News April 1998


Most of the links lead to the corresponding files at CERT or other organisations, so changes made there take effect here immediately, in particular which patches should be installed or which configuration changes avoid a given vulnerability. Most of the files are transferred by ftp.
By the way: if we do not list a well-known risk inherent in some widely used platform or program, that does not mean this particular platform or program is safe to use!


IRIX 5.1, 6.1-6.3 Vulnerabilities in IRIX LicenseManager(1M): SGI-19980406, I-045, ERS-035, ESB-98.059
The LicenseManager(1M) program is installed by default from the license_eoe software subsystem. license_eoe versions 3.0, 3.1 and 3.1.1 are vulnerable. A user account on the vulnerable system is required in order to exploit LicenseManager(1M), whether locally or remotely.
One workaround is to change the permissions of this program. Patches are also available, except for IRIX 6.1.
Solaris 2.3-2.6 (SPARC and x86) Vulnerability in rpcbind: SUN Security Bulletin #00167, ESB-98.57, ERS-033
The rpcbind program is a server that converts RPC program numbers into universal addresses. When an RPC service is started, it registers itself with rpcbind by telling rpcbind the address at which the RPC service is listening, and the RPC program numbers it is prepared to serve. A vulnerability has been discovered in rpcbind which, if exploited, can be used to overwrite arbitrary files and permit unauthorized system access.
It is recommended to install the patches released by Sun Microsystems.
IRIX 5.0 - 6.4 Vulnerable suid_exec program: SGI-19980405, ESB-98.055, ERS-032
The suid_exec program is installed by default on all IRIX 5.x and 6.x systems. With a local account, the suid_exec buffer overrun can be exploited both locally and remotely, and it can be used to execute commands with root privileges.
At the moment no patches are available; please apply the workaround described in the advisory.
IRIX Vulnerabilities in suidperl/sperl: SGI-19980404, ESB-98.054, ERS-031, S-98-16
As pointed out in CA-97.17, there are several buffer-overflow vulnerabilities in Perl. Perl is freeware, so SGI does not support it. It is recommended to install the most recent version, Perl 5.004, or to apply the workaround described in the advisory.
BIND Vulnerabilities in BIND: CA-98.05, I-044, ESB-98.058, ERS-034
BIND is the most widely used DNS name server (named). Three vulnerabilities have been found:
1. Inverse Query Buffer Overrun in BIND 4.9 and BIND 8 Releases
BIND 4.9 releases prior to BIND 4.9.7 and BIND 8 releases prior to 8.1.2 do not properly bounds check a memory copy when responding to an inverse query request. An improperly or maliciously formatted inverse query on a TCP stream can crash the server or allow an attacker to gain root privileges.
2. Denial-of-Service Vulnerabilities in BIND 4.9 and BIND 8 Releases
BIND 4.9 releases prior to BIND 4.9.7 and BIND 8 releases prior to 8.1.2 do not properly bounds check many memory references in the server and the resolver. An improperly or maliciously formatted DNS message can cause the server to read from invalid memory locations, yielding garbage record data or crashing the server. Many DNS utilities that process DNS messages (e.g., dig, nslookup) also fail to do proper bounds checking.
3. Denial-of-Service Vulnerability in BIND 8 Releases
Assume that the following self-referential resource record is in the cache on a name server:
foo.example. IN CNAME foo.example.
The actual domain name used does not matter; the important thing is that the target of the CNAME is the same name. The record could be in the cache either because the server was authoritative for it or because the server is recursive and someone asked for it. Once this record is in the cache, issuing a zone transfer request using its name (e.g., "dig @my_nameserver foo.example. axfr") will cause the server to abort().
Most sites will not contain such a record in their configuration files. However, it is possible for an attacker to engineer such a record into the cache of a vulnerable nameserver and thus cause a denial of service.
It is strongly recommended to install the current versions, BIND 4.9.7 or 8.1.2.
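The self-referential CNAME above is the one-record case of a CNAME loop. The following script is an added example, not code from the original page, from CERT or from BIND: it parses the CNAME records of a zone file and reports every record that points back at itself and, going slightly beyond the advisory's single case, every longer CNAME cycle, so such records can be found before a vulnerable BIND 8 loads or caches them. The zone text is constructed for the demonstration; the helper and function names are this example's own.

```python
"""Find self-referential CNAMEs (the BIND 8 abort() case) and longer CNAME
loops in zone-file text.  Added example; the sample zone is constructed."""

# Constructed sample zone (not from any real site).
SAMPLE_ZONE = """\
$ORIGIN example.
$TTL 3600
@        IN SOA   ns1.example. hostmaster.example. (1 3600 900 604800 3600)
@        IN NS    ns1.example.
ns1      IN A     192.0.2.1
www      IN A     192.0.2.10
foo      IN CNAME foo            ; self-referential: the BIND 8 abort() case
a        IN CNAME b
b        IN CNAME c.example.
c        IN CNAME a.example.     ; three-hop loop
ok       IN CNAME www            ; harmless alias
"""


def _fqdn(name, origin):
    """Qualify a relative owner/target name against the current $ORIGIN."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.lower()
    return (name + "." + origin).lower()


def parse_cnames(zone_text):
    """Return {owner: target} for every CNAME RR, both fully qualified.

    Handles $ORIGIN, '@', relative names, ';' comments and a blank owner
    field (which repeats the previous owner).  It is a deliberately small
    parser: run named-checkzone on real zones as well.
    """
    origin = "."
    last_owner = "@"
    cnames = {}
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].lower()
            if not origin.endswith("."):
                origin += "."
            continue
        if line.startswith("$"):
            continue
        tokens = line.split()
        owner = last_owner if raw[0].isspace() else tokens[0]
        if not raw[0].isspace():
            last_owner = tokens[0]
        upper = [t.upper() for t in tokens]
        idx = next((i for i, t in enumerate(upper) if t == "CNAME" and i > 0), None)
        if idx is None or idx + 1 >= len(tokens):
            continue
        cnames[_fqdn(owner, origin)] = _fqdn(tokens[idx + 1], origin)
    return cnames


def find_cname_loops(cnames):
    """Return every CNAME cycle as a list of names, each rotated to start
    at its smallest member so the result is deterministic.  A one-element
    cycle is exactly the self-referential record from the advisory."""
    loops = []
    seen = set()
    for start in cnames:
        if start in seen:
            continue
        path = []
        node = start
        # Follow the chain until it ends, revisits this path, or reaches
        # a name already classified by an earlier walk.
        while node in cnames and node not in path and node not in seen:
            path.append(node)
            node = cnames[node]
        if node in path:
            cycle = path[path.index(node):]
            k = cycle.index(min(cycle))
            loops.append(cycle[k:] + cycle[:k])
        seen.update(path)
    return loops


def check_zone(zone_text):
    """Convenience wrapper: cycles found in the given zone text."""
    return find_cname_loops(parse_cnames(zone_text))


if __name__ == "__main__":
    for cycle in check_zone(SAMPLE_ZONE):
        print("CNAME loop:", " -> ".join(cycle + [cycle[0]]))
```

Run it on the sample and it reports `foo.example.` as a one-record loop and `a.example. -> b.example. -> c.example.` as a longer one; `ok` is left alone because its chain ends at an A record.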
IRIX 6.3 - 6.4 Vulnerability in mailcap: SGI-19980403, VB-98.03, ESB-98.053, I-043, ERS-030
All IRIX 6.3/6.4 users that have Mailcap entries for x-sgi-task and x-sgi-exec are affected by this vulnerability. On IRIX 6.3/6.4 these vulnerable Mailcap entries are installed by default in /usr/local/lib/netscape/mailcap. Users can also add their own Mailcap entries in their home directories ($HOME/.mailcap), and these need to be inspected for the vulnerable x-sgi-task and x-sgi-exec entries as well.
By default, exploiting this vulnerability requires an IRIX 6.3/6.4 user to browse the web or read email from a malicious site with Netscape Navigator and to download a "trojan horse" System Manager Task, which then executes locally with the privileges of the browsing user. If that user is privileged or root, the "trojan horse" System Manager Task executes with root privileges and can lead to a root compromise.
It is recommended to install the patches pointed out in the advisory.
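Inspecting the two Mailcap files for the vulnerable entries is easy to get wrong by eye because Mailcap entries may span several lines with a trailing backslash. The following script is an added example, not code from the original page or from SGI: it parses Mailcap text, lists the entries whose subtype is x-sgi-task or x-sgi-exec, and produces a copy with exactly those entries removed. The sample file and the command paths in it are constructed for the demonstration; the real IRIX entries are not reproduced on this page.

```python
"""List and strip x-sgi-task / x-sgi-exec Mailcap entries.
Added example; the sample Mailcap below is constructed."""
import os
import re

VULNERABLE_SUBTYPES = {"x-sgi-task", "x-sgi-exec"}

# Constructed sample; the command paths are made up for the example.
SAMPLE_MAILCAP = """\
# constructed example file, not the real IRIX mailcap
application/x-sgi-task; /usr/local/bin/runtask %s; \\
    description="System Manager Task"
application/x-sgi-exec; /usr/local/bin/runexec %s
image/gif; xv %s
"""


def _logical_lines(text):
    """Yield (joined_line, [raw_line_indices]) with backslash
    continuations merged, so an entry can later be removed whole."""
    buf, idx = [], []
    for i, raw in enumerate(text.splitlines()):
        idx.append(i)
        if raw.rstrip().endswith("\\"):
            buf.append(raw.rstrip()[:-1])
            continue
        buf.append(raw)
        yield "".join(buf), idx
        buf, idx = [], []
    if buf:  # file ended inside a continuation
        yield "".join(buf), idx


def parse_mailcap(text):
    """Return one dict per entry: type, command, remaining flag fields and
    the raw line numbers the entry occupies.  Fields are separated by ';'
    and a literal semicolon is escaped as '\\;' in Mailcap syntax."""
    entries = []
    for logical, idx in _logical_lines(text):
        s = logical.strip()
        if not s or s.startswith("#"):
            continue
        fields = [f.strip() for f in re.split(r"(?<!\\);", s)]
        if len(fields) < 2:
            continue
        entries.append({"type": fields[0].lower(), "command": fields[1],
                        "flags": fields[2:], "lines": idx})
    return entries


def vulnerable_entries(text):
    """Entries whose subtype is one named in the advisory."""
    return [e for e in parse_mailcap(text)
            if e["type"].split("/")[-1] in VULNERABLE_SUBTYPES]


def strip_vulnerable(text):
    """Return the Mailcap text with the vulnerable entries removed and
    everything else (comments, other entries) byte-for-byte intact."""
    drop = set()
    for e in vulnerable_entries(text):
        drop.update(e["lines"])
    kept = [l for i, l in enumerate(text.splitlines()) if i not in drop]
    return "\n".join(kept) + "\n"


def scan_default_locations():
    """Check the system file named in the advisory and the user's own
    ~/.mailcap; returns {path: [vulnerable entries]} for files present."""
    report = {}
    for p in ("/usr/local/lib/netscape/mailcap", os.path.expanduser("~/.mailcap")):
        if os.path.isfile(p):
            with open(p) as fh:
                report[p] = vulnerable_entries(fh.read())
    return report


if __name__ == "__main__":
    for e in vulnerable_entries(SAMPLE_MAILCAP):
        print("vulnerable entry:", e["type"], "->", e["command"])
    for path, found in scan_default_locations().items():
        print(path, "has", len(found), "vulnerable entries")
```

On the sample the two x-sgi entries are reported, the multi-line x-sgi-task entry is removed together with its continuation line, and the image/gif entry and the comment survive unchanged. Removing the entries is the configuration workaround; the advisory's patches are still the recommended fix.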
IRIX 5.0 - 6.4 Vulnerability found in lp(1): SGI-19980402, ESB-98.052, I-042, ERS-029
The lp(1) program and printing subsystem are installed by default on all IRIX systems. A local account is required to exploit this vulnerability, both locally and remotely. It can be used to execute commands with root privileges.
For some systems a patch is available; a workaround is to de-install the print subsystem.
IRIX 6.2 - 6.4 Vulnerability in Performer API Search Tool 2.2 pfdispaly.cgi: SGI-19980401, ESB-98.051, I-041, ERS-028
The IRIS Performer API Search Tool software subsystem (performer_tools) is loaded by default when installing the IRIX Performer 2.2 CD on IRIX 6.2, 6.3 and 6.4.
For this particular vulnerability no local account is required; it can be exploited remotely and used to view files on the local system with the privileges of user "nobody".
It is recommended to install Patch #3018 or to apply the workaround pointed out in the advisory.
Red Hat Linux 4.2 and 5.0 Vulnerability in lynx: ESB-98.050
Security problems have been found in lynx which allow remote web sites to make lynx do unwise things. Red Hat suggests that all users of Red Hat Linux upgrade to the new release of lynx.
Red Hat 5.0, i386:
rpm -Uvh ftp://ftp.redhat.com/updates/5.0/i386/lynx-2.8-1.i386.rpm
Red Hat 5.0, alpha:
rpm -Uvh ftp://ftp.redhat.com/updates/5.0/alpha/lynx-2.8-1.alpha.rpm
Red Hat 4.2, i386:
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/i386/lynx-2.8-0.i386.rpm
Red Hat 4.2, alpha:
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/alpha/lynx-2.8-0.alpha.rpm
Red Hat 4.2, SPARC:
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/sparc/lynx-2.8-0.sparc.rpm
IRIX Vulnerabilities in IMAP and POP: SGI-19980302, ESB-98.046
SGI states that Netscape Mail/Messaging Servers are used on IRIX; the vulnerabilities pointed out in CA-97.09 are therefore not relevant for IRIX.
Red Hat Linux 4.2 and 5.0 Vulnerabilities in svgalib and kbd: ESB-98.045
Patches have been released for these known vulnerabilities:
Red Hat 5.0, i386:
rpm -Uvh ftp://ftp.redhat.com/updates/5.0/i386/kbd-0.94-6.i386.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/5.0/i386/svgalib-1.2.11-4.i386.rpm
Red Hat 5.0, alpha:
rpm -Uvh ftp://ftp.redhat.com/updates/5.0/alpha/kbd-0.94-6.alpha.rpm
Red Hat 4.2, i386:
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/i386/kbd-0.91-10.i386.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/i386/svgalib-1.2.10-3.i386.rpm
Red Hat 4.2, alpha:
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/alpha/kbd-0.91-10.alpha.rpm


© 1998 Dr. Matthias Leu, EDV Beratung fuer Internet/Intranet, last update: May 21, 1998, 13:58 +0200