Security Advisories Week: 30 May – 6 June 2002

Title: Imap server buffer overflow

Date: May 30 2002

Vendor: Mandrake

Vulnerable systems: Mandrake Linux 7.1, 7.2, 8.1, 8.2, Corporate Server 1.0.1

Full advisory: http://www.net-security.org/advisory.php?id=731

Problem description: A buffer overflow was discovered in the imap server that could allow a malicious user to run code on the server with the uid and gid of the email owner by constructing a malformed request that would trigger the buffer overflow.

Title: Ftpd allows data connection hijacking via PASV mode

Date: May 30 2002

Vendor: Caldera

Vulnerable systems: Open UNIX 8.0.0 UnixWare 7.1.1

Full advisory: http://www.net-security.org/advisory.php?id=732

Problem description: If an attacker can make a connection to the listening port before the client connects, the server will transmit the data to the attacker instead of the client.

Title: Updated tcpdump packages fix buffer overflow

Date: May 30 2002

Vendor: Red Hat

Vulnerable systems: Red Hat Linux 6.2 and 7.x

Full advisory: http://www.net-security.org/advisory.php?id=734

Problem description: tcpdump is a command-line tool for monitoring network traffic. Versions of tcpdump up to and including 3.6.2 have a buffer overflow that can be triggered when tracing the network by a bad NFS packet.

Title: in.uucpd string truncation problem

Date: May 30 2002

Vendor: Debian

Vulnerable systems: Debian GNU/Linux 2.2

Full advisory: http://www.net-security.org/advisory.php?id=735

Problem description: in.uucpd, an authentication agent in the uucp package, does not properly terminate certain long input strings.

Title: Memory allocation error in ethereal

Date: May 30 2002

Vendor: Debian

Vulnerable systems: Debian GNU/Linux 2.2

Full advisory: http://www.net-security.org/advisory.php?id=736

Problem description: Ethereal versions prior to 0.9.3 were vulnerable to an allocation error in the ASN.1 parser. This can be triggered when analyzing traffic using the SNMP, LDAP, COPS, or Kerberos protocols in ethereal.

Title: Directory Administrator password in cleartext

Date: June 3 2002

Vendor: Caldera

Vulnerable systems: Volution Manager 1.1 Standard

Full advisory: http://www.net-security.org/advisory.php?id=737

Problem description: Volution Manager stores the unencrypted Directory Administrator’s password in the /etc/ldap/slapd.conf file.

Title: Malformed Mail Attribute can Cause Exchange 2000 to Exhaust CPU Resources

Date: June 4 2002

Vendor: Microsoft

Vulnerable systems: Microsoft Exchange

Full advisory: http://www.net-security.org/advisory.php?id=738

Problem description: There is a flaw in the way Exchange 2000 handles certain malformed RFC message attributes on received mail. Upon receiving a message containing such a malformation, the flaw causes the Store service to consume 100% of the available CPU in processing the message.

Title: rpc.passwd vulnerability

Date: June 5 2002

Vendor: SGI

Vulnerable systems: IRIX 6.5.*

Full advisory: http://www.net-security.org/advisory.php?id=739

Problem description: It’s been reported that /usr/etc/rpc.passwd has a vulnerability which could allow a user to compromise root.

Title: Denial-of-Service Vulnerability in ISC BIND 9

Date: June 5 2002

Vendor: ISC

Vulnerable systems: ISC BIND 9

Full advisory: http://www.net-security.org/advisory.php?id=740

Problem description: A denial-of-service vulnerability exists in version 9 of the Internet Software Consortium’s (ISC) Berkeley Internet Name Domain (BIND) server. ISC BIND versions 8 and 4 are not affected. Exploiting this vulnerability will cause the BIND server to shut down.

Title: Updated xchat packages fix /dns vulnerability

Date: June 5 2002

Vendor: Red Hat

Vulnerable systems: Red Hat Linux 6.2 and 7.x

Full advisory: http://www.net-security.org/advisory.php?id=741

Problem description: A security issue in XChat allows a malicious server to execute arbitrary commands.

Title: Updated bind packages fix denial of service attack

Date: June 5 2002

Vendor: Red Hat

Vulnerable systems: Red Hat Linux 7.x

Full advisory: http://www.net-security.org/advisory.php?id=742

Problem description: Versions of BIND 9 prior to 9.2.1 have a bug that causes certain requests to the BIND name server (named) to fail an internal consistency check, causing the name server to stop responding to requests.

Title: Ghostscript command execution vulnerability

Date: June 5 2002

Vendor: Red Hat

Vulnerable systems: Red Hat Linux 6.2 and 7.x

Full advisory: http://www.net-security.org/advisory.php?id=743

Problem description: An untrusted PostScript file can cause ghostscript to execute arbitrary commands due to insufficient checking. Since ghostscript is often used during the course of printing a document (and is run as user ‘lp’), all users should install these fixed packages.

Title: snmpdx(1M) and mibiisa(1M) fixes available

Date: June 5 2002

Vendor: SUN

Vulnerable systems: SunOS 5.8, 5.8_x86, 5.7, 5.7_x86, 5.6, 5.6_x86

Full advisory: http://www.net-security.org/advisory.php?id=744

Problem description: A format string vulnerability has been discovered in snmpdx and a buffer overflow found in mibiisa which may be exploited by a local or a remote attacker to gain root access on the affected system.

Title: Multiple Vulnerabilities in Yahoo! Messenger

Date: June 6 2002

Vendor: Yahoo

Vulnerable systems: Yahoo! Messenger version 5,0,0,1064 and prior for Microsoft Windows

Full advisory: http://www.net-security.org/advisory.php?id=745

Problem description: There are multiple vulnerabilities in Yahoo! Messenger. Attackers that are able to exploit these vulnerabilities may be able to execute arbitrary code with the privileges of the victim user.

Title: Buffer Overflow when parsing NFS traffic

Date: June 6 2002

Vendor: Conectiva

Vulnerable systems: Conectiva Linux 6.0, 7.0, 8

Full advisory: http://www.net-security.org/advisory.php?id=746

Problem description: There is a buffer overflow vulnerability in tcpdump when it is parsing NFS traffic. A remote attacker could exploit this to at least crash the tcpdump process.

Title: tcpdump AFS RPC and NFS packet vulnerabilities

Date: June 6 2002

Vendor: Caldera

Vulnerable systems: OpenLinux 3.1.1 Server prior to tcpdump-3.6.2-2.i386.rpm, OpenLinux 3.1.1 Workstation prior to tcpdump-3.6.2-2.i386.rpm, OpenLinux 3.1 Server prior to tcpdump-3.6.2-2.i386.rpm, OpenLinux 3.1 Workstation prior to tcpdump-3.6.2-2.i386.rpm

Full advisory: http://www.net-security.org/advisory.php?id=747

Problem description: The tcpdump program is vulnerable to several buffer overflows, the most serious of which are problems with the decoding of AFS RPCpackets and the handling of malformed NFS packets.

Title: Conectiva Linux Kernel update

Date: June 6 2002

Vendor: Conectiva

Vulnerable systems: 5.0, prg graficos, ecommerce, 5.1, 6.0, 7.0

Full advisory: http://www.net-security.org/advisory.php?id=748

Problem description: This announcement updates the kernel package and fixes zlib and lcall vulnerabilities.

Title: Remote denial of service attack in BIND

Date: June 6 2002

Vendor: SuSE

Vulnerable systems: SuSE Linux 7.0, 7.1, 7.2, 7.3, 8.0

Full advisory: http://www.net-security.org/advisory.php?id=749

Problem description: There is a bug in the BIND9 name server that is triggered when processing certain types of DNS replies.