Security Alert Consensus #023

From: Network Computing and The SANS Institute (sans@sans.org)
Date: Thu Jun 12 2003 - 17:42:16 CDT


Re: Your personalized newsletter

                 -- Security Alert Consensus --
                       Number 023 (03.23)
                  Thursday, June 12, 2003
                       Created for you by
            Network Computing and the SANS Institute
                      Powered by Neohapsis

----------------------------------------------------------------------

Welcome to the latest edition of Security Alert Consensus! Below you
should find information pertaining only to the categories you requested.
Information on how to manage your subscription can be found at the
bottom of the newsletter. If you have any problems or questions, please
e-mail us at <consensus@nwc.com>.

************************* Begin Advertisement ************************

This issue is sponsored by Compuware.
Do you need solutions to WAN management?
Join Network Computing for a FREE On-Demand Webcast
Managing Your WAN for Maximum Business Value
View Program NOW:
http://webevents.broadcast.com/cmp/compuware/042203/index.asp?loc=3

************************** End Advertisement *************************

For those of you who dabble in the vulnerability research side of the
security industry, you may be interested in looking at the "Security
Vulnerability Reporting and Response Process" draft published by the
OIS (Organization for Internet Safety), which is composed entirely of
commercial software vendors and security companies.
http://www.oisafety.org/process.html

The OIS draft is largely a rehash of the earlier, since-withdrawn
Christey-Wysopal Vulnerability Disclosure IETF Internet-Draft. The intent
of the process is to define clearly what is expected of researchers when
disclosing vulnerabilities to vendors--which is a bit of a twist, since
you'd expect vendors to be gracious and accommodating about receiving
bug reports concerning their products. Much of the research community
has criticized the draft as vendor-centric and overly complex; because
compliance is voluntary, the process is worthless if researchers decline
to follow its 37 pages of detail. Russ Cooper gives a good play-by-play
recap in an NTBugtraq post.
http://archives.neohapsis.com/archives/ntbugtraq/2003-q2/0123.html

Until next week,
--Security Alert Consensus Team

************************************************************************

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

TABLE OF CONTENTS:

{03.23.007} Win - Multiple third-party FTP client overflows
{03.23.010} Win - Network drivers may leak memory data
{03.23.012} Win - Various Xpressions software ASP page SQL tampering
{03.23.016} Win - MegaBrowser HTTP server Web root escaping
{03.23.018} Win - IE USERPROFILE folder disclosure
{03.23.020} Win - Max Web Portal CGI multiple vulns
{03.23.021} Win - Mercur Mailserver IMAP command overflows
{03.23.027} Win - Nuca WebServer Web root escaping
{03.23.001} Linux - Updated patches for previous vulnerabilities
{03.23.025} Linux - Linux 2.0 kernel ICMP padding memory disclosure
{03.23.015} Sol - syslog large packet overflow
{03.23.004} NW - iChain login buffer overflow
{03.23.005} NW - HTTPSTK keep-alive DoS
{03.23.014} HP-UX - 'Network traffic' DoS
{03.23.028} HP-UX - Updated patches for previous vulnerabilities
{03.23.029} HP-UX - FTP server REST arbitrary mem reading
{03.23.003} SGI - Updated patches for previous vulnerabilities
{03.23.011} NetDev - Nokia GGSN invalid TCP option DoS
{03.23.026} NetDev - WatchGuard Firebox ICMP memory disclosure
{03.23.006} Cross - XaoS improper use of setuid
{03.23.008} Cross - eterm ETERMPATH env var overflow
{03.23.009} Cross - gzip utility scripts insecure temp file handling
{03.23.013} Cross - atftpd long file name overflow
{03.23.019} Cross - OpenSSH client address restriction bypass
{03.23.022} Cross - Vulnerable PHP applications, 06/10
{03.23.023} Cross - Speak Freely suite multiple vulns
{03.23.024} Cross - Multiple browser window spoofing script exec
{03.23.030} Cross - Upclient -p param overflow
{03.23.002} Tools - BIND 8.3.6 and 8.4.1 available
{03.23.017} Tru64 - Updated patches for previous CDE vulnerabilities

--- Windows News -------------------------------------------------------

*** {03.23.007} Win - Multiple third-party FTP client overflows

Multiple third-party graphical FTP clients reportedly contain buffer
overflows in their handling of server-supplied data (PASV and PWD
replies, host names and file names), allowing a malicious FTP server to
execute arbitrary code on the user's system.

FlashFXP 2.0 build 905: PASV and long host name overflows
http://archives.neohapsis.com/archives/bugtraq/2003-06/0081.html

SmartFTP 1.0.973: PWD and file name overflows
http://archives.neohapsis.com/archives/bugtraq/2003-06/0083.html

LeapFTP 2.7.3.600: PASV overflow
http://archives.neohapsis.com/archives/bugtraq/2003-06/0080.html

FTP Voyager 10.0.0.0 and prior: file name overflow
http://archives.neohapsis.com/archives/bugtraq/2003-06/0077.html

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-06/0081.html
http://archives.neohapsis.com/archives/bugtraq/2003-06/0083.html
http://archives.neohapsis.com/archives/bugtraq/2003-06/0080.html
http://archives.neohapsis.com/archives/bugtraq/2003-06/0077.html
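The common thread in the four reports above is a client that copies a
server-controlled reply (PASV, PWD, a file name) into a fixed buffer. The
following is an added example, not code from any of the clients listed,
showing what a defensive PASV-reply parser looks like: the reply is
length-capped before anything is copied, every field is range-checked,
and the server is refused if it tries to point the data connection at a
host other than the one the client is talking to (the MAX_REPLY_LEN cap
and the expected_host check are this example's own assumptions).

```python
import re
from typing import Optional, Tuple

# Strict parser for the FTP "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
# reply. The server controls every byte of this line, so a client must bound
# and validate it before copying or using any part of it. Added example; not
# code from FlashFXP, SmartFTP, LeapFTP or FTP Voyager.

MAX_REPLY_LEN = 256  # assumed cap; a legitimate 227 line is far shorter
# Exactly six decimal fields of one to three digits inside parentheses.
PASV_RE = re.compile(r"^227[ -].*?\((\d{1,3}(?:,\d{1,3}){5})\)", re.ASCII)


class PasvError(ValueError):
    """Raised for any 227 reply that fails validation."""


def parse_pasv_reply(line: bytes, expected_host: Optional[str] = None) -> Tuple[str, int]:
    """Return (host, port) from a raw 227 reply line, or raise PasvError.

    When expected_host is given (normally the control connection's peer
    address), a reply naming a different host is refused, so the server
    cannot point the data connection at a third machine.
    """
    if len(line) > MAX_REPLY_LEN:
        raise PasvError("227 reply too long (%d bytes)" % len(line))
    try:
        text = line.decode("ascii").rstrip("\r\n")
    except UnicodeDecodeError:
        raise PasvError("227 reply is not ASCII") from None
    match = PASV_RE.match(text)
    if match is None:
        raise PasvError("malformed 227 reply")
    fields = [int(f) for f in match.group(1).split(",")]
    if any(f > 255 for f in fields):
        raise PasvError("address octet or port byte out of range")
    host = ".".join(str(f) for f in fields[:4])
    port = fields[4] * 256 + fields[5]
    if port == 0:
        raise PasvError("data port 0 is invalid")
    if expected_host is not None and host != expected_host:
        raise PasvError("server pointed data connection at %s" % host)
    return host, port


def safe_parse(line: bytes, expected_host: Optional[str] = None) -> Optional[Tuple[str, int]]:
    """Wrapper for callers that prefer None to an exception."""
    try:
        return parse_pasv_reply(line, expected_host)
    except PasvError:
        return None
```

The length cap is applied to the raw bytes before decoding, so an oversized
reply is rejected before it reaches any code that might store it; the
regular expression then fixes the shape of the line rather than scanning
for commas.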

*** {03.23.010} Win - Network drivers may leak memory data

An advisory indicates that certain network drivers on Windows 2003 may
fill the padding of outgoing network packets with bytes from previously
used memory, exposing potentially sensitive data to anyone who can
observe the traffic.

This vulnerability is not confirmed.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-06/0066.html

*** {03.23.012} Win - Various Xpressions software ASP page SQL tampering

Various Xpressions.com software suites are vulnerable to SQL injection
(described in the report as SQL tampering) in the /manage/login.asp
page, allowing a remote attacker to manipulate the Web store as well as
the back-end database.

This vulnerability is not confirmed.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-06/0026.html
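The following is an added example, not code from any Xpressions product,
that models a login page of this kind against an in-memory SQLite table
with constructed sample data. The vulnerable version splices the
submitted fields into the SQL text, so a crafted password or user name
changes the query; the fixed version binds them as parameters. The table
name, account and passwords are this example's own.

```python
import sqlite3
from typing import Optional, Tuple

# Model of a store's /manage/login.asp check, written against an in-memory
# SQLite database with constructed sample data. Added example; not code from
# any Xpressions product. Passwords are stored in clear only to keep the
# model short; real code stores a salted hash.


def make_store_db() -> sqlite3.Connection:
    """Constructed sample data: one administrator account."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE admins (name TEXT, password TEXT, role TEXT)")
    con.execute("INSERT INTO admins VALUES ('admin', 'correct-horse', 'owner')")
    con.commit()
    return con


def login_vulnerable(con: sqlite3.Connection, name: str, password: str) -> Optional[Tuple[str, str]]:
    """String concatenation: the submitted values become part of the SQL itself."""
    sql = ("SELECT name, role FROM admins WHERE name = '" + name +
           "' AND password = '" + password + "'")
    return con.execute(sql).fetchone()


def login_fixed(con: sqlite3.Connection, name: str, password: str) -> Optional[Tuple[str, str]]:
    """Parameter binding: the values are data and can never alter the query's structure."""
    sql = "SELECT name, role FROM admins WHERE name = ? AND password = ?"
    return con.execute(sql, (name, password)).fetchone()
```

With the vulnerable form, a password of x' OR '1'='1 turns the WHERE
clause into (name AND password) OR true, and a user name of admin'--
comments the password check away entirely; the same inputs against the
bound query simply fail to match a row.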

*** {03.23.016} Win - MegaBrowser HTTP server Web root escaping

The MegaBrowser HTTP server allows remote attackers to access files
outside the Web root by using parent directory references ('..') in
requests.

This vulnerability is not confirmed.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-06/0024.html

*** {03.23.018} Win - IE USERPROFILE folder disclosure

A posted advisory indicates that a Web page can read the value of the
USERPROFILE environment variable, which reveals the logged-in user name
and the path to the profile folder, and can use that path to gain access
to local files.

The advisory indicates vendor confirmation.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-06/0035.html

*** {03.23.020} Win - Max Web Portal CGI multiple vulns

The Max Web Portal CGI suite version 1.30 reportedly contains multiple
vulnerabilities: administrative login bypass; cross-site scripting;
database recovery; and arbitrary password reset.

The advisory indicates confirmation by the vendor, which released a
patch available at:
http://www.gulftech.org/vuln/MaxWebPortal%201.30%20Patch.zip

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-06/0048.html

*** {03.23.021} Win - Mercur Mailserver IMAP command overflows

The Mercur Mailserver version 4.2.14.0 contains buffer overflows in the
handling of nearly all IMAP commands, allowing the remote execution of
arbitrary code.

The advisory indicates vendor confirmation. Versions 4.2.15.0 and higher
include fixes.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-06/0049.html

*** {03.23.027} Win - Nuca WebServer Web root escaping

Nuca WebServer version 0.01 allows remote attackers to access files
outside the Web root by using parent directory references ('..') in
requests.

This vulnerability is not confirmed.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-06/0087.html
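Both this entry and the MegaBrowser entry above describe the same
mistake: the request path is appended to the document root without
checking where the result lands. The following is an added example, not
code from either server, that puts the naive mapping beside a safe one.
The safe version decodes the path exactly once, treats backslashes as
separators (both products run on Windows), normalises lexically, and
then requires the result to be the root or something beneath it. The
document root is an assumed value.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Maps a request path onto a document root. The naive mapping is what the
# two servers above are reported to do; the safe mapping decodes once,
# normalises, and refuses anything that leaves the root. Added example with
# an assumed document root; not code from MegaBrowser or Nuca WebServer.

WEB_ROOT = "/var/www/htdocs"  # assumed document root


def map_path_vulnerable(url_path: str) -> str:
    """Decode and concatenate; '..' components pass straight through to the OS."""
    return WEB_ROOT + "/" + unquote(url_path).lstrip("/")


def map_path_safe(url_path: str) -> Optional[str]:
    """Return the absolute file path, or None if the request escapes WEB_ROOT."""
    decoded = unquote(url_path)          # decode exactly once, as the server does
    if "\x00" in decoded:                # a NUL would truncate the name in C code
        return None
    # Treat backslash as a separator too: Windows servers accept '..\' as well.
    candidate = posixpath.normpath(
        posixpath.join(WEB_ROOT, decoded.replace("\\", "/").lstrip("/")))
    # normpath has resolved every '.' and '..' lexically; the result must
    # still be the root itself or a path beneath it (note the trailing '/'
    # in the prefix test, so '/var/www/htdocs2' does not pass).
    if candidate != WEB_ROOT and not candidate.startswith(WEB_ROOT + "/"):
        return None
    return candidate
```

Two caveats a practitioner should keep in mind. The check is lexical, so
it does not see symbolic links inside the root; when opening the file,
resolve it with os.path.realpath and repeat the prefix test. And the
decode step must mirror the server: if a server decodes twice, a
doubly-encoded %252e%252e passes a single-decode check and is still
traversal.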

--- Linux News ---------------------------------------------------------

*** {03.23.001} Linux - Updated patches for previous vulnerabilities

The following is a list of Linux vendor patches for vulnerabilities
previously reported in Security Alert Consensus.

--- Red Hat:

RHSA-2003:070-01: hanterm
http://archives.neohapsis.com/archives/linux/redhat/2003-q2/0069.html

RHSA-2003:192-01: KDE
http://archives.neohapsis.com/archives/linux/redhat/2003-q2/0068.html

--- Debian:

DSA-311-1: kernel
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0850.html

DSA-312-1: powerpc kernel
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0872.html

--- Mandrake:

MDKSA-2003:064: kon2
http://archives.neohapsis.com/archives/linux/mandrake/2003-q2/0165.html

MDKSA-2003:065: ghostscript
http://archives.neohapsis.com/archives/linux/mandrake/2003-q2/0171.html

--- Immunix:

IMNX-2003-7+-011-01: wget
http://archives.neohapsis.com/archives/linux/immunix/2003-q2/0019.html

IMNX-2003-7+-012-01: file
http://archives.neohapsis.com/archives/linux/immunix/2003-q2/0020.html

IMNX-2003-7+-013-01: LPRng
http://archives.neohapsis.com/archives/linux/immunix/2003-q2/0021.html

IMNX-2003-7+-015-01: zlib
http://archives.neohapsis.com/archives/linux/immunix/2003-q2/0022.html

IMNX-2003-7+-016-01: tetex
http://archives.neohapsis.com/archives/linux/immunix/2003-q2/0025.html

--- SuSE:

SuSE-SA:2003:028: cups
http://archives.neohapsis.com/archives/linux/suse/2003-q2/0718.html

SuSE-SA:2003:029: pptpd
http://archives.neohapsis.com/archives/linux/suse/2003-q2/0720.html

Source: Red Hat, Debian, Mandrake, Immunix, SuSE
http://archives.neohapsis.com/archives/linux/redhat/2003-q2/0069.html
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0850.html
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0872.html
http://archives.neohapsis.com/archives/linux/mandrake/2003-q2/0165.html
http://archives.neohapsis.com/archives/linux/mandrake/2003-q2/0171.html
http://archives.neohapsis.com/archives/linux/immunix/2003-q2/0019.html
http://archives.neohapsis.com/archives/linux/immunix/2003-q2/0020.html
http://archives.neohapsis.com/archives/linux/immunix/2003-q2/0021.html
http://archives.neohapsis.com/archives/linux/immunix/2003-q2/0022.html
http://archives.neohapsis.com/archives/linux/immunix/2003-q2/0025.html
http://archives.neohapsis.com/archives/linux/suse/2003-q2/0718.html
http://archives.neohapsis.com/archives/linux/suse/2003-q2/0720.html

*** {03.23.025} Linux - Linux 2.0 kernel ICMP padding memory disclosure

The Linux 2.0 kernel series includes extra data in ICMP response
packets. The padding is copied from whatever happened to be in kernel
memory at the time and could include sensitive information.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-06/0082.html

--- Solaris News -------------------------------------------------------

*** {03.23.015} Sol - syslog large packet overflow

The syslogd included with Solaris 8 reportedly contains a buffer
overflow in the handling of large UDP packets, possibly allowing for
the remote execution of arbitrary code.

This vulnerability is confirmed by the vendor, which released patches
110945 and 110946.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-06/0039.html

--- NetWare News -------------------------------------------------------

*** {03.23.004} NW - iChain login buffer overflow

Novell released field patches for iChain versions 2.1 and 2.2, which
fix buffer overflows in the handling of the login field parameter.

These vulnerabilities are confirmed. Updated information is available
at the reference URLs below.

Source: Novell (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2003-06/0052.html
http://archives.neohapsis.com/archives/bugtraq/2003-06/0053.html

*** {03.23.005} NW - HTTPSTK keep-alive DoS

The Netware HTTPSTK Web daemon (used for various Novell Web
administration services) contains a denial of service vulnerability in
the handling of malformed keep-alive requests.

Update information is available at the reference URL below.

Source: Novell (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2003-06/0054.html

--- HP-UX News ---------------------------------------------------------

*** {03.23.014} HP-UX - 'Network traffic' DoS

HP released an advisory indicating that particular malformed network
traffic can cause some network services to fail. Specific details were
not made available.

Update information is available at the reference URL below.

Source: HP
http://archives.neohapsis.com/archives/hp/2003-q2/0058.html

*** {03.23.028} HP-UX - Updated patches for previous vulnerabilities

The following is a list of HP-UX vendor patches for vulnerabilities
previously reported in Security Alert Consensus.

HPSBUX0306-265: OpenSSH
http://archives.neohapsis.com/archives/hp/2003-q2/0063.html

Source: HP
http://archives.neohapsis.com/archives/hp/2003-q2/0063.html

*** {03.23.029} HP-UX - FTP server REST arbitrary mem reading

The HP-UX FTP server version 1.1.214.4 included with HP-UX 11.x allows
a remote attacker to read arbitrary data from system memory as a result
of a flaw in the REST command.

This vulnerability is confirmed and fixed in patch PHNE_18377.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-06/0033.html

--- SGI News -----------------------------------------------------------

*** {03.23.003} SGI - Updated patches for previous vulnerabilities

The following is a list of IRIX vendor patches for vulnerabilities
previously reported in Security Alert Consensus.

20021105-02-I: Apache
http://archives.neohapsis.com/archives/vendor/2003-q2/0059.html

20030602-01-I: Websetup/Webmin
http://archives.neohapsis.com/archives/vendor/2003-q2/0067.html

Source: SGI
http://archives.neohapsis.com/archives/vendor/2003-q2/0059.html
http://archives.neohapsis.com/archives/vendor/2003-q2/0067.html

--- Network Devices News -----------------------------------------------

*** {03.23.011} NetDev - Nokia GGSN invalid TCP option DoS

The Nokia GGSN reloads when a packet with an invalid TCP option is
passed through it.

The vendor confirmed this vulnerability.

Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0098.html

*** {03.23.026} NetDev - WatchGuard Firebox ICMP memory disclosure

The WatchGuard Firebox II uses a vulnerable Linux 2.0 kernel that
discloses extra memory in ICMP responses.

The advisory indicates vendor confirmation.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-06/0082.html
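This entry and the Linux 2.0 entry {03.23.025} describe the same
symptom: an ICMP reply that carries bytes the sender never put there.
The following is an added example, not code from either advisory, that
shows how to check for it. It builds ICMP echo packets from constructed
bytes (nothing is sent on the wire), verifies the reply's checksum,
identifier and sequence number, confirms the echoed payload, and flags
any trailing bytes beyond it. All-zero trailing bytes are treated as
benign padding; anything else is reported as a candidate disclosure. The
"leaked" bytes in the test are constructed.

```python
import struct
from typing import Dict

# Builds ICMP echo packets and checks a reply against the request it
# answers. A reply carrying non-zero bytes beyond the echoed payload is the
# shape of the padding leak reported for the Linux 2.0 kernel and the
# Firebox II. Added example; not code from either advisory. No packets are
# sent; replies are constructed by the caller.

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words (zero-pads odd length)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """Assemble an ICMP echo request or reply with a correct checksum."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def check_echo_reply(request: bytes, reply: bytes) -> Dict[str, object]:
    """Compare a reply with the request it should echo.

    Returns {"ok": bool, "reason": str, "extra": bytes}; "extra" holds any
    bytes the reply carries beyond the payload that was sent.
    """
    if len(reply) < 8:
        return {"ok": False, "reason": "reply shorter than ICMP header", "extra": b""}
    if icmp_checksum(reply) != 0:  # a valid packet sums to zero with its checksum included
        return {"ok": False, "reason": "bad checksum", "extra": b""}
    _, _, _, req_ident, req_seq = struct.unpack("!BBHHH", request[:8])
    r_type, r_code, _, r_ident, r_seq = struct.unpack("!BBHHH", reply[:8])
    if r_type != ICMP_ECHO_REPLY or r_code != 0:
        return {"ok": False, "reason": "not an echo reply", "extra": b""}
    if (r_ident, r_seq) != (req_ident, req_seq):
        return {"ok": False, "reason": "id/seq do not match request", "extra": b""}
    sent = request[8:]
    echoed = reply[8:8 + len(sent)]
    extra = reply[8 + len(sent):]
    if echoed != sent:
        return {"ok": False, "reason": "payload not echoed faithfully", "extra": extra}
    if extra and extra.strip(b"\x00"):
        # Non-zero bytes we never sent: candidate memory disclosure.
        return {"ok": False, "reason": "%d unsolicited non-zero bytes" % len(extra), "extra": extra}
    return {"ok": True, "reason": "clean", "extra": extra}
```

To use this against a live host, send the request from a raw socket with
a distinctive payload and pass the ICMP portion of each reply to
check_echo_reply; repeating the probe and watching whether the extra bytes
change between replies separates a real memory leak from static padding.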

--- Cross-Platform News ------------------------------------------------

*** {03.23.006} Cross - XaoS improper use of setuid

The XaoS graphics application is commonly installed setuid root so that
it can use svgalib. However, XaoS was not designed to run with
privileges, so a local attacker can use it to gain root.

The recommended solution is to remove setuid privileges from the XaoS
binary.

Updated Debian DEBs:
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0851.html

Source: Debian
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0851.html

*** {03.23.008} Cross - eterm ETERMPATH env var overflow

Eterm contains a buffer overflow in the handling of the ETERMPATH
environment variable. On systems with eterm installed setuid/setgid,
this could allow a local attacker to gain elevated privileges.

This vulnerability is confirmed. Updated Debian DEBs are listed at the
reference URL below.

Source: Debian
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0843.html

*** {03.23.009} Cross - gzip utility scripts insecure temp file handling

The znew and gzexe utilities included with the gzip suite handle
temporary files insecurely, allowing a local attacker to perform a
symlink attack.

These vulnerabilities are confirmed by Debian. Updated Debian DEBs are
listed at the reference URL below.

Source: Debian
http://archives.neohapsis.com/archives/linux/debian/2003-q2/0842.html
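The following is an added example, not the gzip project's code, that
reproduces the class of attack described here and shows the fix. A script
that writes to a predictable name such as /tmp/gz$$ can be pre-empted by
an attacker who creates a symlink of that name pointing at a file the
victim can write; the open follows the link and clobbers the target.
Opening with O_CREAT|O_EXCL fails on an existing path (a symlink counts,
even a dangling one), and tempfile.mkstemp combines that with an
unpredictable name and mode 0600. The scratch directory, victim file and
the guessed name gz1234 are constructed for the demo.

```python
import os
import shutil
import tempfile
from typing import Dict

# Reproduces the symlink attack on a predictable temporary file name and
# shows the two fixes: O_EXCL (refuse an existing path, symlink included)
# and tempfile.mkstemp (unpredictable name, O_EXCL, mode 0600). Everything
# happens inside a private scratch directory created for the demo; the
# "victim" file and its contents are constructed. Added example; not the
# gzip project's code.


def plant_symlink(workdir: str):
    """Attacker's move: pre-create the name the script will use, pointing at a victim file."""
    victim = os.path.join(workdir, "victim.txt")
    with open(victim, "w") as f:
        f.write("important data\n")
    predictable = os.path.join(workdir, "gz1234")  # stands in for /tmp/gz$$ with a guessed PID
    os.symlink(victim, predictable)
    return victim, predictable


def create_unsafe(path: str, data: str) -> None:
    """Vulnerable pattern: open for writing without O_EXCL; the symlink is followed."""
    with open(path, "w") as f:
        f.write(data)


def create_safe(path: str, data: str) -> None:
    """Fixed pattern: O_CREAT|O_EXCL fails with EEXIST if anything (symlink included) is there."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)


def run_demo() -> Dict[str, object]:
    """Run both variants against the planted symlink and report what happened to the victim."""
    workdir = tempfile.mkdtemp()
    result = {}
    try:
        victim, link = plant_symlink(workdir)
        create_unsafe(link, "attacker-chosen content\n")
        with open(victim) as f:
            result["victim_after_unsafe"] = f.read()
        with open(victim, "w") as f:  # restore the victim for the second round
            f.write("important data\n")
        try:
            create_safe(link, "attacker-chosen content\n")
            result["safe_refused"] = False
        except FileExistsError:
            result["safe_refused"] = True
        with open(victim) as f:
            result["victim_after_safe"] = f.read()
        fd, path = tempfile.mkstemp(dir=workdir)  # the right tool: unique name plus O_EXCL
        os.close(fd)
        result["mkstemp_mode"] = oct(os.stat(path).st_mode & 0o777)
    finally:
        shutil.rmtree(workdir)
    return result
```

The demo uses a private directory rather than /tmp, so it does not depend
on the Linux fs.protected_symlinks setting (which only restricts following
symlinks in sticky, world-writable directories) and does not need a
second user account; in the real attack the victim and attacker differ,
and the sticky bit on /tmp is exactly what makes the pre-created symlink
possible.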

*** {03.23.013} Cross - atftpd long file name overflow

The atftpd server contains a buffer overflow in the handling of long
file names in transfer requests. This could potentially allow the remote
execution of arbitrary code.

This vulnerability is not confirmed.

Source: SecurityFocus Vuln-Dev
http://archives.neohapsis.com/archives/vuln-dev/2003-q2/0232.html

*** {03.23.019} Cross - OpenSSH client address restriction bypass

The client address restriction feature of OpenSSH versions 3.6.1 and
prior (such as the from= option in authorized_keys) incorrectly grants
access to remote clients whose reverse DNS host name contains an allowed
IP address. A client controls its own PTR record, so an address-based
restriction should never be satisfied by the resolved name.

This vulnerability is not confirmed.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-06/0038.html
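The following is an added example, not OpenSSH's code, that models the
mistake in a small pattern-list matcher. In the vulnerable version the
same pattern list is tested against both the peer's IP address and its
reverse-DNS name, so a PTR record of 10.0.0.1.attacker.example satisfies
the pattern 10.0.0.* as a plain string. The fixed version compares
address-shaped patterns only with the address and name patterns only with
the name. The pattern syntax (comma-separated globs, leading ! negates),
the addresses and the host names are this example's own.

```python
import fnmatch
from typing import List

# Model of an address/host pattern list of the kind sshd's "from=" option
# uses, with the matching mistake the report describes: the list is tested
# against the IP address and against the reverse-DNS name. Because the peer
# controls its own PTR record, a name such as "10.0.0.1.attacker.example"
# satisfies "10.0.0.*" as a string. Added example; this is not OpenSSH's
# code, and the hostnames and addresses are constructed.


def _split(patterns: str) -> List[str]:
    return [p.strip() for p in patterns.split(",") if p.strip()]


def _match_list(patterns: List[str], value: str) -> int:
    """Return 1 on a positive match, -1 if a negated pattern matches, 0 otherwise."""
    matched = 0
    for pat in patterns:
        negate = pat.startswith("!")
        if fnmatch.fnmatchcase(value, pat[1:] if negate else pat):
            if negate:
                return -1
            matched = 1
    return matched


def _looks_like_address_pattern(pat: str) -> bool:
    """True if the pattern can only describe an IPv4 address: digits, dots and wildcards."""
    return pat != "" and all(c in "0123456789.*?" for c in pat)


def allowed_vulnerable(patterns: str, peer_ip: str, peer_name: str) -> bool:
    """The reported behaviour: a hit against either the IP or the reverse name admits the client."""
    pats = _split(patterns)
    return 1 in (_match_list(pats, peer_ip), _match_list(pats, peer_name))


def allowed_fixed(patterns: str, peer_ip: str, peer_name: str) -> bool:
    """Address-shaped patterns see only the IP; the rest see only the name; any negated hit refuses."""
    pats = _split(patterns)
    addr_pats = [p for p in pats if _looks_like_address_pattern(p.lstrip("!"))]
    name_pats = [p for p in pats if not _looks_like_address_pattern(p.lstrip("!"))]
    r_ip = _match_list(addr_pats, peer_ip)
    r_name = _match_list(name_pats, peer_name)
    if -1 in (r_ip, r_name):
        return False
    return 1 in (r_ip, r_name)
```

Even with the fix, a pattern written as a host name still trusts DNS;
restrictions meant to be hard should be written as addresses, and a host
name should only be believed when the forward lookup of that name returns
the connecting address.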

*** {03.23.022} Cross - Vulnerable PHP applications, 06/10

The following is a list of reported vulnerable third-party PHP CGI
applications. These vulnerabilities are not confirmed.

zenTrack 2.4.1 and prior: vulnerability in session_start.php
http://archives.neohapsis.com/archives/bugtraq/2003-06/0055.html

Spyke's PHP Board 2.1: password recovery
http://archives.neohapsis.com/archives/bugtraq/2003-06/0078.html

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-06/0055.html
http://archives.neohapsis.com/archives/bugtraq/2003-06/0078.html

*** {03.23.023} Cross - Speak Freely suite multiple vulns

Versions of the Speak Freely software suite prior to 7.6 contain
multiple vulnerabilities: insecure temporary file handling; numerous
buffer overflows capable of the remote execution of arbitrary code; and
the potential to relay/proxy UDP packets into a protected network.

The advisory indicates confirmation by the vendor, which released
version 7.6.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-06/0057.html

*** {03.23.024} Cross - Multiple browser window spoofing script exec

An advisory indicates the Mozilla, Netscape and Opera browsers are
vulnerable to variations of previously reported JavaScript window
spoofing bugs that allow the execution of arbitrary JavaScript in the
local system security zone.

These vulnerabilities are not confirmed.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-06/0065.html

*** {03.23.030} Cross - Upclient -p param overflow

The upclient utility contains a buffer overflow in the handling of the
'-p' command-line parameter. On systems where upclient is installed
setuid/setgid (e.g., the FreeBSD ports tree), there's a potential for
a local attacker to execute arbitrary code with elevated privileges.

This vulnerability is not confirmed.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-05/0276.html

--- Tool Announcements News --------------------------------------------

*** {03.23.002} Tools - BIND 8.3.6 and 8.4.1 available

Last week, BIND versions 8.3.5 and 8.4.0 were released. Because of some
bugs, updated versions (8.3.6 and 8.4.1) were released this week. At
this rate, you might want to hold off upgrading until next week, just
in case.

Updated BIND tarballs can be downloaded from:
http://www.isc.org/bind/

Source: BIND
http://archives.neohapsis.com/archives/bind/2003/0010.html
http://archives.neohapsis.com/archives/bind/2003/0011.html

--- Tru64 News ---------------------------------------------------------

*** {03.23.017} Tru64 - Updated patches for previous CDE vulnerabilities

HP/Compaq released ERPs (early release patches) for various CDE-related
vulnerabilities. Full patch information is available at the reference
URL below.

Source: HP/Compaq
http://archives.neohapsis.com/archives/tru64/2003-q2/0007.html

************************************************************************

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (BSD/OS)
Comment: For info see http://www.gnupg.org

iD8DBQE+6OFg+LUG5KFpTkYRAg8OAJ9QPad34PbsprHOYKdgLza6l2a3bwCfUrHb
eWVGSl6aneyTjFafB4eT9J0=
=5CIX
-----END PGP SIGNATURE-----
------------------------------------------------------------------------


Become a Security Alert Consensus member! If this e-mail was passed to
you and you would like to begin receiving our security e-mail newsletter
on a weekly basis, we invite you to subscribe today.
http://portal.sans.org

We are signing the Consensus newsletter with PGP. The new SANS PGP key
is posted at:
http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
also be accessed from the SANS Web site (http://www.sans.org).

To unsubscribe from this newsletter, or to edit your subscription
information, please go to: http://portal.sans.org/

Missed an issue? You can find back issues of Security Alert Consensus
(and other SANS newsletters) online. http://www.sans.org/newsletters

Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.

Copyright (c) 2003 Network Computing, a CMP Media LLC publication. All
Rights Reserved. Distributed by Network Computing
(http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).