
ISS Security Alert Summary April 1, 1999

Posted Apr 3, 1999

ISS Security Alert Summary for April 1, 1999.

SHA-256 | 46eef4819def61413ef2d879eb70220ba6968f68d35b4a4834a3079b29ca3e9d


From xforce@iss.net Fri Apr 2 22:41:24 1999
From: X-Force <xforce@iss.net>
To: alert@iss.net
Cc: X-Force <xforce@iss.net>
Date: Fri, 2 Apr 1999 17:31:55 -0500 (EST)
Subject: ISSalert: ISS Security Alert Summary v3 n8

TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to
majordomo@iss.net. Contact alert-owner@iss.net for help with any problems!
---------------------------------------------------------------------------


-----BEGIN PGP SIGNED MESSAGE-----

Join us for a free half-day briefing on "Securing the Enterprise for
E-Commerce". See http://www.iss.net/press_rel/seminars/ecommerce/ for
details.

ISS Security Alert Summary
April 1, 1999
Volume 3 Number 8

X-Force Vulnerability and Threat Database: http://www.iss.net/xforce

To receive these Alert Summaries, subscribe to the ISS Alert mailing list.
Send an email to majordomo@iss.net, and within the body of the message
type: 'subscribe alert'.

_____

Contents

20 Reported Vulnerabilities
- hp-desms-servers
- hp-serviceguard
- xfree86-temp-directories
- java-unverified-code
- pws-file-access
- cisco-catalyst-crash
- hp-ftp
- linux-zerolength-fragment
- openbsd-poll-crash
- ssl-session-reuse
- openbsd-tss-panic
- eudora-long-attachments
- hp-hpterm
- netbsd-mount
- netscape-talkback-kill
- netscape-talkback-overwrite
- linux-slackware-install
- netbsd-umapfs
- http-img-overflow
- ldap-mds-bo

Melissa Virus Summary

Risk Factor Key

_____

Date Reported: 1999-03-30
Vulnerability: hp-desms-servers
Platforms Affected: HPUX (10.20, 11.00)
Risk Factor: High

Some applications for HP-UX may cause extra Domain Enterprise Server
Management System (DESMS) processes to be run in the background. A
vulnerability in these servers could allow a user to gain elevated
privileges.

Reference:
HP Security Bulletin HPSBUX9903-095: "Security Vulnerability with DESMS"
at: http://us-support.external.hp.com

_____

Date Reported: 1999-03-30
Vulnerability: hp-serviceguard
Platforms Affected: HPUX (10.00, 10.01, 10.10, 10.20, 11.00)
Risk Factor: High

The HP-UX programs MC/ServiceGuard and MC/LockManager contain an
implementation flaw in how they handle reduced SAM functionality which
could allow users to gain elevated privileges.

Reference:
HP Security Bulletin HPSBUX9903-096: "Security Vulnerability in
MC/ServiceGuard & MC/LockManager" at: http://us-support.external.hp.com

_____

Date Reported: 1999-03-28
Vulnerability: xfree86-temp-directories
Platforms Affected: X11
Risk Factor: High

A vulnerability exists in the XFree86 X11 environment through version
3.3.3 which could allow local attackers elevated privileges. A flaw in
how the package handles temporary directories could allow an attacker to
manipulate the program to change the permissions on arbitrary directories
to a world writable state, which could eventually lead to root privileges.

Reference:
SuSE Security Announcement: "unix operating systems using xfree86" at:
http://www.suse.de/security/announcements/suse-security-announce-3.txt

_____

Date Reported: 1999-03-26
Vulnerability: java-unverified-code
Platforms Affected: Java
Risk Factor: High

An implementation flaw in the Java Development Kit (JDK) could allow
unverified code from an untrusted applet to be executed. This bug could
allow any number of malicious actions to be performed on vulnerable
machines. This bug is present in JDK 1.1.x, the Java 2 implementations,
and all applications using the above systems.

Reference:
Sun Microsystems, Inc: "Java Security" at: http://java.sun.com/security/

_____

Date Reported: 1999-03-26
Vulnerability: pws-file-access
Platforms Affected: Microsoft Personal Web Server (4.0)
                    FrontPage Personal Web Server
Risk Factor: Medium

A vulnerability has been discovered in the file access protocols of the
Microsoft Personal Web Server and FrontPage PWS that could allow arbitrary
files to be remotely read. The attacker is required to have prior
knowledge of file names to exploit this vulnerability, which does not
yield any privileges other than read access.

References:
Microsoft Security Bulletin (MS99-010): "Patch Available for File Access
Vulnerability in Personal Web Server" at:
http://www.microsoft.com/security/bulletins/ms99-010.asp

Microsoft Knowledgebase Article ID: Q216453: "FP98: Security Patch for
FrontPage Personal Web Server" at:
http://support.microsoft.com/support/kb/articles/q216/4/53.asp

Microsoft Knowledgebase Article ID: Q217765: "FP97: Security Patch for
FrontPage Personal Web Server" at:
http://support.microsoft.com/support/kb/articles/q217/7/65.asp

Microsoft Knowledgebase Article ID: Q217763: "File Access Vulnerability in
Personal Web Server" at:
http://support.microsoft.com/support/kb/articles/q217/7/63.asp

_____

Date Reported: 1999-03-24
Vulnerability: cisco-catalyst-crash
Platforms Affected: Cisco
Risk Factor: Medium

A vulnerability exists in some versions of the Cisco Catalyst switch
firmware code which could allow a remote attacker to cause the device to
stop functioning and reload. This flaw has been identified in some of the
Catalyst 5xxx, 29xx and 12xx models of this hardware.

References:
ISS Security Advisory: "Remote Denial of Service Vulnerability in Cisco
Catalyst Series Ethernet Switches" at:
http://www.iss.net/xforce/alerts/advise24.html

Cisco Field Notice: "Cisco Catalyst Supervisor Remote Reload" at:
http://www.cisco.com/warp/public/770/cat7161-pub.shtml

_____

Date Reported: 1999-03-24
Vulnerability: hp-ftp
Platforms Affected: HPUX (11.00)
Risk Factor: High

A vulnerability in the 'ftp' program distributed with HP-UX 11.0 could
allow a local user to gain unauthorized elevated privileges on the
system.

Reference:
HP Security Bulletin HPSBUX9903-094: "Security Vulnerability with ftp on
HP-UX 11.00" at: http://us-support.external.hp.com

_____

Date Reported: 1999-03-24
Vulnerability: linux-zerolength-fragment
Platforms Affected: Linux
Risk Factor: Medium

A flaw in the packet fragment reassembly code in Linux kernels 2.1.89
through 2.2.3 could allow a remote attacker to cause the machine to lose
network connectivity. Exploiting the vulnerability requires sending many
packets, so a successful attack could take several minutes to launch.

Reference:
BUGTRAQ Mailing List: "DoS for Linux 2.1.89 - 2.2.3: 0 length fragment bug"
at: http://www.netspace.org/cgi-bin/wa?A2=ind9903d&L=bugtraq&F=&S=&P=623

_____

Date Reported: 1999-03-22
Vulnerability: openbsd-poll-crash
Platforms Affected: OpenBSD (2.4)
Risk Factor: Medium

The nfds parameter to the poll(2) system call under OpenBSD can be used to
deplete available kernel memory and eventually crash the system.

Reference:
The OpenBSD Project: "OpenBSD release errata" at:
http://www.openbsd.org/errata.html#poll

_____

Date Reported: 1999-03-22
Vulnerability: ssl-session-reuse
Platforms Affected: OpenSSL
SSLeay
Risk Factor:

A possible security vulnerability has been identified in the OpenSSL and
SSLeay implementation of the Secure Sockets Layer (SSL) protocol. Under
some circumstances, SSL sessions can be reused in a different context from
their original one. This usage may allow access controls based on client
certificates to be bypassed.

Reference:
BUGTRAQ Mailing List: "OpenSSL/SSLeay Security Alert" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9903d&L=bugtraq&F=&S=&P=65

_____

Date Reported: 1999-03-21
Vulnerability: openbsd-tss-panic
Platforms Affected: OpenBSD (2.4)
Risk Factor: Medium

A bug in the OpenBSD kernel TSS signal handling code could allow a
malicious local user to cause the system to panic and crash.

Reference:
The OpenBSD Project: "OpenBSD release errata" at:
http://www.openbsd.org/errata.html#tss

_____

Date Reported: 1999-03-20
Vulnerability: eudora-long-attachments
Platforms Affected: Eudora
Risk Factor: High

A vulnerability exists in Eudora through version 4.2 Beta which could
allow a remote attacker to crash the program and possibly execute code
with the permissions of the program. Eudora will crash if it receives an
attachment with a filename that is longer than Windows can handle.

Reference:
BUGTRAQ Mailing List: "Eudora Attachment Buffer Overflow" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9903c&L=bugtraq&F=&S=&P=3519

_____

Date Reported: 1999-03-18
Vulnerability: hp-hpterm
Platforms Affected: HPUX (10.20)
Risk Factor: High

The HP patch PHSS_13560 introduced a vulnerability: a library access
problem in hpterm, the X Window terminal emulator. If this bug is
exploited, it can increase the privileges of the attacker.

Reference:
HP Security Bulletin HPSBUX9903-093: "Security Vulnerability with hpterm
on HP-UX 10.20" at: http://us-support.external.hp.com

_____

Date Reported: 1999-03-18
Vulnerability: netbsd-mount
Platforms Affected: NetBSD (1.3.3)
Risk Factor: Medium

A flaw in the mount(2) system call in NetBSD 1.3.3 and prior could allow
a non-root user to mount a partition labeled with the 'noexec' flag with
execute permission. This flaw allows the user to execute arbitrary
programs on that partition.

Reference:
NetBSD Security Advisory 1999-007: "noexec mount flag is not properly
handled by non-root mount" at:
ftp://ftp.netbsd.org/pub/NetBSD/misc/security/advisories/NetBSD-SA1999-007.txt.asc

_____

Date Reported: 1999-03-18
Vulnerability: netscape-talkback-kill
Platforms Affected: Netscape Communicator (4.5)
Risk Factor: Low

A vulnerability has been discovered in the "talkback" addon for Netscape
Communicator 4.5. The hole could allow a malicious local user to cause
the program to kill an arbitrary process owned by a user whose
Netscape session crashes.

Reference:
SuSE Security Announcement: "unix operating systems using netscape
communicator 4.5" at:
http://www.suse.de/security/announcements/suse-security-announce-2.txt

_____

Date Reported: 1999-03-18
Vulnerability: netscape-talkback-overwrite
Platforms Affected: Netscape Communicator (4.5)
Risk Factor: Low

A vulnerability exists in the "talkback" addon distributed with some
versions of Netscape Communicator. The talkback program fails to check
whether temporary files are actually links, and as such can be manipulated
to create or overwrite arbitrary files owned by the person invoking the
Netscape program.

Reference:
SuSE Security Announcement: "unix operating systems using netscape
communicator 4.5" at:
http://www.suse.de/security/announcements/suse-security-announce-2.txt

_____

Date Reported: 1999-03-17
Vulnerability: linux-slackware-install
Platforms Affected: Linux Slackware
Risk Factor: High

A vulnerability exists in the network installation of Slackware Linux
systems through version 3.6. During a network install there may be a
period of time when the root password is left blank and interactive
logins from the network are available, in which case an attacker can log
in to the machine without supplying a root password.

References:
ISS Security Advisory: "Short-Term High-Risk Vulnerability During
Slackware 3.6 Network Installations" at:
http://www.iss.net/xforce/alerts/advise23.html

_____

Date Reported: 1999-03-17
Vulnerability: netbsd-umapfs
Platforms Affected: NetBSD (1.3.3)
Risk Factor: High

A vulnerability has been found in NetBSD's umapfs virtual file system that
would allow a local attacker to remap their userid to any other user on
the system including root.

Reference:
NetBSD Security Advisory 1999-006: "Security hole in umapfs" at:
ftp://ftp.netbsd.org/pub/NetBSD/misc/security/advisories/NetBSD-SA1999-006.txt.asc

_____

Date Reported: 1999-03-16
Vulnerability: http-img-overflow
Platforms Affected: Lynx Browser
Internet Explorer
Risk Factor: Medium

A flaw in various browsers, namely Lynx and Internet Explorer, allows a
web page containing an IMG tag with a width parameter set to an abnormally
long value to crash the browser. It is not believed that this flaw can
lead to any type of access being compromised on victim machines.

Reference:
BUGTRAQ Mailing List: "Lynx 2.8 overflow" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9903c&L=bugtraq&F=&S=&P=1168

_____

Date Reported: 1999-03-15
Vulnerability: ldap-mds-bo
Platforms Affected: Microsoft Exchange (5.5)
Risk Factor: High

ISS X-Force has discovered a buffer overflow exploit against Microsoft
Exchange's LDAP (Lightweight Directory Access Protocol) server which
allows read access to the Exchange server directory by using an LDAP
client. This buffer overflow consists of a malformed bind request that
overflows the buffer and can execute arbitrary code. This attack can also
cause the Exchange LDAP service to crash. This vulnerability exists in
Microsoft Exchange Server version 5.5.

Reference:
ISS Security Advisory: "LDAP Buffer overflow against Microsoft Directory
Services" at: http://www.iss.net/xforce/alerts/advise22.html

_____

Date Reported: 1999-03-26
Vulnerability: melissa-macro-virus
Platforms Affected: Microsoft Word 97
Risk Factor: Medium

A simple macro virus designed for Microsoft Word 97 known as "Melissa"
has become widely disseminated and has caused widespread E-mail systems
failure and other problems. This virus is unique in that it is both
network-enabled and functions more like a worm than a virus, using each
infected system to launch attacks on other users.

Reference:
CERT Advisory CA-99-04: "Melissa Macro Virus" at:
http://www.cert.org/advisories/CA-99-04-Melissa-Macro-Virus.html

_____


Risk Factor Key:

    High     Any vulnerability that provides an attacker with immediate
             access into a machine, gains superuser access, or bypasses
             a firewall. Example: A vulnerable Sendmail 8.6.5 version
             that allows an intruder to execute commands on a mail
             server.
    Medium   Any vulnerability that provides information that has a
             high potential of giving system access to an intruder.
             Example: A misconfigured TFTP or vulnerable NIS server
             that allows an intruder to get the password file that
             could contain an account with a guessable password.
    Low      Any vulnerability that provides information that
             potentially could lead to a compromise. Example: A
             finger that allows an intruder to find out who is online
             and potential accounts to attempt to crack passwords
             via brute force methods.


Internet Security Systems, Inc. (ISS) is the leading provider of adaptive
network security monitoring, detection and response software that protects
the security and integrity of enterprise information systems. By
dynamically detecting and responding to security vulnerabilities and
threats inherent in open systems, ISS's SAFEsuite family of products
provides protection across the enterprise, including the Internet,
extranets, and internal networks, from attacks, misuse, and security
policy violations. ISS has delivered its adaptive network security
solutions to organizations worldwide, including firms in the Global 2000,
nine of the ten largest U.S. commercial banks and over 35 governmental
agencies. For more information, call ISS at 678-443-6000 or 800-776-2362
or visit the ISS Web site at http://www.iss.net.

________

Copyright (c) 1999 by Internet Security Systems, Inc. Permission is hereby
granted for the redistribution of this Alert Summary electronically. It is
not to be edited in any way without express consent of the X-Force. If
you wish to reprint the whole or any part of this Alert Summary in any other
medium excluding electronic medium, please e-mail xforce@iss.net for
permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at
the user's own risk.

X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html as
well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to:
X-Force <xforce@iss.net> of Internet Security Systems, Inc.


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBNwU/9TRfJiV99eG9AQHV0QP+OrVb5T+tzqhEqYmVbROeznfP524aPrJY
ZXF7z9KpGjPbO/6ed8B9WyFzxdFPfPxVWH+Xn1t5L4rG9R52snjdcPbKWAiBMPBE
LQkrWnHTGXzZr6GOBWSUKFr5B2Eq9PHyWVtEtsJ+vXWaqSzDhOl42ab7lXOSrEFL
upnfNN3J018=
=o2KT
-----END PGP SIGNATURE-----