisco CatOS 7.5(1) enable password bypass
{03.17.014} NetDev - 3Com NBX phone manager FTP 'CEL' DoS
{03.17.007} Cross - Vulnerable PHP applications 04/29
{03.17.013} Cross - Opera browser multiple reported vulns
{03.17.016} Cross - Qpopper poppassd local SMB auth command exec
{03.17.017} Cross - Oracle DB connect overflow
{03.17.018} Cross - opt library multiple vulns
{03.17.020} Cross - Album.pl CGI remote command exec
{03.17.004} Tru64 - dupatch and setld symlink attacks
--- Windows News -------------------------------------------------------
*** {03.17.005} Win - Cisco SecureACS admin service user name overflow
Cisco SecureACS versions 2.6.4, 3.0.3 and 3.1.1 (and prior) contain a
buffer overflow in the administration service listening on port 2002,
which allows a remote attacker to execute arbitrary code with local
system privileges.
This vulnerability is confirmed. Update information is available at
the reference URL below.
Source: Cisco
http://archives.neohapsis.com/archives/cisco/2003-q2/0001.html
*** {03.17.008} Win - MS03-014: Cumulative patch for Outlook Express
Microsoft released MS03-014 ("Cumulative Patch for Outlook
Express"). This patch is an accumulation of all security patches for
Outlook Express to date. In addition, it fixes a vulnerability that
allows MHTML documents to execute arbitrary code on the user's system.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS03-014.asp
Source: Microsoft
http://archives.neohapsis.com/archives/microsoft/2003-q2/0007.html
*** {03.17.009} Win - MS03-015: Cumulative patch for Internet Explorer
Microsoft released MS03-015 ("Cumulative Patch for Internet
Explorer"). This patch fixes all problems to date as well as four
new vulnerabilities: a buffer overflow in URLMON.DLL, which allows a
remote Web site to run arbitrary code; the file upload control allows
uploading of arbitrary user files; calls to third-party programs
could lead to arbitrary command execution; and incorrect handling of
a dialog could allow an attacker to execute arbitrary active script.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS03-015.asp
Source: Microsoft
http://archives.neohapsis.com/archives/microsoft/2003-q2/0006.html
*** {03.17.010} Win - Xeneo Web server malformed encoding DoS
Xeneo Web server versions 2.2.9 and prior crash when they receive a
particular malformed encoded URL, which allows a remote attacker to
cause a denial of service.
This vulnerability is confirmed and fixed in version 2.2.10.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0035.html
*** {03.17.011} Win - BttlxeForum CGI SQL injection
The BttlxeForum ASP CGI suite does not properly filter out unsafe
SQL characters, which allows a remote attacker to manipulate the
back-end database.
This vulnerability is confirmed. A fix was released.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0038.html
*** {03.17.021} Win - Auerswald COMsuite default account/password
The Auerswald COMsuite CTI ControlCenter version 3.1 creates a default
user account with a known password, which may allow a remote attacker
to access system resources. It also appears that disabling the account
may affect COMsuite operation.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-04/0373.html
*** {03.17.022} Win - Kerio firewall replay attack and admin overflow
The Kerio personal firewall versions 2.1.4 and prior reportedly
contain two vulnerabilities: a weakness in the encryption used
by the administrative console, which allows an attacker able to
sniff administrative traffic to replay administrative commands; and
a buffer overflow in the administrative handshake, which allows a
remote attacker to execute arbitrary code on the system.
These vulnerabilities are not confirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0046.html
*** {03.17.023} Win - MDaemon IMAP overflow and POP DoS
The MDaemon server suite reportedly contains two vulnerabilities:
a buffer overflow in the IMAP 'CREATE' command, which allows the
remote execution of arbitrary code; and specifying negative number
values to various POP commands causes the service to crash.
These vulnerabilities are not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-04/0352.html
http://archives.neohapsis.com/archives/bugtraq/2003-04/0353.html
*** {03.17.024} Win - VisNetic ActiveDefense large request DoS
VisNetic ActiveDefense version 1.3.1 stops forwarding HTTP traffic
after receiving a particular stream of large HTTP requests, which
leads to a denial of service.
The advisory indicates confirmation by the vendor, which released
a patch.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-04/0297.html
--- Linux News ---------------------------------------------------------
*** {03.17.001} Linux - Updated patches for previous vulnerabilities
The following is a list of Linux vendor patches for vulnerabilities
previously reported in Security Alert Consensus.
--- Red Hat:
RHSA-2003:032-01: tcpdump
http://archives.neohapsis.com/archives/linux/redhat/2003-q2/0030.html
RHSA-2003:076-01: ethereal
http://archives.neohapsis.com/archives/linux/redhat/2003-q2/0032.html
RHSA-2003:079-01: zlib
http://archives.neohapsis.com/archives/linux/redhat/2003-q2/0040.html
RHSA-2003:093-01: MySQL
http://archives.neohapsis.com/archives/linux/redhat/2003-q2/0041.html
RHSA-2003:112-01: squirrelmail
http://archives.neohapsis.com/archives/linux/redhat/2003-q2/0034.html
RHSA-2003:118-01: mICQ
http://archives.neohapsis.com/archives/linux/redhat/2003-q2/0036.html
RHSA-2003:142-01: LPRng
http://archives.neohapsis.com/archives/linux/redhat/2003-q2/0037.html
--- Debian:
DSA 292-2: mime-support
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0276.html
DSA 293-1: kdelibs
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0278.html
--- Mandrake:
MDKSA-2003:017-1: pam
http://archives.neohapsis.com/archives/linux/mandrake/2003-q2/0071.html
MDKSA-2003:049-1: kde3
http://archives.neohapsis.com/archives/linux/mandrake/2003-q2/0069.html
MDKSA-2003:050: Apache
http://archives.neohapsis.com/archives/linux/mandrake/2003-q2/0061.html
MDKSA-2003:051: ethereal
http://archives.neohapsis.com/archives/linux/mandrake/2003-q2/0070.html
MDKSA-2003:052: snort
http://archives.neohapsis.com/archives/linux/mandrake/2003-q2/0072.html
--- SuSE:
SuSE-SA:2003:0026: KDE
http://archives.neohapsis.com/archives/linux/suse/2003-q2/0236.html
Source: Red Hat, Debian, Mandrake, SuSE
http://archives.neohapsis.com/archives/linux/redhat/2003-q2/0030.html
http://archives.neohapsis.com/archives/linux/redhat/2003-q2/0032.html
http://archives.neohapsis.com/archives/linux/redhat/2003-q2/0040.html
http://archives.neohapsis.com/archives/linux/redhat/2003-q2/0041.html
http://archives.neohapsis.com/archives/linux/redhat/2003-q2/0034.html
http://archives.neohapsis.com/archives/linux/redhat/2003-q2/0036.html
http://archives.neohapsis.com/archives/linux/redhat/2003-q2/0037.html
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0276.html
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0278.html
http://archives.neohapsis.com/archives/linux/mandrake/2003-q2/0071.html
http://archives.neohapsis.com/archives/linux/mandrake/2003-q2/0069.html
http://archives.neohapsis.com/archives/linux/mandrake/2003-q2/0061.html
http://archives.neohapsis.com/archives/linux/mandrake/2003-q2/0070.html
http://archives.neohapsis.com/archives/linux/mandrake/2003-q2/0072.html
http://archives.neohapsis.com/archives/linux/suse/2003-q2/0236.html
*** {03.17.002} Linux - gkrellm-newsticker arbitrary command exec and DoS
Debian released an advisory indicating the gkrellm-newsticker plug-in
for gkrellm contains two vulnerabilities: malicious characters could be
included in links, causing the user to unknowingly execute arbitrary
commands; and certain malformed elements can cause the plug-in to
crash, leading to a denial of service attack.
These vulnerabilities are confirmed.
Updated Debian DEBs:
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0282.html
Source: Debian
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0282.html
*** {03.17.015} Linux - les ATM utility -f parameter overflow
The 'les' ATM configuration utility included in the Linux-atm suite
contains a buffer overflow in the handling of the -f command-line
parameter. Since the utility is typically installed setuid root,
this allows a local attacker to execute arbitrary code with elevated
privileges.
The advisory indicates vendor confirmation.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-04/0342.html
--- HP-UX News ---------------------------------------------------------
*** {03.17.003} HP-UX - Updated patches for previous vulnerabilities
The following is a list of HP-UX vendor patches for vulnerabilities
previously reported in Security Alert Consensus.
SSRT2439: libc xdrmem_getbytes()
http://archives.neohapsis.com/archives/hp/2003-q2/0019.html
SSRT3534: Apache 2.0 DoS
http://archives.neohapsis.com/archives/hp/2003-q2/0025.html
SSRT3499: OpenSSL RSA blinding
http://archives.neohapsis.com/archives/hp/2003-q2/0025.html
Source: HP
http://archives.neohapsis.com/archives/hp/2003-q2/0019.html
http://archives.neohapsis.com/archives/hp/2003-q2/0025.html
--- SGI News -----------------------------------------------------------
*** {03.17.006} SGI - LDAP nsd possible password bypass
The nsd LDAP implementation does not check for the USERPASSWORD
attribute in the LDAP database, which may allow a remote attacker to
log in without using a password.
This vulnerability is confirmed. A patch is available at the reference
URL below.
Source: SGI
http://archives.neohapsis.com/archives/vendor/2003-q2/0038.html
*** {03.17.019} SGI - Updated patches for previous vulnerabilities
The following is a list of SGI patches for vulnerabilities previously
reported in Security Alert Consensus.
20030406-02-P: BSD LPR subsystem (updated patch)
http://archives.neohapsis.com/archives/vendor/2003-q2/0039.html
Source: SGI
http://archives.neohapsis.com/archives/vendor/2003-q2/0039.html
--- Network Devices News -----------------------------------------------
*** {03.17.012} NetDev - Cisco CatOS 7.5(1) enable password bypass
Cisco Catalyst switches running Catalyst OS version 7.5(1) contain a
bug that allows a normal user to access enable mode without knowing
the enable password. The problem is only present in version 7.5(1).
This vulnerability is confirmed and fixed in version 7.6(1).
Source: Cisco (VulnWatch)
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0040.html
*** {03.17.014} NetDev - 3Com NBX phone manager FTP 'CEL' DoS
The 3Com NBX phone manager crashes when a remote attacker issues an
abnormally long 'CEL' FTP command, which causes a denial of service.
The advisory indicates confirmation by the vendor, which released
a patch.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0045.html
--- Cross-Platform News ------------------------------------------------
*** {03.17.007} Cross - Vulnerable PHP applications 04/29
The following is a list of reportedly vulnerable third-party PHP CGI
applications. These vulnerabilities are not confirmed.
PHP-Nuke 6.5: cross-site scripting
http://archives.neohapsis.com/archives/bugtraq/2003-04/0314.html
True Galerie 1.0: admin log-in bypass, file reading
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0043.html
Bugzilla <2.16.3: cross-site scripting, insecure temp file
http://archives.neohapsis.com/archives/bugtraq/2003-04/0323.html
OpenBB 1.1.0: SQL injection
http://archives.neohapsis.com/archives/bugtraq/2003-04/0325.html
phpSysInfo <2.1: possible file reading
http://archives.neohapsis.com/archives/bugtraq/2003-04/0326.html
XOOPS MyTextSanitizer 2.x: cross-site scripting
http://archives.neohapsis.com/archives/bugtraq/2003-04/0327.html
IdeaBox 1.0: remote file include code execution
http://archives.neohapsis.com/archives/bugtraq/2003-04/0361.html
Source: SecurityFocus Bugtraq, VulnWatch
http://archives.neohapsis.com/archives/bugtraq/2003-04/0314.html
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0043.html
http://archives.neohapsis.com/archives/bugtraq/2003-04/0323.html
http://archives.neohapsis.com/archives/bugtraq/2003-04/0325.html
http://archives.neohapsis.com/archives/bugtraq/2003-04/0326.html
http://archives.neohapsis.com/archives/bugtraq/2003-04/0327.html
http://archives.neohapsis.com/archives/bugtraq/2003-04/0361.html
*** {03.17.013} Cross - Opera browser multiple reported vulns
Multiple vulnerabilities are reported in the Opera Web browser: long
file extensions cause a heap-based buffer overflow; the JavaScript
console could allow execution of arbitrary JavaScript; and long URLs
entered in the URL dialog box cause a crash. Versions 6.x and 7.x
are reportedly vulnerable.
These vulnerabilities are not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-04/0298.html
http://archives.neohapsis.com/archives/bugtraq/2003-04/0345.html
http://archives.neohapsis.com/archives/bugtraq/2003-04/0346.html
*** {03.17.016} Cross - Qpopper poppassd local SMB auth command exec
The poppassd utility included with qpopper versions 4.0.x allows a
local attacker to execute arbitrary commands with root privileges
because root privileges are not dropped before executing the
'smbpasswd' command using a user-specified path.
This vulnerability is not confirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0047.html
*** {03.17.017} Cross - Oracle DB connect overflow
Oracle versions 9.x, 8.x and 7.x reportedly contain a buffer overflow
in the handling of large 'CONNECT TO' clauses, which allows an
attacker capable of running arbitrary SQL commands to gain full DB
administrative privileges and, on Windows systems, potentially local
system access as well.
The advisory indicates vendor confirmation.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0048.html
*** {03.17.018} Cross - opt library multiple vulns
The opt options parsing library versions 3.18 and prior reportedly
contain various buffer overflows, which could cause a program using
the opt functions to be vulnerable to exploitation.
This vulnerability is not confirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0042.html
*** {03.17.020} Cross - Album.pl CGI remote command exec
The album.pl CGI application versions 6.1 and prior reportedly allow
remote attackers to execute arbitrary commands under the Web server's
privileges.
The advisory indicates confirmation by the vendor, which fixed the
bug in version 6.2.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-04/0337.html
--- Tru64 News ---------------------------------------------------------
*** {03.17.004} Tru64 - dupatch and setld symlink attacks
The dupatch and setld installation/update tools handle temporary files
insecurely when existing symlinks are present, which allows a local
attacker to potentially cause a denial of service or gain elevated
privileges when either tool is executed.
This vulnerability is confirmed. Patch and workaround information is
available at the reference URL below.
Source: Compaq/HP
http://archives.neohapsis.com/archives/tru64/2003-q2/0006.html
************************************************************************
------------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed
to you and you would like to begin receiving our security e-mail
newsletter on a weekly basis, we invite you to subscribe today.
http://portal.sans.org
We are signing the Consensus newsletter
with PGP. The new SANS PGP key is posted at:
http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
also be accessed from the SANS Web site (http://www.sans.org).
To unsubscribe from this newsletter, or to edit your subscription
information, please go to: http://portal.sans.org
Missed an issue? You can find back issues of Security Alert Consensus
(and other SANS newsletters) online. http://www.sans.org/newsletters
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2003 Network Computing, a CMP Media LLC
publication. All Rights Reserved. Distributed by Network
Computing (http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).