AERAsec
Network Security
Current Security Messages

Most of the links lead to the corresponding files at CERT or other organisations, so changes there take effect immediately, in particular which patches should be installed or which configuration changes avoid a vulnerability. Some of the files are transferred by FTP.

By the way: if we do not publish a well-known risk inherent in a widely used platform or program, that does not mean this particular platform or program is safe to use!

Chosen month 02 / 2002

System: Microsoft Windows 2000, XP, Exchange 2000
Topic: Denial-of-Service against SMTP-Service
Links: MS02-012, OAR-2002:137, WinITSec, S-02-29
ID: ae-200202-064

No further comment due to Microsoft insisting on their copyright on advisories.

System: Microsoft Windows 2000, Exchange 5.5
Topic: Vulnerability in authentication for SMTP
Links: MS02-011, OAR-2002:136, WinITSec
ID: ae-200202-063

No further comment due to Microsoft insisting on their copyright on advisories.

System: Several systems
Topic: New ISS Summary
Links: AS02-08
ID: ae-200202-062

Within the last week, 45 new vulnerabilities have been found:

- mailman-open-execute-commands
- pforum-quotes-sql-injection
- hns-cgi-css
- netgear-udp-portscan-dos
- winxp-udp-dos
- lasso-webdata-dos
- winxp-cifs-dos
- blackice-urg-flag-dos
- phusion-dot-directoy-traversal
- phusion-long-url-dos
- phusion-get-bo
- ie-opera-contenttype-css
- webnews-cgi-group-bo
- slashcode-site-css
- gnu-ncurses-window-bo
- tarantella-tmp-spinning-symlink
- omnipcx-default-user-accounts
- omnipcx-ftp-root-access
- omnipcx-shutdown-permissions
- omnipcx-insecure-groups
- omnipcx-nmap-running
- dino-log-tag-bo
- scriptease-long-http-dos
- fw1-connect-bypass-restrictions
- gnujsp-jserv-information-disclosure
- cigital-its4-undetected-code
- ms-compiler-insecure-protection
- mssql-oledb-adhoc-bo
- groupwise-ldap-blank-password
- admentor-asp-gain-access
- lilhttp-protected-file-access
- essentia-server-directory-traversal
- essentia-server-long-request-dos
- scriptease-get-dos
- sef-smtp-proxy-information
- ie-vbscript-view-files
- sef-snmp-notify-loss
- mscs-authfilter-isapi-bo
- webnews-cgi-default-accounts
- ans-plugin-execute-commands
- nfuse-user-information-disclosure
- squid-ftpbuildtitleurl-bo
- catchup-rvp-execute-code
- squid-snmp-dos
- squid-htcp-enabled

System: Red Hat Linux
Topic: Vulnerabilities in Netfilter
Links: RHSA-2002-028, OAR-2002:138, VU#230307
ID: ae-200202-061

The Linux Netfilter team has found a problem in the IRC connection tracking component of the firewall within the Linux kernel. The problem consists of an excessively broad netmask setting which is applied to check whether an "IRC DCC" connection through a masquerading firewall should be allowed. This results in unwanted ports being opened on the firewall, which could, depending on the firewall filter ruleset, allow inbound connections. An updated 2.4 kernel is available now.

System: Various Systems
Topic: Vulnerability in PHP
Links: eMatters012002, ISS-112, CA-2002-05, OAR-2002:131, S-02-26, OAR-2002:133, M-049, WinITSec, RHSA-2002-035, MDKSA-2002-017, SuSE 7.1, SuSE 7.2, SuSE 7.3, OAR-2002:133.2, OAR-2002:133.3, OAR-2002:133.4, OAR-2002:133.5, OAR-2002:133.6, Symantec20020228, SuSE-SA:2002:007, S-02-42
ID: ae-200202-060

Multiple buffer overflow vulnerabilities have been found in the PHP (Hypertext Preprocessor) scripting language. To successfully exploit these vulnerabilities, attackers must upload a PHP form containing specially crafted MIME encoded data.
A logic flaw in the parsing routine of PHP may lead to a one-byte overflow within the heap memory management data. This vulnerability is fixed in the PHP CVS source code repository. As a workaround, the file upload support can be disabled on Web servers running PHP 4.0.3 or above. Open the php.ini file and modify the line file_uploads = On to file_uploads = Off.

System: Cisco IOS
Topic: Vulnerability in Cisco Express Forwarding
Links: Cisco, OAR-2002:132, M-050
ID: ae-200202-059

All Cisco devices running Cisco IOS and having Cisco Express Forwarding (CEF) enabled can leak information from previous packets that have been handled by the device. This can happen if the packet length described in the IP header is bigger than the physical packet size. A patch is available now.

System: Oracle 9iAS
Topic: Several vulnerabilities found
Links: VU#936507, VU#547459, VU#717827, VU#698467, VU#712723, VU#180147, M-047, M-048, OAR-2002:134, OAR-2002:135, VU#193523 , S-02-027, S-02-028
ID: ae-200202-058

CERT/CC reports several vulnerabilities in Oracle 9iAS. It allows access to CGI script source code within the CGI-BIN directory and creates world-readable files in the temporary directory when processing JSP requests. Additionally, multiple Oracle 9iAS sample pages contain vulnerabilities, and the default configuration allows access to the file "globals.jsa". Finally, the default configuration has well-known default passwords, and the Oracle 9i Database Server PL/SQL module allows remote command execution without authentication.
Detailed information can be found in the vulnerability notes published by CERT/CC.

System: Red Hat Linux
Topic: Vulnerabilities in squid
Links: ae-200202-050, RHSA-2002-029, OAR-2002:130
ID: ae-200202-057

As already published in ae-200202-050, Squid versions between 2.X and 2.4.STABLE3 are vulnerable.
New packages are now also available for Red Hat Linux.

System: SuSE Linux
Topic: Vulnerabilities in squid
Links: SuSE 7.1, SuSE 7.2, SuSE 7.3, SuSE-SA:2002:008, OAR-2002:149
ID: ae-200202-056

Three security issues have recently been found in the Squid-2.X releases up to and including 2.4.STABLE3.
A memory leak in the optional SNMP interface to Squid allows a malicious user who can send packets to the Squid SNMP port to possibly perform a denial of service attack on the Squid proxy service if the SNMP interface has been enabled (it is disabled by default).
A buffer overflow in the implementation of ftp:// URLs allows users who are permitted to proxy ftp:// URLs via Squid to perform a denial of service on the proxy service, and possibly even trigger remote execution of code (not yet confirmed).
The optional HTCP interface cannot be properly disabled from squid.conf even if the documentation claims it can.
A patch is available now.

System: Trustix Secure Linux
Topic: Vulnerabilities in squid
Links: OAR-2002:127
ID: ae-200202-055

Three security issues have recently been found in the Squid-2.X releases up to and including 2.4.STABLE3.
A memory leak in the optional SNMP interface to Squid allows a malicious user who can send packets to the Squid SNMP port to possibly perform a denial of service attack on the Squid proxy service if the SNMP interface has been enabled (it is disabled by default).
A buffer overflow in the implementation of ftp:// URLs allows users who are permitted to proxy ftp:// URLs via Squid to perform a denial of service on the proxy service, and possibly even trigger remote execution of code (not yet confirmed).
The optional HTCP interface cannot be properly disabled from squid.conf even if the documentation claims it can.
A patch is available now.

System: SuSE Linux
Topic: Vulnerability in cups
Links: SuSE 7.3, SuSE 7.2, SuSE 7.1, OAR-2002:128
ID: ae-200202-054

In CUPS, the Common UNIX Printing System, a potential buffer overflow in the code of the CUPS daemon has been found. This vulnerability occurs when reading the names of attributes. A patch for SuSE Linux is available now.

System: Debian GNU/Linux
Topic: Vulnerability in gnujsp
Links: DSA-114, OAR-2002:124
ID: ae-200202-053

A vulnerability was found in gnujsp that can be used to bypass access restrictions in the web server. An attacker can view the contents of directories and download files directly rather than receiving their HTML output. This means that the source code of scripts could also be revealed. A patch is available now.

System: Red Hat Linux
Topic: Vulnerability in ncurses
Links: RHSA-2002-020, OAR-2002:125, M-046
ID: ae-200202-052

There exists a buffer overflow in ncurses that may lead to crashes when using ncurses applications in large windows. A patch is available now.

System: Several Firewall, Caching & Antivirus Proxy Software
Topic: Bypass blocking rules or Antivirus filters by using HTTP/CONNECT method
Links: Squid-Cache/FAQ, SecurityFocus#4131, SecurityFocus/Info-Finjan, CERT VU#150227, CERT VU#868219
ID: ae-200202-051

It was found that several firewall, caching and antivirus proxy products do not restrict the HTTP CONNECT method sufficiently. On some of them this apparently cannot be restricted by design.
Using CONNECT it is possible to reach arbitrary ports, sometimes also ports below 1024.
An example looks like this:
$ telnet your.local.proxy 3128
Trying 1.2.3.4...
Connected to your.local.proxy.
Escape character is '^]'.
CONNECT wwwspecial.domain.example:44444 / HTTP/1.0

HTTP/1.0 200 Connection established

GET /eicar.com
X5************CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*Connection closed by foreign host.

If you see the eicar.com test file in clear text and you use an antivirus proxy, a second issue exists: the proxy does not scan any traffic passing through HTTP CONNECT, even when that traffic is not encrypted.

If you can also connect to ports below 1024, a third issue comes up. Try it using:
CONNECT mail.domain.example:25 / HTTP/1.0
If this works, possibly any port from 1 to 65535 can be reached from inside to outside, which perhaps breaks your security policy.

Finally, a connection request to port 80 using:
CONNECT www.domain.example:80 / HTTP/1.0
should normally not work either.

Solutions:
1) Disable the CONNECT method completely, if software and security policy allow it (this also disables HTTPS traffic).
2) Restrict the ports allowed for CONNECT, e.g. to 443 (https) only (the Squid-Cache software has done this by default for some years, allowing only ports 443 and 563 [NNTP over SSL]).
3) Restrict outgoing traffic from the proxy to allowed ports only, using local or nearby firewalling (e.g. ports 80 and 443 only).
4) If antivirus scanning is bypassed, contact the vendor for a solution.

System: Unix Squid-Cache
Topic: Several vulnerabilities
Links: SQUID-2002_1, MDKSA-2002-016, FreeBSD-SA-02:12, S-02-23, OAR-2002:129
ID: ae-200202-050

Several vulnerabilities exist in the Squid-Cache software; they are already fixed in the latest release:
1) A memory leak exists in the SNMP code which can be used for a denial of service attack. Check whether SNMP is enabled by looking in the log file at startup for 'Accepting SNMP messages on port' or for the default port 3401/udp (lsof or netstat help here, too). SNMP can be disabled at compile time or with the following option in the configuration file:
snmp_port 0
2) A buffer overflow exists in the handling of FTP URLs containing inline authentication such as ftp://user:password@ftp.site. A temporary solution is to add an ACL which denies such requests:
acl non-anonymous-ftp url_regex -i ^ftp://[^/@]*@
http_access deny non-anonymous-ftp

3) The optional HTCP interface cannot be disabled by configuration options, but is enabled in some distributed binary packages. Look for the open default port 4827/udp (lsof or netstat). A temporary solution is to filter incoming traffic using local firewalling.

These vulnerabilities are fixed since Squid-2.4.STABLE4, which is already available.
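The following added script (not Squid's or AERAsec's code) audits Squid native access.log lines for the two policies described in ae-200202-051 and in this entry: CONNECT tunnels granted to ports outside the SSL port list, and FTP URLs with inline credentials matching the url_regex ACL above. The log lines, client addresses and host names are constructed for the example.

```python
"""Audit Squid native access.log lines for CONNECT tunnels to non-SSL ports
and for FTP URLs carrying inline credentials.

Added example, not Squid's own code. All sample data is constructed.
"""
import re
from urllib.parse import urlsplit

# Squid's long-standing default SSL_ports ACL: 443 (https) and 563 (NNTP over SSL).
SSL_PORTS = {443, 563}

# Same pattern as the advisory's ACL:  acl non-anonymous-ftp url_regex -i ^ftp://[^/@]*@
NON_ANONYMOUS_FTP = re.compile(r"^ftp://[^/@]*@", re.IGNORECASE)

# Native Squid log format:
# time elapsed client action/code bytes method url ident hierarchy/from type
LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>\S+)\s+(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def parse_line(line):
    """Return a dict with client, method, url and HTTP status, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    # result looks like TCP_MISS/200; the status code tells whether the
    # proxy actually granted the request.
    entry["status"] = int(entry["result"].split("/")[-1])
    return entry


def connect_port(url):
    """For CONNECT the 'URL' is host:port; return the port or None."""
    _host, sep, port = url.rpartition(":")
    if not sep or not port.isdigit():
        return None
    return int(port)


def findings_for(entry):
    """Policy checks for one parsed entry; returns a list of finding strings."""
    out = []
    if entry["status"] >= 400:
        return out  # denied by the proxy, nothing got through
    if entry["method"].upper() == "CONNECT":
        port = connect_port(entry["url"])
        if port is None:
            out.append("CONNECT without a numeric port")
        elif port not in SSL_PORTS:
            kind = "privileged" if port < 1024 else "non-SSL"
            out.append("CONNECT tunnel to %s port %d" % (kind, port))
    elif NON_ANONYMOUS_FTP.match(entry["url"]):
        out.append("FTP URL with inline credentials (%s)"
                   % urlsplit(entry["url"]).hostname)
    return out


def audit(log_text):
    """Return [(client, url, finding), ...] for every granted request that
    violates the CONNECT port policy or carries FTP credentials."""
    results = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        for finding in findings_for(entry):
            results.append((entry["client"], entry["url"], finding))
    return results


# Constructed sample log, not taken from a real proxy.
SAMPLE_LOG = """\
1014000001.100 250 10.0.0.5 TCP_MISS/200 2301 CONNECT www.domain.example:443 - DIRECT/192.0.2.10 -
1014000002.200 110 10.0.0.5 TCP_MISS/200 412 CONNECT wwwspecial.domain.example:44444 - DIRECT/192.0.2.11 -
1014000003.300 90 10.0.0.7 TCP_MISS/200 388 CONNECT mail.domain.example:25 - DIRECT/192.0.2.12 -
1014000004.400 40 10.0.0.7 TCP_DENIED/403 1150 CONNECT www.domain.example:80 - NONE/- text/html
1014000005.500 600 10.0.0.9 TCP_MISS/200 9981 GET ftp://user:secret@ftp.site/pub/file.txt - DIRECT/192.0.2.13 text/plain
1014000006.600 300 10.0.0.9 TCP_MISS/200 7720 GET ftp://ftp.site/pub/other.txt - DIRECT/192.0.2.13 text/plain
"""

if __name__ == "__main__":
    for client, url, finding in audit(SAMPLE_LOG):
        print("%s %s: %s" % (client, url, finding))
```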

System: Microsoft Commerce Server 2000
Topic: Vulnerability due to buffer overflow
Links: MS02-010, OAR-2002:123, WinITSec, Symantec
ID: ae-200202-049

No further comment due to Microsoft insisting on their copyright on advisories.

System: Microsoft Internet Explorer
Topic: Vulnerability by scripting
Links: MS02-009, OAR-2002:122, WinITSec, M-045, S-02-25
ID: ae-200202-048

No further comment due to Microsoft insisting on their copyright on advisories.

System: Microsoft XML Core Services
Topic: Vulnerability due to ActiveX
Links: MS02-008, OAR-2002:121, WinITSec, M-051
ID: ae-200202-047

No further comment due to Microsoft insisting on their copyright on advisories.

System: Windows NT / 2000
Topic: Vulnerability in WebNEWS
Links: WinITSec
ID: ae-200202-046

A buffer overrun vulnerability exists in NetWins WebNEWS for Windows 2000 and NT 4.0 that could allow a potential attacker to execute code under the same security context that IIS is running under (Typically IUSR_MACHINENAME). A patch is available now.

System: Windows NT / 95
Topic: Vulnerability in ScriptEase Mini WebServer
Links: WinITSec
ID: ae-200202-045

A Denial of Service (DoS) condition exists in Nombas' ScriptEase Mini WebServer. By sending a long request, such as http://host/AAAAAA...(Ax2000)...AAAAAA, an attacker can remotely crash the vulnerable server. The vendor, Nombas, has been notified but hasn't issued a patch.

System: Caldera Open UNIX, UnixWare
Topic: Vulnerability in webtop
Links: CSSA-2002-SCO.6, OAR-2002:126
ID: ae-200202-044

The setuid scripts in the webtop product may be used to gain root privileges. A patch is available now.

System: OSDN Slash
Topic: Login Vulnerability in Slashcode
Links: OAR-2002:118
ID: ae-200202-043

Slash, the code that runs Slashdot and many other web sites, has a cross-site scripting vulnerability in all versions prior to 2.2.5, released February 7, 2002. Users who have Javascript enabled, and who can be persuaded to click on an attacker's URL on a victim Slash website, will send their Slash cookie, with username and password, to the attacker's website. The attacker can then take over the user's account. If the user is an administrator of the victim Slash website, the attacker can take nearly full control of that site (post and delete stories, edit users, post as other users, etc.). A patch is available now.

System: Microsoft SQL Server
Topic: Vulnerability due to buffer overflow
Links: MS02-007, OAR-2002:120, WinITSec, M-044, S-02-24, VU#619707
ID: ae-200202-042

No further comment due to Microsoft insisting on their copyright on advisories.

System: MS Windows
Topic: Vulnerability in Falcon Web Server
Links: WinITSec
ID: ae-200202-041

The authentication configured in BlueFace's Falcon Web Server for Windows can be bypassed. The reason is a problem in the parsing of requests made to protected directories. So an attacker might circumvent the web server's authentication scheme and access any file in a protected directory without proper credentials. This is possible by typing http://webserver//restricted instead of http://webserver/restricted. BlueFace will release build 2.0.0.1021 to correct this problem.
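The Falcon bypass is an instance of an authorization check applied to the raw request path. The following added illustration (hypothetical code, not Falcon's) shows the naive prefix test that lets a doubled slash through beside a version that canonicalizes the path first; the hardened version also requires a segment boundary, which goes slightly beyond the reported bug.

```python
"""Naive versus canonicalizing protected-directory check.
Added illustration; hypothetical code, not from Falcon Web Server."""
import posixpath

PROTECTED_PREFIXES = ("/restricted",)


def is_protected_naive(request_path):
    """Vulnerable pattern: compares the path exactly as received, so
    '//restricted/...' does not match '/restricted' and is served."""
    return any(request_path.startswith(p) for p in PROTECTED_PREFIXES)


def canonical_path(request_path):
    """Collapse duplicate slashes and resolve '.' and '..' segments before any
    policy decision. Percent-decoding is deliberately out of scope here."""
    # posixpath.normpath keeps a leading '//' (POSIX permits it), so force a
    # single leading slash first; normpath cannot climb above '/' after that.
    path = "/" + request_path.lstrip("/")
    norm = posixpath.normpath(path)
    if not norm.startswith("/"):
        raise ValueError("path not absolute after normalization")
    return norm


def is_protected(request_path):
    """Hardened: canonicalize, then require the protected directory itself or
    a path inside it (segment boundary), so '/restricted_public' is not matched."""
    norm = canonical_path(request_path)
    return any(norm == p or norm.startswith(p + "/") for p in PROTECTED_PREFIXES)
```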

System: MS Windows
Topic: Vulnerability in Cooolsoft PowerFTP Server
Links: WinITSec
ID: ae-200202-040

Several vulnerabilities have been found in Cooolsoft's PowerFTP 2.10 for Windows. These vulnerabilities let attackers traverse out of the user directory by either a direct-path request (e.g. DIR C:\) or double-dot notation (e.g. DIR \..\*.*) and thus permit access to any file on the system. Another vulnerability results in all account information being stored unencrypted in the ftpserver.ini file. Access to this file through the directory traversal vulnerability gives an attacker elevated privileges on the system. A third vulnerability involves a Denial of Service (DoS) attack when the server receives a string of 2050 or more bytes. A patch isn't available yet.

System: Debian GNU/Linux
Topic: Vulnerability in ncurses
Links: DSA-113, OAR-2002:119
ID: ae-200202-039

There exists a buffer overflow in ncurses that may lead to crashes when using ncurses applications in large windows. A patch is available now.

System: Caldera OpenLinux
Topic: Vulnerability in ucd-snmp
Links: CSSA-2002-004
ID: ae-200202-038

Several remotely exploitable vulnerabilities were discovered in ucd-snmp. A patch is available now.

System: Conectiva Linux
Topic: Vulnerability in uucp
Links: OAR-2002:117
ID: ae-200202-037

There is a vulnerability in the command-line argument handling of uucp which could be exploited by a local user to obtain uucp uid/gid. A patch is available now.

System: Several systems
Topic: New ISS Summary
Links: AS02-07
ID: ae-200202-036

Within the last week, 56 new vulnerabilities have been found:

- licq-static-bo
- theos-dot-directory-traversal
- hanterm-command-line-bo
- wmtv-config-file-symlink
- wmtv-local-bo
- bsd-fstatfs-dos
- unixware-msg-catalog-format-string
- delegate-proxy-pop-bo
- protos-snmp-tool
- ie-html-directive-bo
- ie-file-download-display
- ie-application-invocation
- apache-php-options-information
- ie-scripting-bypass
- php-123-path-information
- php-slash-path-information
- netdsl-telnet-dos
- hp-advancestack-bypass-auth
- netdsl-telnet-bypass-authentication
- quicktime-content-header-bo
- icq-large-jpg-bo
- lotus-domino-reveal-information
- makebid-description-css
- ezboard-bbs-contenttype-bo
- miniportal-plaintext-information
- miniportal-ftp-directory-traversal
- miniportal-ftp-login-bo
- sawmill-admin-password-insecure
- iis-cnf-reveal-information
- sybex-etrainer-directory-traversal
- snmp-improper-request-handling
- snmp-improper-trap-handling
- gnat-temp-symlink
- as400-system-request-information
- actinic-html-tags-css
- sitenews-add-users
- powerftp-pwd-path-disclosure
- powerftp-ftpserver-ini-plaintext
- prospero-html-msg-css
- cwmail-item-bo
- linux-dlogin-bo
- cginews-view-files
- unixware-ifile-insecure-permissions
- falcon-protected-dir-access
- astaro-insecure-file-permissions
- iis-cnf-view-contents
- cups-ippread-bo
- sips-theme-admin-access
- exim-config-arg-bo
- hpux-setrlimit-kernel-panic
- dcpportal-adduser-path-disclosure
- dcpportal-userupdate-css
- outlook-express-return-bypass
- win2k-terminal-services-unlocked
- ettercap-memcpy-bo
- biologon3-gina-bypass-authentication

System: Debian GNU/Linux
Topic: Vulnerability in hanterm
Links: DSA-112, OAR-2002:116
ID: ae-200202-035

A set of buffer overflow problems has been found in hanterm, a Hangul terminal for X11 derived from xterm, that reads and displays Korean characters in its terminal window. The font handling code in hanterm uses fixed-size string buffers but doesn't check their bounds. This problem can be exploited by a malicious user to gain access to the utmp group, which is able to write the wtmp and utmp files. These files record login and logout activities. This problem has been fixed in version 3.3.1p17-5.2 for the stable Debian distribution.

System: Linux Mandrake
Topic: Vulnerabilities in cups and SNMP
Links: MDKSA-2002-015, MDKSA-2002-014, OAR-2002:115
ID: ae-200202-034

A potential buffer overflow in CUPS when reading the names of attributes has been found in all versions of CUPS lower than 1.1.14. Multiple vulnerabilities in SNMPv1 also affect Linux Mandrake. Exploiting these vulnerabilities will lead to unstable systems, Denial-of-Service or even unauthorized privileged access. Patches are available now and should be installed soon.

System: Caldera Open UNIX, UnixWare
Topic: Encrypted Password Disclosure and vulnerability in wu-ftpd
Links: CSSA-2002-SCO.5, OAR-2002:113, CSSA-2001-SCO.36.2
ID: ae-200202-033

After installation of the product, the file /var/adm/isl/ifile is left readable by all users. This file contains, among other things, the encrypted root password, and the encrypted owner password. Make this file readonly by root (# chmod 400 /var/adm/isl/ifile) and change the affected passwords.
A hole in the wu-ftpd ftpglob function allowing remote root access to the server was reported last year. Now a new patch fixes some problems that the old patches did not.

System: KHT Kerberos
Topic: Vulnerability in Kerberos Telnet
Links: VU#390280, VU#774587
ID: ae-200202-032

An attacker with the ability to modify Kerberos Telnet negotiation commands sent from server to client may be able to cause the connection to negotiate less secure authentication and encryption options, including no encryption. The attacker may then be able to read data that the user presumes to be securely encrypted. A patch is available now.

System: Linux Mandrake
Topic: Vulnerability in openldap
Links: MDKSA-2002-013, OAR-2002:107
ID: ae-200202-031

A problem exists in all versions of OpenLDAP from 2.0.0 through 2.0.19 where permissions are not properly checked against access control lists when a user tries to remove an attribute from an object in the directory by replacing its values with an empty list. A patch is available now.

System: Debian GNU/Linux
Topic: Vulnerability in cups
Links: DSA-110, OAR-2002:112
ID: ae-200202-030

In CUPS, the Common UNIX Printing System, a potential buffer overflow in the code of the CUPS daemon where it reads the names of attributes has been found. This affects all versions of CUPS. This problem has been fixed in version 1.0.4-10 which is available now.

System: HP Secure OS Software for Linux
Topic: Vulnerability in telnet
Links: HP Company Security Bulletin #023, OAR-2002:110, M-043
ID: ae-200202-029

A local attacker might exploit a buffer overflow in the telnet server to gain root access. The telnet server is not included in the default installation of HP Secure OS Software for Linux, but is very often installed. Updated RPMs are available now and can also be downloaded from Red Hat directly.

System: Nearly all systems
Topic: Dangerous vulnerability in SNMP
Links: NIPS-02-001, OAR-2002:106.8, VU#107186, VU#854306, Check Point, DSA-111
ID: ae-200202-028

As reported before (ae-200202-024), a serious hole in SNMPv1 has been detected and can be found on most systems having SNMP installed. The National Infrastructure Protection Center (NIPC) has now also released an alarm. Like CERT/CC they recommend the following steps:
- Review what versions of SNMP are running; apply vendor patches as available
- Disable SNMP service if not critical
- Block access to SNMP services at network perimeter
- Filter SNMP traffic from non-authorized internal hosts
- Change default community strings
- Segregate SNMP traffic onto a separate management network
- Apply egress filtering on ports 161 and 162
- Disable stack execution where possible
The first step is the most important.

System: HP
Topic: Vulnerability in Switching Hubs
Links: HP Company Security Bulletin #0185, OAR-2002:109, WinITSec
ID: ae-200202-027

A security vulnerability when managing HP Switching Hubs with a web browser has been found. Affected are HP AdvanceStack J3200A, J3201A, J3202A, J3203A, J3204A, J3205A, J3210A with firmware version A.03.02. An attacker might gain elevated privileges when exploiting this vulnerability. A patch isn't available yet. Until then, web access to these machines should be disabled or the management IP removed.

System: HP-UX
Topic: Vulnerability in setrlimit
Links: HP Company Security Bulletin #0183, OAR-2002:108, VU#726187
ID: ae-200202-026

The HP-UX kernel incorrectly specifies arguments for setrlimit and can produce unexpected panics on HP 9000 Series Servers running HP-UX 11.11. This possible Denial-of-Service can be fixed with a patch which is available now.

System: Debian GNU/Linux
Topic: Vulnerability in Faq-O-Matic
Links: DSA-109, OAR-2002:111
ID: ae-200202-025

Due to unescaped HTML code Faq-O-Matic returned unverified scripting code to the browser. With some tweaking this enables an attacker to steal cookies from one of the Faq-O-Matic moderators or the admin. Cross-Site Scripting is a type of problem that allows an attacker to make another person run some JavaScript in their browser. The JavaScript is executed on the victims machine and is in the context of the website running the Faq-O-Matic Frequently Asked Question manager. This problem has been fixed in version 2.603-1.2.

System: Nearly all systems
Topic: Dangerous vulnerability in SNMP
Links: PROTOS, CA-2002-03, ISS-110, S-02-22, M-042, MS02-006, Sun Security Bulletin#215, Cisco, Cisco II, RHSA-2001-163, FreeBSD-SA-02:11, CSSA-2002-SCO.4, HP Security Bulletin #0184, SGI:20020201-01, WinITSec
ID: ae-200202-024

The Simple Network Management Protocol (SNMP) is a widely deployed protocol that is commonly used to monitor and manage network devices. Version 1 of the protocol (SNMPv1) defines several types of SNMP messages that are used to request information or configuration changes, respond to requests, enumerate SNMP objects, and send unsolicited alerts. Multiple vulnerabilities have now been found, e.g. in the trap handling and request handling. The consequences are Denial-of-Service, unstable behavior and unauthorized privileged access to the vulnerable systems.
Additionally, a tool called PROTOS has now been published. This tool is extremely thorough and is perceived to be the most exhaustive SNMP testing tool available. It launches various combinations of six main types of test cases: bit pattern exception, BER (Basic Encoding Rules) encoding exception, format string exception, integer value exception, missing symbol exception, and overflow exception. The effectiveness of the tool is increased by targeting broadcast addresses, so its reach can be greatly extended by testing many devices simultaneously.
As far as patches are available, administrators should install them as soon as possible. Until then, administrators should disable SNMP. If this isn't possible, it's strongly recommended to filter SNMP traffic, change default community strings, segregate SNMP traffic onto a separate management network, and follow the other hints given e.g. by CERT/CC.
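As an added illustration of the failure modes the PROTOS test cases exercise (this is neither PROTOS nor any vendor's agent code), the following decoder parses the outer SNMPv1 message and the PDU header with strict BER length checks, so that a length octet claiming more data than the datagram contains, an indefinite length, or an oversized INTEGER is rejected instead of being read past the buffer. The GetRequest message is constructed inside the script.

```python
"""Strict BER decoding of the SNMPv1 message envelope and PDU header.
Added example; messages are constructed here, this is not an agent's code."""

SNMP_V1 = 0
PDU_NAMES = {0xA0: "GetRequest", 0xA1: "GetNextRequest",
             0xA2: "GetResponse", 0xA3: "SetRequest", 0xA4: "Trap"}


class BerError(ValueError):
    """Raised for any encoding the decoder refuses to interpret."""


def tlv(tag, content):
    """Encode one definite-length TLV (used only to build sample messages)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content


def read_tlv(buf, pos, end):
    """Decode tag and length at buf[pos], never looking beyond end.
    Returns (tag, content_start, content_end)."""
    if pos + 2 > end:
        raise BerError("truncated header at offset %d" % pos)
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first == 0x80:
        raise BerError("indefinite length is not allowed in SNMP")
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise BerError("unsupported length-of-length %d" % nbytes)
        if pos + nbytes > end:
            raise BerError("truncated long-form length")
        length = int.from_bytes(bytes(buf[pos:pos + nbytes]), "big")
        if length < 0x80:
            raise BerError("non-minimal long-form length")
        pos += nbytes
    # The central check: the claimed length must fit in the enclosing element.
    if pos + length > end:
        raise BerError("length %d exceeds enclosing buffer" % length)
    return tag, pos, pos + length


def read_integer(buf, pos, end):
    """Decode a BER INTEGER of at most 4 octets; returns (value, next_pos)."""
    tag, start, stop = read_tlv(buf, pos, end)
    if tag != 0x02 or stop == start or stop - start > 4:
        raise BerError("bad INTEGER encoding")
    return int.from_bytes(bytes(buf[start:stop]), "big", signed=True), stop


def parse_snmpv1(msg):
    """Return (version, community, pdu_name, request_id); raise BerError on
    anything malformed. Trap PDUs carry no request-id, so it is None there."""
    tag, start, stop = read_tlv(msg, 0, len(msg))
    if tag != 0x30:
        raise BerError("message is not a SEQUENCE")
    if stop != len(msg):
        raise BerError("trailing bytes after message")
    version, pos = read_integer(msg, start, stop)
    if version != SNMP_V1:
        raise BerError("not an SNMPv1 message")
    tag, cstart, cstop = read_tlv(msg, pos, stop)
    if tag != 0x04:
        raise BerError("community is not an OCTET STRING")
    community = bytes(msg[cstart:cstop]).decode("ascii", "replace")
    tag, pstart, pstop = read_tlv(msg, cstop, stop)
    if tag not in PDU_NAMES:
        raise BerError("unknown PDU tag 0x%02x" % tag)
    if tag == 0xA4:
        return version, community, PDU_NAMES[tag], None
    request_id, _ = read_integer(msg, pstart, pstop)
    return version, community, PDU_NAMES[tag], request_id


def is_well_formed(msg):
    """True if parse_snmpv1 accepts msg, False if it raises BerError."""
    try:
        parse_snmpv1(msg)
        return True
    except BerError:
        return False


def build_get_request(community=b"public", request_id=1):
    """Constructed SNMPv1 GetRequest for sysDescr.0 (OID 1.3.6.1.2.1.1.1.0)."""
    oid = tlv(0x06, bytes([0x2B, 6, 1, 2, 1, 1, 1, 0]))
    varbind = tlv(0x30, oid + tlv(0x05, b""))
    pdu = tlv(0xA0, tlv(0x02, bytes([request_id])) + tlv(0x02, b"\x00")
              + tlv(0x02, b"\x00") + tlv(0x30, varbind))
    return tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, community) + pdu)
```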

System: Several systems
Topic: New ISS Summary
Links: AS02-06
ID: ae-200202-023

Within the last week, 44 new vulnerabilities have been found:

- lotus-domino-username-disclosure
- vbulletin-bbs-css
- tru64-nmap-portscan-dos
- sun-jre-jvm-dos
- win-ntfs-file-hiding
- dcforum-cgi-recover-passwords
- msdtc-default-port-dos
- siteserver-ldap-anonymous-account
- siteserver-asp-css
- siteserver-ldap-plaintext-passwords
- siteserver-cphost-upload-dos
- netscreen-screenos-scan-dos
- blackice-ping-flood-dos
- tacplus-insecure-accounting-files
- mrtg-cgi-view-files
- kicq-telnet-dos
- netware-nds-unauth-access
- faqomatic-cgi-css
- siteserver-post-directory-traversal
- mrtg-14allcgi-path-disclosure
- siteserver-asp-information-disclosure
- lotus-domino-auth-bypass
- siteserver-ldap-weak-passwords
- expressions-dot-directory-traversal
- siteserver-sample-sql-injection
- netgear-web-interface-css
- mirc-nickname-bo
- msn-messenger-reveal-information
- icq-macos-dos
- faxpress-plaintext-password
- officex-pid-checker-dos
- oracle-plsql-remote-access
- exchange-attendant-incorrect-permissions
- phpwebthings-coremain-direct-access
- ms-telnet-option-bo
- oracle-appserver-plsql-bo
- oracle-appserver-plsql-authclient-bo
- oracle-appserver-plsql-cache-bo
- oracle-appserver-plsql-adddad-bo
- oracle-appserver-plsql-pls-dos
- oracle-appserver-oraclejsp-view-info
- texis-cgi-information-disclosure
- php-mysql-safemode-bypass
- ciscosecure-nds-authentication

System: Microsoft Windows
Topic: New cumulative patch for Internet Explorer
Links: MS02-005, OAR-2002:105, M-041, S-02-21, WinITSec, #VU932283, CA-2002-04, ISS-111
ID: ae-200202-022

No further comment due to Microsoft insisting on their copyright on advisories.

System: Debian GNU/Linux
Topic: Vulnerability in uucp
Links: DSA-079, OAR-2002:101
ID: ae-200202-021

It is possible to make `uux' execute `uucp' with malicious command-line arguments. This gives an attacker access to files owned by uid/gid uucp. It was thought that the fix published in September 2001 would solve this problem, but it did not fix all variations of the problem. Version 1.06.1-11potato2 of uucp fixes it.

System: MS Windows
Topic: Vulnerability in BlackICE Products and RealSecure Server Sensor
Links: ISS-109
ID: ae-200202-020

As reported before (ae-200202-009), a Denial-of-Service condition has been found in all current versions of BlackICE Defender, BlackICE Agent, and RealSecure Server Sensor running on Windows 2000 or Windows XP. They can be remotely crashed using a modified ping flood attack.
Now the BlackICE Defender Patch Release version 2.9.car is available for download, as well as the patch for BlackICE Agent. The fix for RealSecure Server Sensor 6.0.1 will be available soon. Customers may get an updated version of RealSecure Server Sensor 6.5 soon; this update may now be requested by contacting ISS Technical Support.

System: Caldera OpenLinux
Topic: Vulnerabilities in OpenLDAP, mutt, and rsync
Links: CSSA-2002-001, CSSA-2002-002, CSSA-2002-003, OAR-2002:102, OAR-2002:104, OAR-2002:103
ID: ae-200202-019

A vulnerability in OpenLDAP 2.0.19 slapd has been found. Any authenticated user can set the access controls to none; in versions prior to 2.0.8 an unauthenticated user such as anonymous might also do this. By sending an e-mail with very long mail addresses, an attacker is able to overwrite a single memory location with a zero byte, which can be exploited to execute arbitrary code within the account of the e-mail recipient using mutt. An attacker might modify memory of the rsync server process by using an rsync client, so this may be possible via anonymous rsync. This can also be turned around, letting an rsync server do the same to a client.
Patches are available now and should be installed as soon as possible.

System: Microsoft Windows 2000, Microsoft Interix 2.2
Topic: Vulnerability in Telnet
Links: MS02-004, OAR-2002:099, WinITSec, M-039
ID: ae-200202-018

No further comment due to Microsoft insisting on their copyright on advisories.

System: Oracle 9iAS
Topic: Vulnerability in PL/SQL Module
Links: M-037, WinITSec, OAR-2002:098, VU#923395, VU#878603, VU#878603, VU#659043, VU#750299, VU#805915
ID: ae-200202-017

There are multiple buffer overflows in the PL/SQL module for Oracle Application Server running on Apache web servers that allow the execution of arbitrary code. A patch is available now.

System: Linux Mandrake
Topic: Vulnerability in groff
Links: MDKSA-2002-012, OAR-2002:100
ID: ae-200202-016

There is a vulnerability in the 'groff' preprocessor because it contains an exploitable buffer overflow. If 'groff' is invoked by the LPRng printing system, a remote exploit can gain the permissions of user "lp". A patch is available now.

System: Cisco Secure Authentication Control Server
Topic: Vulnerability in authentication
Links: Cisco, M-038, OAR-2002:095
ID: ae-200202-015

Specific versions of Cisco Secure Authentication Control Server (ACS) allow authentication of users that have been explicitly disabled or expired in the Novell Directory Services (NDS). Only Cisco Secure ACS version 3.0.1, configured for NDS, is affected. A patch is available now.

System: Debian GNU/Linux
Topic: Vulnerability in wmtv
Links: DSA-108
ID: ae-200202-014

In 'wmtv' the configuration file is written back as the superuser, without any further checks. A malicious user might use that to damage important files. A patch is available now.

System: Microsoft Exchange Server 2000
Topic: Vulnerability caused by Registry Permissions
Links: MS02-003, WinITSec, M-040
ID: ae-200202-013

No further comment due to Microsoft insisting on their copyright on advisories.

System: Mac
Topic: Denial-of-Service against Microsoft Office v. X
Links: MS02-002, OAR-2002:094
ID: ae-200202-012

No further comment due to Microsoft insisting on their copyright on advisories.

System: Caldera UnixWare 7
Topic: Vulnerability in libc
Links: CSSA-2002-SCO.3, OAR-2002:097
ID: ae-200202-011

The library functions that manipulated message catalogs could be subverted via environment variables to use a user's own message catalogs, possibly causing a set{uid,gid} program to memory fault, allowing the possibility of a privilege escalation vulnerability. A patch is available now.

System: FreeBSD
Topic: Vulnerabilities in fstatfs and rsync
Links: FreeBSD-SA-02:09, FreeBSD-SA-02:10
ID: ae-200202-010

A race condition exists where a file can be removed between the call to fstatfs() and the point where the file is accessed, causing the file descriptor to become invalid. This may allow unprivileged local users to cause a kernel panic. Currently only the procfs filesystem is known to be vulnerable.
A remote attacker may cause rsync to write NUL bytes onto its stack. This can be exploited in order to execute arbitrary code with the privileges of the user running rsync.
Patches are available now.

System: MS Windows
Topic: Vulnerability in BlackICE Products and RealSecure Server Sensor
Links: ISS-109
ID: ae-200202-009

A Denial-of-Service condition has been found in all current versions of BlackICE Defender, BlackICE Agent, and RealSecure Server Sensor running on Windows 2000 or Windows XP. They can be remotely crashed using a modified ping flood attack. The vulnerability is caused by a flaw in the routines used for capturing transmitted packets. Memory can be overwritten in such a manner that may cause the engine to crash or to behave in an unpredictable manner. The risk of this vulnerability to corporate users is minimal, because most corporate firewalls already block ICMP from external IP addresses. Systems located behind a corporate firewall are unlikely to be affected by ICMP-based attacks. BlackICE Sentry and BlackICE Guard are not affected by this vulnerability.
Internet Security Systems has developed and is testing a fix for this vulnerability that will be available as soon as possible. Until then, ICMP should be blocked by a firewall.

System: Cisco
Topic: Hints for the Media Gateway Controller
Links: Cisco, OAR-2002:092
ID: ae-200202-008

The Media Gateway Controller (MGC) is installed on top of Solaris operating system. In the default installation Solaris has several known vulnerabilities. In order to prevent them from being exploited, Cisco has published some new packages now. These packages contain the latest Solaris patches and additional hardening of the Solaris OS.

System: HP-UX
Topic: Vulnerability in Netscape
Links: HP Company Security Bulletin #0182, OAR-2002:093
ID: ae-200202-007

On Systems HP9000 Series 700/800 running HP-UX releases 11.00 and 11.11 with Netscape 6.01 for HP-UX, cookies can be stolen. So private information of the user might be published to an attacker. It's recommended to upgrade to Netscape 6.2.1 for HP-UX.

System: Several systems
Topic: New ISS Summary
Links: AS02-05
ID: ae-200202-006

Within the last week, 40 new vulnerabilities have been found:

- cows-cgi-css - cows-cgi-obtain-information - phppgadmin-plaintext-password
- squirrelmail-html-execute-script - squirrelmail-spellchecker-command-execution - gnu-chess-bo
- bindview-netinventory-plaintext-password - linux-rsync-root-access - w3perl-http-header
- tarantella-gunzip-tmp-race - ganglia-graph-command-execution - winxp-manifest-xml-dos
- wikkitikkitavi-include-template - kashare-xkas-icon-symlink - bru-tmp-file-symlink
- uml-kernel-memory-access - hosting-controller-brute-force - sapgui-invalid-connect-dos
- pgpfire-icmp-fingerprint - vaio-html-gain-access - acedirector-http-reveal-ip
- agora-cgi-revel-path - formmail-referer-header-spoof - formmail-smtp-header-spam
- intel-wlan-wep-plaintext - irix-o2-vcp-view-information - sas-sastcpd-spawner-bo
- sas-sastcpd-spawner-format-string - phpsmssend-command-execution - eserv-pasv-dos
- eserv-ftp-bounce - ubbthreads-file-upload - win-sid-gain-privileges
- sas-sastcpd-authprog-env - xoops-private-message-css - xoops-userinfo-information-disclosure
- xoops-pmlite-image-css - ahg-search-execute-commands - cnet-catchup-gain-privileges
- win2k-empty-tcp-dos

System: Microsoft Windows 2000
Topic: New: Windows 2000 Security Rollup Package 1
Links: Microsoft
ID: ae-200202-005

A cumulative rollup of security updates that have been offered since the release of Windows 2000 Service Pack 2 (SP2) is available now. So it's possible to get the latest security updates in one cumulative package.

System: SuSE Linux
Topic: Vulnerability in rsync
Links: SuSE 7.3, SuSE 7.2, SuSE 7.1
ID: ae-200202-004

There is a vulnerability in 'rsync' which may allow remote attackers to get root access to the server. Patches are available now.

System: Conectiva Linux
Topic: Vulnerability in pine
Links: OAR-2002:090
ID: ae-200202-003

Pine is a text-based mail and news client developed by the University of Washington. A vulnerability in the pine URL handler allows remote attackers to execute arbitrary shell commands on the user's machine by embedding them in a URL using environment variables. This vulnerability only affects users with the msg-view-url option enabled (which is not the default). It's recommended to upgrade to a new version.
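The defect class described above, shown as an added example that is not pine's own code: a URL taken from a mail message must never be handed to a shell where `$VAR`, backticks or `;` are re-parsed. Two measures are shown, a conservative allow-list for the case where a shell cannot be avoided, and launching the viewer via fork/execvp so no shell is involved at all. The allow-list, the scheme list and the placeholder viewer `true` are assumptions made for this example.

```c
/* Added example, not pine's own code. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* 1 if `url` starts with a plain network scheme and contains only
 * characters a Bourne shell neither expands nor treats as syntax.
 * Rejects $, backtick, quotes, ;, &, |, <, >, (, ), {, }, \, *,
 * whitespace and control or non-ASCII bytes, so "$HOME" and "`id`"
 * never reach the shell. (Assumed lists; adjust to taste.) */
int url_is_shell_safe(const char *url)
{
    static const char *const schemes[] = { "http://", "https://", "ftp://", NULL };
    static const char extra_ok[] = "-._~:/?#@!%+=,";
    int scheme_ok = 0;
    for (const char *const *s = schemes; *s != NULL; s++) {
        if (strncmp(url, *s, strlen(*s)) == 0) { scheme_ok = 1; break; }
    }
    if (!scheme_ok)
        return 0;
    for (const unsigned char *p = (const unsigned char *)url; *p; p++) {
        if (isalnum(*p) || strchr(extra_ok, *p) != NULL)
            continue;
        return 0;
    }
    return 1;
}

/* The better fix: no shell at all. Fork and execvp() the viewer with the
 * URL as a single argv element, so nothing is re-parsed.
 * Returns the child's exit status, or -1 on failure. */
int run_without_shell(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], argv);
        _exit(127);                       /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Demo: a URL carrying a backtick command (constructed) is refused by the
 * allow-list, and a clean URL is passed to a placeholder viewer ("true",
 * standing in for the real browser) as one argument. Returns 1 on the
 * expected outcome. */
int demo_launch(void)
{
    const char *hostile = "http://www.example.com/`id`";
    const char *clean = "http://www.example.com/index.html";
    if (url_is_shell_safe(hostile) || !url_is_shell_safe(clean))
        return 0;
    char *argv[] = { "true", (char *)clean, NULL };
    return run_without_shell(argv) == 0;
}
```

Note that the allow-list also rejects `&`, which legitimately separates query parameters; that loss is the price of going through a shell and is the practical argument for the execvp() route, where every URL character is inert.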

System: Linux Mandrake
Topic: Vulnerability in gzip
Links: MDKSA-2002-011, OAR-2002:091
ID: ae-200202-002

There exists a buffer overflow in gzip that could be exploited by a remote attacker if gzip is run on a server such as an FTP server. A patch is available now.

System: Debian GNU/Linux
Topic: Vulnerability in jgroff
Links: DSA-107, OAR-2002:088
ID: ae-200202-001

The pic command in 'jgroff' is vulnerable to a printf format string attack, which makes it possible to circumvent the `-S' (safer mode) option and execute arbitrary code. A patch is available now.
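The shape of that defect and its fix, as an added example that is not jgroff's code: caller-controlled text used as the format argument is parsed for directives, whereas the same text passed as data behind "%s" is not. Safer mode (`-S`) only restricts troff requests; it cannot stop memory corruption inside the preprocessor. The demo input is constructed, and the pragma exists solely to keep the deliberately vulnerable line compiling next to the fixed one.

```c
/* Added example, not jgroff's code. */
#include <stdio.h>
#include <string.h>

/* Silence the compiler's (correct) warning on the vulnerable variant. */
#pragma GCC diagnostic ignored "-Wformat-security"

/* VULNERABLE: user_text is the format string. "%%" collapses to "%",
 * "%x" reads a missing argument, "%n" writes through a missing pointer
 * argument; the latter is the path to arbitrary code execution. */
int vulnerable_emit(char *out, size_t outsz, const char *user_text)
{
    return snprintf(out, outsz, user_text);
}

/* FIXED: user_text is an argument; any '%' in it is plain data. */
int fixed_emit(char *out, size_t outsz, const char *user_text)
{
    return snprintf(out, outsz, "%s", user_text);
}

/* Audit helper: number of directives the vulnerable path would act on,
 * i.e. '%' not immediately followed by another '%'. Handy for flagging
 * hostile input in tests or logs. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }   /* "%%" is a literal percent */
        n++;
    }
    return n;
}

/* Demo using the one directive that is safe to evaluate with no
 * arguments, "%%": the vulnerable path rewrites it, the fixed path
 * preserves it. Returns 1 when that difference shows up. Inputs with
 * %x or %n are deliberately not run here: with no matching arguments
 * that is undefined behaviour, which is exactly the bug. */
int demo_percent(void)
{
    const char *input = "label 100%% done";   /* constructed pic-like text */
    char v[64], f[64];
    vulnerable_emit(v, sizeof v, input);
    fixed_emit(f, sizeof f, input);
    return strcmp(v, "label 100% done") == 0 && strcmp(f, input) == 0;
}
```

Compiling with `-Wformat-security` (or `-Wformat=2`) flags every call of the vulnerable shape, which is the cheapest way to find this class in a code base the size of groff.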



(c) 2000-2014 AERAsec Network Services and Security GmbH