From security at unicamp.br  Tue Mar  2 16:45:20 2004
From: security at unicamp.br (CSIRT - UNICAMP)
Date: Tue, 2 Mar 2004 16:45:20 -0300
Subject: [SECURITY-L] Security vulnerabilities
Message-ID: <20040302194517.GB5266@unicamp.br>

Dear users,

We have updated the site of the Unicamp CSIRT (Computer Security Incident Response Team) with the following vulnerability bulletins:

25/02/2004
----------
FreeBSD Security Advisories (FreeBSD-SA-04:03)
Subject: Jailed processes can attach to other jails.
http://www.security.unicamp.br/docs/bugs/2004/02/v125.txt

27/02/2004
----------
Debian Security Advisory (DSA 450-1)
Subject: security vulnerability in the kernel (packages: kernel-source-2.4.19, kernel-patch-2.4.19-mips)
http://www.security.unicamp.br/docs/bugs/2004/02/v124.txt

Debian Security Advisory (DSA 451-1)
Subject: security vulnerability in the xboing package.
http://www.security.unicamp.br/docs/bugs/2004/02/v126.txt

29/02/2004
----------
Debian Security Advisory (DSA 452-1)
Subject: security vulnerability in the libapache-mod-python package.
http://www.security.unicamp.br/docs/bugs/2004/02/v127.txt

01/03/2004
----------
SCO Security Advisory (CSSA-2004-006.0)
Subject: OpenLinux: Integer overflow may allow local users to cause a denial of service or possibly execute arbitrary code.
http://www.security.unicamp.br/docs/bugs/2004/03/v1.txt

02/03/2004
----------
Fedora Update Notification (FEDORA-2004-085)
Subject: security vulnerability in the perl package.
http://www.security.unicamp.br/docs/bugs/2004/03/v2.txt

Fedora Update Notification (FEDORA-2004-086)
Subject: security vulnerability in the mod_perl package.
http://www.security.unicamp.br/docs/bugs/2004/03/v3.txt

Fedora Update Notification (FEDORA-2004-083)
Subject: security vulnerability in the up2date package.
http://www.security.unicamp.br/docs/bugs/2004/03/v4.txt

Fedora Update Notification (FEDORA-2004-084)
Subject: security vulnerability in the yum package.
http://www.security.unicamp.br/docs/bugs/2004/03/v5.txt

Fedora Update Notification (FEDORA-2004-078)
Subject: security vulnerability in the pwlib package.
http://www.security.unicamp.br/docs/bugs/2004/03/v6.txt

Fedora Update Notification (FEDORA-2004-088)
Subject: security vulnerability in the gnome-panel package.
http://www.security.unicamp.br/docs/bugs/2004/03/v7.txt

Fedora Update Notification (FEDORA-2004-090)
Subject: security vulnerability in the tcpdump package.
http://www.security.unicamp.br/docs/bugs/2004/03/v8.txt

Debian Security Advisory (DSA 454-1)
Subject: security vulnerability in the kernel (packages: kernel-source-2.2.22, kernel-image-2.2.22-alpha).
http://www.security.unicamp.br/docs/bugs/2004/03/v9.txt

--
Computer Security Incident Response Team - CSIRT
Unicamp - Universidade Estadual de Campinas
mailto:security at unicamp.br
http://www.security.unicamp.br


From security at unicamp.br  Tue Mar  9 10:50:36 2004
From: security at unicamp.br (CSIRT - UNICAMP)
Date: Tue, 9 Mar 2004 10:50:36 -0300
Subject: [SECURITY-L] CAIS-Alert: Vulnerability in passwd on Solaris 8, 9
Message-ID: <20040309135036.GA14159@unicamp.br>

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca -----

From: Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS-Alert: Vulnerability in passwd on Solaris 8, 9
To: rnp-alerta at cais.rnp.br, rnp-seg at cais.rnp.br
Date: Fri, 5 Mar 2004 15:06:50 -0300 (BRST)

-----BEGIN PGP SIGNED MESSAGE-----

Dear all,

CAIS is relaying the Sun Microsystems alert, Sun(sm) Alert Notification 57454: "Security Vulnerability Involving the passwd(1) Command", which concerns a vulnerability in the passwd command that may allow a local user to gain administrator (root) privileges.

Affected systems:

. Solaris 8, x86 and SPARC platforms
. Solaris 9, x86 and SPARC platforms

Available fixes:

It is recommended to update to the versions available at:

. Solaris 8 SPARC
  http://www.sunsolve.sun.com/pub-cgi/findPatch.pl?patchId=108993&rev=32
. Solaris 9 SPARC
  http://www.sunsolve.sun.com/pub-cgi/findPatch.pl?patchId=113476&rev=11
. Solaris 8 x86
  http://www.sunsolve.sun.com/pub-cgi/findPatch.pl?patchId=108994&rev=32
. Solaris 9 x86
  http://www.sunsolve.sun.com/pub-cgi/findPatch.pl?patchId=114242&rev=07

More information:

. http://www.sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57454&zone_32=category%3Asecurity
. http://www.ciac.org/ciac/bulletins/o-088.shtml

CAIS recommends that administrators keep their systems and applications up to date with the latest versions and fixes made available by the vendors.

Regards,

################################################################
#   CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS)     #
#          Rede Nacional de Ensino e Pesquisa (RNP)            #
#                                                              #
# cais at cais.rnp.br           http://www.cais.rnp.br         #
# Tel. 019-37873300            Fax. 019-37873301               #
# PGP key available at http://www.rnp.br/cais/cais-pgp.key     #
################################################################


Document ID: 57454
Synopsis: Security Vulnerability Involving the passwd(1) Command
Date: 26 Feb 2004

Description

Sun(sm) Alert Notification

Sun Alert ID: 57454
Synopsis: Security Vulnerability Involving the passwd(1) Command
Category: Security
Product: Solaris
BugIDs: 4793719
Avoidance: Patch
State: Resolved
Date Released: 26-Feb-2004
Date Closed: 26-Feb-2004
Date Modified:

1. Impact

A local unprivileged user may be able to gain unauthorized root privileges due to a security issue involving the passwd(1) command.

Sun acknowledges, with thanks, Tim Wort (Tim.Wort at InklingResearch.com) for contacting us regarding this issue.

2. Contributing Factors

This issue can occur in the following releases:

SPARC Platform
- Solaris 8 with patch 108993-14 through 108993-31 and without patch 108993-32
- Solaris 9 without patch 113476-11

x86 Platform
- Solaris 8 with patch 108994-14 through 108994-31 and without patch 108994-32
- Solaris 9 without patch 114242-07

Note: Solaris 7 is not affected by this issue.

3. Symptoms

There are no reliable symptoms that would show the described issue has been exploited to gain unauthorized elevated privileges to a host.

Solution Summary

4. Relief/Workaround

There is no workaround for this issue.

5. Resolution

This issue is addressed in the following releases:

SPARC Platform
- Solaris 8 with patch 108993-32 or later
- Solaris 9 with patch 113476-11 or later

x86 Platform
- Solaris 8 with patch 108994-32 or later
- Solaris 9 with patch 114242-07 or later

This Sun Alert notification is being provided to you on an "AS IS" basis. This Sun Alert notification may contain information provided by third parties. The issues described in this Sun Alert notification may or may not impact your system(s). Sun makes no representations, warranties, or guarantees as to the information contained herein. ANY AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN.

This Sun Alert notification contains Sun proprietary and confidential information. It is being provided to you pursuant to the provisions of your agreement to purchase services from Sun, or, if you do not have such an agreement, the Sun.com Terms of Use. This Sun Alert notification may only be used for the purposes contemplated by these agreements.
Copyright 2000-2004 Sun Microsystems, Inc., 4150 Network Circle, Santa Clara, CA 95054 U.S.A. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBQEjBw+kli63F4U8VAQGM/gQAmH65NHX5WK4+VNU/uyEiJuwjS+cUp3xi
ij91jGPAyikWIgBAGCJn49ceWfKgF7NCc3s4h9HppyS3RY4/vSH67X9qsEJ8nHJ+
Ksr0AZx9WnknCzBCjKbbz1INukTZIfl7xZtfUnJRBSxMIQHRwaXi0ZIzYm7+qKkl
mwhia2sP1Gs=
=FUiS
-----END PGP SIGNATURE-----

----- End forwarded message -----


From security at unicamp.br  Tue Mar  9 16:55:58 2004
From: security at unicamp.br (CSIRT - UNICAMP)
Date: Tue, 9 Mar 2004 16:55:58 -0300
Subject: [SECURITY-L] Security vulnerabilities
Message-ID: <20040309195558.GC14159@unicamp.br>

Dear users,

We have updated the site of the Unicamp CSIRT (Computer Security Incident Response Team) with the following vulnerability bulletins:

02/03/2004
----------
Fedora Legacy Update Advisory (FLSA:1284)
Subject: Updated kernel resolves security vulnerabilities.
http://www.security.unicamp.br/docs/bugs/2004/03/v10.txt

FreeBSD Security Advisories (FreeBSD-SA-04:04)
Subject: many out-of-sequence TCP packets denial-of-service.
http://www.security.unicamp.br/docs/bugs/2004/03/v11.txt

Fedora Update Notification (FEDORA-2004-067)
Subject: security vulnerability in the kudzu package.
http://www.security.unicamp.br/docs/bugs/2004/03/v12.txt

SCO Security Advisory (CSSA-2004-009.0)
Subject: OpenLinux: Gnupg (gpg) severe bug could compromise almost all ElGamal keys.
http://www.security.unicamp.br/docs/bugs/2004/03/v13.txt

SCO Security Advisory (CSSA-2004-010.0)
Subject: OpenLinux: rsync heap based overflow.
http://www.security.unicamp.br/docs/bugs/2004/03/v14.txt

SCO Security Advisory (CSSA-2004-011.0)
Subject: OpenLinux: screen buffer overflow.
http://www.security.unicamp.br/docs/bugs/2004/03/v15.txt

03/03/2004
----------
SGI Security Advisory (20040301-01-U)
Subject: SGI Advanced Linux Environment security update #13.
http://www.security.unicamp.br/docs/bugs/2004/03/v16.txt

SCO Security Advisory (CSSA-2004-012.0)
Subject: OpenLinux: cups denial of service vulnerability.
http://www.security.unicamp.br/docs/bugs/2004/03/v17.txt

Mandrake Linux Security Update Advisory (MDKSA-2004:017)
Subject: security vulnerability in the pwlib package.
http://www.security.unicamp.br/docs/bugs/2004/03/v18.txt

Mandrake Linux Security Update Advisory (MDKSA-2004:018)
Subject: security vulnerability in the libxml2 package.
http://www.security.unicamp.br/docs/bugs/2004/03/v19.txt

Debian Security Advisory (DSA 455-1)
Subject: security vulnerability in the libxml, libxml2 packages.
http://www.security.unicamp.br/docs/bugs/2004/03/v21.txt

04/03/2004
----------
Fedora Update Notification (FEDORA-2004-091)
Subject: security vulnerability in the tcpdump package.
http://www.security.unicamp.br/docs/bugs/2004/03/v20.txt

Cisco Security Advisory
Subject: Cisco CSS 11000 Series Content Services Switches Malformed UDP Packet Vulnerability.
http://www.security.unicamp.br/docs/bugs/2004/03/v22.txt

Netwosix Linux Security Advisory (#2004-0004)
Subject: security vulnerability in the libxml2 package.
http://www.security.unicamp.br/docs/bugs/2004/03/v23.txt

Fedora Update Notification (FEDORA-2004-060)
Subject: security vulnerability in the mailman package.
http://www.security.unicamp.br/docs/bugs/2004/03/v24.txt

Fedora Legacy Update Advisory (FLSA:1256)
Subject: Updated util-linux resolves security vulnerability.
http://www.security.unicamp.br/docs/bugs/2004/03/v25.txt

--
Computer Security Incident Response Team - CSIRT
Unicamp - Universidade Estadual de Campinas
mailto:security at unicamp.br
http://www.security.unicamp.br


From security at unicamp.br  Wed Mar 10 10:05:18 2004
From: security at unicamp.br (CSIRT - UNICAMP)
Date: Wed, 10 Mar 2004 10:05:18 -0300
Subject: [SECURITY-L] FreeBSD 5.2.1 CDs Now Available from FreeBSDMall
Message-ID: <20040310130515.GB15656@unicamp.br>

----- Forwarded message from Murray Stokely -----

From: Murray Stokely
Subject: [FreeBSD-Announce] FreeBSD 5.2.1 CDs Now Available from FreeBSDMall
To: announce at freebsd.org
Date: Tue, 9 Mar 2004 06:48:21 -0800

FreeBSD Mall, Inc. is happy to announce the availability of FreeBSD 5.2.1 CD products. The four CD set is currently shipping to subscribers. If you haven't yet placed your order, you may do so at http://www.freebsdmall.com.

In addition to CD and DVD products, we also have a large collection of FreeBSD shirts, hats, jackets, boxer shorts, stickers, case-plates, coffee mugs, mouse pads, and other promotional materials.

FreeBSD Mall, Inc. is proud to support the FreeBSD community through many of our activities. We are happy to announce the recent donation of $5,000 to the FreeBSD Foundation. The Foundation has done excellent work this past year managing the technical and legal requirements of porting Java to FreeBSD (to name just one of their many positive endeavors). For a detailed list of all of the ways that FreeBSD Mall supports the FreeBSD Project, please see our website:

http://www.freebsdmall.com/cgi-bin/fm/community.html

Finally, the long awaited third edition of the FreeBSD Handbook will be shipping soon.

Thanks and Enjoy!

- Murray Stokely / FreeBSD Mall, Inc.
_______________________________________________
freebsd-announce at freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-announce
To unsubscribe, send any mail to "freebsd-announce-unsubscribe at freebsd.org"

----- End forwarded message -----


From security at unicamp.br  Wed Mar 10 10:06:52 2004
From: security at unicamp.br (CSIRT - UNICAMP)
Date: Wed, 10 Mar 2004 10:06:52 -0300
Subject: [SECURITY-L] OpenBSD: TCP reassembly DoS
Message-ID: <20040310130647.GC15656@unicamp.br>

----- Forwarded message from Rafael R Obelheiro -----

From: Rafael R Obelheiro
Subject: [S] OpenBSD: TCP reassembly DoS
To: seguranca at pangeia.com.br
Date: Tue, 9 Mar 2004 13:22:19 -0300
Organization: DAS-UFSC

----- Forwarded message from Markus Friedl -----

Date: Tue, 9 Mar 2004 13:50:49 +0100
From: Markus Friedl
Subject: TCP reassembly DoS
To: security-announce at openbsd.org

OpenBSD's TCP/IP stack did not impose limits on how many out-of-order TCP segments are queued in the system. If an attacker was allowed to connect to an open TCP port, he could send out-of-order TCP segments and trick the system into using all available memory buffers. Packet handling would be impaired, and new connections would fail until the attacking TCP connection is closed.

The problem is fixed in -current, 3.4-stable and 3.3-stable.
Patches are available at:

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.4/common/013_tcp.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.3/common/018_tcp.patch

----- End forwarded message -----

----- End forwarded message -----


From security at unicamp.br  Wed Mar 10 10:08:05 2004
From: security at unicamp.br (CSIRT - UNICAMP)
Date: Wed, 10 Mar 2004 10:08:05 -0300
Subject: [SECURITY-L] CAIS-Alert: Vulnerability in Windows Media Services (832359)
Message-ID: <20040310130804.GD15656@unicamp.br>

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca -----

From: Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS-Alert: Vulnerability in Windows Media Services (832359)
To: rnp-alerta at cais.rnp.br, rnp-seg at cais.rnp.br
Date: Tue, 9 Mar 2004 17:13:24 -0300 (BRST)

-----BEGIN PGP SIGNED MESSAGE-----

Dear all,

CAIS is relaying the alert published by Microsoft, "Microsoft Security Bulletin MS04-008: Vulnerability in Windows Media Services Could Allow a Denial of Service (832359)", which concerns a vulnerability present in Windows Media Services that, if exploited, can result in the unavailability of the service.

Windows Media Services is not installed automatically on the system. Only systems that required its installation are subject to the vulnerability described.

Affected systems:

. Microsoft Windows 2000 Server Service Pack 2
. Microsoft Windows 2000 Server Service Pack 3
. Microsoft Windows 2000 Server Service Pack 4

Non-affected systems:

. Microsoft Windows NT Workstation 4.0 Service Pack 6a
. Microsoft Windows NT Server 4.0 Service Pack 6a
. Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
. Microsoft Windows 2000 Professional Service Pack 2
. Microsoft Windows 2000 Professional Service Pack 3
. Microsoft Windows 2000 Professional Service Pack 4
. Microsoft Windows XP
. Microsoft Windows XP Service Pack 1
. Microsoft Windows XP 64-Bit Edition Service Pack 1
. Microsoft Windows XP 64-Bit Edition Version 2003
. Microsoft Windows Server 2003
. Microsoft Windows Server 2003 64-Bit Edition

Affected components:

. Windows Media Services 4.1, included with Microsoft Windows 2000 Server

Non-affected components:

. Windows Media Services 9.0 Series, included with Microsoft Windows Server 2003
. Windows Media Services 4.1, available for download for Windows NT4 Server

Available fixes:

The fix consists of applying the corresponding patches recommended by Microsoft, available at:

. Microsoft Windows 2000 Server Service Pack 2
. Microsoft Windows 2000 Server Service Pack 3
. Microsoft Windows 2000 Server Service Pack 4
  http://www.microsoft.com/downloads/details.aspx?FamilyId=7F4C067C-5D34-48FB-A9FA-C2200243D4D2&displaylang=en

More information:

. Microsoft Security Bulletin MS04-008
  http://www.microsoft.com/technet/security/bulletin/ms04-008.asp

CVE identifiers (http://cve.mitre.org): CAN-2003-0905

CAIS recommends that administrators of Microsoft platforms keep their systems and applications up to date.

Regards,

################################################################
#   CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS)     #
#          Rede Nacional de Ensino e Pesquisa (RNP)            #
#                                                              #
# cais at cais.rnp.br           http://www.cais.rnp.br         #
# Tel. 019-37873300            Fax. 019-37873301               #
# PGP key available at http://www.rnp.br/cais/cais-pgp.key     #
################################################################


Microsoft Security Bulletin MS04-008
Vulnerability in Windows Media Services Could Allow a Denial of Service (832359)

Issued: March 9, 2004
Version: 1.0

Summary

Who Should Read This Document: Customers who are using Microsoft Windows 2000
Impact of Vulnerability: Denial of Service
Maximum Severity Rating: Moderate
Recommendation: Systems administrators should consider applying the security update to systems that are running Windows 2000 Server and that have Windows Media Services 4.1 installed.
Security Update Replacement: None
Caveats: None

Tested Software and Security Update Download Locations:

Affected Software
- Microsoft Windows 2000 Server Service Pack 2, Microsoft Windows 2000 Server Service Pack 3, Microsoft Windows 2000 Server Service Pack 4 - Download the update

Non Affected Software
- Microsoft Windows NT Workstation 4.0 Service Pack 6a
- Microsoft Windows NT Server 4.0 Service Pack 6a
- Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
- Microsoft Windows 2000 Professional Service Pack 2, Microsoft Windows 2000 Professional Service Pack 3, Microsoft Windows 2000 Professional Service Pack 4
- Microsoft Windows XP, Microsoft Windows XP Service Pack 1
- Microsoft Windows XP 64-Bit Edition Service Pack 1
- Microsoft Windows XP 64-Bit Edition Version 2003
- Microsoft Windows Server 2003
- Microsoft Windows Server 2003 64-Bit Edition

Tested Microsoft Windows Components:

Affected Components:
- Windows Media Services 4.1 (included with Microsoft Windows 2000 Server)

Non Affected Components:
- Windows Media Services 9.0 Series (included with Microsoft Windows Server 2003)
- Windows Media Services 4.1 (available for download for Windows NT4 Server)

The software listed above has been tested to determine if the versions are affected. Other versions either no longer include security patch support or may not be affected.
Please review the Microsoft Support Lifecycle Web site to determine the support lifecycle for your product and version.

General Information

Technical Details

Technical description:

A vulnerability exists because of the way that Windows Media Station Service and Windows Media Monitor Service, components of Windows Media Services, handle TCP/IP connections. If a remote user were to send a specially-crafted sequence of TCP/IP packets to the listening port of either of these services, the service could stop responding to requests and no additional connections could be made. The service must be restarted to regain its functionality.

Windows Media Services is made up of Windows Media Services Administrator and four Windows Media Services components running on a single computer:

- By using Windows Media Unicast Service, Windows Media content can be streamed over unicast, using either TCP or UDP as a transport, to Microsoft Windows Media Player or to another Windows Media server.
- Windows Media Station Service performs three key functions: It arranges one or more streams of content (also known as a "playlist" or "program") for subsequent streaming. It multicasts the playlist or program to Windows Media Player or to another Windows Media server. It distributes the playlist or program locally to Windows Media Unicast Service for subsequent unicasting to Windows Media Player or to another Windows Media server.
- Windows Media Program Service is a dependent service of Windows Media Station Service. Windows Media Program Service helps the server administrator build playlists of Windows Media content using Windows Media Services Administrator and persist those playlists for future use.
- Windows Media Monitor Service is the administrative console of Windows Media Services.

Note: Windows Media Unicast Service may also be affected by a successful attack against Windows Media Station Service if Windows Media Unicast Service is sourcing a playlist from Windows Media Station Service. In this case, Windows Media Unicast Service could stop functioning when it encounters the next item in the playlist. An administrator can stream media by using Windows Media Unicast Service without a playlist.

Mitigating factors:

- The Windows Media Services component is not installed by default.
- Windows Media Services can be configured to offer streaming media over unicast only and would then not be affected by this vulnerability. This configuration would mean that different media streams from the same server could not be added into a playlist.
- Microsoft recommends that customers enable Windows Media Unicast Service only on Internet-facing sockets and ports and not the other components of Windows Media Services. If this practice is followed, the attack surface would not be exposed to the Internet.
- Customers who administer their Windows Media Services servers directly from the console or through a Terminal Services session are not affected by any successful Denial of Service attempts against Windows Media Monitor Service. Windows Media Monitor Service would not be accessible remotely, only locally.
- If you have disabled Windows Media Station Service and Windows Media Monitor Service, you are not affected by this vulnerability.

Severity Rating:

Microsoft Windows 2000 Server: Moderate

The above assessment is based on the types of systems that are affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2003-0905

Workarounds

Microsoft has tested the following workarounds. These workarounds will not correct the underlying vulnerability. However, they help block known attack vectors. Workarounds may reduce functionality in some cases; in such cases, the reduction in functionality is identified below.

- Block ports 7007 and 7778 at your firewall.

  If you do not stream media over TCP to the Internet, you can block TCP port 7007. Also, block port 7778, which is used to administer Windows Media Services through Windows Media Monitor Service. Windows Media Services uses these ports. By blocking these ports at the firewall, you can help prevent systems that are behind the firewall from being attacked by attempts to exploit this vulnerability.

  Impact of Workaround: If you block port 7007, you will prevent multicast streams and the enabling of playlists from functioning across the firewall. If you block port 7778, you will prevent administrative functions from functioning across the firewall.

- Administer your Windows Media Services from the console or through a Terminal Services session.

  Administer your Windows Media Services servers directly from the console or through a Terminal Services session. If you do this, you will not be affected by any successful denial of service attempts against Windows Media Monitor Service. The reason for this is that the service can still be accessed and used from the desktop of the system that is hosting Windows Media Services even after a successful denial of service attack has taken place.

  Impact of Workaround: None.

- Stop, disable, or remove Windows Media Station Service.

  Impact of Workaround: Stopping, disabling, or removing Windows Media Station Service will cause multicast streams or the enabling of playlists to not function.

- Disable or remove Windows Media Monitor Service.

  Impact of Workaround: Disabling or removing Windows Media Monitor Service will prevent the possibility of administering Windows Media Services.
Security Update Information

Installation Platforms and Prerequisites:

For information about the specific security update for your platform, click the appropriate link:

Windows 2000 Server (all versions)

Prerequisites

For Windows 2000 Server, this security update requires Service Pack 2 (SP2), Service Pack 3 (SP3), or Service Pack 4 (SP4). The software listed above has been tested to determine if the versions are affected. Other versions either no longer include security patch support or may not be affected. Please review the Microsoft Support Lifecycle Web site to determine the support lifecycle for your product and version.

For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to Obtain the Latest Windows 2000 Service Pack

Inclusion in Future Service Packs:

The fix for this issue will be included in Windows 2000 Service Pack 5.

Installation Information

This security update supports the following Setup switches:

  /help          Displays the command line options

Setup Modes
  /quiet         Use Quiet mode (no user interaction or display)
  /passive       Unattended mode (progress bar only)
  /uninstall     Uninstalls the package

Restart Options
  /norestart     Do not restart when installation is complete
  /forcerestart  Restart after installation

Special Options
  /l             Lists installed Windows hotfixes or update packages
  /o             Overwrite OEM files without prompting
  /n             Do not backup files needed for uninstall
  /f             Force other programs to close when the computer shuts down

Note: You can combine these switches into one command. For backwards compatibility, the security update also supports the Setup switches that are used by the previous version of the setup utility. For additional information about the supported installation switches, please review Knowledge Base Article 262841.

Deployment Information

To install the security update without any user intervention, use the following command at a command prompt for Windows 2000 Service Pack 2, Windows 2000 Service Pack 3, or Windows 2000 Service Pack 4:

  WindowsMedia41-KB832359-ENU /passive /quiet

To install the security update without forcing the computer to restart, use the following command at a command prompt for Windows 2000 Service Pack 2, Windows 2000 Service Pack 3, or Windows 2000 Service Pack 4:

  WindowsMedia41-KB832359-ENU /norestart

For information about how to deploy this security update with Software Update Services, visit the Software Update Services Web site.

Restart Requirement

In some cases, this update does not require a reboot. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are in use, this update will require a reboot. If this occurs, a message appears that advises you to reboot.

Removal Information

To remove this security update, use the Add/Remove Programs tool in Control Panel.

System administrators can use the Spuninst.exe utility to remove this security update. The Spuninst.exe utility is located in the %Windir%\$NTUninstallKB832359$\Spuninst folder. The Spuninst.exe utility supports the following Setup switches:

  /?   Show the list of installation switches.
  /u   Use unattended mode.
  /f   Force other programs to quit when the computer shuts down.
  /z   Do not restart when the installation is complete.
  /q   Use Quiet mode (no user interaction).

File Information

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
Windows 2000 Service Pack 2, Windows 2000 Service Pack 3, Windows 2000 Service Pack 4

  Date         Time   Version     Size     File name
  ------------------------------------------------------
  15-Jan-2004  02:51  4.1.0.3934  222,384  Nscm.exe
  15-Jan-2004  02:48  4.1.0.3934   31,808  Nspmon.exe

Verifying Update Installation

To verify that a security update is installed on an affected system you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. The Microsoft Baseline Security Analyzer (MBSA) allows administrators to scan local and remote systems for missing security updates as well as common security misconfigurations. For additional information about MBSA, please visit the Microsoft Baseline Security Analyzer Web site.

You may also be able to verify the files that this security update installed by reviewing the following registry key:

  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Media Services\KB832359\FileList

Note: This registry key may not be created properly when an administrator or an OEM integrates or slipstreams the 832359 security update into the Windows installation source files.

Acknowledgments

Microsoft thanks the following for working with us to help protect customers:

- Qualys for reporting the issue.

Obtaining other security updates:

Updates for other security issues are available from the following locations:

- Security updates are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
- Updates for consumer platforms are available from the Windows Update Web site.

Support:

Technical support is available from Microsoft Product Support Services at 1-866-PCSAFETY for customers in the U.S. and Canada. There is no charge for support calls that are associated with security updates. International customers can get support from their local Microsoft subsidiaries. There is no charge for support associated with security updates.
Information on how to contact Microsoft support is available at the International Support Web site. Security Resources: The Microsoft TechNet Security Web site provides additional information about security in Microsoft products. Microsoft Software Update Services Microsoft Baseline Security Analyzer (MBSA) Windows Update Windows Update Catalog: Please view Knowledge Base Article 323166 for more information on the Windows Update Catalog. Office Update Software Update Services: Microsoft Software Update Services (SUS) enables administrators to quickly and reliably deploy the latest critical updates and security updates to Windows® 2000 and Windows Server™ 2003-based servers, as well as to desktop computers running Windows 2000 Professional or Windows XP Professional. For information about how to deploy this security update with Software Update Services, visit the Software Update Services Web site. Systems Management Server: Systems Management Server can provide assistance deploying this security update. For information about Systems Management Server visit the SMS Web site. For detailed information about the many enhancements to the security update deployment process that SMS 2003 provides, please visit the SMS 2003 Security Patch Management Web site. For users of SMS 2.0, it also provides several additional tools to assist administrators in the deployment of security updates such as the SMS 2.0 Software Update Services Feature Pack and the SMS 2.0 Administration Feature Pack. The SMS 2.0 Software Update Services Feature Pack utilizes the Microsoft Baseline Security Analyzer and the Microsoft Office Detection Tool to provide broad support for security bulletin remediation. 
Some software updates may require administrative rights following a restart of the computer.

Note: The inventory capabilities of the SMS 2.0 Software Update Services Feature Pack may be used for targeting updates to specific computers, and the SMS 2.0 Administration Feature Pack's Elevated Rights Deployment Tool can be used for installation. This provides optimal deployment for updates that require explicit targeting using Systems Management Server and administrative rights after the computer has been restarted.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions:
   V1.0 (March 9, 2004): Bulletin published

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBQE4lbukli63F4U8VAQH+QgP7BHI/WtTuFl0q3n/zSE9/u4f0N9YeISeN
SYg2VI4LnMuCD6BuTRenP73ZcdaP6ekEc/NJQdBclcRUub2yXBSbX47PljuXktfz
DMDg13hiqonfwb2/zSsf+XWfeFpwsN+AMv4QkMLFAw6obCuZGMkoGXaDUaDfErcc
4T3juT1JPFA=
=owPn
-----END PGP SIGNATURE-----

----- End forwarded message -----

From security em unicamp.br Wed Mar 10 10:08:23 2004
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Wed, 10 Mar 2004 10:08:23 -0300
Subject: [SECURITY-L] CAIS-Alerta: Vulnerability in Outlook 2002 (828040)
Message-ID: <20040310130823.GE15656@unicamp.br>

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca -----

From: Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS-Alerta: Vulnerability in Outlook 2002 (828040)
To: rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br
Date: Tue, 9 Mar 2004 17:13:41 -0300 (BRST)

-----BEGIN PGP SIGNED MESSAGE-----

Dear all,

CAIS is relaying the alert published by Microsoft, "Microsoft Security Bulletin MS04-009: Vulnerability in Microsoft Outlook Could Allow Code Execution (828040)", which concerns a vulnerability present in Microsoft Outlook 2002 and in Microsoft Windows XP Service Pack 2 that may allow a remote attacker to execute arbitrary code in the Windows "Local Machine" security context. Code execution does not require user interaction.

A vulnerability in the way Outlook handles the content of the "mailto:" parameter passed through a URI may allow script execution inside the Windows "Local Machine" security zone. The problem occurs when the string """ is inserted in a "mailto:" URI, followed by the command or script the attacker wishes to execute. This command may be an Outlook start-up parameter or a JavaScript script. This may allow the attacker to download malicious programs and run them with local access to the machine.
Affected systems:
. Microsoft Office XP Service Pack 2
. Microsoft Outlook 2002 Service Pack 2

Unaffected systems:
. Microsoft Office 2000 Service Pack 3
. Microsoft Office XP Service Pack 3
. Microsoft Office 2003
. Microsoft Outlook 2000 Service Pack 3
. Microsoft Outlook 2002 Service Pack 3
. Microsoft Outlook 2003

Available fixes:

The fix consists of applying the corresponding patches recommended by Microsoft, available at:

. Microsoft Office XP Service Pack 2
  http://www.microsoft.com/office/ork/updates/xp/olk1007a.htm
. Microsoft Outlook 2002 Service Pack 2
  http://www.microsoft.com/office/ork/updates/xp/olk1007a.htm

Further information:

. Microsoft Security Bulletin MS04-009
  http://www.microsoft.com/technet/security/Bulletin/MS04-009.mspx
. iDEFENSE Security Advisory 03.09.04
  http://www.idefense.com/application/poi/display?id=79&type=vulnerabilities

CVE identifiers (http://cve.mitre.org): CAN-2004-0121

CAIS recommends that administrators of Microsoft platforms keep their systems and applications up to date at all times.

Regards,

################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS)       #
# Rede Nacional de Ensino e Pesquisa (RNP)                     #
#                                                              #
# cais em cais.rnp.br            http://www.cais.rnp.br        #
# Tel. 019-37873300              Fax. 019-37873301             #
# PGP key available at http://www.rnp.br/cais/cais-pgp.key     #
################################################################

Microsoft Security Bulletin MS04-009
Vulnerability in Microsoft Outlook Could Allow Code Execution (828040)

Issued: March 9, 2004
Version: 1.0

Summary

Who Should Read This Document: Customers that are using Microsoft® Office XP and Outlook 2002
Impact of Vulnerability: Remote Code Execution
Maximum Severity Rating: Important
Recommendation: Customers should install the patch at the earliest opportunity.
Security Update Replacement: None
Caveats: None

Tested Software and Security Update Download Locations:

Affected Software
   Microsoft Office XP Service Pack 2 - Download the update
   Microsoft Outlook 2002 Service Pack 2 - Download the update

Non Affected Software
   Microsoft Office 2000 Service Pack 3
   Microsoft Office XP Service Pack 3
   Microsoft Office 2003
   Microsoft Outlook 2000 Service Pack 3
   Microsoft Outlook 2002 Service Pack 3
   Microsoft Outlook 2003

The software listed above has been tested to determine if the versions are affected. Other versions either no longer include security patch support or may not be affected. Please review the Microsoft Support Lifecycle Web site to determine the support lifecycle for your product and version.

General Information

Technical details

Technical description:

A security vulnerability exists within Outlook 2002 that could allow Internet Explorer to execute script code in the Local Machine zone on an affected system. The parsing of specially crafted mailto URLs by Outlook 2002 causes this vulnerability. To exploit this vulnerability, an attacker would have to host a malicious Web site that contained a Web page designed to exploit the vulnerability and then persuade a user to view the Web page. The attacker could also create an HTML e-mail message designed to exploit the vulnerability and persuade the user to view the HTML e-mail message. After the user has visited the malicious Web site or viewed the malicious HTML e-mail message, an attacker who successfully exploited this vulnerability could access files on a user's system or run arbitrary code on a user's system. This code would run in the security context of the currently logged-on user. Outlook 2002 is available as a separate product and is also included as part of Office XP.
Mitigating factors:

When an Outlook profile is first created and at least one e-mail account is set up during the initial configuration of the profile, the default folder home page is automatically changed from "Outlook Today" to "Inbox." Users are only at risk from this vulnerability when the "Outlook Today" home page is their default folder home page. This is the default configuration when an Outlook profile is created without any e-mail accounts.

Users are only at risk from this vulnerability when Outlook 2002 is configured as the default mail reader and when the "Outlook Today" home page is their default folder home page. Installing other e-mail clients may change this configuration, as they can register themselves as the default mail reader on the system.

If an attacker exploited this vulnerability, the attacker would gain only the same privileges as the user. Users whose accounts are configured to have few privileges on the system would be at less risk than users who operate with administrative privileges.

Severity Rating:
   Microsoft Office XP       Important
   Microsoft Outlook 2002    Important

The above assessment is based on the types of systems that are affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2004-0121

Workarounds

Microsoft has tested the following workarounds. These workarounds will not correct the underlying vulnerability. However, they help block known attack vectors. Workarounds may reduce functionality in some cases; in such cases, the reduction in functionality is identified below.

Do not use "Outlook Today" as the default home page in Outlook 2002

You can help protect against this vulnerability by changing your default folder home page in Outlook 2002 to the "Inbox" or some other folder than "Outlook Today".
The "Outlook Today" home page is only the default folder home page when an Outlook profile is originally configured without any e-mail accounts.

   1. In Outlook 2002, click Options in the Tools menu.
   2. Under the Other tab, choose Advanced Options.
   3. Set "Startup in this folder:" to Inbox if it is set to Outlook Today.

Impact of Workaround: The "Outlook Today" folder home page would not be the default view.

If you are using Outlook 2002 or Outlook Express 6.0 SP1 or later, read e-mail messages in plain text format to help protect yourself from the HTML e-mail attack vector

Microsoft Outlook 2002 users who have applied Service Pack 1 or later and Outlook Express 6.0 users who have applied Service Pack 1 or later can enable a feature that will enable them to view all non-digitally-signed e-mail messages or non-encrypted e-mail messages in plain text only. Digitally-signed e-mail messages and encrypted e-mail messages are not affected by the setting and may be read in their original formats. See Microsoft Knowledge Base Article 307594 for information about how to enable this setting in Outlook 2002. See Microsoft Knowledge Base Article 291387 for information about how to enable this setting in Outlook Express 6.0.

Impact of Workaround: E-mail that is viewed in plain text format cannot contain pictures, specialized fonts, animations, or other rich content. Additionally:
   The changes are applied to the preview pane and to open messages.
   Pictures become attachments to avoid loss of message content.
   Because the message is still in Rich Text Format or in HTML format in the mail store, the object model (custom code solutions) may behave unexpectedly.

Acknowledgments

Microsoft thanks the following for working with us to help protect customers:
   iDefense and Jouko Pynnönen for reporting the issue described in MS04-009.
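The following scanner is an added example; it is not code from the CAIS alert, from Microsoft or from iDEFENSE. It turns the indicator the alert describes, a double quote embedded in a mailto: URI, into a check that can be run over captured HTML mail bodies or web pages. It decodes HTML entities and percent-encoding before looking for the quote, because either encoding hides it from a naive string match. The HTML sample is constructed for the example, and the href values in it are made up; they are not the proof-of-concept payload.

```python
import re
from html import unescape
from urllib.parse import unquote

# Constructed sample input (not the proof of concept): one ordinary mailto link
# and three that smuggle a double quote into the URI in the three encodings a
# scanner has to see through.
SAMPLE_HTML = """
<p><a href="mailto:helpdesk@example.org?subject=Ticket%20123">Contact us</a></p>
<p><a href='mailto:user@example.org?subject=x&quot;/payload'>Entity-encoded</a></p>
<p><a href="mailto:user@example.org?subject=x%22/payload">Percent-encoded</a></p>
<p><a href="mailto:user@example.org?subject=x%2522/payload">Double-encoded</a></p>
"""

# An href value in double quotes, single quotes, or unquoted.
HREF_RE = re.compile(r"""href\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.IGNORECASE)


def extract_hrefs(html: str) -> list[str]:
    """Return every href attribute value in the HTML, in document order, undecoded."""
    return [next(g for g in m.groups() if g is not None) for m in HREF_RE.finditer(html)]


def decode_uri(uri: str) -> str:
    """Undo HTML entity and percent encoding until the string stops changing,
    so a nested encoding (%2522 -> %22 -> ") cannot hide the quote."""
    prev, cur = None, uri
    while cur != prev:
        prev, cur = cur, unquote(unescape(cur))
    return cur


def suspicious_mailto(uri: str) -> bool:
    """True if the URI is a mailto: link whose decoded form contains a double quote.
    This is the indicator from the alert's description; treat a hit as a candidate
    for manual review, not as proof of an attack."""
    if not uri.strip().lower().startswith("mailto:"):
        return False
    return '"' in decode_uri(uri)


def scan(html: str) -> list[str]:
    """All raw href values in the document that meet the suspicious_mailto test."""
    return [h for h in extract_hrefs(html) if suspicious_mailto(h)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_HTML):
        print("suspicious mailto:", hit)
```

A legitimate mailto: link has little reason to carry a raw double quote, so hits are rare, but the check is a heuristic derived from the alert's one-paragraph description rather than from the full details of the flaw. It complements the workarounds rather than replacing them: rendering mail as plain text removes the HTML e-mail vector whether or not a scanner catches the link.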
Obtaining other security updates:

Updates for other security issues are available from the following locations:
   Security updates are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
   Updates for consumer platforms are available from the Windows Update Web site.

Support:

Technical support is available from Microsoft Product Support Services at 1-866-PCSAFETY for customers in the U.S. and Canada. There is no charge for support calls that are associated with security updates. International customers can get support from their local Microsoft subsidiaries. There is no charge for support associated with security updates. Information on how to contact Microsoft support is available at the International Support Web Site.

Security Resources:

The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
   Microsoft Software Update Services
   Microsoft Baseline Security Analyzer (MBSA)
   Windows Update
   Windows Update Catalog: Please view Knowledge Base Article 323166 for more information on the Windows Update Catalog.
   Office Update

Systems Management Server (SMS):

Systems Management Server can provide assistance deploying this security update. For information about Systems Management Server visit the SMS Web Site. For detailed information about the many enhancements to the security update deployment process that SMS 2003 provides, please visit the SMS 2003 Security Patch Management Web site. Some software updates may require administrative rights following a restart of the computer.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose.
In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:
   V1.0 (March 9, 2004): Bulletin published

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBQE4lfukli63F4U8VAQFDhgP8CZ7g5FCw3UwH4iVUu8ltgoTl3c0yFm2k
+8HoYMx/6nNCC2SRKq28vvqv0Wd6J6IJ5+MLvLJjhzLdKK+PM9rQfOgYmX1oR9E0
eTmxpfGRe15aWbqjETkGW6CTQQBjKteyx4VhC9OZMHtTBtIemYKoK3QJ6yOxFrFy
pSNvLt/L3fU=
=sfKB
-----END PGP SIGNATURE-----

----- End forwarded message -----

From security em unicamp.br Wed Mar 10 10:08:43 2004
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Wed, 10 Mar 2004 10:08:43 -0300
Subject: [SECURITY-L] CAIS-Alerta: Vulnerability in Messenger allows information disclosure (838512)
Message-ID: <20040310130843.GF15656@unicamp.br>

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca -----

From: Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS-Alerta: Vulnerability in Messenger allows information disclosure (838512)
To: rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br
Date: Tue, 9 Mar 2004 17:19:04 -0300 (BRST)

-----BEGIN PGP SIGNED MESSAGE-----

Dear all,

CAIS is relaying the alert published by Microsoft, "Microsoft Security Bulletin MS04-010: Vulnerability in MSN Messenger Could Allow Information Disclosure (838512)", which concerns a vulnerability present in MSN Messenger. The vulnerability exists because of the method MSN Messenger uses to handle file requests. Once it is exploited successfully, the attacker can view the contents of files on the victim's hard disk without the victim's knowledge.
However, the attacker must know the exact location of the file, and the victim must have read permission for that file. To exploit this vulnerability, the attacker must know the MSN Messenger user's sign-in name so that the request can be sent.

Affected systems:
. Microsoft MSN Messenger 6.0
. Microsoft MSN Messenger 6.1

Unaffected systems:
. All other versions

Available fixes:
. Microsoft MSN Messenger 6.0 update
  http://messenger.msn.com/Download/
. Microsoft MSN Messenger 6.1 update
  http://messenger.msn.com/Download/

Further information:
. Microsoft Security Bulletin MS04-010
  http://www.microsoft.com/technet/security/bulletin/MS04-010.mspx

CVE identifiers (http://cve.mitre.org): CAN-2004-0122

CAIS recommends that administrators of Microsoft platforms keep their systems and applications up to date at all times.

Regards,

################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS)       #
# Rede Nacional de Ensino e Pesquisa (RNP)                     #
#                                                              #
# cais em cais.rnp.br            http://www.cais.rnp.br        #
# Tel. 019-37873300              Fax. 019-37873301             #
# PGP key available at http://www.rnp.br/cais/cais-pgp.key     #
################################################################

Microsoft Security Bulletin MS04-010
Vulnerability in MSN Messenger Could Allow Information Disclosure (838512)

Issued: March 9, 2004
Version: 1.0

Summary

Who should read this document: Customers who are using Microsoft® MSN Messenger
Impact of vulnerability: Information Disclosure
Maximum Severity Rating: Moderate
Recommendation: Customers should consider applying the security update.
Security Update Replacement: None
Caveats: None

Tested Software and Security Update Download Locations:

Affected Software:
   Microsoft MSN Messenger 6.0 - Download the update (http://messenger.msn.com/)
   Microsoft MSN Messenger 6.1 - Download the update (http://messenger.msn.com/)

Non Affected Software:
   Windows Messenger (All versions)

The software listed above has been tested to determine if the versions are affected. Other versions either no longer include security patch support or may not be affected. Please review the Microsoft Support Lifecycle Web site to determine the support lifecycle for your product and version.

General Information

Technical Details

Technical description:

A security vulnerability exists in Microsoft MSN Messenger. The vulnerability exists because of the method used by MSN Messenger to handle a file request. An attacker could exploit this vulnerability by sending a specially crafted request to a user running MSN Messenger. If exploited successfully, the attacker could view the contents of a file on the hard drive without the user's knowledge, as long as the attacker knew the location of the file and the user had read access to the file. To exploit this vulnerability, an attacker would have to know the sign-on name of the MSN Messenger user in order to send the request.

Mitigating factors:

   An attacker must know the sign-on name of the user.
   If the user has blocked receiving messages from anonymous users not on their contact list by placing "All Others" in their block list, the attacker's messenger account must be on the user's allow list to exploit the vulnerability.
   The attacker could access files that the user had read access to. If the user is logged into the computer with restricted privileges, this would limit the files that the attacker could access.
Severity Rating:
   Microsoft MSN Messenger 6.0    Important
   Microsoft MSN Messenger 6.1    Important

The above assessment is based on the types of systems that are affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2004-0122

Security Update Information

Installation Platforms and Prerequisites:

For information about the specific security update for your platform, click the appropriate link:
   MSN Messenger 6.0 or 6.1

Prerequisites
   This security update requires Microsoft Windows.

Restart Requirement
   This update may require you to restart your computer.

Removal Information
   This update cannot be uninstalled.

Verifying Update Installation

To verify that a security update is installed on an affected system, please perform the following steps:
   1. Within MSN Messenger, click Help, then About.
   2. Check the version number. If the version number reads 6.1 (6.1.0211), the update has been successfully installed.

Acknowledgments

Microsoft thanks the following for working with us to help protect customers:
   qFox and Mephisto for reporting the issue in MS04-010.

Obtaining other security updates:

Updates for other security issues are available from the following locations:
   Security updates are available from the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=21129), and can be most easily found by doing a keyword search for "security_patch".
   Updates for consumer platforms are available from the WindowsUpdate Web site.

Support:

Technical support is available from Microsoft Product Support Services at 1-866-PCSAFETY for customers in the U.S. and Canada. There is no charge for support calls that are associated with security updates. International customers can get support from their local Microsoft subsidiaries. There is no charge for support associated with security updates.
Information on how to contact Microsoft support is available at the International Support Web Site.

Security Resources for Windows:

The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:
   V1.0 March 9, 2004: Bulletin published

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBQE4mvukli63F4U8VAQEzdQQAjLOPp2hF2iRB7YbM77qDcHONCxxH5Iym
1IJ4j48P0h7icVlcBGvXOjASzRjg6EGRclW49TEKJy/pqXT9/6cE3eDAlW40NERG
9ugBFq2H2x/Ca8hIPRU9tqMt2RNmWp00g5AxOM1yMi2/VOTVLVwRf/Oo/Nhedy/p
4JGovtcXtkk=
=TU3z
-----END PGP SIGNATURE-----

----- End forwarded message -----

From security em unicamp.br Wed Mar 10 13:13:16 2004
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Wed, 10 Mar 2004 13:13:16 -0300
Subject: [SECURITY-L] Security vulnerabilities
Message-ID: <20040310161315.GG15656@unicamp.br>

Dear users,

We have updated the site of the Unicamp CSIRT (Computer Security Incident Response Team) with the following vulnerability bulletins:

05/03/2004
----------
OpenPKG Security Advisory (OpenPKG-SA-2004.003)
Subject: security vulnerability in the libxml package.
http://www.security.unicamp.br/docs/bugs/2004/03/v26.txt

CAIS-Alerta
Subject: Vulnerability in passwd on Solaris 8, 9
http://www.security.unicamp.br/docs/bugs/2004/03/v27.txt

Trustix Secure Linux Security Advisory (#2004-0009)
Subject: security vulnerability in the nfs-utils package.
http://www.security.unicamp.br/docs/bugs/2004/03/v29.txt

Trustix Secure Linux Security Advisory (#2004-0010)
Subject: security vulnerability in the libxml2 package.
http://www.security.unicamp.br/docs/bugs/2004/03/v30.txt

06/03/2004
----------
Debian Security Advisory (DSA 456-1)
Subject: kernel-source-2.2.19, kernel-patch-2.2.19-arm, kernel-image-2.2.19-netwinder, kernel-image-2.2.19-riscpc.
http://www.security.unicamp.br/docs/bugs/2004/03/v28.txt

Gentoo Linux Security Advisory (GLSA 200403-01)
Subject: Libxml2 URI Parsing Buffer Overflow Vulnerabilities.
http://www.security.unicamp.br/docs/bugs/2004/03/v31.txt

Gentoo Linux Security Advisory (GLSA 200403-02)
Subject: Linux kernel do_mremap local privilege escalation vulnerability.
http://www.security.unicamp.br/docs/bugs/2004/03/v32.txt

08/03/2004
----------
OpenPKG Security Advisory (OpenPKG-SA-2004.004)
Subject: security vulnerability in the libtool package.
http://www.security.unicamp.br/docs/bugs/2004/03/v33.txt

Debian Security Advisory (DSA 457-1)
Subject: security vulnerability in the wu-ftpd package.
http://www.security.unicamp.br/docs/bugs/2004/03/v34.txt

09/03/2004
----------
Fedora Update Notification (FEDORA-2004-089)
Subject: security vulnerability in the less package.
http://www.security.unicamp.br/docs/bugs/2004/03/v35.txt

OpenPKG Security Advisory (OpenPKG-SA-2004.005)
Subject: security vulnerability in the mutt package.
http://www.security.unicamp.br/docs/bugs/2004/03/v36.txt

OpenBSD
Subject: TCP reassembly DoS.
http://www.security.unicamp.br/docs/bugs/2004/03/v37.txt

CAIS-Alerta
Subject: Vulnerability in Windows Media Services (832359).
http://www.security.unicamp.br/docs/bugs/2004/03/v38.txt

CAIS-Alerta
Subject: Vulnerability in Outlook 2002 (828040).
http://www.security.unicamp.br/docs/bugs/2004/03/v39.txt

CAIS-Alerta
Subject: Vulnerability in Messenger allows information disclosure (838512).
http://www.security.unicamp.br/docs/bugs/2004/03/v40.txt

Microsoft MSN Products Security Bulletin Summary for March 2004
http://www.security.unicamp.br/docs/bugs/2005/03/v41.txt

Microsoft Office Security Bulletin Summary for March 2004
http://www.security.unicamp.br/docs/bugs/2005/03/v42.txt

Microsoft Windows Security Bulletin Summary for March 2004
http://www.security.unicamp.br/docs/bugs/2005/03/v43.txt

--
Computer Security Incident Response Team - CSIRT
Unicamp - Universidade Estadual de Campinas
mailto:security em unicamp.br
http://www.security.unicamp.br

From security em unicamp.br Mon Mar 15 14:40:12 2004
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Mon, 15 Mar 2004 14:40:12 -0300
Subject: [SECURITY-L] Security vulnerabilities
Message-ID: <20040315174012.GA46081@unicamp.br>

Dear users,

We have updated the site of the Unicamp CSIRT (Computer Security Incident Response Team) with the following vulnerability bulletins:

10/03/2004
----------
Red Hat Security Advisory (RHSA-2004:102-01)
Subject: Updated gdk-pixbuf packages fix denial of service vulnerability.
http://www.security.unicamp.br/docs/bugs/2004/03/v45.txt

Red Hat Security Advisory (RHSA-2004:093-01)
Subject: Updated sysstat packages fix security vulnerabilities.
http://www.security.unicamp.br/docs/bugs/2004/03/v46.txt

Mandrake Linux Security Update Advisory (MDKSA-2004:018)
Subject: security vulnerability in the libxml2 package.
http://www.security.unicamp.br/docs/bugs/2004/03/v47.txt

Mandrake Linux Security Update Advisory (MDKSA-2004:021)
Subject: security vulnerability in the mozilla package.
http://www.security.unicamp.br/docs/bugs/2004/03/v48.txt

Mandrake Linux Security Update Advisory (MDKSA-2004:022)
Subject: security vulnerability in the kdelibs package.
http://www.security.unicamp.br/docs/bugs/2004/03/v49.txt

Debian Security Advisory (DSA 459-1)
Subject: security vulnerability in the kdelibs and kdelibs-crypto packages.
http://www.security.unicamp.br/docs/bugs/2004/03/v50.txt

Debian Security Advisory (DSA 460-1)
Subject: security vulnerability in the sysstat package.
http://www.security.unicamp.br/docs/bugs/2004/03/v51.txt

US-CERT Technical Cyber Security Alert (TA04-070A)
Subject: Microsoft Outlook mailto URL Handling Vulnerability.
http://www.security.unicamp.br/docs/bugs/2004/03/v52.txt

REVISED: Microsoft Office Security Bulletin Summary for March 2004
http://www.security.unicamp.br/docs/bugs/2004/03/v53.txt

11/03/2004
----------
Debian Security Advisory (DSA 461-1)
Subject: security vulnerability in the calife package.
http://www.security.unicamp.br/docs/bugs/2004/03/v54.txt

12/03/2004
----------
OpenPKG Security Advisory (OpenPKG-SA-2004.006)
Subject: security vulnerability in the uudeview package.
http://www.security.unicamp.br/docs/bugs/2004/03/v55.txt

SGI Security Advisory (20040302-01-U)
Subject: SGI Advanced Linux Environment security update #14.
http://www.security.unicamp.br/docs/bugs/2004/03/v56.txt

Debian Security Advisory (DSA 463-1)
Subject: security vulnerability in the samba package.
http://www.security.unicamp.br/docs/bugs/2004/03/v57.txt

--
Computer Security Incident Response Team - CSIRT
Unicamp - Universidade Estadual de Campinas
mailto:security em unicamp.br
http://www.security.unicamp.br

From security em unicamp.br Thu Mar 18 11:13:53 2004
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Thu, 18 Mar 2004 11:13:53 -0300
Subject: [SECURITY-L] [S] New OpenSSL releases fix denial of service attacks [17 March 2004]
Message-ID: <20040318141352.GA1592@unicamp.br>

----- Forwarded message from Mark J Cox -----

From: Mark J Cox
Subject: [S] New OpenSSL releases fix denial of service attacks [17 March 2004]
To: openssl-announce em openssl.org
Date: Wed, 17 Mar 2004 13:13:08 +0000 (GMT)

-----BEGIN PGP SIGNED MESSAGE-----

OpenSSL Security Advisory [17 March 2004]

Updated versions of OpenSSL are now available which correct two security issues:

1. Null-pointer assignment during SSL handshake
===============================================

Testing performed by the OpenSSL group using the Codenomicon TLS Test Tool uncovered a null-pointer assignment in the do_change_cipher_spec() function. A remote attacker could perform a carefully crafted SSL/TLS handshake against a server that used the OpenSSL library in such a way as to cause OpenSSL to crash. Depending on the application this could lead to a denial of service.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0079 to this issue.

All versions of OpenSSL from 0.9.6c to 0.9.6k inclusive and from 0.9.7a to 0.9.7c inclusive are affected by this issue. Any application that makes use of OpenSSL's SSL/TLS library may be affected. Please contact your application vendor for details.

2. Out-of-bounds read affects Kerberos ciphersuites
===================================================

Stephen Henson discovered a flaw in SSL/TLS handshaking code when using Kerberos ciphersuites.
A remote attacker could perform a carefully crafted SSL/TLS handshake against a server configured to use Kerberos ciphersuites in such a way as to cause OpenSSL to crash. Most applications have no ability to use Kerberos ciphersuites and will therefore be unaffected.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0112 to this issue.

Versions 0.9.7a, 0.9.7b, and 0.9.7c of OpenSSL are affected by this issue. Any application that makes use of OpenSSL's SSL/TLS library may be affected. Please contact your application vendor for details.

Recommendations
---------------

Upgrade to OpenSSL 0.9.7d or 0.9.6m. Recompile any OpenSSL applications statically linked to OpenSSL libraries.

OpenSSL 0.9.7d and OpenSSL 0.9.6m are available for download via HTTP and FTP from the following master locations (you can find the various FTP mirrors under http://www.openssl.org/source/mirror.html):

    ftp://ftp.openssl.org/source/

The distribution file names are:

    o openssl-0.9.7d.tar.gz
      MD5 checksum: 1b49e90fc8a75c3a507c0a624529aca5
    o openssl-0.9.6m.tar.gz [normal]
      MD5 checksum: 1b63bfdca1c37837dddde9f1623498f9
    o openssl-engine-0.9.6m.tar.gz [engine]
      MD5 checksum: 4c39d2524bd466180f9077f8efddac8c

The checksums were calculated using the following command:

    openssl md5 openssl-0.9*.tar.gz

Credits
-------

Patches for these issues were created by Dr Stephen Henson (steve em openssl.org) of the OpenSSL core team. The OpenSSL team would like to thank Codenomicon for supplying the TLS Test Tool which was used to discover these vulnerabilities, and Joe Orton of Red Hat for performing the majority of the testing.
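As an added example that is not part of the OpenSSL advisory, the following Python script parses a checksum list written in the advisory's own format and compares it against the files in a download directory, streaming each file through MD5 the way `openssl md5` does. The demo() function builds a throwaway directory with constructed files under made-up names so the check runs offline; those files are not OpenSSL tarballs, and their digests are computed for the example.

```python
import hashlib
import os
import re
import tempfile

# The checksum list exactly as printed in the advisory.
ADVISORY_CHECKSUMS = """
o openssl-0.9.7d.tar.gz
  MD5 checksum: 1b49e90fc8a75c3a507c0a624529aca5
o openssl-0.9.6m.tar.gz [normal]
  MD5 checksum: 1b63bfdca1c37837dddde9f1623498f9
o openssl-engine-0.9.6m.tar.gz [engine]
  MD5 checksum: 4c39d2524bd466180f9077f8efddac8c
"""

# "o <file> [tag]" on one line, "MD5 checksum: <32 hex>" on the next.
ENTRY_RE = re.compile(
    r"^o\s+(\S+)[^\n]*\n\s*MD5 checksum:\s*([0-9a-f]{32})",
    re.IGNORECASE | re.MULTILINE,
)


def parse_checksums(text: str) -> dict[str, str]:
    """Map distribution file name -> expected MD5 hex digest."""
    return {name: digest.lower() for name, digest in ENTRY_RE.findall(text)}


def md5_of_file(path: str, chunk_size: int = 1 << 16) -> str:
    """Stream the file through MD5 (the digest `openssl md5 FILE` prints)."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk_size), b""):
            h.update(block)
    return h.hexdigest()


def verify(directory: str, expected: dict[str, str]) -> dict[str, str]:
    """Return {file: 'ok' | 'MISMATCH' | 'missing'} for each expected entry."""
    results = {}
    for name, digest in expected.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif md5_of_file(path) == digest:
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    return results


def demo() -> dict[str, str]:
    """Run verify() over a constructed download directory: one file whose digest
    matches its content, one tampered file, one absent file. Names and contents
    are made up for the example; nothing here is an OpenSSL tarball."""
    expected = {
        "good.tar.gz": hashlib.md5(b"intact download\n").hexdigest(),
        "bad.tar.gz": hashlib.md5(b"what the mirror should have served\n").hexdigest(),
        "gone.tar.gz": "0" * 32,
    }
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "good.tar.gz"), "wb") as f:
            f.write(b"intact download\n")
        with open(os.path.join(d, "bad.tar.gz"), "wb") as f:
            f.write(b"what the mirror actually served\n")
        return verify(d, expected)


if __name__ == "__main__":
    for name, digest in parse_checksums(ADVISORY_CHECKSUMS).items():
        print(f"{digest}  {name}")
    print(demo())
```

Two caveats apply. The digest list is only as trustworthy as the advisory it came in, so the PGP signature on the advisory should be checked before the digests are relied on; whoever can replace a tarball on a mirror can also replace an unsigned checksum list beside it. And MD5 is no longer collision-resistant, so a matching digest rules out transfer corruption and casual substitution rather than a deliberately crafted replacement.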
References
----------

http://www.codenomicon.com/testtools/tls/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0079
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0112

URL for this Security Advisory:
http://www.openssl.org/news/secadv_20040317.txt

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (GNU/Linux)

iQCVAwUBQFhNTO6tTP1JpWPZAQGayAP/TpKP7CKrRR65w5+zr2/Nlw+Cz6UbY0Rd
G1Po5mgZjaP4V63d2TD11IvvZLbjeIeGQj7GxKupcYCn2CxI83xjhwM71vsS6rvQ
pQZAhM5IVvb4HERbGI0hryO10rd1V+fCTzxfB0pBsG1VtEL2jTULyuWgwsA/z0/j
Ez3jSlsbRRA=
=wvAZ
-----END PGP SIGNATURE-----
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev em openssl.org
Automated List Manager                           majordomo em openssl.org

----- End forwarded message -----

From daniela em ccuec.unicamp.br Fri Mar 19 09:05:28 2004
From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti Silva)
Date: Fri, 19 Mar 2004 09:05:28 -0300
Subject: [SECURITY-L] US-CERT Technical Cyber Security Alert TA04-078A -- Multiple Vulnerabilities in OpenSSL
Message-ID: <20040319120528.GA3058@ccuec.unicamp.br>

----- Forwarded message from Luiz Eduardo Roncato Cordeiro -----

From: Luiz Eduardo Roncato Cordeiro
Subject: [IRT-L] US-CERT Technical Cyber Security Alert TA04-078A -- Multiple Vulnerabilities in OpenSSL
To: irt-l em listas.unesp.br
Date: Fri, 19 Mar 2004 08:32:33 -0300
Organization: NBSO

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                    Technical Cyber Security Alert TA04-078A
                    Multiple Vulnerabilities in OpenSSL

   Original release date: March 18, 2004
   Last revised: --
   Source: US-CERT

Systems Affected

   * Applications and systems that use the OpenSSL SSL/TLS library

Overview

   Several vulnerabilities in the OpenSSL SSL/TLS library could allow an unauthenticated, remote attacker to cause a denial of service.

I.
Description OpenSSL implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols and includes a general purpose cryptographic library. SSL and TLS are commonly used to provide authentication, encryption, integrity, and non-repudiation services to network applications including HTTP, IMAP, POP3, SMTP, and LDAP. OpenSSL is widely deployed across a variety of platforms and systems. In particular, many routers and other types of networking equipment use OpenSSL. The U.K. National Infrastructure Security Co-ordination Centre (NISCC) and the OpenSSL Project have reported three vulnerabilities in the OpenSSL SSL/TLS library (libssl). Any application or system that uses this library may be affected. VU#288574 - OpenSSL contains null-pointer assignment in do_change_cipher_spec() function Versions of OpenSSL from 0.9.6c to 0.9.6k inclusive and 0.9.7a to 0.9.7c inclusive contain a null-pointer assignment in the do_change_cipher_spec() function. By performing a specially crafted SSL/TLS handshake, an attacker could cause OpenSSL to crash, which may result in a denial of service in the target application. (Other resources: OpenSSL Security Advisory (1.), CAN-2004-0079, NISCC/224012/OpenSSL/1) VU#484726 - OpenSSL does not adequately validate length of Kerberos tickets during SSL/TLS handshake Versions 0.9.7a, 0.9.7b, and 0.9.7c of OpenSSL do not adequately validate the length of Kerberos tickets (RFC 2712) during an SSL/TLS handshake. OpenSSL is not configured to use Kerberos by default. By performing a specially crafted SSL/TLS handshake with an OpenSSL system configured to use Kerberos, an attacker could cause OpenSSL to crash, which may result in a denial of service in the target application. OpenSSL 0.9.6 is not affected. 
(Other resources: OpenSSL Security Advisory (2.), CAN-2004-0112, NISCC/224012/OpenSSL/2)

VU#465542 - OpenSSL does not properly handle unknown message types

OpenSSL prior to version 0.9.6d does not properly handle unknown SSL/TLS message types. An attacker could cause the application using OpenSSL to enter an infinite loop, which may result in a denial of service in the target application. OpenSSL 0.9.7 is not affected.

(Other resources: CAN-2004-0081, NISCC/224012/OpenSSL/3)

II. Impact

An unauthenticated, remote attacker could cause a denial of service in any application or system that uses a vulnerable OpenSSL SSL/TLS library.

III. Solution

Upgrade or Apply a patch from your vendor

Upgrade to OpenSSL 0.9.6m or 0.9.7d. Alternatively, upgrade or apply a patch as specified by your vendor. Note that it is necessary to recompile any applications that are statically linked to the OpenSSL SSL/TLS library.

Appendix A. Vendor Information

Multiple vendors are affected by different combinations of these vulnerabilities. For updated information, please see the Systems Affected sections of VU#288574, VU#484726, and VU#465542.

Appendix B. References

  * US-CERT Technical Cyber Security Alert TA04-078A -
  * Vulnerability Note VU#288574 -
  * Vulnerability Note VU#484726 -
  * Vulnerability Note VU#465542 -
  * OpenSSL Security Advisory [17 March 2004] -
  * NISCC Vulnerability Advisory 224012 -
  * RFC 2712 Addition of Kerberos Cipher Suites to Transport Layer Security (TLS) -

_________________________________________________________________

These vulnerabilities were researched and reported by the OpenSSL Project and the U.K. National Infrastructure Security Co-ordination Centre (NISCC).
_________________________________________________________________

Feedback can be directed to the authors: Art Manion and Damon Morda.
_________________________________________________________________

Copyright 2004 Carnegie Mellon University. Terms of use.

Revision History

  March 18, 2004: Initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFAWiHMXlvNRxAkFWARAvBKAJ4zD2uh0dqSXy4CjyPphrJlcpAD/QCfZASx
PLs+5hkNGzVPGQF08K2kPj0=
=Lxfo
-----END PGP SIGNATURE-----

_______________________________________________
irt-l mailing list - irt-l em listas.unesp.br
https://listas.unesp.br/mailman/listinfo/irt-l

----- End forwarded message -----

From daniela em ccuec.unicamp.br Fri Mar 19 09:06:14 2004
From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti Silva)
Date: Fri, 19 Mar 2004 09:06:14 -0300
Subject: [SECURITY-L] CAIS Alert: New variant of the Bagle.Q worm (AUSCERT AL-2004.07)
Message-ID: <20040319120614.GB3058@ccuec.unicamp.br>

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca -----

From: Centro de Atendimento a Incidentes de Seguranca
Subject: [ALERTA] CAIS Alert: New variant of the Bagle.Q worm (AUSCERT AL-2004.07)
To: rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br
Date: Thu, 18 Mar 2004 13:55:54 -0300 (BRST)

-----BEGIN PGP SIGNED MESSAGE-----

Dear all,

CAIS is forwarding the alert published by AUSCERT, "(AUSCERT AL-2004.07) AUSCERT ALERT - Worm Bagle.Q exploits Internet Explorer and Outlook Vulnerability", concerning the spread of a variant of the Bagle.Q worm that exploits a vulnerability in Internet Explorer and Microsoft Outlook.

Variant Q exploits a vulnerability identified in Internet Explorer that allows the worm to infect the system without user intervention and without the executable being attached to the message. Microsoft Outlook is vulnerable to this worm because it uses Internet Explorer to display HTML messages.

Infection of the system takes place in two stages:

. A message is received with the following content:

. Reading the message with one of the vulnerable e-mail applications (Microsoft Outlook and Microsoft Outlook Express) allows the virus/worm to be loaded through an HTTP connection to the IP address specified in the body of the message.
Systems infected by the worm will start sending messages to the e-mail addresses found on the victim machine.

The vulnerability exploited by the worm was described in the following alerts:

. Cumulative Patch for Internet Explorer (822925)
  http://www.rnp.br/cais/alertas/2003/MS03-032.html
. Microsoft Security Bulletin MS03-032
  http://www.microsoft.com/technet/security/bulletin/MS03-032.mspx

Given the exploitation of the vulnerability and the potential spread of the worm, CAIS recommends that the necessary fixes be applied urgently, as described in the alerts cited above.

Further information:

. Sophos
  http://www.sophos.com/virusinfo/analyses/w32bagleq.html
. Computer Associates
  http://www3.ca.com/threatinfo/virusinfo/virus.aspx?id=38599
. McAfee
  http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101108
. Trend Micro
  http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_BAGLE.Q&VSect=T
. AL-2004.07 -- New Bagle.Q Worm Spreading Rapidly
  http://www.auscert.org.au/render.html?it=3957
. Cumulative Patch for Internet Explorer (822925)
  http://www.rnp.br/cais/alertas/2003/MS03-032.html
. Microsoft Security Bulletin MS03-032
  http://www.microsoft.com/technet/security/bulletin/MS03-032.mspx

CAIS recommends that administrators of Microsoft platforms keep their systems and applications up to date at all times.

Regards,

################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS)       #
# Rede Nacional de Ensino e Pesquisa (RNP)                     #
#                                                              #
# cais em cais.rnp.br              http://www.cais.rnp.br      #
# Tel. 019-37873300                Fax. 019-37873301           #
# PGP key available at http://www.rnp.br/cais/cais-pgp.key     #
################################################################

===========================================================================
                        A U S C E R T   A L E R T

                  AL-2004.07 -- AUSCERT ALERT
                  New Bagle.Q Worm Spreading Rapidly
                            18 March 2004
===========================================================================

AusCERT is aware of local activity by a new type of mass-mailing worm. Dubbed Bagle.Q, this worm exploits a recent vulnerability in the Microsoft Internet Explorer engine to allow infection without active user intervention and without including the virus executable in the email message.

The worm has two stages of execution:

1. An email message is received with the following (example) body:

2. Upon preview within vulnerable mail applications (eg Microsoft Outlook and Microsoft Outlook Express), the virus/worm body is downloaded via HTTP from the IP address in the DATA field of the HTML message.

Machines infected with the worm repeat the process, using the worm's inbuilt SMTP engine to send the message to addresses harvested from various files on the computer, and constructed with a DATA field containing either the infected machine's IP address or one from a hard-coded list of IP addresses in the worm itself.

The vulnerability exploited by this worm is Microsoft Security Bulletin MS03-032 [2][3]. System administrators should apply the measures described in that advisory to correct the vulnerability, either manually or by using Windows Update. Anti-virus vendors will have updated signature files available soon, and these should be applied as soon as possible.

It appears, so far, that the URL used to download the viral executable consistently uses TCP port 81, so sites may wish to block that port outbound as a stop-gap measure while more permanent measures are prepared. However, as some legitimate web sites utilise this port, this measure should be regarded as temporary only.
References:

[1] Protecting your computer from malicious code
    http://www.auscert.org.au/3352
[2] Microsoft Security Bulletin MS03-032
    http://www.microsoft.com/technet/security/bulletin/MS03-032.mspx
[3] AusCERT External Security Bulletin ESB-2003.0588
    http://www.auscert.org.au/3371
[4] Sophos
    http://www.sophos.com/virusinfo/analyses/w32bagleq.html
[5] Computer Associates
    http://www3.ca.com/threatinfo/virusinfo/virus.aspx?id=38599
[6] McAfee
    http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=101108
[7] Trend Micro
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=PE_BAGLE.Q&VSect=T

---------------------------------------------------------------------------

The AusCERT team has made every effort to ensure that the information contained in this security bulletin is accurate at the time of publication. However, the decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at:

  http://www.auscert.org.au/render.html?it=3192

AusCERT maintains a World Wide Web service which is found on:
  http://www.auscert.org.au.

Internet Email: auscert em auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.

Postal:         Australian Computer Emergency Response Team
                The University of Queensland
                Brisbane
                Qld 4072
                AUSTRALIA
===========================================================================

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBQFnUpOkli63F4U8VAQGFGgQAl6BE4eD5uWRAHgXVIofIYDxXCHdBUGiE
mYqKzS5mes3Xwbpb901/8xmWOxnJO20F5WwUthuNU/itgnLboNl4vrTaVGYGLpeV
I1rK5Ws+doB2eBHgcfO0kgLcnO3WB1Cp8YSKUpIbDRma2c0cwJ4pnmbi5u3ENbYS
ZrQKDU2/eJI=
=E/lu
-----END PGP SIGNATURE-----

----- End forwarded message -----

From daniela em ccuec.unicamp.br Fri Mar 19 09:06:59 2004
From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti Silva)
Date: Fri, 19 Mar 2004 09:06:59 -0300
Subject: [SECURITY-L] CAIS Alert: Two vulnerabilities in OpenSSL
Message-ID: <20040319120659.GC3058@ccuec.unicamp.br>

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca -----

From: Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS Alert: Two vulnerabilities in OpenSSL
To: rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br
Date: Thu, 18 Mar 2004 16:34:42 -0300 (BRST)

-----BEGIN PGP SIGNED MESSAGE-----

Dear all,

CAIS is forwarding the alerts published by OpenSSL, entitled "Null-pointer assignment during SSL handshake" and "Out-of-bounds read affects Kerberos ciphersuites", concerning two vulnerabilities in current versions of the OpenSSL library that can cause denial of service (DoS) in programs that use it.

The first vulnerability affects a function of the TLS protocol and may allow a remote attacker to cause denial of service in applications that use the OpenSSL library simply by sending a specially crafted packet that triggers a null-pointer error.

The second vulnerability affects the SSL/TLS protocol handshake process when Kerberos cryptography is used.
A remote attacker can craft a specially constructed handshake packet so as to cause denial of service in applications that use the OpenSSL library.

Affected systems:

. Any program that uses versions 0.9.6c through 0.9.6l or 0.9.7a through 0.9.7c of the OpenSSL library may be affected by this vulnerability.

Available fixes:

It is recommended to update to the latest versions, available at:

. OpenSSL 0.9.7d
  ftp://ftp.openssl.org/source/openssl-0.9.7d.tar.gz
. OpenSSL 0.9.6m
  ftp://ftp.openssl.org/source/openssl-0.9.6m.tar.gz

In addition, it is recommended to recompile all applications that were statically compiled against the OpenSSL library.

Further information:

. OpenSSL Security Advisory
  http://www.openssl.org/news/secadv_20040317.txt
. Cisco Security Advisory: Cisco OpenSSL Implementation Vulnerability
  http://www.cisco.com/warp/public/707/cisco-sa-20040317-openssl.shtml

CVE identifiers (http://cve.mitre.org):

. Null-pointer assignment during SSL handshake: CAN-2004-0079
. Out-of-bounds read affects Kerberos ciphersuites: CAN-2004-0112

CAIS recommends that administrators keep their systems and applications up to date at all times, in line with the latest versions and fixes made available by vendors.

Regards,

################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS)       #
# Rede Nacional de Ensino e Pesquisa (RNP)                     #
#                                                              #
# cais em cais.rnp.br              http://www.cais.rnp.br      #
# Tel. 019-37873300                Fax. 019-37873301           #
# PGP key available at http://www.rnp.br/cais/cais-pgp.key     #
################################################################

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBQFn52ukli63F4U8VAQEonwQAr8XKVUvGL/umH2VKJFJ6iEiEWzBVQI02
IRg6c5t5nkVEQQpISrCVZWoVLpy1A5q/eQFEAbhI7bLbP7Q7wZbPIC1XFG/4MPFJ
+cbYqYxfnuutmUe95E5To5FeojqUd/DmNB94vgYuYz+yycFY8nLM2KhaYT8OAWp0
0Edq5a37gXs=
=AZaT
-----END PGP SIGNATURE-----

----- End forwarded message -----

From security em unicamp.br Fri Mar 19 15:08:16 2004
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Fri, 19 Mar 2004 15:08:16 -0300
Subject: [SECURITY-L] CAIS Alert: Multiple Vulnerabilities in OpenSSL (TA04-078A)
Message-ID: <20040319180815.GC1648@unicamp.br>

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca -----

From: Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS Alert: Multiple Vulnerabilities in OpenSSL (TA04-078A)
To: rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br
Date: Fri, 19 Mar 2004 10:37:46 -0300 (BRST)

-----BEGIN PGP SIGNED MESSAGE-----

Dear all,

Supplementing the information sent by CAIS regarding the latest OpenSSL vulnerabilities, OpenSSL Project, "Null-pointer assignment during SSL handshake" and "Out-of-bounds read affects Kerberos ciphersuites", CAIS is forwarding the alert published by US-CERT, entitled "Multiple Vulnerabilities in OpenSSL".

In addition to the alert sent yesterday, there is information about a third vulnerability that is resolved by the suggested fixes. Versions of OpenSSL prior to 0.9.6d contain a condition which, if exploited, results in an infinite loop, causing denial of service in the attacked application.

Further information:

. OpenSSL Security Advisory
  http://www.openssl.org/news/secadv_20040317.txt
. Multiple Vulnerabilities in OpenSSL
  http://www.us-cert.gov/cas/techalerts/TA04-078A.html
. Two vulnerabilities in OpenSSL
  http://www.rnp.br/cais/alertas/2004/openssl20040318.html
. http://www.uniras.gov.uk/vuls/2004/224012/index.htm

CVE identifiers (http://cve.mitre.org):

. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0081

CAIS recommends that administrators keep their systems and applications up to date at all times, in line with the latest versions and fixes made available by vendors.

Regards,

################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS)       #
# Rede Nacional de Ensino e Pesquisa (RNP)                     #
#                                                              #
# cais em cais.rnp.br              http://www.cais.rnp.br      #
# Tel. 019-37873300                Fax. 019-37873301           #
# PGP key available at http://www.rnp.br/cais/cais-pgp.key     #
################################################################

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBQFr3s+kli63F4U8VAQHiDAP+NEzureAe4Kzyszpd75+DVOAZ8l+fxVI9
udVlmIdiGzN8GaNYFdGdWg9Qres7oWTf32Ef1vl2PsuacWd7ilHNnJHxFFYvhgMJ
Flx+Ob4qcMWnEfgSNdtOhPrSL1zdRF5oG/CVl/ahW/QAXbbuTAV8f4Wk6XOKB+Bu
SA7ktDOPRpQ=
=r9db
-----END PGP SIGNATURE-----

----- End forwarded message -----

From security em unicamp.br Mon Mar 22 13:18:40 2004
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Mon, 22 Mar 2004 13:18:40 -0300
Subject: [SECURITY-L] [ANNOUNCE] Apache HTTP Server 2.0.49 Released
Message-ID: <20040322161840.GA280@unicamp.br>

----- Forwarded message from Sander Striker -----

From: Sander Striker
Subject: [S] [ANNOUNCE] Apache HTTP Server 2.0.49 Released
To: announce em httpd.apache.org
Date: Fri, 19 Mar 2004 22:55:38 +0100
X-Mailer: Ximian Evolution 1.4.5

                    Apache HTTP Server 2.0.49 Released

The Apache Software Foundation and the Apache HTTP Server Project are pleased to announce the release of version 2.0.49 of the Apache HTTP Server ("Apache"). This Announcement notes the significant changes in 2.0.49 as compared to 2.0.48.

This version of Apache is principally a bug fix release. A summary of the bug fixes is given at the end of this document. Of particular note is that 2.0.49 addresses three security vulnerabilities:

When using multiple listening sockets, a denial of service attack is possible on some platforms due to a race condition in the handling of short-lived connections. This issue is known to affect some versions of AIX, Solaris, and Tru64; it is known to not affect FreeBSD or Linux.
[http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0174]

Arbitrary client-supplied strings can be written to the error log which can allow exploits of certain terminal emulators.
[http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0020]

A remotely triggered memory leak in mod_ssl can allow a denial of service attack due to excessive memory consumption.
[http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0113]

This release is compatible with modules compiled for 2.0.42 and later versions.

We consider this release to be the best version of Apache available and encourage users of all prior versions to upgrade.

Apache HTTP Server 2.0.49 is available for download from

  http://httpd.apache.org/download.cgi

Please see the CHANGES_2.0 file, linked from the above page, for a full list of changes.

Apache 2.0 offers numerous enhancements, improvements, and performance boosts over the 1.3 codebase. For an overview of new features introduced after 1.3 please see

  http://httpd.apache.org/docs-2.0/new_features_2_0.html

When upgrading or installing this version of Apache, please keep in mind the following:

If you intend to use Apache with one of the threaded MPMs, you must ensure that the modules (and the libraries they depend on) that you will be using are thread-safe. Please contact the vendors of these modules to obtain this information.

                        Apache 2.0.49 Major changes

Security vulnerabilities closed since Apache 2.0.48

  *) SECURITY: CAN-2004-0174 (cve.mitre.org)
     Fix starvation issue on listening sockets where a short-lived connection on a rarely-accessed listening socket will cause a child to hold the accept mutex and block out new connections until another connection arrives on that rarely-accessed listening socket. With Apache 2.x there is no performance concern about enabling the logic for platforms which don't need it, so it is enabled everywhere except for Win32. [Jeff Trawick]

  *) SECURITY: CAN-2004-0113 (cve.mitre.org)
     mod_ssl: Fix a memory leak in plain-HTTP-on-SSL-port handling. PR 27106. [Joe Orton]

  *) SECURITY: CAN-2003-0020 (cve.mitre.org)
     Escape arbitrary data before writing into the errorlog. Unescaped errorlogs are still possible using the compile time switch "-DAP_UNSAFE_ERROR_LOG_UNESCAPED". [Geoffrey Young, André Malo]

Bugs fixed and features added since Apache 2.0.47

  *) mod_cgid: Fix storage corruption caused by use of incorrect pool. [Jeff Trawick]

  *) Win32: find_read_listeners was not correctly handling multiple listeners on the Win32DisableAcceptEx path. [Bill Stoddard]

  *) Fix bug in mod_usertrack when no CookieName is set. PR 24483. [Manni Wood]

  *) Fix some piped log problems: bogus "piped log program '(null)' failed" messages during restart and problem with the logger respawning again after Apache is stopped. PR 21648, PR 24805. [Jeff Trawick]

  *) Fixed file extensions for real media files and removed rpm extension from mime.types. PR 26079. [Allan Sandfeld]

  *) Remove compile-time length limit on request strings. Length is now enforced solely with the LimitRequestLine config directive. [Paul J. Reder]

  *) mod_ssl: Send the Close Alert message to the peer before closing the SSL session. PR 27428. [Madhusudan Mathihalli, Joe Orton]

  *) mod_ssl: Fix bug in passphrase handling which could cause spurious failures in SSL functions later. PR 21160. [Joe Orton]

  *) mod_log_config: Fix corruption of buffered logs with threaded MPMs. PR 25520. [Jeff Trawick]

  *) Fix mod_include's expression parser to recognize strings correctly even if they start with an escaped token. [André Malo]

  *) Add fatal exception hook for use by diagnostic modules. The hook is only available if the --enable-exception-hook configure parm is used and the EnableExceptionHook directive has been set to "on". [Jeff Trawick]

  *) Allow mod_auth_digest to work with sub-requests with different methods than the original request. PR 25040. [Josh Dady]

  *) fix "Expected > but saw " errors in nested, argumentless containers. ["Philippe M. Chiasson"]

  *) mod_auth_ldap: Fix some segfaults in the cache logic. PR 18756. [Matthieu Estrade, Brad Nicholes]

  *) mod_cgid: Restart the cgid daemon if it crashes. PR 19849 [Glenn Nielsen]

  *) The whole codebase was relicensed and is now available under the Apache License, Version 2.0 (http://www.apache.org/licenses). [Apache Software Foundation]

  *) Fixed cache-removal order in mod_mem_cache. [Jean-Jacques Clar, Cliff Woolley]

  *) mod_setenvif: Fix the regex optimizer, which under circumstances treated the supplied regex as literal string. PR 24219. [André Malo]

  *) ap_mpm.h: Fix include guard of ap_mpm.h to reference mpm instead of mmn. [André Malo]

  *) mod_rewrite: Catch an edge case, where strange subsequent RewriteRules could lead to a 400 (Bad Request) response. [André Malo]

  *) Keep focus of ITERATE and ITERATE2 on the current module when the module chooses to return DECLINE_CMD for the directive. PR 22299. [Geoffrey Young]

  *) Add support for IMT minor-type wildcards (e.g., text/*) to ExpiresByType. PR#7991 [Ken Coar]

  *) Fix segfault in mod_mem_cache cache_insert() due to cache size becoming negative. PR: 21285, 21287 [Bill Stoddard, Massimo Torquati, Jean-Jacques Clar]

  *) core.c: If large file support is enabled, allow any file that is greater than AP_MAX_SENDFILE to be split into multiple buckets. This allows Apache to send files that are greater than 2gig. Otherwise we run into 32/64 bit type mismatches in the file size. [Brad Nicholes]

  *) proxy_http fix: mod_proxy hangs when both KeepAlive and ProxyErrorOverride are enabled, and a non-200 response without a body is generated by the backend server. (e.g.: a client makes a request containing the "If-Modified-Since" and "If-None-Match" headers, to which the backend server respond with status 304.) [Graham Wiseman, Richard Reiner]

  *) mod_dav: Reject requests which include an unescaped fragment in the Request-URI. PR 21779. [Amit Athavale]

  *) Build array of allowed methods with proper dimensions, fixing possible memory corruption. [Jeff Trawick]

  *) mod_ssl: Fix potential segfault on lookup of SSL_SESSION_ID. PR 15057. [Otmar Lendl]

  *) mod_ssl: Fix streaming output from an nph- CGI script. PR 21944 [Joe Orton]

  *) mod_usertrack no longer inspects the Cookie2 header for the cookie name. PR 11475. [Chris Darrochi]

  *) mod_usertrack no longer overwrites other cookies. PR 26002. [Scott Moore]

  *) worker MPM: fix stack overlay bug that could cause the parent process to crash. [Jeff Trawick]

  *) Win32: Add Win32DisableAcceptEx directive. This Windows NT/2000/XP directive is useful to work around bugs in some third party layered service providers like virus scanners, VPN and firewall products, that do not properly handle WinSock 2 APIs. Use this directive if your server is issuing AcceptEx failed messages. [Allan Edwards, Bill Rowe, Bill Stoddard, Jeff Trawick]

  *) Make REMOTE_PORT variable available in mod_rewrite. PR 25772. [André Malo]

  *) Fix a long delay with CGI requests and keepalive connections on AIX. [Jeff Trawick]

  *) mod_autoindex: Add 'XHTML' option in order to allow switching between HTML 3.2 and XHTML 1.0 output. PR 23747. [André Malo]

  *) Add XHTML Document Type Definitions to httpd.h (minor MMN bump). [André Malo]

  *) mod_ssl: Advertise SSL library version as determined at run-time rather than at compile-time. PR 23956. [Eric Seidel]

  *) mod_ssl: Fix segfault on a non-SSL request if the 'c' log format code is used. PR 22741. [Gary E. Miller]

  *) Fix build with parallel make. PR 24643. [Joe Orton]

  *) mod_rewrite: In external rewrite maps lookup keys containing a newline now cause a lookup failure. PR 14453. [Cedric Gavage, André Malo]

  *) Backport major overhaul of mod_include's filter parser from 2.1.
The new parser code is expected to be more robust and should catch all of the edge cases that were not handled by the previous one. The 2.1 external API changes were hidden by a wrapper which is expected to keep the API backwards compatible. [Andr?? Malo] *) Add a hook (insert_error_filter) to allow filters to re-insert themselves during processing of error responses. Enable mod_expires to use the new hook to include Expires headers in valid error responses. This addresses an RFC violation. It fixes PRs 19794, 24884, and 25123. [Paul J. Reder] *) Add Polish translation of error messages. PR 25101. [Tomasz Kepczynski ] *) Add AP_MPMQ_MPM_STATE function code for ap_mpm_query. (Not yet supported for BeOS or OS/2 MPMs.) [Jeff Trawick, Brad Nicholes, Bill Stoddard] *) Add mod_status hook to allow modules to add to the mod_status report. [Joe Orton] *) Fix htdbm to generate comment fields in DBM files correctly. [Justin Erenkrantz] *) mod_dav: Use bucket brigades when reading PUT data. This avoids problems if the data stream is modified by an input filter. PR 22104 ----- End forwarded message ----- From security em unicamp.br Mon Mar 22 13:19:04 2004 From: security em unicamp.br (CSIRT - UNICAMP) Date: Mon, 22 Mar 2004 13:19:04 -0300 Subject: [SECURITY-L] Vulnerability in ICQ Parsing in ISS Products Message-ID: <20040322161904.GB280@unicamp.br> ----- Forwarded message from Klaus Steding-Jessen ----- From: Klaus Steding-Jessen Subject: [S] Vulnerability in ICQ Parsing in ISS Products To: seguranca em pangeia.com.br Date: Sun, 21 Mar 2004 12:41:13 -0300 [http://xforce.iss.net/xforce/alerts/id/166] Alerts Internet Security Systems Security Alert March 18, 2004 Vulnerability in ICQ Parsing in ISS Products Synopsis: A vulnerability was discovered in the ICQ instant messaging protocol parsing routines of the ISS Protocol Analysis Module (PAM) component. The PAM module is a shared component of all current ISS host, server, and network protection software and devices. 
The flaw relates to incorrect parsing of the ICQ protocol which may lead
to a buffer overflow condition.

Affected Versions:

RealSecure® Network 7.0, XPU 22.11 and before
RealSecure Server Sensor 7.0 XPU 22.11 and before
RealSecure Server Sensor 6.5 for Windows SR 3.10 and before
Proventia A Series XPU 22.11 and before
Proventia G Series XPU 22.11 and before
Proventia M Series XPU 1.9 and before
RealSecure Desktop 7.0 ebl and before
RealSecure Desktop 3.6 ecf and before
RealSecure Guard 3.6 ecf and before
RealSecure Sentry 3.6 ecf and before
BlackICE Agent for Server 3.6 ecf and before
BlackICE PC Protection 3.6 ccf and before
BlackICE Server Protection 3.6 ccf and before

Impact:

The vulnerability is caused by insufficient size checks on certain
protocol fields in ICQ response data. After examining the nature of this
vulnerability, ISS X-Force believes that exploitation of this issue is
possible. It would not be necessary for ICQ response data to be part of
a legitimate ICQ session to trigger this issue.

Description:

The Protocol Analysis Module (PAM) facilitates the parsing of network
protocols in order to perform further analysis and attack detection. ICQ
is a popular instant messaging application developed by ICQ Inc., a
subsidiary of America Online. In order to detect attacks targeting
instant messaging software, PAM parses several IM protocols including
ICQ. There is incomplete boundary checking when parsing certain protocol
fields embedded within ICQ response data. As a result, it may be possible
for a remote attacker to cause memory corruption with the potential for
remote exploitation.

Recommendations:

ISS X-Force recommends that customers immediately update to the latest
releases provided by ISS. These updates contain a fix for this issue.

ISS has already made the following updates available to remedy this
vulnerability:

RealSecure Network 7.0, XPU 22.12
RealSecure Server Sensor 7.0 XPU 22.12
Proventia A Series XPU 22.12
Proventia G Series XPU 22.12
Proventia M Series XPU 1.10
RealSecure Desktop 7.0 ebm
RealSecure Desktop 3.6 ecg
RealSecure Guard 3.6 ecg
RealSecure Sentry 3.6 ecg
BlackICE Agent for Server 3.6 ecg
RealSecure Server Sensor 6.5 for Windows SR 3.11

The following updates will soon be made available:

BlackICE PC Protection 3.6 ccg
BlackICE Server Protection 3.6 ccg

Updates are available from the ISS Download Center:
http://www.iss.net/download/

While deploying the updates, it may be advisable to block some ICQ
traffic in network environments where the ICQ protocol is not in use.
This can be achieved by blocking UDP packets with a source port of 4000
at the network perimeter.

Additional Information:
http://www.eeye.com

Credit:
ISS X-Force would like to thank eEye Digital Security for notifying ISS
of the issue.

------

----- End forwarded message -----

From security em unicamp.br Tue Mar 23 08:43:46 2004
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Tue, 23 Mar 2004 08:43:46 -0300
Subject: [SECURITY-L] [nbso-anuncios] Registration Open: Fundamentals of Incident Handling Course (class of 26-30 April 2004)
Message-ID: <20040323114346.GA1967@unicamp.br>

----- Forwarded message from NIC BR Security Office -----

From: NIC BR Security Office
Subject: [nbso-anuncios] Registration Open: Fundamentals of Incident Handling Course (class of 26-30 April 2004)
To: nbso-anuncios em listas.nbso.nic.br
Date: Mon, 22 Mar 2004 14:14:43 -0300
Organization: NIC BR Security Office

Registration is open for the 26 to 30 April 2004 class of the
Fundamentals of Incident Handling course. Registration will remain open
from 22 March to 16 April 2004 and may close as soon as the class is
full.
Detailed information and the registration forms are available on the
page:

Registration for the CERT®/CC courses taught by NBSO
http://www.nbso.nic.br/cursos/inscricao/

Regards,
NBSO

--
NIC BR Security Office
Brazilian Computer Emergency Response Team
http://www.nbso.nic.br/

_______________________________________________
nbso-anuncios mailing list
nbso-anuncios em listas.nbso.nic.br
https://listas.nbso.nic.br/mailman/listinfo/nbso-anuncios

----- End forwarded message -----

From security em unicamp.br Tue Mar 23 15:35:58 2004
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Tue, 23 Mar 2004 15:35:58 -0300
Subject: [SECURITY-L] Security vulnerabilities
Message-ID: <20040323183556.GA3041@unicamp.br>

Dear users,

We have updated the site of the Unicamp CSIRT (Computer Security
Incident Response Team) with the following vulnerability bulletins:

19/03/2004
----------
Fedora Update Notification (FEDORA-2004-062)
Subject: security vulnerability in the xmms package.
http://www.security.unicamp.br/docs/bugs/2004/03/v78.txt

Fedora Update Notification (FEDORA-2004-093)
Subject: security vulnerability in the ghostscript package.
http://www.security.unicamp.br/docs/bugs/2004/03/v79.txt

Fedora Update Notification (FEDORA-2004-095)
Subject: security vulnerability in the openssl package.
http://www.security.unicamp.br/docs/bugs/2004/03/v81.txt

21/03/2004
----------
CAIS-Alerta
Subject: Propagation of the Witty / BlackIce worm
http://www.security.unicamp.br/docs/bugs/2004/03/v80.txt

22/03/2004
----------
Fedora Update Notification (FEDORA-2004-097)
Subject: security vulnerability in the openssl, pam, krb5 and e2fsprogs packages.
http://www.security.unicamp.br/docs/bugs/2004/03/v82.txt

--
Computer Security Incident Response Team - CSIRT
Unicamp - Universidade Estadual de Campinas
mailto:security em unicamp.br
http://www.security.unicamp.br

From security em unicamp.br Tue Mar 30 16:25:59 2004
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Tue, 30 Mar 2004 16:25:59 -0300
Subject: [SECURITY-L] CAIS-Alerta: Exploitation of vulnerabilities in Cisco products
Message-ID: <20040330192559.GA2994@unicamp.br>

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca -----

From: Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS-Alerta: Exploitation of vulnerabilities in Cisco products
To: rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br
Date: Mon, 29 Mar 2004 15:26:02 -0300 (BRST)

-----BEGIN PGP SIGNED MESSAGE-----

Dear all,

CAIS is forwarding the alert published by Cisco, entitled "Exploit for
Multiple Cisco Vulnerabilities Released", which concerns the appearance
of malicious code that exploits multiple vulnerabilities in several
Cisco products. This type of code, known as "proof-of-concept", is used
as a basis for building new attack tools. The vulnerabilities exploited
range from denial of service to remote execution of arbitrary code.

Affected systems:

According to the alert, the following vulnerabilities are exploited by
this code:

. Cisco 677/678 Telnet Buffer Overflow Vulnerability
. Cisco IOS Router Denial of Service Vulnerability
. Cisco IOS HTTP Auth Vulnerability
. Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability
. Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability
. Cisco 675 Web Administration Denial of Service Vulnerability
. Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability
. Cisco IOS Software HTTP Request Denial of Service Vulnerability
. Cisco 514 UDP Flood Denial of Service Vulnerability

Available fixes:

It is recommended to read each Cisco alert in order to identify which
fix to apply for each vulnerability.

. Cisco 677/678 Telnet Buffer Overflow Vulnerability
  CBOS - Improving Resilience to Denial-of-Service Attacks
  http://www.cisco.com/warp/public/707/CBOS-DoS.shtml

. Cisco IOS Router Denial of Service Vulnerability
  Cisco IOS HTTP Server Vulnerability
  http://www.cisco.com/warp/public/707/ioshttpserver-pub.shtml

. Cisco IOS HTTP Auth Vulnerability
  IOS HTTP Authorization Vulnerability
  http://www.cisco.com/warp/public/707/IOS-httplevel-pub.html

. Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability
  IOS HTTP Authorization Vulnerability
  http://www.cisco.com/warp/public/707/IOS-httplevel-pub.html

. Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability
  Cisco Catalyst SSH Protocol Mismatch Vulnerability
  http://www.cisco.com/warp/public/707/catalyst-ssh-protocolmismatch-pub.shtml

. Cisco 675 Web Administration Denial of Service Vulnerability
  This vulnerability is still being studied by Cisco, but mitigation
  measures can be applied, as described in:
  "Code Red" Worm - Customer Impact
  http://www.cisco.com/warp/public/707/cisco-code-red-worm-pub.shtml#workarounds
  CBOS Web-based Configuration Utility Vulnerability
  http://www.cisco.com/warp/public/707/cisco-cbos-webserver-pub.shtml

. Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability
  Catalyst 3500 Issue
  Description: http://www.securityfocus.com/archive/1/141471
  Cisco response: http://www.securityfocus.com/archive/1/144655

. Cisco IOS Software HTTP Request Denial of Service Vulnerability
  Cisco IOS HTTP Server Query Vulnerability
  http://www.cisco.com/warp/public/707/ioshttpserverquery-pub.shtml

. Cisco 514 UDP Flood Denial of Service Vulnerability
  A Vulnerability in IOS Firewall Feature Set
  http://www.cisco.com/warp/public/707/IOS-cbac-dynacl-pub.shtml

CAIS recommends that all updates be applied as quickly as possible, and
that mitigation measures be taken where applying the fixes is not
possible.

Further information:

. Cisco Security Notice: Exploit for Multiple Cisco Vulnerabilities
  http://www.cisco.com/warp/public/707/cisco-sn-20040326-exploits.shtml

CAIS reiterates its recommendation that administrators urgently update
the affected systems, in accordance with the information and fixes made
available by the vendor.

Regards,

################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS)       #
# Rede Nacional de Ensino e Pesquisa (RNP)                     #
#                                                              #
# cais em cais.rnp.br              http://www.cais.rnp.br      #
# Tel. 019-37873300                Fax. 019-37873301           #
# PGP key available at http://www.rnp.br/cais/cais-pgp.key     #
################################################################

Cisco Security Notice: Exploit for Multiple Cisco Vulnerabilities

Document ID: 50220
Revision 1.0

For Public Release 2004 March 27 19:30 UTC

Summary

Proof-of-concept code has been publicly released by an external group
that exploits multiple previous vulnerabilities in various Cisco
products.

Details

Proof-of-concept code has been publicly released that exploits multiple
previous vulnerabilities in various Cisco products. The following list
of vulnerabilities, taken verbatim from the exploit code, are affected.
Included after each is a URL which may be referenced for more
information regarding each vulnerability where Cisco has previously
released a security advisory or response to address the issue. Customers
should take steps to ensure that they have addressed each of these,
either via a software upgrade or workarounds in place as appropriate, in
order to mitigate any risk from this new exploit code.
[1] - Cisco 677/678 Telnet Buffer Overflow Vulnerability
      CBOS - Improving Resilience to Denial-of-Service Attacks
      http://www.cisco.com/warp/public/707/CBOS-DoS.shtml

[2] - Cisco IOS Router Denial of Service Vulnerability
      Cisco IOS HTTP Server Vulnerability
      http://www.cisco.com/warp/public/707/ioshttpserver-pub.shtml

[3] - Cisco IOS HTTP Auth Vulnerability
      IOS HTTP Authorization Vulnerability
      http://www.cisco.com/warp/public/707/IOS-httplevel-pub.html

[4] - Cisco IOS HTTP Configuration Arbitrary Administrative Access Vulnerability
      IOS HTTP Authorization Vulnerability
      http://www.cisco.com/warp/public/707/IOS-httplevel-pub.html

[5] - Cisco Catalyst SSH Protocol Mismatch Denial of Service Vulnerability
      Cisco Catalyst SSH Protocol Mismatch Vulnerability
      http://www.cisco.com/warp/public/707/catalyst-ssh-protocolmismatch-pub.shtml

[6] - Cisco 675 Web Administration Denial of Service Vulnerability
      Cisco is currently researching this vulnerability further.
      Mitigation methods have been available for some time, such as
      setting the web server to listen on a different port:

      "Code Red" Worm - Customer Impact
      http://www.cisco.com/warp/public/707/cisco-code-red-worm-pub.shtml#workarounds

      and through bugs resolved in the following advisory, where the web
      server under Cisco CBOS was enabled by default and listening on
      port 80 even when the web server was not configured:

      CBOS Web-based Configuration Utility Vulnerability
      http://www.cisco.com/warp/public/707/cisco-cbos-webserver-pub.shtml

[7] - Cisco Catalyst 3500 XL Remote Arbitrary Command Vulnerability
      Catalyst 3500 Issue
      Report: http://www.securityfocus.com/archive/1/141471
      Cisco Response: http://www.securityfocus.com/archive/1/144655

[8] - Cisco IOS Software HTTP Request Denial of Service Vulnerability
      Cisco IOS HTTP Server Query Vulnerability
      http://www.cisco.com/warp/public/707/ioshttpserverquery-pub.shtml

[9] - Cisco 514 UDP Flood Denial of Service Vulnerability
      A Vulnerability in IOS Firewall Feature Set
      http://www.cisco.com/warp/public/707/IOS-cbac-dynacl-pub.shtml

This issue regarding the publication of new exploit code was first
reported to Cisco by the NCC/Telecom-ISAC, who also contributed to the
content of this notice.

Workarounds

Possible workarounds for each of the vulnerabilities may be found in the
advisories referenced in the Details section.

Status of This Notice: INTERIM

This is an interim notice. Although Cisco cannot guarantee the accuracy
of all statements in this notice, all of the facts have been checked to
the best of our ability. Cisco does not anticipate issuing updated
versions of this notice. Should there be a change in the facts, Cisco
may update this notice.

A stand-alone copy or paraphrase of the text of this security notice
that omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.

Revision History

Revision 1.0   2004-March-26   Initial public release.
----- End forwarded message -----

From security em unicamp.br Wed Mar 31 15:14:12 2004
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Wed, 31 Mar 2004 15:14:12 -0300
Subject: [SECURITY-L] Security vulnerabilities
Message-ID: <20040331181412.GH4414@unicamp.br>

Dear users,

We have updated the site of the Unicamp CSIRT (Computer Security
Incident Response Team) with the following vulnerability bulletins:

24/03/2004
----------
Debian Security Advisory (DSA 468-1)
Subject: security vulnerability in the emil package.
http://www.security.unicamp.br/docs/bugs/2004/03/v84.txt

Gentoo Linux Security Advisory (GLSA 200403-04)
Subject: Multiple security vulnerabilities in Apache 2.
http://www.security.unicamp.br/docs/bugs/2004/03/v85.txt

25/03/2004
----------
Netwosix Linux Security Advisory (#2004-0006)
Subject: security vulnerability in the apache package.
http://www.security.unicamp.br/docs/bugs/2004/03/v86.txt

SCO Security Advisory (CSSA-2004-013.0)
Subject: OpenLinux: mutt remote buffer overflow.
http://www.security.unicamp.br/docs/bugs/2004/03/v87.txt

SCO Security Advisory (CSSA-2004-014.0)
Subject: OpenLinux: mc Updated packages resolve local buffer overflow vulnerability.
http://www.security.unicamp.br/docs/bugs/2004/03/v88.txt

SGI Security Advisory (20040303-01-U)
Subject: SGI Advanced Linux Environment security update #15.
http://www.security.unicamp.br/docs/bugs/2004/03/v89.txt

SGI Security Advisory (20040304-01-U)
Subject: SGI Advanced Linux Environment security update #16.
http://www.security.unicamp.br/docs/bugs/2004/03/v90.txt

26/03/2004
----------
Gentoo Linux Security Advisory (GLSA 200403-05)
Subject: UUDeview MIME Buffer Overflow.
http://www.security.unicamp.br/docs/bugs/2004/03/v91.txt

Gentoo Linux Security Advisory (GLSA 200403-06)
Subject: Multiple remote buffer overflow vulnerabilities in Courier.
http://www.security.unicamp.br/docs/bugs/2004/03/v93.txt

28/03/2004
----------
Gentoo Linux Security Advisory (GLSA 200403-07)
Subject: Multiple remote overflows and vulnerabilities in Ethereal.
http://www.security.unicamp.br/docs/bugs/2004/03/v94.txt

29/03/2004
----------
Red Hat Security Advisory (RHSA-2004:134-01)
Subject: Updated squid package fixes security vulnerability.
http://www.security.unicamp.br/docs/bugs/2004/03/v92.txt

Debian Security Advisory (DSA 469-1)
Subject: security vulnerability in the pam-pgsql package.
http://www.security.unicamp.br/docs/bugs/2004/03/v95.txt

FreeBSD Security Advisories (FreeBSD-SA-04:06)
Subject: setsockopt(2) IPv6 sockets input validation error.
http://www.security.unicamp.br/docs/bugs/2004/03/v96.txt

Netwosix Linux Security Advisory (#2004-0007)
Subject: security vulnerability in the ethereal package.
http://www.security.unicamp.br/docs/bugs/2004/03/v97.txt

Gentoo Linux Security Advisory (GLSA 200403-08)
Subject: oftpd DoS vulnerability.
http://www.security.unicamp.br/docs/bugs/2004/03/v98.txt

Gentoo Linux Security Advisory (GLSA 200403-09)
Subject: Buffer overflow in Midnight Commander.
http://www.security.unicamp.br/docs/bugs/2004/03/v99.txt

CAIS-Alerta
Subject: Exploitation of vulnerabilities in Cisco products.
http://www.security.unicamp.br/docs/bugs/2004/03/v100.txt

30/03/2004
----------
Trustix Secure Linux Security Advisory (#2004-0015)
Subject: security vulnerability in the tcpdump and libpcap packages.
http://www.security.unicamp.br/docs/bugs/2004/03/v101.txt

Trustix Secure Linux Security Advisory (#2004-0017)
Subject: security vulnerability in the apache package.
http://www.security.unicamp.br/docs/bugs/2004/03/v102.txt

--
Computer Security Incident Response Team - CSIRT
Universidade Estadual de Campinas - UNICAMP
mailto:security em unicamp.br
http://www.security.unicamp.br