Last Update: 2000-01-05
Most of the links lead to the corresponding files at CERT or other organisations, so changes take effect immediately, especially regarding which patches should be installed or which configuration changes should be made to avoid a vulnerability. Most of the files are transferred by ftp.
By the way: if we do not publish well-known risks inherent in a widely used platform or program, that does not mean this particular platform or program is safe to use!

System: Lotus Notes
Topic: Encrypted Mail saved in unencrypted form: Lotus, ERS-1999.048
There is a bug in the Lotus Notes Client (R4.5 and later) which causes encrypted E-Mail messages to be saved in the sender's mailbox in unencrypted form. The bug only occurs when the Notes client is misconfigured, but it is not an unlikely misconfiguration and it has few if any other symptoms. Until the problem is fixed in a future release of the software, users are encouraged to consider whether the problem is likely to affect them and, if so, to check for the misconfiguration. To ensure that your E-Mail is saved in encrypted form, Lotus recommends using backslashes (\) as path separator in the Mail File field of the user's Location Document (in both Personal and Public Address Book) and selecting "Encrypt Saved Mail" in User Preferences.

System: SuSE Linux
Topic: Vulnerability in unix operating systems using xfree86: SuSE-3
XFree86 creates a directory in /tmp with the name .X11-unix for the X sockets and sets the directory to mode 1777. If an attacker creates a symlink with that filename and points it to another directory (e.g. /root), the permissions of the target directory are set to 1777. A local attacker may then create files with any contents in any directory. It's recommended to upgrade XFree86 (SuSE 6.0, 5.3) or, as a temporary fix, to put these commands into /sbin/init.d/boot.local:
/bin/rm -rf /tmp/.X11-unix
mkdir -p -m 1777 /tmp/.X11-unix

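An administrator's check for the condition described above, added here as an example and not taken from SuSE or XFree86: it reports whether the socket directory is a symlink or has the wrong mode, and a helper applies the same rm -rf / mkdir -m 1777 workaround. The path is a parameter so the demo can run on a throwaway directory instead of /tmp.

```python
import os
import shutil
import stat
import tempfile

X11_DIR_MODE = 0o1777  # sticky bit + rwxrwxrwx, the mode XFree86 sets


def check_x11_socket_dir(path="/tmp/.X11-unix"):
    """Classify the socket directory as "missing", "symlink", "not-a-dir",
    "bad-mode" or "ok". lstat() is used so a planted symlink is reported
    instead of being followed into its target."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return "missing"
    if stat.S_ISLNK(st.st_mode):
        return "symlink"
    if not stat.S_ISDIR(st.st_mode):
        return "not-a-dir"
    if stat.S_IMODE(st.st_mode) != X11_DIR_MODE:
        return "bad-mode"
    return "ok"


def recreate_x11_socket_dir(path="/tmp/.X11-unix"):
    """Same effect as the boot.local lines (rm -rf, then mkdir -m 1777).
    A symlink is unlinked itself; whatever it points to is never touched."""
    state = check_x11_socket_dir(path)
    if state in ("symlink", "not-a-dir"):
        os.unlink(path)
    elif state != "missing":
        shutil.rmtree(path)
    os.mkdir(path)
    os.chmod(path, X11_DIR_MODE)  # chmod is not affected by the umask
    return check_x11_socket_dir(path)


def demo():
    """Constructed scenario in a temp dir: the socket path replaced by a
    symlink to a private directory, then the workaround applied.
    Returns the observed states; the last one shows the target kept 0700."""
    base = tempfile.mkdtemp()
    target = os.path.join(base, "root")  # stands in for /root
    os.mkdir(target, 0o700)
    sock_dir = os.path.join(base, ".X11-unix")
    states = [check_x11_socket_dir(sock_dir)]
    os.symlink(target, sock_dir)  # the condition the advisory describes
    states.append(check_x11_socket_dir(sock_dir))
    states.append(recreate_x11_socket_dir(sock_dir))
    states.append(check_x11_socket_dir(target))
    shutil.rmtree(base)
    return states
```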
The Melissa macro virus propagates in the form of an email message containing an infected Word document as an attachment. The transport message has most frequently been reported to contain the following Subject header:
Subject: Important Message From <name>
where <name> is the full name of the user sending the message.
The body of the message is a multipart MIME message containing two sections. The first section of the message (Content-Type: text/plain) contains the following text:
Here is that document you asked for ... don't show anyone else ;-)
The next section (Content-Type: application/msword) was initially reported to be a document called "list.doc", but the same document may be spread with other names too. In fact, under certain conditions the virus may generate attachments with documents created by the victim.
Further information can be found in the advisory and in MS99-002.

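A mail-gateway check built from the three indicators listed above, added here as an example (it is not from the CERT advisory or from Microsoft). It uses Python's standard email parser; the sample message is constructed for the demo and the attachment name is intentionally not matched, since the text notes it is not fixed to list.doc.

```python
import email
from email import policy

# Indicators of the transport message as reported above.
SUBJECT_PREFIX = "Important Message From "
BODY_TEXT = "Here is that document you asked for ... don't show anyone else ;-)"


def melissa_indicators(raw_message):
    """Indicators found in a raw RFC 822 message, in the order subject, body,
    attachment. Body whitespace is normalised so mailer line wrapping
    cannot hide a match."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    found = []
    if str(msg.get("Subject", "")).startswith(SUBJECT_PREFIX):
        found.append("subject")
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            if " ".join(part.get_content().split()) == BODY_TEXT:
                found.append("body")
        elif ctype == "application/msword":
            found.append("msword-attachment")
    return found


def is_melissa_transport(raw_message):
    """Flag only when all three indicators occur together, so ordinary mail
    that merely carries a Word document is not quarantined."""
    return set(melissa_indicators(raw_message)) >= {"subject", "body", "msword-attachment"}


# Constructed sample in the reported shape; the attachment bytes are dummies.
SAMPLE_MESSAGE = """\
Subject: Important Message From Jane Example
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="melissa-demo"

--melissa-demo
Content-Type: text/plain

Here is that document you asked for
... don't show anyone else ;-)
--melissa-demo
Content-Type: application/msword; name="list.doc"
Content-Transfer-Encoding: base64

AAAA
--melissa-demo--
"""
```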
System: Microsoft Personal Web Server
Topic: File Access Vulnerability in Personal Web Server: MS99-010, ERS-1999.047
A newly found vulnerability allows a file request that uses a non-standard URL to bypass the server's normal file access controls. The file must be specifically requested by name, so the requester would need to know the name of the file or guess it correctly. The vulnerability would allow files on the server to be read, but not changed or deleted, and would not allow new files to be written to the server. The vulnerability does not grant any administrative privileges on the server. Further information can be found in the MS knowledge base:
Article Q216453, FP98: Security Patch for FrontPage Personal Web Server.
Article Q217765, FP97: Security Patch for FrontPage Personal Web Server.
Article Q217763, File Access Vulnerability in Personal Web Server.
It's recommended to install the corresponding patch published by Microsoft for the Personal Web Server 4.0. If running an older PWS, an upgrade to PWS 4.0 should be carried out first.

System: HP-UX 11.00
Topic: Security Vulnerability with ftp: HP Security Bulletin #00094, ERS-1999.045, J-038
Hewlett-Packard Company has found that during normal operations, the ftp program might grant users increased privileges. It's recommended to install the corresponding patch; rebooting the system will not be required.
HP9000 Series 700/800, HP-UX 11.00: PHCO_17601

On a system where all partitions writable by regular users are mounted with the `noexec' option, a regular user should not be able to execute a binary which was not put on the system by the administrator. Insufficient checks in the mount system call may allow a regular user to mount a device, remote host or local directory without the `noexec' option, allowing them to execute arbitrary binaries.
A patch is available for NetBSD 1.3.3.

System: HP-UX 10.20
Topic: Security Vulnerability with hpterm: HP Security Bulletin #00093, ERS-1999.042, J-038
The patch PHSS_13560 introduced a library access problem into hpterm, so users can gain increased privileges. It's recommended to install a new patch as soon as possible:
HP9000 Series 700/800, HP-UX 10.20: PHSS_17830

A remote attacker who knows how to exploit this vulnerability, and who can make a connection to TCP port 7161 on an affected switch, can cause the supervisor module of that switch to reload. While the supervisor is reloading, the switch will not forward traffic, and the attack will therefore deny service to the equipment attached to the switch. The switch will recover automatically, but repeated attacks can extend the denial of service indefinitely. Please see the advisory for a detailed list of affected versions.
Cisco has published a patch to fix this problem.

System: Linux Slackware 3.6
Topic: Vulnerability during Network Installation: ISS-023, ERS1999-040
During a routine Slackware installation, Slackware completes the installation without prompting to set the root password. Upon completion of the installation, the system is rebooted. After the initial reboot, the system boots with a NULL root password. When Slackware is initially installed and rebooted, inetd is active by default and both telnetd and rlogind are enabled in inetd.conf.
Securing the installation from this highly vulnerable state requires changing the root password to a good password immediately upon the initial reboot following installation, disabling the services, or disabling remote root access by removing the ptty entries from the /etc/securetty file.
If not required for normal operation of the workstation, it's recommended to disable the telnet and ftp services in the inetd.conf file and restart inetd. If enabled by the particular installation, disable the rlogin, rsh, and rexec services as well.

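A post-install audit for the two files named above, added here as an example (not from ISS or Slackware): it lists the remote-login services still active in inetd.conf, produces a copy with them commented out, and finds the pseudo-terminal lines in /etc/securetty. The sample files are constructed, and the pty naming (ttyp* and pts/*) is an assumption about the layout of that era.

```python
import re

# Services the advisory says to turn off after a fresh install
# (telnet and ftp always; rlogin, rsh and rexec if present).
REMOTE_SERVICES = {"telnet", "ftp", "login", "shell", "exec"}


def enabled_services(inetd_conf):
    """Service names on active (non-comment, non-blank) inetd.conf lines."""
    names = []
    for line in inetd_conf.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        names.append(line.split()[0])
    return names


def exposed_remote_services(inetd_conf):
    """Enabled services that give remote logins or file access, sorted."""
    return sorted(set(enabled_services(inetd_conf)) & REMOTE_SERVICES)


def disable_services(inetd_conf, names):
    """inetd.conf text with the named services commented out; all other
    lines are kept verbatim so the file can be written back unchanged."""
    out = []
    for line in inetd_conf.splitlines():
        fields = line.split()
        if fields and not line.lstrip().startswith("#") and fields[0] in names:
            out.append("#" + line)
        else:
            out.append(line)
    return "\n".join(out) + "\n"


def pty_entries(securetty):
    """Pseudo-terminal entries in /etc/securetty that allow root to log in
    over the network. Assumes ttyp0..ttyzf (BSD style) or pts/N names;
    console entries such as tty1 are left alone."""
    pat = re.compile(r"^(tty[p-z][0-9a-f]|pts/\d+)$")
    return [l.strip() for l in securetty.splitlines() if pat.match(l.strip())]


# Constructed sample files, not copied from a real installation.
INETD_CONF = """\
# inetd.conf sample
ftp     stream  tcp     nowait  root    /usr/sbin/tcpd  wu.ftpd -l -i -a
telnet  stream  tcp     nowait  root    /usr/sbin/tcpd  in.telnetd
#shell  stream  tcp     nowait  root    /usr/sbin/tcpd  in.rshd -L
login   stream  tcp     nowait  root    /usr/sbin/tcpd  in.rlogind
time    stream  tcp     nowait  root    internal
"""
SECURETTY = "tty1\ntty2\nttyp0\nttyp1\n"
```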
|
Insufficient
kernel checking in the umapfs virtual file system
allows local users to remap their user id to any
other user including the root user.
A patch is available for the
NetBSD 1.3.3 which restricts umapfs mounts to
root and fixes the above problem.
If this can't be performed, a workaround is to
remove umapfs from the kernel configuration and
rebuild it. For this it's needed to remove the
line
file-system UMAPFS # NULLFS + uid and gid
remapping
in the configuration file. Help in building a
kernel can be found here and here.
|

|
|
A buffer overflow
exploit detected by ISS against Microsoft
Exchange's LDAP (Lightweight Directory Access
Protocol) server which allows read access to the
Exchange server directory by using an LDAP
client. This buffer overflow consists of a
malformed bind request that overflows the buffer
and can execute arbitrary code. This attack can
also cause the Exchange LDAP service to crash.
It's recommended to install a patch published by
Microsoft (X86 or Alpha).
|

|
|
This
notice addresses two unrelated security
vulnerabilities in the software used on the Cisco
7xx series of small-office and home-office
routers. These vulnerabilities affect only the
7xx series routers.
The first vulnerability can be used to cause
system reloads, and therefore denial of service,
using TCP connections to the routers' TELNET
ports. It's recommended to prevent incomint TCP
connections to the router from untrusted hosts by
using the command set ip filter:
# set ip filter tcp source = not trusted-host
destination = router block
This example would configure the router to accept
incoming TCP connections only from a single
trusted administrative host.
Cisco 7xx routers running software versions
3.2(5) through 4.2(3) support a simple HTTP
server. This HTTP server is enabled by default.
Unless the server is explicitly disabled, it can
be used to make changes to the router
configuration, and/or to gain information about
that configuration. This is intentional behavior,
but is mentioned in this notice because it
appears that customers have been caught unawares
by it. It's recommended to disable the HTTP
Server by the system command:
# set clickstart off
|
 |
|
An
implementation flaw in the Linux TCP/IP stack
allows remote attackers to forge TCP connections
without predicting sequence numbers and pass data
to the application layer before a connection is
established.
It is recommended that kernels below version
2.0.36 be upgraded to eliminate this
vulnerability.
|
 |
System: IRIX 3.x - 6.5
Topic: X server font path buffer overflow vulnerability: SGI19990301, J-033
An X server is installed by default on all IRIX platforms. A buffer overflow vulnerability has been discovered in the X server's font path handling which can lead to a root compromise. A local user account on the vulnerable system is required. It's highly recommended to install the corresponding patches listed in the advisory.

|
The
screen saver is started by Winlogon.Exe,
initially in a suspended mode using CreateProcess
API call. Once Winlogon.Exe gets the process
handle to screen saver, it changes the primary
security token of the screen saver to that of the
logged in user and then resumes the screen saver
process. This is done for security reasons. If
Winlogon were to NOT do this, then screen saver
would run with the security context of
Winlogon.Exe (which runs in system context).
The Winlogon.Exe DOES NOT check whether the
changing of Primary token is successful. Hence if
setting of primary token fails due to some
reason, the screen saver
binary will run in system context and be able to
do whatever it pleases (e.g adding the logged in
user to admin group). A demo of the problem can
be found here.
Microsoft has released hotfixes for X86-based
Windows NT Workstation and Server 4.0 (including Enterprise
Edition), X86-based Windows NT Server 4.0, Terminal Server Edition, Alpha-based Windows NT Workstation and Server 4.0 (including Enterprise
Edition and Terminal Server Edition), and
Alpha-based Windows NT Server 4.0, Terminal Server Edition.
|
 |
System: HP-UX
Topic: Security Vulnerability with NES3.6 on VVOS: HP Security Bulletin #00092, ERS-1999.032
Under certain conditions, Netscape Enterprise Server (NES) version 3.6 exhibits excessive CPU resource utilization. This NES CPU activity has been observed in the NES bundled with Praesidium VirtualVault A.03.50. It's recommended to install the corresponding patch:
HP-UX 10.24 with VirtualVault US/Canada: PHSS_17598
HP-UX 10.24 with VirtualVault A.03.50 International: PHSS_17599

|
As
reported before (HERT-02), some Unix show a buffer
overflow that will lead to direct root
compromise. In NetBSD anything before lsof-4.40
without arg.c.patch applied is vulnerable. It's
recommended to remove the setgid bit from lsof by
chmod 0755 /usr/pkg/sbin/lsof.
For a real solution NetBSD users should update
pkgsrc/sysutils/lsof.
|
 |
|
As
reported in February 1999, there is a security
risk concerning the KnownDLLs. Some more problems
were found. Microsoft has published now Hotfixes
for X86-based Windows NT Workstation and
Server 4.0
(including Enterprise Edition), X86-based Windows NT Server 4.0,
Terminal Server Edition, Alpha-based Windows NT Workstation and
Server 4.0
(including Enterprise Edition and Terminal Server
Edition), Alpha-based Windows NT Server 4.0,
Terminal Server Edition. These are hotfixes for the
US-Version of NT, the international versions will
follow. The workaround mentioned in February
should be removed.
|
 |
|
By
feeding traceroute(1) with invalid arguments the
time delay between packets sent is set to zero
resulting in all packets sent out very fast,
possibly flooding the remote host with packets
containing a false source address, making it
extremely difficult to identify the real source
of the flood.
A patch is available for the
NetBSD 1.3.3 source, which fixes the above
problems. As a temporary measure, you can allow
only privileged users to run traceroute by
disabling its setuid bit: chmod u-s
/usr/sbin/traceroute
|
 |
System: OpenBSD 2.4
Topic: Vulnerabilities in ping and link on FFS: OpenBSD
A buffer overflow existed in ping(8), which may have a security impact. To prevent this vulnerability, a patch should be installed.
When playing with link(2) on FFS a machine crash is possible; a patch has been published for this as well.

System: Internet Explorer 4.x
Topic: IE reveals local clipboard contents: NTshop
As reported by Juan Carlos Garcia Cuartango, another IE 4 clipboard vulnerability exists. The clipboard content can be made public by a very simple piece of Javascript code. The problem resides in the IE ActiveX object.
According to the Microsoft security rules, access to Windows clipboard content is forbidden for Internet Explorer scripts unless the clipboard content was owned by IE itself in the first place. Normally, when a script attempts to perform a paste operation over an input text box, the operation succeeds only if the data were copied to the clipboard from IE (ergo, IE was the original clipboard contents owner). To circumvent this protection, an ActiveX control object can be used to perform a paste operation without security restrictions, at which point clipboard data can be transferred to a form input box which can then POST the information to the Web address of choice.
A demonstration of the vulnerability can be found at Cuartango's site. Microsoft announced that this problem will be fixed in the next IE 4 service pack.

|
The
problems reported in CA-99.03 (ftpd) and HERT-02 (lsof) are fixed now. It's
recommended to install the concerning patches for
ftpd: NetBSD 1.3, 1.3.3 or 1.3I. Concerning the hole in
lsof it's strongly recommended to remove the
setgid bit from lsof by chmod 0755
/usr/pkg/sbin/lsof. How to patch the problem
by recompilation of lsof is described in the advisory.
|
 |
|