
@RISK: The Consensus Security Vulnerability Alert

Volume: III, Issue: 44
November 8, 2004

Java System Web Proxy Server users will have some work to do patching this week.

If any of you have a chance to attend a security training class this fall, definitely try to make it to Washington, DC, the second week of December. Phenomenal teachers and up-to-the-minute, practical material. Details at http://www.sans.org/cdieast04

Alan

@RISK is the SANS community's consensus bulletin summarizing the most important vulnerabilities and exploits identified during the past week and providing guidance on appropriate actions to protect your systems (PART I). It also includes a comprehensive list of all new vulnerabilities discovered in the past week (PART II).

Summary of the vulnerabilities reported this week:

    Category                      # of Updates & Vulnerabilities
    Other Microsoft Products      1 (#2, #3)
    Third Party Windows Apps      7 (#5)
    Mac Os                        1
    Linux                         2
    Unix                          3 (#6)
    Cross Platform                11 (#1)
    Web Application               6
    Network Device                2 (#4)

********* This Issue Sponsored by Internet Security Systems *************

Keeping Your Organization Ahead of the Threat

All intrusion prevention systems (IPS) are not created equal. Find out the difference between reactive and preemptive IPS appliances. Preemptive IPS solutions shield vulnerabilities AND block threats. Reactive IPS solutions only block attacks. Download the FREE whitepaper, "Defining the Rules of Preemptive Protection: The ISS Intrusion Prevention System," to learn more http://www.iss.net/proof/ipswp/sans/11014

*************************************************************************

Table Of Contents
Part II -- Comprehensive List of Newly Discovered Vulnerabilities from Qualys (www.qualys.com)
Other Microsoft Products
Third Party Windows Apps
Mac Os
Linux
Unix
Cross Platform
Web Application
Network Device

************************** SPONSORED LINKS ******************************

Privacy notice: Sponsored links redirect to non-SANS web pages.

Radware DefensePro secures networked applications against viruses, malicious intrusions and Denial of Service at 3-Gbps. FREE Whitepaper. http://www.sans.org/info.php?id=642

*************************************************************************

Highlighted Cybersecurity Training: Washington, DC, Dec. 7-13, 2004

SANS' best instructors will be in DC teaching great courses for

  • Auditors who want the technical skills so critical to successful audits.
  • Security Managers interested in best practices and SANS' exclusive "security make-over".
  • Security professionals seeking CISSP (a trademark of (ISC)2) certification who want a more effective course.
  • Technical security professionals with hands-on responsibility: Hacker Exploits; Intrusion Detection In-Depth; Introduction to Information Security; SANS Security Essentials; Firewalls, VPNs, and Perimeter Protection; Securing Windows; Securing Linux/Unix; System Forensics, Investigation & Response; .Net Security.
More information at http://www.sans.org/cdieast04

*************************************************************************

PART I Critical Vulnerabilities

Part I is compiled by the security team at TippingPoint (www.tippingpoint.com) as a by-product of that company's continuous effort to ensure that its intrusion prevention products effectively block exploits using known vulnerabilities. TippingPoint's analysis is complemented by input from a council of security managers from twelve large organizations who confidentially share with SANS the specific actions they have taken to protect their systems. A detailed description of the process may be found at http://www.sans.org/newsletters/cva/#process

Widely Deployed Software
  • (1) HIGH: Sun Java System Web Proxy Server Buffer Overflows
  • Affected:
    • Java System Web Proxy Server version 3.6 SP4 and prior
  • Description: The Sun Java System Web Proxy Server (formerly Sun ONE Web Proxy Server) is designed to cache web content and reduce requests to content servers, thereby reducing network traffic and lowering user wait times. The server is used by e-commerce sites, ISPs and large enterprises. This server contains buffer overflow vulnerabilities that may be exploited to execute arbitrary code, typically with the privileges of the "nobody" user. In addition, the administration server for the proxy server also contains buffer overflow vulnerabilities that may be exploited to run arbitrary code on the server with possibly "root" or "SYSTEM" privileges (depending on the platform the server is installed on). According to the discoverer, the flaws in the proxy server can be triggered by a malformed HTTP "CONNECT" request. The complete technical details have not been publicly posted yet.

  • Status: Sun has confirmed; upgrade to SP5 or later. A workaround for the administration server overflow (which may yield maximum privileges to an attacker) is to block access from the Internet to the port the administration server is running on. This port number is configured during the installation of the proxy server.

  • Council Site Actions: Only three of the reporting council sites are using the affected software. One site has already patched their systems, since SP5 came out back in April; also, access to their Admin server is only allowed from localhost with SSH tunneling. The second site notified their UNIX support group and requested that they plan for patching the systems. The third site is still investigating what actions are needed.

  • References:
  • (3) UPDATE: Internet Explorer FRAME Processing Overflow
  • Description: It has been confirmed that the Internet Explorer buffer overflow in processing a malformed "FRAME/IFRAME" element, discussed in last week's @RISK newsletter, can be exploited to execute arbitrary code. The exploit code has been publicly posted. Note that a Windows user faces the risk of being compromised by merely visiting a malicious webpage.

  • Council Site Actions: All of the reporting council sites are waiting on the official release of the patch. Several of the sites have notified their appropriate support groups so they can be prepared once a patch is released.

  • References:
Other Software
  • (5) LOW: Rarlab WinRAR Repair Archive Feature Vulnerability
  • Affected:
    • WinRAR version 3.40 and prior
  • Description: WinRAR is a popular compression tool that has reportedly been downloaded over 20 million times. WinRAR contains a vulnerability in its "repair archive" feature, which can be used to repair damaged archives. An attacker or a virus that can trick a user into repairing a compressed archive may exploit this flaw to possibly compromise the user's system. No technical details have been released yet. More details may be obtained by comparing the fixed and the vulnerable versions of WinRAR.

  • Status: Vendor has confirmed; upgrade to WinRAR 3.41.

  • Council Site Actions: Only one council site is using the affected software. However, WinRAR is not supported by their central IT department; thus they do not plan any action.

  • References:
Patches
Part II: Weekly Comprehensive List of Newly Discovered Vulnerabilities
Week 44, 2004

This list is compiled by Qualys ( www.qualys.com ) as part of that company's ongoing effort to ensure its vulnerability management web service tests for all known vulnerabilities that can be scanned. As of this week Qualys scans for 3838 unique vulnerabilities. For this special SANS community listing, Qualys also includes vulnerabilities that cannot be scanned remotely.


  • 04.44.1 - CVE: Not Available
  • Platform: Other Microsoft Products
  • Title: Internet Explorer URI Spoofing
  • Description: Microsoft Internet Explorer is reportedly vulnerable to URI obfuscation weaknesses. These issues allow a malicious web site to render a spoofed URI in the status bar when a user hovers over a specially crafted link. This URI is different from the one actually opened when the link is clicked on.
  • Ref: http://www.securityfocus.com/archive/1/379903 http://www.securityfocus.com/archive/1/380193

  • 04.44.2 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: F-Secure Anti-Virus Archive Bypass
  • Description: F-Secure Anti-Virus for Microsoft Exchange is mail gateway anti-virus software. A password-protected archive that is nested within another archive containing malicious applications will not be detected and quarantined at the email gateway. F-Secure Anti-Virus for Microsoft Exchange version 6.x is affected.
  • Ref: ftp://ftp.f-secure.com/support/hotfix/fsav-mse/fsavmse63x-02_readme.txt

  • 04.44.3 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: MailPost Remote File Enumeration
  • Description: TIPS MailPost is an HTML form content email application. It is vulnerable to a remote file enumeration issue due to insufficient sanitization of "../" sequences and an explicit error message which allows malicious users to determine whether the file is present on the system. MailPost version 5.1.1sv is known to be vulnerable.
  • Ref: http://www.procheckup.com/security_info/vuln_pr0408.html

  • 04.44.4 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: MailPost Remote Debug Mode Information Disclosure
  • Description: TIPS MailPost is an HTML form content email application. In debug mode MailPost is vulnerable to some information disclosure. TIPS MailPost version 5.1.1sv is known to be vulnerable.
  • Ref: http://www.procheckup.com/security_info/vuln_pr0409.html

  • 04.44.5 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: MailEnable Professional Webmail Vulnerability
  • Description: MailEnable is a POP3 and SMTP server. It is vulnerable to an unspecified remotely exploitable issue. MailEnable Professional versions 1.5 and earlier are vulnerable.
  • Ref: http://www.mailenable.com/professionalhistory.html

  • 04.44.6 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: Cisco Secure Access Control Server Authentication Bypass
  • Description: Cisco Secure Access Control Server is a centralized management server. It is reported to be vulnerable to a remote authentication bypass issue, due to improper validation of user credentials prior to granting access. Secure Access Control Server version 3.3.1 for Windows is reported to be vulnerable.
  • Ref: http://www.cisco.com/en/US/products/products_security_advisory09186a008033320e.shtml

  • 04.44.7 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: ArGoSoft FTP Server Shortcut File Upload Vulnerability
  • Description: ArGoSoft FTP server allows users to upload shortcut (.lnk) files to the server which may be used by attackers to gain access to all files and directories accessible by the FTP server. ArGoSoft FTP server versions 1.4.2.1 and earlier are affected.
  • Ref: http://www.argosoft.com/ftpserver/changelist.aspx

  • 04.44.8 - CVE: Not Available
  • Platform: Third Party Windows Apps
  • Title: MailPost Error Message Cross-Site Scripting
  • Description: MailPost is an HTML form content email application. Insufficient sanitization of the "/" character in the HTTP GET request exposes this issue. MailPost version 5.1.1sv is affected.
  • Ref: http://www.procheckup.com/security_info/vuln_pr0411.html

  • 04.44.9 - CVE: Not Available
  • Platform: Mac Os
  • Title: Safari TABLE Status Bar URI Obfuscation
  • Description: Apple Safari is vulnerable to status bar spoofing when an HREF tag contains an additional HREF tag within a TABLE tag. An attacker could display false information in the status bar so that web pages appear to users to originate from a trusted location. All versions of Safari are known to be vulnerable.
  • Ref: http://www.neoresearch.org/[neo]safari_url_spoof.html

  • 04.44.10 - CVE: Not Available
  • Platform: Linux
  • Title: KOffice PDF Import Filter Integer Overflow
  • Description: The KOffice PDF Import Filter is reportedly vulnerable to an undisclosed integer overflow condition. This could be leveraged to execute arbitrary code on a vulnerable host by supplying a maliciously crafted PDF document to the application.
  • Ref: http://kde.org/areas/koffice/announcements/changelog-1.3.4.php

  • 04.44.11 - CVE: Not Available
  • Platform: Linux
  • Title: Debian ISC DHCPD Package Remote Format String Vulnerability
  • Description: ISC DHCPD is an implementation of the Dynamic Host Configuration Protocol (DHCP) which is distributed with Debian Linux. It is vulnerable to a remote format string issue which may help an attacker to run arbitrary code. ISC DHCPD version 2.0.pl5 is vulnerable to this issue.
  • Ref: http://www.securityfocus.com/archive/1/380188

  • 04.44.12 - CVE: Not Available
  • Platform: Unix
  • Title: Info-ZIP Remote Buffer Overflow
  • Description: The Info-ZIP zip compression utility is reported to be vulnerable to a buffer overflow condition. Successful exploitation of this issue would allow an attacker to execute arbitrary code on the affected computer with the privileges of the user running the affected application. Info-ZIP version 2.3 is reported to be vulnerable.
  • Ref: http://www.hexview.com/docs/20041103-1.txt

  • 04.44.13 - CVE: Not Available
  • Platform: Unix
  • Title: pppd Remote Denial of Service
  • Description: pppd is vulnerable to a remote denial of service condition due to a failure of the application to properly handle invalid input. pppd version 2.4.1 is known to be vulnerable.
  • Ref: http://www.securityfocus.com/advisories/7406

  • 04.44.14 - CVE: Not Available
  • Platform: Unix
  • Title: Bogofilter EMail Filter Remote Denial of Service
  • Description: Bogofilter is an email spam filter. Reportedly, it is vulnerable to a remote denial of service condition when parsing malformed email headers. An attacker can leverage this issue to cause the affected email filter to crash, denying service to all legitimate users. Bogofilter Email Filter 0.92.8 fixes this issue.
  • Ref: http://bogofilter.sourceforge.net/security/bogofilter-SA-2004-01

  • 04.44.15 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Java Application Server HTTP TRACE Information Disclosure
  • Description: Sun Java System Application Server is reportedly vulnerable to a security issue that could allow a remote attacker to steal sensitive information, such as cookie-based authentication credentials. This issue exists due to insufficient sanitization of HTTP TRACE method. Sun Java System Application Server (Sun ONE) version 7.x is affected.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-57670-1

  • 04.44.16 - CVE: Not Available
  • Platform: Cross Platform
  • Title: HP OpenView Remote Privilege Escalation
  • Description: HP OpenView Operations (OVO) provides network and system administration services. Using OVO, an administrator without sufficient privileges may carry out privileged actions on a remote computer. HP OpenView versions 6.x, 7.x and 8.x are affected.
  • Ref: http://www4.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBMA01092

  • 04.44.17 - CVE: Not Available
  • Platform: Cross Platform
  • Title: HTML::Merge Template Parameter File Disclosure
  • Description: HTML::Merge is an embedded scripting tool implemented in Perl. It is vulnerable to a remote file disclosure issue due to insufficient sanitization of user-supplied data. HTML::Merge versions 3.42 and earlier are vulnerable.
  • Ref: http://sourceforge.net/projects/rmerge/


  • 04.44.19 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Cherokee HTTPD Auth_Pam Authentication Format String Vulnerability
  • Description: Cherokee web server is affected by a remote format string condition due to insufficient sanitization of user-supplied input in the "cherokee_logger_ncsa_write_string()" function. All current versions of Cherokee are reported to be vulnerable.
  • Ref: http://www.securityfocus.com/advisories/7424

  • 04.44.20 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Chesapeake TFTP Server Remote Directory Traversal
  • Description: Chesapeake TFTP Server is vulnerable to a directory traversal issue due to insufficient sanitization of requests containing "../" character sequences. An attacker could retrieve any file on the remote file system. Chesapeake TFTP Server version 1.0 is known to be vulnerable.
  • Ref: http://aluigi.altervista.org/adv/cccitftp-adv.txt

  • 04.44.21 - CVE: CAN-2004-0992
  • Platform: Cross Platform
  • Title: Proxytunnel Remote Format String Vulnerability
  • Description: proxytunnel is an HTTPS tunnel implementation that forwards stdin and stdout over HTTPS. It is reported to be vulnerable to a format string issue caused by improper sanitization of user-supplied input. proxytunnel version 1.2.3 was released to address this issue.
  • Ref: http://archives.neohapsis.com/archives/bugtraq/2004-11/0050.html

  • 04.44.22 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Java Web Server Certificate Handling Denial of Service
  • Description: Sun Java Web Server and Application Server are vulnerable to a remote denial of service issue. The issue presents itself when processing malformed client certificates. Sun has released multiple patches to address this issue.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-57669-1


  • 04.44.24 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Java Web Proxy Buffer Overflow
  • Description: Sun Java System Web Proxy Server and its administration server application are susceptible to multiple buffer overflow issues. Sun Java System Web Proxy Server versions 3.x are affected.
  • Ref: http://sunsolve.sun.com/search/document.do?assetkey=1-26-57606-1

  • 04.44.25 - CVE: Not Available
  • Platform: Cross Platform
  • Title: Caudium Remote Denial of Service
  • Description: Caudium is a web server application. It is vulnerable to a remote denial of service issue due to improper handling of exceptional conditions while processing query strings ending with the "&" character. Caudium versions prior to 1.4.4 RC2 are vulnerable.
  • Ref: http://sourceforge.net/tracker/index.php?func=detail&aid=1028622&group_id=8825&atid=108825

  • 04.44.26 - CVE: Not Available
  • Platform: Web Application
  • Title: Gbook MX Multiple SQL Injection Vulnerabilities
  • Description: Gbook MX is a web-based guestbook application. It is vulnerable to multiple SQL injection issues which can be used by a remote attacker to compromise the application. Gbook MX versions prior to 4.1.0 are reported vulnerable to these issues.
  • Ref: http://sourceforge.net/project/showfiles.php?group_id=80296

  • 04.44.27 - CVE: Not Available
  • Platform: Web Application
  • Title: MailPost APPEND Variable Cross-Site Scripting
  • Description: TIPS MailPost is an HTML form content email application. It is reported to be vulnerable to a cross-site scripting issue due to improper sanitization of the "append" variable in the URL input. MailPost 5.1.1sv is reported to be vulnerable.
  • Ref: http://www.procheckup.com/security_info/vuln_pr0410.html

  • 04.44.28 - CVE: Not Available
  • Platform: Web Application
  • Title: Gallery Unspecified Remote HTML Injection
  • Description: Gallery is a web application designed to allow users to manage images on their web site. Due to insufficient sanitization of user-supplied input, it is reported to be vulnerable to an HTML injection issue. Gallery version 1.4.4-pl4 is reported to fix this issue.
  • Ref: http://sourceforge.net/project/shownotes.php?release_id=279821

  • 04.44.29 - CVE: Not Available
  • Platform: Web Application
  • Title: Goolery Multiple Cross-Site Scripting Vulnerabilities
  • Description: Goolery is an image gallery web-based script that interacts with the Gmail service. It is reported to be vulnerable to multiple cross-site scripting issues due to improper sanitization of user-supplied URL input. Goolery version 0.3 is reported to be vulnerable.
  • Ref: http://www.securityfocus.com/bid/11587/info/

  • 04.44.30 - CVE: Not Available
  • Platform: Web Application
  • Title: Land Down Under SQL Injection
  • Description: Land Down Under is a content management system. Insufficient sanitization of user-supplied input exposes various SQL injection issues in the application. All versions are affected.
  • Ref: http://www.neocrome.net/index.php?msingle&id91

  • 04.44.31 - CVE: Not Available
  • Platform: Web Application
  • Title: Helm Control Panel Multiple Input Validation Issues
  • Description: Helm Control Panel is a web-based management system. It is affected by multiple SQL and HTML injection issues. Helm Control Panel versions 3.1.19 and prior are vulnerable to these issues.
  • Ref: http://www.securityfocus.com/archive/1/380195

  • 04.44.32 - CVE: Not Available
  • Platform: Network Device
  • Title: Telesyn TFTP Server Multiple Remote Vulnerabilities
  • Description: Allied Telesyn TFTP daemon is reported vulnerable to multiple security issues such as directory traversal and remote buffer overflow. Allied Telesyn TFTP Daemon versions 1.8 and earlier are known to be vulnerable.
  • Ref: http://aluigi.altervista.org/adv/attftp-adv.txt

  • 04.44.33 - CVE: Not Available
  • Platform: Network Device
  • Title: NetGear ProSafe Default SNMP Community String Vulnerability
  • Description: NetGear ProSafe Dual Band Wireless VPN Firewall is a security appliance for wireless VPN access. The appliance uses a default community string for SNMP which allows an attacker to gain sensitive information about a network managed by the firewall. NetGear ProSafe Dual Band Wireless VPN Firewall model FWAG114 is affected.
  • Ref: http://www.securityfocus.com/bid/11580/info/

(c) 2004. All rights reserved. The information contained in this newsletter, including any external links, is provided "AS IS," with no express or implied warranty, for informational purposes only. In some cases, copyright for material in this newsletter may be held by a party other than Qualys (as indicated herein) and permission to use such material must be requested from the copyright owner.

==end==

Subscriptions: @RISK is distributed free of charge to people responsible for managing and securing information systems and networks. You may forward this newsletter to others with such responsibility inside or outside your organization.

To subscribe, at no cost, go to https://portal.sans.org where you may also request subscriptions to any of SANS other free newsletters.

To change your subscription, address, or other information, visit http://portal.sans.org

Copyright 2004. All rights reserved. No posting or reuse allowed, other than as listed above, without prior written permission.