VARIoT IoT vulnerabilities database

Buffer overflow in httpGets function in CUPS 1.1.5 allows remote attackers to execute arbitrary commands via a long input line. Multiple Cisco networking products contain a denial-of-service vulnerability. There is an information integrity vulnerability in the SSH1 protocol that allows packets encrypted with a block cipher to be modified without notice. The program pgp4pine version 1.75.6 fails to properly identify expired keys when working with the Gnu Privacy Guard program (GnuPG). This failure may result in the clear-text transmission of senstive information when used with the PINE mail reading package. The SEDUM web server permits intruders to access files outside the web root. Secure Shell, or SSH, is an encrypted remote access protocol. SSH or code based on SSH is used by many systems all over the world and in a wide variety of commercial applications. An integer-overflow bug in the CRC32 compensation attack detection code may allow remote attackers to write values to arbitrary locations in memory. This would occur in situations where large SSH packets are recieved by either a client or server, and a 32 bit representation of the SSH packet length is assigned to a 16 bit integer. The difference in data representation in these situations will cause the 16 bit variable to be assigned to zero (or a really low value). As a result, future calls to malloc() as well as an index used to reference locations in memory can be corrupted by an attacker. This could occur in a manner that can be exploited to write certain numerical values to almost arbitrary locations in memory. **UPDATE**: There have been reports suggesting that exploitation of this vulnerability may be widespread. Since early september, independent, reliable sources have confirmed that this vulnerability is being exploited by attackers on the Internet. Security Focus does not currently have the exploit code being used, however this record will be updated if and when it becomes available. NOTE: Cisco 11000 Content Service Switch family is vulnerable to this issue. All WebNS releases prior, but excluding, versions: 4.01 B42s, 4.10 22s, 5.0 B11s, 5.01 B6s, are vulnerable. Secure Computing SafeWord Agent for SSH is reportedly prone to this issue, as it is based on a vulnerable version of SSH. ** NetScreen ScreenOS is not directly vulnerable to this issue, however the referenced exploit will cause devices using vulnerable versions of the software to stop functioning properly. This will result in a denial of service condition for NetScreen devices. This issue is in the Secure Command Shell (SCS) administrative interface, which is an implementation of SSHv1. SCS is not enabled on NetScreen devices by default. Cisco has reported that scanning for SSH vulnerabilities on affected devices will cause excessive CPU consumption. The condition is due to a failure of the Cisco SSH implementation to properly process large SSH packets. As many of these devices are critical infrastructure components, more serious network outages may occur. Cisco has released upgrades that will eliminate this vulnerability. An expired public key could cause GPG to fail the encryption of an outgoing message, without any error message or warning being delivered to the user. As a result, the user could transmit data, meant to be encrypted, as plaintext. CUPS is prone to a remote security vulnerability. TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to majordomo@iss.net Contact alert-owner@iss.net for help with any problems! --------------------------------------------------------------------------- -----BEGIN PGP SIGNED MESSAGE----- ISS X-Force has received reports that some individuals were unable to verify the PGP signature on the Security Alert Summary distributed earlier in the week. Due to this issue, X-Force is re-distributing the Security Alert Summary. We apologize for any inconvience this may have caused. Internet Security Systems Security Alert Summary March 5, 2001 Volume 6 Number 4 X-Force Vulnerability and Threat Database: http://xforce.iss.net/ To receive these Alert Summaries as well as other Alerts and Advisories, subscribe to the Internet Security Systems Alert mailing list at: http://xforce.iss.net/maillists/index.php This summary can be found at http://xforce.iss.net/alerts/vol-6_num-4.php _____ Contents 90 Reported Vulnerabilities Risk Factor Key _____ Date Reported: 2/27/01 Vulnerability: a1-server-dos Platforms Affected: A1 Server Risk Factor: Medium Attack Type: Network Based Brief Description: A1 Server denial of service X-Force URL: http://xforce.iss.net/static/6161.php _____ Date Reported: 2/27/01 Vulnerability: a1-server-directory-traversal Platforms Affected: A1 Server Risk Factor: Medium Attack Type: Network Based Brief Description: A1 Server directory traversal X-Force URL: http://xforce.iss.net/static/6162.php _____ Date Reported: 2/27/01 Vulnerability: webreflex-web-server-dos Platforms Affected: WebReflex Risk Factor: Medium Attack Type: Network Based Brief Description: WebReflex Web server denial of service X-Force URL: http://xforce.iss.net/static/6163.php _____ Date Reported: 2/26/01 Vulnerability: sudo-bo-elevate-privileges Platforms Affected: Sudo Risk Factor: Medium Attack Type: Host Based Brief Description: Sudo buffer overflow could allow elevated user privileges X-Force URL: http://xforce.iss.net/static/6153.php _____ Date Reported: 2/26/01 Vulnerability: mygetright-skin-overwrite-file Platforms Affected: My GetRight Risk Factor: High Attack Type: Network Based Brief Description: My GetRight 'skin' allows remote attacker to overwrite existing files X-Force URL: http://xforce.iss.net/static/6155.php _____ Date Reported: 2/26/01 Vulnerability: mygetright-directory-traversal Platforms Affected: My GetRight Risk Factor: Medium Attack Type: Network Based Brief Description: My GetRight directory traversal X-Force URL: http://xforce.iss.net/static/6156.php _____ Date Reported: 2/26/01 Vulnerability: win2k-event-viewer-bo Platforms Affected: Windows 2000 Risk Factor: once-only Attack Type: Host Based Brief Description: Windows 2000 event viewer buffer overflow X-Force URL: http://xforce.iss.net/static/6160.php _____ Date Reported: 2/26/01 Vulnerability: netscape-collabra-cpu-dos Platforms Affected: Netscape Risk Factor: Medium Attack Type: Network Based Brief Description: Netscape Collabra CPU denial of service X-Force URL: http://xforce.iss.net/static/6159.php _____ Date Reported: 2/26/01 Vulnerability: netscape-collabra-kernel-dos Platforms Affected: Netscape Risk Factor: Medium Attack Type: Network Based Brief Description: Netscape Collabra Server kernel denial of service X-Force URL: http://xforce.iss.net/static/6158.php _____ Date Reported: 2/23/01 Vulnerability: mercur-expn-bo Platforms Affected: MERCUR Risk Factor: High Attack Type: Network Based Brief Description: MERCUR Mailserver EXPN buffer overflow X-Force URL: http://xforce.iss.net/static/6149.php _____ Date Reported: 2/23/01 Vulnerability: sedum-http-dos Platforms Affected: SEDUM Risk Factor: Medium Attack Type: Network Based Brief Description: SEDUM HTTP server denial of service X-Force URL: http://xforce.iss.net/static/6152.php _____ Date Reported: 2/23/01 Vulnerability: tru64-inetd-dos Platforms Affected: Tru64 Risk Factor: Medium Attack Type: Host Based Brief Description: Tru64 UNIX inetd denial of service X-Force URL: http://xforce.iss.net/static/6157.php _____ Date Reported: 2/22/01 Vulnerability: outlook-vcard-bo Platforms Affected: Microsoft Outlook Risk Factor: High Attack Type: Host Based Brief Description: Outlook and Outlook Express vCards buffer overflow X-Force URL: http://xforce.iss.net/static/6145.php _____ Date Reported: 2/22/01 Vulnerability: ultimatebb-cookie-member-number Platforms Affected: Ultimate Bulletin Board Risk Factor: High Attack Type: Network Based Brief Description: Ultimate Bulletin Board cookie allows attacker to change member number X-Force URL: http://xforce.iss.net/static/6144.php _____ Date Reported: 2/21/01 Vulnerability: ultimatebb-cookie-gain-privileges Platforms Affected: Ultimate Bulletin Board Risk Factor: Medium Attack Type: Network Based Brief Description: Ultimate Bulletin Board allows remote attacker to obtain cookie information X-Force URL: http://xforce.iss.net/static/6142.php _____ Date Reported: 2/21/01 Vulnerability: sendmail-elevate-privileges Platforms Affected: Sendmail Risk Factor: High Attack Type: Host Based Brief Description: Sendmail -bt command could allow the elevation of privileges X-Force URL: http://xforce.iss.net/static/6147.php _____ Date Reported: 2/21/01 Vulnerability: jre-jdk-execute-commands Platforms Affected: JRE/JDK Risk Factor: High Attack Type: Host Based Brief Description: JRE/JDK could allow unauthorized execution of commands X-Force URL: http://xforce.iss.net/static/6143.php _____ Date Reported: 2/20/01 Vulnerability: licq-remote-port-dos Platforms Affected: LICQ Risk Factor: Medium Attack Type: Network Based Brief Description: LICQ remote denial of service X-Force URL: http://xforce.iss.net/static/6134.php _____ Date Reported: 2/20/01 Vulnerability: pgp4pine-expired-keys Platforms Affected: pgp4pine Risk Factor: Medium Attack Type: Host Based Brief Description: pgp4pine may transmit messages using expired public keys X-Force URL: http://xforce.iss.net/static/6135.php _____ Date Reported: 2/20/01 Vulnerability: chilisoft-asp-view-files Platforms Affected: Chili!Soft ASP Risk Factor: High Attack Type: Network Based Brief Description: Chili!Soft ASP allows remote attackers to gain access to sensitive information X-Force URL: http://xforce.iss.net/static/6137.php _____ Date Reported: 2/20/01 Vulnerability: win2k-domain-controller-dos Platforms Affected: Windows 2000 Risk Factor: once-only Attack Type: Network/Host Based Brief Description: Windows 2000 domain controller denial of service X-Force URL: http://xforce.iss.net/static/6136.php _____ Date Reported: 2/19/01 Vulnerability: asx-remote-dos Platforms Affected: ASX Switches Risk Factor: Medium Attack Type: Network Based Brief Description: ASX switches allow remote denial of service X-Force URL: http://xforce.iss.net/static/6133.php _____ Date Reported: 2/18/01 Vulnerability: http-cgi-mailnews-username Platforms Affected: Mailnews.cgi Risk Factor: High Attack Type: Network Based Brief Description: Mailnews.cgi allows remote attacker to execute shell commands using username X-Force URL: http://xforce.iss.net/static/6139.php _____ Date Reported: 2/17/01 Vulnerability: badblue-ext-reveal-path Platforms Affected: BadBlue Risk Factor: Low Attack Type: Network Based Brief Description: BadBlue ext.dll library reveals path X-Force URL: http://xforce.iss.net/static/6130.php _____ Date Reported: 2/17/01 Vulnerability: badblue-ext-dos Platforms Affected: BadBlue Risk Factor: Medium Attack Type: Network Based Brief Description: BadBlue ext.dll library denial of service X-Force URL: http://xforce.iss.net/static/6131.php _____ Date Reported: 2/17/01 Vulnerability: moby-netsuite-bo Platforms Affected: Moby's NetSuite Risk Factor: Medium Attack Type: Network Based Brief Description: Moby's NetSuite Web server buffer overflow X-Force URL: http://xforce.iss.net/static/6132.php _____ Date Reported: 2/16/01 Vulnerability: webactive-directory-traversal Platforms Affected: WEBactive Risk Factor: Medium Attack Type: Network/Host Based Brief Description: WEBactive HTTP Server directory traversal X-Force URL: http://xforce.iss.net/static/6121.php _____ Date Reported: 2/16/01 Vulnerability: esone-cgi-directory-traversal Platforms Affected: ES.One store.cgi Risk Factor: Medium Attack Type: Network Based Brief Description: Thinking Arts ES.One store.cgi directory traversal X-Force URL: http://xforce.iss.net/static/6124.php _____ Date Reported: 2/16/01 Vulnerability: vshell-username-bo Platforms Affected: VShell Risk Factor: High Attack Type: Network Based Brief Description: VShell username buffer overflow X-Force URL: http://xforce.iss.net/static/6146.php _____ Date Reported: 2/16/01 Vulnerability: vshell-port-forwarding-rule Platforms Affected: VShell Risk Factor: Medium Attack Type: Network/Host Based Brief Description: VShell uses weak port forwarding rule X-Force URL: http://xforce.iss.net/static/6148.php _____ Date Reported: 2/15/01 Vulnerability: pi3web-isapi-bo Platforms Affected: Pi3Web Risk Factor: Medium Attack Type: Network/Host Based Brief Description: Pi3Web ISAPI tstisapi.dll denial of service X-Force URL: http://xforce.iss.net/static/6113.php _____ Date Reported: 2/15/01 Vulnerability: pi3web-reveal-path Platforms Affected: Pi3Web Risk Factor: Low Attack Type: Network Based Brief Description: Pi3Web reveals physical path of server X-Force URL: http://xforce.iss.net/static/6114.php _____ Date Reported: 2/15/01 Vulnerability: bajie-execute-shell Platforms Affected: Bajie HTTP JServer Risk Factor: High Attack Type: Network Based Brief Description: Bajie HTTP JServer execute shell commands X-Force URL: http://xforce.iss.net/static/6117.php _____ Date Reported: 2/15/01 Vulnerability: bajie-directory-traversal Platforms Affected: Bajie HTTP JServer Risk Factor: High Attack Type: Network Based Brief Description: Bajie HTTP JServer directory traversal X-Force URL: http://xforce.iss.net/static/6115.php _____ Date Reported: 2/15/01 Vulnerability: resin-directory-traversal Platforms Affected: Resin Risk Factor: Medium Attack Type: Network Based Brief Description: Resin Web server directory traversal X-Force URL: http://xforce.iss.net/static/6118.php _____ Date Reported: 2/15/01 Vulnerability: netware-mitm-recover-passwords Platforms Affected: Netware Risk Factor: Low Attack Type: Network Based Brief Description: Netware "man in the middle" attack password recovery X-Force URL: http://xforce.iss.net/static/6116.php _____ Date Reported: 2/14/01 Vulnerability: firebox-pptp-dos Platforms Affected: WatchGuard Firebox II Risk Factor: High Attack Type: Network Based Brief Description: WatchGuard Firebox II PPTP denial of service X-Force URL: http://xforce.iss.net/static/6109.php _____ Date Reported: 2/14/01 Vulnerability: hp-virtualvault-iws-dos Platforms Affected: HP VirtualVault Risk Factor: Medium Attack Type: Network/Host Based Brief Description: HP VirtualVault iPlanet Web Server denial of service X-Force URL: http://xforce.iss.net/static/6110.php _____ Date Reported: 2/14/01 Vulnerability: kicq-execute-commands Platforms Affected: KICQ Risk Factor: High Attack Type: Network Based Brief Description: kicq could allow remote execution of commands X-Force URL: http://xforce.iss.net/static/6112.php _____ Date Reported: 2/14/01 Vulnerability: hp-text-editor-bo Platforms Affected: HPUX Risk Factor: Medium Attack Type: Host Based Brief Description: HP Text editors buffer overflow X-Force URL: http://xforce.iss.net/static/6111.php _____ Date Reported: 2/13/01 Vulnerability: sendtemp-pl-read-files Platforms Affected: sendtemp.pl Risk Factor: Medium Attack Type: Network/Host Based Brief Description: sendtemp.pl could allow an attacker to read files on the server X-Force URL: http://xforce.iss.net/static/6104.php _____ Date Reported: 2/13/01 Vulnerability: analog-alias-bo Platforms Affected: Analog ALIAS Risk Factor: Medium Attack Type: Network/Host Based Brief Description: Analog ALIAS command buffer overflow X-Force URL: http://xforce.iss.net/static/6105.php _____ Date Reported: 2/13/01 Vulnerability: elm-long-string-bo Platforms Affected: Elm Risk Factor: Medium Attack Type: Host Based Brief Description: ELM -f command long string buffer overflow X-Force URL: http://xforce.iss.net/static/6151.php _____ Date Reported: 2/13/01 Vulnerability: winnt-pptp-dos Platforms Affected: Windows NT Risk Factor: Medium Attack Type: Network Based Brief Description: Windows NT PPTP denial of service X-Force URL: http://xforce.iss.net/static/6103.php _____ Date Reported: 2/12/01 Vulnerability: startinnfeed-format-string Platforms Affected: Inn Risk Factor: High Attack Type: Host Based Brief Description: Inn 'startinnfeed' binary format string attack X-Force URL: http://xforce.iss.net/static/6099.php _____ Date Reported: 2/12/01 Vulnerability: his-auktion-cgi-url Platforms Affected: HIS Auktion Risk Factor: Medium Attack Type: Network/Host Based Brief Description: HIS Auktion CGI script could allow attackers to view unauthorized files or execute commands X-Force URL: http://xforce.iss.net/static/6090.php _____ Date Reported: 2/12/01 Vulnerability: wayboard-cgi-view-files Platforms Affected: Way-BOARD Risk Factor: Medium Attack Type: Network Based Brief Description: Way-BOARD CGI could allow attackers to view unauthorized files X-Force URL: http://xforce.iss.net/static/6091.php _____ Date Reported: 2/12/01 Vulnerability: muskat-empower-url-dir Platforms Affected: Musket Empower Risk Factor: Low Attack Type: Network/Host Based Brief Description: Musket Empower could allow attackers to gain access to the DB directory path X-Force URL: http://xforce.iss.net/static/6093.php _____ Date Reported: 2/12/01 Vulnerability: icq-icu-rtf-dos Platforms Affected: LICQ Gnome ICU Risk Factor: Low Attack Type: Network/Host Based Brief Description: LICQ and Gnome ICU rtf file denial of service X-Force URL: http://xforce.iss.net/static/6096.php _____ Date Reported: 2/12/01 Vulnerability: commerce-cgi-view-files Platforms Affected: Commerce.cgi Risk Factor: Medium Attack Type: Network Based Brief Description: Commerce.cgi could allow attackers to view unauthorized files X-Force URL: http://xforce.iss.net/static/6095.php _____ Date Reported: 2/12/01 Vulnerability: roads-search-view-files Platforms Affected: ROADS Risk Factor: Medium Attack Type: Network Based Brief Description: ROADS could allow attackers to view unauthorized files using search.pl program X-Force URL: http://xforce.iss.net/static/6097.php _____ Date Reported: 2/12/01 Vulnerability: webpage-cgi-view-info Platforms Affected: WebPage.cgi Risk Factor: Low Attack Type: Network Based Brief Description: WebPage.cgi allows attackers to view sensitive information X-Force URL: http://xforce.iss.net/static/6100.php _____ Date Reported: 2/12/01 Vulnerability: webspirs-cgi-view-files Platforms Affected: WebSPIRS Risk Factor: Medium Attack Type: Network Based Brief Description: WebSPIRS CGI could allow an attacker to view unauthorized files X-Force URL: http://xforce.iss.net/static/6101.php _____ Date Reported: 2/12/01 Vulnerability: webpals-library-cgi-url Platforms Affected: WebPALS Risk Factor: Medium Attack Type: Network Based Brief Description: WebPALS Library System CGI script could allow attackers to view unauthorized files or execute commands X-Force URL: http://xforce.iss.net/static/6102.php _____ Date Reported: 2/11/01 Vulnerability: cobol-apptrack-nolicense-permissions Platforms Affected: MicroFocus Cobol Risk Factor: High Attack Type: Host Based Brief Description: MicroFocus Cobol with AppTrack enabled with nolicense permissions X-Force URL: http://xforce.iss.net/static/6092.php _____ Date Reported: 2/11/01 Vulnerability: cobol-apptrack-nolicense-symlink Platforms Affected: MicroFocus Cobol Risk Factor: High Attack Type: Host Based Brief Description: MicroFocus Cobol with AppTrack enabled allows symlink in nolicense X-Force URL: http://xforce.iss.net/static/6094.php _____ Date Reported: 2/10/01 Vulnerability: vixie-crontab-bo Platforms Affected: Vixie crontab Risk Factor: Medium Attack Type: Host Based Brief Description: Vixie crontab buffer overflow X-Force URL: http://xforce.iss.net/static/6098.php _____ Date Reported: 2/10/01 Vulnerability: novell-groupwise-bypass-policies Platforms Affected: Novell GroupWise Risk Factor: Medium Attack Type: Network/Host Based Brief Description: Novell Groupwise allows user to bypass policies and view files X-Force URL: http://xforce.iss.net/static/6089.php _____ Date Reported: 2/9/01 Vulnerability: infobot-calc-gain-access Platforms Affected: Infobot Risk Factor: High Attack Type: Network Based Brief Description: Infobot 'calc' command allows remote users to gain access X-Force URL: http://xforce.iss.net/static/6078.php _____ Date Reported: 2/8/01 Vulnerability: linux-sysctl-read-memory Platforms Affected: Linux Risk Factor: Medium Attack Type: Host Based Brief Description: Linux kernel sysctl() read memory X-Force URL: http://xforce.iss.net/static/6079.php _____ Date Reported: 2/8/01 Vulnerability: openssh-bypass-authentication Platforms Affected: OpenSSH Risk Factor: High Attack Type: Network/Host Based Brief Description: OpenSSH 2.3.1 allows remote users to bypass authentication X-Force URL: http://xforce.iss.net/static/6084.php _____ Date Reported: 2/8/01 Vulnerability: lotus-notes-stored-forms Platforms Affected: Lotus Notes Risk Factor: High Attack Type: Network/Host Based Brief Description: Lotus Notes stored forms X-Force URL: http://xforce.iss.net/static/6087.php _____ Date Reported: 2/8/01 Vulnerability: linux-ptrace-modify-process Platforms Affected: Linux Risk Factor: High Attack Type: Host Based Brief Description: Linux kernel ptrace modify process X-Force URL: http://xforce.iss.net/static/6080.php _____ Date Reported: 2/8/01 Vulnerability: ssh-deattack-overwrite-memory Platforms Affected: SSH Risk Factor: High Attack Type: Network/Host Based Brief Description: SSH protocol 1.5 deattack.c allows memory to be overwritten X-Force URL: http://xforce.iss.net/static/6083.php _____ Date Reported: 2/7/01 Vulnerability: dc20ctrl-port-bo Platforms Affected: FreeBSD Risk Factor: Medium Attack Type: Host Based Brief Description: FreeBSD dc20ctrl port buffer overflow X-Force URL: http://xforce.iss.net/static/6077.php _____ Date Reported: 2/7/01 Vulnerability: ja-xklock-bo Platforms Affected: FreeBSD Risk Factor: High Attack Type: Host Based Brief Description: ja-xklock buffer overflow X-Force URL: http://xforce.iss.net/static/6073.php _____ Date Reported: 2/7/01 Vulnerability: ja-elvis-elvrec-bo Platforms Affected: FreeBSD Risk Factor: High Attack Type: Host Based Brief Description: FreeBSD ja-elvis port buffer overflow X-Force URL: http://xforce.iss.net/static/6074.php _____ Date Reported: 2/7/01 Vulnerability: ko-helvis-elvrec-bo Platforms Affected: FreeBSD Risk Factor: High Attack Type: Host Based Brief Description: FreeBSD ko-helvis port buffer overflow X-Force URL: http://xforce.iss.net/static/6075.php _____ Date Reported: 2/7/01 Vulnerability: serverworx-directory-traversal Platforms Affected: ServerWorx Risk Factor: Medium Attack Type: Network Based Brief Description: ServerWorx directory traversal X-Force URL: http://xforce.iss.net/static/6081.php _____ Date Reported: 2/7/01 Vulnerability: ntlm-ssp-elevate-privileges Platforms Affected: NTLM Risk Factor: High Attack Type: Host Based Brief Description: NTLM Security Support Provider could allow elevation of privileges X-Force URL: http://xforce.iss.net/static/6076.php _____ Date Reported: 2/7/01 Vulnerability: ssh-session-key-recovery Platforms Affected: SSH Risk Factor: High Attack Type: Network/Host Based Brief Description: SSH protocol 1.5 session key recovery X-Force URL: http://xforce.iss.net/static/6082.php _____ Date Reported: 2/6/01 Vulnerability: aolserver-directory-traversal Platforms Affected: AOLserver Risk Factor: Medium Attack Type: Network Based Brief Description: AOLserver directory traversal X-Force URL: http://xforce.iss.net/static/6069.php _____ Date Reported: 2/6/01 Vulnerability: chilisoft-asp-elevate-privileges Platforms Affected: Chili!Soft Risk Factor: High Attack Type: Network/Host Based Brief Description: Chili!Soft ASP could allow elevated privileges X-Force URL: http://xforce.iss.net/static/6072.php _____ Date Reported: 2/6/01 Vulnerability: win-udp-dos Platforms Affected: Windows Risk Factor: Medium Attack Type: Network/Host Based Brief Description: Windows UDP socket denial of service X-Force URL: http://xforce.iss.net/static/6070.php _____ Date Reported: 2/5/01 Vulnerability: ssh-daemon-failed-login Platforms Affected: SSH Risk Factor: High Attack Type: Network/Host Based Brief Description: SSH daemon failed login attempts are not logged X-Force URL: http://xforce.iss.net/static/6071.php _____ Date Reported: 2/5/01 Vulnerability: picserver-directory-traversal Platforms Affected: PicServer Risk Factor: Medium Attack Type: Network Based Brief Description: PicServer directory traversal X-Force URL: http://xforce.iss.net/static/6065.php _____ Date Reported: 2/5/01 Vulnerability: biblioweb-directory-traversal Platforms Affected: BiblioWeb Risk Factor: Medium Attack Type: Network Based Brief Description: BiblioWeb Server directory traversal X-Force URL: http://xforce.iss.net/static/6066.php _____ Date Reported: 2/5/01 Vulnerability: biblioweb-get-dos Platforms Affected: BiblioWeb Risk Factor: Low Attack Type: Network Based Brief Description: BiblioWeb Server GET request denial of service X-Force URL: http://xforce.iss.net/static/6068.php _____ Date Reported: 2/5/01 Vulnerability: ibm-netcommerce-reveal-information Platforms Affected: IBM Risk Factor: Medium Attack Type: Network/Host Based Brief Description: IBM Net.Commerce could reveal sensitive information X-Force URL: http://xforce.iss.net/static/6067.php _____ Date Reported: 2/5/01 Vulnerability: win-dde-elevate-privileges Platforms Affected: Windows DDE Risk Factor: High Attack Type: Host Based Brief Description: Windows DDE can allow the elevation of privileges X-Force URL: http://xforce.iss.net/static/6062.php _____ Date Reported: 2/4/01 Vulnerability: hsweb-directory-browsing Platforms Affected: HSWeb Risk Factor: Low Attack Type: Network Based Brief Description: HSWeb Web Server allows attacker to browse directories X-Force URL: http://xforce.iss.net/static/6061.php _____ Date Reported: 2/4/01 Vulnerability: sedum-directory-traversal Platforms Affected: SEDUM Risk Factor: Medium Attack Type: Network Based Brief Description: SEDUM HTTP Server directory traversal X-Force URL: http://xforce.iss.net/static/6063.php _____ Date Reported: 2/4/01 Vulnerability: free-java-directory-traversal Platforms Affected: Free Java Risk Factor: Medium Attack Type: Network Based Brief Description: Free Java Web Server directory traversal X-Force URL: http://xforce.iss.net/static/6064.php _____ Date Reported: 2/2/01 Vulnerability: goahead-directory-traversal Platforms Affected: GoAhead Risk Factor: High Attack Type: Network Based Brief Description: GoAhead Web Server directory traversal X-Force URL: http://xforce.iss.net/static/6046.php _____ Date Reported: 2/2/01 Vulnerability: gnuserv-tcp-cookie-overflow Platforms Affected: Gnuserv Risk Factor: High Attack Type: Network/Host Based Brief Description: Gnuserv TCP enabled cookie buffer overflow X-Force URL: http://xforce.iss.net/static/6056.php _____ Date Reported: 2/2/01 Vulnerability: xmail-ctrlserver-bo Platforms Affected: Xmail CTRLServer Risk Factor: High Attack Type: Network Based Brief Description: XMail CTRLServer buffer overflow X-Force URL: http://xforce.iss.net/static/6060.php _____ Date Reported: 2/2/01 Vulnerability: netscape-webpublisher-acl-permissions Platforms Affected: Netscape Web Publisher Risk Factor: Medium Attack Type: Network Based Brief Description: Netcape Web Publisher poor ACL permissions X-Force URL: http://xforce.iss.net/static/6058.php _____ Date Reported: 2/1/01 Vulnerability: cups-httpgets-dos Platforms Affected: CUPS Risk Factor: High Attack Type: Host Based Brief Description: CUPS httpGets() function denial of service X-Force URL: http://xforce.iss.net/static/6043.php _____ Date Reported: 2/1/01 Vulnerability: prospero-get-pin Platforms Affected: Prospero Risk Factor: High Attack Type: Network/Host Based Brief Description: Prospero GET request reveals PIN information X-Force URL: http://xforce.iss.net/static/6044.php _____ Date Reported: 2/1/01 Vulnerability: prospero-weak-permissions Platforms Affected: Prospero Risk Factor: High Attack Type: Network/Host Based Brief Description: Prospero uses weak permissions X-Force URL: http://xforce.iss.net/static/6045.php _____ Risk Factor Key: High Any vulnerability that provides an attacker with immediate access into a machine, gains superuser access, or bypasses a firewall. Example: A vulnerable Sendmail 8.6.5 version that allows an intruder to execute commands on mail server. Medium Any vulnerability that provides information that has a high potential of giving system access to an intruder. Example: A misconfigured TFTP or vulnerable NIS server that allows an intruder to get the password file that could contain an account with a guessable password. Low Any vulnerability that provides information that potentially could lead to a compromise. Example: A finger that allows an intruder to find out who is online and potential accounts to attempt to crack passwords via brute force methods. ________ ISS is a leading global provider of security management solutions for e-business. By offering best-of-breed SAFEsuite(tm) security software, comprehensive ePatrol(tm) monitoring services and industry-leading expertise, ISS serves as its customers' trusted security provider protecting digital assets and ensuring the availability, confidentiality and integrity of computer systems and information critical to e-business success. ISS' security management solutions protect more than 5,000 customers including 21 of the 25 largest U.S. commercial banks, 9 of the 10 largest telecommunications companies and over 35 government agencies. Founded in 1994, ISS is headquartered in Atlanta, GA, with additional offices throughout North America and international operations in Asia, Australia, Europe and Latin America. For more information, visit the ISS Web site at www.iss.net or call 800-776-2362. Copyright (c) 2001 by Internet Security Systems, Inc. Permission is hereby granted for the redistribution of this Alert electronically. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Alert in any other medium excluding electronic medium, please e-mail xforce@iss.net for permission. Disclaimer The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. X-Force PGP Key available at: http://xforce.iss.net/sensitive.php as well as on MIT's PGP key server and PGP.com's key server. Please send suggestions, updates, and comments to: X-Force xforce@iss.net of Internet Security Systems, Inc. -----BEGIN PGP SIGNATURE----- Version: 2.6.3a Charset: noconv iQCVAwUBOqb8ojRfJiV99eG9AQGEaAP+KH+SQYNBsbUcv/mUJNUz7dDPIYVcmPNV 1xyO/ctnG6qScWnlXGltYS7Rj8T8tYAAZC77oDhFSvvs8CX1Dr32ImEyvOIJhMLA h0wKCV3HOAYJ662BASe3jbO3nL/bumNKCRL5heuIU85pQOuH9xbqXkmFEimDmG2B tT+ylKw4hn4= =kfHg -----END PGP SIGNATURE-----

Network Dynamic Data Exchange (DDE) in Windows 2000 allows local users to gain SYSTEM privileges via a "WM_COPYDATA" message to an invisible window that is running with the privileges of the WINLOGON process. Multiple Cisco networking products contain a denial-of-service vulnerability. There is an information integrity vulnerability in the SSH1 protocol that allows packets encrypted with a block cipher to be modified without notice. There is a remote integer overflow vulnerability in several implementations of the SSH1 protocol that allows an attacker to execute arbitrary code with the privileges of the SSH daemon, typically root. The program pgp4pine version 1.75.6 fails to properly identify expired keys when working with the Gnu Privacy Guard program (GnuPG). This failure may result in the clear-text transmission of senstive information when used with the PINE mail reading package. The SEDUM web server permits intruders to access files outside the web root. Secure Shell, or SSH, is an encrypted remote access protocol. SSH or code based on SSH is used by many systems all over the world and in a wide variety of commercial applications. An integer-overflow bug in the CRC32 compensation attack detection code may allow remote attackers to write values to arbitrary locations in memory. This would occur in situations where large SSH packets are recieved by either a client or server, and a 32 bit representation of the SSH packet length is assigned to a 16 bit integer. The difference in data representation in these situations will cause the 16 bit variable to be assigned to zero (or a really low value). As a result, future calls to malloc() as well as an index used to reference locations in memory can be corrupted by an attacker. This could occur in a manner that can be exploited to write certain numerical values to almost arbitrary locations in memory. **UPDATE**: There have been reports suggesting that exploitation of this vulnerability may be widespread. Since early september, independent, reliable sources have confirmed that this vulnerability is being exploited by attackers on the Internet. Security Focus does not currently have the exploit code being used, however this record will be updated if and when it becomes available. NOTE: Cisco 11000 Content Service Switch family is vulnerable to this issue. All WebNS releases prior, but excluding, versions: 4.01 B42s, 4.10 22s, 5.0 B11s, 5.01 B6s, are vulnerable. Secure Computing SafeWord Agent for SSH is reportedly prone to this issue, as it is based on a vulnerable version of SSH. ** NetScreen ScreenOS is not directly vulnerable to this issue, however the referenced exploit will cause devices using vulnerable versions of the software to stop functioning properly. This will result in a denial of service condition for NetScreen devices. This issue is in the Secure Command Shell (SCS) administrative interface, which is an implementation of SSHv1. SCS is not enabled on NetScreen devices by default. Cisco has reported that scanning for SSH vulnerabilities on affected devices will cause excessive CPU consumption. The condition is due to a failure of the Cisco SSH implementation to properly process large SSH packets. As many of these devices are critical infrastructure components, more serious network outages may occur. Cisco has released upgrades that will eliminate this vulnerability. Using a command function such as WM_COPYDATA, it is possible for a message to be sent through the Net DDE Agent to a trusted share with a process associated with that share. Unfortunately NetDDE Agent runs in the LOCAL SYSTEM context, therefore a local user can specify arbitrary code to be run at SYSTEM privileges. An expired public key could cause GPG to fail the encryption of an outgoing message, without any error message or warning being delivered to the user. As a result, the user could transmit data, meant to be encrypted, as plaintext. TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to majordomo@iss.net Contact alert-owner@iss.net for help with any problems! --------------------------------------------------------------------------- -----BEGIN PGP SIGNED MESSAGE----- ISS X-Force has received reports that some individuals were unable to verify the PGP signature on the Security Alert Summary distributed earlier in the week. Due to this issue, X-Force is re-distributing the Security Alert Summary. We apologize for any inconvience this may have caused. Internet Security Systems Security Alert Summary March 5, 2001 Volume 6 Number 4 X-Force Vulnerability and Threat Database: http://xforce.iss.net/ To receive these Alert Summaries as well as other Alerts and Advisories, subscribe to the Internet Security Systems Alert mailing list at: http://xforce.iss.net/maillists/index.php This summary can be found at http://xforce.iss.net/alerts/vol-6_num-4.php _____ Contents 90 Reported Vulnerabilities Risk Factor Key _____ Date Reported: 2/27/01 Vulnerability: a1-server-dos Platforms Affected: A1 Server Risk Factor: Medium Attack Type: Network Based Brief Description: A1 Server denial of service X-Force URL: http://xforce.iss.net/static/6161.php _____ Date Reported: 2/27/01 Vulnerability: a1-server-directory-traversal Platforms Affected: A1 Server Risk Factor: Medium Attack Type: Network Based Brief Description: A1 Server directory traversal X-Force URL: http://xforce.iss.net/static/6162.php _____ Date Reported: 2/27/01 Vulnerability: webreflex-web-server-dos Platforms Affected: WebReflex Risk Factor: Medium Attack Type: Network Based Brief Description: WebReflex Web server denial of service X-Force URL: http://xforce.iss.net/static/6163.php _____ Date Reported: 2/26/01 Vulnerability: sudo-bo-elevate-privileges Platforms Affected: Sudo Risk Factor: Medium Attack Type: Host Based Brief Description: Sudo buffer overflow could allow elevated user privileges X-Force URL: http://xforce.iss.net/static/6153.php _____ Date Reported: 2/26/01 Vulnerability: mygetright-skin-overwrite-file Platforms Affected: My GetRight Risk Factor: High Attack Type: Network Based Brief Description: My GetRight 'skin' allows remote attacker to overwrite existing files X-Force URL: http://xforce.iss.net/static/6155.php _____ Date Reported: 2/26/01 Vulnerability: mygetright-directory-traversal Platforms Affected: My GetRight Risk Factor: Medium Attack Type: Network Based Brief Description: My GetRight directory traversal X-Force URL: http://xforce.iss.net/static/6156.php _____ Date Reported: 2/26/01 Vulnerability: win2k-event-viewer-bo Platforms Affected: Windows 2000 Risk Factor: once-only Attack Type: Host Based Brief Description: Windows 2000 event viewer buffer overflow X-Force URL: http://xforce.iss.net/static/6160.php _____ Date Reported: 2/26/01 Vulnerability: netscape-collabra-cpu-dos Platforms Affected: Netscape Risk Factor: Medium Attack Type: Network Based Brief Description: Netscape Collabra CPU denial of service X-Force URL: http://xforce.iss.net/static/6159.php _____ Date Reported: 2/26/01 Vulnerability: netscape-collabra-kernel-dos Platforms Affected: Netscape Risk Factor: Medium Attack Type: Network Based Brief Description: Netscape Collabra Server kernel denial of service X-Force URL: http://xforce.iss.net/static/6158.php _____ Date Reported: 2/23/01 Vulnerability: mercur-expn-bo Platforms Affected: MERCUR Risk Factor: High Attack Type: Network Based Brief Description: MERCUR Mailserver EXPN buffer overflow X-Force URL: http://xforce.iss.net/static/6149.php _____ Date Reported: 2/23/01 Vulnerability: sedum-http-dos Platforms Affected: SEDUM Risk Factor: Medium Attack Type: Network Based Brief Description: SEDUM HTTP server denial of service X-Force URL: http://xforce.iss.net/static/6152.php _____ Date Reported: 2/23/01 Vulnerability: tru64-inetd-dos Platforms Affected: Tru64 Risk Factor: Medium Attack Type: Host Based Brief Description: Tru64 UNIX inetd denial of service X-Force URL: http://xforce.iss.net/static/6157.php _____ Date Reported: 2/22/01 Vulnerability: outlook-vcard-bo Platforms Affected: Microsoft Outlook Risk Factor: High Attack Type: Host Based Brief Description: Outlook and Outlook Express vCards buffer overflow X-Force URL: http://xforce.iss.net/static/6145.php _____ Date Reported: 2/22/01 Vulnerability: ultimatebb-cookie-member-number Platforms Affected: Ultimate Bulletin Board Risk Factor: High Attack Type: Network Based Brief Description: Ultimate Bulletin Board cookie allows attacker to change member number X-Force URL: http://xforce.iss.net/static/6144.php _____ Date Reported: 2/21/01 Vulnerability: ultimatebb-cookie-gain-privileges Platforms Affected: Ultimate Bulletin Board Risk Factor: Medium Attack Type: Network Based Brief Description: Ultimate Bulletin Board allows remote attacker to obtain cookie information X-Force URL: http://xforce.iss.net/static/6142.php _____ Date Reported: 2/21/01 Vulnerability: sendmail-elevate-privileges Platforms Affected: Sendmail Risk Factor: High Attack Type: Host Based Brief Description: Sendmail -bt command could allow the elevation of privileges X-Force URL: http://xforce.iss.net/static/6147.php _____ Date Reported: 2/21/01 Vulnerability: jre-jdk-execute-commands Platforms Affected: JRE/JDK Risk Factor: High Attack Type: Host Based Brief Description: JRE/JDK could allow unauthorized execution of commands X-Force URL: http://xforce.iss.net/static/6143.php _____ Date Reported: 2/20/01 Vulnerability: licq-remote-port-dos Platforms Affected: LICQ Risk Factor: Medium Attack Type: Network Based Brief Description: LICQ remote denial of service X-Force URL: http://xforce.iss.net/static/6134.php _____ Date Reported: 2/20/01 Vulnerability: pgp4pine-expired-keys Platforms Affected: pgp4pine Risk Factor: Medium Attack Type: Host Based Brief Description: pgp4pine may transmit messages using expired public keys X-Force URL: http://xforce.iss.net/static/6135.php _____ Date Reported: 2/20/01 Vulnerability: chilisoft-asp-view-files Platforms Affected: Chili!Soft ASP Risk Factor: High Attack Type: Network Based Brief Description: Chili!Soft ASP allows remote attackers to gain access to sensitive information X-Force URL: http://xforce.iss.net/static/6137.php _____ Date Reported: 2/20/01 Vulnerability: win2k-domain-controller-dos Platforms Affected: Windows 2000 Risk Factor: once-only Attack Type: Network/Host Based Brief Description: Windows 2000 domain controller denial of service X-Force URL: http://xforce.iss.net/static/6136.php _____ Date Reported: 2/19/01 Vulnerability: asx-remote-dos Platforms Affected: ASX Switches Risk Factor: Medium Attack Type: Network Based Brief Description: ASX switches allow remote denial of service X-Force URL: http://xforce.iss.net/static/6133.php _____ Date Reported: 2/18/01 Vulnerability: http-cgi-mailnews-username Platforms Affected: Mailnews.cgi Risk Factor: High Attack Type: Network Based Brief Description: Mailnews.cgi allows remote attacker to execute shell commands using username X-Force URL: http://xforce.iss.net/static/6139.php _____ Date Reported: 2/17/01 Vulnerability: badblue-ext-reveal-path Platforms Affected: BadBlue Risk Factor: Low Attack Type: Network Based Brief Description: BadBlue ext.dll library reveals path X-Force URL: http://xforce.iss.net/static/6130.php _____ Date Reported: 2/17/01 Vulnerability: badblue-ext-dos Platforms Affected: BadBlue Risk Factor: Medium Attack Type: Network Based Brief Description: BadBlue ext.dll library denial of service X-Force URL: http://xforce.iss.net/static/6131.php _____ Date Reported: 2/17/01 Vulnerability: moby-netsuite-bo Platforms Affected: Moby's NetSuite Risk Factor: Medium Attack Type: Network Based Brief Description: Moby's NetSuite Web server buffer overflow X-Force URL: http://xforce.iss.net/static/6132.php _____ Date Reported: 2/16/01 Vulnerability: webactive-directory-traversal Platforms Affected: WEBactive Risk Factor: Medium Attack Type: Network/Host Based Brief Description: WEBactive HTTP Server directory traversal X-Force URL: http://xforce.iss.net/static/6121.php _____ Date Reported: 2/16/01 Vulnerability: esone-cgi-directory-traversal Platforms Affected: ES.One store.cgi Risk Factor: Medium Attack Type: Network Based Brief Description: Thinking Arts ES.One store.cgi directory traversal X-Force URL: http://xforce.iss.net/static/6124.php _____ Date Reported: 2/16/01 Vulnerability: vshell-username-bo Platforms Affected: VShell Risk Factor: High Attack Type: Network Based Brief Description: VShell username buffer overflow X-Force URL: http://xforce.iss.net/static/6146.php _____ Date Reported: 2/16/01 Vulnerability: vshell-port-forwarding-rule Platforms Affected: VShell Risk Factor: Medium Attack Type: Network/Host Based Brief Description: VShell uses weak port forwarding rule X-Force URL: http://xforce.iss.net/static/6148.php _____ Date Reported: 2/15/01 Vulnerability: pi3web-isapi-bo Platforms Affected: Pi3Web Risk Factor: Medium Attack Type: Network/Host Based Brief Description: Pi3Web ISAPI tstisapi.dll denial of service X-Force URL: http://xforce.iss.net/static/6113.php _____ Date Reported: 2/15/01 Vulnerability: pi3web-reveal-path Platforms Affected: Pi3Web Risk Factor: Low Attack Type: Network Based Brief Description: Pi3Web reveals physical path of server X-Force URL: http://xforce.iss.net/static/6114.php _____ Date Reported: 2/15/01 Vulnerability: bajie-execute-shell Platforms Affected: Bajie HTTP JServer Risk Factor: High Attack Type: Network Based Brief Description: Bajie HTTP JServer execute shell commands X-Force URL: http://xforce.iss.net/static/6117.php _____ Date Reported: 2/15/01 Vulnerability: bajie-directory-traversal Platforms Affected: Bajie HTTP JServer Risk Factor: High Attack Type: Network Based Brief Description: Bajie HTTP JServer directory traversal X-Force URL: http://xforce.iss.net/static/6115.php _____ Date Reported: 2/15/01 Vulnerability: resin-directory-traversal Platforms Affected: Resin Risk Factor: Medium Attack Type: Network Based Brief Description: Resin Web server directory traversal X-Force URL: http://xforce.iss.net/static/6118.php _____ Date Reported: 2/15/01 Vulnerability: netware-mitm-recover-passwords Platforms Affected: Netware Risk Factor: Low Attack Type: Network Based Brief Description: Netware "man in the middle" attack password recovery X-Force URL: http://xforce.iss.net/static/6116.php _____ Date Reported: 2/14/01 Vulnerability: firebox-pptp-dos Platforms Affected: WatchGuard Firebox II Risk Factor: High Attack Type: Network Based Brief Description: WatchGuard Firebox II PPTP denial of service X-Force URL: http://xforce.iss.net/static/6109.php _____ Date Reported: 2/14/01 Vulnerability: hp-virtualvault-iws-dos Platforms Affected: HP VirtualVault Risk Factor: Medium Attack Type: Network/Host Based Brief Description: HP VirtualVault iPlanet Web Server denial of service X-Force URL: http://xforce.iss.net/static/6110.php _____ Date Reported: 2/14/01 Vulnerability: kicq-execute-commands Platforms Affected: KICQ Risk Factor: High Attack Type: Network Based Brief Description: kicq could allow remote execution of commands X-Force URL: http://xforce.iss.net/static/6112.php _____ Date Reported: 2/14/01 Vulnerability: hp-text-editor-bo Platforms Affected: HPUX Risk Factor: Medium Attack Type: Host Based Brief Description: HP Text editors buffer overflow X-Force URL: http://xforce.iss.net/static/6111.php _____ Date Reported: 2/13/01 Vulnerability: sendtemp-pl-read-files Platforms Affected: sendtemp.pl Risk Factor: Medium Attack Type: Network/Host Based Brief Description: sendtemp.pl could allow an attacker to read files on the server X-Force URL: http://xforce.iss.net/static/6104.php _____ Date Reported: 2/13/01 Vulnerability: analog-alias-bo Platforms Affected: Analog ALIAS Risk Factor: Medium Attack Type: Network/Host Based Brief Description: Analog ALIAS command buffer overflow X-Force URL: http://xforce.iss.net/static/6105.php _____ Date Reported: 2/13/01 Vulnerability: elm-long-string-bo Platforms Affected: Elm Risk Factor: Medium Attack Type: Host Based Brief Description: ELM -f command long string buffer overflow X-Force URL: http://xforce.iss.net/static/6151.php _____ Date Reported: 2/13/01 Vulnerability: winnt-pptp-dos Platforms Affected: Windows NT Risk Factor: Medium Attack Type: Network Based Brief Description: Windows NT PPTP denial of service X-Force URL: http://xforce.iss.net/static/6103.php _____ Date Reported: 2/12/01 Vulnerability: startinnfeed-format-string Platforms Affected: Inn Risk Factor: High Attack Type: Host Based Brief Description: Inn 'startinnfeed' binary format string attack X-Force URL: http://xforce.iss.net/static/6099.php _____ Date Reported: 2/12/01 Vulnerability: his-auktion-cgi-url Platforms Affected: HIS Auktion Risk Factor: Medium Attack Type: Network/Host Based Brief Description: HIS Auktion CGI script could allow attackers to view unauthorized files or execute commands X-Force URL: http://xforce.iss.net/static/6090.php _____ Date Reported: 2/12/01 Vulnerability: wayboard-cgi-view-files Platforms Affected: Way-BOARD Risk Factor: Medium Attack Type: Network Based Brief Description: Way-BOARD CGI could allow attackers to view unauthorized files X-Force URL: http://xforce.iss.net/static/6091.php _____ Date Reported: 2/12/01 Vulnerability: muskat-empower-url-dir Platforms Affected: Musket Empower Risk Factor: Low Attack Type: Network/Host Based Brief Description: Musket Empower could allow attackers to gain access to the DB directory path X-Force URL: http://xforce.iss.net/static/6093.php _____ Date Reported: 2/12/01 Vulnerability: icq-icu-rtf-dos Platforms Affected: LICQ Gnome ICU Risk Factor: Low Attack Type: Network/Host Based Brief Description: LICQ and Gnome ICU rtf file denial of service X-Force URL: http://xforce.iss.net/static/6096.php _____ Date Reported: 2/12/01 Vulnerability: commerce-cgi-view-files Platforms Affected: Commerce.cgi Risk Factor: Medium Attack Type: Network Based Brief Description: Commerce.cgi could allow attackers to view unauthorized files X-Force URL: http://xforce.iss.net/static/6095.php _____ Date Reported: 2/12/01 Vulnerability: roads-search-view-files Platforms Affected: ROADS Risk Factor: Medium Attack Type: Network Based Brief Description: ROADS could allow attackers to view unauthorized files using search.pl program X-Force URL: http://xforce.iss.net/static/6097.php _____ Date Reported: 2/12/01 Vulnerability: webpage-cgi-view-info Platforms Affected: WebPage.cgi Risk Factor: Low Attack Type: Network Based Brief Description: WebPage.cgi allows attackers to view sensitive information X-Force URL: http://xforce.iss.net/static/6100.php _____ Date Reported: 2/12/01 Vulnerability: webspirs-cgi-view-files Platforms Affected: WebSPIRS Risk Factor: Medium Attack Type: Network Based Brief Description: WebSPIRS CGI could allow an attacker to view unauthorized files X-Force URL: http://xforce.iss.net/static/6101.php _____ Date Reported: 2/12/01 Vulnerability: webpals-library-cgi-url Platforms Affected: WebPALS Risk Factor: Medium Attack Type: Network Based Brief Description: WebPALS Library System CGI script could allow attackers to view unauthorized files or execute commands X-Force URL: http://xforce.iss.net/static/6102.php _____ Date Reported: 2/11/01 Vulnerability: cobol-apptrack-nolicense-permissions Platforms Affected: MicroFocus Cobol Risk Factor: High Attack Type: Host Based Brief Description: MicroFocus Cobol with AppTrack enabled with nolicense permissions X-Force URL: http://xforce.iss.net/static/6092.php _____ Date Reported: 2/11/01 Vulnerability: cobol-apptrack-nolicense-symlink Platforms Affected: MicroFocus Cobol Risk Factor: High Attack Type: Host Based Brief Description: MicroFocus Cobol with AppTrack enabled allows symlink in nolicense X-Force URL: http://xforce.iss.net/static/6094.php _____ Date Reported: 2/10/01 Vulnerability: vixie-crontab-bo Platforms Affected: Vixie crontab Risk Factor: Medium Attack Type: Host Based Brief Description: Vixie crontab buffer overflow X-Force URL: http://xforce.iss.net/static/6098.php _____ Date Reported: 2/10/01 Vulnerability: novell-groupwise-bypass-policies Platforms Affected: Novell GroupWise Risk Factor: Medium Attack Type: Network/Host Based Brief Description: Novell Groupwise allows user to bypass policies and view files X-Force URL: http://xforce.iss.net/static/6089.php _____ Date Reported: 2/9/01 Vulnerability: infobot-calc-gain-access Platforms Affected: Infobot Risk Factor: High Attack Type: Network Based Brief Description: Infobot 'calc' command allows remote users to gain access X-Force URL: http://xforce.iss.net/static/6078.php _____ Date Reported: 2/8/01 Vulnerability: linux-sysctl-read-memory Platforms Affected: Linux Risk Factor: Medium Attack Type: Host Based Brief Description: Linux kernel sysctl() read memory X-Force URL: http://xforce.iss.net/static/6079.php _____ Date Reported: 2/8/01 Vulnerability: openssh-bypass-authentication Platforms Affected: OpenSSH Risk Factor: High Attack Type: Network/Host Based Brief Description: OpenSSH 2.3.1 allows remote users to bypass authentication X-Force URL: http://xforce.iss.net/static/6084.php _____ Date Reported: 2/8/01 Vulnerability: lotus-notes-stored-forms Platforms Affected: Lotus Notes Risk Factor: High Attack Type: Network/Host Based Brief Description: Lotus Notes stored forms X-Force URL: http://xforce.iss.net/static/6087.php _____ Date Reported: 2/8/01 Vulnerability: linux-ptrace-modify-process Platforms Affected: Linux Risk Factor: High Attack Type: Host Based Brief Description: Linux kernel ptrace modify process X-Force URL: http://xforce.iss.net/static/6080.php _____ Date Reported: 2/8/01 Vulnerability: ssh-deattack-overwrite-memory Platforms Affected: SSH Risk Factor: High Attack Type: Network/Host Based Brief Description: SSH protocol 1.5 deattack.c allows memory to be overwritten X-Force URL: http://xforce.iss.net/static/6083.php _____ Date Reported: 2/7/01 Vulnerability: dc20ctrl-port-bo Platforms Affected: FreeBSD Risk Factor: Medium Attack Type: Host Based Brief Description: FreeBSD dc20ctrl port buffer overflow X-Force URL: http://xforce.iss.net/static/6077.php _____ Date Reported: 2/7/01 Vulnerability: ja-xklock-bo Platforms Affected: FreeBSD Risk Factor: High Attack Type: Host Based Brief Description: ja-xklock buffer overflow X-Force URL: http://xforce.iss.net/static/6073.php _____ Date Reported: 2/7/01 Vulnerability: ja-elvis-elvrec-bo Platforms Affected: FreeBSD Risk Factor: High Attack Type: Host Based Brief Description: FreeBSD ja-elvis port buffer overflow X-Force URL: http://xforce.iss.net/static/6074.php _____ Date Reported: 2/7/01 Vulnerability: ko-helvis-elvrec-bo Platforms Affected: FreeBSD Risk Factor: High Attack Type: Host Based Brief Description: FreeBSD ko-helvis port buffer overflow X-Force URL: http://xforce.iss.net/static/6075.php _____ Date Reported: 2/7/01 Vulnerability: serverworx-directory-traversal Platforms Affected: ServerWorx Risk Factor: Medium Attack Type: Network Based Brief Description: ServerWorx directory traversal X-Force URL: http://xforce.iss.net/static/6081.php _____ Date Reported: 2/7/01 Vulnerability: ntlm-ssp-elevate-privileges Platforms Affected: NTLM Risk Factor: High Attack Type: Host Based Brief Description: NTLM Security Support Provider could allow elevation of privileges X-Force URL: http://xforce.iss.net/static/6076.php _____ Date Reported: 2/7/01 Vulnerability: ssh-session-key-recovery Platforms Affected: SSH Risk Factor: High Attack Type: Network/Host Based Brief Description: SSH protocol 1.5 session key recovery X-Force URL: http://xforce.iss.net/static/6082.php _____ Date Reported: 2/6/01 Vulnerability: aolserver-directory-traversal Platforms Affected: AOLserver Risk Factor: Medium Attack Type: Network Based Brief Description: AOLserver directory traversal X-Force URL: http://xforce.iss.net/static/6069.php _____ Date Reported: 2/6/01 Vulnerability: chilisoft-asp-elevate-privileges Platforms Affected: Chili!Soft Risk Factor: High Attack Type: Network/Host Based Brief Description: Chili!Soft ASP could allow elevated privileges X-Force URL: http://xforce.iss.net/static/6072.php _____ Date Reported: 2/6/01 Vulnerability: win-udp-dos Platforms Affected: Windows Risk Factor: Medium Attack Type: Network/Host Based Brief Description: Windows UDP socket denial of service X-Force URL: http://xforce.iss.net/static/6070.php _____ Date Reported: 2/5/01 Vulnerability: ssh-daemon-failed-login Platforms Affected: SSH Risk Factor: High Attack Type: Network/Host Based Brief Description: SSH daemon failed login attempts are not logged X-Force URL: http://xforce.iss.net/static/6071.php _____ Date Reported: 2/5/01 Vulnerability: picserver-directory-traversal Platforms Affected: PicServer Risk Factor: Medium Attack Type: Network Based Brief Description: PicServer directory traversal X-Force URL: http://xforce.iss.net/static/6065.php _____ Date Reported: 2/5/01 Vulnerability: biblioweb-directory-traversal Platforms Affected: BiblioWeb Risk Factor: Medium Attack Type: Network Based Brief Description: BiblioWeb Server directory traversal X-Force URL: http://xforce.iss.net/static/6066.php _____ Date Reported: 2/5/01 Vulnerability: biblioweb-get-dos Platforms Affected: BiblioWeb Risk Factor: Low Attack Type: Network Based Brief Description: BiblioWeb Server GET request denial of service X-Force URL: http://xforce.iss.net/static/6068.php _____ Date Reported: 2/5/01 Vulnerability: ibm-netcommerce-reveal-information Platforms Affected: IBM Risk Factor: Medium Attack Type: Network/Host Based Brief Description: IBM Net.Commerce could reveal sensitive information X-Force URL: http://xforce.iss.net/static/6067.php _____ Date Reported: 2/5/01 Vulnerability: win-dde-elevate-privileges Platforms Affected: Windows DDE Risk Factor: High Attack Type: Host Based Brief Description: Windows DDE can allow the elevation of privileges X-Force URL: http://xforce.iss.net/static/6062.php _____ Date Reported: 2/4/01 Vulnerability: hsweb-directory-browsing Platforms Affected: HSWeb Risk Factor: Low Attack Type: Network Based Brief Description: HSWeb Web Server allows attacker to browse directories X-Force URL: http://xforce.iss.net/static/6061.php _____ Date Reported: 2/4/01 Vulnerability: sedum-directory-traversal Platforms Affected: SEDUM Risk Factor: Medium Attack Type: Network Based Brief Description: SEDUM HTTP Server directory traversal X-Force URL: http://xforce.iss.net/static/6063.php _____ Date Reported: 2/4/01 Vulnerability: free-java-directory-traversal Platforms Affected: Free Java Risk Factor: Medium Attack Type: Network Based Brief Description: Free Java Web Server directory traversal X-Force URL: http://xforce.iss.net/static/6064.php _____ Date Reported: 2/2/01 Vulnerability: goahead-directory-traversal Platforms Affected: GoAhead Risk Factor: High Attack Type: Network Based Brief Description: GoAhead Web Server directory traversal X-Force URL: http://xforce.iss.net/static/6046.php _____ Date Reported: 2/2/01 Vulnerability: gnuserv-tcp-cookie-overflow Platforms Affected: Gnuserv Risk Factor: High Attack Type: Network/Host Based Brief Description: Gnuserv TCP enabled cookie buffer overflow X-Force URL: http://xforce.iss.net/static/6056.php _____ Date Reported: 2/2/01 Vulnerability: xmail-ctrlserver-bo Platforms Affected: Xmail CTRLServer Risk Factor: High Attack Type: Network Based Brief Description: XMail CTRLServer buffer overflow X-Force URL: http://xforce.iss.net/static/6060.php _____ Date Reported: 2/2/01 Vulnerability: netscape-webpublisher-acl-permissions Platforms Affected: Netscape Web Publisher Risk Factor: Medium Attack Type: Network Based Brief Description: Netcape Web Publisher poor ACL permissions X-Force URL: http://xforce.iss.net/static/6058.php _____ Date Reported: 2/1/01 Vulnerability: cups-httpgets-dos Platforms Affected: CUPS Risk Factor: High Attack Type: Host Based Brief Description: CUPS httpGets() function denial of service X-Force URL: http://xforce.iss.net/static/6043.php _____ Date Reported: 2/1/01 Vulnerability: prospero-get-pin Platforms Affected: Prospero Risk Factor: High Attack Type: Network/Host Based Brief Description: Prospero GET request reveals PIN information X-Force URL: http://xforce.iss.net/static/6044.php _____ Date Reported: 2/1/01 Vulnerability: prospero-weak-permissions Platforms Affected: Prospero Risk Factor: High Attack Type: Network/Host Based Brief Description: Prospero uses weak permissions X-Force URL: http://xforce.iss.net/static/6045.php _____ Risk Factor Key: High Any vulnerability that provides an attacker with immediate access into a machine, gains superuser access, or bypasses a firewall. Example: A vulnerable Sendmail 8.6.5 version that allows an intruder to execute commands on mail server. Medium Any vulnerability that provides information that has a high potential of giving system access to an intruder. Example: A misconfigured TFTP or vulnerable NIS server that allows an intruder to get the password file that could contain an account with a guessable password. Low Any vulnerability that provides information that potentially could lead to a compromise. Example: A finger that allows an intruder to find out who is online and potential accounts to attempt to crack passwords via brute force methods. ________ ISS is a leading global provider of security management solutions for e-business. By offering best-of-breed SAFEsuite(tm) security software, comprehensive ePatrol(tm) monitoring services and industry-leading expertise, ISS serves as its customers' trusted security provider protecting digital assets and ensuring the availability, confidentiality and integrity of computer systems and information critical to e-business success. ISS' security management solutions protect more than 5,000 customers including 21 of the 25 largest U.S. commercial banks, 9 of the 10 largest telecommunications companies and over 35 government agencies. Founded in 1994, ISS is headquartered in Atlanta, GA, with additional offices throughout North America and international operations in Asia, Australia, Europe and Latin America. For more information, visit the ISS Web site at www.iss.net or call 800-776-2362. Copyright (c) 2001 by Internet Security Systems, Inc. Permission is hereby granted for the redistribution of this Alert electronically. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Alert in any other medium excluding electronic medium, please e-mail xforce@iss.net for permission. Disclaimer The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. X-Force PGP Key available at: http://xforce.iss.net/sensitive.php as well as on MIT's PGP key server and PGP.com's key server. Please send suggestions, updates, and comments to: X-Force xforce@iss.net of Internet Security Systems, Inc. -----BEGIN PGP SIGNATURE----- Version: 2.6.3a Charset: noconv iQCVAwUBOqb8ojRfJiV99eG9AQGEaAP+KH+SQYNBsbUcv/mUJNUz7dDPIYVcmPNV 1xyO/ctnG6qScWnlXGltYS7Rj8T8tYAAZC77oDhFSvvs8CX1Dr32ImEyvOIJhMLA h0wKCV3HOAYJ662BASe3jbO3nL/bumNKCRL5heuIU85pQOuH9xbqXkmFEimDmG2B tT+ylKw4hn4= =kfHg -----END PGP SIGNATURE-----

CORE SDI SSH1 CRC-32 compensation attack detector allows remote attackers to execute arbitrary commands on an SSH server or client via an integer overflow. Multiple Cisco networking products contain a denial-of-service vulnerability. There is an information integrity vulnerability in the SSH1 protocol that allows packets encrypted with a block cipher to be modified without notice. The program pgp4pine version 1.75.6 fails to properly identify expired keys when working with the Gnu Privacy Guard program (GnuPG). This failure may result in the clear-text transmission of senstive information when used with the PINE mail reading package. The SEDUM web server permits intruders to access files outside the web root. Secure Shell, or SSH, is an encrypted remote access protocol. SSH or code based on SSH is used by many systems all over the world and in a wide variety of commercial applications. This would occur in situations where large SSH packets are recieved by either a client or server, and a 32 bit representation of the SSH packet length is assigned to a 16 bit integer. The difference in data representation in these situations will cause the 16 bit variable to be assigned to zero (or a really low value). As a result, future calls to malloc() as well as an index used to reference locations in memory can be corrupted by an attacker. This could occur in a manner that can be exploited to write certain numerical values to almost arbitrary locations in memory. **UPDATE**: There have been reports suggesting that exploitation of this vulnerability may be widespread. Since early september, independent, reliable sources have confirmed that this vulnerability is being exploited by attackers on the Internet. Security Focus does not currently have the exploit code being used, however this record will be updated if and when it becomes available. NOTE: Cisco 11000 Content Service Switch family is vulnerable to this issue. All WebNS releases prior, but excluding, versions: 4.01 B42s, 4.10 22s, 5.0 B11s, 5.01 B6s, are vulnerable. Secure Computing SafeWord Agent for SSH is reportedly prone to this issue, as it is based on a vulnerable version of SSH. ** NetScreen ScreenOS is not directly vulnerable to this issue, however the referenced exploit will cause devices using vulnerable versions of the software to stop functioning properly. This will result in a denial of service condition for NetScreen devices. This issue is in the Secure Command Shell (SCS) administrative interface, which is an implementation of SSHv1. SCS is not enabled on NetScreen devices by default. Cisco has reported that scanning for SSH vulnerabilities on affected devices will cause excessive CPU consumption. The condition is due to a failure of the Cisco SSH implementation to properly process large SSH packets. As many of these devices are critical infrastructure components, more serious network outages may occur. Cisco has released upgrades that will eliminate this vulnerability. An expired public key could cause GPG to fail the encryption of an outgoing message, without any error message or warning being delivered to the user. As a result, the user could transmit data, meant to be encrypted, as plaintext. The problem lies in deattack.c, a program developed by CORE SDI to prevent the SSH1 protocol from being attacked by CRC32 compensation. Because a 16-bit unsigned variable is mistakenly used as a 32-bit variable in the detect_attack() function, the table index overflow problem is caused. The problem is in the detect_attack() function: ... /* detect_attack Detects a crc32 compensation attack on a packet */ int detect_attack(unsigned char *buf, word32 len, unsigned char *IV) { static word16 *h = (word16 * ) NULL; (*) static word16 n = HASH_MINSIZE / HASH_ENTRYSIZE; register word32 i , j; After allocation by xmalloc(0), the following code will be executed: for (i = HASH(c) & (n - 1); h[i] != HASH_UNUSED; Since i is set as a 32-bit unsigned integer, when n=0 , the result becomes: i = HASH(c) & 0xffffffff and c can be provided by the client. If the value of i exceeds the normal range, the program will segfault when trying to access h[i]. Through careful By constructing an attack packet, the attacker may overwrite the content of any address and execute arbitrary code remotely. The attacker does not need a valid system account to carry out the attack. TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to majordomo@iss.net Contact alert-owner@iss.net for help with any problems! --------------------------------------------------------------------------- -----BEGIN PGP SIGNED MESSAGE----- ISS X-Force has received reports that some individuals were unable to verify the PGP signature on the Security Alert Summary distributed earlier in the week. Due to this issue, X-Force is re-distributing the Security Alert Summary. We apologize for any inconvience this may have caused. Internet Security Systems Security Alert Summary March 5, 2001 Volume 6 Number 4 X-Force Vulnerability and Threat Database: http://xforce.iss.net/ To receive these Alert Summaries as well as other Alerts and Advisories, subscribe to the Internet Security Systems Alert mailing list at: http://xforce.iss.net/maillists/index.php This summary can be found at http://xforce.iss.net/alerts/vol-6_num-4.php _____ Contents 90 Reported Vulnerabilities Risk Factor Key _____ Date Reported: 2/27/01 Vulnerability: a1-server-dos Platforms Affected: A1 Server Risk Factor: Medium Attack Type: Network Based Brief Description: A1 Server denial of service X-Force URL: http://xforce.iss.net/static/6161.php _____ Date Reported: 2/27/01 Vulnerability: a1-server-directory-traversal Platforms Affected: A1 Server Risk Factor: Medium Attack Type: Network Based Brief Description: A1 Server directory traversal X-Force URL: http://xforce.iss.net/static/6162.php _____ Date Reported: 2/27/01 Vulnerability: webreflex-web-server-dos Platforms Affected: WebReflex Risk Factor: Medium Attack Type: Network Based Brief Description: WebReflex Web server denial of service X-Force URL: http://xforce.iss.net/static/6163.php _____ Date Reported: 2/26/01 Vulnerability: sudo-bo-elevate-privileges Platforms Affected: Sudo Risk Factor: Medium Attack Type: Host Based Brief Description: Sudo buffer overflow could allow elevated user privileges X-Force URL: http://xforce.iss.net/static/6153.php _____ Date Reported: 2/26/01 Vulnerability: mygetright-skin-overwrite-file Platforms Affected: My GetRight Risk Factor: High Attack Type: Network Based Brief Description: My GetRight 'skin' allows remote attacker to overwrite existing files X-Force URL: http://xforce.iss.net/static/6155.php _____ Date Reported: 2/26/01 Vulnerability: mygetright-directory-traversal Platforms Affected: My GetRight Risk Factor: Medium Attack Type: Network Based Brief Description: My GetRight directory traversal X-Force URL: http://xforce.iss.net/static/6156.php _____ Date Reported: 2/26/01 Vulnerability: win2k-event-viewer-bo Platforms Affected: Windows 2000 Risk Factor: once-only Attack Type: Host Based Brief Description: Windows 2000 event viewer buffer overflow X-Force URL: http://xforce.iss.net/static/6160.php _____ Date Reported: 2/26/01 Vulnerability: netscape-collabra-cpu-dos Platforms Affected: Netscape Risk Factor: Medium Attack Type: Network Based Brief Description: Netscape Collabra CPU denial of service X-Force URL: http://xforce.iss.net/static/6159.php _____ Date Reported: 2/26/01 Vulnerability: netscape-collabra-kernel-dos Platforms Affected: Netscape Risk Factor: Medium Attack Type: Network Based Brief Description: Netscape Collabra Server kernel denial of service X-Force URL: http://xforce.iss.net/static/6158.php _____ Date Reported: 2/23/01 Vulnerability: mercur-expn-bo Platforms Affected: MERCUR Risk Factor: High Attack Type: Network Based Brief Description: MERCUR Mailserver EXPN buffer overflow X-Force URL: http://xforce.iss.net/static/6149.php _____ Date Reported: 2/23/01 Vulnerability: sedum-http-dos Platforms Affected: SEDUM Risk Factor: Medium Attack Type: Network Based Brief Description: SEDUM HTTP server denial of service X-Force URL: http://xforce.iss.net/static/6152.php _____ Date Reported: 2/23/01 Vulnerability: tru64-inetd-dos Platforms Affected: Tru64 Risk Factor: Medium Attack Type: Host Based Brief Description: Tru64 UNIX inetd denial of service X-Force URL: http://xforce.iss.net/static/6157.php _____ Date Reported: 2/22/01 Vulnerability: outlook-vcard-bo Platforms Affected: Microsoft Outlook Risk Factor: High Attack Type: Host Based Brief Description: Outlook and Outlook Express vCards buffer overflow X-Force URL: http://xforce.iss.net/static/6145.php _____ Date Reported: 2/22/01 Vulnerability: ultimatebb-cookie-member-number Platforms Affected: Ultimate Bulletin Board Risk Factor: High Attack Type: Network Based Brief Description: Ultimate Bulletin Board cookie allows attacker to change member number X-Force URL: http://xforce.iss.net/static/6144.php _____ Date Reported: 2/21/01 Vulnerability: ultimatebb-cookie-gain-privileges Platforms Affected: Ultimate Bulletin Board Risk Factor: Medium Attack Type: Network Based Brief Description: Ultimate Bulletin Board allows remote attacker to obtain cookie information X-Force URL: http://xforce.iss.net/static/6142.php _____ Date Reported: 2/21/01 Vulnerability: sendmail-elevate-privileges Platforms Affected: Sendmail Risk Factor: High Attack Type: Host Based Brief Description: Sendmail -bt command could allow the elevation of privileges X-Force URL: http://xforce.iss.net/static/6147.php _____ Date Reported: 2/21/01 Vulnerability: jre-jdk-execute-commands Platforms Affected: JRE/JDK Risk Factor: High Attack Type: Host Based Brief Description: JRE/JDK could allow unauthorized execution of commands X-Force URL: http://xforce.iss.net/static/6143.php _____ Date Reported: 2/20/01 Vulnerability: licq-remote-port-dos Platforms Affected: LICQ Risk Factor: Medium Attack Type: Network Based Brief Description: LICQ remote denial of service X-Force URL: http://xforce.iss.net/static/6134.php _____ Date Reported: 2/20/01 Vulnerability: pgp4pine-expired-keys Platforms Affected: pgp4pine Risk Factor: Medium Attack Type: Host Based Brief Description: pgp4pine may transmit messages using expired public keys X-Force URL: http://xforce.iss.net/static/6135.php _____ Date Reported: 2/20/01 Vulnerability: chilisoft-asp-view-files Platforms Affected: Chili!Soft ASP Risk Factor: High Attack Type: Network Based Brief Description: Chili!Soft ASP allows remote attackers to gain access to sensitive information X-Force URL: http://xforce.iss.net/static/6137.php _____ Date Reported: 2/20/01 Vulnerability: win2k-domain-controller-dos Platforms Affected: Windows 2000 Risk Factor: once-only Attack Type: Network/Host Based Brief Description: Windows 2000 domain controller denial of service X-Force URL: http://xforce.iss.net/static/6136.php _____ Date Reported: 2/19/01 Vulnerability: asx-remote-dos Platforms Affected: ASX Switches Risk Factor: Medium Attack Type: Network Based Brief Description: ASX switches allow remote denial of service X-Force URL: http://xforce.iss.net/static/6133.php _____ Date Reported: 2/18/01 Vulnerability: http-cgi-mailnews-username Platforms Affected: Mailnews.cgi Risk Factor: High Attack Type: Network Based Brief Description: Mailnews.cgi allows remote attacker to execute shell commands using username X-Force URL: http://xforce.iss.net/static/6139.php _____ Date Reported: 2/17/01 Vulnerability: badblue-ext-reveal-path Platforms Affected: BadBlue Risk Factor: Low Attack Type: Network Based Brief Description: BadBlue ext.dll library reveals path X-Force URL: http://xforce.iss.net/static/6130.php _____ Date Reported: 2/17/01 Vulnerability: badblue-ext-dos Platforms Affected: BadBlue Risk Factor: Medium Attack Type: Network Based Brief Description: BadBlue ext.dll library denial of service X-Force URL: http://xforce.iss.net/static/6131.php _____ Date Reported: 2/17/01 Vulnerability: moby-netsuite-bo Platforms Affected: Moby's NetSuite Risk Factor: Medium Attack Type: Network Based Brief Description: Moby's NetSuite Web server buffer overflow X-Force URL: http://xforce.iss.net/static/6132.php _____ Date Reported: 2/16/01 Vulnerability: webactive-directory-traversal Platforms Affected: WEBactive Risk Factor: Medium Attack Type: Network/Host Based Brief Description: WEBactive HTTP Server directory traversal X-Force URL: http://xforce.iss.net/static/6121.php _____ Date Reported: 2/16/01 Vulnerability: esone-cgi-directory-traversal Platforms Affected: ES.One store.cgi Risk Factor: Medium Attack Type: Network Based Brief Description: Thinking Arts ES.One store.cgi directory traversal X-Force URL: http://xforce.iss.net/static/6124.php _____ Date Reported: 2/16/01 Vulnerability: vshell-username-bo Platforms Affected: VShell Risk Factor: High Attack Type: Network Based Brief Description: VShell username buffer overflow X-Force URL: http://xforce.iss.net/static/6146.php _____ Date Reported: 2/16/01 Vulnerability: vshell-port-forwarding-rule Platforms Affected: VShell Risk Factor: Medium Attack Type: Network/Host Based Brief Description: VShell uses weak port forwarding rule X-Force URL: http://xforce.iss.net/static/6148.php _____ Date Reported: 2/15/01 Vulnerability: pi3web-isapi-bo Platforms Affected: Pi3Web Risk Factor: Medium Attack Type: Network/Host Based Brief Description: Pi3Web ISAPI tstisapi.dll denial of service X-Force URL: http://xforce.iss.net/static/6113.php _____ Date Reported: 2/15/01 Vulnerability: pi3web-reveal-path Platforms Affected: Pi3Web Risk Factor: Low Attack Type: Network Based Brief Description: Pi3Web reveals physical path of server X-Force URL: http://xforce.iss.net/static/6114.php _____ Date Reported: 2/15/01 Vulnerability: bajie-execute-shell Platforms Affected: Bajie HTTP JServer Risk Factor: High Attack Type: Network Based Brief Description: Bajie HTTP JServer execute shell commands X-Force URL: http://xforce.iss.net/static/6117.php _____ Date Reported: 2/15/01 Vulnerability: bajie-directory-traversal Platforms Affected: Bajie HTTP JServer Risk Factor: High Attack Type: Network Based Brief Description: Bajie HTTP JServer directory traversal X-Force URL: http://xforce.iss.net/static/6115.php _____ Date Reported: 2/15/01 Vulnerability: resin-directory-traversal Platforms Affected: Resin Risk Factor: Medium Attack Type: Network Based Brief Description: Resin Web server directory traversal X-Force URL: http://xforce.iss.net/static/6118.php _____ Date Reported: 2/15/01 Vulnerability: netware-mitm-recover-passwords Platforms Affected: Netware Risk Factor: Low Attack Type: Network Based Brief Description: Netware "man in the middle" attack password recovery X-Force URL: http://xforce.iss.net/static/6116.php _____ Date Reported: 2/14/01 Vulnerability: firebox-pptp-dos Platforms Affected: WatchGuard Firebox II Risk Factor: High Attack Type: Network Based Brief Description: WatchGuard Firebox II PPTP denial of service X-Force URL: http://xforce.iss.net/static/6109.php _____ Date Reported: 2/14/01 Vulnerability: hp-virtualvault-iws-dos Platforms Affected: HP VirtualVault Risk Factor: Medium Attack Type: Network/Host Based Brief Description: HP VirtualVault iPlanet Web Server denial of service X-Force URL: http://xforce.iss.net/static/6110.php _____ Date Reported: 2/14/01 Vulnerability: kicq-execute-commands Platforms Affected: KICQ Risk Factor: High Attack Type: Network Based Brief Description: kicq could allow remote execution of commands X-Force URL: http://xforce.iss.net/static/6112.php _____ Date Reported: 2/14/01 Vulnerability: hp-text-editor-bo Platforms Affected: HPUX Risk Factor: Medium Attack Type: Host Based Brief Description: HP Text editors buffer overflow X-Force URL: http://xforce.iss.net/static/6111.php _____ Date Reported: 2/13/01 Vulnerability: sendtemp-pl-read-files Platforms Affected: sendtemp.pl Risk Factor: Medium Attack Type: Network/Host Based Brief Description: sendtemp.pl could allow an attacker to read files on the server X-Force URL: http://xforce.iss.net/static/6104.php _____ Date Reported: 2/13/01 Vulnerability: analog-alias-bo Platforms Affected: Analog ALIAS Risk Factor: Medium Attack Type: Network/Host Based Brief Description: Analog ALIAS command buffer overflow X-Force URL: http://xforce.iss.net/static/6105.php _____ Date Reported: 2/13/01 Vulnerability: elm-long-string-bo Platforms Affected: Elm Risk Factor: Medium Attack Type: Host Based Brief Description: ELM -f command long string buffer overflow X-Force URL: http://xforce.iss.net/static/6151.php _____ Date Reported: 2/13/01 Vulnerability: winnt-pptp-dos Platforms Affected: Windows NT Risk Factor: Medium Attack Type: Network Based Brief Description: Windows NT PPTP denial of service X-Force URL: http://xforce.iss.net/static/6103.php _____ Date Reported: 2/12/01 Vulnerability: startinnfeed-format-string Platforms Affected: Inn Risk Factor: High Attack Type: Host Based Brief Description: Inn 'startinnfeed' binary format string attack X-Force URL: http://xforce.iss.net/static/6099.php _____ Date Reported: 2/12/01 Vulnerability: his-auktion-cgi-url Platforms Affected: HIS Auktion Risk Factor: Medium Attack Type: Network/Host Based Brief Description: HIS Auktion CGI script could allow attackers to view unauthorized files or execute commands X-Force URL: http://xforce.iss.net/static/6090.php _____ Date Reported: 2/12/01 Vulnerability: wayboard-cgi-view-files Platforms Affected: Way-BOARD Risk Factor: Medium Attack Type: Network Based Brief Description: Way-BOARD CGI could allow attackers to view unauthorized files X-Force URL: http://xforce.iss.net/static/6091.php _____ Date Reported: 2/12/01 Vulnerability: muskat-empower-url-dir Platforms Affected: Musket Empower Risk Factor: Low Attack Type: Network/Host Based Brief Description: Musket Empower could allow attackers to gain access to the DB directory path X-Force URL: http://xforce.iss.net/static/6093.php _____ Date Reported: 2/12/01 Vulnerability: icq-icu-rtf-dos Platforms Affected: LICQ Gnome ICU Risk Factor: Low Attack Type: Network/Host Based Brief Description: LICQ and Gnome ICU rtf file denial of service X-Force URL: http://xforce.iss.net/static/6096.php _____ Date Reported: 2/12/01 Vulnerability: commerce-cgi-view-files Platforms Affected: Commerce.cgi Risk Factor: Medium Attack Type: Network Based Brief Description: Commerce.cgi could allow attackers to view unauthorized files X-Force URL: http://xforce.iss.net/static/6095.php _____ Date Reported: 2/12/01 Vulnerability: roads-search-view-files Platforms Affected: ROADS Risk Factor: Medium Attack Type: Network Based Brief Description: ROADS could allow attackers to view unauthorized files using search.pl program X-Force URL: http://xforce.iss.net/static/6097.php _____ Date Reported: 2/12/01 Vulnerability: webpage-cgi-view-info Platforms Affected: WebPage.cgi Risk Factor: Low Attack Type: Network Based Brief Description: WebPage.cgi allows attackers to view sensitive information X-Force URL: http://xforce.iss.net/static/6100.php _____ Date Reported: 2/12/01 Vulnerability: webspirs-cgi-view-files Platforms Affected: WebSPIRS Risk Factor: Medium Attack Type: Network Based Brief Description: WebSPIRS CGI could allow an attacker to view unauthorized files X-Force URL: http://xforce.iss.net/static/6101.php _____ Date Reported: 2/12/01 Vulnerability: webpals-library-cgi-url Platforms Affected: WebPALS Risk Factor: Medium Attack Type: Network Based Brief Description: WebPALS Library System CGI script could allow attackers to view unauthorized files or execute commands X-Force URL: http://xforce.iss.net/static/6102.php _____ Date Reported: 2/11/01 Vulnerability: cobol-apptrack-nolicense-permissions Platforms Affected: MicroFocus Cobol Risk Factor: High Attack Type: Host Based Brief Description: MicroFocus Cobol with AppTrack enabled with nolicense permissions X-Force URL: http://xforce.iss.net/static/6092.php _____ Date Reported: 2/11/01 Vulnerability: cobol-apptrack-nolicense-symlink Platforms Affected: MicroFocus Cobol Risk Factor: High Attack Type: Host Based Brief Description: MicroFocus Cobol with AppTrack enabled allows symlink in nolicense X-Force URL: http://xforce.iss.net/static/6094.php _____ Date Reported: 2/10/01 Vulnerability: vixie-crontab-bo Platforms Affected: Vixie crontab Risk Factor: Medium Attack Type: Host Based Brief Description: Vixie crontab buffer overflow X-Force URL: http://xforce.iss.net/static/6098.php _____ Date Reported: 2/10/01 Vulnerability: novell-groupwise-bypass-policies Platforms Affected: Novell GroupWise Risk Factor: Medium Attack Type: Network/Host Based Brief Description: Novell Groupwise allows user to bypass policies and view files X-Force URL: http://xforce.iss.net/static/6089.php _____ Date Reported: 2/9/01 Vulnerability: infobot-calc-gain-access Platforms Affected: Infobot Risk Factor: High Attack Type: Network Based Brief Description: Infobot 'calc' command allows remote users to gain access X-Force URL: http://xforce.iss.net/static/6078.php _____ Date Reported: 2/8/01 Vulnerability: linux-sysctl-read-memory Platforms Affected: Linux Risk Factor: Medium Attack Type: Host Based Brief Description: Linux kernel sysctl() read memory X-Force URL: http://xforce.iss.net/static/6079.php _____ Date Reported: 2/8/01 Vulnerability: openssh-bypass-authentication Platforms Affected: OpenSSH Risk Factor: High Attack Type: Network/Host Based Brief Description: OpenSSH 2.3.1 allows remote users to bypass authentication X-Force URL: http://xforce.iss.net/static/6084.php _____ Date Reported: 2/8/01 Vulnerability: lotus-notes-stored-forms Platforms Affected: Lotus Notes Risk Factor: High Attack Type: Network/Host Based Brief Description: Lotus Notes stored forms X-Force URL: http://xforce.iss.net/static/6087.php _____ Date Reported: 2/8/01 Vulnerability: linux-ptrace-modify-process Platforms Affected: Linux Risk Factor: High Attack Type: Host Based Brief Description: Linux kernel ptrace modify process X-Force URL: http://xforce.iss.net/static/6080.php _____ Date Reported: 2/8/01 Vulnerability: ssh-deattack-overwrite-memory Platforms Affected: SSH Risk Factor: High Attack Type: Network/Host Based Brief Description: SSH protocol 1.5 deattack.c allows memory to be overwritten X-Force URL: http://xforce.iss.net/static/6083.php _____ Date Reported: 2/7/01 Vulnerability: dc20ctrl-port-bo Platforms Affected: FreeBSD Risk Factor: Medium Attack Type: Host Based Brief Description: FreeBSD dc20ctrl port buffer overflow X-Force URL: http://xforce.iss.net/static/6077.php _____ Date Reported: 2/7/01 Vulnerability: ja-xklock-bo Platforms Affected: FreeBSD Risk Factor: High Attack Type: Host Based Brief Description: ja-xklock buffer overflow X-Force URL: http://xforce.iss.net/static/6073.php _____ Date Reported: 2/7/01 Vulnerability: ja-elvis-elvrec-bo Platforms Affected: FreeBSD Risk Factor: High Attack Type: Host Based Brief Description: FreeBSD ja-elvis port buffer overflow X-Force URL: http://xforce.iss.net/static/6074.php _____ Date Reported: 2/7/01 Vulnerability: ko-helvis-elvrec-bo Platforms Affected: FreeBSD Risk Factor: High Attack Type: Host Based Brief Description: FreeBSD ko-helvis port buffer overflow X-Force URL: http://xforce.iss.net/static/6075.php _____ Date Reported: 2/7/01 Vulnerability: serverworx-directory-traversal Platforms Affected: ServerWorx Risk Factor: Medium Attack Type: Network Based Brief Description: ServerWorx directory traversal X-Force URL: http://xforce.iss.net/static/6081.php _____ Date Reported: 2/7/01 Vulnerability: ntlm-ssp-elevate-privileges Platforms Affected: NTLM Risk Factor: High Attack Type: Host Based Brief Description: NTLM Security Support Provider could allow elevation of privileges X-Force URL: http://xforce.iss.net/static/6076.php _____ Date Reported: 2/7/01 Vulnerability: ssh-session-key-recovery Platforms Affected: SSH Risk Factor: High Attack Type: Network/Host Based Brief Description: SSH protocol 1.5 session key recovery X-Force URL: http://xforce.iss.net/static/6082.php _____ Date Reported: 2/6/01 Vulnerability: aolserver-directory-traversal Platforms Affected: AOLserver Risk Factor: Medium Attack Type: Network Based Brief Description: AOLserver directory traversal X-Force URL: http://xforce.iss.net/static/6069.php _____ Date Reported: 2/6/01 Vulnerability: chilisoft-asp-elevate-privileges Platforms Affected: Chili!Soft Risk Factor: High Attack Type: Network/Host Based Brief Description: Chili!Soft ASP could allow elevated privileges X-Force URL: http://xforce.iss.net/static/6072.php _____ Date Reported: 2/6/01 Vulnerability: win-udp-dos Platforms Affected: Windows Risk Factor: Medium Attack Type: Network/Host Based Brief Description: Windows UDP socket denial of service X-Force URL: http://xforce.iss.net/static/6070.php _____ Date Reported: 2/5/01 Vulnerability: ssh-daemon-failed-login Platforms Affected: SSH Risk Factor: High Attack Type: Network/Host Based Brief Description: SSH daemon failed login attempts are not logged X-Force URL: http://xforce.iss.net/static/6071.php _____ Date Reported: 2/5/01 Vulnerability: picserver-directory-traversal Platforms Affected: PicServer Risk Factor: Medium Attack Type: Network Based Brief Description: PicServer directory traversal X-Force URL: http://xforce.iss.net/static/6065.php _____ Date Reported: 2/5/01 Vulnerability: biblioweb-directory-traversal Platforms Affected: BiblioWeb Risk Factor: Medium Attack Type: Network Based Brief Description: BiblioWeb Server directory traversal X-Force URL: http://xforce.iss.net/static/6066.php _____ Date Reported: 2/5/01 Vulnerability: biblioweb-get-dos Platforms Affected: BiblioWeb Risk Factor: Low Attack Type: Network Based Brief Description: BiblioWeb Server GET request denial of service X-Force URL: http://xforce.iss.net/static/6068.php _____ Date Reported: 2/5/01 Vulnerability: ibm-netcommerce-reveal-information Platforms Affected: IBM Risk Factor: Medium Attack Type: Network/Host Based Brief Description: IBM Net.Commerce could reveal sensitive information X-Force URL: http://xforce.iss.net/static/6067.php _____ Date Reported: 2/5/01 Vulnerability: win-dde-elevate-privileges Platforms Affected: Windows DDE Risk Factor: High Attack Type: Host Based Brief Description: Windows DDE can allow the elevation of privileges X-Force URL: http://xforce.iss.net/static/6062.php _____ Date Reported: 2/4/01 Vulnerability: hsweb-directory-browsing Platforms Affected: HSWeb Risk Factor: Low Attack Type: Network Based Brief Description: HSWeb Web Server allows attacker to browse directories X-Force URL: http://xforce.iss.net/static/6061.php _____ Date Reported: 2/4/01 Vulnerability: sedum-directory-traversal Platforms Affected: SEDUM Risk Factor: Medium Attack Type: Network Based Brief Description: SEDUM HTTP Server directory traversal X-Force URL: http://xforce.iss.net/static/6063.php _____ Date Reported: 2/4/01 Vulnerability: free-java-directory-traversal Platforms Affected: Free Java Risk Factor: Medium Attack Type: Network Based Brief Description: Free Java Web Server directory traversal X-Force URL: http://xforce.iss.net/static/6064.php _____ Date Reported: 2/2/01 Vulnerability: goahead-directory-traversal Platforms Affected: GoAhead Risk Factor: High Attack Type: Network Based Brief Description: GoAhead Web Server directory traversal X-Force URL: http://xforce.iss.net/static/6046.php _____ Date Reported: 2/2/01 Vulnerability: gnuserv-tcp-cookie-overflow Platforms Affected: Gnuserv Risk Factor: High Attack Type: Network/Host Based Brief Description: Gnuserv TCP enabled cookie buffer overflow X-Force URL: http://xforce.iss.net/static/6056.php _____ Date Reported: 2/2/01 Vulnerability: xmail-ctrlserver-bo Platforms Affected: Xmail CTRLServer Risk Factor: High Attack Type: Network Based Brief Description: XMail CTRLServer buffer overflow X-Force URL: http://xforce.iss.net/static/6060.php _____ Date Reported: 2/2/01 Vulnerability: netscape-webpublisher-acl-permissions Platforms Affected: Netscape Web Publisher Risk Factor: Medium Attack Type: Network Based Brief Description: Netcape Web Publisher poor ACL permissions X-Force URL: http://xforce.iss.net/static/6058.php _____ Date Reported: 2/1/01 Vulnerability: cups-httpgets-dos Platforms Affected: CUPS Risk Factor: High Attack Type: Host Based Brief Description: CUPS httpGets() function denial of service X-Force URL: http://xforce.iss.net/static/6043.php _____ Date Reported: 2/1/01 Vulnerability: prospero-get-pin Platforms Affected: Prospero Risk Factor: High Attack Type: Network/Host Based Brief Description: Prospero GET request reveals PIN information X-Force URL: http://xforce.iss.net/static/6044.php _____ Date Reported: 2/1/01 Vulnerability: prospero-weak-permissions Platforms Affected: Prospero Risk Factor: High Attack Type: Network/Host Based Brief Description: Prospero uses weak permissions X-Force URL: http://xforce.iss.net/static/6045.php _____ Risk Factor Key: High Any vulnerability that provides an attacker with immediate access into a machine, gains superuser access, or bypasses a firewall. Example: A vulnerable Sendmail 8.6.5 version that allows an intruder to execute commands on mail server. Medium Any vulnerability that provides information that has a high potential of giving system access to an intruder. Example: A misconfigured TFTP or vulnerable NIS server that allows an intruder to get the password file that could contain an account with a guessable password. Low Any vulnerability that provides information that potentially could lead to a compromise. Example: A finger that allows an intruder to find out who is online and potential accounts to attempt to crack passwords via brute force methods. ________ ISS is a leading global provider of security management solutions for e-business. By offering best-of-breed SAFEsuite(tm) security software, comprehensive ePatrol(tm) monitoring services and industry-leading expertise, ISS serves as its customers' trusted security provider protecting digital assets and ensuring the availability, confidentiality and integrity of computer systems and information critical to e-business success. ISS' security management solutions protect more than 5,000 customers including 21 of the 25 largest U.S. commercial banks, 9 of the 10 largest telecommunications companies and over 35 government agencies. Founded in 1994, ISS is headquartered in Atlanta, GA, with additional offices throughout North America and international operations in Asia, Australia, Europe and Latin America. For more information, visit the ISS Web site at www.iss.net or call 800-776-2362. Copyright (c) 2001 by Internet Security Systems, Inc. Permission is hereby granted for the redistribution of this Alert electronically. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Alert in any other medium excluding electronic medium, please e-mail xforce@iss.net for permission. Disclaimer The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. X-Force PGP Key available at: http://xforce.iss.net/sensitive.php as well as on MIT's PGP key server and PGP.com's key server. Please send suggestions, updates, and comments to: X-Force xforce@iss.net of Internet Security Systems, Inc. -----BEGIN PGP SIGNATURE----- Version: 2.6.3a Charset: noconv iQCVAwUBOqb8ojRfJiV99eG9AQGEaAP+KH+SQYNBsbUcv/mUJNUz7dDPIYVcmPNV 1xyO/ctnG6qScWnlXGltYS7Rj8T8tYAAZC77oDhFSvvs8CX1Dr32ImEyvOIJhMLA h0wKCV3HOAYJ662BASe3jbO3nL/bumNKCRL5heuIU85pQOuH9xbqXkmFEimDmG2B tT+ylKw4hn4= =kfHg -----END PGP SIGNATURE-----

inetd in Compaq Tru64 UNIX 5.1 allows attackers to cause a denial of service (network connection loss) by causing one of the services handled by inetd to core dump during startup, which causes inetd to stop accepting connections to all of its services. Multiple Cisco networking products contain a denial-of-service vulnerability. The inetd service on Compaq's Tru64 UNIX is vulnerable to a denial-of-service. There is an information integrity vulnerability in the SSH1 protocol that allows packets encrypted with a block cipher to be modified without notice. There is a remote integer overflow vulnerability in several implementations of the SSH1 protocol that allows an attacker to execute arbitrary code with the privileges of the SSH daemon, typically root. The program pgp4pine version 1.75.6 fails to properly identify expired keys when working with the Gnu Privacy Guard program (GnuPG). This failure may result in the clear-text transmission of senstive information when used with the PINE mail reading package. The SEDUM web server permits intruders to access files outside the web root. Secure Shell, or SSH, is an encrypted remote access protocol. SSH or code based on SSH is used by many systems all over the world and in a wide variety of commercial applications. An integer-overflow bug in the CRC32 compensation attack detection code may allow remote attackers to write values to arbitrary locations in memory. This would occur in situations where large SSH packets are recieved by either a client or server, and a 32 bit representation of the SSH packet length is assigned to a 16 bit integer. The difference in data representation in these situations will cause the 16 bit variable to be assigned to zero (or a really low value). As a result, future calls to malloc() as well as an index used to reference locations in memory can be corrupted by an attacker. This could occur in a manner that can be exploited to write certain numerical values to almost arbitrary locations in memory. **UPDATE**: There have been reports suggesting that exploitation of this vulnerability may be widespread. Since early september, independent, reliable sources have confirmed that this vulnerability is being exploited by attackers on the Internet. Security Focus does not currently have the exploit code being used, however this record will be updated if and when it becomes available. NOTE: Cisco 11000 Content Service Switch family is vulnerable to this issue. All WebNS releases prior, but excluding, versions: 4.01 B42s, 4.10 22s, 5.0 B11s, 5.01 B6s, are vulnerable. Secure Computing SafeWord Agent for SSH is reportedly prone to this issue, as it is based on a vulnerable version of SSH. ** NetScreen ScreenOS is not directly vulnerable to this issue, however the referenced exploit will cause devices using vulnerable versions of the software to stop functioning properly. This will result in a denial of service condition for NetScreen devices. This issue is in the Secure Command Shell (SCS) administrative interface, which is an implementation of SSHv1. SCS is not enabled on NetScreen devices by default. Cisco has reported that scanning for SSH vulnerabilities on affected devices will cause excessive CPU consumption. The condition is due to a failure of the Cisco SSH implementation to properly process large SSH packets. As many of these devices are critical infrastructure components, more serious network outages may occur. Cisco has released upgrades that will eliminate this vulnerability. An expired public key could cause GPG to fail the encryption of an outgoing message, without any error message or warning being delivered to the user. As a result, the user could transmit data, meant to be encrypted, as plaintext. TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to majordomo@iss.net Contact alert-owner@iss.net for help with any problems! --------------------------------------------------------------------------- -----BEGIN PGP SIGNED MESSAGE----- ISS X-Force has received reports that some individuals were unable to verify the PGP signature on the Security Alert Summary distributed earlier in the week. Due to this issue, X-Force is re-distributing the Security Alert Summary. We apologize for any inconvience this may have caused. Internet Security Systems Security Alert Summary March 5, 2001 Volume 6 Number 4 X-Force Vulnerability and Threat Database: http://xforce.iss.net/ To receive these Alert Summaries as well as other Alerts and Advisories, subscribe to the Internet Security Systems Alert mailing list at: http://xforce.iss.net/maillists/index.php This summary can be found at http://xforce.iss.net/alerts/vol-6_num-4.php _____ Contents 90 Reported Vulnerabilities Risk Factor Key _____ Date Reported: 2/27/01 Vulnerability: a1-server-dos Platforms Affected: A1 Server Risk Factor: Medium Attack Type: Network Based Brief Description: A1 Server denial of service X-Force URL: http://xforce.iss.net/static/6161.php _____ Date Reported: 2/27/01 Vulnerability: a1-server-directory-traversal Platforms Affected: A1 Server Risk Factor: Medium Attack Type: Network Based Brief Description: A1 Server directory traversal X-Force URL: http://xforce.iss.net/static/6162.php _____ Date Reported: 2/27/01 Vulnerability: webreflex-web-server-dos Platforms Affected: WebReflex Risk Factor: Medium Attack Type: Network Based Brief Description: WebReflex Web server denial of service X-Force URL: http://xforce.iss.net/static/6163.php _____ Date Reported: 2/26/01 Vulnerability: sudo-bo-elevate-privileges Platforms Affected: Sudo Risk Factor: Medium Attack Type: Host Based Brief Description: Sudo buffer overflow could allow elevated user privileges X-Force URL: http://xforce.iss.net/static/6153.php _____ Date Reported: 2/26/01 Vulnerability: mygetright-skin-overwrite-file Platforms Affected: My GetRight Risk Factor: High Attack Type: Network Based Brief Description: My GetRight 'skin' allows remote attacker to overwrite existing files X-Force URL: http://xforce.iss.net/static/6155.php _____ Date Reported: 2/26/01 Vulnerability: mygetright-directory-traversal Platforms Affected: My GetRight Risk Factor: Medium Attack Type: Network Based Brief Description: My GetRight directory traversal X-Force URL: http://xforce.iss.net/static/6156.php _____ Date Reported: 2/26/01 Vulnerability: win2k-event-viewer-bo Platforms Affected: Windows 2000 Risk Factor: once-only Attack Type: Host Based Brief Description: Windows 2000 event viewer buffer overflow X-Force URL: http://xforce.iss.net/static/6160.php _____ Date Reported: 2/26/01 Vulnerability: netscape-collabra-cpu-dos Platforms Affected: Netscape Risk Factor: Medium Attack Type: Network Based Brief Description: Netscape Collabra CPU denial of service X-Force URL: http://xforce.iss.net/static/6159.php _____ Date Reported: 2/26/01 Vulnerability: netscape-collabra-kernel-dos Platforms Affected: Netscape Risk Factor: Medium Attack Type: Network Based Brief Description: Netscape Collabra Server kernel denial of service X-Force URL: http://xforce.iss.net/static/6158.php _____ Date Reported: 2/23/01 Vulnerability: mercur-expn-bo Platforms Affected: MERCUR Risk Factor: High Attack Type: Network Based Brief Description: MERCUR Mailserver EXPN buffer overflow X-Force URL: http://xforce.iss.net/static/6149.php _____ Date Reported: 2/23/01 Vulnerability: sedum-http-dos Platforms Affected: SEDUM Risk Factor: Medium Attack Type: Network Based Brief Description: SEDUM HTTP server denial of service X-Force URL: http://xforce.iss.net/static/6152.php _____ Date Reported: 2/23/01 Vulnerability: tru64-inetd-dos Platforms Affected: Tru64 Risk Factor: Medium Attack Type: Host Based Brief Description: Tru64 UNIX inetd denial of service X-Force URL: http://xforce.iss.net/static/6157.php _____ Date Reported: 2/22/01 Vulnerability: outlook-vcard-bo Platforms Affected: Microsoft Outlook Risk Factor: High Attack Type: Host Based Brief Description: Outlook and Outlook Express vCards buffer overflow X-Force URL: http://xforce.iss.net/static/6145.php _____ Date Reported: 2/22/01 Vulnerability: ultimatebb-cookie-member-number Platforms Affected: Ultimate Bulletin Board Risk Factor: High Attack Type: Network Based Brief Description: Ultimate Bulletin Board cookie allows attacker to change member number X-Force URL: http://xforce.iss.net/static/6144.php _____ Date Reported: 2/21/01 Vulnerability: ultimatebb-cookie-gain-privileges Platforms Affected: Ultimate Bulletin Board Risk Factor: Medium Attack Type: Network Based Brief Description: Ultimate Bulletin Board allows remote attacker to obtain cookie information X-Force URL: http://xforce.iss.net/static/6142.php _____ Date Reported: 2/21/01 Vulnerability: sendmail-elevate-privileges Platforms Affected: Sendmail Risk Factor: High Attack Type: Host Based Brief Description: Sendmail -bt command could allow the elevation of privileges X-Force URL: http://xforce.iss.net/static/6147.php _____ Date Reported: 2/21/01 Vulnerability: jre-jdk-execute-commands Platforms Affected: JRE/JDK Risk Factor: High Attack Type: Host Based Brief Description: JRE/JDK could allow unauthorized execution of commands X-Force URL: http://xforce.iss.net/static/6143.php _____ Date Reported: 2/20/01 Vulnerability: licq-remote-port-dos Platforms Affected: LICQ Risk Factor: Medium Attack Type: Network Based Brief Description: LICQ remote denial of service X-Force URL: http://xforce.iss.net/static/6134.php _____ Date Reported: 2/20/01 Vulnerability: pgp4pine-expired-keys Platforms Affected: pgp4pine Risk Factor: Medium Attack Type: Host Based Brief Description: pgp4pine may transmit messages using expired public keys X-Force URL: http://xforce.iss.net/static/6135.php _____ Date Reported: 2/20/01 Vulnerability: chilisoft-asp-view-files Platforms Affected: Chili!Soft ASP Risk Factor: High Attack Type: Network Based Brief Description: Chili!Soft ASP allows remote attackers to gain access to sensitive information X-Force URL: http://xforce.iss.net/static/6137.php _____ Date Reported: 2/20/01 Vulnerability: win2k-domain-controller-dos Platforms Affected: Windows 2000 Risk Factor: once-only Attack Type: Network/Host Based Brief Description: Windows 2000 domain controller denial of service X-Force URL: http://xforce.iss.net/static/6136.php _____ Date Reported: 2/19/01 Vulnerability: asx-remote-dos Platforms Affected: ASX Switches Risk Factor: Medium Attack Type: Network Based Brief Description: ASX switches allow remote denial of service X-Force URL: http://xforce.iss.net/static/6133.php _____ Date Reported: 2/18/01 Vulnerability: http-cgi-mailnews-username Platforms Affected: Mailnews.cgi Risk Factor: High Attack Type: Network Based Brief Description: Mailnews.cgi allows remote attacker to execute shell commands using username X-Force URL: http://xforce.iss.net/static/6139.php _____ Date Reported: 2/17/01 Vulnerability: badblue-ext-reveal-path Platforms Affected: BadBlue Risk Factor: Low Attack Type: Network Based Brief Description: BadBlue ext.dll library reveals path X-Force URL: http://xforce.iss.net/static/6130.php _____ Date Reported: 2/17/01 Vulnerability: badblue-ext-dos Platforms Affected: BadBlue Risk Factor: Medium Attack Type: Network Based Brief Description: BadBlue ext.dll library denial of service X-Force URL: http://xforce.iss.net/static/6131.php _____ Date Reported: 2/17/01 Vulnerability: moby-netsuite-bo Platforms Affected: Moby's NetSuite Risk Factor: Medium Attack Type: Network Based Brief Description: Moby's NetSuite Web server buffer overflow X-Force URL: http://xforce.iss.net/static/6132.php _____ Date Reported: 2/16/01 Vulnerability: webactive-directory-traversal Platforms Affected: WEBactive Risk Factor: Medium Attack Type: Network/Host Based Brief Description: WEBactive HTTP Server directory traversal X-Force URL: http://xforce.iss.net/static/6121.php _____ Date Reported: 2/16/01 Vulnerability: esone-cgi-directory-traversal Platforms Affected: ES.One store.cgi Risk Factor: Medium Attack Type: Network Based Brief Description: Thinking Arts ES.One store.cgi directory traversal X-Force URL: http://xforce.iss.net/static/6124.php _____ Date Reported: 2/16/01 Vulnerability: vshell-username-bo Platforms Affected: VShell Risk Factor: High Attack Type: Network Based Brief Description: VShell username buffer overflow X-Force URL: http://xforce.iss.net/static/6146.php _____ Date Reported: 2/16/01 Vulnerability: vshell-port-forwarding-rule Platforms Affected: VShell Risk Factor: Medium Attack Type: Network/Host Based Brief Description: VShell uses weak port forwarding rule X-Force URL: http://xforce.iss.net/static/6148.php _____ Date Reported: 2/15/01 Vulnerability: pi3web-isapi-bo Platforms Affected: Pi3Web Risk Factor: Medium Attack Type: Network/Host Based Brief Description: Pi3Web ISAPI tstisapi.dll denial of service X-Force URL: http://xforce.iss.net/static/6113.php _____ Date Reported: 2/15/01 Vulnerability: pi3web-reveal-path Platforms Affected: Pi3Web Risk Factor: Low Attack Type: Network Based Brief Description: Pi3Web reveals physical path of server X-Force URL: http://xforce.iss.net/static/6114.php _____ Date Reported: 2/15/01 Vulnerability: bajie-execute-shell Platforms Affected: Bajie HTTP JServer Risk Factor: High Attack Type: Network Based Brief Description: Bajie HTTP JServer execute shell commands X-Force URL: http://xforce.iss.net/static/6117.php _____ Date Reported: 2/15/01 Vulnerability: bajie-directory-traversal Platforms Affected: Bajie HTTP JServer Risk Factor: High Attack Type: Network Based Brief Description: Bajie HTTP JServer directory traversal X-Force URL: http://xforce.iss.net/static/6115.php _____ Date Reported: 2/15/01 Vulnerability: resin-directory-traversal Platforms Affected: Resin Risk Factor: Medium Attack Type: Network Based Brief Description: Resin Web server directory traversal X-Force URL: http://xforce.iss.net/static/6118.php _____ Date Reported: 2/15/01 Vulnerability: netware-mitm-recover-passwords Platforms Affected: Netware Risk Factor: Low Attack Type: Network Based Brief Description: Netware "man in the middle" attack password recovery X-Force URL: http://xforce.iss.net/static/6116.php _____ Date Reported: 2/14/01 Vulnerability: firebox-pptp-dos Platforms Affected: WatchGuard Firebox II Risk Factor: High Attack Type: Network Based Brief Description: WatchGuard Firebox II PPTP denial of service X-Force URL: http://xforce.iss.net/static/6109.php _____ Date Reported: 2/14/01 Vulnerability: hp-virtualvault-iws-dos Platforms Affected: HP VirtualVault Risk Factor: Medium Attack Type: Network/Host Based Brief Description: HP VirtualVault iPlanet Web Server denial of service X-Force URL: http://xforce.iss.net/static/6110.php _____ Date Reported: 2/14/01 Vulnerability: kicq-execute-commands Platforms Affected: KICQ Risk Factor: High Attack Type: Network Based Brief Description: kicq could allow remote execution of commands X-Force URL: http://xforce.iss.net/static/6112.php _____ Date Reported: 2/14/01 Vulnerability: hp-text-editor-bo Platforms Affected: HPUX Risk Factor: Medium Attack Type: Host Based Brief Description: HP Text editors buffer overflow X-Force URL: http://xforce.iss.net/static/6111.php _____ Date Reported: 2/13/01 Vulnerability: sendtemp-pl-read-files Platforms Affected: sendtemp.pl Risk Factor: Medium Attack Type: Network/Host Based Brief Description: sendtemp.pl could allow an attacker to read files on the server X-Force URL: http://xforce.iss.net/static/6104.php _____ Date Reported: 2/13/01 Vulnerability: analog-alias-bo Platforms Affected: Analog ALIAS Risk Factor: Medium Attack Type: Network/Host Based Brief Description: Analog ALIAS command buffer overflow X-Force URL: http://xforce.iss.net/static/6105.php _____ Date Reported: 2/13/01 Vulnerability: elm-long-string-bo Platforms Affected: Elm Risk Factor: Medium Attack Type: Host Based Brief Description: ELM -f command long string buffer overflow X-Force URL: http://xforce.iss.net/static/6151.php _____ Date Reported: 2/13/01 Vulnerability: winnt-pptp-dos Platforms Affected: Windows NT Risk Factor: Medium Attack Type: Network Based Brief Description: Windows NT PPTP denial of service X-Force URL: http://xforce.iss.net/static/6103.php _____ Date Reported: 2/12/01 Vulnerability: startinnfeed-format-string Platforms Affected: Inn Risk Factor: High Attack Type: Host Based Brief Description: Inn 'startinnfeed' binary format string attack X-Force URL: http://xforce.iss.net/static/6099.php _____ Date Reported: 2/12/01 Vulnerability: his-auktion-cgi-url Platforms Affected: HIS Auktion Risk Factor: Medium Attack Type: Network/Host Based Brief Description: HIS Auktion CGI script could allow attackers to view unauthorized files or execute commands X-Force URL: http://xforce.iss.net/static/6090.php _____ Date Reported: 2/12/01 Vulnerability: wayboard-cgi-view-files Platforms Affected: Way-BOARD Risk Factor: Medium Attack Type: Network Based Brief Description: Way-BOARD CGI could allow attackers to view unauthorized files X-Force URL: http://xforce.iss.net/static/6091.php _____ Date Reported: 2/12/01 Vulnerability: muskat-empower-url-dir Platforms Affected: Musket Empower Risk Factor: Low Attack Type: Network/Host Based Brief Description: Musket Empower could allow attackers to gain access to the DB directory path X-Force URL: http://xforce.iss.net/static/6093.php _____ Date Reported: 2/12/01 Vulnerability: icq-icu-rtf-dos Platforms Affected: LICQ Gnome ICU Risk Factor: Low Attack Type: Network/Host Based Brief Description: LICQ and Gnome ICU rtf file denial of service X-Force URL: http://xforce.iss.net/static/6096.php _____ Date Reported: 2/12/01 Vulnerability: commerce-cgi-view-files Platforms Affected: Commerce.cgi Risk Factor: Medium Attack Type: Network Based Brief Description: Commerce.cgi could allow attackers to view unauthorized files X-Force URL: http://xforce.iss.net/static/6095.php _____ Date Reported: 2/12/01 Vulnerability: roads-search-view-files Platforms Affected: ROADS Risk Factor: Medium Attack Type: Network Based Brief Description: ROADS could allow attackers to view unauthorized files using search.pl program X-Force URL: http://xforce.iss.net/static/6097.php _____ Date Reported: 2/12/01 Vulnerability: webpage-cgi-view-info Platforms Affected: WebPage.cgi Risk Factor: Low Attack Type: Network Based Brief Description: WebPage.cgi allows attackers to view sensitive information X-Force URL: http://xforce.iss.net/static/6100.php _____ Date Reported: 2/12/01 Vulnerability: webspirs-cgi-view-files Platforms Affected: WebSPIRS Risk Factor: Medium Attack Type: Network Based Brief Description: WebSPIRS CGI could allow an attacker to view unauthorized files X-Force URL: http://xforce.iss.net/static/6101.php _____ Date Reported: 2/12/01 Vulnerability: webpals-library-cgi-url Platforms Affected: WebPALS Risk Factor: Medium Attack Type: Network Based Brief Description: WebPALS Library System CGI script could allow attackers to view unauthorized files or execute commands X-Force URL: http://xforce.iss.net/static/6102.php _____ Date Reported: 2/11/01 Vulnerability: cobol-apptrack-nolicense-permissions Platforms Affected: MicroFocus Cobol Risk Factor: High Attack Type: Host Based Brief Description: MicroFocus Cobol with AppTrack enabled with nolicense permissions X-Force URL: http://xforce.iss.net/static/6092.php _____ Date Reported: 2/11/01 Vulnerability: cobol-apptrack-nolicense-symlink Platforms Affected: MicroFocus Cobol Risk Factor: High Attack Type: Host Based Brief Description: MicroFocus Cobol with AppTrack enabled allows symlink in nolicense X-Force URL: http://xforce.iss.net/static/6094.php _____ Date Reported: 2/10/01 Vulnerability: vixie-crontab-bo Platforms Affected: Vixie crontab Risk Factor: Medium Attack Type: Host Based Brief Description: Vixie crontab buffer overflow X-Force URL: http://xforce.iss.net/static/6098.php _____ Date Reported: 2/10/01 Vulnerability: novell-groupwise-bypass-policies Platforms Affected: Novell GroupWise Risk Factor: Medium Attack Type: Network/Host Based Brief Description: Novell Groupwise allows user to bypass policies and view files X-Force URL: http://xforce.iss.net/static/6089.php _____ Date Reported: 2/9/01 Vulnerability: infobot-calc-gain-access Platforms Affected: Infobot Risk Factor: High Attack Type: Network Based Brief Description: Infobot 'calc' command allows remote users to gain access X-Force URL: http://xforce.iss.net/static/6078.php _____ Date Reported: 2/8/01 Vulnerability: linux-sysctl-read-memory Platforms Affected: Linux Risk Factor: Medium Attack Type: Host Based Brief Description: Linux kernel sysctl() read memory X-Force URL: http://xforce.iss.net/static/6079.php _____ Date Reported: 2/8/01 Vulnerability: openssh-bypass-authentication Platforms Affected: OpenSSH Risk Factor: High Attack Type: Network/Host Based Brief Description: OpenSSH 2.3.1 allows remote users to bypass authentication X-Force URL: http://xforce.iss.net/static/6084.php _____ Date Reported: 2/8/01 Vulnerability: lotus-notes-stored-forms Platforms Affected: Lotus Notes Risk Factor: High Attack Type: Network/Host Based Brief Description: Lotus Notes stored forms X-Force URL: http://xforce.iss.net/static/6087.php _____ Date Reported: 2/8/01 Vulnerability: linux-ptrace-modify-process Platforms Affected: Linux Risk Factor: High Attack Type: Host Based Brief Description: Linux kernel ptrace modify process X-Force URL: http://xforce.iss.net/static/6080.php _____ Date Reported: 2/8/01 Vulnerability: ssh-deattack-overwrite-memory Platforms Affected: SSH Risk Factor: High Attack Type: Network/Host Based Brief Description: SSH protocol 1.5 deattack.c allows memory to be overwritten X-Force URL: http://xforce.iss.net/static/6083.php _____ Date Reported: 2/7/01 Vulnerability: dc20ctrl-port-bo Platforms Affected: FreeBSD Risk Factor: Medium Attack Type: Host Based Brief Description: FreeBSD dc20ctrl port buffer overflow X-Force URL: http://xforce.iss.net/static/6077.php _____ Date Reported: 2/7/01 Vulnerability: ja-xklock-bo Platforms Affected: FreeBSD Risk Factor: High Attack Type: Host Based Brief Description: ja-xklock buffer overflow X-Force URL: http://xforce.iss.net/static/6073.php _____ Date Reported: 2/7/01 Vulnerability: ja-elvis-elvrec-bo Platforms Affected: FreeBSD Risk Factor: High Attack Type: Host Based Brief Description: FreeBSD ja-elvis port buffer overflow X-Force URL: http://xforce.iss.net/static/6074.php _____ Date Reported: 2/7/01 Vulnerability: ko-helvis-elvrec-bo Platforms Affected: FreeBSD Risk Factor: High Attack Type: Host Based Brief Description: FreeBSD ko-helvis port buffer overflow X-Force URL: http://xforce.iss.net/static/6075.php _____ Date Reported: 2/7/01 Vulnerability: serverworx-directory-traversal Platforms Affected: ServerWorx Risk Factor: Medium Attack Type: Network Based Brief Description: ServerWorx directory traversal X-Force URL: http://xforce.iss.net/static/6081.php _____ Date Reported: 2/7/01 Vulnerability: ntlm-ssp-elevate-privileges Platforms Affected: NTLM Risk Factor: High Attack Type: Host Based Brief Description: NTLM Security Support Provider could allow elevation of privileges X-Force URL: http://xforce.iss.net/static/6076.php _____ Date Reported: 2/7/01 Vulnerability: ssh-session-key-recovery Platforms Affected: SSH Risk Factor: High Attack Type: Network/Host Based Brief Description: SSH protocol 1.5 session key recovery X-Force URL: http://xforce.iss.net/static/6082.php _____ Date Reported: 2/6/01 Vulnerability: aolserver-directory-traversal Platforms Affected: AOLserver Risk Factor: Medium Attack Type: Network Based Brief Description: AOLserver directory traversal X-Force URL: http://xforce.iss.net/static/6069.php _____ Date Reported: 2/6/01 Vulnerability: chilisoft-asp-elevate-privileges Platforms Affected: Chili!Soft Risk Factor: High Attack Type: Network/Host Based Brief Description: Chili!Soft ASP could allow elevated privileges X-Force URL: http://xforce.iss.net/static/6072.php _____ Date Reported: 2/6/01 Vulnerability: win-udp-dos Platforms Affected: Windows Risk Factor: Medium Attack Type: Network/Host Based Brief Description: Windows UDP socket denial of service X-Force URL: http://xforce.iss.net/static/6070.php _____ Date Reported: 2/5/01 Vulnerability: ssh-daemon-failed-login Platforms Affected: SSH Risk Factor: High Attack Type: Network/Host Based Brief Description: SSH daemon failed login attempts are not logged X-Force URL: http://xforce.iss.net/static/6071.php _____ Date Reported: 2/5/01 Vulnerability: picserver-directory-traversal Platforms Affected: PicServer Risk Factor: Medium Attack Type: Network Based Brief Description: PicServer directory traversal X-Force URL: http://xforce.iss.net/static/6065.php _____ Date Reported: 2/5/01 Vulnerability: biblioweb-directory-traversal Platforms Affected: BiblioWeb Risk Factor: Medium Attack Type: Network Based Brief Description: BiblioWeb Server directory traversal X-Force URL: http://xforce.iss.net/static/6066.php _____ Date Reported: 2/5/01 Vulnerability: biblioweb-get-dos Platforms Affected: BiblioWeb Risk Factor: Low Attack Type: Network Based Brief Description: BiblioWeb Server GET request denial of service X-Force URL: http://xforce.iss.net/static/6068.php _____ Date Reported: 2/5/01 Vulnerability: ibm-netcommerce-reveal-information Platforms Affected: IBM Risk Factor: Medium Attack Type: Network/Host Based Brief Description: IBM Net.Commerce could reveal sensitive information X-Force URL: http://xforce.iss.net/static/6067.php _____ Date Reported: 2/5/01 Vulnerability: win-dde-elevate-privileges Platforms Affected: Windows DDE Risk Factor: High Attack Type: Host Based Brief Description: Windows DDE can allow the elevation of privileges X-Force URL: http://xforce.iss.net/static/6062.php _____ Date Reported: 2/4/01 Vulnerability: hsweb-directory-browsing Platforms Affected: HSWeb Risk Factor: Low Attack Type: Network Based Brief Description: HSWeb Web Server allows attacker to browse directories X-Force URL: http://xforce.iss.net/static/6061.php _____ Date Reported: 2/4/01 Vulnerability: sedum-directory-traversal Platforms Affected: SEDUM Risk Factor: Medium Attack Type: Network Based Brief Description: SEDUM HTTP Server directory traversal X-Force URL: http://xforce.iss.net/static/6063.php _____ Date Reported: 2/4/01 Vulnerability: free-java-directory-traversal Platforms Affected: Free Java Risk Factor: Medium Attack Type: Network Based Brief Description: Free Java Web Server directory traversal X-Force URL: http://xforce.iss.net/static/6064.php _____ Date Reported: 2/2/01 Vulnerability: goahead-directory-traversal Platforms Affected: GoAhead Risk Factor: High Attack Type: Network Based Brief Description: GoAhead Web Server directory traversal X-Force URL: http://xforce.iss.net/static/6046.php _____ Date Reported: 2/2/01 Vulnerability: gnuserv-tcp-cookie-overflow Platforms Affected: Gnuserv Risk Factor: High Attack Type: Network/Host Based Brief Description: Gnuserv TCP enabled cookie buffer overflow X-Force URL: http://xforce.iss.net/static/6056.php _____ Date Reported: 2/2/01 Vulnerability: xmail-ctrlserver-bo Platforms Affected: Xmail CTRLServer Risk Factor: High Attack Type: Network Based Brief Description: XMail CTRLServer buffer overflow X-Force URL: http://xforce.iss.net/static/6060.php _____ Date Reported: 2/2/01 Vulnerability: netscape-webpublisher-acl-permissions Platforms Affected: Netscape Web Publisher Risk Factor: Medium Attack Type: Network Based Brief Description: Netcape Web Publisher poor ACL permissions X-Force URL: http://xforce.iss.net/static/6058.php _____ Date Reported: 2/1/01 Vulnerability: cups-httpgets-dos Platforms Affected: CUPS Risk Factor: High Attack Type: Host Based Brief Description: CUPS httpGets() function denial of service X-Force URL: http://xforce.iss.net/static/6043.php _____ Date Reported: 2/1/01 Vulnerability: prospero-get-pin Platforms Affected: Prospero Risk Factor: High Attack Type: Network/Host Based Brief Description: Prospero GET request reveals PIN information X-Force URL: http://xforce.iss.net/static/6044.php _____ Date Reported: 2/1/01 Vulnerability: prospero-weak-permissions Platforms Affected: Prospero Risk Factor: High Attack Type: Network/Host Based Brief Description: Prospero uses weak permissions X-Force URL: http://xforce.iss.net/static/6045.php _____ Risk Factor Key: High Any vulnerability that provides an attacker with immediate access into a machine, gains superuser access, or bypasses a firewall. Example: A vulnerable Sendmail 8.6.5 version that allows an intruder to execute commands on mail server. Medium Any vulnerability that provides information that has a high potential of giving system access to an intruder. Example: A misconfigured TFTP or vulnerable NIS server that allows an intruder to get the password file that could contain an account with a guessable password. Low Any vulnerability that provides information that potentially could lead to a compromise. Example: A finger that allows an intruder to find out who is online and potential accounts to attempt to crack passwords via brute force methods. ________ ISS is a leading global provider of security management solutions for e-business. By offering best-of-breed SAFEsuite(tm) security software, comprehensive ePatrol(tm) monitoring services and industry-leading expertise, ISS serves as its customers' trusted security provider protecting digital assets and ensuring the availability, confidentiality and integrity of computer systems and information critical to e-business success. ISS' security management solutions protect more than 5,000 customers including 21 of the 25 largest U.S. commercial banks, 9 of the 10 largest telecommunications companies and over 35 government agencies. Founded in 1994, ISS is headquartered in Atlanta, GA, with additional offices throughout North America and international operations in Asia, Australia, Europe and Latin America. For more information, visit the ISS Web site at www.iss.net or call 800-776-2362. Copyright (c) 2001 by Internet Security Systems, Inc. Permission is hereby granted for the redistribution of this Alert electronically. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Alert in any other medium excluding electronic medium, please e-mail xforce@iss.net for permission. Disclaimer The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. X-Force PGP Key available at: http://xforce.iss.net/sensitive.php as well as on MIT's PGP key server and PGP.com's key server. Please send suggestions, updates, and comments to: X-Force xforce@iss.net of Internet Security Systems, Inc. -----BEGIN PGP SIGNATURE----- Version: 2.6.3a Charset: noconv iQCVAwUBOqb8ojRfJiV99eG9AQGEaAP+KH+SQYNBsbUcv/mUJNUz7dDPIYVcmPNV 1xyO/ctnG6qScWnlXGltYS7Rj8T8tYAAZC77oDhFSvvs8CX1Dr32ImEyvOIJhMLA h0wKCV3HOAYJ662BASe3jbO3nL/bumNKCRL5heuIU85pQOuH9xbqXkmFEimDmG2B tT+ylKw4hn4= =kfHg -----END PGP SIGNATURE-----

Buffer overflow in the text editor functionality in HP-UX 10.01 through 11.04 on HP9000 Series 700 and Series 800 allows local users to cause a denial of service ("system availability") via text editors such as (1) e, (2) ex, (3) vi, (4) edit, (5) view, and (6) vedit. A buffer overflow in the text editor on certain Hewlett-Packard systems could compromise system availability. Multiple Cisco networking products contain a denial-of-service vulnerability. There is an information integrity vulnerability in the SSH1 protocol that allows packets encrypted with a block cipher to be modified without notice. There is a remote integer overflow vulnerability in several implementations of the SSH1 protocol that allows an attacker to execute arbitrary code with the privileges of the SSH daemon, typically root. The program pgp4pine version 1.75.6 fails to properly identify expired keys when working with the Gnu Privacy Guard program (GnuPG). This failure may result in the clear-text transmission of senstive information when used with the PINE mail reading package. The SEDUM web server permits intruders to access files outside the web root. While addressing vulnerabilities described in http://www.cisco.com/warp/public/707/SSH-multiple-pub.html, a denial of service condition has been inadvertently introduced into firmware upgrades. Firmware for routers and switches (IOS), Catalyst 6000 switches running CatOS, Cisco PIX Firewall and Cisco 11000 Content Service Switch devices may be vulnerable. Cisco has reported that scanning for SSH vulnerabilities on affected devices will cause excessive CPU consumption. The condition is due to a failure of the Cisco SSH implementation to properly process large SSH packets. Repeated and concurrent attacks may result in a denial of device service. As many of these devices are critical infrastructure components, more serious network outages may occur. Cisco has released upgrades that will eliminate this vulnerability. HP-UX is prone to a denial-of-service vulnerability

The IDEA cipher as implemented by SSH1 does not protect the final block of a message against modification, which allows remote attackers to modify the block without detection by changing its cyclic redundancy check (CRC) to match the modifications to the message. Multiple Cisco networking products contain a denial-of-service vulnerability. There is an information integrity vulnerability in the SSH1 protocol that allows packets encrypted with a block cipher to be modified without notice. There is a remote integer overflow vulnerability in several implementations of the SSH1 protocol that allows an attacker to execute arbitrary code with the privileges of the SSH daemon, typically root. The program pgp4pine version 1.75.6 fails to properly identify expired keys when working with the Gnu Privacy Guard program (GnuPG). This failure may result in the clear-text transmission of senstive information when used with the PINE mail reading package. The SEDUM web server permits intruders to access files outside the web root. Secure Shell, or SSH, is an encrypted remote access protocol. SSH or code based on SSH is used by many systems all over the world and in a wide variety of commercial applications. An integer-overflow bug in the CRC32 compensation attack detection code may allow remote attackers to write values to arbitrary locations in memory. This would occur in situations where large SSH packets are recieved by either a client or server, and a 32 bit representation of the SSH packet length is assigned to a 16 bit integer. The difference in data representation in these situations will cause the 16 bit variable to be assigned to zero (or a really low value). As a result, future calls to malloc() as well as an index used to reference locations in memory can be corrupted by an attacker. This could occur in a manner that can be exploited to write certain numerical values to almost arbitrary locations in memory. **UPDATE**: There have been reports suggesting that exploitation of this vulnerability may be widespread. Since early september, independent, reliable sources have confirmed that this vulnerability is being exploited by attackers on the Internet. Security Focus does not currently have the exploit code being used, however this record will be updated if and when it becomes available. NOTE: Cisco 11000 Content Service Switch family is vulnerable to this issue. All WebNS releases prior, but excluding, versions: 4.01 B42s, 4.10 22s, 5.0 B11s, 5.01 B6s, are vulnerable. Secure Computing SafeWord Agent for SSH is reportedly prone to this issue, as it is based on a vulnerable version of SSH. ** NetScreen ScreenOS is not directly vulnerable to this issue, however the referenced exploit will cause devices using vulnerable versions of the software to stop functioning properly. This will result in a denial of service condition for NetScreen devices. This issue is in the Secure Command Shell (SCS) administrative interface, which is an implementation of SSHv1. SCS is not enabled on NetScreen devices by default. Cisco has reported that scanning for SSH vulnerabilities on affected devices will cause excessive CPU consumption. The condition is due to a failure of the Cisco SSH implementation to properly process large SSH packets. As many of these devices are critical infrastructure components, more serious network outages may occur. Cisco has released upgrades that will eliminate this vulnerability. An expired public key could cause GPG to fail the encryption of an outgoing message, without any error message or warning being delivered to the user. As a result, the user could transmit data, meant to be encrypted, as plaintext. SSH is prone to a denial-of-service vulnerability. TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to majordomo@iss.net Contact alert-owner@iss.net for help with any problems! --------------------------------------------------------------------------- -----BEGIN PGP SIGNED MESSAGE----- ISS X-Force has received reports that some individuals were unable to verify the PGP signature on the Security Alert Summary distributed earlier in the week. Due to this issue, X-Force is re-distributing the Security Alert Summary. We apologize for any inconvience this may have caused. Internet Security Systems Security Alert Summary March 5, 2001 Volume 6 Number 4 X-Force Vulnerability and Threat Database: http://xforce.iss.net/ To receive these Alert Summaries as well as other Alerts and Advisories, subscribe to the Internet Security Systems Alert mailing list at: http://xforce.iss.net/maillists/index.php This summary can be found at http://xforce.iss.net/alerts/vol-6_num-4.php _____ Contents 90 Reported Vulnerabilities Risk Factor Key _____ Date Reported: 2/27/01 Vulnerability: a1-server-dos Platforms Affected: A1 Server Risk Factor: Medium Attack Type: Network Based Brief Description: A1 Server denial of service X-Force URL: http://xforce.iss.net/static/6161.php _____ Date Reported: 2/27/01 Vulnerability: a1-server-directory-traversal Platforms Affected: A1 Server Risk Factor: Medium Attack Type: Network Based Brief Description: A1 Server directory traversal X-Force URL: http://xforce.iss.net/static/6162.php _____ Date Reported: 2/27/01 Vulnerability: webreflex-web-server-dos Platforms Affected: WebReflex Risk Factor: Medium Attack Type: Network Based Brief Description: WebReflex Web server denial of service X-Force URL: http://xforce.iss.net/static/6163.php _____ Date Reported: 2/26/01 Vulnerability: sudo-bo-elevate-privileges Platforms Affected: Sudo Risk Factor: Medium Attack Type: Host Based Brief Description: Sudo buffer overflow could allow elevated user privileges X-Force URL: http://xforce.iss.net/static/6153.php _____ Date Reported: 2/26/01 Vulnerability: mygetright-skin-overwrite-file Platforms Affected: My GetRight Risk Factor: High Attack Type: Network Based Brief Description: My GetRight 'skin' allows remote attacker to overwrite existing files X-Force URL: http://xforce.iss.net/static/6155.php _____ Date Reported: 2/26/01 Vulnerability: mygetright-directory-traversal Platforms Affected: My GetRight Risk Factor: Medium Attack Type: Network Based Brief Description: My GetRight directory traversal X-Force URL: http://xforce.iss.net/static/6156.php _____ Date Reported: 2/26/01 Vulnerability: win2k-event-viewer-bo Platforms Affected: Windows 2000 Risk Factor: once-only Attack Type: Host Based Brief Description: Windows 2000 event viewer buffer overflow X-Force URL: http://xforce.iss.net/static/6160.php _____ Date Reported: 2/26/01 Vulnerability: netscape-collabra-cpu-dos Platforms Affected: Netscape Risk Factor: Medium Attack Type: Network Based Brief Description: Netscape Collabra CPU denial of service X-Force URL: http://xforce.iss.net/static/6159.php _____ Date Reported: 2/26/01 Vulnerability: netscape-collabra-kernel-dos Platforms Affected: Netscape Risk Factor: Medium Attack Type: Network Based Brief Description: Netscape Collabra Server kernel denial of service X-Force URL: http://xforce.iss.net/static/6158.php _____ Date Reported: 2/23/01 Vulnerability: mercur-expn-bo Platforms Affected: MERCUR Risk Factor: High Attack Type: Network Based Brief Description: MERCUR Mailserver EXPN buffer overflow X-Force URL: http://xforce.iss.net/static/6149.php _____ Date Reported: 2/23/01 Vulnerability: sedum-http-dos Platforms Affected: SEDUM Risk Factor: Medium Attack Type: Network Based Brief Description: SEDUM HTTP server denial of service X-Force URL: http://xforce.iss.net/static/6152.php _____ Date Reported: 2/23/01 Vulnerability: tru64-inetd-dos Platforms Affected: Tru64 Risk Factor: Medium Attack Type: Host Based Brief Description: Tru64 UNIX inetd denial of service X-Force URL: http://xforce.iss.net/static/6157.php _____ Date Reported: 2/22/01 Vulnerability: outlook-vcard-bo Platforms Affected: Microsoft Outlook Risk Factor: High Attack Type: Host Based Brief Description: Outlook and Outlook Express vCards buffer overflow X-Force URL: http://xforce.iss.net/static/6145.php _____ Date Reported: 2/22/01 Vulnerability: ultimatebb-cookie-member-number Platforms Affected: Ultimate Bulletin Board Risk Factor: High Attack Type: Network Based Brief Description: Ultimate Bulletin Board cookie allows attacker to change member number X-Force URL: http://xforce.iss.net/static/6144.php _____ Date Reported: 2/21/01 Vulnerability: ultimatebb-cookie-gain-privileges Platforms Affected: Ultimate Bulletin Board Risk Factor: Medium Attack Type: Network Based Brief Description: Ultimate Bulletin Board allows remote attacker to obtain cookie information X-Force URL: http://xforce.iss.net/static/6142.php _____ Date Reported: 2/21/01 Vulnerability: sendmail-elevate-privileges Platforms Affected: Sendmail Risk Factor: High Attack Type: Host Based Brief Description: Sendmail -bt command could allow the elevation of privileges X-Force URL: http://xforce.iss.net/static/6147.php _____ Date Reported: 2/21/01 Vulnerability: jre-jdk-execute-commands Platforms Affected: JRE/JDK Risk Factor: High Attack Type: Host Based Brief Description: JRE/JDK could allow unauthorized execution of commands X-Force URL: http://xforce.iss.net/static/6143.php _____ Date Reported: 2/20/01 Vulnerability: licq-remote-port-dos Platforms Affected: LICQ Risk Factor: Medium Attack Type: Network Based Brief Description: LICQ remote denial of service X-Force URL: http://xforce.iss.net/static/6134.php _____ Date Reported: 2/20/01 Vulnerability: pgp4pine-expired-keys Platforms Affected: pgp4pine Risk Factor: Medium Attack Type: Host Based Brief Description: pgp4pine may transmit messages using expired public keys X-Force URL: http://xforce.iss.net/static/6135.php _____ Date Reported: 2/20/01 Vulnerability: chilisoft-asp-view-files Platforms Affected: Chili!Soft ASP Risk Factor: High Attack Type: Network Based Brief Description: Chili!Soft ASP allows remote attackers to gain access to sensitive information X-Force URL: http://xforce.iss.net/static/6137.php _____ Date Reported: 2/20/01 Vulnerability: win2k-domain-controller-dos Platforms Affected: Windows 2000 Risk Factor: once-only Attack Type: Network/Host Based Brief Description: Windows 2000 domain controller denial of service X-Force URL: http://xforce.iss.net/static/6136.php _____ Date Reported: 2/19/01 Vulnerability: asx-remote-dos Platforms Affected: ASX Switches Risk Factor: Medium Attack Type: Network Based Brief Description: ASX switches allow remote denial of service X-Force URL: http://xforce.iss.net/static/6133.php _____ Date Reported: 2/18/01 Vulnerability: http-cgi-mailnews-username Platforms Affected: Mailnews.cgi Risk Factor: High Attack Type: Network Based Brief Description: Mailnews.cgi allows remote attacker to execute shell commands using username X-Force URL: http://xforce.iss.net/static/6139.php _____ Date Reported: 2/17/01 Vulnerability: badblue-ext-reveal-path Platforms Affected: BadBlue Risk Factor: Low Attack Type: Network Based Brief Description: BadBlue ext.dll library reveals path X-Force URL: http://xforce.iss.net/static/6130.php _____ Date Reported: 2/17/01 Vulnerability: badblue-ext-dos Platforms Affected: BadBlue Risk Factor: Medium Attack Type: Network Based Brief Description: BadBlue ext.dll library denial of service X-Force URL: http://xforce.iss.net/static/6131.php _____ Date Reported: 2/17/01 Vulnerability: moby-netsuite-bo Platforms Affected: Moby's NetSuite Risk Factor: Medium Attack Type: Network Based Brief Description: Moby's NetSuite Web server buffer overflow X-Force URL: http://xforce.iss.net/static/6132.php _____ Date Reported: 2/16/01 Vulnerability: webactive-directory-traversal Platforms Affected: WEBactive Risk Factor: Medium Attack Type: Network/Host Based Brief Description: WEBactive HTTP Server directory traversal X-Force URL: http://xforce.iss.net/static/6121.php _____ Date Reported: 2/16/01 Vulnerability: esone-cgi-directory-traversal Platforms Affected: ES.One store.cgi Risk Factor: Medium Attack Type: Network Based Brief Description: Thinking Arts ES.One store.cgi directory traversal X-Force URL: http://xforce.iss.net/static/6124.php _____ Date Reported: 2/16/01 Vulnerability: vshell-username-bo Platforms Affected: VShell Risk Factor: High Attack Type: Network Based Brief Description: VShell username buffer overflow X-Force URL: http://xforce.iss.net/static/6146.php _____ Date Reported: 2/16/01 Vulnerability: vshell-port-forwarding-rule Platforms Affected: VShell Risk Factor: Medium Attack Type: Network/Host Based Brief Description: VShell uses weak port forwarding rule X-Force URL: http://xforce.iss.net/static/6148.php _____ Date Reported: 2/15/01 Vulnerability: pi3web-isapi-bo Platforms Affected: Pi3Web Risk Factor: Medium Attack Type: Network/Host Based Brief Description: Pi3Web ISAPI tstisapi.dll denial of service X-Force URL: http://xforce.iss.net/static/6113.php _____ Date Reported: 2/15/01 Vulnerability: pi3web-reveal-path Platforms Affected: Pi3Web Risk Factor: Low Attack Type: Network Based Brief Description: Pi3Web reveals physical path of server X-Force URL: http://xforce.iss.net/static/6114.php _____ Date Reported: 2/15/01 Vulnerability: bajie-execute-shell Platforms Affected: Bajie HTTP JServer Risk Factor: High Attack Type: Network Based Brief Description: Bajie HTTP JServer execute shell commands X-Force URL: http://xforce.iss.net/static/6117.php _____ Date Reported: 2/15/01 Vulnerability: bajie-directory-traversal Platforms Affected: Bajie HTTP JServer Risk Factor: High Attack Type: Network Based Brief Description: Bajie HTTP JServer directory traversal X-Force URL: http://xforce.iss.net/static/6115.php _____ Date Reported: 2/15/01 Vulnerability: resin-directory-traversal Platforms Affected: Resin Risk Factor: Medium Attack Type: Network Based Brief Description: Resin Web server directory traversal X-Force URL: http://xforce.iss.net/static/6118.php _____ Date Reported: 2/15/01 Vulnerability: netware-mitm-recover-passwords Platforms Affected: Netware Risk Factor: Low Attack Type: Network Based Brief Description: Netware "man in the middle" attack password recovery X-Force URL: http://xforce.iss.net/static/6116.php _____ Date Reported: 2/14/01 Vulnerability: firebox-pptp-dos Platforms Affected: WatchGuard Firebox II Risk Factor: High Attack Type: Network Based Brief Description: WatchGuard Firebox II PPTP denial of service X-Force URL: http://xforce.iss.net/static/6109.php _____ Date Reported: 2/14/01 Vulnerability: hp-virtualvault-iws-dos Platforms Affected: HP VirtualVault Risk Factor: Medium Attack Type: Network/Host Based Brief Description: HP VirtualVault iPlanet Web Server denial of service X-Force URL: http://xforce.iss.net/static/6110.php _____ Date Reported: 2/14/01 Vulnerability: kicq-execute-commands Platforms Affected: KICQ Risk Factor: High Attack Type: Network Based Brief Description: kicq could allow remote execution of commands X-Force URL: http://xforce.iss.net/static/6112.php _____ Date Reported: 2/14/01 Vulnerability: hp-text-editor-bo Platforms Affected: HPUX Risk Factor: Medium Attack Type: Host Based Brief Description: HP Text editors buffer overflow X-Force URL: http://xforce.iss.net/static/6111.php _____ Date Reported: 2/13/01 Vulnerability: sendtemp-pl-read-files Platforms Affected: sendtemp.pl Risk Factor: Medium Attack Type: Network/Host Based Brief Description: sendtemp.pl could allow an attacker to read files on the server X-Force URL: http://xforce.iss.net/static/6104.php _____ Date Reported: 2/13/01 Vulnerability: analog-alias-bo Platforms Affected: Analog ALIAS Risk Factor: Medium Attack Type: Network/Host Based Brief Description: Analog ALIAS command buffer overflow X-Force URL: http://xforce.iss.net/static/6105.php _____ Date Reported: 2/13/01 Vulnerability: elm-long-string-bo Platforms Affected: Elm Risk Factor: Medium Attack Type: Host Based Brief Description: ELM -f command long string buffer overflow X-Force URL: http://xforce.iss.net/static/6151.php _____ Date Reported: 2/13/01 Vulnerability: winnt-pptp-dos Platforms Affected: Windows NT Risk Factor: Medium Attack Type: Network Based Brief Description: Windows NT PPTP denial of service X-Force URL: http://xforce.iss.net/static/6103.php _____ Date Reported: 2/12/01 Vulnerability: startinnfeed-format-string Platforms Affected: Inn Risk Factor: High Attack Type: Host Based Brief Description: Inn 'startinnfeed' binary format string attack X-Force URL: http://xforce.iss.net/static/6099.php _____ Date Reported: 2/12/01 Vulnerability: his-auktion-cgi-url Platforms Affected: HIS Auktion Risk Factor: Medium Attack Type: Network/Host Based Brief Description: HIS Auktion CGI script could allow attackers to view unauthorized files or execute commands X-Force URL: http://xforce.iss.net/static/6090.php _____ Date Reported: 2/12/01 Vulnerability: wayboard-cgi-view-files Platforms Affected: Way-BOARD Risk Factor: Medium Attack Type: Network Based Brief Description: Way-BOARD CGI could allow attackers to view unauthorized files X-Force URL: http://xforce.iss.net/static/6091.php _____ Date Reported: 2/12/01 Vulnerability: muskat-empower-url-dir Platforms Affected: Musket Empower Risk Factor: Low Attack Type: Network/Host Based Brief Description: Musket Empower could allow attackers to gain access to the DB directory path X-Force URL: http://xforce.iss.net/static/6093.php _____ Date Reported: 2/12/01 Vulnerability: icq-icu-rtf-dos Platforms Affected: LICQ Gnome ICU Risk Factor: Low Attack Type: Network/Host Based Brief Description: LICQ and Gnome ICU rtf file denial of service X-Force URL: http://xforce.iss.net/static/6096.php _____ Date Reported: 2/12/01 Vulnerability: commerce-cgi-view-files Platforms Affected: Commerce.cgi Risk Factor: Medium Attack Type: Network Based Brief Description: Commerce.cgi could allow attackers to view unauthorized files X-Force URL: http://xforce.iss.net/static/6095.php _____ Date Reported: 2/12/01 Vulnerability: roads-search-view-files Platforms Affected: ROADS Risk Factor: Medium Attack Type: Network Based Brief Description: ROADS could allow attackers to view unauthorized files using search.pl program X-Force URL: http://xforce.iss.net/static/6097.php _____ Date Reported: 2/12/01 Vulnerability: webpage-cgi-view-info Platforms Affected: WebPage.cgi Risk Factor: Low Attack Type: Network Based Brief Description: WebPage.cgi allows attackers to view sensitive information X-Force URL: http://xforce.iss.net/static/6100.php _____ Date Reported: 2/12/01 Vulnerability: webspirs-cgi-view-files Platforms Affected: WebSPIRS Risk Factor: Medium Attack Type: Network Based Brief Description: WebSPIRS CGI could allow an attacker to view unauthorized files X-Force URL: http://xforce.iss.net/static/6101.php _____ Date Reported: 2/12/01 Vulnerability: webpals-library-cgi-url Platforms Affected: WebPALS Risk Factor: Medium Attack Type: Network Based Brief Description: WebPALS Library System CGI script could allow attackers to view unauthorized files or execute commands X-Force URL: http://xforce.iss.net/static/6102.php _____ Date Reported: 2/11/01 Vulnerability: cobol-apptrack-nolicense-permissions Platforms Affected: MicroFocus Cobol Risk Factor: High Attack Type: Host Based Brief Description: MicroFocus Cobol with AppTrack enabled with nolicense permissions X-Force URL: http://xforce.iss.net/static/6092.php _____ Date Reported: 2/11/01 Vulnerability: cobol-apptrack-nolicense-symlink Platforms Affected: MicroFocus Cobol Risk Factor: High Attack Type: Host Based Brief Description: MicroFocus Cobol with AppTrack enabled allows symlink in nolicense X-Force URL: http://xforce.iss.net/static/6094.php _____ Date Reported: 2/10/01 Vulnerability: vixie-crontab-bo Platforms Affected: Vixie crontab Risk Factor: Medium Attack Type: Host Based Brief Description: Vixie crontab buffer overflow X-Force URL: http://xforce.iss.net/static/6098.php _____ Date Reported: 2/10/01 Vulnerability: novell-groupwise-bypass-policies Platforms Affected: Novell GroupWise Risk Factor: Medium Attack Type: Network/Host Based Brief Description: Novell Groupwise allows user to bypass policies and view files X-Force URL: http://xforce.iss.net/static/6089.php _____ Date Reported: 2/9/01 Vulnerability: infobot-calc-gain-access Platforms Affected: Infobot Risk Factor: High Attack Type: Network Based Brief Description: Infobot 'calc' command allows remote users to gain access X-Force URL: http://xforce.iss.net/static/6078.php _____ Date Reported: 2/8/01 Vulnerability: linux-sysctl-read-memory Platforms Affected: Linux Risk Factor: Medium Attack Type: Host Based Brief Description: Linux kernel sysctl() read memory X-Force URL: http://xforce.iss.net/static/6079.php _____ Date Reported: 2/8/01 Vulnerability: openssh-bypass-authentication Platforms Affected: OpenSSH Risk Factor: High Attack Type: Network/Host Based Brief Description: OpenSSH 2.3.1 allows remote users to bypass authentication X-Force URL: http://xforce.iss.net/static/6084.php _____ Date Reported: 2/8/01 Vulnerability: lotus-notes-stored-forms Platforms Affected: Lotus Notes Risk Factor: High Attack Type: Network/Host Based Brief Description: Lotus Notes stored forms X-Force URL: http://xforce.iss.net/static/6087.php _____ Date Reported: 2/8/01 Vulnerability: linux-ptrace-modify-process Platforms Affected: Linux Risk Factor: High Attack Type: Host Based Brief Description: Linux kernel ptrace modify process X-Force URL: http://xforce.iss.net/static/6080.php _____ Date Reported: 2/8/01 Vulnerability: ssh-deattack-overwrite-memory Platforms Affected: SSH Risk Factor: High Attack Type: Network/Host Based Brief Description: SSH protocol 1.5 deattack.c allows memory to be overwritten X-Force URL: http://xforce.iss.net/static/6083.php _____ Date Reported: 2/7/01 Vulnerability: dc20ctrl-port-bo Platforms Affected: FreeBSD Risk Factor: Medium Attack Type: Host Based Brief Description: FreeBSD dc20ctrl port buffer overflow X-Force URL: http://xforce.iss.net/static/6077.php _____ Date Reported: 2/7/01 Vulnerability: ja-xklock-bo Platforms Affected: FreeBSD Risk Factor: High Attack Type: Host Based Brief Description: ja-xklock buffer overflow X-Force URL: http://xforce.iss.net/static/6073.php _____ Date Reported: 2/7/01 Vulnerability: ja-elvis-elvrec-bo Platforms Affected: FreeBSD Risk Factor: High Attack Type: Host Based Brief Description: FreeBSD ja-elvis port buffer overflow X-Force URL: http://xforce.iss.net/static/6074.php _____ Date Reported: 2/7/01 Vulnerability: ko-helvis-elvrec-bo Platforms Affected: FreeBSD Risk Factor: High Attack Type: Host Based Brief Description: FreeBSD ko-helvis port buffer overflow X-Force URL: http://xforce.iss.net/static/6075.php _____ Date Reported: 2/7/01 Vulnerability: serverworx-directory-traversal Platforms Affected: ServerWorx Risk Factor: Medium Attack Type: Network Based Brief Description: ServerWorx directory traversal X-Force URL: http://xforce.iss.net/static/6081.php _____ Date Reported: 2/7/01 Vulnerability: ntlm-ssp-elevate-privileges Platforms Affected: NTLM Risk Factor: High Attack Type: Host Based Brief Description: NTLM Security Support Provider could allow elevation of privileges X-Force URL: http://xforce.iss.net/static/6076.php _____ Date Reported: 2/7/01 Vulnerability: ssh-session-key-recovery Platforms Affected: SSH Risk Factor: High Attack Type: Network/Host Based Brief Description: SSH protocol 1.5 session key recovery X-Force URL: http://xforce.iss.net/static/6082.php _____ Date Reported: 2/6/01 Vulnerability: aolserver-directory-traversal Platforms Affected: AOLserver Risk Factor: Medium Attack Type: Network Based Brief Description: AOLserver directory traversal X-Force URL: http://xforce.iss.net/static/6069.php _____ Date Reported: 2/6/01 Vulnerability: chilisoft-asp-elevate-privileges Platforms Affected: Chili!Soft Risk Factor: High Attack Type: Network/Host Based Brief Description: Chili!Soft ASP could allow elevated privileges X-Force URL: http://xforce.iss.net/static/6072.php _____ Date Reported: 2/6/01 Vulnerability: win-udp-dos Platforms Affected: Windows Risk Factor: Medium Attack Type: Network/Host Based Brief Description: Windows UDP socket denial of service X-Force URL: http://xforce.iss.net/static/6070.php _____ Date Reported: 2/5/01 Vulnerability: ssh-daemon-failed-login Platforms Affected: SSH Risk Factor: High Attack Type: Network/Host Based Brief Description: SSH daemon failed login attempts are not logged X-Force URL: http://xforce.iss.net/static/6071.php _____ Date Reported: 2/5/01 Vulnerability: picserver-directory-traversal Platforms Affected: PicServer Risk Factor: Medium Attack Type: Network Based Brief Description: PicServer directory traversal X-Force URL: http://xforce.iss.net/static/6065.php _____ Date Reported: 2/5/01 Vulnerability: biblioweb-directory-traversal Platforms Affected: BiblioWeb Risk Factor: Medium Attack Type: Network Based Brief Description: BiblioWeb Server directory traversal X-Force URL: http://xforce.iss.net/static/6066.php _____ Date Reported: 2/5/01 Vulnerability: biblioweb-get-dos Platforms Affected: BiblioWeb Risk Factor: Low Attack Type: Network Based Brief Description: BiblioWeb Server GET request denial of service X-Force URL: http://xforce.iss.net/static/6068.php _____ Date Reported: 2/5/01 Vulnerability: ibm-netcommerce-reveal-information Platforms Affected: IBM Risk Factor: Medium Attack Type: Network/Host Based Brief Description: IBM Net.Commerce could reveal sensitive information X-Force URL: http://xforce.iss.net/static/6067.php _____ Date Reported: 2/5/01 Vulnerability: win-dde-elevate-privileges Platforms Affected: Windows DDE Risk Factor: High Attack Type: Host Based Brief Description: Windows DDE can allow the elevation of privileges X-Force URL: http://xforce.iss.net/static/6062.php _____ Date Reported: 2/4/01 Vulnerability: hsweb-directory-browsing Platforms Affected: HSWeb Risk Factor: Low Attack Type: Network Based Brief Description: HSWeb Web Server allows attacker to browse directories X-Force URL: http://xforce.iss.net/static/6061.php _____ Date Reported: 2/4/01 Vulnerability: sedum-directory-traversal Platforms Affected: SEDUM Risk Factor: Medium Attack Type: Network Based Brief Description: SEDUM HTTP Server directory traversal X-Force URL: http://xforce.iss.net/static/6063.php _____ Date Reported: 2/4/01 Vulnerability: free-java-directory-traversal Platforms Affected: Free Java Risk Factor: Medium Attack Type: Network Based Brief Description: Free Java Web Server directory traversal X-Force URL: http://xforce.iss.net/static/6064.php _____ Date Reported: 2/2/01 Vulnerability: goahead-directory-traversal Platforms Affected: GoAhead Risk Factor: High Attack Type: Network Based Brief Description: GoAhead Web Server directory traversal X-Force URL: http://xforce.iss.net/static/6046.php _____ Date Reported: 2/2/01 Vulnerability: gnuserv-tcp-cookie-overflow Platforms Affected: Gnuserv Risk Factor: High Attack Type: Network/Host Based Brief Description: Gnuserv TCP enabled cookie buffer overflow X-Force URL: http://xforce.iss.net/static/6056.php _____ Date Reported: 2/2/01 Vulnerability: xmail-ctrlserver-bo Platforms Affected: Xmail CTRLServer Risk Factor: High Attack Type: Network Based Brief Description: XMail CTRLServer buffer overflow X-Force URL: http://xforce.iss.net/static/6060.php _____ Date Reported: 2/2/01 Vulnerability: netscape-webpublisher-acl-permissions Platforms Affected: Netscape Web Publisher Risk Factor: Medium Attack Type: Network Based Brief Description: Netcape Web Publisher poor ACL permissions X-Force URL: http://xforce.iss.net/static/6058.php _____ Date Reported: 2/1/01 Vulnerability: cups-httpgets-dos Platforms Affected: CUPS Risk Factor: High Attack Type: Host Based Brief Description: CUPS httpGets() function denial of service X-Force URL: http://xforce.iss.net/static/6043.php _____ Date Reported: 2/1/01 Vulnerability: prospero-get-pin Platforms Affected: Prospero Risk Factor: High Attack Type: Network/Host Based Brief Description: Prospero GET request reveals PIN information X-Force URL: http://xforce.iss.net/static/6044.php _____ Date Reported: 2/1/01 Vulnerability: prospero-weak-permissions Platforms Affected: Prospero Risk Factor: High Attack Type: Network/Host Based Brief Description: Prospero uses weak permissions X-Force URL: http://xforce.iss.net/static/6045.php _____ Risk Factor Key: High Any vulnerability that provides an attacker with immediate access into a machine, gains superuser access, or bypasses a firewall. Example: A vulnerable Sendmail 8.6.5 version that allows an intruder to execute commands on mail server. Medium Any vulnerability that provides information that has a high potential of giving system access to an intruder. Example: A misconfigured TFTP or vulnerable NIS server that allows an intruder to get the password file that could contain an account with a guessable password. Low Any vulnerability that provides information that potentially could lead to a compromise. Example: A finger that allows an intruder to find out who is online and potential accounts to attempt to crack passwords via brute force methods. ________ ISS is a leading global provider of security management solutions for e-business. By offering best-of-breed SAFEsuite(tm) security software, comprehensive ePatrol(tm) monitoring services and industry-leading expertise, ISS serves as its customers' trusted security provider protecting digital assets and ensuring the availability, confidentiality and integrity of computer systems and information critical to e-business success. ISS' security management solutions protect more than 5,000 customers including 21 of the 25 largest U.S. commercial banks, 9 of the 10 largest telecommunications companies and over 35 government agencies. Founded in 1994, ISS is headquartered in Atlanta, GA, with additional offices throughout North America and international operations in Asia, Australia, Europe and Latin America. For more information, visit the ISS Web site at www.iss.net or call 800-776-2362. Copyright (c) 2001 by Internet Security Systems, Inc. Permission is hereby granted for the redistribution of this Alert electronically. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Alert in any other medium excluding electronic medium, please e-mail xforce@iss.net for permission. Disclaimer The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. X-Force PGP Key available at: http://xforce.iss.net/sensitive.php as well as on MIT's PGP key server and PGP.com's key server. Please send suggestions, updates, and comments to: X-Force xforce@iss.net of Internet Security Systems, Inc. -----BEGIN PGP SIGNATURE----- Version: 2.6.3a Charset: noconv iQCVAwUBOqb8ojRfJiV99eG9AQGEaAP+KH+SQYNBsbUcv/mUJNUz7dDPIYVcmPNV 1xyO/ctnG6qScWnlXGltYS7Rj8T8tYAAZC77oDhFSvvs8CX1Dr32ImEyvOIJhMLA h0wKCV3HOAYJ662BASe3jbO3nL/bumNKCRL5heuIU85pQOuH9xbqXkmFEimDmG2B tT+ylKw4hn4= =kfHg -----END PGP SIGNATURE-----

Unknown vulnerability in Sun StorEdge 6130 Arrays (SE6130) with serial numbers between 0451AWF00G and 0513AWF00J allows local users and remote attackers to delete data. Multiple Cisco networking products contain a denial-of-service vulnerability. There is an information integrity vulnerability in the SSH1 protocol that allows packets encrypted with a block cipher to be modified without notice. There is a remote integer overflow vulnerability in several implementations of the SSH1 protocol that allows an attacker to execute arbitrary code with the privileges of the SSH daemon, typically root. The program pgp4pine version 1.75.6 fails to properly identify expired keys when working with the Gnu Privacy Guard program (GnuPG). This failure may result in the clear-text transmission of senstive information when used with the PINE mail reading package. The SEDUM web server permits intruders to access files outside the web root. While addressing vulnerabilities described in http://www.cisco.com/warp/public/707/SSH-multiple-pub.html, a denial of service condition has been inadvertently introduced into firmware upgrades. Firmware for routers and switches (IOS), Catalyst 6000 switches running CatOS, Cisco PIX Firewall and Cisco 11000 Content Service Switch devices may be vulnerable. Cisco has reported that scanning for SSH vulnerabilities on affected devices will cause excessive CPU consumption. The condition is due to a failure of the Cisco SSH implementation to properly process large SSH packets. Repeated and concurrent attacks may result in a denial of device service. As many of these devices are critical infrastructure components, more serious network outages may occur. Cisco has released upgrades that will eliminate this vulnerability

Buffer overflow in CSAdmin module in CiscoSecure ACS Server 2.4(2) and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a large packet. Depending on the data entered, CiscoSecure ACS for Windows NT can be made to crash or arbitrary code execution can be made possible if an unusually long packet is sent to port 2002. If the application were to crash due to an oversized packet, the CSadmin Module would automatically restart after one minute in versions 2.3x and higher. Existing sessions would re-establish although they would need to be authenticated again. In prior versions, a restart is required in order to regain normal functionality

Buffer overflow in CiscoSecure ACS Server 2.4(2) and earlier allows remote attackers to cause a denial of service and possibly execute arbitrary commands via a large TACACS+ packet. If a remote attacker is capable of sniffing or injecting traffic in between a server running CiscoSecure ACS for Windows NT and a TACACS+ client, CiscoSecure ACS for Windows NT can be made to crash if an oversized TACACS+ packet is sent to it. CiscoSecure ACS Server 2.4(2) and earlier versions have a buffer overflow vulnerability

CiscoSecure ACS Server 2.4(2) and earlier allows remote attackers to bypass LDAP authentication on the server if the LDAP server allows null passwords. There are certain Lightweight Directory Access Protocol (LDAP) servers that allow users to have undefined passwords. Vulnerabilities exist in CiscoSecure ACS Server 2.4(2) and earlier versions

The mailguard feature in Cisco Secure PIX Firewall 5.2(2) and earlier does not properly restrict access to SMTP commands, which allows remote attackers to execute restricted commands by sending a DATA command before sending the restricted commands. Like other firewalls, the Cisco PIX Firewall implements technology that reads the contents of packets passing through it for application-level filtering. In the case of SMTP, it can be configured so only certain smtp commands can be allowed through (for example, dropping extra functionality, such as HELP or commands that could be a security concern, like EXPN or VRFY). When recieving messages, it allows all text through between "data" and "<CR><LF><CR><LF>.<CR><LF>", as this is where the body of the message would normally go and there could be words in it that are smtp commands which shouldn't be filtered. Due to the nature of SMTP and flaws in exceptional condition handling of PIX, it is reportedly possible to evade the smtp command restrictions by tricking the firewall into thinking the body of the message is being sent when it isn't. During communication with an smtp server, if the "data" command is sent before the more important information is sent, such as "rcpt to", the smtp server will return error 503, saying that rcpt was required. The firewall, however, thinks everything is alright and will let everything through until recieving "<CR><LF><CR><LF>.<CR><LF>". It is then possible for the attacker to do whatever he wishes on the email server. An old vulnerability that allowed for bypassing of SMTP content filtering has been re-introduced into PIX firmware. This vulnerability is archived in the SecurityFocus vulnerability database as Bugtraq ID: 1698

WinCOM LPD 1.00.90 allows remote attackers to cause a denial of service via a large number of LPD options to the LPD port (515). If a user sends continuous LPD requests to the serivce on default port 515, the program will consume all available CPU usage. A restart of the service is required in order to gain normal functionality. WinCOM LPD 1.00.90 is vulnerable

Intel Express 500 series switches allow a remote attacker to cause a denial of service via a malformed ICMP packet, which causes the CPU to crash. The malformed packet can be sent locally or remotely and can be spoofed. In the event that the switch receives the malformed ICMP packet, it will continue to operate as a switch, however, it will lose all routing functionality and will not pick up on new connections

Vulnerability in Microsoft Windows NT 4.0 allows remote attackers to cause a denial of service in IIS by sending it a series of malformed requests which cause INETINFO.EXE to fail, aka the "Invalid URL" vulnerability. IIS 4.0 is subject to a denial of service due to the mishandling of URL requests. This issue is a result of a flaw in Windows NT 4.0. If a remote user requests a specifically malformed URL, an invalid memory request is made by inetinfo.exe. The end result is that all system resources are used until inetinfo.exe is eventually automatically shut down by NT. A restart of the service is required in order to gain normal functionality

The web server in IPSWITCH IMail 6.04 and earlier allows remote attackers to read and delete arbitrary files via a .. (dot dot) attack. IPSWITCH ships a product titled IMail, an email server for usage on NT servers serving clients their mail via a web interface. To this end the IMail server provides a web server typically running on port 8383 for it's end users to access. Via this interface users may read and send mail, as well as mail with file attachments. Certain versions of IMail do not perform proper access validation however resulting in users being able to attach files resident on the server. The net result of this is users may attach files on the server to which they should have no access. This access is limited to the user privileges which the server is being run as, typically SYSTEM. It should be noted that once a user attachs the files in question the server deletes them

Intel Express 500 series switches allow a remote attacker to cause a denial of service via a malformed IP packet. In order to regain functionality, the power must be disconnected and reconnected - the reset switch will not be operational. Vulnerabilities exist in the Intel Express 500 serial switch

admin.php3 in PHP-Nuke does not properly verify the PHP-Nuke administrator password, which allows remote attackers to gain privileges by requesting a URL that does not specify the aid or pwd parameter. PHP-Nuke is a website creation/maintainence tool written in PHP3. It is possible to elevate priviliges in this system from normal user to administrator due to a flaw in authentication code. The problem occurs here: $aid = variable holding author name, pwd = author password $result=mysql_query("select pwd from authors where aid='$aid'"); if(!$result) { echo "Selection from database failed!"; exit; } else { list($pass)=mysql_fetch_row($result); if($pass == $pwd) { $admintest = 1; } } First off, the code checks to make sure the query passed to mysql_query is legal. There are no checks to see whether any rows are returned (whether any authors match $aid..). Then, the password given is compared to the result of the above query. If the author doesn't match, mysql_fetch_row returns FALSE. This is where the problem occurs. A NULL string is logically equal to FALSE and thus if an empty string is supplied as password, the condition tested for above (the if($pass == $pwd)) is met and admintest is set to 1 (TRUE). The user is then able to perform all administrative functions

Vulnerabilities in IIS 4.0 and 5.0 do not properly protect against cross-site scripting (CSS) attacks. They allow a malicious web site operator to embed scripts in a link to a trusted site, which are returned without quoting in an error message back to the client. The client then executes those scripts in the same context as the trusted site, aka the "IIS Cross-Site Scripting" vulnerabilities. Microsoft IIS Has text added shtml A vulnerability exists in which an executable script can be included in an error message when a request for a file in the format is received.An arbitrary script may be executed on the user's browser. If FrontPage Server Extensions 1.2 is installed on an IIS server, IIS may return content specified by a malicious third party back to a client through the use of specially formed links. If additional text is appended to a request for shtml.dll, the server will generate an error including that text. This becomes an issue especially if the server specified in the hostile URL is a trusted site, as content from that site may then be granted a higher privilege level than usual. For example, consider a link off of a page from a hostile website: &lt;a href="http://TrustedServer/_vti_bin/shtml.dll/&lt;script&gt;Hostile Code Here&lt;/script&gt;"&gt;http://TrustedServer&lt;/a&gt;. If a user clicks on the link specified above, the script will get passed in the http request from the client to TrustedSite. TrustedSite will then return the script as part of the error message. The client, receiving the error page containing the script, will then execute it and assign to it all rights granted to content from TrustedSite. Update (November 2, 2000): A new variant of this vulnerability has been discovered and is addressed in the re-release of patches described in Microsoft Security Bulletin (MS00-060). Please see 'Solution' for the patches

Ipswitch Imail 6.0 allows remote attackers to cause a denial of service via a large number of connections in which a long Host: header is sent, which causes a thread to crash. IPSwitch IMail is an e-mail server which provides WWW (HTTP) E-mail services. By default this web service resides on port 8181 or 8383. Sending an HTTP request with an extremely long "HOST" field multiple times can cause the system hosting the service to become unresponsive. Each long request "kills" a thread without freeing up the memory used by it. By repeating this request, the system's resources can be used up completely. Ipswitch Imail 6.0 is vulnerable

Check Point Firewall-1 session agent 3.0 through 4.1 generates different error messages for invalid user names versus invalid passwords, which allows remote attackers to determine valid usernames and guess a password via a brute force attack. A vulnerability exists in all versions of the Check Point Session Agent, part of Firewall-1. Session Agent works in such a way that the firewall will establish a connection back to the client machine. Upon doing so, it will prompt for a username, and if the username exists, a password. Upon failure, it will reprompt indefinitely. This allows for a simple brute force attack against the username and password