News December 1997


Most of the links lead to the corresponding files at CERT or other organisations, so changes there are reflected immediately, in particular which patches should be installed or which configuration changes should be made to avoid a vulnerability. Most of the files are transferred by FTP.
By the way: if we do not publish a well-known risk inherent in a widely used platform or program, that does not mean this particular platform or program is safe to use!


RADIUS Vulnerability in Livingston RADIUS 1.16: SNI-22, ERS-146.1
An exploitable stack overrun is present in the RADIUS accounting code in Livingston RADIUS 1.16. The problem occurs as a result of inverse resolution of IP addresses to hostnames: the accounting routine rad_accounting() copies the resolved hostname to a buffer on its stack without checking the length of the hostname first. As a result of this bug, an attacker who controls the DNS server for any IP address can configure the records for that address to resolve to a name too large for the RADIUS server's buffer; the characters in the hostname, which overwrite the server's stack, can contain machine code that the server will be forced to execute.
This vulnerability also exists in Ascend RADIUS, which is based on Livingston RADIUS 1.16. Merit RADIUS does not seem to be vulnerable.
An upgrade to Livingston RADIUS 2.0.1 is recommended; at least the patch (version 1.16.1) should be installed. A patch for the RADIUS source code is available.
Cisco 7xx Vulnerability by password buffer overflow: Cisco, I-020, ERS-142.1
Some Cisco 7xx routers may crash if the password given at login is far too long. Under some circumstances the attacker may gain control of the router.
Cisco points out a workaround in the advisory.
MS Office Infected Files on a CD from PC FORMAT
The December issue of the British magazine PC FORMAT includes two bonus CDs. One of them contains three infected files:
\TECH\COMMAND\SOLOINFO.TXT
\TECH\COMMAND\SOLOPR~1.TXT
\TECH\COMMAND\COMPAT~1.TXT
These files are Word documents whose extension has been changed from .doc to .txt. All three files are infected with WM/Imposter.E. Further information is provided by DataFellows.
CrackLib Buffer overflow in CrackLib: VB-97.16, S-97-91, ERS-145.1
Alec Muffett has found a vulnerability in CrackLib: a weakness in a published version of CrackLib (v2.5, dated 1993) may be open to exploitation on Unix systems utilising CrackLib in setuid-root software, leading to compromise of system privileges.
A revised version has been released by Alec Muffett, which can also be downloaded from DFN-CERT.
Solaris 2.3 - 2.6 (x86) Vulnerability with Intel processors: SUN Security Bulletin #00161, S-97-92, ERS-147.1
Intel processors have instruction combinations that, when executed, produce illegal instruction traps. This is a normal part of every CPU manufactured and is how new instructions are generally emulated on older hardware.
A specific sequence of instructions, starting with the byte codes F0 0F (hex), causes Pentium processors to lock up. This lockup wedges the entire system, requiring a hard reset to correct. Systems that allow users to run arbitrary code are vulnerable to this attack: an unprivileged user can crash your system. Further information is given by Intel.
Sun Microsystems has released patches for Solaris x86.
FreeBSD Vulnerability with Intel processors: SA-97:06, ESB-97.159, S-97-88, ERS-139.1
This is the same Pentium problem described under the Solaris entry above: a specific instruction sequence starting with the byte codes F0 0F (hex) locks up the processor, wedging the entire system until a hard reset. Systems that allow users to run arbitrary code are vulnerable: an unprivileged user can crash your system.
A patch has been released by FreeBSD, Inc.
Slackware 3.4 Vulnerability in Dillon crontab / crond (dcron 2.2): KSR-005
The crond that comes with Slackware 3.4 contains a locally exploitable buffer overflow. When crond attempts to run a particular cron job, it takes the user-specified command line and copies it into an automatic variable via vsprintf().
Some addresses for obtaining the patches are listed in the advisory; the patch can also be downloaded from the Slackware server.
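Both the RADIUS entry above and this dcron entry describe the same mistake: copying or formatting input of attacker-controlled length into a fixed-size automatic array with no bound. The following C example is added here as an illustration and is not code from Livingston, Ascend or dcron; the buffer sizes, function names and sample inputs are assumptions. It shows the bounded replacements for the strcpy()-style copy (RADIUS hostname) and the vsprintf() call (dcron command line), each of which refuses input that does not fit instead of overrunning the stack.

```c
#include <stdio.h>
#include <string.h>

/* Buffer sizes are assumptions for this demo, not the sizes used in
   Livingston RADIUS 1.16 or dcron 2.2. */
#define HOSTNAME_BUF 64
#define CMDLINE_BUF  128

/* The pattern the RADIUS advisory describes is an unchecked copy of the
 * resolved hostname into a stack buffer, roughly:
 *     char host[HOSTNAME_BUF];
 *     strcpy(host, hp->h_name);        // length never checked
 * Anything longer than the buffer runs off the end of the stack frame.
 * This bounded version refuses a name that does not fit (including the
 * terminating NUL) and leaves the caller to fall back to the numeric
 * address. Returns 0 on success, -1 if the name is too long. */
int copy_hostname_checked(char *dst, size_t dstsize, const char *hostname)
{
    size_t n = strlen(hostname);
    if (dstsize == 0 || n >= dstsize)
        return -1;
    memcpy(dst, hostname, n + 1);
    return 0;
}

/* dcron's problem is the same mistake via vsprintf(): formatting a
 * user-supplied command line into an automatic array with no length.
 * snprintf() never writes past dstsize, and its return value tells us
 * whether the output was truncated; truncation is treated as an error
 * rather than silently running a cut-off command. Returns the formatted
 * length, or -1 on truncation or encoding error. */
int format_cmdline_checked(char *dst, size_t dstsize, const char *user, const char *cmd)
{
    int n = snprintf(dst, dstsize, "%s: %s", user, cmd);
    if (n < 0 || (size_t)n >= dstsize)
        return -1;
    return n;
}

/* Constructed inputs standing in for a DNS reply of attacker-chosen length
   and for an overlong crontab line. */
int demo_long_hostname(void)
{
    char buf[HOSTNAME_BUF];
    char name[300];
    memset(name, 'A', sizeof name - 1);
    name[sizeof name - 1] = '\0';
    return copy_hostname_checked(buf, sizeof buf, name);   /* -1: rejected */
}

int demo_short_hostname(void)
{
    char buf[HOSTNAME_BUF];
    return copy_hostname_checked(buf, sizeof buf, "nas1.example.net");   /* 0 */
}

int demo_cmdline_fits(void)
{
    char buf[CMDLINE_BUF];
    return format_cmdline_checked(buf, sizeof buf, "alice", "/usr/bin/backup");   /* 22 */
}

int demo_cmdline_overlong(void)
{
    char buf[CMDLINE_BUF];
    char cmd[400];
    memset(cmd, 'x', sizeof cmd - 1);
    cmd[sizeof cmd - 1] = '\0';
    return format_cmdline_checked(buf, sizeof buf, "alice", cmd);   /* -1 */
}
```

The important design choice is that both helpers report failure rather than truncating silently: a RADIUS server that logs a cut-off hostname is harmless, but a cron daemon that executes a cut-off command line is not, so the caller must decide what to do with an oversized input.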
Various systems Vulnerability by FTP bounce: CA-97.27, ESB-97.160, I-018, S-97-89, ERS-141.1
As CERT described earlier in a Tech Tip, there is a vulnerability in some FTP servers. It is pointed out that patches are available but not installed on every server. Without the patch, an attacker may be able to establish a connection between the FTP server machine and an arbitrary port on another system. This connection may be used to bypass access controls that would otherwise apply.
A list of affected FTP servers and systems, as well as links to the corresponding patches, is given in the advisory.
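The bounce attack works because a server honours a PORT command naming a host other than the one the control connection came from. The following C example is added here to show the usual server-side mitigation; it is not code from any of the affected FTP servers, and the function names, the verdict codes and the sample addresses (from the 192.0.2.0/24 documentation range) are assumptions. The PORT argument is assumed to have had its CRLF stripped already.

```c
#include <stdio.h>
#include <stdint.h>

/* Verdicts for a PORT command received on the control connection. */
enum port_verdict {
    PORT_OK = 0,
    PORT_BAD_SYNTAX = 1,   /* not a valid h1,h2,h3,h4,p1,p2 argument */
    PORT_THIRD_PARTY = 2,  /* address differs from the control-connection peer */
    PORT_PRIV_PORT = 3     /* would target a privileged port (< 1024) */
};

/* Parse the RFC 959 PORT argument into a host-order IPv4 address and port.
   Returns 0 on success, -1 on any syntax error or out-of-range octet. */
static int parse_port_arg(const char *arg, uint32_t *ip, uint16_t *port)
{
    unsigned v[6];
    char trailing;
    /* The extra %c must NOT match: exactly six fields and nothing after them. */
    if (sscanf(arg, "%u,%u,%u,%u,%u,%u%c",
               &v[0], &v[1], &v[2], &v[3], &v[4], &v[5], &trailing) != 6)
        return -1;
    for (int i = 0; i < 6; i++)
        if (v[i] > 255)
            return -1;
    *ip = ((uint32_t)v[0] << 24) | (v[1] << 16) | (v[2] << 8) | v[3];
    *port = (uint16_t)((v[4] << 8) | v[5]);
    return 0;
}

/* The bounce mitigation: only open the data connection back to the address
   the control connection came from, and never to a privileged port. */
enum port_verdict check_port_command(const char *arg, uint32_t peer_ip)
{
    uint32_t ip;
    uint16_t port;
    if (parse_port_arg(arg, &ip, &port) != 0)
        return PORT_BAD_SYNTAX;
    if (ip != peer_ip)
        return PORT_THIRD_PARTY;   /* this is the bounce case: refuse it */
    if (port < 1024)
        return PORT_PRIV_PORT;
    return PORT_OK;
}

/* Helper for building host-order addresses from dotted octets. */
uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return ((uint32_t)a << 24) | (b << 16) | (c << 8) | d;
}
```

The peer address comes from getpeername() on the control socket in a real server; here it is passed in so the check can be exercised directly. Rejecting privileged ports closes the variant where a client on the right host still points the data connection at a service such as SMTP.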
Checkpoint Firewall-1 Vulnerability in snmpd: SNI-21, ESB-97.161, ERS-140.1
There is a security problem in Checkpoint Firewall-1 which allows unauthorized users to access the SNMP daemon running on the firewall. This allows outsiders to obtain internal and confidential information about the installation and operation of the firewall and the network it protects, without being traced. Once obtained, this information can be used by potential intruders to find vulnerabilities in the firewall or connected systems. In addition, potential intruders can obtain statistics on the firewall's operation. Software with known vulnerabilities found on the firewall can, in some cases, be exploited immediately to cause a denial of service (DoS).
For a patch, please contact your reseller. If you are a reseller, you can obtain the patch directly from Checkpoint (password-protected).
Please have a look at the configuration hints released by Checkpoint.
Many systems Vulnerability in RPC server, statd: AA-97.29, CA-97.26, I-017, S-97-87, ERS-138.1
Due to insufficient bounds checking on input arguments, which may be supplied by local as well as remote users, it is possible to overwrite the internal stack space of the statd program while it is executing a specific RPC routine. By supplying a carefully designed input argument to the statd program, intruders may be able to force statd to execute arbitrary commands as the user running statd. In most instances, this will be root.
Affected systems, workarounds and patches are pointed out in the advisory.
The advisory concerning SGI is available here.
Solaris 2.3 - 2.5.1 (Sparc and x86) Vulnerability in at: SUN Security Bulletin #00160, S-97-86, ERS-137.1, ESB-97.158
Patches against this vulnerability, reported in CA-97.18, are made available by Sun Microsystems.
SunOS 4.1.4 and 4.1.3_U1 Upgrade of sendmail: SUN Security Bulletin #00159, S-97-85, ERS-136.1, ESB-97.157
An upgrade of sendmail has been released by Sun Microsystems. With this upgrade the current version of sendmail (V8.6.9 plus extensions) is installed on SunOS. It is the same version as shipped with Solaris.
Solaris 2.3 - 2.5.1 (Sparc and x86) Vulnerability in nis-cachemgr: VB-97.15
For this vulnerability, reported in October (SUN Security Bulletin #00155), Sun Microsystems has released additional patches: patch number 101973 has been updated to revision 33 (101973-33), and patch number 101974 has been updated to revision 33 (101974-33).
All systems New CERT Summary: CS-97.06, ERS-135.1, ESB-97.156
Trends in incidents reported to CERT:
1. Continuing IMAP Exploits
2. Increased Root Compromises
3. Attacks using insecure CGI scripts
More information about these and other topics can be found in the document linked above.
Nearly all systems Risks by land.c: RS, Cisco, c't-Ticker (in German), ERS-133.1, CA-97.28, I-019, S-97-90, ERS-143.1
Features of TCP/IP are exploited to kill systems. Affected are systems running Windows 95 and NT as well as several Unix systems, Cisco and Livingston routers and MacOS 8. Linux is not affected by this program but by a modified version, teardrop.c. A special program for attacking systems running Windows NT 4 SP3 is latierra.c.
The CERT advisory points out a workaround as well as vendor-specific solutions.
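The land.c packet is easy to recognise on the wire: a TCP SYN whose source address and port equal its destination address and port, something no legitimate connection attempt produces. The following C example is added here as a detector a packet filter or monitor could apply; it is not code from CERT or any vendor, and the function names, the packet layout helper and the sample addresses (192.0.2.0/24 documentation range) are assumptions. It covers land.c only, not the overlapping-fragment technique of teardrop.c.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Classify one raw IPv4 packet. Returns 1 for the land.c signature (a TCP
   SYN whose source address/port equal its destination address/port), 0 for
   anything else, -1 if the headers are truncated or malformed. */
int is_land_packet(const uint8_t *pkt, size_t len)
{
    if (len < 20)
        return -1;
    if ((pkt[0] >> 4) != 4)
        return 0;                                   /* not IPv4 */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;       /* IP header length incl. options */
    if (ihl < 20 || len < ihl + 20)
        return -1;                                  /* no room for a TCP header */
    if (pkt[9] != 6)
        return 0;                                   /* not TCP */
    uint32_t src = rd32(pkt + 12), dst = rd32(pkt + 16);
    const uint8_t *tcp = pkt + ihl;
    uint16_t sport = rd16(tcp), dport = rd16(tcp + 2);
    uint8_t flags = tcp[13];
    int syn_only = (flags & 0x02) && !(flags & 0x10);   /* SYN set, ACK clear */
    return (src == dst && sport == dport && syn_only) ? 1 : 0;
}

/* Build a 40-byte IPv4+TCP SYN with no options (constructed, not captured). */
static void build_syn(uint8_t out[40], uint32_t src, uint32_t dst, uint16_t sport, uint16_t dport)
{
    memset(out, 0, 40);
    out[0] = 0x45;                       /* version 4, IHL 5 words */
    out[2] = 0; out[3] = 40;             /* total length */
    out[8] = 64;                         /* TTL */
    out[9] = 6;                          /* protocol: TCP */
    out[12] = (uint8_t)(src >> 24); out[13] = (uint8_t)(src >> 16);
    out[14] = (uint8_t)(src >> 8);  out[15] = (uint8_t)src;
    out[16] = (uint8_t)(dst >> 24); out[17] = (uint8_t)(dst >> 16);
    out[18] = (uint8_t)(dst >> 8);  out[19] = (uint8_t)dst;
    out[20] = (uint8_t)(sport >> 8); out[21] = (uint8_t)sport;
    out[22] = (uint8_t)(dport >> 8); out[23] = (uint8_t)dport;
    out[32] = 0x50;                      /* TCP data offset 5 words */
    out[33] = 0x02;                      /* flags: SYN */
}

#define HOST_A 0xC000020AU   /* 192.0.2.10, constructed example address */
#define HOST_B 0xC0000214U   /* 192.0.2.20, constructed example address */

/* A land-style SYN: source and destination identical. */
int demo_land(void)
{
    uint8_t p[40];
    build_syn(p, HOST_A, HOST_A, 139, 139);
    return is_land_packet(p, sizeof p);   /* 1 */
}

/* An ordinary SYN from another host to the same service. */
int demo_normal(void)
{
    uint8_t p[40];
    build_syn(p, HOST_B, HOST_A, 40000, 139);
    return is_land_packet(p, sizeof p);   /* 0 */
}

/* The same land packet cut short of a full TCP header. */
int demo_truncated(void)
{
    uint8_t p[40];
    build_syn(p, HOST_A, HOST_A, 139, 139);
    return is_land_packet(p, 30);         /* -1 */
}
```

In practice the same condition (source equals destination) is what the vendor fixes reject at the IP input path, so a monitor that sees such a packet on an external interface is also seeing a spoofed source address, which is worth an ingress-filtering rule of its own.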


© 1998 Dr. Matthias Leu, EDV Beratung für Internet/Intranet, last update: 18.01.1998