Security Alert Consensus #32

From: Network Computing and The SANS Institute (sans@sans.org)
Date: Thu Aug 14 2003 - 17:16:27 CDT


Re: Your personalized newsletter

                 -- Security Alert Consensus --
                       Number 032 (03.32)
                  Thursday, August 14, 2003
                       Created for you by
            Network Computing and the SANS Institute
                      Powered by Neohapsis

----------------------------------------------------------------------

Welcome to the latest edition of Security Alert Consensus! Below you
should find information pertaining only to the categories you requested.
Information on how to manage your subscription can be found at the
bottom of the newsletter. If you have any problems or questions, please
e-mail us at <consensus@nwc.com>.

************************* Begin Advertisement ************************

This issue is sponsored by Mercury Interactive.
Join Network Magazine for a FREE Webcast on the impact BTO can
have on IT infrastructure and application management.
BTO is Revolutionizing IT Business Practices
Weds., August 27, 2003, 11:00 AM PT/2:00 PM ET. REGISTER NOW.
http://cmpnetseminars.com/BTG/intel.asp?K=NWMERCINTNWLTR&Q=36

************************** End Advertisement *************************

About the W32/Blaster worm: Yeah, it was painful, but it could have been
worse. That is, unless you allow arbitrary TFTP traffic to pass through
your network and gateways.

Come on folks, this is not a well-written worm. Its method of scanning
for new hosts is slow and not as effective as it could be. It requires
not only inbound access to TCP port 135 on the target but also a path
back from the target to the infecting host on UDP port 69 (TFTP), which
is how the victim retrieves the worm body. Just imagine if the worm
pulled everything in over the established connection (rather than using
TFTP) and it was more efficient at scanning. If you think the current
incarnation was a nightmare....

One common situation popped up often enough that we feel it important
to comment. Many folks locked down their gateways and checked their
perimeter servers for vulnerability. Satisfied that nothing could come
in from the Internet, they were humbled when an internal employee
brought in an infected laptop from home. Sure, the servers were OK, but
the desktops proved to be a fertile worm incubation playground.

Moral to the story: Security doesn't stop at the perimeter. From the
mightiest of servers to the lowliest of desktops, and all print servers
in-between, everything needs to be patched when dealing with a
nondiscriminatory worm.
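As an added example (not part of the original newsletter), the two traffic
patterns described above can be pulled out of connection records with a
few lines of Python: a host that receives an inbound TCP/135 connection
and shortly afterwards opens a UDP/69 (TFTP) session back to the same peer
has almost certainly just been exploited and is fetching the worm body; a
host that opens TCP/135 to many distinct targets is scanning. The record
format and the sample records are constructed for the example; adapt the
parser to whatever your firewall or NetFlow export actually emits.

```python
"""Spot the Blaster propagation sequence in connection records.

Added example, not from the newsletter. The record format below is an
assumption ("<epoch> <proto> <src>:<sport> > <dst>:<dport>"); the sample
records are constructed, not from a real capture.
"""
import re
from collections import defaultdict

# Constructed sample: 10.1.4.20 exploits 10.1.7.33, which TFTPs the worm body
# back from 10.1.4.20 four seconds later and then starts scanning TCP/135.
# 10.1.7.40 receives a 135 hit but its TFTP session is far too late to match,
# and 10.1.9.5's TFTP has no preceding 135 hit at all.
SAMPLE_FLOWS = """\
1060890000 tcp 10.1.4.20:1052 > 10.1.7.33:135
1060890004 udp 10.1.7.33:1067 > 10.1.4.20:69
1060890030 tcp 10.1.7.33:1070 > 10.1.7.34:135
1060890030 tcp 10.1.7.33:1071 > 10.1.7.35:135
1060890031 tcp 10.1.7.33:1072 > 10.1.7.36:135
1060890031 tcp 10.1.7.33:1073 > 10.1.7.37:135
1060890100 tcp 10.1.2.9:3921 > 10.1.7.40:135
1060890900 udp 10.1.7.40:2001 > 10.1.2.9:69
1060891000 udp 10.1.9.5:1030 > 10.1.9.1:69
"""

FLOW_RE = re.compile(
    r"^(?P<ts>\d+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+>\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_flows(text):
    """Return (ts, proto, src, sport, dst, dport) tuples, oldest first."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = FLOW_RE.match(line)
        if not m:
            raise ValueError("unparseable flow record: %r" % line)
        d = m.groupdict()
        flows.append((int(d["ts"]), d["proto"], d["src"], int(d["sport"]),
                      d["dst"], int(d["dport"])))
    return sorted(flows)


def find_blaster_sequences(flows, window=300):
    """Victims that were hit on TCP/135 and then pulled a file over TFTP
    from the very host that hit them, within `window` seconds.

    Returns [(victim, attacker, t_rpc, t_tftp)]."""
    rpc_hits = defaultdict(list)      # (victim, attacker) -> [t_rpc, ...]
    findings = []
    for ts, proto, src, _sport, dst, dport in flows:
        if proto == "tcp" and dport == 135:
            rpc_hits[(dst, src)].append(ts)
        elif proto == "udp" and dport == 69:
            # src is the TFTP client here; did dst exploit it just before?
            for t_rpc in rpc_hits.get((src, dst), []):
                if 0 <= ts - t_rpc <= window:
                    findings.append((src, dst, t_rpc, ts))
                    break
    return findings


def find_rpc_scanners(flows, min_targets=20):
    """Sources that opened TCP/135 to at least `min_targets` distinct hosts."""
    targets = defaultdict(set)
    for _ts, proto, src, _sport, dst, dport in flows:
        if proto == "tcp" and dport == 135:
            targets[src].add(dst)
    return {src for src, hit in targets.items() if len(hit) >= min_targets}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for victim, attacker, t_rpc, t_tftp in find_blaster_sequences(flows):
        print("%s exploited by %s at %d, fetched payload at %d"
              % (victim, attacker, t_rpc, t_tftp))
    print("scanning TCP/135:", sorted(find_rpc_scanners(flows, min_targets=3)))
```

The TFTP correlation is the cheap, high-confidence signal: legitimate TFTP
(network device configs, PXE) does not follow an inbound RPC connection from
the same peer. The scanner threshold is deliberately high by default; lower
it for a small subnet, and remember that an infected laptop on the inside
shows up in these records as the attacker, not the victim.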

CERT writeup of the W32/Blaster worm:
http://archives.neohapsis.com/archives/cert/2003-q3/0008.html

Until next week,
--Security Alert Consensus Team

************************************************************************

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

TABLE OF CONTENTS:

{03.32.006} Win - 121 WAM! Server FTP root escaping
{03.32.008} Win - Meteor FTP server USER overflow
{03.32.010} Win - MDaemon auth allows blank password
{03.32.014} Win - Lotus Sametime encryption weaknesses
{03.32.019} Win - Webdeskpro role privilege elevation
{03.32.001} Linux - Updated patches for previous vulnerabilities
{03.32.004} Linux - eroaster insecure lock file handling
{03.32.005} Linux - zblast high score buffer overflow
{03.32.009} Linux - up2date does not check/enforce GPG signatures
{03.32.012} Linux - xpcd-svga HOME env var overflow
{03.32.002} BSD - FreeBSD invalid signal values
{03.32.007} BSD - FreeBSD ibcs2 statfs() exposes kernel memory
{03.32.017} NetDev - Cisco CSS 11000 series SYN flood DoS
{03.32.003} Cross - Vulnerable PHP applications, 08/12
{03.32.011} Cross - pam-pgsql user name format string vuln
{03.32.013} Cross - SBM protocol hijacking via RSVP
{03.32.015} Cross - Netris malicious server overflow
{03.32.016} Cross - iPlanet Directory Server admin server file access
{03.32.018} MacOS - IPNetMonitorX/IPNetSentryX utility script vulns

- --- Windows News -------------------------------------------------------

*** {03.32.006} Win - 121 WAM! Server FTP root escaping

The 121 WAM! Server version 1.0.4.0 allows an attacker to access files
outside the FTP root. A valid user account is required to execute this
attack.

This vulnerability is not confirmed.

Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0071.html

*** {03.32.008} Win - Meteor FTP server USER overflow

Meteor FTP server version 1.5 contains a buffer overflow in the handling
of a large FTP USER command. Execution of arbitrary code may be
possible.

This vulnerability is not confirmed.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-08/0092.html

*** {03.32.010} Win - MDaemon auth allows blank password

MDaemon SMTP server version 5.0.5 allows an attacker to log in to the
server without knowing the account's password: a blank password is
accepted.

This vulnerability is not confirmed.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-08/0088.html

*** {03.32.014} Win - Lotus Sametime encryption weaknesses

The Lotus Sametime protocol used in versions 3.0 and prior allows an
eavesdropping attacker to recover the session key and thus decrypt the
traffic. It may also allow the recovery of the user's password.

These vulnerabilities are not confirmed.

Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0075.html

*** {03.32.019} Win - Webdeskpro role privilege elevation

A recent post indicates the possibility of modifying the URL parameters
of the Webdeskpro UI to access files using a higher privileged role.

This vulnerability is not confirmed.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-08/0098.html

- --- Linux News ---------------------------------------------------------

*** {03.32.001} Linux - Updated patches for previous vulnerabilities

The following is a list of Linux vendor patches for vulnerabilities
previously reported in Security Alert Consensus.

- --- Red Hat:

RHSA-2003:235-01: KDE
http://archives.neohapsis.com/archives/linux/redhat/2003-q3/0021.html

RHSA-2003:241-01: ddskk
http://archives.neohapsis.com/archives/linux/redhat/2003-q3/0020.html

- --- Conectiva:

CLA-2003:720: lynx
http://archives.neohapsis.com/archives/linux/conectiva/2003-q3/0030.html

- --- Debian:

DSA-361-2: kdelibs-crypto
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0247.html

DSA-364-2: man-db
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0241.html

DSA-365-1: phpgroupware
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0209.html

DSA-371-1: Perl
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0261.html

- --- Immunix

IMNX-2003-7+-019-01: wu-ftpd
http://archives.neohapsis.com/archives/linux/immunix/2003-q3/0005.html

- --- Trustix

TSLSA-2003-0029: postfix
http://archives.neohapsis.com/archives/bugtraq/2003-08/0074.html

- --- EnGarde

ESA-20030806-020: stunnel
http://archives.neohapsis.com/archives/linux/engarde/2003-q3/0003.html

TSLSA-2003-0030: stunnel
http://archives.neohapsis.com/archives/bugtraq/2003-08/0073.html

- --- SuSE:

SuSE-SA:2003:034: kernel
http://archives.neohapsis.com/archives/linux/suse/2003-q3/0428.html

Source: Red Hat, Conectiva, Debian, Immunix, Trustix, EnGarde, SuSE
http://archives.neohapsis.com/archives/linux/redhat/2003-q3/0021.html
http://archives.neohapsis.com/archives/linux/redhat/2003-q3/0020.html
http://archives.neohapsis.com/archives/linux/conectiva/2003-q3/0030.html
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0247.html
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0241.html
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0209.html
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0261.html
http://archives.neohapsis.com/archives/linux/immunix/2003-q3/0005.html
http://archives.neohapsis.com/archives/bugtraq/2003-08/0074.html
http://archives.neohapsis.com/archives/bugtraq/2003-08/0073.html
http://archives.neohapsis.com/archives/linux/engarde/2003-q3/0003.html
http://archives.neohapsis.com/archives/linux/suse/2003-q3/0428.html

*** {03.32.004} Linux - eroaster insecure lock file handling

A Debian advisory indicates the eroaster utility insecurely handles lock
files, thereby allowing a local attacker to perform a symlink attack.

Updated Debian DEBs are listed at the reference URL below.

Source: Debian
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0210.html

*** {03.32.005} Linux - zblast high score buffer overflow

The zblast-svgalib game contains a buffer overflow in the saving of the
high score, which could allow a local attacker to execute arbitrary code
under gid 'games.'

Updated Debian DEBs are listed at the reference URL below.

Source: Debian
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0245.html

*** {03.32.009} Linux - up2date does not check/enforce GPG signatures

A Red Hat advisory indicates the up2date utility included with Red Hat
8.0 and 9 does not properly validate GPG signatures, potentially
allowing an unsigned package to be installed.

Updated RPMs are listed at the reference URL below.

Source: Red Hat
http://archives.neohapsis.com/archives/linux/redhat/2003-q3/0018.html
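The failure mode here is worth seeing concretely: `rpm -K` (alias
`rpm --checksig`) reports "OK" both for a package whose GPG signature
verified and for an unsigned package whose digests merely match, so an
updater that only looks for "OK" will install an unsigned package. Below is
an added example (not Red Hat's or up2date's code) that parses constructed
`rpm -K` style output and accepts only packages with a verified signature.
The line format is an assumption based on rpm 4.x, where a lowercase token
means that check passed and an uppercase or parenthesised token means it
failed or could not be verified.

```python
"""Accept only packages whose GPG signature actually verified.

Added example, not Red Hat's or up2date's code. The line format is assumed
from rpm 4.x `rpm -K`: a lowercase token (sha1, md5, gpg) means that check
passed; uppercase or parenthesised tokens mean it failed or could not be
verified. The sample output is constructed, not from a real run.
"""
import subprocess

SAMPLE_CHECKSIG = """\
openssh-3.5p1-6.i386.rpm: (sha1) dsa sha1 md5 gpg OK
evil-1.0-1.i386.rpm: sha1 md5 OK
stale-2.1-3.i386.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#db42a60e)
tampered-0.9-1.i386.rpm: (SHA1) DSA SHA1 MD5 GPG NOT OK
"""


def classify(result):
    """'signed'   - digests and GPG signature verified
       'unsigned' - digests fine, but there was no signature to verify
       'bad'      - a digest or signature check failed, or the key is missing"""
    if "NOT OK" in result:
        return "bad"
    tokens = result.split()
    if not tokens or tokens[-1] != "OK":
        return "bad"            # unknown shape: never treat as success
    return "signed" if "gpg" in tokens else "unsigned"


def parse_checksig(text):
    """Map package file name -> 'signed' | 'unsigned' | 'bad'."""
    results = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, sep, result = line.partition(": ")
        if not sep:
            raise ValueError("unexpected rpm -K line: %r" % line)
        results[name] = classify(result)
    return results


def naive_accepts(text):
    """The weak check: any line that says 'OK' goes through, so the
    unsigned package is installed along with the signed one."""
    accepted = []
    for line in text.splitlines():
        if line.strip() and " OK" in line and "NOT OK" not in line:
            accepted.append(line.partition(": ")[0])
    return sorted(accepted)


def safe_to_install(text):
    """Strict: only a verified GPG signature is good enough."""
    return sorted(name for name, status in parse_checksig(text).items()
                  if status == "signed")


def checksig(paths):
    """Run `rpm -K` on real package files and return its stdout.
    Requires rpm on the host; not used by the self-test."""
    return subprocess.run(["rpm", "-K"] + list(paths),
                          capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    print("naive check would install:", naive_accepts(SAMPLE_CHECKSIG))
    print("strict check installs:    ", safe_to_install(SAMPLE_CHECKSIG))
```

Two things the strict path gets right that the naive one does not: an
unsigned package is a distinct outcome from a verified one, and anything
with an unexpected shape (including "MISSING KEYS") is refused rather than
waved through. Import the vendor key first; a missing key is not a reason
to relax the check.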

*** {03.32.012} Linux - xpcd-svga HOME env var overflow

The xpcd-svga utility contains a buffer overflow in the handling of a
large HOME environment variable, thereby allowing a local attacker to
execute arbitrary code with elevated privileges.

This vulnerability is confirmed. Updated Debian DEBs are listed at the
reference URL below.

Source: Debian
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0243.html

- --- BSD News -----------------------------------------------------------

*** {03.32.002} BSD - FreeBSD invalid signal values

A FreeBSD advisory indicates the ptrace() subsystem, as well as the
spigot device driver, can allow a local attacker to pass invalid or
negative signal values to the kernel. Because these values are not
properly range-checked before being used in integer comparisons, the
result may be a denial of service.

FreeBSD branches as of Aug. 10, 2003, contain the fix.

Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2003-08/0101.html

*** {03.32.007} BSD - FreeBSD ibcs2 statfs() exposes kernel memory

A FreeBSD advisory indicates the ibcs2 support, when enabled, can allow
a local attacker to read portions of the kernel memory because of a bug
in the statfs() translation function.

FreeBSD branches as of Aug. 10, 2003, contain the fix.

Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2003-08/0102.html

- --- Network Devices News -----------------------------------------------

*** {03.32.017} NetDev - Cisco CSS 11000 series SYN flood DoS

A released advisory indicates Cisco CSS 11000 series devices running
WebNS prior to version 5.00.110s can be caused to stall or reboot by
sending large amounts of SYN traffic.

This vulnerability is not confirmed.

Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0073.html

- --- Cross-Platform News ------------------------------------------------

*** {03.32.003} Cross - Vulnerable PHP applications, 08/12

The following is a list of reported vulnerable third-party PHP CGI
applications. These vulnerabilities are not necessarily confirmed.

Woltlab Burning Board: SQL tampering
http://archives.neohapsis.com/archives/bugtraq/2003-07/0423.html

phpWebSite 0.9.x: SQL tampering
http://archives.neohapsis.com/archives/bugtraq/2003-08/0097.html

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-07/0423.html
http://archives.neohapsis.com/archives/bugtraq/2003-08/0097.html

*** {03.32.011} Cross - pam-pgsql user name format string vuln

The pam-pgsql PAM authentication module is vulnerable to a format string
attack via the supplied user name, thereby allowing an attacker to
execute arbitrary code with the privileges of the process performing the
authentication.

This vulnerability is confirmed. Updated Debian DEBs are listed at the
reference URL below.

Source: Debian
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0246.html

*** {03.32.013} Cross - SBM protocol hijacking via RSVP

A released research paper discusses the possibility of using higher
priority RSVP packets to preempt the current Subnet Bandwidth Manager
(SBM) servers, thus allowing a rogue RSVP server to start handling
requests.

This is an unconfirmed, general protocol attack that may or may not
affect any actual products. One mitigation is to ensure your RSVP servers
use the maximum priority value (255). Note this only removes the
attacker's priority advantage; it does not by itself keep a rogue that
also advertises 255 out of the election.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-08/0114.html

*** {03.32.015} Cross - Netris malicious server overflow

The Netris game contains a buffer overflow that could allow a malicious
server/remote client to execute arbitrary code on the local user's
system when connecting.

This vulnerability is not confirmed.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-08/0127.html

*** {03.32.016} Cross - iPlanet Directory Server admin server file
                access

The administration service included with iPlanet Directory Server
version 5.1 allows anyone with admin access to use the admin HTTP
service to read arbitrary files on the system.

The advisory indicates confirmation by the vendor, which released Sun
Directory Server version 5.2 and iPlanet Directory Server 5.1 Service
Pack 2.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-08/0078.html

- --- Mac OS News --------------------------------------------------------

*** {03.32.018} MacOS - IPNetMonitorX/IPNetSentryX utility script vulns

The IPNetMonitorX and IPNetSentryX application suites come with various
helper utilities that are installed setuid root. These utilities allow
any local user to sniff the network and possibly execute arbitrary code
with elevated privileges because of a format string bug in tcpflow.

The advisory indicates vendor confirmation.

Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0076.html

************************************************************************

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/O9ua+LUG5KFpTkYRAtHxAJ9QIhXzrixAnMBJNqwofh+bKulwyQCghxqC
1F2t0k58ygN1OAFUxfZzSeU=
=tl4V
-----END PGP SIGNATURE-----
------------------------------------------------------------------------


Become a Security Alert Consensus member! If this e-mail was passed to
you and you would like to begin receiving our security e-mail newsletter
on a weekly basis, we invite you to subscribe today.
http://portal.sans.org

We are signing the Consensus newsletter with PGP. The new SANS PGP key
is posted at:
http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
also be accessed from the SANS Web site (http://www.sans.org).

To unsubscribe from this newsletter, or to edit your subscription
information, please go to: http://portal.sans.org

Missed an issue? You can find back issues of Security Alert Consensus
(and other SANS newsletters) online. http://www.sans.org/newsletters

Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.

Copyright (c) 2003 Network Computing, a CMP Media LLC publication. All
Rights Reserved. Distributed by Network Computing
(http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).