AERAsec
Network Security
Current Security Messages


Most of the links lead to the corresponding files at CERT or other organisations, so changes there take effect immediately, in particular which patches should be installed or which configuration changes should be made to avoid the vulnerability. Some of the files are transferred by FTP.

By the way: if we are not publishing well-known risks inherent in any widely used platform or program, that doesn't mean this particular platform or program is safe to use!


Chosen month 09 / 2003

System: Mandrake Linux
Topic: Vulnerability in MPlayer
Links: MDKSA-2003:097, OAR-2003:1261
ID: ae-200309-071

A remotely exploitable buffer overflow vulnerability has been found in MPlayer. A malicious host can craft a harmful ASX header and trick MPlayer into executing arbitrary code when it parses that particular header. This problem can be solved with a patch now.

System: IBM AIX 5.x
Topic: Vulnerability in getipnodebyname
Links: OAR-2003.1256
ID: ae-200309-070

On IBM AIX 5.1 and 5.2 the getipnodebyname API does not close sockets. So a remote or local attacker may execute a denial of service attack against an application that uses getipnodebyname. At the present time, the only application that ships with AIX that uses this API is Sendmail. An official patch has been published now.

System: HP-UX
Topic: Vulnerability in Socket Program
Links: HPSBUX0309-283, ESB-2003.0692
ID: ae-200309-069

On HP-UX B.11.00 a potential Security Vulnerability in socket programs has been found. So a local user might cause a system crash. A patch is available now.

System: Debian Linux
Topic: Vulnerabilities in freesweep and webfs
Links: DSA-391, DSA-392, ESB-2003.0695
ID: ae-200309-068

The game 'freesweep' contains a buffer overflow during environment parsing. Local users can get access to group 'games'.
The lightweight HTTP server 'webfs' has two vulnerabilities. One can be used for retrieving directory listings or files above the document root. The other can be triggered by too long pathnames and results in a buffer overflow which can be used for execution of arbitrary code.
Fixed versions are now available.

System: Several systems
Topic: New ISS Summary
Links: AS03-39
ID: ae-200309-067

Within the last week 44 new vulnerabilities have been reported:

- xitami-get-request-dos - 602pro-log-file-access - netuputm-sudopath-command-execution
- mplayer-asx-header-bo - speakfreely-globalalloc-image-dos - engarde-webtool-password-disclosure
- wzdftpd-crlf-dos - wodftpserver-ftp-command-bo - savant-httpget-dos
- apache-weak-password-encryption - tclhttpd-multiple-modules-xss - tclhttpd-dirlist-directory-traversal
- gauntlet-sql-gateway-dos - barricade-router-udp-dos - openssh-pam-gain-access
- 602pro-getfile-directory-traversal - marbles-home-bo - gnome-xscreensaver-lock-fail
- threadit-multiple-fields-xss - wuftp-mailadmin-sockprintf-bo - mondosearch-gain-access
- cfengine-byte-bo - codlfusion-handlers-xss - powerslave-colons-obtain-information
- freesweep-bo - rbdaspforum-account-login - speakfreely-spoof-packet-dos
- arkeia-bo - sbox-nonexistent-path-disclosure - netuputm-query-hijack-session
- threaditsql-multiple-fields-xss - netuputm-utmstat-sql-injection - macos-arplookup-dos
- openssh-pam-stack-corruption - communitywizard-login-admin-access - appscan-bypass-detection
- null-httpd-post-dos - java-jaxp-xml-dos - comment-board-xss
- myserver-dot-directory-traversal - cfengine-cfservd-daemon-bo - mpg123-readstring-bo
- powerpoint-data-manipulation - webweaver-improper-ip-logging

System: SCO UnixWare, Open Unix
Topic: Vulnerabilities in network device drivers and sendmail
Links: CSSA-2003-SCO.21, CSSA-2003-SCO.23, OAR-2003:1239, OAR-2003:1238
ID: ae-200309-066

As reported before for other systems (e.g. by @stake), many network device drivers reuse old frame buffer data to pad packets, resulting in an information leakage vulnerability that may allow remote attackers to harvest sensitive information from affected devices. Now SCO has also released a patch for UnixWare 7.1.1, 7.1.3, and Open Unix 8.0.0.
For the remotely exploitable vulnerability in sendmail that could allow an attacker to gain control of a vulnerable sendmail server (see also ae-200309-030), a patch has been released.

System: Mandrake Linux
Topic: Vulnerability in Apache2
Links: MDKSA-2003:096, OAR-2003.1237
ID: ae-200309-065

A problem has been discovered in Apache2: CGI scripts that write more than 4k of output to STDERR will hang, because the httpd process is blocked in a write() call in mod_cgi while waiting for more input from the CGI that never arrives. This can cause a Denial of Service on the httpd process. A patch is available now.

System: Debian Linux
Topic: Vulnerability in marbles
Links: DSA-390, OAR-2003.1234
ID: ae-200309-064

When processing the HOME environment variable, a buffer overflow in marbles might occur. This vulnerability could be exploited by a local user to gain gid 'games'. For the current stable distribution (woody) this problem has been fixed in version 1.0.2-1woody1.

System: SGI IRIX
Topic: Vulnerability in DCE
Links: SGI-20030902-01, ESB-2003.0686
ID: ae-200309-063

It has been reported that certain Microsoft RPC scanning can cause the DCE daemon dced to abort, causing a denial of service vulnerability. This vulnerability has been corrected with patches to DCE 1.2.2c.

System: Microsoft Windows
Topic: Vulnerability in MondoSearch
Links: WinITSec
ID: ae-200309-062

A vulnerability in Mondosoft MondoSearch 5.1, 5.0, and 4.4 for Windows can result in the execution of arbitrary code on a vulnerable computer. One of the default installation files, msmsetup.exe, contains a vulnerability that lets malicious users create files with user-specified content on the Web server or anywhere that the executing user (typically IUSR_xxx) has write access. Mondosoft has published a patch to solve this problem.

System: Microsoft Windows
Topic: Vulnerability in WZDftpD FTP Server
Links: WinITSec
ID: ae-200309-061

A vulnerability in the WZDftpD FTP Server for Windows can result in a Denial of Service (DoS) condition. Sending a CRLF sequence at logon causes an unhandled exception at the server. A proof-of-concept has been published as well as a patch.

System: Microsoft Windows
Topic: Vulnerability in SpeakFreely for Windows
Links: WinITSec
ID: ae-200309-060

A vulnerability in Speak Freely 7.6a for Windows and earlier can result in a Denial of Service (DoS) condition. Sending multiple spoofed packets (more than 160 packets of 2 bytes or more) results in the termination of the program, with an error message such as, "Cannot create transmit socket for host (x.x.x.x), error 10055. No buffer space is available." SpeakFreely has been notified.

System: Several
Topic: Vulnerability in Sun ONE Application Server
Links: Sun Alert 55460, OAR-2003:1232
ID: ae-200309-059

The Sun ONE Application Server may incorrectly validate user authentication information with LDAP. This might happen in Sun ONE Application Server 7.0, for which an update is available now.

System: SuSE Linux
Topic: Vulnerabilities in node
Links: SuSE 8.1, SuSE 8.2
ID: ae-200309-058

A security update fixes two possible buffer overflows in expand_string and in writing entries to the syslog. Additionally a format string vulnerability in usr2_handler has been fixed.

System: Engarde Secure Linux
Topic: Vulnerability in WebTool
Links: ESA-20030924-026, OAR-2003:1222
ID: ae-200309-057

The Guardian Digital WebTool provides functionality allowing local users to generate their own SSH keys. The data are passed around with HTTP GET instead of HTTP POST, with the result that these data and the rest of the query string are logged in /var/log/userpass.log. It's recommended to install an update as soon as possible.

System: Conectiva Linux
Topic: Vulnerability in PHP4
Links: CLA-2003:749, OAR-2003:1221
ID: ae-200309-056

PHP is a very popular scripting language used by web servers to offer dynamic content. PHP version 4.3.3 includes several fixes and improvements, including fixes for potential integer overflow vulnerabilities. The exploitability of these vulnerabilities depends on the PHP application and the scenario in which it's executed.

System: Various
Topic: Vulnerability in ProFTPD
Links: ISS, OpenPKG-SA-2003.043, ESB-2003.0680, MDKSA-2003:095, TLSA-2003-54, N-156
ID: ae-200309-055

An attacker capable of uploading files to the vulnerable system can trigger a buffer overflow and execute arbitrary code to gain complete control of the system. Attackers may use this vulnerability to destroy, steal, or manipulate data on vulnerable FTP sites. Patches and updated packages are available from ftp.proftpd.org.

System: FreeBSD
Topic: Vulnerability in ARP
Links: FreeBSD-SA-03-14, ESB-2003.0682, revised: ESB-2003.0685
ID: ae-200309-054

The Address Resolution Protocol (ARP) is fundamental to the operation of IP with a variety of network technologies, such as Ethernet and WLAN. It's used to map IP addresses to MAC addresses, which enables hosts on a local network segment to communicate with each other directly. These mappings are stored in the system's ARP cache. The ARP cache is implemented within the kernel routing table as a set of routes. Normally the system adds a reciprocal ARP entry to the cache for the system from which the request originated. Expiry timers are used to purge unused entries from the ARP cache. If a large number of ARP requests with different network protocol addresses are sent in a small space of time, resource starvation can result, as the arplookup function does not delete unnecessary ARP entries cached as the result of responding to an ARP request. This leads to a system panic, i.e. a Denial-of-Service. This problem can be solved by installing a patch.

System: HP-UX
Topic: Vulnerability in ipcs
Links: HPSBUX0305-260, ESB-2003.0683
ID: ae-200309-053

On HP9000 Series 700/800 running HP-UX release B.11.00 a buffer overflow has been found in ipcs. This may allow local users to gain unauthorized access or to cause a denial of service (DoS). This flaw can be fixed by installing the patch PHCO_29043.

System: Sun Solaris
Topic: Vulnerability in GNOME 2.0 XScreenSaver
Links: Sun Alert 56720, ESB-2003.0684
ID: ae-200309-052

When logged in as root, the desktop can't lock the screen via XScreenSaver. It will not lock when selecting "Lock Screen" from the "Actions" menu item, and for root desktop sessions the screen will not automatically lock after a period of inactivity. Workarounds are not to log in as root or to lock the screen manually by using 'xlock' at the command line, but installing the patch, which has been published now, is the better option.

System: Various
Topic: Vulnerability in WU-FTPD
Links: ISS, CLA-2003:748, OAR-2003:1220, SSA:2003-259-03, OAR-2003:1225, OAR-2003:1227, CSSA-2003-024, OAR-2003:1290
ID: ae-200309-051

Washington University's FTP daemon (WU-FTPD) is an FTP server included with most Linux distributions. WU-FTPD versions 2.6.2 and earlier are vulnerable to a buffer overflow in the SockPrintf function in the ftpd.c file, if the server is compiled with the MAIL_ADMIN option, which is not the default configuration. A remote attacker with file upload privileges might upload a large file to overflow a buffer and possibly execute arbitrary code on the system with privileges of the WU-FTPD process.
Patches and updated packages are available now.

System: Various
Topic: Vulnerability in OpenSSH
Links: OpenSSH, VU#602204, OpenPKG-SA-2003.042, ESB-2003.0681, TLSA-2003-53, ESB-2003.0687, N-157, N-158, CSSA-2003-027, FreeBSD-SA-03:15, ESB-2003.0704
ID: ae-200309-050

Portable OpenSSH versions 3.7p1 and 3.7.1p1 contain multiple vulnerabilities in the new PAM code. At least one of these bugs is remotely exploitable (under a non-standard configuration, with privsep disabled). The OpenBSD releases of OpenSSH do not contain this code and are not vulnerable. Older versions of portable OpenSSH are not vulnerable.
The mentioned problem is solved in OpenSSH 3.7.1p2.

System: Several systems
Topic: New ISS Summary
Links: AS03-38
ID: ae-200309-049

Within the last week 49 new vulnerabilities have been reported:

- plugandplaywebserver-multiple-commands-dos - nokia-ned-directory-disclosure - mambo-bannersphp-obtain-information
- forumswebserver-dot-directory-traversal - myphpnuke-aid-sql-injection - ibm-db2-db2dart-bo
- linux-helper-read-memory - mambo-banners-sql-injection - openssh-buffer-code-execution
- yak-default-account - linux-proc-sysctl-dos - clearcase-multiple-binaries-bo
- filesharingfornet-login-admin-access - irix-nfs-readonly-bypass - dbabbleXss
- plugapdplaywebserver-directory-traversal - yahoowebcamviewerwrapper-bo - db2-discoveryservice-dos
- hztty-bo - spider-removenewlinesfunction-home-bo - openssh-packet-bo
- spider-spiderdefaultsobjectsinitalize-bo - sendmail-prescan-bo - ibm-db2-db2licm-bo
- sol-sadmind-command-execution - yahooyinststarter-heap-overflow - aix-lpd-format-string
- dspam-insecure-permissions - enceladus-multiple-commands-bo - midnight-commander-vfssresolvesymlink-bo
- forumswebserver-login-admin-access - kdm-pamkrb5-gain-privileges - xfree-cookie-weak-encryption
- tmpop3-registry-plaintext-password - mambo-contact-anonymous-email - liquidwar-bo
- vbportal-authinc-sql-injection - kdm-cookie-weak-encryption - winrar-unrar-header-dos
- dbabble-display-dos - lsh-heap-overflow - chatzilla-string-dos
- mambo-emailfriend-obtain-information - biztalk-permissions-file-upload - win-urg-memory-leak
- nokia-ned-path-disclosure - widechapter-http-bo - easyfilesharing-dotdot-directory-traversal
- easyfilesharing-forum-xss

System: Red Hat Linux 7.x
Topic: Vulnerabilities in Apache mod_ssl
Links: RHSA-2003-243, RHSA-2003-244, ESB-2003.0677
ID: ae-200309-048

Updated Apache and mod_ssl packages that fix several minor security issues are now available for Red Hat Linux 7.1, 7.2, and 7.3.
A bug in the optional renegotiation code in mod_ssl can cause cipher suite restrictions to be ignored. This is triggered if optional renegotiation is used (SSLOptions +OptRenegotiate) along with verification of client certificates and a change to the cipher suite over the renegotiation. Additionally, Apache doesn't filter terminal escape sequences from its error logs, which could make it easier for attackers to insert those sequences into terminal emulators containing vulnerabilities related to escape sequences. It's also possible to get Apache 1.3 into an infinite loop when handling internal redirects and nested subrequests.

System: Red Hat Linux
Topic: Vulnerability in Perl
Links: RHSA-2003-256, RHSA-2003-257, N-155, ESB-2003.0678, ESB-2003.0705
ID: ae-200309-047

Two security issues have been found in Perl. When safe.pm versions 2.0.7 and earlier are used with Perl 5.8.0 and earlier, it's possible for an attacker to break out of safe compartments. This issue doesn't affect the Perl packages which shipped with Red Hat Linux 9. Additionally, a cross-site scripting vulnerability has been discovered in the start_form() function of CGI.pm. This allows a remote attacker to insert a Web script via a URL fed into the form's action parameter.
These problems can be fixed by installing an updated package.

System: Debian Linux
Topic: Vulnerability in ipmasq
Links: DSA-389, ESB-2003.0667
ID: ae-200309-046

The package ipmasq simplifies the configuration of Linux IP masquerading, a form of network address translation which allows a number of hosts to share a single public IP address. Due to use of certain improper filtering rules, traffic arriving on the external interface addressed for an internal host will be forwarded, regardless of whether it was associated with an established connection. This vulnerability might be exploited by an attacker capable of forwarding IP traffic with an arbitrary destination address to the external interface of a system with ipmasq installed. This problem can be solved by installing the updated package.

System: Several
Topic: Vulnerability in Real Networks Streaming Server
Links: RealNetworks, N-152
ID: ae-200309-045

The Real Networks Helix Universal Server and RealSystem Servers are vulnerable to a root compromise. The affected versions are Helix Universal Server 9.01 and 9.0.2.794, and RealSystem Server 8.0 and 7.0. A carefully crafted request to the server could give an intruder root access. So it's recommended to upgrade to Helix Universal Server 9.0.2.802 or to remove the View Source plugin from the plugins directory and restart the server.

System: Microsoft Windows
Topic: Vulnerability in ColdFusion MX/ColdFusion
Links: MPSB03-06, ESB-2003.673
ID: ae-200309-044

ColdFusionMX Web Sites that use the default ColdFusionMX Site-Wide Error Handler page or the default ColdFusionMX Missing Template Handler page may be susceptible to a cross-site scripting attack using the HTTP Referer[sic] header field. Macromedia has published patches and notified customers using affected versions.

System: Microsoft Windows
Topic: Vulnerability in Plug and Play Web Server
Links: WinITSec
ID: ae-200309-043

A vulnerability in Plug & Play Software's Plug & Play Web Server for Windows can result in unauthorized read access to any file located on the vulnerable server. By using the "../" or "..\" string in a URL, an attacker can gain read access to any file that resides outside the intended Web-published file system directory. Plug & Play Software has been notified, so a patch will be published soon.

System: Microsoft Windows
Topic: Vulnerability in WideChapter Internet Browser
Links: WinITSec
ID: ae-200309-042

A vulnerability in WideChapter Internet Browser for Windows can result in the execution of arbitrary code on the vulnerable system. By initiating a long HTTP request, an attacker can cause a buffer overflow in WideChapter when JavaScript is activated. This overflow permits modification of the instruction pointer, which lets the attacker execute arbitrary code. An exploit is available on the Internet. Until a patch is available, it's recommended to disable JavaScript.

System: Some
Topic: Vulnerabilities in IBM DB2
Links: N-154, ESB-2003.672
ID: ae-200309-041

DB2 is IBM's relational database software, oriented toward the deployment and development of e-business, business intelligence, content management, enterprise resource planning and customer relationship management solutions. DB2 can be deployed in AIX, HP-UX, Linux, Solaris and Windows environments. IBM's DB2 database ships with two vulnerable setuid binaries: db2licm and db2dart. Both binaries are vulnerable to a buffer overflow that allows a local attacker to execute arbitrary code on the vulnerable machine with root privileges. Today, only Linux on x86 and S390 seems vulnerable, and for these systems a patch has been published now.

System: Microsoft Windows / IPSwitch
Topic: Vulnerability in WS_FTP server
Links: Secunia#9671, VU#792284, VU#219140
ID: ae-200309-040

WS_FTP Server is a widely used FTP server for Microsoft NT/2000/XP. It contains a buffer overflow when an overly long 'STAT' or 'APPE' command is supplied.
IPSwitch provided patches for the 3.x and 4.x versions; the current fixed versions are 3.14 and 4.02.

System: HP-UX
Topic: Vulnerabilities due to Network Traffic, in wu-ftpd, and Java VM and Java Secure Socket Extension
Links: HPSBUX0306-264, HPSBUX0309-277, HPSBUX0309-280, ESB-2003.0668, ESB-2003.0658, ESB-2003.0670
ID: ae-200309-039

As reported before, some Network Traffic may cause a Denial-of-Service on HP9000 Series 700/800 running HP-UX releases B.11.00, B.11.04, B.11.11, and B.11.22. A patch is available now.
The wu-ftpd program on HP-UX B.11.00, B.11.11, and B.11.22 is potentially vulnerable to a buffer overflow, resulting in a remote Denial-of-Service. It's recommended to install the relevant patches or to disable write access to the FTP server. Additionally, a vulnerability exists in Java Secure Socket Extension (JSSE) where it might be possible to gather information about the data transmitted over a Secure Sockets Layer (SSL) or a Transport Layer Security (TLS) channel with CBC encryption. The issue doesn't expose private or session keys. A second vulnerability might give the chance to extract private keys from an SSL server. These problems can be solved by installing an update.

System: Some
Topic: Vulnerability in HP OpenView
Links: HPSBUX0308-274, ESB-2003.0659, ESB-2003.0669
ID: ae-200309-038

The worm referred to as "Blaster" or "W32.Blaster.worm", may impact HP OpenView products running on Microsoft Windows, HP-UX, Solaris and Linux so the DCE processes may fail. Patches are available and should be installed.

System: Microsoft Windows
Topic: W32/Swen worm
Links: NAI, Symantec, CPAI-2003-33, AU-2003.015
ID: ae-200309-037

For a short time now, the new worm 'W32/Swen' (also known as 'Gibe') has been in the wild. This worm also exploits the long-known security hole: users of Microsoft operating systems who open and execute attachments without properly installed and up-to-date anti-virus software.
This worm is a little bit smarter: it looks like an e-mail from Microsoft and has an executable file attached which the worm describes as a security patch... but it's the worm itself.
The worm looks for addresses on the local system and sends itself to them; it also tries to infect systems via network shares, KaZaa and IRC.

Additional hint: Microsoft doesn't send Patches via e-mail, so never ever trust such e-mails at all. See also: N-153

System: Mandrake Linux
Topic: Vulnerabilities in gtkhtml and MySQL
Links: MDKSA-2003:093, MDKSA-2003:094, ae-200309-016, ae-200309-024, OAR-2003.1197, OAR-2003.1198, OAR-2003.1212, OAR-2003.1213
ID: ae-200309-036

For the already known vulnerabilities in 'gtkhtml' and 'MySQL', Mandrake now provides updates.

System: IBM AIX 5.2
Topic: Vulnerability in tsm
Links: OAR-2003.1177
ID: ae-200309-035

The tsm command provides terminal state management and login functionality which is used to verify users' identity. The services tsm provides are used by commands such as login, passwd and su. Exploiting a format string vulnerability in tsm, a remote attacker can gain root privileges or a local attacker can escalate his privileges to root privileges. An official patch has been published.

System: NetBSD
Topic: Vulnerabilities in openssh, sysctl and ibcs2
Links: NetBSD-SA2003-012, NetBSD-SA2003-013, NetBSD-SA2003-014, ae-200309-031, ESB-2003.0655, ESB-2003.0656, ESB-2003.0657
ID: ae-200309-034

NetBSD also contains a version of OpenSSH with the already known vulnerability.
The statfs(2) function of 'iBCS2' can be used to return a large portion of kernel memory, which can lead to local information disclosure.
In the sysctl(2) code of the kernel, three problems were found which can be used by a user to trigger a kernel panic or read arbitrary locations in kernel memory space.

Patches are now available.

System: Debian Linux
Topic: Vulnerabilities in hztty, libmailtools-perl and gopher
Links: DSA-385, DSA-386, DSA-387, ESB-2003.0663, ESB-2003.0664, ESB-2003.0665
ID: ae-200309-033

Buffer overflows were found in:
- 'hztty' (a translation program for Chinese characters in a terminal session). This can lead to a local root compromise.
- the 'gopher' daemon. This can lead to a remote compromise of the user account that runs the daemon (usually 'gopher').

'libmailtools-perl' contains the Perl module Mail::Mailer, which is used for sending email. When calling external programs like 'mailx', input is not properly filtered and therefore certain escape sequences would be interpreted as commands to be executed.

Fixed packages are available now.

System: SGI IRIX 6.5.21
Topic: Vulnerability in NFS export
Links: SGI-20030901-01-P, ESB-2003.0650, CAN-2003-0680
ID: ae-200309-032

In certain conditions an NFS client can avoid read-only restrictions on filesystems exported via NFS and mount them in read/write mode.
No workaround is available, so only upgrading to IRIX 6.5.22 or applying the provided patch will help here.

System: Various
Topic: Vulnerability in OpenSSH (update)
Links: ae-200309-027, ESB-2003.0653, ESB-2003.0648, ESB-2003.0647, OpenBSD, MDKSA-2003:090, RHSA-2003-279, ESB-2003.0654, SuSE-2003-038, SuSE-2003-039, N-151, DSA-383, ESB-2003.0661, ESB-2003.0675, HPSBUX0309-282, Sun Alert 56862, CSSA-2003-027, FreeBSD-SA-03:15, ESB-2003.0704
ID: ae-200309-031

After fixing the last vulnerability, the code got more review and additional security-related fixes were made.
A new version 3.7.1 is now available; vendors of distributions mostly backport the fixes into their shipped version and provide updated packages, too.

System: Various
Topic: Next vulnerability in sendmail
Links: Sendmail Inc., Sendmail, VU#784980, N-149, ESB-2003.0651, ESB-2003.0649, AL-2003.17, OpenBSD, MDKSA-2003:092, RHSA-2003-283, DSA-384, ESB-2003.0662, S-03-070, TLSA-2003-52, CA-2003-25, VU#108964, Sun Alert 56860, ESB-2003.0671, S-03-070, SuSE-2003-040, ESB-2003.0676, HPSBUX0309-281, ESB-2003.0674, ESB-2003.694, APPLE-SA-2003-09-22, FreeBSD-SA-01-13, Sun Alert 56922, SGI-20030903-01-P, ESB-2003.0688, SSRT3631, ESB-2003.0706, NetBSD-SA2003-016, ESB-2003.0714, ESB-2003.0805
ID: ae-200309-030

The next critical bug was found in the never-ending story of vulnerabilities in sendmail. The function prescan() can be exploited by an e-mail containing a malicious header. This can result in a system compromise.
Applying the existing patch or updating to version 8.12.10 is strongly recommended.
Even better would be the replacement of this MTA with a more securely designed one, e.g. 'postfix'...

System: Sun Solaris
Topic: Vulnerability in sadmind
Links: Sun Alert 56740, ESB-2003.0646, N-148, Symantec, VU#41870
ID: ae-200309-029

If the sadmind(1M) daemon is utilizing the default security level authentication mechanism of AUTH_SYS, users may be able to forge AUTH_SYS credentials and execute arbitrary commands with the permissions of the sadmind(1M) daemon (normally "root"). Enable strong (AUTH_DES) authentication to fix this problem.

System: Various
Topic: Vulnerabilities in KDE
Links: RHSA-2003-269, MDKSA-2003:091, ESB-2003.0652, N-150, DSA-388, ESB-2003.0666
ID: ae-200309-028

KDM might grant local root access to any user with valid login credentials, as it does not correctly handle the result of a pam_setcred() call.
In addition, the session cookie generation algorithm used by KDM was considered too weak. This could make it possible for non-authorized users to brute-force the session cookie and gain access to the current session.
Patches are available now.

System: Various
Topic: Vulnerability in OpenSSH
Links: OpenSSH, CA-2003-24, VU#333628, AL-2003.16, S-03-069, OpenBSD, FreeBSD-SA-03:12, ESB-2003.0644, DSA-382, ESB-2003.0660, ESB-2003.0645, RHSA-2003-279, MDKSA-2003:090, ISS Advisory, Sun Alert 56861, ESB-2003.0679, Update: ae-200309-031
ID: ae-200309-027

A vulnerability exists in the buffer management code of OpenSSH. The error occurs when a buffer is allocated for a large packet. When the buffer is cleared, an improperly sized chunk of memory is filled with zeros. This leads to heap corruption, which could cause a denial-of-service condition. This vulnerability may also allow an attacker to execute arbitrary code. Patches are available now.

System: Several systems
Topic: New ISS Summary
Links: AS03-37
ID: ae-200309-026

Within the last week 51 new vulnerabilities have been reported:

- pine-display-parameters-bo - apachegallery-inlinec-execute-code - escapade-page-xss
- gtkhtml-dos - webx-dotdot-directory-traversal - realoneplayer-config-file-access
- saned-improper-rpc-validation - kokesh-edit-content-modification - invision-font-color-xss
- ie-navigateand - b2evolution-sql-injection - mah-jong-dos
- inetd-requests-dos - digitalscribe-login-register-xss - man-getenv-manpl-bo
- roger-wilco-nickname-bo - ossim-multiple-sql-injection - bandsite-admin-access
- b2evolution-xss - ftp-desktop-heap-overflow - roger-wilco-bo
- phpbb-bbcode-tags-xss - mysql-password-bo - asterisk-cdr-sql-injection
- myserver-mscgi-get-bo - mah-jong-bo - pine-rfc2231getparam-integer-overflow
- icq-webfront-message-xss - escapade-multiple-path-disclosure - saned-malloc-dos
- saned-sanenetinit-memory-consumption - roger-wilco-network-dos - ftgatepro-exportmbx-script-access
- 4dwebstar-password-bo - iewindowopen-execute-code - saned-memory-consumption
- gordano-dotdot-dos - winserver2003-bypass-security-bo - ie-historyback-obtain-information
- ie-historyback-execute-code - cmdftp-storeline-heap-overflow - myphpnuke-php-file-include
- ms-request-validation-bypass - netsnmp-mibobject-bypass-security - gordano-alertlist-file-access
- openbsd-integer-overflow - ie-perform-actions - wsftp-ftp-command-bo
- ftgatepro-ftgatedump-obtain-information - ie-search-obtain-cookie - saned-debug-message-dos

System: Various
Topic: Vulnerabilities in Nokia Electronic Documentation
Links: Atstake
ID: ae-200309-025

Three vulnerabilities were found in Nokia Electronic Documentation (NED) that allow the NED to be used as an open proxy, disclose directory listings of certain directories under the web root, and allow cross-site scripting attacks. No patches are available.

System: Various
Topic: Vulnerability in MySQL
Links: VU#516492, DSA-381, ESB-2003.0642
ID: ae-200309-024

MySQL contains a buffer overflow condition which could be exploited by a user who has permission to execute "ALTER TABLE" commands on the tables in the "mysql" database. If successfully exploited, this vulnerability could allow the attacker to execute arbitrary code with the privileges of the mysqld process (by default, user "mysql"). Patches are available now.

System: Various
Topic: Vulnerabilities in XFree86
Links: MDKSA-2003:089, DSA-380, ESB-2003.0643
ID: ae-200309-023

Several vulnerabilities were discovered in the font libraries of XFree86. These bugs could potentially lead to execution of arbitrary code or a DoS by a remote user. Patches are available now.

System: HP OpenVMS
Topic: Vulnerability in DCE
Links: OAR-2003.1134, OAR-2003.1135, OAR-2003.1136, OAR-2003.1141, OAR-2003.1155
ID: ae-200309-022

OpenVMS systems with DCE or COM installed could be vulnerable to a remotely initiated buffer overflow which would result in a hang of DCE or COM applications on OpenVMS. Patches are available now.

System: HP Tru64
Topic: Vulnerabilities in Internet Express sendmail and dtterm
Links: SSRT3612, SSRT3507, ESB-2003.0638, ESB-2003.0639
ID: ae-200309-021

HP has released patches for vulnerabilities in Internet Express sendmail and dtterm.

System: Debian Linux
Topic: Vulnerabilities in sane-backends
Links: DSA-379, ESB-2003.0641
ID: ae-200309-020

Several security-related vulnerabilities were discovered in the sane-backends package. These problems allow a remote attacker to cause a segmentation fault and/or consume arbitrary amounts of memory. The attack is successful, even if the attacker's computer isn't listed in saned.conf. Fixed packages are available now.

System: Microsoft Windows NT, 2000, XP, Server 2003
Topic: Vulnerability in RPCSS service
Links: MS03-039, CA-2003-23, VU#254236, VU#483492, AL-2003.15, ESB-2003.0637, ISS Alerts, S-03-068, Symantec, WinITSec
ID: ae-200309-019

No further comment due to Microsoft insisting on their copyright on advisories.

System: OpenBSD
Topic: Vulnerability in semaphore limits
Links: OpenBSD, ESB-2003.0637
ID: ae-200309-018

It is possible for root to raise the value of the seminfo.semmns and seminfo.semmsl sysctls to values sufficiently high such that an integer overflow occurs. This can allow root to write to kernel memory irrespective of the security level. Patches are available now.

System: Various
Topic: Vulnerability in pine
Links: RHSA-2003-273, RHSA-2003-274, OAR-2003.1132, OAR-2003.1133, SuSE-SA:2003:037, OAR-2003.1137, OAR-2003.1139, OAR-2003.1140, OAR-2003.1144, SuSE-2003-037
ID: ae-200309-017

Two buffer overflows exist in pine, one in the way the 'message/external-body' type is handled and one in the parsing of MIME headers. Patches are available now.

System: Red Hat Linux
Topic: Vulnerability in gtkhtml
Links: RHSA-2003-264, ESB-2003.0635
ID: ae-200309-016

Certain malformed messages could cause the Evolution mail component to crash due to a null pointer dereference in the GtkHTML library. Fixed packages are available now.

System: Several systems
Topic: New ISS Summary
Links: AS03-36
ID: ae-200309-015

Within the last week 47 new vulnerabilities have been reported:

- windows-update-notification-failure
- webcalendar-multiple-sql-injection
- o0mbbs-o0mbbs-file-access
- access-snapshot-viewer-bo
- stunnel-file-descriptor-hijack
- ftgatepro-url-path-disclosure
- asterisk-sip-message-bo
- blackberry-attachment-bypass-security
- worldflashgold-bo
- ppa-error-xss
- vba-document-bo
- go2call-udppacket-bo
- foxweb-pathinfo-bo
- webwizguestbook-wwgguestbook-file-access
- leafnode-fetchnews-dos
- ftgatepro-login-response
- office-wordperfect-bo
- its-service-xss
- barricade-router-password-bruteforce
- webwizmailing-mailinglist-file-access
- its-wgatedll-information-disclosure
- yahoo-archive-weak-encryption
- exim-helo-heap-overflow
- hp-phne-dce-dos
- catalogintegratorcart-expire-file-access
- vmware-symlink
- metaworks-base-file-access
- suidperl-error-info-disclosure
- fw1-securemote-ip-disclosure
- webwizpolls-weeklypoll-file-access
- webcalendar-multiple-xss
- ftgatepro-index-xss
- mplayer-bo
- ezsiteforum-ezsiteforum-file-access
- gastenboek-name-message-xss
- its-wgatedll-directory-traversal
- filesharingfornet-dot-directory-traversal
- blackberry-pdf-dos
- pamldap-pamfilter-unauth-access
- webwizjournal-journal-file-access
- win-netbios-info-disclosure
- webwizinternet-searchengine-file-access
- e4ums-news-username-bruteforce
- wrapsodyviewer-bypass-security
- linuxnode-format-string
- zonealarm-udp-dos
- word-macro-security-bypass

System: Several
Topic: New CERT Summary
Links: CS-2003-03, ESB-2003.0633
ID: ae-200309-014

As every quarter, CERT/CC has published a summary pointing out the most important vulnerabilities within the last months. These are:
- W32/Sobig.F Worm
- Exploitation of Vulnerabilities in Microsoft RPC Interface
- Cisco IOS Interface Blocked by IPv4 Packet
- Vulnerabilities in Microsoft Windows Libraries and Internet Explorer
- Malicious Code Propagation and Antivirus Software Updates
Further information about these topics can be found in the summary itself.

System: Conectiva Linux
Topic: Vulnerabilities in exim and stunnel
Links: CLA-2003:735, CLA-2003:736, OAR-2003.1119, OAR-2003.1120
ID: ae-200309-013

A remote heap buffer overflow vulnerability has been reported in the Exim server. Carefully constructed EHLO/HELO messages can cause a buffer overflow.
In stunnel there exists a race in the code that handles the SIGCHLD signal and a file descriptor leak vulnerability that allows a local attacker to hijack the stunnel server.
Patches are available now.

System: Sun Linux
Topic: Vulnerabilities in fileutils, lynx, and pam_xauth
Links: OAR-2003:1118, OAR-2003:1124, OAR-2003:1025
ID: ae-200309-012

Sun has released patches for several already known vulnerabilities in fileutils, lynx, and pam_xauth.

System: Conectiva Linux
Topic: Vulnerability in pam_smb
Links: CLA-2003:734, OAR-2003.1117
ID: ae-200309-011

If a long password is supplied to the libpam-smb PAM authentication module, this can cause a buffer overflow which could be exploited to execute arbitrary code with the privileges of the process which invokes PAM services. Patches are available now.

System: Debian Linux
Topic: Vulnerabilities in mah-jong
Links: DSA-378, ESB-2003.0630
ID: ae-200309-010

A buffer overflow could be exploited by a remote attacker to execute arbitrary code with the privileges of the user running the mah-jong server. In addition there is the possibility to cause the mah-jong server to enter a tight loop and stop responding to commands. Fixed packages are available now.

System: HP HP-UX & Tru64
Topic: Vulnerabilities in wu-ftpd, Apache 2, OpenSSL and Network DoS
Links: HPSBUX0309-277, SSRT3606, SSRT3587, SSRT3460, SSRT3521, SSRT3499, SSRT3518, ESB-2003.0628, ESB-2003.0626, ESB-2003.0625, ESB-2003.0622, ESB-2003.0623, ESB-2003.0629, ae-200307-028, ae-200308-001, ae-200302-042, ae-200303-071
ID: ae-200309-009

- For the already known vulnerability in 'wu-ftpd', new versions are now also available for Tru64.
The following are HP-UX related only:
- For the already known vulnerabilities in Apache version 2, updates are now available as well.
- For the already known vulnerabilities in OpenSSL (timing-based attacks and RSA private key attack), updates are available as well.
- A problem in the network socket can lead to a DoS of services in some cases, depending on certain network traffic; patches are available now.

System: Red Hat Linux 8/9
Topic: Vulnerabilities in Apache 2
Links: RHSA-2003-240, ae-200307-028, OAR-2003.1108
ID: ae-200309-008

For the already known vulnerabilities in Apache 2 below version 2.0.47 Red Hat provides backpatched packages of version 2.0.40 (to avoid breaking binary compatibility with 3rd-party Apache 2 modules).

System: Debian Linux
Topic: Vulnerabilities in wu-ftpd and exim
Links: DSA-376, DSA-377, ae-200308-001, ESB-2003.0620, ESB-2003.0627
ID: ae-200309-007

Updates are now available for the already known buffer overflow in 'exim'.
When building dynamically constructed archive files, the distributed 'wu-ftpd' calls the local 'tar' (mostly GNU 'tar') in an insecure manner, so command line options can be passed to it, too. Fixed packages are available now.

System: Sun JAVA
Topic: Vulnerability in Secure Socket Extension
Links: Sun Alert 56380, N-141, S-02-062, ae-200302-042, HPSBUX0309-280, SSRT3627, ESB-2003.0658, ESB-2003.0737
ID: ae-200309-006

JAVA Secure Socket Extension is also vulnerable to the already known timing-based attacks. Patches are now available.

System: Sun Linux 5.0
Topic: Vulnerability in vnc
Links: Sun Alert 56161, N-140, ae-200302-049
ID: ae-200309-005

For the already known vulnerability in 'vnc' an update is now available.

System: Mandrake Linux 9.1
Topic: Vulnerability in pam_ldap
Links: MDKSA-2003:088, OAR-2003.1098
ID: ae-200309-004

pam_ldap 162 used with the pam_filter mechanism for host-based access restriction allows any user, regardless of the host attribute, to log in.
An update is available now.

System: HP HP-UX
Topic: Vulnerabilities in wu-ftpd, DCE and BIND
Links: SSRT2316, SSRT2408, SSRT3603, SSRT3620, ESB-2003.0612, ESB-2003.0613, ESB-2003.0614, ESB-2003.0615, ae-200308-001, ESB-2003.0799
ID: ae-200309-003

- For the already known vulnerability in 'wu-ftpd', new versions are now available.
- The B.11.11 DCE is vulnerable to attacks by e.g. the Blaster worm, and there are problems in special cases.
- For the BIND vulnerability, the list of affected systems was extended.

System: Microsoft Windows NT, 2000, XP, Server 2003
Topic: Vulnerabilities in Office (Access, Word, Works Suite), Visual Basic for Applications and NetBIOS
Links: MS03-034, MS03-035, MS03-036, MS03-037, MS03-038, N-142, N-143, N-144, N-145, ESB-2003.0610, ESB-2003.0616, ESB-2003.0617, ESB-2003.0618, ESB-2003.0619, WinITSec#40089, WinITSec#40090, WinITSec#40091, S-03-063, S-03-064, S-03-065, S-03-066, S-03-067, VU#992132
ID: ae-200309-002

Several vulnerabilities were found, see given URLs for more.
No further comment due to Microsoft insisting on their copyright on advisories.

System: Red Hat Linux
Topic: New up2date package
Links: RHSA-2003-267, RHSA-2003-268, ESB-2003.0609, N-139
ID: ae-200309-001

Red Hat has released new packages for the up2date and rhn_register clients, which are required for continued access to the Red Hat Network. These packages contain the SSL certificate necessary to continue accessing the Red Hat Network.

(c) 2000-2014 AERAsec Network Services and Security GmbH