News June 1998


Most of the links lead to the corresponding files at CERT or other organisations, so changes made there take effect here immediately, in particular which patches should be installed or which configuration changes should be made to avoid a vulnerability. Most of the files are transferred by ftp.
By the way: if we do not publish a well-known risk inherent in a widely used platform or program, that does not mean this particular platform or program is safe to use!


NetBSD 1.3.2 and earlier Vulnerability in at: NetBSD-19980626, ERS-070
Due to a bug in the at(1) program, any local user can queue any root-readable file on the system for execution by /bin/sh. Because at(1) returns the resulting error messages to the submitter, they may obtain parts of the file's contents.
A patch has been released; if it cannot be applied, the set-user-ID bit should be removed from the at(1) binary.
IRIX Vulnerability in mailx: SGI-19980605, ESB-98.106
Silicon Graphics is working on a patch and workarounds for a hole found in mailx. Further information will be given when the patch is published.
all Vulnerability in PKCS#1: CA-98.07, I-066, ERS-069, SGI-19980606, ESB-98.104
PKCS#1 is a standard for encrypting data using the RSA public-key cryptosystem. Its intended use is in the construction of digital signatures and digital envelopes.
One use for the digital envelopes constructed using PKCS#1 is to provide confidentiality during the session key negotiation of an SSL-encrypted session. The SSL protocol is widely used to encrypt traffic to and from web servers to protect the privacy of information such as personal data or a credit card number as it traverses the internet. A sophisticated intruder may be able to use the vulnerability in PKCS#1 to recover information from an SSL-encrypted session. The attack depends on the server revealing, through an error message or other observable behaviour, whether a chosen ciphertext decrypted to a correctly formatted PKCS#1 block; on the order of a million such chosen ciphertexts against the same server key are needed, after which the session key of a recorded session can be recovered without access to the private key. Additional information regarding this vulnerability will be available here.
This vulnerability does not affect all PKCS#1-enabled products. See the Advisory for further Vendor Information.
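As an added example (not code from the original page, from RSA or from any vendor advisory), the following C program shows the behaviour that makes the attack possible next to the one that removes it: a decoder that checks the PKCS#1 v1.5 block layout and reports which check failed, beside a decoder that does the same work for every block and, on failure, silently substitutes random bytes for the secret so that good and bad blocks look alike from outside. The RSA operation itself is omitted; the block size, the sample block, the error codes and the function names are assumptions made for the example.

```c
/* PKCS#1 v1.5 (EME-PKCS1-v1_5) decoding, leaky vs. hardened.  Added example, not
 * code from the page or from any vendor advisory.  The RSA step is left out: `em`
 * is the k-byte block after the private-key operation, EM = 00 || 02 || PS || 00 || M,
 * PS at least 8 non-zero bytes, M of a fixed public length (16 here; 48 in TLS). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { PKCS1_OK = 0, PKCS1_ERR_TYPE = -1, PKCS1_ERR_PS = -2, PKCS1_ERR_LEN = -3 };

/* Leaky decoder: stops at the first defect and reports which check failed.
 * Seen from the network, that is exactly the oracle the advisory warns about. */
int pkcs1_v15_unpad_leaky(const uint8_t *em, size_t k, uint8_t *out, size_t outlen)
{
    size_t i;
    if (k < 11 || em[0] != 0x00 || em[1] != 0x02)
        return PKCS1_ERR_TYPE;
    for (i = 2; i < k && em[i] != 0x00; i++)
        ;
    if (i == k || i < 10)              /* no separator, or PS shorter than 8 bytes */
        return PKCS1_ERR_PS;
    if (k - i - 1 != outlen)           /* message has the wrong length */
        return PKCS1_ERR_LEN;
    memcpy(out, em + i + 1, outlen);
    return PKCS1_OK;
}

/* Constant-time byte helpers; masks are 0xFF (true) or 0x00 (false). */
static uint8_t ct_is_zero(uint8_t v) { return (uint8_t)((uint16_t)(v - 1) >> 8); }
static uint8_t ct_eq(uint8_t a, uint8_t b) { return ct_is_zero(a ^ b); }
static uint8_t ct_select(uint8_t m, uint8_t a, uint8_t b) { return (uint8_t)((m & a) | (~m & b)); }

/* Hardened decoder (the countermeasure TLS later mandated): the message length is
 * public, so the separator has exactly one legal position; every byte is examined
 * with no early exit; on any defect `out` is silently filled from `fallback`, random
 * bytes the caller drew before decrypting; good and bad blocks return the same code.
 * (The RSA step and the rest of the handshake must also be free of data-dependent
 * timing, which is outside this example.) */
int pkcs1_v15_unpad_hardened(const uint8_t *em, size_t k, const uint8_t *fallback,
                             uint8_t *out, size_t outlen)
{
    size_t sep, i;
    uint8_t good;
    if (k < 11 || outlen > k - 11)     /* sizes are public; branching on them leaks nothing */
        return PKCS1_ERR_LEN;
    sep = k - outlen - 1;              /* sep >= 10, so PS has at least 8 bytes */
    good = ct_eq(em[0], 0x00) & ct_eq(em[1], 0x02) & ct_eq(em[sep], 0x00);
    for (i = 2; i < sep; i++)          /* PS may not contain a zero byte */
        good &= (uint8_t)~ct_is_zero(em[i]);
    for (i = 0; i < outlen; i++)
        out[i] = ct_select(good, em[sep + 1 + i], fallback[i]);
    return PKCS1_OK;
}

/* Constructed sample block: k = 32, PS = 13 non-zero bytes, separator at em[15],
 * 16-byte secret "premaster-secret" at em[16]. */
static const uint8_t SAMPLE_EM[32] = {
    0x00, 0x02, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd,
    0x00, 'p', 'r', 'e', 'm', 'a', 's', 't', 'e', 'r', '-', 's', 'e', 'c', 'r', 'e', 't'
};

/* Defects a chosen ciphertext typically decrypts to. */
enum { DMG_NONE = 0, DMG_TYPE = 1, DMG_ZERO_IN_PS = 2, DMG_NO_SEP = 3 };

static void make_block(int damage, uint8_t em[32])
{
    memcpy(em, SAMPLE_EM, 32);
    if (damage == DMG_TYPE)       em[1]  = 0x03;
    if (damage == DMG_ZERO_IN_PS) em[12] = 0x00;
    if (damage == DMG_NO_SEP)     em[15] = 0x77;
}

/* What the peer observes from the leaky decoder: a different code per defect. */
int leaky_verdict(int damage)
{
    uint8_t em[32], out[16];
    make_block(damage, em);
    return pkcs1_v15_unpad_leaky(em, 32, out, 16);
}

/* Hardened decoder: 1 = real secret recovered, 0 = fallback handed back, -1 = sizes
 * refused.  From outside, 1 and 0 lead to the same handshake failure for an attacker. */
int hardened_verdict(int damage)
{
    uint8_t em[32], out[16], fallback[16];
    memset(fallback, 0xAA, sizeof fallback);   /* stands in for fresh random bytes */
    make_block(damage, em);
    if (pkcs1_v15_unpad_hardened(em, 32, fallback, out, 16) != PKCS1_OK)
        return -1;
    return memcmp(out, SAMPLE_EM + 16, 16) == 0;
}

int main(void)
{
    int d;
    for (d = DMG_NONE; d <= DMG_NO_SEP; d++)
        printf("defect %d: leaky returns %2d, hardened returned the real secret: %d\n",
               d, leaky_verdict(d), hardened_verdict(d));
    return 0;
}
```

The leaky decoder answers the three damaged blocks with three different codes, which is all the attacker needs; the hardened one answers all four blocks with PKCS1_OK and simply hands back the wrong secret, so the only thing the peer ever sees is a failed handshake. Any product that has to report a decryption failure at all should report it the same way, after the same amount of work, for every kind of failure.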
Solaris 2.5 and 2.5.1 (SPARC and x86) Vulnerability in ufsrestore: I-065, ERS-068, ESB-98.105
A buffer overflow vulnerability has been identified in the ufsrestore utility, used to restore files from backup media created with the ufsdump command. This is different from the vulnerability identified in Sun Security Bulletin #00169!
Sun is working on patches for this utility and estimates that they will be available in mid-July. Until then, system managers should use the workarounds mentioned in the Advisory.
IRIX 3.x-6.4 Problems with mail, rmail and sendmail: SGI-19980604, ESB-98.102, I-064, ERS-067
As published in CA-96.20, there are several vulnerabilities in these programs. In the Advisory Silicon Graphics gives temporary solutions and recommends installing the patches.
IRIX 3.x-6.4 IRIX and the problems in BIND: SGI-19980603, ESB-98.101, I-062, ERS-066
As pointed out in CA-98.05, several vulnerabilities were discovered in BIND. In the Advisory Silicon Graphics shows how to avoid these vulnerabilities on their systems.
BSDI 2.0, 2.1 Vulnerability in rlogind: RSI.0004, I-063
A vulnerability exists in BSDI rlogind that has the potential to allow an attacker to gain remote root access on any server running BSDI 2.1 or earlier with rlogind enabled. This vulnerability occurs as a result of inverse resolution of IP addresses to hostnames. An attacker in control of a DNS server can configure the records for a specific IP address to resolve with a name larger than rlogind can handle. Due to insufficient bounds checking, a buffer overflow can result when rlogind attempts to copy the connecting hostname into a buffer with a predefined size. While overwriting the buffer, the attacker can manipulate the stack and execute their own commands, possibly gaining root access on the server.
It is recommended to disable rlogind until a patch is released.
IRIX 5.1-6.4 Vulnerability in mediad: SGI-19980602, I-061, ESB-98.100, ERS-065, S-98-38
The IRIX mediad(1M) daemon monitors removable media devices on Silicon Graphics Inc. (SGI) platforms (IRIX 5.1 through IRIX 6.4). A vulnerability has been discovered in the default behavior of mediad(1M) that can lead to a root compromise of the system. Physical access to the removable media devices on the system and a local account are required in order to exploit it, whether locally or remotely.
The advisory gives a workaround as well as the patch numbers.
IRIX 5.3, 6.2-6.4 Denial-of-Service caused by OSF/DCE: SGI-19980601, ESB-98.099, I-060, ERS-064
The Open Group has released an advisory via CERT concerning a buffer overflow in the Distributed Computing Environment (DCE) security daemon (secd) that causes it to dump core and stop accepting connections.
Silicon Graphics' implementation of OSF/DCE on IRIX 5.3, 6.2, 6.3 and 6.4 is vulnerable to this denial-of-service attack, which can be performed locally and remotely and does not require a local account on the system.
Patches for IRIX 6.x are available now.
all New CERT Summary: CS-98.06, ESB-98.096, ERS-063
Since the last regularly scheduled CERT Summary, issued in March 1998 (CS-98.03), CERT has seen the following trends in reported incidents:
1. Multiple Vulnerabilities in BIND
2. Scans to Port 1/tcpmux and unpassworded SGI accounts
3. Root Compromises
FreeBSD 2.2.* FreeBSD 2.2.* and smurf attacks: ESB-98.093, S-98-37, ERS-060
Your network can suffer performance degradation when a large amount of spoofed ICMP traffic is sent to your broadcast address; because the echo replies go to the spoofed source address, your hosts also serve as the amplifier for an attack on someone else. It is recommended to block ICMP echo requests to broadcast addresses in your kernel using ipfw(8). See also CERT advisory CA-98.01.smurf for more workarounds.
FreeBSD describes a recommended patch.
Solaris 2.3-2.6 (SPARC and x86) Vulnerability in ftpd: SUN Security Bulletin #00171, I-059, ERS-062
The in.ftpd daemon is the Internet File Transfer Protocol (FTP) server process. The server is invoked by the Internet daemon inetd each time a connection to the FTP service is made. A vulnerability has been discovered which could be exploited to launch a denial-of-service attack against the ftp server. It is strongly recommended to install these patches:
SunOS 5.6 106301-01, SunOS 5.6_x86 106302-01, SunOS 5.5.1 103603-08, SunOS 5.5.1_x86 103604-08, SunOS 5.5 103577-08, SunOS 5.5_x86 103578-08, SunOS 5.4 101945-59 (to be released in 6 weeks), SunOS 5.4_x86 101946-52 (to be released in 6 weeks), SunOS 5.3 104938-02
Solaris 2.3-2.6 (SPARC and x86) Vulnerability in rpc.nisd (NIS+): SUN Security Bulletin #00170, CA-98.06, I-058, ERS-061
The rpc.nisd daemon is an RPC service that implements the NIS+ service. This daemon must be running on all machines which serve a portion of the NIS+ namespace. A buffer overflow has been discovered in rpc.nisd which could be exploited to gain root access and execute arbitrary commands. It's strongly recommended to install these patches:
SunOS 5.6 105401-13, SunOS 5.6_x86 105402-13, SunOS 5.5.1 103612-41, SunOS 5.5.1_x86 103613-41, SunOS 5.5 103187-38, SunOS 5.5_x86 103188-38, SunOS 5.4 101973-35, SunOS 5.4_x86 101974-35
The patch for SunOS 5.3 (101318-91) will be released in 12 weeks.
many Unix Vulnerability caused by Buffer Overflow in NIS+: CA-98.06, ESB-98.091, S-98-36, ERS-059
Depending on the configuration of the target machine running NIS+, a remote intruder can gain root access to a vulnerable system or cause the NIS+ server to crash, which will affect the usability of any system which depends on NIS+. Additionally, if your NIS+ server is running in NIS compatibility mode and if an intruder is able to crash the NIS+ server, the intruder may be able to masquerade as an NIS server and gain access to machines that depend on NIS for authentication. Finally, if an intruder is able to crash an NIS+ server and there are clients on the local network that are initialized by broadcast, an intruder may be able to provide false initialization information to the NIS+ clients. Clients that are initialized by hostname may also be vulnerable under some circumstances.
In the advisory it's pointed out exactly which systems are vulnerable and where to obtain the patches.
XFree86 Vulnerabilities in Xlib, Xt, Xmu, and Xaw: ESB-98.090
Problems exist in the Xlib, Xt, Xmu, and Xaw libraries that allow user supplied data to cause buffer overflows in programs that use these libraries. The buffer overflows may be exploited using either X resources or environment variables used by the affected libraries. These buffer overflows are associated with the use of fixed length character arrays for temporary storage and processing of user supplied data. In many cases, the length of this user supplied data is not checked to make sure that it will fit in the provided fixed length array. Exploiting these buffer overflows with programs installed setuid-root that use any of these libraries can allow an unprivileged user to gain root access to the system.
It's strongly recommended to install a patch. Binaries are also available as pointed out in the Advisory.
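The check a practitioner wants for the two overflow items above, the rlogind hostname copied from a hostile PTR record and the X resources and environment variables copied into fixed-length arrays in Xlib/Xt/Xmu/Xaw, is the same in both cases: bound the scan, reject what does not fit instead of truncating it, and copy only afterwards. The C program below is an added example and not code from the page, from BSDI or from XFree86; HOSTNAME_MAX, struct conn, the function names and the sample inputs are assumptions made for the example.

```c
/* An attacker-controlled string meeting a fixed-size array: the pattern behind the
 * rlogind item (a PTR record longer than the hostname buffer) and the X library item
 * (resources and environment variables copied into fixed char arrays).  Added
 * example, not code from the page, BSDI or XFree86.  HOSTNAME_MAX and struct conn
 * are stand-ins for whatever the real daemons used. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define HOSTNAME_MAX 64    /* assumed "predefined size" of the buffer */

struct conn {
    char remote_host[HOSTNAME_MAX];
    int  authenticated;    /* sits right after the buffer: first thing an overflow clobbers */
};

/* BEFORE, the shape of the bug: strcpy() stops only at the source's NUL, so a
 * 300-byte name from a hostile name server runs past remote_host, over
 * `authenticated` and into the caller's stack frame.  Kept for comparison only;
 * never call it with untrusted input. */
void record_host_vulnerable(struct conn *c, const char *host)
{
    strcpy(c->remote_host, host);
}

/* AFTER, step 1: decide before copying.  memchr() reads at most HOSTNAME_MAX bytes,
 * so an unterminated or overlong name cannot make us scan off the end; too long is
 * rejected rather than truncated (a truncated hostname is a different hostname);
 * and only hostname characters are accepted, because the string is later written
 * to logs and handed to other programs.  Returns 1 if acceptable, 0 otherwise. */
int hostname_is_acceptable(const char *host)
{
    const char *nul = memchr(host, '\0', HOSTNAME_MAX);
    size_t n, i;
    if (nul == NULL)                       /* no terminator within the limit */
        return 0;
    n = (size_t)(nul - host);
    if (n == 0)
        return 0;
    for (i = 0; i < n; i++) {
        unsigned char ch = (unsigned char)host[i];
        if (!isalnum(ch) && ch != '-' && ch != '.')
            return 0;
    }
    return 1;
}

/* AFTER, step 2: copy only what passed; the length is now known to fit. */
int record_host_checked(struct conn *c, const char *host)
{
    if (!hostname_is_acceptable(host))
        return -1;
    memcpy(c->remote_host, host, strlen(host) + 1);
    return 0;
}

/* Round trip: store `host` in a fresh connection record and report whether it
 * arrived intact (1) or was refused (0).  `authenticated` is checked as well,
 * since that is the field an overflow would have reached first. */
int record_round_trip(const char *host)
{
    struct conn c;
    memset(&c, 0, sizeof c);
    if (record_host_checked(&c, host) != 0)
        return 0;
    return strcmp(c.remote_host, host) == 0 && c.authenticated == 0;
}

int main(void)
{
    /* Constructed inputs: a normal name, a name with shell metacharacters, and a
     * 64-character name that leaves no room for the terminator. */
    const char *names[] = {
        "gateway.example.org",
        "bad;name`id`",
        "0123456789" "0123456789" "0123456789" "0123456789" "0123456789" "0123456789" "abcd",
    };
    size_t i;
    for (i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-64.64s -> %s\n", names[i], record_round_trip(names[i]) ? "stored" : "refused");
    return 0;
}
```

For rlogind specifically, a bounded copy is only half of the fix: the name came from a DNS server the attacker controls, so before it is used for anything that grants access it should also be resolved forward again and the connecting address checked against the results. For setuid-root X clients the same bounded handling applies to every resource and environment variable the libraries read, since an unprivileged user sets both.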
FreeBSD 2.2.* Denial of Service: system crash with NFS: ESB-98.088, S-98-35, I-057, ERS-058
NFS can be used to mount remote file systems. Apart from being remote, an NFS file system acts like a normal UFS file system; among other things, this means that hard links can be created on it. When creating a hard link, the kernel checks that both the original file and the link are located on the same file system. Unfortunately, there is an error in the FreeBSD 2.2.* NFS kernel code that performs this check.
It is possible to crash a FreeBSD 2.2.* system by hard-linking a device special file to a file on an NFS-mounted file system. FreeBSD-current as of 1998/05/31 is not vulnerable. For other versions it is recommended to install a patch.
Red Hat Linux Patches for xosview, bootp, metamail, dhcpcd, minicom, initscripts, X libraries, xterm, xscreensaver, findutils ... released: ESB-98.082, ESB-98.083, ESB-98.084, ESB-98.085, ESB-98.089, ESB-98.092, ESB-98.097, ESB-98.098, ESB-98.103
xosview in Red Hat 5.1 was unintentionally made setuid, and initscripts had a setgid file. Users of Red Hat 5.1 should upgrade to the new packages immediately. The versions of bootp, metamail, and dhcpcd distributed with Red Hat 4.2, 5.0, and 5.1 all have security problems. Users of any Red Hat distribution should upgrade their versions of these programs immediately. If you are using dhcpcd on your system, you must restart it before the fix will take effect.
Red Hat 5.0 and 5.1, i386:
rpm -Uvh ftp://ftp.redhat.com/updates/5.1/i386/xosview-1.5.1-4.i386.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/5.1/i386/bootp-2.4.3-7.i386.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/5.1/i386/metamail-2.7-13.i386.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/5.1/i386/metamail-2.7-16.i386.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/5.1/i386/elm-2.4.25-14.i386.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/5.1/i386/mailx-8.1.1-2.i386.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/5.1/i386/dhcpcd-0.65-3.i386.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/5.0/i386/dhcp-2.0b1pl1-1.i386.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/5.0/i386/dhcp-2.0b1pl1-2.i386.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/5.0/i386/minicom-1.81-3.1.i386.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/5.0/i386/initscripts-3.65-2.i386.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/5.0/i386/XFree86-3.3.2-11.i386.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/5.0/i386/XFree86-libs-3.3.2-11.i386.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/5.0/i386/xscreensaver-2.16-4.i386.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/5.0/i386/findutils-4.1-24.i386.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/5.0/i386/mailx-8.1.1-1.i386.rpm

Red Hat 5.0 and 5.1, alpha:
rpm -Uvh ftp://ftp.redhat.com/updates/5.1/alpha/xosview-1.5.1-4.alpha.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/5.1/alpha/bootp-2.4.3-7.alpha.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/5.1/alpha/metamail-2.7-13.alpha.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/5.1/alpha/metamail-2.7-16.alpha.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/5.1/alpha/elm-2.4.25-14.alpha.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/5.1/alpha/mailx-8.1.1-2.alpha.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/5.1/alpha/dhcpcd-0.65-3.alpha.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/5.0/alpha/dhcp-2.0b1pl1-1.alpha.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/5.0/alpha/dhcp-2.0b1pl1-2.alpha.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/5.0/alpha/minicom-1.81-3.1.alpha.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/5.0/alpha/initscripts-3.65-2.alpha.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/5.0/alpha/XFree86-3.3.2-11.alpha.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/5.0/alpha/XFree86-libs-3.3.2-11.alpha.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/5.0/alpha/xscreensaver-2.16-4.alpha.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/5.0/alpha/findutils-4.1-24.alpha.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/5.0/alpha/mailx-8.1.1-1.alpha.rpm

Red Hat 5.1, SPARC:
rpm -Uvh ftp://ftp.redhat.com/updates/5.1/sparc/metamail-2.7-16.sparc.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/5.1/sparc/elm-2.4.25-14.sparc.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/5.1/sparc/mailx-8.1.1-2.sparc.rpm

Red Hat 4.2, i386:

rpm -Uvh ftp://ftp.redhat.com/updates/4.2/i386/bootp-2.4.3-2.1.i386.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/i386/metamail-2.7-7.3.i386.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/i386/metamail-2.7-7.4.i386.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/i386/elm-2.4.25-8.1.i386.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/i386/dhcpcd-0.65-0.i386.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/i386/minicom-1.81-0.i386.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/i386/XFree86-3.3.2-1.i386.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/i386/XFree86-libs-3.3.2-1.i386.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/i386/xscreensaver-2.16-0.i386.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/i386/findutils-4.1-11.2.i386.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/i386/mailx-8.1.1-0.i386.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/i386/mailx-8.1.1-0.1.i386.rpm

Red Hat 4.2, alpha:

rpm -Uvh ftp://ftp.redhat.com/updates/4.2/alpha/bootp-2.4.3-2.1.alpha.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/alpha/metamail-2.7-7.3.alpha.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/alpha/metamail-2.7-7.4.alpha.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/alpha/elm-2.4.25-8.1.alpha.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/alpha/dhcpcd-0.65-0.alpha.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/alpha/minicom-1.81-0.alpha.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/alpha/XFree86-3.3.2-1.alpha.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/alpha/XFree86-libs-3.3.2-1.alpha.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/alpha/xscreensaver-2.16-0.alpha.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/alpha/findutils-4.1-11.2.alpha.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/alpha/mailx-8.1.1-0.alpha.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/alpha/mailx-8.1.1-0.1.alpha.rpm

Red Hat 4.2, SPARC:

rpm -Uvh ftp://ftp.redhat.com/updates/4.2/sparc/bootp-2.4.3-2.1.sparc.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/sparc/metamail-2.7-7.3.sparc.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/sparc/metamail-2.7-7.4.sparc.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/sparc/elm-2.4.25-8.1.sparc.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/sparc/dhcpcd-0.65-0.sparc.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/sparc/minicom-1.81-0.sparc.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/sparc/xscreensaver-2.16-0.sparc.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/sparc/findutils-4.1-11.2.sparc.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/sparc/mailx-8.1.1-0.sparc.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/sparc/mailx-8.1.1-0.1.sparc.rpm
all New Apache Web Server
Version 1.3 has been released; systems running Microsoft Windows NT/95 are now also supported. More information about the features of Apache httpd 1.3 can be found at the Apache Website.


© 1998 Dr. Matthias Leu, EDV Beratung fuer Internet/Intranet, last update: July 15, 1998, 06:09 +0200