-- Security Alert Consensus --
Number 037 (02.37)
Thursday, September 19, 2002
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to SANS' distribution of the Security Alert Consensus.
If you haven't heard by now, a worm is slithering around and
exploiting Apache servers that are vulnerable to an OpenSSL buffer
overflow. Upon successfully breaking in, the worm creates a DDoS agent
on the system and then continues to probe other systems. Fortunately,
Apache displays the exact software versions by default in the HTTP
Server response header, so it's extremely easy to remotely determine
http://archives.neohapsis.com/archiv...2-q3/0009.html
To go along with this week's release of NetBSD 1.6, the NetBSD team
also has released a flood of security advisories withheld pending
the new version's debut. NetBSD folks will notice a lot of traffic
under the BSD category.
Until next week,
--Security Alert Consensus Team
************************************************************************
TABLE OF CONTENTS:
{02.37.018} Win - Savant Web server multiple vulnerabilities
{02.37.019} Win - PlanetWeb server URL request overflow
{02.37.002} Linux - Update {02.33.024}: Multiple Postgres function
buffer overflows
{02.37.003} Linux - Purity two buffer overflows
{02.37.005} Linux - Update {01.27.039}: PHP mail() command may bypass
safe_mode
{02.37.006} Linux - Update {02.30.003}: chfn /etc/ptmp lockfile
vulnerability
{02.37.008} BSD - TIOCSCTTY ioctl DoS
{02.37.009} BSD - setlocale array element overflow
{02.37.010} BSD - Update {02.32.002}: NFS server empty payload infinite
loop DoS
{02.37.011} BSD - fd_set overflows fd_setsize
{02.37.012} BSD - shutdown with SHUT_RD causes instability
{02.37.014} BSD - libkvm ports can read /dev/(k)mem
{02.37.017} NApps - Enterasys SSR8000 MPS port DoS
{02.37.015} Other - Tru64 SSRT-547: TCP ISN, ARP and ftpd
vulnerabilities
{02.37.004} Cross - Update {02.30.001}: OpenSSL multiple overflows and
ASN1 parse vulnerabilities
{02.37.007} Cross - Konqueror subframe CSS and insecure cookie
vulnerabilities
{02.37.013} Cross - Heimdal kfd multiple vulnerabilities
{02.37.016} Cross - xbreaky highscores file symlink vulnerability
{02.37.020} Cross - UT2003 small ping DoS
{02.37.001} Tools - NetBSD 1.6 available
--- Windows News
-------------------------------------------------------
*** {02.37.018} Win - Savant Web server multiple vulnerabilities
Savant Web server version 3.1 contains multiple vulnerabilities: a
buffer overflow in the cgitest.exe sample CGI; an application crash
when a negative Content-Length header is given; and an authorization
bypass on password-protected folders.
These vulnerabilities are not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archiv...2-09/0151.html
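The negative Content-Length crash above is the classic result of converting the header with atoi()/atol() and then treating the result as a size. As an added illustration (not code from Savant or from the advisory), the check a server should apply instead; max_allowed is an assumed caller-supplied upper bound on the body size it is prepared to buffer:

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>

/* Naive conversion for contrast: "-1" becomes -1, and once that is used
 * as a size_t it silently turns into SIZE_MAX. */
size_t naive_body_size(const char *value)
{
    return (size_t)atol(value);
}

/* Hardened parse of a Content-Length header value.
 * Returns 0 and stores the length on success. Returns -1 for anything that
 * is not a plain non-negative decimal integer: a leading '-' or '+', empty
 * input, trailing garbage, arithmetic overflow, or a value above the
 * caller's limit (max_allowed is an assumed application policy). */
int parse_content_length(const char *value, size_t max_allowed, size_t *out)
{
    char *end;
    unsigned long long n;

    /* tolerate optional whitespace after the colon */
    while (*value == ' ' || *value == '\t')
        value++;
    /* first character must be a digit: rejects "", "-1", "+5", "abc" */
    if (!isdigit((unsigned char)*value))
        return -1;
    errno = 0;
    n = strtoull(value, &end, 10);
    if (errno == ERANGE)            /* too large for unsigned long long */
        return -1;
    /* only trailing whitespace may follow the digits */
    while (*end == ' ' || *end == '\t')
        end++;
    if (*end != '\0')
        return -1;
    if (n > max_allowed)            /* enforce the application's own cap */
        return -1;
    *out = (size_t)n;
    return 0;
}
```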
*** {02.37.019} Win - PlanetWeb server URL request overflow
PlanetWeb version 1.14 reportedly contains a buffer overflow in the
handling of large URL requests, thereby allowing a remote attacker
to execute arbitrary code on the system.
This vulnerability has not been confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archiv...2-09/0166.html
--- Linux News
---------------------------------------------------------
*** {02.37.002} Linux - Update {02.33.024}: Multiple Postgres function
buffer overflows
Debian released updated Postgres packages that fix the vulnerability
discussed in {02.33.024} ("Multiple Postgres function buffer
overflows").
Updated DEBs are listed at the reference URL below.
Source: Debian
http://archives.neohapsis.com/archiv...2-q3/0032.html
*** {02.37.003} Linux - Purity two buffer overflows
The purity game application contains two buffer overflows that let
a local attacker gain group 'games' privileges.
Debian confirmed this vulnerability and released updated DEBs, which
are listed at the reference URL below.
Source: Debian
http://archives.neohapsis.com/archiv...2-q3/0039.html
*** {02.37.005} Linux - Update {01.27.039}: PHP mail() command may
bypass safe_mode
Mandrake released updated PHP packages that fix the vulnerability
discussed in {01.27.039} ("PHP mail() command may bypass safe_mode").
Updated RPMs are listed at the reference URL below.
Source: Mandrake
http://archives.neohapsis.com/archiv...2-q3/0169.html
*** {02.37.006} Linux - Update {02.30.003}: chfn /etc/ptmp lockfile
vulnerability
Conectiva released updated util-linux packages that fix the
vulnerability discussed in {02.30.003} ("chfn /etc/ptmp lockfile
vulnerability").
Updated RPMs are listed at the reference URL below.
Source: Conectiva
http://archives.neohapsis.com/archiv...2-q3/0020.html
--- BSD News
-----------------------------------------------------------
*** {02.37.008} BSD - TIOCSCTTY ioctl DoS
A NetBSD advisory indicates that it's possible for a local attacker
to issue multiple TIOCSCTTY ioctl requests. Eventually, this will
overflow an internal kernel counter and lead to a kernel panic.
This vulnerability is confirmed and was fixed in NetBSD-current and
-1.6 on July 31, 2002. It also was fixed in -1.5 on Sept. 5, 2002.
Source: NetBSD
http://archives.neohapsis.com/archiv...2-q3/0183.html
*** {02.37.009} BSD - setlocale array element overflow
A NetBSD advisory indicates that a local buffer overflow exists in
the setlocale() libc function whereby a malicious locale definition
will overwrite the bounds of an array. Certain setuid applications
(xterm, in particular) could yield local root privileges.
This vulnerability is confirmed and fixed. NetBSD-current and -1.6
as of Aug. 8, 2002, contain a fix. NetBSD-1.5 as of Sept. 5, 2002,
contains a fix.
Source: NetBSD
http://archives.neohapsis.com/archiv...2-q3/0187.html
*** {02.37.010} BSD - Update {02.32.002}: NFS server empty payload
infinite loop DoS
NetBSD released updates that fix the vulnerability discussed in
{02.32.002} ("NFS server empty payload infinite loop DoS").
NetBSD-current and NetBSD-1.6 as of Aug. 3, 2002, contain a
fix. NetBSD-1.5 as of Sept. 5, 2002, contains a fix.
Source: NetBSD
http://archives.neohapsis.com/archiv...2-q3/0188.html
*** {02.37.011} BSD - fd_set overflows fd_setsize
A NetBSD advisory indicates that the fd_set() function used by select()
overflows the fd_setsize maximum if a local attacker opens multiple
file descriptors before executing a program. This can lead to a local
root compromise via exploitation of mrinfo, mtrace or pppd.
This vulnerability is confirmed. NetBSD-current and NetBSD-1.6 as of
Aug. 11, 2002, and NetBSD-1.5 as of Sept. 5, 2002, contain fixes.
Source: NetBSD
http://archives.neohapsis.com/archiv...2-q3/0189.html
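The FD_SET() macro does no bounds check of its own, so a program inherits the problem whenever a parent left enough descriptors open that a new one lands at or beyond FD_SETSIZE. As an added illustration (not code from NetBSD or from the advisory), the check a select()-based program should make before adding a descriptor to a set, plus a helper that also computes the nfds argument:

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/select.h>

/* Adds fd to set only if it lies inside the range an fd_set can hold.
 * Returns 0 on success, -1 with errno = EINVAL otherwise. An unchecked
 * FD_SET(fd, set) with fd >= FD_SETSIZE writes past the end of the set. */
int fdset_add_checked(int fd, fd_set *set)
{
    if (fd < 0 || fd >= FD_SETSIZE) {
        errno = EINVAL;
        return -1;
    }
    FD_SET(fd, set);
    return 0;
}

/* Builds a read set from an array of descriptors. Returns the nfds value
 * to pass to select() (highest fd + 1), or -1 if any fd is out of range,
 * in which case the caller must fall back to poll() or refuse the fd. */
int build_read_set(const int *fds, size_t count, fd_set *set)
{
    int nfds = 0;
    FD_ZERO(set);
    for (size_t i = 0; i < count; i++) {
        if (fdset_add_checked(fds[i], set) == -1)
            return -1;
        if (fds[i] + 1 > nfds)
            nfds = fds[i] + 1;
    }
    return nfds;
}

int main(void)
{
    fd_set set;
    int ok[] = {0, 1, 2};
    int bad[] = {3, FD_SETSIZE};   /* second entry is one past the array */
    printf("nfds for {0,1,2}: %d\n", build_read_set(ok, 3, &set));
    printf("result for {3, FD_SETSIZE}: %d (errno %d)\n",
           build_read_set(bad, 2, &set), errno);
    return 0;
}
```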
*** {02.37.012} BSD - shutdown with SHUT_RD causes instability
A NetBSD advisory indicates that the shutdown() function does
not properly handle the SHUT_RD parameter, thereby causing system
instability when traffic is received. This could potentially be used
as a locally induced denial of service.
NetBSD confirmed this vulnerability. NetBSD-current, -1.6 and -1.5
as of Sept. 7, 2002, contain the fixes.
Source: NetBSD
http://archives.neohapsis.com/archiv...2-q3/0194.html
*** {02.37.014} BSD - libkvm ports can read /dev/(k)mem
Various setuid applications in the FreeBSD ports collection, which
are based on libkvm, allow local attackers to read /dev/(k)mem,
potentially allowing them to recover sensitive information. FreeBSD
versions 4.6.2-RELEASE and prior are vulnerable.
The advisory indicates confirmation by the vendor, which committed
fixes to the 4.6-STABLE and RELENG branches.
Source: VulnWatch
http://archives.neohapsis.com/archiv...2-q3/0115.html
--- Network Appliances News
--------------------------------------------
*** {02.37.017} NApps - Enterasys SSR8000 MPS port DoS
The Enterasys SSR8000 switch prior to firmware version 8.3.0.10 crashes
when a remote attacker sends malformed packets to the MPS service ports
(15077 and 15078). This leads to a denial of service.
This vulnerability is not confirmed. The advisory indicates that
firmware version 8.3.0.10 fixes the vulnerability.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archiv...2-09/0141.html
--- Other News
---------------------------------------------------------
*** {02.37.015} Other - Tru64 SSRT-547: TCP ISN, ARP and ftpd
vulnerabilities
HP/Compaq released SSRT-547 for Tru64. It contains security fixes
for weak TCP initial sequence numbers, ARP spoofing and ftpd globbing
overflows.
A full patch list is available at the reference URL below.
Source: HP/Compaq
http://archives.neohapsis.com/archiv...2-q3/0017.html
--- Cross-Platform News
------------------------------------------------
*** {02.37.004} Cross - Update {02.30.001}: OpenSSL multiple overflows
and ASN1 parse vulnerabilities
Debian and HP released patches that fix the vulnerability discussed
in {02.30.001} ("OpenSSL multiple overflows and ASN1 parse
vulnerabilities").
Debian rereleased prior DEBs because of packaging issues. The DEBs
are available at:
http://archives.neohapsis.com/archiv...2-q3/0118.html
HP released Apache HP-UX updates, which are available at:
http://www.software.hp.com/ISS_products_list.html
Source: Debian, HP
http://archives.neohapsis.com/archiv...2-q3/0118.html
http://archives.neohapsis.com/archiv...2-q3/0081.html
*** {02.37.007} Cross - Konqueror subframe CSS and insecure cookie
vulnerabilities
KDE's Konqueror browser reportedly contains a cross-site scripting
error when handling various frame and iframe HTML elements. The
browser also does not honor the 'secure' cookie flag, which is used
to ensure that the browser only sends the cookie over SSL. KDE 2.2.2,
3.0.3 and prior are vulnerable.
The vendor confirmed these vulnerabilities and released updated
versions of kdelibs.
Debian released updated DEBs, which are listed at:
http://archives.neohapsis.com/archiv...2-q3/0105.html
Source: SecurityFocus Bugtraq, Debian
http://archives.neohapsis.com/archiv...2-09/0102.html
http://archives.neohapsis.com/archiv...2-09/0103.html
http://archives.neohapsis.com/archiv...2-q3/0105.html
*** {02.37.013} Cross - Heimdal kfd multiple vulnerabilities
The Heimdal Kerberos suite prior to version 0.5 contains multiple
vulnerabilities in the kf and kfd applications. Running kfd allows
a remote attacker to gain local root access.
NetBSD confirmed these vulnerabilities and committed fixes to the
NetBSD-current and -1.5 branches as of Sept. 11, 2002.
Source: NetBSD
http://archives.neohapsis.com/archiv...2-q3/0195.html
*** {02.37.016} Cross - xbreaky highscores file symlink vulnerability
The xbreaky application is vulnerable to a symlink attack in the
handling of the .xbreakyhighscores files. Because xbreaky can be
set setuid root, a local attacker can overwrite arbitrary files on
the system.
The advisory indicates confirmation by the vendor, which released
version 0.0.5.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archiv...2-09/0131.html
*** {02.37.020} Cross - UT2003 small ping DoS
The Unreal Tournament 2003 client and server reportedly crash when from
one to three characters are sent to UDP port 7778 or port 10777. This
leads to a remote denial of service attack.
The advisory indicates vendor confirmation.
Source: VulnWatch
http://archives.neohapsis.com/archiv...2-q3/0116.html
--- Tool Announcements News
--------------------------------------------
*** {02.37.001} Tools - NetBSD 1.6 available
The NetBSD team released NetBSD version 1.6. It contains the
security-related fixes that have been patched for prior versions
(as reported in this issue).
The latest version is available at:
http://www.netbsd.org/mirrors/
Source: NetBSD
http://archives.neohapsis.com/archiv...2-q3/0176.html
************************************************************************