News July 1998


Most of the links lead to the corresponding files at CERT or other organisations, so changes there take effect immediately, in particular which patches should be installed or which configuration changes should be made to avoid a vulnerability. Most of the files are transferred by FTP.
By the way: if we do not publish a well-known risk inherent in a widely used platform or program, that does not mean this particular platform or program is safe to use!


Microsoft Windows NT 3.51 and 4.0 NT Privilege Elevation attack: MS98-09, AA-98.03
This vulnerability can be exploited by a program called sechole.exe which was published on the Internet. It performs steps that allow a non-administrative user who is logged on locally (at the console) of a system to gain debug-level access to a system process. Using this program, a normal user is able to run arbitrary code in the system security context and can thereby increase their privileges on the local system.
It's strongly recommended to install the (US) patches immediately: Windows NT 4.0 x86, Windows NT 4.0 Alpha. The fixes for NT 3.51 and Windows NT Server 4.0 Terminal Server Edition will be released shortly.
Netscape Communicator 4.0-4.05, 4.5b1 Long Filename Mail Vulnerability: Netscape, I-077, ESB-98.120, ERS-084
This vulnerability affects the mail and news components of Netscape Communicator 4.0 through 4.05 and Netscape Communicator 4.5 Preview Release 1 on the Windows 3.1, 95, 98, and NT platforms.
The Long Filename Mail vulnerability could allow an email or newsgroup message with an attachment that has a very long filename to execute malicious code on your computer. Communicator may quit unexpectedly, and/or selecting the File menu may cause malicious code to be executed on your computer. Netscape is not aware of any users who have been affected by a malicious message.
Until a patch is released (in about two weeks) it's strongly recommended to view all attachments as links only:
Communicator 4.0 - 4.05: In the menu select View: Attachments: As links
Communicator 4.5 Preview Release 1: In the menu select View: View attachments inline. Selecting this item changes it to View: View attachments as links.
Microsoft Outlook 98, Outlook Express Mime Name Vulnerability: MS98-08, AA-98.02, I-077, ESB-98.120, ERS-084, ERS-085, ERS-096, S-98-49 and 49a (!)
Outlook 98:
When Outlook 98 attempts to download a message with a file attachment that has a filename greater than a certain length, Outlook could terminate unexpectedly. The user does not have to open the attachment for this to occur. The newsreader has the same vulnerability.
Outlook Express 4.x:
When the user attempts to open an attachment in the Outlook Express mail or news client and the attachment has a filename longer than a certain number of characters, the client could terminate unexpectedly.
It is difficult but possible for an individual to cause malicious code to be executed on your computer as a result of this problem. There have not been any reports of customers being affected by it. It's recommended to install the patches published by Microsoft (fixes for the international versions will follow):
Microsoft Outlook 98 for Windows 95, 98 or NT 4.0
Microsoft Outlook Express 4.0 (Internet Explorer 4.0 on Windows 95, 98 or NT 4.0): Upgrade to 4.01 first!
Microsoft Outlook Express 4.01 for Windows 95, 98, NT 4.0 or Macintosh (Solaris will be published soon)
Further information can be found in the advisory. Attachments in e-mail should not be opened until the patches are installed.
Microsoft Exchange Potential SMTP and NNTP Denial-of-Service Vulnerabilities in Exchange Server 5.0 and 5.5: MS98-07, I-080
If a malicious attacker connects to a Microsoft Exchange Server running the NNTP Service (TCP/119) and issues certain sequences of incorrect data, an application error could occur, causing the Server Information Store to stop responding. If the Exchange Information Store stops responding, it could cause other Exchange services to fail as well, and user attempts to connect to their folders on the mail server would fail. Restarting the services brings the server back to normal operation; a reboot is not necessary. It's recommended to install the patches distributed by Microsoft:
Exchange Server 5.0 ALL LANGUAGES:
ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/Eng/Exchg5.0/Post-SP2-STORE/
ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/Eng/Exchg5.0/Post-SP2-IMS/
Exchange Server 5.5 ENGLISH:
ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/Eng/Exchg5.5/PostRTM/STORE-FIX
ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/Eng/Exchg5.5/PostRTM/IMS-FIX
Exchange Server 5.5 FRENCH:
ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/Frn/Exchg5.5/PostRTM/STORE-FIX
ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/Frn/Exchg5.5/PostRTM/IMS-FIX
Exchange Server 5.5 GERMAN:
ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/Ger/Exchg5.5/PostRTM/STORE-FIX
ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/Ger/Exchg5.5/PostRTM/IMS-FIX
Exchange Server 5.5 JAPANESE:
ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/Jpn/Exchg5.5/PostRTM/STORE-FIX
ftp://ftp.microsoft.com/bussys/exchange/exchange-public/fixes/Jpn/Exchg5.5/PostRTM/IMS-FIX
Microsoft IIS 2.0 - 4.0 Potential Denial-of-Service in IIS FTP Server: MS98-06
In IIS, certain uses of multiple passive FTP connections may result in errors, degrade system performance, and create denial-of-service situations for both the FTP service and the WWW service running on the same machine. This denial-of-service vulnerability may be used by someone with malicious intent to cause disruption of service; the FTP server cannot be crashed this way. It's recommended to install the patches (for the US version) released by Microsoft:
Intel (IIS 2.0 and 3.0, 4.0), Alpha (IIS 2.0 and 3.0, 4.0)
HP-UX releases 9.X, 10.X, and 11.00 Vulnerability in FTP Client: HP Security Bulletin #00079, I-078, ERS-083, S-98-47, ESB-98.122
On HP9000 series 700/800 systems running HP-UX a security risk has been found: the ftp client can be tricked into running arbitrary commands supplied by the remote server. It's recommended to install the patches, which can be downloaded from HP's site.
HP-UX release 9.X: PHNE_13595
HP-UX release 10.0, 10.01, 10.10: PHNE_13596
HP-UX release 10.16: PHNE_16006*
HP-UX release 10.20: PHNE_13597, PHNE_15544
HP-UX release 10.24: PHNE_15802
HP-UX release 11.00: PHNE_14479
* The CMW release (HP-UX 10.16) will be available after 10 August 98.
MS Office 98 for Macintosh Unwanted Data Issue with Office 98: MS98-05, I-075, ERS-082
When using Microsoft Office 98 on a Macintosh, deleting a document is not complete: a small amount of random data from the previously deleted file can become embedded in a new Office 98 file. This is a problem if the new document is sent to another user, who could then expose data from a previously deleted file of the sender.
It's recommended to install the update published by Microsoft.
many New Scanning-Tool multiscan ('mscan'): AL-98.01, I-073, ERS-078, S-98-50
An increase in network scanning activity has been observed. It is believed that intruders are using a new tool called 'Multiscan' or 'mscan'. This tool enables the user to scan whole domains and complete ranges of IP addresses to discover well-known vulnerabilities in the following services:
statd
nfs
cgi-bin programs (e.g. 'handler', 'phf' & 'cgi-test')
X
POP3
IMAP
Domain Name Servers
finger
'mscan' also provides information to the user which may be useful in hiding their probe attempts against a subnet by bouncing their scans off hosts identified as running the application 'wingate'.
What to do against these attack preparations is pointed out in the advisory. Mscan can only scan hosts that are visible on the network; external users cannot probe hosts behind a suitably configured firewall.
many Security risk through some implementations of IMAP Servers: CA-98.09, I-074, ESB-98.117, ERS-079, S-98-44
This vulnerability was found in earlier versions of the University of Washington IMAP server. By provoking a buffer overflow, remote intruders can execute arbitrary commands with the privileges of the process running the vulnerable IMAP server. If the vulnerable IMAP server is running as root, remote intruders can gain root access.
Which versions and systems are affected, how to find out if a system is vulnerable and which patches to install can be found in the advisory.
IRIX 6.4 Vulnerability in ioconfig and disk_bandwidth: SGI19980701, I-076, ESB-98.118, ERS-080, S-98-45, S-98-48
The IRIX ioconfig program assigns logical controller numbers to all I/O devices on a Silicon Graphics Origin or Onyx2 system. The IRIX disk_bandwidth(1M) program is used to determine the number of I/O operations that can be performed on a given disk device on an Origin or Onyx2 system. Both programs are normally only used by IRIX system administrators. A vulnerability has been discovered in both the ioconfig and disk_bandwidth programs that can lead to a root compromise of the system.
It's recommended to restrict permissions of the ioconfig and disk_bandwidth programs to the root user.
IRIX 6.3 and 6.4 Vulnerability in mailcap: SGI19980403, ESB-98.119, ERS-081, S-98-46
IRIX 6.3/6.4 users that have Mailcap entries for x-sgi-task and x-sgi-exec have this vulnerability. On IRIX 6.3/6.4, these vulnerable Mailcap entries are installed by default in /usr/local/lib/netscape/mailcap. Users can add their own Mailcap entries in their home directories ($HOME/.mailcap), and these need to be inspected for the vulnerable x-sgi-task and x-sgi-exec entries. This vulnerability requires a user to use Netscape Navigator to browse the web or read email from a malicious site and download a "trojan horse" System Manager Task, which will execute locally with the privileges of the user browsing. If the user is a privileged or root user, the "trojan horse" System Manager Task will execute with root privileges and can lead to a root compromise.
Which patches should be installed can be found in the advisory.
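The inspection of the system-wide mailcap and of $HOME/.mailcap that the advisory asks for can be scripted. The following is an added example, not code from the advisory or from SGI: it parses mailcap files in the RFC 1524 layout (comment lines, backslash line continuations, escaped semicolons) and reports entries whose subtype is x-sgi-task or x-sgi-exec. The full MIME type application/x-sgi-task is an assumption, which is why matching is done on the subtype alone; the sample mailcap text and its placeholder commands are constructed for the example.

```python
"""Scan mailcap files for the x-sgi-task / x-sgi-exec entries named in the advisory."""
import os
import re
from typing import Dict, List, Tuple

# Subtypes named in the SGI advisory. Matching on the subtype alone flags an
# entry whatever top-level type it is registered under (application/x-sgi-task
# is assumed to be the usual form; the page only names the subtypes).
VULNERABLE_SUBTYPES = ("x-sgi-task", "x-sgi-exec")

# System-wide mailcap location quoted in the advisory.
SYSTEM_MAILCAP = "/usr/local/lib/netscape/mailcap"


def parse_mailcap(text: str) -> List[Tuple[str, str]]:
    """Return (mime_type, view_command) pairs from mailcap text.

    Follows the RFC 1524 layout: '#' comment lines, blank lines, backslash
    line continuations and backslash-escaped semicolons inside a field.
    Trailing fields (flags such as needsterminal) are ignored.
    """
    entries: List[Tuple[str, str]] = []
    pending: List[str] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            pending.append(line[:-1])  # entry continues on the next physical line
            continue
        pending.append(line)
        logical = "".join(pending).strip()
        pending = []
        if not logical or logical.startswith("#"):
            continue
        fields = [f.strip() for f in re.split(r"(?<!\\);", logical)]
        if len(fields) < 2 or not fields[0]:
            continue  # malformed entry without a view command
        entries.append((fields[0].lower(), fields[1]))
    return entries


def vulnerable_entries(text: str) -> List[Tuple[str, str]]:
    """Entries whose subtype is one of the two the advisory warns about."""
    return [(mtype, cmd) for mtype, cmd in parse_mailcap(text)
            if mtype.rsplit("/", 1)[-1] in VULNERABLE_SUBTYPES]


def audit_files(paths: List[str]) -> Dict[str, List[Tuple[str, str]]]:
    """Read each existing mailcap file and report its vulnerable entries."""
    report: Dict[str, List[Tuple[str, str]]] = {}
    for path in paths:
        if not os.path.isfile(path):
            continue
        with open(path, "r", errors="replace") as fh:
            hits = vulnerable_entries(fh.read())
        if hits:
            report[path] = hits
    return report


# Constructed sample in the style of a mailcap file; the commands are
# placeholders for this example, not the real IRIX entries.
SAMPLE_MAILCAP = """\
# constructed sample mailcap
image/gif; xv %s
application/x-sgi-task; run-sgi-task %s; \\
    description="SGI System Manager Task"
application/x-sgi-exec; run-sgi-exec %s
text/plain; cat %s; copiousoutput
"""

if __name__ == "__main__":
    for mtype, cmd in vulnerable_entries(SAMPLE_MAILCAP):
        print(f"sample: vulnerable entry {mtype} -> {cmd}")
    user_mailcap = os.path.join(os.path.expanduser("~"), ".mailcap")
    for path, hits in audit_files([SYSTEM_MAILCAP, user_mailcap]).items():
        for mtype, cmd in hits:
            print(f"{path}: vulnerable entry {mtype} -> {cmd}")
```

Run on an IRIX host it checks the default file and the current user's .mailcap; to cover every account, pass each home directory's .mailcap to audit_files.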
Apache Apache Web Server vulnerable under WIN32: Apache
Some security holes were found when running the Apache Web Server under WIN32. It's recommended to install version 1.3.1 where these vulnerabilities are fixed.
Microsoft IIS 4.0 and RDS 1.5 Unauthorized ODBC Data Access with RDS and IIS: MS98-004, ESB-98.113
Remote Data Service (RDS) is a component of Microsoft Data Access Components (MDAC), which is installed by default when IIS 4.0 is installed via the Windows NT Option Pack.
A web client connecting to an IIS server can use the RDS DataFactory object to direct that server to access data using an installed OLE DB provider. This includes executing SQL calls to ODBC-compliant databases using the ODBC drivers installed on the server. The RDS DataFactory object along with other installed ODBC drivers opens other possibilities, including possible access to non-published files on the IIS server.
The bulletin gives a workaround to avoid this problem.
NIS Servers Distributed DoS attack against NIS/NIS+ networks: I-070, ESB-98.114, ERS-076
It is possible, through an attack using the finger service against multiple NIS clients, to disrupt an entire NIS-based network and/or starve the NIS servers of resources. The problem lies in the finger service, but the attack causes long-duration, network-wide congestion and resource exhaustion on NIS servers.
It's recommended to avoid using finger if it is allowed to do ambiguous lookups. If the finger service is required for some specific purpose, limit it to the minimum number of restricted hosts or to hosts that are not participating in NIS.
Cisco PIX Vulnerability caused by misconfigured established command: Cisco707
Some administrators do not correctly understand the established command and a static conduit that gives outside users access to a specific TCP or UDP port on an inside server. A misconfigured combination of both commands allows external users to connect to every port on the inside server. Because the reasons for using the established command differ from installation to installation, a global solution does not work for all. It's strongly recommended to make sure that the implemented security policy gives the expected security.
OpenVMS (VAX and ALPHA) V7.1 Potential security vulnerability by loginout: I-071, ESB-98.115, VB-98.07, ERS-077, ESB-98.121
A potential vulnerability with loginout for OpenVMS (VAX and ALPHA) software has been discovered, where under certain circumstances, a user may gain unauthorized access.
It's strongly recommended to upgrade to a minimum of OpenVMS (VAX or ALPHA) V7.1 and to install the appropriate patch kit immediately.
Which patches to install is pointed out in the advisory.
Red Hat Linux Problems with Samba, and imap-4.1.final released: ESB-98.110, ESB-98.116
Serious security problems have been found in all versions of Samba shipped with Red Hat Linux. All users of samba should upgrade to the latest version and restart samba with: /etc/rc.d/init.d/smb stop; /etc/rc.d/init.d/smb start as soon as possible.
There was a mistake in the original post about the imap update. Security problems have been found in all versions of imap shipped with Red Hat Linux. If "rpm -q imap" shows that imap is installed on your system, please upgrade to these new imap releases immediately, or remove imap by running "rpm -e imap".
Red Hat 5.0 and 5.1, i386:
rpm -Uvh ftp://ftp.redhat.com/updates/5.0/i386/samba-1.9.18p7-2.i386.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/5.0/i386/imap-4.1.final-1.i386.rpm
Red Hat 5.0 and 5.1, alpha:
rpm -Uvh ftp://ftp.redhat.com/updates/5.0/alpha/samba-1.9.18p7-2.alpha.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/5.0/alpha/imap-4.1.final-1.alpha.rpm
Red Hat 5.0 and 5.1, SPARC:
rpm -Uvh ftp://ftp.redhat.com/updates/5.0/sparc/samba-1.9.18p7-2.sparc.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/5.0/sparc/imap-4.1.final-1.sparc.rpm
Red Hat 4.2, i386:
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/i386/samba-1.9.18p7-0.i386.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/i386/imap-4.1.final-0.i386.rpm
Red Hat 4.2, alpha:
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/alpha/samba-1.9.18p7-0.alpha.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/alpha/imap-4.1.final-0.alpha.rpm
Red Hat 4.2, SPARC:
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/sparc/samba-1.9.18p7-0.sparc.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/sparc/imap-4.1.final-0.sparc.rpm
Solaris 2.6 (SPARC and x86) Vulnerability in SUNWadmap: SUN Security Bulletin #00173, I-072, ESB-98.112, ERS-075
The System administration applications package, SUNWadmap, provides software used to perform system administration tasks. A vulnerability has been discovered in the SUNWadmap package of the Solaris 2.6 Hardware:3/98 and 5/98 update releases which could be exploited to get root access.
Where to download patches and the patch-numbers are listed in the advisory.
Solaris 2.3-2.6 (SPARC and x86) Vulnerabilities in libnsl: SUN Security Bulletin #00172, I-072, ESB-98.111, ERS-074
The network services library, libnsl, provides functions which may be used by application programs to interface to network services. Several buffer overflows have been discovered in the library routines which could be exploited to gain root access. Where to download patches and the patch-numbers are listed in the advisory.
Red Hat Linux Vulnerabilities in dosemu and libtermcap: ESB-98.107
Security problems have been found in dosemu and libtermcap. These security problems allow users on your local system to gain root access, and should be fixed as soon as possible.
Red Hat 5.0 and 5.1, i386:
rpm -Uvh ftp://ftp.redhat.com/updates/5.0/i386/dosemu-0.66.7-7.i386.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/5.0/i386/libtermcap-2.0.8-9.i386.rpm
Red Hat 5.0 and 5.1, alpha:
rpm -Uvh ftp://ftp.redhat.com/updates/5.0/alpha/libtermcap-2.0.8-9.alpha.rpm
Red Hat 5.0 and 5.1, SPARC:
rpm -Uvh ftp://ftp.redhat.com/updates/5.0/sparc/libtermcap-2.0.8-9.sparc.rpm
Red Hat 4.2, i386:
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/i386/dosemu-0.66.7-0.i386.rpm
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/i386/libtermcap-2.0.8-4.1.i386.rpm
Red Hat 4.2, alpha:
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/alpha/libtermcap-2.0.8-4.1.alpha.rpm
Red Hat 4.2, SPARC:
rpm -Uvh ftp://ftp.redhat.com/updates/4.2/sparc/libtermcap-2.0.8-4.1.sparc.rpm
MacOS Danger for PowerPC by Autostart 9805 worm virus: I-067, ERS-071, ESB-98.108
There is an Autostart 9805 worm virus spreading among PowerPC systems. It spreads through HFS or HFS+ volumes. Autostart 9805 overwrites some data files and produces denial-of-service characteristics. Some invisible files may be added to all disk partitions. It's recommended to upgrade to the most current anti-virus software for the Mac. Some commercial and non-commercial tools are listed in the advisory.
many Unix Vulnerability in qpopper: AA-98.01, CA-98.08, I-069, S-98-40, ERS-073, S-98-40
A vulnerability has been found in Qualcomm's popper(8) POP mail server, distributed as qpopper and available for various Unix platforms. The popper(8) server program runs with root privileges so it can act on behalf of users accessing their mail using the POP protocol. Due to insufficient bounds checking on its input in versions prior to 2.5, it is possible to cause a buffer overrun in the popper(8) program while it is executing. This vulnerability permits attackers to gain root privileges remotely, even without a user account on the server.
It's strongly recommended to install the latest version of qpopper which is not vulnerable.
Microsoft IIS 3.0, 4.0 Vulnerability in Internet Information Server: MS98-003, I-068, VB-98.06, S-98-39, ERS-072, ESB-98.109, S-98-39
Web clients that connect to IIS can read the contents of files to which they have execute and read only permissions. These files have to be in a web server v-root directory and on an NTFS volume. NTFS supports multiple data streams within a file. The main data stream, which stores the primary content, has an attribute called $DATA. Accessing this NTFS stream via IIS from a browser may display the script code for the file.
A workaround is described in the Advisory. It's recommended to install a hotfix released by Microsoft:
IIS 3.0 (Intel x86) hotfix, IIS 3.0 (Alpha) hotfix, IIS 4.0 (Intel x86) hotfix, IIS 4.0 (Alpha) hotfix.
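Until the hotfix is on every server, web logs can be checked for requests that name an NTFS data stream. The following is an added example, not code from the bulletin or from Microsoft: it reads IIS logs in the W3C extended format, taking the column layout from the #Fields: directive, URL-decodes the requested path and flags paths that use the NTFS stream syntax name:stream:$DATA (the unnamed main stream is written name::$DATA). The log lines and addresses are constructed for the example.

```python
"""Flag requests for NTFS data streams ($DATA) in IIS W3C extended log lines."""
import re
from typing import Dict, Iterator, List, Tuple
from urllib.parse import unquote

# NTFS addresses a stream as  name:stream:$DATA ; the unnamed main stream is
# written  name::$DATA . Matched after URL-decoding, case-insensitively.
STREAM_RE = re.compile(r":[^/:]*:\$data", re.IGNORECASE)


def parse_w3c_log(log_text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per log record; the #Fields: directive defines the columns."""
    fields: List[str] = []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue  # other directives, blank lines, or data before any header
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed record
        yield dict(zip(fields, values))


def find_stream_requests(log_text: str) -> List[Tuple[str, str, int]]:
    """Return (client_ip, decoded_uri_stem, status) for stream-syntax requests."""
    hits: List[Tuple[str, str, int]] = []
    for rec in parse_w3c_log(log_text):
        stem = unquote(rec.get("cs-uri-stem", ""))
        if not STREAM_RE.search(stem):
            continue
        try:
            status = int(rec.get("sc-status", ""))
        except ValueError:
            status = -1  # status column missing or not numeric
        hits.append((rec.get("c-ip", "?"), stem, status))
    return hits


# Constructed sample log (documentation addresses, invented paths).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
1998-07-15 10:02:11 192.0.2.10 GET /default.asp - 200
1998-07-15 10:02:14 192.0.2.10 GET /scripts/login.asp - 200
1998-07-15 10:03:02 198.51.100.7 GET /scripts/login.asp::$DATA - 200
1998-07-15 10:03:09 198.51.100.7 GET /scripts/db.asp%3A%3A%24DATA - 200
1998-07-15 10:04:30 192.0.2.22 GET /images/logo.gif - 304
"""

if __name__ == "__main__":
    for ip, stem, status in find_stream_requests(SAMPLE_LOG):
        print(f"{ip} requested stream {stem} (status {status})")
```

A hit with a 2xx status means the server answered the stream request and the file's source may have been disclosed; those hosts deserve a check that the hotfix is actually installed. The second sample request shows why decoding comes before matching: the same path arrives URL-encoded as %3A%3A%24DATA.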


© 1998 Dr. Matthias Leu, EDV Beratung fuer Internet/Intranet, last Update: August 31, 1998, 14:23 +0200