News August 1998
Most of the links lead to the corresponding files at CERT or other organisations, so changes take place there immediately, in particular which patches should be installed or which configuration changes should be made to avoid a vulnerability. Most of the files are transferred by ftp.
By the way: if we do not publish well-known risks inherent in a widely used platform or program, that does not mean this particular platform or program is safe to use!
IRIX | Vulnerability in Seyon: SGI-19980803, I-089, ESB-98.139
Seyon is a serial port communications package for the X Window System, distributed by Silicon Graphics as an IRIX inst image called "fw_MSSeyon" on the SGI Freeware 1.0 and 2.0 CDROMs. A vulnerability may allow local and remote users with a valid account on the system to gain root access: any user who can execute the seyon program can exploit it, and it has been actively exploited on IRIX systems. It is strongly recommended to remove the Seyon package or at least to remove the set-uid bit from the seyon program; how to do this is described in the advisory.
many | New CERT Summary published: CS-98.07, ESB-98.138
CERT has seen the following trends since June 1998: 1. New tools used for widespread scans, e.g. mscan (a further description can be found here). 2. Buffer overflows in some POP servers based on QUALCOMM's qpopper. 3. Multiple vulnerabilities in BIND.
Red Hat Linux | Vulnerability in svgalib: ESB-98.136
Minor security problems have been found in svgalib which allow users to make the console unusable. svgalib is only supported on the i386 platform; this issue does not affect users of Alpha and SPARC machines.
Red Hat 5.0 and 5.1, i386: rpm -Uvh ftp://ftp.redhat.com/updates/5.0/i386/svgalib-1.2.13-5.i386.rpm
Red Hat 4.2, i386: rpm -Uvh ftp://ftp.redhat.com/updates/4.2/i386/svgalib-devel-1.2.13.i386.rpm
many Unix | Vulnerabilities in rpc.pcnfsd: RSI.0008, I-088
rpc.pcnfsd is an RPC service used by PC-NFS clients: it provides username and password authentication for networked computers on which NFS client software is installed. Two vulnerabilities have been found, both leading to compromise of the root account on the system. The following systems are affected:
AIX: 4.0, 4.1, 4.2, 4.3
HP-UX: 7.x, 8.x, 9.x, 10.x, 11.x
SunOS: 4.1.3, 4.1.4
Solaris: 2.3, 2.4, 2.5, 2.5.1, 2.6
Red Hat Linux: 4.0, 4.1, 4.2, 5.0, 5.1
Slackware Linux: 3.0, 3.1, 3.2, 3.3, 3.4, 3.5
OSF: 3.2
For details see the advisory. It is strongly recommended to install patches where available; otherwise rpc.pcnfsd should be deinstalled.
HP-UX 9.x, 10.x, 11.00 | Vulnerability in BIND: HP Security Bulletin #00083, ERS-100, ESB-98.137
Because of the known problems in BIND, Hewlett-Packard has published patches which update BIND to version 4.9.7. It is strongly recommended to install them as soon as possible.
Microsoft IE 4.0, 4.01 and 4.01SP1 | Vulnerability in JScript: MS-98.011, ERS-098, c't
Microsoft Internet Explorer uses the JScript scripting engine version 3.1 to process scripts on a web page. When Internet Explorer encounters a page whose JScript invokes the Window.External function with a very long string, Internet Explorer may terminate. Long strings do not normally occur in scripts, but in principle arbitrary code could be run on the computer this way. Microsoft recommends an upgrade to version 3.1b of the scripting engine; users of Windows 98 get this patch via Windows Update.
Windows 95, 98, and NT | Patches for vulnerabilities in Point-to-Point Tunneling Protocol (PPTP) available: MS98-012, I-087, ERS-099
The Microsoft implementation of PPTP uses MS-CHAP for user authentication and Microsoft Point-to-Point Encryption (MPPE) to protect the confidentiality of user data. Potential vulnerabilities addressed by these updates include:
- Dictionary attack against the LAN Manager authentication information
- Password theft
- PPTP server spoofing
- Reuse of MPPE session keys
Patches should be installed for the following systems:
Microsoft Dial-Up Networking 1.2x and earlier on Windows 95
Microsoft Remote Access Services on Windows NT 4.0 (both client and server)
Microsoft Routing and Remote Access Services on Windows NT Server 4.0
Microsoft Windows 98 Dial-Up Networking
Further information can be found in the advisory.
Netscape | Regarding the MIME problem, new versions of Netscape Communicator have been released: 4.06 and 4.5pr1.
Cisco | Vulnerability in Cisco Resource Manager (CRM): Cisco, VB-98.09, I-086, ERS-097, S-98-55, ESB-98.135
Versions 1.0 and 1.1 of the Cisco Resource Manager (CRM) create log files and temporary files on the management station which contain potentially sensitive information. These files are not protected using operating system mechanisms and are therefore readable by all users of the system on which CRM is installed. The information exposed includes the usernames, passwords and SNMP community strings used by CRM to gain access to the devices being managed, so users with access to the computer on which CRM is installed may obtain information that gives them unauthorized access to the managed routers and switches. This affects both Solaris and Windows NT systems. For workarounds and the patch for CRM 1.1 please refer to the advisory.
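As an added example (not from SGI, Cisco or the advisories), the following Python script performs the two checks that the Seyon and CRM entries above boil down to: it walks a directory tree, reports set-uid/set-gid executables and world-readable regular files, and applies the corresponding fixes (clearing the set-uid bit, as SGI recommends for seyon, and removing group/other permissions, as a workaround for CRM's log and temporary files). The file names "seyon" and "crm.log", the directory layout and the file contents are constructed for the demonstration; the real paths are given in the advisories.

```python
import os
import shutil
import stat
import tempfile


def audit_file(path):
    """Return (kind, path) findings for one regular file: set-uid/set-gid bits
    (the seyon problem) and world-readability (the CRM log/temp file problem)."""
    st = os.lstat(path)
    findings = []
    if not stat.S_ISREG(st.st_mode):      # symlinks, devices etc. are skipped
        return findings
    if st.st_mode & stat.S_ISUID:
        findings.append(("setuid", path))
    if st.st_mode & stat.S_ISGID:
        findings.append(("setgid", path))
    if st.st_mode & stat.S_IROTH:
        findings.append(("world-readable", path))
    return findings


def audit_tree(root):
    """Walk root and collect findings for every regular file (symlinks are not followed)."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            findings.extend(audit_file(os.path.join(dirpath, name)))
    return sorted(findings)


def strip_setuid(path):
    """Clear the set-uid and set-gid bits (SGI's workaround for seyon)."""
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    os.chmod(path, mode & ~(stat.S_ISUID | stat.S_ISGID))


def restrict_to_owner(path):
    """Drop all group/other permissions so only the owner can read a credential-bearing file."""
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    os.chmod(path, mode & ~(stat.S_IRWXG | stat.S_IRWXO))


def demo():
    """Constructed scenario: a set-uid 'seyon' and a world-readable 'crm.log' in a temp dir.
    Returns the finding kinds before and after the fixes."""
    root = tempfile.mkdtemp()
    try:
        seyon = os.path.join(root, "seyon")
        log = os.path.join(root, "crm.log")
        with open(seyon, "w") as f:
            f.write("#!/bin/sh\n")              # stand-in for the seyon binary
        with open(log, "w") as f:
            f.write("community=private\n")      # stand-in for a CRM log line
        os.chmod(seyon, 0o4755)                 # set-uid, as shipped
        os.chmod(log, 0o644)                    # readable by everyone
        before = [kind for kind, _ in audit_tree(root)]
        strip_setuid(seyon)
        restrict_to_owner(log)
        after = [kind for kind, _ in audit_tree(root)]
        return before, after
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

Note that after the fix the seyon stand-in is still reported as world-readable: that is expected for a program binary, and the audit deliberately leaves it to the administrator to decide which of the remaining findings matter.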
Microsoft Windows NT, 95, 98 | New Trojan Horse: FREE! Your upgrade for Microsoft Internet Explorer: I-085
An e-mail is circulating on the Internet professing to be from Microsoft technical support. The message, which is not from Microsoft technical support, claims to be a security update for Microsoft Internet Explorer and contains an attachment typically named ie080898.exe, although variations of the file name have been reported. The attachment is actually a Trojan horse program targeted at Microsoft Windows 95, 98 and NT which sends spam e-mail messages to several locations on the Internet. It is recommended not to execute the attachment. If it has already been executed, the file shell32.exe should be deleted and its entry removed from the registry. For further details please refer to the advisory.
Red Hat Linux | Denial of Service against the Apache Web Server: ESB-98.130
A denial-of-service attack against the Apache web server has been found which lets remote sites disable your web server. It does not let remote users gain any sort of access to your computer, nor does it let local users gain any special access. Red Hat recommends upgrading apache; after installing, httpd should be restarted.
Red Hat 5.0 and 5.1, i386: rpm -Uvh ftp://ftp.redhat.com/updates/5.1/i386/apache-1.2.6-5.i386.rpm
Red Hat 5.0 and 5.1, alpha: rpm -Uvh ftp://ftp.redhat.com/updates/5.1/alpha/apache-1.2.6-5.alpha.rpm
Red Hat 5.0 and 5.1, SPARC: rpm -Uvh ftp://ftp.redhat.com/updates/5.1/sparc/apache-1.2.6-5.sparc.rpm
Red Hat 4.2, i386: rpm -Uvh ftp://ftp.redhat.com/updates/4.2/i386/apache-1.2.5-0.1.i386.rpm
Red Hat 4.2, alpha: rpm -Uvh ftp://ftp.redhat.com/updates/4.2/alpha/apache-1.2.5-0.1.alpha.rpm
Red Hat 4.2, SPARC: rpm -Uvh ftp://ftp.redhat.com/updates/4.2/sparc/apache-1.2.5-0.1.sparc.rpm
The version for the secure server will be available soon.
IRIX | Silicon Graphics has published updates to earlier advisories:
IRIX IP Spoofing/TCP Sequence Attack Update (ESB-98.126)
IRIX 6.3 & 6.4 mailcap vulnerability
IRIX BIND DNS Vulnerabilities (ESB-98.127)
BSD/Qualcomm qpopper Vulnerability (ESB-98.129)
University of Washington imapd daemon Vulnerability (ESB-98.128)
Cisco IOS 9.1 and higher | Cisco IOS Remote Router Crash: Cisco, ERS-095, ESB-98.133, I-084, VB-98.08, S-98-54
An error in Cisco IOS software makes it possible for untrusted, unauthenticated users who can reach the login prompt of a router or other Cisco IOS device, by any means, to cause that device to crash and reload. This applies only to devices running classic Cisco IOS software, which includes most Cisco routers with model numbers greater than or equal to 1000, but not the 7xx series, the Catalyst LAN switches, the WAN switching products in the IGX or BPX lines, the AXIS shelf, early models of the LS1010 or LS2020 ATM switches, or any host-based software. It is recommended to install an upgrade; Cisco is offering free software upgrades to all vulnerable customers regardless of contract status.
HP-UX 10.24 | Patches for Virtual Vault and Netscape published: HP Security Bulletin #00082, ERS-094, ESB-98.132
We pointed out earlier a vulnerability concerning some implementations of SSL (see HP Security Bulletin #00080 below). Now the necessary patches have been published.
OpenBSD 2.3 (and below) | Vulnerability in chpass: ERS-091
Normal users can change their account data using chpass, and any editor may be used for this. While editing, a temporary file is created, and this file may be modified by an attacker. It is recommended to install the patch published by OpenBSD as soon as possible.
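The chpass problem is the classic temporary-file race: an attacker who can predict the temporary file's name plants a symbolic link there before the privileged program creates the file, and the program then writes through the link. As an added illustration (not OpenBSD's code or its patch), the following Python script contrasts the careless open pattern with the exclusive one and with mkstemp. The file names "victim" and "ptmp" and the directory layout are constructed for the demonstration.

```python
import errno
import os
import shutil
import stat
import tempfile


def careless_open(path):
    """The vulnerable pattern: a predictable name, O_CREAT without O_EXCL.
    If an attacker has already planted a symlink at path, the file it points to
    is truncated and overwritten with whatever the privileged program writes."""
    return os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)


def exclusive_open(path):
    """O_EXCL makes open() fail if anything already exists at path (a symlink included);
    O_NOFOLLOW, where the platform has it, refuses symlinks outright."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    return os.open(path, flags, 0o600)


def demo():
    """Constructed race: the attacker pre-creates 'ptmp' as a symlink to 'victim'.
    Returns (victim contents after the careless open, whether the exclusive open
    refused the planted link, mode of a file created by mkstemp)."""
    root = tempfile.mkdtemp()
    try:
        victim = os.path.join(root, "victim")
        with open(victim, "w") as f:
            f.write("original\n")
        planted = os.path.join(root, "ptmp")   # the predictable temp-file name
        os.symlink(victim, planted)            # attacker's move, before the program runs

        fd = careless_open(planted)            # follows the link: victim is clobbered
        os.write(fd, b"clobbered\n")
        os.close(fd)
        with open(victim) as f:
            victim_after = f.read()

        try:
            os.close(exclusive_open(planted))
            refused = False
        except OSError as e:
            refused = e.errno in (errno.EEXIST, errno.ELOOP)

        # The proper fix: let the OS pick an unpredictable name and open it
        # with O_EXCL and mode 0600, which is exactly what mkstemp does.
        fd, safe_path = tempfile.mkstemp(dir=root)
        os.close(fd)
        safe_mode = stat.S_IMODE(os.stat(safe_path).st_mode)
        return victim_after, refused, safe_mode
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    print(demo())
```

The exclusive open is only a partial defence on its own: the program still has to handle the failure (retry with a new name, never fall back to the careless open), which is why an unpredictable name from mkstemp is the better starting point.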
many | Problems with the Squid Server: AL-98.02, ERS-089, S-98-51
Squid is a tool for caching static web pages. If version 1.NOVM of the Squid server is installed, a user may be served a different web page than the one requested, so it appears as if the web server were corrupted, although the problem is caused by a bug in Squid. Further information and a patch are available.
HP-UX 10.x, 11.00 | Vulnerability in HP-UX Netscape Servers using SSL: HP Security Bulletin #00080, ERS-086, ESB-98.123
A vulnerability has been identified that affects the use of RSA Data Security encryption algorithms with Netscape server products that support Secure Sockets Layer (SSL). If exploited, it could be used to recover the key for a particular encrypted session by repeatedly sending approximately one million carefully constructed messages to a target server and observing the server's responses. Further information and how to avoid this vulnerability is described at Netscape's site.
HP-UX 9.x, 10.x, 11.00 | HP-UX & MPE/iX Predictive vulnerability: HP Security Bulletin #00081, I-081, ERS-087, ESB-98.124
Many on-site customer machines are running Predictive. This issue is relevant to those users who send and/or receive Predictive messages by modem or by e-mail, on all versions released to date; the data transfer may be compromised. It is recommended to install the patches published by HP.
For HP 3000 Series 900 systems running MPE/iX version 5.0 or 5.5, a patch has also been published by HP. It should be installed; otherwise the data transfer may be compromised.
many | Vulnerability in sendmail - MIME attachments: AA-98.04, ERS-092
sendmail is also affected by the MIME problem. A patch for version 8.9.1 has been published; we strongly recommend installing it to avoid this vulnerability. After the install the version is 8.9.1a. Administrators running earlier versions of sendmail will have to update to version 8.9.1 before installing the patch.
Eudora Pro 4.0, 4.0.1 for Windows | Vulnerability caused by mail attachments: Eudora, I-083
This problem is not the same as the MIME vulnerability. Users of Eudora Light, older versions of Eudora Pro under Windows, and Eudora on the Macintosh are not affected. The vulnerability is fairly easy to exploit: it allows someone to send hostile Java applets, executable programs or scripts in an e-mail message and disguise the attachment's name as a URL. A user who clicks on the URL launches the attachment, allowing the rogue code to execute. It is strongly recommended to install the update to Eudora Pro 4.02 or, at the very least, to turn off the Microsoft Viewer.
Windows 95 and 98 | Remote administration by Back Orifice: Cult of the Dead Cow (cDc), MS98-010, ERS-088, ESB-98.134
cDc has published a tool called Back Orifice, a remote MS Windows administration tool using UDP and offering a comfortable GUI. It allows the user to remotely control almost all parts of the operating system, including the file system, registry, system, passwords, network and processes. Back Orifice is a quite small program which may be installed together with another application as a Trojan horse. It does not show up in the task list or the Close Programs dialog, and it is automatically restarted each time the computer boots. Users who want to avoid exploitation of their PC by Back Orifice, which listens on port 31337/udp by default, should not download software from obscure servers. Additionally, the active network connections can be checked with netstat -a. Dialling in at an ISP is considered fairly safe because of the use of dynamic IP addresses.
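As an added example (not from cDc, Microsoft or the advisories) of the netstat -a check mentioned above, this Python script parses netstat output in the Windows 95/98 layout and flags a UDP socket bound to 31337, the Back Orifice default port. The output lines are constructed for the demonstration; the host name "pc" and the other sockets are invented. Because the port is configurable in Back Orifice, the script also lists every UDP listener so that unexpected ones can be reviewed by hand.

```python
# Constructed sample of "netstat -a" output on Windows 95/98; not a real capture.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    pc:137                 0.0.0.0:0              LISTENING
  TCP    pc:1027                www.example.com:80     ESTABLISHED
  UDP    pc:137                 *:*
  UDP    pc:31337               *:*
"""

BO_DEFAULT_PORT = 31337   # Back Orifice's default; the operator can change it


def parse_netstat(text):
    """Turn netstat -a output into (proto, local host, local port, state) tuples.
    Header lines, blank lines and anything without a numeric local port are skipped."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].upper() not in ("TCP", "UDP"):
            continue
        host, _, port = parts[1].rpartition(":")   # rpartition copes with IPv6-style hosts
        if not port.isdigit():
            continue
        state = parts[3] if len(parts) > 3 else ""  # UDP lines carry no state column
        sockets.append((parts[0].upper(), host, int(port), state))
    return sockets


def find_back_orifice(text, port=BO_DEFAULT_PORT):
    """Return the UDP sockets bound to the given port (empty list means nothing found)."""
    return [s for s in parse_netstat(text) if s[0] == "UDP" and s[2] == port]


def udp_listeners(text):
    """All local UDP ports in use, sorted, for manual review of anything unexpected."""
    return sorted({s[2] for s in parse_netstat(text) if s[0] == "UDP"})


if __name__ == "__main__":
    hits = find_back_orifice(SAMPLE_NETSTAT)
    print("Back Orifice default port in use:", bool(hits))
    print("UDP ports in use:", udp_listeners(SAMPLE_NETSTAT))
```

A hit on 31337/udp is a strong indicator but not proof, and its absence proves nothing when the server was installed with a non-default port; that is why the full UDP listener list is the more useful output. On a real machine, pipe netstat -a into a file and pass its contents to these functions.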
many | Security risks caused by MIME attachments: CA-98.10, ERS-093, ESB-98.131, S-98-49 and 49a (!), S-98-53
Many mail and news readers are vulnerable to MIME attachments with a very long MIME header field, such as a very long attachment file name: the reader may crash, and arbitrary code, even virus code, may be executed on the client machine. This CERT advisory gives a survey of vulnerable systems and the patches to be installed.
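As an added example (not from CERT or any of the vendors named in the MIME and sendmail entries above) of what a mail gateway can check until clients are patched, this Python script parses a message with the standard email module and reports attachment names in the Content-Type and Content-Disposition headers that exceed a length limit. The message, its addresses and the 128-character limit are constructed assumptions for the demonstration; the advisories do not specify a threshold, so the limit should be set well below whatever the deployed clients are known to mishandle.

```python
import email

MAX_NAME = 128          # assumed limit; pick one well below the affected clients' buffers
LONG_NAME = "A" * 300 + ".exe"

# Constructed sample message, not a real capture: a two-part MIME message whose
# second part carries an attachment name far longer than a legitimate file name.
SAMPLE_MESSAGE = (
    "From: alice@example.com\r\n"
    "To: bob@example.com\r\n"
    "Subject: test\r\n"
    "MIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n'
    "\r\n"
    "--b1\r\n"
    "Content-Type: text/plain\r\n"
    "\r\n"
    "hello\r\n"
    "--b1\r\n"
    f'Content-Type: application/octet-stream; name="{LONG_NAME}"\r\n'
    f'Content-Disposition: attachment; filename="{LONG_NAME}"\r\n'
    "\r\n"
    "MZ\r\n"
    "--b1--\r\n"
)


def oversized_attachment_names(raw, limit=MAX_NAME):
    """Return (part index, header, name length) for every MIME part whose
    Content-Type name= or Content-Disposition filename= parameter is longer than limit.
    Parts are numbered in email.message.Message.walk() order (0 is the top level)."""
    msg = email.message_from_string(raw)
    findings = []
    for index, part in enumerate(msg.walk()):
        candidates = (
            ("Content-Type name", part.get_param("name")),
            ("Content-Disposition filename", part.get_filename()),
        )
        for header, value in candidates:
            # get_param may return a tuple for RFC 2231 encoded values; only plain
            # strings are measured here, which is the form the crashing clients saw.
            if isinstance(value, str) and len(value) > limit:
                findings.append((index, header, len(value)))
    return findings


if __name__ == "__main__":
    for index, header, length in oversized_attachment_names(SAMPLE_MESSAGE):
        print(f"part {index}: {header} is {length} characters long")
```

A gateway that uses this check would quarantine or rewrite the offending part rather than bounce the message, since the sender address of such a message is rarely genuine.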
IBM AIX, SP2 | Vulnerability in the sdrd daemon: I-079, ERS-090, ESB-98.125, S-98-52
The System Data Repository (SDR) is an SP subsystem that stores, among other things, the SP configuration. The SDR information is kept on the Control Workstation and is accessed through a command-line interface. A vulnerability in the sdrd daemon allows anyone to use the retrieve-file command to obtain any file on the SDR system without any authentication. It is strongly recommended to install the patch published by IBM.
Back to the News
© 1998 Dr. Matthias Leu, EDV Beratung fuer Internet/Intranet, last Update: September 10, 1998, 16:32 +0200