Security Alert Consensus #34
From: Network Computing and The SANS Institute (sans@sans.org)
Date: Thu Aug 28 2003 - 18:42:50 CDT
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 034 (03.34)
Thursday, August 28, 2003
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below you
should find information pertaining only to the categories you requested.
Information on how to manage your subscription can be found at the
bottom of the newsletter. If you have any problems or questions, please
e-mail us at <consensus@nwc.com>.
************************* Begin Advertisement ************************
This issue is sponsored by Wily Technology.
Join InformationWeek for a FREE Webcast on J2EE Application
Management: The Critical Tools and Processes for eBusiness
Success on Tues., Sept. 9, 2003 at 9:00 AM PT/12:00 PM ET. Learn
to better manage your Java application performance and availability.
REGISTER NOW. http://www.techweb.com/techwebcasts/j2eee0903nwc
************************** End Advertisement *************************
The biggest vulnerabilities this week are a few new bugs in Internet
Explorer (reported as item {03.34.005}) and a buffer overflow in
Helix/RealServer (reported as item {03.34.012}). The Helix/RealServer
bug is being actively exploited in the wild. Interestingly enough, the
exploit for this bug was included in ImmunitySec.com's CANVAS
'exploitation framework' long before the vendor actually patched the
problem.
In other news, worms are still plaguing the Internet. Whether it's
Sobig, Blaster or Welchia, the current worms are all reminders that we
are all in this together. You can have perfect security, but if other
people on the Internet are not up to date on their patches, you are
still likely to feel some pain (particularly with Sobig). The day has
also arrived when perfect perimeter security is not enough--worms can
slip in through vendor/B2B WAN links or be carried in on employee
laptops.
Until next week,
--Security Alert Consensus Team
************************************************************************
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
TABLE OF CONTENTS:
{03.34.003} Win - Avant browser large URL DoS
{03.34.005} Win - MS03-032: Internet Explorer cumulative patch, 8/26
{03.34.015} Win - eTrust AntiVirus system account lockout DoS
{03.34.018} Win - MS03-033: MDAC function buffer overflow
{03.34.001} Linux - Updated patches for previous vulnerabilities
{03.34.004} Linux - ViRobot multiple overflows
{03.34.009} Linux - GDM local file reading and XDMCP DoS
{03.34.020} BSD - OpenBSD semget() memory exhaustion DoS
{03.34.002} Cross - OMail CGI command exec
{03.34.006} Cross - Intersystems Cache DB multiple vulns
{03.34.007} Cross - Sendmail DNS map DoS
{03.34.008} Cross - pam_smb long password overflow
{03.34.010} Cross - widz SSID command exec
{03.34.011} Cross - docview CGI file reading
{03.34.012} Cross - Helix/RealServer view source plugin vuln
{03.34.013} Cross - BitKeeper trigger vuln
{03.34.016} Cross - Dreamweaver/UltraDev behaviors XSS vuln
{03.34.017} Cross - vpop3d large user name DoS
{03.34.019} Cross - srcpd multiple overflows
{03.34.014} Tru64 - SSH improper RSA key checking
- --- Windows News -------------------------------------------------------
*** {03.34.003} Win - Avant browser large URL DoS
Avant Browser version 8.02 reportedly crashes when attempting to access
a very long URL. The URL can be entered manually or included in a link
on a Web page, which the user must click.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-08/0325.html
*** {03.34.005} Win - MS03-032: Internet Explorer cumulative patch, 8/26
Microsoft released MS03-032 ("Internet Explorer cumulative patch 8/26").
This is a cumulative patch for Internet Explorer versions 5.01 through
6.0 that fixes three new vulnerabilities: a problem with the
cross-domain security model, which allows script execution in the local
computer zone; a vulnerability in object type handling, which allows
execution of arbitrary code; and an unspecified security vulnerability
in the BR549.DLL ActiveX control.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS03-032.asp
Source: Microsoft
http://archives.neohapsis.com/archives/microsoft/2003-q3/0016.html
*** {03.34.015} Win - eTrust AntiVirus system account lockout DoS
eTrust AntiVirus version 7.0 occasionally locks out the local system
account, which causes a denial of service situation.
This vulnerability is confirmed. Update information is available at the
reference URL below.
Source: NTBugtraq
http://archives.neohapsis.com/archives/ntbugtraq/2003-q3/0156.html
*** {03.34.018} Win - MS03-033: MDAC function buffer overflow
Microsoft released MS03-033 ("MDAC function buffer overflow"). MDAC
versions 2.5 through 2.7 contain a buffer overflow in an unspecified
function that could allow an attacker to execute arbitrary code under
the privileges of the application using the vulnerable MDAC components.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS03-033.asp
Source: Microsoft
http://archives.neohapsis.com/archives/microsoft/2003-q3/0015.html
- --- Linux News ---------------------------------------------------------
*** {03.34.001} Linux - Updated patches for previous vulnerabilities
The following is a list of Linux vendor patches for vulnerabilities
previously reported in Security Alert Consensus.
- --- Red Hat:
RHSA-2003:213-01: iptables
http://archives.neohapsis.com/archives/linux/redhat/2003-q3/0027.html
- --- Debian:
DSA-344-2: unzip
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0370.html
- --- Mandrake:
MDKSA-2003:084: perl-CGI
http://archives.neohapsis.com/archives/linux/mandrake/2003-q3/0097.html
Source: Red Hat, Debian, Mandrake
http://archives.neohapsis.com/archives/linux/redhat/2003-q3/0027.html
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0370.html
http://archives.neohapsis.com/archives/linux/mandrake/2003-q3/0097.html
*** {03.34.004} Linux - ViRobot multiple overflows
A security advisory indicates many of the setuid applications included
with ViRobot version 2.0 contain buffer overflows that allow local (and
possibly remote) attackers to execute arbitrary code with root
privileges.
These vulnerabilities are not confirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0083.html
*** {03.34.009} Linux - GDM local file reading and XDMCP DoS
GDM versions prior to 2.4.1.6 allow a local attacker to perform a
symlink attack and read arbitrary local files via the 'examine session
errors' feature. A denial of service attack also was found in the XDMCP
code.
These vulnerabilities are confirmed.
Updated Red Hat RPMs:
http://archives.neohapsis.com/archives/linux/redhat/2003-q3/0026.html
Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/linux/mandrake/2003-q3/0100.html
Updated Slackware tarballs:
http://archives.neohapsis.com/archives/bugtraq/2003-08/0347.html
Source: Red Hat, Mandrake, Slackware (SF Bugtraq)
http://archives.neohapsis.com/archives/linux/redhat/2003-q3/0026.html
http://archives.neohapsis.com/archives/linux/mandrake/2003-q3/0100.html
http://archives.neohapsis.com/archives/bugtraq/2003-08/0347.html
- --- BSD News -----------------------------------------------------------
*** {03.34.020} BSD - OpenBSD semget() memory exhaustion DoS
OpenBSD version 3.3 contains a bug in the semget() function that could
allow a local attacker to consume all memory and thus cause a kernel
panic.
This vulnerability is confirmed and fixed in CVS. A patch is available
at:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/002_semget.patch
Source: OpenBSD
http://archives.neohapsis.com/archives/openbsd/2003-08/1342.html
- --- Cross-Platform News ------------------------------------------------
*** {03.34.002} Cross - OMail CGI command exec
The OMail CGI suite version 0.98.x reportedly does not properly filter
out various URL parameters before using and passing them to be executed
as a command-line string. This allows a remote attacker to execute
arbitrary commands under the privileges of the Web server.
This vulnerability is confirmed; an update is available at:
http://prdownloads.sourceforge.net/omail/omail-webmail-0.98.5.tar.gz
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-08/0289.html
http://archives.neohapsis.com/archives/bugtraq/2003-08/0318.html
*** {03.34.006} Cross - Intersystems Cache DB multiple vulns
The Intersystems Cache database reportedly contains two vulnerabilities
that let a local attacker gain root privileges.
These vulnerabilities are not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-08/0308.html
*** {03.34.007} Cross - Sendmail DNS map DoS
Sendmail versions 8.12.0 through 8.12.8 contain a denial of service
vulnerability in the handling of invalid DNS responses received when
the 'enhdnsbl' DNS map feature is enabled.
This vulnerability is confirmed and fixed in version 8.12.9.
Updated SuSE RPMs:
http://archives.neohapsis.com/archives/linux/suse/2003-q3/0592.html
Updated Mandrake RPMs:
http://archives.neohapsis.com/archives/linux/mandrake/2003-q3/0115.html
OpenBSD update info:
http://archives.neohapsis.com/archives/openbsd/2003-08/1907.html
IRIX update info:
http://archives.neohapsis.com/archives/vendor/2003-q3/0061.html
Source: Sendmail, SuSE, Mandrake, OpenBSD, SGI
http://archives.neohapsis.com/archives/sendmail/2003-q3/0001.html
http://archives.neohapsis.com/archives/linux/suse/2003-q3/0592.html
http://archives.neohapsis.com/archives/linux/mandrake/2003-q3/0115.html
http://archives.neohapsis.com/archives/openbsd/2003-08/1907.html
http://archives.neohapsis.com/archives/vendor/2003-q3/0061.html
*** {03.34.008} Cross - pam_smb long password overflow
The (lib)pam_smb authentication module contains a buffer overflow in
the handling of large user passwords that allows a remote attacker to
execute arbitrary code on the system.
This vulnerability is confirmed.
Updated Red Hat RPMs:
http://archives.neohapsis.com/archives/linux/redhat/2003-q3/0028.html
Updated Debian DEBs:
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0376.html
Source: Red Hat, Debian
http://archives.neohapsis.com/archives/linux/redhat/2003-q3/0028.html
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0376.html
*** {03.34.010} Cross - widz SSID command exec
The widz 'wireless intrusion detection' utility version 1.5 does not
properly filter out the SSID value before passing it to the system()
function, thereby allowing a remote attacker to execute arbitrary
commands on the system running widz.
This vulnerability is not confirmed.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0085.html
*** {03.34.011} Cross - docview CGI file reading
The docview CGI utility allows a remote attacker to read arbitrary files
readable by the Web server.
This vulnerability is confirmed.
Updated Caldera/SCO Linux RPMs:
http://archives.neohapsis.com/archives/linux/caldera/2003-q3/0007.html
http://archives.neohapsis.com/archives/linux/caldera/2003-q3/0008.html
OpenServer/Unixware update information:
http://archives.neohapsis.com/archives/linux/caldera/2003-q3/0009.html
http://archives.neohapsis.com/archives/linux/caldera/2003-q3/0010.html
Source: SCO
http://archives.neohapsis.com/archives/linux/caldera/2003-q3/0007.html
http://archives.neohapsis.com/archives/linux/caldera/2003-q3/0008.html
http://archives.neohapsis.com/archives/linux/caldera/2003-q3/0009.html
http://archives.neohapsis.com/archives/linux/caldera/2003-q3/0010.html
*** {03.34.012} Cross - Helix/RealServer view source plugin vuln
The Helix and RealServer suites contain a remotely exploitable buffer
overflow in the handling of particular URLs by the view source plugin.
The vulnerability allows a remote attacker to execute arbitrary code
with root privileges.
The vendor confirmed this vulnerability. Workaround information is
available at:
http://www.service.real.com/help/faq/security/rootexploit082203.html
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q3/0087.html
*** {03.34.013} Cross - BitKeeper trigger vuln
The BitKeeper system versions prior to 3.0.2 reportedly contain a
vulnerability in the handling of commit triggers, which can be exploited
by a commit of an untrusted/malicious source code file.
The advisory indicates vendor confirmation.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-08/0307.html
*** {03.34.016} Cross - Dreamweaver/UltraDev behaviors XSS vuln
The Macromedia Dreamweaver and UltraDev suites contain a cross-site
scripting vulnerability in the server behavior templates. Any sites
created using the various vulnerable behaviors need to be updated.
Update information is included at the reference URL below.
Source: Macromedia
http://archives.neohapsis.com/archives/vendor/2003-q3/0059.html
*** {03.34.017} Cross - vpop3d large user name DoS
The vpop3d daemon reportedly crashes when a large user name is sent to
the service.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-08/0332.html
*** {03.34.019} Cross - srcpd multiple overflows
The srcpd "simple railroad command protocol" daemon version 2.0 contains
multiple remotely exploitable buffer and integer overflows that could
allow an attacker to execute arbitrary code on the target system.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-08/0306.html
- --- Tru64 News ---------------------------------------------------------
*** {03.34.014} Tru64 - SSH improper RSA key checking
An HP advisory indicates the SSH service included with Tru64 versions
5.1A and 5.1B does not properly check RSA keys, potentially allowing a
remote attacker to authenticate without a valid RSA certificate.
This vulnerability is confirmed. Update information is available at the
reference URL below.
Source: HP
http://archives.neohapsis.com/archives/tru64/2003-q3/0007.html
************************************************************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
iD8DBQE/TlBV+LUG5KFpTkYRAhYwAJ0Y0dWAC8LVtVG2DT5nD0+fIvJAyACfU6KN
PFIMj3nIOpmze23kjdZhzA4=
=SjiD
-----END PGP SIGNATURE-----
------------------------------------------------------------------------
Become a Security Alert Consensus member! If this e-mail was passed to
you and you would like to begin receiving our security e-mail newsletter
on a weekly basis, we invite you to subscribe today.
http://portal.sans.org
We are signing the Consensus newsletter with PGP. The new SANS PGP key
is posted at:
http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
also be accessed from the SANS Web site (http://www.sans.org).
To unsubscribe from this newsletter, or to edit your subscription
information, please go to: http://portal.sans.org
Missed an issue? You can find back issues of Security Alert Consensus
(and other SANS newsletters) online. http://www.sans.org/newsletters
Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com>.
Copyright (c) 2003 Network Computing, a CMP Media LLC publication. All
Rights Reserved. Distributed by Network Computing
(http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).