News May 1998


Most of the links lead to the corresponding files at CERT or other organisations, so changes made there, in particular which patches should be installed or which configuration changes avoid a vulnerability, are reflected immediately. Most of the files are transferred by ftp.
By the way: if a well-known risk inherent in a widely used platform or program is not published here, that does not mean this particular platform or program is safe to use!


FreeBSD 2.2.* Vulnerability in mmap: BSD9804, ESB-98.087, S-98-34
The 4.4BSD VM system allows files to be "memory mapped", which causes the specified contents of a file to be made available to a process via its address space. Manipulations of that file can then be performed simply by manipulating memory, rather than using filesystem I/O calls. In 4.4BSD, 4 new FFS flags were added that make it possible to mark files as append-only or immutable. Through such a mapping it is nevertheless possible to change the contents of append-only files.
It's recommended to install the patches given in the advisory as soon as possible.
Cisco PIX: Reduction of effective key length: Cisco11848, VB-98.05, ERS-056, ESB-98.086, S-98-33, I-056
PIX Private Link is an optional feature that can be installed in Cisco PIX firewalls. PIX Private Link creates IP virtual private networks over untrusted networks, such as the Internet, using tunnels encrypted with Data Encryption Standard (DES) in ECB ("electronic codebook") mode. An error in parsing of configuration file commands reduces the effective key length for the PIX Private Link DES encryption to 48 bits from the nominal 56 bits.
The next release (4.2.1) will fix this problem; it is scheduled for late June 1998. Fixes for 4.1 are not scheduled yet.
IRIX 6.4 diskperf/diskalign vulnerabilities: SGI-19980502, I-055, S-98-31, ERS-055, ESB-98.079
The diskalign(1)/diskperf(1) programs are installed by default from the January Recommended/Required Patch Set for IRIX 6.4. Patches 2291 and 2848 are vulnerable. A user account on the vulnerable system is required in order to exploit diskalign(1)/diskperf(1) locally and remotely. This vulnerability has been publicly discussed in Usenet newsgroups and mailing lists.
It's strongly recommended to install patch #3030 and to change the configuration as described in the advisory.
IRIX 6.3 Vulnerability in Netware Client 1.0 used under IRIX: SGI-19980501, I-055, S-98-30, ERS-054, ESB-98.078
The NetWare Client 1.0 software subsystem is installed by default on IRIX 6.3. A user account on the vulnerable system is required in order to exploit NetWare Client 1.0 locally and remotely, which can lead to root access.
This vulnerability has been publicly discussed in Usenet newsgroups and mailing lists.
It's strongly recommended to install patch #2869 and change the configuration as described in the advisory.
3Com Vulnerabilities by backdoors and SNMP in CoreBuilder and SuperStack II: 3Com5148, I-052, ESB-98.074, ERS-049
3Com has responded to the widespread distribution of special logins intended for service and recovery procedures, which were issued only by 3Com's Customer Service Organization under conditions of extreme emergency, such as a customer losing passwords. Due to this disclosure, some 3Com switching products may be vulnerable to security breaches caused by unauthorized access via these special logins. Customers should immediately log in to their switches via the known usernames and passwords (see advisory) and change the password via the appropriate Password parameter to prevent unauthorized access.
Customers should also immediately change the SNMP Community string from the default to a proprietary and confidential identifier, because the admin password is readable through a specific proprietary MIB variable when accessed via the read/write SNMP community string.
Cisco Vulnerability in Web Cache Control Protocol (WCCP): Cisco07174, I-054, ESB-98.073, ERS-051
Cisco's Cisco Cache Engine product provides transparent caching for world-wide web pages retrieved via HTTP. The Cache Engine uses a Cisco proprietary protocol called the Web Cache Control Protocol (WCCP) to communicate with a properly-configured Cisco router and register as a cache service provider. The router then diverts HTTP traffic to the Cache Engine. Attackers can cause a router configured for WCCP to divert some or all HTTP traffic to any host they choose, anywhere on the Internet.
Patches are planned. As a workaround, traffic to port 2048/udp destined to the router should be dropped, as well as traffic to all broadcast addresses of networks to which the router may be attached and to all multicast addresses to which the router may be listening.
all Bugs in Internet Software Consortium (ISC) DHCP Distribution: I-053, ESB-98.077, S-98-29, ERS-050
There are two bugs in all previous releases of the Internet Software Consortium DHCP Distribution which can be exploited to crash the DHCP server, or possibly worse. New distributions of versions 1.0 and 2.0 of the DHCP Distribution have been published which correct these problems. Links can be found in the advisory.
all Further problems with BIND: CS-98.05, ERS-052, ESB-98.080, S-98-32
In addition to the problems pointed out in CS-98.04, new intruder tools have been found, e.g. one that grants access to a user "w0rm" without a password. Log files may also be deleted.
How to detect and avoid the problem is described in the advisory. The latest version of BIND is not vulnerable. Patched versions (as described in CA-98.05) are not vulnerable either.
all Problems with named and Trojan Horses: CS-98.04, ESB-98.076, ERS-048
In some incidents reported to CERT, it appears that after the "named" server is compromised, the intruder runs a script that
- telnets to another host on port 666
- obtains an intruder tool archive named "hide" via ncftp or ftp
- unpacks and installs the contents of the "hide" archive
This "hide" archive includes Trojan horse versions of system programs, e.g. ifconfig, inetd, ls, named, netstat, ps, pstree, syslogd, tcpd, top.
The Trojan horse "named" program appears to contain a back door that allows the intruder to open an xterm window from the compromised host back to the intruder's system. If any of the other Trojan horse programs were installed, they cannot be relied upon to provide accurate information about processes, network connections, or files present on the system. Further information can be found in the summary.
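As an added example, not from the CERT summary or this page: a small POSIX shell integrity check that records a hash baseline of the programs the "hide" archive is reported to replace and later reports any that are missing or changed. It assumes coreutils sha256sum and a baseline taken from a known-clean source (install media or a clean boot), since a trojaned ls, ps or syslogd cannot be trusted to report on itself.

```shell
#!/bin/sh
# Added example: hash-baseline check for the programs the "hide" archive
# replaces. Assumes coreutils sha256sum; the baseline must come from a
# known-clean source, otherwise the check only confirms the Trojan horses.

HIDE_PROGS="ifconfig inetd ls named netstat ps pstree syslogd tcpd top"
SEARCH_DIRS="/sbin /usr/sbin /bin /usr/bin"

# make_baseline ROOT OUTFILE: record "hash  path" for each program found under ROOT.
make_baseline() {
    root=$1; out=$2
    : > "$out"
    for p in $HIDE_PROGS; do
        for d in $SEARCH_DIRS; do
            if [ -f "$root$d/$p" ]; then
                sha256sum "$root$d/$p" >> "$out"
            fi
        done
    done
}

# check_baseline FILE: re-hash every recorded binary; print what moved and
# return 1 if any entry is missing or its hash differs, 0 if all still match.
check_baseline() {
    bad=0
    while read -r sum path; do
        if [ ! -f "$path" ]; then
            echo "MISSING  $path"; bad=1
        elif [ "$(sha256sum "$path" | cut -d' ' -f1)" != "$sum" ]; then
            echo "CHANGED  $path"; bad=1
        fi
    done < "$1"
    return $bad
}

# demo: exercise the check on a constructed throw-away root instead of the
# real system; returns 0 only if a clean tree passes and a tampered one fails.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/bin" "$tmp/usr/sbin"
    printf 'pretend clean ls binary\n' > "$tmp/bin/ls"
    printf 'pretend clean named binary\n' > "$tmp/usr/sbin/named"
    make_baseline "$tmp" "$tmp/baseline"
    check_baseline "$tmp/baseline" > /dev/null || return 1   # clean tree must pass
    printf 'back-doored named\n' > "$tmp/usr/sbin/named"     # simulate "hide" install
    if check_baseline "$tmp/baseline"; then return 1; fi     # tampering must be caught
    rm -rf "$tmp"
}
demo && echo "hide-style replacement of named detected"
```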
FreeBSD Problems with T/TCP: S-98-028, ESB-98.072, ERS-047, I-051 - revised advisory: ESB-98.075
RFC 1644 describes an accelerated open (T/TCP) that does not need the standard three-way handshake. Because connections can therefore be spoofed, unauthorized access to the system via the r*-services is possible.
It's recommended to disable all r*-services and to install the patch provided by FreeBSD.
DIGITAL Unix 3.2g, 4.0x Vulnerability in ftpd: ESB-98.070, ERS-041, S-98-24
Digital has discovered a potential vulnerability with ftp for DIGITAL UNIX software, where under certain circumstances, a user may gain unauthorized file access.
Digital strongly recommends upgrading to a minimum of Digital UNIX V4.0b accordingly, and that the appropriate patch kit be installed immediately.
DIGITAL Unix 4.0x Vulnerability in advfs: I-050, ESB-98.069, ERS-040, S-98-25
Digital has discovered a potential vulnerability with the Advanced File System Utility for DIGITAL UNIX software, where under certain circumstances, an authorized user may gain unauthorized privileges.
Digital strongly recommends upgrading to a minimum of Digital UNIX V4.0b accordingly, and that the appropriate patch kit be installed immediately.
DIGITAL Unix 3.2g, 4.0x Vulnerability in rpc.statd: ESB-98.068, ERS-042, S-98-26
Digital has discovered a potential vulnerability with rpc.statd for DIGITAL UNIX software, where under certain circumstances a user may gain unauthorized privileges.
Digital strongly recommends upgrading to a minimum of Digital UNIX V4.0b accordingly, and that the appropriate patch kit be installed immediately. The patch kit for 3.2g will be released in June 1998.
DIGITAL Unix 3.2g, 4.0x Potential Security Vulnerability by ftpd (bounce): ESB-98.067, ERS-043, S-98-27
Digital has discovered a potential vulnerability with FTP (the "bounce" problem) for DIGITAL UNIX software, where under certain circumstances a user may gain unauthorized privileges.
Digital strongly recommends upgrading to a minimum of Digital UNIX V4.0b accordingly, and that for 4.0x the appropriate patch kit be installed immediately. The patch kit for 3.2g will be released in June 1998.
Red Hat Linux 4.2 and 5.0 New vulnerabilities in lpr: ESB-98.061
More buffer overflows have been found in lpr 0.30. As these flaws may allow users to gain root access to the local system, Red Hat Software recommends that all users upgrade to lpr 0.31 immediately.
Red Hat 5.0, i386: rpm -Uvh ftp://ftp.redhat.com/updates/5.0/i386/lpr-0.31-1.i386.rpm
Red Hat 5.0, alpha: rpm -Uvh ftp://ftp.redhat.com/updates/5.0/alpha/lpr-0.31-1.alpha.rpm
Red Hat 4.2, i386: rpm -Uvh ftp://ftp.redhat.com/updates/4.2/i386/lpr-0.31-0.i386.rpm
Red Hat 4.2, alpha: rpm -Uvh ftp://ftp.redhat.com/updates/4.2/alpha/lpr-0.31-0.alpha.rpm
Red Hat 4.2, SPARC: rpm -Uvh ftp://ftp.redhat.com/updates/4.2/sparc/lpr-0.31-0.sparc.rpm
Red Hat Linux 4.2 and 5.0 Vulnerability in lpr: ESB-98.060
A major security problem has been found in all versions of lpr shipped with Red Hat Linux. Version 0.30 of lpr fixes this and is now available from ftp.redhat.com. Red Hat Software encourages all users of Red Hat to upgrade to this new version immediately.
Red Hat 5.0, i386: rpm -Uvh ftp://ftp.redhat.com/updates/5.0/i386/lpr-0.30-1.i386.rpm
Red Hat 5.0, alpha: rpm -Uvh ftp://ftp.redhat.com/updates/5.0/alpha/lpr-0.30-1.alpha.rpm
Red Hat 4.2, i386: rpm -Uvh ftp://ftp.redhat.com/updates/4.2/i386/lpr-0.30-0.i386.rpm
Red Hat 4.2, alpha: rpm -Uvh ftp://ftp.redhat.com/updates/4.2/alpha/lpr-0.30-0.alpha.rpm
Red Hat 4.2, SPARC: rpm -Uvh ftp://ftp.redhat.com/updates/4.2/sparc/lpr-0.30-0.sparc.rpm
HP-UX Vulnerability in Openmail: Hewlett-Packard Security Bulletin #000078, I-047, ERS-037, ESB-98.063
Hewlett-Packard has learned of an OpenMail server misconfiguration that can give users the ability to run arbitrary shell commands. This applies to all currently supported OpenMail versions (B.05.01 (GR4) and B.05.10 (GR5)), as well as the earlier B.04.01 (GR3) revision.
It's recommended to fix this hole as pointed out in the advisory.
Solaris 2.5 and 2.5.1 (SPARC and x86) Vulnerability in ufsrestore: SUN Security Bulletin #00169, I-049, ERS-039, ESB-98.065, S-98-23
The ufsrestore utility is used to restore files from backup media created with the ufsdump command. A vulnerability has been found in ufsrestore which, if exploited, would permit a user to become root.
It's recommended to install patches released by Sun Microsystems.
Solaris 2.3-2.6 (SPARC and x86) Vulnerability in mountd: SUN Security Bulletin #00168, I-048, ERS-038, ESB-98.064, S-98-22
mountd is an RPC server that handles NFS file system mount requests. A vulnerability has been discovered with mountd which, if exploited, allows the attacker to obtain information about any file that exists on the NFS server even though the file in question is not a part of the NFS exported file system.
It's recommended to install patches released by Sun Microsystems.
Microsoft IE 4.0 and 4.01 Fix available for Embed issue: Microsoft, ESB-98.056
Microsoft has posted a fix to protect Internet Explorer users against a potential problem known as the "Embed" issue.
A malicious Web page could cause Internet Explorer 4.0 to crash through an exploit with the "EMBED" tag. It's difficult, but possible, for the page to then run code in memory on that machine.
It's strongly recommended to install the patches. Windows 3.1 and Windows NT 3.51 are not vulnerable.
X11R3 - X11R6.x Vulnerabilities in xterm and Xaw: VB-98.04, I-046, ERS-036, ERS-045, ESB-98.062, ESB-98.066, S-98-21
The Open Group has published advisories on vulnerabilities in xterm and Xaw. By crafting an arbitrarily long string that contains embedded machine code and using it to set specific "resources", a user may obtain a shell prompt that has root privileges.
Anyone using the MIT X Consortium; X Consortium, Inc.; or X Project Team xterm and that has xterm installed setuid-root may be vulnerable. Anyone using an xterm based on any of the sources listed above may also be vulnerable to the xterm vulnerability. In order to be vulnerable to the Xaw library vulnerability, the Xaw Text widget must be used by a setuid-root program. Anyone using an Xaw replacement based on any of the released versions of Xaw listed above (e.g. Xaw3d) may also be vulnerable to the Xaw vulnerability.
A temporary workaround is to chmod xterm and any setuid-root program using the Xaw Text widget to 0755, i.e. to remove the setuid bit. Many vendors have published patches; they are listed in the advisory.


© 1998 Dr. Matthias Leu, EDV Beratung fuer Internet/Intranet, last update: June 21, 1998, 15:05 +0200