From xforce@iss.net Thu Oct  9 17:09:29 1997
Date: Thu, 9 Oct 1997 10:06:39 -0400 (EDT)
From: X-Force <xforce@iss.net>
To: alert@iss.net
Subject: ISSalert: ISS Security Alert Summary v1 n4

ISS Security Alert Summary
October 8, 1997
Volume 1 Number 4


To receive these Alert Summaries, subscribe to the ISS Alert mailing list
by sending an email to majordomo@iss.net and within the body of the
message type:  'subscribe alert'.

---
Index

ISS X-Force Announcement

8 Reported New Vulnerabilities 
 - HP-mediainit
 - BSD-lpd
 - samba
 - vacation
 - HP-telnetDoS
 - Cisco-CHAP
 - ssh/x11
 - imapd-DoS

2 Reported Incidents
 - SANS Hacked
 - AirTran Airways (ValuJet) Hacked

2 Updates
 - SGI-nls
 - majordomo

ISS Internet Scanner 5.0 Announcement

Risk Factor Key


---
Internet Security Systems, Inc. announces the ISS X-Force Computer 
Vulnerability and Threat Database (http://www.iss.net/xforce). It is a
free public service providing network and security administrators and
users with information regarding online dangers. This database details
hundreds of network security vulnerabilities and threats, including
information on the relative severity of each risk, and recommended
corrective actions and fix information to tighten security holes.


---
Date Reported:    10/2/97
Vulnerability:    HP-mediainit
Affected Platforms:  HP-UX (9.x, 10.x)
Risk Factor:    High

A vulnerability exists in HP-UX's mediainit which is used to prepare
storage media for use.  Local users can exploit this vulnerability to
perform unauthorized activities.

Reference:
HP Security Bulletin #00071 - http://us-support.external.hp.com/


---
Date Reported:    10/2/97
Vulnerability:    BSD-lpd
Affected Platforms:  (see reference for exact versions
       and vulnerability conditions)
      BSD/OS (2.1, 3.0)
      FreeBSD
      Linux
      OpenBSD
Risk Factor:    High

A number of vulnerabilities exist in the line printer daemon (lpd) that,
given a number of existing conditions, allows remote users to create
files, and remove files.  In addition, remote users can execute commands
and obtain a shell with the privileges of the user running lpd.

Reference:
ftp://ftp.secnet.com/advisories/SNI-19.BSD.lpd.advisory


---
Date Reported:    9/26/97
Vulnerability:    samba
Affected Platforms:  Intel based UNIX systems running 
      Samba (pre 1.9.17p2)
Risk Factor:    High

A security hole exists in all versions of Samba (pre 1.9.17p2) that is
being widely exploited over the Internet.  It allows remote users to
obtain root access on the system running Samba.  Although this
vulnerability is restricted to Intel based systems, it is believed to be
possible to produce an exploit on other architectures.

References:
http://ciac.llnl.gov/ciac/bulletins/h-110.shtml

New release with security hole fixed:
ftp://samba.anu.edu.au/pub/samba/samba-1.9.17p2.tar.gz


---
Date Reported:    9/1/97
Vulnerability:          vacation
Affected Platforms:     (see reference for exact versions)
      AIX
      FreeBSD
      HP-UX
      Linux
      NetBSD
      OpenBSD
      Solaris
Risk Factor:            High

The vacation program is used by users to automatically reply to incoming
email such as "out of office" replies, etc.  It contains a vulnerability
that allows remote users to obtain access to the account running vacation.
  
References:
ftp://ftp.secnet.com/advisories/SNI-18.VACATION.advisory  


---
Date:      10/1/97
Vulnerability:    Cisco-CHAP
Affected Platforms:  Cisco IOS (10.3, 11.0, 11.1, 11.2)
Risk Factor:    Medium

A vulnerability existsin all classic Cisco IOS software versions that
support CHAP.  An intruder can set up an unathorized PPP connection to the
system running the IOS software.  Cisco believes that the "cracker
community" does not widely understand the vulnerability and that it would
be very difficult to exploit.

Reference:
http://www.cisco.com/warp/public/770/chapvuln-pub.shtml


---
Date:      10/1/97
Vulnerability:    HP-telnetDoS
Affected Platforms:  HP-UX (10.30)
Risk Factor:    Medium

A vulnerability has been found in HP-UX's telnet service that, if
exploited, can lead to a denial of service attack.  Patches are avaliable
that corrects this problem, see ref.

Reference:
HP Security Bulletin #00070 - http://us-support.external.hp.com/


---
Date Reported:          9/30/97
Vulnerability:          ssh/x11
Affected Platforms:     All systems running SSH and X11
Risk Factor:            Medium
   
Secure Shell (SSH) clients contain a vulnerability that allows user which
have access to foreign .Xauthority files on SSH servers to access the X   
server on the machine running SSH.  This opens the door for a wide variety
of attacks.

Reference:
http://home.braunschweig.netsurf.de/~ulrich.flegel/pub/ssh-x11.ps.gz
   

---
Date Reported:    9/22/97
Vulnerability:    imapd-DoS
Affected Platforms:  UNIX platforms running imapd
Risk Factor:    Medium

The imap daemon written by Mark Crispin of Washington University contains
a denial of service attack.  Anyone with shell access to the server
running imapd can prevent all other users from picking up their mail.

No patch or web reference exists at this time.


---
Date reported:    10/1/97
Incident:    SANS Hacked

SANS Network Security Digest, which distributes news on the latest
security holes and bugs, was hacked and a mailing was sent to all its
subscribers.  It contained various pornographic material as well as
various hacker lingo.  SANS followed up with a report saying,
"Every byte in this file is refuse. We strongly reccommend that you do not
try to use any sample codes."

SANS hack post (pornography omitted):
http://www.infowar.com/hacker/hack_100197a.html-ssi

SANS update:
http://www.infowar.com/hacker/hack_100297b.html-ssi

Short Reference:
http://www.zdnet.com/pcweek/spencer/spencer.html


---
Date reported:    9/30/97
Incident:    AirTran Hacked

The airline formerly known as ValuJet, AirTran Airways had their web page
hacked.  The intruder changed their web pages and made reference to their
crash in 1996 that killed 110 people.  Copies of the original web pages
and hacked pages as well as a short summary of the attack are avaliable on
2600 magazine's web page.

Reference:
http://www.2600.com/value_jet/


---
Date:      9/23/97
Update:      SGI-nls
Vendor:      Silicon Graphics Inc.
Platform:    IRIX (5.0.x, 5.1.x, 5.2, 5.3, 6.0.x, 
            6.1, 6.2, 6.3, 6.4)

Silicon Graphics has released patches that correct the Natural Language
Service (nls) vulnerability in which a set of arguments can overflow the
buffer and result in the execution of arbitrary commands with elevated
privileges.

References:
ftp://sgigate.sgi.com/security/19970901-01-PX
ftp://info.cert.org/pub/cert_advisories/CA-97.10.nls


---
Date:      10/2/97
Update:      majordomo (ISS Security Alert Summary v1 n2)
Author:      Brent Chapman
Platforms:    Any platform running majordomo server

A new version of majordomo has been released that fixes many security
flaws as well as other bugs.  This corrects the advertise or noadvertise
problem as reported in v1 n2.

Obtain newest version of majordomo or a patch from:
ftp://ftp.greatcircle.com/pub/majordomo/1.94.1/


---
ISS is preparing to release a new version of its leading Windows NT-based 
flagship product, Internet Scanner 5.0.  It includes new, state-of-the-art 
security reporting capabilities, and a significant number of new Windows
NT and UNIX network vulnerability checks, making it the world's most 
comprehensive solution for network security assessment and management. The
reporting is powered  by an ODBC database that allows users to tailor
their data and reports.  If you would like to participate in Beta Testing,
please send your request to  jjohnson@iss.net.


---
Risk Factor Key:

  High    any vulnerability that provides an attacker with immediate
    access into a machine, gains superuser access, or bypasses
    a firewall.  Example:  A vulnerable Sendmail 8.6.5 version
    that allows an intruder to execute commands on mail
    server.
  Medium  any vulnerability that provides information that has a
    high potential of giving access to an intruder.  Example: 
    A misconfigured TFTP or vulnerable NIS server that allows
    an intruder to get the password file that possibly can
    contain an account with a guessable password.
  Low  any vulnerability that provides information that
    potentially could lead to a compromise.  Example:  A
    finger that allows an intruder to find out who is online
    and potential accounts to attempt to crack passwords
    via bruteforce.

Developed and maintained by renown security experts, the X-Force Computer
Vulnerability and Threat Database is the world's most comprehensive
on-line source for information on network security risks. It details
hundreds of network security vulnerabilities and threats, including
information on the relative severity of each risk, and recommended
corrective actions to tighten security holes.  Visit it at
http://www.iss.net/xforce

Internet Security Systems, Inc., (ISS) is the pioneer and world's leading
supplier of network security assessment and monitoring tools,  providing   
comprehensive software that enables organizations to proactively manage   
and minimize their network security risks.  For more information, contact
the company at (800) 776-2362 or (770) 395-0150 or visit the ISS Web site
at http://www.iss.net.

--------
Copyright (c) 1997 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert Summary
electronically.  It is not to be edited in any way without express consent
of X-Force.  If you wish to reprint the whole or any part of this 
Alert Summary in any other medium excluding electronic medium, please
email xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this 
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in connection 
with the use or spread of this information. Any use of this information is
at the user's own risk.

Please send suggestions, updates, and comments to:
X Force <xforce@iss.net> of Internet Security Systems, Inc.