From security em unicamp.br Thu Sep 4 09:56:24 2003
From: security em unicamp.br (Security Team - UNICAMP)
Date: Thu, 4 Sep 2003 09:56:24 -0300
Subject: [SECURITY-L] Visual Basic bug opens PCs with Microsoft Office to hackers
Message-ID: <20030904125624.GA2610@unicamp.br>

----- Forwarded message from Caio Souza Mendes -----
From: Caio Souza Mendes
Subject: Visual Basic bug opens PCs with Microsoft Office to hackers
To: security em unicamp.br
Date: Wed, 3 Sep 2003 19:06:47 -0300 (ART)

03/09/2003 - 18h38
Visual Basic bug opens PCs with Microsoft Office to hackers
from Folha Online
http://www1.folha.uol.com.br/folha/informatica/ult124u13810.shtml

A critical flaw in VBA (Visual Basic for Applications) leaves computers running Microsoft Office vulnerable to hacker attacks. According to Microsoft, the bug occurs in the document verification process when the file is opened in an application on the server.

The vulnerability involves what specialists know as a "buffer overrun". A buffer is an area of the computer used for temporary data storage, and a "buffer overrun" is an attack in which the intruder exploits a vulnerable buffer and overwrites the program's code with his own data. If the code is overwritten with a new executable, it changes the way the program operates, making it run the attacker's way. It normally leads to the software crashing.

To have the PC compromised, the victim would have to open any document that uses VBA, such as an Excel spreadsheet, a PowerPoint presentation or a Word file sent to them by a hacker. If Word is used as the text editor in Outlook, the bait can also be an e-mail. But the user would need to reply to or forward the message.

VBA

Microsoft VBA is based on the Visual Basic development system. The programs that use VBA include various versions of Office (Word, Excel, PowerPoint), as well as Project, Publisher, Visio and Microsoft Business Solutions. The complete list of affected programs can be seen on Microsoft's update page: www.microsoft.com/technet/security/bulletin/MS03-037.asp. These programs use VBA to perform a range of functions, among them creating customized applications from existing software.
Fix

To get the fix for the flaw, visit Microsoft's update page.

----- End forwarded message -----

From security em unicamp.br Thu Sep 4 16:05:39 2003
From: security em unicamp.br (Security Team - UNICAMP)
Date: Thu, 4 Sep 2003 16:05:39 -0300
Subject: [SECURITY-L] Security vulnerabilities
Message-ID: <20030904190539.GA2816@unicamp.br>

Dear Users,

We have updated the site of the Unicamp Systems and Network Security Team with the following vulnerability bulletins:

28/08/2003
----------
CAIS-Alerta
Subject: Remote vulnerability in Sendmail.
http://www.security.unicamp.br/docs/bugs/2003/08/v76.txt

29/08/2003
----------
Conectiva Linux Security Announcement (CLA-2003:727)
Subject: remote vulnerability in sendmail.
http://www.security.unicamp.br/docs/bugs/2003/08/v77.txt

Conectiva Linux Security Announcement (CLA-2003:729)
Subject: multiple vulnerabilities in GDM.
http://www.security.unicamp.br/docs/bugs/2003/08/v78.txt

02/09/2003
----------
Conectiva Linux Update Announcement (CLA-2003:731)
Subject: fix for segmentation fault in proftpd.
http://www.security.unicamp.br/docs/bugs/2003/09/v1.txt

Conectiva Linux Update Announcement (CLA-2003:732)
Subject: index corruption in openldap.
http://www.security.unicamp.br/docs/bugs/2003/09/v2.txt

03/09/2003
----------
Microsoft Security Bulletin (MS03-036)
Subject: Buffer Overrun in WordPerfect Converter Could Allow Code Execution (827103).
http://www.security.unicamp.br/docs/bugs/2003/09/v3.txt

Microsoft Security Bulletin (MS03-038)
Subject: Unchecked buffer in Microsoft Access Snapshot Viewer Could Allow Code Execution (827104).
http://www.security.unicamp.br/docs/bugs/2003/09/v4.txt

Microsoft Security Bulletin (MS03-034)
Subject: Flaw in NetBIOS Could Lead to Information Disclosure (824105).
http://www.security.unicamp.br/docs/bugs/2003/09/v5.txt

Microsoft Security Bulletin (MS03-035)
Subject: Flaw in Microsoft Word Could Enable Macros to Run Automatically (827653).
http://www.security.unicamp.br/docs/bugs/2003/09/v6.txt

Microsoft Security Bulletin (MS03-037)
Subject: Flaw in Visual Basic for Applications Could Allow Arbitrary Code Execution (822715).
http://www.security.unicamp.br/docs/bugs/2003/09/v12.txt

04/09/2003
----------
CAIS-Alerta
Subject: Vulnerability in Microsoft NetBIOS (824105).
http://www.security.unicamp.br/docs/bugs/2003/09/v7.txt

CAIS-Alerta
Subject: Vulnerability in Microsoft Word (827653).
http://www.security.unicamp.br/docs/bugs/2003/09/v8.txt

CAIS-Alerta
Subject: Vulnerability in Microsoft WordPerfect Converter (827103).
http://www.security.unicamp.br/docs/bugs/2003/09/v9.txt

CAIS-Alerta
Subject: Vulnerability in Microsoft Access (827104).
http://www.security.unicamp.br/docs/bugs/2003/09/v10.txt

CAIS-Alerta
Subject: Vulnerability in Microsoft Visual Basic for Applications (822715).
http://www.security.unicamp.br/docs/bugs/2003/09/v11.txt

-- 
Equipe de Seguranca em Sistemas e Redes
Unicamp - Universidade Estadual de Campinas
Mailto:security em unicamp.br
http://www.security.unicamp.br

From security em unicamp.br Fri Sep 5 10:42:32 2003
From: security em unicamp.br (Security Team - UNICAMP)
Date: Fri, 5 Sep 2003 10:42:32 -0300
Subject: [SECURITY-L] MS fixes security flaws in Office
Message-ID: <20030905134232.GA4262@unicamp.br>

----- Forwarded message from Caio Souza Mendes -----
From: Caio Souza Mendes
Subject: MS fixes security flaws in Office
To: security em unicamp.br
Date: Thu, 4 Sep 2003 13:02:04 -0300 (ART)

MS fixes security flaws in Office
Wednesday, 3 September 2003 - 19h44

SÃO PAULO - Microsoft published five bulletins this Wednesday announcing security fixes for Office and for the NetBIOS network programming interface.

Bulletin MS03-034 warns of the possibility of an attack using the flaw in NetBIOS, an interface that can be used by programs on a local network. As a result, the attacker can obtain data in transit on the network. The problem affects Windows versions NT 4.0, 2000, XP and Server 2003. The fix is at www.infoexame.com.br/aberto/download/3494.shl.

The second bulletin, MS03-035, deals with a flaw in the macro security system of Word versions 97, 98 (Mac), 2000 and 2002. The problem also affects Works versions 2001, 2002 and 2003. Basically, a malicious programmer can create a document that bypasses Word's protection and automatically runs a macro in the program, which can delete, modify or add files to the system, as well as make it communicate with the internet. The fix is available at www.infoexame.com.br/aberto/download/3495.shl.

The problem addressed by bulletin MS03-036 also affects Word, as well as other Office products, including FrontPage and Publisher, in versions 97 through 2002. In this case, the security hole is in the module that converts WordPerfect files. A cracker can prepare a defective file and send it to the victim. Because of the flaw, the document, when opened, causes a memory overflow that opens the way for the intruder to run programs on the victim's machine. Fix: www.infoexame.com.br/aberto/download/3496.shl.
The flaw handled in bulletin MS03-038 is also in the Office area and specifically affects users of Snapshot Viewer, an optionally installed report viewer that allows Access documents to be viewed without having the database on the machine. A deliberately defective document can trigger the error and the compromise of the machine by the attacker. The fix is at www.infoexame.com.br/aberto/download/3498.shl.

The last flaw (MS03-037), located in the Visual Basic for Applications language, also affects MS-Office products. Of all of them, it is the only one classified by MS as critical. The attacker needs to create a special document to exploit the problem and get the victim to open that document. The intruder gains the ability to perform any task permitted to the user. Fix: www.infoexame.com.br/aberto/download/3497.shl.

Carlos Machado, from INFO
http://info.abril.com.br/aberto/infonews/092003/03092003-13.shl

----- End forwarded message -----

From security em unicamp.br Fri Sep 5 10:49:01 2003
From: security em unicamp.br (Security Team - UNICAMP)
Date: Fri, 5 Sep 2003 10:49:01 -0300
Subject: [SECURITY-L] PHP Security, part 1
Message-ID: <20030905134901.GB4262@unicamp.br>

----- Forwarded message from Caio Souza Mendes -----
From: Caio Souza Mendes
Subject: PHP Security, part 1
To: security em unicamp.br
Date: Thu, 4 Sep 2003 13:04:39 -0300 (ART)

PHP Security, part 1
Posted on Thursday, 4 September 2003 at 07:50:10 BRT by dms
http://www.secforum.com.br/article.php?sid=1792&mode=thread&order=0

First part of the article written by John Coggeshall for astalavista.com, showing some vital security issues when using PHP in your pages. Recommended reading.

Link: http://www.astalavista.com/code/php/misc/PHP-Security-Part-1.htm

----- End forwarded message -----

From security em unicamp.br Fri Sep 5 10:50:52 2003
From: security em unicamp.br (Security Team - UNICAMP)
Date: Fri, 5 Sep 2003 10:50:52 -0300
Subject: [SECURITY-L] PHP Security, part 2
Message-ID: <20030905135052.GC4262@unicamp.br>

----- Forwarded message from Caio Souza Mendes -----
From: Caio Souza Mendes
Subject: PHP Security, part 2
To: security em unicamp.br
Date: Thu, 4 Sep 2003 13:05:40 -0300 (ART)

PHP Security, part 2
Posted on Thursday, 4 September 2003 at 07:52:24 BRT by dms
http://www.secforum.com.br/article.php?sid=1793&mode=thread&order=0

Second part of the article written by John Coggeshall for astalavista.com, showing some vital security issues when using PHP in your pages. Recommended reading.

Link: http://www.astalavista.com/code/php/misc/PHP-Security-Part-2.htm

----- End forwarded message -----

From security em unicamp.br Mon Sep 8 11:13:51 2003
From: security em unicamp.br (Security Team - UNICAMP)
Date: Mon, 8 Sep 2003 11:13:51 -0300
Subject: [SECURITY-L] News bulletins
Message-ID: <20030908141351.GE299@unicamp.br>

Dear Users,

We have updated the site of the Unicamp Systems and Network Security Team with the following news bulletins and/or electronic magazines:

01/09/2003
----------
SANS Critical Vulnerability Analysis Vol 2 No 34
Source: SANS Institute
http://www.security.unicamp.br/docs/informativos/2003/09/b1.txt

Módulo Security News no. 307
Source: Módulo Security Solutions S/A
http://www.security.unicamp.br/docs/informativos/2003/09/b2.txt

03/09/2003
----------
SANS NewsBites Vol. 5 Num. 35
Source: SANS Institute
http://www.security.unicamp.br/docs/informativos/2003/09/b3.txt

08/09/2003
----------
SANS Critical Vulnerability Analysis Vol 2 No 35
Source: SANS Institute
http://www.security.unicamp.br/docs/informativos/2003/09/b4.txt

From daniela em ccuec.unicamp.br Wed Sep 10 10:23:43 2003
From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti Silva)
Date: Wed, 10 Sep 2003 10:23:43 -0300
Subject: [SECURITY-L] CERT Summary CS-2003-03
Message-ID: <20030910132343.GB4821@ccuec.unicamp.br>

----- Forwarded message from CERT Advisory -----
From: CERT Advisory
Subject: CERT Summary CS-2003-03
To: cert-advisory em cert.org
Date: Mon, 8 Sep 2003 14:51:30 -0400
Organization: CERT(R) Coordination Center - +1 412-268-7090

CERT Summary CS-2003-03
September 8, 2003

Each quarter, the CERT Coordination Center (CERT/CC) issues the CERT Summary to draw attention to the types of attacks reported to our incident response team, as well as other noteworthy incident and vulnerability information. The summary includes pointers to sources of information for dealing with the problems.

Past CERT summaries are available from:

   CERT Summaries
   http://www.cert.org/summaries/

______________________________________________________________________

Recent Activity

Since the last regularly scheduled CERT summary, issued in June 2003 (CS-2003-02), we have seen a large volume of reports related to a mass mailing worm, referred to as W32/Sobig.F, and have issued advisories on the exploitation of vulnerabilities in Microsoft's RPC implementation. The culmination of the RPC vulnerabilities resulted in the W32/Blaster Worm, which affected many Microsoft users. We have also reported on a vulnerability in the Cisco IOS interface as well as on multiple vulnerabilities in Microsoft Windows libraries and Internet Explorer.

For more current information on activity being reported to the CERT/CC, please visit the CERT/CC Current Activity page. The Current Activity page is a regularly updated summary of the most frequent, high-impact types of security incidents and vulnerabilities being reported to the CERT/CC. The information on the Current Activity page is reviewed and updated as reporting trends change.

   CERT/CC Current Activity
   http://www.cert.org/current/current_activity.html

1. W32/Sobig.F Worm

   On August 18, the CERT/CC began receiving a large volume of reports of a mass mailing worm, referred to as W32/Sobig.F, spreading on the Internet.
   The W32/Sobig.F worm is an e-mail borne malicious program with a specially crafted attachment that has a .pif extension. The W32/Sobig.F worm requires a user to execute the attachment either manually or by using an e-mail client that will open the attachment automatically. The CERT/CC has released an Incident Note on the W32/Sobig.F worm.

   CERT Incident Note IN-2003-03
   W32/Sobig.F Worm
   http://www.cert.org/incident_notes/IN-2003-03.html

2. Exploitation of Vulnerabilities in Microsoft RPC Interface

   In late July, the CERT/CC began receiving reports of widespread scanning and exploitation of two recently discovered vulnerabilities in Microsoft Remote Procedure Call (RPC) Interface. The CERT/CC released an advisory and a Vulnerability Note which described these vulnerabilities approximately two weeks prior to the reports of exploitation.

   CERT Advisory CA-2003-19
   Exploitation of Vulnerabilities in Microsoft RPC Interface
   http://www.cert.org/advisories/CA-2003-19.html

   CERT Advisory CA-2003-16
   Buffer Overflow in Microsoft RPC
   http://www.cert.org/advisories/CA-2003-16.html

   Vulnerability Note VU#568148
   Microsoft Windows RPC vulnerable to buffer overflow
   http://www.kb.cert.org/vuls/id/568148

   a. W32/Blaster Worm

      Shortly after we released multiple documents describing Microsoft RPC vulnerabilities, we began receiving reports of widespread activity related to a new piece of malicious code known as W32/Blaster. The W32/Blaster worm exploits a vulnerability in the Microsoft DCOM RPC interface. On August 11, the CERT/CC released an advisory on W32/Blaster. We also released step-by-step recovery tips for W32/Blaster.

      CERT Advisory CA-2003-20
      W32/Blaster Worm
      http://www.cert.org/advisories/CA-2003-20.html

      W32/Blaster Recovery tips
      http://www.cert.org/tech_tips/w32_blaster.html

   b. W32/Welchia

      Additionally, a worm was reported that attempted to exploit the same vulnerability as W32/Blaster.
      This worm, known alternately as 'W32/Welchia', 'W32/Nachi', or 'WORM_MS_BLAST.D', has been reported to kill and remove the msblast.exe artifact left behind by W32/Blaster, perform ICMP scanning to identify systems to target for exploitation, apply the patch from Microsoft (described in MS03-026), and reboot the system. The greatest impact of this worm appears to be the potential for denial-of-service conditions within an organization due to high levels of ICMP traffic.

3. Cisco IOS Interface Blocked by IPv4 Packet

   On July 16, the CERT/CC reported on a vulnerability in many versions of Cisco IOS that could allow an intruder to execute a denial-of-service attack against a vulnerable device. We also released a companion Vulnerability Note on the same topic.

   CERT Advisory CA-2003-15
   Cisco IOS Interface Blocked by IPv4 Packet
   http://www.cert.org/advisories/CA-2003-15.html

   Vulnerability Note VU#411332
   Cisco IOS Interface Blocked by IPv4 Packet
   http://www.kb.cert.org/vuls/id/411332

   Two days later we released an advisory which provided information about the availability of a public exploit for the Cisco IOS vulnerability.

   CERT Advisory CA-2003-17
   Exploit available for the Cisco IOS Interface Blocked Vulnerabilities
   http://www.cert.org/advisories/CA-2003-17.html

4. Vulnerabilities in Microsoft Windows Libraries and Internet Explorer

   During this quarter, there were a number of vulnerabilities reported in Microsoft Windows Libraries and within Internet Explorer. Below is a summary of those vulnerabilities.

   a. Buffer Overflow in Microsoft Windows HTML Conversion Library

      A buffer overflow vulnerability exists in a shared HTML conversion library included in Microsoft Windows. An attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service. On July 14, the CERT/CC issued an advisory describing this vulnerability.
      CERT Advisory CA-2003-14
      Buffer Overflow in Microsoft Windows HTML Conversion Library
      http://www.cert.org/advisories/CA-2003-14.html

      Vulnerability Note VU#823260
      Microsoft Windows HTML conversion library vulnerable to buffer overflow
      http://www.kb.cert.org/vuls/id/823260

   b. Integer Overflows in Microsoft Windows DirectX MIDI Library

      A set of integer overflows exists in a DirectX library included in Microsoft Windows. An attacker could exploit these vulnerabilities to execute arbitrary code or to cause a denial of service. On July 25, the CERT/CC issued an advisory describing these vulnerabilities.

      CERT Advisory CA-2003-18
      Integer Overflows in Microsoft Windows DirectX MIDI Library
      http://www.cert.org/advisories/CA-2003-18.html

      Vulnerability Note VU#561284
      Microsoft Windows DirectX MIDI library does not adequately validate Text or Copyright parameters in MIDI files
      http://www.kb.cert.org/vuls/id/561284

      Vulnerability Note VU#265232
      Microsoft Windows DirectX MIDI library does not adequately validate MThd track values in MIDI files
      http://www.kb.cert.org/vuls/id/265232

   c. Multiple Vulnerabilities in Microsoft Internet Explorer

      Microsoft Internet Explorer (IE) contains multiple vulnerabilities, the most serious of which could allow a remote attacker to execute arbitrary code with the privileges of the user running Internet Explorer. On August 26, the CERT/CC issued an advisory describing these vulnerabilities.
      CERT Advisory CA-2003-22
      Multiple Vulnerabilities in Microsoft Internet Explorer
      http://www.cert.org/advisories/CA-2003-22.html

      Vulnerability Note VU#205148
      Microsoft Internet Explorer does not properly evaluate Content-Type and Content-Disposition headers
      http://www.kb.cert.org/vuls/id/205148

      Vulnerability Note VU#865940
      Microsoft Internet Explorer does not properly evaluate "application/hta" MIME type referenced by DATA attribute of OBJECT element
      http://www.kb.cert.org/vuls/id/865940

      Vulnerability Note VU#548964
      Microsoft Windows BR549.DLL ActiveX control contains vulnerability
      http://www.kb.cert.org/vuls/id/548964

      Vulnerability Note VU#813208
      Internet Explorer does not properly render an input type tag
      http://www.kb.cert.org/vuls/id/813208

      Vulnerability Note VU#334928
      Microsoft Internet Explorer contains buffer overflow in Type attribute of OBJECT element on double-byte character set systems
      http://www.kb.cert.org/vuls/id/334928

5. Malicious Code Propagation and Antivirus Software Updates

   Recent reports to the CERT/CC have highlighted that the speed at which viruses are spreading is increasing and that users who were compromised may have been under the incorrect impression that merely having antivirus software installed was enough to protect them from all malicious code attacks. On July 14, the CERT/CC issued an Incident Note describing this trend.

   CERT Incident Note IN-2003-01
   Malicious Code Propagation and Antivirus Software Updates
   http://www.cert.org/incident_notes/IN-2003-01.html

______________________________________________________________________

New CERT Coordination Center (CERT/CC) PGP Key

On September 5, the CERT/CC issued a new PGP key, which should be used when sending sensitive information to the CERT/CC.
   CERT/CC PGP Public Key
   https://www.cert.org/pgp/cert_pgp_key.asc

   Sending Sensitive Information to the CERT/CC
   https://www.cert.org/contact_cert/encryptmail.html

______________________________________________________________________

What's New and Updated

Since the last CERT Summary, we have published new and updated

   * Advisories
     http://www.cert.org/advisories/

   * Vulnerability Notes
     http://www.kb.cert.org/vuls

   * CERT/CC Statistics
     http://www.cert.org/stats/cert_stats.html

   * Congressional Testimony
     http://www.cert.org/congressional_testimony

   * Incident Handling Certification
     http://www.cert.org/certification/

   * Training Schedule
     http://www.cert.org/training/

______________________________________________________________________

This document is available from:
http://www.cert.org/summaries/CS-2003-03.html

______________________________________________________________________

CERT/CC Contact Information

Email: cert em cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
   CERT Coordination Center
   Software Engineering Institute
   Carnegie Mellon University
   Pittsburgh PA 15213-3890
   U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
   http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site
   http://www.cert.org/

To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo em cert.org. Please include in the body of your message

   subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
______________________________________________________________________

NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

______________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright ©2003 Carnegie Mellon University.

----- End forwarded message -----

From security em unicamp.br Wed Sep 10 16:03:15 2003
From: security em unicamp.br (Security Team - UNICAMP)
Date: Wed, 10 Sep 2003 16:03:15 -0300
Subject: [SECURITY-L] CAIS-Alerta: Multiple vulnerabilities in the RPCSS service (824146)
Message-ID: <20030910190315.GA5343@unicamp.br>

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca -----
From: Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS-Alerta: Multiple vulnerabilities in the RPCSS service (824146)
To: rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br
Cc: Centro de Atendimento a Incidentes de Seguranca
Date: Wed, 10 Sep 2003 15:34:04 -0300 (BRT)

CAIS is relaying the Microsoft alert Microsoft Security Bulletin MS03-039: Buffer Overrun In RPCSS Service Could Allow Code Execution (824146), which covers three vulnerabilities in the Windows RPCSS service that may allow an attacker to execute arbitrary code with system privileges, or cause a denial of service of RPC.

The flaws result from incorrect handling of messages in the DCOM (Distributed Communication Object Model) interface within the RPCSS service. These vulnerabilities allow an attacker to send malformed messages to the RPCSS services.

We recall that the MSBlaster.D and Nachi worms recently used a vulnerability in the RPC service to spread. This alert is _not related_ to alert MS03-026, which reported the vulnerability used by those worms.

Affected systems:

. Microsoft Windows NT Workstation 4.0
. Microsoft Windows NT 4.0 Server
. Microsoft Windows NT 4.0, Terminal Server Edition
. Microsoft Windows 2000
. Microsoft Windows XP
. Microsoft Windows Server 2003

Available fixes:

The fix consists of applying the patch recommended by Microsoft, available at:

. Windows NT Workstation
  http://www.microsoft.com/downloads/details.aspx?FamilyId=7EABAD74-9CA9-48F4-8DB5-CF8C188879DA&displaylang=en

. Windows NT Server 4.0
  http://www.microsoft.com/downloads/details.aspx?FamilyId=71B6135C-F957-4702-B376-2DACCE773DC0&displaylang=en

. Windows NT Server 4.0, Terminal Server Edition
  http://www.microsoft.com/downloads/details.aspx?FamilyId=677229F8-FBBF-4FF4-A2E9-506D17BB883F&displaylang=en

. Windows 2000
  http://www.microsoft.com/downloads/details.aspx?FamilyId=F4F66D56-E7CE-44C3-8B94-817EA8485DD1&displaylang=en
. Windows XP
  http://www.microsoft.com/downloads/details.aspx?FamilyId=5FA055AE-A1BA-4D4A-B424-95D32CFC8CBA&displaylang=en

. Windows XP 64 bit Edition
  http://www.microsoft.com/downloads/details.aspx?FamilyId=50E4FB51-4E15-4A34-9DC3-7053EC206D65&displaylang=en

. Windows XP 64 bit Edition Version 2003
  http://www.microsoft.com/downloads/details.aspx?FamilyId=80AB25B3-E387-441F-9B6D-84106F66059B&displaylang=en

. Windows Server 2003
  http://www.microsoft.com/downloads/details.aspx?FamilyId=51184D09-4F7E-4F7B-87A4-C208E9BA4787&displaylang=en

. Windows Server 2003 64 bit Edition
  http://www.microsoft.com/downloads/details.aspx?FamilyId=80AB25B3-E387-441F-9B6D-84106F66059B&displaylang=en

More information:

. http://www.microsoft.com/technet/security/bulletin/ms03-039.asp
. http://xforce.iss.net/xforce/alerts/id/152

CVE identifier: CAN-2003-0715, CAN-2003-0528, CAN-2003-0605 (http://cve.mitre.org)

CAIS is already aware of the existence of malicious code that exploits the vulnerabilities described above.

CAIS strongly recommends that administrators of Microsoft platforms keep their systems and applications always up to date.

Sincerely,

################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA / RNP        #
#                                                              #
# cais em cais.rnp.br           http://www.cais.rnp.br         #
# Tel. 019-37873300             Fax. 019-37873301              #
# PGP key available at: http://www.cais.rnp.br/cais-pgp.key    #
################################################################

MS03-039
Buffer Overrun In RPCSS Service Could Allow Code Execution (824146)

Summary

Who should read this bulletin: Users running Microsoft ® Windows ®

Impact of vulnerability: Run code of attacker's choice

Maximum Severity Rating: Critical

Recommendation: System administrators should apply the security patch immediately

End User Bulletin: An end user version of this bulletin is available at: http://www.microsoft.com/security/security_bulletins/ms03-039.asp.
Protect your PC: Additional information on how you can help protect your PC is available at the following locations:

* End Users can visit http://www.microsoft.com/protect
* IT Professionals can visit http://www.microsoft.com/technet/security/tips/pcprotec.asp

Affected Software:

* Microsoft Windows NT Workstation 4.0
* Microsoft Windows NT Server® 4.0
* Microsoft Windows NT Server 4.0, Terminal Server Edition
* Microsoft Windows 2000
* Microsoft Windows XP
* Microsoft Windows Server 2003

Not Affected Software:

* Microsoft Windows Millennium Edition

Technical details

Technical description:

The fix provided by this patch supersedes the one included in Microsoft Security Bulletin MS03-026.

Remote Procedure Call (RPC) is a protocol used by the Windows operating system. RPC provides an inter-process communication mechanism that allows a program running on one computer to seamlessly access services on another computer. The protocol itself is derived from the Open Software Foundation (OSF) RPC protocol, but with the addition of some Microsoft specific extensions.

There are three identified vulnerabilities in the part of RPCSS Service that deals with RPC messages for DCOM activation: two that could allow arbitrary code execution and one that could result in a denial of service. The flaws result from incorrect handling of malformed messages. These particular vulnerabilities affect the Distributed Component Object Model (DCOM) interface within the RPCSS Service. This interface handles DCOM object activation requests that are sent from one machine to another.

An attacker who successfully exploited these vulnerabilities could be able to run code with Local System privileges on an affected system, or could cause the RPCSS Service to fail. The attacker could then be able to take any action on the system, including installing programs, viewing, changing or deleting data, or creating new accounts with full privileges.
To exploit these vulnerabilities, an attacker could create a program to send a malformed RPC message to a vulnerable system targeting the RPCSS Service.

Microsoft has released a tool that can be used to scan a network for the presence of systems which have not had the MS03-039 patch installed. More details on this tool are available in Microsoft Knowledge Base article 827363. This tool supersedes the one provided in Microsoft Knowledge Base article 826369. If the tool provided in Microsoft Knowledge Base Article 826369 is used against a system which has installed the security patch provided with this bulletin, the superseded tool will incorrectly report that the system is missing the patch provided in MS03-026. Microsoft encourages customers to run the latest version of the tool available in Microsoft Knowledge Base article 827363 to determine if their systems are patched.

Mitigating factors:

* Firewall best practices and standard default firewall configurations can help protect networks from remote attacks originating outside of the enterprise perimeter. Best practices recommend blocking all ports that are not actually being used. For this reason, most systems attached to the Internet should have a minimal number of the affected ports exposed. For more information about the ports used by RPC, visit the following Microsoft Web site:
  http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/tcpip/part4/tcpappc.asp

Severity Rating:

                                            Windows NT 4.0   Windows NT 4.0,            Windows 2000   Windows XP   Windows Server 2003
                                            Server           Terminal Server Edition
  Buffer Overrun Vulnerabilities            Critical         Critical                   Critical       Critical     Critical
  Denial of Service Vulnerability           None             None                       Important      None         None
  Aggregate Severity of all Vulnerabilities Critical         Critical                   Critical       Critical     Critical

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.
Vulnerability identifier:

  Buffer Overrun: CAN-2003-0715
  Buffer Overrun: CAN-2003-0528
  Denial of Service: CAN-2003-0605

Tested Versions:

Microsoft tested Windows Millennium Edition, Windows NT 4.0 Server, Windows NT 4.0 Terminal Services Edition, Windows 2000, Windows XP and Windows Server 2003 to assess whether they are affected by this vulnerability. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

----- End forwarded message -----

From security em unicamp.br Wed Sep 10 16:03:50 2003
From: security em unicamp.br (Security Team - UNICAMP)
Date: Wed, 10 Sep 2003 16:03:50 -0300
Subject: [SECURITY-L] News bulletins
Message-ID: <20030910190349.GB5343@unicamp.br>

Dear Users,

We have updated the site of the Unicamp Systems and Network Security Team with the following news bulletins and/or electronic magazines:

08/09/2003
----------
Módulo Security News no. 308
Source: Módulo Security Solutions S/A
http://www.security.unicamp.br/docs/informativos/2003/09/b5.txt

10/09/2003
----------
SANS NewsBites Vol. 5 Num. 36
Source: SANS Institute
http://www.security.unicamp.br/docs/informativos/2003/09/b6.txt

From security em unicamp.br Wed Sep 10 16:33:31 2003
From: security em unicamp.br (Security Team - UNICAMP)
Date: Wed, 10 Sep 2003 16:33:31 -0300
Subject: [SECURITY-L] Security vulnerabilities
Message-ID: <20030910193329.GC5343@unicamp.br>

Dear users,

We have updated the site of the Unicamp Systems and Network Security Team with the following vulnerability bulletins:

07/09/2003
----------
Debian Security Advisory (DSA 376-2)
Subject: security vulnerability in the exim package.
http://www.security.unicamp.br/docs/bugs/2003/09/v16.txt

Debian Security Advisory (DSA 378-1)
Subject: security vulnerability in the mah-jong package.
http://www.security.unicamp.br/docs/bugs/2003/09/v17.txt

08/09/2003
----------
CERT Summary CS-2003-03
http://www.security.unicamp.br/docs/bugs/2003/09/v18.txt

09/09/2003
----------
Red Hat Security Advisory (RHSA-2003:264-01)
Subject: Updated gtkhtml packages fix vulnerability.
http://www.security.unicamp.br/docs/bugs/2003/09/v19.txt

10/09/2003
----------
Microsoft Security Bulletin (MS03-039)
Subject: Buffer Overrun In RPCSS Service Could Allow Code Execution (824146).
http://www.security.unicamp.br/docs/bugs/2003/09/v20.txt

CAIS-Alerta
Subject: Multiple vulnerabilities in the RPCSS service (824146).
http://www.security.unicamp.br/docs/bugs/2003/09/v21.txt

--
Systems and Network Security Team
Unicamp - Universidade Estadual de Campinas
Mailto:security em unicamp.br
http://www.security.unicamp.br

From security em unicamp.br Mon Sep 15 10:30:17 2003
From: security em unicamp.br (Security Team - UNICAMP)
Date: Mon, 15 Sep 2003 10:30:17 -0300
Subject: [SECURITY-L] CAIS-Resumo: July to September 2003
Message-ID: <20030915133011.GB346@unicamp.br>

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca -----
From: Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS-Resumo: July to September 2003
To: rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br
Date: Fri, 12 Sep 2003 11:09:35 -0300 (BRT)

-----BEGIN PGP SIGNED MESSAGE-----

************************************************************************
CAIS Resumo
Alerts, vulnerabilities and security incidents
Quarterly publication of the Centro de Atendimento a Incidentes de Segurança of the Rede Nacional de Ensino e Pesquisa
July to September 2003
========================================================================

As the community working in the security area knows, CERT/CC publishes the CERT Summary every three months, summarizing the alerts, vulnerabilities and incidents of the preceding months. Analogously to the work done by CERT, CAIS publishes a separate document, the "CAIS Resumo", which follows the same philosophy but focuses on the data recorded by CAIS and on the reality of Brazilian networks.

This CAIS Resumo covers the alerts, vulnerabilities and other events that stood out in the security area in the third quarter of 2003.

________________________________________________________________________
HIGHLIGHTS

1. On June 27, CAIS published two alerts, the first related to the activity generated by Stumbler and its packets with a window size of 55808, and the second about the propagation of the Sobig.E virus.

2. On the same day, CAIS published a note on the increase in scams carried out by e-mail.

3. On July 3, CAIS published a note related to the "Defacers Challenge" hacker competition, which aimed to replace the content of thousands of pages on the Internet. The movement ended up being suppressed by denial-of-service attacks against its organizers and against the sites that were going to tally the defacements.

4.
On July 16, CAIS published an alert related to the RPC vulnerability in Microsoft Windows (MS03-026), which would later be used by the MSBlaster worm.

5. On July 18, CAIS relayed the third alert related to a vulnerability in Cisco equipment. This alert carried information on the existence of an exploit for the vulnerability described in CERT/CC alert CA-2003-15.

6. On August 11 the MSBlaster worm began to propagate, almost a month after Microsoft's alert was published. MSBlaster is estimated to have infected approximately 250,000 computers in its first hours of propagation.

7. On August 13, CAIS published a note related to the serious compromise of the ftp.gnu.org site, which serves as the repository for countless applications widely used by the Internet community.

8. On August 19 the Sobig.F virus began to propagate, with serious repercussions, significantly raising message traffic on the network.

9. On September 3, CAIS relayed 5 alerts involving several Microsoft products. Some of the reported vulnerabilities are extremely serious, since they involve applications that users do not update regularly, such as the Microsoft Office suite.

10. On September 10, CAIS relayed 2 alerts related to two new vulnerabilities in Microsoft's RPC. There is some concern among security specialists that these vulnerabilities will be exploited by new malicious activity, such as the propagation of a new worm.
________________________________________________________________________
ALERTS

The alerts published or relayed by CAIS with the greatest prominence and repercussion over the past three months of 2003 are listed below and are available at:
http://www.rnp.br/cais/alertas/2003/

Microsoft Security Bulletin MS03-039
Multiple vulnerabilities in the RPCSS service (824146)
[Microsoft, 10.09.2003]

CERT Advisory CA-2003-23
RPCSS Vulnerabilities in Microsoft Windows
[Cert, 10.09.2003]

CERT Summary CS-2003-03
[Cert, 08.09.2003]

Microsoft Security Bulletin MS03-038
Vulnerability in Microsoft Access (827104)
[Microsoft, 03.09.2003]

Microsoft Security Bulletin MS03-037
Vulnerability in Microsoft Visual Basic for Applications (822715)
[Microsoft, 03.09.2003]

Microsoft Security Bulletin MS03-036
Vulnerability in Microsoft WordPerfect Converter (827103)
[Microsoft, 03.09.2003]

Microsoft Security Bulletin MS03-035
Vulnerability in Microsoft Word (827653)
[Microsoft, 03.09.2003]

Microsoft Security Bulletin MS03-034
Vulnerability in Microsoft NetBIOS (824105)
[Microsoft, 03.09.2003]

CAIS Alert ALR-27082003
relays.osirusoft.com blacklist deactivated
[CAIS, 27.08.2003]

FreeBSD-SA-03:11.sendmail
Remote vulnerability in Sendmail
[FreeBSD, 26.08.2003]

CERT Advisory CA-2003-22
Multiple Vulnerabilities in Microsoft Internet Explorer
[Cert, 26.08.2003]

CAIS Alert ALR-22082003
Scheduled action of the Sobig.F virus
[CAIS, 22.08.2003]

CAIS Alert ALR-21082003
MSBlaster variant (Welchia or Nachi)
[CAIS, 21.08.2003]

Microsoft Security Bulletin MS03-033
Vulnerability in Microsoft MDAC (823718)
[Microsoft, 20.08.2003]

Microsoft Security Bulletin MS03-032
Cumulative Patch for Internet Explorer (822925)
[Microsoft, 20.08.2003]

CAIS Alert ALR-19082003
Propagation of the W32.Sobig.F@mm virus
[CAIS, 19.08.2003]

CERT Advisory CA-2003-21
GNU Project FTP Server Compromise
[Cert, 14.08.2003]

The Free Software Foundation
Compromise of FTP.GNU.ORG
[The Free Software Foundation,
13.08.2003]

CERT Advisory CA-2003-20
W32/Blaster worm
[Cert, 12.08.2003]

CAIS Alert ALR-11082003
Propagation of the Blaster worm (DCOM RPC)
[CAIS, 11.08.2003]

Red Hat Security Advisory RHSA-2003:245-15
Buffer overflow in Wu-ftpd
[Red Hat, 31.07.2003]

CERT Advisory CA-2003-19
Exploitation of Microsoft RPC vulnerabilities
[Cert, 31.07.2003]

Sun(sm) Alert Notification (Sun Alert ID: 55680)
Vulnerability in the Solaris runtime linker ld.so.1(1)
[Sun, 29.07.2003]

CAIS Alert ALR-25072003
Update to the MS03-026 alert
[CAIS, 25.07.2003]

CERT Advisory CA-2003-18
Integer Overflows in Microsoft Windows DirectX MIDI Library
[Cert, 25.07.2003]

Microsoft Security Bulletin MS03-031
Cumulative Patch for Microsoft SQL Server (815495)
[Microsoft, 23.07.2003]

Microsoft Security Bulletin MS03-030
Vulnerability in DirectX (819696)
[Microsoft, 23.07.2003]

Microsoft Security Bulletin MS03-029
Flaw in Windows allows denial of service (823803)
[Microsoft, 23.07.2003]

CERT Advisory CA-2003-17
Exploit available for the Cisco IOS Interface Blocked
[Cert, 18.07.2003]

Cisco Security Advisory
Cisco IOS Interface Blocked by IPv4 Packet
[Cisco, 17.07.2003]

CERT Advisory CA-2003-16
Buffer Overflow in Microsoft RPC
[Cert, 17.07.2003]

Microsoft Security Bulletin MS03-028
Flaw in the error pages generated by Microsoft ISA Server (816456)
[Microsoft, 16.07.2003]

Microsoft Security Bulletin MS03-027
Vulnerability in the Windows Shell (821557)
[Microsoft, 16.07.2003]

Microsoft Security Bulletin MS03-026
Vulnerability in Microsoft RPC (823980)
[Microsoft, 16.07.2003]

CERT Advisory CA-2003-15
Cisco IOS Interface Blocked by IPv4 Packet
[Cert, 16.07.2003]

CERT Advisory CA-2003-14
Buffer Overflow in Microsoft Windows HTML Conversion Library
[Cert, 14.07.2003]

Microsoft Security Bulletin MS03-023
Vulnerability in the Windows HTML converter (823559)
[Microsoft, 09.07.2003]

CAIS Alert ALR-03072003
Attacks scheduled for 06/07/2003
[CAIS, 03.07.2003]

CERT Incident Note
IN-2003-01
Propagation of malicious code and updating of antivirus applications (IN-2003-01)
[Cert, 02.07.2003]

CAIS Alert ALR-27062003b
Proliferation of e-mail scams
[CAIS, 27.06.2003]

CAIS Alert ALR-27062003a
Propagation of the Sobig.E virus
[CAIS, 27.06.2003]

CAIS Alert ALR-27062003
Activity generated by Stumbler (Trojan 55808)
[CAIS, 27.06.2003]

Microsoft Security Bulletin MS03-022
Vulnerability in the Windows Media Services ISAPI Extension (822343)
[Microsoft, 25.06.2003]

Microsoft Security Bulletin MS03-021
Vulnerability in Windows Media Player 9 (819639)
[Microsoft, 25.06.2003]

CAIS Resumo RES-022003
Alerts, vulnerabilities and security incidents
[CAIS, 11.06.2003]

________________________________________________________________________
CAIS IN THE MEDIA

Listed below are some reports, articles and interviews given by the CAIS team, related to the topics highlighted above:

"Third CERT Summary of the year published" - CAIS/RNP stresses the importance of reading this document.
http://www.modulo.com.br/pt/page_i.jsp?page=3&catid=7&objid=2293&pagenumber=0&idiom=0

"August: the month of the crazy worm" - article written by Renata Teixeira, of CAIS.
http://informatica.terra.com.br/interna/0,,OI135825-EI559,00.html
http://www.infoguerra.com.br/infonews/viewnews.cgi?newsid1062005478,103,

"Anti-spam tools for the end user on Windows platforms" - article written by CAIS technicians, published in the Newsgeneration bulletin.
http://www.rnp.br/newsgen/0305/antispam.shtml

"Valor Econômico quotes CAIS manager in a report on the profile of information security managers"
http://www.rnp.br/noticias/imprensa/2003/not-imp-030819.html

"Do you install patches?" Renata Teixeira, of CAIS, writes about installing patches.
http://www.infoguerra.com.br/infonews/viewnews.cgi?newsid1060943212,69663,/

"Blaster virus exploits recent Windows flaw"
http://informatica.terra.com.br/interna/0,5862,OI131136-EI559,00.html

"Security center warns of trojan activity"
http://www.infoguerra.com.br/infoguerra.php?newsid=1056786135,13683,/

"CAIS/RNP reports proliferation of e-mail scams"
http://www.modulo.com.br/index.jsp?page=3&catid=7&objid=2074&pagecounter=0&idiom=0

"CAIS/RNP alert: beware of coordinated attacks over the weekend"
http://www.modulo.com.br/comum/docs_iii_pv.jsp?catid=7&objid=2091&idiom=0&pagenumber=0

"CAIS/RNP releases second 'CAIS-Resumo' of 2003"
http://www.modulo.com.br/pt/page_i.jsp?page=3&catid=7&objid=2019&pagenumber=0&idiom=0

________________________________________________________________________
NOTES

CAIS stresses that keeping systems and applications up to date, following a security policy and educating users are some of the recommended practices for reducing the risk of compromise of your network, besides contributing to the security of the Internet as a whole.

CAIS recommends that administrators stay aware of and attentive to the alerts, fixes and updates made available by vendors and by renowned bodies in the security area.

========================================================================
CAIS
Centro de Atendimento a Incidentes de Segurança
Rede Nacional de Ensino e Pesquisa
http://www.cais.rnp.br
cais em cais.rnp.br
(19) 3787-3300
(19) 3787-3301 [fax]
CAIS PGP key available at: http://www.rnp.br/cais/cais-pgp.key

Regards,

################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA / RNP        #
#                                                              #
# cais em cais.rnp.br          http://www.cais.rnp.br          #
# Tel. 019-37873300            Fax.
019-37873301               #
# PGP key available at: http://www.cais.rnp.br/cais-pgp.key    #
################################################################

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBP2HTp+kli63F4U8VAQG+wwP+IDyRJ9BAfjiMZDZ7EB782FJvXRM+vYWX
/Eh3iviIP1lQg0zLD89iiArqPIOt2xnPcl/zI/wuwQhkiQBFL99TTUB45JrjPoWb
2ar4dvZrj6UwWBKCTHKGKCuSv9gn/knmMgcKcWkI2r9w0D+QXf+906aBQ156MjO+
TRBbVkeX2AM=
=m9nB
-----END PGP SIGNATURE-----

----- End forwarded message -----

From security em unicamp.br Mon Sep 15 10:29:48 2003
From: security em unicamp.br (Security Team - UNICAMP)
Date: Mon, 15 Sep 2003 10:29:48 -0300
Subject: [SECURITY-L] OpenBSD 3.3 -- root may override security level
Message-ID: <20030915132948.GA346@unicamp.br>

----- Forwarded message from Klaus Steding-Jessen -----

From: Klaus Steding-Jessen
Subject: [S] OpenBSD 3.3 -- root may override security level
To: seguranca em pangeia.com.br
Date: Wed, 10 Sep 2003 20:47:59 -0300

To: security-announce em openbsd.org
Subject: OpenBSD 3.3 -- root may override security level
Date: Wed, 10 Sep 2003 17:18:47 -0600
From: "Todd C. Miller"

[ Please note: this bug affects OpenBSD 3.3 only. Prior versions do not have runtime-configurable semaphore limits. ]

It is possible for root to raise the value of the seminfo.semmns and seminfo.semmsl sysctls to values sufficiently high such that an integer overflow occurs. This can allow root to write to kernel memory irrespective of the security level. The default security level on OpenBSD is 1 ("secure mode") which does not allow writing to /dev/mem and /dev/kmem. It may be possible for a root user to exploit this bug to reduce the security level itself.

The impact of this bug is quite low for most systems since it is only useful to an attacker who already has root on the local system with the expertise to modify the running kernel.

Thanks to blexim for finding this bug and notifying us.

The problem has been fixed in the OpenBSD 3.3-stable branch. In addition, a patch is available for OpenBSD 3.3:
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/003_sysvsem.patch

----- End forwarded message -----

From security em unicamp.br Mon Sep 15 10:30:48 2003
From: security em unicamp.br (Security Team - UNICAMP)
Date: Mon, 15 Sep 2003 10:30:48 -0300
Subject: [SECURITY-L] chkrootkit 0.42 announcement
Message-ID: <20030915133047.GC346@unicamp.br>

----- Forwarded message from Nelson Murilo -----
From: Nelson Murilo
Subject: [S] [ chkrootkit 0.42 announcement ]
To: seguranca em pangeia.com.br
Date: Fri, 12 Sep 2003 21:06:39 -0300

chkrootkit 0.42 is available. This version includes:

* chkdirs.c
  - BSDI support (thanks to Thomas Davidson)
* chkproc.c
  - fixed (thanks to Bill DuPree)
* chklastlog.c
  - extra "\n" removed
* chkrootkit
  - FreeBSD 5.x support
  - fixes for problems with HPUX
  - ifpromisc fixed for Linux 2.4.x kernels
  - fixes for the -r option (thanks to Jeremy H. Brown)
  - new rootkits detected
    - Shkit
    - Suckit (additions)
  - minor bug fixes

chkrootkit is a tool that locally checks for signs of a rootkit. More information about chkrootkit and rootkits can be found at: http://www.chkrootkit.org/.

The package was tested successfully on the following systems: Linux 2.0.x, 2.2.x, 2.4.x and 2.6.x, FreeBSD 2.2.x, 3.x, 4.x and 5.x, OpenBSD 2.x and 3.x, NetBSD 1.5.2 and 1.6.x, Solaris 2.5.1, 2.6 and 8.0, HP-UX 11, Tru64 and BSDI.

The complete package and its MD5 signature are available at:

* ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.tar.gz
* ftp://ftp.pangeia.com.br/pub/seg/pac/chkrootkit.md5

or on the official page:

* http://www.chkrootkit.org/

More information about rootkits can be found at:

* http://www.chkrootkit.org/index.html#related_links

----- End forwarded message -----

From security em unicamp.br Tue Sep 16 16:51:08 2003
From: security em unicamp.br (Security Team - UNICAMP)
Date: Tue, 16 Sep 2003 16:51:08 -0300
Subject: [SECURITY-L] ***IMPORTANT***[cais@cais.rnp.br: CAIS-Alerta: Remote vulnerability in OpenSSH]
Message-ID: <20030916195108.GA2707@unicamp.br>

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca -----
From: Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS-Alerta: Remote vulnerability in OpenSSH
To: rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br
Date: Tue, 16 Sep 2003 14:23:37 -0300 (BRT)

-----BEGIN PGP SIGNED MESSAGE-----

Dear all,

CAIS is relaying the OpenSSH alert, OpenSSH Security Advisory: buffer.adv, which deals with a vulnerability in sshd caused by a buffer management error that may allow a remote attacker to execute arbitrary code.

* Affected systems
  . All UNIX/Linux systems running versions prior to 3.7

* Available fixes:
  . OpenBSD
    ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/openssh-3.7.tgz
  . Other UNIX/Linux systems
    ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.7p1.tar.gz

If it is not possible to update OpenSSH to version 3.7, the attached patch must be applied to the source code of the earlier version. After applying the patch, the OpenSSH binaries must be recompiled.

* More information
  http://www.openssh.com/txt/buffer.adv
  http://www.openssh.com/security.html

CAIS recommends that administrators keep their systems and applications always up to date, in line with the latest versions and fixes made available by vendors.

Regards,

################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA / RNP        #
#                                                              #
# cais em cais.rnp.br          http://www.cais.rnp.br          #
# Tel. 019-37873300            Fax. 019-37873301               #
# PGP key available at: http://www.cais.rnp.br/cais-pgp.key    #
################################################################

This is the 1st revision of the Advisory.

This document can be found at: http://www.openssh.com/txt/buffer.adv

1. Versions affected:

All versions of OpenSSH's sshd prior to 3.7 contain a buffer management error. It is uncertain whether this error is potentially exploitable, however, we prefer to see bugs fixed proactively.

2.
Solution: Upgrade to OpenSSH 3.7 or apply the following patch. Appendix: Index: buffer.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/buffer.c,v retrieving revision 1.16 retrieving revision 1.17 diff -u -r1.16 -r1.17 - --- buffer.c 26 Jun 2002 08:54:18 -0000 1.16 +++ buffer.c 16 Sep 2003 03:03:47 -0000 1.17 @@ -69,6 +69,7 @@ void * buffer_append_space(Buffer *buffer, u_int len) { + u_int newlen; void *p; if (len > 0x100000) @@ -98,11 +99,13 @@ goto restart; } /* Increase the size of the buffer and retry. */ - - buffer->alloc += len + 32768; - - if (buffer->alloc > 0xa00000) + + newlen = buffer->alloc + len + 32768; + if (newlen > 0xa00000) fatal("buffer_append_space: alloc %u not supported", - - buffer->alloc); - - buffer->buf = xrealloc(buffer->buf, buffer->alloc); + newlen); + buffer->buf = xrealloc(buffer->buf, newlen); + buffer->alloc = newlen; goto restart; /* NOTREACHED */ } -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.8 iQCVAwUBP2dHIekli63F4U8VAQHn+wQAwU1vUg/mHIp5t31S303zDeZYkSSLRUN2 RZewff2ESghfPI3s7UZTskxttghBNp3ZWolBcmfAAvTPx3AF2RsuGo0t6woPCloP USrqWZMm6shmtxpd/ivTyUAhHkNwwUcfmzg6FLgNmRPx+UK0LcnQV37RRCKtE6iD 72+mqecw1/Q= =hAB6 -----END PGP SIGNATURE----- ----- End forwarded message ----- From security em unicamp.br Tue Sep 16 16:53:35 2003 From: security em unicamp.br (Security Team - UNICAMP) Date: Tue, 16 Sep 2003 16:53:35 -0300 Subject: [SECURITY-L] [cais@cais.rnp.br: CAIS-Alerta: Vulnerabilidade remota no Solaris Solstice AdminSuite] Message-ID: <20030916195335.GB2707@unicamp.br> ----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca ----- 
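Review bot: the reordering in the buffer.c hunk above is the whole fix, and the invariant it relies on deserves a comment in the code. Before the change, `buffer->alloc += len + 32768;` ran before the `> 0xa00000` check, so on the failing branch `fatal()` was entered with a recorded size that no longer matched the real allocation of `buffer->buf`; any cleanup that trusts `buffer->alloc` then walks past the end of the block. With `newlen` computed first and `buffer->alloc = newlen;` assigned only after `xrealloc` returns, the recorded size and the real size agree at every point where `fatal()` can fire. What the hunk does not say is why `newlen = buffer->alloc + len + 32768` cannot wrap as an unsigned add: it depends on the earlier `if (len > 0x100000)` rejection visible in the context and on `alloc` never having exceeded the `0xa00000` cap on a previous pass, and a one-line comment next to the expression would make that explicit for the next reader. Note also that the `fatal()` message now reports `newlen` rather than the old `buffer->alloc`, which is the more useful number but changes the log line. Finally, the copy quoted here is inside a PGP clearsigned message, so every leading `-` is dash-escaped (`- --- buffer.c`, `- - buffer->alloc += ...`); apply the patch from http://www.openssh.com/txt/buffer.adv, not from this message, or un-escape it first.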
From: Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS-Alerta: Remote vulnerability in Solaris Solstice AdminSuite
To: rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br
Date: Tue, 16 Sep 2003 15:27:28 -0300 (BRT)

-----BEGIN PGP SIGNED MESSAGE-----

Dear all,

CAIS is relaying the iDEFENSE alert, iDEFENSE Security Advisory 09.16.03: Remote Root Exploitation of Default Solaris sadmind Setting, which deals with a vulnerability in the Solstice AdminSuite module present on Solaris systems. This vulnerability may allow a local or remote attacker to obtain super-user (root) privileges.

The problem described in the alert is not new. What is new is that an exploit using the vulnerability has been developed and is circulating on the Internet.

Affected systems:

. SPARC Platform
  Solaris 7 and Trusted Solaris 7
  Solaris 8 and Trusted Solaris 8
  Solaris 9
. x86 Platform
  Solaris 7 and Trusted Solaris 7
  Solaris 8 and Trusted Solaris 8
  Solaris 9

Systems that have sadmind(1M) enabled in inetd.conf with strong authentication (-S 2) are _not_ affected by this problem.

To determine whether sadmind(1M) is enabled on your system, run the following command:

$ grep sadmind /etc/inet/inetd.conf
100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind

Available fixes:

There is no fix for this vulnerability; vulnerable systems must follow one of Sun's two recommendations to work around the problem:

- To disable sadmind(1M) on a Solaris system:

1. Edit the file "/etc/inetd.conf" and comment out the following line with the "#" character:

100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind

so that it reads:

#100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind

2. inetd must be restarted by running the following command:

/usr/bin/pkill -HUP inetd

- To enable strong authentication in sadmind(1M) on a Solaris system:

1.
Edit the file "/etc/inetd.conf" and add "-S 2" to the end of the sadmind line, as follows:

100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind -S 2

2. inetd must be restarted by running the following command:

/usr/bin/pkill -HUP inetd

* More information

. iDEFENSE Security Advisory 09.16.03
  http://www.idefense.com/advisory/09.16.03.txt

. Security Issue Involving the Solaris sadmind(1M) Daemon
  Free Sun Alert Notifications: 56740
  http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F56740

CVE identifier: CAN-2003-0722 (http://cve.mitre.org)

CAIS recommends that administrators keep their systems and applications always up to date, in line with the latest versions and fixes made available by vendors.

Regards,

################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA / RNP        #
#                                                              #
# cais em cais.rnp.br          http://www.cais.rnp.br          #
# Tel. 019-37873300            Fax. 019-37873301               #
# PGP key available at: http://www.cais.rnp.br/cais-pgp.key    #
################################################################

iDEFENSE Security Advisory 09.16.03:
http://www.idefense.com/advisory/09.16.03.txt

Remote Root Exploitation of Default Solaris sadmind Setting

September 16, 2003

I. BACKGROUND

Solstice AdminSuite is a set of tools packaged by Sun Microsystems Inc. in its Solaris operating system to help administrators manage systems remotely, centralize configuration information and monitor software usage. The sadmind daemon is used by Solstice AdminSuite applications to perform these distributed system administration operations. The sadmind daemon is typically installed and enabled in a default Solaris installation.

II. DESCRIPTION

An exploit has surfaced that allows remote attackers to execute arbitrary commands with super-user privileges against Solaris hosts running the default RPC authentication scheme in Solstice AdminSuite.
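The check CAIS describes above (grep the sadmind line out of /etc/inet/inetd.conf, see whether it is commented out, and whether it ends in -S 2) is easy to get wrong by eye across many hosts: a commented-out line still matches grep, and "-S 1" looks like "-S 2" at a glance. The following C program is an added example, not code from CAIS, iDEFENSE or Sun. It classifies the sadmind entry of an inetd.conf given as a string into absent, disabled, weak or strong, treating only "-S 2" as strong, exactly as the alert states; everything else, including the flag-less default, is the vulnerable AUTH_SYS setting. The sample configurations are constructed for this example, and the enum and function names are this example's own.

```c
/* Added example (not part of the CAIS or iDEFENSE advisories): classify the
 * sadmind entry of an inetd.conf the way the alert above says to check it by
 * hand.  Input is the file contents as a string so the samples can be inline. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

enum sadmind_state {
    SADMIND_ABSENT   = 0,  /* no sadmind line at all                       */
    SADMIND_DISABLED = 1,  /* line present but commented out with '#'       */
    SADMIND_WEAK     = 2,  /* enabled without "-S 2": AUTH_SYS, vulnerable */
    SADMIND_STRONG   = 3   /* enabled with "-S 2": AUTH_DES                */
};

/* Constructed sample configurations, not taken from any real host. */
static const char SAMPLE_DEFAULT[] =
    "# inetd.conf (constructed sample)\n"
    "ftp\tstream\ttcp\tnowait\troot\t/usr/sbin/in.ftpd\tin.ftpd\n"
    "100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind\n";
static const char SAMPLE_DISABLED[] =
    "#100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind\n";
static const char SAMPLE_STRONG[] =
    "100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind -S 2\n";
static const char SAMPLE_LEVEL1[] =
    "100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind -S 1\n";

/* True if the line carries the "-S 2" (or "-S2") argument and nothing else
 * after the 2, so "-S 20" or "-S 1" do not count. */
static int has_strong_flag(const char *line)
{
    const char *p = line;
    while ((p = strstr(p, "-S")) != NULL) {
        const char *q = p + 2;
        while (*q == ' ' || *q == '\t')
            q++;
        if (*q == '2' && (q[1] == '\0' || isspace((unsigned char)q[1])))
            return 1;
        p += 2;
    }
    return 0;
}

/* Walk the file line by line; an active weak line wins over anything else,
 * a commented-out line only counts if no active line was seen. */
enum sadmind_state classify_sadmind(const char *inetd_conf)
{
    enum sadmind_state state = SADMIND_ABSENT;
    const char *line = inetd_conf;

    while (*line != '\0') {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        char buf[512];
        const char *s;

        if (len >= sizeof buf)
            len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';

        s = buf;
        while (isspace((unsigned char)*s))
            s++;

        /* The RPC service line for sadmind is the one running /usr/sbin/sadmind. */
        if (strstr(s, "/usr/sbin/sadmind") != NULL) {
            if (*s == '#') {
                if (state == SADMIND_ABSENT)
                    state = SADMIND_DISABLED;
            } else if (!has_strong_flag(s)) {
                return SADMIND_WEAK;          /* worst case: stop here */
            } else {
                state = SADMIND_STRONG;
            }
        }
        line = nl ? nl + 1 : line + len;
    }
    return state;
}

int main(void)
{
    static const char *names[] = { "absent", "disabled", "weak (AUTH_SYS)", "strong (AUTH_DES)" };
    printf("default config : %s\n", names[classify_sadmind(SAMPLE_DEFAULT)]);
    printf("commented out  : %s\n", names[classify_sadmind(SAMPLE_DISABLED)]);
    printf("-S 2           : %s\n", names[classify_sadmind(SAMPLE_STRONG)]);
    printf("-S 1           : %s\n", names[classify_sadmind(SAMPLE_LEVEL1)]);
    return 0;
}
```

To run it against a real host, read /etc/inet/inetd.conf into a string and pass it to classify_sadmind(); anything other than SADMIND_DISABLED or SADMIND_STRONG is a host that still needs one of the two workarounds above.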
This weakness is documented to some extent in Sun documentation, http://docs.sun.com/db/doc/816-0211/6m6nc676b?a=view .

By sending a sequence of specially crafted Remote Procedure Call (RPC) requests to the sadmind daemon, an attacker can exploit this vulnerability to gain unauthorized root access to a vulnerable system. The sadmind daemon defaults to weak authentication (AUTH_SYS), making it possible for a remote attacker to send a sequence of specially crafted RPC packets to forge the client identity. After the identity has been successfully forged, the attacker can invoke a feature within the daemon itself to execute a shell as root or, depending on the forged credential, any other valid user of the system. The daemon will execute the program of the attacker's choice; for example, spawning a reverse-network shell back to the attacker for input/output control. Under certain circumstances, a reverse-network shell could allow for the attacker to bypass firewalls and/or filters.

III. ANALYSIS

Because the nature of the weakness exists on the application level, successful exploitation does not require the use of machine-specific code, nor does it require any previous knowledge of the target's architecture. Therefore, any local or remote attacker could execute commands as root on a vulnerable system running the sadmind service. By default, sadmind is installed and started at system boot time on most default and fully patched installations of Solaris. While many other vendors rely on SUNRPC related routines from Sun, this design issue is confined to Sun's sadmind authentication implementation in Solaris. The most inherent threat is if this exploit becomes packaged into a cross-platform worm were it to become publicly available.

IV. DETECTION

An exploit has been obtained and demonstrated in real-world conditions on systems running Solaris or Trusted Solaris operating systems running sadmind.
Default installations of SunOS 5.3 through 5.9 (Solaris 2.x, 7, 8, 9) on both the SPARC and x86 platforms are susceptible. In addition, versions 7 and 8 of Trusted Solaris on both the SPARC and x86 platforms are susceptible to exploitation. Exploitation occurs through an initial request through UDP or TCP port 111 (sunrpc).

V. WORKAROUNDS

For Solaris hosts that do not require the Solstice AdminSuite related services, disable the sadmind service by commenting out the appropriate line in /etc/inetd.conf. Make sure to restart inetd after changing this file (e.g. pkill -HUP inetd).

For networks, ensure proper ingress filters are in place on the Internet router and firewall, especially on TCP and UDP port 111.

For Solaris hosts that require the Solstice AdminSuite to be running, the authentication security settings of sadmind should be increased to STRONG (AUTH_DES); this is not the default setting. This setting also requires NIS or NIS+ DES keys to have been created for each Solaris user and each host. In order to upgrade the authentication setting, the sadmind line in /etc/inetd.conf should be changed to look like the following:

100232/10 tli rpc/udp wait root /usr/sbin/sadmind sadmind -S 2

Sun also recommends using the Solaris Security Toolkit (JASS) to harden a Solaris system, http://wwws.sun.com/software/security/jass/ .

VI. VENDOR RESPONSE

Sun does not plan on releasing a patch for this issue. Because a working exploit now exists for this issue, Sun Microsystems Inc. is issuing Alert 56740 to ensure administrators have proactively applied the proper workarounds in the event this exploit or one like it becomes publicly available. Sun's alert is available at http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F56740 .

VII. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has assigned CAN-2003-0722 to this issue.

VIII.
DISCLOSURE TIMELINE

26 AUG 2003  Exploit acquired by iDEFENSE
26 AUG 2003  Sun notified (security-alert em sun.com)
27 AUG 2003  Followup status request via phone
27 AUG 2003  Response from Derrick Scholl, Sun Security Coordination Team
02 SEP 2003  iDEFENSE clients notified
16 SEP 2003  Coordinated Public Disclosure

IX. CREDIT

Mark Zielinski (markzielinski em mailblocks.com) is credited with this discovery.

Get paid for security research
http://www.idefense.com/contributor.html

Subscribe to iDEFENSE Advisories:
send email to listserv em idefense.com, subject line: "subscribe"

About iDEFENSE:
iDEFENSE is a global security intelligence company that proactively monitors sources throughout the world - from technical vulnerabilities and hacker profiling to the global spread of viruses and other malicious code. Our security intelligence services provide decision-makers, frontline security professionals and network administrators with timely access to actionable intelligence and decision support on cyber-related threats. For more information, visit http://www.idefense.com .

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBP2dWGOkli63F4U8VAQGN/gP7BnDnx8E0gfn5rVMmiBvpG65Bo0Tr0rqN
ORs7fHcPAZIpurD1uziju641B1JPgc23BgPDsXrGlk6IgJFjZYPFGTBUkfspEafi
qr2wLO7kRzDrI3WaTJB2D9MbN7+0ObaeDWpP41n4Di4edkjDeYNa3SHjMGe3Wu2s
5g6vg3g31zU=
=LgO5
-----END PGP SIGNATURE-----

----- End forwarded message -----

From security em unicamp.br Tue Sep 16 16:54:48 2003
From: security em unicamp.br (Security Team - UNICAMP)
Date: Tue, 16 Sep 2003 16:54:48 -0300
Subject: [SECURITY-L] ***IMPORTANT*** [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-03:12.openssh]
Message-ID: <20030916195448.GC2707@unicamp.br>

----- Forwarded message from FreeBSD Security Advisories -----
From: FreeBSD Security Advisories
Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-03:12.openssh
To: FreeBSD Security Advisories
Date: Tue, 16 Sep 2003 11:17:01 -0700 (PDT)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-03:12                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          OpenSSH buffer management error

Category:       core, ports
Module:         openssh, ports_openssh, openssh-portable
Announced:      2003-09-16
Credits:        The OpenSSH Project
Affects:        All FreeBSD releases after 4.0-RELEASE
                FreeBSD 4-STABLE prior to the correction date
                openssh port prior to openssh-3.6.1_1
                openssh-portable port prior to openssh-portable-3.6.1p2_1
Corrected:      2003-09-16 16:24:02 UTC (RELENG_4)
                2003-09-16 16:27:57 UTC (RELENG_5_1)
                2003-09-16 17:34:32 UTC (RELENG_5_0)
                2003-09-16 16:24:02 UTC (RELENG_4_8)
                2003-09-16 16:45:16 UTC (RELENG_4_7)
                2003-09-16 17:44:15 UTC (RELENG_4_6)
                2003-09-16 17:45:23 UTC (RELENG_4_5)
                2003-09-16 17:46:02 UTC (RELENG_4_4)
                2003-09-16 17:46:37 UTC (RELENG_4_3)
                2003-09-16 12:43:09 UTC (ports/security/openssh)
                2003-09-16 12:43:10 UTC (ports/security/openssh-portable)
CVE:            CAN-2003-0693
FreeBSD only:   NO

I.   Background

OpenSSH is a free version of the SSH protocol suite of network connectivity tools. OpenSSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks. Additionally, OpenSSH provides a myriad of secure tunneling capabilities, as well as a variety of authentication methods. `ssh' is the client application, while `sshd' is the server.

II.  Problem Description

When a packet is received that is larger than the space remaining in the currently allocated buffer, OpenSSH's buffer management attempts to reallocate a larger buffer. During this process, the recorded size of the buffer is increased. The new size is then range checked. If the range check fails, then fatal() is called to cleanup and exit.
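The ordering the problem description gives (recorded size raised, then range-checked, then fatal() on failure) is the one the buffer.adv patch earlier on this page reverses. The C below is an added example, not OpenSSH code: it models buffer_append_space() in both orderings using the constants visible in the patch (1 MiB append limit, 32768 bytes of growth slack, 0xa00000 hard cap), tracks the real allocation size separately from the recorded one, and has a stand-in for fatal()'s cleanup that reports how many bytes its memset over the recorded size would have landed past the end of the allocation, instead of actually writing them. The Buffer struct, the function names and the starting size of 0x9f0000 bytes are this example's assumptions.

```c
/* Added example, not OpenSSH code: the buffer bookkeeping bug described in
 * the problem description above, in its pre-3.7 and 3.7 orderings.  Size
 * constants are the ones in the buffer.adv patch; the struct is simplified. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_MAX_APPEND 0x100000u   /* appends larger than 1 MiB are rejected */
#define BUF_SLACK      32768u      /* headroom added on every reallocation   */
#define BUF_MAX_ALLOC  0xa00000u   /* hard cap on the buffer size            */

typedef struct {
    unsigned char *buf;
    unsigned int   alloc;   /* size the code *believes* buf has             */
    unsigned int   real;    /* size actually allocated (tracked for the demo) */
    unsigned int   end;     /* bytes in use                                 */
} Buffer;

static int buffer_init(Buffer *b, unsigned int initial)
{
    b->buf = calloc(initial, 1);
    if (b->buf == NULL)
        return -1;
    b->alloc = b->real = initial;
    b->end = 0;
    return 0;
}

/* Stand-in for what fatal()'s cleanup does: zero the whole *recorded*
 * allocation and free it.  Rather than perform the out-of-bounds write, it
 * clamps the memset to the real size and returns how many bytes would have
 * been written past the end of the block (0 means the cleanup was safe). */
static unsigned int buffer_fatal_cleanup(Buffer *b)
{
    unsigned int overrun = b->alloc > b->real ? b->alloc - b->real : 0;
    memset(b->buf, 0, b->alloc - overrun);
    free(b->buf);
    b->buf = NULL;
    return overrun;
}

static void grow(Buffer *b, unsigned int newlen)
{
    unsigned char *p = realloc(b->buf, newlen);
    if (p == NULL)
        abort();                    /* out of scope for the demo */
    b->buf = p;
    b->real = newlen;
}

/* Pre-3.7 ordering: the recorded size is bumped *before* the range check,
 * so if the check fails, cleanup runs with alloc != real. */
unsigned int append_space_buggy(Buffer *b, unsigned int len)
{
    if (len > BUF_MAX_APPEND)
        return buffer_fatal_cleanup(b);
    if (b->end + len <= b->real) {
        b->end += len;
        return 0;
    }
    b->alloc += len + BUF_SLACK;            /* recorded size raised first */
    if (b->alloc > BUF_MAX_ALLOC)
        return buffer_fatal_cleanup(b);     /* ... and checked too late   */
    grow(b, b->alloc);
    b->end += len;
    return 0;
}

/* 3.7 ordering: compute the new size, check it, reallocate, and only then
 * record it, so alloc == real at every point where cleanup can run. */
unsigned int append_space_fixed(Buffer *b, unsigned int len)
{
    unsigned int newlen;
    if (len > BUF_MAX_APPEND)
        return buffer_fatal_cleanup(b);
    if (b->end + len <= b->real) {
        b->end += len;
        return 0;
    }
    newlen = b->alloc + len + BUF_SLACK;    /* computed, not yet recorded */
    if (newlen > BUF_MAX_ALLOC)
        return buffer_fatal_cleanup(b);     /* alloc still equals real    */
    grow(b, newlen);
    b->alloc = newlen;                      /* recorded only after realloc */
    b->end += len;
    return 0;
}

/* Same starting state for both variants: a full buffer just under the cap
 * receiving a 64 KiB append that pushes the new size over 0xa00000. */
unsigned int overrun_bytes(int use_fixed)
{
    Buffer b;
    if (buffer_init(&b, 0x9f0000u) != 0)
        return (unsigned int)-1;
    b.end = b.real;                         /* force the growth path */
    return use_fixed ? append_space_fixed(&b, 0x10000u)
                     : append_space_buggy(&b, 0x10000u);
}

int main(void)
{
    printf("pre-3.7 ordering: cleanup would write %u bytes past the allocation\n", overrun_bytes(0));
    printf("3.7 ordering:     cleanup would write %u bytes past the allocation\n", overrun_bytes(1));
    return 0;
}
```

With the numbers above the buggy variant reports 0x18000 bytes (the 64 KiB append plus the 32768 bytes of slack) that the cleanup would zero beyond the real block, which is exactly the NUL overwrite the advisory goes on to describe; the fixed variant reports none, because the recorded size is never allowed to run ahead of the allocation.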
In some cases, the cleanup code will attempt to zero and free the buffer that just had its recorded size (but not actual allocation) increased. As a result, memory outside of the allocated buffer will be overwritten with NUL bytes.

III. Impact

A remote attacker can cause OpenSSH to crash. The bug is not believed to be exploitable for code execution on FreeBSD.

IV.  Workaround

Do one of the following:

1) Disable the base system sshd by executing the following command as root:

   # kill `cat /var/run/sshd.pid`

   Be sure that sshd is not restarted when the system is restarted by adding the following line to the end of /etc/rc.conf:

   sshd_enable="NO"

AND

   Deinstall the openssh or openssh-portable ports if you have one of them installed.

V.   Solution

Do one of the following:

[For OpenSSH included in the base system]

1) Upgrade your vulnerable system to 4-STABLE or to the RELENG_5_1, RELENG_4_8, or RELENG_4_7 security branch dated after the correction date (5.1-RELEASE-p3, 4.8-RELEASE-p5, or 4.7-RELEASE-p15, respectively).

2) FreeBSD systems prior to the correction date:

The following patches have been verified to apply to FreeBSD 4.x and FreeBSD 5.x systems prior to the correction date.

Download the appropriate patch and detached PGP signature from the following locations, and verify the signature using your PGP utility.
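The ordering mistake described in the Problem Description above (recorded size bumped before the range check, so the cleanup run by fatal() zeroes a region the allocation never had) fits in a few lines of C. The block below is an added illustration written for this archive, not OpenSSH's or FreeBSD's own code: the Buffer fields, the 32768-byte growth slack and the 0xa00000 upper bound follow the OpenSSH buffer.c of that period as recalled and should be treated as assumptions; fatal() is simulated by returning -1 instead of exiting, the true allocation size is kept in an extra real_alloc field so the overrun can be measured rather than performed, and the oversized packet length is a constructed input.

```c
/* Model of the OpenSSH pre-3.7 buffer_append_space() ordering bug
 * (CAN-2003-0693). Added example, not OpenSSH code: the field names,
 * the 32768 slack and the 0xa00000 limit are assumptions about the
 * buffer.c of that era; fatal() is simulated; real_alloc is a modelling
 * device that tracks what realloc() actually returned. */
#include <stdlib.h>
#include <stdio.h>

#define BUFFER_MAX_LEN 0xa00000u   /* upper bound enforced on the buffer size */
#define BUFFER_GROW    32768u      /* slack added on each reallocation */

typedef struct {
    unsigned char *buf;
    unsigned int   alloc;      /* size the buffer code *believes* buf has */
    unsigned int   real_alloc; /* bytes actually obtained from realloc (model only) */
    unsigned int   offset;
    unsigned int   end;
} Buffer;

static void buffer_init(Buffer *b, unsigned int initial)
{
    b->buf = malloc(initial);
    b->alloc = b->real_alloc = initial;
    b->offset = b->end = 0;
}

/* Stand-in for xrealloc(): grows the block and records its true size. */
static void grow(Buffer *b, unsigned int newlen)
{
    b->buf = realloc(b->buf, newlen);
    b->real_alloc = newlen;
}

/* Vulnerable ordering: the recorded size is raised before the range
 * check, so when the check fails and fatal() runs the cleanup handlers,
 * buffer_free()'s memset(buf, 0, alloc) uses a size the block never had.
 * Returns 0 on success, -1 where the real code would call fatal(). */
static int append_space_vulnerable(Buffer *b, unsigned int len)
{
    if (b->end + len < b->alloc) {          /* enough room, no growth needed */
        b->end += len;
        return 0;
    }
    b->alloc += len + BUFFER_GROW;          /* recorded size grows first ...  */
    if (b->alloc > BUFFER_MAX_LEN)          /* ... and the check comes second */
        return -1;                          /* fatal() -> cleanup -> buffer_free() */
    grow(b, b->alloc);
    b->end += len;
    return 0;
}

/* Fixed ordering: compute, check, reallocate, and only then commit the
 * new size, so alloc never describes memory that does not exist. */
static int append_space_fixed(Buffer *b, unsigned int len)
{
    unsigned int newlen;
    if (b->end + len < b->alloc) {
        b->end += len;
        return 0;
    }
    newlen = b->alloc + len + BUFFER_GROW;
    if (newlen > BUFFER_MAX_LEN)
        return -1;
    grow(b, newlen);
    b->alloc = newlen;
    b->end += len;
    return 0;
}

/* What the fatal-path cleanup would do: memset(buf, 0, alloc). Returns how
 * many bytes that memset would write past the real allocation (0 means the
 * cleanup is safe). The overrun itself is deliberately not performed. */
static unsigned int cleanup_overrun(const Buffer *b)
{
    return b->alloc > b->real_alloc ? b->alloc - b->real_alloc : 0;
}

/* Drive one oversized append through either variant and report the overrun. */
static unsigned int overrun_after_oversized_packet(int (*append)(Buffer *, unsigned int))
{
    Buffer b;
    unsigned int over;
    buffer_init(&b, 4096);
    /* constructed input: a packet length chosen to push past BUFFER_MAX_LEN */
    (void)append(&b, BUFFER_MAX_LEN);
    over = cleanup_overrun(&b);
    free(b.buf);
    return over;
}

int main(void)
{
    printf("vulnerable ordering: cleanup would zero %u bytes past the allocation\n",
           overrun_after_oversized_packet(append_space_vulnerable));
    printf("fixed ordering:      cleanup would zero %u bytes past the allocation\n",
           overrun_after_oversized_packet(append_space_fixed));
    return 0;
}
```

With a 4 KiB starting buffer the vulnerable variant reports that the cleanup memset would reach roughly ten megabytes past the block, which is the heap corruption the advisory describes; the fixed variant reports zero because alloc is only updated after realloc succeeded. The fix is nothing more than that change of order.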
[FreeBSD 4.3 through 4.5]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer45.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer45.patch.asc

[FreeBSD 4.6 and later, FreeBSD 5.0 and later]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer46.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer46.patch.asc

Execute the following commands as root:

# cd /usr/src
# patch < /path/to/sshd.patch
# cd /usr/src/secure/lib/libssh
# make depend && make all install
# cd /usr/src/secure/usr.sbin/sshd
# make depend && make all install
# cd /usr/src/secure/usr.bin/ssh
# make depend && make all install

Be sure to restart `sshd' after updating.

# kill `cat /var/run/sshd.pid`
# (. /etc/rc.conf && ${sshd_program:-/usr/bin/sshd} ${sshd_flags})

[For the OpenSSH ports]

One of the following:

1) Upgrade your entire ports collection and rebuild the OpenSSH port.

2) Deinstall the old package and install a new package obtained from the following directory:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/

[other platforms]
Packages are not automatically generated for other platforms at this time due to lack of build resources.

3) Download a new port skeleton for the openssh or openssh-portable port from:
http://www.freebsd.org/ports/
and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/Latest/portcheckout.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/Latest/portcheckout.tgz

Be sure to restart `sshd' after updating.

# kill `cat /var/run/sshd.pid`
# test -x /usr/local/etc/rc.d/sshd.sh && sh /usr/local/etc/rc.d/sshd.sh start

VI.  Correction details

The following list contains the revision numbers of each file that was corrected in the FreeBSD base system and ports collection.

Branch / Path                                               Revision
- -------------------------------------------------------------------------
[Base system]
RELENG_4
  src/crypto/openssh/buffer.c                               1.1.1.1.2.5
  src/crypto/openssh/version.h                              1.1.1.1.2.11
RELENG_5_1
  src/UPDATING                                              1.251.2.4
  src/crypto/openssh/buffer.c                               1.1.1.6.4.1
  src/crypto/openssh/version.h                              1.20.2.1
  src/sys/conf/newvers.sh                                   1.50.2.5
RELENG_5_0
  src/UPDATING                                              1.229.2.18
  src/crypto/openssh/buffer.c                               1.1.1.6.2.1
  src/crypto/openssh/version.h                              1.18.2.1
  src/sys/conf/newvers.sh                                   1.48.2.13
RELENG_4_8
  src/UPDATING                                              1.73.2.80.2.7
  src/crypto/openssh/buffer.c                               1.1.1.1.2.4.4.1
  src/crypto/openssh/version.h                              1.1.1.1.2.10.2.1
  src/sys/conf/newvers.sh                                   1.44.2.29.2.6
RELENG_4_7
  src/UPDATING                                              1.73.2.74.2.18
  src/crypto/openssh/buffer.c                               1.1.1.1.2.4.2.1
  src/crypto/openssh/version.h                              1.1.1.1.2.9.2.1
  src/sys/conf/newvers.sh                                   1.44.2.26.2.17
RELENG_4_6
  src/UPDATING                                              1.73.2.68.2.46
  src/crypto/openssh/buffer.c                               1.1.1.1.2.3.4.2
  src/crypto/openssh/version.h                              1.1.1.1.2.8.2.2
  src/sys/conf/newvers.sh                                   1.44.2.23.2.35
RELENG_4_5
  src/UPDATING                                              1.73.2.50.2.47
  src/crypto/openssh/buffer.c                               1.1.1.1.2.3.2.1
  src/crypto/openssh/version.h                              1.1.1.1.2.7.2.2
  src/sys/conf/newvers.sh                                   1.44.2.20.2.31
RELENG_4_4
  src/UPDATING                                              1.73.2.43.2.48
  src/crypto/openssh/buffer.c                               1.1.1.1.2.2.4.1
  src/crypto/openssh/version.h                              1.1.1.1.2.5.2.3
  src/sys/conf/newvers.sh                                   1.44.2.17.2.39
RELENG_4_3
  src/UPDATING                                              1.73.2.28.2.35
  src/crypto/openssh/buffer.c                               1.1.1.1.2.2.2.1
  src/crypto/openssh/version.h                              1.1.1.1.2.4.2.3
  src/sys/conf/newvers.sh                                   1.44.2.14.2.25
[Ports]
  ports/security/openssh-portable/Makefile                  1.73
  ports/security/openssh-portable/files/patch-buffer.c      1.1
  ports/security/openssh/Makefile                           1.120
  ports/security/openssh/files/patch-buffer.c               1.1
- -------------------------------------------------------------------------

Branch                  Version string
- -------------------------------------------------------------------------
HEAD                    OpenSSH_3.6.1p1 FreeBSD-20030916
RELENG_4                OpenSSH_3.5p1 FreeBSD-20030916
RELENG_5_1              OpenSSH_3.6.1p1 FreeBSD-20030916
RELENG_4_8              OpenSSH_3.5p1 FreeBSD-20030916
RELENG_4_7              OpenSSH_3.4p1 FreeBSD-20030916
RELENG_4_6              OpenSSH_3.4p1 FreeBSD-20030916
RELENG_4_5              OpenSSH_2.9 FreeBSD localisations 20030916
RELENG_4_4              OpenSSH_2.3.0 FreeBSD localisations 20030916
RELENG_4_3              OpenSSH_2.3.0 green at FreeBSD.org 20030916
- -------------------------------------------------------------------------

To view the version string of the OpenSSH server, execute the following command:

% /usr/sbin/sshd -\?

The version string is also displayed when a client connects to the server.

To view the version string of the OpenSSH client, execute the following command:

% /usr/bin/ssh -V

VII. References

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0693 to this issue.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (FreeBSD)

iD8DBQE/Z1MtFdaIBMps37IRApcyAKCIjophc4e8UGhAlTTiNCunVJSlfgCffMgQ
PW0VvEnS7MMUYyekHuz49ro=
=vcm1
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-announce at freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-announce
To unsubscribe, send any mail to "freebsd-announce-unsubscribe at freebsd.org"
----- End forwarded message -----

From security at unicamp.br Wed Sep 17 09:11:24 2003
From: security at unicamp.br (Security Team - UNICAMP)
Date: Wed, 17 Sep 2003 09:11:24 -0300
Subject: [SECURITY-L] ***IMPORTANT*** CERT Advisory CA-2003-24 Buffer Management Vulnerability in OpenSSH
Message-ID: <20030917121124.GA3796@unicamp.br>
----- Forwarded message from CERT Advisory -----
From: CERT Advisory
Subject: CERT Advisory CA-2003-24 Buffer Management Vulnerability in OpenSSH
To: cert-advisory at cert.org
Date: Tue, 16 Sep 2003 17:44:29 -0400
Organization: CERT(R) Coordination Center - +1 412-268-7090

-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2003-24 Buffer Management Vulnerability in OpenSSH

   Original release date: September 16, 2003
   Last revised: --
   Source: CERT/CC

   A complete revision history can be found at the end of this file.

Systems Affected

     * Systems running versions of OpenSSH prior to 3.7
     * Systems that use or derive code from vulnerable versions of OpenSSH

Overview

   There is a remotely exploitable vulnerability in a general buffer management function in versions of OpenSSH prior to 3.7. This may allow a remote attacker to corrupt heap memory which could cause a denial-of-service condition. It may also be possible for an attacker to execute arbitrary code.

I. Description

   A vulnerability exists in the buffer management code of OpenSSH. This vulnerability affects versions prior to 3.7. The error occurs when a buffer is allocated for a large packet. When the buffer is cleared, an improperly sized chunk of memory is filled with zeros. This leads to heap corruption, which could cause a denial-of-service condition. This vulnerability may also allow an attacker to execute arbitrary code.

   This vulnerability is described in an advisory from OpenSSH and in FreeBSD-SA-03:12:

   Other systems that use or derive code from OpenSSH may be affected. This includes network equipment and embedded systems.

   We have monitored incident reports that may be related to this vulnerability.

   Vulnerability Note VU#333628 lists the vendors we contacted about this vulnerability. The vulnerability note is available from

   This vulnerability has been assigned the following Common Vulnerabilities and Exposures (CVE) number:

   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0693

II. Impact

   While the full impact of this vulnerability is unclear, the most likely result is heap corruption, which could lead to a denial of service. If it is possible for an attacker to execute arbitrary code, then they may be able to do so with the privileges of the user running the sshd process, typically root. This impact may be limited on systems using the privilege separation (privsep) feature available in OpenSSH.

III. Solution

Upgrade to OpenSSH version 3.7

   This vulnerability is resolved in OpenSSH version 3.7, which is available from the OpenSSH web site at

Apply a patch from your vendor

   A patch for this vulnerability is included in the OpenSSH advisory at

   This patch may be manually applied to correct this vulnerability in affected versions of OpenSSH. If your vendor has provided a patch or upgrade, you may want to apply it rather than using the patch from OpenSSH. Find information about vendor patches in Appendix A. We will update this document as vendors provide additional information.

Use privilege separation to minimize impact

   System administrators running OpenSSH versions 3.2 or higher may be able to reduce the impact of this vulnerability by enabling the "UsePrivilegeSeparation" configuration option in their sshd configuration file. Typically, this is accomplished by creating a privsep user, setting up a restricted (chroot) environment, and adding the following line to /etc/ssh/sshd_config:

   UsePrivilegeSeparation yes

   This workaround does not prevent this vulnerability from being exploited; however, due to the privilege separation mechanism, the intruder may be limited to a constrained chroot environment with restricted privileges. This workaround will not prevent this vulnerability from creating a denial-of-service condition.

   Not all operating system vendors have implemented the privilege separation code, and on some operating systems it may limit the functionality of OpenSSH.
   System administrators are encouraged to carefully review the implications of using the workaround in their environment and use a more comprehensive solution if one is available. The use of privilege separation to limit the impact of future vulnerabilities is encouraged.

Appendix A. - Vendor Information

   This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in the revision history. Additional vendors who have not provided direct statements, but who have made public statements or informed us of their status are listed in VU#333628. If a vendor is not listed below or in VU#333628, we have not received their comments.

Bitvise

   Our software shares no codebase with the OpenSSH implementation, therefore we believe that, in our products, this problem does not exist.

Cray, Inc.

   Cray Inc. supports OpenSSH through its Cray Open Software (COS) package. Cray is vulnerable to this buffer management error and is in the process of compiling OpenSSH 3.7. The new version will be made available in the next COS release.

Debian

   A fix for the buffer management vulnerability is available for the ssh package at http://www.debian.org/security/2003/dsa-382
   A fix for the ssh-krb5 (ssh with kerberos support) package is available at http://www.debian.org/security/2003/dsa-383

Mandrake Software

   Mandrake Linux is affected and MDKSA-2003:090 will be released today with patched versions of OpenSSH to resolve this issue.

PuTTY

   PuTTY is not based on the OpenSSH code base, so it should not be vulnerable to any OpenSSH-specific attacks.
   _________________________________________________________________

   The CERT/CC thanks Markus Friedl of the OpenSSH project for his technical assistance in producing this advisory.
   _________________________________________________________________

   Authors: Jason A. Rafail and Art Manion
   ______________________________________________________________________

   This document is available from:
   ______________________________________________________________________

CERT/CC Contact Information

   Email: cert at cert.org
   Phone: +1 412-268-7090 (24-hour hotline)
   Fax: +1 412-268-6989
   Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.

   CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

   We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

   If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

   CERT publications and other security information are available from our web site

   To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo at cert.org. Please include in the body of your message

   subscribe cert-advisory

   * "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
   ______________________________________________________________________

   NO WARRANTY
   Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.
   ______________________________________________________________________

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2003 Carnegie Mellon University.
Revision History

   September 16, 2003: Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBP2eByzpmH2w9K/0VAQGnaAP/Zb54OjkSVC0594mOAQDT5s92IOUHY2ND
aonp3h1jPmg6kJ6jJyh1Z4ZyC3tFoQa8EnAgKs7tFYJHr/65t4ASLycB/X/tJu1T
KGIG+yJ/MP9OZ0s/i2Rp95x1u8wrQHoq1TuDs+sJ6clu638dFcgZk2CzZSojPIr9
hgzCzPOAscA=
=Xysb
-----END PGP SIGNATURE-----
----- End forwarded message -----

From security at unicamp.br Thu Sep 18 12:34:49 2003
From: security at unicamp.br (Security Team - UNICAMP)
Date: Thu, 18 Sep 2003 12:34:49 -0300
Subject: [SECURITY-L] ***IMPORTANT*** CERT Advisory CA-2003-25 Buffer Overflow in Sendmail
Message-ID: <20030918153449.GA473@unicamp.br>
----- Forwarded message from CERT Advisory -----
From: CERT Advisory
Subject: CERT Advisory CA-2003-25 Buffer Overflow in Sendmail
To: cert-advisory at cert.org
Date: Thu, 18 Sep 2003 10:38:29 -0400
Organization: CERT(R) Coordination Center - +1 412-268-7090

-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory CA-2003-25 Buffer Overflow in Sendmail

   Original issue date: September 18, 2003
   Last revised: --
   Source: CERT/CC

   A complete revision history is at the end of this file.

Systems Affected

     * Systems running open-source sendmail versions prior to 8.12.10, including UNIX and Linux systems
     * Commercial releases of sendmail including Sendmail Switch, Sendmail Advanced Message Server (SAMS), and Sendmail for NT

Overview

   A vulnerability in sendmail could allow a remote attacker to execute arbitrary code with the privileges of the sendmail daemon, typically root.

I. Description

   Sendmail is a widely deployed mail transfer agent (MTA). Many UNIX and Linux systems provide a sendmail implementation that is enabled and running by default.

   Sendmail contains a vulnerability in its address parsing code. An error in the prescan() function could allow an attacker to write past the end of a buffer, corrupting memory structures. Depending on platform and operating system architecture, the attacker may be able to execute arbitrary code with a specially crafted email message.

   This vulnerability is different from the one described in CA-2003-12.

   The email attack vector is message-oriented as opposed to connection-oriented. This means that the vulnerability is triggered by the contents of a specially crafted email message rather than by lower-level network traffic. This is important because an MTA that does not contain the vulnerability may pass the malicious message along to other MTAs that may be protected at the network level. In other words, vulnerable sendmail servers on the interior of a network are still at risk, even if the site's border MTA uses software other than sendmail.
   Also, messages capable of exploiting this vulnerability may pass undetected through packet filters or firewalls.

   Further information is available in VU#784980.

   Common Vulnerabilities and Exposures (CVE) refers to this issue as CAN-2003-0694.

II. Impact

   Depending on platform and operating system architecture, a remote attacker could execute arbitrary code with the privileges of the sendmail daemon. Unless the RunAsUser option is set, Sendmail typically runs as root.

III. Solution

Upgrade or apply a patch

   This vulnerability is resolved in Sendmail 8.12.10. Sendmail has also released a patch that can be applied to Sendmail 8.9.x through 8.12.9. Information about specific vendors is available in Appendix A. and in the Systems Affected section of VU#784980.

   Sendmail 8.12.10 is designed to correct malformed messages that are transferred by the server. This should help protect other vulnerable sendmail servers.

Enable the RunAsUser option

   While there is no known complete workaround, consider setting the RunAsUser option to reduce the impact of this vulnerability. It is typically considered to be a good security practice to limit the privileges of applications and services whenever possible.

Appendix A. Vendor Information

   This appendix contains information provided by vendors. When vendors report new information, this section is updated, and the changes are noted in the revision history. If a vendor is not listed below, we have not received their direct statement. Further vendor information is available in the Systems Affected section of VU#784980.

Debian

   The sendmail and sendmail-wide packages are vulnerable to this issue. Updated packages are being prepared and will be available soon.

F5 Networks

   BIG-IP and 3-DNS products are not vulnerable.

IBM

   The AIX Security Team is aware of the issues discussed in CERT Vulnerability Note VU#784980. The following APARs will be released to address this issue:

   APAR number for AIX 4.3.3: IY48659 (available approx. 10/03/03)
   APAR number for AIX 5.1.0: IY48658 (available approx. 10/15/03)
   APAR number for AIX 5.2.0: IY48657 (available approx. 10/29/03)

   An e-fix will be available shortly. The e-fix will be available from:
   ftp://ftp.software.ibm.com/aix/efixes/security/sendmail_4_efix.tar.Z

   This vendor statement will be updated when the e-fix becomes available.

Lotus

   This is a sendmail-specific issue that does not affect any Lotus products.

Network Appliance

   NetApp products are not vulnerable to this problem.

NetBSD

   NetBSD-current ships with sendmail 8.12.9 since June 1, 2003. The patch was applied on September 17, 2003. In the near future we will upgrade to sendmail 8.12.10.

   Our official releases, such as NetBSD 1.6.1, are also affected (they ship with an older version of sendmail). They will be patched as soon as possible. We will issue a NetBSD Security Advisory on this matter.

Openwall GNU/*/Linux

   Openwall GNU/*/Linux is not vulnerable. We ship Postfix, not Sendmail.

Red Hat

   Red Hat Linux and Red Hat Enterprise Linux ship with a Sendmail package vulnerable to these issues. Updated Sendmail packages are available along with our advisory at the URLs below. Users of the Red Hat Network can update their systems using the 'up2date' tool.

   Red Hat Linux: http://rhn.redhat.com/errata/RHSA-2003-283.html
   Red Hat Enterprise Linux: http://rhn.redhat.com/errata/RHSA-2003-284.html

The Sendmail Consortium

   The Sendmail Consortium recommends that sites upgrade to 8.12.10 whenever possible. Alternatively, patches are available for 8.9, 8.10, 8.11, and 8.12 on http://www.sendmail.org/.

Sendmail Inc.

   All commercial releases including Sendmail Switch, Sendmail Advanced Message Server (which includes the Sendmail Switch MTA), Sendmail for NT, and Sendmail Pro are affected by this issue. Patch information is available at http://www.sendmail.com/security/.

Sun

   Sun acknowledges that our recent release of sendmail 8.12.10 is affected by this issue on Solaris releases S7, S8 and S9.
   A Sun Alert for this issue will be issued very soon which will then be available from:
   http://sunsolve.Sun.COM/pub-cgi/retrieve.pl?doc=fsalert/56860

   There are no patches available at this time. The Sun Alert will be updated with the patch information as it becomes available. Please refer to the Sun Alert, when available, for more information.

SuSE

   SuSE products shipping sendmail are affected. Update packages that fix the vulnerability are being prepared and will be published shortly.

Appendix B. References

     * CERT/CC Vulnerability Note VU#784980 -
     * Michal Zalewski's post to BugTraq -
     * Sendmail 8.12.10 -
     * Sendmail patch for 8.12.9 -
     * Sendmail 8.12.10 announcement -
     * Sendmail Secure Install -
   _________________________________________________________________

   This vulnerability was discovered by Michal Zalewski. Thanks to Claus Assmann and Eric Allman of Sendmail for their help in preparing this document.
   _________________________________________________________________

   Feedback can be directed to the author, Art Manion.
   ______________________________________________________________________

   This document is available from:
   http://www.cert.org/advisories/CA-2003-25.html
   ______________________________________________________________________

CERT/CC Contact Information

   Email: cert at cert.org
   Phone: +1 412-268-7090 (24-hour hotline)
   Fax: +1 412-268-6989
   Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.

   CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

   We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
   http://www.cert.org/CERT_PGP.key

   If you prefer to use DES, please call the CERT hotline for more information.
Getting security information

   CERT publications and other security information are available from our web site
   http://www.cert.org/

   To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo at cert.org. Please include in the body of your message

   subscribe cert-advisory

   * "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
   ______________________________________________________________________

   NO WARRANTY
   Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.
   ______________________________________________________________________

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2003 Carnegie Mellon University.

Revision History

   September 18, 2003: Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBP2nC8jpmH2w9K/0VAQFKwwP/Vagji3+avI6eb/5C++JCjjmL0Y+JrFmD
6DWgYsOVASDUO4bUyHYiAl2BM8s3owsprTRuKFl3WOf18h++qtTOOO1oeRt+bhqP
1q6ImxjAem7kM2f5e3xdArowptIlqMXFakQ2N3gHqyfXEcmgESrFcGNS8oCV20Y4
rriFRV/lvDU=
=/mMy
-----END PGP SIGNATURE-----
----- End forwarded message -----

From security at unicamp.br Wed Sep 17 14:43:13 2003
From: security at unicamp.br (Security Team - UNICAMP)
Date: Wed, 17 Sep 2003 14:43:13 -0300
Subject: [SECURITY-L] ***IMPORTANT*** CAIS-Alerta: Update on the OpenSSH vulnerability - CA-2003-24
Message-ID: <20030917174312.GA4073@unicamp.br>
----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca -----
From: Centro de Atendimento a Incidentes de Seguranca Subject: CAIS-Alerta: Novidades sobre a vulnerabilidade do OpenSSH - CA-2003-24 To: rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br Date: Wed, 17 Sep 2003 10:20:11 -0300 (BRT) -----BEGIN PGP SIGNED MESSAGE----- Prezados, Complementando as informacoes enviadas ontem pelo CAIS relacionadas com a vulnerabilidade do OpenSSH, o CAIS esta´ repassando o alerta divulgado pelo CERT/CC, CERT Advisory CA-2003-24 Buffer Management Vulnerability in OpenSSH. As informacoes mais recentes disponibilizadas pela OpenSSH dao conta que a correcao indicada e' a atualizacao do software para a versao 3.7.1 que foi disponibilizada ontem para download. Correcoes disponiveis: Recomenda-se a atualizacao do OpenSSH para a versao 3.7.1 ou a aplicacao dos patches. . OpenSSH 3.7.1 http://www.openssh.com/ . Patch para o OpenSSH 3.7 ver apendice A do alerta da OpenSSH . Patch para o OpenSSH 3.6.1 e anteriores ver apendice B do alerta da OpenSSH Maiores informacoes podem ser obtidas nos seguintes enderecos: . Segunda revisao do alerta da OpenSSH http://www.openssh.com/txt/buffer.adv . CA-2003-24 Buffer Management Vulnerability in OpenSSH http://www.cert.org/advisories/CA-2003-24.html Identificador do CVE: CAN-2003-0693, (http://cve.mitre.org) O CAIS recomenda aos administradores manterem seus sistemas e aplicativos sempre atualizados, de acordo com as ultimas versoes e correcoes disponibilizadas pelos fabricantes. Atenciosamente, ################################################################ # CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS) # # Rede Nacional de Ensino e Pesquisa (RNP) # # # # cais em cais.rnp.br http://www.cais.rnp.br # # Tel. 019-37873300 Fax. 
019-37873301 # # Chave PGP disponivel http://www.cais.rnp.br/cais-pgp.key # ################################################################ CERT Advisory CA-2003-24 Buffer Management Vulnerability in OpenSSH Original release date: September 16, 2003 Last revised: -- Source: CERT/CC A complete revision history can be found at the end of this file. Systems Affected * Systems running versions of OpenSSH prior to 3.7 * Systems that use or derive code from vulnerable versions of OpenSSH Overview There is a remotely exploitable vulnerability in a general buffer management function in versions of OpenSSH prior to 3.7. This may allow a remote attacker to corrupt heap memory which could cause a denial-of-service condition. It may also be possible for an attacker to execute arbitrary code. I. Description A vulnerability exists in the buffer management code of OpenSSH. This vulnerability affects versions prior to 3.7. The error occurs when a buffer is allocated for a large packet. When the buffer is cleared, an improperly sized chunk of memory is filled with zeros. This leads to heap corruption, which could cause a denial-of-service condition. This vulnerability may also allow an attacker to execute arbitrary code. This vulnerability is described in an advisory from OpenSSH and in FreeBSD-SA-03:12: Other systems that use or derive code from OpenSSH may be affected. This includes network equipment and embedded systems. We have monitored incident reports that may be related to this vulnerability. Vulnerability Note VU#333628 lists the vendors we contacted about this vulnerability. The vulnerability note is available from This vulnerability has been assigned the following Common Vulnerabilities and Exposures (CVE) number: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0693 II. Impact While the full impact of this vulnerability is unclear, the most likely result is heap corruption, which could lead to a denial of service. 
If it is possible for an attacker to execute arbitrary code, then they may be able to so with the privileges of the user running the sshd process, typically root. This impact may be limited on systems using the privilege separation (privsep) feature available in OpenSSH. III. Solution Upgrade to OpenSSH version 3.7 This vulnerability is resolved in OpenSSH version 3.7, which is available from the OpenSSH web site at Apply a patch from your vendor A patch for this vulnerability is included in the OpenSSH advisory at This patch may be manually applied to correct this vulnerability in affected versions of OpenSSH. If your vendor has provided a patch or upgrade, you may want to apply it rather than using the patch from OpenSSH. Find information about vendor patches in Appendix A. We will update this document as vendors provide additional information. Use privilege separation to minimize impact System administrators running OpenSSH versions 3.2 or higher may be able to reduce the impact of this vulnerability by enabling the "UsePrivilegeSeparation" configuration option in their sshd configuration file. Typically, this is accomplished by creating a privsep user, setting up a restricted (chroot) environment, and adding the following line to /etc/ssh/sshd_config: UsePrivilegeSeparation yes This workaround does not prevent this vulnerability from being exploited, however due to the privilege separation mechanism, the intruder may be limited to a constrained chroot environment with restricted privileges. This workaround will not prevent this vulnerability from creating a denial-of-service condition. Not all operating system vendors have implemented the privilege separation code, and on some operating systems it may limit the functionality of OpenSSH. System administrators are encouraged to carefully review the implications of using the workaround in their environment and use a more comprehensive solution if one is available. 
The use of privilege separation to limit the impact of future vulnerabilities is encouraged.

Appendix A. - Vendor Information

This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in the revision history. Additional vendors who have not provided direct statements, but who have made public statements or informed us of their status, are listed in VU#333628. If a vendor is not listed below or in VU#333628, we have not received their comments.

Bitvise

Our software shares no codebase with the OpenSSH implementation; therefore we believe that, in our products, this problem does not exist.

Cray, Inc.

Cray Inc. supports OpenSSH through its Cray Open Software (COS) package. Cray is vulnerable to this buffer management error and is in the process of compiling OpenSSH 3.7. The new version will be made available in the next COS release.

Debian

A fix for the buffer management vulnerability is available for the ssh package at
http://www.debian.org/security/2003/dsa-382

A fix for the ssh-krb5 (ssh with kerberos support) package is available at
http://www.debian.org/security/2003/dsa-383

Mandrake Software

Mandrake Linux is affected and MDKSA-2003:090 will be released today with patched versions of OpenSSH to resolve this issue.

PuTTY

PuTTY is not based on the OpenSSH code base, so it should not be vulnerable to any OpenSSH-specific attacks.

_________________________________________________________________

The CERT/CC thanks Markus Friedl of the OpenSSH project for his technical assistance in producing this advisory.

_________________________________________________________________

Authors: Jason A. Rafail and Art Manion

______________________________________________________________________

This document is available from:

______________________________________________________________________

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
   CERT Coordination Center
   Software Engineering Institute
   Carnegie Mellon University
   Pittsburgh PA 15213-3890
   U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site
http://www.cert.org/

To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message

   subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.

______________________________________________________________________

NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied, as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

______________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2003 Carnegie Mellon University.
Revision History

September 16, 2003: Initial release

----- End forwarded message -----

From security@unicamp.br Thu Sep 18 14:29:01 2003
From: security@unicamp.br (Security Team - UNICAMP)
Date: Thu, 18 Sep 2003 14:29:01 -0300
Subject: [SECURITY-L] News bulletins
Message-ID: <20030918172900.GB333@unicamp.br>

Dear users,

We have updated the site of Unicamp's Systems and Network Security Team (Equipe de Seguranca em Sistemas e Redes) with the following news bulletins and/or electronic magazines:

15/09/2003
----------
SANS Critical Vulnerability Analysis Vol 2 No 36
Source: SANS Institute
http://www.security.unicamp.br/docs/informativos/2003/09/b7.txt

Módulo Security News no. 309
Source: Módulo Security Solutions S/A
http://www.security.unicamp.br/docs/informativos/2003/09/b8.txt

17/09/2003
----------
SANS NewsBites Vol. 5 Num. 37
Source: SANS Institute
http://www.security.unicamp.br/docs/informativos/2003/09/b9.txt

--
Equipe de Seguranca em Sistemas e Redes
Unicamp - Universidade Estadual de Campinas
mailto:security@unicamp.br
http://www.security.unicamp.br

From security@unicamp.br Fri Sep 19 10:09:40 2003
From: security@unicamp.br (Security Team - UNICAMP)
Date: Fri, 19 Sep 2003 10:09:40 -0300
Subject: [SECURITY-L] CAIS-Alerta: Fake exploit for the OpenSSH vulnerability
Message-ID: <20030919130940.GC333@unicamp.br>

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca -----
From: Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS-Alerta: Fake exploit for the OpenSSH vulnerability
To: rnp-alerta@cais.rnp.br, rnp-seg@cais.rnp.br
Date: Fri, 19 Sep 2003 10:00:46 -0300 (BRT)

Dear all,

CAIS has been informed that news is circulating in the hacker community about the existence of an exploit capable of exploiting the recently discovered vulnerability in OpenSSH, as described in the alert published by CAIS at:

http://www.rnp.br/cais/alertas/2003/openssh01.html

The supposed exploit is in fact a trojan which, when run on a machine, behaves as follows:

. it can only be run by root; otherwise an error occurs and execution is aborted with the following message:

   "sorry dude need root for rawip"

. when told to attack a machine with a vulnerable ssh, the trojan fakes an attack by making multiple connections to port 22 of the victim machine. The message displayed by the "exploit" is:

   "r00ting box..."

. it creates an account on the machine named sys3 with UID 0, that is, the same UID as the superuser (root). Every execution of the "exploit" adds the sys3 user again.

. it writes the output of the following commands to the file /tmp/.tmp:

   - ifconfig -a
   - cat /etc/passwd /etc/shadow /root.ssh*/known_hosts
   - find /home/ -name known_hosts -exec cat {}

. it sends the file /tmp/.tmp to the user m0nkeyhack@supermarkt.de, forging the sender as ownage@gmx.de. Machines suspected of having been contaminated with this trojan can confirm the contamination by checking for the presence of these e-mail addresses in the file /var/log/maillog.

. at the end of the process, the file /tmp/.tmp is deleted.
File details:

Name: sshexp.tar.bz2.tar
MD5: 1a34d4428d932d35c0966806b29d5b9c

Name: sshexp.tar.bz2
MD5: 1a34d4428d932d35c0966806b29d5b9c

Contents:

Name: README
MD5: 3b754b2233e9c80bd4070754f6587c94

Name: buffer.adv
MD5: 4059d198768f9f8dc9372dc1c54bc3c3

Name: theosshucksass
MD5: 830ad2439d9b9206794e5d1a527f8ee0

When created on the machine that ran the "exploit", the files above will have the following characteristics (times in GMT-3):

-rw-------    1 31337    31337          14 Sep 18 18:39 buffer.adv
-rw-------    1 31337    31337         728 Sep 18 16:10 README
-rwxr-xr-x    1 31337    31337        9293 Sep 18 18:32 theosshucksass

More information about the OpenSSH vulnerability can be found at:

. News about the OpenSSH vulnerability
  http://www.rnp.br/cais/alertas/2003/CA200324.html

. Remote vulnerability in OpenSSH
  http://www.rnp.br/cais/alertas/2003/openssh01.html

CAIS recommends that administrators keep their systems and applications always up to date, in line with the latest versions and fixes made available by vendors.

Regards,

################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS)       #
# Rede Nacional de Ensino e Pesquisa (RNP)                     #
#                                                              #
# cais@cais.rnp.br            http://www.cais.rnp.br           #
# Tel. 019-37873300           Fax. 019-37873301                #
# PGP key available: http://www.rnp.br/cais/cais-pgp.key       #
################################################################

----- End forwarded message -----
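As an added example, not part of the CAIS alert above, the following Python script checks a host for the indicators the alert gives: any non-root account with UID 0 in /etc/passwd (the alert's sys3), the two e-mail addresses in /var/log/maillog, and the MD5 sums of the dropped files. The passwd and maillog text embedded in it is constructed sample data, and the function names are this example's own.

```python
"""Host triage for the indicators in the CAIS alert on the fake OpenSSH
"exploit": a sys3 UID 0 account, two e-mail addresses in the mail log, and
the MD5 sums of the dropped files. Added example; sample data is constructed."""
import hashlib
from pathlib import Path

# Indicators taken from the alert.
MAIL_INDICATORS = ("m0nkeyhack@supermarkt.de", "ownage@gmx.de")
KNOWN_MD5 = {
    "1a34d4428d932d35c0966806b29d5b9c": "sshexp.tar.bz2",
    "3b754b2233e9c80bd4070754f6587c94": "README",
    "4059d198768f9f8dc9372dc1c54bc3c3": "buffer.adv",
    "830ad2439d9b9206794e5d1a527f8ee0": "theosshucksass",
}


def uid0_accounts(passwd_text):
    """Return every account name with UID 0 other than root.

    The trojan adds sys3 with UID 0 on each run, so the same name may appear
    several times; duplicates are kept so the count shows how often it ran.
    """
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 7:
            continue  # blank or malformed line
        name, uid = fields[0], fields[2]
        if uid == "0" and name != "root":
            hits.append(name)
    return hits


def maillog_hits(maillog_text):
    """Return (line number, address) pairs for log lines naming an indicator address."""
    hits = []
    for number, line in enumerate(maillog_text.splitlines(), start=1):
        for address in MAIL_INDICATORS:
            if address in line:
                hits.append((number, address))
    return hits


def classify_bytes(data):
    """Return the sample name whose MD5 matches data, or None."""
    return KNOWN_MD5.get(hashlib.md5(data).hexdigest())


def scan_paths(paths):
    """Hash the files that exist among paths; return {path: sample name} for matches."""
    matches = {}
    for path in paths:
        candidate = Path(path)
        if not candidate.is_file():
            continue  # missing files are simply skipped
        name = classify_bytes(candidate.read_bytes())
        if name:
            matches[str(candidate)] = name
    return matches


def triage(passwd_text, maillog_text, file_matches):
    """Combine the three checks into one verdict dictionary."""
    accounts = uid0_accounts(passwd_text)
    mail = maillog_hits(maillog_text)
    return {
        "rogue_uid0_accounts": accounts,
        "maillog_hits": mail,
        "known_files": dict(file_matches),
        "suspicious": bool(accounts or mail or file_matches),
    }


# Constructed sample data modelled on the alert (not a real capture).
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
alice:x:1000:1000:Alice:/home/alice:/bin/bash
sys3:x:0:0::/:/bin/sh
sys3:x:0:0::/:/bin/sh
"""

SAMPLE_MAILLOG = """Sep 18 18:40:01 host sendmail[2211]: from=<ownage@gmx.de>, size=3120, nrcpts=1
Sep 18 18:40:02 host sendmail[2212]: to=<m0nkeyhack@supermarkt.de>, stat=Sent
Sep 18 18:45:10 host sendmail[2230]: from=<alice@example.org>, size=512, nrcpts=1
"""

if __name__ == "__main__":
    # On a real host, pass Path("/etc/passwd").read_text(),
    # Path("/var/log/maillog").read_text() and scan_paths([...]) instead.
    report = triage(SAMPLE_PASSWD, SAMPLE_MAILLOG, scan_paths([]))
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a real host the caller reads /etc/passwd and /var/log/maillog and passes the paths of any recovered archive or extracted files to scan_paths; a hash match confirms the sample, while a non-match only means the files differ from the ones CAIS analysed.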
From: security@unicamp.br (Security Team - UNICAMP)
Date: Fri, 19 Sep 2003 15:32:19 -0300
Subject: [SECURITY-L] Security vulnerabilities
Message-ID: <20030919183219.GA3036@unicamp.br>

Dear users,

We have updated the site of Unicamp's Systems and Network Security Team (Equipe de Seguranca em Sistemas e Redes) with the following vulnerability bulletins:

10/09/2003
----------
CAIS-Alerta
Subject: CERT Advisory CA-2003-23 RPCSS Vulnerabilities in Microsoft Windows.
http://www.security.unicamp.br/docs/bugs/2003/09/v22.txt

SCO Security Advisory (CSSA-2003-SCO-19)
Subject: OpenServer 5.0.7 OpenServer 5.0.6 OpenServer 5.0.5: SCO Internet Manager - local users can gain root level privileges.
http://www.security.unicamp.br/docs/bugs/2003/09/v23.txt

Slackware Security Advisory (SSA:2003-253-01)
Subject: security issues in pine.
http://www.security.unicamp.br/docs/bugs/2003/09/v24.txt

CERT Advisory CA-2003-23
Subject: RPCSS Vulnerabilities in Microsoft Windows.
http://www.security.unicamp.br/docs/bugs/2003/09/v33.txt

11/09/2003
----------
Red Hat Security Advisory (RHSA-2003:273-01)
Subject: Updated pine packages fix vulnerabilities.
http://www.security.unicamp.br/docs/bugs/2003/09/v25.txt

SuSE Security Announcement (SuSE-SA:2003:037)
Subject: security vulnerability in the pine package.
http://www.security.unicamp.br/docs/bugs/2003/09/v26.txt

Debian Security Advisory (DSA 379-1)
Subject: security vulnerability in the sane-backends package.
http://www.security.unicamp.br/docs/bugs/2003/09/v27.txt

Guardian Digital Security Advisory (ESA-20030911-022)
Subject: security vulnerability in the pine package.
http://www.security.unicamp.br/docs/bugs/2003/09/v28.txt

12/09/2003
----------
Mandrake Linux Security Update Advisory (MDKSA-2003:089)
Subject: security vulnerability in the XFree86 package.
http://www.security.unicamp.br/docs/bugs/2003/09/v29.txt

Conectiva Linux Security Announcement (CLA-2003:737)
Subject: buffer overflow vulnerability in the gtkhtml package.
http://www.security.unicamp.br/docs/bugs/2003/09/v30.txt

Conectiva Linux Security Announcement (CLA-2003:738)
Subject: remote vulnerabilities in the pine package.
http://www.security.unicamp.br/docs/bugs/2003/09/v32.txt

CAIS-Resumo: July to September 2003
http://www.security.unicamp.br/docs/bugs/2003/09/v34.txt

Debian Security Advisory (DSA 380-1)
Subject: security vulnerability in the xfree86 package.
http://www.security.unicamp.br/docs/bugs/2003/09/v35.txt

13/09/2003
----------
Debian Security Advisory (DSA 381-1)
Subject: security vulnerability in the mysql package.
http://www.security.unicamp.br/docs/bugs/2003/09/v31.txt

15/09/2003
----------
Gentoo Linux Security Announcement (200309-08)
Subject: security vulnerability in the mysql package.
http://www.security.unicamp.br/docs/bugs/2003/09/v36.txt

16/09/2003
----------
CAIS-Alerta
Subject: remote vulnerability in OpenSSH.
http://www.security.unicamp.br/docs/bugs/2003/09/v39.txt

Red Hat Security Advisory (RHSA-2003:279-01)
Subject: Updated OpenSSH packages fix potential vulnerability.
http://www.security.unicamp.br/docs/bugs/2003/09/v40.txt

FreeBSD Security Advisories (FreeBSD-SA-03:12)
Subject: OpenSSH buffer management error.
http://www.security.unicamp.br/docs/bugs/2003/09/v41.txt

CAIS-Alerta
Subject: Remote vulnerability in Solaris Solstice AdminSuite.
http://www.security.unicamp.br/docs/bugs/2003/09/v42.txt

Debian Security Advisory (DSA 382-1)
Subject: security vulnerability in the ssh package.
http://www.security.unicamp.br/docs/bugs/2003/09/v43.txt

Immunix Secured OS Security Advisory (IMNX-2003-7+-020-01)
Subject: security vulnerability in the openssh package.
http://www.security.unicamp.br/docs/bugs/2003/09/v44.txt

Conectiva Linux Security Announcement (CLA-2003:739)
Subject: security vulnerability in the openssh package.
http://www.security.unicamp.br/docs/bugs/2003/09/v45.txt

Slackware Security Advisory (SSA:2003-259-01)
Subject: OpenSSH Security Advisory.
http://www.security.unicamp.br/docs/bugs/2003/09/v46.txt

KDE Security Advisory
Subject: KDM vulnerabilities.
http://www.security.unicamp.br/docs/bugs/2003/09/v47.txt

Mandrake Linux Security Update Advisory (MDKSA-2003:090)
Subject: security vulnerability in the openssh package.
http://www.security.unicamp.br/docs/bugs/2003/09/v48.txt

CERT Advisory CA-2003-24
Subject: Buffer Management Vulnerability in OpenSSH.
http://www.security.unicamp.br/docs/bugs/2003/09/v49.txt

Mandrake Linux Security Update Advisory (MDKSA-2003:091)
Subject: security vulnerability in the kdebase package.
http://www.security.unicamp.br/docs/bugs/2003/09/v50.txt

Guardian Digital Security Advisory (ESA-20030916-023)
Subject: security vulnerability in the openssh, openssh-clients and openssh-server packages (buffer management error).
http://www.security.unicamp.br/docs/bugs/2003/09/v38.txt

17/09/2003
----------
Cisco Security Advisory
Subject: OpenSSH Server Vulnerabilities.
http://www.security.unicamp.br/docs/bugs/2003/09/v51.txt

OpenPKG Security Advisory (OpenPKG-SA-2003.040)
Subject: security vulnerability in the openssh package.
http://www.security.unicamp.br/docs/bugs/2003/09/v52.txt

Debian Security Advisory (DSA 382-2)
Subject: security vulnerability in the openssh package.
http://www.security.unicamp.br/docs/bugs/2003/09/v53.txt

CAIS-Alerta
Subject: News about the OpenSSH vulnerability - CA-2003-24.
http://www.security.unicamp.br/docs/bugs/2003/09/v54.txt

Trustix Secure Linux Security Advisory (#2003-033)
Subject: security vulnerability in the openssh package.
http://www.security.unicamp.br/docs/bugs/2003/09/v55.txt

Trustix Secure Linux Security Advisory (#2003-034)
Subject: security vulnerability in the mysql package.
http://www.security.unicamp.br/docs/bugs/2003/09/v56.txt

Mandrake Linux Security Update Advisory (MDKSA-2003:090-1)
Subject: security vulnerability in the openssh package.
http://www.security.unicamp.br/docs/bugs/2003/09/v57.txt

Slackware Security Advisory (SSA:2003-260-01)
Subject: OpenSSH updated again.
http://www.security.unicamp.br/docs/bugs/2003/09/v58.txt

Slackware Security Advisory (SSA:2003-260-02)
Subject: Sendmail vulnerabilities fixed.
http://www.security.unicamp.br/docs/bugs/2003/09/v59.txt

Gentoo Linux Security Announcement (200309-13)
Subject: security vulnerability in the sendmail package.
http://www.security.unicamp.br/docs/bugs/2003/09/v60.txt

Red Hat Security Advisory (RHSA-2003:279-02)
Subject: Updated OpenSSH packages fix potential vulnerabilities.
http://www.security.unicamp.br/docs/bugs/2003/09/v61.txt

FreeBSD Security Advisories (FreeBSD-SA-03:13)
Subject: third sendmail header parsing buffer overflow.
http://www.security.unicamp.br/docs/bugs/2003/09/v62.txt

Red Hat Security Advisory (RHSA-2003:283-01)
Subject: Updated Sendmail packages fix vulnerability.
http://www.security.unicamp.br/docs/bugs/2003/09/v63.txt

Debian Security Advisory (DSA 384-1)
Subject: security vulnerability in the sendmail package.
http://www.security.unicamp.br/docs/bugs/2003/09/v64.txt

Immunix Secured OS Security Advisory (IMNX-2003-7+-021-01)
Subject: security vulnerability in the sendmail package.
http://www.security.unicamp.br/docs/bugs/2003/09/v66.txt

18/09/2003
----------
Mandrake Linux Security Update Advisory (MDKSA-2003:092)
Subject: security vulnerability in the sendmail package.
http://www.security.unicamp.br/docs/bugs/2003/09/v65.txt

NetBSD Security Advisory (2003-012)
Subject: Out of bounds memset(0) in sshd.
http://www.security.unicamp.br/docs/bugs/2003/09/v67.txt

NetBSD Security Advisory (2003-014)
Subject: Insufficient argument checking in sysctl(2).
http://www.security.unicamp.br/docs/bugs/2003/09/v68.txt

CERT Advisory CA-2003-25
Subject: Buffer Overflow in Sendmail.
http://www.security.unicamp.br/docs/bugs/2003/09/v69.txt

Guardian Digital Security Advisory (ESA-20030918-024)
Subject: additional buffer management bugs in openssh, openssh-clients, openssh-server.
http://www.security.unicamp.br/docs/bugs/2003/09/v70.txt

Guardian Digital Security Advisory (ESA-20030918-025)
Subject: buffer overflow in MySQL, MySQL-client, MySQL-shared.
http://www.security.unicamp.br/docs/bugs/2003/09/v71.txt

CAIS-Alerta
Subject: CERT Advisory CA-2003-25 Buffer Overflow in Sendmail.
http://www.security.unicamp.br/docs/bugs/2003/09/v72.txt

SuSE Security Announcement (SuSE-SA:2003:039)
Subject: security vulnerability in the openssh package.
http://www.security.unicamp.br/docs/bugs/2003/09/v73.txt

Conectiva Linux Security Announcement (CLA-2003:742)
Subject: remote vulnerability in the sendmail package.
http://www.security.unicamp.br/docs/bugs/2003/09/v74.txt

Conectiva Linux Security Announcement (CLA-2003:743)
Subject: multiple vulnerabilities in the MySQL package.
http://www.security.unicamp.br/docs/bugs/2003/09/v75.txt

Mandrake Linux Security Update Advisory (MDKSA-2003:094)
Subject: security vulnerability in MySQL.
http://www.security.unicamp.br/docs/bugs/2003/09/v76.txt

19/09/2003
----------
CAIS-Alerta
Subject: Fake exploit for the OpenSSH vulnerability
http://www.security.unicamp.br/docs/bugs/2003/09/v37.txt

OpenPKG Security Advisory (OpenPKG-SA-2003.041)
Subject: remote vulnerability in the sendmail package.
http://www.security.unicamp.br/docs/bugs/2003/09/v77.txt

--
Equipe de Seguranca em Sistemas e Redes
Unicamp - Universidade Estadual de Campinas
Mailto:security@unicamp.br
http://www.security.unicamp.br

From security@unicamp.br Mon Sep 22 10:36:33 2003
From: security@unicamp.br (Security Team - UNICAMP)
Date: Mon, 22 Sep 2003 10:36:33 -0300
Subject: [SECURITY-L] CAIS-Alerta: Propagation of the Swen worm
Message-ID: <20030922133633.GB342@unicamp.br>

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca -----
From: Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS-Alerta: Propagation of the Swen worm
To: rnp-alerta@cais.rnp.br, rnp-seg@cais.rnp.br
Date: Fri, 19 Sep 2003 16:42:32 -0300 (BRT)

Dear all,

Since yesterday, 18/09, CAIS has been following the propagation of the Swen worm, also known as W32/Swen@MM and W32/Gibe-F. So far there are no reports of in-the-wild propagation of this worm on Brazilian networks. The same is not true of international networks, however, which has led some anti-virus vendors, such as McAfee and Symantec, to raise the risk rating of Swen.

Swen spreads by e-mail, network shares, IRC and the Kazaa P2P application. It can reach the victim through an e-mail forged to appear to come from Microsoft, claiming that a fix (patch) needs to be installed on the victim machine. In addition, Swen exploits an Internet Explorer vulnerability, disclosed in Microsoft bulletin MS01-020, to ensure that its code runs automatically when the infected e-mail is viewed. Another feature of Swen is that it stops various security programs, including anti-virus software and personal firewalls.

There are several possible values for the From: field, the Subject: and the name of the file attached to the infected e-mail. There is also a list of security applications predefined in the code that the worm will attempt to disable. This information and other details of how Swen works can be found in the following references:

http://www.infoguerra.com.br/infoguerra.php?newsid=1063973417,7158,
http://www.ciac.org/ciac/bulletins/n-153.shtml
http://securityresponse.symantec.com/avcenter/venc/data/w32.swen.a@mm.html
http://www.f-secure.com/v-descs/swen.shtml
http://vil.nai.com/vil/content/v_100662.htm

CAIS has been informed that machines infected with the Swen worm will try to connect, via the HTTP protocol, to the site ww2.fce.vutbr.cz (193.86.103.74).
Therefore, one way to identify probably infected machines is to filter traffic to that site on your network.

CAIS strongly recommends that all users keep their anti-virus software always up to date, daily or automatically; that they not open attachments of any kind without first scanning them with an anti-virus; and that they always verify the authenticity of the e-mail's sender address.

Regards,

################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS)       #
# Rede Nacional de Ensino e Pesquisa (RNP)                     #
#                                                              #
# cais@cais.rnp.br            http://www.cais.rnp.br           #
# Tel. 019-37873300           Fax. 019-37873301                #
# PGP key available: http://www.rnp.br/cais/cais-pgp.key       #
################################################################

----- End forwarded message -----

From security@unicamp.br Tue Sep 23 15:31:51 2003
From: security@unicamp.br (Security Team - UNICAMP)
Date: Tue, 23 Sep 2003 15:31:51 -0300
Subject: [SECURITY-L] CAIS-Alerta: Remote vulnerability in the ProFTPD FTP server
Message-ID: <20030923183151.GF292@unicamp.br>

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca -----
From: Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS-Alerta: Remote vulnerability in the ProFTPD FTP server
To: rnp-alerta@cais.rnp.br, rnp-seg@cais.rnp.br
Date: Tue, 23 Sep 2003 15:18:18 -0300 (BRT)

Dear all,

CAIS is relaying the ISS X-Force alert, ISS Security Brief: "ProFTPD ASCII File Remote Compromise Vulnerability", which concerns a vulnerability in the ProFTPD server caused by an error in the handling of uploads of files in ASCII format, which may allow a remote attacker to execute arbitrary code.

An attacker able to upload a file in ASCII format to the server can cause a buffer overflow, resulting in remote code execution with the privileges of the user running the ftp server, normally "root". The attack will only succeed if the user has permission to upload files to the server.

Affected systems:

. ProFTPD 1.2.7
. ProFTPD 1.2.8
. ProFTPD 1.2.8rc1
. ProFTPD 1.2.8rc2
. ProFTPD 1.2.9rc1
. ProFTPD 1.2.9rc2

Versions prior to 1.2.7 may also be vulnerable to the attack.

Available fixes:

Updating to the versions available at ftp.proftpd.org is recommended:

. ftp://ftp.proftpd.org/distrib/source/proftpd-1.2.7p.tar.gz
. ftp://ftp.proftpd.org/distrib/source/proftpd-1.2.8p.tar.gz
. ftp://ftp.proftpd.org/distrib/source/proftpd-1.2.9rc1p.tar.gz
. ftp://ftp.proftpd.org/distrib/source/proftpd-1.2.9rc2p.tar.gz

More information:

. http://xforce.iss.net/xforce/alerts/id/154
. http://www.proftpd.org/

CAIS recommends that administrators keep their systems and applications always up to date, in line with the latest versions and fixes made available by vendors.
Regards,

################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS)       #
# Rede Nacional de Ensino e Pesquisa (RNP)                     #
#                                                              #
# cais@cais.rnp.br            http://www.cais.rnp.br           #
# Tel. 019-37873300           Fax. 019-37873301                #
# PGP key available: http://www.rnp.br/cais/cais-pgp.key       #
################################################################

-----------------------------------------------------------------------

Internet Security Systems Security Brief
September 23, 2003

ProFTPD ASCII File Remote Compromise Vulnerability

Synopsis:

ISS X-Force has discovered a flaw in the ProFTPD Unix FTP server. ProFTPD is a highly configurable FTP (File Transfer Protocol) server for Unix that allows for per-directory access restrictions, easy configuration of virtual FTP servers, and support for multiple authentication mechanisms. A flaw exists in the ProFTPD component that handles incoming ASCII file transfers.

Impact:

An attacker capable of uploading files to the vulnerable system can trigger a buffer overflow and execute arbitrary code to gain complete control of the system. Attackers may use this vulnerability to destroy, steal, or manipulate data on vulnerable FTP sites.

Affected Versions:

ProFTPD 1.2.7
ProFTPD 1.2.8
ProFTPD 1.2.8rc1
ProFTPD 1.2.8rc2
ProFTPD 1.2.9rc1
ProFTPD 1.2.9rc2

Note: Versions previous to version 1.2.7 may also be vulnerable.

For the complete ISS X-Force Security Advisory, please visit:
http://xforce.iss.net/xforce/alerts/id/154

______

About Internet Security Systems (ISS)

Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a pioneer and world leader in software and services that protect critical online resources from an ever-changing spectrum of threats and misuse. Internet Security Systems is headquartered in Atlanta, GA, with additional operations throughout the Americas, Asia, Australia, Europe and the Middle East.

Copyright (c) 2003 Internet Security Systems, Inc.
All rights reserved worldwide.

Permission is hereby granted for the electronic redistribution of this document. It is not to be edited or altered in any way without the express written consent of the Internet Security Systems X-Force. If you wish to reprint the whole or any part of this document in any other medium excluding electronic media, please email xforce@iss.net for permission.

Disclaimer: The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

X-Force PGP Key available on MIT's PGP key server and PGP.com's key server, as well as at
http://www.iss.net/security_center/sensitive.php

Please send suggestions, updates, and comments to: X-Force xforce@iss.net of Internet Security Systems, Inc.

From security@unicamp.br Tue Sep 23 14:56:58 2003
From: security@unicamp.br (Security Team - UNICAMP)
Date: Tue, 23 Sep 2003 14:56:58 -0300
Subject: [SECURITY-L] News bulletins
Message-ID: <20030923175657.GE292@unicamp.br>

Dear users,

We have updated the site of Unicamp's Systems and Network Security Team (Equipe de Seguranca em Sistemas e Redes) with the following news bulletins and/or electronic magazines:

22/09/2003
----------
SANS Critical Vulnerability Analysis Vol 2 No 37
Source: SANS Institute
http://www.security.unicamp.br/docs/informativos/2003/09/b10.txt

Módulo Security News no. 310
Source: Módulo Security Solutions S/A
http://www.security.unicamp.br/docs/informativos/2003/09/b11.txt

--
Equipe de Seguranca em Sistemas e Redes
Unicamp - Universidade Estadual de Campinas
mailto:security@unicamp.br
http://www.security.unicamp.br

From security@unicamp.br Fri Sep 26 14:35:13 2003
From: security@unicamp.br (Security Team - UNICAMP)
Date: Fri, 26 Sep 2003 14:35:13 -0300
Subject: [SECURITY-L] CAIS-Alerta: Blacklists deactivated
Message-ID: <20030926173513.GL1981@unicamp.br>

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca -----
From: Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS-Alerta: Blacklists deactivated
To: rnp-alerta@cais.rnp.br, rnp-seg@cais.rnp.br
Date: Thu, 25 Sep 2003 16:02:17 -0300 (BRT)

Dear all,

CAIS has learned of the shutdown of the blacklists maintained by the Infinite Monkeys site under the monkeys.com domain, owing to the repeated DDoS attacks of which it had been the victim. The anti-spam services of that site were suspended on 22 September. It is worth noting that the open-proxy blacklist maintained by Infinite Monkeys was one of the most widely used references for this purpose.

More information on this can be found in the official announcement published by the site's maintainer at:

"ANNOUNCE: MONKEYS.COM: Now retired from spam fighting"
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&threadm=vn1lufn8h6r38%40corp.supernews.com&rnum=4&prev=/groups%3Fq%3D%2522Now%2Bretired%2Bfrom%2Bspam%2Bfighting%2522%26hl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26selm%3Dvn1lufn8h6r38%2540corp.supernews.com%26rnum%3D4

Besides Monkeys.com, the blackhole.compu.net blacklist was also shut down on 23 September, according to the following note published by Compu.Net's network administrator:

"blackhole.compu.net is now defunct"
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&selm=3f70e839%241%40dimaggio.newszilla.com

CAIS reminds administrators who have SMTP servers configured to use blacklists of the need to remove the references to the deactivated sites from their configurations.

Regards,

################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS)       #
# Rede Nacional de Ensino e Pesquisa (RNP)                     #
#                                                              #
# cais@cais.rnp.br            http://www.cais.rnp.br           #
# Tel. 019-37873300           Fax. 019-37873301                #
# PGP key available: http://www.rnp.br/cais/cais-pgp.key       #
################################################################

----- End forwarded message -----

From security@unicamp.br Fri Sep 26 15:31:38 2003
From: security@unicamp.br (Security Team - UNICAMP)
Date: Fri, 26 Sep 2003 15:31:38 -0300
Subject: [SECURITY-L] News bulletins
Message-ID: <20030926183138.GT1981@unicamp.br>

Dear users,

We have updated the site of Unicamp's Systems and Network Security Team (Equipe de Seguranca em Sistemas e Redes) with the following news bulletins and/or electronic magazines:

24/09/2003
----------
SANS NewsBites Vol. 5 Num. 38
Source: SANS Institute
http://www.security.unicamp.br/docs/informativos/2003/09/b12.txt

--
Equipe de Seguranca em Sistemas e Redes
Unicamp - Universidade Estadual de Campinas
mailto:security@unicamp.br
http://www.security.unicamp.br

From security@unicamp.br Fri Sep 26 16:40:08 2003
From: security@unicamp.br (Security Team - UNICAMP)
Date: Fri, 26 Sep 2003 16:40:08 -0300
Subject: [SECURITY-L] Security vulnerabilities
Message-ID: <20030926194008.GV1981@unicamp.br>

Dear users,

We have updated the site of Unicamp's Systems and Network Security Team (Equipe de Seguranca em Sistemas e Redes) with the following vulnerability bulletins:

23/09/2003
----------
Gentoo Linux Security Announcement (200309-14)
Subject: security vulnerability in the openssh package.
http://www.security.unicamp.br/docs/bugs/2003/09/v92.txt

Slackware Security Advisory (SSA:2003-266-01)
Subject: New OpenSSH packages.
http://www.security.unicamp.br/docs/bugs/2003/09/v93.txt

Slackware Security Advisory (SSA:2003-259-02)
Subject: ProFTPD Security Advisory.
http://www.security.unicamp.br/docs/bugs/2003/09/v94.txt

Slackware Security Advisory (SSA:2003-259-03)
Subject: WU-FTPD Security Advisory.
http://www.security.unicamp.br/docs/bugs/2003/09/v95.txt

FreeBSD Security Advisories (FreeBSD-SA-03:14)
Subject: denial of service due to ARP resource starvation.
http://www.security.unicamp.br/docs/bugs/2003/09/v98.txt

24/09/2003
----------
OpenPKG Security Advisory (OpenPKG-SA-2003.042)
Subject: security vulnerability in the openssh package.
http://www.security.unicamp.br/docs/bugs/2003/09/v96.txt

Guardian Digital Security Advisory (ESA-20030924-026)
Subject: security vulnerability in the WebTool-userpass package.
http://www.security.unicamp.br/docs/bugs/2003/09/v97.txt

Conectiva Linux Security Announcement (CLA-2003:749)
Subject: integer overflow vulnerabilities and other problems in the php4 package.
http://www.security.unicamp.br/docs/bugs/2003/09/v99.txt

25/09/2003
----------
OpenPKG Security Advisory (OpenPKG-SA-2003.043)
Subject: security vulnerability in the proftpd package.
http://www.security.unicamp.br/docs/bugs/2003/09/v100.txt

REVISED: FreeBSD Security Advisories (FreeBSD-SA-03:14)
Subject: denial of service due to ARP resource starvation.
http://www.security.unicamp.br/docs/bugs/2003/09/v101.txt

26/09/2003
----------
Debian Security Advisory (DSA 390-1)
Subject: security vulnerability in the marbles package.
http://www.security.unicamp.br/docs/bugs/2003/09/v102.txt

--
Equipe de Seguranca em Sistemas e Redes
Unicamp - Universidade Estadual de Campinas
Mailto:security@unicamp.br
http://www.security.unicamp.br

From security@unicamp.br Tue Sep 30 09:11:57 2003
From: security@unicamp.br (Security Team - UNICAMP)
Date: Tue, 30 Sep 2003 09:11:57 -0300
Subject: [SECURITY-L] CERT Advisory Notice: Clarifications regarding recent vulnerabilities in OpenSSH
Message-ID: <20030930121157.GA2799@unicamp.br>

----- Forwarded message from CERT Advisory -----
From: CERT Advisory
Subject: CERT Advisory Notice: Clarifications regarding recent vulnerabilities in OpenSSH
To: cert-advisory em cert.org
Date: Mon, 29 Sep 2003 18:25:39 -0400
Organization: CERT(R) Coordination Center - +1 412-268-7090

-----BEGIN PGP SIGNED MESSAGE-----

CERT Advisory Notice: Clarifications regarding recent vulnerabilities in OpenSSH

The CERT/CC has received queries regarding several recent OpenSSH vulnerabilities. We are sending this message to help ensure that administrators have not overlooked one or more of these vulnerabilities.

There have been several recent vulnerabilities affecting OpenSSH. They are:

VU#333628 - OpenSSH contains buffer management errors
http://www.kb.cert.org/vuls/id/333628

This issue addresses two releases of OpenSSH to resolve multiple issues in the buffer management code. It is unclear if these issues are exploitable, but they are resolved in version 3.7.1. Note that there are other additional flaws in the buffer management code as reported by Openwall GNU/*/Linux in http://www.kb.cert.org/vuls/id/JARL-5RFQQZ. These four additional flaws are believed to be relatively minor, and are scheduled to be included in the next version of OpenSSH.

VU#602204 - OpenSSH PAM challenge authentication failure
http://www.kb.cert.org/vuls/id/602204

Under non-standard configurations, portable versions of OpenSSH 3.7p1 and 3.7.1p1 are vulnerable to a remotely exploitable vulnerability. Exploitation of this vulnerability may lead to a remote attacker gaining privileged access to the server, in some cases root access.

VU#209807 - Portable OpenSSH server PAM conversion stack corruption
http://www.kb.cert.org/vuls/id/209807

There is a vulnerability in portable versions of OpenSSH 3.7p1 and 3.7.1p1 that may permit an attacker to corrupt the PAM conversion stack. The complete impact of this vulnerability is unclear, but may lead to privilege escalation, or a denial of service.
Please check the vulnerability notes for resolutions and additional details.

Thank you.

CERT/CC Contact Information

Email: cert em cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site http://www.cert.org/

To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo em cert.org. Please include in the body of your message

subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.

______________________________________________________________________

NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

______________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2003 Carnegie Mellon University.
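For an administrator triaging the three vulnerability notes in the CERT notice above, here is an added example (not part of the CERT message or of OpenSSH) that parses OpenSSH server identification banners from a host inventory and reports which notes apply, using only the version boundaries the notice states: VU#333628 resolved in 3.7.1, and VU#602204 / VU#209807 limited to portable 3.7p1 and 3.7.1p1. The banner strings and host names are constructed sample input.

```python
import re
from typing import NamedTuple, Optional

# Constructed sample inventory: banner strings as an SSH server sends them on connect.
SAMPLE_BANNERS = {
    "host-a": "SSH-2.0-OpenSSH_3.6.1p2",
    "host-b": "SSH-2.0-OpenSSH_3.7p1",
    "host-c": "SSH-1.99-OpenSSH_3.7.1p1 Debian-1",
    "host-d": "SSH-2.0-OpenSSH_3.7.1",
    "host-e": "SSH-2.0-dropbear_0.39",
}

# OpenSSH_<major>.<minor>[.<patch>][p<portable-level>]; anything else is ignored.
BANNER_RE = re.compile(r"^SSH-[\d.]+-OpenSSH_(\d+)\.(\d+)(?:\.(\d+))?(p(\d+))?")


class Version(NamedTuple):
    major: int
    minor: int
    patch: int
    portable: bool   # True for the portable release (the "pN" suffix)
    plevel: int      # N from the "pN" suffix, 0 when absent


def parse_banner(banner: str) -> Optional[Version]:
    m = BANNER_RE.match(banner.strip())
    if not m:
        return None
    major, minor, patch, psuffix, plevel = m.groups()
    return Version(int(major), int(minor), int(patch or 0), psuffix is not None, int(plevel or 0))


def triage(banner: str) -> list[str]:
    """Return the VU ids from the notice that apply to this banner (empty if none)."""
    v = parse_banner(banner)
    if v is None:
        return []
    findings = []
    # VU#333628: buffer management errors, resolved in 3.7.1, so anything older is affected.
    if (v.major, v.minor, v.patch) < (3, 7, 1):
        findings.append("VU#333628")
    # VU#602204 and VU#209807: only portable 3.7p1 and 3.7.1p1 (PAM code paths); the notice
    # says VU#602204 needs a non-standard configuration, so treat these as "review", not "confirmed".
    if v.portable and (v.major, v.minor, v.patch, v.plevel) in {(3, 7, 0, 1), (3, 7, 1, 1)}:
        findings += ["VU#602204", "VU#209807"]
    return findings


def triage_inventory(inventory: dict[str, str]) -> dict[str, list[str]]:
    return {host: triage(banner) for host, banner in inventory.items()}
```

Hosts whose banner does not match the OpenSSH pattern come back with an empty list, so a non-OpenSSH server is not mistaken for a patched one; check those separately.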
----- End forwarded message -----

From security em unicamp.br Tue Sep 30 10:09:04 2003
From: security em unicamp.br (Security Team - UNICAMP)
Date: Tue, 30 Sep 2003 10:09:04 -0300
Subject: [SECURITY-L] Microsoft warns of virus disguised as security bulletin
Message-ID: <20030930130904.GA6225@unicamp.br>

----- Forwarded message from Caio Souza Mendes -----
From: Caio Souza Mendes
Subject: Microsoft warns of virus disguised as security bulletin
To: security em unicamp.br
Date: Mon, 29 Sep 2003 14:34:16 -0300 (ART)

Microsoft warns of virus disguised as security bulletin
29/9/2003 - 13:35
Giordani Rodrigues
http://www.infoguerra.com.br/

The Brazilian subsidiary of Microsoft, through its press office, has just released a statement warning Internet users about fake e-mail messages circulating in the company's name. The e-mail carries forged senders, such as Microsoft Network Security Division and Microsoft Corporation Security Assistance, and announces a supposed security update bulletin, claiming vulnerabilities in the Internet Explorer, Outlook and Outlook Express products. The message has an attached file which, under the pretext of applying the critical updates mentioned, installs a virus on users' computers.

The company's press office did not provide details about the virus, but from the characteristics cited it is very likely to be Swen, discovered about 10 days ago and whose incidence in Brazil has grown considerably in recent days. By clicking here (http://www.infoguerra.com.br/infonews/fotos/swen5.gif) you can see a reproduction of a message containing the virus, which reached the InfoGuerra newsroom last week (the attached file, originally an ".exe", was intercepted by the Zone Alarm firewall, which is why it has the ".zl9" extension).

Microsoft's alert clarifies that it is not the company's communication policy to send unsolicited e-mail messages to its customers, much less for the installation of any program or fix. The company's operating systems and other applications are updated through Windows Update (http://windowsupdate.microsoft.com/), a worldwide service that serves as the sole official update source for the user.
Shortly after the overwhelming outbreak of Blaster, Microsoft also created a page in several languages, including Portuguese, with security recommendations and tips that help users keep their computers more secure. The page can be accessed at www.microsoft.com/brasil/proteja

----- End forwarded message -----

From security em unicamp.br Tue Sep 30 14:37:51 2003
From: security em unicamp.br (Security Team - UNICAMP)
Date: Tue, 30 Sep 2003 14:37:51 -0300
Subject: [SECURITY-L] Slackware 9.1 released!
Message-ID: <20030930173750.GA347@unicamp.br>

----- Forwarded message from Caio Souza Mendes -----

From: Caio Souza Mendes
Subject: Slackware 9.1 released!
To: security em unicamp.br
Date: Tue, 30 Sep 2003 11:09:28 -0300 (ART)

Slackware 9.1 released!

Version 9.1 of the Slackware Linux distribution has been released, bringing several updates such as: Kernel 2.4.22, glibc 2.3.2, gcc-3.2.3, Apache 1.3.28, GNOME 2.4, AbiWord-2.0.0, gaim-0.68, gimp-1.2.5 (gimp 1.3.20 also included), gxine-0.3.3, pan-0.13.4, Netscape 7.1, Konqueror 3.1.4, Mozilla 1.4, Epiphany 1.0, Galeon 1.3.9, plus Kernel 2.6 and GCC 3.3.1 as optional extras, and much more.

Another big change is that there are now 2 installation CDs. CD 2 carries the extras and Slackware Live! CD 2 may be needed even for a basic installation if the FULL installation option is not chosen.

Download Slackware 9.1 at: ftp://ftp.slackware.com/pub/slackware/slackware-9.1/

More information: http://www.slackware.com/announce/9.1.php

Source: NoticiasLinux.com.br

----- End forwarded message -----