[334] in Best-of-Security


BoS: ISS Security Alert Summary V1 N1

daemon@ATHENA.MIT.EDU (X-Force)
Wed Aug 27 18:37:11 1997

Old-X-Envelope-From: xforce@arden.iss.net  Wed Aug 27 06:47:22 1997
Date: Tue, 26 Aug 1997 16:46:47 -0400 (EDT)
From: X-Force <xforce@iss.net>
Errors-To: best-of-security-request@cyber.com.au
To: best-of-security@cyber.com.au
Resent-From: best-of-security@cyber.com.au


ISS Security Alert Summary
August 26, 1997
Volume 1 Number 1


To receive these Alert Summaries, join the ISS Alert mailing list by sending
an email to majordomo@iss.net with the following in the body of the message:
subscribe alert

---
7 Reported New Vulnerabilities 
 - xlock
 - sun-ps
 - BIND
 - irix-ftpd
 - sun-automountd
 - sun-ifconfig
 - libXt

1 Reported Incident 
 - CERT summary


---
Date reported:		5/7/97 (original), 8/12/97 (updated)
Vulnerability:		xlock
Affected platforms:	Solaris (2.3, 2.4, 2.5, 2.5.1)
			SunOS   (4.1.3, 4.1.4)
			AIX 	(3.2, 4.1, 4.2)
			BSD/OS	(2.1)
			FreeBSD (any version with xlockmore)
			IRIX	(5.x, 6.x)
			HP-UX	(any version with vuelock)
Risk Factor:		High

xlock is a physical security program that locks the local X display until
the user supplies their password to 'unlock' the display.  Arguments
supplied to xlock are not sufficiently checked and it is possible to
overwrite the stack.  xlock is set-user-id root, therefore it is
vulnerable to root exploitation.

References:

ftp://info.cert.org/pub/cert_advisories/CA-97.13.xlock
ftp://sgigate.sgi.com/security/19970502-02-PX
http://sunsolve.sun.com/sunsolve/secbulletins/security-alert-150.txt


---
Date reported:		8/12/97
Vulnerability:		sun-ps
Affected platforms:	Solaris (2.3, 2.4, 2.5, 2.5.1)
Risk Factor:		High

ps is a program that displays the currently active processes on a machine.
It does not sufficiently check the arguments passed to it, and the stack
can be overwritten.  Since ps is set-user-id root, it is possible to
exploit this vulnerability and gain root privileges.

Reference:

http://sunsolve.sun.com/sunsolve/secbulletins/security-alert-149.txt


---
Date reported:		8/13/97
Vulnerability:		BIND
Affected platforms:	All UNIX platforms running BIND releases 
			before 8.1.1
Risk Factor:		Medium

BIND (the Berkeley Internet Name Daemon) is the Domain Name Service for
UNIX systems.  It contains a vulnerability that allows the mapping between
host name and IP addresses to be altered.  An attacker can change the 
information exchanged between hosts on a network.

Reference:

ftp://info.cert.org/pub/cert_advisories/CA-97.22.bind
 

---
Date reported:		8/15/97
Vulnerability:		irix-ftpd
Affected platforms:	IRIX (3.x, 4.x, 5.x, 6.0.x, 6.1, 6.2)
Risk Factor:		High

ftpd is a program that listens on port 21 for incoming Internet File
Transfer Protocol service requests.  It contains a race condition in its
signal handling that results in manipulation of files with root
privileges.  This vulnerability can be exploited locally as well as from
remote systems.

Reference:

ftp://sgigate.sgi.com/security/19970801-01-PX


---
Date reported:		8/20/97
Vulnerability:		sun-automountd
Affected platforms:	Solaris (2.3, 2.4, 2.5, 2.5.1)
Risk Factor:		Medium

automountd is a daemon that answers file system mount and umount requests.
Local users can exploit a vulnerability by sending RPCs to the daemon to
change mount options of a file system.

Reference:

http://sunsolve.sun.com/sunsolve/secbulletins/security-alert-151.txt


---
Date reported:		8/25/97
Vulnerability:		sun-ifconfig
Affected platforms:	Solaris (2.3, 2.4, 2.5, 2.5.1)
Risk Factor:		Medium

ifconfig is used by administrator access level accounts to set up and
configure a network interface, as well as to assign addresses to
network interfaces.  It contains a vulnerability that, if exploited, allows
non-root users to configure network interface parameters.

Reference:

http://sunsolve.sun.com/sunsolve/secbulletins/security-alert-152.txt


---
Date reported:		5/1/97 (original), 8/25/97 (updated)
Vulnerability:		libXt
Affected platforms:	Solaris (2.3, 2.4, 2.5, 2.5.1)
			AIX (3.2, 4.1, 4.2)
			HP-UX (9.x, 10.x)
Risk Factor:		High

Buffer overflow conditions have been found in setuid/setgid X applications
that can be exploited to gain privileged access, in some cases root uid.
Exploit scripts have been written and made publicly available via various
newsgroups and mailing lists.

References:

http://sunsolve.sun.com/sunsolve/secbulletins/security-alert-153.txt
ftp://info.cert.org/pub/cert_advisories/CA-97.11.libXt
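
The xlock, sun-ps and libXt entries above all depend on programs being installed setuid or setgid. As an added example (not part of the ISS bulletin), the shell function below inventories such files under the directories it is given and flags the program names the bulletin mentions; the name list, the FLAG/REVIEW output format and the function name are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the bulletin: inventory setuid/setgid files
# and flag the programs named in the xlock and sun-ps entries.
# ADVISORY_NAMES is an assumption of this example (xlock, ps, and the
# vuelock name from the HP-UX platform line); extend it per site.
ADVISORY_NAMES="xlock vuelock ps"

# audit_suid DIR...
# Prints one line per setuid or setgid regular file found:
#   FLAG   <mode> <owner-uid> <path>   basename is named in the bulletin
#   REVIEW <mode> <owner-uid> <path>   any other setuid/setgid file
audit_suid() {
    find "$@" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r path; do
        # ls -ldn gives the mode string and the numeric owner portably
        info=$(ls -ldn "$path" | awk '{print $1, $3}')
        base=$(basename "$path")
        tag=REVIEW
        for name in $ADVISORY_NAMES; do
            if [ "$base" = "$name" ]; then
                tag=FLAG
            fi
        done
        printf '%s %s %s\n' "$tag" "$info" "$path"
    done
}

# Stand-alone use: sh audit.sh /usr/bin /usr/openwin/bin
if [ "$#" -gt 0 ]; then
    audit_suid "$@"
fi
```

A FLAG line with owner uid 0 is a binary to check against the vendor references in the matching entry; REVIEW lines cover the broader class of setuid/setgid X applications described in the libXt entry.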


---
Date reported:		5/26/97
Incident:		Holes being exploited
Risk Factor:		High

CERT released a summary of current holes that are being exploited on a
regular basis.  These include IMAP exploits, increased denial-of-service
attacks, IP spoofing, IRC clients/servers running as root, IRIX buffer
overflows, and INND exploits.  For a comprehensive explanation and
prevention details, please see the reference.

Reference:

ftp://info.cert.org/pub/cert_summaries/CS-97.05


Risk Factor Key:

	High  	any vulnerability that provides an attacker with immediate
		access into a machine, gains superuser access, or bypasses
		a firewall (for example, Sendmail 8.6.5).
	Medium	any vulnerability that provides information that has a
		high potential of giving access to an intruder (for example,
		TFTP and NIS).
	Low	any vulnerability that provides information that
		potentially could lead to a compromise (for example, finger).


--------
Copyright (c) 1997 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert Summary
electronically.  It is not to be edited in any way without express consent
of X-Force.  If you wish to reprint the whole or any part of this 
Alert Summary in any other medium excluding electronic medium, please
email xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this 
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in connection 
with the use or spread of this information. Any use of this information is
at the user's own risk.

Please send suggestions, updates, and comments to:
X Force <xforce@iss.net> of Internet Security Systems, Inc.

Internet Security Systems, Inc.

Internet Security Systems, Inc., (ISS) is the pioneer and world's leading 
supplier of network security assessment and monitoring tools,  providing 
comprehensive software that enables organizations to proactively manage
and minimize their network security risks. ISS' SAFEsuite(tm) product
family automatically detects, monitors, and responds to the growing number
of network security vulnerabilities and threats. The Atlanta-based
company's flagship product, Internet Scanner, is the world's leading
security auditing tool used to eliminate network security vulnerabilities
in corporations, government agencies, and financial institutions including
9 out of the top 10 U.S. banks. ISS' real time attack recognition and 
response tool, RealSecure(tm), is the leading network monitoring software 
used to automatically guard networks from external threats and internal 
misuse. For more information, contact the company at (800) 776-2362 or 
(770) 395-0150 or visit the ISS Web site at http://www.iss.net.



