Chosen month 02 / 2002
|
|
|
No further comment due to Microsoft insisting on their copyright on advisories.
|
|
|
No further comment due to Microsoft insisting on their copyright on advisories.
|
|
|
Within the last week, 45 new vulnerabilities have been found:
|
|
|
The Linux Netfilter team has found a problem in the IRC connection
tracking component of the firewall within the Linux kernel.
The problem consists of an excessively broad netmask setting which is
applied to check whether an "IRC DCC" connection through a masquerading firewall
should be allowed. This results in unwanted ports being opened on the
firewall, which could, depending on the firewall filter ruleset, allow
inbound connections.
An updated 2.4 kernel is available now.
|
|
System: Various Systems
Topic: Vulnerability in PHP
Links: eMatters012002, ISS-112, CA-2002-05, OAR-2002:131, S-02-26, OAR-2002:133, M-049, WinITSec, RHSA-2002-035, MDKSA-2002-017, SuSE 7.1, SuSE 7.2, SuSE 7.3, OAR-2002:133.2, OAR-2002:133.3, OAR-2002:133.4, OAR-2002:133.5, OAR-2002:133.6, Symantec20020228, SuSE-SA:2002:007, S-02-42
ID: ae-200202-060
|
Multiple buffer overflow vulnerabilities have been found in the PHP
(Hypertext Preprocessor) scripting language.
To successfully exploit these vulnerabilities,
attackers must upload a PHP form containing specially crafted MIME
encoded data.
A logic flaw in the parsing routine of PHP may lead to a one-byte
overflow within the heap memory management data.
This vulnerability is fixed in the PHP CVS source code repository.
As a workaround, the file upload support can be disabled on Web servers
running PHP 4.0.3 or above. Open the php.ini file and modify the line
file_uploads = On to file_uploads = Off.
|
|
|
All Cisco devices running Cisco IOS and having Cisco Express Forwarding (CEF)
enabled can leak information from previous packets that have been handled by
the device. This can happen if the packet length described in the IP header is
bigger than the physical packet size.
A patch is available now.
|
|
System: Oracle 9iAS
Topic: Several vulnerabilities found
Links: VU#936507, VU#547459, VU#717827, VU#698467, VU#712723, VU#180147, M-047, M-048, OAR-2002:134, OAR-2002:135, VU#193523, S-02-027, S-02-028
ID: ae-200202-058
|
CERT/CC reports several vulnerabilities in Oracle 9iAS.
It allows access to CGI script source code within the CGI-BIN directory and
creates world-readable files in the temporary directory when processing JSP requests.
Additionally, multiple Oracle 9iAS sample pages contain vulnerabilities and
the default configuration allows access to the file "globals.jsa".
Finally, the default configuration has well-known default passwords and
the Oracle 9i Database Server PL/SQL module allows remote command execution without authentication.
Detailed information can be found in the vulnerability notes published by CERT/CC.
|
|
|
As already published in
ae-200202-050,
Squid versions from 2.X up to and including 2.4.STABLE3 are vulnerable.
New packages are now also available for Red Hat Linux.
|
|
|
Three security issues have recently been found in the Squid-2.X
releases up to and including 2.4.STABLE3.
A memory leak in the optional SNMP interface to Squid allows
a malicious user who can send packets to the Squid SNMP
port to possibly perform a denial of service attack on the Squid
proxy service if the SNMP interface has been enabled (disabled by
default).
A buffer overflow in the implementation of ftp:// URLs allows
users who are permitted to proxy ftp:// URLs via Squid to perform
a denial of service on the proxy service, and possibly even
trigger remote execution of code (not yet confirmed).
The optional HTCP interface cannot be properly disabled from
squid.conf even though the documentation claims it can.
A patch is available now.
|
|
|
Three security issues have recently been found in the Squid-2.X
releases up to and including 2.4.STABLE3.
A memory leak in the optional SNMP interface to Squid allows
a malicious user who can send packets to the Squid SNMP
port to possibly perform a denial of service attack on the Squid
proxy service if the SNMP interface has been enabled (disabled by
default).
A buffer overflow in the implementation of ftp:// URLs allows
users who are permitted to proxy ftp:// URLs via Squid to perform
a denial of service on the proxy service, and possibly even
trigger remote execution of code (not yet confirmed).
The optional HTCP interface cannot be properly disabled from
squid.conf even though the documentation claims it can.
A patch is available now.
|
|
|
In CUPS, the Common UNIX Printing System, a potential buffer overflow in the code of the CUPS daemon has been
found. This vulnerability occurs when reading the names of attributes.
A patch for SuSE Linux is available now.
|
|
|
A vulnerability was found in gnujsp that can be used to bypass
access restrictions in the web server.
An attacker can view the contents of directories and download files
directly rather than receiving their HTML output.
This means that the source code of scripts could also be revealed.
A patch is available now.
|
|
|
There exists a buffer overflow in ncurses that may lead to
crashes when using ncurses applications in large windows.
A patch is available now.
|
|
|
It was found that several firewall, caching and antivirus proxy products do not
sufficiently restrict the HTTP CONNECT method; in some products it apparently
cannot be restricted by design.
Using this HTTP CONNECT feature it is possible to connect to arbitrary ports,
sometimes also to ports below 1024.
An example looks like this:
$ telnet your.local.proxy 3128
Trying 1.2.3.4...
Connected to your.local.proxy.
Escape character is '^]'.
CONNECT wwwspecial.domain.example:44444 / HTTP/1.0
HTTP/1.0 200 Connection established
GET /eicar.com
X5************CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
Connection closed by foreign host.
If you see the eicar.com test file in clear text and you use antivirus proxy
software, a second issue exists: the software does not scan any traffic passed
through HTTP CONNECT, even when it is not encrypted.
If you can also connect to ports lower than 1024, a third issue comes up.
Try it by using:
CONNECT mail.domain.example:25 / HTTP/1.0
If this works, possibly any port from 1 to 65535 can be reached from inside to
outside, which perhaps breaks your security policy.
Finally, a connection request to port 80 using:
CONNECT www.domain.example:80 / HTTP/1.0
should normally not work either.
Solutions:
1) Disable the CONNECT method completely, if permitted by software and security
policy (this will disable HTTPS traffic as well).
2) Restrict the ports which can be used with the CONNECT method to e.g. 443 (https)
only (the Squid cache software has done this by default setting for some years,
allowing ports 443 and 563 [NNTP over SSL] only).
3) Restrict outgoing traffic from the proxy to allowed ports only using local
or nearby firewalling (e.g. ports 80 and 443 only).
4) If antivirus scanning is bypassed, contact the vendor for a solution.
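As an added example (not part of the original advisory), the following Python script shows how a defender can check a proxy's access log for CONNECT requests that fall outside the port allow-list recommended in solution 2. It assumes Squid's native access.log layout (time, elapsed, client, result, bytes, method, URL, ...); the log lines are constructed for the example, and hardened_connect_policy() emits the standard Squid ACL trio (acl SSL_ports, acl CONNECT method CONNECT, http_access deny CONNECT !SSL_ports) that restricts CONNECT to those ports.

```python
import re
from typing import Dict, List, Optional, Tuple

# Ports the proxy should be willing to tunnel with CONNECT: the Squid default
# named in the advisory (443 for https, 563 for NNTP over SSL).
ALLOWED_CONNECT_PORTS = {443, 563}

# Squid native access.log layout (assumption of this example):
# time elapsed client action/status bytes method url ident hierarchy/peer type
_LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>\S+)\s+(?P<bytes>\d+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)

# Constructed sample log: one legitimate https tunnel, three tunnels of the
# kinds the advisory describes, and one ordinary GET that must be ignored.
SAMPLE_LOG = """\
1012345678.123    120 10.1.2.3 TCP_MISS/200 512 CONNECT www.domain.example:443 - DIRECT/192.0.2.10 -
1012345680.456     85 10.1.2.3 TCP_MISS/200 4096 CONNECT wwwspecial.domain.example:44444 - DIRECT/192.0.2.11 -
1012345690.789     40 10.1.2.7 TCP_MISS/200 300 CONNECT mail.domain.example:25 - DIRECT/192.0.2.12 -
1012345700.000     33 10.1.2.9 TCP_MISS/200 200 CONNECT www.domain.example:80 - DIRECT/192.0.2.13 -
1012345710.500     12 10.1.2.9 TCP_HIT/200 2048 GET http://www.domain.example/index.html - NONE/- text/html
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one native-format log line into named fields, or None if it does not parse."""
    m = _LOG_RE.match(line)
    return m.groupdict() if m else None


def split_connect_target(url: str) -> Tuple[str, Optional[int]]:
    """A CONNECT target is host:port; a missing or non-numeric port yields None."""
    host, sep, port = url.rpartition(":")
    if not sep or not port.isdigit():
        return url, None
    return host, int(port)


def classify_connect(port: Optional[int], allowed=ALLOWED_CONNECT_PORTS) -> Optional[str]:
    """Return a finding text for a tunnel port, or None when the port is permitted."""
    if port is None:
        return "unparseable target"
    if port in allowed:
        return None
    if port < 1024:
        return "privileged port outside allow list"
    return "port outside allow list"


def flag_connect_requests(log_text: str, allowed=ALLOWED_CONNECT_PORTS) -> List[Dict[str, object]]:
    """Scan a log for CONNECT tunnels to ports outside the allow list."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "CONNECT":
            continue
        host, port = split_connect_target(rec["url"])
        reason = classify_connect(port, allowed)
        if reason:
            findings.append({"client": rec["client"], "host": host, "port": port, "reason": reason})
    return findings


def hardened_connect_policy(allowed=ALLOWED_CONNECT_PORTS) -> str:
    """Squid ACL lines implementing solution 2: CONNECT only to the allowed ports."""
    ports = " ".join(str(p) for p in sorted(allowed))
    return "\n".join([
        f"acl SSL_ports port {ports}",
        "acl CONNECT method CONNECT",
        "http_access deny CONNECT !SSL_ports",
    ])


if __name__ == "__main__":
    for f in flag_connect_requests(SAMPLE_LOG):
        print(f"{f['client']} -> {f['host']}:{f['port']}: {f['reason']}")
    print(hardened_connect_policy())
```

Run against the sample, the script reports the tunnels to ports 44444, 25 and 80 and leaves the 443 tunnel and the GET request alone; the port-80 case is listed because, as the advisory notes, a CONNECT to port 80 should normally not succeed either.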
|
|
|
Several vulnerabilities exist in the Squid cache software but are already fixed
in the latest releases:
1) A memory leak exists in SNMP which can be used for a denial of service
attack. Check whether SNMP is enabled by looking in the log file on startup
for 'Accepting SNMP messages on port' or for the default port 3401/udp (lsof or
netstat can help here, too). SNMP can be disabled at compile time or
using the following option in the configuration file:
snmp_port 0
2) A buffer overflow exists in the handling of FTP URLs containing
inline authentication like ftp://user:password@ftp.site. A temporary solution
is to add an ACL which denies such requests:
acl non-anonymous-ftp url_regex -i ^ftp://[^/@]*@
http_access deny non-anonymous-ftp
3) The optional HTCP interface cannot be disabled by configuration options,
but is enabled in some distributed binary packages. Look for the open default
port 4827/udp (lsof or netstat). A temporary solution is to filter incoming
traffic using local firewalling.
These vulnerabilities are fixed as of version Squid-2.4.STABLE4, which is
already available.
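To verify that the two configuration workarounds above are actually in effect, here is an added Python example (not from the Squid project or the original advisory). It reads a squid.conf text, models only the snmp_port directive, url_regex ACLs and http_access lines (any other ACL type is treated as non-matching, an assumption of this example) and, following Squid's first-match rule, evaluates whether a constructed probe URL with inline FTP credentials would be denied. Both configuration fragments are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed probe URL of the shape the advisory describes: inline FTP credentials.
PROBE_URL = "ftp://user:password@ftp.site/pub/file.txt"

# Constructed squid.conf fragments: one without the workarounds, one with them.
WEAK_CONF = """\
http_port 3128
snmp_port 3401
http_access allow all
"""

HARDENED_CONF = """\
http_port 3128
snmp_port 0
acl non-anonymous-ftp url_regex -i ^ftp://[^/@]*@
http_access deny non-anonymous-ftp
http_access allow all
"""


def compile_url_regex(args: List[str]) -> List[re.Pattern]:
    """Model a Squid url_regex ACL: an optional -i flag followed by one or more patterns."""
    flags = 0
    patterns = []
    for arg in args:
        if arg == "-i":
            flags = re.IGNORECASE
        else:
            patterns.append(arg)
    return [re.compile(p, flags) for p in patterns]


def _acl_matches(term: str, url_acls: Dict[str, List[re.Pattern]], url: str) -> bool:
    """Evaluate one http_access term ('name' or '!name') against the probe URL.
    Only url_regex ACLs and the built-in 'all' are modelled; anything else is
    treated as not matching (assumption of this example)."""
    negated = term.startswith("!")
    name = term.lstrip("!")
    if name == "all":
        hit = True
    elif name in url_acls:
        hit = any(rx.search(url) for rx in url_acls[name])
    else:
        hit = False
    return hit != negated


def evaluate_http_access(conf_text: str, url: str) -> Optional[str]:
    """Return the verdict ('allow' or 'deny') of the first http_access line whose
    terms all match the URL, mirroring Squid's first-match rule; None if none matches."""
    url_acls: Dict[str, List[re.Pattern]] = {}
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()   # drop comments, tokenize
        if not parts:
            continue
        if parts[0] == "acl" and len(parts) >= 4 and parts[2] == "url_regex":
            url_acls.setdefault(parts[1], []).extend(compile_url_regex(parts[3:]))
        elif parts[0] == "http_access" and len(parts) >= 3:
            if all(_acl_matches(t, url_acls, url) for t in parts[2:]):
                return parts[1]
    return None


def snmp_port_setting(conf_text: str) -> Optional[str]:
    """Last snmp_port value in the file, or None if the directive is absent."""
    value = None
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "snmp_port":
            value = parts[1]
    return value


def audit_squid_conf(conf_text: str, probe_url: str = PROBE_URL) -> Dict[str, bool]:
    """Report whether both workarounds from the advisory are in effect."""
    return {
        "snmp_explicitly_disabled": snmp_port_setting(conf_text) == "0",
        "non_anonymous_ftp_denied": evaluate_http_access(conf_text, probe_url) == "deny",
    }


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_squid_conf(conf))
```

Evaluating the rules in file order matters: the deny line only helps if it precedes the "allow all", which is why the audit simulates the first-match walk instead of merely grepping for the ACL. An absent snmp_port directive is reported as not explicitly disabled, since the advisory's check for port 3401/udp would still be needed in that case.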
|
|
|
No further comment due to Microsoft insisting on their copyright on advisories.
|
|
|
No further comment due to Microsoft insisting on their copyright on advisories.
|
|
|
No further comment due to Microsoft insisting on their copyright on advisories.
|
|
|
A buffer overrun vulnerability exists in NetWins WebNEWS for Windows 2000 and
NT 4.0 that could allow a potential attacker to execute code under the same
security context that IIS is running under (typically IUSR_MACHINENAME).
A patch is available now.
|
|
System: Windows NT / 95
Topic: Vulnerability in ScriptEase Mini WebServer
Links: WinITSec
ID: ae-200202-045
|
A Denial of Service (DoS) condition exists in the Nombas ScriptEase Mini WebServer.
By sending a long request, such as http://host/AAAAAA...(Ax2000)...AAAAAA, an
attacker can remotely crash the vulnerable server.
The vendor, Nombas, has been notified but hasn't issued a patch.
|
|
|
The setuid scripts in the webtop product may be used to gain
root privileges.
A patch is available now.
|
|
|
Slash, the code that runs Slashdot and many other web sites, has a
cross-site scripting vulnerability in all versions prior to 2.2.5,
released February 7, 2002.
Users who have Javascript enabled, and who can be persuaded to click
on an attacker's URL on a victim Slash website, will send their
Slash cookie, with username and password, to the attacker's website.
The attacker can then take over the user's account.
If the user is
an administrator of the victim Slash website, the attacker can take
nearly full control of that site (post and delete stories, edit
users, post as other users, etc.).
A patch is available now.
|
|
|
No further comment due to Microsoft insisting on their copyright on advisories.
|
|
|
The authentication configured in BlueFace's Falcon Web Server for Windows can be bypassed.
The reason is a problem in the parsing of requests made to protected directories.
An attacker might circumvent the web server's authentication scheme and access any file in a protected directory without
proper credentials.
This is possible by requesting http://webserver//restricted instead of http://webserver/restricted.
BlueFace will release build 2.0.0.1021 to correct this problem.
|
|
|
Several vulnerabilities have been found in Cooolsoft's PowerFTP 2.10 for Windows.
These vulnerabilities let attackers leave the user directory by
either a direct-path request (e.g. DIR C:\) or double-dot notation
(e.g. DIR \..\*.*) and so permit access to any file on the system.
Another vulnerability results in all account
information being stored unencrypted in the ftpserver.ini file. Access to this file
through the directory traversal vulnerability gives an attacker elevated
privileges on the system.
A third vulnerability involves a Denial of Service (DoS) attack
when the server receives a string of 2050 or more bytes.
A patch isn't available yet.
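The Falcon Web Server bypass (//restricted versus /restricted) and the PowerFTP traversal (absolute paths and \..\ notation) are instances of the same design flaw: the access decision is made on the raw request string instead of a canonical path. The following Python example, added here and not taken from either vendor, shows a weak prefix check beside a hardened version that percent-decodes, converts backslashes, collapses leading slashes and resolves dot segments before deciding, plus a helper that resolves an FTP-style request inside a fixed root. The protected prefix, the FTP root and the request paths are constructed for the example.

```python
import posixpath
from urllib.parse import unquote

# Assumed for this example: one protected URL prefix and a constructed FTP root.
PROTECTED_PREFIX = "/restricted"
FTP_ROOT = "/srv/ftp/user1"


def naive_is_protected(request_path: str) -> bool:
    """Weak check on the raw request string: '//restricted/...' does not start
    with '/restricted/', so it is wrongly treated as unprotected."""
    return request_path == PROTECTED_PREFIX or request_path.startswith(PROTECTED_PREFIX + "/")


def canonical_path(request_path: str) -> str:
    """Reduce a request path to one canonical absolute form before any decision.

    Steps: percent-decode, treat backslashes as separators, drop every leading
    slash (posixpath.normpath deliberately keeps a leading '//', which is the
    very ambiguity to remove), then resolve '.' and '..' against the root so
    that no amount of '..' can climb above '/'.
    """
    decoded = unquote(request_path).replace("\\", "/")
    return posixpath.normpath("/" + decoded.lstrip("/"))


def is_protected(request_path: str) -> bool:
    """Hardened check: decide on the canonical path, not on the raw request."""
    path = canonical_path(request_path)
    return path == PROTECTED_PREFIX or path.startswith(PROTECTED_PREFIX + "/")


def resolve_in_root(request_path: str, root: str = FTP_ROOT) -> str:
    """Map an FTP-style request (relative, absolute, drive-letter or '..'-laden)
    to a filesystem path that cannot leave the given root."""
    inside = canonical_path(request_path)          # starts with exactly one '/'
    target = posixpath.normpath(posixpath.join(root, inside.lstrip("/")))
    # Containment invariant: canonicalisation guarantees this, the check documents it.
    assert target == root or target.startswith(root + "/")
    return target


if __name__ == "__main__":
    for p in ("/restricted/secret.txt", "//restricted/secret.txt", "/%2e%2e/restricted/secret.txt"):
        print(f"{p!r}: naive={naive_is_protected(p)} hardened={is_protected(p)}")
    for p in ("pub/file.txt", "\\..\\*.*", "C:\\", "..\\..\\boot.ini"):
        print(f"{p!r} -> {resolve_in_root(p)}")
```

The general rule the example demonstrates is that every access check should run after, never before, a single shared canonicalisation step; checks performed on distinct spellings of the same resource are what both advisories exploit.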
|
|
|
There exists a buffer overflow in ncurses that may lead to
crashes when using ncurses applications in large windows.
A patch is available now.
|
|
|
Several remotely exploitable vulnerabilities were discovered in ucd-snmp.
A patch is available now.
|
|
|
There is a vulnerability in the command-line argument
handling of uucp which could be exploited by a local user to obtain
uucp uid/gid.
A patch is available now.
|
|
|
Within the last week, 56 new vulnerabilities have been found:
|
|
|
A set of buffer overflow problems has been found in hanterm, a Hangul terminal for X11 derived from xterm,
that reads and displays Korean characters in its terminal window.
The font handling code in hanterm uses fixed-size string buffers but doesn't check their boundaries.
This problem can be exploited by a malicious user to gain access to the utmp group, which
is able to write the wtmp and utmp files.
These files record login and logout activities.
This problem has been fixed in version 3.3.1p17-5.2 for the stable Debian distribution.
|
|
|
A potential buffer overflow in CUPS when reading the names of attributes has been found in all versions
of CUPS lower than 1.1.14. Multiple vulnerabilities in SNMPv1 also affect Linux Mandrake.
Exploiting these vulnerabilities will lead to unstable systems, Denial-of-Service or even
unauthorized privileged access. Patches are available now and should be installed soon.
|
|
|
After installation of the product, the file /var/adm/isl/ifile
is left readable by all users. This file contains, among other
things, the encrypted root password and the encrypted owner
password.
Make this file readable only by root (# chmod 400 /var/adm/isl/ifile)
and change the affected passwords.
A hole in the wu-ftpd ftpglob function allowing remote root access to the server was reported last year.
Now, a new patch fixes some problems the old patches didn't.
|
|
|
An attacker with the ability to modify Kerberos Telnet negotiation commands
sent from server to client may be able to cause the connection to negotiate
less secure authentication and encryption options, including no encryption.
The attacker may then be able to read data that the user presumes to be
securely encrypted.
A patch is available now.
|
|
|
A problem exists in all versions of OpenLDAP from 2.0.0 through 2.0.19
where permissions are not properly checked against access control lists
when a user tries to remove an attribute from an object in the
directory by replacing its values with an empty list.
A patch is available now.
|
|
|
In CUPS, the Common UNIX Printing System, a potential buffer overflow in the code of the CUPS daemon where it reads the names of attributes
has been found. This affects all versions of CUPS.
This problem has been fixed in version 1.0.4-10 which is available now.
|
|
|
A local attacker might exploit a buffer overflow in the telnet server to gain root access.
The telnet server is not included in the default installation of HP Secure OS Software for Linux,
but is very often installed.
Updated RPMs are available now and can also be downloaded from Red Hat directly.
|
|
|
As reported before (ae-200202-024),
a serious hole in SNMPv1 has been detected and can be found on most systems having SNMP installed.
The National Infrastructure Protection Center (NIPC) has now also released an alarm. Like CERT/CC, they recommend
the following steps:
- Review what versions of SNMP are running; apply vendor patches as available
- Disable SNMP service if not critical
- Block access to SNMP services at network perimeter
- Filter SNMP traffic from non-authorized internal hosts
- Change default community strings
- Segregate SNMP traffic onto a separate management network
- Apply egress filtering on ports 161 and 162
- Disable stack execution where possible
The first step is the most important.
|
|
|
A security vulnerability when managing HP Switching Hubs with a web browser has been found.
Affected are HP AdvanceStack J3200A, J3201A, J3202A, J3203A, J3204A, J3205A, J3210A with firmware version A.03.02.
An attacker might gain elevated privileges when exploiting this vulnerability.
A patch isn't available yet. Until then, web access to these machines should be disabled or
the management IP removed.
|
|
|
The HP-UX kernel incorrectly specifies arguments for setrlimit and can produce unexpected panics
on HP 9000 Series Servers running HP-UX 11.11.
This possible Denial-of-Service can be fixed with a patch which is available now.
|
|
|
Because HTML was not escaped, Faq-O-Matic returned unverified script code to the browser.
With some tweaking this enables an attacker to steal cookies from one of the Faq-O-Matic moderators or the admin.
Cross-Site Scripting is a type of problem that allows an attacker to make another person run some JavaScript in their browser.
The JavaScript is executed on the victim's machine in the context of the website running the Faq-O-Matic
Frequently Asked Question manager.
This problem has been fixed in version 2.603-1.2.
|
|
System: Nearly all systems
Topic: Dangerous vulnerability in SNMP
Links: PROTOS, CA-2002-03, ISS-110, S-02-22, M-042, MS02-006, Sun Security Bulletin#215, Cisco, Cisco II, RHSA-2001-163, FreeBSD-SA-02:11, CSSA-2002-SCO.4, HP Security Bulletin #0184, SGI:20020201-01, WinITSec
ID: ae-200202-024
|
The Simple Network Management Protocol (SNMP) is a widely deployed protocol that is commonly
used to monitor and manage network devices.
Version 1 of the protocol (SNMPv1) defines several types of SNMP messages that are used
to request information or configuration changes, respond to requests, enumerate SNMP
objects, and send unsolicited alerts.
Now multiple vulnerabilities have been found, e.g. in the trap handling and request handling.
The consequences are Denial-of-Service, unstable behavior and unauthorized privileged access to
the vulnerable systems.
Additionally, a tool called PROTOS has now been published.
This tool is extremely thorough and is perceived to be the most exhaustive SNMP testing tool
available. It launches various combinations of six main types of test cases. These are
bit pattern exception, BER (Basic Encoding Rules) encoding exception, format string exception,
integer value exception, missing symbol exception, and overflow exception.
The effectiveness of the tool is increased by targeting broadcast addresses.
As a result, the reach of the tool can be greatly extended by simultaneously attacking many devices.
Where patches are available, administrators should install them as soon as possible.
Until then, administrators should disable SNMP. If this isn't possible, it's strongly recommended to
filter SNMP traffic, change default community strings, segregate SNMP traffic onto a separate management network,
and follow the other hints given e.g. by CERT/CC.
|
|
|
Within the last week, 44 new vulnerabilities have been found:
|
|
|
No further comment due to Microsoft insisting on their copyright on advisories.
|
|
|
It is possible to make `uux' execute `uucp' with malicious command-line
arguments. This gives an attacker access to files owned by uid/gid uucp.
It was thought that the fix published in September 2001 would solve this problem,
but it didn't fix all variations of the problem.
In version 1.06.1-11potato2 of uucp it's fixed now.
|
|
System: MS Windows
Topic: Vulnerability in BlackICE Products and RealSecure Server Sensor
Links: ISS-109
ID: ae-200202-020
|
As reported before
(ae-200202-009),
a Denial-of-Service condition has been found in all current versions of BlackICE Defender,
BlackICE Agent, and RealSecure Server Sensor running on Windows 2000 or Windows XP.
They can be remotely crashed using a modified ping flood attack.
Now, for BlackICE Defender,
Patch Release version 2.9.car
is available for download, as well as the patch for
BlackICE Agent.
The fix for RealSecure Server Sensor 6.0.1 will be available soon.
Customers may get an updated version of RealSecure Server Sensor 6.5 soon.
This update may now be requested by contacting ISS Technical Support.
|
|
|
A vulnerability in OpenLDAP 2.0.19 slapd has been found.
It's possible for any authenticated user to set the access controls to none.
In versions prior to 2.0.8 an unauthenticated user, e.g. anonymous, might
be able to do this as well.
By sending an e-mail with very long mail addresses, an
attacker is able to overwrite a single memory location with
a zero byte, which can be exploited to execute arbitrary
code within the account of the e-mail recipient using mutt.
An attacker might modify memory of the rsync server process
by using an rsync client. So it may be possible to make
downloads via anonymous rsync. This process can also
be turned around, letting an rsync server make downloads
from a client.
Patches are available now and should be installed as soon as possible.
|
|
|
No further comment due to Microsoft insisting on their copyright on advisories.
|
|
|
There are multiple buffer overflows in the PL/SQL module for Oracle
Application Server running on Apache web servers that allow the execution
of arbitrary code.
A patch is available now.
|
|
|
There is a vulnerability in the 'groff' preprocessor: it contains an
exploitable buffer overflow.
If 'groff' is invoked by the LPRng printing system, a remote exploit can get
the permissions of user "lp".
A patch is available now.
|
|
|
Specific versions of Cisco Secure Authentication Control Server (ACS) allow
authentication of users that have been explicitly
disabled or expired in the Novell Directory Services (NDS).
Only Cisco Secure ACS version 3.0.1, configured for NDS, is affected.
A patch is available now.
|
|
|
In 'wmtv' the configuration file is written back as the superuser, and
without any further checks.
A malicious user might use that to damage important files.
A patch is available now.
|
|
|
No further comment due to Microsoft insisting on their copyright on advisories.
|
|
|
No further comment due to Microsoft insisting on their copyright on advisories.
|
|
|
The library functions that manipulated message catalogs could
be subverted via environment variables to use a user's own
message catalogs, possibly causing a set{uid,gid} program to
memory fault, allowing the possibility of a privilege
escalation vulnerability.
A patch is available now.
|
|
|
A race condition existed where a file could be removed between calling
fstatfs() and the point where the file is accessed causing the file
descriptor to become invalid. This may allow unprivileged local users
to cause a kernel panic. Currently only the procfs filesystem is
known to be vulnerable.
A remote attacker may cause rsync to write NUL bytes onto its stack.
This can be exploited in order to execute arbitrary code with the
privileges of the user running rsync.
Patches are available now.
|
|
System: MS Windows
Topic: Vulnerability in BlackICE Products and RealSecure Server Sensor
Links: ISS-109
ID: ae-200202-009
|
A Denial-of-Service condition has been found in all current versions of BlackICE Defender,
BlackICE Agent, and RealSecure Server Sensor running on Windows 2000 or Windows XP.
They can be remotely crashed using a modified ping flood attack.
The vulnerability is caused by a flaw in the routines used for capturing transmitted packets.
Memory can be overwritten in such a manner that may cause the engine to crash or to behave in
an unpredictable manner.
The risk of this vulnerability to corporate users is minimal, because most corporate firewalls
already block ICMP from external IP addresses.
Systems located behind a corporate firewall are unlikely to be affected by ICMP-based attacks.
BlackICE Sentry and BlackICE Guard are not affected by this vulnerability.
Internet Security Systems has developed and is testing a fix for this vulnerability that will be
available as soon as possible. Until then, ICMP should be blocked by a firewall.
|
|
|
The Media Gateway Controller (MGC) is installed on top of the Solaris operating system.
In the default installation Solaris has several known vulnerabilities.
In order to prevent them from being exploited, Cisco has now published some new packages.
These packages contain the latest Solaris patches and additional hardening of the Solaris OS.
|
|
|
On Systems HP9000 Series 700/800 running HP-UX releases 11.00 and 11.11 with
Netscape 6.01 for HP-UX, cookies can be stolen.
So private information of the user might be published to an attacker.
It's recommended to upgrade to Netscape 6.2.1 for HP-UX.
|
|
|
Within the last week, 40 new vulnerabilities have been found:
|
|
System: Microsoft Windows 2000
Topic: New: Windows 2000 Security Rollup Package 1
Links: Microsoft
ID: ae-200202-005
|
A cumulative rollup of security updates that have been offered since the release of Windows 2000 Service Pack 2
(SP2) is available now. So it's possible to get the latest security updates in one cumulative package.
|
|
|
There is a vulnerability in 'rsync' which may allow remote attackers to get root access to the server.
A patch is available now.
|
|
|
Pine is a text-based mail and news client developed by the Washington University.
A vulnerability in the pine URL handler allows remote attackers to execute arbitrary shell commands
on the user's machine by encapsulating them in a URL using environment variables.
This vulnerability only affects users with the msg-view-url option enabled (which is not the default).
It's recommended to upgrade to a new version.
|
|
|
There exists a buffer overflow in gzip that could be exploited by a
remote attacker if gzip is run on a server such as an FTP server.
A patch is available now.
|
|
|
The pic command in 'jgroff' is vulnerable to a printf format attack
which makes it possible to circumvent the `-S' option and execute
arbitrary code.
A patch is available now.
|