News June 1999


Most of the links lead to the corresponding files at CERT or other organisations, so changes there take effect immediately, in particular which patches should be installed or which configuration changes should be made to avoid a given vulnerability. Most of the files are transferred by ftp.
By the way: if we do not publish well-known risks inherent in some widely used platform or program, that does not mean this particular platform or program is safe to use!


Microsoft IIS 3.0, 4.0, with default language Chinese, Korean, or Japanese Double Byte Code Page Vulnerability: MS99-022, ERS-1999.089
When IIS is run on a machine on which a double-byte character set code page is used (i.e., the default language on the server is set to Chinese, Japanese, or Korean), and a specific URL construction is used to request a file in a virtual directory, normal server-side processing is bypassed. As a result, the file is simply delivered as text to the browser, thereby allowing the source code to be viewed.
Patches are available for the English, simplified Chinese, traditional Chinese, Japanese, and Korean versions.
Windows NT 4.0 Vulnerability caused by CSRSS Worker Thread Exhaustion: MS99-021, ERS-1999.088, J-049, ESB-1999.086
If all worker threads in CSRSS.EXE are occupied awaiting user input, no other requests can be serviced, effectively causing the server to hang. When user input is provided, processing returns to normal. The patch eliminates the vulnerability by ensuring that the last CSRSS worker thread services only requests that do not require user input.
Further information as well as a hotfix can be found in the advisory.
Windows NT 4.0 Vulnerability by Malformed LSA Request: MS99-020, ERS-1999.087, J-049, ESB-1999.085
Windows NT provides the ability to manage user privileges programmatically via the Local Security Authority (LSA) API. The API allows a program to query user names, modify privileges, and change other elements of the security policy, subject to the program's authorizations. Certain API methods do not correctly handle certain types of invalid arguments. The vulnerability is a denial of service threat only, and service can be restored by restarting the machine.
It's recommended to install a hotfix published by Microsoft.
all New ISS Summary: ISS, ERS-1999.085
ISS reports 6 new vulnerabilities found:
- sun-rpc-statd
- ntmail-relay
- management-agent-file-read
- management-agent-dos
- http-cgi-cdomain
- ExploreZip Trojan Horse
Further information can be found at the site of ISS.
Microsoft IIS 4.0 Malformed HTR Request Vulnerability: MS99-019, CA-99-07, ERS-1999.084, ERS-1999.086, ERS-1999.084-2, J-048, ESB-1999.080
IIS supports several file types that require server-side processing. When a web site visitor requests a file of one of these types, an appropriate filter DLL processes it. A vulnerability exists involving an unchecked buffer in ISM.DLL, the filter DLL that processes .HTR files. HTR files enable remote administration of user passwords.
The result of the buffer overflow is either a crash of IIS or the possibility for remote users to run arbitrary code on the server.
It's highly recommended to disable the script mapping for .HTR files (how to do this is described in the advisory) or to install a hotfix: US version, German version.
Windows 9x and NT New Trojan Horse Program called ExploreZip: CA-99-06, J-047, ERS-1999.082, S-99-15, ERS-1999.083, ESB-1999.075, ESB-1999.079, ESB-1999.078
A Trojan horse program is currently propagating widely as an E-Mail attachment. This program is called ExploreZip (alias: W32/ExploreZip.worm, Worm.ExploreZip). There are indications that this has the potential to be a widespread attack. The program is not known to exploit any new vulnerabilities. While the primary transport mechanism of this program is E-Mail, any other way of transferring files can also propagate the program. The user is enticed to open the attachment by the text of the E-Mail, e.g.:
  I received your email and I shall send you a reply ASAP.
  Till then, take a look at the attached zipped docs.
Once opened, the program searches local and networked drives (drive letters C through Z) for specific file types and attempts to erase the contents of the files, leaving a zero byte file. The targets may include Microsoft Office files (.doc, .xls, and .ppt) and various source code files (.c, .cpp, .h, and .asm). The program propagates by replying to any new E-Mail received on an infected computer; a copy of zipped_files.exe is attached to the reply message. In order to spread using E-Mail, the worm needs Microsoft Outlook or Microsoft Exchange.
The program modifies the win.ini and creates a file called explore.exe.
Vendors of AntiVirus-Software are working on a solution. At the moment an update is available for the scanners by NAI (McAfee), Symantec (NAV), DataFellows (FProt), and Trend Micro.
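An added host-side check, not part of the advisories above, that looks for the two traces described in this entry: references to explore.exe in win.ini and zero-byte files of the targeted types. The win.ini text and the directory tree are constructed samples; the run= placement of the entry is an assumption, the check itself only looks for the file name named above.

```python
import os
import tempfile

# File types the advisory says the program wipes to zero bytes.
TARGET_EXTS = {".doc", ".xls", ".ppt", ".c", ".cpp", ".h", ".asm"}

def suspicious_winini_lines(text):
    """Return the win.ini lines that reference explore.exe (case-insensitive)."""
    return [ln.strip() for ln in text.splitlines() if "explore.exe" in ln.lower()]

def zero_byte_targets(root):
    """List zero-byte files of the targeted types below root (a drive or folder)."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if ext in TARGET_EXTS and os.path.getsize(path) == 0:
                hits.append(path)
    return sorted(hits)

# Constructed win.ini sample; the 'run=' placement is an assumption.
SAMPLE_WININI = """[windows]
load=
run=C:\\WINDOWS\\SYSTEM\\Explore.exe
[Desktop]
Wallpaper=(None)
"""

def build_sample_tree():
    """Constructed directory: one wiped .doc, one intact .c, one empty non-target file."""
    root = tempfile.mkdtemp()
    open(os.path.join(root, "report.doc"), "wb").close()   # 0 bytes: looks wiped
    with open(os.path.join(root, "main.c"), "w") as f:
        f.write("int main(void) { return 0; }\n")           # intact source file
    open(os.path.join(root, "notes.txt"), "wb").close()    # empty, but not a target type
    return root

if __name__ == "__main__":
    print(suspicious_winini_lines(SAMPLE_WININI))
    print(zero_byte_targets(build_sample_tree()))
```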
HP-UX Security Vulnerability in VVOS NES: HP Security Bulletin #00098, ERS-1999.080, J-046, ESB-1999.076
Under certain conditions, Netscape Enterprise Server (NES) fails to properly process web requests. This activity has been observed in the NES bundled with Praesidium VirtualVault releases A.02.00, A.03.00, A.03.01 and A.03.50.
It's recommended to install the available patches:
HP-UX 10.24 with VirtualVault A.02.00 US/Canada: PHCO_18615
HP-UX 10.24 with VirtualVault A.02.00 International: PHSS_18620
HP-UX 10.24 with VirtualVault A.03.00 US/Canada: PHCO_18615
HP-UX 10.24 with VirtualVault A.03.00 International: PHSS_18616
HP-UX 10.24 with VirtualVault A.03.01 US/Canada: PHCO_18615
HP-UX 10.24 with VirtualVault A.03.01 International: PHSS_18612
HP-UX 10.24 with VirtualVault A.03.50 US/Canada: PHCO_18615
HP-UX 10.24 with VirtualVault A.03.50 International: PHSS_18621
Cisco 12000 series IOS Software established Access List Keyword Error: Cisco, ERS-1999.081, ESB-1999.077
Cisco 12000 series Gigabit Switch Routers (currently the 12008 and 12012 GSRs) running Cisco IOS software release 11.2(14)GS2 through 11.2(15)GS3 forward unauthorized traffic due to an error encountered while processing the established keyword in an access-list statement. The resulting vulnerability could be exploited to circumvent a site's security policy. When an affected router applies the following access-list statement to an interface:
access-list 101 permit tcp any any established
the established keyword is ignored. It's recommended to install a patch mentioned in the advisory.
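As an added illustration (not part of the Cisco advisory), the following Python model shows what the established keyword is supposed to do: it matches only TCP segments with the ACK or RST bit set, i.e. return traffic of connections opened from the inside, so a bare SYN from outside falls through to the implicit deny. The same list evaluated with the keyword ignored, as on the affected releases, permits that SYN. Packet contents and flag values are constructed for the example.

```python
from dataclasses import dataclass

# TCP flag bits as defined in RFC 793.
ACK = 0x10
RST = 0x04
SYN = 0x02

@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp", ...
    tcp_flags: int = 0  # only meaningful for tcp

@dataclass(frozen=True)
class AclEntry:
    action: str                # "permit" or "deny"
    proto: str                 # "tcp", "udp" or "ip" (any); source/dest are "any any"
    established: bool = False  # the IOS 'established' keyword

def entry_matches(entry, pkt, honor_established=True):
    """Return True if the packet matches this 'any any' entry."""
    if entry.proto != "ip" and entry.proto != pkt.proto:
        return False
    if entry.established and honor_established:
        # IOS semantics: match only segments with ACK or RST set (an existing
        # connection); a bare SYN, i.e. a new inbound connection, must not match.
        return bool(pkt.tcp_flags & (ACK | RST))
    return True  # keyword absent, or ignored as on the affected GSR releases

def evaluate(acl, pkt, honor_established=True):
    """Walk the list in order; unmatched packets hit the implicit deny."""
    for entry in acl:
        if entry_matches(entry, pkt, honor_established):
            return entry.action
    return "deny"

# access-list 101 permit tcp any any established
ACL_101 = [AclEntry("permit", "tcp", established=True)]

# Constructed packets: a new inbound connection attempt and a reply segment.
INBOUND_SYN = Packet("tcp", tcp_flags=SYN)
REPLY_ACK = Packet("tcp", tcp_flags=ACK)

def compare(pkt):
    """(decision of a correct router, decision when 'established' is ignored)."""
    return evaluate(ACL_101, pkt), evaluate(ACL_101, pkt, honor_established=False)

if __name__ == "__main__":
    print("inbound SYN:", compare(INBOUND_SYN))  # ('deny', 'permit')
    print("reply ACK  :", compare(REPLY_ACK))    # ('permit', 'permit')
```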
many Unix Vulnerability in statd exposes vulnerability in automountd: CA-99-05, ERS-1999.078, J-045, S-99-16, ESB-1999.074
Systems running older versions of rpc.statd and automountd are affected by this vulnerability. A vulnerability in rpc.statd may allow a remote intruder to call arbitrary rpc services with the privileges of the rpc.statd process, typically root. The vulnerability in automountd may allow a local intruder to execute arbitrary commands with the privileges of the automountd service. By combining attacks exploiting these two vulnerabilities, a remote intruder is able to execute arbitrary commands with the privileges of the automountd service.
Further information about affected vendors and how to get a patch is described in the advisory.
KDE 1.1 KDE K-Mail File Creation Vulnerability: ISS-027, ERS-1999.079
KDE is a very popular window manager available for most Unix platforms, and provides an easy-to-use interface and a number of graphical front ends to common command-line Unix applications. K-Mail contains a vulnerability that may allow local attackers to compromise the UID of whoever is running K-Mail. The mail client creates insecure temporary directories that are used to store MIME encoded files.
It's recommended to install a patch.
Debian Linux under Sparc Denial-of-service in 2.2-series kernel: Debian0607
Linux 2.2.x kernels had a problem with parsing IP options, which made them susceptible to a DoS attack. The Debian GNU/Linux 2.1 release (slink) for the Sun sparc architecture uses such a kernel. If you are using such a system and haven't upgraded the kernel yourself, it's recommended to upgrade your kernel-image package immediately. If you have a sun4u system please use kernel-image-2.2.9-sun4u, otherwise use the normal kernel-image-2.2.9 package.
Kernel-Headers-2.2.9, kernel-image-2.2.9 sun4u, kernel-image-2.2.9
Solaris 2.5.1 - 2.6 Update for sendmail: SUN Security Bulletin #00187, ERS-1999.077, S-99-17, ESB-1999.073
Sendmail is a freely available mail transfer agent. Its base version is commonly known as "Berkeley sendmail", as opposed to various vendors' versions of sendmail (including Sun's). SunOS 5.6 and 5.5.1 originally included version 8.6.9 of Berkeley sendmail, with Sun enhancements added. Various security related improvements were made in version 8.8.8 of Berkeley sendmail, including improvements relating to email spam and bombs, and email relaying. It's recommended to install the new version.
Operating System      Patch ID
Solaris 2.6           105395-05
Solaris 2.6_x86       105396-05
Solaris 2.5.1         103594-18
Solaris 2.5.1_x86     103595-18
Solaris 2.3 - 2.6 Vulnerability caused by rpc.statd: SUN Security Bulletin #00186, ERS-1999.076, ESB-1999.072
Rpc.statd is the NFS file-locking status monitor. It interacts with rpc.lockd to provide the crash and recovery functions for file locking across NFS. rpc.statd allows indirect RPC calls to other RPC services. Because rpc.statd runs as root, this allows remote attackers to bypass access controls of other RPC services.
It's recommended to install a patch, published by Sun Microsystems.
Operating System      Patch ID
Solaris 2.6           106592-02
Solaris 2.6_x86       106593-02
Solaris 2.5.1         104166-04
Solaris 2.5.1_x86     104167-04
Solaris 2.5           103468-04
Solaris 2.5_x86       103469-05
Solaris 2.4           102769-07
Solaris 2.4_x86       102770-07
Solaris 2.3           102932-05
Debian Linux Vulnerability in POP-2 daemon: Debian0607a
The version of the imap suite in Debian GNU/Linux 2.1 has a vulnerability in its POP-2 daemon, which can be found in the ipopd package. Using this vulnerability it is possible for remote users to get a shell as user "nobody" on the server.
It's recommended to install the corresponding patches for alpha, i386, m68k or sparc.
all New ISS Summary: ISS, ERS-1999.075
ISS reports 13 new vulnerabilities found within the last month:
- nt-ras-pwcache
- cmail-command-bo
- cmail-fileread
- ftgate-fileread
- coldfusion-admin-dos
- coldfusion-encryption
- netscape-space-view
- netscape-title
- netbsd-arp
- nt-ras-bo
- irix-midikeys
- cde-dtlogin
- nt-helpfile-bo
Further information can be found at the site of ISS.


© 1999 Dr. Matthias Leu, EDV Beratung fuer Internet/Intranet, last Update: 1999-07-13, 10:55 +0200