From xforce@iss.net Wed Jun 16 16:02:00 1999
From: X-Force <xforce@iss.net>
To: alert@iss.net
Cc: X-Force <xforce@iss.net>
Date: Tue, 15 Jun 1999 22:12:31 -0400 (EDT)
Subject: ISSalert: ISS Security Alert Summary v4 n2


TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to
majordomo@iss.net  Contact alert-owner@iss.net for help with any problems!
---------------------------------------------------------------------------

-----BEGIN PGP SIGNED MESSAGE-----

ISS Security Alert Summary
June 15, 1999
Volume 4 Number 2

X-Force Vulnerability and Threat Database: http://www.iss.net/xforce To 
receive these Alert Summaries, subscribe to the ISS Alert mailing list. 
Send an email to majordomo@iss.net, and within the body of the message 
type:  'subscribe alert'.

_____

Contents

5 Reported Vulnerabilities
 - sun-rpc-statd
 - ntmail-relay
 - management-agent-file-read
 - management-agent-dos
 - http-cgi-cdomain

ExploreZip Trojan Horse Summary

Risk Factor Key

_____

Date Reported:    1999-06-07
Vulnerability:    sun-rpc-statd
Platforms Affected:  Solaris (2.3, 2.4, 2.4_x86, 2.5, 2.5_x86, 2.5.1,
         2.5.1_x86, 2.6, 2.6_x86)
Risk Factor:    High
Attack Type:    Network Based

The rpc service statd works with lockd to provide crash and recovery
functions for file locking over NFS.  A remote attacker can bypass the
access controls of statd and control other RPC services, resulting in root 
level access.

Reference:
Sun Microsystems, Inc. Security Bulletin: "rpc.statd" at:
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/186&type=0&nav=sec.sba

_____

Date Reported:    1999-06-07
Vulnerability:    ntmail-relay
Platforms Affected:  NTMail
Risk Factor:            Medium
Attack type:    Network Based

NTMail is a commercial mail server for Windows NT systems. A vulnerability
in version 3 (and maybe other versions) allows a remote user to specify a
MAIL FROM address of <>, which will bypass NTMail's anti-spam features and
allow third party mail relaying.

Reference:
NTHELP.COM: "NTMail version 3 relay problem" at:
http://www.nthelp.com/40/ntmailspam.htm

_____

Date Reported:    1999-06-07
Vulnerability:    management-agent-file-read
Platforms Affected:  Compaq Management Agent
      Compaq Survey Utility
Risk Factor:    Medium
Attack type:            Host/Network Based

The Compaq Management Agent and Compaq Survey Utility provide HTTP
services, which allow information to be accessed through a web browser.  A
vulnerability with these services that would allow a user who has
information about the machine to read a known file on the system.

Reference:
BUGTRAQ Mailing List: "Update on compaq webadmin" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9906a&L=bugtraq&F=&S=&P=6337

_____

Date Reported:    1999-06-07
Vulnerability:    management-agent-dos
Platforms Affected:  Compaq Management Agent
                        Compaq Survey Utility
Risk Factor:    Low
Attack type:            Host/Network Based

The Compaq Management Agent and Compaq Survey Utility provide HTTP
services, which allow information to be accessed through a web browser.  A
vulnerability with these services that would allow a user to force the web
service to stop responding, thus denying service. 

Reference:
BUGTRAQ Mailing List: "Update on compaq webadmin" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9906a&L=bugtraq&F=&S=&P=6337

_____

Date Reported:    1999-06-01
Vulnerability:    http-cgi-cdomain
Platforms Affected:  Common Gateway Interface (CGI)
Risk Factor:    High
Attack type:            Network Based

CDomain is a commercial CGI package that provides a Web-based gateway to
the Whois service. Versions previous to 2.5, namely the Unix versions
formerly distributed for free, contain a vulnerability in the
whois_raw.cgi component that could allow a remote attacker to execute
commands with the privileges of the server process.

Reference:
BUGTRAQ Mailing List: "whois_raw.cgi problem" at:
http://www.netspace.org/cgi-bin/wa?A2=ind9906a&L=bugtraq&F=&S=&P=409

_____

Date Reported:    1999-06-10
Vulnerability:    ExploreZip Trojan Horse
Platforms Affected:  Windows 95/98
      Windows NT
Risk Factor:    High

ExploreZip is a trojan horse or worm type program that infects Windows
systems through e-mail attachments.  It appears as a WinZip icon in the
e-mail attachment and once run, will target Microsoft Office type files
and source code files for deletion.

Reference:
CERT/CC: "CERT® Advisory CA-99-06-explorezip" at:
http://www.cert.org/advisories/CA-99-06-explorezip.html

_____


Risk Factor Key:

        High    Any vulnerability that provides an attacker with immediate
                access into a machine, gains superuser access, or bypasses
                a firewall.  Example:  A vulnerable Sendmail 8.6.5 version
                that allows an intruder to execute commands on mail
                server.
        Medium  Any vulnerability that provides information that has a
                high potential of giving system access to an intruder.
                Example: A misconfigured TFTP or vulnerable NIS server
                that allows an intruder to get the password file that
                could contain an account with a guessable password.
        Low     Any vulnerability that provides information that
                potentially could lead to a compromise.  Example:  A
                finger that allows an intruder to find out who is online
                and potential accounts to attempt to crack passwords
                via brute force methods.


ISS is the pioneer and leading provider of adaptive network security
software delivering enterprise-wide information protection solutions. ISS'
award-winning SAFEsuite family of products enables information risk
management within intranet, extranet and electronic commerce environments.
By combining proactive vulnerability detection with real-time intrusion
detection and response, ISS' adaptive security approach creates a flexible
cycle of continuous security improvement, including security policy
implementation and enforcement. ISS SAFEsuite solutions strengthen the
security of existing systems and have dramatically improved the security
posture for organizations worldwide, making ISS a trusted security advisor
for firms in the Global 2000, 21 of the 25 largest U.S. commercial banks
and over 35 governmental agencies. For more information, call ISS at
678-443-6000 or 800-776-2362 or visit the ISS Web site at www.iss.net.


________

Copyright (c) 1999 by Internet Security Systems, Inc.  Permission is hereby 
granted for the redistribution of this Alert Summary electronically.  It is 
not to be edited in any way without express consent of the X-Force.  If
you wish to reprint the whole or any part of this Alert Summary in any other 
medium excluding electronic medium, please e-mail xforce@iss.net for 
permission.

Disclaimer
The information within this paper may change without notice. Use of this 
information constitutes acceptance for use in an AS IS condition. There are 
NO warranties with regard to this information. In no event shall the author 
be liable for any damages whatsoever arising out of or in connection with 
the use or spread of this information. Any use of this information is at 
the user's own risk.

X-Force PGP Key available at:   http://www.iss.net/xforce/sensitive.html as 
well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to:
X-Force <xforce@iss.net> of Internet Security Systems, Inc.


-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBN2cHPzRfJiV99eG9AQEXtwP/cBvvKY8eoXLRUMxDerIAsnF3Ctf/SYzz
ANLglEcbpWoCBLvcGD126dgxpSeq0VHJFk0UGkWNUYqGGXgSiz/83FL+Gkv8auQC
nK5x7PeMD5R5UGrHLhxJkT3MWyD+P9TZgxtGsTvRuxukwA5Hf0am6mKca+F2y2rs
BOTDmeBUveo=
=n4WZ
-----END PGP SIGNATURE-----