Security Alert Consensus #33

From: Network Computing and The SANS Institute (sans@sans.org)
Date: Thu Aug 21 2003 - 17:28:42 CDT


Re: Your personalized newsletter

                 -- Security Alert Consensus --
                       Number 033 (03.33)
                  Thursday, August 21, 2003
                       Created for you by
            Network Computing and the SANS Institute
                      Powered by Neohapsis

----------------------------------------------------------------------

Welcome to the latest edition of Security Alert Consensus! Below you
should find information pertaining only to the categories you requested.
Information on how to manage your subscription can be found at the
bottom of the newsletter. If you have any problems or questions, please
e-mail us at <consensus@nwc.com>.

************************* Begin Advertisement ************************

This issue is sponsored by Mercury Interactive.
Join Network Computing for a FREE Webcast on the impact BTO can
have on IT infrastructure and application management.
BTO is Revolutionizing IT Business Practices
Weds., August 27, 2003, 11:00 AM PT/2:00 PM ET. REGISTER NOW.
http://www.techweb.com/tecwebcasts/bto0803nwc

************************** End Advertisement *************************

The GNU Project's FTP server (ftp.gnu.org) was compromised in March 2003,
and the intrusion was only recently discovered. No software packages are
believed to have been modified, but an attacker with that level of access
could have inserted malicious or trojaned code into many of the popular
GNU application source tarballs, which is quite scary for anyone who
builds from source. Anything fetched from that server during the window
should be checked against checksums or signatures obtained from an
independent source.
http://archives.neohapsis.com/archives/cert/2003-q3/0009.html
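
The check a practitioner would run after an incident like this, as an added
example that is not part of the newsletter, the CERT advisory or any GNU
tooling: compare each locally held tarball against a checksum manifest
obtained out of band. The manifest format is the one md5sum(1) and
sha256sum(1) emit; the file names, manifest and contents below are
constructed for the demonstration.

```python
"""Added example: verify source tarballs against a checksum manifest fetched
from an independent source.  Not GNU project code; all names and contents
below are constructed for illustration."""
import hashlib
import os
import tempfile

# Digest length in hex characters -> hashlib algorithm name.  The 2003
# advisories pointed people at MD5 sums; newer manifests use SHA-256.
# Manifest lines look like "<hex digest>  <filename>" (md5sum/sha256sum style).
_ALGO_BY_HEXLEN = {32: "md5", 40: "sha1", 64: "sha256"}
_HEX = set("0123456789abcdef")

def parse_manifest(text: str) -> dict:
    """Return {filename: (algorithm, hexdigest)} for every entry in the manifest.
    Blank lines and '#' comments are skipped; a leading '*' (binary-mode marker
    written by md5sum -b) is stripped from the file name.  Malformed lines are
    an error rather than silently ignored, so a truncated manifest is noticed."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        digest = digest.lower()
        name = name.strip().lstrip("*")
        algo = _ALGO_BY_HEXLEN.get(len(digest))
        if algo is None or not name or not set(digest) <= _HEX:
            raise ValueError(f"malformed manifest line: {raw!r}")
        entries[name] = (algo, digest)
    return entries

def file_digest(path: str, algo: str, chunk: int = 1 << 16) -> str:
    """Hash a file in chunks so multi-megabyte tarballs are not read into memory."""
    h = hashlib.new(algo)
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_tree(manifest: dict, directory: str) -> dict:
    """Return {filename: 'OK' | 'MISMATCH' | 'MISSING'} for every manifest entry.
    Regular files present in the directory but absent from the manifest are
    reported as 'UNLISTED', so a tarball an intruder added does not slip by
    (keep the manifest itself outside the directory or it will show up too)."""
    results = {}
    for name, (algo, expected) in manifest.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
        elif file_digest(path, algo) == expected:
            results[name] = "OK"
        else:
            results[name] = "MISMATCH"
    for name in os.listdir(directory):
        if name not in manifest and os.path.isfile(os.path.join(directory, name)):
            results[name] = "UNLISTED"
    return results

def demo() -> dict:
    """Constructed scenario: three 'tarballs' in a scratch directory.  One is
    intact, one was tampered with after the manifest was published, one was
    never listed at all, and one listed package is missing from disk."""
    good = b"pretend this is the real tarball\n"
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "foo-1.0.tar.gz"), "wb") as fh:
            fh.write(good)
        with open(os.path.join(d, "bar-2.1.tar.gz"), "wb") as fh:
            fh.write(good + b"# trojan appended\n")
        with open(os.path.join(d, "extra.tar.gz"), "wb") as fh:
            fh.write(b"nobody published a checksum for me\n")
        manifest_text = "\n".join([
            "# MD5SUMS obtained from an independent source (constructed)",
            f"{hashlib.md5(good).hexdigest()}  foo-1.0.tar.gz",
            f"{hashlib.md5(good).hexdigest()}  bar-2.1.tar.gz",
            f"{hashlib.md5(good).hexdigest()}  baz-0.9.tar.gz",
        ])
        return verify_tree(parse_manifest(manifest_text), d)

if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:8s} {name}")
```

A checksum file downloaded from the same compromised server proves nothing:
the sums have to come from somewhere the intruder could not edit, such as
the release announcement on a mailing list or a mirror run by a different
operator, and a detached GPG signature from the maintainer's key is the
stronger check where one exists.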

We still have many worms running around this week. There is a Blaster
variant on the loose whose payload removes the original Blaster and
patches the system, among other things. The Sobig.F worm is also
generating a flood of e-mail with forged sender addresses; that alone
would be tolerable, except that most anti-virus gateways reply to the
forged sender with bounce or "virus detected" notices, so the noise lands
on uninvolved third parties. We've seen and heard about massive Sobig.F
traffic affecting security-related mailing lists, as well (including SAC).

Until next week,
--Security Alert Consensus Team

************************************************************************

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

TABLE OF CONTENTS:

{03.33.009} Win - DameWare Mini-RC Server shatter vuln
{03.33.001} Linux - Updated patches for previous vulnerabilities
{03.33.011} Linux - OpenSLP insecure temp file handling
{03.33.013} SGI - cpr file truncate/overwrite
{03.33.015} SCO - Updated patches for previous vulnerabilities
{03.33.002} Cross - emule/xmule/lmule multiple vulns
{03.33.003} Cross - Dropbear SSH Server format string vuln
{03.33.004} Cross - autorespond utility overflow
{03.33.006} Cross - CiscoWorks admin auth bypass and command exec
{03.33.007} Cross - Fusen News arbitrary account adding
{03.33.008} Cross - Vulnerable PHP applications, 08/19
{03.33.010} Cross - Ecartis multiple vulns
{03.33.012} Cross - Update {03.28.023}: UMN gopherd multiple overflows
{03.33.014} Cross - Poster.version:two arbitrary account adding
{03.33.005} Tru64 - Updated patches for previous vulnerabilities

- --- Windows News -------------------------------------------------------

*** {03.33.009} Win - DameWare Mini-RC Server shatter vuln

DameWare Mini Remote Control Server prior to version 3.71.0.0 is
vulnerable to a 'shatter' attack that allows a local user to execute
arbitrary code with local system privileges.

The advisory indicates confirmation by the vendor, which released
version 3.71.0.0.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-08/0154.html

- --- Linux News ---------------------------------------------------------

*** {03.33.001} Linux - Updated patches for previous vulnerabilities

The following is a list of Linux vendor patches for vulnerabilities
previously reported in Security Alert Consensus.

- --- Red Hat:

RHSA-2003:199-02: unzip
http://archives.neohapsis.com/archives/linux/redhat/2003-q3/0023.html

- --- Conectiva:

CLA-2003:724: unzip
http://archives.neohapsis.com/archives/linux/conectiva/2003-q3/0032.html

- --- Debian:

DSA-358-4: kernel
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0275.html

DSA-364-3: man-db
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0300.html

DSA-372-1: netris
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0286.html

- --- Mandrake:

MDKSA-2003:073-1: unzip
http://archives.neohapsis.com/archives/linux/mandrake/2003-q3/0094.html

MDKSA-2003:082-1: php
http://archives.neohapsis.com/archives/linux/mandrake/2003-q3/0079.html

MDKSA-2003:083: eroaster
http://archives.neohapsis.com/archives/linux/mandrake/2003-q3/0095.html

Source: Red Hat, Conectiva, Debian, Mandrake
http://archives.neohapsis.com/archives/linux/redhat/2003-q3/0023.html
http://archives.neohapsis.com/archives/linux/conectiva/2003-q3/0032.html
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0275.html
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0300.html
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0286.html
http://archives.neohapsis.com/archives/linux/mandrake/2003-q3/0094.html
http://archives.neohapsis.com/archives/linux/mandrake/2003-q3/0079.html
http://archives.neohapsis.com/archives/linux/mandrake/2003-q3/0095.html

*** {03.33.011} Linux - OpenSLP insecure temp file handling

OpenSLP version 1.0.11 handles temporary files insecurely within the
slpd.all_init script. A local attacker can mount a symlink attack and have
the script overwrite files with whatever privileges it runs under.

The advisory indicates vendor confirmation.

Updated Conectiva RPMs:
http://archives.neohapsis.com/archives/linux/conectiva/2003-q3/0031.html

Source: SecurityFocus Bugtraq, Conectiva
http://archives.neohapsis.com/archives/bugtraq/2003-08/0252.html
http://archives.neohapsis.com/archives/linux/conectiva/2003-q3/0031.html
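
The pattern behind this class of bug and its fix, as an added Python
example that is not OpenSLP code (the name slpd.tmp and the sandbox
directory are assumptions made for the demonstration): the script writes
to a predictably named file in a shared directory with a plain truncating
open, so an attacker who plants a symlink at that name first gets the
script to overwrite the link's target.

```python
"""Added example, not OpenSLP code: a predictable temp file followed by a
symlink attack, next to a hardened version, exercised against a throwaway
sandbox directory.  PREDICTABLE_NAME is an assumption for illustration."""
import os
import tempfile

PREDICTABLE_NAME = "slpd.tmp"  # assumed fixed name; the real script's is not given here

def insecure_init(scratch_dir: str, payload: bytes) -> str:
    """Vulnerable pattern: a fixed, guessable name in a directory other users
    can write to, opened with a plain truncating open().  open() follows
    symlinks, so if an attacker pre-created the path as a link to a victim
    file, the (possibly root) script clobbers the victim instead."""
    path = os.path.join(scratch_dir, PREDICTABLE_NAME)
    with open(path, "wb") as fh:
        fh.write(payload)
    return path

def secure_init(scratch_dir: str, payload: bytes) -> str:
    """Hardened pattern: mkstemp() picks an unguessable name and opens it with
    O_CREAT|O_EXCL and mode 0600, so a pre-planted symlink or file at the
    chosen name makes the open fail instead of being followed.  O_EXCL on a
    fixed name would stop the overwrite but still let the attacker deny
    service by creating the file first; the random name closes that too."""
    fd, path = tempfile.mkstemp(prefix="slpd.", dir=scratch_dir)
    try:
        os.write(fd, payload)
    finally:
        os.close(fd)
    return path

def symlink_attack_succeeds(init_fn) -> bool:
    """Race simulation: the attacker wins by planting the symlink before
    init_fn runs.  Returns True if the victim file was overwritten."""
    with tempfile.TemporaryDirectory() as sandbox:
        victim = os.path.join(sandbox, "victim.conf")  # stands in for a system file (constructed)
        with open(victim, "wb") as fh:
            fh.write(b"original\n")
        os.symlink(victim, os.path.join(sandbox, PREDICTABLE_NAME))
        init_fn(sandbox, b"attacker-chosen contents\n")
        with open(victim, "rb") as fh:
            return fh.read() != b"original\n"

if __name__ == "__main__":
    print("insecure_init clobbered victim:", symlink_attack_succeeds(insecure_init))
    print("secure_init clobbered victim:  ", symlink_attack_succeeds(secure_init))
```

The same fix in a shell init script is mktemp(1) instead of a hard-coded
path under /tmp, with the script aborting if mktemp fails rather than
falling back to a fixed name.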

- --- SGI News -----------------------------------------------------------

*** {03.33.013} SGI - cpr file truncate/overwrite

An SGI advisory indicates the checkpoint restart utility (cpr) may allow
a local attacker to truncate or overwrite arbitrary local files.

Patch information is included at the reference URL below.

Source: SGI
http://archives.neohapsis.com/archives/vendor/2003-q3/0054.html

- --- SCO News -----------------------------------------------------------

*** {03.33.015} SCO - Updated patches for previous vulnerabilities

The following is a list of SCO vendor patches for vulnerabilities
previously reported in Security Alert Consensus.

CSSA-2003-SCO.15: metamail
http://archives.neohapsis.com/archives/linux/caldera/2003-q3/0004.html
http://archives.neohapsis.com/archives/linux/caldera/2003-q3/0005.html

Source: SCO
http://archives.neohapsis.com/archives/linux/caldera/2003-q3/0004.html
http://archives.neohapsis.com/archives/linux/caldera/2003-q3/0005.html

- --- Cross-Platform News ------------------------------------------------

*** {03.33.002} Cross - emule/xmule/lmule multiple vulns

The emule, xmule and lmule applications (which share a common code base)
contain multiple vulnerabilities: several format string bugs and heap
buffer overflows in the handling of various protocol packets, and a
double-free vulnerability.

The advisory indicates confirmation by the vendor, which released
updated versions.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-08/0259.html

*** {03.33.003} Cross - Dropbear SSH Server format string vuln

Dropbear SSH Server prior to version 0.35 contains a format string
vulnerability that allows a remote attacker to execute arbitrary code
on the target system.

The advisory indicates confirmation by the vendor, which released
version 0.35.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-08/0242.html

*** {03.33.004} Cross - autorespond utility overflow

The autorespond utility usable with qmail contains a buffer overflow
that could allow a remote attacker to execute arbitrary code.

Debian confirmed this vulnerability and released updated DEBs, listed
at the reference URL below.

Source: Debian
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0287.html

*** {03.33.006} Cross - CiscoWorks admin auth bypass and command exec

CiscoWorks CMF versions 2.1 and prior contain two vulnerabilities: normal
users can reach administrative functionality without supplying an
administrator user name and password, and normal authenticated users are
able to execute commands on the CiscoWorks server.

Cisco confirmed these vulnerabilities and released version 2.2.

Source: Cisco
http://archives.neohapsis.com/archives/cisco/2003-q3/0007.html

*** {03.33.007} Cross - Fusen News arbitrary account adding

The Fusen news Web CGI suite version 3.3 reportedly allows a remote
attacker to add arbitrary accounts to the Web application by using a
specific URL request.

This vulnerability is not confirmed.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-08/0201.html

*** {03.33.008} Cross - Vulnerable PHP applications, 08/19

The following is a list of reportedly vulnerable third-party PHP CGI
applications. These vulnerabilities are not necessarily confirmed.

Horde 2.2.4: session key exposed in Referer
http://archives.neohapsis.com/archives/bugtraq/2003-08/0155.html

Hola CMS 1.2.9: admin auth info disclosure
http://archives.neohapsis.com/archives/bugtraq/2003-08/0159.html

MatrikzGB 2.0: admin rights elevation
http://archives.neohapsis.com/archives/bugtraq/2003-08/0245.html

AttilaPHP 3.0: XSS, SQL tampering, info disclosure
http://archives.neohapsis.com/archives/bugtraq/2003-08/0263.html

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-08/0155.html
http://archives.neohapsis.com/archives/bugtraq/2003-08/0159.html
http://archives.neohapsis.com/archives/bugtraq/2003-08/0245.html
http://archives.neohapsis.com/archives/bugtraq/2003-08/0263.html

*** {03.33.010} Cross - Ecartis multiple vulns

Ecartis mail manager version 1.0 reportedly contains multiple buffer
overflows that could allow a remote attacker to execute arbitrary code.
The liscript utility also improperly expands application variables,
potentially allowing an attacker to recover configuration values
(including the post password).

These vulnerabilities are not confirmed.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-08/0161.html

*** {03.33.012} Cross - Update {03.28.023}: UMN gopherd multiple
                overflows

UMN released updated gopherd packages that fix the vulnerability
discussed in {03.28.023} ("UMN gopherd multiple overflows").

Update information is listed at the reference URL below.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-08/0256.html

*** {03.33.014} Cross - Poster.version:two arbitrary account adding

The Poster.version:two Web CGI suite reportedly allows a remote attacker
to add arbitrary accounts to the Web application by using a specific
URL request.

This vulnerability is not confirmed.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-08/0205.html

- --- Tru64 News ---------------------------------------------------------

*** {03.33.005} Tru64 - Updated patches for previous vulnerabilities

The following is a list of Tru64 vendor patches for vulnerabilities
previously reported in Security Alert Consensus.

SSRT3498: screend
http://archives.neohapsis.com/archives/tru64/2003-q3/0003.html

SSRT3499, SSRT3518: openssl
http://archives.neohapsis.com/archives/tru64/2003-q3/0004.html

SSRT3608: DCE
http://archives.neohapsis.com/archives/tru64/2003-q3/0005.html

Source: HP/Compaq
http://archives.neohapsis.com/archives/tru64/2003-q3/0003.html
http://archives.neohapsis.com/archives/tru64/2003-q3/0004.html
http://archives.neohapsis.com/archives/tru64/2003-q3/0005.html

************************************************************************

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/RRGz+LUG5KFpTkYRAqI8AJsGOX7EeepUD2QbzhY4Ce6EJaFRQQCfQOYI
0DiAW8hHWmzHf3a/GrJSvu0=
=uDCX
-----END PGP SIGNATURE-----
------------------------------------------------------------------------

Become a Security Alert Consensus member! If this e-mail was passed to
you and you would like to begin receiving our security e-mail newsletter
on a weekly basis, we invite you to subscribe today.
http://portal.sans.org

We are signing the Consensus newsletter with PGP. The new SANS PGP key
is posted at:
http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
also be accessed from the SANS Web site (http://www.sans.org).

To unsubscribe from this newsletter, or to edit your subscription
information, please go to: http://portal.sans.org

Missed an issue? You can find back issues of Security Alert Consensus
(and other SANS newsletters) online. http://www.sans.org/newsletters

Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.

Copyright (c) 2003 Network Computing, a CMP Media LLC publication. All
Rights Reserved. Distributed by Network Computing
(http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).