ISS X-Force Alert Summaries

ISS Security Alert Summary
April 3, 1998
Volume 2 Number 4

X-Force Vulnerability and Threat Database: [10]http://www.iss.net/xforce

To receive these Alert Summaries, subscribe to the ISS Alert mailing list. Send an e-mail to [11]majordomo@iss.net, and within the body of the message type: 'subscribe alert'.

___

Contents

10 Reported Vulnerabilities
  - [14]SGI-mailcap
  - [15]SGI-pfdispaly
  - [16]HP-inetd
  - [17]Sun-NIS+
  - [18]AIX-ttdbserver
  - [19]Ascend-kill2
  - [20]fraggle
  - [21]SGI-digitalmedia-tools
  - [22]Sun-ndd
  - [23]Sun-rpc.cmsd

4 Updates
  - [24]SGI-pset
  - [25]SGI-imap/pop
  - [26]FreeBSD-iland
  - [27]FreeBSD-mmap

Risk Factor Key

___

Date Reported: 4/2/98
Vulnerability: SGI-mailcap
Platforms Affected: IRIX (6.3, 6.4)
Risk Level: High

The IRIX System Manager is a web-like interface that allows you to administer an SGI workstation. A vulnerability exists that would allow an attacker to mimic the runtask or runexec descriptor files. An unknowing SGI user could download the descriptor files while reading e-mail or browsing the web. The fake descriptor files could execute a local System Manager Task using the privileges of the user reading e-mail or browsing the web. This action could lead to a local root compromise.

References:
  [30]ftp://sgigate.sgi.com/security/19980403-01-PX
  [31]http://www.sgi.com/Support/security

___

Date Reported: 4/2/98
Vulnerability: SGI-pfdispaly
Platforms Affected: IRIX (6.2, 6.3, 6.4)
Risk Level: Medium

The IRIS Performer API Search Tool is a web-based search tool that assists in searching man pages, documents, example code, and special items known as classes, methods, tokens, and samples. The program pfdispaly.cgi contains a vulnerability that allows remote users to view any file on the system with 'nobody' privileges.

References:
  [34]ftp://sgigate.sgi.com/security/19980401-01-P3018
  [35]http://www.sgi.com/Support/security

___

Date Reported: 3/30/98
Vulnerability: HP-inetd
Platforms Affected: HP-UX (9.x, 10.x)
Risk Level: Medium

A vulnerability exists in HP-UX's inetd service. Improperly coded routines could result in denial of service attacks such as the loss of networking.

References:
  HP Security Bulletin #00077 - [38]http://us-support.external.hp.com/
  [39]http://ciac.llnl.gov/ciac/bulletins/i-039.shtml

___

Date Reported: 3/23/98
Vulnerability: Sun-NIS+
Platforms Affected: Network Information Server Plus (NIS+)
Risk Factor: High

NIS+ (Network Information Server Plus) is a directory service that provides various services distributed over a network. Vulnerabilities exist in NIS+ that allow unauthenticated remote users to gain sensitive information from the server, as well as disable logging on the NIS+ server.

Reference:
  [42]ftp://ftp.secnet.com/pub/advisories/SNI-27.NIS+.advisory

___

Date Reported: 3/18/98
Vulnerability: AIX-ttdbserver
Platforms Affected: AIX (4.1.5)
Risk Factor: Medium-High

AIX 4.1.5 machines running ttdbserver are vulnerable to a denial of service attack that can be initiated by anyone on the Internet without a login or password on the vulnerable system. The attack can result in a slowdown of the system or a complete crash of the system depending on the configuration of the machine being attacked. AIX inetd PATCH IX70400 fixes this problem.

Reference:
  [45]http://www.netspace.org/cgi-bin/wa?A2=ind9803c&L=bugtraq&O=T&P=2497

___

Date Reported: 3/16/98
Vulnerability: Ascend-kill2/snmp
Platforms Affected: Ascend Operating Systems (5.0Ap42 (MAX) and 5.0A (Pipeline))
Risk Factor: High

A denial of service vulnerability exists in Ascend Pipeline and MAX networking equipment running Ascend operating systems 5.0A and 5.0Ap42, respectively. An attacker can send a malformed probe packet to the discard port of the router, which causes the router to lock up. A second issue allows an attacker to use SNMP and TFTP to capture the entire configuration file, including passwords and keys for the router.

Reference:
  [48]ftp://ftp.secnet.com/pub/advisories/SNI-26.Ascend.advisory
  [49]http://ciac.llnl.gov/ciac/bulletins/i-038.shtml

___

Date Reported: 3/15/98
Vulnerability: fraggle
Platforms Affected: Any platform connected to the Internet
Risk Factor: High

A variant of the smurf denial of service attack called 'fraggle' has been posted to a number of security mailing lists. The attack consists of sending out hundreds of UDP packets from a spoofed source (the victim) to broadcast addresses. All of these hosts then reply to the victim with ICMP unreach messages, which will crash the system being attacked.

Reference:
  [52]http://www.netspace.org/cgi-bin/wa?A2=ind9803c&L=bugtraq&O=T&P=367

___

Date Reported: 3/11/98
Vulnerability: SGI-digitalmedia-tools
Platforms Affected: IRIX (5.x, 6.x)
Risk Factor: High

The Digital Media Tools are a set of programs that provide software support to Silicon Graphics' multimedia hardware. A number of these tools contain buffer overruns that could allow arbitrary commands to be run as root. These tools include: startmidi/stopmidi, datman/cdman, cdplayer and the CDROM Confidence Test program.

References:
  [55]ftp://sgigate.sgi.com/security/19980301-01-PX
  [56]http://ciac.llnl.gov/ciac/bulletins/i-035.shtml
  [57]http://www.sgi.com/Support/security

___

Date Reported: 3/11/98
Vulnerability: Sun-ndd
Platforms Affected: Solaris (2.6)
Risk Factor: Medium

The ndd command is used to get and set selected TCP/IP Internet protocol family configuration parameters in some kernel drivers. A vulnerability has been found that would allow a potential attacker to set TCP/IP parameters to cause a denial of service on the vulnerable system.

Reference:
  [60]http://sunsolve.sun.com/sunsolve/secbulletins/security-alert-165.txt

___

Date Reported: 3/11/98
Vulnerability: Sun-rpc.cmsd
Platforms Affected: Solaris (2.3, 2.4, 2.5, 2.5.1)
Risk Factor: High

Sun has found a vulnerability in the database manager rpc.cmsd. It is used as an appointment and resource scheduler with clients such as Calendar Manager in Openwindows, and Calendar in CDE. The vulnerability, if exploited, would allow an attacker to overwrite arbitrary files and gain root level access.

Reference:
  [63]http://sunsolve.sun.com/sunsolve/secbulletins/security-alert-166.txt

___

Date: 3/26/98 (CERT CA-97.21)
Update: SGI-pset
Vendor: Silicon Graphics Inc.
Platforms: IRIX (5.x, 6.0.x, 6.1, 6.2, 6.3)

The pset program is used to display and manage processor set information. It contains a vulnerability that would allow local users to execute arbitrary files as root.

References:
  [66]ftp://sgigate.sgi.com/security/19970506-02-PX
  [67]ftp://info.cert.org/pub/cert_advisories/CA-97.21.sgi_buffer_overflow
  [68]http://ciac.llnl.gov/ciac/bulletins/h-61b.shtml

___

Date: 3/25/98 (CERT CA-97.09)
Update: SGI-imap/pop
Vendor: Silicon Graphics Inc.
Platforms: IMAP4 POP3

The Internet Mail Access Protocol (IMAP) and Post Office Protocol (POP) are programs that provide users with means to process and retrieve mail. A vulnerability exists in these programs that would allow remote users to obtain root access. SGI has investigated these issues and found that IRIX implementations of IMAP and POP are not vulnerable to this problem.

References:
  [71]ftp://sgigate.sgi.com/security/19980302-01-I
  [72]http://ciac.llnl.gov/ciac/bulletins/h-46a.shtml

___

Date: 3/12/98 (ISS Security Alert Summary v1 n8)
Update: FreeBSD-land
Vendor: FreeBSD, Inc.
Platforms: FreeBSD 2.1.*, FreeBSD 2.2.0R, 2.2.1R, 2.2.5R, FreeBSD-stable and FreeBSD-current

A bug called the land attack (named by its discoverer) has been posted to the BUGTRAQ security mailing list. This is an exploit that can lock up or "freeze" many different operating systems, as well as network hardware. An attacker can send a SYN packet, which is normally used to open a connection, to the host they want to attack. The packet is spoofed to appear to the machine that it is coming from itself, from the same port. When the machine tries to respond to itself multiple times, it crashes. Many different operating systems and hardware (such as routers and hubs) have been reported as being vulnerable to this bug. FreeBSD has released patches that correct this problem on the vulnerable FreeBSD systems.

Patch:
  [75]ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-98:01/

References:
  [76]ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-98:01.land.asc
  [77]http://ciac.llnl.gov/ciac/bulletins/i-036.shtml
  [78]http://www.iss.net/xforce/alerts/vol-1_num-8.html

___

Date: 3/12/98 (ISS Security Alert Summary v2 n3)
Update: FreeBSD-mmap
Vendor: FreeBSD, Inc.
Platforms: FreeBSD 2.2.*, FreeBSD-stable and FreeBSD-current before 1998/03/11

The mmap() system call is used to map files to a memory address space. In some 4.4 BSD derived operating systems (such as FreeBSD, NetBSD, OpenBSD, and BSDI), a vulnerability exists within this system call that allows a user of a privileged group (kmem) to become root. This vulnerability also allows a root user to modify the securelevel of a system. This setting normally prevents everyone, even root users, from making some security critical modifications to a normal system. FreeBSD has released patches that correct this issue.

Patch:
  [81]ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-98:02/

References:
  [82]ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-98:02.mmap.asc
  [83]http://ciac.llnl.gov/ciac/bulletins/i-037.shtml

___

Risk Factor Key:

High
  Any vulnerability that provides an attacker with immediate access into a machine, gains superuser access, or bypasses a firewall.
  Example: A vulnerable Sendmail 8.6.5 version that allows an intruder to execute commands on the mail server.

Medium
  Any vulnerability that provides information that has a high potential of giving system access to an intruder.
  Example: A misconfigured TFTP or vulnerable NIS server that allows an intruder to get the password file that could contain an account with a guessable password.

Low
  Any vulnerability that provides information that potentially could lead to a compromise.
  Example: A finger that allows an intruder to find out who is online and potential accounts to attempt to crack passwords via brute-force methods.

___

Internet Security Systems, Inc. (NASDAQ-NMS:ISSX) is the leading provider of adaptive network security monitoring, detection and response software that protects the security and integrity of enterprise information systems. By dynamically detecting and responding to security vulnerabilities and threats inherent in open systems, ISS's SAFEsuite® family of products provides protection across the enterprise, including the Internet, extranets and internal networks, from attacks, misuse and security policy violations. The Company has delivered its network security, monitoring, detection and response solutions to organizations worldwide, including firms in the Global 2000, 9 of the ten largest U.S. commercial banks and over 35 governmental agencies. For more information, call ISS at 770-395-0150 or 800-776-2376 or visit the ISS Web site at [86]http://www.iss.net.

___

Copyright (c) 1998 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert Summary electronically. It is not to be edited in any way without express consent of X-Force. If you wish to reprint the whole or any part of this Alert Summary in any other medium excluding electronic medium, please e-mail [89]xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

X-Force PGP Key available at: [90]http://www.iss.net/xforce/sensitive.html as well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force <xforce@iss.net> of Internet Security Systems, Inc.

References

  1. http://xforce.iss.net/news.php3
  2. http://xforce.iss.net/seriousfun/
  3. http://xforce.iss.net/maillists/
  4. http://xforce.iss.net/library/
  5. http://xforce.iss.net/protoworx/
  6. http://xforce.iss.net/alerts/
  7. http://xforce.iss.net/submission.php3
  8. http://xforce.iss.net/feedback.php3
  9. http://xforce.iss.net/search.php3
  10. http://www.iss.net/xforce
  11. mailto:majordomo@iss.net
  12. http://xforce.iss.net/alerts/vol-2_num-4.php3#list
  13. http://xforce.iss.net/alerts/alerts.php3
  14. http://xforce.iss.net/alerts/vol-2_num-4.php3#SGI-mailcap
  15. http://xforce.iss.net/alerts/vol-2_num-4.php3#SGI-pfdispaly
  16. http://xforce.iss.net/alerts/vol-2_num-4.php3#HP-inetd
  17. http://xforce.iss.net/alerts/vol-2_num-4.php3#Sun-NIS+
  18. http://xforce.iss.net/alerts/vol-2_num-4.php3#AIX-ttdbserver
  19. http://xforce.iss.net/alerts/vol-2_num-4.php3#Ascend-kill2
  20. http://xforce.iss.net/alerts/vol-2_num-4.php3#fraggle
  21. http://xforce.iss.net/alerts/vol-2_num-4.php3#SGI-digitalmedia-tools
  22. http://xforce.iss.net/alerts/vol-2_num-4.php3#Sun-ndd
  23. http://xforce.iss.net/alerts/vol-2_num-4.php3#Sun-rpc.cmsd
  24. http://xforce.iss.net/alerts/vol-2_num-4.php3#SGI-pset
  25. http://xforce.iss.net/alerts/vol-2_num-4.php3#SGI-imap/pop
  26. http://xforce.iss.net/alerts/vol-2_num-4.php3#FreeBSD-iland
  27. http://xforce.iss.net/alerts/vol-2_num-4.php3#FreeBSD-mmap
  28. http://xforce.iss.net/alerts/vol-2_num-4.php3#list
  29. http://xforce.iss.net/alerts/alerts.php3
  30. ftp://sgigate.sgi.com/security/19980403-01-PX
  31. http://www.sgi.com/Support/security
  32. http://xforce.iss.net/alerts/vol-2_num-4.php3#list
  33. http://xforce.iss.net/alerts/alerts.php3
  34. ftp://sgigate.sgi.com/security/19980401-01-P3018
  35. http://www.sgi.com/Support/security
  36. http://xforce.iss.net/alerts/vol-2_num-4.php3#list
  37. http://xforce.iss.net/alerts/alerts.php3
  38. http://us-support.external.hp.com/
  39. http://ciac.llnl.gov/ciac/bulletins/i-039.shtml
  40. http://xforce.iss.net/alerts/vol-2_num-4.php3#list
  41. http://xforce.iss.net/alerts/alerts.php3
  42. ftp://ftp.secnet.com/pub/advisories/SNI-27.NIS+.advisory
  43. http://xforce.iss.net/alerts/vol-2_num-4.php3#list
  44. http://xforce.iss.net/alerts/alerts.php3
  45. http://www.netspace.org/cgi-bin/wa?A2=ind9803c&L=bugtraq&O=T&P=2497
  46. http://xforce.iss.net/alerts/vol-2_num-4.php3#list
  47. http://xforce.iss.net/alerts/alerts.php3
  48. ftp://ftp.secnet.com/pub/advisories/SNI-26.Ascend.advisory
  49. http://ciac.llnl.gov/ciac/bulletins/i-038.shtml
  50. http://xforce.iss.net/alerts/vol-2_num-4.php3#list
  51. http://xforce.iss.net/alerts/alerts.php3
  52. http://www.netspace.org/cgi-bin/wa?A2=ind9803c&L=bugtraq&O=T&P=367
  53. http://xforce.iss.net/alerts/vol-2_num-4.php3#list
  54. http://xforce.iss.net/alerts/alerts.php3
  55. ftp://sgigate.sgi.com/security/19980301-01-PX
  56. http://ciac.llnl.gov/ciac/bulletins/i-035.shtml
  57. http://www.sgi.com/Support/security
  58. http://xforce.iss.net/alerts/vol-2_num-4.php3#list
  59. http://xforce.iss.net/alerts/alerts.php3
  60. http://sunsolve.sun.com/sunsolve/secbulletins/security-alert-165.txt
  61. http://xforce.iss.net/alerts/vol-2_num-4.php3#list
  62. http://xforce.iss.net/alerts/alerts.php3
  63. http://sunsolve.sun.com/sunsolve/secbulletins/security-alert-166.txt
  64. http://xforce.iss.net/alerts/vol-2_num-4.php3#list
  65. http://xforce.iss.net/alerts/alerts.php3
  66. ftp://sgigate.sgi.com/security/19970506-02-PX
  67. ftp://info.cert.org/pub/cert_advisories/CA-97.21.sgi_buffer_overflow
  68. http://ciac.llnl.gov/ciac/bulletins/h-61b.shtml
  69. http://xforce.iss.net/alerts/vol-2_num-4.php3#list
  70. http://xforce.iss.net/alerts/alerts.php3
  71. ftp://sgigate.sgi.com/security/19980302-01-I
  72. http://ciac.llnl.gov/ciac/bulletins/h-46a.shtml
  73. http://xforce.iss.net/alerts/vol-2_num-4.php3#list
  74. http://xforce.iss.net/alerts/alerts.php3
  75. ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-98:01
  76. ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-98:01.land.asc
  77. http://ciac.llnl.gov/ciac/bulletins/i-036.shtml
  78. http://www.iss.net/xforce/alerts/vol-1_num-8.html
  79. http://xforce.iss.net/alerts/vol-2_num-4.php3#list
  80. http://xforce.iss.net/alerts/alerts.php3
  81. ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-98:02
  82. ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-98:02.mmap.asc
  83. http://ciac.llnl.gov/ciac/bulletins/i-037.shtml
  84. http://xforce.iss.net/alerts/vol-2_num-4.php3#list
  85. http://xforce.iss.net/alerts/alerts.php3
  86. http://www.iss.net/
  87. http://xforce.iss.net/alerts/vol-2_num-4.php3#list
  88. http://xforce.iss.net/alerts/alerts.php3
  89. mailto:xforce@iss.net
  90. http://www.iss.net/xforce/sensitive.html
  91. http://xforce.iss.net/news.php3
  92. http://xforce.iss.net/seriousfun/
  93. http://xforce.iss.net/maillists/
  94. http://xforce.iss.net/library/
  95. http://xforce.iss.net/protoworx/
  96. http://xforce.iss.net/alerts/
  97. http://xforce.iss.net/submission.php3
  98. http://xforce.iss.net/feedback.php3
  99. http://xforce.iss.net/search.php3
  100. http://xforce.iss.net/about.php3
  101. http://xforce.iss.net/cgi-bin/getSGIInfo.pl
  102. http://xforce.iss.net/privacy.php3