* Patches from Gentoo, Debian, KDE, others * Beware new Trojan that infects .exe files on the target machine * Black Hat event highlights RFID and VoIP security threats
Despite a legal settlement between Cisco and security research Michael Lynn over any future disclosure of an exploit for the IOS operating system that runs many Cisco routers, the exploit as become public:
Cisco vulnerability posted to Internet, 07/29/05
http://www.networkworld.com/news/2005/072905-cisco-black-hat.html
Cisco advisory:
https://www.cisco.com/warp/public/707/cisco-sa-20050729-ipv6.shtml
CERT advisory:
https://www.us-cert.gov/cas/techalerts/TA05-210A.html
While a patch is available that would render the exploit useless, installing the update on a router is not as easy as updating a Windows machine with the latest Microsoft update, says Network World Test Alliance member Rodney Thayer. Meaning there could be a many routers out there that could be affected. You can hear more of my conversation with Thayer here:
http://www.networkworld.com/research/2005/0801radio.html
Other related IOS/Lynn stories:
Researcher at center of Cisco router-exploit controversy speaks out, 07/28/05
http://www.networkworld.com/news/2005/072805-lynn.html
Cisco, ISS, Michael Lynn and Black Hat sign legal accord, 07/28/05
http://www.networkworld.com/news/2005/072805-cisco-settlement.html
Today’s bug patches and security alerts:
NGSSoftware warns of HP OpenView Radia Management Agent flaw
According to an advisory from NGSSoftware, “By connecting to the TCP port and sending a crafted packet, it is possible to traverse out of C:Program FilesNovadigm (the apparent working directory) and run any executable that is located on the same logical disk partition, in this case the C: drive.” For more, go to:
https://www.ngssoftware.com/advisories/hpovrma.txt
HP advisory:
https://itrc.hp.com/service/cki/docDisplay.do?docId=HPSBMA01138
**********
Gentoo patches MediaWiki
A cross-scripting vulnerability has been found in MediaWiki, a collaborative editing tool. An attacker could exploit this to run arbitrary JavaScript code on the affected machine. For more, go to:
https://security.gentoo.org/glsa/glsa-200507-18.xml
Gentoo upgrades sandbox
The way temporary files are created by sandbox could be exploited by a local user to overwrite arbitrary files with root privileges. For more, go to:
https://security.gentoo.org/glsa/glsa-200507-22.xml
Gentoo releases Ethereal update
A number of flaws have been found in the popular protocol analyzer. A fix is available. For more, go to:
https://security.gentoo.org/glsa/glsa-200507-27.xml
**********
Debian issues fix for cacti
Several flaws have been found in Cacti, a database tool. The most serious of the flaws could be exploit to run malicious code on the affected machine. For more, go to:
https://www.debian.org/security/2005/dsa-764
Debian patches phpbb2
According to a Debian advisory, “A cross-site scripting vulnerability has been detected in phpBB2, a fully featured and skinneable flat webforum software, that allows remote attackers to inject arbitrary web script or HTML via nested tags.” For more, go to:
https://www.debian.org/security/2005/dsa-768
Debian updates Webcalendar
A flaw in the Webcalender authorization module could allow unauthorized parties to view calendar data. For more, go to:
https://www.debian.org/security/2005/dsa-766
Debian releases gaim fix
A new update for Gaim, an open source instant messaging client, fixes a potential denial-of-service vulnerability. For more, go to:
https://www.debian.org/security/2005/dsa-769
Debian patches gopher
The gopher browser for Debian creates temporary files in a non-secure manner. A fix is available. For more, go to:
https://www.debian.org/security/2005/dsa-770
**********
KDE patches libgadu/Kopete
According to an alert from KDE, “Kopete contains a copy of libgadu that is used if no compatible version is installed in the system. Several input validation errors have been reported in libgadu that can lead to integer overflows and remote DoS or arbitrary code execution.” For more, go to:
https://www.kde.org/info/security/advisory-20050721-1.txt
Related Gentoo advisories:
https://security.gentoo.org/glsa/glsa-200507-26.xml
https://security.gentoo.org/glsa/glsa-200507-23.xml
**********
Ubuntu fixes PAM/NSS LDAP
According to an Ubuntu advisory, “Andrea Barisani discovered a flaw in the SSL handling of pam-ldap and libnss-ldap. When a client connected to a slave LDAP server using SSL, the slave server did not use SSL as well when contacting the LDAP master server. This caused passwords and other confident information to be transmitted unencrypted between the slave and the master.” For more, go to:
https://www.ubuntulinux.org/support/documentation/usn/usn-152-1
Ubuntu patches vim
A flaw in the vim text editor could be exploited to execute arbitrary shell commands with the privileges of the affected user. For more, go to:
https://www.ubuntulinux.org/support/documentation/usn/usn-154-1
Ubuntu releases fix for epiphany
A recent update for the Mozilla Suite caused a regression in the epiphany browser. A new fix is available. For more, go to:
https://www.ubuntulinux.org/support/documentation/usn/usn-155-2
Ubuntu issues patch for Tiff
A denial-of-service vulnerability has been found in the TIFF library. Certain values in a TIFF image header are not properly read, which could result in the application crashing. For more, go to:
https://www.ubuntulinux.org/support/documentation/usn/usn-156-1
**********
Conectiva, Fedora release fixes for php
A new update for the popular PHP scripting language fixes two flaws in previous releases. An attacker could exploit this to run arbitrary PHP script on the affected machine. For more, go to:
Conectiva:
http://www.networkworld.com/go2/0801bug1c.html
Fedora:
https://www.securityfocus.com/archive/1/406800/30/0/threaded
**********
Fedora patches lvm
LVM creates insecure temporary files, which could be exploited by a local user to gain elevated privileges. For more, go to:
https://www.securityfocus.com/archive/1/406385/30/90/threaded
**********
FreeBSD fixes ipsec
A flaw in the FreeBSD implementation of ipsec uses a constant encryption key rather than an administrator-specified one. For more, go to:
http://www.networkworld.com/go2/0801bug1b.html
**********
SCO patches RPCBind for UnixWare
A denial-of-service vulnerability occurs when specific portmap requests are received. SCO has released a fix for UnixWare. For more, go to:
ftp://ftp.sco.com/pub/updates/UnixWare/SCOSA-2005.31
**********
SuSE patches zlib
A flaw in the way zlib, a file compression/decompression utility, handles compressed files could be exploited to crash the application. For more, go to:
https://www.novell.com/linux/security/advisories/2005_43_zlib.html
**********
Mandriva, OpenPKG releases fetchmail fix
A buffer overflow in the popular fetchmail e-mail client could be exploited in a denial-of-service attack or to potentially execute arbitrary code. For more, go to:
Mandriva:
https://www.mandriva.com/security/advisories?name=MDKSA-2005:126
OpenPKG:
https://www.openpkg.org/security/OpenPKG-SA-2005.016-fetchmail.txt
**********
OpenPKG patches SpamAssassin
An attacker could send malformed messages through SpamAssassin, causing the filtering applications to crash. For more, go to:
http://www.networkworld.com/go2/0801bug1a.html
**********
Mandriva releases fix for mozilla-thunderbird
A new update for the Mozilla-based Thunderbird browser could be exploited to run script with elevated privileges on the affected machine. For more, go to:
https://www.mandriva.com/security/advisories?name=MDKSA-2005:127
**********
Today’s roundup of virus alerts:
W32/Mytob-HU — Another Mytob variant that spreads through e-mail and allows backdoor access via IRC. The infected e-mail looks like some type of account warning. In addition to allowing access, Mytob disables security programs and limits access to related Web sites. (Sophos)
Troj/Ablank-AE — A browser-hijacking Trojan that changes a number of Web browser attributes. (Sophos)
W32/Agobot-ADH — An Agobot backdoor variant that spreads through network shares, dropping a randomly named file in the Windows System directory. It disables security applications and modifies the Windows HOSTS file to limit access to related Web sites. (Sophos)
W32/Bobax-M — A new Trojan that infects .exe files on the target machine. It can disable anti-virus applications, restrict access to security Web sites, and download/execute files from a remote site. (Sophos)
Troj/Kelvir-AT — This MSN Messenger worm spreads via the IM “Ever see a glass career?? WHAHAHA its with your email!”, which is followed by a URL. (Sophos)
W32/Kelvir-AQ — Another MSN Messenger worm. This one uses the message “wtff why are you in this crazy site?” followed by a URL. (Sophos)
Troj/Bancban-EB — Another Trojan that targets Brazilian banking sites. It drops “imgrt.scr” in the Windows System folder. (Sophos)
W32/Hagbard-A — A worm that spreads through peer-to-peer file sharing sites. Among the many files it drops on the infected machine is “msn_addons.exe” in the C: root directory. It installs a Web server to allow remote access to the infected machine. (Sophos)
Troj/Badmaca-A — This worm displays a message in Portugese that claims to be a security bulleting from Symantec. It attempts to download and run malicious code on the infected machine. (Sophos)
W32/Sdbot-ABQ — An Sdbot variant that spreads through network shares, attempting to exploit a number of known Windows vulnerabilities. It can be used as a DDoS client, steal local information and download/install additional code. (Sophos)
**********
From the interesting reading department:
Black Hat event highlights RFID and VoIP security threats
The Black Hat conference – an annual event where security professionals get in touch with their inner hacker and vice versa – has for nine years been a stage for detailing new security exploits and sharing visions of the future. Network World, 07/29/05.
http://www.networkworld.com/news/2005/080105-blackhat-side.html?nl




