From xforce@iss.net Fri Apr 2 22:41:24 1999
From: X-Force
To: alert@iss.net
Cc: X-Force
Date: Fri, 2 Apr 1999 17:31:55 -0500 (EST)
Subject: ISSalert: ISS Security Alert Summary v3 n8

Join us for a free half-day briefing on "Securing the Enterprise for E-Commerce". See http://www.iss.net/press_rel/seminars/ecommerce/ for details.

ISS Security Alert Summary
April 1, 1999
Volume 3 Number 8

X-Force Vulnerability and Threat Database: http://www.iss.net/xforce

To receive these Alert Summaries, subscribe to the ISS Alert mailing list. Send an email to majordomo@iss.net, and within the body of the message type: 'subscribe alert'.

_____

Contents

20 Reported Vulnerabilities
- hp-desms-servers
- hp-serviceguard
- xfree86-temp-directories
- java-unverified-code
- pws-file-access
- cisco-catalyst-crash
- hp-ftp
- linux-zerolength-fragment
- openbsd-poll-crash
- ssl-session-reuse
- openbsd-tss-panic
- eudora-long-attachments
- hp-hpterm
- netbsd-mount
- netscape-talkback-kill
- netscape-talkback-overwrite
- linux-slackware-install
- netbsd-umapfs
- http-img-overflow
- ldap-mds-bo

Melissa Virus Summary
Risk Factor Key

_____

Date Reported: 1999-03-30
Vulnerability: hp-desms-servers
Platforms Affected: HPUX (10.20, 11.00)
Risk Factor: High

Some applications for HP-UX may cause extra Domain Enterprise Server Management System (DESMS) processes to be run in the background. A vulnerability in these servers could allow a user to gain elevated privileges.
Reference: HP Security Bulletin HPSBUX9903-095: "Security Vulnerability with DESMS" at: http://us-support.external.hp.com

_____

Date Reported: 1999-03-30
Vulnerability: hp-serviceguard
Platforms Affected: HPUX (10.00, 10.01, 10.10, 10.20, 11.00)
Risk Factor: High

The HP-UX programs MC/ServiceGuard and MC/LockManager contain an implementation flaw in how they handle reduced SAM functionality, which could allow users to gain elevated privileges.

Reference: HP Security Bulletin HPSBUX9903-096: "Security Vulnerability in MC/ServiceGuard & MC/LockManager" at: http://us-support.external.hp.com

_____

Date Reported: 1999-03-28
Vulnerability: xfree86-temp-directories
Platforms Affected: X11
Risk Factor: High

A vulnerability exists in the XFree86 X11 environment through version 3.3.3 which could allow local attackers to gain elevated privileges. A flaw in how the package handles temporary directories could allow an attacker to manipulate the program into changing the permissions on arbitrary directories to a world-writable state, which could eventually lead to root privileges.

Reference: SuSE Security Announcement: "unix operating systems using xfree86" at: http://www.suse.de/security/announcements/suse-security-announce-3.txt

_____

Date Reported: 1999-03-26
Vulnerability: java-unverified-code
Platforms Affected: Java
Risk Factor: High

An implementation flaw in the Java Development Kit (JDK) could allow unverified code from an untrusted applet to be executed. This bug could allow any number of malicious actions to be performed on vulnerable machines. This bug is present in JDK 1.1.x, the Java 2 implementations, and all applications using the above systems.
Reference: Sun Microsystems, Inc: "Java Security" at: http://java.sun.com/security/

_____

Date Reported: 1999-03-26
Vulnerability: pws-file-access
Platforms Affected: Microsoft Personal Web Server (4.0), FrontPage Personal Web Server
Risk Factor: Medium

A vulnerability has been discovered in the file access protocols of the Microsoft Personal Web Server and FrontPage PWS that could allow arbitrary files to be remotely read. The attacker is required to have prior knowledge of file names to exploit this vulnerability, which does not yield any privileges other than read access.

References:
Microsoft Security Bulletin (MS99-010): "Patch Available for File Access Vulnerability in Personal Web Server" at: http://www.microsoft.com/security/bulletins/ms99-010.asp
Microsoft Knowledgebase Article ID: Q216453: "FP98: Security Patch for FrontPage Personal Web Server" at: http://support.microsoft.com/support/kb/articles/q216/4/53.asp
Microsoft Knowledgebase Article ID: Q217765: "FP97: Security Patch for FrontPage Personal Web Server" at: http://support.microsoft.com/support/kb/articles/q217/7/65.asp
Microsoft Knowledgebase Article ID: Q217763: "File Access Vulnerability in Personal Web Server" at: http://support.microsoft.com/support/kb/articles/q217/7/63.asp

_____

Date Reported: 1999-03-24
Vulnerability: cisco-catalyst-crash
Platforms Affected: Cisco
Risk Factor: Medium

A vulnerability exists in some versions of the Cisco Catalyst switch firmware code which could allow a remote attacker to cause the device to stop functioning and reload. This flaw has been identified in some of the Catalyst 5xxx, 29xx and 12xx models of this hardware.
References:
ISS Security Advisory: "Remote Denial of Service Vulnerability in Cisco Catalyst Series Ethernet Switches" at: http://www.iss.net/xforce/alerts/advise24.html
Cisco Field Notice: "Cisco Catalyst Supervisor Remote Reload" at: http://www.cisco.com/warp/public/770/cat7161-pub.shtml

_____

Date Reported: 1999-03-24
Vulnerability: hp-ftp
Platforms Affected: HPUX (11.00)
Risk Factor: High

A vulnerability in the 'ftp' program distributed with HP-UX 11.0 could cause a local user to be granted unauthorized increased privileges on the system.

Reference: HP Security Bulletin HPSBUX9903-094: "Security Vulnerability with ftp on HP-UX 11.00" at: http://us-support.external.hp.com

_____

Date Reported: 1999-03-24
Vulnerability: linux-zerolength-fragment
Platforms Affected: Linux
Risk Factor: Medium

A flaw in the packet fragment reassembly code in Linux kernels 2.1.89 through 2.2.3 could allow a remote attacker to cause the machine to lose network connectivity. Exploiting the vulnerability requires sending many packets, so a successful attack could take several minutes to launch.

Reference: BUGTRAQ Mailing List: "DoS for Linux 2.1.89 - 2.2.3: 0 length fragment bug" at: http://www.netspace.org/cgi-bin/wa?A2=ind9903d&L=bugtraq&F=&S=&P=623

_____

Date Reported: 1999-03-22
Vulnerability: openbsd-poll-crash
Platforms Affected: OpenBSD (2.4)
Risk Factor: Medium

The nfds parameter to the poll(2) system call under OpenBSD can be used to deplete available kernel memory and eventually crash the system.

Reference: The OpenBSD Project: "OpenBSD release errata" at: http://www.openbsd.org/errata.html#poll

_____

Date Reported: 1999-03-22
Vulnerability: ssl-session-reuse
Platforms Affected: OpenSSL, SSLeay
Risk Factor:

A possible security vulnerability has been identified in the OpenSSL and SSLeay implementation of the Secure Sockets Layer (SSL) protocol. Under some circumstances, SSL sessions can be reused in a different context from their original one.
This usage may allow access controls based on client certificates to be bypassed.

Reference: BUGTRAQ Mailing List: "OpenSSL/SSLeay Security Alert" at: http://www.netspace.org/cgi-bin/wa?A2=ind9903d&L=bugtraq&F=&S=&P=65

_____

Date Reported: 1999-03-21
Vulnerability: openbsd-tss-panic
Platforms Affected: OpenBSD (2.4)
Risk Factor: Medium

A bug in the OpenBSD kernel TSS signal handling code could allow a malicious local user to cause the system to panic and crash.

Reference: The OpenBSD Project: "OpenBSD release errata" at: http://www.openbsd.org/errata.html#tss

_____

Date Reported: 1999-03-20
Vulnerability: eudora-long-attachments
Platforms Affected: Eudora
Risk Factor: High

A vulnerability exists in Eudora through version 4.2 Beta which could allow a remote attacker to crash the program and possibly execute code under the permissions of the program. Eudora will crash if it receives an attachment with a filename that is longer than Windows can handle.

Reference: BUGTRAQ Mailing List: "Eudora Attachment Buffer Overflow" at: http://www.netspace.org/cgi-bin/wa?A2=ind9903c&L=bugtraq&F=&S=&P=3519

_____

Date Reported: 1999-03-18
Vulnerability: hp-hpterm
Platforms Affected: HPUX (10.20)
Risk Factor: High

A vulnerability was introduced with the HP patch PHSS_13560. The problem introduced was a library access problem with hpterm, the X Windows terminal emulator. If this bug is exploited, it can increase the privileges of the attacker.

Reference: HP Security Bulletin HPSBUX9903-093: "Security Vulnerability with hpterm on HP-UX 10.20" at: http://us-support.external.hp.com

_____

Date Reported: 1999-03-18
Vulnerability: netbsd-mount
Platforms Affected: NetBSD (1.3.3)
Risk Factor: Medium

A flaw in the mount(2) system call of NetBSD 1.3.3 and prior could allow a non-root user to mount a partition labeled with the 'noexec' flag with execute permission. This flaw allows the user to execute arbitrary programs on that partition.
Reference: NetBSD Security Advisory 1999-007: "noexec mount flag is not properly handled by non-root mount" at: ftp://ftp.netbsd.org/pub/NetBSD/misc/security/advisories/NetBSD-SA1999-007.txt.asc

_____

Date Reported: 1999-03-18
Vulnerability: netscape-talkback-kill
Platforms Affected: Netscape Communicator (4.5)
Risk Factor: Low

A vulnerability has been discovered in the "talkback" addon for Netscape Communicator 4.5. The hole could allow a malicious local user to cause the program to kill an arbitrary process owned by the user whose Netscape session crashes.

Reference: SuSE Security Announcement: "unix operating systems using netscape communicator 4.5" at: http://www.suse.de/security/announcements/suse-security-announce-2.txt

_____

Date Reported: 1999-03-18
Vulnerability: netscape-talkback-overwrite
Platforms Affected: Netscape Communicator (4.5)
Risk Factor: Low

A vulnerability exists in the "talkback" addon distributed with some versions of Netscape Communicator. The talkback program fails to check whether temporary files are actually links, and as such can be manipulated to create or overwrite arbitrary files owned by the person invoking the Netscape program.

Reference: SuSE Security Announcement: "unix operating systems using netscape communicator 4.5" at: http://www.suse.de/security/announcements/suse-security-announce-2.txt

_____

Date Reported: 1999-03-17
Vulnerability: linux-slackware-install
Platforms Affected: Linux Slackware
Risk Factor: High

A vulnerability exists in the network installation of Slackware Linux systems through version 3.6. During a network install there may be a period of time when the root password is left blank and interactive logins from the network are available, in which case an attacker can log in to the machine without supplying a root password.
Reference: ISS Security Advisory: "Short-Term High-Risk Vulnerability During Slackware 3.6 Network Installations" at: http://www.iss.net/xforce/alerts/advise23.html

_____

Date Reported: 1999-03-17
Vulnerability: netbsd-umapfs
Platforms Affected: NetBSD (1.3.3)
Risk Factor: High

A vulnerability has been found in NetBSD's umapfs virtual file system that would allow a local attacker to remap their userid to any other user on the system, including root.

Reference: NetBSD Security Advisory 1999-006: "Security hole in umapfs" at: ftp://ftp.netbsd.org/pub/NetBSD/misc/security/advisories/NetBSD-SA1999-006.txt.asc

_____

Date Reported: 1999-03-16
Vulnerability: http-img-overflow
Platforms Affected: Lynx Browser, Internet Explorer
Risk Factor: Medium

A flaw in various browsers, namely Lynx and Internet Explorer, allows a web page containing an IMG tag with a width parameter set to an abnormally long value to crash the browser. It is not believed that this flaw can lead to any type of access being compromised on victim machines.

Reference: BUGTRAQ Mailing List: "Lynx 2.8 overflow" at: http://www.netspace.org/cgi-bin/wa?A2=ind9903c&L=bugtraq&F=&S=&P=1168

_____

Date Reported: 1999-03-15
Vulnerability: ldap-mds-bo
Platforms Affected: Microsoft Exchange (5.5)
Risk Factor: High

ISS X-Force has discovered a buffer overflow exploit against Microsoft Exchange's LDAP (Lightweight Directory Access Protocol) server, which allows read access to the Exchange server directory by using an LDAP client. This buffer overflow consists of a malformed bind request that overflows the buffer and can execute arbitrary code. This attack can also cause the Exchange LDAP service to crash. This vulnerability exists in Microsoft Exchange Server version 5.5.
Reference: ISS Security Advisory: "LDAP Buffer overflow against Microsoft Directory Services" at: http://www.iss.net/xforce/alerts/advise22.html

_____

Date Reported: 1999-03-26
Vulnerability: melissa-macro-virus
Platforms Affected: Microsoft Word 97
Risk Factor: Medium

A simple macro virus designed for Microsoft Word 97, known as "Melissa", has become widely disseminated and has caused widespread E-mail system failures and other problems. This virus is unique in that it is both network-enabled and functions more like a worm than a virus, using each infected system to launch attacks on other users.

Reference: CERT Advisory CA-99-04: "Melissa Macro Virus" at: http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html

_____

Risk Factor Key:

High: Any vulnerability that provides an attacker with immediate access into a machine, gains superuser access, or bypasses a firewall. Example: A vulnerable Sendmail 8.6.5 version that allows an intruder to execute commands on the mail server.

Medium: Any vulnerability that provides information that has a high potential of giving system access to an intruder. Example: A misconfigured TFTP or vulnerable NIS server that allows an intruder to get the password file, which could contain an account with a guessable password.

Low: Any vulnerability that provides information that potentially could lead to a compromise. Example: A finger service that allows an intruder to find out who is online and potential accounts to attempt to crack passwords via brute force methods.

Internet Security Systems, Inc. (ISS) is the leading provider of adaptive network security monitoring, detection and response software that protects the security and integrity of enterprise information systems.
By dynamically detecting and responding to security vulnerabilities and threats inherent in open systems, ISS's SAFEsuite family of products provides protection across the enterprise, including the Internet, extranets, and internal networks, from attacks, misuse, and security policy violations. ISS has delivered its adaptive network security solutions to organizations worldwide, including firms in the Global 2000, nine of the ten largest U.S. commercial banks and over 35 governmental agencies. For more information, call ISS at 678-443-6000 or 800-776-2362 or visit the ISS Web site at http://www.iss.net.

________

Copyright (c) 1999 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert Summary electronically. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Alert Summary in any other medium excluding electronic medium, please e-mail xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html as well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force of Internet Security Systems, Inc.