Network Security

AERAsec
Network Security

News



 April 1999, last Change: 01/05/00


Most of the links lead to the corresponding files at CERT or other organisations, so changes take effect immediately, especially regarding which patches should be installed or which configuration changes should be made to avoid a vulnerability. Most of the files are transferred by FTP.
By the way: if we're not publishing well-known risks inherent in any widely used platform or program, that doesn't mean this particular platform or program is safe to use!



System: NetBSD
Topic: SVR4 compatibility device creation vulnerability: NetBSD-09, ERS-1999.057

In order to provide a system environment capable of executing System V Release 4 (`SVR4') binaries, it is necessary to create a set of device special files; to simplify this task, a shell script is shipped with the system. Due to a mismatch of device major numbers between NetBSD platforms, one device special file is erroneously created with a wrong major number, which may allow a regular user to arbitrarily read or write any data stored on the NetBSD portion of the first IDE disk configured by the system.
This vulnerability affects only the i386 port of NetBSD with SVR4 emulation additionally configured. It's recommended to install the corresponding patch.


System: Caldera Linux
Topic: Vulnerabilities in bash and shadow: CSSA-1999:008, CSSA-1999:009

In OpenLinux 1.0, 1.1, 1.2, 1.3, 2.2 with bash-1.14.7-10 and below, commands in directory names may get executed via the prompt string. To avoid this problem, an upgrade package (source) is available. In OpenLinux 2.2, /etc/shadow may become world-readable under some circumstances. It's recommended to change the permissions with
  chmod 600 /etc/shadow
and to install the upgrade package (source).


System: Linux
Topic: Security Problems caused by procmail: CSSA-1999:007, Debian0422

Some vulnerabilities were found in procmail on Debian and Caldera Linux: if procmail is installed as setuid root, local users may gain more rights than intended.
It's recommended to install the latest version of procmail:
Caldera: package, source. Debian: alpha, i386, m68k, sparc, source.


System: Microsoft IE 5 and 4.x under Windows 9x and NT
Topic: Vulnerabilities caused by MSHTML: MS99-012, ERS-1999.060

MSHTML.DLL is the parsing engine for HTML in Internet Explorer. Some vulnerabilities were found:

  • The first vulnerability is the "IMG SRC" tag in HTML files. This tag identifies and loads image sources. The vulnerability results because the tag can be used to point to files of any type. A malicious web site operator could use this vulnerability to determine the size and other information about files on the computer of a visiting user.

  • The second vulnerability is a new variant of a previously identified cross-frame security vulnerability. A particular malformed URL could be used to execute a Java scriptlet in the security context of a different domain. This could allow a malicious web site operator to execute a scriptlet on a visiting user's machine as though it were from a trusted site.

  • The third vulnerability affects only Internet Explorer 5.0, and is a new variant of a previously-identified untrusted scripted paste vulnerability. The vulnerability would allow a malicious web site operator to create a particular type of web page control and paste into it the contents of a visiting user's clipboard.

It's recommended to install the patch published by Microsoft.


System: Microsoft IE 5 under Windows NT
Topic: Security risk by DHTML Edit: MS99-011, ERS-1999.059

The DHTML Edit control is an ActiveX control that is distributed with Internet Explorer 5 and can be downloaded for use in Internet Explorer 4.0. The control enables users to edit HTML text and see a faithful rendition of how the text would look in the browser.
A vulnerability could allow a malicious web site operator to read information that a user had loaded into the control, and it also could allow files with known names to be copied from the user's local hard drive.
Further information can be found in the advisory and in the MS knowledge base. It's recommended to install the corresponding patch for the US version of IE.


System: Cold Fusion 3 and 4
Topic: Vulnerability in Cold Fusion Server: L0pht, ERS-1999.058

There is a security problem with installations of Cold Fusion Application Server when (as is the default) the online documentation is installed. This vulnerability allows web users to view, delete, upload and potentially execute files anywhere on the server. A demonstration of the problem can be found at L0pht's site.
It's recommended not to install the online documentation and to install the patch from Allaire.


System: all
Topic: New ISS Summary: ISS, ERS-1999.056

ISS reports 19 new vulnerabilities found within the last month:
- default-flowpoint (also here)
- ucd-snmpd-community
- cisco-natacl-leakage
- mpeix-debug
- netbsd-vfslocking-panic
- bmc-patrol-frames
- bmc-patrol-replay
- http-cgi-webcom-guestbook
- ie-scriplet-fileread
- ie-window-spoof
- winroute-config
- netcache-snmp
- rsync-permissions
- wingate-redirector-dos
- wingate-registry-passwords
- sco-termvision-password
- webramp-device-crash
- webramp-ipchange
- xylan-omniswitch-ftp
- xylan-omniswitch-login
Further information can be found at the site of ISS.


System: Red Hat Linux
Topic: Several Security Vulnerabilities fixed (pine, mutt, sysklogd, zgv, XFree86, lpr, procmail, rsync): ESB-1999.044, ESB-1999.045, ESB-1999.051, ESB-1999.052, ESB-1999.053

Several vulnerabilities were found; patches are available now:
Red Hat Linux 5.2
alpha:
rpm -Uvh ftp://updates.redhat.com/5.2/alpha/mutt-0.95.4us-0.alpha.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/alpha/pine-4.10-1.alpha.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/alpha/XFree86-libs-3.3.3.1-1.1.alpha.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/alpha/XFree86-3.3.3.1-1.1.alpha.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/alpha/lpr-0.35-0.5.2.alpha.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/alpha/procmail-3.13.1-1.alpha.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/alpha/rsync-2.3.1-0.alpha.rpm
i386:
rpm -Uvh ftp://updates.redhat.com/5.2/i386/mutt-0.95.4us-0.i386.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/i386/pine-4.10-1.i386.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/i386/XFree86-libs-3.3.3.1-1.1.i386.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/i386/XFree86-3.3.3.1-1.1.i386.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/i386/lpr-0.35-0.5.2.i386.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/i386/procmail-3.13.1-1.i386.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/i386/rsync-2.3.1-0.i386.rpm
sparc:
rpm -Uvh ftp://updates.redhat.com/5.2/sparc/mutt-0.95.4us-0.sparc.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/sparc/pine-4.10-1.sparc.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/sparc/XFree86-libs-3.3.3.1-1.1.sparc.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/sparc/XFree86-3.3.3.1-1.1.sparc.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/sparc/lpr-0.35-0.5.2.sparc.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/sparc/procmail-3.13.1-1.sparc.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/sparc/rsync-2.3.1-0.sparc.rpm
source:
rpm -Uvh ftp://updates.redhat.com/5.2/SRPMS/mutt-0.95.4us-0.src.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/SRPMS/pine-4.10-1.src.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/SRPMS/lpr-0.35-0.5.2.src.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/SRPMS/procmail-3.13.1-1.src.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/SRPMS/rsync-2.3.1-0.src.rpm
Red Hat Linux 5.1
alpha:
rpm -Uvh ftp://updates.redhat.com/5.1/alpha/mutt-0.95.4us-0.alpha.rpm
rpm -Uvh ftp://updates.redhat.com/5.1/alpha/pine-3.96-8.1.alpha.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/alpha/lpr-0.35-0.5.2.alpha.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/alpha/procmail-3.13.1-1.alpha.rpm
i386:
rpm -Uvh ftp://updates.redhat.com/5.1/i386/mutt-0.95.4us-0.i386.rpm
rpm -Uvh ftp://updates.redhat.com/5.1/i386/pine-3.96-8.1.i386.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/i386/lpr-0.35-0.5.2.i386.rpm
sparc:
rpm -Uvh ftp://updates.redhat.com/5.1/sparc/mutt-0.95.4us-0.sparc.rpm
rpm -Uvh ftp://updates.redhat.com/5.1/sparc/pine-3.96-8.1.sparc.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/sparc/lpr-0.35-0.5.2.sparc.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/sparc/procmail-3.13.1-1.sparc.rpm
source:
rpm -Uvh ftp://updates.redhat.com/5.1/SRPMS/mutt-0.95.4us-0.src.rpm
rpm -Uvh ftp://updates.redhat.com/5.1/SRPMS/pine-3.96-8.1.src.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/SRPMS/lpr-0.35-0.5.2.src.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/SRPMS/procmail-3.13.1-1.src.rpm
Red Hat Linux 5.0
alpha:
rpm -Uvh ftp://updates.redhat.com/5.0/alpha/mutt-0.95.4us-0.alpha.rpm
rpm -Uvh ftp://updates.redhat.com/5.0/alpha/pine-3.96-7.1.alpha.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/alpha/lpr-0.35-0.5.2.alpha.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/alpha/procmail-3.13.1-1.alpha.rpm
i386:
rpm -Uvh ftp://updates.redhat.com/5.0/i386/mutt-0.95.4us-0.i386.rpm
rpm -Uvh ftp://updates.redhat.com/5.0/i386/pine-3.96-7.1.i386.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/i386/lpr-0.35-0.5.2.i386.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/i386/procmail-3.13.1-1.i386.rpm
sparc:
rpm -Uvh ftp://updates.redhat.com/5.2/sparc/lpr-0.35-0.5.2.sparc.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/sparc/procmail-3.13.1-1.sparc.rpm
source:
rpm -Uvh ftp://updates.redhat.com/5.0/SRPMS/mutt-0.95.4us-0.src.rpm
rpm -Uvh ftp://updates.redhat.com/5.0/SRPMS/pine-3.96-7.1.src.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/SRPMS/lpr-0.35-0.5.2.src.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/SRPMS/procmail-3.13.1-1.src.rpm
Red Hat Linux 4.2
alpha:
rpm -Uvh ftp://updates.redhat.com/4.2/alpha/pine-3.96-7.0.alpha.rpm
rpm -Uvh ftp://updates.redhat.com/4.2/alpha/rpm-2.5.3-4.2.alpha.rpm
rpm -Uvh ftp://updates.redhat.com/4.2/alpha/Xconfigurator-2.6.1-1.alpha.rpm
rpm -Uvh ftp://updates.redhat.com/4.2/alpha/XFree86-libs-3.3.3.1-0.1.alpha.rpm
rpm -Uvh ftp://updates.redhat.com/4.2/alpha/XFree86-3.3.3.1-0.1.alpha.rpm
rpm -Uvh ftp://updates.redhat.com/4.2/alpha/lpr-0.35-0.4.2.alpha.rpm
rpm -Uvh ftp://updates.redhat.com/4.2/alpha/procmail-3.13.1-0.alpha.rpm
i386:
rpm -Uvh ftp://updates.redhat.com/4.2/i386/pine-3.96-7.0.i386.rpm
rpm -Uvh ftp://updates.redhat.com/4.2/i386/rpm-2.5.3-4.2.i386.rpm
rpm -Uvh ftp://updates.redhat.com/4.2/i386/XFree86-libs-3.3.3.1-0.1.i386.rpm
rpm -Uvh ftp://updates.redhat.com/4.2/i386/XFree86-3.3.3.1-0.1.i386.rpm
rpm -Uvh ftp://updates.redhat.com/4.2/i386/lpr-0.35-0.4.2.i386.rpm
rpm -Uvh ftp://updates.redhat.com/4.2/i386/procmail-3.13.1-0.i386.rpm
sparc:
rpm -Uvh ftp://updates.redhat.com/4.2/sparc/pine-3.96-7.0.sparc.rpm
rpm -Uvh ftp://updates.redhat.com/4.2/sparc/rpm-2.5.3-4.2.sparc.rpm
rpm -Uvh ftp://updates.redhat.com/4.2/sparc/XFree86-libs-3.3.3.1-0.1.sparc.rpm
rpm -Uvh ftp://updates.redhat.com/4.2/sparc/XFree86-3.3.3.1-0.1.sparc.rpm
rpm -Uvh ftp://updates.redhat.com/4.2/sparc/lpr-0.35-0.4.2.sparc.rpm
rpm -Uvh ftp://updates.redhat.com/4.2/sparc/procmail-3.13.1-0.sparc.rpm
source:
rpm -Uvh ftp://updates.redhat.com/4.2/SRPMS/pine-3.96-7.0.src.rpm
rpm -Uvh ftp://updates.redhat.com/4.2/SRPMS/lpr-0.35-0.4.2.src.rpm
rpm -Uvh ftp://updates.redhat.com/4.2/SRPMS/procmail-3.13.1-0.src.rpm
Please read the advisories for further information!


System: HP-UX
Topic: Security Vulnerability in sendmail: HP Security Bulletin #00097, ERS-1999.055, ESB-1999.054, J-040

Hewlett-Packard systems that are running sendmail release 8.8.6 accept connections sub-optimally, which may allow users to initiate a Denial of Service. Public domain fixes now in sendmail 8.9.3 have been ported to a patch for the HP-UX sendmail 8.8.6 release.

HP9000 Series 700/800, HP-UX 10.20  PHNE_17135
HP9000 Series 700/800, HP-UX 11.00  PHNE_17135


System: Cisco
Topic: IOS Software Input Access List Leakage with NAT: Cisco, ERS-1999.054, ESB-1999.049, J-041, S-99-13

A group of related software bugs create an undesired interaction between network address translation (NAT) and input access list processing in certain Cisco routers running 12.0-based versions of Cisco IOS software. This may cause input access list filters to "leak" packets in certain NAT configurations, creating a security exposure. Configurations without NAT are not affected.
It's recommended to install the fixes published by Cisco. Further information about these and affected versions can be found in the advisory.


System: HP-UX
Topic: Security Vulnerability in MPE/iX Debug: HP Security Bulletin MPE#006, ERS-1999.053, ESB-1999.050

Because Debug improperly handles commands, users can increase their privileges. The problem does not exist in the MPE/iX 6.0 release. It's recommended to install the corresponding patch:

HP3000 with MPE/iX 5.0  MPEKXM1A
HP3000 with MPE/iX 5.5  MPEKXM1B


System: NetBSD
Topic: Denial-of-Service by Name Lookup: NetBSD-08, ERS-1999.052, ESB-1999.048

Unprivileged users can trigger a file-system locking error, causing the system to panic or hang. There are no workarounds for this problem. It's necessary to install a kernel patch published by the NetBSD Project.


System: Netscape
Topic: Java Vulnerability in Netscape Communicator and Navigator: Netscape

A security vulnerability has been found in the implementation of Java. It affects Windows, Mac and Unix versions of Netscape Communicator and Navigator 4.0x and higher. The vulnerability could be exploited by running a malicious Java applet from an untrusted Web site. It's recommended to install the latest version of the browser or to turn off Java.


System: Ramp Networks WebRamp
Topic: WebRamp Denial of Service Attacks: ERS-1999.051

Ramp Networks WebRamp Internet access devices allow multiple computers to share a dialup connection. The WebRamp family of Internet access devices are designed for small businesses.
WebRamp is vulnerable to two denial of service attacks that allow an attacker to either crash the WebRamp device or change its IP address. When the device crashes, it will have to be manually reset before it will dial up. Sending a specially-formatted UDP packet to port 5353 changes the WebRamp's local IP address, effectively 'hiding' the device from the rest of your machines.
Here you can get the latest firmware for your model of WebRamp.


System: HP-UX
Topic: Security Vulnerability in MC/ServiceGuard and MC/LockManager: HP Security Bulletin #00096, ERS-1999.049, J-039

MC/ServiceGuard and MC/LockManager exhibit improper implementation of restricted SAM functionality so users can gain increased privileges.
It's recommended to install the patches listed below:

HP9000 Series 700/800, HP-UX 10.00  MC/SG A.10.03        PHSS_17478
HP9000 Series 700/800, HP-UX 10.01  MC/SG A.10.03        PHSS_17478
HP9000 Series 700/800, HP-UX 10.10  MC/SG MC/LM A.10.05  PHSS_17479
HP9000 Series 700/800, HP-UX 10.20  MC/SG MC/LM A.10.06  PHSS_17480
HP9000 Series 700/800, HP-UX 10.20  MC/SG A.10.11        PHSS_17580
HP9000 Series 700/800, HP-UX 10.20  MC/LM A.10.07.01     PHSS_17482
HP9000 Series 700/800, HP-UX 11.00  MC/SG A.11.05        PHSS_17581
HP9000 Series 700/800, HP-UX 11.00  MC/LM A.11.05        PHSS_17483
HP9000 Series 700/800, HP-UX 11.00  MC/LM-J A.11.05      PHSS_17484


System: HP-UX
Topic: Security Vulnerability with DESMS: HP Security Bulletin #00095, ERS-1999.050, J-039

The Domain Enterprise Server Management System (DESMS) processes allow increased privileges for ordinary users.
It's recommended to install the patches listed below:

HP9000 Series 700/800, HP-UX 10.20  PHNE_17948
HP9000 Series 700/800, HP-UX 11.00  PHNE_18017 (for product J1593AA only)
HP9000 Series 700/800, HP-UX 11.00  PHNE_17949 (for other products, see advisory)