February 2001 Advisories and Exploits
February 28, 2001
CERT Summary CS-2001-01 - Each quarter, the CERT Coordination Center (CERT/CC) issues the CERT Summary to draw attention to the types of attacks reported to our incident response team, as well as other noteworthy incident and vulnerability information. The summary includes pointers to sources of information for dealing with the problems.
Cisco IOS Software Multiple SNMP Community String Vulnerabilities - Multiple Cisco IOS® Software and CatOS software releases contain several independent but related vulnerabilities involving the unexpected creation and exposure of SNMP community strings. These vulnerabilities can be exploited to permit the unauthorized viewing or modification of affected devices.
AFFECTED: Cisco devices that may be running an affected IOS software release include, but are not limited to:
- 800, 1000, 1005, 1400, 1600, 1700, 2500, 2600, 3600, MC3810, 4000, 4500, 4700, 6200, 6400 NRP, 6400 NSP series Cisco routers.
- ubr900 and ubr920 universal broadband routers.
- Catalyst 2900 ATM, 2900XL, 2948g, 3500XL, 4232, 4840g, 5000 RSFC series switches.
- 5200, 5300, 5800 series access servers.
- Catalyst 6000 MSM, 6000 Hybrid Mode, 6000 Native Mode, 6000 Supervisor Module, Catalyst ATM Blade.
- RSM, 7000, 7010, 7100, 7200, ubr7200, 7500, 10000 ESR, and 12000 GSR series Cisco routers.
- Catalyst 8510CSR, 8510MSR, 8540CSR, 8540MSR series switches.
Debian Security Advisory DSA-031-1
- Todd Miller announced a new version of sudo which corrects a buffer overflow that could potentially be used to gain root privilages on the local system. The fix from sudo 1.6.3p6 is available in sudo 1.6.2p2-1potato1 for Debian 2.2 (potato).
February 27, 2001
RainForestPuppy-RFP2101 - PHP-Nuke is a pretty groovy web portal/news system written in PHP---link to RFP2101
February 26, 2001
Microsoft MS01-013 - Windows 2000 Event Viewer Contains Unchecked Buffer - Run code of attackers choice
AFFECTED: Windows 2000
- New Zope packages are available - From the Zope advisory: "This hotfix addresses and [sic] important security issue that affects Zope versions up to and including Zope 2.3.1 b1. The issue is related to ZClasses in that a user with through-the-web scripting capabilities on a Zope site can view and assign class attributes to ZClasses, possibly allowing them to make inappropriate changes to ZClass instances. This patch also fixes problems in the ObjectManager, PropertyManager, and PropertySheet classes related to mutability of method return values which could be perceived as a security problem. We *highly* recommend that any Zope site running versions of Zope up to and including 2.3.1 b1 have this hotfix product installed to mitigate these issues if the site is accessible by untrusted users who have through-the-web scripting privileges."
AFFECTED: Red Hat Powertools 6.2 - alpha, i386, sparc/Red Hat Powertools 7.0 - alpha, i386
February 23, 2001
- Updated analog packages are available - Previous releases of analog were vulnerable to a buffer overflow vulnerability where a malicious user could use an ALIAS command to construct very long strings which were not checked for length. This bug was discovered by the program author, and there is no known exploit.
AFFECTED: Red Hat Secure Web Server 2.0 - i386
February 22, 2001
- Outlook, Outlook Express Vcard Handler Contains
AFFECTED: Because the component that contains the flaw ships as part of OE, which itself ships as part of IE, the patch is specified in terms of the version of IE rather than OE or Outlook
Unchecked Buffer - Run code of attacker's choice
February 20, 2001
- Malformed Request to Domain Controller can Cause Denia of Service
AFFECTED: Windows 2000 Server, Advanced Server and Datacenter Server
February 19, 2001
- New vixie-cron packages available - A buffer overflow existed in the 'crontab' command; if called by a user with a username longer than 20 characters. If the system administrator has created usernames of that length, it would be possible for those users to gain elevated privileges.
AFFECTED: Red Hat Linux 5.2 - alpha, i386, sparc/Red Hat Linux 6.2 - alpha, i386, sparc/Red Hat Linux 7.0 - alpha, i386
February 14, 2001
- Local and remote vulnerabilities in Kerberos IV
AFFECTED: FreeBSD 4.2-STABLE and 3.5-STABLE prior to the correction dates.
Microsoft MS01-010 - Patch Available for "Windows Media Player Skins File Download" Vulnerability - Windows Media Player 7 introduced a feature called "skins", that allows customization of the look and feel of Windows Media Player. If a Windows Media Player skin (.WMZ) file were downloaded from a malicious web site it could potentially be used to run Java code to read and browse files on a local machine.
AFFECTED: Windows Media Player 7
February 13, 2001
- Patch Available for "Malformed PPTP Packet Stream" Vulnerability - Denial of Service
AFFECTED: Windows NT 4.0 servers running PPTP
February 12, 2001
CERT Advisory CA-2001-03 - VBS/OnTheFly (Anna Kournikova) Malicious Code
AFFECTED: Users of Microsoft Outlook who have not applied previously available security updates.
Debian Security Advisory DSA-030-1 - xfree86-1 - buffer overflow, insecure tempfile handling, denial-of-service attack
AFFECTED: Vulnerable: Debian 2.2, Debian 2.2r1, Debian 2.2r2
- SSH1 implementations may allow remote system, data compromise
AFFECTED: FreeBSD 4.x, 4.2-STABLE prior to the correction date. Ports collection prior to the correction date.
February 09, 2001
Debian Security Advisory DSA-028-1 - man-db - Styx has reported that the program `man' mistakenly passes malicious strings (i.e. containing format characters) through routines that were not meant to use them as format strings. Since this could cause a segmentation fault and privileges were not dropped it may lead to an exploit for the 'man' user.
AFFECTED: Debian GNU/Linux 2.2 alias potato for the alpha, arm, i386, m68k, powerpc and sparc architectures.
Microsoft MS01-007 UPDATED - Patch Available for "Network DDE Agent Request" Vulnerability - Privilege elevation - this update includes addition of Terminal Server
AFFECTED: Windows 2000
Remote vulnerability in SSH daemon
February 08, 2001
CORE-20010207 - CORE SDI S.A. Security Advisory - SSH1 CRC-32 compensation attack detector vulnerability
AFFECTS: All versions of SSH supporting the protocol 1 (1.5) that use the CRC compensation attack detector are vulnerable. See below for vendor specific information.
OpenSSH - OpenSSH versions prior to 2.3.0 are vulnerable. OpenSSH versions 2.3.0 and above are not vulnerable, source changes in deattack.c that fix this problem were incorporated into the source tree on October 31st, 2000.
SSH.com - ssh-1.2.24 up to , and including, ssh-1.2.31 are vulnerable. Versions prior to 1.2.24 did not include the CRC compensation attack detector.
The official response from SSH.com follows: SSH-2.x is not vulnerable. SSH1 is deprecated, and not supported, upgrade to SSH2. Nonetheless the proposed patch has been applied to the ssh-1.2.x source tree, future releases of ssh-1.2.x will have the bug closed.
F-Secure SSH - F-Secure SSH-1.3.x is vulnerable. Contact the vendor for a fix.
AppGate - The default configuration of the AppGate server is not vulnerable since it has SSH-1 support disabled. However customers who need ssh1-support can contact firstname.lastname@example.org to get patches.
Mindbright - The MindtTerm client does not have this vulnerability.
TTSSH - Not vulnerable. All version that incorporated the attack detector are not vulnerable.
LSH - Not vulnerable. LSH does not support SSH protocol 1.
JavaSSH - Not vulnerable. The Java Telnet/SSH Applet (http://www.mud.de/se/jta/)does not include CRC attack detection. A security note regarding Java SSH plugin can be found on: http://www.mud.de/se/jta/doc/plugins/SSH.html
OSSH (by Bjoern Groenvall) - OSSH 1.5.7 and below is vulnerable. The problem has been fixed in version 1.5.8
OpenBSD Security Advisory - SSH BYPASS - Authentication By-Pass Vulnerability in OpenSSH-2.3.1. OpenSSH-2.3.1, a development snapshot, only checked if a public key for public key authentication was permitted. In the protocol 2 part of the server, the challenge-response step that ensures that the connecting client is in possession of the corresponding private key has been omitted. As a result, anyone who could obtain the public key listed in the users authorized_keys file could log in as that user without authentication.
AFFECTED: This vulnerability affects only OpenSSH version 2.3.1 with support for protocol 2 enabled. The latest official release OpenSSH 2.3.0 is not affected by this problem. The latest snapshot version OpenSSH 2.3.2 is not affected either.
- Three security holes fixed in new kernel - One involves ptrace, another involves sysctl, and the last is specific to some Intel CPUs.
AFFECTED: Red Hat Linux 6.x - alpha, i386, i586, i686, sparc, sparc64/Red Hat Linux 7.0 - alpha, i386, i586, i686
crc32 compensation attack detector Author: Michal Zalewski Contact: Scott Blake CVE: CAN-2001-0144
February 07, 2001
CORE-20010116 - CORE SDI S.A. Security Advisory - SSH protocol 1.5 session key recovery vulnerability - This advisory describes a vulnerability in the SSH 1.5 protocol that allows an attacker to exploit some design or implementation problem on either client or server to obtain the session key and then proceed to decrypt the stored session using any implementation of the crypto algorithm used.
AFFECTS: All versions of SSH supporting the protocol 1.5 key exchange. This vulnerability applies to SSH servers only.
- inetd ident server allows remote users to partially read arbitrary wheel-accessible files [REVISED from 01/29/2001]
AFFECTED: FreeBSD 3.x (all releases), FreeBSD 4.x (all releases)
FreeBSD-SA-01:20 - mars_nwe contains potential remote root compromise
AFFECTED: Ports collection prior to the correction date.
Microsoft MS01-007 - Patch Available for "Network DDE Agent Request" Vulnerability - Privilege elevation
AFFECTED: Windows 2000
Microsoft MS01-008 - NTLMSSP Privilege Elevation Vulnerability - Privilege elevation - A flaw in the NTLM Security Support Provider (NTLMSSP) service could potentially allow a non-administrative user to gain administrative control over the system
AFFECTED: Windows NT4