Security Alert Consensus #30

From: Network Computing and The SANS Institute (sans@sans.org)
Date: Thu Jul 31 2003 - 17:18:36 CDT


Re: Your personalized newsletter

                 -- Security Alert Consensus --
                       Number 030 (03.30)
                    Thursday, July 31, 2003
                       Created for you by
            Network Computing and the SANS Institute
                      Powered by Neohapsis

----------------------------------------------------------------------

Welcome to the latest edition of Security Alert Consensus! Below you
should find information pertaining only to the categories you requested.
Information on how to manage your subscription can be found at the
bottom of the newsletter. If you have any problems or questions, please
e-mail us at <consensus@nwc.com>.

************************* Begin Advertisement ************************

This issue is sponsored by Business Objects.
Join InformationWeek for a FREE On-Demand Webcast
Business Intelligence: Choosing the Best Way to Gain Insight Into Your Business
Turn data into knowledge and insight with BI deployment.
View Program NOW:
http://webevents.broadcast.com/cmp/bo/041603/index.asp?loc=5

************************** End Advertisement *************************

We know many people are dealing with the Windows DCOM fallout from last
week. As it turns out, this week isn't going to be much easier--a number
of big vulnerabilities surfaced. Solaris machines are vulnerable to a
local overflow in the runtime linker's handling of LD_PRELOAD, which
hands elevated privileges to any local user who can run a set-uid binary
(reported as item {03.30.015} in the Solaris category). A buffer overflow
in a DirectX music library leaves Windows boxes open to arbitrary code
execution when they play a malicious MIDI file, and such a file can be
fetched automatically from a Web page or an HTML e-mail (reported as
item {03.30.005} in the Windows category). NetWare folks even get a
little action, with a new buffer overflow in the Perl CGI handler
shipped with the default NetWare Enterprise Web Server (reported as item
{03.30.003} in the NetWare category). Then there's a batch of Oracle
vulnerabilities affecting various Oracle products (reported as item
{03.30.010} in the Cross-Platform category).

Happy patching!

Until next week,
--Security Alert Consensus Team

************************************************************************

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

TABLE OF CONTENTS:

{03.30.004} Win - MS03-029: Windows file name processing DoS
{03.30.005} Win - MS03-030: DirectX MIDI file overflow
{03.30.006} Win - MS03-031: SQL Server cumulative patch, 07/29
{03.30.017} Win - EF Commander FTP response overflow
{03.30.001} Linux - Updated patches for previous vulnerabilities
{03.30.008} Linux - Update {03.26.001}: VMWare insecure temp file
            handling
{03.30.009} Linux - Mandrake kernel-2.4.21.0.24mdk ignores umask
{03.30.013} Linux - sup insecure temp file handling
{03.30.015} Sol - ld.so.1 LD_PRELOAD overflow
{03.30.003} NW - Perl CGI handler overflow
{03.30.016} SGI - nsd mishandles AUTH_UNIX gid list
{03.30.007} NetDev - 3COM 812 DSL router large HTTP request DoS
{03.30.012} NetDev - Cisco IOS-based AP1x00 HTTP request DoS
{03.30.020} NetDev - NetScreen large window size DoS
{03.30.002} Cross - stunnel multiple SIGCHLD DoS
{03.30.010} Cross - Multiple Oracle vulnerabilities
{03.30.011} Cross - Vulnerable PHP applications, 07/29
{03.30.014} Cross - Konqueror leaks auth info via Referer header
{03.30.018} Cross - Apache mod_mylo large request logging overflow
{03.30.019} Cross - Half-Life multiple vulns, 07/29

- --- Windows News -------------------------------------------------------

*** {03.30.004} Win - MS03-029: Windows file name processing DoS

Microsoft released MS03-029 ("Windows file name processing DoS"). A flaw
in an unspecified Windows file name processing function can cause it to
free() memory that it does not own when handed a specially crafted file
name, thereby crashing the calling process.

Note that there are reports of this patch affecting RRAS services when
installed on Windows NT 4.0 Server.

FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS03-029.asp

Source: Microsoft
http://archives.neohapsis.com/archives/microsoft/2003-q3/0008.html
http://archives.neohapsis.com/archives/ntbugtraq/2003-q3/0072.html

*** {03.30.005} Win - MS03-030: DirectX MIDI file overflow

Microsoft released MS03-030 ("DirectX MIDI file overflow"). A malicious
MIDI file could potentially exploit one of two buffer overflows in the
DirectX music libraries, thereby allowing the execution of arbitrary
code. DirectX versions 5.2 through 9.0a, Windows Media Player 6.4 and
Internet Explorer 6 SP1 are all vulnerable.

FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS03-030.asp

Source: Microsoft
http://archives.neohapsis.com/archives/microsoft/2003-q3/0007.html

*** {03.30.006} Win - MS03-031: SQL Server cumulative patch, 07/29

Microsoft released MS03-031 ("SQL Server cumulative patch, 07/29"). This
cumulative SQL Server patch fixes three new vulnerabilities: named pipe
impersonation; a named pipe denial of service; and an LPC function
overflow.

FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS03-031.asp

Source: Microsoft
http://archives.neohapsis.com/archives/microsoft/2003-q3/0009.html

*** {03.30.017} Win - EF Commander FTP response overflow

EF Commander version 3.54 reportedly contains a buffer overflow in the
handling of large FTP server banners, thereby allowing a malicious FTP
server to execute arbitrary code on the user's system.

This vulnerability is not confirmed.

Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0052.html

- --- Linux News ---------------------------------------------------------

*** {03.30.001} Linux - Updated patches for previous vulnerabilities

The following is a list of Linux vendor patches for vulnerabilities
previously reported in Security Alert Consensus.

- --- Red Hat:

RHSA-2003:222-01: openssh
http://archives.neohapsis.com/archives/linux/redhat/2003-q3/0015.html

RHSA-2003:234-01: semi
http://archives.neohapsis.com/archives/linux/redhat/2003-q3/0013.html

- --- Conectiva:

CLA-2003:703: phpgroupware
http://archives.neohapsis.com/archives/linux/conectiva/2003-q3/0022.html

CLA-2003:704: apache
http://archives.neohapsis.com/archives/linux/conectiva/2003-q3/0023.html

CLA-2003:711: mnogosearch
http://archives.neohapsis.com/archives/linux/conectiva/2003-q3/0024.html

CLA-2003:713: perl
http://archives.neohapsis.com/archives/linux/conectiva/2003-q3/0025.html

- --- Mandrake:

MDKSA-2003:066-2: kernel
http://archives.neohapsis.com/archives/linux/mandrake/2003-q3/0064.html

MDKSA-2003:071-1: xpdf
http://archives.neohapsis.com/archives/linux/mandrake/2003-q3/0055.html

MDKSA-2003:077: phpgroupware
http://archives.neohapsis.com/archives/linux/mandrake/2003-q3/0051.html

MDKSA-2003:078: mpg123
http://archives.neohapsis.com/archives/linux/mandrake/2003-q3/0056.html

- --- EnGarde:

ESA-20032407-018: kernel
http://archives.neohapsis.com/archives/linux/engarde/2003-q3/0001.html

Source: Red Hat, Conectiva, Mandrake, EnGarde
http://archives.neohapsis.com/archives/linux/redhat/2003-q3/0015.html
http://archives.neohapsis.com/archives/linux/redhat/2003-q3/0013.html
http://archives.neohapsis.com/archives/linux/conectiva/2003-q3/0022.html
http://archives.neohapsis.com/archives/linux/conectiva/2003-q3/0023.html
http://archives.neohapsis.com/archives/linux/conectiva/2003-q3/0024.html
http://archives.neohapsis.com/archives/linux/conectiva/2003-q3/0025.html
http://archives.neohapsis.com/archives/linux/mandrake/2003-q3/0064.html
http://archives.neohapsis.com/archives/linux/mandrake/2003-q3/0055.html
http://archives.neohapsis.com/archives/linux/mandrake/2003-q3/0051.html
http://archives.neohapsis.com/archives/linux/mandrake/2003-q3/0056.html
http://archives.neohapsis.com/archives/linux/engarde/2003-q3/0001.html

*** {03.30.008} Linux - Update {03.26.001}: VMWare insecure temp file
                handling

VMWare released updates that fix the vulnerability discussed in
{03.26.001} ("VMWare insecure temp file handling").

Update information is listed at the reference URL below.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-07/0304.html

*** {03.30.009} Linux - Mandrake kernel-2.4.21.0.24mdk ignores umask

The Mandrake 9.1 kernel-2.4.21.0.24mdk kernel update for
MDKSA-2003:066-1 contained an error that caused all files on non-XFS
file systems to be created world-writable.

This vulnerability is confirmed. An updated kernel patch will be
released.

Source: Mandrake
http://archives.neohapsis.com/archives/linux/mandrake/2003-q3/0054.html

*** {03.30.013} Linux - sup insecure temp file handling

The sup utility creates its temporary files insecurely (predictable
names, no exclusive create), thereby allowing a local attacker to plant
a symlink and have sup overwrite files with the privileges of the user
running it.

Updated Debian DEBs are listed at the reference URL below.

Source: Debian
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0164.html
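
The bug class behind this item and the VMWare update in {03.30.008}, as
an added example that is not code from sup, VMWare or Debian: the
insecure open() pattern (predictable name, O_CREAT without O_EXCL) beside
a hardened one (O_EXCL | O_NOFOLLOW), with the attacker's symlink staged
in a private sandbox directory. The directory template, the file names
and the file contents are constructed for the example.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Insecure pattern: predictable name, O_CREAT without O_EXCL.  If an
 * attacker has already planted a symlink at `path`, open() follows it and
 * the program truncates and writes whatever file the link points to. */
int insecure_tmp_create(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened pattern: O_EXCL fails if anything (a symlink included) already
 * exists at `path`; O_NOFOLLOW additionally refuses to traverse a symlink.
 * Real code should use mkstemp(), which also picks an unguessable name. */
int secure_tmp_create(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Stage the attack in a sandbox directory (constructed for this example):
 * a victim file, and a symlink at the predictable temp name pointing to
 * it.  Returns 1 if the victim file was clobbered, 0 if it survived,
 * -1 on a setup error. */
int run_symlink_demo(int hardened)
{
    char dir[] = "/tmp/sacXXXXXX";          /* mkdtemp template (assumed) */
    char victim[256], tmpname[256], buf[64];
    int fd, clobbered;
    ssize_t n;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(tmpname, sizeof tmpname, "%s/sup.tmp", dir);

    fd = open(victim, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0 || write(fd, "original", 8) != 8 || close(fd) != 0)
        return -1;
    if (symlink(victim, tmpname) != 0)       /* the attacker's move */
        return -1;

    /* The program's "temp file" write, through whichever open() we test. */
    fd = hardened ? secure_tmp_create(tmpname) : insecure_tmp_create(tmpname);
    if (fd >= 0) {
        (void)write(fd, "overwritten", 11);
        close(fd);
    }

    /* Did the write land on the victim through the symlink? */
    fd = open(victim, O_RDONLY);
    n = fd < 0 ? -1 : read(fd, buf, sizeof buf - 1);
    if (fd >= 0)
        close(fd);
    buf[n > 0 ? n : 0] = '\0';
    clobbered = strcmp(buf, "original") != 0;

    unlink(tmpname);
    unlink(victim);
    rmdir(dir);
    return clobbered;
}

int main(void)
{
    printf("insecure open: victim %s\n",
           run_symlink_demo(0) == 1 ? "CLOBBERED" : "intact");
    printf("hardened open: victim %s\n",
           run_symlink_demo(1) == 1 ? "CLOBBERED" : "intact");
    return 0;
}
```

The same race exists for fopen(path, "w") and for any open() that lacks
O_EXCL; the vendor fixes for both items amount to switching to
mkstemp()-style creation.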

- --- Solaris News -------------------------------------------------------

*** {03.30.015} Sol - ld.so.1 LD_PRELOAD overflow

The ld.so.1 dynamic runtime linker included in Solaris 2.6 through 9
contains a buffer overflow in the handling of the LD_PRELOAD environment
variable. Because the linker runs inside every dynamically linked
process before the program's own code, a local attacker can execute
arbitrary code with the privileges of any set-uid binary he is able to
run.

This vulnerability is confirmed. Update information is available at:
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/55680

Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0060.html

- --- NetWare News -------------------------------------------------------

*** {03.30.003} NW - Perl CGI handler overflow

The cgi2perl.nlm Perl CGI handler included with the Enterprise Web
Server shipped with NetWare 5.1 and 6.0 contains a buffer overflow that
could allow a remote attacker to cause a denial of service or possibly
execute arbitrary code.

This vulnerability is confirmed. An update is available at:
http://support.novell.com/servlet/tidfinder/2966549

Source: Novell
http://archives.neohapsis.com/archives/novell/2003-q3/0002.html

- --- SGI News -----------------------------------------------------------

*** {03.30.016} SGI - nsd mishandles AUTH_UNIX gid list

SGI reported that the name services daemon (nsd) mishandles the gid list
in AUTH_UNIX credentials, which can be exploited to gain elevated
privileges.

Update information is available at the reference URL below.

Source: SGI (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2003-07/0382.html

- --- Network Devices News -----------------------------------------------

*** {03.30.007} NetDev - 3COM 812 DSL router large HTTP request DoS

The 3COM 812 DSL router reportedly crashes when a large HTTP request is
sent to the administrative Web interface.

This vulnerability is not confirmed.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-07/0289.html

*** {03.30.012} NetDev - Cisco IOS-based AP1x00 HTTP request DoS

Cisco IOS-based AP1x00 wireless access points reload when a particular
malformed HTTP request is sent to them. User accounts can also be
determined via brute forcing logins to the telnet service.

Cisco confirmed this vulnerability. Update information is available at
the reference URL below.

Source: Cisco, VulnWatch
http://archives.neohapsis.com/archives/cisco/2003-q3/0004.html
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0056.html

*** {03.30.020} NetDev - NetScreen large window size DoS

NetScreen 204 and 208 devices running ScreenOS version 4.0.3r reportedly
reboot when a large TCP window size is used.

This vulnerability is not confirmed.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-07/0377.html

- --- Cross-Platform News ------------------------------------------------

*** {03.30.002} Cross - stunnel multiple SIGCHLD DoS

Stunnel prior to version 4.04 does not properly handle multiple SIGCHLD
signals arriving together, which could potentially crash stunnel running
in daemon mode, leading to a denial of service.

This vulnerability is confirmed. Updated Red Hat RPMs are listed at the
reference URL below.

Source: Red Hat
http://archives.neohapsis.com/archives/linux/redhat/2003-q3/0014.html
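
The mechanism behind this class of bug, as an added example that is not
stunnel's code: standard signals do not queue, so when several children
exit while SIGCHLD is blocked or already pending the kernel delivers a
single signal for all of them. A handler that calls wait() once per
signal reaps one child and leaves the rest as zombies; the fix is to loop
on waitpid(-1, WNOHANG) until nothing is left. The demo forks a few
children that exit at once with SIGCHLD blocked, then unblocks it so
exactly one coalesced signal arrives; the child count and the short sleep
are choices made for the demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

static volatile sig_atomic_t signals_seen;
static volatile sig_atomic_t children_reaped;
static volatile sig_atomic_t reap_in_loop;   /* 0 = naive handler, 1 = fixed */

/* SIGCHLD handler: one wait() per signal (naive) or a WNOHANG loop (fixed). */
static void on_sigchld(int sig)
{
    int saved = errno;                      /* handlers must preserve errno */
    (void)sig;
    signals_seen++;
    if (reap_in_loop) {
        /* Fixed: reap every exited child, however many share this signal. */
        while (waitpid(-1, NULL, WNOHANG) > 0)
            children_reaped++;
    } else {
        /* Naive: one child per signal; the others stay zombies when the
         * kernel coalesced their SIGCHLDs into this single delivery. */
        if (wait(NULL) > 0)
            children_reaped++;
    }
    errno = saved;
}

/* Fork `nchildren` that exit immediately while SIGCHLD is blocked, wait
 * until all have exited, then unblock so one coalesced SIGCHLD is
 * delivered.  Returns how many children the handler reaped; leftover
 * zombies are cleaned up before returning.  -1 on setup error. */
int run_sigchld_demo(int nchildren, int use_loop)
{
    struct sigaction sa, old;
    sigset_t block, saved;
    int pipefd[2], i, reaped;
    char c;

    reap_in_loop = use_loop;
    signals_seen = 0;
    children_reaped = 0;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_sigchld;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_RESTART;
    if (sigaction(SIGCHLD, &sa, &old) != 0)
        return -1;

    sigemptyset(&block);
    sigaddset(&block, SIGCHLD);
    sigprocmask(SIG_BLOCK, &block, &saved);

    if (pipe(pipefd) != 0)
        return -1;
    for (i = 0; i < nchildren; i++) {
        pid_t pid = fork();
        if (pid < 0)
            return -1;
        if (pid == 0)
            _exit(0);                        /* child: exit at once */
    }
    close(pipefd[1]);
    /* Only the children hold the write end now; EOF means all have exited. */
    while (read(pipefd[0], &c, 1) > 0)
        ;
    close(pipefd[0]);
    usleep(50000);                           /* let the last exit complete */

    sigprocmask(SIG_SETMASK, &saved, NULL);  /* pending SIGCHLD delivered here */

    reaped = children_reaped;
    while (waitpid(-1, NULL, 0) > 0)         /* clean up any zombies left */
        ;
    sigaction(SIGCHLD, &old, NULL);
    return reaped;
}

int main(void)
{
    printf("naive wait():   reaped %d of 8 (signals seen: %d)\n",
           run_sigchld_demo(8, 0), (int)signals_seen);
    printf("waitpid loop:   reaped %d of 8 (signals seen: %d)\n",
           run_sigchld_demo(8, 1), (int)signals_seen);
    return 0;
}
```

Both runs see a single SIGCHLD; only the looping handler reaps all eight
children. A daemon that forks per connection and reaps one child per
signal accumulates zombies under load until it hits its process limit or
trips over the unexpected state, which is the denial-of-service outcome
the advisory describes.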

*** {03.30.010} Cross - Multiple Oracle vulnerabilities

Multiple vulnerabilities were reported in Oracle components: a buffer
overflow in the FNDWRR CGI program; AOL/J Setup Test Suite unauthorized
information retrieval; and an extproc security logging buffer overflow.

Oracle confirmed these vulnerabilities and released patches.

Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0047.html
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0048.html
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0050.html

*** {03.30.011} Cross - Vulnerable PHP applications, 07/29

The following is a list of reported vulnerable third-party PHP CGI
applications. These vulnerabilities are not necessarily confirmed.

PHP-Gastebuch: config file retrieval
http://archives.neohapsis.com/archives/bugtraq/2003-07/0307.html

paFileDB 3.1: file uploading
http://archives.neohapsis.com/archives/bugtraq/2003-07/0312.html

e107: auth info recovery, cross-site scripting
http://archives.neohapsis.com/archives/bugtraq/2003-07/0313.html
http://archives.neohapsis.com/archives/bugtraq/2003-07/0331.html

PBLang 4.0: cross-site scripting
http://archives.neohapsis.com/archives/bugtraq/2003-07/0327.html

Gallery 1.3.4: cross-site scripting
http://archives.neohapsis.com/archives/bugtraq/2003-07/0354.html

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-07/0307.html
http://archives.neohapsis.com/archives/bugtraq/2003-07/0312.html
http://archives.neohapsis.com/archives/bugtraq/2003-07/0313.html
http://archives.neohapsis.com/archives/bugtraq/2003-07/0327.html
http://archives.neohapsis.com/archives/bugtraq/2003-07/0331.html
http://archives.neohapsis.com/archives/bugtraq/2003-07/0354.html

*** {03.30.014} Cross - Konqueror leaks auth info via Referer header

The Konqueror KDE Web browser versions 3.1.2 and prior incorrectly
include URL-based authentication information (the user:password@host
portion of the referring URL) in the Referer header sent to other Web
sites, so any third-party site linked from such a page can harvest the
credentials from its access logs.

This vulnerability is confirmed and fixed in version 3.1.3.

Source: KDE (SF Bugtraq)
http://archives.neohapsis.com/archives/bugtraq/2003-07/0368.html
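
What a correct user agent has to do before emitting Referer, as an added
example that is not KDE's code: strip the userinfo component of the
authority and the fragment (the rule later codified in RFC 7231 section
5.5.2). The function below takes an absolute URL and returns the value
to send; the sample URLs are constructed, and the hostnames in them are
placeholders.

```c
#include <stdio.h>
#include <string.h>

/* Build the Referer value for `url`: drop user:pass@ from the authority
 * and any #fragment.  An '@' in the path or query is not userinfo and is
 * left alone.  Returns the length written, or -1 if `url` is not an
 * absolute URL or `out` is too small. */
int referer_for(const char *url, char *out, size_t outsz)
{
    const char *scheme_end = strstr(url, "://");
    const char *auth, *auth_end, *at, *hash, *end, *rest, *p;
    size_t len, rlen;

    if (scheme_end == NULL)
        return -1;
    auth = scheme_end + 3;
    auth_end = auth + strcspn(auth, "/?#");  /* authority ends at first of these */

    at = NULL;
    for (p = auth; p < auth_end; p++)        /* last '@' inside the authority */
        if (*p == '@')
            at = p;

    hash = strchr(url, '#');
    end = hash ? hash : url + strlen(url);   /* fragment is never sent */

    len = (size_t)(auth - url);              /* "scheme://" */
    if (len + 1 > outsz)
        return -1;
    memcpy(out, url, len);

    rest = at ? at + 1 : auth;               /* host[:port]/path?query */
    rlen = (size_t)(end - rest);
    if (len + rlen + 1 > outsz)
        return -1;
    memcpy(out + len, rest, rlen);
    len += rlen;
    out[len] = '\0';
    return (int)len;
}

/* Helper for checks: 1 if referer_for(url) equals `expected`, else 0. */
int referer_matches(const char *url, const char *expected)
{
    char out[512];
    if (referer_for(url, out, sizeof out) < 0)
        return 0;
    return strcmp(out, expected) == 0;
}

int main(void)
{
    /* Constructed sample URLs; intranet.example and example.org are placeholders. */
    const char *samples[] = {
        "http://alice:s3cr3t@intranet.example/page?x=1#top",
        "https://intranet.example:8443/mail/bob@example.org?q=1",
        "http://intranet.example#frag",
    };
    char out[512];
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (referer_for(samples[i], out, sizeof out) < 0)
            printf("%-55s -> (no Referer)\n", samples[i]);
        else
            printf("%-55s -> %s\n", samples[i], out);
    }
    return 0;
}
```

The first sample is the Konqueror case: the leaked value would have been
the whole URL including alice:s3cr3t, while the corrected value is
http://intranet.example/page?x=1. Sites should still treat credentials
embedded in URLs as compromised once they have been clicked through an
unpatched browser.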

*** {03.30.018} Cross - Apache mod_mylo large request logging overflow

The Apache mod_mylo module version 0.2.1 contains a buffer overflow in
the logging of large HTTP requests, thereby allowing a remote attacker
to execute arbitrary code.

Version 0.2.2 was released; it fixes the problem.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-07/0355.html

*** {03.30.019} Cross - Half-Life multiple vulns, 07/29

Both the Half-Life client and server reportedly contain buffer overflows
in the handling of large parameter values. This could allow a malicious
client or server to execute arbitrary code on a server or client,
respectively.

These vulnerabilities are not confirmed.

Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0061.html
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0062.html

************************************************************************

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (BSD/OS)
Comment: For info see http://www.gnupg.org

iD8DBQE/KXBR+LUG5KFpTkYRAp8QAKCOjR+sgPq538X6lMvtYex19zlmzQCcCYfu
4MFQCQa5ytnDyv3oghZliSA=
=/lCZ
-----END PGP SIGNATURE-----
------------------------------------------------------------------------


Become a Security Alert Consensus member! If this e-mail was passed to
you and you would like to begin receiving our security e-mail newsletter
on a weekly basis, we invite you to subscribe today.
http://portal.sans.org

We are signing the Consensus newsletter with PGP. The new SANS PGP key
is posted at:
http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
also be accessed from the SANS Web site (http://www.sans.org).

To unsubscribe from this newsletter, or to edit your subscription
information, please go to: http://portal.sans.org

Missed an issue? You can find back issues of Security Alert Consensus
(and other SANS newsletters) online. http://www.sans.org/newsletters

Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.

Copyright (c) 2003 Network Computing, a CMP Media LLC publication. All
Rights Reserved. Distributed by Network Computing
(http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).