ISS Security Alert Summary for November 5, 1997.
ISS Security Alert Summary
November 5, 1997
Volume 1 Number 6
_X-Force Vulnerability and Threat Database:_ [10]http://www.iss.net/xforce
To receive these Alert Summaries, subscribe to the
ISS Alert mailing list by sending an e-mail to [11]majordomo@iss.net
and within the body of the message type: 'subscribe alert'.
___
Index
12 Reported New Vulnerabilities
[13]- HP-cde
[14]- FreeBSD-open
[15]- IBM-portmir
[16]- IBM-piodmgrsu
[17]- IBM-nslookup
[18]- IBM-ftp
[19]- Sun-niscache
[20]- Sun-ftpd/rlogind
[21]- Sun-sysdef
[22]- IBM-libDtSvc
[23]- bsd-tel-tgetent
[24]- linux-lpd
1 Vulnerability Update
[25]- Sun-rlogin
Comparative Network Security Scanner Review
Risk Factor Key
__
Date Reported: 10/29/97
Vulnerability: HP-cde
Affected Platforms: HP-UX (10.10, 10.20, 10.30)
Risk Factor: High
Hewlett Packard's Common Desktop Environment is a windowing system that
contains session and window management tools, network services, and other
common desktop tools. Several setuid and setgid programs have buffer
overflow conditions that can be exploited to gain unauthorized privileges.
HP has released patches that correct these problems.
References:
HP Security Bulletin #00072 - [28]http://us-support.external.hp.com/
[29]http://ciac.llnl.gov/ciac/bulletins/i-009.shtml
___
Date Reported: 10/29/97
Vulnerability: FreeBSD-open
Affected Platforms: FreeBSD (2.1.x, 2.2.x), FreeBSD-stable, FreeBSD-current
Risk Factor: High
A problem exists in the way that FreeBSD's open() system call obtains
the right to execute I/O instructions. Any local user can exploit this
problem to execute unauthorized I/O instructions. The problem in open()
has been corrected in FreeBSD-current 1997/10/24.
Reference:
[32]ftp://freebsd.org/pub/CERT/advisories/FreeBSD-SA-97%3A05.open.asc
___
Date Reported: 10/29/97
Vulnerability: IBM-portmir
Affected Platforms: AIX (4.2.1)
Risk Factor: High
Multiple vulnerabilities in AIX's portmir command exist that allow local
users to obtain unauthorized root privileges.
Reference:
[35]http://www.ers.ibm.com/tech-info/advisories/sva/1997/ERS-SVA-E01-1997:006.1.txt
[36]http://ciac.llnl.gov/ciac/bulletins/i-011.shtml
___
Date Reported: 10/29/97
Vulnerability: IBM-piodmgrsu
Affected Platforms: AIX (4.1, 4.2)
Risk Factor: Medium
Piodmgrsu is a program that performs various operations on the printer
backend's alternate ODM database. It contains a vulnerability in the way
that it passes environment variables to child processes, which allows
local users to obtain access to the printq group.
Reference:
[39]http://www.ers.ibm.com/tech-info/advisories/sva/1997/ERS-SVA-E01-1997:007.1.txt
[40]http://ciac.llnl.gov/ciac/bulletins/i-010.shtml
___
Date Reported: 10/29/97
Vulnerability: IBM-nslookup
Affected Platforms: AIX (4.1, 4.2)
Risk Factor: High
Nslookup is a program that is used to query Internet domain name servers
and return various information about hosts. It contains a vulnerability
that allows local users to obtain unauthorized root access.
Reference:
[43]http://www.ers.ibm.com/tech-info/advisories/sva/1997/ERS-SVA-E01-1997:008.1.txt
[44]http://ciac.llnl.gov/ciac/bulletins/i-010.shtml
___
Date Reported: 10/29/97
Vulnerability: IBM-ftp
Affected Platforms: AIX (3.2, 4.1, 4.2)
Risk Factor: High
The File Transfer Protocol (ftp) client contains a vulnerability in that
it can be tricked into executing arbitrary commands. Remote servers can
name a file preceded by the | symbol, and the local ftp client will
execute that file as a shell script on the local machine. It is possible
that root access could be acquired using this trick.
Reference:
[47]http://www.ers.ibm.com/tech-info/advisories/sva/1997/ERS-SVA-E01-1997:009.1.txt
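A client-side check for the behaviour described in the IBM-ftp entry, as an added example (not code from IBM, ISS, or any ftp implementation): a server-supplied name is validated before it is used as a local destination, and the file is created with open() rather than through a shell. The names remote_name_is_safe and open_download_target are hypothetical, and the sample names in main() are constructed.

```c
#include <ctype.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Return 1 if a server-supplied file name may be used as a local
 * destination, 0 otherwise (hypothetical helper for illustration). */
int remote_name_is_safe(const char *name)
{
    size_t i, len;

    if (name == NULL)
        return 0;
    len = strlen(name);
    if (len == 0 || len > 255)
        return 0;
    /* '|' is the pipe marker from the advisory; a leading '-' can be
     * read as "standard output" or as an option by some clients. */
    if (name[0] == '|' || name[0] == '-')
        return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '/' || iscntrl(c))   /* no path components, no control bytes */
            return 0;
    }
    return 1;
}

/* Create dir/name for writing; returns a file descriptor or -1. */
int open_download_target(const char *dir, const char *name)
{
    char path[4096];
    int n;

    if (dir == NULL || !remote_name_is_safe(name))
        return -1;
    n = snprintf(path, sizeof path, "%s/%s", dir, name);
    if (n < 0 || (size_t)n >= sizeof path)
        return -1;
    /* O_CREAT|O_EXCL fails if the name already exists, symlinks included. */
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

int main(void)
{
    const char *samples[] = { "report.txt", "|constructed-name", "../x", "-" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s %s\n", samples[i],
               remote_name_is_safe(samples[i]) ? "accept" : "reject");
    return 0;
}
```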
___
Date Reported: 10/28/97
Vulnerability: Sun-niscache
Affected Platforms: Solaris (2.4, 2.5, 2.5.1)
Risk Factor: High
The program nis_cachemgr is used by NIS+ to cache location information of
NIS+ servers. It contains a vulnerability that would allow an attacker to
potentially add directory objects to the shared cache and specify rogue
NIS+ servers that they control.
References:
[50]http://sunsolve.sun.com/sunsolve/secbulletins/security-alert-155.txt
[51]http://ciac.llnl.gov/ciac/bulletins/i-007.shtml
___
Date Reported: 10/28/97
Vulnerability: Sun-ftpd/rlogind
Affected Platforms: Solaris (2.3, 2.4, 2.5, 2.5.1), SunOS (4.1.3, 4.1.4)
Risk Factor: High
A vulnerability exists in the Internet File Transfer Protocol server
process (in.ftpd) and the rlogin server process (in.rlogind). The
attacker can execute arbitrary commands on the host by connecting from the
ftp server's data port to the rlogin server on a trusted host.
References:
[54]http://sunsolve.sun.com/sunsolve/secbulletins/security-alert-156.txt
[55]http://ciac.llnl.gov/ciac/bulletins/i-007.shtml
___
Date Reported: 10/28/97
Vulnerability: Sun-sysdef
Affected Platforms: Solaris (2.3, 2.4, 2.5, 2.5.1)
Risk Factor: High
The sysdef command is used to display current system information such as
hardware devices, system devices, kernel parameters, etc. It contains a
vulnerability that would allow local users to read kernel memory. Kernel
memory can contain information such as unencrypted passwords, so reading
it could possibly lead to root access.
References:
[58]http://sunsolve.sun.com/sunsolve/secbulletins/security-alert-157.txt
[59]http://ciac.llnl.gov/ciac/bulletins/i-007.shtml
___
Date Reported: 10/28/97
Vulnerability: IBM-libDtSvc
Affected Platforms: AIX (4.1, 4.2)
Risk Factor: High
AIX has a buffer overflow in the libDtSvc.a library that allows
unauthorized local users to obtain root privileges. An exploit for this
vulnerability was posted on a security mailing list and is publicly
available.
Reference:
[62]http://www.ers.ibm.com/tech-info/advisories/sva/1997/ERS-SVA-E01-1997:005.1.txt
[63]http://ciac.llnl.gov/ciac/bulletins/i-010.shtml
___
Date Reported: 10/21/97
Vulnerability: bsd-tel-tgetent
Affected Platforms: BSD/OS (2.1)
Risk Factor: High
The telnet daemon, telnetd, contains a vulnerability in its tgetent
library routine. By manipulating environment variables which are passed
to the telnet daemon, an attacker can produce a buffer overflow to obtain
root privileges.
Reference:
[66]ftp://ftp.secnet.com/pub/advisories/SNI-20.telnetd.tgetent.advisory
___
Date Reported: 10/6/97
Vulnerability: linux-lpd
Affected Platforms: Linux (Redhat 4.2)
Risk Factor: High
Two problems exist. The first is that Redhat calls the printfilter
software package when any file is being printed. After determining the
file type, printfilter applies the appropriate filter to the file so that
it can be printed properly. Some filters write to the /tmp directory, so
local users can create symbolic links that will overwrite files with uid
bin and gid root. The second problem concerns groff requests that allow
local as well as remote users to execute programs as uid bin and gid
root, which can easily lead to root access.
Reference:
[69]http://www.dec.net/ksrt/adv4.html
___
Date: 10/28/97
Update: Sun-rlogin
Vendor: Sun Microsystems, Inc.
Platforms: Solaris (2.3, 2.4, 2.5, 2.5.1), SunOS (4.1.3, 4.1.4)
Sun has released patches for the rlogin vulnerability in which the TERM
environment variable is copied to an internal buffer. The buffer can be
overflowed and arbitrary code can be executed. Since rlogin is setuid
root, local accounts would be able to obtain unauthorized root access.
References:
[72]http://sunsolve.sun.com/sunsolve/secbulletins/security-alert-158.txt
[73]http://ciac.llnl.gov/ciac/bulletins/h-25a.shtml
[74]ftp://info.cert.org/pub/cert_advisories/CA-97.06.rlogin-term
For a comparative review of five network security scanners, see
Network World Magazine. [75]http://www.nwfusion.com and register for a login.
Review: [76]http://www.nwfusion.com/reviews/1027rev.html
---
Risk Factor Key:

High:   any vulnerability that provides an attacker with immediate
        access into a machine, gains superuser access, or bypasses
        a firewall. Example: A vulnerable Sendmail 8.6.5 version
        that allows an intruder to execute commands on mail
        server.

Medium: any vulnerability that provides information that has a
        high potential of giving access to an intruder. Example:
        A misconfigured TFTP or vulnerable NIS server that allows
        an intruder to get the password file that possibly can
        contain an account with a guessable password.

Low:    any vulnerability that provides information that
        potentially could lead to a compromise. Example: A
        finger that allows an intruder to find out who is online
        and potential accounts to attempt to crack passwords
        via brute force.

Developed and maintained by renowned security experts, the X-Force Computer
Vulnerability and Threat Database is the world's most comprehensive
on-line source for information on network security risks. It details
hundreds of network security vulnerabilities and threats, including
information on the relative severity of each risk, and recommended
corrective actions to tighten security holes. Visit it at
[79]http://www.iss.net/xforce
Internet Security Systems, Inc., (ISS) is the pioneer and world's
leading supplier of network security assessment and intrusion detection
tools, providing comprehensive software that enables organizations to
proactively manage and minimize their network security risks. For more
information, contact the company at (800) 776-2362 or (770) 395-0150 or
visit the ISS Web site at [80]http://www.iss.net
--------
Copyright (c) 1997 by Internet Security Systems, Inc.
Permission is hereby granted for the redistribution of this Alert Summary
electronically. It is not to be edited in any way without express consent
of X-Force. If you wish to reprint the whole or any part of this
Alert Summary in any other medium excluding electronic medium, please
e-mail [83]xforce@iss.net for permission.
Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in connection
with the use or spread of this information. Any use of this information is
at the user's own risk.
X-Force PGP Key available at: [84]http://www.iss.net/xforce/sensitive.html
as well as on MIT's PGP key server and PGP.com's key server.
Please send suggestions, updates, and comments to:
X Force [85]xforce@iss.net of Internet Security Systems, Inc.
References
1. http://xforce.iss.net/news.php3
2. http://xforce.iss.net/seriousfun/
3. http://xforce.iss.net/maillists/
4. http://xforce.iss.net/library/
5. http://xforce.iss.net/protoworx/
6. http://xforce.iss.net/alerts/
7. http://xforce.iss.net/submission.php3
8. http://xforce.iss.net/feedback.php3
9. http://xforce.iss.net/search.php3
10. http://www.iss.net/xforce
11. mailto:majordomo@iss.net
12. http://xforce.iss.net/alerts/alerts.php3
13. http://xforce.iss.net/alerts/vol-1_num-6.php3#HP-cde
14. http://xforce.iss.net/alerts/vol-1_num-6.php3#FreeBSD-open
15. http://xforce.iss.net/alerts/vol-1_num-6.php3#portmir
16. http://xforce.iss.net/alerts/vol-1_num-6.php3#piodmgrsu
17. http://xforce.iss.net/alerts/vol-1_num-6.php3#lookup
18. http://xforce.iss.net/alerts/vol-1_num-6.php3#ftp
19. http://xforce.iss.net/alerts/vol-1_num-6.php3#niscache
20. http://xforce.iss.net/alerts/vol-1_num-6.php3#rlogind
21. http://xforce.iss.net/alerts/vol-1_num-6.php3#sysdef
22. http://xforce.iss.net/alerts/vol-1_num-6.php3#libDtSvc
23. http://xforce.iss.net/alerts/vol-1_num-6.php3#tgetent
24. http://xforce.iss.net/alerts/vol-1_num-6.php3#linux
25. http://xforce.iss.net/alerts/vol-1_num-6.php3#rlogin
26. http://xforce.iss.net/alerts/vol-1_num-6.php3#list
27. http://xforce.iss.net/alerts/alerts.php3
28. http://us-support.external.hp.com/
29. http://ciac.llnl.gov/ciac/bulletins/i-009.shtml
30. http://xforce.iss.net/alerts/vol-1_num-6.php3#list
31. http://xforce.iss.net/alerts/alerts.php3
32. ftp://freebsd.org/pub/CERT/advisories/FreeBSD-SA-97%3A05.open.asc
33. http://xforce.iss.net/alerts/vol-1_num-6.php3#list
34. http://xforce.iss.net/alerts/alerts.php3
35. http://www.ers.ibm.com/tech-info/advisories/sva/1997/ERS-SVA-E01-1997:006.1.txt
36. http://ciac.llnl.gov/ciac/bulletins/i-011.shtml
37. http://xforce.iss.net/alerts/vol-1_num-6.php3#list
38. http://xforce.iss.net/alerts/alerts.php3
39. http://www.ers.ibm.com/tech-info/advisories/sva/1997/ERS-SVA-E01-1997:007.1.txt
40. http://ciac.llnl.gov/ciac/bulletins/i-010.shtml
41. http://xforce.iss.net/alerts/vol-1_num-6.php3#list
42. http://xforce.iss.net/alerts/alerts.php3
43. http://www.ers.ibm.com/tech-info/advisories/sva/1997/ERS-SVA-E01-1997:008.1.txt
44. http://ciac.llnl.gov/ciac/bulletins/i-010.shtml
45. http://xforce.iss.net/alerts/vol-1_num-6.php3#list
46. http://xforce.iss.net/alerts/alerts.php3
47. http://www.ers.ibm.com/tech-info/advisories/sva/1997/ERS-SVA-E01-1997:009.1.txt
48. http://xforce.iss.net/alerts/vol-1_num-6.php3#list
49. http://xforce.iss.net/alerts/alerts.php3
50. http://sunsolve.sun.com/sunsolve/secbulletins/security-alert-155.txt
51. http://ciac.llnl.gov/ciac/bulletins/i-007.shtml
52. http://xforce.iss.net/alerts/vol-1_num-6.php3#list
53. http://xforce.iss.net/alerts/alerts.php3
54. http://sunsolve.sun.com/sunsolve/secbulletins/security-alert-156.txt
55. http://ciac.llnl.gov/ciac/bulletins/i-007.shtml
56. http://xforce.iss.net/alerts/vol-1_num-6.php3#list
57. http://xforce.iss.net/alerts/alerts.php3
58. http://sunsolve.sun.com/sunsolve/secbulletins/security-alert-157.txt
59. http://ciac.llnl.gov/ciac/bulletins/i-007.shtml
60. http://xforce.iss.net/alerts/vol-1_num-6.php3#list
61. http://xforce.iss.net/alerts/alerts.php3
62. http://www.ers.ibm.com/tech-info/advisories/sva/1997/ERS-SVA-E01-1997:005.1.txt
63. http://ciac.llnl.gov/ciac/bulletins/i-010.shtml
64. http://xforce.iss.net/alerts/vol-1_num-6.php3#list
65. http://xforce.iss.net/alerts/alerts.php3
66. ftp://ftp.secnet.com/pub/advisories/SNI-20.telnetd.tgetent.advisory
67. http://xforce.iss.net/alerts/vol-1_num-6.php3#list
68. http://xforce.iss.net/alerts/alerts.php3
69. http://www.dec.net/ksrt/adv4.html
70. http://xforce.iss.net/alerts/vol-1_num-6.php3#list
71. http://xforce.iss.net/alerts/alerts.php3
72. http://sunsolve.sun.com/sunsolve/secbulletins/security-alert-158.txt
73. http://ciac.llnl.gov/ciac/bulletins/h-25a.shtml
74. ftp://info.cert.org/pub/cert_advisories/CA-97.06.rlogin-term
75. http://www.nwfusion.com/
76. http://www.nwfusion.com/reviews/1027rev.html
77. http://xforce.iss.net/alerts/vol-1_num-6.php3#list
78. http://xforce.iss.net/alerts/alerts.php3
79. http://www.iss.net/xforce
80. http://www.iss.net/
81. http://xforce.iss.net/alerts/vol-1_num-6.php3#list
82. http://xforce.iss.net/alerts/alerts.php3
83. mailto:xforce@iss.net
84. http://xforce.iss.net/alerts/sensitive.html
85. mailto:xforce@iss.net
86. http://xforce.iss.net/alerts/vol-1_num-6.php3#list
87. http://xforce.iss.net/alerts/alerts.php3
88. http://xforce.iss.net/news.php3
89. http://xforce.iss.net/seriousfun/
90. http://xforce.iss.net/maillists/
91. http://xforce.iss.net/library/
92. http://xforce.iss.net/protoworx/
93. http://xforce.iss.net/alerts/
94. http://xforce.iss.net/submission.php3
95. http://xforce.iss.net/feedback.php3
96. http://xforce.iss.net/search.php3
97. http://xforce.iss.net/about.php3
98. http://xforce.iss.net/cgi-bin/getSGIInfo.pl
99. http://xforce.iss.net/privacy.php3