News of the week!

-- Security Alert Consensus --
Number 030 (02.30)
Thursday, August 1, 2002
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis

----------------------------------------------------------------------

Welcome to SANS' distribution of the Security Alert Consensus.

----------------------------------------------------------------------

This issue sponsored by SPI Dynamics

Aberdeen Alert! Using ports 80 and 443 as expressways through network
firewalls, hackers are free to probe and breach Web applications! How
can you combat this problem? Get the latest recommendations from
Aberdeen in this FREE Research Report!
http://www.spidynamics.com/mktg/aberdeen9

----------------------------------------------------------------------

The most significant vulnerability this week is a collection of bugs in the
OpenSSL library, affecting every application that uses OpenSSL's SSL/TLS
functions (Apache mod_ssl, stunnel, the various IMAP and SMTP SSL/TLS
add-ons, and so on). The bugs are confirmed to be remotely exploitable.
They are reported in this issue as item {02.30.001}, in the Cross-Platform
category.

There are also a few Microsoft SQL Server patches that fix various
problems ({02.30.007} and {02.30.008}), as well as an Exchange 5.5
buffer overflow ({02.30.006}). Speaking of mail servers, GroupWise
6.0.1 SP1 has a buffer overflow as well ({02.30.028}).

Finally, the DMCA has been dragged into yet another forum. A recent
CNET article sheds some disturbing light on how the DMCA could be used
against vulnerability research, after HP issued a rather harsh
warning to a research team: http://news.com.com/2100-1023-947325.html

Until next week,
- Security Alert Consensus Team

************************************************************************

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

TABLE OF CONTENTS:

{02.30.004} Win - MS02-036: MS Metadirectory Services authentication
bypass
{02.30.006} Win - MS02-037: Exchange SMTP EHLO response overflow
{02.30.007} Win - MS02-038: MS SQL 2000 utilities, multiple
vulnerabilities
{02.30.008} Win - MS02-039: MS SQL 2000 resolution service, multiple
vulnerabilities
{02.30.009} Win - Update {02.29.015}: SecureCRT server version string
overflow
{02.30.020} Win - VMWare GSX authentication service GLOBAL parameter
overflow
{02.30.021} Win - Update {02.16.026}: Stdin/stdout/stderr closed file
descriptor vulnerability
{02.30.025} Win - Pegasus mail client To/From field overflow DoS
{02.30.029} Win - IPSwitch IMail GET request overflow
{02.30.030} Win - JanaServer, multiple vulnerabilities
{02.30.032} Win - Abyss Web server directory listing via slashes


- --- Windows News -------------------------------------------------------

*** {02.30.004} Win - MS02-036: MS Metadirectory Services
authentication bypass

Microsoft released MS02-036 ("MS Metadirectory Services authentication
bypass"). A vulnerability in Microsoft Metadirectory Services version
2.2 lets a remote client gain administrative access to the MMS data
without supplying valid authentication credentials.

FAQ and patch:
http://www.microsoft.com/technet/sec...n/MS02-036.asp

Source: Microsoft (NTBugtraq)
http://archives.neohapsis.com/archiv...2-q3/0026.html

*** {02.30.006} Win - MS02-037: Exchange SMTP EHLO response overflow

Microsoft released MS02-037 ("Exchange SMTP EHLO response overflow"). A
remote attacker can send an overly long EHLO argument; when Exchange
echoes that argument back in its EHLO response, the copy overflows a
buffer, and the overflow can be used to execute arbitrary code with the
privileges of the Exchange service account. Only Exchange version 5.5 is
reported vulnerable.

FAQ and patch:
http://www.microsoft.com/technet/sec...n/MS02-037.asp

Source: Microsoft (NTBugtraq)
http://archives.neohapsis.com/archiv...2-q3/0027.html

*** {02.30.007} Win - MS02-038: MS SQL 2000 utilities, multiple
vulnerabilities

Microsoft released MS02-038 ("MS SQL 2000 utilities, multiple
vulnerabilities"). MS SQL Server 2000 and MSDE 2000 contain various
vulnerabilities in the included database utilities that could allow
local attackers to gain privileges equal to the SQL service account.

FAQ and patch:
http://www.microsoft.com/technet/sec...n/MS02-038.asp

Source: Microsoft (NTBugtraq)
http://archives.neohapsis.com/archiv...2-q3/0029.html

*** {02.30.008} Win - MS02-039: MS SQL 2000 resolution service,
multiple vulnerabilities

Microsoft released MS02-039 ("MS SQL 2000 resolution service, multiple
vulnerabilities"). The resolution service included with MS SQL Server
2000 contains two remotely exploitable buffer overflows that allow an
attacker to execute arbitrary code under the privileges of the SQL
service account. A remote denial-of-service vulnerability exists as
well.

FAQ and patch:
http://www.microsoft.com/technet/sec...n/MS02-039.asp

Source: Microsoft (NTBugtraq)
http://archives.neohapsis.com/archiv...2-q3/0028.html

*** {02.30.009} Win - Update {02.29.015}: SecureCRT server version
string overflow

The vendor released SecureCRT versions 3.4.6 and 4.0beta3, which fix
the vulnerability discussed in {02.29.015} ("SecureCRT server version
string overflow").

More information is available at:
http://www.vandyke.com/products/secu...y07-25-02.html

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archiv...2-07/0323.html

*** {02.30.020} Win - VMWare GSX authentication service GLOBAL
parameter overflow

The VMWare GSX authentication service included with version 2.0.0 build
2050 contains a buffer overflow in the handling of the GLOBAL command,
which allows a remote attacker who holds a valid user name and password
to execute arbitrary code on the system. Only the Windows version is
affected.

The vendor confirmed this vulnerability and released an update on
its site.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archiv...2-07/0260.html
http://archives.neohapsis.com/archiv...2-07/0320.html

*** {02.30.021} Win - Update {02.16.026}: Stdin/stdout/stderr closed
file descriptor vulnerability

FreeBSD committed updates that fix the vulnerability discussed
in {02.16.026} ("Stdin/stdout/stderr closed file descriptor
vulnerability"). The previous fixes were insufficient.

FreeBSD branches as of July 30, 2002, contain the corrected code.

Source: FreeBSD
http://archives.neohapsis.com/archiv...2-07/0503.html
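The bug class behind {02.16.026} deserves a concrete illustration, since the item above only records the fix. The mechanism, which the newsletter does not spell out, is that a set-user-ID or otherwise privileged program can be started with descriptor 0, 1 or 2 already closed; the next file the program opens is handed one of those numbers, and everything it later writes to stdout or stderr (error messages, debug output) goes into that file instead of the terminal. The program below is an added example written for this page; it is not FreeBSD's fix and not code from the newsletter, and the helper names `fd_is_open`, `sanitize_std_fds` and `diagnostics_leak_into_file` and the scratch file under /tmp are assumptions made for the illustration. It reproduces the leak in a child process and shows the usual userland mitigation: before opening anything else, point every closed standard descriptor at /dev/null.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Returns 1 if `fd` refers to an open descriptor, 0 if it is closed. */
int fd_is_open(int fd) {
    if (fcntl(fd, F_GETFD) != -1) return 1;
    return errno == EBADF ? 0 : 1;
}

/* Mitigation: make sure 0, 1 and 2 are open before the program opens anything
   else. open() returns the lowest free descriptor, so walking upward from 0
   gives each closed slot a /dev/null descriptor; dup2() covers the case where
   open() returned some other number. Returns 0 on success, -1 on error. */
int sanitize_std_fds(void) {
    for (int fd = 0; fd <= 2; fd++) {
        if (fd_is_open(fd)) continue;
        int nfd = open("/dev/null", fd == 0 ? O_RDONLY : O_WRONLY);
        if (nfd < 0) return -1;
        if (nfd != fd) {
            int rc = dup2(nfd, fd);
            close(nfd);
            if (rc < 0) return -1;
        }
    }
    return 0;
}

/* Reproduces the bug in a child process. The child starts with stderr closed
   (an attacker can arrange this with `2>&-` before exec), opens a file, and
   then emits a diagnostic on stderr. Without the mitigation the file was
   given descriptor 2, so the diagnostic is written into the file.
   Returns 1 if the diagnostic leaked into the file, 0 if not, -1 on error. */
int diagnostics_leak_into_file(int harden) {
    /* Start from a known state: the parent's own 0, 1 and 2 are open. */
    if (sanitize_std_fds() != 0) return -1;

    char path[] = "/tmp/fdleak-XXXXXX";     /* constructed scratch file for the demo */
    int tfd = mkstemp(path);
    if (tfd < 0) return -1;
    close(tfd);

    pid_t pid = fork();
    if (pid < 0) { unlink(path); return -1; }
    if (pid == 0) {
        close(2);                                   /* stderr closed at startup */
        if (harden && sanitize_std_fds() != 0) _exit(3);
        int fd = open(path, O_WRONLY | O_TRUNC);    /* takes slot 2 when it is free */
        if (fd < 0) _exit(2);
        fprintf(stderr, "error: %s\n", "sensitive diagnostic");
        close(fd);
        _exit(0);
    }

    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status) || WEXITSTATUS(status) != 0) {
        unlink(path);
        return -1;
    }

    char buf[256] = {0};
    FILE *f = fopen(path, "r");
    if (!f) { unlink(path); return -1; }
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    unlink(path);
    return n > 0 && strstr(buf, "sensitive diagnostic") != NULL;
}

int main(void) {
    printf("without mitigation: leaked=%d\n", diagnostics_leak_into_file(0));
    printf("with mitigation:    leaked=%d\n", diagnostics_leak_into_file(1));
    return 0;
}
```

Compile with `cc -o fdleak fdleak.c` and run it; the first line reports the leak, the second does not. The FreeBSD fix referenced above lives in the kernel's exec path for set-id binaries, so every privileged program on a patched system benefits without change; the userland version shown here is what an application should do itself when it cannot assume the operating system will do it.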

*** {02.30.025} Win - Pegasus mail client To/From field overflow DoS

The Pegasus mail client version 4.01 crashes when it receives an e-mail
containing a long To or From field, resulting in a denial of service.

This vulnerability is not confirmed.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archiv...2-07/0277.html

*** {02.30.029} Win - IPSwitch IMail GET request overflow

The HTTP server included with IPSwitch IMail version 7.1 reportedly
contains a buffer overflow in the handling of overly long HTTP/1.0 GET
requests, allowing a remote attacker to execute arbitrary code.

This vulnerability is not confirmed.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archiv...2-07/0326.html

*** {02.30.030} Win - JanaServer, multiple vulnerabilities

JanaServer versions 2.2.1 and prior contain multiple vulnerabilities,
including remotely exploitable buffer overflows in several of its
services and a denial-of-service condition.

The advisory indicates vendor confirmation.

Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archiv...2-07/0329.html

*** {02.30.032} Win - Abyss Web server directory listing via slashes

The Abyss Web server version 1.0.3 returns a directory listing when a
remote attacker requests a URL that contains many slashes ('/').

This vulnerability is confirmed by the vendor, which released version
1.0.7 at:
http://www.aprelium.com/news/abws107tp.html

Source: VulnWatch
http://archives.neohapsis.com/archiv...2-q3/0043.html

************************************************************************

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (BSD/OS)
Comment: For info see http://www.gnupg.org

iD8DBQE9SasI+LUG5KFpTkYRApdpAJ46ZJ7U4vHqMU2MRhvatMtUsQbp+ACdGdJP
iFVlg9LBDo5R/UAvV9GiMtI=
=kDuI
-----END PGP SIGNATURE-----
------------------------------------------------------------------------


----------------------------------------------------------------------

Become a Security Alert Consensus member! If this e-mail was passed
to you and you would like to begin receiving our security e-mail
newsletter on a weekly basis, we invite you to subscribe today.
http://www.sans.org/sansnews/

We are signing the Consensus newsletter
with PGP. The new SANS PGP key is posted at:
http://www.pgp.net:11371/pks/lookup?...rch=0xA1694E46 and can
also be accessed from the SANS Web site (http://www.sans.org).

Special Note: To better secure your confidential information,
we will no longer include personal URLs in our Consensus
newsletter mailings. Instead, we have created a new form
(http://www.sans.org/sansurl). On this form you can enter the SD
number located near your name at the top of the newsletter. When you
submit this form, an e-mail containing a URL will be sent to you at
the e-mail address on record. With this URL you can make changes to
your account (edit the content of your Consensus mailing, for example)
without endangering the security of your personal URL. If you'd like
to change your e-mail address or other information, please visit your
new URL as described above. If you have any problems or questions,
e-mail us at <consensus@nwc.com> .

If you would like to unsubscribe from this newsletter, grab your SD
number (next to your name at the top of this message) and visit the
URL below. You will be sent a personal URL via E-mail, from which
you can unsubscribe. http://www.sans.org/sansurl

Missed an issue? You can find all back issues of Security Alert
Consensus (and Security Express) online.
http://archives.neohapsis.com/

Your opinion counts. We'd like to hear your thoughts on Security Alert
Consensus. E-mail any questions or comments to <consensus@nwc.com> .

Copyright (c) 2002 Network Computing, a CMP Media LLC
publication. All Rights Reserved. Distributed by Network
Computing (http://www.networkcomputing.com) and The SANS Institute
(http://www.sans.org). Powered by Neohapsis Inc., a Chicago-based
security assessment and integration services consulting group
(info@neohapsis.com | http://www.neohapsis.com/).