[450] in Best-of-Security
BoS: ISS Security Alert Summary v1 n6
daemon@ATHENA.MIT.EDU (X-Force)
Wed Nov 12 22:26:23 1997
Date: Thu, 6 Nov 1997 16:24:28 -0500 (EST)
From: X-Force <xforce@iss.net>
cc: X-Force <xforce@arden.iss.net>
Errors-To: best-of-security-request@cyber.com.au
To: best-of-security@cyber.com.au
Resent-From: best-of-security@cyber.com.au
-----BEGIN PGP SIGNED MESSAGE-----
ISS Security Alert Summary
November 5, 1997
Volume 1 Number 6
X-Force Vulnerability and Threat Database: http://www.iss.net/xforce
To receive these Alert Summaries, subscribe to the ISS Alert mailing list
by sending an email to majordomo@iss.net and within the body of the
message type: 'subscribe alert'.
___
Index
12 Reported New Vulnerabilities
- HP-cde
- FreeBSD-open
- IBM-portmir
- IBM-piodmgrsu
- IBM-nslookup
- IBM-ftp
- Sun-niscache
- Sun-ftpd/rlogind
- Sun-sysdef
- IBM-libDtSvc
- bsd-tel-tgetent
- linux-lpd
1 Vulnerability Update
- Sun-rlogin
Comparative Network Security Scanner Review
Risk Factor Key
___
Date Reported: 10/29/97
Vulnerability: HP-cde
Affected Platforms: HP-UX (10.10, 10.20, 10.30)
Risk Factor: High
Hewlett Packard's Common Desktop Environment is a windowing system that
contains session and window management tools, network services, and other
common desktop tools. Several setuid and setgid programs have buffer
overflow conditions that can be exploited to gain unauthorized privileges.
HP has released patches that correct these problems.
References:
HP Security Bulletin #00072 - http://us-support.external.hp.com/
http://ciac.llnl.gov/ciac/bulletins/i-009.shtml
___
Date Reported: 10/29/97
Vulnerability: FreeBSD-open
Affected Platforms: FreeBSD (2.1.x, 2.2.x)
FreeBSD-stable
FreeBSD-current
Risk Factor: High
A problem exists in the way that FreeBSD's open() system call grants a
process the right to execute I/O instructions. Any local user could
exploit this problem to execute unauthorized I/O instructions. The problem
in open() has been corrected in FreeBSD-current as of 1997/10/24.
Reference:
ftp://freebsd.org/pub/CERT/advisories/FreeBSD-SA-97%3A05.open.asc
___
Date Reported: 10/29/97
Vulnerability: IBM-portmir
Affected Platforms: AIX (4.2.1)
Risk Factor: High
Multiple vulnerabilities in AIX's portmir command exist that allow local
users to obtain unauthorized root privileges.
References:
http://www.ers.ibm.com/tech-info/advisories/sva/1997/ERS-SVA-E01-1997:006.1.txt
http://ciac.llnl.gov/ciac/bulletins/i-011.shtml
___
Date Reported: 10/29/97
Vulnerability: IBM-piodmgrsu
Affected Platforms: AIX (4.1, 4.2)
Risk Factor: Medium
Piodmgrsu is a program that performs various operations on the printer
backend's alternate ODM database. It contains a vulnerability in the way
that it passes environment variables to child processes, which allows local
users to obtain access to the printq group.
References:
http://www.ers.ibm.com/tech-info/advisories/sva/1997/ERS-SVA-E01-1997:007.1.txt
http://ciac.llnl.gov/ciac/bulletins/i-010.shtml
___
Date Reported: 10/29/97
Vulnerability: IBM-nslookup
Affected Platforms: AIX (4.1, 4.2)
Risk Factor: High
Nslookup is a program that is used to query Internet domain name servers
and return various information about hosts. It contains a vulnerability
that allows local users to obtain unauthorized root access.
References:
http://www.ers.ibm.com/tech-info/advisories/sva/1997/ERS-SVA-E01-1997:008.1.txt
http://ciac.llnl.gov/ciac/bulletins/i-010.shtml
___
Date Reported: 10/29/97
Vulnerability: IBM-ftp
Affected Platforms: AIX (3.2, 4.1, 4.2)
Risk Factor: High
The File Transfer Protocol (ftp) client contains a vulnerability in that
it can be tricked into executing arbitrary commands. Remote servers can
name a file preceded by the | symbol, and the local ftp client will
execute that file as a shell script on the local machine. It is possible
that root access could be acquired using this trick.
Reference:
http://www.ers.ibm.com/tech-info/advisories/sva/1997/ERS-SVA-E01-1997:009.1.txt
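As an added illustration of the defensive check this class of bug calls for (example code, not IBM's or any vendor's ftp client), the hypothetical helper below screens filenames received from an FTP server before they are used as local filenames, rejecting the leading-| form described above along with absolute paths, ".." components and control characters; the sample listing is constructed.

```c
#include <ctype.h>
#include <string.h>

/* Verdicts returned by check_remote_name(). */
enum name_verdict {
    NAME_OK = 0,
    NAME_PIPE = 1,      /* begins with '|': some ftp clients run it as a command */
    NAME_ABSOLUTE = 2,  /* begins with '/': would land outside the download dir */
    NAME_TRAVERSAL = 3, /* contains a ".." path component */
    NAME_CONTROL = 4    /* empty, or contains a control character */
};

/* Decide whether a server-supplied name (e.g. from an NLST reply during
 * mget) is safe to use locally. Hypothetical helper, not vendor code. */
enum name_verdict check_remote_name(const char *name)
{
    const char *p;
    if (name == NULL || *name == '\0')
        return NAME_CONTROL;
    if (name[0] == '|')
        return NAME_PIPE;
    if (name[0] == '/')
        return NAME_ABSOLUTE;
    for (p = name; *p; p++)
        if (iscntrl((unsigned char)*p))
            return NAME_CONTROL;
    /* Walk the '/'-separated components and refuse any ".." component. */
    p = name;
    for (;;) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return NAME_TRAVERSAL;
        if (!end)
            break;
        p = end + 1;
    }
    return NAME_OK;
}

/* Constructed sample of a listing returned by an untrusted server. */
static const char *const sample_listing[] = {
    "report.txt", "|some-command", "/etc/passwd", "../../.rhosts",
    "data/2.bin", NULL
};

/* Count the names in a NULL-terminated listing that pass the check. */
int count_safe_names(const char *const *listing)
{
    int n = 0;
    for (; *listing; listing++)
        if (check_remote_name(*listing) == NAME_OK)
            n++;
    return n;
}
```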
___
Date Reported: 10/28/97
Vulnerability: Sun-niscache
Affected Platforms: Solaris (2.4, 2.5, 2.5.1)
Risk Factor: High
The program nis_cachemgr is used by NIS+ to cache location information of
NIS+ servers. It contains a vulnerability that would allow an attacker to
add directory objects to the shared cache and specify rogue NIS+ servers
that they control.
References:
http://sunsolve.sun.com/sunsolve/secbulletins/security-alert-155.txt
http://ciac.llnl.gov/ciac/bulletins/i-007.shtml
___
Date Reported: 10/28/97
Vulnerability: Sun-ftpd/rlogind
Affected Platforms: Solaris (2.3, 2.4, 2.5, 2.5.1)
SunOS (4.1.3, 4.1.4)
Risk Factor: High
A vulnerability exists in the Internet File Transfer Protocol server
process (in.ftpd) and the rlogin server process (in.rlogind). The
attacker can execute arbitrary commands on the host by connecting from the
ftp server's data port to the rlogin server on a trusted host.
References:
http://sunsolve.sun.com/sunsolve/secbulletins/security-alert-156.txt
http://ciac.llnl.gov/ciac/bulletins/i-007.shtml
___
Date Reported: 10/28/97
Vulnerability: Sun-sysdef
Affected Platforms: Solaris (2.3, 2.4, 2.5, 2.5.1)
Risk Factor: High
The sysdef command is used to display current system information such as
hardware devices, system devices, kernel parameters, etc. It contains a
vulnerability that would allow local users to read kernel memory. Kernel
memory can contain such information as unencrypted passwords, and could
possibly lead to root access.
References:
http://sunsolve.sun.com/sunsolve/secbulletins/security-alert-157.txt
http://ciac.llnl.gov/ciac/bulletins/i-007.shtml
___
Date Reported: 10/28/97
Vulnerability: IBM-libDtSvc
Affected Platforms: AIX (4.1, 4.2)
Risk Factor: High
AIX has a buffer overflow in the libDtSvc.a library that allows
unauthorized local users to obtain root privileges. An exploit for this
vulnerability was posted on a security mailing list and is publicly
available.
References:
http://www.ers.ibm.com/tech-info/advisories/sva/1997/ERS-SVA-E01-1997:005.1.txt
http://ciac.llnl.gov/ciac/bulletins/i-010.shtml
___
Date Reported: 10/21/97
Vulnerability: bsd-tel-tgetent
Affected Platforms: BSD/OS (2.1)
Risk Factor: High
The telnet daemon, telnetd, contains a vulnerability in its tgetent
library routine. By manipulating environment variables which are passed
to the telnet daemon, an attacker can produce a buffer overflow to obtain
root privileges.
Reference:
ftp://ftp.secnet.com/pub/advisories/SNI-20.telnetd.tgetent.advisory
___
Date Reported: 10/6/97
Vulnerability: linux-lpd
Affected Platforms: Linux (Redhat 4.2)
Risk Factor: High
Two problems exist. The first is that Redhat calls the printfilter software
package when any file is being printed. After determining the file type,
printfilter applies the appropriate filter to the file so that it can be
printed properly. Some filters write into the /tmp directory, so local
users can create symbolic links there that cause files to be overwritten
with uid bin and gid root. The second problem concerns groff requests,
which allow local as well as remote users to execute programs as uid bin
and gid root; this can easily lead to root access.
Reference:
http://www.dec.net/ksrt/adv4.html
___
Date: 10/28/97
Update: Sun-rlogin
Vendor: Sun Microsystems, Inc.
Platforms: Solaris (2.3, 2.4, 2.5, 2.5.1)
SunOS (4.1.3, 4.1.4)
Sun has released patches for the rlogin vulnerability in which the TERM
environment variable is copied to an internal buffer. The buffer can be
overflowed and arbitrary code can be executed. Since rlogin is setuid
root, local accounts would be able to obtain unauthorized root access.
References:
http://sunsolve.sun.com/sunsolve/secbulletins/security-alert-158.txt
http://ciac.llnl.gov/ciac/bulletins/h-25a.shtml
ftp://info.cert.org/pub/cert_advisories/CA-97.06.rlogin-term
___
For a comparative review of five network security scanners, see Network
World Magazine (http://www.nwfusion.com; register for a login to read it).
Review: http://www.nwfusion.com/reviews/1027rev.html
___
Risk Factor Key:
High: any vulnerability that provides an attacker with immediate access
into a machine, gains superuser access, or bypasses a firewall.
Example: a vulnerable Sendmail 8.6.5 version that allows an intruder to
execute commands on the mail server.
Medium: any vulnerability that provides information that has a high
potential of giving access to an intruder. Example: a misconfigured TFTP
or vulnerable NIS server that allows an intruder to get the password
file, which possibly contains an account with a guessable password.
Low: any vulnerability that provides information that potentially could
lead to a compromise. Example: a finger service that allows an intruder
to find out who is online and which accounts to attempt to crack
passwords for via brute force.
Internet Security Systems, Inc., (ISS) is the pioneer and world's leading
supplier of network security assessment and intrusion detection tools,
providing comprehensive software that enables organizations to proactively
manage and minimize their network security risks. For more information,
contact the company at (800) 776-2362 or (770) 395-0150 or visit the ISS
Web site at http://www.iss.net.
________
Copyright (c) 1997 by Internet Security Systems, Inc.
Permission is hereby granted for the redistribution of this Alert Summary
electronically. It is not to be edited in any way without express consent
of X-Force. If you wish to reprint the whole or any part of this
Alert Summary in any other medium excluding electronic medium, please
email xforce@iss.net for permission.
Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in connection
with the use or spread of this information. Any use of this information is
at the user's own risk.
X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html
as well as on MIT's PGP key server and PGP.com's key server.
Please send suggestions, updates, and comments to:
X Force <xforce@iss.net> of Internet Security Systems, Inc.