@RISK: The Consensus Security Vulnerability Alert

Volume: II, Issue: 50
December 11, 2003

The biggest new risk this week affects Linux systems used by a very large number of organizations. This pair of vulnerabilities demonstrates how a medium risk vulnerability can have as big an impact as a very critical vulnerability when it is paired with other vulnerabilities. We point this out in the hope that you might not ignore vulnerabilities that allow root privileges but demand the attacker already have local user privileges. If local user privileges can be obtained using one vulnerability, then the vulnerability allowing escalation to root becomes critical, indeed. These Linux vulnerabilities are being actively exploited. Alan

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                        # of Updates & Vulnerabilities
    Other Microsoft Products        1 II
    Third Party Windows Apps        3 I & II
    Mac OS                          1 II
    Linux                           1 I & II
    Novell                          1 II
    UNIX                            3 II
    Cross Platform                  6 I & II
    Web Server & Application        9 II
    Network Device                  3 II

PART I Critical Vulnerabilities

[Compiled by the security team at TippingPoint (www.tippingpoint.com) as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process]

Other Software
  • (4) MODERATE: Yahoo! Messenger YAuto.dll Buffer Overflow
    Affected Products: Yahoo! Messenger 5.6.0.1347 and prior
    Description: Yahoo! Messenger's YAuto.dll ActiveX control is reportedly vulnerable to a buffer overflow. The overflow

Widely Deployed Software
  • (1) HIGH: Linux rsync Heap Overflow
    Affected Products: Linux rsync versions 2.x prior to 2.5.7
    Description: The rsync utility is used to synchronize directories and files residing on different Linux machines. By default, the rsync server
    Council Site Actions: All but two of the reporting council sites are using the affected software and have actions planned. Most of these sites plan to deploy the patch during their normal system update cycle. Several sites do not plan any actions since they have very limited deployments of rsync and this is a local exploit only. Several sites also commented that they use rsync only in conjunction with ssh; hence, a user must already have an account on the local system to exploit the vulnerability. Thus, these sites either took no action or plan to deploy the patches during the normal system update process.
    References:
      rsync Security Advisory: http://archives.neohapsis.com/archives/bugtraq/2003-12/0052.html
      CERT Vulnerability Note: http://www.kb.cert.org/vuls/id/325603
      Differences between rsync versions 2.5.6 and 2.5.7: http://samba.org/ftp/rsync/rsync-2.5.6-2.5.7.diff.gz
      rsync Homepage: http://rsync.samba.org
      Secunia Advisory: http://www.secunia.com/advisories/10353
      SecurityFocus BID: http://www.securityfocus.com/bid/9153

  • (2) MODERATE: Linux Kernel do_brk() Privilege Escalation Vulnerability
    Affected Products: Linux kernel versions prior to 2.4.23
    Description: A local privilege escalation vulnerability has been discovered in the do_brk() function of all Linux

  • (3) MODERATE: eZmeeting eZ Software Multiple Buffer Overflows
    Affected Products: eZ version 3.5.0 and prior; eZphotoshare version 1.1 and prior
    Description: eZmeeting's eZ software suite is designed to facilitate meetings and interacti
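Added here as an example, not text or code from the bulletin or from the rsync or kernel projects: a POSIX shell audit that compares a host's rsync and kernel versions against the fixed releases named in items (1) and (2) above, and flags the case where both are present, which is the pairing the editorial warns about. The `rsync --version` sample text is constructed, and the version-string parsing (the sed pattern, dropping the distro suffix after `-`) is an assumption about how those tools format their output.

```shell
# Added example, not from the @RISK bulletin: audits a Linux host against the
# two Part I thresholds, rsync < 2.5.7 (heap overflow) and kernel < 2.4.23
# (do_brk() privilege escalation), and flags when both are present, since the
# editorial's point is that the pair together behaves like one critical flaw.

# version_lt A B: true when dotted version A is numerically below B
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ "$a" = "$ai" ] && a="" || a="${a#*.}"
        [ "$b" = "$bi" ] && b="" || b="${b#*.}"
        [ "${ai:-0}" -lt "${bi:-0}" ] && return 0
        [ "${ai:-0}" -gt "${bi:-0}" ] && return 1
    done
    return 1
}

# rsync_version_from OUTPUT: pulls "2.5.6" out of the text `rsync --version` prints (assumed format)
rsync_version_from() {
    printf '%s\n' "$1" |
        sed -n 's/^rsync[[:space:]]*version[[:space:]]*\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# kernel_base_version RELEASE: "2.4.20-8smp" -> "2.4.20" (drops the distro suffix)
kernel_base_version() {
    printf '%s\n' "${1%%-*}"
}

# audit RSYNC_OUTPUT KERNEL_RELEASE: one line per finding; returns 1 if anything is flagged
audit() {
    rv=$(rsync_version_from "$1")
    kv=$(kernel_base_version "$2")
    hits=0
    if [ -n "$rv" ] && version_lt "$rv" 2.5.7; then
        echo "rsync $rv < 2.5.7: heap overflow (Part I, item 1)"; hits=$((hits + 1))
    fi
    if version_lt "$kv" 2.4.23; then
        echo "kernel $kv < 2.4.23: do_brk() local privilege escalation (Part I, item 2)"; hits=$((hits + 1))
    fi
    [ "$hits" -eq 2 ] && echo "both present: remote rsync bug plus local root escalation, treat as critical"
    [ "$hits" -eq 0 ]
}

# Constructed sample input (not captured from a real host); on a live host use:
#   audit "$(rsync --version 2>/dev/null)" "$(uname -r)"
SAMPLE_RSYNC='rsync  version 2.5.6  protocol version 26
Copyright (C) 1996-2002 by Andrew Tridgell and others'
audit "$SAMPLE_RSYNC" '2.4.20-8smp' || echo "host needs patching"
```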
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 50, 2003

This list is compiled by Qualys (www.qualys.com) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 3114 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • CVE: Not Available
    Platform: Other Microsoft Products
    Title: Microsoft Internet Explorer URL spoofing vulnerability
    Description: A vulnerability has been reported in Microsoft Internet Explorer that allows an attacker to display a fake URL in the address bar. This vulnerability can be used to gain sensitive information by faking a trusted web page.
    Ref: http://www.secunia.com/advisories/10395/

(c) 2003. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==END OF PART II==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.

To subscribe, at no cost, go to https://portal.sans.org where you may also request subscriptions to any of SANS' other free newsletters.

To change your subscription, address, or other information, visit http://portal.sans.org

Copyright 2003. All rights reserved. No posting or reuse allowed, other than as listed above, without prior written permission.