From xforce@iss.net Sat Jul 3 18:04:40 1999
From: X-Force
To: alert@iss.net
Cc: X-Force
Date: Sat, 3 Jul 1999 11:22:08 -0400 (EDT)
Subject: ISSalert: ISS Security Alert Summary: v4 n3

ISS Security Alert Summary
July 1, 1999
Volume 4 Number 3

X-Force Vulnerability and Threat Database: http://www.iss.net/xforce

To receive these Alert Summaries, subscribe to the ISS Alert mailing list.
Send an email to majordomo@iss.net, and within the body of the message type:
'subscribe alert'.

_____

Contents

8 Reported Vulnerabilities
- webtrends-bad-perms
- hp-visualize-conference-ftp
- accelx-bo
- linux-vmware-buffer-overflows
- iis-double-byte-code-page
- eastman-cleartext-passwords
- msrpc-lsa-lookupnames-dos
- nt-csrss-dos

Risk Factor Key

_____

Date Reported: 1999-06-29
Vulnerability: webtrends-bad-perms
Platforms Affected: WebTrends
Risk Factor: High
Attack Type: Network Based

X-Force has discovered a security hole in many WebTrends products that
allows access to service account and MAPI usernames and passwords. WebTrends
specializes in providing enterprise management solutions software. The
vulnerability only applies to systems using the MAPI and NT service features
in the following or earlier versions of the applications currently
identified as vulnerable by ISS X-Force: WebTrends for Firewalls v1.2,
WebTrends Security Analyzer v2.0, WebTrends Professional Suite v3.01,
WebTrends Log Analyzer v4.51, and WebTrends Enterprise Suite v3.5. All
applications run on the Windows NT platform.

Reference:
ISS Security Advisory: "Bad Permissions on Passwords Stored by WebTrends
Software" at: http://xforce.iss.net/alerts/advise29.php3

_____

Date Reported: 1999-06-29
Vulnerability: hp-visualize-conference-ftp
Platforms Affected: HPUX (10.20)
Risk Factor: High
Attack Type: Network Based

HP Visualize Conference FTP allows users of conferences to push a file to
all participants. It contains a bug that could allow a remote user to crash
the machine, or gain unauthorized access.

Reference:
HEWLETT-PACKARD COMPANY SECURITY BULLETIN: #00099: "Security Vulnerability
HP Visualize Conference" at: http://us-support.external.hp.com/

_____

Date Reported: 1999-06-25
Vulnerability: accelx-bo
Platforms Affected: Accelerated-X Server (4.x, 5.x)
Risk Factor: High
Attack Type: Host Based

AcceleratedX is a commercial X11 server produced by Xi Graphics, Inc. In its
default configuration, the server is installed with root privileges so it
can acquire system resources available only to the superuser. A buffer
overflow in the 5.x and 4.x versions of AccelX's handling of the display
command line option could allow a local attacker to compromise root
privileges.

Reference:
KSR[T] Advisory #011: "accelx-bo-011" at: http://www.ksrt.org/adv11.html

_____

Date Reported: 1999-06-25
Vulnerability: linux-vmware-buffer-overflows
Platforms Affected: VMware for Linux
Risk Factor: High
Attack Type: Host Based

VMware is a software that creates a virtual machine that allows the user to
install multiple operating systems without partitioning the hard drive for
such. It contains multiple buffer overflows that would allow a local user to
obtain root level access.

Reference:
Team Asylum Security Advisory: "VMware" at:
http://www.cyberspace2000.com/security/advisories/files/06-21-99-vmware.txt

_____

Date Reported: 1999-06-24
Vulnerability: iis-double-byte-code-page
Platforms Affected: IIS (3.0, 4.0)
Risk Factor: Medium
Attack Type: Network Based

Microsoft's Internet Information Server (IIS) when run on a machine that
uses a double-byte character set code page (i.e. Korean, Chinese, or
Japanese as the default language) could allow a remote attacker to issue
server requests, which could return the source code to certain files,
bypassing all server side processing.

Reference:
Microsoft Security Bulletin (MS99-022): "Patch Available for 'Double Byte
Code Page' Vulnerability" at:
http://www.microsoft.com/security/bulletins/ms99-022.asp

_____

Date Reported: 1999-06-24
Vulnerability: eastman-cleartext-passwords
Platforms Affected: Eastman Software's Work Management 3.21 for NT
Risk Factor: High
Attack Type: Host Based

Eastman Software's Work Management 3.21 for Windows NT stores passwords in
the COMMON and LOCATOR registry keys. This would allow any local user to
gain access to the program.

Reference:
NTBUGTRAQ Mailing List: "Eastman Software Work Management 3.21" at:
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9906&L=ntbugtraq&F=P&S=&P=9113

_____

Date Reported: 1999-06-23
Vulnerability: msrpc-lsa-lookupnames-dos
Platforms Affected: Windows NT
Risk Factor: Medium
Attack Type: Network/Host Based

A potentially serious denial of service attack on the Windows NT Local
Security Authority (LSA) service has been identified. This hole could allow
a remote attacker to crash this service by making a malformed request to
LsaLookupNames. In most cases, the system will have to be rebooted to regain
normal functionality.

Reference:
Microsoft Security Bulletin MS99-020: "Patch Available for 'Malformed LSA
Request' Vulnerability" at:
http://support.microsoft.com/support/kb/articles/q231/4/57.asp

_____

Date Reported: 1999-06-23
Vulnerability: nt-csrss-dos
Platforms Affected: Windows NT
Risk Factor: Medium
Attack Type: Network/Host Based

The Microsoft Windows NT CSRSS.EXE service can be used to launch a denial of
service attack against hosts accepting interactive logins. When all worker
threads within the CSRSS service are awaiting user input, no new connections
can be made, effectively hanging the system.

Reference:
Microsoft Security Bulletin MS99-021: "Patch Available for 'CSRSS Worker
Thread Exhaustion' Vulnerability" at:
http://www.microsoft.com/security/bulletins/ms99-021.asp

_____

Risk Factor Key:

    High    Any vulnerability that provides an attacker with immediate
            access into a machine, gains superuser access, or bypasses a
            firewall. Example: A vulnerable Sendmail 8.6.5 version that
            allows an intruder to execute commands on mail server.
    Medium  Any vulnerability that provides information that has a high
            potential of giving system access to an intruder. Example: A
            misconfigured TFTP or vulnerable NIS server that allows an
            intruder to get the password file that could contain an account
            with a guessable password.
    Low     Any vulnerability that provides information that potentially
            could lead to a compromise. Example: A finger that allows an
            intruder to find out who is online and potential accounts to
            attempt to crack passwords via brute force methods.

ISS is the pioneer and leading provider of adaptive network security
software delivering enterprise-wide information protection solutions. ISS'
award-winning SAFEsuite family of products enables information risk
management within intranet, extranet and electronic commerce environments.
By combining proactive vulnerability detection with real-time intrusion
detection and response, ISS' adaptive security approach creates a flexible
cycle of continuous security improvement, including security policy
implementation and enforcement. ISS SAFEsuite solutions strengthen the
security of existing systems and have dramatically improved the security
posture for organizations worldwide, making ISS a trusted security advisor
for firms in the Global 2000, 21 of the 25 largest U.S. commercial banks and
over 35 governmental agencies. For more information, call ISS at
678-443-6000 or 800-776-2362 or visit the ISS Web site at www.iss.net.

________

Copyright (c) 1999 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert Summary
electronically. It is not to be edited in any way without express consent of
the X-Force. If you wish to reprint the whole or any part of this Alert
Summary in any other medium excluding electronic medium, please e-mail
xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.

X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html as
well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force of Internet
Security Systems, Inc.