I S S   X - F o r c e
                                      
                         The Most Wanted Alert List
                                      
       [1]News | [2]Serious Fun | [3]Mail Lists | [4]Security Library
          [5]Protoworx | [6]Alerts | [7]Submissions | [8]Feedback
                             [9]Advanced Search
                                      
   _ Alert Summaries_

ISS Security Alert Summary
November 6, 1998
Volume 3 Number 2

X-Force Vulnerability and Threat Database: [10]http://www.iss.net/xforce To
receive these Alert Summaries, subscribe to the ISS Alert mailing list.
Send an email to [11]majordomo@iss.net, and within the body of the message
type:  'subscribe alert'.


[12]Top of Page || [13]Back to Alert List

___

Contents

6 Reported Vulnerabilities
 - [14]Solaris-hidden-comm-string
 - [15]HPOV-hidden-SNMP-comm
 - [16]BMC-PATROL-file-create
 - [17]Mac-FWB
 - [18]IBM-automountd
 - [19]SGI-autofsd

1 Update
 - [20]Sun-imapd

Risk Factor Key


[21]Top of Page || [22]Back to Alert List

___


Date Reported:          11/4/98
Vulnerability:          FreeBSD-ip-frag-dos
Platforms Affected:     FreeBSD 3.0
                        FreeBSD-current (before 1998/10/27)
Risk Level:             High

A bug exists in FreeBSD's IP fragment reassembly code that can lead to a
kernel panic.  An attacker can send malformed IP packets to the FreeBSD
machine, where the reassembly code assembles them into an invalid UDP
datagram.  The UDP datagram would cause the system to kernel panic, and
have to be restarted.

Reference:
Security Advisory FreeBSD, Inc: "IP fragmentation denial of service" at:
[23]ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-98%3A08.fragme
nt.asc


[24]Top of Page || [25]Back to Alert List

___


Date Reported:          11/2/98
Vulnerability:          Solaris-hidden-comm-string
Platforms Affected:     Solaris 2.6
Risk Level:             High

Internet Security System (ISS) X-Force has discovered a serious
vulnerability in Sun Microsystems Solstice Enterprise Agent and the
Solaris operating system.  This vulnerability allows attackers to execute
arbitrary commands with root privileges, manipulate system parameters and
kill processes.  This vulnerability is present on the Solaris Operating
System version 2.6.  Earlier versions are vulnerable.  Solaris 2.7 beta is
not vulnerable.

Reference:
ISS Security Advisory: "Hidden community string in SNMP implementation"
at: [26]http://www.iss.net/xforce/alerts/advise11.html


[27]Top of Page || [28]Back to Alert List

___


Date Reported:          11/2/98
Vulnerability:          HPOV-hidden-SNMP-comm
Platforms Affected:     HP-UX (9.x, 10.x)
                        Solaris (2.x)
Risk Level:             Medium

Internet Security Systems (ISS) X-Force has researched a hidden SNMP
community string that exists in HP OpenView.  This community may allow
unauthorized access to certain SNMP variables.  Attackers may use this
hidden community to learn about network topology as well as modify MIB
variables. This vulnerability is present in HP OpenView Version 5.02.
Earlier versions are believed to be vulnerable.  HP-UX 9.X and HP-UX 10.X
SNMP agents are vulnerable if OpenView is installed.  OpenView for Solaris
2.X is also vulnerable.  OpenView for Windows NT is not vulnerable.

Reference:
ISS Security Advisory: "Hidden SNMP community in HP OpenView" at:
[29]http://www.iss.net/xforce/alerts/advise12.html


[30]Top of Page || [31]Back to Alert List

___


Date Reported:          11/2/98
Vulnerability:          BMC-PATROL-file-create
Platforms Affected:     PATROL Agent (3.2.3)
Risk Level:             High

Internet Security Systems (ISS) X-Force has discovered a vulnerability in
BMC Software PATROL(r) network management software.  PATROL contains a
vulnerability that may allow local attackers to compromise root access.
The agent creates insecure temporary files that may lead to a symbolic
link attack.  This vulnerability exists on version 3.2.3 of PATROL
Agent(tm) software product.  Earlier versions of PATROL Agent are also
vulnerable.

Reference:
ISS Security Advisory: "BMC PATROL File Creation Vulnerability" at:
[32]http://www.iss.net/xforce/alerts/advise10.html


[33]Top of Page || [34]Back to Alert List

___


Date Reported:          10/30/98
Vulnerability:          Mac-FWB
Platforms Affected:     FWB Hard Disk Toolkit 2.5
Risk Level:             Low

The FWB Hard Disk Toolkit for the Apple Macintosh allows users to place a
password on hard drive volumes to protect data.  A bug has been found by
l0pht that would allow a malicious user to forcibly replace the FWB driver
with another driver, and access the data on the password protected drive.

Reference:
L0phT Security Advisory: "FWB Hard Disk Toolkit 2.5: Users can bypass hard
disk driver level passwords" at: [35]http://www.l0pht.com/advisories/fwb.txt


[36]Top of Page || [37]Back to Alert List

___


Date Reported:          10/16/98
Vulnerability:          IBM-automountd
Platforms Affected:     AIX (4.3.x)
Risk Level:             High

The automountd daemon processes requests from the local AutoFS filesystem
kernel extension.  A vulnerability in automountd has been found that would
allow an attacker to execute commands as root both locally and remotely.

References:
IBM Emergency Response Service Security Vulnerability Alert: "The
automountd daemon allows local and remote users to become root." at:
[38]http://www.ers.ibm.com/tech-info/advisories/sva/1998/ERS-SVA-E01-1998:004.1
.txt

CIAC Information Bulletin: "IBM AIX automountd Vulnerability" at
[39]http://www.ciac.org/ciac/bulletins/j-014.shtml


[40]Top of Page || [41]Back to Alert List

___


Date Reported:          10/21/98
Vulnerability:          SGI-autofsd
Platforms Affected:     IRIX (6.2, 6.3, 6.4, 6.5)
Risk Level:             High

Autofsd is an RPC server that answers file system mount and umount
requests from the autofs file system. Upon receiving a map argument from a
client, the server will attempt to verify if it is executable.  If autofsd
determines the map has an executable flag, the server will append the
client's key and attempt to execute it.  By sending a map name that is
executable on the server, and a key beginning with a semicolon or a
newline followed by a command, unprivileged users can execute arbitrary
commands as the superuser.

References:
Repent Security Incorporated: "IRIX autofsd" (RSI.0010.10-21-98.IRIX.AUTOFSD)
at: [42]http://www.repsec.com/advisory/0010.html

Silicon Graphics Inc. Security Advisory: "Vulnerability in IRIX autofsd" at:
[43]ftp://sgigate.sgi.com/security/19981005-01-A

CIAC Information Bulletin: "SGI IRIX autofsd Vulnerability" at
[44]http://www.ciac.org/ciac/bulletins/j-013.shtml


[45]Top of Page || [46]Back to Alert List

___

Date:                   10/21/98 (CERT Advisory CA-98.09.imapd)
Update:                 Sun-imapd
Vendor:                 Sun Microsystems, Inc.
Platforms:              Sun Internet Mail Server (2.0, 3.2)

Sun has released patches that correct the IMAP buffer overflow condition
that could allow an attacker to gain root privileges.

References:
CERT* Advisory CA-98.09: "Buffer Overflow in Some Implementations of IMAP
Servers" at: [47]ftp://info.cert.org/pub/cert_advisories/CA-98.09.imapd

Sun Microsystems, Inc. Security Bulletin: "IMAP" at:
[48]http://sunsolve.Sun.COM/pub-cgi/us/sec2html?secbull/177


[49]Top of Page || [50]Back to Alert List

___

Risk Factor Key:

        High    Any vulnerability that provides an attacker with immediate
                access into a machine, gains superuser access, or bypasses
                a firewall.  Example:  A vulnerable Sendmail 8.6.5 version
                that allows an intruder to execute commands on mail
                server.
        Medium  Any vulnerability that provides information that has a
                high potential of giving system access to an intruder.
                Example: A misconfigured TFTP or vulnerable NIS server
                that allows an intruder to get the password file that
                could contain an account with a guessable password.
        Low     Any vulnerability that provides information that
                potentially could lead to a compromise.  Example:  A
                finger that allows an intruder to find out who is online
                and potential accounts to attempt to crack passwords
                via brute force methods.


Internet Security Systems, Inc. is the leading provider of adaptive network
security monitoring, detection and response software that protects the
security and integrity of enterprise information systems.  By dynamically
detecting and responding to security vulnerabilities and threats inherent
in open systems, ISS's SAFEsuite family of products provide protection
across the enterprise, including the Internet, extranets, and internal
networks, from attacks, misuse and security policy violations.  The Company
has delivered its adaptive network security solutions to organizations
worldwide, including firms in the Global 2000, 9 of the ten largest U.S.
commercial banks and over 35 governmental agencies.  For more information,
call ISS at 678-443-6000 or 800-776-2362 or visit the ISS Web site at
[51]http://www.iss.net.


[52]Top of Page || [53]Back to Alert List

___

Copyright (c) 1998 by Internet Security Systems, Inc.  Permission is hereby
granted for the redistribution of this Alert Summary electronically.  It is
not to be edited in any way without express consent of the X-Force.  If
you wish to reprint the whole or any part of this Alert Summary in any other
medium excluding electronic medium, please email [54]xforce@iss.net for
permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at
the user's own risk.

X-Force PGP Key available at:   [55]http://www.iss.net/xforce/sensitive.html as

well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to:
X-Force xforce@iss.net

   > of Internet Security Systems, Inc.
   
     [56]News | [57]Serious Fun | [58]Mail Lists | [59]Security Library
        [60]Protoworx | [61]Alerts | [62]Submissions | [63]Feedback
                            [64]Advanced Search
                                      
                        [65]About the Knowledge Base
                                      
            Copyright ©1994-1998 Internet Security Systems, Inc.
          All Rights Reserved. Sales Inquiries: [66]sales@iss.net
         6600 Peachtree-Dunwoody Rd · Bldg 300 · Atlanta, GA 30328
                 Phone (678) 443-6000 · Fax (678) 443-6477
                                      
                      Read our [67]privacy guidelines.

References

   1. http://xforce.iss.net/news.php3
   2. http://xforce.iss.net/seriousfun/
   3. http://xforce.iss.net/maillists/
   4. http://xforce.iss.net/library/
   5. http://xforce.iss.net/protoworx/
   6. http://xforce.iss.net/alerts/
   7. http://xforce.iss.net/submission.php3
   8. http://xforce.iss.net/feedback.php3
   9. http://xforce.iss.net/search.php3
  10. http://www.iss.net/xforce
  11. mailto:majordomo@iss.net
  12. http://xforce.iss.net/alerts/vol-3_num-2.php3#list
  13. http://xforce.iss.net/alerts/alerts.php3
  14. http://xforce.iss.net/alerts/vol-3_num-2.php3#Solaris-hidden-comm-string
  15. http://xforce.iss.net/alerts/vol-3_num-2.php3#HPOV-hidden-SNMP-comm
  16. http://xforce.iss.net/alerts/vol-3_num-2.php3#BMC-PATROL-file-create
  17. http://xforce.iss.net/alerts/vol-3_num-2.php3#Mac-FWB
  18. http://xforce.iss.net/alerts/vol-3_num-2.php3#IBM-automountd
  19. http://xforce.iss.net/alerts/vol-3_num-2.php3#SGI-autofsd
  20. http://xforce.iss.net/alerts/vol-3_num-2.php3#Sun-imapd
  21. http://xforce.iss.net/alerts/vol-3_num-2.php3#list
  22. http://xforce.iss.net/alerts/alerts.php3
  23. ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-98
  24. http://xforce.iss.net/alerts/vol-3_num-2.php3#list
  25. http://xforce.iss.net/alerts/alerts.php3
  26. http://www.iss.net/xforce/alerts/advise11.html
  27. http://xforce.iss.net/alerts/vol-3_num-2.php3#list
  28. http://xforce.iss.net/alerts/alerts.php3
  29. http://www.iss.net/xforce/alerts/advise12.html
  30. http://xforce.iss.net/alerts/vol-3_num-2.php3#list
  31. http://xforce.iss.net/alerts/alerts.php3
  32. http://www.iss.net/xforce/alerts/advise10.html
  33. http://xforce.iss.net/alerts/vol-3_num-2.php3#list
  34. http://xforce.iss.net/alerts/alerts.php3
  35. http://www.l0pht.com/advisories/fwb.txt
  36. http://xforce.iss.net/alerts/vol-3_num-2.php3#list
  37. http://xforce.iss.net/alerts/alerts.php3
  38. http://www.ers.ibm.com/tech-info/advisories/sva/1998/ERS-SVA-E01-1998:004.1.txt
  39. http://www.ciac.org/ciac/bulletins/j-014.shtml
  40. http://xforce.iss.net/alerts/vol-3_num-2.php3#list
  41. http://xforce.iss.net/alerts/alerts.php3
  42. http://www.repsec.com/advisory/0010.html
  43. ftp://sgigate.sgi.com/security/19981005-01-A
  44. http://www.ciac.org/ciac/bulletins/j-013.shtml
  45. http://xforce.iss.net/alerts/vol-3_num-2.php3#list
  46. http://xforce.iss.net/alerts/alerts.php3
  47. ftp://info.cert.org/pub/cert_advisories/CA-98.09.imapd
  48. http://sunsolve.Sun.COM/pub-cgi/us/sec2html?secbull/177
  49. http://xforce.iss.net/alerts/vol-3_num-2.php3#list
  50. http://xforce.iss.net/alerts/alerts.php3
  51. http://www.iss.net/
  52. http://xforce.iss.net/alerts/vol-3_num-2.php3#list
  53. http://xforce.iss.net/alerts/alerts.php3
  54. mailto:xforce@iss.net
  55. http://www.iss.net/xforce/sensitive.html
  56. http://xforce.iss.net/news.php3
  57. http://xforce.iss.net/seriousfun/
  58. http://xforce.iss.net/maillists/
  59. http://xforce.iss.net/library/
  60. http://xforce.iss.net/protoworx/
  61. http://xforce.iss.net/alerts/
  62. http://xforce.iss.net/submission.php3
  63. http://xforce.iss.net/feedback.php3
  64. http://xforce.iss.net/search.php3
  65. http://xforce.iss.net/about.php3
  66. http://xforce.iss.net/cgi-bin/getSGIInfo.pl
  67. http://xforce.iss.net/privacy.php3