Security Alert Consensus #018
From: Network Computing and The SANS Institute (sans at sans.org)
Date: Fri May 09 2003 - 17:18:10 CDT
-- Security Alert Consensus --
Number 018 (03.18)
Friday, May 9, 2003
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below you
should find information pertaining only to the categories you requested.
Information on how to manage your subscription can be found at the
bottom of the newsletter. If you have any problems or questions, please
e-mail us at <consensus at nwc.com>.
************************* Begin Advertisement ************************
This issue sponsored by Internet Security Systems.
New Appliance whitepaper from Internet Security Systems!
ISS' new, easily deployed appliances dynamically protect
regardless of network speed or threat type, without
requiring separate firewalls, antivirus and intrusion
detection. Click here to download whitepaper:
http://www.iss.net/ad/appliance_cmpnetsansappliance050803
************************** End Advertisement *************************
A technical glitch resulted in the inadvertent redeployment of the
editorial content of last week's Security Alert Consensus in yesterday's
mailing. This mailing includes this week's editorial content. We
apologize for the error and the inconvenience!
This week a post surfaced on Bugtraq pointing out how it's possible to
use OpenSSH to determine whether or not an account name is valid. The
problem is actually the result of varying delays in the underlying PAM
authentication libraries. Technically, any application using PAM could
be vulnerable to a timing attack, which exposes valid account names.
Fortunately, this is a mild information exposure, and one that is easily
detected. It does not serve as a method of compromise or denial of
service. Apart from PAM, there are also other timing-based attacks
against certain applications that could expose various configuration
information. We've seen in the past how timing attacks can be used to
recover a server's private SSL key. Unfortunately, timing attacks are
extremely difficult to prevent because prevention requires all possible
code execution paths to take approximately the same amount of time to
traverse. It is likely we will continue to see timing-based
vulnerabilities in the future. You can read the initial OpenSSH/PAM
post at:
http://archives.neohapsis.com/archives/bugtraq/2003-04/0384.html
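The editorial's point, that a login path whose cost depends on whether the account exists leaks valid names, and that the fix is making every path do the same work, is easier to see with a small model. The following is an added example, not code from the newsletter, from OpenSSH or from any PAM module: the accounts, passwords, dummy key and iteration count are constructed sample data, and the two `authenticate_*` routines are hypothetical stand-ins for a PAM-style check.

```python
"""Account-name enumeration through timing, and a constant-work login path.

Added example, not code from the newsletter or from OpenSSH/PAM. It models
the behaviour the editorial describes: an authentication routine whose cost
depends on whether the account exists leaks valid names through response
time, while one that does the same work on every path does not. The
accounts, passwords and iteration count below are constructed sample data.
"""
import hashlib
import hmac
import os
import time

ITERATIONS = 50_000  # constructed: enough work to make the timing gap obvious


def derive_key(password: str, salt: bytes) -> bytes:
    """Slow password hash; its cost is what a timing attacker measures."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed sample accounts: name -> (salt, derived key).
_SALT_A, _SALT_B = os.urandom(16), os.urandom(16)
USERS = {
    "alice": (_SALT_A, derive_key("correct horse", _SALT_A)),
    "bob": (_SALT_B, derive_key("battery staple", _SALT_B)),
}

# Fixed dummy credentials so unknown names cost exactly as much as known ones.
_DUMMY_SALT = b"\x00" * 16
_DUMMY_KEY = derive_key("dummy-password", _DUMMY_SALT)

# Counts how often the expensive hash ran per routine (used by the checks).
hash_calls = {"leaky": 0, "hardened": 0}


def authenticate_leaky(username: str, password: str) -> bool:
    """Returns early for unknown names: the expensive hash only runs for
    accounts that exist, so response time reveals whether a name is valid."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, expected = record
    hash_calls["leaky"] += 1
    return derive_key(password, salt) == expected


def authenticate_hardened(username: str, password: str) -> bool:
    """Does the same hash work and a constant-time comparison on every path."""
    salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_KEY))
    hash_calls["hardened"] += 1
    matched = hmac.compare_digest(derive_key(password, salt), expected)
    exists = username in USERS  # evaluated unconditionally, no short-circuit
    return matched and exists


def median_seconds(fn, username: str, password: str, rounds: int = 5) -> float:
    """Median wall-clock time of fn(username, password) over several calls.
    Clamped to 1 ns so a ratio can always be formed."""
    samples = []
    for _ in range(rounds):
        start = time.perf_counter()
        fn(username, password)
        samples.append(time.perf_counter() - start)
    samples.sort()
    return max(samples[len(samples) // 2], 1e-9)


def timing_ratio(fn, known: str = "alice", unknown: str = "nobody",
                 password: str = "not the password") -> float:
    """Median time for a valid name divided by that for an invalid one.
    A value near 1.0 means timing does not distinguish the two."""
    return median_seconds(fn, known, password) / median_seconds(fn, unknown, password)


if __name__ == "__main__":
    for name, fn in (("leaky", authenticate_leaky), ("hardened", authenticate_hardened)):
        print(f"{name:9s} known/unknown time ratio: {timing_ratio(fn):.1f}")
```

Running the block prints a ratio far above 1 for the early-return routine and close to 1 for the constant-work one. The design point is the one the editorial makes: the hardened routine removes the data-dependent branch (it always hashes, always compares in constant time, and never short-circuits on the existence check), which is exactly the "all paths take the same time" property the editorial calls hard to achieve across a whole application.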
Until next week,
--Security Alert Consensus Team
************************************************************************
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
TABLE OF CONTENTS:
{03.18.002} Win - MS03-016: BizTalk Server multiple vulns
{03.18.007} Win - ICQ client multiple vulns 06/05
{03.18.009} Win - FTGatePro large SMTP parameter overflow
{03.18.001} Linux - Updated patches for previous vulnerabilities
{03.18.008} Linux - Debian leksbot incorrectly setuid root
{03.18.005} AIX - OpenSSH linker incorrect library use
{03.18.013} HPUX - rexec -l parameter overflow
{03.18.003} NetDev - Cisco CSS 11000/11500 DNS response DoS
{03.18.004} NetDev - Cisco ONS family Nessus DoS
{03.18.006} Cross - mod_auth_any arbitrary command exec
{03.18.010} Cross - GPG multiple user ID key validity vuln
{03.18.011} Cross - youbin HOME env var overflow
{03.18.012} Cross - mod_survey invalid survey disk space DoS
- --- Windows News -------------------------------------------------------
*** {03.18.002} Win - MS03-016: BizTalk Server multiple vulns
Microsoft released MS03-016 ("BizTalk Server multiple vulns"). BizTalk
Server 2002 contains a buffer overflow in the HTTP receiving component,
which allows the remote execution of arbitrary code. Both BizTalk Server
2000 and 2002 contain an SQL tampering vulnerability that could be used
in a cross-site scripting fashion by tricking an administrator into
clicking a supplied link, thereby causing exploitation.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS03-016.asp
Source: Microsoft
http://archives.neohapsis.com/archives/microsoft/2003-q2/0008.html
*** {03.18.007} Win - ICQ client multiple vulns 06/05
The Mirabilis ICQ Pro client versions 2003a and prior contain multiple
remotely exploitable vulnerabilities: POP3 client multiple overflows
and format string vulnerabilities; 'Features on Demand'
man-in-the-middle spoofing attack; man-in-the-middle ad display denial
of service attack; and denial of service when parsing GIF89a headers.
These vulnerabilities are not confirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0051.html
*** {03.18.009} Win - FTGatePro large SMTP parameter overflow
FTGatePro version 1.22 build 1328 reportedly contains buffer overflows
in the handling of large 'MAIL FROM' and 'RCPT TO' SMTP commands, which
allow a remote attacker to execute arbitrary code on the system under
local system privileges.
The vendor confirmed this vulnerability and released version 1.22 build
1330.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0052.html
- --- Linux News ---------------------------------------------------------
*** {03.18.001} Linux - Updated patches for previous vulnerabilities
The following is a list of Linux vendor patches for vulnerabilities
previously reported in the Security Alert Consensus.
- --- Red Hat:
RHSA-2003:093-02: MySQL
http://archives.neohapsis.com/archives/linux/redhat/2003-q2/0047.html
RHSA-2003:133-01: man
http://archives.neohapsis.com/archives/linux/redhat/2003-q2/0044.html
- --- Mandrake:
MDKSA-2003:053: mgetty
http://archives.neohapsis.com/archives/linux/mandrake/2003-q2/0096.html
MDKSA-2003:054: man
http://archives.neohapsis.com/archives/linux/mandrake/2003-q2/0098.html
- --- Conectiva:
CLA-2003:614: sendmail (revised)
http://archives.neohapsis.com/archives/linux/conectiva/2003-q2/0018.html
CLA-2003:632: apache
http://archives.neohapsis.com/archives/linux/conectiva/2003-q2/0017.html
CLA-2003:633: glibc
http://archives.neohapsis.com/archives/linux/conectiva/2003-q2/0021.html
CLA-2003:635: balsa
http://archives.neohapsis.com/archives/linux/conectiva/2003-q2/0022.html
CLA-2003:639: krb5
http://archives.neohapsis.com/archives/linux/conectiva/2003-q2/0027.html
CLA-2003:640: vnc
http://archives.neohapsis.com/archives/linux/conectiva/2003-q2/0028.html
CLA-2003:642: snort
http://archives.neohapsis.com/archives/linux/conectiva/2003-q2/0030.html
- --- Debian:
DSA 292-3: mime-support
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0410.html
DSA 295-1: pptpd
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0405.html
DSA 296-1: kdebase
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0409.html
DSA 297-1: snort
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0416.html
DSA 298-1: EPIC4
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0420.html
DSA 300-1: Balsa
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0469.html
- --- EnGarde:
ESA-20030430-013: snort
http://archives.neohapsis.com/archives/bugtraq/2003-04/0388.html
ESA-20030430-014: tcpdump
http://archives.neohapsis.com/archives/bugtraq/2003-04/0387.html
- --- Caldera:
CSSA-2003-017.0: samba
http://archives.neohapsis.com/archives/linux/caldera/2003-q2/0002.html
CSSA-2003-018.0: file
http://archives.neohapsis.com/archives/linux/caldera/2003-q2/0003.html
CSSA-2003-019.0: tcp_sec
http://archives.neohapsis.com/archives/linux/caldera/2003-q2/0004.html
Source: Red Hat, Mandrake, Conectiva, Debian, EnGarde, Caldera
http://archives.neohapsis.com/archives/linux/redhat/2003-q2/0047.html
http://archives.neohapsis.com/archives/linux/redhat/2003-q2/0044.html
http://archives.neohapsis.com/archives/linux/mandrake/2003-q2/0096.html
http://archives.neohapsis.com/archives/linux/mandrake/2003-q2/0098.html
http://archives.neohapsis.com/archives/linux/conectiva/2003-q2/0018.html
http://archives.neohapsis.com/archives/linux/conectiva/2003-q2/0017.html
http://archives.neohapsis.com/archives/linux/conectiva/2003-q2/0021.html
http://archives.neohapsis.com/archives/linux/conectiva/2003-q2/0022.html
http://archives.neohapsis.com/archives/linux/conectiva/2003-q2/0027.html
http://archives.neohapsis.com/archives/linux/conectiva/2003-q2/0028.html
http://archives.neohapsis.com/archives/linux/conectiva/2003-q2/0030.html
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0410.html
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0405.html
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0409.html
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0416.html
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0420.html
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0469.html
http://archives.neohapsis.com/archives/bugtraq/2003-04/0388.html
http://archives.neohapsis.com/archives/bugtraq/2003-04/0387.html
http://archives.neohapsis.com/archives/linux/caldera/2003-q2/0002.html
http://archives.neohapsis.com/archives/linux/caldera/2003-q2/0003.html
http://archives.neohapsis.com/archives/linux/caldera/2003-q2/0004.html
*** {03.18.008} Linux - Debian leksbot incorrectly setuid root
Debian released an advisory indicating the leksbot binary was
incorrectly given setuid root privileges. The application is not
designed to run with setuid privileges and could allow local attackers
to gain root access.
Updated Debian DEBs are listed at the reference URL below.
Source: Debian
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0471.html
- --- AIX News -----------------------------------------------------------
*** {03.18.005} AIX - OpenSSH linker incorrect library use
An advisory indicates that OpenSSH binaries built on AIX with a
non-native C compiler (such as gcc) could be linked against incorrect
libraries, potentially allowing a local attacker to gain elevated
privileges by supplying trojaned libraries. Precompiled binary packages
downloaded from www.zip.com.au are also vulnerable.
This vulnerability is confirmed. The OpenSSH package was updated to
compile correctly on AIX. Binaries from www.zip.com.au also were
updated.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-04/0385.html
http://archives.neohapsis.com/archives/bugtraq/2003-05/0017.html
- --- HP-UX News ---------------------------------------------------------
*** {03.18.013} HPUX - rexec -l parameter overflow
The rexec utility contains a buffer overflow in the handling of the '-l'
command-line parameter, which allows a local attacker to execute
arbitrary code with elevated privileges.
This vulnerability is confirmed. Update information is available at the
reference URL below.
Source: HP
http://archives.neohapsis.com/archives/hp/2003-q2/0027.html
- --- Network Devices News -----------------------------------------------
*** {03.18.003} NetDev - Cisco CSS 11000/11500 DNS response DoS
Cisco released an advisory indicating the Content Service Switch 11000
and 11500 will respond to certain DNS requests in a manner that causes
an error to cache, potentially leading to a denial of service for any
future requests made to the name server holding the cached record.
This vulnerability is confirmed. Update information is available at the
reference URL below.
Source: Cisco
http://archives.neohapsis.com/archives/cisco/2003-q2/0003.html
*** {03.18.004} NetDev - Cisco ONS family Nessus DoS
Various devices in the Cisco ONS family contain vulnerabilities in the
telnet and FTP server implementations, which can be crashed by buffer
overflow attempts. These bugs can be tickled by the use of the Nessus
security scanner.
For a list of affected products and versions, please see the reference
URL below.
Source: Cisco
http://archives.neohapsis.com/archives/cisco/2003-q2/0004.html
- --- Cross-Platform News ------------------------------------------------
*** {03.18.006} Cross - mod_auth_any arbitrary command exec
The mod_auth_any Apache module insecurely passes user-supplied data to
a command shell, which allows a remote attacker to execute arbitrary
command-line commands under the privileges of the Web server.
This vulnerability is confirmed.
Updated Red Hat RPMs:
http://archives.neohapsis.com/archives/linux/redhat/2003-q2/0049.html
Source: Red Hat
http://archives.neohapsis.com/archives/linux/redhat/2003-q2/0049.html
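The defect class described in this item, request data spliced into a command line that a shell then parses, has a standard correction: validate the input against an allowlist and invoke the helper with an argument vector so no shell is involved. The block below is an added example and is not mod_auth_any's own code; the page does not show its command template, so `/usr/local/bin/checkpw` is a placeholder path and the `shell_command_vulnerable` / `argv_hardened` / `run_checker` functions are hypothetical.

```python
"""Handing user-supplied data to an external checker: shell string vs argv.

Added example; not mod_auth_any's own code (its command template is not
shown on the page). CHECKER is a placeholder path. It contrasts the
pattern the advisory describes, interpolating request data into a shell
command line, with an allowlist plus argv invocation that never involves
a shell.
"""
import re
import subprocess

CHECKER = "/usr/local/bin/checkpw"  # placeholder path, not a real program

# Allowlist for account names: lowercase POSIX-style names, at most 32 chars.
_USERNAME_RE = re.compile(r"^[a-z_][a-z0-9_.-]{0,31}$")


def is_valid_username(username: str) -> bool:
    """True when the name matches the allowlist; anything else is rejected."""
    return _USERNAME_RE.match(username) is not None


def shell_command_vulnerable(username: str, password: str) -> str:
    """The flawed pattern: request data is spliced into one string that
    /bin/sh will parse, so shell metacharacters in the input become part
    of the command. Returned as a string only; never executed here."""
    return f"{CHECKER} {username} {password}"


def argv_hardened(username: str) -> list:
    """Build an argv list after validating the name. With an argv list no
    shell parses the input, and the allowlist rejects anything unexpected."""
    if not is_valid_username(username):
        raise ValueError("username rejected by allowlist")
    return [CHECKER, username]


def run_checker(username: str, password: str) -> bool:
    """Invoke the checker without a shell; True when it exits 0. The
    password travels on stdin so it never appears in the process list."""
    proc = subprocess.run(argv_hardened(username), input=password.encode(),
                          capture_output=True, timeout=5)
    return proc.returncode == 0
```

`run_checker` is only callable once a real checker sits at the placeholder path; the two pure functions are enough to see the difference, since a name such as `bob;id` survives into the shell string unchanged but is refused before any argv is built.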
*** {03.18.010} Cross - GPG multiple user ID key validity vuln
GnuPG versions 1.2.1 and prior contain a bug whereby multiple user IDs
within the same key are given the same trust permissions as the most
trusted user ID amongst them.
This vulnerability is confirmed and fixed in version 1.2.2.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-05/0062.html
*** {03.18.011} Cross - youbin HOME env var overflow
youbin version 3.4 contains an exploitable buffer overflow in the
handling of the HOME environment variable, which allows a local attacker
to execute arbitrary code with root privileges.
The advisory indicates confirmation by the FreeBSD team.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0053.html
*** {03.18.012} Cross - mod_survey invalid survey disk space DoS
The mod_survey Apache module prior to version 3.0.15 contains a denial
of service attack whereby a remote attacker can consume all available
disk space by making repeated requests for non-existing surveys.
This vulnerability is confirmed and fixed in version 3.0.15.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-05/0058.html
************************************************************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (BSD/OS)
Comment: For info see http://www.gnupg.org
iD8DBQE+vAw6+LUG5KFpTkYRApbbAKCKdz6cqBLKnphMzPhaNdEiaeU7fgCfTfv0
XNfI73fZ7QVHqy7+9if1/wU=
=3Xog
-----END PGP SIGNATURE-----
------------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed to
you and you would like to begin receiving our security e-mail newsletter
on a weekly basis, we invite you to subscribe today.
http://portal.sans.org
We are signing the Consensus newsletter with PGP. The new SANS PGP key
is posted at:
http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
also be accessed from the SANS Web site (http://www.sans.org).
To unsubscribe from this newsletter, or to edit your subscription
information, please go to: http://portal.sans.org
Missed an issue? You can find back issues of Security Alert Consensus
(and other SANS newsletters) online. http://www.sans.org/newsletters
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus at nwc.com>.
Copyright (c) 2003 Network Computing, a CMP Media LLC publication. All
Rights Reserved. Distributed by Network Computing
(http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info at neohapsis.com | http://www.neohapsis.com/).