ISS X-Force

ISS Security Alert Summary
November 6, 1998
Volume 3 Number 2

X-Force Vulnerability and Threat Database: http://www.iss.net/xforce

To receive these Alert Summaries, subscribe to the ISS Alert mailing list.
Send an email to majordomo@iss.net, and within the body of the message type:
'subscribe alert'.

___

Contents

6 Reported Vulnerabilities
 - Solaris-hidden-comm-string
 - HPOV-hidden-SNMP-comm
 - BMC-PATROL-file-create
 - Mac-FWB
 - IBM-automountd
 - SGI-autofsd

1 Update
 - Sun-imapd

Risk Factor Key

___

Date Reported:      11/4/98
Vulnerability:      FreeBSD-ip-frag-dos
Platforms Affected: FreeBSD 3.0
                    FreeBSD-current (before 1998/10/27)
Risk Level:         High

A bug exists in FreeBSD's IP fragment reassembly code that can lead to a
kernel panic. An attacker can send malformed IP packets to the FreeBSD
machine, where the reassembly code assembles them into an invalid UDP
datagram. The invalid UDP datagram causes a kernel panic, and the system
has to be restarted.

Reference:
Security Advisory FreeBSD, Inc: "IP fragmentation denial of service" at:
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-98%3A08.fragment.asc

___

Date Reported:      11/2/98
Vulnerability:      Solaris-hidden-comm-string
Platforms Affected: Solaris 2.6
Risk Level:         High

Internet Security Systems (ISS) X-Force has discovered a serious
vulnerability in Sun Microsystems Solstice Enterprise Agent and the Solaris
operating system. This vulnerability allows attackers to execute arbitrary
commands with root privileges, manipulate system parameters and kill
processes. This vulnerability is present on the Solaris Operating System
version 2.6.
Earlier versions are vulnerable. Solaris 2.7 beta is not vulnerable.

Reference:
ISS Security Advisory: "Hidden community string in SNMP implementation" at:
http://www.iss.net/xforce/alerts/advise11.html

___

Date Reported:      11/2/98
Vulnerability:      HPOV-hidden-SNMP-comm
Platforms Affected: HP-UX (9.x, 10.x)
                    Solaris (2.x)
Risk Level:         Medium

Internet Security Systems (ISS) X-Force has researched a hidden SNMP
community string that exists in HP OpenView. This community may allow
unauthorized access to certain SNMP variables. Attackers may use this hidden
community to learn about network topology as well as modify MIB variables.
This vulnerability is present in HP OpenView Version 5.02. Earlier versions
are believed to be vulnerable. HP-UX 9.X and HP-UX 10.X SNMP agents are
vulnerable if OpenView is installed. OpenView for Solaris 2.X is also
vulnerable. OpenView for Windows NT is not vulnerable.

Reference:
ISS Security Advisory: "Hidden SNMP community in HP OpenView" at:
http://www.iss.net/xforce/alerts/advise12.html

___

Date Reported:      11/2/98
Vulnerability:      BMC-PATROL-file-create
Platforms Affected: PATROL Agent (3.2.3)
Risk Level:         High

Internet Security Systems (ISS) X-Force has discovered a vulnerability in
BMC Software PATROL(r) network management software. PATROL contains a
vulnerability that may allow local attackers to compromise root access. The
agent creates insecure temporary files that may lead to a symbolic link
attack. This vulnerability exists on version 3.2.3 of PATROL Agent(tm)
software product. Earlier versions of PATROL Agent are also vulnerable.

Reference:
ISS Security Advisory: "BMC PATROL File Creation Vulnerability" at:
http://www.iss.net/xforce/alerts/advise10.html

___

Date Reported:      10/30/98
Vulnerability:      Mac-FWB
Platforms Affected: FWB Hard Disk Toolkit 2.5
Risk Level:         Low

The FWB Hard Disk Toolkit for the Apple Macintosh allows users to place a
password on hard drive volumes to protect data. A bug has been found by
L0pht that would allow a malicious user to forcibly replace the FWB driver
with another driver, and access the data on the password protected drive.

Reference:
L0pht Security Advisory: "FWB Hard Disk Toolkit 2.5: Users can bypass hard
disk driver level passwords" at:
http://www.l0pht.com/advisories/fwb.txt

___

Date Reported:      10/16/98
Vulnerability:      IBM-automountd
Platforms Affected: AIX (4.3.x)
Risk Level:         High

The automountd daemon processes requests from the local AutoFS filesystem
kernel extension. A vulnerability in automountd has been found that would
allow an attacker to execute commands as root both locally and remotely.

References:
IBM Emergency Response Service Security Vulnerability Alert: "The automountd
daemon allows local and remote users to become root." at:
http://www.ers.ibm.com/tech-info/advisories/sva/1998/ERS-SVA-E01-1998:004.1.txt

CIAC Information Bulletin: "IBM AIX automountd Vulnerability" at:
http://www.ciac.org/ciac/bulletins/j-014.shtml

___

Date Reported:      10/21/98
Vulnerability:      SGI-autofsd
Platforms Affected: IRIX (6.2, 6.3, 6.4, 6.5)
Risk Level:         High

Autofsd is an RPC server that answers file system mount and umount requests
from the autofs file system. Upon receiving a map argument from a client,
the server will attempt to verify if it is executable. If autofsd determines
the map has an executable flag, the server will append the client's key and
attempt to execute it.
By sending a map name that is executable on the server, and a key beginning
with a semicolon or a newline followed by a command, unprivileged users can
execute arbitrary commands as the superuser.

References:
Repent Security Incorporated: "IRIX autofsd" (RSI.0010.10-21-98.IRIX.AUTOFSD)
at:
http://www.repsec.com/advisory/0010.html

Silicon Graphics Inc. Security Advisory: "Vulnerability in IRIX autofsd" at:
ftp://sgigate.sgi.com/security/19981005-01-A

CIAC Information Bulletin: "SGI IRIX autofsd Vulnerability" at:
http://www.ciac.org/ciac/bulletins/j-013.shtml

___

Date:      10/21/98 (CERT Advisory CA-98.09.imapd)
Update:    Sun-imapd
Vendor:    Sun Microsystems, Inc.
Platforms: Sun Internet Mail Server (2.0, 3.2)

Sun has released patches that correct the IMAP buffer overflow condition
that could allow an attacker to gain root privileges.

References:
CERT* Advisory CA-98.09: "Buffer Overflow in Some Implementations of IMAP
Servers" at:
ftp://info.cert.org/pub/cert_advisories/CA-98.09.imapd

Sun Microsystems, Inc. Security Bulletin: "IMAP" at:
http://sunsolve.Sun.COM/pub-cgi/us/sec2html?secbull/177

___

Risk Factor Key:

High    Any vulnerability that provides an attacker with immediate access
        into a machine, gains superuser access, or bypasses a firewall.
        Example: A vulnerable Sendmail 8.6.5 version that allows an
        intruder to execute commands on mail server.

Medium  Any vulnerability that provides information that has a high
        potential of giving system access to an intruder.
        Example: A misconfigured TFTP or vulnerable NIS server that allows
        an intruder to get the password file that could contain an account
        with a guessable password.

Low     Any vulnerability that provides information that potentially could
        lead to a compromise.
        Example: A finger that allows an intruder to find out who is online
        and potential accounts to attempt to crack passwords via brute
        force methods.

Internet Security Systems, Inc. is the leading provider of adaptive network
security monitoring, detection and response software that protects the
security and integrity of enterprise information systems. By dynamically
detecting and responding to security vulnerabilities and threats inherent in
open systems, ISS's SAFEsuite family of products provides protection across
the enterprise, including the Internet, extranets, and internal networks,
from attacks, misuse and security policy violations. The Company has
delivered its adaptive network security solutions to organizations
worldwide, including firms in the Global 2000, 9 of the ten largest U.S.
commercial banks and over 35 governmental agencies. For more information,
call ISS at 678-443-6000 or 800-776-2362 or visit the ISS Web site at
http://www.iss.net.

___

Copyright (c) 1998 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert Summary
electronically. It is not to be edited in any way without express consent of
the X-Force. If you wish to reprint the whole or any part of this Alert
Summary in any other medium excluding electronic medium, please email
xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.

X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html as
well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to:
X-Force <xforce@iss.net> of Internet Security Systems, Inc.