Summary of Security Items from October 13 through October 19, 2004
The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded in the past week. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores.
Vulnerabilities are based on the Common Vulnerabilities and Exposures (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System (CVSS) standard. The division of high, medium, and low severities corresponds to the following scores:
- High: vulnerabilities with a CVSS base score of 7.0–10.0
- Medium: vulnerabilities with a CVSS base score of 4.0–6.9
- Low: vulnerabilities with a CVSS base score of 0.0–3.9
Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis.
This bulletin provides a summary of new or updated vulnerabilities, exploits, trends, viruses, and trojans. Updates to items appearing in previous bulletins are listed in bold text. The text in the Risk column appears in red for vulnerabilities ranking High. The risk levels applied to vulnerabilities in the Cyber Security Bulletin are based on how the "system" may be impacted. The Recent Exploit/Technique table contains a "Workaround or Patch Available" column that indicates whether a workaround or patch has been published for the vulnerability which the script exploits.
Bugs, Holes, & Patches
The table below summarizes vulnerabilities that have been identified, even if they are not being exploited. Complete details about patches or workarounds are available from the source of the information or from the URL provided in the section. CVE numbers are listed where applicable. Vulnerabilities that affect both Windows and Unix Operating Systems are included in the Multiple Operating Systems section.
Note: All the information included in the following tables has been discussed in newsgroups and on web sites.
The Risk levels defined below are based on how the system may be impacted:
- High - A high-risk vulnerability is defined as one that will allow an intruder to immediately gain privileged access (e.g., sysadmin or root) to the system or allow an intruder to execute code or alter arbitrary system files. An example of a high-risk vulnerability is one that allows an unauthorized user to send a sequence of instructions to a machine and the machine responds with a command prompt with administrator privileges.
- Medium - A medium-risk vulnerability is defined as one that will allow an intruder immediate access to a system with less than privileged access. Such a vulnerability will allow the intruder the opportunity to continue the attempt to gain privileged access. An example of a medium-risk vulnerability is a server configuration error that allows an intruder to capture the password file.
- Low - A low-risk vulnerability is defined as one that will provide information to an intruder that could lead to further compromise attempts or a Denial of Service (DoS) attack. It should be noted that while the DoS attack is deemed low from a threat potential, the frequency of this type of attack is very high. DoS attacks against mission-critical nodes are not included in this rating and any attack of this nature should instead be considered to be a "High" threat.
UNIX / Linux Operating Systems Only
Vendor & Software Name | Vulnerability - Impact Patches - Workarounds Attacks Scripts | Common Name | Risk | Source |
Apache 2.0.35-2.0.52 | A vulnerability exists when the 'SSLCipherSuite' directive is used in a OpenPKG: ftp://ftp.openpkg.org/release/ There is no exploit code required. | Medium | OpenPKG Security Advisory, OpenPKG-SA-2004.044, October 15, 2004 | |
Apache Software Foundation Apache 1.3.26‑1.3.29, 1.3.31; | A buffer overflow vulnerability exists in Apache mod_proxy when a ContentLength: header is submitted that contains a large negative value, which could let a remote malicious user cause a Denial of Service and possibly execute arbitrary code. Patches available at: http://marc.theaimsgroup.com/?l=apache-httpd-dev&m=108687304202140&q=p3 OpenBSD: ftp://ftp.openbsd.org/pub/OpenBSD/patches/ OpenPKG: ftp://ftp.openpkg.org/release/2.0/UPD/apache-1.3.29-2.0.3.src.rpm Gentoo: http://security.gentoo.org/glsa/glsa-200406-16.xml Mandrake: http://www.mandrakesoft.com/security/advisories SGI: ftp://patches.sgi.com/support/free/security/ Fedora Legacy: http://download.fedoralegacy.org/redhat/ Currently we are not aware of any exploits for this | Low/High (High if arbitrary code can be executed) | SecurityTracker Alert, 1010462, June 10, 2004 Gentoo Linux Security Advisory, GLSA 200406-16, June 22, 2004 Mandrakelinux Security Update Advisory, MDKSA-2004:065, June 29, OpenPKG Security Advisory, OpenPKG-SA-2004.029, June 11, 2004 SGI Security Advisory, 20040605-01-U, June 21, 2004 Fedora Legacy Update Advisory, FLSA:1737, October 14, 2004 US-CERT Vulnerability Note VU#541310, October 19, 2004 | |
Apache Software Apache 1.3-2.0.49 | A stack-based buffer overflow has been reported in the Apache mod_ssl Patch available at: http://cvs.apache.org/viewcvs.cgi/httpd-2.0/modules/ssl/ssl_engine_kernel.c?r1=1.105&r2=1.106 Mandrake: http://www.mandrakesecure.net/en/ftp.php OpenPKG: ftp://ftp.openpkg.org Tinysofa: http://www.tinysofa.org/support/errata/2004/008.html Trustix: http://http.trustix.org/pub/trustix/updates/ Gentoo: http://security.gentoo.org/glsa/glsa-200406-05.xml OpenBSD: http://www.openbsd.org/errata.html SGI: ftp://patches.sgi.com/support/free/security/patches/ProPack/2.4/ Apple: http://www.apple.com/support/security/security_updates.html Fedora Legacy: http://download.fedoralegacy.org/redhat/ Currently we are not aware of any exploits for this | Low/High (High if arbitrary code can be executed) | Security Focus, May 17, 2004 Gentoo Linux Security Advisory, GLSA 200406-05, June 9, 2004 Mandrakelinux Security Update Advisories, MDKSA-2004:054 & 055, OpenPKG Security Advisory, OpenPKG-SA-2004.026, May 27, 2004 RedHat Security Advisory, RHSA-2004:342-10, July 6, 2004 SGI Security Advisory, 20040605-01-U, June 21, 2004 Tinysofa Security Advisory, TSSA-2004-008, June 2, 2004 Trustix Security Advisory, TSLSA-2004-0031, June 2, 2004 Fedora Legacy Update Advisory, FLSA:1888, October 14, 2004 | |
Cyrus SASL 1.5.24, 1.5.27, 1.5.28, 2.1.9-2.1.18 | Several vulnerabilities exist: a buffer overflow vulnerability exists Fedora: Gentoo: http://security.gentoo.org/glsa/glsa-200410-05.xml Mandrake: http://www.mandrakesecure.net/en/ftp.php RedHat: http://rhn.redhat.com/errata/RHSA-2004-546.html Trustix: ftp://ftp.trustix.org/pub/trustix/updates/ Debian: http://security.debian.org/pool/updates/main/c/cyrus-sasl/ We are not aware of any exploits for this vulnerability. | High | SecurityTracker Alert ID: 1011568, October 7, 2004 Debian Security Advisories DSA 563-2, 563-3, & 568-1, | |
cPanel 9.4.1-RELEASE-64; 9.9.1-RELEASE-3 | Several vulnerabilities exist: a vulnerability exists in the backup feature, which could let a remote authenticated malicious user obtain sensitive information; a vulnerability exists when FrontPage extensions are turned on or off, which could let a remote authenticated malicious user change ownership of critical files; and a vulnerability exists in the '_private' directory when FrontPage extensions are turned on or off, which could let a remote authenticated malicious user change permissions on any file on the target system to 0755. No workaround or patch available at time of Proofs of Concept exploits have been published. | cPanel Backup & FrontPage Management Remote Arbitrary File Modifications | Medium/ High (High if root access can be obtained) | SecurityTracker Alert ID, 1011762, October 18, 2004 |
Ansel 1.2, 1.3, 1.4, 2.0 | A vulnerability exists due to insecure default permissions when picture Upgrade available at: There is no exploit code required. | Federico David Sacerdoti Ansel Insecure Default | Medium | SecurityFocus, October 14, 2004 |
Gnofract 4D prior to 2.2 | A vulnerability exists due to an error in the handling of '.fct' Update available at: http://gnofract4d.sourceforge.net/download.html We are not aware of any exploits for this vulnerability. | Gnofract 4 Remote Arbitrary Code Execution | High | SecurityTracker Alert ID, 1011757, October 17, 2004 |
LibTIFF 3.6.1 | Several buffer overflow vulnerabilities exist: a vulnerability exists because a specially crafted image file can be created, which could let a remote malicious user cause a Denial of Service or execute arbitrary code; a remote Denial of Service vulnerability exists in 'libtiff/tif_dirread.c' due to a division by zero error; and a vulnerability exists in the 'tif_next.c,' 'tif_thunder.c,' and 'tif_luv.c' RLE decoding routines, which could let a remote malicious user execute arbitrary code. Debian: Gentoo: http://security.gentoo.org/glsa/glsa-200410-11.xml Fedora: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/ OpenPKG: Trustix: ftp://ftp.trustix.org/pub/trustix/updates/ Proofs of Concept exploits have been published. | LibTIFF Buffer Overflows CVE Name: | Low/High (High if arbitrary code can be executed) | Gentoo Linux Security Advisory, GLSA 200410-11, October 13, 2004 Fedora Update Notification, OpenPKG Security Advisory, OpenPKG-SA-2004.043, October 14, 2004 Debian Security Advisory, DSA 567-1, October 15, 2004 Trustix Secure Linux Security Advisory, TSLSA-2004-0054, October 15, |
Unzoo 4.4 | A vulnerability exists when a specially crafted archive is created due to insufficient validation, which could let a remote malicious user create or overwrite files. No workaround or patch available at time of We are not aware of any exploits for this vulnerability. | unzoo Input Validation | Medium | SecurityTracker Alert ID, 1011673, October 14, 2004 |
mpg123 0.x | A buffer overflow vulnerability exists in the 'do_layer2()' function, Gentoo: http://security.gentoo.org/glsa/glsa-200409-20.xml Mandrake: http://www.mandrakesecure.net/en/ftp.php Debian: http://security.debian.org/pool/updates/non-free/m/mpg123/ An exploit script has been published. | High | Securiteam, September 7, 2004 Gentoo Linux Security Advisory, GLSA 200409-20, September 16, 2004 Mandrakelinux Security Update Advisory, MDKSA-2004:100, September 22, Debian Security Advisory, DSA 564-1, October 13, 2004 | |
LHA 1.14 | Multiple vulnerabilities exist: a buffer overflow vulnerability exists in the parsing of archives, which could let a remote malicious user execute arbitrary code; a buffer overflow vulnerability exists in the parsing of command-line arguments, which could let a remote malicious user execute arbitrary code; and a vulnerability exists due to insufficient validation of shell meta characters in directories, which could let a remote malicious user execute arbitrary shell commands. RedHat: http://rhn.redhat.com/errata/RHSA-2004-323.html Fedora: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/ Gentoo: http://security.gentoo.org/glsa/glsa-200409-13.xml Fedora Legacy: http://download.fedoralegacy.org/redhat/ We are not aware of any exploits for these vulnerabilities. | LHA Multiple Code Execution CVE Names: | High | SecurityFocus, September 2, 2004 Fedora Update Notifications Gentoo Linux Security Advisory, GLSA 200409-13, September 8, 2004 Fedora Legacy Update Advisory, FLSA:1833, October 14, 2004 |
MySQL AB MySQL 3.20 .x, 3.20.32 a, 3.21.x, 3.22 .x, 3.22.26-3.22.30, | A vulnerability exists in the 'GRANT' command due to a failure to ensure sufficient privileges, which could let a malicious user obtain unauthorized access. Upgrades available at: Trustix: ftp://ftp.trustix.org/pub/trustix/updates/ There is no exploit code required. | MySQL Database Unauthorized GRANT Privilege | Medium | Trustix Secure Linux Security Advisory, TSLSA-2004-0054, October 15, 2004 |
Multiple Vendors Conectiva Mr. S.K. LHA 1.14, 1.15, 1.17; RARLAB WinRar 3.20; RedHat | Multiple vulnerabilities exist: two buffer overflow vulnerabilities RedHat: ftp://updates.redhat.com/9/en/os/i386/lha-1.14i-9.1.i386.rpm Slackware: ftp://ftp.slackware.com/pub/slackware/ Conectiva: ftp://atualizacoes.conectiva.com.br/ Debian: http://security.debian.org/pool/updates/non-free/l/lha/ F-Secure: http://www.f-secure.com/security/fsc-2004-1.shtml Fedora: http://www.redhat.com/archives/fedora-announce-list/2004-May/msg00005.html Gentoo: http://security.gentoo.org/glsa/glsa-200405-02.xml SGI: http://www.sgi.com/support/security/ Fedora Legacy: http://download.fedoralegacy.org/redhat/ Proofs of Concept exploits have been published. | Medium/ High (High if arbitrary code can be executed) | Conectiva Linux Security Announcement, CLA-2004:840, May 7, 2004 Debian Security Advisory DSA 515-1, June 5, 2004 F-Secure Security Bulletin, FSC-2004-1, May 26, 2004 Fedora Update Notification, FEDORA-2004-119, May 11, 2004 Gentoo Linux Security Advisory, GLSA 200405-02, May 9, 2004 Red Hat Security Advisory, RHSA-2004:179-01, April 30, 2004 SGI Security Advisories, 20040602-01-U & 20040603-01-U, June 21, Slackware Security Advisory, SSA:2004-125-01, May 5, 2004 Fedora Legacy Update Advisory, FLSA:1833, October 14, 2004 | |
Apple Mac OS X 10.2-10.2.8, 10.3-10.3.5, OS X Server 10.2-10.2.8, 10.3 | A vulnerability exists in 'error_log' when certain methods of remote Update available at: http://www.cups.org/software.php Apple: Fedora: Gentoo: http://security.gentoo.org/glsa/glsa-200410-06.xml Debian: http://security.debian.org/pool/updates/main/c/cupsys/ There is no exploit code required. | Medium | Apple Security Update, APPLE-SA-2004-09-30, October 4, 2004 Fedora Update Notification, Gentoo Linux Security Advisory, GLSA 200410-06, October 9, 2004 Debian Security Advisory, DSA 566-1, October 14, 2004 | |
Easy Software Products CUPS 1.1.14-1.1.20; Trustix Secure Enterprise | A Denial of Service vulnerability exists in 'scheduler/dirsvc.c' due to Update available at: http://www.cups.org/software.php Debian: http://security.debian.org/pool/updates/main/c/cupsys/ Mandrake: http://www.mandrakesecure.net/en/ftp.php RedHat: http://rhn.redhat.com/ SuSE: ftp://ftp.suse.com/pub/suse/ Trustix: ftp://ftp.trustix.org/pub/trustix/updates/ ALTLinux: http://altlinux.com/index.php?module=sisyphus&package=cups Gentoo: http://security.gentoo.org/glsa/glsa-200409-25.xml Slackware: ftp://ftp.slackware.com/pub/slackware/ Apple: http://www.apple.com/support/security/security_updates.html Fedora: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/ Sun: http://sunsolve.sun.com/search/document.do?assetkey=1-26-57646-1&searchclause= Conectiva: ftp://atualizacoes.conectiva.com.br/ Fedora Legacy: http://download.fedoralegacy.org/fedora/1/updates/ SCO: ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2004.15 A Proof of Concept exploit has been published. | Low | SecurityTracker Alert ID, 1011283, September 15, 2004 ALTLinux Advisory, September 17, 2004 Gentoo Linux Security Advisory GLSA 200409-25, September 20, 2004 Slackware Security Advisory, SSA:2004-266-01, September 23, 2004 Fedora Update Notification, Apple Security Update, APPLE-SA-2004-09-30, October 4, 2004 Sun(sm) Alert Notification, 57646, October 7, 2004 SCO Security Advisory, COSA-2004.15, October 12, 2004 Conectiva Linux Security Announcement, CLA-2004:872, October Fedora Legacy Update Advisory, FLSA:2072, October 16, 2004 | |
OpenBSD 3.4, 3.5; SuSE Linux 8.1, 8.2, 9.0, x86_64, 9.1, Linux | Multiple vulnerabilities exist: a stack overflow exists in Debian: http://security.debian.org/pool/updates/main/i/imlib/ Mandrake: http://www.mandrakesecure.net/en/ftp.php OpenBSD: SuSE: ftp://ftp.suse.com/pub/suse/ X.org: http://x.org/X11R6.8.1/ Gentoo: http://security.gentoo.org/glsa/glsa-200409-34.xml IBM: http://www-912.ibm.com/eserver/support/fixes/fcgui.jsp RedHat: http://rhn.redhat.com/errata/RHSA-2004-478.html Sun: http://sunsolve.sun.com/search/document.do?assetkey=1-26-57652-1&searchclause= Proofs of Concept exploits have been published. | High | X.Org Foundation Security Advisory, September 16, 2004 US-CERT Vulnerability Notes, VU#537878 & VU#882750, September 30, SecurityFocus, October 4, 2004 Debian Security Advisory, DSA 560-1 & 561-1, October 7 & 11, Gentoo Linux Security Advisory, GLSA 200410-09, October 9, 2004 Sun(sm) Alert Notification, 57652, October 18, 2004 | |
MySQL 3.20 .x, 3.20.32 a, 3.21 .x, 3.22 .x, 3.22.26-3.22.30, 3.22.32, | A buffer overflow vulnerability exists in the 'mysql_real_connect' function due to insufficient boundary checking, which could let a remote malicious user cause a Denial of Service and possibly execute arbitrary code. Note: Computers using glibc on Linux and BSD platforms may not be vulnerable to this issue. Debian: http://security.debian.org/pool/updates/main/m/mysql/ Trustix: http://http.trustix.org/pub/trustix/updates/ We are not aware of any exploits for this vulnerability. | High/Low (Low if a DoS) | Secunia Advisory, Debian Security Advisory, DSA 562-1, October 11, 2004 Trustix Secure Linux Security Advisory, TSLSA-2004-0054, | |
MySQL 4.0.0-4.0.15, 4.0.18, 4.0.20 | A remote Denial of Service vulnerability exists in the 'FULLTEXT' Upgrades available at: Trustix: ftp://ftp.trustix.org/pub/trustix/updates/ There is no exploit code required. | MySQL Remote Denial of Service | Low | Trustix Secure Linux Security Advisory, TSLSA-2004-0054, October 15, 2004 |
MySQL 3.x, 4.x | Two vulnerabilities exist: a vulnerability exists due to an error in Updates available at: http://dev.mysql.com/downloads/mysql/ Debian: http://security.debian.org/pool/updates/main/m/mysql Trustix: http://http.trustix.org/pub/trustix/updates/ We are not aware of any exploits for these vulnerabilities. | Low/ Medium (Low if a DoS; and Medium if security restrictions can be | Secunia Advisory, SA12783, October 11, 2004 Trustix Secure Linux Security Advisory, TSLSA-2004-0054, | |
phpMyAdmin 2.0-2.0.5, 2.1-2.1.2, 2.2, 2.2 pre1&2, 2.2 rc1-rc3, | A vulnerability exists in the MIME-based transformation system with 'external' transformations, which could let a remote malicious user execute arbitrary code. Note: Successful exploitation requires that PHP's safe mode is disabled. Upgrades available at: Gentoo: http://security.gentoo.org/glsa/glsa-200410-14.xml There is no exploit code required. | phpMyAdmin Remote Command Execution | High | Secunia Advisory, SA12813, October 13, 2004 |
PNG Development libpng 1.2.5 and 1.0.15 | Multiple vulnerabilities exist in the libpng library If using original, update to libpng version 1.2.6rc1 Conectiva: http://distro.conectiva.com.br/atualizacoes/index.php?id=a&anuncio=000856 Debian: http://lists.debian.org/debian-security-announce/debian-security-announce-2004/msg00139.html Gentoo: http://security.gentoo.org/glsa/glsa-200408-03.xml Mandrakesoft: http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:079 RedHat http://rhn.redhat.com/ SuSE: http://www.suse.de/de/security/2004_23_libpng.html Fedora: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/1/ Sun Solaris: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/57617 HP-UX: http://www4.itrc.hp.com/service/cki/docDisplay.do?docId=HPSBUX01065 GraphicsMagick: http://www.graphicsmagick.org/www/download.html ImageMagick: http://www.imagemagick.org/www/download.html Slackware: http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.439243 Yahoo: http://messenger.yahoo.com/ SuSE: ftp://ftp.suse.com/pub/suse SCO: ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2004.16 A Proof of Concept exploit has been published. | Multiple Vulnerabilities in libpng CVE Names: | High | US-CERT Technical Cyber Security Alert TA04-217A, US-CERT Vulnerability Notes VU#160448, VU#388984, SUSE Security Announcement, SUSE-SA:2004:035, October SCO Security Advisory, SCOSA-2004.16, |
ProFTPd 1.2.8, 1.2.10; possibly other versions | A vulnerability exists due to a time delay difference in the No workaround or patch available at time of An exploit script has been published. | ProFTPd Login Timing Account Disclosure | Medium | LSS Security Team Advisory, October 14, 2004 |
Samba version 3.0 - 3.0.6 | Several vulnerabilities exist: a remote Denial of Service vulnerability exists in the 'process_logon_packet()' function due to insufficient validation of 'SAM_UAS_CHANGE' request packets; and a remote Denial of Service vulnerability exists when a malicious user submits a malformed packet to a target 'smbd' server. Updates available at: http://samba.org/samba/download/ Gentoo: http://security.gentoo.org/glsa/glsa-200409-16.xml Mandrake: http://www.mandrakesecure.net/en/ftp.php OpenPKG: ftp://ftp.openpkg.org/release/2.1/UPD/ SuSE: ftp://ftp.suse.com/pub/suse/ Trustix: http://http.trustix.org/pub/trustix/updates/ RedHat: http://rhn.redhat.com/errata/RHSA-2004-467.html Conectiva: ftp://atualizacoes.conectiva.com.br/ We are not aware of any exploits for these vulnerabilities. | Low | Securiteam, September 14, 2004 Gentoo Linux Security Advisory, GLSA 200409-16, September 13, 2004 Mandrakelinux Security Update Advisory, MDKSA-2004:092, September 13, Trustix Secure Linux Bugfix Advisory, TSL-2004-0046, September 14, 2004 OpenPKG Security Advisory, OpenPKG-SA-2004.040, September 15, 2004 SUSE Security Announcement, SUSE-SA:2004:034, September 17, 2004 RedHat Security Advisory, RHSA-2004:467-08, September 23, 2004 Conectiva Linux Security Announcement, CLA-2004:873, October | |
sox.sourceforge and 12.17.2 | Multiple vulnerabilities exist that could allow a remote malicious user Fedora: Mandrakesoft: http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:076 Gentoo: http://security.gentoo.org/glsa/glsa-200407-23.xml Conectiva: ftp://atualizacoes.conectiva.com.br RedHat: http://rhn.redhat.com/errata/RHSA-2004-409.html Slackware: ftp://ftp.slackware.com/pub/slackware/ SGI: ftp://patches.sgi.com/support/free/security/patches/ProPack/3/ Debian: http://security.debian.org/pool/updates/main/s/sox/ An exploit script has been published. | High | Secunia, SA12175, 12176, 12180, July 29, 2004 SecurityTracker Alerts 1010800 and 1010801, July 28/29, 2004 Mandrakesoft Security Advisory MDKSA-2004:076, July 28, 2004 PacketStorm, August 5, 2004 Slackware Security Advisory, SSA:2004-223-03, August 10, SGI Security Advisory, 20040802-01-U, August 14, 2004 Debian Security Advisory, DSA 565-1, October 13, | |
Squid 2.5-STABLE6, 3.0-PRE3-20040702; when compiled with SNMP support | A remote Denial of Service vulnerability exists in the Updates available at: http://www.squid-cache.org/ Fedora: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/ Gentoo: http://security.gentoo.org/glsa/glsa-200410-15.xml Trustix: http://http.trustix.org/pub/trustix/updates/ We are not aware of any exploits for this vulnerability. | Low | iDEFENSE Security Advisory, October 11, 2004 Fedora Update Notification, Trustix Secure Linux Security Advisory, TSLSA-2004-0054, Gentoo Linux Security Advisory, GLSA 200410-15, October 18, | |
Solaris 8 | A vulnerability exists in the gzip(1) command, which could let a Workaround and update available at: http://sunsolve.sun.com/search/document.do?assetkey=1-26-57600-1 We are not aware of any exploits for this vulnerability. | Sun Solaris Gzip File Access | Medium | Sun(sm) Alert Notification, 57600, October 1, 2004 US-CERT Vulnerability Note VU#635998, October 18, 2004 |
Sudo 1.6.8 | A vulnerability exists due to insufficient validation of Upgrade available at: There is no exploit code required; however, a Proof of Concept exploit | Sudo Information Disclosure | High | Secunia Advisory, SA12596, September 20, 2004 US-CERT Vulnerability Note VU#424358, October 19, 2004 |
WeHelpBUS 0.1 | A vulnerability exists in 'wehelpbus/sk.cgi.in,' 'wehelpbus/skdoc.cgi.in,' 'wehelpbus/wehelpbus.pl.in,' 'wehelpbus/info.cgi.in,' 'wehelpbus/man.cgi.in,' 'wehelpbus/rpm.cgi.in,' and 'wehelpbus/code.cgi.in,' which could let a remote malicious user execute arbitrary commands. Upgrade available at: There is no exploit code required. | WeHelpBUS Input Validation | High | SecurityTracker Alert ID, 1011743, October 16, 2004 |
Ruby 1.6, 1.8 | A vulnerability exists in the CGI session management component due to Upgrades available at: http://security.debian.org/pool/updates/main/r/ruby/ Gentoo: http://security.gentoo.org/glsa/glsa-200409-08.xml RedHat: http://rhn.redhat.com/errata/RHSA-2004-441.html Fedora: http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/ We are not aware of any exploits for this vulnerability. | Ruby CGI Session Management Unsafe Temporary File CVE Name: | Medium | Debian Security Advisory, DSA 537-1, August 16, 2004 Gentoo Linux Security Advisory, GLSA 200409-08, September 3, 2004 RedHat Security Advisory, RHSA-2004:441-18, September 30, 2004 Fedora Update Notification, |
Recent Exploit Scripts/Techniques
The table below contains a sample of exploit scripts and "how to" guides identified during this period. The "Workaround or Patch Available" column indicates if vendors, security vulnerability listservs, or Computer Emergency Response Teams (CERTs) have published workarounds or patches.
Note: At times, scripts/techniques may contain names or content that may be considered offensive.
Date of | Script name | Workaround or Patch Available | Script Description |
October 18, 2004 | yahoopops.c 101_ypops.cpp dc_ypop.c | No | Exploits for the YPOPs! Buffer Overflows vulnerabilities. |
October 15, 2004 | proftpd.c | No | Script that exploits the ProFTPd Login Timing Differences Disclose Valid User Account Names vulnerability. |
October 13, 2004 | sessmgr.c | No | Script that exploits the Microsoft Windows XP Weak Default Configuration vulnerability. |
October 13, 2004 | shixxbof.zip | No | Exploit for the ShixxNOTE 6.net Remote Buffer Overflow vulnerability. |
Trends
- Multiple vendors' networking devices fail to set the
"Secure" cookie attribute and could disclose sensitive information about a
user's HTTP session. Many networking devices provide a built-in web server,
which may support the HTTPS protocol. When a user logs into the device with a
username/password via HTTP, a cookie may be stored for that session by the web
application. When storing this cookie, the "Secure" attribute should be set so
that the user-agent only sends this cookie over secure connections (i.e.
HTTPS). For more information, see US-CERT Vulnerability Note VU#546483 located
at: http://www.kb.cert.org/vuls/id/546483.
- CipherTrust, an e-mail security company, in a survey this
month of more than 4 million pieces of e-mail found that most phishing
attempts come from about 1000 compromised "zombie" computers owned by
broadband customers, and the phishing attacks are likely generated by less
than five phishing operations. For more information, see "Has Your PC Gone
Phishing?" located at: http://www.pcworld.com/news/article/0,aid,118171,00.asp.
Viruses/Trojans
Top Ten Virus Threats
A list of high threat
viruses, as reported to various anti-virus vendors and virus incident reporting
organizations, has been ranked and categorized in the table below. For the
purposes of collecting and collating data, infections involving multiple systems
at a single location are considered a single infection. It is therefore possible
that a virus has infected hundreds of machines but has only been counted once.
With the number of viruses that appear each month, it is possible that a new
virus will become widely distributed before the next edition of this
publication. To limit the possibility of infection, readers are reminded to
update their anti-virus packages as soon as updates become available. The table
lists the viruses by ranking (number of sites affected), common virus name, type
of virus code (i.e., boot, file, macro, multi-partite, script), trends (based on
number of infections reported since last week), and approximate date first
found.
Rank | Common Name | Type of Code | Trends | Date |
1 | Netsky-P | Win32 Worm | Stable | March 2004 |
2 | Zafi-B | Win32 Worm | Stable | June 2004 |
3 | Netsky-Z | Win32 Worm | Stable | April 2004 |
4 | Netsky-D | Win32 Worm | Stable | March 2004 |
5 | Bagle-AA | Win32 Worm | Stable | April 2004 |
6 | Netsky-B | Win32 Worm | Stable | February 2004 |
7 | Netsky-Q | Win32 Worm | Stable | March 2004 |
8 | MyDoom-O | Win32 Worm | Stable | July 2004 |
9 | Bagle-Z | Win32 Worm | Stable | April 2004 |
10 | MyDoom.M | Win32 Worm | Stable | July 2004 |
Table Updated October 19, 2004
Viruses or Trojans Considered to be a High Level of Threat
- Netsky.AG - A new variant of the Netsky virus has been discovered and rated as a medium risk by some anti-virus vendors. Like other Netsky viruses, W32/Netskyag@MM uses an e-mail to gain entry and install itself into several files via the Windows directory. Once installed, it harvests e-mail addresses from the infected machine and sends out copies of itself in messages. The virus differs from earlier versions in that it uses different compression technologies when sending itself out. This makes it more difficult to detect. (CNET News.com, October 14, 2004)
The following table provides, in
alphabetical order, a list of new viruses, variations of previously encountered
viruses, and Trojans that have been discovered during the period covered by this
bulletin. This information has been compiled from the following anti-virus
vendors: Sophos, Trend Micro, Symantec, McAfee, Network Associates, Central
Command, F-Secure, Kaspersky Labs, MessageLabs, Panda Software, Computer
Associates, and The WildList Organization International. Users should keep
anti-virus software up to date and should contact their anti-virus vendors to
obtain specific information on the Trojans and Trojan variants that anti-virus
software detects.
NOTE: At times, viruses and
Trojans may contain names or content that may be considered offensive.