
BoS: ISSalert: ISS Security Alert Summary v2 n2

daemon@ATHENA.MIT.EDU (X-Force)
Wed Mar 11 09:51:23 1998

X-Delivering-To: best-of-security-mtg@menelaus.mit.edu
X-Delivering-To: best-of-security@cyber.com.au
Delivering-To: best-of-security@cyber.com.au
Date: Wed, 18 Feb 1998 15:21:40 -0500 (EST)
From: X-Force <xforce@iss.net>
Cc: X-Force <xforce@arden.iss.net>
Reply-To: X-Force <xforce@iss.net>
Old-X-Originally-To: To: alert@iss.net
Old-X-Originated-From: From: X-Force <xforce@iss.net>
Errors-To: best-of-security-request@cyber.com.au
To: best-of-security@cyber.com.au
Resent-From: best-of-security@cyber.com.au


ISS Security Alert Summary
February 18, 1998
Volume 2 Number 2


X-Force Vulnerability and Threat Database: http://www.iss.net/xforce

To receive these Alert Summaries, subscribe to the ISS Alert mailing list
by sending an email to majordomo@iss.net and within the body of the
message type:  'subscribe alert'.

___

Index

7 Reported Vulnerabilities
 - NT-logondos
 - IBM-telnetdos
 - IBM-symlink
 - Sun-volrmmount
 - NT-web8.3
 - NT-portbind
 - elm-filter

2 Updates
 - L0pht-l0phtcrack
 - HP-land

Risk Factor Key

___

Date Reported:		2/14/98
Vulnerability:		NT-logondos
Platforms Affected:	Windows NT
Risk Factor:		High

Windows NT servers (including those with Service Pack 3 and all hotfixes
applied) are vulnerable to a denial of service attack.  When a logon
request is initiated to access the SMB/CIFS service and the SMB
logon packet is incorrectly processed, memory corruption results in the NT
kernel.  When this happens, a blue screen error message appears and the
machine has to be rebooted.

Reference:
ftp://ftp.secnet.com/pub/advisories/SNI-25.Windows.NT.DoS

___

Date Reported:		2/11/98
Vulnerability:		IBM-telnetdos
Platforms Affected:	AIX (4.1.x, 4.2.x, 4.3)
Risk Factor:		High

An AIX-specific denial of service exploit has been made publicly
available on the Bugtraq mailing list.  This exploit causes all tty
activity to hang on the system being attacked.  This allows remote users to
cause the machine to stop accepting new telnet sessions.

Reference:
http://www.ers.ibm.com/tech-info/advisories/sva/1998/ERS-SVA-E01-1998:003.1.txt

___

Date Reported:		2/11/98
Vulnerability:		IBM-symlink
Platforms Affected: 	AIX (3.2.5, 4.1.x, 4.2.x, 4.3)
Risk Factor:		High

Several AIX programs will follow symbolic links that have the same name as
temporary files they create.  By creating a symbolic link with one of these
temporary file names that points to a carefully selected system file (such
as /etc/passwd), a local user can arrange to cause critical system files to
be overwritten when the root user executes one of these programs.
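The defensive side of this class of bug, as an added illustration that is
not part of the ISS summary or of IBM's fix: a privileged program that
creates its scratch file with O_CREAT but without O_EXCL follows a planted
link, whereas creating it with O_CREAT|O_EXCL|O_NOFOLLOW (or with mkstemp,
which also picks an unpredictable name) fails closed. The file names, the
directory under /tmp and the "victim" file are constructed for the
demonstration; nothing here is taken from the affected AIX programs.

```c
#define _XOPEN_SOURCE 700   /* mkstemp, mkdtemp, symlink, O_NOFOLLOW */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef O_NOFOLLOW
#define O_NOFOLLOW 0 /* without it, O_EXCL alone still refuses an existing link */
#endif

/* Vulnerable pattern from the advisory: a predictable name opened with
 * O_CREAT but without O_EXCL. If a local user planted a symlink at `path`,
 * open() follows it and the program truncates whatever the link points at. */
int open_temp_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened pattern: O_EXCL makes open() fail when anything (a file, a live
 * or dangling symlink) already exists at `path`; O_NOFOLLOW refuses a
 * symlink as the final component. Check and creation are one system call,
 * so no link can appear in between. */
int open_temp_safe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Preferred in new code: mkstemp() chooses an unpredictable name and opens
 * it with O_CREAT|O_EXCL, mode 0600. `tmpl` must end in "XXXXXX". */
int open_temp_random(char *tmpl)
{
    return mkstemp(tmpl);
}

/* Stage the scenario in a private directory (constructed for this example):
 * "victim.txt" stands in for a critical system file and a symlink with the
 * program's predictable temp name points at it. Returns a bitmask, or -1 on
 * setup failure:  1 = unsafe open followed the link and clobbered the victim,
 * 2 = exclusive open refused the planted link, 4 = mkstemp gave a regular
 * file with no group/other permissions. */
int demo_symlink_race(void)
{
    char dir[] = "/tmp/symlink-demo.XXXXXX";
    char victim[64], link[64], tmpl[64], buf[32];
    int result = 0, fd;
    ssize_t n;

    if (mkdtemp(dir) == NULL) {                /* fall back to the cwd */
        strcpy(dir, "./symlink-demo.XXXXXX");
        if (mkdtemp(dir) == NULL) return -1;
    }
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(link, sizeof link, "%s/prog.tmp", dir);      /* predictable name */
    snprintf(tmpl, sizeof tmpl, "%s/prog.XXXXXX", dir);

    /* the file a privileged program must never overwrite */
    fd = open(victim, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0 || write(fd, "critical data\n", 14) != 14) return -1;
    close(fd);

    /* a local user plants the link before the privileged program runs */
    if (symlink(victim, link) != 0) return -1;

    /* 1. vulnerable open follows the link: the write lands in victim.txt */
    fd = open_temp_unsafe(link);
    if (fd >= 0) {
        n = write(fd, "scratch\n", 8);
        close(fd);
        fd = open(victim, O_RDONLY);
        n = (fd >= 0) ? read(fd, buf, sizeof buf - 1) : -1;
        if (fd >= 0) close(fd);
        if (n > 0) {
            buf[n] = '\0';
            if (strcmp(buf, "scratch\n") == 0) result |= 1;
        }
    }

    /* 2. hardened open refuses: EEXIST from O_EXCL or ELOOP from O_NOFOLLOW */
    fd = open_temp_safe(link);
    if (fd < 0 && (errno == EEXIST || errno == ELOOP)) result |= 2;
    else if (fd >= 0) close(fd);

    /* 3. mkstemp: exclusive creation under an unpredictable name */
    fd = open_temp_random(tmpl);
    if (fd >= 0) {
        struct stat st;
        if (fstat(fd, &st) == 0 && S_ISREG(st.st_mode) && (st.st_mode & 077) == 0)
            result |= 4;
        close(fd);
        unlink(tmpl);
    }

    unlink(link);
    unlink(victim);
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = demo_symlink_race();
    printf("unsafe open clobbered the victim file:       %s\n", (r & 1) ? "yes" : "no");
    printf("O_EXCL|O_NOFOLLOW refused the planted link:  %s\n", (r & 2) ? "yes" : "no");
    printf("mkstemp created a private regular file:      %s\n", (r & 4) ? "yes" : "no");
    return r == 7 ? 0 : 1;
}
```

The point to take from the bitmask is that the first open succeeds, which
is exactly what makes the bug silent: nothing fails, the privileged program
simply writes through the link. The hardened open fails loudly instead.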

Reference:
http://www.ers.ibm.com/tech-info/advisories/sva/1998/ERS-SVA-E01-1998:002.2.txt

___

Date Reported:		2/10/98
Vulnerability:		Sun-volrmmount
Platforms Affected:	Solaris 2.6
Risk Factor:		High

The Solaris program 'volrmmount' is used to simulate insertion and
ejection of removable media.  It is normally setuid and can be used by an
attacker to view any file on the system, or in some cases, even gain root
privileges.

Reference:
http://sunsolve.sun.com/sunsolve/secbulletins/security-alert-162.txt

___

Date Reported:          2/6/98
Vulnerability:          NT-web8.3
Platforms Affected:     Win32 Web Servers
Risk Factor:            High

Some Windows NT and 95 web servers have problems with file names
because of the way they handle long file names and the standard
Microsoft 8.3 short format file names.  In some cases, when a URL is
requested using the short file name, the web server can apply different
configuration properties to the request, thus enabling an attacker to
gain access to unauthorized files.
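An added illustration of why this bypass works and how a server avoids
it; it is not code from any of the affected products or from the CERT or
Microsoft advisories. The 8.3 alias generator below is the simplified
textbook algorithm (collision suffixes beyond ~1 are not modelled), the
web root and the list of protected files are constructed, and
serve_naive/serve_canonical are hypothetical handlers: the first looks up
its configuration by the name the client sent, the second canonicalizes
to the long name first so that every alias of a file gets the same access
rules.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp: Win32 file names are case-insensitive */

/* Simplified generation of the 8.3 alias FAT/NTFS keep for a long file name:
 * spaces and all periods but the last are dropped, characters illegal in 8.3
 * names become '_', the name is upper-cased, a base that does not fit is cut
 * to six characters plus "~1", the extension is cut to three. Collision
 * suffixes (~2, ~3, hashed tails) are not modelled (assumption of this
 * example). Returns 1 if an alias distinct from the long name exists, 0 if
 * the long name already is a valid 8.3 name (out = its upper-cased form). */
int short_name_83(const char *longname, char *out, size_t outlen)
{
    char base[256] = {0}, ext[256] = {0};
    size_t bl = 0, el = 0;
    int changed = 0;
    const char *dot = strrchr(longname, '.');

    if (dot && (dot == longname || dot[1] == '\0')) dot = NULL; /* no real extension */
    for (const char *p = longname; *p; p++) {
        char c = *p;
        int in_ext = dot && p > dot;
        if (p == dot) continue;                       /* the one period we keep */
        if (c == ' ' || c == '.') { changed = 1; continue; }
        if (strchr("+,;=[]", c)) { c = '_'; changed = 1; }
        c = (char)toupper((unsigned char)c);
        if (in_ext) { if (el < 255) ext[el++] = c; }
        else        { if (bl < 255) base[bl++] = c; }
    }
    if (!changed && bl <= 8 && el <= 3) {
        snprintf(out, outlen, "%s%s%s", base, el ? "." : "", ext);
        return 0;
    }
    if (bl > 6) base[6] = '\0';
    strcat(base, "~1");
    if (el > 3) ext[3] = '\0';
    snprintf(out, outlen, "%s%s%s", base, el ? "." : "", ext);
    return 1;
}

/* Constructed web root standing in for the server's document directory. */
static const char *const WEB_ROOT[] = { "index.html", "private-report-1998.html", "readme.txt" };
/* Constructed per-file configuration: names that require authorization. */
static const char *const PROTECTED[] = { "private-report-1998.html" };

/* Stand-in for the filesystem: resolve the name the client sent, long or 8.3
 * alias in any case, to the single canonical long name (NULL if no such
 * file). This is what the OS does for the server when it opens the file. */
const char *canonical_name(const char *requested)
{
    char alias[64];
    for (size_t i = 0; i < sizeof WEB_ROOT / sizeof WEB_ROOT[0]; i++) {
        if (strcasecmp(WEB_ROOT[i], requested) == 0) return WEB_ROOT[i];
        if (short_name_83(WEB_ROOT[i], alias, sizeof alias) && strcasecmp(alias, requested) == 0)
            return WEB_ROOT[i];
    }
    return NULL;
}

static int is_protected(const char *name)
{
    for (size_t i = 0; i < sizeof PROTECTED / sizeof PROTECTED[0]; i++)
        if (strcasecmp(PROTECTED[i], name) == 0) return 1;
    return 0;
}

/* Vulnerable handler: existence is decided by the filesystem (which knows
 * the alias) but configuration is looked up by the name exactly as
 * requested, so "PRIVAT~1.HTM" is served unprotected. 1 = served. */
int serve_naive(const char *requested)
{
    if (canonical_name(requested) == NULL) return 0;
    return !is_protected(requested);
}

/* Hardened handler: canonicalize first, then apply configuration to the one
 * true name, so every alias of a file gets the same treatment. */
int serve_canonical(const char *requested)
{
    const char *canon = canonical_name(requested);
    if (canon == NULL) return 0;
    return !is_protected(canon);
}

int main(void)
{
    char alias[32];
    short_name_83("private-report-1998.html", alias, sizeof alias);
    printf("8.3 alias of the protected file: %s\n", alias);
    printf("naive handler serves the alias:  %d (bypass)\n", serve_naive("PRIVAT~1.HTM"));
    printf("canonicalizing handler serves it: %d\n", serve_canonical("PRIVAT~1.HTM"));
    return 0;
}
```

The general rule the second handler follows is "canonicalize, then
authorize": any name the filesystem will accept for the object must map to
the same configuration entry before the decision is made, otherwise each
extra spelling of the name is an extra path around the rules.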

References:
ftp://info.cert.org/pub/cert_advisories/CA-98.04.Win32.WebServers
http://www.microsoft.com/security/iissfn.htm

___

Date Reported:          2/6/98
Vulnerability:          NT-portbind
Platforms Affected:     Windows NT
Risk Factor:            High

Microsoft Windows NT allows programs run by users who are logged in to
bind to any port.  If a program binds to a port that a service is currently
running on, the service will be disrupted, effectively making it
unavailable.
                
Reference:
http://www.l0pht.com/advisories/nc11adv.txt

___

Date Reported:		1/29/98
Vulnerability:		elm-filter
Platforms Affected:	Any UNIX system running elm/filter
Risk Factor:		High

Two problems have been found in the filter program that is contained in the
elm-2.4 package. The first problem allows local users (and potentially
remote users) to run arbitrary commands as the user who runs filter.
The second problem allows a local user to read other users' mail spools and
gain write access to the mail spool directory.  In order for these
problems to be exploited, filter must have setuid or setgid
permissions (which is common on Linux machines).

Reference:
http://www.dec.net/ksrt/adv7.html

___

Date:			2/12/98
Update:			L0pht-l0phtcrack
Platforms:		Windows NT
			Unix (running Samba)

L0phtCrack is a utility that can be used by system administrators and
security professionals concerned about potential points of access in their
local networks.  It can also be used by hackers to crack passwords and
gain unauthorized access to systems.

Reference:
http://www.l0pht.com/l0phtcrack/news.html

___

Date:			1/21/98 (CERT Advisory CA-97.28)
Update:			HP-land
Vendor:			Hewlett Packard
Platforms:		HP-UX (9.X, 10.X, 11.00)

Hewlett Packard has released patches for the land attack.  This attack can
lock up or "freeze" many different operating systems as well as network
hardware.  An attacker sends a SYN packet, which is normally used to
open a connection, to the host being attacked.
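The packet the summary describes is recognisable on the wire: a land
packet is a TCP SYN whose source address and port have been forged to equal
the destination address and port, which is the signature documented in
CA-97.28. An added detection example, not code from HP, CERT or ISS: a
parser for the IPv4 and TCP headers, the match on that signature, and two
constructed packets (one land packet, one ordinary SYN) to exercise it.
The addresses, the ports and the packet builder are all constructed for
this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TCP_SYN 0x02

/* Fields needed to recognise the land signature in an IPv4/TCP packet. */
struct tcp4_summary {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    uint8_t  flags;
};

static uint16_t load16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t load32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}
static void store16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }
static void store32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16); p[2] = (uint8_t)(v >> 8); p[3] = (uint8_t)v;
}

/* Parse the IPv4 and TCP headers out of a raw packet. Honours the IP header
 * length field (options) and rejects anything too short, not IPv4 or not
 * TCP. Returns 0 on success, -1 otherwise. Checksums are deliberately not
 * checked: the packets of interest are forged, so a detector must not
 * depend on them being valid. */
int parse_tcp4(const uint8_t *pkt, size_t len, struct tcp4_summary *out)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 20 || pkt[9] != 6) return -1;
    const uint8_t *tcp = pkt + ihl;
    out->src_ip   = load32(pkt + 12);
    out->dst_ip   = load32(pkt + 16);
    out->src_port = load16(tcp);
    out->dst_port = load16(tcp + 2);
    out->flags    = tcp[13];
    return 0;
}

/* Land signature: a SYN whose source address and port equal its destination
 * address and port. No legitimate connection attempt looks like this, so a
 * match is a high-confidence alert. */
int is_land_packet(const uint8_t *pkt, size_t len)
{
    struct tcp4_summary s;
    if (parse_tcp4(pkt, len, &s) != 0) return 0;
    return (s.flags & TCP_SYN) != 0 && s.src_ip == s.dst_ip && s.src_port == s.dst_port;
}

/* Build a minimal 40-byte IPv4/TCP SYN (no options, checksums zero) so the
 * detector can be exercised offline. Constructed test input only. */
size_t build_syn(uint8_t *buf, uint32_t sip, uint16_t sport, uint32_t dip, uint16_t dport)
{
    /* ver/ihl, tos, total length 40, id, flags/frag, ttl 64, proto TCP, csum */
    static const uint8_t ip_head[12] = { 0x45, 0x00, 0x00, 0x28, 0x00, 0x01,
                                         0x00, 0x00, 0x40, 0x06, 0x00, 0x00 };
    /* seq, ack, data offset 5, flags SYN, window, checksum, urgent pointer */
    static const uint8_t tcp_tail[16] = { 0, 0, 0, 0,  0, 0, 0, 0,  0x50, TCP_SYN,
                                          0x20, 0x00,  0, 0,  0, 0 };
    memcpy(buf, ip_head, 12);
    store32(buf + 12, sip);
    store32(buf + 16, dip);
    store16(buf + 20, sport);
    store16(buf + 22, dport);
    memcpy(buf + 24, tcp_tail, 16);
    return 40;
}

/* Constructed sample: one land packet aimed at port 139 of 10.0.0.5 and one
 * ordinary SYN to the same port from 192.0.2.7. Returns how many of the two
 * the detector flags (1 when it works). */
int demo_land_detection(void)
{
    uint8_t land[40], normal[40];
    size_t n1 = build_syn(land,   0x0A000005u, 139,   0x0A000005u, 139);
    size_t n2 = build_syn(normal, 0xC0000207u, 40000, 0x0A000005u, 139);
    return is_land_packet(land, n1) + is_land_packet(normal, n2);
}

int main(void)
{
    printf("land packets flagged in the sample: %d of 2\n", demo_land_detection());
    return 0;
}
```

Applying a vendor patch fixes the host; a rule like this one, whether in a
sniffer or a border filter, is what lets a site see that the packets are
arriving at all, and the same source-equals-destination check is the basis
for dropping them at the router before they reach an unpatched stack.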

References:
http://us-support.external.hp.com - HP Security Bulletin #00076
ftp://ftp.cert.org/pub/cert_advisories/CA-97.28.Teardrop_Land

___

Risk Factor Key:

	High  	any vulnerability that provides an attacker with immediate
		access into a machine, gains superuser access, or bypasses
		a firewall.  Example:  A vulnerable Sendmail 8.6.5 version
		that allows an intruder to execute commands on the mail
		server.
	Medium	any vulnerability that provides information that has a
		high potential of giving access to an intruder.  Example:
		A misconfigured TFTP or vulnerable NIS server that allows
		an intruder to get the password file, which possibly
		contains an account with a guessable password.
	Low	any vulnerability that provides information that
		potentially could lead to a compromise.  Example:  A
		finger service that allows an intruder to find out who is
		online and which accounts to attempt brute-force password
		guessing against.

Internet Security Systems, Inc., (ISS) is the pioneer and world's leading
supplier of network security assessment and intrusion detection tools,
providing comprehensive software that enables organizations to proactively
manage and minimize their network security risks.  For more information,
contact the company at (800) 776-2362 or (770) 395-0150 or visit the ISS
Web site at http://www.iss.net.

________

Copyright (c) 1998 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert Summary
electronically.  It is not to be edited in any way without express consent
of X-Force.  If you wish to reprint the whole or any part of this 
Alert Summary in any other medium excluding electronic medium, please
email xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this 
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in connection 
with the use or spread of this information. Any use of this information is
at the user's own risk.

X-Force PGP Key available at:   http://www.iss.net/xforce/sensitive.html
as well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to:
X Force <xforce@iss.net> of Internet Security Systems, Inc.



-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBNM+1TDRfJiV99eG9AQEAkgQAq9D2aoB/dVtvAqgFE3cB+vp+tcd0IkWh
k9MULvWlP80e+gomp4TvA0eUHHSzx7DkGB6qs9yIzMrbx0SqoMMvBFzB1Y4jOQ/3
myedzvQitCe5POAGW8Ax2UU1CkADgJubDJfe86idYmjPmnbeYJW5EbxuMAy2c4bG
vBFKuDwIQdk=
=wP42
-----END PGP SIGNATURE-----
