
ISS Security Alert Summary April 15, 1999

Posted Apr 21, 1999


SHA-256 | bf32f134f1052215edfef86e1386123419805da35b1df063e35266d9747c0e00


From xforce@iss.net Tue Apr 20 18:46:13 1999
From: X-Force <xforce@iss.net>
To: alert@iss.net
Cc: X-Force <xforce@iss.net>
Date: Mon, 19 Apr 1999 16:14:14 -0400 (EDT)
Subject: ISSalert: ISS Security Alert Summary v3 n9

TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to
majordomo@iss.net. Contact alert-owner@iss.net for help with any problems!
---------------------------------------------------------------------------


-----BEGIN PGP SIGNED MESSAGE-----

ISS Security Alert Summary
April 15, 1999
Volume 3 Number 9

X-Force Vulnerability and Threat Database: http://www.iss.net/xforce

To receive these Alert Summaries, subscribe to the ISS Alert mailing list.
Send an email to majordomo@iss.net, and within the body of the message
type: 'subscribe alert'.

_____

Contents

19 Reported Vulnerabilities
- default-flowpoint
- ucd-snmpd-community
- cisco-natacl-leakage
- mpeix-debug
- netbsd-vfslocking-panic
- bmc-patrol-frames
- bmc-patrol-replay
- http-cgi-webcom-guestbook
- ie-scriplet-fileread
- ie-window-spoof
- winroute-config
- netcache-snmp
- rsync-permissions
- wingate-redirector-dos
- wingate-registry-passwords
- sco-termvision-password
- webramp-device-crash
- webramp-ipchange
- xylan-omniswitch-ftp
- xylan-omniswitch-login

Risk Factor Key

_____

Date Reported: 1999-04-14
Vulnerability: default-flowpoint
Platforms Affected: Flowpoint
Risk Factor: High

Flowpoint DSL routers by default ship with either no administrator
password or the password 'admin'. This could allow a remote attacker to
gain complete administrative control over these devices.

References:
BUGTRAQ Mailing List: "FlowPoint 2000 DSL Routers" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9808B&L=bugtraq&P=R6856

BUGTRAQ Mailing List: "FlowPoint ADSL Reported Problem" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9904C&L=bugtraq&P=R994

_____

Date Reported: 1999-04-13
Vulnerability: cisco-natacl-leakage
Platforms Affected: Cisco
Risk Factor: High

A flaw in the interaction between network address translation (NAT) and
access control lists in some 12.0-based versions of IOS could cause
packets to be erroneously leaked through the ACL. This could expose
networks and machines normally protected by access rules to outside
attack.

Reference:
Cisco Field Notice: "Cisco IOS® Software Input Access List Leakage with
NAT" at: http://www.cisco.com/warp/public/770/iosnatacl-pub.shtml

_____

Date Reported: 1999-04-13
Vulnerability: mpeix-debug
Platforms Affected: MPE/iX
Risk Factor: High

A vulnerability in the debug utility on the MPE/iX operating system can
allow local users to gain elevated privileges.

Reference:
HP Security Bulletin HPSBMP9904-006: "Security Vulnerability in MPE/iX
debug" at: http://us-support.external.hp.com

_____

Date Reported: 1999-04-13
Vulnerability: netbsd-vfslocking-panic
Platforms Affected: NetBSD (1.3.1, 1.3.2, 1.3.3)
Risk Factor: Medium

A problem within the virtual filesystem (VFS) file locking code on NetBSD
systems could allow a local, non-privileged user to cause the system to
hang or crash.

Reference:
NetBSD Security Advisory 1999-008: "Kernel hang or panic in name lookup
under certain circumstances" at:
ftp://ftp.netbsd.org/pub/NetBSD/misc/security/advisories/NetBSD-SA1999-008.txt.asc

_____

Date Reported: 1999-04-09
Vulnerability: bmc-patrol-frames
Platforms Affected: PATROL Agent (3.2.3)
Risk Factor: Medium

A weakness in the algorithm used to seal Patrol frames as they are
exchanged could allow a spoofing system to be trivially created. This
could allow unauthorized access to the agent.

Reference:
BUGTRAQ Mailing List: "Patrol security bugs" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9904b&L=bugtraq&F=&S=&P=3253

_____

Date Reported: 1999-04-09
Vulnerability: bmc-patrol-replay
Platforms Affected: PATROL Agent (3.2.3)
Risk Factor: Medium

The system used to authenticate users with the Patrol agent is susceptible
to session replaying attacks. An attacker can capture the encrypted
password sent to the agent and then later replay that information and be
granted access.

Reference:
BUGTRAQ Mailing List: "Patrol security bugs" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9904b&L=bugtraq&F=&S=&P=3253

_____

Date Reported: 1999-04-09
Vulnerability: http-cgi-webcom-guestbook
Platforms Affected: Common Gateway Interface (CGI)
Risk Factor: Medium

The wguest.exe and rguest.exe programs are distributed with the WebCom
Guestbook CGI package. Remote attackers can view any file on the
system that the anonymous Internet user account has read access to.
The attacker must have prior knowledge of the file's name to exploit this
vulnerability.

Reference:
NTBUGTRAQ Mailing List: "Webcom's CGI Guestbook for Win32 web servers" at:
http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9904&L=ntbugtraq&F=P&S=&P=2194

_____

Date Reported: 1999-04-09
Vulnerability: ie-scriplet-fileread
Platforms Affected: Internet Explorer
Risk Factor: Medium

A problem in at least Internet Explorer 5.0's scriptlet component
allows a content provider to read files on the browser's file system. The
malicious site would have to have prior knowledge of the file's name to
retrieve it as file listings are not possible.

Reference:
BUGTRAQ Mailing List: "IE 5.0 security vulnerabilities - %01 bug again"
at: http://www.netspace.org/cgi-bin/wa?A2=ind9904b&L=bugtraq&F=&S=&P=1504

_____

Date Reported: 1999-04-09
Vulnerability: ie-window-spoof
Platforms Affected: Internet Explorer
Risk Factor: High

A vulnerability exists in at least Internet Explorer 5.0 which allows a
malicious user to present a web page that appears to be that of a
legitimate, trusted site but which in fact contains content from the
malicious user. This page could be used to capture sensitive information
from the user, who believes it is actually being requested by another site.

Reference:
BUGTRAQ Mailing List: "IE 5.0 security vulnerabilities - %01 bug again"
at: http://www.netspace.org/cgi-bin/wa?A2=ind9904b&L=bugtraq&F=&S=&P=1504

_____

Date Reported: 1999-04-09
Vulnerability: netware-remotenlm-passwords
Platforms Affected: Novell NetWare (4.0)
Risk Factor: High

The password encryption algorithm implemented in Novell's Remote.NLM is
very weak and trivially decrypted. This could expose the passwords of
accounts to attackers who have access to the stored encrypted passwords.

Reference:
BUGTRAQ Mailing List: "New Novell Remote.NLM Password Decryption Algorithm
with Exploit" at: http://www.netspace.org/cgi-bin/wa?A2=ind9904B&L=bugtraq&P=R1516

_____

Date Reported: 1999-04-09
Vulnerability: winroute-config
Platforms Affected: WinRoute
Risk Factor: High

The procedure used to authenticate users for access to the admin
configuration menu on WinRoute servers contains a flaw that allows users
to bypass the authentication and gain direct access. This access could be
used to change the configuration of the proxy remotely.

Reference:
BUGTRAQ Mailing List: "Bug in Winroute 3.04g" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9904B&L=bugtraq&P=R1283

_____

Date Reported: 1999-04-07
Vulnerability: netcache-snmp
Platforms Affected: SNMP, NetCache
Risk Factor: Medium

Network Appliance's NetCache software ships with an SNMP community string
of 'public'. When users try to reconfigure this string via the web
interface, the new string is only added to the list of valid strings and
the 'public' community string is not deleted. This could lead
administrators to incorrectly believe the public string has been disabled.

Reference:
BUGTRAQ Mailing List: "Netcache snmp behaviour" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9904A&L=bugtraq&P=R4014

_____

Date Reported: 1999-04-07
Vulnerability: rsync-permissions
Platforms Affected: Unix
Risk Factor: Medium

A vulnerability in some versions of the rsync client could allow the
permissions of a transmitted vacant directory to be applied to the local
working directory of the client machine. This could cause the permissions
of sensitive directories to be modified to an insecure state.

Reference:
BUGTRAQ Mailing List: "rsync 2.3.1 release - security fix" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9904A&L=bugtraq&P=R3834

_____

Date Reported: 1999-04-05
Vulnerability: apache-debian-usrdoc
Platforms Affected: Apache, Linux (Debian)
Risk Factor: Low

By default, the Apache configuration under Debian Linux aliases the
'/usr/doc' directory to '/doc/' in the ServerRoot. This could allow a
remote user to view the documentation files on the machine, which may
reveal information about the versions of software packages installed on
the machine.

Reference:
BUGTRAQ Mailing List: "An issue with Apache on Debian" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9904a&L=bugtraq&F=&S=&P=2822

_____

Date Reported: 1999-04-05
Vulnerability: icq-webserver-read
Platforms Affected: ICQ
Risk Factor: Medium

A vulnerability exists in how the ICQ personal web server offers files
that could allow a remote attacker to access any files on the local system
of any vulnerable host.

Reference:
BUGTRAQ Mailing List: "security hole in ICQ-Webserver" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9904a&L=bugtraq&F=&S=&P=3795

_____

Date Reported: 1999-04-05
Vulnerability: procmail-overflow
Platforms Affected: procmail
Risk Factor: High

A number of buffer overflows have been discovered in the configuration
file processing of the Procmail package. These vulnerabilities may
allow users to execute arbitrary code with elevated privileges. Under
some circumstances, this vulnerability could be exploited from remote
locations.

Reference:
BUGTRAQ Mailing List: "Re: [SECURITY] new version of procmail with
security fixes" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9904a&L=bugtraq&D=0&P=2003

_____

Date Reported: 1999-04-05
Vulnerability: procmail-race
Platforms Affected: procmail
Risk Factor: Medium

A race condition within the portion of Procmail that reads a user's
configuration files could allow non-privileged users to read arbitrary
files on the system that they would normally not have access to.

Reference:
BUGTRAQ Mailing List: "More procmail" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9904a&L=bugtraq&F=&S=&P=4470

_____

Date Reported: 1999-04-05
Vulnerability: wingate-redirector-dos
Platforms Affected: WinGate
Risk Factor: Medium

A buffer overflow exists in the Winsock Redirector Service (TCP 2080)
which when exploited allows a remote attacker to crash that service and
all other Wingate services. It has not been shown to be possible to use
this hole to execute arbitrary code on the vulnerable machine.

Reference:
BUGTRAQ Mailing List: "Multiple WinGate Vulnerabilities[Tad late]" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9904a&L=bugtraq&F=&S=&P=3201

_____

Date Reported: 1999-04-05
Vulnerability: wingate-registry-passwords
Platforms Affected: WinGate
Risk Factor: Medium

WinGate stores passwords by default in a system registry key with world
readable permissions. Combined with the weak encryption used to protect
these passwords, it is trivial for an attacker with access to the WinGate
server to gain access to them.

Reference:
BUGTRAQ Mailing List: "Multiple WinGate Vulnerabilities[Tad late]" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9904a&L=bugtraq&F=&S=&P=3201

_____

Date Reported: 1999-03-31
Vulnerability: sco-termvision-password
Platforms Affected: SCO TermVision
Risk Factor: Low

TermVision is a Windows application for connecting to and using SCO
OpenServer machines. The TermVision program by default stores users'
passwords in an insecure form within a file on the local machine. Login
access is required for a malicious user to obtain this encrypted password,
but once that access is gained, decrypting the password is trivial.

Reference:
BUGTRAQ Mailing List: "Potential vulnerability in SCO TermVision Windows
95 client" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9903e&L=bugtraq&F=&S=&P=6124

_____

Date Reported: 1999-03-31
Vulnerability: webramp-device-crash
Platforms Affected: WebRamp
Risk Factor: Medium

The WebRamp series of network devices by Ramp Networks allows small
networks to cost-effectively access the Internet through dial-up lines. A
flaw in how the WebRamp's internal HTTP server handles certain requests
could allow an attacker to cause the device to crash, requiring a manual
reset to return the device to service.

Reference:
ISS Security Advisory: "WebRamp Denial of Service Attacks"
at: http://www.iss.net/xforce/alerts/advise25.html

_____

Date Reported: 1999-03-31
Vulnerability: webramp-ipchange
Platforms Affected: WebRamp
Risk Factor: Medium

The WebRamp series of network devices by Ramp Networks allows small
networks to cost-effectively access the Internet through dial-up lines. By
sending a specially formed packet to port 5353 on the router, it has been
shown to be possible to change the device's IP address to an arbitrary
value. While network connectivity is not lost within the device, all
configurations that point to the old address will no longer be able to
access the router.

Reference:
ISS Security Advisory: "WebRamp Denial of Service Attacks"
at: http://www.iss.net/xforce/alerts/advise25.html

_____

Date Reported: 1999-03-31
Vulnerability: xylan-omniswitch-ftp
Platforms Affected: Xylan OmniSwitch
Risk Factor: Medium

Some Xylan OmniSwitches allow remote users to access the
device via FTP and gain read (and write) access to flash memory. Some
accessible files may be sensitive in nature, i.e. contain SNMP community
name strings, etc.

Reference:
BUGTRAQ Mailing List: "Xylan OmniSwitch 'features'" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9904a&L=bugtraq&F=&S=&P=185

_____

Date Reported: 1999-03-31
Vulnerability: xylan-omniswitch-login
Platforms Affected: Xylan OmniSwitch
Risk Factor: Low

Some Xylan OmniSwitches have been observed to allow logins via telnet by
users entering an arbitrary username and then a control character sequence
at the password prompt. The access compromised by this "feature" does not
allow the attacker to issue any administrative commands to the switch, but
does allow the attacker to deny further interactive logins to the device.

Reference:
BUGTRAQ Mailing List: "Xylan OmniSwitch 'features'" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9904a&L=bugtraq&F=&S=&P=185

_____


Risk Factor Key:

High     Any vulnerability that provides an attacker with immediate
         access into a machine, gains superuser access, or bypasses
         a firewall. Example: A vulnerable Sendmail 8.6.5 version
         that allows an intruder to execute commands on mail
         server.

Medium   Any vulnerability that provides information that has a
         high potential of giving system access to an intruder.
         Example: A misconfigured TFTP or vulnerable NIS server
         that allows an intruder to get the password file that
         could contain an account with a guessable password.

Low      Any vulnerability that provides information that
         potentially could lead to a compromise. Example: A
         finger that allows an intruder to find out who is online
         and potential accounts to attempt to crack passwords
         via brute force methods.


Internet Security Systems, Inc. (ISS) is the leading provider of adaptive
network security monitoring, detection and response software that protects
the security and integrity of enterprise information systems. By
dynamically detecting and responding to security vulnerabilities and
threats inherent in open systems, ISS's SAFEsuite family of products
provides protection across the enterprise, including the Internet,
extranets, and internal networks, from attacks, misuse, and security
policy violations. ISS has delivered its adaptive network security
solutions to organizations worldwide, including firms in the Global 2000,
nine of the ten largest U.S. commercial banks and over 35 governmental
agencies. For more information, call ISS at 678-443-6000 or 800-776-2362
or visit the ISS Web site at http://www.iss.net.

________

Copyright (c) 1999 by Internet Security Systems, Inc. Permission is hereby
granted for the redistribution of this Alert Summary electronically. It is
not to be edited in any way without express consent of the X-Force. If
you wish to reprint the whole or any part of this Alert Summary in any other
medium excluding electronic medium, please e-mail xforce@iss.net for
permission.

Disclaimer
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at
the user's own risk.

X-Force PGP Key available at: http://www.iss.net/xforce/sensitive.html as
well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to:
X-Force <xforce@iss.net> of Internet Security Systems, Inc.



-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

-----END PGP SIGNATURE-----
