News November 1998
Most of the links lead to the corresponding files at CERT or other organisations, so changes there take effect immediately, in particular which patches should be installed or which changes in the configuration should be made to avoid a vulnerability. Most of the files are transferred by ftp.
By the way: if we do not publish a well-known risk inherent in some widely used platform or program, that does not mean this particular platform or program is safe to use!
Solaris 2.3 - 2.6 (SPARC, Intel), SunOS 4.1.4 and 4.1.3_U1 | Vulnerabilities in rdist: SUN Security Bulletin #00179, ERS-141
Windows NT | Vulnerability caused by snmp: NAI-30, ERS-140
All versions of Windows NT on which the administrator has enabled the SNMP Service are vulnerable to attack by users with accounts on the system. They are also vulnerable to attack by remote users if the administrator has not removed the "public" community from the SNMP Service configuration and replaced it with a hard-to-guess name. Service Pack 4 (SP4) addresses the problem by adding access control: communities can be configured READ ONLY, READ WRITE or READ CREATE. By default, after SP4 is installed, the permission is set to READ CREATE, which still allows SNMP entries to be modified and therefore does not close the vulnerability. Ensure that the communities are configured READ ONLY to prevent modification of SNMP entries.
AIX 3.2.x, 4.1 - 4.3.x | Vulnerability in AIX infod: RSI-011
HP-UX | Vulnerability in vacation: HP Security Bulletin #00087, ERS-138, J-017
Cisco IOS with DFS | Cisco IOS DFS Access List Leakage: Cisco, VB-98.13, ERS-136, J-016, S-98-73
Errors in certain Cisco IOS software versions for certain routers can cause IP datagrams to be sent out of network interfaces even though access lists have been applied to filter them. This affects only routers of the Cisco 7xxx family, and only when they have been configured for distributed fast switching (DFS). Install the patches or apply the workaround described in the advisory.
FreeBSD 3.0 | Denial-of-Service by IP fragmentation: BSD-SA-98.08, ERS-135, S-98-72
An IP datagram that is too large to be sent in one piece over a link (because of interface hardware limits, for example) can be fragmented unless its Don't Fragment flag is set. The final destination reassembles all fragments into the original datagram and passes it to the higher protocol layer (TCP or UDP). A bug in the IP fragment reassembly code can lead to a kernel panic: an attacker can create and send a pair of malformed IP fragments which are reassembled into an invalid UDP datagram, and such a datagram causes the receiving system to panic and crash, which results in a reboot. There is no workaround; the applicable patch should be installed.
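The reassembly step described above, as an added example in C that is not code from this page or from FreeBSD: a minimal fragment reassembler that refuses the inconsistencies a receiver must catch before handing a datagram to UDP. The advisory text here does not say how the malformed pair was built, so the "bad" sample pairs (a UDP length field larger than the reassembled datagram, and an overlapping fragment) are assumptions chosen to show the kind of check involved, not a reconstruction of the FreeBSD bug; the struct, buffer and status names and the sample datagram are assumptions as well.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not FreeBSD code: a minimal IP fragment reassembler with the
 * consistency checks a receiver should make before handing the result to UDP.
 * Fragment fields follow RFC 791 (offset in 8-octet units, MF flag); the
 * struct, buffer and status names are assumptions made for this illustration. */

#define MAX_PAYLOAD 65515u   /* 65535-octet datagram minus a 20-octet IP header */
#define UDP_HDR_LEN 8u

enum reasm_status {
    REASM_OK = 0,
    REASM_INCOMPLETE,    /* holes remain, or no fragment with MF=0 seen */
    REASM_BAD_LENGTH,    /* fragment would run past the maximum IP payload */
    REASM_BAD_ALIGNMENT, /* non-final fragment not a multiple of 8 octets */
    REASM_OVERLAP,       /* fragment covers octets that already arrived */
    REASM_CONFLICT,      /* data beyond the end claimed by the final fragment */
    REASM_BAD_UDP        /* UDP length field disagrees with the reassembled size */
};

struct fragment {
    uint16_t offset8;     /* fragment offset in 8-octet units (IP header field) */
    int more_fragments;   /* MF flag: 1 for all but the last fragment */
    const uint8_t *data;  /* payload octets carried by this fragment */
    size_t len;
};

static uint8_t reasm_buf[MAX_PAYLOAD];  /* reassembled payload */
static uint8_t reasm_seen[MAX_PAYLOAD]; /* one marker per payload octet */

enum reasm_status reassemble(const struct fragment *frags, size_t n, size_t *total_len)
{
    size_t expected_total = 0, udp_len;
    int have_last = 0;
    memset(reasm_seen, 0, sizeof reasm_seen);
    for (size_t i = 0; i < n; i++) {
        size_t start = (size_t)frags[i].offset8 * 8u, end = start + frags[i].len;
        if (end > MAX_PAYLOAD)
            return REASM_BAD_LENGTH;
        if (frags[i].more_fragments && frags[i].len % 8u != 0)
            return REASM_BAD_ALIGNMENT;
        for (size_t k = start; k < end; k++)
            if (reasm_seen[k])
                return REASM_OVERLAP;  /* refuse overlap rather than merge it */
        if (!frags[i].more_fragments) {
            if (have_last && expected_total != end)
                return REASM_CONFLICT; /* two final fragments, different ends */
            have_last = 1;
            expected_total = end;
        }
        memcpy(reasm_buf + start, frags[i].data, frags[i].len);
        memset(reasm_seen + start, 1, frags[i].len);
    }
    if (!have_last)
        return REASM_INCOMPLETE;
    for (size_t k = 0; k < MAX_PAYLOAD; k++) {
        if (k < expected_total && !reasm_seen[k])
            return REASM_INCOMPLETE;   /* a hole inside the claimed datagram */
        if (k >= expected_total && reasm_seen[k])
            return REASM_CONFLICT;     /* octets past the claimed end */
    }
    /* The payload is a UDP datagram: its length field (octets 4-5, network
     * order) must equal what was actually reassembled. A header that claims
     * more data than exists is exactly what must not be passed up to UDP. */
    if (expected_total < UDP_HDR_LEN)
        return REASM_BAD_UDP;
    udp_len = ((size_t)reasm_buf[4] << 8) | reasm_buf[5];
    if (udp_len != expected_total)
        return REASM_BAD_UDP;
    *total_len = expected_total;
    return REASM_OK;
}

/* Constructed sample input: a 24-octet UDP datagram (8-octet header whose
 * length field is 0x0018 = 24, then 16 octets of payload), sent as two
 * fragments: octets 0-15 with MF=1 and octets 16-23 with MF=0. */
static const uint8_t sample_datagram[24] = {
    0x12, 0x34, 0x00, 0x35, 0x00, 0x18, 0x00, 0x00,
    'c', 'o', 'n', 's', 't', 'r', 'u', 'c', 't', 'e', 'd', '-', 'd', 'a', 't', 'a'
};

/* variant 0: well-formed pair; 1: UDP length field claims 256 octets;
 * 2: the second fragment overlaps the first. Returns the reassembler's verdict. */
enum reasm_status sample_status(int variant)
{
    uint8_t dgram[24];
    size_t total = 0;
    memcpy(dgram, sample_datagram, sizeof dgram);
    if (variant == 1) { dgram[4] = 0x01; dgram[5] = 0x00; }  /* length field now 256 */
    struct fragment frags[2] = {
        { 0, 1, dgram, 16 },
        { (uint16_t)(variant == 2 ? 1 : 2), 0, dgram + 16, 8 }
    };
    return reassemble(frags, 2, &total);
}
```

The reassembler treats overlap as an error instead of trying to merge the pieces, and it cross-checks the UDP length field against the octets that actually arrived; both are conservative choices for a receiver whose first duty is to stay up.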
HP OpenView | Backdoor caused by hidden SNMP community: ISS-12, ERS-134
Solaris 2.6, Sun Microsystems Solstice Enterprise Agent | Backdoor in SNMP implementation: SUN Security Bulletin #00178, ISS-11, ERS-132, ERS-137, S-98-74, Update: ISS-13, ERS-139
Solaris is configured by default to support SNMP. A hidden and undocumented community string is present in the SNMP subagent and may allow remote attackers to change most system parameters; through this they can indirectly execute arbitrary commands with superuser privileges, and they do not need local access to the target host to exploit the vulnerability. It is recommended to install patch #106787-02 (Sun Microsystems) or to disable the SNMP service.
many | BMC PATROL File Creation Vulnerability: ISS-10, ERS-133, Update: ISS-13, ERS-139
PATROL Agent is installed setuid root with world-execute permissions. When it is executed, it creates temporary files on the system; in version 3.2.3 and lower these files are opened and written to insecurely, so a local user can place a symbolic link at the temporary file's name pointing to a privileged file. The link is followed when PATROL Agent initialises, which lets an attacker overwrite any file or create a new file owned by root, a method commonly used to indirectly gain root access. Hints for avoiding this vulnerability until a patch is available are given in the advisory.
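The insecure temporary-file pattern the advisory describes, as an added example in C that is not BMC's code: the vulnerable open() beside its hardened form, plus a simulation of the symlink race in a scratch directory. It assumes a POSIX system with a writable /tmp; the directory and file names, the "victim" file and the payload are constructed for the illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Added example, not BMC PATROL code: the insecure temporary-file pattern the
 * advisory describes, its hardened counterpart, and a simulation of the symlink
 * attack in a scratch directory (assumes a POSIX system with a writable /tmp). */

/* Vulnerable pattern: a privileged program creates or truncates a temp file at
 * a predictable name. If a local user has placed a symlink there first, open()
 * follows it and the privileged write lands in whatever the link points to. */
int create_temp_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: together with O_CREAT, O_EXCL makes open() fail with EEXIST if
 * anything, including a dangling symlink, already exists at the path, and
 * O_NOFOLLOW refuses to follow a symlink in the final path component. Real
 * code should also use mkstemp() so the name itself is unpredictable. */
int create_temp_safe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Simulate the race: a "victim" file stands in for a root-owned file, and the
 * attacker's symlink is already sitting at the temp-file name when the "agent"
 * opens it. Returns 1 if the agent's write reached the victim, 0 if it was
 * blocked, -1 if the scratch directory could not be set up. */
int symlink_attack_succeeds(int use_safe_open)
{
    char dir[] = "/tmp/patrol-demo-XXXXXX";   /* hypothetical scratch location */
    char victim[64], tmpname[64], buf[64];
    const char *payload = "attacker-controlled\n";
    ssize_t n;
    int fd, modified = -1;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(tmpname, sizeof tmpname, "%s/agent.tmp", dir);

    /* the victim starts out with known content */
    fd = open(victim, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        goto cleanup;
    n = write(fd, "original\n", 9);
    close(fd);
    if (n != 9)
        goto cleanup;

    /* the attacker wins the race: the temp name now points at the victim */
    if (symlink(victim, tmpname) != 0)
        goto cleanup;

    /* the privileged agent creates its temp file and writes to it */
    fd = use_safe_open ? create_temp_safe(tmpname) : create_temp_unsafe(tmpname);
    if (fd >= 0) {
        n = write(fd, payload, strlen(payload));
        (void)n;
        close(fd);
    }

    /* did the victim's content change? */
    fd = open(victim, O_RDONLY);
    n = fd >= 0 ? read(fd, buf, sizeof buf - 1) : -1;
    if (fd >= 0)
        close(fd);
    buf[n > 0 ? n : 0] = '\0';
    modified = strcmp(buf, "original\n") != 0;

cleanup:
    unlink(tmpname);
    unlink(victim);
    rmdir(dir);
    return modified;
}

int main(void)
{
    printf("unsafe open: victim overwritten = %d\n", symlink_attack_succeeds(0));
    printf("safe open:   victim overwritten = %d\n", symlink_attack_succeeds(1));
    return 0;
}
```

Compile and run as an ordinary user: the unsafe variant reports 1 (the write went through the link into the victim), the safe variant 0 (open() fails with EEXIST and nothing is written). In a real setuid program the fix is mkstemp() or an equivalent that combines O_EXCL with an unpredictable name: O_NOFOLLOW alone is not enough, because it only checks the final path component and does nothing against a hard link placed at the predictable name, whereas O_EXCL rejects any pre-existing entry.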
Mac OS | Vulnerability in FWB Hard Disk Toolkit: L0pht
FWB Hard Disk Toolkit 2.5 allows users to password-protect hard drive volumes. The password has to be entered when the hard disk driver loads in order for the volume to mount; without it the volume does not mount and the data on the device cannot be accessed. By forcibly replacing the FWB driver with a different driver it is possible to access the data on a password-protected volume without knowing the password. Further information about this vulnerability can be found in the advisory.
© 1998 Dr. Matthias Leu, EDV Beratung fuer Internet/Intranet, last update: January 11, 1999, 00:16 +0000