Security Alert Consensus #029

From: Network Computing and The SANS Institute (sans@sans.org)
Date: Fri Jul 25 2003 - 08:26:32 CDT


Re: Your personalized newsletter

                 -- Security Alert Consensus --
                       Number 029 (03.29)
                  Thursday, July 24, 2003
                       Created for you by
            Network Computing and the SANS Institute
                      Powered by Neohapsis

----------------------------------------------------------------------

Welcome to the latest edition of Security Alert Consensus! Below you
should find information pertaining only to the categories you requested.
Information on how to manage your subscription can be found at the
bottom of the newsletter. If you have any problems or questions, please
e-mail us at <consensus@nwc.com>.

************************* Begin Advertisement ************************

This issue is sponsored by Sprint, Cisco and CMP.
Looking for a service that allows frame relay packets to ride
securely over an IP core? Here's one that delivers high reliability
and flexible bandwidth. Best of all, since it's IP-based, it can help
you migrate to a VPN solution down the road.
http://www.techweb.com/cha03/framerelaypav

************************** End Advertisement *************************

It's another big week for security vulnerabilities. This week brings a
new version of Apache, which contains security fixes (reported as
{03.29.003}), multiple Linux kernel bugs (reported as {03.29.005}) and
another possible Windows DCOM RPC problem (reported as {03.29.012}).

If you don't have any of the above mentioned news items, it is because
you have not subscribed to their respective platform categories.
Information on how to change your platform category subscription choices
is at the bottom of this newsletter.

Until next week,
--Security Alert Consensus Team

************************************************************************

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

TABLE OF CONTENTS:

{03.29.002} Win - Update {03.28.014}: Storefront CGI login SQL tampering
{03.29.007} Win - RAV Antivirus online scanning control overflow
{03.29.008} Win - Mail System CGI database recovery and SQL tampering
{03.29.009} Win - .netCart CGI config file retrieval
{03.29.010} Win - ServerLock DLL injection and device symlink bypass
{03.29.011} Win - WiTango/Tango long cookie overflow
{03.29.012} Win - RPC DCOM RemoteGetClassObject DoS
{03.29.013} Win - Netterm netftpd multiple overflows
{03.29.001} Linux - Updated patches for previous vulnerabilities
{03.29.005} Linux - Multiple kernel vulns, 07/22
{03.29.016} SGI - nsd multiple vulns
{03.29.006} SCO - Merge display utility vuln
{03.29.003} Cross - Apache 1.3.28 released, with security fixes
{03.29.004} Cross - Vulnerable PHP applications, 07/22
{03.29.014} Cross - fdclone insecure temp file handling
{03.29.015} Cross - QuickTime/Darwin Streaming Server multiple vulns

- --- Windows News -------------------------------------------------------

*** {03.29.002} Win - Update {03.28.014}: Storefront CGI login SQL
                tampering

The vulnerability previously discussed in {03.28.014} ("Storefront CGI
login SQL tampering") only affects Storefront version 5.0 (builds prior
to 50.4014). Version 6.0 is not affected.

The vendor confirmed the vulnerability. A patch is available at:
http://support.storefront.net/Updates/50.4014/security/default.htm

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-07/0233.html

*** {03.29.007} Win - RAV Antivirus online scanning control overflow

The RAV Antivirus Online Scanning ActiveX control reportedly contains
a buffer overflow in the browseForFolder() function that could allow a
malicious Web site to execute arbitrary code on the user's system.

This vulnerability is not confirmed.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-07/0240.html

*** {03.29.008} Win - Mail System CGI database recovery and SQL
                tampering

The Mail System ASP CGI suite version 0.9 beta reportedly contains a
SQL tampering vulnerability in the handling of login information. The
database file is also stored in the Web root, making it retrievable by
remote attackers.

These vulnerabilities are not confirmed.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-07/0200.html

*** {03.29.009} Win - .netCart CGI config file retrieval

The .netCart ASP.NET CGI suite reportedly allows a remote attacker to
retrieve the settings.xml file, thereby disclosing sensitive
configuration information.

This vulnerability is not confirmed.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-07/0213.html

*** {03.29.010} Win - ServerLock DLL injection and device symlink bypass

WatchGuard ServerLock version 2.0.1 reportedly contains two
vulnerabilities that could allow a local attacker to bypass the security
protection: loading of arbitrary kernel drivers via DLL injection and
access to physical memory via device name symlinks.

The advisory indicates confirmation by the vendor, which released a
patch at:
https://www.watchguard.com/archive/softwarecenter.asp

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-07/0234.html

*** {03.29.011} Win - WiTango/Tango long cookie overflow

The WiTango application server and the Tango 2000 application server
contain a buffer overflow in the handling of the WiTango_UserReference
cookie that allows a remote attacker to execute arbitrary code on the
system.

WiTango version 5.0.1.062 contains a fix. It is available for download
at:
http://www.witango.com/

Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0038.html

*** {03.29.012} Win - RPC DCOM RemoteGetClassObject DoS

The RemoteGetClassObject DCOM RPC function implemented in Windows 2000
contains a denial of service vulnerability that lets an attacker crash
the RPC service. It may then be possible for a local attacker to perform
an impersonation and privilege elevation attack. Windows 2000 SP4 is
reportedly vulnerable, and this appears to be separate from MS03-026.

This vulnerability is not confirmed.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-07/0255.html

*** {03.29.013} Win - Netterm netftpd multiple overflows

Netterm netftpd version 4.2.8.e contains various buffer overflows and
oddities that cause the netftpd process to crash. Execution of arbitrary
code may be possible.

These vulnerabilities are not confirmed.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-07/0261.html

- --- Linux News ---------------------------------------------------------

*** {03.29.001} Linux - Updated patches for previous vulnerabilities

The following is a list of Linux vendor patches for vulnerabilities
previously reported in Security Alert Consensus.

- --- Red Hat:

RHSA-2003:162-02: Mozilla
http://archives.neohapsis.com/archives/linux/redhat/2003-q3/0012.html

RHSA-2003:196-02: Xpdf
http://archives.neohapsis.com/archives/linux/redhat/2003-q3/0009.html

- --- Mandrake:

MDKSA-2003:066-1: kernel
http://archives.neohapsis.com/archives/linux/mandrake/2003-q3/0044.html

MDKSA-2003:075: Apache2
http://archives.neohapsis.com/archives/linux/mandrake/2003-q3/0045.html

MDKSA-2003:076: nfs-utils
http://archives.neohapsis.com/archives/linux/mandrake/2003-q3/0046.html

- --- Conectiva:

CLA-2003:698: Apache
http://archives.neohapsis.com/archives/linux/conectiva/2003-q3/0017.html

CLA-2003:700: nfs-utils
http://archives.neohapsis.com/archives/linux/conectiva/2003-q3/0019.html

CLA-2003:701: kernel
http://archives.neohapsis.com/archives/linux/conectiva/2003-q3/0020.html

CLA-2003:702: cups
http://archives.neohapsis.com/archives/linux/conectiva/2003-q3/0021.html

- --- Trustix:

TSLSA-2003-0027: nfs-utils
http://archives.neohapsis.com/archives/bugtraq/2003-07/0238.html

Source: Red Hat, Mandrake, Conectiva, Trustix (SF Bugtraq)
http://archives.neohapsis.com/archives/linux/redhat/2003-q3/0012.html
http://archives.neohapsis.com/archives/linux/redhat/2003-q3/0009.html
http://archives.neohapsis.com/archives/linux/mandrake/2003-q3/0044.html
http://archives.neohapsis.com/archives/linux/mandrake/2003-q3/0045.html
http://archives.neohapsis.com/archives/linux/mandrake/2003-q3/0046.html
http://archives.neohapsis.com/archives/linux/conectiva/2003-q3/0017.html
http://archives.neohapsis.com/archives/linux/conectiva/2003-q3/0019.html
http://archives.neohapsis.com/archives/linux/conectiva/2003-q3/0020.html
http://archives.neohapsis.com/archives/linux/conectiva/2003-q3/0021.html
http://archives.neohapsis.com/archives/bugtraq/2003-07/0238.html

*** {03.29.005} Linux - Multiple kernel vulns, 07/22

Red Hat released an advisory detailing multiple vulnerabilities in the
Linux 2.4 kernel: serial driver proc entry exposes byte counts; execve()
race condition DoS; RPC sockets incorrectly set reuse flag; execve()
incorrectly passes file descriptors; proc may allow local users to
retain control of proc entries of suid apps; STP protocol input did not
check length, resulting in DoS; and the local forwarding table can be
spoofed.

Red Hat confirmed these vulnerabilities.

Source: Red Hat
http://archives.neohapsis.com/archives/linux/redhat/2003-q3/0011.html

- --- SGI News -----------------------------------------------------------

*** {03.29.016} SGI - nsd multiple vulns

SGI released an advisory indicating several vulnerabilities exist in
the name service daemon (nsd): UDP portscan can cause a crash;
/etc/group doesn't honor '-' entries; dynamic maps can be used to
consume all memory; and DNS callbacks do not perform enough sanity
checking.

Update information is listed at the reference URL below.

Source: SGI
http://archives.neohapsis.com/archives/vendor/2003-q3/0020.html

- --- SCO News -----------------------------------------------------------

*** {03.29.006} SCO - Merge display utility vuln

SCO released an advisory indicating local attackers can exploit a
security vulnerability in the Merge /usr/lib/merge/display utility to
gain root privileges.

Update information is available at the reference URLs below.

Source: SCO
http://archives.neohapsis.com/archives/linux/caldera/2003-q3/0001.html
http://archives.neohapsis.com/archives/linux/caldera/2003-q3/0002.html

- --- Cross-Platform News ------------------------------------------------

*** {03.29.003} Cross - Apache 1.3.28 released, with security fixes

Apache version 1.3.28 was released. This version fixes multiple security
vulnerabilities: rotatelogs invalid character sent via pipe results in
denial of service; too many internal subrequests could result in a
denial of service; and file descriptors are leaked to child CGI
processes.

Updated versions of Apache are available at:
http://httpd.apache.org/

Source: Apache
http://archives.neohapsis.com/archives/apache/2003/0003.html
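
The third Apache fix above (file descriptors leaked to child CGI
processes) is easy to reproduce in miniature. The script below is an
added example, not Apache's code: it opens a constructed "server-private"
file, spawns a child the way a server spawns a CGI process, and has the
child report whether it can still read through the inherited descriptor.
The fixes shown are the two a server has: mark the descriptor close-on-exec
(FD_CLOEXEC), or close everything above stdin/stdout/stderr in the child
before exec. The child program, the SECRET contents and the use of a
temporary file as the stand-in for a log or config handle are all
assumptions of this example.

```python
import os
import subprocess
import sys
import tempfile

# Child program: try to read from the descriptor number it is handed and
# report what it got.  A CGI script could do exactly this to read a log
# or configuration handle the server forgot to close.
_CHILD = (
    "import os, sys\n"
    "fd = int(sys.argv[1])\n"
    "try:\n"
    "    sys.stdout.write(os.pread(fd, 64, 0).decode())\n"
    "except OSError:\n"
    "    sys.stdout.write('closed')\n"
)

# Constructed content standing in for anything the server keeps open.
SECRET = b"server-private\n"


def child_can_read(fd, close_fds):
    """Spawn a child the way a server spawns a CGI process and return True
    if it could read SECRET through descriptor `fd`.  close_fds=False
    models a server that execs without closing anything; the kernel then
    hands over every descriptor that is not marked close-on-exec."""
    out = subprocess.run([sys.executable, "-c", _CHILD, str(fd)],
                         close_fds=close_fds, capture_output=True, text=True)
    return out.stdout == SECRET.decode()


def demo():
    """Returns which configurations let the child read the parent's file."""
    fd, path = tempfile.mkstemp()  # stands in for a log or config handle
    os.write(fd, SECRET)
    # Leaky configuration: the descriptor is inheritable (the default for a
    # plain open(2) in C) and nothing is closed before exec.
    os.set_inheritable(fd, True)
    leaked = child_can_read(fd, close_fds=False)
    # Fix 1: set FD_CLOEXEC on the descriptor; exec() closes it automatically.
    os.set_inheritable(fd, False)
    after_cloexec = child_can_read(fd, close_fds=False)
    # Fix 2: close everything above 2 in the child before exec, which also
    # covers descriptors opened by libraries that never set FD_CLOEXEC.
    os.set_inheritable(fd, True)
    after_close_fds = child_can_read(fd, close_fds=True)
    os.close(fd)
    os.unlink(path)
    return {"leaked": leaked, "after_cloexec": after_cloexec,
            "after_close_fds": after_close_fds}
```

Run demo(): only the first configuration lets the child read the file.
Fix 2 is the more robust of the two in a server that links third-party
modules, since it does not depend on every library having set FD_CLOEXEC
on what it opened.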

*** {03.29.004} Cross - Vulnerable PHP applications, 07/22

The following is a list of reported vulnerable third-party PHP CGI
applications. These vulnerabilities are not necessarily confirmed.

AtomicBoard 0.6.2: file reading
http://archives.neohapsis.com/archives/bugtraq/2003-07/0262.html

Simpnews 2.13: remote file include code execution
http://archives.neohapsis.com/archives/bugtraq/2003-07/0252.html

Elite News 1.0.0.3: admin login bypass
http://archives.neohapsis.com/archives/bugtraq/2003-07/0227.html

eStore 1.0.2: SQL tampering
http://archives.neohapsis.com/archives/bugtraq/2003-07/0220.html

Webcalendar 0.9.41: file reading
http://archives.neohapsis.com/archives/bugtraq/2003-07/0264.html

Ashnews 0.83: remote file include code execution
http://archives.neohapsis.com/archives/bugtraq/2003-07/0270.html

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-07/0262.html
http://archives.neohapsis.com/archives/bugtraq/2003-07/0252.html
http://archives.neohapsis.com/archives/bugtraq/2003-07/0227.html
http://archives.neohapsis.com/archives/bugtraq/2003-07/0220.html
http://archives.neohapsis.com/archives/bugtraq/2003-07/0264.html
http://archives.neohapsis.com/archives/bugtraq/2003-07/0270.html
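
"SQL tampering" of a login form, as reported this week for Storefront
({03.29.002}), Mail System ({03.29.008}) and eStore above, and the "admin
login bypass" class of bug generally, comes down to one coding pattern.
The script below is an added example, not code from any of those
products: it builds the same login query twice against an in-memory
SQLite table, once by splicing the form fields into the statement text
and once with bound parameters, and runs the classic bypass string
against both. The user table, the accounts and the attacker's input are
constructed here so it runs offline.

```python
import sqlite3

# Constructed sample accounts.  Plain-text passwords are used only to keep
# the example short; real code compares salted password hashes.
_USERS = [("admin", "s3cret-admin-pw"), ("alice", "alice-pw")]


def _connect():
    """In-memory SQLite database standing in for the application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", _USERS)
    return conn


def login_vulnerable(conn, username, password):
    """The pattern behind 'login SQL tampering': form fields are spliced
    straight into the statement text, so a quote in the input ends the
    string literal and whatever follows is executed as SQL."""
    sql = ("SELECT username FROM users WHERE username = '%s' "
           "AND password = '%s'" % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    """Same query with bound parameters.  The driver sends the values
    separately from the statement, so the quote is just a character."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(sql, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    """Run the classic bypass against both versions.

    The vulnerable query logs the attacker in as the first user in the
    table without knowing any password; the parameterised one returns None
    for the bypass string and still works for the real password."""
    conn = _connect()
    # The leading quote closes the password literal, OR '1'='1' is true for
    # every row, and -- comments out the quote the template appends.
    bypass = "' OR '1'='1' -- "
    return {
        "vulnerable": login_vulnerable(conn, "admin", bypass),
        "safe": login_safe(conn, "admin", bypass),
        "safe_with_real_password": login_safe(conn, "admin", "s3cret-admin-pw"),
    }
```

The vulnerable statement ends up reading
SELECT username FROM users WHERE username = 'admin' AND password = '' OR '1'='1' -- '
which is true for every row. Escaping quotes by hand is the usual
half-fix; binding parameters removes the problem for every character the
database might treat specially.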

*** {03.29.014} Cross - fdclone insecure temp file handling

Debian released an advisory indicating the fdclone utility insecurely
uses temporary files/directories, thereby allowing a local attacker to
perform a symlink attack.

Updated Debian DEBs are listed at the reference URL below.

Source: Debian
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0128.html
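
The symlink attack this advisory describes works whenever a program
creates a temporary file at a name the attacker can predict and opens it
without O_EXCL. The script below is an added example, not fdclone's code:
a throwaway directory stands in for a world-writable /tmp, and the
"attacker" and "victim" run in one process so the race outcome is
deterministic. The file name pattern, the predicted PID and the target
file are constructed for the example.

```python
import os
import tempfile


def victim_insecure(tmpdir, pid):
    """Predictable name, O_CREAT without O_EXCL.  If the path already exists
    as a symlink, open() follows it and the victim truncates and writes
    whatever file the attacker pointed it at."""
    path = os.path.join(tmpdir, "fdclone.%d" % pid)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.write(fd, b"victim data\n")
    os.close(fd)
    return path


def victim_safe(tmpdir):
    """mkstemp(): unpredictable name, O_CREAT|O_EXCL, mode 0600.  O_EXCL
    fails if anything (a symlink included) already exists at the path, and
    the attacker cannot guess the name in the first place."""
    fd, path = tempfile.mkstemp(prefix="fdclone.", dir=tmpdir)
    os.write(fd, b"victim data\n")
    os.close(fd)
    return path


def demo():
    """Plays out both variants and reports what happened."""
    tmpdir = tempfile.mkdtemp()  # stands in for /tmp
    target = os.path.join(tmpdir, "victim-owned-file")  # e.g. a dotfile
    with open(target, "w") as fh:
        fh.write("original\n")
    pid = 12345  # the attacker predicts (or enumerates) the victim's PID
    # Attacker plants a symlink at the predictable name before the victim runs.
    os.symlink(target, os.path.join(tmpdir, "fdclone.%d" % pid))
    victim_insecure(tmpdir, pid)
    with open(target) as fh:
        clobbered = fh.read() != "original\n"
    # Same planted link, but opened with O_EXCL: the kernel refuses.
    planted = os.path.join(tmpdir, "fdclone.planted")
    os.symlink(target, planted)
    try:
        fd = os.open(planted, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        os.close(fd)
        excl_refused = False
    except FileExistsError:
        excl_refused = True
    safe_path = victim_safe(tmpdir)
    return {
        "clobbered": clobbered,
        "excl_refused": excl_refused,
        "safe_is_regular_file": os.path.isfile(safe_path) and not os.path.islink(safe_path),
    }
```

In C the equivalent fix is mkstemp(3) (or open(2) with O_CREAT|O_EXCL and,
where available, O_NOFOLLOW) in place of mktemp(3)/tmpnam(3) followed by
fopen(). Checking for the file's existence first and then opening it does
not help; the attacker wins the race between the check and the open.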

*** {03.29.015} Cross - QuickTime/Darwin Streaming Server multiple vulns

QuickTime/Darwin Streaming Server versions prior to 4.1.3g contain
multiple vulnerabilities: DOS device name URL request denial of service;
malformed view_broadcast.cgi script request denial of service;
parse_xml.cgi file contents disclosure; source code retrieval by
appending encoded characters to the URL; access to files outside the
Web root; and insecure default install.

The advisory indicates confirmation by the vendor, which released
version 4.1.3g.

Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0040.html
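
Three of this week's items come down to what a server does with a request
path: "access to files outside the Web root" and "source code retrieval by
appending encoded characters to the URL" here, and the retrievable
database and settings.xml in the Mail System ({03.29.008}) and .netCart
({03.29.009}) items. The check below is an added example, not the code of
any server named in this newsletter: it percent-decodes a URL path until
the result is stable (so a double-encoded %252e%252e is seen as ".."),
collapses "." and ".." segments, and refuses anything that resolves
outside the document root. It goes beyond the specific items in handling
double encoding and planted symlinks. The document root layout and the
sample requests are constructed for the example. The last request in
demo() is allowed on purpose: a data file placed inside the Web root is
served like any other file, so containment checks are no fix for that
class of finding; the data has to move out of the tree.

```python
import os
import posixpath
import tempfile
from urllib.parse import unquote


class Forbidden(Exception):
    """Raised when a request would resolve outside the document root."""


def resolve_under_root(docroot, url_path):
    """Map a URL path onto a filesystem path guaranteed to lie under docroot.

    Percent-decoding is repeated until the string stops changing, so a
    double-encoded '%252e%252e' is seen as '..' rather than as a harmless
    looking directory name that a later decode would turn into traversal."""
    decoded = url_path
    for _ in range(3):
        once = unquote(decoded)
        if once == decoded:
            break
        decoded = once
    if "\x00" in decoded:
        raise Forbidden("NUL byte in request path")
    # Treat backslash as a separator too, as Windows file APIs do, then
    # collapse '.' and '..' textually.  A result that still starts with
    # '..' is already trying to leave the root.
    relative = posixpath.normpath(decoded.replace("\\", "/").lstrip("/"))
    candidate = os.path.realpath(os.path.join(docroot, relative))
    root = os.path.realpath(docroot)
    # realpath() also follows symlinks, so a link planted inside the root
    # that points outside it is rejected by the same comparison.
    if candidate != root and not candidate.startswith(root + os.sep):
        raise Forbidden("request escapes document root: %r" % url_path)
    return candidate


def is_allowed(docroot, url_path):
    """True if the check would serve the request, False if it refuses."""
    try:
        resolve_under_root(docroot, url_path)
        return True
    except Forbidden:
        return False


def demo():
    """Build a throwaway document root (constructed layout) and report which
    sample requests the check lets through."""
    docroot = tempfile.mkdtemp()
    os.makedirs(os.path.join(docroot, "db"))
    with open(os.path.join(docroot, "index.html"), "w") as fh:
        fh.write("<html>hello</html>\n")
    # Data file stored inside the Web root, the mistake in {03.29.008}.
    with open(os.path.join(docroot, "db", "users.mdb"), "w") as fh:
        fh.write("constructed sample database\n")
    requests = [
        "/index.html",
        "/static/../index.html",
        "/../../etc/passwd",
        "/%2e%2e/%2e%2e/etc/passwd",
        "/%252e%252e/%252e%252e/etc/passwd",
        "/db/users.mdb",
    ]
    return {r: is_allowed(docroot, r) for r in requests}
```

Decode first, normalise second, compare against the real root last; doing
the comparison on the still-encoded string is how encoded ".." sequences
get through. Note that the check says nothing about which handler serves
the file: the "source code retrieval" findings are usually a handler
mapping (a .cgi or .php script returned as plain text when the extension
is disguised), which has to be fixed in the server configuration.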

************************************************************************

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (BSD/OS)
Comment: For info see http://www.gnupg.org

iD8DBQE/ISwS+LUG5KFpTkYRAgqoAKCVXC1tNfQp/Za39IN7jiiw4ro8hACgmnBd
/H8q0Vj0R7ei9G0aPO2oopc=
=4oma
-----END PGP SIGNATURE-----
------------------------------------------------------------------------

Become a Security Alert Consensus member! If this e-mail was passed to
you and you would like to begin receiving our security e-mail newsletter
on a weekly basis, we invite you to subscribe today.
http://portal.sans.org

We are signing the Consensus newsletter with PGP. The new SANS PGP key
is posted at:
http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
also be accessed from the SANS Web site (http://www.sans.org).

To unsubscribe from this newsletter, or to edit your subscription
information, please go to: http://portal.sans.org

Missed an issue? You can find back issues of Security Alert Consensus
(and other SANS newsletters) online. http://www.sans.org/newsletters

Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.

Copyright (c) 2003 Network Computing, a CMP Media LLC publication. All
Rights Reserved. Distributed by Network Computing
(http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).