VARIoT IoT vulnerabilities database

VAR-200112-0223 | CVE-2001-1484 | Alcatel ADSL modems grant unauthenticated TFTP access via Bounce Attacks
CVSS V2: 7.5 CVSS V3: - Severity: HIGH
Alcatel ADSL modems allow remote attackers to access the Trivial File Transfer Protocol (TFTP) to modify firmware and configuration via a bounce attack from a system on the local area network (LAN) side, which is allowed to access TFTP without authentication. The San Diego Supercomputer Center (SDSC) has recently discovered several vulnerabilities in the Alcatel Speed Touch line of Asymmetric Digital Subscriber Line (ADSL) modems. These vulnerabilities are the result of weak authentication and access control policies and result in one or more of the following impacts: unauthorized access, unauthorized monitoring, information leakage, denial of service, and permanent disability of affected devices. The SDSC has published additional information regarding these vulnerabilities at http://security.sdsc.edu/self-help/alcatel/. The Lotus Domino Web Server contains a flaw that could be exploited to cause a denial of service. Due to a problem parsing carriage return/line feeds in RFC822 format mail messages, The Bat! mail client may prematurely detect the end of a mail message, causing an error to occur. This error may prevent the mail user from retrieving other mail messages until the message with the error is removed. Adsl Modem 1000 is prone to a remote security vulnerability. "The Bat!" is an MUA for Windows by Rit Research Labs.
"The Bat!" is vulnerable to a remote denial of service attack. Email messages in which carriage return (CR) characters are not followed by a linefeed (LF) can cause "The Bat!" to incorrectly interpret the message's structure. This can lead "The Bat!" to read text in the message body as a response from the POP3 server. The current (corrupt) message will not be deleted from the server, and the mail download process will stop.
As a result, the user will remain unable to receive new email messages from the affected POP3 account. Alcatel ADSL modems are vulnerable. The vulnerability allows unauthenticated access to TFTP
VAR-200106-0170 | CVE-2001-0414 | Ntpd Remote Buffer Overflow Vulnerability
Related entries in the VARIoT exploits database: VAR-E-200104-0050
CVSS V2: 10.0 CVSS V3: - Severity: HIGH
Buffer overflow in ntpd ntp daemon 4.0.99k and earlier (aka xntpd and xntp3) allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a long readvar argument. There is a buffer overflow defect in the ctl_getitem() function of the Network Time Protocol (NTP) daemon responsible for providing accurate time reports used for synchronizing the clocks on installed systems. All NTP daemons based on code maintained at the University of Delaware since NTPv2 are assumed at risk. The Lotus Domino Web Server contains a flaw that could be exploited to cause a denial of service. Due to a problem parsing carriage return/line feeds in RFC822 format mail messages, The Bat! mail client may prematurely detect the end of a mail message, causing an error to occur. This error may prevent the mail user from retrieving other mail messages until the message with the error is removed. NTP, the Network Time Protocol, is used to synchronize the time between a computer and another system or time reference. It uses UDP as a transport protocol. There are two protocol versions in use: NTP v3 and NTP v4. The 'ntpd' daemon implementing version 3 is called 'xntp3'; the version implementing version 4 is called 'ntp'.
On UNIX systems, the 'ntpd' daemon is available to regularly synchronize system time with internet time servers.
Many versions of 'ntpd' are prone to a remotely exploitable buffer-overflow issue. A remote attacker may be able to crash the daemon or execute arbitrary code on the host.
If successful, the attacker may gain root access on the victim host or may deny NTP service on the affected host.
Submitting numerous HTTP requests with modified headers could cause Lotus Domino to consume all available system resources.
Internet Security Systems Security Alert Summary
May 10, 2001
Volume 6 Number 6
X-Force Vulnerability and Threat Database: http://xforce.iss.net/
To receive these Alert Summaries as well as other Alerts and Advisories, subscribe to the Internet Security Systems Alert mailing list at:
http://xforce.iss.net/maillists/index.php
This summary can be found at:
http://xforce.iss.net/alerts/vol-6_num-6.php
_____
Contents:
* 120 Reported Vulnerabilities
* Risk Factor Key
_____
Date Reported: 04/02/2001
Brief Description: The Bat! masked file type in email attachment
could allow execution of code
Risk Factor: Low
Attack Type: Host Based / Network Based
Platforms Affected: The Bat! 1.49 and earlier
Vulnerability: thebat-masked-file-type
X-Force URL: http://xforce.iss.net/static/6324.php
Date Reported: 04/02/2001
Brief Description: PHP-Nuke could allow attackers to redirect ad
banner URL links
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: PHP-Nuke 4.4 and earlier
Vulnerability: php-nuke-url-redirect
X-Force URL: http://xforce.iss.net/static/6342.php
Date Reported: 04/03/2001
Brief Description: Orinoco RG-1000 Residential Gateway default SSID
reveals WEP encryption key
Risk Factor: Low
Attack Type: Host Based / Network Based
Platforms Affected: Orinoco Residential Gateway RG-1000
Vulnerability: orinoco-rg1000-wep-key
X-Force URL: http://xforce.iss.net/static/6328.php
Date Reported: 04/03/2001
Brief Description: Navision Financials server denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Navision Financials 2.5 and 2.6
Vulnerability: navision-server-dos
X-Force URL: http://xforce.iss.net/static/6318.php
Date Reported: 04/03/2001
Brief Description: uStorekeeper online shopping system allows
remote file retrieval
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: uStorekeeper 1.61
Vulnerability: ustorekeeper-retrieve-files
X-Force URL: http://xforce.iss.net/static/6319.php
Date Reported: 04/03/2001
Brief Description: Resin server allows remote attackers to view
Javabean files
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Resin 1.2.x, Resin 1.3b1
Vulnerability: resin-view-javabean
X-Force URL: http://xforce.iss.net/static/6320.php
Date Reported: 04/03/2001
Brief Description: BPFTP could allow attackers to obtain login
credentials
Risk Factor: High
Attack Type: Network Based
Platforms Affected: BPFTP 2.0
Vulnerability: bpftp-obtain-credentials
X-Force URL: http://xforce.iss.net/static/6330.php
Date Reported: 04/04/2001
Brief Description: Ntpd server readvar control message buffer
overflow
Risk Factor: Low
Attack Type: Host Based / Network Based
Platforms Affected: SCO Openserver 5.0.0 to 5.0.6, AIX 5.1,
Slackware Linux 7.1, Engarde Secure Linux 1.0.1,
Progeny Linux, SuSE Linux 7.1, ntpd 4.0.99k and
earlier, FreeBSD 4.2-Stable, Mandrake Linux
Corporate Server 1.0.1, Mandrake Linux 7.2,
Trustix Secure Linux, Immunix Linux 7.0,
NetBSD 1.5, SuSE Linux 7.0, Caldera OpenLinux
eServer 2.3.1
Vulnerability: ntpd-remote-bo
X-Force URL: http://xforce.iss.net/static/6321.php
Date Reported: 04/04/2001
Brief Description: Cisco CSS debug mode allows users to gain
administrative access
Risk Factor: Low
Attack Type: Host Based / Network Based
Platforms Affected: Cisco Content Services Switch 11050, Cisco
Content Services Switch 11150, Cisco Content
Services Switch 11800
Vulnerability: cisco-css-elevate-privileges
X-Force URL: http://xforce.iss.net/static/6322.php
Date Reported: 04/04/2001
Brief Description: BEA Tuxedo may allow access to remote services
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: BEA Tuxedo 7.1
Vulnerability: bea-tuxedo-remote-access
X-Force URL: http://xforce.iss.net/static/6326.php
Date Reported: 04/05/2001
Brief Description: Ultimate Bulletin Board could allow attackers to
bypass authentication
Risk Factor: High
Attack Type: Network Based
Platforms Affected: Ultimate Bulletin Board 5.43, Ultimate Bulletin
Board 5.4.7e
Vulnerability: ultimatebb-bypass-authentication
X-Force URL: http://xforce.iss.net/static/6339.php
Date Reported: 04/05/2001
Brief Description: BinTec X4000 NMAP denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms Affected: BinTec X4000 5.1.6P10 and prior, BinTec X1000,
BinTec X1200
Vulnerability: bintec-x4000-nmap-dos
X-Force URL: http://xforce.iss.net/static/6323.php
Date Reported: 04/05/2001
Brief Description: WatchGuard Firebox II kernel denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: WatchGuard Firebox II prior to 4.6
Vulnerability: firebox-kernel-dos
X-Force URL: http://xforce.iss.net/static/6327.php
Date Reported: 04/06/2001
Brief Description: Cisco PIX denial of service due to multiple
TACACS+ requests
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Cisco PIX Firewall 5.1.4
Vulnerability: cisco-pix-tacacs-dos
X-Force URL: http://xforce.iss.net/static/6353.php
Date Reported: 04/06/2001
Brief Description: Darren Reed's IP Filter allows attackers to
access UDP and TCP ports
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: IP Filter 3.4.16
Vulnerability: ipfilter-access-ports
X-Force URL: http://xforce.iss.net/static/6331.php
Date Reported: 04/06/2001
Brief Description: Veritas NetBackup nc (netcat) command denial of
service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: NetBackup 3.2
Vulnerability: veritas-netbackup-nc-dos
X-Force URL: http://xforce.iss.net/static/6329.php
Date Reported: 04/08/2001
Brief Description: PGP may allow malicious users to access
authenticated split keys
Risk Factor: Medium
Attack Type: Host Based
Platforms Affected: PGP 7.0
Vulnerability: nai-pgp-split-keys
X-Force URL: http://xforce.iss.net/static/6341.php
Date Reported: 04/09/2001
Brief Description: Solaris kcms_configure command line buffer
overflow
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: Solaris 7, Solaris 8
Vulnerability: solaris-kcms-command-bo
X-Force URL: http://xforce.iss.net/static/6359.php
Date Reported: 04/09/2001
Brief Description: TalkBack CGI script could allow remote attackers
to read files on the Web server
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: TalkBack prior to 1.2
Vulnerability: talkback-cgi-read-files
X-Force URL: http://xforce.iss.net/static/6340.php
Date Reported: 04/09/2001
Brief Description: Multiple FTP glob(3) implementation
Risk Factor: Low
Attack Type: Network Based
Platforms Affected: FreeBSD 4.2, Solaris 8, IRIX 6.5.x, OpenBSD 2.8,
HP-UX 11.00, NetBSD
Vulnerability: ftp-glob-implementation
X-Force URL: http://xforce.iss.net/static/6333.php
Date Reported: 04/09/2001
Brief Description: Pine mail client temp file symbolic link
Risk Factor: Medium
Attack Type: Host Based
Platforms Affected: Pine prior to 4.33, Red Hat Linux 5.2, Red Hat
Linux 6.2, Red Hat Linux 7.0
Vulnerability: pine-tmp-file-symlink
X-Force URL: http://xforce.iss.net/static/6367.php
Date Reported: 04/09/2001
Brief Description: Multiple FTP glob(3) expansion
Risk Factor: Low
Attack Type: Network Based
Platforms Affected: HP-UX 11.00, NetBSD, Solaris 8, IRIX 6.5.x,
OpenBSD 2.8, FreeBSD 4.2, MIT Kerberos 5
Vulnerability: ftp-glob-expansion
X-Force URL: http://xforce.iss.net/static/6332.php
Date Reported: 04/09/2001
Brief Description: Netscape embedded JavaScript in GIF file
comments can be used to access remote data
Risk Factor: Medium
Attack Type: Host Based / Network Based
Platforms Affected: Netscape Communicator 4.76, Red Hat Linux 6.2,
Debian Linux 2.2, Conectiva Linux, Red Hat Linux
7.0, Immunix Linux 6.2, Immunix Linux 7.0 Beta,
Red Hat Linux 7.1
Vulnerability: netscape-javascript-access-data
X-Force URL: http://xforce.iss.net/static/6344.php
Date Reported: 04/09/2001
Brief Description: STRIP generates weak passwords
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: STRIP 0.5 and earlier
Vulnerability: strip-weak-passwords
X-Force URL: http://xforce.iss.net/static/6362.php
Date Reported: 04/10/2001
Brief Description: Solaris Xsun HOME environment variable buffer
overflow
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: Solaris 7
Vulnerability: solaris-xsun-home-bo
X-Force URL: http://xforce.iss.net/static/6343.php
Date Reported: 04/10/2001
Brief Description: Compaq Presario Active X denial of service
Risk Factor: Low
Attack Type: Network Based
Platforms Affected: Compaq Presario, Windows 98, Windows ME
Vulnerability: compaq-activex-dos
X-Force URL: http://xforce.iss.net/static/6355.php
Date Reported: 04/10/2001
Brief Description: Alcatel ADSL modems 'EXPERT' account
Risk Factor: Low
Attack Type: Host Based / Network Based
Platforms Affected: Alcatel ADSL Network Termination Device 1000,
Alcatel Speed Touch ADSL modem Home
Vulnerability: alcatel-expert-account
X-Force URL: http://xforce.iss.net/static/6354.php
Date Reported: 04/10/2001
Brief Description: Alcatel ADSL modems allow attacker on LAN to
gain access using TFTP
Risk Factor: Low
Attack Type: Host Based / Network Based
Platforms Affected: Alcatel ADSL Network Termination Device 1000,
Alcatel Speed Touch ADSL modem Home
Vulnerability: alcatel-tftp-lan-access
X-Force URL: http://xforce.iss.net/static/6336.php
Date Reported: 04/10/2001
Brief Description: Alcatel ADSL modems allow attacker on WAN to
gain access using TFTP
Risk Factor: Low
Attack Type: Network Based
Platforms Affected: Alcatel ADSL Network Termination Device 1000,
Alcatel Speed Touch ADSL modem Home
Vulnerability: alcatel-tftp-wan-access
X-Force URL: http://xforce.iss.net/static/6337.php
Date Reported: 04/10/2001
Brief Description: Oracle Application Server shared library
(ndwfn4.so) buffer overflow
Risk Factor: Low
Attack Type: Network Based
Platforms Affected: iPlanet Web Server 4.x, Oracle Application
Server 4.0.8.2
Vulnerability: oracle-appserver-ndwfn4-bo
X-Force URL: http://xforce.iss.net/static/6334.php
Date Reported: 04/10/2001
Brief Description: Alcatel ADSL modems use blank password by
default
Risk Factor: Low
Attack Type: Host Based / Network Based
Platforms Affected: Alcatel ADSL Network Termination Device 1000,
Alcatel Speed Touch ADSL modem Home
Vulnerability: alcatel-blank-password
X-Force URL: http://xforce.iss.net/static/6335.php
Date Reported: 04/11/2001
Brief Description: Solaris dtsession buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: Solaris 7
Vulnerability: solaris-dtsession-bo
X-Force URL: http://xforce.iss.net/static/6366.php
Date Reported: 04/11/2001
Brief Description: Solaris kcsSUNWIOsolf.so buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: Solaris 7, Solaris 8
Vulnerability: solaris-kcssunwiosolf-bo
X-Force URL: http://xforce.iss.net/static/6365.php
Date Reported: 04/11/2001
Brief Description: Lightwave ConsoleServer brute force password
attack
Risk Factor: High
Attack Type: Network Based
Platforms Affected: Lightwave ConsoleServer 3200
Vulnerability: lightwave-consoleserver-brute-force
X-Force URL: http://xforce.iss.net/static/6345.php
Date Reported: 04/11/2001
Brief Description: nph-maillist allows user to execute code
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: Email List Generator 3.5 and earlier
Vulnerability: nph-maillist-execute-code
X-Force URL: http://xforce.iss.net/static/6363.php
Date Reported: 04/11/2001
Brief Description: Symantec Ghost Configuration Server denial of
service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Ghost 6.5
Vulnerability: ghost-configuration-server-dos
X-Force URL: http://xforce.iss.net/static/6357.php
Date Reported: 04/11/2001
Brief Description: Lotus Domino Web Server DOS device denial of
service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Lotus Domino R5 prior to 5.0.7
Vulnerability: lotus-domino-device-dos
X-Force URL: http://xforce.iss.net/static/6348.php
Date Reported: 04/11/2001
Brief Description: Lotus Domino Web Server HTTP header denial of
service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Lotus Domino R5 prior to 5.0.7
Vulnerability: lotus-domino-header-dos
X-Force URL: http://xforce.iss.net/static/6347.php
Date Reported: 04/11/2001
Brief Description: Lotus Domino Web Server URL parsing denial of
service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Lotus Domino R5 prior to 5.0.7
Vulnerability: lotus-domino-url-dos
X-Force URL: http://xforce.iss.net/static/6351.php
Date Reported: 04/11/2001
Brief Description: Lotus Domino Web Server CORBA denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Lotus Domino R5 prior to 5.0.7
Vulnerability: lotus-domino-corba-dos
X-Force URL: http://xforce.iss.net/static/6350.php
Date Reported: 04/11/2001
Brief Description: Symantec Ghost database engine denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Ghost 6.5, Sybase Adaptive Server Database
Engine 6.0.3.2747
Vulnerability: ghost-database-engine-dos
X-Force URL: http://xforce.iss.net/static/6356.php
Date Reported: 04/11/2001
Brief Description: cfingerd daemon remote format string
Risk Factor: Low
Attack Type: Network Based
Platforms Affected: Debian Linux 2.1, Debian Linux 2.2, cfingerd
1.4.3 and earlier
Vulnerability: cfingerd-remote-format-string
X-Force URL: http://xforce.iss.net/static/6364.php
Date Reported: 04/11/2001
Brief Description: Lotus Domino Web Server Unicode denial of
service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Lotus Domino R5 prior to 5.0.7
Vulnerability: lotus-domino-unicode-dos
X-Force URL: http://xforce.iss.net/static/6349.php
Date Reported: 04/11/2001
Brief Description: Linux mkpasswd generates weak passwords
Risk Factor: High
Attack Type: Host Based
Platforms Affected: Red Hat Linux 6.2, Red Hat Linux 7.0, mkpasswd
Vulnerability: mkpasswd-weak-passwords
X-Force URL: http://xforce.iss.net/static/6382.php
Date Reported: 04/12/2001
Brief Description: Solaris ipcs utility buffer overflow
Risk Factor: Medium
Attack Type: Host Based / Network Based
Platforms Affected: Solaris 7
Vulnerability: solaris-ipcs-bo
X-Force URL: http://xforce.iss.net/static/6369.php
Date Reported: 04/12/2001
Brief Description: InterScan VirusWall ISADMIN service buffer
overflow
Risk Factor: Low
Attack Type: Network Based
Platforms Affected: Linux kernel, InterScan VirusWall 3.0.1
Vulnerability: interscan-viruswall-isadmin-bo
X-Force URL: http://xforce.iss.net/static/6368.php
Date Reported: 04/12/2001
Brief Description: HylaFAX hfaxd format string
Risk Factor: Low
Attack Type: Host Based / Network Based
Platforms Affected: HylaFAX 4.1B3 and prior, SuSE Linux 6.x, SuSE
Linux 7.0, Mandrake Linux 7.1, FreeBSD 3.5.1,
Mandrake Linux 7.2, Mandrake Linux Corporate
Server 1.0.1, FreeBSD 4.2, SuSE Linux 7.1
Vulnerability: hylafax-hfaxd-format-string
X-Force URL: http://xforce.iss.net/static/6377.php
Date Reported: 04/12/2001
Brief Description: Cisco VPN 3000 Concentrators invalid IP Option
denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Cisco VPN 3000 Concentrators prior to 2.5.2 F
Vulnerability: cisco-vpn-ip-dos
X-Force URL: http://xforce.iss.net/static/6360.php
Date Reported: 04/13/2001
Brief Description: Net.Commerce package in IBM WebSphere reveals
installation path
Risk Factor: High
Attack Type: Network Based
Platforms Affected: IBM Websphere, Solaris 2.6, AIX 4.3.x, Solaris
7, Windows NT 4.0
Vulnerability: ibm-websphere-reveals-path
X-Force URL: http://xforce.iss.net/static/6371.php
Date Reported: 04/13/2001
Brief Description: QPC ftpd buffer overflow
Risk Factor: Medium
Attack Type: Host Based / Network Based
Platforms Affected: QVT/Term 5.0, QVT/Net 5.0
Vulnerability: qpc-ftpd-bo
X-Force URL: http://xforce.iss.net/static/6376.php
Date Reported: 04/13/2001
Brief Description: QPC ftpd directory traversal
Risk Factor: High
Attack Type: Network Based
Platforms Affected: QVT/Net 5.0, QVT/Term 5.0
Vulnerability: qpc-ftpd-directory-traversal
X-Force URL: http://xforce.iss.net/static/6375.php
Date Reported: 04/13/2001
Brief Description: QPC popd buffer overflow
Risk Factor: Medium
Attack Type: Host Based / Network Based
Platforms Affected: QVT/Net 5.0
Vulnerability: qpc-popd-bo
X-Force URL: http://xforce.iss.net/static/6374.php
Date Reported: 04/13/2001
Brief Description: NCM Content Management System access database
Risk Factor: Low
Attack Type: Network Based
Platforms Affected: NCM Content Management System
Vulnerability: ncm-content-database-access
X-Force URL: http://xforce.iss.net/static/6386.php
Date Reported: 04/13/2001
Brief Description: Netscape SmartDownload 'sdph20.dll' buffer overflow
Risk Factor: Low
Attack Type: Host Based / Network Based
Platforms Affected: Netscape SmartDownload 1.3, Windows NT, Windows
95, Windows 98
Vulnerability: netscape-smartdownload-sdph20-bo
X-Force URL: http://xforce.iss.net/static/6403.php
Date Reported: 04/13/2001
Brief Description: SCO OpenServer accept buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: SCO Openserver 5.0.0 to 5.0.6
Vulnerability: sco-openserver-accept-bo
X-Force URL: http://xforce.iss.net/static/6404.php
Date Reported: 04/13/2001
Brief Description: SCO OpenServer cancel buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: SCO Openserver 5.0.0 to 5.0.6
Vulnerability: sco-openserver-cancel-bo
X-Force URL: http://xforce.iss.net/static/6406.php
Date Reported: 04/13/2001
Brief Description: SCO OpenServer disable buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: SCO Openserver 5.0.0 to 5.0.6
Vulnerability: sco-openserver-disable-bo
X-Force URL: http://xforce.iss.net/static/6407.php
Date Reported: 04/13/2001
Brief Description: SCO OpenServer enable buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: SCO Openserver 5.0.0 to 5.0.6
Vulnerability: sco-openserver-enable-bo
X-Force URL: http://xforce.iss.net/static/6409.php
Date Reported: 04/13/2001
Brief Description: SCO OpenServer lp buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: SCO Openserver 5.0.0 to 5.0.6
Vulnerability: sco-openserver-lp-bo
X-Force URL: http://xforce.iss.net/static/6410.php
Date Reported: 04/13/2001
Brief Description: SCO OpenServer lpfilter buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: SCO Openserver 5.0.0 to 5.0.6
Vulnerability: sco-openserver-lpfilter-bo
X-Force URL: http://xforce.iss.net/static/6411.php
Date Reported: 04/13/2001
Brief Description: SCO OpenServer lpstat buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: SCO Openserver 5.0.0 to 5.0.6
Vulnerability: sco-openserver-lpstat-bo
X-Force URL: http://xforce.iss.net/static/6413.php
Date Reported: 04/13/2001
Brief Description: SCO OpenServer reject buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: SCO Openserver 5.0.0 to 5.0.6
Vulnerability: sco-openserver-reject-bo
X-Force URL: http://xforce.iss.net/static/6414.php
Date Reported: 04/13/2001
Brief Description: SCO OpenServer rmail buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: SCO Openserver 5.0.0 to 5.0.6
Vulnerability: sco-openserver-rmail-bo
X-Force URL: http://xforce.iss.net/static/6415.php
Date Reported: 04/13/2001
Brief Description: SCO OpenServer tput buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: SCO Openserver 5.0.0 to 5.0.6
Vulnerability: sco-openserver-tput-bo
X-Force URL: http://xforce.iss.net/static/6416.php
Date Reported: 04/13/2001
Brief Description: IBM WebSphere CGI macro denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: IBM Websphere, Windows NT 4.0, Solaris 2.6, AIX
4.3.x, Solaris 7
Vulnerability: ibm-websphere-macro-dos
X-Force URL: http://xforce.iss.net/static/6372.php
Date Reported: 04/13/2001
Brief Description: SCO OpenServer lpmove buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: SCO Openserver 5.0.0 to 5.0.6
Vulnerability: sco-openserver-lpmove-bo
X-Force URL: http://xforce.iss.net/static/6412.php
Date Reported: 04/14/2001
Brief Description: Siemens Reliant Unix ppd -T symlink
Risk Factor: Medium
Attack Type: Host Based
Platforms Affected: Reliant Unix 5.45, Reliant Unix 5.43, Reliant
Unix 5.44
Vulnerability: reliant-unix-ppd-symlink
X-Force URL: http://xforce.iss.net/static/6408.php
Date Reported: 04/15/2001
Brief Description: Linux Exuberant Ctags package symbolic link
Risk Factor: Medium
Attack Type: Host Based
Platforms Affected: Debian Linux 2.2, exuberant-ctags
Vulnerability: exuberant-ctags-symlink
X-Force URL: http://xforce.iss.net/static/6388.php
Date Reported: 04/15/2001
Brief Description: processit.pl CGI could allow attackers to view
sensitive information about the Web server
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: processit.pl
Vulnerability: processit-cgi-view-info
X-Force URL: http://xforce.iss.net/static/6385.php
Date Reported: 04/16/2001
Brief Description: Microsoft ISA Server Web Proxy denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Microsoft ISA Server 2000
Vulnerability: isa-web-proxy-dos
X-Force URL: http://xforce.iss.net/static/6383.php
Date Reported: 04/16/2001
Brief Description: Microsoft Internet Explorer altering CLSID
action allows malicious file execution
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: Windows 2000, Internet Explorer 5.5, Windows 98
Vulnerability: ie-clsid-execute-files
X-Force URL: http://xforce.iss.net/static/6426.php
Date Reported: 04/16/2001
Brief Description: Cisco Catalyst 5000 series switch 802.1x denial
of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Cisco Catalyst 5000 Series
Vulnerability: cisco-catalyst-8021x-dos
X-Force URL: http://xforce.iss.net/static/6379.php
Date Reported: 04/16/2001
Brief Description: BubbleMon allows users to gain elevated
privileges
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: BubbleMon prior to 1.32, FreeBSD
Vulnerability: bubblemon-elevate-privileges
X-Force URL: http://xforce.iss.net/static/6378.php
Date Reported: 04/16/2001
Brief Description: DCForum CGI az= field directory traversal
Risk Factor: High
Attack Type: Network Based
Platforms Affected: DCForum 2000 1.0
Vulnerability: dcforum-az-directory-traversal
X-Force URL: http://xforce.iss.net/static/6391.php
Date Reported: 04/16/2001
Brief Description: DCForum CGI az= field allows attacker to upload
files
Risk Factor: Low
Attack Type: Network Based
Platforms Affected: DCForum 2000 1.0
Vulnerability: dcforum-az-file-upload
X-Force URL: http://xforce.iss.net/static/6393.php
Date Reported: 04/16/2001
Brief Description: DCForum CGI az= field EXPR allows attacker to
execute commands
Risk Factor: Low
Attack Type: Network Based
Platforms Affected: DCForum 2000 1.0
Vulnerability: dcforum-az-expr
X-Force URL: http://xforce.iss.net/static/6392.php
Date Reported: 04/16/2001
Brief Description: Linux NetFilter IPTables
Risk Factor: Low
Attack Type: Network Based
Platforms Affected: Linux kernel 2.4, Red Hat Linux 7.1
Vulnerability: linux-netfilter-iptables
X-Force URL: http://xforce.iss.net/static/6390.php
Date Reported: 04/17/2001
Brief Description: Xitami Web server denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Xitami Web server 2.4d7, Xitami Web server 2.5b4
Vulnerability: xitami-server-dos
X-Force URL: http://xforce.iss.net/static/6389.php
Date Reported: 04/17/2001
Brief Description: Samba tmpfile symlink attack could allow
elevated privileges
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: Trustix Secure Linux 1.2, Mandrake Linux 8.0,
Progeny Linux, Caldera OpenLinux eBuilder,
Trustix Secure Linux 1.01, Mandrake Linux
Corporate Server 1.0.1, FreeBSD 4.2, Immunix
Linux 7.0, Immunix Linux 6.2, Immunix Linux 7.0
Beta, Caldera OpenLinux eServer 2.3.1, Caldera
OpenLinux eDesktop 2.4, FreeBSD 3.5.1
Vulnerability: samba-tmpfile-symlink
X-Force URL: http://xforce.iss.net/static/6396.php
Date Reported: 04/17/2001
Brief Description: GoAhead WebServer "aux" denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: GoAhead Web Server 2.1, Windows 98, Windows ME
Vulnerability: goahead-aux-dos
X-Force URL: http://xforce.iss.net/static/6400.php
Date Reported: 04/17/2001
Brief Description: AnalogX SimpleServer:WWW "aux" denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: SimpleServer:WWW 1.03 to 1.08
Vulnerability: analogx-simpleserver-aux-dos
X-Force URL: http://xforce.iss.net/static/6395.php
Date Reported: 04/17/2001
Brief Description: Viking Server hexadecimal URL encoded format
directory traversal
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Viking Server prior to 1.07-381
Vulnerability: viking-hex-directory-traversal
X-Force URL: http://xforce.iss.net/static/6394.php
Date Reported: 04/17/2001
Brief Description: Solaris FTP server allows attacker to recover
shadow file
Risk Factor: Medium
Attack Type: Host Based
Platforms Affected: Solaris 2.6
Vulnerability: solaris-ftp-shadow-recovery
X-Force URL: http://xforce.iss.net/static/6422.php
Date Reported: 04/18/2001
Brief Description: The Bat! pop3 denial of service
Risk Factor: High
Attack Type: Network Based
Platforms Affected: The Bat! 1.51, Windows
Vulnerability: thebat-pop3-dos
X-Force URL: http://xforce.iss.net/static/6423.php
Date Reported: 04/18/2001
Brief Description: Eudora allows attacker to obtain files using
plain text attachments
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Eudora 5.0.2
Vulnerability: eudora-plain-text-attachment
X-Force URL: http://xforce.iss.net/static/6431.php
Date Reported: 04/18/2001
Brief Description: VMware vmware-mount.pl symlink
Risk Factor: Medium
Attack Type: Host Based
Platforms Affected: VMware
Vulnerability: vmware-mount-symlink
X-Force URL: http://xforce.iss.net/static/6420.php
Date Reported: 04/18/2001
Brief Description: KFM tmpfile symbolic link could allow local
attackers to overwrite files
Risk Factor: Medium
Attack Type: Host Based
Platforms Affected: SuSE Linux 7.0, K File Manager (KFM)
Vulnerability: kfm-tmpfile-symlink
X-Force URL: http://xforce.iss.net/static/6428.php
Date Reported: 04/18/2001
Brief Description: CyberScheduler timezone remote buffer overflow
Risk Factor: Low
Attack Type: Network Based
Platforms Affected: CyberScheduler, Mandrake Linux, Windows 2000,
IIS 5.0, Solaris 8, SuSE Linux, Solaris 7,
Slackware Linux, Red Hat Linux, IIS 4.0, Debian
Linux, Solaris 2.5, Solaris 2.6, Caldera
OpenLinux, Windows NT
Vulnerability: cyberscheduler-timezone-bo
X-Force URL: http://xforce.iss.net/static/6401.php
Date Reported: 04/18/2001
Brief Description: Microsoft Data Access Component Internet
Publishing Provider allows WebDAV access
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Microsoft Data Access Component 8.103.2519.0,
Windows 95, Windows NT 4.0, Windows 98, Windows
98 Second Edition, Windows 2000, Windows ME
Vulnerability: ms-dacipp-webdav-access
X-Force URL: http://xforce.iss.net/static/6405.php
Date Reported: 04/18/2001
Brief Description: Oracle tnslsnr80.exe denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Oracle 8.x, Windows NT 4.0 SP6, Solaris 8
Vulnerability: oracle-tnslsnr80-dos
X-Force URL: http://xforce.iss.net/static/6427.php
Date Reported: 04/18/2001
Brief Description: innfeed -c flag buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: Red Hat Linux, Slackware Linux, Mandrake Linux,
INN prior to 2.3.1
Vulnerability: innfeed-c-bo
X-Force URL: http://xforce.iss.net/static/6398.php
Date Reported: 04/18/2001
Brief Description: iPlanet Calendar Server stores username and
password in plaintext
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: iPlanet Calendar Server 5.0p2
Vulnerability: iplanet-calendar-plaintext-password
X-Force URL: http://xforce.iss.net/static/6402.php
Date Reported: 04/18/2001
Brief Description: Linux NEdit symlink when printing
Risk Factor: High
Attack Type: Host Based
Platforms Affected: SuSE Linux 6.3, SuSE Linux 6.4, Debian Linux
2.2, Mandrake Linux 7.1, Mandrake Linux 7.2,
SuSE Linux 7.0, Mandrake Linux Corporate Server
1.0.1, SuSE Linux 7.1, Mandrake Linux 8.0
Vulnerability: nedit-print-symlink
X-Force URL: http://xforce.iss.net/static/6424.php
Date Reported: 04/19/2001
Brief Description: CheckBO TCP buffer overflow
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: CheckBO 1.56 and earlier
Vulnerability: checkbo-tcp-bo
X-Force URL: http://xforce.iss.net/static/6436.php
Date Reported: 04/19/2001
Brief Description: HP-UX pcltotiff uses insecure permissions
Risk Factor: Medium
Attack Type: Host Based
Platforms Affected: HP-UX 10.01, HP-UX 10.10, HP-UX 10.20,
HP-UX 10.26
Vulnerability: hp-pcltotiff-insecure-permissions
X-Force URL: http://xforce.iss.net/static/6447.php
Date Reported: 04/19/2001
Brief Description: Netopia Timbuktu allows unauthorized system
access
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: Timbuktu Pro, Macintosh OS X
Vulnerability: netopia-timbuktu-gain-access
X-Force URL: http://xforce.iss.net/static/6452.php
Date Reported: 04/20/2001
Brief Description: Cisco CBOS could allow attackers to gain
privileged information
Risk Factor: High
Attack Type: Host Based / Network Based
Platforms Affected: Cisco CBOS 2.4.1, Cisco CBOS 2.3.053
Vulnerability: cisco-cbos-gain-information
X-Force URL: http://xforce.iss.net/static/6453.php
Date Reported: 04/20/2001
Brief Description: Internet Explorer 5.x allows active scripts
using XML stylesheets
Risk Factor: Low
Attack Type: Host Based / Network Based
Platforms Affected: Internet Explorer 5.x, Outlook Express 5.x
Vulnerability: ie-xml-stylesheets-scripting
X-Force URL: http://xforce.iss.net/static/6448.php
Date Reported: 04/20/2001
Brief Description: Linux gftp format string
Risk Factor: Low
Attack Type: Network Based
Platforms Affected: gftp prior to 2.0.8, Mandrake Linux 8.0,
Mandrake Linux Corporate Server 1.0.1, Immunix
Linux 7.0, Red Hat Linux 7.1, Mandrake Linux
7.2, Immunix Linux 6.2, Immunix 7.0 beta,
Red Hat Linux 6.2, Mandrake Linux 7.1, Red Hat
Linux 7.0
Vulnerability: gftp-format-string
X-Force URL: http://xforce.iss.net/static/6478.php
Date Reported: 04/20/2001
Brief Description: Novell BorderManager VPN client SYN requests
denial of service
Risk Factor: Medium
Attack Type: Host Based / Network Based
Platforms Affected: Novell BorderManager 3.5
Vulnerability: bordermanager-vpn-syn-dos
X-Force URL: http://xforce.iss.net/static/6429.php
Date Reported: 04/20/2001
Brief Description: SAFT sendfiled could allow the execution of
arbitrary code
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: Debian Linux 2.2, Progeny Linux, sendfile
Vulnerability: saft-sendfiled-execute-code
X-Force URL: http://xforce.iss.net/static/6430.php
Date Reported: 04/21/2001
Brief Description: Mercury MTA for Novell Netware buffer overflow
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Mercury MTA 1.47 and earlier, Novell NetWare
Vulnerability: mercury-mta-bo
X-Force URL: http://xforce.iss.net/static/6444.php
Date Reported: 04/21/2001
Brief Description: QNX allows attacker to read files on FAT
partition
Risk Factor: High
Attack Type: Host Based / Network Based
Platforms Affected: QNX 2.4
Vulnerability: qnx-fat-file-read
X-Force URL: http://xforce.iss.net/static/6437.php
Date Reported: 04/23/2001
Brief Description: Viking Server "dot dot" (\...\) directory
traversal
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Viking Server 1.0.7
Vulnerability: viking-dot-directory-traversal
X-Force URL: http://xforce.iss.net/static/6450.php
Date Reported: 04/24/2001
Brief Description: NetCruiser Web Server could reveal directory
path
Risk Factor: High
Attack Type: Network Based
Platforms Affected: NetCruiser Web Server 0.1.2.8
Vulnerability: netcruiser-server-path-disclosure
X-Force URL: http://xforce.iss.net/static/6468.php
Date Reported: 04/24/2001
Brief Description: Perl Web Server directory traversal
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Perl Web Server 0.3 and prior
Vulnerability: perl-webserver-directory-traversal
X-Force URL: http://xforce.iss.net/static/6451.php
Date Reported: 04/24/2001
Brief Description: Small HTTP Server /aux denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Small HTTP Server 2.03
Vulnerability: small-http-aux-dos
X-Force URL: http://xforce.iss.net/static/6446.php
Date Reported: 04/24/2001
Brief Description: IPSwitch IMail SMTP daemon mailing list handler
buffer overflow
Risk Factor: Low
Attack Type: Network Based
Platforms Affected: IPSwitch Imail 6.06 and earlier
Vulnerability: ipswitch-imail-smtp-bo
X-Force URL: http://xforce.iss.net/static/6445.php
Date Reported: 04/25/2001
Brief Description: MIT Kerberos 5 could allow attacker to gain root
access by injecting base64-encoded data
Risk Factor: Low
Attack Type: Network Based
Platforms Affected: MIT Kerberos 5
Vulnerability: kerberos-inject-base64-encode
X-Force URL: http://xforce.iss.net/static/6454.php
Date Reported: 04/26/2001
Brief Description: IRIX netprint -n allows attacker to access
shared library
Risk Factor: Low
Attack Type: Host Based / Network Based
Platforms Affected: IRIX 6.x
Vulnerability: irix-netprint-shared-library
X-Force URL: http://xforce.iss.net/static/6473.php
Date Reported: 04/26/2001
Brief Description: WebXQ "dot dot" directory traversal
Risk Factor: High
Attack Type: Network Based
Platforms Affected: Windows, WebXQ 2.1.204
Vulnerability: webxq-dot-directory-traversal
X-Force URL: http://xforce.iss.net/static/6466.php
Date Reported: 04/26/2001
Brief Description: RaidenFTPD "dot dot" directory traversal
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Windows NT 4.0, Windows 2000, RaidenFTPD 2.1
Vulnerability: raidenftpd-dot-directory-traversal
X-Force URL: http://xforce.iss.net/static/6455.php
Date Reported: 04/27/2001
Brief Description: PerlCal CGI cal_make.pl script directory
traversal
Risk Factor: High
Attack Type: Network Based
Platforms Affected: Unix, PerlCal 2.95 and prior
Vulnerability: perlcal-calmake-directory-traversal
X-Force URL: http://xforce.iss.net/static/6480.php
Date Reported: 04/28/2001
Brief Description: ICQ Web Front plugin denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: ICQ Web Front, ICQ 2000b 3278 and earlier
Vulnerability: icq-webfront-dos
X-Force URL: http://xforce.iss.net/static/6474.php
Date Reported: 04/28/2001
Brief Description: Alex FTP Server "dot dot" directory traversal
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Alex's FTP Server 0.7
Vulnerability: alex-ftp-directory-traversal
X-Force URL: http://xforce.iss.net/static/6475.php
Date Reported: 04/28/2001
Brief Description: BRS WebWeaver FTP path disclosure
Risk Factor: High
Attack Type: Network Based
Platforms Affected: BRS WebWeaver 0.63
Vulnerability: webweaver-ftp-path-disclosure
X-Force URL: http://xforce.iss.net/static/6477.php
Date Reported: 04/28/2001
Brief Description: BRS WebWeaver Web server "dot dot" directory
traversal
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: BRS WebWeaver 0.63
Vulnerability: webweaver-web-directory-traversal
X-Force URL: http://xforce.iss.net/static/6476.php
Date Reported: 04/29/2001
Brief Description: Winamp AIP buffer overflow
Risk Factor: Low
Attack Type: Host Based / Network Based
Platforms Affected: Winamp 2.6x and 2.7x
Vulnerability: winamp-aip-bo
X-Force URL: http://xforce.iss.net/static/6479.php
Date Reported: 04/29/2001
Brief Description: BearShare "dot dot" allows remote attacker to traverse
directories and download any file
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: BearShare 2.2.2 and prior, Windows 95, Windows
98, Windows ME
Vulnerability: bearshare-dot-download-files
X-Force URL: http://xforce.iss.net/static/6481.php
Date Reported: 05/01/2001
Brief Description: IIS 5.0 ISAPI extension buffer overflow
Risk Factor: High
Attack Type: Network Based
Platforms Affected: IIS 5.0, Windows 2000 Server, Windows 2000
Advanced Server, Windows 2000 Datacenter Server
Vulnerability: iis-isapi-bo
X-Force URL: http://xforce.iss.net/static/6485.php
_____
Risk Factor Key:
High: Any vulnerability that provides an attacker with immediate access into a machine, gains superuser access, or bypasses a firewall. Example: A vulnerable Sendmail 8.6.5 version that allows an intruder to execute commands on mail server.
Medium: Any vulnerability that provides information that has a high potential of giving system access to an intruder. Example: A misconfigured TFTP or vulnerable NIS server that allows an intruder to get the password file that could contain an account with a guessable password.
Low: Any vulnerability that provides information that potentially could lead to a compromise. Example: A finger that allows an intruder to find out who is online and potential accounts to attempt to crack passwords via brute force methods.
________
About Internet Security Systems (ISS)
Internet Security Systems is a leading global provider of security
management solutions for the Internet, protecting digital assets and
ensuring safe and uninterrupted e-business. With its industry-leading
intrusion detection and vulnerability assessment software, remote managed
security services, and strategic consulting and education offerings, ISS
is a trusted security provider to more than 8,000 customers worldwide
including 21 of the 25 largest U.S. commercial banks and the top 10 U.S.
telecommunications companies. Founded in 1994, ISS is headquartered in
Atlanta, GA, with additional offices throughout North America and
international operations in Asia, Australia, Europe, Latin America and the
Middle East. For more information, visit the Internet Security Systems
web site at www.iss.net or call 888-901-7477.
Copyright (c) 2001 by Internet Security Systems, Inc.
Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express consent
of the X-Force. If you wish to reprint the whole or any part of this Alert
in any other medium excluding electronic medium, please e-mail
xforce@iss.net for permission.
Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.
X-Force PGP Key available at: http://xforce.iss.net/sensitive.php as
well as on MIT's PGP key server and PGP.com's key server.
Please send suggestions, updates, and comments to: X-Force xforce@iss.net
of Internet Security Systems, Inc.
VAR-200108-0113 | CVE-2001-0589 | NetScreen-10 and Netscreen-100 NetScreen ScreenOS Vulnerability |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
NetScreen ScreenOS prior to 2.5r6 on the NetScreen-10 and Netscreen-100 can allow a local attacker to bypass the DMZ 'denial' policy via specific traffic patterns. NetScreen is a line of internet security appliances integrating firewall, VPN and traffic management features.
Versions of ScreenOS, the built-in OS of two models in the NetScreen line (NetScreen-10 & -100), contain a flaw which may permit some packets, of a type which has been denied, to enter the DMZ.
As a result of this vulnerability, potentially malicious packets of a type which has been prohibited in the device's policy may, to a limited extent, reach the DMZ network.
Further details of this vulnerability were not made available. Versions prior to NetScreen ScreenOS 2.5r6 on NetScreen-10 and Netscreen-100 are vulnerable.
VAR-200106-0139 | CVE-2001-0483 | Raptor Firewall HTTP Request Proxying Vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Configuration error in Axent Raptor Firewall 6.5 allows remote attackers to use the firewall as a proxy to access internal web resources when the http.noproxy Rule is not set. Raptor Firewall is a product distributed and maintained by Axent Technologies, Inc. Raptor is an Enterprise-level firewall, providing a mixture of features and performance.
A problem in the software package could allow intruders access to private web resources. By using the nearest interface of the firewall as a proxy, it is possible to access a system connected to the other interface of the firewall within TCP ports 79-99, and 200-65535. The firewall will only permit connections to the other side on ports in this range, excluding port 80, and using HTTP. This affects firewall rules that permit HTTP traffic.
Therefore, it is possible for a malicious user to access internal web assets, and potentially gain access to sensitive information. Axent Raptor firewall version 6.5 has a misconfiguration.
VAR-200105-0093 | CVE-2001-0288 | Cisco Switch and router vulnerabilities |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Cisco switches and routers running IOS 12.1 and earlier produce predictable TCP Initial Sequence Numbers (ISNs), which allows remote attackers to spoof or hijack TCP connections. Over the past several years, a variety of attacks against TCP initial sequence number (ISN) generation have been discussed.
A vulnerability exists in some TCP/IP stack implementations that use random increments for initial sequence numbers. Such implementations are vulnerable to statistical attack, which could allow an attacker to predict, within a reasonable range, sequence numbers of future and existing connections.
By predicting a sequence number, several attacks could be performed; an attacker could disrupt or hijack existing connections, or spoof future connections.
VAR-200106-0189 | CVE-2001-0455 | Sun Solaris SNMP proxy agent /opt/SUNWssp/bin/snmpd contains buffer overflow |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Cisco Aironet 340 Series wireless bridge before 8.55 does not properly disable access to the web interface, which allows remote attackers to modify its configuration. The SNMP proxy agent on certain large Solaris systems contains a buffer overflow. It may be possible, though it is unconfirmed, that an intruder could use this flaw to execute code with root privileges. Solaris is the Unix Operating System variant distributed and maintained by Sun Microsystems. Solaris is a freely available operating system designed to run on systems of varying size with maximum scalability.
A problem with the SNMP Daemon included in the SUNWsspop package results in a buffer overflow, and potentially the execution of arbitrary code. Upon parsing the argv[0] variable from the command line, this information is stored in a static buffer. The static buffer is vulnerable to being overflowed at 700 bytes of data. This vulnerability is only present on systems acting as the System Service Processor for an E10000, or on any system with the SUNWsspop package installed. A remote attacker could exploit this vulnerability to modify the configuration.
Internet Security Systems Security Alert Summary
April 5, 2001
Volume 6 Number 5
X-Force Vulnerability and Threat Database: http://xforce.iss.net/
To receive these Alert Summaries as well as other Alerts and Advisories,
subscribe to the Internet Security Systems Alert mailing list at:
http://xforce.iss.net/maillists/index.php
This summary can be found at http://xforce.iss.net/alerts/vol-6_num-5.php
_____
Contents:
* 80 Reported Vulnerabilities
* Risk Factor Key
_____
Date Reported: 03/01/2001
Brief Description: Palm OS Debug Mode allows attacker to bypass password
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: Palm OS 3.5.2, Palm OS 3.3
Vulnerability: palm-debug-bypass-password
X-Force URL: http://xforce.iss.net/static/6196.php
Date Reported: 03/01/2001
Brief Description: Microsoft Exchange malformed URL request could cause a
denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Microsoft Exchange 2000
Vulnerability: exchange-malformed-url-dos
X-Force URL: http://xforce.iss.net/static/6172.php
Date Reported: 03/02/2001
Brief Description: Mailx buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: OpenLinux 2.4, OpenLinux 2.3, Linux Debian 2.2
Vulnerability: mailx-bo
X-Force URL: http://xforce.iss.net/static/6181.php
Date Reported: 03/02/2001
Brief Description: SunFTP allows attackers to gain unauthorized file access
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: SunFTP 1.0 Build 9
Vulnerability: sunftp-gain-access
X-Force URL: http://xforce.iss.net/static/6195.php
Date Reported: 03/02/2001
Brief Description: WinZip /zipandemail option buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: Windows 2000 All versions, Winzip 8.0, Windows NT All
versions
Vulnerability: winzip-zipandemail-bo
X-Force URL: http://xforce.iss.net/static/6191.php
Date Reported: 03/04/2001
Brief Description: Broker FTP Server allows remote attacker to delete files
outside the FTP root
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Broker FTP Server All versions
Vulnerability: broker-ftp-delete-files
X-Force URL: http://xforce.iss.net/static/6190.php
Date Reported: 03/04/2001
Brief Description: Broker FTP allows remote user to list directories outside
the FTP root
Risk Factor: High
Attack Type: Network Based
Platforms Affected: Broker FTP Server All versions
Vulnerability: broker-ftp-list-directories
X-Force URL: http://xforce.iss.net/static/6189.php
Date Reported: 03/04/2001
Brief Description: INDEXU allows attackers to gain unauthorized system access
Risk Factor: Low
Attack Type: Host Based / Network Based
Platforms Affected: INDEXU 2.0beta and earlier
Vulnerability: indexu-gain-access
X-Force URL: http://xforce.iss.net/static/6202.php
Date Reported: 03/04/2001
Brief Description: Fastream FTP++ Client allows user to download files outside
of Web root directory
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Fastream FTP++ Server 2.0
Vulnerability: fastream-ftp-directory-traversal
X-Force URL: http://xforce.iss.net/static/6187.php
Date Reported: 03/04/2001
Brief Description: SlimServe HTTPd directory traversal
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: SlimServe HTTPd 1.1 and earlier
Vulnerability: slimserve-httpd-directory-traversal
X-Force URL: http://xforce.iss.net/static/6186.php
Date Reported: 03/04/2001
Brief Description: WFTPD Pro buffer overflow
Risk Factor: Low
Attack Type: Network Based
Platforms Affected: WFTPD Pro 3.00
Vulnerability: wftpd-pro-bo
X-Force URL: http://xforce.iss.net/static/6184.php
Date Reported: 03/05/2001
Brief Description: IRCd tkserv buffer overflow
Risk Factor: Low
Attack Type: Network Based
Platforms Affected: IRCd All versions, tkserv 1.3.0 and earlier
Vulnerability: irc-tkserv-bo
X-Force URL: http://xforce.iss.net/static/6193.php
Date Reported: 03/06/2001
Brief Description: War FTPD could allow attackers to list directories outside
the FTP root
Risk Factor: High
Attack Type: Network Based
Platforms Affected: WarFTPD 1.67b4
Vulnerability: warftp-directory-traversal
X-Force URL: http://xforce.iss.net/static/6197.php
Date Reported: 03/06/2001
Brief Description: Internet Explorer could allow execution of commands when
used with Telnet
Risk Factor: Low
Attack Type: Host Based / Network Based
Platforms Affected: Internet Explorer 5.5, Services for Unix 2.0, Windows NT All
versions, Windows 2000 All versions, Internet Explorer 5.01
Vulnerability: ie-telnet-execute-commands
X-Force URL: http://xforce.iss.net/static/6230.php
Date Reported: 03/07/2001
Brief Description: Cisco Aironet Web access allows remote attacker to
view/modify configuration
Risk Factor: Low
Attack Type: Network Based
Platforms Affected: Aironet 340 Series Wireless Bridge Firmware 8.07, Aironet
340 Series Wireless Bridge Firmware 8.24, Aironet 340 Series
Wireless Bridge Firmware 7.x
Vulnerability: cisco-aironet-web-access
X-Force URL: http://xforce.iss.net/static/6200.php
Date Reported: 03/07/2001
Brief Description: Netscape Directory Server buffer overflow
Risk Factor: Low
Attack Type: Network Based
Platforms Affected: Netscape Directory Server 4.1, Netscape Directory Server
4.12, Windows NT All versions
Vulnerability: netscape-directory-server-bo
X-Force URL: http://xforce.iss.net/static/6233.php
Date Reported: 03/07/2001
Brief Description: Proftpd contains configuration error in postinst script when
running as root
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: Linux Debian 2.2
Vulnerability: proftpd-postinst-root
X-Force URL: http://xforce.iss.net/static/6208.php
Date Reported: 03/07/2001
Brief Description: proftpd /var symlink
Risk Factor: Medium
Attack Type: Host Based
Platforms Affected: Linux Debian 2.2
Vulnerability: proftpd-var-symlink
X-Force URL: http://xforce.iss.net/static/6209.php
Date Reported: 03/07/2001
Brief Description: man2html remote denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: man2html prior to 1.5.23
Vulnerability: man2html-remote-dos
X-Force URL: http://xforce.iss.net/static/6211.php
Date Reported: 03/07/2001
Brief Description: Linux ePerl buffer overflow
Risk Factor: Medium
Attack Type: Host Based / Network Based
Platforms Affected: Linux Mandrake 7.2, Linux Mandrake Corporate Server 1.0.1,
ePerl prior to 2.2.14, Linux Debian 2.2, Linux Mandrake 7.1
Vulnerability: linux-eperl-bo
X-Force URL: http://xforce.iss.net/static/6198.php
Date Reported: 03/08/2001
Brief Description: Novell NetWare could allow attackers to gain unauthorized
access
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Novell NetWare 4.01, Novell NetWare 5.1, Novell NetWare 3.1,
Novell NetWare 4.11, Novell NetWare 5.0
Vulnerability: novell-netware-unauthorized-access
X-Force URL: http://xforce.iss.net/static/6215.php
Date Reported: 03/08/2001
Brief Description: Linux sgml-tools symlink attack
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: Linux Mandrake Corporate Server 1.0.1, sgml-tools prior to
1.0.9-15, Linux Mandrake 7.2, Linux Immunix OS 6.2, Linux
Immunix OS 7.0 Beta, Linux Mandrake 6.0, Linux Mandrake 6.1,
Linux Red Hat 7.0, Linux Red Hat 6.2, Linux Debian 2.2,
Linux Mandrake 7.1, Linux Red Hat 5.2
Vulnerability: sgmltools-symlink
X-Force URL: http://xforce.iss.net/static/6201.php
Date Reported: 03/08/2001
Brief Description: HP-UX asecure denial of service
Risk Factor: Medium
Attack Type: Host Based
Platforms Affected: HP-UX 10.10, HP-UX 10.20, HP-UX 11, HP-UX 10.01
Vulnerability: hp-asecure-dos
X-Force URL: http://xforce.iss.net/static/6212.php
Date Reported: 03/08/2001
Brief Description: ascdc Afterstep buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: ascdc 0.3
Vulnerability: ascdc-afterstep-bo
X-Force URL: http://xforce.iss.net/static/6204.php
Date Reported: 03/08/2001
Brief Description: Microsoft IIS WebDAV denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: IIS 5.0
Vulnerability: iis-webdav-dos
X-Force URL: http://xforce.iss.net/static/6205.php
Date Reported: 03/08/2001
Brief Description: WEBsweeper HTTP request denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: WEBsweeper 4.0, Windows NT All versions
Vulnerability: websweeper-http-dos
X-Force URL: http://xforce.iss.net/static/6214.php
Date Reported: 03/09/2001
Brief Description: FOLDOC allows remote attackers to execute commands
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: FOLDOC All versions
Vulnerability: foldoc-cgi-execute-commands
X-Force URL: http://xforce.iss.net/static/6217.php
Date Reported: 03/09/2001
Brief Description: slrn newsreader wrapping/unwrapping buffer overflow
Risk Factor: Low
Attack Type: Network Based
Platforms Affected: Linux Immunix OS 7.0 Beta, Linux Debian 2.2, Linux Red Hat
7.0, Linux Immunix OS 6.2, Linux Red Hat 6.0, Linux Red Hat
6.1, Linux Red Hat 6.2
Vulnerability: slrn-wrapping-bo
X-Force URL: http://xforce.iss.net/static/6213.php
Date Reported: 03/09/2001
Brief Description: Linux mutt package contains format string when using IMAP
Risk Factor: Low
Attack Type: Host Based / Network Based
Platforms Affected: Linux Mandrake 7.2, Linux Mandrake Corporate Server 1.0.1,
Linux Mandrake 6.0, Linux Mandrake 6.1, Linux Red Hat 7.0,
Linux Mandrake 7.0, Linux Mandrake 7.1, Linux Conectiva,
Linux Red Hat 6.0, Linux Red Hat 6.1, Linux Red Hat 6.2,
Linux Red Hat 5.2
Vulnerability: mutt-imap-format-string
X-Force URL: http://xforce.iss.net/static/6235.php
Date Reported: 03/10/2001
Brief Description: FormMail could be used to flood servers with anonymous email
Risk Factor: High
Attack Type: Network Based
Platforms Affected: FormMail 1.0 to 1.6, Linux All versions
Vulnerability: formmail-anonymous-flooding
X-Force URL: http://xforce.iss.net/static/6242.php
Date Reported: 03/11/2001
Brief Description: Half-Life Server config file buffer overflow
Risk Factor: Low
Attack Type: Host Based / Network Based
Platforms Affected: Half-Life Dedicated Server All versions
Vulnerability: halflife-config-file-bo
X-Force URL: http://xforce.iss.net/static/6221.php
Date Reported: 03/11/2001
Brief Description: Half-Life Server exec command buffer overflow
Risk Factor: Low
Attack Type: Host Based / Network Based
Platforms Affected: Half-Life Dedicated Server All versions
Vulnerability: halflife-exec-bo
X-Force URL: http://xforce.iss.net/static/6219.php
Date Reported: 03/11/2001
Brief Description: Half-Life Server map command buffer overflow
Risk Factor: Low
Attack Type: Network Based
Platforms Affected: Half-Life Dedicated Server All versions
Vulnerability: halflife-map-bo
X-Force URL: http://xforce.iss.net/static/6218.php
Date Reported: 03/11/2001
Brief Description: Half-Life Server 'map' command format string
Risk Factor: Low
Attack Type: Host Based / Network Based
Platforms Affected: Half-Life Dedicated Server All versions
Vulnerability: halflife-map-format-string
X-Force URL: http://xforce.iss.net/static/6220.php
Date Reported: 03/11/2001
Brief Description: Ikonboard allows remote attackers to read files
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Ikonboard 2.1.7b and earlier
Vulnerability: ikonboard-cgi-read-files
X-Force URL: http://xforce.iss.net/static/6216.php
Date Reported: 03/12/2001
Brief Description: timed daemon remote denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Linux SuSE 7.1, Linux Mandrake 7.2, Linux SuSE 7.0, Linux
Mandrake Corporate Server 1.0.1, Linux Mandrake 6.0, Linux
Mandrake 6.1, FreeBSD 4.x, Linux Mandrake 7.0, Linux SuSE
6.1, Linux Mandrake 7.1, FreeBSD 3.x, Linux SuSE 6.3, Linux
SuSE 6.4, Linux SuSE 6.2
Vulnerability: timed-remote-dos
X-Force URL: http://xforce.iss.net/static/6228.php
Date Reported: 03/12/2001
Brief Description: imap, ipop2d and ipop3d buffer overflows
Risk Factor: Low
Attack Type: Network Based
Platforms Affected: OpenLinux eServer 2.3.1, OpenLinux eBuilder for ECential
3.0, OpenLinux eDesktop 2.4, OpenLinux 2.3, Linux SuSE 6.1,
Linux Conectiva
Vulnerability: imap-ipop2d-ipop3d-bo
X-Force URL: http://xforce.iss.net/static/6269.php
Date Reported: 03/12/2001
Brief Description: rwhod remote denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: FreeBSD 3.x, FreeBSD 4.x, Unix All versions
Vulnerability: rwhod-remote-dos
X-Force URL: http://xforce.iss.net/static/6229.php
Date Reported: 03/13/2001
Brief Description: SunOS snmpd argv[0] buffer overflow
Risk Factor: Medium
Attack Type: Host Based / Network Based
Platforms Affected: SunOS 5.8
Vulnerability: snmpd-argv-bo
X-Force URL: http://xforce.iss.net/static/6239.php
Date Reported: 03/13/2001
Brief Description: Mesa utah-glx symbolic link
Risk Factor: Medium
Attack Type: Host Based
Platforms Affected: Mesa prior to 3.3-14, Linux Mandrake 7.2
Vulnerability: mesa-utahglx-symlink
X-Force URL: http://xforce.iss.net/static/6231.php
Date Reported: 03/14/2001
Brief Description: Linux FTPfs buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: Linux 2.2.x, FTPfs 0.1.1
Vulnerability: ftpfs-bo
X-Force URL: http://xforce.iss.net/static/6234.php
Date Reported: 03/15/2001
Brief Description: Solaris snmpXdmid malformed DMI request buffer overflow
Risk Factor: Low
Attack Type: Host Based / Network Based
Platforms Affected: Solaris 7, Solaris 8, Solaris 2.6
Vulnerability: solaris-snmpxdmid-bo
X-Force URL: http://xforce.iss.net/static/6245.php
Date Reported: 03/15/2001
Brief Description: vBulletin PHP Web forum allows attackers to gain elevated
privileges
Risk Factor: Low
Attack Type: Network Based
Platforms Affected: vBulletin 1.1.5 and earlier, vBulletin 2.0beta2 and earlier,
Windows All versions, Unix All versions
Vulnerability: vbulletin-php-elevate-privileges
X-Force URL: http://xforce.iss.net/static/6237.php
Date Reported: 03/15/2001
Brief Description: MDaemon WorldClient Web services denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Windows NT All versions, Windows 2000 All versions, Mdaemon
3.5.6
Vulnerability: mdaemon-webservices-dos
X-Force URL: http://xforce.iss.net/static/6240.php
Date Reported: 03/16/2001
Brief Description: SSH ssheloop.c denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: SSH for Windows Server 2.4, SSH for Windows Server 2.5,
Windows All versions
Vulnerability: ssh-ssheloop-dos
X-Force URL: http://xforce.iss.net/static/6241.php
Date Reported: 03/18/2001
Brief Description: Eudora HTML emails could allow remote execution of code
Risk Factor: Low
Attack Type: Network Based
Platforms Affected: Windows All versions, Eudora 5.0.2
Vulnerability: eudora-html-execute-code
X-Force URL: http://xforce.iss.net/static/6262.php
Date Reported: 03/19/2001
Brief Description: ASPSeek s.cgi buffer overflow
Risk Factor: Low
Attack Type: Host Based / Network Based
Platforms Affected: Linux All versions, ASPSeek 1.0.3 and earlier
Vulnerability: aspseek-scgi-bo
X-Force URL: http://xforce.iss.net/static/6248.php
Date Reported: 03/20/2001
Brief Description: HSLCTF HTTP denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: AIX All versions, Unix All versions, HSLCTF 1.0
Vulnerability: hslctf-http-dos
X-Force URL: http://xforce.iss.net/static/6250.php
Date Reported: 03/20/2001
Brief Description: LICQ received URL execute commands
Risk Factor: Low
Attack Type: Network Based
Platforms Affected: Linux Mandrake Corporate Server 1.0.1, LICQ All, Linux
Mandrake 7.1, Linux Red Hat 7.0, Linux Mandrake 7.2
Vulnerability: licq-url-execute-commands
X-Force URL: http://xforce.iss.net/static/6261.php
Date Reported: 03/20/2001
Brief Description: SurfControl SuperScout allows user to bypass filtering rules
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: SurfControl SuperScout 3.0.2 and prior, Windows NT 4.0,
Windows 2000 All versions
Vulnerability: superscout-bypass-filtering
X-Force URL: http://xforce.iss.net/static/6300.php
Date Reported: 03/20/2001
Brief Description: DGUX lpsched buffer overflow
Risk Factor: Low
Attack Type: Host Based / Network Based
Platforms Affected: DG/UX All versions
Vulnerability: dgux-lpsched-bo
X-Force URL: http://xforce.iss.net/static/6258.php
Date Reported: 03/20/2001
Brief Description: REDIPlus stock trading software stores passwords in
plaintext
Risk Factor: Medium
Attack Type: Host Based
Platforms Affected: REDIPlus 1.0, Windows All versions
Vulnerability: rediplus-weak-security
X-Force URL: http://xforce.iss.net/static/6276.php
Date Reported: 03/20/2001
Brief Description: FCheck open() function allows the execution of commands
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: SCO All versions, FCheck prior to 2.07.59, SunOS All
versions, Windows All versions, Unix All versions, HP-UX All
versions, Linux All versions, Solaris All versions, AIX All
versions, BSD All versions
Vulnerability: fcheck-open-execute-commands
X-Force URL: http://xforce.iss.net/static/6256.php
Date Reported: 03/20/2001
Brief Description: NTMail long URL denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Windows 2000 All versions, NTMail 6, Windows NT 4.0
Vulnerability: ntmail-long-url-dos
X-Force URL: http://xforce.iss.net/static/6249.php
Date Reported: 03/21/2001
Brief Description: VIM text editor allows attackers to gain elevated privileges
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: VIM All versions, Linux Red Hat 5.2, Linux Red Hat 6.2,
Linux Red Hat 7.0
Vulnerability: vim-elevate-privileges
X-Force URL: http://xforce.iss.net/static/6259.php
Date Reported: 03/22/2001
Brief Description: FreeBSD UFS/EXT2FS could allow disclosure of deleted data
Risk Factor: Medium
Attack Type: Host Based
Platforms Affected: UFS All versions, EXT2FS All versions, FreeBSD All versions
Vulnerability: ufs-ext2fs-data-disclosure
X-Force URL: http://xforce.iss.net/static/6268.php
Date Reported: 03/22/2001
Brief Description: Microsoft invalid digital certificates could be used for
spoofing
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: Windows ME All versions, Windows 95 All versions, Windows 98
All versions, Windows 2000 All versions, Windows NT All
versions
Vulnerability: microsoft-invalid-digital-certificates
X-Force URL: http://xforce.iss.net/static/6265.php
Date Reported: 03/23/2001
Brief Description: Akopia Interchange could allow attacker to gain
administrative access
Risk Factor: Low
Attack Type: Network Based
Platforms Affected: Akopia Interchange 4.5.3 and 4.6.3
Vulnerability: akopia-interchange-gain-access
X-Force URL: http://xforce.iss.net/static/6273.php
Date Reported: 03/23/2001
Brief Description: Solaris /opt/JSParm/bin/perfmon allows user to create files
with root privileges
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: Solaris 2.x
Vulnerability: solaris-perfmon-create-files
X-Force URL: http://xforce.iss.net/static/6267.php
Date Reported: 03/23/2001
Brief Description: Windows user.dmp file insecure permissions
Risk Factor: Medium
Attack Type: Host Based
Platforms Affected: Windows NT All versions, Windows 2000 All versions
Vulnerability: win-userdmp-insecure-permission
X-Force URL: http://xforce.iss.net/static/6275.php
Date Reported: 03/23/2001
Brief Description: Compaq Web-enabled management software could allow users to
bypass proxy settings
Risk Factor: Low
Attack Type: Host Based / Network Based
Platforms Affected: Compaq Web-Enabled Management All versions
Vulnerability: compaq-wbm-bypass-proxy
X-Force URL: http://xforce.iss.net/static/6264.php
Date Reported: 03/25/2001
Brief Description: MDaemon IMAP SELECT and EXAMINE command denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Windows All versions, MDaemon 3.5.6
Vulnerability: mdaemon-imap-command-dos
X-Force URL: http://xforce.iss.net/static/6279.php
Date Reported: 03/25/2001
Brief Description: HP-UX 11.11 newgrp(1) command allows users to gain additional privileges
Risk Factor: High
Attack Type: Host Based
Platforms Affected: HP-UX 11.11
Vulnerability: hp-newgrp-additional-privileges
X-Force URL: http://xforce.iss.net/static/6282.php
Date Reported: 03/26/2001
Brief Description: 602Pro LAN SUITE webprox.dll denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Windows All versions, 602Pro LAN SUITE 2000a All versions
Vulnerability: lan-suite-webprox-dos
X-Force URL: http://xforce.iss.net/static/6281.php
Date Reported: 03/26/2001
Brief Description: BEA WebLogic Server could allow attackers to browse Web
directories
Risk Factor: High
Attack Type: Network Based
Platforms Affected: WebLogic Server 6.0, Windows All versions
Vulnerability: weblogic-browse-directories
X-Force URL: http://xforce.iss.net/static/6283.php
Date Reported: 03/27/2001
Brief Description: Solaris tip buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: Solaris 8, Solaris 2.5.1, Solaris 2.6, Solaris 7
Vulnerability: solaris-tip-bo
X-Force URL: http://xforce.iss.net/static/6284.php
Date Reported: 03/27/2001
Brief Description: SonicWALL IKE pre-shared key is 48 bytes instead of 128
bytes
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: SonicWALL TELE2 6.0.0, SonicWALL SOHO2 6.0.0
Vulnerability: sonicwall-ike-shared-keys
X-Force URL: http://xforce.iss.net/static/6304.php
Date Reported: 03/27/2001
Brief Description: Anaconda Foundation Clipper directory traversal
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Anaconda Foundation Clipper 3.3
Vulnerability: anaconda-clipper-directory-traversal
X-Force URL: http://xforce.iss.net/static/6286.php
Date Reported: 03/27/2001
Brief Description: Microsoft Visual Studio VB-TSQL buffer overflow
Risk Factor: Low
Attack Type: Network Based
Platforms Affected: Windows 2000 All versions, Microsoft Visual Studio 6.0
Enterprise Ed., Windows NT All versions
Vulnerability: visual-studio-vbtsql-bo
X-Force URL: http://xforce.iss.net/static/6288.php
Date Reported: 03/27/2001
Brief Description: SCO OpenServer deliver buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: SCO OpenServer 5.0.6
Vulnerability: sco-openserver-deliver-bo
X-Force URL: http://xforce.iss.net/static/6302.php
Date Reported: 03/27/2001
Brief Description: SCO OpenServer lpadmin buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: SCO OpenServer 5.0.6
Vulnerability: sco-openserver-lpadmin-bo
X-Force URL: http://xforce.iss.net/static/6291.php
Date Reported: 03/27/2001
Brief Description: SCO OpenServer lpforms buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: SCO OpenServer 5.0.6
Vulnerability: sco-openserver-lpforms-bo
X-Force URL: http://xforce.iss.net/static/6293.php
Date Reported: 03/27/2001
Brief Description: SCO OpenServer lpshut buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: SCO OpenServer 5.0.6
Vulnerability: sco-openserver-lpshut-bo
X-Force URL: http://xforce.iss.net/static/6290.php
Date Reported: 03/27/2001
Brief Description: SCO OpenServer lpusers buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: SCO OpenServer 5.0.6
Vulnerability: sco-openserver-lpusers-bo
X-Force URL: http://xforce.iss.net/static/6292.php
Date Reported: 03/27/2001
Brief Description: SCO OpenServer recon buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: SCO OpenServer 5.0.6
Vulnerability: sco-openserver-recon-bo
X-Force URL: http://xforce.iss.net/static/6289.php
Date Reported: 03/27/2001
Brief Description: SCO OpenServer sendmail buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: SCO OpenServer 5.0.6
Vulnerability: sco-openserver-sendmail-bo
X-Force URL: http://xforce.iss.net/static/6303.php
Date Reported: 03/28/2001
Brief Description: Inframail POST command denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Windows All versions, Inframail 3.97a and earlier, Linux All
versions
Vulnerability: inframail-post-dos
X-Force URL: http://xforce.iss.net/static/6297.php
Date Reported: 03/28/2001
Brief Description: Cisco VPN 3000 Concentrators Telnet denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Cisco VPN 3000 Concentrators prior to 3.0.00
Vulnerability: cisco-vpn-telnet-dos
X-Force URL: http://xforce.iss.net/static/6298.php
Date Reported: 03/28/2001
Brief Description: WebSite Professional remote manager service denial of
service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: O'Reilly WebSite Pro 3.0.37
Vulnerability: website-pro-remote-dos
X-Force URL: http://xforce.iss.net/static/6295.php
Date Reported: 03/28/2001
Brief Description: Windows Me and Plus! 98 could allow the recovery of
Compressed Folder passwords
Risk Factor: Medium
Attack Type: Host Based
Platforms Affected: Windows 98 All versions, Windows 98 Second Edition, Windows
ME All versions
Vulnerability: win-compressed-password-recovery
X-Force URL: http://xforce.iss.net/static/6294.php
_____
Risk Factor Key:
High: Any vulnerability that provides an attacker with immediate access into a machine, gains superuser access, or bypasses a firewall. Example: A vulnerable Sendmail 8.6.5 version that allows an intruder to execute commands on mail server.
Medium: Any vulnerability that provides information that has a high potential of giving system access to an intruder. Example: A misconfigured TFTP or vulnerable NIS server that allows an intruder to get the password file that could contain an account with a guessable password.
Low: Any vulnerability that provides information that potentially could lead to a compromise. Example: A finger that allows an intruder to find out who is online and potential accounts to attempt to crack passwords via brute force methods.
________
Internet Security Systems is the leading global provider of security
management solutions for the Internet, protecting digital assets and
ensuring safe and uninterrupted e-business. With its industry-leading
intrusion detection and vulnerability assessment, remote managed security
services, and strategic consulting and education offerings, ISS is a
trusted security provider to more than 8,000 customers worldwide including
21 of the 25 largest U.S. commercial banks and the top 10 U.S.
telecommunications companies. Founded in 1994, ISS is headquartered in
Atlanta, GA, with additional offices throughout North America and
international operations in Asia, Australia, Europe, Latin America and the
Middle East. For more information, visit the Internet Security Systems web
site at www.iss.net or call 888-901-7477.
Copyright (c) 2001 by Internet Security Systems, Inc.
Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express consent
of the X-Force. If you wish to reprint the whole or any part of this Alert
in any other medium excluding electronic medium, please e-mail
xforce@iss.net for permission.
Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.
X-Force PGP Key available at: http://xforce.iss.net/sensitive.php as
well as on MIT's PGP key server and PGP.com's key server.
Please send suggestions, updates, and comments to: X-Force xforce@iss.net
of Internet Security Systems, Inc.
VAR-200106-0176 | CVE-2001-0427 | Sun Solaris SNMP proxy agent /opt/SUNWssp/bin/snmpd contains buffer overflow |
CVSS V2: 7.1 CVSS V3: - Severity: HIGH |
Cisco VPN 3000 series concentrators before 2.5.2(F) allow remote attackers to cause a denial of service via a flood of invalid login requests to (1) the SSL service, or (2) the telnet service, which do not properly disconnect the user after several failed login attempts. The SNMP proxy agent on certain large Solaris systems contains a buffer overflow. It may be possible, though it is unconfirmed, that an intruder could use this flaw to execute code with root privileges. Solaris is the Unix Operating System variant distributed and maintained by Sun Microsystems. Solaris is a freely available operating system designed to run on systems of varying size with maximum scalability.
A problem with the SNMP Daemon included in the SUNWsspop package results in a buffer overflow, and potentially the execution of arbitrary code. Upon parsing the argv[0] variable from the command line, this information is stored in a static buffer. The static buffer is vulnerable to being overflowed at 700 bytes of data. This vulnerability is only present on systems acting as the System Service Processor for an E10000, or on any system with the SUNWsspop package installed. VPN 3060 Concentrator is prone to a denial-of-service vulnerability. Concentrators prior to Cisco VPN 3000 Series versions 2.5.2(F) have a vulnerability.
-----BEGIN PGP SIGNED MESSAGE-----
Internet Security Systems Security Alert Summary
April 5, 2001
Volume 6 Number 5
X-Force Vulnerability and Threat Database: http://xforce.iss.net/
To receive these Alert Summaries as well as other Alerts and Advisories,
subscribe to the Internet Security Systems Alert mailing list at:
http://xforce.iss.net/maillists/index.php
This summary can be found at http://xforce.iss.net/alerts/vol-6_num-5.php
_____
Contents:
* 80 Reported Vulnerabilities
* Risk Factor Key
_____
Date Reported: 03/01/2001
Brief Description: Palm OS Debug Mode allows attacker to bypass password
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: Palm OS 3.5.2, Palm OS 3.3
Vulnerability: palm-debug-bypass-password
X-Force URL: http://xforce.iss.net/static/6196.php
Date Reported: 03/01/2001
Brief Description: Microsoft Exchange malformed URL request could cause a
denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Microsoft Exchange 2000
Vulnerability: exchange-malformed-url-dos
X-Force URL: http://xforce.iss.net/static/6172.php
Date Reported: 03/02/2001
Brief Description: Mailx buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: OpenLinux 2.4, OpenLinux 2.3, Linux Debian 2.2
Vulnerability: mailx-bo
X-Force URL: http://xforce.iss.net/static/6181.php
Date Reported: 03/02/2001
Brief Description: SunFTP allows attackers to gain unauthorized file access
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: SunFTP 1.0 Build 9
Vulnerability: sunftp-gain-access
X-Force URL: http://xforce.iss.net/static/6195.php
Date Reported: 03/02/2001
Brief Description: WinZip /zipandemail option buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: Windows 2000 All versions, WinZip 8.0, Windows NT All
versions
Vulnerability: winzip-zipandemail-bo
X-Force URL: http://xforce.iss.net/static/6191.php
Date Reported: 03/04/2001
Brief Description: Broker FTP Server allows remote attacker to delete files
outside the FTP root
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Broker FTP Server All versions
Vulnerability: broker-ftp-delete-files
X-Force URL: http://xforce.iss.net/static/6190.php
Date Reported: 03/04/2001
Brief Description: Broker FTP allows remote user to list directories outside
the FTP root
Risk Factor: High
Attack Type: Network Based
Platforms Affected: Broker FTP Server All versions
Vulnerability: broker-ftp-list-directories
X-Force URL: http://xforce.iss.net/static/6189.php
Date Reported: 03/04/2001
Brief Description: INDEXU allows attackers to gain unauthorized system access
Risk Factor: Low
Attack Type: Host Based / Network Based
Platforms Affected: INDEXU 2.0beta and earlier
Vulnerability: indexu-gain-access
X-Force URL: http://xforce.iss.net/static/6202.php
Date Reported: 03/04/2001
Brief Description: Fastream FTP++ Client allows user to download files outside
of Web root directory
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Fastream FTP++ Server 2.0
Vulnerability: fastream-ftp-directory-traversal
X-Force URL: http://xforce.iss.net/static/6187.php
Date Reported: 03/04/2001
Brief Description: SlimServe HTTPd directory traversal
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: SlimServe HTTPd 1.1 and earlier
Vulnerability: slimserve-httpd-directory-traversal
X-Force URL: http://xforce.iss.net/static/6186.php
Date Reported: 03/04/2001
Brief Description: WFTPD Pro buffer overflow
Risk Factor: Low
Attack Type: Network Based
Platforms Affected: WFTPD Pro 3.00
Vulnerability: wftpd-pro-bo
X-Force URL: http://xforce.iss.net/static/6184.php
Date Reported: 03/05/2001
Brief Description: IRCd tkserv buffer overflow
Risk Factor: Low
Attack Type: Network Based
Platforms Affected: IRCd All versions, tkserv 1.3.0 and earlier
Vulnerability: irc-tkserv-bo
X-Force URL: http://xforce.iss.net/static/6193.php
Date Reported: 03/06/2001
Brief Description: War FTPD could allow attackers to list directories outside
the FTP root
Risk Factor: High
Attack Type: Network Based
Platforms Affected: WarFTPD 1.67b4
Vulnerability: warftp-directory-traversal
X-Force URL: http://xforce.iss.net/static/6197.php
Date Reported: 03/06/2001
Brief Description: Internet Explorer could allow execution of commands when
used with Telnet
Risk Factor: Low
Attack Type: Host Based / Network Based
Platforms Affected: Internet Explorer 5.5, Services for Unix 2.0, Windows NT All
versions, Windows 2000 All versions, Internet Explorer 5.01
Vulnerability: ie-telnet-execute-commands
X-Force URL: http://xforce.iss.net/static/6230.php
Date Reported: 03/07/2001
Brief Description: Cisco Aironet Web access allows remote attacker to
view/modify configuration
Risk Factor: Low
Attack Type: Network Based
Platforms Affected: Aironet 340 Series Wireless Bridge Firmware 8.07, Aironet
340 Series Wireless Bridge Firmware 8.24, Aironet 340 Series
Wireless Bridge Firmware 7.x
Vulnerability: cisco-aironet-web-access
X-Force URL: http://xforce.iss.net/static/6200.php
Date Reported: 03/07/2001
Brief Description: Netscape Directory Server buffer overflow
Risk Factor: Low
Attack Type: Network Based
Platforms Affected: Netscape Directory Server 4.1, Netscape Directory Server
4.12, Windows NT All versions
Vulnerability: netscape-directory-server-bo
X-Force URL: http://xforce.iss.net/static/6233.php
Date Reported: 03/07/2001
Brief Description: Proftpd contains configuration error in postinst script when
running as root
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: Linux Debian 2.2
Vulnerability: proftpd-postinst-root
X-Force URL: http://xforce.iss.net/static/6208.php
Date Reported: 03/07/2001
Brief Description: proftpd /var symlink
Risk Factor: Medium
Attack Type: Host Based
Platforms Affected: Linux Debian 2.2
Vulnerability: proftpd-var-symlink
X-Force URL: http://xforce.iss.net/static/6209.php
Date Reported: 03/07/2001
Brief Description: man2html remote denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: man2html prior to 1.5.23
Vulnerability: man2html-remote-dos
X-Force URL: http://xforce.iss.net/static/6211.php
Date Reported: 03/07/2001
Brief Description: Linux ePerl buffer overflow
Risk Factor: Medium
Attack Type: Host Based / Network Based
Platforms Affected: Linux Mandrake 7.2, Linux Mandrake Corporate Server 1.0.1,
ePerl prior to 2.2.14, Linux Debian 2.2, Linux Mandrake 7.1
Vulnerability: linux-eperl-bo
X-Force URL: http://xforce.iss.net/static/6198.php
Date Reported: 03/08/2001
Brief Description: Novell NetWare could allow attackers to gain unauthorized
access
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Novell NetWare 4.01, Novell NetWare 5.1, Novell NetWare 3.1,
Novell NetWare 4.11, Novell NetWare 5.0
Vulnerability: novell-netware-unauthorized-access
X-Force URL: http://xforce.iss.net/static/6215.php
Date Reported: 03/08/2001
Brief Description: Linux sgml-tools symlink attack
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: Linux Mandrake Corporate Server 1.0.1, sgml-tools prior to
1.0.9-15, Linux Mandrake 7.2, Linux Immunix OS 6.2, Linux
Immunix OS 7.0 Beta, Linux Mandrake 6.0, Linux Mandrake 6.1,
Linux Red Hat 7.0, Linux Red Hat 6.2, Linux Debian 2.2,
Linux Mandrake 7.1, Linux Red Hat 5.2
Vulnerability: sgmltools-symlink
X-Force URL: http://xforce.iss.net/static/6201.php
Date Reported: 03/08/2001
Brief Description: HP-UX asecure denial of service
Risk Factor: Medium
Attack Type: Host Based
Platforms Affected: HP-UX 10.10, HP-UX 10.20, HP-UX 11, HP-UX 10.01
Vulnerability: hp-asecure-dos
X-Force URL: http://xforce.iss.net/static/6212.php
Date Reported: 03/08/2001
Brief Description: ascdc Afterstep buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: ascdc 0.3
Vulnerability: ascdc-afterstep-bo
X-Force URL: http://xforce.iss.net/static/6204.php
Date Reported: 03/08/2001
Brief Description: Microsoft IIS WebDAV denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: IIS 5.0
Vulnerability: iis-webdav-dos
X-Force URL: http://xforce.iss.net/static/6205.php
Date Reported: 03/08/2001
Brief Description: WEBsweeper HTTP request denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: WEBsweeper 4.0, Windows NT All versions
Vulnerability: websweeper-http-dos
X-Force URL: http://xforce.iss.net/static/6214.php
Date Reported: 03/09/2001
Brief Description: FOLDOC allows remote attackers to execute commands
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: FOLDOC All versions
Vulnerability: foldoc-cgi-execute-commands
X-Force URL: http://xforce.iss.net/static/6217.php
Date Reported: 03/09/2001
Brief Description: slrn newsreader wrapping/unwrapping buffer overflow
Risk Factor: Low
Attack Type: Network Based
Platforms Affected: Linux Immunix OS 7.0 Beta, Linux Debian 2.2, Linux Red Hat
7.0, Linux Immunix OS 6.2, Linux Red Hat 6.0, Linux Red Hat
6.1, Linux Red Hat 6.2
Vulnerability: slrn-wrapping-bo
X-Force URL: http://xforce.iss.net/static/6213.php
Date Reported: 03/09/2001
Brief Description: Linux mutt package contains format string when using IMAP
Risk Factor: Low
Attack Type: Host Based / Network Based
Platforms Affected: Linux Mandrake 7.2, Linux Mandrake Corporate Server 1.0.1,
Linux Mandrake 6.0, Linux Mandrake 6.1, Linux Red Hat 7.0,
Linux Mandrake 7.0, Linux Mandrake 7.1, Linux Conectiva,
Linux Red Hat 6.0, Linux Red Hat 6.1, Linux Red Hat 6.2,
Linux Red Hat 5.2
Vulnerability: mutt-imap-format-string
X-Force URL: http://xforce.iss.net/static/6235.php
Date Reported: 03/10/2001
Brief Description: FormMail could be used to flood servers with anonymous email
Risk Factor: High
Attack Type: Network Based
Platforms Affected: FormMail 1.0 to 1.6, Linux All versions
Vulnerability: formmail-anonymous-flooding
X-Force URL: http://xforce.iss.net/static/6242.php
Date Reported: 03/11/2001
Brief Description: Half-Life Server config file buffer overflow
Risk Factor: Low
Attack Type: Host Based / Network Based
Platforms Affected: Half-Life Dedicated Server All versions
Vulnerability: halflife-config-file-bo
X-Force URL: http://xforce.iss.net/static/6221.php
Date Reported: 03/11/2001
Brief Description: Half-Life Server exec command buffer overflow
Risk Factor: Low
Attack Type: Host Based / Network Based
Platforms Affected: Half-Life Dedicated Server All versions
Vulnerability: halflife-exec-bo
X-Force URL: http://xforce.iss.net/static/6219.php
Date Reported: 03/11/2001
Brief Description: Half-Life Server map command buffer overflow
Risk Factor: Low
Attack Type: Network Based
Platforms Affected: Half-Life Dedicated Server All versions
Vulnerability: halflife-map-bo
X-Force URL: http://xforce.iss.net/static/6218.php
Date Reported: 03/11/2001
Brief Description: Half-Life Server 'map' command format string
Risk Factor: Low
Attack Type: Host Based / Network Based
Platforms Affected: Half-Life Dedicated Server All versions
Vulnerability: halflife-map-format-string
X-Force URL: http://xforce.iss.net/static/6220.php
Date Reported: 03/11/2001
Brief Description: Ikonboard allows remote attackers to read files
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Ikonboard 2.1.7b and earlier
Vulnerability: ikonboard-cgi-read-files
X-Force URL: http://xforce.iss.net/static/6216.php
Date Reported: 03/12/2001
Brief Description: timed daemon remote denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Linux SuSE 7.1, Linux Mandrake 7.2, Linux SuSE 7.0, Linux
Mandrake Corporate Server 1.0.1, Linux Mandrake 6.0, Linux
Mandrake 6.1, FreeBSD 4.x, Linux Mandrake 7.0, Linux SuSE
6.1, Linux Mandrake 7.1, FreeBSD 3.x, Linux SuSE 6.3, Linux
SuSE 6.4, Linux SuSE 6.2
Vulnerability: timed-remote-dos
X-Force URL: http://xforce.iss.net/static/6228.php
Date Reported: 03/12/2001
Brief Description: imap, ipop2d and ipop3d buffer overflows
Risk Factor: Low
Attack Type: Network Based
Platforms Affected: OpenLinux eServer 2.3.1, OpenLinux eBuilder for ECential
3.0, OpenLinux eDesktop 2.4, OpenLinux 2.3, Linux SuSE 6.1,
Linux Conectiva
Vulnerability: imap-ipop2d-ipop3d-bo
X-Force URL: http://xforce.iss.net/static/6269.php
Date Reported: 03/12/2001
Brief Description: rwhod remote denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: FreeBSD 3.x, FreeBSD 4.x, Unix All versions
Vulnerability: rwhod-remote-dos
X-Force URL: http://xforce.iss.net/static/6229.php
Date Reported: 03/13/2001
Brief Description: SunOS snmpd argv[0] buffer overflow
Risk Factor: Medium
Attack Type: Host Based / Network Based
Platforms Affected: SunOS 5.8
Vulnerability: snmpd-argv-bo
X-Force URL: http://xforce.iss.net/static/6239.php
Date Reported: 03/13/2001
Brief Description: Mesa utah-glx symbolic link
Risk Factor: Medium
Attack Type: Host Based
Platforms Affected: Mesa prior to 3.3-14, Linux Mandrake 7.2
Vulnerability: mesa-utahglx-symlink
X-Force URL: http://xforce.iss.net/static/6231.php
Date Reported: 03/14/2001
Brief Description: Linux FTPfs buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: Linux 2.2.x, FTPfs 0.1.1
Vulnerability: ftpfs-bo
X-Force URL: http://xforce.iss.net/static/6234.php
Date Reported: 03/15/2001
Brief Description: Solaris snmpXdmid malformed DMI request buffer overflow
Risk Factor: Low
Attack Type: Host Based / Network Based
Platforms Affected: Solaris 7, Solaris 8, Solaris 2.6
Vulnerability: solaris-snmpxdmid-bo
X-Force URL: http://xforce.iss.net/static/6245.php
Date Reported: 03/15/2001
Brief Description: vBulletin PHP Web forum allows attackers to gain elevated
privileges
Risk Factor: Low
Attack Type: Network Based
Platforms Affected: vBulletin 1.1.5 and earlier, vBulletin 2.0beta2 and earlier,
Windows All versions, Unix All versions
Vulnerability: vbulletin-php-elevate-privileges
X-Force URL: http://xforce.iss.net/static/6237.php
Date Reported: 03/15/2001
Brief Description: MDaemon WorldClient Web services denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Windows NT All versions, Windows 2000 All versions, MDaemon
3.5.6
Vulnerability: mdaemon-webservices-dos
X-Force URL: http://xforce.iss.net/static/6240.php
Date Reported: 03/16/2001
Brief Description: SSH ssheloop.c denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: SSH for Windows Server 2.4, SSH for Windows Server 2.5,
Windows All versions
Vulnerability: ssh-ssheloop-dos
X-Force URL: http://xforce.iss.net/static/6241.php
Date Reported: 03/18/2001
Brief Description: Eudora HTML emails could allow remote execution of code
Risk Factor: Low
Attack Type: Network Based
Platforms Affected: Windows All versions, Eudora 5.0.2
Vulnerability: eudora-html-execute-code
X-Force URL: http://xforce.iss.net/static/6262.php
Date Reported: 03/19/2001
Brief Description: ASPSeek s.cgi buffer overflow
Risk Factor: Low
Attack Type: Host Based / Network Based
Platforms Affected: Linux All versions, ASPSeek 1.0.3 and earlier
Vulnerability: aspseek-scgi-bo
X-Force URL: http://xforce.iss.net/static/6248.php
Date Reported: 03/20/2001
Brief Description: HSLCTF HTTP denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: AIX All versions, Unix All versions, HSLCTF 1.0
Vulnerability: hslctf-http-dos
X-Force URL: http://xforce.iss.net/static/6250.php
Date Reported: 03/20/2001
Brief Description: LICQ received URL execute commands
Risk Factor: Low
Attack Type: Network Based
Platforms Affected: Linux Mandrake Corporate Server 1.0.1, LICQ All, Linux
Mandrake 7.1, Linux Red Hat 7.0, Linux Mandrake 7.2
Vulnerability: licq-url-execute-commands
X-Force URL: http://xforce.iss.net/static/6261.php
Date Reported: 03/20/2001
Brief Description: SurfControl SuperScout allows user to bypass filtering rules
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: SurfControl SuperScout 3.0.2 and prior, Windows NT 4.0,
Windows 2000 All versions
Vulnerability: superscout-bypass-filtering
X-Force URL: http://xforce.iss.net/static/6300.php
Date Reported: 03/20/2001
Brief Description: DGUX lpsched buffer overflow
Risk Factor: Low
Attack Type: Host Based / Network Based
Platforms Affected: DG/UX All versions
Vulnerability: dgux-lpsched-bo
X-Force URL: http://xforce.iss.net/static/6258.php
Date Reported: 03/20/2001
Brief Description: REDIPlus stock trading software stores passwords in
plaintext
Risk Factor: Medium
Attack Type: Host Based
Platforms Affected: REDIPlus 1.0, Windows All versions
Vulnerability: rediplus-weak-security
X-Force URL: http://xforce.iss.net/static/6276.php
Date Reported: 03/20/2001
Brief Description: FCheck open() function allows the execution of commands
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: SCO All versions, FCheck prior to 2.07.59, SunOS All
versions, Windows All versions, Unix All versions, HP-UX All
versions, Linux All versions, Solaris All versions, AIX All
versions, BSD All versions
Vulnerability: fcheck-open-execute-commands
X-Force URL: http://xforce.iss.net/static/6256.php
Date Reported: 03/20/2001
Brief Description: NTMail long URL denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Windows 2000 All versions, NTMail 6, Windows NT 4.0
Vulnerability: ntmail-long-url-dos
X-Force URL: http://xforce.iss.net/static/6249.php
Date Reported: 03/21/2001
Brief Description: VIM text editor allows attackers to gain elevated privileges
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: VIM All versions, Linux Red Hat 5.2, Linux Red Hat 6.2,
Linux Red Hat 7.0
Vulnerability: vim-elevate-privileges
X-Force URL: http://xforce.iss.net/static/6259.php
Date Reported: 03/22/2001
Brief Description: FreeBSD UFS/EXT2FS could allow disclosure of deleted data
Risk Factor: Medium
Attack Type: Host Based
Platforms Affected: UFS All versions, EXT2FS All versions, FreeBSD All versions
Vulnerability: ufs-ext2fs-data-disclosure
X-Force URL: http://xforce.iss.net/static/6268.php
Date Reported: 03/22/2001
Brief Description: Microsoft invalid digital certificates could be used for
spoofing
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: Windows ME All versions, Windows 95 All versions, Windows 98
All versions, Windows 2000 All versions, Windows NT All
versions
Vulnerability: microsoft-invalid-digital-certificates
X-Force URL: http://xforce.iss.net/static/6265.php
Date Reported: 03/23/2001
Brief Description: Akopia Interchange could allow attacker to gain
administrative access
Risk Factor: Low
Attack Type: Network Based
Platforms Affected: Akopia Interchange 4.5.3 and 4.6.3
Vulnerability: akopia-interchange-gain-access
X-Force URL: http://xforce.iss.net/static/6273.php
Date Reported: 03/23/2001
Brief Description: Solaris /opt/JSParm/bin/perfmon allows user to create files
with root privileges
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: Solaris 2.x
Vulnerability: solaris-perfmon-create-files
X-Force URL: http://xforce.iss.net/static/6267.php
Date Reported: 03/23/2001
Brief Description: Windows user.dmp file insecure permissions
Risk Factor: Medium
Attack Type: Host Based
Platforms Affected: Windows NT All versions, Windows 2000 All versions
Vulnerability: win-userdmp-insecure-permission
X-Force URL: http://xforce.iss.net/static/6275.php
Date Reported: 03/23/2001
Brief Description: Compaq Web-enabled management software could allow users to
bypass proxy settings
Risk Factor: Low
Attack Type: Host Based / Network Based
Platforms Affected: Compaq Web-Enabled Management All versions
Vulnerability: compaq-wbm-bypass-proxy
X-Force URL: http://xforce.iss.net/static/6264.php
Date Reported: 03/25/2001
Brief Description: MDaemon IMAP SELECT and EXAMINE command denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Windows All versions, Mdaemon 3.5.6
Vulnerability: mdaemon-imap-command-dos
X-Force URL: http://xforce.iss.net/static/6279.php
Date Reported: 03/25/2001
Brief Description: HP-UX 11.11 newgrp(1) command allows users to gain additional privileges
Risk Factor: High
Attack Type: Host Based
Platforms Affected: HP-UX 11.11
Vulnerability: hp-newgrp-additional-privileges
X-Force URL: http://xforce.iss.net/static/6282.php
Date Reported: 03/26/2001
Brief Description: 602Pro LAN SUITE webprox.dll denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Windows All versions, 602Pro LAN SUITE 2000a All versions
Vulnerability: lan-suite-webprox-dos
X-Force URL: http://xforce.iss.net/static/6281.php
Date Reported: 03/26/2001
Brief Description: BEA WebLogic Server could allow attackers to browse Web
directories
Risk Factor: High
Attack Type: Network Based
Platforms Affected: WebLogic Server 6.0, Windows All versions
Vulnerability: weblogic-browse-directories
X-Force URL: http://xforce.iss.net/static/6283.php
Date Reported: 03/27/2001
Brief Description: Solaris tip buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: Solaris 8, Solaris 2.5.1, Solaris 2.6, Solaris 7
Vulnerability: solaris-tip-bo
X-Force URL: http://xforce.iss.net/static/6284.php
Date Reported: 03/27/2001
Brief Description: SonicWALL IKE pre-shared key is 48 bytes instead of 128
bytes
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: SonicWALL TELE2 6.0.0, SonicWALL SOHO2 6.0.0
Vulnerability: sonicwall-ike-shared-keys
X-Force URL: http://xforce.iss.net/static/6304.php
Date Reported: 03/27/2001
Brief Description: Anaconda Foundation Clipper directory traversal
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Anaconda Foundation Clipper 3.3
Vulnerability: anaconda-clipper-directory-traversal
X-Force URL: http://xforce.iss.net/static/6286.php
Date Reported: 03/27/2001
Brief Description: Microsoft Visual Studio VB-TSQL buffer overflow
Risk Factor: Low
Attack Type: Network Based
Platforms Affected: Windows 2000 All versions, Microsoft Visual Studio 6.0
Enterprise Ed., Windows NT All versions
Vulnerability: visual-studio-vbtsql-bo
X-Force URL: http://xforce.iss.net/static/6288.php
Date Reported: 03/27/2001
Brief Description: SCO OpenServer deliver buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: SCO OpenServer 5.0.6
Vulnerability: sco-openserver-deliver-bo
X-Force URL: http://xforce.iss.net/static/6302.php
Date Reported: 03/27/2001
Brief Description: SCO OpenServer lpadmin buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: SCO OpenServer 5.0.6
Vulnerability: sco-openserver-lpadmin-bo
X-Force URL: http://xforce.iss.net/static/6291.php
Date Reported: 03/27/2001
Brief Description: SCO OpenServer lpforms buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: SCO OpenServer 5.0.6
Vulnerability: sco-openserver-lpforms-bo
X-Force URL: http://xforce.iss.net/static/6293.php
Date Reported: 03/27/2001
Brief Description: SCO OpenServer lpshut buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: SCO OpenServer 5.0.6
Vulnerability: sco-openserver-lpshut-bo
X-Force URL: http://xforce.iss.net/static/6290.php
Date Reported: 03/27/2001
Brief Description: SCO OpenServer lpusers buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: SCO OpenServer 5.0.6
Vulnerability: sco-openserver-lpusers-bo
X-Force URL: http://xforce.iss.net/static/6292.php
Date Reported: 03/27/2001
Brief Description: SCO OpenServer recon buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: SCO OpenServer 5.0.6
Vulnerability: sco-openserver-recon-bo
X-Force URL: http://xforce.iss.net/static/6289.php
Date Reported: 03/27/2001
Brief Description: SCO OpenServer sendmail buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: SCO OpenServer 5.0.6
Vulnerability: sco-openserver-sendmail-bo
X-Force URL: http://xforce.iss.net/static/6303.php
Date Reported: 03/28/2001
Brief Description: Inframail POST command denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Windows All versions, Inframail 3.97a and earlier, Linux All
versions
Vulnerability: inframail-post-dos
X-Force URL: http://xforce.iss.net/static/6297.php
Date Reported: 03/28/2001
Brief Description: Cisco VPN 3000 Concentrators Telnet denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Cisco VPN 3000 Concentrators prior to 3.0.00
Vulnerability: cisco-vpn-telnet-dos
X-Force URL: http://xforce.iss.net/static/6298.php
Date Reported: 03/28/2001
Brief Description: WebSite Professional remote manager service denial of
service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: O'Reilly WebSite Pro 3.0.37
Vulnerability: website-pro-remote-dos
X-Force URL: http://xforce.iss.net/static/6295.php
Date Reported: 03/28/2001
Brief Description: Windows Me and Plus! 98 could allow the recovery of
Compressed Folder passwords
Risk Factor: Medium
Attack Type: Host Based
Platforms Affected: Windows 98 All versions, Windows 98 Second Edition, Windows
ME All versions
Vulnerability: win-compressed-password-recovery
X-Force URL: http://xforce.iss.net/static/6294.php
_____
Risk Factor Key:
High:   Any vulnerability that provides an attacker with immediate
        access into a machine, gains superuser access, or bypasses
        a firewall. Example: A vulnerable Sendmail 8.6.5 version
        that allows an intruder to execute commands on mail
        server.
Medium: Any vulnerability that provides information that has a
        high potential of giving system access to an intruder.
        Example: A misconfigured TFTP or vulnerable NIS server
        that allows an intruder to get the password file that
        could contain an account with a guessable password.
Low:    Any vulnerability that provides information that
        potentially could lead to a compromise. Example: A
        finger that allows an intruder to find out who is online
        and potential accounts to attempt to crack passwords
        via brute force methods.
________
Internet Security Systems is the leading global provider of security
management solutions for the Internet, protecting digital assets and
ensuring safe and uninterrupted e-business. With its industry-leading
intrusion detection and vulnerability assessment, remote managed security
services, and strategic consulting and education offerings, ISS is a
trusted security provider to more than 8,000 customers worldwide including
21 of the 25 largest U.S. commercial banks and the top 10 U.S.
telecommunications companies. Founded in 1994, ISS is headquartered in
Atlanta, GA, with additional offices throughout North America and
international operations in Asia, Australia, Europe, Latin America and the
Middle East. For more information, visit the Internet Security Systems web
site at www.iss.net or call 888-901-7477.
Copyright (c) 2001 by Internet Security Systems, Inc.
Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express consent
of the X-Force. If you wish to reprint the whole or any part of this Alert
in any other medium excluding electronic medium, please e-mail
xforce@iss.net for permission.
Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.
X-Force PGP Key available at: http://xforce.iss.net/sensitive.php as
well as on MIT's PGP key server and PGP.com's key server.
Please send suggestions, updates, and comments to: X-Force xforce@iss.net
of Internet Security Systems, Inc.
VAR-200106-0110 | CVE-2001-0328 | Multiple TCP/IP implementations may use statistically predictable initial sequence numbers |
CVSS V2: 5.0 CVSS V3: - Severity: Medium |
TCP implementations that use random increments for initial sequence numbers (ISN) can allow remote attackers to perform session hijacking or disruption by injecting a flood of packets with a range of ISN values, one of which may match the expected ISN. Attacks against TCP initial sequence number generation have been discussed for some time now. It has long been recognized that the ability to know or predict ISNs can lead to TCP connection hijacking or spoofing. What was not previously illustrated was just how predictable one commonly-used method of randomizing new connection ISNs is in some modern TCP/IP implementations.
A vulnerability exists in some TCP/IP stack implementations that use random increments for initial sequence numbers. Such implementations are vulnerable to statistical attack, which could allow an attacker to predict, within a reasonable range, sequence numbers of future and existing connections.
By predicting a sequence number, several attacks could be performed; an attacker could disrupt or hijack existing connections, or spoof future connections.
HP SECURITY BULLETIN
HPSBTU01210 REVISION: 0
SSRT4743, SSRT4884 rev.0 - HP Tru64 UNIX TCP/IP remote Denial of
Service (DoS)
NOTICE:
There are no restrictions for distribution of this Security
Bulletin provided that it remains complete and intact.
The information in this Security Bulletin should be acted upon
as soon as possible.
INITIAL RELEASE:
15 July 2005
POTENTIAL SECURITY IMPACT:
Remote Denial of Service (DoS)
SOURCE:
Hewlett-Packard Company
HP Software Security Response Team
VULNERABILITY SUMMARY:
Several potential security vulnerabilities have been identified
in the HP Tru64 UNIX TCP/IP including ICMP, and Initial Sequence
Number generation (ISNs). These exploits could result in a remote
Denial of Service (DoS) from network throughput reduction for
TCP connections, the reset of TCP connections, or TCP spoofing.
REFERENCES:
CERT CA-2001-09, NISCC Vulnerability Advisory VU#498440 VU#532967,
CAN-2004-0790 CAN-2004-0791 CAN-2004-1060 CAN-2001-0328
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
HP Tru64 UNIX 5.1B-3
HP Tru64 UNIX 5.1B-2/PK4
HP Tru64 UNIX 5.1A PK
HP Tru64 UNIX 4.0G PK4
HP Tru64 UNIX 4.0F PK8
BACKGROUND:
Special Instructions for the Customer
The Internet Control Message Protocol (ICMP) (RFC 792) is used in
the Internet Architecture to perform fault-isolation and recovery
(RFC816), which is the group of actions that hosts and routers
take to determine if a network failure has occurred.
The industry standard TCP specification (RFC 793) has a
vulnerability whereby ICMP packets can be used to perform a
variety of attacks such as blind connection reset attacks and
blind throughput-reduction attacks. Blind connection reset
attacks can be triggered by an attacker sending forged ICMP
"Destination Unreachable, host unreachable" packets or ICMP
"Destination Unreachable, port unreachable" packets. Blind
throughput-reduction attacks can be caused by an attacker sending
a forged ICMP type 4 (Source Quench) packet.
Path MTU Discovery (RFC 1191) describes a technique for
dynamically discovering the MTU (maximum transmission unit) of an
arbitrary internet path. This protocol uses ICMP packets from
the router to discover the MTU for a TCP connection path. An
attacker can reduce the throughput of a TCP connection by sending
forged ICMP packets (or their IPv6 counterpart) to the
discovering host, causing an incorrect Path MTU setting.
HP has addressed these potential vulnerabilities by providing a
new kernel tunable in Tru64 UNIX V5.1B and 5.1A,
icmp_tcpseqcheck. In Tru64 4.0F and 4.0G, HP has introduced two
new kernel tunables, icmp_tcpseqcheck and icmp_rejectcodemask.
The icmp_rejectcodemask tunable is already available in Tru64
UNIX V5.1B and 5.1A.
icmp_tcpseqcheck
The icmp_tcpseqcheck variable mitigates ICMP attacks against TCP
by checking that the TCP sequence number contained in the payload
of the ICMP error message is within the range of the data already
sent but not yet acknowledged. An ICMP error message that does
not pass this check is discarded. This behavior protects TCP
against spoofed ICMP packets.
Set the tunable as follows:
icmp_tcpseqcheck=1 (default)
Provides a level of protection that reduces the possibility
of considering a spoofed ICMP packet as valid
to one in two raised to the thirty-second power.
icmp_tcpseqcheck=0
Retains existing behavior, i.e., accepts all ICMP packets
icmp_rejectcodemask
In the Requirements for IP Version 4 Routers (RFC 1812), research
suggests that the use of ICMP Source Quench packets is an
ineffective (and unfair) antidote for congestion. Thus, HP
recommends completely ignoring ICMP Source Quench packets using
the icmp_rejectcodemask tunable. The icmp_rejectcodemask is a
bitmask that designates the ICMP codes that the system should
reject. For example, to reject ICMP Source Quench packets,
set the mask bit position for the ICMP_SOURCEQUENCH code 4,
which is two to the 4th power = 16 (0x10 hex).
The icmp_rejectcodemask tunable can be used to reject any
ICMP packet type, or multiple masks can be combined to reject
more than one type.
Note: the ICMP type codes are defined in
"/usr/include/netinet/ip_icmp.h".
Set the tunable as follows:
icmp_rejectcodemask = 0x10
Rejects ICMP Source Quench packets
icmp_rejectcodemask = 0 (default)
Retains existing behavior, i.e., accepts all ICMP packets
Adjusting the variables
The ICMP sequence check variable (icmp_tcpseqcheck) can be
adjusted using the sysconfig and sysconfigdb commands:
# sysconfig -q inet icmp_tcpseqcheck
inet:
icmp_tcpseqcheck = 1
# sysconfig -r inet icmp_tcpseqcheck=0
icmp_tcpseqcheck: reconfigured
# sysconfig -q inet icmp_tcpseqcheck
inet:
icmp_tcpseqcheck = 0
# sysconfig -q inet icmp_tcpseqcheck > /tmp/icmp_tcpseqcheck_merge
# sysconfigdb -m -f /tmp/icmp_tcpseqcheck_merge inet
# sysconfigdb -l inet
inet:
icmp_tcpseqcheck = 1
Similarly, the icmp_rejectcodemask variable can be adjusted using
the sysconfig and sysconfigdb commands:
# sysconfig -q inet icmp_rejectcodemask
inet:
icmp_rejectcodemask = 0
# sysconfig -r inet icmp_rejectcodemask=0x10
icmp_rejectcodemask: reconfigured
# sysconfig -q inet icmp_rejectcodemask
inet:
icmp_rejectcodemask = 16
# sysconfig -q inet icmp_rejectcodemask > /tmp/icmp_rejectcodemask_merge
# sysconfigdb -m -f /tmp/icmp_rejectcodemask_merge inet
# sysconfigdb -l inet
inet:
icmp_rejectcodemask = 16
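The two checks described above, as an added illustration in C that is not HP's kernel code: the type bitmask first, then the test that the TCP sequence number quoted in the ICMP error lies in the sent-but-unacknowledged window. The struct and function names, the verdict enum and the sample packets are assumptions constructed for this example, and the caller is assumed to have already matched the ICMP message to the connection by addresses and ports.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ICMP_UNREACH      3   /* Destination Unreachable (RFC 792) */
#define ICMP_SOURCEQUENCH 4   /* Source Quench (RFC 792) */
#define IPPROTO_TCP_NUM   6   /* IP protocol number for TCP */

/* Hypothetical stand-ins for kernel state; these are not Tru64's names. */
struct tcp_conn { uint32_t snd_una, snd_nxt; };  /* oldest unacked, next to send */
struct tunables { int icmp_tcpseqcheck; uint32_t icmp_rejectcodemask; };

enum verdict { ICMP_ACCEPT, ICMP_DROP_MASK, ICMP_DROP_SHORT, ICMP_DROP_SEQ };

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* True when seq lies in [snd_una, snd_nxt): sent but not yet acknowledged.
 * Unsigned subtraction keeps the comparison correct across 2^32 wraparound. */
static bool seq_in_flight(const struct tcp_conn *c, uint32_t seq)
{
    return (uint32_t)(seq - c->snd_una) < (uint32_t)(c->snd_nxt - c->snd_una);
}

/* Verdict for one ICMP error message received for connection c. */
enum verdict icmp_error_verdict(const struct tunables *t,
                                const struct tcp_conn *c,
                                const uint8_t *icmp, size_t len)
{
    if (len < 1)
        return ICMP_DROP_SHORT;

    /* Mask bit n rejects ICMP type n, so 0x10 rejects Source Quench (4). */
    uint8_t type = icmp[0];
    if (type < 32 && (t->icmp_rejectcodemask & (UINT32_C(1) << type)))
        return ICMP_DROP_MASK;

    if (!t->icmp_tcpseqcheck)
        return ICMP_ACCEPT;              /* pre-patch behaviour: accept all */

    /* 8-byte ICMP header, then the offending IP header plus 8 bytes of the
     * original datagram, which for TCP hold the ports and sequence number. */
    if (len < 8 + 20)
        return ICMP_DROP_SHORT;
    const uint8_t *ip = icmp + 8;
    size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
    if (ihl < 20 || len < 8 + ihl + 8)
        return ICMP_DROP_SHORT;
    if (ip[9] != IPPROTO_TCP_NUM)
        return ICMP_ACCEPT;              /* error is not about a TCP segment */

    return seq_in_flight(c, be32(ip + ihl + 4)) ? ICMP_ACCEPT : ICMP_DROP_SEQ;
}

/* Build a constructed 36-byte ICMP error quoting a TCP segment with the
 * given sequence number. Checksums are left zero and not verified here. */
size_t build_icmp_error(uint8_t *buf, uint8_t type, uint8_t code, uint32_t seq)
{
    memset(buf, 0, 36);
    buf[0] = type;
    buf[1] = code;
    buf[8] = 0x45;                       /* embedded IPv4 header, IHL = 5 */
    buf[8 + 9] = IPPROTO_TCP_NUM;
    buf[32] = (uint8_t)(seq >> 24);      /* TCP header starts at offset 28 */
    buf[33] = (uint8_t)(seq >> 16);
    buf[34] = (uint8_t)(seq >> 8);
    buf[35] = (uint8_t)seq;
    return 36;
}

int main(void)
{
    static const char *names[] = { "accept", "drop (mask)", "drop (short)",
                                   "drop (sequence)" };
    struct tunables t = { 1, 0x10 };
    struct tcp_conn c = { 1000, 3000 };
    uint8_t pkt[36];
    size_t n;

    n = build_icmp_error(pkt, ICMP_SOURCEQUENCH, 0, 1500);
    printf("source quench:        %s\n", names[icmp_error_verdict(&t, &c, pkt, n)]);
    n = build_icmp_error(pkt, ICMP_UNREACH, 1, 1500);
    printf("unreach, in window:   %s\n", names[icmp_error_verdict(&t, &c, pkt, n)]);
    n = build_icmp_error(pkt, ICMP_UNREACH, 1, 5000);
    printf("unreach, stale seq:   %s\n", names[icmp_error_verdict(&t, &c, pkt, n)]);
    return 0;
}
```

A blind sender who cannot observe the connection has to guess a value inside the in-flight window, which is what makes the sequence check effective against forged ICMP errors.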
RESOLUTION:
Until the corrections are available in a mainstream
release patch kit, HP is releasing the following Early Release
Patch (ERP) kits publicly for use by any customer.
The ERP kits use dupatch to install and will not install over
any installed Customer Specific Patches (CSPs) that have file
intersections with the ERPs. Contact your service provider for
assistance if the ERP installation is blocked by any of your
installed CSPs.
The fixes contained in the ERP kits are scheduled to be
available in the following mainstream patch kits:
HP Tru64 Unix 5.1B-4
Early Release Patches
The ERPs deliver the following file:
/sys/BINARY/inet.mod
HP Tru64 UNIX 5.1B-3 ERP Kit Name:
T64KIT0025925-V51BB26-ES-20050628
Kit Location:
http://www.itrc.hp.com/service/patch/patchDetail.do?patchid=T64KIT0025925-V51BB26-ES-20050628
MD5 checksum: 129251787a426320af16cd584b982027
HP Tru64 UNIX 5.1B-2/PK4 ERP Kit Name:
T64KIT0025924-V51BB25-ES-20050628
Kit Location:
http://www.itrc.hp.com/service/patch/patchDetail.do?patchid=T64KIT0025924-V51BB25-ES-20050628
MD5 checksum: 5fcc77a6876db6d10ef07ac96e11b3af
HP Tru64 UNIX 5.1A PK6 ERP Kit Name:
T64KIT0025922-V51AB24-ES-20050628
Kit Location:
http://www.itrc.hp.com/service/patch/patchDetail.do?patchid=T64KIT0025922-V51AB24-ES-20050628
MD5 checksum: 7c373b35c95945651a1cfda96bf71421
HP Tru64 UNIX 4.0G PK4 ERP Kit Name:
T64KIT0025920-V40GB22-ES-20050628
Kit Location:
http://www.itrc.hp.com/service/patch/patchDetail.do?patchid=T64KIT0025920-V40GB22-ES-20050628
MD5 checksum: 13849fd555239d75d300d1cb46dc995f
HP Tru64 UNIX 4.0F PK8 ERP Kit Name:
DUXKIT0025921-V40FB22-ES-20050628
Kit Location:
http://www.itrc.hp.com/service/patch/patchDetail.do?patchid=T64KIT0025920-V40GB22-ES-20050628
MD5 checksum: 743b614d39f185802701b7f2dd14ffa5
MD5 checksums are available from the ITRC patch database main
page:
http://www.itrc.hp.com/service/patch/mainPage.do
- From the patch database main page, click Tru64 UNIX,
then click verifying MD5 checksums under useful links.
General ITRC Patch Page:
http://www.itrc.hp.com/service/patch/mainPage
SUPPORT: For further information, contact normal HP Services
support channel.
REPORT: To report a potential security vulnerability with any HP
supported product, send Email to: security-alert@hp.com. It is
strongly recommended that security related information being
communicated to HP be encrypted using PGP, especially exploit
information. To obtain the security-alert PGP key please send an
e-mail message to security-alert@hp.com with the Subject of
'get key' (no quotes).
SUBSCRIBE: To initiate a subscription to receive future HP
Security Bulletins via Email:
http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC
On the web page: ITRC security bulletins and patch sign-up
Under Step1: your ITRC security bulletins and patches
- check ALL categories for which alerts are required and
continue.
Under Step2: your ITRC operating systems
- verify your operating system selections are checked and
save.
To update an existing subscription:
http://h30046.www3.hp.com/subSignIn.php
Log in on the web page
Subscriber's choice for Business: sign-in.
On the Web page:
Subscriber's Choice: your profile summary
- use Edit Profile to update appropriate sections.
To review previously published Security Bulletins visit:
http://itrc.hp.com/service/cki/secBullArchive.do
* The Software Product Category that this Security Bulletin
relates to is represented by the 5th and 6th characters of the
Bulletin number:
GN = HP General SW,
MA = HP Management Agents,
MI = Misc. 3rd party SW,
MP = HP MPE/iX,
NS = HP NonStop Servers,
OV = HP OpenVMS,
PI = HP Printing & Imaging,
ST = HP Storage SW,
TL = HP Trusted Linux,
TU = HP Tru64 UNIX,
UX = HP-UX,
VV = HP Virtual Vault
System management and security procedures must be reviewed
frequently to maintain system integrity. HP is continually
reviewing and enhancing the security features of software products
to provide customers with current secure solutions.
"HP is broadly distributing this Security Bulletin in order to
bring to the attention of users of the affected HP products the
important security information contained in this Bulletin. HP
recommends that all users determine the applicability of this
information to their individual situations and take appropriate
action. HP does not warrant that this information is necessarily
accurate or complete for all user situations and, consequently, HP
will not be responsible for any damages resulting from user's use
or disregard of the information provided in this Bulletin. To the
extent permitted by law, HP disclaims all warranties, either
express or implied, including the warranties of merchantability
and fitness for a particular purpose, title and non-infringement."
(c)Copyright 2005 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or
editorial errors or omissions contained herein. The information
provided is provided "as is" without warranty of any kind. To the
extent permitted by law, neither HP nor its affiliates,
subcontractors or suppliers will be liable for incidental, special
or consequential damages including downtime cost; lost profits;
damages relating to the procurement of substitute products or
services; or damages for loss of data, or software restoration.
The information in this document is subject to change without
notice. Hewlett-Packard Company and the names of Hewlett-Packard
products referenced herein are trademarks of Hewlett-Packard
Company in the United States and other countries. Other product
and company names mentioned herein may be trademarks of their
respective owners.
VAR-200106-0093 | CVE-2001-0376 | Sun Solaris SNMP proxy agent /opt/SUNWssp/bin/snmpd contains buffer overflow |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
SonicWALL Tele2 and SOHO firewalls with 6.0.0.0 firmware using IPSEC with IKE pre-shared keys do not allow for the use of full 128 byte IKE pre-shared keys, which is the intended design of the IKE pre-shared key, and only support 48 byte keys. This allows a remote attacker to brute force attack the pre-shared keys with significantly less resources than if the full 128 byte IKE pre-shared keys were used. The SNMP proxy agent on certain large Solaris systems contains a buffer overflow. It may be possible, though it is unconfirmed, that an intruder could use this flaw to execute code with root privileges. Solaris is the Unix Operating System variant distributed and maintained by Sun Microsystems. Solaris is a freely available operating system designed to run on systems of varying size with maximum scalability.
A problem with the SNMP Daemon included in the SUNWsspop package results in a buffer overflow, and potentially the execution of arbitrary code. Upon parsing the argv[0] variable from the command line, this information is stored in a static buffer. The static buffer is vulnerable to being overflowed at 700 bytes of data. This vulnerability is only present on systems acting as the System Service Processor for an E10000, or on any system with the SUNWsspop package installed. Tele2 is prone to a remote security vulnerability.
Internet Security Systems Security Alert Summary
April 5, 2001
Volume 6 Number 5
X-Force Vulnerability and Threat Database: http://xforce.iss.net/ To
receive these Alert Summaries as well as other Alerts and Advisories,
subscribe to the Internet Security Systems Alert mailing list at:
http://xforce.iss.net/maillists/index.php
This summary can be found at http://xforce.iss.net/alerts/vol-6_num-5.php
_____
Contents:
* 80 Reported Vulnerabilities
* Risk Factor Key
_____
Date Reported: 03/01/2001
Brief Description: Palm OS Debug Mode allows attacker to bypass password
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: Palm OS 3.5.2, Palm OS 3.3
Vulnerability: palm-debug-bypass-password
X-Force URL: http://xforce.iss.net/static/6196.php
Date Reported: 03/01/2001
Brief Description: Microsoft Exchange malformed URL request could cause a
denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Microsoft Exchange 2000
Vulnerability: exchange-malformed-url-dos
X-Force URL: http://xforce.iss.net/static/6172.php
Date Reported: 03/02/2001
Brief Description: Mailx buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: OpenLinux 2.4, OpenLinux 2.3, Linux Debian 2.2
Vulnerability: mailx-bo
X-Force URL: http://xforce.iss.net/static/6181.php
Date Reported: 03/02/2001
Brief Description: SunFTP allows attackers to gain unauthorized file access
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: SunFTP 1.0 Build 9
Vulnerability: sunftp-gain-access
X-Force URL: http://xforce.iss.net/static/6195.php
Date Reported: 03/02/2001
Brief Description: WinZip /zipandemail option buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: Windows 2000 All versions, Winzip 8.0, Windows NT All
versions
Vulnerability: winzip-zipandemail-bo
X-Force URL: http://xforce.iss.net/static/6191.php
Date Reported: 03/04/2001
Brief Description: Broker FTP Server allows remote attacker to delete files
outside the FTP root
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Broker FTP Server All versions
Vulnerability: broker-ftp-delete-files
X-Force URL: http://xforce.iss.net/static/6190.php
Date Reported: 03/04/2001
Brief Description: Broker FTP allows remote user to list directories outside
the FTP root
Risk Factor: High
Attack Type: Network Based
Platforms Affected: Broker FTP Server All versions
Vulnerability: broker-ftp-list-directories
X-Force URL: http://xforce.iss.net/static/6189.php
Date Reported: 03/04/2001
Brief Description: INDEXU allows attackers to gain unauthorized system access
Risk Factor: Low
Attack Type: Host Based / Network Based
Platforms Affected: INDEXU 2.0beta and earlier
Vulnerability: indexu-gain-access
X-Force URL: http://xforce.iss.net/static/6202.php
Date Reported: 03/04/2001
Brief Description: Fastream FTP++ Client allows user to download files outside
of Web root directory
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Fastream FTP++ Server 2.0
Vulnerability: fastream-ftp-directory-traversal
X-Force URL: http://xforce.iss.net/static/6187.php
Date Reported: 03/04/2001
Brief Description: SlimServe HTTPd directory traversal
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: SlimServe HTTPd 1.1 and earlier
Vulnerability: slimserve-httpd-directory-traversal
X-Force URL: http://xforce.iss.net/static/6186.php
Date Reported: 03/04/2001
Brief Description: WFTPD Pro buffer overflow
Risk Factor: Low
Attack Type: Network Based
Platforms Affected: WFTPD Pro 3.00
Vulnerability: wftpd-pro-bo
X-Force URL: http://xforce.iss.net/static/6184.php
Date Reported: 03/05/2001
Brief Description: IRCd tkserv buffer overflow
Risk Factor: Low
Attack Type: Network Based
Platforms Affected: IRCd All versions, tkserv 1.3.0 and earlier
Vulnerability: irc-tkserv-bo
X-Force URL: http://xforce.iss.net/static/6193.php
Date Reported: 03/06/2001
Brief Description: War FTPD could allow attackers to list directories outside
the FTP root
Risk Factor: High
Attack Type: Network Based
Platforms Affected: WarFTPD 1.67b4
Vulnerability: warftp-directory-traversal
X-Force URL: http://xforce.iss.net/static/6197.php
Date Reported: 03/06/2001
Brief Description: Internet Explorer could allow execution of commands when
used with Telnet
Risk Factor: Low
Attack Type: Host Based / Network Based
Platforms Affected: Internet Explorer 5.5, Services for Unix 2.0, Windows NT All
versions, Windows 2000 All versions, Internet Explorer 5.01
Vulnerability: ie-telnet-execute-commands
X-Force URL: http://xforce.iss.net/static/6230.php
Date Reported: 03/07/2001
Brief Description: Cisco Aironet Web access allows remote attacker to
view/modify configuration
Risk Factor: Low
Attack Type: Network Based
Platforms Affected: Aironet 340 Series Wireless Bridge Firmware 8.07, Aironet
340 Series Wireless Bridge Firmware 8.24, Aironet 340 Series
Wireless Bridge Firmware 7.x
Vulnerability: cisco-aironet-web-access
X-Force URL: http://xforce.iss.net/static/6200.php
Date Reported: 03/07/2001
Brief Description: Netscape Directory Server buffer overflow
Risk Factor: Low
Attack Type: Network Based
Platforms Affected: Netscape Directory Server 4.1, Netscape Directory Server
4.12, Windows NT All versions
Vulnerability: netscape-directory-server-bo
X-Force URL: http://xforce.iss.net/static/6233.php
Date Reported: 03/07/2001
Brief Description: Proftpd contains configuration error in postinst script when
running as root
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: Linux Debian 2.2
Vulnerability: proftpd-postinst-root
X-Force URL: http://xforce.iss.net/static/6208.php
Date Reported: 03/07/2001
Brief Description: proftpd /var symlink
Risk Factor: Medium
Attack Type: Host Based
Platforms Affected: Linux Debian 2.2
Vulnerability: proftpd-var-symlink
X-Force URL: http://xforce.iss.net/static/6209.php
Date Reported: 03/07/2001
Brief Description: man2html remote denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: man2html prior to 1.5.23
Vulnerability: man2html-remote-dos
X-Force URL: http://xforce.iss.net/static/6211.php
Date Reported: 03/07/2001
Brief Description: Linux ePerl buffer overflow
Risk Factor: Medium
Attack Type: Host Based / Network Based
Platforms Affected: Linux Mandrake 7.2, Linux Mandrake Corporate Server 1.0.1,
ePerl prior to 2.2.14, Linux Debian 2.2, Linux Mandrake 7.1
Vulnerability: linux-eperl-bo
X-Force URL: http://xforce.iss.net/static/6198.php
Date Reported: 03/08/2001
Brief Description: Novell NetWare could allow attackers to gain unauthorized
access
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Novell NetWare 4.01, Novell NetWare 5.1, Novell NetWare 3.1,
Novell NetWare 4.11, Novell NetWare 5.0
Vulnerability: novell-netware-unauthorized-access
X-Force URL: http://xforce.iss.net/static/6215.php
Date Reported: 03/08/2001
Brief Description: Linux sgml-tools symlink attack
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: Linux Mandrake Corporate Server 1.0.1, sgml-tools prior to
1.0.9-15, Linux Mandrake 7.2, Linux Immunix OS 6.2, Linux
Immunix OS 7.0 Beta, Linux Mandrake 6.0, Linux Mandrake 6.1,
Linux Red Hat 7.0, Linux Red Hat 6.2, Linux Debian 2.2,
Linux Mandrake 7.1, Linux Red Hat 5.2
Vulnerability: sgmltools-symlink
X-Force URL: http://xforce.iss.net/static/6201.php
Date Reported: 03/08/2001
Brief Description: HP-UX asecure denial of service
Risk Factor: Medium
Attack Type: Host Based
Platforms Affected: HP-UX 10.10, HP-UX 10.20, HP-UX 11, HP-UX 10.01
Vulnerability: hp-asecure-dos
X-Force URL: http://xforce.iss.net/static/6212.php
Date Reported: 03/08/2001
Brief Description: ascdc Afterstep buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: ascdc 0.3
Vulnerability: ascdc-afterstep-bo
X-Force URL: http://xforce.iss.net/static/6204.php
Date Reported: 03/08/2001
Brief Description: Microsoft IIS WebDAV denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: IIS 5.0
Vulnerability: iis-webdav-dos
X-Force URL: http://xforce.iss.net/static/6205.php
Date Reported: 03/08/2001
Brief Description: WEBsweeper HTTP request denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: WEBsweeper 4.0, Windows NT All versions
Vulnerability: websweeper-http-dos
X-Force URL: http://xforce.iss.net/static/6214.php
Date Reported: 03/09/2001
Brief Description: FOLDOC allows remote attackers to execute commands
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: FOLDOC All versions
Vulnerability: foldoc-cgi-execute-commands
X-Force URL: http://xforce.iss.net/static/6217.php
Date Reported: 03/09/2001
Brief Description: slrn newsreader wrapping/unwrapping buffer overflow
Risk Factor: Low
Attack Type: Network Based
Platforms Affected: Linux Immunix OS 7.0 Beta, Linux Debian 2.2, Linux Red Hat
7.0, Linux Immunix OS 6.2, Linux Red Hat 6.0, Linux Red Hat
6.1, Linux Red Hat 6.2
Vulnerability: slrn-wrapping-bo
X-Force URL: http://xforce.iss.net/static/6213.php
Date Reported: 03/09/2001
Brief Description: Linux mutt package contains format string when using IMAP
Risk Factor: Low
Attack Type: Host Based / Network Based
Platforms Affected: Linux Mandrake 7.2, Linux Mandrake Corporate Server 1.0.1,
Linux Mandrake 6.0, Linux Mandrake 6.1, Linux Red Hat 7.0,
Linux Mandrake 7.0, Linux Mandrake 7.1, Linux Conectiva,
Linux Red Hat 6.0, Linux Red Hat 6.1, Linux Red Hat 6.2,
Linux Red Hat 5.2
Vulnerability: mutt-imap-format-string
X-Force URL: http://xforce.iss.net/static/6235.php
Date Reported: 03/10/2001
Brief Description: FormMail could be used to flood servers with anonymous email
Risk Factor: High
Attack Type: Network Based
Platforms Affected: FormMail 1.0 to 1.6, Linux All versions
Vulnerability: formmail-anonymous-flooding
X-Force URL: http://xforce.iss.net/static/6242.php
Date Reported: 03/11/2001
Brief Description: Half-Life Server config file buffer overflow
Risk Factor: Low
Attack Type: Host Based / Network Based
Platforms Affected: Half-Life Dedicated Server All versions
Vulnerability: halflife-config-file-bo
X-Force URL: http://xforce.iss.net/static/6221.php
Date Reported: 03/11/2001
Brief Description: Half-Life Server exec command buffer overflow
Risk Factor: Low
Attack Type: Host Based / Network Based
Platforms Affected: Half-Life Dedicated Server All versions
Vulnerability: halflife-exec-bo
X-Force URL: http://xforce.iss.net/static/6219.php
Date Reported: 03/11/2001
Brief Description: Half-Life Server map command buffer overflow
Risk Factor: Low
Attack Type: Network Based
Platforms Affected: Half-Life Dedicated Server All versions
Vulnerability: halflife-map-bo
X-Force URL: http://xforce.iss.net/static/6218.php
Date Reported: 03/11/2001
Brief Description: Half-Life Server 'map' command format string
Risk Factor: Low
Attack Type: Host Based / Network Based
Platforms Affected: Half-Life Dedicated Server All versions
Vulnerability: halflife-map-format-string
X-Force URL: http://xforce.iss.net/static/6220.php
Date Reported: 03/11/2001
Brief Description: Ikonboard allows remote attackers to read files
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Ikonboard 2.1.7b and earlier
Vulnerability: ikonboard-cgi-read-files
X-Force URL: http://xforce.iss.net/static/6216.php
Date Reported: 03/12/2001
Brief Description: timed daemon remote denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Linux SuSE 7.1, Linux Mandrake 7.2, Linux SuSE 7.0, Linux
Mandrake Corporate Server 1.0.1, Linux Mandrake 6.0, Linux
Mandrake 6.1, FreeBSD 4.x, Linux Mandrake 7.0, Linux SuSE
6.1, Linux Mandrake 7.1, FreeBSD 3.x, Linux SuSE 6.3, Linux
SuSE 6.4, Linux SuSE 6.2
Vulnerability: timed-remote-dos
X-Force URL: http://xforce.iss.net/static/6228.php
Date Reported: 03/12/2001
Brief Description: imap, ipop2d and ipop3d buffer overflows
Risk Factor: Low
Attack Type: Network Based
Platforms Affected: OpenLinux eServer 2.3.1, OpenLinux eBuilder for ECential
3.0, OpenLinux eDesktop 2.4, OpenLinux 2.3, Linux SuSE 6.1,
Linux Conectiva
Vulnerability: imap-ipop2d-ipop3d-bo
X-Force URL: http://xforce.iss.net/static/6269.php
Date Reported: 03/12/2001
Brief Description: rwhod remote denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: FreeBSD 3.x, FreeBSD 4.x, Unix All versions
Vulnerability: rwhod-remote-dos
X-Force URL: http://xforce.iss.net/static/6229.php
Date Reported: 03/13/2001
Brief Description: SunOS snmpd argv[0] buffer overflow
Risk Factor: Medium
Attack Type: Host Based / Network Based
Platforms Affected: SunOS 5.8
Vulnerability: snmpd-argv-bo
X-Force URL: http://xforce.iss.net/static/6239.php
Date Reported: 03/13/2001
Brief Description: Mesa utah-glx symbolic link
Risk Factor: Medium
Attack Type: Host Based
Platforms Affected: Mesa prior to 3.3-14, Linux Mandrake 7.2
Vulnerability: mesa-utahglx-symlink
X-Force URL: http://xforce.iss.net/static/6231.php
Date Reported: 03/14/2001
Brief Description: Linux FTPfs buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: Linux 2.2.x, FTPfs 0.1.1
Vulnerability: ftpfs-bo
X-Force URL: http://xforce.iss.net/static/6234.php
Date Reported: 03/15/2001
Brief Description: Solaris snmpXdmid malformed DMI request buffer overflow
Risk Factor: Low
Attack Type: Host Based / Network Based
Platforms Affected: Solaris 7, Solaris 8, Solaris 2.6
Vulnerability: solaris-snmpxdmid-bo
X-Force URL: http://xforce.iss.net/static/6245.php
Date Reported: 03/15/2001
Brief Description: vBulletin PHP Web forum allows attackers to gain elevated
privileges
Risk Factor: Low
Attack Type: Network Based
Platforms Affected: vBulletin 1.1.5 and earlier, vBulletin 2.0beta2 and earlier,
Windows All versions, Unix All versions
Vulnerability: vbulletin-php-elevate-privileges
X-Force URL: http://xforce.iss.net/static/6237.php
Date Reported: 03/15/2001
Brief Description: MDaemon WorldClient Web services denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Windows NT All versions, Windows 2000 All versions, Mdaemon
3.5.6
Vulnerability: mdaemon-webservices-dos
X-Force URL: http://xforce.iss.net/static/6240.php
Date Reported: 03/16/2001
Brief Description: SSH ssheloop.c denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: SSH for Windows Server 2.4, SSH for Windows Server 2.5,
Windows All versions
Vulnerability: ssh-ssheloop-dos
X-Force URL: http://xforce.iss.net/static/6241.php
Date Reported: 03/18/2001
Brief Description: Eudora HTML emails could allow remote execution of code
Risk Factor: Low
Attack Type: Network Based
Platforms Affected: Windows All versions, Eudora 5.0.2
Vulnerability: eudora-html-execute-code
X-Force URL: http://xforce.iss.net/static/6262.php
Date Reported: 03/19/2001
Brief Description: ASPSeek s.cgi buffer overflow
Risk Factor: Low
Attack Type: Host Based / Network Based
Platforms Affected: Linux All versions, ASPSeek 1.0.3 and earlier
Vulnerability: aspseek-scgi-bo
X-Force URL: http://xforce.iss.net/static/6248.php
Date Reported: 03/20/2001
Brief Description: HSLCTF HTTP denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: AIX All versions, Unix All versions, HSLCTF 1.0
Vulnerability: hslctf-http-dos
X-Force URL: http://xforce.iss.net/static/6250.php
Date Reported: 03/20/2001
Brief Description: LICQ received URL execute commands
Risk Factor: Low
Attack Type: Network Based
Platforms Affected: Linux Mandrake Corporate Server 1.0.1, LICQ All, Linux
Mandrake 7.1, Linux Red Hat 7.0, Linux Mandrake 7.2
Vulnerability: licq-url-execute-commands
X-Force URL: http://xforce.iss.net/static/6261.php
Date Reported: 03/20/2001
Brief Description: SurfControl SuperScout allows user to bypass filtering rules
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: SurfControl SuperScout 3.0.2 and prior, Windows NT 4.0,
Windows 2000 All versions
Vulnerability: superscout-bypass-filtering
X-Force URL: http://xforce.iss.net/static/6300.php
Date Reported: 03/20/2001
Brief Description: DGUX lpsched buffer overflow
Risk Factor: Low
Attack Type: Host Based / Network Based
Platforms Affected: DG/UX All versions
Vulnerability: dgux-lpsched-bo
X-Force URL: http://xforce.iss.net/static/6258.php
Date Reported: 03/20/2001
Brief Description: REDIPlus stock trading software stores passwords in
plaintext
Risk Factor: Medium
Attack Type: Host Based
Platforms Affected: REDIPlus 1.0, Windows All versions
Vulnerability: rediplus-weak-security
X-Force URL: http://xforce.iss.net/static/6276.php
Date Reported: 03/20/2001
Brief Description: FCheck open() function allows the execution of commands
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: SCO All versions, FCheck prior to 2.07.59, SunOS All
versions, Windows All versions, Unix All versions, HP-UX All
versions, Linux All versions, Solaris All versions, AIX All
versions, BSD All versions
Vulnerability: fcheck-open-execute-commands
X-Force URL: http://xforce.iss.net/static/6256.php
Date Reported: 03/20/2001
Brief Description: NTMail long URL denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Windows 2000 All versions, NTMail 6, Windows NT 4.0
Vulnerability: ntmail-long-url-dos
X-Force URL: http://xforce.iss.net/static/6249.php
Date Reported: 03/21/2001
Brief Description: VIM text editor allows attackers to gain elevated privileges
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: VIM All versions, Linux Red Hat 5.2, Linux Red Hat 6.2,
Linux Red Hat 7.0
Vulnerability: vim-elevate-privileges
X-Force URL: http://xforce.iss.net/static/6259.php
Date Reported: 03/22/2001
Brief Description: FreeBSD UFS/EXT2FS could allow disclosure of deleted data
Risk Factor: Medium
Attack Type: Host Based
Platforms Affected: UFS All versions, EXT2FS All versions, FreeBSD All versions
Vulnerability: ufs-ext2fs-data-disclosure
X-Force URL: http://xforce.iss.net/static/6268.php
Date Reported: 03/22/2001
Brief Description: Microsoft invalid digital certificates could be used for
spoofing
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: Windows ME All versions, Windows 95 All versions, Windows 98
All versions, Windows 2000 All versions, Windows NT All
versions
Vulnerability: microsoft-invalid-digital-certificates
X-Force URL: http://xforce.iss.net/static/6265.php
Date Reported: 03/23/2001
Brief Description: Akopia Interchange could allow attacker to gain
administrative access
Risk Factor: Low
Attack Type: Network Based
Platforms Affected: Akopia Interchange 4.5.3 and 4.6.3
Vulnerability: akopia-interchange-gain-access
X-Force URL: http://xforce.iss.net/static/6273.php
Date Reported: 03/23/2001
Brief Description: Solaris /opt/JSParm/bin/perfmon allows user to create files
with root privileges
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: Solaris 2.x
Vulnerability: solaris-perfmon-create-files
X-Force URL: http://xforce.iss.net/static/6267.php
Date Reported: 03/23/2001
Brief Description: Windows user.dmp file insecure permissions
Risk Factor: Medium
Attack Type: Host Based
Platforms Affected: Windows NT All versions, Windows 2000 All versions
Vulnerability: win-userdmp-insecure-permission
X-Force URL: http://xforce.iss.net/static/6275.php
Date Reported: 03/23/2001
Brief Description: Compaq Web-enabled management software could allow users to
bypass proxy settings
Risk Factor: Low
Attack Type: Host Based / Network Based
Platforms Affected: Compaq Web-Enabled Management All versions
Vulnerability: compaq-wbm-bypass-proxy
X-Force URL: http://xforce.iss.net/static/6264.php
Date Reported: 03/25/2001
Brief Description: MDaemon IMAP SELECT and EXAMINE command denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Windows All versions, Mdaemon 3.5.6
Vulnerability: mdaemon-imap-command-dos
X-Force URL: http://xforce.iss.net/static/6279.php
Date Reported: 03/25/2001
Brief Description: HP-UX 11.11 newgrp(1) command allows users to gain additional privileges
Risk Factor: High
Attack Type: Host Based
Platforms Affected: HP-UX 11.11
Vulnerability: hp-newgrp-additional-privileges
X-Force URL: http://xforce.iss.net/static/6282.php
Date Reported: 03/26/2001
Brief Description: 602Pro LAN SUITE webprox.dll denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Windows All versions, 602Pro LAN SUITE 2000a All versions
Vulnerability: lan-suite-webprox-dos
X-Force URL: http://xforce.iss.net/static/6281.php
Date Reported: 03/26/2001
Brief Description: BEA WebLogic Server could allow attackers to browse Web
directories
Risk Factor: High
Attack Type: Network Based
Platforms Affected: WebLogic Server 6.0, Windows All versions
Vulnerability: weblogic-browse-directories
X-Force URL: http://xforce.iss.net/static/6283.php
Date Reported: 03/27/2001
Brief Description: Solaris tip buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: Solaris 8, Solaris 2.5.1, Solaris 2.6, Solaris 7
Vulnerability: solaris-tip-bo
X-Force URL: http://xforce.iss.net/static/6284.php
Date Reported: 03/27/2001
Brief Description: SonicWALL IKE pre-shared key is 48 bytes instead of 128
bytes
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: SonicWALL TELE2 6.0.0, SonicWALL SOHO2 6.0.0
Vulnerability: sonicwall-ike-shared-keys
X-Force URL: http://xforce.iss.net/static/6304.php
Date Reported: 03/27/2001
Brief Description: Anaconda Foundation Clipper directory traversal
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Anaconda Foundation Clipper 3.3
Vulnerability: anaconda-clipper-directory-traversal
X-Force URL: http://xforce.iss.net/static/6286.php
Date Reported: 03/27/2001
Brief Description: Microsoft Visual Studio VB-TSQL buffer overflow
Risk Factor: Low
Attack Type: Network Based
Platforms Affected: Windows 2000 All versions, Microsoft Visual Studio 6.0
Enterprise Ed., Windows NT All versions
Vulnerability: visual-studio-vbtsql-bo
X-Force URL: http://xforce.iss.net/static/6288.php
Date Reported: 03/27/2001
Brief Description: SCO OpenServer deliver buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: SCO OpenServer 5.0.6
Vulnerability: sco-openserver-deliver-bo
X-Force URL: http://xforce.iss.net/static/6302.php
Date Reported: 03/27/2001
Brief Description: SCO OpenServer lpadmin buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: SCO OpenServer 5.0.6
Vulnerability: sco-openserver-lpadmin-bo
X-Force URL: http://xforce.iss.net/static/6291.php
Date Reported: 03/27/2001
Brief Description: SCO OpenServer lpforms buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: SCO OpenServer 5.0.6
Vulnerability: sco-openserver-lpforms-bo
X-Force URL: http://xforce.iss.net/static/6293.php
Date Reported: 03/27/2001
Brief Description: SCO OpenServer lpshut buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: SCO OpenServer 5.0.6
Vulnerability: sco-openserver-lpshut-bo
X-Force URL: http://xforce.iss.net/static/6290.php
Date Reported: 03/27/2001
Brief Description: SCO OpenServer lpusers buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: SCO OpenServer 5.0.6
Vulnerability: sco-openserver-lpusers-bo
X-Force URL: http://xforce.iss.net/static/6292.php
Date Reported: 03/27/2001
Brief Description: SCO OpenServer recon buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: SCO OpenServer 5.0.6
Vulnerability: sco-openserver-recon-bo
X-Force URL: http://xforce.iss.net/static/6289.php
Date Reported: 03/27/2001
Brief Description: SCO OpenServer sendmail buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: SCO OpenServer 5.0.6
Vulnerability: sco-openserver-sendmail-bo
X-Force URL: http://xforce.iss.net/static/6303.php
Date Reported: 03/28/2001
Brief Description: Inframail POST command denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Windows All versions, Inframail 3.97a and earlier, Linux All
versions
Vulnerability: inframail-post-dos
X-Force URL: http://xforce.iss.net/static/6297.php
Date Reported: 03/28/2001
Brief Description: Cisco VPN 3000 Concentrators Telnet denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Cisco VPN 3000 Concentrators prior to 3.0.00
Vulnerability: cisco-vpn-telnet-dos
X-Force URL: http://xforce.iss.net/static/6298.php
Date Reported: 03/28/2001
Brief Description: WebSite Professional remote manager service denial of
service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: O'Reilly WebSite Pro 3.0.37
Vulnerability: website-pro-remote-dos
X-Force URL: http://xforce.iss.net/static/6295.php
Date Reported: 03/28/2001
Brief Description: Windows Me and Plus! 98 could allow the recovery of
Compressed Folder passwords
Risk Factor: Medium
Attack Type: Host Based
Platforms Affected: Windows 98 All versions, Windows 98 Second Edition, Windows
ME All versions
Vulnerability: win-compressed-password-recovery
X-Force URL: http://xforce.iss.net/static/6294.php
_____
Risk Factor Key:
High Any vulnerability that provides an attacker with immediate
access into a machine, gains superuser access, or bypasses
a firewall. Example: A vulnerable Sendmail 8.6.5 version
that allows an intruder to execute commands on mail
server.
Medium Any vulnerability that provides information that has a
high potential of giving system access to an intruder.
Example: A misconfigured TFTP or vulnerable NIS server
that allows an intruder to get the password file that
could contain an account with a guessable password.
Low Any vulnerability that provides information that
potentially could lead to a compromise. Example: A
finger that allows an intruder to find out who is online
and potential accounts to attempt to crack passwords
via brute force methods.
________
Internet Security Systems is the leading global provider of security
management solutions for the Internet, protecting digital assets and
ensuring safe and uninterrupted e-business. With its industry-leading
intrusion detection and vulnerability assessment, remote managed security
services, and strategic consulting and education offerings, ISS is a
trusted security provider to more than 8,000 customers worldwide including
21 of the 25 largest U.S. commercial banks and the top 10 U.S.
telecommunications companies. Founded in 1994, ISS is headquartered in
Atlanta, GA, with additional offices throughout North America and
international operations in Asia, Australia, Europe, Latin America and the
Middle East. For more information, visit the Internet Security Systems web
site at www.iss.net or call 888-901-7477.
Copyright (c) 2001 by Internet Security Systems, Inc.
Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express consent
of the X-Force. If you wish to reprint the whole or any part of this Alert
in any other medium excluding electronic medium, please e-mail
xforce@iss.net for permission.
Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.
X-Force PGP Key available at: http://xforce.iss.net/sensitive.php as
well as on MIT's PGP key server and PGP.com's key server.
Please send suggestions, updates, and comments to: X-Force xforce@iss.net
of Internet Security Systems, Inc.
VAR-200103-0029 | CVE-2000-0368 | Classic Cisco IOS Access sensitive data vulnerability |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
Classic Cisco IOS 9.1 and later allows attackers with access to the login prompt to obtain portions of the command history of previous users, which may allow the attacker to access sensitive data. IOS is prone to a local security vulnerability. Vulnerabilities exist in Classic Cisco IOS 9.1 and later versions.
VAR-200106-0028 | CVE-2001-0151 | Sun Solaris SNMP proxy agent /opt/SUNWssp/bin/snmpd contains buffer overflow |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
IIS 5.0 allows remote attackers to cause a denial of service via a series of malformed WebDAV requests. The SNMP proxy agent on certain large Solaris systems contains a buffer overflow. It may be possible, though it is unconfirmed, that an intruder could use this flaw to execute code with root privileges. WebDAV in Microsoft IIS has a flaw in its handling of invalid requests that consumes a large amount of CPU resources. The WebDAV service may be put into a denial-of-service (DoS) state. Solaris is the Unix Operating System variant distributed and maintained by Sun Microsystems. Solaris is a freely available operating system designed to run on systems of varying size with maximum scalability.
A problem with the SNMP Daemon included in the SUNWsspop package results in a buffer overflow, and potentially the execution of arbitrary code. Upon parsing the argv[0] variable from the command line, this information is stored in a static buffer. The static buffer is vulnerable to being overflowed at 700 bytes of data. This vulnerability is only present on systems acting as the System Service Processor for an E10000, or on any system with the SUNWsspop package installed. This vulnerability is also known to restart all IIS services. WebDAV contains a flaw in the handling of certain malformed requests. Submitting a valid WebDAV request containing numerous ':' could cause a remote restart of the server. This vulnerability has been known to affect the server performance and could lead to a denial of service condition, however this has not been verified.
-----BEGIN PGP SIGNED MESSAGE-----
Internet Security Systems Security Alert Summary
April 5, 2001
Volume 6 Number 5
X-Force Vulnerability and Threat Database: http://xforce.iss.net/ To
receive these Alert Summaries as well as other Alerts and Advisories,
subscribe to the Internet Security Systems Alert mailing list at:
http://xforce.iss.net/maillists/index.php
This summary can be found at http://xforce.iss.net/alerts/vol-6_num-5.php
_____
Contents:
* 80 Reported Vulnerabilities
* Risk Factor Key
_____
Date Reported: 03/01/2001
Brief Description: Palm OS Debug Mode allows attacker to bypass password
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: Palm OS 3.5.2, Palm OS 3.3
Vulnerability: palm-debug-bypass-password
X-Force URL: http://xforce.iss.net/static/6196.php
Date Reported: 03/01/2001
Brief Description: Microsoft Exchange malformed URL request could cause a
denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Microsoft Exchange 2000
Vulnerability: exchange-malformed-url-dos
X-Force URL: http://xforce.iss.net/static/6172.php
Date Reported: 03/02/2001
Brief Description: Mailx buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: OpenLinux 2.4, OpenLinux 2.3, Linux Debian 2.2
Vulnerability: mailx-bo
X-Force URL: http://xforce.iss.net/static/6181.php
Date Reported: 03/02/2001
Brief Description: SunFTP allows attackers to gain unauthorized file access
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: SunFTP 1.0 Build 9
Vulnerability: sunftp-gain-access
X-Force URL: http://xforce.iss.net/static/6195.php
Date Reported: 03/02/2001
Brief Description: WinZip /zipandemail option buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: Windows 2000 All versions, Winzip 8.0, Windows NT All
versions
Vulnerability: winzip-zipandemail-bo
X-Force URL: http://xforce.iss.net/static/6191.php
Date Reported: 03/04/2001
Brief Description: Broker FTP Server allows remote attacker to delete files
outside the FTP root
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Broker FTP Server All versions
Vulnerability: broker-ftp-delete-files
X-Force URL: http://xforce.iss.net/static/6190.php
Date Reported: 03/04/2001
Brief Description: Broker FTP allows remote user to list directories outside
the FTP root
Risk Factor: High
Attack Type: Network Based
Platforms Affected: Broker FTP Server All versions
Vulnerability: broker-ftp-list-directories
X-Force URL: http://xforce.iss.net/static/6189.php
Date Reported: 03/04/2001
Brief Description: INDEXU allows attackers to gain unauthorized system access
Risk Factor: Low
Attack Type: Host Based / Network Based
Platforms Affected: INDEXU 2.0beta and earlier
Vulnerability: indexu-gain-access
X-Force URL: http://xforce.iss.net/static/6202.php
Date Reported: 03/04/2001
Brief Description: Fastream FTP++ Client allows user to download files outside
of Web root directory
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Fastream FTP++ Server 2.0
Vulnerability: fastream-ftp-directory-traversal
X-Force URL: http://xforce.iss.net/static/6187.php
Date Reported: 03/04/2001
Brief Description: SlimServe HTTPd directory traversal
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: SlimServe HTTPd 1.1 and earlier
Vulnerability: slimserve-httpd-directory-traversal
X-Force URL: http://xforce.iss.net/static/6186.php
Date Reported: 03/04/2001
Brief Description: WFTPD Pro buffer overflow
Risk Factor: Low
Attack Type: Network Based
Platforms Affected: WFTPD Pro 3.00
Vulnerability: wftpd-pro-bo
X-Force URL: http://xforce.iss.net/static/6184.php
Date Reported: 03/05/2001
Brief Description: IRCd tkserv buffer overflow
Risk Factor: Low
Attack Type: Network Based
Platforms Affected: IRCd All versions, tkserv 1.3.0 and earlier
Vulnerability: irc-tkserv-bo
X-Force URL: http://xforce.iss.net/static/6193.php
Date Reported: 03/06/2001
Brief Description: War FTPD could allow attackers to list directories outside
the FTP root
Risk Factor: High
Attack Type: Network Based
Platforms Affected: WarFTPD 1.67b4
Vulnerability: warftp-directory-traversal
X-Force URL: http://xforce.iss.net/static/6197.php
Date Reported: 03/06/2001
Brief Description: Internet Explorer could allow execution of commands when
used with Telnet
Risk Factor: Low
Attack Type: Host Based / Network Based
Platforms Affected: Internet Explorer 5.5, Services for Unix 2.0, Windows NT All
versions, Windows 2000 All versions, Internet Explorer 5.01
Vulnerability: ie-telnet-execute-commands
X-Force URL: http://xforce.iss.net/static/6230.php
Date Reported: 03/07/2001
Brief Description: Cisco Aironet Web access allows remote attacker to
view/modify configuration
Risk Factor: Low
Attack Type: Network Based
Platforms Affected: Aironet 340 Series Wireless Bridge Firmware 8.07, Aironet
340 Series Wireless Bridge Firmware 8.24, Aironet 340 Series
Wireless Bridge Firmware 7.x
Vulnerability: cisco-aironet-web-access
X-Force URL: http://xforce.iss.net/static/6200.php
Date Reported: 03/07/2001
Brief Description: Netscape Directory Server buffer overflow
Risk Factor: Low
Attack Type: Network Based
Platforms Affected: Netscape Directory Server 4.1, Netscape Directory Server
4.12, Windows NT All versions
Vulnerability: netscape-directory-server-bo
X-Force URL: http://xforce.iss.net/static/6233.php
Date Reported: 03/07/2001
Brief Description: Proftpd contains configuration error in postinst script when
running as root
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: Linux Debian 2.2
Vulnerability: proftpd-postinst-root
X-Force URL: http://xforce.iss.net/static/6208.php
Date Reported: 03/07/2001
Brief Description: proftpd /var symlink
Risk Factor: Medium
Attack Type: Host Based
Platforms Affected: Linux Debian 2.2
Vulnerability: proftpd-var-symlink
X-Force URL: http://xforce.iss.net/static/6209.php
Date Reported: 03/07/2001
Brief Description: man2html remote denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: man2html prior to 1.5.23
Vulnerability: man2html-remote-dos
X-Force URL: http://xforce.iss.net/static/6211.php
Date Reported: 03/07/2001
Brief Description: Linux ePerl buffer overflow
Risk Factor: Medium
Attack Type: Host Based / Network Based
Platforms Affected: Linux Mandrake 7.2, Linux Mandrake Corporate Server 1.0.1,
ePerl prior to 2.2.14, Linux Debian 2.2, Linux Mandrake 7.1
Vulnerability: linux-eperl-bo
X-Force URL: http://xforce.iss.net/static/6198.php
Date Reported: 03/08/2001
Brief Description: Novell NetWare could allow attackers to gain unauthorized
access
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Novell NetWare 4.01, Novell NetWare 5.1, Novell NetWare 3.1,
Novell NetWare 4.11, Novell NetWare 5.0
Vulnerability: novell-netware-unauthorized-access
X-Force URL: http://xforce.iss.net/static/6215.php
Date Reported: 03/08/2001
Brief Description: Linux sgml-tools symlink attack
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: Linux Mandrake Corporate Server 1.0.1, sgml-tools prior to
1.0.9-15, Linux Mandrake 7.2, Linux Immunix OS 6.2, Linux
Immunix OS 7.0 Beta, Linux Mandrake 6.0, Linux Mandrake 6.1,
Linux Red Hat 7.0, Linux Red Hat 6.2, Linux Debian 2.2,
Linux Mandrake 7.1, Linux Red Hat 5.2
Vulnerability: sgmltools-symlink
X-Force URL: http://xforce.iss.net/static/6201.php
Date Reported: 03/08/2001
Brief Description: HP-UX asecure denial of service
Risk Factor: Medium
Attack Type: Host Based
Platforms Affected: HP-UX 10.10, HP-UX 10.20, HP-UX 11, HP-UX 10.01
Vulnerability: hp-asecure-dos
X-Force URL: http://xforce.iss.net/static/6212.php
Date Reported: 03/08/2001
Brief Description: ascdc Afterstep buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: ascdc 0.3
Vulnerability: ascdc-afterstep-bo
X-Force URL: http://xforce.iss.net/static/6204.php
Date Reported: 03/08/2001
Brief Description: Microsoft IIS WebDAV denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: IIS 5.0
Vulnerability: iis-webdav-dos
X-Force URL: http://xforce.iss.net/static/6205.php
Date Reported: 03/08/2001
Brief Description: WEBsweeper HTTP request denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: WEBsweeper 4.0, Windows NT All versions
Vulnerability: websweeper-http-dos
X-Force URL: http://xforce.iss.net/static/6214.php
Date Reported: 03/09/2001
Brief Description: FOLDOC allows remote attackers to execute commands
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: FOLDEC All versions
Vulnerability: foldoc-cgi-execute-commands
X-Force URL: http://xforce.iss.net/static/6217.php
Date Reported: 03/09/2001
Brief Description: slrn newsreader wrapping/unwrapping buffer overflow
Risk Factor: Low
Attack Type: Network Based
Platforms Affected: Linux Immunix OS 7.0 Beta, Linux Debian 2.2, Linux Red Hat
7.0, Linux Immunix OS 6.2, Linux Red Hat 6.0, Linux Red Hat
6.1, Linux Red Hat 6.2
Vulnerability: slrn-wrapping-bo
X-Force URL: http://xforce.iss.net/static/6213.php
Date Reported: 03/09/2001
Brief Description: Linux mutt package contains format string when using IMAP
Risk Factor: Low
Attack Type: Host Based / Network Based
Platforms Affected: Linux Mandrake 7.2, Linux Mandrake Corporate Server 1.0.1,
Linux Mandrake 6.0, Linux Mandrake 6.1, Linux Red Hat 7.0,
Linux Mandrake 7.0, Linux Mandrake 7.1, Linux Conectiva,
Linux Red Hat 6.0, Linux Red Hat 6.1, Linux Red Hat 6.2,
Linux Red Hat 5.2
Vulnerability: mutt-imap-format-string
X-Force URL: http://xforce.iss.net/static/6235.php
Date Reported: 03/10/2001
Brief Description: FormMail could be used to flood servers with anonymous email
Risk Factor: High
Attack Type: Network Based
Platforms Affected: FormMail 1.0 to 1.6, Linux All versions
Vulnerability: formmail-anonymous-flooding
X-Force URL: http://xforce.iss.net/static/6242.php
Date Reported: 03/11/2001
Brief Description: Half-Life Server config file buffer overflow
Risk Factor: Low
Attack Type: Host Based / Network Based
Platforms Affected: Half-Life Dedicated Server All versions
Vulnerability: halflife-config-file-bo
X-Force URL: http://xforce.iss.net/static/6221.php
Date Reported: 03/11/2001
Brief Description: Half-Life Server exec command buffer overflow
Risk Factor: Low
Attack Type: Host Based / Network Based
Platforms Affected: Half-Life Dedicated Server All versions
Vulnerability: halflife-exec-bo
X-Force URL: http://xforce.iss.net/static/6219.php
Date Reported: 03/11/2001
Brief Description: Half-Life Server map command buffer overflow
Risk Factor: Low
Attack Type: Network Based
Platforms Affected: Half-Life Dedicated Server All versions
Vulnerability: halflife-map-bo
X-Force URL: http://xforce.iss.net/static/6218.php
Date Reported: 03/11/2001
Brief Description: Half-Life Server 'map' command format string
Risk Factor: Low
Attack Type: Host Based / Network Based
Platforms Affected: Half-Life Dedicated Server All versions
Vulnerability: halflife-map-format-string
X-Force URL: http://xforce.iss.net/static/6220.php
Date Reported: 03/11/2001
Brief Description: Ikonboard allows remote attackers to read files
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Ikonboard 2.1.7b and earlier
Vulnerability: ikonboard-cgi-read-files
X-Force URL: http://xforce.iss.net/static/6216.php
Date Reported: 03/12/2001
Brief Description: timed daemon remote denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Linux SuSE 7.1, Linux Mandrake 7.2, Linux SuSE 7.0, Linux
Mandrake Corporate Server 1.0.1, Linux Mandrake 6.0, Linux
Mandrake 6.1, FreeBSD 4.x, Linux Mandrake 7.0, Linux SuSE
6.1, Linux Mandrake 7.1, FreeBSD 3.x, Linux SuSE 6.3, Linux
SuSE 6.4, Linux SuSE 6.2
Vulnerability: timed-remote-dos
X-Force URL: http://xforce.iss.net/static/6228.php
Date Reported: 03/12/2001
Brief Description: imap, ipop2d and ipop3d buffer overflows
Risk Factor: Low
Attack Type: Network Based
Platforms Affected: OpenLinux eServer 2.3.1, OpenLinux eBuilder for ECential
3.0, OpenLinux eDesktop 2.4, OpenLinux 2.3, Linux SuSE 6.1,
Linux Conectiva
Vulnerability: imap-ipop2d-ipop3d-bo
X-Force URL: http://xforce.iss.net/static/6269.php
Date Reported: 03/12/2001
Brief Description: rwhod remote denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: FreeBSD 3.x, FreeBSD 4.x, Unix All versions
Vulnerability: rwhod-remote-dos
X-Force URL: http://xforce.iss.net/static/6229.php
Date Reported: 03/13/2001
Brief Description: SunOS snmpd argv[0] buffer overflow
Risk Factor: Medium
Attack Type: Host Based / Network Based
Platforms Affected: SunOS 5.8
Vulnerability: snmpd-argv-bo
X-Force URL: http://xforce.iss.net/static/6239.php
Date Reported: 03/13/2001
Brief Description: Mesa utah-glx symbolic link
Risk Factor: Medium
Attack Type: Host Based
Platforms Affected: Mesa prior to 3.3-14, Linux Mandrake 7.2
Vulnerability: mesa-utahglx-symlink
X-Force URL: http://xforce.iss.net/static/6231.php
Date Reported: 03/14/2001
Brief Description: Linux FTPfs buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: Linux 2.2.x, FTPfs 0.1.1
Vulnerability: ftpfs-bo
X-Force URL: http://xforce.iss.net/static/6234.php
Date Reported: 03/15/2001
Brief Description: Solaris snmpXdmid malformed DMI request buffer overflow
Risk Factor: Low
Attack Type: Host Based / Network Based
Platforms Affected: Solaris 7, Solaris 8, Solaris 2.6
Vulnerability: solaris-snmpxdmid-bo
X-Force URL: http://xforce.iss.net/static/6245.php
Date Reported: 03/15/2001
Brief Description: vBulletin PHP Web forum allows attackers to gain elevated
privileges
Risk Factor: Low
Attack Type: Network Based
Platforms Affected: vBulletin 1.1.5 and earlier, vBulletin 2.0beta2 and earlier,
Windows All versions, Unix All versions
Vulnerability: vbulletin-php-elevate-privileges
X-Force URL: http://xforce.iss.net/static/6237.php
Date Reported: 03/15/2001
Brief Description: MDaemon WorldClient Web services denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Windows NT All versions, Windows 2000 All versions, Mdaemon
3.5.6
Vulnerability: mdaemon-webservices-dos
X-Force URL: http://xforce.iss.net/static/6240.php
Date Reported: 03/16/2001
Brief Description: SSH ssheloop.c denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: SSH for Windows Server 2.4, SSH for Windows Server 2.5,
Windows All versions
Vulnerability: ssh-ssheloop-dos
X-Force URL: http://xforce.iss.net/static/6241.php
Date Reported: 03/18/2001
Brief Description: Eudora HTML emails could allow remote execution of code
Risk Factor: Low
Attack Type: Network Based
Platforms Affected: Windows All versions, Eudora 5.0.2
Vulnerability: eudora-html-execute-code
X-Force URL: http://xforce.iss.net/static/6262.php
Date Reported: 03/19/2001
Brief Description: ASPSeek s.cgi buffer overflow
Risk Factor: Low
Attack Type: Host Based / Network Based
Platforms Affected: Linux All versions, ASPSeek 1.0.3 and earlier
Vulnerability: aspseek-scgi-bo
X-Force URL: http://xforce.iss.net/static/6248.php
Date Reported: 03/20/2001
Brief Description: HSLCTF HTTP denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: AIX All versions, Unix All versions, HSLCTF 1.0
Vulnerability: hslctf-http-dos
X-Force URL: http://xforce.iss.net/static/6250.php
Date Reported: 03/20/2001
Brief Description: LICQ received URL execute commands
Risk Factor: Low
Attack Type: Network Based
Platforms Affected: Linux Mandrake Corporate Server 1.0.1, LICQ All, Linux
Mandrake 7.1, Linux Red Hat 7.0, Linux Mandrake 7.2
Vulnerability: licq-url-execute-commands
X-Force URL: http://xforce.iss.net/static/6261.php
Date Reported: 03/20/2001
Brief Description: SurfControl SuperScout allows user to bypass filtering rules
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: SurfControl SuperScout 3.0.2 and prior, Windows NT 4.0,
Windows 2000 All versions
Vulnerability: superscout-bypass-filtering
X-Force URL: http://xforce.iss.net/static/6300.php
Date Reported: 03/20/2001
Brief Description: DGUX lpsched buffer overflow
Risk Factor: Low
Attack Type: Host Based / Network Based
Platforms Affected: DG/UX All versions
Vulnerability: dgux-lpsched-bo
X-Force URL: http://xforce.iss.net/static/6258.php
Date Reported: 03/20/2001
Brief Description: REDIPlus stock trading software stores passwords in
plaintext
Risk Factor: Medium
Attack Type: Host Based
Platforms Affected: REDIPlus 1.0, Windows All versions
Vulnerability: rediplus-weak-security
X-Force URL: http://xforce.iss.net/static/6276.php
Date Reported: 03/20/2001
Brief Description: FCheck open() function allows the execution of commands
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: SCO All versions, FCheck prior to 2.07.59, SunOS All
versions, Windows All versions, Unix All versions, HP-UX All
versions, Linux All versions, Solaris All versions, AIX All
versions, BSD All versions
Vulnerability: fcheck-open-execute-commands
X-Force URL: http://xforce.iss.net/static/6256.php
Date Reported: 03/20/2001
Brief Description: NTMail long URL denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Windows 2000 All versions, NTMail 6, Windows NT 4.0
Vulnerability: ntmail-long-url-dos
X-Force URL: http://xforce.iss.net/static/6249.php
Date Reported: 03/21/2001
Brief Description: VIM text editor allows attackers to gain elevated privileges
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: VIM All versions, Linux Red Hat 5.2, Linux Red Hat 6.2,
Linux Red Hat 7.0
Vulnerability: vim-elevate-privileges
X-Force URL: http://xforce.iss.net/static/6259.php
Date Reported: 03/22/2001
Brief Description: FreeBSD UFS/EXT2FS could allow disclosure of deleted data
Risk Factor: Medium
Attack Type: Host Based
Platforms Affected: UFS All versions, EXT2FS All versions, FreeBSD All versions
Vulnerability: ufs-ext2fs-data-disclosure
X-Force URL: http://xforce.iss.net/static/6268.php
Date Reported: 03/22/2001
Brief Description: Microsoft invalid digital certificates could be used for
spoofing
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: Windows ME All versions, Windows 95 All versions, Windows 98
All versions, Windows 2000 All versions, Windows NT All
versions
Vulnerability: microsoft-invalid-digital-certificates
X-Force URL: http://xforce.iss.net/static/6265.php
Date Reported: 03/23/2001
Brief Description: Akopia Interchange could allow attacker to gain
administrative access
Risk Factor: Low
Attack Type: Network Based
Platforms Affected: Akopia Interchange 4.5.3 and 4.6.3
Vulnerability: akopia-interchange-gain-access
X-Force URL: http://xforce.iss.net/static/6273.php
Date Reported: 03/23/2001
Brief Description: Solaris /opt/JSParm/bin/perfmon allows user to create files
with root privileges
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: Solaris 2.x
Vulnerability: solaris-perfmon-create-files
X-Force URL: http://xforce.iss.net/static/6267.php
Date Reported: 03/23/2001
Brief Description: Windows user.dmp file insecure permissions
Risk Factor: Medium
Attack Type: Host Based
Platforms Affected: Windows NT All versions, Windows 2000 All versions
Vulnerability: win-userdmp-insecure-permission
X-Force URL: http://xforce.iss.net/static/6275.php
Date Reported: 03/23/2001
Brief Description: Compaq Web-enabled management software could allow users to
bypass proxy settings
Risk Factor: Low
Attack Type: Host Based / Network Based
Platforms Affected: Compaq Web-Enabled Management All versions
Vulnerability: compaq-wbm-bypass-proxy
X-Force URL: http://xforce.iss.net/static/6264.php
Date Reported: 03/25/2001
Brief Description: MDaemon IMAP SELECT and EXAMINE command denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Windows All versions, Mdaemon 3.5.6
Vulnerability: mdaemon-imap-command-dos
X-Force URL: http://xforce.iss.net/static/6279.php
Date Reported: 03/25/2001
Brief Description: HP-UX 11.11 newgrp(1) command allows users to gain additional privileges
Risk Factor: High
Attack Type: Host Based
Platforms Affected: HP-UX 11.11
Vulnerability: hp-newgrp-additional-privileges
X-Force URL: http://xforce.iss.net/static/6282.php
Date Reported: 03/26/2001
Brief Description: 602Pro LAN SUITE webprox.dll denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Windows All versions, 602Pro LAN SUITE 2000a All versions
Vulnerability: lan-suite-webprox-dos
X-Force URL: http://xforce.iss.net/static/6281.php
Date Reported: 03/26/2001
Brief Description: BEA WebLogic Server could allow attackers to browse Web
directories
Risk Factor: High
Attack Type: Network Based
Platforms Affected: WebLogic Server 6.0, Windows All versions
Vulnerability: weblogic-browse-directories
X-Force URL: http://xforce.iss.net/static/6283.php
Date Reported: 03/27/2001
Brief Description: Solaris tip buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: Solaris 8, Solaris 2.5.1, Solaris 2.6, Solaris 7
Vulnerability: solaris-tip-bo
X-Force URL: http://xforce.iss.net/static/6284.php
Date Reported: 03/27/2001
Brief Description: SonicWALL IKE pre-shared key is 48 bytes instead of 128
bytes
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: SonicWALL TELE2 6.0.0, SonicWALL SOHO2 6.0.0
Vulnerability: sonicwall-ike-shared-keys
X-Force URL: http://xforce.iss.net/static/6304.php
Date Reported: 03/27/2001
Brief Description: Anaconda Foundation Clipper directory traversal
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Anaconda Foundation Clipper 3.3
Vulnerability: anaconda-clipper-directory-traversal
X-Force URL: http://xforce.iss.net/static/6286.php
Date Reported: 03/27/2001
Brief Description: Microsoft Visual Studio VB-TSQL buffer overflow
Risk Factor: Low
Attack Type: Network Based
Platforms Affected: Windows 2000 All versions, Microsoft Visual Studio 6.0
Enterprise Ed., Windows NT All versions
Vulnerability: visual-studio-vbtsql-bo
X-Force URL: http://xforce.iss.net/static/6288.php
Date Reported: 03/27/2001
Brief Description: SCO OpenServer deliver buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: SCO OpenServer 5.0.6
Vulnerability: sco-openserver-deliver-bo
X-Force URL: http://xforce.iss.net/static/6302.php
Date Reported: 03/27/2001
Brief Description: SCO OpenServer lpadmin buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: SCO OpenServer 5.0.6
Vulnerability: sco-openserver-lpadmin-bo
X-Force URL: http://xforce.iss.net/static/6291.php
Date Reported: 03/27/2001
Brief Description: SCO OpenServer lpforms buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: SCO OpenServer 5.0.6
Vulnerability: sco-openserver-lpforms-bo
X-Force URL: http://xforce.iss.net/static/6293.php
Date Reported: 03/27/2001
Brief Description: SCO OpenServer lpshut buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: SCO OpenServer 5.0.6
Vulnerability: sco-openserver-lpshut-bo
X-Force URL: http://xforce.iss.net/static/6290.php
Date Reported: 03/27/2001
Brief Description: SCO OpenServer lpusers buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: SCO OpenServer 5.0.6
Vulnerability: sco-openserver-lpusers-bo
X-Force URL: http://xforce.iss.net/static/6292.php
Date Reported: 03/27/2001
Brief Description: SCO OpenServer recon buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: SCO OpenServer 5.0.6
Vulnerability: sco-openserver-recon-bo
X-Force URL: http://xforce.iss.net/static/6289.php
Date Reported: 03/27/2001
Brief Description: SCO OpenServer sendmail buffer overflow
Risk Factor: Low
Attack Type: Host Based
Platforms Affected: SCO OpenServer 5.0.6
Vulnerability: sco-openserver-sendmail-bo
X-Force URL: http://xforce.iss.net/static/6303.php
Date Reported: 03/28/2001
Brief Description: Inframail POST command denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Windows All versions, Inframail 3.97a and earlier, Linux All
versions
Vulnerability: inframail-post-dos
X-Force URL: http://xforce.iss.net/static/6297.php
Date Reported: 03/28/2001
Brief Description: Cisco VPN 3000 Concentrators Telnet denial of service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: Cisco VPN 3000 Concentrators prior to 3.0.00
Vulnerability: cisco-vpn-telnet-dos
X-Force URL: http://xforce.iss.net/static/6298.php
Date Reported: 03/28/2001
Brief Description: WebSite Professional remote manager service denial of
service
Risk Factor: Medium
Attack Type: Network Based
Platforms Affected: O'Reilly WebSite Pro 3.0.37
Vulnerability: website-pro-remote-dos
X-Force URL: http://xforce.iss.net/static/6295.php
Date Reported: 03/28/2001
Brief Description: Windows Me and Plus! 98 could allow the recovery of
Compressed Folder passwords
Risk Factor: Medium
Attack Type: Host Based
Platforms Affected: Windows 98 All versions, Windows 98 Second Edition, Windows
ME All versions
Vulnerability: win-compressed-password-recovery
X-Force URL: http://xforce.iss.net/static/6294.php
_____
Risk Factor Key:
High Any vulnerability that provides an attacker with immediate
access into a machine, gains superuser access, or bypasses
a firewall. Example: A vulnerable Sendmail 8.6.5 version
that allows an intruder to execute commands on mail
server.
Medium Any vulnerability that provides information that has a
high potential of giving system access to an intruder.
Example: A misconfigured TFTP or vulnerable NIS server
that allows an intruder to get the password file that
could contain an account with a guessable password.
Low Any vulnerability that provides information that
potentially could lead to a compromise. Example: A
finger that allows an intruder to find out who is online
and potential accounts to attempt to crack passwords
via brute force methods.
________
Internet Security Systems is the leading global provider of security
management solutions for the Internet, protecting digital assets and
ensuring safe and uninterrupted e-business. With its industry-leading
intrusion detection and vulnerability assessment, remote managed security
services, and strategic consulting and education offerings, ISS is a
trusted security provider to more than 8,000 customers worldwide including
21 of the 25 largest U.S. commercial banks and the top 10 U.S.
telecommunications companies. Founded in 1994, ISS is headquartered in
Atlanta, GA, with additional offices throughout North America and
international operations in Asia, Australia, Europe, Latin America and the
Middle East. For more information, visit the Internet Security Systems web
site at www.iss.net or call 888-901-7477.
Copyright (c) 2001 by Internet Security Systems, Inc.
Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express consent
of the X-Force. If you wish to reprint the whole or any part of this Alert
in any other medium excluding electronic medium, please e-mail
xforce@iss.net for permission.
Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.
X-Force PGP Key available at: http://xforce.iss.net/sensitive.php as
well as on MIT's PGP key server and PGP.com's key server.
Please send suggestions, updates, and comments to: X-Force xforce@iss.net
of Internet Security Systems, Inc.
VAR-200106-0024 | CVE-2001-0146 | Microsoft Windows 2000 Internet Information Server (IIS) and Exchange 2000 vulnerable to DoS via malformed URL (MS01-014) |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
IIS 5.0 and Microsoft Exchange 2000 allow remote attackers to cause a denial of service (memory allocation error) by repeatedly sending a series of specially formatted URLs. A vulnerability that affects Microsoft IIS 5.0 and Exchange 2000 allows an intruder to disrupt IIS web services and web-based mail services served via an Exchange server. Microsoft Exchange is subject to a denial of service condition due to the handling of web client requests. If an authenticated user requests a specially crafted URL multiple times to the host running Exchange, the web based mail service could stop responding. A restart of the service is required in order to gain normal functionality. Update: Microsoft IIS 5.0 suffers from a similar issue.
VAR-200102-0115 | CVE-2001-1434 | IOS CVE-2001-1434 Remote Security Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco IOS 12.0(5)XU through 12.1(2) allows remote attackers to read system administration and topology information via an "snmp-server host" command, which creates a readable "community" community string if one has not been previously created. There is a vulnerability that permits unauthorized access to several switch and router products manufactured by Cisco Systems. An attacker who gains access to an affected device can read its configuration, creating an information leak. IOS is prone to a remote security vulnerability
VAR-200102-0117 | CVE-2004-1776 | Cisco IOS/X12-X15 has default SNMP read/write string of "cable-docsis" |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Cisco IOS 12.1(3) and 12.1(3)T allows remote attackers to read and modify device configuration data via the cable-docsis read-write community string used by the Data Over Cable Service Interface Specification (DOCSIS) standard. There is a vulnerability that permits unauthorized access to several switch and router products manufactured by Cisco Systems. An attacker who gains access to an affected device can read and modify its configuration, creating a denial-of-service condition, an information leak, or both. IOS is prone to a remote security vulnerability. Cisco IOS 12.1(3) and 12.1(3)T vulnerabilities
VAR-200108-0111 | CVE-2001-0711 | Cisco IOS ILMI SNMP Community String Vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
Cisco IOS 11.x and 12.0 with ATM support allows attackers to cause a denial of service via the undocumented Interim Local Management Interface (ILMI) SNMP community string. There is a vulnerability in the remote management architecture for Asynchronous Transfer Mode (ATM) networking devices that permits unauthorized access to configuration information. An attacker who gains access to an affected device can read and modify its configuration, creating a denial-of-service condition, an information leak, or both. IOS is the operating system designed for various Cisco devices. It is maintained and distributed by Cisco systems.
A problem in the versions of IOS 11.x and 12.0 could allow unauthorized access to certain configuration variables within a Cisco device. The ILMI SNMP Community string allows read and write access to system objects in the MIB-II community group. These configuration parameters do not affect the normal operation of the device, although if changed, can cause confusion or lead to a social engineering attack.
It is possible for a malicious remote user to change configuration objects within the MIB-II Community, and rename the system, change the location name in the system, and/or the contact information for the system. This vulnerability affects only certain devices. There is a loophole in the SNMP implementation of IOS 11.x to 12.0 software, and remote attackers may use this loophole to obtain illegal access to the system
VAR-200111-0015 | CVE-2001-0911 | PHP-Nuke Cookie Fragile encryption mechanism vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
PHP-Nuke 5.1 stores user and administrator passwords in a base-64 encoded cookie, which could allow remote attackers to gain privileges by stealing or sniffing the cookie and decoding it. PHP-Nuke is a popular web based Portal system. It allows users to create accounts and contribute content to the site.
When a user authenticates to a PHP-Nuke based page, a cookie is created which includes that user's account name and password. This password is encoded using Base 64 encoding, and can be immediately decoded by anyone with access to the cookie's contents. Thus, an attacker able to gain access to this cookie may trivially learn the user's account name and password, and compromise that account.
Older versions of PHP-Nuke may also be vulnerable. PostNuke 0.6.4 (and possibly earlier versions) is also vulnerable. PHP Nuke uses a global variable named '$user'. It is normally retrieved from a cookie, but can be supplied in a URL. This value contains uuencoded values for the user information and the user's password hash.
These values are decoded on the server and used in various SQL queries during the execution of PHP Nuke scripts.
Several variables used in this query contain user-supplied input. These values may be injected into a uuencoded $user variable passed in a URL.
Attackers may modify the query so that its logic forces retrieval of sensitive information associated with arbitrary users. This could be accomplished if the attacker has a valid username.
If exploited, the attacker will have gained the encrypted password and user information of the target user.
The password could then be brute-forced, allowing further compromises of security on the affected host, including arbitrary file access and remote command execution as the webserver process. There is a security issue in this CGI program, which may lead to the disclosure of sensitive information
VAR-200102-0077 | CVE-2001-0041 |
IBM AIX setclock buffer overflow in remote timeserver argument
Related entries in the VARIoT exploits database: VAR-E-200012-0075 |
CVSS V2: 7.8 CVSS V3: - Severity: HIGH |
Memory leak in Cisco Catalyst 4000, 5000, and 6000 series switches allows remote attackers to cause a denial of service via a series of failed telnet authentication attempts. There is a buffer overflow in the IBM AIX setclock command that may allow local attackers to gain root privileges. Microsoft Internet Explorer DBCS Remote Memory Corruption Vulnerability
By Sowhat of Nevis Labs
Date: 2006.04.11
http://www.nevisnetworks.com
http://secway.org/advisory/AD20060411.txt
http://www.microsoft.com/technet/security/bulletin/MS06-013.mspx
CVE: CVE-2006-1189
Vendor
Microsoft Inc.
Products affected:
Internet Explorer 6 Service Pack 1 on Microsoft Windows 2000 Service Pack 4
and Microsoft Windows XP Service Pack 1
Internet Explorer 6 for Microsoft Windows XP Service Pack 2
Internet Explorer 6 for Microsoft Windows Server 2003
Internet Explorer 6 Service Pack 1 on Microsoft Windows 98, Microsoft
Windows 98 SE, and Microsoft Windows Millennium Edition
This vulnerability affects systems that use Double-Byte Character Sets.
Systems that are affected are Windows language versions that use a
Double Byte Character Set language. Examples of languages that use DBCS
are Chinese, Japanese, and Korean languages. Customers using
other language versions of Windows might also be affected if "Language
for non-Unicode programs" has been set to a Double Byte Character Set
language.
Overview:
There exists a buffer overflow in Microsoft Internet Explorer in the
parsing of DBCS URLS.
This vulnerability could allow an attacker to execute arbitrary code on the
victim's system when the victim visits a web page or views an HTML email
message.
This attack may be utilized wherever IE parses HTML, such as webpages, email,
newsgroups, and within applications utilizing web-browsing functionality.
Details:
URLMON.DLL does not properly validate IDN containing double-byte character
sets (DBCS), which may lead to remote code execution.
Exploiting this vulnerability seems to need a lot more work, but we
believe that exploitation is possible.
POC:
No PoC will be released for this.
FIX:
Microsoft has released an update for Internet Explorer which is
set to address this issue. This can be downloaded from:
http://www.microsoft.com/technet/security/bulletin/MS06-013.mspx
Vendor Response:
2005.12.29 Vendor notified via secure@microsoft.com
2005.12.29 Vendor responded
2006.04.11 Vendor released MS06-0xx patch
2006.04.11 Advisory released
Common Vulnerabilities and Exposures (CVE) Information:
The Common Vulnerabilities and Exposures (CVE) project has assigned
the following names to these issues. These are candidates for
inclusion in the CVE list (http://cve.mitre.org), which standardizes
names for security problems.
CVE-2006-1189
Greetings to Lennart@MS, Chi, OYXin, Narasimha Datta, all Nevis Labs guys,
all XFocus and 0x557 guys :)
References:
1. http://www.microsoft.com/technet/security/bulletin/MS06-013.mspx
2. http://www.nsfocus.com/english/homepage/research/0008.htm
3. http://xforce.iss.net/xforce/xfdb/5729
4. http://www.securityfocus.com/bid/2100/discuss
5. http://www.inter-locale.com/whitepaper/IUC27-a303.html
6. http://blogs.msdn.com/michkap/archive/2005/10/28/486034.aspx
7. [Mozilla Firefox IDN "Host:" Buffer Overflow]
http://www.security-protocols.com/advisory/sp-x17-advisory.txt
8. [Mozilla Firefox 1.5 Beta 1 IDN Buffer Overflow]
http://www.security-protocols.com/advisory/sp-x18-advisory.txt
9. http://72.14.203.104/search?q=cache:Dxn-V4fil1IJ:developer.novell.com/research/devnotes/1995/may/02/05.htm
--
Sowhat
http://secway.org
"Life is like a bug, Do you know how to exploit it ?"
VAR-200105-0067 | CVE-2001-0321 | PHP-Nuke opendir.php Remote directory traversal vulnerability |
CVSS V2: 5.0 CVSS V3: - Severity: MEDIUM |
opendir.php script in PHP-Nuke allows remote attackers to read arbitrary files by specifying the filename as an argument to the requesturl parameter. PHP-Nuke is prone to a remote security vulnerability. PHP-Nuke is a popular website development and management tool. PHP-Nuke's opendir.php script implementation has an input validation vulnerability. Link: http://www.iss.net/security_center/static/6512.php
VAR-200112-0219 | CVE-2001-1480 | Sun JRE/SDK Clipboard popup vulnerability |
CVSS V2: 7.5 CVSS V3: - Severity: HIGH |
Java Runtime Environment (JRE) and SDK 1.2 through 1.3.0_04 allows untrusted applets to access the system clipboard. In the default java security model for applets, this access should not be granted
VAR-200102-0055 | CVE-2001-0019 | Cisco Content service Switch Very long filename service denial vulnerability |
CVSS V2: 2.1 CVSS V3: - Severity: LOW |
Arrowpoint (aka Cisco Content Services, or CSS) allows local users to cause a denial of service via a long argument to the "show script," "clear script," "show archive," "clear archive," "show log," or "clear log" commands. The Cisco Content Services (CSS) switches are hardware designed to provide enhanced web services for e-commerce and Web Content delivery using the Cisco Web Network Services (Web NS). The CSS switch is distributed by Cisco Systems.
A problem in the CSS could allow a local user to deny service to legitimate users. The problem occurs in the handling of input by local users. A user must have access to the switch command line interface prior to launching an attack, but not have administrative privileges. Upon connecting to a non-privileged account, a user can locally execute a command on the switch which requires a file name as an argument. Upon specifying a filename that is the maximum size of the filename buffer, the switch reboots and starts system checks.
This vulnerability makes it possible for a user with malicious intentions to connect to a switch granting sufficient privileges, and execute a command that could deny service to legitimate network users. This vulnerability affects CSS switches 11050, 11150, and 11800