News November 1998


Most of the links lead to the corresponding files at CERT or other organisations, so updates there (in particular which patches should be installed or which configuration changes should be made to avoid a vulnerability) are reflected immediately. Most of the files are transferred by ftp.
By the way: if we do not publish a well-known risk inherent in some widely used platform or program, that does not mean this particular platform or program is safe to use!


Solaris 2.3 - 2.6 (SPARC, Intel), SunOS 4.1.4 and 4.1.3_U1

Vulnerabilities in rdist: SUN Security Bulletin #00179, ERS-141
The rdist program is a setuid root utility that distributes files from one host to another. Several buffer overflow vulnerabilities have been discovered which could be exploited by an attacker to gain root access. These systems should be patched immediately:

Operating System     Patch-ID

Solaris 2.6          105667-02
Solaris 2.6_x86      105668-02
Solaris 2.5.1        103817-03
Solaris 2.5.1_x86    103818-03
Solaris 2.5          103815-03
Solaris 2.5_x86      103816-03
Solaris 2.4          103813-03
Solaris 2.4_x86      103814-03
Solaris 2.3          101494-04
SunOS 4.1.4          103824-04
SunOS 4.1.3_U1       103823-04

Windows NT

Vulnerability caused by SNMP: NAI-30, ERS-140
All versions of Windows NT on which the administrator has enabled the SNMP Service are vulnerable to attack from users with accounts on the system. They are also vulnerable to attack from remote users if the administrator has not removed the "public" community from the SNMP Service configuration and replaced it with a hard-to-guess name.
Service Pack 4 (SP4) addresses this problem by adding access control: each community can be configured READ ONLY, READ WRITE or READ CREATE. By default, after Service Pack 4 is installed, the permission is set to READ CREATE, which still allows modification of SNMP entries and therefore does not close this vulnerability. Make sure the communities are configured READ ONLY to prevent modification of SNMP entries.

AIX 3.2.x, 4.1.x - 4.3.x

Vulnerability in AIX infod: RSI-011:
The Info Explorer daemon (infod) is an AIX utility that provides documentation for the operating system and associated programs. It does not validate the information passed to the local socket it is bound to, so users on the system can send it false information and trick it into opening a connection to the intruder's X display.
It is recommended to apply the workaround described in the advisory and to install the following fixes as soon as IBM releases them. IBM is currently working on these fixes, which will be available soon:

AIX 3.2.x    upgrade to version 4
AIX 4.1.x    IX84640
AIX 4.2.x    IX84641
AIX 4.3.x    IX84642

HP-UX

Vulnerability in vacation: HP Security Bulletin #00087, ERS-138, J-017
The program vacation (/usr/bin/vacation) automatically replies to e-mail while the recipient is away. By exploiting a vulnerability in this program a remote attacker may be able to modify system files and gain root access to the machine. It is therefore recommended to install the patches listed below.

HP-UX 11.x     HP9000 Series 700/800    PHNE_16295
HP-UX 10.20    HP9000 Series 700/800    PHNE_14042
HP-UX 10.0x    HP9000 Series 700/800    PHNE_16726
HP-UX 9.x      HP9000 Series 700/800    PHNE_16725

Cisco IOS with DFS

Cisco IOS DFS Access List Leakage: Cisco, VB-98.13, ERS-136, J-016, S-98-73
Errors in certain Cisco IOS software versions can cause IP datagrams to be sent out of network interfaces even though access lists have been applied to filter those datagrams. Only routers of the Cisco 7xxx family are affected, and only when they have been configured for distributed fast switching (DFS).
It is recommended to install the patches or apply the workaround described in the advisory.

FreeBSD 3.0

Denial of service by IP fragmentation: BSD-SA-98.08, ERS-135, S-98-72
An IP connection consists of a series of packets exchanged between the two computers involved. When a datagram is too large to be sent as a single IP packet (because of an interface's hardware limits, for example), it can be fragmented (unless the Don't Fragment flag prohibits this). The final destination reassembles all fragments of an IP packet and passes the result to the higher protocol layers (such as TCP or UDP).
There is a bug in the IP fragment reassembly code that can lead to a kernel panic. An attacker can create and send a pair of malformed IP packets which are reassembled into an invalid UDP datagram. Such a UDP datagram causes the server to panic and crash, which results in a reboot of the system.
There is no workaround; the applicable patch should be installed.
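The advisory says only that two malformed fragments reassemble into an invalid UDP datagram that the FreeBSD 3.0 kernel then trusts. The following Python script is an added example and not code from FreeBSD or the advisory: it reassembles constructed IPv4 fragments, enforces the consistency checks a reassembly path needs (one datagram per fragment set, no gaps or overlaps, More-Fragments flag matching the fragment's position, non-final fragments a multiple of 8 bytes, total size within 65535 bytes) and then checks the UDP length field against what was actually reassembled, rejecting the datagram instead of passing an inconsistent length upward. The addresses, IP ids and the 1000-byte UDP length in the malformed sample are constructed for the example; the exact malformation used against FreeBSD is not reproduced here.

```python
"""Reassemble IPv4 fragments and validate the resulting UDP datagram (added example)."""
import struct

IP_HDR = "!BBHHHBBH4s4s"   # ver/IHL, TOS, total length, id, flags+offset, TTL, proto, csum, src, dst
MAX_DATAGRAM = 65535        # largest total length an IPv4 datagram may have
PROTO_UDP = 17


def make_fragment(ident, offset, more, payload, proto=PROTO_UDP,
                  src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    """Build an IPv4 header plus payload; checksum stays 0 because nothing here is sent."""
    flags_offset = (0x2000 if more else 0) | (offset // 8)
    header = struct.pack(IP_HDR, 0x45, 0, 20 + len(payload), ident, flags_offset, 64, proto, 0, src, dst)
    return header + payload


def parse_ipv4(packet):
    """Parse the fixed header; reject anything whose lengths do not add up."""
    if len(packet) < 20:
        raise ValueError("packet shorter than an IPv4 header")
    ver_ihl, _tos, total, ident, flags_offset, _ttl, proto, _csum, src, dst = struct.unpack(IP_HDR, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total < ihl or len(packet) < total:
        raise ValueError("malformed IPv4 header")
    return {"key": (ident, proto, src, dst), "more": bool(flags_offset & 0x2000),
            "offset": (flags_offset & 0x1FFF) * 8, "payload": packet[ihl:total]}


def reassemble(fragments):
    """Return the reassembled payload, or raise ValueError for anything a kernel must not trust."""
    frags = sorted((parse_ipv4(p) for p in fragments), key=lambda f: f["offset"])
    if len({f["key"] for f in frags}) != 1:
        raise ValueError("fragments belong to different datagrams")
    data, expected = bytearray(), 0
    for index, frag in enumerate(frags):
        last = index == len(frags) - 1
        if frag["offset"] != expected:
            raise ValueError("gap or overlap at offset %d" % frag["offset"])
        if frag["more"] == last:
            raise ValueError("More-Fragments flag inconsistent with fragment position")
        if not last and len(frag["payload"]) % 8:
            raise ValueError("non-final fragment length not a multiple of 8")
        if 20 + expected + len(frag["payload"]) > MAX_DATAGRAM:
            raise ValueError("reassembled datagram would exceed %d bytes" % MAX_DATAGRAM)
        data += frag["payload"]
        expected += len(frag["payload"])
    return bytes(data)


def check_udp(payload):
    """Validate the UDP header against what was really reassembled; return (sport, dport, data)."""
    if len(payload) < 8:
        raise ValueError("UDP header truncated")
    sport, dport, ulen, _csum = struct.unpack("!HHHH", payload[:8])
    if ulen < 8 or ulen > len(payload):
        raise ValueError("UDP length field %d does not fit a %d-byte datagram" % (ulen, len(payload)))
    return sport, dport, payload[8:ulen]


def inspect(fragments):
    """Run the whole path and report the verdict instead of panicking."""
    try:
        sport, dport, data = check_udp(reassemble(fragments))
        return "ok: %d -> %d, %d bytes" % (sport, dport, len(data))
    except ValueError as err:
        return "rejected: %s" % err


# Constructed sample: a 24-byte UDP datagram (8-byte header + 16 bytes) split into two fragments.
_DATA = b"A" * 16
_UDP_OK = struct.pack("!HHHH", 1234, 53, 8 + len(_DATA), 0) + _DATA
SAMPLE_GOOD = [make_fragment(7, 0, True, _UDP_OK[:16]), make_fragment(7, 16, False, _UDP_OK[16:])]

# Constructed malformed pair: same split, but the UDP length field claims 1000 bytes.
_UDP_BAD = struct.pack("!HHHH", 1234, 53, 1000, 0) + _DATA
SAMPLE_BAD = [make_fragment(8, 0, True, _UDP_BAD[:16]), make_fragment(8, 16, False, _UDP_BAD[16:])]

# Constructed overlapping pair: the second fragment claims offset 8 although the first covers 0-15.
SAMPLE_OVERLAP = [make_fragment(9, 0, True, _UDP_OK[:16]), make_fragment(9, 8, False, _UDP_OK[16:])]

if __name__ == "__main__":
    for name, sample in (("good", SAMPLE_GOOD), ("bad length", SAMPLE_BAD), ("overlap", SAMPLE_OVERLAP)):
        print(name + ":", inspect(sample))
```

The point of the example is the last check: once fragments are glued together, the transport header's own length field is still attacker data and has to be compared with the byte count the reassembly actually produced before any code indexes the datagram with it.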
HP OpenView

Backdoor caused by hidden SNMP community: ISS-12, ERS-134
All hosts in a managed network rely on the proper delivery and collection of SNMP data. This vulnerability gives remote attackers access to the portions of the MIB tree used for configuration and maintenance of the SNMP agent. Attackers may use this hidden community remotely to obtain information otherwise reserved for authorized users. They can also use it to disrupt the collection of data over SNMP and to sever communication between collection agents and management stations.
It is recommended to install the applicable patch.

HP-UX Version 9.x      PHSS_16799
HP-UX Version 10.x     PHSS_16800
Solaris Version 2.x    PHOV_02190

Solaris 2.6, Sun Microsystems Solstice Enterprise Agent

Backdoor in SNMP implementation: SUN Security Bulletin #00178, ISS-11, ERS-132, ERS-137, S-98-74, Update: ISS-13, ERS-139
Solaris is configured by default to support SNMP. A hidden and undocumented community string is present in the SNMP subagent which may allow remote attackers to change most system parameters. Remote attackers may thereby indirectly execute arbitrary commands with superuser privileges; they do not need local access to the target host to exploit this vulnerability.
It is recommended to install patch #106787-02 (Sun Microsystems) or to disable the SNMP service.
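The Windows NT, HP OpenView and Solstice Enterprise Agent items above share one check a practitioner wants after patching: which community strings does an agent still answer to? The following Python script is an added example, not code from any of the advisories or vendors. It encodes an SNMPv1 GetRequest for sysDescr.0 by hand, sends it under each candidate community string and reports those for which the agent returns a GetResponse at all (agents silently drop requests with an unknown community, so any response proves the string is accepted). The target address, port and candidate list are assumptions for the example; the hidden vendor community strings are deliberately not reproduced here.

```python
"""Find which community strings an SNMPv1 agent accepts (added example).

Assumptions: the agent speaks SNMPv1 on UDP port 161, and the candidate list
is ours; no hidden vendor strings are reproduced here.
"""
import socket

SYS_DESCR_0 = (1, 3, 6, 1, 2, 1, 1, 1, 0)   # sysDescr.0, readable under any community
GET_REQUEST, GET_RESPONSE = 0xA0, 0xA2        # SNMPv1 PDU tags (context-specific 0 and 2)


def _tlv(tag, body):
    """BER tag-length-value with short or long definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    length = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + body


def _int(value):
    """ASN.1 INTEGER, minimal two's-complement encoding (non-negative values only here)."""
    return _tlv(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big", signed=True))


def _oid(arcs):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128 big-endian."""
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return _tlv(0x06, bytes(body))


def build_get_request(community, oid=SYS_DESCR_0, request_id=1):
    """Message ::= SEQUENCE { version INTEGER(0), community OCTET STRING, GetRequest-PDU }."""
    varbind = _tlv(0x30, _oid(oid) + b"\x05\x00")                      # name OID, value NULL
    pdu = _tlv(GET_REQUEST, _int(request_id) + _int(0) + _int(0) + _tlv(0x30, varbind))
    return _tlv(0x30, _int(0) + _tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf, pos=0):
    """Return (tag, body, next_pos) for the BER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_message(packet):
    """Return (community, pdu_tag, error_status) of an SNMPv1 message."""
    tag, body, _ = _read_tlv(packet)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, version, pos = _read_tlv(body)
    if int.from_bytes(version, "big", signed=True) != 0:
        raise ValueError("not SNMPv1")
    _, community, pos = _read_tlv(body, pos)
    pdu_tag, pdu, _ = _read_tlv(body, pos)
    _, _request_id, pos = _read_tlv(pdu)
    _, error_status, _ = _read_tlv(pdu, pos)
    return community.decode(errors="replace"), pdu_tag, int.from_bytes(error_status, "big", signed=True)


def probe(host, communities, port=161, timeout=2.0):
    """Return the candidate communities for which the agent sends back a GetResponse."""
    accepted = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for request_id, community in enumerate(communities, start=1):
            sock.sendto(build_get_request(community, request_id=request_id), (host, port))
            try:
                data, _ = sock.recvfrom(4096)
            except socket.timeout:
                continue                        # unknown community: the agent stays silent
            _, pdu_tag, _error = parse_message(data)
            if pdu_tag == GET_RESPONSE:
                accepted.append(community)      # even an error response proves the community is valid
    return accepted


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"   # assumed address (documentation range)
    print("accepted communities:", probe(target, ["public", "private", "secret"]))
```

Run it against an agent before and after the patch; a read-only test like this cannot tell READ ONLY from READ CREATE, so after confirming which strings are accepted, check the write side separately with a SetRequest on a harmless object such as sysContact.0 under the same community.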

Many platforms

BMC PATROL file creation vulnerability: ISS-10, ERS-133, Update: ISS-13, ERS-139
PATROL Agent is installed setuid root with world-execute permissions. When PATROL Agent is executed, it creates temporary files on the system. In version 3.2.3 and lower these files are opened and written in an insecure manner, which allows a local user to create a symbolic link in place of the temporary file; the link is then followed when PATROL Agent initializes. Attackers may use this to overwrite any file or to create a new file owned by root, a method commonly used to indirectly compromise root access.
Some hints on avoiding this vulnerability until a patch is available are given in the advisory.
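The PATROL Agent problem is the classic temporary-file symlink race: a privileged process opens a predictable name with O_CREAT and without O_EXCL, so a symlink planted there beforehand is followed. The following Python script is an added example and not PATROL's code or the advisory's workaround; it runs the attack against an insecure create and against a create that uses O_CREAT|O_EXCL (plus O_NOFOLLOW where the platform has it), inside a throwaway directory. The file names and contents are constructed for the example; the temporary name PATROL actually uses is not reproduced here.

```python
"""Temporary-file creation that follows a planted symlink, beside a form that refuses to (added example)."""
import errno
import os
import tempfile


def insecure_create(path, data):
    """O_CREAT|O_TRUNC without O_EXCL: if `path` is a symlink, its target is truncated and written."""
    with open(path, "w") as handle:
        handle.write(data)


def safe_create(path, data):
    """Create atomically: O_EXCL refuses an existing name, and a symlink counts as existing."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w") as handle:
        handle.write(data)


def simulate_attack(create):
    """Plant a symlink at the predictable temp name before `create` runs; return (outcome, victim contents)."""
    with tempfile.TemporaryDirectory() as workdir:
        victim = os.path.join(workdir, "victim")       # stands in for a root-owned file such as /etc/passwd
        with open(victim, "w") as handle:
            handle.write("original\n")
        tmp = os.path.join(workdir, "agent.tmp")       # hypothetical predictable temporary name
        os.symlink(victim, tmp)                         # the attacker's move, ahead of the privileged process
        try:
            create(tmp, "attacker-controlled data\n")
            outcome = "written"
        except OSError as err:
            outcome = "refused: " + errno.errorcode.get(err.errno, str(err.errno))
        with open(victim) as handle:
            return outcome, handle.read()


if __name__ == "__main__":
    print("insecure:", simulate_attack(insecure_create))
    print("safe:    ", simulate_attack(safe_create))
```

O_EXCL is what makes the difference: POSIX requires open() with O_CREAT|O_EXCL to fail with EEXIST when the path is a symbolic link, whatever the link points to. In real code the name should also be unpredictable and live in a directory the attacker cannot write to, which is what tempfile.mkstemp() (mkstemp(3) in C) provides.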

Mac OS

Vulnerability in FWB Hard Disk Toolkit: L0pht
FWB Hard Disk Toolkit 2.5 allows users to password-protect hard disk volumes. The password has to be entered when the hard disk driver loads in order for the volume to mount; without it the volume does not mount, which is supposed to prevent access to the data on the device.
By forcibly replacing the FWB driver with a different driver it is possible to access the data on the password-protected volume without knowing the password, since the data itself is not encrypted. Further information about this security hole can be found in the advisory.


© 1998 Dr. Matthias Leu, EDV Beratung fuer Internet/Intranet, last update: January 11, 1999, 00:16 +0000