From xforce@iss.net Tue Apr 20 18:46:13 1999
From: X-Force
To: alert@iss.net
Cc: X-Force
Date: Mon, 19 Apr 1999 16:14:14 -0400 (EDT)
Subject: ISSalert: ISS Security Alert Summary v3 n9

TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to majordomo@iss.net
Contact alert-owner@iss.net for help with any problems!
---------------------------------------------------------------------------

ISS Security Alert Summary
April 15, 1999
Volume 3 Number 9

X-Force Vulnerability and Threat Database: http://www.iss.net/xforce

To receive these Alert Summaries, subscribe to the ISS Alert mailing list. Send an email to majordomo@iss.net, and within the body of the message type: 'subscribe alert'.

_____

Contents

19 Reported Vulnerabilities
- default-flowpoint
- ucd-snmpd-community
- cisco-natacl-leakage
- mpeix-debug
- netbsd-vfslocking-panic
- bmc-patrol-frames
- bmc-patrol-replay
- http-cgi-webcom-guestbook
- ie-scriplet-fileread
- ie-window-spoof
- winroute-config
- netcache-snmp
- rsync-permissions
- wingate-redirector-dos
- wingate-registry-passwords
- sco-termvision-password
- webramp-device-crash
- webramp-ipchange
- xylan-omniswitch-ftp
- xylan-omniswitch-login

Risk Factor Key

_____

Date Reported: 1999-04-14
Vulnerability: default-flowpoint
Platforms Affected: Flowpoint
Risk Factor: High

Flowpoint DSL routers by default ship with either no administrator password or the password 'admin'. This could allow a remote attacker to gain complete administrative control over these devices.
References:
BUGTRAQ Mailing List: "FlowPoint 2000 DSL Routers" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9808B&L=bugtraq&P=R6856
BUGTRAQ Mailing List: "FlowPoint ADSL Reported Problem" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9904C&L=bugtraq&P=R994

_____

Date Reported: 1999-04-13
Vulnerability: cisco-natacl-leakage
Platforms Affected: Cisco
Risk Factor: High

A flaw in the interaction between network address translation (NAT) and access control lists in some 12.0-based versions of IOS could cause packets to be erroneously leaked through the ACL. This could expose networks and machines normally protected by access rules to outside attack.

Reference:
Cisco Field Notice: "Cisco IOS(R) Software Input Access List Leakage with NAT" at:
http://www.cisco.com/warp/public/770/iosnatacl-pub.shtml

_____

Date Reported: 1999-04-13
Vulnerability: mpeix-debug
Platforms Affected: MPE/iX
Risk Factor: High

A vulnerability in the debug utility on the MPE/iX operating system can allow local users to gain elevated privileges.

Reference:
HP Security Bulletin HPSBMP9904-006: "Security Vulnerability in MPE/iX debug" at:
http://us-support.external.hp.com

_____

Date Reported: 1999-04-13
Vulnerability: netbsd-vfslocking-panic
Platforms Affected: NetBSD (1.3.1, 1.3.2, 1.3.3)
Risk Factor: Medium

A problem within the virtual filesystem (VFS) file locking code on NetBSD systems could allow a local, non-privileged user to cause the system to hang or crash.

Reference:
NetBSD Security Advisory 1999-008: "Kernel hang or panic in name lookup under certain circumstances" at:
ftp://ftp.netbsd.org/pub/NetBSD/misc/security/advisories/NetBSD-SA1999-008.txt.asc

_____

Date Reported: 1999-04-09
Vulnerability: bmc-patrol-frames
Platforms Affected: PATROL Agent (3.2.3)
Risk Factor: Medium

A weakness in the algorithm used to seal Patrol frames as they are exchanged could allow a spoofing system to be trivially created. This could allow unauthorized access to the agent.
Reference:
BUGTRAQ Mailing List: "Patrol security bugs" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9904b&L=bugtraq&F=&S=&P=3253

_____

Date Reported: 1999-04-09
Vulnerability: bmc-patrol-replay
Platforms Affected: PATROL Agent (3.2.3)
Risk Factor: Medium

The system used to authenticate users with the Patrol agent is susceptible to session replay attacks. An attacker can capture the encrypted password sent to the agent, later replay that information, and be granted access.

Reference:
BUGTRAQ Mailing List: "Patrol security bugs" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9904b&L=bugtraq&F=&S=&P=3253

_____

Date Reported: 1999-04-09
Vulnerability: http-cgi-webcom-guestbook
Platforms Affected: Common Gateway Interface (CGI)
Risk Factor: Medium

The wguest.exe and rguest.exe programs are distributed with the WebCom Guestbook CGI package. Remote attackers can view any file on the system that the anonymous Internet user account has read access to. The attacker must have prior knowledge of the file's name to exploit this vulnerability.

Reference:
NTBUGTRAQ Mailing List: "Webcom's CGI Guestbook for Win32 web servers" at:
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9904&L=ntbugtraq&F=P&S=&P=2194

_____

Date Reported: 1999-04-09
Vulnerability: ie-scriplet-fileread
Platforms Affected: Internet Explorer
Risk Factor: Medium

A problem in at least Internet Explorer 5.0's scriptlet component allows a content provider to read files on the browser's file system. The malicious site would have to have prior knowledge of the file's name to retrieve it, as file listings are not possible.
Reference:
BUGTRAQ Mailing List: "IE 5.0 security vulnerabilities - %01 bug again" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9904b&L=bugtraq&F=&S=&P=1504

_____

Date Reported: 1999-04-09
Vulnerability: ie-window-spoof
Platforms Affected: Internet Explorer
Risk Factor: High

A vulnerability exists in at least Internet Explorer 5.0 which allows a malicious user to present a web page that appears to be that of a legitimate, trusted site but which in fact contains content from the malicious user. This page could be used to capture sensitive information from a user who believes it is actually being requested by the trusted site.

Reference:
BUGTRAQ Mailing List: "IE 5.0 security vulnerabilities - %01 bug again" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9904b&L=bugtraq&F=&S=&P=1504

_____

Date Reported: 1999-04-09
Vulnerability: netware-remotenlm-passwords
Platforms Affected: Novell NetWare (4.0)
Risk Factor: High

The password encryption algorithm implemented in Novell's Remote.NLM is very weak and trivially decrypted. This could expose the passwords of accounts to attackers who have access to the stored encrypted passwords.

Reference:
BUGTRAQ Mailing List: "New Novell Remote.NLM Password Decryption Algorithm with Exploit" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9904B&L=bugtraq&P=R1516

_____

Date Reported: 1999-04-09
Vulnerability: winroute-config
Platforms Affected: WinRoute
Risk Factor: High

The procedure used to authenticate users for access to the admin configuration menu on WinRoute servers contains a flaw that allows users to bypass the authentication and gain direct access. This access could be used to change the configuration of the proxy remotely.

Reference:
BUGTRAQ Mailing List: "Bug in Winroute 3.04g" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9904B&L=bugtraq&P=R1283

_____

Date Reported: 1999-04-07
Vulnerability: netcache-snmp
Platforms Affected: SNMP NetCache
Risk Factor: Medium

Network Appliance's NetCache software ships with an SNMP community string of 'public'.
When users try to reconfigure this string via the web interface, the new string is only added to the list of valid strings; the 'public' community string is not deleted. This could lead administrators to incorrectly believe the public string has been disabled.

Reference:
BUGTRAQ Mailing List: "Netcache snmp behaviour" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9904A&L=bugtraq&P=R4014

_____

Date Reported: 1999-04-07
Vulnerability: rsync-permissions
Platforms Affected: Unix
Risk Factor: Medium

A vulnerability in some versions of the rsync client could allow the permissions of a transmitted empty directory to be applied to the local working directory of the client machine. This could cause the permissions of sensitive directories to be modified to an insecure state.

Reference:
BUGTRAQ Mailing List: "rsync 2.3.1 release - security fix" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9904A&L=bugtraq&P=R3834

_____

Date Reported: 1999-04-05
Vulnerability: apache-debian-usrdoc
Platforms Affected: Apache, Linux (Debian)
Risk Factor: Low

By default, the Apache configuration under Debian Linux aliases the '/usr/doc' directory to '/doc/' in the ServerRoot. This could allow a remote user to view the documentation files on the machine, which may reveal information about the versions of software packages installed on the machine.

Reference:
BUGTRAQ Mailing List: "An issue with Apache on Debian" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9904a&L=bugtraq&F=&S=&P=2822

_____

Date Reported: 1999-04-05
Vulnerability: icq-webserver-read
Platforms Affected: ICQ
Risk Factor: Medium

A vulnerability exists in how the ICQ personal web server offers files that could allow a remote attacker to access any file on the local system of a vulnerable host.
Reference:
BUGTRAQ Mailing List: "security hole in ICQ-Webserver" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9904a&L=bugtraq&F=&S=&P=3795

_____

Date Reported: 1999-04-05
Vulnerability: procmail-overflow
Platforms Affected: procmail
Risk Factor: High

A number of buffer overflows have been discovered in the configuration file processing of the Procmail package. These vulnerabilities may allow users to execute arbitrary code with elevated privileges. Under some circumstances, this vulnerability could be exploited from remote locations.

Reference:
BUGTRAQ Mailing List: "Re: [SECURITY] new version of procmail with security fixes" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9904a&L=bugtraq&D=0&P=2003

_____

Date Reported: 1999-04-05
Vulnerability: procmail-race
Platforms Affected: procmail
Risk Factor: Medium

A race condition within the portion of Procmail that reads a user's configuration files could allow non-privileged users to read arbitrary files on the system that they would normally not have access to.

Reference:
BUGTRAQ Mailing List: "More procmail" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9904a&L=bugtraq&F=&S=&P=4470

_____

Date Reported: 1999-04-05
Vulnerability: wingate-redirector-dos
Platforms Affected: WinGate
Risk Factor: Medium

A buffer overflow exists in the Winsock Redirector Service (TCP 2080) which, when exploited, allows a remote attacker to crash that service and all other WinGate services. It has not been shown to be possible to use this hole to execute arbitrary code on the vulnerable machine.

Reference:
BUGTRAQ Mailing List: "Multiple WinGate Vulnerabilities[Tad late]" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9904a&L=bugtraq&F=&S=&P=3201

_____

Date Reported: 1999-04-05
Vulnerability: wingate-registry-passwords
Platforms Affected: WinGate
Risk Factor: Medium

WinGate stores passwords by default in a system registry key with world-readable permissions.
Combined with the weak encryption used to protect these passwords, it is trivial for an attacker with access to the WinGate server to recover them.

Reference:
BUGTRAQ Mailing List: "Multiple WinGate Vulnerabilities[Tad late]" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9904a&L=bugtraq&F=&S=&P=3201

_____

Date Reported: 1999-03-31
Vulnerability: sco-termvision-password
Platforms Affected: SCO TermVision
Risk Factor: Low

TermVision is a Windows application for connecting to and using SCO OpenServer machines. The TermVision program by default stores users' passwords in an insecure form within a file on the local machine. Login access is required for a malicious user to obtain this encrypted password, but once that access is gained, decrypting the password is trivial.

Reference:
BUGTRAQ Mailing List: "Potential vulnerability in SCO TermVision Windows 95 client" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9903e&L=bugtraq&F=&S=&P=6124

_____

Date Reported: 1999-03-31
Vulnerability: webramp-device-crash
Platforms Affected: WebRamp
Risk Factor: Medium

The WebRamp series of network devices by Ramp Networks allows small networks to cost-effectively access the Internet through dial-up lines. A flaw in how the WebRamp's internal HTTP server handles certain requests could allow an attacker to cause the device to crash, requiring a manual reset to return the device to service.

Reference:
ISS Security Advisory: "WebRamp Denial of Service Attacks" at:
http://www.iss.net/xforce/alerts/advise25.html

_____

Date Reported: 1999-03-31
Vulnerability: webramp-ipchange
Platforms Affected: WebRamp
Risk Factor: Medium

The WebRamp series of network devices by Ramp Networks allows small networks to cost-effectively access the Internet through dial-up lines. By sending a specially formed packet to port 5353 on the router, it has been shown to be possible to change the device's IP address to an arbitrary value.
While network connectivity is not lost within the device, all configurations that point to the old address will no longer be able to reach the router.

Reference:
ISS Security Advisory: "WebRamp Denial of Service Attacks" at:
http://www.iss.net/xforce/alerts/advise25.html

_____

Date Reported: 1999-03-31
Vulnerability: xylan-omniswitch-ftp
Platforms Affected: Xylan OmniSwitch
Risk Factor: Medium

Some Xylan OmniSwitches allow remote users to access the device via FTP and gain read (and write) access to flash memory. Some of the accessible files may be sensitive in nature, e.g., they may contain SNMP community name strings.

Reference:
BUGTRAQ Mailing List: "Xylan OmniSwitch 'features'" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9904a&L=bugtraq&F=&S=&P=185

_____

Date Reported: 1999-03-31
Vulnerability: xylan-omniswitch-login
Platforms Affected: Xylan OmniSwitch
Risk Factor: Low

Some Xylan OmniSwitches have been observed to allow logins via telnet by users entering an arbitrary username and then a control character sequence at the password prompt. The access gained through this "feature" does not allow the attacker to issue any administrative commands to the switch, but it does allow the attacker to deny further interactive logins to the device.

Reference:
BUGTRAQ Mailing List: "Xylan OmniSwitch 'features'" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9904a&L=bugtraq&F=&S=&P=185

_____

Risk Factor Key:

High
Any vulnerability that provides an attacker with immediate access into a machine, gains superuser access, or bypasses a firewall.
Example: A vulnerable Sendmail 8.6.5 version that allows an intruder to execute commands on the mail server.

Medium
Any vulnerability that provides information that has a high potential of giving system access to an intruder.
Example: A misconfigured TFTP or vulnerable NIS server that allows an intruder to get the password file, which could contain an account with a guessable password.
Low
Any vulnerability that provides information that potentially could lead to a compromise.
Example: A finger service that allows an intruder to find out who is online and which accounts might be attacked by brute-force password guessing.

Internet Security Systems, Inc. (ISS) is the leading provider of adaptive network security monitoring, detection and response software that protects the security and integrity of enterprise information systems. By dynamically detecting and responding to security vulnerabilities and threats inherent in open systems, ISS's SAFEsuite family of products provides protection across the enterprise, including the Internet, extranets, and internal networks, from attacks, misuse, and security policy violations. ISS has delivered its adaptive network security solutions to organizations worldwide, including firms in the Global 2000, nine of the ten largest U.S. commercial banks and over 35 governmental agencies. For more information, call ISS at 678-443-6000 or 800-776-2362 or visit the ISS Web site at http://www.iss.net.

________

Copyright (c) 1999 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert Summary electronically. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Alert Summary in any other medium excluding electronic medium, please e-mail xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html as well as on MIT's PGP key server and PGP.com's key server.
Please send suggestions, updates, and comments to: X-Force of Internet Security Systems, Inc.