News December 1998


Most of the links lead to the corresponding files at CERT or other organisations, so changes there take effect immediately, in particular which patches should be installed or which configuration changes should be made to avoid a given vulnerability. Most of the files are transferred by ftp.
By the way: if we do not publish a well-known risk inherent in a widely used platform or program, that does not mean this particular platform or program is safe to use!


NetBSD 1.3.2 and prior; NetBSD-current up to 19981120

Problem with mmap(2) and many drivers: ERS-143, ESB-98.181
The NetBSD character device d_mmap driver-provided service entry is called by the device page fault routine to check for valid access and to return a machine-dependent value (normally a physical address or a page frame number) used to create a virtual-to-physical address mapping. One of the arguments to the d_mmap() routine is `int offset;', which is a signed value. Many of the device drivers which implement mmap access do not properly check for negative values, each having different failure modes.
The NetBSD d_mmap interface was inherited by NetBSD from 4.4BSD, and there may be problems in other 4.4BSD-derived operating systems.
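The following C fragment is an added illustration of the class of defect described above; it is not NetBSD's driver code. A hypothetical device mmap entry that uses the signed offset without checking it is shown beside the checked form, and a small helper tests whether a returned page frame actually lies inside the device's own range. The page size, device base address and device size are constants constructed for the example; the -1 "no mapping" return follows the 4.4BSD d_mmap convention.

```c
#include <stdio.h>

/* Constructed constants for the example: a device exposing 16 pages of
 * mappable memory at a fixed physical base. Not real NetBSD values. */
#define PAGE_SIZE     4096UL
#define DEV_NPAGES    16UL
#define DEV_PHYS_BASE 0x10000000UL

/* Hypothetical driver entry in the unsafe style the advisory describes:
 * the signed offset is used as an index without a sign or bounds check.
 * A negative offset wraps when converted to unsigned and yields a page
 * frame that lies outside the device. */
long dev_mmap_unchecked(int offset) {
    unsigned long pa = DEV_PHYS_BASE + (unsigned long)offset;
    return (long)(pa / PAGE_SIZE);
}

/* Checked form: reject negative offsets first, then offsets beyond the
 * device, and only then compute the page frame. -1 means "no mapping",
 * which is the 4.4BSD d_mmap convention for refusing the access. */
long dev_mmap_checked(int offset) {
    if (offset < 0)
        return -1;                               /* sign check */
    if ((unsigned long)offset >= DEV_NPAGES * PAGE_SIZE)
        return -1;                               /* bounds check */
    unsigned long pa = DEV_PHYS_BASE + (unsigned long)offset;
    return (long)(pa / PAGE_SIZE);
}

/* Audit helper: does a page frame returned by d_mmap lie inside the
 * device's own range? Any frame outside it would map foreign memory. */
int frame_in_device(long frame) {
    if (frame < 0)
        return 0;
    unsigned long base = DEV_PHYS_BASE / PAGE_SIZE;
    return (unsigned long)frame >= base &&
           (unsigned long)frame < base + DEV_NPAGES;
}

int main(void) {
    /* Constructed sample offsets: a valid one, a negative one, one past the end. */
    int samples[] = { 0, 15 * 4096, -4096, 16 * 4096 };
    for (unsigned i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        long u = dev_mmap_unchecked(samples[i]);
        long c = dev_mmap_checked(samples[i]);
        printf("offset %7d: unchecked frame %ld (in device: %d), "
               "checked frame %ld (in device: %d)\n",
               samples[i], u, frame_in_device(u), c, frame_in_device(c));
    }
    return 0;
}
```

Running it shows the failure mode the advisory alludes to: for the negative offset the unchecked entry hands back a frame just below the device base, which the page fault routine would happily map, while the checked entry refuses it with -1.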
Windows NT 4.0 (Workstation, Server, Enterprise Edition, Terminal Server Edition)

Named pipes over the Remote Procedure Call (RPC) services can be used to create a denial of service: ERS-144, MS98-017, ESB-98.180
The underlying problem is the way that Windows NT 4.0 attempts to shut down invalid named pipe RPC connections. An attacker could exploit this problem to create a denial of service condition by opening multiple named pipe connections and sending random data. When the RPC service attempts to close the invalid connections, the service consumes all CPU resources and memory use grows considerably, which may result in the system hanging.
The problem is described in the Microsoft Knowledge Base: Q195733
Microsoft has a patch (HotFix) for this problem for x86 and for Alpha.
IRIX 6.2 to 6.5.1

In the autofsd daemon (which is installed by default) a security hole allowing root access has been discovered: ERS-145, RSI.0010, ESB-98.182, ESB-98.187
This problem has been heavily discussed in the respective newsgroups. The vulnerability can be exploited remotely by using carefully crafted network packets that are sent to the autofsd(1M) daemon. This can lead to a root compromise. Patches are available at SGI's public server:
sgigate.sgi.com, in ~ftp/security and ~ftp/patches.
If it's not possible to install the patches immediately, instructions to disable the autofs(1M) daemon, thereby removing the vulnerability, can be found at: ERS-145
Also see the ONC3/NFS Administrator's Guide at http://techpubs.sgi.com/library
HP-UX

For the problem concerning undocumented SNMP community strings (mentioned in November) patches are now available: HP Security Bulletin #00088, ERS-146, ESB-98.183, ESB-98.190, J-022. Further information can be found there.
The mail-spamming problem in several releases of sendmail on HP-UX is solved (ERS-147, ESB-98.185, J-022) for operating system versions 10.20, 10.30 and 11.0, and by upgrades of versions 10.00, 10.01 and 10.10 to sendmail version 8.8.6:
http://www.software.hp.com/software/HPsoftware/Sendmail/index.html
Meanwhile, patches are available for the security problems concerning the remote commands
remshd(1M), rexecd(1M), rlogind(1M), rlogin(1), remsh(1), rcp(1), rexec(1), and rdist(1).
Information on this topic can be found at ERS-148, J-022
IRIX 6.4, 6.5, and 6.5.1 on Origin and Onyx2 computers

The fcagent(1m) daemon, installed by default on Origin and Onyx2 platforms running IRIX 6.4 and higher, can be used remotely to create a denial of service: S-98-78, ERS-149, J-020
The vulnerability can be exploited to render the FibreVault unavailable.
Patches are available on SGI's public server:
sgigate.sgi.com, in ~ftp/security and ~ftp/patches.
If it's not possible to install the patches immediately, SGI recommends disabling the fcagent(1m) daemon until the patches can be installed.
Instructions can be found at ERS-149
Microsoft Excel

Microsoft has released a patch that fixes a vulnerability in Excel that could allow executables to be run from within a worksheet via the CALL function without a warning to the user:
ERS-150, MS98-018, ESB-98.188
If the executable called by the function is malicious, a worksheet containing this function could represent a security risk to customers.
Microsoft's patch eliminates the vulnerability by disabling the CALL function on a worksheet, where it is used very infrequently; however, it does not disable the function when used within macros. For a description of the problem see the Microsoft Knowledge Base at: Q196791
The patch (HotFix) is available at
http://support.microsoft.com/support/articles/q196/7/91.asp
FreeBSD prior to Oct. 26, 1998

Due to a bug in the IP fragment reassembly code, IP packet fragmentation might lead to a kernel panic, causing a server to crash: ESB-98.169
When this bug is exploited the operating system will panic. This results in a reboot of the system. This vulnerability has been discussed in public security forums, and exploit programs are circulating to take advantage of this bug.
A solution is described in the mentioned bulletin.
Cisco IOS DFS, 7xxx family

The distributed fast switching (DFS) functionality of Cisco 7xxx family routers configured for this service may allow users to send IP packets to parts of the network for which they are not authorized: ESB-98.170
There are two independent vulnerabilities, which have been given the Cisco bug IDs CSCdk35564 and CSCdk43862. Each vulnerability affects only a specialized subset of DFS configurations. Affected configurations are not believed to be extremely common, but neither are they extremely rare. For details and who is affected see the mentioned bulletin: ESB-98.170
Red Hat Linux 4.2, 5.0, and 5.1

Red Hat released the following patches, fixing the vulnerabilities in zgv and svgalib: ESB-98.171

* Red Hat Linux 4.2: 
==================== 
i386: 
rpm -Uvh ftp://updates.redhat.com/4.2/i386/svgalib-1.2.13-0.1.i386.rpm
rpm -Uvh ftp://updates.redhat.com/4.2/i386/svgalib-devel-1.2.13-0.1.i386.rpm
rpm -Uvh ftp://updates.redhat.com/4.2/i386/zgv-3.0-0.4.2.i386.rpm
source: 
rpm -Uvh ftp://updates.redhat.com/4.2/SRPMS/svgalib-1.2.13-0.1.src.rpm
rpm -Uvh ftp://updates.redhat.com/4.2/SRPMS/zgv-3.0-0.4.2.src.rpm

* Red Hat Linux 5.0: 
==================== 
i386: 
rpm -Uvh ftp://updates.redhat.com/5.0/i386/svgalib-1.2.13-6.i386.rpm
rpm -Uvh ftp://updates.redhat.com/5.0/i386/svgalib-devel-1.2.13-6.i386.rpm
rpm -Uvh ftp://updates.redhat.com/5.0/i386/zgv-3.0-0.5.0.i386.rpm
source: 
rpm -Uvh ftp://updates.redhat.com/5.0/SRPMS/svgalib-1.2.13-6.src.rpm
rpm -Uvh ftp://updates.redhat.com/5.0/SRPMS/zgv-3.0-0.5.0.src.rpm

* Red Hat Linux 5.1: 
==================== 
i386: 
rpm -Uvh ftp://updates.redhat.com/5.1/i386/svgalib-1.2.13-6.i386.rpm
rpm -Uvh ftp://updates.redhat.com/5.1/i386/svgalib-devel-1.2.13-6.i386.rpm
rpm -Uvh ftp://updates.redhat.com/5.1/i386/zgv-3.0-4.1.i386.rpm
source: 
rpm -Uvh ftp://updates.redhat.com/5.1/SRPMS/svgalib-1.2.13-6.src.rpm
rpm -Uvh ftp://updates.redhat.com/5.1/SRPMS/zgv-3.0-4.1.src.rpm

* Red Hat Linux 5.2: 
==================== 
i386: 
rpm -Uvh ftp://updates.redhat.com/5.2/i386/svgalib-1.3.0-3.i386.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/i386/svgalib-devel-1.3.0-3.i386.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/i386/zgv-3.0-6.i386.rpm
source: 
rpm -Uvh ftp://updates.redhat.com/5.2/SRPMS/svgalib-1.3.0-3.src.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/SRPMS/zgv-3.0-6.src.rpm

Red Hat Linux 4.2 and prior; all versions that use libc 5 packages

In all versions of the libc 5 packages delivered with Red Hat Linux a vulnerability due to a buffer overflow has been discovered: ESB-98.172
The following patches are available:

Red Hat Linux 4.2: 
================== 
i386: 
rpm -Uvh ftp://updates.redhat.com/4.2/i386/libc-5.3.12-18.4.i386.rpm
rpm -Uvh ftp://updates.redhat.com/4.2/i386/libc-debug-5.3.12-18.4.i386.rpm
rpm -Uvh ftp://updates.redhat.com/4.2/i386/libc-devel-5.3.12-18.4.i386.rpm
rpm -Uvh ftp://updates.redhat.com/4.2/i386/libc-profile-5.3.12-18.4.i386.rpm
rpm -Uvh ftp://updates.redhat.com/4.2/i386/libc-static-5.3.12-18.4.i386.rpm
sparc: 
rpm -Uvh ftp://updates.redhat.com/4.2/sparc/libc-5.3.12-18.4.sparc.rpm
rpm -Uvh ftp://updates.redhat.com/4.2/sparc/libc-debug-5.3.12-18.4.sparc.rpm
rpm -Uvh ftp://updates.redhat.com/4.2/sparc/libc-devel-5.3.12-18.4.sparc.rpm
rpm -Uvh ftp://updates.redhat.com/4.2/sparc/libc-profile-5.3.12-18.4.sparc.rpm
rpm -Uvh ftp://updates.redhat.com/4.2/sparc/libc-static-5.3.12-18.4.sparc.rpm
Source rpm: 
rpm -Uvh ftp://updates.redhat.com/4.2/SRPMS/libc-5.3.12-18.4.src.rpm

Red Hat Linux 5.0, 5.1 and 5.2: 
=============================== 
i386: rpm -Uvh ftp://updates.redhat.com/5.2/i386/libc-5.3.12-28.i386.rpm
Source rpm: rpm -Uvh ftp://updates.redhat.com/5.2/SRPMS/libc-5.3.12-28.src.rpm

Red Hat Linux

A buffer overflow has been identified in all versions of the sysklogd packages shipped with Red Hat Linux: ESB-98.175
Although there are no known exploits of this security vulnerability, patches are available that prevent potential attacks:

Red Hat Linux 4.2: 
================== 
alpha: rpm -Uvh ftp://updates.redhat.com/4.2/alpha/sysklogd-1.3-16.alpha.rpm
i386: rpm -Uvh ftp://updates.redhat.com/4.2/i386/sysklogd-1.3-16.i386.rpm
sparc: rpm -Uvh ftp://updates.redhat.com/4.2/sparc/sysklogd-1.3-16.sparc.rpm
Source rpm: rpm -Uvh ftp://updates.redhat.com/4.2/SRPMS/sysklogd-1.3-16.src.rpm

Red Hat Linux 5.0, 5.1 and 5.2: 
=============================== 
alpha: rpm -Uvh ftp://updates.redhat.com/5.2/alpha/sysklogd-1.3-26.alpha.rpm
i386: rpm -Uvh ftp://updates.redhat.com/5.2/i386/sysklogd-1.3-26.i386.rpm
sparc: rpm -Uvh ftp://updates.redhat.com/5.2/sparc/sysklogd-1.3-26.sparc.rpm
Source rpm: rpm -Uvh ftp://updates.redhat.com/5.2/SRPMS/sysklogd-1.3-26.src.rpm

Red Hat Linux 5.2

In the samba-1.9.18p10-3 RPMs distributed with Red Hat 5.2 there is a security vulnerability. The problem is the installation permissions of the /usr/sbin/wsmbconf binary: the RPM installs wsmbconf as a setgid binary owned by group root and executable by all users: ESB-98.176
The recommendation is to remove the file from the system (rm -f /usr/sbin/wsmbconf) or to install one of the following updates:

Red Hat Linux 5.2: 
================== 
alpha: rpm -Uvh ftp://updates.redhat.com/5.2/alpha/samba-1.9.18p10-4.alpha.rpm
i386: rpm -Uvh ftp://updates.redhat.com/5.2/i386/samba-1.9.18p10-4.i386.rpm
sparc: rpm -Uvh ftp://updates.redhat.com/5.2/sparc/samba-1.9.18p10-4.sparc.rpm
Source rpm: rpm -Uvh ftp://updates.redhat.com/5.2/SRPMS/samba-1.9.18p10-4.src.rpm

Red Hat Linux up to 5.2

The security vulnerability mentioned above exists in all versions of Red Hat Linux. Additional fixes are available at:

Red Hat Linux 4.2: 
================== 
alpha: rpm -Uvh ftp://updates.redhat.com/4.2/alpha/samba-1.9.18p10-0.alpha.rpm
i386: rpm -Uvh ftp://updates.redhat.com/4.2/i386/samba-1.9.18p10-0.i386.rpm
sparc: rpm -Uvh ftp://updates.redhat.com/4.2/sparc/samba-1.9.18p10-0.sparc.rpm
Source rpm: rpm -Uvh ftp://updates.redhat.com/4.2/SRPMS/samba-1.9.18p10-0.src.rpm

Red Hat Linux 5.0, 5.1 and 5.2: 
=============================== 
alpha: rpm -Uvh ftp://updates.redhat.com/5.2/alpha/samba-1.9.18p10-5.alpha.rpm
i386: rpm -Uvh ftp://updates.redhat.com/5.2/i386/samba-1.9.18p10-5.i386.rpm
sparc: rpm -Uvh ftp://updates.redhat.com/5.2/sparc/samba-1.9.18p10-5.sparc.rpm
Source rpm: rpm -Uvh ftp://updates.redhat.com/5.2/SRPMS/samba-1.9.18p10-5.src.rpm
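As an added example serving both Samba entries above (the Red Hat 5.2 one and the "up to 5.2" one), and not Red Hat's or Samba's own code, the following C program performs the check an administrator would want after reading them: it reports whether a binary is installed setgid and executable by others, the combination the advisory describes for /usr/sbin/wsmbconf. The fixture path and mode are constructed so the check can be exercised without touching the real file; the function name is hypothetical.

```c
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>

/* Returns 1 if the regular file at path carries the setgid bit AND is
 * executable by "others" (the risky combination from the advisory),
 * 0 if it does not, and -1 if the file cannot be stat'ed (e.g. already
 * removed with rm -f as the advisory suggests). */
int is_world_exec_setgid(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    if (!S_ISREG(st.st_mode))
        return 0;
    int setgid = (st.st_mode & S_ISGID) != 0;   /* group-id bit set */
    int oexec  = (st.st_mode & S_IXOTH) != 0;   /* executable by all users */
    return setgid && oexec;
}

/* Constructed fixture: create an empty file and give it the requested
 * mode (e.g. 02755, the shape the advisory warns about) so the check can
 * be run without a real wsmbconf. Returns 0 on success, -1 on failure. */
int make_fixture(const char *path, mode_t mode) {
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        return -1;
    close(fd);
    return chmod(path, mode);
}

int main(void) {
    /* Path from the advisory; on a patched or cleaned system this reports -1 or 0. */
    const char *real = "/usr/sbin/wsmbconf";
    int r = is_world_exec_setgid(real);
    if (r < 0)
        printf("%s: not present (stat failed)\n", real);
    else
        printf("%s: %s\n", real, r ? "SETGID AND WORLD-EXECUTABLE: review or remove"
                                   : "permissions do not match the advisory");

    /* Constructed fixture to show the detection firing and then clearing. */
    const char *fix = "/tmp/wsmbconf_fixture";
    if (make_fixture(fix, 02755) == 0) {
        printf("fixture 02755 -> %d\n", is_world_exec_setgid(fix));
        chmod(fix, 0755);
        printf("fixture 0755  -> %d\n", is_world_exec_setgid(fix));
        unlink(fix);
    }
    return 0;
}
```

The check only answers the question the advisory poses (setgid plus world-executable); whether a setgid binary is actually dangerous depends on what it does, so the result is a prompt to review, not a verdict on its own.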

Microsoft Windows systems running IIS or the Windows Scripting System

The risk caused by the recently discovered HTML viruses seems to be moderate: J-018
A web page stored locally can be infected by this type of virus, which utilizes the VBScript runtime libraries.
An exact description and the history of this security problem can be found in the CIAC security bulletin mentioned above.
Protection is possible:
1) If you need the Scripting Runtime Libraries for your active web pages, e.g. for database access, make sure your antivirus software is up to date and active.
2) If you are not using Active Server Pages or the Windows Scripting Host, you can delete the library from your system: remove the file
$WINDIR\system32\scrrun.dll
To see whether you are vulnerable, open the following HTML page on your system:

------------------------cut here--------------------------
<html>
<head>
<title>HTML Virus Vulnerability Test</title>
</head>
<body>
<H1>Listing Of The Root Directory</H1>
<P> This web page will list the files in your root directory if the
Scripting Run-time Library is installed and registered. If it is not
installed and registered, this web page generates a script error.
<P><B>Files In The Root Directory (\)</B><BR>
<script language="VBScript">
<!--

  'This code should create a file system object, open the root file system
  'of the current drive and display the list of files found there in the 
  'web page. If the Scripting Run-time Library is not installed, this
  'script will fail on the line containing "CreateObject".

  Dim fso, f, f1, fc
  Set fso = CreateObject("Scripting.FileSystemObject")
  Set f = fso.GetFolder("\")
  Set fc = f.Files
  For Each f1 in fc
    document.write f1.name & "<br>"
  Next

-->
</script>

</body>
</html>
------------------------cut here--------------------------

These tips are from CIAC's Security Bulletin J-018.

Several patches for SunOS

For several buffer overflows recently discovered in the widely used dtmail mail user agent for Sun Solaris/Common Desktop Environment (CDE), patches are now available: SUN Security Bulletin #00181, ESB-98.193, S-98-76, ERS-153, J-021

BIND patch for Solaris

CERT Advisory CA-98.05 (I-044a) reported several months ago three very problematic security problems in current BIND distributions, allowing a remote intruder to gain root-level access or to create a denial of service at a name server. Affected are all versions of Solaris/SunOS 2.3 and higher.
Additionally, a tool which allows even inexperienced users to exploit these vulnerabilities has become known.
Patches that fix these problems can be found at Sun's Security Bulletin #00180, ESB-98.192, S-98-77, ERS-152
IRIX and UNICOS; moreover:
Solaris 2.3 - 2.6, SunOS 4.1 and 4.1.3_U1,
HP-UX 10.10 - 11.00,
IRIX 5.3 - 6.4,
AIX 4.1.x - 4.3.x,
TriTeal CDE - TED up to V. 4.3,
Xi Graphics Maximum CDE v1.2.3

The possibility of a stack overflow in the ToolTalk RPC service is reported: NAI-29, CERT CA-98.11, ESB-98.179, ERS-142, SGI-9981101, S-98-78
This stack overflow enables an intruder to run arbitrary code on hosts supporting ToolTalk. The affected program runs on many popular UNIX operating systems supporting CDE and on some OpenWindows installations. Because ToolTalk runs with root privileges, these commands are also executed in "superuser mode".
This vulnerability is being actively exploited.
Silicon Graphics recommends disabling rpc.ttdbserverd; this recommendation should also apply to other systems. Instructions can be found in each of the bulletins mentioned above.
Sun Solaris 2.3 - 2.6 (SPARC and x86)

In the passwd command utility, used to change passwords and their attributes, a vulnerability has been discovered which could be exploited to create a denial of service. See SUN Security Bulletin #00182, ESB-98.194, S-98-79, ERS-154, J-021
The following patches solve the problem:

Operating System    Patch ID
Solaris 2.6         106271-04
Solaris 2.6_x86     106272-04
Solaris 2.5.1       104433-09
Solaris 2.5.1_x86   104434-08
Solaris 2.5         103178-09
Solaris 2.5_x86     103179-09
Solaris 2.4         101945-60
Solaris 2.4_x86     101946-53
Solaris 2.3         101318-91


© 1999 Dr. Matthias Leu, EDV Beratung fuer Internet/Intranet, last update: January 16, 1999, 11:18 +0000