-- Security Alert Consensus --
Number 042 (02.42)
Thursday, October 24, 2002
Created for you by
Network Computing and the SANS Institute
Powered by Neohapsis
----------------------------------------------------------------------
Welcome to SANS' distribution of the Security Alert Consensus.
If you're not running on the latest Linux kernel, you should definitely
consider it. Both the 2.4 and 2.2 series kernels have fixes for local
security problems. We've reported these issues as items {02.42.001}
and {02.42.002}.
Microsoft also released a patch for the MS Word field code problem
we discussed in an earlier SAC editorial. You can read about MS02-059
in item {02.42.009}.
And, if you haven't heard, the Internet root name servers went under
DDoS attack earlier this week; nine of the 13 fell prey. You can read
more about it at:
http://www.washingtonpost.com/wp-dyn...2002Oct22.html
Until next week,
--Security Alert Consensus Team
************************************************************************
TABLE OF CONTENTS:
{02.42.009} Win - MS02-059: MS Word/Excel field codes may leak
information
{02.42.010} Win - MS02-060: Windows XP Help and Support Center control
file deletion
{02.42.011} Win - MS02-061: SQL Server Web tasks command execution
{02.42.024} Win - CoolSoft Personal FTP Server ftproot escaping
{02.42.001} Linux - Linux kernel 2.4 driver vulnerabilities
{02.42.002} Linux - Linux kernel 2.2 vulnerabilities
{02.42.003} Linux - Update {02.40.013}: Apache host name CSS, ab
overflow and shared memory vulnerabilities
{02.42.004} Linux - Update {02.32.017}: xinetd signal pipe descriptor
DoS
{02.42.005} Linux - Update {02.38.003}: xfree86 libX11.so LD_PRELOAD
vulnerability
{02.42.006} Linux - Update {02.39.006}: Fetchmail multiple
vulnerabilities
{02.42.007} Linux - Update {02.40.024}: Sendmail smrsh execution
restriction bypass
{02.42.014} Linux - Update {02.39.013}: gv sscanf() overflow
{02.42.015} Linux - Update {02.37.002}: Multiple Postgres function
buffer overflows
{02.42.016} Linux - Update {02.41.012}: syslog-ng macro expansion
overflow
{02.42.018} Linux - Update {02.38.013}: Multiple Mozilla 1.0
vulnerabilities
{02.42.021} Linux - Update {02.39.003}: GNU tar file extraction
directory traversal
{02.42.008} BSD - Short ESP packet IPSEC DoS
{02.42.025} NApps - Cisco Catalyst CatOS HTTP service DoS
{02.42.012} Other - Update {02.06.011}: Multiple vendor SNMP problems
{02.42.013} Cross - Apache mod_ssl host name CSS
{02.42.017} Cross - PAM treats disabled passwords as empty
{02.42.020} Cross - Heimdal kadmind multiple vulnerabilities
{02.42.022} Cross - Ximian Evolution SSL certificate validation
{02.42.023} Cross - VBZoom forum CGI multiple vulnerabilities
--- Windows News -------------------------------------------------------
*** {02.42.009} Win - MS02-059: MS Word/Excel field codes may leak
information
Microsoft released MS02-059 ("MS Word/Excel field codes may leak
information"). Various versions of MS Word and Excel support 'field
codes,' which allow a document to import other documents. If a user
receives a (malicious) document, edits it and then sends it back,
the document may be able to import other files during the edit/saving
process, thereby allowing the recipient access to that data.
FAQ and patch:
http://www.microsoft.com/technet/sec...n/MS02-059.asp
Source: Microsoft
http://archives.neohapsis.com/archiv...2-q4/0006.html
*** {02.42.010} Win - MS02-060: Windows XP Help and Support Center
control file deletion
Microsoft released MS02-060 ("Windows XP Help and Support Center
control file deletion"). The Help and Support Center ActiveX control
included with Windows XP allows a malicious Web site to delete
arbitrary files on the user's system.
FAQ and patch:
http://www.microsoft.com/technet/sec...n/MS02-060.asp
Source: Microsoft
http://archives.neohapsis.com/archiv...2-q4/0005.html
*** {02.42.011} Win - MS02-061: SQL Server Web tasks command execution
Microsoft released MS02-061 ("SQL Server Web tasks command
execution"). SQL Server allows a nonprivileged user to modify and
submit new scheduled Web tasks, thereby allowing arbitrary commands
to be executed under the elevated privileges of the SQL Agent
account. This is also a cumulative patch, which fixes all prior SQL
Server and MSDE vulnerabilities.
FAQ and patch:
http://www.microsoft.com/technet/sec...n/MS02-061.asp
Source: Microsoft
http://archives.neohapsis.com/archiv...2-q4/0007.html
*** {02.42.024} Win - CoolSoft Personal FTP Server ftproot escaping
CoolSoft's Personal FTP Server version 2.24 reportedly contains
vulnerabilities in the handling of various FTP commands that would
allow an attacker to manipulate and read files outside the allowed
ftproot directory. Login credentials (user names and passwords)
are also stored in plain text in the ftpserver.ini file.
These vulnerabilities are not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archiv...2-10/0142.html
--- Linux News ---------------------------------------------------------
*** {02.42.001} Linux - Linux kernel 2.4 driver vulnerabilities
The ixj telephony card driver, pcilynx firewire driver and bttv
video capture card driver included with the Linux 2.4 series kernel
contain security vulnerabilities that allow a local attacker to gain
root privileges.
These vulnerabilities are confirmed.
Updated Red Hat RPMs:
http://archives.neohapsis.com/archiv...2-q4/0026.html
http://archives.neohapsis.com/archiv...2-q4/0025.html
Source: Red Hat
http://archives.neohapsis.com/archiv...2-q4/0026.html
http://archives.neohapsis.com/archiv...2-q4/0025.html
*** {02.42.002} Linux - Linux kernel 2.2 vulnerabilities
Various vulnerabilities have been found in the Linux 2.2 series
kernels prior to version 2.2.22. Many of these bugs stem from signed
comparison problems via /proc/ entry handlers.
These vulnerabilities are confirmed.
Updated Red Hat RPMs:
http://archives.neohapsis.com/archiv...2-q4/0027.html
Updated Trustix RPMs:
http://archives.neohapsis.com/archiv...2-10/0250.html
Updated EnGarde RPMs:
http://archives.neohapsis.com/archiv...2-q4/0004.html
Source: Red Hat, Trustix, EnGarde (SF Bugtraq)
http://archives.neohapsis.com/archiv...2-q4/0027.html
http://archives.neohapsis.com/archiv...2-10/0250.html
http://archives.neohapsis.com/archiv...2-q4/0004.html
*** {02.42.003} Linux - Update {02.40.013}: Apache host name CSS, ab
overflow and shared memory vulnerabilities
Trustix released updated Apache packages, which fix the vulnerability
discussed in {02.40.013} ("Apache host name CSS, ab overflow and
shared memory vulnerabilities").
Updated RPMs are listed at:
http://archives.neohapsis.com/archiv...2-10/0254.html
Source: Trustix (SF Bugtraq)
http://archives.neohapsis.com/archiv...2-10/0254.html
*** {02.42.004} Linux - Update {02.32.017}: xinetd signal pipe
descriptor DoS
Red Hat released updated xinetd packages, which fix the vulnerability
discussed in {02.32.017} ("xinetd signal pipe descriptor DoS").
Updated RPMs are listed at:
http://archives.neohapsis.com/archiv...2-q4/0022.html
Source: Red Hat
http://archives.neohapsis.com/archiv...2-q4/0022.html
*** {02.42.005} Linux - Update {02.38.003}: xfree86 libX11.so
LD_PRELOAD vulnerability
Conectiva released updated xfree86 packages, which fix the
vulnerability discussed in {02.38.003} ("xfree86 libX11.so LD_PRELOAD
vulnerability").
Updated RPMs are listed at the reference URL below.
Source: Conectiva
http://archives.neohapsis.com/archiv...2-q4/0005.html
*** {02.42.006} Linux - Update {02.39.006}: Fetchmail multiple
vulnerabilities
Conectiva released updated Fetchmail packages, which fix the
vulnerability discussed in {02.39.006} ("Fetchmail multiple
vulnerabilities").
Updated RPMs are listed at the reference URL below.
Source: Conectiva
http://archives.neohapsis.com/archiv...2-q4/0003.html
*** {02.42.007} Linux - Update {02.40.024}: Sendmail smrsh execution
restriction bypass
Conectiva released updated Sendmail packages, which fix the
vulnerability discussed in {02.40.024} ("Sendmail smrsh execution
restriction bypass").
Updated RPMs are listed at the reference URL below.
Source: Conectiva
http://archives.neohapsis.com/archiv...2-q4/0004.html
*** {02.42.014} Linux - Update {02.39.013}: gv sscanf() overflow
Mandrake released updated ghostview packages, which fix the
vulnerability discussed in {02.39.013} ("gv sscanf() overflow").
Updated Mandrake RPMs:
http://archives.neohapsis.com/archiv...2-q4/0034.html
Updated Debian DEBs:
http://archives.neohapsis.com/archiv...2-q4/0277.html
http://archives.neohapsis.com/archiv...2-q4/0334.html
Source: Mandrake, Debian
http://archives.neohapsis.com/archiv...2-q4/0034.html
http://archives.neohapsis.com/archiv...2-q4/0277.html
http://archives.neohapsis.com/archiv...2-q4/0334.html
*** {02.42.015} Linux - Update {02.37.002}: Multiple Postgres function
buffer overflows
SuSE released updated postgres packages, which fix the vulnerability
discussed in {02.37.002} ("Multiple Postgres function buffer
overflows").
Updated RPMs are listed at the reference URL below.
Source: SuSE
http://archives.neohapsis.com/archiv...2-q4/0294.html
*** {02.42.016} Linux - Update {02.41.012}: syslog-ng macro expansion
overflow
EnGarde released updated syslog-ng packages, which fix the
vulnerability discussed in {02.41.012} ("syslog-ng macro expansion
overflow").
Updated RPMs are listed at the reference URL below.
Source: EnGarde
http://archives.neohapsis.com/archiv...2-q4/0003.html
*** {02.42.018} Linux - Update {02.38.013}: Multiple Mozilla 1.0
vulnerabilities
Red Hat re-released updated Mozilla packages, which fix the
vulnerability discussed in {02.38.013} ("Multiple Mozilla 1.0
vulnerabilities").
Updated RPMs are listed at the reference URL below.
Source: Red Hat
http://archives.neohapsis.com/archiv...2-q4/0029.html
*** {02.42.021} Linux - Update {02.39.003}: GNU tar file extraction
directory traversal
EnGarde released updated tar packages, which fix the vulnerability
discussed in {02.39.003} ("GNU tar file extraction directory
traversal").
Updated RPMs are listed at the reference URL below.
Source: EnGarde
http://archives.neohapsis.com/archiv...2-10/0032.html
--- BSD News -----------------------------------------------------------
*** {02.42.008} BSD - Short ESP packet IPSEC DoS
A NetBSD advisory indicates that a bug in the handling of short ESP
IPSEC packets causes the system to kernel panic.
NetBSD-1.5 as of Sept. 5, 2002, as well as -1.6 and -current as of
Aug. 23, 2002, contain the fix.
Source: NetBSD
http://archives.neohapsis.com/archiv...2-q4/0085.html
--- Network Appliances News --------------------------------------------
*** {02.42.025} NApps - Cisco Catalyst CatOS HTTP service DoS
A Cisco advisory indicates that CatOS versions 5.4 through 7.3
contain a buffer overflow in the embedded CiscoView HTTP server,
thereby allowing a remote attacker to cause the switch to reset.
Cisco confirmed this problem; a list of updates is available at the
reference URL below.
Source: Cisco
http://archives.neohapsis.com/archiv...2-q4/0001.html
--- Other News ---------------------------------------------------------
*** {02.42.012} Other - Update {02.06.011}: Multiple vendor SNMP
problems
HP released updated SNMP packages for MPE/iX, which fix the
vulnerability discussed in {02.06.011} ("Multiple vendor SNMP
problems").
Update information is listed at the reference URL below.
Source: HP
http://archives.neohapsis.com/archiv...2-q4/0010.html
--- Cross-Platform News ------------------------------------------------
*** {02.42.013} Cross - Apache mod_ssl host name CSS
The mod_ssl module for Apache contains a cross-site scripting error
when printing error messages under certain configurations involving
wildcard DNS names.
Debian confirmed this vulnerability and released updated DEBs, which
are listed at the reference URL below.
Source: Debian
http://archives.neohapsis.com/archiv...2-q4/0385.html
*** {02.42.017} Cross - PAM treats disabled passwords as empty
A Debian advisory indicates that some versions of PAM (version 0.76
is mentioned in particular) will treat disabled accounts with an '*'
in the password field as an empty password, thereby allowing login.
Updated Debian DEBs are listed at the reference URL below.
Source: Debian
http://archives.neohapsis.com/archiv...2-q4/0304.html
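The failure mode above, shown as an added Python illustration that is not from the Debian advisory or from PAM's source: the flawed check is an assumed reconstruction of the behaviour described (a non-hash password field handled as "no password"), the shadow entries and the `$c$` hash format are constructed for the demo, and `nullok` mirrors the idea of an explicit opt-in for empty passwords.

```python
import hashlib
import hmac

# Constructed /etc/shadow-style entries: "*" and "!" mark disabled or
# locked accounts, "" is a genuinely empty password, and "$c$<hex>" is a
# constructed (non-crypt) hash format used only for this demonstration.
def _hash(password: str) -> str:
    return "$c$" + hashlib.sha256(password.encode()).hexdigest()

SHADOW = {
    "alice": _hash("correct horse"),   # normal account with a password
    "daemon": "*",                     # disabled: no valid hash at all
    "svc": "!",                        # locked by the administrator
    "guest": "",                       # empty password field
}

def check_flawed(user: str, password: str) -> bool:
    """Assumed reconstruction of the bug in {02.42.017}, not PAM's code:
    any field that is not a well-formed hash is treated as 'no password
    set', so a disabled account with '*' accepts an empty password."""
    field = SHADOW.get(user)
    if field is None:
        return False
    if not field.startswith("$c$"):
        # '*', '!' and '' all land here and are accepted with ""
        return password == ""
    return hmac.compare_digest(field, _hash(password))

LOCKED_MARKERS = ("*", "!")

def check_fixed(user: str, password: str, nullok: bool = False) -> bool:
    """Hardened check: a field that is not a parseable hash is a locked
    account and always fails; only an explicitly empty field may match an
    empty password, and only when the administrator opted in (nullok)."""
    field = SHADOW.get(user)
    if field is None:
        return False
    if field == "":
        return nullok and password == ""
    if field.startswith(LOCKED_MARKERS) or not field.startswith("$c$"):
        return False  # locked or unrecognised field: never a valid login
    return hmac.compare_digest(field, _hash(password))
```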
*** {02.42.020} Cross - Heimdal kadmind multiple vulnerabilities
A buffer overflow was found in the kadmind daemon of the Heimdal
Kerberos package. The buffer overflow exists in the Kerberos 4 support
code section as well as in versions prior to version 0.5.1.
Updated Debian DEBs:
http://archives.neohapsis.com/archiv...2-q4/0296.html
NetBSD-1.6, -1.6, and -current as of Oct 22, 2002 contain a fix.
Source: Debian, NetBSD
http://archives.neohapsis.com/archiv...2-q4/0296.html
http://archives.neohapsis.com/archiv...2-q4/0083.html
*** {02.42.022} Cross - Ximian Evolution SSL certificate validation
Ximian Evolution versions 1.0.x and prior do not properly validate
SSL certificates, potentially allowing a malicious Web site to present
an invalid SSL certificate that the browser will accept.
The vendor confirmed this vulnerability. Versions 1.1.x and 1.2.x
contain fixes.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archiv...2-10/0045.html
*** {02.42.023} Cross - VBZoom forum CGI multiple vulnerabilities
VBZoom.com's VBZoom forum CGI suite version 1.01 contains two
vulnerabilities: register.php allows arbitrary users' passwords to be
reset, and uploaded files are not properly filtered, thereby allowing
the upload of PHP script code.
These vulnerabilities are not confirmed.
Source: SecurityFocus Bugtraq
http://archives.neohapsis.com/archiv...2-10/0111.html
http://archives.neohapsis.com/archiv...2-10/0126.html
************************************************************************