Summary of Security Items from January 21 through February 3, 2004

Released
Sep 22, 2004
Document ID
SB04-035

The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded by the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) in the past week. NVD is sponsored by CISA. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores. Please visit NVD for updated vulnerability entries, which include CVSS scores once they are available.

Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division into high, medium, and low severities corresponds to the following scores:

  • High: vulnerabilities with a CVSS base score of 7.0–10.0
  • Medium: vulnerabilities with a CVSS base score of 4.0–6.9
  • Low: vulnerabilities with a CVSS base score of 0.0–3.9

Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis. 



Publications by US-CERT

Vulnerabilities in Microsoft Internet Explorer

Microsoft Security Bulletin MS04-004 describes three vulnerabilities
in Internet Explorer that have impacts ranging from disguising the
true location of a URL to executing arbitrary commands or code.

W32/MyDoom.B Virus

A variant of the W32/MyDoom (W32/Novarg.A) virus, W32/MyDoom.B infects
Microsoft Windows systems. Like its predecessor, W32/MyDoom.B
propagates via email and P2P networks and requires that a user
intentionally run an executable file in order to infect a system. This
virus may be designed to cease functioning on March 1, 2004.

VU#434566: Apache mod_rewrite vulnerable to buffer overflow via crafted regular expression

A vulnerability in a supplementary module to the Apache HTTP server
could allow an attacker to execute arbitrary code on an affected web
server under certain circumstances.

VU#549142: Apache mod_alias vulnerable to buffer overflow via crafted regular expression

A vulnerability in a supplementary module to the Apache HTTP server
could allow an attacker to execute arbitrary code on an affected web
server under certain circumstances.

VU#602734: Cisco default install of IBM Director agent fails to authenticate users for remote administration

Cisco IBM Director agent fails to authenticate users for remote
administration.

VU#721092: Cisco IBM Director agent does not properly handle arbitrary TCP packets to port 14247/tcp

Cisco IBM Director agent does not properly handle arbitrary TCP
packets to port 14247/tcp.

VU#509454: HP-UX shar utility creates files with predictable names in "/tmp" directory

The shar program distributed with some versions of the HP-UX operating
system creates files insecurely. This vulnerability could allow local
users to gain escalated privilege on the system.

VU#820798: KDE Personal Information Management suite "kdepim" contains a buffer overflow vulnerability in VCF information reader

KDE Personal Information Management suite "kdepim" contains a buffer
overflow vulnerability. Exploitation of this vulnerability could lead
to the arbitrary execution of commands.

VU#530660: Microsoft Exchange Server 2003 fails to assign user credentials to proper mailbox

A flaw in the authentication mechanism that Microsoft Exchange Server
2003 uses for Outlook Web Access users in some configurations could
expose another user's mailbox.

VU#927630: NetScreen-Security Manager fails to encrypt communications with managed devices

A vulnerability in the NetScreen-Security Manager software could
expose sensitive information in cleartext over the network.

VU#702526: Sun Solaris allows unprivileged local user to load arbitrary kernel modules

Sun Solaris allows an unprivileged local user to load arbitrary kernel
modules.



Publications by Vendors

Apache Software Foundation

The Apache Software Foundation released information regarding a
vulnerability in mod_python. For more information, see

Apple

Apple released security updates to MacOS X and MacOS X Server. For
more information, see

Cisco

Cisco Systems released updates for vulnerabilities related to certain
problems in Cisco 6000/6500/7600 series systems and incorrectly formed
layer 2 frames, vulnerabilities in Microsoft Windows which affect
certain Cisco products, and certain Cisco voice products installed on
the IBM platform. For more information, see

Debian

Debian released updates to crawl, perl, trr19, and gnupg. For more
information, see

FreeBSD

FreeBSD released information regarding vulnerabilities in
mksnap_ffs. For more information, see

Gentoo

Gentoo released updates related to GAIM, mod_python, and
Honeyd. For more information, see

Hewlett Packard

Hewlett Packard released a security update describing a problem in
Bind 8 for OpenVMS. Hewlett Packard has also revised previous
bulletins describing problems in BIND 8 for OpenVMS, OpenSSH, a system
service in OpenVMS Alpha, OpenSSL and TLS on Tru64 UNIX, and the way
various programs handle certain types of network traffic. For more
information, see

Macromedia

Macromedia released two updates related to Coldfusion MX. For more
information, see

Mandrake

Mandrake released updates to gaim, php-ini, tcpdump, mc, jabber,
slocate, mrproject, dhcp, and qt3. For more information, see

Microsoft

Microsoft released two security updates to Windows, and a security
update to Microsoft Exchange and IAServer.

Novell

Novell issued updates to HTTPSTK.NLM, iChain 2.2, and eDirectory
prior to 8.7.3. For more information, see

Red Hat

Red Hat released updates related to NetPBM, mc, an updated kernel
that addresses a number of issues, util-linux, Gaim, and slocate. Note
that the original bulletin regarding mc was superseded. Additionally,
Red Hat released an update to Fedora Core regarding slocate. For more
information, see

SGI

SGI released updates related to do_mremap(), kmod, frm (part of
elm), CVS, tcpdump, Ethereal, html2ps, Safe.pm, gzexe and gznew,
libdesktopicon.so, and gr_osview. For more information, see

Slackware

Slackware has released information regarding GAIM. For more
information, see

Sun Microsystems

Sun Microsystems released security updates describing problems in Sun ONE/iPlanet
Webserver, in.named (BIND), the tcsetattr(3C) library function, the
pfexec command, Solaris IKE, SunForum, OpenSSL and TLS on SunPlex
systems, Safe.pm and CGI.pm perl modules, and Loadable Kernel
Modules. Additionally, Sun withdrew two patches previously released
for the Basic Security Module. For more information, see

SuSE Linux

SUSE Linux has released information regarding gaim. For more
information, see

Trustix

Trustix released an update regarding slocate. For more information,
please see

Turbolinux

Turbolinux released updates regarding tcpdump and lftp. For more
information see



Publications by Third Parties

AusCERT

AusCERT released a variety of bulletins and alerts. For more
information, see

F-Secure

F-Secure released information about Lovsan.H, Mydoom, Mydoom.B,
Lasku, Needy.C, Mimail.S, Swen, Dumaru.AA, Dumaru.Z, Mimail.Q,
UrlSpoof.E, Dumaru.Y, and Bagle.

Of these, the variants of Mydoom and Dumaru, Swen, and Bagle
received high alert levels under the "F-Secure Radar."

ISS

ISS released an alert regarding MyDoom, as well as several summary
documents. For more information, see

Network Associates

Network Associates has released information on MS Vulnerabilities,
Proxy-Agent, W32/Anig.worm, W32/Mimail.s@MM, W32/Mydoom.b@MM, Ntpass
application, W32/Mydoom@MM, W32/Mimail.q@MM, VBS/Braco@MM, and
W32/Dumaru.y@MM. For more information, see

SANS

SANS has released two versions of the Consensus Security Alert. For
more information, please see

Sophos

Sophos released information about W32/Agobot-CS, W32/Spybot-AF,
WM97/Ortant-A, W32/Agobot-CO, Troj/Chapter-A, Troj/Control-E,
Troj/Daemoni-B, Troj/Daemoni-C, W32/Agobot-P, Troj/Volver-A,
W32/Agobot-CK, W32/Agobot-AD, W32/Agobot-CL, W32/Agobot-CN,
W32/SdBot-W, Troj/SdBot-AP, Troj/Flood-DZ, Troj/ByteVeri-E,
Troj/NoCheat-B, W32/Carpeta-C, W32/RpcSdbot-B, W32/MyDoom-B,
W32/Eyeveg-B, Troj/Femad-B, W32/Agobot-CM, Troj/Winpup-C,
Troj/IRCBot-U, Troj/Hidemirc-A, Troj/Ircfloo-A, W32/Mimail-S,
VBS/Inor-C, W32/Dumaru-Z, W32/Argdoor-A, W32/Spybot-CJ, W32/Apsiv-A,
Troj/Digits-B, Troj/AdClick-Y, Troj/Stawin-A, W32/MyDoom-A,
W32/Mimail-Q, W32/Dumaru-K, Troj/Small-AW, Troj/Mahru-A, W32/Dumaru-Y,
W32/Flopcopy-A, W32/Randon-AC, and W32/Randex-Z.

Symantec

Symantec released information on W32.Hostidel.Trojan.C,
W32.HLLW.Chemsvy, W32.Dumaru.AD@mm, W32.Galil.F@mm, VBS.Shania,
Keylogger.Stawin, W32.Randex.FC, W32.HLLW.Anig, PWSteal.Olbaid,
W32.Mimail.S@mm, Backdoor.Aphexdoor, W32.IRCBot.C, W32.Mydoom.B@mm,
Trojan.Bookmarker.E, W32.HLLW.Pokibat, W32.Mydoom.A@mm,
W32.Mimail.Q@mm, W32.Dumaru.Z@mm, W32.Dumaru.Y@mm,
Trojan.Bookmarker.D, W32.HLLW.Sanker, and Backdoor.OptixPro.13b.

Of these, W32.Dumaru.AD@mm, W32.Galil.F@mm, W32.Mydoom.B@mm,
W32.Mydoom.A@mm, W32.Mimail.Q@mm, W32.Dumaru.Z@mm, and W32.Dumaru.Y@mm
are rated as "High" distribution, which is an indication of how
quickly a threat is able to spread.

Trend Micro

Trend Micro released information on WORM_AGOBOT.RW, WORM_MSBLAST.H,
WORM_DUMARU.AB, WORM_RANDEX.FC, WORM_SDBOT.GO, WORM_SDBOT.K,
WORM_AGOBOT.O, WORM_ANIG.A, WORM_MIMAIL.S, WORM_MYDOOM.B,
WORM_MYDOOM.A, WORM_AGOBOT.U, WORM_MIMAIL.Q, WORM_DUMARU.Z,
WORM_AGOBOT.DG, WORM_AGOBOT.FQ, WORM_DUMARU.Y, WORM_AGOBOT.W,
HTML_VISAFRAUD.A, and WORM_AGOBOT.FX.

Of these, WORM_AGOBOT.FX, WORM_DUMARU.Y, WORM_AGOBOT.W,
WORM_AGOBOT.FQ, WORM_DUMARU.Z, WORM_MIMAIL.Q, WORM_MYDOOM.B,
WORM_MYDOOM.A, WORM_AGOBOT.U, WORM_MIMAIL.S, WORM_ANIG.A,
WORM_AGOBOT.O, WORM_SDBOT.K, WORM_SDBOT.GO, WORM_RANDEX.FC,
WORM_DUMARU.AB, WORM_MSBLAST.H, and WORM_AGOBOT.RW are rated as
having "high" distribution potential. For more information, see

UNIRAS

UNIRAS issued a variety of bulletins and alerts. For more
information, see



Copyright 2004 Carnegie Mellon University.