From mieko@ccuec.unicamp.br Thu Mar 6 08:54:36 2003
From: mieko@ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Thu, 06 Mar 2003 08:54:36 -0300
Subject: [SECURITY-L] CERT Advisory CA-2003-07 Remote Buffer Overflow in Sendmail
Message-ID: <3E6736FC.3A5B9DE1@ccuec.unicamp.br>

Subject: CERT Advisory CA-2003-07 Remote Buffer Overflow in Sendmail
Date: Mon, 3 Mar 2003 13:07:24 -0500
From: CERT Advisory
Organization: CERT(R) Coordination Center - +1 412-268-7090
To: cert-advisory@cert.org

-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2003-07 Remote Buffer Overflow in Sendmail

Original release date: March 3, 2003
Last revised: --
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

 * Sendmail Pro (all versions)
 * Sendmail Switch 2.1 prior to 2.1.5
 * Sendmail Switch 2.2 prior to 2.2.5
 * Sendmail Switch 3.0 prior to 3.0.3
 * Sendmail for NT 2.X prior to 2.6.2
 * Sendmail for NT 3.0 prior to 3.0.3
 * Systems running open-source sendmail versions prior to 8.12.8, including UNIX and Linux systems

Overview

There is a vulnerability in sendmail that may allow remote attackers to gain the privileges of the sendmail daemon, typically root.

I. Description

Researchers at Internet Security Systems (ISS) have discovered a remotely exploitable vulnerability in sendmail. This vulnerability could allow an intruder to gain control of a vulnerable sendmail server.

Most organizations have a variety of mail transfer agents (MTAs) at various locations within their network, with at least one exposed to the Internet. Since sendmail is the most popular MTA, most medium-sized to large organizations are likely to have at least one vulnerable sendmail server. In addition, many UNIX and Linux workstations provide a sendmail implementation that is enabled and running by default.

This vulnerability is message-oriented as opposed to connection-oriented.
That means that the vulnerability is triggered by the contents of a specially-crafted email message rather than by lower-level network traffic. This is important because an MTA that does not contain the vulnerability will pass the malicious message along to other MTAs that may be protected at the network level. In other words, vulnerable sendmail servers on the interior of a network are still at risk, even if the site's border MTA uses software other than sendmail. Also, messages capable of exploiting this vulnerability may pass undetected through many common packet filters or firewalls.

Sendmail has indicated to the CERT/CC that this vulnerability has been successfully exploited in a laboratory environment. We do not believe that this exploit is available to the public. However, this vulnerability is likely to draw significant attention from the intruder community, so the probability of a public exploit is high.

A successful attack against an unpatched sendmail system will not leave any messages in the system log. However, on a patched system, an attempt to exploit this vulnerability will leave the following log message:

    Dropped invalid comments from header address

Although this does not represent conclusive evidence of an attack, it may be useful as an indicator. A patched sendmail server will drop invalid headers, thus preventing downstream servers from receiving them.

The CERT/CC is tracking this issue as VU#398025. This reference number corresponds to CVE candidate CAN-2002-1337. For more information, please see

    http://www.sendmail.org
    http://www.sendmail.org/8.12.8.html
    http://www.sendmail.com/security/
    http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21950
    http://www.kb.cert.org/vuls/id/398025

II. Impact

Successful exploitation of this vulnerability may allow an attacker to gain the privileges of the sendmail daemon, typically root.
Even vulnerable sendmail servers on the interior of a given network may be at risk since the vulnerability is triggered from the contents of a malicious email message.

III. Solution

Apply a patch from Sendmail

Sendmail has produced patches for versions 8.9, 8.10, 8.11, and 8.12. However, the vulnerability also exists in earlier versions of the code; therefore, site administrators using an earlier version are encouraged to upgrade to 8.12.8. These patches are located at

    ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.security.cr.patch
    ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.security.cr.patch
    ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.9.3.security.cr.patch

Apply a patch from your vendor

Many vendors include vulnerable sendmail servers as part of their software distributions. We have notified vendors of this vulnerability and recorded their responses in the systems affected section of VU#398025. Several vendors have provided a statement for direct inclusion in this advisory; these statements are available in Appendix A.

Enable the RunAsUser option

There is no known workaround for this vulnerability. Until a patch can be applied, you may wish to set the RunAsUser option to reduce the impact of this vulnerability. As a good general practice, the CERT/CC recommends limiting the privileges of an application or service whenever possible.

Appendix A. - Vendor Information

This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.

Apple Computer, Inc.

Security Update 2003-03-03 is available to fix this issue. Packages are available for Mac OS X 10.1.5 and Mac OS X 10.2.4. It should be noted that sendmail is not enabled by default on Mac OS X, so only those systems which have explicitly enabled it are susceptible to the vulnerability.
All customers of Mac OS X, however, are encouraged to apply this update to their systems.

Avaya, Inc.

Avaya is aware of the vulnerability and is investigating impact. As new information is available this statement will be updated.

BSD/OS

Wind River Systems has created patches for this problem which are available from the normal locations for each release. The relevant patches are M500-006 for BSD/OS version 5.0 or the Wind River Platform for Server Appliances 1.0, M431-002 for BSD/OS 4.3.1, or M420-032 for BSD/OS 4.2 systems.

Cisco Systems

Cisco is investigating this issue. If we determine any of our products are vulnerable that information will be available at:

    http://www.cisco.com/go/psirt

Cray Inc.

The code supplied by Cray, Inc. in Unicos, Unicos/mk, and Unicos/mp may be vulnerable. Cray has opened SPRs 724749 and 724750 to investigate. Cray, Inc. is not vulnerable for the MTA systems.

Hewlett-Packard Company

SOURCE: Hewlett-Packard Company
HP Services Software Security Response Team
x-ref: SSRT3469 sendmail

HP will provide notice of the availability of patches through standard security bulletin announcements and be available from your normal HP Services support channel.

IBM Corporation

The AIX operating system is vulnerable to the sendmail issues discussed in releases 4.3.3, 5.1.0 and 5.2.0. A temporary patch is available through an efix package which can be found at

    ftp://ftp.software.ibm.com/aix/efixes/security/sendmail_efix.tar.Z

IBM will provide the following official fixes:

    APAR number for AIX 4.3.3: IY40500 (available approx. 03/12/2003)
    APAR number for AIX 5.1.0: IY40501 (available approx. 04/28/2003)
    APAR number for AIX 5.2.0: IY40502 (available approx. 04/28/2003)

Openwall GNU/*/Linux

Openwall GNU/*/Linux is not vulnerable. We use Postfix as the MTA, not sendmail.

Red Hat Inc.

Updated sendmail packages that are not vulnerable to this issue are available for Red Hat Linux, Red Hat Advanced Server, and Red Hat Advanced Workstation.
Red Hat Network users can update their systems using the 'up2date' tool.

    Red Hat Linux:
    http://rhn.redhat.com/errata/RHSA-2003-073.html

    Red Hat Linux Advanced Server, Advanced Workstation:
    http://rhn.redhat.com/errata/RHSA-2003-074.html

SGI

SGI acknowledges VU#398025 reported by CERT and has released an advisory to address the vulnerability on IRIX. Refer to SGI Security Advisory 20030301-01-P available from

    ftp://patches.sgi.com/support/free/security/advisories/20030301-01-P

or http://www.sgi.com/support/security/.

The Sendmail Consortium

The Sendmail Consortium suggests that sites upgrade to 8.12.8 if possible. Alternatively, patches are available for 8.9, 8.10, 8.11, and 8.12 on http://www.sendmail.org/

Sendmail, Inc.

All commercial releases including Sendmail Switch, Sendmail Advanced Message Server (which includes the Sendmail Switch MTA), Sendmail for NT, and Sendmail Pro are affected by this issue. Patch information is available at http://www.sendmail.com/security.

_________________________________________________________________

Our thanks to Internet Security Systems, Inc. for discovering this problem, and to Eric Allman, Claus Assmann, and Greg Shapiro of Sendmail for notifying us of this problem. We thank both groups for their assistance in coordinating the response to this problem.

_________________________________________________________________

Authors: Jeffrey P. Lanza and Shawn V. Hernan

______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2003-07.html

______________________________________________________________________

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
    CERT Coordination Center
    Software Engineering Institute
    Carnegie Mellon University
    Pittsburgh PA 15213-3890
    U.S.A.
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

    http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site

    http://www.cert.org/

To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message

    subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.

______________________________________________________________________

NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

_________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2003 Carnegie Mellon University.
Revision History

    Mar 03, 2003: Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBPmOZEWjtSoHZUTs5AQGNUwP/YC0aRMqrFoLxUjG9pZIOBb98z8BFPfTW
w/5u09rcW7WpH52XGaOWbu9PYtnLKtPaMrwevc38r6ILvZywasxdpUcUtR4W9XPZ
9EW4LYB1EaU81PLpzkQXWkVAhlX4vgHTU75oEcjfsacxXHlxtMYM1JpmyO8gvlnl
pD4vLdvJqHE=
=PfHu
-----END PGP SIGNATURE-----

From mieko@ccuec.unicamp.br Thu Mar 6 09:14:10 2003
From: mieko@ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Thu, 06 Mar 2003 09:14:10 -0300
Subject: [SECURITY-L] CAIS-Alerta: Remote Buffer Overflow in Sendmail
Message-ID: <3E673B92.27E3F55A@ccuec.unicamp.br>

Subject: CAIS-Alerta: Remote Buffer Overflow in Sendmail
Date: Mon, 3 Mar 2003 20:11:17 -0300 (BRT)
From: Centro de Atendimento a Incidentes de Seguranca
To: rnp-alerta@cais.rnp.br, rnp-seg@cais.rnp.br

Dear all,

CAIS is relaying the alert released today by CERT/CC, "CERT Advisory CA-2003-07 Remote Buffer Overflow in Sendmail", concerning a buffer overflow vulnerability that could be exploited remotely by an attacker, giving them privileged access to the system (essentially "root" or superuser access).

Sendmail is very probably the most widely used MTA (Mail Transfer Agent) on the Internet (it has been documented as running between 50 and 75% of e-mail servers). Add to this the fact that, because of their public nature, these servers are highly exposed and entirely beyond the reach of any protection by firewalls and/or packet filters, and the impact of exploiting this vulnerability becomes even greater.

Thus, although there is no indication that a publicly available exploit for this vulnerability exists, CAIS strongly recommends that administrators update their systems **urgently**, given the severity of the reported problem.

* Affected systems:

  . Sendmail Pro (all versions)
  . Sendmail Switch 2.1 prior to 2.1.5
  . Sendmail Switch 2.2 prior to 2.2.5
  . Sendmail Switch 3.0 prior to 3.0.3
  . Sendmail for NT 2.X prior to 2.6.2
  . Sendmail for NT 3.0 prior to 3.0.3
  . Systems running open-source sendmail versions prior to 8.12.8, including UNIX and Linux systems

* Available fixes:

Upgrading to version 8.12.8, or applying the patch for 8.12.x (or earlier) systems, is recommended. The updates can be obtained at the following URL:

  http://www.sendmail.org/8.12.8.html

Those using commercial versions of Sendmail are advised to contact their vendor to obtain a fix.

* Further information:

  http://www.cert.org/advisories/CA-2003-07.html
  http://www.sendmail.org
  http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21950
  http://www.kb.cert.org/vuls/id/398025

* CVE identifier:

The CVE project (http://cve.mitre.org), which standardizes names for security problems, has assigned the name CAN-2002-1337 to this vulnerability.

Regards,

################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA / RNP        #
#                                                              #
# cais@cais.rnp.br              http://www.cais.rnp.br         #
# Tel. 019-37873300             Fax. 019-37873301              #
# PGP key available at: http://www.cais.rnp.br/cais-pgp.key    #
################################################################

----- Forwarded message from CERT Coordination Center -----

Date: Mon, 3 Mar 2003 13:05:55 -0500
From: CERT Coordination Center
Organization: CERT(R) Coordination Center - +1 412-268-7090
Subject: CERT Advisory CA-2003-07 Remote Buffer Overflow in Sendmail

CERT Advisory CA-2003-07 Remote Buffer Overflow in Sendmail

Original release date: March 3, 2003
Last revised: --
Source: CERT/CC

A complete revision history can be found at the end of this file.
[Forwarded copy of CA-2003-07 omitted here: its text is identical to the advisory reproduced in the preceding message.]
----- End forwarded message -----

------------ Output from pgp ------------
Pretty Good Privacy(tm) Version 6.5.8
(c) 1999 Network Associates Inc.
Uses the RSAREF(tm) Toolkit, which is copyright RSA Data Security, Inc.
Export of this software may be restricted by the U.S. government.

File is signed.  Good signature from user "CERT Coordination Center ".
Signature made 2003/03/03 18:04 GMT

WARNING:  Because this public key is not certified with a trusted
signature, it is not known with high confidence that this public key
actually belongs to: "CERT Coordination Center ".
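The CERT advisory above (reproduced in the first message and forwarded in the second) gives a responder two concrete things to act on: the "Dropped invalid comments from header address" line that only a patched sendmail logs, and the advice to set RunAsUser while waiting for a patch. The triage helper below is an added example written for this page; it is not CERT, Sendmail or CAIS code. It assumes the usual syslog layout of sendmail's maillog lines (timestamp, host, sendmail[pid], queue id, message), that `sendmail -d0.1 -bv root < /dev/null` prints `Version x.y.z` on its first line, and that sendmail.cf carries the option as an `O RunAsUser=` line. The sample log lines, version banner and configuration fragments are constructed, not captured from a real host.

```python
"""Triage helper for CA-2003-07 / CAN-2002-1337.

Added example for this page, not CERT, Sendmail or CAIS code.  Assumptions:
  - maillog lines follow the usual syslog layout
    "Mon DD HH:MM:SS host sendmail[pid]: queueid: message";
  - `sendmail -d0.1 -bv root < /dev/null` prints "Version x.y.z" first;
  - sendmail.cf carries the option as a line starting "O RunAsUser=".
All sample inputs below are constructed, not captured from a real host.
"""
import re

# The log line the advisory says a *patched* sendmail emits when it strips a
# malformed header address.  Its presence is an indicator, not proof of attack;
# an unpatched server logs nothing at all.
INDICATOR = "Dropped invalid comments from header address"

# First open-source release that contains the fix, per the advisory.
FIXED_OPEN_SOURCE = (8, 12, 8)

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) sendmail\[\d+\]: "
    r"(?P<qid>[A-Za-z0-9]+): (?P<msg>.*)$"
)


def find_indicator_events(lines):
    """Return (timestamp, host, queue_id) for every line carrying INDICATOR."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and INDICATOR in m.group("msg"):
            hits.append((m.group("ts"), m.group("host"), m.group("qid")))
    return hits


def sending_relay(lines, qid):
    """Relay= field of the from= line sharing the queue id, so a hit can be
    traced to the host that handed the message in.  None if not logged."""
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("qid") == qid and "from=" in m.group("msg"):
            r = re.search(r"relay=([^\s,]+)", m.group("msg"))
            if r:
                return r.group(1)
    return None


def parse_version(banner):
    """(major, minor, patch) from the first 'Version x.y.z' in the banner."""
    m = re.search(r"Version (\d+)\.(\d+)\.(\d+)", banner)
    return tuple(int(x) for x in m.groups()) if m else None


def needs_patch_review(version):
    """True when an open-source sendmail version predates 8.12.8.  Vendor builds
    often backport the fix without bumping the version, so True means 'check
    the vendor errata', not 'confirmed vulnerable'."""
    return version is not None and version < FIXED_OPEN_SOURCE


def run_as_user(cf_text):
    """Value of RunAsUser in sendmail.cf, or None when unset (daemon stays
    root).  Commented-out lines ('#O RunAsUser=...') do not count."""
    for line in cf_text.splitlines():
        m = re.match(r"^O\s*RunAsUser\s*=\s*(\S+)", line)
        if m:
            return m.group(1)
    return None


# Constructed sample data (RFC 5737 documentation addresses).
SAMPLE_MAILLOG = [
    "Mar  3 13:07:24 mx1 sendmail[4711]: h23I7OXX004711: from=<bob@example.net>, "
    "size=2048, class=0, nrcpts=1, msgid=<x@example.net>, proto=ESMTP, daemon=MTA, "
    "relay=mail.example.net [192.0.2.10]",
    "Mar  3 13:07:24 mx1 sendmail[4711]: h23I7OXX004711: " + INDICATOR,
    "Mar  3 13:07:25 mx1 sendmail[4711]: h23I7OXX004711: to=<alice@example.org>, "
    "delay=00:00:01, xdelay=00:00:00, mailer=local, pri=32048, dsn=2.0.0, stat=Sent",
    "Mar  3 13:09:01 mx1 sendmail[4720]: h23I91YY004720: from=<carol@example.com>, "
    "size=512, class=0, nrcpts=1, msgid=<y@example.com>, proto=ESMTP, daemon=MTA, "
    "relay=smtp.example.com [198.51.100.7]",
]
SAMPLE_BANNER = "Version 8.12.7\n Compiled with: DNSMAP LOG MATCHGECOS MILTER NAMED_BIND\n"
SAMPLE_CF_UNSET = "# O RunAsUser=mailnull\nO PrivacyOptions=authwarnings,novrfy,noexpn\n"
SAMPLE_CF_SET = "O RunAsUser=mailnull\nO PrivacyOptions=authwarnings,novrfy,noexpn\n"


def triage(lines, banner, cf_text):
    """Summarise the three checks as one dict."""
    version = parse_version(banner)
    return {
        "indicator_hits": [(ts, host, qid, sending_relay(lines, qid))
                           for ts, host, qid in find_indicator_events(lines)],
        "version": version,
        "needs_patch_review": needs_patch_review(version),
        "run_as_user": run_as_user(cf_text),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_MAILLOG, SAMPLE_BANNER, SAMPLE_CF_UNSET).items():
        print(f"{key}: {value}")
```

On a real host, feed `find_indicator_events` the lines of /var/log/maillog (or wherever syslog sends the mail facility), `parse_version` the output of `sendmail -d0.1 -bv root < /dev/null`, and `run_as_user` the contents of /etc/mail/sendmail.cf. Two caveats the advisory itself implies: the indicator only ever appears on a patched server, so its absence says nothing about an unpatched one; and backported vendor fixes (the Red Hat, SGI and IBM errata in Appendix A are of this kind) generally keep the old version string, so a "needs review" result must be settled against the vendor's errata rather than the version number alone. RunAsUser (confRUN_AS_USER in the m4 configuration) makes the daemon drop to that user for reading and delivering mail, which the sendmail documentation describes as intended for firewall or relay hosts; on a machine that delivers to local user mailboxes it will break delivery, so it is a containment measure for relays, not a substitute for the patch.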
From mieko@ccuec.unicamp.br Thu Mar 6 09:17:06 2003
From: mieko@ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Thu, 06 Mar 2003 09:17:06 -0300
Subject: [SECURITY-L] SANS Alert - Critical Vulnerability in Sendmail and a Snort Vulnerability
Message-ID: <3E673C42.B8CDEFC4@ccuec.unicamp.br>

Subject: SANS Alert - Critical Vulnerability in Sendmail and a Snort Vulnerability
Date: Mon, 3 Mar 2003 15:40:46 -0700 (MST)
From: The SANS Institute

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SANS Alert 2003-03-03
Critical vulnerability in all versions of SENDMAIL
Plus a Snort Vulnerability
And an invitation to a web broadcast on the vulnerabilities

The Sendmail Vulnerability

What systems are affected? UNIX and Linux Systems running sendmail - probably even those that are not mail servers.

Level: CRITICAL - affords root or superuser access when sendmail is running with those privileges.

A new critical vulnerability has been discovered in Sendmail. The UNIX and Linux vendors have been working feverishly to get a patch ready and most are available now. Sendmail is too big a target for attackers to ignore, so it makes sense to act immediately to protect your systems.

In this note you will find:

(1) The invitation to the webcast covering both vulnerabilities
(2) DHS/NIPC Advisory 03-004 Remote Sendmail Header Processing Vulnerability
(3) A description of what government and industry did to try to mitigate damage from this newly discovered vulnerability.
(4) The Department of Homeland Security Alert on the Snort Vulnerability

********************************************************

SANS Web Broadcast (free) on the Sendmail Vulnerability and the Snort Vulnerability

Date: March 3, 2003 (today)
Time: 7 PM EST (0000 UTC)
Register at: http://www.sans.org/webcasts/030303.php

There is an absolute limit of 2,000 people on the live program to ensure quality audio, but the archive will be available about 5 hours later for anyone who does not get a reservation.

Featuring the ISS X-Force folks (ISS discovered the vulnerability), Hal Pomeranz (sendmail expert) and Marty Roesch, author of Snort, who will brief you on the Snort vulnerability.

Below you'll find the Department of Homeland Security advisory followed by a brief description of what happened behind the scenes inside the government followed by the DHS Snort vulnerability alert.

***********************************************************************

Here's the DHS/NIPC Advisory

Remote Sendmail Header Processing Vulnerability

SUMMARY:

The Department of Homeland Security (DHS), National Infrastructure Protection Center (NIPC) is issuing this advisory to heighten awareness of the recently discovered Remote Sendmail Header Processing Vulnerability (CAN-2002-1337). NIPC has been working closely with the industry on vulnerability awareness and information dissemination.

The Remote Sendmail Header Processing Vulnerability allows local and remote users to gain almost complete control of a vulnerable Sendmail server. Attackers gain the ability to execute privileged commands using super-user (root) access/control. This vulnerability can be exploited through a simple e-mail message containing malicious code. Sendmail is the most commonly used Mail Transfer Agent and processes an estimated 50 to 75 percent of all Internet e-mail traffic. System administrators should be aware that many Sendmail servers are not typically shielded by perimeter defense applications.

A successful attacker could install malicious code, run destructive programs and modify or delete files. Additionally, attackers may gain access to other systems through a compromised Sendmail server, depending on local configurations. Sendmail versions 5.2 up to 8.12.8 are known to be vulnerable at this time.

DESCRIPTION:

The Remote Sendmail Header Processing Vulnerability is exploited during the processing and evaluation of e-mail header fields collected during an SMTP transaction.
Examples of these header fields are the "To", "From" and "CC" lines. The crackaddr() function in the Sendmail headers.c file allows Sendmail to evaluate whether a supplied address or list of addresses contained in the header fields is valid. Sendmail uses a static buffer to store processed data. It detects when the static buffer becomes full and stops adding characters. However, Sendmail continues processing data, and several security checks are used to ensure that characters are parsed correctly. The vulnerability allows a remote attacker to gain access to the Sendmail server by sending an e-mail containing a specially crafted address field which triggers a buffer overflow.

RECOMMENDATION:

Due to the seriousness of this vulnerability, the NIPC is strongly recommending that system administrators who employ Sendmail take this opportunity to review the security of their Sendmail software and to either upgrade to Sendmail 8.12.8 or apply the appropriate patch for older versions as soon as possible. Patches for the vulnerability are available from Sendmail, from ISS, who discovered the vulnerability, and from vendors whose applications incorporate Sendmail code, including IBM, HP, SUN, Apple and SGI. Other vendors will release patches in the near future.

The primary distribution site for Sendmail is: http://www.sendmail.org

Patches and information are also available from the following sites:

The ISS Download center: http://www.iss.net/download
IBM Corporation: http://www.ibm.com/support/us/
Hewlett-Packard Co.: http://www.hp.com
Silicon Graphics Inc.: http://www.sgigate.sgi.com
Apple Computer, Inc.: http://www.apple.com/
Sun Microsystems, Inc.: http://www.sun.com/service/support/
Common Vulnerabilities and Exposures (CVE) Project: http://CVE.mitre.org

As always, computer users are advised to keep their anti-virus and systems software current by checking their vendor's web sites frequently for new updates and to check for alerts put out by the DHS/NIPC, CERT/CC, ISS and other cognizant organizations.

The DHS/NIPC encourages recipients of this advisory to report computer intrusions to their local FBI office (http://www.fbi.gov/contact/fo/fo.htm) and other appropriate authorities. Recipients may report incidents online to http://www.nipc.gov/incident/cirr.htm. The DHS/NIPC Watch and Warning Unit can be reached at (202) 323-3204/3205/3206 or nipc.watch em fbi.gov.

==== Background on government/industry cooperation to mitigate damage

The Sendmail Vulnerability Announced Today, March 3, 2003
How Well Did The Cyber Defense Community Do?

Today, hundreds of thousands of people learned of a vulnerability in the sendmail program which is widely used for Internet mail handling. A vulnerability in such a widely used open source software program presents difficult challenges for the cyber defense community - including the need to get more than twenty different software organizations to act quickly and silently to develop patches. Three primary actions are required to respond effectively to such a vulnerability:

1. Verify that the vulnerability exists and is important.

2. Contact the key technical personnel at each of the software companies and other groups that distribute sendmail (either alone or with other software) and ensure that they develop and test patches and make them ready for widespread distribution.

3. Plan and execute an early warning and distribution strategy that enables critical infrastructure organizations in the US and in partner countries to be prepared for rapid deployment of the patches once they are ready. This must be accomplished without leaking data about the vulnerability to the black hat community that exploits such vulnerabilities by creating worms like Code Red, Slapper, and Slammer.

When possible, several other actions may be appropriate:

4. Provide military and other very sensitive organizations with early access to the patches so their systems can be protected even before public disclosure of the vulnerability.

5. Use sensor networks with smart filters to test for exploitation.

6. Develop and distribute filters that can block the offending packets to protect systems that cannot or will not install patches immediately.

On Saturday, March 1, 2003, the US Department of Homeland Security became fully operational, although the elements of the new department had been working together for several weeks. In cybersecurity, the new Department brings together four highly visible cybersecurity agencies: (1) The National Infrastructure Protection Center from the FBI, (2) FedCIRC from the General Services Administration, (3) the National Communications System program from the US Department of Defense, and (4) the Critical Infrastructure Assurance Office from the Department of Commerce.

Today's disclosure of a vulnerability in sendmail offers the opportunity to see how quickly and effectively the cyber defense community, led by this new Department, can respond to important threats. Sendmail's vulnerability offers a legitimate test because sendmail handles a large amount of Internet mail traffic and is installed on at least 1.5 million Internet-connected systems. More than half of the large ISPs and Fortune 500 companies use sendmail, as do tens of thousands of other organizations.
A security hole in sendmail affects a lot of people and demands their immediate attention. You can draw your own conclusion on how well the problem is being handled. Here are the facts:

1. On Friday, February 14, telephone calls to the Department of Homeland Security (DHS) and the White House Office of Cyberspace Security alerted the US government to a suspected sendmail vulnerability. The source of the data was Internet Security Systems (ISS), a well-respected security firm with solid security research credentials, giving the data an initial base level of credibility. However, to be more certain, DHS technical experts reviewed the details of the vulnerability and especially the tests that ISS had run to prove the existence and severity of the vulnerability. They were convinced.

2. Almost immediately the DHS/White House team, working with ISS, contacted vendors that distribute sendmail, including Sun, IBM, HP, and SGI, as well as the Sendmail Consortium, the organization that develops the open source version of sendmail that is the core of sendmail distributed with both free and commercial operating systems. Partially because of government involvement, but primarily because the vulnerability involved the widely used sendmail package, the vendors immediately started working together on patches.

3. The DHS/White House staff contacted and shared what they knew with the US Department of Defense and the Federal CIO Council. Through the Federal CIO Council, the US FedCIRC and US Office of Management and Budget were added to the coordinating team. Together the government planners, ISS, and the vendors developing patches worked out a plan for public dissemination of the vulnerability information and patch distribution.

4. To help ensure that the open source LINUX and BSD distributions (Red Hat, SUSE, OpenBSD, etc.) developed patches, the Computer Emergency Response Team at Carnegie Mellon University (CERT/CC) was brought into the project. CERT/CC deployed its formalized process to inform the LINUX and BSD distribution developers and to assist them in getting the corrected source code and any additional knowledge needed to create the patch. CERT/CC (which is funded, in part, by two organizations being merged into DHS and by the DoD) also created an advisory to educate system administrators and the security community in general on the vulnerability, on which systems are affected, and on where to get the patches for each affected system.

5. Some of the large commercial vendors developed the patches very quickly, but the delayed notice to smaller sources of sendmail distributions and limited resources at those organizations meant that not all the patches would be ready by early in the week of February 23. The coordinating group faced a decision of whether to release data about the exploit before most patches were ready or to wait. The answer depended on whether they had reason to believe an exploit was already being used by attackers. They had two sources of information that led them to conclude waiting an extra week was acceptable. First, people who monitored the hacker discussion groups reported that this vulnerability did not seem to be one that was being discussed. Second, the organization that discovered the vulnerability, ISS, had deployed sensors for the exploit in a number of places around the world. Those sensors were showing no exploits. Based on both sets of data, the coordination group decided to schedule the announcement for Monday, March 3. A second-order reason to schedule a Monday announcement was that some members of the team believed that Monday-Tuesday announcements generate more rapid and complete patching than announcements made late in the week.

6. Since some of the patches were ready, the coordination group decided to provide what was available to the US DoD so that military sites could have the protection as early as possible.
The military distributions took place on or around February 25 and 26.

7. On February 27 and 28, government groups in the US and in several other countries were given early warnings, without details about how the vulnerability could be exploited, to help them plan for rapid deployment of the patches when they were released on March 3. In addition to the Chief Information Officers of US Cabinet level departments, and the directors or deputy directors of national cyber security offices in several other countries, the officers of the critical infrastructure Information Sharing And Analysis Centers (ISACs) were also briefed so they could be ready for rapid information distribution to commercial organizations, such as banks and utilities, that comprise the critical infrastructure.

8. On March 3, beginning about 10 am EST, alerts began flowing to federal agencies from FedCIRC and to the critical infrastructure companies from the ISACs. At noon, ISS released their advisory, followed by CERT/CC's general release. Once the data was public, the SANS Institute also issued a release and scheduled free web-based education programs.

==== DHS/NIPC Advisory 03-003 Snort Buffer Overflow Vulnerability

The Department of Homeland Security (DHS), National Infrastructure Protection Center (NIPC) has been informed of a recently discovered serious vulnerability in Snort, a widely used Intrusion Detection System (IDS). DHS/NIPC has been working closely with the Internet security industry on vulnerability awareness and is issuing this advisory in conjunction with public announcements.

Snort is available in open source and commercial versions from Sourcefire, a privately held company headquartered in Columbia, MD. Details are available from Sourcefire. See Snort Vulnerability Advisory [SNORT-2003-001]. The affected Snort versions include all versions of Snort from version 1.8 through current. Snort 1.9.1 has been released to resolve this issue.

The vulnerability was discovered by Internet Security Systems (ISS), and is a buffer overflow in the Snort Remote Procedure Call (RPC) normalization routines. This buffer overflow can cause Snort to execute arbitrary code embedded within sniffed network packets. Depending upon the particular implementation of Snort, this may give local and remote users almost complete control of a vulnerable machine. The vulnerable code is enabled by default. Mitigation instructions for immediate protection prior to installing patches or upgrading are described in the Snort Vulnerability Advisory.

Due to the seriousness of this vulnerability, the DHS/NIPC strongly recommends that system administrators or security managers who employ Snort take this opportunity to review their security procedures and patch or upgrade software with known vulnerabilities. Sourcefire has acquired additional bandwidth and hosting to aid users wishing to upgrade their Snort implementation. Further information can be found at: http://www.sourcefire.com/

As always, computer users are advised to keep their anti-virus and systems software current by checking their vendor's web sites frequently for new updates and to check for alerts put out by the DHS/NIPC, CERT/CC, ISS and other cognizant organizations.

The DHS/NIPC encourages recipients of this advisory to report computer intrusions to their local FBI office (http://www.fbi.gov/contact/fo/fo.htm) and other appropriate authorities. Recipients may report incidents online to http://www.nipc.gov/incident/cirr.htm. The DHS/NIPC Watch and Warning Unit can be reached at (202) 323-3204/3205/3206 or nipc.watch em fbi.gov.
== end ==

From mieko em ccuec.unicamp.br Thu Mar 6 09:22:40 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Thu, 06 Mar 2003 09:22:40 -0300
Subject: [SECURITY-L] [S] Translation: CERT Advisory CA-2003-07 Remote "Buffer Overflow" in Sendmail
Message-ID: <3E673D90.5FEFD79E@ccuec.unicamp.br>

Subject: [S] Translation: CERT Advisory CA-2003-07 Remote "Buffer Overflow" in Sendmail
Date: Mon, 3 Mar 2003 19:58:08 -0300
From: Cristine Hoepers
Reply-To: seguranca em pangeia.com.br
To: seguranca em pangeia.com.br

[http://www.nbso.nic.br/certcc/advisories/CA-2003-07-br.html]

-----BEGIN PGP SIGNED MESSAGE-----

_________________________________________________________________________
NBSO - NIC BR Security Office
CG-I.br - Comitê Gestor da Internet no Brasil
PGP key: http://www.nbso.nic.br/pgp/nbso em nic.br.asc
Translation of the CERT/CC Advisories, with special permission from the Software Engineering Institute (SEI).
_________________________________________________________________________

CERT Advisory CA-2003-07 Remote "Buffer Overflow" in Sendmail

Original release date: March 3, 2003
Last revised: --
Source: CERT/CC

A complete revision history can be found at the end of this document.

Systems Affected

* Sendmail Pro (all versions)
* Sendmail Switch 2.1, versions prior to 2.1.5
* Sendmail Switch 2.2, versions prior to 2.2.5
* Sendmail Switch 3.0, versions prior to 3.0.3
* Sendmail for NT 2.X, versions prior to 2.6.2
* Sendmail for NT 3.0, versions prior to 3.0.3
* Systems running "open-source" versions of sendmail prior to 8.12.8, including UNIX and Linux systems

Overview

There is a vulnerability in sendmail that may allow remote attackers to gain the privileges of the sendmail "daemon", typically root.

I. Description

Researchers at Internet Security Systems (ISS) have discovered a vulnerability in sendmail that can be exploited remotely. This vulnerability may allow an attacker to gain control of a vulnerable sendmail server.

Most organizations have several MTAs (mail transfer agents) at various locations within their network, with at least one of them exposed to the Internet. Since sendmail is the most popular MTA, a good portion of medium to large organizations probably have at least one vulnerable sendmail server. In addition, many UNIX and Linux workstations ship with a sendmail implementation enabled and running in their default installation.

This vulnerability is message-oriented, as opposed to connection-oriented. This means that the vulnerability is triggered by the contents of a specially crafted email message, rather than by low-level network traffic. This is important because an MTA that does not have the vulnerability will pass the malicious message along to other MTAs that may be protected at the network level. In other words, vulnerable sendmail servers in the interior of a network are at risk even if the border MTA servers use software other than sendmail. Moreover, messages capable of exploiting this vulnerability may pass undetected through many firewalls or packet filters.

Sendmail informed the CERT/CC that this vulnerability has been successfully exploited in a laboratory environment. We do not believe that this "exploit" is available to the public. However, this vulnerability will probably draw the attention of the intruder community, so the probability of a public "exploit" appearing is high.

A successful attack against an unpatched sendmail will not leave any messages in the system logs.
However, on a patched system, an attempt to exploit this vulnerability will leave the following message in the system logs:

Dropped invalid comments from header address

Although this does not represent conclusive evidence of an attack, it may be useful as an indicator of its occurrence. A properly patched sendmail will drop invalid headers, thereby preventing internal servers from receiving them.

The CERT/CC is cataloguing this problem as VU#398025. This reference number corresponds to CVE number CAN-2002-1337. For more information, please consult:

http://www.sendmail.org
http://www.sendmail.org/8.12.8.html
http://www.sendmail.com/security/
http://www.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21950
http://www.kb.cert.org/vuls/id/398025

II. Impact

Successful exploitation of this vulnerability may allow an attacker to obtain the privileges of the sendmail "daemon", typically root. Even sendmail servers internal to a given network may be at risk, since the vulnerability is triggered by the contents of a malicious email.

III. Solution

Apply a patch provided by Sendmail

Sendmail has produced patches for versions 8.9, 8.10, 8.11 and 8.12. However, the vulnerability also exists in older versions of the code. Therefore, administrators who are running older versions are encouraged to upgrade to version 8.12.8. The patches are available at:

ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.security.cr.patch
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.11.6.security.cr.patch
ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.9.3.security.cr.patch

Apply a patch made available by your vendor

Many vendors include vulnerable sendmail servers as part of their distributions.
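The log message above is the one observable trace the advisory gives defenders, and it is worth watching for automatically. The following added example (not code from CERT/CC, NBSO or the sendmail project) scans syslog lines for that message and attributes each hit to the sending relay named in the same queue id's from= line; the log-line layout and all sample lines are constructed assumptions.

```python
"""Scan sendmail syslog output for the CA-2003-07 indicator line.

Added example for this advisory digest, not code from CERT/CC, NBSO or the
Sendmail project. The log lines below are constructed, and the field layout
(syslog timestamp, host, sendmail[pid], queue id, message) is an assumption;
platforms differ slightly, so adjust LINE_RE if your syslog prefix differs.
"""
import re
from collections import Counter

# Exact text a patched sendmail logs when it drops invalid header comments
# (quoted from the advisory). It appears only on patched systems, so a hit
# means a malformed address header arrived, not that the host was compromised.
INDICATOR = "Dropped invalid comments from header address"

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sendmail\[(?P<pid>\d+)\]: (?P<qid>[A-Za-z0-9]+): (?P<msg>.*)$"
)
# relay= is one comma-separated field of the from= line; its value may contain
# a space ("host.example.net [192.0.2.10]"), so capture up to the next comma.
RELAY_RE = re.compile(r"relay=(?P<relay>[^,]+)")

# Constructed sample (not captured from a real system): one ordinary message,
# then two messages from the same relay that tripped the patched check.
SAMPLE_LOG = """\
Mar  3 12:01:07 mx1 sendmail[2231]: h23H17Ab002231: from=<alice@example.net>, size=812, class=0, nrcpts=1, msgid=<a1@example.net>, relay=mail.example.net [192.0.2.10]
Mar  3 12:01:07 mx1 sendmail[2231]: h23H17Ab002231: to=<bob@example.org>, delay=00:00:01, mailer=local, pri=30812, dsn=2.0.0, stat=Sent
Mar  3 12:02:33 mx1 sendmail[2240]: h23H2XAb002240: Dropped invalid comments from header address
Mar  3 12:02:33 mx1 sendmail[2240]: h23H2XAb002240: from=<x@invalid.test>, size=5210, class=0, nrcpts=1, relay=[198.51.100.7]
Mar  3 12:02:35 mx1 sendmail[2241]: h23H2ZAb002241: Dropped invalid comments from header address
Mar  3 12:02:35 mx1 sendmail[2241]: h23H2ZAb002241: from=<y@invalid.test>, size=5222, class=0, nrcpts=1, relay=[198.51.100.7]
"""


def parse_line(line):
    """Split one syslog line into its fields; None if it is not a sendmail line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_indicators(log_text):
    """Return [(queue_id, relay)] for each message that triggered the patched check.

    Two passes: the relay comes from the from= line of the same queue id, which
    may be logged before or after the indicator line, so relays are collected
    first and the hits resolved afterwards. Only from= lines are consulted,
    because to= lines also carry a relay= field (the delivery destination).
    """
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    relay_by_qid = {}
    for rec in records:
        if rec["msg"].startswith("from="):
            m = RELAY_RE.search(rec["msg"])
            if m:
                relay_by_qid[rec["qid"]] = m.group("relay").strip()
    return [(rec["qid"], relay_by_qid.get(rec["qid"]))
            for rec in records if INDICATOR in rec["msg"]]


def relay_counts(log_text):
    """Count indicator hits per sending relay ("unknown" if no from= line was seen)."""
    return Counter(relay or "unknown" for _, relay in find_indicators(log_text))


def noisy_relays(log_text, threshold=2):
    """Relays that tripped the check at least `threshold` times; worth a closer look."""
    return sorted(r for r, n in relay_counts(log_text).items() if n >= threshold)


if __name__ == "__main__":
    for qid, relay in find_indicators(SAMPLE_LOG):
        print(f"{qid}: invalid header comments dropped, relay={relay}")
    print("relays over threshold:", noisy_relays(SAMPLE_LOG))
```

Run it against a real maillog by passing the file contents to find_indicators; a single hit may be a broken mail client, while many hits from one relay in a short window deserve attention.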
We have notified the vendors about this vulnerability and placed their responses in the systems affected section of Vulnerability Note VU#398025. Several vendors have sent statements for direct inclusion in this "advisory". These statements are available in Appendix A.

Enable the RunAsUser option

There is no workaround for this vulnerability. Until a patch can be applied, you may want to enable the RunAsUser option to reduce the impact of this vulnerability. As a good practice, the CERT/CC recommends limiting the privileges of an application or service whenever possible.

Appendix A. - Vendor Information

This appendix contains information provided by the vendors themselves for inclusion in this document. As vendors send new information to the CERT/CC, this document will be updated and the changes will be recorded in the revision history. If a particular vendor is not listed below, it is because we have not received their comments.

Apple Computer, Inc.

"Security Update 2003-03-03" is available to fix this problem. Packages are available for Mac OS X 10.1.5 and Mac OS X 10.2.4 systems. It should be noted that sendmail is not enabled in the default installation of Mac OS X, so only those systems that have explicitly enabled it will be susceptible to this vulnerability. However, all Mac OS X users are encouraged to apply this update to their systems.

Avaya, Inc.

Avaya is aware of this vulnerability and is investigating its impact. As new information becomes available, this section will be updated.

BSD/OS

Wind River Systems has created patches for this problem, which are available in the usual locations for each release. The relevant patches are M500-006 for BSD/OS version 5.0 or for the "Wind River Platform for Server Appliances 1.0", M431-002 for BSD/OS 4.3.1, or M420-032 for BSD/OS 4.2.
Cisco Systems

Cisco is investigating this problem. If we determine that any of our products is vulnerable, this information will be available at: http://www.cisco.com/go/psirt.

Cray Inc.

The code supplied by Cray, Inc. on Unicos, Unicos/mk and Unicos/mp systems may be vulnerable. Cray has opened SPRs 724749 and 724750 to investigate. Cray, Inc. is not vulnerable for MTA systems.

Hewlett-Packard Company

SOURCE: Hewlett-Packard Company, HP Services Software Security Response Team
x-ref: SSRT3469 sendmail

HP will announce the availability of patches through "security bulletin" announcements and through the normal HP Services support channels.

IBM Corporation

The AIX operating system is vulnerable to the sendmail problem in versions 4.3.3, 5.1.0 and 5.2.0. A temporary fix is available through an "efix" package, which can be found at:

ftp://ftp.software.ibm.com/aix/efixes/security/sendmail_efix.tar.Z

IBM will provide the following official fixes:

APAR number for AIX 4.3.3: IY40500 (available approx. March 12, 2003)
APAR number for AIX 5.1.0: IY40501 (available approx. April 28, 2003)
APAR number for AIX 5.2.0: IY40502 (available approx. April 28, 2003)

Openwall GNU/*/Linux

Openwall GNU/*/Linux is not vulnerable. We use Postfix as the MTA, not sendmail.

Red Hat Inc.

Updated sendmail packages, which are not vulnerable to this problem, are available for "Red Hat Linux", "Red Hat Advanced Server" and "Red Hat Advanced Workstation". Users of the Red Hat Network service can update their systems using the 'up2date' tool.

Red Hat Linux: http://rhn.redhat.com/errata/RHSA-2003-073.html
Red Hat Linux Advanced Server and Advanced Workstation: http://rhn.redhat.com/errata/RHSA-2003-074.html

SGI

SGI has become aware of VU#398025 as reported by CERT and has released an advisory to address this vulnerability in IRIX.
Refer to "SGI Security Advisory 20030301-01-P", available at: ftp://patches.sgi.com/support/free/security/advisories/20030301-01-P or http://www.sgi.com/support/security/.

The Sendmail Consortium

The Sendmail Consortium suggests that sites upgrade to version 8.12.8 if possible. Alternatively, patches for versions 8.9, 8.10, 8.11 and 8.12 are available at http://www.sendmail.org/

Sendmail, Inc.

All commercial versions, including "Sendmail Switch", "Sendmail Advanced Message Server" (which includes the "Sendmail Switch" MTA), Sendmail for NT and Sendmail Pro, are affected by this problem. Information about the patches is available at http://www.sendmail.com/security.

Sun Microsystems

Solaris versions 2.6, 7, 8 and 9 are vulnerable to VU#398025. Sun will publish an Alert for this problem, which will be available shortly at: http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert/51181

The patches listed in Sun's Alert will be available at: http://sunsolve.sun.com/securitypatch

_________________________________________________________________

Our thanks to Internet Security Systems, Inc. for discovering this problem, and to Eric Allman, Claus Assmann and Greg Shapiro of Sendmail for notifying us of this problem. We thank both groups for their assistance in coordinating the response to this problem.

_________________________________________________________________

Authors: Jeffrey P. Lanza and Shawn V. Hernan
____________________________________________________________________
Translation: Cristine Hoepers
____________________________________________________________________
Technical Review: Klaus Steding-Jessen
____________________________________________________________________
This translated version of the document can be obtained at: http://www.nbso.nic.br/certcc/advisories/CA-2003-07-br.html
____________________________________________________________________
The original English version of this document can be obtained at: http://www.cert.org/advisories/CA-2003-07.html
____________________________________________________________________

CERT/CC Contact Information

Email: cert em cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT/CC personnel answer the hotline from 8:00 to 17:00 EST (GMT-5), Monday through Friday; during other hours they are on call for emergencies, including weekends and United States holidays.

Using encryption

We strongly recommend that sensitive information be encrypted when sent by email. Our public PGP key is available at: http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site: http://www.cert.org/

To subscribe to the CERT advisories and bulletins mailing list, send an email to majordomo em cert.org, including the following in the body of your message: subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
______________________________________________________________________

Translations of CERT/CC Advisories, (c) 2002 by Carnegie Mellon University, with special permission from the Software Engineering Institute.

Accuracy and interpretation of this translation are the responsibility of NBSO. The SEI has not participated in this translation. NBSO shall ensure that all translated materials incorporate the CERT/CC logos, service marks, and/or trademarks, as well as a link to the original English version on the CERT web site (www.cert.org). NBSO shall ensure that all translated materials are translated in their entirety and that the SEI will be notified of which CERT/CC Advisories are being translated. Notifications go to cert em cert.org.

NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN "AS IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

CMU Indemnification. NBSO hereby agrees to defend, indemnify, and hold harmless CMU, its trustees, officers, employees, and agents from all claims or demands made against them (and any related losses, expenses, or attorney's fees) arising out of, or relating to NBSO's and/or its sublicensees' negligent use or willful misuse of or negligent conduct or willful misconduct regarding CMU Intellectual Property, facilities, or other rights or assistance granted by CMU under this Agreement, including, but not limited to, any claims of product liability, personal injury, death, damage to property, or violation of any laws or regulations. This indemnification will not apply to claims by third parties which allege that CMU Intellectual Property infringes on the intellectual property rights of such third parties, unless such infringement results from NBSO modifying CMU Intellectual Property or combining it with other intellectual property.

Disputes. This Agreement shall be governed by the laws of the Commonwealth of Pennsylvania. Any dispute or claim arising out of or relating to this Agreement will be settled by arbitration in Pittsburgh, Pennsylvania in accordance with the rules of the American Arbitration Association and judgment upon award rendered by the arbitrator(s) may be entered in any court having jurisdiction.

No Endorsement. The SEI and CMU do not directly or indirectly endorse NBSO work. Translations of CMU/SEI copyrighted material are not official SEI-authorized translations. NBSO agrees to assign and transfer to CMU/SEI all copyrights in the translation of any CMU/SEI document. This permission is granted on a non-exclusive basis for non-commercial purposes.

_________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2003 Carnegie Mellon University.
Revision History

March 3, 2003: Initial release
March 3, 2003: Added the Sun Microsystems statement

From mieko em ccuec.unicamp.br Thu Mar 6 09:24:18 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Thu, 06 Mar 2003 09:24:18 -0300
Subject: [SECURITY-L] [S] Major Internet vulnerability discovered in e-mail protocol
Message-ID: <3E673DF2.A074EB53@ccuec.unicamp.br>

Subject: [S] Major Internet vulnerability discovered in e-mail protocol
Date: Wed, 5 Mar 2003 18:44:02 -0300
From: Cristine Hoepers
Reply-To: seguranca em pangeia.com.br
To: seguranca em pangeia.com.br

[http://www.computerworld.com/securitytopics/security/holes/story/0,10801,78991,00.html]

Major Internet vulnerability discovered in e-mail protocol
By DAN VERTON
MARCH 03, 2003
Source: Computerworld

The Department of Homeland Security (DHS) has been working in secret for more than two weeks with the private sector to fix a major Internet vulnerability that could have had disastrous consequences for millions of businesses and the U.S. military.

Since early December, the DHS and the White House Office of Cyberspace Security have been working with Atlanta-based Internet Security Systems Inc. (ISS) to alert IT vendors and the business community about a major buffer-overflow vulnerability in the sendmail mail-transfer agent (MTA). Sendmail is the most common MTA and handles 50% to 75% of all Internet e-mail traffic. Versions of the software, from 5.79 to 8.12.7, are vulnerable, according to an ISS alert issued publicly today.

According to sources familiar with the investigation, ISS discovered the vulnerability on Dec. 1.
It contacted the homeland security officials on Dec. 5, who began alerting IT vendors that distribute sendmail, including Sun Microsystems Inc., IBM, Hewlett-Packard Co. and Silicon Graphics Inc., as well as the Sendmail Consortium, the organization that develops the open-source version of sendmail that is distributed with both free and commercial operating systems. Those vendors were told of the flaw on Jan. 13.

The seriousness of the vulnerability, coupled with the fact that the hacker community wasn't yet aware of it, led the government and ISS to decide it was better to keep the news under wraps until patches could be developed.

The Sendmail Consortium is urging all users to upgrade to Sendmail 8.12.8 or apply a patch for 8.12.x or for older versions. Updates can be downloaded from ftp.sendmail.org or any of its mirrors, or from the Sendmail Consortium's Web site. The consortium said patch users should remember to check the Pretty Good Privacy signatures of any patches or releases obtained. It also suggested that users running the open-source version of sendmail check with their vendors for a patch.

Emeryville, Calif.-based Sendmail Inc., the commercial provider of the sendmail MTA, is providing a binary patch for its commercial customers that can be downloaded from its Web site at: www.sendmail.com/.

"The Remote Sendmail Header Processing Vulnerability allows local and remote users to gain almost complete control of a vulnerable Sendmail server," according to an alert prepared today by the DHS. "Attackers gain the ability to execute privileged commands using super-user (root) access/control. This vulnerability can be exploited through a simple e-mail message containing malicious code."

"System administrators should be aware that many Sendmail servers are not typically shielded by perimeter defense applications" such as firewalls, warned the DHS alert, which hadn't yet been made publicly available as of midafternoon. "A successful attacker could install malicious code, run destructive programs and modify or delete files." In addition, attackers could gain access to other systems through a compromised sendmail server, depending on local configurations, according to the DHS warning.

According to ISS, the sendmail remote vulnerability occurs when processing and evaluating header fields in e-mail collected during a Simple Mail Transfer Protocol transaction. Specifically, when fields are encountered that contain addresses or lists of addresses (such as the "From" field, "To" field and "CC" field), sendmail attempts to semantically evaluate whether the supplied address or list of addresses is valid. This is accomplished using the crackaddr() function, which is located in the headers.c file in the sendmail source tree.

A static buffer is used to store data that has been processed. Sendmail detects when this buffer becomes full and stops adding characters, although it continues processing. Sendmail implements several security checks to ensure that characters are parsed correctly. One such security check is flawed, making it possible for a remote attacker to send an e-mail with a specially crafted address field that triggers a buffer overflow.

"Sendmail's vulnerability offers a legitimate test [of the new DHS and its ability to work with the private sector] because sendmail handles a large amount of Internet mail traffic and is installed on at least 1.5 million Internet-connected systems," said an alert from the SANS Institute in Bethesda, Md., that was obtained by Computerworld today. "More than half of the large ISPs and Fortune 500 companies use sendmail, as do tens of thousands of other organizations. A security hole in sendmail affects a lot of people and demands their immediate attention."

Of particular concern to the White House was the potential vulnerability of the U.S. military, which is poised to begin offensive military operations in Iraq and is simultaneously facing the possibility of conflict on the Korean peninsula. As a result, early versions of available patches were distributed first to U.S. military organizations on Feb. 25 and 26, according to the SANS alert.

The advance military alert was followed last Thursday and Friday with alerts to various government organizations in the U.S. and around the world, including the Information Sharing and Analysis Centers (ISAC).

"Some of the large commercial vendors developed patches very quickly. But the delayed notice to smaller sources of sendmail distributions and limited resources at those organizations meant that not all the patches would be ready by early in the week of February 23," according to the SANS analysis of the public/private response effort.

A senior-level coordination group of government and private-sector experts then decided, based on a review of cyberintelligence from various hacker discussion boards and a series of sensors deployed around the world by ISS, that it was safe to wait until all the patches were available before alerting the general business and Internet community to the vulnerability.

Beginning today at 10 a.m. EST, alerts began flowing from the Federal Computer Incident Response Center to federal agencies and from the ISACs to companies responsible for critical infrastructure. At noon EST today, ISS released its own advisory, followed by a general alert from the CERT Coordination Center at Carnegie Mellon University in Pittsburgh.
From caio_sm em yahoo.com.br Mon Mar 17 20:12:53 2003
From: caio_sm em yahoo.com.br (=?iso-8859-1?q?Caio=20Souza?=)
Date: Mon, 17 Mar 2003 20:12:53 -0300 (ART)
Subject: [SECURITY-L] Vulnerability Note VU#298233
Message-ID: <20030317231253.52007.qmail@web13205.mail.yahoo.com>

Vulnerability Note VU#298233
Samba contains buffer overflow in SMB/CIFS packet fragment reassembly code

Overview
A buffer overflow vulnerability has been discovered in Samba. An updated version has been released.

I. Description
A remotely exploitable buffer overflow vulnerability was discovered to affect Samba versions 2.0.x through 2.2.7a. From their bulletin:

The SuSE security audit team, in particular Sebastian Krahmer, has found a flaw in the Samba main smbd code which could allow an external attacker to remotely and anonymously gain Super User (root) privileges on a server running a Samba server. This flaw exists in previous versions of Samba from 2.0.x to 2.2.7a inclusive. This is a serious problem and all sites should either upgrade to Samba 2.2.8 immediately or prohibit access to TCP ports 139 and 445. Advice created by Andrew Tridgell, the leader of the Samba Team, on how to protect an unpatched Samba server is given at the end of this section. The SMB/CIFS protocol implemented by Samba is vulnerable to many attacks, even without specific security holes. The TCP ports 139 and the new port 445 (used by Win2k and the Samba 3.0 alpha code in particular) should never be exposed to untrusted networks.

II. Impact
A remote attacker may be able to execute arbitrary code with the privileges of the Super User, typically root.

III. Solution
Upgrade to Samba version 2.2.8. The "Protecting an unpatched Samba server" section of the Samba bulletin discusses several workarounds for unpatched servers.
Systems Affected

Vendor                 Status          Date Updated
Apple Computer Inc.    Vulnerable      17-Mar-2003
Conectiva              Vulnerable      17-Mar-2003
Debian                 Vulnerable      17-Mar-2003
Gentoo Linux           Vulnerable      17-Mar-2003
IBM                    Vulnerable      17-Mar-2003
Ingrian                Not Vulnerable  17-Mar-2003
MandrakeSoft           Vulnerable      17-Mar-2003
MontaVista Software    Vulnerable      17-Mar-2003
Samba Team             Vulnerable      17-Mar-2003
SGI                    Unknown         17-Mar-2003
SuSE Inc.              Vulnerable      17-Mar-2003

References
http://www.samba.org/samba/whatsnew/samba-2.2.8.html

Credit
Thanks to Sebastian Krahmer for reporting this vulnerability.
This document was written by Jason A Rafail.

Other Information
Date Public: 03/16/2003
Date First Published: 03/17/2003 10:01:25 AM
Date Last Updated: 03/17/2003
CERT Advisory:
CVE Name:
Metric: 23.63
Document Revision: 5
http://www.kb.cert.org/vuls/id/298233

From caio_sm em yahoo.com.br Mon Mar 17 20:14:03 2003
From: caio_sm em yahoo.com.br (=?iso-8859-1?q?Caio=20Souza?=)
Date: Mon, 17 Mar 2003 20:14:03 -0300 (ART)
Subject: [SECURITY-L] Vulnerability Note VU#117394
Message-ID: <20030317231403.87640.qmail@web13207.mail.yahoo.com>

Vulnerability Note VU#117394
Buffer Overflow in Microsoft IIS 5.0

Overview
A buffer overflow vulnerability exists in Microsoft IIS 5.0 running on Microsoft Windows 2000. IIS 5.0 is installed and running by default on Microsoft Windows 2000 server systems. This vulnerability may allow a remote attacker to run arbitrary code on the victim machine. An exploit is publicly available for this vulnerability, which increases the urgency that system administrators apply a patch.

I. Description
IIS 5.0 includes support for WebDAV, which allows users to manipulate files stored on a web server (RFC2518). A buffer overflow vulnerability exists in ntdll.dll (a portion of code utilized by the IIS WebDAV component).
By sending a specially crafted request to an IIS 5.0 server, an attacker may be able to execute arbitrary code in the Local System security context, essentially giving the attacker complete control of the system.

II. Impact
Any attacker who can reach a vulnerable web server can gain complete control of the system and execute arbitrary code in the Local System security context. Note that this may be significantly more serious than a simple "web defacement."

III. Solution

Apply a patch from your vendor
A patch is available from Microsoft at
http://microsoft.com/downloads/details.aspx?FamilyId=C9A38D45-5145-4844-B62E-C69D32AC929B&displaylang=en

Disable vulnerable service
Until a patch can be applied, you may wish to disable IIS. To determine if IIS is running, Microsoft recommends the following: Go to "Start | Settings | Control Panel | Administrative Tools | Services". If the "World Wide Web Publishing" service is listed then IIS is installed. To disable IIS, run the IIS lockdown tool. This tool is available here:
http://www.microsoft.com/downloads/release.asp?ReleaseID=43955

If you cannot disable IIS, consider using the IIS lockdown tool to disable WebDAV (removing WebDAV can be specified when running the IIS lockdown tool). Alternatively, you can disable WebDAV by following the instructions located in Microsoft's Knowledgebase Article 241520, "How to Disable WebDAV for IIS 5.0":
http://support.microsoft.com/default.aspx?scid=kb;en-us;241520

Restrict buffer size
If you cannot use either the IIS lockdown tool or URLScan, consider restricting the size of the buffer IIS utilizes to process requests by using Microsoft's URL Buffer Size Registry Tool. This tool can be run against a local or remote Windows 2000 system running Windows 2000 Service Pack 2 or Service Pack 3.
The tool, instructions on how to use it, and instructions on how to manually make changes to the registry are available here:
URL Buffer Size Registry Tool - http://go.microsoft.com/fwlink/?LinkId=14875
Microsoft Knowledge Base Article 816930 - http://support.microsoft.com/default.aspx?scid=kb;en-us;816930
Microsoft Knowledge Base Article 260694 - http://support.microsoft.com/default.aspx?scid=kb;en-us;260694

You may also wish to use URLScan, which will block web requests that attempt to exploit this vulnerability. Information about URLScan is available at:
http://support.microsoft.com/default.aspx?scid=kb;[LN];326444

Systems Affected

Vendor                 Status          Date Updated
Microsoft Corporation  Vulnerable      17-Mar-2003

References
http://www.microsoft.com/windows2000/technologies/web/default.asp
http://www.ietf.org/rfc/rfc2518.txt
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-007.asp
http://microsoft.com/downloads/details.aspx?FamilyId=C9A38D45-5145-4844-B62E-C69D32AC929B&displaylang=en
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-007.asp
http://www.microsoft.com/downloads/release.asp?ReleaseID=43955
http://support.microsoft.com/default.aspx?scid=kb;en-us;241520
http://support.microsoft.com/default.aspx?scid=kb;%5BLN%5D;326444
http://go.microsoft.com/fwlink/?LinkId=14875
http://support.microsoft.com/default.aspx?scid=kb;en-us;816930
http://support.microsoft.com/default.aspx?scid=kb;en-us;260694

Credit
This document was written by Ian A Finlay.

Other Information
Date Public: 03/17/2003
Date First Published: 03/17/2003 02:26:26 PM
Date Last Updated: 03/17/2003
CERT Advisory: CA-2003-09
CVE Name: CAN-2003-0109
Metric: 112.50
Document Revision: 4
http://www.kb.cert.org/vuls/id/117394
From caio_sm em yahoo.com.br Mon Mar 17 20:17:16 2003
From: caio_sm em yahoo.com.br (=?iso-8859-1?q?Caio=20Souza?=)
Date: Mon, 17 Mar 2003 20:17:16 -0300 (ART)
Subject: [SECURITY-L] Critical vulnerabilities discovered in Eudora
Message-ID: <20030317231716.65038.qmail@web13208.mail.yahoo.com>

Critical vulnerabilities discovered in Eudora
DATE - 14 Mar 2003
SOURCE - Oxygen3

The security company Secunia this week issued a security alert about critical vulnerabilities in the Eudora e-mail program. The security flaws reportedly affect versions up to 5.1. According to Secunia, the flaws are related to the way Eudora handles files attached to e-mail messages (the vulnerability occurs when the name of an attached file exceeds 200 characters). A cracker could thus launch a denial-of-service (DoS) attack to bring down the victim's system. Eudora's maker recommends that users update the program to version 5.2, which fixes the vulnerabilities.
http://www.modulo.com.br/index.jsp

From caio_sm em yahoo.com.br Mon Mar 17 20:15:37 2003
From: caio_sm em yahoo.com.br (=?iso-8859-1?q?Caio=20Souza?=)
Date: Mon, 17 Mar 2003 20:15:37 -0300 (ART)
Subject: [SECURITY-L] Flaw found in Sun One
Message-ID: <20030317231537.1627.qmail@web13201.mail.yahoo.com>

Flaw found in Sun One
Monday, March 17, 2003 - 10:14
IDG Now!

The security firm @Stake announced that one of the modules included in the Sun Microsystems One application server has a flaw that can be exploited by external attackers, who could use it to take control of the web server.
The flaw is in the Connector module, a plug-in programming interface for Netscape applications that are integrated with the Sun One web server. A Uniform Resource Identifier (URI) in an HTTP request handled by the module can trigger the flaw, @Stake reported. The flaw affects versions 6.0 and 6.5 of the Sun One Application Server. The fix for version 6.5 is already available at http://wwws.sun.com/software/download/products/3e3afb89.html. Although there is no fix for version 6.0, @Stake suggests some measures, such as:
- Writing an NSAPI module to inspect the size of the URIs in HTTP requests.
- Terminating the Secure Sockets Layer (SSL) session on a device in front of the Sun One web server and installing an intrusion detection system (IDS) to monitor the traffic.
- Terminating the SSL session on a reverse proxy that validates the data in all HTTP request headers.

[ David Legard - IDG News Service, Australia ]
Related news: · PeopleSoft web server has a security flaw
Related site: · www.sun.com
http://idgnow.terra.com.br/idgnow/internet/2003/03/0034

From caio_sm em yahoo.com.br Wed Mar 19 20:32:38 2003
From: caio_sm em yahoo.com.br (=?iso-8859-1?q?Caio=20Souza?=)
Date: Wed, 19 Mar 2003 20:32:38 -0300 (ART)
Subject: [SECURITY-L] Ptrace vulnerability in Linux 2.4 and 2.2
Message-ID: <20030319233238.80999.qmail@web13203.mail.yahoo.com>

Ptrace vulnerability in Linux 2.4 and 2.2
Posted on: Wednesday, March 19 @ 11:02:00 BRT

The Linux 2.2 and 2.4 kernels have a flaw in ptrace... This vulnerability allows local users to escalate privileges... Remote exploitation of this vulnerability is NOT possible, and the 2.5 kernel family is believed not to be vulnerable...
Linux 2.2.25 has been released to fix the problem... The patch for version 2.4.20/2.4.21pre can be accessed at the link below... Andrzej Szombierski was responsible for discovering the vulnerability and for developing the initial patch...
2.4.20.ptrace.diff
http://www.linuxsecurity.com.br/article.php?sid=7220

From caio_sm em yahoo.com.br Wed Mar 19 21:39:24 2003
From: caio_sm em yahoo.com.br (=?iso-8859-1?q?Caio=20Souza?=)
Date: Wed, 19 Mar 2003 21:39:24 -0300 (ART)
Subject: [SECURITY-L] MS fixes flaw in Windows scripts
Message-ID: <20030320003924.92880.qmail@web13203.mail.yahoo.com>

MS fixes flaw in Windows scripts
Wednesday, March 19, 2003 - 19:23

SÃO PAULO – A flaw in the Windows Script Engine (WSE), the program that gives Windows the ability to run scripts in languages such as VBScript and JScript, allows a machine running any version of Windows, from 98 to XP, to be broken into. According to Microsoft, the flaw lies in the way the WSE processes JScript information. A hacker can build a web page that, when visited, fires code that exploits this weakness and breaks into the PC. That web page can be on a site, but it can also be sent by e-mail. The fix is at www.infoexame.com.br/aberto/download/3151.shl. Note: there is a different patch for each version of Windows: 98, Me, NT 4.0, 2000 and XP.
Carlos Machado, INFO
http://info.abril.com.br/aberto/infonews/032003/19032003-9.shl
From caio_sm em yahoo.com.br Wed Mar 19 21:43:17 2003
From: caio_sm em yahoo.com.br (=?iso-8859-1?q?Caio=20Souza?=)
Date: Wed, 19 Mar 2003 21:43:17 -0300 (ART)
Subject: [SECURITY-L] Windows 2000 fix locks up system
Message-ID: <20030320004317.95723.qmail@web13202.mail.yahoo.com>

Windows 2000 fix locks up system
Wednesday, March 19, 2003 - 15:59

Microsoft issued a notice stating that the MS03-007 fix, created to eliminate a serious vulnerability discovered in Windows 2000, is incompatible with 12 other fixes for the same operating system, developed between December 2001 and February 2002. If they install the new fix, users of the system have no way to restart their machines.

Windows 2000 users with Service Pack 2 installed should check which version of the file named "ntoskrnl.exe" is installed on their systems. Versions 5.0.2195.4797 onward, as well as 5.0.2195.4928, distributed by Microsoft's PSS (Product Support Services), are not compatible with the new fix. Affected users should contact PSS before validating the fix.

According to Microsoft, the fix was meant to correct a buffer overrun flaw in a Windows 2000 component used for remote management of Windows 2000 servers. The component is named "ntdll.dll" and its feature is called WebDAV, or World Wide Web Distributed Authoring and Versioning. The attack would give full control of the user's system through the sending of HTTP (Hypertext Transfer Protocol) files. The flaw is an entry point for threats such as Code Red and Nimda.

According to Microsoft, Windows 2000 users who do not need to install the fix immediately can disable WebDAV to do away with the vulnerability. The temporary measure is applied with the IIS Lockdown tool, which runs on the operating system.
[ Joris Evers - IDG News Service, Amsterdam. Translated by CSO ]
Related news: · Microsoft warns of yet another flaw in Windows 2000 · US Army server is attacked
Related site: · www.microsoft.com
http://idgnow.terra.com.br/idgnow/internet/2003/03/0043

From caio_sm em yahoo.com.br Wed Mar 19 21:45:59 2003
From: caio_sm em yahoo.com.br (=?iso-8859-1?q?Caio=20Souza?=)
Date: Wed, 19 Mar 2003 21:45:59 -0300 (ART)
Subject: [SECURITY-L] Fake site tries to steal Itaú passwords
Message-ID: <20030320004559.18194.qmail@web13201.mail.yahoo.com>

A fake message arrives by e-mail saying that users must re-register on a new site, entering all their passwords, including the card password. The forged page is very well done and can fool the user. The bank warns customers to delete the message.
Henrique Martin, PC World 19/03/2003 16:54:23

An e-mail signed by Paulo Roberto Setubal asks Itaú account holders to update their details on a new bank site. The problem is that the site is fake and was built to steal the customer's card and internet passwords. One detail: there is no Paulo Roberto Setubal in Itaú's organisation chart. Setubal, as it happens, is the surname of the bank's president.

The page created by the forgers is hosted on a domain ending in .CX, of Christmas Island, west of Australia, and faithfully copies Itaú's internet banking site. The difference is in the customer data-entry bar, which asks for branch number, account, card password and electronic password (see image above). On the official Itaú site, only the branch and account number need to be typed. The electronic password is entered on a virtual keyboard, on another page, to guarantee the security of the transaction.
The fake message arrives by e-mail with no subject. The e-mail with the fraudulent information says that, by order of a decree-law signed by the "President of the Republic" (without naming names), the bank informs that for every transaction of R$ 5,000 or more Itaú must notify the Federal Revenue Service and check customers' addresses; here the confusion meant to deceive the customer begins. Next, the fake e-mail says that addresses must be confirmed within 48 hours on a site, and gives the address located on Christmas Island. The forger is so audacious as to claim that "the new Itaú address is subject to international security systems and strict anti-fraud countermeasures". The scam is similar to the one used against Banco do Brasil account holders during Carnival week.

Itaú clarifies
Banco Itaú states in a communiqué that it "never uses this type of procedure to send account holders any guidance, to communicate with them, or even to update the programs it offers". To guarantee the integrity of their information and of their computers, Itaú asks customers who receive an e-mail sent by an unknown person or origin to read it only after running the message through an antivirus program, and to delete the message immediately, to protect their PC and, of course, their bank account.
http://pcworld.terra.com.br/pcw/update/8705.html
From mieko em ccuec.unicamp.br Thu Mar 20 09:03:32 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Thu, 20 Mar 2003 09:03:32 -0300
Subject: [SECURITY-L] Microsoft Security Bulletin MS03-009: Flaw In ISA Server DNS Intrusion Detection Filter Can Cause Denial Of Service (331065)
Message-ID: <3E79AE14.9B4DCDE6@ccuec.unicamp.br>

Subject: Microsoft Security Bulletin MS03-009: Flaw In ISA Server DNS Intrusion Detection Filter Can Cause Denial Of Service (331065)
Date: Wed, 19 Mar 2003 17:33:01 -0800
From: "Microsoft" <0_45731_AEE7C282-5BFD-4E84-98BC-79A14F27B03B_BR em Newsletters.Microsoft.com>
Reply-To: <3_45731_AEE7C282-5BFD-4E84-98BC-79A14F27B03B_BR em Newsletters.Microsoft.com>

-----BEGIN PGP SIGNED MESSAGE-----

- -------------------------------------------------------------------
Title:      Flaw In ISA Server DNS Intrusion Detection Filter Can Cause Denial Of Service (331065)
Date:       19 March 2003
Software:   Microsoft ISA Server
Impact:     Denial of Service
Max Risk:   Moderate
Bulletin:   MS03-009

Microsoft encourages customers to review the Security Bulletins at:
http://www.microsoft.com/technet/security/bulletin/MS03-009.asp
http://www.microsoft.com/security/security_bulletins/ms03-009.asp
- -------------------------------------------------------------------

Issue:
======
Microsoft Internet Security and Acceleration (ISA) Server 2000 contains the ability to apply application filters to incoming traffic. Application filters allow ISA Server to analyze a data stream for a particular application and provide application-specific processing including inspecting, screening or blocking, redirecting, or modifying the data as it passes through the firewall. This mechanism is used to protect against invalid URLs which may indicate attempted attacks as well as attacks against internal Domain Name Service (DNS) Servers.
A flaw exists in the ISA Server DNS intrusion detection application filter, and results because the filter does not properly handle a specific type of request when scanning incoming DNS requests. An attacker could exploit the vulnerability by sending a specially formed request to an ISA Server computer that is publishing a DNS server, which could then result in a denial of service to the published DNS server. DNS requests arriving at the ISA Server would be stopped at the firewall, and not passed through to the internal DNS server. All other ISA Server functionality would be unaffected.

Mitigating Factors:
====================
- By default, no DNS servers are published. DNS server publishing must be manually enabled.
- The vulnerability would not enable an attacker to gain any privileges on an affected ISA Server or the published DNS server or to compromise any cached content on the server. It is strictly a denial of service vulnerability.

Risk Rating:
============
- Moderate

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the Security Bulletins at
  http://www.microsoft.com/technet/security/bulletin/ms03-009.asp
  http://www.microsoft.com/security/security_bulletins/ms03-009.asp
  for information on obtaining this patch.

- -------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQEVAwUBPni3qo0ZSRQxA/UrAQGl3gf+LrKTjf5hyCV2b+qkEagre6zgb2CuOP+A
auPp73+kYOHiI5Bd8STtHSdeedevmui5EDWDIkWR9tWm45eDXuy4dLFU8N9qH+id
lVrL/61eJuJz/9W53PxSsCy2wAisYrXcRA9nl0TrBU3/2WApHY2AkcIXWieG/KBS
XIcZQ+1gNb5Go+i/vrhNhsQaJJcWf7ziKLks5SRtWYUPc947DYLGulFhc+FRzwnc
OxSxKVGgncg/nc/86cDLZVM1jGzYao78VloPQoIVNPfsBmjx6s3+x0oGzOKCJwNp
w/GWnDIK8usqPu62pQYsjVDViA7Rz5Piub+73gbwEX1ytri/FHPsgg==
=Uf5c
-----END PGP SIGNATURE-----

*******************************************************************
You have received this e-mail bulletin because of your subscription to the Microsoft Product Security Notification Service. For more information on this service, please visit http://www.microsoft.com/technet/security/notify.asp.

To verify the digital signature on this bulletin, please download our PGP key at http://www.microsoft.com/technet/security/notify.asp.

To unsubscribe from the Microsoft Security Notification Service, please visit the Microsoft Profile Center at http://register.microsoft.com/regsys/pic.asp

If you do not wish to use Microsoft Passport, you can unsubscribe from the Microsoft Security Notification Service via email as described below: Reply to this message with the word UNSUBSCRIBE in the Subject line.

For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.
From mieko em ccuec.unicamp.br Thu Mar 20 09:05:07 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Thu, 20 Mar 2003 09:05:07 -0300
Subject: [SECURITY-L] Microsoft Security Bulletin MS03-008: Flaw in Windows Script Engine Could Allow Code Execution (814078)
Message-ID: <3E79AE73.8E87BF68@ccuec.unicamp.br>

Subject: Microsoft Security Bulletin MS03-008: Flaw in Windows Script Engine Could Allow Code Execution (814078)
Date: Wed, 19 Mar 2003 17:37:28 -0800
From: "Microsoft" <0_45730_AEE7C282-5BFD-4E84-98BC-79A14F27B03B_BR em Newsletters.Microsoft.com>
Reply-To: <3_45730_AEE7C282-5BFD-4E84-98BC-79A14F27B03B_BR em Newsletters.Microsoft.com>

-----BEGIN PGP SIGNED MESSAGE-----

- -------------------------------------------------------------------
Title:      Flaw in Windows Script Engine Could Allow Code Execution (814078)
Date:       19 March 2003
Software:   Microsoft Windows 98
            Microsoft Windows 98 Second Edition
            Microsoft Windows Me
            Microsoft Windows NT 4.0
            Microsoft Windows NT 4.0 Terminal Server Edition
            Microsoft Windows 2000
            Microsoft Windows XP
Impact:     Run Code of Attacker's Choice
Max Risk:   Critical
Bulletin:   MS03-008

Microsoft encourages customers to review the Security Bulletins at:
http://www.microsoft.com/technet/security/bulletin/MS03-008.asp
http://www.microsoft.com/security/security_bulletins/ms03-008.asp
- -------------------------------------------------------------------

Issue:
======
The Windows Script Engine provides Windows operating systems with the ability to execute script code. Script code can be used to add functionality to web pages, or to automate tasks within the operating system or within a program. Script code can be written in several different scripting languages, such as Visual Basic Script, or JScript. A flaw exists in the way by which the Windows Script Engine for JScript processes information.
An attacker could exploit the vulnerability by constructing a web page that, when visited by the user, would execute code of the attacker's choice with the user's privileges. The web page could be hosted on a web site, or sent directly to the user in email.

Although Microsoft has supplied a patch for this vulnerability and recommends all affected customers install the patch immediately, additional preventive measures have been provided that customers can use to help block the exploitation of this vulnerability while they are assessing the impact and compatibility of the patch. These temporary workarounds are discussed in the "Workarounds" section in the Frequently Asked Questions section of the security bulletin for this release.

Mitigating Factors:
====================
- For an attack to be successful, the user would need to visit a website under the attacker's control or receive an HTML e-mail from the attacker.
- Computers configured to disable active scripting in Internet Explorer are not susceptible to this issue.
- Exploiting the vulnerability would allow the attacker only the same privileges as the user. Users whose accounts are configured to have few privileges on the system would be at less risk than ones who operate with administrative privileges.
- Automatic exploitation of the vulnerability by an HTML email would be blocked by Outlook Express 6.0 and Outlook 2002 in their default configurations, and by Outlook 98 and 2000 if used in conjunction with the Outlook Email Security Update.

Risk Rating:
============
- Critical

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the Security Bulletins at
  http://www.microsoft.com/technet/security/bulletin/ms03-008.asp
  http://www.microsoft.com/security/security_bulletins/ms03-008.asp
  for information on obtaining this patch.
- -------------------------------------------------------------------

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

iQEVAwUBPni3jI0ZSRQxA/UrAQFpYwf+Mo4kacxuVP/ret4PnPYViIR82npvhps8
4WaG+zNop2J/euPXryfK2aL6xpo3kGC9Dc4ova9QUPoEwIyIVLlAzSX6BkYfhp1a
QlRWE+x9DYEtPR7/hqPdCpdbiDB9tHFSEpVk3ZD7qBxZ5pBF2T0/sxplhIZj7PAw
24xyIYCwDBcn/aOITXbC0L6SuO2dgdY1jJZ1Sl2A0TLChN4XaDjVksky0Fd72ofU
JTqdLq29kDXD1qf3yKKpVjDlyNXzjHdzNg2H4R4pUpTEhCbtgpzSKOG+2xXdDNvS
fl9u67O/3YUMv1zcvSE+OD0/bGeVIa2csobBIeA8LHCm411ge0MHaA==
=Ccb2
-----END PGP SIGNATURE-----
From mieko em ccuec.unicamp.br Thu Mar 20 09:07:06 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Thu, 20 Mar 2003 09:07:06 -0300
Subject: [SECURITY-L] CERT Advisory CA-2003-10 Integer overflow in Sun RPC XDR library routines
Message-ID: <3E79AEEA.5C2033C@ccuec.unicamp.br>

Subject: CERT Advisory CA-2003-10 Integer overflow in Sun RPC XDR library routines
Date: Wed, 19 Mar 2003 14:53:45 -0500
From: CERT Advisory
Organization: CERT(R) Coordination Center - +1 412-268-7090
To: cert-advisory em cert.org

-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2003-10 Integer overflow in Sun RPC XDR library routines

Original release date: March 19, 2003
Last revised: --
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

Applications using vulnerable implementations of SunRPC-derived XDR libraries, which include
* Sun Microsystems network services library (libnsl)
* BSD-derived libraries with XDR/RPC routines (libc)
* GNU C library with sunrpc (glibc)

Overview

There is an integer overflow in the xdrmem_getbytes() function distributed as part of the Sun Microsystems XDR library. This overflow can cause remotely exploitable buffer overflows in multiple applications, leading to the execution of arbitrary code. Although the library was originally distributed by Sun Microsystems, multiple vendors have included the vulnerable code in their own implementations.

I. Description

XDR (external data representation) libraries are used to provide platform-independent methods for sending data from one system process to another, typically over a network connection. Such routines are commonly used in remote procedure call (RPC) implementations to provide transparency to application programmers who need to use common interfaces to interact with many different types of systems.

The xdrmem_getbytes() function in the XDR library provided by Sun Microsystems contains an integer overflow that can lead to improperly sized dynamic memory allocation. Depending on how and where the vulnerable xdrmem_getbytes() function is used, subsequent problems like buffer overflows may result.

Researchers at eEye Digital Security discovered this vulnerability and have also published an advisory. This issue is currently being tracked as VU#516825 by the CERT/CC and as CAN-2003-0028 in the Common Vulnerabilities and Exposures (CVE) dictionary. Note that this vulnerability is similar to, but distinct from, VU#192995.

II. Impact

Because SunRPC-derived XDR libraries are used by a variety of vendors in a variety of applications, this defect may lead to a number of security problems. Exploiting this vulnerability will lead to denial of service, execution of arbitrary code, or the disclosure of sensitive information. Specific impacts reported include the ability to crash the rpcbind service and possibly execute arbitrary code with root privileges. In addition, intruders may be able to crash the MIT KRB5 kadmind or cause it to leak sensitive information, such as secret keys.

III. Solution

Apply a patch from your vendor

Apply the appropriate patch or upgrade as specified by your vendor. See Appendix A below and the Systems Affected section of VU#516825 for further information.

Note that XDR libraries can be used by multiple applications on most systems. It may be necessary to upgrade or apply multiple patches and then recompile statically linked applications.
Applications that are statically linked must be recompiled using patched libraries. Applications that are dynamically linked do not need to be recompiled; however, running services need to be restarted in order to use the patched libraries.

System administrators should consider the following process when addressing this issue:

1. Patch or obtain updated XDR/RPC libraries.
2. Restart any dynamically linked services that make use of the XDR/RPC libraries.
3. Recompile any statically linked applications using the patched or updated XDR/RPC libraries.

Disable access to vulnerable services or applications

Until patches are available and can be applied, you may wish to disable access to services or applications compiled with the vulnerable xdrmem_getbytes() function. As a best practice, the CERT/CC recommends disabling all services that are not explicitly required.

Appendix A. - Vendor Information

This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments.

Apple Computer, Inc.

Mac OS X and Mac OS X Server do not contain the vulnerabilities described in this report.

Cray, Inc.

Cray Inc. may be vulnerable and has opened spr's 724153 and 724154 to investigate.

Fujitsu

We are currently investigating how the vulnerability reported under VU#516825 affects the Fujitsu UXP/V O.S. We will update this statement as soon as new information becomes available.

GNU glibc

Version 2.3.1 of the GNU C Library is vulnerable. Earlier versions are also vulnerable. The following patches have been installed into the CVS sources, and should appear in the next version of the GNU C Library. These patches are also available from the following URLs:

http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sunrpc/rpc/xdr.h.diff?r1=1.26&r2=1.27&cvsroot=glibc
http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sunrpc/xdr_mem.c.diff?r1=1.13&r2=1.15&cvsroot=glibc
http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sunrpc/xdr_rec.c.diff?r1=1.26&r2=1.27&cvsroot=glibc
http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sunrpc/xdr_sizeof.c.diff?r1=1.5&r2=1.6&cvsroot=glibc
http://sources.redhat.com/cgi-bin/cvsweb.cgi/libc/sunrpc/xdr_stdio.c.diff?r1=1.15&r2=1.16&cvsroot=glibc

2002-12-16  Roland McGrath

	* sunrpc/xdr_mem.c (xdrmem_inline): Fix argument type.
	* sunrpc/xdr_rec.c (xdrrec_inline): Likewise.
	* sunrpc/xdr_stdio.c (xdrstdio_inline): Likewise.

2002-12-13  Paul Eggert

	* sunrpc/rpc/xdr.h (struct XDR.xdr_ops.x_inline): 2nd arg is now u_int, not int.
	(struct XDR.x_handy): Now u_int, not int.
	* sunrpc/xdr_mem.c: Include .
	(xdrmem_getlong, xdrmem_putlong, xdrmem_getbytes, xdrmem_putbytes, xdrmem_inline, xdrmem_getint32, xdrmem_putint32): x_handy is now unsigned, not signed. Do not decrement x_handy if no change is made.
	(xdrmem_setpos): Check for int overflow.
	* sunrpc/xdr_sizeof.c (x_inline): 2nd arg is now unsigned.
	(xdr_sizeof): Remove cast that is now unnecessary, now that x_handy is unsigned.

[ text of diffs available in the links included above --CERT/CC ]

Hewlett-Packard Company

RE: HP Case ID SSRT2439

At the time of writing this document, Hewlett Packard is currently investigating the potential impact to HP's released Operating System software products. As further information becomes available HP will provide notice of the availability of any necessary patches through standard security bulletin announcements and be available from your normal HP Services support channel.

Hitachi

Hitachi's GR2000 gigabit router series - is NOT vulnerable.

IBM Corporation

The AIX operating system is vulnerable to the issues discussed in CERT vulnerability note VU#516825 in releases 4.3.3, 5.1.0 and 5.2.0. IBM provides the following official fixes:

APAR number for AIX 4.3.3: IY38524
APAR number for AIX 5.1.0: IY38434
APAR number for AIX 5.2.0: IY39231

Please contact your local IBM AIX support center for any assistance.

Ingrian Networks

Ingrian Networks products are not susceptible to the vulnerabilities in VU#516825.

MIT Kerberos Development Team

It may be possible for a remote attacker to exploit an integer overflow in xdrmem_getbytes() to crash the kadmind server process by a read segmentation fault. For this to succeed, the kadmind process must be able to allocate more than MAX_INT bytes of memory. This is believed to be unlikely, as most installations are not likely to permit the allocation of that much memory.

It may also be possible for a remote attacker to exploit this integer overflow to obtain sensitive information, such as secret keys, from the kadmind process. This is believed to be extremely unlikely, as there are unlikely to be ways for the information, once improperly copied, to be returned to the attacker. In addition, the above condition of the kadmind being able to allocate huge amounts of memory must be satisfied.

Please see
http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-003-xdr.txt

This patch may also be found at:
http://web.mit.edu/kerberos/www/advisories/2003-003-xdr_patch.txt

The associated detached PGP signature is at:
http://web.mit.edu/kerberos/www/advisories/2003-003-xdr_patch.txt.asc

NEC Corporation

[Server Products]
* EWS/UP 48 Series operating system - is NOT vulnerable.

NetBSD

The length types of the various xdr*_getbytes functions were made consistent somewhere back in 1997 (all u_int), so we're not vulnerable in that area.

Network Appliance

NetApp products are not vulnerable to this issue.

Nokia

This issue has no relationship to the product we ship.

SGI

SGI acknowledges receiving CERT VU#516825 and is currently investigating. This is being tracked as SGI Bug# 880925. No further information is available at this time.

For the protection of all our customers, SGI does not disclose, discuss or confirm vulnerabilities until a full investigation has occurred and any necessary patch(es) or release streams are available for all vulnerable and supported SGI operating systems. Until SGI has more definitive information to provide, customers are encouraged to assume all security vulnerabilities as exploitable and take appropriate steps according to local site security policies and requirements. As further information becomes available, additional advisories will be issued via the normal SGI security information distribution methods including the wiretap mailing list on http://www.sgi.com/support/security/

Sun Microsystems

Solaris 2.6, 7, 8 and 9 are vulnerable to VU#516825. Sun will be publishing a Sun Alert for the issue at the following location shortly:

http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert/51884

The Sun Alert will be updated with the patch information as soon as the patches are available. At that time, the patches listed in the Sun Alert will be available from:

http://sunsolve.sun.com/securitypatch

_________________________________________________________________

Appendix B. - References

1. AD20030318.html - http://www.eeye.com/html/Research/Advisories/AD20030318.html
2. VU#192995 - http://www.kb.cert.org/vuls/id/192995
3. VU#516825 - http://www.kb.cert.org/vuls/id/516825
4. RFC1831 - http://www.ietf.org/rfc/rfc1831.txt
5. RFC1832 - http://www.ietf.org/rfc/rfc1832.txt

_________________________________________________________________

Thanks to Riley Hassell of eEye Digital Security for discovering and reporting this vulnerability. Thanks also to Sun Microsystems for additional technical details.
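The xdrmem_getbytes() integer overflow described in section I, and the fix summarized by the glibc ChangeLog in Appendix A (x_handy changed from signed to unsigned, and no longer decremented before the check), as an added C example that is not part of the advisory or of any vendor's library. The stream struct, the function names (vulnerable_check_accepts, fixed_check_accepts, xdrmem_take, decode_opaque, decode_sample) and the two sample messages are constructed for this illustration. The vulnerable check reproduces the subtract-then-test shape that a signed x_handy allowed, which is an assumption about the original code drawn from the ChangeLog entries above; the opaque layout follows RFC 1832, listed in Appendix B.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of an XDR memory stream (not the library's own struct):
 * x_private is the next unread byte, x_handy the number of bytes left. */
typedef struct { const uint8_t *x_private; uint32_t x_handy; } XdrMem;

/* The check in the shape the vulnerable code used: x_handy signed, decremented
 * first, tested for < 0 afterwards. len is unsigned, so the subtraction wraps
 * modulo 2^32 back into the signed field: 100 left and len = 0xFFFFFF00 gives
 * 356 >= 0, accepted, and the real function would then memcpy() 0xFFFFFF00
 * bytes. Only the verdict is returned here; doing that copy would crash. */
static int vulnerable_check_accepts(int32_t x_handy, uint32_t len)
{
    int32_t remaining = (int32_t)((uint32_t)x_handy - len);
    return remaining >= 0;
}

/* Patched shape: x_handy unsigned and compared before any decrement. */
static int fixed_check_accepts(uint32_t x_handy, uint32_t len)
{
    return x_handy >= len;
}

/* Consume len bytes; returns a pointer to them, or NULL if fewer remain. */
static const uint8_t *xdrmem_take(XdrMem *xdrs, uint32_t len)
{
    const uint8_t *p = xdrs->x_private;
    if (!fixed_check_accepts(xdrs->x_handy, len))
        return NULL;                   /* x_handy is left unchanged */
    xdrs->x_private += len;
    xdrs->x_handy   -= len;
    return p;
}

/* Fixed xdrmem_getbytes(): copy len bytes out after the safe check. */
static int xdrmem_getbytes(XdrMem *xdrs, uint8_t *addr, uint32_t len)
{
    const uint8_t *p = xdrmem_take(xdrs, len);
    if (p == NULL) return 0;
    memcpy(addr, p, len);
    return 1;
}

/* XDR unsigned int: four bytes, big-endian (RFC 1832). */
static int xdrmem_getuint32(XdrMem *xdrs, uint32_t *v)
{
    uint8_t b[4];
    if (!xdrmem_getbytes(xdrs, b, 4)) return 0;
    *v = ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
         ((uint32_t)b[2] << 8)  |  (uint32_t)b[3];
    return 1;
}

/* XDR variable-length opaque: length, bytes, zero padding to a 4-byte
 * boundary. maxsize is the caller's limit as xdr_bytes() takes it; on
 * success *data points into the stream and *len holds the length. */
static int decode_opaque(XdrMem *xdrs, uint32_t maxsize,
                         const uint8_t **data, uint32_t *len)
{
    uint32_t n, padded;
    const uint8_t *p;
    if (!xdrmem_getuint32(xdrs, &n) || n > maxsize)
        return 0;
    padded = (n + 3u) & ~3u;                      /* RNDUP() */
    if (padded < n)                               /* round-up wrapped */
        return 0;
    if ((p = xdrmem_take(xdrs, padded)) == NULL)  /* beyond the stream */
        return 0;
    *data = p;
    *len = n;
    return 1;
}

/* Constructed sample messages, not captured traffic: a 5-byte opaque with
 * its padding, and a length field of 0xFFFFFF00 over four payload bytes. */
static const uint8_t SAMPLE_GOOD[] = { 0,0,0,5, 'h','e','l','l','o', 0,0,0 };
static const uint8_t SAMPLE_EVIL[] = { 0xFF,0xFF,0xFF,0x00, 'A','B','C','D' };

/* Decode one opaque from buf; returns its length, or -1 if rejected. */
static int decode_sample(const uint8_t *buf, uint32_t size, uint32_t maxsize,
                         const uint8_t **data)
{
    uint32_t len;
    XdrMem xdrs = { buf, size };
    return decode_opaque(&xdrs, maxsize, data, &len) ? (int)len : -1;
}

int main(void)
{
    const uint8_t *d;
    printf("vulnerable check accepts: %d, fixed check accepts: %d\n",
           vulnerable_check_accepts(100, 0xFFFFFF00u),
           fixed_check_accepts(100, 0xFFFFFF00u));
    printf("good sample: %d, evil sample: %d\n",
           decode_sample(SAMPLE_GOOD, sizeof SAMPLE_GOOD, UINT32_MAX, &d),
           decode_sample(SAMPLE_EVIL, sizeof SAMPLE_EVIL, UINT32_MAX, &d));
    return 0;
}
```

Compiled with any C99 compiler, the program reports that the signed check accepts a length of 0xFFFFFF00 with 100 bytes left while the unsigned check rejects it, and that the decoder returns 5 for the well-formed sample and -1 for the oversized one. The evil sample is deliberately decoded with maxsize set to UINT32_MAX: a caller's maxsize limit does not protect a getbytes routine that trusts its own byte count, so the comparison against the bytes actually remaining in the stream is the guard that matters.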
_________________________________________________________________

Authors: Chad Dougherty and Jeffrey Havrilla
______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2003-10.html
______________________________________________________________________

CERT/CC Contact Information

Email: cert em cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site
http://www.cert.org/

To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo em cert.org. Please include in the body of your message

subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
______________________________________________________________________

NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.
_________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2003 Carnegie Mellon University.

Revision History

Mar 19, 2003: Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBPni7vGjtSoHZUTs5AQEOgwQAyJow8nuWp5kard1CYquPxQM53+8cLCuF
45XFkhQgHCR4bjaf3+e+B6n4XyPcZWNF2rmCfEj11H1TVKkKKRZxJPRiNPZ9Tht1
iDAsy5kES7LwBowIsjMrPJl25M7JrKIRwyoO36UGD5xFPMopzlJGsxpCdr9Yo4nT
yfb381fVUWc=
=dAEv
-----END PGP SIGNATURE-----

From mieko em ccuec.unicamp.br Thu Mar 20 11:03:27 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Thu, 20 Mar 2003 11:03:27 -0300
Subject: [SECURITY-L] Fwd:CAIS-Alerta: CERT Advisory CA-2003-10 Integer Overflow In Sun RPC XDR library routines
Message-ID: <3E79CA2F.A365CEC7@ccuec.unicamp.br>

Subject: CAIS-Alerta: CERT Advisory CA-2003-10 Integer Overflow In Sun RPC XDR library routines
Date: Thu, 20 Mar 2003 10:49:12 -0300 (BRT)
From: Centro de Atendimento a Incidentes de Seguranca
To: rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br

-----BEGIN PGP SIGNED MESSAGE-----

Dear all,

CAIS is forwarding the alert published by CERT/CC, CERT Advisory CA-2003-10 Integer Overflow In Sun RPC XDR library routines, concerning a vulnerability in the XDR library that may allow a remote attacker to execute arbitrary code. Exploitation of the vulnerability may also result in denial of service (DoS) or in access to confidential information.

Affected systems:
. Sun Microsystems network services library (libnsl)
. BSD-derived libraries with XDR/RPC routines (libc)
. GNU C library with sunrpc (glibc)

Since this is a vulnerability in a widely used library, any application not listed in this alert but which uses the code in question may be vulnerable.
Available fixes:
Appendix A of the attached alert contains vendor-specific information about this problem.

Further information:
. http://www.cert.org/advisories/CA-2003-10.html
. http://www.kb.cert.org/vuls/id/516825

CVE identifiers: CAN-2003-0028 (http://cve.mitre.org)

CAIS recommends that administrators update their systems urgently.

Regards,

################################################################
#  CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA / RNP       #
#                                                              #
#  cais em cais.rnp.br              http://www.cais.rnp.br     #
#  Tel. 019-37873300                Fax. 019-37873301          #
#  PGP key available at: http://www.cais.rnp.br/cais-pgp.key   #
################################################################

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBPnnG3+kli63F4U8VAQHk4gP+M6NG2lumy37tAGJCrDb42J3eJvUs43Y4
E33rbnoW9tr0EmgwKEQRh2+Seky9wP8l6N49SeAY8XKcCOQ3/dl7y5Ji9u0PmJbK
5jOIarqmvpZqcHlz83gBljeuVYifCwSN7r+NFnULv8YIentVgXnJkJEE4k7FqWVK
TmHnHn6CjWI=
=JCOQ
-----END PGP SIGNATURE-----

From mieko em ccuec.unicamp.br Thu Mar 20 11:05:48 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Thu, 20 Mar 2003 11:05:48 -0300
Subject: [SECURITY-L] Fwd: CAIS-Alerta: Critical vulnerability in the Windows Script Engine (814078)
Message-ID: <3E79CABC.E46D9BE@ccuec.unicamp.br>

Subject: CAIS-Alerta: Critical vulnerability in the Windows Script Engine (814078)
Date: Thu, 20 Mar 2003 11:01:29 -0300 (BRT)
From: Centro de Atendimento a Incidentes de Seguranca
To: rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br

-----BEGIN PGP SIGNED MESSAGE-----

Dear all,

CAIS is forwarding the alert published by Microsoft, Microsoft Security Bulletin MS03-008: Flaw in Windows Script Engine Could Allow Code Execution (814078), which concerns a vulnerability in the implementation of the Windows Script Engine that may allow a remote attacker to execute arbitrary code.

Affected systems:
. Microsoft Windows 98
. Microsoft Windows 98 Second Edition
. Microsoft Windows Me
. Microsoft Windows NT 4.0
. Microsoft Windows NT 4.0 Terminal Server Edition
. Microsoft Windows 2000
. Microsoft Windows XP

Available fixes:
The fix consists of applying the patch recommended by Microsoft, available at the URLs listed below.
* Windows 98 and Windows 98 SE:
http://www.microsoft.com/windows98/downloads/contents/WUCritical/q814078/default.asp
* Windows Me:
http://windowsupdate.microsoft.com
* Windows NT 4.0:
http://microsoft.com/downloads/details.aspx?FamilyId=C6504FD9-5E2C-45BF-9424-55D7C5D2221B&displaylang=en
* Windows NT 4.0, Terminal Server Edition:
http://microsoft.com/downloads/details.aspx?FamilyId=C6504FD9-5E2C-45BF-9424-55D7C5D2221B&displaylang=en
* Windows 2000:
http://microsoft.com/downloads/details.aspx?FamilyId=824B1BD4-B4D6-49D5-8C58-199BDC731B64&displaylang=en
* Windows XP Home Edition and Professional Edition:
http://microsoft.com/downloads/details.aspx?FamilyId=824B1BD4-B4D6-49D5-8C58-199BDC731B64&displaylang=en

Further information:
http://www.microsoft.com/technet/security/bulletin/ms03-008.asp

CVE identifier: CAN-2003-0010 (http://cve.mitre.org)

CAIS recommends that administrators of Microsoft platforms keep their systems and applications up to date at all times.

Regards,

################################################################
#  CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA / RNP       #
#                                                              #
#  cais em cais.rnp.br              http://www.cais.rnp.br     #
#  Tel. 019-37873300                Fax. 019-37873301          #
#  PGP key available at: http://www.cais.rnp.br/cais-pgp.key   #
################################################################

- -------------------------------------------------------------------
Title:      Flaw in Windows Script Engine Could Allow Code Execution (814078)
Date:       19 March 2003
Software:   Microsoft Windows 98
            Microsoft Windows 98 Second Edition
            Microsoft Windows Me
            Microsoft Windows NT 4.0
            Microsoft Windows NT 4.0 Terminal Server Edition
            Microsoft Windows 2000
            Microsoft Windows XP
Impact:     Run Code of Attacker's Choice
Max Risk:   Critical
Bulletin:   MS03-008

Microsoft encourages customers to review the Security Bulletins at:
http://www.microsoft.com/technet/security/bulletin/MS03-008.asp
http://www.microsoft.com/security/security_bulletins/ms03-008.asp
- -------------------------------------------------------------------

Issue:
======
The Windows Script Engine provides Windows operating systems with the ability to execute script code. Script code can be used to add functionality to web pages, or to automate tasks within the operating system or within a program. Script code can be written in several different scripting languages, such as Visual Basic Script, or JScript.

A flaw exists in the way by which the Windows Script Engine for JScript processes information. An attacker could exploit the vulnerability by constructing a web page that, when visited by the user, would execute code of the attacker's choice with the user's privileges. The web page could be hosted on a web site, or sent directly to the user in email.

Although Microsoft has supplied a patch for this vulnerability and recommends all affected customers install the patch immediately, additional preventive measures have been provided that customers can use to help block the exploitation of this vulnerability while they are assessing the impact and compatibility of the patch.
These temporary workarounds are discussed in the "Workarounds" section in the Frequently Asked Questions section of the security bulletin for this release.

Mitigating Factors:
====================
- For an attack to be successful, the user would need to visit a website under the attacker's control or receive an HTML e-mail from the attacker.
- Computers configured to disable active scripting in Internet Explorer are not susceptible to this issue.
- Exploiting the vulnerability would allow the attacker only the same privileges as the user. Users whose accounts are configured to have few privileges on the system would be at less risk than ones who operate with administrative privileges.
- Automatic exploitation of the vulnerability by an HTML email would be blocked by Outlook Express 6.0 and Outlook 2002 in their default configurations, and by Outlook 98 and 2000 if used in conjunction with the Outlook Email Security Update.

Risk Rating:
============
- Critical

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the Security Bulletins at
  http://www.microsoft.com/technet/security/bulletin/ms03-008.asp
  http://www.microsoft.com/security/security_bulletins/ms03-008.asp
  for information on obtaining this patch.

- -------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
*******************************************************************

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBPnnJxOkli63F4U8VAQH4IgQAkbLS0hhsySkWwQs2qa+3aJOw6l1fntZw
yHzEu2nGwe56EPfzpJRDPAzVaeDps7YO5o5WdJvmdjRNYEav0i/hlm5f/suTRQkm
iaApJJzkC00hInepX7Yldoen5fHsjkGv4zDHe1NJQwrl5/d5wj8IUQAsukDadiX0
okSCtC4B3/M=
=x/yJ
-----END PGP SIGNATURE-----

From mieko em ccuec.unicamp.br Thu Mar 20 11:04:35 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Thu, 20 Mar 2003 11:04:35 -0300
Subject: [SECURITY-L] Fwd: CAIS-Alerta: Vulnerability in Microsoft ISA Server DNS (331065)
Message-ID: <3E79CA73.6D5DDBD0@ccuec.unicamp.br>

Subject: CAIS-Alerta: Vulnerability in Microsoft ISA Server DNS (331065)
Date: Thu, 20 Mar 2003 11:00:51 -0300 (BRT)
From: Centro de Atendimento a Incidentes de Seguranca
To: rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br

-----BEGIN PGP SIGNED MESSAGE-----

Dear all,

CAIS is forwarding the alert published by Microsoft, Microsoft Security Bulletin MS03-009: Flaw In ISA Server DNS Intrusion Detection Filter Can Cause Denial Of Service (331065), which concerns a vulnerability in the implementation of the ISA Server DNS intrusion detection filter that may allow an attacker to carry out a denial of service (DoS) attack.

Affected systems:
. Microsoft ISA Server

Available fixes:
The fix consists of applying the patch recommended by Microsoft, available at the URLs listed below.
* English: http://microsoft.com/downloads/details.aspx?FamilyId=F62127C5-51E3-4B34-A6D3-B9CF840358BD&displaylang=en
* French: http://microsoft.com/downloads/details.aspx?FamilyId=F62127C5-51E3-4B34-A6D3-B9CF840358BD&displaylang=fr
* German: http://microsoft.com/downloads/details.aspx?FamilyId=F62127C5-51E3-4B34-A6D3-B9CF840358BD&displaylang=de
* Spanish: http://microsoft.com/downloads/details.aspx?FamilyId=F62127C5-51E3-4B34-A6D3-B9CF840358BD&displaylang=es
* Japanese: http://microsoft.com/downloads/details.aspx?FamilyId=F62127C5-51E3-4B34-A6D3-B9CF840358BD&displaylang=ja

More information:
http://www.microsoft.com/technet/security/bulletin/ms03-009.asp

CVE identifier: CAN-2003-0011 (http://cve.mitre.org)

CAIS recommends that administrators of Microsoft platforms keep their systems and applications up to date at all times.

Regards,

################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA / RNP        #
#                                                              #
# cais em cais.rnp.br            http://www.cais.rnp.br         #
# Tel. 019-37873300             Fax. 019-37873301              #
# PGP key available at: http://www.cais.rnp.br/cais-pgp.key    #
################################################################

-------------------------------------------------------------------
Title:      Flaw In ISA Server DNS Intrusion Detection Filter Can Cause Denial Of Service (331065)
Date:       19 March 2003
Software:   Microsoft ISA Server
Impact:     Denial of Service
Max Risk:   Moderate
Bulletin:   MS03-009

Microsoft encourages customers to review the Security Bulletins at:
http://www.microsoft.com/technet/security/bulletin/MS03-009.asp
http://www.microsoft.com/security/security_bulletins/ms03-009.asp
-------------------------------------------------------------------

Issue:
======
Microsoft Internet Security and Acceleration (ISA) Server 2000 contains the ability to apply application filters to incoming traffic. Application filters allow ISA Server to analyze a data stream for a particular application and provide application-specific processing including inspecting, screening or blocking, redirecting, or modifying the data as it passes through the firewall. This mechanism is used to protect against invalid URLs which may indicate attempted attacks as well as attacks against internal Domain Name Service (DNS) Servers.

A flaw exists in the ISA Server DNS intrusion detection application filter, and results because the filter does not properly handle a specific type of request when scanning incoming DNS requests. An attacker could exploit the vulnerability by sending a specially formed request to an ISA Server computer that is publishing a DNS server, which could then result in a denial of service to the published DNS server. DNS requests arriving at the ISA Server would be stopped at the firewall, and not passed through to the internal DNS server. All other ISA Server functionality would be unaffected.

Mitigating Factors:
====================
- By default, no DNS servers are published. DNS server publishing must be manually enabled.
- The vulnerability would not enable an attacker to gain any privileges on an affected ISA Server or the published DNS server or to compromise any cached content on the server. It is strictly a denial of service vulnerability.

Risk Rating:
============
- Moderate

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the Security Bulletins at
  http://www.microsoft.com/technet/security/bulletin/ms03-009.asp
  http://www.microsoft.com/security/security_bulletins/ms03-009.asp
  for information on obtaining this patch.

*******************************************************************

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBPnnJoekli63F4U8VAQEcrgP/T07QyUHV6tsYgiRFKnTiIBaqO/JjCOV+
hn8ruCBEMvDGoV/JZtM/nKV30Wx8DFgEio4W2Fwj5eqy2YhWZz3PDjNBMBfs6qxw
jSIkLMNbpB2pYFL7kfaCDulutEBk2XQQOMmRszBCJA/vjyLItk3UlLuF3pNsHoOe
sPH15FZaXdY=
=tsNQ
-----END PGP SIGNATURE-----

From mieko em ccuec.unicamp.br Thu Mar 20 14:57:24 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Thu, 20 Mar 2003 14:57:24 -0300
Subject: [SECURITY-L] Security Vulnerabilities
Message-ID: <20030320175724.GA13946@ccuec.unicamp.br>

Dear users,

We have updated the website of the Unicamp Systems and Network Security Team (Equipe de Seguranca em Sistemas e Redes) with the following vulnerability bulletins:

20/03/2003
----------
CAIS-Alerta
Subject: Critical vulnerability in Windows Script Engine (814078)
http://www.security.unicamp.br/docs/bugs/2003/03/v53.txt

CAIS-Alerta
Subject: Vulnerability in Microsoft ISA Server DNS (331065)
http://www.security.unicamp.br/docs/bugs/2003/03/v52.txt

EnGarde Secure Linux Security Advisory (ESA-20030320-010)
Subject: Several vulnerabilities in the OpenSSL toolkit.
http://www.security.unicamp.br/docs/bugs/2003/03/v51.txt

CAIS-Alerta
Subject: CAIS-Alerta: CERT Advisory CA-2003-10 Integer Overflow In Sun RPC XDR library routines
http://www.security.unicamp.br/docs/bugs/2003/03/v50.txt

Red Hat Security Advisory (RHSA-2003:088-01)
Subject: New kernel 2.2 packages fix vulnerabilities
http://www.security.unicamp.br/docs/bugs/2003/03/v49.txt

19/03/2003
----------
RHN Errata Alert
Subject: Updated glibc packages fix vulnerabilities in RPC XDR decoder
http://www.security.unicamp.br/docs/bugs/2003/03/v48.txt

Microsoft Security Bulletin (MS03-008)
Subject: Flaw in Windows Script Engine Could Allow Code Execution (814078)
http://www.security.unicamp.br/docs/bugs/2003/03/v47.txt

Microsoft Security Bulletin (MS03-009)
Subject: Flaw In ISA Server DNS Intrusion Detection Filter Can Cause Denial Of Service (331065)
http://www.security.unicamp.br/docs/bugs/2003/03/v46.txt

SCO Security Advisory (CSSA-2003-013.0)
Subject: Linux: integer overflow vulnerability in XDR/RPC routines
http://www.security.unicamp.br/docs/bugs/2003/03/v45.txt

MIT krb5 Security Advisory (2003-003)
Subject: faulty length checks in xdrmem_getbytes
http://www.security.unicamp.br/docs/bugs/2003/03/v44.txt

Red Hat Security Advisory (RHSA-2003:089-00)
Subject: Updated glibc packages fix vulnerabilities in RPC XDR decoder
http://www.security.unicamp.br/docs/bugs/2003/03/v43.txt

SGI Security Advisory (20030302-01-I)
Subject: SMB/CIFS Security Vulnerability in Samba
http://www.security.unicamp.br/docs/bugs/2003/03/v42.txt

OpenSSL Security Advisory
Subject: Klima-Pokorny-Rosa attack on RSA in SSL/TLS
http://www.security.unicamp.br/docs/bugs/2003/03/v41.txt

--
Equipe de Seguranca em Sistemas e Redes
Unicamp - Universidade Estadual de Campinas
Mailto:security em unicamp.br
http://www.security.unicamp.br

From mieko em ccuec.unicamp.br Thu Mar 20 16:04:14 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Thu, 20 Mar 2003 16:04:14 -0300
Subject: [SECURITY-L] News Bulletins
Message-ID: <20030320190413.GA14011@ccuec.unicamp.br>

Dear users,

We have updated the website of the Unicamp Systems and Network Security Team (Equipe de Seguranca em Sistemas e Redes) with the following news bulletins and/or electronic magazines:

19/03/2003
----------
SANS NewsBites Vol. 5 Num. 11
Source: SANS
http://www.security.unicamp.br/docs/informativos/2003/03/b9.txt

17/03/2003
----------
SecurityFocus Newsletter #188
Source: Security Focus
http://www.security.unicamp.br/docs/informativos/2003/03/b8.txt

SANS Critical Vulnerability Analysis Vol 2 No 10
Source: SANS
http://www.security.unicamp.br/docs/informativos/2003/03/b7.txt

12/03/2003
----------
SANS NewsBites Vol. 5 Num. 10
Source: SANS
http://www.security.unicamp.br/docs/informativos/2003/03/b6.txt

10/03/2003
----------
Modulo Security News: No. 284: Learn about the dangers of Remote Access Trojans
Source: Modulo
http://www.security.unicamp.br/docs/informativos/2003/03/b5.txt

SecurityFocus Newsletter #187
Source: Security Focus
http://www.security.unicamp.br/docs/informativos/2003/03/b4.txt

05/03/2003
----------
SANS NewsBites Vol. 5 Num. 09
Source: SANS
http://www.security.unicamp.br/docs/informativos/2003/03/b3.txt

03/03/2003
----------
SecurityFocus Newsletter #186
Source: Security Focus
http://www.security.unicamp.br/docs/informativos/2003/03/b2.txt

SANS Critical Vulnerability Analysis Vol 2 No 08
Source: SANS
http://www.security.unicamp.br/docs/informativos/2003/03/b1.txt

--
Equipe de Seguranca em Sistemas e Redes
Unicamp - Universidade Estadual de Campinas
mailto:security em unicamp.br
http://www.security.unicamp.br

From mieko em ccuec.unicamp.br Fri Mar 21 08:48:16 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Fri, 21 Mar 2003 08:48:16 -0300
Subject: [SECURITY-L] Fwd: Ganda virus exploits messages about the USA
Message-ID: <3E7AFBFF.6059EADD@ccuec.unicamp.br>

Subject: Ganda virus exploits messages about the USA
Date: Fri, 21 Mar 2003 07:23:07 -0300
From: Andre Aparecido Nogueira

Thursday, 20 March 2003 - 17:59
*Source: IDG Now!*

"Is USA always number one?", "G.W Bush animation" and "Is USA a UFO?" are among the subject lines of the e-mails sent with the new W32/Ganda@MM virus, detected this Thursday (20/03) by McAfee Security. The threat, of Swedish origin, mass-mails itself to e-mail addresses found in the Windows Address Book.

When it infects a system, Ganda terminates certain processes running on the victim's machine and infects executable files, growing them by 567 bytes. Ganda also sends itself through the default SMTP server specified in the Internet Account Manager and picks its victims at random from the e-mail addresses collected from the infected machine.

The pest exploits a vulnerability in Microsoft Internet Explorer versions 5.01 or 5.5. Messages carrying the virus are written in English and Swedish and have subject lines such as:

Is USA always number one? ; LINUX. ; GO USA !!!! ; Nazi propaganda? ; Disgusting propaganda ; Spy pics ; Screensaver advice ; Catlover. ; G.W Bush animation ; Is USA a UFO?
; Olaglig_skärmsläckare? ; Hakkors. ; Rashets eller inte? ; Suspekta semaforer. ; Avskyvärd_reklam. ; Överviktiga_förnedras. ; Go ack ack ack.... ; Är_USA_ett_UFO? ; Korkad president. and Katt, hund, kanin.

In the body of the e-mail, the user may find the following messages:

# Some misguided people actually believe that an american life has a greater value than those of other nationalities. Just have a look at this pathetic screensaver and then you'll know what i'm talking about. All the best.

# Are you a windows user who is curious about the linux environment? This screensaver gives you a preview of the KDE and GNOME desktops. What's more, LINUX is a free system, meaning anyone can download it.

# Have a look at this screensaver, and then tell me that George.W Bush is not an alien ;-)

For now, McAfee rates Ganda as a low-risk threat given the number of infections, and advises users to update their antivirus software.

--
Andre Aparecido Nogueira
Faculdade de Eng. Agricola/UNICAMP        °v°
E-mail: mailto:andre em agr.unicamp.br   /(_)\
Be free, use Linux!                       ^ ^

From mieko em ccuec.unicamp.br Fri Mar 21 14:54:16 2003
From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Fri, 21 Mar 2003 14:54:16 -0300
Subject: [SECURITY-L] Fwd: Alan Cox fixes bug in Linux
Message-ID: <3E7B51C8.9A369D73@ccuec.unicamp.br>

Subject: Alan Cox fixes bug in Linux
Date: Fri, 21 Mar 2003 14:42:59 -0300
From: Andre Aparecido Nogueira

Alan Cox fixes bug in Linux
Friday, 21 March 2003 - 13:32

SÃO PAULO – Versions 2.2 and 2.4 of Linux have a security flaw that gives local users the possibility of taking control of the network. The alert was given in a message from Alan Cox, one of the original developers of Linux. Cox, who now works for Red Hat, says the vulnerability can be exploited within the local network, by an already registered user, but not remotely. According to him, the flaw does not affect version 2.5 of the kernel.

The fix for the source code is in Cox's own message, at: www.spinics.net/lists/kernel/msg162986.html .

Source: Carlos Machado, INFO

--
Andre Aparecido Nogueira
Faculdade de Eng. Agricola/UNICAMP        °v°
E-mail: mailto:andre em agr.unicamp.br   /(_)\
Be free, use Linux!                       ^ ^

From mieko em unicamp.br Fri Mar 21 17:56:09 2003
From: mieko em unicamp.br (Silvana Mieko Misuta)
Date: Fri, 21 Mar 2003 17:56:09 -0300
Subject: [SECURITY-L] Fwd: CAIS-Alerta: CERT Summary CS-2003-01
Message-ID: <3E7B7C69.DF7746F7@unicamp.br>

Subject: CAIS-Alerta: CERT Summary CS-2003-01
Date: Fri, 21 Mar 2003 17:38:47 -0300 (BRT)
From: Centro de Atendimento a Incidentes de Seguranca
To: rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br

-----BEGIN PGP SIGNED MESSAGE-----

Dear all,

CAIS is forwarding CERT Summary CS-2003-01, which summarizes the types of attacks and vulnerabilities most frequently reported to CERT/CC over the last three months. The document also includes references to articles, documents and other information that help in handling the security problems identified.

CAIS reminds administrators of the need to keep up with the security alerts published by vendors and by renowned organizations in the security field. Just as important as staying informed is keeping operating systems and applications up to date, in line with the latest available versions and fixes.

Regards,

CAIS - Centro de Atendimento a Incidentes de Seguranca / RNP

CERT Summary CS-2003-01
March 21, 2003

Each quarter, the CERT Coordination Center (CERT/CC) issues the CERT Summary to draw attention to the types of attacks reported to our incident response team, as well as other noteworthy incident and vulnerability information. The summary includes pointers to sources of information for dealing with the problems.

Past CERT summaries are available from:

CERT Summaries
http://www.cert.org/summaries/

______________________________________________________________________

Recent Activity

Since the last regularly scheduled CERT summary, issued in November 2002 (CS-2002-04), we have seen vulnerabilities in multiple Windows operating system components, vulnerabilities in several widely used pieces of server software, and a new piece of self-propagating malicious code.

For more current information on activity being reported to the CERT/CC, please visit the CERT/CC Current Activity page. The Current Activity page is a regularly updated summary of the most frequent, high-impact types of security incidents and vulnerabilities being reported to the CERT/CC. The information on the Current Activity page is reviewed and updated as reporting trends change.

CERT/CC Current Activity
http://www.cert.org/current/current_activity.html

1. Buffer Overflow Vulnerability in Core Windows DLL

A buffer overflow vulnerability exists in ntdll.dll. This vulnerability may allow a remote attacker to execute arbitrary code on the victim machine. An exploit is publicly available for this vulnerability, which increases the urgency that system administrators apply a patch. The CERT/CC strongly encourages sites running Windows to read CERT Advisory CA-2003-09, examine their systems for signs of compromise and apply the appropriate patch as soon as possible.
CERT Advisory CA-2003-09: Buffer Overflow Vulnerability in Core Windows DLL
http://www.cert.org/advisories/CA-2003-09.html

2. Remote Buffer Overflow in Sendmail

A vulnerability has been discovered in sendmail, the most popular mail transfer agent (MTA) in use on the Internet, that may allow remote attackers to gain the privileges of the sendmail daemon, typically root. This vulnerability is triggered by the contents of a specially-crafted email message rather than by lower-level network traffic. The CERT/CC has received reports of increased scanning for port 25/tcp (SMTP) and apparent attempts to exploit this vulnerability. Sites running sendmail are encouraged to read CERT Advisory CA-2003-07 and apply the appropriate patch.

Some other vendors have released patches for their MTA software which prevent the MTA from passing potentially malicious messages to other systems which may be running sendmail. We encourage sites to apply these patches if possible to help protect other servers on the Internet.

CERT Advisory CA-2003-07: Remote Buffer Overflow in Sendmail
http://www.cert.org/advisories/CA-2003-07.html

3. Increased Activity Targeting Windows Shares

Over the past few weeks, the CERT/CC has received an increasing number of reports of intruder activity involving the exploitation of Null (i.e., non-existent) or weak Administrator passwords on Server Message Block (SMB) file shares used on systems running Windows 2000 or Windows XP. This activity has resulted in the successful compromise of thousands of systems, with home broadband users' systems being a prime target. More information on this activity and the attack tools known to be involved is given in CERT Advisory CA-2003-08.

CERT Advisory CA-2003-08: Increased Activity Targeting Windows Shares
http://www.cert.org/advisories/CA-2003-08.html

4. Samba Contains Buffer Overflow in SMB/CIFS Packet Fragment Reassembly Code

A buffer overflow vulnerability has been discovered in Samba, a popular file and printer sharing tool. By exploiting this vulnerability a remote attacker may be able to execute arbitrary code with the privileges of the Super User, typically root. An updated version of Samba (2.2.8) has been released. The CERT/CC has not yet received reports of this vulnerability being exploited, but sites are strongly encouraged to examine their Samba servers and upgrade to the newest version if possible to eliminate the potential for exploitation.

Vulnerability Note VU#298233: Samba contains buffer overflow in SMB/CIFS packet fragment reassembly code
http://www.kb.cert.org/vuls/id/298233

5. MS-SQL Server Worm

The CERT/CC has received reports of self-propagating malicious code that exploits a vulnerability in the Resolution Service of Microsoft SQL Server 2000 and Microsoft Desktop Engine (MSDE) 2000. This worm has been referred to as the SQLSlammer, W32.Slammer, and Sapphire worm. The propagation of this malicious code has caused varied levels of network degradation across the Internet and the compromise of vulnerable machines. In January 2003, the CERT/CC issued an advisory describing the SQL Server Worm.

CERT Advisory CA-2003-04: MS-SQL Server Worm
http://www.cert.org/advisories/CA-2003-04.html

Administrators of all systems running Microsoft SQL Server 2000 and MSDE 2000 are encouraged to review CA-2002-22 and VU#484891. For detailed vendor recommendations regarding installing the patch see the following:

http://www.microsoft.com/technet/security/virus/alerts/slammer.asp

Six months earlier, the CERT/CC issued an advisory describing several serious vulnerabilities in Microsoft SQL Server that allow attackers to obtain sensitive information, alter database contents, and compromise server hosts.
CERT Advisory CA-2002-22: Multiple Vulnerabilities in Microsoft SQL Server
http://www.cert.org/advisories/CA-2002-22.html

6. Multiple Vulnerabilities in Implementations of the Session Initiation Protocol (SIP)

Numerous vulnerabilities have been reported in multiple vendors' implementations of the Session Initiation Protocol. These vulnerabilities may allow an attacker to gain unauthorized privileged access, cause denial-of-service attacks, or cause unstable system behavior. If your site uses SIP-enabled products in any capacity, the CERT/CC encourages you to read this advisory and follow the advice provided in the Solution section below.

CERT Advisory CA-2003-06: Multiple vulnerabilities in implementations of the Session Initiation Protocol (SIP)
http://www.cert.org/advisories/CA-2003-06.html

7. Multiple Vulnerabilities in SSH Implementations

Multiple vendors' implementations of the secure shell (SSH) transport layer protocol contain vulnerabilities that could allow a remote attacker to execute arbitrary code with the privileges of the SSH process or cause a denial of service. The vulnerabilities affect SSH clients and servers, and they occur before user authentication takes place.

CERT Advisory CA-2002-36: Multiple Vulnerabilities in SSH Implementations
http://www.cert.org/advisories/CA-2002-36.html

CERT Vulnerability Note VU#389665: Multiple vendors' SSH transport layer protocol implementations contain vulnerabilities in key exchange and initialization
http://www.kb.cert.org/vuls/id/389665

8. Buffer Overflow in Microsoft Windows Shell

A buffer overflow vulnerability exists in the Microsoft Windows Shell. An attacker can exploit this vulnerability by enticing a victim to read a malicious email message, visit a malicious web page, or browse to a folder containing a malicious .MP3 or .WMA file. The attacker can then execute arbitrary code with the privileges of the victim.

CERT Advisory CA-2002-37: Buffer Overflow in Microsoft Windows Shell
http://www.cert.org/advisories/CA-2002-37.html

9. Double-Free Bug in CVS Server

A "double-free" vulnerability in the Concurrent Versions System (CVS) server could allow an unauthenticated, remote attacker with read-only access to execute arbitrary code, alter program operation, read sensitive information, or cause a denial of service.

CERT Advisory CA-2003-02: Double-Free Bug in CVS Server
http://www.cert.org/advisories/CA-2003-02.html

10. Buffer Overflow in Windows Locator Service

A buffer overflow vulnerability in the Microsoft Windows Locator service could allow a remote attacker to execute arbitrary code or cause the Windows Locator service to fail. This service is enabled and running by default on Windows 2000 domain controllers and Windows NT 4.0 domain controllers. On January 23, 2003, the CERT/CC issued an advisory describing the vulnerabilities in Windows Locator Service and provided patch information.

CERT Advisory CA-2003-03: Buffer Overflow in Windows Locator Service
http://www.cert.org/advisories/CA-2003-03.html

______________________________________________________________________

A note about CERT Advisories and email filters

CERT advisories occasionally contain words that may trigger email filters. Please check your filters carefully to ensure proper delivery of our email notifications. If your service provider conducts filtering on your behalf, be aware that you may not receive some of our notifications.

______________________________________________________________________

What's New and Updated

Since the last CERT Summary, we have published new and updated:

* CERT/CC 2002 Annual Report
  http://www.cert.org/annual_rpts/cert_rpt_02.html
* Advisories
  http://www.cert.org/advisories/
* CERT/CC Statistics
  http://www.cert.org/stats/cert_stats.html
* Incident Notes
  http://www.cert.org/incident_notes
* Tech Tips
  http://www.cert.org/tech_tips/

______________________________________________________________________

This document is available from:
http://www.cert.org/summaries/CS-2003-01.html

______________________________________________________________________

CERT/CC Contact Information

Email: cert em cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
  CERT Coordination Center
  Software Engineering Institute
  Carnegie Mellon University
  Pittsburgh PA 15213-3890
  U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site
http://www.cert.org/

To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo em cert.org. Please include in the body of your message

subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.

______________________________________________________________________

NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis.
Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement. ______________________________________________________________________ Conditions for use, disclaimers, and sponsorship information Copyright ©2003 Carnegie Mellon University. -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.8 iQCVAwUBPnt4X+kli63F4U8VAQGFkwQApryHtMAKo548aG5C4u/qmZMNYc5rGyph Rg9paTmKnKpMqHEaS2cbbMbLXB5y+aTZtbfR+h5Jum6F81MV2NnxfrnbsQjnxrUb luPl3b4F4tHZYzc8l65Ske8tFK6iTkiOlNPGB48IJUzYKlJKn0QB5yzBtTbohqhs f2MlpdI6fo4= =KGwC -----END PGP SIGNATURE----- From mieko em ccuec.unicamp.br Mon Mar 24 13:45:22 2003 From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta) Date: Mon, 24 Mar 2003 13:45:22 -0300 Subject: [SECURITY-L] Vulnerabilidades de Seguranca Message-ID: <20030324164522.GA639@ccuec.unicamp.br> Srs. 
Usuarios, Atualizamos o site da Equipe de Seguranca em Sistemas e Redes da Unicamp com os seguintes boletins de vulnerabilidades: 21/03/2003 ---------- FreeBSD Security Advisory (FreeBSD-SA-03:06) Assunto: OpenSSL timing-based SSL/TLS attack http://www.security.unicamp.br/docs/bugs/2003/03/v69.txt CAIS-Alerta Assunto: CERT Summary CS-2003-01 http://www.security.unicamp.br/docs/bugs/2003/03/v68.txt EnGarde Secure Linux Security Advisory(ESA-20030321-010) Assunto: RPC XDR decoder vulnerability in glibc http://www.security.unicamp.br/docs/bugs/2003/03/v67.txt Gentoo Security Linux Announcement(200303-18) Assunto: multiple vulnerabilities in evolution http://www.security.unicamp.br/docs/bugs/2003/03/v66.txt RHN Errata Alert Assunto: Updated Evolution packages fix multiple vulnerabilities http://www.security.unicamp.br/docs/bugs/2003/03/v65.txt Debian Security Advisory (DSA 265-1) Assunto: Vulnerabiliade de Seguranca no pacote bonsai http://www.security.unicamp.br/docs/bugs/2003/03/v64.txt SuSE Security Announcement(SuSE-SA:2003:019) Assunto: local privilege escalation in ethereal http://www.security.unicamp.br/docs/bugs/2003/03/v63.txt SuSE Security Announcement(SuSE-SA:2003:018) Assunto: remote system compromise in qpopper http://www.security.unicamp.br/docs/bugs/2003/03/v62.txt SuSE Security Announcement(SuSE-SA:2003:017) Assunto: remote system compromise in file http://www.security.unicamp.br/docs/bugs/2003/03/v61.txt Gentoo Linux Security Announcement (200303-17) Assunto: ptrace flaw in kernel http://www.security.unicamp.br/docs/bugs/2003/03/v60.txt Red Hat Security Advisory(RHSA-2003:108-01) Assunto: Updated Evolution packages fix multiple vulnerabilities http://www.security.unicamp.br/docs/bugs/2003/03/v59.txt 20/03/2003 ---------- OpenPKG Security Advisory (OpenPKG-SA-2003.026) Assunto: information leakage in openssl http://www.security.unicamp.br/docs/bugs/2003/03/v58.txt OpenPKG Security Advisory (OpenPKG-SA-2003.025) Assunto: buffer overflow in IMAP client in 
mutt http://www.security.unicamp.br/docs/bugs/2003/03/v57.txt FreeBSD Security Advisory (FreeBSD-SA-03:05) Assunto: remote denial-of-service in XDR encoder/decoder in libc http://www.security.unicamp.br/docs/bugs/2003/03/v56.txt Gentoo Linux Security Announcement (200303-16) Assunto: dangerous interception of escape sequences in rxvt http://www.security.unicamp.br/docs/bugs/2003/03/v55.txt Gentoo Linux Security Announcement (200303-15) Assunto: timing based attack in openssl http://www.security.unicamp.br/docs/bugs/2003/03/v54.txt -- Equipe de Seguranca em Sistemas e Redes Unicamp - Universidade Estadual de Campinas Mailto:security em unicamp.br http://www.security.unicamp.br From mieko em ccuec.unicamp.br Tue Mar 25 09:14:38 2003 From: mieko em ccuec.unicamp.br (Silvana Mieko Misuta) Date: Tue, 25 Mar 2003 09:14:38 -0300 Subject: [SECURITY-L] Fwd:Projeto de lei =?iso-8859-1?q?prev=EA?=4 anos de =?iso-8859-1?q?pris=E3opara?=pirata de software Message-ID: <3E80482E.E58704AD@ccuec.unicamp.br> Subject: Projeto de lei prevê 4 anos de prisãopara pirata de software Date: Tue, 25 Mar 2003 07:27:55 -0300 From: Andre Aparecido Nogueira *Projeto de lei prevê 4 anos de prisão para pirata de software* Segunda-feira, 24 de Março de 2003 - 10h43 Fonte: A Câmara dos Deputados aprovou na quinta-feira (20/03), em Brasília, um projeto de lei (nº 2681/96) para combate à pirataria de direitos autorais, com mudanças nos Códigos Penal e de Processo Penal. Quem violar direito autoral pode pegar pena de dois a quatro anos de reclusão, além de multa. O projeto, que agora segue para o Senado Federal, refere-se à reprodução ilegal de músicas, vídeos, livros, obras de arte, programas de computador e inclui também qualquer tipo de violação de direitos autorais praticada pelo meio da Internet - redes ponto-a-ponto, como Kazaa e Gnutella, por exemplo. 
According to Agência Câmara, the penalty also applies to anyone who "offers or distributes the work to the public without the authorisation of the author or producer of the intellectual work". Seized material may be destroyed by court order, and the equipment used to produce it will be confiscated and may likewise be destroyed or donated.

The bill applies only to piracy for commercial purposes. Copies of intellectual works made for individual use are not classified as a crime against copyright, Agência Câmara reports.

-- 
Andre Aparecido Nogueira
Faculdade de Eng. Agricola/UNICAMP
E-mail: mailto:andre at agr.unicamp.br
Be free, use Linux!

From mieko at ccuec.unicamp.br Tue Mar 25 11:30:18 2003
From: mieko at ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Tue, 25 Mar 2003 11:30:18 -0300
Subject: [SECURITY-L] Security Vulnerabilities
Message-ID: <20030325143017.GA2706@ccuec.unicamp.br>

Dear users,

We have updated the website of Unicamp's Systems and Network Security Team with the following vulnerability bulletins:

24/03/2003
----------
RHN Errata Alert
Subject: Updated Evolution packages fix multiple vulnerabilities
http://www.security.unicamp.br/docs/bugs/2003/03/v81.txt

SGI Security Advisory (20030304-01-P)
Subject: Multiple Vulnerabilities and Enhancements in ftpd
http://www.security.unicamp.br/docs/bugs/2003/03/v80.txt

EnGarde Secure Linux Security Advisory (ESA-20030324-012)
Subject: root exploit in MySQL, MySQL-client, MySQL-shared
http://www.security.unicamp.br/docs/bugs/2003/03/v79.txt

Debian Security Advisory (DSA 267-1)
Subject: buffer overflow in lpr
http://www.security.unicamp.br/docs/bugs/2003/03/v78.txt

SuSE Security Announcement (SuSE-SA:2003:020)
Subject: remote system compromise in mutt
http://www.security.unicamp.br/docs/bugs/2003/03/v77.txt

Debian Security Advisory (DSA 266-1)
Subject: security vulnerability in the krb5 package
http://www.security.unicamp.br/docs/bugs/2003/03/v76.txt

Gentoo Linux Security Announcement (200303-21)
Subject: buffer overflow in bitchx
http://www.security.unicamp.br/docs/bugs/2003/03/v75.txt

Gentoo Linux Security Announcement (200303-20)
Subject: Klima-Pokorny-Rosa attack in openssl
http://www.security.unicamp.br/docs/bugs/2003/03/v74.txt

23/03/2003
----------
Samba
Subject: Samba-TNG 0.3.1 Security Release
http://www.security.unicamp.br/docs/bugs/2003/03/v73.txt

22/03/2003
----------
Gentoo Linux Security Announcement (200303-19)
Subject: buffer overflow in mutt
http://www.security.unicamp.br/docs/bugs/2003/03/v72.txt

21/03/2003
----------
SCO Security Advisory (CSSA-2003-014.0)
Subject: Linux: several recently discovered openssl vulnerabilities
http://www.security.unicamp.br/docs/bugs/2003/03/v71.txt

19/03/2003
----------
SCO Security Advisory (CSSA-2003-SCO.7)
Subject: UnixWare 7.1.1 Open UNIX 8.0.0: Several vulnerabilities in XDR/RPC routines
http://www.security.unicamp.br/docs/bugs/2003/03/v70.txt

-- 
Systems and Network Security Team
Unicamp - Universidade Estadual de Campinas
Mailto:security at unicamp.br
http://www.security.unicamp.br

From mieko at ccuec.unicamp.br Tue Mar 25 11:49:51 2003
From: mieko at ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Tue, 25 Mar 2003 11:49:51 -0300
Subject: [SECURITY-L] News Bulletin
Message-ID: <20030325144950.GA2731@ccuec.unicamp.br>

Dear users,

We have updated the website of Unicamp's Systems and Network Security Team with the following news bulletins and/or electronic magazines:

24/03/2003
----------
Modulo Security News No. 286: What does the Security Officer want?
Source: Modulo
http://www.security.unicamp.br/docs/informativos/2003/03/b12.txt

SecurityFocus Newsletter #189
Source: Security Focus
http://www.security.unicamp.br/docs/informativos/2003/03/b11.txt

SANS Critical Vulnerability Analysis Vol 2 No 11
Source: SANS
http://www.security.unicamp.br/docs/informativos/2003/03/b10.txt

-- 
Systems and Network Security Team
Unicamp - Universidade Estadual de Campinas
mailto:security at unicamp.br
http://www.security.unicamp.br

From mieko at ccuec.unicamp.br Wed Mar 26 11:46:52 2003
From: mieko at ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Wed, 26 Mar 2003 11:46:52 -0300
Subject: [SECURITY-L] Security Vulnerabilities
Message-ID: <20030326144651.GA4369@ccuec.unicamp.br>

Dear users,

We have updated the website of Unicamp's Systems and Network Security Team with the following vulnerability bulletins:

25/03/2003
----------
SCO Security Advisory (CSSA-2003-015.0)
Subject: Linux: apcupsd remote root vulnerability and buffer overflows
http://www.security.unicamp.br/docs/bugs/2003/03/v95.txt

Mandrake Linux Security Update Advisory (MDKSA-2003:037)
Subject: security vulnerability in the glibc package
http://www.security.unicamp.br/docs/bugs/2003/03/v94.txt

Mandrake Linux Security Update Advisory (MDKSA-2003:036)
Subject: security vulnerability in the netpbm package
http://www.security.unicamp.br/docs/bugs/2003/03/v93.txt

Mandrake Linux Security Update Advisory (MDKSA-2003:035)
Subject: security vulnerabilities in the openssl package
http://www.security.unicamp.br/docs/bugs/2003/03/v92.txt

Mandrake Linux Security Update Advisory (MDKSA-2003:034)
Subject: security vulnerabilities in the rxvt package
http://www.security.unicamp.br/docs/bugs/2003/03/v91.txt

Gentoo Linux Security Announcement (200303-24)
Subject: timing based attack in stunnel
http://www.security.unicamp.br/docs/bugs/2003/03/v90.txt

RHN Errata Alert
Subject: New samba packages fix security vulnerabilities
http://www.security.unicamp.br/docs/bugs/2003/03/v89.txt
SuSE Security Announcement (SuSE-SA:2003:021)
Subject: security vulnerability in the kernel
http://www.security.unicamp.br/docs/bugs/2003/03/v88.txt

Debian Security Advisory (DSA 268-1)
Subject: buffer overflow in mutt
http://www.security.unicamp.br/docs/bugs/2003/03/v87.txt

Gentoo Linux Security Announcement (200303-23)
Subject: timing based attack in mod_ssl
http://www.security.unicamp.br/docs/bugs/2003/03/v86.txt

Red Hat Security Advisory (RHSA-2003:095-02)
Subject: New samba packages fix security vulnerabilities
http://www.security.unicamp.br/docs/bugs/2003/03/v85.txt

Gentoo Linux Security Announcement (200303-22)
Subject: integer overflow in glibc
http://www.security.unicamp.br/docs/bugs/2003/03/v84.txt

24/03/2003
----------
APPLE (APPLE-SA-2003-03-24)
Subject: security vulnerabilities in the Samba and OpenSSL packages
http://www.security.unicamp.br/docs/bugs/2003/03/v83.txt

Adobe Systems
Subject: Digital signature for Adobe Acrobat/Reader plug-in can be forged
http://www.security.unicamp.br/docs/bugs/2003/03/v82.txt

-- 
Systems and Network Security Team
Unicamp - Universidade Estadual de Campinas
Mailto:security at unicamp.br
http://www.security.unicamp.br

From mieko at ccuec.unicamp.br Wed Mar 26 16:58:08 2003
From: mieko at ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Wed, 26 Mar 2003 16:58:08 -0300
Subject: [SECURITY-L] [cais@cais.rnp.br: CAIS-Alerta: Vulnerability in the Microsoft RPC Endpoint Mapper (331953)]
Message-ID: <20030326195808.GC4795@ccuec.unicamp.br>

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca -----

From: Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS-Alerta: Vulnerability in the Microsoft RPC Endpoint Mapper (331953)
To: rnp-alerta at cais.rnp.br, rnp-seg at cais.rnp.br
Date: Wed, 26 Mar 2003 16:53:10 -0300 (BRT)

Dear all,

CAIS is relaying the alert published by Microsoft, Microsoft Security Bulletin MS03-010: Flaw in RPC Endpoint Mapper Could Allow Denial of Service Attacks (331953), which concerns a vulnerability in the RPC Endpoint Mapper implementation that may allow a remote attacker to carry out a denial-of-service (DoS) attack.

Affected systems:
. Microsoft Windows NT 4
. Microsoft Windows 2000
. Microsoft Windows XP

Available fixes:

The fix consists of applying the patch recommended by Microsoft, available at the URLs listed below.

. Microsoft Windows 2000
  o All except Japanese NEC
    http://microsoft.com/downloads/details.aspx?FamilyId=BD55EB38-A5DE-4810-90F7-097C5B4B9919&displaylang=en
  o Japanese NEC
    http://microsoft.com/downloads/details.aspx?FamilyId=3F7DC0DA-A684-43A8-B2E3-1EEDEEDC822C&displaylang=ja
. Windows XP
  o 32-bit Edition
    http://microsoft.com/downloads/details.aspx?FamilyId=94213569-3258-4439-9AE7-5D86813B4D9E&displaylang=en
  o 64-bit Edition
    http://microsoft.com/downloads/details.aspx?FamilyId=E3FB88CF-FA48-4426-A4F8-D18D8D4D2295&displaylang=en

More information:
http://www.microsoft.com/technet/security/bulletin/ms03-010.asp

CVE identifier: CAN-2002-1561 (http://cve.mitre.org)

CAIS recommends that administrators of Microsoft platforms keep their systems and applications up to date at all times.

Regards,

################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA / RNP
# cais at cais.rnp.br   http://www.cais.rnp.br
# Tel. 019-37873300   Fax. 019-37873301
# PGP key available at: http://www.cais.rnp.br/cais-pgp.key
################################################################

----------------------------------------------------------------------
Title:     Flaw in RPC Endpoint Mapper Could Allow Denial of Service Attacks (331953)
Date:      26 March 2003
Software:  Microsoft(r) Windows(r) NT 4.0, Windows 2000, or Windows XP
Impact:    denial of service
Max Risk:  Important
Bulletin:  MS03-010

Microsoft encourages customers to review the Security Bulletins at:
http://www.microsoft.com/technet/security/bulletin/MS03-010.asp
http://www.microsoft.com/security/security_bulletins/ms03-010.asp
----------------------------------------------------------------------

Issue:
======
Remote Procedure Call (RPC) is a protocol used by the Windows operating system. RPC provides an inter-process communication mechanism that allows a program running on one computer to seamlessly execute code on a remote system. The protocol itself is derived from the OSF (Open Software Foundation) RPC protocol, but with the addition of some Microsoft-specific extensions.

There is a vulnerability in the part of RPC that deals with message exchange over TCP/IP. The failure results because of incorrect handling of malformed messages. This particular vulnerability affects the RPC Endpoint Mapper process, which listens on TCP/IP port 135. The RPC Endpoint Mapper allows RPC clients to determine the port number currently assigned to a particular RPC service.

To exploit this vulnerability, an attacker would need to establish a TCP/IP connection to the Endpoint Mapper process on a remote machine. Once the connection was established, the attacker would begin the RPC connection negotiation before transmitting a malformed message. At this point, the process on the remote machine would fail.

The RPC Endpoint Mapper process is responsible for maintaining the connection information for all of the processes on that machine using RPC. Because the Endpoint Mapper runs within the RPC service itself, exploiting this vulnerability would cause the RPC service to fail, with the attendant loss of any RPC-based services the server offers, as well as potential loss of some COM functions.

Microsoft has provided patches with this bulletin to correct this vulnerability for Windows 2000 and Windows XP. Although Windows NT 4.0 is affected by this vulnerability, Microsoft is unable to provide a patch for this vulnerability for Windows NT 4.0. The architectural limitations of Windows NT 4.0 do not support the changes that would be required to remove this vulnerability. Windows NT 4.0 users are strongly encouraged to employ the workaround discussed in the FAQ in the bulletin, which is to protect the NT 4.0 system with a firewall that blocks port 135.

Mitigating Factors:
====================
- To exploit this vulnerability, the attacker would require the ability to connect to the Endpoint Mapper running on the target machine. For intranet environments, the Endpoint Mapper would normally be accessible, but for Internet-connected machines, the port used by the Endpoint Mapper would normally be blocked by a firewall. In the case where this port is not blocked, or in an intranet configuration, the attacker would not require any additional privileges.

- Best practices recommend blocking all TCP/IP ports that are not actually being used. For this reason, most machines attached to the Internet should have port 135 blocked. RPC over TCP is not intended to be used in hostile environments such as the Internet.

- More robust protocols such as RPC over HTTP are provided for hostile environments. To learn more about securing RPC for client and server, please refer to http://msdn.microsoft.com/library/default.asp?url=/library/en-us/rpc/rpc/writing_a_secure_rpc_client_or_server.asp. To learn more about the ports used by RPC, please refer to http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/tcpip/part4/tcpappc.asp

- This vulnerability only permits a denial of service attack and does not provide an attacker with the ability to

Risk Rating:
============
Important

Patch Availability:
===================
A patch is available to fix this vulnerability. Please read the Security Bulletins at
http://www.microsoft.com/technet/security/bulletin/ms03-010.asp
http://www.microsoft.com/security/security_bulletins/ms03-10.asp
for information on obtaining this patch.

Acknowledgment:
===============
- Microsoft thanks jussi jaakonaho for reporting this issue to us and working with us to protect customers

----------------------------------------------------------------
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
*******************************************************************

----- End forwarded message -----

From mieko at ccuec.unicamp.br Wed Mar 26 16:57:38 2003
From: mieko at ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Wed, 26 Mar 2003 16:57:38 -0300
Subject: [SECURITY-L] [cais@cais.rnp.br: CAIS-Alerta: CERT Advisory CA-2003-11 Multiple Vulnerabilities in Lotus Notes and Domino]
Message-ID: <20030326195738.GB4795@ccuec.unicamp.br>

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca -----

From: Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS-Alerta: CERT Advisory CA-2003-11 Multiple Vulnerabilities in Lotus Notes and Domino
To: rnp-alerta at cais.rnp.br, rnp-seg at cais.rnp.br
Date: Wed, 26 Mar 2003 16:42:49 -0300 (BRT)

-----BEGIN PGP SIGNED MESSAGE-----

Dear all,

CAIS is relaying the alert published by CERT/CC, CERT Advisory CA-2003-11 Multiple Vulnerabilities in Lotus Notes and Domino, concerning multiple vulnerabilities identified in the Lotus Notes and Lotus Domino products.

Affected systems:
. Lotus Notes and Domino, versions prior to 5.0.12 and 6.0 Gold
. Vulnerability VU#571297 affects versions 5.0.12, 6.0.1 and earlier

Available fixes:

Most of the vulnerabilities have been resolved in Lotus Domino versions 5.0.12 and 6.0.1. Only VU#571297, "Lotus Notes and Domino COM Object Control Handler contains buffer overflow," is not resolved in 5.0.12 or 6.0.1. An additional fix for version 6.0.1 was made available on 18 March 2003.
http://www-10.lotus.com/ldd/r5fixlist.nsf/80bff5d07b4be477052569ce00710588/8bc951d3ff1e578385256ce10052a78a?OpenDocument

More information:
. http://www.cert.org/advisories/CA-2003-11.html
. http://www.kb.cert.org/vuls/id/571297

CAIS recommends that administrators update their systems urgently.
Regards,

################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA / RNP
# cais at cais.rnp.br   http://www.cais.rnp.br
# Tel. 019-37873300   Fax. 019-37873301
# PGP key available at: http://www.cais.rnp.br/cais-pgp.key
################################################################

CERT Advisory CA-2003-11 Multiple Vulnerabilities in Lotus Notes and Domino

Original release date: March 26, 2003
Last revised: --
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

* Lotus Notes and Domino versions prior to 5.0.12 and 6.0 Gold
* VU#571297 affects 5.0.12, 6.0.1 and prior versions.

Overview

Multiple vulnerabilities have been reported to affect Lotus Notes clients and Domino servers. Multiple reporters, the close timing, and some ambiguity caused confusion about what releases are vulnerable. We are issuing this advisory to help clarify the details of the vulnerabilities, the versions affected, and the patches that resolve these issues.

I. Description

In February 2003, NGS Software released several advisories detailing vulnerabilities affecting Lotus Notes and Domino. The following vulnerabilities reported by NGS Software affect versions of Lotus Domino prior to 5.0.12 and 6.0:

VU#206361 - Lotus iNotes vulnerable to buffer overflow via PresetFields FolderName field
  Lotus Technical Documentation: KSPR5HUQ59
  NGS Software's Advisory: NISR17022003b

VU#355169 - Lotus Domino Web Server vulnerable to denial of service via incomplete POST request
  Lotus Technical Documentation: KSPR5HTQHS
  NGS Software's Advisory: NISR17022003d

VU#542873 - Lotus iNotes vulnerable to buffer overflow via PresetFields s_ViewName field
  Lotus Technical Documentation: KSPR5HUPEK
  NGS Software's Advisory: NISR17022003b

VU#772817 - Lotus Domino Web Server vulnerable to buffer overflow via non-existent "h_SetReturnURL" parameter with an overly long "Host Header" field
  Lotus Technical Documentation: KSPR5HTLW6
  NGS Software's Advisory: NISR17022003a

The following vulnerability reported by NGS Software affects versions of Lotus Domino up to and including 5.0.12 and 6.0.1:

VU#571297 - Lotus Notes and Domino COM Object Control Handler contains buffer overflow
  Lotus Technical Documentation: SWG21104543
  NGS Software's Advisory: NISR17022003e

VU#571297 was originally reported as a vulnerability in an iNotes ActiveX control. The vulnerable code is not specific to iNotes or ActiveX. The iNotes ActiveX control was an attack vector for the vulnerability and is not the affected code base. Because this issue is not specific to ActiveX, Lotus Notes clients and Domino servers running on platforms other than Microsoft Windows may be affected.

In March 2003, Rapid7, Inc. released several advisories. The following vulnerabilities, reported by Rapid7, Inc., affect versions of Lotus Domino prior to 5.0.12:

VU#433489 - Lotus Domino Server susceptible to a pre-authentication buffer overflow during Notes authentication
  Lotus Technical Documentation: DBAR5CJJJS
  Rapid7, Inc.'s Advisory: R7-0010

VU#411489 - Lotus Domino Web Retriever contains a buffer overflow vulnerability
  Lotus Technical Documentation: KSPR5DFJTR
  Rapid7, Inc.'s Advisory: R7-0011

Rapid7, Inc. also discovered that pre-release and beta versions of Lotus Domino 6.0 were affected by the following vulnerability:

VU#583184 - Lotus Domino R5 Server Family contains multiple vulnerabilities in LDAP handling code
  Lotus Technical Documentation: DWUU4W6NC8
  Rapid7, Inc.'s Advisory: R7-0012

VU#583184 was a regression of the PROTOS LDAP Test-Suite from CA-2001-18 and was originally fixed in 5.0.7a.

II. Impact

The impact of these vulnerabilities ranges from denial of service to data corruption and the potential to execute arbitrary code. For details about the impact of a specific vulnerability, please see the related vulnerability note.

III. Solution

Upgrade

Most of these vulnerabilities are resolved in versions 5.0.12 and 6.0.1 of Lotus Domino. Only VU#571297, "Lotus Notes and Domino COM Object Control Handler contains buffer overflow," is not resolved in 5.0.12 or 6.0.1. Critical Fix 1 for 6.0.1 was released on March 18, 2003, to resolve this issue for both the Notes client and Domino server.

Apply a patch

Patches are available for some vulnerabilities. Please view the individual vulnerability notes for specific patch information.

Block access from outside the network perimeter

Lotus Domino servers listen on port 1352/TCP. Notes may also be configured to listen on other ports, such as NETBIOS, SPX, or XPC. Blocking access to these ports from machines outside your trusted network perimeter may help mitigate successful exploitation of these vulnerabilities.

Appendix A - References

1. http://www.kb.cert.org/vuls/id/571297
2. http://www.kb.cert.org/vuls/id/206361
3. http://www.ibm.com/Search?v=11

----- End forwarded message -----

From mieko at ccuec.unicamp.br Thu Mar 27 11:22:14 2003
From: mieko at ccuec.unicamp.br (Silvana Mieko Misuta)
Date: Thu, 27 Mar 2003 11:22:14 -0300
Subject: [SECURITY-L] Security Vulnerabilities
Message-ID: <20030327142214.GA5940@ccuec.unicamp.br>

Dear users,

We have updated the website of Unicamp's Systems and Network Security Team with the following vulnerability bulletins:

26/03/2003
----------
RHN Errata Alert (RHSA-2003:051-30)
Subject: Updated kerberos packages fix various vulnerabilities
http://www.security.unicamp.br/docs/bugs/2003/03/v107.txt

Microsoft Security Bulletin (MS03-010)
Subject: Flaw in RPC Endpoint Mapper Could Allow Denial of Service Attacks (331953)
http://www.security.unicamp.br/docs/bugs/2003/03/v106.txt

CAIS-Alerta
Subject: Vulnerability in the Microsoft RPC Endpoint Mapper (331953)
http://www.security.unicamp.br/docs/bugs/2003/03/v105.txt

CAIS-Alerta
Subject: CERT Advisory CA-2003-11 Multiple Vulnerabilities in Lotus Notes and Domino
http://www.security.unicamp.br/docs/bugs/2003/03/v104.txt

NetBSD Security Advisory (2003-008)
Subject: faulty length checks in xdrmem_getbytes
http://www.security.unicamp.br/docs/bugs/2003/03/v103.txt

NetBSD Security Advisory (2003-007)
Subject: (Another) Encryption weakness in OpenSSL code
http://www.security.unicamp.br/docs/bugs/2003/03/v102.txt

NetBSD Security Advisory (2003-005)
Subject: RSA timing attack in OpenSSL code
http://www.security.unicamp.br/docs/bugs/2003/03/v101.txt

NetBSD Security Advisory (2003-004)
Subject: Format string vulnerability in zlib gzprintf()
http://www.security.unicamp.br/docs/bugs/2003/03/v100.txt

CERT Advisory (CA-2003-11)
Subject: Multiple Vulnerabilities in Lotus Notes and Domino
http://www.security.unicamp.br/docs/bugs/2003/03/v99.txt

SuSE Security Announcement (SuSE-SA:2003:022)
Subject: remote system compromise in apcupsd
http://www.security.unicamp.br/docs/bugs/2003/03/v98.txt

Debian Security Advisory (DSA 269-1)
Subject: Cryptographic weakness in heimdal
http://www.security.unicamp.br/docs/bugs/2003/03/v97.txt

Corsaire Security Advisory
Subject: Symantec Enterprise Firewall (SEF) HTTP URL pattern evasion issue
http://www.security.unicamp.br/docs/bugs/2003/03/v96.txt

-- 
Systems and Network Security Team
Unicamp - Universidade Estadual de Campinas
Mailto:security at unicamp.br
http://www.security.unicamp.br
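Both the MS03-010 bulletin and CERT Advisory CA-2003-11 forwarded above end with the same network mitigation: block TCP/135 (the RPC Endpoint Mapper, the only workaround Microsoft offers for NT 4.0) and TCP/1352 (Domino/Notes) from machines outside the trusted perimeter. The script below is an added example, not part of any message in this archive nor of the Microsoft or CERT advisories. It verifies that mitigation from whatever network position it is run from by attempting only a TCP connect to each host and port and classifying the outcome as open (exposed), closed (host answers, nothing listening), or filtered (no answer, which is what a dropping firewall produces). It sends no RPC bind or Notes traffic, so it cannot trigger the fault the bulletin describes. The hostnames in the default target list and the loopback self-check are constructed for illustration.

```python
#!/usr/bin/env python3
"""Check whether TCP/135 (RPC Endpoint Mapper) and TCP/1352 (Domino/Notes)
are reachable from this host.  Added example for the advisories above; not
part of the mailing-list messages or of any vendor tooling.

Only a TCP handshake is attempted; no RPC or Notes bytes are sent, so the
check is safe against production hosts you are authorised to test.
"""
import socket
import sys
from dataclasses import dataclass

# Ports the two advisories say must be blocked from untrusted networks.
ADVISORY_PORTS = {
    135: "MS-RPC Endpoint Mapper (MS03-010)",
    1352: "Lotus Notes/Domino NRPC (CA-2003-11)",
}


@dataclass(frozen=True)
class PortResult:
    host: str
    port: int
    state: str    # "open" | "closed" | "filtered" | "unresolved"
    detail: str

    @property
    def exposed(self) -> bool:
        return self.state == "open"


def probe_tcp(host: str, port: int, timeout: float = 2.0) -> PortResult:
    """Classify one TCP connect attempt without speaking the service protocol.

    open       - handshake completed: the port is reachable from here
    closed     - RST received: host reachable, nothing listening (or a REJECT rule)
    filtered   - no answer or ICMP unreachable: typical of a DROP firewall rule
    unresolved - the name did not resolve
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return PortResult(host, port, "open", "TCP handshake completed")
    except socket.gaierror as exc:
        return PortResult(host, port, "unresolved", str(exc))
    except ConnectionRefusedError:
        return PortResult(host, port, "closed", "connection refused (RST)")
    except socket.timeout:
        return PortResult(host, port, "filtered", "no response within %.1fs" % timeout)
    except OSError as exc:
        # EHOSTUNREACH / ENETUNREACH and friends: also an unreachable path
        return PortResult(host, port, "filtered", exc.strerror or str(exc))


def check_exposure(hosts, ports=ADVISORY_PORTS, timeout: float = 2.0):
    """Probe every host on every advisory port; return the list of results."""
    return [probe_tcp(h, p, timeout) for h in hosts for p in ports]


def exposed_endpoints(results):
    """Return the (host, port) pairs that completed a handshake."""
    return [(r.host, r.port) for r in results if r.exposed]


def format_report(results) -> str:
    lines = []
    for r in results:
        flag = "EXPOSED" if r.exposed else "ok"
        lines.append("%-7s %s:%d %s - %s (%s)" % (
            flag, r.host, r.port, r.state,
            ADVISORY_PORTS.get(r.port, "custom port"), r.detail))
    return "\n".join(lines)


def localhost_selfcheck(timeout: float = 1.0):
    """Offline demonstration with a constructed listener on 127.0.0.1.

    Returns (state of a listening port, state of a closed port), i.e.
    ("open", "closed").  Loopback can never show "filtered", which is why
    the real check must be run from the untrusted side of the firewall.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))          # ephemeral port, stands in for a service
    listener.listen(1)
    open_port = listener.getsockname()[1]

    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                             # released: nothing listens here now

    try:
        return (probe_tcp("127.0.0.1", open_port, timeout).state,
                probe_tcp("127.0.0.1", closed_port, timeout).state)
    finally:
        listener.close()


if __name__ == "__main__":
    # Constructed default names; pass real hosts on the command line.
    targets = sys.argv[1:] or ["dc1.example.internal", "notes.example.internal"]
    report = check_exposure(targets)
    print(format_report(report))
    sys.exit(1 if exposed_endpoints(report) else 0)
```

Run it from outside the perimeter (or from a segment that should not reach the servers) and treat any EXPOSED line as a failed mitigation; a "closed" result still means the host is reachable and only the service is absent, so it is the "filtered" state that confirms the firewall is actually dropping the port. The non-zero exit status lets the check sit in a scheduled job.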