Security Alert Consensus #40
From: Network Computing and The SANS Institute (sans sans.org)
Date: Thu Oct 09 2003 - 16:32:41 CDT
Re: Your personalized newsletter
-- Security Alert Consensus --
Number 040 (03.40)
Thursday, October 9, 2003
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to the latest edition of Security Alert Consensus! Below you
should find information pertaining only to the categories you requested.
Information on how to manage your subscription can be found at the
bottom of the newsletter. If you have any problems or questions, please
e-mail us at <consensus nwc.com>.
Cross-site scripting and other client-side browser vulnerabilities
typically are given a low severity ranking by many security experts and
automated security software. Recently, however, we've noticed many cases
in which these supposedly "lesser severity" vulnerabilities are used to
cause major problems. The biggest example is a banner ad server that
served malicious JavaScript meant to autoexecute code in Internet
Explorer. Another notable compromise is the stealing of Half-Life 2
source code, supposedly via a Microsoft Outlook bug, tickled by a
malicious e-mail.
It's important to note that a "low-severity" vulnerability may be rated
such because of the feasibility of exploitation, not the overall damage
that can be caused. Therefore, those of you who make it routine to fix
only moderate- and critical-level vulnerabilities should reassess the
exploitation avenues you are leaving open by delaying fixes for the
low-severity bugs. You never know; perhaps multiple low-severity bugs
can be combined into a critical-severity exploitation.
Until next week,
--Security Alert Consensus Team
************************************************************************
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
TABLE OF CONTENTS:
{03.40.015} Win - MS03-040: Internet Explorer cumulative patch, 10/07
{03.40.016} Win - EarthStation 5 P2P app multiple vulns
{03.40.017} Win - Adobe SVG viewer multiple vulns
{03.40.001} Linux - Updated patches for previous vulnerabilities
{03.40.013} Linux - SuSE config script insecure temp file handling
{03.40.008} BSD - Updated patches for previous vulnerabilities
{03.40.009} BSD - FreeBSD readv() increments reference count
{03.40.010} BSD - FreeBSD procfs uio kernel memory reading
{03.40.005} NetDev - Conexant Access Runner DSL console login bypass
{03.40.002} Cross - Update {03.39.004}: OpenSSL ASN.1 parsing vulns
{03.40.003} Cross - JBoss HSQLDB multiple vulns
{03.40.004} Cross - OpenSSL malformed public key DoS
{03.40.006} Cross - DB2 INVOKE and LOAD command overflows
{03.40.007} Cross - slocate negative pathlen vuln
{03.40.011} Cross - mod_gzip debug mode multiple vulns
{03.40.012} Cross - Vulnerable PHP applications, 10/07
{03.40.014} Cross - PeopleSoft 'grid' search user file access
{03.40.018} Cross - Fortigate firewall malicious log entry vuln
- --- Windows News -------------------------------------------------------
*** {03.40.015} Win - MS03-040: Internet Explorer cumulative patch,
10/07
Microsoft released MS03-040 ("Internet Explorer cumulative patch
10/07"). The cumulative patch fixes all known problems to date as well
as two new problems that allow a malicious Web site or e-mail to execute
arbitrary code on the user's system.
FAQ and patch:
http://www.microsoft.com/technet/security/bulletin/MS03-040.asp
Source: Microsoft
http://archives.neohapsis.com/archives/microsoft/2003-q4/0001.html
*** {03.40.016} Win - EarthStation 5 P2P app multiple vulns
The EarthStation 5 P2P application reportedly contains multiple remotely
exploitable vulnerabilities that could allow an attacker to execute
arbitrary code or delete arbitrary files from the system.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-10/0031.html
*** {03.40.017} Win - Adobe SVG viewer multiple vulns
The Adobe SVG viewer browser plugin contains multiple vulnerabilities:
execution of JavaScript regardless of browser security settings; viewing
of local files; and execution of JavaScript in the Local System security
domain.
The advisory indicates confirmation by the vendor, which released an
update, available at:
http://www.adobe.com/svg/viewer/install/mainframed.html
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q4/0007.html
http://archives.neohapsis.com/archives/vulnwatch/2003-q4/0008.html
http://archives.neohapsis.com/archives/vulnwatch/2003-q4/0009.html
- --- Linux News ---------------------------------------------------------
*** {03.40.001} Linux - Updated patches for previous vulnerabilities
The following is a list of Linux vendor patches for vulnerabilities
previously reported in Security Alert Consensus.
- --- Red Hat:
RHSA-2003:256-02: Perl
http://archives.neohapsis.com/archives/linux/redhat/2003-q4/0001.html
RHSA-2003:278-01: SANE
http://archives.neohapsis.com/archives/linux/redhat/2003-q4/0002.html
- --- Conectiva:
CLA-2003:757: vixie-cron
http://archives.neohapsis.com/archives/linux/conectiva/2003-q4/0001.html
CLA-2003:758: vixie-cron
http://archives.neohapsis.com/archives/linux/conectiva/2003-q4/0002.html
CLA-2003:760: mplayer
http://archives.neohapsis.com/archives/linux/conectiva/2003-q4/0004.html
CLA-2003:759: OpenSSL
http://archives.neohapsis.com/archives/linux/conectiva/2003-q4/0003.html
- --- Debian:
DSA-393-1: OpenSSL
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0852.html
- --- Mandrake:
MDKSA-2003:098: OpenSSL
http://archives.neohapsis.com/archives/linux/mandrake/2003-q3/0235.html
- --- SuSE:
SuSE-SA:2003:041: LSH
http://archives.neohapsis.com/archives/linux/suse/2003-q3/0939.html
SuSE-SA:2003:042: MySQL
http://archives.neohapsis.com/archives/linux/suse/2003-q3/0941.html
SuSE-SA:2003:043: OpenSSL
http://archives.neohapsis.com/archives/linux/suse/2003-q4/0002.html
- --- Slackware:
SSA:2003-273-01: OpenSSL
http://archives.neohapsis.com/archives/bugtraq/2003-09/0545.html
- --- Tawie:
2003-10-02: OpenSSL
http://archives.neohapsis.com/archives/bugtraq/2003-10/0016.html
2003-10-03: OpenSSL
http://archives.neohapsis.com/archives/bugtraq/2003-10/0040.html
- --- EnGarde:
ESA-20031003-028: OpenSSL
http://archives.neohapsis.com/archives/linux/engarde/2003-q4/0001.html
- --- Caldera:
CSSA-2003-024.0: wu-ftpd
http://archives.neohapsis.com/archives/linux/caldera/2003-q4/0001.html
CSSA-2003-025.0: wget
http://archives.neohapsis.com/archives/linux/caldera/2003-q4/0002.html
CSSA-2003-026.0: stunnel
http://archives.neohapsis.com/archives/linux/caldera/2003-q4/0003.html
CSSA-2003-027.0: OpenSSL
http://archives.neohapsis.com/archives/linux/caldera/2003-q4/0004.html
Source: Red Hat, Conectiva, Debian, Mandrake, SuSE, Slackware, Tawie,
EnGarde, Caldera (SF Bugtraq)
http://archives.neohapsis.com/archives/linux/redhat/2003-q4/0001.html
http://archives.neohapsis.com/archives/linux/redhat/2003-q4/0002.html
http://archives.neohapsis.com/archives/linux/conectiva/2003-q4/0001.html
http://archives.neohapsis.com/archives/linux/conectiva/2003-q4/0002.html
http://archives.neohapsis.com/archives/linux/conectiva/2003-q4/0004.html
http://archives.neohapsis.com/archives/linux/conectiva/2003-q4/0003.html
http://archives.neohapsis.com/archives/linux/debian/2003-q3/0852.html
http://archives.neohapsis.com/archives/linux/mandrake/2003-q3/0235.html
http://archives.neohapsis.com/archives/linux/suse/2003-q3/0939.html
http://archives.neohapsis.com/archives/linux/suse/2003-q3/0941.html
http://archives.neohapsis.com/archives/linux/suse/2003-q4/0002.html
http://archives.neohapsis.com/archives/bugtraq/2003-09/0545.html
http://archives.neohapsis.com/archives/bugtraq/2003-10/0016.html
http://archives.neohapsis.com/archives/bugtraq/2003-10/0040.html
http://archives.neohapsis.com/archives/linux/engarde/2003-q4/0001.html
http://archives.neohapsis.com/archives/linux/caldera/2003-q4/0001.html
http://archives.neohapsis.com/archives/linux/caldera/2003-q4/0002.html
http://archives.neohapsis.com/archives/linux/caldera/2003-q4/0003.html
http://archives.neohapsis.com/archives/linux/caldera/2003-q4/0004.html
*** {03.40.013} Linux - SuSE config script insecure temp file handling
The SuSEconfig.susewm and SuSEconfig.javarunt configuration scripts
shipped with SuSE Linux insecurely use temporary files, which allows a
local user to perform a symlink attack to overwrite the contents of
arbitrary files on the system.
The vendor confirmed this vulnerability.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-10/0068.html
http://archives.neohapsis.com/archives/bugtraq/2003-10/0073.html
http://archives.neohapsis.com/archives/bugtraq/2003-10/0085.html
- --- BSD News -----------------------------------------------------------
*** {03.40.008} BSD - Updated patches for previous vulnerabilities
The following is a list of BSD vendor patches for vulnerabilities
previously reported in Security Alert Consensus.
- --- FreeBSD
FreeBSD-SA-03:18: OpenSSL
http://archives.neohapsis.com/archives/freebsd/2003-10/0008.html
FreeBSD-SA-03:15: OpenSSH
http://archives.neohapsis.com/archives/freebsd/2003-10/0023.html
- --- OpenBSD
OpenSSL:
http://archives.neohapsis.com/archives/openbsd/2003-10/0173.html
arp:
http://archives.neohapsis.com/archives/openbsd/2003-10/0370.html
Source: FreeBSD, OpenBSD
http://archives.neohapsis.com/archives/freebsd/2003-10/0008.html
http://archives.neohapsis.com/archives/freebsd/2003-10/0023.html
http://archives.neohapsis.com/archives/openbsd/2003-10/0173.html
http://archives.neohapsis.com/archives/openbsd/2003-10/0370.html
*** {03.40.009} BSD - FreeBSD readv() increments reference count
The readv() function as implemented by FreeBSD incorrectly increments
the reference count on the supplied file descriptor. Multiple uses of
the function can cause the reference count to wrap. At that point, the
local attacker can call close(), causing the system to crash.
FreeBSD confirmed this vulnerability and committed fixes to CVS as of
Oct. 2, 2003.
Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2003-10/0005.html
*** {03.40.010} BSD - FreeBSD procfs uio kernel memory reading
All versions of FreeBSD contain a bug in the implementation of the
procfs file system's use of the uio family of functions. It may be
possible for a local attacker to read arbitrary portions of kernel
memory.
FreeBSD confirmed this vulnerability. CVS versions as of Oct. 3, 2003,
contain a fix.
Source: FreeBSD
http://archives.neohapsis.com/archives/freebsd/2003-10/0007.html
- --- Network Devices News -----------------------------------------------
*** {03.40.005} NetDev - Conexant Access Runner DSL console login bypass
The Conexant Access Runner DSL device running firmware version 3.21
allows remote attackers to access the administrative telnet console
without requiring a proper password.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-10/0064.html
- --- Cross-Platform News ------------------------------------------------
*** {03.40.002} Cross - Update {03.39.004}: OpenSSL ASN.1 parsing vulns
Many vendors released updated OpenSSL packages that fix the
vulnerability discussed in {03.39.004} ("OpenSSL ASN.1 parsing vulns").
Linux and BSD update information is included in the "Updated patches
for previous vulnerabilities" SAC items in the respective categories.
Novell update information:
http://archives.neohapsis.com/archives/bugtraq/2003-10/0008.html
IRIX update information:
http://archives.neohapsis.com/archives/vendor/2003-q3/0100.html
HP-UX update information:
http://archives.neohapsis.com/archives/hp/2003-q4/0001.html
SCO update information:
http://archives.neohapsis.com/archives/bugtraq/2003-10/0025.html
Source: SecurityFocus Bugtraq, SGI, HP, SCO
http://archives.neohapsis.com/archives/bugtraq/2003-10/0008.html
http://archives.neohapsis.com/archives/vendor/2003-q3/0100.html
http://archives.neohapsis.com/archives/hp/2003-q4/0001.html
http://archives.neohapsis.com/archives/bugtraq/2003-10/0025.html
*** {03.40.003} Cross - JBoss HSQLDB multiple vulns
JBoss version 3.2.1 reportedly contains multiple vulnerabilities in the
HSQLDB support that allow remote attackers to compromise the system in
various ways, including executing arbitrary commands.
The advisory indicates vendor confirmation.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-10/0074.html
*** {03.40.004} Cross - OpenSSL malformed public key DoS
OpenSSL contains another bug whereby an SSLv2 CLIENT_MASTER_KEY message
can cause the listening SSL-enabled service to crash, leading to a
denial of service.
Because many vendors are addressing this problem within patches that
address the other recent OpenSSL vulnerabilities, the list of available
patches has been merged with patches for the previous OpenSSL
vulnerabilities. The patch list can be found in the "Updated patches
for previous vulnerabilities" SAC item for your particular platform
(assuming your vendor has released a patch).
Also note that many network devices are vulnerable to all these various
OpenSSL bugs. A decent list can be found at the bottom of the CERT
advisory. A copy can be viewed at:
http://archives.neohapsis.com/archives/cert/2003-q4/0001.html
Cisco users should specifically check the Cisco advisory:
http://archives.neohapsis.com/archives/cisco/2003-q3/0014.html
Source: SecurityFocus Bugtraq, CERT, Cisco
http://archives.neohapsis.com/archives/bugtraq/2003-10/0012.html
http://archives.neohapsis.com/archives/cert/2003-q4/0001.html
http://archives.neohapsis.com/archives/cisco/2003-q3/0014.html
*** {03.40.006} Cross - DB2 INVOKE and LOAD command overflows
DB2 database versions 7.2 contain buffer overflows in the handling of
the INVOKE and LOAD commands. This allows an attacker capable of
executing SQL queries against the database to compromise the host.
These vulnerabilities are confirmed and fixed in the latest FixPack.
Source: SecurityFocus Bugtraq, VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q4/0001.html
http://archives.neohapsis.com/archives/bugtraq/2003-10/0004.html
*** {03.40.007} Cross - slocate negative pathlen vuln
An advisory indicates the possibility of causing a heap overflow in
slocate that allows the eventual execution of arbitrary code with
elevated privileges. The bug stems from the improper handling of
negative integer values.
This vulnerability is not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-10/0084.html
*** {03.40.011} Cross - mod_gzip debug mode multiple vulns
The Apache mod_gzip module versions 1.3.x contain three vulnerabilities:
a buffer overflow in the handling of large file names by the logging
routines; a format string vulnerability in the handling of particular
requests; and insecure temp file handling.
The advisory indicates vendor confirmation.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-10/0093.html
*** {03.40.012} Cross - Vulnerable PHP applications, 10/07
The following is a list of reported vulnerable third-party PHP CGI
applications. These vulnerabilities are not necessarily confirmed.
Cafelog WordPress: SQL tampering
http://archives.neohapsis.com/archives/bugtraq/2003-10/0032.html
PHP-Nuke 6.7: file uploading
http://archives.neohapsis.com/archives/vulnwatch/2003-q4/0003.html
EternalMart EMML and EMGB: remote file include code exec
http://archives.neohapsis.com/archives/vulnwatch/2003-q4/0004.html
Guppy 2.4p3: cross-site scripting, file reading/writing
http://archives.neohapsis.com/archives/vulnwatch/2003-q4/0005.html
DCP Portal 5.5: SQL tampering
http://archives.neohapsis.com/archives/bugtraq/2003-09/0547.html
Source: SecurityFocus Bugtraq, VulnWatch
http://archives.neohapsis.com/archives/bugtraq/2003-10/0032.html
http://archives.neohapsis.com/archives/vulnwatch/2003-q4/0003.html
http://archives.neohapsis.com/archives/vulnwatch/2003-q4/0004.html
http://archives.neohapsis.com/archives/vulnwatch/2003-q4/0005.html
http://archives.neohapsis.com/archives/bugtraq/2003-09/0547.html
*** {03.40.014} Cross - PeopleSoft 'grid' search user file access
PeopleSoft People Tools version 8.2 temporarily saves a user's search
into a Web-accessible file when the 'grid' search option is invoked.
These files potentially could be retrieved by other remote
users/attackers.
The advisory indicates confirmation by the vendor, which released an
update script.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archives/bugtraq/2003-10/0092.html
*** {03.40.018} Cross - Fortigate firewall malicious log entry vuln
Fortigate firewall prior to version 2.50 MR4 logs URL entries verbatim
into the administrative logs. If an administrator views these logs via
the Web interface, it is possible to perform a cross-site scripting
attack to steal the administrator's login credentials.
The advisory indicates confirmation by the vendor, which released
version 2.50 MR4.
Source: VulnWatch
http://archives.neohapsis.com/archives/vulnwatch/2003-q4/0002.html
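The logging flaw described in {03.40.018}, as an added example (not taken from the advisory or from the vendor's code): a log viewer that writes the logged URL into HTML verbatim, beside one that escapes every field at output time. The log format, function names and sample lines are constructed for illustration.

```python
import html

# Constructed sample log lines (time, source IP, requested URL); not real device output.
SAMPLE_LOG = [
    "2003-10-07T10:00:01 192.0.2.10 http://example.com/index.html",
    "2003-10-07T10:00:05 192.0.2.66 http://example.com/<script>alert(1)</script>",
    '2003-10-07T10:00:09 192.0.2.67 http://example.com/"onmouseover="x',
]


def parse_line(line):
    """Split a log line into (timestamp, source, url); the URL is untrusted input."""
    timestamp, source, url = line.split(" ", 2)
    return timestamp, source, url


def render_row_verbatim(line):
    """Weak pattern: the logged URL is concatenated into the page unchanged."""
    timestamp, source, url = parse_line(line)
    return "<tr><td>%s</td><td>%s</td><td>%s</td></tr>" % (timestamp, source, url)


def render_row_escaped(line):
    """Corrected pattern: every field is HTML-escaped when the page is built."""
    cells = "".join(
        "<td>%s</td>" % html.escape(field, quote=True) for field in parse_line(line)
    )
    return "<tr>%s</tr>" % cells


def suspicious_entries(lines):
    """Review aid: return log lines whose URL field carries HTML metacharacters."""
    return [ln for ln in lines if any(c in parse_line(ln)[2] for c in "<>\"'")]


if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(render_row_escaped(entry))
    print("entries to review:", len(suspicious_entries(SAMPLE_LOG)))
```

Escaping belongs at the point where the log is rendered, so the stored record stays byte-for-byte what was received and remains usable as evidence.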
************************************************************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)
iD8DBQE/hbZa+LUG5KFpTkYRAtp7AJ4peqfSt9cL13G0SBaSdIj11wTDhQCgl4GY
t857PdrnxRlPPrasdSw5BNs=
=BytX
-----END PGP SIGNATURE-----
------------------------------------------------------------------------
We are signing the Consensus newsletter with PGP. The new SANS PGP key
is posted at:
http://www.pgp.net:11371/pks/lookup?op=get&search=0xA1694E46 and can
also be accessed from the SANS Web site (http://www.sans.org).
Copyright (c) 2003 Network Computing, a CMP Media LLC publication. All
Rights Reserved. Distributed by Network Computing
(http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info neohapsis.com | http://www.neohapsis.com/).