Cisco patches IOS firewall flaw

Opinion
Sep 8, 20055 mins

* Patches from Cisco, Debian, FreeBSD, others * Beware e-mail harvesting worm that spreads through network shares, exploiting the Windows LSASS vulnerability

Today’s bug patches and security alerts:

Cisco patches IOS firewall flaw

According to a Cisco advisory, “Cisco IOS Software is vulnerable to a denial of service and potentially an arbitrary code execution attack when processing the user authentication credentials from an Authentication Proxy Telnet/FTP session. To exploit this vulnerability an attacker must first complete a TCP connection to the IOS device running affected software and receive an auth-proxy authentication prompt.” For more, go to:

https://www.cisco.com/warp/public/620/1.html

**********

KDE publishes fix for a number of flaws

A number of KDE graphical environments contain multiple flaws. The most serious of them could be exploited to gain root access on the affected machine. For more, go to:

https://www.kde.org/info/security/advisory-20050905-1.txt

Related fixes:

Mandriva (kdebase):

https://www.mandriva.com/security/advisories?name=MDKSA-2005:160

Mandriva (kdeedu):

https://www.mandriva.com/security/advisories?name=MDKSA-2005:159

Ubuntu:

https://www.ubuntu.com/usn/usn-176-1/document_view

**********

Debian, FreeBSD patch cvs

A flaw in the way temporary files are created by cvsbug, part of the CVS version control system, could be exploited to place arbitrary files on the affected machine. For more, go to:

Debian:

https://www.debian.org/security/2005/dsa-802

FreeBSD:

http://www.networkworld.com/go2/0905bug2a.html

**********

More PCRE fixes available

An integer overflow in the Perl Compatible Regular Expressions (PCRE) library could be exploited by to run malicious code on the affected machine. For more, go to:

Debian (pcre3):

https://www.debian.org/security/2005/dsa-800

Gentoo:

https://security.gentoo.org/glsa/glsa-200508-17.xml

OpenPKG:

https://www.openpkg.org/security/OpenPKG-SA-2005.018-pcre.txt

**********

OpenPKG releases OpenSSH update

As we reported in our last newsletter, there’s a new version of OpenSSH available that includes fixes for a number of flaws in previous releases. The OpenPKG version of the update is here:

https://www.openpkg.org/security/OpenPKG-SA-2005.019-openssh.txt

**********

Gentoo, Mandriva patch mplayer

A buffer overflow in mplayer, a multimedia player, could be exploited through a malicious video file, allowing the attacker to run arbitrary code on the affected machine. For more, go to:

Gentoo:

https://security.gentoo.org/glsa/glsa-200509-01.xml

Mandriva:

https://www.mandriva.com/security/advisories?name=MDKSA-2005:158

**********

Debian, Mandriva release fix for ntp

The Network Time Protocol (ntp) does not properly set its permissions. A fix is available for this bug. For more, go to:

Debian:

https://www.debian.org/security/2005/dsa-801

Mandriva:

https://www.mandriva.com/security/advisories?name=MDKSA-2005:156

**********

Debian, OpenPKG patch proftpd

Two format string vulnerabilities have been found in the proftpd server, which could be exploited to insert data into a connected SQL database. For more, go to:

Debian:

https://www.debian.org/security/2005/dsa-795

OpenPKG:

https://www.openpkg.org/security/OpenPKG-SA-2005.020-proftpd.txt

**********

Debian patches sqwebmail flaw

The sqwebmail mail application that comes in the Courier suite does not properly handle certain attachments. An attacker could exploit this to insert malicious scripts on the affected machine. For more, go to:

https://www.debian.org/security/2005/dsa-793

**********

SuSE patches kernel

A new update to the SuSE Linux kernel fixes a number of flaws found in previous releases. Most of the vulnerabilities could be exploited to crash the kernel. For more, go to:

http://www.networkworld.com/go2/0905bug2b.html

**********

Today’s roundup of virus alerts:

New Trojan swaps porn for Koran

A new Trojan horse program circulating around the Internet this week appears to be on a moral mission to stamp out adult Web sites, according to security research firm Sophos. Instead of snooping for sensitive financial information or secretly taking control of an infected computer, the Trojan, called Yusufali-A, monitors Web surfing habits. IDG News Service, 09/06/05.

http://www.networkworld.com/news/2005/090605-trojan.html

Troj/Perda-D — A Trojan horse that creates a proxy server on the affected machine. It may also mess up the Windows Firewall on XP. It uses a random file name as its infection point. (Sophos)

Troj/Sisery-A — An interesting little virus that changes a number of Windows and application characteristics. More annoying than damaging. (Sophos)

W32/Alasrou-A — An e-mail harvesting worm that spreads through network shares, exploiting the Windows LSASS vulnerability. It installs itself as “file1.exe” in the Windows temp directory. (Sophos)

W32/Tilebot-O — This Trojan can turn its infected host into a proxy server, participate in denial-of-service attacks, access remote machines via HTTP and disable security applications. It spreads through network shares, exploiting a number of known Windows vulnerabilities. It installs itself as “rdriv.sys”. (Sophos)

W32/Rbot-AGV — An Rbot variant that installs itself to look like a McAfee file (mcafee32.exe in the Windows System directory). It spreads through network shares and allows backdoor access via IRC. (Sophos)

Troj/Haxdoor-AI — An IRC backdoor worm that can be used to terminate security related applications. It drops “msftcpip.sys” on the infected machine. (Sophos)

Troj/BankAsh-J — A Trojan that harvests user names and passwords from the infected machine, sending the bounty to a remote site via FTP. It also tries to suppress firewall messages in an effort to hide its presence. (Sophos)

W32/Codbot-X — A backdoor Trojan that allows FTP access, logs keystrokes, and harvests other local system information. It installs itself as “spooler.exe” in the Windows System folder. When spreading through network shares, it exploits a number of known Windows flaws. (Sophos)

Troj/Zapchas-K — A backdoor Trojan that spreads through an IRC connection, usually as the file “postcard.gif.exe”. (Sophos)

Troj/Paymite-B — A virus that attempts to modify the Windows Start page, among other attributes. It installs itself as “paytime.exe” in the Windows System folder. (Sophos)

W32/Agobot-PI  — An Agobot variant that drops “Ksrv32.exe” in the Windows System folder. It can be used for a number of malicious applications and can terminate security related utilities. (Sophos)