AERAsec - Network Security

July 1999, last change: 01/04/00

Here you find (a beta-version of) our network security search engine!

System:	Cobalt Networks RaQ2 single rack unit Internet servers
Topic:	Insecure Default Configuration on RaQ2 Servers: Cobalt Networks, CA-99-10, ERS-1999.104

A vulnerability has been discovered in the default configuration of Cobalt Networks RaQ2 servers that allows remote users to install arbitrary software packages to the system. RaQ2 servers are configured with an administrative webserver to process remote requests to manage the unit. Systems installed with the default configuration have insufficient access control mechanisms to prevent remote users from adding arbitrary software packages to the system using this webserver.
It's recommended to install one of the patches: RaQ2, RaQ2 - japanese version.

System:	Windows NT
Topic:	Vulnerability by Malformed Dialer Entry: MS99-026, ERS-1999.103

Dialer.exe has an unchecked buffer in the portion of the program that processes the dialer.ini file. This vulnerability could be used to run arbitrary code via a classic buffer overrun technique. It's recommended to install the Hotfixes, published by Microsoft: Windows NT Workstation and Server, Windows NT Terminal Server Edition.

System:	HP-UX
Topic:	Security Vulnerability in Software Distributor (SD): HP Security Bulletin #00101, ERS-1999.102

HP9000 Series 700/800 running HP-UX 10.XX, and 11.00, plus SD OpenView/ITA on other specific vendor platforms are vulnerable against an attack where users can gain increased privileges. It's recommended to install the patchens listed in the advisory.

System:	AIX 3.x, 4.2.x, 4.3.x
Topic:	Vulnerability in ptrace: ERS-1999.002i

A denial of service vulnerability has been discovered in the ptrace system call allowing non-root users to crash the system. Users of AIX 3.x should make an update to version 4, official patches will be published soon. A temporarily patch is also available.

System:	Red Hat Linux 6.0
Topic:	Vulnerabilities in enlightenment and gnumeric:

System:	Red Hat Linux
Topic:	New samba-package published:

System:	Unix
Topic:	Vulnerability in tiger: ERS-1999.101

Tiger is a public domain package developed and maintained by Texas A&M University, used for checking security problems on a Unix system. Due to lack of checking, a local user can craft a command in such a way that he may have the command executed with the privileges of the process running Tiger (usually root).
It's recommended to install the concerning patches.

System:	Microsoft IIS 3.0 and 4.0 using Data Access Components 1.5
Topic:	Vulnerability by ODBC Data Access with RDS: MS99-025 (corr.), ERS-1999.099-1 and 2, S-99-21 and 21a

The RDS DataFactory object, a component of Microsoft Data Access Components (MDAC), exposes unsafe methods. When installed on a system running Internet Information Server 3.0 or 4.0, the DataFactory object may permit an otherwise unauthorized web user to perform privileged actions, including:
- Allowing unauthorized users to execute shell commands on the IIS system as a privileged user.
- On a multi-homed Internet-connected IIS system, using MDAC to tunnel SQL and other ODBC data requests through the public connection to a private back-end network.
- Allowing unauthorized accessing to secured, non-published files on the IIS system.
It's recommended to install the latest version of MDAC (2.1 SP2), to delete the /msadc virtual directory or to apply correct registry settings.
If the RDS functionality is needed the Anoymous Access for the /msdac directory in the default Web should be disabled and a Custom Handler should control incoming requests. Further information about this can be found here.

System:	IRIX
Topic:	Vulnerability in arrayd: SGI19990701, CA-99-09, ERS-1999.100, S-99-20

A vulnerability has been discovered in the default configuration of the Array Services daemon, arrayd running under IRIX and UNICOS. Array Services are used to manage a cluster of systems. The default configuration file, arrayd.auth, disables authentication and does not provide adequate protection for systems connected to an untrusted network. So remote and local users can execute arbitrary commands as root. It's recommended to reconfigure arrayd to use "SIMPLE" authentication as described in the advisory.

System:	many
Topic:	Vulnerability in Calendar Manager Service: CA-99-08, J-051, ERS-1999.098, S-99-19

A buffer overflow vulnerability has been discovered in the Calendar Manager Service daemon, rpc.cmsd. The rpc.cmsd daemon is frequently distributed with the Common Desktop Environment (CDE) and Open Windows. Which systems are affected and what to do against this risk is pointed out in the advisory.

System:	Windows 9x and NT
Topic:	Back Orifice 2000 released: ISS-031, Microsoft, ERS-1999.097

Back Orifice is a client/server application that can gather information, perform system commands, reconfigure machines, and redirect network traffic. By executing the Back Orifice server program on a machine, a user can connect remotely to that specific IP address and perform any of the above actions. Earlier versions of BO only worked on systems under Windows 9x - the latest version, published on July 10th, runs also under Windows NT.
Further description of the features are mentioned in the advisory. We recommend not to install any dubious software, because the risk of installing a Trojan Horse is immense.

System:	HP-UX
Topic:	CDE leaves Current Directory in root PATH: HP Security Bulletin #00100, ERS-1999.096

The PATH environemnt variable is constructed from several sources including dtsearchpath and scripts in /etc/dt/config/Xsession.d/ and /usr/dt/config/Xsession.d/. The resulting PATH contains the string "::" which will be interpreted as the current directory. The root user should not have the current directory in the PATH, the recommended solution is to clean up the root user's PATH after is has been created.

System:	HP-UX
Topic:	Vulnerability HP Visualize Conference: HP Security Bulletin #0099, ERS-1999.090, J-050

HP Visualize Conference is a T-120 conference solution for HP-UX Workstations. The HP Visualize Conference ftp capability allows a conference participant to push a file to all other participants. As a general comment not specifically related to this vulnerability, the user should establish some means of authenticating conference participants. It's recommended to install the available patch:

HP-UX Series 700, release 10.20:

PHSS_17168

System:	Windows NT and 9x
Topic:	New list of Backdoors: ISS-030, ERS-1999.095

ISS has published updates on backdoors for Windows 95, 98, and NT. Because of the number of backdoors mentioned in the advisory, there is only a brief description of each backdoor's features and communications protocol.

System:	Windows NT 4.0
Topic:	Unprotected IOCTLs Vulnerability: MS99-024, ERS-1999.094

The IOCTLs that are used to obtain services from the keyboard and mouse drivers in Windows NT do not require that the calling program have administrative privileges. A user-level program could use legitimate calls to disable the mouse and keyboard, after which the machine would need to be rebooted to restore normal service. On a terminal server, such a program could disable the keyboard and mouse on the console.
It's recommended to install the hotfix for NT 4.0 Server and Workstation or Terminal Server Edition.

System:	Windows NT 4.0, SP4
Topic:	Vulnerability by Malformed Image Header: MS99-023, ERS-1999.091

If an executable file with a malformed image header is executed, it will cause a system failure. The affected machine will need to be rebooted in order to place it back in service. Any work that was in progress when the machine crashed could be lost.
If not using SP5 it's recommended to install the hotfix for NT 4.0 Server and Workstation or Terminal Server Edition.

System:	Debian Linux
Topic:	Vulnerability in mailman: Debian0623, python

The version mailman as supplied in Debian GNU/Linux 2.1 has a problem with verifying list administrators. The problem is that the cookie value generation used was predictable, so using forged authentication cookies it was possible to access the list administration webpages without knowing the proper password. This has been fixed in version 1.0rc2-5.

System:	Windows NT
Topic:	Vulnerability in WebTrends Software: ISS-029, ERS-1999.093

The vulnerability only applies to systems using the MAPI and NT service features in WebTrends Software on the Windows NT platform. It's recommended to download the latest versions of the programs or, at least, make following change in Windows NT: Remove the 'Everyone: Full Control' permission and add 'Administrators: Full Control', so only administrators have access to the file WebTrends.INI.
Further information about the vulnerable products can be found in the advisory.

System:	all
Topic:	New ISS Summary: ISS, ERS-1999.092

ISS reports 8 new vulnerabilities found within the two weeks:
- webtrends-bad-perms
- hp-visualize-conference-ftp
- accelx-bo
- linux-vmware-buffer-overflows
- iis-double-byte-code-page
- eastman-cleartext-passwords
- msrpc-lsa-lookupnames-dos
- nt-csrss-dos
Further information can be found at the site of ISS.

System:	Red Hat Linux
Topic:	Vulnerabilities in dev, rxvt, screen, XFree86, KDE, nfs-server, and net-tools: ESB-1999.082, ESB-1999.083, ESB-1999.084, ESB-1999.087, ESB-1999.088

Here you can find the News from June 1999, May 1999, April 1999, and March 1999